feat: implement and deploy blind_chess MVP

- pnpm workspace: shared/server/client packages
- Server: Fastify+ws, chess.js, FSM (touch-move + hierarchy),
  per-player view filter, zod validation, rate limiting, grace-window
  disconnect handling
- Client: Svelte 5 + Vite, click-to-move board, moderator panel,
  promotion/draw dialogs
- Shared: protocol types, ModeratorText enum, geometricMoves helper
  (provably zero opponent-info leak)
- 43 tests pass (21 shared, 22 server incl. 4 real-WS integration)
- Deploy: CT 690 on node-241 (192.168.0.245), systemd-managed,
  Caddy block for chess.sethpc.xyz
- Live at https://chess.sethpc.xyz

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy/Caddyfile.snippet

@@ -0,0 +1,7 @@
+# Snippet for Caddy CT 600 — append to /etc/caddy/Caddyfile.
+# Backend: blind-chess LXC on node-241, port 3000.
+
+chess.sethpc.xyz {
+    reverse_proxy <BLIND_CHESS_CT_IP>:3000
+    encode gzip zstd
+}

deploy/blind-chess.service

@@ -0,0 +1,31 @@
+[Unit]
+Description=blind_chess server (Fastify + ws)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=blindchess
+Group=blindchess
+WorkingDirectory=/opt/blind-chess
+ExecStart=/usr/bin/node /opt/blind-chess/server/dist/server.js
+Environment=NODE_ENV=production
+Environment=PORT=3000
+Environment=HOST=0.0.0.0
+Environment=STATIC_DIR=/opt/blind-chess/client/dist
+Environment=PUBLIC_BASE=https://chess.sethpc.xyz
+Environment=LOG_LEVEL=info
+Restart=always
+RestartSec=2s
+StandardOutput=journal
+StandardError=journal
+
+# Hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/opt/blind-chess
+
+[Install]
+WantedBy=multi-user.target