Commit Graph

5 Commits

Author SHA1 Message Date
DevEnv nis2-agile
5c7ed9abcb [FIX] Supplier import: validate org scope of category_id + align migration headers 032/033
- bulkUpsertSuppliers: the explicit category_id branch (API/CSV import) now verifies
  that the category is a preset (org 0) or belongs to the same org, as the
  category_slug branch already does. Avoids writing another org's suppliers.category_id
  (dirty cross-org data). Multi-agent review finding (MINOR, data correctness).
- docs/sql/032,033: header "PROPOSTA DI DESIGN (NON applicata)" (design proposal, NOT applied) ->
  "APPLICATA su produzione 2026-05-31" (applied in production 2026-05-31), since they are in fact applied. Avoids operational confusion.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-31 11:16:43 +02:00
DevEnv nis2-agile
f85876f2a2 [FEAT] Supply chain Phase 1: configurable questionnaire module (categories + templates + questions + import)
Backend of the supplier questionnaire module (design in docs/DESIGN_MODULO_QUESTIONARI_FORNITORI.md).
Migrations 032+033 already applied on the host (6 tables + 10 preset categories + suppliers.category_id/external_ref/source).

SupplyChainController:
- categories: categories/createCategory/updateCategory/deleteCategory (preset org 0 + custom per-org, no delete if in use)
- templates: templates/getTemplate/createTemplate/updateTemplate (per-org, category scope)
- questions: addTemplateQuestion/updateTemplateQuestion/deleteTemplateQuestion (7 types, weight, nis2_ref, vuln_flag, high_criticality_only)
- import: importSuppliers + bulkUpsertSuppliers (upsert by external_ref, CSV anti formula-injection, max 1000, reusable via API key)
- helpers: assertCategoryVisible/assertTemplateOwned/slugify/sanitizeCell

All queries are org-scoped (no cross-org leak). Route in public/index.php actionMap supply-chain.
Smoke: no-auth=401, categorie_visibili=10 (preset). USR2 applied. php -l OK.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-31 10:36:44 +02:00
DevEnv nis2-agile
a3f821122a [FIX] Supply chain: risk_score consistency + atomic submit (review findings)
Bug #1 (semantics): submitPublicQuestionnaire wrote risk_score=100-score (risk) and
overwrote criticality, diverging from assessSupplier (risk_score=compliance, high=good).
Now: risk_score=score (compliance), security_requirements_met (threshold 70) set, criticality
NOT touched (it is the supplier's criticality, not the questionnaire outcome).
Bug #4 (atomicity): UPDATE ... WHERE status='sent' + rowCount()==0 -> 409. Two concurrent submits
with the same token do not complete twice.
Verified E2E: submit 201 (score 94 -> risk_score=94, sec_req_met=1, criticality=high unchanged),
re-submit -> 409.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 11:56:20 +02:00
DevEnv nis2-agile
172d9270e6 [FIX] SupplyChain: added the 5 self-assessment methods (previous Edit rejected because the file had not been read)
sendQuestionnaire/publicQuestionnaire/submitPublicQuestionnaire/questionnaireStatus/resolveQuestionnaire.
E2E test on prod: send 201 -> public GET 200 -> submit 201 (score 61) -> re-submit 409 -> suppliers.risk_score=39.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 10:39:24 +02:00
ae78a2f7f4 [CORE] Initial project scaffold - NIS2 Agile Compliance Platform
Complete MVP implementation including:
- PHP 8.4 backend with Front Controller pattern (80+ API endpoints)
- Multi-tenant architecture with organization_id isolation
- JWT authentication (HS256, 2h access + 7d refresh tokens)
- 14 controllers: Auth, Organization, Assessment, Dashboard, Risk,
  Incident, Policy, SupplyChain, Training, Asset, Audit, Admin
- AI Service integration (Anthropic Claude API) for gap analysis,
  risk suggestions, policy generation, incident classification
- NIS2 gap analysis questionnaire (~80 questions, 10 categories)
- MySQL schema (20 tables) with NIS2 Art. 21 compliance controls
- NIS2 Art. 23 incident reporting workflow (24h/72h/30d)
- Frontend: login, register, dashboard, assessment wizard, org setup
- Docker configuration (PHP-FPM + Nginx + MySQL)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 17:50:18 +01:00