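// Add whitelist endpoints (protected)
// auth.middleware is the only gate visible on these routes.
// NOTE(review): confirm it enforces an admin role and not just a valid session.
// NOTE(review): whitelist inserts and deletes are not attributed to req.user;
// consider recording who made each change.

/** GET /admin/whitelist: return every whitelist row, newest id first. */
app.get('/admin/whitelist', auth.middleware, async (req, res) => {
  try {
    const [rows] = await db.query(
      'SELECT id, identifier, note, created_at FROM auto_whitelist ORDER BY id DESC'
    );
    res.json(rows);
  } catch (e) {
    console.error('GET /admin/whitelist failed:', e);
    res.status(500).json({ error: 'server' });
  }
});

/**
 * POST /admin/whitelist: insert one whitelist row.
 * Body: { identifier, note? }. Responds 400 when identifier is missing or when
 * either field is an object/array, 500 on a database error.
 */
app.post('/admin/whitelist', auth.middleware, async (req, res) => {
  // A missing body (no parser ran, or an empty request) must yield a 400
  // instead of a destructuring TypeError thrown outside the try block.
  const { identifier, note } = req.body || {};
  if (!identifier) return res.status(400).json({ error: 'missing' });

  const noteValue = note || '';
  // Only scalars may reach the placeholders: a JSON body can carry objects or
  // arrays, and the driver's `?` substitution formats those differently from
  // scalars. NOTE(review): assumes a mysql/mysql2-style driver; confirm.
  if (typeof identifier === 'object' || typeof noteValue === 'object') {
    return res.status(400).json({ error: 'invalid' });
  }

  try {
    await db.query(
      'INSERT INTO auto_whitelist (identifier, note, created_at) VALUES (?, ?, ?)',
      [identifier, noteValue, Math.floor(Date.now() / 1000)]
    );
    res.json({ ok: true });
  } catch (e) {
    // Keep driver error text in the server log; the client gets the same
    // generic code as the other handlers so schema details are not disclosed.
    console.error('POST /admin/whitelist failed:', e);
    res.status(500).json({ error: 'server' });
  }
});

/** DELETE /admin/whitelist/:id: delete the whitelist row with the given id. */
app.delete('/admin/whitelist/:id', auth.middleware, async (req, res) => {
  try {
    await db.query('DELETE FROM auto_whitelist WHERE id = ?', [req.params.id]);
    res.json({ ok: true });
  } catch (e) {
    console.error('DELETE /admin/whitelist/:id failed:', e);
    res.status(500).json({ error: 'server' });
  }
});

// Review-queue: list flagged
/** GET /admin/flags: return up to 200 unreviewed flags, most recent first. */
app.get('/admin/flags', auth.middleware, async (req, res) => {
  try {
    const [rows] = await db.query(
      'SELECT id, player_id, reason, pts, meta, flagged_at, reviewed_by, action_taken FROM flagged_reviews WHERE reviewed_at IS NULL ORDER BY flagged_at DESC LIMIT 200'
    );
    res.json(rows);
  } catch (e) {
    console.error('GET /admin/flags failed:', e);
    res.status(500).json({ error: 'server' });
  }
});

// Review-queue: record a reviewer's decision on a flagged entry
/**
 * POST /admin/flags/:id/review: stamp the flag with the reviewer's username,
 * the current Unix time, the action taken and optional notes, then broadcast
 * 'flag:updated' over io.
 * Body: { action?, notes? }. Responds 400 when either field is an object/array.
 * NOTE(review): the UPDATE has no reviewed_at IS NULL condition, so a row that
 * was already reviewed is overwritten, including reviewed_by; confirm whether
 * the audit trail should be write-once.
 */
app.post('/admin/flags/:id/review', auth.middleware, async (req, res) => {
  // Tolerate a missing body so the handler answers instead of throwing
  // outside the try block.
  const { action, notes } = req.body || {};
  const id = req.params.id;

  const actionValue = action || '';
  const notesValue = notes || '';
  // Same scalar-only rule as the whitelist insert: objects and arrays from the
  // request body must not be bound to a placeholder.
  if (typeof actionValue === 'object' || typeof notesValue === 'object') {
    return res.status(400).json({ error: 'invalid' });
  }

  try {
    await db.query(
      'UPDATE flagged_reviews SET reviewed_by = ?, reviewed_at = ?, action_taken = ?, notes = ? WHERE id = ?',
      [req.user.username, Math.floor(Date.now() / 1000), actionValue, notesValue, id]
    );
    res.json({ ok: true });
    io.emit('flag:updated', { id, action });
  } catch (e) {
    console.error('POST /admin/flags/:id/review failed:', e);
    // The response may already be sent if the failure came from io.emit;
    // answering a second time would throw inside this handler.
    if (!res.headersSent) res.status(500).json({ error: 'server' });
  }
});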