@salesforce/templates 66.7.13 → 66.9.0

package/lib/templates/project/reactinternalapp/scripts/org-setup.mjs

@@ -22,17 +22,18 @@
  * Permset assignment config (scripts/org-setup.config.json):
  *   {
  *     "permsetAssignments": {
- *       "defaultAssignee": "currentUser",
  *       "assignments": {
- *         "Guest_Permset": { "assignee": "guest@mysite.example.com" },
+ *         "My_Permset": { "assignee": "currentUser" },
+ *         "Guest_Permset": { "assignee": "guestUser", "siteName": "mysite" },
  *         "Internal_Only": { "assignee": "skip" }
  *       }
  *     }
  *   }
- *   Assignee values: "currentUser" (default), "skip", or a specific username.
+ *   Assignee values: "currentUser", "skip", "guestUser" (requires siteName), or a specific username.
+ *   Only permsets explicitly listed in assignments are assigned; unlisted permsets are skipped.
  */
 
-import { spawnSync } from 'node:child_process';
+import { spawnSync, spawn as nodeSpawn } from 'node:child_process';
 import { resolve, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { readdirSync, existsSync, readFileSync, writeFileSync, unlinkSync } from 'node:fs';
@@ -97,9 +98,11 @@ function parseArgs() {
     skipLogin: false,
     skipDeploy: false,
     skipPermset: false,
+    skipRole: false,
     skipData: false,
     skipGraphql: false,
     skipUIBundleBuild: false,
+    skipSelfReg: false,
     skipDev: false,
   };
   for (let i = 0; i < args.length; i++) {
@@ -112,7 +115,9 @@ function parseArgs() {
     } else if (args[i] === '--skip-login') flags.skipLogin = true;
     else if (args[i] === '--skip-deploy') flags.skipDeploy = true;
     else if (args[i] === '--skip-permset') flags.skipPermset = true;
+    else if (args[i] === '--skip-role') flags.skipRole = true;
     else if (args[i] === '--skip-data') flags.skipData = true;
+    else if (args[i] === '--skip-self-reg') flags.skipSelfReg = true;
     else if (args[i] === '--skip-graphql') flags.skipGraphql = true;
     else if (args[i] === '--skip-ui-bundle-build') flags.skipUIBundleBuild = true;
     else if (args[i] === '--skip-dev') flags.skipDev = true;
@@ -144,15 +149,15 @@ Permset config (scripts/org-setup.config.json):
   Control per-permset assignment via a config file. Example:
     {
       "permsetAssignments": {
-        "defaultAssignee": "currentUser",
         "assignments": {
-          "Guest_Permset": { "assignee": "guest@mysite.example.com" },
+          "My_Permset": { "assignee": "currentUser" },
+          "Guest_Permset": { "assignee": "guestUser", "siteName": "mysite" },
           "Internal_Only": { "assignee": "skip" }
         }
       }
     }
-  Assignee values: "currentUser" (default), "skip", or a specific username.
-  Without this file, all discovered permsets are assigned to the current user.
+  Assignee values: "currentUser", "skip", "guestUser" (requires siteName), or a specific username.
+  Only permsets explicitly listed in assignments are assigned; unlisted permsets are skipped.
 `);
       process.exit(0);
     }
@@ -213,31 +218,33 @@ function discoverPermissionSetNames() {
  * Config shape:
  *   {
  *     "permsetAssignments": {
- *       "defaultAssignee": "currentUser",          // "currentUser" (default) or "skip"
  *       "assignments": {
- *         "My_Guest_Permset": { "assignee": "guest@mysite.example.com" },
+ *         "My_Permset":       { "assignee": "currentUser" },
+ *         "My_Guest_Permset": { "assignee": "guestUser", "siteName": "mysite" },
  *         "Internal_Only":    { "assignee": "skip" }
  *       }
  *     }
  *   }
  *
  * Assignee values:
- *   "currentUser" — assign to the user running the script (default)
+ *   "currentUser" — assign to the user running the script
  *   "skip"        — do not assign this permset
+ *   "guestUser"   — resolve the site guest user automatically (requires siteName)
  *   "<username>"  — assign to a specific user via --on-behalf-of
  *
- * Returns { defaultAssignee: string, assignments: Record<string, { assignee: string }> }
+ * Only permsets explicitly listed in assignments are assigned; unlisted permsets are skipped.
+ *
+ * Returns { assignments: Record<string, { assignee: string, siteName?: string }> }
  */
 function loadPermsetConfig() {
   const configPath = resolve(__dirname, 'org-setup.config.json');
-  const defaults = { defaultAssignee: 'currentUser', assignments: {} };
+  const defaults = { assignments: {} };
   if (!existsSync(configPath)) return defaults;
   try {
     const raw = JSON.parse(readFileSync(configPath, 'utf8'));
     const section = raw?.permsetAssignments;
     if (!section) return defaults;
     return {
-      defaultAssignee: section.defaultAssignee || 'currentUser',
       assignments: section.assignments || {},
     };
   } catch (err) {
@@ -246,10 +253,375 @@ function loadPermsetConfig() {
   }
 }
 
-/** Resolve the effective assignee for a given permset name. */
-function resolveAssignee(permsetName, permsetConfig) {
+/** Resolve the effective assignment config for a given permset name. */
+function resolveAssignment(permsetName, permsetConfig) {
   const override = permsetConfig.assignments[permsetName];
-  return override?.assignee || permsetConfig.defaultAssignee;
+  if (!override) return { assignee: 'skip' };
+  return { assignee: override.assignee || 'skip', siteName: override.siteName };
+}
+
+/**
+ * Load role assignment config from org-setup.config.json.
+ *
+ * Config shape:
+ *   { "role": { "assignee": "currentUser", "roleName": "Admin" } }
+ *
+ * Returns null if no "role" section exists in config (the step is hidden).
+ */
+function loadRoleConfig() {
+  const configPath = resolve(__dirname, 'org-setup.config.json');
+  if (!existsSync(configPath)) return null;
+  try {
+    const raw = JSON.parse(readFileSync(configPath, 'utf8'));
+    const section = raw?.role;
+    if (!section) return null;
+    return {
+      assignee: section.assignee || 'currentUser',
+      roleName: section.roleName || null,
+    };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Load self-registration config from org-setup.config.json.
+ *
+ * Config shape:
+ *   {
+ *     "selfRegistration": {
+ *       "siteName": "myapp",
+ *       "selfRegProfile": "myapp Profile",
+ *       "accountName": "My Self-Reg Account"
+ *     }
+ *   }
+ *
+ * Returns null if no "selfRegistration" section exists in config (the step is hidden).
+ */
+function loadSelfRegConfig() {
+  const configPath = resolve(__dirname, 'org-setup.config.json');
+  if (!existsSync(configPath)) return null;
+  try {
+    const raw = JSON.parse(readFileSync(configPath, 'utf8'));
+    const section = raw?.selfRegistration;
+    if (!section) return null;
+    return {
+      siteName: section.siteName || null,
+      selfRegProfile: section.selfRegProfile || null,
+      accountName: section.accountName || null,
+    };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Ensure the self-registration profile is listed in networkMemberGroups.
+ * This must happen BEFORE the initial deploy so that the profile is a recognised
+ * site member when subsequent steps (selfRegProfile, selfRegistration=true) are deployed.
+ */
+function ensureNetworkMemberProfile(selfRegConfig) {
+  const { siteName, selfRegProfile } = selfRegConfig;
+  if (!siteName || !selfRegProfile) return;
+
+  const networkXmlPath = resolve(SFDX_SOURCE, 'networks', `${siteName}.network-meta.xml`);
+  if (!existsSync(networkXmlPath)) {
+    console.log(`  Network metadata not found: ${networkXmlPath}; skipping member group update.`);
+    return;
+  }
+  const xml = readFileSync(networkXmlPath, 'utf8');
+
+  // Check if profile is already in networkMemberGroups
+  const profileEscaped = selfRegProfile.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  const profileRegex = new RegExp(`<profile>\\s*${profileEscaped}\\s*</profile>`);
+  if (profileRegex.test(xml)) {
+    console.log(`  Profile "${selfRegProfile}" already in networkMemberGroups; no update needed.`);
+    return;
+  }
+
+  // Add the profile to networkMemberGroups
+  const updatedXml = xml.replace(
+    /(<networkMemberGroups>)/,
+    `$1\n        <profile>${selfRegProfile}</profile>`
+  );
+  writeFileSync(networkXmlPath, updatedXml);
+  console.log(`  Added profile "${selfRegProfile}" to networkMemberGroups in ${siteName}.network-meta.xml`);
+}
+
+/**
+ * Enable self-registration for an Experience Cloud network.
+ *
+ * 1. Modify the network metadata XML to set selfRegistration=true and add selfRegProfile.
+ * 2. Re-deploy the modified network metadata.
+ * 3. Create an Account record (idempotent).
+ * 4. Create a NetworkSelfRegistration record linking the Account to the Network (idempotent).
+ */
+function enableSelfRegistration(selfRegConfig, targetOrg) {
+  const { siteName, selfRegProfile, accountName } = selfRegConfig;
+
+  // 1. Modify network metadata XML
+  const networkXmlPath = resolve(SFDX_SOURCE, 'networks', `${siteName}.network-meta.xml`);
+  if (!existsSync(networkXmlPath)) {
+    console.error(`  Network metadata not found: ${networkXmlPath}`);
+    return;
+  }
+  const xml = readFileSync(networkXmlPath, 'utf8');
+
+  // Skip network modification and deploy if self-registration is already configured
+  const alreadyEnabled = /<selfRegistration>true<\/selfRegistration>/.test(xml);
+  const alreadyHasProfile = /<selfRegProfile>/.test(xml);
+  if (alreadyEnabled || alreadyHasProfile) {
+    console.log(`  Network "${siteName}" already has self-registration configured; skipping metadata update and deploy.`);
+  } else {
+    // Set selfRegistration to true and add selfRegProfile
+    let updatedXml = xml.replace(
+      /<selfRegistration>false<\/selfRegistration>/,
+      '<selfRegistration>true</selfRegistration>'
+    );
+    updatedXml = updatedXml.replace(
+      /(\s*)(<selfRegistration>)/,
+      `$1<selfRegProfile>${selfRegProfile}</selfRegProfile>\n$1$2`
+    );
+
+    writeFileSync(networkXmlPath, updatedXml);
+    console.log(`  Updated ${siteName}.network-meta.xml: selfRegistration=true, selfRegProfile=${selfRegProfile}`);
+
+    // Re-deploy only the network file
+    const deployResult = spawnSync('sf', [
+      'project', 'deploy', 'start',
+      '--target-org', targetOrg,
+      '--source-dir', networkXmlPath,
+    ], { cwd: ROOT, stdio: 'inherit', shell: true, timeout: 120000 });
+    if (deployResult.status !== 0) {
+      console.error('  Failed to deploy updated network metadata.');
+      process.exit(deployResult.status ?? 1);
+    }
+  }
+
+  // 3. Create Account (idempotent)
+  const acctQuery = `SELECT Id FROM Account WHERE Name = '${accountName.replace(/'/g, "\\'")}' LIMIT 1`;
+  const acctQueryResult = spawnSync('sf', [
+    'data', 'query',
+    '--query', acctQuery,
+    '--target-org', targetOrg,
+    '--json',
+  ], { cwd: ROOT, encoding: 'utf8' });
+  let accountId = null;
+  if (acctQueryResult.status === 0) {
+    try {
+      const json = JSON.parse(acctQueryResult.stdout);
+      accountId = json.result?.records?.[0]?.Id || null;
+    } catch { /* proceed to create */ }
+  }
+  if (accountId) {
+    console.log(`  Account "${accountName}" already exists (${accountId}); skipping creation.`);
+  } else {
+    const createResult = spawnSync('sf', [
+      'data', 'create', 'record',
+      '--sobject', 'Account',
+      '--values', `Name='${accountName}'`,
+      '--target-org', targetOrg,
+      '--json',
+    ], { cwd: ROOT, encoding: 'utf8' });
+    if (createResult.status !== 0) {
+      console.error(`  Failed to create Account "${accountName}".`);
+      if (createResult.stderr) console.error(createResult.stderr);
+      return;
+    }
+    try {
+      const json = JSON.parse(createResult.stdout);
+      accountId = json.result?.id;
+      console.log(`  Created Account "${accountName}" (${accountId}).`);
+    } catch {
+      console.error('  Failed to parse Account creation result.');
+      return;
+    }
+  }
+
+  // 4. Query Network Id
+  const netQuery = `SELECT Id FROM Network WHERE Name = '${siteName}'`;
+  const netResult = spawnSync('sf', [
+    'data', 'query',
+    '--query', netQuery,
+    '--target-org', targetOrg,
+    '--json',
+  ], { cwd: ROOT, encoding: 'utf8' });
+  let networkId = null;
+  if (netResult.status === 0) {
+    try {
+      const json = JSON.parse(netResult.stdout);
+      networkId = json.result?.records?.[0]?.Id || null;
+    } catch { /* fall through */ }
+  }
+  if (!networkId) {
+    console.error(`  Could not find Network "${siteName}" in org.`);
+    return;
+  }
+  console.log(`  Found Network "${siteName}" (${networkId}).`);
+
+  // 5. Create NetworkSelfRegistration (idempotent)
+  const nsrQuery = `SELECT Id FROM NetworkSelfRegistration WHERE NetworkId = '${networkId}'`;
+  const nsrResult = spawnSync('sf', [
+    'data', 'query',
+    '--query', nsrQuery,
+    '--target-org', targetOrg,
+    '--json',
+  ], { cwd: ROOT, encoding: 'utf8' });
+  let nsrExists = false;
+  if (nsrResult.status === 0) {
+    try {
+      const json = JSON.parse(nsrResult.stdout);
+      nsrExists = (json.result?.records?.length || 0) > 0;
+    } catch { /* proceed to create */ }
+  }
+  if (nsrExists) {
+    console.log('  NetworkSelfRegistration record already exists; skipping.');
+  } else {
+    const tmpApex = resolve(ROOT, '.tmp-setup-selfreg.apex');
+    const apex = [
+      `Account acct = [SELECT Id FROM Account WHERE Id = '${accountId}' LIMIT 1];`,
+      `NetworkSelfRegistration nsr = new NetworkSelfRegistration();`,
+      `nsr.AccountId = acct.Id;`,
+      `nsr.NetworkId = '${networkId}';`,
+      `insert nsr;`,
+      `System.debug('NSR_CREATED:' + nsr.Id);`,
+    ].join('\n');
+    writeFileSync(tmpApex, apex);
+    const apexResult = spawnSync('sf', [
+      'apex', 'run', '--target-org', targetOrg, '--file', tmpApex,
+    ], { cwd: ROOT, stdio: 'pipe', shell: true, timeout: 60000 });
+    const apexOut = apexResult.stdout?.toString() || '';
+    if (existsSync(tmpApex)) unlinkSync(tmpApex);
+    if (apexResult.status !== 0 && !apexOut.includes('Compiled successfully')) {
+      console.error('  Failed to create NetworkSelfRegistration record.');
+      process.stderr.write(apexResult.stderr?.toString() || apexOut);
+      return;
+    }
+    const nsrMatch = apexOut.match(/NSR_CREATED:(\w+)/);
+    if (nsrMatch) {
+      console.log(`  Created NetworkSelfRegistration (${nsrMatch[1]}).`);
+    } else {
+      console.log('  NetworkSelfRegistration creation executed.');
+    }
+  }
+}
+
+/**
+ * Assign a role to the current user so that Experience Cloud self-registration
+ * works correctly.
+ */
+function assignRoleToCurrentUser(roleName, targetOrg) {
+  const roleQuery = `SELECT Id FROM UserRole WHERE Name = '${roleName}'`;
+  const roleResult = spawnSync('sf', [
+    'data', 'query',
+    '--query', roleQuery,
+    '--target-org', targetOrg,
+    '--json',
+  ], { cwd: ROOT, encoding: 'utf8' });
+  if (roleResult.status !== 0) {
+    console.error(`  Failed to query role "${roleName}" in org.`);
+    if (roleResult.stderr) console.error(roleResult.stderr);
+    return;
+  }
+  let roleId;
+  try {
+    const json = JSON.parse(roleResult.stdout);
+    const records = json.result?.records;
+    if (!records || records.length === 0) {
+      console.error(`  Role "${roleName}" not found in org; skipping.`);
+      return;
+    }
+    roleId = records[0].Id;
+  } catch {
+    console.error(`  Failed to parse role query result for "${roleName}".`);
+    return;
+  }
+
+  const orgResult = spawnSync('sf', [
+    'org', 'display',
+    '--target-org', targetOrg,
+    '--json',
+  ], { cwd: ROOT, encoding: 'utf8' });
+  if (orgResult.status !== 0) {
+    console.error('  Failed to resolve current user from org.');
+    return;
+  }
+  let username;
+  try {
+    const json = JSON.parse(orgResult.stdout);
+    username = json.result?.username;
+    if (!username) {
+      console.error('  Could not determine current username from org display.');
+      return;
+    }
+  } catch {
+    console.error('  Failed to parse org display result.');
+    return;
+  }
+
+  const userQuery = `SELECT Id, UserRoleId FROM User WHERE Username = '${username}'`;
+  const userResult = spawnSync('sf', [
+    'data', 'query',
+    '--query', userQuery,
+    '--target-org', targetOrg,
+    '--json',
+  ], { cwd: ROOT, encoding: 'utf8' });
+  if (userResult.status === 0) {
+    try {
+      const json = JSON.parse(userResult.stdout);
+      const userRecord = json.result?.records?.[0];
+      if (userRecord?.UserRoleId) {
+        console.log(`  User ${username} already has a role assigned; skipping to avoid overriding.`);
+        return;
+      }
+    } catch { /* continue */ }
+  }
+
+  const updateResult = spawnSync('sf', [
+    'data', 'update', 'record',
+    '--sobject', 'User',
+    '--where', `Username='${username}'`,
+    '--values', `UserRoleId='${roleId}'`,
+    '--target-org', targetOrg,
+    '--json',
+  ], { cwd: ROOT, encoding: 'utf8' });
+  if (updateResult.status === 0) {
+    console.log(`  Role "${roleName}" assigned to ${username}.`);
+  } else {
+    const out = (updateResult.stderr?.toString() || '') + (updateResult.stdout?.toString() || '');
+    console.error(`  Failed to assign role "${roleName}" to ${username}.`);
+    if (out) console.error(out);
+  }
+}
+
+/**
+ * Query the org for a guest user whose profile name matches the given site name.
+ */
+function resolveGuestUsername(siteName, targetOrg) {
+  const query = `SELECT Username FROM User WHERE Profile.Name LIKE '%${siteName}%' AND UserType = 'Guest'`;
+  const result = spawnSync('sf', [
+    'data', 'query',
+    '--query', query,
+    '--target-org', targetOrg,
+    '--json',
+  ], { cwd: ROOT, encoding: 'utf8' });
+  if (result.status !== 0) {
+    console.error(`  Failed to query guest user for site "${siteName}".`);
+    if (result.stderr) console.error(result.stderr);
+    return null;
+  }
+  try {
+    const json = JSON.parse(result.stdout);
+    const records = json.result?.records;
+    if (!records || records.length === 0) {
+      console.error(`  No guest user found for site "${siteName}".`);
+      return null;
+    }
+    return records[0].Username;
+  } catch {
+    console.error(`  Failed to parse guest user query result for site "${siteName}".`);
+    return null;
+  }
 }
 
 function isOrgConnected(targetOrg) {
@@ -312,6 +684,22 @@ async function promptSteps(steps) {
   const CYAN = '\x1B[36m';
   const GREEN = '\x1B[32m';
 
+  /** Strip ANSI escape sequences to get visible character count. */
+  function visibleLength(str) {
+    return str.replace(/\x1B\[[0-9;]*m/g, '').length;
+  }
+
+  /** Count how many terminal rows a set of lines occupies (accounting for wrapping). */
+  function terminalRows(lines) {
+    const cols = process.stdout.columns || 80;
+    let rows = 0;
+    for (const line of lines) {
+      const len = visibleLength(line);
+      rows += len === 0 ? 1 : Math.ceil(len / cols);
+    }
+    return rows;
+  }
+
   function render() {
     return steps.map((s, i) => {
       const ptr = i === cursor ? `${CYAN}❯${RST}` : ' ';
@@ -321,17 +709,23 @@ async function promptSteps(steps) {
     });
   }
 
+  let prevRows = 0;
+
   return new Promise((resolve) => {
     process.stdin.setRawMode(true);
     process.stdin.resume();
     process.stdin.setEncoding('utf8');
     process.stdout.write('\x1B[?25l');
     console.log('\nSelect steps (↑↓ move, space toggle, a all, enter confirm):\n');
-    process.stdout.write(render().join('\n') + '\n');
+    const initialLines = render();
+    prevRows = terminalRows(initialLines);
+    process.stdout.write(initialLines.join('\n') + '\n');
 
     function redraw() {
-      process.stdout.write(`\x1B[${steps.length}A`);
-      for (const line of render()) process.stdout.write(`\x1B[2K${line}\n`);
+      process.stdout.write(`\x1B[${prevRows}A`);
+      const lines = render();
+      for (const line of lines) process.stdout.write(`\x1B[2K${line}\n`);
+      prevRows = terminalRows(lines);
     }
 
     process.stdin.on('data', (key) => {
@@ -388,6 +782,37 @@ function run(name, cmd, args, opts = {}) {
   return result;
 }
 
+/** Promise-based spawn for parallel execution. Always uses stdio: 'pipe'. */
+function spawnAsync(cmd, args, opts = {}) {
+  return new Promise((resolve, reject) => {
+    const proc = nodeSpawn(cmd, args, {
+      cwd: opts.cwd || ROOT,
+      stdio: 'pipe',
+      shell: true,
+      ...(opts.timeout && { timeout: opts.timeout }),
+    });
+    let stdout = '';
+    let stderr = '';
+    proc.stdout.on('data', (d) => { stdout += d.toString(); });
+    proc.stderr.on('data', (d) => { stderr += d.toString(); });
+    proc.on('close', (code) => resolve({ status: code, stdout, stderr }));
+    proc.on('error', reject);
+  });
+}
+
+/** Async version of run() for parallel steps. Captures output and prints on failure. */
+async function runAsync(name, cmd, args, opts = {}) {
+  const { cwd = ROOT, optional = false } = opts;
+  const result = await spawnAsync(cmd, args, { cwd, ...(opts.timeout && { timeout: opts.timeout }) });
+  if (result.status !== 0 && !optional) {
+    if (result.stdout) process.stdout.write(result.stdout);
+    if (result.stderr) process.stderr.write(result.stderr);
+    console.error(`\nSetup failed at step: ${name}`);
+    process.exit(result.status ?? 1);
+  }
+  return result;
+}
+
 async function main() {
   // Ensure .gitignore files exist (npm strips them from published packages).
   const gitignoreTemplates = loadGitignoreTemplates();
@@ -410,6 +835,8 @@ async function main() {
     skipLogin: argSkipLogin,
     skipDeploy: argSkipDeploy,
     skipPermset: argSkipPermset,
+    skipRole: argSkipRole,
+    skipSelfReg: argSkipSelfReg,
     skipData: argSkipData,
     skipGraphql: argSkipGraphql,
     skipUIBundleBuild: argSkipUIBundleBuild,
@@ -426,12 +853,18 @@ async function main() {
         : `Permset — assign ${permsetNames.length} permission sets`;
 
   const hasDataPlan = existsSync(DATA_PLAN) && existsSync(DATA_DIR);
+  const roleConfig = loadRoleConfig();
+  const hasRoleConfig = roleConfig !== null;
+  const selfRegConfig = loadSelfRegConfig();
+  const hasSelfRegConfig = selfRegConfig !== null;
 
   const stepDefs = [
     { key: 'login', label: 'Login — org authentication', enabled: !argSkipLogin, available: true },
     { key: 'uiBundleBuild', label: 'UI Bundle Build — npm install + build (pre-deploy)', enabled: !argSkipUIBundleBuild, available: true },
     { key: 'deploy', label: 'Deploy — sf project deploy start', enabled: !argSkipDeploy, available: true },
     { key: 'permset', label: permsetStepLabel, enabled: !argSkipPermset, available: true },
+    { key: 'role', label: `Role — assign "${roleConfig?.roleName ?? '?'}" to current user`, enabled: !argSkipRole && hasRoleConfig, available: hasRoleConfig },
+    { key: 'selfReg', label: `Self-Registration — enable for "${selfRegConfig?.siteName ?? '?'}"`, enabled: !argSkipSelfReg && hasSelfRegConfig, available: hasSelfRegConfig },
     { key: 'data', label: 'Data — delete + import records via Apex', enabled: !argSkipData && hasDataPlan, available: hasDataPlan },
     { key: 'graphql', label: 'GraphQL — schema introspect + codegen', enabled: !argSkipGraphql, available: true },
     { key: 'dev', label: 'Dev — launch dev server', enabled: !argSkipDev, available: true },
@@ -447,6 +880,8 @@ async function main() {
   const skipUIBundleBuild = !on.uiBundleBuild;
   const skipDeploy = !on.deploy;
   const skipPermset = !on.permset;
+  const skipRole = !on.role;
+  const skipSelfReg = !on.selfReg;
   const skipData = !on.data;
   const skipGraphql = !on.graphql;
   const skipDev = !on.dev;
@@ -457,10 +892,12 @@ async function main() {
 
   console.log('Setup — target org:', targetOrg, '| UI bundle:', uiBundleDir ?? '(none)');
   console.log(
-    'Steps: login=%s deploy=%s permset=%s data=%s graphql=%s uiBundle=%s dev=%s',
+    'Steps: login=%s deploy=%s permset=%s role=%s selfReg=%s data=%s graphql=%s uiBundle=%s dev=%s',
     !skipLogin,
     !skipDeploy,
     !skipPermset,
+    !skipRole,
+    !skipSelfReg,
     doData,
     !skipGraphql,
     !skipUIBundleBuild,
@@ -476,6 +913,13 @@ async function main() {
     }
   }
 
+  // Ensure the self-reg profile is in networkMemberGroups before deploy so that
+  // subsequent selfRegProfile / selfRegistration updates don't fail.
+  if (!skipDeploy && selfRegConfig) {
+    console.log('\n--- Ensure network member profile (pre-deploy) ---');
+    ensureNetworkMemberProfile(selfRegConfig);
+  }
+
   // Build all UI Bundles before deploy so dist exists for entity deployment
   if (!skipDeploy && !skipUIBundleBuild) {
     const allUIBundleDirs = discoverAllUIBundleDirs(uiBundleName);
@@ -499,42 +943,84 @@ async function main() {
       console.log('No permission sets found under permissionsets/ and none passed via --permset-name; skipping.');
     } else {
       console.log('\n--- Assign permission sets ---');
+
+      // Resolve assignments (guest user lookups etc.) then run all sf assign calls in parallel.
+      const assignmentJobs = [];
       for (const permsetName of permsetNames) {
-        const assignee = resolveAssignee(permsetName, permsetConfig);
-        if (assignee === 'skip') {
+        const assignment = resolveAssignment(permsetName, permsetConfig);
+        if (assignment.assignee === 'skip') {
           console.log(`Permission set "${permsetName}" — skipped (config).`);
           continue;
         }
+        let effectiveUsername = null;
+        if (assignment.assignee === 'guestUser') {
+          if (!assignment.siteName) {
+            console.error(`Permission set "${permsetName}" — assignee is "guestUser" but no "siteName" configured; skipping.`);
+            continue;
+          }
+          effectiveUsername = resolveGuestUsername(assignment.siteName, targetOrg);
+          if (!effectiveUsername) {
+            console.error(`Permission set "${permsetName}" — could not resolve guest user for site "${assignment.siteName}"; skipping.`);
+            continue;
+          }
+          console.log(`  Resolved guest user for site "${assignment.siteName}": ${effectiveUsername}`);
+        } else if (assignment.assignee !== 'currentUser') {
+          effectiveUsername = assignment.assignee;
+        }
+        assignmentJobs.push({ permsetName, effectiveUsername });
+      }
+
+      // Run all permset assignment calls in parallel.
+      const assignResults = await Promise.all(assignmentJobs.map(async ({ permsetName, effectiveUsername }) => {
         const sfArgs = ['org', 'assign', 'permset', '--name', permsetName, '--target-org', targetOrg];
-        if (assignee !== 'currentUser') {
-          sfArgs.push('--on-behalf-of', assignee);
+        if (effectiveUsername) {
+          sfArgs.push('--on-behalf-of', effectiveUsername);
         }
-        const assigneeLabel = assignee === 'currentUser' ? 'current user' : assignee;
-        const permsetResult = spawnSync('sf', sfArgs, {
-          cwd: ROOT,
-          stdio: 'pipe',
-          shell: true,
-        });
-        if (permsetResult.status === 0) {
+        const assigneeLabel = effectiveUsername || 'current user';
+        const result = await spawnAsync('sf', sfArgs);
+        return { permsetName, assigneeLabel, result };
+      }));
+
+      for (const { permsetName, assigneeLabel, result } of assignResults) {
+        if (result.status === 0) {
           console.log(`Permission set "${permsetName}" assigned to ${assigneeLabel}.`);
         } else {
-          const out =
-            (permsetResult.stderr?.toString() || '') + (permsetResult.stdout?.toString() || '');
+          const out = (result.stderr || '') + (result.stdout || '');
           if (out.includes('Duplicate') && out.includes('PermissionSet')) {
             console.log(`Permission set "${permsetName}" already assigned to ${assigneeLabel}; skipping.`);
           } else if (out.includes('not found') && out.includes('target org')) {
             console.log(`Permission set "${permsetName}" not in org; skipping.`);
           } else {
-            process.stdout.write(permsetResult.stdout?.toString() || '');
-            process.stderr.write(permsetResult.stderr?.toString() || '');
+            if (result.stdout) process.stdout.write(result.stdout);
+            if (result.stderr) process.stderr.write(result.stderr);
             console.error(`\nSetup failed at step: Assign permission set (${permsetName})`);
-            process.exit(permsetResult.status ?? 1);
+            process.exit(result.status ?? 1);
           }
         }
       }
     }
   }
 
+  if (!skipRole) {
+    console.log('\n--- Assign role ---');
+    if (roleConfig?.assignee !== 'currentUser') {
+      console.error(`Role assignee "${roleConfig?.assignee}" is not supported; only "currentUser" is allowed. Skipping.`);
+    } else if (!roleConfig?.roleName) {
+      console.error('Role step enabled but no "roleName" specified in org-setup.config.json; skipping.');
+    } else {
+      assignRoleToCurrentUser(roleConfig.roleName, targetOrg);
+    }
+  }
+
+  if (!skipSelfReg) {
+    console.log('\n--- Enable self-registration ---');
+    if (!selfRegConfig?.siteName || !selfRegConfig?.selfRegProfile || !selfRegConfig?.accountName) {
+      console.error('Self-registration config is incomplete (need siteName, selfRegProfile, accountName); skipping.');
+    } else {
+      enableSelfRegistration(selfRegConfig, targetOrg);
+    }
+  }
+
   if (doData) {
     // Prepare data for uniqueness (run before import so repeat imports don't conflict)
     const prepareScript = resolve(__dirname, 'prepare-import-unique-fields.js');
@@ -652,17 +1138,15 @@ async function main() {
     if (existsSync(tmpApex)) unlinkSync(tmpApex);
   }
 
-  if (!skipGraphql || !skipUIBundleBuild) {
-    run('UI Bundle npm install', 'npm', ['install'], { cwd: uiBundleDir });
-  }
-
   if (!skipGraphql) {
+    run('UI Bundle npm install', 'npm', ['install'], { cwd: uiBundleDir });
     run('Set default org for schema', 'sf', ['config', 'set', 'target-org', targetOrg, '--global']);
     run('GraphQL schema (introspect)', 'npm', ['run', 'graphql:schema'], { cwd: uiBundleDir });
     run('GraphQL codegen', 'npm', ['run', 'graphql:codegen'], { cwd: uiBundleDir });
-  }
-
-  if (!skipUIBundleBuild) {
+    run('UI Bundle build (post-codegen)', 'npm', ['run', 'build'], { cwd: uiBundleDir });
+  } else if (!skipUIBundleBuild && skipDeploy) {
+    // Only build here if the pre-deploy build didn't already run
+    run('UI Bundle npm install', 'npm', ['install'], { cwd: uiBundleDir });
     run('UI Bundle build', 'npm', ['run', 'build'], { cwd: uiBundleDir });
   }