BE Sections Extra · Verbatim Archive · 2026-05-10

Scopo: zero info-loss dell'archive Business_Eye-pre-refactor-2026-05-10.html per le sub-sections operative di sec-16 Skills Claude Inventory e sec-17 Reminders Calendar che il refactor BOS in chunks ha riassunto. Tutto verbatim dal BE.

Status: archive di consultazione · non parte del build BOS · solo riferimento per Gregorio + Loris + Claude.

Linked from: 05-stack.md sub-section "Skills Claude Inventory" + 09-operations.md sub-section "Reminders Calendar + Subscription Tools".


1. Password & Secret Rotation (BE sec-17 · 12 secrets)

Calendar entry: "🔑 Rotate [secret]" — 7gg prima della scadenza ogni voce. Rotation = nuovo valore + redeploy + invalida vecchio.

Secret Cadenza Owner Skill ref
Anthropic API key 90 giorni G multiverbe-security-ch
Mistral API key 90 giorni G multiverbe-security-ch
Stripe API keys (test + live) 180 giorni G multiverbe-stripe-checkout-edges
Supabase service_role key 365 giorni o post-incident G multiverbe-security-ch
Brevo API key (Multiverbe transactional) 90 giorni (post leak 2026-05-10) G multiverbe-security-ch
Resend API key (Metaverbe agenzia) 180 giorni G multiverbe-security-ch
SMTP password Register.it (loris@/gregorio@/support@multiverbe.com) 90 giorni — IMPORTANTE per outreach reputation G + L multiverbe-cold-outreach-ch
GitHub PAT (CI/CD) 90 giorni G multiverbe-security-ch
JWT secret app-level 365 giorni o post-leak G multiverbe-security-ch
Webhook signing (Stripe + Brevo) 365 giorni G multiverbe-stripe-checkout-edges
SSH keys deploy Render 365 giorni G multiverbe-security-ch
Password 1Password personali 365 giorni o post-suspicion G + L multiverbe-security-ch

2. Security Checks Recurring (BE sec-17 · 16 voci)

Eseguire i check via slash command (Q3) o manuale via skill multiverbe-security-ch.

Check Cadenza Durata Owner
Sentry error review Daily 9:00 5 min G
security_alerts unack review Daily 9:05 5 min G
Supabase auto-backup verify Daily 23:55 auto A
pnpm audit + pip audit Weekly Mon auto + 15 min review A + G
Stripe webhook delivery health Weekly Mon 5 min G
Sub-processor advisory check Weekly Mon 10 min G
RLS policy audit script Monthly 1st 15 min G
Audit log review (20 random) Monthly 1st 15 min G
securityheaders.com test A+ Monthly 1st 5 min G
1Password vault access drill Monthly 1st 10 min G + L
Internal pentest (skill-driven) Quarterly 4-6 ore G
Supabase PITR restore test (dev branch) Quarterly 1 ora G
Incident response drill Quarterly 2 ore G + L
External pentest CH/EU firm Annual 5-10 gg · CHF 5-10k G
Cyber insurance review Annual 2 ore · CHF 1-3k G
ISO 27001 self-assessment Annual (Series-A prep) 16 ore G

3. Account Aziendali Attivi · Tracker (BE sec-17 · 18 account)

Lista canonica account business attivi. Update ad ogni signup nuovo. Owner = chi ha primary access. Backup access = chi ha credential in password manager Bitwarden Family. Decisioni 2026-05-10: path frugal pre-revenue (~CHF 130/anno vs ~$1.500 enterprise) — upgrade ai tier premium quando 5+ paganti raggiunto.

Account Tier/Plan scelto Costo/mese Owner Status decisione 2026-05-10
Vercel Hobby (free) → Pro a 1° pagante $0 → $20 G ✅ Hobby attivo
Supabase Free → Pro + PITR a 5+ paganti $0 → $25 + $100 G ✅ Free attivo (project Multiverbe)
Render.com Starter (legacy MAIND, deprecate Q3) $7 G ⚠️ Da decommissionare post-MVP
Stripe Standard 1.5%+€0.25/tx EU · 2.9%+€0.30/tx int G 🟡 2FA fixed 2026-05-10, MCP setup pending
Anthropic API Build (pay-as-you-go) + prompt cache ~$50-200 G ✅ Attivo
Mistral API Pay-as-you-go (primary email/PII GDPR) ~$30-100 G ✅ Attivo · GDPR EU
Gemini API (×2 keys) Pay-as-you-go batch ~$20-80 G ✅ Attivo
Brevo Free 9K/mo → Pro $20 a 50K/mo €0 → $20 G ✅ Free attivo · DNS verify pending
iubenda Pro FADP+GDPR multilingua auto-update €27 G SCELTO 2026-05-10 — sblocca privacy/cookie/ToS time-saving
Klaro (cookie banner) Open source self-hosted €0 G SCELTO 2026-05-10 — invece di Cookiebot €7-50/mo, GDPR-OK + IAB TCF v2
Bitwarden (password manager) Free tier completo · Premium $10/anno opt €0 → $10/anno G SCELTO 2026-05-10 — invece di 1Password $60/anno, audit annuali esterni, share Loris incluso
Aegis Authenticator / Authy (TOTP 2FA) App TOTP open source / cloud sync €0 G SCELTO 2026-05-10 — Yubikey postponed Q3 post-5-paganti
Yubikey 5 NFC × 2 Hardware key (DEFERRED Q3) G ⏸️ Postponed Q3 (post-5-paganti, $110 una tantum)
Apollo.io (sales prospecting) Free 50 leads/mo €0 L SCELTO 2026-05-10 — sourcing primo mese Loris (W2 Mag - W1 Giu)
LinkedIn Sales Navigator Core $99 L 📅 SCHEDULED metà Giugno 2026 — signup W3 Giu (15 Giu) per partire SELL HARD W3-W4 Giu post-MVP launch + Apollo data validation. Sblocca filtri "posted last 30gg" intent + InMail 50/mo
Sentry Developer free → Team a 5+ paganti $0 → $26 G 🟡 Da setup W2 (free tier OK)
GitHub Pro $4 G ✅ Attivo
Google Workspace (metaverbe.com) Business Starter (3 caselle) €6/user × 3 = ~€18 G 🟡 Da valutare vs Register.it 3 mailbox incluse
Domain registrar (multiverbe.com, metaverbe.com/.it, multiverbe.ch pending) Register.it ~€20/anno cad G ✅ Attivi (.com .it) · multiverbe.ch acquisto pending

Total stimato MVP launch path frugal: ~€140-200/mese fixed (Vercel free + Supabase free + Stripe % + iubenda €27 + GitHub $4 + Workspace €18 + Render $7 + variable API €100-200). Apollo free + Klaro free + Bitwarden free + Aegis free = €0 incremento. Upgrade triggers: Vercel Pro a 1° pagante, Supabase Pro + Sentry Team a 5+ paganti, Yubikey + 1Password upgrade Q3, LinkedIn Sales Nav se Apollo non basta.

Razionale path frugal 2026-05-10: founder ha esplicitato "il meglio per gli utenti, scalabilità senza blocchi inutili". Klaro batte Cookiebot per ownership totale codice (no vendor lock-in cookie consent). Bitwarden batte 1Password per audit pubblici esterni + free tier completo. Aegis/Authy battono Yubikey pre-MVP perché Yubikey vale solo se il device è perso/rubato (rischio low pre-revenue). Apollo.io batte LinkedIn Sales Nav per primo mese sales perché 50 leads/mo sono sufficienti per Loris in target Lugano. Tutti sono upgradable al tier premium quando metriche giustificano (LTV/CAC sano, MRR sostenibile).


4. Email Accounts & Mailboxes Multiverbe (BE sec-17)

Mailbox aziendali Multiverbe (Register.it sul dominio multiverbe.com). Limite Register.it base = 3 mailbox per dominio. Quando multiverbe.ch sarà acquistato, replica simmetrica + 3 mailbox addizionali per multi-mailbox warmup outreach. Decisione founder 2026-05-10: gestione mail centralizzata in app via Pianeta Web → Email Hub satellite (target build W4 Mag-W1 Giu 2026).

Mailbox Uso Owner Stato Skill ref
gregorio@multiverbe.com Founder personal + cold outreach ABM premium target (notai, immobiliari, agenzie) G Da creare su Register.it multiverbe-cold-outreach-ch
loris@multiverbe.com Sales partner cold outreach mass (60/giorno) + warmup parallelo L Da creare su Register.it multiverbe-cold-outreach-ch
support@multiverbe.com Customer support reactive (richiesto SaaS legalmente) + ticket inbox G poi L Da creare su Register.it multiverbe-ch-compliance
noreply@multiverbe.com Transactional (signup confirm, password reset, weekly reports) — sender DNS-verified, NO mailbox reale A via Brevo Brevo domain added (2026-05-10), DNS pending verify multiverbe-security-ch

Email transactional sender: noreply@multiverbe.com via Brevo (sending domain send.multiverbe.com verificato via DNS — DKIM x2 + brevo-code TXT + DMARC). Free tier 9.000 email/mese, sufficiente fino a 50+ paganti.

Cold outreach senders: loris@ + gregorio@ via SMTP Register.it (zero costo) con warmup Instantly/Lemwarm 4-6 settimane prima del primo invio reale. Reply detection IMAP gestita da Pianeta Sales (sub-account Loris vede solo le sue, founder vede tutto). Multi-mailbox strategy: quando multiverbe.ch arriva, +3 mailbox = 6 sender warmed paralleli per distribuzione volume + ridondanza reputation CH.

Account Brevo: gregorio@gmail.com primary, IP authorized: 213.55.238.157 (Claude server) + IP founder dynamic. API key salvata SOLO in .env.local (gitignored), MAI in chat o repo committato.


5. Account Personali Critici (BE sec-17)

Account NON business ma collegati al business (account email founder, banking, social). 2FA hardware mandatory.

  • metaverbe@gmail.com · primary founder · 2FA hardware Yubikey · backup recovery codes in 1Password
  • Banking founder (CH e IT) · 2FA hardware · alert SMS+email
  • Apple ID / Google Account founder · 2FA hardware · privacy strict
  • Social founder (LinkedIn personal, Instagram) · 2FA hardware · separati da account business
  • 1Password Family vault · master password 20+ char + emergency kit printed

6. Security Toolkit GitHub · Top 5 install pre-launch (BE sec-16)

Ricerca dedicata 2026-05-09 (top 10 web research consolidata in skill multiverbe-security-ch). Top 5 install pre-launch (~1.5h totale):

Tool Stars Use case Multiverbe Setup
gitleaks + trufflehog 24.4k + 26.1k Secret scan pre-commit + CI verify (Stripe SK_LIVE leak prevention) 30 min
agamm/claude-code-owasp skill 176 OWASP Top 10:2025 + LLM Top 10 auto-attiva su edit auth/RBAC 5 min curl
semgrep Claude Code plugin 15.1k SAST automatico every edit Next.js/Python (RLS bypass, IDOR, SSRF) 10 min
supabase-mcp get_advisors RLS audit cross-workspace_id automatico (Splinter-based) 15 min
trivy 34.9k CVE + secrets + SBOM Render Docker + Vercel build (one tool) 20 min

Q3 add: OWASP ZAP baseline mensile · Nuclei weekly · anthropics/skills marketplace verify.

Q4/Q1 2027 add (Series-A prep): trycompai/comp + getprobo/probo self-hosted SOC2/ISO27001/GDPR evidence collection.


7. Skills Claude · Skills cloned GitHub OSS (BE sec-16)

  • tailwindcss-skills (shamiul-anik) · Tailwind v4.2 + OKLCH + container queries + dark mode patterns
  • r3f-fundamentals, r3f-postprocessing, r3f-animation (EnzeD/r3f-skills) · API ref auto-iniettate scrivendo R3F
  • a11y-skill (airowe) · WCAG 2.2 AA audit (description debole, manual invoke)

8. Skills baseline · n8n + ads + seo (BE sec-16)

  • n8n-* (workflow patterns, code js/python, expression syntax, mcp tools, validation)
  • 12× ads-* (audit, budget, creative, google, meta, microsoft, linkedin, tiktok, youtube, landing, plan, competitor)
  • 13× seo-* (audit, page, schema, technical, content, geo, hreflang, images, plan, programmatic, sitemap, competitor-pages)

9. Da aggiungere/installare (BE sec-16)

  • context7 plugin · NOW: Upstash docs MCP version-specific (React 19, Tailwind 4, Next 16). Comando: /plugin install context7@claude-plugins-official (30s).
  • Figma Dev Mode MCP · Q3: Tokens extraction Figma → tokens.css. Richiede Figma Pro account.
  • Chrome DevTools MCP · Q3: Audit Core Web Vitals live, performance trace mobile 4G.
  • Skills custom Q3 (planned): multiverbe-supabase-rls-patterns (DONE 2026-05-10) · multiverbe-email-sender-multitenant · multiverbe-ai-brain-agents · metaverbe-agency-projects (DONE 2026-05-10).

10. Quick action checklist · founder path frugal (BE sec-17)

  • Bitwarden signup free + setup vault founder + invite Loris (€0, premium $10/anno opt)
  • Aegis Authenticator (Android) o Authy (iOS+Android) install + add tutti gli account 2FA TOTP (€0)
  • 2FA TOTP enable su: GitHub, Vercel, Supabase, Stripe (✅ già fixed 2026-05-10), Anthropic, Google Workspace, Banking
  • BitLocker verify device encryption Windows (manage-bde -status C:)
  • iubenda Pro signup + FADP toggle ON + embed JS landing (€27/mo)
  • Klaro integrate npm package + config GDPR-compliant + dark mode skin Nebula Glass (€0)
  • Apollo.io signup free + saved search Lugano restaurants/beauty/services (€0, 50 leads/mo Loris primo mese)
  • Sentry setup frontend + backend + PII filter (free tier)
  • Calendar Multiverbe Security import Multiverbe-Business/ops/security-calendar.ics in Google Calendar (€0)

Upgrade post-5-paganti (Q3 trigger): 1Password Family $60/anno se Bitwarden share-vault troppo limitato · Yubikey × 2 ($110) per hardware 2FA su account critici · LinkedIn Sales Navigator $99/mo schedulato W3 Giu (15 Giu).


11. Come integrare in Google Calendar (BE sec-17)

  1. Crea calendario dedicato "Multiverbe Security" in Google Calendar
  2. Per ogni voce sopra: nuovo evento ricorrente (Daily/Weekly/Monthly/Quarterly/Annual)
  3. Imposta promemoria 7gg prima per rotation, 1gg per check ricorrenti
  4. Notifica push iPhone + email founder
  5. Color code: 🔴 password rotation · 🟡 check security · 🔵 account renewal · 🟣 pentest

Q3 automation: skill multiverbe-security-ch può generare file multiverbe-security-calendar.ics con tutti gli eventi pre-configurati → import 1-click in Google Calendar / Apple Calendar / Outlook.


Source: archive/Business_Eye-pre-refactor-2026-05-10.html righe 6428-6656 (sec-16 + sec-17). Verbatim preservation: confermato. Linked from: 05-stack.md, 09-operations.md.