chore(api): update composite API spec

Author: stainless-app[bot]

.stats.yml

@@ -1,4 +1,4 @@
 configured_endpoints: 2028
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-2b935132316d46fe098e11238cf09f7861e29754870e6775c31d53108b357a35.yml
-openapi_spec_hash: 3c786e10f8e2cea0b76e820dbd848eab
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-3bcd5973c2baae10ef49b19c7928b0a5c762f4a6e755f56c2d62c26b54083398.yml
+openapi_spec_hash: df51921c4c4f3e4a9797751252db0538
 config_hash: a4197f3e022bd501a828d1252b76e06e

magic_cloud_networking/onramp.go

@@ -20478,8 +20478,8 @@ func (r onRampPlanResponseMessagesSourceJSON) RawJSON() string {
 type OnRampNewParams struct {
 	AccountID param.Field[string]                   `path:"account_id,required"`
 	CloudType param.Field[OnRampNewParamsCloudType] `json:"cloud_type,required"`
-	// if set to true, install_routes_in_cloud and install_routes_in_magic_wan should
-	// be set to false
+	// Enables BGP routing. When enabling this feature, set both
+	// install_routes_in_cloud and install_routes_in_magic_wan to false.
 	DynamicRouting          param.Field[bool]                `json:"dynamic_routing,required"`
 	InstallRoutesInCloud    param.Field[bool]                `json:"install_routes_in_cloud,required"`
 	InstallRoutesInMagicWAN param.Field[bool]                `json:"install_routes_in_magic_wan,required"`
@@ -20488,8 +20488,7 @@ type OnRampNewParams struct {
 	AdoptedHubID            param.Field[string]              `json:"adopted_hub_id" format:"uuid"`
 	AttachedHubs            param.Field[[]string]            `json:"attached_hubs" format:"uuid"`
 	AttachedVPCs            param.Field[[]string]            `json:"attached_vpcs" format:"uuid"`
-	// the ASN to use on the cloud side. If unset or zero, the cloud's default will be
-	// used.
+	// Sets the cloud-side ASN. If unset or zero, the cloud's default ASN takes effect.
 	CloudASN                  param.Field[int64]  `json:"cloud_asn"`
 	Description               param.Field[string] `json:"description"`
 	HubProviderID             param.Field[string] `json:"hub_provider_id" format:"uuid"`

origin_ca_certificates/origincacertificate.go

@@ -122,8 +122,14 @@ func (r *OriginCACertificateService) Get(ctx context.Context, certificateID stri
 type OriginCACertificate struct {
 	// The Certificate Signing Request (CSR). Must be newline-encoded.
 	Csr string `json:"csr,required"`
-	// Array of hostnames or wildcard names (e.g., \*.example.com) bound to the
-	// certificate.
+	// Array of hostnames or wildcard names bound to the certificate. Hostnames must be
+	// fully qualified domain names (FQDNs) belonging to zones on your account (e.g.,
+	// `example.com` or `sub.example.com`). Wildcards are supported only as a `*.`
+	// prefix for a single level (e.g., `*.example.com`). Double wildcards
+	// (`*.*.example.com`) and interior wildcards (`foo.*.example.com`) are not
+	// allowed. The wildcard suffix must be a multi-label domain (`*.example.com` is
+	// valid, but `*.com` is not). Unicode/IDN hostnames are accepted and automatically
+	// converted to punycode.
 	Hostnames []string `json:"hostnames,required"`
 	// Signature type desired on certificate ("origin-rsa" (rsa), "origin-ecc" (ecdsa),
 	// or "keyless-certificate" (for Keyless SSL servers).
@@ -189,8 +195,14 @@ func (r originCACertificateDeleteResponseJSON) RawJSON() string {
 type OriginCACertificateNewParams struct {
 	// The Certificate Signing Request (CSR). Must be newline-encoded.
 	Csr param.Field[string] `json:"csr,required"`
-	// Array of hostnames or wildcard names (e.g., \*.example.com) bound to the
-	// certificate.
+	// Array of hostnames or wildcard names bound to the certificate. Hostnames must be
+	// fully qualified domain names (FQDNs) belonging to zones on your account (e.g.,
+	// `example.com` or `sub.example.com`). Wildcards are supported only as a `*.`
+	// prefix for a single level (e.g., `*.example.com`). Double wildcards
+	// (`*.*.example.com`) and interior wildcards (`foo.*.example.com`) are not
+	// allowed. The wildcard suffix must be a multi-label domain (`*.example.com` is
+	// valid, but `*.com` is not). Unicode/IDN hostnames are accepted and automatically
+	// converted to punycode.
 	Hostnames param.Field[[]string] `json:"hostnames,required"`
 	// Signature type desired on certificate ("origin-rsa" (rsa), "origin-ecc" (ecdsa),
 	// or "keyless-certificate" (for Keyless SSL servers).

origin_ca_certificates/origincacertificate_test.go

@@ -32,7 +32,7 @@ func TestOriginCACertificateNewWithOptionalParams(t *testing.T) {
 	)
 	_, err := client.OriginCACertificates.New(context.TODO(), origin_ca_certificates.OriginCACertificateNewParams{
 		Csr:               cloudflare.F("-----BEGIN CERTIFICATE REQUEST-----\nMIICxzCCAa8CAQAwSDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lz\nY28xCzAJBgNVBAcTAkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALxejtu4b+jPdFeFi6OUsye8TYJQBm3WfCvL\nHu5EvijMO/4Z2TImwASbwUF7Ir8OLgH+mGlQZeqyNvGoSOMEaZVXcYfpR1hlVak8\n4GGVr+04IGfOCqaBokaBFIwzclGZbzKmLGwIQioNxGfqFm6RGYGA3be2Je2iseBc\nN8GV1wYmvYE0RR+yWweJCTJ157exyRzu7sVxaEW9F87zBQLyOnwXc64rflXslRqi\ng7F7w5IaQYOl8yvmk/jEPCAha7fkiUfEpj4N12+oPRiMvleJF98chxjD4MH39c5I\nuOslULhrWunfh7GB1jwWNA9y44H0snrf+xvoy2TcHmxvma9Eln8CAwEAAaA6MDgG\nCSqGSIb3DQEJDjErMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5uZXSCD3d3dy5leGFt\ncGxlLm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAcBaX6dOnI8ncARrI9ZSF2AJX+8mx\npTHY2+Y2C0VvrVDGMtbBRH8R9yMbqWtlxeeNGf//LeMkSKSFa4kbpdx226lfui8/\nauRDBTJGx2R1ccUxmLZXx4my0W5iIMxunu+kez+BDlu7bTT2io0uXMRHue4i6quH\nyc5ibxvbJMjR7dqbcanVE10/34oprzXQsJ/VmSuZNXtjbtSKDlmcpw6To/eeAJ+J\nhXykcUihvHyG4A1m2R6qpANBjnA0pHexfwM/SgfzvpbvUg0T1ubmer8BgTwCKIWs\ndcWYTthM51JIqRBfNqy4QcBnX+GY05yltEEswQI55wdiS3CjTTA67sdbcQ==\n-----END CERTIFICATE REQUEST-----"),
-		Hostnames:         cloudflare.F([]string{"example.com", "*.example.com"}),
+		Hostnames:         cloudflare.F([]string{"example.com", "*.example.com", "sub.example.com"}),
 		RequestType:       cloudflare.F(shared.CertificateRequestTypeOriginRSA),
 		RequestedValidity: cloudflare.F(ssl.RequestValidity5475),
 	})

zero_trust/dlppayloadlog.go

@@ -70,18 +70,28 @@ func (r *DLPPayloadLogService) Get(ctx context.Context, query DLPPayloadLogGetPa
 }
 
 type DLPPayloadLogUpdateResponse struct {
-	UpdatedAt time.Time                       `json:"updated_at,required" format:"date-time"`
+	// Masking level for payload logs.
+	//
+	// - `full`: The entire payload is masked.
+	// - `partial`: Only partial payload content is masked.
+	// - `clear`: No masking is applied to the payload content.
+	// - `default`: DLP uses its default masking behavior.
+	MaskingLevel DLPPayloadLogUpdateResponseMaskingLevel `json:"masking_level,required"`
+	UpdatedAt    time.Time                               `json:"updated_at,required" format:"date-time"`
+	// Base64-encoded public key for encrypting payload logs. Null when payload logging
+	// is disabled.
 	PublicKey string                          `json:"public_key,nullable"`
 	JSON      dlpPayloadLogUpdateResponseJSON `json:"-"`
 }
 
 // dlpPayloadLogUpdateResponseJSON contains the JSON metadata for the struct
 // [DLPPayloadLogUpdateResponse]
 type dlpPayloadLogUpdateResponseJSON struct {
-	UpdatedAt   apijson.Field
-	PublicKey   apijson.Field
-	raw         string
-	ExtraFields map[string]apijson.Field
+	MaskingLevel apijson.Field
+	UpdatedAt    apijson.Field
+	PublicKey    apijson.Field
+	raw          string
+	ExtraFields  map[string]apijson.Field
 }
 
 func (r *DLPPayloadLogUpdateResponse) UnmarshalJSON(data []byte) (err error) {
@@ -92,19 +102,52 @@ func (r dlpPayloadLogUpdateResponseJSON) RawJSON() string {
 	return r.raw
 }
 
+// Masking level for payload logs.
+//
+// - `full`: The entire payload is masked.
+// - `partial`: Only partial payload content is masked.
+// - `clear`: No masking is applied to the payload content.
+// - `default`: DLP uses its default masking behavior.
+type DLPPayloadLogUpdateResponseMaskingLevel string
+
+const (
+	DLPPayloadLogUpdateResponseMaskingLevelFull    DLPPayloadLogUpdateResponseMaskingLevel = "full"
+	DLPPayloadLogUpdateResponseMaskingLevelPartial DLPPayloadLogUpdateResponseMaskingLevel = "partial"
+	DLPPayloadLogUpdateResponseMaskingLevelClear   DLPPayloadLogUpdateResponseMaskingLevel = "clear"
+	DLPPayloadLogUpdateResponseMaskingLevelDefault DLPPayloadLogUpdateResponseMaskingLevel = "default"
+)
+
+func (r DLPPayloadLogUpdateResponseMaskingLevel) IsKnown() bool {
+	switch r {
+	case DLPPayloadLogUpdateResponseMaskingLevelFull, DLPPayloadLogUpdateResponseMaskingLevelPartial, DLPPayloadLogUpdateResponseMaskingLevelClear, DLPPayloadLogUpdateResponseMaskingLevelDefault:
+		return true
+	}
+	return false
+}
+
 type DLPPayloadLogGetResponse struct {
-	UpdatedAt time.Time                    `json:"updated_at,required" format:"date-time"`
+	// Masking level for payload logs.
+	//
+	// - `full`: The entire payload is masked.
+	// - `partial`: Only partial payload content is masked.
+	// - `clear`: No masking is applied to the payload content.
+	// - `default`: DLP uses its default masking behavior.
+	MaskingLevel DLPPayloadLogGetResponseMaskingLevel `json:"masking_level,required"`
+	UpdatedAt    time.Time                            `json:"updated_at,required" format:"date-time"`
+	// Base64-encoded public key for encrypting payload logs. Null when payload logging
+	// is disabled.
 	PublicKey string                       `json:"public_key,nullable"`
 	JSON      dlpPayloadLogGetResponseJSON `json:"-"`
 }
 
 // dlpPayloadLogGetResponseJSON contains the JSON metadata for the struct
 // [DLPPayloadLogGetResponse]
 type dlpPayloadLogGetResponseJSON struct {
-	UpdatedAt   apijson.Field
-	PublicKey   apijson.Field
-	raw         string
-	ExtraFields map[string]apijson.Field
+	MaskingLevel apijson.Field
+	UpdatedAt    apijson.Field
+	PublicKey    apijson.Field
+	raw          string
+	ExtraFields  map[string]apijson.Field
 }
 
 func (r *DLPPayloadLogGetResponse) UnmarshalJSON(data []byte) (err error) {
@@ -115,15 +158,81 @@ func (r dlpPayloadLogGetResponseJSON) RawJSON() string {
 	return r.raw
 }
 
+// Masking level for payload logs.
+//
+// - `full`: The entire payload is masked.
+// - `partial`: Only partial payload content is masked.
+// - `clear`: No masking is applied to the payload content.
+// - `default`: DLP uses its default masking behavior.
+type DLPPayloadLogGetResponseMaskingLevel string
+
+const (
+	DLPPayloadLogGetResponseMaskingLevelFull    DLPPayloadLogGetResponseMaskingLevel = "full"
+	DLPPayloadLogGetResponseMaskingLevelPartial DLPPayloadLogGetResponseMaskingLevel = "partial"
+	DLPPayloadLogGetResponseMaskingLevelClear   DLPPayloadLogGetResponseMaskingLevel = "clear"
+	DLPPayloadLogGetResponseMaskingLevelDefault DLPPayloadLogGetResponseMaskingLevel = "default"
+)
+
+func (r DLPPayloadLogGetResponseMaskingLevel) IsKnown() bool {
+	switch r {
+	case DLPPayloadLogGetResponseMaskingLevelFull, DLPPayloadLogGetResponseMaskingLevelPartial, DLPPayloadLogGetResponseMaskingLevelClear, DLPPayloadLogGetResponseMaskingLevelDefault:
+		return true
+	}
+	return false
+}
+
 type DLPPayloadLogUpdateParams struct {
 	AccountID param.Field[string] `path:"account_id,required"`
+	// Masking level for payload logs.
+	//
+	// - `full`: The entire payload is masked.
+	// - `partial`: Only partial payload content is masked.
+	// - `clear`: No masking is applied to the payload content.
+	// - `default`: DLP uses its default masking behavior.
+	MaskingLevel param.Field[DLPPayloadLogUpdateParamsMaskingLevel] `json:"masking_level"`
+	// Base64-encoded public key for encrypting payload logs.
+	//
+	// - Set to null or empty string to disable payload logging.
+	// - Set to a non-empty base64 string to enable payload logging with the given key.
+	//
+	// For customers with configurable payload masking feature rolled out:
+	//
+	//   - If the field is missing, the existing setting will be kept. Note that this is
+	//     different from setting to null or empty string.
+	//
+	// For all other customers:
+	//
+	// - If the field is missing, the existing setting will be cleared.
 	PublicKey param.Field[string] `json:"public_key"`
 }
 
 func (r DLPPayloadLogUpdateParams) MarshalJSON() (data []byte, err error) {
 	return apijson.MarshalRoot(r)
 }
 
+// Masking level for payload logs.
+//
+// - `full`: The entire payload is masked.
+// - `partial`: Only partial payload content is masked.
+// - `clear`: No masking is applied to the payload content.
+// - `default`: DLP uses its default masking behavior.
+type DLPPayloadLogUpdateParamsMaskingLevel string
+
+const (
+	DLPPayloadLogUpdateParamsMaskingLevelFull    DLPPayloadLogUpdateParamsMaskingLevel = "full"
+	DLPPayloadLogUpdateParamsMaskingLevelPartial DLPPayloadLogUpdateParamsMaskingLevel = "partial"
+	DLPPayloadLogUpdateParamsMaskingLevelClear   DLPPayloadLogUpdateParamsMaskingLevel = "clear"
+	DLPPayloadLogUpdateParamsMaskingLevelDefault DLPPayloadLogUpdateParamsMaskingLevel = "default"
+)
+
+func (r DLPPayloadLogUpdateParamsMaskingLevel) IsKnown() bool {
+	switch r {
+	case DLPPayloadLogUpdateParamsMaskingLevelFull, DLPPayloadLogUpdateParamsMaskingLevelPartial, DLPPayloadLogUpdateParamsMaskingLevelClear, DLPPayloadLogUpdateParamsMaskingLevelDefault:
+		return true
+	}
+	return false
+}
+
 type DLPPayloadLogUpdateResponseEnvelope struct {
 	Errors   []DLPPayloadLogUpdateResponseEnvelopeErrors   `json:"errors,required"`
 	Messages []DLPPayloadLogUpdateResponseEnvelopeMessages `json:"messages,required"`

zero_trust/dlppayloadlog_test.go

@@ -28,8 +28,9 @@ func TestDLPPayloadLogUpdateWithOptionalParams(t *testing.T) {
 		option.WithAPIEmail("user@example.com"),
 	)
 	_, err := client.ZeroTrust.DLP.PayloadLogs.Update(context.TODO(), zero_trust.DLPPayloadLogUpdateParams{
-		AccountID: cloudflare.F("account_id"),
-		PublicKey: cloudflare.F("public_key"),
+		AccountID:    cloudflare.F("account_id"),
+		MaskingLevel: cloudflare.F(zero_trust.DLPPayloadLogUpdateParamsMaskingLevelFull),
+		PublicKey:    cloudflare.F("public_key"),
 	})
 	if err != nil {
 		var apierr *cloudflare.Error