feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

cmd/api/main.go

@@ -0,0 +1,172 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"log/slog"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/alchemistkay/guestguard/internal/api"
+	"github.com/alchemistkay/guestguard/internal/config"
+	"github.com/alchemistkay/guestguard/internal/fraud"
+	"github.com/alchemistkay/guestguard/internal/natspub"
+	"github.com/alchemistkay/guestguard/internal/storage"
+)
+
+func main() {
+	if err := run(); err != nil {
+		slog.Error("fatal", "err", err)
+		os.Exit(1)
+	}
+}
+
+func run() error {
+	cfg, err := config.Load()
+	if err != nil {
+		return err
+	}
+
+	logger := newLogger(cfg.Env)
+	slog.SetDefault(logger)
+
+	rootCtx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer stop()
+
+	logger.Info("connecting to database")
+	db, err := storage.NewDB(rootCtx, cfg.DatabaseURL)
+	if err != nil {
+		return err
+	}
+	defer db.Close()
+
+	logger.Info("running migrations")
+	if err := db.Migrate(rootCtx); err != nil {
+		return err
+	}
+
+	logger.Info("connecting to nats", "url", cfg.NATSURL)
+	natsClient, err := natspub.Connect(rootCtx, cfg.NATSURL, logger)
+	if err != nil {
+		return err
+	}
+	defer natsClient.Close()
+
+	logger.Info("dialing fraud engine", "addr", cfg.FraudGRPCAddr)
+	fraudClient, err := fraud.Dial(rootCtx, cfg.FraudGRPCAddr, cfg.FraudGRPCTimeout, logger)
+	if err != nil {
+		return err
+	}
+	defer fraudClient.Close()
+
+	hub := api.NewHub(logger)
+
+	accessLogs := storage.NewAccessLogRepo(db)
+	fraudSub, err := natspub.NewFraudScoredSubscriber(
+		rootCtx, natsClient, "core-api-fraud-scored",
+		func(ctx context.Context, evt natspub.FraudScored) error {
+			if err := accessLogs.ApplyScore(ctx, storage.ApplyScoreParams{
+				AccessLogID: evt.AccessLogID,
+				Score:       evt.Score,
+				Reasons:     evt.Reasons,
+				Flagged:     evt.Score >= 60,
+			}); err != nil {
+				return err
+			}
+			payload, _ := json.Marshal(evt)
+			hub.Broadcast(api.WSEvent{
+				Type:    "fraud.scored",
+				EventID: evt.EventID,
+				Payload: payload,
+			})
+			return nil
+		},
+		logger,
+	)
+	if err != nil {
+		return err
+	}
+	fraudConsumeCtx, err := fraudSub.Start(rootCtx)
+	if err != nil {
+		return err
+	}
+	defer fraudConsumeCtx.Stop()
+
+	rsvpSub, err := natspub.NewRSVPConfirmedSubscriber(
+		rootCtx, natsClient, "core-api-rsvp-confirmed-ws",
+		func(ctx context.Context, evt natspub.RSVPConfirmed) error {
+			payload, _ := json.Marshal(evt)
+			hub.Broadcast(api.WSEvent{
+				Type:    "rsvp.confirmed",
+				EventID: evt.EventID,
+				Payload: payload,
+			})
+			return nil
+		},
+		logger,
+	)
+	if err != nil {
+		return err
+	}
+	rsvpConsumeCtx, err := rsvpSub.Start(rootCtx)
+	if err != nil {
+		return err
+	}
+	defer rsvpConsumeCtx.Stop()
+
+	srv := &http.Server{
+		Addr: cfg.HTTPAddr,
+		Handler: api.NewServer(api.ServerDeps{
+			Logger:          logger,
+			DB:              db,
+			Hub:             hub,
+			AccessPublisher: natsClient,
+			RSVPPublisher:   natsClient,
+			FraudScorer:     fraudClient,
+			TokenTTL:        cfg.TokenTTL,
+		}).Handler(),
+		ReadHeaderTimeout: 5 * time.Second,
+		ReadTimeout:       30 * time.Second,
+		WriteTimeout:      0, // 0 lets WS connections live; per-request handlers still bound by their own ctx
+		IdleTimeout:       60 * time.Second,
+	}
+
+	errCh := make(chan error, 1)
+	go func() {
+		logger.Info("http server starting", "addr", cfg.HTTPAddr, "env", cfg.Env)
+		if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
+			errCh <- err
+		}
+		close(errCh)
+	}()
+
+	select {
+	case <-rootCtx.Done():
+		logger.Info("shutdown signal received")
+	case err := <-errCh:
+		if err != nil {
+			return err
+		}
+	}
+
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), cfg.ShutdownTimeout)
+	defer cancel()
+	if err := srv.Shutdown(shutdownCtx); err != nil {
+		logger.Error("graceful shutdown failed", "err", err)
+		return err
+	}
+	logger.Info("shutdown complete")
+	return nil
+}
+
+func newLogger(env string) *slog.Logger {
+	level := slog.LevelInfo
+	if env == "development" {
+		level = slog.LevelDebug
+	}
+	return slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: level}))
+}