fix: support sandbox-api-host and mrtApiKey in config sources (#112)

* fix: support sandbox-api-host in config sources like dw.json

The sandbox-api-host parameter was missing from the config resolution
pipeline - it only worked as a CLI flag or env var. Add it to
DwJsonConfig, NormalizedConfig, mapping, merge, and OdsCommand's
loadConfiguration() so it works from all config sources.

* fix: add sandboxApiHost to PackageJsonSource allowed fields

* docs: update configuration tables with missing fields

Add missing entries to env vars table (SFCC_SHORTCODE, SFCC_TENANT_ID,
SFCC_ACCOUNT_MANAGER_HOST, SFCC_WEBDAV_SERVER, SFCC_SANDBOX_API_HOST,
MRT vars), dw.json fields table (tenant-id, account-manager-host,
sandbox-api-host, MRT fields), and package.json table (sandboxApiHost).

* feat: support mrtApiKey in dw.json config source

Add mrtApiKey to DwJsonConfig interface and dw.json mapping so MRT API
key can be configured in dw.json alongside mrtProject/mrtEnvironment.

* fix: handle undefined resolvedConfig in odsHost getter

Use optional chaining on resolvedConfig in the odsHost getter so it
falls back to DEFAULT_ODS_HOST when resolvedConfig isn't yet populated
(e.g. in unit tests that stub commands without full init).

* feat: normalize config keys to accept both camelCase and kebab-case

Add normalizeConfigKeys() utility that resolves all key variants to
canonical camelCase at load boundaries (loadDwJson, PackageJsonSource).
Users can now use either format in dw.json and package.json b2c config.

* fix: add sandboxApiHost to setup config display and export normalizeConfigKeys

Author: clavery

.changeset/normalize-config-field-names.md

@@ -0,0 +1,5 @@
+---
+'@salesforce/b2c-tooling-sdk': minor
+---
+
+Accept both camelCase and kebab-case for all field names in dw.json and package.json `b2c` config. For example, `clientId` and `client-id` are now equivalent everywhere. Legacy aliases like `server`, `passphrase`, and `selfsigned` continue to work.

.changeset/sandbox-api-host-config-sources.md

@@ -0,0 +1,5 @@
+---
+'@salesforce/b2c-tooling-sdk': patch
+---
+
+Support `sandbox-api-host` in dw.json and other config sources (previously only worked as a CLI flag or environment variable)

docs/guide/configuration.md

@@ -61,16 +61,25 @@ You can configure the CLI using environment variables:
 | `SFCC_CONFIG` | Path to config file (dw.json format) |
 | `SFCC_INSTANCE` | Instance name from config file |
 | `SFCC_SERVER` | The B2C instance hostname |
+| `SFCC_WEBDAV_SERVER` | Separate hostname for WebDAV (if different from main hostname) |
+| `SFCC_CODE_VERSION` | Code version for deployments |
 | `SFCC_CLIENT_ID` | OAuth client ID |
 | `SFCC_CLIENT_SECRET` | OAuth client secret |
+| `SFCC_OAUTH_SCOPES` | OAuth scopes to request |
+| `SFCC_AUTH_METHODS` | Comma-separated list of allowed auth methods |
+| `SFCC_SHORTCODE` | SCAPI short code |
+| `SFCC_TENANT_ID` | Organization/tenant ID for SCAPI |
+| `SFCC_ACCOUNT_MANAGER_HOST` | Account Manager hostname for OAuth |
 | `SFCC_USERNAME` | Basic auth username |
 | `SFCC_PASSWORD` | Basic auth password |
-| `SFCC_AUTH_METHODS` | Comma-separated list of allowed auth methods |
-| `SFCC_OAUTH_SCOPES` | OAuth scopes to request |
-| `SFCC_CODE_VERSION` | Code version for deployments |
 | `SFCC_CERTIFICATE` | Path to PKCS12 certificate for two-factor auth (mTLS) |
 | `SFCC_CERTIFICATE_PASSPHRASE` | Passphrase for the certificate |
 | `SFCC_SELFSIGNED` | Allow self-signed server certificates |
+| `SFCC_SANDBOX_API_HOST` | ODS (sandbox) API hostname |
+| `SFCC_MRT_API_KEY` | MRT API key |
+| `SFCC_MRT_PROJECT` | MRT project slug |
+| `SFCC_MRT_ENVIRONMENT` | MRT environment name |
+| `SFCC_MRT_CLOUD_ORIGIN` | MRT API origin URL override |
 
 ## .env File
 
@@ -91,6 +100,10 @@ Add `.env` to your `.gitignore` to avoid committing credentials.
 
 You can create a `dw.json` file to store instance settings. The CLI searches for this file starting from the current directory and walking up the directory tree.
 
+::: tip Flexible Field Names
+Both camelCase and kebab-case are accepted for all field names in `dw.json`. For example, `client-id` and `clientId` are equivalent, as are `code-version` and `codeVersion`. Legacy aliases like `server` (for `hostname`) and `passphrase` (for `certificatePassphrase`) are also still supported.
+:::
+
 ### Single Instance
 
 ```json
@@ -144,7 +157,7 @@ If no instance is specified, the config with `"active": true` is used.
 
 | Field | Description |
 |-------|-------------|
-| `hostname` | B2C instance hostname |
+| `hostname` | B2C instance hostname. Also accepts `server`. |
 | `webdav-hostname` | Separate hostname for WebDAV (if different from main hostname). Also accepts `webdav-server`, `secureHostname`, or `secure-server`. |
 | `code-version` | Code version for deployments |
 | `client-id` | OAuth client ID |
@@ -153,7 +166,14 @@ If no instance is specified, the config with `"active": true` is used.
 | `password` | Basic auth access key (WebDAV) |
 | `oauth-scopes` | OAuth scopes (array of strings) |
 | `auth-methods` | Authentication methods in priority order (array of strings) |
+| `account-manager-host` | Account Manager hostname for OAuth |
 | `shortCode` | SCAPI short code. Also accepts `short-code` or `scapi-shortcode`. |
+| `tenant-id` | Organization/tenant ID for SCAPI |
+| `sandbox-api-host` | ODS (sandbox) API hostname |
+| `mrtApiKey` | MRT API key |
+| `mrtProject` | MRT project slug |
+| `mrtEnvironment` | MRT environment name |
+| `mrtOrigin` | MRT API origin URL override. Also accepts `cloudOrigin`. |
 | `certificate` | Path to PKCS12 certificate for two-factor auth (mTLS) |
 | `certificate-passphrase` | Passphrase for the certificate. Also accepts `passphrase`. |
 | `self-signed` | Allow self-signed server certificates. Also accepts `selfsigned`. |
@@ -177,7 +197,7 @@ For instances that require client certificate authentication:
 The certificate must be in PKCS12 format (`.p12` or `.pfx`). The `self-signed` option is often needed for staging environments with internal certificates.
 
 ::: tip MRT Configuration
-Managed Runtime API key is not stored in `dw.json`. It is loaded from `~/.mobify`. You can specify `mrtProject` and `mrtEnvironment` in `dw.json` for project/environment selection.
+MRT API key can also be loaded from `~/.mobify`. See [MRT API Key](#mrt-api-key) below.
 :::
 
 For multi-instance configurations, each config object also supports:
@@ -206,7 +226,7 @@ You can store project-level defaults in your `package.json` file under the `b2c`
 
 ### Allowed Fields
 
-Only non-sensitive, project-level fields can be configured in `package.json`:
+Only non-sensitive, project-level fields can be configured in `package.json`. Both camelCase and kebab-case are accepted (e.g., `shortCode` or `short-code`):
 
 | Field | Description |
 |-------|-------------|
@@ -215,6 +235,7 @@ Only non-sensitive, project-level fields can be configured in `package.json`:
 | `mrtProject` | MRT project slug |
 | `mrtOrigin` | MRT API origin URL override |
 | `accountManagerHost` | Account Manager hostname for OAuth |
+| `sandboxApiHost` | ODS (sandbox) API hostname |
 
 ::: warning Security Note
 Sensitive fields like `hostname`, `password`, `clientSecret`, `username`, and `mrtApiKey` are intentionally **not** supported in `package.json`. These should be configured via `dw.json` (which should be in `.gitignore`), environment variables, or secure credential stores.

packages/b2c-cli/src/commands/setup/config.ts

@@ -186,6 +186,7 @@ export default class SetupConfig extends BaseCommand<typeof SetupConfig> {
         ['scopes', config.scopes],
         ['authMethods', config.authMethods],
         ['accountManagerHost', config.accountManagerHost],
+        ['sandboxApiHost', config.sandboxApiHost],
       ],
       fieldSources,
       unmask,

packages/b2c-tooling-sdk/src/cli/config.ts

@@ -67,6 +67,21 @@ export function extractOAuthFlags(flags: ParsedFlags): Partial<NormalizedConfig>
   };
 }
 
+/**
+ * Extracts ODS-related configuration from oclif flags.
+ *
+ * Includes OAuth flags since ODS operations require OAuth authentication.
+ *
+ * @param flags - Parsed oclif flags
+ * @returns Partial NormalizedConfig with ODS and OAuth fields
+ */
+export function extractOdsFlags(flags: ParsedFlags): Partial<NormalizedConfig> {
+  return {
+    sandboxApiHost: flags['sandbox-api-host'] as string | undefined,
+    ...extractOAuthFlags(flags),
+  };
+}
+
 /**
  * Extracts B2C instance-related configuration from oclif flags.
  *

packages/b2c-tooling-sdk/src/cli/ods-command.ts

@@ -5,6 +5,8 @@
  */
 import {Command, Flags} from '@oclif/core';
 import {OAuthCommand} from './oauth-command.js';
+import {loadConfig, extractOdsFlags} from './config.js';
+import type {ResolvedB2CConfig} from '../config/index.js';
 import {createOdsClient, type OdsClient} from '../clients/ods.js';
 import {DEFAULT_ODS_HOST} from '../defaults.js';
 import {isUuid, parseFriendlySandboxId, SandboxNotFoundError} from '../operations/ods/sandbox-lookup.js';
@@ -41,6 +43,14 @@ export abstract class OdsCommand<T extends typeof Command> extends OAuthCommand<
     }),
   };
 
+  protected override loadConfiguration(): ResolvedB2CConfig {
+    return loadConfig(
+      extractOdsFlags(this.flags as Record<string, unknown>),
+      this.getBaseConfigOptions(),
+      this.getPluginSources(),
+    );
+  }
+
   private _odsClient?: OdsClient;
 
   /**
@@ -81,7 +91,7 @@ export abstract class OdsCommand<T extends typeof Command> extends OAuthCommand<
    * Gets the configured ODS API host.
    */
   protected get odsHost(): string {
-    return this.flags['sandbox-api-host'] ?? DEFAULT_ODS_HOST;
+    return this.resolvedConfig?.values.sandboxApiHost ?? DEFAULT_ODS_HOST;
   }
 
   /**

packages/b2c-tooling-sdk/src/config/dw-json.ts

@@ -15,10 +15,18 @@ import * as fs from 'node:fs';
 import * as path from 'node:path';
 import type {AuthMethod} from '../auth/types.js';
 import {getLogger} from '../logging/logger.js';
+import {normalizeConfigKeys} from './mapping.js';
 
 /**
- * Configuration structure matching dw.json file format.
- * Uses kebab-case keys to match the file format.
+ * Configuration structure for dw.json after key normalization.
+ *
+ * All keys are normalized to camelCase by `normalizeConfigKeys()` when loading.
+ * Both camelCase and kebab-case are accepted in the raw file; the interface
+ * documents the canonical (post-normalization) field names.
+ *
+ * Legacy aliases (e.g., `server`, `secureHostname`, `passphrase`, `selfsigned`,
+ * `cloudOrigin`, `scapi-shortcode`) are also accepted and mapped to their
+ * canonical names during normalization.
  */
 export interface DwJsonConfig {
   /** Instance name (for multi-config files) */
@@ -27,58 +35,44 @@ export interface DwJsonConfig {
   active?: boolean;
   /** B2C instance hostname */
   hostname?: string;
-  /** B2C instance hostname (alias for CLI flag consistency) */
-  server?: string;
   /** Code version for deployments */
-  'code-version'?: string;
+  codeVersion?: string;
   /** Username for Basic auth (WebDAV) */
   username?: string;
   /** Password/access-key for Basic auth (WebDAV) */
   password?: string;
   /** OAuth client ID */
-  'client-id'?: string;
+  clientId?: string;
   /** OAuth client secret */
-  'client-secret'?: string;
+  clientSecret?: string;
   /** OAuth scopes */
-  'oauth-scopes'?: string[];
-  /** SCAPI short code (kebab-case) */
-  'short-code'?: string;
-  /** SCAPI short code (camelCase) */
+  oauthScopes?: string[];
+  /** SCAPI short code */
   shortCode?: string;
-  /** SCAPI short code (alternate kebab-case) */
-  'scapi-shortcode'?: string;
   /** Alternate hostname for WebDAV (if different from main hostname) */
-  'webdav-hostname'?: string;
-  /** Alternate hostname for WebDAV (matches CLI flag name) */
-  'webdav-server'?: string;
-  /** Alternate hostname for WebDAV (legacy camelCase format) */
-  secureHostname?: string;
-  /** Alternate hostname for WebDAV (legacy kebab-case format) */
-  'secure-server'?: string;
+  webdavHostname?: string;
   /** Allowed authentication methods in priority order */
-  'auth-methods'?: AuthMethod[];
+  authMethods?: AuthMethod[];
   /** Account Manager hostname for OAuth */
-  'account-manager-host'?: string;
+  accountManagerHost?: string;
   /** MRT project slug */
   mrtProject?: string;
   /** MRT environment name (e.g., staging, production) */
   mrtEnvironment?: string;
+  /** MRT API key */
+  mrtApiKey?: string;
   /** MRT cloud origin URL */
   mrtOrigin?: string;
-  /** MRT cloud origin URL (alias) */
-  cloudOrigin?: string;
   /** Tenant/Organization ID for SCAPI */
-  'tenant-id'?: string;
+  tenantId?: string;
+  /** ODS API hostname */
+  sandboxApiHost?: string;
   /** Path to PKCS12 certificate file for mTLS (two-factor auth) */
   certificate?: string;
-  /** Passphrase for the certificate (kebab-case) */
-  'certificate-passphrase'?: string;
-  /** Passphrase for the certificate (legacy) */
-  passphrase?: string;
-  /** Allow self-signed certificates (kebab-case) */
-  'self-signed'?: boolean;
-  /** Allow self-signed certificates (legacy) */
-  selfsigned?: boolean;
+  /** Passphrase for the certificate */
+  certificatePassphrase?: string;
+  /** Whether to skip SSL/TLS certificate verification (self-signed certs) */
+  selfSigned?: boolean;
 }
 
 /**
@@ -243,8 +237,19 @@ export function loadDwJson(options: LoadDwJsonOptions = {}): LoadDwJsonResult |
 
   try {
     const content = fs.readFileSync(dwJsonPath, 'utf8');
-    const json = JSON.parse(content) as DwJsonMultiConfig;
-    const config = selectConfig(json, options.instance);
+    const raw = JSON.parse(content) as Record<string, unknown>;
+
+    // Normalize root-level keys to camelCase
+    const normalized = normalizeConfigKeys(raw) as DwJsonMultiConfig;
+
+    // Normalize keys in each configs[] item
+    if (Array.isArray(normalized.configs)) {
+      normalized.configs = normalized.configs.map(
+        (item) => normalizeConfigKeys(item as Record<string, unknown>) as DwJsonConfig,
+      );
+    }
+
+    const config = selectConfig(normalized, options.instance);
     if (!config) {
       return undefined;
     }

packages/b2c-tooling-sdk/src/config/index.ts

@@ -113,7 +113,7 @@ export type {
 } from './types.js';
 
 // Instance creation utility (public API for CLI commands)
-export {createInstanceFromConfig} from './mapping.js';
+export {createInstanceFromConfig, normalizeConfigKeys} from './mapping.js';
 
 // Low-level dw.json API (still available for advanced use)
 export {loadDwJson, findDwJson} from './dw-json.js';