blindzero · blindzero · Jan 18, 2026 · Jan 18, 2026 · Jan 18, 2026 · Jan 18, 2026
diff --git a/docs/advanced/provider-capabilities.md b/docs/advanced/provider-capabilities.md
@@ -28,7 +28,7 @@ Naming convention:
 - dot-separated segments
 - no whitespace
 - starts with a letter
-- examples: `Identity.Read`, `Identity.Disable`, `IdLE.Entitlement.List`
+- examples: `IdLE.Identity.Read`, `IdLE.Identity.Disable`, `IdLE.Entitlement.List`
 
 ### Entitlement capability set
 
@@ -79,9 +79,9 @@ The method returns a string list, e.g.:
 ```powershell
 $provider | Add-Member -MemberType ScriptMethod -Name GetCapabilities -Value {
     return @(
-        'Identity.Read'
-        'Identity.Attribute.Ensure'
-        'Identity.Disable'
+        'IdLE.Identity.Read'
+        'IdLE.Identity.Attribute.Ensure'
+        'IdLE.Identity.Disable'
     )
 } -Force
 ```
@@ -114,7 +114,7 @@ Example:
 @{
   Name                 = 'Disable identity'
   Type                 = 'DisableIdentity'
-  RequiresCapabilities = @('Identity.Read', 'Identity.Disable')
+  RequiresCapabilities = @('IdLE.Identity.Read', 'IdLE.Identity.Disable')
 }
 ```
 

diff --git a/docs/usage/steps.md b/docs/usage/steps.md
@@ -105,7 +105,7 @@ For details on declaring OnFailureSteps, see [Workflows](workflows.md).
 
 IdLE ships with a small set of built-in steps to keep demos and tests frictionless:
 
-- **IdLE.Step.EnsureAttribute**: converges an identity attribute to the desired value using `With.IdentityKey`, `With.Name`, and `With.Value`. Requires a provider with `EnsureAttribute` and usually the `Identity.Attribute.Ensure` capability.
+- **IdLE.Step.EnsureAttribute**: converges an identity attribute to the desired value using `With.IdentityKey`, `With.Name`, and `With.Value`. Requires a provider with `EnsureAttribute` and usually the `IdLE.Identity.Attribute.Ensure` capability.
 - **IdLE.Step.EnsureEntitlement**: converges an entitlement assignment to `Present` or `Absent` using `With.IdentityKey`, `With.Entitlement` (Kind + Id + optional DisplayName), `With.State`, and optional `With.Provider` (default `Identity`). Requires provider methods `ListEntitlements` plus `GrantEntitlement` or `RevokeEntitlement` and typically the capabilities `IdLE.Entitlement.List` plus `IdLE.Entitlement.Grant|Revoke`.
 
 ## Related

diff --git a/examples/workflows/joiner-ensureentitlement.psd1 b/examples/workflows/joiner-ensureentitlement.psd1
@@ -6,7 +6,7 @@
             Name                 = 'Ensure Department'
             Type                 = 'IdLE.Step.EnsureAttribute'
             With                 = @{ IdentityKey = 'user1'; Name = 'Department'; Value = 'IT'; Provider = 'Identity' }
-            RequiresCapabilities = 'Identity.Attribute.Ensure'
+            RequiresCapabilities = 'IdLE.Identity.Attribute.Ensure'
         },
         @{
             Name                 = 'Assign demo group'

diff --git a/examples/workflows/joiner-with-onfailure.psd1 b/examples/workflows/joiner-with-onfailure.psd1
@@ -18,7 +18,7 @@
                 Value       = 'IT'
                 Provider    = 'Identity'
             }
-            RequiresCapabilities = 'Identity.Attribute.Ensure'
+            RequiresCapabilities = 'IdLE.Identity.Attribute.Ensure'
         }
         @{
             Name                 = 'Assign demo group'

diff --git a/src/IdLE.Core/Private/Get-IdleProviderCapabilities.ps1 b/src/IdLE.Core/Private/Get-IdleProviderCapabilities.ps1
@@ -61,13 +61,13 @@ function Get-IdleProviderCapabilities {
             $capabilities += 'IdLE.Entitlement.Revoke'
         }
         if ($methodNames -contains 'EnsureAttribute') {
-            $capabilities += 'Identity.Attribute.Ensure'
+            $capabilities += 'IdLE.Identity.Attribute.Ensure'
         }
         if ($methodNames -contains 'DisableIdentity') {
-            $capabilities += 'Identity.Disable'
+            $capabilities += 'IdLE.Identity.Disable'
         }
         if ($methodNames -contains 'GetIdentity') {
-            $capabilities += 'Identity.Read'
+            $capabilities += 'IdLE.Identity.Read'
         }
 
         $capabilitySource = 'inferred'
@@ -90,9 +90,9 @@ function Get-IdleProviderCapabilities {
         # - dot-separated segments
         # - no whitespace
         # - starts with a letter
-        # Example: 'Entitlement.Write', 'Identity.Attribute.Ensure'
+        # Example: 'IdLE.Entitlement.Write', 'IdLE.Identity.Attribute.Ensure'
         if ($s -notmatch '^[A-Za-z][A-Za-z0-9]*(\.[A-Za-z0-9]+)+$') {
-            throw "Provider capability '$s' is invalid. Expected dot-separated segments like 'Identity.Read' or 'Entitlement.Write'."
+            throw "Provider capability '$s' is invalid. Expected dot-separated segments like 'IdLE.Identity.Read' or 'IdLE.Entitlement.Write'."
         }
 
         if ($seen.Add($s)) {

diff --git a/src/IdLE.Core/Public/New-IdlePlanObject.ps1 b/src/IdLE.Core/Public/New-IdlePlanObject.ps1
@@ -164,7 +164,7 @@ function New-IdlePlanObject {
             # - starts with a letter
             if ($s -notmatch '^[A-Za-z][A-Za-z0-9]*(\.[A-Za-z0-9]+)+$') {
                 throw [System.ArgumentException]::new(
-                    ("Workflow step '{0}' declares invalid capability '{1}'. Expected dot-separated segments like 'Identity.Read'." -f $StepName, $s),
+                    ("Workflow step '{0}' declares invalid capability '{1}'. Expected dot-separated segments like 'IdLE.Identity.Read'." -f $StepName, $s),
                     'Workflow'
                 )
             }

diff --git a/src/IdLE.Provider.Mock/Public/New-IdleMockIdentityProvider.ps1 b/src/IdLE.Provider.Mock/Public/New-IdleMockIdentityProvider.ps1
@@ -137,9 +137,9 @@ function New-IdleMockIdentityProvider {
         #>
 
         return @(
-            'Identity.Read'
-            'Identity.Attribute.Ensure'
-            'Identity.Disable'
+            'IdLE.Identity.Read'
+            'IdLE.Identity.Attribute.Ensure'
+            'IdLE.Identity.Disable'
             'IdLE.Entitlement.List'
             'IdLE.Entitlement.Grant'
             'IdLE.Entitlement.Revoke'

diff --git a/tests/Get-IdleProviderCapabilities.Tests.ps1 b/tests/Get-IdleProviderCapabilities.Tests.ps1
@@ -21,19 +21,19 @@ Describe 'IdLE.Core - Get-IdleProviderCapabilities (provider capability discover
 
             $provider | Add-Member -MemberType ScriptMethod -Name GetCapabilities -Value {
                 return @(
-                    'Identity.Disable'
-                    'Identity.Read'
-                    'Identity.Read'            # duplicate on purpose
-                    'Identity.Attribute.Ensure'
+                    'IdLE.Identity.Disable'
+                    'IdLE.Identity.Read'
+                    'IdLE.Identity.Read'            # duplicate on purpose
+                    'IdLE.Identity.Attribute.Ensure'
                 )
             } -Force
 
             $caps = Get-IdleProviderCapabilities -Provider $provider
 
             $caps | Should -Be @(
-                'Identity.Attribute.Ensure'
-                'Identity.Disable'
-                'Identity.Read'
+                'IdLE.Identity.Attribute.Ensure'
+                'IdLE.Identity.Disable'
+                'IdLE.Identity.Read'
             )
         }
 
@@ -81,9 +81,9 @@ Describe 'IdLE.Core - Get-IdleProviderCapabilities (provider capability discover
                 'IdLE.Entitlement.Grant'
                 'IdLE.Entitlement.List'
                 'IdLE.Entitlement.Revoke'
-                'Identity.Attribute.Ensure'
-                'Identity.Disable'
-                'Identity.Read'
+                'IdLE.Identity.Attribute.Ensure'
+                'IdLE.Identity.Disable'
+                'IdLE.Identity.Read'
             )
         }
 
@@ -97,12 +97,12 @@ Describe 'IdLE.Core - Get-IdleProviderCapabilities (provider capability discover
 
             # Also add explicit GetCapabilities (must win)
             $provider | Add-Member -MemberType ScriptMethod -Name GetCapabilities -Value {
-                return @('Identity.Read')
+                return @('IdLE.Identity.Read')
             } -Force
 
             $caps = Get-IdleProviderCapabilities -Provider $provider -AllowInference
 
-            $caps | Should -Be @('Identity.Read')
+            $caps | Should -Be @('IdLE.Identity.Read')
         }
     }
 }
diff --git a/tests/New-IdlePlan.Capabilities.Tests.ps1 b/tests/New-IdlePlan.Capabilities.Tests.ps1
@@ -16,7 +16,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
     @{
       Name                 = 'Disable identity'
       Type                 = 'IdLE.Step.DisableIdentity'
-      RequiresCapabilities = @('Identity.Disable')
+      RequiresCapabilities = @('IdLE.Identity.Disable')
     }
   )
 }
@@ -29,7 +29,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
             throw 'Expected an exception but none was thrown.'
         }
         catch {
-            $_.Exception.Message | Should -Match 'MissingCapabilities: Identity\.Disable'
+            $_.Exception.Message | Should -Match 'MissingCapabilities: IdLE\.Identity\.Disable'
             $_.Exception.Message | Should -Match 'AffectedSteps: Disable identity'
         }
     }
@@ -45,7 +45,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
     @{
       Name                 = 'Disable identity'
       Type                 = 'IdLE.Step.DisableIdentity'
-      RequiresCapabilities = @('Identity.Disable')
+      RequiresCapabilities = @('IdLE.Identity.Disable')
     }
   )
 }
@@ -55,7 +55,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 
         $provider = [pscustomobject]@{ Name = 'IdentityProvider' }
         $provider | Add-Member -MemberType ScriptMethod -Name GetCapabilities -Value {
-            return @('Identity.Disable')
+            return @('IdLE.Identity.Disable')
         } -Force
 
         $providers = @{
@@ -66,7 +66,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 
         $plan | Should -Not -BeNullOrEmpty
         $plan.Steps.Count | Should -Be 1
-        $plan.Steps[0].RequiresCapabilities | Should -Be @('Identity.Disable')
+        $plan.Steps[0].RequiresCapabilities | Should -Be @('IdLE.Identity.Disable')
     }
 
     It 'fails fast when an OnFailure step requires capabilities that no provider advertises' {
@@ -86,7 +86,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
     @{
       Name                 = 'Containment'
       Type                 = 'IdLE.Step.Containment'
-      RequiresCapabilities = @('Identity.Disable')
+      RequiresCapabilities = @('IdLE.Identity.Disable')
     }
   )
 }
@@ -99,7 +99,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
             throw 'Expected an exception but none was thrown.'
         }
         catch {
-            $_.Exception.Message | Should -Match 'MissingCapabilities: Identity\.Disable'
+            $_.Exception.Message | Should -Match 'MissingCapabilities: IdLE\.Identity\.Disable'
             $_.Exception.Message | Should -Match 'AffectedSteps: Containment'
         }
     }
@@ -121,7 +121,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
     @{
       Name                 = 'Containment'
       Type                 = 'IdLE.Step.Containment'
-      RequiresCapabilities = @('Identity.Disable')
+      RequiresCapabilities = @('IdLE.Identity.Disable')
     }
   )
 }
@@ -131,7 +131,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 
         $provider = [pscustomobject]@{ Name = 'IdentityProvider' }
         $provider | Add-Member -MemberType ScriptMethod -Name GetCapabilities -Value {
-            return @('Identity.Disable')
+            return @('IdLE.Identity.Disable')
         } -Force
 
         $providers = @{
@@ -142,7 +142,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 
         $plan | Should -Not -BeNullOrEmpty
         $plan.OnFailureSteps.Count | Should -Be 1
-        $plan.OnFailureSteps[0].RequiresCapabilities | Should -Be @('Identity.Disable')
+        $plan.OnFailureSteps[0].RequiresCapabilities | Should -Be @('IdLE.Identity.Disable')
     }
 
     It 'validates entitlement capabilities for EnsureEntitlement steps' {