Merge branch 'production' into patricia/pcx19847-gtm

Author: patriciasantaana

.github/CODEOWNERS

@@ -140,7 +140,7 @@
 /src/content/docs/analytics/analytics-engine/ @irvinebroque @elithrar @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-for-platforms/ @irvinebroque @dinasaur404 @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-for-platforms/workers-for-platforms/ @irvinebroque @dinasaur404 @cloudflare/deploy-config @cloudflare/pcx-technical-writing
-/src/content/docs/workers/observability/ @irvinebroque @mikenomitch @rohinlohe @kodster28 @cloudflare/pcx-technical-writing
+/src/content/docs/workers/observability/ @irvinebroque @mikenomitch @nevikashah @kodster28 @cloudflare/pcx-technical-writing
 /src/content/docs/workers/static-assets @irvinebroque @GregBrimble @WalshyDev @kodster28 @cloudflare/deploy-config @cloudflare/pcx-technical-writing
 /src/content/docs/workflows/ @elithrar @celso @cloudflare/pcx-technical-writing
 /src/content/docs/sandbox/ @whoiskatrin @ghostwriternr @cloudflare/pcx-technical-writing @cloudflare/ai-agents

.github/workflows/close-stale-issues-prs.yml

@@ -18,15 +18,9 @@ jobs:
         uses: actions/stale@v4
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          # Messages for issues (mention the issue author)
-          stale-issue-message: "Hey there, this issue has been automatically marked as stale because it has not had recent activity. It will be auto-closed after and additional 10 days of inactivity. If you need it open for longer, add the label `stale-exempt`."
-          close-issue-message: "Hey there, this issue has been automatically closed due to 45 days of inactivity. If needed, please reopen or comment and we can reevaluate your request."
-          # Messages for pull requests (mention the PR author)
-          stale-pr-message: "Hey there, this pull request has been automatically marked as stale because it has not had recent activity. It will be auto-closed after and additional 10 days of inactivity. If you need it open for longer, add the label `stale-exempt`."
-          close-pr-message: "Hey there, this pull request has been automatically closed due to 45 days of inactivity. If needed, please reopen or comment and we can reevaluate your request."
-          # Time thresholds (adjust to your policy)
+          stale-issue-message: "Hey there, we've marked this pull request as stale because there's no recent activity on it. This label helps us identify long-standing issues in our repo (and not used to auto-close issues)."
+          stale-pr-message: "Hey there, we've marked this pull request as stale because there's no recent activity on it. This label is helps us identify PRs that might need updates (or to be closed out by our team if no longer relevant)."
           days-before-stale: 35
-          days-before-close: 15
+          # setting to a negative number means they'll never be autoclosed
+          days-before-close: -1
           operations-per-run: 100
-          exempt-pr-labels: stale-exempt
-          exempt-issues-labels: stale-exempt

assets/images/security-center/2025-10-24RFITokens.png

@@ -11,6 +11,8 @@ import react from "@astrojs/react";
 
 import { readdir } from "fs/promises";
 import { fileURLToPath } from "url";
+import { execSync } from "child_process";
+import { existsSync } from "fs";
 
 import remarkValidateImages from "./src/plugins/remark/validate-images";
 
@@ -59,6 +61,52 @@ const customCss = await autogenStyles();
 
 const runLinkCheck = process.env.RUN_LINK_CHECK || false;
 
+/**
+ * Get the last Git modification date for a file
+ * @param filePath - Absolute path to the file
+ * @returns ISO date string or null if not available
+ */
+function getGitLastModified(filePath: string): string | null {
+	try {
+		const result = execSync(`git log -1 --format=%cI -- "${filePath}"`, {
+			encoding: "utf-8",
+		}).trim();
+		return result || null;
+	} catch (_error) {
+		return null;
+	}
+}
+
+/**
+ * Convert a sitemap URL to the corresponding source file path
+ * @param url - The full URL from the sitemap
+ * @returns Absolute file path or null if not found
+ */
+function urlToFilePath(url: string): string | null {
+	try {
+		const urlObj = new URL(url);
+		const pathname = urlObj.pathname.replace(/\/$/, ""); // Remove trailing slash
+
+		// Try different file extensions and paths
+		const possiblePaths = [
+			`./src/content/docs${pathname}.md`,
+			`./src/content/docs${pathname}.mdx`,
+			`./src/content/docs${pathname}/index.md`,
+			`./src/content/docs${pathname}/index.mdx`,
+		];
+
+		for (const path of possiblePaths) {
+			if (existsSync(path)) {
+				return path;
+			}
+		}
+
+		return null;
+	} catch (_error) {
+		return null;
+	}
+}
+
 // https://astro.build/config
 export default defineConfig({
 	site: "https://developers.cloudflare.com",
@@ -194,7 +242,18 @@ export default defineConfig({
 				return true;
 			},
 			serialize(item) {
-				item.lastmod = new Date().toISOString();
+				const filePath = urlToFilePath(item.url);
+				if (filePath) {
+					const gitDate = getGitLastModified(filePath);
+					if (gitDate) {
+						item.lastmod = gitDate;
+					}
+				} else {
+					console.warn(
+						`[sitemap] Could not find last modified for ${item.url} - setting to now`,
+					);
+					item.lastmod = new Date().toISOString();
+				}
 				return item;
 			},
 		}),

astro.config.ts

@@ -0,0 +1,9 @@
+---
+title: Report logo misuse to Cloudflare directly from the Brand Protection dashboard
+description: You can now use the Brand Protection logo dashboard to report abuse on the Cloudflare network 
+date: 2025-10-31
+---
+
+The Brand Protection logo query dashboard now allows you to use the **Report to Cloudflare** button to submit an Abuse report directly from the Brand Protection logo queries dashboard. While you could previously report new domains that were impersonating your brand before, now you can do the same for websites found to be using your logo wihtout your permission. The abuse reports wiull be prefilled and you will only need to validate a few fields before you can click the submit button, after which our team process your request.
+
+Ready to start? Check out the [Brand Protection docs](/security-center/brand-protection/). 

src/content/changelog/security-center/2025-10-31-brand-protection-logo-dashboard-report-abuse.mdx

@@ -0,0 +1,44 @@
+---
+title: "WAF Release - 2025-11-03"
+description: Cloudflare WAF managed rulesets 2025-11-03 release
+date: 2025-11-03
+---
+
+import { RuleID } from "~/components";
+
+This week highlights enhancements to detection signatures improving coverage for vulnerabilities in Adobe Commerce and Magento Open Source, linked to CVE-2025-54236.
+
+**Key Findings**
+
+This vulnerability allows unauthenticated attackers to take over customer accounts through the Commerce REST API and, in certain configurations, may lead to remote code execution. The latest update provides enhanced detection logic for resilient protection against exploitation attempts.
+
+**Impact**
+
+- Adobe Commerce (CVE-2025-54236): Exploitation may allow attackers to hijack sessions, execute arbitrary commands, steal data, and disrupt storefronts, resulting in confidentiality and integrity risks for merchants. Administrators are strongly encouraged to apply vendor patches without delay.
+
+<table style="width: 100%">
+	<thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="f5295d8333b7428c816654d8cb6d5fe5" />
+			</td>
+			<td>100774C</td>
+			<td>Adobe Commerce - Remote Code Execution - CVE:CVE-2025-54236</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is an improved detection.</td>
+		</tr>
+	</tbody>
+</table>

src/content/changelog/waf/2025-11-03-waf-release.mdx

@@ -1,7 +1,7 @@
 ---
-title: WAF Release - Scheduled changes for 2025-11-03
-description: WAF managed ruleset changes scheduled for 2025-11-03
-date: 2025-10-27
+title: WAF Release - Scheduled changes for 2025-11-10
+description: WAF managed ruleset changes scheduled for 2025-11-10
+date: 2025-11-03
 scheduled: true
 ---
 
@@ -22,18 +22,7 @@ import { RuleID } from "~/components";
 	<tbody>
 	<tr>
 		<td>2025-10-27</td>
-		<td>2025-11-03</td>
-		<td>Log</td>
-		<td>100774</td>
-		<td>
-			<RuleID id="f5295d8333b7428c816654d8cb6d5fe5" />
-		</td>
-		<td>Adobe Commerce - Remote Code Execution - CVE:CVE-2025-54236</td>
-		<td>This is a new detection</td>
-	</tr>
-	<tr>
-		<td>2025-10-27</td>
-		<td>2025-11-03</td>
+		<td>2025-11-10</td>
 		<td>Log</td>
 		<td>N/A</td>
 		<td>
@@ -44,7 +33,7 @@ import { RuleID } from "~/components";
 	</tr>
 	<tr>
 		<td>2025-10-27</td>
-		<td>2025-11-03</td>
+		<td>2025-11-10</td>
 		<td>Log</td>
 		<td>N/A</td>
 		<td>
@@ -55,7 +44,7 @@ import { RuleID } from "~/components";
 	</tr>
 	<tr>
 		<td>2025-10-27</td>
-		<td>2025-11-03</td>
+		<td>2025-11-10</td>
 		<td>Log</td>
 		<td>N/A</td>
 		<td>
@@ -66,47 +55,14 @@ import { RuleID } from "~/components";
 	</tr>
 	<tr>
 		<td>2025-10-27</td>
-		<td>2025-11-03</td>
+		<td>2025-11-10</td>
 		<td>Log</td>
 		<td>N/A</td>
 		<td>
-			<RuleID id="833078bdcfa04bb7aa7b8fb67efbeb39" />
+			<RuleID id="818d92d370654c3d8f1adc7c9029cd61" />
 		</td>
 		<td>HTTP Truncated Beta</td>
 		<td>This is a beta detection and will replace the action on original detection (ID: <RuleID id="646bccf7e9dc46918a4150d6c22b51d3" />)  </td>
 	</tr>
-	<tr>
-		<td>2025-10-27</td>
-		<td>2025-11-03</td>
-		<td>Disabled</td>
-		<td>N/A</td>
-		<td>
-			<RuleID id="5f2a6681a2b94442b23816286d060a0d" />
-		</td>
-		<td>Generic Rules - Command Execution - URI - Beta</td>
-		<td>We have updated the rule logic</td>
-	</tr>
-	<tr>
-		<td>2025-10-27</td>
-		<td>2025-11-03</td>
-		<td>Disabled</td>
-		<td>N/A</td>
-		<td>
-			<RuleID id="e7ee67e824844754b513cdf3836855a4" />
-		</td>
-		<td>Generic Rules - Command Execution - Header - Beta</td>
-		<td>We have updated the rule logic</td>
-	</tr>
-	<tr>
-		<td>2025-10-27</td>
-		<td>2025-11-03</td>
-		<td>Disabled</td>
-		<td>N/A</td>
-		<td>
-			<RuleID id="aa21c9b8b97743bfb217748b2049a60c" />
-		</td>
-		<td>Generic Rules - Command Execution - Body - Beta</td>
-		<td>We have updated the rule logic</td>
-	</tr>
 	</tbody>
 </table>

src/content/changelog/waf/scheduled-waf-release.mdx

@@ -0,0 +1,15 @@
+---
+title: Workers WebSocket message size limit increased from 1 MiB to 32 MiB
+description: The maximum WebSocket message size limit for all Workers has been increased from 1 MiB to 32 MiB.
+products:
+  - workers
+  - durable-objects
+  - browser-rendering
+date: 2025-10-31
+---
+
+Workers, including those using [Durable Objects](/durable-objects/) and [Browser Rendering](/browser-rendering/workers-bindings/), may now process WebSocket messages up to 32 MiB in size. Previously, this limit was 1 MiB.
+
+This change allows Workers to handle use cases requiring large message sizes, such as processing Chrome Devtools Protocol messages.
+
+For more information, please see the [Durable Objects startup limits](/durable-objects/platform/limits/#SQLite-backed-Durable-Objects-general-limits).

src/content/changelog/workers/2025-10-31-increased-websocket-message-size-limit.mdx

@@ -0,0 +1,17 @@
+---
+title: Increased Workflows instance and concurrency limits
+description: Higher concurrency and creation limits for Workflow instances now available
+products:
+  - workflows
+  - workers
+date: 2025-10-31
+---
+
+We've raised the [Cloudflare Workflows](/workflows/) account-level limits for all accounts on the [Workers paid plan](/workers/platform/pricing/):
+
+* **Instance creation rate** increased from 100 workflow instances per 10 seconds to 100 instances per second
+* **Concurrency limit** increased from 4,500 to 10,000 workflow instances per account
+
+These increases mean you can create new instances up to 10x faster, and have more workflow instances concurrently executing. To learn more and get started with Workflows, refer to [the getting started guide](/workflows/get-started/guide/). 
+
+If your application requires a higher limit, fill out the [Limit Increase Request Form](/workers/platform/limits/) or contact your account team. Please refer to [Workflows pricing](/workflows/reference/pricing/) for more information.

src/content/changelog/workflows/2025-10-28-raising-limits.mdx

@@ -5,10 +5,10 @@ _build:
   list: never
 
 name: "Enable ctx.exports"
-sort_date: "2025-09-24"
+sort_date: "2025-11-17"
+enable_date: "2025-11-17"
 enable_flag: "enable_ctx_exports"
+disable_flag: "disable_ctx_exports"
 ---
 
 This flag enables [the `ctx.exports` API](/workers/runtime-apis/context/#exports), which contains automatically-configured loopback bindings for your Worker's top-level exports. This allows you to skip configuring explicit bindings for your `WorkerEntrypoint`s and Durable Object namespaces defined in the same Worker.
-
-We may change this API to be enabled by default in the future (regardless of compat date or flags).