Pulp Engine v0.37.0 — Release Notes
This release tightens release discipline, improves production operator guidance, and removes several invisible lazy-loading gaps in the editor. It adds a mojibake regression guard, consolidates hardened-production startup advisories without changing runtime defaults, introduces explicit loading fallbacks across high-impact Suspense boundaries, adds a root release verification script, and safely extracts the version-history dialog block from EditorShell.
What changed
1. Mojibake regression guard
A repository audit confirmed the source tree was clean, with no active encoding corruption. To keep it that way, this release adds a lightweight guard script:
- scripts/check-encoding.sh — grep-based check for common Latin-1 mojibake patterns
- package.json — new check:encoding script
- scripts/verify-release.sh — now runs the encoding guard as an explicit step
This is preventative only. No runtime behavior changed.
2. Hardened-production advisory consolidated, with behavior unchanged
Production startup hardening advisories were previously emitted as multiple separate console.warn calls. That made it easy for operators to miss the full set of missing controls.
Before: warnings for missing production controls were scattered across multiple log lines.
After: the API now emits a single consolidated hardening advisory block using hardeningViolations(), showing all missing production controls together in one place. The TRUST_PROXY misconfiguration warning remains separate because it is relevant outside production too.
Related docs were updated:
- .env.example — expanded HARDEN_PRODUCTION guidance with all enforced controls
- docs/deployment-guide.md — startup warning example updated; hardened mode now explicitly recommended for production deployments
- docs/release-checklist.md — enforced hardening item clarified and upgrade notes tightened
Important: runtime defaults are unchanged. HARDEN_PRODUCTION remains opt-in. No breaking change. No migration required.
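The consolidation described above, sketched as an added example (not Pulp Engine's own code or its hardeningViolations() implementation). The control names come from the Upgrade list in these notes; the function names, the per-control rules, the NODE_ENV production test and the message wording are assumptions.

```javascript
// Added sketch, not Pulp Engine source. Each rule below is an assumption
// inferred from the control names listed under "Upgrade" in these notes.
// TRUST_PROXY is left out: the notes say its warning stays separate.
const CONTROLS = [
  { name: "CORS_ALLOWED_ORIGINS",
    ok: (v) => Boolean(v) && !v.split(",").some((o) => o.trim() === "*"),
    hint: "list specific origins, not a wildcard" },
  { name: "DOCS_ENABLED",
    ok: (v) => v === "true" || v === "false",
    hint: "set explicitly to true or false" },
  { name: "METRICS_TOKEN",
    ok: (v) => Boolean(v && v.trim()),
    hint: "set a non-empty value" },
  { name: "REQUIRE_HTTPS",
    ok: (v) => v === "true",
    hint: "set to true" },
];

// Returns every missing control, never just the first one found.
function collectHardeningViolations(env) {
  return CONTROLS.filter((c) => !c.ok(env[c.name]))
                 .map((c) => `${c.name}: ${c.hint}`);
}

// Decides what startup should do; kept pure so it can be tested.
// Treating NODE_ENV === "production" as "production" is an assumption.
function startupAdvisory(env) {
  if (env.NODE_ENV !== "production") return { action: "ok", message: "" };
  const violations = collectHardeningViolations(env);
  if (violations.length === 0) return { action: "ok", message: "" };
  const message = [
    `Production hardening: ${violations.length} control(s) missing`,
    ...violations.map((v) => `  - ${v}`),
  ].join("\n");
  // HARDEN_PRODUCTION is opt-in: fail fast only when it is set to true.
  const action = env.HARDEN_PRODUCTION === "true" ? "fail" : "warn";
  return { action, message };
}

// Emits one block (or throws) instead of one console.warn per control.
function enforceAtStartup(env) {
  const { action, message } = startupAdvisory(env);
  if (action === "fail") throw new Error(message);
  if (action === "warn") console.warn(message);
  return action;
}
```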
3. Explicit loading states across key lazy boundaries
Several lazy-loaded editor boundaries still used fallback={null}, which could produce visible blank states while code-split chunks were loading.
This release adds reusable loading fallbacks:
- PanelLoadingFallback — inline spinner row for side-panel surfaces
- CanvasLoadingFallback — centered loading state for larger canvas-style regions
These replace fallback={null} across high-impact boundaries including:
- EditorShell.tsx — DocumentCanvas, PreviewPanel
- PropertiesPanel.tsx — multiple property-editor boundaries
- NodeRenderer.tsx — ChartNodeView
- RichTextNodeView.tsx
- App.tsx — lazy dialogs
- HeadingNodeProps.tsx
- TextNodeProps.tsx
CommandMenu intentionally remains null because it is keyboard-triggered and not a user-visible blank surface.
Net effect: first-load lazy transitions now provide visible feedback instead of appearing inert.
4. Full release verification script at repo root
This release adds a single release-oriented verification path:
- scripts/verify-release.sh
- package.json — new verify script
The script runs:
- version check
- encoding guard
- lint
- build
- Postgres tests
- file-mode tests
- SQL Server tests (skipped unless SQL_SERVER_URL is set)
- E2E tests (skipped unless RUN_E2E=true)
Skipped infrastructure-dependent steps are reported explicitly so local runs do not create false confidence.
5. Safe EditorShell decomposition
The version-history dialog Suspense block was extracted from EditorShell into:
apps/editor/src/components/shell/VersionHistorySection.tsx
The new component owns the lazy version-history boundary and its dialog-skeleton fallback, reads template and isApiTemplate directly from the store, and only requires three props:
- showHistory
- onClose
- onRestoreSuccess
This reduces EditorShell surface area and isolates one of its more complex UI branches without changing behavior.
Validation
Validated before release:
- pnpm typecheck — clean on @pulp-engine/api and @pulp-engine/editor
- pnpm --filter @pulp-engine/editor test — passing
- pnpm verify — passing local release path, with SQL Server and E2E correctly reported as skipped when CI-only infrastructure is unavailable
Upgrade
No schema migrations. No API contract changes. No environment-variable default changes.
If you want fail-fast production enforcement, continue to opt in explicitly by setting:
- HARDEN_PRODUCTION=true
- specific CORS_ALLOWED_ORIGINS
- explicit DOCS_ENABLED
- METRICS_TOKEN
- REQUIRE_HTTPS=true
- TRUST_PROXY=true
Then deploy the new image:
docker pull ghcr.io/OWNER/pulp-engine:v0.37.0