Initial commit — Performance West telecom compliance platform

Includes: API (Express/TypeScript), Astro site, Python workers,
document generators, FCC compliance tools, Canada CRTC formation,
Ansible infrastructure, and deployment scripts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/src/middleware/admin-auth.ts

@@ -0,0 +1,41 @@
+import type { Request, Response, NextFunction } from "express";
+import jwt from "jsonwebtoken";
+import { config } from "../config.js";
+
+const JWT_SECRET = process.env.ADMIN_JWT_SECRET || "change-this-in-production";
+
+export interface AdminPayload {
+  id: number;
+  username: string;
+}
+
+declare global {
+  namespace Express {
+    interface Request {
+      admin?: AdminPayload;
+    }
+  }
+}
+
+/** Sign a JWT for an admin user. */
+export function signAdminToken(payload: AdminPayload): string {
+  return jwt.sign(payload, JWT_SECRET, { expiresIn: "8h" });
+}
+
+/** Verify admin JWT from Authorization: Bearer <token> header. */
+export function requireAdmin(req: Request, res: Response, next: NextFunction): void {
+  const header = req.headers.authorization;
+  if (!header || !header.startsWith("Bearer ")) {
+    res.status(401).json({ error: "Authentication required." });
+    return;
+  }
+
+  const token = header.slice(7);
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET) as AdminPayload;
+    req.admin = decoded;
+    next();
+  } catch {
+    res.status(401).json({ error: "Invalid or expired token." });
+  }
+}