@appwarden/middleware 3.14.0 → 3.15.0

package/README.md

@@ -4,7 +4,7 @@
 [![GitHub](https://img.shields.io/badge/GitHub-appwarden%2Fmiddleware-181717?logo=github&logoColor=white)](https://github.com/appwarden/middleware)
 [![npm version](https://img.shields.io/npm/v/@appwarden/middleware.svg)](https://www.npmjs.com/package/@appwarden/middleware)
 [![npm provenance](https://img.shields.io/badge/npm-provenance-green)](https://docs.npmjs.com/generating-provenance-statements)
-![Test Coverage](https://img.shields.io/badge/coverage-93.71%25-brightgreen)
+![Test Coverage](https://img.shields.io/badge/coverage-93.34%25-brightgreen)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
 ## Core Features

package/{chunk-NC2TN3D5.js → chunk-2R3NOSYY.js}

@@ -11,10 +11,18 @@ import {
   LOCKDOWN_TEST_EXPIRY_MS,
   MIDDLEWARE_VERSION,
   validateHeartbeatResponseBody
-} from "./chunk-FE7E5Q5F.js";
+} from "./chunk-4U4OJ6SP.js";
 
 // src/utils/build-lock-page-url.ts
+function isValidLockPageSlug(lockPageSlug) {
+  return !lockPageSlug.includes("://") && !lockPageSlug.startsWith("//") && !lockPageSlug.includes("\\");
+}
 function normalizeLockPageSlug(lockPageSlug) {
+  if (!isValidLockPageSlug(lockPageSlug)) {
+    throw new Error(
+      `Invalid lockPageSlug: "${lockPageSlug}". Absolute or protocol-relative URLs are not allowed.`
+    );
+  }
   return lockPageSlug.startsWith("/") ? lockPageSlug : `/${lockPageSlug}`;
 }
 function buildLockPageUrl(lockPageSlug, requestUrl) {
@@ -468,6 +476,45 @@ var makeCSPHeader = (cspNonce, directives, mode) => {
   ];
 };
 
+// src/utils/get-appwarden-configuration.ts
+function toDirectiveRecord(value) {
+  if (typeof value === "string") {
+    try {
+      const parsed = JSON.parse(value);
+      return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
+    } catch {
+      throw new Error("contentSecurityPolicy.directives must be valid JSON");
+    }
+  }
+  return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
+function mergeAdapterConfig(generated, callSite) {
+  const merged = { ...generated };
+  for (const key of Object.keys(callSite)) {
+    if (key === "contentSecurityPolicy") {
+      if (callSite[key] === void 0) {
+        continue;
+      }
+      const genCsp = generated[key] || {};
+      const siteCsp = callSite[key] || {};
+      merged[key] = {
+        mode: siteCsp.mode ?? genCsp.mode ?? void 0,
+        directives: {
+          ...toDirectiveRecord(genCsp.directives),
+          ...toDirectiveRecord(siteCsp.directives)
+        }
+      };
+    } else if (callSite[key] !== void 0) {
+      merged[key] = callSite[key];
+    }
+  }
+  return merged;
+}
+function parseMergedConfig(generatedConfig, callSiteConfig, parseSchema) {
+  const merged = mergeAdapterConfig(generatedConfig, callSiteConfig);
+  return parseSchema(merged);
+}
+
 export {
   buildLockPageUrl,
   isOnLockPage,
@@ -482,5 +529,6 @@ export {
   handleHeartbeatRequest,
   isHTMLResponse,
   isHTMLRequest,
-  makeCSPHeader
+  makeCSPHeader,
+  parseMergedConfig
 };

package/{chunk-YPF5MTU3.js → chunk-3CC6CMAB.js}

@@ -1,10 +1,10 @@
 import {
   isHTMLResponse,
   makeCSPHeader
-} from "./chunk-NC2TN3D5.js";
+} from "./chunk-2R3NOSYY.js";
 import {
   UseCSPInputSchema
-} from "./chunk-FE7E5Q5F.js";
+} from "./chunk-4U4OJ6SP.js";
 
 // src/middlewares/use-content-security-policy.ts
 var AppendAttribute = (attribute, nonce) => ({

package/{chunk-FE7E5Q5F.js → chunk-4U4OJ6SP.js}

@@ -1,5 +1,5 @@
 // src/version.ts
-var MIDDLEWARE_VERSION = "3.13.4";
+var MIDDLEWARE_VERSION = "3.14.1";
 
 // src/constants.ts
 var LOCKDOWN_TEST_EXPIRY_MS = 5 * 60 * 1e3;
@@ -160,12 +160,30 @@ var AppwardenApiHostnameSchema = z3.string().url({
   message: "Invalid `appwardenApiHostname`. Please provide an absolute URL (e.g. https://api.appwarden.io)."
 }).refine((value) => value.startsWith("https://"), {
   message: "`appwardenApiHostname` must use the https:// scheme (e.g. https://api.appwarden.io)."
-});
+}).refine(
+  (value) => {
+    try {
+      const hostname = new URL(value).hostname;
+      return hostname === "api.appwarden.io" || hostname === "staging-api.appwarden.io";
+    } catch {
+      return false;
+    }
+  },
+  {
+    message: "`appwardenApiHostname` must be https://api.appwarden.io or https://staging-api.appwarden.io."
+  }
+);
 var LockValue = z3.object({
   isLocked: z3.number(),
   isLockedTest: z3.number(),
   lastCheck: z3.number()
 });
+var ValidLockPageSlugSchema = z3.string().refine(
+  (val) => !val.includes("://") && !val.startsWith("//") && !val.includes("\\"),
+  {
+    message: "lockPageSlug must be a relative path"
+  }
+);
 
 // src/schemas/use-content-security-policy.ts
 var CSPDirectivesSchema = z4.union([
@@ -221,6 +239,7 @@ export {
   AppwardenApiTokenSchema,
   AppwardenApiHostnameSchema,
   LockValue,
+  ValidLockPageSlugSchema,
   HeartbeatConfigErrorSchema,
   HeartbeatResponseBodySchema,
   validateHeartbeatResponseBody,

package/{chunk-VVE7MFVZ.js → chunk-55QG265Y.js}

@@ -1,6 +1,6 @@
 import {
   useContentSecurityPolicy
-} from "./chunk-YPF5MTU3.js";
+} from "./chunk-3CC6CMAB.js";
 
 // src/utils/apply-content-security-policy-to-response.ts
 var applyContentSecurityPolicyToResponse = async ({

package/{chunk-HKPJZTYK.js → chunk-PIVEQ7QB.js}

@@ -2,22 +2,23 @@ import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
-  UseCSPInputSchema
-} from "./chunk-FE7E5Q5F.js";
+  UseCSPInputSchema,
+  ValidLockPageSlugSchema
+} from "./chunk-4U4OJ6SP.js";
 
 // src/schemas/use-appwarden.ts
 import { z } from "zod";
 var AppwardenMultidomainConfigSchema = z.record(
   z.string(),
   z.object({
-    lockPageSlug: z.string(),
+    lockPageSlug: ValidLockPageSlugSchema,
     contentSecurityPolicy: z.lazy(() => UseCSPInputSchema).optional(),
     debug: BooleanSchema.optional()
   })
 );
 var UseAppwardenInputSchema = z.object({
   debug: BooleanSchema.default(false),
-  lockPageSlug: z.string().optional(),
+  lockPageSlug: ValidLockPageSlugSchema.optional(),
   contentSecurityPolicy: z.lazy(() => UseCSPInputSchema).optional(),
   multidomainConfig: AppwardenMultidomainConfigSchema.optional(),
   appwardenApiToken: AppwardenApiTokenSchema,

package/{chunk-GMWSGC6T.js → chunk-PZ3M7SYD.js}

@@ -2,13 +2,14 @@ import {
   MemoryCache,
   debug,
   printMessage
-} from "./chunk-NC2TN3D5.js";
+} from "./chunk-2R3NOSYY.js";
 import {
   APPWARDEN_CACHE_KEY,
   APPWARDEN_MIDDLEWARE_USER_AGENT,
   APPWARDEN_TEST_ROUTE,
+  AppwardenApiHostnameSchema,
   LockValue
-} from "./chunk-FE7E5Q5F.js";
+} from "./chunk-4U4OJ6SP.js";
 
 // src/utils/cloudflare/cloudflare-cache.ts
 var store = {
@@ -122,9 +123,18 @@ var APIError = class extends Error {
   }
 };
 var DEFAULT_API_HOSTNAME = "https://api.appwarden.io";
+var API_TIMEOUT_MS = 1e4;
+function resolveApiHostname(hostname) {
+  if (!hostname) return DEFAULT_API_HOSTNAME;
+  const parsed = AppwardenApiHostnameSchema.safeParse(hostname);
+  if (!parsed.success) return DEFAULT_API_HOSTNAME;
+  return parsed.data;
+}
 var syncEdgeValue = async (context) => {
-  const apiHostname = context.appwardenApiHostname ?? DEFAULT_API_HOSTNAME;
+  const apiHostname = resolveApiHostname(context.appwardenApiHostname);
   context.debug(`GET ${apiHostname}`);
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), API_TIMEOUT_MS);
   try {
     const response = await fetch(new URL("/v1/appwarden/status", apiHostname), {
       method: "POST",
@@ -137,7 +147,8 @@ var syncEdgeValue = async (context) => {
         provider: context.provider,
         fqdn: context.requestUrl.hostname,
         appwardenApiToken: context.appwardenApiToken
-      })
+      }),
+      signal: controller.signal
     });
     if (response.status === 403) {
       console.log(
@@ -177,6 +188,8 @@ var syncEdgeValue = async (context) => {
         e instanceof APIError ? e.message : e instanceof Error ? `${message}: ${e.message}` : message
       )
     );
+  } finally {
+    clearTimeout(timeout);
   }
 };
 

package/cloudflare/astro.d.ts

@@ -1,4 +1,4 @@
-import { MiddlewareHandler } from 'astro';
+import { APIContext } from 'astro';
 import { z } from 'zod';
 
 /**
@@ -7,11 +7,11 @@ import { z } from 'zod';
  */
 declare const AstroCloudflareConfigSchema: z.ZodObject<{
     /** The slug/path of the lock page to redirect to when the site is locked */
-    lockPageSlug: z.ZodString;
+    lockPageSlug: z.ZodEffects<z.ZodString, string, string>;
     /** The Appwarden API token for authentication */
     appwardenApiToken: z.ZodEffects<z.ZodString, string, string>;
     /** Optional custom API hostname (defaults to https://api.appwarden.io) */
-    appwardenApiHostname: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
+    appwardenApiHostname: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>>;
     /** Enable debug logging */
     debug: z.ZodDefault<z.ZodEffects<z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodBoolean]>>, boolean, string | boolean | undefined>>;
     /** Optional Content Security Policy configuration */
@@ -350,6 +350,13 @@ type AstroCloudflareConfig = z.infer<typeof AstroCloudflareConfigSchema>;
  */
 type AstroCloudflareConfigInput = z.input<typeof AstroCloudflareConfigSchema>;
 
+/**
+ * Build-time helper that merges generated config with call-site overrides.
+ *
+ * Call-site config has highest priority, followed by framework headers,
+ * then remote Appwarden configuration.
+ */
+declare function getAppwardenConfiguration(generatedConfig: Record<string, unknown>, config: Partial<AstroCloudflareConfigInput>): AstroCloudflareConfig;
 /**
  * Normalized Cloudflare runtime context exposed to Appwarden config functions.
  *
@@ -378,7 +385,7 @@ type AstroAppwardenConfig = AstroCloudflareConfig;
  * This allows dynamic configuration based on environment variables.
  * Accepts pre-transformation input types (e.g., string | boolean for debug, string | object for CSP directives).
  */
-type AstroConfigFn = (runtime: AstroCloudflareRuntime) => AstroCloudflareConfigInput;
+type AstroConfigFn = (runtime: AstroCloudflareRuntime) => AstroCloudflareConfigInput | AstroCloudflareConfig;
 /**
  * Creates an Appwarden middleware function for Astro.
  *
@@ -402,6 +409,6 @@ type AstroConfigFn = (runtime: AstroCloudflareRuntime) => AstroCloudflareConfigI
  * @param configFn - A function that receives the Cloudflare runtime and returns the config
  * @returns An Astro middleware function
  */
-declare function createAppwardenMiddleware(configFn: AstroConfigFn): MiddlewareHandler;
+declare function createAppwardenMiddleware(configFn: AstroConfigFn): (context: APIContext, next: () => Promise<Response>) => Promise<Response>;
 
-export { type AstroAppwardenConfig, type AstroCloudflareConfig, type AstroCloudflareConfigInput, type AstroCloudflareRuntime, type AstroConfigFn, createAppwardenMiddleware };
+export { type AstroAppwardenConfig, type AstroCloudflareConfig, type AstroCloudflareConfigInput, type AstroCloudflareRuntime, type AstroConfigFn, createAppwardenMiddleware, getAppwardenConfiguration };

package/cloudflare/astro.js

@@ -1,15 +1,15 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-VVE7MFVZ.js";
-import "../chunk-YPF5MTU3.js";
+} from "../chunk-55QG265Y.js";
+import "../chunk-3CC6CMAB.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-GMWSGC6T.js";
+} from "../chunk-PZ3M7SYD.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
@@ -20,16 +20,18 @@ import {
   isHTMLRequest,
   isHeartbeatRequest,
   isOnLockPage,
+  parseMergedConfig,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-NC2TN3D5.js";
+} from "../chunk-2R3NOSYY.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
-  UseCSPInputSchema
-} from "../chunk-FE7E5Q5F.js";
+  UseCSPInputSchema,
+  ValidLockPageSlugSchema
+} from "../chunk-4U4OJ6SP.js";
 
 // src/adapters/astro-cloudflare.ts
 import { env as cloudflareEnv, waitUntil } from "cloudflare:workers";
@@ -38,7 +40,7 @@ import { env as cloudflareEnv, waitUntil } from "cloudflare:workers";
 import { z } from "zod";
 var AstroCloudflareConfigSchema = z.object({
   /** The slug/path of the lock page to redirect to when the site is locked */
-  lockPageSlug: z.string(),
+  lockPageSlug: ValidLockPageSlugSchema,
   /** The Appwarden API token for authentication */
   appwardenApiToken: AppwardenApiTokenSchema,
   /** Optional custom API hostname (defaults to https://api.appwarden.io) */
@@ -50,6 +52,13 @@ var AstroCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/astro-cloudflare.ts
+function getAppwardenConfiguration(generatedConfig, config) {
+  return parseMergedConfig(
+    generatedConfig,
+    config,
+    AstroCloudflareConfigSchema.parse
+  );
+}
 var createAstroHeartbeatResponse = (request, runtime, configFn) => {
   if (!runtime) {
     return handleHeartbeatRequest(
@@ -202,5 +211,6 @@ function createAppwardenMiddleware(configFn) {
   };
 }
 export {
-  createAppwardenMiddleware
+  createAppwardenMiddleware,
+  getAppwardenConfiguration
 };

package/cloudflare/nextjs.d.ts

@@ -7,11 +7,11 @@ import { z } from 'zod';
  */
 declare const NextJsCloudflareConfigSchema: z.ZodObject<{
     /** The slug/path of the lock page to redirect to when the site is locked */
-    lockPageSlug: z.ZodString;
+    lockPageSlug: z.ZodEffects<z.ZodString, string, string>;
     /** The Appwarden API token for authentication */
     appwardenApiToken: z.ZodEffects<z.ZodString, string, string>;
     /** Optional custom API hostname (defaults to https://api.appwarden.io) */
-    appwardenApiHostname: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
+    appwardenApiHostname: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>>;
     /** Enable debug logging */
     debug: z.ZodDefault<z.ZodEffects<z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodBoolean]>>, boolean, string | boolean | undefined>>;
     /** Optional Content Security Policy configuration (headers only, no HTML rewriting; '{{nonce}}' is not supported) */
@@ -410,6 +410,7 @@ type NextJsCloudflareConfig = z.infer<typeof NextJsCloudflareConfigSchema>;
  */
 type NextJsCloudflareConfigInput = z.input<typeof NextJsCloudflareConfigSchema>;
 
+declare function getAppwardenConfiguration(generatedConfig: Record<string, unknown>, config: Partial<NextJsCloudflareConfigInput>): NextJsCloudflareConfig;
 /**
  * Cloudflare runtime context provided by @opennextjs/cloudflare.
  * This is the shape of the context returned by getCloudflareContext().
@@ -432,7 +433,7 @@ type NextJsCloudflareAppwardenConfig = NextJsCloudflareConfig;
  * This allows dynamic configuration based on environment variables.
  * Accepts pre-transformation input types (e.g., string | boolean for debug, string | object for CSP directives).
  */
-type NextJsCloudflareConfigFn = (runtime: NextJsCloudflareRuntime) => NextJsCloudflareConfigInput;
+type NextJsCloudflareConfigFn = (runtime: NextJsCloudflareRuntime) => NextJsCloudflareConfigInput | NextJsCloudflareConfig;
 /**
  * Next.js middleware function signature.
  * Compatible with both middleware.ts and proxy.ts (Next.js 16+).
@@ -464,4 +465,4 @@ type NextJsMiddlewareFunction = (request: NextRequest, event?: NextFetchEvent) =
  */
 declare function createAppwardenMiddleware(configFn: NextJsCloudflareConfigFn): NextJsMiddlewareFunction;
 
-export { type NextJsCloudflareAppwardenConfig, type NextJsCloudflareConfig, type NextJsCloudflareConfigFn, type NextJsCloudflareConfigInput, type NextJsCloudflareRuntime, type NextJsMiddlewareFunction, createAppwardenMiddleware };
+export { type NextJsCloudflareAppwardenConfig, type NextJsCloudflareConfig, type NextJsCloudflareConfigFn, type NextJsCloudflareConfigInput, type NextJsCloudflareRuntime, type NextJsMiddlewareFunction, createAppwardenMiddleware, getAppwardenConfiguration };

package/cloudflare/nextjs.js

@@ -7,7 +7,7 @@ import {
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-GMWSGC6T.js";
+} from "../chunk-PZ3M7SYD.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
@@ -18,16 +18,18 @@ import {
   isHeartbeatRequest,
   isOnLockPage,
   makeCSPHeader,
+  parseMergedConfig,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-NC2TN3D5.js";
+} from "../chunk-2R3NOSYY.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
-  UseCSPInputSchema
-} from "../chunk-FE7E5Q5F.js";
+  UseCSPInputSchema,
+  ValidLockPageSlugSchema
+} from "../chunk-4U4OJ6SP.js";
 
 // src/adapters/nextjs-cloudflare.ts
 import { getCloudflareContext } from "@opennextjs/cloudflare";
@@ -50,7 +52,7 @@ var NextJsCloudflareCSPInputSchema = UseCSPInputSchema.refine(
 );
 var NextJsCloudflareConfigSchema = z.object({
   /** The slug/path of the lock page to redirect to when the site is locked */
-  lockPageSlug: z.string(),
+  lockPageSlug: ValidLockPageSlugSchema,
   /** The Appwarden API token for authentication */
   appwardenApiToken: AppwardenApiTokenSchema,
   /** Optional custom API hostname (defaults to https://api.appwarden.io) */
@@ -62,6 +64,13 @@ var NextJsCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/nextjs-cloudflare.ts
+function getAppwardenConfiguration(generatedConfig, config) {
+  return parseMergedConfig(
+    generatedConfig,
+    config,
+    NextJsCloudflareConfigSchema.parse
+  );
+}
 var createNextJsHeartbeatResponse = (request, configFn) => {
   let runtime;
   try {
@@ -174,5 +183,6 @@ function createAppwardenMiddleware(configFn) {
   };
 }
 export {
-  createAppwardenMiddleware
+  createAppwardenMiddleware,
+  getAppwardenConfiguration
 };

package/cloudflare/react-router.d.ts

@@ -6,11 +6,11 @@ import { z } from 'zod';
  */
 declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
     /** The slug/path of the lock page to redirect to when the site is locked */
-    lockPageSlug: z.ZodString;
+    lockPageSlug: z.ZodEffects<z.ZodString, string, string>;
     /** The Appwarden API token for authentication */
     appwardenApiToken: z.ZodEffects<z.ZodString, string, string>;
     /** Optional custom API hostname (defaults to https://api.appwarden.io) */
-    appwardenApiHostname: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
+    appwardenApiHostname: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>>;
     /** Enable debug logging */
     debug: z.ZodDefault<z.ZodEffects<z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodBoolean]>>, boolean, string | boolean | undefined>>;
     /** Optional Content Security Policy configuration */
@@ -349,6 +349,7 @@ type ReactRouterCloudflareConfig = z.infer<typeof ReactRouterCloudflareConfigSch
  */
 type ReactRouterAppwardenConfigInput = z.input<typeof ReactRouterCloudflareConfigSchema>;
 
+declare function getAppwardenConfiguration(generatedConfig: Record<string, unknown>, config: Partial<ReactRouterAppwardenConfigInput>): ReactRouterCloudflareConfig;
 /**
  * Configuration function that returns the config.
  * This allows dynamic configuration based on environment variables from cloudflare:workers.
@@ -357,7 +358,7 @@ type ReactRouterAppwardenConfigInput = z.input<typeof ReactRouterCloudflareConfi
  *
  * @param runtime - Optional runtime context (for backward compatibility)
  */
-type ReactRouterConfigFn = (runtime?: unknown) => ReactRouterAppwardenConfigInput;
+type ReactRouterConfigFn = (runtime?: unknown) => ReactRouterAppwardenConfigInput | ReactRouterCloudflareConfig;
 /**
  * React Router middleware function signature.
  * This matches the unstable_middleware export type in React Router v7.
@@ -392,4 +393,4 @@ type ReactRouterMiddlewareFunction = (args: ReactRouterMiddlewareArgs, next: ()
  */
 declare function createAppwardenMiddleware(configFn: ReactRouterConfigFn): ReactRouterMiddlewareFunction;
 
-export { type ReactRouterAppwardenConfigInput, type ReactRouterCloudflareConfig, type ReactRouterConfigFn, type ReactRouterMiddlewareArgs, type ReactRouterMiddlewareFunction, createAppwardenMiddleware };
+export { type ReactRouterAppwardenConfigInput, type ReactRouterCloudflareConfig, type ReactRouterConfigFn, type ReactRouterMiddlewareArgs, type ReactRouterMiddlewareFunction, createAppwardenMiddleware, getAppwardenConfiguration };

package/cloudflare/react-router.js

@@ -1,15 +1,15 @@
 import {
   applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-VVE7MFVZ.js";
-import "../chunk-YPF5MTU3.js";
+} from "../chunk-55QG265Y.js";
+import "../chunk-3CC6CMAB.js";
 import {
   getNowMs,
   logElapsed
 } from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-GMWSGC6T.js";
+} from "../chunk-PZ3M7SYD.js";
 import {
   buildLockPageUrl,
   createHeartbeatConfigError,
@@ -19,16 +19,18 @@ import {
   isHTMLRequest,
   isHeartbeatRequest,
   isOnLockPage,
+  parseMergedConfig,
   printMessage,
   sanitizeConfigErrors
-} from "../chunk-NC2TN3D5.js";
+} from "../chunk-2R3NOSYY.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
   BooleanSchema,
   HEARTBEAT_SERVICES,
-  UseCSPInputSchema
-} from "../chunk-FE7E5Q5F.js";
+  UseCSPInputSchema,
+  ValidLockPageSlugSchema
+} from "../chunk-4U4OJ6SP.js";
 
 // src/adapters/react-router-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";
@@ -37,7 +39,7 @@ import { waitUntil } from "cloudflare:workers";
 import { z } from "zod";
 var ReactRouterCloudflareConfigSchema = z.object({
   /** The slug/path of the lock page to redirect to when the site is locked */
-  lockPageSlug: z.string(),
+  lockPageSlug: ValidLockPageSlugSchema,
   /** The Appwarden API token for authentication */
   appwardenApiToken: AppwardenApiTokenSchema,
   /** Optional custom API hostname (defaults to https://api.appwarden.io) */
@@ -49,6 +51,13 @@ var ReactRouterCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/react-router-cloudflare.ts
+function getAppwardenConfiguration(generatedConfig, config) {
+  return parseMergedConfig(
+    generatedConfig,
+    config,
+    ReactRouterCloudflareConfigSchema.parse
+  );
+}
 var createConfigEvaluationHeartbeatResponse = (request) => {
   return handleHeartbeatRequest(
     request,
@@ -163,5 +172,6 @@ function createAppwardenMiddleware(configFn) {
   };
 }
 export {
-  createAppwardenMiddleware
+  createAppwardenMiddleware,
+  getAppwardenConfiguration
 };

package/cloudflare/tanstack-start.d.ts

@@ -6,11 +6,11 @@ import { z } from 'zod';
  */
 declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
     /** The slug/path of the lock page to redirect to when the site is locked */
-    lockPageSlug: z.ZodString;
+    lockPageSlug: z.ZodEffects<z.ZodString, string, string>;
     /** The Appwarden API token for authentication */
     appwardenApiToken: z.ZodEffects<z.ZodString, string, string>;
     /** Optional custom API hostname (defaults to https://api.appwarden.io) */
-    appwardenApiHostname: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
+    appwardenApiHostname: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>>;
     /** Enable debug logging */
     debug: z.ZodDefault<z.ZodEffects<z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodBoolean]>>, boolean, string | boolean | undefined>>;
     /** Optional Content Security Policy configuration */
@@ -343,12 +343,14 @@ declare const TanStackStartCloudflareConfigSchema: z.ZodObject<{
 type TanStackStartCloudflareConfig = z.infer<typeof TanStackStartCloudflareConfigSchema>;
 type TanStackStartCloudflareConfigInput = z.input<typeof TanStackStartCloudflareConfigSchema>;
 
+declare function getAppwardenConfiguration(generatedConfig: Record<string, unknown>, config: Partial<TanStackStartCloudflareConfigInput>): TanStackStartCloudflareConfig;
+
 /**
  * Configuration function that returns the config.
  * This allows dynamic configuration based on environment variables from cloudflare:workers.
  * Accepts pre-transformation input types (e.g., string | boolean for debug, string | object for CSP directives).
  */
-type TanStackStartConfigFn = () => TanStackStartCloudflareConfigInput;
+type TanStackStartConfigFn = () => TanStackStartCloudflareConfigInput | TanStackStartCloudflareConfig;
 /**
  * The result returned by the `next()` function in TanStack Start request middleware.
  *
@@ -418,4 +420,4 @@ type TanStackStartMiddlewareFunction = (args: TanStackStartMiddlewareArgs) => Pr
  */
 declare function createAppwardenMiddleware(configFn: TanStackStartConfigFn): TanStackStartMiddlewareFunction;
 
-export { type TanStackStartCloudflareConfig, type TanStackStartCloudflareConfigInput, type TanStackStartConfigFn, type TanStackStartMiddlewareArgs, type TanStackStartMiddlewareFunction, type TanStackStartNextFn, type TanStackStartNextResult, createAppwardenMiddleware };
+export { type TanStackStartCloudflareConfig, type TanStackStartCloudflareConfigInput, type TanStackStartConfigFn, type TanStackStartMiddlewareArgs, type TanStackStartMiddlewareFunction, type TanStackStartNextFn, type TanStackStartNextResult, createAppwardenMiddleware, getAppwardenConfiguration };