Add /auth endpoint for iOS Safari cross-subdomain auth

iOS Safari blocks shared cookies. Now L2 can redirect to
L1/auth?auth_token=xxx after login, and L1 sets its own
first-party cookie.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

server.py

@@ -3839,7 +3839,34 @@ def render_ui_html(actor_id: Optional[str] = None, tab: str = "runs") -> str:
 
 
 # Auth - L1 doesn't handle login (user logs in at their L2 server)
-# Shared cookie authenticates across L1 and L2
+# Token can be passed via URL from L2 redirect, then L1 sets its own cookie
+
+@app.get("/auth")
+async def auth_callback(auth_token: str = None):
+    """
+    Receive auth token from L2 redirect and set local cookie.
+    This enables cross-subdomain auth on iOS Safari which blocks shared cookies.
+    """
+    if not auth_token:
+        return RedirectResponse(url="/", status_code=302)
+
+    # Verify the token is valid
+    ctx = await get_verified_user_context(auth_token)
+    if not ctx:
+        return RedirectResponse(url="/", status_code=302)
+
+    # Set local first-party cookie and redirect to home
+    response = RedirectResponse(url="/runs", status_code=302)
+    response.set_cookie(
+        key="auth_token",
+        value=auth_token,
+        httponly=True,
+        max_age=60 * 60 * 24 * 30,  # 30 days
+        samesite="lax",
+        secure=True
+    )
+    return response
+
 
 @app.get("/logout")
 async def logout():