Fix agentBlueprintClientSecret being nulled out on subsequent setup blueprint runs

[Copilot]

Running a365 setup blueprint a second time on an existing blueprint overwrites agentBlueprintClientSecret to null in a365.generated.config.json, rendering the blueprint unusable.

Root Cause

SetupBlueprintAsync rebuilds the generated config as a camelCaseConfig JsonObject and writes it directly to disk as an intermediate step before deciding whether to create a new client secret. This object preserved managedIdentityPrincipalId and resourceConsents from the existing config, but omitted agentBlueprintClientSecret and agentBlueprintClientSecretProtected. When the existing secret validates successfully, CreateBlueprintClientSecretAsync (and its SaveStateAsync call) is correctly skipped — leaving the file with no secret.

Fix

Preserve the existing secret fields in the intermediate write, consistent with the other passthrough fields:

var camelCaseConfig = new JsonObject
{
    ["managedIdentityPrincipalId"] = generatedConfig["managedIdentityPrincipalId"]?.DeepClone(),
    // ... other fields ...
    ["resourceConsents"] = generatedConfig["resourceConsents"]?.DeepClone() ?? new JsonArray(),
    // Added: preserve secret across the intermediate file write
    ["agentBlueprintClientSecret"] = generatedConfig["agentBlueprintClientSecret"]?.DeepClone(),
    ["agentBlueprintClientSecretProtected"] = generatedConfig["agentBlueprintClientSecretProtected"]?.DeepClone(),
};

Original prompt

---

This section details on the original issue you should resolve

<issue_title>agentBlueprintClientSecret in a365.generated.config.json gets overwritten on subsequent runs of a365 setup blueprint</issue_title>
<issue_description>### Description

When you first run a365 setup all for the very first time with a new blueprint, the client secret for the Blueprint app registration will appear in the a365.generated.config.json, but if you ever run a365 setup blueprint on the same blueprint again, this value will get overwritten to null and then the Blueprint is basically lost and useless, because you can never generate a new Client Secret (UI says insufficient privileges eventho the listed Owner on the app registration is me, the user who created the blueprint via CLI)

Expected behavior

the client secret stays in the generated config AND (even better) owner user should be able to create new client secret via the UI in Azure portal: https://www.loom.com/share/970faccc56fd45789ed0a42d8444b3e3

SDK Version

1.1.94-preview+61107da00a

Language/Runtime

Node

OS

macOS 15.7.3 (24G419)

How to Reproduce

1. create a new blueprint via a365 config init
2. then run a365 setup all
3. notice how agentBlueprintClientSecret in a365.generated.config.json is visible as string (at least on Mac, as documented)
4. run a365 setup blueprint again
5. notice how agentBlueprintClientSecret is now null

Output

No response

Screenshots

No response

Code of Conduct

• I agree to follow the Microsoft Open Source Code of Conduct.</issue_description>

<agent_instructions>Please verify the current behavior and fix the issue with out regressions.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes agentBlueprintClientSecret in a365.generated.config.json gets overwritten on subsequent runs of a365 setup blueprint #299

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.