Recent platform and API updates in Strait.

2026-03

Auth / RBAC / Audit / Rotation Updates

• Added optional OIDC bearer-token authentication path for user traffic.
• Expanded RBAC with role inheritance and optional lineage introspection (GET /v1/roles/{roleID}?include_lineage=true).
• Added policy-based authorization controls:
  • resource policies
  • tag policies
• Added bulk member assignment endpoint (POST /v1/members/bulk).
• Added audit event API with filtering and ordering:
  • GET /v1/audit-events
  • supports from, to, order, limit, cursor
• Added API key rotation with grace windows (POST /v1/api-keys/{keyID}/rotate).
• Updated CLI parity for rotation (strait api-keys rotate --grace-period-minutes ...).
• Added new webhook authenticity headers:
  • X-Strait-Timestamp
  • X-Strait-Signature
  • compatibility X-Webhook-Signature

Docs / Tooling

• Synced and expanded OpenAPI specs (docs/openapi.yaml, apps/strait/internal/api/openapi.yaml).
• Added pre-commit OpenAPI parity enforcement via lefthook:
  • cd apps/strait && go run ./scripts/check-openapi-parity
• Added operations docs for monitoring, rollouts, and authz incident response.

Performance & Observability

• Added GET /v1/analytics/performance endpoint with slowest jobs, throughput, and health summary aggregations.
• Added 5 new Prometheus metrics for analytics, bulk operations, and webhook retries.
• Added OpenTelemetry trace spans to analytics, bulk trigger, bulk cancel, and webhook retry handlers.
• Completed 7-phase performance optimization: pool shutdown fixes, N+1 query elimination, slice pre-allocation, hot-path optimizations, benchmarks, and analytics endpoint.
• Removed all 44 feature flags - all features unconditionally active.

Test Coverage

• Added 40 store integration tests covering event triggers, advisory locks, audit events, RBAC tag policies, API key rotation, job/workflow versions, webhook retries, analytics, and health stats.
• Added 8 queue integration tests for concurrent dequeue (SKIP LOCKED), idempotency conflict handling, context cancellation, and edge cases.
• Increased CLI client test coverage from 40% to 84% and CLI auth from 44% to 94%.
• Added 7 E2E tests for analytics endpoint, bulk cancel with children, SDK heartbeat/log/progress, and debug mode.

Sprint 1-4 Feature Releases

• Batch Operations: Added batch_operations table and tracking for bulk trigger requests. Batch status queryable via GET /v1/batch-operations.
• Log Drains: Added external log streaming via configurable HTTP drain endpoints. Full CRUD at /v1/log-drains.
• Event Sources v2: Added inbound event management with subscriptions and filter expressions. Events dispatched to jobs or workflows via POST /v1/events/dispatch.
• Per-Key Concurrency: Added max_concurrency_per_key to jobs and concurrency_key to runs for per-tenant/per-resource throttling.
• Named Rate Limit Keys: Added rate_limit_keys for multiple named rate limits per job, extending the flat rate_limit_max/rate_limit_window_secs.
• Default Run Metadata: Added default_run_metadata on jobs, automatically applied to every new run.
• Payload Containment Filter: Added payload_contains query parameter on run listings for JSONB containment queries.
• New Run Fields: Added batch_id, concurrency_key, created_by, tags, and job_version_id to job runs.
• Run Sub-resources: Added endpoints for run checkpoints, usage, tool calls, and outputs.
• Bulk Run Operations: Added POST /v1/runs/bulk-cancel, POST /v1/runs/bulk-replay, POST /v1/runs/bulk-dlq-replay, POST /v1/runs/bulk-cancel-all.
• Workflow Enhancements: Added bulk cancel, individual retry, and step retry for workflow runs.
• Removed 5 remaining dead feature flag environment variables (FF_PAYLOAD_FILTER, FF_CONCURRENCY_KEY, FF_LOG_DRAINS, FF_WEBHOOK_SUBSCRIPTIONS, FF_EVENT_SOURCES_V2). All sprint 1-4 features are unconditionally active.