@pacaf/wizard-ux 3.0.8 → 3.0.10

package/dist/index.html

@@ -28,7 +28,7 @@
       }
       @keyframes spin { to { transform: rotate(360deg); } }
     </style>
-    <script type="module" crossorigin src="/assets/index-zSgX3W7E.js"></script>
+    <script type="module" crossorigin src="/assets/index-DODkyiWs.js"></script>
   </head>
   <body>
     <div id="root"><div id="boot"><div class="ring"></div></div></div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pacaf/wizard-ux",
-  "version": "3.0.8",
+  "version": "3.0.10",
   "private": false,
   "type": "module",
   "description": "Browser-based setup wizard for Power Apps Code Apps (parallel to @pacaf/wizard CLI).",
@@ -38,7 +38,7 @@
     "react-dom": "^19.0.0",
     "react-resizable-panels": "^2.1.7",
     "react-router-dom": "^7.1.0",
-    "@pacaf/wizard": "3.1.1"
+    "@pacaf/wizard": "3.1.3"
   },
   "devDependencies": {
     "@types/react": "^19.0.0",

package/server/index.mjs

@@ -14,6 +14,7 @@ import stepsRoutes from './routes/steps.mjs';
 import streamRoutes from './routes/stream.mjs';
 import ptyRoutes from './routes/pty.mjs';
 import onepasswordRoutes from './routes/onepassword.mjs';
+import { detectCloudSync, cloudSyncWarning } from '../../wizard/lib/cloud-sync-detect.mjs';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const UX_DIR = resolve(__dirname, '..');
@@ -49,11 +50,15 @@ await app.register(cors, {
 
 // Expose the CSRF token to the UI on a single endpoint. UI stores it in memory and
 // echoes it on mutating calls. Token rotates per server start.
-app.get('/api/handshake', async () => ({
-  csrfToken: CSRF_TOKEN,
-  rootDir: ROOT_DIR,
-  startedAt: new Date().toISOString(),
-}));
+app.get('/api/handshake', async () => {
+  const cloud = detectCloudSync(ROOT_DIR);
+  return {
+    csrfToken: CSRF_TOKEN,
+    rootDir: ROOT_DIR,
+    startedAt: new Date().toISOString(),
+    cloudSync: cloud ? { detected: true, provider: cloud.provider } : { detected: false },
+  };
+});
 
 // Guard mutating routes
 app.addHook('onRequest', async (req, reply) => {
@@ -130,6 +135,15 @@ if (!IS_DEV && haveDist) {
 
 await app.listen({ host: HOST, port: PORT });
 
+// Cloud-sync warning surfaced in the server console at startup. The UI also
+// reads /api/handshake -> cloudSync to render an in-browser MessageBar.
+{
+  const cloud = detectCloudSync(ROOT_DIR);
+  if (cloud) {
+    console.log(cloudSyncWarning(cloud.provider, ROOT_DIR));
+  }
+}
+
 const url = `http://${HOST}:${PORT}`;
 console.log('');
 console.log('  ╭─────────────────────────────────────────────╮');

package/server/lib/dataverse-bridge.mjs

@@ -49,3 +49,11 @@ export function hasUsableSecret() {
   if (secretsMod.getSecret()) return true;
   return Boolean(secretsMod.recoverSecret());
 }
+
+export function persistSecretToCache(value) {
+  return secretsMod.persistSecretToCache(value);
+}
+
+export function clearSecretCache() {
+  return secretsMod.clearSecretCache();
+}

package/server/lib/process-runner.mjs

@@ -4,6 +4,11 @@
 import { spawn } from 'node:child_process';
 import { EventEmitter } from 'node:events';
 import { randomBytes } from 'node:crypto';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const SCRUB = await import(pathToFileURL(resolve(__dirname, '..', '..', '..', 'wizard', 'lib', 'scrub.mjs')).href);
 
 const runs = new Map(); // runId -> Run
 
@@ -21,13 +26,17 @@ class Run extends EventEmitter {
   }
 
   push(stream, text) {
-    const evt = { stream, text, ts: Date.now() };
+    // Defense-in-depth: scrub any secret-shaped values from text before it
+    // hits the SSE log buffer. The buffer is streamed to the browser and
+    // rendered in the UI; never let a real secret land there.
+    const safe = SCRUB.scrubSecrets(text);
+    const evt = { stream, text: safe, ts: Date.now() };
     this.lines.push(evt);
     if (this.lines.length > 1000) this.lines.shift();
     this.emit('line', evt);
     // Detect device code prompts from pac auth create
-    const codeMatch = text.match(/enter the code\s+([A-Z0-9]{6,12})/i);
-    const urlMatch = text.match(/(https:\/\/microsoft\.com\/devicelogin)/i);
+    const codeMatch = safe.match(/enter the code\s+([A-Z0-9]{6,12})/i);
+    const urlMatch = safe.match(/(https:\/\/microsoft\.com\/devicelogin)/i);
     if (codeMatch) {
       this.deviceCode = { code: codeMatch[1], url: 'https://microsoft.com/devicelogin', ts: Date.now() };
       this.emit('deviceCode', this.deviceCode);
@@ -61,7 +70,9 @@ export function spawnInRun(run, file, args, opts = {}) {
   return new Promise((resolveP) => {
     run.status = 'running';
     run.startedAt = Date.now();
-    run.push('stdout', `$ ${file} ${args.join(' ')}\n`);
+    // Display args with sensitive flag values redacted (e.g. --clientSecret ****)
+    const displayArgs = SCRUB.scrubArgs(args);
+    run.push('stdout', `$ ${file} ${displayArgs.join(' ')}\n`);
     const child = spawn(file, args, { ...opts, stdio: ['ignore', 'pipe', 'pipe'] });
     run.child = child;
     child.stdout.setEncoding('utf-8');

package/server/routes/system.mjs

@@ -4,6 +4,7 @@ import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { homedir, platform, release } from 'node:os';
 import { pacPath as resolvePacPath, runSafe } from '@pacaf/wizard/lib/shell.mjs';
+import { detectCloudSync } from '@pacaf/wizard/lib/cloud-sync-detect.mjs';
 
 function safeRun(cmd) {
   try { return execSync(cmd, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim(); }
@@ -29,15 +30,19 @@ function pacVersion() {
 }
 
 export default async function systemRoutes(app, { rootDir }) {
-  app.get('/', async () => ({
-    os: { platform: platform(), release: release() },
-    node: process.version,
-    git: safeRun('git --version')?.replace('git version ', '') || null,
-    dotnet: safeRun('dotnet --version'),
-    pac: pacVersion(),
-    op: which('op'),
-    rootDir,
-    branch: safeRun(`git -C "${rootDir}" rev-parse --abbrev-ref HEAD`) || null,
-    repoIsClean: safeRun(`git -C "${rootDir}" status --porcelain`) === '',
-  }));
+  app.get('/', async () => {
+    const cloud = detectCloudSync(rootDir);
+    return {
+      os: { platform: platform(), release: release() },
+      node: process.version,
+      git: safeRun('git --version')?.replace('git version ', '') || null,
+      dotnet: safeRun('dotnet --version'),
+      pac: pacVersion(),
+      op: which('op'),
+      rootDir,
+      cloudSync: cloud ? { detected: true, provider: cloud.provider } : { detected: false },
+      branch: safeRun(`git -C "${rootDir}" rev-parse --abbrev-ref HEAD`) || null,
+      repoIsClean: safeRun(`git -C "${rootDir}" status --porcelain`) === '',
+    };
+  });
 }

package/server/steps/03-app-registration.mjs

@@ -1,10 +1,9 @@
 // Step 3 - Authentication. Browser-native auth method selection with optional 1Password sync.
 import { execFileSync } from 'node:child_process';
-import { readFileSync, writeFileSync, existsSync } from 'node:fs';
-import { dirname, resolve, join } from 'node:path';
+import { dirname, resolve } from 'node:path';
 import { platform } from 'node:os';
 import { fileURLToPath, pathToFileURL } from 'node:url';
-import { setSecret, hasUsableSecret } from '../lib/dataverse-bridge.mjs';
+import { setSecret, hasUsableSecret, persistSecretToCache } from '../lib/dataverse-bridge.mjs';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 // PACKAGE_DIR locates sibling @pacaf/wizard lib files (must stay __dirname-relative).
@@ -429,21 +428,16 @@ export default {
 
     setSecret(clientSecret);
 
-    // Persist encrypted secret to .env.local so it survives server restarts
+    // Persist the encrypted secret to a per-machine OS-temp cache (NOT .env.local)
+    // so it survives wizard server restarts without ever placing the value
+    // inside the project folder. The project folder may be cloud-synced
+    // (OneDrive/Dropbox/iCloud), and content scanners pattern-match
+    // "PP_CLIENT_SECRET=" lines regardless of whether the value is encrypted.
     try {
-      const CRYPTO = await import(pathToFileURL(resolve(PACKAGE_DIR, 'wizard', 'lib', 'crypto.mjs')).href);
-      const envLocalPath = join(PROJECT_DIR, '.env.local');
-      let envContent = existsSync(envLocalPath) ? readFileSync(envLocalPath, 'utf-8') : '';
-      const encrypted = CRYPTO.encrypt(clientSecret);
-      if (envContent.match(/^PP_CLIENT_SECRET=.*$/m)) {
-        envContent = envContent.replace(/^PP_CLIENT_SECRET=.*$/m, `PP_CLIENT_SECRET=${encrypted}`);
-      } else {
-        envContent += `${envContent.endsWith('\n') || !envContent ? '' : '\n'}PP_CLIENT_SECRET=${encrypted}\n`;
-      }
-      writeFileSync(envLocalPath, envContent, 'utf-8');
-      log.ok('Secret encrypted and saved to .env.local');
+      persistSecretToCache(clientSecret);
+      log.ok('Secret cached securely outside the project folder');
     } catch (err) {
-      log.warn(`Could not persist secret to .env.local: ${err.message}`);
+      log.warn(`Could not cache secret across restarts: ${err.message}`);
     }
 
     log.ok('Credential values captured');

package/server/steps/04-auth-setup.mjs

@@ -4,7 +4,7 @@ import { execFileSync } from 'node:child_process';
 import { dirname, join, resolve } from 'node:path';
 import { platform } from 'node:os';
 import { fileURLToPath, pathToFileURL } from 'node:url';
-import { getSecret, hasUsableSecret, recoverSecret, setSecret } from '../lib/dataverse-bridge.mjs';
+import { getSecret, hasUsableSecret, recoverSecret, setSecret, persistSecretToCache, clearSecretCache } from '../lib/dataverse-bridge.mjs';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 // PACKAGE_DIR locates sibling @pacaf/wizard lib files (must stay __dirname-relative).
@@ -14,6 +14,7 @@ const PROJECT_DIR = process.cwd();
 const SHELL = await import(pathToFileURL(resolve(PACKAGE_DIR, 'wizard', 'lib', 'shell.mjs')).href);
 const CRYPTO = await import(pathToFileURL(resolve(PACKAGE_DIR, 'wizard', 'lib', 'crypto.mjs')).href);
 const PAC_TARGET = await import(pathToFileURL(resolve(PACKAGE_DIR, 'wizard', 'lib', 'pac-target.mjs')).href);
+const SCRUB = await import(pathToFileURL(resolve(PACKAGE_DIR, 'wizard', 'lib', 'scrub.mjs')).href);
 
 function hasCommand(name) {
   try {
@@ -24,6 +25,20 @@ function hasCommand(name) {
   }
 }
 
+/**
+ * Remove any PP_CLIENT_SECRET=... line from .env.local. Called when the
+ * user picks 1Password storage so an encrypted blob from a previous run
+ * doesn't linger inside the (possibly cloud-synced) project folder.
+ */
+function removeSecretFromEnvLocal() {
+  const envLocalPath = join(PROJECT_DIR, '.env.local');
+  if (!existsSync(envLocalPath)) return;
+  const original = readFileSync(envLocalPath, 'utf-8');
+  if (!/^PP_CLIENT_SECRET=/m.test(original)) return;
+  const cleaned = original.replace(/^PP_CLIENT_SECRET=.*\r?\n?/m, '');
+  writeFileSync(envLocalPath, cleaned, 'utf-8');
+}
+
 function normalizeUrl(value) {
   return String(value || '').trim().replace(/\/+$/, '').toLowerCase();
 }
@@ -34,7 +49,8 @@ function warnOnUrlDrift(log, key, stateUrl, credentialUrl) {
 }
 
 function formatPacAuthCreateError(profileName, url, output = '') {
-  const lines = String(output || '').trim().split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+  const scrubbed = SCRUB.scrubSecrets(String(output || ''));
+  const lines = scrubbed.trim().split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
   const detail = lines.find((line) => /^Error:/i.test(line)) || lines.at(-1) || 'pac auth create failed without a readable error message.';
   return [
     `${profileName} profile failed to create for ${url}.`,
@@ -93,7 +109,7 @@ function installPreCommitHook(log) {
 
 function runLivePac(log, pac, args, opts = {}) {
   return new Promise((resolvePromise) => {
-    log.info(`$ ${SHELL.formatCommandForLog(pac, args)}`);
+    log.info(`$ ${SCRUB.scrubSecrets(SHELL.formatCommandForLog(pac, args))}`);
     const child = SHELL.spawnSafe(pac, args, { cwd: PROJECT_DIR, stdio: ['ignore', 'pipe', 'pipe'] });
     let settled = false;
     const timeout = opts.timeoutMs
@@ -260,6 +276,10 @@ export default {
       if (authMode === '1password' && state.OP_VAULT && state.OP_ITEM) {
         const vault = state.OP_VAULT;
         const itemName = state.OP_ITEM;
+        // 1Password mode: ensure no encrypted PP_CLIENT_SECRET lingers in .env.local
+        // and remove the out-of-tree secret cache.
+        try { removeSecretFromEnvLocal(); } catch { /* best-effort */ }
+        try { clearSecretCache(); } catch { /* best-effort */ }
         const envContent = [
           '# .env - Safe to commit. Contains 1Password references, not secrets.',
           `# Generated by setup wizard on ${dateStr}`,
@@ -326,6 +346,9 @@ export default {
       const itemName = String(answers.OP_ITEM || state.OP_ITEM || '').trim();
       if (!hasCommand('op')) throw new Error('1Password storage was selected, but op CLI is not available.');
       if (!vault || !itemName) throw new Error('1Password vault and item name are required.');
+      // 1Password mode: scrub any prior PP_CLIENT_SECRET line and OS-temp cache.
+      try { removeSecretFromEnvLocal(); } catch { /* best-effort */ }
+      try { clearSecretCache(); } catch { /* best-effort */ }
       const envContent = [
         '# .env - Safe to commit. Contains 1Password references, not secrets.',
         `# Generated by setup wizard on ${dateStr}`,
@@ -364,6 +387,9 @@ export default {
       if (platform() !== 'win32') {
         try { chmodSync(join(PROJECT_DIR, '.env.local'), 0o600); } catch { /* best effort */ }
       }
+      // Mirror the encrypted secret to the OS-temp cache so a wizard restart
+      // can recover without prompting (and without touching .env.local).
+      try { persistSecretToCache(secret); } catch { /* best-effort */ }
       log.ok('Wrote .env.local');
     }