ci: diagnose e2e audit_logs mystery; fix docker-deploy admin seed

- e2e: install psql; dump 'getent hosts postgres' (suspect two hosts
  answer to 'postgres' on gitea_gitea) and the table list after push.
  Fail loudly when audit_logs is missing so we see the true state at
  push time instead of later at seed time.
- docker-deploy: setup-admin.mjs imports @prisma/client via bare
  specifier, which only resolves inside packages/db in pnpm workspaces.
  Run the script through `pnpm --filter @capakraken/db exec` so Node
  walks the right node_modules.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -350,22 +350,34 @@ jobs:
         if: steps.playwright-cache.outputs.cache-hit == 'true'
         run: pnpm --filter @capakraken/web exec playwright install-deps chromium
 
+      - name: Install psql (debug schema state)
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends postgresql-client
+
       - name: Push DB schema & seed
+        env:
+          PGPASSWORD: capakraken_test
         run: |
           # Nuke any leftover schema state from a previous job that shared the
           # postgres service container (act_runner reuses service volumes).
           # --force-reset alone proved unreliable: push reported "in sync" but
-          # audit_logs ended up missing. Use prisma db execute (no psql dep).
+          # audit_logs ended up missing. Diagnostic hypothesis: there are TWO
-          printf '%s\n' \
+          # postgres hosts reachable as "postgres" on gitea_gitea (the Gitea
-            'DROP SCHEMA IF EXISTS public CASCADE;' \
+          # core DB plus the service container) and push/seed hit different
-            'CREATE SCHEMA public;' \
+          # ones. Verify via direct psql.
-            'GRANT ALL ON SCHEMA public TO capakraken;' \
+          echo "--- hosts resolving to 'postgres' ---"
-            'GRANT ALL ON SCHEMA public TO public;' \
+          getent hosts postgres || true
-            | pnpm --filter @capakraken/db exec prisma db execute --stdin --schema ./prisma/schema.prisma
+          echo "--- DROP SCHEMA ---"
+          psql -h postgres -U capakraken -d capakraken_test -v ON_ERROR_STOP=1 \
+            -c "DROP SCHEMA IF EXISTS public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO capakraken; GRANT ALL ON SCHEMA public TO public;"
+          echo "--- prisma db push ---"
           pnpm --filter @capakraken/db exec prisma db push --schema ./prisma/schema.prisma --accept-data-loss --skip-generate
-          # Sanity check: confirm the schema actually landed before seeding.
+          echo "--- tables in public after push ---"
-          printf "SELECT to_regclass('public.audit_logs'), to_regclass('public.users');\n" \
+          psql -h postgres -U capakraken -d capakraken_test -v ON_ERROR_STOP=1 \
-            | pnpm --filter @capakraken/db exec prisma db execute --stdin --schema ./prisma/schema.prisma
+            -c "\dt public.*" | tee /tmp/tables.txt
+          if ! grep -q 'audit_logs' /tmp/tables.txt; then
+            echo "ERROR: audit_logs table missing after push!"
+            exit 1
+          fi
           pnpm db:seed
 
       - name: Run E2E tests
@@ -445,8 +457,12 @@ jobs:
           echo "$BODY" | grep '"status":"ok"'
 
       - name: Seed admin user
+        # setup-admin.mjs imports @prisma/client, which only lives in
+        # packages/db/node_modules in pnpm workspaces. Run via pnpm so Node
+        # resolution finds it.
         run: |
-          docker compose -f docker-compose.yml -f docker-compose.ci.yml exec -T app node /app/scripts/setup-admin.mjs \
+          docker compose -f docker-compose.yml -f docker-compose.ci.yml exec -T app \
+            pnpm --filter @capakraken/db exec node /app/scripts/setup-admin.mjs \
             --email admin@capakraken.dev \
             --name "Admin" \
             --password admin123