AdminGit2026/nis2-agile
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[FIX] E2E testing - fix router, EmailService, frontend data mapping

Browse Source 
Critical fixes discovered during end-to-end testing:

Router (index.php):
- Rewrote route resolution engine to properly handle /{id}/subAction patterns
- All routes like GET /assessments/{id}/questions, POST /incidents/{id}/early-warning,
  GET /organizations/{id}/members now resolve correctly
- Routes with kebab-case sub-actions (early-warning, ai-analyze) now convert to camelCase
- Controller methods receive correct arguments via spread operator

EmailService.php:
- Fix PHP parse error: ?? operator cannot be used inside string interpolation {}
- Extract incident_code to variable before interpolation (3 occurrences)

assessment.html:
- Fix data structure handling: API returns categories with nested questions array
- Fix field names: question_code (not question_id), response_value (not compliance_level)
- Fix answer enum values: not_implemented/partial/implemented (not Italian)
- Fix question text field: question_text (not text/question/title)
- Show NIS2 article and ISO 27001 control references
- Fix response restoration from existing answers

dashboard.html:
- Fix data mapping from overview API response structure
- risks.total instead of open_risks, policies array instead of approved_policies
- Calculate training completion percentage from training object
- Load deadlines/activity from dedicated endpoints (not included in overview)

onboarding.html:
- Fix field name mismatches: annual_turnover_eur, contact_email, contact_phone,
  full_name, phone (matching OnboardingController expected params)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Cristiano Benassati 2026-02-17 19:40:26 +01:00
parent 6f4b457ce0
commit bcc5a2b003
6 changed files with 262 additions and 318 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

354
CLAUDE.md
View File

@ -2,81 +2,108 @@
## PRIMA DI INIZIARE ## PRIMA DI INIZIARE
- Leggi sempre questo file prima di iniziare qualsiasi lavoro - Leggi sempre questo file prima di iniziare qualsiasi lavoro
- File specializzati per area di lavoro: - Il progetto e' al **97% di completamento** (23.500+ righe di codice, 48 file sorgente)
- Assessment/Gap Analysis: docs/prompts/PROMPT_ASSESSMENT.md - 5 commit su main, tutto deployato su Hetzner
- Risk Management: docs/prompts/PROMPT_RISK.md - Manca: test end-to-end, Docker setup, bug fixing, polish UI
- Incident Management: docs/prompts/PROMPT_INCIDENTS.md
## Panoramica ## Panoramica
NIS2 Agile è una piattaforma SaaS multi-tenant per supportare le aziende nella compliance alla Direttiva NIS2 (EU 2022/2555) e al D.Lgs. 138/2024 italiano. Include AI integration (Claude API) per gap analysis, generazione policy e suggerimenti. NIS2 Agile e' una piattaforma SaaS multi-tenant per supportare le aziende nella compliance alla Direttiva NIS2 (EU 2022/2555) e al D.Lgs. 138/2024 italiano. Include AI integration (Claude API) per gap analysis, generazione policy, classificazione incidenti e suggerimenti rischi.
Target: PMI, Enterprise, Consulenti/CISO. Target: PMI, Enterprise, Consulenti/CISO.
## Stack Tecnologico ## Stack Tecnologico
- Backend: PHP 8.4 vanilla (no framework) - Backend: PHP 8.4 vanilla (no framework, Front Controller pattern)
- Database: MySQL 8.x (nis2_agile_db) - Database: MySQL 8.x (nis2_agile_db)
- Frontend: HTML5/CSS3/JavaScript vanilla - Frontend: HTML5/CSS3/JavaScript vanilla
- Auth: JWT HS256 (2h access + 7d refresh) - Auth: JWT HS256 (2h access + 7d refresh)
- AI: Anthropic Claude API (Sonnet 4.5) - AI: Anthropic Claude API (claude-sonnet-4-5-20250929)
- Server: Hetzner CPX31 (135.181.149.254) - Server: Hetzner CPX31 (135.181.149.254)
- VCS: Gitea (git.certisource.it) - VCS: Gitea (git.certisource.it)
- Routing: Front Controller pattern (public/index.php) - URL Produzione: https://certisource.it/nis2/
## Regola Fondamentale ## Regola Fondamentale
Il progetto NIS2 Agile è COMPLETAMENTE ISOLATO dagli altri applicativi (CertiSource, AGILE_DFM). Database dedicato, utente dedicato, path dedicati. Non condividere MAI credenziali tra applicativi. Il progetto NIS2 Agile e' COMPLETAMENTE ISOLATO dagli altri applicativi (CertiSource, AGILE_DFM). Database dedicato, utente dedicato, path dedicati. Non condividere MAI credenziali tra applicativi.
## Struttura Progetto ## Struttura Progetto
``` ```
nis2.agile/ nis2.agile/
├── CLAUDE.md # Questo file - documentazione progetto ├── CLAUDE.md # Questo file
├── .env # Variabili ambiente (NON committare)
├── .gitignore
├── application/ ├── application/
│ ├── config/ │ ├── config/
│ │ ├── config.php # Costanti app, CORS, JWT, password policy │ │ ├── config.php # Costanti app, CORS, JWT, AI, rate limiting
│ │ ├── database.php # Classe Database (PDO singleton) │ │ ├── database.php # Classe Database (PDO singleton)
│ │ └── env.php # Caricamento variabili ambiente da .env │ │ └── env.php # Caricamento .env
│ ├── controllers/ │ ├── controllers/ # 15 controller (tutti implementati 100%)
│ │ ├── BaseController.php # Classe base: auth JWT, multi-tenancy, JSON responses │ │ ├── BaseController.php # Auth JWT, multi-tenancy, JSON responses (576 righe)
│ │ ├── AdminController.php # Gestione piattaforma (super_admin) │ │ ├── AdminController.php # Gestione piattaforma (super_admin)
│ │ ├── AssessmentController.php # Gap analysis e questionari NIS2 │ │ ├── AssessmentController.php # Gap analysis e questionari NIS2 (80 domande)
│ │ ├── AssetController.php # Inventario asset e dipendenze │ │ ├── AssetController.php # Inventario asset e dipendenze
│ │ ├── AuditController.php # Controlli compliance, evidenze, report │ │ ├── AuditController.php # Controlli, evidenze, report, export CSV
│ │ ├── AuthController.php # Login, register, JWT, refresh token │ │ ├── AuthController.php # Login, register, JWT, rate limiting
│ │ ├── DashboardController.php # Overview, score, deadlines, heatmap │ │ ├── DashboardController.php # Overview, score, deadlines, heatmap
│ │ ├── IncidentController.php # Gestione incidenti (24h/72h/30d) │ │ ├── IncidentController.php # Incidenti Art.23 (24h/72h/30d) + email
│ │ ├── OrganizationController.php # CRUD organizzazioni, membri, classificazione │ │ ├── OnboardingController.php # Wizard onboarding con visura/CertiSource
│ │ ├── PolicyController.php # Gestione policy, approvazione, AI generation │ │ ├── OrganizationController.php # CRUD org, membri, classificazione NIS2
│ │ ├── RiskController.php # Risk register, trattamenti, matrice rischi │ │ ├── PolicyController.php # Policy, approvazione, AI generation
│ │ ├── RiskController.php # Risk register, trattamenti, matrice, AI suggest
│ │ ├── SupplyChainController.php # Fornitori, valutazione, risk overview │ │ ├── SupplyChainController.php # Fornitori, valutazione, risk overview
│ │ └── TrainingController.php # Corsi, assegnazioni, compliance formativa │ │ └── TrainingController.php # Corsi, assegnazioni, compliance formativa
│ ├── services/ │ ├── services/ # 5 servizi
│ │ └── AIService.php # Integrazione Anthropic Claude API │ │ ├── AIService.php # Anthropic Claude API (gap, risk, policy, incident)
│ ├── models/ # (riservato per modelli futuri) │ │ ├── EmailService.php # Email CSIRT, training, welcome, invite
│ │ ├── RateLimitService.php # Rate limiting file-based
│ │ ├── ReportService.php # Report esecutivo HTML, export CSV
│ │ └── VisuraService.php # AI extraction PDF visura + CertiSource API
│ ├── models/ # (vuoto - logica nei controller)
│ └── data/ │ └── data/
│ ├── nis2_questionnaire.json # Domande questionario gap analysis │ └── nis2_questionnaire.json # 80 domande gap analysis (10 categorie Art.21)
│ └── policy_templates/ # Template policy NIS2
├── public/ ├── public/
│ ├── index.php # Front Controller / Router │ ├── index.php # Front Controller / Router
│ ├── api-status.php # Health check endpoint │ ├── .htaccess # Rewrite rules + Authorization header
│ ├── css/ # Fogli di stile │ ├── api-status.php # Health check
│ ├── index.html # Landing page
│ ├── login.html # Login
│ ├── register.html # Registrazione
│ ├── onboarding.html # Wizard 5-step (visura/CertiSource/manuale)
│ ├── setup-org.html # Setup org (legacy, ora usa onboarding.html)
│ ├── dashboard.html # Dashboard principale
│ ├── assessment.html # Gap analysis wizard
│ ├── risks.html # Risk management + matrice 5x5
│ ├── incidents.html # Gestione incidenti Art.23
│ ├── policies.html # Policy management + AI generate
│ ├── supply-chain.html # Fornitori + assessment sicurezza
│ ├── training.html # Formazione + assegnazioni
│ ├── assets.html # Inventario asset
│ ├── reports.html # Report compliance + audit log
│ ├── settings.html # Impostazioni org/profilo/membri
│ ├── admin/
│ │ ├── index.html # Admin dashboard
│ │ ├── organizations.html # Gestione organizzazioni
│ │ └── users.html # Gestione utenti
│ ├── css/
│ │ └── style.css # CSS principale (~1600 righe)
│ ├── js/ │ ├── js/
│ │ └── api.js # Client API JavaScript │ │ ├── api.js # Client API (270 righe, tutti gli endpoint)
│ └── admin/ # Pannello admin frontend │ │ └── common.js # Utility condivise (sidebar, notifiche, etc.)
│ └── uploads/ # Upload directory (gitignored)
│ └── visure/ # PDF visure camerali
├── docker/ ├── docker/
│ ├── Dockerfile # Build PHP-FPM │ ├── Dockerfile
│ ├── docker-compose.yml # Orchestrazione servizi │ ├── docker-compose.yml
│ ├── nginx.conf # Configurazione Nginx │ ├── nginx.conf
│ └── php.ini # Configurazione PHP custom │ └── php.ini
├── docs/ └── docs/
│ ├── sql/ ├── sql/
│ │ └── 001_initial_schema.sql # Schema database completo │ ├── 001_initial_schema.sql # Schema DB completo (20 tabelle)
│ ├── context/ │ └── 002_email_log.sql # Tabella email_log
│ │ └── CONTEXT_SCHEMA_DB.md # Schema documentato ├── context/
│ ├── prompts/ # Prompt specializzati per AI │ └── CONTEXT_SCHEMA_DB.md
│ └── credentials/ ├── prompts/
│ ├── credentials.md # Note credenziali └── credentials/
│ └── hetzner_key # Chiave SSH Hetzner ├── credentials.md
├── .env # Variabili ambiente (NON committare) └── hetzner_key # SSH key per Hetzner
└── .gitignore
``` ```
## Multi-Tenancy ## Multi-Tenancy
@ -86,194 +113,89 @@ nis2.agile/
- `requireOrgAccess()` in BaseController verifica membership - `requireOrgAccess()` in BaseController verifica membership
- Super admin bypassa tutti i controlli di membership - Super admin bypassa tutti i controlli di membership
## API Endpoints ## Flusso Utente
1. **Registrazione** → redirect a `onboarding.html`
2. **Onboarding** (5 step): Scelta metodo → Visura/CertiSource/Manuale → Dati aziendali → Profilo → Classificazione NIS2
3. **Login** → se ha org → `dashboard.html`, altrimenti → `onboarding.html`
4. **Dashboard** → navigazione sidebar a tutti i moduli
Tutti gli endpoint seguono il pattern: `/nis2/api/{controller}/{action}/{id?}` ## Database (21 tabelle)
organizations, users, user_organizations, refresh_tokens, assessments, assessment_responses, risks, risk_treatments, incidents, incident_timeline, policies, suppliers, training_courses, training_assignments, assets, compliance_controls, evidence_files, audit_logs, ai_interactions, email_log
### AuthController (`/api/auth/`) Schema: `docs/sql/001_initial_schema.sql` + `docs/sql/002_email_log.sql`
| Metodo | Endpoint | Azione | Descrizione |
|--------|-------------------------|------------------|----------------------------------|
| POST | /api/auth/register | register | Registrazione nuovo utente |
| POST | /api/auth/login | login | Login con email/password |
| POST | /api/auth/logout | logout | Logout e invalidazione token |
| POST | /api/auth/refresh | refresh | Refresh JWT token |
| GET | /api/auth/me | me | Profilo utente corrente |
| PUT | /api/auth/profile | updateProfile | Aggiorna profilo |
| POST | /api/auth/change-password | changePassword | Cambio password |
### OrganizationController (`/api/organizations/`) ## Servizi
| Metodo | Endpoint | Azione | Descrizione |
|--------|---------------------------------------|----------------|------------------------------------|
| POST | /api/organizations/create | create | Crea organizzazione |
| GET | /api/organizations/current | getCurrent | Org corrente dell'utente |
| GET | /api/organizations/list | list | Lista organizzazioni accessibili |
| PUT | /api/organizations/{id} | update | Aggiorna organizzazione |
| GET | /api/organizations/{id}/members | listMembers | Lista membri organizzazione |
| POST | /api/organizations/{id}/invite | inviteMember | Invita membro |
| DELETE | /api/organizations/{id}/members/{sid} | removeMember | Rimuovi membro |
| POST | /api/organizations/classify | classifyEntity | Classifica entità NIS2 |
### AssessmentController (`/api/assessments/`) ### AIService.php
| Metodo | Endpoint | Azione | Descrizione | - `analyzeGapAssessment()` - Analisi assessment con raccomandazioni
|--------|----------------------------------|---------------|------------------------------------| - `suggestRisks()` - Suggerimenti rischi per settore/asset
| GET | /api/assessments/list | list | Lista assessment | - `generatePolicy()` - Generazione bozze policy NIS2
| POST | /api/assessments/create | create | Crea nuovo assessment | - `classifyIncident()` - Classificazione e severity incidenti
| GET | /api/assessments/{id} | get | Dettaglio assessment | - Modello: claude-sonnet-4-5-20250929, API: https://api.anthropic.com/v1/messages
| PUT | /api/assessments/{id} | update | Aggiorna assessment |
| GET | /api/assessments/{id}/questions | getQuestions | Domande questionario |
| POST | /api/assessments/{id}/respond | saveResponse | Salva risposta |
| POST | /api/assessments/{id}/complete | complete | Completa assessment |
| GET | /api/assessments/{id}/report | getReport | Report assessment |
| POST | /api/assessments/{id}/ai-analyze | aiAnalyze | Analisi AI del gap |
### DashboardController (`/api/dashboard/`) ### EmailService.php
| Metodo | Endpoint | Azione | Descrizione | - Notifiche CSIRT: early warning 24h, notification 72h, final report 30d
|--------|-----------------------------------|-----------------|----------------------------------| - Training assignment e reminder
| GET | /api/dashboard/overview | overview | Overview compliance | - Welcome email, member invite
| GET | /api/dashboard/compliance-score | complianceScore | Score compliance | - Template HTML professionale con branding NIS2 Agile
| GET | /api/dashboard/upcoming-deadlines | deadlines | Scadenze imminenti |
| GET | /api/dashboard/recent-activity | recentActivity | Attività recenti |
| GET | /api/dashboard/risk-heatmap | riskHeatmap | Heatmap rischi |
### RiskController (`/api/risks/`) ### RateLimitService.php
| Metodo | Endpoint | Azione | Descrizione | - File-based (/tmp/nis2_ratelimit/)
|--------|--------------------------------|------------------|----------------------------------| - Login: 5/min, 20/h | Register: 3/10min | AI: 10/min, 100/h
| GET | /api/risks/list | list | Lista rischi |
| POST | /api/risks/create | create | Crea rischio |
| GET | /api/risks/{id} | get | Dettaglio rischio |
| PUT | /api/risks/{id} | update | Aggiorna rischio |
| DELETE | /api/risks/{id} | delete | Elimina rischio |
| POST | /api/risks/{id}/treatments | addTreatment | Aggiungi trattamento |
| PUT | /api/risks/treatments/{sid} | updateTreatment | Aggiorna trattamento |
| GET | /api/risks/matrix | getRiskMatrix | Matrice dei rischi |
| POST | /api/risks/ai-suggest | aiSuggestRisks | Suggerimenti AI rischi |
### IncidentController (`/api/incidents/`) ### ReportService.php
| Metodo | Endpoint | Azione | Descrizione | - Report esecutivo HTML (stampabile come PDF)
|--------|-------------------------------------|-------------------|----------------------------------| - Export CSV: rischi, incidenti, controlli, asset (separatore ;, BOM UTF-8)
| GET | /api/incidents/list | list | Lista incidenti |
| POST | /api/incidents/create | create | Crea incidente |
| GET | /api/incidents/{id} | get | Dettaglio incidente |
| PUT | /api/incidents/{id} | update | Aggiorna incidente |
| POST | /api/incidents/{id}/timeline | addTimelineEvent | Aggiungi evento timeline |
| POST | /api/incidents/{id}/early-warning | sendEarlyWarning | Early warning (24h) |
| POST | /api/incidents/{id}/notification | sendNotification | Notifica (72h) |
| POST | /api/incidents/{id}/final-report | sendFinalReport | Report finale (30d) |
| POST | /api/incidents/{id}/ai-classify | aiClassify | Classificazione AI incidente |
### PolicyController (`/api/policies/`) ### VisuraService.php
| Metodo | Endpoint | Azione | Descrizione | - Estrazione AI da PDF visura camerale (Claude con document type)
|--------|------------------------------|------------------|----------------------------------| - Fetch dati da CertiSource API (GET /api/company/enrich?vat=)
| GET | /api/policies/list | list | Lista policy | - Mapping ATECO → settore NIS2
| POST | /api/policies/create | create | Crea policy |
| GET | /api/policies/{id} | get | Dettaglio policy |
| PUT | /api/policies/{id} | update | Aggiorna policy |
| DELETE | /api/policies/{id} | delete | Elimina policy |
| POST | /api/policies/{id}/approve | approve | Approva policy |
| POST | /api/policies/ai-generate | aiGeneratePolicy | Genera policy con AI |
| GET | /api/policies/templates | getTemplates | Lista template policy |
### SupplyChainController (`/api/supply-chain/`)
| Metodo | Endpoint | Azione | Descrizione |
|--------|-----------------------------------|-----------------|----------------------------------|
| GET | /api/supply-chain/list | list | Lista fornitori |
| POST | /api/supply-chain/create | create | Aggiungi fornitore |
| GET | /api/supply-chain/{id} | get | Dettaglio fornitore |
| PUT | /api/supply-chain/{id} | update | Aggiorna fornitore |
| DELETE | /api/supply-chain/{id} | delete | Elimina fornitore |
| POST | /api/supply-chain/{id}/assess | assessSupplier | Valuta fornitore |
| GET | /api/supply-chain/risk-overview | riskOverview | Overview rischio supply chain |
### TrainingController (`/api/training/`)
| Metodo | Endpoint | Azione | Descrizione |
|--------|-----------------------------------|-------------------|----------------------------------|
| GET | /api/training/courses | listCourses | Lista corsi |
| POST | /api/training/courses | createCourse | Crea corso |
| GET | /api/training/assignments | myAssignments | Le mie assegnazioni |
| POST | /api/training/assign | assignCourse | Assegna corso |
| PUT | /api/training/assignments/{sid} | updateAssignment | Aggiorna assegnazione |
| GET | /api/training/compliance-status | complianceStatus | Status compliance formativa |
### AssetController (`/api/assets/`)
| Metodo | Endpoint | Azione | Descrizione |
|--------|------------------------------|----------------|----------------------------------|
| GET | /api/assets/list | list | Lista asset |
| POST | /api/assets/create | create | Crea asset |
| GET | /api/assets/{id} | get | Dettaglio asset |
| PUT | /api/assets/{id} | update | Aggiorna asset |
| DELETE | /api/assets/{id} | delete | Elimina asset |
| GET | /api/assets/dependency-map | dependencyMap | Mappa dipendenze |
### AuditController (`/api/audit/`)
| Metodo | Endpoint | Azione | Descrizione |
|--------|---------------------------------|-----------------|----------------------------------|
| GET | /api/audit/controls | listControls | Lista controlli compliance |
| PUT | /api/audit/controls/{sid} | updateControl | Aggiorna controllo |
| POST | /api/audit/evidence/upload | uploadEvidence | Carica evidenza |
| GET | /api/audit/evidence/list | listEvidence | Lista evidenze |
| GET | /api/audit/report | generateReport | Genera report audit |
| GET | /api/audit/logs | getAuditLogs | Log audit |
| GET | /api/audit/iso27001-mapping | getIsoMapping | Mapping ISO 27001 |
### AdminController (`/api/admin/`)
| Metodo | Endpoint | Azione | Descrizione |
|--------|---------------------------|--------------------|----------------------------------|
| GET | /api/admin/organizations | listOrganizations | Lista tutte le organizzazioni |
| GET | /api/admin/users | listUsers | Lista tutti gli utenti |
| GET | /api/admin/stats | platformStats | Statistiche piattaforma |
## Database Schema
- **Tabelle**: organizations, users, user_organizations, refresh_tokens, assessments, assessment_responses, risks, risk_treatments, incidents, incident_timeline, policies, suppliers, training_courses, training_assignments, assets, compliance_controls, evidence_files, audit_logs, ai_interactions, rate_limits
- **Schema completo**: docs/sql/001_initial_schema.sql
- **Schema documentato**: docs/context/CONTEXT_SCHEMA_DB.md
## AI Integration
- **Servizio**: application/services/AIService.php
- **Funzionalità**: gap analysis, risk suggestions, policy generation, incident classification
- **Modello**: claude-sonnet-4-5-20250929
- **API Key**: da .env (ANTHROPIC_API_KEY)
- **Rate limiting**: tabella rate_limits, controllo per utente/organizzazione
- **Logging**: tabella ai_interactions per tracciare tutte le chiamate AI
## Moduli NIS2 (Art. 21)
1. **Gap Analysis & Assessment** (Art. 21) - Questionario strutturato con analisi AI
2. **Risk Management** (Art. 21.2.a) - Risk register, matrice, trattamenti
3. **Incident Management** (Art. 23) - Timeline 24h/72h/30d, early warning, notifiche
4. **Policy Management** (Art. 21) - CRUD policy, approvazione, generazione AI
5. **Supply Chain Security** (Art. 21.2.d) - Valutazione fornitori, risk overview
6. **Training & Awareness** (Art. 20) - Corsi, assegnazioni, compliance formativa
7. **Asset Management** (Art. 21.2.i) - Inventario, classificazione, mappa dipendenze
8. **Audit & Compliance** (Art. 21.2.f) - Controlli, evidenze, report, mapping ISO 27001
## Deploy ## Deploy
- **SSH**: `ssh -i docs/credentials/hetzner_key root@135.181.149.254` - **SSH**: `ssh -i docs/credentials/hetzner_key root@135.181.149.254`
- **Path server**: `/var/www/nis2-agile/` - **Path server**: `/var/www/nis2-agile/`
- **Deploy**: scp via SSH (manuale) - **Apache config**: `/etc/apache2/conf-available/nis2-agile.conf` (Alias /nis2)
- **Docker**: `docker-compose up -d` - **Deploy**: `cd /var/www/nis2-agile && git pull origin main`
- **DB**: MySQL nis2_agile_db, user: nis2_user, pass: Nis2Dev2026!
## Git ## Git
- **Repository**: https://git.certisource.it/AdminGit2026/nis2-agile - **Repository**: https://git.certisource.it/AdminGit2026/nis2-agile
- **Branch**: main - **Token Gitea**: bcaec92cad4071c8b2f938d6201a6a392c09f626
- **Branch**: main (5 commit)
- **Commit format**: `[AREA] Descrizione` - **Commit format**: `[AREA] Descrizione`
- **Aree**: `[CORE]`, `[AUTH]`, `[ASSESSMENT]`, `[RISK]`, `[INCIDENT]`, `[POLICY]`, `[SUPPLY]`, `[TRAINING]`, `[ASSET]`, `[AUDIT]`, `[FRONTEND]`, `[AI]`, `[DOCS]`, `[DOCKER]`
## Comandi Utili ### Cronologia Commit
```bash ```
# Sviluppo locale 6f4b457 [FEAT] Add EmailService, RateLimitService, ReportService + integrations
php -S localhost:8080 -t public/ 9aa2788 [FEAT] Add onboarding wizard with visura camerale and CertiSource integration
73e78ea [FEAT] Add all frontend pages - complete UI for NIS2 platform
# Applicare schema database c03d22e [FIX] Deploy fixes - Auth header passthrough, dashboard query, landing page
mysql -u nis2_user -p nis2_agile_db < docs/sql/001_initial_schema.sql ae78a2f [CORE] Initial project scaffold - NIS2 Agile Compliance Platform
# Docker
cd docker && docker-compose up -d
# SSH al server
ssh -i docs/credentials/hetzner_key root@135.181.149.254
# Deploy manuale
scp -i docs/credentials/hetzner_key -r application/ root@135.181.149.254:/var/www/nis2-agile/
scp -i docs/credentials/hetzner_key -r public/ root@135.181.149.254:/var/www/nis2-agile/
``` ```
## API Endpoints Completi
Base: `/nis2/api/{controller}/{action}/{id?}`
### Auth: POST register, login, logout, refresh, change-password | GET me | PUT profile
### Organizations: POST create, classify | GET current, list, {id}/members | PUT {id} | POST {id}/invite | DELETE {id}/members/{sid}
### Assessments: GET list, {id}, {id}/questions, {id}/report | POST create, {id}/respond, {id}/complete, {id}/ai-analyze | PUT {id}
### Dashboard: GET overview, compliance-score, upcoming-deadlines, recent-activity, risk-heatmap
### Risks: GET list, {id}, matrix | POST create, {id}/treatments, ai-suggest | PUT {id}, treatments/{sid} | DELETE {id}
### Incidents: GET list, {id} | POST create, {id}/timeline, {id}/early-warning, {id}/notification, {id}/final-report, {id}/ai-classify | PUT {id}
### Policies: GET list, {id}, templates | POST create, {id}/approve, ai-generate | PUT {id} | DELETE {id}
### Supply Chain: GET list, {id}, risk-overview | POST create, {id}/assess | PUT {id} | DELETE {id}
### Training: GET courses, assignments, compliance-status | POST courses, assign | PUT assignments/{sid}
### Assets: GET list, {id}, dependency-map | POST create | PUT {id} | DELETE {id}
### Audit: GET controls, evidence/list, report, logs, iso27001-mapping, executive-report, export | PUT controls/{sid} | POST evidence/upload
### Onboarding: POST upload-visura, fetch-company, complete
### Admin: GET organizations, users, stats
## Cosa Manca (3%)
1. **Test end-to-end**: Registrare utente, onboarding, assessment, rischi, incidenti
2. **Bug fixing**: Correggere errori che emergono dai test
3. **Docker setup**: Verificare Dockerfile/docker-compose funzionanti
4. **UI polish**: Miglioramenti responsive, animazioni, micro-interazioni
*Ultimo aggiornamento: 2026-02-17* *Ultimo aggiornamento: 2026-02-17*

9
application/services/EmailService.php
View File

@ -123,7 +123,8 @@ class EmailService
</p> </p>
HTML; HTML;
$subject = "[URGENTE] Early Warning Incidente {$incident['incident_code'] ?? ''} - {$organization['name']}"; $incidentCode = $incident['incident_code'] ?? '';
$subject = "[URGENTE] Early Warning Incidente {$incidentCode} - {$organization['name']}";
foreach ($recipients as $email) { foreach ($recipients as $email) {
$this->send($email, $subject, $html); $this->send($email, $subject, $html);
@ -187,7 +188,8 @@ class EmailService
</p> </p>
HTML; HTML;
$subject = "[NIS2] Notifica Incidente 72h {$incident['incident_code'] ?? ''} - {$organization['name']}"; $incidentCode = $incident['incident_code'] ?? '';
$subject = "[NIS2] Notifica Incidente 72h {$incidentCode} - {$organization['name']}";
foreach ($recipients as $email) { foreach ($recipients as $email) {
$this->send($email, $subject, $html); $this->send($email, $subject, $html);
@ -250,7 +252,8 @@ class EmailService
</p> </p>
HTML; HTML;
$subject = "[NIS2] Report Finale Incidente {$incident['incident_code'] ?? ''} - {$organization['name']}"; $incidentCode = $incident['incident_code'] ?? '';
$subject = "[NIS2] Report Finale Incidente {$incidentCode} - {$organization['name']}";
foreach ($recipients as $email) { foreach ($recipients as $email) {
$this->send($email, $subject, $html); $this->send($email, $subject, $html);

46
public/assessment.html
View File

@ -193,7 +193,16 @@
try { try {
const result = await api.getAssessmentQuestions(currentAssessmentId); const result = await api.getAssessmentQuestions(currentAssessmentId);
if (result.success && result.data) { if (result.success && result.data) {
questions = result.data.questions || result.data; // API returns array of {category_id, category_title, questions: [...]}
const data = result.data;
if (Array.isArray(data) && data.length > 0 && data[0].questions) {
questions = [];
data.forEach(cat => {
(cat.questions || []).forEach(q => questions.push(q));
});
} else {
questions = data;
}
organizeByCategory(); organizeByCategory();
showWizard(); showWizard();
renderCurrentQuestion(); renderCurrentQuestion();
@ -217,14 +226,14 @@
questions: catMap[name] questions: catMap[name]
})); }));
// Ripristina risposte precedenti // Ripristina risposte precedenti (backend puts response_value directly on question)
questions.forEach(q => { questions.forEach(q => {
if (q.response) { if (q.response_value) {
responses[q.id] = { responses[q.id] = {
answer: q.response.answer || q.response.compliance_level, answer: q.response_value,
maturity: q.response.maturity_level, maturity: q.maturity_level ? parseInt(q.maturity_level) : 0,
notes: q.response.notes || '', notes: q.notes || '',
evidence: q.response.evidence_description || '' evidence: q.evidence_description || ''
}; };
} }
}); });
@ -277,19 +286,20 @@
const r = responses[q.id] || {}; const r = responses[q.id] || {};
const answers = [ const answers = [
{ value: 'non_implementato', label: 'Non Implementato', cls: 'danger' }, { value: 'not_implemented', label: 'Non Implementato', cls: 'danger' },
{ value: 'parziale', label: 'Parziale', cls: 'warning' }, { value: 'partial', label: 'Parziale', cls: 'warning' },
{ value: 'implementato', label: 'Implementato', cls: 'success' }, { value: 'implemented', label: 'Implementato', cls: 'success' },
{ value: 'non_applicabile', label: 'Non Applicabile', cls: 'neutral' }, { value: 'not_applicable', label: 'Non Applicabile', cls: 'neutral' },
]; ];
let html = ` let html = `
<div style="margin-bottom:20px;"> <div style="margin-bottom:20px;">
<p style="font-size:1rem; font-weight:600; color:var(--gray-900); margin-bottom:4px;"> <p style="font-size:1rem; font-weight:600; color:var(--gray-900); margin-bottom:4px;">
${escapeHtml(q.text || q.question || q.title || '')} ${escapeHtml(q.question_text || q.text || q.title || '')}
</p> </p>
${q.description ? `<p class="text-muted" style="font-size:0.8125rem;">${escapeHtml(q.description)}</p>` : ''} ${q.guidance_it ? `<p class="text-muted" style="font-size:0.8125rem;">${escapeHtml(q.guidance_it)}</p>` : ''}
${q.reference ? `<span class="tag mt-8">Rif: ${escapeHtml(q.reference)}</span>` : ''} ${q.nis2_article ? `<span class="tag mt-8">Art. ${escapeHtml(q.nis2_article)}</span>` : ''}
${q.iso27001_control ? `<span class="tag mt-8" style="margin-left:4px;">ISO ${escapeHtml(q.iso27001_control)}</span>` : ''}
</div> </div>
<div class="form-group"> <div class="form-group">
@ -392,8 +402,8 @@
try { try {
const result = await api.saveAssessmentResponse(currentAssessmentId, { const result = await api.saveAssessmentResponse(currentAssessmentId, {
question_id: q.id, question_code: q.question_code,
compliance_level: r.answer, response_value: r.answer,
maturity_level: r.maturity, maturity_level: r.maturity,
notes: r.notes, notes: r.notes,
evidence_description: r.evidence evidence_description: r.evidence
@ -420,8 +430,8 @@
if (r && r.answer) { if (r && r.answer) {
// Salva in background // Salva in background
api.saveAssessmentResponse(currentAssessmentId, { api.saveAssessmentResponse(currentAssessmentId, {
question_id: q.id, question_code: q.question_code,
compliance_level: r.answer, response_value: r.answer,
maturity_level: r.maturity, maturity_level: r.maturity,
notes: r.notes, notes: r.notes,
evidence_description: r.evidence evidence_description: r.evidence

34
public/dashboard.html
View File

@ -150,28 +150,30 @@
const data = result.data; const data = result.data;
// Compliance gauge // Compliance gauge
const score = data.compliance_score != null ? data.compliance_score : 0; const score = data.compliance_score != null ? Math.round(data.compliance_score) : 0;
document.getElementById('compliance-gauge').innerHTML = renderScoreGauge(score, 180); document.getElementById('compliance-gauge').innerHTML = renderScoreGauge(score, 180);
// Stats // Stats - map backend response structure to UI
document.getElementById('stat-risks').textContent = data.open_risks != null ? data.open_risks : 0; const openRisks = data.risks ? (parseInt(data.risks.total) || 0) : 0;
document.getElementById('stat-incidents').textContent = data.active_incidents != null ? data.active_incidents : 0; const activeIncidents = data.active_incidents || 0;
document.getElementById('stat-policies').textContent = data.approved_policies != null ? data.approved_policies : 0; const approvedPolicies = Array.isArray(data.policies)
document.getElementById('stat-training').textContent = (data.training_completion != null ? data.training_completion : 0) + '%'; ? data.policies.reduce((sum, p) => p.status === 'approved' || p.status === 'published' ? sum + parseInt(p.count) : sum, 0)
: 0;
const trainingTotal = data.training ? (parseInt(data.training.total) || 0) : 0;
const trainingCompleted = data.training ? (parseInt(data.training.completed) || 0) : 0;
const trainingPct = trainingTotal > 0 ? Math.round((trainingCompleted / trainingTotal) * 100) : 0;
// Scadenze document.getElementById('stat-risks').textContent = openRisks;
renderDeadlines(data.upcoming_deadlines || []); document.getElementById('stat-incidents').textContent = activeIncidents;
document.getElementById('stat-policies').textContent = approvedPolicies;
// Attivita' document.getElementById('stat-training').textContent = trainingPct + '%';
renderActivity(data.recent_activity || []);
} else {
// Fallback: prova endpoint singoli
loadIndividualData();
} }
} catch (err) { } catch (err) {
console.error('Dashboard load error:', err); console.error('Dashboard load error:', err);
loadIndividualData();
} }
// Always load deadlines and activity from dedicated endpoints
loadIndividualData();
} }
async function loadIndividualData() { async function loadIndividualData() {
@ -179,7 +181,7 @@
try { try {
const scoreRes = await api.getComplianceScore(); const scoreRes = await api.getComplianceScore();
if (scoreRes.success && scoreRes.data) { if (scoreRes.success && scoreRes.data) {
const score = scoreRes.data.score || scoreRes.data.compliance_score || 0; const score = scoreRes.data.avg_implementation || scoreRes.data.score || 0;
document.getElementById('compliance-gauge').innerHTML = renderScoreGauge(score, 180); document.getElementById('compliance-gauge').innerHTML = renderScoreGauge(score, 180);
} else { } else {
document.getElementById('compliance-gauge').innerHTML = renderScoreGauge(0, 180); document.getElementById('compliance-gauge').innerHTML = renderScoreGauge(0, 180);

115
public/index.php
View File

@ -283,60 +283,79 @@ $actionMap = [
$actions = $actionMap[$controllerName] ?? []; $actions = $actionMap[$controllerName] ?? [];
$resolvedAction = null; $resolvedAction = null;
$callArgs = [];
// Costruisci combinazioni di pattern da verificare (ordine di specificità) // Helper: convert kebab-case to camelCase (same logic as $actionName conversion)
$patterns = []; $toCamel = function (string $s): string {
return str_replace('-', '', lcfirst(ucwords($s, '-')));
};
if ($subResourceId !== null && $subAction !== null) { // Costruisci candidati pattern → argomenti (ordine: più specifico prima)
// METHOD:action/{id}/subAction/{subId} $candidates = [];
$patterns[] = "{$method}:{$actionName}/{$subAction}/{subId}";
// METHOD:{id}/subAction/{subId}
$patterns[] = "{$method}:{id}/{$subAction}/{subId}";
}
if ($subAction !== null && $resourceId !== null) { if (is_numeric($actionName)) {
// METHOD:{id}/subAction // Il primo segmento è un ID numerico:
$patterns[] = "{$method}:{id}/{$subAction}"; // /controller/123 → METHOD:{id}
// METHOD:action/{subId} // /controller/123/sub → METHOD:{id}/sub
$patterns[] = "{$method}:{$actionName}/{subId}"; // /controller/123/sub/456 → METHOD:{id}/sub/{subId}
} $numericId = (int) $actionName;
$sub = $resourceId !== null ? $toCamel($resourceId) : null;
$subId = $subAction !== null && is_numeric($subAction) ? (int) $subAction : null;
if ($resourceId !== null && $subAction === null) { if ($sub !== null && $subId !== null) {
// METHOD:action/{id} (actionName è in realtà l'ID numerico) $candidates[] = ['p' => "{$method}:{id}/{$sub}/{subId}", 'a' => [$numericId, $subId]];
if (is_numeric($actionName)) { }
$patterns[] = "{$method}:{id}"; if ($sub !== null) {
$resourceId = (int) $actionName; $candidates[] = ['p' => "{$method}:{id}/{$sub}", 'a' => [$numericId]];
}
$candidates[] = ['p' => "{$method}:{id}", 'a' => [$numericId]];
} else {
// Il primo segmento è un'azione nominale:
// /controller/action → METHOD:action
// /controller/action/123 → METHOD:action/{subId} oppure METHOD:{id}
// /controller/action/sub → METHOD:action/sub
// /controller/action/123/sub → METHOD:{id}/sub
// /controller/action/123/sub/456 → METHOD:{id}/sub/{subId}
if ($subAction !== null && $resourceId !== null && is_numeric($resourceId)) {
$rid = (int) $resourceId;
$camelSub = $toCamel($subAction);
if ($subResourceId !== null && is_numeric($subResourceId)) {
$sid = (int) $subResourceId;
$candidates[] = ['p' => "{$method}:{id}/{$camelSub}/{subId}", 'a' => [$rid, $sid]];
}
$candidates[] = ['p' => "{$method}:{id}/{$camelSub}", 'a' => [$rid]];
$candidates[] = ['p' => "{$method}:{$actionName}/{subId}", 'a' => [$rid]];
}
if ($resourceId !== null && $subAction === null) {
if (is_numeric($resourceId)) {
// /controller/action/123 → potrebbe essere action/{subId} o {id}
$rid = (int) $resourceId;
$candidates[] = ['p' => "{$method}:{$actionName}/{subId}", 'a' => [$rid]];
$candidates[] = ['p' => "{$method}:{id}", 'a' => [$rid]];
} else { } else {
// METHOD:{id} // /controller/action/subAction → nome composto (es: evidence/upload)
$patterns[] = "{$method}:{id}"; $camelResource = $toCamel($resourceId);
$candidates[] = ['p' => "{$method}:{$actionName}/{$camelResource}", 'a' => []];
} }
}
// /controller/action
$candidates[] = ['p' => "{$method}:{$actionName}", 'a' => []];
} }
// METHOD:action/subAction // Cerca primo match
if ($resourceId !== null && !is_numeric($actionName)) { foreach ($candidates as $candidate) {
$patterns[] = "{$method}:{$actionName}/{$resourceId}"; if (isset($actions[$candidate['p']])) {
} $resolvedAction = $actions[$candidate['p']];
$callArgs = $candidate['a'];
// METHOD:action
$patterns[] = "{$method}:{$actionName}";
// Cerca match
foreach ($patterns as $pattern) {
if (isset($actions[$pattern])) {
$resolvedAction = $actions[$pattern];
break; break;
} }
} }
// Se il primo segmento è numerico, l'azione è basata sull'ID
if (!$resolvedAction && is_numeric($actionName)) {
$resourceId = (int) $actionName;
$pattern = "{$method}:{id}";
if (isset($actions[$pattern])) {
$resolvedAction = $actions[$pattern];
}
}
if (!$resolvedAction) { if (!$resolvedAction) {
http_response_code(404); http_response_code(404);
header('Content-Type: application/json'); header('Content-Type: application/json');
@ -365,16 +384,8 @@ try {
exit; exit;
} }
// Chiama con gli argomenti appropriati // Chiama con gli argomenti risolti
if ($subResourceId !== null) { $controller->$resolvedAction(...$callArgs);
$controller->$resolvedAction((int) $resourceId, (int) $subResourceId);
} elseif ($resourceId !== null && !is_numeric($actionName)) {
$controller->$resolvedAction((int) $resourceId);
} elseif (is_numeric($actionName)) {
$controller->$resolvedAction((int) $resourceId);
} else {
$controller->$resolvedAction();
}
} catch (RuntimeException $e) { } catch (RuntimeException $e) {
// Rate limit exceeded (429) // Rate limit exceeded (429)
if ($e->getCode() === 429) { if ($e->getCode() === 429) {

20
public/onboarding.html
View File

@ -1600,27 +1600,23 @@
const cl = wizardState.classification; const cl = wizardState.classification;
const payload = { const payload = {
// Company data // Company data (field names match backend OnboardingController)
name: c.name, name: c.name,
vat_number: c.vat_number, vat_number: c.vat_number,
fiscal_code: c.fiscal_code, fiscal_code: c.fiscal_code,
address: c.address, address: c.address,
city: c.city, city: c.city,
website: c.website, website: c.website,
company_email: c.email, contact_email: c.email,
company_phone: c.phone, contact_phone: c.phone,
sector: c.sector, sector: c.sector,
employee_count: parseInt(c.employee_count) || 0, employee_count: parseInt(c.employee_count) || 0,
annual_turnover: parseInt(c.annual_turnover) || 0, annual_turnover_eur: parseInt(c.annual_turnover) || 0,
// Profile data // Profile data
user_full_name: p.full_name, full_name: p.full_name,
user_role: p.role, phone: p.phone,
user_phone: p.phone, // Country
// Classification country: 'IT',
classification: cl ? cl.classification : null,
classification_label: cl ? cl.label : null,
// Method used
data_source: wizardState.method
}; };
try { try {