Improve migration tool; fix bugs

Author: Samson Gebre

src/PowerPlatform/Dataverse/client.py

@@ -50,7 +50,16 @@ class DataverseClient:
     :type context: ~PowerPlatform.Dataverse.core.config.OperationContext or None
 
     :raises ValueError: If ``base_url`` is missing or empty after trimming.
+    :raises ValueError: If ``base_url`` does not use HTTPS. Dataverse only
+        serves over HTTPS; constructing with ``http://`` would send the OAuth
+        bearer token unencrypted, so the check fails fast at construction.
     :raises ValueError: If both ``config`` and ``context`` are provided.
+    :raises AttributeError: If a v0 beta shortcut (``create``, ``update``,
+        ``delete``, ``get``, ``query_sql``, ``create_table``, ``delete_table``,
+        ``list_tables``, ``get_table_info``, ``create_columns``,
+        ``delete_columns``, ``upload_file``) is accessed. The error message
+        names the GA replacement and the codemod command. See
+        :attr:`_REMOVED_BETA_METHODS`.
 
     .. note::
         The client lazily initializes its internal OData client on first use, allowing lightweight construction without immediate network calls.
@@ -70,6 +79,12 @@ class DataverseClient:
     - ``client.dataframe`` -- pandas DataFrame wrappers for record CRUD
     - ``client.batch`` -- batch multiple operations into a single HTTP request
 
+    v0 beta methods (``client.create``, ``client.query_sql``, etc.) were removed
+    in 1.0 GA. Calling one now raises :class:`AttributeError` with a message
+    naming the GA replacement and the codemod command -- previously these calls
+    raised a bare ``AttributeError`` with no migration hint, so debugging
+    half-migrated code was painful. See :attr:`_REMOVED_BETA_METHODS`.
+
     The client supports Python's context manager protocol for automatic resource
     cleanup and HTTP connection pooling:
 
@@ -95,6 +110,26 @@ class DataverseClient:
                 client.close()
     """
 
+    # v0 beta methods removed in 1.0 GA -> human-readable GA replacement.
+    # Kept in sync with ``migrate_v0_to_v1._CLIENT_SHORTCUTS``: any addition
+    # there should land here too so the runtime error and the codemod's
+    # rewrite always agree. ``__getattr__`` reads this to turn what used to
+    # be a bare ``AttributeError`` into one with an actionable hint.
+    _REMOVED_BETA_METHODS = {
+        "create": "client.records.create(table, data)",
+        "update": "client.records.update(table, record_id, data)",
+        "delete": "client.records.delete(table, record_id)",
+        "get": "client.records.get(table, ...)",
+        "query_sql": "client.query.sql(sql)",
+        "get_table_info": "client.tables.get(table)",
+        "create_table": "client.tables.create(...)",
+        "delete_table": "client.tables.delete(table)",
+        "list_tables": "client.tables.list()",
+        "create_columns": "client.tables.add_columns(table, ...)",
+        "delete_columns": "client.tables.remove_columns(table, ...)",
+        "upload_file": "client.files.upload(...)",
+    }
+
     def __init__(
         self,
         base_url: str,
@@ -111,6 +146,15 @@ def __init__(
         self._base_url = (base_url or "").rstrip("/")
         if not self._base_url:
             raise ValueError("base_url is required.")
+        # Dataverse never serves over plaintext. A typo or copy-paste that leaves
+        # the scheme as ``http://`` would send the bearer token unencrypted on the
+        # very first request -- by then the credential is already on the wire.
+        # Fail-fast at construction so the leak can't happen.
+        if not self._base_url.lower().startswith("https://"):
+            raise ValueError(
+                f"base_url must use HTTPS (got {base_url!r}). Dataverse only serves "
+                f"over HTTPS; plaintext would send OAuth bearer tokens unencrypted."
+            )
         if config is not None:
             self._config = config
         elif context is not None:
@@ -215,6 +259,28 @@ def _check_closed(self) -> None:
         if self._closed:
             raise RuntimeError("DataverseClient is closed")
 
+    def __getattr__(self, name: str):
+        """Surface a migration hint for v0 beta shortcuts removed at 1.0 GA.
+
+        Python only calls this when normal attribute lookup has failed, so the
+        GA namespaces (``records``, ``query``, ``tables``, ``files``,
+        ``dataframe``, ``batch``) -- which are set on the instance in
+        ``__init__`` -- never reach here. Names starting with ``_`` fall
+        through to a plain :class:`AttributeError` so pickling, ``copy.deepcopy``,
+        IDE introspection, and similar protocol lookups behave normally.
+        """
+        if name.startswith("_"):
+            raise AttributeError(f"{type(self).__name__!r} object has no attribute {name!r}")
+        new_call = self._REMOVED_BETA_METHODS.get(name)
+        if new_call is None:
+            raise AttributeError(f"{type(self).__name__!r} object has no attribute {name!r}")
+        raise AttributeError(
+            f"'DataverseClient' has no attribute {name!r}. This was a v0 beta "
+            f"method removed in 1.0 GA. Use {new_call} instead. To migrate a "
+            f"codebase automatically, run: "
+            f"python -m PowerPlatform.Dataverse.migration.migrate_v0_to_v1 <path>"
+        )
+
     # ---------------- Cache utilities ----------------
 
     def flush_cache(self, kind) -> int:

src/PowerPlatform/Dataverse/core/_auth.py

@@ -16,7 +16,7 @@
 from azure.core.credentials import TokenCredential
 
 
-@dataclass
+@dataclass(repr=False)
 class _TokenPair:
     """
     Container for an OAuth2 access token and its associated resource scope.
@@ -25,11 +25,22 @@ class _TokenPair:
     :type resource: :class:`str`
     :param access_token: The access token string.
     :type access_token: :class:`str`
+
+    .. note::
+        ``repr()`` / ``str()`` redact ``access_token`` to ``[REDACTED]``. Python's
+        default dataclass ``__repr__`` would otherwise emit the full bearer
+        JWT, so any accidental ``print()``, ``logging.debug(self)``, or
+        ``traceback`` with locals dumps would leak the token. The redaction
+        mirrors the ``Authorization``-header treatment in
+        :mod:`~PowerPlatform.Dataverse.core._http_logger`.
     """
 
     resource: str
     access_token: str
 
+    def __repr__(self) -> str:
+        return f"_TokenPair(resource={self.resource!r}, access_token='[REDACTED]')"
+
 
 class _AuthManager:
     """

src/PowerPlatform/Dataverse/core/log_config.py

@@ -17,13 +17,20 @@
 
 __all__ = ["LogConfig"]
 
-# Headers whose values must never appear in log files
+# Headers whose values must never appear in log files.
+#
+# ``set-cookie`` / ``cookie`` are session-bearing: Dataverse responses include
+# session identifiers (``ReqClientId``, ``orgId``, ...) with very long expiries.
+# Captured in a log file they enable session-replay against the same environment
+# for the lifetime of the cookie, so they get the same treatment as bearer tokens.
 _DEFAULT_REDACTED_HEADERS: FrozenSet[str] = frozenset(
     {
         "authorization",
         "proxy-authorization",
         "x-ms-authorization-auxiliary",
         "ocp-apim-subscription-key",
+        "set-cookie",
+        "cookie",
     }
 )
 
@@ -51,7 +58,11 @@ class LogConfig:
         sessions — bodies may contain PII and sensitive business data.
     :param redacted_headers: Header names (case-insensitive) whose values are
         replaced with ``"[REDACTED]"`` in logs. Defaults include
-        ``Authorization``, ``Proxy-Authorization``, etc.
+        ``Authorization``, ``Proxy-Authorization``,
+        ``X-MS-Authorization-Auxiliary``, ``Ocp-Apim-Subscription-Key``,
+        ``Set-Cookie``, and ``Cookie``. Cookie headers are redacted because
+        Dataverse responses include session-bearing values
+        (``ReqClientId``, ``orgId``) that enable session replay if leaked.
     :param log_level: Python logging level name. Default: ``"DEBUG"``.
     :param max_file_bytes: Max size per log file before rotation (bytes).
         Default: ``10_485_760`` (10 MB).