feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/auth/token.go

@@ -0,0 +1,45 @@
+package auth
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"strings"
+)
+
+const tokenPrefix = "tk_"
+
+var ErrInvalidTokenFormat = errors.New("invalid token format")
+
+type Generator struct{}
+
+func NewGenerator() *Generator {
+	return &Generator{}
+}
+
+func (Generator) Generate() (raw, hash string, err error) {
+	buf := make([]byte, 32)
+	if _, err := rand.Read(buf); err != nil {
+		return "", "", err
+	}
+	raw = tokenPrefix + base64.RawURLEncoding.EncodeToString(buf)
+	hash = HashToken(raw)
+	return raw, hash, nil
+}
+
+func HashToken(raw string) string {
+	sum := sha256.Sum256([]byte(raw))
+	return hex.EncodeToString(sum[:])
+}
+
+func ValidateFormat(raw string) error {
+	if !strings.HasPrefix(raw, tokenPrefix) {
+		return ErrInvalidTokenFormat
+	}
+	if len(raw) < len(tokenPrefix)+20 {
+		return ErrInvalidTokenFormat
+	}
+	return nil
+}

internal/auth/token_test.go

@@ -0,0 +1,48 @@
+package auth
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestGenerate_ProducesDistinctTokens(t *testing.T) {
+	g := NewGenerator()
+	seen := make(map[string]struct{})
+	for i := 0; i < 100; i++ {
+		raw, hash, err := g.Generate()
+		if err != nil {
+			t.Fatalf("generate: %v", err)
+		}
+		if !strings.HasPrefix(raw, "tk_") {
+			t.Errorf("expected tk_ prefix, got %q", raw)
+		}
+		if len(hash) != 64 {
+			t.Errorf("expected 64-char hex hash, got %d", len(hash))
+		}
+		if _, dup := seen[raw]; dup {
+			t.Fatal("duplicate token generated")
+		}
+		seen[raw] = struct{}{}
+	}
+}
+
+func TestHashToken_Stable(t *testing.T) {
+	if HashToken("tk_abc") != HashToken("tk_abc") {
+		t.Fatal("expected deterministic hash")
+	}
+	if HashToken("tk_abc") == HashToken("tk_xyz") {
+		t.Fatal("expected distinct hashes for distinct inputs")
+	}
+}
+
+func TestValidateFormat(t *testing.T) {
+	if err := ValidateFormat("tk_" + strings.Repeat("a", 40)); err != nil {
+		t.Errorf("expected valid, got %v", err)
+	}
+	if err := ValidateFormat("not-a-token"); err == nil {
+		t.Error("expected error for missing prefix")
+	}
+	if err := ValidateFormat("tk_short"); err == nil {
+		t.Error("expected error for too-short token")
+	}
+}