changes

DEPLOYMENT.md

@@ -43,6 +43,41 @@ Keep the game server bound to `127.0.0.1`. Set `TRUST_PROXY=1` only when the
 server can be reached solely through your local reverse proxy. This lets account
 limits use the visitor's public IP instead of the proxy's address.
 
+## Separate auth server
+
+The auth routes can run as their own Node process. This is useful when you want
+`auth.phenomrom.com` to stay available while the game server is being rebuilt or
+changed.
+
+On the TrueNAS host, run the auth process against the same project data folder:
+
+```sh
+npm ci
+npm run db:init
+AUTH_HOST=127.0.0.1 AUTH_PORT=4174 TRUST_PROXY=1 COOKIE_SECURE=1 AUTH_CORS_ORIGINS=https://phenomrom.com npm run auth:start
+```
+
+Point `auth.phenomrom.com` at that process through HTTPS:
+
+```caddyfile
+auth.phenomrom.com {
+  reverse_proxy 127.0.0.1:4174
+}
+```
+
+Build the web or mobile app with the auth base URL set separately from the game
+API:
+
+```sh
+VITE_AUTH_API_BASE_URL=https://auth.phenomrom.com npm run build
+```
+
+For a Capacitor wrapper, set `window.CAPACITOR_AUTH_API_BASE_URL` to
+`https://auth.phenomrom.com` the same way `window.CAPACITOR_API_BASE_URL` is set.
+The app stores the returned bearer token locally and sends it with later API
+requests, so auth works across subdomains and inside the mobile WebView. Existing
+same-origin cookie sessions still work when auth is served by the game server.
+
 ## Account limits
 
 Registration permits one account per public IP by default. Login and API rate