@pacaf/wizard-ux 3.0.12 → 3.1.0

package/dist/index.html

@@ -28,7 +28,7 @@
       }
       @keyframes spin { to { transform: rotate(360deg); } }
     </style>
-    <script type="module" crossorigin src="/assets/index-BIqBKzCb.js"></script>
+    <script type="module" crossorigin src="/assets/index-C-wYJNnd.js"></script>
   </head>
   <body>
     <div id="root"><div id="boot"><div class="ring"></div></div></div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pacaf/wizard-ux",
-  "version": "3.0.12",
+  "version": "3.1.0",
   "private": false,
   "type": "module",
   "description": "Browser-based setup wizard for Power Apps Code Apps (parallel to @pacaf/wizard CLI).",
@@ -38,7 +38,7 @@
     "react-dom": "^19.0.0",
     "react-resizable-panels": "^2.1.7",
     "react-router-dom": "^7.1.0",
-    "@pacaf/wizard": "3.1.4"
+    "@pacaf/wizard": "3.2.0"
   },
   "devDependencies": {
     "@types/react": "^19.0.0",

package/server/index.mjs

@@ -14,6 +14,7 @@ import stepsRoutes from './routes/steps.mjs';
 import streamRoutes from './routes/stream.mjs';
 import ptyRoutes from './routes/pty.mjs';
 import onepasswordRoutes from './routes/onepassword.mjs';
+import configSeedRoutes from './routes/config-seed.mjs';
 import { detectCloudSync, cloudSyncWarning } from '../../wizard/lib/cloud-sync-detect.mjs';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -84,6 +85,7 @@ await app.register(stepsRoutes, { prefix: '/api/steps', rootDir: ROOT_DIR });
 await app.register(streamRoutes, { prefix: '/api/steps', rootDir: ROOT_DIR });
 await app.register(ptyRoutes, { rootDir: ROOT_DIR, csrfToken: CSRF_TOKEN });
 await app.register(onepasswordRoutes, { prefix: '/api/1password' });
+await app.register(configSeedRoutes, { prefix: '/api/config-seed', rootDir: ROOT_DIR });
 
 // Serve the UI — prebuilt dist/ by default; vite middleware only in dev mode
 const distDir = join(UX_DIR, 'dist');

package/server/lib/config-seed-allowlist.mjs

@@ -0,0 +1,125 @@
+// wizard-ux/server/lib/config-seed-allowlist.mjs
+// Single source of truth for which wizard-state keys are portable across projects.
+// Anything not in this list is excluded from export and rejected on import.
+// New state keys added in future steps are excluded by default — opt in explicitly.
+
+export const SEED_VERSION = 1;
+
+/** @typedef {'string'|'string[]'|'stringMap'} SeedType */
+/** @typedef {{ key: string, type: SeedType, label: string }} SeedKeySpec */
+
+/** @type {SeedKeySpec[]} */
+export const CONFIG_SEED_KEYS = [
+  // Publisher (org-level)
+  { key: 'PUBLISHER_PREFIX',       type: 'string', label: 'Publisher prefix' },
+  { key: 'PUBLISHER_ID',           type: 'string', label: 'Publisher ID' },
+  { key: 'PUBLISHER_NAME',         type: 'string', label: 'Publisher name' },
+  { key: 'PUBLISHER_DISPLAY_NAME', type: 'string', label: 'Publisher display name' },
+  { key: 'CHOICE_VALUE_PREFIX',    type: 'string', label: 'Choice value prefix' },
+
+  // Environments
+  { key: 'PP_ENV_DEV',  type: 'string', label: 'Dev environment URL' },
+  { key: 'PP_ENV_TEST', type: 'string', label: 'Test environment URL' },
+  { key: 'PP_ENV_PROD', type: 'string', label: 'Prod environment URL' },
+
+  // Auth profile references (NOT the secrets themselves)
+  { key: 'AUTH_PROFILE_TYPE', type: 'string', label: 'Auth profile type' },
+  { key: 'OP_VAULT',          type: 'string', label: '1Password vault' },
+  { key: 'OP_ITEM',           type: 'string', label: '1Password item' },
+
+  // Agent preference
+  { key: 'CODING_AGENT', type: 'string', label: 'Coding agent' },
+
+  // Connectors
+  { key: 'CONNECTOR_API_IDS',        type: 'string[]',  label: 'Selected connector apiIds' },
+  { key: 'CONNECTOR_CONNECTION_IDS', type: 'stringMap', label: 'Connection IDs by apiId' },
+  { key: 'CUSTOM_CONNECTORS',        type: 'string[]',  label: 'Custom connector entries' },
+];
+
+const KEY_BY_NAME = new Map(CONFIG_SEED_KEYS.map((s) => [s.key, s]));
+
+// Second-line defense: even if someone adds a key to the allow-list by mistake,
+// reject any key name that looks like a secret.
+const SECRET_KEY_PATTERN = /secret|token|password|client_id|client_secret|private_key|api[_-]?key/i;
+
+/** Filter a state object down to the allow-listed keys. Drops empty / undefined values. */
+export function filterToSeed(state) {
+  const out = {};
+  for (const spec of CONFIG_SEED_KEYS) {
+    const raw = state?.[spec.key];
+    if (raw === undefined || raw === null || raw === '') continue;
+    if (spec.type === 'string[]' && Array.isArray(raw) && raw.length === 0) continue;
+    if (spec.type === 'stringMap' && typeof raw === 'object' && Object.keys(raw).length === 0) continue;
+    out[spec.key] = raw;
+  }
+  return out;
+}
+
+/**
+ * Validate an inbound payload (the `values` object from an uploaded seed file).
+ * Returns { applied: {key,value}[], skipped: {key,reason}[] }.
+ * Never throws on per-key issues — collects them as skips so the UI can show them.
+ */
+export function validateSeed(values) {
+  const applied = [];
+  const skipped = [];
+
+  if (!values || typeof values !== 'object' || Array.isArray(values)) {
+    return { applied: [], skipped: [{ key: '<root>', reason: 'Payload must be a JSON object.' }] };
+  }
+
+  for (const [key, value] of Object.entries(values)) {
+    if (SECRET_KEY_PATTERN.test(key)) {
+      skipped.push({ key, reason: 'Key name looks like a secret; refusing to import.' });
+      continue;
+    }
+    const spec = KEY_BY_NAME.get(key);
+    if (!spec) {
+      skipped.push({ key, reason: 'Key is not in the allow-list.' });
+      continue;
+    }
+    const checked = checkType(spec, value);
+    if (checked.ok) {
+      applied.push({ key, value: checked.value });
+    } else {
+      skipped.push({ key, reason: checked.reason });
+    }
+  }
+
+  return { applied, skipped };
+}
+
+function checkType(spec, value) {
+  if (spec.type === 'string') {
+    if (typeof value !== 'string') return { ok: false, reason: `Expected string, got ${typeOf(value)}.` };
+    if (value.length > 2048) return { ok: false, reason: 'String value exceeds 2048 chars.' };
+    return { ok: true, value };
+  }
+  if (spec.type === 'string[]') {
+    if (!Array.isArray(value)) return { ok: false, reason: `Expected array of strings, got ${typeOf(value)}.` };
+    if (value.length > 256) return { ok: false, reason: 'Array exceeds 256 entries.' };
+    for (const item of value) {
+      if (typeof item !== 'string') return { ok: false, reason: 'Array contains non-string entry.' };
+    }
+    return { ok: true, value };
+  }
+  if (spec.type === 'stringMap') {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+      return { ok: false, reason: `Expected object of string-to-string, got ${typeOf(value)}.` };
+    }
+    const keys = Object.keys(value);
+    if (keys.length > 256) return { ok: false, reason: 'Object exceeds 256 entries.' };
+    for (const k of keys) {
+      if (SECRET_KEY_PATTERN.test(k)) return { ok: false, reason: `Inner key ${k} looks like a secret.` };
+      if (typeof value[k] !== 'string') return { ok: false, reason: `Value at ${k} is not a string.` };
+    }
+    return { ok: true, value };
+  }
+  return { ok: false, reason: `Unknown allow-list type: ${spec.type}` };
+}
+
+function typeOf(v) {
+  if (Array.isArray(v)) return 'array';
+  if (v === null) return 'null';
+  return typeof v;
+}

package/server/routes/config-seed.mjs

@@ -0,0 +1,94 @@
+// Routes for /api/config-seed — export/import portable wizard configuration "seeds".
+// A seed is an allow-listed subset of .wizard-state.json — never secrets.
+import { readState, writeState } from '../lib/state-bridge.mjs';
+import {
+  CONFIG_SEED_KEYS, SEED_VERSION, filterToSeed, validateSeed,
+} from '../lib/config-seed-allowlist.mjs';
+
+const MAX_IMPORT_BYTES = 64 * 1024;
+
+export default async function configSeedRoutes(app, opts) {
+  const { rootDir } = opts;
+
+  // Metadata about what is exportable. Lets the UI render a preview/legend.
+  app.get('/keys', async () => ({
+    version: SEED_VERSION,
+    keys: CONFIG_SEED_KEYS.map(({ key, type, label }) => ({ key, type, label })),
+  }));
+
+  // Download the current state, filtered to the allow-list.
+  app.get('/export', async (_req, reply) => {
+    const state = readState(rootDir);
+    const values = filterToSeed(state);
+    const payload = {
+      $schema: 'https://aka.ms/pacaf/wizard-config/v1',
+      version: SEED_VERSION,
+      exportedAt: new Date().toISOString(),
+      values,
+    };
+    const filename = `pacaf-wizard-config-${new Date().toISOString().slice(0, 10)}.json`;
+    reply
+      .header('Content-Type', 'application/json; charset=utf-8')
+      .header('Content-Disposition', `attachment; filename="${filename}"`)
+      .send(JSON.stringify(payload, null, 2) + '\n');
+  });
+
+  // Import a seed file. Body = parsed seed JSON. Validates against allow-list and merges.
+  // Modes:
+  //   merge (default)        — only write keys whose current value is empty/missing
+  //   replace-allowlisted    — overwrite every allow-listed key the seed provides
+  app.post('/import', async (req, reply) => {
+    const raw = req.body;
+    const size = Buffer.byteLength(JSON.stringify(raw ?? {}), 'utf-8');
+    if (size > MAX_IMPORT_BYTES) {
+      return reply.code(413).send({ error: `Payload too large (${size} > ${MAX_IMPORT_BYTES} bytes).` });
+    }
+    if (!raw || typeof raw !== 'object' || Array.isArray(raw)) {
+      return reply.code(400).send({ error: 'Body must be a JSON object.' });
+    }
+    const mode = String(raw.mode || 'merge');
+    if (mode !== 'merge' && mode !== 'replace-allowlisted') {
+      return reply.code(400).send({ error: `Unknown mode: ${mode}` });
+    }
+    const seed = raw.seed;
+    if (!seed || typeof seed !== 'object') {
+      return reply.code(400).send({ error: 'Body must include a `seed` object.' });
+    }
+    if (seed.version !== undefined && Number(seed.version) > SEED_VERSION) {
+      return reply.code(400).send({
+        error: `Seed version ${seed.version} is newer than this wizard supports (max ${SEED_VERSION}). Upgrade the wizard.`,
+      });
+    }
+    const { applied, skipped } = validateSeed(seed.values || {});
+
+    const current = readState(rootDir);
+    const partial = {};
+    const written = [];
+    const preserved = [];
+
+    for (const { key, value } of applied) {
+      const existing = current[key];
+      const isEmpty = existing === undefined
+        || existing === null
+        || existing === ''
+        || (Array.isArray(existing) && existing.length === 0)
+        || (typeof existing === 'object' && !Array.isArray(existing) && Object.keys(existing).length === 0);
+
+      if (mode === 'merge' && !isEmpty) {
+        preserved.push({ key, reason: 'Existing value preserved (merge mode).' });
+        continue;
+      }
+      partial[key] = value;
+      written.push({ key });
+    }
+
+    if (Object.keys(partial).length > 0) writeState(rootDir, partial);
+
+    return {
+      mode,
+      written,
+      preserved,
+      skipped,
+    };
+  });
+}

package/server/routes/state.mjs

@@ -16,6 +16,15 @@ function pickTargetEnvUrl(state) {
   return { target, environmentUrl: raw.replace(/\/$/, '') };
 }
 
+// Append ?hideNavBar=true (or & form) so the Power Apps "purple bar" is hidden
+// by default for every Code App built from this template. See issue #44 and
+// 04-deployment.instructions.md ("Default play URL: ?hideNavBar=true").
+function withHideNavBar(url) {
+  if (!url) return url;
+  if (/[?&]hideNavBar=/i.test(url)) return url;
+  return url + (url.includes('?') ? '&' : '?') + 'hideNavBar=true';
+}
+
 function readPowerAppInfo(rootDir, state) {
   const projectDir = resolve(rootDir, String(state.PROJECT_DIR || '.'));
   const powerConfigPath = join(projectDir, 'power.config.json');
@@ -43,7 +52,7 @@ function readPowerAppInfo(rootDir, state) {
     appId,
     targetEnv: target,
     environmentUrl,
-    launchUrl: deployedUrl,
+    launchUrl: withHideNavBar(deployedUrl),
   };
 }
 

package/server/steps/07-scaffold.mjs

@@ -40,7 +40,9 @@ function runCommand(log, command, opts = {}) {
 function runFile(log, file, args, opts = {}) {
   return new Promise((resolvePromise) => {
     log.info(`$ ${SHELL.formatCommandForLog(file, args)}`);
-    const child = SHELL.spawnSafe(file, args, { cwd: opts.cwd || process.cwd(), stdio: ['ignore', 'pipe', 'pipe'] });
+    const spawnOpts = { cwd: opts.cwd || process.cwd(), stdio: ['ignore', 'pipe', 'pipe'] };
+    if (opts.env) spawnOpts.env = opts.env;
+    const child = SHELL.spawnSafe(file, args, spawnOpts);
     child.stdout.setEncoding('utf-8');
     child.stderr.setEncoding('utf-8');
     child.stdout.on('data', (chunk) => log.info(String(chunk).trimEnd()));
@@ -53,6 +55,47 @@ function runFile(log, file, args, opts = {}) {
   });
 }
 
+// Build a noisy-but-reassuring env for `npm install` / `pnpm install` so the
+// SSE-piped output stops looking frozen during long cold installs:
+//  - `npm_config_loglevel=http` is added at the CLI level (so it shows the
+//    `npm http fetch ...` per-package line).
+//  - `npm_config_progress=true` keeps progress hints on (npm still suppresses
+//    its TTY bar but at least won't strip extra hints).
+//  - `FORCE_COLOR=0` keeps ANSI escapes out of the SSE stream.
+//  - `CI` is unset to avoid npm dropping output thinking it is in CI.
+function installEnv() {
+  const env = { ...process.env, npm_config_progress: 'true', FORCE_COLOR: '0' };
+  delete env.CI;
+  return env;
+}
+
+// Detect whether `pnpm` is available on PATH. pnpm prints staged progress
+// (`Progress: resolved X, reused Y, downloaded Z`) even in non-TTY mode and
+// is materially faster on a cold cache, so prefer it when present.
+function detectPnpm() {
+  try {
+    execFileSync(process.platform === 'win32' ? 'where' : 'which', ['pnpm'], { stdio: 'ignore' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function runInstall(log, { stage, label, projectDir, pnpm, mode, packages = [] }) {
+  log.info('');
+  log.info(`[${stage}] ${label} (typically 30s–3min on a cold cache)…`);
+  const bin = pnpm
+    ? toolCommand('pnpm')
+    : toolCommand('npm');
+  const baseArgs = pnpm
+    ? (mode === 'base' ? ['install'] : mode === 'dev' ? ['add', '-D', ...packages] : ['add', ...packages])
+    : (mode === 'base' ? ['install'] : mode === 'dev' ? ['install', '-D', ...packages] : ['install', ...packages]);
+  const noisyArgs = pnpm
+    ? ['--reporter=append-only', ...baseArgs]
+    : ['--loglevel=http', '--no-audit', '--no-fund', ...baseArgs];
+  return runFile(log, bin, noisyArgs, { cwd: projectDir, env: installEnv() });
+}
+
 function toolCommand(name) {
   return process.platform === 'win32' ? `${name}.cmd` : name;
 }
@@ -233,16 +276,32 @@ export default {
     }
 
     log.info('Installing dependencies...');
-    if (await runFile(log, toolCommand('npm'), ['install'], { cwd: projectDir })) log.ok('Base dependencies installed');
-    else log.warn('Base dependency install reported errors; continuing to merge required packages.');
+    const pnpm = detectPnpm();
+    if (pnpm) {
+      log.info('Detected pnpm — using it for faster installs and shared dependency cache.');
+    } else {
+      log.info('pnpm not found — using npm. Tip: `corepack enable && corepack prepare pnpm@latest --activate` makes Step 7 noticeably faster.');
+    }
+
+    if (await runInstall(log, { stage: '1/3', label: 'Installing base dependencies', projectDir, pnpm, mode: 'base' })) {
+      log.ok('[1/3] Base dependencies installed');
+    } else {
+      log.warn('[1/3] Base dependency install reported errors; continuing to merge required packages.');
+    }
 
     const prodPkgs = SCAFFOLD.packageSpecs(SCAFFOLD.REQUIRED_RUNTIME_PACKAGES);
-    if (await runFile(log, toolCommand('npm'), ['install', ...prodPkgs], { cwd: projectDir })) log.ok('Runtime packages installed');
-    else log.warn('Some runtime packages failed to install.');
+    if (await runInstall(log, { stage: '2/3', label: 'Installing runtime packages (React, Fluent UI, TanStack Query, SDK)', projectDir, pnpm, mode: 'prod', packages: prodPkgs })) {
+      log.ok('[2/3] Runtime packages installed');
+    } else {
+      log.warn('[2/3] Some runtime packages failed to install.');
+    }
 
     const devPkgs = SCAFFOLD.packageSpecs(SCAFFOLD.REQUIRED_DEV_PACKAGES);
-    if (await runFile(log, toolCommand('npm'), ['install', '-D', ...devPkgs], { cwd: projectDir })) log.ok('Dev packages installed');
-    else log.warn('Some dev packages failed to install.');
+    if (await runInstall(log, { stage: '3/3', label: 'Installing dev dependencies (Vitest, ESLint, Playwright, @pacaf/scripts)', projectDir, pnpm, mode: 'dev', packages: devPkgs })) {
+      log.ok('[3/3] Dev packages installed');
+    } else {
+      log.warn('[3/3] Some dev packages failed to install.');
+    }
 
     SCAFFOLD.writeConfig(projectDir, foundationLogger);
     SCAFFOLD.mergePackageJsonScripts(projectDir, foundationLogger);

package/server/steps/09-verify-deploy.mjs

@@ -82,6 +82,16 @@ function runFileCapture(log, file, args, opts = {}) {
 
 const PAC_HTTP_ERROR_RE = /HTTP error status:\s*[45]\d\d/i;
 
+// Append ?hideNavBar=true (or &hideNavBar=true if the URL already has a query
+// string) so the Power Apps "purple bar" — the top chrome rendered by the
+// Power Apps host around any Code App — is hidden by default. See
+// .github/instructions/04-deployment.instructions.md and issue #44.
+function withHideNavBar(url) {
+  if (!url) return url;
+  if (/[?&]hideNavBar=/i.test(url)) return url;
+  return url + (url.includes('?') ? '&' : '?') + 'hideNavBar=true';
+}
+
 function resolveCredentialValues(state) {
   return PAC_TARGET.resolveCredentialValues({
     rootDir: PROJECT_DIR,
@@ -198,10 +208,12 @@ export default {
     //   "The app was successfully published. URL: https://apps.powerapps.com/play/e/<envId>/a/<appId>"
     // Capture the first matching apps.powerapps.com/play URL and persist it
     // to wizard state so the Summary can show the real launch URL.
+    // Always append ?hideNavBar=true so the deployed app hides the Power
+    // Apps "purple bar" by default (see issue #44 and 04-deployment.instructions.md).
     const deployedUrlMatch = pushOutput.match(/https:\/\/apps\.powerapps\.com\/play\/[^\s'"<>)]+/i);
     const stateUpdate = { PROJECT_DIR: projectDir };
     if (deployedUrlMatch) {
-      const deployedUrl = deployedUrlMatch[0].replace(/[.,;]+$/, '');
+      const deployedUrl = withHideNavBar(deployedUrlMatch[0].replace(/[.,;]+$/, ''));
       stateUpdate.DEPLOYED_APP_URL = deployedUrl;
       log.ok(`App URL: ${deployedUrl}`);
     } else {