rename(phase 1): CapaKraken → Nexus across code, UI, docs, CI

- @capakraken/* → @nexus/* across 12 packages (root + 11 workspaces),
  1551 import lines migrated via codemod
- User-visible brand strings renamed (emails, page titles, PWA
  manifest, mobile header, MFA backup-codes header, tooltips, signin
  page, invite page, weekly digest, install prompt)
- TOTP issuer "CapaKraken" → "Nexus" (existing secrets still valid;
  re-enrollment relabels them in users' authenticator apps)
- Function rename: assertCapaKrakenDbTarget → assertNexusDbTarget
- LocalStorage migration shim in apps/web/src/app/layout.tsx copies
  capakraken_* → nexus_* on first load (guarded by nexus_migrated_v1
  sentinel; runs once per browser, then never again)
- Service-worker cache name capakraken-v2 → nexus-v2 with one-time
  caches.delete('capakraken-v2') from the same shim
- Email-domain fixtures @capakraken.{dev,app} → @nexus.{dev,app} in
  seed data, e2e specs, SMTP default fallback
- Dockerfile.dev / Dockerfile.prod / all .github/workflows/*.yml
  pnpm --filter @capakraken/* → @nexus/*
- README, CLAUDE.md, LEARNINGS.md, all docs/*.md, .env.example,
  tooling/deploy/.env.production.example brand sweep

Phase 1 deliberately leaves untouched (handled in Phase 3 cutover):
- PostgreSQL DB name "capakraken" and POSTGRES_USER "capakraken"
- Volume names capakraken_pgdata etc.
- Compose project name "capakraken" / "capakraken-prod"
- db-target-guard default expectedDatabase
- env-var CAPAKRAKEN_EXPECTED_DB_NAME
- Container DNS names in docker-compose.ci.yml

Quality gates green: pnpm typecheck (7/7), pnpm test:unit (7/7),
pnpm lint (0 errors), check:exports/imports/architecture all pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs/sdlc.md

@@ -1,4 +1,4 @@
-# Secure Development Lifecycle (SDLC) — CapaKraken
+# Secure Development Lifecycle (SDLC) — Nexus
 
 > Version: 1.0 | Date: 2026-03-27
 
@@ -14,22 +14,22 @@ Feature Branch -> Pull Request -> CI Pipeline -> Code Review -> Merge to main ->
 
 Every pull request must pass:
 
-1. **TypeScript strict check**: `pnpm --filter @capakraken/web exec tsc --noEmit`
+1. **TypeScript strict check**: `pnpm --filter @nexus/web exec tsc --noEmit`
 2. **Linting**: `pnpm lint` (ESLint with strict rules)
 3. **Unit tests**: `pnpm test:unit` (Vitest, engine + staffing packages)
 4. **E2E tests**: Playwright tests for critical user flows
 
 ## Security Gates
 
-| Gate | Tool | Stage |
-|------|------|-------|
-| Type safety | TypeScript strict mode | Build |
-| Input validation | Zod schemas on all tRPC procedures | Build + Runtime |
-| Dependency vulnerabilities | Dependabot + `pnpm audit` | PR + Weekly |
-| Audit logging | `createAuditEntry()` required for data mutations | Code review |
-| RBAC enforcement | `requirePermission()` on new procedures | Code review |
-| No hardcoded secrets | PR review checklist | Code review |
-| SQL injection prevention | Prisma ORM (parameterized queries only) | Architecture |
+| Gate                       | Tool                                             | Stage           |
+| -------------------------- | ------------------------------------------------ | --------------- |
+| Type safety                | TypeScript strict mode                           | Build           |
+| Input validation           | Zod schemas on all tRPC procedures               | Build + Runtime |
+| Dependency vulnerabilities | Dependabot + `pnpm audit`                        | PR + Weekly     |
+| Audit logging              | `createAuditEntry()` required for data mutations | Code review     |
+| RBAC enforcement           | `requirePermission()` on new procedures          | Code review     |
+| No hardcoded secrets       | PR review checklist                              | Code review     |
+| SQL injection prevention   | Prisma ORM (parameterized queries only)          | Architecture    |
 
 ## PR Review Checklist