Alpha testing: all current functionality is free while VAT Engine is in active development

Product updates

Changelog

Track product releases, security hardening, compliance reporting work, and infrastructure changes across VAT Engine.

Latest release
3.6.112
Production Frontend Now Redirects www To The Canonical Apex Host
Releases tracked
162
Since January 2026
Logged changes
755
Across all categories
SecurityFeatureImprovementFixInfrastructure

Showing releases 1-12 of 162

3.6.112July 8, 2026

Production Frontend Now Redirects www To The Canonical Apex Host

3 changes
Infrastructure3 items
  • The maintained production frontend vhost now accepts both vat-engine.app and www.vat-engine.app on port 80, redirects both to the canonical https://vat-engine.app host, and adds a dedicated HTTPS www redirect server for the same apex target
  • The production operator docs now make the www DNS alias and shared SAN-certificate requirement explicit, so operators expand the vat-engine.app certificate before they reload the new redirect vhost
  • Post-deploy crawler checks now include the expected https://www.vat-engine.app to https://vat-engine.app redirect together with certificate coverage for www, keeping canonical-host verification aligned with the production SEO surface
3.6.111July 8, 2026

Shopify Tax-Treatment Diagnostics Now Separate Inclusive, Exempt, And Zero-Rate Evidence

3 changes
Improvement3 items
  • Shopify imports now treat tax-inclusive and tax-exclusive prices differently, so VAT Engine backs VAT out of inclusive line prices before it evaluates taxable base and gross amounts
  • Zero-VAT Shopify rows now surface a dedicated tax-treatment diagnostic that separates exempt evidence, explicit zero-rate evidence, ordinary taxed rows, and contradictory or incomplete cases that still need review
  • The Shopify order preview now shows order-level price basis together with a per-event tax-treatment panel, making it much clearer why a row resolved as exempt, zero-rated, or still pending review
3.6.110July 8, 2026

Shopify Multi-Currency Orders Now Show Clear Amount Context

4 changes
Improvement4 items
  • Shopify imports now consistently use the store currency as the canonical VAT ledger amount, keeping tax calculations stable across sales, refunds, shipping, duties, fees, and adjustments
  • When a customer paid in a different presentment currency, the Shopify order preview now keeps that customer-facing currency as diagnostic context instead of mixing it into filing amounts
  • The Shopify preview response now reuses the shared backend shop_money policy constant, so preview metadata cannot drift from adapter evidence if the canonical-money-source label ever changes
  • This makes multi-currency Shopify reviews easier to explain while leaving VAT reporting currency conversion in the existing reporting workflow
3.6.109July 7, 2026

Public Analytics Now Uses Consent-Gated Google Analytics

3 changes
Improvement3 items
  • VAT Engine now uses Google Analytics for public-site analytics instead of the previous lightweight analytics provider
  • Analytics still waits for the visitor to allow analytics cookies and is locked to the canonical production hostname so local and staging traffic do not pollute production reports
  • The privacy and security notes now reflect the current analytics provider and browser security policy
3.6.108July 7, 2026

Develop TEDB Automation Token Now Uses A Secret File

2 changes
Security2 items
  • The develop Compose API service now mounts the TEDB automation bearer token as a dedicated secret file instead of requiring that public-automation credential to remain in the running container environment
  • That keeps the develop TEDB preview automation path aligned with the hardened production secret boundary while leaving the rest of the current develop API secret model unchanged for now
3.6.107July 7, 2026

API Host Now Explicitly Opts Out Of Search Indexing

3 changes
Improvement3 items
  • The public API host now sends `X-Robots-Tag: noindex, nofollow, noarchive` on every response and serves its own `robots.txt` with `Disallow: /`, so `api.vat-engine.app` no longer relies on implicit 404 behavior to stay out of search indexes
  • Backend 4xx and 5xx logs now include the request host and user agent, making it much easier to separate main-site traffic, API-host probes, and recognizable crawler strings in production logs
  • Targeted backend tests now cover the API-host `robots.txt`, noindex headers on both success and 404 responses, and the enriched structured log fields
3.6.106July 7, 2026

Shopify Shipping Alias Matching No Longer Guesses Across Multiple Warehouses

3 changes
Fix3 items
  • Shopify shipping sale rows and refund-shipping rows now reuse fulfillment-location alias evidence only when Shopify routing points to one unambiguous assigned location for the order
  • If Shopify routes one order across multiple warehouse locations, VAT Engine now keeps shipping source attribution fail-closed instead of letting one warehouse alias win by position alone
  • Single-location Shopify shipping flows still keep warehouse alias matching, so shipping-family rows can continue resolving to the right source profile when routing is clear
3.6.105July 7, 2026

External TEDB Preview Automation No Longer Depends On The Private Admin Plane

3 changes
Fix3 items
  • External schedulers can now fetch both VAT-rate and SME-threshold TEDB preview diffs through a dedicated machine-to-machine surface, so public automation no longer breaks against the private admin-only control plane
  • The public automation path is limited to read-only TEDB preview calls and uses its own bearer-token boundary instead of reopening the broader internal admin route family on the public API host
  • Deployment examples and operator guidance now document the intended external-automation setup so scheduled preview jobs can target the supported public path consistently
3.6.104July 6, 2026

API TLS Rejections Now Point To Trusted-Proxy Configuration

3 changes
Improvement3 items
  • VAT Engine now logs an explicit operator-facing warning when an API request is rejected as non-HTTPS even though it arrived with X-Forwarded-Proto, which narrows the problem to trusted-proxy configuration instead of a generic client mistake
  • Production and develop environment examples now document that TRUSTED_PROXY_PROXIES must match the reverse-proxy hop seen by the API container, commonly the Docker bridge gateway in this deployment layout
  • The deployment checklist now includes a concrete post-deploy verification step for 421 tls_required incidents on the public API host
3.6.103July 6, 2026

Product-Tax Special-Flag Migration Self-Heals Legacy Invalid Rows

3 changes
Fix3 items
  • Migration 000046 no longer fails on preexisting product-tax mapping rows that older dashboard or API paths could store with impossible special-product flag combinations
  • VAT Engine now preserves the stored supply kind and special handling on those legacy rows, clears only the incompatible additive flags, and then validates the new PostgreSQL constraints explicitly
  • The rollout path is now covered by a DB-backed regression that proves historical invalid rows are normalized before constraint validation and that future invalid inserts are still rejected by the database
3.6.102July 6, 2026

Shopify Imported-Goods Signals No Longer Override Non-Goods Mappings

3 changes
Fix3 items
  • Shopify imported-goods auto-detection now promotes a row to imported_goods only when the current mapped supply kind is still goods-compatible, instead of silently overwriting explicit non-goods product mappings such as service or TBE service
  • When Shopify non-EU dispatch and import-fee evidence conflicts with an explicit non-goods product tax mapping, VAT Engine now keeps the mapped supply kind and moves the row to needs_review with an imported-goods conflict reason
  • The imported-goods review surface still preserves origin, duty, and consignment diagnostics for operators, but those Shopify evidence fields no longer outrank explicit non-goods mapping decisions by themselves
3.6.101July 6, 2026

Shopify Unknown Channel Marketplace State Stays Reviewable

3 changes
Fix3 items
  • VAT Engine no longer treats missing Shopify `channelDefinition` marketplace metadata as a confirmed non-marketplace channel, so unknown Shopify channels do not auto-fall to merchant-liable treatment
  • Canonical Shopify evidence now preserves marketplace status as true, false, or unknown across both live Admin GraphQL fetches and bulk-operation parsing, and the marketplace-liability classifier only uses the non-marketplace fast path when Shopify explicitly says the channel is not a marketplace
  • Explicit non-marketplace channels still resolve merchant-liable as before, while ambiguous channels remain in needs_review until tax-line or source-profile evidence is decisive