Simplify EntraConnect DirectorySync auth flow: provider-managed PSRemoting with provider-specific step inputs #286

Merged: ntt-matthias-fleschuetz merged 23 commits into main from copilot/fix-psremoting-integration, May 16, 2026

Copilot AI commented May 16, 2026

This PR simplifies the TriggerDirectorySync contract and EntraConnect integration by keeping provider-specific sync inputs (ComputerName, PolicyType) as direct With.* keys while making step-level input requirements provider-agnostic.

What changed

  • Re-assessed TriggerDirectorySync contract usage and removed ProviderInput nesting for this step/provider path.
  • Refactored TriggerDirectorySync step + metadata so step-level WithSchema has no required keys.
  • Kept With.Provider, With.AuthSessionName, and With.AuthSessionOptions optional (default behavior applies when omitted).
  • Treated ComputerName and PolicyType as provider-specific inputs (validated by provider implementations, not enforced at step schema level).
  • Kept and documented With.AuthSessionOptions support (including provider docs).
  • Kept EntraConnect provider methods on direct ComputerName / PolicyType arguments.
  • Updated tests and regenerated step/provider documentation to match the finalized contract.

Follow-up review adjustments

  • Optimized the step reference generator output for steps with no required With.* keys (instead of manually editing generated docs), then regenerated references.
  • Re-added a workflow template example showing With.AuthSessionOptions usage for EntraConnect routing.
  • Refined TriggerDirectorySync step tests:
    • renamed misleading test wording around AuthSessionName
    • restored step-path coverage for PolicyType='Initial'
    • added/clarified negative coverage for invalid PolicyType via provider-side validation.

Validation

  • Ran targeted step/metadata regression tests.
  • Ran full Pester validation.
  • Addressed review feedback and revalidated.

Copilot AI and others added 2 commits May 16, 2026 14:34
Agent-Logs-Url: https://github.com/blindzero/IdentityLifecycleEngine/sessions/b70820fb-7961-4838-961b-84daf403564c

Co-authored-by: ntt-matthias-fleschuetz <55826276+ntt-matthias-fleschuetz@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix DirectorySync.EntraConnect PSRemoting integration Simplify EntraConnect DirectorySync auth flow: provider-managed PSRemoting with ComputerName + credential May 16, 2026
Copilot AI and others added 2 commits May 16, 2026 14:49
…put bag

Comment thread docs/reference/steps/step-trigger-directory-sync.md Outdated
Comment thread docs/reference/providers/provider-directorysync-entraconnect.md
Copilot AI and others added 2 commits May 16, 2026 15:06

Copilot AI commented May 16, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • www.powershellgallery.com
    • Triggering command: /usr/bin/pwsh pwsh -NoLogo -NoProfile -File ./tools/Invoke-IdleScriptAnalyzer.ps1 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Simplify EntraConnect DirectorySync auth flow: provider-managed PSRemoting with ComputerName + credential Simplify EntraConnect DirectorySync auth flow: provider-managed PSRemoting with optional AuthSessionName routing May 16, 2026
Comment thread docs/reference/steps/step-trigger-directory-sync.md Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 16, 2026 16:21

Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

src/IdLE.Provider.DirectorySync.EntraConnect/Public/New-IdleEntraConnectDirectorySyncProvider.ps1:148

  • When $AuthSession is $null, the [ValidateNotNull()] attribute on the [object] parameter will throw first — good — but if it is a value type passed via the script-method invocation, $AuthSession.GetType().FullName after the -isnot [pscredential] check is safe. However, if $AuthSession were ever a hashtable or other non-credential reference type without GetType issues it's fine; consider also formatting the error to include the parameter name (e.g. "AuthSession parameter must be a [PSCredential]...") to keep parity with the more descriptive ComputerName binding error message. Minor wording suggestion only.
        if ($AuthSession -isnot [pscredential]) {
            $actualType = $AuthSession.GetType().FullName
            throw "AuthSession must be a [PSCredential] for PSRemoting session creation. Received: [$actualType]"
        }
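
Added example, not code from this PR or from the IdLE project: one way a provider could validate ComputerName, PolicyType and AuthSession itself once the step schema no longer requires them, with null-safe error messages that name the parameter. The function name, the host-name pattern and the `Delta`/`Initial` value set are assumptions.

```powershell
# Added example: hypothetical helper, not part of the IdLE code base.
function Assert-ExampleDirectorySyncInput {
    [CmdletBinding()]
    param(
        [AllowNull()] [object] $ComputerName,
        [AllowNull()] [object] $PolicyType,
        [AllowNull()] [object] $AuthSession
    )

    # Null-safe type name, so building the error message can never throw itself.
    $typeOf = { param($v) if ($null -eq $v) { 'null' } else { $v.GetType().FullName } }

    # ComputerName must be a real string, not a hashtable or array taken from With.*.
    if (($ComputerName -isnot [string]) -or [string]::IsNullOrWhiteSpace($ComputerName)) {
        throw "ComputerName parameter must be a non-empty [string]. Received: [$(& $typeOf $ComputerName)]"
    }
    # Assumption: only host-name characters are allowed in a remoting target.
    if ($ComputerName -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]{0,253}[A-Za-z0-9])?$') {
        throw 'ComputerName parameter contains characters that are not valid in a host name.'
    }

    # Assumption: Delta and Initial are the accepted sync cycle policy types.
    $allowed = @('Delta', 'Initial')
    if (($PolicyType -isnot [string]) -or ($PolicyType -notin $allowed)) {
        throw "PolicyType parameter must be one of: $($allowed -join ', '). Received: [$(& $typeOf $PolicyType)]"
    }

    if ($AuthSession -isnot [pscredential]) {
        throw "AuthSession parameter must be a [PSCredential] for PSRemoting session creation. Received: [$(& $typeOf $AuthSession)]"
    }
    # Return normalized values (canonical PolicyType casing) for the caller to use.
    [pscustomobject]@{
        ComputerName = $ComputerName
        PolicyType   = $allowed | Where-Object { $_ -eq $PolicyType }
    }
}

# Constructed inputs: one valid call, then three that must be rejected.
$cred  = [pscredential]::new('CONTOSO\svc-sync', [securestring]::new())  # constructed, empty password
$cases = @(
    @{ ComputerName = 'sync01.contoso.example'; PolicyType = 'initial'; AuthSession = $cred }
    @{ ComputerName = 'sync01.contoso.example'; PolicyType = 'Full';    AuthSession = $cred }
    @{ ComputerName = @{ Name = 'sync01' };     PolicyType = 'Delta';   AuthSession = $cred }
    @{ ComputerName = 'sync01.contoso.example'; PolicyType = 'Delta';   AuthSession = 'not-a-credential' }
)
foreach ($case in $cases) {
    try   { $r = Assert-ExampleDirectorySyncInput @case; "Accepted: $($r.ComputerName) / $($r.PolicyType)" }
    catch { "Rejected: $($_.Exception.Message)" }
}
```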

Comment thread examples/workflows/templates/ad-joiner-entraconnect-entraid.psd1
Copilot AI review requested due to automatic review settings May 16, 2026 16:27
Comment thread examples/workflows/templates/ad-joiner-entraconnect-entraid.psd1
Comment thread src/IdLE.Steps.DirectorySync/Public/Invoke-IdleStepTriggerDirectorySync.ps1 Outdated

Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (1)

src/IdLE.Steps.DirectorySync/Public/Invoke-IdleStepTriggerDirectorySync.ps1:110

  • The DirectorySyncTriggered event data payload forwards $policyType and $computerName verbatim. The Message text is guarded via [string]$policyType, but the structured PolicyType/ComputerName data fields can still receive non-string objects (or $null) from With.*. Downstream event consumers/log sinks previously could rely on these being strings. Consider coercing the event-data fields to [string] as well for consistency. The same applies to the PolicyType payload at line 196 in the non-wait branch.
        $Context.EventSink.WriteEvent('DirectorySyncTriggered', $triggerMessage, $stepName, @{
                PolicyType = $policyType
                ComputerName = $computerName
            })
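
Added example, not code from this PR or from the IdLE project: the string coercion of structured event fields suggested in the comment above, extended with control-character replacement and a length cap so a line-oriented log sink always receives one bounded string per field. The function name, the `Note` field and the 256-character cap are assumptions.

```powershell
# Added example: hypothetical helper, not part of the IdLE code base.
function ConvertTo-ExampleEventData {
    [CmdletBinding()]
    [OutputType([hashtable])]
    param(
        [Parameter(Mandatory)] [hashtable] $Data,
        [ValidateRange(1, 4096)] [int] $MaxLength = 256   # assumed cap, not from the PR
    )

    $clean = @{}
    foreach ($key in $Data.Keys) {
        # [string] cast: $null -> '', arrays -> space-joined, other objects -> ToString().
        $text = [string]$Data[$key]
        # Beyond the review comment: replace control characters so a value
        # cannot break a line-oriented log sink into extra records.
        $text = $text -replace '[\x00-\x1F\x7F]', ' '
        if ($text.Length -gt $MaxLength) { $text = $text.Substring(0, $MaxLength) }
        $clean[[string]$key] = $text
    }
    $clean
}

# Constructed With.* values as they might arrive from a workflow definition.
$policyType   = @('Delta', 'Initial')      # array instead of a string
$computerName = $null                      # key omitted in the workflow
$note         = "line one`r`nline two"     # embedded CR/LF

$eventData = ConvertTo-ExampleEventData -Data @{
    PolicyType   = $policyType
    ComputerName = $computerName
    Note         = $note
}
foreach ($name in ($eventData.Keys | Sort-Object)) {
    '{0,-12} = "{1}" ({2})' -f $name, $eventData[$name], $eventData[$name].GetType().Name
}
```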

Comment thread src/IdLE.Steps.DirectorySync/Public/Invoke-IdleStepTriggerDirectorySync.ps1 Outdated
Comment thread examples/workflows/templates/ad-joiner-entraconnect-entraid.psd1
Comment thread docs/reference/providers/provider-directorysync-entraconnect.md Outdated
…tions example

Copilot AI review requested due to automatic review settings May 16, 2026 16:32

Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.

… provider methods

ntt-matthias-fleschuetz merged commit 70915d2 into main May 16, 2026
8 checks passed
ntt-matthias-fleschuetz deleted the copilot/fix-psremoting-integration branch May 16, 2026 16:42

Development

Successfully merging this pull request may close these issues.

Fix DirectorySync.EntraConnect PSRemoting integration
