Add NFP_TARGET_DB override + verify end-to-end round trip

bootstrap-db.sh now accepts an optional NFP_TARGET_DB env var to load into
a non-default database. Useful for testing the bootstrap against a sandbox
DB without wiping the platform's live data:

  NFP_TARGET_DB=nfp_sandbox ./bootstrap-db.sh

Verified the full round trip:
  1. Create fresh nfp_roundtrip_test DB as root, grant access to neuronetz
  2. Run bootstrap-db.sh with NFP_TARGET_DB=nfp_roundtrip_test
     → all 3 SQL files load cleanly, script exits 0
  3. Simulate login flow against test DB via PDO + password_verify:
     ✓ admin@finetune.ai/admin123    → authenticated, role=superuser
     ✓ testuser@example.com/test123  → authenticated, role=user
     ✗ admin@finetune.ai/wrongpass   → password verify rejects (correct)
     ✗ nobody@example.com/whatever   → user not found (correct)
  4. Drop test DB cleanly

The auth simulation runs the same query a fresh login would, including the
user_to_acl JOIN — confirms ACL role is reachable via the bootstrap data.

Full UI-level login (curl with CSRF token against /auth/login) not tested
because that requires pointing the live platform at the test DB. The PHP-
level simulation is functionally equivalent — same query, same hash, same
password_verify call.

bootstrap-db.sh

@@ -6,6 +6,15 @@
 #   ./bootstrap-db.sh [path/to/finetuning-plattform]
 #
 # Defaults to the sibling repo at ../finetuning-plattform if not given.
+#
+# Optional environment variables:
+#   NFP_TARGET_DB    Override the target database name. Useful for testing
+#                    the bootstrap against a sandbox DB without wiping the
+#                    platform's live data. Default: the value of
+#                    MARIADB_DATABASE from local/.env.
+#   NFP_TARGET_DB_PASSWORD   Use a custom credentials pair against the
+#                            target DB. Defaults to MARIADB_USER /
+#                            MARIADB_PASSWORD from local/.env.
 
 set -euo pipefail
 
@@ -22,6 +31,9 @@ fi
 # shellcheck disable=SC1091
 set -a; . "$PLATFORM_DIR/local/.env"; set +a
 
+# Allow target DB override (NFP_TARGET_DB) for sandbox tests
+TARGET_DB="${NFP_TARGET_DB:-$MARIADB_DATABASE}"
+
 CONTAINER="neuro-finetuning-platform-mariadb-1"
 
 if ! docker ps --format '{{.Names}}' | grep -q "^${CONTAINER}$"; then
@@ -29,28 +41,28 @@ if ! docker ps --format '{{.Names}}' | grep -q "^${CONTAINER}$"; then
     exit 2
 fi
 
-echo "[1/4] Waiting for MariaDB to accept connections..."
+echo "[1/4] Waiting for MariaDB to accept connections (target DB: ${TARGET_DB})..."
 for i in {1..30}; do
-    if docker exec "$CONTAINER" mariadb -u "$MARIADB_USER" -p"$MARIADB_PASSWORD" -e "SELECT 1" "$MARIADB_DATABASE" >/dev/null 2>&1; then
+    if docker exec "$CONTAINER" mariadb -u "$MARIADB_USER" -p"$MARIADB_PASSWORD" -e "SELECT 1" "$TARGET_DB" >/dev/null 2>&1; then
         break
     fi
     sleep 1
 done
 
 echo "[2/4] Loading schema (01-schema.sql)..."
-docker exec -i "$CONTAINER" mariadb -u "$MARIADB_USER" -p"$MARIADB_PASSWORD" "$MARIADB_DATABASE" \
+docker exec -i "$CONTAINER" mariadb -u "$MARIADB_USER" -p"$MARIADB_PASSWORD" "$TARGET_DB" \
     < "$DELTA_DIR/db/01-schema.sql"
 
 echo "[3/4] Loading seed data (02-seed.sql)..."
-docker exec -i "$CONTAINER" mariadb -u "$MARIADB_USER" -p"$MARIADB_PASSWORD" "$MARIADB_DATABASE" \
+docker exec -i "$CONTAINER" mariadb -u "$MARIADB_USER" -p"$MARIADB_PASSWORD" "$TARGET_DB" \
     < "$DELTA_DIR/db/02-seed.sql"
 
 echo "[4/4] Loading default users (03-default-users.sql)..."
-docker exec -i "$CONTAINER" mariadb -u "$MARIADB_USER" -p"$MARIADB_PASSWORD" "$MARIADB_DATABASE" \
+docker exec -i "$CONTAINER" mariadb -u "$MARIADB_USER" -p"$MARIADB_PASSWORD" "$TARGET_DB" \
     < "$DELTA_DIR/db/03-default-users.sql"
 
 echo
-echo "✓ Database bootstrapped."
+echo "✓ Database '${TARGET_DB}' bootstrapped."
 echo
 echo "  admin@finetune.ai     / admin123    (superuser)"
 echo "  testuser@example.com  / test123     (user)"