feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

frontend/composables/useEventWS.ts

@@ -0,0 +1,57 @@
+// Subscribes to /ws/events/:id and emits per-message callbacks.
+//
+// Auto-reconnects with exponential backoff up to 30s. Returns a cleanup
+// fn the caller invokes (e.g. inside onUnmounted).
+
+interface WSMessage {
+  type: string
+  event_id: string
+  payload: any
+  timestamp: string
+}
+
+export function useEventWS(eventId: string, onMessage: (msg: WSMessage) => void) {
+  if (import.meta.server) return () => {}
+
+  const config = useRuntimeConfig()
+  const base = (config.public.wsBase as string) || ''
+  const url = `${base}/ws/events/${eventId}`
+
+  let ws: WebSocket | null = null
+  let attempt = 0
+  let stopped = false
+  let reconnectTimer: ReturnType<typeof setTimeout> | null = null
+
+  function connect() {
+    if (stopped) return
+    ws = new WebSocket(url)
+
+    ws.onopen = () => {
+      attempt = 0
+    }
+    ws.onmessage = (e) => {
+      try {
+        const msg = JSON.parse(e.data) as WSMessage
+        onMessage(msg)
+      } catch {
+        /* ignore */
+      }
+    }
+    ws.onclose = () => {
+      if (stopped) return
+      const backoff = Math.min(30_000, 500 * Math.pow(2, attempt++))
+      reconnectTimer = setTimeout(connect, backoff)
+    }
+    ws.onerror = () => {
+      ws?.close()
+    }
+  }
+
+  connect()
+
+  return function stop() {
+    stopped = true
+    if (reconnectTimer) clearTimeout(reconnectTimer)
+    ws?.close()
+  }
+}