Issues/10 provider contracts entitlement operations get grant revoke

[blindzero]

Summary

This PR fully implements Issue #10 by completing and stabilizing the provider contract test suite for identity, capability advertisement, and entitlement operations.

All provider contracts are now aligned with the current engine architecture, Pester 5 execution model, and the real provider interfaces used by IdLE.

What was done

Identity provider contract

• Relaxed overly strict type assertions.
• GetIdentity() is now validated by shape/semantics instead of forcing [hashtable].
• Both hashtable and PSCustomObject identity representations are accepted as long as required properties are present.

Capability advertisement contract

• Stabilized provider factory handling for Pester 5 discovery vs run phase.
• Ensures GetCapabilities() is exposed as a method.
• Validates that capability identifiers are stable, non-empty strings.
• Supports empty capability lists only when explicitly allowed.

Entitlement provider contract (core of #10)

• Removed legacy EnsureEntitlement expectations.
• Introduced explicit contract for:
  • ListEntitlements
  • GrantEntitlement
  • RevokeEntitlement
• Validates idempotency of grant and revoke operations.
• Verifies that ListEntitlements() correctly reflects grant/revoke state changes.
• Normalizes provider output so $null entitlement lists are treated as empty collections.
• Avoids Pester pipeline pitfalls when asserting empty arrays.

Why this change

• Issue Provider contracts: entitlement operations (Get/Grant/Revoke) #10 required moving away from implicit / legacy entitlement handling toward explicit, idempotent entitlement operations.
• The previous contracts did not reflect the actual provider API and caused false negatives.
• Pester 5’s discovery/run separation required a more robust factory handling approach.
• Contracts are now semantics-driven, not implementation-driven, and tolerate realistic provider behavior (e.g. $null vs empty lists).

How it works (high-level)

• Provider factories are captured safely for Pester runtime execution.
• Contract tests validate observable behavior instead of internal data structures.
• Entitlement state is asserted through List → Grant → List → Revoke → List.
• All provider outputs are normalized before assertions to ensure deterministic tests.

Tests

• Invoke-Pester -Path .\tests\Providers\MockIdentityProvider.Tests.ps1
• All provider contract tests pass locally
• No changes to production code paths

Issues

Closes Issue #10

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.