Release Notes 13 June 2026 · Gumshoe Team

Release Notes — June 2026

Street View fixed, smarter social media discovery, homepage cross-checks, and the support queue going live. Everything shipped in June 2026, in one place.

Every month we publish a record of what shipped. Not marketing copy — a factual list of what changed, why, and what it means for your verification results. June was a heavy month for infrastructure fixes and intelligence upgrades.

12+ Distinct improvements shipped across verification logic, UI, infrastructure, and data coverage
5 New cross-check signals added — each one an independent thread the check can now pull
3 Social media platforms now probed by name — LinkedIn, Facebook, Instagram — plus Linktree parsing

Street View: Images Now Actually Load

The Street View Pro tile was returning a broken image placeholder for most users. Two separate root causes, both fixed.

The Referer header problem. Google Maps Static API and Street View Static API both support HTTP referrer restrictions — a security feature that lets you lock an API key to only work from your domain. Our server-side image proxy was dutifully sending Referer: https://gumshoe.au/ with every request. For some key configurations, Google was rejecting this with a 403. Server-side proxies are not browsers and should not send Referer headers with API key requests; the header was removed. All map and street view image requests now succeed.

The Mapillary CDN expiry problem. Mapillary photo URLs expire. When Gumshoe ran the Street View check, it fetched a Mapillary photo URL and included it in the verification result. By the time the browser tried to load that URL (even a few seconds later), it had expired. The fix: the browser never sees the raw Mapillary URL. All imagery is now proxied server-side — the browser requests /api/sv-img, and Gumshoe re-fetches the current live URL from Mapillary at that moment. If Mapillary returns nothing for a location, the proxy falls back to a Google satellite map tile rather than showing a broken image.

Dual thumbnail layout. When Street View Pro resolves, the tile now shows two images side by side: a street-level photo (from Mapillary or Google Street View) and a satellite map thumbnail. Collapsed, they appear as an 80px header strip. Expanded, the street image and map stack in a left column beside the analysis detail. The combination lets you see both what the premises looks like at street level and where it sits geographically — in one tile.

Social Media: From Two Platforms to a Ranked Candidate List

What we shipped (feature: status)

  • Street View: Fixed
  • Smarter social media discovery: New
  • Homepage cross-checks: New
  • Support queue: New

The social tile previously checked LinkedIn and Facebook for matching business name slugs. June's update extends this significantly.

Instagram now probed. In addition to LinkedIn and Facebook, Gumshoe now probes Instagram for each entity name slug candidate. A business that uses @acmeplumbing on Instagram but doesn't link to it from their website will now surface as a candidate.

Linktree parsing. If a Linktree page exists for the entity's slug (linktr.ee/acmeplumbing), Gumshoe fetches it and extracts every social link from it. These links carry a source: linktree tag in the result — so you can see that the Instagram or Facebook account was found via the business's own Linktree page rather than inferred from the name alone.

JSON-LD sameAs parsing. Most business websites include structured data in their page source — a LocalBusiness block that explicitly declares the business's social media URLs via the sameAs field. When a website declares "sameAs": ["https://www.linkedin.com/company/acme", "https://facebook.com/acmeplumbing"], those URLs are now extracted and treated as confirmed profiles — the business itself declared them, which is the strongest possible signal.

Confidence tiers. All social candidates are now ranked into three tiers: confirmed (found on homepage or declared in JSON-LD), found (slug probe returned a live page, or extracted from Linktree), and possible (slug generated from entity name but not yet confirmed). The expanded social tile displays these in order, labelled so you know what's verified and what needs a manual look.

User-supplied social URL now used. The social profile field in the supplier details panel was previously sent to the server but silently ignored. It now flows into the check as a confirmed profile, with platform auto-detected from the URL.
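The sameAs extraction and tiering described above, sketched as an added example (not Gumshoe's own code). The function names, the source labels and the sample page are assumptions made for illustration; a profile found by several sources keeps its strongest tier, and look-alike hosts are rejected before any tier is assigned.

```javascript
// Constructed sample homepage; the business name and URLs are illustrative.
const SAMPLE_HTML = `<head>
<script type="application/ld+json">
{"@type":"LocalBusiness","name":"Acme Plumbing",
 "sameAs":["https://www.linkedin.com/company/acme","https://facebook.com/acmeplumbing"]}
</script>
<script type="application/ld+json">{ broken json </script>
</head>`;
const PLATFORMS = { 'linkedin.com': 'linkedin', 'facebook.com': 'facebook', 'instagram.com': 'instagram' };
// Tier for each discovery source (hypothetical labels), following the three tiers above.
const SOURCE_TIER = { jsonld: 'confirmed', user: 'confirmed', linktree: 'found', probe: 'found', slug: 'possible' };
const RANK = { confirmed: 0, found: 1, possible: 2 };

// Returns { platform, key } or null. The host must be a known platform domain or a
// subdomain of one, so a look-alike such as facebook.com.example.net is rejected.
function classify(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== 'https:') return null;
  const host = u.hostname.toLowerCase();
  const domain = Object.keys(PLATFORMS).find(d => host === d || host.endsWith('.' + d));
  if (!domain) return null;
  return { platform: PLATFORMS[domain], key: domain + u.pathname.toLowerCase().replace(/\/+$/, '') };
}

// Collects sameAs URLs from every JSON-LD block; malformed blocks are skipped.
function extractSameAs(html) {
  const re = /<script[^>]*type=["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script>/gi;
  const urls = [];
  for (const m of html.matchAll(re)) {
    let data;
    try { data = JSON.parse(m[1]); } catch { continue; }
    for (const node of [].concat(data)) {
      if (node && typeof node === 'object') urls.push(...[].concat(node.sameAs || []));
    }
  }
  return urls.filter(u => typeof u === 'string');
}

// Merges candidates from all sources, keeping the strongest tier per profile.
function rankCandidates(candidates) {
  const best = new Map();
  for (const { url, source } of candidates) {
    const c = classify(url), tier = SOURCE_TIER[source];
    if (!c || !tier) continue;
    const prev = best.get(c.key);
    if (!prev || RANK[tier] < RANK[prev.tier]) best.set(c.key, { url, source, tier, platform: c.platform });
  }
  return [...best.values()].sort((a, b) => RANK[a.tier] - RANK[b.tier]);
}
```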

Homepage Cross-Checks: What the Website Says About Itself

Every time Gumshoe fetches a supplier's website (for the web domain check), it now extracts structured data from the page source and cross-checks it against the registered record.

ABN on website vs checked ABN. Many Australian businesses display their ABN in the website footer. Gumshoe now reads it and compares. If the ABN on the website doesn't match the ABN being checked, the web tile downgrades from PASS to WARN and flags the mismatch. This catches the case where a fraudulent invoice uses a real ABN but links to a domain that actually belongs to a different entity.
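An added sketch of the ABN comparison described above (not Gumshoe's own code; the function names and sample footer are assumptions). It goes one step beyond the text by discarding any extracted number that fails the standard ABN checksum, so a mistyped footer does not produce a false mismatch.

```javascript
const ABN_WEIGHTS = [10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19];

// ABN checksum: subtract 1 from the first digit, multiply each digit by its
// weight, and the sum must be divisible by 89.
function isValidAbn(abn) {
  const d = String(abn).replace(/\s+/g, '');
  if (!/^\d{11}$/.test(d)) return false;
  const sum = [...d].reduce((acc, ch, i) => acc + (Number(ch) - (i === 0 ? 1 : 0)) * ABN_WEIGHTS[i], 0);
  return sum % 89 === 0;
}

// Finds "ABN 12 345 678 901"-style strings in the page text and keeps only
// checksum-valid values, so an unrelated 11-digit number is ignored.
function extractAbns(html) {
  const text = html.replace(/<[^>]*>/g, ' ');
  const found = new Set();
  for (const m of text.matchAll(/\bABN\s*:?\s*((?:\d\s?){11})(?!\d)/gi)) {
    const digits = m[1].replace(/\s+/g, '');
    if (isValidAbn(digits)) found.add(digits);
  }
  return [...found];
}

// Applies the rule described above: a site ABN that differs from the checked ABN
// downgrades PASS to WARN; no ABN on the site leaves the status unchanged.
function crossCheckAbn(checkedAbn, html, webStatus) {
  const checked = String(checkedAbn).replace(/\s+/g, '');
  const onSite = extractAbns(html);
  if (onSite.length === 0) return { status: webStatus, signal: 'none', onSite };
  if (onSite.includes(checked)) return { status: webStatus, signal: 'match', onSite };
  return { status: webStatus === 'PASS' ? 'WARN' : webStatus, signal: 'mismatch', onSite };
}

// Constructed footer; both ABNs below were built to satisfy the checksum and
// are not taken from any real record.
const SAMPLE_FOOTER = '<footer>&copy; Acme Plumbing Pty Ltd <span>ABN: 20 030 555 555</span></footer>';
const OTHER_ABN = '30 000 004 349';
```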

Phone on website vs invoice phone. If the supplier's website lists a phone number in structured data or a tel: link, and you've provided a phone number from the invoice, Gumshoe cross-checks them. A match is a corroborating signal; a mismatch appears in the web tile's expanded view as a data point worth checking.

Yellow Pages website cross-check. Yellow Pages listings include a website URL for most entries. Gumshoe now compares the YP-listed website against the domain found for the entity. If they differ — the YP listing says the website is acme.com.au but the invoice domain is acme-invoices.net — the web tile flags this and downgrades the status. A business with a mismatched YP website is not necessarily fraudulent, but it warrants a phone call before an invoice is paid.

"The ABN lookup tells you who they say they are. The website cross-check tells you whether the website agrees."

Domain Matching: Fewer False Confidence Scores

The auto-detected domain feature generates plausible domain candidates from an entity name and probes which ones are live. This is useful — but it was generating false-PASS results for low-quality matches.

The fix: domain candidates are now scored against the entity name before the status is determined. Stems of three characters or fewer get a score of 0.1 — not enough to pass. A domain like bs.com.au auto-detected for "B & S Bodyworks Pty Ltd" now returns WARN with a note that the domain match is low-confidence, rather than PASS. Short stems are too ambiguous to trust.

If you supply the domain explicitly (by typing it into the supplier details panel), the score is bypassed entirely — you've confirmed it, so no inference is needed.

Support Queue and Feedback Routing

The feedback form and flag-it button now route to a centralised support queue rather than sending raw email. Each item is classified by category and priority; a cron job runs hourly to auto-triage P3 items and escalate P1/P2 items for review. The support queue monitor produces a daily log at /srv/gumshoe/logs/support-YYYY-MM-DD.json covering what was actioned, what was escalated, and any patterns.

Individual Plan: Usage Quota Display

Individual tier accounts now see monthly phone check and Street View check usage in the dashboard — two progress bars showing used vs included checks, with a warning colour when approaching the limit. The display only appears for Individual accounts, since Enterprise accounts have different usage terms.

Infrastructure

Database backup restored. Daily backups had been silently failing since 11 June — the backup user was missing SELECT permission on the tester_events table (added during a schema migration). The grant was added; backups are now producing correct 765MB dumps again. The nightly cron runs at 02:00 AEST.

Tile regression suite: 13/13 passing. All 28+ verification tiles are covered by an automated test runner (scripts/tile-test.js) that calls the verify API with seeded test ABNs and validates each tile's status, label, and data fields. Back-to-back API calls were causing HTTP 429 rate limiting on the last two cases; a 2-second delay between cases resolved this. All 13 test cases pass cleanly.

Coming in July

The August pipeline is filling up. Immediately ahead: better handling of entities with no domain (the current WARN state is sometimes too aggressive for established sole traders), expanded network analysis for the Enterprise plan, and improved address cross-checks using ASIC registered office data. Longer term: PPSR registration checks and entity officer lookups are both dependent on data access arrangements that are in progress.

Release notes publish on the last Friday of each month. If something you expected to see isn't here, or you've found a behaviour that doesn't match what's described, use the feedback button in the dashboard.


Late June 2026 — Security, credits and infrastructure

A second wave of changes landed in the back half of June. These are mostly operator-facing and infrastructure, but several directly affect how unused payment balances are handled — worth reading if you have any purchased checks sitting idle.

Account credit system

Unused payment grants used to expire after 2 hours with no recovery path. That window is now 30 days, and when a grant does expire unused it automatically converts to a permanent account credit rather than disappearing. Credits carry no expiry.

  • Dashboard shows your credit balance as a green banner whenever you have funds available
  • Checkout auto-applies credits — if your balance covers the full amount, no card entry is required
  • Works on both per-check purchases and annual plan payments
  • An email goes out whenever a credit is created, so nothing is silently converted
  • Full ledger audit trail in account_credit_ledger — every debit and credit is recorded with source and timestamp

Payment grant expiry extended: 2 hours → 30 days

If you purchase a check bundle and don’t immediately run a verification, you now have 30 days before the grant converts. The previous 2-hour window was catching users who paid, got interrupted, and returned to find their grant gone.

Downtime voice calls via Twilio

The uptime monitor already sent email alerts. It now also places an outbound voice call if the site is down for 15 minutes or more (3 consecutive 5-minute checks). Email still fires at 10 minutes with a heads-up that a call will follow if the issue persists. The call uses Twilio’s Polly.Matthew voice and repeats the alert twice.

OCI multi-region deployment preparation

Infrastructure scripts are written and ready for an Oracle Cloud Free Tier ARM instance (4 OCPU / 24GB RAM) as primary production. The architecture: home server handles all data ingestion and pushes builds to OCI; Cloudflare DNS routes to OCI primary with automatic failover to the home server if OCI is unreachable. A cf-switch.sh script checks both origins every 5 minutes and flips the DNS A record if needed. OCI instance provisioning is pending Melbourne ARM capacity freeing up.

Security hardening

Several hardening changes shipped together:

  • Rate limiting added to register (5 attempts/hour) and forgot-password (10/hour) endpoints. Login already had rate limiting.
  • Email enumeration closed — the register endpoint previously returned a distinct error when an email was already in use. It now returns a generic response in all cases.
  • Server-side price re-derivation — the annual subscription endpoint was trusting the client’s submitted discountedCents value. It now re-derives the canonical price from the server-side tier allowlist and re-validates any promo code discount from the database before charging.
  • Content-Security-Policy headers added at both the Apache layer and SvelteKit hooks layer.
  • OCI SSH access restricted to home server IP only at both the VCN security list level and OS-level iptables (two independent layers).
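The price re-derivation fix from the list above, shown as an added before/after sketch (not the project's own endpoint code). The tier table, promo table, function names and the choice to reject an invalid promo code are assumptions; only discountedCents comes from the release note.

```javascript
// Hypothetical tier allowlist and promo table standing in for the database;
// tier names, prices and codes are constructed for this example.
const TIER_PRICES = new Map([['individual', 9900], ['enterprise', 49900]]);
const PROMO_DB = new Map([
  ['JUNE10', { percentOff: 10, active: true, expires: Date.parse('2026-07-31T00:00:00Z') }],
  ['OLD50', { percentOff: 50, active: true, expires: Date.parse('2026-01-01T00:00:00Z') }],
]);

// BEFORE (the behaviour described above): the charge is whatever the client submitted.
function amountTrustingClient(body) {
  return body.discountedCents;
}

// AFTER: only the tier name and promo code are read from the request. The amount
// is recomputed from server-side data, and a disagreeing client total is flagged.
function amountServerSide(body, now = Date.now()) {
  // Map lookup, so keys such as "__proto__" cannot resolve to anything.
  const base = TIER_PRICES.get(body.tier);
  if (base === undefined) throw new Error('unknown tier');
  let cents = base;
  if (body.promoCode !== undefined && body.promoCode !== null) {
    const promo = PROMO_DB.get(String(body.promoCode).toUpperCase());
    if (!promo || !promo.active || promo.expires <= now) throw new Error('invalid promo code');
    cents = base - Math.floor((base * promo.percentOff) / 100);
  }
  // The client total is never charged; a mismatch is only a signal worth logging.
  const clientMismatch = body.discountedCents !== undefined && body.discountedCents !== cents;
  return { cents, clientMismatch };
}
```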

OCI spend guardrail

A $0.01 budget alert is configured on the OCI tenancy. Any charge — however small — triggers an immediate email. The Always Free tier should mean this never fires, but the guardrail is there regardless.

Ingest health monitor cleanup

ato_sg_noncomplying and ato_tax_debt tables are permanently retired — no public bulk download exists for these datasets. They have been removed from the ingest health monitor entirely; they no longer appear in health check reports or alert emails.

Contains data sourced from the Australian Business Register and ASIC, © Commonwealth of Australia, licensed under CC BY 3.0 AU.