@appwarden/middleware 3.13.0 → 3.13.1

package/README.md

@@ -4,7 +4,7 @@
 [![GitHub](https://img.shields.io/badge/GitHub-appwarden%2Fmiddleware-181717?logo=github&logoColor=white)](https://github.com/appwarden/middleware)
 [![npm version](https://img.shields.io/npm/v/@appwarden/middleware.svg)](https://www.npmjs.com/package/@appwarden/middleware)
 [![npm provenance](https://img.shields.io/badge/npm-provenance-green)](https://docs.npmjs.com/generating-provenance-statements)
-![Test Coverage](https://img.shields.io/badge/coverage-94.3%25-brightgreen)
+![Test Coverage](https://img.shields.io/badge/coverage-94.02%25-brightgreen)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
 ## Core Features
@@ -320,6 +320,12 @@ Please review our [security policy](SECURITY.md) for details on how we handle vu
 
 This package is published with npm trusted publishers, to prevent npm token exfiltration, and provenance enabled, which provides a verifiable link between the published package and its source code. For more information, see [npm provenance documentation](https://docs.npmjs.com/generating-provenance-statements).
 
+## Versioning & dependencies
+
+- This project uses Conventional Commits and automated release tooling to keep versions and the changelog up to date.
+- Patch releases may include bug fixes and internal maintenance or dependency updates (for example, Cloudflare Workers types, Wrangler, and GitHub Action tooling). New features are shipped in minor releases.
+- See `CHANGELOG.md` for the complete release history.
+
 ## License
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

package/{chunk-HP5GMFH7.js → chunk-CVOSFBOE.js}

@@ -2,12 +2,12 @@ import {
   MemoryCache,
   debug,
   printMessage
-} from "./chunk-2ZSJUEHK.js";
+} from "./chunk-U7E4KM2B.js";
 import {
   APPWARDEN_CACHE_KEY,
   APPWARDEN_TEST_ROUTE,
   LockValue
-} from "./chunk-SREQAAZC.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/utils/cloudflare/cloudflare-cache.ts
 var store = {

package/{chunk-SREQAAZC.js → chunk-OIEAURS7.js}

@@ -198,6 +198,7 @@ export {
   APPWARDEN_TEST_ROUTE,
   APPWARDEN_HEARTBEAT_ROUTE,
   HEARTBEAT_CONTRACT_VERSION,
+  HEARTBEAT_VERSION_MAX_LENGTH,
   HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
   HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
   HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
@@ -206,6 +207,7 @@ export {
   HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES,
   HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
   APPWARDEN_CACHE_KEY,
+  HEARTBEAT_SERVICE_VALUES,
   HEARTBEAT_SERVICES,
   BooleanSchema,
   AppwardenApiTokenSchema,

package/{chunk-J2TA6BEU.js → chunk-Q5LVKCWK.js}

@@ -1,10 +1,10 @@
 import {
   isHTMLResponse,
   makeCSPHeader
-} from "./chunk-2ZSJUEHK.js";
+} from "./chunk-U7E4KM2B.js";
 import {
   UseCSPInputSchema
-} from "./chunk-SREQAAZC.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/middlewares/use-content-security-policy.ts
 var AppendAttribute = (attribute, nonce) => ({

package/{chunk-TBSMAMWC.js → chunk-QM56445N.js}

@@ -1,6 +1,6 @@
 import {
   useContentSecurityPolicy
-} from "./chunk-J2TA6BEU.js";
+} from "./chunk-Q5LVKCWK.js";
 
 // src/utils/apply-content-security-policy-to-response.ts
 var applyContentSecurityPolicyToResponse = async ({

package/{chunk-2ZSJUEHK.js → chunk-U7E4KM2B.js}

@@ -10,7 +10,7 @@ import {
   HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES,
   LOCKDOWN_TEST_EXPIRY_MS,
   validateHeartbeatResponseBody
-} from "./chunk-SREQAAZC.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/utils/build-lock-page-url.ts
 function normalizeLockPageSlug(lockPageSlug) {
@@ -122,7 +122,7 @@ var MemoryCache = class {
 };
 
 // src/version.ts
-var MIDDLEWARE_VERSION = "3.12.0";
+var MIDDLEWARE_VERSION = "3.13.0";
 
 // src/utils/heartbeat.ts
 var DEFAULT_HEARTBEAT_CONFIG_ERROR_CODE = "custom";

package/{chunk-GNDWHKJ5.js → chunk-UBWPR24M.js}

@@ -3,7 +3,7 @@ import {
   AppwardenApiTokenSchema,
   BooleanSchema,
   UseCSPInputSchema
-} from "./chunk-SREQAAZC.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/schemas/use-appwarden.ts
 import { z } from "zod";

package/cloudflare/astro.d.ts

@@ -270,8 +270,8 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    lockPageSlug: string;
     debug: boolean;
+    lockPageSlug: string;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -308,6 +308,7 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
+    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -339,7 +340,6 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
-    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type AstroCloudflareConfig = z.infer<typeof AstroCloudflareConfigSchema>;

package/cloudflare/astro.js

@@ -1,15 +1,15 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-TBSMAMWC.js";
-import "../chunk-J2TA6BEU.js";
+} from "../chunk-QM56445N.js";
+import "../chunk-Q5LVKCWK.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-HP5GMFH7.js";
+} from "../chunk-CVOSFBOE.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
@@ -22,14 +22,14 @@ import {
   isOnLockPage,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-2ZSJUEHK.js";
+} from "../chunk-U7E4KM2B.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
   UseCSPInputSchema
-} from "../chunk-SREQAAZC.js";
+} from "../chunk-OIEAURS7.js";
 
 // src/adapters/astro-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";

package/cloudflare/nextjs.d.ts

@@ -329,8 +329,8 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    lockPageSlug: string;
     debug: boolean;
+    lockPageSlug: string;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -367,6 +367,7 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
+    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -398,7 +399,6 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
-    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type NextJsCloudflareConfig = z.infer<typeof NextJsCloudflareConfigSchema>;

package/cloudflare/nextjs.js

@@ -7,7 +7,7 @@ import {
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-HP5GMFH7.js";
+} from "../chunk-CVOSFBOE.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
@@ -20,14 +20,14 @@ import {
   makeCSPHeader,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-2ZSJUEHK.js";
+} from "../chunk-U7E4KM2B.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
   UseCSPInputSchema
-} from "../chunk-SREQAAZC.js";
+} from "../chunk-OIEAURS7.js";
 
 // src/adapters/nextjs-cloudflare.ts
 import { getCloudflareContext } from "@opennextjs/cloudflare";

package/cloudflare/react-router.d.ts

@@ -268,8 +268,8 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    lockPageSlug: string;
     debug: boolean;
+    lockPageSlug: string;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -306,6 +306,7 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
+    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -337,7 +338,6 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
-    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type ReactRouterCloudflareConfig = z.infer<typeof ReactRouterCloudflareConfigSchema>;

package/cloudflare/react-router.js

@@ -1,15 +1,15 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-TBSMAMWC.js";
-import "../chunk-J2TA6BEU.js";
+} from "../chunk-QM56445N.js";
+import "../chunk-Q5LVKCWK.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-HP5GMFH7.js";
+} from "../chunk-CVOSFBOE.js";
 import {
   buildLockPageUrl,
   createHeartbeatConfigError,
@@ -21,14 +21,14 @@ import {
   isOnLockPage,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-2ZSJUEHK.js";
+} from "../chunk-U7E4KM2B.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
   UseCSPInputSchema
-} from "../chunk-SREQAAZC.js";
+} from "../chunk-OIEAURS7.js";
 
 // src/adapters/react-router-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";

package/cloudflare/tanstack-start.d.ts

@@ -268,8 +268,8 @@ declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    lockPageSlug: string;
     debug: boolean;
+    lockPageSlug: string;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -306,6 +306,7 @@ declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
+    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -337,7 +338,6 @@ declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
-    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type TanStackStartCloudflareConfig = z.infer<typeof TanStackStartCloudflareConfigSchema>;

package/cloudflare/tanstack-start.js

@@ -1,15 +1,15 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-TBSMAMWC.js";
-import "../chunk-J2TA6BEU.js";
+} from "../chunk-QM56445N.js";
+import "../chunk-Q5LVKCWK.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-HP5GMFH7.js";
+} from "../chunk-CVOSFBOE.js";
 import {
   buildLockPageUrl,
   createHeartbeatConfigError,
@@ -21,14 +21,14 @@ import {
   isOnLockPage,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-2ZSJUEHK.js";
+} from "../chunk-U7E4KM2B.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
   UseCSPInputSchema
-} from "../chunk-SREQAAZC.js";
+} from "../chunk-OIEAURS7.js";
 
 // src/adapters/tanstack-start-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";

package/cloudflare.js

@@ -1,16 +1,16 @@
 import {
   UseAppwardenInputSchema,
   lockPageSlugRefinement
-} from "./chunk-GNDWHKJ5.js";
+} from "./chunk-UBWPR24M.js";
 import {
   getErrors
 } from "./chunk-NV7K5PRA.js";
 import {
   useContentSecurityPolicy
-} from "./chunk-J2TA6BEU.js";
+} from "./chunk-Q5LVKCWK.js";
 import {
   checkLockStatus
-} from "./chunk-HP5GMFH7.js";
+} from "./chunk-CVOSFBOE.js";
 import {
   buildLockPageUrl,
   createHeartbeatConfigError,
@@ -22,10 +22,10 @@ import {
   isOnLockPage,
   printMessage,
   sanitizeConfigErrors
-} from "./chunk-2ZSJUEHK.js";
+} from "./chunk-U7E4KM2B.js";
 import {
   HEARTBEAT_SERVICES
-} from "./chunk-SREQAAZC.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/runners/appwarden-on-cloudflare.ts
 import { ZodError } from "zod";

package/index.d.ts

@@ -2,8 +2,50 @@ export { B as Bindings, C as CSPDirectivesSchema, a as CSPModeSchema, M as Middl
 import { z } from 'zod';
 
 declare const LOCKDOWN_TEST_EXPIRY_MS: number;
+declare const APPWARDEN_HEARTBEAT_ROUTE = "/_appwarden/heartbeat";
+declare const HEARTBEAT_CONTRACT_VERSION: 1;
+declare const HEARTBEAT_VERSION_MAX_LENGTH = 128;
+/**
+ * Maximum number of public heartbeat config errors.
+ * Prevents unbounded response sizes.
+ */
+declare const HEARTBEAT_CONFIG_ERROR_MAX_COUNT = 10;
+/**
+ * Maximum path depth for public heartbeat config errors.
+ * Prevents deeply nested paths from being exposed.
+ */
+declare const HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH = 10;
+/**
+ * Maximum length for public heartbeat config error codes.
+ * Keeps error codes within the contract bounds.
+ */
+declare const HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH = 100;
+/**
+ * Maximum length for public heartbeat config error messages.
+ * Prevents excessively long messages from being exposed.
+ */
+declare const HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH = 500;
+declare const HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES: number;
+declare const HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES: number;
+/**
+ * Maximum length for individual public heartbeat config error path segments.
+ * Prevents excessively long path segments from being exposed.
+ */
+declare const HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH = 100;
 declare const APPWARDEN_CACHE_KEY: "appwarden-lock";
 declare const HEARTBEAT_SERVICE_VALUES: readonly ["cloudflare", "cloudflare-astro", "cloudflare-react-router", "cloudflare-tanstack-start", "cloudflare-nextjs", "vercel"];
+/**
+ * Service identifiers for different middleware adapters.
+ * These are hardcoded per adapter bundle.
+ */
+declare const HEARTBEAT_SERVICES: {
+    readonly CLOUDFLARE: "cloudflare";
+    readonly CLOUDFLARE_ASTRO: "cloudflare-astro";
+    readonly CLOUDFLARE_REACT_ROUTER: "cloudflare-react-router";
+    readonly CLOUDFLARE_TANSTACK_START: "cloudflare-tanstack-start";
+    readonly CLOUDFLARE_NEXTJS: "cloudflare-nextjs";
+    readonly VERCEL: "vercel";
+};
 
 /**
  * Service identifiers for different middleware adapters.
@@ -894,4 +936,4 @@ declare const LockValue: z.ZodObject<{
 }>;
 type LockValueType = z.infer<typeof LockValue>;
 
-export { APPWARDEN_CACHE_KEY, type HeartbeatConfigError, HeartbeatConfigErrorSchema, type HeartbeatResponseBody, HeartbeatResponseBodySchema, type HeartbeatService, LOCKDOWN_TEST_EXPIRY_MS, type LockValueType, UseAppwardenInputSchema, getEdgeConfigId, isCacheUrl, isValidCacheUrl, validateHeartbeatResponseBody };
+export { APPWARDEN_CACHE_KEY, APPWARDEN_HEARTBEAT_ROUTE, HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES, HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH, HEARTBEAT_CONFIG_ERROR_MAX_COUNT, HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH, HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH, HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH, HEARTBEAT_CONTRACT_VERSION, HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES, HEARTBEAT_SERVICES, HEARTBEAT_SERVICE_VALUES, HEARTBEAT_VERSION_MAX_LENGTH, type HeartbeatConfigError, HeartbeatConfigErrorSchema, type HeartbeatResponseBody, HeartbeatResponseBodySchema, type HeartbeatService, LOCKDOWN_TEST_EXPIRY_MS, type LockValueType, UseAppwardenInputSchema, getEdgeConfigId, isCacheUrl, isValidCacheUrl, validateHeartbeatResponseBody };

package/index.js

@@ -5,20 +5,44 @@ import {
 } from "./chunk-QEFORWCW.js";
 import {
   UseAppwardenInputSchema
-} from "./chunk-GNDWHKJ5.js";
+} from "./chunk-UBWPR24M.js";
 import {
   APPWARDEN_CACHE_KEY,
+  APPWARDEN_HEARTBEAT_ROUTE,
   CSPDirectivesSchema,
   CSPModeSchema,
+  HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
+  HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
+  HEARTBEAT_CONTRACT_VERSION,
+  HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_SERVICES,
+  HEARTBEAT_SERVICE_VALUES,
+  HEARTBEAT_VERSION_MAX_LENGTH,
   HeartbeatConfigErrorSchema,
   HeartbeatResponseBodySchema,
   LOCKDOWN_TEST_EXPIRY_MS,
   validateHeartbeatResponseBody
-} from "./chunk-SREQAAZC.js";
+} from "./chunk-OIEAURS7.js";
 export {
   APPWARDEN_CACHE_KEY,
+  APPWARDEN_HEARTBEAT_ROUTE,
   CSPDirectivesSchema,
   CSPModeSchema,
+  HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
+  HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
+  HEARTBEAT_CONTRACT_VERSION,
+  HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_SERVICES,
+  HEARTBEAT_SERVICE_VALUES,
+  HEARTBEAT_VERSION_MAX_LENGTH,
   HeartbeatConfigErrorSchema,
   HeartbeatResponseBodySchema,
   LOCKDOWN_TEST_EXPIRY_MS,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appwarden/middleware",
-  "version": "3.13.0",
+  "version": "3.13.1",
   "description": "Instantly disable all user interaction with your app deployed on Cloudflare or Vercel",
   "type": "module",
   "license": "MIT",
@@ -58,7 +58,7 @@
     "node": ">=24"
   },
   "dependencies": {
-    "@upstash/redis": "^1.36.3",
+    "@upstash/redis": "^1.36.4",
     "@vercel/edge-config": "^1.4.3",
     "zod": "^3.25.76"
   },

package/vercel.js

@@ -20,7 +20,7 @@ import {
   makeCSPHeader,
   printMessage,
   sanitizeConfigErrors
-} from "./chunk-2ZSJUEHK.js";
+} from "./chunk-U7E4KM2B.js";
 import {
   APPWARDEN_CACHE_KEY,
   AppwardenApiHostnameSchema,
@@ -30,7 +30,7 @@ import {
   LockValue,
   errors,
   globalErrors
-} from "./chunk-SREQAAZC.js";
+} from "./chunk-OIEAURS7.js";
 
 // src/runners/appwarden-on-vercel.ts
 import { waitUntil } from "@vercel/functions";