
Remove ScriptBlock exemption for AuthSessionBroker#190

Merged
blindzero merged 3 commits into main from copilot/minimize-scriptblock-exemptions
Feb 13, 2026

Conversation

Contributor

Copilot AI commented Feb 13, 2026

AuthSessionBroker objects stored a validation ScriptBlock as a property, requiring an exemption in Assert-IdleNoScriptBlock. This exemption created boundary confusion between trusted extension points and untrusted data inputs.

Changes

Eliminated ScriptBlock storage

  • Removed ValidateAuthSession property from broker objects
  • Call Assert-IdleAuthSessionMatchesType directly in AcquireAuthSession method
  • Removes premature optimization with no performance benefit

Removed exemption logic

  • Deleted type-based exemption for IdLE.AuthSessionBroker in Assert-IdleNoScriptBlock
  • All objects now validated uniformly with zero exemptions

Documented trust boundaries

  • Defined untrusted inputs (data-only) vs trusted extension points (code) in docs/about/security.md
  • Established single source of truth for ScriptBlock handling rules
  • Clarified that AuthSessionBroker may have ScriptMethods but not ScriptBlock properties

Added regression tests

  • Test suite confirms ScriptBlocks rejected in workflows, provider maps, lifecycle requests, and broker properties
  • Confirms brokers without ScriptBlocks pass validation

Security Impact

ScriptBlock exemptions: 1 → 0

No increase in allowed ScriptBlock surface for untrusted inputs. Broker external contract unchanged.

Original prompt

This section details the original issue you should resolve

<issue_title>Minimize and document ScriptBlock exemptions for AuthSessionBroker trust boundary</issue_title>
<issue_description>## Problem Statement

IdLE enforces a “data-only / no ScriptBlocks” rule for untrusted inputs (workflows, request data, provider maps). At the same time, AuthSessionBroker is a trusted extension point and may contain ScriptMethods/ScriptBlocks by design.

This creates two risks:

  1. Boundary confusion: contributors may not clearly understand which objects are allowed to contain ScriptBlocks and why.
  2. Drift risk: exemptions in ScriptBlock validation logic may become too broad over time and accidentally allow ScriptBlocks in untrusted objects.

Proposed Solution

Make ScriptBlock handling around AuthSessionBroker explicit, minimal, and test-protected:

  1. Audit the current ScriptBlock validation logic and document:
    • Exactly where ScriptBlocks are rejected
    • Exactly what is exempted and why
  2. Minimize ScriptBlock surface on the broker object where feasible:
    • Prefer not storing ScriptBlocks as properties (e.g., store a function/command name and resolve internally), or
    • Keep the current model but ensure the exemption logic is narrowly scoped to trusted broker instances.
  3. Update security/architecture documentation to clearly define:
    • “Trusted extension objects may contain code (ScriptMethods/ScriptBlocks).”
    • “Untrusted inputs are data-only and must never contain ScriptBlocks.”
    • One canonical place for this rule (other docs must reference it).
  4. Add tests that:
    • Confirm ScriptBlocks are rejected in untrusted inputs (regression protection)
    • Confirm the broker exemption is minimal (does not allow arbitrary ScriptBlocks elsewhere)

Alternatives Considered

  • Keep everything as-is without explicit documentation/tests.
    • Rejected: encourages silent drift and confusion.
  • Remove broker concept entirely.
    • Rejected: contradicts the host-agnostic auth/session orchestration design.

Impact

  • Does this affect existing workflows?
    • Potentially none if behavior stays identical; may affect custom brokers if implementation changes.
  • Any backward compatibility concerns?
    • If broker shape changes, document migration clearly. Prefer keeping external contract stable.

Acceptance Criteria:

  • Documentation clearly defines trusted vs untrusted ScriptBlock rules (single source of truth).
  • ScriptBlock validation exemptions are demonstrably minimal.
  • Pester tests cover both rejection and allowed broker behavior.

Additional Context

Notes:

  • This issue must stay within IdLE’s security guardrails: no “shortcuts” that weaken validation.
  • Prefer the simplest implementation that reduces exemption complexity.

Definition of Done:

  • Code + tests + docs updated.
  • No increase in allowed ScriptBlock surface for untrusted inputs.
    </issue_description>

Comments on the Issue (you are @copilot in this section)


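The trust boundary the PR description lays out, as an added example that is not IdLE's own code: a recursive data-only validator with no type-based exemption, and a broker that carries its behaviour as a ScriptMethod instead of a ScriptBlock-valued property. The names Assert-NoScriptBlock, Assert-AuthSessionMatchesType and New-DemoAuthSessionBroker are hypothetical stand-ins for the module functions the PR names (Assert-IdleNoScriptBlock, Assert-IdleAuthSessionMatchesType, New-IdleAuthSessionBroker); the workflow, the broker type 'Graph' and the principal are constructed sample input.

```powershell
# Added example, not IdLE's code: a recursive data-only validator with no
# type-based exemptions, plus a broker whose behaviour is a ScriptMethod rather
# than a ScriptBlock-valued property. All names here are hypothetical stand-ins
# for the module's Assert-IdleNoScriptBlock / New-IdleAuthSessionBroker.

function Assert-NoScriptBlock {
    [CmdletBinding()]
    param(
        $InputObject,
        [string] $Path = '$',   # dotted path, reported on rejection
        [int] $Depth = 0        # guard against cyclic object graphs
    )
    if ($null -eq $InputObject) { return }
    if ($Depth -gt 32) { throw "Nesting deeper than 32 levels at '$Path'; refusing to validate." }

    # The rule is applied to every value, whatever object type carries it.
    if ($InputObject -is [scriptblock]) {
        throw "ScriptBlock found at '$Path'; untrusted inputs must be data-only."
    }

    # Leaf scalars cannot hold nested values.
    if ($InputObject -is [string] -or $InputObject -is [ValueType]) { return }

    if ($InputObject -is [System.Collections.IDictionary]) {
        foreach ($key in @($InputObject.Keys)) {
            Assert-NoScriptBlock -InputObject $InputObject[$key] -Path "$Path.$key" -Depth ($Depth + 1)
        }
        return
    }

    if ($InputObject -is [System.Collections.IEnumerable]) {
        $i = 0
        foreach ($item in $InputObject) {
            Assert-NoScriptBlock -InputObject $item -Path "$Path[$i]" -Depth ($Depth + 1)
            $i++
        }
        return
    }

    # Any other object: walk its property *values*. ScriptMethods are members,
    # not property values, so they are never visited; that is what lets a
    # trusted extension object carry code without an exemption in this check.
    foreach ($prop in $InputObject.PSObject.Properties) {
        Assert-NoScriptBlock -InputObject $prop.Value -Path "$Path.$($prop.Name)" -Depth ($Depth + 1)
    }
}

function Assert-AuthSessionMatchesType {
    param($AuthSession, [string] $ExpectedType)
    if ($AuthSession.Type -ne $ExpectedType) {
        throw "AuthSession type '$($AuthSession.Type)' does not match broker type '$ExpectedType'."
    }
}

function New-DemoAuthSessionBroker {
    param([Parameter(Mandatory)] [string] $Type)
    $broker = [pscustomobject]@{ PSTypeName = 'Demo.AuthSessionBroker'; Type = $Type }
    # Trusted extension point: the code is a ScriptMethod, and the type check is
    # called directly rather than resolved through a stored ScriptBlock.
    $broker | Add-Member -MemberType ScriptMethod -Name AcquireAuthSession -Value {
        param($Request)
        $session = [pscustomobject]@{ Type = $this.Type; Principal = $Request.Principal }
        Assert-AuthSessionMatchesType -AuthSession $session -ExpectedType $this.Type
        return $session
    }
    return $broker
}

# 1. Constructed untrusted workflow with a smuggled ScriptBlock: must be rejected.
$badWorkflow = @{
    Name  = 'Joiner'
    Steps = @(
        @{ Name = 'CreateAccount'; Provider = 'AD' },
        @{ Name = 'Hook';          Run = { Write-Host 'never runs' } }
    )
}
$rejected = $false
try { Assert-NoScriptBlock $badWorkflow } catch { $rejected = $true; "Rejected: $($_.Exception.Message)" }
if (-not $rejected) { throw 'validator failed to reject a ScriptBlock in workflow data' }

# 2. Trusted broker built with a ScriptMethod: passes the same check, no exemption.
$broker = New-DemoAuthSessionBroker -Type 'Graph'
Assert-NoScriptBlock $broker
$broker.AcquireAuthSession(@{ Principal = 'svc-idle' }) | Format-List

# 3. The pre-PR shape, a ScriptBlock stored as a property value, is rejected too.
$legacy = New-DemoAuthSessionBroker -Type 'Graph'
$legacy | Add-Member -NotePropertyName ValidateAuthSession -NotePropertyValue { param($s) $true }
$legacyRejected = $false
try { Assert-NoScriptBlock $legacy } catch { $legacyRejected = $true; "Rejected: $($_.Exception.Message)" }
if (-not $legacyRejected) { throw 'a ScriptBlock-valued property should have been rejected' }
```

Run it in Windows PowerShell 5.1 or PowerShell 7; the two rejection messages print and the broker's session is listed. The distinction the PR documents falls out of the walk itself: a ScriptMethod is a member, not a property value, so a property walk never visits it, while a ScriptBlock stored as a NoteProperty is a value and fails under exactly the rule that rejects a workflow step. Two caveats a practitioner should keep in mind: a string containing script text still passes as data, so the data-only rule only holds if nothing downstream hands such strings to Invoke-Expression or [scriptblock]::Create; and the check inspects an in-memory object graph, so a broker is trustworthy because trusted code constructed it, not because it passed this walk.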

Copilot AI and others added 2 commits February 13, 2026 09:20
- Remove ValidateAuthSession ScriptBlock property from broker object
- Call Assert-IdleAuthSessionMatchesType directly instead of via stored ScriptBlock
- Remove exemption for IdLE.AuthSessionBroker in Assert-IdleNoScriptBlock
- Update tests to reflect new boundary enforcement
- Add comprehensive trust boundary enforcement tests

Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com>
- Format multi-line assertion for better readability
- Use explicit code block for improved clarity

Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com>
Copilot AI changed the title [WIP] Minimize and document ScriptBlock exemptions for AuthSessionBroker Remove ScriptBlock exemption for AuthSessionBroker Feb 13, 2026
Copilot AI requested a review from blindzero February 13, 2026 09:23
@blindzero blindzero marked this pull request as ready for review February 13, 2026 09:56
Copilot AI review requested due to automatic review settings February 13, 2026 09:56
@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

Contributor

Copilot AI left a comment


Pull request overview

This PR eliminates the ScriptBlock exemption for AuthSessionBroker objects, strengthening IdLE's security boundaries by ensuring uniform ScriptBlock validation across all data-only inputs.

Changes:

  • Removed ValidateAuthSession ScriptBlock property from broker objects, replaced with direct function calls to Assert-IdleAuthSessionMatchesType
  • Deleted type-based exemption logic in Assert-IdleNoScriptBlock, achieving zero exemptions
  • Added comprehensive regression tests verifying ScriptBlocks are rejected in workflows, provider maps, lifecycle requests, and broker properties
  • Documented trust boundaries in security.md distinguishing untrusted data inputs from trusted extension points

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file

  • src/IdLE.Core/Public/Assert-IdleNoScriptBlock.ps1: Removed IdLE.AuthSessionBroker exemption logic and updated comment-based help to remove outdated .NOTES section
  • src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1: Eliminated ValidateAuthSession property, removed cached Get-Command call, replaced with direct Assert-IdleAuthSessionMatchesType calls
  • tests/Core/Assert-IdleNoScriptBlock.Tests.ps1: Added regression tests for trust boundary enforcement including broker validation, workflow rejection, provider map validation, and lifecycle request checks
  • docs/about/security.md: Documented trust boundaries, defined untrusted vs trusted inputs, specified AuthSessionBroker trust model and ScriptBlock handling rules
  • docs/extend/extensibility.md: Added security reference pointing to trust boundaries documentation

@blindzero blindzero merged commit 2744b02 into main Feb 13, 2026
14 checks passed
@blindzero blindzero deleted the copilot/minimize-scriptblock-exemptions branch February 15, 2026 19:01


Development

Successfully merging this pull request may close these issues.

Minimize and document ScriptBlock exemptions for AuthSessionBroker trust boundary

3 participants