Alpha testing: all current functionality is free while VAT Engine is in active development

Product updates

Changelog

Track product releases, security hardening, compliance reporting work, and infrastructure changes across VAT Engine.

Archive page 8 of 14.

Latest release
3.6.112
Production Frontend Now Redirects www To The Canonical Apex Host
Releases tracked
162
Since January 2026
Logged changes
755
Across all categories
SecurityFeatureImprovementFixInfrastructure

Showing releases 85-96 of 162

3.6.28June 15, 2026

Scanner Detection Narrowing

2 changes
Security1 item
  • Automated scanner detection was narrowed so legitimate authenticated API traffic is less likely to be misclassified while suspicious probe patterns remain blocked
Fix1 item
  • Regression coverage now keeps the safer distinction between real scanner signatures and normal application routes
3.6.27June 15, 2026

Frontend Asset Throttle Restore

2 changes
Security1 item
  • Frontend throttling now covers static assets as well as normal page traffic, closing a higher-rate bypass to the app process
Fix1 item
  • Deployment guidance now reflects the restored all-route frontend throttling baseline
3.6.26June 15, 2026

Public API Control-Plane Isolation

2 changes
Security1 item
  • Private control-plane and monitoring surfaces are now isolated from the public API entrypoint, reducing exposure of internal-only capabilities
Fix1 item
  • Deployment notes now clarify that these operational surfaces belong on private ingress only
3.6.25June 15, 2026

Safer Automated Abuse Signals

2 changes
Security1 item
  • Automated host blocking now focuses on clearer abusive traffic signals, reducing accidental bans on normal visitors
Fix1 item
  • Operational notes now reflect the narrower abuse-detection policy
3.6.24June 15, 2026

Browser Telemetry Intake Hardening

3 changes
Security2 items
  • Browser telemetry now keeps a tighter low-cardinality storage footprint, reducing avoidable pressure on observability systems
  • Telemetry intake now applies stronger same-origin validation before it accepts a consented browser report
Fix1 item
  • Unused client-supplied component labels are now ignored by the telemetry intake path
3.6.23June 15, 2026

TEDB Rate Sync Integrity Hardening

3 changes
Security2 items
  • TEDB VAT-rate apply runs now serialize before writing to the shared rate table, so overlapping admin sync attempts cannot leave duplicate active rates behind
  • The database now enforces one active VAT-rate row per country and tax class, which blocks ambiguous public lookup state even if a future write path misbehaves
Fix1 item
  • The admin and CLI apply path now recomputes the diff from the locked live snapshot before commit, so stale apply requests turn into a clean no-op instead of replaying old state transitions
3.6.22June 15, 2026

Stripe Checkout Binding Hardening

3 changes
Security2 items
  • Stripe checkout callbacks now accept only completed subscription sessions that were explicitly bound to the signed-in VAT Engine account, so random or legacy unbound session IDs cannot rewrite local billing state
  • Stripe webhook sync now ignores checkout sessions that are missing a valid user binding or try to attach a Stripe customer that already belongs to another VAT Engine account
Fix1 item
  • The hosted checkout flow now uses one shared validation path for both the browser callback and the webhook sync, keeping Stripe customer and subscription ownership checks consistent
3.6.21June 15, 2026

API Key Quota Fallback Hardening

3 changes
Security2 items
  • API-key request quotas no longer drop away during a configured Redis outage or script failure, because the limiter now keeps enforcing the local fallback window instead of silently allowing extra authenticated traffic
  • API-key generation throttling now follows the same fallback rule, so Redis trouble does not remove the safeguard around repeated key-creation attempts
Fix1 item
  • The distributed limiter now treats a missing Redis setup differently from a broken Redis path, preserving the intended fail-safe behavior without turning normal runtime errors into quota bypasses
3.6.20June 14, 2026

Atomic TOTP Replay Protection

3 changes
Security2 items
  • Accepted authenticator codes are now claimed atomically across app instances, so concurrent sign-in attempts can no longer reuse the same valid TOTP code before another request records it
  • The same replay hardening now protects both the customer sign-in flow and the admin sign-in flow
Fix1 item
  • Two-factor replay tracking now normalizes pasted code formatting more consistently and keeps the same one-time-use behavior even when the app temporarily falls back to local memory instead of Redis
3.6.19June 14, 2026

Idle Timeout Cross-Tab Sync Hardening

3 changes
Security2 items
  • Dashboard idle-timeout cross-tab sync now reuses the originating tab's recorded activity time instead of minting a fresh timestamp in every listening tab, preventing multiple open tabs from keeping a session alive without real user input
  • Tab-visibility rescheduling no longer treats switching back to a dashboard tab as fresh activity by itself, so the idle timeout continues to measure true inactivity more accurately
Fix1 item
  • If another tab proves the session is active, any already-open idle-warning dialog is now dismissed before a fresh countdown starts, avoiding stale sign-out warnings across tabs
3.6.18June 12, 2026

Alpha Preview Banner & Legal Status Refresh

3 changes
Improvement3 items
  • Added a slim alpha-status banner above the public site navigation so visitors can immediately see that current VAT Engine functionality is free during testing
  • Updated the public Terms and Privacy pages to make the alpha / pre-release status explicit and to clarify that features, workflows, and outputs may change while development continues
  • Refreshed shared public metadata so search, manifest, and legal-page descriptions no longer describe the product as production-ready while alpha testing is still in progress
3.6.17June 11, 2026

IndexNow Deployment Wiring Fix

2 changes
Fix2 items
  • Fixed an issue where production IndexNow verification could remain unavailable after deploy because the publishing key was not reaching the frontend runtime
  • Deployment examples now document the production-only runtime variables needed for the hosted IndexNow key file and protected submission route