[Design Proposal] Configurable CORS for Agent APIs via API Platform Policy

[AnoshanJ]

Problem

CORS for deployed agent APIs is hardcoded in the agent-api ComponentType as a Kubernetes Gateway API type: CORS filter on the external HTTPRoute, with a single allowed origin (http://localhost:3000) baked into the platform definition.

This creates two problems:

1. No per-agent configurability: Changing allowed origins requires a full platform re-deploy of the Helm chart. There is no way for an agent developer to set their own production origins.
2. Extra layer: CORS is applied at the raw Envoy gateway layer, bypassing the API Platform policy engine where all other agent API policies (api-key-auth) are managed. The two layers are inconsistent.

User Stories

• As an agent developer, I want to specify which origins can access my agent API from the deployment drawer, so I can go from dev (localhost:3000) to production (my-app.example.com) without asking a platform operator.
• As a platform operator, I want CORS to be a first-class API Platform policy like api-key-auth so all per-API security settings are managed in one consistent place.

Existing Solutions

• Current workaround: No per-agent override exists. All agents share http://localhost:3000 as the only allowed origin.
• gateway-controllers CORS policy: The WSO2 API Platform already ships a cors v1.0.1 policy that handles CORS at the policy-engine layer, supports per-API origin lists, methods, headers, credentials, and max-age — the same mechanism used by api-key-auth today. See gateway-controllers/policies/cors.

Proposed Solution

Overview

Move CORS from the ComponentType HTTPRoute filter to the API Platform Gateway cors v1.0.1 policy, attached via the api-configuration trait's policies array. Expose allowedOrigins as a user-configurable field in the deployment drawer with the current defaults preserved.

Design

• The cors policy is added to the RestApi CRD's spec.policies array (alongside api-key-auth) on every agent deploy
• The api-configuration trait patch is extended to also remove the HTTPRoute CORS filter when attaching — making each agent's transition from old filter to new policy atomic at deploy time
• Default: allowedOrigins: ["http://localhost:3000"], standard methods and headers — no change in behavior out of the box
• Per-deployment: users configure allowedOrigins in the deployment drawer; stored per-environment in agent_configs DB table
• The DeployAgentRequest API is extended with a corsConfig field (reusing the existing spec.CORSConfig model)

Open Questions

Milestones

Phase	Scope	Target
1	Add cors policy to api-configuration trait; extend trait patch to remove HTTPRoute CORS filter atomically	TBD
2	Remove legacy CORS schema + filter from ComponentType; clean up dead config code	TBD
3	corsConfig.allowedOrigins per-deployment: DB column, API field, service logic	TBD
4	Deployment drawer UI: allowed origins input field for API agents	TBD

Dependencies: cors v1.0.1 policy must be installed and registered on the API Platform Gateway.

Related: #901