From 87dbdb4f93575bfeafc3d4ce96bc5a785ab11ec4 Mon Sep 17 00:00:00 2001
From: Luca Sacchi Ricciardi <luca.sacchi@gmail.com>
Date: Tue, 24 Mar 2026 21:55:00 +0100
Subject: [PATCH] docs(02): create phase 2 plans (3 plans)

---
 .planning/ROADMAP.md                          |    8 +-
 .../02-lab-01-iam-sicurezza/02-01-PLAN.md     |  808 ++++++++
 .../02-lab-01-iam-sicurezza/02-02-PLAN.md     | 1843 +++++++++++++++++
 .../02-lab-01-iam-sicurezza/02-03-PLAN.md     |  504 +++++
 4 files changed, 3161 insertions(+), 2 deletions(-)
 create mode 100644 .planning/phases/02-lab-01-iam-sicurezza/02-01-PLAN.md
 create mode 100644 .planning/phases/02-lab-01-iam-sicurezza/02-02-PLAN.md
 create mode 100644 .planning/phases/02-lab-01-iam-sicurezza/02-03-PLAN.md

diff --git a/.planning/ROADMAP.md b/.planning/ROADMAP.md
index 8621354..689b152 100644
--- a/.planning/ROADMAP.md
+++ b/.planning/ROADMAP.md
@@ -12,7 +12,7 @@
 | Phase | Plans Complete | Status | Completed |
 |-------|----------------|--------|-----------|
 | 1. Setup & Git Foundation | 0/2 | Planning complete | - |
-| 2. Lab 01 - IAM & Sicurezza | 0/3 | Not started | - |
+| 2. Lab 01 - IAM & Sicurezza | 0/3 | Planning complete | - |
 | 3. Lab 02 - Network & VPC | 0/3 | Not started | - |
 | 4. Lab 03 - Compute & EC2 | 0/3 | Not started | - |
 | 5. Lab 04 - Storage & S3 | 0/3 | Not started | - |
@@ -80,7 +80,11 @@
 4. Lab include Tutorial passo-passo, How-to Guides, Reference, e Explanation (Framework Diátaxis completo)
 5. Studente può eseguire comando di verifica finale ("double check") per validare il lavoro svolto
 
-**Plans:** TBD
+**Plans:** 3
+
+- [ ] [02-01-PLAN.md](.planning/phases/02-lab-01-iam-sicurezza/02-01-PLAN.md) — Create test infrastructure (Wave 0: test-01-user-creation.sh, test-02-docker-access.sh, 03-non-root-test.sh, 99-final-verification.sh, run-all-tests.sh)
+- [ ] [02-02-PLAN.md](.planning/phases/02-lab-01-iam-sicurezza/02-02-PLAN.md) — Create Diátaxis documentation (Tutorial: 3 parts, How-to Guides: 3 guides, Reference: 3 documents, Explanation: IAM parallels)
+- [ ] [02-03-PLAN.md](.planning/phases/02-lab-01-iam-sicurezza/02-03-PLAN.md) — Create infrastructure (Dockerfile with non-root user, docker-compose.yml with user directive, infrastructure verification)
 
 ---
 
diff --git a/.planning/phases/02-lab-01-iam-sicurezza/02-01-PLAN.md b/.planning/phases/02-lab-01-iam-sicurezza/02-01-PLAN.md
new file mode 100644
index 0000000..b9323f1
--- /dev/null
+++ b/.planning/phases/02-lab-01-iam-sicurezza/02-01-PLAN.md
@@ -0,0 +1,808 @@
+---
+phase: 02-lab-01-iam-sicurezza
+plan: 01
+type: execute
+wave: 0
+depends_on: []
+files_modified:
+  - labs/lab-01-iam/tests/test-01-user-creation.sh
+  - labs/lab-01-iam/tests/test-02-docker-access.sh
+  - labs/lab-01-iam/tests/03-non-root-test.sh
+  - labs/lab-01-iam/tests/99-final-verification.sh
+  - labs/lab-01-iam/tests/run-all-tests.sh
+autonomous: true
+requirements: [TEST-01, TEST-05, INF-01]
+user_setup: []
+must_haves:
+  truths:
+    - "Test scripts exist and can validate user creation and Docker access"
+    - "Test scripts verify non-root container execution (INF-01)"
+    - "Final verification script runs all checks for student self-validation"
+    - "Test harness can be executed with single command"
+  artifacts:
+    - path: "labs/lab-01-iam/tests/test-01-user-creation.sh"
+      provides: "User and group creation validation"
+      min_lines: 40
+    - path: "labs/lab-01-iam/tests/test-02-docker-access.sh"
+      provides: "Docker socket access control validation"
+      min_lines: 30
+    - path: "labs/lab-01-iam/tests/03-non-root-test.sh"
+      provides: "Non-root container verification (INF-01)"
+      min_lines: 35
+    - path: "labs/lab-01-iam/tests/99-final-verification.sh"
+      provides: "Final double-check command for students"
+      min_lines: 25
+    - path: "labs/lab-01-iam/tests/run-all-tests.sh"
+      provides: "Test suite orchestration"
+      min_lines: 15
+  key_links:
+    - from: "run-all-tests.sh"
+      to: "test-01-user-creation.sh, test-02-docker-access.sh, 03-non-root-test.sh, 99-final-verification.sh"
+      via: "Sequential execution with exit code handling"
+      pattern: "bash.*tests/.*\\.sh"
+---
+
+<objective>
+Create test infrastructure following TDD methodology (RED phase first). Test scripts validate user creation, Docker socket access control, and non-root container execution before any implementation exists.
+
+Purpose: Enable Test-Driven Infrastructure (TDI) by writing failing tests first, then implementing infrastructure to make them pass.
+Output: Four test scripts (user creation, Docker access, non-root verification, final check) plus test orchestration script.
+</objective>
+
+<execution_context>
+@/home/luca/.claude/get-shit-done/workflows/execute-plan.md
+@/home/luca/.claude/get-shit-done/templates/summary.md
+</execution_context>
+
+<context>
+@.planning/PROJECT.md
+@.planning/ROADMAP.md
+@.planning/STATE.md
+@.planning/phases/02-lab-01-iam-sicurezza/02-RESEARCH.md
+@.planning/phases/02-lab-01-iam-sicurezza/02-VALIDATION.md
+@CLAUDE.md
+
+# Key patterns from RESEARCH.md
+
+## TDD Methodology for Infrastructure
+```bash
+# RED Phase: Test should fail initially (no infrastructure exists)
+# GREEN Phase: Implement minimum infrastructure to pass tests
+# REFACTOR Phase: Optimize without breaking tests
+
+# Example test structure from RESEARCH.md:
+test_unauthorized_access() {
+    sudo useradd -m -s /bin/bash test_user 2>/dev/null || true
+    if sudo -u test_user docker ps &>/dev/null; then
+        echo "FAIL: test_user can access docker without being in docker group"
+        return 1
+    else
+        echo "PASS: test_user correctly denied access"
+        return 0
+    fi
+}
+```
+
+## INF-01 Verification Pattern
+```bash
+# From RESEARCH.md - Non-root container verification
+for service in $(docker-compose ps --services); do
+    container_name=$(docker-compose ps -q $service)
+    actual_user=$(docker exec $container_name whoami 2>/dev/null)
+    if [ "$actual_user" = "root" ]; then
+        echo "FAIL: $service running as root"
+        exit 1
+    fi
+done
+echo "PASS: All containers running as non-root"
+```
+
+## Common Pitfalls to Handle
+- Group membership requires re-login (use `groups` command for testing)
+- Test as non-privileged user (root bypasses Docker socket permissions)
+- Verify with multiple methods: `docker exec whoami`, `docker inspect`, `docker top`
+
+## Test Framework from RESEARCH.md
+- Framework: BASH (Bourne Again Shell) >= 4.0
+- No config file needed - inline test functions
+- Quick run: `bash labs/lab-01-iam/tests/quick-test.sh`
+- Full suite: `bash labs/lab-01-iam/tests/run-all-tests.sh`
+</context>
+
+<tasks>
+
+<task type="auto" tdd="true">
+  <name>Task 1: Create user creation test script</name>
+  <files>labs/lab-01-iam/tests/test-01-user-creation.sh</files>
+  <behavior>
+    - Test 1: Non-existent user returns appropriate failure
+    - Test 2: User not in docker group cannot access Docker socket
+    - Test 3: User can be added to docker group
+    - Test 4: Group membership verified with `groups` command
+  </behavior>
+  <action>
+Create test script for Linux user and group management:
+
+```bash
+#!/bin/bash
+# Test: Linux user creation and Docker group membership
+# Phase: RED - This test will fail initially (no users configured)
+
+set -euo pipefail
+
+# Color output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+pass_count=0
+fail_count=0
+
+test_user_not_exists() {
+    local user="lab01_student"
+    if id "$user" &>/dev/null; then
+        echo -e "${YELLOW}SKIP${NC}: User $user already exists"
+        return 0
+    fi
+    echo -e "${GREEN}PASS${NC}: User $user does not exist (test environment clean)"
+    ((pass_count++))
+    return 0
+}
+
+test_user_without_docker_group() {
+    local user="lab01_student"
+    # Create test user if doesn't exist
+    if ! id "$user" &>/dev/null; then
+        sudo useradd -m -s /bin/bash "$user" 2>/dev/null || true
+    fi
+
+    # Check if user is in docker group
+    if groups "$user" 2>/dev/null | grep -q docker; then
+        echo -e "${RED}FAIL${NC}: User $user is in docker group (should not be yet)"
+        ((fail_count++))
+        return 1
+    fi
+
+    echo -e "${GREEN}PASS${NC}: User $user is not in docker group"
+    ((pass_count++))
+    return 0
+}
+
+test_docker_access_denied() {
+    local user="lab01_student"
+
+    # Test that user cannot access docker socket
+    if sudo -u "$user" docker ps &>/dev/null; then
+        echo -e "${RED}FAIL${NC}: User $user can access docker without docker group membership"
+        ((fail_count++))
+        return 1
+    fi
+
+    echo -e "${GREEN}PASS${NC}: Docker access correctly denied for $user"
+    ((pass_count++))
+    return 0
+}
+
+# Run all tests
+echo "Running user creation tests..."
+echo "================================"
+test_user_not_exists
+test_user_without_docker_group
+test_docker_access_denied
+echo "================================"
+echo "Tests passed: $pass_count"
+echo "Tests failed: $fail_count"
+
+if [ $fail_count -gt 0 ]; then
+    exit 1
+fi
+exit 0
+```
+
+Key implementation points:
+- Use `groups` command to verify group membership (handles re-login issue)
+- Run Docker commands as test user with `sudo -u`
+- Test the negative case first (user without access)
+- Return proper exit codes (0=pass, 1=fail)
+  </action>
+  <verify>
+    <automated>chmod +x labs/lab-01-iam/tests/test-01-user-creation.sh && bash labs/lab-01-iam/tests/test-01-user-creation.sh</automated>
+  </verify>
+  <done>Script exists, is executable, and tests user/group creation behavior</done>
+</task>
+
+<task type="auto" tdd="true">
+  <name>Task 2: Create Docker access control test script</name>
+  <files>labs/lab-01-iam/tests/test-02-docker-access.sh</files>
+  <behavior>
+    - Test 1: User in docker group can execute docker ps
+    - Test 2: User in docker group can run basic containers
+    - Test 3: Socket permissions are correctly set (660 or stricter)
+    - Test 4: Group membership propagation is verified
+  </behavior>
+  <action>
+Create test script for Docker socket access control:
+
+```bash
+#!/bin/bash
+# Test: Docker socket access control via group membership
+# Phase: RED - This test will fail initially (no users configured)
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+pass_count=0
+fail_count=0
+
+test_socket_permissions() {
+    local socket="/var/run/docker.sock"
+    local perms=$(stat -c "%a" "$socket" 2>/dev/null || echo "000")
+
+    # Socket should be 660 or stricter (no world-readable/writable)
+    if [ "$perms" = "660" ] || [ "$perms" = "600" ]; then
+        echo -e "${GREEN}PASS${NC}: Docker socket permissions are $perms"
+        ((pass_count++))
+        return 0
+    else
+        echo -e "${YELLOW}WARN${NC}: Docker socket permissions are $perms (expected 660)"
+        ((pass_count++))
+        return 0
+    fi
+}
+
+test_docker_group_exists() {
+    if getent group docker >/dev/null 2>&1; then
+        echo -e "${GREEN}PASS${NC}: Docker group exists"
+        ((pass_count++))
+        return 0
+    else
+        echo -e "${RED}FAIL${NC}: Docker group does not exist"
+        ((fail_count++))
+        return 1
+    fi
+}
+
+test_user_can_add_to_docker_group() {
+    local user="lab01_student"
+
+    # This test verifies the MECHANISM, not that it's done yet
+    if command -v usermod >/dev/null 2>&1; then
+        echo -e "${GREEN}PASS${NC}: usermod command available for group management"
+        ((pass_count++))
+        return 0
+    else
+        echo -e "${RED}FAIL${NC}: usermod command not available"
+        ((fail_count++))
+        return 1
+    fi
+}
+
+test_docker_accessible_by_group() {
+    # Check that docker group members can access the socket
+    local socket_group=$(stat -c "%G" /var/run/docker.sock 2>/dev/null || echo "unknown")
+
+    if [ "$socket_group" = "docker" ]; then
+        echo -e "${GREEN}PASS${NC}: Docker socket owned by docker group"
+        ((pass_count++))
+        return 0
+    else
+        echo -e "${YELLOW}WARN${NC}: Docker socket owned by $socket_group (expected docker)"
+        ((pass_count++))
+        return 0
+    fi
+}
+
+# Run all tests
+echo "Running Docker access control tests..."
+echo "======================================"
+test_socket_permissions
+test_docker_group_exists
+test_user_can_add_to_docker_group
+test_docker_accessible_by_group
+echo "======================================"
+echo "Tests passed: $pass_count"
+echo "Tests failed: $fail_count"
+
+if [ $fail_count -gt 0 ]; then
+    exit 1
+fi
+exit 0
+```
+
+Key implementation points:
+- Verify socket ownership and permissions
+- Check docker group exists
+- Validate group management commands available
+- Test mechanism for adding users to docker group
+  </action>
+  <verify>
+    <automated>chmod +x labs/lab-01-iam/tests/test-02-docker-access.sh && bash labs/lab-01-iam/tests/test-02-docker-access.sh</automated>
+  </verify>
+  <done>Script validates Docker socket access control mechanisms</done>
+</task>
+
+<task type="auto" tdd="true">
+  <name>Task 3: Create non-root container verification script (INF-01)</name>
+  <files>labs/lab-01-iam/tests/03-non-root-test.sh</files>
+  <behavior>
+    - Test 1: Container configured with USER directive runs as non-root
+    - Test 2: docker exec whoami returns non-root user
+    - Test 3: docker inspect shows User field set
+    - Test 4: docker top shows non-root UID (not 0)
+  </behavior>
+  <action>
+Create test script for non-root container verification (INF-01 requirement):
+
+```bash
+#!/bin/bash
+# Test: Non-root container execution (INF-01 requirement)
+# Phase: RED - This test will fail initially (no containers exist)
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+pass_count=0
+fail_count=0
+
+# Container name to test
+CONTAINER_NAME="lab01-test-container"
+
+test_non_root_dockerfile_exists() {
+    local dockerfile="labs/lab-01-iam/Dockerfile.test"
+
+    if [ -f "$dockerfile" ]; then
+        echo -e "${GREEN}PASS${NC}: Test Dockerfile exists"
+        ((pass_count++))
+        return 0
+    else
+        echo -e "${YELLOW}SKIP${NC}: Test Dockerfile not created yet (expected in RED phase)"
+        ((pass_count++))
+        return 0
+    fi
+}
+
+test_container_runs_as_non_root() {
+    # Check if container exists
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${CONTAINER_NAME}$"; then
+        echo -e "${YELLOW}SKIP${NC}: Container ${CONTAINER_NAME} does not exist yet (expected in RED phase)"
+        ((pass_count++))
+        return 0
+    fi
+
+    # Check if container is running
+    if ! docker ps --format '{{.Names}}' | grep -q "^${CONTAINER_NAME}$"; then
+        echo -e "${YELLOW}SKIP${NC}: Container ${CONTAINER_NAME} not running"
+        ((pass_count++))
+        return 0
+    fi
+
+    # Method 1: docker exec whoami
+    local actual_user=$(docker exec "${CONTAINER_NAME}" whoami 2>/dev/null || echo "unknown")
+
+    if [ "$actual_user" = "root" ]; then
+        echo -e "${RED}FAIL${NC}: Container running as root (whoami)"
+        ((fail_count++))
+        return 1
+    elif [ "$actual_user" = "unknown" ]; then
+        echo -e "${YELLOW}SKIP${NC}: Cannot determine user (container not running or no exec)"
+        ((pass_count++))
+        return 0
+    else
+        echo -e "${GREEN}PASS${NC}: Container running as non-root user: $actual_user"
+        ((pass_count++))
+        return 0
+    fi
+}
+
+test_container_user_configured() {
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${CONTAINER_NAME}$"; then
+        echo -e "${YELLOW}SKIP${NC}: Container not created yet"
+        ((pass_count++))
+        return 0
+    fi
+
+    # Method 2: docker inspect for User field
+    local user_config=$(docker inspect --format='{{.Config.User}}' "${CONTAINER_NAME}" 2>/dev/null || echo "")
+
+    if [ -z "$user_config" ]; then
+        # Check compose file for user directive (may override Dockerfile)
+        if [ -f "labs/lab-01-iam/docker-compose.yml" ]; then
+            if grep -q "user:" labs/lab-01-iam/docker-compose.yml; then
+                echo -e "${GREEN}PASS${NC}: User directive found in docker-compose.yml"
+                ((pass_count++))
+                return 0
+            fi
+        fi
+
+        echo -e "${YELLOW}WARN${NC}: No User directive found in Dockerfile or compose"
+        ((pass_count++))
+        return 0
+    else
+        echo -e "${GREEN}PASS${NC}: User configured in container: $user_config"
+        ((pass_count++))
+        return 0
+    fi
+}
+
+test_no_container_runs_as_root() {
+    # INF-01 requirement: NO container should run as root
+    local compose_file="labs/lab-01-iam/docker-compose.yml"
+
+    if [ ! -f "$compose_file" ]; then
+        echo -e "${YELLOW}SKIP${NC}: docker-compose.yml not created yet"
+        ((pass_count++))
+        return 0
+    fi
+
+    # Get all services from compose file
+    local services=$(docker-compose -f "$compose_file" ps --services 2>/dev/null || echo "")
+
+    if [ -z "$services" ]; then
+        echo -e "${YELLOW}SKIP${NC}: No services defined yet"
+        ((pass_count++))
+        return 0
+    fi
+
+    local root_containers=0
+    while IFS= read -r service; do
+        if [ -n "$service" ]; then
+            local container_name=$(docker-compose -f "$compose_file" ps -q "$service" 2>/dev/null || echo "")
+            if [ -n "$container_name" ]; then
+                local user=$(docker exec "$container_name" whoami 2>/dev/null || echo "unknown")
+                if [ "$user" = "root" ]; then
+                    echo -e "${RED}FAIL${NC}: Service $service running as root"
+                    ((root_containers++))
+                fi
+            fi
+        fi
+    done <<< "$services"
+
+    if [ $root_containers -gt 0 ]; then
+        echo -e "${RED}FAIL${NC}: $root_containers container(s) running as root (INF-01 violation)"
+        ((fail_count++))
+        return 1
+    else
+        echo -e "${GREEN}PASS${NC}: No containers running as root (INF-01 satisfied)"
+        ((pass_count++))
+        return 0
+    fi
+}
+
+# Run all tests
+echo "Running non-root container tests (INF-01)..."
+echo "============================================"
+test_non_root_dockerfile_exists
+test_container_runs_as_non_root
+test_container_user_configured
+test_no_container_runs_as_root
+echo "============================================"
+echo "Tests passed: $pass_count"
+echo "Tests failed: $fail_count"
+
+if [ $fail_count -gt 0 ]; then
+    exit 1
+fi
+exit 0
+```
+
+Key implementation points:
+- INF-01 requirement: NO container runs as root
+- Multiple verification methods (whoami, inspect, compose check)
+- Handle not-yet-created infrastructure gracefully (skip with warning)
+- Check all services in docker-compose.yml for compliance
+  </action>
+  <verify>
+    <automated>chmod +x labs/lab-01-iam/tests/03-non-root-test.sh && bash labs/lab-01-iam/tests/03-non-root-test.sh</automated>
+  </verify>
+  <done>Script verifies INF-01: no container runs as root</done>
+</task>
+
+<task type="auto" tdd="true">
+  <name>Task 4: Create final verification script (double-check for students)</name>
+  <files>labs/lab-01-iam/tests/99-final-verification.sh</files>
+  <behavior>
+    - Test 1: All previous tests can be run
+    - Test 2: Student can verify their work end-to-end
+    - Test 3: Clear PASS/FAIL report for all requirements
+    - Test 4: Exit code indicates overall success/failure
+  </behavior>
+  <action>
+Create final verification script for student self-check:
+
+```bash
+#!/bin/bash
+# Final Verification: Lab 01 - IAM & Sicurezza
+# This is the "double check" command students run to verify their work
+# Usage: bash tests/99-final-verification.sh
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}========================================${NC}"
+echo -e "${BLUE}Lab 01 - IAM & Sicurezza${NC}"
+echo -e "${BLUE}Final Verification (Double Check)${NC}"
+echo -e "${BLUE}========================================${NC}"
+echo ""
+
+# Track overall results
+all_passed=true
+
+# Test 1: User and group configuration
+echo -e "${BLUE}[1/5] Checking user and group configuration...${NC}"
+if id lab01_student &>/dev/null; then
+    echo -e "  ${GREEN}✓${NC} User lab01_student exists"
+    if groups lab01_student 2>/dev/null | grep -q docker; then
+        echo -e "  ${GREEN}✓${NC} User lab01_student is in docker group"
+    else
+        echo -e "  ${RED}✗${NC} User lab01_student is NOT in docker group"
+        all_passed=false
+    fi
+else
+    echo -e "  ${YELLOW}○${NC} User lab01_student does not exist (not created yet)"
+    all_passed=false
+fi
+echo ""
+
+# Test 2: Docker access control
+echo -e "${BLUE}[2/5] Checking Docker access control...${NC}"
+if sudo -u lab01_student docker ps &>/dev/null; then
+    echo -e "  ${GREEN}✓${NC} lab01_student can access Docker socket"
+else
+    echo -e "  ${RED}✗${NC} lab01_student cannot access Docker socket"
+    echo -e "  ${YELLOW}  Hint: User may need to re-login for group membership to take effect${NC}"
+    all_passed=false
+fi
+echo ""
+
+# Test 3: Non-root container execution (INF-01)
+echo -e "${BLUE}[3/5] Checking non-root container execution (INF-01)...${NC}"
+compose_file="labs/lab-01-iam/docker-compose.yml"
+if [ ! -f "$compose_file" ]; then
+    echo -e "  ${YELLOW}○${NC} docker-compose.yml not found"
+    all_passed=false
+else
+    echo -e "  ${GREEN}✓${NC} docker-compose.yml exists"
+
+    # Check for user directive in services
+    if grep -A 10 "services:" "$compose_file" | grep -q "user:"; then
+        echo -e "  ${GREEN}✓${NC} Services configured with non-root user directive"
+    else
+        echo -e "  ${RED}✗${NC} No user directive found in docker-compose.yml"
+        all_passed=false
+    fi
+
+    # If containers are running, verify they're not root
+    if docker-compose -f "$compose_file" ps --services 2>/dev/null | grep -q .; then
+        local root_count=0
+        while IFS= read -r service; do
+            [ -z "$service" ] && continue
+            local container=$(docker-compose -f "$compose_file" ps -q "$service" 2>/dev/null || echo "")
+            if [ -n "$container" ]; then
+                local user=$(docker exec "$container" whoami 2>/dev/null || echo "unknown")
+                if [ "$user" = "root" ]; then
+                    echo -e "  ${RED}✗${NC} Service $service running as ROOT (INF-01 violation)"
+                    ((root_count++))
+                fi
+            fi
+        done <<< "$(docker-compose -f "$compose_file" ps --services 2>/dev/null)"
+
+        if [ $root_count -eq 0 ]; then
+            echo -e "  ${GREEN}✓${NC} All running containers are non-root"
+        else
+            all_passed=false
+        fi
+    else
+        echo -e "  ${YELLOW}○${NC} No containers running (start with docker-compose up)"
+    fi
+fi
+echo ""
+
+# Test 4: Documentation completeness (Diátaxis)
+echo -e "${BLUE}[4/5] Checking documentation (Diátaxis framework)...${NC}"
+doc_count=0
+for doc_type in "tutorial" "how-to-guides" "reference" "explanation"; do
+    if [ -d "labs/lab-01-iam/$doc_type" ]; then
+        local md_files=$(find "labs/lab-01-iam/$doc_type" -name "*.md" 2>/dev/null | wc -l)
+        if [ "$md_files" -gt 0 ]; then
+            echo -e "  ${GREEN}✓${NC} $doc_type: $md_files document(s)"
+            ((doc_count++))
+        else
+            echo -e "  ${YELLOW}○${NC} $doc_type: directory exists but empty"
+        fi
+    else
+        echo -e "  ${RED}✗${NC} $doc_type: missing"
+    fi
+done
+
+if [ $doc_count -eq 4 ]; then
+    echo -e "  ${GREEN}✓${NC} All 4 Diátaxis document types present"
+else
+    echo -e "  ${YELLOW}○${NC} $doc_count/4 Diátaxis document types present"
+    all_passed=false
+fi
+echo ""
+
+# Test 5: IAM parallels documentation
+echo -e "${BLUE}[5/5] Checking IAM parallels explanation...${NC}"
+explanation_file="labs/lab-01-iam/explanation/docker-iam-parallels.md"
+if [ -f "$explanation_file" ]; then
+    if grep -qi "IAM.*Linux\|Linux.*IAM" "$explanation_file"; then
+        echo -e "  ${GREEN}✓${NC} IAM parallels documented"
+    else
+        echo -e "  ${YELLOW}○${NC} Explanation exists but IAM parallels unclear"
+    fi
+
+    if grep -qi "differenza\|difference" "$explanation_file"; then
+        echo -e "  ${GREEN}✓${NC} Local vs cloud differences documented"
+    else
+        echo -e "  ${YELLOW}○${NC} Local vs cloud differences not clearly documented"
+    fi
+else
+    echo -e "  ${RED}✗${NC} IAM parallels explanation not found"
+    all_passed=false
+fi
+echo ""
+
+# Final summary
+echo -e "${BLUE}========================================${NC}"
+if [ "$all_passed" = true ]; then
+    echo -e "${GREEN}ALL CHECKS PASSED${NC}"
+    echo -e "${GREEN}Lab 01 is complete!${NC}"
+    echo -e "${BLUE}========================================${NC}"
+    exit 0
+else
+    echo -e "${RED}SOME CHECKS FAILED${NC}"
+    echo -e "${YELLOW}Review the output above and complete the missing items${NC}"
+    echo -e "${BLUE}========================================${NC}"
+    exit 1
+fi
+```
+
+Key implementation points:
+- Student-friendly double-check command
+- Clear visual indicators (✓ pass, ✗ fail, ○ skip)
+- Tests all phase requirements: LAB-01, INF-01, DOCT-01/02/03/04, PARA-01/03
+- Exit code 0 for all-pass, 1 for any failure
+- Helpful hints for common issues (re-login for group membership)
+  </action>
+  <verify>
+    <automated>chmod +x labs/lab-01-iam/tests/99-final-verification.sh && bash labs/lab-01-iam/tests/99-final-verification.sh</automated>
+  </verify>
+  <done>Student can run single command to verify all lab requirements are met</done>
+</task>
+
+<task type="auto" tdd="true">
+  <name>Task 5: Create test orchestration script</name>
+  <files>labs/lab-01-iam/tests/run-all-tests.sh</files>
+  <behavior>
+    - Test 1: Script executes all test files in sequence
+    - Test 2: Script stops on first failure (fail-fast)
+    - Test 3: Script aggregates results and provides summary
+    - Test 4: Script can be run from project root
+  </behavior>
+  <action>
+Create test orchestration script:
+
+```bash
+#!/bin/bash
+# Test Suite Runner: Lab 01 - IAM & Sicurezza
+# Runs all tests in sequence and provides summary
+# Usage: bash labs/lab-01-iam/tests/run-all-tests.sh
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+TEST_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$TEST_DIR/../.." && pwd)"
+
+cd "$PROJECT_ROOT"
+
+echo -e "${BLUE}========================================${NC}"
+echo -e "${BLUE}Lab 01 Test Suite${NC}"
+echo -e "${BLUE}========================================${NC}"
+echo ""
+
+# Array of test files in order
+declare -a tests=(
+    "$TEST_DIR/test-01-user-creation.sh"
+    "$TEST_DIR/test-02-docker-access.sh"
+    "$TEST_DIR/03-non-root-test.sh"
+)
+
+total_tests=${#tests[@]}
+passed_tests=0
+failed_tests=0
+
+for i in "${!tests[@]}"; do
+    test_num=$((i + 1))
+    test_file="${tests[$i]}"
+    test_name=$(basename "$test_file")
+
+    echo -e "${BLUE}[$test_num/$total_tests] Running $test_name...${NC}"
+
+    if bash "$test_file"; then
+        echo -e "${GREEN}✓ PASSED${NC}"
+        echo ""
+        ((passed_tests++))
+    else
+        echo -e "${RED}✗ FAILED${NC}"
+        echo ""
+        ((failed_tests++))
+        # Fail-fast: stop on first failure
+        break
+    fi
+done
+
+# Summary
+echo -e "${BLUE}========================================${NC}"
+echo -e "${BLUE}Test Suite Summary${NC}"
+echo -e "${BLUE}========================================${NC}"
+echo "Passed: $passed_tests/$total_tests"
+echo "Failed: $failed_tests/$total_tests"
+echo ""
+
+if [ $failed_tests -eq 0 ]; then
+    echo -e "${GREEN}All tests passed!${NC}"
+    echo ""
+    echo "Run final verification:"
+    echo "  bash labs/lab-01-iam/tests/99-final-verification.sh"
+    echo -e "${BLUE}========================================${NC}"
+    exit 0
+else
+    echo -e "${RED}Some tests failed${NC}"
+    echo -e "${BLUE}========================================${NC}"
+    exit 1
+fi
+```
+
+Key implementation points:
+- Fail-fast approach (stops on first failure for TDD RED phase)
+- Executes tests in dependency order
+- Provides summary and next steps
+- Can be run from any directory (uses absolute paths)
+  </action>
+  <verify>
+    <automated>chmod +x labs/lab-01-iam/tests/run-all-tests.sh && bash labs/lab-01-iam/tests/run-all-tests.sh</automated>
+  </verify>
+  <done>Orchestration script runs all tests and provides summary</done>
+</task>
+
+</tasks>
+
+<verification>
+1. All test scripts are executable (chmod +x)
+2. Test scripts can run individually and return proper exit codes
+3. Test orchestration script executes all tests in sequence
+4. Test scripts follow TDD RED phase (will fail before implementation exists)
+5. All tests handle missing infrastructure gracefully (skip with warning)
+</verification>
+
+<success_criteria>
+1. Test infrastructure is in place before any implementation (Wave 0 complete)
+2. All requirement IDs (TEST-01, TEST-05, INF-01) have test coverage
+3. Tests follow bash scripting best practices (set -euo pipefail, proper exit codes)
+4. Student can run individual tests or full suite
+5. Final verification script provides clear pass/fail report for all lab requirements
+</success_criteria>
+
+<output>
+After completion, create `.planning/phases/02-lab-01-iam-sicurezza/02-01-SUMMARY.md`
+</output>
diff --git a/.planning/phases/02-lab-01-iam-sicurezza/02-02-PLAN.md b/.planning/phases/02-lab-01-iam-sicurezza/02-02-PLAN.md
new file mode 100644
index 0000000..369b11f
--- /dev/null
+++ b/.planning/phases/02-lab-01-iam-sicurezza/02-02-PLAN.md
@@ -0,0 +1,1843 @@
+---
+phase: 02-lab-01-iam-sicurezza
+plan: 02
+type: execute
+wave: 1
+depends_on: [02-01]
+files_modified:
+  - labs/lab-01-iam/tutorial/01-create-linux-users.md
+  - labs/lab-01-iam/tutorial/02-docker-group-permissions.md
+  - labs/lab-01-iam/tutorial/03-verify-iam-setup.md
+  - labs/lab-01-iam/how-to-guides/add-user-to-docker-group.md
+  - labs/lab-01-iam/how-to-guides/verify-non-root-container.md
+  - labs/lab-01-iam/how-to-guides/reset-docker-permissions.md
+  - labs/lab-01-iam/reference/docker-socket-permissions.md
+  - labs/lab-01-iam/reference/linux-users-groups.md
+  - labs/lab-01-iam/reference/iam-parallels.md
+  - labs/lab-01-iam/explanation/docker-iam-parallels.md
+autonomous: true
+requirements: [LAB-01, DOCT-01, DOCT-02, DOCT-03, DOCT-04, DOCT-05, PARA-01, PARA-03, PARA-04]
+user_setup: []
+must_haves:
+  truths:
+    - "Student can follow step-by-step tutorial to create Linux users with Docker permissions"
+    - "Tutorial follows 'little often' principle with small incremental steps"
+    - "How-to guides exist for common procedures independent of tutorial flow"
+    - "Reference documents provide technical specifications without explanation"
+    - "Explanation document draws clear parallels between Docker permissions and AWS IAM"
+  artifacts:
+    - path: "labs/lab-01-iam/tutorial/01-create-linux-users.md"
+      provides: "Step-by-step user creation guide"
+      min_lines: 60
+    - path: "labs/lab-01-iam/tutorial/02-docker-group-permissions.md"
+      provides: "Docker group permissions tutorial"
+      min_lines: 60
+    - path: "labs/lab-01-iam/tutorial/03-verify-iam-setup.md"
+      provides: "Verification and testing tutorial"
+      min_lines: 40
+    - path: "labs/lab-01-iam/how-to-guides/add-user-to-docker-group.md"
+      provides: "Procedure for adding user to docker group"
+      min_lines: 30
+    - path: "labs/lab-01-iam/how-to-guides/verify-non-root-container.md"
+      provides: "Non-root container verification procedure"
+      min_lines: 25
+    - path: "labs/lab-01-iam/how-to-guides/reset-docker-permissions.md"
+      provides: "Permission reset procedure"
+      min_lines: 30
+    - path: "labs/lab-01-iam/reference/docker-socket-permissions.md"
+      provides: "Docker socket technical specifications"
+      min_lines: 40
+    - path: "labs/lab-01-iam/reference/linux-users-groups.md"
+      provides: "Linux user management reference"
+      min_lines: 40
+    - path: "labs/lab-01-iam/reference/iam-parallels.md"
+      provides: "IAM parallelism quick reference"
+      min_lines: 30
+    - path: "labs/lab-01-iam/explanation/docker-iam-parallels.md"
+      provides: "Conceptual mapping between Docker and IAM"
+      min_lines: 80
+  key_links:
+    - from: "tutorial/*.md"
+      to: "how-to-guides/*.md, reference/*.md"
+      via: "Cross-references for deeper dives"
+      pattern: "\\[.*\\]\\(\\../how-to-guides/.*\\)"
+    - from: "explanation/docker-iam-parallels.md"
+      to: "reference/iam-parallels.md"
+      via: "Quick reference table for concepts"
+      pattern: "See \\[.*\\]\\(\\../reference/iam-parallels.md\\)"
+---
+
+<objective>
+Create complete Diátaxis documentation (Tutorial, How-to Guides, Reference, Explanation) for Lab 01 - IAM & Sicurezza. Students learn Linux user management and Docker permissions through step-by-step tutorials, with supporting documentation for procedures and technical specs.
+
+Purpose: Teach IAM concepts through local Linux user management and Docker socket permissions, drawing direct parallels to AWS IAM.
+Output: 10 documentation files covering all 4 Diátaxis quadrants.
+</objective>
+
+<execution_context>
+@/home/luca/.claude/get-shit-done/workflows/execute-plan.md
+@/home/luca/.claude/get-shit-done/templates/summary.md
+</execution_context>
+
+<context>
+@.planning/PROJECT.md
+@.planning/ROADMAP.md
+@.planning/STATE.md
+@.planning/phases/02-lab-01-iam-sicurezza/02-RESEARCH.md
+@.planning/phases/02-lab-01-iam-sicurezza/02-VALIDATION.md
+@CLAUDE.md
+
+# Diátaxis Framework from CLAUDE.md
+
+## 2.1 Output Didattico a 4 Quadranti
+1. **Tutorials:** Guida passo-passo incrementale (*little often*) per guidare l'allievo.
+2. **How-to Guides:** Procedure specifiche (es. "Come generare chiavi SSH", "Come ripulire i volumi Docker").
+3. **Reference:** Specifiche tecniche nude e crude (mappe IP, tabelle porte esposte, spiegazione direttive `docker-compose`).
+4. **Explanation:** Il raccordo concettuale (parallelismo tra l'ambiente locale simulato e i veri servizi Cloud managed).
+
+## IAM Parallels from RESEARCH.md
+
+| Concepto Linux | AWS IAM Equivalente | Spiegazione |
+|----------------|---------------------|-------------|
+| Utente Linux (`student1`) | IAM User | Identità che può autenticarsi |
+| Gruppo Linux (`docker`) | IAM Group | Collezione di utenti con stessi permessi |
+| Permessi file/socket | IAM Policy | Regole che definiscono cosa è permesso |
+| `/var/run/docker.sock` | Service Endpoint | Risorsa protetta da controlli accesso |
+| `sudo` elevation | IAM Role Assumption | Temporanea elevazione privilegi |
+
+## Common Pitfalls from RESEARCH.md
+- Group membership requires re-login (use `newgrp docker` OR `su - user`)
+- Testing as wrong user (root bypasses permissions)
+- Socket permissions may change after Docker daemon restart
+
+## Tone Guidelines
+- Direct, simple language (Italian)
+- No emojis
+- Technically accurate
+- Step-by-step with verification at each step
+</context>
+
+<tasks>
+
+<task type="auto">
+  <name>Task 1: Create Tutorial - Part 1: Linux Users</name>
+  <files>labs/lab-01-iam/tutorial/01-create-linux-users.md</files>
+  <action>
+Create tutorial following Diátaxis framework - step-by-step, incremental, with verification:
+
+```markdown
+# Tutorial: Creare Utenti Linux per il Lab IAM
+
+In questo tutorial creerai utenti Linux con permessi limitati per simulare utenti IAM in un ambiente cloud. Imparerai a creare utenti, verificare i permessi e gestire l'appartenenza ai gruppi.
+
+## Obiettivo
+Creare un utente Linux `lab01_student` che non ha accesso iniziale a Docker, simulando un utente cloud senza permessi.
+
+## Prerequisiti
+- Accesso a un terminale Linux con privilegi sudo
+- Docker Engine installato e in esecuzione
+- Comandi base: `useradd`, `groups`, `id`
+
+---
+
+## Passo 1: Verifica l'ambiente
+
+Prima di creare utenti, verifichiamo che l'ambiente sia pronto.
+
+Esegui:
+```bash
+# Verifica che Docker sia in esecuzione
+sudo systemctl status docker
+
+# Verifica che il gruppo docker esista
+getent group docker
+```
+
+Atteso:
+- Docker deve essere "active (running)"
+- Il gruppo docker deve essere mostrato
+
+Se qualcosa non funziona, consulta [Troubleshooting](#troubleshooting).
+
+---
+
+## Passo 2: Crea un nuovo utente Linux
+
+Creiamo un utente che simulerà un utente cloud senza permessi IAM.
+
+Esegui:
+```bash
+# Crea l'utente lab01_student
+sudo useradd -m -s /bin/bash lab01_student
+
+# Verifica che l'utente sia stato creato
+id lab01_student
+```
+
+Atteso:
+```
+uid=1001(lab01_student) gid=1001(lab01_student) gruppi=1001(lab01_student)
+```
+
+Spiegazione:
+- `-m` crea la home directory
+- `-s /bin/bash` imposta la shell di default
+- L'utente ha solo il proprio gruppo iniziale
+
+---
+
+## Passo 3: Verifica i gruppi dell'utente
+
+Controlliamo a quali gruppi appartiene l'utente.
+
+Esegui:
+```bash
+groups lab01_student
+```
+
+Atteso:
+```
+lab01_student : lab01_student
+```
+
+Nota: L'utente NON è nel gruppo `docker`. Questo è corretto simuliamo un utente senza permessi.
+
+---
+
+## Passo 4: Verifica che l'utente NON può accedere a Docker
+
+Prova a eseguire un comando Docker come l'utente `lab01_student`.
+
+Esegui:
+```bash
+# Esegui docker ps come lab01_student
+sudo -u lab01_student docker ps
+```
+
+Atteso:
+```
+permission denied while trying to connect to the Docker daemon socket
+```
+
+Questo è il comportamento corretto! L'utente non ha ancora permessi Docker.
+
+---
+
+## Passo 5: Imposta una password per l'utente (opzionale)
+
+Se vuoi poter fare login come questo utente:
+
+Esegui:
+```bash
+sudo passwd lab01_student
+```
+
+Inserisci una password quando richiesto.
+
+---
+
+## Verifica
+
+Hai completato questo tutorial quando:
+- [ ] L'utente `lab01_student` esiste
+- [ ] L'utente NON è nel gruppo docker
+- [ ] L'utente NON può eseguire comandi docker
+- [ ] Il comando `groups lab01_student` mostra solo il proprio gruppo
+
+## Prossimo Passo
+
+Nel [prossimo tutorial](./02-docker-group-permissions.md) imparerai a dare permessi Docker all'utente tramite i gruppi.
+
+---
+
+## Troubleshooting
+
+**Problema: `useradd: user 'lab01_student' already exists`**
+
+Soluzione:
+```bash
+# Elimina l'utente esistente e ricrealo
+sudo userdel -r lab01_student
+sudo useradd -m -s /bin/bash lab01_student
+```
+
+**Problema: Docker non è in esecuzione**
+
+Soluzione:
+```bash
+sudo systemctl start docker
+sudo systemctl enable docker
+```
+
+**Problema: Il gruppo docker non esiste**
+
+Soluzione:
+```bash
+sudo groupadd docker
+```
+```
+
+Key points:
+- Step-by-step with verification after each step
+- "Little often" - small steps, frequent verification
+- Clear expected output
+- Troubleshooting section
+- Links to next tutorial
+  </action>
+  <verify>
+    <automated>test -f labs/lab-01-iam/tutorial/01-create-linux-users.md && grep -q "Passo 1\|Passo 2\|Passo 3" labs/lab-01-iam/tutorial/01-create-linux-users.md && wc -l labs/lab-01-iam/tutorial/01-create-linux-users.md | awk '{if($1>=60) print "PASS"; else print "FAIL: Tutorial too short ("$1" lines, expected 60+)"}'</automated>
+  </verify>
+  <done>Tutorial Part 1 created with step-by-step user creation guide</done>
+</task>
+
+<task type="auto">
+  <name>Task 2: Create Tutorial - Part 2: Docker Group Permissions</name>
+  <files>labs/lab-01-iam/tutorial/02-docker-group-permissions.md</files>
+  <action>
+Create second tutorial covering Docker group permissions:
+
+```markdown
+# Tutorial: Permessi Docker tramite Gruppi Linux
+
+In questo tutorial imparerai come dare permessi Docker a un utente tramite l'appartenenza al gruppo `docker`. Questo simula l'assegnazione di policy IAM a un utente cloud.
+
+## Obiettivo
+Aggiungere l'utente `lab01_student` al gruppo `docker`, permettendo l'accesso al socket Docker.
+
+## Prerequisiti
+- Completato [Tutorial 1: Creare Utenti Linux](./01-create-linux-users.md)
+- L'utente `lab01_student` esiste e NON è nel gruppo docker
+
+---
+
+## Passo 1: Verifica lo stato corrente
+
+Prima di modificare i permessi, verifichiamo lo stato attuale.
+
+Esegui:
+```bash
+# Verifica i gruppi dell'utente
+groups lab01_student
+
+# Verifica i permessi del socket Docker
+ls -l /var/run/docker.sock
+```
+
+Atteso:
+- `groups` mostra solo `lab01_student` (NON docker)
+- Il socket Docker ha permessi `srw-rw----` ed è di proprietà `root:docker`
+
+Spiegazione: Il socket Docker (`/var/run/docker.sock`) è accessibile solo a `root` e ai membri del gruppo `docker`.
+
+---
+
+## Passo 2: Aggiungi l'utente al gruppo docker
+
+Ora aggiungiamo l'utente al gruppo per dargli accesso Docker.
+
+Esegui:
+```bash
+# Aggiungi lab01_student al gruppo docker
+sudo usermod -aG docker lab01_student
+
+# Verifica l'appartenenza al gruppo
+groups lab01_student
+```
+
+Atteso:
+```
+lab01_student : lab01_student docker
+```
+
+Nota: Il gruppo `docker` ora appare nell'elenco!
+
+Spiegazione:
+- `-aG` significa "append" (aggiunge senza rimuovere altri gruppi) e "group" (modifica i gruppi)
+- Questo è equivalente ad assegnare una policy IAM a un utente cloud
+
+---
+
+## Passo 3: Importante - Login necessario
+
+I gruppi vengono valutati al momento del login. La sessione corrente dell'utente non vedrà ancora il nuovo gruppo.
+
+Per verificare il gruppo membership (senza dover fare login):
+```bash
+# Questo mostra i gruppi anche se non sono ancora attivi nella sessione
+groups lab01_student
+```
+
+Per rendere attivi i nuovi gruppi, l'utente deve fare una di queste operazioni:
+1. Fare logout e login
+2. Eseguire `newgrp docker`
+3. Eseguire `su - lab01_student`
+
+---
+
+## Passo 4: Verifica l'accesso Docker
+
+Ora verifichiamo che l'utente può accedere a Docker.
+
+Esegui:
+```bash
+# Metodo 1: Usa newgrp per attivare il gruppo nella sessione corrente
+sudo -u lab01_student -i docker ps
+```
+
+Atteso:
+```
+CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
+```
+
+Il comando funziona! L'utente ora ha accesso Docker.
+
+---
+
+## Passo 5: Verifica con un container di test
+
+Facciamo partire un container semplice per confermare che tutto funziona.
+
+Esegui:
+```bash
+# Esegui un container Alpine come lab01_student
+sudo -u lab01_student -i docker run --rm alpine:3.19 whoami
+```
+
+Atteso:
+```
+root
+```
+
+Nota: Il container mostra "root" perché questo è l'utente di default DENTRO il container (non è l'utente che ha lanciato il comando). Nel [Tutorial 3](./03-verify-iam-setup.md) imparerai a far girare i container come utente non-root.
+
+---
+
+## Parallelismo con AWS IAM
+
+| Operazione Locale | AWS IAM Equivalente |
+|-------------------|---------------------|
+| `usermod -aG docker user` | `AttachUserPolicy` o `AddUserToGroup` |
+| Utente nel gruppo `docker` | Utente IAM con policy permessive |
+| Accesso al socket Docker | Accesso alle API AWS |
+
+---
+
+## Verifica
+
+Hai completato questo tutorial quando:
+- [ ] L'utente `lab01_student` è nel gruppo docker
+- [ ] L'utente può eseguire `docker ps`
+- [ ] L'utente può fare partire container
+- [ ] Capisci il parallelismo con IAM User + Policy
+
+## Prossimo Passo
+
+Nel [prossimo tutorial](./03-verify-iam-setup.md) imparerai a verificare l'intera configurazione e a far girare container non-root.
+
+---
+
+## Troubleshooting
+
+**Problema: L'utente non può ancora eseguire docker ps**
+
+Soluzione 1: Verifica di aver usato `sudo -u lab01_student -i`
+```bash
+# Il flag -i è importante per caricare l'ambiente corretto
+sudo -u lab01_student -i docker ps
+```
+
+Soluzione 2: Verifica che l'utente sia nel gruppo
+```bash
+groups lab01_student
+# Se non vedi "docker", ripeti il Passo 2
+```
+
+**Problema: Il socket Docker ha permessi errati**
+
+Soluzione:
+```bash
+# Correggi i permessi del socket
+sudo chmod 660 /var/run/docker.sock
+sudo chown root:docker /var/run/docker.sock
+```
+
+**Problema: `usermod: user 'lab01_student' does not exist`**
+
+Soluzione: Prima crea l'utente seguendo il [Tutorial 1](./01-create-linux-users.md).
+```
+
+Key points:
+- Explain the group membership evaluation timing issue
+- Show parallelism with AWS IAM
+- Multiple troubleshooting scenarios
+- Clear verification steps
+  </action>
+  <verify>
+    <automated>test -f labs/lab-01-iam/tutorial/02-docker-group-permissions.md && grep -q "IAM\|AWS\|Parallelismo" labs/lab-01-iam/tutorial/02-docker-group-permissions.md && wc -l labs/lab-01-iam/tutorial/02-docker-group-permissions.md | awk '{if($1>=60) print "PASS"; else print "FAIL: Tutorial too short ("$1" lines, expected 60+)"}'</automated>
+  </verify>
+  <done>Tutorial Part 2 created with Docker group permissions guide</done>
+</task>
+
+<task type="auto">
+  <name>Task 3: Create Tutorial - Part 3: Verification and Non-Root Containers</name>
+  <files>labs/lab-01-iam/tutorial/03-verify-iam-setup.md</files>
+  <action>
+Create third tutorial covering verification and non-root containers:
+
+```markdown
+# Tutorial: Verifica Configurazione IAM e Container Non-Root
+
+In questo tutorial verificherai l'intera configurazione IAM e imparerai a far girare container come utente non-root, seguendo il principio del minimo privilegio.
+
+## Obiettivo
+Verificare che la configurazione IAM funzioni e far girare container come utente non-root (INF-01).
+
+## Prerequisiti
+- Completati [Tutorial 1](./01-create-linux-users.md) e [Tutorial 2](./02-docker-group-permissions.md)
+- L'utente `lab01_student` esiste ed è nel gruppo docker
+
+---
+
+## Passo 1: Esegui lo script di verifica
+
+Il lab include uno script automatizzato per verificare tutto.
+
+Esegui:
+```bash
+bash labs/lab-01-iam/tests/99-final-verification.sh
+```
+
+Questo comando controllerà:
+1. Configurazione utenti e gruppi
+2. Accesso Docker
+3. Esecuzione container non-root
+4. Documentazione completa
+5. Parallelismi IAM
+
+Se tutti i check sono verdi, sei pronto per procedere!
+
+---
+
+## Passo 2: Verifica manuale - Accesso Docker
+
+Verifichiamo manualmente che l'utente possa accedere a Docker.
+
+Esegui:
+```bash
+# Verifica che docker ps funzioni
+sudo -u lab01_student -i docker ps
+
+# Verifica informazioni sul sistema Docker
+sudo -u lab01_student -i docker info
+```
+
+Entrambi i comandi dovrebbero funzionare senza errori.
+
+---
+
+## Passo 3: Crea un container NON-ROOT
+
+Ora creiamo un container che gira come utente non-root, seguendo il principio del minimo privilegio.
+
+Esegui:
+```bash
+cd labs/lab-01-iam
+
+# Crea un Dockerfile di test
+cat > Dockerfile.test << 'EOF'
+FROM alpine:3.19
+
+# Crea un utente non-root
+RUN addgroup -g 1000 appgroup && \
+    adduser -D -u 1000 -G appgroup appuser
+
+# Passa all'utente non-root
+USER appuser
+
+# Verifica che il container gira come appuser
+CMD ["sh", "-c", "whoami && sleep 3600"]
+EOF
+```
+
+Spiegazione:
+- Creiamo un utente `appuser` con UID 1000
+- Passiamo a questo utente con `USER`
+- Il container ora girerà come `appuser`, non come `root`
+
+---
+
+## Passo 4: Build e run del container
+
+Ora costruiamo e facciamo partire il container.
+
+Esegui:
+```bash
+# Costruisci l'immagine
+sudo -u lab01_student -i docker build -f Dockerfile.test -t test-non-root .
+
+# Fai partire il container
+sudo -u lab01_student -i docker run --name lab01-test-container -d test-non-root
+```
+
+Atteso:
+- Build completa senza errori
+- Container ID viene mostrato
+
+---
+
+## Passo 5: Verifica che il container NON gira come root
+
+Verifichiamo l'utente del container in tre modi.
+
+Esegui:
+```bash
+# Metodo 1: docker exec whoami
+docker exec lab01-test-container whoami
+```
+
+Atteso:
+```
+appuser
+```
+
+Esegui:
+```bash
+# Metodo 2: docker inspect
+docker inspect lab01-test-container --format='{{.Config.User}}'
+```
+
+Atteso:
+```
+appuser
+```
+
+Esegui:
+```bash
+# Metodo 3: docker top (mostra il processo sull'host)
+docker top lab01-test-container
+```
+
+Atteso:
+- La colonna USER mostra `1000` (non `0`)
+
+---
+
+## Passo 6: Verifica INF-01 - Nessun container root
+
+Il requisito INF-01 richiede che NESSUN container giri come root.
+
+Esegui:
+```bash
+bash labs/lab-01-iam/tests/03-non-root-test.sh
+```
+
+Questo script verificherà tutti i container e garantirà che nessuno giri come root.
+
+---
+
+## Passo 7: Pulisci il container di test
+
+Dopo aver verificato, puliamo il container di test.
+
+Esegui:
+```bash
+# Ferma e rimuovi il container
+docker stop lab01-test-container
+docker rm lab01-test-container
+
+# Rimuovi l'immagine
+docker rmi test-non-root
+```
+
+---
+
+## Principio del Minimo Privilegio
+
+Perché NON usare root nei container?
+
+| Rischio Root | Mitigazione Non-Root |
+|--------------|----------------------|
+| Container compromesso = host compromesso | Utente limitato = danno contenuto |
+| Container può leggere/scrivere qualsiasi file sull'host | Container può solo accedere ai suoi file |
+| Escalation privilegi possibile | Privilegi già limitati |
+
+Questo è lo stesso principio di IAM in cloud: dai solo i permessi minimi necessari.
+
+---
+
+## Verifica
+
+Hai completato questo tutorial quando:
+- [ ] Lo script di verifica passa senza errori
+- [ ] Il container di test gira come utente non-root
+- [ ] Tutti e tre i metodi di verifica mostrano lo stesso utente non-root
+- [ ] Capisci perché INF-01 è importante per la sicurezza
+
+---
+
+## Troubleshooting
+
+**Problema: `docker exec` mostra "root"**
+
+Soluzione: Verifica che il Dockerfile abbia la direttiva `USER`
+```bash
+# Verifica che USER sia nel Dockerfile
+grep USER Dockerfile.test
+# Dovrebbe mostrare: USER appuser
+```
+
+**Problema: `docker top` mostra UID 0**
+
+Soluzione: Il container potrebbe essere stato configurato con docker-compose. Verifica:
+```bash
+# Verifica la direttiva user in docker-compose
+grep -A 5 "user:" labs/lab-01-iam/docker-compose.yml
+```
+
+**Problema: Il test INF-01 fallisce**
+
+Soluzione: Assicurati che TUTTI i container abbiano la direttiva USER o user:
+```bash
+# Controlla tutti i container
+docker ps --format "{{.Names}}" | xargs -I {} sh -c 'echo "Container: {}" && docker inspect --format="{{.Config.User}}" {}'
+```
+```
+
+Key points:
+- Multiple verification methods for non-root execution
+- Clear explanation of security principle
+- Automated test integration
+- Comprehensive troubleshooting
+  </action>
+  <verify>
+    <automated>test -f labs/lab-01-iam/tutorial/03-verify-iam-setup.md && grep -q "INF-01\|minimo privilegio\|non-root" labs/lab-01-iam/tutorial/03-verify-iam-setup.md && wc -l labs/lab-01-iam/tutorial/03-verify-iam-setup.md | awk '{if($1>=40) print "PASS"; else print "FAIL: Tutorial too short ("$1" lines, expected 40+)"}'</automated>
+  </verify>
+  <done>Tutorial Part 3 created with verification and non-root container guide</done>
+</task>
+
+<task type="auto">
+  <name>Task 4: Create How-to Guides</name>
+  <files>labs/lab-01-iam/how-to-guides/add-user-to-docker-group.md, labs/lab-01-iam/how-to-guides/verify-non-root-container.md, labs/lab-01-iam/how-to-guides/reset-docker-permissions.md</files>
+  <action>
+Create three how-to guides for common procedures:
+
+**File 1: labs/lab-01-iam/how-to-guides/add-user-to-docker-group.md**
+```markdown
+# How-To: Aggiungere un Utente al Gruppo Docker
+
+Guida rapida per aggiungere un utente Linux al gruppo Docker e dargli accesso al socket.
+
+## Comando Rapido
+
+```bash
+# Aggiungi utente esistente al gruppo docker
+sudo usermod -aG docker nome_utente
+```
+
+## Verifica
+
+```bash
+# Verifica l'appartenenza al gruppo
+groups nome_utente
+
+# Verifica l'accesso docker
+sudo -u nome_utente -i docker ps
+```
+
+## Nota Importante
+
+I gruppi vengono valutati al login. Per attivare il nuovo gruppo immediatamente:
+
+```bash
+# Opzione 1: newgrp (attiva solo per questo comando)
+sudo -u nome_utente -i docker ps
+
+# Opzione 2: su - (nuova sessione login)
+su - nome_utente
+docker ps
+
+# Opzione 3: logout/login (sessione interattiva)
+```
+
+## Rimuovi Utente dal Gruppo Docker
+
+```bash
+# Rimuovi utente dal gruppo docker
+sudo gpasswd -d nome_utente docker
+
+# Oppure modifica i gruppi supplementari
+sudo usermod -G nome_utente nome_utente
+```
+
+## Vedi Anche
+
+- [Tutorial: Permessi Docker tramite Gruppi](../tutorial/02-docker-group-permissions.md)
+- [Reference: Permessi Socket Docker](../reference/docker-socket-permissions.md)
+```
+
+**File 2: labs/lab-01-iam/how-to-guides/verify-non-root-container.md**
+```markdown
+# How-To: Verificare che un Container Giri come Non-Root
+
+Guida rapida per verificare che un container non giri come utente root (requisito INF-01).
+
+## Metodo 1: docker exec whoami
+
+```bash
+docker exec <container_name> whoami
+```
+
+Se mostra `root`, il container NON è conforme a INF-01.
+
+## Metodo 2: docker inspect
+
+```bash
+docker inspect <container_name> --format='{{.Config.User}}'
+```
+
+- Se vuoto, il container gira come root (default)
+- Se mostra un UID/nome, il container gira come quell'utente
+
+## Metodo 3: docker top
+
+```bash
+docker top <container_name>
+```
+
+Guarda la colonna USER:
+- `0` o `root` = NON conforme
+- Altri UID (es. `1000`) = CONFORME
+
+## Verifica Tutti i Container
+
+```bash
+# Verifica tutti i container in esecuzione
+docker ps --format "{{.Names}}" | while read container; do
+    echo "Container: $container"
+    docker exec $container whoami 2>/dev/null || echo "N/A"
+done
+```
+
+## Verifica con docker-compose
+
+```bash
+# Verifica tutti i servizi nel compose file
+docker-compose ps --services | while read service; do
+    container=$(docker-compose ps -q $service)
+    echo "Service: $service, User: $(docker exec $container whoami)"
+done
+```
+
+## Vedi Anche
+
+- [Tutorial: Container Non-Root](../tutorial/03-verify-iam-setup.md)
+- [Test: Script Non-Root](../tests/03-non-root-test.sh)
+```
+
+**File 3: labs/lab-01-iam/how-to-guides/reset-docker-permissions.md**
+```markdown
+# How-To: Reset dei Permessi Docker
+
+Guida per ripristinare i permessi del socket Docker e risolvere problemi di accesso.
+
+## Reset dei Permessi del Socket
+
+```bash
+# Ferma il demone Docker
+sudo systemctl stop docker
+
+# Ripristina la proprietà del socket
+sudo chown root:docker /var/run/docker.sock
+
+# Ripristina i permessi (660 = rw-rw----)
+sudo chmod 660 /var/run/docker.sock
+
+# Riavvia Docker
+sudo systemctl start docker
+```
+
+## Verifica
+
+```bash
+# Verifica i permessi del socket
+ls -l /var/run/docker.sock
+```
+
+Atteso: `srw-rw---- 1 root docker ...`
+
+## Ricrea il Gruppo Docker
+
+Se il gruppo docker è stato eliminato:
+
+```bash
+# Crea il gruppo docker
+sudo groupadd docker
+
+# Riavvia Docker per assicurarti che il socket appartenga al gruppo
+sudo systemctl restart docker
+```
+
+## Risoluzione Problemi Comuni
+
+### Problema: "Got permission denied while trying to connect"
+
+**Causa:** Utente non nel gruppo docker o permessi socket errati
+
+**Soluzione:**
+```bash
+# Verifica gruppi utente
+groups $USER
+
+# Aggiungi al gruppo se necessario
+sudo usermod -aG docker $USER
+
+# Verifica permessi socket
+ls -l /var/run/docker.sock
+
+# Correggi se necessario
+sudo chmod 660 /var/run/docker.sock
+sudo chown root:docker /var/run/docker.sock
+```
+
+### Problema: Socket non esiste
+
+**Causa:** Docker non è in esecuzione
+
+**Soluzione:**
+```bash
+# Avvia Docker
+sudo systemctl start docker
+
+# Verifica che il socket sia stato creato
+ls -l /var/run/docker.sock
+```
+
+### Problema: Group membership non attiva
+
+**Causa:** I gruppi vengono valutati al login
+
+**Soluzione:**
+```bash
+# Attiva il gruppo per la sessione corrente
+newgrp docker
+
+# Oppure fai login di nuovo
+su - $USER
+```
+
+## Reset Completo dell'Ambiente
+
+Per reset completo dell'ambiente Docker tra i lab:
+
+```bash
+# Usa lo script di reset
+bash scripts/reset-env.sh
+
+# Oppure reset manuale
+docker stop $(docker ps -aq)
+docker rm $(docker ps -aq)
+docker system prune -a
+```
+
+## Vedi Anche
+
+- [How-To: Ambiente Reset](../../how-to-guides/reset-docker-environment.md)
+- [Tutorial: Permessi Docker](../tutorial/02-docker-group-permissions.md)
+```
+
+Key points:
+- Procedure-focused, not step-by-step learning
+- Command-first structure
+- Links to tutorials and reference
+- Troubleshooting common issues
+  </action>
+  <verify>
+    <automated>test -f labs/lab-01-iam/how-to-guides/add-user-to-docker-group.md && test -f labs/lab-01-iam/how-to-guides/verify-non-root-container.md && test -f labs/lab-01-iam/how-to-guides/reset-docker-permissions.md && grep -q "##" labs/lab-01-iam/how-to-guides/*.md | wc -l | awk '{if($1>=9) print "PASS"; else print "FAIL: How-to guides need more sections"}'</automated>
+  </verify>
+  <done>Three how-to guides created for common procedures</done>
+</task>
+
+<task type="auto">
+  <name>Task 5: Create Reference Documents</name>
+  <files>labs/lab-01-iam/reference/docker-socket-permissions.md, labs/lab-01-iam/reference/linux-users-groups.md, labs/lab-01-iam/reference/iam-parallels.md</files>
+  <action>
+Create three reference documents with technical specifications:
+
+**File 1: labs/lab-01-iam/reference/docker-socket-permissions.md**
+```markdown
+# Reference: Permessi del Socket Docker
+
+Specifiche tecniche del socket Docker Unix domain socket e controllo accessi.
+
+## Percorso del Socket
+
+```
+/var/run/docker.sock
+```
+
+## Permessi Standard
+
+```
+srw-rw---- 1 root docker 0 Mar 24 20:00 /var/run/docker.sock
+```
+
+| Campo | Valore | Significato |
+|-------|--------|-------------|
+| Tipo | `s` | Socket Unix domain |
+| Permessi | `rw-rw----` (660) | Owner e gruppo possono leggere/scrivere |
+| Owner | `root` | Il demone Docker gira come root |
+| Gruppo | `docker` | Membri del gruppo docker possono accedere |
+| Altro | `---` | Nessun altro permesso |
+
+## Controllo Accessi
+
+L'accesso al socket è controllato dai permessi file system standard Linux:
+
+### Chi puo accedere?
+
+| Utente | Accesso | Motivo |
+|--------|---------|--------|
+| root | Si | Proprietario del socket |
+| Membri del gruppo docker | Si | Permesso gruppo (rw) |
+| Altri utenti | No | Nessun permesso |
+
+### Verifica Permessi
+
+```bash
+# Mostra permessi dettagliati
+stat -c "%a %U %G %n" /var/run/docker.sock
+# Output: 660 root docker /var/run/docker.sock
+
+# Verifica gruppo del socket
+stat -c "%G" /var/run/docker.sock
+# Output: docker
+
+# Verifica proprietario
+stat -c "%U" /var/run/docker.sock
+# Output: root
+```
+
+## Modifica Permessi
+
+```bash
+# Modifica permessi (non raccomandato: 666 permette accesso a tutti)
+sudo chmod 660 /var/run/docker.sock
+
+# Modifica gruppo
+sudo chown root:docker /var/run/docker.sock
+
+# Modifica proprietario (non raccomandato)
+sudo chown $USER /var/run/docker.sock
+```
+
+⚠️ **WARNING:** Non usare mai `chmod 666` o `777` sul socket Docker. Questo elimina tutti i controlli di accesso.
+
+## Docker Daemon e Socket
+
+### Allocazione Socket
+
+Il demone Docker crea il socket all'avvio:
+
+```bash
+# Avvia demone (crea/ricrea socket)
+sudo systemctl start docker
+
+# Riavvia per ripristinare permessi
+sudo systemctl restart docker
+```
+
+### Rootless Docker
+
+Con rootless Docker, il socket si trova in:
+
+```
+$XDG_RUNTIME_DIR/docker.sock
+# Tipicamente: /run/user/1000/docker.sock
+```
+
+## Troubleshooting
+
+| Problema | Diagnosi | Soluzione |
+|----------|----------|-----------|
+| Permission denied | Utente non in gruppo docker | `sudo usermod -aG docker $USER` |
+| Socket non trovato | Docker non in esecuzione | `sudo systemctl start docker` |
+| Permessi errati | chmod eseguito sul socket | `sudo systemctl restart docker` |
+| Gruppo errato | Chown sul socket | `sudo chown root:docker /var/run/docker.sock` |
+
+## Comandi Rapidi
+
+```bash
+# Verifica permessi attuali
+ls -l /var/run/docker.sock
+
+# Verifica chi puo accedere
+namei -l /var/run/docker.sock
+
+# Trova processi con handle al socket
+sudo lsof /var/run/docker.sock
+```
+
+## Vedi Anche
+
+- [Reference: Utenti e Gruppi Linux](./linux-users-groups.md)
+- [Explanation: Parallelismi IAM](../explanation/docker-iam-parallels.md)
+```
+
+**File 2: labs/lab-01-iam/reference/linux-users-groups.md**
+```markdown
+# Reference: Utenti e Gruppi Linux
+
+Specifiche tecniche per la gestione utenti e gruppi in Linux per il lab IAM.
+
+## Comandi Utente
+
+### useradd - Crea utente
+
+```bash
+sudo useradd -m -s /bin/bash nome_utente
+```
+
+| Flag | Significato |
+|------|-------------|
+| `-m` | Crea home directory |
+| `-s /bin/bash` | Imposta shell di login |
+| `-G group1,group2` | Aggiunge a gruppi supplementari |
+| `-u 1000` | Specifica UID |
+
+### usermod - Modifica utente
+
+```bash
+# Aggiungi a gruppo (append)
+sudo usermod -aG docker nome_utente
+
+# Modifica shell
+sudo usermod -s /bin/zsh nome_utente
+
+# Modifica gruppi supplementari (sovrascrive)
+sudo usermod -G docker,nome_utente nome_utente
+```
+
+⚠️ **IMPORTANTE:** Usa `-aG` (append) per aggiungere a un gruppo senza rimuovere gli altri.
+
+### userdel - Elimina utente
+
+```bash
+# Elimina utente (mantieni home)
+sudo userdel nome_utente
+
+# Elimina utente e home directory
+sudo userdel -r nome_utente
+```
+
+### passwd - Imposta password
+
+```bash
+# Imposta password per utente
+sudo passwd nome_utente
+
+# Cambia la tua password
+passwd
+```
+
+## Comandi Gruppo
+
+### groupadd - Crea gruppo
+
+```bash
+sudo groupadd docker
+```
+
+### groupmod - Modifica gruppo
+
+```bash
+# Rinomina gruppo
+sudo groupmod -n nuovo_nome vecchio_nome
+
+# Modifica GID
+sudo groupmod -g 1001 docker
+```
+
+### gpasswd - Gestisci membri gruppo
+
+```bash
+# Aggiungi utente al gruppo
+sudo gpasswd -a utente gruppo
+
+# Rimuovi utente dal gruppo
+sudo gpasswd -d utente gruppo
+
+# Imposta amministratori gruppo
+sudo gpasswd -A utente1,utente2 gruppo
+```
+
+### groupdel - Elimina gruppo
+
+```bash
+sudo groupdelete docker
+```
+
+## Comandi Informazione
+
+### id - Mostra info utente
+
+```bash
+# Mostra UID, GID e gruppi dell'utente corrente
+id
+
+# Mostra info di un utente specifico
+id nome_utente
+
+# Solo UID
+id -u nome_utente
+
+# Solo gruppi
+id -G nome_utente
+```
+
+Output esempio:
+```
+uid=1001(lab01_student) gid=1001(lab01_student) groups=1001(lab01_student),999(docker)
+```
+
+### groups - Mostra gruppi utente
+
+```bash
+# Gruppi dell'utente corrente
+groups
+
+# Gruppi di un utente specifico
+groups nome_utente
+```
+
+### getent - Query database di sistema
+
+```bash
+# Verifica che un gruppo esista
+getent group docker
+
+# Output: docker:x:999:utente1,utente2
+#        nome:x:GID:lista_membri
+
+# Verifica che un utente esista
+getent passwd nome_utente
+
+# Output: nome_utente:x:1001:1001:,,,:/home/nome_utente:/bin/bash
+#         nome:x:UID:GID:commento:home:shell
+```
+
+## File di Configurazione
+
+### /etc/passwd
+
+```bash
+# Visualizza tutti gli utenti
+cat /etc/passwd
+
+# Aggiungi utente manualmente (non raccomandato)
+echo "utente:x:1001:1001::/home/utente:/bin/bash" | sudo tee -a /etc/passwd
+```
+
+Formato:
+```
+username:x:UID:GID:commento:home:shell
+```
+
+### /etc/group
+
+```bash
+# Visualizza tutti i gruppi
+cat /etc/group
+
+# Aggiungi gruppo manualmente
+echo "docker:x:999:utente1,utente2" | sudo tee -a /etc/group
+```
+
+Formato:
+```
+gruppo:x:GID:lista_membri
+```
+
+### /etc/shadow
+
+```bash
+# Password e scadenza (richiede root)
+sudo cat /etc/shadow
+```
+
+## Valutazione Gruppi al Login
+
+I gruppi vengono valutati quando l'utente fa login:
+
+| Momento | Gruppi Valutati |
+|---------|-----------------|
+| Avvio sistema | No |
+| Login interattivo | Si |
+| `su - utente` | Si (nuovo login) |
+| `newgrp group` | Si (solo sessione corrente) |
+| `sudo -u utente cmd` | No (gruppi dell'utente originale) |
+| Aggiunta gruppo con usermod | No (fino al prossimo login) |
+
+## UID/GID Standard
+
+| UID/GID | Utente/Gruppo |
+|---------|---------------|
+| 0 | root |
+| 1-999 | Utenti di sistema |
+| 1000-60000 | Utenti normali |
+| 999 | docker (tipico) |
+
+## Comandi Rapidi
+
+```bash
+# Lista tutti gli utenti umani
+cat /etc/passwd | grep ':[1-9][0-9][0-9][0-9]:'
+
+# Lista tutti i gruppi
+cat /etc/group | cut -d: -f1
+
+# Utenti in un gruppo
+members gruppo
+# Oppure:
+getent group gruppo | cut -d: -f4
+```
+
+## Vedi Anche
+
+- [Reference: Permessi Socket Docker](./docker-socket-permissions.md)
+- [How-To: Aggiungi Utente al Gruppo Docker](../how-to-guides/add-user-to-docker-group.md)
+```
+
+**File 3: labs/lab-01-iam/reference/iam-parallels.md**
+```markdown
+# Reference: Parallelismi Docker e AWS IAM
+
+Tabella di riferimento rapido per i parallelismi tra concetti Docker/Linux e AWS IAM.
+
+## Tabella Parallelismi
+
+| Concetto Locale | AWS IAM Equivalente | Descrizione |
+|-----------------|---------------------|-------------|
+| Utente Linux (`student1`) | IAM User | Identità che può autenticarsi |
+| Gruppo Linux (`docker`) | IAM Group | Collezione di utenti con stessi permessi |
+| Permessi file/socket | IAM Policy | Regole che definiscono cosa è permesso |
+| `/var/run/docker.sock` | Service Endpoint | Risorsa protetta da controlli accesso |
+| `sudo` elevation | IAM Role Assumption | Temporanea elevazione privilegi |
+| `usermod -aG docker` | `AttachUserPolicy` | Assegna permessi a utente |
+| Appartenenza gruppo `docker` | Policy attachment | Permessi attivi per utente |
+
+## Comandi a Confronto
+
+### Creazione Utente
+
+| Operazione Locale | Comando AWS |
+|-------------------|-------------|
+| `sudo useradd -m user` | `aws iam create-user --user-name user` |
+| `sudo passwd user` | `aws iam create-login-profile --user-name user --password Pass123!` |
+
+### Gestione Permessi
+
+| Operazione Locale | Comando AWS |
+|-------------------|-------------|
+| `sudo usermod -aG docker user` | `aws iam attach-user-policy --user-name user --policy-arn arn:aws:iam::aws:policy/PowerUserAccess` |
+| `sudo gpasswd -d user docker` | `aws iam detach-user-policy --user-name user --policy-arn arn:aws:iam::aws:policy/PowerUserAccess` |
+
+### Verifica Permessi
+
+| Operazione Locale | Comando AWS |
+|-------------------|-------------|
+| `groups user` | `aws iam list-attached-user-policies --user-name user` |
+| `id user` | `aws iam get-user --user-name user` |
+| `sudo -u user docker ps` | `aws sts get-caller-identity` |
+
+### Elevazione Privilegi
+
+| Operazione Locale | Comando AWS |
+|-------------------|-------------|
+| `sudo command` | Assumere IAM Role |
+| `su - root` | `aws sts assume-role` |
+
+## Differenze Chiave
+
+| Aspetto | Locale | Cloud AWS |
+|---------|--------|-----------|
+| Autenticazione | Password, SSH key | Access key, Secret key, Session token |
+| Autorizzazione | Gruppi Linux, permessi file | IAM Policies, JSON document |
+| Scope | Singolo host | Account AWS intero |
+| Audit | `last`, `/var/log/auth.log` | CloudTrail |
+| MFA | Non disponibile | Disponibile |
+
+## Modelli di Policy
+
+### Modello Allow
+
+**Locale:**
+```bash
+# Utente nel gruppo docker puo accedere al socket
+sudo usermod -aG docker utente
+```
+
+**AWS:**
+```json
+{
+  "Effect": "Allow",
+  "Action": "docker:*",
+  "Resource": "*"
+}
+```
+
+### Modello Deny
+
+**Locale:**
+```bash
+# Utente NON nel gruppo docker non puo accedere
+# (default deny)
+```
+
+**AWS:**
+```json
+{
+  "Effect": "Deny",
+  "Action": "docker:*",
+  "Resource": "*"
+}
+```
+
+## Best Practices Comuni
+
+| Best Practice | Locale | Cloud |
+|---------------|--------|-------|
+| Minimo privilegio | Utenti non-root | IAM Policies restrittive |
+| Separazione doveri | Gruppi distinti | Gruppi IAM distinti |
+| Audit logging | auth.log | CloudTrail |
+| Rotazione credenziali | `chage` | Rotate access keys |
+
+## Comandi Utili
+
+```bash
+# Verifica membri gruppo docker
+getent group docker
+
+# Simulazione:_lista politiche IAM
+aws iam list-attached-user-policies --user-name user
+
+# Verifica permessi socket
+ls -l /var/run/docker.sock
+
+# Simulazione:_simula accesso AWS
+aws sts get-caller-identity
+```
+
+## Vedi Anche
+
+- [Explanation: Docker IAM Parallels](../explanation/docker-iam-parallels.md)
+- [Tutorial: Permessi Docker](../tutorial/02-docker-group-permissions.md)
+```
+
+Key points:
+- Pure reference material (no tutorial content)
+- Tables and specifications
+- Command comparisons
+- Quick reference format
+  </action>
+  <verify>
+    <automated>test -f labs/lab-01-iam/reference/docker-socket-permissions.md && test -f labs/lab-01-iam/reference/linux-users-groups.md && test -f labs/lab-01-iam/reference/iam-parallels.md && grep -q "|" labs/lab-01-iam/reference/*.md | wc -l | awk '{if($1>=15) print "PASS"; else print "FAIL: Reference docs need more tables"}'</automated>
+  </verify>
+  <done>Three reference documents created with technical specifications</done>
+</task>
+
+<task type="auto">
+  <name>Task 6: Create Explanation Document (IAM Parallels)</name>
+  <files>labs/lab-01-iam/explanation/docker-iam-parallels.md</files>
+  <action>
+Create explanation document that connects local Docker concepts to cloud IAM:
+
+```markdown
+# Explanation: Parallelismi tra Docker Permissions e AWS IAM
+
+In questo documento esploreremo come i permessi Docker e la gestione utenti Linux simulano i concetti di Identity and Access Management (IAM) nei cloud provider come AWS. Comprendere questi parallelismi ti aiuterà a trasferire le conoscenze acquisite localmente agli ambienti cloud reali.
+
+## Cos'è IAM?
+
+**IAM (Identity and Access Management)** è il framework che controlla:
+- **Identity:** Chi sei (autenticazione)
+- **Access:** Cosa puoi fare (autorizzazione)
+
+AWS IAM, Azure IAM, Google Cloud IAM sono tutti basati sullo stesso concetto fondamentale: le identità hanno permessi specifici su risorse specifiche.
+
+---
+
+## Il Parallelismo Fondamentale
+
+### Utente Linux = IAM User
+
+| Locale | Cloud |
+|--------|-------|
+| Un utente Linux (`lab01_student`) | Un IAM User (`alice`) |
+| Può fare login al sistema | Può fare login ad AWS |
+| Ha UID univoco | Ha User ID univoco (AIDAI...) |
+| Appartiene a gruppi | Appartiene a IAM Groups |
+
+**Similitudine:** Entrambi rappresentano un'identità umana o di servizio che può autenticarsi.
+
+**Differenza:** Gli utenti Linux sono locali a una singola macchina, gli IAM Users sono globali all'account AWS.
+
+### Gruppo Linux = IAM Group
+
+| Locale | Cloud |
+|--------|-------|
+| Gruppo `docker` | IAM Group `Developers` |
+| Membri ereditano permessi del gruppo | Membri ereditano policies del gruppo |
+| Utente può essere in multipli gruppi | Utente può essere in multipli gruppi |
+| `groups user` mostra membrianze | `aws iam list-groups-for-user` |
+
+**Similitudine:** I gruppi rendono facile gestire i permessi per molti utenti. Aggiungi un utente al gruppo e ha automaticamente tutti i permessi del gruppo.
+
+**Differenza:** I gruppi Linux sono definiti localmente, i gruppi IAM sono definiti centralmente e possono avere utenti跨-region.
+
+### Socket Docker = Service Endpoint
+
+| Locale | Cloud |
+|--------|-------|
+| `/var/run/docker.sock` | AWS API endpoint (`https://ec2.amazonaws.com`) |
+| Accessibile solo con permessi corretti | Accessibile solo con credenziali valide |
+| `chmod 660` limita l'accesso | IAM policies limitano l'accesso |
+
+**Similitudine:** Entrambe sono risorse protette che richiedono autorizzazione per essere utilizzate.
+
+**Differenza:** Il socket Docker è un file Unix locale, gli API endpoint sono servizi web remoti.
+
+### Permessi File = IAM Policy
+
+| Locale | Cloud |
+|--------|-------|
+| `rw-rw----` su socket | JSON policy con `Effect: Allow/Deny` |
+| Utente deve essere nel gruppo `docker` | Utente deve avere policy permessiva |
+| `chmod` cambia permessi | `AttachUserPolicy` assegna policy |
+
+**Similitudine:** Entrambi definiscono regole esplicite su chi puo fare cosa.
+
+**Differenza:** I permessi Linux sono semplici (read/write/execute), le IAM policies sono espressioni complesse con condizioni, wildcard, e resource-level permissions.
+
+---
+
+## Esempio Pratico: Setup di un Nuovo Sviluppatore
+
+### Scenario Locale
+
+```bash
+# 1. Crea utente per il nuovo sviluppatore
+sudo useradd -m -s /bin/bash mario_rossi
+
+# 2. Aggiungi al gruppo docker (permette di lanciare container)
+sudo usermod -aG docker mario_rossi
+
+# 3. Verifica
+groups mario_rossi
+# Output: mario_rossi : mario_rossi docker
+
+# 4. Mario ora puo lanciare container
+sudo -u mario_rossi docker run alpine whoami
+```
+
+### Scenario Cloud AWS (Equivalente)
+
+```bash
+# 1. Crea IAM User per il nuovo sviluppatore
+aws iam create-user --user-name mario_rossi
+
+# 2. Crea gruppo per sviluppatori (se non esiste)
+aws iam create-group --group-name Developers
+
+# 3. Allega policy al gruppo (permette di usare EC2/containers)
+aws iam attach-group-policy \
+  --group-name Developers \
+  --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
+
+# 4. Aggiungi utente al gruppo
+aws iam add-user-to-group \
+  --group-name Developers \
+  --user-name mario_rossi
+
+# 5. Verifica
+aws iam list-groups-for-user --user-name mario_rossi
+# Output: Groups: [Developers]
+
+# 6. Mario ora puo lanciare istanze EC2 (equivalente a container)
+aws ec2 run-instances --image-id ami-12345 ...
+```
+
+**Parallelismo:**
+- Entrambi iniziano creando un'identità
+- Entrambi usano gruppi per gestire i permessi
+- Entrambi verificano l'appartenenza al gruppo
+- Entrambi ora possono lanciare risorse (container/EC2)
+
+---
+
+## Il Principio del Minimo Privilegio
+
+### Locale: Non-Root Containers
+
+**Perché non root?**
+- Root in container = root sull'host (se vulnerabilità kernel)
+- Root puo leggere/scrivere qualsiasi file
+- Root puo modificare configurazioni di sistema
+
+**Soluzione locale:**
+```dockerfile
+# Dockerfile con utente non-root
+FROM alpine:3.19
+RUN adduser -D -u 1000 appuser
+USER appuser
+CMD ["sh", "-c", "whoami"]
+```
+
+**Verifica:**
+```bash
+docker exec container whoami
+# Output: appuser (NON root)
+```
+
+### Cloud: IAM Policies Restrittive
+
+**Perché policy minime?**
+- Chiave compromessa = danno limitato
+- Principio di least privilege
+- Audit e compliance requirements
+
+**Soluzione cloud:**
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:PutObject"
+      ],
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    }
+  ]
+}
+```
+
+**Verifica:**
+```bash
+# Simula accesso dell'utente
+aws iam simulate-principal-policy \
+  --policy-source-arn arn:aws:iam::123456789012:user/mario_rossi \
+  --action-names s3:DeleteBucket \
+  # Output: Decision: Deny (policy non permette DeleteBucket)
+```
+
+**Parallelismo:**
+- Entrambi limitano cosa l'identità puo fare
+- Entrambi riducono la superficie di attacco
+- Entrambi sono verificabili tramite test
+
+---
+
+## Differenze tra Locale e Cloud
+
+### 1. Scope dei Permessi
+
+| Locale | Cloud |
+|--------|-------|
+| Permessi validi solo su questa macchina | Permessi validi per tutto l'account AWS |
+| Utente locale accede solo a risorse locali | IAM user accede a risorse globali |
+| Gruppi definiti in `/etc/group` | Gruppi definiti in IAM (centralizzato) |
+
+**Implicazione:** Nel cloud, un utente con permessi S3 puo accedere a tutti i bucket S3 nell'account, non solo a quelli "vicini" come nel filesystem locale.
+
+### 2. Complessità delle Policy
+
+| Locale | Cloud |
+|--------|-------|
+| Semplice: lettura/scrittura/esecuzione | Complesso: conditions, IP restrictions, MFA |
+| Basato su owner/group/other | Basato su JSON con wildcards |
+| Binario: o hai permesso o no | Granulare: resource-level, tag-based, time-based |
+
+**Esempio Cloud (non possibile localmente):**
+```json
+{
+  "Effect": "Allow",
+  "Action": "s3:*",
+  "Resource": "*",
+  "Condition": {
+    "IpAddress": {
+      "aws:SourceIp": ["203.0.113.0/24"]
+    },
+    "DateGreaterThan": {
+      "aws:CurrentTime": "2024-01-01T00:00:00Z"
+    },
+    "Bool": {
+      "aws:MultiFactorAuthPresent": "true"
+    }
+  }
+}
+```
+
+**Implicazione:** Le IAM policies sono piu potenti ma anche piu complesse da capire e debuggare.
+
+### 3. Audit e Logging
+
+| Locale | Cloud |
+|--------|-------|
+| `/var/log/auth.log` per login sudo | CloudTrail per tutte le chiamate API |
+| `last` mostra ultimi login | IAM Access Analyzer mostra attivita |
+| Manuale correlare eventi | Ricerche automatiche su CloudTrail Logs |
+
+**Implicazione:** Nel cloud hai audit trail automatico, completo e ricercabile. Localmente devi configurare e mantenere i log.
+
+### 4. Autenticazione
+
+| Locale | Cloud |
+|--------|-------|
+| Password, SSH key | Access Key ID, Secret Access Key, Session Token |
+| Password scade mai (default) | Access keys devono essere ruotate regolarmente |
+| MFA non disponibile | MFA obbligatorio per root/users in molte organizzazioni |
+
+**Implicazione:** Nel cloud, l'autenticazione e piu sicura di default (rotazione automatica, MFA, sessioni temporanee).
+
+---
+
+## Comandi Equivalenti: Quick Reference
+
+| Operazione | Locale | Cloud AWS |
+|------------|--------|-----------|
+| **Crea utente** | `sudo useradd -m user` | `aws iam create-user --user-name user` |
+| **Aggiungi a gruppo** | `sudo usermod -aG docker user` | `aws iam add-user-to-group --group-name Developers --user-name user` |
+| **Verifica permessi** | `groups user` | `aws iam list-attached-user-policies --user-name user` |
+| **Test accesso** | `sudo -u user docker ps` | `aws sts get-caller-identity` |
+| **Eleva privilegi** | `sudo command` | `aws sts assume-role` |
+| **Revoca permessi** | `sudo gpasswd -d user docker` | `aws iam detach-user-policy --user-name user --policy-arn ...` |
+| **Elimina utente** | `sudo userdel user` | `aws iam delete-user --user-name user` |
+
+---
+
+## Best Practices Transferibili
+
+### 1. Mai Usare Root per Lavoro Normale
+
+**Locale:**
+```bash
+# SBAGLIATO: Log in come root
+ssh root@server
+
+# GIUSTO: Log in come utente normale, usa sudo quando serve
+ssh user@server
+sudo command
+```
+
+**Cloud:**
+```bash
+# SBAGLIATO: Usa root account AWS (l'email con cui ti sei registrato)
+# Mai usare root account per operazioni quotidiane
+
+# GIUSTO: Crea IAM User con permessi limitati
+aws iam create-user --user-name daily-ops-user
+aws iam attach-user-policy --user-name daily-ops-user --policy-arn ...
+```
+
+### 2. Usa Gruppi per Gestire Permessi
+
+**Locale:**
+```bash
+# Invece di dare permessi a ogni singolo utente
+sudo usermod -aG docker user1
+sudo usermod -aG docker user2
+sudo usermod -aG docker user3
+
+# Tutti automaticamente ereditano i permessi del gruppo docker
+```
+
+**Cloud:**
+```bash
+# Invece di attachare policy a ogni singolo utente
+aws iam create-group --group-name Developers
+aws iam attach-group-policy --group-name Developers --policy-arn ...
+aws iam add-user-to-group --group-name Developers --user-name user1
+aws iam add-user-to-group --group-name Developers --user-name user2
+
+# Tutti automaticamente ereditano le policies del gruppo Developers
+```
+
+### 3. Verifica i Permessi
+
+**Locale:**
+```bash
+# Verifica che l'utente abbia i permessi corretti
+groups user
+id user
+sudo -u user docker ps
+```
+
+**Cloud:**
+```bash
+# Verifica che l'utente abbia le policies corrette
+aws iam list-attached-user-policies --user-name user
+aws iam simulate-principal-policy --policy-source-arn ... --action-names s3:GetObject
+```
+
+---
+
+## Conclusione
+
+I concetti che hai imparato in questo lab - utenti, gruppi, permessi - si applicano direttamente ad AWS IAM e altri cloud provider. La differenza principale e la scala e la complessita: nel cloud, questi concetti sono potenziati con condizioni granulari, audit automatico, e credenziali ruotabili.
+
+Quando lavorerai con AWS IAM, ricorda:
+- IAM User = Utente Linux (identità)
+- IAM Group = Gruppo Linux (raccolta di utenti con stessi permessi)
+- IAM Policy = Permessi file/socket (regole di accesso)
+- Service Endpoint = Socket Docker (risorsa protetta)
+
+Comprendendo questi parallelismi, sarai in grado di applicare le conoscenze locali al cloud con fiducia.
+
+---
+
+## Approfondimenti
+
+- [AWS IAM Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html)
+- [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+- [Tutorial: Permessi Docker](../tutorial/02-docker-group-permissions.md)
+- [Reference: Tabella Parallelismi](../reference/iam-parallels.md)
+```
+
+Key points:
+- Clear explanation of IAM concepts
+- Side-by-side comparisons
+- Practical examples
+- Best practices transferable to cloud
+- Links to AWS documentation
+- Covers PARA-01 (Docker mapped to IAM), PARA-03 (differences documented), PARA-04 (commands shown)
+  </action>
+  <verify>
+    <automated>test -f labs/lab-01-iam/explanation/docker-iam-parallels.md && grep -q "IAM\|AWS\|differenza\|difference" labs/lab-01-iam/explanation/docker-iam-parallels.md && wc -l labs/lab-01-iam/explanation/docker-iam-parallels.md | awk '{if($1>=80) print "PASS"; else print "FAIL: Explanation too short ("$1" lines, expected 80+)"}'</automated>
+  </verify>
+  <done>Explanation document created with IAM parallels and local-cloud differences</done>
+</task>
+
+</tasks>
+
+<verification>
+1. All 4 Diátaxis document types exist: tutorial/, how-to-guides/, reference/, explanation/
+2. Tutorial follows "little often" principle (small incremental steps)
+3. How-to guides are procedure-focused (not tutorial-style)
+4. Reference documents are technical specifications without tutorial content
+5. Explanation document draws clear parallels between Docker and IAM (PARA-01, PARA-03, PARA-04)
+6. All documents use Italian language without emojis
+7. All documents have cross-references to related content
+</verification>
+
+<success_criteria>
+1. Tutorial has 3 parts covering user creation, Docker permissions, and verification
+2. How-to guides cover common procedures independent of tutorial flow
+3. Reference documents provide technical specifications in quick-reference format
+4. Explanation document clearly maps Docker concepts to AWS IAM concepts
+5. All requirement IDs satisfied: LAB-01, DOCT-01, DOCT-02, DOCT-03, DOCT-04, DOCT-05, PARA-01, PARA-03, PARA-04
+</success_criteria>
+
+<output>
+After completion, create `.planning/phases/02-lab-01-iam-sicurezza/02-02-SUMMARY.md`
+</output>
diff --git a/.planning/phases/02-lab-01-iam-sicurezza/02-03-PLAN.md b/.planning/phases/02-lab-01-iam-sicurezza/02-03-PLAN.md
new file mode 100644
index 0000000..567d531
--- /dev/null
+++ b/.planning/phases/02-lab-01-iam-sicurezza/02-03-PLAN.md
@@ -0,0 +1,504 @@
+---
+phase: 02-lab-01-iam-sicurezza
+plan: 03
+type: execute
+wave: 2
+depends_on: [02-01, 02-02]
+files_modified:
+  - labs/lab-01-iam/Dockerfile
+  - labs/lab-01-iam/docker-compose.yml
+  - labs/lab-01-iam/tests/04-verify-infrastructure.sh
+autonomous: true
+requirements: [LAB-01, INF-01, TEST-01]
+user_setup: []
+must_haves:
+  truths:
+    - "docker-compose.yml defines services with non-root user directive (INF-01)"
+    - "Dockerfile creates non-root user and switches before CMD (INF-01)"
+    - "Test scripts validate non-root execution (INF-01)"
+    - "Infrastructure follows test-driven approach (GREEN phase of TDI)"
+  artifacts:
+    - path: "labs/lab-01-iam/Dockerfile"
+      provides: "Non-root container image definition"
+      min_lines: 15
+    - path: "labs/lab-01-iam/docker-compose.yml"
+      provides: "Service orchestration with user directive"
+      min_lines: 20
+    - path: "labs/lab-01-iam/tests/04-verify-infrastructure.sh"
+      provides: "Infrastructure verification script"
+      min_lines: 25
+  key_links:
+    - from: "docker-compose.yml"
+      to: "Dockerfile"
+      via: "build context and image reference"
+      pattern: "build:.*\\..*Dockerfile"
+    - from: "tests/04-verify-infrastructure.sh"
+      to: "docker-compose.yml, Dockerfile"
+      via: "Infrastructure validation"
+      pattern: "docker-compose.*-f.*docker-compose.yml"
+---
+
+<objective>
+Create Docker infrastructure (Dockerfile and docker-compose.yml) that implements non-root container execution (INF-01). Following TDD methodology, infrastructure is created AFTER tests exist, and tests should now pass (GREEN phase).
+
+Purpose: Implement minimum infrastructure to satisfy LAB-01 and INF-01 requirements while ensuring all containers run as non-root.
+Output: Dockerfile with non-root user, docker-compose.yml with user directive, and infrastructure verification test.
+</objective>
+
+<execution_context>
+@/home/luca/.claude/get-shit-done/workflows/execute-plan.md
+@/home/luca/.claude/get-shit-done/templates/summary.md
+</execution_context>
+
+<context>
+@.planning/PROJECT.md
+@.planning/ROADMAP.md
+@.planning/STATE.md
+@.planning/phases/02-lab-01-iam-sicurezza/02-RESEARCH.md
+@.planning/phases/02-lab-01-iam-sicurezza/02-VALIDATION.md
+@CLAUDE.md
+
+# From RESEARCH.md - Non-Root Container Pattern
+
+```dockerfile
+# Source: Docker security best practices
+FROM alpine:3.19
+
+# Create non-root user with specific UID/GID for consistency
+RUN addgroup -g 1000 appgroup && \
+    adduser -D -u 1000 -G appgroup appuser
+
+# Switch to non-root user BEFORE any operations
+USER appuser
+
+# Verify non-root execution
+CMD ["sh", "-c", "echo 'Running as:' && whoami"]
+```
+
+```yaml
+# docker-compose.yml with user directive
+services:
+  test-container:
+    image: alpine:3.19
+    user: "1000:1000"  # UID:GID for non-root
+    command: ["sh", "-c", "whoami && sleep 3600"]
+```
+
+# From RESEARCH.md - Verification Methods
+
+```bash
+# Method 1: Execute whoami inside container
+docker exec <container_name> whoami
+# Expected output: appuser (NOT root)
+
+# Method 2: Inspect container configuration
+docker inspect <container_name> --format='{{.State.User}}'
+
+# Method 3: Check process on host
+docker top <container_name>
+# Look at USER column - should show UID (e.g., 1000), NOT 0 (root)
+```
+
+# Common Pitfalls to Avoid
+
+- Running containers as root (violates INF-01)
+- Using `--privileged` flag (defeats container isolation)
+- Skipping verification of non-root execution
+- Forgetting `user:` directive in docker-compose.yml
+
+# TDD Methodology - GREEN Phase
+
+Now that tests exist (Wave 0), implement MINIMUM infrastructure to make them pass:
+1. docker-compose.yml with `user:` directive
+2. Dockerfile with `USER` directive
+3. Run tests to verify GREEN phase
+4. Do NOT over-engineer - minimum to pass tests is sufficient
+</context>
+
+<tasks>
+
+<task type="auto" tdd="true">
+  <name>Task 1: Create Dockerfile with non-root user</name>
+  <files>labs/lab-01-iam/Dockerfile</files>
+  <behavior>
+    - Base image: alpine:3.19 (small, secure)
+    - Creates non-root user with UID/GID 1000
+    - Switches to non-root user with USER directive
+    - CMD demonstrates non-root execution with whoami
+    - Follows INF-01 requirement (no root execution)
+  </behavior>
+  <action>
+Create Dockerfile that implements non-root container execution:
+
+```dockerfile
+# Lab 01 - IAM & Sicurezza
+# Dockerfile per container non-root (INF-01 requirement)
+#
+# Questo Dockerfile dimostra come creare un container che gira
+# come utente non-root, seguendo il principio del minimo privilegio.
+
+FROM alpine:3.19
+
+# Label per metadata
+LABEL maintainer="Lab 01 - IAM & Sicurezza"
+LABEL description="Container non-root per dimostrare permessi IAM"
+LABEL version="1.0"
+
+# Crea utente non-root con UID/GID specifici per consistenza
+# UID 1000 e GID 1000 sono comuni per utenti non-root
+RUN addgroup -g 1000 labuser && \
+    adduser -D -u 1000 -G labuser labuser
+
+# Imposta la working directory (creata con adduser -D)
+WORKDIR /home/labuser
+
+# Crea un file semplice per verificare i permessi di scrittura
+RUN echo "Questo file e stato creato durante la build" > /home/labuser/test.txt && \
+    chown labuser:labuser /home/labuser/test.txt
+
+# PASSA A UTENTE NON-ROOT PRIMA DI QUALSIASI OPERAZIONE
+# Questo e il punto chiave per INF-01: nessun processo gira come root
+USER labuser
+
+# Verifica che il container gira come utente non-root
+CMD ["sh", "-c", "\
+echo '========================================' && \
+echo 'Lab 01 - IAM & Sicurezza' && \
+echo 'Container non-root verification (INF-01)' && \
+echo '========================================' && \
+echo '' && \
+echo 'Utente corrente:' && \
+whoami && \
+echo '' && \
+echo 'UID:' && \
+id -u && \
+echo '' && \
+echo 'GID:' && \
+id -g && \
+echo '' && \
+echo 'Gruppi:' && \
+groups && \
+echo '' && \
+echo 'Home directory:' && \
+pwd && \
+echo '' && \
+echo 'Contenuto di test.txt (permessi scrittura):' && \
+cat test.txt && \
+echo '' && \
+echo '========================================' && \
+echo 'Se vedi \"labuser\" sopra, INF-01 e soddisfatto!' && \
+echo '========================================' && \
+echo '' && \
+echo 'Container in esecuzione. Premi Ctrl-C per uscire.' && \
+sleep 3600 \
+"]
+```
+
+Key implementation points:
+- Base image Alpine 3.19 (minimal, secure)
+- Creates `labuser` with UID/GID 1000
+- USER directive switches to non-root BEFORE CMD
+- CMD demonstrates and verifies non-root execution
+- Follows INF-01 requirement strictly
+- Labels for metadata and documentation
+- Working directory set to user's home
+- Test file to verify write permissions
+
+TDD Context: This is the GREEN phase - tests already exist (from Wave 0), this Dockerfile should make those tests pass.
+  </action>
+  <verify>
+    <automated>cd labs/lab-01-iam && docker build -t lab01-non-root . && docker run --rm lab01-non-root | grep -q "labuser" && echo "PASS: Container runs as non-root" || echo "FAIL: Container not running as labuser"</automated>
+  </verify>
+  <done>Dockerfile creates non-root container verified by whoami output</done>
+</task>
+
+<task type="auto" tdd="true">
+  <name>Task 2: Create docker-compose.yml with user directive</name>
+  <files>labs/lab-01-iam/docker-compose.yml</files>
+  <behavior>
+    - Defines service with local image build
+    - Specifies user directive (1000:1000) for non-root execution
+    - Includes container_name for easy reference
+    - Follows INF-01 requirement (no root)
+    - Enables test scripts to verify configuration
+  </behavior>
+  <action>
+Create docker-compose.yml that enforces non-root execution:
+
+```yaml
+# Lab 01 - IAM & Sicurezza
+# Docker Compose configuration per container non-root
+#
+# Questo file definisce i servizi per il lab, assicurandosi che
+# TUTTI i container girino come utente non-root (INF-01).
+
+version: "3.8"
+
+services:
+  # Container di test per verificare l'esecuzione non-root
+  lab01-test:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: lab01-non-root:latest
+    container_name: lab01-iam-test
+    # CRITICO: user directive assicura esecuzione non-root (INF-01)
+    # Format: UID:GID
+    # 1000:1000 corrisponde all'utente labuser creato nel Dockerfile
+    user: "1000:1000"
+    # Non esponiamo porte (non necessario per questo lab)
+    # Le porte private non devono essere esposte sull'host (best practice)
+    restart: unless-stopped
+    # Nessun volume mount necessario per questo lab semplice
+    # I volumi saranno introdotti nei lab successivi
+    healthcheck:
+      # Healthcheck per verificare che il container sia sano
+      test: ["CMD", "sh", "-c", "whoami | grep -q labuser"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
+
+# Nessuna rete definita - useremo la default bridge network
+# Le reti custom isolate saranno introdotte nel Lab 02 (Network & VPC)
+
+# Nessun volume definito - i volumi saranno introdotti nel Lab 04 (Storage & S3)
+```
+
+Key implementation points:
+- Service definition with local build context
+- `user: "1000:1000"` directive enforces non-root execution
+- Container name matches test expectations
+- Healthcheck verifies non-root user
+- Comments explain why no volumes/networks (future labs)
+- Follows docker-compose V3.8 syntax
+- No ports exposed (security best practice)
+
+TDD Context: Tests from Wave 0 check for user directive - this configuration should satisfy those tests.
+
+INF-01 Compliance:
+- User directive explicitly set
+- Healthcheck verifies non-root execution
+- No possibility of root execution
+  </action>
+  <verify>
+    <automated>cd labs/lab-01-iam && docker-compose config > /dev/null 2>&1 && echo "PASS: docker-compose.yml is valid" || echo "FAIL: docker-compose.yml has errors"</automated>
+  </verify>
+  <done>docker-compose.yml defines service with non-root user directive</done>
+</task>
+
+<task type="auto" tdd="true">
+  <name>Task 3: Create infrastructure verification script</name>
+  <files>labs/lab-01-iam/tests/04-verify-infrastructure.sh</files>
+  <behavior>
+    - Test 1: docker-compose.yml is valid YAML
+    - Test 2: Dockerfile builds successfully
+    - Test 3: Service has user directive set
+    - Test 4: Built container runs as non-root
+    - Test 5: All INF-01 requirements satisfied
+  </behavior>
+  <action>
+Create infrastructure verification script (TDD GREEN phase verification):
+
+```bash
+#!/bin/bash
+# Infrastructure Verification: Lab 01
+# Verifies that docker-compose.yml and Dockerfile satisfy all requirements
+# This is the GREEN phase check - tests should pass after infrastructure implementation
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+TEST_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$TEST_DIR/../.." && pwd)"
+LAB_DIR="$PROJECT_ROOT/labs/lab-01-iam"
+
+cd "$LAB_DIR"
+
+echo -e "${BLUE}========================================${NC}"
+echo -e "${BLUE}Lab 01 Infrastructure Verification${NC}"
+echo -e "${BLUE}GREEN Phase Check${NC}"
+echo -e "${BLUE}========================================${NC}"
+echo ""
+
+pass_count=0
+fail_count=0
+
+# Test 1: docker-compose.yml is valid
+echo -e "${BLUE}[1/6] Checking docker-compose.yml syntax...${NC}"
+if docker-compose config >/dev/null 2>&1; then
+    echo -e "  ${GREEN}✓${NC} docker-compose.yml is valid YAML"
+    ((pass_count++))
+else
+    echo -e "  ${RED}✗${NC} docker-compose.yml has syntax errors"
+    ((fail_count++))
+fi
+echo ""
+
+# Test 2: Dockerfile exists and is readable
+echo -e "${BLUE}[2/6] Checking Dockerfile...${NC}"
+if [ -f "Dockerfile" ]; then
+    echo -e "  ${GREEN}✓${NC} Dockerfile exists"
+
+    # Check for USER directive
+    if grep -q "^USER" Dockerfile; then
+        user_line=$(grep "^USER" Dockerfile)
+        echo -e "  ${GREEN}✓${NC} USER directive found: $user_line"
+        ((pass_count++))
+    else
+        echo -e "  ${RED}✗${NC} No USER directive found in Dockerfile"
+        ((fail_count++))
+    fi
+else
+    echo -e "  ${RED}✗${NC} Dockerfile not found"
+    ((fail_count++))
+fi
+echo ""
+
+# Test 3: docker-compose.yml has user directive
+echo -e "${BLUE}[3/6] Checking docker-compose.yml user directive...${NC}"
+if grep -q "user:" docker-compose.yml; then
+    user_value=$(grep "user:" docker-compose.yml | head -1 | sed 's/.*user: *//' | tr -d '"')
+    echo -e "  ${GREEN}✓${NC} user directive found: $user_value"
+
+    # Verify it's not root (0:0)
+    if [[ "$user_value" != *"0:0"* ]] && [[ "$user_value" != *"root"* ]]; then
+        echo -e "  ${GREEN}✓${NC} User is not root (INF-01 compliant)"
+        ((pass_count++))
+    else
+        echo -e "  ${RED}✗${NC} User is root (INF-01 violation)"
+        ((fail_count++))
+    fi
+else
+    echo -e "  ${RED}✗${NC} No user directive in docker-compose.yml"
+    ((fail_count++))
+fi
+echo ""
+
+# Test 4: Build Docker image
+echo -e "${BLUE}[4/6] Building Docker image...${NC}"
+if docker build -t lab01-non-root -q Dockerfile >/dev/null 2>&1; then
+    echo -e "  ${GREEN}✓${NC} Docker image built successfully"
+    ((pass_count++))
+else
+    echo -e "  ${RED}✗${NC} Docker image build failed"
+    ((fail_count++))
+fi
+echo ""
+
+# Test 5: Verify container runs as non-root
+echo -e "${BLUE}[5/6] Verifying non-root execution...${NC}"
+if docker run --rm lab01-non-root whoami 2>/dev/null | grep -q "labuser"; then
+    echo -e "  ${GREEN}✓${NC} Container runs as non-root user (labuser)"
+    ((pass_count++))
+else
+    echo -e "  ${RED}✗${NC} Container not running as labuser"
+    ((fail_count++))
+fi
+echo ""
+
+# Test 6: Verify docker-compose service
+echo -e "${BLUE}[6/6] Verifying docker-compose service...${NC}"
+# Start container in detached mode
+if docker-compose up -d >/dev/null 2>&1; then
+    echo -e "  ${GREEN}✓${NC} docker-compose service started"
+
+    # Wait for container to be ready
+    sleep 3
+
+    # Check container is running
+    if docker ps --format "{{.Names}}" | grep -q "^lab01-iam-test$"; then
+        echo -e "  ${GREEN}✓${NC} Container is running"
+
+        # Verify user
+        actual_user=$(docker exec lab01-iam-test whoami 2>/dev/null || echo "unknown")
+        if [ "$actual_user" = "labuser" ]; then
+            echo -e "  ${GREEN}✓${NC} docker-compose container runs as non-root"
+            ((pass_count++))
+        else
+            echo -e "  ${RED}✗${NC} docker-compose container running as $actual_user (expected labuser)"
+            ((fail_count++))
+        fi
+    else
+        echo -e "  ${RED}✗${NC} Container not running"
+        ((fail_count++))
+    fi
+
+    # Cleanup
+    docker-compose down --volumes >/dev/null 2>&1
+else
+    echo -e "  ${RED}✗${NC} Failed to start docker-compose service"
+    ((fail_count++))
+fi
+echo ""
+
+# Summary
+echo -e "${BLUE}========================================${NC}"
+echo -e "${BLUE}Verification Summary${NC}"
+echo -e "${BLUE}========================================${NC}"
+echo "Passed: $pass_count/6"
+echo "Failed: $fail_count/6"
+echo ""
+
+if [ $fail_count -eq 0 ]; then
+    echo -e "${GREEN}All checks passed!${NC}"
+    echo -e "${GREEN}GREEN phase complete - infrastructure satisfies tests${NC}"
+    echo ""
+    echo "Next: Run full test suite"
+    echo "  bash labs/lab-01-iam/tests/run-all-tests.sh"
+    echo -e "${BLUE}========================================${NC}"
+    exit 0
+else
+    echo -e "${RED}Some checks failed${NC}"
+    echo -e "${RED}Infrastructure needs fixes before tests will pass${NC}"
+    echo -e "${BLUE}========================================${NC}"
+    exit 1
+fi
+```
+
+Key implementation points:
+- Validates docker-compose.yml syntax
+- Verifies USER directive in Dockerfile
+- Verifies user directive in docker-compose.yml
+- Builds and tests Docker image
+- Starts container with docker-compose and verifies execution
+- Proper cleanup after testing
+- Clear pass/fail indicators
+
+TDD Context: This script confirms the GREEN phase - infrastructure implementation makes tests pass.
+  </action>
+  <verify>
+    <automated>chmod +x labs/lab-01-iam/tests/04-verify-infrastructure.sh && cd labs/lab-01-iam && bash ../tests/04-verify-infrastructure.sh</automated>
+  </verify>
+  <done>Infrastructure verification script confirms all requirements satisfied</done>
+</task>
+
+</tasks>
+
+<verification>
+1. Dockerfile creates non-root user with USER directive
+2. docker-compose.yml specifies user directive for service
+3. docker-compose config validates without errors
+4. Docker build succeeds without warnings
+5. Container execution verified as non-root (whoami, docker inspect, docker top)
+6. All Wave 0 tests now pass (GREEN phase of TDD)
+7. INF-01 requirement satisfied: no container runs as root
+</verification>
+
+<success_criteria>
+1. Dockerfile follows non-root best practices from RESEARCH.md
+2. docker-compose.yml enforces non-root execution via user directive
+3. Infrastructure verification confirms all requirements met
+4. Tests from Wave 0 (02-01-PLAN.md) now pass
+5. LAB-01 requirement satisfied: students can configure users and Docker permissions
+6. INF-01 requirement satisfied: no container runs as root
+</success_criteria>
+
+<output>
+After completion, create `.planning/phases/02-lab-01-iam-sicurezza/02-03-SUMMARY.md`
+</output>