Merge branch 'cloudflare:production' into production

Author: Thienlta

patches/@astrojs+starlight-docsearch+0.6.0.patch

@@ -0,0 +1,93 @@
+diff --git a/node_modules/@astrojs/starlight-docsearch/DocSearch.astro b/node_modules/@astrojs/starlight-docsearch/DocSearch.astro
+index f50c208..5309557 100644
+--- a/node_modules/@astrojs/starlight-docsearch/DocSearch.astro
++++ b/node_modules/@astrojs/starlight-docsearch/DocSearch.astro
+@@ -109,15 +109,20 @@ const docsearchTranslations: DocSearchTranslationProps = {
+ 		.DocSearch-Button-Keys {
+ 			margin-inline-start: auto;
+ 		}
+-		.DocSearch-Button-Keys::before {
+-			content: '';
+-			width: 1em;
+-			height: 1em;
+-			-webkit-mask-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M17 2H7a5 5 0 0 0-5 5v10a5 5 0 0 0 5 5h10a5 5 0 0 0 5-5V7a5 5 0 0 0-5-5Zm3 15a3 3 0 0 1-3 3H7a3 3 0 0 1-3-3V7a3 3 0 0 1 3-3h10a3 3 0 0 1 3 3v10Z'%3E%3C/path%3E%3Cpath d='M15.293 6.707a1 1 0 1 1 1.414 1.414l-8.485 8.486a1 1 0 0 1-1.414-1.415l8.485-8.485Z'%3E%3C/path%3E%3C/svg%3E");
+-			mask-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M17 2H7a5 5 0 0 0-5 5v10a5 5 0 0 0 5 5h10a5 5 0 0 0 5-5V7a5 5 0 0 0-5-5Zm3 15a3 3 0 0 1-3 3H7a3 3 0 0 1-3-3V7a3 3 0 0 1 3-3h10a3 3 0 0 1 3 3v10Z'%3E%3C/path%3E%3Cpath d='M15.293 6.707a1 1 0 1 1 1.414 1.414l-8.485 8.486a1 1 0 0 1-1.414-1.415l8.485-8.485Z'%3E%3C/path%3E%3C/svg%3E");
+-			-webkit-mask-size: 100%;
+-			mask-size: 100%;
+-			background-color: currentColor;
++		.DocSearch-Button-Key:first-child {
++			margin-right: 0.4em;
++		}
++		.DocSearch-Button-Key {
++			display: inline-block;
++			font-size: 0.75em;
++			font-weight: 600;
++			opacity: 0.8;
++			border: 1px solid var(--sl-color-gray-4);
++			border-radius: 0.25rem;
++			padding: 0.125rem 0.375rem;
++			background-color: var(--sl-color-gray-6);
++			color: var(--sl-color-gray-1);
++			line-height: 1;
+ 		}
+ 	}
+ </style>
+@@ -128,6 +133,7 @@ const docsearchTranslations: DocSearchTranslationProps = {
+ 	class StarlightDocSearch extends HTMLElement {
+ 		constructor() {
+ 			super();
++
+ 			window.addEventListener('DOMContentLoaded', async () => {
+ 				const { default: docsearch } = await import('@docsearch/js');
+ 				const options = { ...config, container: 'sl-doc-search' };
+@@ -136,6 +142,27 @@ const docsearchTranslations: DocSearchTranslationProps = {
+ 					Object.assign(options, translations);
+ 				} catch {}
+ 				docsearch(options);
++
++				const keyboardShortcuts = options.keyboardShortcuts ?? {};
++				const slashEnabled = keyboardShortcuts?.['/'] !== false;
++				const ctrlCmdKEnabled = keyboardShortcuts?.['Ctrl/Cmd+K'] !== false;
++
++				if (slashEnabled && !ctrlCmdKEnabled) {
++					const styleContainer = document.createElement('style');
++					styleContainer.innerHTML = `
++						.DocSearch-Button-Keys::before {
++							content: '';
++							width: 1em;
++							height: 1em;
++							-webkit-mask-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M17 2H7a5 5 0 0 0-5 5v10a5 5 0 0 0 5 5h10a5 5 0 0 0 5-5V7a5 5 0 0 0-5-5Zm3 15a3 3 0 0 1-3 3H7a3 3 0 0 1-3-3V7a3 3 0 0 1 3-3h10a3 3 0 0 1 3 3v10Z'%3E%3C/path%3E%3Cpath d='M15.293 6.707a1 1 0 1 1 1.414 1.414l-8.485 8.486a1 1 0 0 1-1.414-1.415l8.485-8.485Z'%3E%3C/path%3E%3C/svg%3E");
++							mask-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M17 2H7a5 5 0 0 0-5 5v10a5 5 0 0 0 5 5h10a5 5 0 0 0 5-5V7a5 5 0 0 0-5-5Zm3 15a3 3 0 0 1-3 3H7a3 3 0 0 1-3-3V7a3 3 0 0 1 3-3h10a3 3 0 0 1 3 3v10Z'%3E%3C/path%3E%3Cpath d='M15.293 6.707a1 1 0 1 1 1.414 1.414l-8.485 8.486a1 1 0 0 1-1.414-1.415l8.485-8.485Z'%3E%3C/path%3E%3C/svg%3E");
++							-webkit-mask-size: 100%;
++							mask-size: 100%;
++							background-color: currentColor;
++						}
++					`;
++					document.head.appendChild(styleContainer);
++				}
+ 			});
+ 		}
+ 	}
+diff --git a/node_modules/@astrojs/starlight-docsearch/index.ts b/node_modules/@astrojs/starlight-docsearch/index.ts
+index e8cc7e5..6c88e07 100644
+--- a/node_modules/@astrojs/starlight-docsearch/index.ts
++++ b/node_modules/@astrojs/starlight-docsearch/index.ts
+@@ -43,6 +43,18 @@ const DocSearchConfigSchema = z
+ 		 * @see https://www.algolia.com/doc/api-reference/search-api-parameters/
+ 		 */
+ 		searchParameters: z.custom<SearchOptions>(),
++		/**
++		 * Configuration for keyboard shortcuts that trigger the DocSearch modal.
++		 * @see https://docsearch.algolia.com/docs/api/#keyboardshortcuts
++		 */
++		keyboardShortcuts: z
++			.object({
++				/** Enable/disable Ctrl/Cmd+K shortcut. @default true */
++				'Ctrl/Cmd+K': z.boolean().optional(),
++				/** Enable/disable / shortcut. @default true */
++				'/': z.boolean().optional(),
++			})
++			.optional(),
+ 	})
+ 	.strict()
+ 	.or(

patches/@docsearch+js+3.8.2.patch

@@ -10,17 +10,37 @@
 
 <script>
 	import { track } from "~/util/zaraz";
+	import { openGlobalSearch } from "~/util/search";
 
 	const { pathname } = window.location;
 
 	const anchor = document.getElementById("404-search-link");
+	const pretty = decodeURIComponent(
+		pathname.replaceAll("/", " ").replaceAll("-", " ").trim(),
+	);
 
 	if (anchor) {
-		const pretty = pathname.replaceAll("/", " ").replaceAll("-", " ").trim();
-
 		anchor.setAttribute("href", `/search/?q=${encodeURIComponent(pretty)}`);
 		anchor.addEventListener("click", () => {
 			track("serp from location", { value: "404", query: pretty });
 		});
 	}
+
+	document.addEventListener(
+		"keydown",
+		(keyboardEvent) => {
+			if (
+				(keyboardEvent.metaKey || keyboardEvent.ctrlKey) &&
+				keyboardEvent.key === "k"
+			) {
+				keyboardEvent.preventDefault();
+				keyboardEvent.stopPropagation();
+
+				openGlobalSearch(pretty);
+			}
+		},
+		{
+			capture: true,
+		},
+	);
 </script>

src/components/404.astro

@@ -22,8 +22,9 @@ const [product, module] = Astro.url.pathname.split("/").filter(Boolean);
 		type="text"
 		id="sidebar-search"
 		placeholder="Search sidebar..."
-		class="w-full px-3 py-2 text-sm border border-gray-300 dark:border-gray-600 rounded-md bg-white dark:bg-gray-800 text-gray-900 dark:text-gray-100 placeholder-gray-500 dark:placeholder-gray-400 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-blue-500 dark:focus:ring-orange-500 dark:focus:border-orange-500 transition-colors duration-200"
+		class="w-full px-3 py-2 pr-10 text-sm border border-gray-300 dark:border-gray-600 rounded-md bg-white dark:bg-gray-800 text-gray-900 dark:text-gray-100 placeholder-gray-500 dark:placeholder-gray-400 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-blue-500 dark:focus:ring-orange-500 dark:focus:border-orange-500 transition-colors duration-200"
 	/>
+	<div class="sidebar-search-icon"></div>
 </div>
 
 <!-- No Results Message -->
@@ -37,7 +38,9 @@ const [product, module] = Astro.url.pathname.split("/").filter(Boolean);
 <Default><slot /></Default>
 
 <script>
-	import { track } from "~/util/zaraz"
+	import { track } from "~/util/zaraz";
+	import { openGlobalSearch } from "~/util/search";
+
 	function initSidebarSearch() {
 		const searchInput = document.getElementById('sidebar-search') as HTMLInputElement;
 		const noResultsMessage = document.getElementById('sidebar-no-results') as HTMLElement;
@@ -230,31 +233,33 @@ const [product, module] = Astro.url.pathname.split("/").filter(Boolean);
 		globalSearchLink.addEventListener('click', () => {
 			const currentQuery = searchInput.value.trim();
 			if (currentQuery) {
-				// Try multiple selectors for DocSearch
-				const docSearchButton = document.querySelector('#docsearch button') as HTMLButtonElement ||
-					document.querySelector('.DocSearch-Button') as HTMLButtonElement ||
-					document.querySelector('[data-docsearch-button]') as HTMLButtonElement;
-
-				if (docSearchButton) {
-					// Click the DocSearch button to open the modal
-					docSearchButton.click();
-
-					// Wait for modal to open and set the search term
-					setTimeout(() => {
-						const searchInput = document.querySelector('.DocSearch-Input') as HTMLInputElement ||
-							document.querySelector('#docsearch-input') as HTMLInputElement ||
-							document.querySelector('[data-docsearch-input]') as HTMLInputElement;
-
-						if (searchInput) {
-							searchInput.value = currentQuery;
-							searchInput.focus();
-							// Trigger search
-							searchInput.dispatchEvent(new Event('input', { bubbles: true }));
-						}
-					}, 100);
-				}
+				openGlobalSearch(currentQuery);
 			}
 		});
+
+		document.addEventListener(
+			"keydown",
+			(keyboardEvent) => {
+				const target = keyboardEvent.target;
+
+				const isInput =
+					target instanceof EventTarget &&
+					(("tagName" in target &&
+						(target.tagName === "INPUT" ||
+							target.tagName === "TEXTAREA" ||
+							target.tagName === "SELECT")) ||
+						("isContentEditable" in target && target.isContentEditable));
+
+				if (keyboardEvent.key === "/" && !isInput) {
+					keyboardEvent.preventDefault();
+					keyboardEvent.stopPropagation();
+					searchInput.focus();
+				}
+			},
+			{
+				capture: true,
+			},
+		);
 	}
 
 	// Initialize when DOM is loaded
@@ -269,6 +274,21 @@ const [product, module] = Astro.url.pathname.split("/").filter(Boolean);
 </script>
 
 <style is:global>
+	.sidebar-search-icon {
+		position: absolute;
+		right: 12px;
+		top: 50%;
+		transform: translateY(-50%);
+		width: 1em;
+		height: 1em;
+		-webkit-mask-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M17 2H7a5 5 0 0 0-5 5v10a5 5 0 0 0 5 5h10a5 5 0 0 0 5-5V7a5 5 0 0 0-5-5Zm3 15a3 3 0 0 1-3 3H7a3 3 0 0 1-3-3V7a3 3 0 0 1 3-3h10a3 3 0 0 1 3 3v10Z'%3E%3C/path%3E%3Cpath d='M15.293 6.707a1 1 0 1 1 1.414 1.414l-8.485 8.486a1 1 0 0 1-1.414-1.415l8.485-8.485Z'%3E%3C/path%3E%3C/svg%3E");
+		mask-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M17 2H7a5 5 0 0 0-5 5v10a5 5 0 0 0 5 5h10a5 5 0 0 0 5-5V7a5 5 0 0 0-5-5Zm3 15a3 3 0 0 1-3 3H7a3 3 0 0 1-3-3V7a3 3 0 0 1 3-3h10a3 3 0 0 1 3 3v10Z'%3E%3C/path%3E%3Cpath d='M15.293 6.707a1 1 0 1 1 1.414 1.414l-8.485 8.486a1 1 0 0 1-1.414-1.415l8.485-8.485Z'%3E%3C/path%3E%3C/svg%3E");
+		-webkit-mask-size: 100%;
+		mask-size: 100%;
+		background-color: currentColor;
+		pointer-events: none;
+	}
+
 	:root {
 		.sidebar-content {
 			--sl-color-hairline-light: #cacaca !important;

src/components/overrides/Sidebar.astro

@@ -135,17 +135,19 @@ Your new document entry will replace the original document entry. If your file u
 
 ## AI prompt topics
 
-DLP uses [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls) to detect and categorize prompts submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported prompt topic detections include:
-
-| Detection entry                       | Description                                                                                      |
-| ------------------------------------- | ------------------------------------------------------------------------------------------------ |
-| Content: PII                          | Prompt contains personal information such as names, SSNs, or email addresses                     |
-| Content: Credentials and Secrets      | Prompt contains API keys, passwords, or other sensitive credentials                              |
-| Content: Source Code                  | Prompt contains actual source code, code snippets, or proprietary algorithms                     |
-| Content: Customer Data                | Prompt contains customer names, projects, business activities, or confidential customer contexts |
-| Content: Financial Information        | Prompt contains financial numbers or confidential business data                                  |
-| Intent: PII                           | Prompt requests specific personal information about individuals                                  |
-| Intent: Code Abuse and Malicious Code | Prompt requests malicious code for attacks, exploits, or harmful activities                      |
-| Intent: Jailbreak                     | Prompt attempts to circumvent AI security policies                                               |
-
-To use an AI prompt topic, add it as an existing entry to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile).
+DLP uses [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls) to detect and categorize prompts submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported AI prompt protection detections include:
+
+| Detection entry                       | Description                                                                                       |
+| ------------------------------------- | ------------------------------------------------------------------------------------------------- |
+| Content: PII                          | Prompt contains personal information such as names, SSNs, or email addresses.                     |
+| Content: Credentials and Secrets      | Prompt contains API keys, passwords, or other sensitive credentials.                              |
+| Content: Source Code                  | Prompt contains actual source code, code snippets, or proprietary algorithms.                     |
+| Content: Customer Data                | Prompt contains customer names, projects, business activities, or confidential customer contexts. |
+| Content: Financial Information        | Prompt contains financial numbers or confidential business data.                                  |
+| Intent: PII                           | Prompt requests specific personal information about individuals.                                  |
+| Intent: Code Abuse and Malicious Code | Prompt requests malicious code for attacks, exploits, or harmful activities.                      |
+| Intent: Jailbreak                     | Prompt attempts to circumvent AI security policies.                                               |
+
+Each detection entry is categorized as either Content or Intent. Content focuses on the specific text or data the user provides the generative AI tool. It is the information the AI needs to process and analyze to generate a response. Intent focuses on the user's goal or objective for the AI's response. It dictates the type of output the user wants to receive. This category is particularly useful for customers who are using SaaS connectors or MCPs that provide the AI application access to internal data sources that contain sensitive information.
+
+To use an AI prompt topic, configure the corresponding [predefined DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#ai-prompt) or add it as an existing entry to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile). AI prompt protection is available for ChatGPT, Google Gemini, Perplexity, and Claude.

src/content/docs/cloudflare-one/policies/data-loss-prevention/detection-entries.mdx

@@ -9,6 +9,18 @@ import { Render } from "~/components";
 
 Cloudflare Zero Trust provides predefined DLP profiles for common types of sensitive data. Some profiles include built-in validation checks to increase detection granularity. Additionally, you can configure [advanced settings](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/) for predefined profiles.
 
+## AI Prompt
+
+DLP provides AI prompt protection with the following predefined profiles:
+
+- AI Prompt: AI Security
+- AI Prompt: Customer
+- AI Prompt: Financial Information
+- AI Prompt: PII
+- AI Prompt: Technical
+
+For more information on included detection entries, refer to [AI prompt topics](/cloudflare-one/policies/data-loss-prevention/detection-entries/#ai-prompt-topics).
+
 ## Credentials and Secrets
 
 The following secrets are validated with regex.

src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx

@@ -10,7 +10,7 @@ import { Render } from "~/components";
 
 [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our comprehensive Secure Web Gateway, allows you to set up policies to inspect DNS, network, HTTP, and egress traffic.
 
-You can apply network and HTTP Gateway policies alongside [Magic Firewall](/magic-firewall/) policies (for L3/4 traffic filtering) to Internet-bound traffic or private traffic entering the Cloudflare network via Magic WAN.
+You can apply network and HTTP Gateway policies alongside [Magic Firewall](/magic-firewall/) policies (for L3/4 traffic filtering) to Internet-bound traffic or private traffic entering the Cloudflare network via Magic WAN. Additionally, you can configure Gateway to [resolve DNS queries](#dns-filtering) from Magic WAN.
 
 ## HTTPS filtering
 
@@ -32,6 +32,28 @@ If your organization onboards users to Magic WAN via an [on-ramp other than WARP
 | --------- | -------- | ---------------- | -------------- |
 | Source IP | in       | `203.0.113.0/24` | Do Not Inspect |
 
+## DNS filtering
+
+You can configure the DNS resolver for your Magic WAN networks to the shared IP addresses for the Gateway DNS resolver. The Gateway DNS resolver IPs are `172.64.36.1` and `172.64.36.2`. When you resolve DNS queries from Magic WAN through Gateway, Gateway will log the queries with the private source IP. You can use the private source IP to create [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) for queries intended for [internal DNS records](/cloudflare-one/policies/gateway/resolver-policies/#internal-dns).
+
+```mermaid
+flowchart LR
+ subgraph subGraph0["Data center"]
+    direction TB
+        InternalDNS(["Internal DNS"])
+        ResolverPolicies["Resolver policies"]
+        CloudflareGatewayDNSResolver["Gateway DNS resolver"]
+  end
+    ResolverPolicies -- Retain and use</br>Source Internal IP --> InternalDNS
+    CloudflareGatewayDNSResolver -- <br> --> ResolverPolicies
+    WarpConnector["WARP Connector"] -- DHCP/DNS resolver --> IPSecTunnel["IPsec tunnel"]
+    MagicWAN["Magic WAN"] -- DHCP/DNS resolver --> IPSecTunnel
+    IPSecTunnel -- Shared IP endpoints --> CloudflareGatewayDNSResolver
+    ResolverPolicies@{ shape: proc}
+    WarpConnector@{ shape: in-out}
+    MagicWAN@{ shape: in-out}
+```
+
 ## Outbound Internet traffic
 
 By default, the following traffic routed through Magic WAN tunnels and destined to public IP addresses is proxied/filtered through Cloudflare Gateway:
@@ -50,6 +72,7 @@ By default, TCP, UDP, and ICMP traffic routed through Magic WAN tunnels and dest
 Contact your account team to enable Gateway filtering for traffic destined to routes behind Magic WAN tunnels.
 
 If enabled, by default TCP/UDP traffic meeting **all** the following criteria will be proxied/filtered by Cloudflare Gateway:
+
 - Both source and destination IPs are part of either [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918) space, [WARP](/cloudflare-one/connections/connect-devices/warp/), [BYO](/byoip/) or [Leased IPs](/magic-transit/cloudflare-ips/)
 - Source port must be a client port strictly higher than `1023`
 - Destination port is a well-known port lower than `1024`

src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx

@@ -43,4 +43,9 @@ export default {
 			},
 		};
 	},
+	// @ts-expect-error Will be fixed with the next release of @docsearch/js
+	keyboardShortcuts: {
+		"Ctrl/Cmd+K": true,
+		"/": false,
+	},
 } satisfies DocSearchClientOptions;

src/plugins/docsearch/index.ts

@@ -0,0 +1,31 @@
+export const openGlobalSearch = (searchTerm?: string) => {
+	// Try multiple selectors for DocSearch
+	const docSearchButton =
+		(document.querySelector("#docsearch button") as HTMLButtonElement) ||
+		(document.querySelector(".DocSearch-Button") as HTMLButtonElement) ||
+		(document.querySelector("[data-docsearch-button]") as HTMLButtonElement);
+
+	if (docSearchButton) {
+		// Click the DocSearch button to open the modal
+		docSearchButton.click();
+
+		if (searchTerm) {
+			// Wait for modal to open and set the search term
+			setTimeout(() => {
+				const searchInput =
+					(document.querySelector(".DocSearch-Input") as HTMLInputElement) ||
+					(document.querySelector("#docsearch-input") as HTMLInputElement) ||
+					(document.querySelector(
+						"[data-docsearch-input]",
+					) as HTMLInputElement);
+
+				if (searchInput) {
+					searchInput.value = searchTerm;
+					searchInput.focus();
+					// Trigger search
+					searchInput.dispatchEvent(new Event("input", { bubbles: true }));
+				}
+			}, 100);
+		}
+	}
+};