alchemistkay/guestguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(tier2): finish the finish line — Block H follow-ups, Block G geolocation, cross-cutting

Browse Source 
Three threads of work land here together to close out Tier 2.

### Block H follow-ups — day-of check-in
- Scanner is now an "open on your phone" magic-link flow. Hosts on
  desktop mint a scoped JWT via POST /events/{id}/scanner-ticket and
  render its URL into a QR; phone scans it and lands on /scanner with
  the ticket as bearer. The ticket carries Audience=scanner so it can
  never substitute for a session token.
- Plus-one confirmation at the door: scan → POST /check-in/preview to
  fetch guest + expected party size → confirm buttons ("Just them",
  "Party of N", custom) → POST /check-in. No more silent arrival_count=1.
- Offline scan queue: failed POSTs go into an IndexedDB store and drain
  on the 'online' event with poison-message protection.
- Day-of arrivals headline widget on the event overview, gated to the
  host's local calendar date so it doesn't dominate the page weeks out.
- Tab nav restyled with inline heroicons + scrollable segmented control;
  Check-in moves to the rightmost slot.
- PWA: manifest + service worker scoped to /scanner, generated 192/512
  icons (Go scripted renderer in scripts/gen-scanner-icons.go).
- Confirmation email QR was rendering broken because html/template
  rewrites data: URLs to #ZgotmplZ; mark the value as template.URL.
- Email "open your invitation" link 404'd because we had no token to
  put after /rsvp/. Threaded AccessLink through the RSVPConfirmed NATS
  event from the API at submit time.

### Block G remainder — geolocation + threshold preview
- Pluggable GeoResolver in the fraud engine (NullResolver, IPApiResolver
  for the free ip-api.com fallback, MaxMindResolver behind GG_GEOIP_DB_PATH).
  Wrapped in a Redis cache (30d TTL). Geo flows through both gRPC and
  NATS scoring paths.
- geo_jump scoring feature: >500km in <1h flags ("accessed from Lagos
  and Paris within 12 minutes"); >500km in <6h is a softer signal. The
  existing single-signal cap keeps a lone geo_jump in MEDIUM.
- FraudScored event carries geo_country/city/lat/lon; ApplyScore uses
  COALESCE so a later re-score without geo doesn't wipe earlier data.
- Threshold-slider live preview: GET /events/{id}/security/thresholds/preview
  returns band counts the host's existing access events would have
  fallen into under the proposed thresholds. Debounced (250ms) widget
  under the Advanced sliders so the host gets concrete feedback instead
  of guessing.

### Cross-cutting — audit, tier-gating, feature flags
- audit_log table + internal/audit.Recorder (async fire-and-forget on
  detached context so an audit blip never fails the real action). Wired
  into branding update, thresholds update, allowlist add/remove,
  collaborator invite/role-change/remove, message create/send-now/cancel.
- Tier-gating: extended billing.Limits with MaxCollaborators,
  CustomBranding, Scanner, Broadcasts. Free = none; Pro = 5 + all;
  Business = unlimited. Gates the scanner-ticket, message create,
  branding put, and collaborator invite endpoints with 402 +
  structured upgrade payload. Auto-reminders, fraud detection, and
  analytics deliberately stay on every tier — those are safety + visibility
  features, not upsell levers.
- Feature flags: feature_flags table + internal/flags.Store with 30s
  in-memory refresh, stable sha256(key + user_id) percent bucketing,
  unknown-key-defaults-on. Six Tier 2 flags pre-seeded. Three handlers
  (branding, broadcasts, scanner) check the kill switch ahead of the
  tier gate so ops can pull a feature back without a redeploy.

### Verified
- go test ./... + fraud-engine pytest (12/12 incl. 3 new geo_jump tests + 5
  new flags tests).
- docker compose build + up across api, fraud-engine, notifier, frontend.
- /health endpoints 200; migrations 0014 + 0015 applied; 6 flags
  seeded; audit_log table + partial indexes confirmed.
- Fraud-engine logs confirm geo resolver kind=CachedGeoResolver provider=auto.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Kwaku Danso
2026-05-21 20:30:02 +01:00
parent 003a320690
commit 98678ff5a3
49 changed files with 3798 additions and 238 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/storage/migrations/0014_audit_log.down.sql
+3
View File
@@ -0,0 +1,3 @@
DROP INDEX IF EXISTS idx_audit_user;
DROP INDEX IF EXISTS idx_audit_event;
DROP TABLE IF EXISTS audit_log;
internal/storage/migrations/0014_audit_log.up.sql
+27
View File
@@ -0,0 +1,27 @@
-- Tier 2 cross-cutting: audit log.
--
-- Every meaningful host-facing write (collaborator change, branding
-- update, threshold tweak, allowlist edit, message send/cancel)
-- records a row here. The shape is deliberately generic so a future
-- Audit tab can render a per-event timeline without per-action joins.
CREATE TABLE audit_log (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id UUID REFERENCES users(id) ON DELETE SET NULL,
event_id UUID REFERENCES events(id) ON DELETE CASCADE,
action TEXT NOT NULL, -- e.g. "branding.update"
entity_type TEXT, -- "event" | "guest" | "message" …
target_id UUID, -- what was acted on (nullable)
metadata JSONB NOT NULL DEFAULT '{}'::jsonb, -- per-action context
request_id TEXT, -- threading / correlation
created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
-- The two query shapes we'll need: "show me the trail on this event"
-- (Audit tab, host-side timeline) and "what did this user touch lately"
-- (support / compliance lookups). Partial index on event_id keeps the
-- footprint small since not every audit row carries one.
CREATE INDEX idx_audit_event ON audit_log (event_id, created_at DESC)
WHERE event_id IS NOT NULL;
CREATE INDEX idx_audit_user ON audit_log (user_id, created_at DESC)
WHERE user_id IS NOT NULL;
internal/storage/migrations/0015_feature_flags.down.sql
+1
View File
@@ -0,0 +1 @@
DROP TABLE IF EXISTS feature_flags;
internal/storage/migrations/0015_feature_flags.up.sql
+34
View File
@@ -0,0 +1,34 @@
-- Tier 2 cross-cutting: feature flags.
--
-- Lets ops kill a misbehaving block without a redeploy + supports
-- percentage rollouts ("turn checkin_pwa on for 25% of users while we
-- watch the error rate"). Flag values are loaded on every check —
-- they're tiny, and we want to be able to flip a switch and see the
-- next request honour it without restart.
--
-- The default state of any unknown flag is "enabled" so the table
-- only needs rows for the explicit kills + rollouts. This is the
-- right safe default for code that gates a NEW feature: the
-- developer wires the gate, ships, the feature is live; ops can
-- write a row to take it back later without redeploy.
CREATE TABLE feature_flags (
key TEXT PRIMARY KEY,
enabled BOOLEAN NOT NULL DEFAULT TRUE,
percent_rollout SMALLINT NOT NULL DEFAULT 100
CHECK (percent_rollout >= 0 AND percent_rollout <= 100),
note TEXT,
updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
-- Pre-seed the Tier 2 flags so an operator can flip them without
-- having to remember the canonical key.
INSERT INTO feature_flags (key, enabled, percent_rollout, note) VALUES
('editable_rsvp', TRUE, 100, 'Tier 2 Block A — guests can edit their RSVP via PATCH /rsvp.'),
('checkin_pwa', TRUE, 100, 'Tier 2 Block H — day-of scanner + magic-link ticket.'),
('smarter_fraud', TRUE, 100, 'Tier 2 Block G — per-event thresholds, allowlists, feedback.'),
('geo_jump', TRUE, 100, 'Tier 2 Block G — geo_jump scoring feature on top of GeoIP.'),
('broadcasts', TRUE, 100, 'Tier 2 Block F — custom broadcasts on top of auto-reminders.'),
('custom_branding', TRUE, 100, 'Tier 2 Block D — per-event logo / cover / colour overrides.')
ON CONFLICT (key) DO NOTHING;