feat(tier2): editable RSVPs — Block A

Guests can revisit their invitation link and change their response
or plus-ones up to 5 times. Each prior state is snapshotted into
`rsvp_revisions` and surfaced to the host via a per-guest history
modal on the event detail page.

- Migration 0007 adds rsvp_revisions + rsvps.edit_count (with down)
- RSVPRepo.Update wraps snapshot+update+counter in one transaction,
  FOR UPDATE-locking the row so concurrent edits can't bypass the cap
- PATCH /rsvp/{token} re-runs the fraud check on every edit attempt
  (different device on an edit is itself a signal)
- POST /rsvp no longer marks the token used — the link stays valid
  so the guest can come back to edit
- GET /access/{token} now embeds the existing RSVP so the frontend
  renders an edit form instead of a blank submit form on revisit
- New host endpoint GET /events/{id}/guests/{guest_id}/rsvp/history
- Frontend: rsvp/[token].vue toggles between summary + edit form,
  surfaces edits-remaining; dashboard adds a "History" action on
  responded guests opening a revision-trail modal

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/api/rsvps.go

@@ -9,6 +9,8 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/google/uuid"
+
 	"github.com/alchemistkay/guestguard/internal/auth"
 	"github.com/alchemistkay/guestguard/internal/domain"
 	"github.com/alchemistkay/guestguard/internal/fraud"
@@ -43,51 +45,24 @@ type submitRSVPRequest struct {
 }
 
 type submitRSVPResponse struct {
-	RSVP      *domain.RSVP   `json:"rsvp"`
-	Decision  fraud.Decision `json:"fraud"`
-	Blocked   bool           `json:"blocked"`
+	RSVP     *domain.RSVP   `json:"rsvp"`
+	Decision fraud.Decision `json:"fraud"`
+	Blocked  bool           `json:"blocked"`
+	Edited   bool           `json:"edited"`
 }
 
 // POST /rsvp/{token} — synchronous fraud check + RSVP recording.
 func (h *rsvpHandler) submit(w http.ResponseWriter, r *http.Request) {
-	raw := r.PathValue("token")
-	if err := auth.ValidateFormat(raw); err != nil {
-		writeError(w, http.StatusBadRequest, "malformed token")
+	tk, ok := h.loadValidToken(w, r)
+	if !ok {
 		return
 	}
-
-	tk, err := h.tokens.GetByHash(r.Context(), auth.HashToken(raw))
-	if err != nil {
-		if errors.Is(err, domain.ErrTokenNotFound) {
-			writeError(w, http.StatusNotFound, "token not found")
-			return
-		}
-		writeError(w, http.StatusInternalServerError, "failed to load token")
+	req, ok := decodeSubmitRSVP(w, r)
+	if !ok {
 		return
 	}
-	if err := tk.IsValid(time.Now().UTC()); err != nil {
-		writeError(w, http.StatusGone, err.Error())
-		return
-	}
-
-	var req submitRSVPRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		writeError(w, http.StatusBadRequest, "invalid json")
-		return
-	}
-	resp := domain.RSVPResponse(req.Response)
-	if !resp.Valid() {
-		writeError(w, http.StatusBadRequest, "response must be attending|declined|maybe")
-		return
-	}
-	if req.PlusOnes < 0 {
-		writeError(w, http.StatusBadRequest, "plus_ones must be >= 0")
-		return
-	}
-
-	guest, err := h.guests.Get(r.Context(), tk.GuestID)
-	if err != nil {
-		writeError(w, http.StatusInternalServerError, "failed to load guest")
+	guest, event, ok := h.loadGuestEvent(w, r, tk.GuestID)
+	if !ok {
 		return
 	}
 	if req.PlusOnes > guest.PlusOnes {
@@ -95,13 +70,246 @@ func (h *rsvpHandler) submit(w http.ResponseWriter, r *http.Request) {
 			fmt.Sprintf("you may bring up to %d plus-one(s)", guest.PlusOnes))
 		return
 	}
-	event, err := h.events.Get(r.Context(), guest.EventID)
-	if err != nil {
-		writeError(w, http.StatusInternalServerError, "failed to load event")
+
+	decision, fingerprint, ip, ok := h.scoreAccess(w, r, event, guest, tk, req.Fingerprint)
+	if !ok {
 		return
 	}
 
-	fingerprint := mergeFingerprint(req.Fingerprint, collectFingerprint(r))
+	score := decision.Score
+	rsvp, err := h.rsvps.Create(r.Context(), storage.CreateRSVPParams{
+		GuestID:           guest.ID,
+		Response:          req.Resp,
+		PlusOnes:          req.PlusOnes,
+		DietaryNotes:      req.DietaryNotes,
+		DeviceFingerprint: fingerprint,
+		IPAddress:         ip,
+		RiskScore:         &score,
+	})
+	if err != nil {
+		if errors.Is(err, domain.ErrRSVPAlreadySubmitted) {
+			// Tier 2 Block A: guests edit an existing RSVP via PATCH. Tell
+			// the client to switch endpoints rather than swallowing the
+			// retry silently.
+			writeError(w, http.StatusConflict, "rsvp already submitted — use PATCH to edit")
+			return
+		}
+		h.logger.Error("create rsvp", "err", err, "guest_id", guest.ID)
+		writeError(w, http.StatusInternalServerError, "failed to record rsvp")
+		return
+	}
+
+	// Block A: we intentionally do NOT mark the token used here any more.
+	// The token must remain valid so the guest can come back to the same
+	// link and edit their response.
+
+	h.publishRSVPConfirmed(event.ID, guest.ID, rsvp, &score)
+
+	writeJSON(w, http.StatusCreated, submitRSVPResponse{
+		RSVP:     rsvp,
+		Decision: decision,
+		Blocked:  false,
+		Edited:   false,
+	})
+}
+
+// PATCH /rsvp/{token} — revise an existing RSVP. Same fraud check as POST.
+// The prior state is snapshotted into rsvp_revisions inside Update; edits
+// past MaxRSVPEdits return 429.
+func (h *rsvpHandler) edit(w http.ResponseWriter, r *http.Request) {
+	tk, ok := h.loadValidToken(w, r)
+	if !ok {
+		return
+	}
+	req, ok := decodeSubmitRSVP(w, r)
+	if !ok {
+		return
+	}
+	guest, event, ok := h.loadGuestEvent(w, r, tk.GuestID)
+	if !ok {
+		return
+	}
+	if req.PlusOnes > guest.PlusOnes {
+		writeError(w, http.StatusBadRequest,
+			fmt.Sprintf("you may bring up to %d plus-one(s)", guest.PlusOnes))
+		return
+	}
+
+	decision, fingerprint, ip, ok := h.scoreAccess(w, r, event, guest, tk, req.Fingerprint)
+	if !ok {
+		return
+	}
+
+	score := decision.Score
+	rsvp, err := h.rsvps.Update(r.Context(), storage.UpdateRSVPParams{
+		GuestID:           guest.ID,
+		Response:          req.Resp,
+		PlusOnes:          req.PlusOnes,
+		DietaryNotes:      req.DietaryNotes,
+		DeviceFingerprint: fingerprint,
+		IPAddress:         ip,
+		RiskScore:         &score,
+	})
+	if err != nil {
+		switch {
+		case errors.Is(err, domain.ErrRSVPNotFound):
+			writeError(w, http.StatusNotFound, "no rsvp to edit — submit first")
+		case errors.Is(err, domain.ErrRSVPEditLimitReached):
+			writeError(w, http.StatusTooManyRequests,
+				fmt.Sprintf("edit limit reached (%d edits)", domain.MaxRSVPEdits))
+		default:
+			h.logger.Error("update rsvp", "err", err, "guest_id", guest.ID)
+			writeError(w, http.StatusInternalServerError, "failed to update rsvp")
+		}
+		return
+	}
+
+	h.publishRSVPConfirmed(event.ID, guest.ID, rsvp, &score)
+
+	writeJSON(w, http.StatusOK, submitRSVPResponse{
+		RSVP:     rsvp,
+		Decision: decision,
+		Blocked:  false,
+		Edited:   true,
+	})
+}
+
+type rsvpHistoryResponse struct {
+	RSVP      *domain.RSVP          `json:"rsvp"`
+	Revisions []domain.RSVPRevision `json:"revisions"`
+}
+
+// GET /events/{id}/guests/{guest_id}/rsvp/history — host view of the
+// current RSVP plus every prior revision newest-first.
+func (h *rsvpHandler) history(w http.ResponseWriter, r *http.Request) {
+	hostID, ok := hostFromContext(w, r)
+	if !ok {
+		return
+	}
+	eventID, ok := parseIDParam(w, r, "id")
+	if !ok {
+		return
+	}
+	guestID, ok := parseIDParam(w, r, "guest_id")
+	if !ok {
+		return
+	}
+	if _, ok := requireEventOwner(w, r, h.events, eventID, hostID); !ok {
+		return
+	}
+
+	guest, err := h.guests.Get(r.Context(), guestID)
+	if err != nil {
+		if errors.Is(err, domain.ErrGuestNotFound) {
+			writeError(w, http.StatusNotFound, "guest not found")
+			return
+		}
+		writeError(w, http.StatusInternalServerError, "failed to load guest")
+		return
+	}
+	if guest.EventID != eventID {
+		writeError(w, http.StatusNotFound, "guest not found in event")
+		return
+	}
+
+	rsvp, err := h.rsvps.GetByGuest(r.Context(), guestID)
+	if err != nil {
+		if errors.Is(err, domain.ErrRSVPNotFound) {
+			writeJSON(w, http.StatusOK, rsvpHistoryResponse{Revisions: []domain.RSVPRevision{}})
+			return
+		}
+		writeError(w, http.StatusInternalServerError, "failed to load rsvp")
+		return
+	}
+
+	revisions, err := h.rsvps.ListRevisions(r.Context(), rsvp.ID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to load revisions")
+		return
+	}
+	writeJSON(w, http.StatusOK, rsvpHistoryResponse{RSVP: rsvp, Revisions: revisions})
+}
+
+// --- shared helpers ---
+
+type decodedRSVPRequest struct {
+	Resp         domain.RSVPResponse
+	PlusOnes     int
+	DietaryNotes *string
+	Fingerprint  map[string]any
+}
+
+func decodeSubmitRSVP(w http.ResponseWriter, r *http.Request) (decodedRSVPRequest, bool) {
+	var req submitRSVPRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid json")
+		return decodedRSVPRequest{}, false
+	}
+	resp := domain.RSVPResponse(req.Response)
+	if !resp.Valid() {
+		writeError(w, http.StatusBadRequest, "response must be attending|declined|maybe")
+		return decodedRSVPRequest{}, false
+	}
+	if req.PlusOnes < 0 {
+		writeError(w, http.StatusBadRequest, "plus_ones must be >= 0")
+		return decodedRSVPRequest{}, false
+	}
+	return decodedRSVPRequest{
+		Resp:         resp,
+		PlusOnes:     req.PlusOnes,
+		DietaryNotes: req.DietaryNotes,
+		Fingerprint:  req.Fingerprint,
+	}, true
+}
+
+func (h *rsvpHandler) loadValidToken(w http.ResponseWriter, r *http.Request) (*domain.Token, bool) {
+	raw := r.PathValue("token")
+	if err := auth.ValidateFormat(raw); err != nil {
+		writeError(w, http.StatusBadRequest, "malformed token")
+		return nil, false
+	}
+	tk, err := h.tokens.GetByHash(r.Context(), auth.HashToken(raw))
+	if err != nil {
+		if errors.Is(err, domain.ErrTokenNotFound) {
+			writeError(w, http.StatusNotFound, "token not found")
+			return nil, false
+		}
+		writeError(w, http.StatusInternalServerError, "failed to load token")
+		return nil, false
+	}
+	if err := tk.IsValid(time.Now().UTC()); err != nil {
+		writeError(w, http.StatusGone, err.Error())
+		return nil, false
+	}
+	return tk, true
+}
+
+func (h *rsvpHandler) loadGuestEvent(w http.ResponseWriter, r *http.Request, guestID uuid.UUID) (*domain.Guest, *domain.Event, bool) {
+	guest, err := h.guests.Get(r.Context(), guestID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to load guest")
+		return nil, nil, false
+	}
+	event, err := h.events.Get(r.Context(), guest.EventID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to load event")
+		return nil, nil, false
+	}
+	return guest, event, true
+}
+
+// scoreAccess logs the access attempt, scores it, and short-circuits with a
+// 403 on a BLOCK decision. Returns the decision and the merged fingerprint /
+// IP so the caller can persist them on the RSVP row.
+func (h *rsvpHandler) scoreAccess(
+	w http.ResponseWriter,
+	r *http.Request,
+	event *domain.Event,
+	guest *domain.Guest,
+	tk *domain.Token,
+	clientFP map[string]any,
+) (fraud.Decision, map[string]any, string, bool) {
+	fingerprint := mergeFingerprint(clientFP, collectFingerprint(r))
 	ip := clientIP(r)
 
 	accessLogID, err := h.accessLogs.Create(r.Context(), storage.CreateAccessLogParams{
@@ -124,39 +332,20 @@ func (h *rsvpHandler) submit(w http.ResponseWriter, r *http.Request) {
 		UserAgent:   r.UserAgent(),
 		Referrer:    r.Referer(),
 	})
-
 	if fraud.IsBlock(decision) {
 		writeJSON(w, http.StatusForbidden, submitRSVPResponse{
 			Decision: decision,
 			Blocked:  true,
 		})
+		return decision, nil, "", false
+	}
+	return decision, fingerprint, ip, true
+}
+
+func (h *rsvpHandler) publishRSVPConfirmed(eventID, guestID uuid.UUID, rsvp *domain.RSVP, score *int) {
+	if h.pub == nil {
 		return
 	}
-
-	score := decision.Score
-	rsvp, err := h.rsvps.Create(r.Context(), storage.CreateRSVPParams{
-		GuestID:           guest.ID,
-		Response:          resp,
-		PlusOnes:          req.PlusOnes,
-		DietaryNotes:      req.DietaryNotes,
-		DeviceFingerprint: fingerprint,
-		IPAddress:         ip,
-		RiskScore:         &score,
-	})
-	if err != nil {
-		if errors.Is(err, domain.ErrRSVPAlreadySubmitted) {
-			writeError(w, http.StatusConflict, "rsvp already submitted for this guest")
-			return
-		}
-		h.logger.Error("create rsvp", "err", err, "guest_id", guest.ID)
-		writeError(w, http.StatusInternalServerError, "failed to record rsvp")
-		return
-	}
-
-	if err := h.tokens.MarkUsed(r.Context(), tk.ID); err != nil {
-		h.logger.Warn("mark token used", "err", err, "token_id", tk.ID)
-	}
-
 	go func(evt natspub.RSVPConfirmed) {
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
@@ -164,20 +353,14 @@ func (h *rsvpHandler) submit(w http.ResponseWriter, r *http.Request) {
 			h.logger.Error("publish rsvp.confirmed", "err", err, "rsvp_id", evt.RSVPID)
 		}
 	}(natspub.RSVPConfirmed{
-		EventID:     event.ID,
-		GuestID:     guest.ID,
+		EventID:     eventID,
+		GuestID:     guestID,
 		RSVPID:      rsvp.ID,
 		Response:    string(rsvp.Response),
 		PlusOnes:    rsvp.PlusOnes,
-		RiskScore:   &score,
+		RiskScore:   score,
 		SubmittedAt: rsvp.SubmittedAt,
 	})
-
-	writeJSON(w, http.StatusCreated, submitRSVPResponse{
-		RSVP:     rsvp,
-		Decision: decision,
-		Blocked:  false,
-	})
 }
 
 func mergeFingerprint(client map[string]any, server map[string]any) map[string]any {
@@ -207,4 +390,3 @@ func stringifyFingerprint(fp map[string]any) map[string]string {
 	}
 	return out
 }
-

internal/api/server.go

@@ -161,6 +161,7 @@ func NewServer(deps ServerDeps) (*Server, error) {
 			events:        eventRepo,
 			users:         userRepo,
 			accessLogs:    accessRepo,
+			rsvps:         rsvpRepo,
 			gen:           auth.NewGenerator(),
 			ttl:           deps.TokenTTL,
 			pub:           deps.AccessPublisher,
@@ -306,6 +307,16 @@ func (s *Server) Handler() http.Handler {
 		rl("access", 60, time.Hour, pathKey("token"), http.HandlerFunc(s.tokens.access)))
 	mux.Handle("POST /rsvp/{token}",
 		rl("rsvp", 10, time.Hour, pathKey("token"), http.HandlerFunc(s.rsvps.submit)))
+	// Block A: edits are bounded by MaxRSVPEdits server-side. The redis
+	// limiter is a coarser guard that also throttles attempts that hit the
+	// edit-cap 429 path, so a hostile actor can't burn through fraud-engine
+	// calls on the same token.
+	mux.Handle("PATCH /rsvp/{token}",
+		rl("rsvp_edit", 10, time.Hour, pathKey("token"), http.HandlerFunc(s.rsvps.edit)))
+
+	// Host view of the edit trail for a single guest.
+	mux.Handle("GET /events/{id}/guests/{guest_id}/rsvp/history",
+		authed(http.HandlerFunc(s.rsvps.history)))
 
 	// WebSocket endpoint authenticates via single-use ticket on the query
 	// string (see POST /auth/ws-ticket).

internal/api/tokens.go

@@ -32,6 +32,7 @@ type tokenHandler struct {
 	events        *storage.EventRepo
 	users         *storage.UserRepo
 	accessLogs    *storage.AccessLogRepo
+	rsvps         *storage.RSVPRepo
 	gen           *auth.Generator
 	ttl           time.Duration
 	pub           accessPublisher
@@ -401,10 +402,14 @@ func (h *tokenHandler) rotate(w http.ResponseWriter, r *http.Request) {
 }
 
 type accessResponse struct {
-	Guest      *domain.Guest `json:"guest"`
-	Event      *domain.Event `json:"event"`
-	Token      *domain.Token `json:"token"`
-	AccessLog  uuid.UUID     `json:"access_log_id"`
+	Guest     *domain.Guest `json:"guest"`
+	Event     *domain.Event `json:"event"`
+	Token     *domain.Token `json:"token"`
+	AccessLog uuid.UUID     `json:"access_log_id"`
+	// RSVP is the guest's current submission, if any. Populated so the RSVP
+	// page can show an edit form instead of a fresh submit form when the
+	// guest revisits their invitation link (Tier 2 Block A).
+	RSVP *domain.RSVP `json:"rsvp,omitempty"`
 }
 
 // GET /access/{token} — validate token, log the access attempt, publish to NATS.
@@ -471,11 +476,28 @@ func (h *tokenHandler) access(w http.ResponseWriter, r *http.Request) {
 		OccurredAt:  time.Now().UTC(),
 	})
 
+	var existingRSVP *domain.RSVP
+	if h.rsvps != nil {
+		// Best-effort: a missing RSVP just means the guest hasn't submitted
+		// yet. Any other error is logged but doesn't fail the access call —
+		// we'd rather the guest see the form than a 500.
+		rs, err := h.rsvps.GetByGuest(r.Context(), guest.ID)
+		switch {
+		case err == nil:
+			existingRSVP = rs
+		case errors.Is(err, domain.ErrRSVPNotFound):
+			// expected first-visit case
+		default:
+			h.logger.Warn("load rsvp for access", "err", err, "guest_id", guest.ID)
+		}
+	}
+
 	writeJSON(w, http.StatusOK, accessResponse{
 		Guest:     guest,
 		Event:     event,
 		Token:     tk,
 		AccessLog: accessLogID,
+		RSVP:      existingRSVP,
 	})
 }
 

internal/domain/rsvp.go

@@ -33,9 +33,29 @@ type RSVP struct {
 	DeviceFingerprint map[string]any `json:"device_fingerprint,omitempty"`
 	IPAddress         *string        `json:"ip_address,omitempty"`
 	RiskScore         *int           `json:"risk_score,omitempty"`
+	EditCount         int            `json:"edit_count"`
 }
 
+// RSVPRevision is one snapshot of an RSVP's previous state, written before
+// the new values are applied on PATCH /rsvp/{token}. The host history view
+// renders these newest-first so the edit trail is auditable.
+type RSVPRevision struct {
+	ID           uuid.UUID    `json:"id"`
+	RSVPID       uuid.UUID    `json:"rsvp_id"`
+	PrevResponse RSVPResponse `json:"prev_response"`
+	PrevPlusOnes int          `json:"prev_plus_ones"`
+	PrevDietary  *string      `json:"prev_dietary,omitempty"`
+	ChangedAt    time.Time    `json:"changed_at"`
+}
+
+// MaxRSVPEdits caps the number of times a single RSVP can be revised.
+// The 6th attempt returns 429 — keeps a hostile actor from churning the
+// host's activity feed with endless updates.
+const MaxRSVPEdits = 5
+
 var (
 	ErrRSVPAlreadySubmitted = errors.New("rsvp already submitted")
 	ErrRSVPBlocked          = errors.New("rsvp blocked due to fraud risk")
+	ErrRSVPNotFound         = errors.New("rsvp not found")
+	ErrRSVPEditLimitReached = errors.New("rsvp edit limit reached")
 )

internal/storage/migrations/0007_rsvp_edits.down.sql

@@ -0,0 +1,4 @@
+ALTER TABLE rsvps DROP COLUMN IF EXISTS edit_count;
+
+DROP INDEX IF EXISTS idx_rsvp_revisions_rsvp;
+DROP TABLE IF EXISTS rsvp_revisions;

internal/storage/migrations/0007_rsvp_edits.up.sql

@@ -0,0 +1,25 @@
+-- Tier 2 Block A — editable RSVPs.
+--
+-- Guests can revisit their invitation link after submitting and change their
+-- response or plus-one count. Every prior state is captured in rsvp_revisions
+-- so the host can see the trail of edits.
+--
+-- The plan called this 0004_rsvp_edits in TIER2_PLAN.md; using the next free
+-- slot (0007) because 0004–0006 were taken by Tier 1 work.
+
+CREATE TABLE IF NOT EXISTS rsvp_revisions (
+    id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    rsvp_id         UUID NOT NULL REFERENCES rsvps(id) ON DELETE CASCADE,
+    prev_response   rsvp_response NOT NULL,
+    prev_plus_ones  INTEGER NOT NULL,
+    prev_dietary    TEXT,
+    changed_at      TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS idx_rsvp_revisions_rsvp
+    ON rsvp_revisions(rsvp_id, changed_at DESC);
+
+-- Hard cap on how many times a guest can edit. The numeric cap (5) is
+-- enforced in Go; storing the running count avoids a count(*) on every PATCH.
+ALTER TABLE rsvps
+    ADD COLUMN IF NOT EXISTS edit_count SMALLINT NOT NULL DEFAULT 0;

internal/storage/rsvps.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgconn"
 	"github.com/jackc/pgx/v5/pgxpool"
 
@@ -52,7 +53,8 @@ func (r *RSVPRepo) Create(ctx context.Context, p CreateRSVPParams) (*domain.RSVP
                            device_fingerprint, ip_address, risk_score)
         VALUES ($1, $2, $3, $4, $5, $6::inet, $7)
         RETURNING id, guest_id, response, plus_ones, dietary_notes,
-                  submitted_at, device_fingerprint, ip_address::text, risk_score
+                  submitted_at, device_fingerprint, ip_address::text, risk_score,
+                  edit_count
     `
 
 	row := r.pool.QueryRow(ctx, q,
@@ -71,6 +73,152 @@ func (r *RSVPRepo) Create(ctx context.Context, p CreateRSVPParams) (*domain.RSVP
 	return rs, nil
 }
 
+// GetByGuest returns the RSVP submitted by `guestID`, or ErrRSVPNotFound when
+// none exists yet. Used by /access/{token} to surface the current submission
+// so the frontend can show an edit form, and by PATCH /rsvp to load the row
+// being revised.
+func (r *RSVPRepo) GetByGuest(ctx context.Context, guestID uuid.UUID) (*domain.RSVP, error) {
+	const q = `
+        SELECT id, guest_id, response, plus_ones, dietary_notes,
+               submitted_at, device_fingerprint, ip_address::text, risk_score,
+               edit_count
+        FROM rsvps WHERE guest_id = $1
+    `
+	rs, err := scanRSVP(r.pool.QueryRow(ctx, q, guestID))
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, domain.ErrRSVPNotFound
+		}
+		return nil, err
+	}
+	return rs, nil
+}
+
+type UpdateRSVPParams struct {
+	GuestID           uuid.UUID
+	Response          domain.RSVPResponse
+	PlusOnes          int
+	DietaryNotes      *string
+	DeviceFingerprint map[string]any
+	IPAddress         string
+	RiskScore         *int
+}
+
+// Update applies a revision to the guest's RSVP. The previous values are
+// snapshotted into rsvp_revisions inside the same transaction so the history
+// is consistent — either both the snapshot and the new state land, or neither
+// does. Returns ErrRSVPEditLimitReached if the guest has already hit
+// MaxRSVPEdits; the row itself is left untouched.
+func (r *RSVPRepo) Update(ctx context.Context, p UpdateRSVPParams) (*domain.RSVP, error) {
+	var fpJSON []byte
+	if p.DeviceFingerprint != nil {
+		b, err := json.Marshal(p.DeviceFingerprint)
+		if err != nil {
+			return nil, fmt.Errorf("marshal fingerprint: %w", err)
+		}
+		fpJSON = b
+	}
+
+	var ip *string
+	if p.IPAddress != "" {
+		ip = &p.IPAddress
+	}
+
+	tx, err := r.pool.Begin(ctx)
+	if err != nil {
+		return nil, err
+	}
+	defer tx.Rollback(ctx)
+
+	// SELECT ... FOR UPDATE locks the row so two concurrent edits can't both
+	// snapshot the same prior state and both increment edit_count past the cap.
+	var (
+		rsvpID       uuid.UUID
+		prevResp     domain.RSVPResponse
+		prevPlusOnes int
+		prevDietary  *string
+		editCount    int
+	)
+	err = tx.QueryRow(ctx, `
+        SELECT id, response, plus_ones, dietary_notes, edit_count
+        FROM rsvps WHERE guest_id = $1
+        FOR UPDATE
+    `, p.GuestID).Scan(&rsvpID, &prevResp, &prevPlusOnes, &prevDietary, &editCount)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, domain.ErrRSVPNotFound
+		}
+		return nil, err
+	}
+	if editCount >= domain.MaxRSVPEdits {
+		return nil, domain.ErrRSVPEditLimitReached
+	}
+
+	if _, err := tx.Exec(ctx, `
+        INSERT INTO rsvp_revisions (rsvp_id, prev_response, prev_plus_ones, prev_dietary)
+        VALUES ($1, $2, $3, $4)
+    `, rsvpID, prevResp, prevPlusOnes, prevDietary); err != nil {
+		return nil, fmt.Errorf("snapshot revision: %w", err)
+	}
+
+	const upd = `
+        UPDATE rsvps
+        SET response = $2,
+            plus_ones = $3,
+            dietary_notes = $4,
+            device_fingerprint = COALESCE($5, device_fingerprint),
+            ip_address = COALESCE($6::inet, ip_address),
+            risk_score = COALESCE($7, risk_score),
+            submitted_at = now(),
+            edit_count = edit_count + 1
+        WHERE guest_id = $1
+        RETURNING id, guest_id, response, plus_ones, dietary_notes,
+                  submitted_at, device_fingerprint, ip_address::text, risk_score,
+                  edit_count
+    `
+	row := tx.QueryRow(ctx, upd,
+		p.GuestID, p.Response, p.PlusOnes, p.DietaryNotes,
+		fpJSON, ip, p.RiskScore,
+	)
+	rs, err := scanRSVP(row)
+	if err != nil {
+		return nil, err
+	}
+	if err := tx.Commit(ctx); err != nil {
+		return nil, err
+	}
+	return rs, nil
+}
+
+// ListRevisions returns every prior state of an RSVP, newest first. Empty
+// slice (not nil) when there are no revisions, so the JSON encodes as `[]`.
+func (r *RSVPRepo) ListRevisions(ctx context.Context, rsvpID uuid.UUID) ([]domain.RSVPRevision, error) {
+	const q = `
+        SELECT id, rsvp_id, prev_response, prev_plus_ones, prev_dietary, changed_at
+        FROM rsvp_revisions
+        WHERE rsvp_id = $1
+        ORDER BY changed_at DESC
+    `
+	rows, err := r.pool.Query(ctx, q, rsvpID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	out := []domain.RSVPRevision{}
+	for rows.Next() {
+		var rev domain.RSVPRevision
+		if err := rows.Scan(
+			&rev.ID, &rev.RSVPID, &rev.PrevResponse,
+			&rev.PrevPlusOnes, &rev.PrevDietary, &rev.ChangedAt,
+		); err != nil {
+			return nil, err
+		}
+		out = append(out, rev)
+	}
+	return out, rows.Err()
+}
+
 // RSVPActivity is a denormalised RSVP entry for the activity feed —
 // includes the guest's name so the API can hand it to the frontend
 // without a separate lookup.
@@ -120,7 +268,7 @@ func scanRSVP(s rowScanner) (*domain.RSVP, error) {
 	)
 	err := s.Scan(
 		&rs.ID, &rs.GuestID, &rs.Response, &rs.PlusOnes, &rs.DietaryNotes,
-		&rs.SubmittedAt, &fpJSON, &ip, &rs.RiskScore,
+		&rs.SubmittedAt, &fpJSON, &ip, &rs.RiskScore, &rs.EditCount,
 	)
 	if err != nil {
 		return nil, err