diff --git a/src/app/admin/page.tsx b/src/app/admin/page.tsx
index 1322519..b8a8fff 100644
--- a/src/app/admin/page.tsx
+++ b/src/app/admin/page.tsx
@@ -1,11 +1,21 @@
 import { AppShell } from "@/components/app-shell";
 import { StatusBadge } from "@/components/status-badge";
 import { SYSTEM_PERMISSIONS } from "@/lib/access";
+import { requireCurrentUser, userIsAdmin } from "@/lib/session";
+import { requireInitialSetup } from "@/lib/setup";
 import { rooms } from "@/lib/sample-data";
+import { redirect } from "next/navigation";
+
+export default async function AdminPage() {
+  await requireInitialSetup();
+  const user = await requireCurrentUser();
+
+  if (!userIsAdmin(user)) {
+    redirect("/dashboard");
+  }
 
-export default function AdminPage() {
   return (
-    <AppShell active="Admin">
+    <AppShell active="Admin" isAdmin>
       <header className="topbar">
         <div className="title-block">
           <h1>Admin</h1>
diff --git a/src/app/dashboard/page.tsx b/src/app/dashboard/page.tsx
index afbd92f..d7e29b8 100644
--- a/src/app/dashboard/page.tsx
+++ b/src/app/dashboard/page.tsx
@@ -1,14 +1,16 @@
 import { AppShell } from "@/components/app-shell";
 import { RoomConsole } from "@/components/room-console";
 import { StatusBadge } from "@/components/status-badge";
-import { getCurrentUser } from "@/lib/session";
+import { requireCurrentUser, userIsAdmin } from "@/lib/session";
+import { requireInitialSetup } from "@/lib/setup";
 import { dashboardStats, friends, rooms } from "@/lib/sample-data";
 
 export default async function DashboardPage() {
-  const user = await getCurrentUser();
+  await requireInitialSetup();
+  const user = await requireCurrentUser();
 
   return (
-    <AppShell active="Dashboard">
+    <AppShell active="Dashboard" isAdmin={userIsAdmin(user)}>
       <header className="topbar">
         <div className="title-block">
           <h1>Dashboard</h1>
diff --git a/src/app/friends/page.tsx b/src/app/friends/page.tsx
index 1ec8544..769123d 100644
--- a/src/app/friends/page.tsx
+++ b/src/app/friends/page.tsx
@@ -1,10 +1,15 @@
 import { AppShell } from "@/components/app-shell";
 import { StatusBadge } from "@/components/status-badge";
+import { requireCurrentUser, userIsAdmin } from "@/lib/session";
+import { requireInitialSetup } from "@/lib/setup";
 import { friends } from "@/lib/sample-data";
 
-export default function FriendsPage() {
+export default async function FriendsPage() {
+  await requireInitialSetup();
+  const user = await requireCurrentUser();
+
   return (
-    <AppShell active="Friends">
+    <AppShell active="Friends" isAdmin={userIsAdmin(user)}>
       <header className="topbar">
         <div className="title-block">
           <h1>Friends</h1>
diff --git a/src/app/login/page.tsx b/src/app/login/page.tsx
index 49f9865..4f4b357 100644
--- a/src/app/login/page.tsx
+++ b/src/app/login/page.tsx
@@ -1,7 +1,13 @@
 import Link from "next/link";
 import { loginUser } from "@/lib/user-actions";
+import { hasAdminUser } from "@/lib/setup";
+import { redirect } from "next/navigation";
+
+export default async function LoginPage() {
+  if (!(await hasAdminUser())) {
+    redirect("/setup");
+  }
 
-export default function LoginPage() {
   return (
     <main className="auth-page">
       <section className="auth-card">
diff --git a/src/app/page.tsx b/src/app/page.tsx
index 9ef1235..8c82da7 100644
--- a/src/app/page.tsx
+++ b/src/app/page.tsx
@@ -1,5 +1,10 @@
 import { redirect } from "next/navigation";
+import { hasAdminUser } from "@/lib/setup";
+
+export default async function HomePage() {
+  if (!(await hasAdminUser())) {
+    redirect("/setup");
+  }
 
-export default function HomePage() {
   redirect("/dashboard");
 }
diff --git a/src/app/register/page.tsx b/src/app/register/page.tsx
index bd8ede5..37776e4 100644
--- a/src/app/register/page.tsx
+++ b/src/app/register/page.tsx
@@ -1,7 +1,13 @@
 import Link from "next/link";
 import { registerUser } from "@/lib/user-actions";
+import { hasAdminUser } from "@/lib/setup";
+import { redirect } from "next/navigation";
+
+export default async function RegisterPage() {
+  if (!(await hasAdminUser())) {
+    redirect("/setup");
+  }
 
-export default function RegisterPage() {
   return (
     <main className="auth-page">
       <section className="auth-card">
diff --git a/src/app/rooms/[slug]/page.tsx b/src/app/rooms/[slug]/page.tsx
index 9b9d5f9..b491013 100644
--- a/src/app/rooms/[slug]/page.tsx
+++ b/src/app/rooms/[slug]/page.tsx
@@ -1,13 +1,17 @@
 import { AppShell } from "@/components/app-shell";
 import { RoomConsole } from "@/components/room-console";
 import { StatusBadge } from "@/components/status-badge";
+import { requireCurrentUser, userIsAdmin } from "@/lib/session";
+import { requireInitialSetup } from "@/lib/setup";
 
 export default async function RoomPage({ params }: { params: Promise<{ slug: string }> }) {
+  await requireInitialSetup();
+  const user = await requireCurrentUser();
   const { slug } = await params;
   const roomSlug = decodeURIComponent(slug);
 
   return (
-    <AppShell active="Rooms">
+    <AppShell active="Rooms" isAdmin={userIsAdmin(user)}>
       <header className="topbar">
         <div className="title-block">
           <h1>{roomSlug}</h1>
diff --git a/src/app/setup/page.tsx b/src/app/setup/page.tsx
index 1f3dcdd..3c2432e 100644
--- a/src/app/setup/page.tsx
+++ b/src/app/setup/page.tsx
@@ -3,21 +3,10 @@ import { hash } from "bcryptjs";
 import { prisma } from "@/lib/prisma";
 import { SYSTEM_PERMISSIONS } from "@/lib/access";
 import { setSession } from "@/lib/session";
+import { hasAdminUser } from "@/lib/setup";
 
 export const dynamic = "force-dynamic";
 
-async function hasAdmin() {
-  try {
-    const admin = await prisma.userRole.findFirst({
-      where: { role: { name: "admin" } },
-      select: { userId: true }
-    });
-    return Boolean(admin);
-  } catch {
-    return false;
-  }
-}
-
 async function createFirstAdmin(formData: FormData) {
   "use server";
 
@@ -95,7 +84,7 @@ async function createFirstAdmin(formData: FormData) {
 }
 
 export default async function SetupPage() {
-  if (await hasAdmin()) {
+  if (await hasAdminUser()) {
     redirect("/login");
   }
 
diff --git a/src/components/app-shell.tsx b/src/components/app-shell.tsx
index fba6213..4dda999 100644
--- a/src/components/app-shell.tsx
+++ b/src/components/app-shell.tsx
@@ -1,15 +1,23 @@
 import Link from "next/link";
-import { Gauge, MonitorPlay, Shield, UserRoundPlus, UsersRound } from "lucide-react";
+import { Gauge, MonitorPlay, Shield, UsersRound } from "lucide-react";
 
 const nav = [
   { href: "/dashboard", label: "Dashboard", icon: Gauge },
   { href: "/rooms/@admin", label: "Rooms", icon: MonitorPlay },
-  { href: "/friends", label: "Friends", icon: UsersRound },
-  { href: "/admin", label: "Admin", icon: Shield },
-  { href: "/setup", label: "Setup", icon: UserRoundPlus }
+  { href: "/friends", label: "Friends", icon: UsersRound }
 ];
 
-export function AppShell({ children, active = "Dashboard" }: { children: React.ReactNode; active?: string }) {
+export function AppShell({
+  children,
+  active = "Dashboard",
+  isAdmin = false
+}: {
+  children: React.ReactNode;
+  active?: string;
+  isAdmin?: boolean;
+}) {
+  const visibleNav = isAdmin ? [...nav, { href: "/admin", label: "Admin", icon: Shield }] : nav;
+
   return (
     <div className="app-shell">
       <aside className="sidebar">
@@ -18,7 +26,7 @@ export function AppShell({ children, active = "Dashboard" }: { children: React.R
           <span>WatchLink</span>
         </Link>
         <nav className="nav-list" aria-label="Primary">
-          {nav.map((item) => {
+          {visibleNav.map((item) => {
             const Icon = item.icon;
             return (
               <Link key={item.href} href={item.href} className={`nav-item ${active === item.label ? "active" : ""}`}>
diff --git a/src/lib/session.ts b/src/lib/session.ts
index b6ca249..288fd44 100644
--- a/src/lib/session.ts
+++ b/src/lib/session.ts
@@ -1,5 +1,6 @@
 import { createHmac, timingSafeEqual } from "node:crypto";
 import { cookies } from "next/headers";
+import { redirect } from "next/navigation";
 import { prisma } from "./prisma";
 
 const COOKIE_NAME = "watchlink_session";
@@ -49,3 +50,15 @@ export async function getCurrentUser() {
     include: { roles: { include: { role: true } } }
   });
 }
+
+export function userIsAdmin(user: Awaited<ReturnType<typeof getCurrentUser>>) {
+  return Boolean(user?.roles.some((userRole) => userRole.role.name === "admin"));
+}
+
+export async function requireCurrentUser() {
+  const user = await getCurrentUser();
+  if (!user) {
+    redirect("/login");
+  }
+  return user;
+}
diff --git a/src/lib/setup.ts b/src/lib/setup.ts
new file mode 100644
index 0000000..01e7693
--- /dev/null
+++ b/src/lib/setup.ts
@@ -0,0 +1,20 @@
+import { redirect } from "next/navigation";
+import { prisma } from "./prisma";
+
+export async function hasAdminUser() {
+  try {
+    const admin = await prisma.userRole.findFirst({
+      where: { role: { name: "admin" } },
+      select: { userId: true }
+    });
+    return Boolean(admin);
+  } catch {
+    return false;
+  }
+}
+
+export async function requireInitialSetup() {
+  if (!(await hasAdminUser())) {
+    redirect("/setup");
+  }
+}