docs(nix): document lib.mkWebapp in branding/README + CLAUDE.md

branding/README's "Integration with NixOS deployment" section now
describes the actual lib.mkWebapp API + the per-host call site, with
a ready-to-paste server-deploy snippet. Also documents the pnpm_10
pin, sharp/autoPatchelfHook handling, and CI=true bypass — anchors
that surface in error logs and benefit from being grep-able.

CLAUDE.md's NixOS deployment paragraph stops calling lib.mkWebapp a
future TODO and points at the API directly.

Adds a `nix build` recipe (default + impure brand override) for local
sanity-checking.

Part of aiolabs/webapp#97.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -759,12 +759,15 @@ BRAND_DIR=branding/cfaun pnpm build:events
 instead of `@/assets/logo.png`. The latter still works for non-brand
 assets (`@/assets/bitcoin.svg`, etc.) — it's only the logo that moved.
 
-**NixOS deployment:** brand directories will eventually live in
+**NixOS deployment:** `flake.nix` exposes
-`deploy/server-deploy/hosts/<host>/branding/`, with each host's
+`lib.mkWebapp { pkgs, brandDir ? ./branding/default, app ? "main" }`.
-`services/webapp.nix` calling `inputs.webapp.lib.mkWebapp { brandDir =
+Server-deploy hosts call it from their `services/webapp.nix`:
-./../branding; }`. `flake.nix` exposing `lib.mkWebapp` is a follow-up
+`inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; app = "events"; }`.
-to this PR. Until it lands, server-deploy continues to build webapp
+Builder pins `pkgs.pnpm_10` regardless of consumer's nixpkgs (keeps
-through its existing path. See aiolabs/server-deploy#8.
+pnpmDeps hash stable downstream), uses `autoPatchelfHook` to handle
+prebuilt sharp binaries, and sets `CI=true` to bypass pnpm's
+interactive modules-purge prompt. Per-host migration tracked in
+aiolabs/server-deploy#8.
 
 ## Payment Rails Pattern
 

branding/README.md

@@ -105,6 +105,33 @@ Outputs land in `public/icons/` (gitignored).
 
 ## Integration with NixOS deployment
 
-See [aiolabs/webapp#95](https://git.atitlan.io/aiolabs/webapp/issues/95) for the full architecture. In short: `deploy/server-deploy/hosts/<host>/branding/` will hold per-host brands, and each host's `services/webapp.nix` will call `inputs.webapp.lib.mkWebapp { brandDir = ./../branding; }` once `lib.mkWebapp` is exposed from `flake.nix` (separate follow-up issue).
+`flake.nix` exposes `lib.mkWebapp { pkgs, brandDir ? ./branding/default, app ? "main" }` for downstream consumers. Per-host wiring in `deploy/server-deploy/hosts/<host>/services/webapp.nix` looks like:
+
+```nix
+{ inputs, pkgs, ... }:
+{
+  services.webapp.apps = {
+    main   = inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; };
+    events = inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; app = "events"; };
+    wallet = inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; app = "wallet"; };
+  };
+}
+```
+
+`brandDir` is either a path inside this flake (`./branding/<name>`) or an external path (e.g. `./../branding` from server-deploy). Either way Nix copies it into the build sandbox.
+
+Builder details:
+- Uses `pkgs.pnpm_10` regardless of consumer's nixpkgs, so the pnpmDeps hash stays stable across downstream nixpkgs versions.
+- `pkgs.autoPatchelfHook` + `stdenv.cc.cc.lib` patch the prebuilt `@img/sharp-libvips-linux-*` binaries.
+- `CI=true` bypasses pnpm 10's interactive modules-purge prompt in the sandbox.
 
 The architectural payoff: brand and code become independent axes. Logo changes ship via server-deploy commits + redeploys — no webapp release, no `flake.lock` bump.
+
+For local sanity:
+
+```bash
+nix build .#main          # hub with aiolabs default brand
+nix build .#events        # events standalone with aiolabs default
+# events with a custom brand (the impure way, ad-hoc):
+nix build --impure --expr 'let pkgs = import <nixpkgs> {}; flake = builtins.getFlake (toString ./.); in flake.lib.mkWebapp { inherit pkgs; brandDir = /path/to/brand; app = "events"; }'
+```