feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/storage/tokens.go

@@ -0,0 +1,87 @@
+package storage
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgconn"
+	"github.com/jackc/pgx/v5/pgxpool"
+
+	"github.com/alchemistkay/guestguard/internal/domain"
+)
+
+type TokenRepo struct {
+	pool *pgxpool.Pool
+}
+
+func NewTokenRepo(db *DB) *TokenRepo {
+	return &TokenRepo{pool: db.Pool}
+}
+
+type CreateTokenParams struct {
+	GuestID   uuid.UUID
+	TokenHash string
+	ExpiresAt time.Time
+}
+
+func (r *TokenRepo) Create(ctx context.Context, p CreateTokenParams) (*domain.Token, error) {
+	const q = `
+        INSERT INTO tokens (guest_id, token_hash, expires_at, status)
+        VALUES ($1, $2, $3, 'active')
+        RETURNING id, guest_id, token_hash, expires_at, status, used_at, created_at
+    `
+	row := r.pool.QueryRow(ctx, q, p.GuestID, p.TokenHash, p.ExpiresAt)
+	tk, err := scanToken(row)
+	if err != nil {
+		var pgErr *pgconn.PgError
+		if errors.As(err, &pgErr) && pgErr.Code == "23505" {
+			return nil, errors.New("guest already has a token")
+		}
+		return nil, err
+	}
+	return tk, nil
+}
+
+func (r *TokenRepo) GetByHash(ctx context.Context, hash string) (*domain.Token, error) {
+	const q = `
+        SELECT id, guest_id, token_hash, expires_at, status, used_at, created_at
+        FROM tokens WHERE token_hash = $1
+    `
+	tk, err := scanToken(r.pool.QueryRow(ctx, q, hash))
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, domain.ErrTokenNotFound
+		}
+		return nil, err
+	}
+	return tk, nil
+}
+
+func (r *TokenRepo) MarkUsed(ctx context.Context, id uuid.UUID) error {
+	tag, err := r.pool.Exec(ctx, `
+        UPDATE tokens SET status = 'used', used_at = now()
+        WHERE id = $1 AND status = 'active'
+    `, id)
+	if err != nil {
+		return err
+	}
+	if tag.RowsAffected() == 0 {
+		return domain.ErrTokenNotFound
+	}
+	return nil
+}
+
+func scanToken(s rowScanner) (*domain.Token, error) {
+	var tk domain.Token
+	err := s.Scan(
+		&tk.ID, &tk.GuestID, &tk.TokenHash, &tk.ExpiresAt,
+		&tk.Status, &tk.UsedAt, &tk.CreatedAt,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &tk, nil
+}