nis2-agile

AdminGit2026/nis2-agile

Author	SHA1	Message	Date
DevEnv nis2-agile	1be3bd01a4	[FEAT] Risk quantitativo FAIR + KRI dashboard (P2) Competizione coi GRC enterprise sul risk management quantitativo: - FairService: simulazione Monte Carlo FAIR (PERT su TEF e Loss Magnitude), ALE in EUR con percentili P10/P50/P90 + istogramma, deterministico (seed da input) - RiskController::computeFair -> POST /risks/{id}/fair (persiste parametri+ALE) - RiskController::fairRegister -> GET /risks/fairRegister (portfolio ALE EUR) - KRI: listKri/createKri/updateKri (GET/POST /risks/kri, PUT /risks/kri/{id}) con stato semaforo green/amber/red su soglie+direzione - Migrazione 026: risks += parametri FAIR + ale_min/ml/max/mean; nuova tabella kri Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-30 09:25:46 +02:00
DevEnv nis2-agile	4924075142	[FEAT] Asset import CMDB/cloud + scoring automatico GV.OC-04 (P2) - AssetScoringService::inferCriteria: euristica 6 criteri da campi CMDB (criticality, data_classification, internet_facing, dependencies, regulated) - AssetController::import (JWT org_admin/compliance_manager) + bulkUpsert condiviso: upsert dedup su external_ref, scoring auto GV.OC-04, max 1000 asset/batch - ServicesController::ingestAssets -> POST /services/assets-ingest (scope ingest:assets) per connettori CMDB/cloud - Migrazione 025: assets += external_ref + discovery_source + indice univoco dedup - Route POST:assetsIngest (services) + POST:import (assets) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-30 09:14:12 +02:00
DevEnv nis2-agile	307993fbad	[FEAT] Evidence Automation + Continuous Control Monitoring (P1) Colma il gap competitivo vs Vanta/Drata (compliance automation): - ServicesController::ingestEvidence -> POST /services/evidence-ingest (scope ingest:evidence) raccolta evidenze automatiche dai connettori (M365/Google/AWS/Azure/IdP/EDR/SIEM), batch fino a 200, upsert idempotente su external_ref - recomputeControlMonitoring: ricalcolo monitoring_status (healthy/warning/stale/failing) per freschezza+esito - controlsMonitoring -> GET /services/controls-monitoring (scope read:compliance): coverage + summary semafori - Migrazione 024: tabella control_evidence_auto + compliance_controls.{monitoring_status,last_checked_at,freshness_days} - Route POST:evidenceIngest, GET:controlsMonitoring Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-30 08:55:26 +02:00
DevEnv nis2-agile	21909994c2	[FEAT] Ingestion incidenti SIEM/SOC/EDR (P1) -> endpoint /services/incidents-ingest - ServicesController::ingestIncident: crea incidente Art.23 da alert esterno (scope ingest:incidents) - Dedup su external_ref (org+ref), mapSeverity (CVSS/P1-P5/stringhe -> enum) - Classificazione AI best-effort (classifyIncident: IS-1..4, severity, significativita) - Deadline Art.23 (24h/72h/30g) su incidenti significativi + webhook dispatch - Migrazione 023: incidents += source/source_system/external_ref + indice univoco dedup - Route POST:incidentsIngest in index.php Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-30 08:41:57 +02:00
DevEnv nis2-agile	d5d83bb3b9	[FEAT] AiController /api/ai/ask (ARIA) -> askWithRag + fix DNS Qdrant php-fpm Il FAB ARIA (common.js) chiamava POST /api/ai/ask ma il controller non esisteva (assistente AI rotto). Creato AiController::ask -> AIService::askWithRag con RAG su KB + grounding fonti certe. Verificato in produzione: rag_used=True, cita Ambiti NIS2 / Determina ACN. Fix DNS Qdrant: nei worker php-fpm (musl) getenv e gethostbyname NON funzionano per hostname Docker single-label; funziona solo un IP letterale. VectorService fallback -> 172.21.0.3 (fpm-safe); QDRANT_URL compose resta hostname per CLI. Vedi nota drift in VectorService. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-29 18:55:44 +02:00
DevEnv nis2-agile	5c545ea3d0	[FEAT] Integrazione analisi docs/nis2 v1.7.0 — scoring asset, tassonomia incidenti, PIR, NIST CSF, fonti certe Fase 1 - Asset Relevance Scoring NIS2 (GV.OC-04): metodologia 0-100 a 6 criteri, AssetScoringService + endpoint scoringGrid/score/relevantSystems + UI assets.html + registro stampabile. Fase 2 - Tassonomia incidenti Determina ACN 164179/2025: IS-1..4 + regime essenziale/importante (Allegati 3/4). Fase 3 - Post-Incident Review (5-Whys) + metriche TTD/TTC/TTR + timestamp di fase. Fase 4 - Mapping NIST CSF 2.0 (43 controlli) reference-only. Fonti certe: registry config/nis2_sources.php + grounding AI (vieta riferimenti inventati) + citazioni help.js + ingest PDF normativi nella KB RAG (scripts/ingest-nis2-sources.php). Migrazioni 020/021/022 (additive idempotenti). Fix VectorService IP Qdrant (drift .5->.3). Analisi concorrenza Evix (docs/EVIX_ANALISI_CONCORRENZA.html, gap-driven). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-29 17:15:13 +02:00
DevEnv nis2-agile	e4f9e9179e	[FEAT] Allineamento NIS2 ↔ TRPG (Fasi 1-5): SSO + Sessions + Reset + Impersonate + Branding Implementazione completa del progetto allineamento alla suite Evix (TRPG/lg231), basato sul doc canonico docs/GAP_TRPG_NIS2_ALIGNMENT.md (5 fasi, 18 gap). Version 1.0.0 → 1.5.0 Fase 1 — SSO Federation (v1.1.0) - Migration 015_sso_columns: users.sso_identity_id + password_version - application/services/SsoHelper.php (client SSO dual-mode, cURL nativo, zero deps) - AuthController::login() + changePassword() conditional SSO (SSO_MODE=local default) Fase 2 — Multi-device Sessions (v1.2.0) - Migration 016_active_sessions: tabella + refresh_tokens.session_jti - BaseController::requireAuth() verifica jti + last_activity throttle + parseDeviceLabel - login() genera jti, logout/changePassword revoca selettiva - GET/DELETE /auth/sessions[/{id}] - UI settings.html tab Sicurezza con lista device + revoca Fase 3 — Password Reset + Tenant Switcher (v1.3.0) - Migration 017_password_reset_tokens (TTL 30min, single-use) - POST /auth/forgot-password (risposta opaca) + reset-password - Pagine forgot-password.html + reset-password.html (con strength bar) - EmailService::sendPasswordReset - POST /auth/switchContext con rotazione JWT + organization_id claim - Dropdown tenant in sidebar esposto a tutti gli utenti con ≥2 org Fase 4 — Impersonate + Preferences + Versioning UI (v1.4.0) - POST /auth/impersonate (super_admin o consulente stesso firm, TTL 1h, audit) - Migration 018_user_preferences: users.theme/timezone/notif_email/notif_inapp - GET/PUT /auth/preferences - Sidebar footer mostra versione + changelog modal su click Fase 5 — Branding white-label + Auth-gate (v1.5.0) - Migration 019_firm_branding (logo/colori/brand_name per consulting firm) - BrandingController GET /branding/current (auth opzionale) + PUT - common.js auto-applica CSS variables al boot - public/js/auth-gate.js (gate password client-side per docs riservati, da TRPG) Skip motivati: - G15 demo login: simulator esistenti coprono - G18 refactor controllers: rinviato (~5gg, valore tecnico solo) Cron sync SSO: AgileHub Ticket #220 aperto a team AGILEHUB per estendere sso-password-sync.sh al DB nis2_agile_db. Prerequisito per switch SSO_MODE=dual. Backup files: tutti i file modificati hanno .bak.pre-{fase}-{ts} sia in DEV sia in /var/www/nis2-agile/.backups/ su Hetzner (rollback ready). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-29 13:18:35 +02:00
DevEnv nis2-agile	56df54f8b1	[FEAT] Services API: full-snapshot endpoint + BigSim SSE wrapper - ServicesController: nuovo endpoint GET /api/services/full-snapshot Aggrega gap-analysis, measures, incidents, training, deadlines, compliance-summary in una sola chiamata (reduce 6 round-trip → 1) Parametro ?days=N per finestra deadlines (default 30, max 365) - public/index.php: route GET:fullSnapshot aggiunta all'action map services - public/simulate-nis2-big.php: wrapper SSE per simulate-nis2-big.php Esegue il simulatore come sottoprocesso CLI con NIS2_SSE=1 e streama l'output al browser tramite Server-Sent Events Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-17 15:16:00 +01:00
DevEnv nis2-agile	cfaead6121	[FEAT] CertiSource atti-service.php integration: structured data, PAT auth, ATECO fix Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-17 14:07:16 +01:00
DevEnv nis2-agile	1382530189	[FEAT] Sistema Segnalazioni & Risoluzione AI (feedback) Adattato da alltax.it — il sistema più maturo testato con utenti reali. Backend: - FeedbackController: 6 endpoint (submit, mine, list, show, update, resolve) - FeedbackService: createReport + classifyWithAI + broadcastResolution - AIService::classifyFeedback() — 10s timeout, 500 token, JSON puro - EmailService::sendFeedbackResolved() — broadcast email org - DB migration 014: tabella feedback_reports Frontend: - feedback.js: FAB rosso #EF4444, modal 2 fasi (form → AI → password gate) - Tab "Le mie segnalazioni" con badge status - Auto-init su tutte le pagine autenticate (common.js::checkAuth) - api.js: 6 metodi client; style.css: stili completi Worker: - scripts/feedback-worker.php: cron ogni 30 min → docker exec nis2-agile-devenv + Claude Code CLI → risoluzione autonoma con POST /api/feedback/{id}/resolve Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-10 08:51:52 +01:00
DevEnv nis2-agile	b1dcd4cbd7	[FEAT] Standardizzazione lead form — allineamento a TRPG Agile MktgLeadController.php: - Endpoint POST /api/mktg-lead/submit (standard condiviso TRPG/NIS2) - Proxy a mktg.agile.software/api/webhook/leads con X-Webhook-Key server-side - Payload standard: name, email, phone, company, product_interest, source, notes - source: "nis2-landing" per tracciamento CRM - Fallback email a info@agile.software se webhook non raggiungibile - Rate limit 3/10min per IP, supporto campi IT e EN index.html — form allineato a TRPG: - Aggiunto: telefono (opzionale) - Aggiunto: tipo utilizzo (select 6 opzioni) - N° dipendenti: fasce standardizzate (<50/50-249/250-999/1000+) - Aggiunto: interesse (info/demo/accesso/integrazione B2B) - Endpoint aggiornato a /api/mktg-lead/submit - Payload mappato su campi standard EN + source: "nis2-landing" Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-09 12:14:42 +01:00
DevEnv nis2-agile	0a194f6f12	[FEAT] Landing NIS2: accesso su invito + form lead request - index.html: CTA "Registrati" → "Richiedi accesso" (anchor form) Badge hero "Accesso su invito — Richiedi il tuo codice per iniziare" Sezione #richiedi-accesso con form lead (nome, email, azienda, ruolo, dimensioni, messaggio) + JS submit asincrono + stato successo/errore CTA finale aggiornato con messaggio codice invito - ContactController.php: POST /api/contact/request-invite Validazione campi, rate limit 3/10min per IP, email a info@agile.software tramite EmailService con template HTML branded - index.php: route contact → ContactController + action requestInvite Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-09 11:23:40 +01:00
DevEnv nis2-agile	19a9e5622d	[FEAT] L4 AI Cross-Analysis — analisi aggregata multi-org per consulenti - CrossAnalysisController.php: analyze/history/portfolio (k-anonymity min 2 org) - AIService::crossOrgAnalysis(): aggregazione 9 dimensioni, zero PII nel prompt - cross-analysis.html: chat UI purple theme, 3 tab, quick questions, portfolio stats - index.php: routing /api/cross-analysis/{analyze,history,portfolio} - common.js: link "AI Cross-Analysis" in sidebar sezione Gestione - docs/AI_LEVELS_SCHEMA.md: schema architetturale L1-L5 con matrice privacy Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-09 08:17:53 +01:00
DevEnv nis2-agile	ab0e3755f4	[BACKEND] Completa backend: validate-invite, lookup-piva, ruoli, SIM-06 AuthController: - register() accetta `role` diretto (compliance_manager, org_admin, auditor, board_member, consultant) - Aggiunto validateInvite() → POST /api/auth/validate-invite (no auth) OnboardingController: - Aggiunto lookupPiva() → POST /api/onboarding/lookup-piva (no auth, rate limit 10/min) usato da register.html per P.IVA lookup pre-login Router (index.php): - Aggiunto POST:validateInvite e POST:lookupPiva api.js: - register() invia sia `role` che `user_type` per retrocompatibilità simulate-nis2.php: - SIM-06: B2B provisioning via X-Provision-Secret → org + JWT + API Key - Filtro NIS2_SIM=SIM06 via goto per skip SIM-01→05 indipendenti - readEnvValue() helper per leggere PROVISION_SECRET da .env register.html: - lookupPiva usa /onboarding/lookup-piva (endpoint pubblico) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-07 17:23:16 +01:00
DevEnv nis2-agile	612befd66d	[INVITE] Sistema inviti/licenze B2B + provisioning con invite_token - InviteController: CRUD inviti (gen, list, show, revoke, rigenera, validate) - Token inv_* sha256-hashed, one-shot o multi-use, canali, scadenza - ServicesController::provision() accetta invite_token al posto di X-Provision-Secret Piano e durata forzati dall'invito, markUsed() chiaamto dopo provisioning riuscito - index.php: routing /api/invites/* aggiunto (controller + action map) - integrazioniext.html: nuovo tab "Inviti & Licenze" con flow completo, endpoints, esempi curl/php, guida lg231 aggiornata con sezione provisioning automatico Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-07 15:22:25 +01:00
DevEnv nis2-agile	6933e1d3fb	[INTEG] Provisioning B2B automatico + fix JWT helpers - POST /api/services/provision: onboarding automatico tenant da lg231 - X-Provision-Secret auth (master secret, non org-specific) - Crea org (con tutti i dati lg231: P.IVA, ATECO, sede, PEC, fatturato) - Crea admin user con password temporanea (must_change_password=1) - Genera API Key scope [read:all, write:all, admin:org, sso:login] - Emette JWT 2h per apertura immediata UI - Callback webhook a lg231 con api_key - Idempotent: stessa P.IVA → restituisce org esistente - Audit: org.provisioned severity=critical - config.php: PROVISION_SECRET (env var) - BaseController: base64UrlEncode/Decode da private → protected - Migration 011: colonne provisioning + must_change_password + indexes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-07 15:02:11 +01:00
DevEnv nis2-agile	1f534db33a	[INTEG] Token exchange + SSO federato + Audit trail chiamate esterne ServicesController: - POST /api/services/token: lg231 invia API key → riceve JWT 15min - POST /api/services/sso: SSO federato con identità utente + responsabilità → crea/trova utente NIS2 + emette JWT 2h con ruolo e responsibilities - Audit trail: ogni chiamata esterna autenticata loggata (api.external_call) - SSO login loggato come auth.sso_login severity=warning con responsabilità Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-07 14:46:27 +01:00
DevEnv nis2-agile	874eabb6fc	[FEAT] Simulazioni Demo + Audit Trail Certificato SHA-256 - 5 scenari reali: Onboarding, Ransomware Art.23, Data Breach Supply Chain, Whistleblowing SCADA, Audit Hash Chain Verification - simulate-nis2.php: 3 aziende (DataCore/MedClinic/EnerNet), 10 fasi, CLI+SSE - AuditService.php: hash chain SHA-256 stile lg231 (prev_hash+entry_hash) - Migration 010: prev_hash, entry_hash, severity, performed_by su audit_logs - AuditController: GET chain-verify + GET export-certified - reset-demo.sql: reset dati demo idempotente - public/simulate.html: web runner SSE con console dark-theme - Sidebar: link Simulazione Demo + Integrazioni Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-07 13:56:53 +01:00
DevEnv nis2-agile	86e9bdded2	[FEAT] Services API, Webhook, Whistleblowing, Normative + integrazioni Sprint completo — prodotto presentation-ready: Services API (read-only, API Key + scope): - GET /api/services/status\|compliance-summary\|risks-feed\|incidents-feed - GET /api/services/controls-status\|assets-critical\|suppliers-risk\|policies-approved - GET /api/services/openapi (spec OpenAPI 3.0.3 JSON) Webhook Outbound (Stripe-like HMAC-SHA256): - CRUD api_keys + webhook_subscriptions (Settings → 2 nuovi tab) - WebhookService: retry 3x backoff (0s/5min/30min), delivery log - Trigger auto in IncidentController, RiskController, PolicyController - Delivery log, test ping, processRetry Nuovi moduli: - WhistleblowingController (Art.32 NIS2): anonimato garantito, timeline, token tracking - NormativeController: feed NIS2/ACN/DORA con ACK tracciato per audit Frontend: - whistleblowing.html: form submit anonimo/firmato + gestione CISO - normative.html: feed con presa visione documentata + progress bar ACK - public/docs/api.html: documentazione API dark theme (Swagger-like) - settings.html: tab API Keys + tab Webhook - integrations/: guide per lg231, SustainAI, AllRisk, SIEM (widget + codice) - Sidebar: Segnalazioni + Normative aggiunte a common.js DB: migration 007 (api_keys, webhook_subscriptions, webhook_deliveries), 008 (whistleblowing_reports + timeline), 009 (normative_updates + normative_ack + seed NIS2/ACN/DORA/ISO) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-07 13:20:24 +01:00
DevEnv nis2-agile	782389849f	[SEC+UX] Hardening sicurezza + miglioramenti UX pre-audit SICUREZZA: - index.php: rimosso CORS wildcard in debug mode (solo origini autorizzate) - AuthController: getClientIP() con X-Forwarded-For sicuro (proxy-aware) - AuthController: refresh token con SELECT FOR UPDATE in transazione atomica - AIService: anonimizzazione dati org nei prompt Anthropic API (no nome/fatturato) UX AUDIT-READY: - dashboard.html: gauge rinominato 'Avanzamento implementazione misure Art.21' - incidents.html: decision tree Art.23 con 5 criteri per 'Is Significant?' - policies.html: banner warning obbligatorio su bozze generate da AI - risks.html: tooltip dettagliati scala Likelihood/Impact (ISO 27005) - assessment.html: progress bar % completamento risposta domande DB: - migration 006: indici performance + audit_log immutabile (trigger) + soft delete Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-20 12:01:33 +01:00
DevEnv nis2-agile	ba21534e6a	[DEPLOY] Migrazione a subdomain nis2.certisource.it Rimozione prefisso /nis2/ da tutti i path frontend e router: - index.php: basePath '' (da '/nis2') - api.js: baseUrl '/api' (da '/nis2/api') - Tutti i file HTML: path assoluti senza prefisso /nis2/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-19 14:05:18 +01:00
Cristiano Benassati	4e3408e9f6	[FEAT] Visura auto-fill, adesione volontaria, modulo NCR/CAPA 1. Fix auto-fill visura: mapping corretto suggested_sector e employees_range, indicatori visivi verdi sui campi auto-compilati, fatturato sempre manuale 2. Adesione volontaria: colonna voluntary_compliance, checkbox in onboarding step 5 quando not_applicable, toggle in settings, reset su ri-classificazione 3. Modulo NCR/CAPA: NonConformityController con 10 endpoint API, tabelle non_conformities + capa_actions, generazione NCR dai gap assessment, predisposizione integrazione SistemiG.agile (webhook + sync) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-18 08:12:57 +01:00
Cristiano Benassati	bcc5a2b003	[FIX] E2E testing - fix router, EmailService, frontend data mapping Critical fixes discovered during end-to-end testing: Router (index.php): - Rewrote route resolution engine to properly handle /{id}/subAction patterns - All routes like GET /assessments/{id}/questions, POST /incidents/{id}/early-warning, GET /organizations/{id}/members now resolve correctly - Routes with kebab-case sub-actions (early-warning, ai-analyze) now convert to camelCase - Controller methods receive correct arguments via spread operator EmailService.php: - Fix PHP parse error: ?? operator cannot be used inside string interpolation {} - Extract incident_code to variable before interpolation (3 occurrences) assessment.html: - Fix data structure handling: API returns categories with nested questions array - Fix field names: question_code (not question_id), response_value (not compliance_level) - Fix answer enum values: not_implemented/partial/implemented (not Italian) - Fix question text field: question_text (not text/question/title) - Show NIS2 article and ISO 27001 control references - Fix response restoration from existing answers dashboard.html: - Fix data mapping from overview API response structure - risks.total instead of open_risks, policies array instead of approved_policies - Calculate training completion percentage from training object - Load deadlines/activity from dedicated endpoints (not included in overview) onboarding.html: - Fix field name mismatches: annual_turnover_eur, contact_email, contact_phone, full_name, phone (matching OnboardingController expected params) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-17 19:40:26 +01:00
Cristiano Benassati	6f4b457ce0	[FEAT] Add EmailService, RateLimitService, ReportService + integrations Services: - EmailService: CSIRT notifications (24h/72h/30d), training alerts, welcome email - RateLimitService: File-based rate limiting for auth and AI endpoints - ReportService: Executive HTML report, CSV exports (risks/incidents/controls/assets) Integrations: - AuthController: Rate limiting on login (5/min, 20/h) and register (3/10min) - IncidentController: Email notifications on CSIRT milestones - AuditController: Executive report and CSV export endpoints - Router: 429 rate limit error handling, new audit export routes Database: - Migration 002: email_log table for notification tracking Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-17 19:12:46 +01:00
Cristiano Benassati	9aa2788c68	[FEAT] Add onboarding wizard with visura camerale and CertiSource integration - New 5-step onboarding wizard (onboarding.html) replacing setup-org.html - Step 1: Choose data source (Upload Visura / CertiSource / Manual) - Step 2: PDF upload with AI extraction or CertiSource P.IVA lookup - Step 3: Verify/complete company data with NIS2 sector mapping - Step 4: User profile completion - Step 5: NIS2 classification (Essential/Important) with summary - OnboardingController with upload-visura, fetch-company, complete endpoints - VisuraService with Claude AI PDF extraction and ATECO-to-NIS2 mapping - CertiSource API integration for automatic company data retrieval - Updated login/register redirects to point to new onboarding wizard Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-17 19:01:34 +01:00
Cristiano Benassati	ae78a2f7f4	[CORE] Initial project scaffold - NIS2 Agile Compliance Platform Complete MVP implementation including: - PHP 8.4 backend with Front Controller pattern (80+ API endpoints) - Multi-tenant architecture with organization_id isolation - JWT authentication (HS256, 2h access + 7d refresh tokens) - 14 controllers: Auth, Organization, Assessment, Dashboard, Risk, Incident, Policy, SupplyChain, Training, Asset, Audit, Admin - AI Service integration (Anthropic Claude API) for gap analysis, risk suggestions, policy generation, incident classification - NIS2 gap analysis questionnaire (~80 questions, 10 categories) - MySQL schema (20 tables) with NIS2 Art. 21 compliance controls - NIS2 Art. 23 incident reporting workflow (24h/72h/30d) - Frontend: login, register, dashboard, assessment wizard, org setup - Docker configuration (PHP-FPM + Nginx + MySQL) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-17 17:50:18 +01:00

26 Commits