@renuka-fernando renuka-fernando commented Jan 14, 2026

Purpose

  • Update configs for gateway release
  • Include system policies in gateway builder
  • Update sdk version as 0.3.1
  • Include system policy manifest in cli

Summary by CodeRabbit

Release Notes

  • New Features

    • Added rate-limiting policy configuration with fixed-window algorithm and memory-based storage.
    • Enhanced analytics with publisher support and access logging capabilities.
    • Added new policies for model routing, content moderation, prompt handling, and API key authentication.
  • Chores

    • Updated core dependencies to latest version.
    • Reorganized policy manifest for improved structure.

coderabbitai bot commented Jan 14, 2026

Walkthrough

This PR refactors the gateway configuration and build pipeline by introducing rate-limiting policies, expanding analytics capabilities with publishers and Access Log Service configurations, reorganizing the policy manifest, and upgrading the API platform SDK dependency across all policy modules from v0.3.0 to v0.3.1. It also updates Docker Compose and build tooling to include system policies.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Configuration & Examples: `gateway/configs/config.yaml`, `gateway/examples/weather-api.yaml` | Replaced JWT auth policy with new ratelimit_v010 configuration (fixed-window algorithm, memory backend). Expanded analytics section with moesif publishers and ALS/gRPC access log configurations. Added rate-limiting policy to weather API GET endpoint. |
| Docker & Build Tooling: `gateway/docker-compose.yaml`, `gateway/gateway-builder/Dockerfile`, `gateway/gateway-builder/Makefile` | Removed container_name declarations from all services; added xds-server command to policy-engine; removed router healthcheck; updated grafana image to grafana/grafana:latest. Updated Dockerfile to copy system-policies and added CMD for manifest-lock path. Modified Makefile to include system-policies in Docker build contexts. |
| Policy Manifest: `gateway/policies/policy-manifest-lock.yaml` | Reorganized and updated policy registry: removed older policy entries, added new policies (api-key-auth, aws-bedrock-guardrail, azure-content-safety-content-moderation, mcp-auth, model-round-robin, model-weighted-round-robin, semantic-cache, prompt-decorator, prompt-template, cors, etc.), and reassigned file paths. |
| SDK Dependency Updates: `gateway/policies/*/v0.1.0/go.mod`, `gateway/sample-policies/*/v*.*.*/go.mod`, `gateway/system-policies/analytics/v0.1.0/go.mod`, `gateway/policy-engine/go.mod` | Updated github.com/wso2/api-platform/sdk dependency from v0.3.0 to v0.3.1 across 25+ modules (advanced-ratelimit, api-key-auth, aws-bedrock-guardrail, azure-content-safety-content-moderation, basic-auth, basic-ratelimit, content-length-guardrail, cors, json-schema-guardrail, jwt-auth, mcp-auth, model-round-robin, model-weighted-round-robin, modify-headers, pii-masking-regex, prompt-decorator, prompt-template, regex-guardrail, respond, semantic-cache, semantic-prompt-guard, sentence-count-guardrail, url-guardrail, word-count-guardrail, count-letters, uppercase-body, analytics, and policy-engine). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Suggested reviewers

  • RakhithaRR

Poem

🐰 Hops with glee through rate limits so fine,
Analytics flowing down logs in a line,
Policies gathered, a manifest grown,
SDK updated, new seeds are sown!
Docker containers now nameless and free—
The gateway hops faster! 🐇 Hop, hop, hooray!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description provides a brief list of changes but lacks the structured detail required by the template. Missing sections include Goals, Approach, User stories, Documentation, Automation tests, Security checks, Samples, Related PRs, and Test environment. | Expand the description to follow the provided template, including detailed Goals, Approach, test coverage information, security verification, and test environment details. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately captures the primary change: including system policies in the Gateway Builder. It is specific, concise, and directly related to the main objective of the changeset. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 37ad5c9 and 752c2dd.

📒 Files selected for processing (1)
  • gateway/gateway-builder/Dockerfile
🚧 Files skipped from review as they are similar to previous changes (1)
  • gateway/gateway-builder/Dockerfile

Tharsanan1 previously approved these changes Jan 14, 2026
@Tharsanan1 Tharsanan1 marked this pull request as ready for review January 14, 2026 12:35
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@gateway/docker-compose.yaml`:
- Around line 186-187: The Grafana service currently uses the floating tag
"grafana/grafana:latest"; change the image reference for the grafana service to
the pinned version "grafana/grafana:12.2.0" to ensure reproducible builds and
consistent behavior across deployments—update the image string in the grafana
service block accordingly.
🧹 Nitpick comments (1)
gateway/configs/config.yaml (1)

343-355: Consider using environment variable syntax for sensitive configuration.

The application_id uses a raw placeholder <MOESIF_APPLICATION_ID>. For consistency with other configurations in this file (e.g., GATEWAY_REGISTRATION_TOKEN in docker-compose), consider using environment variable substitution or documenting how this should be overridden.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f7d70b and af45acf.

📒 Files selected for processing (4)
  • gateway/configs/config.yaml
  • gateway/docker-compose.yaml
  • gateway/examples/weather-api.yaml
  • gateway/policies/policy-manifest-lock.yaml
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-12-18T08:49:15.812Z
Learnt from: RakhithaRR
Repo: wso2/api-platform PR: 504
File: gateway/policies/mcp-auth/v0.1.0/policy-definition.yaml:118-191
Timestamp: 2025-12-18T08:49:15.812Z
Learning: The policy engine in the gateway validates configuration paths (e.g., `${config.policy_configurations.jwtauth_v010.*}`) in a case-insensitive manner, so references using lowercase (jwtauth_v010) will correctly match configuration keys using mixed case (JWTAuth_v010) in the Helm values or config files.

Applied to files:

  • gateway/configs/config.yaml
📚 Learning: 2025-12-12T04:05:38.530Z
Learnt from: Thenujan-Nagaratnam
Repo: wso2/api-platform PR: 385
File: gateway/policies/url-guardrail/v0.1.0/urlguardrail.go:261-281
Timestamp: 2025-12-12T04:05:38.530Z
Learning: In the api-platform repository, when adding new guardrail policies, security enhancements that are not present in existing/old policies are deferred to future versions to maintain consistency across policy implementations.

Applied to files:

  • gateway/policies/policy-manifest-lock.yaml
📚 Learning: 2025-12-18T08:49:08.028Z
Learnt from: RakhithaRR
Repo: wso2/api-platform PR: 504
File: gateway/policies/mcp-auth/v0.1.0/policy-definition.yaml:118-191
Timestamp: 2025-12-18T08:49:08.028Z
Learning: Ensure the policy engine resolves configuration paths in a case-insensitive manner when matching keys (e.g., jwtauth_v010 should match JWTAuth_v010 regardless of case). In reviews, look for references to path resolution logic and verify it normalizes keys (e.g., to lower or upper case) before comparison. Add tests to cover mixed-case Helm values and config keys and document this behavior in the policy engine's docs.

Applied to files:

  • gateway/policies/policy-manifest-lock.yaml
🔇 Additional comments (5)
gateway/examples/weather-api.yaml (1)

60-65: LGTM!

The operation-level rate-limiting policy is correctly configured with sensible defaults (5 requests per minute). The policy name basic-ratelimit and version v0.1.0 align with the policy manifest lock file.

gateway/configs/config.yaml (2)

318-337: LGTM!

The rate-limiting policy configuration is well-structured with sensible defaults: fixed-window algorithm for simplicity, in-memory backend suitable for single-instance deployments, and appropriate header controls for standard rate-limit response headers.


384-389: Verify max_message_size is intentionally set to ~1GB.

The value 1000000000 bytes (~1GB) is quite large for gRPC message size. Ensure this aligns with expected access log batch sizes and won't cause memory pressure under high load. Typical defaults are in the 4-16MB range.

gateway/docker-compose.yaml (1)

47-61: LGTM!

The xDS server configuration correctly points to gateway-controller:18001, matching the port exposed in the gateway-controller service (line 28). This enables dynamic policy configuration updates via xDS.

gateway/policies/policy-manifest-lock.yaml (1)

3-75: LGTM!

The policy manifest lock file is well-organized with 24 policies listed alphabetically. All entries maintain a consistent structure (name, version, filePath), use the standard v0.1.0 versioning, and all referenced policy directories exist in the repository.

Comment on lines 186 to +187
grafana:
image: ""
container_name: grafana
image: "grafana/grafana:latest"
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n gateway/docker-compose.yaml | grep -A 2 -B 2 "grafana"

Repository: wso2/api-platform

Length of output: 921


🏁 Script executed:

cat -n gateway/docker-compose.yaml | grep -E "image:" | head -20

Repository: wso2/api-platform

Length of output: 717


🌐 Web query:

latest stable version of Grafana 2025 2026

💡 Result:

As of Jan 14, 2026 the latest stable Grafana release is Grafana 12.2.0 (released Sept 23, 2025). [1][2]

Sources:

  • Grafana download page listing 12.2.0. [1]
  • Grafana 12 release blog and security patch notes. [2]

Pin the Grafana image version for reproducibility.

Using the :latest tag can lead to non-reproducible builds and unexpected behavior when the upstream image changes. Other services in this file use pinned versions (e.g., prom/prometheus:v3.3.1, opensearchproject/opensearch:3.4.0). Update to the current stable version 12.2.0 instead of :latest.

📦 Suggested fix
   grafana:
-    image: "grafana/grafana:latest"
+    image: "grafana/grafana:12.2.0"
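Review bot: the replacement line `image: "grafana/grafana:12.2.0"` pins a tag, and a tag can still be repointed upstream, so it narrows the drift that `:latest` allowed without making the pull content-addressed. If reproducibility is the goal, append the image digest to the reference (`grafana/grafana:12.2.0@sha256:<digest>`, with the digest read from the registry at review time), and confirm that 12.2.0 is the intended release against the registry rather than relying on the version quoted in the comment.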
🤖 Prompt for AI Agents
In `@gateway/docker-compose.yaml` around lines 186 - 187, The Grafana service
currently uses the floating tag "grafana/grafana:latest"; change the image
reference for the grafana service to the pinned version "grafana/grafana:12.2.0"
to ensure reproducible builds and consistent behavior across deployments—update
the image string in the grafana service block accordingly.
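
The pinning rule from the review comment above, as an added example (not code from this PR or from the wso2/api-platform project): a small Python check that flags floating or untagged `image:` references in a Compose file. The sample file is constructed; the `router` and `controller` entries, the `registry.example` host, the all-zero digest and the set of tag names treated as floating are assumptions.

```python
import re

# Constructed sample: the first three references appear in the review text;
# the router/controller entries are hypothetical, added for coverage.
SAMPLE_COMPOSE = """\
services:
  prometheus:
    image: prom/prometheus:v3.3.1
  opensearch:
    image: "opensearchproject/opensearch:3.4.0"
  grafana:
    image: "grafana/grafana:latest"
  router:
    image: registry.example:5000/gateway/router
  controller:
    image: example/controller@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

IMAGE_LINE = re.compile(r"""^\s*image:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$""")
FLOATING_TAGS = {"latest", "stable", "main", "master", "edge", "nightly"}  # assumed list

def classify(ref):
    """Return 'digest', 'pinned', 'floating' or 'untagged' for an image reference."""
    if "@sha256:" in ref:
        return "digest"
    # A tag is a colon in the last path segment; an earlier colon is a registry port.
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last:
        return "untagged"  # Docker resolves a missing tag to :latest
    tag = last.rsplit(":", 1)[1]
    return "floating" if tag.lower() in FLOATING_TAGS else "pinned"

def audit(compose_text):
    """Return (line_number, reference, verdict) for every image: line."""
    findings = []
    for n, line in enumerate(compose_text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m:
            findings.append((n, m.group(1), classify(m.group(1))))
    return findings

def violations(compose_text):
    """Return only the findings a CI gate should fail on."""
    return [f for f in audit(compose_text) if f[2] in ("floating", "untagged")]

if __name__ == "__main__":
    for n, ref, verdict in audit(SAMPLE_COMPOSE):
        print(f"line {n}: {ref} -> {verdict}")
```

The check works line by line, so it does not resolve `${VAR}` substitutions or YAML anchors; run it against the output of `docker compose config` when those are in use.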

@renuka-fernando renuka-fernando changed the title from "Update configs for gateway release" to "Include system policies in Gateway Builder" Jan 15, 2026
Tharsanan1 previously approved these changes Jan 15, 2026
@renuka-fernando renuka-fernando merged commit 2e05ce0 into wso2:main Jan 15, 2026
4 checks passed