feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

cmd/notifier/Dockerfile

@@ -0,0 +1,26 @@
+FROM golang:1.26-alpine AS build
+WORKDIR /src
+
+RUN apk add --no-cache ca-certificates git
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+ARG VERSION=dev
+RUN CGO_ENABLED=0 GOOS=linux go build \
+    -ldflags="-s -w -X main.version=${VERSION}" \
+    -o /out/notifier ./cmd/notifier
+
+FROM alpine:3.20 AS runtime
+RUN apk add --no-cache ca-certificates tzdata && \
+    addgroup -g 1000 app && \
+    adduser -D -u 1000 -G app app
+
+WORKDIR /app
+COPY --from=build /out/notifier /app/notifier
+
+USER 1000:1000
+
+ENTRYPOINT ["/app/notifier"]

cmd/notifier/main.go

@@ -0,0 +1,209 @@
+package main
+
+import (
+	"context"
+	"log/slog"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/alchemistkay/guestguard/internal/config"
+	"github.com/alchemistkay/guestguard/internal/natspub"
+	"github.com/alchemistkay/guestguard/internal/notification"
+	"github.com/alchemistkay/guestguard/internal/storage"
+)
+
+func main() {
+	if err := run(); err != nil {
+		slog.Error("fatal", "err", err)
+		os.Exit(1)
+	}
+}
+
+func run() error {
+	cfg, err := config.Load()
+	if err != nil {
+		return err
+	}
+
+	logger := slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: levelFor(cfg.Env)}))
+	slog.SetDefault(logger)
+	logger = logger.With("service", "notifier")
+
+	rootCtx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer stop()
+
+	logger.Info("connecting to database")
+	db, err := storage.NewDB(rootCtx, cfg.DatabaseURL)
+	if err != nil {
+		return err
+	}
+	defer db.Close()
+
+	logger.Info("connecting to nats", "url", cfg.NATSURL)
+	natsClient, err := natspub.Connect(rootCtx, cfg.NATSURL, logger)
+	if err != nil {
+		return err
+	}
+	defer natsClient.Close()
+
+	repo := notification.NewRepo(db)
+	sender := notification.LogSender{}
+
+	rsvpSub, err := natspub.NewRSVPConfirmedSubscriber(
+		rootCtx, natsClient, "notifier-rsvp-confirmed",
+		func(ctx context.Context, evt natspub.RSVPConfirmed) error {
+			return handleRSVPConfirmed(ctx, logger, repo, sender, evt)
+		},
+		logger,
+	)
+	if err != nil {
+		return err
+	}
+	rsvpCC, err := rsvpSub.Start(rootCtx)
+	if err != nil {
+		return err
+	}
+	defer rsvpCC.Stop()
+
+	fraudSub, err := natspub.NewFraudScoredSubscriber(
+		rootCtx, natsClient, "notifier-fraud-scored",
+		func(ctx context.Context, evt natspub.FraudScored) error {
+			return handleFraudScored(ctx, logger, repo, sender, evt)
+		},
+		logger,
+	)
+	if err != nil {
+		return err
+	}
+	fraudCC, err := fraudSub.Start(rootCtx)
+	if err != nil {
+		return err
+	}
+	defer fraudCC.Stop()
+
+	logger.Info("notifier started")
+	<-rootCtx.Done()
+	logger.Info("notifier shutting down")
+	return nil
+}
+
+func handleRSVPConfirmed(
+	ctx context.Context,
+	logger *slog.Logger,
+	repo *notification.Repo,
+	sender notification.Sender,
+	evt natspub.RSVPConfirmed,
+) error {
+	msg := notification.OutboundMessage{
+		GuestID: evt.GuestID,
+		Channel: notification.ChannelEmail,
+		Type:    notification.TypeConfirmation,
+		Subject: "Your RSVP is confirmed",
+		Body:    "Thanks for your response.",
+		Metadata: map[string]any{
+			"rsvp_id":     evt.RSVPID,
+			"event_id":    evt.EventID,
+			"response":    evt.Response,
+			"plus_ones":   evt.PlusOnes,
+			"risk_score":  evt.RiskScore,
+			"submitted_at": evt.SubmittedAt,
+		},
+	}
+
+	providerID, sendErr := sender.Send(ctx, msg)
+	status := notification.StatusSent
+	errStr := ""
+	if sendErr != nil {
+		status = notification.StatusFailed
+		errStr = sendErr.Error()
+	}
+
+	id, err := repo.Record(ctx, notification.RecordParams{
+		GuestID:    evt.GuestID,
+		Channel:    msg.Channel,
+		Type:       msg.Type,
+		Status:     status,
+		ProviderID: providerID,
+		Error:      errStr,
+	})
+	if err != nil {
+		return err
+	}
+
+	logger.Info("notification dispatched",
+		"notification_id", id,
+		"guest_id", evt.GuestID,
+		"channel", msg.Channel,
+		"type", msg.Type,
+		"status", status,
+		"provider_id", providerID,
+	)
+	return nil
+}
+
+func handleFraudScored(
+	ctx context.Context,
+	logger *slog.Logger,
+	repo *notification.Repo,
+	sender notification.Sender,
+	evt natspub.FraudScored,
+) error {
+	// Only alert when the score crosses a meaningful threshold; low/medium
+	// scores are noise for the host.
+	if evt.Score < 60 {
+		return nil
+	}
+
+	msg := notification.OutboundMessage{
+		GuestID: evt.GuestID,
+		Channel: notification.ChannelEmail,
+		Type:    notification.TypeReminder, // reusing existing enum; a fraud_alert type would be nicer
+		Subject: "Suspicious access attempt detected",
+		Body:    "A flagged access attempt occurred for one of your guests.",
+		Metadata: map[string]any{
+			"event_id": evt.EventID,
+			"score":    evt.Score,
+			"risk":     evt.Risk,
+			"reasons":  evt.Reasons,
+		},
+	}
+
+	providerID, sendErr := sender.Send(ctx, msg)
+	status := notification.StatusSent
+	errStr := ""
+	if sendErr != nil {
+		status = notification.StatusFailed
+		errStr = sendErr.Error()
+	}
+
+	id, err := repo.Record(ctx, notification.RecordParams{
+		GuestID:    evt.GuestID,
+		Channel:    msg.Channel,
+		Type:       msg.Type,
+		Status:     status,
+		ProviderID: providerID,
+		Error:      errStr,
+	})
+	if err != nil {
+		return err
+	}
+
+	logger.Warn("fraud alert dispatched",
+		"notification_id", id,
+		"guest_id", evt.GuestID,
+		"score", evt.Score,
+		"risk", evt.Risk,
+		"reasons", evt.Reasons,
+		"status", status,
+		"provider_id", providerID,
+	)
+	return nil
+}
+
+func levelFor(env string) slog.Level {
+	if env == "development" {
+		return slog.LevelDebug
+	}
+	return slog.LevelInfo
+}