The Phase 1 codemod only scanned .ts/.tsx/.js/.mjs/.cjs/.json, so two
shell scripts that reference workspace packages stayed pointing at the
old `@capakraken/*` names. The dev container's entrypoint then printed
"No projects matched the filters in /app" on every pnpm --filter call,
the app never bound to port 3100, and Fresh-Linux Docker Deploy went red on
run 154.
- tooling/docker/app-dev-start.sh: pnpm --filter @capakraken/{db,web}
→ @nexus/{db,web} (5 occurrences); /tmp/capakraken-dev-home →
/tmp/nexus-dev-home
- scripts/stop.sh: /tmp/capakraken-dev.pid → /tmp/nexus-dev.pid
Deferred to Phase 3 (these reference live infrastructure, not package
names): scripts/harden-postgres.sh DB_USER/DB_NAME defaults, restart.sh
volume names capakraken_node_modules/_next, scripts/start.sh
pg_isready -U capakraken -d capakraken.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- e2e: switch schema reset + sanity check from psql (not installed in
act_runner's catthehacker/ubuntu image) to `prisma db execute --stdin`
which is already a dev dep.
- docker-deploy: after `db push` the schema matches schema.prisma but
_prisma_migrations is empty, so the follow-up `migrate deploy` fails
with P3005. Baseline each migration directory as applied via
`prisma migrate resolve --applied` before deploy; the migrations
themselves are idempotent supplements, so marking-as-applied is safe.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- e2e: use prisma db push --force-reset so the job starts from a
guaranteed clean schema (previous runs hit missing audit_logs
even though push reported in-sync; suspected stale service volume).
- docker-deploy: run prisma db push before db:migrate:deploy in
app-dev-start.sh. The migrations/*.sql files are idempotent
supplements (IF NOT EXISTS guards) that assume base tables already
exist; a fresh container has no tables, so the first incremental
migration's FK on "users" fails. db push creates the baseline,
migrate deploy then layers on the incremental additions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The bind mount (.:/app) provides workspace-level node_modules symlinks
from the host, but those target the root node_modules/.pnpm store which
inside the container is a named volume with different content-addressable
hashes. Added `pnpm install --frozen-lockfile` to app-dev-start.sh so
symlinks are regenerated against the container's store on every boot.
Also adds restart.sh convenience script for image rebuilds.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Installs postgresql-client in the dev image so pg_isready is available.
The startup script now polls until postgres accepts connections, preventing
the P1001 "can't reach database" crash when the app container starts before
postgres is fully ready.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request
#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
run db:migrate:deploy on container start so a fresh checkout boots without manual steps
Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)
Co-Authored-By: claude-flow <ruv@ruv.net>
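
Item #20 above names a DNS-verified IP blocklist for webhook URLs. The following is an added example of that kind of check, not the project's ssrf-guard.ts: the function names, the range list and the injected resolver are assumptions (in a Node service the resolver would wrap `dns.promises.lookup(host, { all: true })`).

```typescript
// Added illustration, not the project's ssrf-guard.ts; all names are hypothetical.
type Resolver = (host: string) => Promise<string[]>;

// IPv4 ranges a webhook must never reach: [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isBlockedAddress(ip: string): boolean {
  // Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  const n = v4ToInt(mapped ? mapped[1] : ip);
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor((v4ToInt(net) as number) / size);
    });
  }
  // IPv6: allow only global unicast 2000::/3; loopback, link-local, ULA
  // and anything unrecognised fail closed.
  return !/^[23][0-9a-f]{3}:/i.test(ip);
}

async function checkWebhookUrl(
  raw: string,
  resolve: Resolver,
): Promise<{ ok: boolean; reason: string; pinned?: string }> {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparsable URL" }; }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: "scheme not allowed" };
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const literal = v4ToInt(host) !== null || host.includes(":");
  const addrs = literal ? [host] : await resolve(host);
  if (addrs.length === 0) return { ok: false, reason: "no addresses" };
  // Every resolved address must pass: one internal record is enough to reject.
  const bad = addrs.find(isBlockedAddress);
  if (bad !== undefined) return { ok: false, reason: `resolves to blocked address ${bad}` };
  return { ok: true, reason: "ok", pinned: addrs[0] };
}
```

A hostname that resolves safely at create time can resolve differently later, so the check is repeated at dispatch and the request is made to the `pinned` address rather than re-resolving the name.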