feat(sync): re-auth prompt on expired session + server deployment artifacts

On auth failure during pull (access + refresh both expired), sync_plugin now
fires SyncConfigureRequestEvent so the Connect modal reopens automatically
instead of leaving the player with a silent error status. The modal's existing
double-open guard keeps repeated failures idempotent.

Also removes the unused SyncAuthResultEvent (results handled inline in
SyncSetupPlugin via PendingAuthTask polling) and adds server deployment
artifacts: Dockerfile (multi-stage, SQLX_OFFLINE), docker-compose.yml (SQLite
volume, health-check), and .env.example for local development setup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

solitaire_engine/src/events.rs

@@ -134,12 +134,6 @@ pub struct ManualSyncRequestEvent;
 #[derive(Message, Debug, Clone, Copy, Default)]
 pub struct SyncConfigureRequestEvent;
 
-/// Result of an async login or register attempt. `Ok(username)` on success;
-/// `Err(human-readable message)` on failure. Consumed by `SyncSetupPlugin`
-/// to update the in-world provider and surface errors in the modal.
-#[derive(Message, Debug, Clone)]
-pub struct SyncAuthResultEvent(pub Result<String, String>);
-
 /// Request to disconnect from the current sync backend, clear stored
 /// credentials, and reset to `SyncBackend::Local`. Fired by the "Disconnect"
 /// button in the Settings sync section.

solitaire_engine/src/sync_plugin.rs

@@ -25,7 +25,10 @@ use solitaire_data::{
 use solitaire_sync::{merge, SyncPayload, SyncResponse};
 
 use crate::achievement_plugin::{AchievementsResource, AchievementsStoragePath};
-use crate::events::{GameWonEvent, ManualSyncRequestEvent, SyncCompleteEvent};
+use crate::events::{
+    GameWonEvent, InfoToastEvent, ManualSyncRequestEvent, SyncCompleteEvent,
+    SyncConfigureRequestEvent,
+};
 use crate::game_plugin::RecordingReplay;
 use crate::progress_plugin::{ProgressResource, ProgressStoragePath};
 use crate::resources::{GameStateResource, SyncStatus, SyncStatusResource};
@@ -104,6 +107,8 @@ impl Plugin for SyncPlugin {
             .init_resource::<PendingReplayUpload>()
             .add_message::<ManualSyncRequestEvent>()
             .add_message::<SyncCompleteEvent>()
+            .add_message::<SyncConfigureRequestEvent>()
+            .add_message::<InfoToastEvent>()
             .add_systems(Startup, start_pull)
             .add_systems(
                 Update,
@@ -191,6 +196,8 @@ fn poll_pull_result(
     mut progress: ResMut<ProgressResource>,
     progress_path: Res<ProgressStoragePath>,
     mut complete_writer: MessageWriter<SyncCompleteEvent>,
+    mut configure_sync: MessageWriter<SyncConfigureRequestEvent>,
+    mut toast: MessageWriter<InfoToastEvent>,
 ) {
     let Some(task) = task_res.0.as_mut() else {
         return;
@@ -240,10 +247,19 @@ fn poll_pull_result(
             warn!("sync pull failed: {e}");
             let msg = match &e {
                 SyncError::Network(_) => "Can't reach server — check your connection".to_string(),
-                SyncError::Auth(_) => "Login expired — tap Sync Now after re-logging in".to_string(),
+                SyncError::Auth(_) => "Session expired — please reconnect".to_string(),
                 SyncError::Serialization(_) => format!("Unexpected server response: {e}"),
                 SyncError::UnsupportedPlatform => unreachable!("handled above"),
             };
+            // On auth failure, reopen the Connect modal so the player can
+            // re-enter credentials without having to navigate through Settings.
+            // `open_sync_setup_modal` is idempotent — it ignores the event when
+            // the modal is already on screen, so repeated pull failures don't
+            // stack multiple modals.
+            if matches!(e, SyncError::Auth(_)) {
+                toast.write(InfoToastEvent("Session expired — please reconnect".to_string()));
+                configure_sync.write(SyncConfigureRequestEvent);
+            }
             status.0 = SyncStatus::Error(msg.clone());
             complete_writer.write(SyncCompleteEvent(Err(msg)));
         }

solitaire_server/.env.example

@@ -0,0 +1,13 @@
+# Copy this file to .env and fill in the values.
+# The server reads these on startup via dotenvy.
+
+# SQLite database path. For local dev use a file path; for Docker use the
+# volume-mounted path (see docker-compose.yml).
+DATABASE_URL=sqlite://sol.db
+
+# HS256 signing secret for JWT tokens. Use at least 32 random characters.
+# Generate one with: openssl rand -hex 32
+JWT_SECRET=change-me-use-openssl-rand-hex-32
+
+# TCP port to listen on (optional, default 8080).
+# SERVER_PORT=8080

solitaire_server/Dockerfile

@@ -0,0 +1,57 @@
+# --- Build stage ---
+FROM rust:1.95-slim AS builder
+
+WORKDIR /build
+
+# Install musl tools for a fully static binary and sqlx-cli for compile-time
+# query checking (SQLX_OFFLINE=true skips the live-DB check at build time).
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    pkg-config \
+    libssl-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy only the files needed to build the server crate.
+# Layer order: workspace manifests first so dependency fetches are cached.
+COPY Cargo.toml Cargo.lock ./
+COPY solitaire_sync/Cargo.toml ./solitaire_sync/Cargo.toml
+COPY solitaire_server/Cargo.toml ./solitaire_server/Cargo.toml
+COPY solitaire_core/Cargo.toml ./solitaire_core/Cargo.toml
+
+# Stub every crate source so `cargo fetch` succeeds without full source.
+RUN mkdir -p solitaire_sync/src solitaire_server/src solitaire_core/src && \
+    echo "pub fn _stub() {}" > solitaire_sync/src/lib.rs && \
+    echo "pub fn _stub() {}" > solitaire_core/src/lib.rs && \
+    echo "pub fn _stub() {}" > solitaire_server/src/lib.rs && \
+    echo "fn main() {}" > solitaire_server/src/main.rs
+
+RUN cargo fetch --locked
+
+# Now copy real source and build in release mode.
+COPY solitaire_core/src ./solitaire_core/src
+COPY solitaire_sync/src  ./solitaire_sync/src
+COPY solitaire_server/src ./solitaire_server/src
+COPY solitaire_server/migrations ./solitaire_server/migrations
+# sqlx offline query cache — required when SQLX_OFFLINE=true so the
+# compile-time macros don't need a live database.
+COPY .sqlx ./.sqlx
+
+ENV SQLX_OFFLINE=true
+RUN cargo build --release --locked -p solitaire_server --bin solitaire_server
+
+# --- Runtime stage ---
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+COPY --from=builder /build/target/release/solitaire_server ./solitaire_server
+# Migrations are embedded via sqlx::migrate!("./migrations") relative to the
+# crate root at compile time — they do not need to be copied here.
+
+ENV SERVER_PORT=8080
+EXPOSE 8080
+
+ENTRYPOINT ["./solitaire_server"]

solitaire_server/docker-compose.yml

@@ -0,0 +1,25 @@
+services:
+  server:
+    build:
+      context: ..
+      dockerfile: solitaire_server/Dockerfile
+    image: solitaire-quest-server:latest
+    restart: unless-stopped
+    ports:
+      - "${SERVER_PORT:-8080}:8080"
+    volumes:
+      # SQLite database persisted outside the container.
+      - db-data:/app/data
+    environment:
+      DATABASE_URL: sqlite:///app/data/sol.db
+      JWT_SECRET: ${JWT_SECRET}
+      SERVER_PORT: 8080
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:8080/health"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+
+volumes:
+  db-data: