rename(phase 3): compose/DB/infra names + stray code refs capakraken → nexus
CI / Architecture Guardrails (pull_request) Successful in 2m59s
CI / Typecheck (pull_request) Successful in 6m41s
CI / Lint (pull_request) Successful in 4m18s
CI / Assistant Split Regression (pull_request) Successful in 5m6s
CI / Unit Tests (pull_request) Successful in 7m21s
CI / Build (pull_request) Successful in 5m21s
CI / Fresh-Linux Docker Deploy (pull_request) Failing after 38s
CI / E2E Tests (pull_request) Successful in 3m28s
CI / Release Images (pull_request) Has been skipped

- docker-compose.yml / .prod.yml / .ci.yml: project names, POSTGRES_DB/USER,
  pg_isready, DATABASE_URL, volume names (nexus_pgdata, nexus_prod_*)
- .github/workflows/ci.yml: POSTGRES_PASSWORD, pg_isready, psql credentials,
  GRANT statements, POSTGRES_PASSWORD=nexus_dev for Docker Deploy job
- scripts/db-target-guard.mjs: expectedDatabase default, NEXUS_EXPECTED_DB_NAME
- scripts/prisma-with-env.mjs, e2e/test-server.mjs: env-var rename
- packages/db/src/safe-destructive-env.ts + reset-dispo-import.ts: DB name set
- packages/db/src/destructive-db-guard.ts: PROTECTED_DATABASE_NAMES → "nexus"
- packages/db/src/destructive-db-guard.test.ts: all fixture DB names + comments
- .env.example, tooling/deploy/deploy.env.example: DATABASE_URL, image refs
- packages/api: Redis channel/key prefixes (rbac-invalidate, sse, ratelimit),
  logger service name, app-base-url log prefix
- E2E: DB container names, localStorage/sessionStorage keys, email domains
- scripts: architecture-guardrails filter, export/import-dev-seed defaults,
  harden-postgres defaults, start.sh pg_isready, worktree-hygiene fixture
- tooling/migrate/rename-to-nexus.sh: new maintenance-window cutover script

Only intentional capakraken survivor: anonymization.ts DEFAULT_ANONYMIZATION_SEED
(functional cryptographic constant — changing it would invalidate stored aliases).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 16:35:39 +02:00
parent b41c1d2501
commit 01f8974314
44 changed files with 401 additions and 186 deletions
@@ -105,10 +105,10 @@ describe("RBAC cache Redis pub/sub (#57)", () => {
// Simulate a peer instance publishing an invalidation: grab any
// subscriber on the channel and fire the event as if Redis delivered it.
const subs = channelSubscribers.get("capakraken:rbac-invalidate");
const subs = channelSubscribers.get("nexus:rbac-invalidate");
expect(subs).toBeDefined();
expect(subs!.size).toBeGreaterThanOrEqual(1);
for (const sub of subs!) sub.emit("message", "capakraken:rbac-invalidate", "1");
for (const sub of subs!) sub.emit("message", "nexus:rbac-invalidate", "1");
// Next load must hit the DB again.
await loadRoleDefaults();
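Review bot: The channel name is written out as a string literal in both the channelSubscribers.get(...) lookup and the sub.emit(...) call, so this test had to be edited by hand for the rename and mirrors the production value instead of following it. Consider exporting the channel constant from the RBAC cache module (RBAC_INVALIDATE_CHANNEL) and referencing it in the test, so a future rename touches one place only.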
@@ -126,6 +126,6 @@ describe("RBAC cache Redis pub/sub (#57)", () => {
const newPublishes = publishCalls.slice(countBefore);
expect(newPublishes.length).toBe(1);
expect(newPublishes[0]!.channel).toBe("capakraken:rbac-invalidate");
expect(newPublishes[0]!.channel).toBe("nexus:rbac-invalidate");
});
});
@@ -24,7 +24,7 @@ describe("assertWebhookUrlAllowed — SSRF guard", () => {
it("allows an HTTPS URL with a path and query string", async () => {
await expect(
assertWebhookUrlAllowed("https://hooks.external.io/events?source=capakraken"),
assertWebhookUrlAllowed("https://hooks.external.io/events?source=nexus"),
).resolves.toBeUndefined();
});
+3 -3
@@ -22,15 +22,15 @@ export function getAppBaseUrl(): string {
if (process.env["NODE_ENV"] === "production") {
throw new Error(
"NEXTAUTH_URL must be set in production — email links will contain localhost otherwise. " +
"Set it to the public URL of this app (e.g. https://capakraken.example.com).",
"Set it to the public URL of this app (e.g. https://nexus.example.com).",
);
}
if (!warned) {
warned = true;
console.warn(
"[capakraken] NEXTAUTH_URL is not set — falling back to http://localhost:3100 for email links. " +
"Set NEXTAUTH_URL in your .env to suppress this warning.",
"[nexus] NEXTAUTH_URL is not set — falling back to http://localhost:3100 for email links. " +
"Set NEXTAUTH_URL in your .env to suppress this warning.",
);
}
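Review bot: The "Set NEXTAUTH_URL in your .env to suppress this warning." line inside console.warn shows up on both sides of the change with identical text, which points to a whitespace-only edit riding along with the rename. Drop it from this commit or land the reformat separately, so the rename diff contains only name changes.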
+2 -2
@@ -44,13 +44,13 @@ const redactConfig = { paths: REDACT_PATHS, censor: "[REDACTED]" };
export const logger = isProduction
? pino({
level: LOG_LEVEL,
base: { service: "capakraken-api" },
base: { service: "nexus-api" },
redact: redactConfig,
})
: pino(
{
level: LOG_LEVEL,
base: { service: "capakraken-api" },
base: { service: "nexus-api" },
redact: redactConfig,
formatters: {
level(label: string) {
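Review bot: base: { service: "nexus-api" } is repeated in the production and non-production pino() calls, as the old value was; hoist it into one constant so the two branches cannot diverge. Because the service field is attached to every log line, any saved search, alert or detection rule that filters on service "capakraken-api" stops matching after deploy and should be updated in the same change window.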
+1 -1
@@ -31,7 +31,7 @@ type RateLimiterBackend = {
reset: () => Promise<void>;
};
const DEFAULT_REDIS_KEY_PREFIX = "capakraken:ratelimit";
const DEFAULT_REDIS_KEY_PREFIX = "nexus:ratelimit";
const DEFAULT_REDIS_BACKEND = process.env["RATE_LIMIT_BACKEND"] as RateLimitBackendMode | undefined;
const DEFAULT_REDIS_URL = process.env["REDIS_URL"]?.trim();
const warnedRedisFailures = new Set<string>();
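Review bot: Changing DEFAULT_REDIS_KEY_PREFIX means counters stored under "capakraken:ratelimit" are no longer read wherever the default prefix is in use, so clients that were throttled before the deploy start with a fresh budget at cutover. Confirm that is acceptable for the maintenance window, and check that keys under the old prefix either carry an expiry or are cleaned up by tooling/migrate/rename-to-nexus.sh so they do not linger in Redis.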
+1 -1
@@ -201,7 +201,7 @@ const REDIS_URL =
: (() => {
throw new Error("REDIS_URL required in production");
})());
const CHANNEL = "capakraken:sse";
const CHANNEL = "nexus:sse";
let publisher: Redis | null = null;
let subscriber: Redis | null = null;
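Review bot: CHANNEL is the only thing tying publisher and subscriber together, so in any mixed-version state a node still on "capakraken:sse" and a node on "nexus:sse" will not see each other's events, and nothing will error. The commit message describes a maintenance-window cutover; add a comment here or in the cutover script stating that all API instances must be restarted together.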
+1 -1
@@ -42,7 +42,7 @@ const ROLE_DEFAULTS_TTL = 10_000;
// We publish a single invalidate message per change; every node subscribes and
// clears its local cache on receipt. Failure to publish/subscribe is logged
// but never thrown — the TTL above is the fall-back.
const RBAC_INVALIDATE_CHANNEL = "capakraken:rbac-invalidate";
const RBAC_INVALIDATE_CHANNEL = "nexus:rbac-invalidate";
let _rbacPublisher: Redis | null = null;
let _rbacSubscriber: Redis | null = null;
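Review bot: A publish to "nexus:rbac-invalidate" that reaches no subscriber on a node still listening on the old channel is not a publish failure, so the "logged but never thrown" path described in the comment above will not fire and a mixed-version deployment loses invalidations silently. The fall-back is then the TTL (ROLE_DEFAULTS_TTL = 10_000 in the hunk header), so a role change can take up to that long to apply on a node that missed the message; say so in the comment, or require a full restart of all nodes at cutover.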