Alpha testing: all current functionality is free while VAT Engine is in active development

Product updates

Changelog

Track product releases, security hardening, compliance reporting work, and infrastructure changes across VAT Engine.

Archive page 13 of 14.

Latest release
3.6.112
Production Frontend Now Redirects www To The Canonical Apex Host
Releases tracked
162
Since January 2026
Logged changes
755
Across all categories
SecurityFeatureImprovementFixInfrastructure

Showing releases 145-156 of 162

1.5.9February 28, 2026

Full Project Re-Audit Fixes

6 changes
Security3 items
  • CSRF tokens now session-bound — HMAC includes session JWT fingerprint (OWASP Signed Double-Submit Cookie)
  • CI pipeline blocks on high/critical npm audit findings (was advisory-only)
  • Production PostgreSQL TLS upgraded to sslmode=verify-full (CA cert verification)
Infrastructure2 items
  • Added turbopack.root config to resolve multiple lockfile detection warning
  • Added TruffleHog secret scanning and Anchore SBOM generation to CI pipeline
Improvement1 item
  • CSRF documentation updated across all files to accurately describe session-bound HMAC model
1.5.8February 28, 2026

Frontend Pass 3 Audit Fixes

6 changes
Security5 items
  • Fixed confirmRecovery CSRF regression — was missing await, had inverted logic, and wrong return type
  • Added duplicate email detection in account updates with user-friendly error message
  • JWT tokens now include issuer and audience claims, enforced on both signing and verification
  • Added CSRF validation to resendVerificationEmail server action
  • Added explicit CSRF validation to signOut server action
Improvement1 item
  • Created shared SWR fetcher module with response status validation — replaced 4 inline definitions
1.5.7February 28, 2026

Re-Audit Security Hardening

14 changes
Security8 items
  • Fixed critical 2FA login flow — CSRF token now properly included in two-factor authentication
  • Added CSRF validation to all TOTP management actions (setup, confirm, disable, regenerate backup codes)
  • Added CSRF validation to account recovery form submissions
  • Proxy header validated against known-safe headers allowlist at startup
  • Production startup now rejects unencrypted PostgreSQL connections (sslmode=disable)
  • Rate limit configuration validated at startup (must be positive values)
  • IP normalization for metrics allowlist handles IPv4-mapped IPv6 addresses
  • Email templates now use HTML-escaped URL interpolation for XSS prevention
Improvement5 items
  • Graceful shutdown drain period now configurable via environment variable
  • Aligned frontend password validation regex with backend requirements
  • SWR data fetcher now validates response status before parsing
  • TOTP Redis initialization uses modern dynamic import instead of CommonJS require
  • Health endpoint uses centralized environment detection helper
Infrastructure1 item
  • Database backup directory added to version control ignore list
1.5.6February 28, 2026

Security Hardening Follow-Up

8 changes
Security3 items
  • CSRF tokens now include HMAC server-side signature — prevents token forgery across sessions
  • Added rate limiting to CSRF and user API endpoints
  • Shared IP extraction utility consolidated to eliminate code duplication
Infrastructure3 items
  • Added CI/CD pipeline: automated linting, testing, build validation, and vulnerability scanning on every push
  • Development environment variables synced with production security requirements
  • Environment templates updated with backend security configuration section
Improvement2 items
  • API error responses now return specific error codes for missing vs. invalid authentication
  • PostgreSQL SSL upgrade path documented for production environments
1.5.5February 27, 2026

Cross-Audit Security Hardening

19 changes
Security7 items
  • Resolved 22 consensus findings from three independent security audits (audit score: 9.5/10)
  • Fixed critical environment detection inconsistency that could enable debug logging in production
  • Production startup now fails immediately if API key, CORS origins, or metrics auth are not configured
  • Added Helmet middleware for automatic HTTP security headers on all API responses
  • Fixed Redis rate limiter configuration to prevent credential exposure in connection strings
  • Added CSRF validation to two-factor authentication verification
  • All Nginx reverse proxy configs hardened: server tokens hidden, body size limits, HSTS preload, proxy timeouts
Improvement8 items
  • Added error boundaries for graceful error recovery (prevents white screen crashes)
  • Enabled Partial Prerendering with React component caching for faster page loads
  • Activity page refactored with Suspense for streaming data loading
  • Deployment script now creates database backup before running migrations
  • OpenAPI specification updated with security schemes and comprehensive error responses (401/429/500)
  • Improved error handling patterns across migration and import tools
  • All backend logging now uses structured logger (no unstructured output)
  • Moved development-only dependencies out of production bundle
Fix4 items
  • Fixed deferred file operations in data import tool to properly check for write errors
  • Fixed goroutine safety issue in logging timestamp configuration
  • Removed redundant environment variable loading (handled natively by framework)
  • Updated stale code comments referencing deprecated middleware pattern
1.5.4February 24, 2026

Frontend Code Audit & Hardening

19 changes
Security7 items
  • Resolved all 3 HIGH severity findings from dedicated frontend audit
  • Added server-only guards to 8 sensitive modules (prevents client-side import of secrets)
  • Stripe checkout now validates price ID format, requires authentication, and checks CSRF token
  • CSP upgraded with nonce-based strict-dynamic and upgrade-insecure-requests directives
  • Email addresses masked in all server-side logs to prevent PII exposure
  • IP addresses removed from user-facing activity log display
  • All error logging sanitized to prevent stack trace leaks in production
Improvement8 items
  • Cookie consent versioning: users automatically re-prompted when privacy policy updates
  • Rate limiting added to email verification endpoint
  • Dedicated rate limiter for resend-verification emails
  • Database connection pool configured with proper limits and timeouts
  • Analytics script loads conditionally based on cookie consent preferences
  • Password validation error messages corrected to match actual requirements
  • Stripe client initialization validates environment variables at startup
  • SMTP configuration documented in environment template
Fix4 items
  • Fixed rate limiter cleanup timer blocking Node.js graceful shutdown
  • Added loading spinner fallback to email verification page
  • Removed duplicate redirect logic in user menu component
  • Cleaned up unused imports and state declarations
1.5.3February 24, 2026

Backend Code Audit & Hardening

19 changes
Security5 items
  • Resolved all 4 HIGH severity findings from dedicated backend audit
  • VAT calculate endpoint now returns proper HTTP status codes (400/404/409) instead of generic 500
  • Country code validation enforced (ISO alpha-2 format)
  • Currency and tax class identifiers validated for length and format
  • Negative gross amounts rejected at domain level
Improvement7 items
  • Rate limiter upgraded to distributed Redis-backed storage
  • CORS origins default changed from wildcard to explicit configuration
  • Metrics authentication configuration centralized into config struct
  • Error comparison uses errors.Is() for proper wrapped error handling
  • Sign-safe rounding in VAT calculation (correct for all input values)
  • Overflow protection added to monetary arithmetic operations
  • Rate limiter returns Retry-After header on throttled responses
Fix7 items
  • Removed unnecessary synchronization from immutable rate provider
  • Removed unused floating-point multiplication method from Money type
  • Cleaned up control flow in cached rate provider (removed goto)
  • Fixed potential panic in TEDB import on empty rate set
  • Deduplicated EU country list constant in import tool
  • Deduplicated domain error sentinel across packages
  • Documented provisioned but unused database tables with roadmap notes
1.5.2February 24, 2026

Full-Stack Security Audit & Remediation

37 changes
Security25 items
  • Resolved all 11 HIGH severity findings from comprehensive security audit (score: 9.2/10)
  • Resolved all 15 MEDIUM severity findings
  • Resolved all 14 LOW severity findings (12 fixed, 2 accepted with rationale)
  • Backend: CORS middleware with configurable allowed origins
  • Backend: HTTP timeouts (read/write/idle) — Slowloris protection
  • Backend: API rate limiting middleware (configurable max requests/window)
  • Backend: API key authentication with constant-time comparison
  • Backend: Custom ErrorHandler — no internal error leaks to clients
  • Backend: Timing-safe metrics auth (removed length pre-check)
  • Backend: Proxy header configuration for IP spoofing prevention
  • Backend: Health endpoint hides internal details in production
  • Backend: Graceful shutdown with configurable drain period
  • Backend: Panic recovery with structured logging
  • Frontend: CSRF validation added to updateAccount, updatePassword, deleteAccount
  • Frontend: Session-bound CSRF tokens via HMAC binding
  • Frontend: TOTP verification rate limiting
  • Frontend: TOTP replay protection (prevents code reuse within time window)
  • Frontend: Password required for email change
  • Frontend: Session renewal only when <50% lifetime remaining
  • Frontend: Broadened password regex to accept any special character
  • Frontend: Signup session blocked for unverified users
  • Frontend: Hardened IP address extraction with format validation
  • Frontend: Server-readable cookie consent for GDPR compliance
  • Frontend: Rate limit status check no longer consumes a token
  • Frontend: Strict type safety for authentication state objects
Improvement6 items
  • Backend: Cache key sanitization against injection attacks
  • Backend: Proper error status codes (400 vs 500 differentiation)
  • Backend: errors.Is() for wrapped error handling
  • Backend: Redis connection pool tuning (PoolSize, MinIdleConns, MaxActiveConns)
  • Backend: PostgreSQL pool configuration (MaxConns, MinConns, lifetime, idle time)
  • Backend: Fail-fast on invalid rate provider mode
Infrastructure6 items
  • Database: Added foreign key constraint for VAT rate tax class references
  • Database: Standardized all timestamps to use timezone-aware format
  • Database: Added missing indexes for activity logs and soft-deleted users
  • Database: Removed redundant index to reduce write overhead
  • Database: Auto-update trigger for user record timestamps
  • Database: Added descriptive comments to all tables
1.5.1February 22-23, 2026

Code Review & Security Hardening

17 changes
Security6 items
  • Timing attack mitigation: Added ensureMinDuration to all confirmRecovery auth paths
  • Email verification gate: Recovery flow now verifies email BEFORE persisting TOTP secrets
  • Rate limiting fail-safe: Changed Redis failure from fail-open to in-memory fallback
  • Password DOM security: Removed defaultValue from password inputs to prevent value exposure
  • Data integrity: Added .notNull() constraint to activityLogs.userId foreign key
  • Timing-safe comparison used across all authentication endpoints
Feature4 items
  • Idle timeout improvements: Time-based countdown with 500ms tick accuracy
  • Double-firing protection: hasTimedOut ref prevents duplicate logout triggers
  • Auto-logout enforcement: Countdown reaching 0 now reliably triggers session termination
  • Configurable timeout: Added enabled prop to conditionally enforce idle detection
Fix3 items
  • Currency handling: Fixed hardcoded scale=2 bug affecting 0-decimal (JPY/KRW) and 3-decimal (KWD/BHD/OMR) currencies
  • Removed dead code: Unused redirectTo variable, unused fetcher imports, commented code blocks
  • Callback ordering: Fixed handleTimeout used before declaration error
Infrastructure4 items
  • Constants consolidation: Centralized PASSWORD_REGEX to lib/auth/constants.ts
  • Timeout constants: Exported IDLE_TIMEOUT_MS and WARNING_BEFORE_MS from hook
  • Code organization: Removed duplicate constants across multiple files
  • Backend currency support: Added GetCurrencyScale() for ISO 4217 compliance
1.5.0February 17, 2026

OTP Verification & Session Security Improvements

15 changes
Security7 items
  • Two-Factor Authentication (TOTP) with authenticator app support and provisioning codes
  • TOTP secrets encrypted at rest using secure encryption
  • Backup codes (one-time use) generated on TOTP enable
  • Sign-in requires authenticator code or backup code when TOTP enabled
  • Account recovery flow: backup code → new QR → new authenticator → new backup codes
  • Session Revocation: all existing sessions revoked on password reset/change
  • Email tokens now stored as SHA-256 hashes for additional security
Feature4 items
  • TOTP enable/confirm/disable/recovery flows in security dashboard
  • Authenticator code entry and validation
  • QR code provisioning for popular authenticator apps
  • Backup codes display and download on first enable
Infrastructure4 items
  • Database schema updated for storing TOTP data securely
  • Environment configuration updated for encryption keys
  • Service infrastructure updated to handle encrypted credentials
  • Two-factor authentication UI components implemented
1.4.1February 16, 2026

Email Verification & Password Recovery Enhancements

21 changes
Security6 items
  • Email Verification: time-limited single-use tokens, sign-in blocked until verified
  • Password Recovery: time-limited single-use tokens with per-email request caps
  • Password reset immediately revokes all existing user sessions
  • Session tracking prevents unauthorized access after password changes
  • Generic success messages on forgot-password to prevent account enumeration
  • Rate limiting added to email verification resend endpoint
Feature5 items
  • Forgot Password page with form and honeypot field
  • Reset Password page with token validation and new password form
  • Verify Email page for email confirmation flow
  • Email change confirmation with reverification
  • Activity logging for email verification and password reset events
Infrastructure6 items
  • Database schema updated with verification token storage
  • Email verification fields added to user accounts
  • Token generation and validation system implemented
  • Email sending service integrated
  • Email credentials added to environment configuration
  • Service infrastructure updated to handle email delivery
Improvement4 items
  • Consistent response timing for password reset flows
  • Email verification non-blocking (signup succeeds even if email fails to send)
  • Resend verification email available for logged-in users
  • Password requirements enforced: 8-100 characters with uppercase, lowercase, number, special character
1.4.0February 15, 2026

Session Idle Timeout & CSRF Token Rotation

16 changes
Security6 items
  • Session Idle Timeout: Auto-logout after period of inactivity
  • 1-minute warning dialog before session expires with "Stay Logged In" option
  • Activity detection: monitors mouse, keyboard, touch, scroll, click events
  • Cross-device session synchronization for activity tracking
  • Token rotation for session security
  • CSRF tokens stored securely in cookies
Feature4 items
  • Idle Timeout Warning dialog with accessibility features
  • Session timeout detection and handling
  • Cross-device session synchronization
  • Automatic redirect to sign-in after timeout
Infrastructure3 items
  • Session monitoring system for detecting user inactivity
  • Timeout detection logic with cross-tab synchronization
  • Session version tracking integrated into authentication tokens
Improvement3 items
  • Session security with version-based token validation
  • Password hashing with industry-standard security parameters
  • Security headers enhanced for browser protection