feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fraud-engine/tests/test_grpc_server.py

@@ -0,0 +1,111 @@
+"""Integration test for the gRPC FraudService over an in-process channel."""
+
+from __future__ import annotations
+
+from uuid import uuid4
+
+import grpc
+import pytest
+
+from app.grpc_server import FraudServicer, serve_grpc, stop_grpc
+from app.scoring import HeuristicScorer
+from fraud.v1 import fraud_pb2, fraud_pb2_grpc
+
+
+@pytest.mark.asyncio
+async def test_score_low_risk_first_access():
+    scorer = HeuristicScorer()
+    server = await serve_grpc(scorer, "127.0.0.1:0")
+    # add_insecure_port returns 0 so we need to fish out the actual bound port via _server's state.
+    # Easier: rebind on a known free port for the test.
+    await stop_grpc(server)
+
+    addr = "127.0.0.1:50951"
+    server = await serve_grpc(scorer, addr)
+    try:
+        async with grpc.aio.insecure_channel(addr) as channel:
+            stub = fraud_pb2_grpc.FraudServiceStub(channel)
+            resp = await stub.Score(
+                fraud_pb2.ScoreRequest(
+                    event_id=str(uuid4()),
+                    guest_id=str(uuid4()),
+                    token_id=str(uuid4()),
+                    access_log_id=str(uuid4()),
+                    fingerprint={"ua": "Chrome", "platform": "macOS"},
+                    ip_address="203.0.113.7",
+                    user_agent="Mozilla/5.0",
+                ),
+                timeout=2.0,
+            )
+            assert resp.score <= 30
+            assert resp.risk == fraud_pb2.RISK_LOW
+    finally:
+        await stop_grpc(server)
+
+
+@pytest.mark.asyncio
+async def test_score_high_risk_after_baseline_change():
+    scorer = HeuristicScorer()
+    addr = "127.0.0.1:50952"
+    server = await serve_grpc(scorer, addr)
+    try:
+        guest_id = str(uuid4())
+        async with grpc.aio.insecure_channel(addr) as channel:
+            stub = fraud_pb2_grpc.FraudServiceStub(channel)
+
+            await stub.Score(
+                fraud_pb2.ScoreRequest(
+                    event_id=str(uuid4()),
+                    guest_id=guest_id,
+                    token_id=str(uuid4()),
+                    access_log_id=str(uuid4()),
+                    fingerprint={"ua": "Chrome"},
+                    ip_address="203.0.113.7",
+                    user_agent="Mozilla/5.0",
+                ),
+                timeout=2.0,
+            )
+
+            resp = await stub.Score(
+                fraud_pb2.ScoreRequest(
+                    event_id=str(uuid4()),
+                    guest_id=guest_id,
+                    token_id=str(uuid4()),
+                    access_log_id=str(uuid4()),
+                    fingerprint={"ua": "curl/8"},
+                    ip_address="198.51.100.42",
+                    user_agent="",
+                ),
+                timeout=2.0,
+            )
+            assert resp.score >= 60
+            assert resp.risk in {fraud_pb2.RISK_HIGH, fraud_pb2.RISK_BLOCK}
+    finally:
+        await stop_grpc(server)
+
+
+@pytest.mark.asyncio
+async def test_invalid_uuid_returns_invalid_argument():
+    scorer = HeuristicScorer()
+    addr = "127.0.0.1:50953"
+    server = await serve_grpc(scorer, addr)
+    try:
+        async with grpc.aio.insecure_channel(addr) as channel:
+            stub = fraud_pb2_grpc.FraudServiceStub(channel)
+            with pytest.raises(grpc.RpcError) as excinfo:
+                await stub.Score(
+                    fraud_pb2.ScoreRequest(
+                        event_id="not-a-uuid",
+                        guest_id=str(uuid4()),
+                        token_id=str(uuid4()),
+                    ),
+                    timeout=2.0,
+                )
+            assert excinfo.value.code() == grpc.StatusCode.INVALID_ARGUMENT
+    finally:
+        await stop_grpc(server)
+
+
+def test_servicer_constructs():
+    # Ensures the servicer wires up against the generated stub.
+    FraudServicer(HeuristicScorer())