Fix template resolution type coercion for pure placeholders

[Copilot]

Fix Template Resolution Type Coercion Issue ✅

Successfully fixed template resolution to preserve types for pure placeholders instead of unconditionally coercing to strings.

Summary of Changes

Problem: Template resolution was converting all resolved values to strings, breaking boolean and other typed parameters. For example, $false → "False" → [bool]"False" = $true.

Solution: Modified Resolve-IdleTemplateString.ps1 to detect pure placeholders (single placeholder with no surrounding text) and return the resolved value with its original type preserved.

Implementation Details

• Explore repository structure and locate template resolution code
• Understand current implementation in Resolve-IdleTemplateString.ps1
• Understand existing tests in Resolve-IdleWorkflowTemplates.Tests.ps1
• Modify Resolve-IdleTemplateString.ps1 to detect pure placeholders
• Implement type preservation for pure placeholders (return object as-is)
• Keep string interpolation for mixed content
• Add unit tests for type preservation (bool, int, datetime, guid)
• Add regression test for boolean false scenario
• Run tests to validate changes
• Verify no regressions in existing test suite
• Run ScriptAnalyzer to verify code quality
• Address code review feedback (refactor duplication)
• Run security checker (codeql_checker)
• Extract duplicate resolution logic into shared helpers
• Simplify type validation logic
• Add explicit security checks for dangerous types
• Move security checks before interpolation mode check (applies to both pure and mixed)

Changes Made

Modified:

• src/IdLE.Core/Private/Resolve-IdleTemplateString.ps1
  • Added pure placeholder detection using regex ^\s*\{\{([^}]+)\}\}\s*$
  • Implemented dual-path resolution (pure vs mixed)
  • Extracted validation helpers to eliminate code duplication
  • Extracted resolution logic into shared $resolvePath helper
  • Simplified type validation to use .IsValueType property
  • Security checks for ScriptBlock/PSCredential/SecureString now apply regardless of interpolation mode
  • Updated documentation

Added:

• tests/fixtures/workflows/template-tests/template-pure-boolean-false.psd1
• tests/fixtures/workflows/template-tests/template-pure-boolean-true.psd1
• tests/fixtures/workflows/template-tests/template-pure-integer.psd1
• tests/fixtures/workflows/template-tests/template-pure-datetime.psd1
• tests/fixtures/workflows/template-tests/template-pure-guid.psd1
• tests/fixtures/workflows/template-tests/template-mixed-boolean.psd1

Updated:

• tests/Core/Resolve-IdleWorkflowTemplates.Tests.ps1
  • Added 6 new tests for type preservation
  • Added note about security validation (verified via manual testing due to test harness limitations)

Test Results

✅ All 198 Core tests pass (0 failures, 2 skipped)
✅ All 32 template resolution tests pass (including 6 new type preservation tests)
✅ ScriptAnalyzer passes with no findings
✅ CodeQL security check passes
✅ Manual verification confirms boolean false stays false
✅ Security checks apply to both pure and mixed templates (verified manually)

Code Quality & Security Improvements

• Eliminated duplicate Request.Input alias handling code
• Eliminated duplicate segment traversal logic
• Simplified scalar type validation using .IsValueType
• Security checks now apply before interpolation mode check:
  • ScriptBlock (executable code) - rejected in both pure and mixed modes
  • PSCredential (credentials should use AuthSessionBroker) - rejected in both modes
  • SecureString (credentials should use AuthSessionBroker) - rejected in both modes
• Improved maintainability by centralizing resolution logic
• Clear error messages for security violations

Type Validation Logic

Allowed types (data-only scalars):

• String (fundamental data type)
• Value types via .IsValueType:
  • Primitives: bool, byte, int16, int32, int64, single, double, decimal
  • Structs: DateTime, Guid, TimeSpan
  • Enums

Explicitly rejected (security - applies to both pure and mixed templates):

• ScriptBlock (executable code)
• PSCredential (use AuthSessionBroker instead)
• SecureString (use AuthSessionBroker instead)
• Collections (hashtable, array, IEnumerable)
• Complex reference types (PSCustomObject, Uri, Version, etc.)

Backwards Compatibility

This is a bug fix with no breaking changes:

• Pure placeholders now preserve types (correct behavior)
• Mixed templates still do string interpolation (unchanged)
• All existing tests pass without modification

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Template resolution coerces scalars to string (breaks booleans like Enabled=$false)</issue_title>
<issue_description>## Description

IdLE template resolution currently coerces resolved placeholder values to string unconditionally.

This breaks scenarios where a step expects a typed scalar (e.g. bool) and the workflow uses a template placeholder like:

• Enabled = '{{Request.DesiredState.Enabled}}'

Even if Request.DesiredState.Enabled is a real boolean $false, the template resolver returns "False" (a non-empty string). In PowerShell, casting a non-empty string to [bool] yields $true, so the user ends up enabled unexpectedly.

This is observed with IdLE.Step.CreateIdentity (AD provider), where Enabled is derived from Attributes['Enabled'] via [bool] conversion.

This is a fail-fast correctness bug: it silently flips user intent for boolean parameters.

Step-0 Analysis (Safe)

What happens today

1. Request contains a real boolean:

   • DesiredState.Enabled = $false

2. Workflow contains a template placeholder:

   • Enabled = '{{Request.DesiredState.Enabled}}'

3. The template resolver resolves placeholders and coerces to string (effectively [string]$resolvedValue).

4. The AD provider adapter reads the resolved value:

   • $enabled = [bool]$Attributes['Enabled']

In PowerShell:

• [bool]"False" is $true (because it's a non-empty string).

Why this is not a user error

• Users are doing the correct thing: passing a boolean in the request.
• The workflow template language suggests typed data flows should work (especially for scalar placeholders).
• The engine should preserve the type when the value is a pure placeholder, otherwise typed step inputs cannot be safely templated.

Steps to Reproduce

1. Create a request:

   $joinerReq = New-IdleLifecycleRequestObject -LifecycleEvent 'Joiner' -Actor $env:USERNAME `
     -IdentityKeys @{ SamAccountName = 'foo.bar' } `
     -DesiredState @{ Enabled = $false }

2. Use a workflow step that templates Enabled:

   @{
     Name = 'Create AD account'
     Type = 'IdLE.Step.CreateIdentity'
     With = @{
       Provider    = 'AD'
       IdentityKey = '{{Request.IdentityKeys.SamAccountName}}'
       Attributes  = @{
         Enabled = '{{Request.DesiredState.Enabled}}'
       }
     }
   }

3. Execute the plan (any host runner).

Expected Behavior

• Enabled should remain a boolean False after template resolution.
• The resulting AD account should be created disabled (or at least the provider should see $enabled -eq $false).

Actual Behavior

• The template resolver returns "False" (string).
• The AD provider converts it to boolean and receives $true.
• The account is created enabled (or Enabled behaves inverted).

Scope / Impact

• Affects any step/provider relying on typed scalar inputs (bool, int, datetime, guid, etc.) when values are supplied via templates.
• High risk: produces silent incorrect state and can cause security/process issues (e.g., accounts enabled when they should be disabled).
• Relevant for 1.0 because template-based workflows are a core feature.

Proposed Fix (Agent-Safe)

Fix rule

When a workflow value is exactly one template placeholder (no prefix/suffix text), the template engine must return the resolved value as-is (typed object) instead of coercing to string.

Examples:

• Input: '{{Request.DesiredState.Enabled}}'

  • Output type: bool (same as Request.DesiredState.Enabled)

• Input: 'Enabled={{Request.DesiredState.Enabled}}' (mixed string)

  • Output type: string (string interpolation remains valid)

Implementation outline

1. In the template resolution function (currently Resolve-IdleTemplateString or wherever the placeholder substitution is performed):

   • Detect "pure placeholder" strings using a strict regex, e.g. ^\s*\{\{.+?\}\}\s*$
   • If it is a pure placeholder:
     • Resolve the placeholder and return the underlying value (object) without converting to string.
   • Else:
     • Perform the current string interpolation behavior.

2. Ensure this behavior is applied consistently wherever workflow templates are resolved (arrays/hashtables/nested structures).

3. Add unit tests for:

   • bool $false stays $false (typed)
   • bool $true stays $true
   • int stays int
   • datetime stays datetime
   • mixed string interpolation still returns string

4. Add a regression test for the AD CreateIdentity scenario:

   • CreateIdentity receives a boolean $false for Enabled when templated.

Backwards compatibility

This is a bug fix. Typed preservation only happens for pure placeholders and should not break existing string interpolation patterns.

Additional Notes / References

• The AD provider currently interprets Enabled via [bool]$Attributes['Enabled'], which is correct given a b...

• Fixes Template resolution coerces scalars to string (breaks booleans like Enabled=$false) #166

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2308449431

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

Fixes IdLE workflow template resolution so that pure placeholders (a value that is exactly {{...}} with no surrounding text) preserve the resolved value’s original type instead of coercing to string, preventing typed workflow parameters (notably booleans) from being silently flipped during casting.

Changes:

• Add pure-placeholder detection in Resolve-IdleTemplateString and return typed resolved values for that case; keep string interpolation behavior for mixed templates.
• Refactor shared path validation/root allowlist into reusable scriptblocks.
• Add fixtures + Pester tests covering type preservation for bool/int/datetime/guid and confirming mixed templates still interpolate to strings.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/IdLE.Core/Private/Resolve-IdleTemplateString.ps1	Adds pure-placeholder typed return path while keeping mixed-template string interpolation and existing security/root validation.
tests/Core/Resolve-IdleWorkflowTemplates.Tests.ps1	Adds regression tests ensuring scalar types are preserved for pure placeholders and strings remain strings for mixed templates.
tests/fixtures/workflows/template-tests/template-pure-boolean-false.psd1	Fixture workflow for pure-placeholder boolean $false.
tests/fixtures/workflows/template-tests/template-pure-boolean-true.psd1	Fixture workflow for pure-placeholder boolean $true.
tests/fixtures/workflows/template-tests/template-pure-integer.psd1	Fixture workflow for pure-placeholder integer.
tests/fixtures/workflows/template-tests/template-pure-datetime.psd1	Fixture workflow for pure-placeholder datetime.
tests/fixtures/workflows/template-tests/template-pure-guid.psd1	Fixture workflow for pure-placeholder guid.
tests/fixtures/workflows/template-tests/template-mixed-boolean.psd1	Fixture workflow for mixed-template string interpolation with a boolean.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

[blindzero]

@copilot apply changes based on the comments in this thread