AdminGit2026/nis2-agile
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
128 Commits 1 Branch 0 Tags 12 MiB
4924075142
Commit Graph

21 Commits

Author SHA1 Message Date
DevEnv nis2-agile
4924075142 [FEAT] Asset import CMDB/cloud + scoring automatico GV.OC-04 (P2) 
- AssetScoringService::inferCriteria: euristica 6 criteri da campi CMDB
  (criticality, data_classification, internet_facing, dependencies, regulated)
- AssetController::import (JWT org_admin/compliance_manager) + bulkUpsert condiviso:
  upsert dedup su external_ref, scoring auto GV.OC-04, max 1000 asset/batch
- ServicesController::ingestAssets -> POST /services/assets-ingest (scope ingest:assets) per connettori CMDB/cloud
- Migrazione 025: assets += external_ref + discovery_source + indice univoco dedup
- Route POST:assetsIngest (services) + POST:import (assets)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-05-30 09:14:12 +02:00
DevEnv nis2-agile
d5d83bb3b9 [FEAT] AiController /api/ai/ask (ARIA) -> askWithRag + fix DNS Qdrant php-fpm 
Il FAB ARIA (common.js) chiamava POST /api/ai/ask ma il controller non esisteva
(assistente AI rotto). Creato AiController::ask -> AIService::askWithRag con RAG su KB
+ grounding fonti certe. Verificato in produzione: rag_used=True, cita Ambiti NIS2 / Determina ACN.

Fix DNS Qdrant: nei worker php-fpm (musl) getenv e gethostbyname NON funzionano per
hostname Docker single-label; funziona solo un IP letterale. VectorService fallback ->
172.21.0.3 (fpm-safe); QDRANT_URL compose resta hostname per CLI. Vedi nota drift in VectorService.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-05-29 18:55:44 +02:00
DevEnv nis2-agile
94d7867cea [FIX] Qdrant URL hostname drift-proof (RAG produzione) + recreate app 
L'IP hardcoded Qdrant 172.21.0.5 era driftato a .3 (container senza IP statico) e
con php-fpm clear_env=no la env QDRANT_URL=172.21.0.5 (morta) veniva usata -> RAG web rotta.
Fix: QDRANT_URL e fallback VectorService usano l'hostname http://nis2-qdrant:6333,
risolto via Docker DNS sia in CLI sia in php-fpm. Verificato retrieval end-to-end (287 chunk).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-05-29 17:22:54 +02:00
DevEnv nis2-agile
5c545ea3d0 [FEAT] Integrazione analisi docs/nis2 v1.7.0 — scoring asset, tassonomia incidenti, PIR, NIST CSF, fonti certe 
Fase 1 - Asset Relevance Scoring NIS2 (GV.OC-04): metodologia 0-100 a 6 criteri,
  AssetScoringService + endpoint scoringGrid/score/relevantSystems + UI assets.html + registro stampabile.
Fase 2 - Tassonomia incidenti Determina ACN 164179/2025: IS-1..4 + regime essenziale/importante (Allegati 3/4).
Fase 3 - Post-Incident Review (5-Whys) + metriche TTD/TTC/TTR + timestamp di fase.
Fase 4 - Mapping NIST CSF 2.0 (43 controlli) reference-only.
Fonti certe: registry config/nis2_sources.php + grounding AI (vieta riferimenti inventati) +
  citazioni help.js + ingest PDF normativi nella KB RAG (scripts/ingest-nis2-sources.php).
Migrazioni 020/021/022 (additive idempotenti). Fix VectorService IP Qdrant (drift .5->.3).
Analisi concorrenza Evix (docs/EVIX_ANALISI_CONCORRENZA.html, gap-driven).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-05-29 17:15:13 +02:00
DevEnv nis2-agile
a7a21faa82 [FEAT] Knowledge Base RAG multi-livello (SYSTEM/FIRM/ORG) + Qdrant + Voyage 
- KnowledgeBaseController: ingest, list, firmOrgs, search, delete
- VectorService (Qdrant + buildAuthzFilter), EmbedService (Voyage), RagService (pipeline)
- AIService::askWithRag con fallback graceful
- docker-compose: servizio qdrant + env Voyage (chiave da .env/vault, no hardcoded)
- SQL 012 consulting_firms, 013 firm_assignments + kb_uploaded_documents
- public/kb.html + kb.js (upload, lista, search preview)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-05-29 15:44:13 +02:00
DevEnv nis2-agile
e4f9e9179e [FEAT] Allineamento NIS2 ↔ TRPG (Fasi 1-5): SSO + Sessions + Reset + Impersonate + Branding 
Implementazione completa del progetto allineamento alla suite Evix (TRPG/lg231),
basato sul doc canonico docs/GAP_TRPG_NIS2_ALIGNMENT.md (5 fasi, 18 gap).

Version 1.0.0 → 1.5.0

Fase 1 — SSO Federation (v1.1.0)
- Migration 015_sso_columns: users.sso_identity_id + password_version
- application/services/SsoHelper.php (client SSO dual-mode, cURL nativo, zero deps)
- AuthController::login() + changePassword() conditional SSO (SSO_MODE=local default)

Fase 2 — Multi-device Sessions (v1.2.0)
- Migration 016_active_sessions: tabella + refresh_tokens.session_jti
- BaseController::requireAuth() verifica jti + last_activity throttle + parseDeviceLabel
- login() genera jti, logout/changePassword revoca selettiva
- GET/DELETE /auth/sessions[/{id}]
- UI settings.html tab Sicurezza con lista device + revoca

Fase 3 — Password Reset + Tenant Switcher (v1.3.0)
- Migration 017_password_reset_tokens (TTL 30min, single-use)
- POST /auth/forgot-password (risposta opaca) + reset-password
- Pagine forgot-password.html + reset-password.html (con strength bar)
- EmailService::sendPasswordReset
- POST /auth/switchContext con rotazione JWT + organization_id claim
- Dropdown tenant in sidebar esposto a tutti gli utenti con ≥2 org

Fase 4 — Impersonate + Preferences + Versioning UI (v1.4.0)
- POST /auth/impersonate (super_admin o consulente stesso firm, TTL 1h, audit)
- Migration 018_user_preferences: users.theme/timezone/notif_email/notif_inapp
- GET/PUT /auth/preferences
- Sidebar footer mostra versione + changelog modal su click

Fase 5 — Branding white-label + Auth-gate (v1.5.0)
- Migration 019_firm_branding (logo/colori/brand_name per consulting firm)
- BrandingController GET /branding/current (auth opzionale) + PUT
- common.js auto-applica CSS variables al boot
- public/js/auth-gate.js (gate password client-side per docs riservati, da TRPG)

Skip motivati:
- G15 demo login: simulator esistenti coprono
- G18 refactor controllers: rinviato (~5gg, valore tecnico solo)

Cron sync SSO: AgileHub Ticket #220 aperto a team AGILEHUB per estendere
sso-password-sync.sh al DB nis2_agile_db. Prerequisito per switch SSO_MODE=dual.

Backup files: tutti i file modificati hanno .bak.pre-{fase}-{ts} sia in DEV
sia in /var/www/nis2-agile/.backups/ su Hetzner (rollback ready).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-29 13:18:35 +02:00
DevEnv nis2-agile
56df54f8b1 [FEAT] Services API: full-snapshot endpoint + BigSim SSE wrapper 
- ServicesController: nuovo endpoint GET /api/services/full-snapshot
  Aggrega gap-analysis, measures, incidents, training, deadlines,
  compliance-summary in una sola chiamata (reduce 6 round-trip → 1)
  Parametro ?days=N per finestra deadlines (default 30, max 365)

- public/index.php: route GET:fullSnapshot aggiunta all'action map services

- public/simulate-nis2-big.php: wrapper SSE per simulate-nis2-big.php
  Esegue il simulatore come sottoprocesso CLI con NIS2_SSE=1 e
  streama l'output al browser tramite Server-Sent Events

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-17 15:16:00 +01:00
DevEnv nis2-agile
75a678f60e [FEAT] CertiSource atti-service.php integration: structured data, PAT auth, ATECO fix 
- VisuraService::fetchFromCertiSource: new atti-service.php API (POST richiesta → polling stato → GET dati)
- Structured data mapping: sedi/ateco_codes/cariche/addetti → formato interno
- mapAtecoToNis2Sector: allineato ENUM DB (digital_infra, water, waste, public_admin, ecc.)
- config.php: CERTISOURCE_API_URL, CERTISOURCE_API_KEY, CERTISOURCE_POLL_MAX/SEC
- PHP 8.4: curl_close → unset,  usato in logAiInteraction

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-17 13:24:03 +01:00
DevEnv nis2-agile
c52766953d [FEAT] Help online feedback, traduzioni IT/EN, AI system prompt aggiornato 
- help.js: nuova sezione 'feedback' con 6 sotto-sezioni (come usare FAB,
  risposta AI, password gate, le mie segnalazioni, worker autonomo, consigli)
- i18n.js: 30 chiavi IT/EN per tutto il sistema feedback
- AIService::callAPI: system prompt esteso con lista completa moduli NIS2 Agile
- AIService::classifyFeedback: system prompt NIS2-aware

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-10 09:05:12 +01:00
DevEnv nis2-agile
3a382d34be [FIX] FeedbackController/Service: u.name → u.full_name (colonna corretta) 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-10 08:56:19 +01:00
DevEnv nis2-agile
1382530189 [FEAT] Sistema Segnalazioni & Risoluzione AI (feedback) 
Adattato da alltax.it — il sistema più maturo testato con utenti reali.

Backend:
- FeedbackController: 6 endpoint (submit, mine, list, show, update, resolve)
- FeedbackService: createReport + classifyWithAI + broadcastResolution
- AIService::classifyFeedback() — 10s timeout, 500 token, JSON puro
- EmailService::sendFeedbackResolved() — broadcast email org
- DB migration 014: tabella feedback_reports

Frontend:
- feedback.js: FAB rosso #EF4444, modal 2 fasi (form → AI → password gate)
- Tab "Le mie segnalazioni" con badge status
- Auto-init su tutte le pagine autenticate (common.js::checkAuth)
- api.js: 6 metodi client; style.css: stili completi

Worker:
- scripts/feedback-worker.php: cron ogni 30 min
  → docker exec nis2-agile-devenv + Claude Code CLI
  → risoluzione autonoma con POST /api/feedback/{id}/resolve

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-10 08:51:52 +01:00
DevEnv nis2-agile
27ec63c28d [FIX] ServicesController: entity_type (nis2_entity_type col non esiste) + WebhookService risk.status null-safe 2026-03-09 10:14:30 +01:00
DevEnv nis2-agile
13df162ec4 [FIX] SIM-06 + EmailService + WebhookService + supplier assessment 
- ServicesController::provision(): created_by usa userId (INT) non string
- EmailService::logEmail(): rimosso sent_at (colonna non esiste in email_log)
- WebhookService::incidentPayload(): status ?? 'detected' (null-safe)
- simulate-nis2.php: supplier assessment usa formato assessment_responses
  corretto [{question, weight, value: yes|partial|no}]

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-09 09:56:39 +01:00
DevEnv nis2-agile
19a9e5622d [FEAT] L4 AI Cross-Analysis — analisi aggregata multi-org per consulenti 
- CrossAnalysisController.php: analyze/history/portfolio (k-anonymity min 2 org)
- AIService::crossOrgAnalysis(): aggregazione 9 dimensioni, zero PII nel prompt
- cross-analysis.html: chat UI purple theme, 3 tab, quick questions, portfolio stats
- index.php: routing /api/cross-analysis/{analyze,history,portfolio}
- common.js: link "AI Cross-Analysis" in sidebar sezione Gestione
- docs/AI_LEVELS_SCHEMA.md: schema architetturale L1-L5 con matrice privacy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-09 08:17:53 +01:00
DevEnv nis2-agile
874eabb6fc [FEAT] Simulazioni Demo + Audit Trail Certificato SHA-256 
- 5 scenari reali: Onboarding, Ransomware Art.23, Data Breach Supply Chain,
  Whistleblowing SCADA, Audit Hash Chain Verification
- simulate-nis2.php: 3 aziende (DataCore/MedClinic/EnerNet), 10 fasi, CLI+SSE
- AuditService.php: hash chain SHA-256 stile lg231 (prev_hash+entry_hash)
- Migration 010: prev_hash, entry_hash, severity, performed_by su audit_logs
- AuditController: GET chain-verify + GET export-certified
- reset-demo.sql: reset dati demo idempotente
- public/simulate.html: web runner SSE con console dark-theme
- Sidebar: link Simulazione Demo + Integrazioni

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-07 13:56:53 +01:00
DevEnv nis2-agile
86e9bdded2 [FEAT] Services API, Webhook, Whistleblowing, Normative + integrazioni 
Sprint completo — prodotto presentation-ready:

Services API (read-only, API Key + scope):
- GET /api/services/status|compliance-summary|risks-feed|incidents-feed
- GET /api/services/controls-status|assets-critical|suppliers-risk|policies-approved
- GET /api/services/openapi (spec OpenAPI 3.0.3 JSON)

Webhook Outbound (Stripe-like HMAC-SHA256):
- CRUD api_keys + webhook_subscriptions (Settings → 2 nuovi tab)
- WebhookService: retry 3x backoff (0s/5min/30min), delivery log
- Trigger auto in IncidentController, RiskController, PolicyController
- Delivery log, test ping, processRetry

Nuovi moduli:
- WhistleblowingController (Art.32 NIS2): anonimato garantito, timeline, token tracking
- NormativeController: feed NIS2/ACN/DORA con ACK tracciato per audit

Frontend:
- whistleblowing.html: form submit anonimo/firmato + gestione CISO
- normative.html: feed con presa visione documentata + progress bar ACK
- public/docs/api.html: documentazione API dark theme (Swagger-like)
- settings.html: tab API Keys + tab Webhook
- integrations/: guide per lg231, SustainAI, AllRisk, SIEM (widget + codice)
- Sidebar: Segnalazioni + Normative aggiunte a common.js

DB: migration 007 (api_keys, webhook_subscriptions, webhook_deliveries),
    008 (whistleblowing_reports + timeline),
    009 (normative_updates + normative_ack + seed NIS2/ACN/DORA/ISO)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-07 13:20:24 +01:00
DevEnv nis2-agile
782389849f [SEC+UX] Hardening sicurezza + miglioramenti UX pre-audit 
SICUREZZA:
- index.php: rimosso CORS wildcard in debug mode (solo origini autorizzate)
- AuthController: getClientIP() con X-Forwarded-For sicuro (proxy-aware)
- AuthController: refresh token con SELECT FOR UPDATE in transazione atomica
- AIService: anonimizzazione dati org nei prompt Anthropic API (no nome/fatturato)

UX AUDIT-READY:
- dashboard.html: gauge rinominato 'Avanzamento implementazione misure Art.21'
- incidents.html: decision tree Art.23 con 5 criteri per 'Is Significant?'
- policies.html: banner warning obbligatorio su bozze generate da AI
- risks.html: tooltip dettagliati scala Likelihood/Impact (ISO 27005)
- assessment.html: progress bar % completamento risposta domande

DB:
- migration 006: indici performance + audit_log immutabile (trigger) + soft delete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-02-20 12:01:33 +01:00
Cristiano Benassati
bcc5a2b003 [FIX] E2E testing - fix router, EmailService, frontend data mapping 
Critical fixes discovered during end-to-end testing:

Router (index.php):
- Rewrote route resolution engine to properly handle /{id}/subAction patterns
- All routes like GET /assessments/{id}/questions, POST /incidents/{id}/early-warning,
  GET /organizations/{id}/members now resolve correctly
- Routes with kebab-case sub-actions (early-warning, ai-analyze) now convert to camelCase
- Controller methods receive correct arguments via spread operator

EmailService.php:
- Fix PHP parse error: ?? operator cannot be used inside string interpolation {}
- Extract incident_code to variable before interpolation (3 occurrences)

assessment.html:
- Fix data structure handling: API returns categories with nested questions array
- Fix field names: question_code (not question_id), response_value (not compliance_level)
- Fix answer enum values: not_implemented/partial/implemented (not Italian)
- Fix question text field: question_text (not text/question/title)
- Show NIS2 article and ISO 27001 control references
- Fix response restoration from existing answers

dashboard.html:
- Fix data mapping from overview API response structure
- risks.total instead of open_risks, policies array instead of approved_policies
- Calculate training completion percentage from training object
- Load deadlines/activity from dedicated endpoints (not included in overview)

onboarding.html:
- Fix field name mismatches: annual_turnover_eur, contact_email, contact_phone,
  full_name, phone (matching OnboardingController expected params)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 19:40:26 +01:00
Cristiano Benassati
6f4b457ce0 [FEAT] Add EmailService, RateLimitService, ReportService + integrations 
Services:
- EmailService: CSIRT notifications (24h/72h/30d), training alerts, welcome email
- RateLimitService: File-based rate limiting for auth and AI endpoints
- ReportService: Executive HTML report, CSV exports (risks/incidents/controls/assets)

Integrations:
- AuthController: Rate limiting on login (5/min, 20/h) and register (3/10min)
- IncidentController: Email notifications on CSIRT milestones
- AuditController: Executive report and CSV export endpoints
- Router: 429 rate limit error handling, new audit export routes

Database:
- Migration 002: email_log table for notification tracking

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 19:12:46 +01:00
Cristiano Benassati
9aa2788c68 [FEAT] Add onboarding wizard with visura camerale and CertiSource integration 
- New 5-step onboarding wizard (onboarding.html) replacing setup-org.html
- Step 1: Choose data source (Upload Visura / CertiSource / Manual)
- Step 2: PDF upload with AI extraction or CertiSource P.IVA lookup
- Step 3: Verify/complete company data with NIS2 sector mapping
- Step 4: User profile completion
- Step 5: NIS2 classification (Essential/Important) with summary
- OnboardingController with upload-visura, fetch-company, complete endpoints
- VisuraService with Claude AI PDF extraction and ATECO-to-NIS2 mapping
- CertiSource API integration for automatic company data retrieval
- Updated login/register redirects to point to new onboarding wizard

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 19:01:34 +01:00
Cristiano Benassati
ae78a2f7f4 [CORE] Initial project scaffold - NIS2 Agile Compliance Platform 
Complete MVP implementation including:
- PHP 8.4 backend with Front Controller pattern (80+ API endpoints)
- Multi-tenant architecture with organization_id isolation
- JWT authentication (HS256, 2h access + 7d refresh tokens)
- 14 controllers: Auth, Organization, Assessment, Dashboard, Risk,
  Incident, Policy, SupplyChain, Training, Asset, Audit, Admin
- AI Service integration (Anthropic Claude API) for gap analysis,
  risk suggestions, policy generation, incident classification
- NIS2 gap analysis questionnaire (~80 questions, 10 categories)
- MySQL schema (20 tables) with NIS2 Art. 21 compliance controls
- NIS2 Art. 23 incident reporting workflow (24h/72h/30d)
- Frontend: login, register, dashboard, assessment wizard, org setup
- Docker configuration (PHP-FPM + Nginx + MySQL)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 17:50:18 +01:00