fix: ServiceClient org metadata and multi-layer environment resolution (#98)

* fix: add SkipDiscovery and multi-layer environment resolution

Issue #86: Added SkipDiscovery = false to ConnectionOptions in 5 credential
providers (InteractiveBrowser, DeviceCode, ManagedIdentity, GitHubFederated,
AzureDevOpsFederated) to force org metadata discovery.

Issues #89 + #88: Added EnvironmentResolutionService for multi-layer resolution:
- Direct Dataverse connection first (works for service principals)
- Global Discovery fallback (for interactive users)
- Updated ppds env select and ppds auth update --environment to use new resolver

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: force eager org metadata discovery before clone

ServiceClient org metadata discovery is lazy - properties are only
populated when first accessed. Since the connection pool clones the
seed client before properties are accessed, the clones had empty
org metadata.

Fix: Access ConnectedOrgFriendlyName immediately after creating the
ServiceClient to trigger discovery while values can still be copied
to clones.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: remove unnecessary SkipDiscovery setting

Testing confirmed that SkipDiscovery = false is not required.
The eager property access alone triggers org metadata discovery.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: improve comments explaining eager property access pattern

Added detailed comments explaining why we access ConnectedOrgFriendlyName
immediately after ServiceClient creation. Referenced that PAC CLI uses
the same pattern (ConnectedOrgToSelectedOrganizationInfo after Connect).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: remove inappropriate external code reference from comments

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: address bot review comments

- Add token cache priming with cancellationToken in GitHubFederated,
  AzureDevOpsFederated, and ManagedIdentity credential providers
- Simplify CanUseGlobalDiscovery to use 'is or' pattern

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: fix XML documentation for ResolveAsync

- Fixed return description to match actual Result type
- Removed incorrect exception documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: joshsmithxrm

src/PPDS.Auth/CHANGELOG.md

@@ -9,10 +9,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
-- **ServiceClient org metadata not populated** - Credential providers now use `ConnectionOptions` constructor instead of token provider constructor, which triggers org metadata discovery. This populates `ConnectedOrgFriendlyName`, `ConnectedOrgUniqueName`, and `ConnectedOrgId` properties. ([#86](https://github.com/joshsmithxrm/ppds-sdk/issues/86))
+- **ServiceClient org metadata not populated** - Credential providers now force eager org metadata discovery by accessing `ConnectedOrgFriendlyName` immediately after creating the ServiceClient. Discovery is lazy by default, and the connection pool clones clients before properties are accessed, resulting in empty metadata. This fix ensures `ConnectedOrgFriendlyName`, `ConnectedOrgUniqueName`, and `ConnectedOrgId` are populated. ([#86](https://github.com/joshsmithxrm/ppds-sdk/issues/86))
 
 ### Added
 
+- **`EnvironmentResolutionService`** - Multi-layer environment resolution that tries direct Dataverse connection first (works for service principals), then falls back to Global Discovery for user authentication. Returns full org metadata. ([#89](https://github.com/joshsmithxrm/ppds-sdk/issues/89), [#88](https://github.com/joshsmithxrm/ppds-sdk/issues/88))
 - **Integration tests for credential providers** - Live tests for `ClientSecretCredentialProvider`, `CertificateFileCredentialProvider`, and `GitHubFederatedCredentialProvider` ([#55](https://github.com/joshsmithxrm/ppds-sdk/issues/55))
 - Manual test procedures documentation for interactive browser and device code authentication
 

src/PPDS.Auth/Credentials/AzureDevOpsFederatedCredentialProvider.cs

@@ -77,15 +77,24 @@ public async Task<ServiceClient> CreateServiceClientAsync(
 
         EnsureCredentialInitialized();
 
-        // Create ServiceClient using ConnectionOptions to ensure org metadata discovery.
-        // The provider function acquires tokens on demand and refreshes when needed.
+        // Get token and prime the cache (uses cancellationToken for cancellable first request)
+        await GetTokenAsync(environmentUrl, cancellationToken).ConfigureAwait(false);
+
+        // Create ServiceClient using ConnectionOptions.
+        // The provider function uses cached tokens and refreshes when needed.
         var options = new ConnectionOptions
         {
             ServiceUri = new Uri(environmentUrl),
             AccessTokenProviderFunctionAsync = _ => GetTokenAsync(environmentUrl, CancellationToken.None)
         };
         var client = new ServiceClient(options);
 
+        // Force org metadata discovery before client is cloned by pool.
+        // ServiceClient uses lazy initialization - properties like ConnectedOrgFriendlyName
+        // are only populated when first accessed. The connection pool clones clients before
+        // properties are accessed, so clones would have empty metadata.
+        _ = client.ConnectedOrgFriendlyName;
+
         if (!client.IsReady)
         {
             var error = client.LastError ?? "Unknown error";

src/PPDS.Auth/Credentials/DeviceCodeCredentialProvider.cs

@@ -111,7 +111,7 @@ public async Task<ServiceClient> CreateServiceClientAsync(
         // Get token and prime the cache (may prompt user for device code auth)
         await GetTokenAsync(environmentUrl, forceInteractive, cancellationToken).ConfigureAwait(false);
 
-        // Create ServiceClient using ConnectionOptions to ensure org metadata discovery.
+        // Create ServiceClient using ConnectionOptions.
         // The provider function uses cached tokens and refreshes silently when needed.
         var options = new ConnectionOptions
         {
@@ -120,6 +120,12 @@ public async Task<ServiceClient> CreateServiceClientAsync(
         };
         var client = new ServiceClient(options);
 
+        // Force org metadata discovery before client is cloned by pool.
+        // ServiceClient uses lazy initialization - properties like ConnectedOrgFriendlyName
+        // are only populated when first accessed. The connection pool clones clients before
+        // properties are accessed, so clones would have empty metadata.
+        _ = client.ConnectedOrgFriendlyName;
+
         if (!client.IsReady)
         {
             var error = client.LastError ?? "Unknown error";

src/PPDS.Auth/Credentials/GitHubFederatedCredentialProvider.cs

@@ -77,15 +77,24 @@ public async Task<ServiceClient> CreateServiceClientAsync(
 
         EnsureCredentialInitialized();
 
-        // Create ServiceClient using ConnectionOptions to ensure org metadata discovery.
-        // The provider function acquires tokens on demand and refreshes when needed.
+        // Get token and prime the cache (uses cancellationToken for cancellable first request)
+        await GetTokenAsync(environmentUrl, cancellationToken).ConfigureAwait(false);
+
+        // Create ServiceClient using ConnectionOptions.
+        // The provider function uses cached tokens and refreshes when needed.
         var options = new ConnectionOptions
         {
             ServiceUri = new Uri(environmentUrl),
             AccessTokenProviderFunctionAsync = _ => GetTokenAsync(environmentUrl, CancellationToken.None)
         };
         var client = new ServiceClient(options);
 
+        // Force org metadata discovery before client is cloned by pool.
+        // ServiceClient uses lazy initialization - properties like ConnectedOrgFriendlyName
+        // are only populated when first accessed. The connection pool clones clients before
+        // properties are accessed, so clones would have empty metadata.
+        _ = client.ConnectedOrgFriendlyName;
+
         if (!client.IsReady)
         {
             var error = client.LastError ?? "Unknown error";

src/PPDS.Auth/Credentials/InteractiveBrowserCredentialProvider.cs

@@ -144,7 +144,7 @@ public async Task<ServiceClient> CreateServiceClientAsync(
         // Get token and prime the cache (may prompt user for interactive auth)
         await GetTokenAsync(environmentUrl, forceInteractive, cancellationToken).ConfigureAwait(false);
 
-        // Create ServiceClient using ConnectionOptions to ensure org metadata discovery.
+        // Create ServiceClient using ConnectionOptions.
         // The provider function uses cached tokens and refreshes silently when needed.
         var options = new ConnectionOptions
         {
@@ -153,6 +153,12 @@ public async Task<ServiceClient> CreateServiceClientAsync(
         };
         var client = new ServiceClient(options);
 
+        // Force org metadata discovery before client is cloned by pool.
+        // ServiceClient uses lazy initialization - properties like ConnectedOrgFriendlyName
+        // are only populated when first accessed. The connection pool clones clients before
+        // properties are accessed, so clones would have empty metadata.
+        _ = client.ConnectedOrgFriendlyName;
+
         if (!client.IsReady)
         {
             var error = client.LastError ?? "Unknown error";

src/PPDS.Auth/Credentials/ManagedIdentityCredentialProvider.cs

@@ -91,8 +91,11 @@ public async Task<ServiceClient> CreateServiceClientAsync(
         // Normalize URL
         environmentUrl = environmentUrl.TrimEnd('/');
 
-        // Create ServiceClient using ConnectionOptions to ensure org metadata discovery.
-        // The provider function acquires tokens on demand and refreshes when needed.
+        // Get token and prime the cache (uses cancellationToken for cancellable first request)
+        await GetTokenAsync(environmentUrl, cancellationToken).ConfigureAwait(false);
+
+        // Create ServiceClient using ConnectionOptions.
+        // The provider function uses cached tokens and refreshes when needed.
         ServiceClient client;
         try
         {
@@ -102,6 +105,12 @@ public async Task<ServiceClient> CreateServiceClientAsync(
                 AccessTokenProviderFunctionAsync = _ => GetTokenAsync(environmentUrl, CancellationToken.None)
             };
             client = new ServiceClient(options);
+
+            // Force org metadata discovery before client is cloned by pool.
+            // ServiceClient uses lazy initialization - properties like ConnectedOrgFriendlyName
+            // are only populated when first accessed. The connection pool clones clients before
+            // properties are accessed, so clones would have empty metadata.
+            _ = client.ConnectedOrgFriendlyName;
         }
         catch (Exception ex)
         {

src/PPDS.Auth/Credentials/MsalClientBuilder.cs

@@ -113,9 +113,9 @@ public static void UnregisterCache(MsalCacheHelper? cacheHelper, IPublicClientAp
             {
                 cacheHelper.UnregisterCache(client.UserTokenCache);
             }
-            catch
+            catch (Exception)
             {
-                // Ignore errors during cleanup
+                // Cleanup should never throw - swallow all errors
             }
         }
     }