Migrate configuration format from YAML to TOML

.github/workflows/operator-integration-test.yml

@@ -472,9 +472,9 @@ jobs:
                       # Log level: "debug", "info", "warn", or "error"
                       level: debug
 
-                      # Log format: "json" or "console"
+                      # Log format: "json" or "text"
                       # - json: Structured JSON format (recommended for production)
-                      # - console: Human-readable console format (recommended for development)
+                      # - text: Human-readable text format (recommended for development)
                       format: json
 
                   policy_engine:
@@ -1442,6 +1442,10 @@ jobs:
           echo "=== All Pods Description ==="
           kubectl describe pods --all-namespaces || true
 
+          echo ""
+          echo "=== Gateway Config ConfigMap ==="
+          kubectl get configmap -l app.kubernetes.io/instance=ap-gw -o yaml || true
+
           echo ""
           echo "=== APIGateway Controller Logs ==="
           kubectl logs -l app.kubernetes.io/component=controller --tail=200 || true

.vscode/launch.json

@@ -20,15 +20,15 @@
             "program": "${workspaceFolder}/gateway/gateway-controller/cmd/controller/main.go",
             "args": [
                 "-config",
-                "${workspaceFolder}/gateway/configs/config.yaml",
+                "${workspaceFolder}/gateway/configs/config.toml",
             ],
             "env": {
-                "GATEWAY_GATEWAY__CONTROLLER_STORAGE_SQLITE_PATH": "${workspaceFolder}/gateway/gateway-controller/data/gateway.db",
-                "GATEWAY_GATEWAY__CONTROLLER_CONTROLPLANE_TOKEN": "",
-                "GATEWAY_GATEWAY__CONTROLLER_ROUTER_DOWNSTREAM__TLS_CERT__PATH": "${workspaceFolder}/gateway/gateway-controller/listener-certs/default-listener.crt",
-                "GATEWAY_GATEWAY__CONTROLLER_ROUTER_DOWNSTREAM__TLS_KEY__PATH": "${workspaceFolder}/gateway/gateway-controller/listener-certs/default-listener.key",
-                "GATEWAY_GATEWAY__CONTROLLER_ROUTER_POLICY__ENGINE_HOST": "host.docker.internal",
-                "GATEWAY_GATEWAY__CONTROLLER_POLICIES_DEFINITIONS__PATH": "${workspaceFolder}/gateway/gateway-controller/default-policies",
+                "APIP_GW_GATEWAY__CONTROLLER_STORAGE_SQLITE_PATH": "${workspaceFolder}/gateway/gateway-controller/data/gateway.db",
+                "APIP_GW_GATEWAY__CONTROLLER_CONTROLPLANE_TOKEN": "",
+                "APIP_GW_GATEWAY__CONTROLLER_ROUTER_DOWNSTREAM__TLS_CERT__PATH": "${workspaceFolder}/gateway/gateway-controller/listener-certs/default-listener.crt",
+                "APIP_GW_GATEWAY__CONTROLLER_ROUTER_DOWNSTREAM__TLS_KEY__PATH": "${workspaceFolder}/gateway/gateway-controller/listener-certs/default-listener.key",
+                "APIP_GW_GATEWAY__CONTROLLER_ROUTER_POLICY__ENGINE_HOST": "host.docker.internal",
+                "APIP_GW_GATEWAY__CONTROLLER_POLICIES_DEFINITIONS__PATH": "${workspaceFolder}/gateway/gateway-controller/default-policies",
             }
         },
         {
@@ -51,7 +51,7 @@
             "mode": "auto",
             "program": "${workspaceFolder}/gateway/policy-engine/cmd/policy-engine",
             "args": [
-                "-config", "${workspaceFolder}/gateway/configs/config.yaml" ,
+                "-config", "${workspaceFolder}/gateway/configs/config.toml" ,
                 "-xds-server", "localhost:18001",
                 "-xds-node-id", "node-1",
             ],
@@ -63,7 +63,7 @@
             "mode": "auto",
             "program": "${workspaceFolder}/gateway/policy-engine/cmd/policy-engine",
             "args": [
-                "-config", "${workspaceFolder}/gateway/configs/config.yaml",
+                "-config", "${workspaceFolder}/gateway/configs/config.toml",
                 "-policy-chains-file", "${workspaceFolder}/gateway/policy-engine/configs/policy-chains.yaml",
             ],
         },

cli/VERSION

@@ -1 +1 @@
-0.4.0-SNAPSHOT
+0.5.0-SNAPSHOT

cli/it/go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/stretchr/testify v1.11.1 // indirect
 )

cli/it/go.sum

@@ -38,8 +38,7 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=

docs/ai-gateway/analytics/moesif-analytics.md

@@ -30,9 +30,9 @@ This capability allows platform administrators and business stakeholders to gain
 
 ## Configuration
 
-Analytics is configured entirely through the gateway `config.yaml` file and is enabled at a system level.
+Analytics is configured entirely through the gateway `config.toml` file and is enabled at a system level.
 
-### System Parameters (`config.yaml`)
+### System Parameters (`config.toml`)
 
 #### Analytics
 
@@ -86,33 +86,34 @@ For Moesif analytics integration, the following publisher-specific attributes mu
 | `timer_wakeup_seconds` | int     | Yes       | Publisher timer resolution                |
 
 
-```yaml
-analytics:
-  enabled: true
-
-  publishers:
-    - type: moesif
-      enabled: true
-      settings:
-        application_id: <MOESIF_APPLICATION_ID>
-        publish_interval: 5
-        event_queue_size: 10000
-        batch_size: 50
-        timer_wakeup_seconds: 3
-
-  grpc_access_logs:
-    host: policy-engine
-    log_name: "envoy_access_log"
-    buffer_flush_interval: 1000000000
-    buffer_size_bytes: 16384
-    grpc_request_timeout: 20000000000
-
-  access_logs_service:
-    als_server_port: 18090
-    shutdown_timeout: 600
-    als_plain_text: true
-    max_message_size: 1000000000
-    max_header_limit: 8192
+```toml
+[analytics]
+enabled = true
+
+[[analytics.publishers]]
+type = "moesif"
+enabled = true
+
+[analytics.publishers.settings]
+application_id = "<MOESIF_APPLICATION_ID>"
+publish_interval = 5
+event_queue_size = 10000
+batch_size = 50
+timer_wakeup_seconds = 3
+
+[analytics.grpc_access_logs]
+host = "policy-engine"
+log_name = "envoy_access_log"
+buffer_flush_interval = 1000000000
+buffer_size_bytes = 16384
+grpc_request_timeout = 20000000000
+
+[analytics.access_logs_service]
+als_server_port = 18090
+shutdown_timeout = 600
+als_plain_text = true
+max_message_size = 1000000000
+max_header_limit = 8192
 ```
 
 

docs/ai-gateway/llm/guardrails/aws-bedrock-guardrail.md

@@ -57,24 +57,24 @@ These parameters are typically configured at the gateway level and automatically
 | `awsRoleExternalID` | string | No | External ID for role assumption (optional, for cross-account access security). |
 
 
-### Configuring System Parameters in config.yaml
+### Configuring System Parameters in config.toml
 
-System parameters can be configured globally in the gateway's `config.yaml` file. These values serve as defaults for all AWS Bedrock Guardrail policy instances and can be overridden per-policy in the API configuration if needed.
+System parameters can be configured globally in the gateway's `config.toml` file. These values serve as defaults for all AWS Bedrock Guardrail policy instances and can be overridden per-policy in the API configuration if needed.
 
-#### Location in config.yaml
+#### Location in config.toml
 
-Add the following configuration section to your `config.yaml` file:
+Add the following configuration section to your `config.toml` file:
 
-```yaml
-awsbedrock_guardrail_region: "us-east-1" 
-awsbedrock_guardrail_id: "your-guardrail-id"
-awsbedrock_guardrail_version: "DRAFT"
-awsbedrock_access_key_id: ""
-awsbedrock_secret_access_key: "" 
-awsbedrock_session_token: ""
-awsbedrock_role_arn: ""
-awsbedrock_role_region: ""
-awsbedrock_role_external_id: ""
+```toml
+awsbedrock_guardrail_region = "us-east-1" 
+awsbedrock_guardrail_id = "your-guardrail-id"
+awsbedrock_guardrail_version = "DRAFT"
+awsbedrock_access_key_id = ""
+awsbedrock_secret_access_key = "" 
+awsbedrock_session_token = ""
+awsbedrock_role_arn = ""
+awsbedrock_role_region = ""
+awsbedrock_role_external_id = ""
 ```
 
 ## JSONPath Support

docs/ai-gateway/llm/guardrails/azure-content-safety.md

@@ -54,17 +54,17 @@ These parameters are typically configured at the gateway level and automatically
 | `azureContentSafetyEndpoint` | string | Yes | Azure Content Safety API endpoint URL (without trailing slash). Example: `https://your-resource.cognitiveservices.azure.com` |
 | `azureContentSafetyKey` | string | Yes | Azure Content Safety API subscription key for authentication. Found in Azure Portal under your Content Safety resource's "Keys and Endpoint" section. |
 
-### Configuring System Parameters in config.yaml
+### Configuring System Parameters in config.toml
 
-System parameters can be configured globally in the gateway's `config.yaml` file. These values serve as defaults for all Azure Content Safety guardrail policy instances and can be overridden per-policy in the API configuration if needed.
+System parameters can be configured globally in the gateway's `config.toml` file. These values serve as defaults for all Azure Content Safety guardrail policy instances and can be overridden per-policy in the API configuration if needed.
 
-#### Location in config.yaml
+#### Location in config.toml
 
-Add the following configuration section to your `config.yaml` file:
+Add the following configuration section to your `config.toml` file:
 
-```yaml
-azurecontentsafety_endpoint: "https://your-resource.cognitiveservices.azure.com"
-azurecontentsafety_key: "<your-azure-content-safety-key>"
+```toml
+azurecontentsafety_endpoint = "https://your-resource.cognitiveservices.azure.com"
+azurecontentsafety_key = "<your-azure-content-safety-key>"
 ```
 
 ## Severity Levels

docs/ai-gateway/llm/guardrails/semantic-prompt-guard.md

@@ -51,20 +51,20 @@ These parameters are typically configured at the gateway level and automatically
 | `embeddingModel` | string | Conditional | - | Embedding model name. **Required for OPENAI and MISTRAL**, not required for AZURE_OPENAI (deployment name is in endpoint URL). Examples: OpenAI: `text-embedding-ada-002` or `text-embedding-3-small`, Mistral: `mistral-embed` |
 | `apiKey` | string | Yes | API key for the embedding service authentication |
 
-### Configuring System Parameters in config.yaml
+### Configuring System Parameters in config.toml
 
-System parameters can be configured globally in the gateway's `config.yaml` file. These values serve as defaults for all Semantic Prompt Guard policy instances and can be overridden per-policy in the API configuration if needed.
+System parameters can be configured globally in the gateway's `config.toml` file. These values serve as defaults for all Semantic Prompt Guard policy instances and can be overridden per-policy in the API configuration if needed.
 
-#### Location in config.yaml
+#### Location in config.toml
 
-Add the following configuration section to your `config.yaml` file:
+Add the following configuration section to your `config.toml` file:
 
-```yaml
-embedding_provider: "MISTRAL" # Supported: MISTRAL, OPENAI, AZURE_OPENAI
-embedding_provider_endpoint: "https://api.mistral.ai/v1/embeddings"
-embedding_provider_model: "mistral-embed"
-embedding_provider_dimension: 1024
-embedding_provider_api_key: ""
+```toml
+embedding_provider = "MISTRAL" # Supported: MISTRAL, OPENAI, AZURE_OPENAI
+embedding_provider_endpoint = "https://api.mistral.ai/v1/embeddings"
+embedding_provider_model = "mistral-embed"
+embedding_provider_dimension = 1024
+embedding_provider_api_key = ""
 ```
 
 ## Similarity Threshold Guidelines

docs/ai-gateway/llm/semantic-caching.md

@@ -70,28 +70,28 @@ These parameters are typically configured at the gateway level and automatically
 | `ttl` | integer | No | Time-to-live for cache entries in seconds. Default is 3600 (1 hour). Set to 0 for no expiration. |
 
 
-### Configuring System Parameters in config.yaml
+### Configuring System Parameters in config.toml
 
-System parameters can be configured globally in the gateway's `config.yaml` file. These values serve as defaults for all Semantic Cache policy instances and can be overridden per-policy in the API configuration if needed.
+System parameters can be configured globally in the gateway's `config.toml` file. These values serve as defaults for all Semantic Cache policy instances and can be overridden per-policy in the API configuration if needed.
 
-#### Location in config.yaml
+#### Location in config.toml
 
-Add the following configuration section to your `config.yaml` file:
+Add the following configuration section to your `config.toml` file:
 
-```yaml
-embedding_provider: "MISTRAL" # Supported: MISTRAL, OPENAI, AZURE_OPENAI
-embedding_provider_endpoint: "https://api.mistral.ai/v1/embeddings"
-embedding_provider_model: "mistral-embed"
-embedding_provider_dimension: 1024
-embedding_provider_api_key: ""
+```toml
+embedding_provider = "MISTRAL" # Supported: MISTRAL, OPENAI, AZURE_OPENAI
+embedding_provider_endpoint = "https://api.mistral.ai/v1/embeddings"
+embedding_provider_model = "mistral-embed"
+embedding_provider_dimension = 1024
+embedding_provider_api_key = ""
 
-vector_db_provider: "REDIS" # Supported: REDIS, MILVUS
-vector_db_provider_host: "redis"
-vector_db_provider_port: 6379
-vector_db_provider_database: "0"
-vector_db_provider_username: "default"
-vector_db_provider_password: "default"
-vector_db_provider_ttl: 3600
+vector_db_provider = "REDIS" # Supported: REDIS, MILVUS
+vector_db_provider_host = "redis"
+vector_db_provider_port = 6379
+vector_db_provider_database = "0"
+vector_db_provider_username = "default"
+vector_db_provider_password = "default"
+vector_db_provider_ttl = 3600
 ```
 
 ## JSONPath Support

docs/ai-gateway/mcp/policies/mcp-authentication.md

@@ -16,10 +16,10 @@ The MCP Authentication policy is designed to secure traffic to Model Context Pro
 
 The MCP Authentication policy uses a two-level configuration model:
 
-- **System Parameters**: Configured by the administrator in `config.yaml` under `policy_configurations.mcpauth_v010` or `policy_configurations.jwtauth_v010` depending on the parameter.
+- **System Parameters**: Configured by the administrator in `config.toml` under `policy_configurations.mcpauth_v010` or `policy_configurations.jwtauth_v010` depending on the parameter.
 - **User Parameters**: Configured per MCP proxy in the configuration yaml.
 
-### System Parameters (config.yaml)
+### System Parameters (config.toml)
 
 These parameters are set by the administrator and apply globally to all MCP authentication policies:
 
@@ -58,40 +58,41 @@ These parameters are configured per-API/route by the API developer:
 
 ## System Configuration Example
 
-Add the following to your `gateway/configs/config.yaml` file under `policy_configurations`:
-
-```yaml
-policy_configurations:
-  mcpauth_v010:
-    gatewayhost: gw.example.com
-  jwtauth_v010:
-    keymanagers:
-      - name: PrimaryIDP
-        issuer: https://idp.example.com/oauth2/token
-        jwks:
-          remote:
-            uri: https://idp.example.com/oauth2/jwks
-            skipTlsVerify: false
-      - name: SecondaryIDP
-        issuer: https://auth.example.org/oauth2/token
-        jwks:
-          remote:
-            uri: https://auth.example.org/oauth2/jwks
-            skipTlsVerify: false
-    jwkscachettl: "5m"
-    jwksfetchtimeout: "5s"
-    jwksfetchretrycount: 3
-    jwksfetchretryinterval: "2s"
-    allowedalgorithms:
-      - RS256
-      - ES256
-    leeway: "30s"
-    authheaderscheme: Bearer
-    headername: Authorization
-    onfailurestatuscode: 401
-    errormessageformat: json
-    errormessage: "Authentication failed."
-    validateissuer: true
+Add the following to your `gateway/configs/config.toml` file under `policy_configurations`:
+
+```toml
+[policy_configurations.mcpauth_v010]
+gatewayhost = "gw.example.com"
+
+[policy_configurations.jwtauth_v010]
+jwkscachettl = "5m"
+jwksfetchtimeout = "5s"
+jwksfetchretrycount = 3
+jwksfetchretryinterval = "2s"
+allowedalgorithms = ["RS256", "ES256"]
+leeway = "30s"
+authheaderscheme = "Bearer"
+headername = "Authorization"
+onfailurestatuscode = 401
+errormessageformat = "json"
+errormessage = "Authentication failed."
+validateissuer = true
+
+[[policy_configurations.jwtauth_v010.keymanagers]]
+name = "PrimaryIDP"
+issuer = "https://idp.example.com/oauth2/token"
+
+[policy_configurations.jwtauth_v010.keymanagers.jwks.remote]
+uri = "https://idp.example.com/oauth2/jwks"
+skipTlsVerify = false
+
+[[policy_configurations.jwtauth_v010.keymanagers]]
+name = "SecondaryIDP"
+issuer = "https://auth.example.org/oauth2/token"
+
+[policy_configurations.jwtauth_v010.keymanagers.jwks.remote]
+uri = "https://auth.example.org/oauth2/jwks"
+skipTlsVerify = false
 ```
 
 ## MCP Proxy Definition Examples