guestguard

alchemistkay/guestguard

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kwaku Danso	b873012191	feat(tier2): smarter fraud detection — Block G Per-event fraud tuning. Hosts can now dial the medium / high / block boundaries, allowlist trusted networks, and feed verdicts back on flagged accesses — the seed corpus for a future ML model. Schema (migration 0011) - events.fraud_{medium,high,block}_threshold default 30/60/85 so existing events behave identically until a host changes them - access_logs.geo_{country,city,lat,lon} for future enrichment - fraud_feedback table — verdict ('legitimate' \| 'suspicious') + note, PK on access_log_id so re-mark is an upsert - event_allowlists table — (event_id, ip_cidr) primary key, inet column so containment checks use the native >>= operator (indexed lookup) Domain - FraudThresholds with Valid() + Band() helpers; Default trio echoed through GET responses so the frontend doesn't duplicate constants - ParseAllowlistCIDR accepts bare IPs (auto-widens to /32 or /128) and canonicalises the output (203.0.113.42 → 203.0.113.42/32) - Event.Thresholds() falls back to defaults if columns weren't populated yet, so the API never wedges every score into "low" Storage - AllowlistRepo: List / Add / Remove + Matches() — the latter pushes CIDR containment into Postgres rather than streaming rows back - FeedbackRepo: Record (upserts) + ListForEvent (joined through guests) - EventRepo.GetThresholds + UpdateThresholds, plus the threshold columns baked into scanEvent so every event load carries them - AccessLogRepo.BelongsToEvent — stops a hostile editor on event A from marking event B's access logs API - GET/PUT /events/{id}/security/thresholds (viewer/editor) - GET/POST/DELETE /events/{id}/security/allowlist - POST /events/{id}/access-logs/{log_id}/feedback (editor) - GET /events/{id}/security/feedback - RSVP scoring path: allowlist short-circuit fires before the fraud engine; the engine's score is then re-banded against the event's thresholds (engine.Risk becomes advisory — API is the source of truth for "what counts as block here") - CORS Allow-Methods already includes PUT (Block D fix) Fraud engine - Single-signal cap: it now takes ≥2 sub-scores of ≥70 to push the final into HIGH. Fixes the well-known "second visit with a slightly shifted fingerprint scores 60+" false positive - Engine band remains advisory; API re-bands using per-event thresholds before deciding to block Frontend - SecurityCard.vue: visual band ribbon (proportional to thresholds), three sliders with mutual clamping so dragging medium past high pushes high (not an invalid ordering), reset-to-defaults button, CIDR allowlist with inline add + per-row remove, verdict-history inbox. Toast feedback on save/add/remove - "Security" tab added to the event-detail tab nav (5th tab, right of Analytics) - Viewer role hides write affordances; server enforces too Tests - Domain: ThresholdsBand, ThresholdsValid, ParseAllowlistCIDR (bare IP widening + traversal/typo rejection), FraudFeedbackValid - Integration: thresholds round-trip + invalid ordering rejection, allowlist CRUD + duplicate 409 + invalid CIDR 400 + IP auto-widen, feedback record + upsert + cross-tenant 404 + invalid verdict 400, viewer can read / editor can write / outsider gets 404 - Full integration suite green (315.8s, all 36 top-level tests pass) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-19 21:33:57 +01:00
Kwaku Danso	39533162bb	feat(tier2): editable RSVPs — Block A Guests can revisit their invitation link and change their response or plus-ones up to 5 times. Each prior state is snapshotted into `rsvp_revisions` and surfaced to the host via a per-guest history modal on the event detail page. - Migration 0007 adds rsvp_revisions + rsvps.edit_count (with down) - RSVPRepo.Update wraps snapshot+update+counter in one transaction, FOR UPDATE-locking the row so concurrent edits can't bypass the cap - PATCH /rsvp/{token} re-runs the fraud check on every edit attempt (different device on an edit is itself a signal) - POST /rsvp no longer marks the token used — the link stays valid so the guest can come back to edit - GET /access/{token} now embeds the existing RSVP so the frontend renders an edit form instead of a blank submit form on revisit - New host endpoint GET /events/{id}/guests/{guest_id}/rsvp/history - Frontend: rsvp/[token].vue toggles between summary + edit form, surfaces edits-remaining; dashboard adds a "History" action on responded guests opening a revision-trail modal Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-17 19:27:50 +01:00
Kwaku Danso	3f8bc58ca9	feat: build core API, fraud engine, notifier, and frontend Phase 1 — Core API (Go): - Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5 - HMAC-signed per-guest tokens with format validation - Health endpoint with DB ping, slog JSON logging, graceful shutdown Phase 2 — NATS + Fraud Engine: - NATS JetStream pub/sub with explicit-ack consumers - Python/FastAPI fraud engine with heuristic risk scoring (fingerprint mismatch, IP change, missing signals, repeated access) - gRPC sync scoring with 250ms fail-open timeout - Per-guest baseline tracking; risk bands low/medium/high/block Phase 3 — Notifications + Frontend: - Notification worker scaffolding (Twilio/SES stubs, retry/backoff) - Nuxt 3 frontend with Tailwind dark theme + brand green - Live monitor via WebSocket with auto-reconnect - Activity history endpoint backfills monitor with RSVPs + scored access checks (including blocked attempts) UX polish: - Marketing-friendly landing page (hero mockup, how-it-works, features, use cases, testimonials, FAQ, final CTA) - Animated layered card mockups on landing + new-event page - Plus-ones stepper, RSVP status badges, filter buttons - Friendly access-check labels (Verified/Review/Suspicious/Blocked) - Dashboard hydration fix via ClientOnly wrapper Infrastructure: - docker-compose for full local dev (postgres, nats, api, fraud-engine, notifier, frontend) - Multi-stage Dockerfiles, non-root UID 1000 - Integration tests with testcontainers-go Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 21:08:56 +01:00

Author

SHA1

Message

Date

Kwaku Danso

b873012191

feat(tier2): smarter fraud detection — Block G

Per-event fraud tuning. Hosts can now dial the medium / high / block
boundaries, allowlist trusted networks, and feed verdicts back on
flagged accesses — the seed corpus for a future ML model.

Schema (migration 0011)
- events.fraud_{medium,high,block}_threshold default 30/60/85 so
  existing events behave identically until a host changes them
- access_logs.geo_{country,city,lat,lon} for future enrichment
- fraud_feedback table — verdict ('legitimate' | 'suspicious') + note,
  PK on access_log_id so re-mark is an upsert
- event_allowlists table — (event_id, ip_cidr) primary key, inet column
  so containment checks use the native >>= operator (indexed lookup)

Domain
- FraudThresholds with Valid() + Band() helpers; Default trio echoed
  through GET responses so the frontend doesn't duplicate constants
- ParseAllowlistCIDR accepts bare IPs (auto-widens to /32 or /128) and
  canonicalises the output (203.0.113.42 → 203.0.113.42/32)
- Event.Thresholds() falls back to defaults if columns weren't
  populated yet, so the API never wedges every score into "low"

Storage
- AllowlistRepo: List / Add / Remove + Matches() — the latter pushes
  CIDR containment into Postgres rather than streaming rows back
- FeedbackRepo: Record (upserts) + ListForEvent (joined through guests)
- EventRepo.GetThresholds + UpdateThresholds, plus the threshold
  columns baked into scanEvent so every event load carries them
- AccessLogRepo.BelongsToEvent — stops a hostile editor on event A
  from marking event B's access logs

API
- GET/PUT /events/{id}/security/thresholds (viewer/editor)
- GET/POST/DELETE /events/{id}/security/allowlist
- POST /events/{id}/access-logs/{log_id}/feedback (editor)
- GET /events/{id}/security/feedback
- RSVP scoring path: allowlist short-circuit fires before the fraud
  engine; the engine's score is then re-banded against the event's
  thresholds (engine.Risk becomes advisory — API is the source of
  truth for "what counts as block here")
- CORS Allow-Methods already includes PUT (Block D fix)

Fraud engine
- Single-signal cap: it now takes ≥2 sub-scores of ≥70 to push the
  final into HIGH. Fixes the well-known "second visit with a slightly
  shifted fingerprint scores 60+" false positive
- Engine band remains advisory; API re-bands using per-event
  thresholds before deciding to block

Frontend
- SecurityCard.vue: visual band ribbon (proportional to thresholds),
  three sliders with mutual clamping so dragging medium past high
  pushes high (not an invalid ordering), reset-to-defaults button,
  CIDR allowlist with inline add + per-row remove, verdict-history
  inbox. Toast feedback on save/add/remove
- "Security" tab added to the event-detail tab nav (5th tab,
  right of Analytics)
- Viewer role hides write affordances; server enforces too

Tests
- Domain: ThresholdsBand, ThresholdsValid, ParseAllowlistCIDR (bare
  IP widening + traversal/typo rejection), FraudFeedbackValid
- Integration: thresholds round-trip + invalid ordering rejection,
  allowlist CRUD + duplicate 409 + invalid CIDR 400 + IP auto-widen,
  feedback record + upsert + cross-tenant 404 + invalid verdict 400,
  viewer can read / editor can write / outsider gets 404
- Full integration suite green (315.8s, all 36 top-level tests pass)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-19 21:33:57 +01:00

Kwaku Danso

39533162bb

feat(tier2): editable RSVPs — Block A

Guests can revisit their invitation link and change their response
or plus-ones up to 5 times. Each prior state is snapshotted into
`rsvp_revisions` and surfaced to the host via a per-guest history
modal on the event detail page.

- Migration 0007 adds rsvp_revisions + rsvps.edit_count (with down)
- RSVPRepo.Update wraps snapshot+update+counter in one transaction,
  FOR UPDATE-locking the row so concurrent edits can't bypass the cap
- PATCH /rsvp/{token} re-runs the fraud check on every edit attempt
  (different device on an edit is itself a signal)
- POST /rsvp no longer marks the token used — the link stays valid
  so the guest can come back to edit
- GET /access/{token} now embeds the existing RSVP so the frontend
  renders an edit form instead of a blank submit form on revisit
- New host endpoint GET /events/{id}/guests/{guest_id}/rsvp/history
- Frontend: rsvp/[token].vue toggles between summary + edit form,
  surfaces edits-remaining; dashboard adds a "History" action on
  responded guests opening a revision-trail modal

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-17 19:27:50 +01:00

Kwaku Danso

3f8bc58ca9

feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-11 21:08:56 +01:00

3 Commits