Updated policy definitions #1817

Merged
Krishanx92 merged 1 commit into wso2:main from Saadha123:Feat/consumer-brl-policy-def
Apr 29, 2026

Conversation

@Saadha123 (Contributor)

Purpose

Updated policy definitions of released policies.

  • advanced-ratelimit
  • api-key-auth
  • llm-cost-based-ratelimit
  • token-based-ratelimit

@coderabbitai (Bot) commented Apr 29, 2026

📝 Walkthrough

Updated policy definitions for released policies

This PR updates the policy definitions for four released policies in the gateway controller to version 1.0.3:

Version updates across all policies:

  • advanced-ratelimit: Version bumped from v1.0.2 to v1.0.3
  • api-key-auth: Version bumped from v1.0.2 to v1.0.3
  • llm-cost-based-ratelimit: Version bumped from v1.0.2 to v1.0.3
  • token-based-ratelimit: Version bumped from v1.0.2 to v1.0.3

New functional parameter:
Two policies introduce a new consumerBased boolean parameter (default: false):

  • llm-cost-based-ratelimit: Allows cost-based rate limiting counters to be tracked per GenAI consumer/application or shared across all consumers
  • token-based-ratelimit: Enables rate limit tracking to be scoped independently per consumer or shared across all consumers

The changes maintain backward compatibility with existing configurations while providing enhanced flexibility for consumer-specific rate limiting behavior.

Walkthrough

Four gateway controller policy definition files have been updated with version increments from v1.0.2 to v1.0.3. The advanced-ratelimit and api-key-auth policies receive only version updates with no functional changes. The llm-cost-based-ratelimit and token-based-ratelimit policies introduce a new boolean parameter consumerBased (default false) that enables rate-limiting counters to be tracked independently per consumer when enabled, rather than shared across all consumers.

Pre-merge checks: 3 passed, 2 failed

Failed checks (1 warning, 1 inconclusive)

  • Description check (Warning): The description is largely incomplete. It provides only the Purpose section with a list of affected policies but lacks Goals, Approach, User stories, Documentation, Automation tests, Security checks, Samples, Related PRs, and Test environment sections required by the template. Resolution: Complete the pull request description by adding the missing sections from the template, including Goals, Approach, testing details, security verification, and test environment information.
  • Title check (Inconclusive): The title is vague and generic. It uses a non-descriptive term 'Updated policy definitions' that does not convey the specific nature of the changes, such as version bumps or new parameters. Resolution: Revise the title to be more specific, such as 'Bump policy versions to v1.0.3 and add consumerBased parameter' to better reflect the main changes.

Passed checks (3 passed)

  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.


@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@gateway/gateway-controller/default-policies/llm-cost-based-ratelimit.yaml`:
- Around line 45-53: The top-level behavior text is outdated given consumerBased
defaults to false; update the main description (the file-level description
field) to state that by default a single shared rate limit applies across all
consumers and that setting consumerBased (boolean, default: false) to true
enables per-consumer scoping using the x-wso2-application-id metadata; ensure
the new wording clearly contrasts the default shared behavior with the optional
per-consumer enforcement and references the consumerBased flag and
x-wso2-application-id so readers know how to enable per-consumer limits.
📥 Commits

Reviewing files that changed from the base of the PR and between 60c4463 and dfb2dd0.

📒 Files selected for processing (4)
  • gateway/gateway-controller/default-policies/advanced-ratelimit.yaml
  • gateway/gateway-controller/default-policies/api-key-auth.yaml
  • gateway/gateway-controller/default-policies/llm-cost-based-ratelimit.yaml
  • gateway/gateway-controller/default-policies/token-based-ratelimit.yaml

Comment on lines +45 to +53
consumerBased:
type: boolean
x-wso2-policy-advanced-param: false
description: |
When true, rate limits are applied per consumer (GenAI application) identified
by the x-wso2-application-id metadata key set by the api-key-auth policy.
Each application gets its own independent cost counter.
When false (default), a single shared limit applies across all consumers.
default: false
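Review bot: the description block (lines +49 to +52) says the per-consumer key is the x-wso2-application-id metadata "set by the api-key-auth policy", but it does not say what happens when consumerBased is true and that key is absent, for example when api-key-auth is not attached to the same API. Please state that case explicitly (request rejected, or counted against the shared limit), because silently pooling every request that lacks an id into one anonymous counter would let those callers share a single bucket, which is the opposite of what enabling the flag intends. It would also help to mention in the api-key-auth policy description that it is a prerequisite for consumerBased in the two rate-limit policies.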

⚠️ Potential issue | 🟡 Minor

Top-level behavior description should be aligned with the new default.

With consumerBased defaulting to false, the file-level description still implying always per-consumer enforcement is now misleading. Please update the description to reflect shared-by-default behavior with optional per-consumer scoping.

Suggested wording update
-  The policy reads costs from SharedContext.Metadata under "x-llm-cost" (set by the llm-cost
-  system policy) and enforces per-consumer spending limits (e.g., $10 per hour, $100 per day).
+  The policy reads costs from SharedContext.Metadata under "x-llm-cost" (set by the llm-cost
+  system policy) and enforces spending limits (e.g., $10 per hour, $100 per day).
+  When `consumerBased` is enabled, limits are scoped per consumer/application.
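Review bot: the suggested replacement removes "per-consumer" from the default sentence but never says what the default actually is; since consumerBased defaults to false, the description should state it, e.g. "By default a single shared limit applies across all consumers; when `consumerBased` is enabled, limits are scoped per consumer/application identified by the x-wso2-application-id metadata key." That also names the metadata key, which the review's own prompt text asks the wording to reference.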
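The scoping this review discusses (one shared counter by default, one counter per x-wso2-application-id when consumerBased is true), as an added Python model that is not the gateway's own code; the window length is left out, and the fail-closed handling of a missing application id is an assumption of this example, not documented behaviour of the policy.

```python
"""Constructed model of the consumerBased switch for a cost-based rate limit; not the
gateway's code, just the scoping the policy text describes (shared by default)."""
from collections import defaultdict

APP_ID_KEY = "x-wso2-application-id"  # metadata key the description says api-key-auth sets
COST_KEY = "x-llm-cost"               # metadata key the policy reads the request cost from

class CostLimiter:
    def __init__(self, limit: float, consumer_based: bool = False):
        self.limit = limit                    # spend allowed per window, e.g. 10.0 for $10
        self.consumer_based = consumer_based  # mirrors the consumerBased policy parameter
        self.spent = defaultdict(float)       # counter key -> cost accumulated this window

    def counter_key(self, metadata: dict) -> str:
        """Select the counter a request charges against."""
        if not self.consumer_based:
            return "__shared__"               # default: every consumer draws on one bucket
        app_id = metadata.get(APP_ID_KEY)
        if not app_id:
            # Assumption of this example: with consumerBased on and no application id set
            # (api-key-auth not attached), deny instead of pooling callers into one bucket.
            raise PermissionError(f"consumerBased requires {APP_ID_KEY} metadata")
        return app_id

    def check(self, metadata: dict) -> bool:
        """Charge the request's cost; False means the window limit would be exceeded."""
        key = self.counter_key(metadata)
        cost = float(metadata.get(COST_KEY, 0.0))
        if self.spent[key] + cost > self.limit:
            return False
        self.spent[key] += cost
        return True

def run_demo() -> tuple:
    """Two apps each spend $6 against a $10 limit: shared vs per-consumer outcomes."""
    requests = [{APP_ID_KEY: "app-a", COST_KEY: "6"},   # constructed sample metadata
                {APP_ID_KEY: "app-b", COST_KEY: "6"}]
    shared = CostLimiter(limit=10.0)                    # consumerBased: false
    scoped = CostLimiter(limit=10.0, consumer_based=True)
    return ([shared.check(m) for m in requests], [scoped.check(m) for m in requests])

def missing_id_denied() -> bool:
    """With consumerBased on, a request carrying no application id is refused."""
    try:
        CostLimiter(limit=10.0, consumer_based=True).check({COST_KEY: "1"})
        return False
    except PermissionError:
        return True
```

With the shared counter the second app is denied because both draw on the same $10; with consumerBased each app has its own $10.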

@Krishanx92 Krishanx92 merged commit 9846705 into wso2:main Apr 29, 2026
5 checks passed