Centralize ScriptBlock validation to avoid per-step drift

[blindzero]

Problem Statement

ScriptBlock validation is a security-critical guardrail. If individual steps implement their own ScriptBlock checks (even with good intentions), this introduces duplication and drift risk: different steps may validate differently over time, weakening consistency and maintainability.

Proposed Solution

• Identify any step implementations that perform local ScriptBlock validation on With / step input.
• Replace local validations with a centralized assertion/helper from Core (or a single shared helper in Steps.Common), so the rule is implemented once.
• If a step needs a narrower/specialized rule, document it explicitly and keep the specialized logic small and well-tested.

Requirements:

• Central helper name and location should match existing conventions (approved verbs, consistent naming).
• Ensure the central helper is used consistently across steps that need the check.
• Update relevant docs (developer guidance for step authors) to mandate the centralized helper.

Alternatives Considered

• Leave step-local validation in place.
  • Rejected: increases the chance of inconsistent enforcement and future security regressions.

Impact

• Does this affect existing workflows?
  • No functional change intended; this is a refactor/hardening.
• Any backward compatibility concerns?
  • None.

Acceptance Criteria:

• All ScriptBlock validation in steps is routed through a single canonical helper (unless explicitly documented exception).
• Pester tests cover:
  • The helper behavior (positive/negative cases)
  • At least one step using the helper (integration-style unit test)
• Docs for contributors/step authors reference the centralized approach.

Additional Context

Verification:

• Run PSScriptAnalyzer and Pester in a pwsh-capable environment.

Definition of Done:

• Reduced duplication.
• Consistent behavior across steps.
• No loosening of existing security guardrails.