v1.7.14: LLM/SIEM domain allowlists, SRI hashes, auth misconfig warning, Azure Key Vault integration

backend/main.py

@@ -10,6 +10,8 @@ import structlog
 from audit_trail import log_action
 from config import (
     AI_FEATURES_ENABLED,
+    AUTH_ALLOWED_GROUPS,
+    AUTH_ALLOWED_ROLES,
     AUTH_ENABLED,
     CORS_ORIGINS,
     DOCS_ENABLED,
@@ -275,6 +277,13 @@ async def start_periodic_fetch():
         auth_enabled=AUTH_ENABLED,
         ai_enabled=AI_FEATURES_ENABLED,
     )
+    # Warn when auth is enabled but no role/group restrictions are configured
+    if AUTH_ENABLED and not AUTH_ALLOWED_ROLES and not AUTH_ALLOWED_GROUPS:
+        logger.warning(
+            "AUTH_ENABLED is true but no AUTH_ALLOWED_ROLES or AUTH_ALLOWED_GROUPS are configured. "
+            "Any Entra user in the tenant can authenticate and access AOC. "
+            "Set AUTH_ALLOWED_ROLES or AUTH_ALLOWED_GROUPS to restrict access."
+        )
     if ENABLE_PERIODIC_FETCH:
         app.state.fetch_task = asyncio.create_task(_periodic_fetch())