Merge branch 'production' into kian/PCX-17614

Author: KianNH

package-lock.json

@@ -36,7 +36,7 @@
 		"@astrojs/starlight-docsearch": "0.6.0",
 		"@astrojs/starlight-tailwind": "4.0.1",
 		"@cloudflare/vitest-pool-workers": "0.8.32",
-		"@cloudflare/workers-types": "4.20250522.0",
+		"@cloudflare/workers-types": "4.20250529.0",
 		"@codingheads/sticky-header": "1.0.2",
 		"@expressive-code/plugin-collapsible-sections": "0.41.2",
 		"@floating-ui/react": "0.27.8",
@@ -49,7 +49,7 @@
 		"@tailwindcss/postcss": "4.1.4",
 		"@types/hast": "3.0.4",
 		"@types/he": "1.2.3",
-		"@types/node": "22.15.19",
+		"@types/node": "22.15.29",
 		"@types/react": "19.0.7",
 		"@types/react-dom": "19.0.4",
 		"@typescript-eslint/parser": "8.32.1",
@@ -71,7 +71,7 @@
 		"fast-glob": "3.3.3",
 		"fast-xml-parser": "5.2.3",
 		"github-slugger": "2.0.0",
-		"globals": "16.1.0",
+		"globals": "16.2.0",
 		"hast-util-heading-rank": "3.0.0",
 		"hast-util-select": "6.0.4",
 		"hastscript": "9.0.1",
@@ -91,7 +91,7 @@
 		"patch-package": "8.0.0",
 		"prettier": "3.5.3",
 		"prettier-plugin-astro": "0.14.1",
-		"prettier-plugin-tailwindcss": "0.6.11",
+		"prettier-plugin-tailwindcss": "0.6.12",
 		"pretty-bytes": "7.0.0",
 		"react": "19.0.0",
 		"react-dom": "19.0.0",

package.json

@@ -711,6 +711,7 @@
 /fundamentals/setup/account/customize-account/appearance/ /fundamentals/account/customize-account/ 301
 /fundamentals/setup/account/customize-account/communication-preference/ /fundamentals/account/customize-account/ 301
 /fundamentals/setup/account/customize-account/language-preference/ /fundamentals/account/customize-account/ 301
+/fundamentals/setup/ /fundamentals/account/ 301
 
 # gateway
 /gateway/about/ /cloudflare-one/policies/gateway/ 301

public/__redirects

@@ -9,6 +9,7 @@ import type { CollectionEntry } from "astro:content";
 
 const DEFAULT_TITLE_DELIMITER = "|";
 const NOINDEX_PRODUCTS = ["email-security", "style-guide", "security"];
+const CHATBOT_DEPRIORITIZE_PRODUCTS = ["firewall"];
 
 const currentSection = Astro.url.pathname.split("/")[1].replaceAll(".", "");
 
@@ -22,6 +23,10 @@ const shouldNoIndex =
 	frontmatter.noindex ||
 	frontmatter.external_link;
 
+const shouldChatbotDeprioritize =
+	CHATBOT_DEPRIORITIZE_PRODUCTS.includes(currentSection) ||
+	frontmatter.chatbot_deprioritize;
+
 if (currentSection) {
 	const product = await getEntry("products", currentSection);
 
@@ -83,6 +88,16 @@ if (shouldNoIndex) {
 	});
 }
 
+if (shouldChatbotDeprioritize) {
+	head.push({
+		tag: "meta",
+		attrs: {
+			name: "pcx_chatbot_deprioritize",
+			content: true,
+		},
+	});
+}
+
 if (
 	frontmatter.description &&
 	head.findIndex(

src/assets/images/changelog/cloudflare-one/gateway-analytics.png

@@ -0,0 +1,20 @@
+---
+title: New Gateway Analytics in the Cloudflare One Dashboard
+description: An upgraded analytics experience for Gateway usage and metrics.
+date: 2025-05-29T09:00:00Z
+products:
+  - gateway
+---
+
+Users can now access significant enhancements to Cloudflare Gateway analytics, providing you with unprecedented visibility into your organization's DNS queries, HTTP requests, and Network sessions. These powerful new dashboards enable you to go beyond raw logs and gain actionable insights into how your users are interacting with the Internet and your protected resources.
+
+You can now visualize and explore:
+
+- Patterns Over Time: Understand trends in traffic volume and blocked requests, helping you identify anomalies and plan for future capacity.
+- Top Users & Destinations: Quickly pinpoint the most active users, enabling better policy enforcement and resource allocation.
+- Actions Taken: See a clear breakdown of security actions applied by Gateway policies, such as blocks and allows, offering a comprehensive view of your security posture.
+- Geographic Regions: Gain insight into the global distribution of your traffic.
+
+![Gateway Analytics](~/assets/images/changelog/cloudflare-one/gateway-analytics.png) 
+
+To access the new overview, log in to your Cloudflare [Zero Trust dashboard](https://one.dash.cloudflare.com/) and go to Analytics in the side navigation bar.

src/assets/images/changelog/fundamentals/2025-06-02-permissions-policy-ux.png

@@ -0,0 +1,34 @@
+---
+title: Cloudflare User Groups & Enhanced Permission Policies are now in Beta
+description: Simplifying the management of users, groups, and permissions within Cloudflare.
+products:
+  - fundamentals
+date: 2025-06-02
+---
+
+We're excited to announce the Public Beta launch of **User Groups for Cloudflare Dashboard** and **System for Cross Domain Identity Management (SCIM) User Groups**, expanding our RBAC capabilities to simplify user and group management at scale.
+
+We've also visually overhauled the **Permission Policies UI** to make defining permissions more intuitive.
+
+**What's New**
+
+**User Groups [BETA]**: [User Groups](/fundamentals/manage-members/user-groups/) are a new Cloudflare IAM primitive that enable administrators to create collections of account members that are treated equally from an access control perspective. User Groups can be assigned permission policies, with individual members in the group inheriting all permissions granted to the User Group. User Groups can be created manually, via our APIs, or Terraform.
+
+**SCIM User Groups [BETA]**: Centralize & simplify your user and group management at scale by syncing memberships directly from your upstream identity provider (like Okta or Entra ID) to the Cloudflare Platform. This ensures Cloudflare stays in sync with your identity provider, letting you apply Permission Policies to those synced groups directly within the Cloudflare Dashboard.
+
+:::note
+SCIM Virtual Groups (identified by the pattern `CF-<accountID>-<Role Name>` in your IdP) are deprecated as of 06/02/25. We recommend migrating SCIM Virtual Groups implementations to use [SCIM User Groups](/fundamentals/account/account-security/scim-setup/). If you did not use Virtual Groups, no action is needed.
+:::
+
+**Revamped Permission Policies UI [BETA]**: As Cloudflare's services have grown, so has the need for precise, role-based access control. We've given the Permission Policies builder a visual overhaul to make it much easier for administrators to find and define the exact permissions they want for specific principals.
+
+![Updated Permissions Policy UX](~/assets/images/changelog/fundamentals/2025-06-02-permissions-policy-ux.png)
+
+:::note
+When opting into the Beta for User Groups and Permission Policies, you'll be transitioning to a new experience. Please be aware that opting out isn't currently available.
+:::
+
+For more info:
+
+- [Get started with User Groups](/fundamentals/manage-members/user-groups/)
+- [Explore our SCIM integration guide](/fundamentals/account/account-security/scim-setup/)

src/components/overrides/Head.astro

@@ -64,7 +64,7 @@ curl -X POST https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/comp
 
 ### Universal provider
 
-You can also use this pattern with a [Universal Endpoint](/ai-gateway/universal/).
+You can also use this pattern with the [Universal Endpoint](/ai-gateway/universal/) to add [fallbacks](/ai-gateway/configuration/fallbacks/) across multiple providers. When used in combination, every request will return the same standardized format, whether from the primary or fallback model. This behavior means that you do not have to add extra parsing logic to your app. 
 
 ```ts title="index.ts"
 export interface Env {

src/content/changelog/cloudflare-one/gateway-analytics-v2

@@ -3,46 +3,38 @@ title: Get started
 pcx_content_type: get-started
 sidebar:
   order: 2
-
 ---
 
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip } from "~/components";
+
+Work with your account team to understand everything you need to ensure a smooth transition during the onboarding process.
 
-To bring your own IPs, you must work with your account team to understand everything you need to ensure a smooth transition during the onboarding process.
+Cloudflare requires a service-specific configuration for your prefixes, as well as some requirements common to all BYOIP customers regardless of service type.
 
-Cloudflare requires a service-specific configuration for your prefixes, as well as some requirements common to all BYOIP customers regardless of service type. These requirements are common to all products compatible with BYOIP, such as [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), and [CDN services](/cache/).
+## Requirements
 
-## Prerequisites
+The following requirements are common to all products compatible with BYOIP.
 
-There are two major prerequisites before Cloudflare can begin onboarding your IP space.
+You must verify that your [Internet Routing Registry (IRR)](/byoip/concepts/irr-entries/) records are up to date and contain:
 
-1. Cloudflare must receive a [Letter of Agency (LOA)](/byoip/concepts/loa/) to announce your prefixes, which we will share with our transit partners as evidence that we are allowed to announce the route.
-2. You must verify that your [Internet Routing Registry (IRR)](/byoip/concepts/irr-entries/) records are up to date and contain:
     - `route` or `route6` objects matching the exact prefixes you want to onboard
     - `origin` matching the correct ASN you want to onboard
 
 :::caution[RPKI validation]
-You are not required to use <GlossaryTooltip term="Resource Public Key Infrastructure (RPKI)">Resource Public Key Infrastructure (RPKI)</GlossaryTooltip>. However, if you do, make sure your <GlossaryTooltip term="Route Origin Authorization (ROA)">ROAs</GlossaryTooltip> are accurate. You can use [Cloudflare's RPKI Portal](https://rpki.cloudflare.com/?view=validator) and a second source such as [Routinator](https://rpki-validator.ripe.net/ui/) to double check your prefixes.
+You are not required to use <GlossaryTooltip term="Resource Public Key Infrastructure (RPKI)">Resource Public Key Infrastructure (RPKI)</GlossaryTooltip>. However, if you do, make sure your <GlossaryTooltip term="Route Origin Authorization (ROA)">ROAs</GlossaryTooltip> are accurate. You can use [Cloudflare's RPKI Portal](https://rpki.cloudflare.com/?view=validator) and a second source such as [Routinator](https://rpki-validator.ripe.net/ui/) to double-check your prefixes.
 :::
 
-After onboarding, [Border Gateway Protocol (BGP)](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/) announcements for customer prefixes can be controlled with the [Dynamic Advertisement](/byoip/concepts/dynamic-advertisement/) API or via the Cloudflare dashboard.
-
-## Cloudflare IPs
-
-If you are unable to bring your own IP to Cloudflare, you can use an IP address issued by Cloudflare.
+## Process overview
 
-Using a Cloudflare IP may be a good option if you:
+Overall, the steps can be summarized as follows:
 
-* Have one or a few IPs allocated from home or business class ISPs.
-* Are an online streamer who could be the target of a DoS attack if your IP is leaked.
-* Are a business owner with a small number of locations with broadband Internet connections.
-* Do not own an IP space with a /24 prefix length.
-* Maintain a large number of locations with a combination of connectivity methods.
-* Own an IP space with a /24 prefix length but do not advertise prefixes from every location.
+1. You revise your [IRRs and ROAs](#requirements) (if applicable) to make sure they are correct.
+2. You prepare a [Letter of Agency (LOA)](/byoip/concepts/loa/) containing both the prefix you are authorizing Cloudflare to announce and which ASN they will be announced under. Cloudflare will present this to our transit partners as evidence that we are allowed to announce the route.
+3. You use the [Upload LOA Document](/api/resources/addressing/subresources/loa_documents/methods/create/) API endpoint to submit the letter under your account and the [Add Prefix](/api/resources/addressing/subresources/prefixes/methods/create/) endpoint to create the prefix in your account with the associated `loa_document_id`.
+4. After receiving the LOA, Cloudflare validates the [requirements](#requirements) and provisions the IPs.
+5. (Optional) You can use [prefix delegations](/byoip/concepts/prefix-delegations/) to share all or part of your prefix with another Cloudflare account.
+6. You use [service bindings](/byoip/service-bindings/)[^1] and [address maps](/byoip/address-maps/)[^2] to control how your IPs are used.
+7. You advertise or withdraw the BGP route for a prefix via the [BGP Prefixes API](/api/resources/addressing/subresources/prefixes/subresources/bgp_prefixes/).
 
-To protect your network using a Cloudflare IP address, contact your account manager.
-
-:::note
-
-When you use a Cloudflare-managed IP space, you do not need to provide a Letter of Agency (LOA) and advertise your prefixes that are associated with bringing your own IP.
-:::
+[^1]: Mappings that control through which pipeline traffic destined for a given IP address will be routed.
+[^2]: Mappings that specify which IP addresses should be used when Cloudflare responds to DNS queries for proxied hostnames.