start.sh generate token admin

start.sh

@@ -360,6 +360,44 @@ else
     update_env VITE_TUS_ENDPOINT "http://127.0.0.1:${tusd_port:-13400}/files"
   fi
 fi
+
+generate_admin_token() {
+  if command -v openssl >/dev/null 2>&1; then
+    openssl rand -hex 32 | tr -d '\n'
+  elif command -v python3 >/dev/null 2>&1; then
+    python3 - <<'PY'
+import os, binascii
+print(binascii.hexlify(os.urandom(32)).decode())
+PY
+  elif command -v python >/dev/null 2>&1; then
+    python - <<'PY'
+import os, binascii
+print(binascii.hexlify(os.urandom(32)).decode())
+PY
+  else
+    echo "Need openssl or python to generate ADMIN_API_TOKEN" >&2
+    exit 1
+  fi
+}
+
+ensure_admin_token() {
+  local raw cur
+  raw=$(ini_val ADMIN_API_TOKEN)
+  cur=$(sanitize_assignment ADMIN_API_TOKEN "$raw")
+  if [[ -n "$cur" ]]; then
+    if [[ "$cur" != "$raw" ]]; then
+      update_env ADMIN_API_TOKEN "$cur"
+    fi
+    echo "ADMIN_API_TOKEN is set in .env; keeping existing value"
+    return
+  fi
+  echo "Generating ADMIN_API_TOKEN for admin /admin access ..."
+  local token
+  token=$(generate_admin_token)
+  update_env ADMIN_API_TOKEN "$token"
+}
+
+ensure_admin_token
 generate_kek() {
   if command -v openssl >/dev/null 2>&1; then
     openssl rand -base64 32 | tr -d '\n'