@appwarden/middleware 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Appwarden
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,110 @@
+# @appwarden/middleware
+
+![Test Coverage](https://img.shields.io/badge/coverage-97.58%25-brightgreen)
+[![npm version](https://img.shields.io/npm/v/@appwarden/middleware.svg)](https://www.npmjs.com/package/@appwarden/middleware)
+[![npm provenance](https://img.shields.io/badge/npm-provenance-green)](https://docs.npmjs.com/generating-provenance-statements)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+
+> Read the docs [to learn more](https://appwarden.io/docs)
+
+## Stop in progress attacks in their tracks
+
+### Core Features
+
+- **Instant Quarantine**: Immediately redirects all visitors to a maintenance page when activated
+- **Discord Integration**: Trigger lockdowns via Discord commands (`/quarantine lock your.app.io`)
+- **Nonce-based Content Security Policy**: On Cloudflare, deploy a nonce-based Content Security Policy to supercharge your website security
+
+### Performance Optimizations
+
+- **Background Synchronization**: Uses `waitUntil()` to update cache state without blocking responses
+- **Minimal Runtime Overhead**: Lightweight implementation with negligible performance impact
+
+## Installation
+
+Compatible with websites powered by [Cloudflare](https://developers.cloudflare.com/pages/) or [Vercel](https://vercel.com).
+
+For detailed usage instructions, please refer to our [documentation](https://appwarden.io/docs).
+
+### Cloudflare
+
+We recommend using the [`@appwarden/build-cloudflare-action`](https://github.com/appwarden/build-cloudflare-action) Github Action to deploy automatically on Cloudflare.
+
+> Read the docs [to get started](https://appwarden.io/docs/guides/cloudflare-integration)
+
+```typescript
+import {
+  withAppwarden,
+  useContentSecurityPolicy,
+} from "@appwarden/middleware/cloudflare"
+
+export default {
+  fetch: withAppwarden((context) => ({
+    debug: context.env.DEBUG,
+    lockPageSlug: context.env.LOCK_PAGE_SLUG,
+    appwardenApiToken: context.env.APPWARDEN_API_TOKEN,
+    middleware: {
+      before: [
+        useContentSecurityPolicy({
+          mode: "enforced",
+          directives: {
+            "script-src": ["self", "{{nonce}}"],
+            "style-src": ["self", "{{nonce}}"],
+          },
+        }),
+      ],
+    },
+  })),
+}
+```
+
+### Vercel
+
+> Read the docs [to get started](https://appwarden.io/docs/guides/vercel-integration)
+
+```typescript
+import { withAppwarden } from "@appwarden/middleware/vercel"
+
+export default withAppwarden({
+  cacheUrl: process.env.EDGE_CONFIG_URL || process.env.UPSTASH_URL,
+  appwardenApiToken: process.env.APPWARDEN_API_TOKEN,
+  vercelApiToken: process.env.VERCEL_API_TOKEN,
+  lockPageSlug: "/maintenance",
+})
+
+// Configures middleware to match all routes
+export const config = {
+  matcher: ["/((?!api|_next/static|_next/image|favicon.ico).*)"],
+}
+```
+
+## Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request.
+
+1. Fork the repository
+2. Create your feature branch (`git checkout -b feature/amazing-feature`)
+3. Commit your changes (`git commit -m 'Add some amazing feature'`)
+4. Push to the branch (`git push origin feature/amazing-feature`)
+5. Open a Pull Request
+
+## Development
+
+```bash
+# Install dependencies
+pnpm install
+
+# Build the package
+pnpm build
+
+# Run tests
+pnpm test
+```
+
+## Security
+
+This package is published with npm provenance enabled, which provides a verifiable link between the published package and its source code. For more information, see [npm provenance documentation](https://docs.npmjs.com/generating-provenance-statements).
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

package/chunk-47MLTBFC.js

@@ -0,0 +1,108 @@
+import {
+  LOCKDOWN_TEST_EXPIRY_MS
+} from "./chunk-JWUAFJ2E.js";
+
+// src/utils/errors.ts
+var errorsMap = {
+  mode: '`CSP_MODE` must be one of "disabled", "report-only", or "enforced"',
+  directives: {
+    ["DirectivesRequired" /* DirectivesRequired */]: '`CSP_DIRECTIVES` must be provided when `CSP_MODE` is "report-only" or "enforced"',
+    ["DirectivesBadParse" /* DirectivesBadParse */]: "Failed to parse `CSP_DIRECTIVES`. Is it a valid JSON string?"
+  },
+  appwardenApiToken: "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/guides/api-token-management."
+};
+var getErrors = (error) => {
+  const matches = [];
+  const errors = [...Object.entries(error.flatten().fieldErrors)];
+  for (const issue of error.issues) {
+    errors.push(
+      ...Object.entries(
+        "returnTypeError" in issue ? issue.returnTypeError.flatten().fieldErrors : {}
+      )
+    );
+  }
+  for (const [field, maybeSchemaErrorKey] of errors) {
+    let match = errorsMap[field];
+    if (match) {
+      if (match instanceof Object) {
+        if (maybeSchemaErrorKey) {
+          match = match[maybeSchemaErrorKey[0]];
+        }
+      }
+      matches.push(match);
+    }
+  }
+  return matches;
+};
+
+// src/utils/memory-cache.ts
+var MemoryCache = class {
+  cache = /* @__PURE__ */ new Map();
+  maxSize;
+  constructor(options) {
+    this.maxSize = options.maxSize;
+  }
+  get(key) {
+    let item;
+    if (this.cache.has(key)) {
+      item = this.cache.get(key);
+      this.cache.delete(key);
+      if (item !== void 0) {
+        this.cache.set(key, item);
+      }
+    }
+    return item;
+  }
+  put(key, value) {
+    if (this.cache.has(key)) {
+      this.cache.delete(key);
+    } else if (this.cache.size >= this.maxSize) {
+      const firstKey = this.cache.keys().next().value;
+      if (firstKey !== void 0) {
+        this.cache.delete(firstKey);
+      }
+    }
+    this.cache.set(key, value);
+  }
+  getValues() {
+    return this.cache;
+  }
+  // the default value will be expired here
+  static isExpired = (lockValue) => {
+    if (!lockValue) {
+      return true;
+    }
+    return Date.now() > lockValue.lastCheck + 3e4;
+  };
+  static isTestExpired = (lockValue) => {
+    if (!lockValue) {
+      return true;
+    }
+    return Date.now() > lockValue.isLockedTest + LOCKDOWN_TEST_EXPIRY_MS;
+  };
+};
+
+// src/schemas/helpers.ts
+import { z } from "zod";
+var BoolOrStringSchema = z.union([z.string(), z.boolean()]).optional();
+var BooleanSchema = BoolOrStringSchema.transform((val) => {
+  if (val === "true" || val === true) {
+    return true;
+  } else if (val === "false" || val === false) {
+    return false;
+  }
+  throw new Error("Invalid value");
+});
+var LockValue = z.object({
+  isLocked: z.number(),
+  isLockedTest: z.number(),
+  lastCheck: z.number(),
+  code: z.string()
+});
+
+export {
+  getErrors,
+  MemoryCache,
+  BooleanSchema,
+  LockValue
+};

package/chunk-JWUAFJ2E.js

@@ -0,0 +1,29 @@
+// src/constants.ts
+var LOCKDOWN_TEST_EXPIRY_MS = 5 * 60 * 1e3;
+var errors = { badCacheConnection: "BAD_CACHE_CONNECTION" };
+var globalErrors = [errors.badCacheConnection];
+var APPWARDEN_TEST_ROUTE = "/_appwarden/test";
+var APPWARDEN_USER_AGENT = "Appwarden-Monitor";
+var APPWARDEN_CACHE_KEY = "appwarden-lock";
+
+// src/utils/debug.ts
+var debug = (...msg) => {
+  if (true) {
+    console.log(...msg);
+  }
+};
+
+// src/utils/print-message.ts
+var addSlashes = (str) => str.replace(/[\\"'`]/g, "\\$&").replace(/\u0000/g, "\\0");
+var printMessage = (message) => `[@appwarden/middleware] ${addSlashes(message)}`;
+
+export {
+  LOCKDOWN_TEST_EXPIRY_MS,
+  errors,
+  globalErrors,
+  APPWARDEN_TEST_ROUTE,
+  APPWARDEN_USER_AGENT,
+  APPWARDEN_CACHE_KEY,
+  debug,
+  printMessage
+};

package/chunk-NZNMFDZ7.js

@@ -0,0 +1,145 @@
+import {
+  debug,
+  printMessage
+} from "./chunk-JWUAFJ2E.js";
+
+// src/schemas/use-content-security-policy.ts
+import { z as z2 } from "zod";
+
+// src/types/csp.ts
+import { z } from "zod";
+var stringySchema = z.union([z.array(z.string()), z.string(), z.boolean()]);
+var ContentSecurityPolicySchema = z.object({
+  "default-src": stringySchema.optional(),
+  "script-src": stringySchema.optional(),
+  "style-src": stringySchema.optional(),
+  "img-src": stringySchema.optional(),
+  "connect-src": stringySchema.optional(),
+  "font-src": stringySchema.optional(),
+  "object-src": stringySchema.optional(),
+  "media-src": stringySchema.optional(),
+  "frame-src": stringySchema.optional(),
+  sandbox: stringySchema.optional(),
+  "report-uri": stringySchema.optional(),
+  "child-src": stringySchema.optional(),
+  "form-action": stringySchema.optional(),
+  "frame-ancestors": stringySchema.optional(),
+  "plugin-types": stringySchema.optional(),
+  "base-uri": stringySchema.optional(),
+  "report-to": stringySchema.optional(),
+  "worker-src": stringySchema.optional(),
+  "manifest-src": stringySchema.optional(),
+  "prefetch-src": stringySchema.optional(),
+  "navigate-to": stringySchema.optional(),
+  "require-sri-for": stringySchema.optional(),
+  "block-all-mixed-content": stringySchema.optional(),
+  "upgrade-insecure-requests": stringySchema.optional(),
+  "trusted-types": stringySchema.optional(),
+  "require-trusted-types-for": stringySchema.optional()
+});
+
+// src/schemas/use-content-security-policy.ts
+var CSPDirectivesSchema = z2.union([
+  z2.string(),
+  ContentSecurityPolicySchema
+]);
+var CSPModeSchema = z2.union([
+  z2.literal("disabled"),
+  z2.literal("report-only"),
+  z2.literal("enforced")
+]).optional().default("disabled");
+var UseCSPInputSchema = z2.object({
+  mode: CSPModeSchema,
+  directives: CSPDirectivesSchema.optional().refine(
+    (val) => {
+      try {
+        if (typeof val === "string") {
+          JSON.parse(val);
+        }
+        return true;
+      } catch (error) {
+        return false;
+      }
+    },
+    { message: "DirectivesBadParse" /* DirectivesBadParse */ }
+  ).transform(
+    (val) => typeof val === "string" ? JSON.parse(val) : val
+  )
+}).refine(
+  (values) => (
+    // validate that directives are provided when the mode is "report-only" or "enforced"
+    ["report-only", "enforced"].includes(values.mode) ? !!values.directives : true
+  ),
+  { path: ["directives"], message: "DirectivesRequired" /* DirectivesRequired */ }
+);
+
+// src/utils/cloudflare/make-csp-header.ts
+var addNonce = (value, cspNonce) => value.replace("{{nonce}}", `'nonce-${cspNonce}'`);
+var makeCSPHeader = (cspNonce, directives, mode) => {
+  const namesSeen = /* @__PURE__ */ new Set(), result = [];
+  Object.entries(directives ?? {}).forEach(([originalName, value]) => {
+    const name = originalName.replace(/([a-z])([A-Z])/g, "$1-$2").toLowerCase();
+    if (namesSeen.has(name)) {
+      throw new Error(`${originalName} is specified more than once`);
+    }
+    namesSeen.add(name);
+    if (Array.isArray(value)) {
+      value = addNonce(value.join(" "), cspNonce);
+    } else if (value === true) {
+      value = "";
+    }
+    if (value) {
+      result.push(`${name} ${addNonce(value, cspNonce)}`);
+    } else if (value !== false) {
+      result.push(name);
+    }
+  });
+  return [
+    mode === "enforced" ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only",
+    result.join("; ")
+  ];
+};
+
+// src/middlewares/use-content-security-policy.ts
+var AppendAttribute = (attribute, nonce) => ({
+  element: function(element) {
+    element.setAttribute(attribute, nonce);
+  }
+});
+var useContentSecurityPolicy = (input) => {
+  const parsedInput = UseCSPInputSchema.safeParse(input);
+  if (!parsedInput.success) {
+    throw parsedInput.error;
+  }
+  const config = parsedInput.data;
+  return async (context, next) => {
+    await next();
+    const { response } = context;
+    if (
+      // if the csp is disabled
+      !["enforced", "report-only"].includes(config.mode)
+    ) {
+      debug(printMessage("csp is disabled"));
+      return;
+    }
+    if (response.headers.has("Content-Type") && !response.headers.get("Content-Type")?.includes("text/html")) {
+      return;
+    }
+    const cspNonce = btoa(crypto.getRandomValues(new Uint32Array(2)).toString());
+    const [cspHeaderName, cspHeaderValue] = makeCSPHeader(
+      cspNonce,
+      config.directives,
+      config.mode
+    );
+    const nextResponse = new Response(response.body, response);
+    nextResponse.headers.set(cspHeaderName, cspHeaderValue);
+    nextResponse.headers.set("content-type", "text/html; charset=utf-8");
+    context.response = new HTMLRewriter().on("style", AppendAttribute("nonce", cspNonce)).on("script", AppendAttribute("nonce", cspNonce)).transform(nextResponse);
+  };
+};
+
+export {
+  CSPDirectivesSchema,
+  CSPModeSchema,
+  useContentSecurityPolicy
+};

package/chunk-QEFORWCW.js

@@ -0,0 +1,84 @@
+// src/utils/is-cache-url.ts
+var getEdgeConfigId = (value = "") => {
+  if (isValidCacheUrl.edgeConfig(value)) {
+    const url = new URL(value);
+    return url.pathname.replace("/", "");
+  }
+  return void 0;
+};
+var isCacheUrl = {
+  /**
+   * Checks if a URL is a valid Edge Config URL (hostname check only)
+   * @param value The URL to check
+   * @returns True if the URL is a valid Edge Config URL, false otherwise
+   */
+  edgeConfig: (value = "") => {
+    try {
+      const url = new URL(value);
+      return url.hostname === "edge-config.vercel.com";
+    } catch {
+      return /^https:\/\/edge-config\.vercel\.com\//.test(value);
+    }
+  },
+  /**
+   * Checks if a URL is a valid Upstash URL (hostname check only)
+   * @param value The URL to check
+   * @returns True if the URL is a valid Upstash URL, false otherwise
+   */
+  upstash: (value = "") => {
+    try {
+      const url = new URL(value);
+      return url.hostname.endsWith(".upstash.io");
+    } catch {
+      return /^.*\.upstash\.io$/.test(value || "");
+    }
+  }
+};
+var isValidCacheUrl = {
+  /**
+   * Strictly validates an Edge Config URL
+   * @param value The URL to validate
+   * @returns True if the URL is a valid Edge Config URL, false otherwise
+   */
+  edgeConfig: (value = "") => {
+    try {
+      const url = new URL(value);
+      return (
+        // Only allow HTTPS for security
+        url.protocol === "https:" && // Exact hostname match
+        url.hostname === "edge-config.vercel.com" && // Path must start with /ecfg_
+        url.pathname.startsWith("/ecfg_") && // Must have a token parameter
+        url.searchParams.has("token") && // Token should not be empty
+        url.searchParams.get("token") !== ""
+      );
+    } catch {
+      return false;
+    }
+  },
+  /**
+   * Strictly validates an Upstash URL
+   * @param value The URL to validate
+   * @returns The password if the URL is valid, false otherwise
+   */
+  upstash: (value = "") => {
+    try {
+      const url = new URL(value);
+      if (
+        // Only allow redis: or rediss: protocols
+        ["redis:", "rediss:"].includes(url.protocol) && // Hostname must end with .upstash.io
+        url.hostname.endsWith(".upstash.io")
+      ) {
+        return url.password || "";
+      }
+      return false;
+    } catch {
+      return false;
+    }
+  }
+};
+
+export {
+  getEdgeConfigId,
+  isCacheUrl,
+  isValidCacheUrl
+};

package/cloudflare-2PkEr25r.d.ts

@@ -0,0 +1,99 @@
+import { z } from 'zod';
+
+declare const ContentSecurityPolicySchema: z.ZodObject<{
+    "default-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "script-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "style-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "img-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "connect-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "font-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "object-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "media-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "frame-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    sandbox: z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "report-uri": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "child-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "form-action": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "frame-ancestors": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "plugin-types": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "base-uri": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "report-to": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "worker-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "manifest-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "prefetch-src": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "navigate-to": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "require-sri-for": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "block-all-mixed-content": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "upgrade-insecure-requests": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "trusted-types": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+    "require-trusted-types-for": z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString, "many">, z.ZodString, z.ZodBoolean]>>;
+}, "strip", z.ZodTypeAny, {
+    "default-src"?: string | boolean | string[] | undefined;
+    "script-src"?: string | boolean | string[] | undefined;
+    "style-src"?: string | boolean | string[] | undefined;
+    "img-src"?: string | boolean | string[] | undefined;
+    "connect-src"?: string | boolean | string[] | undefined;
+    "font-src"?: string | boolean | string[] | undefined;
+    "object-src"?: string | boolean | string[] | undefined;
+    "media-src"?: string | boolean | string[] | undefined;
+    "frame-src"?: string | boolean | string[] | undefined;
+    sandbox?: string | boolean | string[] | undefined;
+    "report-uri"?: string | boolean | string[] | undefined;
+    "child-src"?: string | boolean | string[] | undefined;
+    "form-action"?: string | boolean | string[] | undefined;
+    "frame-ancestors"?: string | boolean | string[] | undefined;
+    "plugin-types"?: string | boolean | string[] | undefined;
+    "base-uri"?: string | boolean | string[] | undefined;
+    "report-to"?: string | boolean | string[] | undefined;
+    "worker-src"?: string | boolean | string[] | undefined;
+    "manifest-src"?: string | boolean | string[] | undefined;
+    "prefetch-src"?: string | boolean | string[] | undefined;
+    "navigate-to"?: string | boolean | string[] | undefined;
+    "require-sri-for"?: string | boolean | string[] | undefined;
+    "block-all-mixed-content"?: string | boolean | string[] | undefined;
+    "upgrade-insecure-requests"?: string | boolean | string[] | undefined;
+    "trusted-types"?: string | boolean | string[] | undefined;
+    "require-trusted-types-for"?: string | boolean | string[] | undefined;
+}, {
+    "default-src"?: string | boolean | string[] | undefined;
+    "script-src"?: string | boolean | string[] | undefined;
+    "style-src"?: string | boolean | string[] | undefined;
+    "img-src"?: string | boolean | string[] | undefined;
+    "connect-src"?: string | boolean | string[] | undefined;
+    "font-src"?: string | boolean | string[] | undefined;
+    "object-src"?: string | boolean | string[] | undefined;
+    "media-src"?: string | boolean | string[] | undefined;
+    "frame-src"?: string | boolean | string[] | undefined;
+    sandbox?: string | boolean | string[] | undefined;
+    "report-uri"?: string | boolean | string[] | undefined;
+    "child-src"?: string | boolean | string[] | undefined;
+    "form-action"?: string | boolean | string[] | undefined;
+    "frame-ancestors"?: string | boolean | string[] | undefined;
+    "plugin-types"?: string | boolean | string[] | undefined;
+    "base-uri"?: string | boolean | string[] | undefined;
+    "report-to"?: string | boolean | string[] | undefined;
+    "worker-src"?: string | boolean | string[] | undefined;
+    "manifest-src"?: string | boolean | string[] | undefined;
+    "prefetch-src"?: string | boolean | string[] | undefined;
+    "navigate-to"?: string | boolean | string[] | undefined;
+    "require-sri-for"?: string | boolean | string[] | undefined;
+    "block-all-mixed-content"?: string | boolean | string[] | undefined;
+    "upgrade-insecure-requests"?: string | boolean | string[] | undefined;
+    "trusted-types"?: string | boolean | string[] | undefined;
+    "require-trusted-types-for"?: string | boolean | string[] | undefined;
+}>;
+type ContentSecurityPolicyType = z.infer<typeof ContentSecurityPolicySchema>;
+
+declare global {
+    interface CloudflareEnv extends Bindings {
+    }
+}
+type Bindings = {
+    DEBUG: string | boolean;
+    LOCK_PAGE_SLUG: string;
+    CSP_MODE: "disabled" | "report-only" | "enforced";
+    CSP_DIRECTIVES: string | ContentSecurityPolicyType;
+    APPWARDEN_API_TOKEN: string;
+};
+
+export type { Bindings as B };

package/cloudflare.d.ts

@@ -0,0 +1,45 @@
+import { B as Bindings } from './cloudflare-2PkEr25r.js';
+import { z } from 'zod';
+import { M as Middleware } from './use-content-security-policy-C89AROtC.js';
+export { u as useContentSecurityPolicy } from './use-content-security-policy-C89AROtC.js';
+
+declare const ConfigFnInputSchema: z.ZodFunction<z.ZodTuple<[z.ZodType<{
+    env: CloudflareEnv;
+    cf: Record<string, unknown>;
+    ctx: unknown;
+}, z.ZodTypeDef, {
+    env: CloudflareEnv;
+    cf: Record<string, unknown>;
+    ctx: unknown;
+}>], z.ZodUnknown>, z.ZodObject<{
+    debug: z.ZodDefault<z.ZodEffects<z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodBoolean]>>, boolean, string | boolean | undefined>>;
+    lockPageSlug: z.ZodString;
+    appwardenApiToken: z.ZodEffects<z.ZodString, string, string>;
+} & {
+    middleware: z.ZodDefault<z.ZodObject<{
+        before: z.ZodDefault<z.ZodArray<z.ZodType<Middleware, z.ZodTypeDef, Middleware>, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        before: Middleware[];
+    }, {
+        before?: Middleware[] | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    debug: boolean;
+    lockPageSlug: string;
+    appwardenApiToken: string;
+    middleware: {
+        before: Middleware[];
+    };
+}, {
+    lockPageSlug: string;
+    appwardenApiToken: string;
+    debug?: string | boolean | undefined;
+    middleware?: {
+        before?: Middleware[] | undefined;
+    } | undefined;
+}>>;
+type CloudflareConfigType = ReturnType<z.infer<typeof ConfigFnInputSchema>>;
+
+declare const withAppwarden: (inputFn: CloudflareConfigType) => ExportedHandlerFetchHandler<Bindings>;
+
+export { withAppwarden };