feat(tier2): calendar integration — Block B

After confirming attendance (or revisiting an already-attending RSVP),
guests can add the event to Google, Outlook, Apple, or any iCalendar
client with one click.

- internal/calendar package builds an RFC 5545 VCALENDAR plus the three
  provider deep-links from a narrow Event projection. Times are emitted
  as Z-suffixed UTC; the UID is deterministic (event-uuid@guestguard)
  so re-downloads update the same calendar entry instead of duplicating
- GET /access/{token}/calendar.ics returns the .ics with a slugified
  filename in Content-Disposition; same rate-limit class as /access
- GET /access/{token} response now embeds google/outlook/yahoo/ics URLs
  so the frontend doesn't re-encode per provider
- AddToCalendar.vue renders the four buttons; shown only when the
  guest is attending (declined/maybe don't need a calendar entry)
- Unit tests cover ics field presence, RFC 5545 escaping (comma,
  semicolon), CRLF line endings, explicit-end handling, omitted
  optionals, provider URL shape, filename slugification
- Integration: ics download returns valid VCALENDAR with the event
  UID + name; unknown token returns 404; /access embeds the links

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/api/server.go

@@ -305,6 +305,11 @@ func (s *Server) Handler() http.Handler {
 	// of their source IP.
 	mux.Handle("GET /access/{token}",
 		rl("access", 60, time.Hour, pathKey("token"), http.HandlerFunc(s.tokens.access)))
+	// Block B: .ics download. Same rate-limit class as /access since the
+	// payload is similarly cheap and the abuse profile is identical (one
+	// token per attacker).
+	mux.Handle("GET /access/{token}/calendar.ics",
+		rl("calendar_ics", 60, time.Hour, pathKey("token"), http.HandlerFunc(s.tokens.calendar)))
 	mux.Handle("POST /rsvp/{token}",
 		rl("rsvp", 10, time.Hour, pathKey("token"), http.HandlerFunc(s.rsvps.submit)))
 	// Block A: edits are bounded by MaxRSVPEdits server-side. The redis