Power Apps Code Apps

🗺️ Template to Production — in 10 Steps

From clicking Use this template on GitHub to promoting through Power Platform Pipelines, every Foundations team follows the same proven path. One picture says it all.

Power Apps Code Apps Foundations — From Template to Production: a 10-step journey showing Use the Template, Run the Wizard, Sample App Live, Plan Mode in VS Code, Agent Mode Builds the POC, Connect Connectors, Bind to Dataverse, Test, Share & Collaborate, and Promote with Pipelines.

The rest of this guide explains how — section by section.

Start Here

The README and the Guide describe the same workflow. Pick the format that matches how you want to onboard.

📝

Start in the README

Use the concise text version if you want the shortest path through cloning, running the wizard, and understanding the repo structure.

Open README.md

🧭

Stay in the Guide

Use this page if you want the same procedure with richer context, step breakdowns, portal links, and operational cautions in one place.

Jump to the setup wizard

🔁

Need the Full Delivery Path?

Use the prototype-first golden path when you want the end-to-end sequence from business planning through schema hardening and real providers.

Open the prototype-first golden path

What's Inside

The repo contains instruction files, helper scripts, and a setup wizard that work together.

PAppsCAFoundations/ ├── .github/ │ └── instructions/ # Canonical coding-agent instructions │ ├── 00-before-you-start.instructions.md # Publisher, environments, solution │ ├── 00-environment-setup.instructions.md # App Registration, auth, 1Password │ ├── 00a-business-problem-decomposition.instructions.md # Turn freeform business narratives into planning inputs │ ├── 00b-scope-refinement-and-solution-shaping.instructions.md # Refine workflows, automation, Teams, reporting, governance │ ├── 00c-solution-concept-to-dataverse-plan.instructions.md # Bridge refined scope into Dataverse planning │ ├── 00d-prototype-validation.instructions.md # Validate UX with mock data before schema hardens │ ├── 01-scaffold.instructions.md # Project structure, tech stack │ ├── 02-connectors.instructions.md # Dataverse, SQL, O365, Custom APIs │ ├── 03-components.instructions.md # React + Fluent UI v9 patterns │ ├── 04-deployment.instructions.md # CI/CD, pac code push, ALM │ ├── 05-testing.instructions.md # Vitest, Playwright, MSW │ ├── 06-security.instructions.md # Auth, secrets, DLP, validation │ ├── 07-dataverse-schema.instructions.md # Tables, columns, option sets │ └── 08-copilot-studio.instructions.md # Copilot Studio agent integration ├── docs/ │ ├── index.html # Marketing landing page (high-level overview) │ ├── guide.html # Interactive visual setup guide (this page) │ └── prototype-golden-path.md # End-to-end delivery from planning to real providers ├── scripts/ │ ├── decrypt-secret.mjs # Decrypt AES-256-GCM secrets from .env.local │ ├── discover-copilot-connection.mjs # Cross-platform Copilot Studio connection discovery │ ├── discover-copilot-connection.sh # Resolve Copilot Studio connection IDs │ ├── export-solution.mjs # Export unmanaged, refresh solution-source, pack managed │ ├── generate-dataverse-plan.mjs # Expand planning payloads into execution plans │ ├── op-pac.mjs # Cross-platform 1Password wrapper for pac │ ├── op-pac.sh # Legacy Bash wrapper for pac │ ├── pac-safe.mjs # Safe pac wrapper with version and profile guards │ ├── patch-datasources-info.mjs # Patch datasources-info.json after changes │ ├── pre-commit-hook.sh # Block accidental secret commits │ ├── register-dataverse-data-sources.mjs # Register Dataverse tables via PAC │ ├── register-dataverse-data-sources.sh # Bash wrapper for table registration │ ├── schema-plan.example.json # Starter Dataverse planning artifact │ ├── seed-prototype-assets.mjs # Generate contracts, mock providers, feedback artifacts │ ├── setup-auth.mjs # Cross-platform auth setup (1Password or .env.local) │ ├── setup-auth.sh # Legacy Bash auth setup │ ├── setup-wizard.sh # Bash wrapper to the Node wizard │ ├── sync-foundations.mjs # Cross-platform template sync entry point │ ├── sync-foundations.sh # Pull latest from template repo │ ├── validate-schema-plan.mjs # Validate planning payloads before provisioning │ └── tests/ # Unit tests for scripts ├── wizard/ # ← THE MAIN EVENT │ ├── index.mjs # Cross-platform Node.js setup wizard │ ├── lib/ # Shared helpers (state, UI, shell) │ └── steps/ # 9 step modules ├── solution/ # Power Platform solution artifacts ├── .env # 1Password references (safe to commit) ├── .env.template # Template for non-1Password teams ├── .foundations-version.json # Bundle/version metadata for downstream syncs ├── .gitignore └── README.md

📋

14 Instruction Files — 4 Agents

Native guidance for GitHub Copilot, Claude Code, Cursor, and Codex. Each agent reads the same rules in its own format. The canonical source lives in .github/instructions/; Claude, Cursor, and Codex projections are generated from it.

🧠

Narrative-First Planning

Optional, but high leverage. If the app idea is still taking shape, this planning layer helps your coding agent decompose the business narrative, challenge gaps, and refine scope before schema and connectors harden.

🧙

Setup Wizard

One script, 9 steps, zero guesswork. Creates publisher and solution via API, sets up auth, scaffolds your app, adds a dedicated connector-binding pass, and deploys from the terminal.

🔐

Auth Scripts

1Password integration or .env.local fallback. Client secrets are encrypted at rest with AES-256-GCM. Service Principal auth means no browser popups — locally or in CI/CD.

🔄

Sync Foundations

Pull the latest instruction files, wizard updates, and security patches from the template repo with npm run sync:foundations. Your project code is never touched.

Before scaffolding? If you haven't run Step 7 yet, there's no root package.json and npm run won't work. Use bash scripts/sync-foundations.sh or node scripts/sync-foundations.mjs directly instead.

🔗

How agent guidance stays in sync

Every coding agent needs its instructions in a different format, but the underlying rules must be identical. Foundations solves this with a single canonical source → multiple generated projections model:

Canonical source — .github/instructions/*.instructions.md (Copilot-native format) plus the hand-authored root AGENTS.md.
Generated projections — A manifest (agent-guidance.config.json) maps each canonical file to its Claude (.claude/rules/), Cursor (.cursor/rules/), and Codex (nested AGENTS.md) equivalents.
Drift prevention — npm run guidance:check fails if any projected file is missing or unmarked. npm run guidance:generate regenerates all projections.

The rule: edit the canonical .github/instructions/ files, then run npm run guidance:generate. Never edit projected files directly — they carry a "do not edit" marker and will be overwritten.

Required Tech Stack

Every Code App uses this exact stack. No substitutions without team lead approval.

Layer	Choice	Version	Why
Language	TypeScript	5.x	Type safety across codebase + connector models
UI Framework	React	18.x	Microsoft-recommended; all official samples target React
Design System	Fluent UI v9	`@fluentui/react-components`	Native Microsoft look; matches Power Platform chrome
Bundler	Vite	5.x	Fast HMR; official templates use Vite
Server State	TanStack Query	v5	Caching, deduplication, background refresh for connectors
Routing	React Router	v6	Nested layouts, data loaders
Power Apps SDK	`@microsoft/power-apps`	^1.0.3	Connector access, auth context
CLI	PAC CLI	latest (not 2.3.2)	Scaffold, add data sources, deploy
Editor	VS Code / Cursor	Latest	Or any editor with coding-agent support
Coding Agent	Copilot / Claude / Cursor / Codex	—	Any LLM-backed agent reads the repo's native guidance

TypeScript 5 React 18 Fluent UI v9 Vite 5 TanStack Query v5 React Router v6 Vitest Playwright MSW

Narrative-First Planning Layer

Use this when the business problem is still being worked out and you want the eventual app to be more than a fast scaffold.

🧠

This is optional, but it is part of the formula for a top-notch app. If the user already knows exactly what they are building, the wizard can get them moving quickly. If the problem, workflows, approvals, reporting, Teams touchpoints, or Microsoft Copilot Studio usage are still emerging, the planning layer helps your coding agent refine the scope before schema and connectors become expensive to change. The new prototype checkpoint sits between conceptual planning and Dataverse provisioning so the UX can influence the final data model.

1

Decompose the Narrative

Your coding agent starts from the user's freeform description, identifies goals, actors, workflows, outputs, constraints, and unknowns, then asks only the most useful follow-up questions.

00a-business-problem-decomposition.instructions.md

2

Refine the Scope

Your agent challenges for exception paths, validations, approvals, automation, Teams, Microsoft 365 outputs, reporting, governance, and Microsoft Copilot Studio placement decisions.

00b-scope-refinement-and-solution-shaping.instructions.md

3

Convert to Technical Planning

Once the scope is stable, your agent derives candidate entities, relationships, ownership patterns, and lifecycle states, then hands off into the Dataverse planning artifact workflow.

00c-solution-concept-to-dataverse-plan.instructions.md

4

Prototype Before Schema

Generate domain contracts and mock providers from the planning payload, build the UX in prototype mode, and capture what that prototype changes in the eventual schema.

00d-prototype-validation.instructions.md

✅

Use the wizard to get operational fast. Use the planning layer to get the business fit right. Together, they help teams avoid premature schema decisions, guessed connectors, weak approval models, and late-stage rework.

Open the prototype-first golden path

⚠️

Expected methodology: the initial wizard run scaffolds the app and seeds prototype assets. It does not assume you already know the connector mix or the correct connection IDs. Real connector binding is a later step after the prototype has influenced the planning payload.

⚠️ Enable Code Apps in Your Environment

This is a prerequisite. Without it, pac code push will fail with "does not allow this operation for this Code app."

🚨

You MUST do this before your first push. Code Apps are disabled by default in Power Platform environments. If you skip this step, the first pac code push will fail even with correct auth.

Steps

Open ↗ admin.powerplatform.microsoft.com
Select your development environment
Go to Settings → Features
Find "Code components for canvas apps" → toggle ON
Find "Allow publishing of canvas apps with code components" → toggle ON
Click Save
Wait ~1 minute for the setting to propagate

ℹ️

Repeat for each environment (Dev, Test, Prod) where you want to deploy Code Apps. You only need to do this once per environment — the setting persists.

Auth for `pac code push`

pac code push requires a user auth profile — the BAP checkAccess API rejects SPN tokens. This is a one-time setup: create a user profile via device-code sign-in, and all subsequent pushes work silently. PAC CLI caches a refresh token that auto-renews (~90 days).

For CI/CD to test/production, use solution export/import instead of pac code push. Solution export and import both accept SPN auth and deploy the Code App, tables, connection references, and security roles as one atomic unit. See the deployment instructions for the full pipeline.

The Setup Wizard

This is the same quick-start flow described in the README. For non-trivial apps, pair it with the planning layer and prototype checkpoint before locking in schema and connectors.

✅

Step 1 — Get the code (pick one):

Recommended: Click "Use this template" on GitHub → create your repo → git clone https://github.com/your-org/my-app.git
Quick explore: npx degit martycarreras-psnl/PAppsCAFoundations my-app

Step 2 — Run the wizard — pick the experience you prefer:

Terminal wizard (the original):

cd my-app/wizard && npm install && node index.mjs

✨ Browser wizard (new) — same flow, beautiful Fluent UI experience at http://127.0.0.1:5174:

cd my-app && npm run wizard:ux

Both wizards share .wizard-state.json, so you can switch between them at any time without losing progress. Steps that need interactive auth or long-running CLI sessions show a one-click "copy command" handoff in the browser version.

Works on Windows, macOS, and Linux.
The wizard saves your progress — quit with Ctrl+C and pick up where you left off. Reset with --reset.

Want a stronger business fit? After the wizard gives you a working foundation, use the narrative-first planning instructions and prototype checkpoint before finalizing Dataverse schema, connectors, approvals, or agent behavior.

⚠ Do not git clone the template repo directly — that leaves origin pointing to PAppsCAFoundations instead of your own repo.

Browser wizard home page showing the nine-step grid: Prerequisites, Project & Environment, App Registration, PAC Auth Profiles, Publisher, Solution, Scaffold the Code App, Bind Connectors, and Verify & Deploy. — The browser wizard at `http://127.0.0.1:5174` — nine self-contained, re-runnable steps. Smart paste means you can drop a Maker Portal connection URL straight in and the wizard pulls the connector apiId and the connection GUID out for you.

🔍

Steps 1–2

Check tools, name project & environments

🔐

Steps 3–4

App Registration & auth setup

🌐

Steps 5–6

Publisher & solution (auto via API)

🚀

Steps 7–9

Scaffold, bind connectors, build & deploy

All 9 Wizard Steps

Expand each step to see what happens and what you'll need.

The wizard checks for required tools and offers to install missing ones:

Editor — VS Code (Install), Cursor, or any editor with coding-agent support
Coding Agent — GitHub Copilot, Claude Code, Cursor, Codex, or another LLM-backed agent (see below)
Node.js 20+ — Install
Git — Install
.NET SDK — Install
PAC CLI — The wizard will install it automatically via dotnet tool install -g Microsoft.PowerApps.CLI.Tool if missing
1Password CLI (optional) — Install

💡

Tip: Once your editor and coding agent are set up, you can ask the agent to install the remaining prerequisites (Node.js, Git, .NET SDK, PAC CLI) for you — it can run the install commands directly in the integrated terminal.

🤖

Coding agent options: GitHub Copilot (uses OpenAI or Azure OpenAI models), Claude Code (Anthropic's Claude via direct API or Azure AI Foundry), Cursor (built-in agent), Codex (OpenAI via ChatGPT subscription or API), or any agent backed by Azure OpenAI, Azure AI Foundry, or a direct paid LLM API. The repo ships native guidance for all of them.

⚠️

PAC CLI version 2.3.2 has a known bug that breaks pac code push. The wizard detects this and helps you downgrade.

The wizard prompts you for your app name and environment URLs:

Value	Example	Notes
App name	My Brain	Display name, any characters
Dev environment URL	`https://org-dev.crm.dynamics.com`	Required. Must have Dataverse enabled.
Test environment URL	`https://org-test.crm.dynamics.com`	Optional — press Enter to skip
Prod environment URL	`https://org.crm.dynamics.com`	Optional — press Enter to skip

If you don't have a development environment yet, create one first:

Open ↗ admin.powerplatform.microsoft.com → Environments → + New
Name it Your App - Dev, type Developer or Sandbox
Toggle "Add Dataverse" to YES (required!)
Copy the Environment URL after provisioning

🚨

Don't forget to enable Code Apps! In the Admin Center → your environment → Settings → Features → turn on "Code components for canvas apps" and "Allow publishing of canvas apps with code components".

This step collects your Azure App Registration credentials. If you use 1Password, the wizard detects it and tries to pull credentials automatically.

1Password Users (fastest path)

If the op CLI is detected, the wizard asks for your vault and item name, then reads tenant-id, app-id, and client-secret directly from 1Password. If all three are found, you skip all manual entry.

✅

Expected 1Password item fields:

tenant-id (Text) — your Azure Directory ID
app-id (Text) — your App Registration Client ID
client-secret (Password) — your App Registration secret
env-dev (Text) — your Dev environment URL
env-test (Text, optional) — Test environment URL
env-prod (Text, optional) — Prod environment URL

If the item doesn't exist yet, the wizard will collect values manually and offer to create the 1Password item for you.

Manual Path (no 1Password, or partial credentials)

If 1Password isn't available, or some fields are missing, the wizard guides you through creating the App Registration:

A. Create Azure App Registration

Open ↗ Azure Portal — App registrations
Click + New registration
Name: PowerApps-CodeApps-YourApp, Single tenant
Copy Application (client) ID and Directory (tenant) ID
Go to Certificates & secrets → + New client secret
Copy the secret value immediately — shown only once!
Go to API permissions → + Add → Dataverse → user_impersonation
Click Grant admin consent

B. Register as Application User

Open ↗ admin.powerplatform.microsoft.com
Select environment → Settings → Users + permissions → Application users
+ New app user → search for your App Registration → assign System Administrator role

ℹ️

The secret is held in memory only — never written to disk in plain text. If you entered values manually and use 1Password, the wizard offers to save them to your vault before proceeding.

The wizard takes the credentials from Step 3 and handles everything:

If you chose 1Password in Step 3, the storage mode and vault/item are already set — no repeated questions
Otherwise, choose 1Password or .env.local for secret storage
Writes credential files (op:// references or encrypted values)
Ensures .env.local is in .gitignore
Creates repo-scoped PAC auth profiles for each environment instead of machine-global Dev/Test/Prod names
Runs pac org who to verify the selected profile matches the wizard target environment and should show your App Registration name, not a human user
Installs a pre-commit hook to prevent accidental secret leaks

✅

After this step, all pac commands work without any browser popup. SPN auth is used for Dataverse API calls, publisher/solution creation, and CI/CD (solution export/import). pac code commands (push, add-data-source) need a user profile — created once via the wizard (one-time sign-in, then silent). The wizard handles this automatically in the later connected-mode steps.

The wizard queries Dataverse directly to find existing publishers or create a new one — no Maker Portal visit needed.

Lists all existing publishers in the environment via Dataverse Web API
Lets you select an existing publisher or create a new one
If creating new: prompts for prefix, display name, and internal name
Creates the publisher via API with all required properties
Records the Choice value prefix automatically

Value	Example	Rules
Publisher prefix	mybrn	2–8 lowercase letters only. Cannot change later.
Publisher display name	My Brain Engineering	Human-readable
Publisher internal name	mybrainengineering	Lowercase, no spaces

🚨

The publisher prefix is the most consequential naming decision. It prefixes every Dataverse table, column, option set, environment variable, and security role. It cannot be changed after data exists.

Like the publisher step, the wizard creates or selects a solution via Dataverse Web API — no Maker Portal visit needed.

Lists all existing unmanaged solutions in the environment
Lets you select an existing solution or create a new one
If creating new: prompts for display name and unique name
Creates the solution via API, bound to your publisher from Step 5

Value	Example	Notes
Solution display name	My Brain	Shown in the Maker Portal solution list
Solution unique name	MyBrain	No spaces. Used in CLI commands and API calls.

The wizard creates a complete, ready-to-develop project:

Downloads the official starter template (or creates a minimal fallback)
Installs all dependencies (React, Fluent UI v9, TanStack Query, @microsoft/power-apps)
Writes tsconfig.json with moduleResolution: "bundler"
Writes vite.config.ts with port 3000, @/ path alias, and relative base path for deploy
Creates the full folder structure (components, pages, hooks, utils, tests, etc.)
Writes starter files: main.tsx, App.tsx with Fluent UI + TanStack Query providers
Writes vitest.config.ts with jsdom, jest-dom matchers, @/ alias, and coverage thresholds
Creates smoke test infrastructure: tests/setup/setup.ts, tests/setup/test-utils.tsx (custom render with all providers), and src/App.test.tsx
Runs npm run test:smoke automatically to verify the scaffold is healthy before proceeding
Copies all instruction files and agent-native guidance (.claude/rules/, .cursor/rules/, nested AGENTS.md) from the foundations repo
Includes the narrative-first planning instructions so you can refine the business scope before hardening schema and connector choices
Seeds prototype contracts, mock providers, and dataverse/prototype-feedback.md from the planning payload
Runs pac code init to register the app in Power Platform
Defers connector setup by default so the team can prototype before binding real systems
Initializes Git repo, detects or prompts for remote URL, makes initial commit
Generates a project-specific README (replaces the template README)

✅

Smoke tests pass from day one. Every scaffold includes vitest.config.ts, a test setup with provider wrappers, and src/App.test.tsx with three smoke tests. The wizard runs npm run test:smoke automatically during this step — if they pass, your scaffold is verified healthy. You can re-run anytime with npm run test:smoke or npm run test.

Connector & Data Source Setup

The initial scaffold no longer asks for connector IDs up front. The intended flow is to return later once the planning payload and prototype are stable enough to bind real systems.

# Terminal wizard:
node wizard/index.mjs --from 8

# Browser wizard — navigate to Step 8 (Bind Connectors):
npm run wizard:ux

🚨

pac code commands need a user auth profile (not SPN). The wizard detects SPN auth and automatically switches to a user profile before running pac code add-data-source. This user profile only needs to be created once — subsequent calls work silently.

When you do re-run connector setup, the wizard first tries pac connection list, filters to the selected connector API ID, and lets you choose from discovered connections. Manual Connection ID entry is only the fallback.

How to Get Connection IDs

You must create connections before adding them as data sources. See the Creating Connections section below for step-by-step instructions. Once they exist, the later wizard connector flow can often discover them for you.

⚠️

If your app concept is still evolving, do not treat Step 7 as permission to guess at tables, workflows, or connectors. Use prototype mode and the feedback artifact first, then bind connectors after the planning payload is stable.

This is the first connected-mode step. Run it only after the planning payload and prototype are stable enough that connector choices are no longer guesses.

Presents a checklist of the seven most common connectors (Office 365 Users, SharePoint, Dataverse, SQL, Teams, Blob, Outlook)
Then loops on "Add another connector by URL or apiId (blank to finish)" — paste any Maker Portal connection URL or a bare shared_xxx apiId, including custom connectors and connectors not on the shortlist
Creates solution-level connection references for the connectors you actually chose
Runs pac connection list and filters matches to the selected connector API ID
Lets you select an existing connection when matches are found
Falls back to manual Connection ID entry only when discovery does not find a usable match
Adds the selected data sources to the Code App so generated services can be produced later

✨

Smart paste — never hand-edit a URL again. Paste a Maker Portal connection-details URL like .../connections/shared_office365users/<GUID>/details and the wizard extracts both the connector apiId and the connection GUID in one shot — no separate Connection-ID prompt for that connector. Pasting just a bare GUID still works, and bare apiIds (e.g. shared_approvals) skip the URL entirely and go straight to connection-ID resolution. Environment URLs are similarly tolerant — paste straight from PPAC, with or without https://.

⚠️

This step uses a user auth profile for pac code add-data-source. The wizard switches from SPN automatically when needed. If the profile already exists, no sign-in is required.

The wizard runs:

npm run build — verifies dist/index.html exists
Checks power.config.json for appId to determine first vs. subsequent push
First push: Creates a user auth profile via browser sign-in (one-time)
Subsequent pushes: Work silently — the cached refresh token auto-renews (~90 days)
Offers to deploy through the verified PAC flow instead of trusting the active machine profile

⚠️

Make sure you've enabled Code Apps in the environment before your first push (Settings → Features → "Code components for canvas apps"), or it will fail.

Then displays a complete summary of everything that was set up and what to do next:

cd ../your-app
npm run dev:local    ← prototype with mock providers
npm run prototype:seed ← refresh prototype assets after editing the planning payload
npm run dev          ← connected mode once real providers exist
node wizard/index.mjs --from 8 ← bind real connectors when ready
npm run deploy       ← deploy changes after the app has been registered

Creating Connections

Before moving from prototype mode into connected mode, create the actual connection instances in the Maker Portal.

A connection reference (created by the wizard in your solution) is a pointer that says "this app uses the Office 365 Users connector." The connection is the authenticated instance — the actual credential that makes it work. You need both.

Step-by-Step: Create a Connection

Go to ↗ make.powerapps.com and select your development environment
In the left nav, click Connections (under Data, or directly at make.powerapps.com/environments/<env-id>/connections)
Click + New connection
Search for the connector (e.g. Office 365 Users) and click it
Click Create and authenticate when prompted
Once created, click the connection to open its details

Copy the Connection ID from the browser URL — it's the GUID at the end:

https://make.powerapps.com/environments/xxx/connections/shared_office365users/160ffdfd-aff5-4740-86a8-47209c1c608c/details

Common Connectors

Connector	API ID (for pac CLI)
Dataverse	`dataverse` (uses `-t <table>` instead of `-c`)
Office 365 Users	`shared_office365users`
SharePoint	`shared_sharepointonline`
Office 365 Outlook	`shared_office365`
Microsoft Teams	`shared_teams`
SQL Server	`shared_sql`
Azure Blob Storage	`shared_azureblob`

Adding Data Sources (After Getting Connection IDs)

Preferred path: rerun the wizard when you are ready to connect real data.

# Terminal wizard:
node wizard/index.mjs --from 8

# Or use the browser wizard — navigate to Step 8:
npm run wizard:ux

The wizard will create the solution-level connection references, try to discover existing environment connections with pac connection list, and let you select one when matches are found.

# Dataverse tables (no connection ID needed):
pac code add-data-source -a dataverse -t myprefix_project

# Non-Dataverse connectors (connection ID required):
pac code add-data-source -a shared_office365users -c 160ffdfd-aff5-4740-86a8-47209c1c608c
pac code add-data-source -a shared_sharepointonline -c <YOUR_CONNECTION_ID>

🚨

Requires a user auth profile (SPN is not supported for pac code commands). Create one once — it works silently after that:

pac auth create --name pp-myrepo-d-u-1a2b3c4d --environment https://org-dev.crm.dynamics.com --deviceCode
pac auth select --name pp-myrepo-d-u-1a2b3c4d

ℹ️

Connections are environment-specific. You need a separate connection (and Connection ID) for dev, test, and prod. Create them in each environment before deploying your solution there.

Portal Quick Links

Portals you may need during setup (Step 3 App Registration is the main manual step).

Power Apps Maker Portal

View your solution, tables, and connections. Publishers and solutions are created automatically by the wizard.

↗ make.powerapps.com

Power Platform Admin Center

Create environments, register Application Users, manage settings.

↗ admin.powerplatform.microsoft.com

Azure Portal — App Registrations

Create Service Principal, client secrets, API permissions.

↗ Azure App Registrations

Azure Portal — Entra ID

Manage tenant, users, enterprise applications, admin consent.

↗ Entra ID (Azure AD)

Local Development with Vite

Two modes: Prototype (mock providers, no Power Platform) and Connected (real connectors). Always start with Prototype mode.

⚡

Prototype Mode

Vite only. Domain contracts plus mock providers. No auth, no connections, no Power Platform needed. Build UI fast and let the UX challenge the data model.

npm run dev:local

🔗

Connected Mode

Vite + pac code run. Real connector calls through the Power Platform proxy.

npm run dev

When to Use Each Mode

Phase	Command	What Runs	Data Source
Prototyping / UI	`npm run dev:local`	Vite only	Mock data
Refresh prototype assets	`npm run prototype:seed`	Node script	Planning payload
Integration	`npm run dev`	Vite + `pac code run`	Real connectors
Unit Tests	`npm run test`	Vitest	Mock data (MSW)
E2E Tests	`npm run test:e2e`	Vite + Playwright	Mock data
Production Build	`npm run build`	`tsc` + Vite build	N/A (static)
Deploy	`npm run deploy`	Build + `pac code push`	N/A

Prototype Mode — How It Works

npm run dev:local runs VITE_USE_MOCK=true vite --port 3000. Vite serves your app at http://localhost:3000 with sub-second HMR — save a file, see it instantly. Refresh prototype contracts and mock providers anytime with npm run prototype:seed after editing dataverse/planning-payload.json.

✅

What works: All React components, routing, Fluent UI, TanStack Query hooks (resolving mock promises), form validation, state management, error boundaries, Playwright E2E tests.

⚠️

What doesn't: Real connector calls, PowerProvider context, auth context, connection consent — these require pac code run.

Need the full sequence from planning payload through prototype review to real providers? Open the prototype-first golden path.

Mock Data Pattern

Every hook that calls a connector checks VITE_USE_MOCK to decide whether to return mock data or make a real call:

// src/hooks/useProjects.ts
import { useQuery } from '@tanstack/react-query';
import { mockProjects } from '@/mockData/projects';
import { ProjectService } from '@/generated/services/ProjectService';

const USE_MOCK = import.meta.env.DEV && import.meta.env.VITE_USE_MOCK === 'true';

export function useProjects() {
  return useQuery({
    queryKey: ['projects'],
    queryFn: USE_MOCK
      ? () => Promise.resolve({ data: mockProjects })
      : () => ProjectService.getAll(),
  });
}

Connected Mode — Prerequisites

PAC auth profiles created (pac org who shows org, no popup)
Data source added: pac code add-data-source
At least one data source added with pac code add-data-source so src/generated/ exists
power.config.json exists next to package.json

Vite Configuration

// vite.config.ts
import { defineConfig } from 'vite';
import react from '@vitejs/plugin-react';
import path from 'path';

export default defineConfig(({ command }) => ({
  base: command === 'build' ? './' : '/', // CRITICAL for Code Apps
  plugins: [react()],
  server: {
    port: 3000,          // Required by Power Apps SDK
    strictPort: true,    // Fail if 3000 occupied (don't silently use 3001)
    open: true,          // Auto-open browser
  },
  resolve: {
    alias: { '@': path.resolve(__dirname, './src') },
  },
  build: { outDir: 'dist' },
}));

base: './' is required for production builds. Power Apps serves your bundle from a nested, non-root path. Without relative base, all asset URLs are absolute (/assets/index-abc.js) which 404 → blank screen.

Vite Environment Variables

Only variables prefixed with VITE_ are exposed to client code via import.meta.env. This is a security feature — Power Platform credentials (PP_*) are never leaked to the browser.

Variable	Purpose	Set In
`VITE_USE_MOCK`	Toggle mock data	`dev:local` script or `.env.development`
`VITE_APP_TITLE`	App display name (optional)	`.env` or `.env.development`

Troubleshooting

Problem	Fix
Port 3000 already in use	`lsof -ti:3000 \| xargs kill -9`
`pac code run` fails	Check `pac org who`, avoid PAC v2.3.2, confirm `power.config.json`
HMR not refreshing	Verify `react()` plugin in vite.config.ts, clear cache: `rm -rf node_modules/.vite`
Mock data shape mismatch	Re-run `pac code add-data-source` for the affected table or connector, then compare with `src/generated/models/`

See .github/instructions/01-scaffold.instructions.md for complete Vite config, mock data patterns, and mutation mocking.

Connectors

Code Apps cannot make direct HTTP calls. All data access goes through Power Platform connectors, but connector binding should happen after prototype validation.

🚨

No fetch(). No axios(). No direct HTTP. Code Apps run in a sandbox with connect-src 'none'. If a connector exists for the service, use it — no exceptions.

Adding a Data Source

Recommended order: prototype first, then rerun the wizard from the dedicated connector step once the planning payload is stable.

# Terminal wizard:
node wizard/index.mjs --from 8

# Or use the browser wizard — navigate to Step 8:
npm run wizard:ux

# Dataverse (no connection ID needed):
pac code add-data-source -a dataverse -t myprefix_project

# Non-Dataverse connectors (connection ID required — see Creating Connections):
pac code add-data-source -a shared_office365users -c <CONNECTION_ID>

🚨

pac code commands need a user auth profile (not SPN). Create the profile once, then all subsequent calls work silently. Switch to your repo-scoped user profile for the current environment before running them.

Wrapping Generated Code with TanStack Query

// src/hooks/useProjects.ts
import { useQuery } from '@tanstack/react-query';
import { SqlService } from '@/generated/services/SqlService';

export function useProjects() {
  return useQuery({
    queryKey: ['projects'],
    queryFn: () => SqlService.getProjects(),
    staleTime: 5 * 60 * 1000,  // Connector calls aren't free
  });
}

⚠️

Never edit files in src/generated/. They're auto-generated by the PAC CLI. If you need to extend a type, create a wrapper in src/types/.

See .github/instructions/02-connectors.instructions.md for full patterns including Dataverse OData queries, pagination, and error handling.

Components

React + Fluent UI v9 patterns for consistent, accessible UI.

Key Principles

Functional components only (no class components)
Single responsibility — files under ~150 lines
Fluent UI v9 (@fluentui/react-components) for all controls
Style with makeStyles + design tokens — never raw CSS values
Local state (useState) for UI; Server state (TanStack Query) for data
Colocate tests: ProjectCard/ProjectCard.tsx + ProjectCard.test.tsx

Provider Stack (main.tsx)

<QueryClientProvider>
  <FluentProvider theme={webLightTheme}>
    <BrowserRouter>
      <App />
    </BrowserRouter>
  </FluentProvider>
</QueryClientProvider>

See .github/instructions/03-components.instructions.md for layout patterns, data tables, error boundaries, and accessibility guidance.

Deployment & CI/CD

From local dev to production with GitHub Actions.

Flow

Feature Branch → PR → CI (lint + test + build) → Merge → Deploy to Dev
                                                              ↓
                                          Deploy to Test → Deploy to Prod

Manual Deploy (Dev Only)

⚠️

All pushes require user auth. pac code push is rejected with SPN auth for both first and subsequent pushes. The wizard creates a user profile automatically. For CI/CD, see Enable Code Apps and the deployment instructions for workarounds.

npm run deploy

GitHub Secrets Required

Secret	Description
`PP_APP_ID`	Application (client) ID
`PP_CLIENT_SECRET`	Client secret value
`PP_TENANT_ID`	Directory (tenant) ID

Per-Environment Variable

Variable	Description
`POWER_PLATFORM_URL`	Environment URL (e.g. `https://org-dev.crm.dynamics.com`)

See .github/instructions/04-deployment.instructions.md for CI/CD workflow YAML, solution management, and deployment settings files.

Testing

Vitest for units, Playwright for E2E, MSW for connector mocking.

Vitest + React Testing Library Playwright MSW (Mock Service Worker) v8 coverage (70% threshold)

What to Test

✅ Component rendering with different states
✅ User interactions (clicks, form submissions)
✅ Custom hooks wrapping connectors
✅ Utility functions with business logic
❌ Generated files (src/generated/)
❌ Fluent UI internals

See .github/instructions/05-testing.instructions.md for config files, MSW handler patterns, and CI integration.

Security

Auth is automatic. Your job: don't leak secrets, validate inputs, sanitize output.

🔒

Never hardcode: API keys, tokens, client secrets, connection strings, passwords, or certificates. Use 1Password or .env.local.

Required .gitignore Entries

.env.local
.env.*.local
.pac/
auth.json
node_modules/
dist/
coverage/
.wizard-state.json

Input Validation

// Always validate user inputs
if (/<script/i.test(name)) return 'Invalid characters';
if (name.length > 200) return 'Max 200 characters';

// Never use dangerouslySetInnerHTML with user data
<Text>{project.description}</Text>  // Safe — React escapes

See .github/instructions/06-security.instructions.md for error message guidelines, DLP handling, and code review checklist.

Dataverse Schema

Tables, columns, option sets — and the rules that prevent expensive mistakes.

Golden Rules

Always global option sets — never inline choices
Always use publisher prefix — mybrn_ideastatus, not ideastatus
Option values start at 100000000 — never 0 or 1
Add, don't delete — removing a live option value breaks existing records silently
Create inside the solution — never from the top-level Tables view

Naming Convention

✅  mybrn_ideastatus          (prefix + descriptive, all lowercase)
✅  mybrn_complexitylevel
❌  IdeaStatus                (no prefix — collides)
❌  mybrn_IdeaStatus          (camelCase — use all lowercase)

See .github/instructions/07-dataverse-schema.instructions.md for idempotent setup scripts, column creation patterns, and relationship modeling.

Copilot Studio Agent Integration

Add a conversational AI agent to your Code App using the Microsoft Copilot Studio connector.

ℹ️

Copilot Studio agents are invoked through a Power Platform connector — the same sandbox rules apply. No direct HTTP. The generated CopilotStudioService handles everything.

Setup Steps

Create & publish your agent in ↗ Copilot Studio
Get the agent name from Channels → Web app → connection string (e.g. cr3e1_customerSupportAgent)
Create a connection in make.powerapps.com → Connections → + New → "Microsoft Copilot Studio"

Add the data source:

pac code add-data-source -a "shared_microsoftcopilotstudio" -c <connectionId>

Import & call the generated service in your React code

Invoking the Agent

🚨

Always use ExecuteCopilotAsyncV2. The other methods (ExecuteCopilot, ExecuteCopilotAsync) have known issues — fire-and-forget or 502 errors.

import { CopilotStudioService } from '@/generated/services/CopilotStudioService';

const response = await CopilotStudioService.ExecuteCopilotAsyncV2({
  message: "What is the status of my order?",
  notificationUrl: "https://notificationurlplaceholder",
  agentName: "cr3e1_customerSupportAgent",
});

if (response.data.completed) {
  console.log(response.data.lastResponse);
}

Request Parameters

Parameter	Required	Description
`message`	Yes	User's message. Can be JSON string for structured data.
`notificationUrl`	Yes	Always `"https://notificationurlplaceholder"`
`agentName`	Yes	Published agent name (case-sensitive, includes publisher prefix)

Response Structure

Property	Type	Description
`responses`	`string[]`	Array of response strings from the agent
`conversationId`	`string`	Conversation ID for multi-turn tracking
`lastResponse`	`string`	Most recent agent response
`completed`	`boolean`	Whether the agent finished processing

⚠️

Response casing varies. Property names may appear as conversationId, ConversationId, or conversationID. Always use optional chaining or a safe accessor.

Prototype Mode (Mock Data)

When running npm run dev:local, create a mock that simulates agent responses with realistic delays. The instruction file includes a complete mock implementation and shows how to wire it into useCopilotAgent with the VITE_USE_MOCK toggle.

See .github/instructions/08-copilot-studio.instructions.md for the complete hook, chat UI component, structured I/O patterns, and troubleshooting.

Naming Conventions

Quick reference for file, component, and Dataverse naming.

Type	Convention	Example
Components	PascalCase folder + file	`components/ProjectCard/ProjectCard.tsx`
Hooks	camelCase + `use` prefix	`hooks/useProjects.ts`
Utils	camelCase	`utils/formatDate.ts`
Types	PascalCase	`types/ProjectExtended.ts`
Constants	SCREAMING_SNAKE in file	`constants/routes.ts`
Tests	Same name + `.test`	`ProjectCard.test.tsx`
Dataverse tables	`prefix_tablename`	`mybrn_project`
Option sets	`prefix_descriptivename`	`mybrn_ideastatus`

Common Connector IDs

Use these when creating deployment settings files or connection references.

Connector	Internal Name	ConnectorId
Office 365 Users	`shared_office365users`	`/providers/Microsoft.PowerApps/apis/shared_office365users`
Office 365 Outlook	`shared_office365`	`/providers/Microsoft.PowerApps/apis/shared_office365`
SharePoint	`shared_sharepointonline`	`/providers/Microsoft.PowerApps/apis/shared_sharepointonline`
Microsoft Dataverse	`shared_commondataserviceforapps`	`/providers/Microsoft.PowerApps/apis/shared_commondataserviceforapps`
SQL Server	`shared_sql`	`/providers/Microsoft.PowerApps/apis/shared_sql`
Microsoft Teams	`shared_teams`	`/providers/Microsoft.PowerApps/apis/shared_teams`
Azure Blob Storage	`shared_azureblob`	`/providers/Microsoft.PowerApps/apis/shared_azureblob`
HTTP with Entra ID	`shared_webcontents`	`/providers/Microsoft.PowerApps/apis/shared_webcontents`

To find Connection IDs in the Power Apps Maker Portal, look at the URL after creating a connection:

https://make.powerapps.com/environments/xxx/connections/shared_office365users/CONNECTION_ID/details

What's Next

After the wizard finishes, here's your daily workflow and common commands.

Daily Development

Command	What It Does
`npm run dev:local`	Prototype with mock data — no auth or Power Platform connection needed
`npm run dev`	Connected mode — runs Vite + `pac code run` concurrently
`npm run build`	TypeScript check + Vite production build → `dist/`
`npm run test`	Run unit tests with Vitest
`npm run lint`	ESLint check across `src/`

Deploying

Command	What It Does
`pac code push`	Upload your built app to Power Platform
`npm run deploy`	Shortcut: build + push in one command

⚠ SPN auth note: pac code push requires Power Platform API access that service principal (SPN) auth lacks for first-push and pac code mutation flows. Use the repo-scoped interactive profile for that environment, then push:

pac auth create --name pp-myrepo-d-u-1a2b3c4d --environment <your-env-url> --deviceCode
pac auth select --name pp-myrepo-d-u-1a2b3c4d
pac code push

Connectors & Connection References

The wizard auto-creates connection references in your solution so they travel across environments. This now happens in an explicit later connector-binding pass, not during the initial scaffold.

Action	How
Add connectors via wizard	`node wizard/index.mjs --from 8` (runs the dedicated connector-binding step)
Add Dataverse table manually	`pac code add-data-source -a dataverse -t <table_name>`
Add other connector manually	`pac code add-data-source -a <api_id> -c <conn_id>`
Map references after import	Power Apps Maker Portal → Solutions → Connection References

How it works: A connection reference says "this solution uses the Office 365 Users connector." The actual authenticated connection (your credentials) is mapped to the reference per-environment. This means you deploy once and map per-environment — no secrets in the solution.

--apiId (-a) is always required for manual adds — there is no interactive picker in the CLI. The wizard compensates for this by discovering existing environment connections with pac connection list and letting you select one when possible. See the Connector IDs table above for common API IDs.

Re-running the Wizard

Both the terminal wizard and the browser wizard (npm run wizard:ux) share .wizard-state.json, so you can switch between them freely. The browser wizard lets you jump directly to any step from the step navigator.

Command	What It Does
`node wizard/index.mjs`	Resume from where you left off
`node wizard/index.mjs --from 7`	Re-run from scaffold onward, including the later connector and deploy steps
`node wizard/index.mjs --from 8`	Run the dedicated connector-binding pass and select real connections
`node wizard/index.mjs --reset`	Start completely fresh
`npm run wizard:ux`	Open the browser wizard — jump to any step from the step navigator

Setting Up CI/CD

See .github/instructions/04-deployment.instructions.md for full details. You'll need:

GitHub secrets: PP_APP_ID, PP_CLIENT_SECRET, PP_TENANT_ID
Environment variable per target: POWER_PLATFORM_URL

🗺️ Template to Production — in 10 Steps

Start Here

Start in the README

Stay in the Guide

Need the Full Delivery Path?

What's Inside

14 Instruction Files — 4 Agents

Narrative-First Planning

Setup Wizard

Auth Scripts

Sync Foundations

Required Tech Stack

Narrative-First Planning Layer

Decompose the Narrative

Refine the Scope

Convert to Technical Planning

Prototype Before Schema

⚠️ Enable Code Apps in Your Environment

Steps

Auth for pac code push

The Setup Wizard

Steps 1–2

Steps 3–4

Steps 5–6

Steps 7–9

All 9 Wizard Steps

1Password Users (fastest path)

Manual Path (no 1Password, or partial credentials)

A. Create Azure App Registration

B. Register as Application User

Connector & Data Source Setup

How to Get Connection IDs

Creating Connections

Step-by-Step: Create a Connection

Common Connectors

Adding Data Sources (After Getting Connection IDs)

Portal Quick Links

Power Apps Maker Portal

Power Platform Admin Center

Azure Portal — App Registrations

Azure Portal — Entra ID

Local Development with Vite

Prototype Mode

Connected Mode

When to Use Each Mode

Prototype Mode — How It Works

Mock Data Pattern

Connected Mode — Prerequisites

Vite Configuration

Vite Environment Variables

Troubleshooting

Connectors

Adding a Data Source

Wrapping Generated Code with TanStack Query

Components

Key Principles

Provider Stack (main.tsx)

Deployment & CI/CD

Flow

Manual Deploy (Dev Only)

GitHub Secrets Required

Per-Environment Variable

Testing

What to Test

Security

Required .gitignore Entries

Input Validation

Dataverse Schema

Golden Rules

Naming Convention

Copilot Studio Agent Integration

Setup Steps

Invoking the Agent

Request Parameters

Response Structure

Prototype Mode (Mock Data)

Naming Conventions

Common Connector IDs

What's Next

Auth for `pac code push`