Alpha testing: all current functionality is free while VAT Engine is in active development

Product updates

Changelog

Track product releases, security hardening, compliance reporting work, and infrastructure changes across VAT Engine.

Archive page 12 of 14.

Latest release
3.6.112
Production Frontend Now Redirects www To The Canonical Apex Host
Releases tracked
162
Since January 2026
Logged changes
755
Across all categories
SecurityFeatureImprovementFixInfrastructure

Showing releases 133-144 of 162

2.7.1March 22, 2026

Security Hardening — Perimeter Filtering & Secret Handling

7 changes
Security3 items
  • Improved perimeter traffic filtering to better align public access with primary business regions
  • Hardened runtime secret handling for API credentials
  • Reviewed additional defensive layers for future edge-security expansion
Infrastructure4 items
  • Automated supporting security-data refreshes so perimeter updates stay current without manual maintenance
  • Applied those supporting updates without service disruption
  • Standardized secret-backed credential handling for the API service
  • Expanded centralized secret handling across core service credentials
2.7.0March 22, 2026

Security Hardening — Edge Filtering & Alerting

7 changes
Security4 items
  • Broadened edge request filtering for common exploit patterns and abusive automation
  • Refined edge throttling and connection controls across public surfaces
  • Improved automated blocking for repeated abusive traffic
  • Reduced security-alert noise so suspicious activity is easier to spot
Infrastructure3 items
  • Consolidated shared edge-security configuration and supporting log collection
  • Expanded alert coverage for elevated errors and unusual traffic patterns
  • Improved alert routing so recurring notifications stay actionable without overwhelming operators
2.6.0March 17, 2026

Centralized Log Aggregation (Loki + Grafana)

9 changes
Feature4 items
  • Centralized log aggregation with Grafana Loki and Grafana across all three environments (local, develop, production)
  • All Docker services ship logs via Loki Docker logging driver with per-environment labels and automatic retry
  • Grafana auto-provisioned with Loki datasource — live log tailing via WebSocket
  • Nginx reverse proxy configs for Grafana with WebSocket support for live log streaming
Security3 items
  • Docker socket no longer mounted in any container — replaced custom log viewer with Grafana
  • Grafana hardened in prod/develop: cookie_secure, disable_gravatar, hide_version, Content Security Policy, disabled analytics/update-checks/snapshots
  • Loki containers run read-only with tmpfs writable paths and resource limits (prod/develop)
Infrastructure2 items
  • Deploy script pre-flight check verifies Loki Docker logging driver plugin is installed
  • Removed custom Docker-socket-based log viewer (backend handler, frontend pages, API routes, sidebar entry)
2.5.1March 15, 2026

Infrastructure Hardening

3 changes
Infrastructure3 items
  • Gzip compression enabled on all 4 nginx configs — JSON for API proxies, full MIME set for frontend, with gzip_proxied any
  • Docker images pinned to specific patch versions for build reproducibility
  • Local compose next-app now runs as non-root user via init container + named volumes
2.5.0March 15, 2026

TEDB Admin Panel — Live Rate Sync

7 changes
Feature3 items
  • Admin TEDB sync dashboard with status cards, diff preview, one-click apply, and sync history
  • 4 new backend endpoints: status, preview, apply, sync-log — behind internal admin authentication
  • Collapsible diff sections show added, changed, and removed rates with country flags and percentage formatting
Fix4 items
  • Fixed TEDB SOAP XML namespace qualification — child elements now inherit via default namespace (resolves TEDB-ERR-2 XSD validation error)
  • Fixed unique constraint violation when applying changed rates — new rows use current timestamp as valid_from
  • Fixed pgx v5 date scan error on sync log — PostgreSQL date column now scanned into time.Time
  • Fixed admin API routes blocked by proxy CSP headers — added proper routing exception for admin API paths
2.4.0March 14, 2026

TEDB Phase 3 — Automated SOAP Rate Sync

7 changes
Feature5 items
  • New tedb_sync CLI tool: fetches live VAT rates from the EU TEDB SOAP API and applies changes to the database with dry-run mode by default
  • SOAP client with retry/backoff, 10 MB response limit, and context cancellation support
  • Diff engine detects added, changed, removed, and unchanged rates by (country, tax_class_id)
  • Transactional writer: closes old rate rows, inserts new ones, and invalidates Redis cache — all in a single Postgres transaction
  • Sync audit log table (tedb_sync_log) tracks every sync run with status, counters, and timestamps
Improvement2 items
  • Replaced custom string helpers with Go stdlib: strings.Replace, sort.Strings, time.DateOnly
  • 25 unit tests covering SOAP types, client retry/fault handling, rate mapping, and diff logic
2.3.0March 11, 2026

Dashboard & Documentation UX Improvements

6 changes
Feature3 items
  • API keys inventory now uses a Data Table (TanStack React Table) with text search, status filter, and environment filter
  • Dynamic CurlBlock component for API docs — replaces hardcoded URLs with NEXT_PUBLIC_API_URL or runtime origin across all 7 documentation pages
  • API documentation portal with fumadocs MDX, DynamicCodeBlock syntax highlighting, and runtime-resolved API base URLs
Fix1 item
  • CSP inline script violation on docs pages — nonce now passed from middleware through docs layout to RootProvider/next-themes
Improvement2 items
  • Extracted shared API key types to lib/api-keys/types.ts — eliminated 4× type duplication with proper union types (APIKeyScope, APIKeyStatus, APIKeyEnvironment)
  • Scopes field now typed as APIKeyScope[] instead of string[] across all consumers
2.2.0March 2026

TEDB Phase 2 — Tax Class Catalog & Public API

6 changes
Feature4 items
  • Interactive tax class catalog on /docs — browse 37 curated EU tax classes with real-time search, group filtering, and per-country VAT rate preview
  • Public API endpoints: GET /v1/tax-classes and GET /v1/tax-classes/:id — no API key required, IP rate-limited
  • Tax class grouping: classes organized into groups (e.g., Books & Publications, Food & Beverages) with tags for faceted filtering
  • DB migration: added group_slug, group_name, tags columns with backfill and composite indexes
Infrastructure2 items
  • Docker Turbopack fix: moved pnpm store to /tmp and .next to anonymous volume to stay under Linux inotify watch limit
  • pnpm v10 compatibility: added onlyBuiltDependencies for esbuild, sharp, bcrypt native binaries
2.1.0March 7, 2026

Usage Tracking & Rotation UX Improvements

6 changes
Fix3 items
  • Usage graphs now correctly track API requests — fixed missing usage aggregation in backend pipeline
  • After key rotation, the new secret modal stays open until you confirm the key has been stored — no premature redirect
  • Viewing a rotated key now shows a banner directing you to the active replacement key
Improvement3 items
  • Usage charts auto-refresh every 10 seconds and on tab focus
  • Empty-state messages shown when no usage data exists for a key
  • Rotated keys enforce a strict 48-hour grace window — requests after expiry are rejected
2.0.0March 6, 2026

API Key Management — Phase 1 & Phase 2 Complete

12 changes
Feature6 items
  • Self-service API key lifecycle: generate, rotate (24–48h grace period), and revoke keys from the dashboard
  • Two-tier key hashing — fast verification path plus adaptive hashing for breach-resistant storage
  • Per-key sliding window rate limiting with Redis sorted sets and automatic in-memory fallback
  • Batch audit logger (10 events / 10s flush) with OWASP Application Logging Vocabulary
  • Usage dashboard with daily request graphs, hourly breakdown, and quota bar
  • Key detail view with full metadata, scope badges, and audit log timeline
Security6 items
  • API key pepper required in production (≥32 bytes via environment variable)
  • Scope enforcement per route — 403 Forbidden on insufficient permissions
  • Key generation rate limiting and per-user key cap enforced
  • One-time plaintext key display with mandatory copy confirmation before dialog close
  • CSRF-protected API routes with server-side validation and metadata-only responses
  • Phase 2 frontend audit: 5 findings fixed (2 HIGH, 3 MEDIUM), 12 security controls verified
1.5.11March 1, 2026

Third-Pass Audit Fixes

7 changes
Security6 items
  • Server listen failure now terminates process instead of hanging silently (BE-S13N)
  • GetRate endpoint no longer leaks internal error format (BE-S12N)
  • Currency input validated as 3 uppercase ASCII letters — blocks non-alphabetic codes (BE-S14N)
  • Production Postgres container has no-new-privileges security option (INFRA-0010)
  • All local Docker ports bound to 127.0.0.1 — prevents LAN exposure (INFRA-0003/04)
  • Database backup files created with chmod 600 — no longer world-readable (INFRA-0021)
Improvement1 item
  • Cache provider logs marshal errors and evicts corrupted Redis entries immediately (BE-BP17N/18N)
1.5.10February 28, 2026

Deferred Findings Resolution

3 changes
Security2 items
  • Docker Compose secrets migration — database and cache credentials moved to secure runtime storage (M-05)
  • Branch protection automation for main and develop branches via GitHub CLI (M-03)
Improvement1 item
  • Fixed rate-limit docs drift — corrected documented value to match actual default (L-03)