Alpha testing: all current functionality is free while VAT Engine is in active development

Product updates

Changelog

Track product releases, security hardening, compliance reporting work, and infrastructure changes across VAT Engine.

Archive page 9 of 14.

Latest release
3.6.112
Production Frontend Now Redirects www To The Canonical Apex Host
Releases tracked
162
Since January 2026
Logged changes
755
Across all categories
SecurityFeatureImprovementFixInfrastructure

Showing releases 97-108 of 162

3.6.16June 11, 2026

Homepage Account Menu & Cookie Banner Cleanup

4 changes
Improvement2 items
  • The homepage account trigger now keeps the same compact dropdown behavior as the customer area while staying lighter on first load for public visitors
  • Cookie controls now load after the main page content is on screen, reducing avoidable work during the initial homepage render on slower devices
Fix2 items
  • The homepage no longer falls back to the wrong standalone sign-in control when the shared account menu should be shown instead
  • Cookie-policy links now use clearer wording for search engines and assistive technology, and the public header status badge uses stronger contrast
3.6.15June 7, 2026

Search Indexing & Shopify Availability Controls

8 changes
Feature2 items
  • Added optional IndexNow publishing support with a hosted verification key file and an authenticated internal submission route that accepts only canonical public URLs
  • Shopify public app surfaces can now be gated behind SHOPIFY_INTEGRATION_ENABLED so install and setup entry points stay closed until the integration is intentionally enabled
Improvement3 items
  • Public SEO metadata now uses tighter page descriptions, clearer Google and Bing crawler directives, and safer JSON-LD output across the homepage, docs, and public legal pages
  • Homepage and integration copy were refreshed so public search snippets and landing-page messaging reflect the current product surface more accurately
  • Documentation, roadmap, changelog, and public legal pages now expose breadcrumb trails and page-specific structured data that matches visible content more closely
Security3 items
  • Integration request handling now enforces guarded streaming body limits and safer form parsing before larger Shopify-related payloads reach deeper processing
  • The internal IndexNow submission route now rejects oversized JSON bodies and overlong submitted URL strings before they reach deeper validation or upstream search-engine submission
  • Authenticated IndexNow submission responses now trim unexpected upstream response bodies before echoing them back to internal automation callers
3.6.14June 6, 2026

Shopify Validation & Import Guardrails

6 changes
Feature2 items
  • Shopify install handling now canonicalizes shop domains, requires a configured app secret when the integration is enabled, and keeps active installs globally unique in public app mode
  • Alias and product tax mapping changes now emit dedicated commerce audit events, while committed-order imports support richer source ID handling and four-decimal currency validation
Security2 items
  • Webhook deliveries now require verified HMAC signatures, JSON payload content types, and validated webhook_secret handling instead of merchant-specific secret overrides
  • Shop redact and disconnect or uninstall cleanup now fully revoke stored installation credentials while Shopify webhook verification stays on central app configuration
Improvement2 items
  • Zero-consideration sale imports now require explicit evidence and classification reasons so free or promotional flows cannot silently enter the filing ledger
  • Connector roadmap wording now distinguishes shipped integration foundation work from production-ready connector coverage more clearly
3.6.13June 5, 2026

Privacy Retention & Deployment-Safe Robots

5 changes
Security2 items
  • Shopify privacy request handling now retains only the minimum identifiers needed for operator fulfilment and can minimize completed redaction records immediately
  • Webhook event storage now suppresses raw payload persistence where it is no longer operationally required, reducing retained merchant data
Infrastructure2 items
  • robots.txt responses now adapt to the deployment environment instead of assuming one fixed public host or indexability state
  • Added stricter environment-flag parsing so experimental features cannot turn on from loose truthy string values
Improvement1 item
  • Privacy workflow documentation now explains overdue requests, retained identifiers, and remaining operator actions more clearly
3.6.12June 4, 2026

Shopify Webhook & Privacy Endpoints

5 changes
Feature2 items
  • Added dedicated Shopify webhook and privacy endpoints as the first public inbound surfaces for storefront integrations
  • Added webhook payload retention windows, backfill support, and a reaper workflow so inbound deliveries can be replayed or purged intentionally
Security2 items
  • Shopify webhook handling is now exempted from the standard IP limiter where appropriate, while same-origin checks protect dashboard-triggered privacy retention changes
  • Manual resync controls are now disabled for integrations that are not importable, reducing invalid operator actions during connector troubleshooting
Improvement1 item
  • Added privacy-handling test coverage around webhook flows and retention-expiration behavior
3.6.11June 3, 2026

Review Queue, Metrics & Integration Health

4 changes
Feature2 items
  • Added an imported-event review queue API and dashboard UI so merchants can inspect and resolve normalized events before they become filing-grade supply rows
  • Added operational metrics, health checks, and audit event tracking for commerce integrations to support safer rollout and troubleshooting
Infrastructure1 item
  • Webhook payload retention and purging logic now records inbound integration traffic without leaving indefinite storage behind
Improvement1 item
  • Source profile IDs now support string values across integration flows, and database URL handling is more flexible for environment-based deployments
3.6.10June 2, 2026

Source Aliases & Product Tax Mapping

5 changes
Feature2 items
  • The Integrations workspace now lets teams keep stable source aliases for shop domains, external store IDs, sales-channel labels, fulfillment locations, and renamed storefronts
  • Product tax mapping rules can now classify product IDs, variant IDs, SKUs, tags, categories, and metafields into VAT treatment and supply-kind defaults before broader automation is switched on
Improvement2 items
  • Alias and catalog-classification rules can be kept account-wide or narrowed to a specific reporting source or storefront connection, making multi-store rollout safer
  • These integration setup rules prepare future sync behavior without rewriting historical filed data or hiding rows that still need review
Security1 item
  • Integration prep records stay isolated per account and validate conflicting live aliases or mapping scopes before they are saved
3.6.9May 20, 2026

Webhook Inbox & Sync Job Controls

4 changes
Feature2 items
  • Storefront integrations can now accept verified webhook deliveries, keep a durable activity trail, and queue follow-up sync work from the dashboard
  • The Integrations workspace now shows recent delivery activity, queued sync jobs, and replay or manual resync controls for connector troubleshooting
Security1 item
  • Webhook signing secrets now follow the same write-only credential handling as other connector secrets, and incoming storefront deliveries are verified before they enter the queue
Improvement1 item
  • Operations teams can inspect recent connector activity in one place instead of guessing whether a delivery arrived, duplicated, or needs a replay
3.6.8May 19, 2026

E-commerce Integration Foundation Storage

8 changes
Feature3 items
  • Added an Integrations dashboard workspace for storefront metadata, source-profile mapping, connection state, and encrypted connector token rotation
  • Added backend storage for commerce integrations, encrypted token records, sync cursors, and import jobs as the first shipped slice of the Phase 8 connector foundation
  • Added a canonical committed-order import workflow so one normalized commerce event at a time can be validated and written into the filing-grade supply ledger from the Integrations page
Security2 items
  • Third-party access and refresh tokens are now stored only as AES-GCM ciphertext and are never revealed back through the dashboard after submission
  • Disconnecting an integration now removes locally stored connector secrets instead of leaving stale credentials at rest
Improvement3 items
  • Account activity now records integration create, update, and disconnect events so storefront connection changes are auditable alongside other dashboard actions
  • Integration records now stay isolated per account, so the same storefront identifiers can be connected in separate workspaces without one merchant blocking another
  • Duplicate committed-order replays now resolve to the same stored supply event, keeping manual connector smoke imports idempotent while the broader webhook and worker foundation is still ahead
3.6.7May 19, 2026

Compliance QA & Accessibility Hardening

6 changes
Improvement3 items
  • The public roadmap now reflects partially shipped OSS/IOSS reporting, notification, and billing work more accurately
  • OSS/IOSS registration actions now show a clearer secure preparation state before form changes are enabled
  • Cookie consent now behaves more predictably for keyboard and screen-reader users on first visit
Security2 items
  • Backup-code recovery now narrows pasted recovery input before checking codes, reducing unnecessary processing while preserving the existing recovery flow
  • API reference coverage now includes scoped-access denial behavior so integrations can distinguish invalid keys from valid keys with insufficient permissions
Infrastructure1 item
  • Added a route timing smoke check for release validation so slow public or authenticated report pages can be caught earlier
3.6.6May 18, 2026

Union OSS Corrections Workflow

4 changes
Feature2 items
  • Union OSS reporting now carries later-period correction rows and per-Member-State payable balances across OSS Quarterly Summary, Country VAT Breakdown, Accountant Format, Filing Prep, Multi-jurisdiction, and export packages
  • The reporting APIs now understand original-supply references for refunds, cancellations, credit notes, and adjustments, so correction-aware payable VAT can be reviewed without mutating locked periods
Improvement2 items
  • Export manifests, public API docs, and OpenAPI now document the correction-aware totals, new warning code for missing original references, and the version 2 accountant export package
  • Dashboard guidance now explains that payable VAT is calculated per Member State of consumption and that a negative balance in one Member State does not offset another state's payable VAT
3.6.5May 18, 2026

Threshold Ledger Clarification

2 changes
Improvement2 items
  • The OSS Overview, compliance API docs, and transaction docs now explain that threshold monitoring uses committed supply events, while POST /v1/vat/calculate writes a separate audit transaction ledger
  • Filing Prep and other OSS/IOSS compliance surfaces now make it explicit that repeated calculator calls do not change threshold exposure unless the sale is also committed into the supply ledger