feat(api): api update (#2197)

Author: stainless-app[bot]

.stats.yml

@@ -1,2 +1,2 @@
 configured_endpoints: 1451
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-4acaaed718bd08d16e3866d5ad032fbf2bbfeb978df2cf5164edb81fe41e4f89.yml
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-c41d5095ac6ddaaef83c817e3f7a3bbf8d609ee792e4a1f07590fdd6719da1d0.yml

src/cloudflare/resources/zero_trust/access/applications/applications.py

@@ -335,6 +335,10 @@ def revoke_users(
         email: str,
         account_id: str | NotGiven = NOT_GIVEN,
         zone_id: str | NotGiven = NOT_GIVEN,
+        query_devices: bool | NotGiven = NOT_GIVEN,
+        body_devices: bool | NotGiven = NOT_GIVEN,
+        user_uid: str | NotGiven = NOT_GIVEN,
+        warp_session_reauth: bool | NotGiven = NOT_GIVEN,
         # Use the following arguments if you need to pass additional parameters to the API that aren't available via kwargs.
         # The extra values given here take precedence over values defined on the client or passed to this method.
         extra_headers: Headers | None = None,
@@ -352,6 +356,16 @@ def revoke_users(
 
           zone_id: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
 
+          query_devices: When set to `true`, all devices associated with the user will be revoked.
+
+          body_devices: When set to `true`, all devices associated with the user will be revoked.
+
+          user_uid: The uuid of the user to revoke.
+
+          warp_session_reauth: When set to `true`, the user will be required to re-authenticate to WARP for all
+              Gateway policies that enforce a WARP client session duration. When `false`, the
+              user’s WARP session will remain active
+
           extra_headers: Send extra headers
 
           extra_query: Add additional query parameters to the request
@@ -374,12 +388,23 @@ def revoke_users(
             account_or_zone_id = zone_id
         return self._post(
             f"/{account_or_zone}/{account_or_zone_id}/access/organizations/revoke_user",
-            body=maybe_transform({"email": email}, organization_revoke_users_params.OrganizationRevokeUsersParams),
+            body=maybe_transform(
+                {
+                    "email": email,
+                    "body_devices": body_devices,
+                    "user_uid": user_uid,
+                    "warp_session_reauth": warp_session_reauth,
+                },
+                organization_revoke_users_params.OrganizationRevokeUsersParams,
+            ),
             options=make_request_options(
                 extra_headers=extra_headers,
                 extra_query=extra_query,
                 extra_body=extra_body,
                 timeout=timeout,
+                query=maybe_transform(
+                    {"query_devices": query_devices}, organization_revoke_users_params.OrganizationRevokeUsersParams
+                ),
                 post_parser=ResultWrapper[Optional[OrganizationRevokeUsersResponse]]._unwrapper,
             ),
             cast_to=cast(
@@ -682,6 +707,10 @@ async def revoke_users(
         email: str,
         account_id: str | NotGiven = NOT_GIVEN,
         zone_id: str | NotGiven = NOT_GIVEN,
+        query_devices: bool | NotGiven = NOT_GIVEN,
+        body_devices: bool | NotGiven = NOT_GIVEN,
+        user_uid: str | NotGiven = NOT_GIVEN,
+        warp_session_reauth: bool | NotGiven = NOT_GIVEN,
         # Use the following arguments if you need to pass additional parameters to the API that aren't available via kwargs.
         # The extra values given here take precedence over values defined on the client or passed to this method.
         extra_headers: Headers | None = None,
@@ -699,6 +728,16 @@ async def revoke_users(
 
           zone_id: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
 
+          query_devices: When set to `true`, all devices associated with the user will be revoked.
+
+          body_devices: When set to `true`, all devices associated with the user will be revoked.
+
+          user_uid: The uuid of the user to revoke.
+
+          warp_session_reauth: When set to `true`, the user will be required to re-authenticate to WARP for all
+              Gateway policies that enforce a WARP client session duration. When `false`, the
+              user’s WARP session will remain active
+
           extra_headers: Send extra headers
 
           extra_query: Add additional query parameters to the request
@@ -722,13 +761,22 @@ async def revoke_users(
         return await self._post(
             f"/{account_or_zone}/{account_or_zone_id}/access/organizations/revoke_user",
             body=await async_maybe_transform(
-                {"email": email}, organization_revoke_users_params.OrganizationRevokeUsersParams
+                {
+                    "email": email,
+                    "body_devices": body_devices,
+                    "user_uid": user_uid,
+                    "warp_session_reauth": warp_session_reauth,
+                },
+                organization_revoke_users_params.OrganizationRevokeUsersParams,
             ),
             options=make_request_options(
                 extra_headers=extra_headers,
                 extra_query=extra_query,
                 extra_body=extra_body,
                 timeout=timeout,
+                query=await async_maybe_transform(
+                    {"query_devices": query_devices}, organization_revoke_users_params.OrganizationRevokeUsersParams
+                ),
                 post_parser=ResultWrapper[Optional[OrganizationRevokeUsersResponse]]._unwrapper,
             ),
             cast_to=cast(

src/cloudflare/resources/zero_trust/organizations/organizations.py

@@ -22,6 +22,7 @@
 __all__ = [
     "ApplicationCreateParams",
     "SelfHostedApplication",
+    "SelfHostedApplicationDestination",
     "SelfHostedApplicationPolicy",
     "SelfHostedApplicationPolicyAccessAppPolicyLink",
     "SelfHostedApplicationPolicyUnionMember2",
@@ -35,12 +36,14 @@
     "SaaSApplicationSCIMConfig",
     "SaaSApplicationSCIMConfigAuthentication",
     "BrowserSSHApplication",
+    "BrowserSSHApplicationDestination",
     "BrowserSSHApplicationPolicy",
     "BrowserSSHApplicationPolicyAccessAppPolicyLink",
     "BrowserSSHApplicationPolicyUnionMember2",
     "BrowserSSHApplicationSCIMConfig",
     "BrowserSSHApplicationSCIMConfigAuthentication",
     "BrowserVNCApplication",
+    "BrowserVNCApplicationDestination",
     "BrowserVNCApplicationPolicy",
     "BrowserVNCApplicationPolicyAccessAppPolicyLink",
     "BrowserVNCApplicationPolicyUnionMember2",
@@ -81,10 +84,9 @@
 
 class SelfHostedApplication(TypedDict, total=False):
     domain: Required[str]
-    """The primary hostname and path that Access will secure.
+    """The primary hostname and path secured by Access.
 
-    If the app is visible in the App Launcher dashboard, this is the domain that
-    will be displayed.
+    This domain will be displayed if the app is visible in the App Launcher.
     """
 
     type: Required[str]
@@ -144,6 +146,14 @@ class SelfHostedApplication(TypedDict, total=False):
     custom_pages: List[str]
     """The custom pages that will be displayed when applicable for this application"""
 
+    destinations: Iterable[SelfHostedApplicationDestination]
+    """List of destinations secured by Access.
+
+    This supersedes `self_hosted_domains` to allow for more flexibility in defining
+    different types of domains. If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
     enable_binding_cookie: bool
     """
     Enables the binding cookie, which increases security against compromised
@@ -194,7 +204,12 @@ class SelfHostedApplication(TypedDict, total=False):
     """
 
     self_hosted_domains: List[SelfHostedDomains]
-    """List of domains that Access will secure."""
+    """List of public domains that Access will secure.
+
+    This field is deprecated in favor of `destinations` and will be supported until
+    **November 21, 2025.** If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
 
     service_auth_401_redirect: bool
     """Returns a 401 status code when the request is blocked by a Service Auth policy."""
@@ -216,6 +231,20 @@ class SelfHostedApplication(TypedDict, total=False):
     """
 
 
+class SelfHostedApplicationDestination(TypedDict, total=False):
+    destination: str
+    """A destination secured by Access.
+
+    Public destinations can include a domain and path with
+    [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
+    Private destinations are an early access feature and gated behind a feature
+    flag. Private destinations support private IPv4, IPv6, and Server Name
+    Indications (SNI) with optional port ranges.
+    """
+
+    type: Literal["public", "private"]
+
+
 class SelfHostedApplicationPolicyAccessAppPolicyLink(TypedDict, total=False):
     id: str
     """The UUID of the policy"""
@@ -468,10 +497,9 @@ class SaaSApplicationSCIMConfig(TypedDict, total=False):
 
 class BrowserSSHApplication(TypedDict, total=False):
     domain: Required[str]
-    """The primary hostname and path that Access will secure.
+    """The primary hostname and path secured by Access.
 
-    If the app is visible in the App Launcher dashboard, this is the domain that
-    will be displayed.
+    This domain will be displayed if the app is visible in the App Launcher.
     """
 
     type: Required[str]
@@ -531,6 +559,14 @@ class BrowserSSHApplication(TypedDict, total=False):
     custom_pages: List[str]
     """The custom pages that will be displayed when applicable for this application"""
 
+    destinations: Iterable[BrowserSSHApplicationDestination]
+    """List of destinations secured by Access.
+
+    This supersedes `self_hosted_domains` to allow for more flexibility in defining
+    different types of domains. If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
     enable_binding_cookie: bool
     """
     Enables the binding cookie, which increases security against compromised
@@ -581,7 +617,12 @@ class BrowserSSHApplication(TypedDict, total=False):
     """
 
     self_hosted_domains: List[SelfHostedDomains]
-    """List of domains that Access will secure."""
+    """List of public domains that Access will secure.
+
+    This field is deprecated in favor of `destinations` and will be supported until
+    **November 21, 2025.** If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
 
     service_auth_401_redirect: bool
     """Returns a 401 status code when the request is blocked by a Service Auth policy."""
@@ -603,6 +644,20 @@ class BrowserSSHApplication(TypedDict, total=False):
     """
 
 
+class BrowserSSHApplicationDestination(TypedDict, total=False):
+    destination: str
+    """A destination secured by Access.
+
+    Public destinations can include a domain and path with
+    [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
+    Private destinations are an early access feature and gated behind a feature
+    flag. Private destinations support private IPv4, IPv6, and Server Name
+    Indications (SNI) with optional port ranges.
+    """
+
+    type: Literal["public", "private"]
+
+
 class BrowserSSHApplicationPolicyAccessAppPolicyLink(TypedDict, total=False):
     id: str
     """The UUID of the policy"""
@@ -700,10 +755,9 @@ class BrowserSSHApplicationSCIMConfig(TypedDict, total=False):
 
 class BrowserVNCApplication(TypedDict, total=False):
     domain: Required[str]
-    """The primary hostname and path that Access will secure.
+    """The primary hostname and path secured by Access.
 
-    If the app is visible in the App Launcher dashboard, this is the domain that
-    will be displayed.
+    This domain will be displayed if the app is visible in the App Launcher.
     """
 
     type: Required[str]
@@ -763,6 +817,14 @@ class BrowserVNCApplication(TypedDict, total=False):
     custom_pages: List[str]
     """The custom pages that will be displayed when applicable for this application"""
 
+    destinations: Iterable[BrowserVNCApplicationDestination]
+    """List of destinations secured by Access.
+
+    This supersedes `self_hosted_domains` to allow for more flexibility in defining
+    different types of domains. If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
     enable_binding_cookie: bool
     """
     Enables the binding cookie, which increases security against compromised
@@ -813,7 +875,12 @@ class BrowserVNCApplication(TypedDict, total=False):
     """
 
     self_hosted_domains: List[SelfHostedDomains]
-    """List of domains that Access will secure."""
+    """List of public domains that Access will secure.
+
+    This field is deprecated in favor of `destinations` and will be supported until
+    **November 21, 2025.** If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
 
     service_auth_401_redirect: bool
     """Returns a 401 status code when the request is blocked by a Service Auth policy."""
@@ -835,6 +902,20 @@ class BrowserVNCApplication(TypedDict, total=False):
     """
 
 
+class BrowserVNCApplicationDestination(TypedDict, total=False):
+    destination: str
+    """A destination secured by Access.
+
+    Public destinations can include a domain and path with
+    [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
+    Private destinations are an early access feature and gated behind a feature
+    flag. Private destinations support private IPv4, IPv6, and Server Name
+    Indications (SNI) with optional port ranges.
+    """
+
+    type: Literal["public", "private"]
+
+
 class BrowserVNCApplicationPolicyAccessAppPolicyLink(TypedDict, total=False):
     id: str
     """The UUID of the policy"""