From a53b4beb3731e243fcd0d54eb29cb73d70f77051 Mon Sep 17 00:00:00 2001 From: DevEnv nis2-agile Date: Fri, 20 Feb 2026 11:09:04 +0100 Subject: [PATCH] [CORE] Housekeeping: CLAUDE.md allineato, docker hardening, gitignore - CLAUDE.md: aggiunto NonConformityController, companies.html, architecture.html, i18n.js, help.js, SQL 003-005, 22 tabelle, endpoint NCR/CAPA, API base path aggiornato a /api/... (post-subdomain), cronologia commit aggiornata - docker-compose.yml: mem_limit (app 256m, web 128m, db 512m) + DB port binding su 127.0.0.1 per sicurezza - .gitignore: aggiunti docker/*.bak* e .claude/memory/ - Eliminati file backup temporanei docker-compose.yml.bak.* Co-Authored-By: Claude Sonnet 4.6 --- .claude/settings.local.json | 5 ++-- .gitignore | 4 ++++ CLAUDE.md | 48 ++++++++++++++++++++++++++----------- docker/docker-compose.yml | 5 +++- 4 files changed, 45 insertions(+), 17 deletions(-) diff --git a/.claude/settings.local.json b/.claude/settings.local.json index 4bd2036..0827a86 100644 --- a/.claude/settings.local.json +++ b/.claude/settings.local.json @@ -24,7 +24,8 @@ "Bash(docker:*)", "Bash(ssh:*)", "Bash(scp:*)", - "Bash(tar:*)" + "Bash(tar:*)", + "Read(//root/**)" ] } -} \ No newline at end of file +} diff --git a/.gitignore b/.gitignore index cbc1d3a..d63b9cc 100644 --- a/.gitignore +++ b/.gitignore @@ -33,3 +33,7 @@ docker/data/ # Claude .claude/plans/ +.claude/memory/ + +# Backup files +docker/*.bak* diff --git a/CLAUDE.md b/CLAUDE.md index 730e5d2..d9ca062 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -19,7 +19,7 @@ Target: PMI, Enterprise, Consulenti/CISO. - AI: Anthropic Claude API (claude-sonnet-4-5-20250929) - Server: Hetzner CPX31 (135.181.149.254) - VCS: Gitea (git.certisource.it) -- URL Produzione: https://certisource.it/nis2/ +- URL Produzione: https://nis2.certisource.it/ ## Visibilita Cross-Project 
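Review bot: The added allow-list entry `"Read(//root/**)"` in `.claude/settings.local.json` gives the agent read access to everything under root's home directory, which usually holds SSH private keys, shell history and tool credentials. The same list already allows `Bash(ssh:*)`, `Bash(scp:*)` and `Bash(docker:*)`. Narrow it to the one directory the agent actually needs, for example `"Read(//root/<project-dir>/**)"` (placeholder path). The file name suggests a per-machine file, so consider keeping it out of version control so that this grant is not inherited by every clone. The enclosing permissions object starts above the hunk.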
@@ -102,6 +102,7 @@ nis2.agile/ │ │ ├── AuthController.php # Login, register, JWT, rate limiting │ │ ├── DashboardController.php # Overview, score, deadlines, heatmap │ │ ├── IncidentController.php # Incidenti Art.23 (24h/72h/30d) + email +│ │ ├── NonConformityController.php# NCR/CAPA non-conformità e azioni correttive │ │ ├── OnboardingController.php # Wizard onboarding con visura/CertiSource │ │ ├── OrganizationController.php # CRUD org, membri, classificazione NIS2 │ │ ├── PolicyController.php # Policy, approvazione, AI generation @@ -136,6 +137,8 @@ nis2.agile/ │ ├── assets.html # Inventario asset │ ├── reports.html # Report compliance + audit log │ ├── settings.html # Impostazioni org/profilo/membri +│ ├── companies.html # Gestione aziende (consulente) +│ ├── architecture.html # Pagina architettura sistema │ ├── admin/ │ │ ├── index.html # Admin dashboard │ │ ├── organizations.html # Gestione organizzazioni @@ -144,7 +147,9 @@ nis2.agile/ │ │ └── style.css # CSS principale (~1600 righe) │ ├── js/ │ │ ├── api.js # Client API (270 righe, tutti gli endpoint) -│ │ └── common.js # Utility condivise (sidebar, notifiche, etc.) +│ │ ├── common.js # Utility condivise (sidebar, notifiche, etc.) +│ │ ├── i18n.js # Internazionalizzazione IT/EN +│ │ └── help.js # Help contestuale online │ └── uploads/ # Upload directory (gitignored) │ └── visure/ # PDF visure camerali ├── docker/ @@ -155,7 +160,10 @@ nis2.agile/ └── docs/ ├── sql/ │ ├── 001_initial_schema.sql # Schema DB completo (20 tabelle) - │ └── 002_email_log.sql # Tabella email_log + │ ├── 002_email_log.sql # Tabella email_log + │ ├── 003_voluntary_compliance.sql # ALTER organizations: voluntary_compliance + │ ├── 004_ncr_capa.sql # Tabelle non_conformities, corrective_actions + │ └── 005_consultant_support.sql # ALTER user_organizations: ruolo consultant ├── context/ │ └── CONTEXT_SCHEMA_DB.md ├── prompts/ 
@@ -177,10 +185,10 @@ nis2.agile/ 3. **Login** → se ha org → `dashboard.html`, altrimenti → `onboarding.html` 4. **Dashboard** → navigazione sidebar a tutti i moduli -## Database (21 tabelle) -organizations, users, user_organizations, refresh_tokens, assessments, assessment_responses, risks, risk_treatments, incidents, incident_timeline, policies, suppliers, training_courses, training_assignments, assets, compliance_controls, evidence_files, audit_logs, ai_interactions, email_log +## Database (22 tabelle) +organizations, users, user_organizations, refresh_tokens, assessments, assessment_responses, risks, risk_treatments, incidents, incident_timeline, policies, suppliers, training_courses, training_assignments, assets, compliance_controls, evidence_files, audit_logs, ai_interactions, email_log, non_conformities, corrective_actions -Schema: `docs/sql/001_initial_schema.sql` + `docs/sql/002_email_log.sql` +Schema: `docs/sql/` (5 migrazioni: 001→005) ## Servizi 
@@ -220,22 +228,28 @@ Schema: `docs/sql/001_initial_schema.sql` + `docs/sql/002_email_log.sql` ## Git - **Repository**: https://git.certisource.it/AdminGit2026/nis2-agile - **Token Gitea**: Configurato in git credential manager (non documentare qui) -- **Branch**: main (7 commit) +- **Branch**: main - **Commit format**: `[AREA] Descrizione` ### Cronologia Commit ``` +7080695 [FEAT] Ruolo Consulente + Wizard Registrazione v2 +ba21534 [DEPLOY] Migrazione a subdomain nis2.certisource.it +92f9366 Merge branch 'main' +d3eac7c [CORE] Rimosso credenziali da CLAUDE.md + aggiunto docs/DB_ACCESS.md +a0fd543 [CORE] Aggiunto settings Claude Code con permessi ampi +0a73983 [FIX] Dockerignore: allow docker/php.ini for build context +4bd2326 [CORE] Aggiunto integrazione agile-services +52fd45f [FEAT] i18n IT/EN, Help Online contestuale, pagina Architettura +4e3408e [FEAT] Visura auto-fill, adesione volontaria, modulo NCR/CAPA +517cab7 [FIX] Fix annual_turnover field name in setup-org.html +68f8cab [POLISH] Docker setup fix + UI polish + project completion bcc5a2b [FIX] E2E testing - fix router, EmailService, frontend data mapping -6f4b457 [FEAT] Add EmailService, RateLimitService, ReportService + integrations -9aa2788 [FEAT] Add onboarding wizard with visura camerale and CertiSource integration -73e78ea [FEAT] Add all frontend pages - complete UI for NIS2 platform -c03d22e [FIX] Deploy fixes - Auth header passthrough, dashboard query, landing page -ae78a2f [CORE] Initial project scaffold - NIS2 Agile Compliance Platform ``` ## API Endpoints Completi -Base: `/nis2/api/{controller}/{action}/{id?}` +Base: `/api/{controller}/{action}/{id?}` (su subdomain https://nis2.certisource.it/) ### Auth: POST register, login, logout, refresh, change-password | GET me | PUT profile ### Organizations: POST create, classify | GET current, list, {id}/members | PUT {id} | POST {id}/invite | DELETE {id}/members/{sid} 
@@ -250,6 +264,7 @@ Base: `/nis2/api/{controller}/{action}/{id?}` ### Audit: GET controls, evidence/list, report, logs, iso27001-mapping, executive-report, export | PUT controls/{sid} | POST evidence/upload ### Onboarding: POST upload-visura, fetch-company, complete ### Admin: GET organizations, users, stats +### NCR/CAPA: GET list, {id}, stats | POST create, fromAssessment, {id}/capa, {id}/sync, webhook | PUT {id}, capa/{subId} ## Stato Completamento Tutti i moduli sono implementati e testati: @@ -264,4 +279,9 @@ Tutti i moduli sono implementati e testati: 3. **Frontend data mapping** - Dashboard, Assessment, Onboarding avevano nomi campo diversi dal backend 4. **Field name mismatches** - annual_turnover→annual_turnover_eur, question_id→question_code, compliance_level→response_value -*Ultimo aggiornamento: 2026-02-17* +*Ultimo aggiornamento: 2026-02-20* + +## REGOLA: Sincronizzazione CLAUDE.md +- Dopo QUALSIASI modifica a: URL produzione, dominio, porta, path, schema DB, architettura -> **AGGIORNARE CLAUDE.md IMMEDIATAMENTE** +- CLAUDE.md e la "single source of truth" del progetto +- A fine sessione: verificare che CLAUDE.md rifletta lo stato reale diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index c06e14e..51a2d3c 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -8,6 +8,7 @@ services: dockerfile: docker/Dockerfile container_name: nis2-app restart: unless-stopped + mem_limit: 256m volumes: - ../application:/var/www/nis2-agile/application - ../public:/var/www/nis2-agile/public @@ -35,6 +36,7 @@ services: image: nginx:1.27-alpine container_name: nis2-web restart: unless-stopped + mem_limit: 128m ports: - "${WEB_PORT:-8080}:8080" volumes: 
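Review bot: In the `web` hunk (-35,6) the context line `- "${WEB_PORT:-8080}:8080"` still publishes nginx on every host interface, while this commit restricts the DB port to loopback. If a host-level reverse proxy terminates TLS for the production URL (to be confirmed), the same prefix belongs here: `- "127.0.0.1:${WEB_PORT:-8080}:8080"`. On the added `mem_limit` lines (this hunk, the `app` hunk at -8,6 and the `db` hunk at -51,13), a container that reaches the cap is OOM-killed and `restart: unless-stopped` restarts it immediately. A short comment such as `# hard cap; container is OOM-killed and restarted on breach` plus a word on how 256m/128m/512m were chosen would help. The service blocks start and end outside these hunks.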
@@ -51,13 +53,14 @@ services:
 image: mysql:8.0
 container_name: nis2-db
 restart: unless-stopped
+ mem_limit: 512m
 environment:
 MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD:-rootpass}
 MYSQL_DATABASE: ${DB_NAME:-nis2_agile_db}
 MYSQL_USER: ${DB_USER:-nis2_user}
 MYSQL_PASSWORD: ${DB_PASS}
 ports:
- - "${DB_EXPOSE_PORT:-3307}:3306"
+ - "127.0.0.1:${DB_EXPOSE_PORT:-3307}:3306"
 volumes:
 - nis2-db-data:/var/lib/mysql
 - ../docs/sql/001_initial_schema.sql:/docker-entrypoint-initdb.d/001_initial_schema.sql:ro
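Review bot: Binding the published port to `127.0.0.1` leaves the root-password fallback in the same `environment` block untouched. `MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD:-rootpass}` still starts the database with a known root password whenever the variable is unset, and any local process or container on the Compose network can use it. Failing fast is safer: `MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD:?DB_ROOT_PASSWORD must be set}`, and likewise for `${DB_PASS}`, which has no default and expands to an empty string when unset. If nothing on the host needs direct MySQL access, the `ports` entry could be dropped altogether, since the app presumably reaches the database over the Compose network. The `db` service definition starts above the hunk and continues below it.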