Problem description
The CAMARA Validation Framework run on PR #131 raised 32 hints across module schema files for missing field constraints required by the CAMARA API Design Guide §2.2:
- S-310 (
owasp:api4:2023-integer-format) — integer properties missing format: int32 or format: int64
- S-311 (
owasp:api4:2023-integer-limit-legacy) — integer properties missing minimum / maximum
- S-312 (
owasp:api4:2023-string-limit) — bounded string properties missing maxLength
The tables below list every affected occurrence with proposed starting values. Reviewers should comment on rows where domain knowledge or operator policy suggests different bounds — the values shown are reasonable defaults, not recommendations to lock in as-is.
Expected action
Single PR adds the proposed constraints to each row. Touches code/modules/Policy.yaml, code/modules/TrustDomains/TrustDomainCapabilities.yaml, code/modules/AccessDetail.yaml, code/modules/NAM_Common.yaml, code/modules/NetworkAccessDevices/NetworkAccessDevices.yaml, code/modules/TrustDomainDevices/TrustDomainDevices.yaml, code/modules/TrustDomains/TrustDomains.yaml.
Integer fields (S-310 + S-311)
| File:line |
Field |
Proposed format |
Proposed minimum |
Proposed maximum |
Rationale |
Policy.yaml:31 |
MaxDevicesPolicy (integer root) |
int32 |
1 |
1024 |
Operator-defined cap; 1024 covers residential + small commercial |
Policy.yaml:40 |
MaxDomainDownstreamRatePolicy.value |
int64 |
0 |
10000000 |
Rate in unit (typically Kbps); 10 Gbps ≈ 10,000,000 Kbps |
Policy.yaml:58 |
MaxDomainUpstreamRatePolicy.value |
int64 |
0 |
10000000 |
Same as downstream |
TrustDomainCapabilities.yaml:130 |
MaxDevicesPolicyCapability.maxValue |
int32 |
1 |
1024 |
Mirror MaxDevicesPolicy |
TrustDomainCapabilities.yaml:135 |
MaxDevicesPolicyCapability.minValue |
int32 |
1 |
1024 |
Mirror |
TrustDomainCapabilities.yaml:148 |
BandwidthPolicyCapability.maxValue |
int64 |
0 |
10000000 |
Same as rate policies |
TrustDomainCapabilities.yaml:153 |
BandwidthPolicyCapability.minValue |
int64 |
0 |
10000000 |
Mirror |
TrustDomainCapabilities.yaml:166 |
EgressPolicyCapability.maxEntries |
int32 |
1 |
1024 |
Reasonable ACL size cap |
TrustDomainCapabilities.yaml:217 |
ThreadAccessTypeProperties.supportedChannels.min |
int32 |
11 |
26 |
IEEE 802.15.4 channels for Thread 2.4 GHz |
TrustDomainCapabilities.yaml:223 |
supportedChannels.max |
int32 |
11 |
26 |
Same band |
TrustDomainCapabilities.yaml:241 |
networkNameConstraints.minLength |
int32 |
1 |
16 |
Thread spec: network name 1–16 bytes |
TrustDomainCapabilities.yaml:245 |
networkNameConstraints.maxLength |
int32 |
1 |
16 |
Same |
TrustDomainCapabilities.yaml:253 |
maxDatasetLength |
int32 |
1 |
254 |
Thread TLV operational dataset ≤ ~254 bytes |
TrustDomainCapabilities.yaml:263 |
PasswordConstraints.minLength |
int32 |
8 |
63 |
WPA2/WPA3 Personal range |
TrustDomainCapabilities.yaml:268 |
PasswordConstraints.maxLength |
int32 |
8 |
63 |
Same |
AccessDetail.yaml:142 |
ThreadStructuredAccessDetail.channel |
int32 |
11 |
26 |
Thread channel range |
String fields (S-312)
| File:line |
Field |
Proposed maxLength |
Rationale |
NAM_Common.yaml:35 |
DateTime |
30 |
RFC 3339 with timezone (e.g. 2023-07-03T14:27:08.312+02:00 = 29 chars) |
AccessDetail.yaml:148 |
ThreadStructuredAccessDetail.extendedPanId |
16 |
Thread 64-bit ID = 16 hex chars |
AccessDetail.yaml:153 |
ThreadStructuredAccessDetail.networkKey |
32 |
Thread 128-bit AES key = 32 hex chars |
AccessDetail.yaml:164 |
ThreadStructuredAccessDetail.panId |
4 |
Thread 16-bit ID = 4 hex chars |
NetworkAccessDevices.yaml:81 |
hardwareAddress.value (oneOf variant) |
17 |
MAC xx:xx:xx:xx:xx:xx = 17 chars |
Policy.yaml:75 |
EgressAllowedListPolicy.items |
253 |
FQDN max per RFC 1035 |
TrustDomainDevices.yaml:294 |
TrustDomainDeviceUpdate.hardwareAddress.value |
17 |
MAC |
TrustDomains.yaml:76 |
TrustDomainUpdate.name |
64 |
Human-readable Trust Domain name cap |
TrustDomains.yaml:80 |
TrustDomainUpdate.description |
255 |
Free-form description, reasonable cap |
Additional context
Problem description
The CAMARA Validation Framework run on PR #131 raised 32 hints across module schema files for missing field constraints required by the CAMARA API Design Guide §2.2:
owasp:api4:2023-integer-format) — integer properties missingformat: int32orformat: int64owasp:api4:2023-integer-limit-legacy) — integer properties missingminimum/maximumowasp:api4:2023-string-limit) — bounded string properties missingmaxLengthThe tables below list every affected occurrence with proposed starting values. Reviewers should comment on rows where domain knowledge or operator policy suggests different bounds — the values shown are reasonable defaults, not recommendations to lock in as-is.
Expected action
Single PR adds the proposed constraints to each row. Touches
code/modules/Policy.yaml,code/modules/TrustDomains/TrustDomainCapabilities.yaml,code/modules/AccessDetail.yaml,code/modules/NAM_Common.yaml,code/modules/NetworkAccessDevices/NetworkAccessDevices.yaml,code/modules/TrustDomainDevices/TrustDomainDevices.yaml,code/modules/TrustDomains/TrustDomains.yaml.Integer fields (S-310 + S-311)
formatminimummaximumPolicy.yaml:31MaxDevicesPolicy(integer root)Policy.yaml:40MaxDomainDownstreamRatePolicy.valueunit(typically Kbps); 10 Gbps ≈ 10,000,000 KbpsPolicy.yaml:58MaxDomainUpstreamRatePolicy.valueTrustDomainCapabilities.yaml:130MaxDevicesPolicyCapability.maxValueMaxDevicesPolicyTrustDomainCapabilities.yaml:135MaxDevicesPolicyCapability.minValueTrustDomainCapabilities.yaml:148BandwidthPolicyCapability.maxValueTrustDomainCapabilities.yaml:153BandwidthPolicyCapability.minValueTrustDomainCapabilities.yaml:166EgressPolicyCapability.maxEntriesTrustDomainCapabilities.yaml:217ThreadAccessTypeProperties.supportedChannels.minTrustDomainCapabilities.yaml:223supportedChannels.maxTrustDomainCapabilities.yaml:241networkNameConstraints.minLengthTrustDomainCapabilities.yaml:245networkNameConstraints.maxLengthTrustDomainCapabilities.yaml:253maxDatasetLengthTrustDomainCapabilities.yaml:263PasswordConstraints.minLengthTrustDomainCapabilities.yaml:268PasswordConstraints.maxLengthAccessDetail.yaml:142ThreadStructuredAccessDetail.channelString fields (S-312)
maxLengthNAM_Common.yaml:35DateTime2023-07-03T14:27:08.312+02:00= 29 chars)AccessDetail.yaml:148ThreadStructuredAccessDetail.extendedPanIdAccessDetail.yaml:153ThreadStructuredAccessDetail.networkKeyAccessDetail.yaml:164ThreadStructuredAccessDetail.panIdNetworkAccessDevices.yaml:81hardwareAddress.value(oneOf variant)xx:xx:xx:xx:xx:xx= 17 charsPolicy.yaml:75EgressAllowedListPolicy.itemsTrustDomainDevices.yaml:294TrustDomainDeviceUpdate.hardwareAddress.valueTrustDomains.yaml:76TrustDomainUpdate.nameTrustDomains.yaml:80TrustDomainUpdate.descriptionAdditional context
PropertyAddress.addressLine1, etc.) are intentionally excluded — Spectral's own suggestion text says "Acceptable if free-form field or implementation-dependent — no fix needed."