From 2e4a35a6e5e86f06a2ac8ea1598948f259a93a8d Mon Sep 17 00:00:00 2001
From: Narendra Vyas
Date: Tue, 7 Apr 2026 18:22:28 +0530
Subject: [PATCH 1/5] chore: allign local secrets with worker by JSON-parsing top-level string values
---
 src/serverUtils.js | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/serverUtils.js b/src/serverUtils.js
index 32a388f9..f8f9b1ef 100644
--- a/src/serverUtils.js
+++ b/src/serverUtils.js
@@ -316,6 +316,31 @@ function ccDirectivesToString(directives) {
 return chStr.toString();
 }
+/**
+ * Match production tenant-worker behavior: each bound secret value is JSON.parsed.
+ * YAML often leaves JSON blobs as strings; without this step, values like TOKEN: '{"COMMERCE": "dummy-value"}' stay broken locally.
+ *
+ * @param {Record} secrets Parsed secrets object
+ * @returns {Record}
+ */
+function normalizeSecretsEnvValues(secrets) {
+ if (!secrets || typeof secrets !== 'object' || Array.isArray(secrets)) {
+ return secrets;
+ }
+ return Object.fromEntries(
+ Object.entries(secrets).map(([key, value]) => {
+ if (typeof value === 'string') {
+ try {
+ return [key, JSON.parse(value)];
+ } catch {
+ return [key, value];
+ }
+ }
+ return [key, value];
+ }),
+ );
+}
+
 /**
 * Returns secrets content from artifacts
 * @param meshPath
@@ -326,7 +351,8 @@ function readSecretsFile(meshPath) {
 try {
 const filePath = path.resolve(process.cwd(), `${meshPath}`, 'secrets.yaml');
 if (fs.existsSync(filePath)) {
- secrets = YAML.parse(fs.readFileSync(filePath, 'utf8'));
+ const parsed = YAML.parse(fs.readFileSync(filePath, 'utf8'));
+ secrets = normalizeSecretsEnvValues(parsed || {});
 }
 } catch (error) {
 logger.error('Unexpected error: unable to locate secrets file in mesh artifacts.');
From 9406f84a4e65aaecf443a4eeb8aab542acbe841f Mon Sep 17 00:00:00 2001
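Review bot: `JSON.parse` in `normalizeSecretsEnvValues` also succeeds on scalar-looking strings, so a secret written as `'12345678901234567890'`, `'true'` or `'null'` comes back as a number (with precision loss beyond 2^53), a boolean or `null` instead of the string the mesh author stored. The doc comment only talks about JSON blobs; if the tenant worker really applies `JSON.parse` to every bound value, this parity is intended and the comment should say so, e.g. `* Note: scalar JSON text ("123", "true", "null") is converted too, to match the worker.` If scalar parity is not required, keep the parsed result only when it is an object or array: `const parsed = JSON.parse(value);` followed by `return [key, parsed !== null && typeof parsed === 'object' ? parsed : value];`.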
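Review bot: A `secrets.yaml` whose top level is a list or a bare scalar still leaves `readSecretsFile` unchanged, because `parsed || {}` only covers an empty document and the guard in `normalizeSecretsEnvValues` returns non-mapping input as-is. Code that looks secrets up by key would then be reading array indices or string characters, so a shape check with its own log message is worth adding before the assignment, e.g. `if (parsed && (typeof parsed !== 'object' || Array.isArray(parsed))) logger.error('secrets.yaml must be a key/value mapping');`. The body of `readSecretsFile` starts and ends outside this hunk, so how `secrets` is initialised and returned is not visible here.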
From: Narendra Vyas
Date: Tue, 7 Apr 2026 18:33:47 +0530
Subject: [PATCH 2/5] chore: bumped version
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 3c34f397..8d6e7d8e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@adobe/aio-cli-plugin-api-mesh",
- "version": "5.6.3",
+ "version": "5.6.4-beta.1",
 "description": "Adobe I/O CLI plugin to develop and manage API mesh sources",
 "keywords": [
 "oclif-plugin"
From 5e61f2b75f46ea490bdc454d9c28bfd37010ce03 Mon Sep 17 00:00:00 2001
From: Narendra Vyas
Date: Mon, 13 Apr 2026 16:26:49 +0530
Subject: [PATCH 3/5] chore: added unit tests
---
 .../__tests__/readSecretsFile.test.js | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 src/commands/api-mesh/__tests__/readSecretsFile.test.js
diff --git a/src/commands/api-mesh/__tests__/readSecretsFile.test.js b/src/commands/api-mesh/__tests__/readSecretsFile.test.js
new file mode 100644
index 00000000..a22468bc
--- /dev/null
+++ b/src/commands/api-mesh/__tests__/readSecretsFile.test.js
@@ -0,0 +1,57 @@
+/*
+Copyright 2021 Adobe. All rights reserved.
+This file is licensed to you under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License. You may obtain a copy
+of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under
+the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+OF ANY KIND, either express or implied. See the License for the specific language
+governing permissions and limitations under the License.
+*/
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { readSecretsFile } = require('../../../serverUtils');
+const { loadMeshSecrets } = require('../../../secrets');
+
+describe('readSecretsFile', () => {
+ let tmp;
+ let prevCwd;
+
+ afterEach(() => {
+ if (prevCwd !== undefined) {
+ process.chdir(prevCwd);
+ prevCwd = undefined;
+ }
+ if (tmp) {
+ fs.rmSync(tmp, { recursive: true, force: true });
+ tmp = undefined;
+ }
+ });
+
+ test('parses JSON object strings in secrets.yaml like the tenant worker', () => {
+ tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'readSecretsFile-test-'));
+ const meshDir = path.join(tmp, '.mesh');
+ fs.mkdirSync(meshDir, { recursive: true });
+ fs.writeFileSync(
+ path.join(meshDir, 'secrets.yaml'),
+ `TOKEN: '{"COMMERCE": "dummy-value"}'\nPLAIN: not-json\n`,
+ 'utf8',
+ );
+ prevCwd = process.cwd();
+ process.chdir(tmp);
+
+ const secrets = readSecretsFile('.mesh');
+
+ expect(secrets.TOKEN).toEqual({ COMMERCE: 'dummy-value' });
+ expect(secrets.PLAIN).toBe('not-json');
+
+ const mockLogger = { error: jest.fn() };
+ const asWorkerSees = loadMeshSecrets(mockLogger, JSON.stringify(secrets));
+ expect(asWorkerSees.TOKEN.COMMERCE).toBe('dummy-value');
+ expect(asWorkerSees.PLAIN).toBe('not-json');
+ expect(mockLogger.error).not.toHaveBeenCalled();
+ });
+});
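Review bot: The fixture covers only a JSON object string and a non-JSON word, so the inputs where `JSON.parse` silently changes a secret's type are not pinned: strings such as `'123'`, `'true'`, `'null'` or a long digit-only token. Adding a fixture line like `NUMERIC: '12345678901234567890'` with an assertion on the intended result would lock in whichever behaviour is meant to match the worker. An empty `secrets.yaml` and a missing file are also untested. The test changes the process-wide working directory with `process.chdir`; since `readSecretsFile` builds its path with `path.resolve(process.cwd(), meshPath, 'secrets.yaml')`, passing the absolute directory, `const secrets = readSecretsFile(meshDir);`, would avoid that.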
From 74dbb8acea9c67266841615a6d7c57dbd45817b7 Mon Sep 17 00:00:00 2001
From: Peter Dohogne
Date: Tue, 14 Apr 2026 14:11:52 -0400
Subject: [PATCH 4/5] Update axios dependency (#295) * Update axios dependency * Adding provenance flag to github workflow for npm trusted publisher * Adding provenance flag to github workflow for npm trusted publisher
---
 .github/workflows/publish-to-npm.yml | 6 +++++-
 package.json | 4 ++--
 yarn.lock | 21 ++++++++++++---------
 3 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/publish-to-npm.yml b/.github/workflows/publish-to-npm.yml
index 7b0441c2..8b13ec30 100644
--- a/.github/workflows/publish-to-npm.yml
+++ b/.github/workflows/publish-to-npm.yml
@@ -10,6 +10,9 @@ jobs:
 publish:
 if: github.event.pull_request.merged == true
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # Required for OIDC
+ contents: read
 steps:
 - name: Checkout source
 uses: actions/checkout@v4
@@ -64,8 +67,9 @@ jobs:
 - name: Publish to npm
 if: ${{ steps.verify_version.outputs.version_tag != '' }}
- uses: JS-DevTools/npm-publish@v1
+ uses: JS-DevTools/npm-publish@v4
 with:
 token: ${{ secrets.ADOBE_BOT_NPM_TOKEN }}
 access: 'public'
 tag: ${{ steps.verify_version.outputs.version_tag }}
+ provenance: true
diff --git a/package.json b/package.json
index 3c34f397..800a4d31 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@adobe/aio-cli-plugin-api-mesh",
- "version": "5.6.3",
+ "version": "5.6.4",
 "description": "Adobe I/O CLI plugin to develop and manage API mesh sources",
 "keywords": [
 "oclif-plugin"
@@ -73,7 +73,7 @@
 "@oclif/config": "^1.15.1",
 "@oclif/core": "^1.14.1",
 "@oclif/errors": "^1.1.2",
- "axios": ">=1.2.0 <1.14.1 || ^1.14.2",
+ "axios": "^1.15.0",
 "chalk": "^4.1.0",
 "child_process": "^1.0.2",
 "compare-versions": "^6.1.1",
diff --git a/yarn.lock b/yarn.lock
index cabc370d..08124cce 100644
--- a/yarn.lock
+++ b/yarn.lock
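Review bot: The publish step references `JS-DevTools/npm-publish@v4` by a mutable tag while the job now holds `id-token: write` and is handed `secrets.ADOBE_BOT_NPM_TOKEN`, so any change to what that tag points at runs with the publish credential and can produce provenance for this package. Pin the action to a full commit SHA and keep the tag as a comment, e.g. `uses: JS-DevTools/npm-publish@<full-commit-sha> # v4`; the same applies to `actions/checkout@v4` in the first hunk's context. The commit message mentions npm trusted publishing, yet the long-lived token is still passed; if OIDC-based publishing is configured for the package, the `token` input may be removable, which should be confirmed against the action's documentation. Scoping `permissions` to the job with `contents: read` is a good least-privilege default.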
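Review bot: Raising the direct range to `^1.15.0` in the second package.json hunk does not touch the other axios copies in the tree: the yarn.lock context in this same commit still resolves `axios@^0.27.2` to 0.27.2 and `axios@^1.6.1` to 1.6.1 for other dependents. If the update is security-motivated (the commit message does not say), those older resolutions stay installed until the packages requesting them are upgraded or a `resolutions` entry overrides them. The lockfile also gains `plain-crypto-js@file:./_EXCLUDE_UNSAFE_DEPENDENCIES_/plain-crypto-js`, whose declaring entry is not in the package.json hunks shown; lockfile and `resolutions` overrides protect only installs of this repository, not consumers who install the published plugin, so the range in `dependencies` is the control that reaches them.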
@@ -4031,15 +4031,6 @@ axios-ntlm@^1.2.0: dev-null "^0.1.1" js-md4 "^0.3.2" -"axios@>=1.2.0 <1.14.1 || ^1.14.2": - version "1.14.0" - resolved "https://registry.yarnpkg.com/axios/-/axios-1.14.0.tgz#7c29f4cf2ea91ef05018d5aa5399bf23ed3120eb" - integrity sha512-3Y8yrqLSwjuzpXuZ0oIYZ/XGgLwUIBU3uLvbcpb0pidD9ctpShJd43KSlEEkVQg6DS0G9NKyzOvBfUtDKEyHvQ== - dependencies: - follow-redirects "^1.15.11" - form-data "^4.0.5" - proxy-from-env "^2.1.0" - axios@^0.27.2: version "0.27.2" resolved "https://registry.yarnpkg.com/axios/-/axios-0.27.2.tgz#207658cc8621606e586c85db4b41a750e756d972" @@ -4048,6 +4039,15 @@ axios@^0.27.2: follow-redirects "^1.14.9" form-data "^4.0.0" +axios@^1.15.0: + version "1.15.0" + resolved "https://registry.yarnpkg.com/axios/-/axios-1.15.0.tgz#0fcee91ef03d386514474904b27863b2c683bf4f" + integrity sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q== + dependencies: + follow-redirects "^1.15.11" + form-data "^4.0.5" + proxy-from-env "^2.1.0" + axios@^1.6.1: version "1.6.1" resolved "https://registry.yarnpkg.com/axios/-/axios-1.6.1.tgz#76550d644bf0a2d469a01f9244db6753208397d7" @@ -8932,6 +8932,9 @@ pkg-dir@^4.2.0: dependencies: find-up "^4.0.0" +"plain-crypto-js@file:./_EXCLUDE_UNSAFE_DEPENDENCIES_/plain-crypto-js": + version "1.0.0" + pluralize@^8.0.0: version "8.0.0" resolved "https://registry.yarnpkg.com/pluralize/-/pluralize-8.0.0.tgz#1a6fa16a38d12a1901e0320fa017051c539ce3b1" From 766115f8ab0cef4276e18ba2bb70086f8bb7ae00 Mon Sep 17 00:00:00 2001 From: Sumaiya Ajaz Date: Thu, 23 Apr 2026 16:43:25 +0530 Subject: [PATCH 5/5] chore: release stable version --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 0938fd6b..6a77921b 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@
 {
 "name": "@adobe/aio-cli-plugin-api-mesh",
- "version": "5.6.5-beta.1",
+ "version": "5.6.5",
 "description": "Adobe I/O CLI plugin to develop and manage API mesh sources",
 "keywords": [
 "oclif-plugin"