Merge branch 'production' into cicku-patch-20

Author: cicku

.github/CODEOWNERS

@@ -21,20 +21,20 @@
 # AI
 
 /src/content/docs/agents/ @irvinebroque @rita3ko @elithrar @thomasgauvin @threepointone @cloudflare/pcx-technical-writing
-/src/content/docs/ai-gateway/ @kathayl @G4brym @mchenco @daisyfaithauma @cloudflare/pcx-technical-writing
+/src/content/docs/ai-gateway/ @kathayl @mchenco @daisyfaithauma @cloudflare/pcx-technical-writing
 /src/content/docs/workers-ai/ @rita3ko @craigsdennis @markdembo @mchenco @daisyfaithauma @cloudflare/pcx-technical-writing
 /src/content/docs/vectorize/ @elithrar @vy-ton @sejoker @mchenco @cloudflare/pcx-technical-writing
 /src/content/partials/vectorize/ @elithrar @mchenco @sejoker @cloudflare/pcx-technical-writing
-/src/content/release-notes/workers-ai.yaml @kathayl @G4brym @mchenco @daisyfaithauma @cloudflare/pcx-technical-writing
-/src/content/release-notes/ai-gateway.yaml @kathayl @G4brym @mchenco @daisyfaithauma @cloudflare/pcx-technical-writing
+/src/content/release-notes/workers-ai.yaml @kathayl @mchenco @daisyfaithauma @cloudflare/pcx-technical-writing
+/src/content/release-notes/ai-gateway.yaml @kathayl @mchenco @daisyfaithauma @cloudflare/pcx-technical-writing
 /src/content/release-notes/vectorize.yaml @elithrar @mchenco @sejoker @cloudflare/pcx-technical-writing
 /src/content/docs/autorag/ @rita3ko @irvinebroque @aninibread @ToriLindsay @cloudflare/pcx-technical-writing
 
 # Analytics & Logs
 
-/src/content/docs/analytics/ @46bit @jherre @jimhawkridge @soheiokamoto @victor-perov @angelampcosta @cloudflare/pcx-technical-writing
+/src/content/docs/analytics/ @jimhawkridge @soheiokamoto @angelampcosta @cloudflare/pcx-technical-writing
 /src/content/docs/data-localization/ @soheiokamoto @angelampcosta @cloudflare/pcx-technical-writing
-/src/content/docs/logs/ @jherre @soheiokamoto @victor-perov @angelampcosta @cloudflare/pcx-technical-writing
+/src/content/docs/logs/ @soheiokamoto @angelampcosta @cloudflare/pcx-technical-writing
 
 # API & Zones
 
@@ -45,12 +45,12 @@
 
 # Browser Rendering API
 
-/src/content/docs/browser-rendering/ @mchenco @cloudflare/pcx-technical-writing @celso @meddulla @danielgek @kathayl
+/src/content/docs/browser-rendering/ @mchenco @cloudflare/pcx-technical-writing @celso @danielgek @kathayl
 
 # Changelogs
 
-/src/content/changelog/ @cloudflare/pm-changelogs
-/src/assets/images/changelog/ @cloudflare/pm-changelogs
+/src/content/changelog/ @cloudflare/pm-changelogs @cloudflare/pcx-cloudflare-one
+/src/assets/images/changelog/ @cloudflare/pm-changelogs @cloudflare/pcx-cloudflare-one
 /src/assets/images/ @cloudflare/pm-changelogs @cloudflare/pcx-technical-writing
 
 # Cloudflare One
@@ -114,8 +114,8 @@
 /src/content/release-notes/kv.yaml @elithrar @thomasgauvin @rts-rob @oxyjun @cloudflare/pcx-technical-writing
 /src/content/partials/kv/ @elithrar @thomasgauvin @rts-rob @oxyjun @cloudflare/pcx-technical-writing
 /src/content/docs/pub-sub/ @elithrar @dcpena @cloudflare/pcx-technical-writing
-/src/content/docs/queues/ @elithrar @toddmantell @maheshwarip @harshil1712 @cloudflare/pcx-technical-writing
-/src/content/release-notes/queues.yaml @elithrar @toddmantell @maheshwarip @cloudflare/pcx-technical-writing
+/src/content/docs/queues/ @elithrar @maheshwarip @harshil1712 @cloudflare/pcx-technical-writing
+/src/content/release-notes/queues.yaml @elithrar @maheshwarip @cloudflare/pcx-technical-writing
 /src/content/docs/r2/ @oxyjun @elithrar @jonesphillip @harshil1712 @cloudflare/workers-docs @cloudflare/pcx-technical-writing
 /src/content/release-notes/r2.yaml @oxyjun @elithrar @cloudflare/workers-docs @cloudflare/pcx-technical-writing
 /src/content/docs/stream/ @tsmith512 @dcpena @cloudflare/pcx-technical-writing @renandincer @third774
@@ -136,21 +136,21 @@
 /src/content/docs/workers/reference/migrate-to-module-workers.mdx @irvinebroque @GregBrimble @ToriLindsay @cloudflare/deploy-config @cloudflare/pcx-technical-writing
 /src/content/docs/workers/reference/security-model.mdx @irvinebroque @GregBrimble @ToriLindsay @cloudflare/pcx-technical-writing
 /src/content/compatibility-flags/ @irvinebroque @mikenomitch @GregBrimble @cloudflare/pcx-technical-writing
-/src/content/docs/workers/wrangler/ @cloudflare/wrangler @cloudflare/wrangler-friends @irvinebroque @ToriLindsay @cloudflare/pcx-technical-writing
+/src/content/docs/workers/wrangler/ @cloudflare/wrangler @irvinebroque @ToriLindsay @cloudflare/pcx-technical-writing
 /src/content/docs/workers/frameworks/ @igorminar @cloudflare/wrangler @aninibread @GregBrimble @ToriLindsay @cloudflare/pcx-technical-writing
 /src/content/docs/pages/framework-guides/ @igorminar @cloudflare/wrangler @aninibread @GregBrimble @ToriLindsay @cloudflare/pcx-technical-writing
 /src/content/docs/analytics/analytics-engine/ @irvinebroque @elithrar @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-for-platforms/workers-for-platforms/ @irvinebroque @angelampcosta @GregBrimble @cloudflare/deploy-config @cloudflare/pcx-technical-writing
 /src/content/docs/workers/observability/ @irvinebroque @mikenomitch @rohinlohe @ToriLindsay @cloudflare/pcx-technical-writing
 /src/content/docs/workers/static-assets @irvinebroque @GregBrimble @WalshyDev @ToriLindsay @cloudflare/deploy-config @cloudflare/pcx-technical-writing
-/src/content/docs/workflows/ @elithrar @celso @sidharthachatterjee @cloudflare/pcx-technical-writing
+/src/content/docs/workflows/ @elithrar @celso @cloudflare/pcx-technical-writing
 
 # DDoS Protection
 
 /src/content/docs/ddos-protection/ @patriciasantaana @cloudflare/pcx-technical-writing
-/src/content/docs/ddos-protection/change-log/ @antoinecordelle @patriciasantaana @cloudflare/pcx-technical-writing
-/src/content/release-notes/ddos-http.yaml @antoinecordelle @patriciasantaana @cloudflare/pcx-technical-writing
-/src/content/release-notes/ddos-network.yaml @antoinecordelle @patriciasantaana @cloudflare/pcx-technical-writing
+/src/content/docs/ddos-protection/change-log/ @patriciasantaana @cloudflare/pcx-technical-writing
+/src/content/release-notes/ddos-http.yaml @patriciasantaana @cloudflare/pcx-technical-writing
+/src/content/release-notes/ddos-network.yaml @patriciasantaana @cloudflare/pcx-technical-writing
 
 # Docs team areas
 
@@ -160,7 +160,7 @@
 # Magic products
 
 /src/content/docs/magic-transit/ @marciocloudflare @cloudflare/pcx-technical-writing
-/src/content/docs/magic-firewall/ @arges @Maddy-Cloudflare @cloudflare/pcx-technical-writing
+/src/content/docs/magic-firewall/ @Maddy-Cloudflare @cloudflare/pcx-technical-writing
 /src/content/docs/magic-network-monitoring/ @marciocloudflare @cloudflare/pcx-technical-writing
 /src/content/docs/magic-wan/ @marciocloudflare @cloudflare/pcx-technical-writing
 /src/content/docs/magic-cloud-networking/ @marciocloudflare @cloudflare/pcx-technical-writing
@@ -183,13 +183,13 @@
 
 # Privacy
 
-/src/content/docs/key-transparency/ @cloudflare/privacy @cloudflare/pcx-technical-writing
-/src/content/docs/privacy-gateway/ @cloudflare/privacy @cloudflare/pcx-technical-writing
+/src/content/docs/key-transparency/ @cloudflare/pcx-technical-writing
+/src/content/docs/privacy-gateway/ @cloudflare/pcx-technical-writing
 
 # Radar
 
-/src/content/docs/radar/ @meddulla @G4brym @tiagoad @andre-j3sus @cloudflare/pcx-technical-writing
-/src/content/release-notes/radar.yaml @meddulla @G4brym @tiagoad @andre-j3sus @cloudflare/pcx-technical-writing
+/src/content/docs/radar/ @tiagoad @andre-j3sus @cloudflare/pcx-technical-writing
+/src/content/release-notes/radar.yaml @tiagoad @andre-j3sus @cloudflare/pcx-technical-writing
 
 # Reference architecture
 
@@ -212,8 +212,8 @@
 
 # Support
 
-/src/content/docs/support/ @shanecloudflare @zeinjaber @TracyCloudflare @ngayerie @cloudflare/pcx-technical-writing @cloudflare/customer-support
-/src/assets/images/support/ @shanecloudflare @zeinjaber @TracyCloudflare @ngayerie @cloudflare/pcx-technical-writing @cloudflare/customer-support
+/src/content/docs/support/ @zeinjaber @TracyCloudflare @ngayerie @cloudflare/pcx-technical-writing @cloudflare/customer-support
+/src/assets/images/support/ @zeinjaber @TracyCloudflare @ngayerie @cloudflare/pcx-technical-writing @cloudflare/customer-support
 
 # Turnstile
 

.hyperlint/.vale.ini

@@ -1,4 +1,4 @@
-StylesPath = ./automations/styles
+StylesPath = automations/styles
 MinAlertLevel = suggestion
 IgnoredScopes = code, tt, img
 SkippedScopes = script, style, pre, figure, code
@@ -17,4 +17,4 @@ Vale.Spelling = NO
 
 [*.yaml]
 BasedOnStyles = Vale, cloudflare, cloudflare-automation
-Vale.Spelling = NO
+Vale.Spelling = NO

public/__redirects

@@ -1751,6 +1751,7 @@
 /cloudflare-one/connections/connect-networks/install-and-setup/tunnel-permissions/ /cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions/ 301
 /cloudflare-one/connections/connect-networks/install-and-setup/ports-and-ips/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/ 301
 /cloudflare-one/connections/connect-networks/install-and-setup/tunnel-useful-terms/ /cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/ 301
+/cloudflare-one/connections/connect-networks/install-and-setup/installation/ /cloudflare-one/connections/connect-networks/downloads/update-cloudflared/ 301
 /cloudflare-one/connections/connect-networks/do-more-with-tunnels/secure-server/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/ 301
 /cloudflare-one/connections/connect-networks/do-more-with-tunnels/grafana/ /cloudflare-one/connections/connect-networks/monitor-tunnels/grafana/ 301
 /cloudflare-one/connections/connect-networks/downloads/system-requirements/ /cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/ 301

src/assets/images/changelog/api-shield/endpoint-management-label.png

@@ -6,6 +6,6 @@ date: 2025-04-09T6:00:00Z
 
 [Cloudflare Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim) now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The [SCIM logs](/cloudflare-one/insights/logs/scim-logs/) support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions.
 
-SCIM logs can be found on the Zero Trust Dashboard under Logs -> SCIM provisioning
+SCIM logs can be found on the Zero Trust Dashboard under **Logs** -> **SCIM provisioning**.
 
-![Example SCIM Logs](~/assets/images/changelog/access/example-scim-log.png)
+![Example SCIM Logs](~/assets/images/changelog/access/example-scim-log.png)

src/assets/images/changelog/api-shield/posture-management-insight.png

@@ -43,7 +43,7 @@ We've added a number of big new features to the Agents SDK over the past few wee
 
 - You can now set `cors: true` when using `routeAgentRequest` to return permissive default CORS headers to Agent responses.
 - The regular client now syncs state on the agent (just like the React version).
-- `useAgentChat` bug fixes for passing headers/credentials, includng properly clearing cache on unmount.
+- `useAgentChat` bug fixes for passing headers/credentials, including properly clearing cache on unmount.
 - Experimental `/schedule` module with a prompt/schema for adding scheduling to your app (with evals!).
 - Changed the internal `zod` schema to be compatible with the limitations of Google's Gemini models by removing the discriminated union, allowing you to use Gemini models with the scheduling API.
 

src/content/changelog/access/2025-04-09-SCIM-provisioning-logs.mdx

@@ -0,0 +1,34 @@
+---
+title: New API Posture Management for API Shield
+description: Monitor for API-specific threats and risks with Posture Management for API Shield
+date: 2025-03-18T11:00:00Z
+---
+
+Now, API Shield **automatically** labels your API inventory with API-specific risks so that you can track and manage risks to your APIs.
+
+View these risks in [Endpoint Management](/api-shield/management-and-monitoring/) by label:
+
+![A list of endpoint management labels](~/assets/images/changelog/api-shield/endpoint-management-label.png)
+
+ ...or in [Security Center Insights](/security-center/security-insights/):
+
+![An example security center insight](~/assets/images/changelog/api-shield/posture-management-insight.png)
+ 
+API Shield will scan for risks on your API inventory daily. Here are the new risks we're scanning for and automatically labelling:
+
+- **cf-risk-sensitive**: applied if the customer is subscribed to the [sensitive data detection ruleset](/waf/managed-rules/reference/sensitive-data-detection/) and the WAF detects sensitive data returned on an endpoint in the last seven days.
+- **cf-risk-missing-auth**: applied if the customer has configured a session ID and no successful requests to the endpoint contain the session ID. 
+- **cf-risk-mixed-auth**: applied if the customer has configured a session ID and some successful requests to the endpoint contain the session ID while some lack the session ID.
+- **cf-risk-missing-schema**: added when a learned schema is available for an endpoint that has no active schema.
+- **cf-risk-error-anomaly**: added when an endpoint experiences a recent increase in response errors over the last 24 hours.
+- **cf-risk-latency-anomaly**: added when an endpoint experiences a recent increase in response latency over the last 24 hours.
+- **cf-risk-size-anomaly**: added when an endpoint experiences a spike in response body size over the last 24 hours.
+
+In addition, API Shield has two new 'beta' scans for **Broken Object Level Authorization (BOLA) attacks**. If you're in the beta, you will see the following two labels when API Shield suspects an endpoint is suffering from a BOLA vulnerability:
+ 
+ - **cf-risk-bola-enumeration**: added when an endpoint experiences successful responses with drastic differences in the number of unique elements requested by different user sessions.
+ - **cf-risk-bola-pollution**: added when an endpoint experiences successful responses where parameters are found in multiple places in the request.
+
+We are currently accepting more customers into our beta. Contact your account team if you are interested in BOLA attack detection for your API.
+
+Refer to the [blog post](https://blog.cloudflare.com/cloudflare-security-posture-management/) for more information about Cloudflare's expanded posture management capabilities.

src/content/changelog/agents/2025-03-18-npm-i-agents.mdx

@@ -7,7 +7,7 @@ products:
 date: 2025-04-07T6:00:00Z
 ---
 
-[AutoRAG](/autorag) is now in open beta, making it easy for you to build fully-managed retrieval-augmented generation (RAG) pipelines without managing infrasturcture. Just upload your docs to [R2](/r2/get-started/), and AutoRAG handles the rest: embeddings, indexing, retrieval, and response generation via API.
+[AutoRAG](/autorag) is now in open beta, making it easy for you to build fully-managed retrieval-augmented generation (RAG) pipelines without managing infrastructure. Just upload your docs to [R2](/r2/get-started/), and AutoRAG handles the rest: embeddings, indexing, retrieval, and response generation via API.
 
 ![AutoRAG open beta demo](~/assets/images/changelog/autorag/autorag-open-beta.gif)
 

src/content/changelog/api-shield/2025-03-18-api-posture-management.mdx

@@ -12,7 +12,7 @@ This makes it easier to request multiple KV pairs within a single Worker invocat
 ```js
 // Read single key
 const key = "key-a";
-const value = await env.NAMESPACE.get(keys);
+const value = await env.NAMESPACE.get(key);
 
 // Read multiple keys
 const keys = ["key-a", "key-b", "key-c", ...] // up to 100 keys