@appwarden/middleware 3.11.6 → 3.13.0

package/{chunk-R7TXTHSG.js → chunk-HP5GMFH7.js}

@@ -1,6 +1,13 @@
 import {
+  MemoryCache,
+  debug,
+  printMessage
+} from "./chunk-2ZSJUEHK.js";
+import {
+  APPWARDEN_CACHE_KEY,
+  APPWARDEN_TEST_ROUTE,
   LockValue
-} from "./chunk-WEM7GS4M.js";
+} from "./chunk-SREQAAZC.js";
 
 // src/utils/cloudflare/cloudflare-cache.ts
 var store = {
@@ -38,51 +45,6 @@ var updateCacheValue = async (context, cacheKey, value, ttl) => {
 };
 var clearCache = (context, cacheKey) => context.cache.delete(cacheKey);
 
-// src/utils/cloudflare/csp-keywords.ts
-var CSP_KEYWORDS = [
-  "self",
-  "none",
-  "unsafe-inline",
-  "unsafe-eval",
-  "unsafe-hashes",
-  "strict-dynamic",
-  "report-sample",
-  "unsafe-allow-redirects",
-  "wasm-unsafe-eval",
-  "trusted-types-eval",
-  "report-sha256",
-  "report-sha384",
-  "report-sha512",
-  "unsafe-webtransport-hashes"
-];
-var CSP_KEYWORDS_SET = new Set(CSP_KEYWORDS);
-var isCSPKeyword = (value) => {
-  return CSP_KEYWORDS_SET.has(value.toLowerCase());
-};
-var isQuoted = (value) => {
-  return value.startsWith("'") && value.endsWith("'");
-};
-var autoQuoteCSPKeyword = (value) => {
-  const trimmed = value.trim();
-  if (isQuoted(trimmed)) {
-    return trimmed;
-  }
-  if (isCSPKeyword(trimmed)) {
-    return `'${trimmed}'`;
-  }
-  return trimmed;
-};
-var autoQuoteCSPDirectiveValue = (value) => {
-  return value.trim().split(/\s+/).filter(Boolean).map(autoQuoteCSPKeyword).join(" ");
-};
-var autoQuoteCSPDirectiveArray = (values) => {
-  return values.map(autoQuoteCSPKeyword);
-};
-
-// src/utils/print-message.ts
-var addSlashes = (str) => str.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$/g, "\\$").replace(/"/g, '\\"').replace(/'/g, "\\'").replace(/\u0000/g, "\\0").replace(/<\/script>/gi, "<\\/script>");
-var printMessage = (message) => `[@appwarden/middleware] ${addSlashes(message)}`;
-
 // src/utils/cloudflare/delete-edge-value.ts
 var deleteEdgeValue = async (context) => {
   try {
@@ -105,39 +67,6 @@ var deleteEdgeValue = async (context) => {
   }
 };
 
-// src/utils/errors.ts
-var errorsMap = {
-  mode: '`CSP_MODE` must be one of "disabled", "report-only", or "enforced"',
-  directives: {
-    ["DirectivesRequired" /* DirectivesRequired */]: '`CSP_DIRECTIVES` must be provided when `CSP_MODE` is "report-only" or "enforced"',
-    ["DirectivesBadParse" /* DirectivesBadParse */]: "Failed to parse `CSP_DIRECTIVES`. Is it a valid JSON string?"
-  },
-  appwardenApiToken: "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/guides/api-token-management."
-};
-var getErrors = (error) => {
-  const matches = [];
-  const errors = [...Object.entries(error.flatten().fieldErrors)];
-  for (const issue of error.issues) {
-    errors.push(
-      ...Object.entries(
-        "returnTypeError" in issue ? issue.returnTypeError.flatten().fieldErrors : {}
-      )
-    );
-  }
-  for (const [field, maybeSchemaErrorKey] of errors) {
-    let match = errorsMap[field];
-    if (match) {
-      if (match instanceof Object) {
-        if (maybeSchemaErrorKey) {
-          match = match[maybeSchemaErrorKey[0]];
-        }
-      }
-      matches.push(match);
-    }
-  }
-  return matches;
-};
-
 // src/utils/cloudflare/get-lock-value.ts
 var getLockValue = async (context) => {
   try {
@@ -181,56 +110,6 @@ var getLockValue = async (context) => {
   }
 };
 
-// src/utils/cloudflare/insert-errors-logs.ts
-var insertErrorLogs = async (context, error) => {
-  const errors = getErrors(error);
-  for (const err of errors) {
-    console.log(printMessage(err));
-  }
-  return new HTMLRewriter().on("body", {
-    element: (elem) => {
-      elem.append(
-        `<script>
-            ${errors.map((err) => `console.error(\`${printMessage(err)}\`)`).join("\n")}
-          </script>`,
-        { html: true }
-      );
-    }
-  }).transform(await fetch(context.request.clone()));
-};
-
-// src/utils/cloudflare/make-csp-header.ts
-var addNonce = (value, cspNonce) => value.replace("{{nonce}}", `'nonce-${cspNonce}'`);
-var makeCSPHeader = (cspNonce, directives, mode) => {
-  const namesSeen = /* @__PURE__ */ new Set(), result = [];
-  Object.entries(directives ?? {}).forEach(([originalName, value]) => {
-    const name = originalName.replace(/([a-z])([A-Z])/g, "$1-$2").toLowerCase();
-    if (namesSeen.has(name)) {
-      throw new Error(`${originalName} is specified more than once`);
-    }
-    namesSeen.add(name);
-    let directiveValue;
-    if (Array.isArray(value)) {
-      directiveValue = autoQuoteCSPDirectiveArray(value).join(" ");
-    } else if (value === true) {
-      directiveValue = "";
-    } else if (typeof value === "string") {
-      directiveValue = autoQuoteCSPDirectiveValue(value);
-    } else {
-      return;
-    }
-    if (directiveValue) {
-      result.push(`${name} ${addNonce(directiveValue, cspNonce)}`);
-    } else {
-      result.push(name);
-    }
-  });
-  return [
-    mode === "enforced" ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only",
-    result.join("; ")
-  ];
-};
-
 // src/utils/cloudflare/sync-edge-value.ts
 var APIError = class extends Error {
   constructor(message) {
@@ -287,19 +166,72 @@ var syncEdgeValue = async (context) => {
   }
 };
 
+// src/core/check-lock-status.ts
+var createContext = async (config) => {
+  const requestUrl = new URL(config.request.url);
+  const keyName = APPWARDEN_CACHE_KEY;
+  const provider = "cloudflare-cache";
+  const debugFn = debug(config.debug ?? false);
+  const edgeCache = store.json(
+    {
+      serviceOrigin: requestUrl.origin,
+      cache: await caches.open("appwarden:lock"),
+      debug: debugFn
+    },
+    keyName
+  );
+  return {
+    keyName,
+    request: config.request,
+    edgeCache,
+    requestUrl,
+    provider,
+    debug: debugFn,
+    lockPageSlug: config.lockPageSlug,
+    appwardenApiToken: config.appwardenApiToken,
+    appwardenApiHostname: config.appwardenApiHostname,
+    waitUntil: config.waitUntil
+  };
+};
+var resolveLockStatus = async (context) => {
+  const { lockValue, shouldDeleteEdgeValue } = await getLockValue(context);
+  if (shouldDeleteEdgeValue) {
+    context.debug("Deleting corrupted cache value");
+    await deleteEdgeValue(context);
+  }
+  const isTestRoute = context.requestUrl.pathname === APPWARDEN_TEST_ROUTE;
+  const isTestLock = isTestRoute && !MemoryCache.isTestExpired(lockValue) && !!lockValue;
+  return {
+    isLocked: !!lockValue?.isLocked || isTestLock,
+    isTestLock,
+    lockValue,
+    wasDeleted: shouldDeleteEdgeValue ?? false
+  };
+};
+var checkLockStatus = async (config) => {
+  const context = await createContext(config);
+  let { isLocked, isTestLock, lockValue, wasDeleted } = await resolveLockStatus(context);
+  const isExpired = MemoryCache.isExpired(lockValue);
+  if (!isExpired && !wasDeleted && lockValue) {
+    context.debug("Lock value resolved from cache");
+  }
+  if (isExpired || wasDeleted) {
+    if (!lockValue || wasDeleted || lockValue.isLocked) {
+      context.debug(
+        "No fresh cached lock status available - syncing with API synchronously"
+      );
+      await syncEdgeValue(context);
+      ({ isLocked, isTestLock } = await resolveLockStatus(context));
+    } else {
+      context.debug(
+        "Cached lock status expired but last known state unlocked - syncing with API in background"
+      );
+      config.waitUntil(syncEdgeValue(context));
+    }
+  }
+  return { isLocked, isTestLock };
+};
+
 export {
-  printMessage,
-  getErrors,
-  store,
-  CSP_KEYWORDS,
-  isCSPKeyword,
-  isQuoted,
-  autoQuoteCSPKeyword,
-  autoQuoteCSPDirectiveValue,
-  autoQuoteCSPDirectiveArray,
-  deleteEdgeValue,
-  getLockValue,
-  insertErrorLogs,
-  makeCSPHeader,
-  syncEdgeValue
+  checkLockStatus
 };

package/chunk-HUWGPM4M.js

@@ -0,0 +1,9 @@
+// src/utils/to-next-response.ts
+import { NextResponse } from "next/server";
+var toNextResponse = (response) => {
+  return new NextResponse(response.body, response);
+};
+
+export {
+  toNextResponse
+};

package/{chunk-WBWF3PPX.js → chunk-J2TA6BEU.js}

@@ -1,12 +1,10 @@
 import {
-  isHTMLResponse
-} from "./chunk-AY4ZKZTF.js";
+  isHTMLResponse,
+  makeCSPHeader
+} from "./chunk-2ZSJUEHK.js";
 import {
   UseCSPInputSchema
-} from "./chunk-ZTVJBORU.js";
-import {
-  makeCSPHeader
-} from "./chunk-R7TXTHSG.js";
+} from "./chunk-SREQAAZC.js";
 
 // src/middlewares/use-content-security-policy.ts
 var AppendAttribute = (attribute, nonce) => ({

package/chunk-NV7K5PRA.js

@@ -0,0 +1,36 @@
+// src/utils/errors.ts
+var errorsMap = {
+  mode: '`CSP_MODE` must be one of "disabled", "report-only", or "enforced"',
+  directives: {
+    ["DirectivesRequired" /* DirectivesRequired */]: '`CSP_DIRECTIVES` must be provided when `CSP_MODE` is "report-only" or "enforced"',
+    ["DirectivesBadParse" /* DirectivesBadParse */]: "Failed to parse `CSP_DIRECTIVES`. Is it a valid JSON string?"
+  },
+  appwardenApiToken: "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/guides/api-token-management."
+};
+var getErrors = (error) => {
+  const matches = [];
+  const errors = [...Object.entries(error.flatten().fieldErrors)];
+  for (const issue of error.issues) {
+    errors.push(
+      ...Object.entries(
+        "returnTypeError" in issue ? issue.returnTypeError.flatten().fieldErrors : {}
+      )
+    );
+  }
+  for (const [field, maybeSchemaErrorKey] of errors) {
+    let match = errorsMap[field];
+    if (match) {
+      if (match instanceof Object) {
+        if (maybeSchemaErrorKey) {
+          match = match[maybeSchemaErrorKey[0]];
+        }
+      }
+      matches.push(match);
+    }
+  }
+  return matches;
+};
+
+export {
+  getErrors
+};

package/chunk-SREQAAZC.js

@@ -0,0 +1,220 @@
+// src/constants.ts
+var LOCKDOWN_TEST_EXPIRY_MS = 5 * 60 * 1e3;
+var errors = { badCacheConnection: "BAD_CACHE_CONNECTION" };
+var globalErrors = [errors.badCacheConnection];
+var APPWARDEN_TEST_ROUTE = "/_appwarden/test";
+var APPWARDEN_HEARTBEAT_ROUTE = "/_appwarden/heartbeat";
+var HEARTBEAT_CONTRACT_VERSION = 1;
+var HEARTBEAT_VERSION_MAX_LENGTH = 128;
+var HEARTBEAT_CONFIG_ERROR_MAX_COUNT = 10;
+var HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH = 10;
+var HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH = 100;
+var HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH = 500;
+var HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES = 12 * 1024;
+var HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES = 32 * 1024;
+var HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH = 100;
+var APPWARDEN_CACHE_KEY = "appwarden-lock";
+var HEARTBEAT_SERVICE_VALUES = [
+  "cloudflare",
+  "cloudflare-astro",
+  "cloudflare-react-router",
+  "cloudflare-tanstack-start",
+  "cloudflare-nextjs",
+  "vercel"
+];
+var [
+  CLOUDFLARE,
+  CLOUDFLARE_ASTRO,
+  CLOUDFLARE_REACT_ROUTER,
+  CLOUDFLARE_TANSTACK_START,
+  CLOUDFLARE_NEXTJS,
+  VERCEL
+] = HEARTBEAT_SERVICE_VALUES;
+var HEARTBEAT_SERVICES = {
+  CLOUDFLARE,
+  CLOUDFLARE_ASTRO,
+  CLOUDFLARE_REACT_ROUTER,
+  CLOUDFLARE_TANSTACK_START,
+  CLOUDFLARE_NEXTJS,
+  VERCEL
+};
+
+// src/types/heartbeat.ts
+import { z } from "zod";
+function getSerializedJsonByteLength(value) {
+  return new TextEncoder().encode(JSON.stringify(value)).length;
+}
+function getHeartbeatResponseBodyByteBudgetIssue() {
+  return {
+    code: z.ZodIssueCode.custom,
+    message: `Serialized heartbeat response body must be at most ${HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES} bytes`,
+    path: []
+  };
+}
+function getHeartbeatResponseBodySerializationIssue() {
+  return {
+    code: z.ZodIssueCode.custom,
+    message: "Heartbeat response body must be JSON-serializable",
+    path: []
+  };
+}
+var HeartbeatConfigErrorPathSegmentSchema = z.union([
+  z.string().max(HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH),
+  z.number().int().nonnegative()
+]);
+var HeartbeatConfigErrorSchema = z.object({
+  path: z.array(HeartbeatConfigErrorPathSegmentSchema).max(HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH),
+  code: z.string().min(1).max(HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH),
+  message: z.string().min(1).max(HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH)
+}).strict();
+var HeartbeatConfigErrorsSchema = z.array(HeartbeatConfigErrorSchema).max(HEARTBEAT_CONFIG_ERROR_MAX_COUNT).superRefine((configErrors, ctx) => {
+  if (getSerializedJsonByteLength(configErrors) > HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: `Serialized configErrors payload must be at most ${HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES} bytes`
+    });
+  }
+});
+var HeartbeatResponseBodySchema = z.object({
+  app: z.literal("appwarden"),
+  kind: z.literal("heartbeat"),
+  status: z.literal("ok"),
+  contractVersion: z.literal(HEARTBEAT_CONTRACT_VERSION),
+  service: z.enum(HEARTBEAT_SERVICE_VALUES),
+  version: z.string().min(1).max(HEARTBEAT_VERSION_MAX_LENGTH),
+  configErrors: HeartbeatConfigErrorsSchema
+}).strict().superRefine((body, ctx) => {
+  if (getSerializedJsonByteLength(body) > HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: `Serialized heartbeat response body must be at most ${HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES} bytes`
+    });
+  }
+});
+function validateHeartbeatResponseBody(value) {
+  let serializedJsonByteLength;
+  try {
+    serializedJsonByteLength = getSerializedJsonByteLength(value);
+  } catch {
+    throw new z.ZodError([getHeartbeatResponseBodySerializationIssue()]);
+  }
+  if (serializedJsonByteLength > HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES) {
+    throw new z.ZodError([getHeartbeatResponseBodyByteBudgetIssue()]);
+  }
+  return HeartbeatResponseBodySchema.parse(value);
+}
+
+// src/schemas/use-content-security-policy.ts
+import { z as z4 } from "zod";
+
+// src/types/csp.ts
+import { z as z2 } from "zod";
+var stringySchema = z2.union([z2.array(z2.string()), z2.string(), z2.boolean()]);
+var ContentSecurityPolicySchema = z2.object({
+  "default-src": stringySchema.optional(),
+  "script-src": stringySchema.optional(),
+  "style-src": stringySchema.optional(),
+  "img-src": stringySchema.optional(),
+  "connect-src": stringySchema.optional(),
+  "font-src": stringySchema.optional(),
+  "object-src": stringySchema.optional(),
+  "media-src": stringySchema.optional(),
+  "frame-src": stringySchema.optional(),
+  sandbox: stringySchema.optional(),
+  "report-uri": stringySchema.optional(),
+  "child-src": stringySchema.optional(),
+  "form-action": stringySchema.optional(),
+  "frame-ancestors": stringySchema.optional(),
+  "plugin-types": stringySchema.optional(),
+  "base-uri": stringySchema.optional(),
+  "report-to": stringySchema.optional(),
+  "worker-src": stringySchema.optional(),
+  "manifest-src": stringySchema.optional(),
+  "prefetch-src": stringySchema.optional(),
+  "navigate-to": stringySchema.optional(),
+  "require-sri-for": stringySchema.optional(),
+  "block-all-mixed-content": stringySchema.optional(),
+  "upgrade-insecure-requests": stringySchema.optional(),
+  "trusted-types": stringySchema.optional(),
+  "require-trusted-types-for": stringySchema.optional()
+});
+
+// src/schemas/helpers.ts
+import { z as z3 } from "zod";
+var BoolOrStringSchema = z3.union([z3.string(), z3.boolean()]).optional();
+var BooleanSchema = BoolOrStringSchema.transform((val) => {
+  if (val === "true" || val === true) {
+    return true;
+  } else if (val === "false" || val === false) {
+    return false;
+  }
+  throw new Error("Invalid value");
+});
+var AppwardenApiTokenSchema = z3.string().refine((val) => !!val, { message: "appwardenApiToken is required" });
+var AppwardenApiHostnameSchema = z3.string().url({
+  message: "Invalid `appwardenApiHostname`. Please provide an absolute URL (e.g. https://api.appwarden.io)."
+}).refine((value) => value.startsWith("https://"), {
+  message: "`appwardenApiHostname` must use the https:// scheme (e.g. https://api.appwarden.io)."
+});
+var LockValue = z3.object({
+  isLocked: z3.number(),
+  isLockedTest: z3.number(),
+  lastCheck: z3.number()
+});
+
+// src/schemas/use-content-security-policy.ts
+var CSPDirectivesSchema = z4.union([
+  z4.string(),
+  ContentSecurityPolicySchema
+]);
+var CSPModeSchema = z4.union([
+  z4.literal("disabled"),
+  z4.literal("report-only"),
+  z4.literal("enforced")
+]);
+var UseCSPInputSchema = z4.object({
+  mode: CSPModeSchema,
+  directives: CSPDirectivesSchema.refine(
+    (val) => {
+      try {
+        if (typeof val === "string") {
+          JSON.parse(val);
+        }
+        return true;
+      } catch (error) {
+        return false;
+      }
+    },
+    { message: "DirectivesBadParse" /* DirectivesBadParse */ }
+  ).transform(
+    (val) => typeof val === "string" ? JSON.parse(val) : val
+  )
+});
+
+export {
+  LOCKDOWN_TEST_EXPIRY_MS,
+  errors,
+  globalErrors,
+  APPWARDEN_TEST_ROUTE,
+  APPWARDEN_HEARTBEAT_ROUTE,
+  HEARTBEAT_CONTRACT_VERSION,
+  HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH,
+  HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
+  APPWARDEN_CACHE_KEY,
+  HEARTBEAT_SERVICES,
+  BooleanSchema,
+  AppwardenApiTokenSchema,
+  AppwardenApiHostnameSchema,
+  LockValue,
+  HeartbeatConfigErrorSchema,
+  HeartbeatResponseBodySchema,
+  validateHeartbeatResponseBody,
+  CSPDirectivesSchema,
+  CSPModeSchema,
+  UseCSPInputSchema
+};

package/{chunk-UFWJYCX6.js → chunk-TBSMAMWC.js}

@@ -1,6 +1,6 @@
 import {
   useContentSecurityPolicy
-} from "./chunk-WBWF3PPX.js";
+} from "./chunk-J2TA6BEU.js";
 
 // src/utils/apply-content-security-policy-to-response.ts
 var applyContentSecurityPolicyToResponse = async ({

package/cloudflare/astro.d.ts

@@ -270,8 +270,8 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    debug: boolean;
     lockPageSlug: string;
+    debug: boolean;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -308,7 +308,6 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
-    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -340,6 +339,7 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
+    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type AstroCloudflareConfig = z.infer<typeof AstroCloudflareConfigSchema>;

package/cloudflare/astro.js

@@ -1,34 +1,35 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-UFWJYCX6.js";
-import "../chunk-WBWF3PPX.js";
+} from "../chunk-TBSMAMWC.js";
+import "../chunk-J2TA6BEU.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-QC2ZUZWY.js";
+} from "../chunk-HP5GMFH7.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
+  createHeartbeatConfigError,
   createRedirect,
   debug,
+  handleHeartbeatRequest,
   isHTMLRequest,
-  isOnLockPage
-} from "../chunk-AY4ZKZTF.js";
-import {
-  UseCSPInputSchema
-} from "../chunk-ZTVJBORU.js";
-import {
-  printMessage
-} from "../chunk-R7TXTHSG.js";
+  isHeartbeatRequest,
+  isOnLockPage,
+  printMessage,
+  sanitizeConfigErrors
+} from "../chunk-2ZSJUEHK.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
-  BooleanSchema
-} from "../chunk-WEM7GS4M.js";
+  BooleanSchema,
+  HEARTBEAT_SERVICES,
+  UseCSPInputSchema
+} from "../chunk-SREQAAZC.js";
 
 // src/adapters/astro-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";
@@ -49,13 +50,50 @@ var AstroCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/astro-cloudflare.ts
+var createAstroHeartbeatResponse = (request, runtime, configFn) => {
+  if (!runtime) {
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_ASTRO,
+      [
+        createHeartbeatConfigError(
+          ["runtime"],
+          "custom",
+          "Cloudflare runtime unavailable"
+        )
+      ]
+    );
+  }
+  try {
+    const validationResult = AstroCloudflareConfigSchema.safeParse(
+      configFn(runtime)
+    );
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_ASTRO,
+      validationResult.success ? [] : sanitizeConfigErrors(validationResult.error)
+    );
+  } catch {
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_ASTRO,
+      [
+        createHeartbeatConfigError(
+          ["config"],
+          "custom",
+          "Appwarden config evaluation failed"
+        )
+      ]
+    );
+  }
+};
 function createAppwardenMiddleware(configFn) {
   return async (context, next) => {
     const startTime = getNowMs();
     const { request } = context;
     let config;
     let debugFn;
-    let requestUrl;
+    const requestUrl = new URL(request.url);
     const applyCspToResponse = async (response2) => {
       if (!config.contentSecurityPolicy || !isResponseLike(response2)) {
         return response2;
@@ -79,6 +117,9 @@ function createAppwardenMiddleware(configFn) {
       }
     };
     const locals = context.locals;
+    if (isHeartbeatRequest(request, requestUrl)) {
+      return createAstroHeartbeatResponse(request, locals.runtime, configFn);
+    }
     try {
       const runtime = locals.runtime;
       if (!runtime) {
@@ -101,7 +142,6 @@ function createAppwardenMiddleware(configFn) {
       }
       config = validationResult.data;
       debugFn = debug(config.debug);
-      requestUrl = new URL(request.url);
       const isHTML = isHTMLRequest(request);
       debugFn(
         `Appwarden middleware invoked for ${requestUrl.pathname}`,