
Pulp Engine v0.37.0 — Release Notes

This release tightens release discipline, improves production operator guidance, and removes several invisible lazy-loading gaps in the editor. It adds a mojibake regression guard, consolidates hardened-production startup advisories without changing runtime defaults, introduces explicit loading fallbacks across high-impact Suspense boundaries, adds a root release verification script, and safely extracts the version-history dialog block from EditorShell.


What changed

1. Mojibake regression guard

A repository audit confirmed the source tree was clean, with no active encoding corruption. To keep it that way, this release adds a lightweight guard script:

  • scripts/check-encoding.sh — grep-based check for common Latin-1 mojibake patterns
  • package.json — new check:encoding script
  • scripts/verify-release.sh — now runs the encoding guard as an explicit step

This is preventative only. No runtime behavior changed.

2. Hardened-production advisory consolidated, with behavior unchanged

Production startup hardening advisories were previously emitted as multiple separate console.warn calls. That made it easy for operators to miss the full set of missing controls.

Before: warnings for missing production controls were scattered across multiple log lines.

After: the API now emits a single consolidated hardening advisory block using hardeningViolations(), showing all missing production controls together in one place. The TRUST_PROXY misconfiguration warning remains separate because it is relevant outside production too.

Related docs were updated:

  • .env.example — expanded HARDEN_PRODUCTION guidance with all enforced controls
  • docs/deployment-guide.md — startup warning example updated; hardened mode now explicitly recommended for production deployments
  • docs/release-checklist.md — enforced hardening item clarified and upgrade notes tightened

Important: runtime defaults are unchanged. HARDEN_PRODUCTION remains opt-in. No breaking change. No migration required.
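The sketch below shows the consolidation pattern described in this section: collect every missing control first, then emit one block, and fail fast only when enforcement is opted in. It is an added example, not Pulp Engine's own code. The function names, the use of NODE_ENV, and the exact acceptance rules are assumptions; the control names are taken from the Upgrade list in these notes.

```typescript
// Added illustration, not Pulp Engine source. All names here are hypothetical.
type Env = Record<string, string | undefined>;
interface Gap { control: string; reason: string }

// Controls come from the Upgrade list in these notes. The acceptance rules
// (for example, what counts as a "specific" origin list) are assumptions.
function collectHardeningGaps(env: Env): Gap[] {
  const gaps: Gap[] = [];
  const origins = (env.CORS_ALLOWED_ORIGINS || "")
    .split(",").map((o) => o.trim()).filter((o) => o.length > 0);
  if (origins.length === 0 || origins.indexOf("*") !== -1) {
    gaps.push({ control: "CORS_ALLOWED_ORIGINS", reason: "list specific origins (empty or * found)" });
  }
  if (env.DOCS_ENABLED !== "true" && env.DOCS_ENABLED !== "false") {
    gaps.push({ control: "DOCS_ENABLED", reason: "set explicitly to true or false" });
  }
  if (!env.METRICS_TOKEN) {
    gaps.push({ control: "METRICS_TOKEN", reason: "no token configured" });
  }
  for (const flag of ["REQUIRE_HTTPS", "TRUST_PROXY"]) {
    if (env[flag] !== "true") gaps.push({ control: flag, reason: "expected true" });
  }
  return gaps;
}

// One block for all gaps, so an operator sees the full set in one place.
function formatAdvisory(gaps: Gap[]): string {
  const header = `Hardening advisory: ${gaps.length} production control(s) missing`;
  return [header].concat(gaps.map((g, i) => `  ${i + 1}. ${g.control}: ${g.reason}`)).join("\n");
}

// Advisory only by default; fail fast only when HARDEN_PRODUCTION=true (opt-in).
// Using NODE_ENV to detect production is an assumption of this sketch.
function startupCheck(env: Env): { advisory: string | null } {
  if (env.NODE_ENV !== "production") return { advisory: null };
  const gaps = collectHardeningGaps(env);
  if (gaps.length === 0) return { advisory: null };
  const advisory = formatAdvisory(gaps);
  if (env.HARDEN_PRODUCTION === "true") throw new Error(advisory);
  return { advisory };
}

// Constructed sample environment: production, enforcement not opted in.
const sampleEnv: Env = {
  NODE_ENV: "production", CORS_ALLOWED_ORIGINS: "*",
  METRICS_TOKEN: "constructed-token", REQUIRE_HTTPS: "true",
};
const sampleResult = startupCheck(sampleEnv);
if (sampleResult.advisory) console.warn(sampleResult.advisory);
```

With the constructed environment, the advisory lists three gaps in one block and startup continues; the same environment with HARDEN_PRODUCTION=true throws instead.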

3. Explicit loading states across key lazy boundaries

Several lazy-loaded editor boundaries still used fallback={null}, which could produce visible blank states while code-split chunks were loading.

This release adds reusable loading fallbacks:

  • PanelLoadingFallback — inline spinner row for side-panel surfaces
  • CanvasLoadingFallback — centered loading state for larger canvas-style regions

These replace fallback={null} across high-impact boundaries including:

  • EditorShell.tsx: DocumentCanvas, PreviewPanel
  • PropertiesPanel.tsx — multiple property-editor boundaries
  • NodeRenderer.tsx: ChartNodeView
  • RichTextNodeView.tsx
  • App.tsx — lazy dialogs
  • HeadingNodeProps.tsx
  • TextNodeProps.tsx

CommandMenu intentionally remains null because it is keyboard-triggered and not a user-visible blank surface.

Net effect: first-load lazy transitions now provide visible feedback instead of appearing inert.

4. Full release verification script at repo root

This release adds a single release-oriented verification path:

  • scripts/verify-release.sh
  • package.json — new verify script

The script runs:

  1. version check
  2. encoding guard
  3. lint
  4. build
  5. Postgres tests
  6. file-mode tests
  7. SQL Server tests (skipped unless SQL_SERVER_URL is set)
  8. E2E tests (skipped unless RUN_E2E=true)

Skipped infrastructure-dependent steps are reported explicitly so local runs do not create false confidence.

5. Safe EditorShell decomposition

The version-history dialog Suspense block was extracted from EditorShell into:

  • apps/editor/src/components/shell/VersionHistorySection.tsx

The new component owns the lazy version-history boundary and its dialog-skeleton fallback, reads template and isApiTemplate directly from the store, and only requires three props:

  • showHistory
  • onClose
  • onRestoreSuccess

This reduces EditorShell surface area and isolates one of its more complex UI branches without changing behavior.


Validation

Validated before release:

  • pnpm typecheck — clean on @pulp-engine/api and @pulp-engine/editor
  • pnpm --filter @pulp-engine/editor test — passing
  • pnpm verify — passing local release path, with SQL Server and E2E correctly reported as skipped when CI-only infrastructure is unavailable

Upgrade

No schema migrations. No API contract changes. No environment-variable default changes.

If you want fail-fast production enforcement, continue to opt in explicitly by setting:

  • HARDEN_PRODUCTION=true
  • specific CORS_ALLOWED_ORIGINS
  • explicit DOCS_ENABLED
  • METRICS_TOKEN
  • REQUIRE_HTTPS=true
  • TRUST_PROXY=true

Then deploy the new image:

docker pull ghcr.io/OWNER/pulp-engine:v0.37.0