Migrate Keyvault tool to recorded tests

core/Azure.Mcp.Core/tests/Azure.Mcp.Tests/Client/RecordedCommandTestsBase.cs

@@ -71,8 +71,10 @@ public abstract class RecordedCommandTestsBase(ITestOutputHelper output, TestPro
     /// <summary>
     /// The test-proxy has a default set of ~90 sanitizers for common sensitive data (GUIDs, tokens, timestamps, etc). This list allows opting out of specific default sanitizers by name.
     /// Grab the names from the test-proxy source at https://github.com/Azure/azure-sdk-tools/blob/main/tools/test-proxy/Azure.Sdk.Tools.TestProxy/Common/SanitizerDictionary.cs#L65)
+    /// Default Set:
+    ///     - `AZSDK3430`: `$..id`
     /// </summary>
-    public virtual List<string> DisabledDefaultSanitizers { get; } = new();
+    public virtual List<string> DisabledDefaultSanitizers { get; } = new() { "AZSDK3430" };
 
     /// <summary>
     /// During recording, variables saved to this dictionary will be propagated to the test-proxy and saved in the recording file.
@@ -343,7 +345,7 @@ private async Task StartRecordOrPlayback()
                 // Extract recording ID from response header
                 if (result.GetRawResponse().Headers.TryGetValue("x-recording-id", out var recordingId))
                 {
-                    RecordingId = recordingId ?? String.Empty;
+                    RecordingId = recordingId ?? string.Empty;
                     Output.WriteLine($"[Record] Recording ID: {RecordingId}");
                 }
             }

tools/Azure.Mcp.Tools.KeyVault/src/Services/KeyVaultService.cs

@@ -4,15 +4,18 @@
 using Azure.Mcp.Core.Options;
 using Azure.Mcp.Core.Services.Azure;
 using Azure.Mcp.Core.Services.Azure.Tenant;
+using Azure.Mcp.Core.Services.Http;
 using Azure.Security.KeyVault.Administration;
 using Azure.Security.KeyVault.Certificates;
 using Azure.Security.KeyVault.Keys;
 using Azure.Security.KeyVault.Secrets;
 
 namespace Azure.Mcp.Tools.KeyVault.Services;
 
-public sealed class KeyVaultService(ITenantService tenantService) : BaseAzureService(tenantService), IKeyVaultService
+public sealed class KeyVaultService(ITenantService tenantService, IHttpClientService httpClientService) : BaseAzureService(tenantService), IKeyVaultService
 {
+    private readonly IHttpClientService _httpClientService = httpClientService ?? throw new ArgumentNullException(nameof(httpClientService));
+
     public async Task<List<string>> ListKeys(
         string vaultName,
         bool includeManagedKeys,
@@ -24,7 +27,7 @@ public async Task<List<string>> ListKeys(
         ValidateRequiredParameters((nameof(vaultName), vaultName), (nameof(subscriptionId), subscriptionId));
 
         var credential = await GetCredential(tenantId, cancellationToken);
-        var client = new KeyClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
+        var client = CreateKeyClient(vaultName, credential, retryPolicy);
         var keys = new List<string>();
 
         try
@@ -53,7 +56,7 @@ public async Task<KeyVaultKey> GetKey(
         ValidateRequiredParameters((nameof(vaultName), vaultName), (nameof(keyName), keyName), (nameof(subscriptionId), subscriptionId));
 
         var credential = await GetCredential(tenantId, cancellationToken);
-        var client = new KeyClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
+        var client = CreateKeyClient(vaultName, credential, retryPolicy);
 
         try
         {
@@ -78,7 +81,7 @@ public async Task<KeyVaultKey> CreateKey(
 
         var type = new KeyType(keyType);
         var credential = await GetCredential(tenantId, cancellationToken);
-        var client = new KeyClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
+        var client = CreateKeyClient(vaultName, credential, retryPolicy);
 
         try
         {
@@ -100,7 +103,7 @@ public async Task<List<string>> ListSecrets(
         ValidateRequiredParameters((nameof(vaultName), vaultName), (nameof(subscriptionId), subscriptionId));
 
         var credential = await GetCredential(tenantId, cancellationToken);
-        var client = new SecretClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
+        var client = CreateSecretClient(vaultName, credential, retryPolicy);
         var secrets = new List<string>();
 
         try
@@ -130,7 +133,7 @@ public async Task<KeyVaultSecret> CreateSecret(
         ValidateRequiredParameters((nameof(vaultName), vaultName), (nameof(secretName), secretName), (nameof(secretValue), secretValue), (nameof(subscriptionId), subscriptionId));
 
         var credential = await GetCredential(tenantId, cancellationToken);
-        var client = new SecretClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
+        var client = CreateSecretClient(vaultName, credential, retryPolicy);
 
         try
         {
@@ -153,7 +156,7 @@ public async Task<KeyVaultSecret> GetSecret(
         ValidateRequiredParameters((nameof(vaultName), vaultName), (nameof(secretName), secretName), (nameof(subscriptionId), subscriptionId));
 
         var credential = await GetCredential(tenantId, cancellationToken);
-        var client = new SecretClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
+        var client = CreateSecretClient(vaultName, credential, retryPolicy);
 
         try
         {
@@ -176,7 +179,7 @@ public async Task<List<string>> ListCertificates(
         ValidateRequiredParameters((nameof(vaultName), vaultName), (nameof(subscriptionId), subscriptionId));
 
         var credential = await GetCredential(tenantId, cancellationToken);
-        var client = new CertificateClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
+        var client = CreateCertificateClient(vaultName, credential, retryPolicy);
         var certificates = new List<string>();
 
         try
@@ -205,7 +208,7 @@ public async Task<KeyVaultCertificateWithPolicy> GetCertificate(
         ValidateRequiredParameters((nameof(vaultName), vaultName), (nameof(certificateName), certificateName), (nameof(subscriptionId), subscriptionId));
 
         var credential = await GetCredential(tenantId, cancellationToken);
-        var client = new CertificateClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
+        var client = CreateCertificateClient(vaultName, credential, retryPolicy);
 
         try
         {
@@ -228,7 +231,7 @@ public async Task<CertificateOperation> CreateCertificate(
         ValidateRequiredParameters((nameof(vaultName), vaultName), (nameof(certificateName), certificateName), (nameof(subscriptionId), subscriptionId));
 
         var credential = await GetCredential(tenantId, cancellationToken);
-        var client = new CertificateClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
+        var client = CreateCertificateClient(vaultName, credential, retryPolicy);
 
         try
         {
@@ -253,7 +256,7 @@ public async Task<KeyVaultCertificateWithPolicy> ImportCertificate(
         ValidateRequiredParameters((nameof(vaultName), vaultName), (nameof(certificateName), certificateName), (nameof(certificateData), certificateData), (nameof(subscriptionId), subscriptionId));
 
         var credential = await GetCredential(tenantId, cancellationToken);
-        var client = new CertificateClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
+        var client = CreateCertificateClient(vaultName, credential, retryPolicy);
 
         try
         {
@@ -299,6 +302,36 @@ public async Task<KeyVaultCertificateWithPolicy> ImportCertificate(
         }
     }
 
+    private static Uri BuildVaultUri(string vaultName) => new($"https://{vaultName}.vault.azure.net");
+
+    // Create clients with injected HttpClient, this will enable record/playback during testing.
+    private KeyClient CreateKeyClient(string vaultName, Azure.Core.TokenCredential credential, RetryPolicyOptions? retry)
+    {
+        var httpClient = _httpClientService.CreateClient(BuildVaultUri(vaultName));
+        var options = new KeyClientOptions();
+        options = ConfigureRetryPolicy(AddDefaultPolicies(options), retry);
+        options.Transport = new Azure.Core.Pipeline.HttpClientTransport(httpClient);
+        return new KeyClient(BuildVaultUri(vaultName), credential, options);
+    }
+
+    private SecretClient CreateSecretClient(string vaultName, Azure.Core.TokenCredential credential, RetryPolicyOptions? retry)
+    {
+        var httpClient = _httpClientService.CreateClient(BuildVaultUri(vaultName));
+        var options = new SecretClientOptions();
+        options = ConfigureRetryPolicy(AddDefaultPolicies(options), retry);
+        options.Transport = new Azure.Core.Pipeline.HttpClientTransport(httpClient);
+        return new SecretClient(BuildVaultUri(vaultName), credential, options);
+    }
+
+    private CertificateClient CreateCertificateClient(string vaultName, Azure.Core.TokenCredential credential, RetryPolicyOptions? retry)
+    {
+        var httpClient = _httpClientService.CreateClient(BuildVaultUri(vaultName));
+        var options = new CertificateClientOptions();
+        options = ConfigureRetryPolicy(AddDefaultPolicies(options), retry);
+        options.Transport = new Azure.Core.Pipeline.HttpClientTransport(httpClient);
+        return new CertificateClient(BuildVaultUri(vaultName), credential, options);
+    }
+
     public async Task<GetSettingsResult> GetVaultSettings(
         string vaultName,
         string subscription,

tools/Azure.Mcp.Tools.KeyVault/tests/Azure.Mcp.Tools.KeyVault.LiveTests/Azure.Mcp.Tools.KeyVault.LiveTests.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <IsTestProject>true</IsTestProject>
     <OutputType>Exe</OutputType>
@@ -14,4 +14,9 @@
     <PackageReference Include="xunit.runner.visualstudio" />
     <PackageReference Include="coverlet.collector" />
   </ItemGroup>
+  <ItemGroup>
+    <None Update="TestResources\fake-pfx.pfx">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
 </Project>