I think this condition should be inside (service.backendSystem && hostEnv !== hostEnvironment.bas) otherwise it will always log, even on bas.

Makes sense - thank you. Committed, with an additional check, as discussed.

Can we not remove the credentials from the PromptState.odataService.backendSystem object before returning (wherever we determine this) - so we dont need this extra logic in multiple places? I dont recall why we need this extra property temporaryCredentials?

I think we could do it with just newOrUpdated, actually, without the temporaryCredentials.

Do we need this condition? Regardless of having creds or auth fails and the user will have to input credentials.

Not needed - leftover from testing something during dev, will remove it - thanks for spotting!

This is reading every system from secure store? We went to some effort to avoid this!

Why check for display name here? I dont think this is related to the username.

This should be a lower priority that the cert errors (the condition should be evaluated after error conditions)

Im not sure we should be maintaining a specific system info at the root level without context. Can we instead update the locally cached backend system (selected system actually) that is selected with updateCredentials boolean property that is set based on some criteria (existence of credentials or a property of the stored system in future marked as do not store creds).

I think we can avoid a second read here.

We shouldnt be validating if there are no credentials to validate hence the conditions that have been removed? Note that this code is also used by new system flows probably and so these conditions are relevant in those cases

This was meant to check with hasStoredCredentials from above, which would be valid at that point. I missed it.