@pacaf/wizard-ux 3.6.6 → 3.6.8

package/dist/index.html

@@ -28,7 +28,7 @@
       }
       @keyframes spin { to { transform: rotate(360deg); } }
     </style>
-    <script type="module" crossorigin src="/assets/index-CKpAviup.js"></script>
+    <script type="module" crossorigin src="/assets/index-BId92dEF.js"></script>
   </head>
   <body>
     <div id="root"><div id="boot"><div class="ring"></div></div></div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pacaf/wizard-ux",
-  "version": "3.6.6",
+  "version": "3.6.8",
   "private": false,
   "type": "module",
   "description": "Browser-based setup wizard for Power Apps Code Apps.",
@@ -63,7 +63,7 @@
     "dev": "node server/index.mjs",
     "build": "vite build",
     "preview": "vite preview --port 5174",
-    "test": "node --test server/steps/05-environments.test.mjs",
+    "test": "node --test server/steps/05-environments.test.mjs server/lib/process-runner.test.mjs",
     "postinstall": "node scripts/fix-pty-perms.mjs"
   }
 }

package/server/lib/process-runner.mjs

@@ -16,7 +16,7 @@ class Run extends EventEmitter {
   constructor(id) {
     super();
     this.id = id;
-    this.lines = []; // { stream: 'stdout'|'stderr', text, ts }
+    this.lines = []; // { stream: 'stdout'|'stderr', level: 'info'|'warn'|'error', text, ts }
     this.status = 'pending'; // pending | running | done | error
     this.exitCode = null;
     this.error = null;
@@ -25,12 +25,17 @@ class Run extends EventEmitter {
     this.child = null;
   }
 
-  push(stream, text) {
+  push(stream, text, level = 'info') {
     // Defense-in-depth: scrub any secret-shaped values from text before it
     // hits the SSE log buffer. The buffer is streamed to the browser and
     // rendered in the UI; never let a real secret land there.
     const safe = SCRUB.scrubSecrets(text);
-    const evt = { stream, text: safe, ts: Date.now() };
+    // `level` reflects INTENT, not the OS pipe. Raw subprocess stderr is
+    // 'info' by default — git, npm, vitest and pac all write normal progress
+    // to stderr, so the pipe alone must never imply a warning. Only the
+    // wizard's own log.warn/log.fail set 'warn'/'error'. The UI keys its
+    // warning banner and red coloring off `level`, not `stream`.
+    const evt = { stream, level, text: safe, ts: Date.now() };
     this.lines.push(evt);
     if (this.lines.length > 1000) this.lines.shift();
     this.emit('line', evt);
@@ -106,8 +111,8 @@ export async function runInline(run, fn) {
   const log = {
     info: (msg) => run.push('stdout', `${msg}\n`),
     ok: (msg) => run.push('stdout', `✓ ${msg}\n`),
-    warn: (msg) => run.push('stderr', `⚠ ${msg}\n`),
-    fail: (msg) => run.push('stderr', `✗ ${msg}\n`),
+    warn: (msg) => run.push('stderr', `⚠ ${msg}\n`, 'warn'),
+    fail: (msg) => run.push('stderr', `✗ ${msg}\n`, 'error'),
   };
   try {
     const result = await fn(log);

package/server/lib/process-runner.test.mjs

@@ -0,0 +1,46 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { newRun, runInline } from './process-runner.mjs';
+
+// The UI decides whether to show the "review items" / agent-triage banner from
+// each log line's `level`, NOT its OS pipe. Raw subprocess stderr (git, npm,
+// vitest, pac all write normal progress to stderr) must stay 'info', or every
+// successful step falsely looks like it finished with warnings.
+
+test('raw stderr lines are tagged info, not warn', () => {
+  const run = newRun();
+  run.push('stderr', 'Cloning into ...\n'); // typical git/npm stderr chatter
+  const line = run.lines.at(-1);
+  assert.equal(line.stream, 'stderr');
+  assert.equal(line.level, 'info');
+});
+
+test('raw stdout lines are tagged info', () => {
+  const run = newRun();
+  run.push('stdout', 'hello\n');
+  assert.equal(run.lines.at(-1).level, 'info');
+});
+
+test('log.warn raises level to warn; log.fail to error; log.ok/info stay info', async () => {
+  const run = newRun();
+  await runInline(run, async (log) => {
+    log.ok('all good');
+    log.info('fyi');
+    log.warn('optional thing missing');
+    log.fail('something broke');
+  });
+  const byText = (needle) => run.lines.find((l) => l.text.includes(needle));
+  assert.equal(byText('all good').level, 'info');
+  assert.equal(byText('fyi').level, 'info');
+  assert.equal(byText('optional thing missing').level, 'warn');
+  assert.equal(byText('something broke').level, 'error');
+});
+
+test('only warn/error lines would trigger the warning banner', async () => {
+  const run = newRun();
+  // Simulate a successful step that shelled out (stderr chatter) and logged ok.
+  run.push('stderr', 'npm notice ...\n');
+  await runInline(run, async (log) => { log.ok('done'); });
+  const hasWarnings = run.lines.some((l) => l.level === 'warn' || l.level === 'error');
+  assert.equal(hasWarnings, false);
+});

package/server/steps/01-prerequisites.mjs

@@ -207,8 +207,12 @@ export default {
     // Note: The Dataverse-skills plugin manages its own Python SDK installation
     // via the dv-connect skill. No separate pip install needed here.
 
-    // Dataverse Python SDK (PowerPlatform-Dataverse-Client + pandas) — warning only.
-    // dv-connect can install this, so it does not block, but we surface it.
+    // Dataverse Python SDK (PowerPlatform-Dataverse-Client + pandas) — purely
+    // informational. It is NOT needed for scaffold/build/deploy, and the
+    // Dataverse-skills plugin installs it on demand via dv-connect. Emit at
+    // info level (not warn) so its absence never trips the step's warning /
+    // triage banner — telling the user to pip-install something they don't
+    // need yet is exactly the noise we want to avoid.
     const sdkOk = detectDataverseSdk(pythonCmd);
     if (sdkOk) {
       checks.push({ name: 'Dataverse Python SDK', ok: true, value: 'available', hint: null });
@@ -218,10 +222,10 @@ export default {
         name: 'Dataverse Python SDK',
         ok: false,
         value: null,
-        hint: 'Run: pip install PowerPlatform-Dataverse-Client pandas',
+        hint: 'Optional — dv-connect installs it when you start Dataverse work (pip install PowerPlatform-Dataverse-Client pandas)',
         optional: true,
       });
-      log.warn('Dataverse Python SDK — not found (pip install PowerPlatform-Dataverse-Client pandas)');
+      log.info('Dataverse Python SDK not found (optional — dv-connect installs it later when you start Dataverse work)');
     }
 
     // Dataverse-skills plugin — HARD GATE. All Dataverse work in this template

package/server/steps/05-environments.mjs

@@ -151,6 +151,36 @@ export function selectDuplicateProfiles(profiles, keepName) {
   );
 }
 
+/**
+ * Select every profile that must be removed before we finalize the discovery
+ * profile into its environment-scoped name. Two categories are unsafe:
+ *
+ *   1. Same-user + same-kind duplicates of the profile we are keeping. Once the
+ *      discovery profile is retargeted onto Dev it shares the (user, env, tenant)
+ *      key with these, which is what trips pac's SingleOrDefault crash (#102).
+ *   2. Any profile whose name already equals the target name we are about to
+ *      rename to. `pac auth name` cannot rename onto a name that is already
+ *      taken, and a leftover SPN/user profile from a prior run for the same Dev
+ *      environment collides here even though its user/kind differ.
+ *
+ * Pure (no I/O) so the selection rules can be unit-tested against fixtures.
+ */
+export function selectProfilesToPrune(profiles, keepName, targetName) {
+  const keep = profiles.find((p) => p.name === keepName);
+  const out = [];
+  const seen = new Set();
+  for (const p of profiles) {
+    if (p.name === keepName) continue;
+    const isUserKindDup = keep && p.user === keep.user && p.kind === keep.kind;
+    const isTargetCollision = targetName && p.name === targetName;
+    if ((isUserKindDup || isTargetCollision) && !seen.has(p.name)) {
+      seen.add(p.name);
+      out.push(p);
+    }
+  }
+  return out;
+}
+
 /**
  * Detect the signature of the corrupted-auth-store crash so we can surface an
  * actionable remediation instead of the raw pac stack trace. The
@@ -164,6 +194,25 @@ export function isDuplicateAuthStoreError(output) {
     || /InvalidOperationException/i.test(s);
 }
 
+/**
+ * Extract the most useful error text from a runSafeCapture result. pac writes
+ * its real error lines to STDOUT (e.g. "Error: The value 2 of --index is not
+ * valid..."), while runSafeCapture puts Node's generic "Command failed: ..."
+ * into `stderr` (from err.message). Reading stderr-first therefore shadows the
+ * real reason — so prefer an `Error:` line from stdout, then stdout, then
+ * stderr. Returns scrubbed text safe for display.
+ */
+export function extractPacError(result) {
+  const stdout = String(result?.stdout || '');
+  const stderr = String(result?.stderr || '');
+  const errLine = stdout
+    .split(/\r?\n/)
+    .map((l) => l.trim())
+    .find((l) => /^Error:/i.test(l));
+  const detail = errLine || stdout.trim() || stderr.trim() || '';
+  return SCRUB.scrubSecrets(detail);
+}
+
 /** Fetch and parse `pac auth list` into structured rows. */
 function parseAuthProfiles(pac) {
   const res = SHELL.runSafeCapture(pac, ['auth', 'list']);
@@ -172,30 +221,37 @@ function parseAuthProfiles(pac) {
 }
 
 /**
- * Pre-flight auth hygiene. `pac auth name` crashes with
- * "Sequence contains more than one matching element" when the local auth store
- * holds duplicate profiles for the same user (a known pac CLI bug — its
- * AuthProfiles.Update uses SingleOrDefault). Prior wizard runs in other folders
- * leave stale `pp-<slug>-*` profiles behind, which is exactly the trigger.
+ * Pre-flight auth hygiene, run BEFORE the discovery profile is retargeted onto
+ * Dev. `pac auth name`/`delete` crash with "Sequence contains more than one
+ * matching element" when the local auth store holds two profiles that resolve
+ * to the same (user, environment, tenant) key — a known pac CLI bug whose
+ * AuthProfiles.Update/Delete uses SingleOrDefault.
+ *
+ * Two leftovers from prior wizard runs trigger this:
+ *   - same-user/kind duplicates of the discovery profile, and
+ *   - a profile already named exactly `targetName` (the env-scoped name we are
+ *     about to rename onto).
  *
- * Before renaming the discovery profile, delete any *other* profile that shares
- * the same user + kind as the profile we're keeping. The discovery profile was
- * freshly authenticated for the current user in Step 4, so same-user leftovers
- * are stale and safe to remove. This both prevents the crash and stops profiles
- * accumulating across runs (issue #102, fixes 1 & 3).
+ * Crucially this must happen while keys are still DISTINCT — i.e. before
+ * `pac env select` points the discovery profile at Dev. Removing them now
+ * prevents the ambiguous store from ever forming, which is the actual root
+ * cause behind the recurring "Could not finalize the auth profile" failure.
+ *
+ * Returns the number of profiles removed.
  */
-function pruneDuplicateAuthProfiles(log, pac, keepName) {
+function pruneConflictingAuthProfiles(log, pac, keepName, targetName) {
   const profiles = parseAuthProfiles(pac);
-  if (profiles.length === 0) return;
-  const dupes = selectDuplicateProfiles(profiles, keepName);
-  if (dupes.length === 0) return;
-  const keep = profiles.find((p) => p.name === keepName);
-  log.warn(`Found ${dupes.length} stale duplicate auth profile(s) for ${keep.user}; removing them to avoid a known pac CLI crash.`);
+  if (profiles.length === 0) return 0;
+  const dupes = selectProfilesToPrune(profiles, keepName, targetName);
+  if (dupes.length === 0) return 0;
+  log.warn(`Found ${dupes.length} conflicting auth profile(s) from a prior run; removing them to avoid a known pac CLI crash.`);
+  let removed = 0;
   for (const d of dupes) {
     const del = SHELL.runSafeCapture(pac, ['auth', 'delete', '--name', d.name]);
-    if (del.ok) log.ok(`Removed stale auth profile ${d.name}`);
+    if (del.ok) { log.ok(`Removed stale auth profile ${d.name}`); removed += 1; }
     else log.warn(`Could not remove stale auth profile ${d.name}. If finalize still fails, run \`pac auth clear\` and retry.`);
   }
+  return removed;
 }
 
 export default {
@@ -333,30 +389,58 @@ export default {
 
       const discoveryIdx = findProfileIndexByName(pac, DISCOVERY_PROFILE_NAME);
       if (discoveryIdx != null) {
+        // Pre-flight hygiene FIRST, while auth-store keys are still distinct.
+        // Removing same-user/kind duplicates and any existing profile already
+        // named `userProfileName` BEFORE we retarget the discovery profile onto
+        // Dev prevents the ambiguous (user, env, tenant) store that crashes both
+        // `pac auth delete` and `pac auth name` (issues #102 and the recurring
+        // "Could not finalize the auth profile" failure). Doing this after
+        // `env select` is the original defect — by then the keys already collide.
+        pruneConflictingAuthProfiles(log, pac, DISCOVERY_PROFILE_NAME, userProfileName);
+
         // Retarget the (already-authenticated) discovery profile to Dev, then
         // rename it to the environment-scoped name — no second sign-in.
         SHELL.runSafeCapture(pac, ['auth', 'select', '--name', DISCOVERY_PROFILE_NAME]);
         const sel = SHELL.runSafeCapture(pac, ['env', 'select', '--environment', devUrl]);
-        if (!sel.ok) throw new Error(`Could not target ${devUrl}: ${SCRUB.scrubSecrets(sel.stderr || sel.stdout || '')}`);
-        // Pre-flight hygiene: clear stale duplicate profiles that crash `pac auth name` (issue #102).
-        pruneDuplicateAuthProfiles(log, pac, DISCOVERY_PROFILE_NAME);
-        // Deletions can shift indices, so re-resolve the discovery profile's index.
-        const renameIdx = findProfileIndexByName(pac, DISCOVERY_PROFILE_NAME) ?? discoveryIdx;
-        const renamed = SHELL.runSafeCapture(pac, ['auth', 'name', '--index', String(renameIdx), '--name', userProfileName]);
-        if (!renamed.ok) {
-          const detail = SCRUB.scrubSecrets(renamed.stderr || renamed.stdout || '');
-          if (isDuplicateAuthStoreError(detail)) {
+        if (!sel.ok) throw new Error(`Could not target ${devUrl}: ${extractPacError(sel)}`);
+
+        // Re-resolve the discovery profile's index against the CURRENT store —
+        // never fall back to the pre-prune index, which may now be out of range.
+        const renameIdx = findProfileIndexByName(pac, DISCOVERY_PROFILE_NAME);
+        if (renameIdx == null) {
+          // Idempotent recovery: an interrupted prior run may have already
+          // renamed discovery into userProfileName. Accept that and move on.
+          if (findProfileIndexByName(pac, userProfileName) != null) {
+            SHELL.runSafeCapture(pac, ['auth', 'select', '--name', userProfileName]);
+            SHELL.runSafeCapture(pac, ['env', 'select', '--environment', devUrl]);
+            log.ok(`Reusing existing profile ${userProfileName} (targeting Dev).`);
+          } else {
             throw new Error([
-              'Could not finalize the auth profile: your local PAC auth store has duplicate or dual-active profiles.',
-              'This is a known pac CLI bug ("Sequence contains more than one matching element") that crashes `pac auth name`.',
-              'Fix it by clearing the local profiles, then click Save & run again:',
+              'Could not finalize the auth profile: the sign-in profile disappeared from the local PAC auth store.',
+              'This usually means the store still holds conflicting profiles. Clear them, then click Save & run again:',
               '  pac auth clear',
               '(After clearing you will be asked to sign in once more to recreate a single clean profile.)',
             ].join('\n'));
           }
-          throw new Error(`Could not finalize the auth profile: ${detail}`);
+        } else {
+          const renamed = SHELL.runSafeCapture(pac, ['auth', 'name', '--index', String(renameIdx), '--name', userProfileName]);
+          // pac writes errors to stdout; check both the result flag and the store.
+          const finalized = renamed.ok || findProfileIndexByName(pac, userProfileName) != null;
+          if (!finalized) {
+            const detail = extractPacError(renamed);
+            if (isDuplicateAuthStoreError(detail)) {
+              throw new Error([
+                'Could not finalize the auth profile: your local PAC auth store has duplicate or dual-active profiles.',
+                'This is a known pac CLI bug ("Sequence contains more than one matching element") that crashes `pac auth name`.',
+                'Fix it by clearing the local profiles, then click Save & run again:',
+                '  pac auth clear',
+                '(After clearing you will be asked to sign in once more to recreate a single clean profile.)',
+              ].join('\n'));
+            }
+            throw new Error(`Could not finalize the auth profile: ${detail}`);
+          }
+          log.ok(`Profile ${userProfileName} ready (targeting Dev).`);
         }
-        log.ok(`Profile ${userProfileName} ready (targeting Dev).`);
       } else if (findProfileIndexByName(pac, userProfileName) != null) {
         // Re-run after a previous success: discovery was already renamed.
         SHELL.runSafeCapture(pac, ['auth', 'select', '--name', userProfileName]);

package/server/steps/05-environments.test.mjs

@@ -3,6 +3,8 @@ import assert from 'node:assert/strict';
 import {
   parseAuthListOutput,
   selectDuplicateProfiles,
+  selectProfilesToPrune,
+  extractPacError,
   isDuplicateAuthStoreError,
 } from './05-environments.mjs';
 
@@ -55,3 +57,56 @@ test('isDuplicateAuthStoreError matches the known pac crash signatures', () => {
   assert.equal(isDuplicateAuthStoreError('Error: environment not found'), false);
   assert.equal(isDuplicateAuthStoreError(''), false);
 });
+
+// Reproduces the exact log from the recurring failure: a leftover env-scoped
+// user profile from a prior run already holds the target name. Same user as
+// discovery so it is also a same-user duplicate.
+const TARGET_COLLISION_OUTPUT = `
+Index Active Kind      Name                     User
+[1]   *      UNIVERSAL pp-prosp8dc-d-u-6ae3eeaf user@contoso.com User
+[2]          UNIVERSAL pacaf-discovery          user@contoso.com User
+`;
+
+test('selectProfilesToPrune removes a profile already holding the target name', () => {
+  const profiles = parseAuthListOutput(TARGET_COLLISION_OUTPUT);
+  const prune = selectProfilesToPrune(profiles, 'pacaf-discovery', 'pp-prosp8dc-d-u-6ae3eeaf');
+  assert.deepEqual(prune.map((p) => p.name), ['pp-prosp8dc-d-u-6ae3eeaf']);
+});
+
+test('selectProfilesToPrune removes same-user/kind dupes plus a distinct target collision', () => {
+  const output = `
+[1]   *      UNIVERSAL pacaf-discovery   me@contoso.com User
+[2]          UNIVERSAL pp-dup-d-u-aaaa   me@contoso.com User
+[3]          UNIVERSAL pp-target-d-u-bb  someone@else.com User
+`;
+  const prune = selectProfilesToPrune(parseAuthListOutput(output), 'pacaf-discovery', 'pp-target-d-u-bb');
+  assert.deepEqual(prune.map((p) => p.name).sort(), ['pp-dup-d-u-aaaa', 'pp-target-d-u-bb']);
+});
+
+test('selectProfilesToPrune does not double-list a profile that is both dup and target', () => {
+  const profiles = parseAuthListOutput(TARGET_COLLISION_OUTPUT);
+  const prune = selectProfilesToPrune(profiles, 'pacaf-discovery', 'pp-prosp8dc-d-u-6ae3eeaf');
+  assert.equal(prune.length, 1);
+});
+
+test('selectProfilesToPrune never returns the kept profile', () => {
+  const profiles = parseAuthListOutput(TARGET_COLLISION_OUTPUT);
+  const prune = selectProfilesToPrune(profiles, 'pacaf-discovery', 'pacaf-discovery');
+  assert.equal(prune.find((p) => p.name === 'pacaf-discovery'), undefined);
+});
+
+test('extractPacError prefers the pac Error: line from stdout over the generic stderr', () => {
+  // pac writes the real reason to stdout; runSafeCapture puts "Command failed"
+  // into stderr. Reading stderr-first (the old bug) would shadow the real error.
+  const result = {
+    ok: false,
+    stdout: 'Index Active Kind ...\n\nError: The value 2 of --index is not valid. It must be between 1 and 1.\n',
+    stderr: 'Command failed: pac auth name --index 2 --name foo',
+  };
+  assert.equal(extractPacError(result), 'Error: The value 2 of --index is not valid. It must be between 1 and 1.');
+});
+
+test('extractPacError falls back to stderr when stdout is empty', () => {
+  assert.equal(extractPacError({ ok: false, stdout: '', stderr: 'boom' }), 'boom');
+  assert.equal(extractPacError({}), '');
+});