feat(tier2): event branding + UX polish — Block D

Backend
- Migration 0010 adds event_branding (one row per event; all fields
  nullable so a brand-new event renders with defaults)
- BrandingRepo with COALESCE/NULLIF upsert semantics: nil pointer
  preserves the existing value, "" clears the field to NULL
- internal/uploads package: ImageStore interface + LocalFSStore (dev),
  pure-stdlib decode + re-encode that strips EXIF and rejects anything
  that isn't valid JPEG/PNG. Size cap 2 MB, random 16-byte filenames
- GET /events/{id}/branding (viewer+) returns the row plus the
  AllowedFonts list so the frontend picker stays in sync
- PUT /events/{id}/branding (editor+) validates hex colours, font
  allowlist, and refuses image URLs whose path doesn't start with
  /uploads/ (blocks arbitrary-origin <img> smuggling on guest pages)
- POST /uploads/image (authed) → fresh CDN URL; GET /uploads/{file}
  serves with year-long cache (immutable random names)
- GET /access/{token} now embeds the host's branding so the RSVP page
  can render in their colours/font with their logo + cover
- docker-compose mounts a named volume for uploads
- Custom-domain sub-block deferred to Tier 3 per the plan

Frontend
- BrandingCard.vue: colour pickers, font dropdown, logo + cover upload
  with progressive disclosure, live preview pane that re-renders on
  every keystroke
- RSVP page applies branding via CSS vars at the section root, so
  primary colour theme + font cascade through every child card. Cover
  image renders as a banner above the form; logo lands in the header
- Submit button background switches to var(--brand-primary) when set
- Mounted on the event detail page below the guests block

Plus the small UX fixes from the e2e walkthrough:
- Nav: dropped the top-level "Events" link; the logo doubles as the
  home affordance (→ /dashboard when signed in, → / otherwise). Account
  + Billing + Sign out live under a profile dropdown (avatar with
  initials, opens on click, closes on outside-click / Esc / route nav)
- Renamed "Back to dashboard" → "Back to events" across event detail,
  billing, account, and new-event pages

Tests
- TestBrandingGetReturnsDefaults / TestBrandingPutPersists /
  TestBrandingPutRejectsBadInputs / TestUploadAndServeImage /
  TestUploadRejectsNonImage — all pass
- Domain tests for IsValidHexColor + IsAllowedFont
- Full integration suite green (176s)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/storage/branding.go

@@ -0,0 +1,118 @@
+package storage
+
+import (
+	"context"
+	"errors"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+
+	"github.com/alchemistkay/guestguard/internal/domain"
+)
+
+// BrandingRepo holds the per-event customisation row. Updates are upserts —
+// a host's first PATCH to the branding endpoint inserts the row, subsequent
+// PATCHes update only the fields the host sent. Tier 2 Block D.
+type BrandingRepo struct {
+	pool *pgxpool.Pool
+}
+
+func NewBrandingRepo(db *DB) *BrandingRepo {
+	return &BrandingRepo{pool: db.Pool}
+}
+
+// Get returns the branding row for `eventID`, or ErrBrandingNotFound when
+// the event has no customisation yet. The caller should render the default
+// theme in that case — a missing row isn't an error condition.
+func (r *BrandingRepo) Get(ctx context.Context, eventID uuid.UUID) (*domain.Branding, error) {
+	const q = `
+        SELECT event_id, primary_color, accent_color, logo_url,
+               cover_image_url, font_family, greeting_message, updated_at
+        FROM event_branding WHERE event_id = $1
+    `
+	var b domain.Branding
+	err := r.pool.QueryRow(ctx, q, eventID).Scan(
+		&b.EventID, &b.PrimaryColor, &b.AccentColor, &b.LogoURL,
+		&b.CoverImageURL, &b.FontFamily, &b.GreetingMessage, &b.UpdatedAt,
+	)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, domain.ErrBrandingNotFound
+		}
+		return nil, err
+	}
+	return &b, nil
+}
+
+// UpsertParams holds the patchable fields. Nil pointers leave the existing
+// value untouched on update; empty strings clear the column to NULL (so
+// hosts can revert to defaults without deleting the whole row).
+type UpsertBrandingParams struct {
+	EventID         uuid.UUID
+	PrimaryColor    *string
+	AccentColor     *string
+	LogoURL         *string
+	CoverImageURL   *string
+	FontFamily      *string
+	GreetingMessage *string
+}
+
+// Upsert inserts or partially updates the branding row. The COALESCE +
+// NULLIF idiom in the UPDATE branch means a nil pointer maps to NULL in
+// SQL and is coalesced away (= keep existing), while an empty string is
+// kept as-is and stored as NULL (= clear). That lets the API support both
+// "no change" and "reset to default" cleanly.
+func (r *BrandingRepo) Upsert(ctx context.Context, p UpsertBrandingParams) (*domain.Branding, error) {
+	const q = `
+        INSERT INTO event_branding (
+            event_id, primary_color, accent_color, logo_url,
+            cover_image_url, font_family, greeting_message, updated_at
+        )
+        VALUES (
+            $1, NULLIF($2, ''), NULLIF($3, ''), NULLIF($4, ''),
+            NULLIF($5, ''), NULLIF($6, ''), NULLIF($7, ''), now()
+        )
+        ON CONFLICT (event_id) DO UPDATE SET
+            primary_color    = COALESCE($2, event_branding.primary_color),
+            accent_color     = COALESCE($3, event_branding.accent_color),
+            logo_url         = COALESCE($4, event_branding.logo_url),
+            cover_image_url  = COALESCE($5, event_branding.cover_image_url),
+            font_family      = COALESCE($6, event_branding.font_family),
+            greeting_message = COALESCE($7, event_branding.greeting_message),
+            updated_at       = now()
+        RETURNING event_id, primary_color, accent_color, logo_url,
+                  cover_image_url, font_family, greeting_message, updated_at
+    `
+	// Convert "" → NULL handling: we pass the same *string into both
+	// COALESCE (the keep-existing path) and NULLIF (the reset path). The
+	// caller passes nil to mean "leave alone" — we surface that as NULL
+	// pgx side which COALESCE swallows.
+	var b domain.Branding
+	err := r.pool.QueryRow(ctx, q,
+		p.EventID,
+		nilOrPtr(p.PrimaryColor),
+		nilOrPtr(p.AccentColor),
+		nilOrPtr(p.LogoURL),
+		nilOrPtr(p.CoverImageURL),
+		nilOrPtr(p.FontFamily),
+		nilOrPtr(p.GreetingMessage),
+	).Scan(
+		&b.EventID, &b.PrimaryColor, &b.AccentColor, &b.LogoURL,
+		&b.CoverImageURL, &b.FontFamily, &b.GreetingMessage, &b.UpdatedAt,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &b, nil
+}
+
+// nilOrPtr passes nil through as nil (pgx → NULL); otherwise unwraps the
+// string so we get a TEXT param instead of pgx receiving a *string and
+// double-wrapping it.
+func nilOrPtr(s *string) any {
+	if s == nil {
+		return nil
+	}
+	return *s
+}

internal/storage/collaborators.go

@@ -195,6 +195,33 @@ func assertNotLastOwner(ctx context.Context, tx pgx.Tx, eventID uuid.UUID) error
 	return nil
 }
 
+// RolesForUser returns a map of event_id → role for every event the user
+// has any accepted role on. Used by GET /events so the dashboard can
+// split "your events" from "shared with you" without making N queries
+// (one per event card).
+func (r *CollaboratorRepo) RolesForUser(ctx context.Context, userID uuid.UUID) (map[uuid.UUID]domain.Role, error) {
+	rows, err := r.pool.Query(ctx, `
+        SELECT event_id, role FROM event_collaborators
+        WHERE user_id = $1 AND accepted_at IS NOT NULL
+    `, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	out := map[uuid.UUID]domain.Role{}
+	for rows.Next() {
+		var (
+			id   uuid.UUID
+			role domain.Role
+		)
+		if err := rows.Scan(&id, &role); err != nil {
+			return nil, err
+		}
+		out[id] = role
+	}
+	return out, rows.Err()
+}
+
 // ListEventIDsForUser returns the set of event IDs the user has any accepted
 // role on. Used by GET /events to widen the dashboard list beyond just
 // `events.host_id = userID`.
@@ -341,6 +368,121 @@ func (r *CollaboratorRepo) AcceptInvite(
 	return tx.Commit(ctx)
 }
 
+// PendingInviteForUser is one pending invitation in a user's inbox-style
+// list: their own dashboard's "you've been invited" banner. We surface the
+// event name + inviter name here so the frontend renders one card per
+// invite without N follow-up lookups.
+type PendingInviteForUser struct {
+	EventID     uuid.UUID `json:"event_id"`
+	EventName   string    `json:"event_name"`
+	Role        domain.Role `json:"role"`
+	InvitedBy   uuid.UUID `json:"invited_by"`
+	InviterName string    `json:"inviter_name"`
+	ExpiresAt   time.Time `json:"expires_at"`
+	CreatedAt   time.Time `json:"created_at"`
+}
+
+// ListPendingForEmail returns every unconsumed, non-expired invite addressed
+// to `email`. The most recent invite per (email, event) wins — older
+// duplicates are squashed so the user sees one card per event even if the
+// owner re-sent the invitation. Drives the dashboard banner that lets a
+// just-signed-in user accept without re-clicking the email link.
+func (r *InviteRepo) ListPendingForEmail(ctx context.Context, email string) ([]PendingInviteForUser, error) {
+	email = strings.ToLower(strings.TrimSpace(email))
+	rows, err := r.pool.Query(ctx, `
+        SELECT DISTINCT ON (ci.event_id)
+               ci.event_id, e.name, ci.role, ci.invited_by,
+               COALESCE(u.name, '') AS inviter_name,
+               ci.expires_at, ci.created_at
+        FROM collaborator_invites ci
+        JOIN events e ON e.id = ci.event_id
+        LEFT JOIN users u ON u.id = ci.invited_by
+        WHERE lower(ci.email) = $1
+          AND ci.consumed_at IS NULL
+          AND ci.expires_at > now()
+        ORDER BY ci.event_id, ci.created_at DESC
+    `, email)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	out := []PendingInviteForUser{}
+	for rows.Next() {
+		var p PendingInviteForUser
+		if err := rows.Scan(
+			&p.EventID, &p.EventName, &p.Role, &p.InvitedBy,
+			&p.InviterName, &p.ExpiresAt, &p.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		out = append(out, p)
+	}
+	return out, rows.Err()
+}
+
+// AcceptByEventAndEmail finds the latest pending invite for (email, eventID)
+// and atomically consumes it + inserts the collaborator row. Used by the
+// dashboard "Accept" button — the user authenticates with their session,
+// and we match by email so the cross-tab signup flow doesn't need the raw
+// token. Returns ErrInviteNotFound when no matching invite is pending.
+func (r *CollaboratorRepo) AcceptByEventAndEmail(
+	ctx context.Context,
+	eventID uuid.UUID,
+	email string,
+	userID uuid.UUID,
+) (domain.Role, error) {
+	email = strings.ToLower(strings.TrimSpace(email))
+	tx, err := r.pool.Begin(ctx)
+	if err != nil {
+		return "", err
+	}
+	defer tx.Rollback(ctx)
+
+	// Lock the latest matching invite so two concurrent accepts can't
+	// both consume the same row.
+	var (
+		tokenHash string
+		role      domain.Role
+		invitedBy uuid.UUID
+	)
+	err = tx.QueryRow(ctx, `
+        SELECT token_hash, role, invited_by
+        FROM collaborator_invites
+        WHERE event_id = $1
+          AND lower(email) = $2
+          AND consumed_at IS NULL
+          AND expires_at > now()
+        ORDER BY created_at DESC
+        LIMIT 1
+        FOR UPDATE
+    `, eventID, email).Scan(&tokenHash, &role, &invitedBy)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return "", domain.ErrInviteNotFound
+		}
+		return "", err
+	}
+
+	if _, err := tx.Exec(ctx, `
+        UPDATE collaborator_invites
+        SET consumed_at = now()
+        WHERE token_hash = $1
+    `, tokenHash); err != nil {
+		return "", err
+	}
+	if _, err := tx.Exec(ctx, `
+        INSERT INTO event_collaborators (event_id, user_id, role, invited_by, invited_at, accepted_at)
+        VALUES ($1, $2, $3, $4, now(), now())
+        ON CONFLICT (event_id, user_id) DO NOTHING
+    `, eventID, userID, role, invitedBy); err != nil {
+		return "", err
+	}
+	if err := tx.Commit(ctx); err != nil {
+		return "", err
+	}
+	return role, nil
+}
+
 // ListPendingForEvent returns invitations the host hasn't seen accepted yet,
 // shown alongside accepted collaborators on the Team tab.
 func (r *InviteRepo) ListPendingForEvent(ctx context.Context, eventID uuid.UUID) ([]domain.CollaboratorInvite, error) {

internal/storage/migrations/0010_branding.down.sql

@@ -0,0 +1 @@
+DROP TABLE IF EXISTS event_branding;

internal/storage/migrations/0010_branding.up.sql

@@ -0,0 +1,17 @@
+-- Tier 2 Block D — event branding.
+--
+-- Per-event customisation of the RSVP page and outbound emails. The
+-- custom-domain sub-block was deferred to Tier 3 (the application surface
+-- is small but ingress + automatic TLS provisioning isn't — see
+-- TIER2_PLAN.md open question #1).
+
+CREATE TABLE IF NOT EXISTS event_branding (
+    event_id         UUID PRIMARY KEY REFERENCES events(id) ON DELETE CASCADE,
+    primary_color    TEXT,
+    accent_color     TEXT,
+    logo_url         TEXT,
+    cover_image_url  TEXT,
+    font_family      TEXT,
+    greeting_message TEXT,
+    updated_at       TIMESTAMPTZ NOT NULL DEFAULT now()
+);