Idempotent setup: blueprint/infrastructure discovery (#144)

* Idempotent setup: blueprint/infrastructure discovery

Implement complete idempotency for a365 setup commands to handle
repeated executions gracefully and provide accurate user feedback.

Changes:
- Add BlueprintLookupService for dual-path blueprint discovery (objectId
  primary, displayName fallback for migration scenarios)
- Add FederatedCredentialService for FIC existence checks and creation
- Persist blueprint objectIds (app + service principal) to config for
  authoritative future lookups
- Track idempotency flags: InfrastructureAlreadyExisted,
  BlueprintAlreadyExisted, EndpointAlreadyExisted
- Update setup summary to display "configured (already exists)" vs "created"

Fixes:
- Move endpoint error log after idempotency check (no more false ERR)
- Convert verbose internal logs to LogDebug ("Saved dynamic state", auth checks)
- Fix SaveStateAsync usage to prevent service principal ID overwrites

Testing:
- Add BlueprintLookupServiceTests (8 tests)
- Add FederatedCredentialServiceTests (11 tests)
- All 777/777 tests passing

Wire new services through DI container and all setup subcommands.

* Improve federated credential and consent handling in CLI

- Cleanup now deletes federated credentials before blueprint removal, using new FederatedCredentialService methods with endpoint fallback.
- FederatedCredentialService enhanced for robust listing, creation, deletion, and error handling; skips malformed entries and supports propagation retries.
- Blueprint setup refactored to consistently handle federated credential creation/validation and admin consent, with consent checked before prompting.
- Added AdminConsentHelper.CheckConsentExistsAsync to verify existing grants.
- Improved idempotency tracking and summary logging for permissions.
- Updated CleanupCommand and tests to require/use FederatedCredentialService.
- Expanded tests for federated credential and consent logic.
- Refined bot endpoint deletion to avoid false positives.
- Improved logging and user feedback throughout blueprint and cleanup flows.

* Refactor: move model classes to dedicated files

Moved blueprint, federated credential, and password credential model classes from service classes to new files in the Models namespace for better organization. Updated services to use the new models. Improved logging for messaging endpoint setup and Azure CLI Python bitness detection.

* Refactor FIC naming and logging; clean up retry logic

- Update FIC naming to use display name only (no objectId), as uniqueness is per app, not tenant-wide.
- Improve error logging for missing blueprint identifiers by removing null-coalescing fallback.
- Remove unused variable assignment from federated credential retry logic.

Author: sellakumaran

src/Microsoft.Agents.A365.DevTools.Cli/Commands/CleanupCommand.cs

@@ -18,7 +18,8 @@ public static Command CreateCommand(
         IBotConfigurator botConfigurator,
         CommandExecutor executor,
         AgentBlueprintService agentBlueprintService,
-        IConfirmationProvider confirmationProvider)
+        IConfirmationProvider confirmationProvider,
+        FederatedCredentialService federatedCredentialService)
     {
         var cleanupCommand = new Command("cleanup", "Clean up ALL resources (blueprint, instance, Azure) - use subcommands for granular cleanup");
 
@@ -40,11 +41,11 @@ public static Command CreateCommand(
         // Set default handler for 'a365 cleanup' (without subcommand) - cleans up everything
         cleanupCommand.SetHandler(async (configFile, verbose) =>
         {
-            await ExecuteAllCleanupAsync(logger, configService, botConfigurator, executor, agentBlueprintService, confirmationProvider, configFile);
+            await ExecuteAllCleanupAsync(logger, configService, botConfigurator, executor, agentBlueprintService, confirmationProvider, federatedCredentialService, configFile);
         }, configOption, verboseOption);
 
         // Add subcommands for granular control
-        cleanupCommand.AddCommand(CreateBlueprintCleanupCommand(logger, configService, botConfigurator, executor, agentBlueprintService));
+        cleanupCommand.AddCommand(CreateBlueprintCleanupCommand(logger, configService, botConfigurator, executor, agentBlueprintService, federatedCredentialService));
         cleanupCommand.AddCommand(CreateAzureCleanupCommand(logger, configService, executor));
         cleanupCommand.AddCommand(CreateInstanceCleanupCommand(logger, configService, executor));
 
@@ -56,7 +57,8 @@ private static Command CreateBlueprintCleanupCommand(
         IConfigService configService,
         IBotConfigurator botConfigurator,
         CommandExecutor executor,
-        AgentBlueprintService agentBlueprintService)
+        AgentBlueprintService agentBlueprintService,
+        FederatedCredentialService federatedCredentialService)
     {
         var command = new Command("blueprint", "Remove Entra ID blueprint application and service principal");
 
@@ -124,7 +126,32 @@ private static Command CreateBlueprintCleanupCommand(
                     return;
                 }
 
+                // Delete federated credentials first before deleting the blueprint
+                logger.LogInformation("");
+                logger.LogInformation("Deleting federated credentials from blueprint...");
+                
+                // Configure FederatedCredentialService with custom client app ID if available
+                if (!string.IsNullOrWhiteSpace(config.ClientAppId))
+                {
+                    federatedCredentialService.CustomClientAppId = config.ClientAppId;
+                }
+                
+                var ficsDeleted = await federatedCredentialService.DeleteAllFederatedCredentialsAsync(
+                    config.TenantId,
+                    config.AgentBlueprintId);
+
+                if (!ficsDeleted)
+                {
+                    logger.LogWarning("Some federated credentials may not have been deleted successfully");
+                    logger.LogWarning("Continuing with blueprint deletion...");
+                }
+                else
+                {
+                    logger.LogInformation("Federated credentials deleted successfully");
+                }
+
                 // Delete the agent blueprint using the special Graph API endpoint
+                logger.LogInformation("");
                 logger.LogInformation("Deleting agent blueprint application...");
                 var deleted = await agentBlueprintService.DeleteAgentBlueprintAsync(
                     config.TenantId,
@@ -395,6 +422,7 @@ private static async Task ExecuteAllCleanupAsync(
         CommandExecutor executor,
         AgentBlueprintService agentBlueprintService,
         IConfirmationProvider confirmationProvider,
+        FederatedCredentialService federatedCredentialService,
         FileInfo? configFile)
     {
         var cleanupSucceeded = false;
@@ -447,7 +475,34 @@ private static async Task ExecuteAllCleanupAsync(
 
             logger.LogInformation("Starting complete cleanup...");
 
-            // 1. Delete agent blueprint application
+            // 1. Delete federated credentials from agent blueprint (if exists)
+            if (!string.IsNullOrWhiteSpace(config.AgentBlueprintId))
+            {
+                logger.LogInformation("Deleting federated credentials from blueprint...");
+                
+                // Configure FederatedCredentialService with custom client app ID if available
+                if (!string.IsNullOrWhiteSpace(config.ClientAppId))
+                {
+                    federatedCredentialService.CustomClientAppId = config.ClientAppId;
+                }
+                
+                var ficsDeleted = await federatedCredentialService.DeleteAllFederatedCredentialsAsync(
+                    config.TenantId,
+                    config.AgentBlueprintId);
+
+                if (!ficsDeleted)
+                {
+                    logger.LogWarning("Some federated credentials may not have been deleted successfully");
+                    logger.LogWarning("Continuing with blueprint deletion...");
+                    hasFailures = true;
+                }
+                else
+                {
+                    logger.LogInformation("Federated credentials deleted successfully");
+                }
+            }
+
+            // 2. Delete agent blueprint application
             if (!string.IsNullOrWhiteSpace(config.AgentBlueprintId))
             {
                 logger.LogInformation("Deleting agent blueprint application...");
@@ -467,7 +522,7 @@ private static async Task ExecuteAllCleanupAsync(
                 }
             }
 
-            // 2. Delete agent identity application
+            // 3. Delete agent identity application
             if (!string.IsNullOrWhiteSpace(config.AgenticAppId))
             {
                 logger.LogInformation("Deleting agent identity application...");
@@ -488,15 +543,15 @@ private static async Task ExecuteAllCleanupAsync(
                 }
             }
 
-            // 3. Delete agent user
+            // 4. Delete agent user
             if (!string.IsNullOrWhiteSpace(config.AgenticUserId))
             {
                 logger.LogInformation("Deleting agent user...");
                 await executor.ExecuteAsync("az", $"ad user delete --id {config.AgenticUserId}", null, true, false, CancellationToken.None);
                 logger.LogInformation("Agent user deleted");
             }
 
-            // 4. Delete bot messaging endpoint using shared helper
+            // 5. Delete bot messaging endpoint using shared helper
             if (!string.IsNullOrWhiteSpace(config.BotName))
             {
                 var endpointDeleted = await DeleteMessagingEndpointAsync(logger, config, botConfigurator);
@@ -506,7 +561,7 @@ private static async Task ExecuteAllCleanupAsync(
                 }
             }
 
-            // 5. Delete Azure resources (Web App and App Service Plan)
+            // 6. Delete Azure resources (Web App and App Service Plan)
             if (!string.IsNullOrWhiteSpace(config.WebAppName) && !string.IsNullOrWhiteSpace(config.ResourceGroup))
             {
                 logger.LogInformation("Deleting Azure resources...");

src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupCommand.cs

@@ -25,6 +25,8 @@ public static Command CreateCommand(
             PlatformDetector platformDetector,
             GraphApiService graphApiService,
             AgentBlueprintService blueprintService,
+            BlueprintLookupService blueprintLookupService,
+            FederatedCredentialService federatedCredentialService,
             IClientAppValidator clientAppValidator)
         {
             var command = new Command("setup", 
@@ -47,13 +49,13 @@ public static Command CreateCommand(
                 logger, configService, azureValidator, webAppCreator, platformDetector, executor));
 
             command.AddCommand(BlueprintSubcommand.CreateCommand(
-                logger, configService, executor, azureValidator, webAppCreator, platformDetector, botConfigurator, graphApiService, blueprintService, clientAppValidator));
+                logger, configService, executor, azureValidator, webAppCreator, platformDetector, botConfigurator, graphApiService, blueprintService, clientAppValidator, blueprintLookupService, federatedCredentialService));
 
             command.AddCommand(PermissionsSubcommand.CreateCommand(
                 logger, configService, executor, graphApiService, blueprintService));
 
             command.AddCommand(AllSubcommand.CreateCommand(
-                logger, configService, executor, botConfigurator, azureValidator, webAppCreator, platformDetector, graphApiService, blueprintService, clientAppValidator));
+                logger, configService, executor, botConfigurator, azureValidator, webAppCreator, platformDetector, graphApiService, blueprintService, clientAppValidator, blueprintLookupService, federatedCredentialService));
 
             return command;
         }

src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs

@@ -29,7 +29,9 @@ public static Command CreateCommand(
         PlatformDetector platformDetector,
         GraphApiService graphApiService,
         AgentBlueprintService blueprintService,
-        IClientAppValidator clientAppValidator)
+        IClientAppValidator clientAppValidator,
+        BlueprintLookupService blueprintLookupService,
+        FederatedCredentialService federatedCredentialService)
     {
         var command = new Command("all", 
             "Run complete Agent 365 setup (all steps in sequence)\n" +
@@ -134,9 +136,7 @@ public static Command CreateCommand(
                 // PHASE 0: CHECK REQUIREMENTS (if not skipped)
                 if (!skipRequirements)
                 {
-                    logger.LogInformation("Step 0: Requirements Check");
-                    logger.LogInformation("Validating system prerequisites...");
-                    logger.LogInformation("");
+                    logger.LogDebug("Validating system prerequisites...");
 
                     try
                     {
@@ -164,53 +164,51 @@ public static Command CreateCommand(
                 }
                 else
                 {
-                    logger.LogInformation("Skipping requirements validation (--skip-requirements flag used)");
-                    logger.LogInformation("");
+                    logger.LogDebug("Skipping requirements validation (--skip-requirements flag used)");
                 }
 
                 // PHASE 1: VALIDATE ALL PREREQUISITES UPFRONT
-                logger.LogInformation("Validating all prerequisites...");
-                logger.LogInformation("");
+                logger.LogDebug("Validating all prerequisites...");
 
                 var allErrors = new List<string>();
 
                 // Validate Azure CLI authentication first
-                logger.LogInformation("Validating Azure CLI authentication...");
+                logger.LogDebug("Validating Azure CLI authentication...");
                 if (!await azureValidator.ValidateAllAsync(setupConfig.SubscriptionId))
                 {
                     allErrors.Add("Azure CLI authentication failed or subscription not set correctly");
                     logger.LogError("Azure CLI authentication validation failed");
                 }
                 else
                 {
-                    logger.LogInformation("Azure CLI authentication: OK");
+                    logger.LogDebug("Azure CLI authentication: OK");
                 }
 
                 // Validate Infrastructure prerequisites
                 if (!skipInfrastructure && setupConfig.NeedDeployment)
                 {
-                    logger.LogInformation("Validating Infrastructure prerequisites...");
+                    logger.LogDebug("Validating Infrastructure prerequisites...");
                     var infraErrors = await InfrastructureSubcommand.ValidateAsync(setupConfig, azureValidator, CancellationToken.None);
                     if (infraErrors.Count > 0)
                     {
                         allErrors.AddRange(infraErrors.Select(e => $"Infrastructure: {e}"));
                     }
                     else
                     {
-                        logger.LogInformation("Infrastructure prerequisites: OK");
+                        logger.LogDebug("Infrastructure prerequisites: OK");
                     }
                 }
 
                 // Validate Blueprint prerequisites
-                logger.LogInformation("Validating Blueprint prerequisites...");
+                logger.LogDebug("Validating Blueprint prerequisites...");
                 var blueprintErrors = await BlueprintSubcommand.ValidateAsync(setupConfig, azureValidator, clientAppValidator, CancellationToken.None);
                 if (blueprintErrors.Count > 0)
                 {
                     allErrors.AddRange(blueprintErrors.Select(e => $"Blueprint: {e}"));
                 }
                 else
                 {
-                    logger.LogInformation("Blueprint prerequisites: OK");
+                    logger.LogDebug("Blueprint prerequisites: OK");
                 }
 
                 // Stop if any validation failed
@@ -229,9 +227,7 @@ public static Command CreateCommand(
                     return;
                 }
 
-                logger.LogInformation("");
-                logger.LogInformation("All validations passed. Starting setup execution...");
-                logger.LogInformation("");
+                logger.LogDebug("All validations passed. Starting setup execution...");
 
                 var generatedConfigPath = Path.Combine(
                     config.DirectoryName ?? Environment.CurrentDirectory,
@@ -240,10 +236,8 @@ public static Command CreateCommand(
                 // Step 1: Infrastructure (optional)
                 try
                 {
-                    logger.LogInformation("Step 1:");
-                    logger.LogInformation("");
 
-                    bool setupInfra = await InfrastructureSubcommand.CreateInfrastructureImplementationAsync(
+                    var (setupInfra, infraAlreadyExisted) = await InfrastructureSubcommand.CreateInfrastructureImplementationAsync(
                         logger,
                         config.FullName,
                         generatedConfigPath,
@@ -254,6 +248,7 @@ public static Command CreateCommand(
                         CancellationToken.None);
 
                     setupResults.InfrastructureCreated = skipInfrastructure ? false : setupInfra;
+                    setupResults.InfrastructureAlreadyExisted = infraAlreadyExisted;
                 }
                 catch (Agent365Exception infraEx)
                 {
@@ -270,10 +265,6 @@ public static Command CreateCommand(
                 }
 
                 // Step 2: Blueprint
-                logger.LogInformation("");
-                logger.LogInformation("Step 2:");
-                logger.LogInformation("");
-
                 try
                 {
                     var result = await BlueprintSubcommand.CreateBlueprintImplementationAsync(
@@ -288,11 +279,15 @@ public static Command CreateCommand(
                         botConfigurator,
                         platformDetector,
                         graphApiService,
-                        blueprintService
+                        blueprintService,
+                        blueprintLookupService,
+                        federatedCredentialService
                         );
 
                     setupResults.BlueprintCreated = result.BlueprintCreated;
+                    setupResults.BlueprintAlreadyExisted = result.BlueprintAlreadyExisted;
                     setupResults.MessagingEndpointRegistered = result.EndpointRegistered;
+                    setupResults.EndpointAlreadyExisted = result.EndpointAlreadyExisted;
 
                     if (result.EndpointAlreadyExisted)
                     {
@@ -350,10 +345,6 @@ public static Command CreateCommand(
                 }
 
                 // Step 3: MCP Permissions
-                logger.LogInformation("");
-                logger.LogInformation("Step 3:");
-                logger.LogInformation("");
-
                 try
                 {
                     bool mcpPermissionSetup = await PermissionsSubcommand.ConfigureMcpPermissionsAsync(
@@ -381,11 +372,6 @@ public static Command CreateCommand(
                 }
 
                 // Step 4: Bot API Permissions
-
-                logger.LogInformation("");
-                logger.LogInformation("Step 4:");
-                logger.LogInformation("");
-
                 try
                 {
                     bool botPermissionSetup = await PermissionsSubcommand.ConfigureBotPermissionsAsync(