rename(phase 1): cover .sh files missed by initial codemod

The Phase 1 codemod only scanned .ts/.tsx/.js/.mjs/.cjs/.json, so two shell scripts that reference workspace packages stayed pointing at the old `@capakraken/*` names. The dev container's entrypoint then printed "No projects matched the filters in /app" on every pnpm --filter call, the app never bound to port 3100, and Fresh-Linux Docker Deploy red on run 154. - tooling/docker/app-dev-start.sh: pnpm --filter @capakraken/{db,web} → @nexus/{db,web} (5 occurrences); /tmp/capakraken-dev-home → /tmp/ nexus-dev-home - scripts/stop.sh: /tmp/capakraken-dev.pid → /tmp/nexus-dev.pid Deferred to Phase 3 (these reference live infrastructure, not package names): scripts/harden-postgres.sh DB_USER/DB_NAME defaults, restart.sh volume names capakraken_node_modules/_next, scripts/start.sh pg_isready -U capakraken -d capakraken. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(ci): clear PR #61 lint error + bump fast-uri/next over high-sev advisories
2026-05-21 16:11:16 +02:00 · 2026-05-21 15:28:52 +02:00 · 2026-05-21 15:10:44 +02:00
53 changed files with 244 additions and 548 deletions
@@ -1 +0,0 @@
-{"sessionId":"aed37e34-4be8-4788-b03a-7145d9b4b2ce","pid":3544538,"procStart":"34480817","acquiredAt":1779373227101}
@@ -32,7 +32,7 @@ POSTGRES_PASSWORD=
 # host (outside Docker). Must match POSTGRES_PASSWORD above. Inside the app
 # container this variable is overridden by docker-compose.yml (which routes
 # to the postgres service name on the internal network).
-DATABASE_URL=postgresql://nexus:nexus_dev@localhost:5433/nexus
+DATABASE_URL=postgresql://capakraken:capakraken_dev@localhost:5433/capakraken

 # ─── Redis ───────────────────────────────────────────────────────────────────

@@ -104,7 +104,7 @@ PGADMIN_PASSWORD=
 # that any resolved path remains inside this directory; this prevents an
 # admin (or compromised admin token) from pointing the parser at arbitrary
 # files on disk and reaching ExcelJS CVEs. Defaults to ./imports if unset.
-# DISPO_IMPORT_DIR=/var/lib/nexus/imports
+# DISPO_IMPORT_DIR=/var/lib/capakraken/imports

 # ─── Testing (never enable in production) ────────────────────────────────────

@@ -159,11 +159,11 @@ jobs:
      postgres:
        image: postgres:16
        env:
-          POSTGRES_DB: nexus_test
-          POSTGRES_USER: nexus
-          POSTGRES_PASSWORD: nexus_test
+          POSTGRES_DB: capakraken_test
+          POSTGRES_USER: capakraken
+          POSTGRES_PASSWORD: capakraken_test
        options: >-
-          --health-cmd="pg_isready -U nexus -d nexus_test"
+          --health-cmd="pg_isready -U capakraken -d capakraken_test"
          --health-interval=10s
          --health-timeout=5s
          --health-retries=5
@@ -175,7 +175,7 @@ jobs:
          --health-timeout=5s
          --health-retries=5
    env:
-      DATABASE_URL: postgresql://nexus:nexus_test@postgres:5432/nexus_test
+      DATABASE_URL: postgresql://capakraken:capakraken_test@postgres:5432/capakraken_test
      REDIS_URL: redis://redis:6379
      # Force in-memory rate limiter to avoid cross-test state when Redis drops.
      # Redis fallback downgrades to max/10 limits which rate-limits unit tests.
@@ -291,11 +291,11 @@ jobs:
      e2epg:
        image: postgres:16
        env:
-          POSTGRES_DB: nexus_test
-          POSTGRES_USER: nexus
-          POSTGRES_PASSWORD: nexus_test
+          POSTGRES_DB: capakraken_test
+          POSTGRES_USER: capakraken
+          POSTGRES_PASSWORD: capakraken_test
        options: >-
-          --health-cmd="pg_isready -U nexus -d nexus_test"
+          --health-cmd="pg_isready -U capakraken -d capakraken_test"
          --health-interval=10s
          --health-timeout=5s
          --health-retries=5
@@ -307,14 +307,14 @@ jobs:
          --health-timeout=5s
          --health-retries=5
    env:
-      DATABASE_URL: postgresql://nexus:nexus_test@e2epg:5432/nexus_test
+      DATABASE_URL: postgresql://capakraken:capakraken_test@e2epg:5432/capakraken_test
      # Playwright test-server.mjs requires an explicit test DB URL.
-      PLAYWRIGHT_DATABASE_URL: postgresql://nexus:nexus_test@e2epg:5432/nexus_test
+      PLAYWRIGHT_DATABASE_URL: postgresql://capakraken:capakraken_test@e2epg:5432/capakraken_test
      # prisma-with-env.mjs refuses to run unless DATABASE_URL's db name matches
-      # the expected target; default is "nexus", CI uses nexus_test.
-      NEXUS_EXPECTED_DB_NAME: nexus_test
+      # the expected target; default is "capakraken", CI uses capakraken_test.
+      CAPAKRAKEN_EXPECTED_DB_NAME: capakraken_test
      ALLOW_DESTRUCTIVE_DB_TOOLS: "true"
-      CONFIRM_DESTRUCTIVE_DB_NAME: nexus_test
+      CONFIRM_DESTRUCTIVE_DB_NAME: capakraken_test
      REDIS_URL: redis://e2eredis:6379
      PORT: 3100
      # test-server.mjs spawns `docker compose --profile test up postgres-test`;
@@ -375,7 +375,7 @@ jobs:

      - name: Push DB schema & seed
        env:
-          PGPASSWORD: nexus_test
+          PGPASSWORD: capakraken_test
        run: |
          # Nuke any leftover schema state from a previous job that shared the
          # postgres service container (act_runner reuses service volumes).
@@ -397,7 +397,7 @@ jobs:
          IPS=$(getent hosts e2epg | awk '{print $1}')
          PG_IP=""
          for ip in $IPS; do
-            if PGPASSWORD=nexus_test psql -h "$ip" -U nexus -d nexus_test -v ON_ERROR_STOP=1 -Atc "SELECT 1" >/dev/null 2>&1; then
+            if PGPASSWORD=capakraken_test psql -h "$ip" -U capakraken -d capakraken_test -v ON_ERROR_STOP=1 -Atc "SELECT 1" >/dev/null 2>&1; then
              PG_IP="$ip"
              echo "Locked onto postgres at $PG_IP"
              break
@@ -406,19 +406,19 @@ jobs:
            fi
          done
          if [ -z "$PG_IP" ]; then
-            echo "ERROR: no resolved e2epg IP accepted nexus_test credentials"
+            echo "ERROR: no resolved e2epg IP accepted capakraken_test credentials"
            exit 1
          fi
-          PINNED_URL="postgresql://nexus:nexus_test@$PG_IP:5432/nexus_test"
+          PINNED_URL="postgresql://capakraken:capakraken_test@$PG_IP:5432/capakraken_test"
          echo "DATABASE_URL=$PINNED_URL" >> "$GITHUB_ENV"
          echo "PLAYWRIGHT_DATABASE_URL=$PINNED_URL" >> "$GITHUB_ENV"
          echo "--- DROP SCHEMA ---"
-          psql -h "$PG_IP" -U nexus -d nexus_test -v ON_ERROR_STOP=1 \
-            -c "DROP SCHEMA IF EXISTS public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO nexus; GRANT ALL ON SCHEMA public TO public;"
+          psql -h "$PG_IP" -U capakraken -d capakraken_test -v ON_ERROR_STOP=1 \
+            -c "DROP SCHEMA IF EXISTS public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO capakraken; GRANT ALL ON SCHEMA public TO public;"
          echo "--- prisma db push ---"
          DATABASE_URL="$PINNED_URL" pnpm --filter @nexus/db exec prisma db push --schema ./prisma/schema.prisma --accept-data-loss --skip-generate
          echo "--- tables in public after push ---"
-          psql -h "$PG_IP" -U nexus -d nexus_test -v ON_ERROR_STOP=1 -At \
+          psql -h "$PG_IP" -U capakraken -d capakraken_test -v ON_ERROR_STOP=1 -At \
            -c "SELECT tablename FROM pg_tables WHERE schemaname='public' ORDER BY tablename" \
            | tee /tmp/tables.txt
          if ! grep -qx 'audit_logs' /tmp/tables.txt; then
@@ -468,8 +468,8 @@ jobs:
          NEXTAUTH_SECRET=ci-test-secret-minimum-32-chars-xx
          PGADMIN_PASSWORD=ci-pgadmin
          # Must match the password baked into docker-compose.ci.yml's
-          # DATABASE_URL override (nexus_dev).
-          POSTGRES_PASSWORD=nexus_dev
+          # DATABASE_URL override (capakraken_dev).
+          POSTGRES_PASSWORD=capakraken_dev
          EOF

      - name: Tear down any stale stack & volumes
@@ -477,11 +477,7 @@ jobs:
        # runs. A previous run's failed migration entry in _prisma_migrations
        # causes P3009 on the next migrate deploy; wipe volumes for a truly
        # fresh deploy test every time.
-        # Also tear down the legacy "capakraken" project (pre-Phase-3 rename)
-        # in case old containers are still holding host ports 5433/6380.
-        run: |
-          docker compose -p capakraken --profile full -f docker-compose.yml -f docker-compose.ci.yml down -v --remove-orphans || true
-          docker compose --profile full -f docker-compose.yml -f docker-compose.ci.yml down -v --remove-orphans || true
+        run: docker compose -f docker-compose.yml -f docker-compose.ci.yml down -v --remove-orphans || true

      - name: Start infrastructure (postgres + redis)
        run: docker compose -f docker-compose.yml -f docker-compose.ci.yml up -d postgres redis
@@ -489,7 +485,7 @@ jobs:
      - name: Wait for postgres
        run: |
          for i in $(seq 1 20); do
-            docker compose -f docker-compose.yml -f docker-compose.ci.yml exec -T postgres pg_isready -U nexus -d nexus && break
+            docker compose -f docker-compose.yml -f docker-compose.ci.yml exec -T postgres pg_isready -U capakraken -d capakraken && break
            sleep 3
          done

@@ -101,7 +101,7 @@ test.describe("Assistant approvals", () => {

  test.beforeEach(async ({ page }) => {
    await page.addInitScript((conversationId) => {
-      window.sessionStorage.setItem("nexus-chat-conversation-id", conversationId);
+      window.sessionStorage.setItem("capakraken-chat-conversation-id", conversationId);
    }, CURRENT_CONVERSATION_ID);

    runDb(`
@@ -42,9 +42,9 @@ test.describe("Auth — login / logout", () => {
    await page.click('button[type="submit"]');
    await expect(page).toHaveURL(/\/auth\/signin/, { timeout: 5000 });
    // Error message visible
-    await expect(page.locator("text=/invalid|incorrect|wrong|credentials/i")).toBeVisible({
-      timeout: 5000,
-    });
+    await expect(
+      page.locator("text=/invalid|incorrect|wrong|credentials/i"),
+    ).toBeVisible({ timeout: 5000 });
  });

  test("after logout, protected routes redirect to sign-in", async ({ page }) => {
@@ -75,7 +75,7 @@ test.describe("Session registry — no tRPC 401s after login", () => {

    // At least one user row should be visible
    await expect(page.locator("table")).toBeVisible({ timeout: 10000 });
-    await expect(page.locator("text=/planarchy\\.dev|nexus\\.dev/").first()).toBeVisible({
+    await expect(page.locator("text=/planarchy\\.dev|capakraken\\.dev/").first()).toBeVisible({
      timeout: 10000,
    });
    await expect(page.locator("text=No users found")).toHaveCount(0);
@@ -12,7 +12,7 @@
 *   - Creates a temporary test user via tRPC (admin session) for isolation.
 *   - Cleans up the test user in afterAll.
 *   - Uses an empty storageState to ensure no cross-user localStorage bleed.
- *   - localStorage key is user-scoped: "nexus_dashboard_v1_{userId}".
+ *   - localStorage key is user-scoped: "capakraken_dashboard_v1_{userId}".
 */

 import { expect, test, type Browser, type Page } from "@playwright/test";
@@ -20,16 +20,9 @@ import { STORAGE_STATE } from "../../playwright.dev.config.js";

 // ─── tRPC helpers ─────────────────────────────────────────────────────────────

-type TrpcResult = {
-  result?: { data?: unknown };
-  error?: { data?: { code?: string }; message?: string };
-};
+type TrpcResult = { result?: { data?: unknown }; error?: { data?: { code?: string }; message?: string } };

-async function trpcMutation(
-  page: Page,
-  procedure: string,
-  input: unknown = null,
-): Promise<TrpcResult> {
+async function trpcMutation(page: Page, procedure: string, input: unknown = null): Promise<TrpcResult> {
  return page.evaluate(
    async ({ procedure, input }) => {
      const res = await fetch(`/api/trpc/${procedure}?batch=1`, {
@@ -45,11 +38,7 @@ async function trpcMutation(
  );
 }

-async function trpcQuery(
-  page: Page,
-  procedure: string,
-  input: unknown = null,
-): Promise<TrpcResult> {
+async function trpcQuery(page: Page, procedure: string, input: unknown = null): Promise<TrpcResult> {
  return page.evaluate(
    async ({ procedure, input }) => {
      const encodedInput = encodeURIComponent(JSON.stringify({ "0": { json: input } }));
@@ -139,9 +128,7 @@ test.describe("Dashboard — widget management", () => {

      // Default layout should show at least the stat-cards widget
      // (from createDefaultDashboardLayout in useDashboardLayout)
-      await expect(
-        page.locator('[data-testid="widget-stat-cards"], .react-grid-item').first(),
-      ).toBeVisible({
+      await expect(page.locator('[data-testid="widget-stat-cards"], .react-grid-item').first()).toBeVisible({
        timeout: 8000,
      });
    });
@@ -151,21 +138,16 @@ test.describe("Dashboard — widget management", () => {
      await navigateToDashboard(page);

      // Open modal
-      await page
-        .getByRole("button", { name: /add widget/i })
-        .first()
-        .click();
+      await page.getByRole("button", { name: /add widget/i }).first().click();

      // Verify modal is open
-      await expect(page.getByRole("heading", { name: /add widget/i })).toBeVisible({
-        timeout: 5000,
-      });
+      await expect(page.getByRole("heading", { name: /add widget/i })).toBeVisible({ timeout: 5000 });

      // Verify widget entries are visible in the modal
      // The catalog has 11 widgets; check for at least 5 visible buttons inside the modal
-      const widgetButtons = page
-        .locator('[role="dialog"] button, .fixed button[type="button"]')
-        .filter({ hasText: /./ });
+      const widgetButtons = page.locator(
+        '[role="dialog"] button, .fixed button[type="button"]',
+      ).filter({ hasText: /./ });

      // Count items in the grid (the ×-close button is excluded by checking for icon content)
      const modalContent = page.locator(".fixed.inset-0 .grid");
@@ -184,16 +166,10 @@ test.describe("Dashboard — widget management", () => {
      const initialCount = await page.locator(".react-grid-item").count();

      // Open modal and add "Resource Table" widget
-      await page
-        .getByRole("button", { name: /add widget/i })
-        .first()
-        .click();
+      await page.getByRole("button", { name: /add widget/i }).first().click();
      await expect(page.locator(".fixed.inset-0")).toBeVisible({ timeout: 5000 });

-      await page
-        .locator(".fixed.inset-0 button")
-        .filter({ hasText: /resource table/i })
-        .click();
+      await page.locator(".fixed.inset-0 button").filter({ hasText: /resource table/i }).click();

      // Modal should close after adding
      await expect(page.locator(".fixed.inset-0")).not.toBeVisible({ timeout: 5000 });
@@ -208,15 +184,9 @@ test.describe("Dashboard — widget management", () => {
      await navigateToDashboard(page);

      // Add a recognizable widget
-      await page
-        .getByRole("button", { name: /add widget/i })
-        .first()
-        .click();
+      await page.getByRole("button", { name: /add widget/i }).first().click();
      await expect(page.locator(".fixed.inset-0")).toBeVisible({ timeout: 5000 });
-      await page
-        .locator(".fixed.inset-0 button")
-        .filter({ hasText: /project overview/i })
-        .click();
+      await page.locator(".fixed.inset-0 button").filter({ hasText: /project overview/i }).click();
      await expect(page.locator(".fixed.inset-0")).not.toBeVisible({ timeout: 5000 });

      const countAfterAdd = await page.locator(".react-grid-item").count();
@@ -244,23 +214,19 @@ test.describe("Dashboard — widget management", () => {

      // Read the admin's localStorage key to verify it is user-scoped
      const adminUserId = await adminPage.evaluate(async () => {
-        const res = await fetch(
-          "/api/trpc/user.me?batch=1&input=" +
-            encodeURIComponent(JSON.stringify({ "0": { json: null } })),
-          {
-            credentials: "include",
-          },
-        );
-        const body = (await res.json()) as [{ result?: { data?: { json?: { id?: string } } } }];
+        const res = await fetch("/api/trpc/user.me?batch=1&input=" + encodeURIComponent(JSON.stringify({ "0": { json: null } })), {
+          credentials: "include",
+        });
+        const body = await res.json() as [{ result?: { data?: { json?: { id?: string } } } }];
        return body[0]?.result?.data?.json?.id ?? null;
      });

-      // Verify admin has a user-scoped storage key (not shared "nexus_dashboard_v1")
+      // Verify admin has a user-scoped storage key (not shared "capakraken_dashboard_v1")
      if (adminUserId) {
        const storageKey = await adminPage.evaluate((userId) => {
          // Check both old (unscoped) and new (user-scoped) key formats
-          const oldKey = "nexus_dashboard_v1";
-          const newKey = `nexus_dashboard_v1_${userId}`;
+          const oldKey = "capakraken_dashboard_v1";
+          const newKey = `capakraken_dashboard_v1_${userId}`;
          const oldValue = localStorage.getItem(oldKey);
          const newValue = localStorage.getItem(newKey);
          return { oldKey: oldValue !== null, newKey: newValue !== null };
@@ -278,13 +244,8 @@ test.describe("Dashboard — widget management", () => {

          // Inject the admin's storage key to simulate same browser
          await newUserPage.evaluate(
-            ({ key, value }) => {
-              localStorage.setItem(key, value ?? "");
-            },
-            {
-              key: `nexus_dashboard_v1_${adminUserId}`,
-              value: JSON.stringify({ version: 2, gridCols: 12, widgets: [] }),
-            },
+            ({ key, value }) => { localStorage.setItem(key, value ?? ""); },
+            { key: `capakraken_dashboard_v1_${adminUserId}`, value: JSON.stringify({ version: 2, gridCols: 12, widgets: [] }) },
          );

          // Log in as test user
@@ -301,10 +262,7 @@ test.describe("Dashboard — widget management", () => {
          const gridItems = await newUserPage.locator(".react-grid-item").count();
          // Either show default layout (≥1 widget) OR the properly-scoped empty state with Add Widget CTA
          // The key check: the test user's Add Widget button should still work
-          await newUserPage
-            .getByRole("button", { name: /add widget/i })
-            .first()
-            .click();
+          await newUserPage.getByRole("button", { name: /add widget/i }).first().click();

          // Modal must show widgets to choose from
          const modalContent = newUserPage.locator(".fixed.inset-0 .grid");
@@ -25,9 +25,9 @@ const RESET_TEST_USER = {
  password: "Dev123456!",
 };

-const DB_CONTAINER = "nexus-postgres-1";
-const DB_USER = "nexus";
-const DB_NAME = "nexus";
+const DB_CONTAINER = "capakraken-postgres-1";
+const DB_USER = "capakraken";
+const DB_NAME = "capakraken";

 function psqlExec(sql: string): string {
  return execSync(
@@ -26,7 +26,7 @@ export async function signOut(page: Page) {
  await page.goto("/dashboard"); // land on any authenticated page for cookie context
  await page.evaluate(async () => {
    const csrfRes = await fetch("/api/auth/csrf");
-    const { csrfToken } = (await csrfRes.json()) as { csrfToken: string };
+    const { csrfToken } = await csrfRes.json() as { csrfToken: string };
    await fetch("/api/auth/signout", {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
@@ -62,9 +62,11 @@ function decodeMimeBody(body: string, encoding: string | undefined): string {
  const enc = (encoding ?? "").toLowerCase().trim();
  if (enc === "quoted-printable") {
    return body
-      .replace(/=\r\n/g, "") // soft line break (CRLF)
-      .replace(/=\n/g, "") // soft line break (LF)
-      .replace(/=([0-9A-Fa-f]{2})/g, (_, hex: string) => String.fromCharCode(parseInt(hex, 16)));
+      .replace(/=\r\n/g, "")   // soft line break (CRLF)
+      .replace(/=\n/g, "")      // soft line break (LF)
+      .replace(/=([0-9A-Fa-f]{2})/g, (_, hex: string) =>
+        String.fromCharCode(parseInt(hex, 16)),
+      );
  }
  if (enc === "base64") {
    return Buffer.from(body.replace(/\s/g, ""), "base64").toString("utf8");
@@ -88,10 +90,7 @@ export async function clearMailhog(): Promise<void> {
 */
 export async function getLatestEmailTo(
  address: string,
-  {
-    timeoutMs = 10_000,
-    pollIntervalMs = 500,
-  }: { timeoutMs?: number; pollIntervalMs?: number } = {},
+  { timeoutMs = 10_000, pollIntervalMs = 500 }: { timeoutMs?: number; pollIntervalMs?: number } = {},
 ): Promise<{ subject: string; body: string; html: string }> {
  const deadline = Date.now() + timeoutMs;

@@ -145,9 +144,7 @@ export function extractUrlFromEmail(
  pathPrefix: string,
 ): string {
  const text = email.html || email.body;
-  const match = text.match(
-    new RegExp(`https?://[^\\s"'<>]*${pathPrefix.replace("/", "\\/")}[^\\s"'<>]*`),
-  );
+  const match = text.match(new RegExp(`https?://[^\\s"'<>]*${pathPrefix.replace("/", "\\/")}[^\\s"'<>]*`));
  if (!match?.[0]) {
    throw new Error(`No URL with prefix "${pathPrefix}" found in email`);
  }
@@ -169,10 +166,10 @@ export async function resetPasswordViaApi(
  // argon2id hashes use base64 chars only — safe inside a SQL single-quoted string
  // Column name is camelCase (Prisma default) — must be double-quoted in SQL
  const sql = `UPDATE users SET "passwordHash" = '${passwordHash}' WHERE email = '${email}';`;
-  execSync(`docker exec -i nexus-postgres-1 psql -U nexus -d nexus`, {
-    input: sql,
-    encoding: "utf8",
-  });
+  execSync(
+    `docker exec -i capakraken-postgres-1 psql -U capakraken -d capakraken`,
+    { input: sql, encoding: "utf8" },
+  );
 }

 // ── tRPC helpers ───────────────────────────────────────────────────────────────
@@ -27,7 +27,7 @@ test.describe("invite flow", () => {
  });

  test("admin invites a new user and invited user can sign in", async ({ page, browser }) => {
-    const testEmail = `invite-e2e-${Date.now()}@nexus.test`;
+    const testEmail = `invite-e2e-${Date.now()}@capakraken.test`;

    // Step 1: Navigate to admin users page
    await page.goto("/admin/users");
@@ -36,7 +36,7 @@ test.describe("invite flow", () => {
    // Step 2: Open invite modal
    await page.click('button:has-text("Invite User")');
    // Wait for the modal heading — AnimatedModal does not use role="dialog"
-    await page.waitForSelector("text=Invite User", { state: "visible" });
+    await page.waitForSelector('text=Invite User', { state: "visible" });

    // Step 3: Fill in invite form
    await page.fill('input[type="email"]', testEmail);
@@ -45,9 +45,7 @@ test.describe("invite flow", () => {
    await page.click('button:has-text("Send Invite")');

    // Step 5: Wait for success message (exact text from InviteUserModal.tsx)
-    await expect(page.locator("text=Invitation sent successfully.")).toBeVisible({
-      timeout: 10_000,
-    });
+    await expect(page.locator("text=Invitation sent successfully.")).toBeVisible({ timeout: 10_000 });

    // Step 6: Read invite email from Mailhog
    const email = await getLatestEmailTo(testEmail, { timeoutMs: 15_000 });
@@ -28,7 +28,7 @@ test.describe("RBAC — admin routes (admin session)", () => {

    await expect(page.locator("table")).toBeVisible({ timeout: 10000 });
    // Seed users have planarchy.dev or nexus.dev email domains
-    await expect(page.locator("text=/planarchy\\.dev|nexus\\.dev/").first()).toBeVisible({
+    await expect(page.locator("text=/planarchy\\.dev|capakraken\\.dev/").first()).toBeVisible({
      timeout: 10000,
    });
  });
@@ -16,9 +16,9 @@ const webDistDirPath = resolve(webRoot, webDistDir);
 const managedEnvBanner = "# Managed by apps/web/e2e/test-server.mjs";
 const e2ePort = process.env.PLAYWRIGHT_TEST_PORT ?? "3110";
 const e2eBaseUrl = process.env.PLAYWRIGHT_TEST_BASE_URL ?? `http://localhost:${e2ePort}`;
-const e2eAuthSecret = process.env.PLAYWRIGHT_AUTH_SECRET ?? `nexus-e2e-${randomBytes(24).toString("hex")}`;
+const e2eAuthSecret = process.env.PLAYWRIGHT_AUTH_SECRET ?? `capakraken-e2e-${randomBytes(24).toString("hex")}`;
 const manageWebEnvFile = process.env.PLAYWRIGHT_MANAGE_WEB_ENV_FILE === "true";
-const composeProjectName = `nexus-e2e-${process.pid}`;
+const composeProjectName = `capakraken-e2e-${process.pid}`;
 const managedEnvKeys = [
  "DATABASE_URL",
  "REDIS_URL",
@@ -29,7 +29,7 @@ const managedEnvKeys = [
  "NODE_ENV",
  "PORT",
 ];
-const e2eComposePrefix = "nexus-e2e-";
+const e2eComposePrefix = "capakraken-e2e-";

 function dockerComposeArgs(...args) {
  return ["compose", "-p", composeProjectName, ...args];
@@ -256,7 +256,7 @@ async function ensureE2eDatabaseContainer() {
    try {
      await runQuiet(
        "docker",
-        dockerComposeArgs("exec", "-T", "postgres-test", "pg_isready", "-U", "nexus", "-d", "nexus_test", "-q"),
+        dockerComposeArgs("exec", "-T", "postgres-test", "pg_isready", "-U", "capakraken", "-d", "capakraken_test", "-q"),
        workspaceRoot,
      );
      return;
@@ -360,7 +360,7 @@ process.env.PLAYWRIGHT_DATABASE_URL = playwrightDatabaseUrl;
 if (selectedTestDbPort !== undefined) {
  process.env.POSTGRES_TEST_PORT = String(selectedTestDbPort);
 }
-process.env.NEXUS_EXPECTED_DB_NAME = playwrightDatabaseName;
+process.env.CAPAKRAKEN_EXPECTED_DB_NAME = playwrightDatabaseName;
 process.env.ALLOW_DESTRUCTIVE_DB_TOOLS = "true";
 process.env.CONFIRM_DESTRUCTIVE_DB_NAME = playwrightDatabaseName;
 process.env.NODE_ENV = process.env.NODE_ENV ?? "development";
@@ -856,10 +856,10 @@ async function switchToResourceView(page: Page, readySelector?: string) {

 async function ensureOpenDemandVisibilityEnabled(page: Page) {
  await page.evaluate(() => {
-    const raw = window.localStorage.getItem("nexus_prefs");
+    const raw = window.localStorage.getItem("capakraken_prefs");
    const parsed = raw ? (JSON.parse(raw) as Record<string, unknown>) : {};
    window.localStorage.setItem(
-      "nexus_prefs",
+      "capakraken_prefs",
      JSON.stringify({
        ...parsed,
        showDemandProjects: true,
@@ -874,9 +874,9 @@ test.describe("Timeline", () => {

  test.beforeEach(async ({ page }) => {
    await page.addInitScript(() => {
-      localStorage.setItem("nexus_theme", JSON.stringify({ mode: "dark" }));
+      localStorage.setItem("capakraken_theme", JSON.stringify({ mode: "dark" }));
      localStorage.setItem(
-        "nexus_prefs",
+        "capakraken_prefs",
        JSON.stringify({
          hideCompletedProjects: true,
          timelineDisplayMode: "strip",
@@ -82,7 +82,7 @@ describe("GET /api/cron/auth-anomaly-check — cron secret enforcement", () => {
    const { GET } = await importRoute();
    const res = await GET(makeRequest());
    expect(res.status).toBe(401);
-  }, 15_000); // next/server cold-import can take >5s on the act runner
+  });

  it("proceeds when verifyCronSecret returns null (allowed)", async () => {
    verifyCronSecretMock.mockReturnValue(null);
@@ -450,7 +450,7 @@ function SidebarContent({
          {!sidebarCollapsed && (
            <div className="overflow-hidden">
              <h1 className="font-display text-xl font-semibold text-gray-900 dark:text-gray-50">
-                Nex<span className="text-brand-600">us</span>
+                Capa<span className="text-brand-600">Kraken</span>
              </h1>
              <p className="text-xs uppercase tracking-[0.18em] text-gray-500 dark:text-gray-400">
                Resource & Capacity Planning
@@ -984,7 +984,7 @@ export function AppShell({
              <HamburgerIcon />
            </button>
            <span className="ml-3 font-display text-sm font-semibold text-gray-900 dark:text-gray-50">
-              Nex<span className="text-brand-600">us</span>
+              Capa<span className="text-brand-600">Kraken</span>
            </span>
          </div>
          <PageTransition>{children}</PageTransition>
@@ -284,7 +284,7 @@ export function TimelineProvider({
      const d = new Date(sp);
      if (!isNaN(d.getTime())) return d;
    }
-    return addDays(today, -90);
+    return addDays(today, -30);
  });
  const [viewDays, setViewDays] = useState(() => {
    const sp = searchParams.get("days");
@@ -310,7 +310,7 @@ export function TimelineProvider({
        const d = new Date(spStart);
        if (!isNaN(d.getTime())) return d;
      }
-      return addDays(today, -90);
+      return addDays(today, -30);
    });

    const spDays = searchParams.get("days");
@@ -2,7 +2,7 @@

 import { clsx } from "clsx";
 import { useSession } from "next-auth/react";
-import { useCallback, useEffect, useLayoutEffect, useMemo, useRef, useState } from "react";
+import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { useAllocationHistory } from "~/hooks/useAllocationHistory.js";
 import { useProjectDragContext } from "~/hooks/useProjectDragContext.js";
 import { useTimelineDrag } from "~/hooks/useTimelineDrag.js";
@@ -685,70 +685,15 @@ function TimelineViewContent({
  const scrollRafRef = useRef<number | null>(null);
  const [scrollLeft, setScrollLeft] = useState(0);

-  // Pixels to add to scrollLeft after a left-extension re-render (prevents jump).
-  const pendingLeftCompensationPx = useRef(0);
-  // Flag: scroll viewport to today after the next viewStart-driven re-layout.
-  const pendingScrollToTodayRef = useRef(false);
-  // Guard reset on every real unmount (including Strict Mode fake-unmount) so the
-  // scroll-to-today fires correctly on remount.
-  const hasScrolledToTodayOnLoad = useRef(false);
-  useLayoutEffect(() => {
-    return () => {
-      hasScrolledToTodayOnLoad.current = false;
-    };
-  }, []);
-
-  // Scroll to today the first time the canvas is in the DOM (isInitialLoading → false).
-  // totalCanvasWidth is non-zero before data loads, so it can't be used as the trigger.
-  useLayoutEffect(() => {
-    if (isInitialLoading) return;
-    if (hasScrolledToTodayOnLoad.current) return;
-    const el = scrollContainerRef.current;
-    if (!el) return;
-    el.scrollLeft = toLeft(today);
-    hasScrolledToTodayOnLoad.current = true;
-  }, [isInitialLoading, toLeft, today]);
-
-  // Apply scroll compensation synchronously after the canvas grows (left-extend or Today button).
-  useLayoutEffect(() => {
-    const el = scrollContainerRef.current;
-    if (!el) return;
-    const px = pendingLeftCompensationPx.current;
-    if (px !== 0) {
-      el.scrollLeft += px;
-      pendingLeftCompensationPx.current = 0;
-    } else if (pendingScrollToTodayRef.current) {
-      el.scrollLeft = toLeft(today);
-      pendingScrollToTodayRef.current = false;
-    }
-  }, [viewStart, toLeft, today]);
-
-  // 5-year floor — no practical data exists further back; prevents runaway growth.
-  const minDate = useMemo(() => addDays(today, -(365 * 5)), [today]);
-
  // ─── Navigation callbacks for TimelineToolbar ────────────────────────────
  const handleNavigateBack = useCallback(
-    () =>
-      setViewStart((v) => {
-        const candidate = addDays(v, -28);
-        return candidate < minDate ? minDate : candidate;
-      }),
-    [setViewStart, minDate],
+    () => setViewStart((v) => addDays(v, -28)),
+    [setViewStart],
+  );
+  const handleNavigateToday = useCallback(
+    () => setViewStart(addDays(today, -30)),
+    [setViewStart, today],
  );
-  const handleNavigateToday = useCallback(() => {
-    const el = scrollContainerRef.current;
-    const todayMs = new Date(today).setHours(0, 0, 0, 0);
-    const vsMs = new Date(viewStart).setHours(0, 0, 0, 0);
-    const veMs = new Date(addDays(viewStart, viewDays)).setHours(0, 0, 0, 0);
-    if (todayMs >= vsMs && todayMs < veMs && el) {
-      // Today is in range — just scroll without touching state.
-      el.scrollLeft = toLeft(today);
-    } else {
-      // Today is out of range — reset the window and schedule a scroll.
-      pendingScrollToTodayRef.current = true;
-      setViewStart(addDays(today, -90));
-    }
-  }, [today, viewStart, viewDays, toLeft, setViewStart]);
  const handleNavigateForward = useCallback(
    () => setViewStart((v) => addDays(v, 28)),
    [setViewStart],
@@ -764,31 +709,10 @@ function TimelineViewContent({
  const handleContainerScroll = useCallback(() => {
    const el = scrollContainerRef.current;
    if (!el) return;
-
-    // Right-edge: extend future range
    const distanceFromRight = el.scrollWidth - el.scrollLeft - el.clientWidth;
    if (distanceFromRight < CELL_WIDTH * 40) {
      setViewDays((d) => d + 120);
    }
-
-    // Left-edge: prepend past range and compensate scroll position so viewport doesn't jump
-    if (el.scrollLeft < CELL_WIDTH * 40 && viewStart > minDate) {
-      const daysToPrepend = 120;
-      // Count the exact visible days (respecting showWeekends) being prepended
-      let prependedVisible = 0;
-      for (let i = 1; i <= daysToPrepend; i++) {
-        const d = addDays(viewStart, -i);
-        const dow = d.getDay();
-        if (filters.showWeekends || (dow !== 0 && dow !== 6)) prependedVisible++;
-      }
-      pendingLeftCompensationPx.current = prependedVisible * CELL_WIDTH;
-      setViewStart((v) => {
-        const candidate = addDays(v, -daysToPrepend);
-        return candidate < minDate ? minDate : candidate;
-      });
-      setViewDays((d) => d + daysToPrepend);
-    }
-
    scrollLeftRef.current = el.scrollLeft;
    if (scrollRafRef.current === null) {
      scrollRafRef.current = requestAnimationFrame(() => {
@@ -796,7 +720,7 @@ function TimelineViewContent({
        setScrollLeft(scrollLeftRef.current);
      });
    }
-  }, [CELL_WIDTH, setViewDays, viewStart, minDate, setViewStart, filters.showWeekends]);
+  }, [CELL_WIDTH, setViewDays]);

  // ─── Canvas mousemove — only forwards event when drag overlay is active ───
  const handleMouseMove = useCallback(
@@ -34,8 +34,8 @@ services:
    # REDIS_URL to the unique compose container names so resolution is
    # unambiguous regardless of attached networks.
    environment:
-      DATABASE_URL: postgresql://nexus:nexus_dev@nexus-postgres-1:5432/nexus
-      REDIS_URL: redis://nexus-redis-1:6379
+      DATABASE_URL: postgresql://capakraken:capakraken_dev@capakraken-postgres-1:5432/capakraken
+      REDIS_URL: redis://capakraken-redis-1:6379

 networks:
  gitea_gitea:
@@ -1,4 +1,4 @@
-name: nexus-prod
+name: capakraken-prod

 services:
  postgres:
@@ -7,8 +7,8 @@ services:
    ports:
      - "127.0.0.1:${POSTGRES_PORT:-5432}:5432"
    environment:
-      POSTGRES_DB: nexus
-      POSTGRES_USER: nexus
+      POSTGRES_DB: capakraken
+      POSTGRES_USER: capakraken
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}
    command: >
      postgres
@@ -18,9 +18,9 @@ services:
      -c log_line_prefix='%t [%p] %u@%d '
      -c log_min_duration_statement=1000
    volumes:
-      - nexus_prod_pgdata:/var/lib/postgresql/data
+      - capakraken_prod_pgdata:/var/lib/postgresql/data
    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U nexus -d nexus"]
+      test: ["CMD-SHELL", "pg_isready -U capakraken -d capakraken"]
      interval: 10s
      timeout: 5s
      retries: 5
@@ -34,7 +34,7 @@ services:
      - "127.0.0.1:${REDIS_PORT:-6379}:6379"
    command: redis-server --maxmemory 256mb --maxmemory-policy allkeys-lru --requirepass ${REDIS_PASSWORD}
    volumes:
-      - nexus_prod_redis:/data
+      - capakraken_prod_redis:/data
    healthcheck:
      test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD}", "--no-auth-warning", "ping"]
      interval: 10s
@@ -49,7 +49,7 @@ services:
    env_file:
      - .env.production
    environment:
-      DATABASE_URL: postgresql://nexus:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@postgres:5432/nexus
+      DATABASE_URL: postgresql://capakraken:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@postgres:5432/capakraken
      REDIS_URL: redis://:${REDIS_PASSWORD}@redis:6379
      RATE_LIMIT_BACKEND: ${RATE_LIMIT_BACKEND:-redis}
    depends_on:
@@ -67,7 +67,7 @@ services:
    env_file:
      - .env.production
    environment:
-      DATABASE_URL: postgresql://nexus:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@postgres:5432/nexus
+      DATABASE_URL: postgresql://capakraken:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@postgres:5432/capakraken
      REDIS_URL: redis://:${REDIS_PASSWORD}@redis:6379
      RATE_LIMIT_BACKEND: ${RATE_LIMIT_BACKEND:-redis}
      NEXT_PUBLIC_SENTRY_DSN: ${NEXT_PUBLIC_SENTRY_DSN:-}
@@ -84,7 +84,7 @@ services:
      start_period: 30s

 volumes:
-  nexus_prod_pgdata:
-    name: nexus_prod_pgdata
-  nexus_prod_redis:
-    name: nexus_prod_redis
+  capakraken_prod_pgdata:
+    name: capakraken_prod_pgdata
+  capakraken_prod_redis:
+    name: capakraken_prod_redis
@@ -1,4 +1,4 @@
-name: nexus
+name: capakraken

 services:
  postgres:
@@ -6,8 +6,8 @@ services:
    ports:
      - "5433:5432"
    environment:
-      POSTGRES_DB: nexus
-      POSTGRES_USER: nexus
+      POSTGRES_DB: capakraken
+      POSTGRES_USER: capakraken
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env (any non-empty value for local dev)}
    command: >
      postgres
@@ -17,9 +17,9 @@ services:
      -c log_line_prefix='%t [%p] %u@%d '
      -c log_min_duration_statement=1000
    volumes:
-      - nexus_pgdata:/var/lib/postgresql/data
+      - capakraken_pgdata:/var/lib/postgresql/data
    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U nexus -d nexus"]
+      test: ["CMD-SHELL", "pg_isready -U capakraken -d capakraken"]
      interval: 5s
      timeout: 3s
      retries: 5
@@ -61,7 +61,7 @@ services:
      # Always use the Docker-internal service name. The host-level DATABASE_URL
      # (localhost:5433) must not bleed into the container where "localhost" is
      # the container itself, not the host.
-      DATABASE_URL: postgresql://nexus:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@postgres:5432/nexus
+      DATABASE_URL: postgresql://capakraken:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@postgres:5432/capakraken
      REDIS_URL: redis://redis:6379
      NEXTAUTH_URL: ${NEXTAUTH_URL:?NEXTAUTH_URL must be set (e.g. https://your-domain.com)}
      NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:?set NEXTAUTH_SECRET}
@@ -90,9 +90,9 @@ services:
    volumes:
      - .:/app
      # Named volumes mask the bind-mount for generated/installed artefacts.
-      # Named (not anonymous) so they can be selectively removed: docker volume rm nexus_node_modules
-      - nexus_node_modules:/app/node_modules
-      - nexus_next:/app/apps/web/.next
+      # Named (not anonymous) so they can be selectively removed: docker volume rm capakraken_node_modules
+      - capakraken_node_modules:/app/node_modules
+      - capakraken_next:/app/apps/web/.next
    profiles:
      - full

@@ -101,18 +101,18 @@ services:
    ports:
      - "${POSTGRES_TEST_PORT:-5434}:5432"
    environment:
-      POSTGRES_DB: nexus_test
-      POSTGRES_USER: nexus
-      POSTGRES_PASSWORD: nexus_test
+      POSTGRES_DB: capakraken_test
+      POSTGRES_USER: capakraken
+      POSTGRES_PASSWORD: capakraken_test
    tmpfs:
      - /var/lib/postgresql/data
    profiles:
      - test

 volumes:
-  nexus_pgdata:
-    name: nexus_pgdata
-  nexus_node_modules:
-    name: nexus_node_modules
-  nexus_next:
-    name: nexus_next
+  capakraken_pgdata:
+    name: capakraken_pgdata
+  capakraken_node_modules:
+    name: capakraken_node_modules
+  capakraken_next:
+    name: capakraken_next
@@ -1,5 +1,5 @@
-# Nexus nginx Security Hardening
-# Apply to the server block for nexus.hartmut-noerenberg.com
+# CapaKraken nginx Security Hardening
+# Apply to the server block for capakraken.hartmut-noerenberg.com
 #
 # References:
 #   - EAPPS 3.3.1.3.04 (Server Header entfernen)
@@ -113,5 +113,5 @@ log_format security '$remote_addr - $remote_user [$time_local] '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time';

-access_log /var/log/nginx/nexus_access.log security;
-error_log /var/log/nginx/nexus_error.log warn;
+access_log /var/log/nginx/capakraken_access.log security;
+error_log /var/log/nginx/capakraken_error.log warn;
@@ -20,7 +20,7 @@
    "check:imports": "node ./scripts/check-workspace-imports.mjs",
    "worktree:hygiene": "node ./scripts/worktree-hygiene.mjs",
    "clean:next": "node ./scripts/clean-next-artifacts.mjs",
-    "db:doctor": "node ./scripts/db-doctor.mjs nexus",
+    "db:doctor": "node ./scripts/db-doctor.mjs capakraken",
    "db:prisma": "node ./scripts/prisma-with-env.mjs",
    "db:push": "node ./scripts/prisma-with-env.mjs db push",
    "db:migrate": "node ./scripts/prisma-with-env.mjs migrate dev",
@@ -7,14 +7,12 @@ vi.mock("../lib/audit.js", () => ({
 vi.mock("../router/assistant-approvals.js", () => ({
  clearPendingAssistantApproval: vi.fn().mockResolvedValue(undefined),
  consumePendingAssistantApproval: vi.fn(),
-  toApprovalPayload: vi.fn(
-    (approval: { id: string; toolName: string; summary: string }, status: string) => ({
-      id: approval.id,
-      toolName: approval.toolName,
-      summary: approval.summary,
-      status,
-    }),
-  ),
+  toApprovalPayload: vi.fn((approval: { id: string; toolName: string; summary: string }, status: string) => ({
+    id: approval.id,
+    toolName: approval.toolName,
+    summary: approval.summary,
+    status,
+  })),
 }));

 vi.mock("../router/assistant-confirmation.js", () => ({
@@ -41,10 +39,16 @@ import {
  clearPendingAssistantApproval,
  consumePendingAssistantApproval,
 } from "../router/assistant-approvals.js";
-import { canExecuteMutationTool, isCancellationReply } from "../router/assistant-confirmation.js";
+import {
+  canExecuteMutationTool,
+  isCancellationReply,
+} from "../router/assistant-confirmation.js";
 import { buildAssistantInsight } from "../router/assistant-insights.js";
 import { handlePendingAssistantApproval } from "../router/assistant-chat-response.js";
-import { readToolError, readToolSuccessMessage } from "../router/assistant-tool-results.js";
+import {
+  readToolError,
+  readToolSuccessMessage,
+} from "../router/assistant-tool-results.js";
 import { executeTool } from "../router/assistant-tools.js";

 function createPendingApproval() {
@@ -53,16 +57,14 @@ function createPendingApproval() {
    userId: "user_1",
    conversationId: "conv_1",
    toolName: "create_project",
-    toolArguments: '{"name":"Apollo"}',
+    toolArguments: "{\"name\":\"Apollo\"}",
    summary: "create project (name=Apollo)",
    createdAt: Date.now(),
    expiresAt: Date.now() + 60_000,
  };
 }

-function createHandleInput(
-  overrides: Partial<Parameters<typeof handlePendingAssistantApproval>[0]> = {},
-) {
+function createHandleInput(overrides: Partial<Parameters<typeof handlePendingAssistantApproval>[0]> = {}) {
  return {
    db: {} as never,
    dbUserId: "user_1",
@@ -79,10 +81,7 @@ function createHandleInput(
    pendingApproval: createPendingApproval(),
    lastUserMessage: { role: "user" as const, content: "ja" },
    messages: [
-      {
-        role: "assistant" as const,
-        content: "__NEXUS_CONFIRM__ create project (name=Apollo). Bitte bestätigen.",
-      },
+      { role: "assistant" as const, content: "__CAPAKRAKEN_CONFIRM__ create project (name=Apollo). Bitte bestätigen." },
      { role: "user" as const, content: "ja" },
    ],
    collectedActions: [],
@@ -104,11 +103,9 @@ describe("assistant pending approval handling", () => {
  it("cancels pending approvals when the user aborts", async () => {
    vi.mocked(isCancellationReply).mockReturnValue(true);

-    const result = await handlePendingAssistantApproval(
-      createHandleInput({
-        lastUserMessage: { role: "user", content: "nein, abbrechen" },
-      }),
-    );
+    const result = await handlePendingAssistantApproval(createHandleInput({
+      lastUserMessage: { role: "user", content: "nein, abbrechen" },
+    }));

    expect(result).toMatchObject({
      response: {
@@ -130,7 +127,7 @@ describe("assistant pending approval handling", () => {
      summary: "create project (name=Apollo, status=DRAFT)",
    } as never);
    vi.mocked(executeTool).mockResolvedValue({
-      content: '{"message":"Projekt Apollo angelegt"}',
+      content: "{\"message\":\"Projekt Apollo angelegt\"}",
      data: { message: "Projekt Apollo angelegt" },
      action: { type: "refresh" },
    } as never);
@@ -151,35 +148,29 @@ describe("assistant pending approval handling", () => {
          status: "approved",
        },
        actions: [{ type: "refresh" }],
-        insights: [
-          {
-            kind: "holiday_region",
-            title: "Berlin",
-          },
-        ],
+        insights: [{
+          kind: "holiday_region",
+          title: "Berlin",
+        }],
      },
    });
    expect(executeTool).toHaveBeenCalledWith(
      "create_project",
-      '{"name":"Apollo"}',
+      "{\"name\":\"Apollo\"}",
      expect.objectContaining({ userId: "user_1" }),
    );
-    expect(createAuditEntry).toHaveBeenCalledWith(
-      expect.objectContaining({
-        entityName: "create_project",
-        summary: "AI executed previously approved tool: create_project",
-      }),
-    );
+    expect(createAuditEntry).toHaveBeenCalledWith(expect.objectContaining({
+      entityName: "create_project",
+      summary: "AI executed previously approved tool: create_project",
+    }));
  });

  it("does nothing when the user reply is not a valid confirmation", async () => {
    vi.mocked(canExecuteMutationTool).mockReturnValue(false);

-    const result = await handlePendingAssistantApproval(
-      createHandleInput({
-        lastUserMessage: { role: "user", content: "vielleicht" },
-      }),
-    );
+    const result = await handlePendingAssistantApproval(createHandleInput({
+      lastUserMessage: { role: "user", content: "vielleicht" },
+    }));

    expect(result).toBeNull();
    expect(consumePendingAssistantApproval).not.toHaveBeenCalled();
@@ -105,10 +105,10 @@ describe("RBAC cache Redis pub/sub (#57)", () => {

    // Simulate a peer instance publishing an invalidation: grab any
    // subscriber on the channel and fire the event as if Redis delivered it.
-    const subs = channelSubscribers.get("nexus:rbac-invalidate");
+    const subs = channelSubscribers.get("capakraken:rbac-invalidate");
    expect(subs).toBeDefined();
    expect(subs!.size).toBeGreaterThanOrEqual(1);
-    for (const sub of subs!) sub.emit("message", "nexus:rbac-invalidate", "1");
+    for (const sub of subs!) sub.emit("message", "capakraken:rbac-invalidate", "1");

    // Next load must hit the DB again.
    await loadRoleDefaults();
@@ -126,6 +126,6 @@ describe("RBAC cache Redis pub/sub (#57)", () => {

    const newPublishes = publishCalls.slice(countBefore);
    expect(newPublishes.length).toBe(1);
-    expect(newPublishes[0]!.channel).toBe("nexus:rbac-invalidate");
+    expect(newPublishes[0]!.channel).toBe("capakraken:rbac-invalidate");
  });
 });
@@ -24,7 +24,7 @@ describe("assertWebhookUrlAllowed — SSRF guard", () => {

  it("allows an HTTPS URL with a path and query string", async () => {
    await expect(
-      assertWebhookUrlAllowed("https://hooks.external.io/events?source=nexus"),
+      assertWebhookUrlAllowed("https://hooks.external.io/events?source=capakraken"),
    ).resolves.toBeUndefined();
  });

@@ -22,15 +22,15 @@ export function getAppBaseUrl(): string {
  if (process.env["NODE_ENV"] === "production") {
    throw new Error(
      "NEXTAUTH_URL must be set in production — email links will contain localhost otherwise. " +
-        "Set it to the public URL of this app (e.g. https://nexus.example.com).",
+      "Set it to the public URL of this app (e.g. https://capakraken.example.com).",
    );
  }

  if (!warned) {
    warned = true;
    console.warn(
-      "[nexus] NEXTAUTH_URL is not set — falling back to http://localhost:3100 for email links. " +
-        "Set NEXTAUTH_URL in your .env to suppress this warning.",
+      "[capakraken] NEXTAUTH_URL is not set — falling back to http://localhost:3100 for email links. " +
+      "Set NEXTAUTH_URL in your .env to suppress this warning.",
    );
  }

@@ -44,13 +44,13 @@ const redactConfig = { paths: REDACT_PATHS, censor: "[REDACTED]" };
 export const logger = isProduction
  ? pino({
      level: LOG_LEVEL,
-      base: { service: "nexus-api" },
+      base: { service: "capakraken-api" },
      redact: redactConfig,
    })
  : pino(
      {
        level: LOG_LEVEL,
-        base: { service: "nexus-api" },
+        base: { service: "capakraken-api" },
        redact: redactConfig,
        formatters: {
          level(label: string) {
@@ -31,7 +31,7 @@ type RateLimiterBackend = {
  reset: () => Promise<void>;
 };

-const DEFAULT_REDIS_KEY_PREFIX = "nexus:ratelimit";
+const DEFAULT_REDIS_KEY_PREFIX = "capakraken:ratelimit";
 const DEFAULT_REDIS_BACKEND = process.env["RATE_LIMIT_BACKEND"] as RateLimitBackendMode | undefined;
 const DEFAULT_REDIS_URL = process.env["REDIS_URL"]?.trim();
 const warnedRedisFailures = new Set<string>();
@@ -201,7 +201,7 @@ const REDIS_URL =
    : (() => {
        throw new Error("REDIS_URL required in production");
      })());
-const CHANNEL = "nexus:sse";
+const CHANNEL = "capakraken:sse";

 let publisher: Redis | null = null;
 let subscriber: Redis | null = null;
@@ -42,7 +42,7 @@ const ROLE_DEFAULTS_TTL = 10_000;
 // We publish a single invalidate message per change; every node subscribes and
 // clears its local cache on receipt. Failure to publish/subscribe is logged
 // but never thrown — the TTL above is the fall-back.
-const RBAC_INVALIDATE_CHANNEL = "nexus:rbac-invalidate";
+const RBAC_INVALIDATE_CHANNEL = "capakraken:rbac-invalidate";

 let _rbacPublisher: Redis | null = null;
 let _rbacSubscriber: Redis | null = null;
@@ -8,7 +8,7 @@
    "./client": "./src/client.ts"
  },
  "scripts": {
-    "db:doctor": "node ../../scripts/db-doctor.mjs nexus",
+    "db:doctor": "node ../../scripts/db-doctor.mjs capakraken",
    "db:push": "node ../../scripts/prisma-with-env.mjs db push --schema ./prisma/schema.prisma",
    "db:migrate": "node ../../scripts/prisma-with-env.mjs migrate dev --schema ./prisma/schema.prisma",
    "db:migrate:deploy": "node ../../scripts/prisma-with-env.mjs migrate deploy --schema ./prisma/schema.prisma",
@@ -1,4 +1,4 @@
-// Nexus — Prisma Schema
+// CapaKraken — Prisma Schema
 // All monetary values stored as integer cents to avoid float precision issues.

 generator client {
@@ -22,34 +22,34 @@ test.afterEach(() => {
  process.env = { ...ORIGINAL_ENV };
 });

-test("assertDestructiveDbAllowed allows an explicitly confirmed disposable nexus test database", () => {
+test("assertDestructiveDbAllowed allows an explicitly confirmed disposable capakraken test database", () => {
  setEnv({
-    DATABASE_URL: "postgresql://tester:secret@localhost:5432/nexus_test",
+    DATABASE_URL: "postgresql://tester:secret@localhost:5432/capakraken_test",
    ALLOW_DESTRUCTIVE_DB_TOOLS: "true",
-    CONFIRM_DESTRUCTIVE_DB_NAME: "nexus_test",
+    CONFIRM_DESTRUCTIVE_DB_NAME: "capakraken_test",
  });

  const target = assertDestructiveDbAllowed({
    commandName: "db:test",
-    allowedDatabaseNames: ["nexus_test"],
+    allowedDatabaseNames: ["capakraken_test"],
  });

-  assert.equal(target.databaseName, "nexus_test");
+  assert.equal(target.databaseName, "capakraken_test");
  assert.equal(target.hostname, "localhost");
 });

 test("assertDestructiveDbAllowed rejects protected live database names even if allowlisted", () => {
  setEnv({
-    DATABASE_URL: "postgresql://tester:secret@localhost:5432/nexus",
+    DATABASE_URL: "postgresql://tester:secret@localhost:5432/capakraken",
    ALLOW_DESTRUCTIVE_DB_TOOLS: "true",
-    CONFIRM_DESTRUCTIVE_DB_NAME: "nexus",
+    CONFIRM_DESTRUCTIVE_DB_NAME: "capakraken",
  });

  assert.throws(
    () =>
      assertDestructiveDbAllowed({
        commandName: "db:test",
-        allowedDatabaseNames: ["nexus"],
+        allowedDatabaseNames: ["capakraken"],
      }),
    /explicitly protected/u,
  );
@@ -57,7 +57,7 @@ test("assertDestructiveDbAllowed rejects protected live database names even if a

 test("assertDestructiveDbAllowed rejects missing confirmation", () => {
  setEnv({
-    DATABASE_URL: "postgresql://tester:secret@localhost:5432/nexus_e2e",
+    DATABASE_URL: "postgresql://tester:secret@localhost:5432/capakraken_e2e",
    ALLOW_DESTRUCTIVE_DB_TOOLS: "true",
    CONFIRM_DESTRUCTIVE_DB_NAME: "wrong_db",
  });
@@ -66,24 +66,24 @@ test("assertDestructiveDbAllowed rejects missing confirmation", () => {
    () =>
      assertDestructiveDbAllowed({
        commandName: "db:test",
-        allowedDatabaseNames: ["nexus_e2e"],
+        allowedDatabaseNames: ["capakraken_e2e"],
      }),
-    /CONFIRM_DESTRUCTIVE_DB_NAME=nexus_e2e/u,
+    /CONFIRM_DESTRUCTIVE_DB_NAME=capakraken_e2e/u,
  );
 });

 test("assertDestructiveDbAllowed rejects missing destructive allow flag", () => {
  setEnv({
-    DATABASE_URL: "postgresql://tester:secret@localhost:5432/nexus_ci",
+    DATABASE_URL: "postgresql://tester:secret@localhost:5432/capakraken_ci",
    ALLOW_DESTRUCTIVE_DB_TOOLS: undefined,
-    CONFIRM_DESTRUCTIVE_DB_NAME: "nexus_ci",
+    CONFIRM_DESTRUCTIVE_DB_NAME: "capakraken_ci",
  });

  assert.throws(
    () =>
      assertDestructiveDbAllowed({
        commandName: "db:test",
-        allowedDatabaseNames: ["nexus_ci"],
+        allowedDatabaseNames: ["capakraken_ci"],
      }),
    /ALLOW_DESTRUCTIVE_DB_TOOLS=true/u,
  );
@@ -99,19 +99,19 @@ test("assertSafeSeedTarget rejects unexpected legacy disposable databases", () =
  assert.throws(() => assertSafeSeedTarget("db:seed"), /not in the destructive-tool allowlist/u);
 });

-test("assertNexusDbTarget accepts non-destructive nexus targets", () => {
+test("assertNexusDbTarget accepts non-destructive capakraken targets", () => {
  setEnv({
-    DATABASE_URL: "postgresql://tester:secret@localhost:5432/nexus_dev",
+    DATABASE_URL: "postgresql://tester:secret@localhost:5432/capakraken_dev",
  });

  const target = assertNexusDbTarget("db:seed:holidays");

-  assert.equal(target.databaseName, "nexus_dev");
+  assert.equal(target.databaseName, "capakraken_dev");
 });

-test("assertNexusDbTarget rejects legacy non-nexus targets", () => {
+test("assertNexusDbTarget rejects legacy non-capakraken targets", () => {
  setEnv({
-    DATABASE_URL: "postgresql://tester:secret@localhost:5432/legacy_non_nexus",
+    DATABASE_URL: "postgresql://tester:secret@localhost:5432/legacy_non_capakraken",
  });

  assert.throws(() => assertNexusDbTarget("db:seed:holidays"), /not a valid Nexus target/u);
@@ -6,7 +6,7 @@ interface DestructiveGuardOptions {
  requireConfirmation?: boolean;
 }

-const PROTECTED_DATABASE_NAMES = new Set(["nexus"]);
+const PROTECTED_DATABASE_NAMES = new Set(["capakraken"]);

 export function parseDatabaseUrl(rawUrl: string) {
  const parsed = new URL(rawUrl);
@@ -157,7 +157,7 @@ async function main() {
  const options = parseArgs(process.argv.slice(2));
  const target = assertDestructiveDbAllowed({
    commandName: "db:reset:dispo",
-    allowedDatabaseNames: ["nexus_test", "nexus_e2e", "nexus_ci"],
+    allowedDatabaseNames: ["capakraken_test", "capakraken_e2e", "capakraken_ci"],
  });
  const databaseUrl = process.env.DATABASE_URL;

@@ -4,7 +4,7 @@ import {
  parseDatabaseUrl,
 } from "./destructive-db-guard.js";

-const TEST_DATABASE_NAMES = ["nexus_test", "nexus_e2e", "nexus_ci"];
+const TEST_DATABASE_NAMES = ["capakraken_test", "capakraken_e2e", "capakraken_ci"];

 export function assertSafeSeedTarget(commandName: string) {
  return assertDestructiveDbAllowed({
@@ -24,7 +24,7 @@ export function assertNexusDbTarget(commandName: string) {

  const target = parseDatabaseUrl(rawUrl);

-  if (!target.databaseName.startsWith("nexus")) {
+  if (!target.databaseName.startsWith("capakraken")) {
    throw new Error(
      `${commandName} aborted: database '${target.databaseName}' is not a valid Nexus target. Target=${formatTarget(target)}`,
    );
@@ -2372,7 +2372,7 @@ async function main() {
      .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
      .join(" ");

-    const email = `${eid}@nexus.example`;
+    const email = `${eid}@capakraken.example`;
    const lcrCents = Math.round(lcr * 100);
    const ucrCents = Math.round(ucr * 100);
    const availability = computeAvailability(fraction, availDays);
@@ -23,7 +23,7 @@ function toDisplayName(eid) {
 }

 function toEmail(eid) {
-  return `${eid}@nexus.example`;
+  return `${eid}@capakraken.example`;
 }

 function computeSkillLabel(chapter, typeOfWork) {
@@ -150,7 +150,7 @@ async function main() {
    {
      col: 15, // O
      header: "Email\n(generated)",
-      doc: "Generated email: firstname.lastname@nexus.example. Required unique field in Nexus. Replace with real email in production.",
+      doc: "Generated email: firstname.lastname@capakraken.example. Required unique field in Nexus. Replace with real email in production.",
    },
    {
      col: 16, // P
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# restart.sh — Rebuild the Nexus app container from scratch.
+# restart.sh — Rebuild the CapaKraken app container from scratch.
 #
 # When to use:
 #   - After changing pnpm-lock.yaml (new/removed dependencies)
@@ -40,7 +40,7 @@ docker compose --profile "$PROFILE" stop app 2>/dev/null || true

 if $CLEAN; then
  echo "==> Removing stale node_modules and .next volumes..."
-  docker volume rm nexus_node_modules nexus_next 2>/dev/null || true
+  docker volume rm capakraken_node_modules capakraken_next 2>/dev/null || true
 fi

 echo "==> Rebuilding and starting ($( [[ -z "$SERVICES" ]] && echo "all services" || echo "$SERVICES" ))..."
@@ -5,9 +5,9 @@
 import { createRequire } from "module";
 import { writeFileSync, mkdirSync } from "fs";
 const require = createRequire(import.meta.url);
-const XLSX = require("/home/hartmut/Documents/Copilot/nexus/node_modules/.pnpm/xlsx@0.18.5/node_modules/xlsx/xlsx.js");
+const XLSX = require("/home/hartmut/Documents/Copilot/capakraken/node_modules/.pnpm/xlsx@0.18.5/node_modules/xlsx/xlsx.js");

-const OUT_DIR = "/home/hartmut/Documents/Copilot/nexus/samples/skillmatrix_dummydata";
+const OUT_DIR = "/home/hartmut/Documents/Copilot/capakraken/samples/skillmatrix_dummydata";
 mkdirSync(OUT_DIR, { recursive: true });

 // ─── Skill Definitions ─────────────────────────────────────────────────────
@@ -719,7 +719,7 @@ export const rules = [
    ],
    forbidden: [
      {
-        pattern: /pnpm --filter @nexus\/db exec prisma generate/,
+        pattern: /pnpm --filter @capakraken\/db exec prisma generate/,
        message: "CI must not call prisma generate directly outside the workspace wrapper",
      },
    ],
@@ -4,7 +4,7 @@ export function formatDatabaseTarget(parsedUrl, databaseName) {
  return `${parsedUrl.protocol}//${decodeURIComponent(parsedUrl.username)}@${parsedUrl.hostname}${parsedUrl.port ? `:${parsedUrl.port}` : ""}/${databaseName}`;
 }

-export function inspectDatabaseUrl(rawUrl, expectedDatabase = "nexus") {
+export function inspectDatabaseUrl(rawUrl, expectedDatabase = "capakraken") {
  if (!rawUrl) {
    throw new Error("DATABASE_URL is not configured.");
  }
@@ -82,5 +82,5 @@ export function shouldGuardPrismaCommand(args) {
 }

 export function getExpectedDatabaseName() {
-  return process.env.NEXUS_EXPECTED_DB_NAME?.trim() || "nexus";
+  return process.env.CAPAKRAKEN_EXPECTED_DB_NAME?.trim() || "capakraken";
 }
@@ -6,21 +6,21 @@ import {
 } from "./db-target-guard.mjs";

 describe("db target guard", () => {
-  it("accepts the expected nexus database target", () => {
+  it("accepts the expected capakraken database target", () => {
    const result = inspectDatabaseUrl(
-      "postgresql://nexus:secret@localhost:5432/nexus",
-      "nexus",
+      "postgresql://capakraken:secret@localhost:5432/capakraken",
+      "capakraken",
    );

-    assert.equal(result.databaseName, "nexus");
-    assert.equal(result.expectedDatabase, "nexus");
-    assert.equal(result.target, "postgresql://nexus@localhost:5432/nexus");
+    assert.equal(result.databaseName, "capakraken");
+    assert.equal(result.expectedDatabase, "capakraken");
+    assert.equal(result.target, "postgresql://capakraken@localhost:5432/capakraken");
  });

  it("rejects a mismatched database target", () => {
    assert.throws(
-      () => inspectDatabaseUrl("postgresql://nexus:secret@localhost:5432/planarchy", "nexus"),
-      /Unexpected database target 'planarchy'\. Expected 'nexus'\./,
+      () => inspectDatabaseUrl("postgresql://capakraken:secret@localhost:5432/planarchy", "capakraken"),
+      /Unexpected database target 'planarchy'\. Expected 'capakraken'\./,
    );
  });

@@ -10,8 +10,8 @@
 *   node scripts/export-dev-seed.mjs
 *
 * Requirements:
- *   - The nexus-postgres-1 Docker container must be running
- *   - DATABASE_URL must point to a local nexus database
+ *   - The capakraken-postgres-1 Docker container must be running
+ *   - DATABASE_URL must point to a local capakraken database
 */

 import { execSync, spawnSync } from "node:child_process";
@@ -48,7 +48,7 @@ if (!["localhost", "127.0.0.1", "::1"].includes(host)) {

 // ── Docker container check ────────────────────────────────────────────────────

-const CONTAINER = "nexus-postgres-1";
+const CONTAINER = "capakraken-postgres-1";
 const containerCheck = spawnSync("docker", ["inspect", "--format={{.State.Running}}", CONTAINER], {
  encoding: "utf8",
 });
@@ -83,8 +83,8 @@ const excludeFlags = EXCLUDE_TABLES.flatMap((t) => ["--exclude-table-data", `pub

 // ── Run pg_dump inside the Docker container ───────────────────────────────────

-const DB_USER = decodeURIComponent(parsedUrl.username) || "nexus";
-const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "nexus";
+const DB_USER = decodeURIComponent(parsedUrl.username) || "capakraken";
+const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "capakraken";
 const DB_PORT = parsedUrl.port || "5432";

 console.log(`🔍  Exporting ${DB_USER}@${host}:${DB_PORT}/${DB_NAME} …`);
@@ -2,8 +2,8 @@
 # Remove SUPERUSER from the application database user
 # Run after initial setup: bash scripts/harden-postgres.sh

-DB_USER="${DB_USER:-nexus}"
-DB_NAME="${DB_NAME:-nexus}"
+DB_USER="${DB_USER:-capakraken}"
+DB_NAME="${DB_NAME:-capakraken}"

 echo "Hardening PostgreSQL for $DB_USER..."

@@ -10,8 +10,8 @@
 *   node scripts/import-dev-seed.mjs
 *
 * Requirements:
- *   - The nexus-postgres-1 Docker container must be running
- *   - DATABASE_URL must point to a local nexus database
+ *   - The capakraken-postgres-1 Docker container must be running
+ *   - DATABASE_URL must point to a local capakraken database
 *   - dev-seed.sql must exist (run export-dev-seed.mjs first)
 */

@@ -46,13 +46,13 @@ if (!["localhost", "127.0.0.1", "::1"].includes(host)) {
  process.exit(1);
 }

-const DB_USER = decodeURIComponent(parsedUrl.username) || "nexus";
-const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "nexus";
+const DB_USER = decodeURIComponent(parsedUrl.username) || "capakraken";
+const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "capakraken";
 const DB_PORT = parsedUrl.port || "5432";

 // ── Docker container check ────────────────────────────────────────────────────

-const CONTAINER = "nexus-postgres-1";
+const CONTAINER = "capakraken-postgres-1";
 const containerCheck = spawnSync("docker", ["inspect", "--format={{.State.Running}}", CONTAINER], {
  encoding: "utf8",
 });
@@ -27,7 +27,7 @@ if (shouldGuardPrismaCommand(prismaArgs)) {
  } catch (error) {
    console.error(error instanceof Error ? error.message : String(error));
    console.error("Refusing to run Prisma against an unexpected database target.");
-    console.error("Use the repo env files for Nexus, or set NEXUS_EXPECTED_DB_NAME explicitly if you intentionally target another database.");
+    console.error("Use the repo env files for Nexus, or set CAPAKRAKEN_EXPECTED_DB_NAME explicitly if you intentionally target another database.");
    process.exit(1);
  }
 }
@@ -2,7 +2,7 @@
 set -euo pipefail
 cd "$(dirname "$0")/.."

-echo "Restarting Nexus..."
+echo "Restarting CapaKraken..."
 echo ""

 # Stop
@@ -5,7 +5,7 @@ cd "$(dirname "$0")/.."
 APP_PORT="${APP_PORT:-3100}"
 APP_CONTAINER="${APP_CONTAINER:-$(docker compose --profile full ps -q app 2>/dev/null | head -1)}"

-echo "Starting Nexus..."
+echo "Starting CapaKraken..."

 # 1. Start Docker services
 echo "  Starting PostgreSQL + Redis..."
@@ -15,7 +15,7 @@ sleep 2
 # 2. Wait for PostgreSQL to be healthy
 echo "  Waiting for PostgreSQL..."
 for i in {1..30}; do
-  if docker compose exec -T postgres pg_isready -U nexus -d nexus -q 2>/dev/null; then
+  if docker compose exec -T postgres pg_isready -U capakraken -d capakraken -q 2>/dev/null; then
    break
  fi
  sleep 1
@@ -34,7 +34,7 @@ echo "  Waiting for server (up to 90s)..."
 for i in {1..90}; do
  if curl -sf "http://localhost:${APP_PORT}/api/health" > /dev/null 2>&1; then
    echo ""
-    echo "Nexus is running!"
+    echo "CapaKraken is running!"
    curl -s "http://localhost:${APP_PORT}/api/ready" | python3 -m json.tool 2>/dev/null || curl -s "http://localhost:${APP_PORT}/api/ready"
    echo ""
    echo "  URL: http://localhost:${APP_PORT}"
@@ -2,7 +2,7 @@
 set -euo pipefail
 cd "$(dirname "$0")/.."

-echo "Stopping Nexus..."
+echo "Stopping CapaKraken..."

 # 1. Stop any legacy local dev server
 if [ -f /tmp/nexus-dev.pid ]; then
@@ -28,4 +28,4 @@ echo "  Stopping app, PostgreSQL and Redis..."
 docker compose --profile full stop app postgres redis 2>/dev/null || true

 echo ""
-echo "Nexus stopped."
+echo "CapaKraken stopped."
@@ -9,7 +9,7 @@ import {
 function createGitStub(statusOutput) {
  return (args) => {
    if (args[0] === "rev-parse" && args[1] === "--show-toplevel") {
-      return "/tmp/nexus\n";
+      return "/tmp/capakraken\n";
    }
    if (args[0] === "rev-parse" && args[1] === "--abbrev-ref") {
      return "main\n";
@@ -1,5 +1,5 @@
-APP_IMAGE=ghcr.io/example/nexus-app:sha-abc123
-MIGRATOR_IMAGE=ghcr.io/example/nexus-migrator:sha-abc123
+APP_IMAGE=ghcr.io/example/capakraken-app:sha-abc123
+MIGRATOR_IMAGE=ghcr.io/example/capakraken-migrator:sha-abc123
 APP_HOST_PORT=3000
 GHCR_USERNAME=
 GHCR_TOKEN=
@@ -1,167 +0,0 @@
-#!/usr/bin/env bash
-#
-# Phase 3 cutover: migrate the running stack from `capakraken` (DB, role,
-# volumes, compose project) to `nexus`. Intended to be run inside a brief
-# maintenance window — the app is stopped for the duration.
-#
-# Idempotency: each step checks the current state. Re-running after a
-# partial run only does the missing pieces. The script never DROPS the
-# legacy `capakraken` DB or role — that's a manual decision after a
-# stability window.
-#
-# Usage:
-#   ./tooling/migrate/rename-to-nexus.sh dev       # against docker-compose.yml
-#   ./tooling/migrate/rename-to-nexus.sh prod      # against docker-compose.prod.yml
-#
-# Requires:
-#   - POSTGRES_PASSWORD set in env (or .env file picked up by docker compose)
-#   - docker compose CLI v2+
-#   - the `nexus` branch of code already checked out (compose files reference nexus_*)
-
-set -euo pipefail
-
-MODE="${1:-dev}"
-case "$MODE" in
-  dev)
-    COMPOSE_FILE=docker-compose.yml
-    OLD_PROJECT=capakraken
-    NEW_PROJECT=nexus
-    VOLUMES=(pgdata node_modules next)
-    ;;
-  prod)
-    COMPOSE_FILE=docker-compose.prod.yml
-    OLD_PROJECT=capakraken-prod
-    NEW_PROJECT=nexus-prod
-    VOLUMES=(prod_pgdata prod_redis)
-    ;;
-  *)
-    echo "Usage: $0 [dev|prod]" >&2
-    exit 2
-    ;;
-esac
-
-if [ -z "${POSTGRES_PASSWORD:-}" ]; then
-  echo "POSTGRES_PASSWORD must be set in the environment." >&2
-  exit 2
-fi
-
-DUMP_FILE="/tmp/capakraken-pre-rename-$(date +%Y%m%d-%H%M%S).sql"
-
-echo "=== Phase 3 cutover ($MODE) ==="
-echo "compose: $COMPOSE_FILE  project: $OLD_PROJECT → $NEW_PROJECT  dump: $DUMP_FILE"
-echo
-
-#───────────────────────────────────────────────────────────────────────────────
-# 1. Stop the app (DB stays up so we can dump it).
-#───────────────────────────────────────────────────────────────────────────────
-echo "[1/7] Stopping app container under old project name..."
-docker compose -p "$OLD_PROJECT" -f "$COMPOSE_FILE" stop app 2>/dev/null || true
-
-#───────────────────────────────────────────────────────────────────────────────
-# 2. Capture row counts for verification.
-#───────────────────────────────────────────────────────────────────────────────
-echo "[2/7] Capturing pre-rename row counts..."
-PRE_COUNTS=$(docker compose -p "$OLD_PROJECT" -f "$COMPOSE_FILE" exec -T postgres \
-  psql -U capakraken -d capakraken -t -c \
-  "SELECT relname, n_live_tup FROM pg_stat_user_tables ORDER BY relname;")
-echo "$PRE_COUNTS" | head -20
-echo "..."
-
-#───────────────────────────────────────────────────────────────────────────────
-# 3. Dump existing DB.
-#───────────────────────────────────────────────────────────────────────────────
-echo "[3/7] pg_dump capakraken → $DUMP_FILE..."
-docker compose -p "$OLD_PROJECT" -f "$COMPOSE_FILE" exec -T postgres \
-  pg_dump -U capakraken -d capakraken --clean --if-exists > "$DUMP_FILE"
-echo "Dump size: $(du -h "$DUMP_FILE" | cut -f1)"
-
-#───────────────────────────────────────────────────────────────────────────────
-# 4. Create new role + DB inside the running postgres container.
-#───────────────────────────────────────────────────────────────────────────────
-echo "[4/7] Creating nexus role + database..."
-docker compose -p "$OLD_PROJECT" -f "$COMPOSE_FILE" exec -T postgres \
-  psql -U capakraken -d postgres <<SQL
-DO \$\$
-BEGIN
-  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname='nexus') THEN
-    CREATE ROLE nexus LOGIN PASSWORD '${POSTGRES_PASSWORD}';
-  END IF;
-END
-\$\$;
-
-SELECT 'CREATE DATABASE nexus OWNER nexus'
-WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname='nexus')
-\gexec
-SQL
-
-#───────────────────────────────────────────────────────────────────────────────
-# 5. Restore into new DB.
-#───────────────────────────────────────────────────────────────────────────────
-echo "[5/7] Restoring dump into nexus DB..."
-# Replace OWNER directives so restored objects belong to `nexus`.
-sed 's/OWNER TO capakraken/OWNER TO nexus/g' "$DUMP_FILE" | \
-  docker compose -p "$OLD_PROJECT" -f "$COMPOSE_FILE" exec -T postgres \
-  psql -U nexus -d nexus
-
-#───────────────────────────────────────────────────────────────────────────────
-# 6. Volume rename (offline copy).
-#───────────────────────────────────────────────────────────────────────────────
-echo "[6/7] Stopping old project and copying volumes..."
-docker compose -p "$OLD_PROJECT" -f "$COMPOSE_FILE" down --remove-orphans
-
-for v in "${VOLUMES[@]}"; do
-  src="${OLD_PROJECT//-/_}_${v}"
-  dst="${NEW_PROJECT//-/_}_${v}"
-  # Skip dev-mode app overlays (node_modules / next) — they regenerate on startup.
-  if [ "$MODE" = "dev" ] && { [ "$v" = "node_modules" ] || [ "$v" = "next" ]; }; then
-    echo "  Skipping $v (regenerated on next boot)"
-    continue
-  fi
-  if ! docker volume inspect "$src" >/dev/null 2>&1; then
-    echo "  Source volume $src missing — skip"
-    continue
-  fi
-  if docker volume inspect "$dst" >/dev/null 2>&1; then
-    echo "  Destination volume $dst already exists — skip"
-    continue
-  fi
-  echo "  $src → $dst"
-  docker volume create "$dst" >/dev/null
-  docker run --rm \
-    -v "${src}:/from:ro" \
-    -v "${dst}:/to" \
-    alpine sh -c "cd /from && cp -a . /to/"
-done
-
-#───────────────────────────────────────────────────────────────────────────────
-# 7. Bring up under new compose project name.
-#───────────────────────────────────────────────────────────────────────────────
-echo "[7/7] Starting stack under new project name '$NEW_PROJECT'..."
-PROFILE=""
-[ "$MODE" = "dev" ] && PROFILE="--profile full"
-# shellcheck disable=SC2086
-docker compose -p "$NEW_PROJECT" -f "$COMPOSE_FILE" $PROFILE up -d
-
-echo
-echo "Waiting 15s for postgres to be ready..."
-sleep 15
-
-echo "=== Verification ==="
-POST_COUNTS=$(docker compose -p "$NEW_PROJECT" -f "$COMPOSE_FILE" exec -T postgres \
-  psql -U nexus -d nexus -t -c \
-  "SELECT relname, n_live_tup FROM pg_stat_user_tables ORDER BY relname;")
-echo "Post-rename row counts (sample):"
-echo "$POST_COUNTS" | head -20
-
-if diff <(echo "$PRE_COUNTS") <(echo "$POST_COUNTS") >/dev/null; then
-  echo "✓ Row counts match — migration verified."
-else
-  echo "⚠  Row counts differ — review diff:"
-  diff <(echo "$PRE_COUNTS") <(echo "$POST_COUNTS") | head
-fi
-
-echo
-echo "Done. Old DB+role retained for rollback. Dump kept at $DUMP_FILE."
-echo "After a stability window, drop with:"
-echo "  docker compose -p $NEW_PROJECT -f $COMPOSE_FILE exec postgres psql -U nexus -d postgres \\"
-echo "    -c 'DROP DATABASE capakraken; DROP ROLE capakraken;'"
				`@@ -1 +0,0 @@`
				`{"sessionId":"aed37e34-4be8-4788-b03a-7145d9b4b2ce","pid":3544538,"procStart":"34480817","acquiredAt":1779373227101}`