Security Calendar · Calendario Operativo
Calendario delle routine di sicurezza Multiverbe. Skill di riferimento:
multiverbe-security-ch(playbook completo) e slash commands/security-weekly,/security-monthly,/dr-test,/incident-start. File.icsimportabile in Google Calendar:security-calendar.ics.
Cadenza · vista d'insieme
| Frequenza | Check | Tempo | Skill / command |
|---|---|---|---|
| Daily | Sentry alert review · Stripe failed payments | 5 min | (manual) |
| Weekly (Lun 9:00) | pnpm/pip audit + Stripe webhook + Dependabot + secret rotation cal + sub-processor advisories | 35 min | /security-weekly |
| Monthly (1° del mese) | RLS audit + audit log + Stripe webhook signature test + Sentry PII filter + securityheaders.com + 1Password drill + sub-processor cert + storage backup | 85 min | /security-monthly |
| Quarterly | DR test PITR Supabase + integrity check + cleanup | 60 min | /dr-test |
| Annual | Pentest esterno + bug bounty review + SOC2 readiness check | 1-2 giorni | manual + skill multiverbe-security-ch |
| On-demand | Incident response 5-step | 4h target | /incident-start |
🔐 One-shot pre-MVP-gate (Lun 25 Mag 2026, 3-5h): Security Hardening MAX prompt — vedi
source/13-security-hardening.md. Audit deep complementare al weekly/monthly skill, eseguito una sola volta come "predisposizione massima" pre-launch commerciale (prodotto chiavi-in-mano). Fase 1 (10 step audit) + Fase 2 (4 regole privacy-by-design) + Fase 3 (10 step compliance/founder liability).
🔐 Password & Secret Rotation
Calendario rotazione proattiva (anche senza incidenti).
| Secret | Frequenza | Owner | Note |
|---|---|---|---|
| Supabase service_role_key | Trimestrale | Gregorio | post-rotate redeploy backend |
| Anthropic API key | Trimestrale | Gregorio | rotate via console |
| Mistral API key | Trimestrale | Gregorio | |
| Gemini API key | Trimestrale | Gregorio | |
| Stripe keys (live + test) | Annuale | Gregorio | rotate via dashboard |
| GitHub PAT | Trimestrale | Gregorio | repo + actions secrets |
| Vercel deployment secrets | Trimestrale | Gregorio | |
| 1Password master | Annuale | Gregorio + Loris | ognuno il suo |
| Yubikey backup | n/a | Gregorio | hardware key + backup key |
Pattern: rotate 1 secret/settimana per evitare cliff (anziché tutto lo stesso giorno).
📋 Security Checks Recurring
Daily (5 min, durante coffee mattina)
- [ ] Sentry · errori notturni > 5? Investigate
- [ ] Stripe dashboard · failed payments / dunning? Skill
multiverbe-stripe-checkout-edges - [ ] Vercel deploy status · ultimo deploy ok?
- [ ] Supabase project status · uptime ok?
Weekly (Lun 9:00, 35 min) · /security-weekly
- [ ]
pnpm audit(frontend) +pip-audit(backend) → fix critical/high - [ ] Stripe webhook events review · failed deliveries > 0? retry o investigate
- [ ] Dependabot PR review · merge se safe (skill
coderabbit:code-review) - [ ] Secret rotation calendar · 1 secret rotated questa sett?
- [ ] Sub-processor advisories check (Anthropic, Mistral, Google, Stripe, Vercel, Supabase)
Monthly (1° del mese, 85 min) · /security-monthly
- [ ] RLS audit · skill
multiverbe-supabase-rls-patterns·get_advisorsMCP tool · check policy performance + cross-tenant leak - [ ] Audit log review · pgAudit log inspection · anomalie?
- [ ] Stripe webhook signature test · skill
multiverbe-stripe-checkout-edges - [ ] Sentry PII filter · check eventi non contengano PII (email, telefono, contenuti)
- [ ] securityheaders.com scan · target A+ · CSP, HSTS, X-Frame-Options, Referrer-Policy
- [ ] 1Password drill · backup recovery test (recovery key funzionante?)
- [ ] Sub-processor cert · SOC2/ISO 27001 ancora vigenti? rinnovi imminenti?
- [ ] Storage backup · Supabase storage backup downloadabile? checksum valido?
Quarterly (1 ora) · /dr-test
- [ ] DR test Supabase PITR · restore in dev branch + integrity check + cleanup
- [ ] Backup S3 dump · test scarico + restore parziale
- [ ] Secret rotation full cycle · ruota tutto invecesssimo trimestrale
- [ ] Incident response drill · simulazione 30 min skill
multiverbe-incident-response
Annual (1-2 giorni)
- [ ] Pentest esterno · vendor selezionato (CHF 8-15k) · skill
multiverbe-security-chper scope - [ ] Bug bounty platform · attivare HackerOne/Intigriti? trigger: 50+ paganti
- [ ] SOC2 readiness check · gap analysis · solo se 100+ paganti enterprise
🔑 Account Aziendali Attivi · Tracker
Tieni sincronizzato. Quando aggiungi/rimuovi account, aggiorna qui + log in
decisions-log.md.
| Servizio | Owner | MFA | Tipo | Costo |
|---|---|---|---|---|
| Anthropic Console | Gregorio | ✅ Yubikey | API + Claude Code Max | $400/mo (Mag-Giu) |
| Supabase | Gregorio | ✅ TOTP | DB + auth | Free → $25/mo |
| Vercel | Gregorio | ✅ TOTP | Hosting | $0 → $20/mo |
| Stripe | Gregorio | ✅ TOTP | Payments | per uso |
| Mistral La Plateforme | Gregorio | ✅ TOTP | Email outreach API | per uso |
| Google Cloud (Gemini) | Gregorio | ✅ TOTP | Content multimodal | per uso |
| GitHub | Gregorio + Loris | ✅ Yubikey + TOTP | Code + business repo | Free |
| Cloudflare | Gregorio | ✅ TOTP | DNS + CDN | Free |
| Sentry | Gregorio | ✅ TOTP | Error tracking | Free → $26/mo |
| Brevo | Gregorio | ✅ TOTP | Email transazionale Multiverbe (sender send.multiverbe.com) |
Free 9k/mo → $20/mo Pro 50k |
| Resend | Gregorio | ✅ TOTP | Email transazionale Metaverbe agenzia (NON Multiverbe · separato dal 2026-05-10 decisione) | Free 3k/mo |
| — | RIMOSSO 2026-05-17 audit · filosofia Hub decentralizzata. Sostituito da ImprovMX catch-all (free) + Brevo. $18/mo risparmiati. | — | ||
| ImprovMX | Gregorio | password + 2FA | Catch-all *@multiverbe.com (futuro *@multiverbe.ch) → metaverbe@gmail.com inbox |
Free tier |
| Register.it | Gregorio | ⚠️ password only | Domini + DNS legacy | €12/anno |
| Datatrans / Payrexx | post Q4 | ⚠️ pending | Twint CH | CHF 49/mo |
| Notion | Gregorio | ✅ TOTP | Note personal | Free |
⚠️ Action items:
- [ ] Register.it · attivare MFA appena possibile
- [ ] Q4 '26: setup Datatrans/Payrexx con MFA hardware
👤 Account Personali Critici
Meta: founder personal liability mitigation (CHF 250k revFADP).
| Account | Owner | MFA | Note |
|---|---|---|---|
| Email founder primario | Gregorio | ✅ Yubikey + backup key | recovery setup |
| Email Loris primario | Loris | ✅ TOTP min · Yubikey raccomandato | |
| Banking online (CH) | Loris (residente) | ✅ hardware token banca | post GmbH |
| 1Password personal | entrambi | ✅ Yubikey | recovery key in safe fisica |
| Apple ID / Google ID | entrambi | ✅ TOTP min | impatta device encryption |
| iCloud / Google Drive backup | entrambi | ✅ TOTP | no doc Multiverbe sensibili lì |
📅 Come integrare in Google Calendar
- Apri Google Calendar
- Settings → Add calendar → Import
- Carica
security-calendar.ics - Calendario "Multiverbe Security" appare in sidebar
- Eventi ricorrenti: Daily 9:00 (5min) · Weekly Lun 9:00 (35min) · Monthly day 1 (85min) · Quarterly day 1 of quarter (1h)
🚨 Quick action checklist · founder prima settimana post-launch
- [ ] Tutti i secret in 1Password (no env locali, no chat, no email)
- [ ] Yubikey hardware acquistato + setup MFA tutti gli account critici
- [ ] BitLocker abilitato su Windows founder
- [ ] VPN aziendale attivata (Mullvad o ProtonVPN, CHF 5/mo)
- [ ] Sentry alert configurato per critical errors → Slack/email Gregorio
- [ ] Stripe webhook monitor configurato
- [ ] Supabase RLS audit script eseguito (vedi skill
multiverbe-supabase-rls-patterns) - [ ] DR test prima esecuzione manuale (skill
dr-test) - [ ] Privacy policy + ToS pubblicate su multiverbe.com
- [ ] Cookie banner LPD/GDPR-compliant attivo
- [ ] Sub-processor list pubblicata + DPA template per clienti
Skill master: multiverbe-security-ch (calendario completo + OWASP Top 10 + incident response + DR + supply chain + secret rotation cadence + MFA + backup test + vendor security scoring + pentest roadmap)
Ultimo update: 2026-05-17 · audit-batch · (1) Email transazionale Multiverbe correttamente attribuita a Brevo (era erroneamente "Resend" — Resend ora solo Metaverbe agenzia, decisione 2026-05-10). (2) Google Workspace RIMOSSO ($18/mo risparmiati · filosofia Hub decentralizzata · ImprovMX catch-all free + Brevo bastano). Precedente 2026-05-09: estratto da BOS §17. Owner: Gregorio Ciurleo (esecuzione) · Loris Beraud (account propri MFA)