v4.0.0 8 February 2026

Sage UK Foundation

SpeyBooks 4.0.0 is a foundational release. The chart of accounts, security posture, and frontend performance have been rebuilt from the ground up. Every new signup now gets a Sage-aligned UK chart of accounts that any accountant will recognise.

This release consolidates 13 incremental versions (3.6.4–3.6.17) shipped in a single day of focused development.
Chart of Accounts — Sage UK Standard

The default chart of accounts has been completely replaced with 118 accounts aligned to the Sage UK convention — the de facto standard used by thousands of UK accountants.

  • Plan-aware seeding — sole traders and limited companies receive the correct accounts at signup
  • Sole trader: Capital, Capital Introduced, Drawings
  • Limited company: Share Capital, Director Loan Account, Dividends, Corporation Tax
  • Full VAT breakdown across four accounts (VAT on Sales, VAT on Purchases, VAT Liability, VAT Allocations) — ready for Making Tax Digital
  • Fixed assets with depreciation pairs — property, plant and machinery, office equipment, fixtures, motor vehicles
  • Control accounts with typed constraints — 30+ control types enforced at database level
  • Opening Balances (9998) and Suspense (9999) — essential for data migration and reconciliation
  • Granular overheads — premises, utilities, vehicle, travel, office, professional fees, each with correct default VAT rates (20% standard, 5% reduced, 0% exempt)

Security Hardening

Every item on the pre-launch security checklist has been completed.

  • Automated daily database backups to S3 with verified restore and 90-day lifecycle
  • PostgreSQL 15 → 17 upgrade with security improvements
  • Auth rate limiting on all 7 authentication endpoints
  • Session invalidation on password change — existing sessions revoked immediately
  • Fail2ban with 4 jails protecting SSH, nginx, and application endpoints
  • UFW firewall — only ports 22, 80, 443 open
  • Content Security Policy on all 4 domains
  • HSTS preload submitted to browser inclusion lists
  • security.txt deployed on all domains with correct contact and policy URLs
  • DNS CAA records restricting certificate issuance to Let’s Encrypt
  • Database role separation — application connects with least-privilege role
  • SSL Labs A+ rating — TLS 1.3, HSTS, EC 256-bit key
  • robots.txt on app and API domains to prevent indexing of authenticated content
  • Docker removed — direct process management, reduced attack surface
  • OS-level updates applied

API Key Rotation

  • New endpoint: POST /api/v1/api-keys/:id/rotate generates a replacement key with the same name and scopes
  • 24-hour grace period — the old key remains valid during transition, then auto-expires
  • Double-rotation protection — cannot rotate a key that is already rotating
  • Full audit trail — rotation events logged with key lineage tracking
  • Frontend UI — rotate button, amber status indicator, grace period countdown, new key reveal

Performance

  • Code splitting — 41 pages lazy-loaded on demand with vendor chunk separation
  • Initial bundle reduced from 1,020 kB to 84 kB — users download only the JavaScript they need
  • Vendor chunks cached independently: React, data layer, utilities, UI components
  • Build time improved from 15s to 14s

Infrastructure

  • Log retention aligned to GDPR and HMRC requirements (7-year financial, 2-year access, 30-day debug)
  • Failed login monitoring with real-time alerting
  • CORS configuration corrected for production domains
  • Duplicate TLS certificates cleaned
  • pg_hba.conf reviewed and hardened
  • SEO fixes — favicon.ico, registration error hardening