Merge branch 'production' into dpena/implementation-guide

Author: pedrosousa

src/content/docs/agents/model-context-protocol/mcp-portal.mdx

@@ -0,0 +1,11 @@
+---
+pcx_content_type: navigation
+title: MCP server portals
+tags:
+  - MCP
+sidebar:
+  order: 101
+external_link: /cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/
+description: Centralize multiple MCP servers onto a single endpoint and customize the tools, prompts, and resources available to users.
+
+---

src/content/docs/cloudflare-one/account-limits.mdx

@@ -13,20 +13,21 @@ This page lists the default account limits for rules, applications, fields, and
 
 | Feature                     | Limit |
 | --------------------------- | ----- |
-| Applications count          | 500   |
+| Applications                | 500   |
 | Audit Logpush jobs          | 5     |
 | Email addresses per rule    | 1,000 |
-| Group count                 | 300   |
-| Group size                  | 1,000 |
+| Rule groups                 | 300   |
+| Rules per rule group        | 1,000 |
 | IP addresses per rule       | 1,000 |
 | mTLS root certificates      | 50    |
-| Service tokens count        | 50    |
-| IdP count                   | 50    |
-| Reusable policies count     | 500   |
-| Rules count per application | 1,000 |
-| Rules count per group       | 1,000 |
+| Service tokens              | 50    |
+| Identity providers          | 50    |
+| Reusable policies           | 500   |
+| Rules per application       | 1,000 |
 | Domains per application     | 5     |
 | Infrastructure targets      | 5,000 |
+| MCP portals                 | 20    |
+| MCP servers per portal      | 10    |
 
 ## Gateway
 

src/content/docs/cloudflare-one/applications/casb/casb-integrations/anthropic.mdx

@@ -0,0 +1,68 @@
+---
+pcx_content_type: reference
+title: Anthropic
+rss: file
+---
+
+import { Render } from "~/components";
+
+<Render
+	file="casb/integration-description"
+	product="cloudflare-one"
+	params={{
+		integrationName: "Anthropic",
+		integrationAccountType: "Anthropic account",
+	}}
+/>
+
+This integration covers the following Anthropic products:
+
+- Claude Console (organizations, workspaces/projects, users, invites)
+- Anthropic API Platform (organization and project API keys)
+
+## Integration prerequisites
+
+- An Anthropic [Team or Enterprise organization](https://www.anthropic.com/pricing#team-&-enterprise)
+- [Organization-level admin (or equivalent) privileges in Anthropic](https://support.anthropic.com/articles/10186004-api-console-roles-and-permissions) to view organization metadata and manage API keys
+
+## Integration permissions
+
+For the Anthropic integration to function, Cloudflare CASB requires authorization via **API keys**:
+
+- `Organization API key (organization-level)`: Grants read-only access to organization/workspace metadata, members and invites, and key metadata used for findings.
+- (Optional) `Project API key (project-level)`: Grants read-only access to project metadata and keys when you include project scopes in the scan.
+
+These credentials follow the principle of least privilege so that only the minimum required access is granted.
+
+## Security findings
+
+<Render
+	file="casb/security-findings"
+	product="cloudflare-one"
+	params={{ integrationName: "Anthropic", slugRelativePath: "anthropic" }}
+/>
+
+### API key hygiene
+
+Detect API keys that may be unused or overdue for rotation.
+
+| Finding type              | FindingTypeID                          | Severity |
+| ------------------------- | -------------------------------------- | -------- |
+| Anthropic: Unused API key | `f343cd22-21f0-45a6-b6f7-39b1539a0f2b` | Medium   |
+
+### Access security
+
+Flag organization access issues to help enforce best practices.
+
+| Finding type                     | FindingTypeID                          | Severity |
+| -------------------------------- | -------------------------------------- | -------- |
+| Anthropic: High-privilege invite | `a435d091-3bb1-42e1-bc98-32d80c6340a5` | High     |
+| Anthropic: Stale pending invite  | `5667f7fa-4215-4a8e-80d7-4694ea33335b` | Low      |
+
+### Data Loss Prevention (optional)
+
+<Render file="casb/data-loss-prevention" product="cloudflare-one" />
+
+| Finding type                                        | FindingTypeID                          | Severity |
+| --------------------------------------------------- | -------------------------------------- | -------- |
+| Anthropic: Downloadable File with DLP Profile match | `74ec2a38-0e69-48d4-80ed-a8faad5f40ef` | High     |

src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/gemini.mdx

@@ -0,0 +1,60 @@
+---
+pcx_content_type: reference
+title: Gemini for Google Workspace
+rss: file
+---
+
+import { Render } from "~/components";
+
+<Render
+	file="casb/integration-description"
+	product="cloudflare-one"
+	params={{
+		integrationName: "Gemini for Google Workspace",
+		integrationAccountType: "Google Workspace account",
+	}}
+/>
+
+## Integration prerequisites
+
+<Render file="casb/google/google-prereqs" product="cloudflare-one" />
+
+## Integration permissions
+
+<Render
+	file="casb/integration-perms"
+	product="cloudflare-one"
+	params={{
+		parentIntegration: "Google Workspace",
+		parentSlug: "google-workspace",
+	}}
+/>
+
+## Security findings
+
+<Render
+	file="casb/security-findings"
+	product="cloudflare-one"
+	params={{
+		integrationName: "Gemini for Google Workspace",
+		slugRelativePath: "gemini",
+	}}
+/>
+
+### User account settings
+
+| Finding type                                                                             | FindingTypeID                          | Severity | Description                                                                                                  |
+| ---------------------------------------------------------------------------------------- | -------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------ |
+| Google Workspace: Admin user with Gemini license with two-factor authentication disabled | `27a0a9a0-13c6-4d8f-a67c-b455dd213cb9` | High     | An administrator with a Gemini for Google Workspace license does not have two-factor authentication enabled. |
+| Google Workspace: User with Gemini license with two-factor authentication disabled       | `c82024dc-b836-4b86-8c90-ab07971474e4` | Medium   | A user with a Gemini for Google Workspace license does not have two-factor authentication enabled.           |
+
+### Inactive or suspended users
+
+| Finding type                                                 | FindingTypeID                          | Severity | Description                                                                            |
+| ------------------------------------------------------------ | -------------------------------------- | -------- | -------------------------------------------------------------------------------------- |
+| Google Workspace: Admin user suspended with AI Ultra license | `ee7d4ed6-479f-404f-8dbd-f82dce2a0f66` | Low      | An administrator account with an AI Ultra (Gemini for Workspace) license is suspended. |
+| Google Workspace: User suspended with AI Ultra license       | `cf20e808-29ad-4026-a8f9-6ec3e069376c` | Low      | A user account with an AI Ultra (Gemini for Workspace) license is suspended.           |
+
+### Gemini licensing
+
+<Render file="casb/google/gemini-licensing" product="cloudflare-one" />

src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/index.mdx

@@ -59,6 +59,10 @@ These permissions follow the principle of least privilege to ensure that only th
 
 <Render file="casb/google/inactive-suspended-users" product="cloudflare-one" />
 
+### Gemini licensing
+
+<Render file="casb/google/gemini-licensing" product="cloudflare-one" />
+
 ### File sharing
 
 <Render file="casb/google/file-sharing" product="cloudflare-one" />

src/content/docs/cloudflare-one/applications/casb/casb-integrations/openai.mdx

@@ -0,0 +1,108 @@
+---
+pcx_content_type: reference
+title: OpenAI
+rss: file
+---
+
+import { Render } from "~/components";
+
+The OpenAI integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated OpenAI account that could leave you and your organization vulnerable.
+
+This integration covers the following OpenAI products:
+
+- ChatGPT Enterprise (Workspaces)
+- OpenAI Platform Projects (API keys)
+- GPTs (custom GPTs)
+
+:::note
+Before you begin, ensure that OpenAI has enabled ChatGPT Enterprise Compliance API access for your organization. You will need an Admin API key issued for your organization, your Organization ID, and your Workspace ID. These are available in your [ChatGPT Admin Settings](https://chatgpt.com/admin/settings).
+
+If Compliance API access is not yet turned on for your organization, refer to [Enable Compliance API access](#enable-combliane-api-access).
+:::
+
+## Integration prerequisites
+
+- An OpenAI organization with a ChatGPT Enterprise workspace
+- Organization-level admin privileges to create and manage Admin API keys
+- (Optional) A Project API key and the corresponding Project ID if you plan to include OpenAI Platform Projects in the scan scope
+
+### Enable Compliance API access
+
+Compliance API access is required to use the OpenAI CASB integration. To enable Compliance API access:
+
+1. Contact `[email protected]` to request access to the Compliance API for your organization and for the API key you will use with Cloudflare CASB. In your request, include:
+   - The last four characters of the API key
+   - The name of the API key
+   - The name of the user who created the key
+   - The requested scope (`read`, `write`, or both)
+2. OpenAI will verify the key and grant the requested Compliance API scopes.
+3. After the scopes are granted, [add the OpenAI integration to CASB](/cloudflare-one/applications/casb/#add-an-integration). When prompted, enter your Open AI Admin API key, Organization ID, and Workspace ID (available at `https://chatgpt.com/admin/settings`).
+
+For more information, refer to the [OpenAI Help Center](https://help.openai.com/articles/9261474-compliance-api-for-enterprise-customers).
+
+## Integration permissions
+
+For the OpenAI integration to function, Cloudflare CASB requires the following authorization via API keys:
+
+- `Admin API key (organization-level)`: Grants read-only access to organization/workspace metadata, GPTs, users, invites, and audit/compliance objects exposed by the ChatGPT Enterprise Compliance API.
+- (Optional) `Project API key (project-level)`: Grants read-only access to OpenAI Platform project metadata and keys.
+
+These credentials follow the principle of least privilege so that only the minimum required access is granted.
+
+## Security findings
+
+<Render
+	file="casb/security-findings"
+	product="cloudflare-one"
+	params={{ integrationName: "OpenAI", slugRelativePath: "openai" }}
+/>
+
+### Model and tool governance
+
+Flag risky tool and capability settings on custom GPTs.
+
+| Finding type                              | FindingTypeID                          | Severity | ChatGPT Enterprise required |
+| ----------------------------------------- | -------------------------------------- | -------- | --------------------------- |
+| OpenAI: GPT with Custom Actions enabled   | `5a2995f5-0cc1-4af3-9045-cdf7e6601f7b` | High     | ✅                          |
+| OpenAI: GPT with Code Interpreter enabled | `d368036a-be90-49f0-b7da-5092a3f8beb4` | Medium   | ✅                          |
+| OpenAI: GPT with web browsing enabled     | `3af14358-5ff2-4502-921e-7ffd9a310093` | Medium   | ✅                          |
+
+### Publishing and sharing
+
+Identify GPTs that are externally visible beyond your organization.
+
+| Finding type                                    | FindingTypeID                          | Severity | ChatGPT Enterprise required |
+| ----------------------------------------------- | -------------------------------------- | -------- | --------------------------- |
+| OpenAI: GPT publicly accessible via GPT Store   | `c69adfa6-2362-4939-86ec-49ff34093cfd` | High     | ✅                          |
+| OpenAI: GPT publicly accessible via public link | `de460c9f-55c0-4131-9cdf-e4c3b84f9549` | High     | ✅                          |
+
+### API key hygiene
+
+Detect API keys that may be stale, unused, or overdue for rotation.
+
+| Finding type                        | FindingTypeID                          | Severity | ChatGPT Enterprise required |
+| ----------------------------------- | -------------------------------------- | -------- | --------------------------- |
+| OpenAI: Admin API key not rotated   | `b72e971d-f5b9-4cf3-96f4-ef82bdf38453` | High     | ❌                          |
+| OpenAI: Project API key not rotated | `2c079fe8-6188-43e1-a2e5-d0e2dd8c7686` | High     | ❌                          |
+| OpenAI: Unused admin API key        | `49c75a36-1e64-437b-98a1-e54ec35d0a64` | Medium   | ❌                          |
+| OpenAI: Unused project API key      | `c8fd231b-de51-43cc-8c3f-e1e57114c5f5` | Medium   | ❌                          |
+
+### Access security
+
+Flag user/invite issues to help enforce best practices.
+
+| Finding type                  | FindingTypeID                          | Severity | ChatGPT Enterprise required |
+| ----------------------------- | -------------------------------------- | -------- | --------------------------- |
+| OpenAI: High-privilege invite | `776ceb93-fa9a-4ca0-83db-668a67c09936` | High     | ❌                          |
+| OpenAI: Inactive user         | `20ab9ddb-fd48-46a8-9fdf-9bb9b9061f21` | Medium   | ❌                          |
+| OpenAI: Stale pending invite  | `18fd5b21-8489-485e-9c93-0bd4a696e724` | Low      | ❌                          |
+
+### Data Loss Prevention (optional)
+
+<Render file="casb/data-loss-prevention" product="cloudflare-one" />
+
+| Finding type                                                | FindingTypeID                          | Severity | ChatGPT Enterprise required |
+| ----------------------------------------------------------- | -------------------------------------- | -------- | --------------------------- |
+| OpenAI: File in ChatGPT Conversation with DLP Profile match | `9aca654d-b331-4052-a5b4-2ceecced8676` | High     | ✅                          |
+| OpenAI: File in ChatGPT GPT with DLP Profile match          | `520200f5-7dcc-42c9-bc3c-423019159d45` | High     | ✅                          |
+| OpenAI: File in ChatGPT Project with DLP Profile match      | `8e46ec69-e5c1-4f53-ab00-a92f2050ec33` | High     | ❌                          |

src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps.mdx

@@ -4,7 +4,7 @@ title: Authenticate MCP server to self-hosted apps
 tags:
   - MCP
 sidebar:
-  order: 2
+  order: 3
   label: Enable MCP OAuth to self-hosted apps
 ---