v2.5.4 -- Tier 2 + Tier 3 closure: auth hardening, GDPR UX, OSS hygiene

TIER 2 -- security hardening on auth + GDPR-aware UX

* /auth/forgot-password is now constant-time and PII-free in logs.
  Pre-2.5.4 the unknown-email path early-returned (5-20x faster than
  the known-email path) and the MTA-failure log printed user.email.
  Both paths now do the same token-gen + hash work and sleep a
  randomised 50-250ms; failure log records user.id only.

* CSRF token rotation on /auth/refresh -- regression-locked. The
  rotation was already happening (every _build_token_response mints
  a fresh secrets.token_urlsafe(32)) but the invariant was nowhere
  asserted. Added inline rationale + TestCSRF.test_csrf_token_
  rotates_on_refresh in the integration suite.

* Findings page: dismissible GDPR PII notice banner. Scan evidence
  can include hostnames, employee emails, IPs -- all PII under Art.
  4(1). Banner reminds the operator they're the controller for this
  data. 3 keys x 5 locales = 15 new i18n entries, parity 5/5.

* docs/privacy.md v1.0 -> v1.1: rewrote the self-hosted section
  with concrete data-flow disclosures (data-inventory table, IP/UA
  in audit_logs + Art. 89 pseudonymisation on erasure, crt.sh as a
  third-party transfer, scanner-PII surfaces, deployer obligations).

TIER 3 -- OSS hygiene

* SECURITY.md fully rewritten: RFC 9116 cross-ref, GitHub-private-
  disclosure preferred, 24h/48h/5d/10d response-by-severity SLA, 35d
  medium-severity patch ceiling (CRA Reg. EU 2024/2847 conventions),
  90d coordinated disclosure default, in/out-of-scope matrix, full
  enumerated security-measures section, hall-of-fame placeholder,
  PGP placeholder until permanent key is provisioned.

* packages/web/public/.well-known/security.txt -- RFC 9116-compliant
  with Contact, Policy, Languages (en, it), Canonical, Expires
  2027-04-30.

* CODE_OF_CONDUCT.md -- Contributor Covenant 2.1.

* .github/ISSUE_TEMPLATE/{bug_report,feature_request}.yml +
  config.yml. blank_issues_enabled: false; contact_links redirect
  security to private advisories, questions to Discussions, dual-
  license inquiries to email.

* .github/PULL_REQUEST_TEMPLATE.md -- summary / why / surface impact
  / verification / NIS2-GDPR-legal exposure prompt.

* .github/CODEOWNERS -- single-maintainer fallback with explicit
  re-listing of the security-sensitive paths.

Misc:
* .gitignore: .ruff_cache/ added.
* .gitleaks.toml: nis2-findings-pii-notice-v\d+ added to allowlist.
* API_VERSION 2.5.3 -> 2.5.4.

Verified:
* Web build green (24/24 pages).
* 5/5 locales validate; findings.piiNotice* aligned.
* security.txt linted by hand against RFC 9116 sec. 2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: fabriziosalmi

.github/CODEOWNERS

@@ -0,0 +1,45 @@
+# Copyright (c) 2026 Fabrizio Salmi <fabrizio.salmi@gmail.com>
+# SPDX-License-Identifier: AGPL-3.0-only
+# NIS2 Compliance Platform — https://github.com/fabriziosalmi/nis2-public
+#
+# CODEOWNERS controls auto-assignment of reviewers on pull requests.
+# Today the project has a single maintainer, so every path falls back
+# to the same owner. The file still earns its keep:
+#   - it makes the ownership explicit for any future fork or
+#     dual-maintained scenario (just add lines, no schema change);
+#   - it auto-requests review on every PR so nothing slips through
+#     waiting for the author to remember to assign;
+#   - GitHub uses it for required-review branch protection rules
+#     even when there is only one owner.
+#
+# Syntax: https://docs.github.com/en/repositories/managing-your-repositories-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default — every path not matched by a more specific rule below.
+*                                       @fabriziosalmi
+
+# Security-sensitive surfaces. Listing them again is redundant while
+# there is one owner, but it documents the surfaces that warrant the
+# strictest review when ownership grows.
+SECURITY.md                             @fabriziosalmi
+.well-known/                            @fabriziosalmi
+packages/web/public/.well-known/        @fabriziosalmi
+packages/api/app/middleware/csrf.py     @fabriziosalmi
+packages/api/app/database.py            @fabriziosalmi
+packages/api/app/routers/auth.py        @fabriziosalmi
+packages/api/app/utils/target_validator.py  @fabriziosalmi
+packages/api/alembic/                   @fabriziosalmi
+infra/                                  @fabriziosalmi
+
+# Legal / compliance copy. Any change here should ship in lockstep
+# with the dashboard's compliance page and the CHANGELOG.
+docs/privacy.md                         @fabriziosalmi
+docs/terms.md                           @fabriziosalmi
+LICENSE                                 @fabriziosalmi
+CODE_OF_CONDUCT.md                      @fabriziosalmi
+
+# CI / supply chain. A bad workflow change can leak secrets or
+# downgrade the security gates — explicit ownership prompts a
+# closer review.
+.github/workflows/                      @fabriziosalmi
+.github/dependabot.yml                  @fabriziosalmi
+.gitleaks.toml                          @fabriziosalmi

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,98 @@
+# Copyright (c) 2026 Fabrizio Salmi <fabrizio.salmi@gmail.com>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+name: Bug report
+description: Something works incorrectly or breaks. Not for security issues — see SECURITY.md.
+title: "[bug] "
+labels: ["bug", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug report. The platform is
+        AGPL-3.0 *as is, without warranty* — but well-formed reports get
+        addressed faster, so a few specifics here go a long way.
+
+        **Not a bug?** Use [Discussions](https://github.com/fabriziosalmi/nis2-public/discussions) for questions or design conversations.
+        **Security issue?** Use the [private advisory flow](https://github.com/fabriziosalmi/nis2-public/security/advisories/new), not this template.
+
+  - type: input
+    id: version
+    attributes:
+      label: Platform version
+      description: |
+        Run `cat packages/api/pyproject.toml | grep ^version` or check the bottom-left of the dashboard. If you can, also include the commit SHA (`git rev-parse HEAD`).
+      placeholder: e.g. 2.5.4 (commit abc1234)
+    validations:
+      required: true
+
+  - type: dropdown
+    id: deployment
+    attributes:
+      label: How are you running the platform?
+      options:
+        - "make dev (local Docker compose)"
+        - "make prod (Caddy + production compose)"
+        - "Custom deployment (Kubernetes / cloud / other)"
+        - "Not running yet — bug in the install path"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: os
+    attributes:
+      label: Host OS
+      options:
+        - macOS (Apple Silicon)
+        - macOS (Intel)
+        - Linux (Debian / Ubuntu)
+        - Linux (RHEL / Fedora / Rocky / Alma)
+        - Linux (other distro)
+        - Windows + WSL2
+        - Windows native (cmd.exe / PowerShell)
+        - Other
+    validations:
+      required: true
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: A clear and concise description of the bug. What did you see versus what you expected?
+      placeholder: |
+        I clicked X and got Y, but I expected Z because the docs said …
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: Minimal repro from a fresh `make dev` clone whenever possible. Concrete commands beat prose.
+      placeholder: |
+        1. `git clone … && make dev`
+        2. Register at /register with …
+        3. Click …
+        4. Observe …
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant logs
+      description: |
+        Output from `make api-logs`, `make web-logs`, browser DevTools console — whatever helps. **Strip any production secrets, real customer data, or internal hostnames before pasting.**
+      render: shell
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: prereqs
+    attributes:
+      label: Pre-flight
+      options:
+        - label: I confirmed this is not a security vulnerability (security goes via the private advisory flow).
+          required: true
+        - label: I searched existing issues and discussions before opening this.
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,29 @@
+# Copyright (c) 2026 Fabrizio Salmi <fabrizio.salmi@gmail.com>
+# SPDX-License-Identifier: AGPL-3.0-only
+# NIS2 Compliance Platform — https://github.com/fabriziosalmi/nis2-public
+#
+# `blank_issues_enabled: false` forces every new issue through one of
+# the structured templates below — saves a triage round on "what version
+# are you on", "is this a bug or a question", etc.
+
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/fabriziosalmi/nis2-public/security/advisories/new
+    about: |
+      Please use GitHub's private vulnerability reporting flow. Public
+      issues for security bugs leave every operator running this code
+      exposed before a fix is available — see SECURITY.md for the full
+      policy and SLA.
+  - name: Question / discussion
+    url: https://github.com/fabriziosalmi/nis2-public/discussions
+    about: |
+      For questions, configuration help, or open-ended design
+      discussions, please open a Discussion instead of an Issue.
+      Issues are reserved for actionable bugs and feature requests.
+  - name: Commercial / dual-license inquiry
+    url: mailto:fabrizio.salmi@gmail.com
+    about: |
+      Email the maintainer directly for dual-license / consultancy
+      requests. The codebase is AGPL-3.0; commercial-friendly licensing
+      is available on a case-by-case basis.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,63 @@
+# Copyright (c) 2026 Fabrizio Salmi <fabrizio.salmi@gmail.com>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+name: Feature request
+description: Suggest a new capability or an enhancement to an existing feature.
+title: "[feat] "
+labels: ["enhancement", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for thinking about how the platform could be better. The bar for accepting a feature request is "this helps a real NIS2 / Art. 21 / Art. 18 use case for an Italian or EU operator", so the framing below is what we'll triage against.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem are you trying to solve?
+      description: Lead with the pain, not the proposed solution. "I can't see X" is more useful than "Add a new tab".
+      placeholder: |
+        When I run a scan against …, I cannot tell whether …
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed change
+      description: How would you like the platform to behave? UI mock-ups, API shape, or just prose are all fine.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Workarounds that exist today, and why they fall short.
+    validations:
+      required: false
+
+  - type: dropdown
+    id: surface
+    attributes:
+      label: Which surface does this touch?
+      multiple: true
+      options:
+        - API
+        - Web UI / Dashboard
+        - Scanner
+        - Documentation site
+        - Compliance / Governance / Vendors content
+        - Deployment / packaging
+        - Other
+    validations:
+      required: true
+
+  - type: textarea
+    id: nis2-context
+    attributes:
+      label: NIS2 / regulatory context (optional)
+      description: |
+        If the request is driven by a specific Article — Art. 21 sub-paragraph, Art. 18, ACN-specific obligation, GDPR cross-cut, etc. — cite it. It's a tie-breaker on prioritisation.
+    validations:
+      required: false

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,68 @@
+<!--
+  Copyright (c) 2026 Fabrizio Salmi <fabrizio.salmi@gmail.com>
+  SPDX-License-Identifier: AGPL-3.0-only
+  NIS2 Compliance Platform — https://github.com/fabriziosalmi/nis2-public
+
+  Thanks for the contribution. The template below mirrors how the
+  maintainer writes commit messages and CHANGELOG entries — filling it
+  in honestly speeds up review and reduces the back-and-forth that
+  follows a vague PR description.
+-->
+
+## Summary
+
+<!-- One or two sentences. What does this change do, and why? -->
+
+## Why
+
+<!--
+  The motivation. Cite a specific user, audit finding, NIS2 / GDPR
+  Article, or external-reviewer feedback if applicable. "Cleanup" is
+  a fine reason; just say so.
+-->
+
+## What changes
+
+<!-- A short bulleted list. Files / modules touched, not a diff dump. -->
+
+-
+
+## Surface impact
+
+- [ ] API behaviour change
+- [ ] Database schema (migration included)
+- [ ] Web UI change (screenshots below)
+- [ ] Scanner module
+- [ ] Documentation site
+- [ ] Deployment / packaging / CI
+- [ ] None of the above (refactor / internal / docs only)
+
+## Verification
+
+<!--
+  How did you test this? Concrete commands beat "tested locally".
+  If a UI change, attach a screenshot or screen recording.
+-->
+
+- [ ] Web build passes (`cd packages/web && npx next build`)
+- [ ] Unit tests pass (`make test`)
+- [ ] Tested by hand against `make dev`
+- [ ] i18n parity preserved (`node` parity check on `messages/*.json`)
+- [ ] No new secrets committed (gitleaks-clean)
+
+## NIS2 / GDPR / legal exposure
+
+<!--
+  If this PR touches anything personal-data-shaped, anything that
+  changes what the operator (data controller) is told, or anything
+  that materially shifts the maintainer's exposure under AGPL-3.0
+  §15-16, flag it here so it can be reflected in CHANGELOG and the
+  privacy notice as needed.
+
+  Most PRs will say "no exposure change" — that's a fine answer.
+-->
+
+## Related issues / discussions
+
+Closes #
+Refs #

.gitignore

@@ -90,6 +90,7 @@ Thumbs.db
 # Misc caches
 __pycache__/
 .pytest_cache/
+.ruff_cache/
 *.pyc
 # VitePress build artifacts
 docs/.vitepress/cache/

.gitleaks.toml

@@ -44,4 +44,5 @@ regexes = [
     '''nis2-doc-locale''',
     '''nis2-auth-v\d+''',
     '''nis2-dashboard-orientation-v\d+''',
+    '''nis2-findings-pii-notice-v\d+''',
 ]

CHANGELOG.md

@@ -1,5 +1,75 @@
 # Changelog
 
+## [2.5.4] - 2026-04-30
+
+Tier 2 + Tier 3 closure — security hardening on the auth surfaces, GDPR-aware UX on findings, and the OSS-hygiene files (SECURITY.md, security.txt, CODE_OF_CONDUCT, issue/PR templates, CODEOWNERS) the project had been carrying as deferred items.
+
+### 🟠 Security — `/auth/forgot-password` is now constant-time and PII-free in the logs
+
+**Pre-2.5.4 problem.** The unknown-email path early-returned after the `SELECT`, so its wall-clock time was 5–20× shorter than the known-email path (which generates a token, hashes it, INSERTs, and awaits SMTP). A chatty attacker could enumerate registered emails via response timing alone, defeating the always-204 contract. Separately, the MTA-failure log printed `user.email`, promoting a transient operational error into a long-lived PII record and creating a secondary email-enumeration channel for anyone with log access.
+
+**v2.5.4 changes** in `packages/api/app/routers/auth.py::forgot_password`:
+
+1. The unknown-email path now performs the **same** `secrets.token_urlsafe(32)` + SHA-256 hash work as the known-email path and discards the result, so CPU and DB-ish profiles match within a few microseconds.
+2. **Both** paths sleep a randomised `asyncio.sleep(uniform(0.05, 0.25))` before returning, so the variable cost of the real `send_email()` call is masked under the same jitter band.
+3. The MTA-failure log now records `user.id` only — sufficient for an operator triaging the failure, not an enumeration channel.
+
+The full rationale is in the function docstring so the next reader doesn't strip the defenses thinking they're noise.
+
+### 🟠 Security — CSRF token rotation on `/auth/refresh` (regression-locked)
+
+The double-submit CSRF cookie was already being re-minted on every call to `_build_token_response` — but the invariant was nowhere asserted in tests, and the inline rationale was missing. v2.5.4 adds:
+
+- A focused inline comment in `_build_token_response` explaining *why* the rotation is intentional (a captured CSRF cookie has the same short lifetime as the access token rather than surviving for the full refresh-token window).
+- `TestCSRF.test_csrf_token_rotates_on_refresh` in the integration suite, asserting both cookie and response-body reflect a fresh token after `/auth/refresh`.
+
+### 🟠 GDPR — Findings page now carries an explicit personal-data notice
+
+Scan results capture hostnames, IP addresses, employee email addresses (from secrets scanning), and other identifiers that count as personal data under GDPR Art. 4(1). Pre-2.5.4 the operator was given no in-product notice that they are the controller for this evidence and that exports / sharing / retention need to reflect that.
+
+The new dismissible `FindingsPiiNotice` banner sits between the Findings page header and the filters, with content like:
+
+> **I findings possono contenere dati personali**
+>
+> I risultati delle scansioni possono includere hostname, indirizzi IP, indirizzi email o altri identificatori estratti da fonti pubbliche (DNS, certificate transparency, pattern-matching su secret). Ai sensi del GDPR sei il titolare del trattamento per queste evidenze — applica agli export, alla condivisione e alla retention la stessa cura che applicheresti ai dati personali sottostanti.
+
+Implementation: same SSR-empty-tree pattern as `LegalDisclaimerModal` and `OrientationCard`; versioned `localStorage` key `nis2-findings-pii-notice-v1`; 3 keys × 5 locales (en/it/fr/de/es) = 15 new i18n entries, parity 5/5.
+
+### 🟠 GDPR — `docs/privacy.md` rewritten with concrete data-flow disclosures
+
+`§7 Self-hosted deployments` was a generic "you're the controller" stub. v1.1 splits it into six numbered sub-sections that lay out **specifically** what a self-hosted instance processes:
+
+- **§7.1 Data inventory** — explicit table of every personal-data category, the table it lives in, and the default retention.
+- **§7.2 IP address and User-Agent in `audit_logs`** — names the columns, cites the legal basis (Art. 6(1)(f)), documents pseudonymisation on Art. 17 erasure, and points at `AUDIT_LOG_RETENTION_DAYS`.
+- **§7.3 Outbound network calls** — names `crt.sh` (Sectigo), DNS resolvers, and target hosts as third-party data flows the deployer has to disclose to data subjects. Reaffirms zero outbound telemetry.
+- **§7.4 PII captured incidentally by the scanner** — secrets-scanner output, subdomain enumeration, port banners.
+- **§7.5 / §7.6** — what the maintainer is *not* (no Art. 28 contract, no warranty), and the deployer's own GDPR obligations.
+
+Doc version bumped to 1.1; the existing template structure for self-hosted deployers is preserved.
+
+### 🟠 OSS hygiene — SECURITY.md, security.txt, CODE_OF_CONDUCT, issue / PR templates, CODEOWNERS
+
+The project had a thin `SECURITY.md` (3-row supported-versions table, 7-day-fix promise, no PGP, no CRA reference) and no other OSS-hygiene scaffolding. v2.5.4 ships a coordinated rewrite:
+
+- **`SECURITY.md`** — RFC 9116 cross-reference, GitHub-private-disclosure preferred channel, 24h/48h/5d/10d response-by-severity SLAs, **35-day medium-severity patch ceiling** (aligned with EU Cyber Resilience Act Reg. EU 2024/2847 conventions), 90-day coordinated-disclosure default, in-scope / out-of-scope matrix, full enumerated security-measures section reflecting code as it ships in `main`, hall-of-fame placeholder, PGP placeholder until the maintainer's permanent key is provisioned.
+- **`packages/web/public/.well-known/security.txt`** — RFC 9116-compliant: GitHub private-disclosure URL + email contact, policy URL, languages `en, it`, canonical URL, `Expires: 2027-04-30`.
+- **`CODE_OF_CONDUCT.md`** — verbatim Contributor Covenant 2.1 with the project's community spaces and reporting contact filled in.
+- **`.github/ISSUE_TEMPLATE/{bug_report,feature_request}.yml` + `config.yml`** — structured forms with `blank_issues_enabled: false`. The config `contact_links` redirect security reports to the private-advisory flow, questions to Discussions, and dual-license inquiries to email — saving a triage round on miscategorised issues.
+- **`.github/PULL_REQUEST_TEMPLATE.md`** — summary / why / surface-impact checkboxes / verification checklist / NIS2-GDPR-legal-exposure prompt. Mirrors the structure of the maintainer's commit-message and CHANGELOG style.
+- **`.github/CODEOWNERS`** — every path falls back to `@fabriziosalmi` (single maintainer), with explicit re-listing of the security-sensitive paths (auth, RLS bootstrap, target validator, alembic, infra, gitleaks config) so that growth into multi-maintainer requires no schema change. Documents the *intent* of strictest review on those paths.
+
+### Misc
+
+- `.gitignore`: `.ruff_cache/` added (was leaking into `git status`).
+- `.gitleaks.toml`: `nis2-findings-pii-notice-v\d+` added to the localStorage-key allowlist family.
+- `API_VERSION` literal bumped 2.5.3 → 2.5.4 in lockstep with `pyproject.toml`.
+
+### Verified
+
+- Web build: green (24/24 pages, /dashboard/findings page builds cleanly).
+- 5/5 i18n locales validate; new `findings.piiNotice*` namespace present and aligned (3 keys × 5 locales = 15 entries).
+- `.well-known/security.txt` linted by hand against RFC 9116 §2 (Expires set, Contact present, Canonical and Policy URLs absolute).
+
 ## [2.5.3] - 2026-04-30
 
 External-reviewer feedback round (Davide, fresh-clone walkthrough). Four concrete fixes — one runtime blocker, one onboarding trap, one operability paper-cut, one orientation gap.