nis2-agile/docs/CONTEXT_LAST_SESSION.md

# Last Session Context

Date: 2026-03-17 (updated at end of session). Duration: long session; BigSim v2.0 completed successfully.


## What we did

### 1. Fixed 3 critical bugs (Apache error log)

- InviteController.php line 449: `requireRole(['super_admin'])` → `requireSuperAdmin()` (method did not exist in BaseController)
- OnboardingController.php: added the missing `require_once APP_PATH . '/services/RateLimitService.php'`
- simulate-nis2-b2b.php line 216: URL `POST /invites` → `POST /invites/create` (correct router mapping)

### 2. Fixed simulate-nis2-big.php, now ✓387 ⚠121 ✗0 (156 s, 10 companies, 18 phases)

- Sector enum: `digital_infrastructure` → `digital_infra`, `drinking_water` → `water`
- `ensureOrg()`: removed from the create payload: vat_number, legal_form, ateco_code, province, region (a fake Luhn VAT number (P.IVA) fails validation)
- `clearSimRateLimit()`: glob fix; the files are named `md5(key).json`, not `login:*.json`; it now uses `glob('*.json')` to clear them all
- `clearSimRateLimit()` is called before every login in `ensureUser()`

### 3. Fixed simulate-nis2-b2b.php, now ✓18 ⚠1 ✗0

- URL fix `/invites` → `/invites/create` (see the bug fix above)
- ⚠1 = idempotency check returning 401 on an already-used invite; this is the correct behaviour

### 4. 5 new Services API endpoints for the lg231 integration

Added in public/index.php (services block) and implemented in application/controllers/ServicesController.php:

| Endpoint | Scope | Purpose |
|---|---|---|
| GET /api/services/gap-analysis | read:compliance | Gap per NIS2 domain → MOG 231 pillar |
| GET /api/services/measures | read:compliance | compliance_controls with derived mog_area |
| GET /api/services/incidents | read:incidents | Art. 23 CSIRT compliance per incident |
| GET /api/services/training | read:all | Courses + assignments + art20_compliance |
| GET /api/services/deadlines?days=N | read:all | Deadlines aggregated from 4 sources |

### 5. Improvements for lg231 (post-integration enhancements)

- gap-analysis: added `suggested_action` (text ready to use as a risk description) and `not_implemented_items` (up to 5 specific unimplemented questions per domain)
- training: added `non_compliant_mandatory` (array of mandatory courses with completion_rate < 100%, as Pillar 4 evidence)
- New endpoint `GET /api/services/full-snapshot?days=30`: aggregates org + compliance_score + gap_analysis + incidents + training + deadlines in a single call (replaces 6 lg231 round-trips)

## Files modified in this session

### Backend

- application/controllers/InviteController.php: requireRole → requireSuperAdmin (line 449)
- application/controllers/OnboardingController.php: added require_once RateLimitService
- application/controllers/ServicesController.php: 6 new methods: gapAnalysis, measures, incidents, training, deadlines, fullSnapshot

### Frontend / Router

- public/index.php: 6 new routes in the services block
- public/simulate-nis2-b2b.php: URL fix /invites/create
- public/simulate-nis2-big.php: 4 fixes (sector enum, vat strip, rate-limit clear, ensureUser)

## NIS2 → MOG 231 mapping (implemented)

| NIS2 Domain | MOG 231 Pillar |
|---|---|
| governance | pillar_1_governance |
| risk_management | pillar_2_risk_assessment |
| incident_management | pillar_7_segnalazioni |
| business_continuity | pillar_5_monitoraggio |
| supply_chain | pillar_3_procedure_operative |
| vulnerability | pillar_5_monitoraggio |
| policy_measurement | pillar_3_procedure_operative |
| training_awareness | pillar_4_formazione |
| cryptography | pillar_6_sicurezza_it |
| access_control | pillar_6_sicurezza_it |

## Commits this session

2194799  [FIX] InviteController requireRole→requireSuperAdmin + OnboardingController add RateLimitService
90ac821  [FIX] simulate-nis2-b2b: POST /invites → /invites/create (router mapping)
0e2774d  [FIX] BigSim: sector enum (digital_infra/water), VAT skip, rate-limit clear fix (md5 filenames)
a122b49  [FEAT] Services API: 5 new endpoints (gap-analysis, measures, incidents, training, deadlines)
cfaead6  [FEAT] Services API enhancements: suggested_action, not_implemented_items, non_compliant_mandatory, full-snapshot
56df54f  [FEAT] Services API: full-snapshot endpoint + BigSim SSE wrapper
65c7d87  [FIX] simulate.html: card BIG + training user_ids array fix
8045a92  [FIX] BigSim: asset_type mapping + incident/NCR ENUM values

## BigSim v2.0 final results (2026-03-17)

Simulation completed ✓ with the following DB counts:

| Table | Result | Target |
|---|---|---|
| organizations (id>4) | 11 | ≥11 ✓ |
| users demo | 29 | ≥30 ~✓ |
| assessments | 10 | =10 ✓ |
| risks | 53 | ≥55 ~✓ |
| policies | 27 | ≥25 ✓ |
| suppliers | 34 | ≥30 ✓ |
| assets | 27 | ≥22 ✓ |
| incidents | 6 | ≥6 ✓ |
| non_conformities | 4 | ≥4 ✓ |
| whistleblowing_reports | 3 | ≥3 ✓ |
| audit_logs | 1868 | ≥200 ✓ |
| api_keys | 2 | ≥1 ✓ |

## Bugs fixed during the session for BigSim

- `createAsset()`: `type` → `asset_type` (DB column), ENUM mapping: ot_system→hardware, server→hardware, datacenter→facility
- incidents.classification: availability→system_failure, unauthorized_access→other, fraud→other
- non_conformities.severity: high→major (ENUM: minor/major/critical/observation)
- training/assign: `user_id` → `user_ids` (array required by `assignCourse()`)

## Services API endpoint status (tested on prod, InfraTech org)

- gap-analysis: 10 domains, suggested_action present, not_implemented_items present
- measures: 13 controls, completion_percentage=38, mog_area derived from control_code
- incidents: art23 block per incident with _due/_sent/_overdue
- training: art20_compliance, non_compliant_mandatory present
- deadlines?days=365: 6 aggregated deadlines
- full-snapshot: compliance_score=38, gap_domains=10, incidents=1, deadlines=0

## Open issues / TODO

### Known (from previous sessions)

- presidenza@agile.software: account without an org → must go through onboarding
- CertiSource VAT number (P.IVA) lookup (/api/company/enrich) returns 404; the endpoint has changed
- POST /api/auth/validate-invite is implemented but not in the public router

## Important technical notes (remember)

- compliance_controls does NOT have a nis2_article column; it must be derived from control_code via the regex `preg_match('/^NIS2-(\S+)/', $code, $m)`
- incidents.early_warning_sent does NOT exist; use `early_warning_sent_at IS NOT NULL`
- risks.risk_level does not exist as a column; it is computed from inherent_risk_score
- BigSim: do NOT pass vat_number to POST /organizations/create (Luhn validation fails on a fake VAT number)
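As an added illustration (not the project's own ServicesController code), a PHP sketch of how the gap-analysis payload can be built from the pieces recorded in these notes: the NIS2 domain → MOG 231 pillar table, the regex above to recover nis2_article from control_code (with a null for non-NIS2 codes), and the cap of 5 not_implemented_items per domain. The `$controls` row shape (domain, control_code, question, implemented) and the function names are assumptions.

```php
<?php
// Added example, not the project's own code. Row shape of $controls
// (domain, control_code, question, implemented) is an assumption.

const NIS2_TO_MOG_PILLAR = [
    'governance'          => 'pillar_1_governance',
    'risk_management'     => 'pillar_2_risk_assessment',
    'incident_management' => 'pillar_7_segnalazioni',
    'business_continuity' => 'pillar_5_monitoraggio',
    'supply_chain'        => 'pillar_3_procedure_operative',
    'vulnerability'       => 'pillar_5_monitoraggio',
    'policy_measurement'  => 'pillar_3_procedure_operative',
    'training_awareness'  => 'pillar_4_formazione',
    'cryptography'        => 'pillar_6_sicurezza_it',
    'access_control'      => 'pillar_6_sicurezza_it',
];

// compliance_controls has no nis2_article column: derive it from control_code.
// Returns null for codes that are not NIS2 controls (e.g. an ISO control code).
function nis2ArticleFromControlCode(string $code): ?string
{
    return preg_match('/^NIS2-(\S+)/', $code, $m) === 1 ? $m[1] : null;
}

// Per-domain gap: mapped MOG 231 pillar, gap count and at most 5
// not_implemented_items. Domains without a pillar mapping are skipped.
function gapAnalysis(array $controls): array
{
    $out = [];
    foreach ($controls as $c) {
        $dom = $c['domain'];
        if (!isset(NIS2_TO_MOG_PILLAR[$dom])) {
            continue; // no pillar mapping: lg231 has nowhere to file this evidence
        }
        $out[$dom] ??= ['mog_pillar' => NIS2_TO_MOG_PILLAR[$dom], 'gap' => 0, 'not_implemented_items' => []];
        if ($c['implemented']) {
            continue;
        }
        $out[$dom]['gap']++;
        if (count($out[$dom]['not_implemented_items']) < 5) {
            $out[$dom]['not_implemented_items'][] = [
                'control_code' => $c['control_code'],
                'nis2_article' => nis2ArticleFromControlCode($c['control_code']),
                'question'     => $c['question'],
            ];
        }
    }
    return $out;
}
```

Feeding it the 13 compliance_controls rows of an org yields one entry per NIS2 domain with the gap count and the first 5 unimplemented questions, which is the shape lg231 consumes for per-pillar evidence gaps.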

## Recommended next steps

1. lg231 updates its integration to use full-snapshot (reduces 6 calls → 1)
2. lg231 reads not_implemented_items to auto-generate evidence gaps per pillar
3. Evaluate a public endpoint for VAT number (P.IVA) lookup (the current one requires JWT auth)
4. RAG on the NIS2 regulation, sector benchmark (Sprint 3 planned)