rename(phase 3): compose/DB/infra names + stray code refs capakraken → nexus

- docker-compose.yml / .prod.yml / .ci.yml: project names, POSTGRES_DB/USER,
  pg_isready, DATABASE_URL, volume names (nexus_pgdata, nexus_prod_*)
- .github/workflows/ci.yml: POSTGRES_PASSWORD, pg_isready, psql credentials,
  GRANT statements, POSTGRES_PASSWORD=nexus_dev for Docker Deploy job
- scripts/db-target-guard.mjs: expectedDatabase default, NEXUS_EXPECTED_DB_NAME
- scripts/prisma-with-env.mjs, e2e/test-server.mjs: env-var rename
- packages/db/src/safe-destructive-env.ts + reset-dispo-import.ts: DB name set
- packages/db/src/destructive-db-guard.ts: PROTECTED_DATABASE_NAMES → "nexus"
- packages/db/src/destructive-db-guard.test.ts: all fixture DB names + comments
- .env.example, tooling/deploy/deploy.env.example: DATABASE_URL, image refs
- packages/api: Redis channel/key prefixes (rbac-invalidate, sse, ratelimit),
  logger service name, app-base-url log prefix
- E2E: DB container names, localStorage/sessionStorage keys, email domains
- scripts: architecture-guardrails filter, export/import-dev-seed defaults,
  harden-postgres defaults, start.sh pg_isready, worktree-hygiene fixture
- tooling/migrate/rename-to-nexus.sh: new maintenance-window cutover script

Only intentional capakraken survivor: anonymization.ts DEFAULT_ANONYMIZATION_SEED
(functional cryptographic constant — changing it would invalidate stored aliases).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

scripts/check-architecture-guardrails.mjs

@@ -719,7 +719,7 @@ export const rules = [
     ],
     forbidden: [
       {
-        pattern: /pnpm --filter @capakraken\/db exec prisma generate/,
+        pattern: /pnpm --filter @nexus\/db exec prisma generate/,
         message: "CI must not call prisma generate directly outside the workspace wrapper",
       },
     ],

scripts/db-target-guard.mjs

@@ -4,7 +4,7 @@ export function formatDatabaseTarget(parsedUrl, databaseName) {
   return `${parsedUrl.protocol}//${decodeURIComponent(parsedUrl.username)}@${parsedUrl.hostname}${parsedUrl.port ? `:${parsedUrl.port}` : ""}/${databaseName}`;
 }
 
-export function inspectDatabaseUrl(rawUrl, expectedDatabase = "capakraken") {
+export function inspectDatabaseUrl(rawUrl, expectedDatabase = "nexus") {
   if (!rawUrl) {
     throw new Error("DATABASE_URL is not configured.");
   }
@@ -82,5 +82,5 @@ export function shouldGuardPrismaCommand(args) {
 }
 
 export function getExpectedDatabaseName() {
-  return process.env.CAPAKRAKEN_EXPECTED_DB_NAME?.trim() || "capakraken";
+  return process.env.NEXUS_EXPECTED_DB_NAME?.trim() || "nexus";
 }

scripts/db-target-guard.test.mjs

@@ -6,21 +6,21 @@ import {
 } from "./db-target-guard.mjs";
 
 describe("db target guard", () => {
-  it("accepts the expected capakraken database target", () => {
+  it("accepts the expected nexus database target", () => {
     const result = inspectDatabaseUrl(
-      "postgresql://capakraken:secret@localhost:5432/capakraken",
-      "capakraken",
+      "postgresql://nexus:secret@localhost:5432/nexus",
+      "nexus",
     );
 
-    assert.equal(result.databaseName, "capakraken");
-    assert.equal(result.expectedDatabase, "capakraken");
-    assert.equal(result.target, "postgresql://capakraken@localhost:5432/capakraken");
+    assert.equal(result.databaseName, "nexus");
+    assert.equal(result.expectedDatabase, "nexus");
+    assert.equal(result.target, "postgresql://nexus@localhost:5432/nexus");
   });
 
   it("rejects a mismatched database target", () => {
     assert.throws(
-      () => inspectDatabaseUrl("postgresql://capakraken:secret@localhost:5432/planarchy", "capakraken"),
-      /Unexpected database target 'planarchy'\. Expected 'capakraken'\./,
+      () => inspectDatabaseUrl("postgresql://nexus:secret@localhost:5432/planarchy", "nexus"),
+      /Unexpected database target 'planarchy'\. Expected 'nexus'\./,
     );
   });
 

scripts/export-dev-seed.mjs

@@ -10,8 +10,8 @@
  *   node scripts/export-dev-seed.mjs
  *
  * Requirements:
- *   - The capakraken-postgres-1 Docker container must be running
- *   - DATABASE_URL must point to a local capakraken database
+ *   - The nexus-postgres-1 Docker container must be running
+ *   - DATABASE_URL must point to a local nexus database
  */
 
 import { execSync, spawnSync } from "node:child_process";
@@ -48,7 +48,7 @@ if (!["localhost", "127.0.0.1", "::1"].includes(host)) {
 
 // ── Docker container check ────────────────────────────────────────────────────
 
-const CONTAINER = "capakraken-postgres-1";
+const CONTAINER = "nexus-postgres-1";
 const containerCheck = spawnSync("docker", ["inspect", "--format={{.State.Running}}", CONTAINER], {
   encoding: "utf8",
 });
@@ -83,8 +83,8 @@ const excludeFlags = EXCLUDE_TABLES.flatMap((t) => ["--exclude-table-data", `pub
 
 // ── Run pg_dump inside the Docker container ───────────────────────────────────
 
-const DB_USER = decodeURIComponent(parsedUrl.username) || "capakraken";
-const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "capakraken";
+const DB_USER = decodeURIComponent(parsedUrl.username) || "nexus";
+const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "nexus";
 const DB_PORT = parsedUrl.port || "5432";
 
 console.log(`🔍  Exporting ${DB_USER}@${host}:${DB_PORT}/${DB_NAME} …`);

scripts/harden-postgres.sh

@@ -2,8 +2,8 @@
 # Remove SUPERUSER from the application database user
 # Run after initial setup: bash scripts/harden-postgres.sh
 
-DB_USER="${DB_USER:-capakraken}"
-DB_NAME="${DB_NAME:-capakraken}"
+DB_USER="${DB_USER:-nexus}"
+DB_NAME="${DB_NAME:-nexus}"
 
 echo "Hardening PostgreSQL for $DB_USER..."
 

scripts/import-dev-seed.mjs

@@ -10,8 +10,8 @@
  *   node scripts/import-dev-seed.mjs
  *
  * Requirements:
- *   - The capakraken-postgres-1 Docker container must be running
- *   - DATABASE_URL must point to a local capakraken database
+ *   - The nexus-postgres-1 Docker container must be running
+ *   - DATABASE_URL must point to a local nexus database
  *   - dev-seed.sql must exist (run export-dev-seed.mjs first)
  */
 
@@ -46,13 +46,13 @@ if (!["localhost", "127.0.0.1", "::1"].includes(host)) {
   process.exit(1);
 }
 
-const DB_USER = decodeURIComponent(parsedUrl.username) || "capakraken";
-const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "capakraken";
+const DB_USER = decodeURIComponent(parsedUrl.username) || "nexus";
+const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "nexus";
 const DB_PORT = parsedUrl.port || "5432";
 
 // ── Docker container check ────────────────────────────────────────────────────
 
-const CONTAINER = "capakraken-postgres-1";
+const CONTAINER = "nexus-postgres-1";
 const containerCheck = spawnSync("docker", ["inspect", "--format={{.State.Running}}", CONTAINER], {
   encoding: "utf8",
 });

scripts/prisma-with-env.mjs

@@ -27,7 +27,7 @@ if (shouldGuardPrismaCommand(prismaArgs)) {
   } catch (error) {
     console.error(error instanceof Error ? error.message : String(error));
     console.error("Refusing to run Prisma against an unexpected database target.");
-    console.error("Use the repo env files for Nexus, or set CAPAKRAKEN_EXPECTED_DB_NAME explicitly if you intentionally target another database.");
+    console.error("Use the repo env files for Nexus, or set NEXUS_EXPECTED_DB_NAME explicitly if you intentionally target another database.");
     process.exit(1);
   }
 }

scripts/start.sh

@@ -15,7 +15,7 @@ sleep 2
 # 2. Wait for PostgreSQL to be healthy
 echo "  Waiting for PostgreSQL..."
 for i in {1..30}; do
-  if docker compose exec -T postgres pg_isready -U capakraken -d capakraken -q 2>/dev/null; then
+  if docker compose exec -T postgres pg_isready -U nexus -d nexus -q 2>/dev/null; then
     break
   fi
   sleep 1

scripts/worktree-hygiene.test.mjs

@@ -9,7 +9,7 @@ import {
 function createGitStub(statusOutput) {
   return (args) => {
     if (args[0] === "rev-parse" && args[1] === "--show-toplevel") {
-      return "/tmp/capakraken\n";
+      return "/tmp/nexus\n";
     }
     if (args[0] === "rev-parse" && args[1] === "--abbrev-ref") {
       return "main\n";