rename(phase 3): compose/DB/infra names + stray code refs capakraken → nexus
CI / Architecture Guardrails (pull_request) Successful in 2m59s
CI / Typecheck (pull_request) Successful in 6m41s
CI / Lint (pull_request) Successful in 4m18s
CI / Assistant Split Regression (pull_request) Successful in 5m6s
CI / Unit Tests (pull_request) Successful in 7m21s
CI / Build (pull_request) Successful in 5m21s
CI / Fresh-Linux Docker Deploy (pull_request) Failing after 38s
CI / E2E Tests (pull_request) Successful in 3m28s
CI / Release Images (pull_request) Has been skipped

- docker-compose.yml / .prod.yml / .ci.yml: project names, POSTGRES_DB/USER,
  pg_isready, DATABASE_URL, volume names (nexus_pgdata, nexus_prod_*)
- .github/workflows/ci.yml: POSTGRES_PASSWORD, pg_isready, psql credentials,
  GRANT statements, POSTGRES_PASSWORD=nexus_dev for Docker Deploy job
- scripts/db-target-guard.mjs: expectedDatabase default, NEXUS_EXPECTED_DB_NAME
- scripts/prisma-with-env.mjs, e2e/test-server.mjs: env-var rename
- packages/db/src/safe-destructive-env.ts + reset-dispo-import.ts: DB name set
- packages/db/src/destructive-db-guard.ts: PROTECTED_DATABASE_NAMES → "nexus"
- packages/db/src/destructive-db-guard.test.ts: all fixture DB names + comments
- .env.example, tooling/deploy/deploy.env.example: DATABASE_URL, image refs
- packages/api: Redis channel/key prefixes (rbac-invalidate, sse, ratelimit),
  logger service name, app-base-url log prefix
- E2E: DB container names, localStorage/sessionStorage keys, email domains
- scripts: architecture-guardrails filter, export/import-dev-seed defaults,
  harden-postgres defaults, start.sh pg_isready, worktree-hygiene fixture
- tooling/migrate/rename-to-nexus.sh: new maintenance-window cutover script

Only intentional capakraken survivor: anonymization.ts DEFAULT_ANONYMIZATION_SEED
(functional cryptographic constant — changing it would invalidate stored aliases).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 16:35:39 +02:00
parent b41c1d2501
commit 01f8974314
44 changed files with 401 additions and 186 deletions
+24 -24
@@ -159,11 +159,11 @@ jobs:
postgres:
image: postgres:16
env:
POSTGRES_DB: capakraken_test
POSTGRES_USER: capakraken
POSTGRES_PASSWORD: capakraken_test
POSTGRES_DB: nexus_test
POSTGRES_USER: nexus
POSTGRES_PASSWORD: nexus_test
options: >-
--health-cmd="pg_isready -U capakraken -d capakraken_test"
--health-cmd="pg_isready -U nexus -d nexus_test"
--health-interval=10s
--health-timeout=5s
--health-retries=5
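Review bot: The `--health-cmd="pg_isready -U nexus -d nexus_test"` line reports healthy even when the nexus role or the nexus_test database does not exist, because pg_isready only checks that the server accepts connections and does not validate the user or database name it is given. This rename depends on the service actually being initialised under the new names, so a health command that runs a query as that user (the `psql ... -Atc "SELECT 1"` form the later probe loop already uses) would surface a mismatch when the service starts rather than several steps later.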
@@ -175,7 +175,7 @@ jobs:
--health-timeout=5s
--health-retries=5
env:
DATABASE_URL: postgresql://capakraken:capakraken_test@postgres:5432/capakraken_test
DATABASE_URL: postgresql://nexus:nexus_test@postgres:5432/nexus_test
REDIS_URL: redis://redis:6379
# Force in-memory rate limiter to avoid cross-test state when Redis drops.
# Redis fallback downgrades to max/10 limits which rate-limits unit tests.
@@ -291,11 +291,11 @@ jobs:
e2epg:
image: postgres:16
env:
POSTGRES_DB: capakraken_test
POSTGRES_USER: capakraken
POSTGRES_PASSWORD: capakraken_test
POSTGRES_DB: nexus_test
POSTGRES_USER: nexus
POSTGRES_PASSWORD: nexus_test
options: >-
--health-cmd="pg_isready -U capakraken -d capakraken_test"
--health-cmd="pg_isready -U nexus -d nexus_test"
--health-interval=10s
--health-timeout=5s
--health-retries=5
@@ -307,14 +307,14 @@ jobs:
--health-timeout=5s
--health-retries=5
env:
DATABASE_URL: postgresql://capakraken:capakraken_test@e2epg:5432/capakraken_test
DATABASE_URL: postgresql://nexus:nexus_test@e2epg:5432/nexus_test
# Playwright test-server.mjs requires an explicit test DB URL.
PLAYWRIGHT_DATABASE_URL: postgresql://capakraken:capakraken_test@e2epg:5432/capakraken_test
PLAYWRIGHT_DATABASE_URL: postgresql://nexus:nexus_test@e2epg:5432/nexus_test
# prisma-with-env.mjs refuses to run unless DATABASE_URL's db name matches
# the expected target; default is "capakraken", CI uses capakraken_test.
CAPAKRAKEN_EXPECTED_DB_NAME: capakraken_test
# the expected target; default is "nexus", CI uses nexus_test.
NEXUS_EXPECTED_DB_NAME: nexus_test
ALLOW_DESTRUCTIVE_DB_TOOLS: "true"
CONFIRM_DESTRUCTIVE_DB_NAME: capakraken_test
CONFIRM_DESTRUCTIVE_DB_NAME: nexus_test
REDIS_URL: redis://e2eredis:6379
PORT: 3100
# test-server.mjs spawns `docker compose --profile test up postgres-test`;
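Review bot: At `NEXUS_EXPECTED_DB_NAME: nexus_test`, the variable name itself changes, so any environment that still exports only CAPAKRAKEN_EXPECTED_DB_NAME now falls back to the default, which the comment above gives as "nexus". Please confirm the scripts fail with a message that names the new variable in that case, or read the old name as a deprecated fallback for one release. Related: the commit message lists PROTECTED_DATABASE_NAMES → "nexus" together with a maintenance-window cutover script; until that cutover has run, existing databases still carry the old name, so it is worth checking that the destructive guard keeps the old name protected as well until then.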
@@ -375,7 +375,7 @@ jobs:
- name: Push DB schema & seed
env:
PGPASSWORD: capakraken_test
PGPASSWORD: nexus_test
run: |
# Nuke any leftover schema state from a previous job that shared the
# postgres service container (act_runner reuses service volumes).
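Review bot: The comment in this step says act_runner reuses service volumes, and the postgres image applies POSTGRES_USER, POSTGRES_DB and POSTGRES_PASSWORD only when it initialises an empty data directory. On a runner that still holds a data directory created under the old names, the nexus role and the nexus_test database will not exist, so `PGPASSWORD: nexus_test` will be rejected and the probe loop further down will exit with its "no resolved e2epg IP accepted" error. Clearing the service volumes on the runners should be part of rolling this change out, or the step should detect the old role and say so explicitly.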
@@ -397,7 +397,7 @@ jobs:
IPS=$(getent hosts e2epg | awk '{print $1}')
PG_IP=""
for ip in $IPS; do
if PGPASSWORD=capakraken_test psql -h "$ip" -U capakraken -d capakraken_test -v ON_ERROR_STOP=1 -Atc "SELECT 1" >/dev/null 2>&1; then
if PGPASSWORD=nexus_test psql -h "$ip" -U nexus -d nexus_test -v ON_ERROR_STOP=1 -Atc "SELECT 1" >/dev/null 2>&1; then
PG_IP="$ip"
echo "Locked onto postgres at $PG_IP"
break
@@ -406,19 +406,19 @@ jobs:
fi
done
if [ -z "$PG_IP" ]; then
echo "ERROR: no resolved e2epg IP accepted capakraken_test credentials"
echo "ERROR: no resolved e2epg IP accepted nexus_test credentials"
exit 1
fi
PINNED_URL="postgresql://capakraken:capakraken_test@$PG_IP:5432/capakraken_test"
PINNED_URL="postgresql://nexus:nexus_test@$PG_IP:5432/nexus_test"
echo "DATABASE_URL=$PINNED_URL" >> "$GITHUB_ENV"
echo "PLAYWRIGHT_DATABASE_URL=$PINNED_URL" >> "$GITHUB_ENV"
echo "--- DROP SCHEMA ---"
psql -h "$PG_IP" -U capakraken -d capakraken_test -v ON_ERROR_STOP=1 \
-c "DROP SCHEMA IF EXISTS public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO capakraken; GRANT ALL ON SCHEMA public TO public;"
psql -h "$PG_IP" -U nexus -d nexus_test -v ON_ERROR_STOP=1 \
-c "DROP SCHEMA IF EXISTS public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO nexus; GRANT ALL ON SCHEMA public TO public;"
echo "--- prisma db push ---"
DATABASE_URL="$PINNED_URL" pnpm --filter @nexus/db exec prisma db push --schema ./prisma/schema.prisma --accept-data-loss --skip-generate
echo "--- tables in public after push ---"
psql -h "$PG_IP" -U capakraken -d capakraken_test -v ON_ERROR_STOP=1 -At \
psql -h "$PG_IP" -U nexus -d nexus_test -v ON_ERROR_STOP=1 -At \
-c "SELECT tablename FROM pg_tables WHERE schemaname='public' ORDER BY tablename" \
| tee /tmp/tables.txt
if ! grep -qx 'audit_logs' /tmp/tables.txt; then
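Review bot: The psql calls in this hunk each repeat `-U nexus -d nexus_test`, and PINNED_URL spells the same user, password and database out again, which is why the rename has to touch five lines of one script and why a missed occurrence would only show up at run time. Exporting PGUSER and PGDATABASE once at the top of the script and building PINNED_URL from those variables would leave a single place to change and let the psql calls drop the repeated flags.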
@@ -468,8 +468,8 @@ jobs:
NEXTAUTH_SECRET=ci-test-secret-minimum-32-chars-xx
PGADMIN_PASSWORD=ci-pgadmin
# Must match the password baked into docker-compose.ci.yml's
# DATABASE_URL override (capakraken_dev).
POSTGRES_PASSWORD=capakraken_dev
# DATABASE_URL override (nexus_dev).
POSTGRES_PASSWORD=nexus_dev
EOF
- name: Tear down any stale stack & volumes
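Review bot: The `POSTGRES_PASSWORD=nexus_dev` line is tied to docker-compose.ci.yml only by the comment above it, and the Fresh-Linux Docker Deploy check on this commit is listed as failing after 38s. Please confirm that the DATABASE_URL override in docker-compose.ci.yml carries the same nexus_dev value after the rename, and consider having the compose file read the password from this env file so the two cannot drift apart.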
@@ -485,7 +485,7 @@ jobs:
- name: Wait for postgres
run: |
for i in $(seq 1 20); do
docker compose -f docker-compose.yml -f docker-compose.ci.yml exec -T postgres pg_isready -U capakraken -d capakraken && break
docker compose -f docker-compose.yml -f docker-compose.ci.yml exec -T postgres pg_isready -U nexus -d nexus && break
sleep 3
done
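Review bot: In the lines shown, the wait loop around `pg_isready -U nexus -d nexus` has no failure path: if the server never becomes ready, the loop finishes its 20 attempts and the step carries on as if it had succeeded. Unless a check follows `done` outside this hunk, add an explicit readiness test after the loop that exits non-zero with a clear message. Note also that pg_isready does not verify that the nexus role or database exists, so a passing wait here does not prove the renamed credentials work.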