feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fraud-engine/app/consumer.py

@@ -0,0 +1,74 @@
+from __future__ import annotations
+
+import logging
+from datetime import UTC, datetime
+
+from nats.aio.msg import Msg
+
+from app.nats_bus import NatsBus
+from app.schemas import AccessAttempted, FraudScored
+from app.scoring import HeuristicScorer, risk_band
+
+logger = logging.getLogger(__name__)
+
+SUBJECT_ACCESS_ATTEMPTED = "guest.access.attempted"
+SUBJECT_FRAUD_SCORED = "fraud.scored"
+
+
+class FraudConsumer:
+    def __init__(self, bus: NatsBus, durable: str, scorer: HeuristicScorer) -> None:
+        self._bus = bus
+        self._durable = durable
+        self._scorer = scorer
+        self._subscription = None
+
+    async def start(self) -> None:
+        self._subscription = await self._bus.subscribe(
+            subject=SUBJECT_ACCESS_ATTEMPTED,
+            durable=self._durable,
+            handler=self._handle,
+            manual_ack=True,
+        )
+        logger.info("subscribed", extra={"subject": SUBJECT_ACCESS_ATTEMPTED, "durable": self._durable})
+
+    async def stop(self) -> None:
+        if self._subscription is not None:
+            await self._subscription.unsubscribe()
+            self._subscription = None
+
+    async def _handle(self, msg: Msg) -> None:
+        try:
+            evt = AccessAttempted.model_validate_json(msg.data)
+        except Exception:
+            logger.exception("invalid access.attempted payload — terminating message")
+            await msg.term()
+            return
+
+        try:
+            result = self._scorer.score(evt)
+            scored = FraudScored(
+                event_id=evt.event_id,
+                guest_id=evt.guest_id,
+                token_id=evt.token_id,
+                access_log_id=evt.access_log_id,
+                score=result.score,
+                risk=risk_band(result.score),
+                reasons=result.reasons,
+                scored_at=datetime.now(UTC),
+            )
+            await self._bus.publish(
+                SUBJECT_FRAUD_SCORED,
+                scored.model_dump_json().encode("utf-8"),
+            )
+            logger.info(
+                "scored access",
+                extra={
+                    "guest_id": str(evt.guest_id),
+                    "score": result.score,
+                    "risk": scored.risk,
+                },
+            )
+            await msg.ack()
+        except Exception:
+            logger.exception("failed to score access — nak")
+            await msg.nak(delay=2)