docs: update README with desktop requirements, helper builds, and realistic MVP usage notes

Expand README with desktop platform requirements (Windows x86, macOS ARM), helper build commands, gateway utility scripts, and updated local test flow. Add realistic MVP usage section clarifying current platform build status, gateway configuration needs, and admin debug profile behavior with client private key handling.

docs/deployment.md

@@ -51,6 +51,47 @@ psql "$DATABASE_URL" -f backend/migrations/000001_init.sql
 psql "$DATABASE_URL" -f backend/seed/001_seed.sql
 ```
 
+## Gateway Helper Flow
+
+1. Bootstrap an admin and log into the web UI.
+2. Open the `Gateways` page and note the gateway ID.
+3. Obtain an admin API token through the login flow.
+4. Set `NEXAVPN_GATEWAY_ID` and `NEXAVPN_API_TOKEN` in `deploy/.env`.
+5. Recreate the `gateway` service.
+
+The helper writes:
+
+- `/var/lib/nexavpn/sync-bundle.json`
+- `/var/lib/nexavpn/wg0.generated.conf`
+- `/var/lib/nexavpn/nftables.generated.conf`
+
+Current behavior:
+
+- the gateway helper fetches the sync bundle every 15 seconds
+- it renders `/etc/wireguard/<iface>.conf`
+- it applies nftables rules from generated state
+- it enables IPv4 forwarding
+- it brings up or resyncs the WireGuard interface
+
+Required environment:
+
+- `NEXAVPN_GATEWAY_ID`
+- `NEXAVPN_API_TOKEN`
+- `NEXAVPN_GATEWAY_PRIVATE_KEY`
+- optional: `NEXAVPN_GATEWAY_INTERFACE`
+- optional: `NEXAVPN_UPLINK_INTERFACE`
+- optional: `NEXAVPN_ENABLE_MASQUERADE`
+
+Helper scripts:
+
+- `deploy/scripts/generate-gateway-keypair.sh`
+- `deploy/scripts/get-admin-token.sh`
+
+Host/runtime note:
+
+- the gateway container expects `/dev/net/tun`
+- the host kernel must support WireGuard
+
 ## Production Notes
 
 - Terminate TLS at nginx or another reverse proxy.