@appwarden/middleware 3.11.6 → 3.12.0

package/chunk-NV7K5PRA.js

@@ -0,0 +1,36 @@
+// src/utils/errors.ts
+var errorsMap = {
+  mode: '`CSP_MODE` must be one of "disabled", "report-only", or "enforced"',
+  directives: {
+    ["DirectivesRequired" /* DirectivesRequired */]: '`CSP_DIRECTIVES` must be provided when `CSP_MODE` is "report-only" or "enforced"',
+    ["DirectivesBadParse" /* DirectivesBadParse */]: "Failed to parse `CSP_DIRECTIVES`. Is it a valid JSON string?"
+  },
+  appwardenApiToken: "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/guides/api-token-management."
+};
+var getErrors = (error) => {
+  const matches = [];
+  const errors = [...Object.entries(error.flatten().fieldErrors)];
+  for (const issue of error.issues) {
+    errors.push(
+      ...Object.entries(
+        "returnTypeError" in issue ? issue.returnTypeError.flatten().fieldErrors : {}
+      )
+    );
+  }
+  for (const [field, maybeSchemaErrorKey] of errors) {
+    let match = errorsMap[field];
+    if (match) {
+      if (match instanceof Object) {
+        if (maybeSchemaErrorKey) {
+          match = match[maybeSchemaErrorKey[0]];
+        }
+      }
+      matches.push(match);
+    }
+  }
+  return matches;
+};
+
+export {
+  getErrors
+};

package/{chunk-ZTVJBORU.js → chunk-Z7P4QVEY.js}

@@ -3,10 +3,41 @@ var LOCKDOWN_TEST_EXPIRY_MS = 5 * 60 * 1e3;
 var errors = { badCacheConnection: "BAD_CACHE_CONNECTION" };
 var globalErrors = [errors.badCacheConnection];
 var APPWARDEN_TEST_ROUTE = "/_appwarden/test";
+var APPWARDEN_HEARTBEAT_ROUTE = "/_appwarden/heartbeat";
+var HEARTBEAT_CONTRACT_VERSION = 1;
+var HEARTBEAT_CONFIG_ERROR_MAX_COUNT = 10;
+var HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH = 10;
+var HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH = 100;
+var HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH = 500;
+var HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH = 100;
 var APPWARDEN_CACHE_KEY = "appwarden-lock";
+var HEARTBEAT_SERVICE_VALUES = [
+  "cloudflare",
+  "cloudflare-astro",
+  "cloudflare-react-router",
+  "cloudflare-tanstack-start",
+  "cloudflare-nextjs",
+  "vercel"
+];
+var [
+  CLOUDFLARE,
+  CLOUDFLARE_ASTRO,
+  CLOUDFLARE_REACT_ROUTER,
+  CLOUDFLARE_TANSTACK_START,
+  CLOUDFLARE_NEXTJS,
+  VERCEL
+] = HEARTBEAT_SERVICE_VALUES;
+var HEARTBEAT_SERVICES = {
+  CLOUDFLARE,
+  CLOUDFLARE_ASTRO,
+  CLOUDFLARE_REACT_ROUTER,
+  CLOUDFLARE_TANSTACK_START,
+  CLOUDFLARE_NEXTJS,
+  VERCEL
+};
 
 // src/schemas/use-content-security-policy.ts
-import { z as z2 } from "zod";
+import { z as z3 } from "zod";
 
 // src/types/csp.ts
 import { z } from "zod";
@@ -40,17 +71,40 @@ var ContentSecurityPolicySchema = z.object({
   "require-trusted-types-for": stringySchema.optional()
 });
 
+// src/schemas/helpers.ts
+import { z as z2 } from "zod";
+var BoolOrStringSchema = z2.union([z2.string(), z2.boolean()]).optional();
+var BooleanSchema = BoolOrStringSchema.transform((val) => {
+  if (val === "true" || val === true) {
+    return true;
+  } else if (val === "false" || val === false) {
+    return false;
+  }
+  throw new Error("Invalid value");
+});
+var AppwardenApiTokenSchema = z2.string().refine((val) => !!val, { message: "appwardenApiToken is required" });
+var AppwardenApiHostnameSchema = z2.string().url({
+  message: "Invalid `appwardenApiHostname`. Please provide an absolute URL (e.g. https://api.appwarden.io)."
+}).refine((value) => value.startsWith("https://"), {
+  message: "`appwardenApiHostname` must use the https:// scheme (e.g. https://api.appwarden.io)."
+});
+var LockValue = z2.object({
+  isLocked: z2.number(),
+  isLockedTest: z2.number(),
+  lastCheck: z2.number()
+});
+
 // src/schemas/use-content-security-policy.ts
-var CSPDirectivesSchema = z2.union([
-  z2.string(),
+var CSPDirectivesSchema = z3.union([
+  z3.string(),
   ContentSecurityPolicySchema
 ]);
-var CSPModeSchema = z2.union([
-  z2.literal("disabled"),
-  z2.literal("report-only"),
-  z2.literal("enforced")
+var CSPModeSchema = z3.union([
+  z3.literal("disabled"),
+  z3.literal("report-only"),
+  z3.literal("enforced")
 ]);
-var UseCSPInputSchema = z2.object({
+var UseCSPInputSchema = z3.object({
   mode: CSPModeSchema,
   directives: CSPDirectivesSchema.refine(
     (val) => {
@@ -74,7 +128,19 @@ export {
   errors,
   globalErrors,
   APPWARDEN_TEST_ROUTE,
+  APPWARDEN_HEARTBEAT_ROUTE,
+  HEARTBEAT_CONTRACT_VERSION,
+  HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
   APPWARDEN_CACHE_KEY,
+  HEARTBEAT_SERVICES,
+  BooleanSchema,
+  AppwardenApiTokenSchema,
+  AppwardenApiHostnameSchema,
+  LockValue,
   CSPDirectivesSchema,
   CSPModeSchema,
   UseCSPInputSchema

package/cloudflare/astro.d.ts

@@ -270,8 +270,8 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    debug: boolean;
     lockPageSlug: string;
+    debug: boolean;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -308,7 +308,6 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
-    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -340,6 +339,7 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
+    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type AstroCloudflareConfig = z.infer<typeof AstroCloudflareConfigSchema>;

package/cloudflare/astro.js

@@ -1,34 +1,35 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-UFWJYCX6.js";
-import "../chunk-WBWF3PPX.js";
+} from "../chunk-M2YVPCTG.js";
+import "../chunk-ILIYP3TG.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-QC2ZUZWY.js";
+} from "../chunk-EXGUJ5XK.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
+  createHeartbeatConfigError,
   createRedirect,
   debug,
+  handleHeartbeatRequest,
   isHTMLRequest,
-  isOnLockPage
-} from "../chunk-AY4ZKZTF.js";
-import {
-  UseCSPInputSchema
-} from "../chunk-ZTVJBORU.js";
-import {
-  printMessage
-} from "../chunk-R7TXTHSG.js";
+  isHeartbeatRequest,
+  isOnLockPage,
+  printMessage,
+  sanitizeConfigErrors
+} from "../chunk-HTSD4WPC.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
-  BooleanSchema
-} from "../chunk-WEM7GS4M.js";
+  BooleanSchema,
+  HEARTBEAT_SERVICES,
+  UseCSPInputSchema
+} from "../chunk-Z7P4QVEY.js";
 
 // src/adapters/astro-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";
@@ -49,13 +50,50 @@ var AstroCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/astro-cloudflare.ts
+var createAstroHeartbeatResponse = (request, runtime, configFn) => {
+  if (!runtime) {
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_ASTRO,
+      [
+        createHeartbeatConfigError(
+          ["runtime"],
+          "custom",
+          "Cloudflare runtime unavailable"
+        )
+      ]
+    );
+  }
+  try {
+    const validationResult = AstroCloudflareConfigSchema.safeParse(
+      configFn(runtime)
+    );
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_ASTRO,
+      validationResult.success ? [] : sanitizeConfigErrors(validationResult.error)
+    );
+  } catch {
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_ASTRO,
+      [
+        createHeartbeatConfigError(
+          ["config"],
+          "custom",
+          "Appwarden config evaluation failed"
+        )
+      ]
+    );
+  }
+};
 function createAppwardenMiddleware(configFn) {
   return async (context, next) => {
     const startTime = getNowMs();
     const { request } = context;
     let config;
     let debugFn;
-    let requestUrl;
+    const requestUrl = new URL(request.url);
     const applyCspToResponse = async (response2) => {
       if (!config.contentSecurityPolicy || !isResponseLike(response2)) {
         return response2;
@@ -79,6 +117,9 @@ function createAppwardenMiddleware(configFn) {
       }
     };
     const locals = context.locals;
+    if (isHeartbeatRequest(request, requestUrl)) {
+      return createAstroHeartbeatResponse(request, locals.runtime, configFn);
+    }
     try {
       const runtime = locals.runtime;
       if (!runtime) {
@@ -101,7 +142,6 @@ function createAppwardenMiddleware(configFn) {
       }
       config = validationResult.data;
       debugFn = debug(config.debug);
-      requestUrl = new URL(request.url);
       const isHTML = isHTMLRequest(request);
       debugFn(
         `Appwarden middleware invoked for ${requestUrl.pathname}`,

package/cloudflare/nextjs.d.ts

@@ -329,8 +329,8 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    debug: boolean;
     lockPageSlug: string;
+    debug: boolean;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -367,7 +367,6 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
-    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -399,6 +398,7 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
+    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type NextJsCloudflareConfig = z.infer<typeof NextJsCloudflareConfigSchema>;

package/cloudflare/nextjs.js

@@ -1,30 +1,36 @@
+import {
+  toNextResponse
+} from "../chunk-HUWGPM4M.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-QC2ZUZWY.js";
+} from "../chunk-EXGUJ5XK.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
+  createHeartbeatConfigError,
   debug,
+  handleHeartbeatRequest,
   isHTMLRequest,
-  isOnLockPage
-} from "../chunk-AY4ZKZTF.js";
-import {
-  UseCSPInputSchema
-} from "../chunk-ZTVJBORU.js";
-import {
-  printMessage
-} from "../chunk-R7TXTHSG.js";
+  isHeartbeatRequest,
+  isOnLockPage,
+  makeCSPHeader,
+  printMessage,
+  sanitizeConfigErrors
+} from "../chunk-HTSD4WPC.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
-  BooleanSchema
-} from "../chunk-WEM7GS4M.js";
+  BooleanSchema,
+  HEARTBEAT_SERVICES,
+  UseCSPInputSchema
+} from "../chunk-Z7P4QVEY.js";
 
 // src/adapters/nextjs-cloudflare.ts
+import { getCloudflareContext } from "@opennextjs/cloudflare";
 import {
   NextResponse
 } from "next/server";
@@ -56,12 +62,53 @@ var NextJsCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/nextjs-cloudflare.ts
+var createNextJsHeartbeatResponse = (request, configFn) => {
+  let runtime;
+  try {
+    runtime = getCloudflareContext();
+  } catch {
+    return toNextResponse(
+      handleHeartbeatRequest(request, HEARTBEAT_SERVICES.CLOUDFLARE_NEXTJS, [
+        createHeartbeatConfigError(
+          ["context"],
+          "custom",
+          "Cloudflare context unavailable"
+        )
+      ])
+    );
+  }
+  try {
+    const validationResult = NextJsCloudflareConfigSchema.safeParse(
+      configFn(runtime)
+    );
+    return toNextResponse(
+      handleHeartbeatRequest(
+        request,
+        HEARTBEAT_SERVICES.CLOUDFLARE_NEXTJS,
+        validationResult.success ? [] : sanitizeConfigErrors(validationResult.error)
+      )
+    );
+  } catch {
+    return toNextResponse(
+      handleHeartbeatRequest(request, HEARTBEAT_SERVICES.CLOUDFLARE_NEXTJS, [
+        createHeartbeatConfigError(
+          ["config"],
+          "custom",
+          "Appwarden config evaluation failed"
+        )
+      ])
+    );
+  }
+};
 function createAppwardenMiddleware(configFn) {
   return async (request, _event) => {
     const startTime = getNowMs();
+    const requestUrl = new URL(request.url);
+    if (isHeartbeatRequest(request, requestUrl)) {
+      return createNextJsHeartbeatResponse(request, configFn);
+    }
     try {
-      const { getCloudflareContext } = await import("@opennextjs/cloudflare");
-      const { env, ctx } = await getCloudflareContext();
+      const { env, ctx } = getCloudflareContext();
       const rawConfig = configFn({ env, ctx });
       const validationResult = NextJsCloudflareConfigSchema.safeParse(rawConfig);
       if (!validationResult.success) {
@@ -74,7 +121,6 @@ function createAppwardenMiddleware(configFn) {
       }
       const config = validationResult.data;
       const debugFn = debug(config.debug);
-      const requestUrl = new URL(request.url);
       const isHTML = isHTMLRequest(request);
       debugFn(
         `Appwarden middleware invoked for ${requestUrl.pathname}`,
@@ -105,7 +151,6 @@ function createAppwardenMiddleware(configFn) {
         debugFn(
           `Applying CSP headers in ${config.contentSecurityPolicy.mode} mode`
         );
-        const { makeCSPHeader } = await import("../cloudflare-MAHYENA6.js");
         const [headerName, headerValue] = makeCSPHeader(
           "",
           config.contentSecurityPolicy.directives,

package/cloudflare/react-router.d.ts

@@ -268,8 +268,8 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    debug: boolean;
     lockPageSlug: string;
+    debug: boolean;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -306,7 +306,6 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
-    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -338,6 +337,7 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
+    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type ReactRouterCloudflareConfig = z.infer<typeof ReactRouterCloudflareConfigSchema>;

package/cloudflare/react-router.js

@@ -1,33 +1,34 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-UFWJYCX6.js";
-import "../chunk-WBWF3PPX.js";
+} from "../chunk-M2YVPCTG.js";
+import "../chunk-ILIYP3TG.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-QC2ZUZWY.js";
+} from "../chunk-EXGUJ5XK.js";
 import {
   buildLockPageUrl,
+  createHeartbeatConfigError,
   createRedirect,
   debug,
+  handleHeartbeatRequest,
   isHTMLRequest,
-  isOnLockPage
-} from "../chunk-AY4ZKZTF.js";
-import {
-  UseCSPInputSchema
-} from "../chunk-ZTVJBORU.js";
-import {
-  printMessage
-} from "../chunk-R7TXTHSG.js";
+  isHeartbeatRequest,
+  isOnLockPage,
+  printMessage,
+  sanitizeConfigErrors
+} from "../chunk-HTSD4WPC.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
-  BooleanSchema
-} from "../chunk-WEM7GS4M.js";
+  BooleanSchema,
+  HEARTBEAT_SERVICES,
+  UseCSPInputSchema
+} from "../chunk-Z7P4QVEY.js";
 
 // src/adapters/react-router-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";
@@ -48,13 +49,38 @@ var ReactRouterCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/react-router-cloudflare.ts
+var createConfigEvaluationHeartbeatResponse = (request) => {
+  return handleHeartbeatRequest(
+    request,
+    HEARTBEAT_SERVICES.CLOUDFLARE_REACT_ROUTER,
+    [
+      createHeartbeatConfigError(
+        ["config"],
+        "custom",
+        "Appwarden config evaluation failed"
+      )
+    ]
+  );
+};
+var handleReactRouterHeartbeatRequest = (request, configFn) => {
+  try {
+    const validationResult = ReactRouterCloudflareConfigSchema.safeParse(configFn());
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_REACT_ROUTER,
+      validationResult.success ? [] : sanitizeConfigErrors(validationResult.error)
+    );
+  } catch {
+    return createConfigEvaluationHeartbeatResponse(request);
+  }
+};
 function createAppwardenMiddleware(configFn) {
   return async (args, next) => {
     const startTime = getNowMs();
     const { request } = args;
     let config;
     let debugFn;
-    let requestUrl;
+    const requestUrl = new URL(request.url);
     const applyCspToResponse = async (response2) => {
       if (!config.contentSecurityPolicy || !isResponseLike(response2)) {
         return response2;
@@ -77,6 +103,9 @@ function createAppwardenMiddleware(configFn) {
         return response2;
       }
     };
+    if (isHeartbeatRequest(request, requestUrl)) {
+      return handleReactRouterHeartbeatRequest(request, configFn);
+    }
     try {
       const configInput = configFn();
       const validationResult = ReactRouterCloudflareConfigSchema.safeParse(configInput);
@@ -90,7 +119,6 @@ function createAppwardenMiddleware(configFn) {
       }
       config = validationResult.data;
       debugFn = debug(config.debug);
-      requestUrl = new URL(request.url);
       const isHTML = isHTMLRequest(request);
       debugFn(
         `Appwarden middleware invoked for ${requestUrl.pathname}`,

package/cloudflare/tanstack-start.d.ts

@@ -268,8 +268,8 @@ declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    debug: boolean;
     lockPageSlug: string;
+    debug: boolean;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -306,7 +306,6 @@ declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
-    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -338,6 +337,7 @@ declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
+    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type TanStackStartCloudflareConfig = z.infer<typeof TanStackStartCloudflareConfigSchema>;

package/cloudflare/tanstack-start.js

@@ -1,33 +1,34 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-UFWJYCX6.js";
-import "../chunk-WBWF3PPX.js";
+} from "../chunk-M2YVPCTG.js";
+import "../chunk-ILIYP3TG.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-QC2ZUZWY.js";
+} from "../chunk-EXGUJ5XK.js";
 import {
   buildLockPageUrl,
+  createHeartbeatConfigError,
   createRedirect,
   debug,
+  handleHeartbeatRequest,
   isHTMLRequest,
-  isOnLockPage
-} from "../chunk-AY4ZKZTF.js";
-import {
-  UseCSPInputSchema
-} from "../chunk-ZTVJBORU.js";
-import {
-  printMessage
-} from "../chunk-R7TXTHSG.js";
+  isHeartbeatRequest,
+  isOnLockPage,
+  printMessage,
+  sanitizeConfigErrors
+} from "../chunk-HTSD4WPC.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
-  BooleanSchema
-} from "../chunk-WEM7GS4M.js";
+  BooleanSchema,
+  HEARTBEAT_SERVICES,
+  UseCSPInputSchema
+} from "../chunk-Z7P4QVEY.js";
 
 // src/adapters/tanstack-start-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";
@@ -48,13 +49,35 @@ var TanStackStartCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/tanstack-start-cloudflare.ts
+var createTanStackHeartbeatResponse = (request, configFn) => {
+  try {
+    const validationResult = TanStackStartCloudflareConfigSchema.safeParse(configFn());
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_TANSTACK_START,
+      validationResult.success ? [] : sanitizeConfigErrors(validationResult.error)
+    );
+  } catch {
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_TANSTACK_START,
+      [
+        createHeartbeatConfigError(
+          ["config"],
+          "custom",
+          "Appwarden config evaluation failed"
+        )
+      ]
+    );
+  }
+};
 function createAppwardenMiddleware(configFn) {
   const middleware = async (args) => {
     const startTime = getNowMs();
     const { request, next } = args;
     let config;
     let debugFn;
-    let requestUrl;
+    const requestUrl = new URL(request.url);
     const applyCspToResponse = async (response2) => {
       if (!config.contentSecurityPolicy || !isResponseLike(response2)) {
         return response2;
@@ -77,6 +100,9 @@ function createAppwardenMiddleware(configFn) {
         return response2;
       }
     };
+    if (isHeartbeatRequest(request, requestUrl)) {
+      throw createTanStackHeartbeatResponse(request, configFn);
+    }
     try {
       const rawConfig = configFn();
       const validationResult = TanStackStartCloudflareConfigSchema.safeParse(rawConfig);
@@ -90,7 +116,6 @@ function createAppwardenMiddleware(configFn) {
       }
       config = validationResult.data;
       debugFn = debug(config.debug ?? false);
-      requestUrl = new URL(request.url);
       const isHTML = isHTMLRequest(request);
       debugFn(
         `Appwarden middleware invoked for ${requestUrl.pathname}`,