[UI] Add global policies support for LLM providers and proxies#2247

Open
ashera96 wants to merge 6 commits into wso2:main from ashera96:pr/global-policy-llm-infra

@ashera96

Purpose

Portal UI, event-gateway, CLI, samples, and documentation updates to support the globalPolicies / operationPolicies feature and the v1alpha2 version bump.

AI Workspace portal.

  • Guardrails tabs for LLM proxies (LLMProxyGuardrailsTab) and service providers (ServiceProviderGuardrailsTab) updated to surface global vs. per-operation policy configuration.

CLI.

  • Sample YAML resources and generator updated to v1alpha2.

Samples.

  • LLM provider/proxy sample YAMLs updated to v1alpha2 artifact apiVersion.

Docs.

  • Gateway REST API reference pages updated to reflect the new globalPolicies / operationPolicies fields and v1alpha2 versions.

CI.

  • operator-integration-test.yml YAML indentation fixes (two annotation blocks had a one-space misalignment that caused YAML parse failures at apply time).

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Contributor

Warning

Review limit reached

@ashera96, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 22 minutes and 17 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6fb5e6aa-cefa-49cd-8be5-a6d3b2d6151a

📥 Commits

Reviewing files that changed from the base of the PR and between 5f307d2 and 6b7e548.

📒 Files selected for processing (3)
  • docs/gateway/quick-start-guide.md
  • docs/rest-apis/gateway/schemas.md
  • portals/ai-workspace/cypress/e2e/001-providers/001-provider-and-proxy.cy.js
📝 Walkthrough

This pull request advances the WSO2 API platform gateway API group version from v1alpha1 (management path v0.9) to v1alpha2 across the entire codebase. The version string is updated in CLI command examples, test fixtures, the MCP generator, all sample YAML manifests and shell scripts, portal configuration files, Docker Compose environment variables, and all management portal React hook fetch targets. Concurrently, a new policy model is introduced: GlobalPolicy and OperationPolicy TypeScript interfaces are added to types.ts, and the corresponding globalPolicies/operationPolicies fields are added to LLMProvider, Proxy, and related request types. The LLMProxyGuardrailsTab and ServiceProviderGuardrailsTab components are rewritten to read, edit, and remove guardrail policies from all three sources (global, operation, legacy). ServiceProviderNew switches from the legacy paths-based policies payload to globalPolicies on provider creation. Schema and REST API reference documentation are updated to document the new policy structure and mark the policies field as deprecated.

Suggested Reviewers

  • Arshardh
  • VirajSalaka
  • Tharsanan1
  • RakhithaRR
  • HeshanSudarshana
  • PasanT9
  • Krishanx92
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately reflects the main change: adding global policies support for LLM providers and proxies with UI component updates. |
| Description check | ✅ Passed | The description addresses Purpose, Goals, and Approach sections with adequate detail about portal, CLI, samples, and documentation updates, though some template sections are not included. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@ashera96 changed the title from "[UI] Add global policies support for LLM providers and proxies (portals, infra, docs)" to "[UI] Add global policies support for LLM providers and proxies" on Jun 22, 2026
@ashera96

Author

@coderabbitai please review

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Contributor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Get PR info
gh pr view 2247 --repo wso2/api-platform --json title,body,files,additions,deletions,changedFiles

echo "---FILES---"
gh pr diff 2247 --repo wso2/api-platform

Length of output: 188414



@ashera96 The changes look well-structured overall. The tri-source (global / operation / legacy) discrimination in both guardrail tabs is clean, and the backward-compatible deprecation of policies is a good approach. A few items worth addressing:


Bug — stale v0.9 URL in docs/gateway/quick-start-guide.md

Every other doc file updates both the curl URL and the apiVersion field in the YAML body, but docs/gateway/quick-start-guide.md only updates the apiVersion in the body while leaving the URL at v0.9:

# Line 40 — URL not updated (should be v1alpha2):
 curl -X POST http://localhost:9090/api/management/v0.9/rest-apis \
   -u admin:admin \
   -H "Content-Type: application/yaml" \
   --data-binary `@-` <<'EOF'
-apiVersion: gateway.api-platform.wso2.com/v1alpha1
+apiVersion: gateway.api-platform.wso2.com/v1alpha2
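Review bot: On the `--data-binary` context line, `@-` is wrapped in backticks, which a shell treats as command substitution if the snippet is pasted as shown, so curl would never read the heredoc from stdin. The argument in the doc should be the bare `--data-binary @-`; worth confirming the file itself does not carry the backticks.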

This would send the request to the old endpoint and fail against a v1alpha2-only server.


Minor — orphaned webhook secret schemas in docs/rest-apis/gateway/schemas.md

Four new schemas are added (WebhookSecretCreationRequest, WebhookSecretInfo, WebhookSecretCreationResponse, WebhookSecretListResponse) with no corresponding endpoint documentation page referencing them. If these belong to a follow-up PR, consider noting that in the PR description or adding a stub doc page to avoid a dangling schema section.


Minor — splice vs immutable pattern in handleRemoveAppliedGuardrail

Both tab components use operationPolicies.splice(policyIndex, 1) on a spread-copied array. This is technically safe, but inconsistent with the immutable filter/flatMap pattern used for policies and globalPolicies in the same function. A filter-based approach would read more uniformly:

// instead of splice:
operationPolicies.splice(policyIndex, 1);

// consistent alternative:
return { ...prev, operationPolicies: operationPolicies.filter((_, i) => i !== policyIndex) };

The rest of the version-bump sweep across CLI, samples, configs, and doc reference pages looks complete and consistent. The ServiceProviderNew.tsx migration from path-bound policies to globalPolicies on provider creation is correct and aligns with the new schema.
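The stale-URL finding above can be caught mechanically before review. The following is an added example, not part of the PR or of CodeRabbit's output: a Python check that pairs the management path of each curl command with the apiVersion in its heredoc body. The version pairing is taken from the walkthrough in this thread; the function name, the regexes and the sample document are constructed for illustration, and the check assumes `curl` and the URL sit on the same line.

```python
import re

# Management path expected for each artifact apiVersion, per this thread's
# walkthrough (v1alpha1 was served under v0.9). Assumption: no other pairs.
EXPECTED_PATH = {"v1alpha1": "v0.9", "v1alpha2": "v1alpha2"}

URL_RE = re.compile(r"/api/management/([A-Za-z0-9.]+)/")
API_VERSION_RE = re.compile(
    r"^\s*apiVersion:\s*gateway\.api-platform\.wso2\.com/(\S+)\s*$")
HEREDOC_RE = re.compile(r"<<-?\s*['\"]?(\w+)['\"]?")


def find_version_mismatches(text):
    """Return (line_no, path_version, api_version) for every curl heredoc
    whose management path does not match the apiVersion in its body."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        url = URL_RE.search(lines[i]) if "curl" in lines[i] else None
        if not url:
            i += 1
            continue
        start, terminator = i, None
        # Follow the backslash-continued command to its heredoc marker.
        while i < len(lines):
            marker = HEREDOC_RE.search(lines[i])
            if marker:
                terminator = marker.group(1)
                break
            if not lines[i].rstrip().endswith("\\"):
                break
            i += 1
        i += 1
        if terminator is None:
            continue  # curl without a heredoc body: nothing to compare
        # Scan the heredoc body for the first apiVersion line.
        while i < len(lines) and lines[i].strip() != terminator:
            body = API_VERSION_RE.match(lines[i])
            if body:
                # An unknown apiVersion maps to None and is reported too.
                if EXPECTED_PATH.get(body.group(1)) != url.group(1):
                    findings.append((start + 1, url.group(1), body.group(1)))
                break
            i += 1
    return findings


# Constructed sample: the first snippet reproduces the stale path described
# in the review, the second is the corrected form.
SAMPLE_DOC = r"""
curl -X POST http://localhost:9090/api/management/v0.9/rest-apis \
  -H "Content-Type: application/yaml" \
  --data-binary @- <<'EOF'
apiVersion: gateway.api-platform.wso2.com/v1alpha2
EOF

curl -X POST http://localhost:9090/api/management/v1alpha2/rest-apis \
  -H "Content-Type: application/yaml" \
  --data-binary @- <<'EOF'
apiVersion: gateway.api-platform.wso2.com/v1alpha2
EOF
"""

if __name__ == "__main__":
    for line_no, path, api in find_version_mismatches(SAMPLE_DOC):
        print(f"line {line_no}: path {path} does not serve apiVersion {api}")
```
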

@ashera96 force-pushed the pr/global-policy-llm-infra branch from baa60ad to 5f307d2 on June 23, 2026 05:21

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/gateway/quick-start-guide.md (1)

38-43: 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Endpoint URL does not match updated API version.

Line 39 uses the legacy /api/management/v0.9/rest-apis endpoint, but line 43 specifies apiVersion: gateway.api-platform.wso2.com/v1alpha2. The endpoint and API version must be aligned; a v1alpha2-only server would reject this request since v0.9 does not support the v1alpha2 API group.

Update the curl endpoint to /api/management/v1alpha2/rest-apis to match the apiVersion in the payload.

🔧 Proposed fix
 # Deploy an API configuration
-curl -X POST http://localhost:9090/api/management/v0.9/rest-apis \
+curl -X POST http://localhost:9090/api/management/v1alpha2/rest-apis \
   -u admin:admin \
   -H "Content-Type: application/yaml" \
   --data-binary `@-` <<'EOF'
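Review bot: The unchanged `-u admin:admin` context line keeps a fixed admin credential pair in the quick-start, sent as HTTP Basic over plain `http://localhost:9090`. Since this command is being edited anyway, add a sentence beside the snippet stating that these credentials are for the local quick-start only and must be changed before the management API is reachable from anywhere else.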
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/rest-apis/gateway/schemas.md`:
- Around line 3861-3981: The diff adds four new webhook secret schemas
(WebhookSecretCreationRequest, WebhookSecretInfo, WebhookSecretCreationResponse,
and WebhookSecretListResponse) but does not include the REST operation
documentation that uses these schemas. Add corresponding operation documentation
sections for the webhook secret endpoints such as creating a secret (POST
operation using WebhookSecretCreationRequest and WebhookSecretCreationResponse)
and listing secrets (GET operation using WebhookSecretListResponse), and any
other related operations like regenerate or delete that are referenced in the
schema descriptions. This ensures the new schemas are properly referenced by
actual API endpoint documentation and avoids orphaned schema definitions.
- Line 3929: The example secret value on line 3929 appears as a
production-shaped string that triggers secret-scanner warnings and looks like a
real credential in documentation. Replace the current secret value with a
clearly synthetic placeholder that obviously cannot be a real secret, such as
using a simple pattern like "whsec_test1234567890test1234567890test12345678" or
similar obviously-fake variant that maintains the same prefix but is
unmistakably an example value. This will reduce noise in secret scanning tools
while keeping the documentation examples clear and usable.

In
`@portals/ai-workspace/src/pages/appShell/appShellPages/proxies/LLMProxyGuardrailsTab.tsx`:
- Around line 258-273: Legacy policies with no paths are created with pathIndex
set to null around line 264, but the update handler (around lines 469-473) only
applies changes when pathIndex is not null, preventing edits from being saved.
Modify the condition in the update logic that checks pathIndex !== null to also
handle the case where pathIndex === null for legacy policies, and ensure the
update mechanism properly persists changes to these legacy policy items by
retrieving and updating the correct policy in the policies array using the
policyIndex identifier instead of relying on pathIndex.

In
`@portals/ai-workspace/src/pages/appShell/appShellPages/serviceProvider/ServiceProviderGuardrailsTab.tsx`:
- Around line 278-287: The legacy edit handling code does not properly process
updates for pathless legacy policies that have pathIndex set to null. Locate the
legacy edit branch (the code that handles edit operations for legacy policies)
and add a condition to handle the case where pathIndex is null. When a legacy
policy item with pathIndex of null is edited, ensure the update is written to
the policy object similar to how it's handled for non-null path indices. This
fix should apply to both the main edit handler and the corresponding section
around line 486-491 to ensure consistency.

---

Outside diff comments:
In `@docs/gateway/quick-start-guide.md`:
- Around line 38-43: The curl endpoint URL in the POST request uses the legacy
`/api/management/v0.9/rest-apis` path, which does not match the apiVersion
declared in the YAML payload as `gateway.api-platform.wso2.com/v1alpha2`. Update
the endpoint path from `/api/management/v0.9/rest-apis` to
`/api/management/v1alpha2/rest-apis` to ensure the endpoint version aligns with
the v1alpha2 API version specified in the apiVersion field of the request body,
allowing the server to properly handle the request.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4c971c2b-a475-41e7-8bef-50d7c634a052

📥 Commits

Reviewing files that changed from the base of the PR and between 4789843 and 5f307d2.

📒 Files selected for processing (81)
  • cli/it/resources/gateway/sample-api.yaml
  • cli/it/resources/gateway/sample-mcp-config.yaml
  • cli/src/cmd/gateway/restapi/apikey/create.go
  • cli/src/cmd/gateway/subscription/create.go
  • cli/src/cmd/gateway/subscriptionplan/create.go
  • cli/src/internal/gateway/cr_test.go
  • cli/src/internal/mcp/generator.go
  • docs/ai-gateway/analytics/analytics-header-filter.md
  • docs/ai-gateway/llm/guardrails/aws-bedrock-guardrail.md
  • docs/ai-gateway/llm/guardrails/azure-content-safety.md
  • docs/ai-gateway/llm/guardrails/content-length.md
  • docs/ai-gateway/llm/guardrails/json-schema.md
  • docs/ai-gateway/llm/guardrails/pii-masking-regex.md
  • docs/ai-gateway/llm/guardrails/regex.md
  • docs/ai-gateway/llm/guardrails/semantic-prompt-guard.md
  • docs/ai-gateway/llm/guardrails/sentence-count.md
  • docs/ai-gateway/llm/guardrails/url.md
  • docs/ai-gateway/llm/guardrails/word-count.md
  • docs/ai-gateway/llm/llm-templates.md
  • docs/ai-gateway/llm/load-balancing/model-round-robin.md
  • docs/ai-gateway/llm/load-balancing/model-weighted-round-robin.md
  • docs/ai-gateway/llm/prompt-management/prompt-decorator.md
  • docs/ai-gateway/llm/prompt-management/prompt-template.md
  • docs/ai-gateway/llm/quick-start-guide.md
  • docs/ai-gateway/llm/semantic-caching.md
  • docs/ai-gateway/mcp/policies/mcp-acl-list.md
  • docs/ai-gateway/mcp/policies/mcp-authentication.md
  • docs/ai-gateway/mcp/policies/mcp-authorization.md
  • docs/ai-gateway/mcp/policies/mcp-rewrite.md
  • docs/ai-gateway/mcp/quick-start-guide.md
  • docs/cli/apiproject/README.md
  • docs/cli/gateway/README.md
  • docs/gateway/analytics/analytics-header-filter.md
  • docs/gateway/artifact-templating.md
  • docs/gateway/bottom-up-api-deployment-guide.md
  • docs/gateway/immutable-gateway.md
  • docs/gateway/quick-start-guide.md
  • docs/rest-apis/gateway/README.md
  • docs/rest-apis/gateway/certificate-management.md
  • docs/rest-apis/gateway/llm-provider-management.md
  • docs/rest-apis/gateway/llm-provider-template-management.md
  • docs/rest-apis/gateway/llm-proxy-management.md
  • docs/rest-apis/gateway/mcp-proxy-management.md
  • docs/rest-apis/gateway/rest-api-management.md
  • docs/rest-apis/gateway/schemas.md
  • docs/rest-apis/gateway/secrets-management.md
  • docs/rest-apis/gateway/webbroker-api-management.md
  • docs/rest-apis/gateway/websub-api-management.md
  • gateway/spec/impls/2-use-sqlite/data-model.md
  • portals/ai-workspace/configs/config-platform-api-template.toml
  • portals/ai-workspace/configs/config-platform-api.toml
  • portals/ai-workspace/configs/config-template.toml
  • portals/ai-workspace/configs/config.toml
  • portals/ai-workspace/docker-compose.yaml
  • portals/ai-workspace/src/apis/platformApis.ts
  • portals/ai-workspace/src/clients/choreoApiClient.ts
  • portals/ai-workspace/src/config.env.ts
  • portals/ai-workspace/src/contexts/ChoreoUserContext.tsx
  • portals/ai-workspace/src/pages/appShell/appShellPages/proxies/LLMProxyGuardrailsTab.tsx
  • portals/ai-workspace/src/pages/appShell/appShellPages/serviceProvider/ServiceProviderGuardrailsTab.tsx
  • portals/ai-workspace/src/pages/appShell/appShellPages/serviceProvider/ServiceProviderNew.tsx
  • portals/ai-workspace/src/utils/types.ts
  • portals/management-portal/src/hooks/GithubAPICreation.ts
  • portals/management-portal/src/hooks/apiPublish.ts
  • portals/management-portal/src/hooks/apis.ts
  • portals/management-portal/src/hooks/deployments.ts
  • portals/management-portal/src/hooks/devportals.ts
  • portals/management-portal/src/hooks/gateways.ts
  • portals/management-portal/src/hooks/orgs.tsx
  • portals/management-portal/src/hooks/projects.ts
  • portals/management-portal/src/hooks/validation.ts
  • portals/management-portal/src/pages/overview/StepTwoApis.tsx
  • samples/ai-gw-llm-proxy/inject-mock.sh
  • samples/ai-gw-llm-proxy/provider.yaml
  • samples/ai-gw-llm-proxy/proxy.yaml
  • samples/ai-gw-mcp-claude-desktop/inject-mock.sh
  • samples/ai-gw-mcp-claude-desktop/mcp.yaml
  • samples/llm-cost-control-and-privacy-control/llm-provider.yaml
  • samples/llm-cost-control-and-privacy-control/llm-proxy.yaml
  • samples/llm-cost-control-and-privacy-control/setup.sh
  • samples/llm-cost-control-and-privacy-control/teardown.sh

Comment thread docs/rest-apis/gateway/schemas.md
Comment thread docs/rest-apis/gateway/schemas.md Outdated
@ashera96 force-pushed the pr/global-policy-llm-infra branch from 6a5be7a to 7514ba9 on June 23, 2026 05:50