fix admin auth for private HF Space; add manage_results script

The HF Space is private, so its proxy requires a valid HF token as the
Authorization Bearer header, preventing our ADMIN_TOKEN from reaching
Express. adminAuth now also accepts the token via X-Admin-Token header.
manage_results.sh sends both headers (HF_TOKEN as Bearer, ADMIN_TOKEN
as X-Admin-Token) so downloads and deletes work through the proxy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

manage_results.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+# Load .env
+if [[ -f "$SCRIPT_DIR/.env" ]]; then
+  set -a; source "$SCRIPT_DIR/.env"; set +a
+else
+  echo "Error: .env file not found"; exit 1
+fi
+
+HOST="${DIFFMT_HOST:-https://htw-ki-werkstatt-diffmt.hf.space}"
+
+# The Space is private, so HF's proxy requires a valid HF_TOKEN as Bearer.
+# Our ADMIN_TOKEN travels in X-Admin-Token to avoid the conflict.
+auth_headers=(-H "Authorization: Bearer ${HF_TOKEN}" -H "X-Admin-Token: ${ADMIN_TOKEN}")
+
+cmd="${1:-}"
+
+if [[ "$cmd" == "download" ]]; then
+  OUT="$SCRIPT_DIR/results_$(date +%Y%m%d_%H%M%S).json"
+  echo "Downloading results from $HOST …"
+  http_code=$(curl -sf -w "%{http_code}" -o "$OUT" \
+    "${auth_headers[@]}" "$HOST/api/export")
+  if [[ "$http_code" == "200" ]]; then
+    echo "Saved to $OUT"
+    python3 -c "
+import json, sys
+d = json.load(open('$OUT'))
+print(f\"Sessions: {len(d.get('sessions',[]))}\")
+print(f\"Trials:   {len(d.get('trials',[]))}\")
+"
+  else
+    rm -f "$OUT"
+    echo "Error: server returned HTTP $http_code"
+    exit 1
+  fi
+
+elif [[ "$cmd" == "delete" ]]; then
+  read -rp "Delete ALL results on the server? Type YES to confirm: " confirm
+  if [[ "$confirm" != "YES" ]]; then echo "Aborted."; exit 0; fi
+  http_code=$(curl -sf -w "%{http_code}" -o /dev/null -X POST \
+    "${auth_headers[@]}" "$HOST/api/admin/clear")
+  echo "Server responded: HTTP $http_code"
+
+else
+  echo "Usage: $0 <download|delete>"
+  exit 1
+fi

server.js

@@ -13,8 +13,13 @@ function adminAuth(req, res, next) {
   if (!ADMIN_TOKEN) {
     return res.status(503).json({ error: 'Admin access disabled: ADMIN_TOKEN not set' });
   }
-  const auth = req.headers.authorization || '';
-  if (auth !== `Bearer ${ADMIN_TOKEN}`) {
+  // Accept token via Authorization Bearer OR X-Admin-Token header.
+  // The X-Admin-Token header is needed when the HF Space is private:
+  // HF's proxy requires a valid HF token as the Bearer header, so the
+  // admin token must travel in a separate header.
+  const bearer = (req.headers.authorization || '').replace(/^Bearer\s+/i, '');
+  const custom  = req.headers['x-admin-token'] || '';
+  if (bearer !== ADMIN_TOKEN && custom !== ADMIN_TOKEN) {
     return res.status(401).json({ error: 'Unauthorized' });
   }
   next();

start.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+cd "$SCRIPT_DIR"
+
+# Load .env if present
+if [[ -f .env ]]; then
+  set -a; source .env; set +a
+fi
+
+# Locate node — try nvm, then Homebrew, then PATH
+if [[ -z "$(command -v node 2>/dev/null)" ]]; then
+  [[ -s "$HOME/.nvm/nvm.sh" ]] && source "$HOME/.nvm/nvm.sh"
+  for p in /opt/homebrew/bin /usr/local/bin; do
+    [[ -x "$p/node" ]] && export PATH="$p:$PATH" && break
+  done
+fi
+
+NODE="$(command -v node 2>/dev/null)" \
+  || { echo "Error: node not found. Install Node.js and try again."; exit 1; }
+
+# Use local data dir instead of HF bucket
+export DATA_PATH="$SCRIPT_DIR/data/results.json"
+
+PORT="${PORT:-3000}"
+URL="http://localhost:$PORT"
+
+echo "Starting DiffMT on $URL  (node: $NODE)"
+open "$URL" 2>/dev/null || true   # open browser on macOS; silently skipped elsewhere
+
+"$NODE" server.js