Product updates

Changelog

Track product releases, security hardening, compliance reporting work, and infrastructure changes across VAT Engine.

Latest release: 3.6.7 (Compliance QA & Accessibility Hardening)
Releases tracked: 57 (since January 2026)
Logged changes: 482 (across all categories)
3.6.7 (May 19, 2026)

Compliance QA & Accessibility Hardening

6 changes
Improvement (3 items)
  • The public roadmap now reflects partially shipped OSS/IOSS reporting, notification, and billing work more accurately
  • OSS/IOSS registration actions now show a clearer secure preparation state before form changes are enabled
  • Cookie consent now behaves more predictably for keyboard and screen-reader users on first visit
Security (2 items)
  • Backup-code recovery now narrows pasted recovery input before checking codes, reducing unnecessary processing while preserving the existing recovery flow
  • API reference coverage now includes scoped-access denial behavior so integrations can distinguish invalid keys from valid keys with insufficient permissions
Infrastructure (1 item)
  • Added a route timing smoke check for release validation so slow public or authenticated report pages can be caught earlier
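The scoped-access denial behaviour the 3.6.7 entry documents (and the legacy-key restriction recorded under 3.1.0 further down this page) comes down to one rule: a key that cannot be identified gets 401, a key that is genuine but not permitted on the route gets 403. The example below is added here to illustrate that rule; it is not VAT Engine's own middleware. The key strings, scope names, route table and the SHA-256 lookup are assumptions constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// apiKey is the stored record for one key. Version 2 keys carry scopes; version 1
// ("legacy") keys predate scopes and are confined to calculation and rate lookup.
type apiKey struct {
	Version int
	Scopes  map[string]bool
	Revoked bool
}

// fingerprint models the fast verification tier: only a hash of the key is stored.
func fingerprint(presented string) string {
	sum := sha256.Sum256([]byte(presented))
	return hex.EncodeToString(sum[:])
}

// Constructed key store. Key strings, scope names and routes are assumptions.
var keyStore = map[string]apiKey{
	fingerprint("vk_live_calc_only"): {Version: 2, Scopes: map[string]bool{"vat:calculate": true}},
	fingerprint("vk_live_reporting"): {Version: 2, Scopes: map[string]bool{"vat:calculate": true, "transactions:read": true}},
	fingerprint("legacy_key_0001"):   {Version: 1},
	fingerprint("vk_live_revoked"):   {Version: 2, Scopes: map[string]bool{"transactions:read": true}, Revoked: true},
}

// routeScopes is the scope each route requires; legacyRoutes lists what a v1 key may call.
var routeScopes = map[string]string{
	"POST /v1/vat/calculate": "vat:calculate",
	"GET /v1/rates":          "vat:calculate",
	"GET /v1/transactions":   "transactions:read",
}

var legacyRoutes = map[string]bool{
	"POST /v1/vat/calculate": true,
	"GET /v1/rates":          true,
}

// Decision is what the middleware turns into an HTTP response: the status plus a
// stable machine-readable code so integrations can branch on it.
type Decision struct {
	Status int
	Code   string
}

// authorize keeps authentication failures (401: absent, unknown or revoked key) apart
// from authorization failures (403: genuine key, but not permitted on this route).
func authorize(presented, route string) Decision {
	if presented == "" {
		return Decision{401, "missing_api_key"}
	}
	k, ok := keyStore[fingerprint(presented)]
	if !ok || k.Revoked {
		// Unknown and revoked keys get the same answer so the response does not
		// confirm that a revoked key ever existed.
		return Decision{401, "invalid_api_key"}
	}
	need, known := routeScopes[route]
	if !known {
		return Decision{404, "unknown_route"}
	}
	if k.Version < 2 {
		if legacyRoutes[route] {
			return Decision{200, "ok"}
		}
		return Decision{403, "legacy_key_not_permitted"}
	}
	if !k.Scopes[need] {
		return Decision{403, "insufficient_scope"}
	}
	return Decision{200, "ok"}
}

func main() {
	for _, c := range [][2]string{
		{"", "GET /v1/transactions"},
		{"vk_not_a_real_key", "GET /v1/transactions"},
		{"vk_live_revoked", "GET /v1/transactions"},
		{"vk_live_calc_only", "GET /v1/transactions"},
		{"vk_live_reporting", "GET /v1/transactions"},
		{"legacy_key_0001", "POST /v1/vat/calculate"},
		{"legacy_key_0001", "GET /v1/transactions"},
	} {
		d := authorize(c[0], c[1])
		fmt.Printf("%-20q %-26s -> %d %s\n", c[0], c[1], d.Status, d.Code)
	}
}
```

A client that receives 401 should stop and rotate or re-check its credential; a client that receives 403 has a working key and should request the missing scope instead of retrying.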
3.6.6 (May 18, 2026)

Union OSS Corrections Workflow

4 changes
Feature (2 items)
  • Union OSS reporting now carries later-period correction rows and per-Member-State payable balances across OSS Quarterly Summary, Country VAT Breakdown, Accountant Format, Filing Prep, Multi-jurisdiction, and export packages
  • The reporting APIs now understand original-supply references for refunds, cancellations, credit notes, and adjustments, so correction-aware payable VAT can be reviewed without mutating locked periods
Improvement (2 items)
  • Export manifests, public API docs, and OpenAPI now document the correction-aware totals, new warning code for missing original references, and the version 2 accountant export package
  • Dashboard guidance now explains that payable VAT is calculated per Member State of consumption and that a negative balance in one Member State does not offset another state's payable VAT
3.6.5 (May 18, 2026)

Threshold Ledger Clarification

2 changes
Improvement (2 items)
  • The OSS Overview, compliance API docs, and transaction docs now explain that threshold monitoring uses committed supply events, while POST /v1/vat/calculate writes a separate audit transaction ledger
  • Filing Prep and other OSS/IOSS compliance surfaces now make it explicit that repeated calculator calls do not change threshold exposure unless the sale is also committed into the supply ledger
3.6.4 (May 18, 2026)

IOSS Monthly Summaries

3 changes
Feature (2 items)
  • Filing Prep and Multi-jurisdiction now show real IOSS month summaries built from committed imported-goods events, with month statuses, totals, included counts, and warning categories instead of placeholder states
  • The reporting APIs now apply the EUR 150 intrinsic-value ceiling, excise exclusion, registration-window checks, and month-end ECB conversion when preparing IOSS month totals
Improvement (1 item)
  • Imported-goods rows excluded from Union OSS are now surfaced with explicit IOSS monthly warnings and counts so merchants can see whether a month is ready, nil, blocked, or still needs review
3.6.3 (May 17, 2026)

OSS Overview Data Source Alignment

3 changes
Fix (2 items)
  • The OSS Overview now reads threshold progress from the committed compliance ledger, so merchants with filing-ready supply data no longer see an empty threshold position just because legacy calculation logs are absent
  • Supporting evidence on the overview now comes from committed classified supply events and explains that the threshold uses a narrower eligible slice than the broader activity totals shown for context
Improvement (1 item)
  • Daily threshold alerts now use the same underlying compliance data source as the dashboard, reducing mismatches between the OSS Overview, in-app alerts, and email notifications
3.6.2 (May 16, 2026)

OSS / IOSS Filing Prep Workspace

3 changes
Feature (2 items)
  • Added a new Filing Prep workspace under Compliance that combines quarter deadlines, registration coverage, Union OSS readiness, and quarter-scoped IOSS monthly review context in one account-level view
  • Added an authenticated filing-prep API that reuses the existing Union OSS preview logic while returning registration-required or missing-rate blockers as explicit readiness states instead of raw preview errors
Improvement (1 item)
  • The new workspace links directly into OSS Quarterly Summary, Accountant Format, Country VAT Breakdown, Multi-jurisdiction, Exports, and OSS / IOSS Registrations so merchants can move through filing review without hunting through the dashboard
3.6.1 (May 13, 2026)

OSS Overview & Registration Guidance

5 changes
Feature (2 items)
  • The OSS Overview now understands Union OSS registration coverage, so exceeded turnover is shown as managed when an active Union OSS registration is already on file
  • The dashboard now gives merchants a direct shortcut into OSS / IOSS Registrations when the threshold is exceeded but no active Union OSS registration covers the account
Improvement (2 items)
  • Unread threshold alerts are surfaced in context on the OSS Overview page and still open through the existing notification bell in the top bar
  • Registration summaries now ignore unresolved overlapping rows when showing active coverage, reducing false confidence from duplicate records
Fix (1 item)
  • Overlapping or duplicate registration rows are easier to clean up: the page highlights conflicts and explains when to use Excluded versus Ended
3.6.0 (May 13, 2026)

Marketing Page Performance & Accessibility

4 changes
Improvement (4 items)
  • Improved color contrast across homepage badges, stat tiles, step markers, and decorative numbers so the public site meets WCAG accessibility expectations on both light and dark sections
  • Reduced first-paint time on the homepage by inlining the critical stylesheet, eliminating an extra round-trip on first visits
  • Tuned client-side bundling for the public marketing pages so unused code from heavier libraries is not shipped to visitors
  • Removed an unused legacy font asset that was no longer needed after the move to a platform-managed font
3.5.9 (May 11, 2026)

Public Site Refresh

3 changes
Improvement (3 items)
  • Refreshed the public site with a more expressive homepage, stronger color palette, and clearer storytelling around VAT calculations, compliance, and launch readiness
  • Redesigned the main navigation and footer so documentation, sign-in paths, and launch actions are easier to find from every public page
  • Updated the Privacy Policy and Terms pages with clearer, more current service language
3.5.8 (May 7, 2026)

OSS / IOSS Multi-jurisdiction Reporting

4 changes
Feature (2 items)
  • Added a Multi-jurisdiction dashboard report that shows Union OSS Member State of consumption exposure, preserved return sections, due dates, and source-event counts for a selected quarter
  • Added an authenticated multi-jurisdiction API that reuses the existing Union OSS filing-prep preview rules and now includes month-scoped IOSS review data alongside the quarterly exposure view
Improvement (2 items)
  • Imported-goods rows detected during the Union OSS quarter preview are now surfaced as IOSS data awaiting the monthly engine instead of being lost inside generic unsupported-supply warnings
  • The new report keeps OSS/IOSS period cadence explicit: Union OSS remains quarterly and IOSS remains monthly with end-of-following-month due dates
3.5.7 (May 7, 2026)

Union OSS Accountant Format

4 changes
Feature (2 items)
  • Added a dedicated Accountant Format dashboard page for Union OSS quarter review, combining manifest assumptions, filing context, summary lines, and country regrouping in one accountant-readable layout
  • Added an authenticated accountant-format API for Union OSS that reuses the existing filing-prep preview logic while emitting export-safe major-unit amounts and percentage VAT rates
Improvement (2 items)
  • The new filing context now shows the statutory due date and only treats a quarter as a nil-return candidate when zero source events were recorded, avoiding silent nil-return assumptions for excluded or review-needed rows
  • The accountant-format view keeps the existing CSV and JSON export package separate while giving accountants a faster on-screen review surface before download or later filing workflows
3.5.6 (May 6, 2026)

Union OSS Reporting Previews

5 changes
Feature (2 items)
  • Added dedicated OSS Quarterly Summary and Country VAT Breakdown dashboard pages for reviewing a Union OSS quarter by return section, Member State of consumption, and return-currency totals
  • Added authenticated preview APIs for the Union OSS quarterly summary and country VAT breakdown, backed by the same filing-grade classification and warning rules
Improvement (3 items)
  • The existing Country Exposure page remains available as analytics, while the new period-driven OSS previews now cover filing-oriented quarter review
  • Expected preview blockers, such as missing Union OSS registration coverage or quarter-end exchange rates, now stay inside the dashboard UI instead of surfacing noisy browser errors
  • Blocked previews no longer keep retrying in the background and now explain the specific prerequisite that must be fixed before the quarter can be reviewed
3.5.5 (May 4, 2026)

Managed Source Catalog Foundation

5 changes
Feature (2 items)
  • Added a dedicated Sources dashboard page for registering stores and channels, reviewing unregistered source tags, and editing source profile metadata without changing historical transaction rows
  • Added authenticated source management APIs so integrations can list, register, update, and review source profiles directly
Improvement (2 items)
  • Transaction Ledger and Exports now use searchable source selectors backed by managed profiles plus unresolved raw tags, and Ledger rows show mapped labels alongside raw source keys
  • Developer docs and OpenAPI now document the Sources API alongside the existing X-Source-ID capture flow on VAT calculations
Security (1 item)
  • Source profile mutations now flow through CSRF-protected, rate-limited dashboard proxy routes, while backend handlers enforce account scoping, validation, and active-profile caps
3.5.4 (May 4, 2026)

Multi-Store Reporting Plan

3 changes
Improvement (2 items)
  • Documented the next multi-store and multi-channel reporting phase: current Source ID tagging stays supported, while managed source profiles, channel labels, marketplace metadata, and searchable source filters are planned next
  • Developer docs now explain how to pass X-Source-ID on VAT calculations and how source_id filters affect transaction list, export, and aggregation endpoints
Security (1 item)
  • Source-profile planning now includes account-level authorization, resource caps, audit logging, and guidance to keep personal data and secrets out of source tags
3.5.3 (April 30, 2026)

Reporting Filter Refinements

6 changes
Improvement (6 items)
  • Transaction Ledger and Exports now use searchable dropdown filters for country, currency, tax class, and API key instead of requiring users to type identifiers manually
  • Ledger filters are preserved when moving to CSV export, keeping export scope aligned with the rows users were reviewing
  • Monthly Trend now uses active-month comparisons and totals so inactive months no longer read like real revenue drops
  • Transaction Ledger request IDs are easier to copy when matching a row to API requests or backend logs
  • Tax Class Mix now uses normalized all-currency totals, catalog labels, compact metrics, ledger drill-down links, accessible share indicators, and a cleaner breakdown table instead of clipped donut labels
  • Source ID remains a bounded text field for integration-defined store or channel tags that do not have a shared catalog yet
3.5.2 (April 29, 2026)

Account & Security Dashboard Refresh

7 changes
Security (3 items)
  • Security Settings now provides clearer protection status, password controls, authenticator setup, and backup-code regeneration from one focused page
  • Backup-code regeneration now has stronger confirmation requirements and is included in the account activity trail
  • Dashboard billing and account forms received additional request validation before sensitive redirects or profile changes
Improvement (4 items)
  • Account Settings now presents profile details, email verification state, account identifier, security status, and subscription status in a cleaner layout
  • API key details now highlight recent error rate and use clearer wording for the latest request IP security signal
  • Activity Log labels are clearer for profile updates, email changes, and two-factor authentication events
  • Dashboard form validation and loading states were refined to reduce stale data flicker after account updates
3.5.1 (April 26, 2026)

Compliance Reporting Hardening

6 changes
Security (1 item)
  • Strengthened request-origin validation for compliance dashboard actions, improving protection when the app is deployed behind proxies or multiple hostnames
Improvement (4 items)
  • Compliance report downloads now handle very large result sets more gracefully, returning a clear truncation marker instead of failing mid-stream
  • Background exchange-rate refreshes now spread themselves out over time, reducing the chance of synchronized refresh spikes across deployments
  • Dashboard-to-API compliance requests now time out cleanly when an upstream service stalls, reducing hanging pages
  • Added dedicated reporting views for transaction ledger, exports, country exposure, tax-class mix, and monthly trend analysis
Fix (1 item)
  • Country and currency reference data used by the compliance dashboard is now checked automatically to prevent frontend and backend drift
3.5.0 (April 2026)

Multi-Currency Compliance Tracking

4 changes
Feature (2 items)
  • Compliance threshold tracking now supports foreign-currency transactions using European Central Bank reference rates for EUR comparison
  • Compliance responses now show which currencies were converted successfully and which still need exchange-rate data before they can be included
Fix (1 item)
  • Threshold status and threshold checks now handle empty transaction periods cleanly instead of failing for new or inactive accounts
Improvement (1 item)
  • Background exchange-rate syncing is now part of the API startup flow so compliance calculations can stay current without manual imports
3.4.2 (April 26, 2026)

Edge Protection v2

5 changes
Security (4 items)
  • Tightened scanner-detection thresholds and widened the detection window so both fast bursts and slow scans are caught
  • Broadened malformed-request detection to also flag headless scanner traffic with no client identification
  • Extended ban-history retention so repeat offenders cannot reset their escalation by waiting out a single ban cycle
  • Added per-site rate-limit zones as defense-in-depth against distributed traffic floods
Improvement (1 item)
  • Tightened request-header memory limits and connection-rotation behavior for Slowloris and oversized-header resilience
3.4.1 (April 22, 2026)

Edge Protection Refinements

3 changes
Security (2 items)
  • Strengthened automated blocking for malformed and non-standard connection probes at the edge, improving protection against low-level scanning traffic
  • Improved deployment-time validation guidance so live protection rules can be verified more reliably after rollout
Improvement (1 item)
  • Refined security runbooks to reduce configuration drift between repository changes and the active server setup
3.4.0 (April 2026)

Backend Platform Upgrade

5 changes
Infrastructure (2 items)
  • Modernized the backend web platform to the latest generation of our Go API framework, improving long-term maintainability and compatibility with current tooling
  • Aligned backend build images with the current Go toolchain used in development and deployment
Security (1 item)
  • Improved how the API interprets client IP and HTTPS information behind a reverse proxy, making secure-request enforcement and request limiting more reliable
Improvement (2 items)
  • Standardized backend request parsing, middleware behavior, and automated tests without changing the public API contract
  • Refreshed internal metrics integration and framework-level request handling to make future backend upgrades lower risk
3.3.0 (April 2026)

Code Review Hardening

10 changes
Security (3 items)
  • Fixed a memory safety issue where request header values could be corrupted when passed to background processing — headers are now safely copied before async use
  • Sequential database identifiers are no longer exposed in user API responses — only the public UUID is returned to clients
  • All database error comparisons updated to use wrapped-error-safe checks, preventing edge cases where errors could be silently misclassified
Fix (2 items)
  • Fixed an unreachable error response path in CSV export streaming — errors during export are now properly logged instead of attempting to send JSON after CSV headers were already committed
  • Clipboard copy button no longer throws an unhandled promise rejection when the browser denies clipboard access (e.g. non-HTTPS contexts)
Improvement (5 items)
  • Threshold listing endpoint now supports an optional country filter for more targeted lookups
  • Threshold queries consolidated from multiple near-identical database calls into a single efficient dynamic query
  • API specification updated with all missing query parameters and standardized error responses across every authenticated endpoint
  • API documentation scopes table now lists all transaction and compliance endpoints with their required access levels
  • API key management pages now show animated skeleton loaders instead of plain text while loading
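Two of the 3.3.0 security items are easy to get wrong in Go and worth seeing side by side: a header value that aliases a request buffer is silently overwritten once the framework reuses that buffer for the next request, and a wrapped driver error never equals its sentinel under `==`. The example below is added here to show both; it is not code from VAT Engine. The buffer-reusing `requestCtx` stands in for a zero-copy framework (the page does not name the framework), and `ErrNoRows` stands in for a driver sentinel such as pgx's, wrapped with `%w` the way a repository layer would.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrNoRows stands in for a driver sentinel such as pgx.ErrNoRows. Assumption: the
// repository layer wraps driver errors with fmt.Errorf("...: %w", err) for context.
var ErrNoRows = errors.New("no rows in result set")

// lookupKey is a constructed repository call that wraps the driver error.
func lookupKey(id string) error {
	return fmt.Errorf("lookup api key %q: %w", id, ErrNoRows)
}

// isNotFoundNaive is the comparison the 3.3.0 entry replaced: plain equality never
// matches a wrapped error, so "not found" falls through to the 500 path.
func isNotFoundNaive(err error) bool { return err == ErrNoRows }

// isNotFound unwraps the chain, so the sentinel is found however deeply it is wrapped.
func isNotFound(err error) bool { return errors.Is(err, ErrNoRows) }

// requestCtx models a zero-copy framework that keeps header bytes in a per-request
// buffer and reuses that buffer for the next request. Header() returns a slice that
// aliases the buffer, which is the hazard behind the memory-safety fix.
type requestCtx struct{ buf []byte }

func (c *requestCtx) setHeader(v string) { c.buf = append(c.buf[:0], v...) }

// Header is only valid until the handler returns; anything kept longer must be copied.
func (c *requestCtx) Header() []byte { return c.buf }

// observeAfterReuse hands a header value to a goroutine, then reuses the request
// buffer (as the framework would for the next request) before the goroutine reads it.
// With copyFirst=false the goroutine sees the next request's value; with copyFirst=true
// it sees the value it was given.
func observeAfterReuse(copyFirst bool) string {
	ctx := &requestCtx{buf: make([]byte, 0, 64)}
	ctx.setHeader("req-id-AAAA")

	hdr := ctx.Header()
	if copyFirst {
		hdr = append([]byte(nil), hdr...) // detached copy; string(hdr) works as well
	}

	start := make(chan struct{})
	var wg sync.WaitGroup
	var seen string
	wg.Add(1)
	go func() {
		defer wg.Done()
		<-start // the read is ordered after the buffer reuse below
		seen = string(hdr)
	}()

	ctx.setHeader("req-id-BBBB") // next request overwrites the shared buffer
	close(start)
	wg.Wait()
	return seen
}

func main() {
	fmt.Println("aliased header after reuse:", observeAfterReuse(false))
	fmt.Println("copied header after reuse: ", observeAfterReuse(true))

	err := lookupKey("k_123")
	fmt.Println("naive == sentinel:", isNotFoundNaive(err), " errors.Is:", isNotFound(err))
}
```

The goroutine in the example is ordered after the buffer reuse on purpose; in a real service the ordering is whatever the scheduler decides, which is why the corruption is intermittent and why copying before the handoff is the only safe option.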
3.2.0 (April 2026)

SME Eligibility & Public Threshold Lookup

5 changes
Feature (3 items)
  • New public API endpoint checks domestic SME VAT exemption eligibility — submit a country and annual turnover to find out if you fall within the national exemption threshold. Includes policy details and sector-specific sub-thresholds where applicable
  • New public threshold lookup endpoint returns OSS and IOSS thresholds with optional type and date filters — designed for integration into registration workflows
  • Negative consignment amounts are now rejected with a clear validation error on the IOSS threshold check endpoint
Improvement (2 items)
  • Full API documentation added for the SME eligibility endpoint at /docs/api/sme-eligibility
  • OpenAPI specification updated with complete request and response schemas for all new endpoints
3.1.0 (April 2026)

Compliance Logic Review Fixes

7 changes
Fix (5 items)
  • IOSS removed from annual threshold status — IOSS is a per-consignment check, not an annual cumulative threshold. Ad-hoc IOSS validation remains available via the threshold check endpoint
  • Threshold reporting now highlights when some foreign-currency transactions could not yet be included in the totals
  • Date range queries fixed to include all transactions on the end date (previously could miss the final day)
  • Request ID in VAT calculation responses now matches the ID used in logs and tracing headers
  • Export date range validation adjusted to correctly handle leap years
Security (1 item)
  • Account-scoped endpoints (transactions, compliance, threshold status) now require V2 authenticated API keys — legacy keys are restricted to VAT calculation and rate lookup only
Improvement (1 item)
  • Prepared the compliance reporting surface for later multi-currency threshold conversion support
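The two date fixes in 3.1.0 (the end date being dropped from range queries, and leap-year handling in export validation) share one root cause: a date parsed from "YYYY-MM-DD" is midnight at the start of that day, so "ts <= end" excludes the whole end date, and hand-rolled calendar arithmetic breaks on February 29. The example below is added here to show the half-open bound that fixes the first and the normalizing time.Date call that avoids the second; it is not VAT Engine's code, and the sample transactions are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// parseDateOnly parses YYYY-MM-DD (the same layout as time.DateOnly). time.Parse
// rejects days that do not exist in the month, so "2027-02-29" fails while
// "2028-02-29" (a leap day) parses.
func parseDateOnly(s string) (time.Time, error) {
	return time.Parse("2006-01-02", s)
}

// dateRange turns an inclusive calendar range into the half-open instants
// [start, end) that a "ts >= $1 AND ts < $2" query needs. end is midnight of the day
// after the requested end date; time.Date normalizes day+1 across month, year and
// leap-day boundaries, so no manual calendar arithmetic is needed.
func dateRange(fromStr, toStr string, loc *time.Location) (start, end time.Time, err error) {
	from, err := parseDateOnly(fromStr)
	if err != nil {
		return time.Time{}, time.Time{}, fmt.Errorf("from: %w", err)
	}
	to, err := parseDateOnly(toStr)
	if err != nil {
		return time.Time{}, time.Time{}, fmt.Errorf("to: %w", err)
	}
	if to.Before(from) {
		return time.Time{}, time.Time{}, errors.New("date range: end before start")
	}
	start = time.Date(from.Year(), from.Month(), from.Day(), 0, 0, 0, 0, loc)
	end = time.Date(to.Year(), to.Month(), to.Day()+1, 0, 0, 0, 0, loc)
	return start, end, nil
}

// countHalfOpen counts transactions with start <= ts < end (the corrected query).
func countHalfOpen(ts []time.Time, start, end time.Time) int {
	n := 0
	for _, t := range ts {
		if !t.Before(start) && t.Before(end) {
			n++
		}
	}
	return n
}

// countNaive reproduces the bug the 3.1.0 entry fixed: the end date parsed as a bare
// date is midnight at the start of that day, so "ts <= end" excludes the whole day.
func countNaive(ts []time.Time, start, endDate time.Time) int {
	n := 0
	for _, t := range ts {
		if !t.Before(start) && !t.After(endDate) {
			n++
		}
	}
	return n
}

// sampleTransactions is constructed data: one on Feb 28, one on the leap day, one on Mar 1.
func sampleTransactions() []time.Time {
	return []time.Time{
		time.Date(2028, 2, 28, 23, 59, 0, 0, time.UTC),
		time.Date(2028, 2, 29, 10, 0, 0, 0, time.UTC),
		time.Date(2028, 3, 1, 0, 0, 0, 0, time.UTC),
	}
}

func main() {
	start, end, err := dateRange("2028-02-01", "2028-02-29", time.UTC)
	if err != nil {
		panic(err)
	}
	sample := sampleTransactions()
	fmt.Println("half-open [start, end):", countHalfOpen(sample, start, end))
	fmt.Println("naive ts <= end-date:  ", countNaive(sample, start, time.Date(2028, 2, 29, 0, 0, 0, 0, time.UTC)))
	_, err = parseDateOnly("2027-02-29")
	fmt.Println("2027-02-29 rejected:", err != nil)
}
```

Passing the location explicitly matters for the same reason: a merchant's "end of quarter" is midnight in their reporting time zone, not in UTC, and the half-open bound only lands on the right instant if start and end are built in that zone.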
3.0.0 (April 14, 2026)

Compliance Logic Foundation

3 changes
Feature (2 items)
  • Account ID: every user account now has a stable, unique public identifier shown in the dashboard under Profile Information — useful for support, integrations, and future multi-key compliance reporting
  • Account ID can be copied to clipboard directly from the dashboard with one click
Infrastructure (1 item)
  • Database schema extended to support full compliance transaction tracking and user-scoped data ownership — foundation for per-country VAT aggregations and OSS threshold monitoring
2.9.0 (April 10, 2026)

SME VAT Thresholds — TEDB Integration

7 changes
Feature (5 items)
  • New public API endpoint returns EU SME VAT exemption and scheme thresholds for all 27 member states — no API key required
  • Thresholds include EUR amounts and, for non-eurozone countries, national-currency equivalents (e.g. PLN, HUF, CZK, DKK, SEK, RON, BGN)
  • Sectoral thresholds available where TEDB provides them (e.g. specific industry exemption levels)
  • Data sourced directly from the official EU TEDB SMERetrievalService and kept in sync via the admin panel
  • Full API documentation available at /docs/api/sme-thresholds
Improvement (2 items)
  • Admin TEDB panel extended with an SME Thresholds tab: preview incoming changes, review field-level diffs, and apply with a single click
  • Diff preview highlights every changed threshold field individually — operators see exactly what changed before confirming
2.8.0 (April 3, 2026)

TEDB Scheduled Sync & Change Alerts

5 changes
Feature (3 items)
  • VAT rate sync now runs automatically on a monthly schedule — no external cron or manual trigger required
  • When pending rate changes are detected, a Grafana alert is sent via email so operators can review the diff before applying
  • Changes are never applied automatically — human review is required before any database update
Infrastructure (2 items)
  • Dedicated sync service added to all deployment environments with automatic restart on failure or host reboot
  • Credentials injected securely from Docker secrets at runtime — not stored in docker-compose environment configuration or exposed via basic container inspection metadata
2.7.1 (March 22, 2026)

Security Hardening — GeoIP, Docker Secrets & CrowdSec Evaluation

7 changes
Security (3 items)
  • Introduced geo-based country-level traffic filtering at the edge to prioritize access from primary business regions
  • Hardened secrets management for the API so sensitive credentials are loaded from secure runtime storage instead of plain environment variables
  • Evaluated CrowdSec as a potential complement to existing Fail2Ban protections; retained the current setup while keeping options open for future hardening
Infrastructure (4 items)
  • Automated GeoIP database updates with safe, atomic refresh and scheduled execution
  • Enabled automatic GeoIP database reloads in nginx so updates apply without service restarts
  • Standardized container configuration to use secret-based credential management for the API service
  • Expanded secret coverage so all core service credentials are managed through centralized secrets handling
2.7.0 (March 22, 2026)

Security Hardening — Nginx, Fail2Ban & Grafana Alerts

10 changes
Security (6 items)
  • Nginx blocks dotfiles, attack file extensions, common exploit paths, and double-encoded path traversal — all silently dropped
  • Rate limiting at nginx: tiered per-zone limits for frontend and API with connection throttling, returning proper 429 status codes
  • Bad bot blocking: known scanner user-agents and empty user-agents silently dropped
  • Fail2Ban auto-bans repeat scanner IPs and 404 flooders with adaptive thresholds
  • Incremental ban escalation for repeat offenders across all Fail2Ban jails
  • Backend ErrorHandler log levels tuned to reduce alert noise from scanner probes
Infrastructure (4 items)
  • Shared nginx security include file for http-context rate limit zones and bot detection maps
  • Conditional nginx access log for Fail2Ban — filters normal traffic to reduce log volume
  • New Grafana alert rules for elevated error rates and unusual traffic patterns
  • Tiered notification routing with repeat interval management for low-noise alerting
2.6.0 (March 17, 2026)

Centralized Log Aggregation (Loki + Grafana)

9 changes
Feature (4 items)
  • Centralized log aggregation with Grafana Loki and Grafana across all three environments (local, develop, production)
  • All Docker services ship logs via Loki Docker logging driver with per-environment labels and automatic retry
  • Grafana auto-provisioned with Loki datasource — live log tailing via WebSocket
  • Nginx reverse proxy configs for Grafana with WebSocket support for live log streaming
Security (3 items)
  • Docker socket no longer mounted in any container — replaced custom log viewer with Grafana
  • Grafana hardened in prod/develop: cookie_secure, disable_gravatar, hide_version, Content Security Policy, disabled analytics/update-checks/snapshots
  • Loki containers run read-only with tmpfs writable paths and resource limits (prod/develop)
Infrastructure (2 items)
  • Deploy script pre-flight check verifies Loki Docker logging driver plugin is installed
  • Removed custom Docker-socket-based log viewer (backend handler, frontend pages, API routes, sidebar entry)
2.5.1 (March 15, 2026)

Infrastructure Hardening

3 changes
Infrastructure (3 items)
  • Gzip compression enabled on all 4 nginx configs — JSON for API proxies, full MIME set for frontend, with gzip_proxied any
  • Docker images pinned to specific patch versions for build reproducibility
  • Local compose next-app now runs as non-root user via init container + named volumes
2.5.0 (March 15, 2026)

TEDB Admin Panel — Live Rate Sync

7 changes
Feature (3 items)
  • Admin TEDB sync dashboard with status cards, diff preview, one-click apply, and sync history
  • 4 new backend endpoints: status, preview, apply, sync-log — behind internal admin authentication
  • Collapsible diff sections show added, changed, and removed rates with country flags and percentage formatting
Fix (4 items)
  • Fixed TEDB SOAP XML namespace qualification — child elements now inherit via default namespace (resolves TEDB-ERR-2 XSD validation error)
  • Fixed unique constraint violation when applying changed rates — new rows use current timestamp as valid_from
  • Fixed pgx v5 date scan error on sync log — PostgreSQL date column now scanned into time.Time
  • Fixed admin API routes blocked by proxy CSP headers — added proper routing exception for admin API paths
2.4.0 (March 14, 2026)

TEDB Phase 3 — Automated SOAP Rate Sync

7 changes
Feature (5 items)
  • New tedb_sync CLI tool: fetches live VAT rates from the EU TEDB SOAP API and applies changes to the database with dry-run mode by default
  • SOAP client with retry/backoff, 10 MB response limit, and context cancellation support
  • Diff engine detects added, changed, removed, and unchanged rates by (country, tax_class_id)
  • Transactional writer: closes old rate rows, inserts new ones, and invalidates Redis cache — all in a single Postgres transaction
  • Sync audit log table (tedb_sync_log) tracks every sync run with status, counters, and timestamps
Improvement (2 items)
  • Replaced custom string helpers with Go stdlib: strings.Replace, sort.Strings, time.DateOnly
  • 25 unit tests covering SOAP types, client retry/fault handling, rate mapping, and diff logic
2.3.0 (March 11, 2026)

Dashboard & Documentation UX Improvements

6 changes
Feature (3 items)
  • API keys inventory now uses a Data Table (TanStack React Table) with text search, status filter, and environment filter
  • Dynamic CurlBlock component for API docs — replaces hardcoded URLs with NEXT_PUBLIC_API_URL or runtime origin across all 7 documentation pages
  • API documentation portal with fumadocs MDX, DynamicCodeBlock syntax highlighting, and runtime-resolved API base URLs
Fix (1 item)
  • CSP inline script violation on docs pages — nonce now passed from middleware through docs layout to RootProvider/next-themes
Improvement (2 items)
  • Extracted shared API key types to lib/api-keys/types.ts — eliminated 4× type duplication with proper union types (APIKeyScope, APIKeyStatus, APIKeyEnvironment)
  • Scopes field now typed as APIKeyScope[] instead of string[] across all consumers
2.2.0 (March 2026)

TEDB Phase 2 — Tax Class Catalog & Public API

6 changes
Feature (4 items)
  • Interactive tax class catalog on /docs — browse 37 curated EU tax classes with real-time search, group filtering, and per-country VAT rate preview
  • Public API endpoints: GET /v1/tax-classes and GET /v1/tax-classes/:id — no API key required, IP rate-limited
  • Tax class grouping: classes organized into groups (e.g., Books & Publications, Food & Beverages) with tags for faceted filtering
  • DB migration: added group_slug, group_name, tags columns with backfill and composite indexes
Infrastructure (2 items)
  • Docker Turbopack fix: moved pnpm store to /tmp and .next to anonymous volume to stay under Linux inotify watch limit
  • pnpm v10 compatibility: added onlyBuiltDependencies for esbuild, sharp, bcrypt native binaries
2.1.0 (March 7, 2026)

Usage Tracking & Rotation UX Improvements

6 changes
Fix (3 items)
  • Usage graphs now correctly track API requests — fixed missing usage aggregation in backend pipeline
  • After key rotation, the new secret modal stays open until you confirm the key has been stored — no premature redirect
  • Viewing a rotated key now shows a banner directing you to the active replacement key
Improvement (3 items)
  • Usage charts auto-refresh every 10 seconds and on tab focus
  • Empty-state messages shown when no usage data exists for a key
  • Rotated keys enforce a strict 48-hour grace window — requests after expiry are rejected
2.0.0 (March 6, 2026)

API Key Management — Phase 1 & Phase 2 Complete

12 changes
Feature (6 items)
  • Self-service API key lifecycle: generate, rotate (24–48h grace period), and revoke keys from the dashboard
  • Two-tier key hashing — fast verification path plus adaptive hashing for breach-resistant storage
  • Per-key sliding window rate limiting with Redis sorted sets and automatic in-memory fallback
  • Batch audit logger (10 events / 10s flush) with OWASP Application Logging Vocabulary
  • Usage dashboard with daily request graphs, hourly breakdown, and quota bar
  • Key detail view with full metadata, scope badges, and audit log timeline
Security (6 items)
  • API key pepper required in production (≥32 bytes via environment variable)
  • Scope enforcement per route — 403 Forbidden on insufficient permissions
  • Key generation rate limiting and per-user key cap enforced
  • One-time plaintext key display with mandatory copy confirmation before dialog close
  • CSRF-protected API routes with server-side validation and metadata-only responses
  • Phase 2 frontend audit: 5 findings fixed (2 HIGH, 3 MEDIUM), 12 security controls verified
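The 2.0.0 entry describes per-key sliding-window rate limiting on Redis sorted sets with an in-memory fallback. The example below is added here to show how that limiter works; it is not VAT Engine's implementation. It runs the in-memory fallback and documents, in comments, which sorted-set commands the same three operations map to on Redis. The limit, window, key names and timestamps are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
	"time"
)

// sortedSetStore is the minimal sorted-set surface the limiter needs. On Redis these
// are ZREMRANGEBYSCORE, ZCARD and ZADD (plus an EXPIRE of one window), run in one
// Lua script so the check-and-add is atomic. memoryStore is the fallback used when
// Redis is unavailable and is what this example actually runs.
type sortedSetStore interface {
	Prune(key string, belowScore int64) // remove members scored below belowScore
	Count(key string) int
	Add(key string, score int64)
}

type memoryStore struct {
	mu   sync.Mutex
	sets map[string][]int64 // scores kept in ascending order
}

func newMemoryStore() *memoryStore { return &memoryStore{sets: map[string][]int64{}} }

func (m *memoryStore) Prune(key string, belowScore int64) {
	m.mu.Lock()
	defer m.mu.Unlock()
	s := m.sets[key]
	i := sort.Search(len(s), func(i int) bool { return s[i] >= belowScore })
	m.sets[key] = append([]int64(nil), s[i:]...)
}

func (m *memoryStore) Count(key string) int {
	m.mu.Lock()
	defer m.mu.Unlock()
	return len(m.sets[key])
}

func (m *memoryStore) Add(key string, score int64) {
	m.mu.Lock()
	defer m.mu.Unlock()
	s := m.sets[key]
	j := sort.Search(len(s), func(i int) bool { return s[i] > score })
	s = append(s, 0)
	copy(s[j+1:], s[j:])
	s[j] = score
	m.sets[key] = s
}

// Limiter allows at most Limit requests per key in any trailing Window. Unlike a
// fixed window, a burst straddling a boundary cannot double the effective limit.
type Limiter struct {
	Limit  int
	Window time.Duration
	Store  sortedSetStore
}

// Allow records the request if it is permitted and reports how many more are
// allowed in the current window. The clock is passed in so the logic is testable.
func (l *Limiter) Allow(key string, now time.Time) (allowed bool, remaining int) {
	ts := now.UnixNano()
	l.Store.Prune(key, ts-l.Window.Nanoseconds())
	n := l.Store.Count(key)
	if n >= l.Limit {
		return false, 0 // rejected requests are not recorded, so they cannot extend the block
	}
	l.Store.Add(key, ts) // on Redis the member would be "<ts>:<nonce>", as ZADD members must be unique
	return true, l.Limit - n - 1
}

// simulate drives a 5-per-minute limit with constructed timestamps: five requests in
// the first five seconds, a sixth at +30s (rejected), a seventh at +61s (allowed, the
// first request has aged out), and an unrelated key at +30s (allowed).
func simulate() []bool {
	l := &Limiter{Limit: 5, Window: time.Minute, Store: newMemoryStore()}
	t0 := time.Date(2026, 5, 1, 12, 0, 0, 0, time.UTC)
	var out []bool
	for i := 0; i < 5; i++ {
		ok, _ := l.Allow("key-abc", t0.Add(time.Duration(i)*time.Second))
		out = append(out, ok)
	}
	ok, _ := l.Allow("key-abc", t0.Add(30*time.Second))
	out = append(out, ok)
	ok, _ = l.Allow("key-abc", t0.Add(61*time.Second))
	out = append(out, ok)
	ok, _ = l.Allow("key-other", t0.Add(30*time.Second))
	out = append(out, ok)
	return out
}

func main() {
	fmt.Println(simulate()) // [true true true true true false true true]
}
```

The fallback is deliberately per-process: when Redis is down, each API replica enforces the limit independently, so the effective limit across N replicas is up to N times the configured value. That is the usual trade-off for failing open on availability rather than closed, and it is worth stating in the runbook.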
1.5.11 (March 1, 2026)

Third-Pass Audit Fixes

7 changes
Security (6 items)
  • Server listen failure now terminates process instead of hanging silently (BE-S13N)
  • GetRate endpoint no longer leaks internal error format (BE-S12N)
  • Currency input validated as 3 uppercase ASCII letters — blocks non-alphabetic codes (BE-S14N)
  • Production Postgres container has no-new-privileges security option (INFRA-0010)
  • All local Docker ports bound to 127.0.0.1 — prevents LAN exposure (INFRA-0003/04)
  • Database backup files created with chmod 600 — no longer world-readable (INFRA-0021)
Improvement (1 item)
  • Cache provider logs marshal errors and evicts corrupted Redis entries immediately (BE-BP17N/18N)
1.5.10 (February 28, 2026)

Deferred Findings Resolution

3 changes
Security (2 items)
  • Docker Compose secrets migration — database and cache credentials moved to secure runtime storage (M-05)
  • Branch protection automation for main and develop branches via GitHub CLI (M-03)
Improvement (1 item)
  • Fixed rate-limit docs drift — corrected documented value to match actual default (L-03)
1.5.9 (February 28, 2026)

Full Project Re-Audit Fixes

6 changes
Security (3 items)
  • CSRF tokens now session-bound — HMAC includes session JWT fingerprint (OWASP Signed Double-Submit Cookie)
  • CI pipeline blocks on high/critical npm audit findings (was advisory-only)
  • Production PostgreSQL TLS upgraded to sslmode=verify-full (CA cert verification)
Infrastructure (2 items)
  • Added turbopack.root config to resolve multiple lockfile detection warning
  • Added TruffleHog secret scanning and Anchore SBOM generation to CI pipeline
Improvement (1 item)
  • CSRF documentation updated across all files to accurately describe session-bound HMAC model
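The session-bound signed double-submit scheme described in this release (and in the 1.5.6 and 1.5.2 entries), as an added Go example rather than the project's own Next.js code: it assumes a server-side HMAC secret and takes the "session JWT fingerprint" to be the SHA-256 of the session JWT, which is an assumption about how the project derives it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"strings"
)

// fingerprint derives a stable value from the session JWT so the CSRF token
// is bound to this session without the JWT itself appearing in the token.
// Assumption: the project's fingerprint may be derived differently.
func fingerprint(sessionJWT string) []byte {
	sum := sha256.Sum256([]byte(sessionJWT))
	return sum[:]
}

// sign computes HMAC-SHA256 over nonce || 0x00 || fingerprint with the server
// secret. Folding the session in means a token minted in one session, or by
// an attacker who can only plant cookies, fails verification in another.
func sign(secret []byte, nonceHex string, sessionJWT string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(nonceHex))
	mac.Write([]byte{0}) // separator so nonce and fingerprint cannot be confused
	mac.Write(fingerprint(sessionJWT))
	return hex.EncodeToString(mac.Sum(nil))
}

// IssueCSRFToken mints "<nonce>.<mac>" for the current session. The same value
// is set as the CSRF cookie and rendered into forms (the double submit).
func IssueCSRFToken(secret []byte, sessionJWT string) (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	nonceHex := hex.EncodeToString(nonce)
	return nonceHex + "." + sign(secret, nonceHex, sessionJWT), nil
}

// ValidateCSRF checks that cookie and submitted token match and that the MAC
// was produced by this server for this session. Both comparisons are
// constant-time; the inputs are fixed-length, so the length check in
// ConstantTimeCompare leaks nothing useful.
func ValidateCSRF(secret []byte, cookieToken, formToken, sessionJWT string) bool {
	if subtle.ConstantTimeCompare([]byte(cookieToken), []byte(formToken)) != 1 {
		return false
	}
	nonceHex, mac, ok := strings.Cut(cookieToken, ".")
	if !ok || len(nonceHex) != 64 {
		return false
	}
	want := sign(secret, nonceHex, sessionJWT)
	return subtle.ConstantTimeCompare([]byte(mac), []byte(want)) == 1
}
```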
1.5.8 (February 28, 2026)

Frontend Pass 3 Audit Fixes

6 changes
Security (5 items)
  • Fixed confirmRecovery CSRF regression — was missing await, had inverted logic, and wrong return type
  • Added duplicate email detection in account updates with user-friendly error message
  • JWT tokens now include issuer and audience claims, enforced on both signing and verification
  • Added CSRF validation to resendVerificationEmail server action
  • Added explicit CSRF validation to signOut server action
Improvement (1 item)
  • Created shared SWR fetcher module with response status validation — replaced 4 inline definitions
1.5.7 (February 28, 2026)

Re-Audit Security Hardening

14 changes
Security (8 items)
  • Fixed critical 2FA login flow — CSRF token now properly included in two-factor authentication
  • Added CSRF validation to all TOTP management actions (setup, confirm, disable, regenerate backup codes)
  • Added CSRF validation to account recovery form submissions
  • Proxy header validated against known-safe headers allowlist at startup
  • Production startup now rejects unencrypted PostgreSQL connections (sslmode=disable)
  • Rate limit configuration validated at startup (must be positive values)
  • IP normalization for metrics allowlist handles IPv4-mapped IPv6 addresses
  • Email templates now use HTML-escaped URL interpolation for XSS prevention
Improvement (5 items)
  • Graceful shutdown drain period now configurable via environment variable
  • Aligned frontend password validation regex with backend requirements
  • SWR data fetcher now validates response status before parsing
  • TOTP Redis initialization uses modern dynamic import instead of CommonJS require
  • Health endpoint uses centralized environment detection helper
Infrastructure (1 item)
  • Database backup directory added to version control ignore list
1.5.6 (February 28, 2026)

Security Hardening Follow-Up

8 changes
Security (3 items)
  • CSRF tokens now include HMAC server-side signature — prevents token forgery across sessions
  • Added rate limiting to CSRF and user API endpoints
  • Shared IP extraction utility consolidated to eliminate code duplication
Infrastructure (3 items)
  • Added CI/CD pipeline: automated linting, testing, build validation, and vulnerability scanning on every push
  • Development environment variables synced with production security requirements
  • Environment templates updated with backend security configuration section
Improvement (2 items)
  • API error responses now return specific error codes for missing vs. invalid authentication
  • PostgreSQL SSL upgrade path documented for production environments
1.5.5 (February 27, 2026)

Cross-Audit Security Hardening

19 changes
Security (7 items)
  • Resolved 22 consensus findings from three independent security audits (audit score: 9.5/10)
  • Fixed critical environment detection inconsistency that could enable debug logging in production
  • Production startup now fails immediately if API key, CORS origins, or metrics auth are not configured
  • Added Helmet middleware for automatic HTTP security headers on all API responses
  • Fixed Redis rate limiter configuration to prevent credential exposure in connection strings
  • Added CSRF validation to two-factor authentication verification
  • All Nginx reverse proxy configs hardened: server tokens hidden, body size limits, HSTS preload, proxy timeouts
Improvement (8 items)
  • Added error boundaries for graceful error recovery (prevents white screen crashes)
  • Enabled Partial Prerendering with React component caching for faster page loads
  • Activity page refactored with Suspense for streaming data loading
  • Deployment script now creates database backup before running migrations
  • OpenAPI specification updated with security schemes and comprehensive error responses (401/429/500)
  • Improved error handling patterns across migration and import tools
  • All backend logging now uses structured logger (no unstructured output)
  • Moved development-only dependencies out of production bundle
Fix (4 items)
  • Fixed deferred file operations in data import tool to properly check for write errors
  • Fixed goroutine safety issue in logging timestamp configuration
  • Removed redundant environment variable loading (handled natively by framework)
  • Updated stale code comments referencing deprecated middleware pattern
1.5.4 (February 24, 2026)

Frontend Code Audit & Hardening

19 changes
Security (7 items)
  • Resolved all 3 HIGH severity findings from dedicated frontend audit
  • Added server-only guards to 8 sensitive modules (prevents client-side import of secrets)
  • Stripe checkout now validates price ID format, requires authentication, and checks CSRF token
  • CSP upgraded with nonce-based strict-dynamic and upgrade-insecure-requests directives
  • Email addresses masked in all server-side logs to prevent PII exposure
  • IP addresses removed from user-facing activity log display
  • All error logging sanitized to prevent stack trace leaks in production
Improvement (8 items)
  • Cookie consent versioning: users automatically re-prompted when privacy policy updates
  • Rate limiting added to email verification endpoint
  • Dedicated rate limiter for resend-verification emails
  • Database connection pool configured with proper limits and timeouts
  • Analytics script loads conditionally based on cookie consent preferences
  • Password validation error messages corrected to match actual requirements
  • Stripe client initialization validates environment variables at startup
  • SMTP configuration documented in environment template
Fix (4 items)
  • Fixed rate limiter cleanup timer blocking Node.js graceful shutdown
  • Added loading spinner fallback to email verification page
  • Removed duplicate redirect logic in user menu component
  • Cleaned up unused imports and state declarations
1.5.3 (February 24, 2026)

Backend Code Audit & Hardening

19 changes
Security (5 items)
  • Resolved all 4 HIGH severity findings from dedicated backend audit
  • VAT calculate endpoint now returns proper HTTP status codes (400/404/409) instead of generic 500
  • Country code validation enforced (ISO alpha-2 format)
  • Currency and tax class identifiers validated for length and format
  • Negative gross amounts rejected at domain level
Improvement (7 items)
  • Rate limiter upgraded to distributed Redis-backed storage
  • CORS origins default changed from wildcard to explicit configuration
  • Metrics authentication configuration centralized into config struct
  • Error comparison uses errors.Is() for proper wrapped error handling
  • Sign-safe rounding in VAT calculation (correct for all input values)
  • Overflow protection added to monetary arithmetic operations
  • Rate limiter returns Retry-After header on throttled responses
Fix (7 items)
  • Removed unnecessary synchronization from immutable rate provider
  • Removed unused floating-point multiplication method from Money type
  • Cleaned up control flow in cached rate provider (removed goto)
  • Fixed potential panic in TEDB import on empty rate set
  • Deduplicated EU country list constant in import tool
  • Deduplicated domain error sentinel across packages
  • Documented provisioned but unused database tables with roadmap notes
1.5.2 (February 24, 2026)

Full-Stack Security Audit & Remediation

37 changes
Security (25 items)
  • Resolved all 11 HIGH severity findings from comprehensive security audit (score: 9.2/10)
  • Resolved all 15 MEDIUM severity findings
  • Resolved all 14 LOW severity findings (12 fixed, 2 accepted with rationale)
  • Backend: CORS middleware with configurable allowed origins
  • Backend: HTTP timeouts (read/write/idle) — Slowloris protection
  • Backend: API rate limiting middleware (configurable max requests/window)
  • Backend: API key authentication with constant-time comparison
  • Backend: Custom ErrorHandler — no internal error leaks to clients
  • Backend: Timing-safe metrics auth (removed length pre-check)
  • Backend: Proxy header configuration for IP spoofing prevention
  • Backend: Health endpoint hides internal details in production
  • Backend: Graceful shutdown with configurable drain period
  • Backend: Panic recovery with structured logging
  • Frontend: CSRF validation added to updateAccount, updatePassword, deleteAccount
  • Frontend: Session-bound CSRF tokens via HMAC binding
  • Frontend: TOTP verification rate limiting
  • Frontend: TOTP replay protection (prevents code reuse within time window)
  • Frontend: Password required for email change
  • Frontend: Session renewal only when <50% lifetime remaining
  • Frontend: Broadened password regex to accept any special character
  • Frontend: Signup session blocked for unverified users
  • Frontend: Hardened IP address extraction with format validation
  • Frontend: Server-readable cookie consent for GDPR compliance
  • Frontend: Rate limit status check no longer consumes a token
  • Frontend: Strict type safety for authentication state objects
Improvement (6 items)
  • Backend: Cache key sanitization against injection attacks
  • Backend: Proper error status codes (400 vs 500 differentiation)
  • Backend: errors.Is() for wrapped error handling
  • Backend: Redis connection pool tuning (PoolSize, MinIdleConns, MaxActiveConns)
  • Backend: PostgreSQL pool configuration (MaxConns, MinConns, lifetime, idle time)
  • Backend: Fail-fast on invalid rate provider mode
Infrastructure (6 items)
  • Database: Added foreign key constraint for VAT rate tax class references
  • Database: Standardized all timestamps to use timezone-aware format
  • Database: Added missing indexes for activity logs and soft-deleted users
  • Database: Removed redundant index to reduce write overhead
  • Database: Auto-update trigger for user record timestamps
  • Database: Added descriptive comments to all tables
1.5.1 (February 22-23, 2026)

Code Review & Security Hardening

17 changes
Security (6 items)
  • Timing attack mitigation: Added ensureMinDuration to all confirmRecovery auth paths
  • Email verification gate: Recovery flow now verifies email BEFORE persisting TOTP secrets
  • Rate limiting fail-safe: Changed Redis failure from fail-open to in-memory fallback
  • Password DOM security: Removed defaultValue from password inputs to prevent value exposure
  • Data integrity: Added .notNull() constraint to activityLogs.userId foreign key
  • Timing-safe comparison used across all authentication endpoints
Feature (4 items)
  • Idle timeout improvements: Time-based countdown with 500ms tick accuracy
  • Double-firing protection: hasTimedOut ref prevents duplicate logout triggers
  • Auto-logout enforcement: Countdown reaching 0 now reliably triggers session termination
  • Configurable timeout: Added enabled prop to conditionally enforce idle detection
Fix (3 items)
  • Currency handling: Fixed hardcoded scale=2 bug affecting 0-decimal (JPY/KRW) and 3-decimal (KWD/BHD/OMR) currencies
  • Removed dead code: Unused redirectTo variable, unused fetcher imports, commented code blocks
  • Callback ordering: Fixed handleTimeout used before declaration error
Infrastructure (4 items)
  • Constants consolidation: Centralized PASSWORD_REGEX to lib/auth/constants.ts
  • Timeout constants: Exported IDLE_TIMEOUT_MS and WARNING_BEFORE_MS from hook
  • Code organization: Removed duplicate constants across multiple files
  • Backend currency support: Added GetCurrencyScale() for ISO 4217 compliance
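An added Go example, not the project's code, covering the currency-scale fix and GetCurrencyScale from this release together with the sign-safe rounding and overflow protection noted in 1.5.3: the minorUnits table is a constructed subset of ISO 4217, and the Money type, NewMoney and the basis-point rate representation are assumptions about the backend's design.

```go
package main

import (
	"fmt"
	"math"
)

// minorUnits is a constructed subset of ISO 4217 minor-unit exponents covering
// the 0-, 2- and 3-decimal cases; a real table lists every active code.
var minorUnits = map[string]int32{
	"EUR": 2, "USD": 2, "JPY": 0, "KRW": 0, "KWD": 3, "BHD": 3, "OMR": 3,
}

// GetCurrencyScale returns the decimal places for a 3-letter uppercase code.
// Lookup is exact, so "eur" or "EURO" are rejected instead of defaulting to 2.
func GetCurrencyScale(code string) (int32, error) {
	if scale, ok := minorUnits[code]; ok {
		return scale, nil
	}
	return 0, fmt.Errorf("money: unsupported currency code %q", code)
}

// Money is a count of minor units plus the scale: 1000 JPY is {JPY 1000 0}.
type Money struct {
	Currency string
	Minor    int64
	Scale    int32
}

// NewMoney converts whole currency units to minor units with the real scale
// rather than a hardcoded 2, so 1 KWD becomes 1000 fils and 1 JPY stays 1.
func NewMoney(code string, units int64) (Money, error) {
	scale, err := GetCurrencyScale(code)
	if err != nil {
		return Money{}, err
	}
	minor, err := mulChecked(units, int64(math.Pow10(int(scale))))
	if err != nil {
		return Money{}, err
	}
	return Money{code, minor, scale}, nil
}

// mulChecked multiplies a by a non-negative b and reports int64 overflow
// instead of wrapping silently; with b > 0 the division round-trip is exact.
func mulChecked(a, b int64) (int64, error) {
	if b == 0 {
		return 0, nil
	}
	if p := a * b; b > 0 && p/b == a {
		return p, nil
	}
	return 0, fmt.Errorf("money: overflow or negative multiplier (%d * %d)", a, b)
}

// VAT applies a rate in basis points (1900 = 19%), rounding half away from zero
// so that a credit note of -x yields exactly -VAT(x) at any scale.
func (m Money) VAT(rateBps int64) (Money, error) {
	num, err := mulChecked(m.Minor, rateBps)
	if err != nil {
		return Money{}, err
	}
	q, r := num/10000, num%10000 // Go truncates toward zero; r carries num's sign
	if r >= 5000 {
		q++ // 12.345 -> 12.35
	} else if r <= -5000 {
		q-- // -12.345 -> -12.35, the mirror of the positive case
	}
	return Money{m.Currency, q, m.Scale}, nil
}
```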
1.5.0 (February 17, 2026)

OTP Verification & Session Security Improvements

15 changes
Security (7 items)
  • Two-Factor Authentication (TOTP) with authenticator app support and provisioning codes
  • TOTP secrets encrypted at rest using secure encryption
  • Backup codes (one-time use) generated on TOTP enable
  • Sign-in requires authenticator code or backup code when TOTP enabled
  • Account recovery flow: backup code → new QR → new authenticator → new backup codes
  • Session Revocation: all existing sessions revoked on password reset/change
  • Email tokens now stored as SHA-256 hashes for additional security
Feature (4 items)
  • TOTP enable/confirm/disable/recovery flows in security dashboard
  • Authenticator code entry and validation
  • QR code provisioning for popular authenticator apps
  • Backup codes display and download on first enable
Infrastructure (4 items)
  • Database schema updated for storing TOTP data securely
  • Environment configuration updated for encryption keys
  • Service infrastructure updated to handle encrypted credentials
  • Two-factor authentication UI components implemented
1.4.1 (February 16, 2026)

Email Verification & Password Recovery Enhancements

21 changes
Security (6 items)
  • Email Verification: time-limited single-use tokens, sign-in blocked until verified
  • Password Recovery: time-limited single-use tokens with per-email request caps
  • Password reset immediately revokes all existing user sessions
  • Session tracking prevents unauthorized access after password changes
  • Generic success messages on forgot-password to prevent account enumeration
  • Rate limiting added to email verification resend endpoint
Feature (5 items)
  • Forgot Password page with form and honeypot field
  • Reset Password page with token validation and new password form
  • Verify Email page for email confirmation flow
  • Email change confirmation with reverification
  • Activity logging for email verification and password reset events
Infrastructure (6 items)
  • Database schema updated with verification token storage
  • Email verification fields added to user accounts
  • Token generation and validation system implemented
  • Email sending service integrated
  • Email credentials added to environment configuration
  • Service infrastructure updated to handle email delivery
Improvement (4 items)
  • Consistent response timing for password reset flows
  • Email verification non-blocking (signup succeeds even if email fails to send)
  • Resend verification email available for logged-in users
  • Password requirements enforced: 8-100 characters with uppercase, lowercase, number, special character
1.4.0 (February 15, 2026)

Session Idle Timeout & CSRF Token Rotation

16 changes
Security (6 items)
  • Session Idle Timeout: Auto-logout after period of inactivity
  • 1-minute warning dialog before session expires with "Stay Logged In" option
  • Activity detection: monitors mouse, keyboard, touch, scroll, click events
  • Cross-device session synchronization for activity tracking
  • Token rotation for session security
  • CSRF tokens stored securely in cookies
Feature (4 items)
  • Idle Timeout Warning dialog with accessibility features
  • Session timeout detection and handling
  • Cross-device session synchronization
  • Automatic redirect to sign-in after timeout
Infrastructure (3 items)
  • Session monitoring system for detecting user inactivity
  • Timeout detection logic with cross-tab synchronization
  • Session version tracking integrated into authentication tokens
Improvement (3 items)
  • Session security with version-based token validation
  • Password hashing with industry-standard security parameters
  • Security headers enhanced for browser protection
1.3.0 (February 9, 2026)

EU TEDB VAT Data Integration — Phase 1

12 changes
Feature (4 items)
  • Comprehensive tax classification for merchants (books, food, pharma, accommodation, energy, etc.)
  • Complete VAT rate entries covering all EU member states
  • Tax database reference table for audit and compliance
  • Supported Tax Classes section added to API documentation
Infrastructure (4 items)
  • Data import pipeline created for EU tax database integration
  • Database schema expanded to store tax classes and VAT rates
  • Tax class registry updated to support 37 categories
  • Fallback rate providers configured for all environments
Improvement (4 items)
  • VAT rates updated to current regulations
  • Country code standardization
  • API documentation updated with current rates and examples
  • Automatic rate selection for multiple applicable scenarios
1.2.0 (February 5, 2026)

Production-Grade Security & Rate Limiting

17 changes
Security (7 items)
  • Distributed rate limiting for authentication endpoints
  • CSRF protection with secure token comparison
  • Bot detection mechanisms
  • Timing attack protection for authentication operations
  • Account enumeration prevention
  • Content Security Policy (CSP) headers configured
  • Cookie consent banner with GDPR compliance
Feature (5 items)
  • Form validation and submission handling improved
  • Real-time password requirements indicator
  • Password visibility toggle
  • UI form components with improved accessibility
  • Distributed rate limiting service integration
Infrastructure (4 items)
  • Rate limiting service configured across all environments
  • Database persistence improved
  • Container isolation improved for deployment
  • Rate limiting monitoring and analytics
Improvement (1 item)
  • Activity logging for all authentication events
1.1.1 (January 29, 2026)

API Hardening & Session Safety

7 changes
Security (3 items)
  • Added security headers for API protection
  • Error handling and crash recovery improved
  • Hardened session token validation and safe fallback on invalid tokens
Infrastructure (2 items)
  • API rate limiting (per-IP) to reduce abuse and protect availability
  • Request size limits to prevent payload abuse
Fix (2 items)
  • Normalized input for VAT calculations and rate lookups
  • Corrected API docs example field name for price_includes_vat
1.1.0 (January 28, 2026)

Authentication & Security Overhaul

15 changes
Security (5 items)
  • Implemented strong password requirements: minimum 8 characters with uppercase, lowercase, digit, and special character
  • Added rate limiting to login/signup endpoints to prevent brute-force attacks
  • Email normalization: all emails converted to lowercase to prevent account duplication
  • Generic error messages to prevent user enumeration attacks
  • Secure password handling: passwords cleared from state after validation errors
Feature (3 items)
  • Password confirmation field for signup with real-time match validation
  • Show/hide password toggle buttons for better UX during password entry
  • Live password requirements indicator showing uppercase, lowercase, number, and special character status
Improvement (4 items)
  • Enhanced login/signup UI with better error handling and visual feedback
  • Disabled submit button during signup until all password requirements are met
  • Improved accessibility with proper aria-labels and semantic HTML
  • Better placeholder text and form labels for clarity
Infrastructure (3 items)
  • API URL configuration for flexible environment support
  • Dynamic API URL configuration for all environments
  • Production deployment configuration completed
1.0.1 (January 18, 2026)

Frontend Database & API Documentation

10 changes
Feature (5 items)
  • Comprehensive API documentation with interactive examples
  • Interactive API documentation with copy-to-clipboard functionality
  • Parameter reference table for POST /v1/vat/calculate endpoint
  • Supported countries grid showing all 27 EU member states
  • Frontend database schema with users and activity_logs tables
Fix (2 items)
  • Hydration and rendering compatibility issues resolved
  • Database connectivity fixed for containerized environments
Infrastructure (3 items)
  • Database migrations executed for frontend schema
  • Database tables created and populated for user management
  • Added API docs and roadmap navigation links to dashboard header
1.0.0 (January 4, 2026)

Core VAT Engine & Production Deployment

14 changes
Feature (5 items)
  • Production-ready environment configuration deployed
  • Backend API endpoints for VAT calculations and rate lookups
  • Caching layer implemented for improved performance
  • Database infrastructure for VAT rates and transaction tracking
  • Comprehensive roadmap with 10 development phases through Q3 2026
Security (4 items)
  • SSL/TLS encryption on production
  • Secure session management with password hashing
  • Soft delete for user accounts with email anonymization
  • Activity logging for compliance and audit trails
Infrastructure (5 items)
  • Container orchestration with reverse proxy
  • Production environment configuration
  • Backend health monitoring and graceful service shutdown
  • All database migrations applied and verified
  • Comprehensive backend test coverage