Known Issues
Current limitations and production hardening guidance.
Current Limitations
API authentication enforcement is now configurable. Set the
SECURITY_ENFORCE_AUTH=true environment variable to require
authentication on all API endpoints. When enabled, requests must supply a valid
API key (X-API-Key) or SSO JWT (Authorization: Bearer <jwt>).
Authentication defaults to permissive for development convenience.
Always set SECURITY_ENFORCE_AUTH=true in production.
Public paths (Swagger UI, health endpoint, SSO login/callback, OAuth2) remain
accessible without authentication regardless of this setting.
PostgreSQL is now the default database. The application ships with Flyway migration scripts (V1–V31) that apply cleanly against PostgreSQL. H2 is retained only for unit tests.
Configure the datasource via environment variables:
SPRING_DATASOURCE_URL, SPRING_DATASOURCE_USERNAME,
and SPRING_DATASOURCE_PASSWORD. A Docker Compose file with a
PostgreSQL service is included in the repository root.
SCM tokens are now encrypted at rest using AES-256-GCM before being persisted to the database. A unique 12-byte IV is generated per token; the ciphertext and IV are stored together as a single Base64-encoded value.
Set the encryption key via the SCM_ENCRYPTION_KEY environment variable
(32-character string). A default development key is used when the variable is not
set. Existing Base64-only tokens remain readable via backward-compatible legacy
decoding. Rotate tokens after enabling encryption for maximum security.
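As an added illustration of the storage scheme described above, not the project's own code: AES-256-GCM with a fresh 12-byte IV per token, IV and ciphertext kept as one Base64 value, and a fallback that reads pre-encryption Base64-only tokens. It assumes the IV is stored as a prefix of the ciphertext and that the 32-character SCM_ENCRYPTION_KEY value is used directly as the key bytes; the function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

const ivLen = 12 // 96-bit GCM nonce; a fresh one is drawn for every token

// newGCM builds the AES-256-GCM AEAD once at startup from the 32-byte SCM_ENCRYPTION_KEY value.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptToken returns base64(IV || ciphertext || tag), so IV and ciphertext are one stored value.
func encryptToken(gcm cipher.AEAD, token string) (string, error) {
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the IV slice, producing the IV-prefixed layout (assumed order).
	return base64.StdEncoding.EncodeToString(gcm.Seal(iv, iv, []byte(token), nil)), nil
}

// decryptToken opens an encrypted record; a value that does not authenticate as GCM is
// treated as a pre-encryption Base64-only token and flagged legacy=true so it gets rotated.
func decryptToken(gcm cipher.AEAD, stored string) (token string, legacy bool, err error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", false, err
	}
	if len(raw) >= ivLen+gcm.Overhead() {
		if pt, err := gcm.Open(nil, raw[:ivLen], raw[ivLen:], nil); err == nil {
			return string(pt), false, nil
		}
	}
	return string(raw), true, nil // legacy fallback: stored value is just base64(token)
}
```

Because the fallback accepts any record that GCM rejects, a tampered ciphertext is indistinguishable from a legacy token; log every legacy=true hit and drop the fallback once all tokens have been rotated.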
The default embedded OPA policy evaluator supports a simplified subset of policy logic. Full Rego language features — including imports, virtual documents, and partial rules — are not available in embedded mode.
Mitigation: Set OPA_MODE=external and configure
OPA_URL to point to a full OPA server instance. Full Rego support
is available in external mode. WASM-compiled policy modules are also supported
via the Policy Management API.
RBAC is now implemented. The application supports four roles: ADMIN,
MEMBER, VIEWER, and SERVICE_ACCOUNT
(pipeline-bot). Role enforcement on sensitive endpoints (organisation management,
policy management) is activated automatically when
SECURITY_ENFORCE_AUTH=true.
Assign roles when creating service account API keys. SSO users inherit roles from group→role mappings configured in the SSO settings for your organisation.
The following frontend views have been added to the Vue application:
- Compliance Frameworks (/compliance) — browse and import PCI-DSS v4, SOX ITGC, GDPR Art.32, and SLSA Level 2/3 framework templates.
- Policy Management (/policies) — create, view, and delete deployment policies; upload WASM policy modules.
- Drift Detection (/drift) — compare environment allowlists against active snapshots; identify and highlight out-of-compliance artifacts.
All backend features now have dedicated UI coverage.
Planned Enhancements
The following capabilities are on the roadmap for upcoming releases:
A standalone Go CLI (factstore-cli) is available in the cli/
directory. It supports attest and gate commands for use in
CI/CD pipelines without requiring curl + jq. Reusable GitHub Actions workflows
(factstore-attest.yml, factstore-gate.yml) and a GitLab
CI template (gitlab/factstore.yml) are also provided.
JWT-based authentication (SSO via OIDC, API keys for service accounts) and
role-based access control (ADMIN / MEMBER / VIEWER / SERVICE_ACCOUNT) are
implemented. Enable enforcement with SECURITY_ENFORCE_AUTH=true.
PostgreSQL is the default database. Flyway migration scripts (V1–V31) are included, and a Docker Compose profile for a persistent development environment is in the repository root.
A Kubernetes operator for managing OpenFactstore deployments declaratively, with custom resources for Flows and deployment policies.
Reporting Issues
Found a bug or want to request a feature? Open an issue on GitHub: