nis2-agile/docs/sql/008_whistleblowing.sql

-- ============================================================
-- NIS2 Agile - Migration 008: Whistleblowing (Art.32 NIS2)
-- Canale segnalazioni anomalie di sicurezza con anonimato garantito
-- ============================================================

CREATE TABLE IF NOT EXISTS whistleblowing_reports (
    id               INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    organization_id  INT NOT NULL,
    report_code      VARCHAR(20) NOT NULL UNIQUE,          -- Es. WB-2026-001

    -- Mittente (opzionale — anonimato garantito)
    is_anonymous     TINYINT(1) NOT NULL DEFAULT 1,
    submitted_by     INT UNSIGNED NULL,                    -- NULL se anonimo
    anonymous_token  VARCHAR(64) NULL,                     -- Token per tracking anonimo
    contact_email    VARCHAR(255) NULL,                    -- Email facoltativa per follow-up

    -- Contenuto segnalazione
    category         ENUM(
        'security_incident', 'policy_violation', 'unauthorized_access',
        'data_breach', 'supply_chain_risk', 'corruption', 'fraud',
        'nis2_non_compliance', 'other'
    ) NOT NULL,
    title            VARCHAR(255) NOT NULL,
    description      TEXT NOT NULL,
    evidence_files   JSON NULL,                            -- Array path files allegati
    nis2_article     VARCHAR(20) NULL,                     -- Articolo NIS2 violato

    -- Gestione
    priority         ENUM('critical', 'high', 'medium', 'low') NOT NULL DEFAULT 'medium',
    status           ENUM('received', 'under_review', 'investigating', 'resolved', 'closed', 'rejected') NOT NULL DEFAULT 'received',
    assigned_to      INT UNSIGNED NULL,                    -- Utente incaricato
    resolution_notes TEXT NULL,                            -- Note risoluzione (visibili al segnalante se email fornita)
    closed_at        TIMESTAMP NULL,
    closed_by        INT UNSIGNED NULL,

    created_at       TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    updated_at       TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,

    INDEX idx_org (organization_id),
    INDEX idx_status (status),
    INDEX idx_priority (priority),
    INDEX idx_token (anonymous_token),
    INDEX idx_code (report_code)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

-- ── Timeline segnalazione ──────────────────────────────────
CREATE TABLE IF NOT EXISTS whistleblowing_timeline (
    id               INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    report_id        INT UNSIGNED NOT NULL,
    event_type       ENUM('received','status_change','assigned','note_added','closed') NOT NULL,
    description      TEXT NOT NULL,
    new_status       VARCHAR(30) NULL,
    created_by       INT UNSIGNED NULL,                    -- NULL = sistema
    is_visible_to_reporter TINYINT(1) NOT NULL DEFAULT 0, -- Se visibile al segnalante anonimo
    created_at       TIMESTAMP DEFAULT CURRENT_TIMESTAMP,

    INDEX idx_report (report_id)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

-- ── Foreign Keys ──────────────────────────────────────────
ALTER TABLE whistleblowing_reports
    ADD CONSTRAINT fk_wb_org FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE;

ALTER TABLE whistleblowing_timeline
    ADD CONSTRAINT fk_wb_timeline_report FOREIGN KEY (report_id) REFERENCES whistleblowing_reports(id) ON DELETE CASCADE;