Add CORS configuration section to deployment drawer

[AnoshanJ]

Purpose

Describe the problems, issues, or needs driving this feature/fix and include links to related issues in the following format: Resolves issue1, issue2, etc.

The deployment drawer for API agents had no way to configure CORS settings, users had no visibility into or control over which origins, methods, and headers the agent endpoint would accept. This PR surfaces the CORS configuration introduced in #955 in the UI.

Goals

Describe the solutions that this feature/fix will introduce to resolve the problems described above

Approach

Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email documentation@wso2.com to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here.

User stories

Summary of user stories addressed by this change>

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter âN/Aâ plus brief explanation of why thereâs no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type âSentâ when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to certification@wso2.com and NOT pasted in this PR. If there is no impact on certification exams, type âN/Aâ and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

• Unit tests

  Code coverage information

• Integration tests

  Details about the test cases and coverage

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes/no
• Ran FindSecurityBugs plugin and verified report? yes/no
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets? yes/no

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

#955 (backend CORS config API — must merge first)

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

Summary by CodeRabbit

Release Notes

• New Features
  • Added CORS configuration for API agents with controls to enable/disable CORS, allow all origins, specify custom allowed origins/methods/headers, and manage credential policies.
  • Improved API key authentication input component interface.

[coderabbitai]

Warning

Review limit reached

@AnoshanJ, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 13 minutes and 32 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: db26468d-0ea4-4bc3-b34d-22b56e37b7c0

📥 Commits

Reviewing files that changed from the base of the PR and between ed6113e and 3571aed.

📒 Files selected for processing (1)

• console/workspaces/libs/api-client/src/hooks/deployments.ts

📝 Walkthrough

Walkthrough

This PR adds TypeScript type definitions for CORS configuration and extends the DeploymentConfig React component with a new CORS configuration UI section for API agents. Users can enable CORS, configure allowed origins/methods/headers, and manage credential permissions via multi-value inputs.

Changes

Frontend CORS Configuration UI

Layer / File(s)	Summary
CORS type contracts console/workspaces/libs/types/src/api/common.ts, console/workspaces/libs/types/src/api/deployments.ts	CorsConfig interface defines CORS settings with optional enablement, allowed origins/methods/headers, and credentials flag; Configurations and DeployAgentRequest extended with optional corsConfig field.
CORS configuration UI component console/workspaces/libs/shared-component/src/components/DeploymentConfig.tsx	New Oxygen UI imports (Autocomplete, Chip, ChevronDown); CORS state variables for enablement, allow-all-origins mode, and allow-lists; effect initializes CORS state from agent config; CORS Configuration form section (conditionally shown for API agents) with enable switch, allow-all-origins checkbox, multi-value inputs for origins/methods/headers, and credentials checkbox (disabled when wildcard origins active); deploy payload includes constructed corsConfig with wildcard and credentials logic; X-API-Key header input replaced with TextInput.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• wso2/agent-manager#955: Both PRs extend DeployAgentRequest/Configurations CORS types and wire CORS configuration into deployment, with handling for allowCredentials vs wildcard origins exclusivity.

Suggested reviewers

• menakaj

Poem

🐰 A CORS config form springs to life so bright,
With checkboxes and chips aligned just right,
Origins, headers, methods in a row,
The credentials checkbox steals the show,
Wild stars and origins dance in delight!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The PR description addresses Purpose and Goals effectively, but most other template sections remain as empty placeholders with no substantive content provided.	Complete missing sections: Goals, Approach (include UI screenshot/GIF), User stories, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, Samples, Migrations, Test environment, and Learning to provide a complete picture of the change.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change—adding a CORS configuration section to the deployment drawer UI for API agents.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

agent-manager-service/services/agent_manager.go (1)

362-369: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Honor the configured allowCredentials default at create time.

This hardcodes false, but the rest of the flow persists and returns config.GetAgentWorkloadConfig().CORS.AllowCredentials. If the platform default is true, a newly created API agent will report/persist allowCredentials=true while the attached api-configuration trait is provisioned with false until the first deploy.

Proposed fix

 		createPolicies := []map[string]interface{}{
 			client.CORSPolicy(
 				strings.Split(corsConfig.AllowOrigin, ","),
 				strings.Split(corsConfig.AllowMethods, ","),
 				strings.Split(corsConfig.AllowHeaders, ","),
-				false, // allowCredentials defaults to false at agent creation
+				corsConfig.AllowCredentials,
 			),
 			client.APIKeyAuthPolicy(),
 		}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agent-manager-service/services/agent_manager.go` around lines 362 - 369, The
create-time CORS policy hardcodes allowCredentials to false in the
client.CORSPolicy call (inside agent_manager.go where corsConfig :=
config.GetAgentWorkloadConfig().CORS is read), causing a mismatch with the
persisted/returned config; change that literal false to use the configured value
corsConfig.AllowCredentials (i.e., pass
config.GetAgentWorkloadConfig().CORS.AllowCredentials /
corsConfig.AllowCredentials into client.CORSPolicy) so the created agent's
policy honors the platform default.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@agent-manager-service/services/agent_manager.go`:
- Around line 2039-2045: The validation block that errors when
corsAllowCredentials is true and corsAllowOrigins contains "*" should be skipped
when CORS is disabled; update the logic in agent_manager.go so the existing
check (iterating corsAllowOrigins and comparing to "*") is only executed if
corsEnabled is true (i.e., wrap or gate the corsAllowCredentials /
corsAllowOrigins validation behind corsEnabled), leaving the rest of DeployAgent
behavior unchanged and ensuring stale allowOrigin=["*"] + allowCredentials=true
values do not block disabling CORS.

In
`@console/workspaces/libs/shared-component/src/components/DeploymentConfig.tsx`:
- Around line 507-510: When toggling "Allow all origins" off (handler using
setCorsAllowAll), ensure you remove the wildcard entry from corsOrigins and
update the effective origins used in the payload so credentials cannot be
re-enabled with "*" present; specifically, in the onChange where you call
setCorsAllowAll(checked) and setCorsAllowCredentials(false) when checked===true,
add logic for the unchecked case to filter out the "*" from corsOrigins (and
update the same logic in the other toggle handlers around the Cors UI mentioned)
and ensure payload assembly uses the filtered/effective origins array (not the
raw state that might still contain "*") before validating/submitting.

---

Outside diff comments:
In `@agent-manager-service/services/agent_manager.go`:
- Around line 362-369: The create-time CORS policy hardcodes allowCredentials to
false in the client.CORSPolicy call (inside agent_manager.go where corsConfig :=
config.GetAgentWorkloadConfig().CORS is read), causing a mismatch with the
persisted/returned config; change that literal false to use the configured value
corsConfig.AllowCredentials (i.e., pass
config.GetAgentWorkloadConfig().CORS.AllowCredentials /
corsConfig.AllowCredentials into client.CORSPolicy) so the created agent's
policy honors the platform default.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 08a4c7d2-6f71-4536-9528-43cf6c2dd59d

📥 Commits

Reviewing files that changed from the base of the PR and between 8857b20 and 9138147.

📒 Files selected for processing (19)

• agent-manager-service/clients/openchoreosvc/client/components.go
• agent-manager-service/config/config.go
• agent-manager-service/config/config_loader.go
• agent-manager-service/db_migrations/021_add_cors_allow_origins.go
• agent-manager-service/db_migrations/migration_list.go
• agent-manager-service/docs/api_v1_openapi.yaml
• agent-manager-service/models/agent.go
• agent-manager-service/models/agent_config.go
• agent-manager-service/repositories/agent_config_repository.go
• agent-manager-service/services/agent_manager.go
• agent-manager-service/spec/model_configurations.go
• agent-manager-service/spec/model_cors_config.go
• agent-manager-service/spec/model_deploy_agent_request.go
• agent-manager-service/utils/makeresults.go
• console/workspaces/libs/shared-component/src/components/DeploymentConfig.tsx
• console/workspaces/libs/types/src/api/common.ts
• console/workspaces/libs/types/src/api/deployments.ts
• deployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/configmap.yaml
• deployments/helm-charts/wso2-agent-manager/values.yaml

[coderabbitai]

🧹 Nitpick comments (1)

console/workspaces/libs/shared-component/src/components/DeploymentConfig.tsx (1)

525-533: 💤 Low value

Redundant key prop on Chip components.

The getTagProps({ index }) spread already provides a key prop. Providing an explicit key after the spread overrides it, which is fine but redundant and may cause React warnings in some configurations if the spread's key is applied first.

Suggested simplification

                              renderTags={(tagValues, getTagProps) =>
                                tagValues.map((option, index) => (
                                  <Chip
                                    label={option as string}
                                    size="small"
+                                   key={option as string}
                                    {...getTagProps({ index })}
-                                   key={option as string}
                                  />
                                ))
                              }

Move key before the spread or remove it entirely since getTagProps provides it.

Also applies to: 549-557, 572-580

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@console/workspaces/libs/shared-component/src/components/DeploymentConfig.tsx`
around lines 525 - 533, In the renderTags implementation where tagValues.map
returns a Chip, remove the explicit key prop that follows the spread of
getTagProps({ index }) (or move it before the spread) to avoid
overriding/duplicating the key provided by getTagProps; update the Chip usages
inside renderTags (and the other similar blocks at the noted locations) so they
rely on getTagProps for the key instead of supplying a redundant key prop.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@console/workspaces/libs/shared-component/src/components/DeploymentConfig.tsx`:
- Around line 525-533: In the renderTags implementation where tagValues.map
returns a Chip, remove the explicit key prop that follows the spread of
getTagProps({ index }) (or move it before the spread) to avoid
overriding/duplicating the key provided by getTagProps; update the Chip usages
inside renderTags (and the other similar blocks at the noted locations) so they
rely on getTagProps for the key instead of supplying a redundant key prop.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 97a9045b-70aa-4705-966b-4c91e8deda19

📥 Commits

Reviewing files that changed from the base of the PR and between 9138147 and ed6113e.

📒 Files selected for processing (3)

• console/workspaces/libs/shared-component/src/components/DeploymentConfig.tsx
• console/workspaces/libs/types/src/api/common.ts
• console/workspaces/libs/types/src/api/deployments.ts