Refactor: Standardize Identity capability names to IdLE.Identity.*

[blindzero]

Goal

Standardize all Identity capability names across the repository to use the canonical namespace:

• Canonical: IdLE.Identity.*
• Legacy (deprecated): Identity.*

The repository currently uses a mix of Identity.* and IdLE.Entitlement.*. This issue makes Identity consistent with the existing IdLE.* namespacing approach.

Motivation

• Avoid capability naming drift between docs, examples, tests, and providers.
• Ensure plan-time validation behaves consistently (same names everywhere).
• Reduce cognitive load for contributors and for provider authors.

Scope

In scope

• Update all occurrences of Identity.* capabilities in:
  • Core capability validation / inference helpers (if present)
  • Built-in step metadata (RequiresCapabilities)
  • Mock provider capability advertisement
  • Provider contract tests and other unit tests
  • Example workflow configurations (demo runner workflows)
  • Documentation that references capability names

Out of scope

• Implementing new providers or new steps beyond capability renames.
• Changing the semantics of capabilities (this is a rename/standardization only).

Decisions

1) Canonical naming rule

All Identity capabilities MUST be named under the IdLE. namespace.

• ✅ Canonical: IdLE.Identity.Read
• ❌ Not allowed for new work: Identity.Read

2) Compatibility policy

Until v1.0.0, legacy Identity.* capability names are treated as deprecated aliases for IdLE.Identity.*.

• Engine/plan validation SHOULD accept legacy names when encountered.
• A warning event MUST be emitted when a legacy name is used (so users see it and can migrate).
• Documentation and examples MUST use canonical names only.

Rationale: This avoids breaking existing workflow configs immediately while enabling #46 and future work to rely on canonical names.

Canonical capability map (old → new)

Update capability strings as follows (exact matches):

Legacy name	Canonical name
Identity.Read	IdLE.Identity.Read
Identity.Disable	IdLE.Identity.Disable
Identity.Enable	IdLE.Identity.Enable
Identity.Create	IdLE.Identity.Create
Identity.Delete	IdLE.Identity.Delete
Identity.Move	IdLE.Identity.Move
Identity.List	IdLE.Identity.List
Identity.Attribute.Ensure	IdLE.Identity.Attribute.Ensure

Note: If the repository currently uses an alternative attribute capability name (e.g., Identity.EnsureAttribute), it MUST be normalized to the canonical form above as part of this issue.

Implementation notes

Where to implement alias support (if needed)

If a central normalization point exists (recommended), add a helper that:

• Receives a list of capability strings
• Normalizes them to canonical form
• Returns the canonical list
• Emits a warning event when legacy names are seen

Suggested behavior:

• Normalization is applied both to:
  • Provider-advertised capabilities
  • Step RequiresCapabilities

This ensures plan-time checks do not fail due to legacy naming.

Do not change semantics

This issue is renaming/standardization only:

• Do not change what the capability means
• Do not introduce new side effects

Tasks

Code

• Replace all Identity.* occurrences in core/steps/providers/tests/examples with IdLE.Identity.*.
• Ensure built-in steps declare canonical RequiresCapabilities.
• Update the mock provider to advertise canonical Identity capabilities.
• Add/adjust normalization/alias logic (until v1.0.0) and emit a warning event for legacy names.

Tests

• Update tests that assert capability names.
• Add tests for alias behavior (legacy name accepted, warning emitted, canonical name used internally).

Docs / Examples

• Update documentation to use canonical names.
• Update demo runner example workflows to use canonical names.

Acceptance criteria

• All repository code and examples use canonical IdLE.Identity.* capability names.
• All tests are green.
• PSScriptAnalyzer (or repo linting) remains green.
• Legacy Identity.* names are accepted until v1.0.0 AND produce a warning event.
• No documentation/examples reference Identity.* after this change.

Related issues

• IdLE.Provider.AD (On-Prem AD) MVP (Windows-only) #46 (AD Provider + steps) assumes canonical IdLE.Identity.* capability names.

Notes for reviewers

• This issue is intentionally cross-cutting; keep PRs small by grouping changes by area (e.g., core + tests, then docs + examples) or by doing one cohesive PR if CI time is acceptable.
• Ensure no capability strings remain in the legacy namespace.