chore(api): update composite API spec

Author: stainless-app[bot]

.stats.yml

@@ -1,4 +1,4 @@
 configured_endpoints: 2020
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-2b935132316d46fe098e11238cf09f7861e29754870e6775c31d53108b357a35.yml
-openapi_spec_hash: 3c786e10f8e2cea0b76e820dbd848eab
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-3bcd5973c2baae10ef49b19c7928b0a5c762f4a6e755f56c2d62c26b54083398.yml
+openapi_spec_hash: df51921c4c4f3e4a9797751252db0538
 config_hash: a4197f3e022bd501a828d1252b76e06e

src/cloudflare/resources/magic_cloud_networking/on_ramps/on_ramps.py

@@ -112,11 +112,10 @@ def create(
         Create a new On-ramp (Closed Beta).
 
         Args:
-          dynamic_routing: if set to true, install_routes_in_cloud and install_routes_in_magic_wan should
-              be set to false
+          dynamic_routing: Enables BGP routing. When enabling this feature, set both
+              install_routes_in_cloud and install_routes_in_magic_wan to false.
 
-          cloud_asn: the ASN to use on the cloud side. If unset or zero, the cloud's default will be
-              used.
+          cloud_asn: Sets the cloud-side ASN. If unset or zero, the cloud's default ASN takes effect.
 
           extra_headers: Send extra headers
 
@@ -608,11 +607,10 @@ async def create(
         Create a new On-ramp (Closed Beta).
 
         Args:
-          dynamic_routing: if set to true, install_routes_in_cloud and install_routes_in_magic_wan should
-              be set to false
+          dynamic_routing: Enables BGP routing. When enabling this feature, set both
+              install_routes_in_cloud and install_routes_in_magic_wan to false.
 
-          cloud_asn: the ASN to use on the cloud side. If unset or zero, the cloud's default will be
-              used.
+          cloud_asn: Sets the cloud-side ASN. If unset or zero, the cloud's default ASN takes effect.
 
           extra_headers: Send extra headers
 

src/cloudflare/resources/origin_ca_certificates.py

@@ -71,8 +71,14 @@ def create(
         Args:
           csr: The Certificate Signing Request (CSR). Must be newline-encoded.
 
-          hostnames: Array of hostnames or wildcard names (e.g., \\**.example.com) bound to the
-              certificate.
+          hostnames: Array of hostnames or wildcard names bound to the certificate. Hostnames must be
+              fully qualified domain names (FQDNs) belonging to zones on your account (e.g.,
+              `example.com` or `sub.example.com`). Wildcards are supported only as a `*.`
+              prefix for a single level (e.g., `*.example.com`). Double wildcards
+              (`*.*.example.com`) and interior wildcards (`foo.*.example.com`) are not
+              allowed. The wildcard suffix must be a multi-label domain (`*.example.com` is
+              valid, but `*.com` is not). Unicode/IDN hostnames are accepted and automatically
+              converted to punycode.
 
           request_type: Signature type desired on certificate ("origin-rsa" (rsa), "origin-ecc" (ecdsa),
               or "keyless-certificate" (for Keyless SSL servers).
@@ -299,8 +305,14 @@ async def create(
         Args:
           csr: The Certificate Signing Request (CSR). Must be newline-encoded.
 
-          hostnames: Array of hostnames or wildcard names (e.g., \\**.example.com) bound to the
-              certificate.
+          hostnames: Array of hostnames or wildcard names bound to the certificate. Hostnames must be
+              fully qualified domain names (FQDNs) belonging to zones on your account (e.g.,
+              `example.com` or `sub.example.com`). Wildcards are supported only as a `*.`
+              prefix for a single level (e.g., `*.example.com`). Double wildcards
+              (`*.*.example.com`) and interior wildcards (`foo.*.example.com`) are not
+              allowed. The wildcard suffix must be a multi-label domain (`*.example.com` is
+              valid, but `*.com` is not). Unicode/IDN hostnames are accepted and automatically
+              converted to punycode.
 
           request_type: Signature type desired on certificate ("origin-rsa" (rsa), "origin-ecc" (ecdsa),
               or "keyless-certificate" (for Keyless SSL servers).

src/cloudflare/resources/zero_trust/dlp/payload_logs.py

@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 from typing import Type, Optional, cast
+from typing_extensions import Literal
 
 import httpx
 
@@ -49,6 +50,7 @@ def update(
         self,
         *,
         account_id: str,
+        masking_level: Literal["full", "partial", "clear", "default"] | Omit = omit,
         public_key: Optional[str] | Omit = omit,
         # Use the following arguments if you need to pass additional parameters to the API that aren't available via kwargs.
         # The extra values given here take precedence over values defined on the client or passed to this method.
@@ -61,6 +63,27 @@ def update(
         Set payload log settings
 
         Args:
+          masking_level: Masking level for payload logs.
+
+              - `full`: The entire payload is masked.
+              - `partial`: Only partial payload content is masked.
+              - `clear`: No masking is applied to the payload content.
+              - `default`: DLP uses its default masking behavior.
+
+          public_key: Base64-encoded public key for encrypting payload logs.
+
+              - Set to null or empty string to disable payload logging.
+              - Set to a non-empty base64 string to enable payload logging with the given key.
+
+              For customers with configurable payload masking feature rolled out:
+
+              - If the field is missing, the existing setting will be kept. Note that this is
+                different from setting to null or empty string.
+
+              For all other customers:
+
+              - If the field is missing, the existing setting will be cleared.
+
           extra_headers: Send extra headers
 
           extra_query: Add additional query parameters to the request
@@ -73,7 +96,13 @@ def update(
             raise ValueError(f"Expected a non-empty value for `account_id` but received {account_id!r}")
         return self._put(
             f"/accounts/{account_id}/dlp/payload_log",
-            body=maybe_transform({"public_key": public_key}, payload_log_update_params.PayloadLogUpdateParams),
+            body=maybe_transform(
+                {
+                    "masking_level": masking_level,
+                    "public_key": public_key,
+                },
+                payload_log_update_params.PayloadLogUpdateParams,
+            ),
             options=make_request_options(
                 extra_headers=extra_headers,
                 extra_query=extra_query,
@@ -146,6 +175,7 @@ async def update(
         self,
         *,
         account_id: str,
+        masking_level: Literal["full", "partial", "clear", "default"] | Omit = omit,
         public_key: Optional[str] | Omit = omit,
         # Use the following arguments if you need to pass additional parameters to the API that aren't available via kwargs.
         # The extra values given here take precedence over values defined on the client or passed to this method.
@@ -158,6 +188,27 @@ async def update(
         Set payload log settings
 
         Args:
+          masking_level: Masking level for payload logs.
+
+              - `full`: The entire payload is masked.
+              - `partial`: Only partial payload content is masked.
+              - `clear`: No masking is applied to the payload content.
+              - `default`: DLP uses its default masking behavior.
+
+          public_key: Base64-encoded public key for encrypting payload logs.
+
+              - Set to null or empty string to disable payload logging.
+              - Set to a non-empty base64 string to enable payload logging with the given key.
+
+              For customers with configurable payload masking feature rolled out:
+
+              - If the field is missing, the existing setting will be kept. Note that this is
+                different from setting to null or empty string.
+
+              For all other customers:
+
+              - If the field is missing, the existing setting will be cleared.
+
           extra_headers: Send extra headers
 
           extra_query: Add additional query parameters to the request
@@ -171,7 +222,11 @@ async def update(
         return await self._put(
             f"/accounts/{account_id}/dlp/payload_log",
             body=await async_maybe_transform(
-                {"public_key": public_key}, payload_log_update_params.PayloadLogUpdateParams
+                {
+                    "masking_level": masking_level,
+                    "public_key": public_key,
+                },
+                payload_log_update_params.PayloadLogUpdateParams,
             ),
             options=make_request_options(
                 extra_headers=extra_headers,

src/cloudflare/types/magic_cloud_networking/on_ramp_create_params.py

@@ -15,9 +15,10 @@ class OnRampCreateParams(TypedDict, total=False):
     cloud_type: Required[Literal["AWS", "AZURE", "GOOGLE"]]
 
     dynamic_routing: Required[bool]
-    """
-    if set to true, install_routes_in_cloud and install_routes_in_magic_wan should
-    be set to false
+    """Enables BGP routing.
+
+    When enabling this feature, set both install_routes_in_cloud and
+    install_routes_in_magic_wan to false.
     """
 
     install_routes_in_cloud: Required[bool]
@@ -35,9 +36,9 @@ class OnRampCreateParams(TypedDict, total=False):
     attached_vpcs: SequenceNotStr[str]
 
     cloud_asn: int
-    """the ASN to use on the cloud side.
+    """Sets the cloud-side ASN.
 
-    If unset or zero, the cloud's default will be used.
+    If unset or zero, the cloud's default ASN takes effect.
     """
 
     description: str

src/cloudflare/types/origin_ca_certificates/origin_ca_certificate.py

@@ -15,8 +15,14 @@ class OriginCACertificate(BaseModel):
 
     hostnames: List[str]
     """
-    Array of hostnames or wildcard names (e.g., \\**.example.com) bound to the
-    certificate.
+    Array of hostnames or wildcard names bound to the certificate. Hostnames must be
+    fully qualified domain names (FQDNs) belonging to zones on your account (e.g.,
+    `example.com` or `sub.example.com`). Wildcards are supported only as a `*.`
+    prefix for a single level (e.g., `*.example.com`). Double wildcards
+    (`*.*.example.com`) and interior wildcards (`foo.*.example.com`) are not
+    allowed. The wildcard suffix must be a multi-label domain (`*.example.com` is
+    valid, but `*.com` is not). Unicode/IDN hostnames are accepted and automatically
+    converted to punycode.
     """
 
     request_type: CertificateRequestType

src/cloudflare/types/origin_ca_certificates/origin_ca_certificate_create_params.py

@@ -17,8 +17,14 @@ class OriginCACertificateCreateParams(TypedDict, total=False):
 
     hostnames: Required[SequenceNotStr[str]]
     """
-    Array of hostnames or wildcard names (e.g., \\**.example.com) bound to the
-    certificate.
+    Array of hostnames or wildcard names bound to the certificate. Hostnames must be
+    fully qualified domain names (FQDNs) belonging to zones on your account (e.g.,
+    `example.com` or `sub.example.com`). Wildcards are supported only as a `*.`
+    prefix for a single level (e.g., `*.example.com`). Double wildcards
+    (`*.*.example.com`) and interior wildcards (`foo.*.example.com`) are not
+    allowed. The wildcard suffix must be a multi-label domain (`*.example.com` is
+    valid, but `*.com` is not). Unicode/IDN hostnames are accepted and automatically
+    converted to punycode.
     """
 
     request_type: Required[CertificateRequestType]

src/cloudflare/types/zero_trust/dlp/payload_log_get_response.py

@@ -2,13 +2,27 @@
 
 from typing import Optional
 from datetime import datetime
+from typing_extensions import Literal
 
 from ...._models import BaseModel
 
 __all__ = ["PayloadLogGetResponse"]
 
 
 class PayloadLogGetResponse(BaseModel):
+    masking_level: Literal["full", "partial", "clear", "default"]
+    """Masking level for payload logs.
+
+    - `full`: The entire payload is masked.
+    - `partial`: Only partial payload content is masked.
+    - `clear`: No masking is applied to the payload content.
+    - `default`: DLP uses its default masking behavior.
+    """
+
     updated_at: datetime
 
     public_key: Optional[str] = None
+    """Base64-encoded public key for encrypting payload logs.
+
+    Null when payload logging is disabled.
+    """

src/cloudflare/types/zero_trust/dlp/payload_log_update_params.py

@@ -3,12 +3,35 @@
 from __future__ import annotations
 
 from typing import Optional
-from typing_extensions import Required, TypedDict
+from typing_extensions import Literal, Required, TypedDict
 
 __all__ = ["PayloadLogUpdateParams"]
 
 
 class PayloadLogUpdateParams(TypedDict, total=False):
     account_id: Required[str]
 
+    masking_level: Literal["full", "partial", "clear", "default"]
+    """Masking level for payload logs.
+
+    - `full`: The entire payload is masked.
+    - `partial`: Only partial payload content is masked.
+    - `clear`: No masking is applied to the payload content.
+    - `default`: DLP uses its default masking behavior.
+    """
+
     public_key: Optional[str]
+    """Base64-encoded public key for encrypting payload logs.
+
+    - Set to null or empty string to disable payload logging.
+    - Set to a non-empty base64 string to enable payload logging with the given key.
+
+    For customers with configurable payload masking feature rolled out:
+
+    - If the field is missing, the existing setting will be kept. Note that this is
+      different from setting to null or empty string.
+
+    For all other customers:
+
+    - If the field is missing, the existing setting will be cleared.
+    """

src/cloudflare/types/zero_trust/dlp/payload_log_update_response.py

@@ -2,13 +2,27 @@
 
 from typing import Optional
 from datetime import datetime
+from typing_extensions import Literal
 
 from ...._models import BaseModel
 
 __all__ = ["PayloadLogUpdateResponse"]
 
 
 class PayloadLogUpdateResponse(BaseModel):
+    masking_level: Literal["full", "partial", "clear", "default"]
+    """Masking level for payload logs.
+
+    - `full`: The entire payload is masked.
+    - `partial`: Only partial payload content is masked.
+    - `clear`: No masking is applied to the payload content.
+    - `default`: DLP uses its default masking behavior.
+    """
+
     updated_at: datetime
 
     public_key: Optional[str] = None
+    """Base64-encoded public key for encrypting payload logs.
+
+    Null when payload logging is disabled.
+    """