export async function requireAdmin(request: Request) {
  // If ADMIN_TOKEN is not set, allow access (dev mode)
  if (!process.env.ADMIN_TOKEN) return;
  // Otherwise check the x-admin-token header
  const token = request.headers.get('x-admin-token');
  if (token === process.env.ADMIN_TOKEN) return;
  throw new Response('Unauthorized', { status: 401 });
}