# Security

## Secrets and encryption
- Store credentials are encrypted with AES-256-GCM.
- Integration secrets (webhooks/slack/jira) use the same encryption mechanism.
- Plaintext secrets are never logged.

## Access control
- Route-level middleware enforces authentication, entitlements, and feature-flag checks.
- Approval actions verify that the caller's role has permission for the current step.
- Forced reconcile and rollback actions are restricted to authorized roles.

## Integrity and audit
- All key actions are written to `merch_audit_log`.
- The run worker emits step-by-step logs and retry/fail/success statuses.
- Webhook deliveries use idempotency keys and retry controls.
