Merge branch 'cloudflare:production' into production

Author: Thienlta

public/__redirects

@@ -1628,6 +1628,7 @@
 /turnstile/troubleshooting/troubleshooting-faqs/ /turnstile/frequently-asked-questions/#troubleshooting 301
 /turnstile/tutorials/protecting-your-payment-form-from-attackers-bots-using-turnstile/ /developer-spotlight/ 301
 /turnstile/frequently-asked-questions/ /turnstile/ 301
+/turnstile/tutorials/implicit-vs-explicit-rendering/ /turnstile/get-started/client-side-rendering/ 301
 
 # waf
 /waf/about/ /waf/concepts/ 301

src/components/ExtraFlagDetails.astro

@@ -0,0 +1,14 @@
+---
+import { z } from "astro:schema";
+
+const props = z.object({
+	key: z.string(),
+	mode: z.enum(["append", "replace"]).default("append"),
+});
+
+const { key, mode } = props.parse(Astro.props);
+---
+
+<div data-extra-flag-key={key} data-extra-flag-mode={mode}>
+	<slot />
+</div>

src/components/WranglerArg.astro

@@ -8,9 +8,13 @@ import MetaInfo from "./MetaInfo.astro";
 const props = z.object({
 	key: z.string(),
 	definition: z.custom<any>(),
+	extraDetails: z.object({
+		content: z.string(),
+		mode: z.enum(["append", "replace"])
+	}).optional(),
 });
 
-const { key, definition } = props.parse(Astro.props);
+const { key, definition, extraDetails } = props.parse(Astro.props);
 
 const type = definition.type ?? definition.choices;
 const description = definition.description ?? definition.describe;
@@ -46,5 +50,12 @@ if (alias) {
 	{aliasText && <MetaInfo text={aliasText} />}
 	{required && <MetaInfo text="required" />}
 	{defaultValue !== undefined && <MetaInfo text={`default: ${defaultValue}`} />}
-	<Fragment set:html={marked.parse(sanitizedDescription)} />
+	{extraDetails?.mode === "replace" ? (
+		<Fragment set:html={marked.parse(extraDetails.content)} />
+	) : (
+		<>
+			<Fragment set:html={marked.parse(sanitizedDescription)} />
+			{extraDetails && <Fragment set:html={marked.parse(extraDetails.content)} />}
+		</>
+	)}
 </li>

src/components/WranglerCommand.astro

@@ -6,6 +6,7 @@ import WranglerArg from "./WranglerArg.astro";
 import Details from "./Details.astro";
 import { marked } from "marked";
 import { commands, getCommand } from "~/util/wrangler";
+import { parse } from "node-html-parser";
 
 const props = z.object({
 	command: z.string(),
@@ -19,6 +20,19 @@ const definition = getCommand(command);
 
 description ??= definition.metadata.description;
 
+// some commands are present but marked as "hidden" and shouldn't be shown
+let hidden = false;
+
+if (definition.metadata.hidden) {
+	hidden = true;
+}
+
+if (hidden) {
+	throw new Error(
+		`[WranglerCommand] "${command}" is marked as hidden. If you want to publish, fix upstream in workers-sdk repo.`
+	);
+}
+
 if (!definition.args) {
 	console.warn(`[WranglerCommand] "${command}" has no arguments`);
 }
@@ -30,6 +44,27 @@ const positionals = definition.positionalArgs
 	.join(" ");
 
 const positionalSet = new Set(definition.positionalArgs);
+
+// Extract ExtraFlagDetails from slot
+const slotContent = await Astro.slots.render("default");
+const extraFlagDetailsMap = new Map<string, { content: string; mode: "append" | "replace" }>();
+
+if (slotContent) {
+	const html = parse(slotContent);
+	const extraFlagElements = html.querySelectorAll("div[data-extra-flag-key]");
+
+	for (const element of extraFlagElements) {
+		const key = element.getAttribute("data-extra-flag-key");
+		const mode = element.getAttribute("data-extra-flag-mode") || "append";
+
+		if (key) {
+			extraFlagDetailsMap.set(key, {
+				content: element.innerHTML.trim(),
+				mode: mode as "append" | "replace"
+			});
+		}
+	}
+}
 ---
 
 <AnchorHeading depth={headingLevel} title={`\`${command}\``} />
@@ -53,6 +88,7 @@ const positionalSet = new Set(definition.positionalArgs);
 						<WranglerArg
 							key={key}
 							definition={{ ...value, positional: positionalSet.has(key) }}
+							extraDetails={extraFlagDetailsMap.get(key)}
 						/>
 					);
 				})}

src/components/WranglerNamespace.astro

@@ -5,7 +5,7 @@ import WranglerCommand from "./WranglerCommand.astro";
 
 const props = z.object({
 	namespace: z.string(),
-	headingLevel: z.number().default(2)
+	headingLevel: z.number().default(2),
 });
 
 const { namespace, headingLevel } = props.parse(Astro.props);
@@ -22,6 +22,10 @@ const definitions: NonNullable<(typeof node)["definition"]>[] = [];
 
 function flattenSubtree(node: (typeof registry)["subtree"]) {
 	for (const value of node.values()) {
+		// skip commands marked as hidden
+		if (value.definition?.metadata?.hidden) {
+			continue;
+		}
 		if (value.definition?.type === "command") {
 			definitions.push(value.definition);
 		} else {
@@ -37,11 +41,14 @@ flattenSubtree(node.subtree);
 	definitions.map((definition) => {
 		if (definition.type !== "command") {
 			throw new Error(
-				`[WranglerNamespace] Expected "command" but got "${definition.type}" for "${definition.command}"`,
+				`[WranglerNamespace] Expected "command" but got "${definition.type}" for "${definition.command}"`
 			);
 		}
 		return (
-			<WranglerCommand command={definition.command.replace("wrangler ", "")} headingLevel={headingLevel} />
+			<WranglerCommand
+				command={definition.command.replace("wrangler ", "")}
+				headingLevel={headingLevel}
+			/>
 		);
 	})
 }

src/components/index.ts

@@ -20,6 +20,7 @@ export { default as Details } from "./Details.astro";
 export { default as DirectoryListing } from "./DirectoryListing.astro";
 export { default as Example } from "./Example.astro";
 export { default as ExternalResources } from "./ExternalResources.astro";
+export { default as ExtraFlagDetails } from "./ExtraFlagDetails.astro";
 export { default as Feature } from "./Feature.astro";
 export { default as FeatureTable } from "./FeatureTable.astro";
 export { default as Flex } from "./Flex.astro";

src/content/changelog/casb/2025-11-14-casb-digest.mdx

@@ -0,0 +1,26 @@
+---
+title: New SaaS Security weekly digests with API CASB
+description: Cloudflare CASB now offers a weekly email digest, summarizing your organization's latest SaaS security findings, integration health, and content exposures.
+products:
+  - casb
+date: 2025-11-14
+---
+
+You can now stay on top of your SaaS security posture with the new **CASB Weekly Digest** notification. This opt-in email digest is delivered to your inbox every Monday morning and provides a high-level summary of your organization's Cloudflare API CASB findings from the previous week.
+
+This allows security teams and IT administrators to get proactive, at-a-glance visibility into new risks and integration health without having to log in to the dashboard.
+
+To opt in, navigate to **Manage Account** > **Notifications** in the Cloudflare dashboard to configure the **CASB Weekly Digest** alert type.
+
+### Key capabilities
+
+- **At-a-glance summary** — Review new high/critical findings, most frequent finding types, and new content exposures from the past 7 days.
+- **Integration health** — Instantly see the status of all your connected SaaS integrations (Healthy, Unhealthy, or Paused) to spot API connection issues.
+- **Proactive alerting** — The digest is sent automatically to all subscribed users every Monday morning.
+- **Easy to configure** — Users can opt in by enabling the notification in the Cloudflare dashboard under **Manage Account** > **Notifications**.
+
+### Learn more
+
+- Configure [notification preferences](/notifications/) in Cloudflare.
+
+The CASB Weekly Digest notification is available to all Cloudflare users today.

src/content/docs/ai-crawl-control/index.mdx

@@ -19,6 +19,7 @@ import {
 	LinkButton,
 	RelatedProduct,
 	Card,
+  Stream
 } from "~/components";
 
 <Plan type="all" />
@@ -27,6 +28,12 @@ import {
 
 Monitor and control how AI services access your website content.
 
+<Stream
+  id="c2f3d8aada64a53e6cc118e5af834601"
+  title="Introduction to AI Crawl Control"
+  thumbnail="1m37s"
+/>
+
 </Description>
 
 AI companies use web content to train their models and power AI applications. AI Crawl Control (formerly AI Audit) gives you visibility into which AI services are accessing your content, and provides tools to manage access according to your preferences.

src/content/docs/ai-gateway/tutorials/deploy-aig-worker.mdx

@@ -89,7 +89,7 @@ export default {
 };
 ```
 
-To make this work, you need to use [`wrangler secret put`](/workers/wrangler/commands/#put) to set your `OPENAI_API_KEY`. This will save the API key to your environment so your Worker can access it when deployed. This key is the API key you created earlier in the OpenAI dashboard:
+To make this work, you need to use [`wrangler secret put`](/workers/wrangler/commands/#secret-put) to set your `OPENAI_API_KEY`. This will save the API key to your environment so your Worker can access it when deployed. This key is the API key you created earlier in the OpenAI dashboard:
 
 <PackageManagers type="exec" pkg="wrangler" args="secret put OPENAI_API_KEY" />
 

src/content/docs/api-shield/security/schema-validation/index.mdx

@@ -18,6 +18,8 @@ Cloudflare has launched Schema validation 2.0. For help configuring the previous
 
 You can migrate to Schema validation 2.0 manually by uploading your schemas to the new system.
 
+---
+
 ## Process
 
 <GlossaryTooltip term="API endpoint">Endpoints</GlossaryTooltip> must be added to [Endpoint Management](/api-shield/management-and-monitoring/endpoint-management/) for Schema validation to protect them. Uploading a schema via the Cloudflare dashboard will automatically add endpoints, or you can manually add them from [API Discovery](/api-shield/security/api-discovery/).
@@ -31,6 +33,8 @@ If you are uploading a schema via the API or Terraform, you must parse the schem
 To view the contents in your learned schema, refer to [Export a schema](/api-shield/management-and-monitoring/endpoint-management/schema-learning/#export-a-schema) in Endpoint Management.
 :::
 
+---
+
 ### Add validation by uploading a schema
 
 <Tabs syncKey="dashNewNav">
@@ -230,7 +234,6 @@ To change the default action:
    </TabItem>
 </Tabs>
 
-
 ### Change the action of a single endpoint
 
 You can change individual endpoint actions separately from the default action in Schema validation.
@@ -348,12 +351,16 @@ To delete currently uploaded or learned schemas:
    </TabItem>
 </Tabs>
 
+---
+
 ## Specifications
 
 Cloudflare currently only accepts [OpenAPI v3 schemas](https://spec.openapis.org/oas/v3.0.3.html). The accepted file formats are YAML (`.yml` or `.yaml` file extension) and JSON (`.json` file extension).
 
 OpenAPI schemas generated by different tooling may not be specific enough to import to Schema validation. We recommend using a third-party tool such as [Swagger Editor](https://swagger.io/tools/swagger-editor/) to ensure that schemas are compliant to the OpenAPI specification.
 
+---
+
 ## Limitations
 
 Cloudflare API Shield's Schema validation (importing) and [Schema learning](/api-shield/management-and-monitoring/endpoint-management/schema-learning/) (exporting) capabilities rely on the [OpenAPI Specification (OAS) v3.0](https://spec.openapis.org/oas/v3.0.3).
@@ -452,6 +459,8 @@ Refer to the information below for more details on Schema validation's current s
 - [`uniqueItems`](https://spec.openapis.org/oas/v3.0.3#schema-object)
    - This field is currently not validated by Schema validation.
 
+---
+
 ## Body inspection
 
 API Shield has the ability to identify body specifications contained in uploaded schemas and validate that the data of incoming API requests adheres to them.
@@ -478,6 +487,25 @@ Cloudflare allows specifying the following media-ranges in the OpenAPI request b
 
 Media-ranges can also be configured to enforce a `charset` parameter. For this, Cloudflare only accepts the `charset` parameter with a static value of `utf-8` as part of the media-range specification and when configured, we will similarly require the request's content-type to carry this charset.
 
+---
+
+## Troubleshooting
+
+This section addresses common issues you may encounter when using schema validation.
+
+### `OneOf` constraint error schema violation in the Security Events
+
+A `OneOf` constraint error means an API request failed schema validation because its body did not match exactly one of the options defined in a [`oneOf`](https://swagger.io/docs/specification/v3_0/data-models/oneof-anyof-allof-not/) list within your uploaded schema.
+
+The request was invalid for one of two reasons:
+
+- **Matches Zero**: The payload did not correctly match any of the available subschemas. This is common when a discriminator field is set, but the payload is missing other required fields for that type.
+- **Matches Multiple**: The payload was ambiguous and matched more than one subschema. This happens with generic schemas (for example, if a payload includes both an `email` and a `phone` field, it might match both an `email` and a `phone` schema definition, violating the "exactly one" rule).
+
+To fix this, check the failing request body against the API schema definition. It will either be missing required fields for the intended type or include properties from multiple different, conflicting types that make it ambiguous.
+
+---
+
 ## Availability
 
 Schema validation is available for all customers. Refer to [Plans](/api-shield/plans/) for more information based on your plan type.