internal/handlers/admin.go

package handlers

import (
	"context"
	"net/http"
	"strings"
	"time"

	"github.com/arkie/ark-database/internal/auth"
	"github.com/go-chi/chi/v5"
	"github.com/google/uuid"
	"github.com/jackc/pgx/v5"
	"github.com/jackc/pgx/v5/pgxpool"
	"golang.org/x/crypto/bcrypt"
)

type loginReq struct {
	Email    string `json:"email"`
	Password string `json:"password"`
}

func AdminLogin(secret string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req loginReq
		if err := jsonDecode(r, &req); err != nil {
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		pool := poolFrom(r)
		var id int
		var hash string
		err := pool.QueryRow(r.Context(), `SELECT id, password_hash FROM admins WHERE lower(email) = lower($1)`, strings.TrimSpace(req.Email)).Scan(&id, &hash)
		if err != nil {
			http.Error(w, "invalid credentials", http.StatusUnauthorized)
			return
		}
		if bcrypt.CompareHashAndPassword([]byte(hash), []byte(req.Password)) != nil {
			http.Error(w, "invalid credentials", http.StatusUnauthorized)
			return
		}
		tok, err := auth.SignAdmin(secret, id, req.Email, 7*24*time.Hour)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		writeJSON(w, map[string]any{"token": tok})
	}
}

func AdminDashboard(w http.ResponseWriter, r *http.Request) {
	pool := poolFrom(r)
	ctx := r.Context()
	var total, published int
	_ = pool.QueryRow(ctx, `SELECT COUNT(*) FROM resources`).Scan(&total)
	_ = pool.QueryRow(ctx, `SELECT COUNT(*) FROM resources WHERE status = 'published'`).Scan(&published)
	var views, downloads, favs, shares int64
	_ = pool.QueryRow(ctx, `SELECT COALESCE(SUM(view_count),0), COALESCE(SUM(download_count),0), COALESCE(SUM(favorite_count),0), COALESCE(SUM(share_count),0) FROM resources`).Scan(&views, &downloads, &favs, &shares)
	var todayNew int
	_ = pool.QueryRow(ctx, `SELECT COUNT(*) FROM resources WHERE created_at::date = (now() at time zone 'utc')::date`).Scan(&todayNew)

	rows, err := pool.Query(ctx, `
		SELECT r.id, r.title, r.download_count, r.favorite_count, r.view_count
		FROM resources r WHERE r.status = 'published' ORDER BY (r.download_count + r.favorite_count) DESC LIMIT 8`)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	defer rows.Close()
	type hot struct {
		ID       string `json:"id"`
		Title    string `json:"title"`
		Download int    `json:"downloads"`
		Favorite int    `json:"favorites"`
		View     int    `json:"views"`
	}
	hotList := make([]hot, 0)
	for rows.Next() {
		var id uuid.UUID
		var h hot
		if err := rows.Scan(&id, &h.Title, &h.Download, &h.Favorite, &h.View); err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		h.ID = id.String()
		hotList = append(hotList, h)
	}
	if err := rows.Err(); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	writeJSON(w, map[string]any{
		"totalResources": total,
		"published":      published,
		"todayNew":       todayNew,
		"totalViews":     views,
		"totalDownloads": downloads,
		"totalFavorites": favs,
		"totalShares":    shares,
		"hotResources":   hotList,
	})
}

type adminResource struct {
	ID             string   `json:"id"`
	Title          string   `json:"title"`
	Description    string   `json:"description"`
	Type           string   `json:"type"`
	Language       string   `json:"language"`
	CategoryID     int      `json:"categoryId"`
	CoverImage     string   `json:"coverImage"`
	FileURL        string   `json:"fileUrl"`
	PreviewURL     string   `json:"previewUrl"`
	ExternalURL    string   `json:"externalUrl"`
	BodyText       string   `json:"bodyText"`
	BadgeLabel     string   `json:"badgeLabel"`
	IsPublic       bool     `json:"isPublic"`
	IsDownloadable bool     `json:"isDownloadable"`
	IsRecommended  bool     `json:"isRecommended"`
	SortOrder      int      `json:"sortOrder"`
	Status         string   `json:"status"`
	PublishedAt    *string  `json:"publishedAt"`
	Tags           []string `json:"tags"`
	ViewCount      int      `json:"viewCount"`
	DownloadCount  int      `json:"downloadCount"`
}

func AdminListResources(w http.ResponseWriter, r *http.Request) {
	pool := poolFrom(r)
	page := atoiDef(r.URL.Query().Get("page"), 1)
	limit := atoiDef(r.URL.Query().Get("limit"), 20)
	if limit > 100 {
		limit = 100
	}
	offset := (page - 1) * limit
	var total int
	if err := pool.QueryRow(r.Context(), `SELECT COUNT(*) FROM resources`).Scan(&total); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	rows, err := pool.Query(r.Context(), `
		SELECT r.id, r.title, COALESCE(r.description,''), r.type, r.language, r.category_id,
			COALESCE(r.cover_image,''), COALESCE(r.file_url,''), COALESCE(r.preview_url,''), COALESCE(r.external_url,''), COALESCE(r.body_text,''),
			COALESCE(r.badge_label,''), r.is_public, r.is_downloadable, r.is_recommended, r.sort_order, r.status, r.published_at, r.view_count, r.download_count
		FROM resources r
		ORDER BY r.updated_at DESC
		LIMIT $1 OFFSET $2`, limit, offset)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	defer rows.Close()
	list := make([]adminResource, 0)
	for rows.Next() {
		var ar adminResource
		var id uuid.UUID
		var pub *time.Time
		if err := rows.Scan(&id, &ar.Title, &ar.Description, &ar.Type, &ar.Language, &ar.CategoryID, &ar.CoverImage, &ar.FileURL, &ar.PreviewURL, &ar.ExternalURL, &ar.BodyText,
			&ar.BadgeLabel, &ar.IsPublic, &ar.IsDownloadable, &ar.IsRecommended, &ar.SortOrder, &ar.Status, &pub, &ar.ViewCount, &ar.DownloadCount); err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		ar.ID = id.String()
		if pub != nil {
			s := pub.UTC().Format(time.RFC3339)
			ar.PublishedAt = &s
		}
		tags, _ := loadTagNames(r.Context(), pool, id)
		ar.Tags = tags
		list = append(list, ar)
	}
	if err := rows.Err(); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	writeJSON(w, map[string]any{"items": list, "page": page, "limit": limit, "total": total})
}

type searchLogRow struct {
	ID        int64  `json:"id"`
	Query     string `json:"query"`
	CreatedAt string `json:"createdAt"`
}

func AdminSearchLogs(w http.ResponseWriter, r *http.Request) {
	pool := poolFrom(r)
	limit := atoiDef(r.URL.Query().Get("limit"), 200)
	if limit > 500 {
		limit = 500
	}
	rows, err := pool.Query(r.Context(), `SELECT id, query, created_at FROM search_logs ORDER BY id DESC LIMIT $1`, limit)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	defer rows.Close()
	out := make([]searchLogRow, 0)
	for rows.Next() {
		var row searchLogRow
		var created time.Time
		if err := rows.Scan(&row.ID, &row.Query, &created); err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		row.CreatedAt = created.UTC().Format(time.RFC3339)
		out = append(out, row)
	}
	if err := rows.Err(); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	writeJSON(w, map[string]any{"items": out})
}

func AdminGetResource(w http.ResponseWriter, r *http.Request) {
	pool := poolFrom(r)
	rid, err := uuid.Parse(chi.URLParam(r, "id"))
	if err != nil {
		http.Error(w, "bad id", http.StatusBadRequest)
		return
	}
	row := pool.QueryRow(r.Context(), `
		SELECT r.id, r.title, COALESCE(r.description,''), r.type, r.language, r.category_id,
			COALESCE(r.cover_image,''), COALESCE(r.file_url,''), COALESCE(r.preview_url,''), COALESCE(r.external_url,''), COALESCE(r.body_text,''),
			COALESCE(r.badge_label,''), r.is_public, r.is_downloadable, r.is_recommended, r.sort_order, r.status, r.published_at, r.view_count, r.download_count
		FROM resources r WHERE r.id = $1`, rid)
	var ar adminResource
	var rowID uuid.UUID
	var pub *time.Time
	if err := row.Scan(&rowID, &ar.Title, &ar.Description, &ar.Type, &ar.Language, &ar.CategoryID, &ar.CoverImage, &ar.FileURL, &ar.PreviewURL, &ar.ExternalURL, &ar.BodyText,
		&ar.BadgeLabel, &ar.IsPublic, &ar.IsDownloadable, &ar.IsRecommended, &ar.SortOrder, &ar.Status, &pub, &ar.ViewCount, &ar.DownloadCount); err != nil {
		if err == pgx.ErrNoRows {
			http.NotFound(w, r)
			return
		}
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	ar.ID = rowID.String()
	tags, _ := loadTagNames(r.Context(), pool, rowID)
	ar.Tags = tags
	if pub != nil {
		s := pub.UTC().Format(time.RFC3339)
		ar.PublishedAt = &s
	}
	writeJSON(w, ar)
}

func AdminCreateResource(w http.ResponseWriter, r *http.Request) {
	pool := poolFrom(r)
	var ar adminResource
	if err := jsonDecode(r, &ar); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	adminCreateResource(w, r, pool, &ar)
}

func AdminUpdateResource(w http.ResponseWriter, r *http.Request) {
	pool := poolFrom(r)
	var ar adminResource
	if err := jsonDecode(r, &ar); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	id, err := uuid.Parse(chi.URLParam(r, "id"))
	if err != nil {
		http.Error(w, "bad id", http.StatusBadRequest)
		return
	}
	adminUpdateResource(w, r, pool, id, &ar)
}

func adminCreateResource(w http.ResponseWriter, r *http.Request, pool *pgxpool.Pool, ar *adminResource) {
	ctx := r.Context()
	var pub *time.Time
	if ar.Status == "published" {
		t := time.Now().UTC()
		pub = &t
	}
	row := pool.QueryRow(ctx, `
		INSERT INTO resources (category_id, title, description, type, language, cover_image, file_url, preview_url, external_url, body_text, badge_label,
			is_public, is_downloadable, is_recommended, sort_order, status, published_at)
		VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17)
		RETURNING id`,
		ar.CategoryID, ar.Title, nullIfEmpty(ar.Description), ar.Type, ar.Language, nullIfEmpty(ar.CoverImage), nullIfEmpty(ar.FileURL), nullIfEmpty(ar.PreviewURL),
		nullIfEmpty(ar.ExternalURL), nullIfEmpty(ar.BodyText), nullIfEmpty(ar.BadgeLabel), ar.IsPublic, ar.IsDownloadable, ar.IsRecommended, ar.SortOrder, ar.Status, pub,
	)
	var newID uuid.UUID
	if err := row.Scan(&newID); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	_ = replaceTags(ctx, pool, newID, ar.Tags)
	ar.ID = newID.String()
	writeJSON(w, ar)
}

func adminUpdateResource(w http.ResponseWriter, r *http.Request, pool *pgxpool.Pool, id uuid.UUID, ar *adminResource) {
	ctx := r.Context()
	var pub *time.Time
	if ar.PublishedAt != nil && *ar.PublishedAt != "" {
		t, err := time.Parse(time.RFC3339, *ar.PublishedAt)
		if err == nil {
			pub = &t
		}
	} else if ar.Status == "published" {
		// keep existing published_at if already set
		var existing *time.Time
		_ = pool.QueryRow(ctx, `SELECT published_at FROM resources WHERE id = $1`, id).Scan(&existing)
		if existing == nil {
			t := time.Now().UTC()
			pub = &t
		} else {
			pub = existing
		}
	}
	cmd, err := pool.Exec(ctx, `
		UPDATE resources SET
			category_id = $1, title = $2, description = $3, type = $4, language = $5,
			cover_image = $6, file_url = $7, preview_url = $8, external_url = $9, body_text = $10, badge_label = $11,
			is_public = $12, is_downloadable = $13, is_recommended = $14, sort_order = $15, status = $16, published_at = COALESCE($17, published_at),
			updated_at = NOW()
		WHERE id = $18`,
		ar.CategoryID, ar.Title, nullIfEmpty(ar.Description), ar.Type, ar.Language, nullIfEmpty(ar.CoverImage), nullIfEmpty(ar.FileURL), nullIfEmpty(ar.PreviewURL),
		nullIfEmpty(ar.ExternalURL), nullIfEmpty(ar.BodyText), nullIfEmpty(ar.BadgeLabel), ar.IsPublic, ar.IsDownloadable, ar.IsRecommended, ar.SortOrder, ar.Status, pub, id,
	)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	if cmd.RowsAffected() == 0 {
		http.NotFound(w, r)
		return
	}
	_ = replaceTags(ctx, pool, id, ar.Tags)
	writeJSON(w, map[string]any{"ok": true})
}

func nullIfEmpty(s string) any {
	if strings.TrimSpace(s) == "" {
		return nil
	}
	return s
}

func replaceTags(ctx context.Context, pool *pgxpool.Pool, resourceID uuid.UUID, tags []string) error {
	_, err := pool.Exec(ctx, `DELETE FROM resource_tags WHERE resource_id = $1`, resourceID)
	if err != nil {
		return err
	}
	for _, t := range tags {
		t = strings.TrimSpace(t)
		if t == "" {
			continue
		}
		var tid int
		slug := tagSlug(t)
		err := pool.QueryRow(ctx, `INSERT INTO tags (name, slug) VALUES ($1, $2)
			ON CONFLICT (slug) DO UPDATE SET name = EXCLUDED.name RETURNING id`, t, slug).Scan(&tid)
		if err != nil {
			_ = pool.QueryRow(ctx, `SELECT id FROM tags WHERE slug = $1`, slug).Scan(&tid)
		}
		_, _ = pool.Exec(ctx, `INSERT INTO resource_tags (resource_id, tag_id) VALUES ($1,$2) ON CONFLICT DO NOTHING`, resourceID, tid)
	}
	return nil
}

func AdminDeleteResource(w http.ResponseWriter, r *http.Request) {
	pool := poolFrom(r)
	id, err := uuid.Parse(chi.URLParam(r, "id"))
	if err != nil {
		http.Error(w, "bad id", http.StatusBadRequest)
		return
	}
	cmd, err := pool.Exec(r.Context(), `DELETE FROM resources WHERE id = $1`, id)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	if cmd.RowsAffected() == 0 {
		http.NotFound(w, r)
		return
	}
	writeJSON(w, map[string]any{"ok": true})
}
Initial backend import 2026-05-16 00:18:22 +08:00			`package handlers`

			`import (`
			`"context"`
			`"net/http"`
			`"strings"`
			`"time"`

			`"github.com/arkie/ark-database/internal/auth"`
			`"github.com/go-chi/chi/v5"`
			`"github.com/google/uuid"`
			`"github.com/jackc/pgx/v5"`
			`"github.com/jackc/pgx/v5/pgxpool"`
			`"golang.org/x/crypto/bcrypt"`
			`)`

			`type loginReq struct {`
			Email string `json:"email"`
			Password string `json:"password"`
			`}`

			`func AdminLogin(secret string) http.HandlerFunc {`
			`return func(w http.ResponseWriter, r *http.Request) {`
			`var req loginReq`
			`if err := jsonDecode(r, &req); err != nil {`
			`http.Error(w, "bad json", http.StatusBadRequest)`
			`return`
			`}`
			`pool := poolFrom(r)`
			`var id int`
			`var hash string`
			err := pool.QueryRow(r.Context(), `SELECT id, password_hash FROM admins WHERE lower(email) = lower($1)`, strings.TrimSpace(req.Email)).Scan(&id, &hash)
			`if err != nil {`
			`http.Error(w, "invalid credentials", http.StatusUnauthorized)`
			`return`
			`}`
			`if bcrypt.CompareHashAndPassword([]byte(hash), []byte(req.Password)) != nil {`
			`http.Error(w, "invalid credentials", http.StatusUnauthorized)`
			`return`
			`}`
			`tok, err := auth.SignAdmin(secret, id, req.Email, 724time.Hour)`
			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`writeJSON(w, map[string]any{"token": tok})`
			`}`
			`}`

			`func AdminDashboard(w http.ResponseWriter, r *http.Request) {`
			`pool := poolFrom(r)`
			`ctx := r.Context()`
			`var total, published int`
			_ = pool.QueryRow(ctx, `SELECT COUNT(*) FROM resources`).Scan(&total)
			_ = pool.QueryRow(ctx, `SELECT COUNT(*) FROM resources WHERE status = 'published'`).Scan(&published)
			`var views, downloads, favs, shares int64`
			_ = pool.QueryRow(ctx, `SELECT COALESCE(SUM(view_count),0), COALESCE(SUM(download_count),0), COALESCE(SUM(favorite_count),0), COALESCE(SUM(share_count),0) FROM resources`).Scan(&views, &downloads, &favs, &shares)
			`var todayNew int`
			_ = pool.QueryRow(ctx, `SELECT COUNT(*) FROM resources WHERE created_at::date = (now() at time zone 'utc')::date`).Scan(&todayNew)

			rows, err := pool.Query(ctx, `
			`SELECT r.id, r.title, r.download_count, r.favorite_count, r.view_count`
			FROM resources r WHERE r.status = 'published' ORDER BY (r.download_count + r.favorite_count) DESC LIMIT 8`)
			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`defer rows.Close()`
			`type hot struct {`
			ID string `json:"id"`
			Title string `json:"title"`
			Download int `json:"downloads"`
			Favorite int `json:"favorites"`
			View int `json:"views"`
			`}`
			`hotList := make([]hot, 0)`
			`for rows.Next() {`
			`var id uuid.UUID`
			`var h hot`
			`if err := rows.Scan(&id, &h.Title, &h.Download, &h.Favorite, &h.View); err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`h.ID = id.String()`
			`hotList = append(hotList, h)`
			`}`
			`if err := rows.Err(); err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

			`writeJSON(w, map[string]any{`
			`"totalResources": total,`
			`"published": published,`
			`"todayNew": todayNew,`
			`"totalViews": views,`
			`"totalDownloads": downloads,`
			`"totalFavorites": favs,`
			`"totalShares": shares,`
			`"hotResources": hotList,`
			`})`
			`}`

			`type adminResource struct {`
			ID string `json:"id"`
			Title string `json:"title"`
			Description string `json:"description"`
			Type string `json:"type"`
			Language string `json:"language"`
			CategoryID int `json:"categoryId"`
			CoverImage string `json:"coverImage"`
			FileURL string `json:"fileUrl"`
			PreviewURL string `json:"previewUrl"`
			ExternalURL string `json:"externalUrl"`
			BodyText string `json:"bodyText"`
			BadgeLabel string `json:"badgeLabel"`
			IsPublic bool `json:"isPublic"`
			IsDownloadable bool `json:"isDownloadable"`
			IsRecommended bool `json:"isRecommended"`
			SortOrder int `json:"sortOrder"`
			Status string `json:"status"`
			PublishedAt *string `json:"publishedAt"`
			Tags []string `json:"tags"`
			ViewCount int `json:"viewCount"`
			DownloadCount int `json:"downloadCount"`
			`}`

			`func AdminListResources(w http.ResponseWriter, r *http.Request) {`
			`pool := poolFrom(r)`
			`page := atoiDef(r.URL.Query().Get("page"), 1)`
			`limit := atoiDef(r.URL.Query().Get("limit"), 20)`
			`if limit > 100 {`
			`limit = 100`
			`}`
			`offset := (page - 1) * limit`
			`var total int`
			if err := pool.QueryRow(r.Context(), `SELECT COUNT(*) FROM resources`).Scan(&total); err != nil {
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			rows, err := pool.Query(r.Context(), `
			`SELECT r.id, r.title, COALESCE(r.description,''), r.type, r.language, r.category_id,`
			`COALESCE(r.cover_image,''), COALESCE(r.file_url,''), COALESCE(r.preview_url,''), COALESCE(r.external_url,''), COALESCE(r.body_text,''),`
			`COALESCE(r.badge_label,''), r.is_public, r.is_downloadable, r.is_recommended, r.sort_order, r.status, r.published_at, r.view_count, r.download_count`
			`FROM resources r`
			`ORDER BY r.updated_at DESC`
			LIMIT $1 OFFSET $2`, limit, offset)
			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`defer rows.Close()`
			`list := make([]adminResource, 0)`
			`for rows.Next() {`
			`var ar adminResource`
			`var id uuid.UUID`
			`var pub *time.Time`
			`if err := rows.Scan(&id, &ar.Title, &ar.Description, &ar.Type, &ar.Language, &ar.CategoryID, &ar.CoverImage, &ar.FileURL, &ar.PreviewURL, &ar.ExternalURL, &ar.BodyText,`
			`&ar.BadgeLabel, &ar.IsPublic, &ar.IsDownloadable, &ar.IsRecommended, &ar.SortOrder, &ar.Status, &pub, &ar.ViewCount, &ar.DownloadCount); err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`ar.ID = id.String()`
			`if pub != nil {`
			`s := pub.UTC().Format(time.RFC3339)`
			`ar.PublishedAt = &s`
			`}`
			`tags, _ := loadTagNames(r.Context(), pool, id)`
			`ar.Tags = tags`
			`list = append(list, ar)`
			`}`
			`if err := rows.Err(); err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`writeJSON(w, map[string]any{"items": list, "page": page, "limit": limit, "total": total})`
			`}`

			`type searchLogRow struct {`
			ID int64 `json:"id"`
			Query string `json:"query"`
			CreatedAt string `json:"createdAt"`
			`}`

			`func AdminSearchLogs(w http.ResponseWriter, r *http.Request) {`
			`pool := poolFrom(r)`
			`limit := atoiDef(r.URL.Query().Get("limit"), 200)`
			`if limit > 500 {`
			`limit = 500`
			`}`
			rows, err := pool.Query(r.Context(), `SELECT id, query, created_at FROM search_logs ORDER BY id DESC LIMIT $1`, limit)
			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`defer rows.Close()`
			`out := make([]searchLogRow, 0)`
			`for rows.Next() {`
			`var row searchLogRow`
			`var created time.Time`
			`if err := rows.Scan(&row.ID, &row.Query, &created); err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`row.CreatedAt = created.UTC().Format(time.RFC3339)`
			`out = append(out, row)`
			`}`
			`if err := rows.Err(); err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`writeJSON(w, map[string]any{"items": out})`
			`}`

			`func AdminGetResource(w http.ResponseWriter, r *http.Request) {`
			`pool := poolFrom(r)`
			`rid, err := uuid.Parse(chi.URLParam(r, "id"))`
			`if err != nil {`
			`http.Error(w, "bad id", http.StatusBadRequest)`
			`return`
			`}`
			row := pool.QueryRow(r.Context(), `
			`SELECT r.id, r.title, COALESCE(r.description,''), r.type, r.language, r.category_id,`
			`COALESCE(r.cover_image,''), COALESCE(r.file_url,''), COALESCE(r.preview_url,''), COALESCE(r.external_url,''), COALESCE(r.body_text,''),`
			`COALESCE(r.badge_label,''), r.is_public, r.is_downloadable, r.is_recommended, r.sort_order, r.status, r.published_at, r.view_count, r.download_count`
			FROM resources r WHERE r.id = $1`, rid)
			`var ar adminResource`
			`var rowID uuid.UUID`
			`var pub *time.Time`
			`if err := row.Scan(&rowID, &ar.Title, &ar.Description, &ar.Type, &ar.Language, &ar.CategoryID, &ar.CoverImage, &ar.FileURL, &ar.PreviewURL, &ar.ExternalURL, &ar.BodyText,`
			`&ar.BadgeLabel, &ar.IsPublic, &ar.IsDownloadable, &ar.IsRecommended, &ar.SortOrder, &ar.Status, &pub, &ar.ViewCount, &ar.DownloadCount); err != nil {`
			`if err == pgx.ErrNoRows {`
			`http.NotFound(w, r)`
			`return`
			`}`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`ar.ID = rowID.String()`
			`tags, _ := loadTagNames(r.Context(), pool, rowID)`
			`ar.Tags = tags`
			`if pub != nil {`
			`s := pub.UTC().Format(time.RFC3339)`
			`ar.PublishedAt = &s`
			`}`
			`writeJSON(w, ar)`
			`}`

			`func AdminCreateResource(w http.ResponseWriter, r *http.Request) {`
			`pool := poolFrom(r)`
			`var ar adminResource`
			`if err := jsonDecode(r, &ar); err != nil {`
			`http.Error(w, "bad json", http.StatusBadRequest)`
			`return`
			`}`
			`adminCreateResource(w, r, pool, &ar)`
			`}`

			`func AdminUpdateResource(w http.ResponseWriter, r *http.Request) {`
			`pool := poolFrom(r)`
			`var ar adminResource`
			`if err := jsonDecode(r, &ar); err != nil {`
			`http.Error(w, "bad json", http.StatusBadRequest)`
			`return`
			`}`
			`id, err := uuid.Parse(chi.URLParam(r, "id"))`
			`if err != nil {`
			`http.Error(w, "bad id", http.StatusBadRequest)`
			`return`
			`}`
			`adminUpdateResource(w, r, pool, id, &ar)`
			`}`

			`func adminCreateResource(w http.ResponseWriter, r http.Request, pool pgxpool.Pool, ar *adminResource) {`
			`ctx := r.Context()`
			`var pub *time.Time`
			`if ar.Status == "published" {`
			`t := time.Now().UTC()`
			`pub = &t`
			`}`
			row := pool.QueryRow(ctx, `
			`INSERT INTO resources (category_id, title, description, type, language, cover_image, file_url, preview_url, external_url, body_text, badge_label,`
			`is_public, is_downloadable, is_recommended, sort_order, status, published_at)`
			`VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17)`
			RETURNING id`,
			`ar.CategoryID, ar.Title, nullIfEmpty(ar.Description), ar.Type, ar.Language, nullIfEmpty(ar.CoverImage), nullIfEmpty(ar.FileURL), nullIfEmpty(ar.PreviewURL),`
			`nullIfEmpty(ar.ExternalURL), nullIfEmpty(ar.BodyText), nullIfEmpty(ar.BadgeLabel), ar.IsPublic, ar.IsDownloadable, ar.IsRecommended, ar.SortOrder, ar.Status, pub,`
			`)`
			`var newID uuid.UUID`
			`if err := row.Scan(&newID); err != nil {`
			`http.Error(w, err.Error(), http.StatusBadRequest)`
			`return`
			`}`
			`_ = replaceTags(ctx, pool, newID, ar.Tags)`
			`ar.ID = newID.String()`
			`writeJSON(w, ar)`
			`}`

			`func adminUpdateResource(w http.ResponseWriter, r http.Request, pool pgxpool.Pool, id uuid.UUID, ar *adminResource) {`
			`ctx := r.Context()`
			`var pub *time.Time`
			`if ar.PublishedAt != nil && *ar.PublishedAt != "" {`
			`t, err := time.Parse(time.RFC3339, *ar.PublishedAt)`
			`if err == nil {`
			`pub = &t`
			`}`
			`} else if ar.Status == "published" {`
			`// keep existing published_at if already set`
			`var existing *time.Time`
			_ = pool.QueryRow(ctx, `SELECT published_at FROM resources WHERE id = $1`, id).Scan(&existing)
			`if existing == nil {`
			`t := time.Now().UTC()`
			`pub = &t`
			`} else {`
			`pub = existing`
			`}`
			`}`
			cmd, err := pool.Exec(ctx, `
			`UPDATE resources SET`
			`category_id = $1, title = $2, description = $3, type = $4, language = $5,`
			`cover_image = $6, file_url = $7, preview_url = $8, external_url = $9, body_text = $10, badge_label = $11,`
			`is_public = $12, is_downloadable = $13, is_recommended = $14, sort_order = $15, status = $16, published_at = COALESCE($17, published_at),`
			`updated_at = NOW()`
			WHERE id = $18`,
			`ar.CategoryID, ar.Title, nullIfEmpty(ar.Description), ar.Type, ar.Language, nullIfEmpty(ar.CoverImage), nullIfEmpty(ar.FileURL), nullIfEmpty(ar.PreviewURL),`
			`nullIfEmpty(ar.ExternalURL), nullIfEmpty(ar.BodyText), nullIfEmpty(ar.BadgeLabel), ar.IsPublic, ar.IsDownloadable, ar.IsRecommended, ar.SortOrder, ar.Status, pub, id,`
			`)`
			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusBadRequest)`
			`return`
			`}`
			`if cmd.RowsAffected() == 0 {`
			`http.NotFound(w, r)`
			`return`
			`}`
			`_ = replaceTags(ctx, pool, id, ar.Tags)`
			`writeJSON(w, map[string]any{"ok": true})`
			`}`

			`func nullIfEmpty(s string) any {`
			`if strings.TrimSpace(s) == "" {`
			`return nil`
			`}`
			`return s`
			`}`

			`func replaceTags(ctx context.Context, pool *pgxpool.Pool, resourceID uuid.UUID, tags []string) error {`
			_, err := pool.Exec(ctx, `DELETE FROM resource_tags WHERE resource_id = $1`, resourceID)
			`if err != nil {`
			`return err`
			`}`
			`for _, t := range tags {`
			`t = strings.TrimSpace(t)`
			`if t == "" {`
			`continue`
			`}`
			`var tid int`
			`slug := tagSlug(t)`
			err := pool.QueryRow(ctx, `INSERT INTO tags (name, slug) VALUES ($1, $2)
			ON CONFLICT (slug) DO UPDATE SET name = EXCLUDED.name RETURNING id`, t, slug).Scan(&tid)
			`if err != nil {`
			_ = pool.QueryRow(ctx, `SELECT id FROM tags WHERE slug = $1`, slug).Scan(&tid)
			`}`
			_, _ = pool.Exec(ctx, `INSERT INTO resource_tags (resource_id, tag_id) VALUES ($1,$2) ON CONFLICT DO NOTHING`, resourceID, tid)
			`}`
			`return nil`
			`}`

			`func AdminDeleteResource(w http.ResponseWriter, r *http.Request) {`
			`pool := poolFrom(r)`
			`id, err := uuid.Parse(chi.URLParam(r, "id"))`
			`if err != nil {`
			`http.Error(w, "bad id", http.StatusBadRequest)`
			`return`
			`}`
			cmd, err := pool.Exec(r.Context(), `DELETE FROM resources WHERE id = $1`, id)
			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`if cmd.RowsAffected() == 0 {`
			`http.NotFound(w, r)`
			`return`
			`}`
			`writeJSON(w, map[string]any{"ok": true})`
			`}`