feat(tier2): day-of check-in — Block H

QR codes on RSVP confirmations, a phone-friendly door scanner, walk-in
support, and a live arrivals widget that updates over WebSocket. Closes
the final Tier 2 block.

Schema (migration 0013)
- check_ins (id, guest_id UNIQUE, checked_in_at, checked_in_by,
  arrival_count, notes, walk_in). UNIQUE on guest_id is the
  double-check-in guard at the DB layer; signature validation lives
  in the QR JWT.

QR JWT
- internal/auth/checkin_qr.go: CheckInQRSigner mints {event_id,
  guest_id, exp} payloads with the platform's existing HMAC secret.
  Issue() extends expiry to eventDate+24h so a QR minted weeks in
  advance still scans on the day. Parse() distinguishes
  ErrExpiredJWT from generic ErrInvalidJWT so the API can render a
  friendlier 410.
- Unit tests cover round-trip, wrong-secret rejection, expiry
  detection, and short-secret refusal at construction time.

Domain + storage
- domain.CheckIn + CheckInSummary
- storage.CheckInRepo: Record (returns ErrAlreadyCheckedIn on the
  unique violation), ListByEvent, Summary (arrived headcount,
  expected headcount, guests-checked-in count), GuestBelongsToEvent
  (belt-and-braces guard against a forged JWT pointing at a
  different event's guest).

API
- GET /access/{token} now embeds a check_in payload (raw JWT + a
  base64-encoded PNG via skip2/go-qrcode) for attending RSVPs, so
  the confirmation page can render the code straight into an <img>.
- POST /events/{id}/check-in — editor+. Validates the QR JWT,
  refuses cross-event payloads (400), refuses expired ones (410),
  records the row, broadcasts check_in.recorded over the existing
  WS hub so the live dashboard updates.
- POST /events/{id}/walk-ins — editor+. Creates the guest + check-in
  in one logical op for a door-add who wasn't on the original list.
- GET /events/{id}/check-ins — viewer+. Returns the list and the
  summary together so the dashboard widget hydrates in one call.

Frontend
- New CheckInCard.vue: live arrivals widget ("47 of 60 · 78%" plus
  a progress bar), recent-arrivals list, Walk-in button, and a
  "Start scanning" button that opens a full-screen camera modal.
  jsQR loaded from CDN on first open (no bundler dep). Scan
  throttling + dedupe prevents the 30fps camera loop from POSTing
  N times per paper QR. Successful scan vibrates the phone.
  Duplicate (409) → "Already checked in" toast; expired (410) →
  "This code has expired"; foreign-event (400) → "doesn't look
  like one of your guests".
- New "Check-in" tab on the event-detail page, between
  Communications and Branding.
- RSVP confirmation card + revisit card both surface a "Save for
  the day" / "Your door code" QR block for attending guests. The
  PNG ships pre-rendered from the API so the frontend doesn't need
  its own QR library.
- The submit flow now refetches /access after a successful POST so
  the QR appears immediately on first submit, not just on revisit.

Tests
- Backend unit tests for the QR signer (round-trip, wrong-secret,
  expired, short-secret rejection).
- Integration: TestCheckInHappyPath (scan -> 200, double-scan ->
  409, summary reflects arrival), TestCheckInRejectsForeignQR
  (event A's JWT can't be used on event B), TestWalkInCreatesGuest
  AndCheckIn (door-add creates both rows).
- Full integration suite passes (188.3s, 41 tests / 80+ subtests).

Tier 2 is complete: Blocks A through H all shipped.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/api/server.go

@@ -43,6 +43,7 @@ type Server struct {
 	uploads   *uploadHandler
 	security  *securityHandler
 	messages  *messageHandler
+	checkIns  *checkInHandler
 }
 
 type ServerDeps struct {
@@ -105,6 +106,16 @@ func NewServer(deps ServerDeps) (*Server, error) {
 	allowlistRepo := storage.NewAllowlistRepo(deps.DB)
 	editNonces := newEditNonceStore(deps.Redis)
 	messageRepo := storage.NewMessageRepo(deps.DB)
+	checkInRepo := storage.NewCheckInRepo(deps.DB)
+
+	// Tier 2 Block H — QR JWT signer reuses the platform's JWT secret
+	// so production secrets management already covers it. TTL=6h is the
+	// minimum lifetime; Issue() extends to eventDate+24h on demand so
+	// codes minted weeks in advance still scan on the day.
+	checkInQRSigner, err := auth.NewCheckInQRSigner(deps.JWTSecret, deps.JWTIssuer, 6*time.Hour)
+	if err != nil {
+		return nil, err
+	}
 	feedbackRepo := storage.NewFeedbackRepo(deps.DB)
 
 	// Branding image store. Empty UploadsDir leaves it nil and the upload
@@ -199,6 +210,7 @@ func NewServer(deps ServerDeps) (*Server, error) {
 			branding:      brandingRepo,
 			editNonces:    editNonces,
 			emails:        emails,
+			checkInQR:     checkInQRSigner,
 			gen:           auth.NewGenerator(),
 			ttl:           deps.TokenTTL,
 			pub:           deps.AccessPublisher,
@@ -283,6 +295,15 @@ func NewServer(deps ServerDeps) (*Server, error) {
 			collabs: collabRepo,
 			repo:    messageRepo,
 		},
+		checkIns: &checkInHandler{
+			logger:   deps.Logger,
+			events:   eventRepo,
+			guests:   guestRepo,
+			collabs:  collabRepo,
+			repo:     checkInRepo,
+			qrSigner: checkInQRSigner,
+			hub:      hub,
+		},
 		collabs: &collaboratorHandler{
 			logger:        deps.Logger,
 			events:        eventRepo,
@@ -414,6 +435,14 @@ func (s *Server) Handler() http.Handler {
 	mux.Handle("DELETE /events/{id}/messages/{message_id}",
 		authed(http.HandlerFunc(s.messages.cancel)))
 
+	// Block H — day-of check-in.
+	mux.Handle("POST /events/{id}/check-in",
+		authed(rl("checkin_record", 1000, time.Hour, userIDKey, http.HandlerFunc(s.checkIns.record))))
+	mux.Handle("POST /events/{id}/walk-ins",
+		authed(rl("checkin_walk_in", 500, time.Hour, userIDKey, http.HandlerFunc(s.checkIns.walkIn))))
+	mux.Handle("GET /events/{id}/check-ins",
+		authed(http.HandlerFunc(s.checkIns.list)))
+
 	// Block D — event branding. Reads are viewer+; PUT is editor+. The
 	// upload endpoint is gated by auth only (any signed-in user can mint
 	// an image URL; the URL is no use without an event they can edit