feat: ship Tier 1 — auth, authz, rate limits, real notifications, CSV import, billing, backups/DR, privacy

Closes every block in docs/TIER1_PLAN.md from the Claude-scope side. The homelab / cloud setup steps (SES verification, restore drill, lawyer- drafted ToS) remain operator-owned but are unblocked. Block A — Authentication - Migration 0003: password_hash, email_verified, email_verification_tokens, password_reset_tokens, refresh_tokens (with replaced_by family chain). - Bcrypt hasher, HS256 JWT signer, single-use refresh tokens with rotation + replay-detection (revokes the family on reuse). - /auth/signup, /login, /refresh, /logout, /verify-email, /forgot-password, /reset-password — enumeration-safe. - requireAuth middleware + GET /me. - Frontend useAuth/useApi with auto-refresh-on-401, login/signup/verify/ forgot/reset pages, route-guard middleware. Block B — Authorisation - EventRepo.GetForHost; Update/Delete scoped by host_id. - All host routes behind requireAuth + ownership; cross-tenant returns 404 (no enumeration). ?host_id removed. - WS auth via short-lived single-use tickets (POST /auth/ws-ticket). - Tests: TestCrossTenantIsolation — 9 probes. Block C — Rate limiting - Redis sliding-window via Lua (atomic ZADD+ZCARD+PEXPIRE). - Per-route limits matching the plan (signup IP, login IP+email, RSVP/ access by token, events/guests/tokens by user_id). - 429 with Retry-After header and JSON body. - Auth lockout: 5 failed logins → account locked, only password reset clears it. - Frontend: useErrMessage normalises 429 + locked messaging. Block D — Real notifications - Migration 0004: provider_message_id, bounce_type, complained columns + unsubscribes (CITEXT) suppression table. - Branded HTML + plaintext templates for verification, reset, invitation, confirmation, reminder. Per-page templates avoid html/template's contextual-escape collisions. - Senders: SESv2, Twilio (SMS), SMTP (Mailpit-friendly), Resend HTTP. - PickEmailSender priority Resend > SMTP > SES > Log — system boots cleanly in dev with Mailpit; production flips one env var. - Webhook endpoints (Twilio status + SES SNS) — bounces add to suppression; signature verification stubbed pending creds. - Auto-send: POST /tokens publishes invitation.send; notifier renders + delivers via the configured backend; suppression list honoured. - Bulk + per-row invitation flow: POST /events/{id}/guests/invitations/bulk returns per-guest tokens so phone-only guests can be SMS'd manually. - Unsubscribe: signed HMAC token (no TTL) + /unsubscribe/[token] page. - WhatsApp Option A+: wa.me click-to-chat wizard with per-guest progress tracking, isLikelyE164 validation, edit-from-wizard. - Token rotate (POST /tokens/rotate) invalidates the old URL — used by the regenerate-link flow. - Mailpit added to docker-compose for dev inbox. Block E — CSV import - Streaming parser: tolerant header detection, UTF-8 BOM + UTF-16 LE/BE decoding, row-level validation, 5,000-row cap. - Strict E.164 phone validation with helpful error message. - POST /preview + /import + GET /template; preview UI on event page; atomic per-batch with dedup on existing emails. Phone capture across UI - PhoneInput component: country picker (~50 ISO codes) + national input + live E.164 preview + inline length validation. - Used in Add Guest and Edit Guest modals. Smart paste-handling extracts country code from full E.164 strings. Block F — Billing (Stripe) - Migration 0005: subscriptions table (user_id → tier/status/period_end + Stripe customer/sub ids). Partial unique index keeps one granting sub per user. - internal/billing: Tier + Limits model (Free 1/50, Pro 10/1000, Business ∞/5000), Stripe SDK wrapper with IgnoreAPIVersionMismatch for newer account API versions. - /billing/checkout-session, /billing/portal, /billing/status, /webhooks/stripe (signature-verified, lifecycle events). - Tier enforcement: 402 on POST /events, /guests, /import with {error, reason, tier, used, limit, upgrade_url} body. - Frontend: useBilling composable, /dashboard/billing page (current plan, usage bars, tier cards), global UpgradeModal triggered by useApi's 402 interceptor. - Customer portal kept for self-service cancel/payment-method changes. Block G — Backups & DR (application side) - Every migration has a tested .down.sql. - TestMigrationRoundtrip applies all ups → all downs → all ups against a fresh container; catches asymmetric down migrations. - cmd/restore-verify: 28-check post-restore invariant tool (schema presence, no orphans across 10 FK relationships, email uniqueness, single-active subscription, row-count snapshot). - docs/RUNBOOK_RESTORE.md: 9-step restore procedure with RTO/RPO targets, drill instructions, rollback path. Block H — Privacy compliance (application side) - Migration 0006: deleted_at + terms_accepted_at + privacy_policy_accepted_at on users. Partial index on email for live-only uniqueness. - GET /me/data-export — synchronous JSON dump (user, events, guests, tokens, rsvps, access_logs, notifications). - DELETE /me — soft-delete with PII scrub + refresh-token revocation; re-signup with same email works. - POST /me/accept-terms — idempotent consent recording. - Frontend /privacy + /terms placeholder pages with substantive (pending legal review) copy; footer links; signup terms checkbox; TermsGateModal for accounts created before the rollout; export + delete buttons on /dashboard/billing. Tests - All migrations verified up/down/up. - Integration suite: TestE2EHappyPath, TestAuthFlow, TestCrossTenantIsolation, TestRateLimitSignup, TestLoginLockout, TestUnsubscribeFlow, TestSESBounceWebhook, TestTwilioStatusWebhook, TestCsvImportFlow, TestCsvImportAtomicRollback, TestBulkIssueInvitations, TestBulkIssueExplicitSubset, TestTokenIssuePublishesInvitation, TestTokenIssueWithoutGuestEmailSkipsInvitation, TestGuestUpdate, TestGuestDelete, TestTokenRotate, TestSMTPSenderAgainstMailpit, TestFreeTierEventLimit, TestFreeTierGuestLimit, TestBusinessTierBypassesLimits, TestDataExport, TestDeleteMe, TestAcceptTerms, TestMigrationRoundtrip. Full suite runs in ~120s against real Postgres + NATS + Redis + Mailpit. - Unit suite green across internal/auth, internal/csvimport, internal/notification, internal/ratelimit, internal/domain. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 23:54:22 +01:00
parent a0ed34f860
commit 59b8781659
124 changed files with 13702 additions and 445 deletions
@@ -0,0 +1,36 @@
+{{define "base"}}<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>{{.Subject}}</title>
+</head>
+<body style="margin:0;padding:0;background:#f7f7f8;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,Helvetica,Arial,sans-serif;color:#0f172a;">
+  <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background:#f7f7f8;padding:32px 16px;">
+    <tr><td align="center">
+      <table role="presentation" width="560" cellpadding="0" cellspacing="0" style="background:#ffffff;border-radius:12px;overflow:hidden;box-shadow:0 1px 2px rgba(15,23,42,0.05);">
+        <tr>
+          <td style="background:#0a0a0a;padding:20px 28px;">
+            <span style="display:inline-block;width:10px;height:10px;background:#22c55e;border-radius:50%;vertical-align:middle;"></span>
+            <span style="color:#fafafa;font-weight:600;font-size:16px;margin-left:8px;vertical-align:middle;">GuestGuard</span>
+          </td>
+        </tr>
+        <tr>
+          <td style="padding:32px 28px 24px;font-size:15px;line-height:1.55;color:#0f172a;">
+            {{block "body" .}}{{end}}
+          </td>
+        </tr>
+        <tr>
+          <td style="padding:0 28px 28px;">
+            <hr style="border:none;border-top:1px solid #e5e7eb;margin:0 0 16px;">
+            <p style="font-size:12px;color:#64748b;margin:0;">
+              You're receiving this because of activity on your GuestGuard account.
+              {{if .UnsubscribeLink}}<br>If you'd rather not get emails like this, <a href="{{.UnsubscribeLink}}" style="color:#16a34a;">unsubscribe here</a>.{{end}}
+            </p>
+          </td>
+        </tr>
+      </table>
+    </td></tr>
+  </table>
+</body>
+</html>{{end}}
@@ -0,0 +1,11 @@
+{{define "body"}}
+<h1 style="font-size:20px;margin:0 0 12px;">RSVP received</h1>
+<p style="margin:0 0 16px;">Hi {{.GuestName}},</p>
+<p style="margin:0 0 16px;">Thanks for letting {{.HostName}} know — your RSVP for <strong>{{.EventName}}</strong> is confirmed as <strong>{{.Response}}</strong>{{if gt .PlusOnes 0}} with {{.PlusOnes}} plus-one{{if ne .PlusOnes 1}}s{{end}}{{end}}.</p>
+{{if or .Venue .EventDate}}
+<p style="margin:0 0 16px;color:#64748b;font-size:14px;">
+  {{if .Venue}}{{.Venue}}{{end}}{{if and .Venue .EventDate}} · {{end}}{{if .EventDate}}{{.EventDate}}{{end}}
+</p>
+{{end}}
+<p style="margin:24px 0 0;font-size:13px;color:#64748b;">You'll get a reminder closer to the date. If your plans change, use the same invitation link to update your reply.</p>
+{{end}}
@@ -0,0 +1,10 @@
+Hi {{.GuestName}},
+
+Your RSVP for "{{.EventName}}" is confirmed as {{.Response}}{{if gt .PlusOnes 0}} (+{{.PlusOnes}}){{end}}.
+
+{{if .Venue}}{{.Venue}}{{end}}{{if and .Venue .EventDate}} · {{end}}{{if .EventDate}}{{.EventDate}}{{end}}
+
+You'll get a reminder closer to the date. If your plans change, use the
+same invitation link to update your reply.
+
+— GuestGuard
@@ -0,0 +1,15 @@
+{{define "body"}}
+<p style="font-size:13px;letter-spacing:0.2em;text-transform:uppercase;color:#16a34a;margin:0 0 16px;">✦ You're invited</p>
+<h1 style="font-size:24px;margin:0 0 4px;color:#0a0a0a;">{{.EventName}}</h1>
+{{if or .Venue .EventDate}}
+<p style="margin:0 0 24px;color:#64748b;font-size:14px;">
+  {{if .Venue}}{{.Venue}}{{end}}{{if and .Venue .EventDate}} · {{end}}{{if .EventDate}}{{.EventDate}}{{end}}
+</p>
+{{end}}
+<p style="margin:0 0 20px;">Hi {{.GuestName}}, {{.HostName}} would love to know if you can make it. Use the personal link below to RSVP.</p>
+<p style="margin:0 0 24px;text-align:center;">
+  <a href="{{.Link}}" style="background:#22c55e;color:#0a0a0a;padding:12px 22px;border-radius:8px;font-weight:600;text-decoration:none;display:inline-block;">RSVP now</a>
+</p>
+<p style="margin:0 0 8px;color:#64748b;font-size:13px;">Or paste this URL into your browser:</p>
+<p style="margin:0;word-break:break-all;font-size:12px;color:#0f172a;">{{.Link}}</p>
+{{end}}
@@ -0,0 +1,11 @@
+You're invited — {{.EventName}}
+
+Hi {{.GuestName}},
+
+{{.HostName}} would love to know if you can make it{{if .EventDate}} on {{.EventDate}}{{end}}{{if .Venue}}, at {{.Venue}}{{end}}.
+
+RSVP here:
+
+    {{.Link}}
+
+— GuestGuard
@@ -0,0 +1,7 @@
+{{define "body"}}
+<h1 style="font-size:20px;margin:0 0 12px;">Reminder: {{.EventName}}</h1>
+<p style="margin:0 0 16px;">Hi {{.GuestName}},</p>
+<p style="margin:0 0 16px;">Just a quick reminder that <strong>{{.EventName}}</strong> is coming up{{if .EventDate}} on {{.EventDate}}{{end}}{{if .Venue}}, at {{.Venue}}{{end}}.</p>
+{{if .Response}}<p style="margin:0 0 16px;">You're down as <strong>{{.Response}}</strong>{{if gt .PlusOnes 0}} with {{.PlusOnes}} plus-one{{if ne .PlusOnes 1}}s{{end}}{{end}}.</p>{{end}}
+<p style="margin:24px 0 0;font-size:13px;color:#64748b;">Need to change your plans? Use your invitation link.</p>
+{{end}}
@@ -0,0 +1,7 @@
+Hi {{.GuestName}},
+
+Reminder: {{.EventName}}{{if .EventDate}} — {{.EventDate}}{{end}}{{if .Venue}} at {{.Venue}}{{end}}.
+
+{{if .Response}}You're down as {{.Response}}{{if gt .PlusOnes 0}} (+{{.PlusOnes}}){{end}}.{{end}}
+
+— GuestGuard
@@ -0,0 +1,11 @@
+{{define "body"}}
+<h1 style="font-size:20px;margin:0 0 12px;">Reset your password</h1>
+<p style="margin:0 0 16px;">Hi {{.Name}},</p>
+<p style="margin:0 0 20px;">We received a request to reset the password on your GuestGuard account. Tap the button to choose a new one — the link is valid for {{.ExpiryHumane}}.</p>
+<p style="margin:0 0 24px;text-align:center;">
+  <a href="{{.Link}}" style="background:#22c55e;color:#0a0a0a;padding:12px 22px;border-radius:8px;font-weight:600;text-decoration:none;display:inline-block;">Choose a new password</a>
+</p>
+<p style="margin:0 0 8px;color:#64748b;font-size:13px;">Or paste this URL into your browser:</p>
+<p style="margin:0;word-break:break-all;font-size:12px;color:#0f172a;">{{.Link}}</p>
+<p style="margin:24px 0 0;font-size:13px;color:#64748b;">If you didn't ask to reset your password, you can ignore this email — your current password is unchanged.</p>
+{{end}}
@@ -0,0 +1,11 @@
+Hi {{.Name}},
+
+We received a request to reset your GuestGuard password. The link is valid
+for {{.ExpiryHumane}}:
+
+    {{.Link}}
+
+If you didn't ask to reset your password, you can ignore this email — your
+current password is unchanged.
+
+— GuestGuard
@@ -0,0 +1,11 @@
+{{define "body"}}
+<h1 style="font-size:20px;margin:0 0 12px;">Verify your email</h1>
+<p style="margin:0 0 16px;">Hi {{.Name}}, welcome to GuestGuard.</p>
+<p style="margin:0 0 20px;">To finish setting up your account, please confirm this is your email address.</p>
+<p style="margin:0 0 24px;text-align:center;">
+  <a href="{{.Link}}" style="background:#22c55e;color:#0a0a0a;padding:12px 22px;border-radius:8px;font-weight:600;text-decoration:none;display:inline-block;">Verify email</a>
+</p>
+<p style="margin:0 0 8px;color:#64748b;font-size:13px;">Or paste this URL into your browser:</p>
+<p style="margin:0;word-break:break-all;font-size:12px;color:#0f172a;">{{.Link}}</p>
+<p style="margin:24px 0 0;font-size:13px;color:#64748b;">If you didn't sign up for GuestGuard, you can ignore this email.</p>
+{{end}}
@@ -0,0 +1,9 @@
+Hi {{.Name}}, welcome to GuestGuard.
+
+Please verify your email by visiting:
+
+    {{.Link}}
+
+If you didn't sign up for GuestGuard, you can ignore this email.
+
+— GuestGuard