@pacaf/wizard-ux 3.6.3 → 3.6.5

package/README.md

@@ -1,8 +1,8 @@
 # WizardUX — Browser-Based Setup
 
-A browser-based UX for the PAppsCAFoundations setup wizard. Runs alongside the CLI wizard, sharing the same `.wizard-state.json` so you can switch between them at any time.
+The browser-based setup wizard for PAppsCAFoundations. This is the supported way to scaffold and configure a Code App — run it with `npx @pacaf/wizard-ux@latest`.
 
-> Both the CLI wizard at [`../wizard/`](../wizard) and this browser wizard are fully supported entry points. WizardUX now keeps the full nine-step setup flow in the browser, using server-side runners and live logs for long-running commands.
+> WizardUX keeps the full nine-step setup flow in the browser, using server-side runners and live logs for long-running commands.
 
 ## Quick start
 
@@ -36,7 +36,7 @@ This installs `wizard-ux` dependencies on first run, starts the Fastify server o
 | 8. Connectors | Native defer/notes step |
 | 9. Verify & deploy | Full form + live build/deploy output |
 
-All nine steps now stay inside WizardUX. App registration values are collected in browser forms, credentials can be read from or synced to 1Password, PAC auth output streams through the live log, scaffolding runs server-side, and verify/deploy can build and push without opening the old CLI wizard.
+All nine steps now stay inside WizardUX. App registration values are collected in browser forms, credentials can be read from or synced to 1Password, PAC auth output streams through the live log, scaffolding runs server-side, and verify/deploy can build and push — all in the browser.
 
 ## Architecture
 
@@ -59,14 +59,9 @@ wizard-ux/
 - Client secrets are held in memory on the server only — never sent back to the browser, never written to logs.
 - Auto-shutdown after 10 minutes of API inactivity.
 
-## How it differs from the CLI
+## Architecture note — shared internals
 
-The CLI ([`../wizard/`](../wizard)) is the authoritative pipeline. It calls the same `wizard/lib/*` helpers WizardUX does. You can:
-1. Start in WizardUX, finish in the CLI.
-2. Start in the CLI, finish in WizardUX.
-3. Use WizardUX as a state inspector while the CLI runs in another terminal.
-
-`.wizard-state.json` is the single source of truth for both.
+WizardUX is the user-facing entry point. Internally it reuses the same `wizard/lib/*` helpers from the [`@pacaf/wizard`](../wizard) package (a workspace dependency), so the setup pipeline logic lives in one place. `.wizard-state.json` is the single source of truth.
 
 ## Build for production
 

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@pacaf/wizard-ux",
-  "version": "3.6.3",
+  "version": "3.6.5",
   "private": false,
   "type": "module",
-  "description": "Browser-based setup wizard for Power Apps Code Apps (parallel to @pacaf/wizard CLI).",
+  "description": "Browser-based setup wizard for Power Apps Code Apps.",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -38,7 +38,7 @@
     "react-dom": "^19.0.0",
     "react-resizable-panels": "^2.1.7",
     "react-router-dom": "^7.1.0",
-    "@pacaf/wizard": "3.4.7"
+    "@pacaf/wizard": "3.4.8"
   },
   "devDependencies": {
     "@types/react": "^19.0.0",
@@ -63,6 +63,7 @@
     "dev": "node server/index.mjs",
     "build": "vite build",
     "preview": "vite preview --port 5174",
+    "test": "node --test server/steps/05-environments.test.mjs",
     "postinstall": "node scripts/fix-pty-perms.mjs"
   }
 }

package/server/steps/05-environments.mjs

@@ -116,6 +116,88 @@ function findProfileIndexByName(pac, name) {
   return null;
 }
 
+/**
+ * Parse the raw stdout of `pac auth list` into structured rows. Columns are:
+ *   [index] [active*] Kind Name User ...
+ * The active flag is a `*` in the second column; it is absent for inactive
+ * profiles. Pure (no I/O) so it can be unit-tested against captured fixtures.
+ */
+export function parseAuthListOutput(stdout) {
+  const rows = [];
+  for (const line of String(stdout || '').split(/\r?\n/)) {
+    const m = line.match(/^\s*\[(\d+)\]\s*(\*?)\s+(\S+)\s+(\S+)\s+(\S+)/);
+    if (!m) continue;
+    rows.push({
+      index: Number(m[1]),
+      active: m[2] === '*',
+      kind: m[3],
+      name: m[4],
+      user: m[5].trim(),
+    });
+  }
+  return rows;
+}
+
+/**
+ * Given parsed profiles and the name we intend to keep, return the stale
+ * duplicates: other profiles sharing the same user + kind as the kept profile.
+ * Pure so the duplicate-detection rules can be unit-tested directly.
+ */
+export function selectDuplicateProfiles(profiles, keepName) {
+  const keep = profiles.find((p) => p.name === keepName);
+  if (!keep) return [];
+  return profiles.filter(
+    (p) => p.name !== keepName && p.user === keep.user && p.kind === keep.kind,
+  );
+}
+
+/**
+ * Detect the signature of the corrupted-auth-store crash so we can surface an
+ * actionable remediation instead of the raw pac stack trace. The
+ * "Sequence contains..." line lands in pac-log.txt; the console shows the
+ * generic non-recoverable error / InvalidOperationException.
+ */
+export function isDuplicateAuthStoreError(output) {
+  const s = String(output || '');
+  return /Sequence contains more than one matching element/i.test(s)
+    || /non-recoverable error/i.test(s)
+    || /InvalidOperationException/i.test(s);
+}
+
+/** Fetch and parse `pac auth list` into structured rows. */
+function parseAuthProfiles(pac) {
+  const res = SHELL.runSafeCapture(pac, ['auth', 'list']);
+  if (!res.ok) return [];
+  return parseAuthListOutput(res.stdout);
+}
+
+/**
+ * Pre-flight auth hygiene. `pac auth name` crashes with
+ * "Sequence contains more than one matching element" when the local auth store
+ * holds duplicate profiles for the same user (a known pac CLI bug — its
+ * AuthProfiles.Update uses SingleOrDefault). Prior wizard runs in other folders
+ * leave stale `pp-<slug>-*` profiles behind, which is exactly the trigger.
+ *
+ * Before renaming the discovery profile, delete any *other* profile that shares
+ * the same user + kind as the profile we're keeping. The discovery profile was
+ * freshly authenticated for the current user in Step 4, so same-user leftovers
+ * are stale and safe to remove. This both prevents the crash and stops profiles
+ * accumulating across runs (issue #102, fixes 1 & 3).
+ */
+function pruneDuplicateAuthProfiles(log, pac, keepName) {
+  const profiles = parseAuthProfiles(pac);
+  if (profiles.length === 0) return;
+  const dupes = selectDuplicateProfiles(profiles, keepName);
+  if (dupes.length === 0) return;
+  const keep = profiles.find((p) => p.name === keepName);
+  log.warn(`Found ${dupes.length} stale duplicate auth profile(s) for ${keep.user}; removing them to avoid a known pac CLI crash.`);
+  for (const d of dupes) {
+    const del = SHELL.runSafeCapture(pac, ['auth', 'delete', '--name', d.name]);
+    if (del.ok) log.ok(`Removed stale auth profile ${d.name}`);
+    else log.warn(`Could not remove stale auth profile ${d.name}. If finalize still fails, run \`pac auth clear\` and retry.`);
+  }
+}
+
 export default {
   meta: {
     number: 5,
@@ -256,8 +338,24 @@ export default {
         SHELL.runSafeCapture(pac, ['auth', 'select', '--name', DISCOVERY_PROFILE_NAME]);
         const sel = SHELL.runSafeCapture(pac, ['env', 'select', '--environment', devUrl]);
         if (!sel.ok) throw new Error(`Could not target ${devUrl}: ${SCRUB.scrubSecrets(sel.stderr || sel.stdout || '')}`);
-        const renamed = SHELL.runSafeCapture(pac, ['auth', 'name', '--index', String(discoveryIdx), '--name', userProfileName]);
-        if (!renamed.ok) throw new Error(`Could not finalize the auth profile: ${SCRUB.scrubSecrets(renamed.stderr || renamed.stdout || '')}`);
+        // Pre-flight hygiene: clear stale duplicate profiles that crash `pac auth name` (issue #102).
+        pruneDuplicateAuthProfiles(log, pac, DISCOVERY_PROFILE_NAME);
+        // Deletions can shift indices, so re-resolve the discovery profile's index.
+        const renameIdx = findProfileIndexByName(pac, DISCOVERY_PROFILE_NAME) ?? discoveryIdx;
+        const renamed = SHELL.runSafeCapture(pac, ['auth', 'name', '--index', String(renameIdx), '--name', userProfileName]);
+        if (!renamed.ok) {
+          const detail = SCRUB.scrubSecrets(renamed.stderr || renamed.stdout || '');
+          if (isDuplicateAuthStoreError(detail)) {
+            throw new Error([
+              'Could not finalize the auth profile: your local PAC auth store has duplicate or dual-active profiles.',
+              'This is a known pac CLI bug ("Sequence contains more than one matching element") that crashes `pac auth name`.',
+              'Fix it by clearing the local profiles, then click Save & run again:',
+              '  pac auth clear',
+              '(After clearing you will be asked to sign in once more to recreate a single clean profile.)',
+            ].join('\n'));
+          }
+          throw new Error(`Could not finalize the auth profile: ${detail}`);
+        }
         log.ok(`Profile ${userProfileName} ready (targeting Dev).`);
       } else if (findProfileIndexByName(pac, userProfileName) != null) {
         // Re-run after a previous success: discovery was already renamed.

package/server/steps/05-environments.test.mjs

@@ -0,0 +1,57 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import {
+  parseAuthListOutput,
+  selectDuplicateProfiles,
+  isDuplicateAuthStoreError,
+} from './05-environments.mjs';
+
+// Reproduces the corrupted store from issue #102: two profiles flagged active
+// (`*`) that are duplicates of the same user + environment.
+const DUAL_ACTIVE_OUTPUT = `
+Index Active Kind      Name                     User
+[1]          UNIVERSAL pp-papps4ff-d-s-6ae3eeaf 00000000-0000-0000-0000-000000000000 Application
+[2]   *      UNIVERSAL pp-check6f6-d-u-6ae3eeaf user@contoso.com User
+[3]   *      UNIVERSAL pacaf-discovery          user@contoso.com User
+`;
+
+test('parseAuthListOutput parses index, active flag, kind, name, and user', () => {
+  const rows = parseAuthListOutput(DUAL_ACTIVE_OUTPUT);
+  assert.equal(rows.length, 3);
+  assert.deepEqual(rows[0], { index: 1, active: false, kind: 'UNIVERSAL', name: 'pp-papps4ff-d-s-6ae3eeaf', user: '00000000-0000-0000-0000-000000000000' });
+  assert.deepEqual(rows[1], { index: 2, active: true, kind: 'UNIVERSAL', name: 'pp-check6f6-d-u-6ae3eeaf', user: 'user@contoso.com' });
+  assert.deepEqual(rows[2], { index: 3, active: true, kind: 'UNIVERSAL', name: 'pacaf-discovery', user: 'user@contoso.com' });
+});
+
+test('parseAuthListOutput ignores the header and blank lines', () => {
+  assert.deepEqual(parseAuthListOutput(''), []);
+  assert.deepEqual(parseAuthListOutput('Index Active Kind Name User'), []);
+});
+
+test('selectDuplicateProfiles returns same-user/kind profiles other than the kept one', () => {
+  const profiles = parseAuthListOutput(DUAL_ACTIVE_OUTPUT);
+  const dupes = selectDuplicateProfiles(profiles, 'pacaf-discovery');
+  assert.deepEqual(dupes.map((p) => p.name), ['pp-check6f6-d-u-6ae3eeaf']);
+});
+
+test('selectDuplicateProfiles leaves a different user untouched', () => {
+  const output = `
+[1]   *      UNIVERSAL pacaf-discovery   me@contoso.com User
+[2]          UNIVERSAL pp-other-d-u-1234 someone@else.com User
+`;
+  const dupes = selectDuplicateProfiles(parseAuthListOutput(output), 'pacaf-discovery');
+  assert.equal(dupes.length, 0);
+});
+
+test('selectDuplicateProfiles returns nothing when the kept profile is absent', () => {
+  const dupes = selectDuplicateProfiles(parseAuthListOutput(DUAL_ACTIVE_OUTPUT), 'nonexistent');
+  assert.deepEqual(dupes, []);
+});
+
+test('isDuplicateAuthStoreError matches the known pac crash signatures', () => {
+  assert.equal(isDuplicateAuthStoreError('FTL | Sequence contains more than one matching element'), true);
+  assert.equal(isDuplicateAuthStoreError('Sorry, the app encountered a non-recoverable error'), true);
+  assert.equal(isDuplicateAuthStoreError('System.InvalidOperationException: ...'), true);
+  assert.equal(isDuplicateAuthStoreError('Error: environment not found'), false);
+  assert.equal(isDuplicateAuthStoreError(''), false);
+});

package/server/steps/06-publisher.mjs

@@ -8,7 +8,6 @@ import { parsePacTabularRows } from '../lib/pac-parse.mjs';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PACKAGE_DIR = resolve(__dirname, '..', '..', '..');
-const VALIDATE = await import(pathToFileURL(resolve(PACKAGE_DIR, 'wizard', 'lib', 'validate.mjs')).href);
 const SHELL = await import(pathToFileURL(resolve(PACKAGE_DIR, 'wizard', 'lib', 'shell.mjs')).href);
 const PAC_TARGET = await import(pathToFileURL(resolve(PACKAGE_DIR, 'wizard', 'lib', 'pac-target.mjs')).href);
 
@@ -278,7 +277,10 @@ export default {
       options: [
         ...solutions,
         { value: PASTE_URL, label: 'Paste solution URL from Maker Portal' },
-        { value: CREATE_NEW, label: '+ Create new solution' },
+        // "Create new solution" is only offered for service-principal auth, which
+        // can create solutions via the Dataverse API. User auth cannot, so they
+        // create the solution in the Maker Portal and paste its URL instead.
+        ...(!isUserAuth ? [{ value: CREATE_NEW, label: '+ Create new solution' }] : []),
       ],
       hideIf: { id: '__resume', equals: true },
     });
@@ -340,47 +342,10 @@ export default {
       }
     }
 
-    // ── Create new user auth: link to Maker Portal + URL paste back ──
-    if (isUserAuth) {
-      questions.push({
-        id: 'SOLUTION_CREATED_MANUALLY',
-        type: 'confirm',
-        label: 'I have created the solution in the Maker Portal',
-        help: `Create the solution at ${makerLink}, then come back here. You can either paste the URL above (switch to "Paste solution URL") or toggle this and enter details manually.`,
-        defaultValue: false,
-        showIf: { id: 'SOLUTION_SELECTION', equals: CREATE_NEW },
-        why: [
-          'Create your solution in the Maker Portal:',
-          `1. Open ${makerLink}`,
-          '2. Click + New Solution',
-          '3. Enter the display name',
-          '4. Select (or create) a publisher',
-          '5. Save the solution',
-          '',
-          'Then come back here and either:',
-          '• Switch the dropdown to "Paste solution URL" and paste the URL (recommended)',
-          '• OR toggle this confirmation and enter the details manually below',
-        ].join('\n'),
-      });
-
-      questions.push({
-        id: 'MANUAL_SOLUTION_UNIQUE_NAME',
-        type: 'text',
-        label: 'Solution unique name',
-        help: 'The internal name (no spaces). Find this in the solution details in the Maker Portal.',
-        defaultValue: '',
-        showIf: { id: 'SOLUTION_CREATED_MANUALLY', equals: true },
-      });
-
-      questions.push({
-        id: 'MANUAL_PUBLISHER_PREFIX',
-        type: 'text',
-        label: 'Publisher prefix',
-        help: '2–8 lowercase letters. Find this in the Maker Portal under the publisher you selected.',
-        defaultValue: state.PUBLISHER_PREFIX || '',
-        showIf: { id: 'SOLUTION_CREATED_MANUALLY', equals: true },
-      });
-    }
+    // Note: "+ Create new solution" is only offered to service-principal auth
+    // (see SOLUTION_SELECTION options above). User auth creates the solution in
+    // the Maker Portal and pastes the URL back via the PASTE_URL path, so no
+    // manual create-and-enter-details questions are needed here.
 
     return questions;
   },
@@ -453,34 +418,15 @@ export default {
       return { stateUpdate: buildStateUpdate(sol), completedStep: 7 };
     }
 
-    // ── Create new ──
+    // ── Create new (service-principal only) ──
     const solName = String(answers.NEW_SOLUTION_NAME || '').trim();
     if (!solName) throw new Error('Solution display name is required.');
     const solUnique = solName.replace(/[\s\-]+/g, '');
 
     if (isUserAuth) {
-      if (answers.SOLUTION_CREATED_MANUALLY !== true) {
-        throw new Error('Create the solution in the Maker Portal first, then confirm — or switch to "Paste solution URL".');
-      }
-      const manualUnique = String(answers.MANUAL_SOLUTION_UNIQUE_NAME || '').trim();
-      const manualPrefix = String(answers.MANUAL_PUBLISHER_PREFIX || '').trim();
-      if (!manualUnique) throw new Error('Solution unique name is required.');
-      if (!VALIDATE.isValidPrefix(manualPrefix)) throw new Error('Publisher prefix must be 2–8 lowercase letters.');
-      log.ok(`Solution: "${solName}" (${manualUnique})`);
-      log.ok(`Publisher prefix: ${manualPrefix}`);
-      return {
-        stateUpdate: {
-          SOLUTION_ID: '',
-          SOLUTION_UNIQUE_NAME: manualUnique,
-          SOLUTION_DISPLAY_NAME: solName,
-          PUBLISHER_ID: '',
-          PUBLISHER_NAME: '',
-          PUBLISHER_DISPLAY_NAME: '',
-          PUBLISHER_PREFIX: manualPrefix,
-          CHOICE_VALUE_PREFIX: '',
-        },
-        completedStep: 7,
-      };
+      // "Create new solution" isn't offered for user auth — it can't create a
+      // solution via the API. Direct the user to the Maker Portal + paste flow.
+      throw new Error('Creating a new solution requires service-principal auth. Create the solution in the Maker Portal, then choose "Paste solution URL".');
     }
 
     // SPN: create via API