rename(phase 1): CapaKraken → Nexus across code, UI, docs, CI

- @capakraken/* → @nexus/* across 12 packages (root + 11 workspaces),
  1551 import lines migrated via codemod
- User-visible brand strings renamed (emails, page titles, PWA
  manifest, mobile header, MFA backup-codes header, tooltips, signin
  page, invite page, weekly digest, install prompt)
- TOTP issuer "CapaKraken" → "Nexus" (existing secrets still valid;
  re-enrollment relabels them in users' authenticator apps)
- Function rename: assertCapaKrakenDbTarget → assertNexusDbTarget
- LocalStorage migration shim in apps/web/src/app/layout.tsx copies
  capakraken_* → nexus_* on first load (guarded by nexus_migrated_v1
  sentinel; runs once per browser, then never again)
- Service-worker cache name capakraken-v2 → nexus-v2 with one-time
  caches.delete('capakraken-v2') from the same shim
- Email-domain fixtures @capakraken.{dev,app} → @nexus.{dev,app} in
  seed data, e2e specs, SMTP default fallback
- Dockerfile.dev / Dockerfile.prod / all .github/workflows/*.yml
  pnpm --filter @capakraken/* → @nexus/*
- README, CLAUDE.md, LEARNINGS.md, all docs/*.md, .env.example,
  tooling/deploy/.env.production.example brand sweep

Phase 1 deliberately leaves untouched (handled in Phase 3 cutover):
- PostgreSQL DB name "capakraken" and POSTGRES_USER "capakraken"
- Volume names capakraken_pgdata etc.
- Compose project name "capakraken" / "capakraken-prod"
- db-target-guard default expectedDatabase
- env-var CAPAKRAKEN_EXPECTED_DB_NAME
- Container DNS names in docker-compose.ci.yml

Quality gates green: pnpm typecheck (7/7), pnpm test:unit (7/7),
pnpm lint (0 errors), check:exports/imports/architecture all pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs/security-audit-2026-03-15.md

@@ -2,7 +2,7 @@
 
 ## Scope
 
-Static security review of the current CapaKraken codebase, focused on:
+Static security review of the current Nexus codebase, focused on:
 
 - authentication and authorization boundaries
 - sensitive read/write API routes
@@ -15,7 +15,7 @@ This review was done by parallel audit slices across API routes, auth/session co
 
 ## Executive Summary
 
-The main security problem is not one isolated bug. It is that CapaKraken currently treats "authenticated" as broadly equivalent to "allowed to see most planning data". That shows up in four places:
+The main security problem is not one isolated bug. It is that Nexus currently treats "authenticated" as broadly equivalent to "allowed to see most planning data". That shows up in four places:
 
 1. any signed-in user can currently create a vacation request for any `resourceId`
 2. many sensitive read routes are only protected by `protectedProcedure`
@@ -119,7 +119,7 @@ Any signed-in user connected to the timeline SSE endpoint can receive metadata a
 
 **Impact**
 
-CapaKraken parses spreadsheet data from files, including browser-side and import-related flows, with a library version that has known high-severity issues when reading crafted workbooks. Export-only flows are lower risk; read/parse flows are the real problem.
+Nexus parses spreadsheet data from files, including browser-side and import-related flows, with a library version that has known high-severity issues when reading crafted workbooks. Export-only flows are lower risk; read/parse flows are the real problem.
 
 **Recommended fix**
 
@@ -193,7 +193,7 @@ The caller is limited to their linked resource, which is good, but the endpoint
 
 **Evidence**
 
-- `packages/db/src/reset-dispo-import.ts:24-31` defaults to `admin@capakraken.dev` / `admin123`
+- `packages/db/src/reset-dispo-import.ts:24-31` defaults to `admin@nexus.dev` / `admin123`
 - `packages/db/src/reset-dispo-import.ts:107-115` uses `prisma.$executeRawUnsafe(...)`
 
 **Impact**