Merge branch 'production' into unused-component

Author: kodster28

public/__redirects

@@ -38,6 +38,13 @@
 /waf/change-log/index.xml /changelog/rss/waf.xml 301
 /waf/change-log/general-updates/index.xml /changelog/rss/waf.xml 301
 
+## area changelog feeds
+
+/fundamentals/reference/changelog/performance/index.xml /changelog/rss/application-performance.xml 301
+/fundamentals/reference/changelog/platform/index.xml /changelog/rss/core-platform.xml 301
+/fundamentals/reference/changelog/security/index.xml /changelog/rss/application-security.xml 301
+/workers/platform/changelog/platform/index.xml /changelog/rss/developer-platform.xml 301
+
 ## legacy
 /release-notes/index.xml /changelog/rss/index.xml 301
 /release-notes/ /changelog/ 301
@@ -1241,6 +1248,8 @@
 /security-center/indicator-feeds/get-started/ /security-center/indicator-feeds/ 301
 
 # spectrum
+/spectrum/changelog/ /spectrum/ 301
+/spectrum/changelog/index.xml /changelog/rss/index.xml 301
 /spectrum/getting-started/ /spectrum/get-started/ 301
 /spectrum/getting-started/byoip/ /spectrum/about/byoip/ 301
 /spectrum/getting-started/getting-started/ /spectrum/get-started/ 301
@@ -1514,6 +1523,10 @@
 # time-services_redirects
 /time-services/nts/usage/ /time-services/nts/ 301
 
+# tenant
+/tenant/changelog/ /tenant/ 301
+/tenant/changelog/index.xml /changelog/rss/index.xml 301
+
 # turnstile
 /turnstile/get-started/domain-management/ /turnstile/reference/domain-management/ 301
 /turnstile/get-started/migrating-from-recaptcha/ /turnstile/migration/recaptcha/ 301
@@ -1608,6 +1621,8 @@
 
 # waiting-room
 /waiting-room/how-to/mobile-traffic/ /waiting-room/how-to/json-response/ 301
+/waiting-room/changelog/ /waiting-room/ 301
+/waiting-room/changelog/index.xml /changelog/rss/index.xml 301
 
 # warp-client
 /warp-client/get-started/macOS/ /warp-client/get-started/macos/ 301

src/components/ProductReleaseNotes.astro

@@ -16,11 +16,10 @@ if (!page) {
 }
 
 if (
-	!page.data.release_notes_file_name &&
-	!page.data.release_notes_product_area_name
+	!page.data.release_notes_file_name
 ) {
 	throw new Error(
-		`[ProductReleaseNotes] ${Astro.params.slug} does not have a 'release_notes_file_name' or 'changaelog_product_area_name' frontmatter property.`,
+		`[ProductReleaseNotes] ${Astro.params.slug} does not have a 'release_notes_file_name' frontmatter property.`,
 	);
 }
 
@@ -34,37 +33,22 @@ if (
 }
 
 const name =
-	page.data.release_notes_product_area_name ??
 	page.data.release_notes_file_name?.[0];
 
 let releaseNotes;
 
-if (page.data.release_notes_product_area_name) {
+if (name === "api-deprecations") {
+	const opts = {
+		deprecationsOnly: true,
+	};
+	({ releaseNotes } = await getReleaseNotes(opts));
+} else {
 	const opts = {
 		filter: (entry: CollectionEntry<"release-notes">) => {
-			return entry.data.productArea === name;
+			return entry.id === name;
 		},
 	};
 	({ releaseNotes } = await getReleaseNotes(opts));
-} else {
-	if (name === "wrangler") {
-		const opts = {
-			wranglerOnly: true,
-		};
-		({ releaseNotes } = await getReleaseNotes(opts));
-	} else if (name === "api-deprecations") {
-		const opts = {
-			deprecationsOnly: true,
-		};
-		({ releaseNotes } = await getReleaseNotes(opts));
-	} else {
-		const opts = {
-			filter: (entry: CollectionEntry<"release-notes">) => {
-				return entry.id === name;
-			},
-		};
-		({ releaseNotes } = await getReleaseNotes(opts));
-	}
 }
 
 if (!releaseNotes) {

src/content/changelog/waf/2025-08-04-waf-release.mdx

@@ -96,7 +96,7 @@ Meanwhile, the information disclosure flaw in WordPress core provides attackers
       <td>
         <RuleID id="28108d25f1cf470c8e7648938f634977" />
       </td>
-      <td>100814</td>
+      <td>100820</td>
       <td>CentOS WebPanel - Remote Code Execution - CVE:CVE-2025-48703</td>
       <td>Log</td>
       <td>Block</td>
@@ -136,4 +136,4 @@ Meanwhile, the information disclosure flaw in WordPress core provides attackers
       <td>This is a New Detection</td>
     </tr>
   </tbody>
-</table>
+</table>

src/content/changelog/waf/2025-08-07-emergency-waf-release.mdx

@@ -0,0 +1,61 @@
+---
+title: "WAF Release - 2025-08-07 - Emergency"
+description: Cloudflare WAF managed rulesets 2025-08-07 emergency release
+date: 2025-08-07
+---
+
+import { RuleID } from "~/components";
+
+This week’s highlight focuses on two critical vulnerabilities affecting key infrastructure and enterprise content management platforms. Both flaws present significant remote code execution risks that can be exploited with minimal or no user interaction.
+
+**Key Findings**
+
+- Squid (≤6.3) — CVE-2025-54574: A heap buffer overflow occurs when processing Uniform Resource Names (URNs). This vulnerability may allow remote attackers to execute arbitrary code on the server. The issue has been resolved in version 6.4.
+
+- Adobe AEM (≤6.5.23) — CVE-2025-54253: Due to a misconfiguration, attackers can achieve remote code execution without requiring any user interaction, posing a severe threat to affected deployments.
+
+**Impact**
+
+Both vulnerabilities expose critical attack vectors that can lead to full server compromise. The Squid heap buffer overflow allows remote code execution by crafting malicious URNs, which can lead to server takeover or denial of service. Given Squid’s widespread use as a caching proxy, this flaw could be exploited to disrupt network traffic or gain footholds inside secure environments.
+
+Adobe AEM’s remote code execution vulnerability enables attackers to run arbitrary code on the content management server without any user involvement. This puts sensitive content, application integrity, and the underlying infrastructure at extreme risk. Exploitation could lead to data theft, defacement, or persistent backdoor installation.
+
+These findings reinforce the urgency of updating to the patched versions — Squid 6.4 and Adobe AEM 6.5.24 or later — and reviewing configurations to prevent exploitation.
+
+<table style="width: 100%">
+  <thead>
+    <tr>
+      <th>Ruleset</th>
+      <th>Rule ID</th>
+      <th>Legacy Rule ID</th>
+      <th>Description</th>
+      <th>Previous Action</th>
+      <th>New Action</th>
+      <th>Comments</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="f61ed7c1e7e24c3380289e41ef7e015b" />
+      </td>
+      <td>100844</td>
+      <td>Adobe Experience Manager Forms - Remote Code Execution - CVE:CVE-2025-54253</td>
+      <td>N/A</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="e76e65f5a3aa43f49e0684a6baec057a" />
+      </td>
+      <td>100840</td>
+      <td>Squid - Buffer Overflow - CVE:CVE-2025-54574</td>
+      <td>N/A</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+  </tbody>
+</table>

src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx

@@ -114,7 +114,6 @@ If you deselect **Save new endpoints to endpoint management**, the endpoints wil
 
 ### Add endpoints manually
 
-
 <Tabs syncKey="dashNewNav">
   <TabItem label="Old dashboard">
     <Steps>
@@ -192,7 +191,7 @@ For each saved endpoint, customers can view:
 - **Error rate** vs. overall traffic: grouped by 4xx, 5xx, and their sum.
 - **Response size**: The average size of the response (in bytes) returned to the request.
 - **Labels**: The current [labels](/api-shield/management-and-monitoring/endpoint-labels/) assigned to the endpoint.
-- **Authentication status**: The breakdown of which [session identifiers](/api-shield/get-started/#session-identifiers) were seen on successful requests to this endpoint.
+- **[Authentication status](/api-shield/security/authentication-posture/)**: The breakdown of which [session identifiers](/api-shield/get-started/#session-identifiers) were seen on successful requests to this endpoint.
 - **Sequences**: The number of [Sequence Analytics](/api-shield/security/sequence-analytics/) sequences the endpoint was found in.
 
 :::note

src/content/docs/cloudflare-for-platforms/workers-for-platforms/configuration/static-assets.mdx

@@ -4,7 +4,7 @@ title: Static assets
 description: Host static assets on Cloudflare's global network and deliver faster load times worldwide with Workers for Platforms.
 ---
 
-import { Aside } from "@astrojs/starlight/components";
+
 
 Workers for Platforms lets you deploy front-end applications at scale. By hosting static assets on Cloudflare's global network, you can deliver faster load times worldwide and eliminate the need for external infrastructure. You can also combine these static assets with dynamic logic in Cloudflare Workers, providing a full-stack experience for your customers.
 
@@ -57,12 +57,11 @@ Before sending any file data, you need to tell Cloudflare which files you intend
 - A hash (32-hex characters) representing the file contents
 - The file size in bytes
 
-<Aside type="note" title="Asset Isolation Considerations">
+:::note[Asset Isolation Considerations]
 Static assets uploaded to Workers for Platforms are associated with the namespace rather than with individual User Worker. If multiple User Workers exist under the same namespace, assets with identical hashes may be shared across them. **JWTs should therefore only be shared with trusted platform services and should never be distributed to end-users.**
 
 If strict isolation of assets is required, we recommend either salting with a random value each time, or incorporating an end-user identifier (for example, account ID or Worker script ID) within the hashing process, to ensure uniqueness. For example, `hash = slice(sha256(accountID + fileContents), 32)`.
-
-</Aside>
+:::
 
 #### Example manifest (JSON)
 
@@ -134,9 +133,9 @@ If the response to the Upload Session API returns `buckets`, that means you have
 
 Use the [Workers Assets Upload API](/api/resources/workers/subresources/assets/subresources/upload/) to transmit the raw file bytes in base64-encoded format for any missing or changed files. Once uploaded, Cloudflare will store these files so they can then be attached to a User Worker.
 
-<Aside type="caution">
-	Asset uniqueness is determined by the provided hash and are associated globally to their namespace rather than with each specific User Worker. If an asset has already been uploaded for that namespace earlier, Cloudflare will automatically omit sending this asset hash back in the `buckets` response to save you from re-uploading the same thing twice. This means that an asset can be shared between multiple User Workers if it shares the same hash unless you **explicitly make the hash unique**. If you require full isolation between assets across User Workers, incorporate a unique identifier within your asset hashing process (either salting it with something entirely random each time, or by including the end-user account ID or their Worker name to retain per-customer re-use).
-</Aside>
+:::caution
+Asset uniqueness is determined by the provided hash and are associated globally to their namespace rather than with each specific User Worker. If an asset has already been uploaded for that namespace earlier, Cloudflare will automatically omit sending this asset hash back in the `buckets` response to save you from re-uploading the same thing twice. This means that an asset can be shared between multiple User Workers if it shares the same hash unless you **explicitly make the hash unique**. If you require full isolation between assets across User Workers, incorporate a unique identifier within your asset hashing process (either salting it with something entirely random each time, or by including the end-user account ID or their Worker name to retain per-customer re-use).
+:::
 
 #### API Request Authentication
 

src/content/docs/cloudflare-one/applications/configure-apps/index.mdx

@@ -20,4 +20,6 @@ You can protect the following types of web applications:
   - [**Public hostname applications**](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/).
   - [**Private network applications**](/cloudflare-one/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/).
 
+- [**Model Context Protocol (MCP) servers**](/cloudflare-one/applications/configure-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors.
+
 - [**Cloudflare Dashboard SSO**](/cloudflare-one/applications/configure-apps/dash-sso-apps/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.

src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/index.mdx

@@ -0,0 +1,12 @@
+---
+pcx_content_type: navigation
+title: MCP servers
+sidebar:
+  order: 3
+  group:
+    hideIndex: true
+---
+
+import { DirectoryListing } from "~/components";
+
+<DirectoryListing />