feat(deploy): local chess.local instance for VDJ-RIG

A second, LAN-only deploy alongside the CT 690 / chess.sethpc.xyz
instance. Runs on VDJ-RIG as a persistent systemd daemon, served on
port 80 and reachable at http://chess.local via an mDNS alias.

- blind-chess-local.service: server unit; binds port 80 as the
  non-root blindchess user via CAP_NET_BIND_SERVICE.
- chess-mdns-alias{,.service}: publishes the chess.local mDNS name
  with avahi-publish -a -R (-R skips the reverse PTR, which would
  otherwise collide with the host's own <hostname>.local record).
- install-local.sh: idempotent root-side installer (Node 22 via
  NodeSource, avahi-utils, blindchess user, /opt/blind-chess, units).
- CLAUDE.md: documents the local instance under Operations.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy/blind-chess-local.service

@@ -0,0 +1,36 @@
+[Unit]
+Description=blind_chess server — local LAN instance (chess.local)
+Documentation=https://git.sethpc.xyz/Seth/blind_chess
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=blindchess
+Group=blindchess
+WorkingDirectory=/opt/blind-chess/server
+ExecStart=/usr/bin/node /opt/blind-chess/server/dist/server.js
+Environment=NODE_ENV=production
+Environment=PORT=80
+Environment=HOST=0.0.0.0
+Environment=STATIC_DIR=/opt/blind-chess/client/dist
+Environment=PUBLIC_BASE=http://chess.local
+Environment=LOG_LEVEL=info
+Restart=always
+RestartSec=2s
+StandardOutput=journal
+StandardError=journal
+
+# Bind privileged port 80 as a non-root user
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/opt/blind-chess
+
+[Install]
+WantedBy=multi-user.target