Security Calendar · Calendario Operativo

Calendario delle routine di sicurezza Multiverbe. Skill di riferimento: multiverbe-security-ch (playbook completo) e slash commands /security-weekly, /security-monthly, /dr-test, /incident-start. File .ics importabile in Google Calendar: security-calendar.ics.


Cadenza · vista d'insieme

Frequenza Check Tempo Skill / command
Daily Sentry alert review · Stripe failed payments 5 min (manual)
Weekly (Lun 9:00) pnpm/pip audit + Stripe webhook + Dependabot + secret rotation cal + sub-processor advisories 35 min /security-weekly
Monthly (1° del mese) RLS audit + audit log + Stripe webhook signature test + Sentry PII filter + securityheaders.com + 1Password drill + sub-processor cert + storage backup 85 min /security-monthly
Quarterly DR test PITR Supabase + integrity check + cleanup 60 min /dr-test
Annual Pentest esterno + bug bounty review + SOC2 readiness check 1-2 giorni manual + skill multiverbe-security-ch
On-demand Incident response 5-step 4h target /incident-start

🔐 One-shot pre-MVP-gate (Lun 25 Mag 2026, 3-5h): Security Hardening MAX prompt — vedi source/13-security-hardening.md. Audit deep complementare al weekly/monthly skill, eseguito una sola volta come "predisposizione massima" pre-launch commerciale (prodotto chiavi-in-mano). Fase 1 (10 step audit) + Fase 2 (4 regole privacy-by-design) + Fase 3 (10 step compliance/founder liability).


🔐 Password & Secret Rotation

Calendario rotazione proattiva (anche senza incidenti).

Secret Frequenza Owner Note
Supabase service_role_key Trimestrale Gregorio post-rotate redeploy backend
Anthropic API key Trimestrale Gregorio rotate via console
Mistral API key Trimestrale Gregorio
Gemini API key Trimestrale Gregorio
Stripe keys (live + test) Annuale Gregorio rotate via dashboard
GitHub PAT Trimestrale Gregorio repo + actions secrets
Vercel deployment secrets Trimestrale Gregorio
1Password master Annuale Gregorio + Loris ognuno il suo
Yubikey backup n/a Gregorio hardware key + backup key

Pattern: rotate 1 secret/settimana per evitare cliff (anziché tutto lo stesso giorno).


📋 Security Checks Recurring

Daily (5 min, durante coffee mattina)

  • [ ] Sentry · errori notturni > 5? Investigate
  • [ ] Stripe dashboard · failed payments / dunning? Skill multiverbe-stripe-checkout-edges
  • [ ] Vercel deploy status · ultimo deploy ok?
  • [ ] Supabase project status · uptime ok?

Weekly (Lun 9:00, 35 min) · /security-weekly

  • [ ] pnpm audit (frontend) + pip-audit (backend) → fix critical/high
  • [ ] Stripe webhook events review · failed deliveries > 0? retry o investigate
  • [ ] Dependabot PR review · merge se safe (skill coderabbit:code-review)
  • [ ] Secret rotation calendar · 1 secret rotated questa sett?
  • [ ] Sub-processor advisories check (Anthropic, Mistral, Google, Stripe, Vercel, Supabase)

Monthly (1° del mese, 85 min) · /security-monthly

  • [ ] RLS audit · skill multiverbe-supabase-rls-patterns · get_advisors MCP tool · check policy performance + cross-tenant leak
  • [ ] Audit log review · pgAudit log inspection · anomalie?
  • [ ] Stripe webhook signature test · skill multiverbe-stripe-checkout-edges
  • [ ] Sentry PII filter · check eventi non contengano PII (email, telefono, contenuti)
  • [ ] securityheaders.com scan · target A+ · CSP, HSTS, X-Frame-Options, Referrer-Policy
  • [ ] 1Password drill · backup recovery test (recovery key funzionante?)
  • [ ] Sub-processor cert · SOC2/ISO 27001 ancora vigenti? rinnovi imminenti?
  • [ ] Storage backup · Supabase storage backup downloadabile? checksum valido?

Quarterly (1 ora) · /dr-test

  • [ ] DR test Supabase PITR · restore in dev branch + integrity check + cleanup
  • [ ] Backup S3 dump · test scarico + restore parziale
  • [ ] Secret rotation full cycle · ruota tutto invecesssimo trimestrale
  • [ ] Incident response drill · simulazione 30 min skill multiverbe-incident-response

Annual (1-2 giorni)

  • [ ] Pentest esterno · vendor selezionato (CHF 8-15k) · skill multiverbe-security-ch per scope
  • [ ] Bug bounty platform · attivare HackerOne/Intigriti? trigger: 50+ paganti
  • [ ] SOC2 readiness check · gap analysis · solo se 100+ paganti enterprise

🔑 Account Aziendali Attivi · Tracker

Tieni sincronizzato. Quando aggiungi/rimuovi account, aggiorna qui + log in decisions-log.md.

Servizio Owner MFA Tipo Costo
Anthropic Console Gregorio ✅ Yubikey API + Claude Code Max $400/mo (Mag-Giu)
Supabase Gregorio ✅ TOTP DB + auth Free → $25/mo
Vercel Gregorio ✅ TOTP Hosting $0 → $20/mo
Stripe Gregorio ✅ TOTP Payments per uso
Mistral La Plateforme Gregorio ✅ TOTP Email outreach API per uso
Google Cloud (Gemini) Gregorio ✅ TOTP Content multimodal per uso
GitHub Gregorio + Loris ✅ Yubikey + TOTP Code + business repo Free
Cloudflare Gregorio ✅ TOTP DNS + CDN Free
Sentry Gregorio ✅ TOTP Error tracking Free → $26/mo
Brevo Gregorio ✅ TOTP Email transazionale Multiverbe (sender send.multiverbe.com) Free 9k/mo → $20/mo Pro 50k
Resend Gregorio ✅ TOTP Email transazionale Metaverbe agenzia (NON Multiverbe · separato dal 2026-05-10 decisione) Free 3k/mo
Google Workspace Gregorio RIMOSSO 2026-05-17 audit · filosofia Hub decentralizzata. Sostituito da ImprovMX catch-all (free) + Brevo. $18/mo risparmiati.
ImprovMX Gregorio password + 2FA Catch-all *@multiverbe.com (futuro *@multiverbe.ch) → metaverbe@gmail.com inbox Free tier
Register.it Gregorio ⚠️ password only Domini + DNS legacy €12/anno
Datatrans / Payrexx post Q4 ⚠️ pending Twint CH CHF 49/mo
Notion Gregorio ✅ TOTP Note personal Free

⚠️ Action items:

  • [ ] Register.it · attivare MFA appena possibile
  • [ ] Q4 '26: setup Datatrans/Payrexx con MFA hardware

👤 Account Personali Critici

Meta: founder personal liability mitigation (CHF 250k revFADP).

Account Owner MFA Note
Email founder primario Gregorio ✅ Yubikey + backup key recovery setup
Email Loris primario Loris ✅ TOTP min · Yubikey raccomandato
Banking online (CH) Loris (residente) ✅ hardware token banca post GmbH
1Password personal entrambi ✅ Yubikey recovery key in safe fisica
Apple ID / Google ID entrambi ✅ TOTP min impatta device encryption
iCloud / Google Drive backup entrambi ✅ TOTP no doc Multiverbe sensibili lì

📅 Come integrare in Google Calendar

  1. Apri Google Calendar
  2. Settings → Add calendar → Import
  3. Carica security-calendar.ics
  4. Calendario "Multiverbe Security" appare in sidebar
  5. Eventi ricorrenti: Daily 9:00 (5min) · Weekly Lun 9:00 (35min) · Monthly day 1 (85min) · Quarterly day 1 of quarter (1h)

🚨 Quick action checklist · founder prima settimana post-launch

  • [ ] Tutti i secret in 1Password (no env locali, no chat, no email)
  • [ ] Yubikey hardware acquistato + setup MFA tutti gli account critici
  • [ ] BitLocker abilitato su Windows founder
  • [ ] VPN aziendale attivata (Mullvad o ProtonVPN, CHF 5/mo)
  • [ ] Sentry alert configurato per critical errors → Slack/email Gregorio
  • [ ] Stripe webhook monitor configurato
  • [ ] Supabase RLS audit script eseguito (vedi skill multiverbe-supabase-rls-patterns)
  • [ ] DR test prima esecuzione manuale (skill dr-test)
  • [ ] Privacy policy + ToS pubblicate su multiverbe.com
  • [ ] Cookie banner LPD/GDPR-compliant attivo
  • [ ] Sub-processor list pubblicata + DPA template per clienti

Skill master: multiverbe-security-ch (calendario completo + OWASP Top 10 + incident response + DR + supply chain + secret rotation cadence + MFA + backup test + vendor security scoring + pentest roadmap)

Ultimo update: 2026-05-17 · audit-batch · (1) Email transazionale Multiverbe correttamente attribuita a Brevo (era erroneamente "Resend" — Resend ora solo Metaverbe agenzia, decisione 2026-05-10). (2) Google Workspace RIMOSSO ($18/mo risparmiati · filosofia Hub decentralizzata · ImprovMX catch-all free + Brevo bastano). Precedente 2026-05-09: estratto da BOS §17. Owner: Gregorio Ciurleo (esecuzione) · Loris Beraud (account propri MFA)