docs(nix): document lib.mkWebapp in branding/README + CLAUDE.md

branding/README's "Integration with NixOS deployment" section now
describes the actual lib.mkWebapp API + the per-host call site, with
a ready-to-paste server-deploy snippet. Also documents the pnpm_10
pin, sharp/autoPatchelfHook handling, and CI=true bypass — anchors
that surface in error logs and benefit from being grep-able.

CLAUDE.md's NixOS deployment paragraph stops calling lib.mkWebapp a
future TODO and points at the API directly.

Adds a `nix build` recipe (default + impure brand override) for local
sanity-checking.

Part of aiolabs/webapp#97.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -759,12 +759,15 @@ BRAND_DIR=branding/cfaun pnpm build:events
 instead of `@/assets/logo.png`. The latter still works for non-brand
 assets (`@/assets/bitcoin.svg`, etc.) — it's only the logo that moved.
 
-**NixOS deployment:** brand directories will eventually live in
-`deploy/server-deploy/hosts/<host>/branding/`, with each host's
-`services/webapp.nix` calling `inputs.webapp.lib.mkWebapp { brandDir =
-./../branding; }`. `flake.nix` exposing `lib.mkWebapp` is a follow-up
-to this PR. Until it lands, server-deploy continues to build webapp
-through its existing path. See aiolabs/server-deploy#8.
+**NixOS deployment:** `flake.nix` exposes
+`lib.mkWebapp { pkgs, brandDir ? ./branding/default, app ? "main" }`.
+Server-deploy hosts call it from their `services/webapp.nix`:
+`inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; app = "events"; }`.
+Builder pins `pkgs.pnpm_10` regardless of consumer's nixpkgs (keeps
+pnpmDeps hash stable downstream), uses `autoPatchelfHook` to handle
+prebuilt sharp binaries, and sets `CI=true` to bypass pnpm's
+interactive modules-purge prompt. Per-host migration tracked in
+aiolabs/server-deploy#8.
 
 ## Payment Rails Pattern