Merge production into device-to-device branch

Resolve conflict in replace-vpn index.mdx: keep both the device-to-device
card (from this branch) and the network-to-network card (from production).

Author: codyanthony850

.github/CODEOWNERS

@@ -20,6 +20,7 @@ package.json @cloudflare/content-engineering
 
 # AI
 
+/src/content/docs/cloudflare-agent/ @dmmulroy @Brayden @cloudflare/pcx-technical-writing
 /src/content/docs/agents/ @irvinebroque @rita3ko @elithrar @thomasgauvin @threepointone @whoiskatrin @cloudflare/pcx-technical-writing @cloudflare/ai-agents @cloudflare/dev-plat-leads
 /src/content/partials/agents/ @elithrar @rita3ko @irvinebroque @vy-ton @cloudflare/pcx-technical-writing
 /src/content/docs/ai-gateway/ @abhishekkankani @palashgo @thebongy @roerohan @kathayl @mchenco @zeke @superhighfives @bfirsh @mattrothenberg @ethulia @cloudflare/pcx-technical-writing

.github/labeler.yml

@@ -10,6 +10,10 @@ product:agents:
   - changed-files:
       - any-glob-to-any-file:
           - src/content/docs/agents/**
+product:cloudflare-agent:
+  - changed-files:
+      - any-glob-to-any-file:
+          - src/content/docs/cloudflare-agent/**
 product:ai-crawl-control:
   - changed-files:
       - any-glob-to-any-file:

.semgrep/directory-entry-validation.yaml

@@ -0,0 +1,49 @@
+rules:
+  - id: directory-entry-wrong-extension
+    languages: [generic]
+    message: >-
+      Directory entry files must use the .yaml extension, not .yml.
+      Rename this file to use .yaml instead.
+      (add [skip style guide checks] to commit message to skip)
+    severity: MEDIUM
+    paths:
+      include:
+        - "/src/content/directory/*.yml"
+    patterns:
+      # Match the name field — every directory entry has one, so this fires
+      # once per .yml file to flag the wrong extension.
+      - pattern-regex: "^name: "
+
+  - id: directory-entry-missing-id
+    languages: [yaml]
+    message: >-
+      Directory entry is missing a required id field.
+      Run "tools/directory-entry-ids" to generate one automatically.
+      (add [skip style guide checks] to commit message to skip)
+    severity: MEDIUM
+    paths:
+      include:
+        - "/src/content/directory/*.yaml"
+        - "/src/content/directory/*.yml"
+    patterns:
+      - pattern: |
+          name: $NAME
+      - pattern-not-inside: |
+          id: ...
+          ...
+
+  - id: directory-entry-invalid-id
+    languages: [generic]
+    message: >-
+      Directory entry has an invalid id. The id must be exactly 6 characters
+      composed only of: abcdefghijkmnopqrstuvwxyzACDEFGHJKLMNPQRTUVWXY34679.
+      Run "tools/directory-entry-ids" to generate a valid id.
+      (add [skip style guide checks] to commit message to skip)
+    severity: MEDIUM
+    paths:
+      include:
+        - "/src/content/directory/*.yaml"
+        - "/src/content/directory/*.yml"
+    patterns:
+      - pattern-regex: "^id: "
+      - pattern-not-regex: "^id: [abcdefghijkmnopqrstuvwxyzACDEFGHJKLMNPQRTUVWXY34679]{6}$"

package.json

@@ -146,7 +146,7 @@
 		"wrangler": "4.58.0"
 	},
 	"engines": {
-		"npm": "10.9.4",
+		"npm": "10.x",
 		"node": "22.x"
 	},
 	"packageManager": "npm@10.9.4+sha512.3a7506f37e85c1ba1021baad79f0cd9724748131f321fc117c4dc3ba235ec01be7327584a41d15117c01945560aa9373220628fcc1e1dddd877a5fe9b336a900"

public/__redirects

@@ -2248,6 +2248,7 @@
 /cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/ /cloudflare-one/connections/connect-networks/get-started/ 301
 /cloudflare-one/connections/connect-networks/downloads/system-requirements/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements/ 301
 /cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/lb/ /cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/ 301
+/cloudflare-one/networks/routes/ /cloudflare-one/networks/routes/add-routes/ 301
 /cloudflare-one/tutorials/vnc-client-in-browser/ /cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/vnc-browser-rendering/ 301
 /cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/ /cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules 301
 /cloudflare-one/connections/connect-apps/configuration/private-networks/ /cloudflare-one/connections/connect-networks/private-net/ 301
@@ -2559,6 +2560,7 @@
 # WAF
 /waf/managed-rulesets/* /waf/managed-rules/:splat 301
 /waf/custom-rulesets/* /waf/account/custom-rulesets/:splat 301
+/waf/detections/firewall-for-ai/* /waf/detections/ai-security-for-apps/:splat 301
 /waf/exposed-credentials-check/* /waf/managed-rules/check-for-exposed-credentials/:splat 301
 /waf/security-events/* /waf/analytics/security-events/:splat 301
 /waf/change-log/2019-* /waf/change-log/ 301

src/components/SubtractIPCalculator.tsx

@@ -7,23 +7,23 @@ export default function SubtractIPCalculator({
 }: {
 	defaults: {
 		base?: string;
-		exclude?: string[];
+		subtract?: string[];
 	};
 }) {
 	const [base, setBase] = useState(defaults?.base ?? "");
-	const [exclude, setExclude] = useState<string[]>(defaults?.exclude ?? []);
+	const [subtract, setSubtract] = useState<string[]>(defaults?.subtract ?? []);
 
 	const [result, setResult] = useState<string[]>([]);
 
 	function calculate() {
-		setResult(excludeCidr(base, exclude));
+		setResult(excludeCidr(base, subtract));
 		track("interacted with docs calculator", { value: "split ip calculator" });
 	}
 
 	function disableButton() {
 		try {
 			parseCidr(base);
-			exclude.map((cidr) => parseCidr(cidr));
+			subtract.map((cidr) => parseCidr(cidr));
 
 			return false;
 		} catch {
@@ -49,11 +49,11 @@ export default function SubtractIPCalculator({
 					/>
 				</label>
 				<label>
-					<strong>Excluded CIDRs: </strong>
+					<strong>Subtracted CIDRs: </strong>
 					<input
 						type="text"
-						value={exclude}
-						onChange={(e) => setExclude(e.target.value.split(","))}
+						value={subtract}
+						onChange={(e) => setSubtract(e.target.value.split(","))}
 					/>
 				</label>
 			</div>

src/content/changelog/access/2026-02-17-clientless-access-for-private-apps.mdx

@@ -10,7 +10,7 @@ A new **Allow clientless access** setting makes it easier to connect users witho
 
 ![Allow clientless access setting in the Cloudflare One dashboard](~/assets/images/changelog/access/allow-clientless-access.png)
 
-Previously, to provide clientless access to a private hostname or IP without a [published application](/cloudflare-one/networks/routes/#add-a-published-application-route), you had to create a separate [bookmark application](/cloudflare-one/access-controls/applications/bookmarks/) pointing to a prefixed [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) URL (for example, `https://<your-teamname>.cloudflareaccess.com/browser/https://10.0.0.1/`). This bookmark was visible to all users in the App Launcher, regardless of whether they had access to the underlying application.
+Previously, to provide clientless access to a private hostname or IP without a [published application](/cloudflare-one/networks/routes/add-routes/#add-a-published-application-route), you had to create a separate [bookmark application](/cloudflare-one/access-controls/applications/bookmarks/) pointing to a prefixed [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) URL (for example, `https://<your-teamname>.cloudflareaccess.com/browser/https://10.0.0.1/`). This bookmark was visible to all users in the App Launcher, regardless of whether they had access to the underlying application.
 
 Now, you can manage clientless access directly within your [private self-hosted application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). When  **Allow clientless access** is turned on, users who pass your Access application policies will see a tile in their App Launcher pointing to the prefixed URL. Users must have [remote browser permissions](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) to open the link.
 

src/content/changelog/api-shield/2026-03-09-vulnerability-scanner.mdx

@@ -0,0 +1,17 @@
+---
+title: New Vulnerability Scanner for API Shield
+description: Detect Broken Object Level Authorization (BOLA) vulnerabilities in your APIs using the new Vulnerability Scanner.
+date: 2026-03-09
+---
+
+Introducing Cloudflare's Web and API Vulnerability Scanner (Open Beta)
+
+Cloudflare is launching the [Open Beta of the **Web and API Vulnerability Scanner**](https://blog.cloudflare.com/vulnerability-scanner) for all [API Shield](/api-shield/) customers. This new, stateful Dynamic Application Security Testing (DAST) platform helps teams proactively find logic flaws in their APIs.
+
+The initial release focuses on detecting Broken Object Level Authorization (BOLA) vulnerabilities by building API call graphs to simulate attacker and owner contexts, then testing these contexts by sending real HTTP requests to your APIs.
+
+The scanner is now available via the Cloudflare API. To scan, set up your target environment, owner and attacker credentials, and upload your OpenAPI file with response schemas. The scanner will be available in the Cloudflare dashboard in a future release. 
+
+**Access**: This feature is only available to API Shield subscribers via the Cloudflare API. We hope you will use the API for programmatic integration into your CI/CD pipelines and security dashboards.
+
+**Documentation**: Refer to the [developer documentation](/api-shield/security/vulnerability-scanner/) to start scanning your endpoints today.

src/content/changelog/browser-rendering/2026-03-10-br-crawl-endpoint.mdx

@@ -6,7 +6,9 @@ products:
 date: 2026-03-10
 ---
 
-You can now crawl an entire website with a single API call using [Browser Rendering](/browser-rendering/)'s new [`/crawl` endpoint](/browser-rendering/rest-api/crawl-endpoint/), available in open beta. Submit a starting URL, and pages are automatically discovered, rendered in a headless browser, and returned in multiple formats, including HTML, Markdown, and structured JSON. This is great for training models, building RAG pipelines, and researching or monitoring content across a site.
+_Edit: this post has been edited to clarify crawling behavior with respect to site guidance._
+
+You can now crawl an entire website with a single API call using [Browser Rendering](/browser-rendering/)'s new [`/crawl` endpoint](/browser-rendering/rest-api/crawl-endpoint/), available in open beta. Submit a starting URL, and pages are automatically discovered, rendered in a headless browser, and returned in multiple formats, including HTML, Markdown, and structured JSON. The endpoint is a [signed-agent](https://developers.cloudflare.com/bots/concepts/bot/signed-agents/) that respects robots.txt and [AI Crawl Control](https://www.cloudflare.com/ai-crawl-control/) by default, making it easy for developers to comply with website rules, and making it less likely for crawlers to ignore web-owner guidance. This is great for training models, building RAG pipelines, and researching or monitoring content across a site.
 
 Crawl jobs run asynchronously. You submit a URL, receive a job ID, and check back for results as pages are processed.
 
@@ -33,7 +35,9 @@ Key features:
 - **Static mode** - Set `render: false` to fetch static HTML without spinning up a browser, for faster crawling of static sites
 - **Well-behaved bot** - Honors `robots.txt` directives, including `crawl-delay`
 
-Available on both the Workers Free and Paid plans.
+Available on both the Workers Free and Paid plans. 
+
+**Note**: the /crawl endpoint cannot bypass Cloudflare bot detection or captchas, and self-identifies as a bot.
 
 To get started, refer to the [crawl endpoint documentation](/browser-rendering/rest-api/crawl-endpoint/). 
 If you are setting up your own site to be crawled, review the [robots.txt and sitemaps best practices](/browser-rendering/reference/robots-txt/).

src/content/changelog/fundamentals/2026-03-11-json-rfc9457-responses-for-1xxx-errors.mdx

@@ -0,0 +1,61 @@
+---
+title: JSON responses and RFC 9457 support for Cloudflare 1xxx errors
+description: "Cloudflare-generated 1xxx errors now return structured JSON when requested with 'Accept: application/json' or 'Accept: application/problem+json', following RFC 9457 (Problem Details for HTTP APIs)."
+products:
+  - fundamentals
+date: 2026-03-11
+---
+
+Cloudflare-generated 1xxx errors now return structured JSON when clients send `Accept: application/json` or `Accept: application/problem+json`. JSON responses follow [RFC 9457 (Problem Details for HTTP APIs)](https://www.rfc-editor.org/rfc/rfc9457), so any HTTP client that understands Problem Details can parse the base members without Cloudflare-specific code.
+
+## Breaking change
+
+The Markdown frontmatter field `http_status` has been renamed to `status`. Agents consuming Markdown frontmatter should update parsers accordingly.
+
+## Changes
+
+**JSON format.** Clients sending `Accept: application/json` or `Accept: application/problem+json` now receive a structured JSON object with the same operational fields as Markdown frontmatter, plus RFC 9457 standard members.
+
+**RFC 9457 standard members (JSON only):**
+
+- `type` — URI pointing to Cloudflare documentation for the specific error code
+- `status` — HTTP status code (matching the response status)
+- `title` — short, human-readable summary
+- `detail` — human-readable explanation specific to this occurrence
+- `instance` — Ray ID identifying this specific error occurrence
+
+**Field renames:**
+
+- `http_status` -> `status` (JSON and Markdown)
+- `what_happened` -> `detail` (JSON only — Markdown prose sections are unchanged)
+
+**Content-Type mirroring.** Clients sending `Accept: application/problem+json` receive `Content-Type: application/problem+json; charset=utf-8` back; `Accept: application/json` receives `application/json; charset=utf-8`. Same body in both cases.
+
+## Negotiation behavior
+
+| Request header sent                             | Response format                                |
+| ----------------------------------------------- | ---------------------------------------------- |
+| `Accept: application/json`                      | JSON (`application/json` content type)         |
+| `Accept: application/problem+json`              | JSON (`application/problem+json` content type) |
+| `Accept: application/json, text/markdown;q=0.9` | JSON                                           |
+| `Accept: text/markdown`                         | Markdown                                       |
+| `Accept: text/markdown, application/json`       | Markdown (equal `q`, first-listed wins)        |
+| `Accept: */*`                                   | HTML (default)                                 |
+
+## Availability
+
+Available now for Cloudflare-generated 1xxx errors.
+
+## Get started
+
+```bash
+curl -s --compressed -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/1015" | jq .
+```
+
+```bash
+curl -s --compressed -H "Accept: application/problem+json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/1015" | jq .
+```
+
+References:
+- [RFC 9457 — Problem Details for HTTP APIs](https://www.rfc-editor.org/rfc/rfc9457)
+- [Cloudflare 1xxx error documentation](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/)