Alpha testing: all current functionality is free while VAT Engine is in active development

Product updates

Changelog

Track product releases, security hardening, compliance reporting work, and infrastructure changes across VAT Engine.

Archive page 7 of 14.

Latest release
3.6.112
Production Frontend Now Redirects www To The Canonical Apex Host
Releases tracked
162
Since January 2026
Logged changes
755
Across all categories
SecurityFeatureImprovementFixInfrastructure

Showing releases 73-84 of 162

3.6.40June 16, 2026

Committed Import Locked-Period Guard

2 changes
Security1 item
  • Canonical committed-order imports now coordinate with locked-return creation under the same per-user PostgreSQL advisory lock and reject new supply-event writes whose `supply_date` falls inside a relevant locked or filed VAT return period
Fix1 item
  • Exact duplicate replays still resolve to the previously stored supply event even after the target period is locked, preserving idempotent connector retry behavior while blocking new period-mutating imports
3.6.39June 16, 2026

Auth Form POST Fallback Hardening

2 changes
Security1 item
  • Client-managed dashboard 2FA disable/regenerate forms and public login, signup, forgot-password, and reset-password forms now force POST semantics, so browser fallback can no longer leak passwords, TOTP codes, or recovery emails through same-origin GET query strings
Fix1 item
  • Added a regression check that the affected client-managed auth forms keep explicit POST submission behavior while retaining their existing React and Server Action flows
3.6.38June 16, 2026

Source Alias Backfill Scope Tightening

2 changes
Security1 item
  • Source-profile alias changes no longer trigger a full-tenant historical transaction rewrite, reducing the database work an authenticated source-management update can force on shared Postgres
Fix1 item
  • Historical `source_profile_id` backfill now touches only the changed source key and alias values, and repeated alias-only updates that keep the same alias set no longer rerun a no-op backfill
3.6.37June 16, 2026

Threshold Alert SMTP TLS Enforcement

2 changes
Security1 item
  • Threshold alert emails now fail closed on non-465 SMTP unless the relay successfully upgrades with STARTTLS, so verified-recipient compliance notifications are no longer sent over opportunistic plaintext transport by default
Fix1 item
  • A new `SMTP_ALLOW_INSECURE_PLAINTEXT` escape hatch now exists only for trusted unauthenticated local relays, and the threshold monitor rejects that mode when SMTP credentials are configured
3.6.36June 16, 2026

OSS / IOSS Summary Overflow Guard

2 changes
Security1 item
  • Union OSS quarterly and IOSS monthly reporting now reject out-of-range grouped currency totals instead of letting signed `int64` bucket arithmetic wrap into corrupted filing amounts
Fix1 item
  • Union OSS summary endpoints now return an explicit `summary_amount_overflow` conflict, and filing-prep / multi-jurisdiction IOSS monthly previews expose the same condition as a blocked month state instead of failing as a generic server error
3.6.35June 16, 2026

Source Catalog Stored-Cap Guard

2 changes
Security1 item
  • Archived source profiles can no longer be used to grow the source catalog without limit, so source-management and reporting views stay bounded even when teams keep historical channel definitions
Fix1 item
  • The Sources dashboard now shows both active-profile and stored-catalog capacity so it is clearer why a new source can or cannot be registered
3.6.34June 16, 2026

Frontend Build Secret Hardening

3 changes
Security2 items
  • Frontend build-time secret handling was tightened so the action key no longer travels through ordinary build configuration or routine runtime environment exposure
  • The deployed frontend no longer receives that action key as a separate normal runtime setting
Fix1 item
  • Deployment guidance now explains that the secure frontend action key must be available during builds even though it is not exposed separately at runtime
3.6.33June 16, 2026

API Key Grace-Window Capacity Guard

2 changes
Security1 item
  • API key creation and rotation now treat grace-window rotated keys as still consuming key capacity, preventing temporary overlap credentials from being used to grow usable key inventory beyond the account limit
Fix1 item
  • The dashboard now shows usable-key capacity separately from active key inventory so it is clear when a recent rotation is why another key cannot be created yet
3.6.32June 15, 2026

Docs Search Recovery

2 changes
Fix2 items
  • Documentation search now returns live matching results again instead of failing when you start typing in the docs search field
  • The public fallback error screen now uses the VAT Engine logo so branded recovery states stay consistent with the site header
3.6.31June 15, 2026

Reverse-Proxy Trust Tightening

2 changes
Security1 item
  • Client IP and HTTPS information are now accepted only from explicitly trusted reverse-proxy hops, reducing spoofing risk in request-based protections
Fix1 item
  • Deployment guidance now uses explicit proxy-hop configuration instead of overly broad trust ranges
3.6.30June 15, 2026

Host-Ban Allowlist Cleanup

2 changes
Security1 item
  • The shared host-ban defaults no longer ship with a permanent public bypass, closing an accidental gap in the default abuse-protection policy
Fix1 item
  • Operational guidance now keeps any permanent admin allowlist as a host-local override instead of a repository default
3.6.29June 15, 2026

Default TLS Policy Restore

2 changes
Security1 item
  • The default HTTPS fallback path now applies the same hardened TLS policy as the rest of the edge, preventing weaker behavior before host routing occurs
Fix1 item
  • Deployment notes now clarify which catch-all host is responsible for the shared TLS baseline