Chore/docs

docs/reference/providers/_provider-name_template.md

@@ -117,6 +117,37 @@ $result = Invoke-IdlePlan -Plan $plan -Providers $providers
 
 ---
 
+
+## Context Resolvers
+
+> Context Resolvers populate **`Request.Context.*` during planning** using **read-only** provider capabilities.  
+> Workflow authors can then reference the resolved values in **Conditions**, **Preconditions**, and **Templates**.
+
+### Supported Context Resolver capabilities
+
+> Document, **per supported read-only capability**, what your provider writes into `Request.Context.*`.
+> - If your provider supports none of the allowlisted capabilities, state that explicitly.
+> - Keep this section **reference-style**: focus on *paths*, *shapes*, and *types* (including nested properties).
+> - Output paths are **predefined** by the engine and **cannot be changed** by workflow authors.
+
+#### Capability: `IdLE.Capability.Path`
+
+Writes to: `Request.Context.Target`  
+Type: `OutputType` (`PSTypeName = 'IdLE.Identity'`)
+
+Top-level properties:
+
+| Property | Type | Notes |
+| --- | --- | --- |
+| `PSTypeName` | `string` | Always `IdLE.Identity`. |
+| `Property1` | `property1-type` | property1 description |
+| `PropertyN` | `propertyN-type` | propertyN description  |
+| `PropertyX` | `hashtable` | optional in case of Key/value bag; keys are strings; values are provider-defined (commonly `string`). |
+
+`PropertyX` contents:
+- List the attributes you populate and their types.
+- Only document what workflow authors can *rely on* (stable contract, not incidental Graph/AD fields).
+
 ## Configuration
 
 ### Provider creation

docs/reference/providers/provider-ad.md

@@ -86,6 +86,57 @@ The AD provider supports the common identity lifecycle and entitlement operation
 | `IdLE.Step.RemoveEntitlement` | Remove managed groups | Prefer explicit allow-lists / managed lists |
 | `IdLE.Step.DeleteIdentity` | Delete user | **Opt-in** via `-AllowDelete` (see Configuration) |
 
+## Context Resolvers
+
+This provider supports Context Resolvers for the allowlisted, read-only capabilities below.
+
+### Capability: `IdLE.Identity.Read`
+
+Writes to: `Request.Context.Identity.Profile`  
+Type: `PSCustomObject` (`PSTypeName = 'IdLE.Identity'`)
+
+Top-level properties:
+
+| Property | Type | Notes |
+| --- | --- | --- |
+| `PSTypeName` | `string` | Always `IdLE.Identity`. |
+| `IdentityKey` | `string` | The identity key used by the workflow (GUID/UPN/sAMAccountName). |
+| `Enabled` | `bool` | Derived from AD user `Enabled`. |
+| `Attributes` | `hashtable` | Key/value bag; keys are strings; values are typically `string`. |
+
+`Attributes` keys populated by this provider (when present on the AD user object):
+
+| Attribute key | Type |
+| --- | --- |
+| `GivenName` | `string` |
+| `Surname` | `string` |
+| `DisplayName` | `string` |
+| `Description` | `string` |
+| `Department` | `string` |
+| `Title` | `string` |
+| `EmailAddress` | `string` |
+| `UserPrincipalName` | `string` |
+| `sAMAccountName` | `string` |
+| `DistinguishedName` | `string` |
+
+### Capability: `IdLE.Entitlement.List`
+
+Writes to: `Request.Context.Identity.Entitlements`  
+Type: `object[]` (array of `PSCustomObject`, `PSTypeName = 'IdLE.Entitlement'`)
+
+Each element represents one AD group membership:
+
+| Property | Type | Notes |
+| --- | --- | --- |
+| `PSTypeName` | `string` | Always `IdLE.Entitlement`. |
+| `Kind` | `string` | Always `Group`. |
+| `Id` | `string` | AD group `DistinguishedName`. |
+| `DisplayName` | `string` | AD group `Name`. |
+
+Notes:
+- The output paths are fixed by the engine and cannot be changed.
+- Use these values in **Conditions**, **Preconditions**, and **Templates** (resolved during planning).
+
 ## Configuration
 
 ### Provider factory

docs/reference/providers/provider-directorysync-entraconnect.md

@@ -92,6 +92,13 @@ Those are typically used by step types like:
 
 - `IdLE.Step.TriggerDirectorySync` (trigger + optional wait/poll)
 
+## Context Resolvers
+
+This provider does **not** support any of the allowlisted Context Resolver capabilities.
+
+Context Resolvers can only use read-only capabilities like `IdLE.Identity.Read` and `IdLE.Entitlement.List`.
+This provider does not advertise these capabilities, so it cannot be used in the workflow `ContextResolvers` section.
+
 ## Configuration
 
 This provider has no admin-facing option bag. Configuration is done through:

docs/reference/providers/provider-entraID.md

@@ -86,6 +86,57 @@ Recommended wiring in examples:
 - `AuthSessionOptions = @{ Role = 'Admin' }` for routing (optional)
 - Use a more privileged role only for privileged actions (e.g. delete)
 
+## Context Resolvers
+
+This provider supports Context Resolvers for the allowlisted, read-only capabilities below.
+
+### Capability: `IdLE.Identity.Read`
+
+Writes to: `Request.Context.Identity.Profile`  
+Type: `PSCustomObject` (`PSTypeName = 'IdLE.Identity'`)
+
+Top-level properties:
+
+| Property | Type | Notes |
+| --- | --- | --- |
+| `PSTypeName` | `string` | Always `IdLE.Identity`. |
+| `IdentityKey` | `string` | The identity key used by the workflow (typically the Entra user `id`). |
+| `Enabled` | `bool` | Derived from Entra user `accountEnabled`. |
+| `Attributes` | `hashtable` | Key/value bag; keys are strings; values are typically `string`. |
+
+`Attributes` keys populated by this provider (when present on the user object):
+
+| Attribute key | Type | Source (Graph field) |
+| --- | --- | --- |
+| `GivenName` | `string` | `givenName` |
+| `Surname` | `string` | `surname` |
+| `DisplayName` | `string` | `displayName` |
+| `UserPrincipalName` | `string` | `userPrincipalName` |
+| `Mail` | `string` | `mail` |
+| `Department` | `string` | `department` |
+| `JobTitle` | `string` | `jobTitle` |
+| `OfficeLocation` | `string` | `officeLocation` |
+| `CompanyName` | `string` | `companyName` |
+
+### Capability: `IdLE.Entitlement.List`
+
+Writes to: `Request.Context.Identity.Entitlements`  
+Type: `object[]` (array of `PSCustomObject`, `PSTypeName = 'IdLE.Entitlement'`)
+
+Each element represents one Entra ID group membership:
+
+| Property | Type | Notes |
+| --- | --- | --- |
+| `PSTypeName` | `string` | Always `IdLE.Entitlement`. |
+| `Kind` | `string` | Always `Group`. |
+| `Id` | `string` | Entra group `id`. |
+| `DisplayName` | `string` or `$null` | Group `displayName` (if returned by the adapter). |
+| `Mail` | `string` or `$null` | Group `mail` (if returned by the adapter). |
+
+Notes:
+- The output paths are fixed by the engine and cannot be changed.
+- Use these values in **Conditions**, **Preconditions**, and **Templates** (resolved during planning).
+
 ## Configuration
 
 ### Provider constructor / factory

docs/reference/providers/provider-exchangeonline.md

@@ -156,6 +156,13 @@ For **app-only** flows, the token's `roles` claim must include:
 
 ---
 
+## Context Resolvers
+
+This provider does **not** support any of the allowlisted Context Resolver capabilities.
+
+Context Resolvers can only use read-only capabilities like `IdLE.Identity.Read` and `IdLE.Entitlement.List`.
+This provider does not advertise these capabilities, so it cannot be used in the workflow `ContextResolvers` section.
+
 ## Configuration
 
 ### Provider creation

docs/reference/providers/provider-mock.md

@@ -61,6 +61,46 @@ No authentication is required. The Mock provider ignores `AuthSessionName`.
 - Identity: create/update attributes (in-memory)
 - Entitlements: ensure/remove group memberships (in-memory)
 
+## Context Resolvers
+
+This provider supports Context Resolvers for the allowlisted, read-only capabilities below.
+
+### Capability: `IdLE.Identity.Read`
+
+Writes to: `Request.Context.Identity.Profile`  
+Type: `PSCustomObject` (`PSTypeName = 'IdLE.Identity'`)
+
+Top-level properties:
+
+| Property | Type | Notes |
+| --- | --- | --- |
+| `PSTypeName` | `string` | Always `IdLE.Identity`. |
+| `IdentityKey` | `string` | The identity key used by the workflow. |
+| `Enabled` | `bool` | Stored boolean value (defaults to `$true` when created on demand). |
+| `Attributes` | `hashtable` | Free-form key/value bag stored in the mock provider store. |
+
+Mock-specific behavior:
+- Missing identities are created **on-demand** on first `GetIdentity` call (planning-time resolvers may therefore “create” a record in the in-memory store).
+- `Attributes` is whatever your tests/demos put into the store (commonly `string` values).
+
+### Capability: `IdLE.Entitlement.List`
+
+Writes to: `Request.Context.Identity.Entitlements`  
+Type: `object[]` (array of `PSCustomObject`, `PSTypeName = 'IdLE.Entitlement'`)
+
+Each element is normalized via `ConvertToEntitlement`:
+
+| Property | Type | Notes |
+| --- | --- | --- |
+| `PSTypeName` | `string` | Always `IdLE.Entitlement`. |
+| `Kind` | `string` | Required; non-empty. |
+| `Id` | `string` | Required; non-empty. |
+| `DisplayName` | `string` or `$null` | Optional. |
+
+Notes:
+- The output paths are fixed by the engine and cannot be changed.
+- Use these values in **Conditions**, **Preconditions**, and **Templates** (resolved during planning).
+
 ## Configuration
 
 This provider has no admin-facing options.