fix(plugins): tolerate whitespace/NBSP in safe_uninstall confirmation phrase

Davidson typed the exact required phrase ("EXCLUIR PLUGIN NUTRI") in the
uninstall wizard and got back 400 confirmation_phrase_mismatch. Strict ==
comparison was punishing the user for an invisible character (likely an
NBSP from copy-paste or a trailing whitespace from autofill — the kind of
thing operators can't see and shouldn't have to debug).

Backend (routes/plugins.py uninstall handler)
- Normalize both sides with unicodedata.normalize("NFC") + strip + replace
  NBSP with regular space before comparing. The phrase is a human-typed
  confirmation token, not a cryptographic key — tolerance is appropriate.
- Mismatch response now also returns expected/received raw values + lengths,
  so the wizard (or operator inspecting the response) can see the actual diff.

Frontend (components/PluginUninstall.tsx)
- Same normalisation client-side, applied both to the gate (typedPhrase ===
  required check) and to the body sent to the backend. The user no longer
  has to hunt for an invisible character.

Direct push to develop per Davidson's instruction (no PR needed for this
small UX fix).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: DavidsonGomes

dashboard/backend/routes/plugins.py

@@ -1274,11 +1274,28 @@ def uninstall_plugin(slug: str):
         _body = request.get_json(force=True, silent=True) or {}
         _phrase_required = (_safe_uninstall_spec.get("user_confirmation") or {}).get("typed_phrase", "")
         _phrase_given = _body.get("confirmation_phrase", "")
-        if _phrase_required and _phrase_given != _phrase_required:
+        # Normalize both sides before comparing so the user is not punished for
+        # invisible characters that the browser silently inserts (NBSP from
+        # copy-paste, trailing whitespace from autofill, NFD vs NFC composition).
+        # The phrase is a human-typed confirmation token, not a cryptographic key —
+        # tolerance is appropriate. The raw values are still preserved for the
+        # error response so the operator can see the actual diff if needed.
+        import unicodedata
+        def _normalize_phrase(s: str) -> str:
+            return unicodedata.normalize("NFC", str(s or "")).strip().replace(" ", " ")
+        _required_norm = _normalize_phrase(_phrase_required)
+        _given_norm = _normalize_phrase(_phrase_given)
+        if _required_norm and _given_norm != _required_norm:
+            # Surface the actual diff so the UI can highlight the mismatch
+            # without the operator having to guess what went wrong.
             return jsonify({
                 "error": "confirmation_phrase_mismatch",
                 "detail": f"Typed phrase must be exactly: {_phrase_required}",
                 "code": "bad_request",
+                "expected": _phrase_required,
+                "received": _phrase_given,
+                "expected_length": len(_required_norm),
+                "received_length": len(_given_norm),
             }), 400
 
         _exported_at = _body.get("exported_at", "")

dashboard/frontend/src/components/PluginUninstall.tsx

@@ -61,22 +61,32 @@ export default function PluginUninstall({
   const [uninstalling, setUninstalling] = useState(false)
   const [error, setError] = useState<string | null>(null)
 
+  // Normalize the same way the backend does (NFC + strip + collapse common
+  // whitespace lookalikes) so a copy-paste with a trailing space or NBSP
+  // doesn't fail the strict comparison silently.
+  const normalize = (s: string) =>
+    s.normalize('NFC').replace(/ /g, ' ').trim()
+
   const requiredPhrase = safeUninstall?.user_confirmation?.typed_phrase ?? ''
+  const requiredPhraseNorm = normalize(requiredPhrase)
   const checkboxLabel =
     safeUninstall?.user_confirmation?.checkbox_label ??
     'Tenho uma cópia dos dados exportados e assumo responsabilidade pela retenção legal.'
   const reason = safeUninstall?.reason ?? ''
   const preservedTables = safeUninstall?.preserved_tables ?? []
 
-  const phraseMatches = typedPhrase === requiredPhrase
+  const typedPhraseNorm = normalize(typedPhrase)
+  const phraseMatches = typedPhraseNorm === requiredPhraseNorm
   const passwordsMatch = zipPassword === zipPasswordConfirm && zipPassword.length >= 8
 
   async function handleUninstall() {
     setUninstalling(true)
     setError(null)
     try {
       const body: Record<string, unknown> = {
-        confirmation_phrase: typedPhrase,
+        // Send the normalised value so the backend never sees stray NBSP or
+        // surrounding whitespace from autofill / copy-paste.
+        confirmation_phrase: typedPhraseNorm,
         zip_password: zipPassword,
       }
       await api.delete(`/plugins/${slug}`, body)