Phase 5: library & stats

- Full library home page: question list with per-user mastery stats,
  search/source filter, sort (A-Z, weakest first, most-seen), source
  breakdown in header, Take a test CTA.
- GET/POST /questions/{id}: view and edit question text, source, answers;
  radio-select correct answer; shows seen×/correct% stat.
- POST /questions/{id}/delete: hard delete (cascades to answers via FK).
- repo: ListQuestions supports SortWeakest/SortMostSeen via LEFT JOIN;
  added CountBySource, UpdateQuestion, UpdateAnswers, DeleteQuestion.
- render: added pct template func (correct*100/seen).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/handlers/question.go

@@ -0,0 +1,112 @@
+package handlers
+
+import (
+	"fmt"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"github.com/go-chi/chi/v5"
+
+	"qbank/internal/auth"
+	"qbank/internal/db"
+)
+
+type QuestionHandler struct {
+	auth   *auth.Manager
+	repo   *db.Repo
+	render *Renderer
+}
+
+func NewQuestionHandler(a *auth.Manager, repo *db.Repo, r *Renderer) *QuestionHandler {
+	return &QuestionHandler{auth: a, repo: repo, render: r}
+}
+
+func (h *QuestionHandler) Show(w http.ResponseWriter, r *http.Request) {
+	id := chi.URLParam(r, "id")
+	user := auth.UserFromCtx(r.Context())
+
+	q, answers, err := h.repo.GetQuestion(id)
+	if err != nil {
+		HTTPError(w, http.StatusNotFound)
+		return
+	}
+
+	stats, _ := h.repo.GetStatsForUser(user.ID, []string{id})
+
+	data := BaseData(h.auth, r)
+	data["Question"] = q
+	data["Answers"] = answers
+	data["Stat"] = stats[id]
+
+	h.render.Render(w, http.StatusOK, "question", data)
+}
+
+func (h *QuestionHandler) Edit(w http.ResponseWriter, r *http.Request) {
+	id := chi.URLParam(r, "id")
+
+	if !h.auth.CheckCSRF(r) {
+		HTTPError(w, http.StatusForbidden)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
+	if err := r.ParseForm(); err != nil {
+		HTTPError(w, http.StatusBadRequest)
+		return
+	}
+
+	_, answers, err := h.repo.GetQuestion(id)
+	if err != nil {
+		HTTPError(w, http.StatusNotFound)
+		return
+	}
+
+	text := r.FormValue("q_text")
+	source := r.FormValue("source")
+	correctIdx, _ := strconv.Atoi(r.FormValue("correct"))
+
+	if err := h.repo.UpdateQuestion(id, text, source); err != nil {
+		slog.Error("update question", "err", err)
+		HTTPError(w, http.StatusInternalServerError)
+		return
+	}
+
+	updates := make([]db.AnswerUpdate, len(answers))
+	for i, a := range answers {
+		updates[i] = db.AnswerUpdate{
+			ID:        a.ID,
+			Text:      r.FormValue(fmt.Sprintf("a_text_%d", i)),
+			IsCorrect: i == correctIdx,
+		}
+	}
+	if err := h.repo.UpdateAnswers(updates); err != nil {
+		slog.Error("update answers", "err", err)
+		HTTPError(w, http.StatusInternalServerError)
+		return
+	}
+
+	h.auth.SetFlash(r, "Question saved.")
+	http.Redirect(w, r, "/questions/"+id, http.StatusSeeOther)
+}
+
+func (h *QuestionHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	id := chi.URLParam(r, "id")
+
+	if !h.auth.CheckCSRF(r) {
+		HTTPError(w, http.StatusForbidden)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, 4096)
+	r.ParseForm()
+
+	if err := h.repo.DeleteQuestion(id); err != nil {
+		slog.Error("delete question", "err", err)
+		HTTPError(w, http.StatusInternalServerError)
+		return
+	}
+
+	h.auth.SetFlash(r, "Question deleted.")
+	http.Redirect(w, r, "/", http.StatusSeeOther)
+}