rename(phase 1): CapaKraken → Nexus across code, UI, docs, CI

- @capakraken/* → @nexus/* across 12 packages (root + 11 workspaces),
  1551 import lines migrated via codemod
- User-visible brand strings renamed (emails, page titles, PWA
  manifest, mobile header, MFA backup-codes header, tooltips, signin
  page, invite page, weekly digest, install prompt)
- TOTP issuer "CapaKraken" → "Nexus" (existing secrets still valid;
  re-enrollment relabels them in users' authenticator apps)
- Function rename: assertCapaKrakenDbTarget → assertNexusDbTarget
- LocalStorage migration shim in apps/web/src/app/layout.tsx copies
  capakraken_* → nexus_* on first load (guarded by nexus_migrated_v1
  sentinel; runs once per browser, then never again)
- Service-worker cache name capakraken-v2 → nexus-v2 with one-time
  caches.delete('capakraken-v2') from the same shim
- Email-domain fixtures @capakraken.{dev,app} → @nexus.{dev,app} in
  seed data, e2e specs, SMTP default fallback
- Dockerfile.dev / Dockerfile.prod / all .github/workflows/*.yml
  pnpm --filter @capakraken/* → @nexus/*
- README, CLAUDE.md, LEARNINGS.md, all docs/*.md, .env.example,
  tooling/deploy/.env.production.example brand sweep

Phase 1 deliberately leaves untouched (handled in Phase 3 cutover):
- PostgreSQL DB name "capakraken" and POSTGRES_USER "capakraken"
- Volume names capakraken_pgdata etc.
- Compose project name "capakraken" / "capakraken-prod"
- db-target-guard default expectedDatabase
- env-var CAPAKRAKEN_EXPECTED_DB_NAME
- Container DNS names in docker-compose.ci.yml

Quality gates green: pnpm typecheck (7/7), pnpm test:unit (7/7),
pnpm lint (0 errors), check:exports/imports/architecture all pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs/security-architecture.md

@@ -1,4 +1,4 @@
-# Security Architecture — CapaKraken
+# Security Architecture — Nexus
 
 > Version: 1.0 | Date: 2026-03-27
 
@@ -68,7 +68,7 @@ publicProcedure
 - The admin settings mutation no longer persists new secret values into `SystemSettings`; secret inputs must be provisioned through environment or a deployment-time secret manager, and legacy database copies can be cleared explicitly
 - The admin UI now exposes runtime secret source/status plus an explicit "clear legacy DB secrets" cleanup path so operators can complete the migration without direct database writes
 - Production startup now validates Auth.js runtime configuration and refuses to boot if `AUTH_SECRET`/`NEXTAUTH_SECRET` is missing, left on a known development placeholder, paired with a non-HTTPS public auth URL, shorter than 32 characters, or failing a Shannon-entropy check (≥ 3.5 bits/char)
-- User passwords: minimum 12 characters, maximum 128 characters; single `PASSWORD_MIN_LENGTH` / `PASSWORD_MAX_LENGTH` constant (`@capakraken/shared/constants`) is imported by every client-side pre-submit validator and server-side Zod schema — prevents client/server policy drift
+- User passwords: minimum 12 characters, maximum 128 characters; single `PASSWORD_MIN_LENGTH` / `PASSWORD_MAX_LENGTH` constant (`@nexus/shared/constants`) is imported by every client-side pre-submit validator and server-side Zod schema — prevents client/server policy drift
 
 #### Secret rotation
 
@@ -223,7 +223,7 @@ cannot escalate to JS execution in this application.
 ## 10. Dependency Security
 
 - **Dependabot** configured for automated dependency updates
-- `pnpm audit` runs in the scheduled [nightly-security.yml](/home/hartmut/Documents/Copilot/capakraken/.github/workflows/nightly-security.yml) workflow, and high-signal architecture guardrails run on every PR in [ci.yml](/home/hartmut/Documents/Copilot/capakraken/.github/workflows/ci.yml)
+- `pnpm audit` runs in the scheduled [nightly-security.yml](/home/hartmut/Documents/Copilot/nexus/.github/workflows/nightly-security.yml) workflow, and high-signal architecture guardrails run on every PR in [ci.yml](/home/hartmut/Documents/Copilot/nexus/.github/workflows/ci.yml)
 - Lockfile integrity verified on install
 - transitive audit hotspots such as `flatted` and `picomatch` are pinned through root `pnpm.overrides` to keep dev-tooling CVEs from drifting back in through nested dependencies
 - runtime workbook parsing and export generation now use `exceljs` boundaries instead of direct `xlsx` usage in application, engine, and web paths
@@ -246,7 +246,7 @@ Browser -> Next.js (port 3100) -> tRPC -> Prisma -> PostgreSQL (port 5433)
 
 ### Authentication and Access
 
-- PostgreSQL uses password-based authentication (`capakraken` user with strong password)
+- PostgreSQL uses password-based authentication (`nexus` user with strong password)
 - Connection restricted to the Docker internal network (port 5433 on host, 5432 inside container)
 - No direct internet access to the database — all queries routed through Prisma ORM via the application layer
 - Application uses a single database user; no shared or anonymous access
@@ -264,7 +264,7 @@ Browser -> Next.js (port 3100) -> tRPC -> Prisma -> PostgreSQL (port 5433)
   - `log_statement=ddl` — all DDL statements (CREATE, ALTER, DROP)
   - `log_min_duration_statement=1000` — slow queries (>1s) logged for performance review
   - `log_line_prefix='%t [%p] %u@%d '` — timestamp, PID, user, and database in every log line
-- **SUPERUSER removed** from the application database user (`capakraken`); hardening script at `scripts/harden-postgres.sh`
+- **SUPERUSER removed** from the application database user (`nexus`); hardening script at `scripts/harden-postgres.sh`
 - **Minimal privilege grants**: application user has only SELECT, INSERT, UPDATE, DELETE on tables and USAGE/SELECT on sequences — no CREATE, DROP, or SUPERUSER capabilities
 
 ### Recommendations for Further Production Hardening