Add Optional PSUseConstrainedLanguageMode rule

[joshcorr]

PR Summary

This PR adds a new rule PSUseConstrainedLanguageMode that identifies PowerShell patterns incompatible with Constrained Language Mode, helping developers ensure scripts work in restricted environments. This rule is a Warning, but is optional and not enabled by default.

New files:
Rules/UseConstrainedLanguageMode.cs - Implements 14 CLM restriction checks
Tests/Rules/UseConstrainedLanguageMode.tests.ps1 - Adds 46 comprehensive tests
docs/Rules/UseConstrainedLanguageMode.md - Provides complete user documentation

Modified files;

Rules/strings.resx - Adds 16 new diagnostic message strings

Features
Detects CLM Violations:

• Add-Type usage (code compilation)
• Disallowed COM objects (only allows Scripting.Dictionary, Scripting.FileSystemObject, VBScript.RegExp)
• Disallowed .NET types (validates ~70 allowed types including primitives, collections, PowerShell types)
• PowerShell classes (class keyword)
• XAML/WPF usage
• Invoke-Expression usage
• Dot-sourcing patterns
• Type constraints, expressions, and casts
• Member invocations on disallowed types
• Module manifest wildcards and .ps1 references

Signature Awareness:

• Detects signature blocks (# SIG # Begin signature block)
• Applies selective checking to signed scripts (dot-sourcing, parameter types, manifests only)
• Applies full checking to unsigned scripts

Array Type Support:

• Handles array notation correctly ([string[]], [int[][]])
• Strips brackets and validates base types

Configuration:

• IgnoreSignatures property (default: false) bypasses signature detection and enforces full CLM compliance for all scripts

Testing:

PR Checklist

• PR has a meaningful title
  • Use the present tense and imperative mood when describing your changes
• Summarized changes
• Change is not breaking
• Make sure all .cs, .ps1 and .psm1 files have the correct copyright header
• Make sure you've added a new test if existing tests do not effectively test the code changed and/or updated documentation
• This PR is ready to merge and is not Work in Progress.
  • If the PR is work in progress, please add the prefix WIP: to the beginning of the title and remove the prefix when the PR is ready.

[Copilot]

Pull request overview

Adds a new optional ScriptAnalyzer rule (PSUseConstrainedLanguageMode) to detect PowerShell patterns that are incompatible with Constrained Language Mode (CLM), along with tests and documentation so users can opt into CLM-focused linting.

Changes:

• Added UseConstrainedLanguageMode rule implementation to detect multiple CLM-incompatible patterns, with special handling for signature blocks.
• Added a comprehensive Pester test suite for the new rule.
• Added end-user documentation and new localized resource strings for diagnostics.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

File	Description
Rules/UseConstrainedLanguageMode.cs	Implements the new rule logic (CLM checks, signature-block detection, manifest checks).
Tests/Rules/UseConstrainedLanguageMode.tests.ps1	Adds tests covering the new rule’s detections and signature behavior.
docs/Rules/UseConstrainedLanguageMode.md	Documents what the rule flags, signed vs unsigned behavior, and configuration.
Rules/Strings.resx	Adds diagnostic strings used by the new rule (and updates file header/encoding).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[liamjpeters]

👋 @joshcorr,

I wonder if UseConstrainedLanguageMode is the best name for this. The rule isn't checking if you're using/enabling constrained language mode, but rather that you're conforming to it's restrictions at design-time.

Perhaps something like ConformToConstrainedLanguageMode could be more on the money? One to consider.

[joshcorr]

Hi @liamjpeters thanks for the feedback. I named the rule to conform to the existing naming structure Use.. over some of the other leading verbs I found in the project (Avoid, Possible, etc). I do see this rule trying to check for implementation of language specific features (i.e. will this script use constrained language mode correctly), so the name doesn't feel that odd to me, but I see your point. Will wait to see if Andy or others have a strong opinion on the naming.