guestguard

alchemistkay/guestguard

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kwaku Danso	98678ff5a3	feat(tier2): finish the finish line — Block H follow-ups, Block G geolocation, cross-cutting Three threads of work land here together to close out Tier 2. ### Block H follow-ups — day-of check-in - Scanner is now an "open on your phone" magic-link flow. Hosts on desktop mint a scoped JWT via POST /events/{id}/scanner-ticket and render its URL into a QR; phone scans it and lands on /scanner with the ticket as bearer. The ticket carries Audience=scanner so it can never substitute for a session token. - Plus-one confirmation at the door: scan → POST /check-in/preview to fetch guest + expected party size → confirm buttons ("Just them", "Party of N", custom) → POST /check-in. No more silent arrival_count=1. - Offline scan queue: failed POSTs go into an IndexedDB store and drain on the 'online' event with poison-message protection. - Day-of arrivals headline widget on the event overview, gated to the host's local calendar date so it doesn't dominate the page weeks out. - Tab nav restyled with inline heroicons + scrollable segmented control; Check-in moves to the rightmost slot. - PWA: manifest + service worker scoped to /scanner, generated 192/512 icons (Go scripted renderer in scripts/gen-scanner-icons.go). - Confirmation email QR was rendering broken because html/template rewrites data: URLs to #ZgotmplZ; mark the value as template.URL. - Email "open your invitation" link 404'd because we had no token to put after /rsvp/. Threaded AccessLink through the RSVPConfirmed NATS event from the API at submit time. ### Block G remainder — geolocation + threshold preview - Pluggable GeoResolver in the fraud engine (NullResolver, IPApiResolver for the free ip-api.com fallback, MaxMindResolver behind GG_GEOIP_DB_PATH). Wrapped in a Redis cache (30d TTL). Geo flows through both gRPC and NATS scoring paths. - geo_jump scoring feature: >500km in <1h flags ("accessed from Lagos and Paris within 12 minutes"); >500km in <6h is a softer signal. The existing single-signal cap keeps a lone geo_jump in MEDIUM. - FraudScored event carries geo_country/city/lat/lon; ApplyScore uses COALESCE so a later re-score without geo doesn't wipe earlier data. - Threshold-slider live preview: GET /events/{id}/security/thresholds/preview returns band counts the host's existing access events would have fallen into under the proposed thresholds. Debounced (250ms) widget under the Advanced sliders so the host gets concrete feedback instead of guessing. ### Cross-cutting — audit, tier-gating, feature flags - audit_log table + internal/audit.Recorder (async fire-and-forget on detached context so an audit blip never fails the real action). Wired into branding update, thresholds update, allowlist add/remove, collaborator invite/role-change/remove, message create/send-now/cancel. - Tier-gating: extended billing.Limits with MaxCollaborators, CustomBranding, Scanner, Broadcasts. Free = none; Pro = 5 + all; Business = unlimited. Gates the scanner-ticket, message create, branding put, and collaborator invite endpoints with 402 + structured upgrade payload. Auto-reminders, fraud detection, and analytics deliberately stay on every tier — those are safety + visibility features, not upsell levers. - Feature flags: feature_flags table + internal/flags.Store with 30s in-memory refresh, stable sha256(key + user_id) percent bucketing, unknown-key-defaults-on. Six Tier 2 flags pre-seeded. Three handlers (branding, broadcasts, scanner) check the kill switch ahead of the tier gate so ops can pull a feature back without a redeploy. ### Verified - go test ./... + fraud-engine pytest (12/12 incl. 3 new geo_jump tests + 5 new flags tests). - docker compose build + up across api, fraud-engine, notifier, frontend. - /health endpoints 200; migrations 0014 + 0015 applied; 6 flags seeded; audit_log table + partial indexes confirmed. - Fraud-engine logs confirm geo resolver kind=CachedGeoResolver provider=auto. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-21 20:30:02 +01:00
Kwaku Danso	59b8781659	feat: ship Tier 1 — auth, authz, rate limits, real notifications, CSV import, billing, backups/DR, privacy Closes every block in docs/TIER1_PLAN.md from the Claude-scope side. The homelab / cloud setup steps (SES verification, restore drill, lawyer- drafted ToS) remain operator-owned but are unblocked. Block A — Authentication - Migration 0003: password_hash, email_verified, email_verification_tokens, password_reset_tokens, refresh_tokens (with replaced_by family chain). - Bcrypt hasher, HS256 JWT signer, single-use refresh tokens with rotation + replay-detection (revokes the family on reuse). - /auth/signup, /login, /refresh, /logout, /verify-email, /forgot-password, /reset-password — enumeration-safe. - requireAuth middleware + GET /me. - Frontend useAuth/useApi with auto-refresh-on-401, login/signup/verify/ forgot/reset pages, route-guard middleware. Block B — Authorisation - EventRepo.GetForHost; Update/Delete scoped by host_id. - All host routes behind requireAuth + ownership; cross-tenant returns 404 (no enumeration). ?host_id removed. - WS auth via short-lived single-use tickets (POST /auth/ws-ticket). - Tests: TestCrossTenantIsolation — 9 probes. Block C — Rate limiting - Redis sliding-window via Lua (atomic ZADD+ZCARD+PEXPIRE). - Per-route limits matching the plan (signup IP, login IP+email, RSVP/ access by token, events/guests/tokens by user_id). - 429 with Retry-After header and JSON body. - Auth lockout: 5 failed logins → account locked, only password reset clears it. - Frontend: useErrMessage normalises 429 + locked messaging. Block D — Real notifications - Migration 0004: provider_message_id, bounce_type, complained columns + unsubscribes (CITEXT) suppression table. - Branded HTML + plaintext templates for verification, reset, invitation, confirmation, reminder. Per-page templates avoid html/template's contextual-escape collisions. - Senders: SESv2, Twilio (SMS), SMTP (Mailpit-friendly), Resend HTTP. - PickEmailSender priority Resend > SMTP > SES > Log — system boots cleanly in dev with Mailpit; production flips one env var. - Webhook endpoints (Twilio status + SES SNS) — bounces add to suppression; signature verification stubbed pending creds. - Auto-send: POST /tokens publishes invitation.send; notifier renders + delivers via the configured backend; suppression list honoured. - Bulk + per-row invitation flow: POST /events/{id}/guests/invitations/bulk returns per-guest tokens so phone-only guests can be SMS'd manually. - Unsubscribe: signed HMAC token (no TTL) + /unsubscribe/[token] page. - WhatsApp Option A+: wa.me click-to-chat wizard with per-guest progress tracking, isLikelyE164 validation, edit-from-wizard. - Token rotate (POST /tokens/rotate) invalidates the old URL — used by the regenerate-link flow. - Mailpit added to docker-compose for dev inbox. Block E — CSV import - Streaming parser: tolerant header detection, UTF-8 BOM + UTF-16 LE/BE decoding, row-level validation, 5,000-row cap. - Strict E.164 phone validation with helpful error message. - POST /preview + /import + GET /template; preview UI on event page; atomic per-batch with dedup on existing emails. Phone capture across UI - PhoneInput component: country picker (~50 ISO codes) + national input + live E.164 preview + inline length validation. - Used in Add Guest and Edit Guest modals. Smart paste-handling extracts country code from full E.164 strings. Block F — Billing (Stripe) - Migration 0005: subscriptions table (user_id → tier/status/period_end + Stripe customer/sub ids). Partial unique index keeps one granting sub per user. - internal/billing: Tier + Limits model (Free 1/50, Pro 10/1000, Business ∞/5000), Stripe SDK wrapper with IgnoreAPIVersionMismatch for newer account API versions. - /billing/checkout-session, /billing/portal, /billing/status, /webhooks/stripe (signature-verified, lifecycle events). - Tier enforcement: 402 on POST /events, /guests, /import with {error, reason, tier, used, limit, upgrade_url} body. - Frontend: useBilling composable, /dashboard/billing page (current plan, usage bars, tier cards), global UpgradeModal triggered by useApi's 402 interceptor. - Customer portal kept for self-service cancel/payment-method changes. Block G — Backups & DR (application side) - Every migration has a tested .down.sql. - TestMigrationRoundtrip applies all ups → all downs → all ups against a fresh container; catches asymmetric down migrations. - cmd/restore-verify: 28-check post-restore invariant tool (schema presence, no orphans across 10 FK relationships, email uniqueness, single-active subscription, row-count snapshot). - docs/RUNBOOK_RESTORE.md: 9-step restore procedure with RTO/RPO targets, drill instructions, rollback path. Block H — Privacy compliance (application side) - Migration 0006: deleted_at + terms_accepted_at + privacy_policy_accepted_at on users. Partial index on email for live-only uniqueness. - GET /me/data-export — synchronous JSON dump (user, events, guests, tokens, rsvps, access_logs, notifications). - DELETE /me — soft-delete with PII scrub + refresh-token revocation; re-signup with same email works. - POST /me/accept-terms — idempotent consent recording. - Frontend /privacy + /terms placeholder pages with substantive (pending legal review) copy; footer links; signup terms checkbox; TermsGateModal for accounts created before the rollout; export + delete buttons on /dashboard/billing. Tests - All migrations verified up/down/up. - Integration suite: TestE2EHappyPath, TestAuthFlow, TestCrossTenantIsolation, TestRateLimitSignup, TestLoginLockout, TestUnsubscribeFlow, TestSESBounceWebhook, TestTwilioStatusWebhook, TestCsvImportFlow, TestCsvImportAtomicRollback, TestBulkIssueInvitations, TestBulkIssueExplicitSubset, TestTokenIssuePublishesInvitation, TestTokenIssueWithoutGuestEmailSkipsInvitation, TestGuestUpdate, TestGuestDelete, TestTokenRotate, TestSMTPSenderAgainstMailpit, TestFreeTierEventLimit, TestFreeTierGuestLimit, TestBusinessTierBypassesLimits, TestDataExport, TestDeleteMe, TestAcceptTerms, TestMigrationRoundtrip. Full suite runs in ~120s against real Postgres + NATS + Redis + Mailpit. - Unit suite green across internal/auth, internal/csvimport, internal/notification, internal/ratelimit, internal/domain. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-16 23:54:22 +01:00

Author

SHA1

Message

Date

Kwaku Danso

98678ff5a3

feat(tier2): finish the finish line — Block H follow-ups, Block G geolocation, cross-cutting

Three threads of work land here together to close out Tier 2.

### Block H follow-ups — day-of check-in
- Scanner is now an "open on your phone" magic-link flow. Hosts on
  desktop mint a scoped JWT via POST /events/{id}/scanner-ticket and
  render its URL into a QR; phone scans it and lands on /scanner with
  the ticket as bearer. The ticket carries Audience=scanner so it can
  never substitute for a session token.
- Plus-one confirmation at the door: scan → POST /check-in/preview to
  fetch guest + expected party size → confirm buttons ("Just them",
  "Party of N", custom) → POST /check-in. No more silent arrival_count=1.
- Offline scan queue: failed POSTs go into an IndexedDB store and drain
  on the 'online' event with poison-message protection.
- Day-of arrivals headline widget on the event overview, gated to the
  host's local calendar date so it doesn't dominate the page weeks out.
- Tab nav restyled with inline heroicons + scrollable segmented control;
  Check-in moves to the rightmost slot.
- PWA: manifest + service worker scoped to /scanner, generated 192/512
  icons (Go scripted renderer in scripts/gen-scanner-icons.go).
- Confirmation email QR was rendering broken because html/template
  rewrites data: URLs to #ZgotmplZ; mark the value as template.URL.
- Email "open your invitation" link 404'd because we had no token to
  put after /rsvp/. Threaded AccessLink through the RSVPConfirmed NATS
  event from the API at submit time.

### Block G remainder — geolocation + threshold preview
- Pluggable GeoResolver in the fraud engine (NullResolver, IPApiResolver
  for the free ip-api.com fallback, MaxMindResolver behind GG_GEOIP_DB_PATH).
  Wrapped in a Redis cache (30d TTL). Geo flows through both gRPC and
  NATS scoring paths.
- geo_jump scoring feature: >500km in <1h flags ("accessed from Lagos
  and Paris within 12 minutes"); >500km in <6h is a softer signal. The
  existing single-signal cap keeps a lone geo_jump in MEDIUM.
- FraudScored event carries geo_country/city/lat/lon; ApplyScore uses
  COALESCE so a later re-score without geo doesn't wipe earlier data.
- Threshold-slider live preview: GET /events/{id}/security/thresholds/preview
  returns band counts the host's existing access events would have
  fallen into under the proposed thresholds. Debounced (250ms) widget
  under the Advanced sliders so the host gets concrete feedback instead
  of guessing.

### Cross-cutting — audit, tier-gating, feature flags
- audit_log table + internal/audit.Recorder (async fire-and-forget on
  detached context so an audit blip never fails the real action). Wired
  into branding update, thresholds update, allowlist add/remove,
  collaborator invite/role-change/remove, message create/send-now/cancel.
- Tier-gating: extended billing.Limits with MaxCollaborators,
  CustomBranding, Scanner, Broadcasts. Free = none; Pro = 5 + all;
  Business = unlimited. Gates the scanner-ticket, message create,
  branding put, and collaborator invite endpoints with 402 +
  structured upgrade payload. Auto-reminders, fraud detection, and
  analytics deliberately stay on every tier — those are safety + visibility
  features, not upsell levers.
- Feature flags: feature_flags table + internal/flags.Store with 30s
  in-memory refresh, stable sha256(key + user_id) percent bucketing,
  unknown-key-defaults-on. Six Tier 2 flags pre-seeded. Three handlers
  (branding, broadcasts, scanner) check the kill switch ahead of the
  tier gate so ops can pull a feature back without a redeploy.

### Verified
- go test ./... + fraud-engine pytest (12/12 incl. 3 new geo_jump tests + 5
  new flags tests).
- docker compose build + up across api, fraud-engine, notifier, frontend.
- /health endpoints 200; migrations 0014 + 0015 applied; 6 flags
  seeded; audit_log table + partial indexes confirmed.
- Fraud-engine logs confirm geo resolver kind=CachedGeoResolver provider=auto.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-21 20:30:02 +01:00

Kwaku Danso

59b8781659

feat: ship Tier 1 — auth, authz, rate limits, real notifications, CSV import, billing, backups/DR, privacy

Closes every block in docs/TIER1_PLAN.md from the Claude-scope side. The
homelab / cloud setup steps (SES verification, restore drill, lawyer-
drafted ToS) remain operator-owned but are unblocked.

Block A — Authentication
- Migration 0003: password_hash, email_verified, email_verification_tokens,
  password_reset_tokens, refresh_tokens (with replaced_by family chain).
- Bcrypt hasher, HS256 JWT signer, single-use refresh tokens with rotation
  + replay-detection (revokes the family on reuse).
- /auth/signup, /login, /refresh, /logout, /verify-email,
  /forgot-password, /reset-password — enumeration-safe.
- requireAuth middleware + GET /me.
- Frontend useAuth/useApi with auto-refresh-on-401, login/signup/verify/
  forgot/reset pages, route-guard middleware.

Block B — Authorisation
- EventRepo.GetForHost; Update/Delete scoped by host_id.
- All host routes behind requireAuth + ownership; cross-tenant returns
  404 (no enumeration). ?host_id removed.
- WS auth via short-lived single-use tickets (POST /auth/ws-ticket).
- Tests: TestCrossTenantIsolation — 9 probes.

Block C — Rate limiting
- Redis sliding-window via Lua (atomic ZADD+ZCARD+PEXPIRE).
- Per-route limits matching the plan (signup IP, login IP+email, RSVP/
  access by token, events/guests/tokens by user_id).
- 429 with Retry-After header and JSON body.
- Auth lockout: 5 failed logins → account locked, only password reset
  clears it.
- Frontend: useErrMessage normalises 429 + locked messaging.

Block D — Real notifications
- Migration 0004: provider_message_id, bounce_type, complained columns
  + unsubscribes (CITEXT) suppression table.
- Branded HTML + plaintext templates for verification, reset, invitation,
  confirmation, reminder. Per-page templates avoid html/template's
  contextual-escape collisions.
- Senders: SESv2, Twilio (SMS), SMTP (Mailpit-friendly), Resend HTTP.
- PickEmailSender priority Resend > SMTP > SES > Log — system boots
  cleanly in dev with Mailpit; production flips one env var.
- Webhook endpoints (Twilio status + SES SNS) — bounces add to suppression;
  signature verification stubbed pending creds.
- Auto-send: POST /tokens publishes invitation.send; notifier renders +
  delivers via the configured backend; suppression list honoured.
- Bulk + per-row invitation flow: POST /events/{id}/guests/invitations/bulk
  returns per-guest tokens so phone-only guests can be SMS'd manually.
- Unsubscribe: signed HMAC token (no TTL) + /unsubscribe/[token] page.
- WhatsApp Option A+: wa.me click-to-chat wizard with per-guest progress
  tracking, isLikelyE164 validation, edit-from-wizard.
- Token rotate (POST /tokens/rotate) invalidates the old URL — used by
  the regenerate-link flow.
- Mailpit added to docker-compose for dev inbox.

Block E — CSV import
- Streaming parser: tolerant header detection, UTF-8 BOM + UTF-16 LE/BE
  decoding, row-level validation, 5,000-row cap.
- Strict E.164 phone validation with helpful error message.
- POST /preview + /import + GET /template; preview UI on event page;
  atomic per-batch with dedup on existing emails.

Phone capture across UI
- PhoneInput component: country picker (~50 ISO codes) + national input +
  live E.164 preview + inline length validation.
- Used in Add Guest and Edit Guest modals. Smart paste-handling extracts
  country code from full E.164 strings.

Block F — Billing (Stripe)
- Migration 0005: subscriptions table (user_id → tier/status/period_end +
  Stripe customer/sub ids). Partial unique index keeps one granting sub
  per user.
- internal/billing: Tier + Limits model (Free 1/50, Pro 10/1000, Business
  ∞/5000), Stripe SDK wrapper with IgnoreAPIVersionMismatch for newer
  account API versions.
- /billing/checkout-session, /billing/portal, /billing/status,
  /webhooks/stripe (signature-verified, lifecycle events).
- Tier enforcement: 402 on POST /events, /guests, /import with
  {error, reason, tier, used, limit, upgrade_url} body.
- Frontend: useBilling composable, /dashboard/billing page (current plan,
  usage bars, tier cards), global UpgradeModal triggered by useApi's
  402 interceptor.
- Customer portal kept for self-service cancel/payment-method changes.

Block G — Backups & DR (application side)
- Every migration has a tested .down.sql.
- TestMigrationRoundtrip applies all ups → all downs → all ups against a
  fresh container; catches asymmetric down migrations.
- cmd/restore-verify: 28-check post-restore invariant tool (schema
  presence, no orphans across 10 FK relationships, email uniqueness,
  single-active subscription, row-count snapshot).
- docs/RUNBOOK_RESTORE.md: 9-step restore procedure with RTO/RPO
  targets, drill instructions, rollback path.

Block H — Privacy compliance (application side)
- Migration 0006: deleted_at + terms_accepted_at + privacy_policy_accepted_at
  on users. Partial index on email for live-only uniqueness.
- GET /me/data-export — synchronous JSON dump (user, events, guests,
  tokens, rsvps, access_logs, notifications).
- DELETE /me — soft-delete with PII scrub + refresh-token revocation;
  re-signup with same email works.
- POST /me/accept-terms — idempotent consent recording.
- Frontend /privacy + /terms placeholder pages with substantive (pending
  legal review) copy; footer links; signup terms checkbox; TermsGateModal
  for accounts created before the rollout; export + delete buttons on
  /dashboard/billing.

Tests
- All migrations verified up/down/up.
- Integration suite: TestE2EHappyPath, TestAuthFlow, TestCrossTenantIsolation,
  TestRateLimitSignup, TestLoginLockout, TestUnsubscribeFlow,
  TestSESBounceWebhook, TestTwilioStatusWebhook, TestCsvImportFlow,
  TestCsvImportAtomicRollback, TestBulkIssueInvitations, TestBulkIssueExplicitSubset,
  TestTokenIssuePublishesInvitation, TestTokenIssueWithoutGuestEmailSkipsInvitation,
  TestGuestUpdate, TestGuestDelete, TestTokenRotate, TestSMTPSenderAgainstMailpit,
  TestFreeTierEventLimit, TestFreeTierGuestLimit, TestBusinessTierBypassesLimits,
  TestDataExport, TestDeleteMe, TestAcceptTerms, TestMigrationRoundtrip.
  Full suite runs in ~120s against real Postgres + NATS + Redis + Mailpit.
- Unit suite green across internal/auth, internal/csvimport,
  internal/notification, internal/ratelimit, internal/domain.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-16 23:54:22 +01:00

2 Commits