export async function requireAdmin(request: Request) {
  // Simple fallback: check x-admin-token header vs ADMIN_TOKEN
  const token = request.headers.get('x-admin-token');
  if (process.env.ADMIN_TOKEN && token === process.env.ADMIN_TOKEN) return;
  throw new Response('Unauthorized', { status: 401 });
}