feat(admin): phase 4 — Cmd+K command palette

Global search modal: actions + users + tests + classes.

- GET /api/admin/search?q=X (~50L controller): 3 parameterized LIKE queries, admin-only

- frontend/js/admin/palette.js (~366L): custom lightweight modal (not LS.modal — footer-button oriented), Ctrl+K/Cmd+K capture-phase override of generic /js/search.js, debounce 150ms, race-guard via _reqSeq, min-query 2 chars, 8 hardcoded actions, ↑↓ wrap + Enter, click-outside close

- adminGlobalSearch helper: drop ignored 'limit' param (server hardcodes 5/3/3)

window.AdminPalette = { open, close, isOpen } exposed for Phase 5/6 use.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/controllers/adminController.js

@@ -82,6 +82,51 @@ function getOverview(_req, res) {
   }
 }
 
+/* ── Global search (Phase 4 command palette) — prepared statements ────── */
+const searchStmts = {
+  users:   db.prepare(`
+    SELECT id, name, email, role
+    FROM users
+    WHERE name LIKE ? OR email LIKE ?
+    ORDER BY (CASE WHEN name LIKE ? THEN 0 ELSE 1 END), id DESC
+    LIMIT 5
+  `),
+  tests:   db.prepare(`
+    SELECT id, title AS name, subject_slug
+    FROM tests
+    WHERE title LIKE ?
+    ORDER BY id DESC
+    LIMIT 3
+  `),
+  classes: db.prepare(`
+    SELECT id, name, invite_code AS code
+    FROM classes
+    WHERE name LIKE ? OR invite_code LIKE ?
+    ORDER BY id DESC
+    LIMIT 3
+  `),
+};
+
+/* ── GET /api/admin/search?q=X ────────────────────────────────────────── */
+function globalSearch(req, res) {
+  const q = (req.query.q || '').trim();
+  if (q.length < 2) {
+    return res.json({ users: [], tests: [], classes: [] });
+  }
+  try {
+    const like = `%${q}%`;
+    const prefix = `${q}%`;
+    res.json({
+      users:   searchStmts.users.all(like, like, prefix),
+      tests:   searchStmts.tests.all(like),
+      classes: searchStmts.classes.all(like, like),
+    });
+  } catch (err) {
+    console.error('[admin.search]', err.message);
+    res.status(500).json({ error: 'Search failed' });
+  }
+}
+
 /* ── GET /api/admin/users?page=1&limit=50&role=student&q=name ─────────── */
 function getUsers(req, res) {
   const limit  = Math.min(200, Math.max(1, Number(req.query.limit) || 50));
@@ -591,7 +636,7 @@ function broadcast(req, res) {
 }
 
 module.exports = {
-  getStats, getOverview,
+  getStats, getOverview, globalSearch,
   getUsers, updateRole, getUserSessions, getAllSessions, getSessionDetail,
   clearUserSessions, updateUser, banUser, deleteUser,
   getFeatures, updateFeatures, getFreeStudentFeatures, updateFreeStudentFeatures,

backend/src/routes/admin.js

@@ -15,6 +15,7 @@ router.use(requireRole('admin'));
 
 router.get('/stats',                  ctrl.getStats);
 router.get('/overview',               ctrl.getOverview);
+router.get('/search',                 ctrl.globalSearch);
 router.get('/users',                  ctrl.getUsers);
 router.patch('/users/:id/role',       ctrl.updateRole);
 router.get('/users/:id/sessions',     ctrl.getUserSessions);