guestguard

alchemistkay/guestguard

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kwaku Danso	b873012191	feat(tier2): smarter fraud detection — Block G Per-event fraud tuning. Hosts can now dial the medium / high / block boundaries, allowlist trusted networks, and feed verdicts back on flagged accesses — the seed corpus for a future ML model. Schema (migration 0011) - events.fraud_{medium,high,block}_threshold default 30/60/85 so existing events behave identically until a host changes them - access_logs.geo_{country,city,lat,lon} for future enrichment - fraud_feedback table — verdict ('legitimate' \| 'suspicious') + note, PK on access_log_id so re-mark is an upsert - event_allowlists table — (event_id, ip_cidr) primary key, inet column so containment checks use the native >>= operator (indexed lookup) Domain - FraudThresholds with Valid() + Band() helpers; Default trio echoed through GET responses so the frontend doesn't duplicate constants - ParseAllowlistCIDR accepts bare IPs (auto-widens to /32 or /128) and canonicalises the output (203.0.113.42 → 203.0.113.42/32) - Event.Thresholds() falls back to defaults if columns weren't populated yet, so the API never wedges every score into "low" Storage - AllowlistRepo: List / Add / Remove + Matches() — the latter pushes CIDR containment into Postgres rather than streaming rows back - FeedbackRepo: Record (upserts) + ListForEvent (joined through guests) - EventRepo.GetThresholds + UpdateThresholds, plus the threshold columns baked into scanEvent so every event load carries them - AccessLogRepo.BelongsToEvent — stops a hostile editor on event A from marking event B's access logs API - GET/PUT /events/{id}/security/thresholds (viewer/editor) - GET/POST/DELETE /events/{id}/security/allowlist - POST /events/{id}/access-logs/{log_id}/feedback (editor) - GET /events/{id}/security/feedback - RSVP scoring path: allowlist short-circuit fires before the fraud engine; the engine's score is then re-banded against the event's thresholds (engine.Risk becomes advisory — API is the source of truth for "what counts as block here") - CORS Allow-Methods already includes PUT (Block D fix) Fraud engine - Single-signal cap: it now takes ≥2 sub-scores of ≥70 to push the final into HIGH. Fixes the well-known "second visit with a slightly shifted fingerprint scores 60+" false positive - Engine band remains advisory; API re-bands using per-event thresholds before deciding to block Frontend - SecurityCard.vue: visual band ribbon (proportional to thresholds), three sliders with mutual clamping so dragging medium past high pushes high (not an invalid ordering), reset-to-defaults button, CIDR allowlist with inline add + per-row remove, verdict-history inbox. Toast feedback on save/add/remove - "Security" tab added to the event-detail tab nav (5th tab, right of Analytics) - Viewer role hides write affordances; server enforces too Tests - Domain: ThresholdsBand, ThresholdsValid, ParseAllowlistCIDR (bare IP widening + traversal/typo rejection), FraudFeedbackValid - Integration: thresholds round-trip + invalid ordering rejection, allowlist CRUD + duplicate 409 + invalid CIDR 400 + IP auto-widen, feedback record + upsert + cross-tenant 404 + invalid verdict 400, viewer can read / editor can write / outsider gets 404 - Full integration suite green (315.8s, all 36 top-level tests pass) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-19 21:33:57 +01:00
Kwaku Danso	e5b187c575	feat(tier2): event branding + UX polish — Block D Backend - Migration 0010 adds event_branding (one row per event; all fields nullable so a brand-new event renders with defaults) - BrandingRepo with COALESCE/NULLIF upsert semantics: nil pointer preserves the existing value, "" clears the field to NULL - internal/uploads package: ImageStore interface + LocalFSStore (dev), pure-stdlib decode + re-encode that strips EXIF and rejects anything that isn't valid JPEG/PNG. Size cap 2 MB, random 16-byte filenames - GET /events/{id}/branding (viewer+) returns the row plus the AllowedFonts list so the frontend picker stays in sync - PUT /events/{id}/branding (editor+) validates hex colours, font allowlist, and refuses image URLs whose path doesn't start with /uploads/ (blocks arbitrary-origin <img> smuggling on guest pages) - POST /uploads/image (authed) → fresh CDN URL; GET /uploads/{file} serves with year-long cache (immutable random names) - GET /access/{token} now embeds the host's branding so the RSVP page can render in their colours/font with their logo + cover - docker-compose mounts a named volume for uploads - Custom-domain sub-block deferred to Tier 3 per the plan Frontend - BrandingCard.vue: colour pickers, font dropdown, logo + cover upload with progressive disclosure, live preview pane that re-renders on every keystroke - RSVP page applies branding via CSS vars at the section root, so primary colour theme + font cascade through every child card. Cover image renders as a banner above the form; logo lands in the header - Submit button background switches to var(--brand-primary) when set - Mounted on the event detail page below the guests block Plus the small UX fixes from the e2e walkthrough: - Nav: dropped the top-level "Events" link; the logo doubles as the home affordance (→ /dashboard when signed in, → / otherwise). Account + Billing + Sign out live under a profile dropdown (avatar with initials, opens on click, closes on outside-click / Esc / route nav) - Renamed "Back to dashboard" → "Back to events" across event detail, billing, account, and new-event pages Tests - TestBrandingGetReturnsDefaults / TestBrandingPutPersists / TestBrandingPutRejectsBadInputs / TestUploadAndServeImage / TestUploadRejectsNonImage — all pass - Domain tests for IsValidHexColor + IsAllowedFont - Full integration suite green (176s) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-18 12:04:09 +01:00

Author

SHA1

Message

Date

Kwaku Danso

b873012191

feat(tier2): smarter fraud detection — Block G

Per-event fraud tuning. Hosts can now dial the medium / high / block
boundaries, allowlist trusted networks, and feed verdicts back on
flagged accesses — the seed corpus for a future ML model.

Schema (migration 0011)
- events.fraud_{medium,high,block}_threshold default 30/60/85 so
  existing events behave identically until a host changes them
- access_logs.geo_{country,city,lat,lon} for future enrichment
- fraud_feedback table — verdict ('legitimate' | 'suspicious') + note,
  PK on access_log_id so re-mark is an upsert
- event_allowlists table — (event_id, ip_cidr) primary key, inet column
  so containment checks use the native >>= operator (indexed lookup)

Domain
- FraudThresholds with Valid() + Band() helpers; Default trio echoed
  through GET responses so the frontend doesn't duplicate constants
- ParseAllowlistCIDR accepts bare IPs (auto-widens to /32 or /128) and
  canonicalises the output (203.0.113.42 → 203.0.113.42/32)
- Event.Thresholds() falls back to defaults if columns weren't
  populated yet, so the API never wedges every score into "low"

Storage
- AllowlistRepo: List / Add / Remove + Matches() — the latter pushes
  CIDR containment into Postgres rather than streaming rows back
- FeedbackRepo: Record (upserts) + ListForEvent (joined through guests)
- EventRepo.GetThresholds + UpdateThresholds, plus the threshold
  columns baked into scanEvent so every event load carries them
- AccessLogRepo.BelongsToEvent — stops a hostile editor on event A
  from marking event B's access logs

API
- GET/PUT /events/{id}/security/thresholds (viewer/editor)
- GET/POST/DELETE /events/{id}/security/allowlist
- POST /events/{id}/access-logs/{log_id}/feedback (editor)
- GET /events/{id}/security/feedback
- RSVP scoring path: allowlist short-circuit fires before the fraud
  engine; the engine's score is then re-banded against the event's
  thresholds (engine.Risk becomes advisory — API is the source of
  truth for "what counts as block here")
- CORS Allow-Methods already includes PUT (Block D fix)

Fraud engine
- Single-signal cap: it now takes ≥2 sub-scores of ≥70 to push the
  final into HIGH. Fixes the well-known "second visit with a slightly
  shifted fingerprint scores 60+" false positive
- Engine band remains advisory; API re-bands using per-event
  thresholds before deciding to block

Frontend
- SecurityCard.vue: visual band ribbon (proportional to thresholds),
  three sliders with mutual clamping so dragging medium past high
  pushes high (not an invalid ordering), reset-to-defaults button,
  CIDR allowlist with inline add + per-row remove, verdict-history
  inbox. Toast feedback on save/add/remove
- "Security" tab added to the event-detail tab nav (5th tab,
  right of Analytics)
- Viewer role hides write affordances; server enforces too

Tests
- Domain: ThresholdsBand, ThresholdsValid, ParseAllowlistCIDR (bare
  IP widening + traversal/typo rejection), FraudFeedbackValid
- Integration: thresholds round-trip + invalid ordering rejection,
  allowlist CRUD + duplicate 409 + invalid CIDR 400 + IP auto-widen,
  feedback record + upsert + cross-tenant 404 + invalid verdict 400,
  viewer can read / editor can write / outsider gets 404
- Full integration suite green (315.8s, all 36 top-level tests pass)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-19 21:33:57 +01:00

Kwaku Danso

e5b187c575

feat(tier2): event branding + UX polish — Block D

Backend
- Migration 0010 adds event_branding (one row per event; all fields
  nullable so a brand-new event renders with defaults)
- BrandingRepo with COALESCE/NULLIF upsert semantics: nil pointer
  preserves the existing value, "" clears the field to NULL
- internal/uploads package: ImageStore interface + LocalFSStore (dev),
  pure-stdlib decode + re-encode that strips EXIF and rejects anything
  that isn't valid JPEG/PNG. Size cap 2 MB, random 16-byte filenames
- GET /events/{id}/branding (viewer+) returns the row plus the
  AllowedFonts list so the frontend picker stays in sync
- PUT /events/{id}/branding (editor+) validates hex colours, font
  allowlist, and refuses image URLs whose path doesn't start with
  /uploads/ (blocks arbitrary-origin <img> smuggling on guest pages)
- POST /uploads/image (authed) → fresh CDN URL; GET /uploads/{file}
  serves with year-long cache (immutable random names)
- GET /access/{token} now embeds the host's branding so the RSVP page
  can render in their colours/font with their logo + cover
- docker-compose mounts a named volume for uploads
- Custom-domain sub-block deferred to Tier 3 per the plan

Frontend
- BrandingCard.vue: colour pickers, font dropdown, logo + cover upload
  with progressive disclosure, live preview pane that re-renders on
  every keystroke
- RSVP page applies branding via CSS vars at the section root, so
  primary colour theme + font cascade through every child card. Cover
  image renders as a banner above the form; logo lands in the header
- Submit button background switches to var(--brand-primary) when set
- Mounted on the event detail page below the guests block

Plus the small UX fixes from the e2e walkthrough:
- Nav: dropped the top-level "Events" link; the logo doubles as the
  home affordance (→ /dashboard when signed in, → / otherwise). Account
  + Billing + Sign out live under a profile dropdown (avatar with
  initials, opens on click, closes on outside-click / Esc / route nav)
- Renamed "Back to dashboard" → "Back to events" across event detail,
  billing, account, and new-event pages

Tests
- TestBrandingGetReturnsDefaults / TestBrandingPutPersists /
  TestBrandingPutRejectsBadInputs / TestUploadAndServeImage /
  TestUploadRejectsNonImage — all pass
- Domain tests for IsValidHexColor + IsAllowedFont
- Full integration suite green (176s)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-18 12:04:09 +01:00

2 Commits