Hartmut
4a5edeef3e
- @capakraken/* → @nexus/* across 12 packages (root + 11 workspaces),
1551 import lines migrated via codemod
- User-visible brand strings renamed (emails, page titles, PWA
manifest, mobile header, MFA backup-codes header, tooltips, signin
page, invite page, weekly digest, install prompt)
- TOTP issuer "CapaKraken" → "Nexus" (existing secrets still valid;
re-enrollment relabels them in users' authenticator apps)
- Function rename: assertCapaKrakenDbTarget → assertNexusDbTarget
- LocalStorage migration shim in apps/web/src/app/layout.tsx copies
capakraken_* → nexus_* on first load (guarded by nexus_migrated_v1
sentinel; runs once per browser, then never again)
- Service-worker cache name capakraken-v2 → nexus-v2 with one-time
caches.delete('capakraken-v2') from the same shim
- Email-domain fixtures @capakraken.{dev,app} → @nexus.{dev,app} in
seed data, e2e specs, SMTP default fallback
- Dockerfile.dev / Dockerfile.prod / all .github/workflows/*.yml
pnpm --filter @capakraken/* → @nexus/*
- README, CLAUDE.md, LEARNINGS.md, all docs/*.md, .env.example,
tooling/deploy/.env.production.example brand sweep
Phase 1 deliberately leaves untouched (handled in Phase 3 cutover):
- PostgreSQL DB name "capakraken" and POSTGRES_USER "capakraken"
- Volume names capakraken_pgdata etc.
- Compose project name "capakraken" / "capakraken-prod"
- db-target-guard default expectedDatabase
- env-var CAPAKRAKEN_EXPECTED_DB_NAME
- Container DNS names in docker-compose.ci.yml
Quality gates green: pnpm typecheck (7/7), pnpm test:unit (7/7),
pnpm lint (0 errors), check:exports/imports/architecture all pass.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
4.8 KiB
Nexus CI/CD Manual
Overview
This is the operational runbook for the canonical Nexus delivery path:
- CI validates every PR.
- Every push to
mainpublishes immutable release images. - Staging deploys one
sha-<commit>tag. - Production promotes the same tag.
- The host never builds application code from Git.
1. CI Gate
The merge gate is ci.yml.
It covers:
- architecture guardrails
- typecheck
- lint
- unit tests
- build
- E2E
Before merging, all required checks must pass.
Useful local commands:
pnpm --filter @nexus/web exec tsc --project tsconfig.typecheck.json --noEmit
pnpm lint
pnpm test:unit
pnpm --filter @nexus/web exec next build
2. Image Release
release-image.yml runs automatically on every push to main.
It publishes:
ghcr.io/<owner>/<repo>-app:sha-<commit>ghcr.io/<owner>/<repo>-migrator:sha-<commit>
The workflow is also callable manually if a rebuild or tag override is needed.
3. Host Bootstrap
Each deploy target should have a dedicated directory such as /opt/nexus containing:
docker-compose.prod.yml
.env.production
deploy.env
tooling/deploy/deploy-compose.sh
Use these examples from the repo:
Important host-side rules:
- keep
RATE_LIMIT_BACKEND=redis - keep runtime secrets in
.env.productionor the platform secret layer - do not rotate runtime secrets through admin settings
- ensure the host can pull from
ghcr.io
Generate a secure NEXTAUTH_SECRET with:
openssl rand -base64 32
4. Staging Deployment
Standard path:
- merge to
main - wait for release-image.yml to publish
sha-<commit> - run deploy-staging.yml with that tag
The workflow uploads:
- docker-compose.prod.yml
- tooling/deploy
- a short-lived
deploy.env
On the host, deploy-compose.sh:
- validates the rendered compose file
- pulls
APP_IMAGEandMIGRATOR_IMAGE - starts PostgreSQL and Redis
- runs Prisma migrations with the
migratorimage - starts the app
- waits for
GET /api/ready
5. Production Promotion
After staging is accepted:
- run deploy-prod.yml
- use the exact same
sha-<commit>tag - verify
GET /api/ready
Production must promote the already-tested image, not rebuild from source.
6. Manual Host Dry Run
If you need to verify the host outside GitHub Actions:
cp tooling/deploy/.env.production.example .env.production
cp tooling/deploy/deploy.env.example deploy.env
# fill in real secrets and image refs first
set -a
. ./deploy.env
set +a
bash tooling/deploy/deploy-compose.sh staging
7. Health Endpoints
GET /api/health
Process liveness only. Use it for coarse uptime checks.
GET /api/ready
Checks PostgreSQL and Redis connectivity. Use it for deploy readiness and traffic admission.
For deploys, /api/ready is the source of truth.
8. Rollback
Rollback is image-based:
- choose the previous healthy
sha-<commit> - rerun the staging or production deploy workflow with that tag
- confirm
GET /api/ready
Schema changes still need expand-and-contract discipline for rollback safety.
9. Troubleshooting
CI failure
Run the failing command locally:
pnpm --filter @nexus/web exec tsc --project tsconfig.typecheck.json --noEmit
pnpm lint
pnpm test:unit
pnpm --filter @nexus/web exec next build
Deploy fails before container start
Check the rendered compose configuration on the host:
docker compose -f docker-compose.prod.yml config -q
Then verify .env.production and deploy.env.
App never becomes ready
Check:
docker compose -f docker-compose.prod.yml ps
docker compose -f docker-compose.prod.yml logs --tail 200 app
curl -s http://127.0.0.1:${APP_HOST_PORT:-3000}/api/ready
Database migration failure
Inspect the migrator logs:
docker compose -f docker-compose.prod.yml run --rm migrator
Registry pull failure
Verify GHCR_USERNAME and GHCR_TOKEN, then test:
printf '%s\n' "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin