guestguard

Author	SHA1	Message	Date
Kwaku Danso	98678ff5a3	feat(tier2): finish the finish line — Block H follow-ups, Block G geolocation, cross-cutting Three threads of work land here together to close out Tier 2. ### Block H follow-ups — day-of check-in - Scanner is now an "open on your phone" magic-link flow. Hosts on desktop mint a scoped JWT via POST /events/{id}/scanner-ticket and render its URL into a QR; phone scans it and lands on /scanner with the ticket as bearer. The ticket carries Audience=scanner so it can never substitute for a session token. - Plus-one confirmation at the door: scan → POST /check-in/preview to fetch guest + expected party size → confirm buttons ("Just them", "Party of N", custom) → POST /check-in. No more silent arrival_count=1. - Offline scan queue: failed POSTs go into an IndexedDB store and drain on the 'online' event with poison-message protection. - Day-of arrivals headline widget on the event overview, gated to the host's local calendar date so it doesn't dominate the page weeks out. - Tab nav restyled with inline heroicons + scrollable segmented control; Check-in moves to the rightmost slot. - PWA: manifest + service worker scoped to /scanner, generated 192/512 icons (Go scripted renderer in scripts/gen-scanner-icons.go). - Confirmation email QR was rendering broken because html/template rewrites data: URLs to #ZgotmplZ; mark the value as template.URL. - Email "open your invitation" link 404'd because we had no token to put after /rsvp/. Threaded AccessLink through the RSVPConfirmed NATS event from the API at submit time. ### Block G remainder — geolocation + threshold preview - Pluggable GeoResolver in the fraud engine (NullResolver, IPApiResolver for the free ip-api.com fallback, MaxMindResolver behind GG_GEOIP_DB_PATH). Wrapped in a Redis cache (30d TTL). Geo flows through both gRPC and NATS scoring paths. - geo_jump scoring feature: >500km in <1h flags ("accessed from Lagos and Paris within 12 minutes"); >500km in <6h is a softer signal. The existing single-signal cap keeps a lone geo_jump in MEDIUM. - FraudScored event carries geo_country/city/lat/lon; ApplyScore uses COALESCE so a later re-score without geo doesn't wipe earlier data. - Threshold-slider live preview: GET /events/{id}/security/thresholds/preview returns band counts the host's existing access events would have fallen into under the proposed thresholds. Debounced (250ms) widget under the Advanced sliders so the host gets concrete feedback instead of guessing. ### Cross-cutting — audit, tier-gating, feature flags - audit_log table + internal/audit.Recorder (async fire-and-forget on detached context so an audit blip never fails the real action). Wired into branding update, thresholds update, allowlist add/remove, collaborator invite/role-change/remove, message create/send-now/cancel. - Tier-gating: extended billing.Limits with MaxCollaborators, CustomBranding, Scanner, Broadcasts. Free = none; Pro = 5 + all; Business = unlimited. Gates the scanner-ticket, message create, branding put, and collaborator invite endpoints with 402 + structured upgrade payload. Auto-reminders, fraud detection, and analytics deliberately stay on every tier — those are safety + visibility features, not upsell levers. - Feature flags: feature_flags table + internal/flags.Store with 30s in-memory refresh, stable sha256(key + user_id) percent bucketing, unknown-key-defaults-on. Six Tier 2 flags pre-seeded. Three handlers (branding, broadcasts, scanner) check the kill switch ahead of the tier gate so ops can pull a feature back without a redeploy. ### Verified - go test ./... + fraud-engine pytest (12/12 incl. 3 new geo_jump tests + 5 new flags tests). - docker compose build + up across api, fraud-engine, notifier, frontend. - /health endpoints 200; migrations 0014 + 0015 applied; 6 flags seeded; audit_log table + partial indexes confirmed. - Fraud-engine logs confirm geo resolver kind=CachedGeoResolver provider=auto. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-21 20:30:02 +01:00
Kwaku Danso	003a320690	feat(tier2): day-of check-in — Block H QR codes on RSVP confirmations, a phone-friendly door scanner, walk-in support, and a live arrivals widget that updates over WebSocket. Closes the final Tier 2 block. Schema (migration 0013) - check_ins (id, guest_id UNIQUE, checked_in_at, checked_in_by, arrival_count, notes, walk_in). UNIQUE on guest_id is the double-check-in guard at the DB layer; signature validation lives in the QR JWT. QR JWT - internal/auth/checkin_qr.go: CheckInQRSigner mints {event_id, guest_id, exp} payloads with the platform's existing HMAC secret. Issue() extends expiry to eventDate+24h so a QR minted weeks in advance still scans on the day. Parse() distinguishes ErrExpiredJWT from generic ErrInvalidJWT so the API can render a friendlier 410. - Unit tests cover round-trip, wrong-secret rejection, expiry detection, and short-secret refusal at construction time. Domain + storage - domain.CheckIn + CheckInSummary - storage.CheckInRepo: Record (returns ErrAlreadyCheckedIn on the unique violation), ListByEvent, Summary (arrived headcount, expected headcount, guests-checked-in count), GuestBelongsToEvent (belt-and-braces guard against a forged JWT pointing at a different event's guest). API - GET /access/{token} now embeds a check_in payload (raw JWT + a base64-encoded PNG via skip2/go-qrcode) for attending RSVPs, so the confirmation page can render the code straight into an <img>. - POST /events/{id}/check-in — editor+. Validates the QR JWT, refuses cross-event payloads (400), refuses expired ones (410), records the row, broadcasts check_in.recorded over the existing WS hub so the live dashboard updates. - POST /events/{id}/walk-ins — editor+. Creates the guest + check-in in one logical op for a door-add who wasn't on the original list. - GET /events/{id}/check-ins — viewer+. Returns the list and the summary together so the dashboard widget hydrates in one call. Frontend - New CheckInCard.vue: live arrivals widget ("47 of 60 · 78%" plus a progress bar), recent-arrivals list, Walk-in button, and a "Start scanning" button that opens a full-screen camera modal. jsQR loaded from CDN on first open (no bundler dep). Scan throttling + dedupe prevents the 30fps camera loop from POSTing N times per paper QR. Successful scan vibrates the phone. Duplicate (409) → "Already checked in" toast; expired (410) → "This code has expired"; foreign-event (400) → "doesn't look like one of your guests". - New "Check-in" tab on the event-detail page, between Communications and Branding. - RSVP confirmation card + revisit card both surface a "Save for the day" / "Your door code" QR block for attending guests. The PNG ships pre-rendered from the API so the frontend doesn't need its own QR library. - The submit flow now refetches /access after a successful POST so the QR appears immediately on first submit, not just on revisit. Tests - Backend unit tests for the QR signer (round-trip, wrong-secret, expired, short-secret rejection). - Integration: TestCheckInHappyPath (scan -> 200, double-scan -> 409, summary reflects arrival), TestCheckInRejectsForeignQR (event A's JWT can't be used on event B), TestWalkInCreatesGuest AndCheckIn (door-add creates both rows). - Full integration suite passes (188.3s, 41 tests / 80+ subtests). Tier 2 is complete: Blocks A through H all shipped. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 17:20:46 +01:00
Kwaku Danso	dbddf17e3b	fix(rsvp): defend the edit flow against forwarded invitation links When a guest submitted via their invitation and then forwarded the link (or someone copied the URL), the recipient was shown the original guest's response and a "Change my response" button. Two real problems: - Privacy leak: the original guest's reply was visible - Integrity: the recipient could silently overwrite the response The fix is two layered defences plus a recovery path, matching the industry pattern used by Eventbrite / Partiful / Lu.ma: Backend - GET /access/{token} now compares the device fingerprint of the current request to the fingerprint stored on the existing RSVP. When they don't match, the rsvp field is omitted from the response and a new rsvp_submitted_elsewhere flag is set instead. The original guest's reply stays private. - PATCH /rsvp/{token} runs the same gate before scoring. A foreign device gets 403 with a hint to request an edit link. - The fingerprint check is intentionally narrow (user_agent only), so a guest jumping between Wi-Fi and mobile data on the same phone still sails through. Recovery path - New POST /access/{token}/request-edit-link mints a short-lived edit nonce (Redis, 30-min TTL, SHA-256-hashed), then emails it to the guest's address on file via the existing EmailSender. Rate-limited to 3 per token per hour. - GET /access/{token}?edit=<nonce> and PATCH /rsvp with edit_nonce in the body both accept the nonce as a bypass for the same-device check. Lets the real guest edit from a new phone when their original device is gone. - New SendRSVPEditLink method on auth.EmailSender, implemented by every concrete sender (log stub / Resend / SMTP / SES), with a branded HTML+text template that explains the "we sent this because we didn't recognise the device" framing. Frontend - rsvp/[token].vue learns the new "responded elsewhere" state. Renders "This invitation has already been used" + a "Send me an edit link" CTA when the access response says we have somewhere to deliver it. Empty-state copy reads "If you forwarded the link, please ask the original guest to reach out to the host". - When the URL carries ?edit=<nonce>, the page passes it on the /access call (so the backend unhides the RSVP), opens the edit form pre-populated, and forwards the nonce on PATCH. - Removed two leftover leaks from earlier — the page no longer shows internal "Risk score N · band" to confirmed or blocked guests; the blocked-attempt copy now reads "Something about this attempt looked off" rather than "suspicious access attempt". Defensive nil-guard - The access handler's NATS publish goroutine now skips when deps.AccessPublisher is nil (matches the rsvp publisher's existing guard); without it the handler nil-panicked in tests that don't wire NATS. Tests - TestFingerprintsSimilar (unit) covers the same-UA / different-UA / missing-UA matrix. - TestForwardedInvitationLinkDefence (integration) walks the full flow: submit from UA-A, hide on UA-B, request link, follow nonce from UA-B and edit, then verify a UA-C with a forged nonce is still refused. - Full integration suite passes (183.5s). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 15:09:07 +01:00
Kwaku Danso	3629ab8c79	fix(tier2-g): rebrand Security → Gate with event-planner language The original Block G UI was correct but felt like a firewall config panel. The audience for GuestGuard is wedding couples, party hosts, and event planners — not network admins. Three concrete problems: 1. "Fraud detection" / "Risk score" frames every guest as a suspect. "Gate" is the metaphor every host already uses ("gate the guest list", "doorman"). It's the same idea, friendlier. 2. Three threshold sliders (0–100) are abstract. Hosts can't reason about "block at 85" without context. Replaced by four presets — Relaxed / Balanced / Strict / Very strict — each with a sentence that explains the kind of event it fits. The sliders survive under an Advanced disclosure for the rare power user. 3. CIDR notation is gibberish to a layperson. "Trusted networks" is what they're actually doing. A "Use my current network" button detects the host's apparent IP, widens IPv4 to /24 (typical home block), and pre-fills the form. Manual entry stays for cases where the host knows what they're doing. Plus two leaks fixed on the guest-facing RSVP page: removed the "Risk score 72 · high" line from both the confirmation and the blocked-attempt cards. Guests should never see internal scoring detail — the blocked message now reads "Something about this attempt looked off" instead of "suspicious access attempt". Backend - New GET /me/public-ip (authed) — echoes the caller's apparent IP so the frontend's auto-detect button doesn't need a third-party ipify call Frontend - New components/GateCard.vue with preset cards + advanced disclosure + trusted-networks UX with auto-detect - Removed components/SecurityCard.vue - Event tab nav: Security → Gate. Hash-link alias preserves any /events/<id>#security bookmarks - RSVP page: leaked risk-score lines removed; blocked-attempt message reworded for non-technical guests Internal storage / API names stay (FraudThresholds, fraud_v2, /security/* endpoints) — they're never user-visible and renaming them would be a breaking change for no end-user benefit. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-19 22:15:11 +01:00
Kwaku Danso	b873012191	feat(tier2): smarter fraud detection — Block G Per-event fraud tuning. Hosts can now dial the medium / high / block boundaries, allowlist trusted networks, and feed verdicts back on flagged accesses — the seed corpus for a future ML model. Schema (migration 0011) - events.fraud_{medium,high,block}_threshold default 30/60/85 so existing events behave identically until a host changes them - access_logs.geo_{country,city,lat,lon} for future enrichment - fraud_feedback table — verdict ('legitimate' \| 'suspicious') + note, PK on access_log_id so re-mark is an upsert - event_allowlists table — (event_id, ip_cidr) primary key, inet column so containment checks use the native >>= operator (indexed lookup) Domain - FraudThresholds with Valid() + Band() helpers; Default trio echoed through GET responses so the frontend doesn't duplicate constants - ParseAllowlistCIDR accepts bare IPs (auto-widens to /32 or /128) and canonicalises the output (203.0.113.42 → 203.0.113.42/32) - Event.Thresholds() falls back to defaults if columns weren't populated yet, so the API never wedges every score into "low" Storage - AllowlistRepo: List / Add / Remove + Matches() — the latter pushes CIDR containment into Postgres rather than streaming rows back - FeedbackRepo: Record (upserts) + ListForEvent (joined through guests) - EventRepo.GetThresholds + UpdateThresholds, plus the threshold columns baked into scanEvent so every event load carries them - AccessLogRepo.BelongsToEvent — stops a hostile editor on event A from marking event B's access logs API - GET/PUT /events/{id}/security/thresholds (viewer/editor) - GET/POST/DELETE /events/{id}/security/allowlist - POST /events/{id}/access-logs/{log_id}/feedback (editor) - GET /events/{id}/security/feedback - RSVP scoring path: allowlist short-circuit fires before the fraud engine; the engine's score is then re-banded against the event's thresholds (engine.Risk becomes advisory — API is the source of truth for "what counts as block here") - CORS Allow-Methods already includes PUT (Block D fix) Fraud engine - Single-signal cap: it now takes ≥2 sub-scores of ≥70 to push the final into HIGH. Fixes the well-known "second visit with a slightly shifted fingerprint scores 60+" false positive - Engine band remains advisory; API re-bands using per-event thresholds before deciding to block Frontend - SecurityCard.vue: visual band ribbon (proportional to thresholds), three sliders with mutual clamping so dragging medium past high pushes high (not an invalid ordering), reset-to-defaults button, CIDR allowlist with inline add + per-row remove, verdict-history inbox. Toast feedback on save/add/remove - "Security" tab added to the event-detail tab nav (5th tab, right of Analytics) - Viewer role hides write affordances; server enforces too Tests - Domain: ThresholdsBand, ThresholdsValid, ParseAllowlistCIDR (bare IP widening + traversal/typo rejection), FraudFeedbackValid - Integration: thresholds round-trip + invalid ordering rejection, allowlist CRUD + duplicate 409 + invalid CIDR 400 + IP auto-widen, feedback record + upsert + cross-tenant 404 + invalid verdict 400, viewer can read / editor can write / outsider gets 404 - Full integration suite green (315.8s, all 36 top-level tests pass) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-19 21:33:57 +01:00
Kwaku Danso	e5b187c575	feat(tier2): event branding + UX polish — Block D Backend - Migration 0010 adds event_branding (one row per event; all fields nullable so a brand-new event renders with defaults) - BrandingRepo with COALESCE/NULLIF upsert semantics: nil pointer preserves the existing value, "" clears the field to NULL - internal/uploads package: ImageStore interface + LocalFSStore (dev), pure-stdlib decode + re-encode that strips EXIF and rejects anything that isn't valid JPEG/PNG. Size cap 2 MB, random 16-byte filenames - GET /events/{id}/branding (viewer+) returns the row plus the AllowedFonts list so the frontend picker stays in sync - PUT /events/{id}/branding (editor+) validates hex colours, font allowlist, and refuses image URLs whose path doesn't start with /uploads/ (blocks arbitrary-origin <img> smuggling on guest pages) - POST /uploads/image (authed) → fresh CDN URL; GET /uploads/{file} serves with year-long cache (immutable random names) - GET /access/{token} now embeds the host's branding so the RSVP page can render in their colours/font with their logo + cover - docker-compose mounts a named volume for uploads - Custom-domain sub-block deferred to Tier 3 per the plan Frontend - BrandingCard.vue: colour pickers, font dropdown, logo + cover upload with progressive disclosure, live preview pane that re-renders on every keystroke - RSVP page applies branding via CSS vars at the section root, so primary colour theme + font cascade through every child card. Cover image renders as a banner above the form; logo lands in the header - Submit button background switches to var(--brand-primary) when set - Mounted on the event detail page below the guests block Plus the small UX fixes from the e2e walkthrough: - Nav: dropped the top-level "Events" link; the logo doubles as the home affordance (→ /dashboard when signed in, → / otherwise). Account + Billing + Sign out live under a profile dropdown (avatar with initials, opens on click, closes on outside-click / Esc / route nav) - Renamed "Back to dashboard" → "Back to events" across event detail, billing, account, and new-event pages Tests - TestBrandingGetReturnsDefaults / TestBrandingPutPersists / TestBrandingPutRejectsBadInputs / TestUploadAndServeImage / TestUploadRejectsNonImage — all pass - Domain tests for IsValidHexColor + IsAllowedFont - Full integration suite green (176s) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-18 12:04:09 +01:00
Kwaku Danso	6803d700b4	feat(tier2): calendar integration — Block B After confirming attendance (or revisiting an already-attending RSVP), guests can add the event to Google, Outlook, Apple, or any iCalendar client with one click. - internal/calendar package builds an RFC 5545 VCALENDAR plus the three provider deep-links from a narrow Event projection. Times are emitted as Z-suffixed UTC; the UID is deterministic (event-uuid@guestguard) so re-downloads update the same calendar entry instead of duplicating - GET /access/{token}/calendar.ics returns the .ics with a slugified filename in Content-Disposition; same rate-limit class as /access - GET /access/{token} response now embeds google/outlook/yahoo/ics URLs so the frontend doesn't re-encode per provider - AddToCalendar.vue renders the four buttons; shown only when the guest is attending (declined/maybe don't need a calendar entry) - Unit tests cover ics field presence, RFC 5545 escaping (comma, semicolon), CRLF line endings, explicit-end handling, omitted optionals, provider URL shape, filename slugification - Integration: ics download returns valid VCALENDAR with the event UID + name; unknown token returns 404; /access embeds the links Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 19:36:06 +01:00
Kwaku Danso	39533162bb	feat(tier2): editable RSVPs — Block A Guests can revisit their invitation link and change their response or plus-ones up to 5 times. Each prior state is snapshotted into `rsvp_revisions` and surfaced to the host via a per-guest history modal on the event detail page. - Migration 0007 adds rsvp_revisions + rsvps.edit_count (with down) - RSVPRepo.Update wraps snapshot+update+counter in one transaction, FOR UPDATE-locking the row so concurrent edits can't bypass the cap - PATCH /rsvp/{token} re-runs the fraud check on every edit attempt (different device on an edit is itself a signal) - POST /rsvp no longer marks the token used — the link stays valid so the guest can come back to edit - GET /access/{token} now embeds the existing RSVP so the frontend renders an edit form instead of a blank submit form on revisit - New host endpoint GET /events/{id}/guests/{guest_id}/rsvp/history - Frontend: rsvp/[token].vue toggles between summary + edit form, surfaces edits-remaining; dashboard adds a "History" action on responded guests opening a revision-trail modal Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 19:27:50 +01:00
Kwaku Danso	3f8bc58ca9	feat: build core API, fraud engine, notifier, and frontend Phase 1 — Core API (Go): - Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5 - HMAC-signed per-guest tokens with format validation - Health endpoint with DB ping, slog JSON logging, graceful shutdown Phase 2 — NATS + Fraud Engine: - NATS JetStream pub/sub with explicit-ack consumers - Python/FastAPI fraud engine with heuristic risk scoring (fingerprint mismatch, IP change, missing signals, repeated access) - gRPC sync scoring with 250ms fail-open timeout - Per-guest baseline tracking; risk bands low/medium/high/block Phase 3 — Notifications + Frontend: - Notification worker scaffolding (Twilio/SES stubs, retry/backoff) - Nuxt 3 frontend with Tailwind dark theme + brand green - Live monitor via WebSocket with auto-reconnect - Activity history endpoint backfills monitor with RSVPs + scored access checks (including blocked attempts) UX polish: - Marketing-friendly landing page (hero mockup, how-it-works, features, use cases, testimonials, FAQ, final CTA) - Animated layered card mockups on landing + new-event page - Plus-ones stepper, RSVP status badges, filter buttons - Friendly access-check labels (Verified/Review/Suspicious/Blocked) - Dashboard hydration fix via ClientOnly wrapper Infrastructure: - docker-compose for full local dev (postgres, nats, api, fraud-engine, notifier, frontend) - Multi-stage Dockerfiles, non-root UID 1000 - Integration tests with testcontainers-go Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 21:08:56 +01:00

9 Commits