feat(tier2): event branding + UX polish — Block D

Backend
- Migration 0010 adds event_branding (one row per event; all fields
  nullable so a brand-new event renders with defaults)
- BrandingRepo with COALESCE/NULLIF upsert semantics: nil pointer
  preserves the existing value, "" clears the field to NULL
- internal/uploads package: ImageStore interface + LocalFSStore (dev),
  pure-stdlib decode + re-encode that strips EXIF and rejects anything
  that isn't valid JPEG/PNG. Size cap 2 MB, random 16-byte filenames
- GET /events/{id}/branding (viewer+) returns the row plus the
  AllowedFonts list so the frontend picker stays in sync
- PUT /events/{id}/branding (editor+) validates hex colours, font
  allowlist, and refuses image URLs whose path doesn't start with
  /uploads/ (blocks arbitrary-origin <img> smuggling on guest pages)
- POST /uploads/image (authed) → fresh CDN URL; GET /uploads/{file}
  serves with year-long cache (immutable random names)
- GET /access/{token} now embeds the host's branding so the RSVP page
  can render in their colours/font with their logo + cover
- docker-compose mounts a named volume for uploads
- Custom-domain sub-block deferred to Tier 3 per the plan

Frontend
- BrandingCard.vue: colour pickers, font dropdown, logo + cover upload
  with progressive disclosure, live preview pane that re-renders on
  every keystroke
- RSVP page applies branding via CSS vars at the section root, so
  primary colour theme + font cascade through every child card. Cover
  image renders as a banner above the form; logo lands in the header
- Submit button background switches to var(--brand-primary) when set
- Mounted on the event detail page below the guests block

Plus the small UX fixes from the e2e walkthrough:
- Nav: dropped the top-level "Events" link; the logo doubles as the
  home affordance (→ /dashboard when signed in, → / otherwise). Account
  + Billing + Sign out live under a profile dropdown (avatar with
  initials, opens on click, closes on outside-click / Esc / route nav)
- Renamed "Back to dashboard" → "Back to events" across event detail,
  billing, account, and new-event pages

Tests
- TestBrandingGetReturnsDefaults / TestBrandingPutPersists /
  TestBrandingPutRejectsBadInputs / TestUploadAndServeImage /
  TestUploadRejectsNonImage — all pass
- Domain tests for IsValidHexColor + IsAllowedFont
- Full integration suite green (176s)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/storage/collaborators.go

@@ -195,6 +195,33 @@ func assertNotLastOwner(ctx context.Context, tx pgx.Tx, eventID uuid.UUID) error
 	return nil
 }
 
+// RolesForUser returns a map of event_id → role for every event the user
+// has any accepted role on. Used by GET /events so the dashboard can
+// split "your events" from "shared with you" without making N queries
+// (one per event card).
+func (r *CollaboratorRepo) RolesForUser(ctx context.Context, userID uuid.UUID) (map[uuid.UUID]domain.Role, error) {
+	rows, err := r.pool.Query(ctx, `
+        SELECT event_id, role FROM event_collaborators
+        WHERE user_id = $1 AND accepted_at IS NOT NULL
+    `, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	out := map[uuid.UUID]domain.Role{}
+	for rows.Next() {
+		var (
+			id   uuid.UUID
+			role domain.Role
+		)
+		if err := rows.Scan(&id, &role); err != nil {
+			return nil, err
+		}
+		out[id] = role
+	}
+	return out, rows.Err()
+}
+
 // ListEventIDsForUser returns the set of event IDs the user has any accepted
 // role on. Used by GET /events to widen the dashboard list beyond just
 // `events.host_id = userID`.
@@ -341,6 +368,121 @@ func (r *CollaboratorRepo) AcceptInvite(
 	return tx.Commit(ctx)
 }
 
+// PendingInviteForUser is one pending invitation in a user's inbox-style
+// list: their own dashboard's "you've been invited" banner. We surface the
+// event name + inviter name here so the frontend renders one card per
+// invite without N follow-up lookups.
+type PendingInviteForUser struct {
+	EventID     uuid.UUID `json:"event_id"`
+	EventName   string    `json:"event_name"`
+	Role        domain.Role `json:"role"`
+	InvitedBy   uuid.UUID `json:"invited_by"`
+	InviterName string    `json:"inviter_name"`
+	ExpiresAt   time.Time `json:"expires_at"`
+	CreatedAt   time.Time `json:"created_at"`
+}
+
+// ListPendingForEmail returns every unconsumed, non-expired invite addressed
+// to `email`. The most recent invite per (email, event) wins — older
+// duplicates are squashed so the user sees one card per event even if the
+// owner re-sent the invitation. Drives the dashboard banner that lets a
+// just-signed-in user accept without re-clicking the email link.
+func (r *InviteRepo) ListPendingForEmail(ctx context.Context, email string) ([]PendingInviteForUser, error) {
+	email = strings.ToLower(strings.TrimSpace(email))
+	rows, err := r.pool.Query(ctx, `
+        SELECT DISTINCT ON (ci.event_id)
+               ci.event_id, e.name, ci.role, ci.invited_by,
+               COALESCE(u.name, '') AS inviter_name,
+               ci.expires_at, ci.created_at
+        FROM collaborator_invites ci
+        JOIN events e ON e.id = ci.event_id
+        LEFT JOIN users u ON u.id = ci.invited_by
+        WHERE lower(ci.email) = $1
+          AND ci.consumed_at IS NULL
+          AND ci.expires_at > now()
+        ORDER BY ci.event_id, ci.created_at DESC
+    `, email)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	out := []PendingInviteForUser{}
+	for rows.Next() {
+		var p PendingInviteForUser
+		if err := rows.Scan(
+			&p.EventID, &p.EventName, &p.Role, &p.InvitedBy,
+			&p.InviterName, &p.ExpiresAt, &p.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		out = append(out, p)
+	}
+	return out, rows.Err()
+}
+
+// AcceptByEventAndEmail finds the latest pending invite for (email, eventID)
+// and atomically consumes it + inserts the collaborator row. Used by the
+// dashboard "Accept" button — the user authenticates with their session,
+// and we match by email so the cross-tab signup flow doesn't need the raw
+// token. Returns ErrInviteNotFound when no matching invite is pending.
+func (r *CollaboratorRepo) AcceptByEventAndEmail(
+	ctx context.Context,
+	eventID uuid.UUID,
+	email string,
+	userID uuid.UUID,
+) (domain.Role, error) {
+	email = strings.ToLower(strings.TrimSpace(email))
+	tx, err := r.pool.Begin(ctx)
+	if err != nil {
+		return "", err
+	}
+	defer tx.Rollback(ctx)
+
+	// Lock the latest matching invite so two concurrent accepts can't
+	// both consume the same row.
+	var (
+		tokenHash string
+		role      domain.Role
+		invitedBy uuid.UUID
+	)
+	err = tx.QueryRow(ctx, `
+        SELECT token_hash, role, invited_by
+        FROM collaborator_invites
+        WHERE event_id = $1
+          AND lower(email) = $2
+          AND consumed_at IS NULL
+          AND expires_at > now()
+        ORDER BY created_at DESC
+        LIMIT 1
+        FOR UPDATE
+    `, eventID, email).Scan(&tokenHash, &role, &invitedBy)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return "", domain.ErrInviteNotFound
+		}
+		return "", err
+	}
+
+	if _, err := tx.Exec(ctx, `
+        UPDATE collaborator_invites
+        SET consumed_at = now()
+        WHERE token_hash = $1
+    `, tokenHash); err != nil {
+		return "", err
+	}
+	if _, err := tx.Exec(ctx, `
+        INSERT INTO event_collaborators (event_id, user_id, role, invited_by, invited_at, accepted_at)
+        VALUES ($1, $2, $3, $4, now(), now())
+        ON CONFLICT (event_id, user_id) DO NOTHING
+    `, eventID, userID, role, invitedBy); err != nil {
+		return "", err
+	}
+	if err := tx.Commit(ctx); err != nil {
+		return "", err
+	}
+	return role, nil
+}
+
 // ListPendingForEvent returns invitations the host hasn't seen accepted yet,
 // shown alongside accepted collaborators on the Team tab.
 func (r *InviteRepo) ListPendingForEvent(ctx context.Context, eventID uuid.UUID) ([]domain.CollaboratorInvite, error) {