From 08e137c8d82482536fb8b5d1bc2102740f503291 Mon Sep 17 00:00:00 2001
From: Narendra Vyas
Date: Tue, 17 Mar 2026 18:35:58 +0530
Subject: [PATCH 1/8] chore: added validation for max secrets count.
---
 src/constants.js | 5 ++++-
 src/utils.js | 12 ++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/constants.js b/src/constants.js
index 09bf8dd..4c97587 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -9,9 +9,10 @@ const StageConstants = {
 DEV_CONSOLE_API_KEY: 'adobe-api-manager-sms-stage',
 DEV_CONSOLE_TRANSPORTER_API_KEY: 'UDPWeb1',
 AIO_CLI_API_KEY: 'aio-cli-console-auth-stage',
- SMS_BASE_URL: 'https://graph-stage.adobe.io/api-admin',
+ SMS_BASE_URL: 'https://schema-management-service-dev1-501va6-corp.commerce-gateway.com/api-admin',
 MESH_BASE_URL: 'https://edge-stage-graph.adobe.io/api',
 SMS_API_KEY: 'adobe-graph-stage-onboarding',
+ MAX_SECRET_COUNT: 25,
 };
 const ProdConstants = {
@@ -23,6 +24,7 @@ const ProdConstants = {
 MESH_BASE_URL: 'https://edge-graph.adobe.io/api',
 MESH_SANDBOX_BASE_URL: 'https://edge-sandbox-graph.adobe.io/api',
 SMS_API_KEY: 'adobe-graph-prod',
+ MAX_SECRET_COUNT: 25,
 };
 const envConstants = clientEnv === 'stage' ? StageConstants : ProdConstants;
@@ -38,4 +40,5 @@ module.exports = {
 MESH_BASE_URL: process.env.MESH_BASE_URL || envConstants.MESH_BASE_URL,
 MESH_SANDBOX_BASE_URL: process.env.MESH_SANDBOX_BASE_URL || envConstants.MESH_SANDBOX_BASE_URL,
 SMS_API_KEY: process.env.SMS_API_KEY || envConstants.SMS_API_KEY,
+ MAX_SECRET_COUNT: process.env.MAX_SECRET_COUNT || envConstants.MAX_SECRET_COUNT,
 };
diff --git a/src/utils.js b/src/utils.js
index 861c205..e3f7fd2 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -10,6 +10,9 @@ const parseEnv = require('envsub/js/envsub-parser');
 const os = require('os');
 const chalk = require('chalk');
 const crypto = require('crypto');
+const CONSTANTS = require('./constants');
+
+const { MAX_SECRET_COUNT } = CONSTANTS;
 /**
 * @returns returns the root directory of the project
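Review bot: The `SMS_BASE_URL` line in the `StageConstants` hunk swaps the committed stage default for what looks like a developer gateway hostname, in a commit whose subject only mentions secret-count validation. Any stage build cut from this commit would send its admin API requests, and presumably the caller's credentials, to that host. PATCH 2/8 restores `https://graph-stage.adobe.io/api-admin`, and PATCH 5/8 repeats the pattern with a `graph-qa` host that PATCH 6/8 reverts. For local testing, prefer an environment override over editing the default; the exports hunk shows that pattern for `MESH_BASE_URL`, though whether `SMS_BASE_URL` has the same override is not visible here.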
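Review bot: `process.env.MAX_SECRET_COUNT` is a string whenever it is set, so the limit exported in the `module.exports` hunk changes type with the environment, and a non-numeric value makes `numSecrets > MAX_SECRET_COUNT` in src/utils.js compare against `NaN` and never trip. Parse it once at export time, for example `MAX_SECRET_COUNT: Number.parseInt(process.env.MAX_SECRET_COUNT, 10) || envConstants.MAX_SECRET_COUNT,`. The `MAX_SECRET_SIZE_BYTES` export added in PATCH 5/8 has the same problem. Because any user can raise these values locally, they are only a convenience check unless the service enforces the same limits, which this diff does not show.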
@@ -535,6 +538,15 @@ async function parseSecrets(secretsContent) {
 const compiledContent = parseEnv(newSecretsContent, envParserConfig);
 const compiledSecretsFileContent = replacePlaceholders(compiledContent, placeholderMap);
 const parsedSecrets = YAML.parse(compiledSecretsFileContent);
+ const numSecrets = Object.entries(parsedSecrets).length;
+
+ if (numSecrets > MAX_SECRET_COUNT) {
+ throw new Error(
+ chalk.red(
+ `Number of secrets exceeds limit. Maximum allowed number of secrets is ${MAX_SECRET_COUNT}`,
+ ),
+ );
+ }
 //check if secrets file is empty
 if (!parsedSecrets) {
From 6153f2667d1cd44616d3febc0930649961736f15 Mon Sep 17 00:00:00 2001
From: Narendra Vyas
Date: Tue, 17 Mar 2026 18:39:26 +0530
Subject: [PATCH 2/8] chore: minor correction and bumpled alpha version
---
 package.json | 2 +-
 src/constants.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index aeff635..4dc5205 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@adobe/aio-cli-plugin-api-mesh",
- "version": "5.6.0",
+ "version": "5.6.1-alpha.1",
 "description": "Adobe I/O CLI plugin to develop and manage API mesh sources",
 "keywords": [
 "oclif-plugin"
diff --git a/src/constants.js b/src/constants.js
index 4c97587..be0c09d 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -9,7 +9,7 @@ const StageConstants = {
 DEV_CONSOLE_API_KEY: 'adobe-api-manager-sms-stage',
 DEV_CONSOLE_TRANSPORTER_API_KEY: 'UDPWeb1',
 AIO_CLI_API_KEY: 'aio-cli-console-auth-stage',
- SMS_BASE_URL: 'https://schema-management-service-dev1-501va6-corp.commerce-gateway.com/api-admin',
+ SMS_BASE_URL: 'https://graph-stage.adobe.io/api-admin',
 MESH_BASE_URL: 'https://edge-stage-graph.adobe.io/api',
 SMS_API_KEY: 'adobe-graph-stage-onboarding',
 MAX_SECRET_COUNT: 25,
From 59d0d8c7a146b2b82e1cb666fda0d54b3189bb51 Mon Sep 17 00:00:00 2001
From: Narendra Vyas
Date: Wed, 18 Mar 2026 19:33:05 +0530
Subject: [PATCH 3/8] chore: bumped max count
---
 src/constants.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/constants.js b/src/constants.js
index be0c09d..123c79d 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -12,7 +12,7 @@ const StageConstants = {
 SMS_BASE_URL: 'https://graph-stage.adobe.io/api-admin',
 MESH_BASE_URL: 'https://edge-stage-graph.adobe.io/api',
 SMS_API_KEY: 'adobe-graph-stage-onboarding',
- MAX_SECRET_COUNT: 25,
+ MAX_SECRET_COUNT: 50,
 };
 const ProdConstants = {
From e501739f2c757aeb460d2cf0358403c05a9b72dd Mon Sep 17 00:00:00 2001
From: Narendra Vyas
Date: Wed, 18 Mar 2026 19:34:08 +0530
Subject: [PATCH 4/8] chore: updated max secrets count
---
 src/constants.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/constants.js b/src/constants.js
index 123c79d..42cea13 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -24,7 +24,7 @@ const ProdConstants = {
 MESH_BASE_URL: 'https://edge-graph.adobe.io/api',
 MESH_SANDBOX_BASE_URL: 'https://edge-sandbox-graph.adobe.io/api',
 SMS_API_KEY: 'adobe-graph-prod',
- MAX_SECRET_COUNT: 25,
+ MAX_SECRET_COUNT: 50,
 };
 const envConstants = clientEnv === 'stage' ? StageConstants : ProdConstants;
From 833c4e3523ea0596a7fc3601c7e02c0d772ce1f8 Mon Sep 17 00:00:00 2001
From: Narendra Vyas
Date: Thu, 19 Mar 2026 17:39:43 +0530
Subject: [PATCH 5/8] chore: updated 5KB restriction on per secret
---
 src/constants.js | 7 ++++++-
 src/utils.js | 44 +++++++++++++++++++++++++++++++++++---------
 2 files changed, 41 insertions(+), 10 deletions(-)
diff --git a/src/constants.js b/src/constants.js
index 42cea13..6db11c2 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -4,15 +4,18 @@ const dotenv = require('dotenv');
 dotenv.config();
 const clientEnv = getCliEnv();
+const MAX_SECRET_SIZE_BYTES = 5 * 1024; // 5 KB — matches Cloudflare's per-secret limit
+
 const StageConstants = {
 DEV_CONSOLE_BASE_URL: 'https://developers-stage.adobe.io/console',
 DEV_CONSOLE_API_KEY: 'adobe-api-manager-sms-stage',
 DEV_CONSOLE_TRANSPORTER_API_KEY: 'UDPWeb1',
 AIO_CLI_API_KEY: 'aio-cli-console-auth-stage',
- SMS_BASE_URL: 'https://graph-stage.adobe.io/api-admin',
+ SMS_BASE_URL: 'https://graph-qa.adobe.io/api-admin',
 MESH_BASE_URL: 'https://edge-stage-graph.adobe.io/api',
 SMS_API_KEY: 'adobe-graph-stage-onboarding',
 MAX_SECRET_COUNT: 50,
+ MAX_SECRET_SIZE_BYTES,
 };
 const ProdConstants = {
@@ -25,6 +28,7 @@ const ProdConstants = {
 MESH_SANDBOX_BASE_URL: 'https://edge-sandbox-graph.adobe.io/api',
 SMS_API_KEY: 'adobe-graph-prod',
 MAX_SECRET_COUNT: 50,
+ MAX_SECRET_SIZE_BYTES,
 };
 const envConstants = clientEnv === 'stage' ? StageConstants : ProdConstants;
@@ -41,4 +45,5 @@ module.exports = {
 MESH_SANDBOX_BASE_URL: process.env.MESH_SANDBOX_BASE_URL || envConstants.MESH_SANDBOX_BASE_URL,
 SMS_API_KEY: process.env.SMS_API_KEY || envConstants.SMS_API_KEY,
 MAX_SECRET_COUNT: process.env.MAX_SECRET_COUNT || envConstants.MAX_SECRET_COUNT,
+ MAX_SECRET_SIZE_BYTES: process.env.MAX_SECRET_SIZE_BYTES || envConstants.MAX_SECRET_SIZE_BYTES,
 };
diff --git a/src/utils.js b/src/utils.js
index e3f7fd2..fb0e05e 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -12,7 +12,7 @@ const chalk = require('chalk');
 const crypto = require('crypto');
 const CONSTANTS = require('./constants');
-const { MAX_SECRET_COUNT } = CONSTANTS;
+const { MAX_SECRET_COUNT, MAX_SECRET_SIZE_BYTES } = CONSTANTS;
 /**
 * @returns returns the root directory of the project
@@ -516,6 +516,27 @@ async function interpolateSecrets(secretsFilePath, command) {
 }
 }
+/**
+ * Validates that each individual secret value does not exceed MAX_SECRET_SIZE_BYTES
+ * (5 KB — Cloudflare's per-secret limit).
+ * the YAML serialization of that value is used for the size measurement.
+ *
+ * @param {object} parsedSecrets Parsed secrets object from YAML
+ */
+function validateSecretsSize(parsedSecrets) {
+ for (const [key, value] of Object.entries(parsedSecrets)) {
+ const valueString = typeof value === 'string' ? value : YAML.stringify(value);
+ const valueSizeBytes = Buffer.byteLength(valueString, 'utf8');
+ if (valueSizeBytes > MAX_SECRET_SIZE_BYTES) {
+ throw new Error(
+ chalk.red(
+ `Secret "${key}" exceeds the 5 KB size limit. Please reduce its size and try again.`,
+ ),
+ );
+ }
+ }
+}
+
 /**
 * Parse secrets YAML content.
 *
@@ -538,6 +559,16 @@ async function parseSecrets(secretsContent) {
 const compiledContent = parseEnv(newSecretsContent, envParserConfig);
 const compiledSecretsFileContent = replacePlaceholders(compiledContent, placeholderMap);
 const parsedSecrets = YAML.parse(compiledSecretsFileContent);
+
+ //check if secrets file is empty
+ if (!parsedSecrets) {
+ throw new Error(chalk.red('Invalid YAML file contents. Please verify and try again.'));
+ }
+ //check if parsedSecrets is string and not in k:v pair
+ if (typeof parsedSecrets === 'string') {
+ throw new Error(chalk.red('Please provide a valid YAML in key:value format.'));
+ }
+
 const numSecrets = Object.entries(parsedSecrets).length;
 if (numSecrets > MAX_SECRET_COUNT) {
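Review bot: The error text in `validateSecretsSize` hard-codes "5 KB" while the comparison uses `MAX_SECRET_SIZE_BYTES`, which src/constants.js lets `process.env.MAX_SECRET_SIZE_BYTES` override, so the message can name a limit that is not the one being enforced. Replace the literal `5 KB` in the template with `${MAX_SECRET_SIZE_BYTES} bytes` so the two cannot drift apart. The third line of the doc comment is a fragment and should read "For non-string values, the YAML serialization of that value is used for the size measurement." Reporting the key name rather than the value is the right call for a secrets file and should stay that way.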
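Review bot: The type guard placed before the count in `parseSecrets` rejects only strings, so a YAML document that parses to a list, a number or `true` still reaches `Object.entries(parsedSecrets)`. A list yields index keys and a scalar yields no entries, so both pass the count and size checks and go on to be serialized as if they were a key:value map. Tighten the guard to `if (typeof parsedSecrets !== 'object' || Array.isArray(parsedSecrets)) {` and keep the existing message. The function body starts and ends outside this hunk.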
@@ -548,15 +579,10 @@ async function parseSecrets(secretsContent) {
 );
 }
- //check if secrets file is empty
- if (!parsedSecrets) {
- throw new Error(chalk.red('Invalid YAML file contents. Please verify and try again.'));
- }
- //check if parsedSecrets is string and not in k:v pair
- if (typeof parsedSecrets === 'string') {
- throw new Error(chalk.red('Please provide a valid YAML in key:value format.'));
- }
+ validateSecretsSize(parsedSecrets);
+
 const secretsYamlString = YAML.stringify(parsedSecrets);
 return secretsYamlString; //TODO: here we will encrypt secrets and return.
 } catch (err) {
 throw new Error(chalk.red(getSecretsYamlParseError(err)));
From 16b28004775d0fbe477764b0859c01d52034c28d Mon Sep 17 00:00:00 2001
From: Narendra Vyas
Date: Thu, 19 Mar 2026 18:28:13 +0530
Subject: [PATCH 6/8] chore: minor correction
---
 src/constants.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/constants.js b/src/constants.js
index 6db11c2..6ef8f34 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -11,7 +11,7 @@ const StageConstants = {
 DEV_CONSOLE_API_KEY: 'adobe-api-manager-sms-stage',
 DEV_CONSOLE_TRANSPORTER_API_KEY: 'UDPWeb1',
 AIO_CLI_API_KEY: 'aio-cli-console-auth-stage',
- SMS_BASE_URL: 'https://graph-qa.adobe.io/api-admin',
+ SMS_BASE_URL: 'https://graph-stage.adobe.io/api-admin',
 MESH_BASE_URL: 'https://edge-stage-graph.adobe.io/api',
 SMS_API_KEY: 'adobe-graph-stage-onboarding',
 MAX_SECRET_COUNT: 50,
From 3cb4b396578d415fd829185ee7dc294f5986081e Mon Sep 17 00:00:00 2001
From: Narendra Vyas
Date: Thu, 19 Mar 2026 18:58:02 +0530
Subject: [PATCH 7/8] chore: updated version in package.json with beta because we are targetting develop
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 4dc5205..3981df4 100644
--- a/package.json
+++ b/package.json
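Review bot: The count and size errors appear to be thrown inside the `try` whose `catch (err)` closes this hunk, so they are rewrapped as `new Error(chalk.red(getSecretsYamlParseError(err)))` along with genuine parser failures. `getSecretsYamlParseError` is not shown, so it needs checking that it preserves `err.message` for a plain `Error`; if it does not, the user never learns which secret or limit failed. The messages are also wrapped in `chalk.red` twice. Consider rethrowing errors that did not come from the YAML parser unchanged, for example by tagging the validation errors with a dedicated error class and testing for it in the `catch`. The `try` opens outside the hunk.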
@@ -1,6 +1,6 @@
 {
 "name": "@adobe/aio-cli-plugin-api-mesh",
- "version": "5.6.1-alpha.1",
+ "version": "5.6.1-beta.0",
 "description": "Adobe I/O CLI plugin to develop and manage API mesh sources",
 "keywords": [
 "oclif-plugin"
From ae5b750501b3c8cf2deef2b4cc7aded20bde8229 Mon Sep 17 00:00:00 2001
From: Narendra Vyas
Date: Mon, 23 Mar 2026 16:35:14 +0530
Subject: [PATCH 8/8] chore: release stable version
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 3981df4..6547281 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@adobe/aio-cli-plugin-api-mesh",
- "version": "5.6.1-beta.0",
+ "version": "5.6.1",
 "description": "Adobe I/O CLI plugin to develop and manage API mesh sources",
 "keywords": [
 "oclif-plugin"