nis2-agile

AdminGit2026/nis2-agile

Author	SHA1	Message	Date
DevEnv nis2-agile	397185e245	[SEC] Email kill-switch FAIL-SAFE: default OFF sempre (ambiente solo demo) APP_ENV sul container e' 'production' ma l'ambiente contiene SOLO dati demo: nessuna mail deve partire. Cambiato il default di EMAIL_SENDING_ENABLED da "true in production" a "false sempre". Le email partono SOLO con override esplicito EMAIL_SENDING_ENABLED=true. Fail-safe contro invii accidentali. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 18:48:00 +02:00
DevEnv nis2-agile	fe77ee8679	[SEC] EmailService: kill-switch invio email (EMAIL_SENDING_ENABLED) Ambiente con soli dati demo: NESSUNA email deve partire. Aggiunto guard all'inizio di sendViaRelay() e sendViaTemplate() (gli UNICI due punti che fanno HTTP al relay -> copre tutti i canali: incidenti, training, inviti, reminder, welcome, password reset, feedback, OTP portale fornitori). EMAIL_SENDING_ENABLED in config: default false in sviluppo, true in produzione, override via .env. Quando false l'invio viene loggato e scartato (return false), nessuna chiamata di rete. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 18:46:55 +02:00
DevEnv nis2-agile	e4f9e9179e	[FEAT] Allineamento NIS2 ↔ TRPG (Fasi 1-5): SSO + Sessions + Reset + Impersonate + Branding Implementazione completa del progetto allineamento alla suite Evix (TRPG/lg231), basato sul doc canonico docs/GAP_TRPG_NIS2_ALIGNMENT.md (5 fasi, 18 gap). Version 1.0.0 → 1.5.0 Fase 1 — SSO Federation (v1.1.0) - Migration 015_sso_columns: users.sso_identity_id + password_version - application/services/SsoHelper.php (client SSO dual-mode, cURL nativo, zero deps) - AuthController::login() + changePassword() conditional SSO (SSO_MODE=local default) Fase 2 — Multi-device Sessions (v1.2.0) - Migration 016_active_sessions: tabella + refresh_tokens.session_jti - BaseController::requireAuth() verifica jti + last_activity throttle + parseDeviceLabel - login() genera jti, logout/changePassword revoca selettiva - GET/DELETE /auth/sessions[/{id}] - UI settings.html tab Sicurezza con lista device + revoca Fase 3 — Password Reset + Tenant Switcher (v1.3.0) - Migration 017_password_reset_tokens (TTL 30min, single-use) - POST /auth/forgot-password (risposta opaca) + reset-password - Pagine forgot-password.html + reset-password.html (con strength bar) - EmailService::sendPasswordReset - POST /auth/switchContext con rotazione JWT + organization_id claim - Dropdown tenant in sidebar esposto a tutti gli utenti con ≥2 org Fase 4 — Impersonate + Preferences + Versioning UI (v1.4.0) - POST /auth/impersonate (super_admin o consulente stesso firm, TTL 1h, audit) - Migration 018_user_preferences: users.theme/timezone/notif_email/notif_inapp - GET/PUT /auth/preferences - Sidebar footer mostra versione + changelog modal su click Fase 5 — Branding white-label + Auth-gate (v1.5.0) - Migration 019_firm_branding (logo/colori/brand_name per consulting firm) - BrandingController GET /branding/current (auth opzionale) + PUT - common.js auto-applica CSS variables al boot - public/js/auth-gate.js (gate password client-side per docs riservati, da TRPG) Skip motivati: - G15 demo login: simulator esistenti coprono - G18 refactor controllers: rinviato (~5gg, valore tecnico solo) Cron sync SSO: AgileHub Ticket #220 aperto a team AGILEHUB per estendere sso-password-sync.sh al DB nis2_agile_db. Prerequisito per switch SSO_MODE=dual. Backup files: tutti i file modificati hanno .bak.pre-{fase}-{ts} sia in DEV sia in /var/www/nis2-agile/.backups/ su Hetzner (rollback ready). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-29 13:18:35 +02:00
DevEnv nis2-agile	75a678f60e	[FEAT] CertiSource atti-service.php integration: structured data, PAT auth, ATECO fix - VisuraService::fetchFromCertiSource: new atti-service.php API (POST richiesta → polling stato → GET dati) - Structured data mapping: sedi/ateco_codes/cariche/addetti → formato interno - mapAtecoToNis2Sector: allineato ENUM DB (digital_infra, water, waste, public_admin, ecc.) - config.php: CERTISOURCE_API_URL, CERTISOURCE_API_KEY, CERTISOURCE_POLL_MAX/SEC - PHP 8.4: curl_close → unset, usato in logAiInteraction Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-17 13:24:03 +01:00
DevEnv nis2-agile	1382530189	[FEAT] Sistema Segnalazioni & Risoluzione AI (feedback) Adattato da alltax.it — il sistema più maturo testato con utenti reali. Backend: - FeedbackController: 6 endpoint (submit, mine, list, show, update, resolve) - FeedbackService: createReport + classifyWithAI + broadcastResolution - AIService::classifyFeedback() — 10s timeout, 500 token, JSON puro - EmailService::sendFeedbackResolved() — broadcast email org - DB migration 014: tabella feedback_reports Frontend: - feedback.js: FAB rosso #EF4444, modal 2 fasi (form → AI → password gate) - Tab "Le mie segnalazioni" con badge status - Auto-init su tutte le pagine autenticate (common.js::checkAuth) - api.js: 6 metodi client; style.css: stili completi Worker: - scripts/feedback-worker.php: cron ogni 30 min → docker exec nis2-agile-devenv + Claude Code CLI → risoluzione autonoma con POST /api/feedback/{id}/resolve Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-10 08:51:52 +01:00
DevEnv nis2-agile	6933e1d3fb	[INTEG] Provisioning B2B automatico + fix JWT helpers - POST /api/services/provision: onboarding automatico tenant da lg231 - X-Provision-Secret auth (master secret, non org-specific) - Crea org (con tutti i dati lg231: P.IVA, ATECO, sede, PEC, fatturato) - Crea admin user con password temporanea (must_change_password=1) - Genera API Key scope [read:all, write:all, admin:org, sso:login] - Emette JWT 2h per apertura immediata UI - Callback webhook a lg231 con api_key - Idempotent: stessa P.IVA → restituisce org esistente - Audit: org.provisioned severity=critical - config.php: PROVISION_SECRET (env var) - BaseController: base64UrlEncode/Decode da private → protected - Migration 011: colonne provisioning + must_change_password + indexes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-07 15:02:11 +01:00
Cristiano Benassati	ae78a2f7f4	[CORE] Initial project scaffold - NIS2 Agile Compliance Platform Complete MVP implementation including: - PHP 8.4 backend with Front Controller pattern (80+ API endpoints) - Multi-tenant architecture with organization_id isolation - JWT authentication (HS256, 2h access + 7d refresh tokens) - 14 controllers: Auth, Organization, Assessment, Dashboard, Risk, Incident, Policy, SupplyChain, Training, Asset, Audit, Admin - AI Service integration (Anthropic Claude API) for gap analysis, risk suggestions, policy generation, incident classification - NIS2 gap analysis questionnaire (~80 questions, 10 categories) - MySQL schema (20 tables) with NIS2 Art. 21 compliance controls - NIS2 Art. 23 incident reporting workflow (24h/72h/30d) - Frontend: login, register, dashboard, assessment wizard, org setup - Docker configuration (PHP-FPM + Nginx + MySQL) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-17 17:50:18 +01:00

7 Commits