"use client"; /** * CloudOnboardingWizard — shared 5-step federated-first wizard. * * Same component drives AWS / Azure / GCP / Cloudflare onboarding; * the cloud-specific shape comes from `schemas.ts`. Steps: * * 1. Choose cloud + auth method (locked to the federated default). * 2. Bootstrap artifacts — server returns trust policy / WIF / * federated-credential JSON / scoped-token-template + 1-click * IaC link. Operator applies on the customer's cloud. * 3. Validate identity — read-only caller-identity probe. * 4. Validate permissions — read-only dry-run permission preview. * 5. Connect — persists the resolved record. * * The wizard never echoes the raw token / federated-credential JSON / * trust-policy back to the operator after submission; only metadata * (caller ARN, subscription id, project id, token id, audit_run_id) * crosses the BFF boundary. */ import { useMutation } from "@tanstack/react-query"; import { useMemo, useState } from "react"; import { type AdminApiError, adminApi, type CloudBootstrapResult, type CloudConnectResult, type CloudEnumerateResult, type CloudIdentityResult, type CloudKind, type CloudPermissionResult, } from "@/lib/api/client"; import { CLOUD_SCHEMAS, type CloudSchema, type FieldSchema } from "./schemas"; export type CloudOnboardingWizardProps = { cloudKind: CloudKind; orgId: string; onConnected?: () => void; }; type Step = 1 | 2 | 3 | 4 | 5; type FormState = Record; export function CloudOnboardingWizard({ cloudKind, orgId, onConnected, }: CloudOnboardingWizardProps) { const schema = CLOUD_SCHEMAS[cloudKind]; const [step, setStep] = useState(1); const [form, setForm] = useState({}); const [validationError, setValidationError] = useState(null); const bootstrap = useMutation< CloudBootstrapResult, AdminApiError | Error, Record >({ mutationFn: (body) => adminApi.cloudBootstrap(orgId, cloudKind, body), onSuccess: () => { setValidationError(null); setStep(3); }, onError: (err) => setValidationError(err.message), }); const identity = useMutation< CloudIdentityResult, AdminApiError | Error, Record >({ mutationFn: (body) => adminApi.cloudValidateIdentity(orgId, cloudKind, body), onError: (err) => setValidationError(err.message), }); const permissions = useMutation< CloudPermissionResult, AdminApiError | Error, Record >({ mutationFn: (body) => adminApi.cloudValidatePermissions(orgId, cloudKind, body), onError: (err) => setValidationError(err.message), }); const enumerateMut = useMutation< CloudEnumerateResult, AdminApiError | Error, Record >({ mutationFn: (body) => adminApi.cloudEnumerate(orgId, cloudKind, body), onError: (err) => setValidationError(err.message), }); const connect = useMutation< CloudConnectResult, AdminApiError | Error, Record >({ mutationFn: (body) => adminApi.cloudConnect(orgId, cloudKind, body), onSuccess: () => { setValidationError(null); onConnected?.(); }, onError: (err) => setValidationError(err.message), }); const bootstrapBody = useMemo(() => onlyBootstrapFields(schema, form), [ schema, form, ]); const validateBody = useMemo(() => onlyStepFields(schema, form, "validate"), [ schema, form, ]); const connectBody = useMemo(() => onlyStepFields(schema, form, "connect"), [ schema, form, ]); function onBootstrap() { if (!requireAll(schema.bootstrapFields, form, setValidationError)) return; bootstrap.mutate(bootstrapBody); } function onValidateIdentity() { if (!requireValidationInputs(schema, form, setValidationError)) return; identity.mutate(validateBody); } function onValidatePermissions() { if (!identity.data?.ok) { setValidationError("Validate identity first."); return; } permissions.mutate(validateBody); } function onEnumerate() { enumerateMut.mutate(validateBody); } function onConnect() { if (!identity.data?.ok) { setValidationError("Validate identity before connecting."); return; } if (!requireConnectInputs(schema, form, setValidationError)) return; connect.mutate({ ...connectBody, ...validateBody }); } return (

{schema.label} cloud connection

Federated-first onboarding for{" "} {orgId} . {schema.description}

Auth method:{" "} {schema.authMethodLabel} ·{" "} Why this auth method?

{num} {label}

{step === 1 ? setStep(2)} /> : null} {step === 2 ? ( setStep(1)} onSubmit={onBootstrap} bootstrapResult={bootstrap.data} isLoading={bootstrap.isPending} /> ) : null} {step === 3 ? ( setStep(2)} onSubmit={onValidateIdentity} identityResult={identity.data} isLoading={identity.isPending} onNext={() => setStep(4)} /> ) : null} {step === 4 ? ( setStep(3)} onNext={() => setStep(5)} /> ) : null} {step === 5 ? ( setStep(4)} onSubmit={onConnect} connectResult={connect.data} isLoading={connect.isPending} /> ) : null} {validationError ? (

{validationError}

) : null}

); } // --------------------------------------------------------------------------- // Step components // --------------------------------------------------------------------------- function Step1({ schema, onNext, }: { schema: CloudSchema; onNext: () => void; }) { return (

Auth method: {schema.authMethodLabel}

{schema.description}

); } function Step2({ schema, form, onChange, onBack, onSubmit, bootstrapResult, isLoading, }: { schema: CloudSchema; form: FormState; onChange: (form: FormState) => void; onBack: () => void; onSubmit: () => void; bootstrapResult: CloudBootstrapResult | undefined; isLoading: boolean; }) { return (

{schema.bootstrapFields.length > 0 ? ( ) : (

No additional inputs required for the bootstrap step on {schema.label}.

)} {bootstrapResult ? ( ) : null}

); } function Step3({ schema, form, onChange, onBack, onSubmit, identityResult, isLoading, onNext, }: { schema: CloudSchema; form: FormState; onChange: (form: FormState) => void; onBack: () => void; onSubmit: () => void; identityResult: CloudIdentityResult | undefined; isLoading: boolean; onNext: () => void; }) { const fields = schema.validateFields.filter((f) => (f.showOn ?? ["validate"]).includes("validate"), ); return (

{identityResult ? ( ) : null}

); } function Step4({ permissionsResult, enumerateResult, isPermissionsLoading, isEnumerateLoading, onValidate, onEnumerate, onBack, onNext, }: { permissionsResult: CloudPermissionResult | undefined; enumerateResult: CloudEnumerateResult | undefined; isPermissionsLoading: boolean; isEnumerateLoading: boolean; onValidate: () => void; onEnumerate: () => void; onBack: () => void; onNext: () => void; }) { return (

Permissions preview

{permissionsResult ? ( ) : (

No preview yet — run the dry-run check.

)}

Resource enumeration

{enumerateResult ? ( ) : (

No listing yet — enumerate to populate dropdowns.

)}

); } function Step5({ schema, form, onChange, onBack, onSubmit, connectResult, isLoading, }: { schema: CloudSchema; form: FormState; onChange: (form: FormState) => void; onBack: () => void; onSubmit: () => void; connectResult: CloudConnectResult | undefined; isLoading: boolean; }) { const fields = schema.validateFields.filter((f) => (f.showOn ?? []).includes("connect"), ); return (

{connectResult ? (

Connected

credential_key: {connectResult.integration.credential_key}
namespace: {connectResult.integration.namespace}
status: {connectResult.integration.status}
audit_run_id: {connectResult.audit_run_id ?? "—"}

) : null}

); } // --------------------------------------------------------------------------- // Preview blocks // --------------------------------------------------------------------------- function BootstrapPreview({ result }: { result: CloudBootstrapResult }) { return (

Next step

{result.next_step}

{result.external_id ? (

External id


            {result.external_id}

) : null} {Object.entries(result.templates).map(([name, body]) => (

{name}

            {body}

))} {Object.entries(result.cli_commands).map(([name, cmd]) => (

{name}

            {cmd}

))} {Object.entries(result.iac_links).length > 0 ? (

Quick links

{name}

) : null}

); } function IdentityPreview({ result }: { result: CloudIdentityResult }) { return (

Identity probe: {result.ok ? "ok" : "failed"}

{result.error ?

{result.error}

: null}

{k}: {String(v ?? "—")}

); } function PermissionPreview({ result }: { result: CloudPermissionResult }) { if (result.error) { return (

Error: {result.error}

); } return (

Status:{" "} {result.ok ? "all required granted" : "missing required scopes"}

{result.allowed.length > 0 ? (

Allowed:{" "} {result.allowed.join(", ")}

) : null} {result.denied.length > 0 ? (

Denied:{" "} {result.denied.join(", ")}

) : null} {result.missing_required.length > 0 ? (

Missing required:{" "} {result.missing_required.join(", ")}

) : null}

); } function EnumeratePreview({ result }: { result: CloudEnumerateResult }) { if (result.error) { return

Error: {result.error}

; } const entries = Object.entries(result.resources); if (entries.length === 0) { return

No resources listed.

; } return (

{entries.map(([group, items]) => (

{group} ({items.length})

{JSON.stringify(item)}
…and {items.length - 5} more

))}

); } // --------------------------------------------------------------------------- // Shared field helpers // --------------------------------------------------------------------------- function FieldGrid({ schemaFields, form, onChange, }: { schemaFields: FieldSchema[]; form: FormState; onChange: (form: FormState) => void; }) { if (schemaFields.length === 0) return null; return (

{schemaFields.map((field) => ( ))}

); } function Field({ field, form, onChange, }: { field: FieldSchema; form: FormState; onChange: (form: FormState) => void; }) { const value = form[field.name] ?? ""; function setValue(next: string) { onChange({ ...form, [field.name]: next }); } return (

{field.label} {field.required ? * : null}

{field.type === "select" ? ( ) : field.type === "textarea" ? (

setValue(e.target.value)}
        />
      ) : (
        <input
          className="w-full rounded border px-3 py-2 text-sm"
          placeholder={field.placeholder}
          value={value}
          onChange={(e) => setValue(e.target.value)}
        />
      )}
      {field.hint ? (
        <div className="text-[11px] text-muted-foreground">{field.hint}</div>
      ) : null}
    </label>
  );
}

// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------

function requireValidationInputs(
  schema: CloudSchema,
  form: FormState,
  setError: (msg: string | null) => void,
): boolean {
  return requireAll(
    schema.validateFields.filter((f) =>
      (f.showOn ?? ["validate"]).includes("validate"),
    ),
    form,
    setError,
  );
}

function requireConnectInputs(
  schema: CloudSchema,
  form: FormState,
  setError: (msg: string | null) => void,
): boolean {
  return requireAll(
    schema.validateFields.filter((f) =>
      (f.showOn ?? []).includes("connect"),
    ),
    form,
    setError,
  );
}

// React Fragment helper — keeps the JSX clean.
function Fragment({
  children,
}: {
  // biome-ignore lint/suspicious/noExplicitAny: structural pass-through
  children: any;
}) {
  return <>{children}</>;
}

export default CloudOnboardingWizard;