BE Sections Extra · Verbatim Archive · 2026-05-10
Scopo: zero info-loss dell'archive
Business_Eye-pre-refactor-2026-05-10.htmlper le sub-sections operative disec-16 Skills Claude Inventoryesec-17 Reminders Calendarche il refactor BOS in chunks ha riassunto. Tutto verbatim dal BE.Status: archive di consultazione · non parte del build BOS · solo riferimento per Gregorio + Loris + Claude.
Linked from:
05-stack.mdsub-section "Skills Claude Inventory" +09-operations.mdsub-section "Reminders Calendar + Subscription Tools".
1. Password & Secret Rotation (BE sec-17 · 12 secrets)
Calendar entry: "🔑 Rotate [secret]" — 7gg prima della scadenza ogni voce. Rotation = nuovo valore + redeploy + invalida vecchio.
| Secret | Cadenza | Owner | Skill ref |
|---|---|---|---|
| Anthropic API key | 90 giorni | G | multiverbe-security-ch |
| Mistral API key | 90 giorni | G | multiverbe-security-ch |
| Stripe API keys (test + live) | 180 giorni | G | multiverbe-stripe-checkout-edges |
| Supabase service_role key | 365 giorni o post-incident | G | multiverbe-security-ch |
| Brevo API key (Multiverbe transactional) | 90 giorni (post leak 2026-05-10) | G | multiverbe-security-ch |
| Resend API key (Metaverbe agenzia) | 180 giorni | G | multiverbe-security-ch |
| SMTP password Register.it (loris@/gregorio@/support@multiverbe.com) | 90 giorni — IMPORTANTE per outreach reputation | G + L | multiverbe-cold-outreach-ch |
| GitHub PAT (CI/CD) | 90 giorni | G | multiverbe-security-ch |
| JWT secret app-level | 365 giorni o post-leak | G | multiverbe-security-ch |
| Webhook signing (Stripe + Brevo) | 365 giorni | G | multiverbe-stripe-checkout-edges |
| SSH keys deploy Render | 365 giorni | G | multiverbe-security-ch |
| Password 1Password personali | 365 giorni o post-suspicion | G + L | multiverbe-security-ch |
2. Security Checks Recurring (BE sec-17 · 16 voci)
Eseguire i check via slash command (Q3) o manuale via skill multiverbe-security-ch.
| Check | Cadenza | Durata | Owner |
|---|---|---|---|
| Sentry error review | Daily 9:00 | 5 min | G |
security_alerts unack review |
Daily 9:05 | 5 min | G |
| Supabase auto-backup verify | Daily 23:55 | auto | A |
pnpm audit + pip audit |
Weekly Mon | auto + 15 min review | A + G |
| Stripe webhook delivery health | Weekly Mon | 5 min | G |
| Sub-processor advisory check | Weekly Mon | 10 min | G |
| RLS policy audit script | Monthly 1st | 15 min | G |
| Audit log review (20 random) | Monthly 1st | 15 min | G |
| securityheaders.com test A+ | Monthly 1st | 5 min | G |
| 1Password vault access drill | Monthly 1st | 10 min | G + L |
| Internal pentest (skill-driven) | Quarterly | 4-6 ore | G |
| Supabase PITR restore test (dev branch) | Quarterly | 1 ora | G |
| Incident response drill | Quarterly | 2 ore | G + L |
| External pentest CH/EU firm | Annual | 5-10 gg · CHF 5-10k | G |
| Cyber insurance review | Annual | 2 ore · CHF 1-3k | G |
| ISO 27001 self-assessment | Annual (Series-A prep) | 16 ore | G |
3. Account Aziendali Attivi · Tracker (BE sec-17 · 18 account)
Lista canonica account business attivi. Update ad ogni signup nuovo. Owner = chi ha primary access. Backup access = chi ha credential in password manager Bitwarden Family. Decisioni 2026-05-10: path frugal pre-revenue (~CHF 130/anno vs ~$1.500 enterprise) — upgrade ai tier premium quando 5+ paganti raggiunto.
| Account | Tier/Plan scelto | Costo/mese | Owner | Status decisione 2026-05-10 |
|---|---|---|---|---|
| Vercel | Hobby (free) → Pro a 1° pagante | $0 → $20 | G | ✅ Hobby attivo |
| Supabase | Free → Pro + PITR a 5+ paganti | $0 → $25 + $100 | G | ✅ Free attivo (project Multiverbe) |
| Render.com | Starter (legacy MAIND, deprecate Q3) | $7 | G | ⚠️ Da decommissionare post-MVP |
| Stripe | Standard | 1.5%+€0.25/tx EU · 2.9%+€0.30/tx int | G | 🟡 2FA fixed 2026-05-10, MCP setup pending |
| Anthropic API | Build (pay-as-you-go) + prompt cache | ~$50-200 | G | ✅ Attivo |
| Mistral API | Pay-as-you-go (primary email/PII GDPR) | ~$30-100 | G | ✅ Attivo · GDPR EU |
| Gemini API (×2 keys) | Pay-as-you-go batch | ~$20-80 | G | ✅ Attivo |
| Brevo | Free 9K/mo → Pro $20 a 50K/mo | €0 → $20 | G | ✅ Free attivo · DNS verify pending |
| iubenda | Pro FADP+GDPR multilingua auto-update | €27 | G | ✅ SCELTO 2026-05-10 — sblocca privacy/cookie/ToS time-saving |
| Klaro (cookie banner) | Open source self-hosted | €0 | G | ✅ SCELTO 2026-05-10 — invece di Cookiebot €7-50/mo, GDPR-OK + IAB TCF v2 |
| Bitwarden (password manager) | Free tier completo · Premium $10/anno opt | €0 → $10/anno | G | ✅ SCELTO 2026-05-10 — invece di 1Password $60/anno, audit annuali esterni, share Loris incluso |
| Aegis Authenticator / Authy (TOTP 2FA) | App TOTP open source / cloud sync | €0 | G | ✅ SCELTO 2026-05-10 — Yubikey postponed Q3 post-5-paganti |
| Yubikey 5 NFC × 2 | Hardware key (DEFERRED Q3) | — | G | ⏸️ Postponed Q3 (post-5-paganti, $110 una tantum) |
| Apollo.io (sales prospecting) | Free 50 leads/mo | €0 | L | ✅ SCELTO 2026-05-10 — sourcing primo mese Loris (W2 Mag - W1 Giu) |
| LinkedIn Sales Navigator | Core | $99 | L | 📅 SCHEDULED metà Giugno 2026 — signup W3 Giu (15 Giu) per partire SELL HARD W3-W4 Giu post-MVP launch + Apollo data validation. Sblocca filtri "posted last 30gg" intent + InMail 50/mo |
| Sentry | Developer free → Team a 5+ paganti | $0 → $26 | G | 🟡 Da setup W2 (free tier OK) |
| GitHub | Pro | $4 | G | ✅ Attivo |
| Google Workspace (metaverbe.com) | Business Starter (3 caselle) | €6/user × 3 = ~€18 | G | 🟡 Da valutare vs Register.it 3 mailbox incluse |
| Domain registrar (multiverbe.com, metaverbe.com/.it, multiverbe.ch pending) | Register.it | ~€20/anno cad | G | ✅ Attivi (.com .it) · multiverbe.ch acquisto pending |
Total stimato MVP launch path frugal: ~€140-200/mese fixed (Vercel free + Supabase free + Stripe % + iubenda €27 + GitHub $4 + Workspace €18 + Render $7 + variable API €100-200). Apollo free + Klaro free + Bitwarden free + Aegis free = €0 incremento. Upgrade triggers: Vercel Pro a 1° pagante, Supabase Pro + Sentry Team a 5+ paganti, Yubikey + 1Password upgrade Q3, LinkedIn Sales Nav se Apollo non basta.
Razionale path frugal 2026-05-10: founder ha esplicitato "il meglio per gli utenti, scalabilità senza blocchi inutili". Klaro batte Cookiebot per ownership totale codice (no vendor lock-in cookie consent). Bitwarden batte 1Password per audit pubblici esterni + free tier completo. Aegis/Authy battono Yubikey pre-MVP perché Yubikey vale solo se il device è perso/rubato (rischio low pre-revenue). Apollo.io batte LinkedIn Sales Nav per primo mese sales perché 50 leads/mo sono sufficienti per Loris in target Lugano. Tutti sono upgradable al tier premium quando metriche giustificano (LTV/CAC sano, MRR sostenibile).
4. Email Accounts & Mailboxes Multiverbe (BE sec-17)
Mailbox aziendali Multiverbe (Register.it sul dominio multiverbe.com). Limite Register.it base = 3 mailbox per dominio. Quando multiverbe.ch sarà acquistato, replica simmetrica + 3 mailbox addizionali per multi-mailbox warmup outreach. Decisione founder 2026-05-10: gestione mail centralizzata in app via Pianeta Web → Email Hub satellite (target build W4 Mag-W1 Giu 2026).
| Mailbox | Uso | Owner | Stato | Skill ref |
|---|---|---|---|---|
gregorio@multiverbe.com |
Founder personal + cold outreach ABM premium target (notai, immobiliari, agenzie) | G | Da creare su Register.it | multiverbe-cold-outreach-ch |
loris@multiverbe.com |
Sales partner cold outreach mass (60/giorno) + warmup parallelo | L | Da creare su Register.it | multiverbe-cold-outreach-ch |
support@multiverbe.com |
Customer support reactive (richiesto SaaS legalmente) + ticket inbox | G poi L | Da creare su Register.it | multiverbe-ch-compliance |
noreply@multiverbe.com |
Transactional (signup confirm, password reset, weekly reports) — sender DNS-verified, NO mailbox reale | A via Brevo | Brevo domain added (2026-05-10), DNS pending verify | multiverbe-security-ch |
Email transactional sender: noreply@multiverbe.com via Brevo (sending domain send.multiverbe.com verificato via DNS — DKIM x2 + brevo-code TXT + DMARC). Free tier 9.000 email/mese, sufficiente fino a 50+ paganti.
Cold outreach senders: loris@ + gregorio@ via SMTP Register.it (zero costo) con warmup Instantly/Lemwarm 4-6 settimane prima del primo invio reale. Reply detection IMAP gestita da Pianeta Sales (sub-account Loris vede solo le sue, founder vede tutto). Multi-mailbox strategy: quando multiverbe.ch arriva, +3 mailbox = 6 sender warmed paralleli per distribuzione volume + ridondanza reputation CH.
Account Brevo: gregorio@gmail.com primary, IP authorized: 213.55.238.157 (Claude server) + IP founder dynamic. API key salvata SOLO in .env.local (gitignored), MAI in chat o repo committato.
5. Account Personali Critici (BE sec-17)
Account NON business ma collegati al business (account email founder, banking, social). 2FA hardware mandatory.
- metaverbe@gmail.com · primary founder · 2FA hardware Yubikey · backup recovery codes in 1Password
- Banking founder (CH e IT) · 2FA hardware · alert SMS+email
- Apple ID / Google Account founder · 2FA hardware · privacy strict
- Social founder (LinkedIn personal, Instagram) · 2FA hardware · separati da account business
- 1Password Family vault · master password 20+ char + emergency kit printed
6. Security Toolkit GitHub · Top 5 install pre-launch (BE sec-16)
Ricerca dedicata 2026-05-09 (top 10 web research consolidata in skill multiverbe-security-ch). Top 5 install pre-launch (~1.5h totale):
| Tool | Stars | Use case Multiverbe | Setup |
|---|---|---|---|
| gitleaks + trufflehog | 24.4k + 26.1k | Secret scan pre-commit + CI verify (Stripe SK_LIVE leak prevention) | 30 min |
| agamm/claude-code-owasp skill | 176 | OWASP Top 10:2025 + LLM Top 10 auto-attiva su edit auth/RBAC | 5 min curl |
| semgrep Claude Code plugin | 15.1k | SAST automatico every edit Next.js/Python (RLS bypass, IDOR, SSRF) | 10 min |
supabase-mcp get_advisors |
— | RLS audit cross-workspace_id automatico (Splinter-based) | 15 min |
| trivy | 34.9k | CVE + secrets + SBOM Render Docker + Vercel build (one tool) | 20 min |
Q3 add: OWASP ZAP baseline mensile · Nuclei weekly · anthropics/skills marketplace verify.
Q4/Q1 2027 add (Series-A prep): trycompai/comp + getprobo/probo self-hosted SOC2/ISO27001/GDPR evidence collection.
7. Skills Claude · Skills cloned GitHub OSS (BE sec-16)
- tailwindcss-skills (shamiul-anik) · Tailwind v4.2 + OKLCH + container queries + dark mode patterns
- r3f-fundamentals, r3f-postprocessing, r3f-animation (EnzeD/r3f-skills) · API ref auto-iniettate scrivendo R3F
- a11y-skill (airowe) · WCAG 2.2 AA audit (description debole, manual invoke)
8. Skills baseline · n8n + ads + seo (BE sec-16)
- 7×
n8n-*(workflow patterns, code js/python, expression syntax, mcp tools, validation) - 12×
ads-*(audit, budget, creative, google, meta, microsoft, linkedin, tiktok, youtube, landing, plan, competitor) - 13×
seo-*(audit, page, schema, technical, content, geo, hreflang, images, plan, programmatic, sitemap, competitor-pages)
9. Da aggiungere/installare (BE sec-16)
- context7 plugin · NOW: Upstash docs MCP version-specific (React 19, Tailwind 4, Next 16). Comando:
/plugin install context7@claude-plugins-official(30s). - Figma Dev Mode MCP · Q3: Tokens extraction Figma → tokens.css. Richiede Figma Pro account.
- Chrome DevTools MCP · Q3: Audit Core Web Vitals live, performance trace mobile 4G.
- Skills custom Q3 (planned):
multiverbe-supabase-rls-patterns(DONE 2026-05-10) ·multiverbe-email-sender-multitenant·multiverbe-ai-brain-agents·metaverbe-agency-projects(DONE 2026-05-10).
10. Quick action checklist · founder path frugal (BE sec-17)
- ☐ Bitwarden signup free + setup vault founder + invite Loris (€0, premium $10/anno opt)
- ☐ Aegis Authenticator (Android) o Authy (iOS+Android) install + add tutti gli account 2FA TOTP (€0)
- ☐ 2FA TOTP enable su: GitHub, Vercel, Supabase, Stripe (✅ già fixed 2026-05-10), Anthropic, Google Workspace, Banking
- ☐ BitLocker verify device encryption Windows (
manage-bde -status C:) - ☐ iubenda Pro signup + FADP toggle ON + embed JS landing (€27/mo)
- ☐ Klaro integrate npm package + config GDPR-compliant + dark mode skin Nebula Glass (€0)
- ☐ Apollo.io signup free + saved search Lugano restaurants/beauty/services (€0, 50 leads/mo Loris primo mese)
- ☐ Sentry setup frontend + backend + PII filter (free tier)
- ☐ Calendar Multiverbe Security import
Multiverbe-Business/ops/security-calendar.icsin Google Calendar (€0)
Upgrade post-5-paganti (Q3 trigger): 1Password Family $60/anno se Bitwarden share-vault troppo limitato · Yubikey × 2 ($110) per hardware 2FA su account critici · LinkedIn Sales Navigator $99/mo schedulato W3 Giu (15 Giu).
11. Come integrare in Google Calendar (BE sec-17)
- Crea calendario dedicato "Multiverbe Security" in Google Calendar
- Per ogni voce sopra: nuovo evento ricorrente (Daily/Weekly/Monthly/Quarterly/Annual)
- Imposta promemoria 7gg prima per rotation, 1gg per check ricorrenti
- Notifica push iPhone + email founder
- Color code: 🔴 password rotation · 🟡 check security · 🔵 account renewal · 🟣 pentest
Q3 automation: skill multiverbe-security-ch può generare file multiverbe-security-calendar.ics con tutti gli eventi pre-configurati → import 1-click in Google Calendar / Apple Calendar / Outlook.
Source: archive/Business_Eye-pre-refactor-2026-05-10.html righe 6428-6656 (sec-16 + sec-17).
Verbatim preservation: confermato.
Linked from: 05-stack.md, 09-operations.md.