configuration-management 0.1.0

package/README.md

@@ -0,0 +1,199 @@
+# configuration-management
+
+Schema-driven system configuration for **Adobe Commerce** and **Adobe App Builder** sync applications.
+
+Mirrors Magento's `core_config_data` model: scoped configuration (`default` / `websites` / `stores`) stored in **Adobe App Builder Database (ABDB)** with AES-256-GCM encryption for sensitive fields.
+
+## Install
+
+```bash
+npm install configuration-management
+```
+
+Your App Builder project must also have Adobe I/O runtime dependencies installed (peer dependencies):
+
+```bash
+npm install @adobe/aio-lib-core-auth @adobe/aio-lib-db @adobe/aio-lib-ims @adobe/aio-sdk dotenv
+```
+
+For the React Admin UI, also install Spectrum and React peers:
+
+```bash
+npm install react react-dom @adobe/react-spectrum @adobe/uix-guest @adobe/exc-app react-router-dom react-error-boundary @spectrum-icons/workflow
+```
+
+## Quick start
+
+Read a config value from ABDB inside an App Builder action:
+
+```js
+const { getConfig } = require('configuration-management')
+
+async function main (params) {
+  const apiUrl = await getConfig('sync_general/api/url', params, {
+    scope: 'websites',
+    scopeCode: 'base'
+  })
+  // ...
+}
+```
+
+## API
+
+### Config resolution
+
+| Export | Description |
+|--------|-------------|
+| `getConfig(path, params, options)` | Read a value with Magento-style scope inheritance |
+| `clearAbdbConfigCache()` | Clear the in-process lookup cache |
+
+### ABDB helpers (`configuration-management/abdb`)
+
+| Export | Description |
+|--------|-------------|
+| `getClient(params, options)` | Connect to ABDB using IMS credentials from action params |
+| `withDbClient(params, fn, options)` | Run work with auto-close |
+| `findOne`, `insertOne`, `updateOne`, … | Mongo-style collection helpers |
+
+### Scope / path model (`configuration-management/shared`)
+
+| Export | Description |
+|--------|-------------|
+| `toStateKey(scope, scopeId, path)` | Encode `section/group/field` as ABDB document `_id` |
+| `buildInheritanceChain(scope, scopeId, parentWebsiteId)` | Magento-style fallback chain |
+| `isValidPath`, `normalizeScope`, `normalizeScopeId` | Validation helpers |
+
+### Encryption (`configuration-management/crypto`)
+
+| Export | Description |
+|--------|-------------|
+| `encrypt(plaintext, params)` | AES-256-GCM encrypt for at-rest storage |
+| `decrypt(ciphertext, params)` | Decrypt stored values |
+| `isEncrypted(value)` | Detect `enc:v1:` wire format |
+
+### Commerce REST (`configuration-management/oauth1a`)
+
+| Export | Description |
+|--------|-------------|
+| `getCommerceOauthClient(options, logger)` | OAuth 1.0a client for Adobe Commerce REST API |
+
+### React Admin UI (`configuration-management/web`)
+
+Spectrum-based Commerce Admin extension UI for schema-driven system configuration.
+
+```js
+import { createRoot } from 'react-dom/client'
+import {
+  ConfigurationManagementApp,
+  configureWeb,
+  SystemConfig
+} from 'configuration-management/web'
+import actionUrls from './config.json' // deploy-time URLs from aio app deploy
+import 'configuration-management/web/styles.css'
+
+configureWeb({ actionUrls })
+
+createRoot(document.getElementById('root')).render(
+  <ConfigurationManagementApp runtime={runtime} ims={ims} />
+)
+```
+
+| Export | Description |
+|--------|-------------|
+| `ConfigurationManagementApp` | Full app shell (router + Spectrum provider + UIX registration) |
+| `SystemConfig` | Dynamic config form UI |
+| `SystemConfigSchemaEditor` | Schema designer |
+| `useSystemConfig`, `useSystemConfigSchema` | Data hooks |
+| `configureWeb({ actionUrls, extensionId, actionKeys })` | Wire deploy-time action URLs before render |
+
+Styles: `import 'configuration-management/web/styles.css'`
+
+### App Builder actions (`configuration-management/actions`)
+
+OpenWhisk runtime actions and the Commerce Admin extension manifest ship with the package.
+
+#### Automatic wiring on `npm install`
+
+The package runs a **postinstall** script that patches your project's `app.config.yaml`
+(if it exists) with:
+
+```yaml
+extensions:
+  commerce/backend-ui/1:
+    $include: node_modules/configuration-management/actions/configurations/ext.config.yaml
+```
+
+Requirements:
+
+- Run `npm install` from your App Builder project root (where `app.config.yaml` lives).
+- Do not use `npm install --ignore-scripts` (that skips postinstall).
+
+Opt out for a single install:
+
+```bash
+CONFIGURATION_MANAGEMENT_SKIP_SETUP=1 npm install configuration-management
+```
+
+Re-run manually anytime:
+
+```bash
+npx configuration-management-setup
+```
+
+#### Manual wiring
+
+If you prefer to edit `app.config.yaml` yourself:
+
+```yaml
+extensions:
+  commerce/backend-ui/1:
+    $include: node_modules/configuration-management/actions/configurations/ext.config.yaml
+```
+
+The bundled `ext.config.yaml` declares all actions under the `ConfigurationManagement` package
+(`system-config-list`, `system-config-save`, `system-config-schema`, `export-config`,
+`import-config`, `commerce-rest-get`, `sync-store-mappings-from-commerce`) plus admin menu
+`registration`. It expects a `web-src/` folder at your project root for the UI shell.
+
+**Minimal host project layout:**
+
+```
+my-app/
+├── app.config.yaml          ← $include ext.config from node_modules (above)
+├── web-src/
+│   ├── index.html
+│   └── src/
+│       ├── index.js         ← import ConfigurationManagementApp + configureWeb
+│       └── config.json      ← generated by aio app deploy
+├── .env
+└── package.json             ← depends on configuration-management
+```
+
+Action helper utilities are also exported for custom actions:
+
+```js
+const { errorResponse, checkMissingRequestInputs } = require('configuration-management/actions/utils')
+```
+
+## Environment / action inputs
+
+| Variable | Purpose |
+|----------|---------|
+| `AIO_DB_REGION` | ABDB region (`amer`, `emea`, …) |
+| `OAUTH_CLIENT_ID`, `OAUTH_CLIENT_SECRET`, `OAUTH_ORG_ID`, `OAUTH_SCOPES` | IMS credentials for ABDB |
+| `SYSTEM_CONFIG_CRYPT_KEY` | Preferred encryption key (fallback: `OAUTH_CLIENT_SECRET`) |
+| `COMMERCE_BASE_URL`, `COMMERCE_CONSUMER_*`, `COMMERCE_ACCESS_TOKEN*` | Commerce REST (for scope code resolution) |
+
+## Storage model
+
+Documents in the `system_config_data` collection:
+
+```
+{ _id, scope, scope_id, path, value, createdAt, updatedAt }
+```
+
+Config paths use the format `section/group/field` (e.g. `sync_general/api/url`).
+
+## License
+
+Apache-2.0

package/actions/configurations/commerce/index.js

@@ -0,0 +1,55 @@
+/*
+Copyright 2025 Adobe. All rights reserved.
+This file is licensed to you under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License. You may obtain a copy
+of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under
+the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+OF ANY KIND, either express or implied. See the License for the specific language
+governing permissions and limitations under the License.
+*/
+
+const { Core } = require('@adobe/aio-sdk')
+const { errorResponse, checkMissingRequestInputs } = require('../../utils')
+const { getCommerceOauthClient } = require('configuration-management/oauth1a')
+
+async function main(params) {
+    const logger = Core.Logger('main', { level: params.LOG_LEVEL || 'info' })
+
+    try {
+        const requiredParams = ['operation', 'COMMERCE_BASE_URL']
+        const requiredHeaders = ['Authorization']
+        const errorMessage = checkMissingRequestInputs(params, requiredParams, requiredHeaders)
+        if (errorMessage) {
+            // return and log client errors
+            return errorResponse(400, errorMessage, logger)
+        }
+
+        const { operation } = params
+        const oauth = getCommerceOauthClient(
+            {
+                url: params.COMMERCE_BASE_URL,
+                consumerKey: params.COMMERCE_CONSUMER_KEY,
+                consumerSecret: params.COMMERCE_CONSUMER_SECRET,
+                accessToken: params.COMMERCE_ACCESS_TOKEN,
+                accessTokenSecret: params.COMMERCE_ACCESS_TOKEN_SECRET
+            },
+            logger
+        )
+
+        const content = await oauth.get(operation)
+
+        return {
+            statusCode: 200,
+            body: content
+        }
+    } catch (error) {
+        // log any server errors
+        logger.error(error)
+        // return with 500
+        return errorResponse(500, error, logger)
+    }
+}
+
+exports.main = main

package/actions/configurations/export-config/index.js

@@ -0,0 +1,259 @@
+/*
+Copyright 2025 Adobe. All rights reserved.
+This file is licensed to you under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License. You may obtain a copy
+of the License at http://www.apache.org/licenses/LICENSE-2.0
+*/
+
+// Export the entire system_config (schema + values) to a portable JSON
+// document. The result includes:
+//   - schema  : the document stored under system_config_schema._id = 'v1'
+//   - values  : every row in system_config_data, as { scope, scope_id, path, value }
+//   - meta    : timestamp + counts so the operator can sanity-check the dump
+//
+// Sensitive fields are exported as their ENCRYPTED ciphertext so the dump is
+// safe to share, but it can only be re-imported into a workspace whose
+// SYSTEM_CONFIG_CRYPT_KEY matches the one used when these values were saved.
+//
+// Trigger from the UI's "Export → JSON" button, or invoke directly:
+//   POST .../system-config-export
+//   body: {}                         → full dump
+//   body: { schemaOnly: true }       → omit values
+//   body: { valuesOnly: true }       → omit schema
+//   body: { scopes: ['default','websites'] } → filter by scope tuple
+//
+// Response: { ok, dump }, where `dump` is the JSON the caller saves as a file.
+
+const { Core } = require('@adobe/aio-sdk')
+const { errorResponse } = require('../../utils')
+const { getClient } = require('configuration-management/abdb')
+const { isEncrypted, decrypt } = require('configuration-management/crypto')
+const { getCommerceOauthClient } = require('configuration-management/oauth1a')
+
+const SCHEMA_COLLECTION = 'system_config_schema'
+const SCHEMA_DOC_ID = 'v1'
+const DATA_COLLECTION = 'system_config_data'
+// Bumped to v2 when we started decrypting sensitive values into plaintext on
+// export. Importers ≥ v2 know to re-encrypt with the target env's key.
+const EXPORT_VERSION = 2
+
+/**
+ * Walk a schema doc and return the set of "section/group/field" paths whose
+ * field is marked `sensitive: true`. Used by both export (decide what to
+ * decrypt) and import (decide what to re-encrypt against the target's key).
+ */
+function deriveLanguageCode (code) {
+  const m = String(code || '').toLowerCase().match(/^([a-z]{2})_/)
+  return m ? m[1] : 'en'
+}
+
+/**
+ * Build a Commerce-style store_mappings blob from live REST data:
+ *   { storeId: { code, language_code, website_code, website_id } }
+ * Returns null if Commerce credentials aren't configured or the call fails.
+ * Embedding this in every export lets cross-env imports translate
+ * website_id / store_id by matching `website_code` / store `code` against the
+ * target env's own Commerce, regardless of whether sync-store-mappings was
+ * ever run on the source.
+ */
+async function fetchSourceStoreMappingsFromCommerce (params, logger) {
+  if (!params.COMMERCE_BASE_URL || !params.COMMERCE_CONSUMER_KEY) return null
+  try {
+    const oauth = getCommerceOauthClient({
+      url: params.COMMERCE_BASE_URL,
+      consumerKey: params.COMMERCE_CONSUMER_KEY,
+      consumerSecret: params.COMMERCE_CONSUMER_SECRET,
+      accessToken: params.COMMERCE_ACCESS_TOKEN,
+      accessTokenSecret: params.COMMERCE_ACCESS_TOKEN_SECRET
+    }, logger)
+    const [storeViews, websites] = await Promise.all([
+      oauth.get('store/storeViews'),
+      oauth.get('store/websites')
+    ])
+    const websiteById = new Map()
+    for (const w of websites || []) {
+      if (w && w.id != null) websiteById.set(String(w.id), w)
+    }
+    const mapping = {}
+    for (const sv of storeViews || []) {
+      if (!sv || sv.id == null) continue
+      const storeId = String(sv.id)
+      if (storeId === '0' || sv.code === 'admin') continue
+      const websiteId = sv.website_id != null ? String(sv.website_id) : ''
+      const website = websiteById.get(websiteId)
+      mapping[storeId] = {
+        code: String(sv.code || ''),
+        language_code: deriveLanguageCode(sv.code),
+        website_code: website ? String(website.code || '') : '',
+        website_id: websiteId
+      }
+    }
+    return Object.keys(mapping).length ? mapping : null
+  } catch (err) {
+    if (logger) logger.warn(`Export: Commerce store_mappings lookup failed: ${err.message}`)
+    return null
+  }
+}
+
+function collectSensitivePaths (schema) {
+  const out = new Set()
+  if (!schema || !Array.isArray(schema.sections)) return out
+  for (const s of schema.sections) {
+    if (!s || !Array.isArray(s.groups)) continue
+    for (const g of s.groups) {
+      if (!g || !Array.isArray(g.fields)) continue
+      for (const f of g.fields) {
+        if (f && f.sensitive) out.add(`${s.id}/${g.id}/${f.id}`)
+      }
+    }
+  }
+  return out
+}
+
+async function tryFindOne (collection, query) {
+  try {
+    const arr = await collection.find(query).limit(1).toArray()
+    return arr && arr.length ? arr[0] : null
+  } catch (err) {
+    const msg = err && err.message ? String(err.message) : String(err)
+    if (/not found/i.test(msg)) return null
+    throw err
+  }
+}
+
+async function main (params) {
+  const logger = Core.Logger('export-config', { level: params.LOG_LEVEL || 'info' })
+
+  const schemaOnly = params.schemaOnly === true || params.schemaOnly === 'true'
+  const valuesOnly = params.valuesOnly === true || params.valuesOnly === 'true'
+  const scopeFilter = Array.isArray(params.scopes) && params.scopes.length
+    ? new Set(params.scopes.map(String))
+    : null
+
+  let dbHandle
+  try {
+    dbHandle = await getClient(params)
+  } catch (e) {
+    logger.error(`ABDB connect failed: ${e.message}`)
+    return errorResponse(500, `ABDB connect failed: ${e.message}`, logger)
+  }
+  const { client, close } = dbHandle
+
+  try {
+    let schema = null
+    if (!valuesOnly) {
+      const schemaCol = await client.collection(SCHEMA_COLLECTION)
+      const doc = await tryFindOne(schemaCol, { _id: SCHEMA_DOC_ID })
+      schema = doc && doc.schema ? doc.schema : { sections: [] }
+    }
+
+    // We need the schema to know which paths are sensitive, even when the
+    // caller asked for valuesOnly — load it locally without including it in
+    // the dump.
+    let schemaForFlags = schema
+    if (!schemaForFlags) {
+      try {
+        const schemaCol = await client.collection(SCHEMA_COLLECTION)
+        const doc = await tryFindOne(schemaCol, { _id: SCHEMA_DOC_ID })
+        schemaForFlags = doc && doc.schema ? doc.schema : null
+      } catch (_) { /* ok if missing */ }
+    }
+    const sensitivePaths = collectSensitivePaths(schemaForFlags)
+
+    // Always pull the SOURCE env's Commerce mapping so we can stamp every
+    // website/store-scoped row with its scope_code (website_code / store
+    // view code). The importer then needs only the target's Commerce — no
+    // separate storeMappings blob has to be carried between envs.
+    const storeMappingsFromCommerce = await fetchSourceStoreMappingsFromCommerce(params, logger)
+    // Build quick lookup tables: websiteId → website_code, storeId → store code.
+    const websiteCodeById = new Map()
+    const storeCodeById = new Map()
+    if (storeMappingsFromCommerce) {
+      for (const [storeId, m] of Object.entries(storeMappingsFromCommerce)) {
+        if (!m) continue
+        if (m.website_id != null && m.website_code) {
+          websiteCodeById.set(String(m.website_id), String(m.website_code))
+        }
+        if (m.code) storeCodeById.set(String(storeId), String(m.code))
+      }
+    }
+
+    let values = []
+    let decryptedCount = 0
+    let decryptFailedCount = 0
+    if (!schemaOnly) {
+      const dataCol = await client.collection(DATA_COLLECTION)
+      const docs = await dataCol.find({}).toArray().catch(() => [])
+      for (const d of docs) {
+        if (!d || typeof d.path !== 'string') continue
+        if (scopeFilter && !scopeFilter.has(d.scope)) continue
+        let value = d.value
+        // Decrypt sensitive ciphertext using THIS env's key so the dump is
+        // portable to any other workspace. The recipient will re-encrypt
+        // with its own key based on schema.sensitive flags. This means the
+        // exported JSON file contains plaintext secrets — treat it as
+        // sensitive.
+        if (isEncrypted(value)) {
+          try {
+            value = decrypt(value, params)
+            decryptedCount++
+          } catch (e) {
+            // Couldn't decrypt — keep the ciphertext envelope so a target
+            // workspace with the matching key can still pick it up via the
+            // legacy sourceCryptKey path.
+            decryptFailedCount++
+            logger.warn(`Export: failed to decrypt ${d.path} @ ${d.scope}:${d.scope_id}: ${e.message}`)
+          }
+        }
+        // Tag the row with the source env's code (website_code or store
+        // view code). At import time the recipient looks up its own Commerce
+        // and resolves scope_code → target scope_id directly, with no need
+        // to ship a separate storeMappings blob.
+        let scopeCode
+        if (d.scope === 'websites') scopeCode = websiteCodeById.get(String(d.scope_id))
+        else if (d.scope === 'stores') scopeCode = storeCodeById.get(String(d.scope_id))
+        values.push({
+          scope: d.scope,
+          scope_id: d.scope_id,
+          ...(scopeCode ? { scope_code: scopeCode } : {}),
+          path: d.path,
+          value
+        })
+      }
+      // Stable ordering for diffable dumps.
+      values.sort((a, b) => {
+        if (a.scope !== b.scope) return a.scope.localeCompare(b.scope)
+        if (a.scope_id !== b.scope_id) return String(a.scope_id).localeCompare(String(b.scope_id))
+        return a.path.localeCompare(b.path)
+      })
+    }
+
+    const dump = {
+      __format: 'adobe-commerce-app-builder/system-config-export',
+      __version: EXPORT_VERSION,
+      exportedAt: new Date().toISOString(),
+      // List of sensitive paths so the importer can re-encrypt them with the
+      // target env's key without needing to re-derive from the schema.
+      sensitivePaths: Array.from(sensitivePaths),
+      sensitiveDecrypted: decryptedCount,
+      sensitiveDecryptFailed: decryptFailedCount,
+      counts: {
+        sections: schema ? (schema.sections || []).length : 0,
+        values: values.length,
+        scopeCoded: values.filter(v => v.scope_code).length
+      },
+      ...(valuesOnly ? {} : { schema }),
+      ...(schemaOnly ? {} : { values })
+    }
+
+    logger.info(`Exported: ${dump.counts.sections} section(s), ${dump.counts.values} value(s)`)
+    return { statusCode: 200, body: { ok: true, dump } }
+  } catch (error) {
+    logger.error(error)
+    return errorResponse(500, error.message || 'Export failed', logger)
+  } finally {
+    try { await close() } catch (_) {}
+  }
+}
+
+exports.main = main

package/actions/configurations/ext.config.yaml

@@ -0,0 +1,151 @@
+operations:
+  view:
+    - type: web
+      impl: index.html
+# Action sources live alongside this manifest (same directory).
+actions: .
+# Host App Builder apps override `web` to point at their UI shell (see README).
+web: ../../../../web-src
+runtimeManifest:
+  packages:
+    admin-ui-sdk:
+      license: Apache-2.0
+      actions:
+        registration:
+          function: registration/index.js
+          web: 'yes'
+          runtime: 'nodejs:20'
+          inputs:
+            LOG_LEVEL: debug
+          annotations:
+            require-adobe-auth: true
+            final: true
+    ConfigurationManagement:
+      license: Apache-2.0
+      actions:
+        commerce-rest-get:
+          function: commerce/index.js
+          web: 'yes'
+          runtime: 'nodejs:20'
+          inputs:
+            LOG_LEVEL: debug
+            COMMERCE_BASE_URL: $COMMERCE_BASE_URL
+            COMMERCE_CONSUMER_KEY: $COMMERCE_CONSUMER_KEY
+            COMMERCE_CONSUMER_SECRET: $COMMERCE_CONSUMER_SECRET
+            COMMERCE_ACCESS_TOKEN: $COMMERCE_ACCESS_TOKEN
+            COMMERCE_ACCESS_TOKEN_SECRET: $COMMERCE_ACCESS_TOKEN_SECRET
+          annotations:
+            require-adobe-auth: false
+            final: true
+        system-config-list:
+          function: system-config-list/index.js
+          web: 'yes'
+          runtime: 'nodejs:20'
+          inputs:
+            LOG_LEVEL: debug
+            SYSTEM_CONFIG_CRYPT_KEY: $SYSTEM_CONFIG_CRYPT_KEY
+            OAUTH_CLIENT_ID: $OAUTH_CLIENT_ID
+            OAUTH_CLIENT_SECRET: $OAUTH_CLIENT_SECRET
+            OAUTH_ORG_ID: $OAUTH_ORG_ID
+            OAUTH_SCOPES: $OAUTH_SCOPES
+            AIO_DB_REGION: $AIO_DB_REGION
+          annotations:
+            require-adobe-auth: false
+            include-ims-credentials: true
+            final: true
+        system-config-save:
+          function: system-config-save/index.js
+          web: 'yes'
+          runtime: 'nodejs:20'
+          inputs:
+            LOG_LEVEL: debug
+            SYSTEM_CONFIG_CRYPT_KEY: $SYSTEM_CONFIG_CRYPT_KEY
+            OAUTH_CLIENT_ID: $OAUTH_CLIENT_ID
+            OAUTH_CLIENT_SECRET: $OAUTH_CLIENT_SECRET
+            OAUTH_ORG_ID: $OAUTH_ORG_ID
+            OAUTH_SCOPES: $OAUTH_SCOPES
+            AIO_DB_REGION: $AIO_DB_REGION
+          annotations:
+            require-adobe-auth: false
+            include-ims-credentials: true
+            final: true
+        system-config-schema:
+          function: system-config-schema/index.js
+          web: 'yes'
+          runtime: 'nodejs:20'
+          inputs:
+            LOG_LEVEL: debug
+            OAUTH_CLIENT_ID: $OAUTH_CLIENT_ID
+            OAUTH_CLIENT_SECRET: $OAUTH_CLIENT_SECRET
+            OAUTH_ORG_ID: $OAUTH_ORG_ID
+            OAUTH_SCOPES: $OAUTH_SCOPES
+            AIO_DB_REGION: $AIO_DB_REGION
+          annotations:
+            require-adobe-auth: false
+            include-ims-credentials: true
+            final: true
+        export-config:
+          function: export-config/index.js
+          web: 'yes'
+          runtime: 'nodejs:20'
+          inputs:
+            LOG_LEVEL: debug
+            SYSTEM_CONFIG_CRYPT_KEY: $SYSTEM_CONFIG_CRYPT_KEY
+            OAUTH_CLIENT_ID: $OAUTH_CLIENT_ID
+            OAUTH_CLIENT_SECRET: $OAUTH_CLIENT_SECRET
+            OAUTH_ORG_ID: $OAUTH_ORG_ID
+            OAUTH_SCOPES: $OAUTH_SCOPES
+            AIO_DB_REGION: $AIO_DB_REGION
+            COMMERCE_BASE_URL: $COMMERCE_BASE_URL
+            COMMERCE_CONSUMER_KEY: $COMMERCE_CONSUMER_KEY
+            COMMERCE_CONSUMER_SECRET: $COMMERCE_CONSUMER_SECRET
+            COMMERCE_ACCESS_TOKEN: $COMMERCE_ACCESS_TOKEN
+            COMMERCE_ACCESS_TOKEN_SECRET: $COMMERCE_ACCESS_TOKEN_SECRET
+          annotations:
+            require-adobe-auth: false
+            include-ims-credentials: true
+            final: true
+        import-config:
+          function: import-config/index.js
+          web: 'yes'
+          runtime: 'nodejs:20'
+          limits:
+            timeout: 300000
+            memory: 512
+          inputs:
+            LOG_LEVEL: debug
+            SYSTEM_CONFIG_CRYPT_KEY: $SYSTEM_CONFIG_CRYPT_KEY
+            OAUTH_CLIENT_ID: $OAUTH_CLIENT_ID
+            OAUTH_CLIENT_SECRET: $OAUTH_CLIENT_SECRET
+            OAUTH_ORG_ID: $OAUTH_ORG_ID
+            OAUTH_SCOPES: $OAUTH_SCOPES
+            AIO_DB_REGION: $AIO_DB_REGION
+            COMMERCE_BASE_URL: $COMMERCE_BASE_URL
+            COMMERCE_CONSUMER_KEY: $COMMERCE_CONSUMER_KEY
+            COMMERCE_CONSUMER_SECRET: $COMMERCE_CONSUMER_SECRET
+            COMMERCE_ACCESS_TOKEN: $COMMERCE_ACCESS_TOKEN
+            COMMERCE_ACCESS_TOKEN_SECRET: $COMMERCE_ACCESS_TOKEN_SECRET
+          annotations:
+            require-adobe-auth: false
+            include-ims-credentials: true
+            final: true
+        sync-store-mappings-from-commerce:
+          function: sync-store-mappings-from-commerce/index.js
+          web: 'yes'
+          runtime: 'nodejs:20'
+          inputs:
+            LOG_LEVEL: debug
+            OAUTH_CLIENT_ID: $OAUTH_CLIENT_ID
+            OAUTH_CLIENT_SECRET: $OAUTH_CLIENT_SECRET
+            OAUTH_ORG_ID: $OAUTH_ORG_ID
+            OAUTH_SCOPES: $OAUTH_SCOPES
+            AIO_DB_REGION: $AIO_DB_REGION
+            COMMERCE_BASE_URL: $COMMERCE_BASE_URL
+            COMMERCE_CONSUMER_KEY: $COMMERCE_CONSUMER_KEY
+            COMMERCE_CONSUMER_SECRET: $COMMERCE_CONSUMER_SECRET
+            COMMERCE_ACCESS_TOKEN: $COMMERCE_ACCESS_TOKEN
+            COMMERCE_ACCESS_TOKEN_SECRET: $COMMERCE_ACCESS_TOKEN_SECRET
+          annotations:
+            require-adobe-auth: false
+            include-ims-credentials: true
+            final: true