Scope server routes by base path

deploy/README.md

@@ -79,21 +79,19 @@ cd "$REPO_ROOT"
 Expected proxy endpoints:
 
 ```apache
-ProxyPass        /ws  ws://127.0.0.1:8765
-ProxyPassReverse /ws  ws://127.0.0.1:8765
-ProxyPass        /auth/session/  http://127.0.0.1:8765/auth/session/
-ProxyPassReverse /auth/session/  http://127.0.0.1:8765/auth/session/
+ProxyPass        /chgrid/ws  ws://127.0.0.1:8765/chgrid/ws
+ProxyPassReverse /chgrid/ws  ws://127.0.0.1:8765/chgrid/ws
+ProxyPass        /chgrid/auth/session/  http://127.0.0.1:8765/chgrid/auth/session/
+ProxyPassReverse /chgrid/auth/session/  http://127.0.0.1:8765/chgrid/auth/session/
 ```
 
 The websocket server enforces browser origin matching against `CHGRID_HOST_ORIGIN`, so the public site origin must match that env var exactly.
+The `server.base_path` value in `config.toml` must match the published client path and the proxy paths above.
 
 What each route does:
-- `/ws`: websocket signaling (presence, movement, item actions, chat, voice signaling).
-- `/auth/session/set`: called by client after successful login to set `HttpOnly` session cookie.
-- `/auth/session/clear`: called by client on logout/session-reset to clear `HttpOnly` session cookie.
-
-Important:
-- Keep `/auth/session/*` at domain root even when the app is served from a subpath like `/chgrid`.
+- `<base_path>ws`: websocket signaling (presence, movement, item actions, chat, voice signaling).
+- `<base_path>auth/session/set`: called by client after successful login to set the instance-scoped `HttpOnly` session cookie.
+- `<base_path>auth/session/clear`: called by client on logout/session-reset to clear the instance-scoped `HttpOnly` session cookie.
 
 After Apache changes, reload Apache using your host's command.
 

deploy/apache/chgrid-vhost-snippet.conf

@@ -7,14 +7,13 @@
 # SetEnv CHGRID_HOST_ORIGIN https://example.com
 
 # Proxy websocket signaling endpoint to local Python service.
-# `/ws` is used by the browser signaling client for realtime packets.
-ProxyPass        /ws  ws://127.0.0.1:8765
-ProxyPassReverse /ws  ws://127.0.0.1:8765
+# Replace `/chgrid/` with the same value configured in `server.base_path`.
+ProxyPass        /chgrid/ws  ws://127.0.0.1:8765/chgrid/ws
+ProxyPassReverse /chgrid/ws  ws://127.0.0.1:8765/chgrid/ws
 # Proxy auth cookie helper endpoints to local Python service.
-# These root-scoped paths are required even when the app is hosted under `/chgrid`.
-# The client calls `/auth/session/set` after login and `/auth/session/clear` on logout/session-reset.
-ProxyPass        /auth/session/  http://127.0.0.1:8765/auth/session/
-ProxyPassReverse /auth/session/  http://127.0.0.1:8765/auth/session/
+# These paths should live under the same instance base path.
+ProxyPass        /chgrid/auth/session/  http://127.0.0.1:8765/chgrid/auth/session/
+ProxyPassReverse /chgrid/auth/session/  http://127.0.0.1:8765/chgrid/auth/session/
 
 # Ensure HTML entrypoint is never cached so version updates are picked up quickly.
 <LocationMatch "^/chgrid/?$|^/chgrid/index\\.html$">

deploy/scripts/deploy_client.sh

@@ -57,6 +57,7 @@ except ModuleNotFoundError:  # pragma: no cover - compatibility fallback
 config_path = Path(sys.argv[1])
 host = "127.0.0.1"
 port = 8765
+base_path = "/"
 if config_path.exists():
     with config_path.open("rb") as fp:
         data = tomllib.load(fp)
@@ -72,7 +73,9 @@ if config_path.exists():
         port = int(server.get("port", port))
     except (TypeError, ValueError):
         port = 8765
-print(f"http://{host}:{port}/auth/session/check")
+    raw_base_path = str(server.get("base_path", base_path)).strip() or "/"
+    base_path = "/" if raw_base_path == "/" else f"/{raw_base_path.strip('/')}/"
+print(f"http://{host}:{port}{base_path}auth/session/check")
 PY
   )"
   escaped_host_origin=${CHGRID_HOST_ORIGIN//\\/\\\\}