At the basic level, one Apigee policy file is one XML document whose root tag is the policy type and whose name attribute is the policy instance name. A tiny Verify API Key policy says: read the API key from one request location.
ApiGeeToMuleSoft/samples/apigee-bundle/apiproxy/policies/VerifyAPIKey.xml
<?xml version="1.0" encoding="UTF-8"?>
<VerifyAPIKey name="VerifyAPIKey-1">
<APIKey ref="request.header.x-api-key"/>
</VerifyAPIKey>
Larger policies still follow the same shape: root policy tag, child config tags, and variable references inside child tags. This AssignMessage policy stores pieces of the incoming request into named Apigee variables.
Code include not found: ../Adhoc/apigee-policies/security/basic-auth-simple/policies/AM-Extract-BasicAuth-Credentials.xml
The repo mostly cares about the root tag, the name, child config, path, and discovery order. That becomes the Policy object consumed by mapping and execution.