Merge branch 'production' into kian/PCX-16500

Author: kodster28

.github/CODEOWNERS

@@ -18,7 +18,7 @@
 
 # AI
 
-/src/content/docs/agents/ @irvinebroque @rita3ko @elithrar @thomasgauvin @threepointone @harshil1712 @cloudflare/pcx-technical-writing
+/src/content/docs/agents/ @irvinebroque @rita3ko @elithrar @thomasgauvin @threepointone @cloudflare/pcx-technical-writing
 /src/content/docs/ai-gateway/ @kathayl @G4brym @mchenco @daisyfaithauma @cloudflare/pcx-technical-writing
 /src/content/docs/workers-ai/ @rita3ko @craigsdennis @markdembo @mchenco @daisyfaithauma @cloudflare/pcx-technical-writing
 /src/content/docs/vectorize/ @elithrar @vy-ton @sejoker @mchenco @cloudflare/pcx-technical-writing
@@ -93,10 +93,10 @@
 /src/content/docs/calls/ @cloudflare/pcx-technical-writing @cloudflare/calls
 /src/assets/images/calls/ @cloudflare/pcx-technical-writing @cloudflare/calls
 /public/calls/ @cloudflare/pcx-technical-writing @cloudflare/calls
-/src/content/docs/d1/ @elithrar @rozenmd @vy-ton @joshthoward @oxyjun @cloudflare/pcx-technical-writing
+/src/content/docs/d1/ @elithrar @rozenmd @vy-ton @joshthoward @oxyjun @harshil1712 @cloudflare/pcx-technical-writing
 /src/content/release-notes/d1.yaml @elithrar @rozenmd @vy-ton @joshthoward @oxyjun @cloudflare/pcx-technical-writing
-/src/content/partials/d1/ @elithrar @rozenmd @vy-ton @joshthoward @oxyjun @cloudflare/pcx-technical-writing
-/src/content/docs/durable-objects/ @elithrar @vy-ton @joshthoward @oxyjun @cloudflare/pcx-technical-writing
+/src/content/partials/d1/ @elithrar @rozenmd @vy-ton @joshthoward @oxyjun @harshil1712 @cloudflare/pcx-technical-writing
+/src/content/docs/durable-objects/ @elithrar @vy-ton @joshthoward @oxyjun @harshil1712 @cloudflare/pcx-technical-writing
 /src/content/release-notes/durable-objects.yaml @elithrar @rozenmd @vy-ton @joshthoward @oxyjun @cloudflare/pcx-technical-writing
 /src/content/docs/email-routing/ @cloudflare/pcx-technical-writing
 /src/content/docs/hyperdrive/ @elithrar @thomasgauvin @sejoker @oxyjun @cloudflare/pcx-technical-writing
@@ -111,9 +111,9 @@
 /src/content/release-notes/kv.yaml @elithrar @thomasgauvin @rts-rob @oxyjun @cloudflare/pcx-technical-writing
 /src/content/partials/kv/ @elithrar @thomasgauvin @rts-rob @oxyjun @cloudflare/pcx-technical-writing
 /src/content/docs/pub-sub/ @elithrar @dcpena @cloudflare/pcx-technical-writing
-/src/content/docs/queues/ @elithrar @toddmantell @maheshwarip @cloudflare/pcx-technical-writing
+/src/content/docs/queues/ @elithrar @toddmantell @maheshwarip @harshil1712 @cloudflare/pcx-technical-writing
 /src/content/release-notes/queues.yaml @elithrar @toddmantell @maheshwarip @cloudflare/pcx-technical-writing
-/src/content/docs/r2/ @oxyjun @elithrar @jonesphillip @cloudflare/workers-docs @cloudflare/pcx-technical-writing
+/src/content/docs/r2/ @oxyjun @elithrar @jonesphillip @harshil1712 @cloudflare/workers-docs @cloudflare/pcx-technical-writing
 /src/content/release-notes/r2.yaml @oxyjun @elithrar @cloudflare/workers-docs @cloudflare/pcx-technical-writing
 /src/content/docs/stream/ @tsmith512 @dcpena @cloudflare/pcx-technical-writing @renandincer @third774
 /src/content/release-notes/stream.yaml @tsmith512 @dcpena @cloudflare/pcx-technical-writing

src/content/changelog/workers-ai/2025-03-20-markdown-conversion.mdx

@@ -0,0 +1,62 @@
+---
+title: Markdown conversion in Workers AI
+description: You can now convert documents in multiple formats to Markdown using the toMarkdown utility method in Workers AI.
+date: 2025-03-20T18:00:00Z
+---
+
+Document conversion plays an important role when designing and developing AI applications and agents. Workers AI now provides the `toMarkdown` utility method that developers can use to for quick, easy, and convenient conversion and summary of documents in multiple formats to Markdown language.
+
+You can call this new tool using a binding by calling `env.AI.toMarkdown()` or the using the [REST API](/api/resources/ai/) endpoint.
+
+In this example, we fetch a PDF document and an image from R2 and feed them both to `env.AI.toMarkdown()`. The result is a list of converted documents. Workers AI models are used automatically to detect and summarize the image.
+
+```typescript
+import { Env } from "./env";
+
+export default {
+  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
+
+    // https://pub-979cb28270cc461d94bc8a169d8f389d.r2.dev/somatosensory.pdf
+    const pdf = await env.R2.get('somatosensory.pdf');
+
+    // https://pub-979cb28270cc461d94bc8a169d8f389d.r2.dev/cat.jpeg
+    const cat = await env.R2.get('cat.jpeg');
+
+    return Response.json(
+      await env.AI.toMarkdown([
+        {
+          name: "somatosensory.pdf",
+          blob: new Blob([await pdf.arrayBuffer()], { type: "application/octet-stream" }),
+        },
+        {
+          name: "cat.jpeg",
+          blob: new Blob([await cat.arrayBuffer()], { type: "application/octet-stream" }),
+        },
+      ]),
+    );
+  },
+};
+```
+
+This is the result:
+
+```json
+[
+	{
+		"name": "somatosensory.pdf",
+		"mimeType": "application/pdf",
+		"format": "markdown",
+		"tokens": 0,
+		"data": "# somatosensory.pdf\n## Metadata\n- PDFFormatVersion=1.4\n- IsLinearized=false\n- IsAcroFormPresent=false\n- IsXFAPresent=false\n- IsCollectionPresent=false\n- IsSignaturesPresent=false\n- Producer=Prince 20150210 (www.princexml.com)\n- Title=Anatomy of the Somatosensory System\n\n## Contents\n### Page 1\nThis is a sample document to showcase..."
+	},
+	{
+		"name": "cat.jpeg",
+		"mimeType": "image/jpeg",
+		"format": "markdown",
+		"tokens": 0,
+		"data": "The image is a close-up photograph of Grumpy Cat, a cat with a distinctive grumpy expression and piercing blue eyes. The cat has a brown face with a white stripe down its nose, and its ears are pointed upright. Its fur is light brown and darker around the face, with a pink nose and mouth. The cat's eyes are blue and slanted downward, giving it a perpetually grumpy appearance. The background is blurred, but it appears to be a dark brown color. Overall, the image is a humorous and iconic representation of the popular internet meme character, Grumpy Cat. The cat's facial expression and posture convey a sense of displeasure or annoyance, making it a relatable and entertaining image for many people."
+	}
+]
+```
+
+See [Markdown Conversion](/workers-ai/markdown-conversion/) for more information on supported formats, REST API and pricing.

src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx

@@ -53,7 +53,7 @@ Some SaaS applications provide the Redirect URL after you [configure the SSO pro
     | Key endpoint           | Returns the current public keys used to [verify the Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) <br/> `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/jwks`                                   |
     | User info endpoint     | Returns all user claims in JSON format <br/> `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/userinfo`                                                                                                                        |
 
-11. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
+11. <Render file="access/add-access-policies" product="cloudflare-one" />
 
 12. <Render file="access/access-choose-idps" product="cloudflare-one" />
 

src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx

@@ -48,7 +48,7 @@ Obtain the following URLs from your SaaS application account:
 If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values.
 :::
 
-11. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
+11. <Render file="access/add-access-policies" product="cloudflare-one" />
 
 12. <Render file="access/access-choose-idps" product="cloudflare-one" />
 

src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx

@@ -17,7 +17,7 @@ You can securely publish internal tools and applications by adding Cloudflare Ac
 
 ## 1. Add your application to Access
 
-<Render file="access/self-hosted-app" />
+<Render file="access/self-hosted-app/generic-public-app" />
 
 ## 2. Connect your origin to Cloudflare
 
@@ -37,12 +37,4 @@ Users can now connect to your self-hosted application after authenticating with
 
 ## Product compatibility
 
-When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application.
-
-However, the following products are not supported:
-
-* [Automatic Signed Exchanges](/speed/optimization/other/signed-exchanges/)
-* [Automatic Platform Optimization](/automatic-platform-optimization)
-* [Zaraz](/zaraz)
-
-You can disable Automatic Signed Exchanges and Zaraz for a specific application - instead of across your entire zone - using a [Configuration Rule](/rules/configuration-rules/) scoped to the application domain.
+ <Render file="access/self-hosted-app/product-compatibility" product="cloudflare-one" />

src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx

@@ -5,34 +5,44 @@ sidebar:
   order: 3
 ---
 
-Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser.
+import { Render } from "~/components";
 
-:::note
-You can only enable browser rendering on domains and subdomains, not for specific paths.
-:::
+Cloudflare can render SSH, VNC, and RDP applications in a browser without the need for client software or end-user configuration changes. For SSH and VNC, user email prefixes must match their username on the server. RDP leverages your existing Windows usernames and passwords for authenticating to the Windows server; Cloudflare does not manage any credentials on the Windows server.
 
-## Enable browser rendering
+## Limitations
 
-To enable browser rendering:
+- Browser rendering is only supported for [self-hosted public applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), not private IPs or hostnames.
+- You can only render a browser-rendered terminal on domains and subdomains, not on specific paths.
+- <Render file="access/self-hosted-app/ssh-sessions" />
+- Cloudflare uses TLS to secure the egress RDP connection to your Windows server. We do not currently validate the chain of trust.
 
-1.  In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
-2.  Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**.
-3.  In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
-4.  Go to **Advanced settings** > **Browser rendering settings**.
-5.  For **Browser rendering**, choose _SSH_ or _VNC_.
+## Turn on browser rendering
 
-        	:::note
+### SSH and VNC
 
-        	When connecting over SSH, Cloudflare supports following key exchange algorithms:
-
-        	- `[email protected]`
-        	- `curve25519-sha256`
-        	- `ecdh-sha2-nistp256`
-        	- `ecdh-sha2-nistp384`
-        	- `ecdh-sha2-nistp521`
-
-        	:::
+To turn on browser rendering for an SSH or VNC application:
 
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
+2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**.
+3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
+4. Go to **Advanced settings** > **Browser rendering settings**.
+5. For **Browser rendering**, choose _SSH_ or _VNC_.
 6.  Select **Save application**.
 
 When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.
+
+### RDP
+
+To set up browser-rendering for RDP, refer to our [browser-based RDP guide](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser/).
+
+### SSH key exchange algorithms
+
+Cloudflare's browser-rendered SSH terminal supports the following Key Exchange (KEX) algorithms:
+
+	- `[email protected]`
+	- `curve25519-sha256`
+	- `ecdh-sha2-nistp256`
+	- `ecdh-sha2-nistp384`
+	- `ecdh-sha2-nistp521`
+
+For browser-rendered SSH connections to work, you may need to update the `sshd_config` file on your server to accept these algorithms.

src/content/docs/cloudflare-one/applications/non-http/index.mdx

@@ -23,11 +23,11 @@ If you would like to define how users access specific infrastructure servers wit
 
 ## Clientless access
 
-Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported, and user email prefixes must match their username on the server.
+Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported.
 
 ### Browser-rendered terminal
 
-Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser.
+Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH, RDP, and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. For RDP connections, users must authenticate to the Windows server using their Windows username and password in addition to being authenticated by Cloudflare Access.
 
 ### Client-side cloudflared (legacy)
 

src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx

@@ -40,7 +40,7 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti
 
 ## 1. Add a target
 
-<Render file="access/add-target" />
+<Render file="access/add-target" params={{ protocol: "generic" }}/>
 
 ## 2. Add an infrastructure application
 

src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx

@@ -22,25 +22,15 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 ## Add your application to Access
 
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
-
-2. Select **Add an application**.
-
-3. Select **Self-hosted**.
-
-4. Enter any name for the application.
-
-5. In **Session Duration**, choose how often the user's [application token](/cloudflare-one/identity/authorization-cookie/application-token/) should expire.
-
-   Cloudflare checks every HTTPS request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](/cloudflare-one/identity/users/session-management/). If the application is non-HTTPS or you do not have TLS decryption turned on, the session is tracked by the WARP client per application.
+<Render file="access/self-hosted-app/create-app" product="cloudflare-one" params={{ private: true }}/>
 
 6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path.
 
 	:::note
 	Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI).
 	:::
 
-7. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
+7.  <Render file="access/add-access-policies" product="cloudflare-one" />
 
 8. Configure how users will authenticate:
 
@@ -58,14 +48,9 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 12. Select **Next**.
 
-13. (Optional) Configure advanced settings. These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
+13. <Render file="access/self-hosted-app/advanced-settings" product="cloudflare-one" />
 
-		- [**Cross-Origin Resource Sharing (CORS) settings**](/cloudflare-one/identity/authorization-cookie/cors/)
-		- [**Cookie settings**](/cloudflare-one/identity/authorization-cookie/#cookie-settings)
-		- **Browser rendering settings**:
-				- [Automatic `cloudflared` authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication/)
-				- [Browser rendering for SSH and VNC](/cloudflare-one/applications/non-http/browser-rendering/)
-		- **401 Response for Service Auth policies**: Return a `401` response code when a user (or machine) makes a request to the application without the correct [service token](/cloudflare-one/identity/service-tokens/).
+		These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
 
 14. Select **Save**.
 

src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx

@@ -9,7 +9,7 @@ If you are unable to install the WARP client on your devices (for example, Windo
 
 - **[Gateway DNS policies](/cloudflare-one/connections/connect-devices/agentless/dns/)**
 - **[Gateway HTTP policies](/cloudflare-one/connections/connect-devices/agentless/pac-files/)** without user identity and device posture
-- **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH and VNC connections
+- **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and for [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH, RDP, and VNC connections
 - **[Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/)** via an [Access policy](/cloudflare-one/policies/access/isolate-application/), [prefixed URLs](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/policies/browser-isolation/setup/non-identity/)
 - **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/)**
 - **[Data Loss Prevention (DLP)](/cloudflare-one/applications/casb/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB