Platform Update — Director Checks, Street View Fix & Intelligence Upgrades

This update covers a significant batch of improvements to verification intelligence, data quality, and the admin CMS. As always: factual, not marketing copy.

Street View Pro: the photo finally shows up

Street View Pro has been in production for a while, showing the satellite map thumbnail correctly. But the actual Street View photo — the intended hero of the expanded tile — was missing. Clicking the tile would expand it showing only the satellite map, not the street-level view of the premises.

Root cause: our server-side calls to the Google Street View Metadata API were sending a Referer: https://gumshoe.au/ header. Google's API key had referrer restrictions set, causing it to return 403 Forbidden on those calls. Since the metadata check was failing (returning null), our code never set the svProxyUrl — so the photo was never requested at all.

Fix: removed the Referer header from all direct Google API calls in streetview.ts. The /api/sv-img proxy (the browser-facing endpoint) already strips Referer correctly — the bug was in the server-side metadata and image fetch functions that weren't using the proxy.

The expanded Street View Pro tile now shows the street-level photo as the hero image alongside the satellite map, plus all available location metadata: Google place name, place types, OSM building/land-use tags, and the panorama capture date.

Director cross-check: ASIC banned list now applied to company boards

Previously, the Phoenix Shield check looked at whether a director of the entity under verification had previously run a company that was deregistered in the last 36 months — a phoenix fraud indicator.

The check now also cross-references all directors against:

• ASIC Banned & Disqualified Persons register (7,153 current bans) — if any director is currently banned, the tile fails immediately with the ban type and date.
• Official adverse records — enforcement records against individual directors (not just the company entity) are now surfaced in the Phoenix tile.
• Court and enforcement search links — the expanded Phoenix tile now includes direct links to ASIC Connect, the Federal Court (via AUSTLII), and the ACCC enforcement register, pre-filled with the entity name for one-click manual verification.

This makes the Phoenix tile a genuine board-level integrity check rather than just a company history check.

Social media: better discovery for sole traders

The social media check was generating the wrong profile candidates for sole traders. The Australian Business Register stores individual ABN holders with their name in surname-first format (e.g. HACKNEY ROB rather than ROB HACKNEY). Our slug generator was therefore trying instagram.com/hackneyrobert instead of the more likely instagram.com/rob.hackney.

Two changes:

• Added reversed-word slug candidates for 2-3 word names, so both orderings are tried.
• Added dot-separated variant (e.g. first.last) which is a common Facebook and Instagram handle format for personal accounts.

The system now tries the reversed-dot format (most likely for personal accounts) as the second candidate, immediately after the forward-joined slug. For HACKNEY ROB, it will now probe instagram.com/rob.hackney as a high-priority candidate.

GST date display: no more "1 Jan 1900"

Entities not registered for GST were showing "GST since 1 Jan 1900" in the expanded GST tile. The ABR uses 1900-01-01 as a sentinel date for "no date on record" — our formatter wasn't filtering this out.

Fix: added a validDate() helper that treats any date before 1950 as null. Both fmtDate() (display) and daysSince() (age calculation) now use it. The GST since field in the tile data is also null when GST is not active, so the "GST since" row is suppressed entirely for non-registered entities.

Article CMS: audit trail, category chips, help page

Several admin and content-management improvements shipped alongside the verification work:

• Article audit trail — every create, update, publish, unpublish, and delete on an article is now logged to article_events with the admin user, changed fields, content length, IP, and timestamp.
• Category chips — articles now display a coloured category chip (Case Study, Release Notes, Deep Dive, How-To, etc.) beneath the title in both the listings page and article view. Categories are set in the admin editor sidebar.
• Article type & visibility controls — the admin editor now has Type (blog / knowledge base) and Visibility (public / signed-in users / admin only) dropdowns. This enables the three-tier KB access model.
• Help page — no longer redirects logged-out users. Public visitors see 5 general sections; logged-in users see all user-level sections; admins see everything including internal KB.
• User management — newsletter subscription can now be toggled per user from the admin panel. Password reset sends a magic link (token-hashed, expires in 1 hour) rather than any plain-text credential.

What's not working yet

A full platform capability audit was run this sprint. Several data sources are empty or degraded:

• SG noncompliance, tax debt, FWO compliance — these tables exist but have no data. ATO tax debt goes through Credit Reporting Bureaus (not publicly accessible). ATO SG noncompliance and FWO compliance both require manual CSV downloads from government sites or a commercial data feed.
• Tax Practitioners Board (TPB) — their register is search-only with no bulk export. ~230,000 registered tax practitioners not yet searchable in Gumshoe.
• HIBP email breach data — the Have I Been Pwned API key is not set, so the breach overlay on the Email check is inactive. An API key costs ~$4/month.
• Mapillary street-level photos — Mapillary token is not set. Google Street View is the active path (now working).

We're actively working on data source partnerships and automated ingest for the missing registers. Check the next release notes for updates.