@pacaf/wizard-ux 3.0.13 → 3.1.1

package/dist/index.html

@@ -28,7 +28,7 @@
       }
       @keyframes spin { to { transform: rotate(360deg); } }
     </style>
-    <script type="module" crossorigin src="/assets/index-DrhEBZpl.js"></script>
+    <script type="module" crossorigin src="/assets/index-C-wYJNnd.js"></script>
   </head>
   <body>
     <div id="root"><div id="boot"><div class="ring"></div></div></div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pacaf/wizard-ux",
-  "version": "3.0.13",
+  "version": "3.1.1",
   "private": false,
   "type": "module",
   "description": "Browser-based setup wizard for Power Apps Code Apps (parallel to @pacaf/wizard CLI).",
@@ -38,7 +38,7 @@
     "react-dom": "^19.0.0",
     "react-resizable-panels": "^2.1.7",
     "react-router-dom": "^7.1.0",
-    "@pacaf/wizard": "3.1.5"
+    "@pacaf/wizard": "3.2.1"
   },
   "devDependencies": {
     "@types/react": "^19.0.0",

package/server/index.mjs

@@ -14,6 +14,7 @@ import stepsRoutes from './routes/steps.mjs';
 import streamRoutes from './routes/stream.mjs';
 import ptyRoutes from './routes/pty.mjs';
 import onepasswordRoutes from './routes/onepassword.mjs';
+import configSeedRoutes from './routes/config-seed.mjs';
 import { detectCloudSync, cloudSyncWarning } from '../../wizard/lib/cloud-sync-detect.mjs';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -84,6 +85,7 @@ await app.register(stepsRoutes, { prefix: '/api/steps', rootDir: ROOT_DIR });
 await app.register(streamRoutes, { prefix: '/api/steps', rootDir: ROOT_DIR });
 await app.register(ptyRoutes, { rootDir: ROOT_DIR, csrfToken: CSRF_TOKEN });
 await app.register(onepasswordRoutes, { prefix: '/api/1password' });
+await app.register(configSeedRoutes, { prefix: '/api/config-seed', rootDir: ROOT_DIR });
 
 // Serve the UI — prebuilt dist/ by default; vite middleware only in dev mode
 const distDir = join(UX_DIR, 'dist');

package/server/lib/config-seed-allowlist.mjs

@@ -0,0 +1,125 @@
+// wizard-ux/server/lib/config-seed-allowlist.mjs
+// Single source of truth for which wizard-state keys are portable across projects.
+// Anything not in this list is excluded from export and rejected on import.
+// New state keys added in future steps are excluded by default — opt in explicitly.
+
+export const SEED_VERSION = 1;
+
+/** @typedef {'string'|'string[]'|'stringMap'} SeedType */
+/** @typedef {{ key: string, type: SeedType, label: string }} SeedKeySpec */
+
+/** @type {SeedKeySpec[]} */
+export const CONFIG_SEED_KEYS = [
+  // Publisher (org-level)
+  { key: 'PUBLISHER_PREFIX',       type: 'string', label: 'Publisher prefix' },
+  { key: 'PUBLISHER_ID',           type: 'string', label: 'Publisher ID' },
+  { key: 'PUBLISHER_NAME',         type: 'string', label: 'Publisher name' },
+  { key: 'PUBLISHER_DISPLAY_NAME', type: 'string', label: 'Publisher display name' },
+  { key: 'CHOICE_VALUE_PREFIX',    type: 'string', label: 'Choice value prefix' },
+
+  // Environments
+  { key: 'PP_ENV_DEV',  type: 'string', label: 'Dev environment URL' },
+  { key: 'PP_ENV_TEST', type: 'string', label: 'Test environment URL' },
+  { key: 'PP_ENV_PROD', type: 'string', label: 'Prod environment URL' },
+
+  // Auth profile references (NOT the secrets themselves)
+  { key: 'AUTH_PROFILE_TYPE', type: 'string', label: 'Auth profile type' },
+  { key: 'OP_VAULT',          type: 'string', label: '1Password vault' },
+  { key: 'OP_ITEM',           type: 'string', label: '1Password item' },
+
+  // Agent preference
+  { key: 'CODING_AGENT', type: 'string', label: 'Coding agent' },
+
+  // Connectors
+  { key: 'CONNECTOR_API_IDS',        type: 'string[]',  label: 'Selected connector apiIds' },
+  { key: 'CONNECTOR_CONNECTION_IDS', type: 'stringMap', label: 'Connection IDs by apiId' },
+  { key: 'CUSTOM_CONNECTORS',        type: 'string[]',  label: 'Custom connector entries' },
+];
+
+const KEY_BY_NAME = new Map(CONFIG_SEED_KEYS.map((s) => [s.key, s]));
+
+// Second-line defense: even if someone adds a key to the allow-list by mistake,
+// reject any key name that looks like a secret.
+const SECRET_KEY_PATTERN = /secret|token|password|client_id|client_secret|private_key|api[_-]?key/i;
+
+/** Filter a state object down to the allow-listed keys. Drops empty / undefined values. */
+export function filterToSeed(state) {
+  const out = {};
+  for (const spec of CONFIG_SEED_KEYS) {
+    const raw = state?.[spec.key];
+    if (raw === undefined || raw === null || raw === '') continue;
+    if (spec.type === 'string[]' && Array.isArray(raw) && raw.length === 0) continue;
+    if (spec.type === 'stringMap' && typeof raw === 'object' && Object.keys(raw).length === 0) continue;
+    out[spec.key] = raw;
+  }
+  return out;
+}
+
+/**
+ * Validate an inbound payload (the `values` object from an uploaded seed file).
+ * Returns { applied: {key,value}[], skipped: {key,reason}[] }.
+ * Never throws on per-key issues — collects them as skips so the UI can show them.
+ */
+export function validateSeed(values) {
+  const applied = [];
+  const skipped = [];
+
+  if (!values || typeof values !== 'object' || Array.isArray(values)) {
+    return { applied: [], skipped: [{ key: '<root>', reason: 'Payload must be a JSON object.' }] };
+  }
+
+  for (const [key, value] of Object.entries(values)) {
+    if (SECRET_KEY_PATTERN.test(key)) {
+      skipped.push({ key, reason: 'Key name looks like a secret; refusing to import.' });
+      continue;
+    }
+    const spec = KEY_BY_NAME.get(key);
+    if (!spec) {
+      skipped.push({ key, reason: 'Key is not in the allow-list.' });
+      continue;
+    }
+    const checked = checkType(spec, value);
+    if (checked.ok) {
+      applied.push({ key, value: checked.value });
+    } else {
+      skipped.push({ key, reason: checked.reason });
+    }
+  }
+
+  return { applied, skipped };
+}
+
+function checkType(spec, value) {
+  if (spec.type === 'string') {
+    if (typeof value !== 'string') return { ok: false, reason: `Expected string, got ${typeOf(value)}.` };
+    if (value.length > 2048) return { ok: false, reason: 'String value exceeds 2048 chars.' };
+    return { ok: true, value };
+  }
+  if (spec.type === 'string[]') {
+    if (!Array.isArray(value)) return { ok: false, reason: `Expected array of strings, got ${typeOf(value)}.` };
+    if (value.length > 256) return { ok: false, reason: 'Array exceeds 256 entries.' };
+    for (const item of value) {
+      if (typeof item !== 'string') return { ok: false, reason: 'Array contains non-string entry.' };
+    }
+    return { ok: true, value };
+  }
+  if (spec.type === 'stringMap') {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+      return { ok: false, reason: `Expected object of string-to-string, got ${typeOf(value)}.` };
+    }
+    const keys = Object.keys(value);
+    if (keys.length > 256) return { ok: false, reason: 'Object exceeds 256 entries.' };
+    for (const k of keys) {
+      if (SECRET_KEY_PATTERN.test(k)) return { ok: false, reason: `Inner key ${k} looks like a secret.` };
+      if (typeof value[k] !== 'string') return { ok: false, reason: `Value at ${k} is not a string.` };
+    }
+    return { ok: true, value };
+  }
+  return { ok: false, reason: `Unknown allow-list type: ${spec.type}` };
+}
+
+function typeOf(v) {
+  if (Array.isArray(v)) return 'array';
+  if (v === null) return 'null';
+  return typeof v;
+}

package/server/routes/config-seed.mjs

@@ -0,0 +1,94 @@
+// Routes for /api/config-seed — export/import portable wizard configuration "seeds".
+// A seed is an allow-listed subset of .wizard-state.json — never secrets.
+import { readState, writeState } from '../lib/state-bridge.mjs';
+import {
+  CONFIG_SEED_KEYS, SEED_VERSION, filterToSeed, validateSeed,
+} from '../lib/config-seed-allowlist.mjs';
+
+const MAX_IMPORT_BYTES = 64 * 1024;
+
+export default async function configSeedRoutes(app, opts) {
+  const { rootDir } = opts;
+
+  // Metadata about what is exportable. Lets the UI render a preview/legend.
+  app.get('/keys', async () => ({
+    version: SEED_VERSION,
+    keys: CONFIG_SEED_KEYS.map(({ key, type, label }) => ({ key, type, label })),
+  }));
+
+  // Download the current state, filtered to the allow-list.
+  app.get('/export', async (_req, reply) => {
+    const state = readState(rootDir);
+    const values = filterToSeed(state);
+    const payload = {
+      $schema: 'https://aka.ms/pacaf/wizard-config/v1',
+      version: SEED_VERSION,
+      exportedAt: new Date().toISOString(),
+      values,
+    };
+    const filename = `pacaf-wizard-config-${new Date().toISOString().slice(0, 10)}.json`;
+    reply
+      .header('Content-Type', 'application/json; charset=utf-8')
+      .header('Content-Disposition', `attachment; filename="${filename}"`)
+      .send(JSON.stringify(payload, null, 2) + '\n');
+  });
+
+  // Import a seed file. Body = parsed seed JSON. Validates against allow-list and merges.
+  // Modes:
+  //   merge (default)        — only write keys whose current value is empty/missing
+  //   replace-allowlisted    — overwrite every allow-listed key the seed provides
+  app.post('/import', async (req, reply) => {
+    const raw = req.body;
+    const size = Buffer.byteLength(JSON.stringify(raw ?? {}), 'utf-8');
+    if (size > MAX_IMPORT_BYTES) {
+      return reply.code(413).send({ error: `Payload too large (${size} > ${MAX_IMPORT_BYTES} bytes).` });
+    }
+    if (!raw || typeof raw !== 'object' || Array.isArray(raw)) {
+      return reply.code(400).send({ error: 'Body must be a JSON object.' });
+    }
+    const mode = String(raw.mode || 'merge');
+    if (mode !== 'merge' && mode !== 'replace-allowlisted') {
+      return reply.code(400).send({ error: `Unknown mode: ${mode}` });
+    }
+    const seed = raw.seed;
+    if (!seed || typeof seed !== 'object') {
+      return reply.code(400).send({ error: 'Body must include a `seed` object.' });
+    }
+    if (seed.version !== undefined && Number(seed.version) > SEED_VERSION) {
+      return reply.code(400).send({
+        error: `Seed version ${seed.version} is newer than this wizard supports (max ${SEED_VERSION}). Upgrade the wizard.`,
+      });
+    }
+    const { applied, skipped } = validateSeed(seed.values || {});
+
+    const current = readState(rootDir);
+    const partial = {};
+    const written = [];
+    const preserved = [];
+
+    for (const { key, value } of applied) {
+      const existing = current[key];
+      const isEmpty = existing === undefined
+        || existing === null
+        || existing === ''
+        || (Array.isArray(existing) && existing.length === 0)
+        || (typeof existing === 'object' && !Array.isArray(existing) && Object.keys(existing).length === 0);
+
+      if (mode === 'merge' && !isEmpty) {
+        preserved.push({ key, reason: 'Existing value preserved (merge mode).' });
+        continue;
+      }
+      partial[key] = value;
+      written.push({ key });
+    }
+
+    if (Object.keys(partial).length > 0) writeState(rootDir, partial);
+
+    return {
+      mode,
+      written,
+      preserved,
+      skipped,
+    };
+  });
+}