zuplo 6.70.70 → 6.71.0

package/docs/dev-portal/zudoku/customization/colors-theme.mdx

@@ -164,29 +164,55 @@ const config = {
 };
 ```
 
-Alternatively, you can copy the CSS code and paste it into your `customCss` configuration:
+Alternatively, paste the copied CSS into a stylesheet and import it from your config:
+
+```css title=styles.css
+/* Copied CSS code */
+```
 
 ```ts title=zudoku.config.ts
-const config = {
-  theme: {
-    customCss: `
-      /* Copied CSS code */
-    `,
-  },
-};
+import "./styles.css";
 ```
 
 ## Custom CSS
 
-For advanced styling, you can add custom CSS either as a string or structured object:
+The recommended way to add custom styles is to write a `.css` file alongside your config and import
+it. This gives you HMR during development, syntax highlighting, autocompletion, and lets you split
+styles across files as your site grows.
 
-:::note
+```css title=styles.css
+.custom {
+  background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+}
+```
 
-Changes to `customCss` require restarting the development server to take effect.
+```ts title=zudoku.config.ts
+import "./styles.css";
 
-:::
+const config = {
+  // ...
+};
+```
+
+If TypeScript reports `Cannot find module './styles.css'`, add `zudoku/client` to your tsconfig
+types so CSS side-effect imports are recognized:
+
+```json title=tsconfig.json
+{
+  "compilerOptions": {
+    "types": ["zudoku/client"]
+  }
+}
+```
+
+Projects created with `create-zudoku` include this by default.
+
+### Inline alternatives (deprecated)
 
-### CSS String
+The `theme.customCss` option is deprecated and will be removed in a future release. It still accepts
+a CSS string or object for backwards compatibility, but every change requires restarting the dev
+server and you lose syntax highlighting, autocompletion, and HMR. Migrate to an imported `.css`
+file.
 
 ```ts title=zudoku.config.ts
 const config = {
@@ -200,37 +226,22 @@ const config = {
 };
 ```
 
-### CSS Object
-
-```ts title=zudoku.config.ts
-const config = {
-  theme: {
-    customCss: {
-      ".custom": {
-        background: "linear-gradient(135deg, #667eea 0%, #764ba2 100%)",
-      },
-    },
-  },
-};
-```
-
 ### Enabling Code Ligatures
 
 Dev Portal disables ligatures in code blocks by default to avoid unwanted glyph joining in fonts like
 Geist Mono (e.g. `---`, `###`, `|--|`). If you're using a coding font designed around ligatures
-(Fira Code, JetBrains Mono, etc.), re-enable them via `customCss`:
-
-```ts title=zudoku.config.ts
-const config = {
-  theme: {
-    customCss: `
-      code, pre, kbd, samp, .shiki, .shiki span {
-        font-variant-ligatures: normal;
-        font-feature-settings: normal;
-      }
-    `,
-  },
-};
+(Fira Code, JetBrains Mono, etc.), re-enable them in your CSS file:
+
+```css title=styles.css
+code,
+pre,
+kbd,
+samp,
+.shiki,
+.shiki span {
+  font-variant-ligatures: normal;
+  font-feature-settings: normal;
+}
 ```
 
 ## Default Theme

package/docs/errors/rate-limit-exceeded.mdx

@@ -4,6 +4,29 @@ title: Rate Limit Exceeded (RATE_LIMIT_EXCEEDED)
 
 The request was rejected because the client exceeded the configured rate limit.
 
+## Response format
+
+The 429 response uses the
+[Problem Details](../programmable-api/http-problems.mdx) format:
+
+```json
+{
+  "type": "https://httpproblems.com/http-status/429",
+  "title": "Too Many Requests",
+  "status": 429,
+  "detail": "Rate limit exceeded",
+  "instance": "/your-route",
+  "trace": {
+    "requestId": "4d54e4ee-c003-4d75-aba9-e09a6d707b08",
+    "timestamp": "2026-04-14T12:00:00.000Z",
+    "buildId": "ec44e831-3a02-467e-a26c-7e401e4473bf"
+  }
+}
+```
+
+If `headerMode` is set to `"retry-after"` (the default), the response includes a
+`Retry-After` header with the number of seconds to wait before retrying.
+
 ## Common Causes
 
 - **Too many requests** — The client sent more requests than the rate limit
@@ -24,8 +47,12 @@ The request was rejected because the client exceeded the configured rate limit.
 
 ## For API Operators
 
-- Review the rate limiting policy configuration in the route settings.
+- Review the rate limiting policy configuration in the route settings. Check the
+  `requestsAllowed` and `timeWindowMinutes` values and verify that the
+  `rateLimitBy` identifier is resolving correctly.
 - Consider using
-  [dynamic rate limiting](../articles/step-5-dynamic-rate-limiting.mdx) to set
+  [dynamic rate limiting](../rate-limiting/dynamic-rate-limiting.mdx) to set
   different limits per customer tier.
-- Check the rate limit metrics to determine if limits need adjustment.
+- Use your [logging integration](../articles/logging.mdx) to filter for 429
+  responses and identify which consumers are being throttled. Break down by user
+  or IP to spot noisy neighbors.

package/docs/handlers/system-handlers.mdx

@@ -5,7 +5,8 @@ sidebar_label: Internal Route Handlers
 
 The Zuplo Runtime automatically registers certain routes on your gateway to
 provide enhanced functionality. Requests to these routes may appear in your
-Analytics page. Below is a list of reserved routes:
+project's analytics under the **Observability** tab. Below is a list of reserved
+routes:
 
 | Name                    | Method  | Path                              | Description                                                 |
 | ----------------------- | ------- | --------------------------------- | ----------------------------------------------------------- |

package/docs/mcp-gateway/how-to/connect-upstream-api-key.mdx

@@ -48,7 +48,7 @@ Virtual Server**, with these choices:
 
 <ModalScreenshot size="md">
 
-![Outbound auth set to None with Remove auth token selected](../../public/media/mcp-gateway-upstream-api-key/01-outbound-auth-none.png)
+![Outbound auth set to None with Remove auth token selected](../../../public/media/mcp-gateway-upstream-api-key/01-outbound-auth-none.png)
 
 </ModalScreenshot>
 
@@ -85,7 +85,7 @@ set.
 
 <ModalScreenshot size="md">
 
-![The set-headers-inbound policy added to the end of the request policy stack](../../public/media/mcp-gateway-upstream-api-key/02-policy-stack.png)
+![The set-headers-inbound policy added to the end of the request policy stack](../../../public/media/mcp-gateway-upstream-api-key/02-policy-stack.png)
 
 </ModalScreenshot>
 

package/docs/mcp-gateway/observability/analytics.mdx

@@ -7,10 +7,11 @@ description:
 ---
 
 Every authenticated MCP request the Zuplo MCP Gateway handles produces a set of
-structured analytics events. The events power the MCP tab on the Zuplo Portal's
-**Analytics** page and feed the same data into Zuplo's standard log and metrics
-pipelines. This page explains why each event exists, the dimensions that scope
-the data, and the operational questions the dashboard exists to answer.
+structured analytics events. The events power the MCP section of the Zuplo
+Portal's **Observability → Analytics** view and feed the same data into Zuplo's
+standard log and metrics pipelines. This page explains why each event exists,
+the dimensions that scope the data, and the operational questions the dashboard
+exists to answer.
 
 ## What the analytics are for
 
@@ -125,15 +126,18 @@ A few panels carry detail worth calling out:
 
 ## Where to find it
 
-The MCP analytics dashboard is a tab on the Zuplo Portal's **Analytics** page.
-At the account scope,
-[Analytics → MCP](https://portal.zuplo.com/+/account/analytics) aggregates
-across every project on the account that has MCP routes. At the project scope,
-[Analytics → MCP](https://portal.zuplo.com/+/account/project/analytics) shows
-that project's events only.
-
-The MCP tab appears automatically once any MCP request has been recorded for the
-project. New projects show the empty state until the first MCP request lands.
+The MCP analytics dashboard is a section of the Analytics view inside the Zuplo
+Portal's **Observability** tab. At the account scope,
+[**Observability → Analytics → MCP**](https://portal.zuplo.com/+/account/observability/analytics/mcp)
+aggregates across every project on the account that has MCP routes. At the
+project scope, open your project, click **Observability**, then select
+**Analytics → MCP** to see
+[that project's events](https://portal.zuplo.com/+/account/project/analytics)
+only.
+
+The MCP section appears automatically once any MCP request has been recorded for
+the project. New projects show the empty state until the first MCP request
+lands.
 
 ## Reference: event types
 

package/docs/mcp-gateway/quickstart.mdx

@@ -251,9 +251,10 @@ result on your machine.
    tool, then returns results proxied through the gateway.
 
    Open the project's
-   [Analytics dashboard](https://portal.zuplo.com/+/account/project/analytics)
-   and switch to the **MCP** tab to see the call appear in the events timeline,
-   the success rate, the top capabilities table, and the user breakdown.
+   [**Observability → Analytics**](https://portal.zuplo.com/+/account/project/analytics)
+   view and select the **MCP** section to see the call appear in the events
+   timeline, the success rate, the top capabilities table, and the user
+   breakdown.
 
 </Stepper>
 

package/docs/mcp-gateway/troubleshooting.mdx

@@ -216,10 +216,10 @@ window where a stolen cookie is useful.
 
 ## Where to look when none of the above match
 
-- Open the project's **Logs** in the Portal and filter on the request's
-  `zuplo-request-id`. Gateway log entries include the relevant `operationId` and
-  `subjectId`.
-- Open the **Analytics** dashboard and switch to the **MCP** tab. The "Top
+- Open the project's **Observability → Logs** view in the Portal and filter on
+  the request's `zuplo-request-id`. Gateway log entries include the relevant
+  `operationId` and `subjectId`.
+- Open **Observability → Analytics** and select the **MCP** section. The "Top
   Reason Codes" and "Failure Origins" panels surface the highest-cardinality
   failure modes for the current time window.
 - For OAuth-specific issues, the

package/docs/policies/_index.md

@@ -37,10 +37,13 @@
 | curity-phantom-token-inbound | Curity Phantom Token Auth | Authenticate users using the Curity Phantom Token Pattern. | api-gateway |
 | custom-code-inbound | Custom Code Inbound | Enables a custom code policy written in TypeScript. Change YOUR_MODULE to the name of your module (without .ts extension) | api-gateway |
 | custom-code-outbound | Custom Code Outbound | A custom outbound response policy. | api-gateway |
+| data-loss-prevention-outbound | Data Loss Prevention | Scans the upstream response body for sensitive data — PII, secrets, and financial identifiers — using an extensible catalog of built-in recognizers plus any custom patterns, and takes a configurable action when a match is found.  The action is one of `mask` (redact matches before returning the response), `block` (replace the response with a `422` listing the detected entity names only), or `log` (record a warning and return unchanged). Only text content types are inspected; binary bodies pass through untouched, and the body is read from a clone so the client still receives the original stream. | api-gateway |
+| data-loss-prevention-inbound | Data Loss Prevention | Scans the incoming request body for sensitive data — PII, secrets, and financial identifiers — using an extensible catalog of built-in recognizers plus any custom patterns, and takes a configurable action when a match is found.  The action is one of `mask` (redact matches before forwarding the request), `block` (reject with a `422` listing the detected entity names only), or `log` (record a warning and forward unchanged). Only text content types are inspected; binary bodies pass through untouched, and the body is read from a clone so the upstream still receives the original stream. | api-gateway |
 | firebase-jwt-inbound | Firebase JWT Auth | Authenticate users using Firebase issued JWT tokens. | api-gateway |
 | formdata-to-json-inbound | Form Data to JSON | Converts form data in the incoming request to JSON. | api-gateway |
 | galileo-tracing-inbound | Galileo Tracing | Galileo Tracing Inbound Policy | ai-gateway |
 | geo-filter-inbound | Geo-location filtering | Block requests based on geo-location parameters: country, region code, and ASN | api-gateway |
+| graphql-analytics-outbound | GraphQL Analytics | Reports GraphQL errors returned in response bodies to Zuplo's GraphQL analytics. GraphQL servers following the standard Apollo / graphql-yoga pattern return `200 OK` with an `errors[]` array in the body when an operation fails, which HTTP-level analytics alone report as a success — add this policy to a GraphQL route and failed operations show up as failures on the GraphQL dashboard, classified by error type.  Each error in `errors[]` is classified from its `extensions.code` following the Apollo Server conventions (`GRAPHQL_PARSE_FAILED` → `syntax`, `GRAPHQL_VALIDATION_FAILED` → `validation`, `UNAUTHENTICATED` / `FORBIDDEN` → `auth`, timeout codes → `timeout`); custom codes can be mapped with `errorCodeClassification`, and anything unrecognized falls back to `defaultErrorClass` (`resolver`). Optionally set `logErrors` to also write a structured warning per errored response. Bodies larger than `maxResponseBytes` (default 5 MiB) are not inspected.  The response always passes through unchanged — the body is read from a clone, and any internal failure is swallowed so reporting can never break the request. The route must be marked `x-graphql: true` in `routes.oas.json` (which enables GraphQL analytics for the route); without the marker the policy logs a warning and does nothing. | api-gateway |
 | graphql-complexity-limit-inbound | GraphQL Complexity Limit | Policy that limits the complexity and depth of GraphQL queries to prevent abuse. Protects your GraphQL API from expensive queries that could cause performance issues or denial of service attacks. | api-gateway |
 | graphql-disable-introspection-inbound | GraphQL Disable Introspection | Policy that disables GraphQL introspection queries in production. Introspection allows clients to discover the schema, which can be a security risk as it exposes your entire API structure. | api-gateway |
 | graphql-introspection-filter-outbound | GraphQL Introspection Filter | Filters GraphQL introspection responses to exclude specific types and fields.  This policy intercepts GraphQL introspection query responses and removes configured types and fields from the schema. Useful for hiding internal types or sensitive fields from the public schema. | api-gateway |

package/docs/policies/data-loss-prevention-inbound/doc.md

@@ -0,0 +1,115 @@
+This policy inspects the body of each incoming request for sensitive data and
+applies a configurable action. It is the inbound counterpart to the
+[Data Loss Prevention - Outbound](/docs/policies/data-loss-prevention-outbound)
+policy, which inspects upstream responses.
+
+Detection happens entirely inside the gateway isolate — request bodies are never
+sent to a third-party service.
+
+## Actions
+
+- **`mask`** (default) — every detected value is replaced with the `mask` string
+  and the modified body is forwarded upstream. Overlapping matches are merged
+  and masked once.
+- **`block`** — the request is rejected with a `422 Unprocessable Content`. The
+  problem detail lists only the names of the detected entities, never the
+  matched values, so the policy never leaks the data it caught.
+- **`log`** — a structured warning is written (entity ids and counts only) and
+  the request is forwarded unchanged.
+
+## Built-in recognizers
+
+Enable entities individually or by **group selector** in the `entities` option,
+or omit it to use the full catalog. Entity ids follow a
+`{category}-{scope}-{name}` taxonomy, and any dash-aligned prefix of an id is a
+valid selector: `secret` enables every secret, `id-au` enables Australia's
+identifiers, `secret-aws` enables both AWS entities. Two named groups (`pii`,
+`region-eu`) bundle entities across categories.
+
+| Group       | Entities                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `secret`    | `secret-private-key`, `secret-jwt`, `secret-aws-access-key`, `secret-aws-bedrock`, `secret-github`, `secret-gitlab`, `secret-zuplo`, `secret-openai`, `secret-anthropic`, `secret-google-api-key`, `secret-stripe`, `secret-slack`, `secret-discord-webhook`, `secret-npm`, `secret-pypi`, `secret-sendgrid`, `secret-twilio`, `secret-hugging-face`, `secret-databricks`, `secret-shopify`, `secret-square`, `secret-mailchimp`, `secret-mailgun`, `secret-postman`, `secret-terraform`, `secret-sentry`, `secret-digitalocean`, `secret-heroku`, `secret-perplexity`, `secret-azure-client`, `secret-telegram-bot` |
+| `finance`   | `finance-credit-card` (Luhn), `finance-iban` (per-country length + mod-97), `finance-crypto-wallet`, `finance-us-aba-routing` (checksum), `finance-swift-bic`, `finance-us-bank-account`, `finance-cvv`                                                                                                                                                                                                                                                                                                                                                                                                              |
+| `id`        | `id-us-ssn`, `id-us-itin`, `id-us-passport`, `id-uk-nino`, `id-uk-nhs` (mod-11), `id-ca-sin` (Luhn), `id-au-abn`, `id-au-acn`, `id-au-tfn`, `id-au-medicare` (all checksummed), `id-in-aadhaar` (Verhoeff), `id-in-pan`, `id-sg-nric` (checksum), `id-es-nif` (checksum), `id-it-fiscal-code` (checksum), `id-pl-pesel` (checksum), `id-nl-bsn` (11-proef), `id-br-cpf` (checksum), `id-fr-nir` (mod-97)                                                                                                                                                                                                             |
+| `contact`   | `contact-email`, `contact-phone`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| `network`   | `network-ipv4`, `network-ipv6`, `network-mac`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| `pii`       | `contact` + `id`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| Prefixes    | `id-us`, `id-uk`, `id-au`, `id-ca`, `id-in`, `id-sg`, `id-es`, `id-it`, `id-pl`, `id-nl`, `id-br`, `id-fr`, `finance-us`, `secret-aws` — everything whose id starts with that prefix                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| `region-eu` | `id-es-nif`, `id-it-fiscal-code`, `id-pl-pesel`, `id-nl-bsn`, `id-fr-nir`, `finance-iban`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+
+## Context-word scoring
+
+Every match gets a confidence score. Recognizers whose raw pattern is just "a
+run of digits" (bank accounts, routing numbers, NHS numbers, …) carry a low base
+confidence and a list of **context words**; when one of those words appears near
+the match — in prose, or in a JSON key, form field, or header-like label
+(`nhsNumber`, `routing_number`, `cvv:`) — the confidence is boosted above the
+detection threshold.
+
+For example, with the `id-uk-nhs` entity enabled, `{"nhsNumber": "9434765919"}`
+is masked while the same digits in `{"orderId": "9434765919"}` pass through
+untouched.
+
+The threshold is configurable via `minConfidence` (default `0.5`): lower it to
+detect context-dependent entities everywhere, raise it to keep only prefix- and
+checksum-validated matches.
+
+## Custom patterns
+
+Add your own recognizers with `customPatterns`. Each entry has a `name`, a
+JavaScript regular expression `pattern`, and optionally a `confidence` and
+`context` words to participate in context scoring. Invalid patterns are logged
+and skipped rather than failing the request. Remember to escape backslashes for
+JSON (for example `\\d` to match a digit).
+
+## Content types
+
+Only text-based bodies (JSON, XML, form-encoded, and `text/*`) are scanned;
+binary bodies pass through untouched. Override the allow-list with the
+`contentTypes` option if you need to scan a different set of content types.
+
+## Configuration
+
+- `engine`: The detection engine. Only `builtin` is available today.
+  **Default:** `builtin`
+- `entities`: Recognizer ids and/or group selectors (prefixes, `pii`,
+  `region-eu`) to enable. **Default:** all recognizers
+- `customPatterns`: Additional `{ name, pattern, confidence?, context? }` regex
+  recognizers
+- `action`: `mask`, `block`, or `log`. **Default:** `mask`
+- `mask`: Replacement string used when `action` is `mask`. **Default:**
+  `[REDACTED]`
+- `minConfidence`: Detection threshold (0-1). **Default:** `0.5`
+- `contentTypes`: Override the scannable content-type allow-list
+
+## Usage
+
+Apply this policy to inbound requests in your route configuration:
+
+```json
+{
+  "policies": [
+    {
+      "name": "data-loss-prevention-inbound",
+      "policyType": "data-loss-prevention-inbound",
+      "handler": {
+        "export": "DataLossPreventionInboundPolicy",
+        "module": "$import(@zuplo/runtime)",
+        "options": {
+          "action": "mask",
+          "entities": ["secret", "finance", "id-us", "contact-email"],
+          "mask": "[REDACTED]",
+          "customPatterns": [
+            {
+              "name": "employee-id",
+              "pattern": "EMP-\\d{6}",
+              "confidence": 0.3,
+              "context": ["employee"]
+            }
+          ]
+        }
+      }
+    }
+  ]
+}
+```

package/docs/policies/data-loss-prevention-inbound/intro.md

@@ -0,0 +1,15 @@
+The Data Loss Prevention (DLP) policy scans incoming request bodies for
+sensitive data — personally identifiable information (PII), secrets and API keys
+for dozens of vendors, payment and bank identifiers, and national IDs for many
+countries — using a catalog of 60+ built-in recognizers plus any custom patterns
+you add. When a match is found it takes a configurable action: mask the matches,
+block the request, or log a warning and let it through.
+
+Recognizers are selected individually or via entity groups (`secret`, `finance`,
+`pii`, `id-us`, `id-uk`, `region-eu`, …). Detection runs entirely in the gateway
+isolate using regular expressions, checksums (Luhn, mod-97, Verhoeff, and
+friends), and context-word scoring — no request data leaves the gateway.
+
+Pair with the
+[Data Loss Prevention - Outbound](/docs/policies/data-loss-prevention-outbound)
+policy to also scan upstream responses before they're returned to the client.

package/docs/policies/data-loss-prevention-inbound/schema.json

@@ -0,0 +1,220 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "https://cdn.zuplo.com/policies/runtime/schemas/data-loss-prevention-inbound.json",
+  "type": "object",
+  "title": "Data Loss Prevention",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "requiresAI": false,
+  "products": ["api-gateway"],
+  "description": "Scans the incoming request body for sensitive data — PII, secrets, and financial identifiers — using an extensible catalog of built-in recognizers plus any custom patterns, and takes a configurable action when a match is found.\n\nThe action is one of `mask` (redact matches before forwarding the request), `block` (reject with a `422` listing the detected entity names only), or `log` (record a warning and forward unchanged). Only text content types are inspected; binary bodies pass through untouched, and the body is read from a clone so the upstream still receives the original stream.",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "DataLossPreventionInboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/runtime)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "title": "DataLossPreventionInboundPolicyOptions",
+          "type": "object",
+          "description": "The options for the Data Loss Prevention inbound policy. Scans the incoming request body for sensitive data and applies the configured action (mask, block, or log).",
+          "additionalProperties": false,
+          "required": [],
+          "examples": [
+            {
+              "action": "mask",
+              "entities": ["secret", "finance", "contact-email", "id-us-ssn"],
+              "mask": "[REDACTED]"
+            }
+          ],
+          "properties": {
+            "engine": {
+              "type": "string",
+              "enum": ["builtin"],
+              "default": "builtin",
+              "description": "The detection engine. Only `builtin` (in-isolate regex + checksum detection with context-word scoring) is available today. This is the extension point for a future hosted `presidio-service` mode; declaring it now keeps adding that mode an additive, non-breaking change."
+            },
+            "entities": {
+              "type": "array",
+              "description": "Built-in recognizer ids and/or group selectors to enable. Entity ids follow a {category}-{scope}-{name} taxonomy, and any dash-aligned id prefix acts as a selector (for example `secret` is every secret, `id-au` is Australia's identifiers, `secret-aws` is both AWS entities), plus the named groups `pii` and `region-eu`. Available selectors: `contact`, `finance`, `finance-us`, `id`, `id-au`, `id-br`, `id-ca`, `id-es`, `id-fr`, `id-in`, `id-it`, `id-nl`, `id-pl`, `id-sg`, `id-uk`, `id-us`, `network`, `pii`, `region-eu`, `secret`, `secret-aws`. When omitted, the full built-in catalog is used.",
+              "items": {
+                "type": "string",
+                "enum": [
+                  "contact",
+                  "finance",
+                  "finance-us",
+                  "id",
+                  "id-au",
+                  "id-br",
+                  "id-ca",
+                  "id-es",
+                  "id-fr",
+                  "id-in",
+                  "id-it",
+                  "id-nl",
+                  "id-pl",
+                  "id-sg",
+                  "id-uk",
+                  "id-us",
+                  "network",
+                  "pii",
+                  "region-eu",
+                  "secret",
+                  "secret-aws",
+                  "contact-email",
+                  "contact-phone",
+                  "finance-credit-card",
+                  "finance-crypto-wallet",
+                  "finance-cvv",
+                  "finance-iban",
+                  "finance-swift-bic",
+                  "finance-us-aba-routing",
+                  "finance-us-bank-account",
+                  "id-au-abn",
+                  "id-au-acn",
+                  "id-au-medicare",
+                  "id-au-tfn",
+                  "id-br-cpf",
+                  "id-ca-sin",
+                  "id-es-nif",
+                  "id-fr-nir",
+                  "id-in-aadhaar",
+                  "id-in-pan",
+                  "id-it-fiscal-code",
+                  "id-nl-bsn",
+                  "id-pl-pesel",
+                  "id-sg-nric",
+                  "id-uk-nhs",
+                  "id-uk-nino",
+                  "id-us-itin",
+                  "id-us-passport",
+                  "id-us-ssn",
+                  "network-ipv4",
+                  "network-ipv6",
+                  "network-mac",
+                  "secret-anthropic",
+                  "secret-aws-access-key",
+                  "secret-aws-bedrock",
+                  "secret-azure-client",
+                  "secret-databricks",
+                  "secret-digitalocean",
+                  "secret-discord-webhook",
+                  "secret-github",
+                  "secret-gitlab",
+                  "secret-google-api-key",
+                  "secret-heroku",
+                  "secret-hugging-face",
+                  "secret-jwt",
+                  "secret-mailchimp",
+                  "secret-mailgun",
+                  "secret-npm",
+                  "secret-openai",
+                  "secret-perplexity",
+                  "secret-postman",
+                  "secret-private-key",
+                  "secret-pypi",
+                  "secret-sendgrid",
+                  "secret-sentry",
+                  "secret-shopify",
+                  "secret-slack",
+                  "secret-square",
+                  "secret-stripe",
+                  "secret-telegram-bot",
+                  "secret-terraform",
+                  "secret-twilio",
+                  "secret-zuplo"
+                ]
+              }
+            },
+            "customPatterns": {
+              "type": "array",
+              "description": "Additional customer-defined regex recognizers. Invalid patterns are logged and skipped rather than failing the request.",
+              "items": {
+                "type": "object",
+                "title": "DlpCustomPattern",
+                "additionalProperties": false,
+                "required": ["name", "pattern"],
+                "properties": {
+                  "name": {
+                    "type": "string",
+                    "description": "Identifier reported in findings and block details for this pattern."
+                  },
+                  "pattern": {
+                    "type": "string",
+                    "description": "A JavaScript regular expression source string. Remember to escape backslashes for JSON (for example `\\\\d` for a digit)."
+                  },
+                  "confidence": {
+                    "type": "number",
+                    "minimum": 0,
+                    "maximum": 1,
+                    "default": 0.85,
+                    "description": "Base confidence (0-1) for matches of this pattern. The default of 0.85 is above the default detection threshold; combine a low value with `context` words for patterns that are only sensitive in context."
+                  },
+                  "context": {
+                    "type": "array",
+                    "items": {
+                      "type": "string"
+                    },
+                    "description": "Context words that boost a match's confidence by 0.45 when one appears near the match (in the surrounding field, label, or key)."
+                  }
+                }
+              }
+            },
+            "action": {
+              "type": "string",
+              "enum": ["mask", "block", "log"],
+              "default": "mask",
+              "description": "What to do when sensitive data is detected. `mask` redacts matches before forwarding the request, `block` rejects with a 422 listing only the detected entity names, and `log` records a warning and forwards the request unchanged."
+            },
+            "mask": {
+              "type": "string",
+              "default": "[REDACTED]",
+              "examples": ["[REDACTED]"],
+              "description": "The string that replaces detected values when `action` is `mask`."
+            },
+            "minConfidence": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "default": 0.5,
+              "x-show-example": false,
+              "description": "Minimum confidence (0-1) a match must reach to count as a finding. Context-dependent recognizers (for example `finance-us-bank-account` or `finance-us-aba-routing`) sit below the default threshold of 0.5 until a context word near the match boosts them above it. Lower the threshold to surface them everywhere; raise it to keep only prefix- or checksum-validated matches."
+            },
+            "contentTypes": {
+              "type": "array",
+              "description": "Override the set of scannable content-type prefixes. When omitted, the built-in text content-type allow-list (JSON, XML, form-encoded, text/\\*) is used.",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        }
+      },
+      "examples": [
+        {
+          "export": "DataLossPreventionInboundPolicy",
+          "module": "$import(@zuplo/runtime)",
+          "options": {
+            "action": "mask",
+            "entities": ["secret", "finance", "contact-email", "id-us-ssn"],
+            "mask": "[REDACTED]"
+          }
+        }
+      ]
+    }
+  }
+}