feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go): - Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5 - HMAC-signed per-guest tokens with format validation - Health endpoint with DB ping, slog JSON logging, graceful shutdown Phase 2 — NATS + Fraud Engine: - NATS JetStream pub/sub with explicit-ack consumers - Python/FastAPI fraud engine with heuristic risk scoring (fingerprint mismatch, IP change, missing signals, repeated access) - gRPC sync scoring with 250ms fail-open timeout - Per-guest baseline tracking; risk bands low/medium/high/block Phase 3 — Notifications + Frontend: - Notification worker scaffolding (Twilio/SES stubs, retry/backoff) - Nuxt 3 frontend with Tailwind dark theme + brand green - Live monitor via WebSocket with auto-reconnect - Activity history endpoint backfills monitor with RSVPs + scored access checks (including blocked attempts) UX polish: - Marketing-friendly landing page (hero mockup, how-it-works, features, use cases, testimonials, FAQ, final CTA) - Animated layered card mockups on landing + new-event page - Plus-ones stepper, RSVP status badges, filter buttons - Friendly access-check labels (Verified/Review/Suspicious/Blocked) - Dashboard hydration fix via ClientOnly wrapper Infrastructure: - docker-compose for full local dev (postgres, nats, api, fraud-engine, notifier, frontend) - Multi-stage Dockerfiles, non-root UID 1000 - Integration tests with testcontainers-go Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 21:08:56 +01:00
parent f760fc3e21
commit 3f8bc58ca9
89 changed files with 22729 additions and 0 deletions
@@ -0,0 +1,119 @@
+package natspub
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/nats-io/nats.go"
+	"github.com/nats-io/nats.go/jetstream"
+)
+
+type Client struct {
+	conn   *nats.Conn
+	js     jetstream.JetStream
+	logger *slog.Logger
+}
+
+func Connect(ctx context.Context, url string, logger *slog.Logger) (*Client, error) {
+	conn, err := nats.Connect(url,
+		nats.Name("guestguard-api"),
+		nats.MaxReconnects(-1),
+		nats.ReconnectWait(2*time.Second),
+		nats.DisconnectErrHandler(func(_ *nats.Conn, err error) {
+			if err != nil {
+				logger.Warn("nats disconnected", "err", err)
+			}
+		}),
+		nats.ReconnectHandler(func(c *nats.Conn) {
+			logger.Info("nats reconnected", "url", c.ConnectedUrl())
+		}),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("connect nats: %w", err)
+	}
+
+	js, err := jetstream.New(conn)
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("jetstream: %w", err)
+	}
+
+	c := &Client{conn: conn, js: js, logger: logger}
+	if err := c.ensureStream(ctx); err != nil {
+		conn.Close()
+		return nil, err
+	}
+	return c, nil
+}
+
+func (c *Client) ensureStream(ctx context.Context) error {
+	cfg := jetstream.StreamConfig{
+		Name:      StreamName,
+		Subjects:  StreamSubjects(),
+		Retention: jetstream.LimitsPolicy,
+		Storage:   jetstream.FileStorage,
+		MaxAge:    14 * 24 * time.Hour,
+		Replicas:  1,
+	}
+
+	_, err := c.js.CreateOrUpdateStream(ctx, cfg)
+	if err != nil {
+		return fmt.Errorf("create stream %s: %w", StreamName, err)
+	}
+	return nil
+}
+
+func (c *Client) Close() {
+	if c.conn != nil {
+		c.conn.Drain() //nolint:errcheck
+	}
+}
+
+func (c *Client) JetStream() jetstream.JetStream {
+	return c.js
+}
+
+func (c *Client) PublishAccessAttempted(ctx context.Context, evt AccessAttempted) error {
+	if evt.OccurredAt.IsZero() {
+		evt.OccurredAt = time.Now().UTC()
+	}
+	return c.publishJSON(ctx, SubjectAccessAttempted, evt, evt.GuestID)
+}
+
+func (c *Client) PublishRSVPConfirmed(ctx context.Context, evt RSVPConfirmed) error {
+	if evt.SubmittedAt.IsZero() {
+		evt.SubmittedAt = time.Now().UTC()
+	}
+	return c.publishJSON(ctx, SubjectRSVPConfirmed, evt, evt.RSVPID)
+}
+
+func (c *Client) publishJSON(ctx context.Context, subject string, payload any, dedupeKey uuid.UUID) error {
+	body, err := json.Marshal(payload)
+	if err != nil {
+		return fmt.Errorf("marshal %s: %w", subject, err)
+	}
+
+	msg := &nats.Msg{Subject: subject, Data: body}
+	msg.Header = nats.Header{}
+	msg.Header.Set("Content-Type", "application/json")
+	if dedupeKey != uuid.Nil {
+		msg.Header.Set("Nats-Msg-Id", subject+":"+dedupeKey.String()+":"+time.Now().UTC().Format(time.RFC3339Nano))
+	}
+
+	pubCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
+	defer cancel()
+
+	_, err = c.js.PublishMsg(pubCtx, msg)
+	if err != nil {
+		if errors.Is(err, context.DeadlineExceeded) {
+			return fmt.Errorf("publish %s timed out: %w", subject, err)
+		}
+		return fmt.Errorf("publish %s: %w", subject, err)
+	}
+	return nil
+}
@@ -0,0 +1,40 @@
+package natspub
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type AccessAttempted struct {
+	EventID     uuid.UUID      `json:"event_id"`
+	GuestID     uuid.UUID      `json:"guest_id"`
+	TokenID     uuid.UUID      `json:"token_id"`
+	AccessLogID uuid.UUID      `json:"access_log_id"`
+	Fingerprint map[string]any `json:"fingerprint,omitempty"`
+	IPAddress   string         `json:"ip_address,omitempty"`
+	UserAgent   string         `json:"user_agent,omitempty"`
+	Referrer    string         `json:"referrer,omitempty"`
+	OccurredAt  time.Time      `json:"occurred_at"`
+}
+
+type FraudScored struct {
+	EventID     uuid.UUID `json:"event_id"`
+	GuestID     uuid.UUID `json:"guest_id"`
+	TokenID     uuid.UUID `json:"token_id"`
+	AccessLogID uuid.UUID `json:"access_log_id"`
+	Score       int       `json:"score"`
+	Risk        string    `json:"risk"`
+	Reasons     []string  `json:"reasons"`
+	ScoredAt    time.Time `json:"scored_at"`
+}
+
+type RSVPConfirmed struct {
+	EventID     uuid.UUID `json:"event_id"`
+	GuestID     uuid.UUID `json:"guest_id"`
+	RSVPID      uuid.UUID `json:"rsvp_id"`
+	Response    string    `json:"response"`
+	PlusOnes    int       `json:"plus_ones"`
+	RiskScore   *int      `json:"risk_score,omitempty"`
+	SubmittedAt time.Time `json:"submitted_at"`
+}
@@ -0,0 +1,64 @@
+package natspub
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/nats-io/nats.go/jetstream"
+)
+
+type RSVPConfirmedHandler func(ctx context.Context, evt RSVPConfirmed) error
+
+type RSVPConfirmedSubscriber struct {
+	logger   *slog.Logger
+	consumer jetstream.Consumer
+	handler  RSVPConfirmedHandler
+}
+
+func NewRSVPConfirmedSubscriber(
+	ctx context.Context,
+	c *Client,
+	durable string,
+	handler RSVPConfirmedHandler,
+	logger *slog.Logger,
+) (*RSVPConfirmedSubscriber, error) {
+	cons, err := c.js.CreateOrUpdateConsumer(ctx, StreamName, jetstream.ConsumerConfig{
+		Durable:       durable,
+		Name:          durable,
+		FilterSubject: SubjectRSVPConfirmed,
+		AckPolicy:     jetstream.AckExplicitPolicy,
+		DeliverPolicy: jetstream.DeliverAllPolicy,
+		MaxDeliver:    5,
+		AckWait:       30 * time.Second,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("create consumer %s: %w", durable, err)
+	}
+	return &RSVPConfirmedSubscriber{logger: logger, consumer: cons, handler: handler}, nil
+}
+
+func (s *RSVPConfirmedSubscriber) Start(ctx context.Context) (jetstream.ConsumeContext, error) {
+	cc, err := s.consumer.Consume(func(msg jetstream.Msg) {
+		var evt RSVPConfirmed
+		if err := json.Unmarshal(msg.Data(), &evt); err != nil {
+			s.logger.Error("decode rsvp.confirmed", "err", err)
+			_ = msg.Term()
+			return
+		}
+		hctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+		defer cancel()
+		if err := s.handler(hctx, evt); err != nil {
+			s.logger.Error("handle rsvp.confirmed", "err", err)
+			_ = msg.NakWithDelay(2 * time.Second)
+			return
+		}
+		_ = msg.Ack()
+	})
+	if err != nil {
+		return nil, fmt.Errorf("consume: %w", err)
+	}
+	return cc, nil
+}
@@ -0,0 +1,19 @@
+package natspub
+
+const (
+	StreamName = "GUESTGUARD"
+
+	SubjectAccessAttempted = "guest.access.attempted"
+	SubjectFraudScored     = "fraud.scored"
+	SubjectRSVPConfirmed   = "rsvp.confirmed"
+	SubjectInvitationSend  = "invitation.send"
+)
+
+func StreamSubjects() []string {
+	return []string{
+		"guest.>",
+		"fraud.>",
+		"rsvp.>",
+		"invitation.>",
+	}
+}
@@ -0,0 +1,72 @@
+package natspub
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/nats-io/nats.go/jetstream"
+)
+
+type FraudScoredHandler func(ctx context.Context, evt FraudScored) error
+
+type FraudScoredSubscriber struct {
+	logger   *slog.Logger
+	consumer jetstream.Consumer
+	handler  FraudScoredHandler
+}
+
+func NewFraudScoredSubscriber(
+	ctx context.Context,
+	c *Client,
+	durable string,
+	handler FraudScoredHandler,
+	logger *slog.Logger,
+) (*FraudScoredSubscriber, error) {
+	cons, err := c.js.CreateOrUpdateConsumer(ctx, StreamName, jetstream.ConsumerConfig{
+		Durable:       durable,
+		Name:          durable,
+		FilterSubject: SubjectFraudScored,
+		AckPolicy:     jetstream.AckExplicitPolicy,
+		DeliverPolicy: jetstream.DeliverAllPolicy,
+		MaxDeliver:    5,
+		AckWait:       30 * time.Second,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("create consumer %s: %w", durable, err)
+	}
+
+	return &FraudScoredSubscriber{
+		logger:   logger,
+		consumer: cons,
+		handler:  handler,
+	}, nil
+}
+
+func (s *FraudScoredSubscriber) Start(ctx context.Context) (jetstream.ConsumeContext, error) {
+	cc, err := s.consumer.Consume(func(msg jetstream.Msg) {
+		var evt FraudScored
+		if err := json.Unmarshal(msg.Data(), &evt); err != nil {
+			s.logger.Error("decode fraud.scored", "err", err)
+			_ = msg.Term()
+			return
+		}
+
+		hctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+		defer cancel()
+
+		if err := s.handler(hctx, evt); err != nil {
+			s.logger.Error("handle fraud.scored",
+				"err", err, "guest_id", evt.GuestID, "score", evt.Score)
+			_ = msg.NakWithDelay(2 * time.Second)
+			return
+		}
+		_ = msg.Ack()
+	})
+	if err != nil {
+		return nil, fmt.Errorf("consume: %w", err)
+	}
+	return cc, nil
+}