Release v0.51.0

Date: 2026-04-03

Security headers, starter pack library, and exhaustive documentation sweep.

Added

`@fastify/helmet` security headers

The API now registers @fastify/helmet to set baseline HTTP security headers on every response:

Route-aware Content-Security-Policy: Editor allows blob: and unsafe-inline for PDF preview and styles; Swagger UI defers to its own staticCSP; HTML render endpoints rely on the renderer’s <meta> CSP; all other routes use default-src 'none'.
Strict-Transport-Security: max-age=31536000; includeSubDomains when REQUIRE_HTTPS=true.
X-Frame-Options: DENY on all routes.
Referrer-Policy: strict-origin-when-cross-origin.
Permissions-Policy: clipboard-write=(self) for the editor; camera=(), microphone=(), geolocation=() for API routes.
Cross-origin isolation policies (CORP/COEP/COOP) are disabled to support cross-port editor development.

See deployment-guide.md § HTTP security headers.

23 starter packs

The new-template dialog now offers 23 starter packs (up from 5), organised into 4 category tabs:

Tab	Packs
Documents	Letter, Proposal, Meeting Minutes, Report, Certificate, Contract, NDA, Event Agenda, Product Sheet
Financial	Invoice (Recommended), Quote, Receipt, Credit Note, Expense Report, Timesheet, Statement
HR	Offer Letter, Pay Stub, Performance Review
Operations	Packing Slip, Purchase Order, Inventory Report

Blank is pinned above the tabs as the default. Each card shows a description, bestFor label, and optional Recommended badge. Selecting a pack auto-fills the template name.

Security-hardening test suite

New test file (apps/api/src/__tests__/security-hardening.test.ts) with 30+ assertions verifying:

CSP header presence and correctness per route category
HSTS presence when REQUIRE_HTTPS=true and absence when false
X-Frame-Options, Referrer-Policy, X-Content-Type-Options on all routes
Permissions-Policy per route

Documentation additions

RATE_LIMIT_MAX, RATE_LIMIT_RENDER_MAX, PREVIEW_BODY_LIMIT, APP_VERSION added to the deployment-guide env var table
GET /render/preview/status endpoint documented in the API guide
pulp_engine_renderer_status gauge metric added to the API guide metrics table
@fastify/helmet security headers section added to the deployment guide

Changed

Exhaustive documentation sweep

All documentation guides audited and aligned with the current codebase:

File	Changes
api-guide.md	Version strings updated (0.49.0 → 0.51.0), renderer_status metric added, preview/status endpoint documented
deployment-guide.md	Version string updated, 4 env vars added, /metrics auth wording corrected, helmet section added
editor-guide.md	Starter packs rewritten: 5 presets → 23 packs across 4 category tabs
evaluator-guide.md	Evaluation checklist expanded with v0.50.0+ editor features
demo-guide.md	Template count corrected
mvp-technical-spec.md	”Still deferred” section cleaned up (shipped features removed), auth description updated to reflect scoped credential model
README.md	API surface description expanded, version example updated
runbook.md	Version strings updated

Editor internals

EditorShell decomposed for maintainability
NewTemplateDialog refactored to card-based picker with category tabs
Vitest configs updated for html-renderer and pdf-renderer coverage

Validation evidence

Check	Method	Result
Version consistency	`node scripts/check-version.mjs`	CI-verified
Build	`pnpm build`	CI-verified
Lint	`pnpm lint`	CI-verified
Typecheck	`pnpm typecheck`	CI-verified
Tests	`pnpm test`	CI-verified
No stale version strings	`grep -r "0.49.0" docs/`	Locally verified — zero hits
Starter pack count	`grep -c "id: '" starter-packs.ts`	Locally verified — 23
Metrics auth wording	Manual review of deployment-guide.md	Locally verified

← Back to releases