formatter: expose CEL expression config in header mutations

[kamalmarhubi]

Commit Message:
formatter: expose CEL expression config in header mutations

Add cel_config to envoy.formatter.cel configuration, allowing CEL runtime options such as string functions to be enabled on a per-formatter basis. Include a formatters field on the header mutation and early header mutation filters so those filters can use configured formatter command parsers, including CEL with cel_config.

Specific changes:

• formatter/cel: explicitly configured envoy.formatter.cel parsers now carry cel_config. The built-in %CEL% parser still uses the active server context, so existing unconfigured usage is unchanged.
• header_mutation / early_header_mutation: add formatters for configuring extension formatter command parsers used in mutation values.

Built-in command parsers remain available when formatters is empty, so there is no behaviour change unless a config opts in.

Fixes #45420

Additional Description: See #45420 for motivation: enabling CEL string functions in (early) header mutation, eg to transform trace-context headers.
AI Disclosure: This was developed by iterating with OpenAI Codex (GPT-5.5), with review and further iteration using Claude Code (Opus 4.8). I reviewed and edited the generated output, understand the submitted changes, and take responsibility for them.
Risk Level: Low
Testing:

bazel test \
  //test/extensions/formatter/cel:cel_test \
  //test/extensions/filters/http/header_mutation:header_mutation_test \
  //test/extensions/http/early_header_mutation/header_mutation:header_mutation_test

Docs Changes: Inline proto documentation for the new cel_config and formatters fields.
Release Notes: Added (formatter, header_mutation, early_header_mutation).
Platform Specific Features: N/A. (The CEL formatter is already excluded on Windows via WINDOWS_SKIP_TARGETS; I haven't changed that.)
API Considerations: adds optional cel_config (reusing config.core.v3.CelExpressionConfig) to envoy.extensions.formatter.cel.v3.Cel, and optional formatters (repeated config.core.v3.TypedExtensionConfig) to the two header mutation messages. All additive; omitting them preserves existing behaviour.

[repokitteh-read-only]

Hi @kamalmarhubi, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #45815 was opened by kamalmarhubi.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @adisuissa
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #45815 was opened by kamalmarhubi.

see: more, trace.

[kamalmarhubi]

@adisuissa fyi the API was already given the ok by @wbpcode here: #45420 (comment)

[kamalmarhubi]

Reviewer note: this is broken down into hopefully digestible commits.

[wbpcode]

I think this! Thanks for this great contribution. Only one comment.

[wbpcode]

I guess the previous header mutation constructor is unnecessary (except for test)? Could we remove it?

[kamalmarhubi]

For some reason I missed the human review and only saw the robot review below. In any case, you're sort of in agreement, and the 3-arg constructor is gone.

[wbpcode]

/gemini review

[wbpcode]

/wait

[gemini-code-assist]

Code Review

This pull request introduces the ability to configure extension formatter command parsers (such as CEL with custom runtime options) for header mutation substitution values in both the HTTP header mutation filter and the early header mutation extension. It also exposes cel_config on the CEL formatter to allow enabling CEL runtime options like string functions. One improvement opportunity was identified in header_mutation.cc to use the context's messageValidationVisitor() instead of a null validation visitor to ensure proper configuration validation.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Using ProtobufMessage::getNullValidationVisitor() bypasses message validation. Since ServerFactoryContext provides a valid messageValidationVisitor(), we should use it instead to ensure any configuration issues or deprecations are properly validated and logged.

Suggested change

	PerRouteHeaderMutation::PerRouteHeaderMutation(const PerRouteProtoConfig& config,
	Server::Configuration::ServerFactoryContext& context,
	absl::Status& creation_status)
	: mutations_(config.mutations(), context, creation_status) {}
	: PerRouteHeaderMutation(config, context, ProtobufMessage::getNullValidationVisitor(),
	creation_status) {}
	PerRouteHeaderMutation::PerRouteHeaderMutation(const PerRouteProtoConfig& config,
	Server::Configuration::ServerFactoryContext& context,
	absl::Status& creation_status)
	: PerRouteHeaderMutation(config, context, context.messageValidationVisitor(),
	creation_status) {}

References

1. In Envoy, the validation_visitor object has a server-level lifetime, making it safe to capture by reference in lambdas even when those lambdas are stored in long-lived components like singleton-managed providers.

[kamalmarhubi]

Fair point. prior to these changes there was no validation visitor used in this path. In these changes I left the tests using the 3-arg constructor, and defaulted to the null validation visitor. But I've now dropped it, and pass in the visitor explicitly from call sites instead. Pushed as fixup commit.

[adisuissa]

The api change LGTM.
/lgtm api
IMHO having a single PR doing 3 concurrent changes is a bit much, but I'll leave it to the extension owners reviewers.

[adisuissa]

/assign @wbpcode @yanavlasov @kyessenov