Alpha testing: all current functionality is free while VAT Engine is in active development

Product updates

Changelog

Track product releases, security hardening, compliance reporting work, and infrastructure changes across VAT Engine.

Archive page 6 of 14.

Latest release
3.6.112
Production Frontend Now Redirects www To The Canonical Apex Host
Releases tracked
162
Since January 2026
Logged changes
755
Across all categories
SecurityFeatureImprovementFixInfrastructure

Showing releases 61-72 of 162

3.6.52June 17, 2026

Legacy Commerce Import Source-ID Bridging

2 changes
Fix1 item
  • Older unlinked committed-order imports that still carried a domain-derived fallback source ID are now bridged onto the newer integration-derived fallback, so later imports for the same storefront do not split source-scoped reporting into two raw buckets
Infrastructure1 item
  • Deployment migrations now normalize already stored importer rows, and the importer also self-heals legacy source IDs in case a partial environment missed the one-time backfill
3.6.51June 17, 2026

Shopify Privacy Duplicate Finalization Safety

2 changes
Fix1 item
  • Duplicate Shopify privacy payload handling no longer depends on a failed database insert, so a late duplicate cannot leave the open transaction aborted before the duplicate webhook event is finalized and marked processed
Improvement1 item
  • The database-backed commerce integration test schema now creates the same privacy-request unique indexes used in production, so duplicate-workflow regressions exercise real uniqueness behavior
3.6.50June 17, 2026

OSS Quarter Date-Range Guard

2 changes
Fix1 item
  • Quarter-driven OSS and IOSS dashboard surfaces now reject the unsupported extreme quarter that could generate an invalid statutory due date, preventing Filing Prep from crashing on a crafted far-future link
Improvement1 item
  • The Filing Prep page now formats backend date-only values through a safer parser instead of relying on browser date-string parsing for every rendered deadline
3.6.49June 17, 2026

Frontend Readiness Dependency Checks

2 changes
Fix1 item
  • The public frontend readiness check no longer reports healthy unconditionally and now waits for key dependencies before declaring the app ready
Infrastructure1 item
  • Deployment probes now rely on the stronger readiness signal instead of treating a merely running frontend process as healthy
3.6.48June 17, 2026

Grafana Alert Email Context

2 changes
Infrastructure1 item
  • Grafana alert emails now identify the target environment more clearly and include direct app and Grafana links, so operators can tell at a glance whether a notification came from local, develop, or production
Improvement1 item
  • Alert messages now explain what happened and, where relevant, include a direct next-step link instead of relying on Grafana’s generic default email layout
3.6.47June 17, 2026

In-Memory VAT Validity Window Cloning

1 change
Fix1 item
  • The in-memory VAT rate provider now deep-copies optional `ValidTo` timestamps both when seed rates are loaded and when a matched rate is returned, so internal callers cannot mutate future validity decisions through shared `*time.Time` pointers
3.6.46June 16, 2026

Migration Rollback Safety Guard

2 changes
Infrastructure1 item
  • The backend migration CLI no longer treats `down` as a full schema reset, so a routine rollback command now reverts only one migration by default instead of silently unwinding the entire backend migration history
Fix1 item
  • Operators can still roll back multiple backend migrations with an explicit step count, while a full destructive reset now requires a separate `down-all --confirm-full-rollback` confirmation command and the maintained deployment docs now point production rollback toward bounded steps or backup restore
3.6.45June 16, 2026

Frontend Build-Key Rotation Hardening

2 changes
Security1 item
  • Frontend secure build-key rotation now forces an explicit fresh build step, so key changes cannot silently reuse cached output
Fix1 item
  • Deployment guidance across local, develop, and production now requires an explicit rebuild marker whenever the frontend action key changes
3.6.44June 16, 2026

Login Failure Throttle DoS Hardening

2 changes
Security1 item
  • Sign-in stopped using the shared per-account failure bucket as a hard pre-password blocker, so a correct password no longer has to sit behind a shared email-only lock by default
Fix1 item
  • The login-throttle model kept the source-aware pre-check and moved the shared failure counter behind real misses, which later June hardening then rebalanced with stronger account-level slowing and extra source protection
3.6.43June 16, 2026

Shopify Privacy Shop-Identity Binding

2 changes
Security1 item
  • The public Shopify privacy endpoint now binds the documented `shop_id` lookup to the same verified shop domain from `X-Shopify-Shop-Domain` and the payload `shop_domain`, so a cross-tenant shop-ID collision cannot preempt the correct receiver or force an avoidable conflict
Fix1 item
  • Legacy installs that do not yet have a stored Shopify `shop_id` still fall back to the canonical shop-domain lookup, preserving reconnect and rollout compatibility while tightening cross-tenant privacy routing
3.6.42June 16, 2026

Shopify Privacy Topic Binding Hardening

2 changes
Security1 item
  • The public Shopify privacy endpoint now requires the payload to match the exact compliance topic after HMAC verification, so replaying a valid signed body under a different unsigned `X-Shopify-Topic` can no longer reclassify a request into `customers/redact` or `shop/redact`
Fix1 item
  • Duplicate privacy payloads are now detected before privacy side effects run, preventing replayed `shop/redact` bodies from reaching merchant-token cleanup twice just by changing unsigned delivery headers
3.6.41June 16, 2026

Backfill Script DB-Credential Hardening

2 changes
Security1 item
  • The batched PostgreSQL maintenance scripts for webhook raw-payload expiry and privacy-request identifier retention no longer accept `DATABASE_URL` on the command line or pass connection URIs through `psql` argv
Infrastructure1 item
  • Operator guidance now uses standard libpq connection settings such as `PGHOST`, `PGPORT`, `PGDATABASE`, `PGUSER`, and `PGPASSFILE`, or `PGSERVICE` / `PGSERVICEFILE`, and the deploy checklist now also calls out the raw-payload backfill step for migration `000035`