@appwarden/middleware 3.12.0 → 3.13.1

package/README.md

@@ -4,7 +4,7 @@
 [![GitHub](https://img.shields.io/badge/GitHub-appwarden%2Fmiddleware-181717?logo=github&logoColor=white)](https://github.com/appwarden/middleware)
 [![npm version](https://img.shields.io/npm/v/@appwarden/middleware.svg)](https://www.npmjs.com/package/@appwarden/middleware)
 [![npm provenance](https://img.shields.io/badge/npm-provenance-green)](https://docs.npmjs.com/generating-provenance-statements)
-![Test Coverage](https://img.shields.io/badge/coverage-95.28%25-brightgreen)
+![Test Coverage](https://img.shields.io/badge/coverage-94.02%25-brightgreen)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
 ## Core Features
@@ -320,6 +320,12 @@ Please review our [security policy](SECURITY.md) for details on how we handle vu
 
 This package is published with npm trusted publishers, to prevent npm token exfiltration, and provenance enabled, which provides a verifiable link between the published package and its source code. For more information, see [npm provenance documentation](https://docs.npmjs.com/generating-provenance-statements).
 
+## Versioning & dependencies
+
+- This project uses Conventional Commits and automated release tooling to keep versions and the changelog up to date.
+- Patch releases may include bug fixes and internal maintenance or dependency updates (for example, Cloudflare Workers types, Wrangler, and GitHub Action tooling). New features are shipped in minor releases.
+- See `CHANGELOG.md` for the complete release history.
+
 ## License
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

package/{chunk-EXGUJ5XK.js → chunk-CVOSFBOE.js}

@@ -2,12 +2,12 @@ import {
   MemoryCache,
   debug,
   printMessage
-} from "./chunk-HTSD4WPC.js";
+} from "./chunk-U7E4KM2B.js";
 import {
   APPWARDEN_CACHE_KEY,
   APPWARDEN_TEST_ROUTE,
   LockValue
-} from "./chunk-Z7P4QVEY.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/utils/cloudflare/cloudflare-cache.ts
 var store = {

package/{chunk-Z7P4QVEY.js → chunk-OIEAURS7.js}

@@ -5,10 +5,13 @@ var globalErrors = [errors.badCacheConnection];
 var APPWARDEN_TEST_ROUTE = "/_appwarden/test";
 var APPWARDEN_HEARTBEAT_ROUTE = "/_appwarden/heartbeat";
 var HEARTBEAT_CONTRACT_VERSION = 1;
+var HEARTBEAT_VERSION_MAX_LENGTH = 128;
 var HEARTBEAT_CONFIG_ERROR_MAX_COUNT = 10;
 var HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH = 10;
 var HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH = 100;
 var HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH = 500;
+var HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES = 12 * 1024;
+var HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES = 32 * 1024;
 var HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH = 100;
 var APPWARDEN_CACHE_KEY = "appwarden-lock";
 var HEARTBEAT_SERVICE_VALUES = [
@@ -36,13 +39,78 @@ var HEARTBEAT_SERVICES = {
   VERCEL
 };
 
+// src/types/heartbeat.ts
+import { z } from "zod";
+function getSerializedJsonByteLength(value) {
+  return new TextEncoder().encode(JSON.stringify(value)).length;
+}
+function getHeartbeatResponseBodyByteBudgetIssue() {
+  return {
+    code: z.ZodIssueCode.custom,
+    message: `Serialized heartbeat response body must be at most ${HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES} bytes`,
+    path: []
+  };
+}
+function getHeartbeatResponseBodySerializationIssue() {
+  return {
+    code: z.ZodIssueCode.custom,
+    message: "Heartbeat response body must be JSON-serializable",
+    path: []
+  };
+}
+var HeartbeatConfigErrorPathSegmentSchema = z.union([
+  z.string().max(HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH),
+  z.number().int().nonnegative()
+]);
+var HeartbeatConfigErrorSchema = z.object({
+  path: z.array(HeartbeatConfigErrorPathSegmentSchema).max(HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH),
+  code: z.string().min(1).max(HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH),
+  message: z.string().min(1).max(HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH)
+}).strict();
+var HeartbeatConfigErrorsSchema = z.array(HeartbeatConfigErrorSchema).max(HEARTBEAT_CONFIG_ERROR_MAX_COUNT).superRefine((configErrors, ctx) => {
+  if (getSerializedJsonByteLength(configErrors) > HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: `Serialized configErrors payload must be at most ${HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES} bytes`
+    });
+  }
+});
+var HeartbeatResponseBodySchema = z.object({
+  app: z.literal("appwarden"),
+  kind: z.literal("heartbeat"),
+  status: z.literal("ok"),
+  contractVersion: z.literal(HEARTBEAT_CONTRACT_VERSION),
+  service: z.enum(HEARTBEAT_SERVICE_VALUES),
+  version: z.string().min(1).max(HEARTBEAT_VERSION_MAX_LENGTH),
+  configErrors: HeartbeatConfigErrorsSchema
+}).strict().superRefine((body, ctx) => {
+  if (getSerializedJsonByteLength(body) > HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: `Serialized heartbeat response body must be at most ${HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES} bytes`
+    });
+  }
+});
+function validateHeartbeatResponseBody(value) {
+  let serializedJsonByteLength;
+  try {
+    serializedJsonByteLength = getSerializedJsonByteLength(value);
+  } catch {
+    throw new z.ZodError([getHeartbeatResponseBodySerializationIssue()]);
+  }
+  if (serializedJsonByteLength > HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES) {
+    throw new z.ZodError([getHeartbeatResponseBodyByteBudgetIssue()]);
+  }
+  return HeartbeatResponseBodySchema.parse(value);
+}
+
 // src/schemas/use-content-security-policy.ts
-import { z as z3 } from "zod";
+import { z as z4 } from "zod";
 
 // src/types/csp.ts
-import { z } from "zod";
-var stringySchema = z.union([z.array(z.string()), z.string(), z.boolean()]);
-var ContentSecurityPolicySchema = z.object({
+import { z as z2 } from "zod";
+var stringySchema = z2.union([z2.array(z2.string()), z2.string(), z2.boolean()]);
+var ContentSecurityPolicySchema = z2.object({
   "default-src": stringySchema.optional(),
   "script-src": stringySchema.optional(),
   "style-src": stringySchema.optional(),
@@ -72,8 +140,8 @@ var ContentSecurityPolicySchema = z.object({
 });
 
 // src/schemas/helpers.ts
-import { z as z2 } from "zod";
-var BoolOrStringSchema = z2.union([z2.string(), z2.boolean()]).optional();
+import { z as z3 } from "zod";
+var BoolOrStringSchema = z3.union([z3.string(), z3.boolean()]).optional();
 var BooleanSchema = BoolOrStringSchema.transform((val) => {
   if (val === "true" || val === true) {
     return true;
@@ -82,29 +150,29 @@ var BooleanSchema = BoolOrStringSchema.transform((val) => {
   }
   throw new Error("Invalid value");
 });
-var AppwardenApiTokenSchema = z2.string().refine((val) => !!val, { message: "appwardenApiToken is required" });
-var AppwardenApiHostnameSchema = z2.string().url({
+var AppwardenApiTokenSchema = z3.string().refine((val) => !!val, { message: "appwardenApiToken is required" });
+var AppwardenApiHostnameSchema = z3.string().url({
   message: "Invalid `appwardenApiHostname`. Please provide an absolute URL (e.g. https://api.appwarden.io)."
 }).refine((value) => value.startsWith("https://"), {
   message: "`appwardenApiHostname` must use the https:// scheme (e.g. https://api.appwarden.io)."
 });
-var LockValue = z2.object({
-  isLocked: z2.number(),
-  isLockedTest: z2.number(),
-  lastCheck: z2.number()
+var LockValue = z3.object({
+  isLocked: z3.number(),
+  isLockedTest: z3.number(),
+  lastCheck: z3.number()
 });
 
 // src/schemas/use-content-security-policy.ts
-var CSPDirectivesSchema = z3.union([
-  z3.string(),
+var CSPDirectivesSchema = z4.union([
+  z4.string(),
   ContentSecurityPolicySchema
 ]);
-var CSPModeSchema = z3.union([
-  z3.literal("disabled"),
-  z3.literal("report-only"),
-  z3.literal("enforced")
+var CSPModeSchema = z4.union([
+  z4.literal("disabled"),
+  z4.literal("report-only"),
+  z4.literal("enforced")
 ]);
-var UseCSPInputSchema = z3.object({
+var UseCSPInputSchema = z4.object({
   mode: CSPModeSchema,
   directives: CSPDirectivesSchema.refine(
     (val) => {
@@ -130,17 +198,24 @@ export {
   APPWARDEN_TEST_ROUTE,
   APPWARDEN_HEARTBEAT_ROUTE,
   HEARTBEAT_CONTRACT_VERSION,
+  HEARTBEAT_VERSION_MAX_LENGTH,
   HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
   HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
   HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
   HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH,
+  HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES,
   HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
   APPWARDEN_CACHE_KEY,
+  HEARTBEAT_SERVICE_VALUES,
   HEARTBEAT_SERVICES,
   BooleanSchema,
   AppwardenApiTokenSchema,
   AppwardenApiHostnameSchema,
   LockValue,
+  HeartbeatConfigErrorSchema,
+  HeartbeatResponseBodySchema,
+  validateHeartbeatResponseBody,
   CSPDirectivesSchema,
   CSPModeSchema,
   UseCSPInputSchema

package/{chunk-ILIYP3TG.js → chunk-Q5LVKCWK.js}

@@ -1,10 +1,10 @@
 import {
   isHTMLResponse,
   makeCSPHeader
-} from "./chunk-HTSD4WPC.js";
+} from "./chunk-U7E4KM2B.js";
 import {
   UseCSPInputSchema
-} from "./chunk-Z7P4QVEY.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/middlewares/use-content-security-policy.ts
 var AppendAttribute = (attribute, nonce) => ({

package/{chunk-M2YVPCTG.js → chunk-QM56445N.js}

@@ -1,6 +1,6 @@
 import {
   useContentSecurityPolicy
-} from "./chunk-ILIYP3TG.js";
+} from "./chunk-Q5LVKCWK.js";
 
 // src/utils/apply-content-security-policy-to-response.ts
 var applyContentSecurityPolicyToResponse = async ({

package/{chunk-HTSD4WPC.js → chunk-U7E4KM2B.js}

@@ -1,13 +1,16 @@
 import {
   APPWARDEN_HEARTBEAT_ROUTE,
+  HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES,
   HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
   HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
   HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH,
   HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
   HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
   HEARTBEAT_CONTRACT_VERSION,
-  LOCKDOWN_TEST_EXPIRY_MS
-} from "./chunk-Z7P4QVEY.js";
+  HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES,
+  LOCKDOWN_TEST_EXPIRY_MS,
+  validateHeartbeatResponseBody
+} from "./chunk-OIEAURS7.js";
 
 // src/utils/build-lock-page-url.ts
 function normalizeLockPageSlug(lockPageSlug) {
@@ -119,9 +122,14 @@ var MemoryCache = class {
 };
 
 // src/version.ts
-var MIDDLEWARE_VERSION = "3.11.6";
+var MIDDLEWARE_VERSION = "3.13.0";
 
 // src/utils/heartbeat.ts
+var DEFAULT_HEARTBEAT_CONFIG_ERROR_CODE = "custom";
+var DEFAULT_HEARTBEAT_CONFIG_ERROR_MESSAGE = "Appwarden configuration validation failed";
+var HEARTBEAT_CONSTRUCTION_FAILURE_BODY = JSON.stringify({
+  error: "appwarden_heartbeat_construction_failed"
+});
 function createSanitizedMessage(code, path) {
   const fieldName = path.length > 0 ? path[path.length - 1] : "field";
   switch (code) {
@@ -159,39 +167,80 @@ function createSanitizedMessage(code, path) {
       return `Validation error for ${fieldName}`;
   }
 }
+function truncateWithEllipsis(value, maxLength) {
+  if (value.length <= maxLength) {
+    return value;
+  }
+  if (maxLength <= 3) {
+    return value.substring(0, maxLength);
+  }
+  return value.substring(0, maxLength - 3) + "...";
+}
+function sanitizePathSegment(segment) {
+  if (typeof segment === "number" && Number.isFinite(segment)) {
+    return Number.isSafeInteger(segment) ? Math.max(0, segment) : Math.max(0, Math.trunc(segment));
+  }
+  return truncateWithEllipsis(
+    typeof segment === "string" ? segment : String(segment),
+    HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH
+  );
+}
 function sanitizePath(path) {
   const truncatedPath = path.slice(0, HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH);
-  return truncatedPath.map((segment) => {
-    if (typeof segment === "string" && segment.length > HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH) {
-      return segment.substring(
-        0,
-        HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH - 3
-      ) + "...";
-    }
-    return segment;
-  });
+  return truncatedPath.map(sanitizePathSegment);
 }
 function truncateMessage(message) {
-  if (message.length <= HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH) {
-    return message;
+  return truncateWithEllipsis(
+    message,
+    HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH
+  );
+}
+function truncateCode(code) {
+  return truncateWithEllipsis(code, HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH);
+}
+function normalizeNonEmptyString(value, fallback, truncate) {
+  const normalizedValue = truncate(value.trim());
+  if (normalizedValue.length > 0) {
+    return normalizedValue;
   }
-  return message.substring(0, HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH - 3) + "...";
+  return truncate(fallback);
+}
+function getSerializedJsonByteLength(value) {
+  return new TextEncoder().encode(JSON.stringify(value)).length;
+}
+function isConfigErrorsWithinByteBudget(configErrors) {
+  return getSerializedJsonByteLength(configErrors) <= HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES;
+}
+function isResponseBodyWithinByteBudget(body) {
+  return getSerializedJsonByteLength(body) <= HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES;
 }
 function createHeartbeatConfigError(path, code, message) {
   return {
     path: sanitizePath(path),
-    code: code.substring(0, HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH),
-    message: truncateMessage(message)
+    code: normalizeNonEmptyString(
+      code,
+      DEFAULT_HEARTBEAT_CONFIG_ERROR_CODE,
+      truncateCode
+    ),
+    message: normalizeNonEmptyString(
+      message,
+      DEFAULT_HEARTBEAT_CONFIG_ERROR_MESSAGE,
+      truncateMessage
+    )
   };
 }
 function normalizeHeartbeatConfigErrors(configErrors) {
-  return configErrors.slice(0, HEARTBEAT_CONFIG_ERROR_MAX_COUNT).map(
+  const normalizedConfigErrors = configErrors.slice(0, HEARTBEAT_CONFIG_ERROR_MAX_COUNT).map(
     (configError) => createHeartbeatConfigError(
       configError.path,
       configError.code,
       configError.message
     )
   );
+  while (normalizedConfigErrors.length > 0 && !isConfigErrorsWithinByteBudget(normalizedConfigErrors)) {
+    normalizedConfigErrors.pop();
+  }
+  return normalizedConfigErrors;
 }
 function sanitizeConfigErrors(error) {
   if (!error) {
@@ -213,30 +262,48 @@ function sanitizeConfigErrors(error) {
   return errors;
 }
 function createHeartbeatResponseBody(service, configErrors = []) {
-  return {
+  const normalizedConfigErrors = normalizeHeartbeatConfigErrors(configErrors);
+  const body = {
     app: "appwarden",
     kind: "heartbeat",
     status: "ok",
     contractVersion: HEARTBEAT_CONTRACT_VERSION,
     service,
     version: MIDDLEWARE_VERSION,
-    configErrors: normalizeHeartbeatConfigErrors(configErrors)
+    configErrors: normalizedConfigErrors
   };
+  while (body.configErrors.length > 0 && !isResponseBodyWithinByteBudget(body)) {
+    body.configErrors.pop();
+  }
+  return validateHeartbeatResponseBody(body);
 }
-function createHeartbeatResponse(service, configErrors = []) {
-  const body = createHeartbeatResponseBody(service, configErrors);
-  return new Response(JSON.stringify(body), {
-    status: 200,
+function createHeartbeatConstructionFailureResponse() {
+  return new Response(HEARTBEAT_CONSTRUCTION_FAILURE_BODY, {
+    status: 500,
     headers: {
       "content-type": "application/json",
-      "cache-control": "no-store",
-      "x-appwarden-heartbeat": "1",
-      "x-appwarden-contract-version": String(HEARTBEAT_CONTRACT_VERSION),
-      "x-appwarden-service": service,
-      "x-appwarden-version": MIDDLEWARE_VERSION
+      "cache-control": "no-store"
     }
   });
 }
+function createHeartbeatResponse(service, configErrors = []) {
+  try {
+    const body = createHeartbeatResponseBody(service, configErrors);
+    return new Response(JSON.stringify(body), {
+      status: 200,
+      headers: {
+        "content-type": "application/json",
+        "cache-control": "no-store",
+        "x-appwarden-heartbeat": "1",
+        "x-appwarden-contract-version": String(HEARTBEAT_CONTRACT_VERSION),
+        "x-appwarden-service": service,
+        "x-appwarden-version": MIDDLEWARE_VERSION
+      }
+    });
+  } catch {
+    return createHeartbeatConstructionFailureResponse();
+  }
+}
 function isHeartbeatRoute(url) {
   return url.pathname === APPWARDEN_HEARTBEAT_ROUTE;
 }

package/{chunk-6YCNCR22.js → chunk-UBWPR24M.js}

@@ -3,7 +3,7 @@ import {
   AppwardenApiTokenSchema,
   BooleanSchema,
   UseCSPInputSchema
-} from "./chunk-Z7P4QVEY.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/schemas/use-appwarden.ts
 import { z } from "zod";

package/cloudflare/astro.d.ts

@@ -270,8 +270,8 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    lockPageSlug: string;
     debug: boolean;
+    lockPageSlug: string;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -308,6 +308,7 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
+    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -339,7 +340,6 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
-    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type AstroCloudflareConfig = z.infer<typeof AstroCloudflareConfigSchema>;

package/cloudflare/astro.js

@@ -1,15 +1,15 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-M2YVPCTG.js";
-import "../chunk-ILIYP3TG.js";
+} from "../chunk-QM56445N.js";
+import "../chunk-Q5LVKCWK.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-EXGUJ5XK.js";
+} from "../chunk-CVOSFBOE.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
@@ -22,14 +22,14 @@ import {
   isOnLockPage,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-HTSD4WPC.js";
+} from "../chunk-U7E4KM2B.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
   UseCSPInputSchema
-} from "../chunk-Z7P4QVEY.js";
+} from "../chunk-OIEAURS7.js";
 
 // src/adapters/astro-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";

package/cloudflare/nextjs.d.ts

@@ -329,8 +329,8 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    lockPageSlug: string;
     debug: boolean;
+    lockPageSlug: string;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -367,6 +367,7 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
+    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -398,7 +399,6 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
-    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type NextJsCloudflareConfig = z.infer<typeof NextJsCloudflareConfigSchema>;

package/cloudflare/nextjs.js

@@ -7,7 +7,7 @@ import {
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-EXGUJ5XK.js";
+} from "../chunk-CVOSFBOE.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
@@ -20,14 +20,14 @@ import {
   makeCSPHeader,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-HTSD4WPC.js";
+} from "../chunk-U7E4KM2B.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
   UseCSPInputSchema
-} from "../chunk-Z7P4QVEY.js";
+} from "../chunk-OIEAURS7.js";
 
 // src/adapters/nextjs-cloudflare.ts
 import { getCloudflareContext } from "@opennextjs/cloudflare";

package/cloudflare/react-router.d.ts

@@ -268,8 +268,8 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    lockPageSlug: string;
     debug: boolean;
+    lockPageSlug: string;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -306,6 +306,7 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
+    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -337,7 +338,6 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
-    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type ReactRouterCloudflareConfig = z.infer<typeof ReactRouterCloudflareConfigSchema>;

package/cloudflare/react-router.js

@@ -1,15 +1,15 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-M2YVPCTG.js";
-import "../chunk-ILIYP3TG.js";
+} from "../chunk-QM56445N.js";
+import "../chunk-Q5LVKCWK.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-EXGUJ5XK.js";
+} from "../chunk-CVOSFBOE.js";
 import {
   buildLockPageUrl,
   createHeartbeatConfigError,
@@ -21,14 +21,14 @@ import {
   isOnLockPage,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-HTSD4WPC.js";
+} from "../chunk-U7E4KM2B.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
   UseCSPInputSchema
-} from "../chunk-Z7P4QVEY.js";
+} from "../chunk-OIEAURS7.js";
 
 // src/adapters/react-router-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";

package/cloudflare/tanstack-start.d.ts

@@ -268,8 +268,8 @@ declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    lockPageSlug: string;
     debug: boolean;
+    lockPageSlug: string;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -306,6 +306,7 @@ declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
+    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -337,7 +338,6 @@ declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
-    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type TanStackStartCloudflareConfig = z.infer<typeof TanStackStartCloudflareConfigSchema>;

package/cloudflare/tanstack-start.js

@@ -1,15 +1,15 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-M2YVPCTG.js";
-import "../chunk-ILIYP3TG.js";
+} from "../chunk-QM56445N.js";
+import "../chunk-Q5LVKCWK.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-EXGUJ5XK.js";
+} from "../chunk-CVOSFBOE.js";
 import {
   buildLockPageUrl,
   createHeartbeatConfigError,
@@ -21,14 +21,14 @@ import {
   isOnLockPage,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-HTSD4WPC.js";
+} from "../chunk-U7E4KM2B.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
   UseCSPInputSchema
-} from "../chunk-Z7P4QVEY.js";
+} from "../chunk-OIEAURS7.js";
 
 // src/adapters/tanstack-start-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";

package/cloudflare.js

@@ -1,16 +1,16 @@
 import {
   UseAppwardenInputSchema,
   lockPageSlugRefinement
-} from "./chunk-6YCNCR22.js";
+} from "./chunk-UBWPR24M.js";
 import {
   getErrors
 } from "./chunk-NV7K5PRA.js";
 import {
   useContentSecurityPolicy
-} from "./chunk-ILIYP3TG.js";
+} from "./chunk-Q5LVKCWK.js";
 import {
   checkLockStatus
-} from "./chunk-EXGUJ5XK.js";
+} from "./chunk-CVOSFBOE.js";
 import {
   buildLockPageUrl,
   createHeartbeatConfigError,
@@ -22,10 +22,10 @@ import {
   isOnLockPage,
   printMessage,
   sanitizeConfigErrors
-} from "./chunk-HTSD4WPC.js";
+} from "./chunk-U7E4KM2B.js";
 import {
   HEARTBEAT_SERVICES
-} from "./chunk-Z7P4QVEY.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/runners/appwarden-on-cloudflare.ts
 import { ZodError } from "zod";

package/index.d.ts

@@ -2,7 +2,156 @@ export { B as Bindings, C as CSPDirectivesSchema, a as CSPModeSchema, M as Middl
 import { z } from 'zod';
 
 declare const LOCKDOWN_TEST_EXPIRY_MS: number;
+declare const APPWARDEN_HEARTBEAT_ROUTE = "/_appwarden/heartbeat";
+declare const HEARTBEAT_CONTRACT_VERSION: 1;
+declare const HEARTBEAT_VERSION_MAX_LENGTH = 128;
+/**
+ * Maximum number of public heartbeat config errors.
+ * Prevents unbounded response sizes.
+ */
+declare const HEARTBEAT_CONFIG_ERROR_MAX_COUNT = 10;
+/**
+ * Maximum path depth for public heartbeat config errors.
+ * Prevents deeply nested paths from being exposed.
+ */
+declare const HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH = 10;
+/**
+ * Maximum length for public heartbeat config error codes.
+ * Keeps error codes within the contract bounds.
+ */
+declare const HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH = 100;
+/**
+ * Maximum length for public heartbeat config error messages.
+ * Prevents excessively long messages from being exposed.
+ */
+declare const HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH = 500;
+declare const HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES: number;
+declare const HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES: number;
+/**
+ * Maximum length for individual public heartbeat config error path segments.
+ * Prevents excessively long path segments from being exposed.
+ */
+declare const HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH = 100;
 declare const APPWARDEN_CACHE_KEY: "appwarden-lock";
+declare const HEARTBEAT_SERVICE_VALUES: readonly ["cloudflare", "cloudflare-astro", "cloudflare-react-router", "cloudflare-tanstack-start", "cloudflare-nextjs", "vercel"];
+/**
+ * Service identifiers for different middleware adapters.
+ * These are hardcoded per adapter bundle.
+ */
+declare const HEARTBEAT_SERVICES: {
+    readonly CLOUDFLARE: "cloudflare";
+    readonly CLOUDFLARE_ASTRO: "cloudflare-astro";
+    readonly CLOUDFLARE_REACT_ROUTER: "cloudflare-react-router";
+    readonly CLOUDFLARE_TANSTACK_START: "cloudflare-tanstack-start";
+    readonly CLOUDFLARE_NEXTJS: "cloudflare-nextjs";
+    readonly VERCEL: "vercel";
+};
+
+/**
+ * Service identifiers for different middleware adapters.
+ * These are hardcoded per adapter bundle.
+ */
+type HeartbeatService = (typeof HEARTBEAT_SERVICE_VALUES)[number];
+/**
+ * Schema for validating heartbeat config errors.
+ * Ensures errors are bounded and sanitized.
+ */
+declare const HeartbeatConfigErrorSchema: z.ZodObject<{
+    path: z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodNumber]>, "many">;
+    code: z.ZodString;
+    message: z.ZodString;
+}, "strict", z.ZodTypeAny, {
+    message: string;
+    code: string;
+    path: (string | number)[];
+}, {
+    message: string;
+    code: string;
+    path: (string | number)[];
+}>;
+type HeartbeatConfigError = z.infer<typeof HeartbeatConfigErrorSchema>;
+/**
+ * Schema for validating the heartbeat response body.
+ */
+declare const HeartbeatResponseBodySchema: z.ZodEffects<z.ZodObject<{
+    app: z.ZodLiteral<"appwarden">;
+    kind: z.ZodLiteral<"heartbeat">;
+    status: z.ZodLiteral<"ok">;
+    contractVersion: z.ZodLiteral<1>;
+    service: z.ZodEnum<["cloudflare", "cloudflare-astro", "cloudflare-react-router", "cloudflare-tanstack-start", "cloudflare-nextjs", "vercel"]>;
+    version: z.ZodString;
+    configErrors: z.ZodEffects<z.ZodArray<z.ZodObject<{
+        path: z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodNumber]>, "many">;
+        code: z.ZodString;
+        message: z.ZodString;
+    }, "strict", z.ZodTypeAny, {
+        message: string;
+        code: string;
+        path: (string | number)[];
+    }, {
+        message: string;
+        code: string;
+        path: (string | number)[];
+    }>, "many">, {
+        message: string;
+        code: string;
+        path: (string | number)[];
+    }[], {
+        message: string;
+        code: string;
+        path: (string | number)[];
+    }[]>;
+}, "strict", z.ZodTypeAny, {
+    status: "ok";
+    app: "appwarden";
+    kind: "heartbeat";
+    contractVersion: 1;
+    service: "cloudflare" | "cloudflare-astro" | "cloudflare-react-router" | "cloudflare-tanstack-start" | "cloudflare-nextjs" | "vercel";
+    version: string;
+    configErrors: {
+        message: string;
+        code: string;
+        path: (string | number)[];
+    }[];
+}, {
+    status: "ok";
+    app: "appwarden";
+    kind: "heartbeat";
+    contractVersion: 1;
+    service: "cloudflare" | "cloudflare-astro" | "cloudflare-react-router" | "cloudflare-tanstack-start" | "cloudflare-nextjs" | "vercel";
+    version: string;
+    configErrors: {
+        message: string;
+        code: string;
+        path: (string | number)[];
+    }[];
+}>, {
+    status: "ok";
+    app: "appwarden";
+    kind: "heartbeat";
+    contractVersion: 1;
+    service: "cloudflare" | "cloudflare-astro" | "cloudflare-react-router" | "cloudflare-tanstack-start" | "cloudflare-nextjs" | "vercel";
+    version: string;
+    configErrors: {
+        message: string;
+        code: string;
+        path: (string | number)[];
+    }[];
+}, {
+    status: "ok";
+    app: "appwarden";
+    kind: "heartbeat";
+    contractVersion: 1;
+    service: "cloudflare" | "cloudflare-astro" | "cloudflare-react-router" | "cloudflare-tanstack-start" | "cloudflare-nextjs" | "vercel";
+    version: string;
+    configErrors: {
+        message: string;
+        code: string;
+        path: (string | number)[];
+    }[];
+}>;
+type HeartbeatResponseBody = z.infer<typeof HeartbeatResponseBodySchema>;
+declare function validateHeartbeatResponseBody(value: unknown): HeartbeatResponseBody;
 
 /**
  * Extracts the Edge Config ID from a valid Edge Config URL
@@ -787,4 +936,4 @@ declare const LockValue: z.ZodObject<{
 }>;
 type LockValueType = z.infer<typeof LockValue>;
 
-export { APPWARDEN_CACHE_KEY, LOCKDOWN_TEST_EXPIRY_MS, type LockValueType, UseAppwardenInputSchema, getEdgeConfigId, isCacheUrl, isValidCacheUrl };
+export { APPWARDEN_CACHE_KEY, APPWARDEN_HEARTBEAT_ROUTE, HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES, HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH, HEARTBEAT_CONFIG_ERROR_MAX_COUNT, HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH, HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH, HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH, HEARTBEAT_CONTRACT_VERSION, HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES, HEARTBEAT_SERVICES, HEARTBEAT_SERVICE_VALUES, HEARTBEAT_VERSION_MAX_LENGTH, type HeartbeatConfigError, HeartbeatConfigErrorSchema, type HeartbeatResponseBody, HeartbeatResponseBodySchema, type HeartbeatService, LOCKDOWN_TEST_EXPIRY_MS, type LockValueType, UseAppwardenInputSchema, getEdgeConfigId, isCacheUrl, isValidCacheUrl, validateHeartbeatResponseBody };

package/index.js

@@ -5,20 +5,50 @@ import {
 } from "./chunk-QEFORWCW.js";
 import {
   UseAppwardenInputSchema
-} from "./chunk-6YCNCR22.js";
+} from "./chunk-UBWPR24M.js";
 import {
   APPWARDEN_CACHE_KEY,
+  APPWARDEN_HEARTBEAT_ROUTE,
   CSPDirectivesSchema,
   CSPModeSchema,
-  LOCKDOWN_TEST_EXPIRY_MS
-} from "./chunk-Z7P4QVEY.js";
+  HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
+  HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
+  HEARTBEAT_CONTRACT_VERSION,
+  HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_SERVICES,
+  HEARTBEAT_SERVICE_VALUES,
+  HEARTBEAT_VERSION_MAX_LENGTH,
+  HeartbeatConfigErrorSchema,
+  HeartbeatResponseBodySchema,
+  LOCKDOWN_TEST_EXPIRY_MS,
+  validateHeartbeatResponseBody
+} from "./chunk-OIEAURS7.js";
 export {
   APPWARDEN_CACHE_KEY,
+  APPWARDEN_HEARTBEAT_ROUTE,
   CSPDirectivesSchema,
   CSPModeSchema,
+  HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
+  HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
+  HEARTBEAT_CONTRACT_VERSION,
+  HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_SERVICES,
+  HEARTBEAT_SERVICE_VALUES,
+  HEARTBEAT_VERSION_MAX_LENGTH,
+  HeartbeatConfigErrorSchema,
+  HeartbeatResponseBodySchema,
   LOCKDOWN_TEST_EXPIRY_MS,
   UseAppwardenInputSchema,
   getEdgeConfigId,
   isCacheUrl,
-  isValidCacheUrl
+  isValidCacheUrl,
+  validateHeartbeatResponseBody
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appwarden/middleware",
-  "version": "3.12.0",
+  "version": "3.13.1",
   "description": "Instantly disable all user interaction with your app deployed on Cloudflare or Vercel",
   "type": "module",
   "license": "MIT",
@@ -58,7 +58,7 @@
     "node": ">=24"
   },
   "dependencies": {
-    "@upstash/redis": "^1.36.3",
+    "@upstash/redis": "^1.36.4",
     "@vercel/edge-config": "^1.4.3",
     "zod": "^3.25.76"
   },

package/vercel.js

@@ -20,7 +20,7 @@ import {
   makeCSPHeader,
   printMessage,
   sanitizeConfigErrors
-} from "./chunk-HTSD4WPC.js";
+} from "./chunk-U7E4KM2B.js";
 import {
   APPWARDEN_CACHE_KEY,
   AppwardenApiHostnameSchema,
@@ -30,7 +30,7 @@ import {
   LockValue,
   errors,
   globalErrors
-} from "./chunk-Z7P4QVEY.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/runners/appwarden-on-vercel.ts
 import { waitUntil } from "@vercel/functions";