refactor(ui): drive ConfigureSSO navigation from the state machine

Cut the live wizard over from the imperative <Wizard> engine to the pure state
machine. Top-level navigation is now reduce/initialState from the reducer, the
ordered STEPS from transitions, and the bodies from STEP_BODIES; steps no longer
own routing.

- ConfigureSSO.tsx mounts useMachine(facts) and renders STEP_BODIES[current]
  inside the existing ProfileCard/NavBar chrome, via WizardMachineProvider. The
  step-change error effect is gone (the runner clears the card error per submit).
- The header reads the machine + transitions: visible steps are the enabled
  steps minus select-provider, completion stays positional (behavior-equivalent
  to the old breadcrumb), current is machine.current, clicks dispatch GOTO.
- Simple steps (select-provider, test, confirmation) use Step.Footer.Submit +
  the runner; Previous dispatches BACK; confirmation's reconfigure dispatches
  GOTO configure and reset dispatches RESET.
- submitSelectProvider returns { ok: true, goTo: 'configure' }: a successful
  create flips hasConnection, disabling select-provider, so a plain NEXT would
  no-op; GOTO is required.
- Nested-delegating steps (verify-domain, configure) keep their inner <Wizard>
  untouched; only their terminal step advances the machine via an injected
  onComplete.

Re-point the select-provider tests at the machine dispatch and the submit test
at the new goTo result.

Author: iagodahlem

packages/ui/src/components/ConfigureSSO/ConfigureSSO.tsx

@@ -5,7 +5,7 @@ import React from 'react';
 import { useProtect } from '@/common';
 import { withCoreUserGuard } from '@/contexts';
 import { Col, Flex, Flow, Heading, Icon, localizationKeys, Text } from '@/customizables';
-import { useCardState, withCardStateProvider } from '@/elements/contexts';
+import { withCardStateProvider } from '@/elements/contexts';
 import { ProfileCard } from '@/elements/ProfileCard';
 import { ExclamationTriangle } from '@/icons';
 import { Route, Switch } from '@/router';
@@ -17,8 +17,9 @@ import { ConfigureSSOSkeleton } from './ConfigureSSOSkeleton';
 import { useConfigureSSOData } from './data/useConfigureSSOData';
 import { ProfileCardFooter, ProfileCardHeader } from './elements/ProfileCard';
 import { Step } from './elements/Step';
-import { useWizard, Wizard } from './elements/Wizard';
-import { ConfigureStep, ConfirmationStep, SelectProviderStep, TestConfigurationStep, VerifyDomainStep } from './steps';
+import { useMachine } from './elements/useMachine';
+import { WizardMachineProvider } from './elements/WizardMachineContext';
+import { STEP_BODIES } from './machine/stepBodies';
 
 const ConfigureSSOInternal = () => {
   return (
@@ -47,7 +48,8 @@ const AuthenticatedContent = withCoreUserGuard(() => {
 });
 
 export const ConfigureSSOContent = ({ contentRef }: { contentRef: React.RefObject<HTMLDivElement> }) => {
-  const { isLoading, enterpriseConnection, facts, refreshTestRuns, mutations } = useConfigureSSOData();
+  const { isLoading, enterpriseConnection, facts, refreshTestRuns, mutations, primaryEmailAddress } =
+    useConfigureSSOData();
 
   // Gate loading one level above the provider so the context never observes a
   // loading state.
@@ -63,62 +65,39 @@ export const ConfigureSSOContent = ({ contentRef }: { contentRef: React.RefObjec
         enterpriseConnection={enterpriseConnection}
         contentRef={contentRef}
         mutations={mutations}
+        primaryEmailAddress={primaryEmailAddress}
       >
         <ConfigureSSOSteps />
       </ConfigureSSOProvider>
     </ConfigureSSOProtect>
   );
 };
 
+/**
+ * The wizard surface, driven by the pure state machine.
+ *
+ * `useMachine(facts)` owns where we are (`machine.current`) and how we got
+ * there; the only view edge is `STEP_BODIES[machine.current]`, which mounts the
+ * body for the active step. The machine is published via `WizardMachineProvider`
+ * (a sibling to `ConfigureSSOProvider`, mounted at the same level — no inner
+ * provider) so the header, footer, and steps read it.
+ *
+ * Steps no longer own routing: simple steps advance via `Step.Footer.Submit` ->
+ * `useSubmitRunner` -> `dispatch`, and the nested-delegating steps
+ * (verify-domain, configure) bubble their inner terminal step into the machine
+ * through an injected `onComplete`.
+ */
 const ConfigureSSOSteps = () => {
-  const { initialStepId, enterpriseConnection } = useConfigureSSO();
+  const { facts } = useConfigureSSO();
+  const machine = useMachine(facts);
+
+  const Body = STEP_BODIES[machine.current];
 
   return (
-    <Wizard initialStepId={initialStepId}>
-      <ResetCardErrorOnStepChange />
+    <WizardMachineProvider machine={machine}>
       <ConfigureSSOHeader />
-
-      {/*
-       * `select-provider` is only a wizard step while there's no enterprise
-       * connection yet — creating one unregisters this step, which:
-       *   1. Hides it from the breadcrumb (no need for a manual filter), and
-       *   2. Prevents `goPrev` from any later step (e.g. configure's first
-       *      substep) from ever bubbling back into provider selection.
-       */}
-      {!enterpriseConnection && (
-        <Wizard.Step id='select-provider'>
-          <SelectProviderStep />
-        </Wizard.Step>
-      )}
-
-      <Wizard.Step
-        id='verify-domain'
-        label='Verify domain'
-      >
-        <VerifyDomainStep />
-      </Wizard.Step>
-
-      <Wizard.Step
-        id='configure'
-        label='Configure'
-      >
-        <ConfigureStep />
-      </Wizard.Step>
-
-      <Wizard.Step
-        id='test'
-        label='Test'
-      >
-        <TestConfigurationStep />
-      </Wizard.Step>
-
-      <Wizard.Step
-        id='confirmation'
-        label='Confirmation'
-      >
-        <ConfirmationStep />
-      </Wizard.Step>
-    </Wizard>
+      <Body />
+    </WizardMachineProvider>
   );
 };
 
@@ -180,27 +159,4 @@ const MissingManageEnterpriseConnectionsPermission = () => (
   </>
 );
 
-/**
- * Sentinel component rendered inside `<Wizard>`
- *
- * Clears any card-level error whenever the active step transitions, so a stale failure from one step
- * doesn't leak into the next
- */
-const ResetCardErrorOnStepChange = (): null => {
-  const { currentStep } = useWizard();
-  const card = useCardState();
-  const previousStepIdRef = React.useRef(currentStep?.id);
-
-  React.useEffect(() => {
-    if (previousStepIdRef.current === currentStep?.id) {
-      return;
-    }
-
-    previousStepIdRef.current = currentStep?.id;
-    card.setError(undefined);
-  }, [currentStep?.id, card]);
-
-  return null;
-};
-
 export const ConfigureSSO: React.ComponentType<ConfigureSSOProps> = withCardStateProvider(ConfigureSSOInternal);

packages/ui/src/components/ConfigureSSO/ConfigureSSOHeader.tsx

@@ -1,25 +1,35 @@
 import { useLocalizations } from '@/customizables';
 
+import { useConfigureSSO } from './ConfigureSSOContext';
 import { ProfileCardHeader } from './elements/ProfileCard';
 import { Stepper } from './elements/Stepper';
-import { useWizard } from './elements/Wizard';
+import { useWizardMachine } from './elements/WizardMachineContext';
+import { STEPS } from './machine/transitions';
 
+/**
+ * The wizard breadcrumb, driven by the pure state machine + transitions.
+ *
+ * Visible steps are the enabled steps for the current facts, minus
+ * `select-provider` (per design it never appears in the breadcrumb, even while
+ * it's an active step). Completion stays positional — exactly as the legacy
+ * `useWizard()`-backed header computed it (`index < currentIndex`) — so the
+ * breadcrumb's visual completion state is behavior-equivalent. The current step
+ * is `machine.current`; clicking a reachable item jumps via `GOTO`.
+ */
 export const ConfigureSSOHeader = (): JSX.Element => {
-  const { activeSteps, currentStep, goToStep } = useWizard();
+  const { facts } = useConfigureSSO();
+  const { current, dispatch } = useWizardMachine();
   const { t } = useLocalizations();
 
-  // `select-provider` is only mounted while there's no enterprise connection,
-  // but per design it should never appear in the visual breadcrumb regardless,
-  // so we always filter it out here
-  const visibleSteps = activeSteps.filter(step => step.id !== 'select-provider');
-  const currentIndex = visibleSteps.findIndex(step => step.id === currentStep?.id);
+  const visibleSteps = STEPS.filter(step => step.id !== 'select-provider' && (step.enabled?.(facts) ?? true));
+  const currentIndex = visibleSteps.findIndex(step => step.id === current);
 
   return (
     <ProfileCardHeader>
       <Stepper>
         {visibleSteps.map((step, index) => {
           const isCurrent = index === currentIndex;
-          const isCompleted = step.isCompleted ?? index < currentIndex;
+          const isCompleted = index < currentIndex;
           const isReachable = isCompleted || index <= currentIndex;
           const labelText = step.label ? (typeof step.label === 'string' ? step.label : t(step.label)) : '';
 
@@ -30,7 +40,7 @@ export const ConfigureSSOHeader = (): JSX.Element => {
               isCurrent={isCurrent}
               isCompleted={isCompleted}
               isReachable={isReachable}
-              onClick={() => void goToStep(step.id)}
+              onClick={() => dispatch({ type: 'GOTO', step: step.id })}
             >
               {labelText}
             </Stepper.Item>

packages/ui/src/components/ConfigureSSO/ResetConnectionDialog.tsx

@@ -9,7 +9,7 @@ import { useFormControl } from '@/ui/utils/useFormControl';
 import { handleError } from '@/utils/errorHandler';
 
 import { useConfigureSSO } from './ConfigureSSOContext';
-import { useWizard } from './elements/Wizard';
+import { useWizardMachine } from './elements/WizardMachineContext';
 
 type ResetConnectionDialogProps = {
   isOpen: boolean;
@@ -52,7 +52,7 @@ const ResetConnectionDialogContent = withCardStateProvider((props: ResetConnecti
     setProvider,
     mutations: { deleteConnection },
   } = useConfigureSSO();
-  const { goToStep } = useWizard();
+  const { dispatch } = useWizardMachine();
 
   const confirmationField = useFormControl('deleteConfirmation', '', {
     type: 'text',
@@ -73,7 +73,9 @@ const ResetConnectionDialogContent = withCardStateProvider((props: ResetConnecti
     try {
       await deleteConnection(enterpriseConnection.id);
       setProvider(undefined);
-      await goToStep('select-provider');
+      // RESET force-enables select-provider: `facts.hasConnection` won't have
+      // refetched after the delete, so a plain GOTO would be gated out.
+      dispatch({ type: 'RESET' });
       onClose();
     } catch (err) {
       handleError(err as Error, [confirmationField], card.setError);

packages/ui/src/components/ConfigureSSO/__tests__/ConfigureSSO.test.tsx

@@ -67,4 +67,52 @@ describe('ConfigureSSO', () => {
       expect(queryByText(/you do not have permission to manage single sign-on/i)).not.toBeInTheDocument();
     });
   });
+
+  describe('state machine mounts on the right step', () => {
+    it('mounts on select-provider with a verified email and no connection', async () => {
+      const { wrapper, fixtures } = await createFixtures(f => {
+        f.withEnterpriseSso({ selfServeSSO: true });
+        f.withEmailAddress();
+        f.withUser({ email_addresses: ['test@clerk.com'] });
+      });
+
+      fixtures.clerk.user?.getEnterpriseConnections.mockResolvedValue([]);
+
+      const { findByText } = render(<ConfigureSSO />, { wrapper });
+
+      // Verified primary email fulfills verify-domain, so the machine skips it
+      // and lands on select-provider — the first non-fulfilled enabled step.
+      await findByText(/select your identity provider/i);
+    });
+
+    it('short-circuits to the confirmation step for an active connection', async () => {
+      const { wrapper, fixtures } = await createFixtures(f => {
+        f.withEnterpriseSso({ selfServeSSO: true });
+        f.withEmailAddress();
+        f.withUser({ email_addresses: ['test@clerk.com'] });
+      });
+
+      fixtures.clerk.user?.getEnterpriseConnections.mockResolvedValue([
+        {
+          id: 'ent_active',
+          name: 'clerk.com',
+          provider: 'saml_okta',
+          active: true,
+          organizationId: null,
+          domains: ['clerk.com'],
+          samlConnection: {
+            idpSsoUrl: 'https://idp.example.com/sso',
+            idpEntityId: 'https://idp.example.com/entity',
+            idpCertificate: 'CERT',
+          },
+        } as any,
+      ]);
+
+      const { findByText, queryByText } = render(<ConfigureSSO />, { wrapper });
+
+      // An active connection lands on confirmation even if never tested.
+      await findByText(/configuration/i);
+      expect(queryByText(/select your identity provider/i)).not.toBeInTheDocument();
+    });
+  });
 });

packages/ui/src/components/ConfigureSSO/machine/__tests__/submit.test.ts

@@ -37,30 +37,32 @@ const makeCtx = (overrides: Partial<SubmitCtx> = {}): SubmitCtx => ({
 });
 
 describe('submitSelectProvider', () => {
-  it('provider selected → creates the connection and returns { ok: true }', async () => {
+  it('provider selected → creates the connection and jumps to configure', async () => {
     // Under the new order verify-domain ran first, so the create is
-    // unconditional once a provider is chosen.
+    // unconditional once a provider is chosen. The create flips
+    // `facts.hasConnection`, which disables select-provider, so the handler must
+    // jump with an explicit `goTo: 'configure'` (a plain NEXT would no-op).
     const mutations = makeMutations();
     const ctx = makeCtx({ mutations, provider: 'saml_okta' });
 
     const result = await submitSelectProvider(ctx);
 
     expect(ctx.setProvider).toHaveBeenCalledWith('saml_okta');
     expect(mutations.createConnection).toHaveBeenCalledWith('saml_okta', ctx.primaryEmailAddress);
-    expect(result).toEqual({ ok: true });
+    expect(result).toEqual({ ok: true, goTo: 'configure' });
   });
 
   it('always creates regardless of email-verified facts (verify-domain ran first)', async () => {
     // The old isPrimaryEmailVerified branch is dead under the new order: even
-    // with the fact false, the create still fires.
+    // with the fact false, the create still fires and jumps to configure.
     const mutations = makeMutations();
     const ctx = makeCtx({ facts: { ...baseFacts, isPrimaryEmailVerified: false }, mutations, provider: 'saml_custom' });
 
     const result = await submitSelectProvider(ctx);
 
     expect(ctx.setProvider).toHaveBeenCalledWith('saml_custom');
     expect(mutations.createConnection).toHaveBeenCalledWith('saml_custom', ctx.primaryEmailAddress);
-    expect(result).toEqual({ ok: true });
+    expect(result).toEqual({ ok: true, goTo: 'configure' });
   });
 
   it('no provider selected → returns { ok: false } without creating or setting provider', async () => {

packages/ui/src/components/ConfigureSSO/machine/submit.ts

@@ -60,9 +60,14 @@ export interface SubmitCtx {
  * reaches select-provider their domain/email is already verified — the create
  * is unconditional:
  *   - No provider selected → `{ ok: false }` (footer surfaces the validation).
- *   - Provider selected → create the connection now, then `{ ok: true }`. The
- *     reducer's NEXT advances into configure.
+ *   - Provider selected → create the connection now, then jump to `configure`.
  *   - Create throws → `{ ok: false; error }`.
+ *
+ * The jump MUST be an explicit `goTo: 'configure'`, not a plain advance: a
+ * successful create flips `facts.hasConnection`, which disables `select-provider`
+ * (its `enabled` predicate is `!hasConnection`). Once disabled, the machine can
+ * no longer be "at" it, so a plain `NEXT` no-ops. `GOTO` bypasses `fulfilled`
+ * and lands on configure regardless.
  */
 export const submitSelectProvider = async (ctx: SubmitCtx): Promise<SubmitResult> => {
   const { provider, setProvider, mutations, primaryEmailAddress } = ctx;
@@ -75,7 +80,7 @@ export const submitSelectProvider = async (ctx: SubmitCtx): Promise<SubmitResult
 
   try {
     await mutations.createConnection(provider, primaryEmailAddress);
-    return { ok: true };
+    return { ok: true, goTo: 'configure' };
   } catch (error) {
     return { ok: false, error: error as ClerkAPIError | ClerkRuntimeError | string };
   }

packages/ui/src/components/ConfigureSSO/steps/ConfigureStep/index.tsx

@@ -5,6 +5,7 @@ import { descriptors, Flow } from '@/customizables';
 import { useConfigureSSO } from '../../ConfigureSSOContext';
 import { Step } from '../../elements/Step';
 import { Wizard } from '../../elements/Wizard';
+import { useWizardMachine } from '../../elements/WizardMachineContext';
 import type { ProviderType } from '../../types';
 import {
   SamlCustomConfigureSteps,
@@ -22,6 +23,10 @@ const STEPS_BY_PROVIDER: Record<ProviderType, () => JSX.Element> = {
 
 export const ConfigureStep = (): JSX.Element | null => {
   const { provider } = useConfigureSSO();
+  // The inner SAML sub-step flow keeps its own nested <Wizard> (untouched —
+  // slated for the TXT rework). Only its terminal step advances the top-level
+  // machine, via the injected `onComplete`.
+  const { dispatch } = useWizardMachine();
 
   // Type guard, at this point the provider should have been defined
   if (!provider) {
@@ -41,7 +46,7 @@ export const ConfigureStep = (): JSX.Element | null => {
         elementDescriptor={descriptors.configureSSOStep}
         elementId={descriptors.configureSSOStep.setId('configure')}
       >
-        <Wizard>
+        <Wizard onComplete={() => dispatch({ type: 'NEXT' })}>
           <StepsByProvider />
         </Wizard>
       </Step>