[Feat]: Mirror request plugins execution to the response path

[abdallahsamabd]

Add response plugin execution support to the BBR (Body-Based Router) system, mirroring the existing request plugin path. This enables use cases like response guardrails and content filtering before returning responses to the user.

Changes:

• Add responsePlugins field to BBR Server struct and NewServer constructor
• Implement HandleResponseBody to execute response plugins on the response body
• Add processResponseBody for streaming response body buffering (mirrors processRequestBody)
• Thread ResponsePlugins through ExtProcServerRunner
• Update integration test harness to accept response plugins
• Add unit tests (6) and gRPC integration tests (2) for response plugin execution

Note: Plugins are executed for validation, logging, and side effects, but mutated body/headers are not yet applied to the ext_proc response. Applying mutations (including updating dependent headers like content-length) is deferred to a follow-up to avoid inconsistencies

Note: Configuration of response plugins (CLI flags, Helm chart values) is intentionally left out of scope, as the project is converging on file-based configuration.

What type of PR is this?

/kind feature

What this PR does / why we need it:
The BBR plugin system currently only supports executing plugins on the request path. This PR mirrors that execution to the response path, allowing plugins implementing the PayloadProcessor interface to inspect and mutate response bodies before they are returned to the client. This is useful for response guardrails, content filtering, auditing, and other post-processing use cases.

Which issue(s) this PR fixes:
Ref #2354

Does this PR introduce a user-facing change?:

NONE

[netlify]

✅ Deploy Preview for gateway-api-inference-extension ready!

Name	Link
🔨 Latest commit	26471c5
🔍 Latest deploy log	https://app.netlify.com/projects/gateway-api-inference-extension/deploys/69a6f5fbb33130000756b471
😎 Deploy Preview	https://deploy-preview-2369--gateway-api-inference-extension.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: abdallahsamabd / name: abdallahsamabd (26471c5)

[k8s-ci-robot]

Welcome @abdallahsamabd!

It looks like this is your first PR to kubernetes-sigs/gateway-api-inference-extension 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/gateway-api-inference-extension has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @abdallahsamabd. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[abdallahsamabd]

/retest

[k8s-ci-robot]

@abdallahsamabd: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[nirrozenbaum]

can we revert the change in the README.md?
on the one hand, yes we're starting the add the pluging support.
but on the other hand, this is still not wired properly, so we still don't want to expose it to users (we don't want a user to try and don't understand why it is still not working).

[abdallahsamabd]

ok sure
done

[nirrozenbaum]

@abdallahsamabd a general comment that spreads across multiple files:
can we keep this PR focused on response plugins execution while keeping how we set them plugins out of scope?

more concretely - if we can leave the --response plugins out of runner, as well as the helm chart updates.
the main reason is that, we should converge on configuration from file. so these are going to be removed soon.

[nirrozenbaum]

/ok-to-test

[abdallahsamabd]

@nirrozenbaum
both review comments were fixed
thanks

[nirrozenbaum]

can you explain what is this text with noop plugin? why is it needed?

[abdallahsamabd]

The noop plugin is needed to bypass the len(s.responsePlugins) == 0 early return in HandleResponseBody. Without it, the test would only exercise the no-plugins shortcut path. The noop ensures we go through the full code path (JSON unmarshal → plugin execution → response construction) in streaming mode, validating it completes without errors.

"Noop" stands for no operation — it's a plugin that does nothing. It receives the headers and body, and returns them unchanged. It exists purely to satisfy the "has plugins" condition so the code doesn't take the early-return shortcut.

[nirrozenbaum]

got it. maybe it would be good to reuse the mutating plugin, so we can check that plugin is actually executed correctly in streaming mode.

[abdallahsamabd]

since mutations are not yet applied to the response in this PR, we can't verify the plugin's effect from the returned response. Once we add mutation in the follow-up we'll update this test to use a mutating plugin

[nirrozenbaum]

/lgtm
/approve

Thanks!

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abdallahsamabd, nirrozenbaum

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [nirrozenbaum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment