feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

frontend/composables/useApi.ts

@@ -0,0 +1,16 @@
+// Typed wrapper around $fetch with the configured API base.
+// Usage: const events = await useApi<EventList>('/events')
+export async function useApi<T = unknown>(
+  path: string,
+  opts: { method?: string; body?: unknown; query?: Record<string, unknown> } = {},
+): Promise<T> {
+  const config = useRuntimeConfig()
+  const base = config.public.apiBase as string
+  return await $fetch<T>(path, {
+    baseURL: base,
+    method: (opts.method ?? 'GET') as any,
+    body: opts.body,
+    query: opts.query,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}

frontend/composables/useEventWS.ts

@@ -0,0 +1,57 @@
+// Subscribes to /ws/events/:id and emits per-message callbacks.
+//
+// Auto-reconnects with exponential backoff up to 30s. Returns a cleanup
+// fn the caller invokes (e.g. inside onUnmounted).
+
+interface WSMessage {
+  type: string
+  event_id: string
+  payload: any
+  timestamp: string
+}
+
+export function useEventWS(eventId: string, onMessage: (msg: WSMessage) => void) {
+  if (import.meta.server) return () => {}
+
+  const config = useRuntimeConfig()
+  const base = (config.public.wsBase as string) || ''
+  const url = `${base}/ws/events/${eventId}`
+
+  let ws: WebSocket | null = null
+  let attempt = 0
+  let stopped = false
+  let reconnectTimer: ReturnType<typeof setTimeout> | null = null
+
+  function connect() {
+    if (stopped) return
+    ws = new WebSocket(url)
+
+    ws.onopen = () => {
+      attempt = 0
+    }
+    ws.onmessage = (e) => {
+      try {
+        const msg = JSON.parse(e.data) as WSMessage
+        onMessage(msg)
+      } catch {
+        /* ignore */
+      }
+    }
+    ws.onclose = () => {
+      if (stopped) return
+      const backoff = Math.min(30_000, 500 * Math.pow(2, attempt++))
+      reconnectTimer = setTimeout(connect, backoff)
+    }
+    ws.onerror = () => {
+      ws?.close()
+    }
+  }
+
+  connect()
+
+  return function stop() {
+    stopped = true
+    if (reconnectTimer) clearTimeout(reconnectTimer)
+    ws?.close()
+  }
+}

frontend/composables/useFingerprint.ts

@@ -0,0 +1,22 @@
+// Lightweight browser fingerprint. Not a serious anti-fraud signal on its
+// own — the value is the *delta* between accesses, which is what the fraud
+// engine actually compares against.
+export function useFingerprint(): Record<string, string | number> {
+  if (import.meta.server) return {}
+
+  const screen = window.screen
+  return {
+    platform: navigator.platform,
+    language: navigator.language,
+    languages: (navigator.languages || []).join(','),
+    user_agent: navigator.userAgent,
+    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
+    timezone_offset: new Date().getTimezoneOffset(),
+    screen_width: screen.width,
+    screen_height: screen.height,
+    color_depth: screen.colorDepth,
+    pixel_ratio: window.devicePixelRatio,
+    cookie_enabled: navigator.cookieEnabled ? 1 : 0,
+    hardware_concurrency: navigator.hardwareConcurrency || 0,
+  }
+}

frontend/composables/useHost.ts

@@ -0,0 +1,43 @@
+// Demo-grade host bootstrap. Real auth would replace this entirely; for now
+// we upsert by email and stash the host id in localStorage.
+interface User {
+  id: string
+  email: string
+  name: string
+}
+
+const STORAGE_KEY = 'gg.host'
+
+export function useHost() {
+  const host = useState<User | null>('gg-host', () => null)
+
+  if (import.meta.client && !host.value) {
+    const raw = window.localStorage.getItem(STORAGE_KEY)
+    if (raw) {
+      try {
+        host.value = JSON.parse(raw)
+      } catch {
+        window.localStorage.removeItem(STORAGE_KEY)
+      }
+    }
+  }
+
+  async function bootstrap(email: string, name: string) {
+    const u = await useApi<User>('/users', {
+      method: 'POST',
+      body: { email, name },
+    })
+    host.value = u
+    if (import.meta.client) {
+      window.localStorage.setItem(STORAGE_KEY, JSON.stringify(u))
+    }
+    return u
+  }
+
+  function clear() {
+    host.value = null
+    if (import.meta.client) window.localStorage.removeItem(STORAGE_KEY)
+  }
+
+  return { host, bootstrap, clear }
+}