Known Issues

Current limitations and production hardening guidance.

⚠️ OpenFactstore is under active development. The items below represent known limitations in the current release. Each entry includes recommended mitigations for production use.

Current Limitations

✓ Resolved (Security): Authentication enforcement

API authentication enforcement is now configurable. Set the SECURITY_ENFORCE_AUTH=true environment variable to require authentication on all API endpoints. When enabled, requests must supply a valid API key (X-API-Key) or SSO JWT (Authorization: Bearer <jwt>).

Authentication defaults to permissive (unenforced) for development convenience. Always set SECURITY_ENFORCE_AUTH=true in production. Public paths (Swagger UI, health endpoint, SSO login/callback, OAuth2) remain accessible without authentication regardless of this setting.

✓ Resolved (Limitation): In-memory H2 database

PostgreSQL is now the default database. The application ships with Flyway migration scripts (V1–V31) that apply cleanly against PostgreSQL. H2 is retained only for unit tests.

Configure the datasource via environment variables: SPRING_DATASOURCE_URL, SPRING_DATASOURCE_USERNAME, and SPRING_DATASOURCE_PASSWORD. A Docker Compose file with a PostgreSQL service is included in the repository root.

✓ Resolved (Security): SCM token storage

SCM tokens are now encrypted at rest using AES-256-GCM before being persisted to the database. A unique 12-byte IV is generated per token; the ciphertext and IV are stored together as a single Base64-encoded value.

Set the encryption key via the FACTSTORE_SCM_ENCRYPTION_KEY environment variable (32-character string). A default development key is used when the variable is not set; because that default ships with the application, always configure a dedicated key in production. Rotate tokens after enabling encryption for maximum security.
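As an added example (not OpenFactstore's own code), the storage format described above implemented in Go with only the standard library: a unique 12-byte IV per token, AES-256-GCM, and IV plus ciphertext stored together as one Base64 value, with the key-length and tag checks a reviewer would expect. The IV-first byte order and the use of the key string's raw bytes are assumptions; the page specifies neither.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

const ivSize = 12 // the page states a unique 12-byte IV is generated per token

type TokenVault struct{ aead cipher.AEAD }

// NewTokenVault takes raw key bytes: a 32-character ASCII key is 32 bytes, the only length that selects AES-256.
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("FACTSTORE_SCM_ENCRYPTION_KEY must be exactly 32 bytes")
	}
	block, _ := aes.NewCipher(key)  // cannot fail once the length is checked
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &TokenVault{aead: aead}, nil
}

// Seal returns one Base64 value holding IV || ciphertext || tag (IV-first order is an assumption here).
func (v *TokenVault) Seal(token string) (string, error) {
	iv := make([]byte, ivSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	blob := v.aead.Seal(append([]byte{}, iv...), iv, []byte(token), nil)
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Open reverses Seal; a wrong key or a modified blob fails the GCM tag check.
func (v *TokenVault) Open(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < ivSize+v.aead.Overhead() {
		return "", errors.New("blob too short to contain IV and GCM tag")
	}
	pt, err := v.aead.Open(nil, raw[:ivSize], raw[ivSize:], nil)
	if err != nil {
		return "", errors.New("decrypt failed: wrong key or tampered blob")
	}
	return string(pt), nil
}
```

Two seals of the same token produce different blobs because the IV is fresh each time; a stored value that fails Open after a key rotation is the expected signal that the token must be re-encrypted, which is why the page advises rotating tokens.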

✓ Resolved (Limitation): OPA embedded mode is a simplified stub

The embedded OPA policy evaluator now supports a meaningful subset of Rego policy patterns without requiring an external OPA server. Supported constructs include:

  • deny[msg] { <conditions>; msg := "reason" } — deny rules with message extraction
  • allow { <conditions> } — explicit allow rules
  • default allow = false — require at least one allow rule to pass
  • String equality / inequality: input.field == "value", input.field != "value"
  • Numeric comparisons: input.field > N, >=, <, <=, ==
  • Existence checks: input.field (truthy), not input.field (falsy / absent)
  • Collection size: count(input.attestations) == 0

Full Rego features (imports, virtual documents, comprehensions, partial rules) still require an external OPA server. Set OPA_MODE=external and configure OPA_URL for full Rego support.

✓ Resolved (Limitation): Role-based access control

RBAC is now implemented. The application supports four roles: ADMIN, MEMBER, VIEWER, and SERVICE_ACCOUNT (pipeline-bot). Role enforcement on sensitive endpoints (organisation management, policy management) is activated automatically when SECURITY_ENFORCE_AUTH=true.

Assign roles when creating service account API keys. SSO users inherit roles from group→role mappings configured in the SSO settings for your organisation.

✓ Resolved (Limitation): Incomplete frontend coverage

The following frontend views have been added to the Vue application:

  • Compliance Frameworks (/compliance) — browse and import PCI-DSS v4, SOX ITGC, GDPR Art.32, and SLSA Level 2/3 framework templates.
  • Policy Management (/policies) — create, view, and delete deployment policies; upload WASM policy modules.
  • Drift Detection (/drift) — compare environment allowlists against active snapshots; identify and highlight out-of-compliance artifacts.

All backend features now have dedicated UI coverage.

Planned Enhancements

The following capabilities are on the roadmap for upcoming releases:

✓ Delivered (Enhancement): CLI binary

A standalone Go CLI (factstore-cli) is available in the cli/ directory. It supports attest and gate commands for use in CI/CD pipelines without requiring curl + jq. Reusable GitHub Actions workflows (factstore-attest.yml, factstore-gate.yml) and a GitLab CI template (gitlab/factstore.yml) are also provided.

✓ Delivered (Enhancement): Full authentication + RBAC

JWT-based authentication (SSO via OIDC, API keys for service accounts) and role-based access control (ADMIN / MEMBER / VIEWER / SERVICE_ACCOUNT) are implemented. Enable enforcement with SECURITY_ENFORCE_AUTH=true.

✓ Delivered (Enhancement): PostgreSQL support

PostgreSQL is the default database. Flyway migration scripts (V1–V31) are included, and a Docker Compose profile for a persistent development environment is in the repository root.

Planned: Kubernetes operator

A Kubernetes operator is planned for managing OpenFactstore deployments declaratively, with custom resources for Flows and deployment policies.

Reporting Issues

Found a bug or want to request a feature? Open an issue on GitHub:

github.com/MaximumTrainer/OpenFactstore/issues