diff --git a/admin/setup.php b/admin/setup.php
new file mode 100644
index 0000000..1a944c1
--- /dev/null
+++ b/admin/setup.php
@@ -0,0 +1,123 @@
+<?php
+require_once __DIR__ . '/../includes/db.php';
+require_once __DIR__ . '/../includes/csrf.php';
+
+if (session_status() === PHP_SESSION_NONE) session_start();
+
+// Setup key - change this or delete this file after setup
+define('SETUP_KEY', 'gestorialp2026');
+
+$message = '';
+$error = '';
+
+// Verify setup key
+$keyValid = false;
+if (isset($_GET['key']) && $_GET['key'] === SETUP_KEY) {
+    $keyValid = true;
+    $_SESSION['setup_key_valid'] = true;
+} elseif (!empty($_SESSION['setup_key_valid'])) {
+    $keyValid = true;
+}
+
+if (!$keyValid) {
+    die('<!DOCTYPE html><html><head><title>Setup</title></head><body style="font-family:Inter,sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;"><div style="text-align:center;"><h1>Acceso Denegado</h1><p>Necesitas la clave de setup. Accede con: <code>setup.php?key=TU_CLAVE</code></p></div></body></html>');
+}
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && csrfValidate()) {
+    $username = trim($_POST['username'] ?? 'admin');
+    $password = $_POST['password'] ?? '';
+    $passwordConfirm = $_POST['password_confirm'] ?? '';
+
+    if (strlen($password) < 8) {
+        $error = 'La contraseña debe tener al menos 8 caracteres.';
+    } elseif ($password !== $passwordConfirm) {
+        $error = 'Las contraseñas no coinciden.';
+    } else {
+        $db = getDB();
+        $hash = password_hash($password, PASSWORD_DEFAULT);
+
+        // Check if user exists
+        $stmt = $db->prepare('SELECT id FROM usuarios WHERE username = ?');
+        $stmt->execute([$username]);
+        $existing = $stmt->fetch();
+
+        if ($existing) {
+            $stmt = $db->prepare('UPDATE usuarios SET password_hash = ? WHERE username = ?');
+            $stmt->execute([$hash, $username]);
+            $message = "Contraseña actualizada para el usuario '{$username}'.";
+        } else {
+            $stmt = $db->prepare('INSERT INTO usuarios (username, password_hash, email) VALUES (?, ?, ?)');
+            $stmt->execute([$username, $hash, 'admin@gestorialp.com']);
+            $message = "Usuario '{$username}' creado exitosamente.";
+        }
+
+        // Clear setup session
+        unset($_SESSION['setup_key_valid']);
+    }
+}
+?>
+<!DOCTYPE html>
+<html lang="es">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Setup - Gestoría LP</title>
+    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;600;700&display=swap" rel="stylesheet">
+    <style>
+        * { margin: 0; padding: 0; box-sizing: border-box; }
+        body { font-family: 'Inter', sans-serif; background: linear-gradient(135deg, #1B3A5C 0%, #0d1f33 100%); min-height: 100vh; display: flex; align-items: center; justify-content: center; }
+        .setup-card { background: white; padding: 2.5rem; border-radius: 12px; box-shadow: 0 20px 60px rgba(0,0,0,0.3); width: 100%; max-width: 450px; }
+        .setup-card h1 { color: #1B3A5C; margin-bottom: 0.5rem; }
+        .setup-card p { color: #666; margin-bottom: 1.5rem; }
+        .form-group { margin-bottom: 1rem; }
+        .form-group label { display: block; font-weight: 600; margin-bottom: 0.3rem; color: #333; }
+        .form-group input { width: 100%; padding: 0.75rem; border: 2px solid #ddd; border-radius: 8px; font-size: 1rem; transition: border-color 0.3s; }
+        .form-group input:focus { outline: none; border-color: #C9A94E; }
+        .btn { width: 100%; padding: 0.85rem; background: #1B3A5C; color: white; border: none; border-radius: 8px; font-size: 1rem; font-weight: 600; cursor: pointer; transition: background 0.3s; }
+        .btn:hover { background: #142d47; }
+        .alert { padding: 1rem; border-radius: 8px; margin-bottom: 1rem; }
+        .alert--success { background: #d4edda; color: #155724; border: 1px solid #c3e6cb; }
+        .alert--danger { background: #f8d7da; color: #721c24; border: 1px solid #f5c6cb; }
+        .note { margin-top: 1.5rem; padding: 1rem; background: #fff3cd; border-radius: 8px; font-size: 0.85rem; color: #856404; }
+    </style>
+</head>
+<body>
+    <div class="setup-card">
+        <h1>Setup Inicial</h1>
+        <p>Configura tu usuario administrador para Gestoría LP</p>
+
+        <?php if ($message): ?>
+            <div class="alert alert--success">
+                <?= htmlspecialchars($message) ?>
+                <br><br><a href="login.php" style="color:#155724;font-weight:600;">Ir al Login →</a>
+            </div>
+        <?php endif; ?>
+
+        <?php if ($error): ?>
+            <div class="alert alert--danger"><?= htmlspecialchars($error) ?></div>
+        <?php endif; ?>
+
+        <?php if (!$message): ?>
+        <form method="POST">
+            <?= csrfField() ?>
+            <div class="form-group">
+                <label for="username">Usuario</label>
+                <input type="text" id="username" name="username" value="admin" required>
+            </div>
+            <div class="form-group">
+                <label for="password">Contraseña</label>
+                <input type="password" id="password" name="password" required minlength="8" placeholder="Mínimo 8 caracteres">
+            </div>
+            <div class="form-group">
+                <label for="password_confirm">Confirmar Contraseña</label>
+                <input type="password" id="password_confirm" name="password_confirm" required>
+            </div>
+            <button type="submit" class="btn">Crear / Actualizar Usuario</button>
+        </form>
+        <div class="note">
+            <strong>Importante:</strong> Después de configurar tu usuario, elimina este archivo (setup.php) del servidor por seguridad.
+        </div>
+        <?php endif; ?>
+    </div>
+</body>
+</html>