Pulp Engine Document Rendering
Release v0.54.0

Date: 2026-04-05

Paginated collection responses, request correlation, and stricter hardened-production enforcement.


API changes

Paginated collection endpoints

GET /templates, GET /templates/:key/versions, and GET /assets now return pagination envelopes:

{
  "items": [],
  "total": 0,
  "limit": 50,
  "offset": 0
}

This is a breaking response-shape change for direct API consumers. First-party UIs now request limit=1000 and warn in the browser console if the server truncates results.

X-Request-ID on every response

Every HTTP response now includes an X-Request-ID UUID generated by the server. Use it to correlate client-side failures with API structured logs (reqId).

Client-supplied X-Request-ID values are ignored. Correlation IDs are server-owned to keep log linkage trustworthy.


Hardened production

BLOCK_REMOTE_RESOURCES is now required

When HARDEN_PRODUCTION=true, the API now requires BLOCK_REMOTE_RESOURCES=true. The previous advisory-only warning path has been removed. Hardened deployments that do not set it will fail startup.

Named-user enforcement for editor-capable hardened deployments

When hardened mode is enabled and editor login is possible (API_KEY_EDITOR, API_KEY_ADMIN, or legacy API_KEY present), the server now requires either:

  • EDITOR_USERS_JSON
  • ALLOW_SHARED_KEY_EDITOR=true

ALLOW_SHARED_KEY_EDITOR is the explicit opt-out for operators who still want shared-key editor identity in hardened mode.

Migration

Existing hardened deployments should add:

BLOCK_REMOTE_RESOURCES=true
# If editor login is enabled but EDITOR_USERS_JSON is not configured:
ALLOW_SHARED_KEY_EDITOR=true
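
A preflight check for the hardened-mode requirements above, useful as a CI gate on deployment env files before upgrading. This is an added example, not Pulp Engine's own startup code: `parseEnvFile` and `checkHardened` are hypothetical names, and treating a flag as enabled only when it equals `true` and a key as present only when non-empty are assumptions about how the server reads these variables.

```typescript
// Added example: preflight check, not Pulp Engine's own startup code.
type Env = Record<string, string | undefined>;

// Assumption: a flag counts as enabled only when it is exactly "true".
const isTrue = (v: string | undefined): boolean => v === "true";
// Assumption: a variable is "present" when it is set to a non-empty value.
const isSet = (v: string | undefined): boolean => v !== undefined && v.trim() !== "";

// Minimal KEY=VALUE parser for env files: skips blank lines and # comments.
function parseEnvFile(text: string): Env {
  const env: Env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue; // not a KEY=VALUE line
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

// Returns the v0.54.0 hardened-mode requirements this environment violates.
function checkHardened(env: Env): string[] {
  const problems: string[] = [];
  if (!isTrue(env["HARDEN_PRODUCTION"])) return problems; // rules apply to hardened mode only
  if (!isTrue(env["BLOCK_REMOTE_RESOURCES"])) {
    problems.push("BLOCK_REMOTE_RESOURCES=true is required");
  }
  // Editor login is possible when any of these keys is configured.
  const editorLogin = ["API_KEY_EDITOR", "API_KEY_ADMIN", "API_KEY"].some((k) => isSet(env[k]));
  if (editorLogin && !isSet(env["EDITOR_USERS_JSON"]) && !isTrue(env["ALLOW_SHARED_KEY_EDITOR"])) {
    problems.push("set EDITOR_USERS_JSON or ALLOW_SHARED_KEY_EDITOR=true");
  }
  return problems;
}

// Constructed sample: a pre-0.54.0 hardened environment and its migrated form.
const before = parseEnvFile("HARDEN_PRODUCTION=true\nAPI_KEY_ADMIN=placeholder-admin-key\n");
const after = parseEnvFile(
  "HARDEN_PRODUCTION=true\nAPI_KEY_ADMIN=placeholder-admin-key\n" +
    "BLOCK_REMOTE_RESOURCES=true\n# shared-key editor identity kept on purpose\n" +
    "ALLOW_SHARED_KEY_EDITOR=true\n"
);
console.log(checkHardened(before)); // both requirements reported
console.log(checkHardened(after)); // no problems
```

To check a live environment instead of a file, pass `process.env` to `checkHardened`.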

Reliability

Test isolation fixes

This release also includes targeted test-stability fixes:

  • fake-timer safety net in auth.test.ts
  • file-level store reset in ChartNodeView.test.tsx
  • targeted mock reset in login-identity.test.tsx