Grand Archive backend

Routes:
  GET  /health         → { ok: true, ts, peer: {...}, auth: {...} }
  GET  /auth/login     → 302 to accounts.gatcg.com
  GET  /auth/callback  → finishes the OAuth handshake
  GET  /auth/me        → { user } or 401
  POST /auth/refresh   → refresh the upstream token
  POST /auth/logout    → clear the session
  GET  /rooms          → list active multiplayer rooms
  POST /rooms          → host registers a new room (returns hostToken)
  PATCH /rooms/:code   → host updates players/viewers/status
  POST /rooms/:code/heartbeat → host keepalive ping
  DELETE /rooms/:code  → host closes the room
  *    /peerjs         → PeerJS signaling broker (WebSocket upgrade)

Allowed origins: https://gatcg-testing.opcg.site, http://localhost:5173
Backend public URL (redirect_uri): https://api-gatcg-testing.opcg.site
Frontend origin (post-login redirect): https://gatcg-testing.opcg.site