[pull] dev from KelvinTegelaar:dev

.github/workflows/auto_comments.yml

@@ -17,7 +17,7 @@ jobs:
       # 1) If the comment includes '!notasponsor', delete it using GitHub Script
       - name: Delete !notasponsor comment
         if: contains(github.event.comment.body, '!notasponsor')
-        uses: actions/github-script@v8
+        uses: actions/github-script@v9
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/pr_check.yml

@@ -25,7 +25,7 @@ jobs:
           github.event.pull_request.head.repo.fork == true && 
           ((github.event.pull_request.head.ref == 'main' || github.event.pull_request.head.ref == 'master') ||
           (github.event.pull_request.base.ref == 'main' || github.event.pull_request.base.ref == 'master'))
-        uses: actions/github-script@v8
+        uses: actions/github-script@v9
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.vscode/launch.json

@@ -35,6 +35,13 @@
       "cwd": "${cwd}",
       "script": ". '${cwd}\\Tools\\Start-CIPPDevEmulators.ps1'"
     },
+    {
+      "type": "PowerShell",
+      "name": "Launch in Windows Terminal with Offloading Proc and HTTP only workers",
+      "request": "launch",
+      "cwd": "${cwd}",
+      "script": ". '${cwd}\\Tools\\Start-CippOffloadSimulation.ps1'"
+    },
     {
       "type": "PowerShell",
       "name": "Launch in Kitty Terminal",

Tools/Start-CippDevEmulators.ps1

@@ -22,7 +22,7 @@ $apiCommand = @'
 try {
 	# Use a stable local identity so timer node selection treats this as the catch-all host.
 	$env:WEBSITE_SITE_NAME = "cipp"
-	$env:CIPP_PROCESSOR = "true"
+	$env:CIPP_PROCESSOR = "false"
 	$env:AzureFunctionsWebHost__hostid = "cipp-single"
 
 	# Ensure prior offload simulation env overrides do not disable triggers in this shell.
@@ -42,5 +42,11 @@ try {
 $frontendCommand = 'try { npm run dev } catch { Write-Error $_.Exception.Message } finally { Read-Host "Press Enter to exit" }'
 $swaCommand = 'try { npm run start-swa } catch { Write-Error $_.Exception.Message } finally { Read-Host "Press Enter to exit" }'
 
+# Encode commands to avoid parsing issues with multi-line strings
+$azuriteEncoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($azuriteCommand))
+$apiEncoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($apiCommand))
+$frontendEncoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($frontendCommand))
+$swaEncoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($swaCommand))
+
 # Start Windows Terminal with all tabs
-wt --title CIPP`; new-tab --title 'Azurite' -d $Path pwsh -c $azuriteCommand`; new-tab --title 'FunctionApp' -d $ApiPath pwsh -c $apiCommand`; new-tab --title 'CIPP Frontend' -d $FrontendPath pwsh -c $frontendCommand`; new-tab --title 'SWA' -d $FrontendPath pwsh -c $swaCommand
+wt --title CIPP`; new-tab --title 'Azurite' -d $Path pwsh -EncodedCommand $azuriteEncoded`; new-tab --title 'FunctionApp' -d $ApiPath pwsh -EncodedCommand $apiEncoded`; new-tab --title 'CIPP Frontend' -d $FrontendPath pwsh -EncodedCommand $frontendEncoded`; new-tab --title 'SWA' -d $FrontendPath pwsh -EncodedCommand $swaEncoded

package.json

@@ -31,11 +31,11 @@
     "@emotion/styled": "11.14.1",
     "@heroicons/react": "2.2.0",
     "@monaco-editor/react": "^4.6.0",
-    "@mui/icons-material": "7.3.7",
+    "@mui/icons-material": "7.3.10",
     "@mui/lab": "7.0.0-beta.17",
-    "@mui/material": "7.3.7",
-    "@mui/system": "7.3.2",
-    "@mui/x-date-pickers": "^8.27.2",
+    "@mui/material": "7.3.10",
+    "@mui/system": "7.3.10",
+    "@mui/x-date-pickers": "^9.0.2",
     "@musement/iso-duration": "^1.0.0",
     "@nivo/core": "^0.99.0",
     "@nivo/sankey": "^0.99.0",
@@ -51,12 +51,12 @@
     "@tiptap/extension-image": "^3.20.5",
     "@tiptap/extension-table": "^3.19.0",
     "@tiptap/pm": "^3.22.3",
-    "@tiptap/react": "^3.4.1",
+    "@tiptap/react": "^3.20.5",
     "@tiptap/starter-kit": "^3.20.5",
     "@uiw/react-json-view": "^2.0.0-alpha.41",
     "@vvo/tzdb": "^6.198.0",
     "apexcharts": "5.10.4",
-    "axios": "1.14.0",
+    "axios": "1.15.0",
     "date-fns": "4.1.0",
     "diff": "^8.0.3",
     "eml-parse-js": "^1.2.0-beta.0",
@@ -100,7 +100,7 @@
     "react-redux": "9.2.0",
     "react-syntax-highlighter": "^16.1.0",
     "react-time-ago": "^7.3.3",
-    "react-virtuoso": "^4.18.3",
+    "react-virtuoso": "^4.18.5",
     "react-window": "^2.2.7",
     "recharts": "^3.7.0",
     "redux": "5.0.1",

src/components/CippComponents/AppApprovalTemplateForm.jsx

@@ -19,9 +19,76 @@ const AppApprovalTemplateForm = ({
   refetchKey,
   hideSubmitButton = false, // New prop to hide the submit button when used in a drawer
 }) => {
+  const forbiddenManifestProperties = ["keyCredentials", "passwordCredentials"];
   const [selectedPermissionSet, setSelectedPermissionSet] = useState(null);
   const [permissionsLoaded, setPermissionsLoaded] = useState(false);
   const [permissionSetDrawerVisible, setPermissionSetDrawerVisible] = useState(false);
+  const [manifestSanitizeMessage, setManifestSanitizeMessage] = useState(null);
+
+  const getManifestValidationError = (manifest) => {
+    if (!manifest.displayName) {
+      return "Application manifest must include a 'displayName' property";
+    }
+
+    if (manifest.signInAudience && manifest.signInAudience !== "AzureADMyOrg") {
+      return "signInAudience must be null, undefined, or 'AzureADMyOrg' for security reasons";
+    }
+
+    const presentForbiddenProperties = forbiddenManifestProperties.filter(
+      (propertyName) => Object.prototype.hasOwnProperty.call(manifest, propertyName)
+    );
+    if (presentForbiddenProperties.length > 0) {
+      return `Remove unsupported manifest properties: ${presentForbiddenProperties.join(", ")}.`;
+    }
+
+    return null;
+  };
+
+  const handleSanitizeManifest = () => {
+    const currentManifest = formControl.getValues("applicationManifest");
+
+    if (!currentManifest) {
+      setManifestSanitizeMessage({
+        severity: "warning",
+        text: "Paste a manifest first, then use cleanup.",
+      });
+      return;
+    }
+
+    try {
+      const parsedManifest = JSON.parse(currentManifest);
+      const removedProperties = forbiddenManifestProperties.filter((propertyName) =>
+        Object.prototype.hasOwnProperty.call(parsedManifest, propertyName)
+      );
+
+      if (removedProperties.length === 0) {
+        setManifestSanitizeMessage({
+          severity: "info",
+          text: "No forbidden sections found. Your manifest is already clean.",
+        });
+        return;
+      }
+
+      removedProperties.forEach((propertyName) => {
+        delete parsedManifest[propertyName];
+      });
+
+      formControl.setValue("applicationManifest", JSON.stringify(parsedManifest, null, 2), {
+        shouldDirty: true,
+        shouldValidate: true,
+      });
+
+      setManifestSanitizeMessage({
+        severity: "success",
+        text: `Removed forbidden sections: ${removedProperties.join(", ")}.`,
+      });
+    } catch (error) {
+      setManifestSanitizeMessage({
+        severity: "error",
+        text: "Manifest JSON is invalid. Fix the JSON and try cleanup again.",
+      });
+    }
+  };
 
   // Watch for app type selection changes
   const selectedAppType = useWatch({
@@ -40,6 +107,28 @@ const AppApprovalTemplateForm = ({
     name: "applicationManifest",
   });
 
+  const getForbiddenManifestPropertiesPresent = (manifestValue) => {
+    if (!manifestValue) {
+      return [];
+    }
+
+    try {
+      const manifest = JSON.parse(manifestValue);
+      return forbiddenManifestProperties.filter((propertyName) =>
+        Object.prototype.hasOwnProperty.call(manifest, propertyName)
+      );
+    } catch {
+      return [];
+    }
+  };
+
+  const forbiddenPropertiesInCurrentManifest =
+    selectedAppType === "ApplicationManifest"
+      ? getForbiddenManifestPropertiesPresent(selectedApplicationManifest)
+      : [];
+  const showSanitizeManifestButton = forbiddenPropertiesInCurrentManifest.length > 0;
+  const isTemplateFormValid = formControl?.formState?.isValid ?? false;
+
   // Watch for app selection changes to update template name
   const selectedApp = useWatch({
     control: formControl?.control,
@@ -236,6 +325,22 @@ const AppApprovalTemplateForm = ({
     }
   }, [isEditing, isCopy, templateData]);
 
+  useEffect(() => {
+    if (!formControl) {
+      return;
+    }
+
+    formControl.trigger();
+  }, [
+    formControl,
+    selectedAppType,
+    selectedApplicationManifest,
+    selectedApp,
+    selectedGalleryTemplate,
+    selectedPermissionSetValue,
+    templateData,
+  ]);
+
   // Handle form submission
   const handleSubmit = (data) => {
     let appDisplayName, appId, galleryTemplateId, applicationManifest;
@@ -249,11 +354,12 @@ const AppApprovalTemplateForm = ({
       try {
         applicationManifest = JSON.parse(data.applicationManifest);
 
-        // Validate signInAudience - only allow null/undefined or "AzureADMyOrg"
-        if (
-          applicationManifest.signInAudience &&
-          applicationManifest.signInAudience !== "AzureADMyOrg"
-        ) {
+        const manifestValidationError = getManifestValidationError(applicationManifest);
+        if (manifestValidationError) {
+          setManifestSanitizeMessage({
+            severity: "error",
+            text: manifestValidationError,
+          });
           return; // Don't submit if validation fails
         }
 
@@ -481,24 +587,27 @@ const AppApprovalTemplateForm = ({
                     validate: (value) => {
                       try {
                         const manifest = JSON.parse(value);
-
-                        // Check for minimum required property
-                        if (!manifest.displayName) {
-                          return "Application manifest must include a 'displayName' property";
-                        }
-
-                        // Validate signInAudience if present
-                        if (manifest.signInAudience && manifest.signInAudience !== "AzureADMyOrg") {
-                          return "signInAudience must be null, undefined, or 'AzureADMyOrg' for security reasons";
-                        }
-
-                        return true;
+                        return getManifestValidationError(manifest) ?? true;
                       } catch (e) {
                         return "Invalid JSON format";
                       }
                     },
                   }}
                 />
+                <Stack spacing={1} sx={{ mt: 1 }}>
+                  {showSanitizeManifestButton && (
+                    <Box>
+                      <Button variant="outlined" onClick={handleSanitizeManifest}>
+                        Remove Forbidden Sections
+                      </Button>
+                    </Box>
+                  )}
+                  {manifestSanitizeMessage && (
+                    <Alert severity={manifestSanitizeMessage.severity}>
+                      {manifestSanitizeMessage.text}
+                    </Alert>
+                  )}
+                </Stack>
               </CippFormCondition>
 
               <CippFormCondition
@@ -547,7 +656,7 @@ const AppApprovalTemplateForm = ({
                       variant="contained"
                       color="primary"
                       onClick={formControl.handleSubmit(handleSubmit)}
-                      disabled={updatePermissions.isPending}
+                      disabled={updatePermissions.isPending || !isTemplateFormValid}
                     >
                       {isEditing ? "Update Template" : "Create Template"}
                     </Button>

src/components/CippComponents/CippAppApprovalTemplateDrawer.jsx

@@ -144,7 +144,7 @@ export const CippAppApprovalTemplateDrawer = ({
               variant="contained"
               color="primary"
               onClick={formControl.handleSubmit(handleSubmit)}
-              disabled={updatePermissions.isPending}
+              disabled={updatePermissions.isPending || !formControl.formState.isValid}
             >
               {updatePermissions.isPending
                 ? isEditMode

src/components/CippComponents/CippRestoreWizard.jsx

@@ -44,6 +44,7 @@ const TABLE_LABELS = {
   AppPermissions: "App Permissions",
   CommunityRepos: "Community Repositories",
   Config: "CIPP Configuration",
+  CustomPowershellScripts: "Custom PowerShell/Test Scripts",
   CustomData: "Custom Data",
   CustomRoles: "Custom Roles",
   Domains: "Domains",

src/components/CippSettings/CippPermissionCheck.jsx

@@ -112,6 +112,17 @@ const CippPermissionCheck = (props) => {
     );
   };
 
+  const responseData = executeCheck?.error?.response?.data;
+  const responseText =
+    typeof responseData === "string" ? responseData : responseData ? JSON.stringify(responseData) : "";
+  const shouldShowApiResponse = responseText.includes(
+    "Access to this CIPP API endpoint is not allowed",
+  );
+  const checkErrorMessage =
+    shouldShowApiResponse
+      ? responseText
+      : `Failed to load ${type} check. Please try refreshing the page.`;
+
   return (
     <>
       <CippButtonCard
@@ -141,7 +152,7 @@ const CippPermissionCheck = (props) => {
       >
         {executeCheck.isError && !importReport && (
           <Alert severity="error" sx={{ mb: 2 }}>
-            Failed to load {type} check. Please try refreshing the page.
+            {checkErrorMessage}
           </Alert>
         )}
         {(executeCheck.isSuccess || executeCheck.isLoading) && (

src/components/CippSettings/CippRoleAddEdit.jsx

@@ -103,6 +103,24 @@ export const CippRoleAddEdit = ({ selectedRole }) => {
     return regex.test(value);
   };
 
+  const getFunctionDescriptionText = (description) => {
+    if (!description) return null;
+
+    if (Array.isArray(description)) {
+      return description?.[0]?.Text || description?.[0]?.text || null;
+    }
+
+    if (typeof description === "string") {
+      return description;
+    }
+
+    if (typeof description === "object") {
+      return description?.Text || description?.text || null;
+    }
+
+    return null;
+  };
+
   const getBaseRolePermissions = (role) => {
     const roleConfig = cippRoles[role];
     if (!roleConfig) return {};
@@ -434,7 +452,7 @@ export const CippRoleAddEdit = ({ selectedRole }) => {
                 const apiFunction = apiPermissions[cat][obj][type][api];
                 items.push({
                   name: apiFunction.Name,
-                  description: apiFunction.Description?.[0]?.Text || null,
+                  description: getFunctionDescriptionText(apiFunction.Description),
                 });
               }
               return (
@@ -593,7 +611,9 @@ export const CippRoleAddEdit = ({ selectedRole }) => {
                                     Object.keys(apiPermissions[cat][obj][type]).forEach(
                                       (apiKey) => {
                                         const apiFunction = apiPermissions[cat][obj][type][apiKey];
-                                        const descriptionText = apiFunction.Description?.[0]?.Text;
+                                        const descriptionText = getFunctionDescriptionText(
+                                          apiFunction.Description
+                                        );
                                         allEndpoints.push({
                                           label: descriptionText
                                             ? `${apiFunction.Name} - ${descriptionText}`

src/components/CippWizard/CippGDAPTenantOnboarding.jsx

@@ -45,11 +45,7 @@ export const CippGDAPTenantOnboarding = (props) => {
   });
 
   const relationshipList = ApiGetCall({
-    url: "/api/ListGraphRequest",
-    data: {
-      TenantFilter: "",
-      Endpoint: "tenantRelationships/delegatedAdminRelationships",
-    },
+    url: "/api/ListGDAPRelationships",
     queryKey: "GDAPRelationshipOnboarding-wizard",
   });