Conversation

@Tharsanan1 Tharsanan1 commented Feb 11, 2026

Fixes: wso2/api-platform#1074

Summary by CodeRabbit

  • New Features

    • AWS Bedrock guardrail exposes credential and system configuration; Semantic Cache gains embedding/vector-store settings; Semantic Prompt Guard adds allowed/denied phrase lists; Prompt Decorator accepts JSON string or object; XML/JSON policies default flows updated.
  • Bug Fixes

    • Stricter validation and conditional rules added (minItems, required fields, conditional requirements); many policies now require at least one of request or response configuration.
  • Documentation

    • Policy descriptions and field wording simplified and standardized for clarity.

coderabbitai bot commented Feb 11, 2026

Warning

Rate limit exceeded

@Tharsanan1 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 55 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

Updates to ~40 policy-definition YAMLs: concise description rewrites, tighter validation (minItems/minLength/required/additionalProperties), schema restructures (properties blocks, systemParameters), and added conditional rules (anyOf/allOf) to enforce context-dependent field presence.

Changes

Cohort / File(s) Summary
Description-only
policies/basic-auth/policy-definition.yaml, policies/model-round-robin/policy-definition.yaml, policies/model-weighted-round-robin/policy-definition.yaml, policies/respond/policy-definition.yaml, policies/set-headers/policy-definition.yaml, policies/log-message/policy-definition.yaml
Shortened/clarified top-level descriptions and parameter descriptions; no schema or behavioral changes.
Header policies
policies/add-headers/policy-definition.yaml, policies/set-headers/policy-definition.yaml, policies/modify-headers/policy-definition.yaml, policies/remove-headers/policy-definition.yaml
Clarified append vs overwrite semantics; added minItems and conditional requirements (e.g., SET requires value); added anyOf requiring requestHeaders or responseHeaders when applicable.
Rate limiting
policies/advanced-ratelimit/policy-definition.yaml, policies/basic-ratelimit/policy-definition.yaml, policies/token-based-ratelimit/policy-definition.yaml
Advanced ratelimit significantly restructured (quotas required, per-quota key/costExtraction, conditional validation); token-based limits add minItems and anyOf; basic-ratelimit only description trimmed.
Auth / JWT / API key
policies/api-key-auth/policy-definition.yaml, policies/jwt-auth/policy-definition.yaml
Simplified descriptions; moved minLength/maxLength to top-level properties; expanded required to include location (in); clarified requiredClaims semantics.
Guardrails / Content validation
policies/json-schema-guardrail/policy-definition.yaml, policies/regex-guardrail/policy-definition.yaml, policies/content-length-guardrail/policy-definition.yaml, policies/word-count-guardrail/policy-definition.yaml, policies/sentence-count-guardrail/policy-definition.yaml, policies/url-guardrail/policy-definition.yaml, policies/azure-content-safety-content-moderation/policy-definition.yaml, policies/aws-bedrock-guardrail/policy-definition.yaml
Introduced anyOf requiring request or response, tightened jsonPath/regex/minLength/min/max constraints, standardized invert/showAssessment wording, added category threshold fields and systemParameters in moderation/guardrail policies.
Rewrite & routing
policies/request-rewrite/policy-definition.yaml, policies/mcp-rewrite/policy-definition.yaml, policies/modify-headers/policy-definition.yaml
Added extensive conditional validation (allOf) to require type/action-specific fields (pathRewrite, queryRewrite, match.headers/queryParams); MCP rewrite adds structured properties and required fields for tools/resources/prompts.
MCP & Authorization
policies/mcp-acl-list/policy-definition.yaml, policies/mcp-auth/policy-definition.yaml, policies/mcp-authz/policy-definition.yaml
Restructured parameters with explicit properties/additionalProperties:false; expanded schemas for tools/resources/prompts; mcp-authz gains rules array, attribute enums/defaults, and anyOf requiring claims or scopes.
Prompt / Semantic features
policies/prompt-decorator/policy-definition.yaml, policies/prompt-template/policy-definition.yaml, policies/semantic-cache/policy-definition.yaml, policies/semantic-prompt-guard/policy-definition.yaml
Allowed promptDecoratorConfig to be string or object; added systemParameters and embedding/vector-store config for semantic-cache; semantic-prompt-guard adds allowedPhrases/deniedPhrases with anyOf requirement.
Transform policies
policies/json-to-xml/policy-definition.yaml, policies/xml-to-json/policy-definition.yaml
json-to-xml: parameters restructured under properties with additionalProperties:false; xml-to-json: default booleans changed (onRequestFlow/onResponseFlow true) and descriptions simplified.
CORS & security
policies/cors/policy-definition.yaml, policies/pii-masking-regex/policy-definition.yaml
CORS: added conditional allOf enforcing non-"*" constraints when allowCredentials is true. PII masking: added piiEntities validation (minItems/minLength/pattern), redactPII flag, and systemParameters.
Analytics & logging
policies/analytics-header-filter/policy-definition.yaml, policies/log-message/policy-definition.yaml
Reworded descriptions; removed headers from required lists in analytics filter; clarified independent request/response application.
Misc small updates
policies/content-length-guardrail/policy-definition.yaml, policies/json-schema-guardrail/policy-definition.yaml, policies/regex-guardrail/policy-definition.yaml, policies/url-guardrail/policy-definition.yaml, policies/word-count-guardrail/policy-definition.yaml, policies/sentence-count-guardrail/policy-definition.yaml
Standardized phase descriptions, tightened field docs and constraints, and added anyOf requiring request or response for multiple guardrail policies.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I hop through YAML, tidy and bright,
Trimming descriptions, setting constraints right.
anyOf and allOf now guard every door,
Headers and prompts, quotas and more.
A rabbit’s small cheer for schemas made tight!

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description is missing critical sections required by the template, including Purpose, Goals, Approach, User stories, Release note, Documentation, and other required sections. Complete the PR description using the provided template. Include Purpose (link to issue), Goals, Approach, User stories, Release note, Documentation links, and other required sections (Training, Certification, Marketing, Automation tests, Security checks, Samples, Related PRs, Migrations, Test environment, Learning).
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Improve policy definition validation and description quality' clearly summarizes the main objective of the changeset, which involves enhancing validation schemas and refining descriptions across multiple policy definition files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
policies/semantic-prompt-guard/policy-definition.yaml (1)

33-50: ⚠️ Potential issue | 🟡 Minor

Consider adding minItems: 1 to allowedPhrases and deniedPhrases.

The anyOf constraint correctly enforces that at least one of the two phrase lists is provided. However, required only checks that the key is present — a user could supply allowedPhrases: [] (an empty array) and pass validation, leaving the policy with nothing to match against at runtime.

Based on learnings, policy configurations are validated against these schemas at API creation/policy attachment time, so tightening this here prevents a misconfiguration from reaching runtime.

Proposed fix
     allowedPhrases:
       type: array
       description: |
         List of phrases that are considered safe. The prompt must match one of these
         within allowSimilarityThreshold. Embeddings will be automatically generated
         for these phrases during policy initialization.
+      minItems: 1
       items:
         type: string
         description: Phrase text to allow
     deniedPhrases:
       type: array
       description: |
         List of phrases that should block the prompt when similar within the
         denySimilarityThreshold. Embeddings will be automatically generated
         for these phrases during policy initialization.
+      minItems: 1
       items:
         type: string
         description: Phrase text to deny
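Review bot: `minItems: 1` on both lists still admits an entry that is an empty string, because the `items` schema here is only `type: string`; adding `minLength: 1` to the items closes that, since `allowedPhrases: [""]` would satisfy both the anyOf and minItems yet give the guard nothing meaningful to embed.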

Also applies to: 55-59

policies/semantic-cache/policy-definition.yaml (1)

56-61: ⚠️ Potential issue | 🟡 Minor

Add minimum constraints to integer system parameters.

embeddingDimension, dbPort, and ttl accept any integer, including zero or negative values, which are never valid for these fields. Since these schemas are the validation gate at policy-attach time, adding bounds here prevents invalid configs from reaching runtime. Based on learnings, policy configurations are validated against their policy-definition.yaml schemas when APIs are created or policies are attached, before runtime execution.

Proposed fix
     embeddingDimension:
       type: integer
       description: |
         Dimension of embedding vectors (required for some vector databases)
         Common values: 1536 (OpenAI ada-002), 1024 (Mistral), etc.
+      minimum: 1
       "wso2/defaultValue": "${config.embedding_provider_dimension}"
     dbPort:
       type: integer
       description: Vector database port (required for Redis/Milvus)
+      minimum: 1
+      maximum: 65535
       "wso2/defaultValue": "${config.vector_db_provider_port}"
     ttl:
       type: integer
       description: Vector database TTL (optional)
+      minimum: 0
       "wso2/defaultValue": "${config.vector_db_provider_ttl}"
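Review bot: `minimum: 0` on ttl keeps zero as a valid value, while the comment's own rationale for the other two bounds is that zero is never valid; the description "Vector database TTL (optional)" should state the unit and whether 0 means no expiry or immediate expiry, or the floor should be 1 if a zero TTL is not meaningful for the cache.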

Also applies to: 82-85, 98-101

policies/url-guardrail/policy-definition.yaml (1)

28-34: ⚠️ Potential issue | 🟡 Minor

A timeout of 0 would cause DNS/HTTP HEAD checks to fail instantly.

minimum: 0 allows a zero-millisecond timeout, which is almost certainly not useful for network operations. Consider minimum: 1 (or a more practical floor like 100) to prevent misconfiguration.

policies/azure-content-safety-content-moderation/policy-definition.yaml (1)

92-94: ⚠️ Potential issue | 🟡 Minor

Response-phase passthroughOnError description incorrectly references "requests".

This appears to be copy-pasted from the request block. In the response phase, it should reference responses rather than requests.

📝 Proposed fix
         description: |
-            If true, allows requests to proceed if Azure Content Safety API call fails.
-            If false (default), blocks requests on API errors.
+            If true, allows responses to proceed if Azure Content Safety API call fails.
+            If false (default), blocks responses on API errors.
🤖 Fix all issues with AI agents
In `@policies/mcp-authz/policy-definition.yaml`:
- Around line 66-70: The anyOf block is currently nested under the properties
map and thus treated as a property instead of a validation keyword; move the
anyOf key out of the properties object so it becomes a sibling of
properties/additionalProperties/required within the item schema (i.e., place
anyOf at the same level as properties, required, additionalProperties in the
items object) and ensure the anyOf entries reference the requiredClaims and
requiredScopes property requirements so the array item validates correctly given
additionalProperties: false.

In `@policies/pii-masking-regex/policy-definition.yaml`:
- Around line 24-25: The pattern for piiEntity names in policy-definition.yaml
currently allows underscore-only values; update the "pattern" value so the regex
requires at least one letter (e.g., start with an uppercase letter and then
allow uppercase letters or underscores) instead of permitting strings composed
solely of underscores, ensuring valid entity names like "EMAIL" or "PII_ENTITY"
but not "_" or "___".
🧹 Nitpick comments (7)
policies/semantic-cache/policy-definition.yaml (1)

102-109: Add conditional validation for embeddingModel when embeddingProvider is OPENAI or MISTRAL.

embeddingModel is documented as required for OPENAI and MISTRAL providers but is not listed in the required fields. Many other policy files in this codebase (word-count-guardrail, url-guardrail, set-headers, request-rewrite, and 10+ others) use anyOf/allOf conditional validation to enforce provider-specific requirements. Applying the same pattern here would catch misconfiguration at policy attach time rather than runtime.

policies/token-based-ratelimit/policy-definition.yaml (1)

26-26: Pre-existing: duration pattern allows negative values.

The regex ^[-+]?... permits negative durations (e.g., "-5m"), which is semantically invalid for a rate-limit time window. This is pre-existing and outside the scope of this PR, but worth a follow-up to tighten the pattern (e.g., remove the [-+]? prefix or replace with [+]?).

policies/set-headers/policy-definition.yaml (1)

10-14: Missing minItems: 1 on requestHeaders and responseHeaders — inconsistent with sibling policies.

The add-headers policy now enforces minItems: 1 on both header arrays, but set-headers does not. An empty array would pass validation here but serve no purpose. Consider adding the same constraint for consistency.

Suggested diff
     requestHeaders:
       type: array
       description: Array of headers that need to set to the request during request phase. At least
         one of requestHeaders or responseHeaders must be specified.
+      minItems: 1
       items:
     responseHeaders:
       type: array
       description: Array of headers that need to set to the response during response phase. At
         least one of requestHeaders or responseHeaders must be specified.
+      minItems: 1
       items:
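Review bot: the descriptions in this hunk read "headers that need to set to the request"; since this PR is standardising wording, "Headers to set on the request during the request phase" (and likewise for the response) is clearer. The hunk also stops at `items:`, so whether each header item requires a non-empty name and value is not visible here; the same presence-only concern applies at that level.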

Also applies to: 32-36

policies/mcp-acl-list/policy-definition.yaml (1)

8-77: Consider adding an anyOf constraint to require at least one of tools, resources, or prompts.

Other policies in this PR consistently add anyOf blocks to ensure at least one meaningful configuration section is provided. Without it, a user could attach this policy with an empty object {}, which would be a no-op. If that's intentional (no ACL = pass-through), please disregard.

Suggested addition after line 77
+  anyOf:
+  - required:
+    - tools
+  - required:
+    - resources
+  - required:
+    - prompts
policies/aws-bedrock-guardrail/policy-definition.yaml (1)

99-106: awsRoleARN and awsRoleRegion are missing minLength: 1 unlike other string fields.

Other optional string fields in this block (awsAccessKeyID, awsSecretAccessKey, awsSessionToken, awsRoleExternalID) all have minLength: 1. These two fields omit it, which would allow empty strings to pass validation if provided. Consider adding minLength: 1 for consistency if empty strings are not meaningful.

Proposed fix
     awsRoleARN:
       type: string
       description: AWS IAM role ARN to assume (for role-based authentication). If specified, runtime assumes this role instead of using static credentials.
+      minLength: 1
       "wso2/defaultValue": "${config.awsbedrock_role_arn}"
     awsRoleRegion:
       type: string
       description: AWS region for role assumption (required if awsRoleARN is specified).
+      minLength: 1
       "wso2/defaultValue": "${config.awsbedrock_role_region}"
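Review bot: the awsRoleRegion description says it is required whenever awsRoleARN is specified, but the hunk only adds `minLength: 1`; since this PR already uses allOf/anyOf conditionals elsewhere, an allOf rule that requires awsRoleRegion when awsRoleARN is set would enforce that dependency at attach time instead of leaving it to the description.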
policies/advanced-ratelimit/policy-definition.yaml (2)

62-91: Duplicated keyExtraction item schema between per-quota and global levels.

The item schema for keyExtraction at the per-quota level (lines 69-91) and the global level (lines 177-199) are identical. If JSON Schema $ref or YAML anchors/aliases are supported by the schema consumer, you could DRY this up. Not blocking, but worth considering if the schema grows further.

Also applies to: 170-199


67-67: minItems: 0 is redundant.

Arrays allow zero items by default in JSON Schema, so minItems: 0 has no effect. Same applies to line 175. Removing them would reduce noise, but this is purely cosmetic.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@policies/mcp-authz/policy-definition.yaml`:
- Around line 49-65: The schema allows empty requiredClaims ({}) or
requiredScopes ([]) which satisfy presence checks but enforce nothing; update
the policy-definition.yaml schema by adding minProperties: 1 to the
requiredClaims object definition and minItems: 1 to the requiredScopes array
definition so empty values are rejected at validation time (look for the
requiredClaims and requiredScopes definitions and add the respective
minProperties/minItems constraints).
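An added example, not code from this PR or the wso2/api-platform project, illustrating both review points on policies/mcp-authz/policy-definition.yaml: an `anyOf` nested under `properties` is read as a property name and never enforced, and `required` alone accepts an empty `requiredClaims` or `requiredScopes`. The rule-item schema below is a constructed approximation of the file, and `validate` is a hypothetical mini checker covering only the keywords involved.

```python
import copy


def validate(instance, schema):
    """Return violations as a list (empty means valid). Hypothetical checker for
    this example; type checks cover only object/array, and anyOf is honoured only
    when it sits at keyword level, which is exactly the defect under review."""
    errors = []
    t = schema.get("type")
    if (t == "object" and not isinstance(instance, dict)) or \
       (t == "array" and not isinstance(instance, list)):
        return [f"expected {t}, got {type(instance).__name__}"]
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"missing required property {key!r}")
        if len(instance) < schema.get("minProperties", 0):
            errors.append("object has fewer than minProperties entries")
        for key, value in instance.items():
            if key in props:
                errors += validate(value, props[key])
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"additional property {key!r} not allowed")
    if isinstance(instance, list):
        if len(instance) < schema.get("minItems", 0):
            errors.append("array has fewer than minItems entries")
        for item in instance:
            errors += validate(item, schema.get("items", {}))
    if "anyOf" in schema and not any(validate(instance, s) == [] for s in schema["anyOf"]):
        errors.append("instance matches none of the anyOf branches")
    return errors


# Constructed approximation of the mcp-authz rule item: anyOf sits inside
# properties, so it declares a property named "anyOf" instead of a constraint.
RULE_ITEM_BUGGY = {
    "type": "object",
    "additionalProperties": False,
    "properties": {
        "requiredClaims": {"type": "object"},
        "requiredScopes": {"type": "array", "items": {"type": "string"}},
        "anyOf": [{"required": ["requiredClaims"]}, {"required": ["requiredScopes"]}],
    },
}


def fixed_rule_item():
    """Hoist anyOf to keyword level and add the emptiness bounds the reviews ask for."""
    fixed = copy.deepcopy(RULE_ITEM_BUGGY)
    fixed["anyOf"] = fixed["properties"].pop("anyOf")
    fixed["properties"]["requiredClaims"]["minProperties"] = 1
    fixed["properties"]["requiredScopes"]["minItems"] = 1
    return fixed


# Constructed sample rule items
NO_CONSTRAINT = {}                      # neither claims nor scopes: should be rejected
EMPTY_SCOPES = {"requiredScopes": []}   # key present but enforces nothing
GOOD = {"requiredClaims": {"role": "admin"}, "requiredScopes": ["read"]}
```

With the buggy schema both `NO_CONSTRAINT` and `EMPTY_SCOPES` validate cleanly; the hoisted `anyOf` rejects the first and `minItems: 1` rejects the second, while `GOOD` still passes.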


Successfully merging this pull request may close these issues.

Improve policy definition validation and description quality in policies