feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/natspub/subscriber.go

@@ -0,0 +1,72 @@
+package natspub
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/nats-io/nats.go/jetstream"
+)
+
+type FraudScoredHandler func(ctx context.Context, evt FraudScored) error
+
+type FraudScoredSubscriber struct {
+	logger   *slog.Logger
+	consumer jetstream.Consumer
+	handler  FraudScoredHandler
+}
+
+func NewFraudScoredSubscriber(
+	ctx context.Context,
+	c *Client,
+	durable string,
+	handler FraudScoredHandler,
+	logger *slog.Logger,
+) (*FraudScoredSubscriber, error) {
+	cons, err := c.js.CreateOrUpdateConsumer(ctx, StreamName, jetstream.ConsumerConfig{
+		Durable:       durable,
+		Name:          durable,
+		FilterSubject: SubjectFraudScored,
+		AckPolicy:     jetstream.AckExplicitPolicy,
+		DeliverPolicy: jetstream.DeliverAllPolicy,
+		MaxDeliver:    5,
+		AckWait:       30 * time.Second,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("create consumer %s: %w", durable, err)
+	}
+
+	return &FraudScoredSubscriber{
+		logger:   logger,
+		consumer: cons,
+		handler:  handler,
+	}, nil
+}
+
+func (s *FraudScoredSubscriber) Start(ctx context.Context) (jetstream.ConsumeContext, error) {
+	cc, err := s.consumer.Consume(func(msg jetstream.Msg) {
+		var evt FraudScored
+		if err := json.Unmarshal(msg.Data(), &evt); err != nil {
+			s.logger.Error("decode fraud.scored", "err", err)
+			_ = msg.Term()
+			return
+		}
+
+		hctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+		defer cancel()
+
+		if err := s.handler(hctx, evt); err != nil {
+			s.logger.Error("handle fraud.scored",
+				"err", err, "guest_id", evt.GuestID, "score", evt.Score)
+			_ = msg.NakWithDelay(2 * time.Second)
+			return
+		}
+		_ = msg.Ack()
+	})
+	if err != nil {
+		return nil, fmt.Errorf("consume: %w", err)
+	}
+	return cc, nil
+}