docs: competitive analysis of open-source API gateways #17

Merged: cuioss-oliver merged 3 commits into main from feature/requirements on Mar 6, 2026

@cuioss-oliver
Collaborator

Summary

  • Add fact sheets for 6 open-source API gateways (APISIX, Kong, Gravitee, Tyk, KrakenD, Traefik) under doc/others/
  • Update project manifest with new mandatory requirements: simple deployment, OIDC Relying Party, token mediation, transparent token refresh, RFC 9470 step-up authentication
  • Add summary/README with top-3 contender comparison table and gap analysis
  • Add excluded gateways list with reasoning (dormant, proprietary, wrong scope)

Key Findings

  • No existing gateway satisfies all manifest requirements
  • RFC 7239, RFC 9470 step-up auth, and distributed config discovery are gaps across all evaluated gateways
  • Apache APISIX covers the most requirements in its open-source edition

Test plan

  • Verify all AsciiDoc files render correctly
  • Verify cross-references between documents work
  • Review factual claims against cited sources

🤖 Generated with Claude Code

cuioss-oliver and others added 2 commits March 5, 2026 18:43
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Evaluate 6 open-source API gateways (APISIX, Kong, Gravitee, Tyk,
KrakenD, Traefik) against API Sheriff manifest requirements including
OIDC token mediation, RFC 9470 step-up auth, and stateless deployment.

Update manifest with new mandatory requirements: simple self-contained
deployment, OIDC Relying Party, token mediation (encrypted cookie),
transparent token refresh, and RFC 9470 step-up authentication.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a comprehensive competitive analysis of open-source API gateways, evaluating them against the defined 'API Sheriff' project manifest. It provides detailed fact sheets for six prominent gateways, a comparative summary highlighting top contenders and their adherence to mandatory requirements, and a clear identification of common gaps. The analysis aims to inform the strategic direction for the API Sheriff project by understanding the current landscape and justifying the need for a purpose-built solution.

Highlights

  • Competitive Analysis Fact Sheets: Fact sheets for six open-source API gateways (APISIX, Kong, Gravitee, Tyk, KrakenD, Traefik) were added, detailing their features, architecture, and compliance with project requirements.
  • Updated Project Manifest: The project manifest was updated to include new mandatory requirements such as simple deployment, OIDC Relying Party capabilities, token mediation, transparent token refresh, and RFC 9470 step-up authentication.
  • Comparative Summary and Gap Analysis: A summary document was added, featuring a comparison table of the top-3 contenders and an analysis of key gaps found across all evaluated gateways.
  • Excluded Gateways List: A list of API gateways that were considered but excluded from detailed evaluation, along with their respective reasons (e.g., dormant, proprietary, wrong scope), was included.
  • Key Findings on Gateway Compliance: The analysis revealed that no existing gateway fully satisfies all mandatory requirements, with specific gaps identified in RFC 7239, RFC 9470 step-up authentication, and distributed configuration discovery.
  • Apache APISIX Recommendation: Apache APISIX was identified as the open-source gateway covering the most manifest requirements, particularly for OIDC Relying Party, token mediation, and automatic token refresh.

Changelog

  • doc/manifest.adoc
    • Added the API Sheriff Project Manifest, detailing mandatory, planned, and optional requirements for the gateway.
  • doc/others/README.adoc
    • Added an overview of the competitive analysis, including a comparison of top contenders and a feature matrix against mandatory requirements.
  • doc/others/apache-apisix.adoc
    • Added a fact sheet for Apache APISIX, detailing its features, architecture, and compliance with API Sheriff requirements.
  • doc/others/excluded.adoc
    • Added a document listing API gateways considered but not evaluated, with reasons for exclusion.
  • doc/others/gravitee.adoc
    • Added a fact sheet for Gravitee API Management, detailing its features, architecture, and compliance with API Sheriff requirements.
  • doc/others/kong.adoc
    • Added a fact sheet for Kong Gateway, detailing its features, architecture, and compliance with API Sheriff requirements, noting its open-core model shift.
  • doc/others/krakend.adoc
    • Added a fact sheet for KrakenD API Gateway, detailing its features, architecture, and compliance with API Sheriff requirements.
  • doc/others/traefik.adoc
    • Added a fact sheet for Traefik Proxy, detailing its features, architecture, and compliance with API Sheriff requirements.
  • doc/others/tyk.adoc
    • Added a fact sheet for Tyk API Gateway, detailing its features, architecture, and compliance with API Sheriff requirements.
  • doc/technical_aspects.adoc
    • Added a document outlining the technical aspects and libraries used by API Sheriff, covering HTTP communication, security validation, OAuth token handling, logging, and testing.

Activity

  • The pull request content was generated using Claude Code.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds a comprehensive competitive analysis of several open-source API gateways, along with a project manifest and technical design document. The documentation is well-structured and detailed. My review identifies a systematic formatting issue in all AsciiDoc tables that will prevent them from rendering correctly. I've provided a detailed comment with an example fix on the main README.adoc file; this fix should be applied globally. I also found a couple of minor typos in document titles. After these formatting corrections, the documentation will be in great shape.

Comment on lines +13 to +39
|===
| Document | Gateway | Highlight

| link:apache-apisix.adoc[Apache APISIX]
| Apache Software Foundation, Lua/OpenResty, Apache 2.0
| Most feature-complete OSS edition; OIDC RP + token mediation included

| link:traefik.adoc[Traefik Proxy]
| Traefik Labs, Go, MIT
| Simplest deployment; only gateway with production HTTP/3

| link:krakend.adoc[KrakenD]
| KrakenD / Linux Foundation (Lura), Go, Apache 2.0
| True stateless, API aggregation; WebSocket/gRPC enterprise-only

| link:kong.adoc[Kong Gateway]
| Kong Inc., Lua/OpenResty, Apache 2.0 (OSS frozen at 3.9.1)
| Largest ecosystem; OSS development ended March 2025

| link:tyk.adoc[Tyk Gateway]
| Tyk Technologies, Go, MPL 2.0
| Full-featured OSS gateway engine; requires Redis

| link:gravitee.adoc[Gravitee APIM]
| Gravitee, Java/Vert.x, Apache 2.0
| Unique event-native architecture; heavy infrastructure
|===
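
Review bot: The header row labels the second column `Gateway`, but every cell in that column lists maintainer, implementation language and licence (for example `Traefik Labs, Go, MIT`), while the gateway name only appears as the link text under `Document`. Rename the header to match its contents, or split it into separate maintainer, language and licence columns. The superlatives in the `Highlight` column (`only gateway with production HTTP/3`, `Most feature-complete OSS edition`) carry no source reference in these lines; point each at the fact sheet section that backs it.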

This comment was marked as resolved.

Collaborator Author

The multi-line cell format is valid AsciiDoc. Each cell starting with | on its own line is the standard way to write readable tables in AsciiDoc — see https://docs.asciidoctor.org/asciidoc/latest/tables/add-cells-and-rows/. Single-line format is also valid but less readable for cells with longer content. No change needed.

@@ -0,0 +1,206 @@
commit = API Gateway Landscape -- Competitive Analysis
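
Review bot: Line 1 starts with the stray word `commit` ahead of the `=` marker, so it is no longer an AsciiDoc document title and will render as an ordinary paragraph, leaving the file without a title. Remove the prefix so the line begins with `= API Gateway Landscape`.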

This comment was marked as resolved.

Collaborator Author

Fixed in 6c69004. The commit prefix was introduced by an external linter modification.

@@ -0,0 +1,338 @@
RE= Tyk API Gateway -- Fact Sheet
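
Review bot: Line 1 has `RE` fused directly onto the `=` marker, so the title marker is not at the start of the line and the fact sheet loses its document title. Delete the two characters so the line reads `= Tyk API Gateway -- Fact Sheet`.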

This comment was marked as resolved.

Collaborator Author

Fixed in 6c69004. The RE prefix was introduced by an external linter modification.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@cuioss-oliver cuioss-oliver merged commit 2e4791f into main Mar 6, 2026
21 checks passed
@cuioss-oliver cuioss-oliver deleted the feature/requirements branch March 6, 2026 08:41