feat(deploy): local chess.local instance for VDJ-RIG

A second, LAN-only deploy alongside the CT 690 / chess.sethpc.xyz
instance. Runs on VDJ-RIG as a persistent systemd daemon, served on
port 80 and reachable at http://chess.local via an mDNS alias.

- blind-chess-local.service: server unit; binds port 80 as the
  non-root blindchess user via CAP_NET_BIND_SERVICE.
- chess-mdns-alias{,.service}: publishes the chess.local mDNS name
  with avahi-publish -a -R (-R skips the reverse PTR, which would
  otherwise collide with the host's own <hostname>.local record).
- install-local.sh: idempotent root-side installer (Node 22 via
  NodeSource, avahi-utils, blindchess user, /opt/blind-chess, units).
- CLAUDE.md: documents the local instance under Operations.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy/chess-mdns-alias

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Publish "chess.local" as an mDNS alias for this host's primary IPv4 address.
+# Invoked by chess-mdns-alias.service (blind_chess local deploy).
+#
+# avahi-daemon already advertises the host's own <hostname>.local; this adds
+# the friendly "chess.local" name pointing at the same machine. Runs in the
+# foreground holding the registration until the service is stopped.
+set -euo pipefail
+
+IP="$(hostname -I | awk '{print $1}')"
+if [ -z "$IP" ]; then
+  echo "chess-mdns-alias: no IPv4 address found" >&2
+  exit 1
+fi
+
+echo "chess-mdns-alias: publishing chess.local -> $IP"
+# -R/--no-reverse: skip the reverse (PTR) record. avahi-daemon already owns the
+# PTR for this IP via the host's own <hostname>.local, so publishing chess.local
+# for the same address *with* a reverse entry collides ("Local name collision").
+# Clients only need the forward A record, which -a still publishes.
+exec avahi-publish -a -R chess.local "$IP"