mx-keyvault 0.1.0

//! Tests for Azure `KeyVault` integration.
//!
//! These tests focus on the credential resolution logic and error handling.
//! They do not make actual Azure API calls.

use super::*;
use serial_test::serial;
use std::env;

// ─────────────────────────────────────────────────────────────────────────────
// Test Helpers
// ─────────────────────────────────────────────────────────────────────────────

/// Helper to temporarily set environment variables for a test.
struct EnvGuard {
    vars: Vec<(String, Option<String>)>,
}

impl EnvGuard {
    fn new() -> Self {
        Self { vars: Vec::new() }
    }

    fn set(&mut self, key: &str, value: &str) -> &mut Self {
        let original = env::var(key).ok();
        self.vars.push((key.to_owned(), original));
        // SAFETY: Tests run serially (via serial_test) to prevent concurrent access.
        unsafe { env::set_var(key, value) };
        self
    }

    fn remove(&mut self, key: &str) -> &mut Self {
        let original = env::var(key).ok();
        self.vars.push((key.to_owned(), original));
        // SAFETY: Tests run serially (via serial_test) to prevent concurrent access.
        unsafe { env::remove_var(key) };
        self
    }
}

impl Drop for EnvGuard {
    fn drop(&mut self) {
        for (key, original) in self.vars.iter().rev() {
            // SAFETY: Tests run serially (via serial_test) to prevent concurrent access.
            unsafe {
                match original {
                    Some(val) => env::set_var(key, val),
                    None => env::remove_var(key),
                }
            }
        }
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// CredentialConfig Unit Tests
// ─────────────────────────────────────────────────────────────────────────────

mod credential_config_tests {
    use super::*;

    #[test]
    fn test_all_credentials_present_resolves_to_client_secret() {
        let config = CredentialConfig {
            tenant_id: Some("tenant-123".to_owned()),
            client_id: Some("client-456".to_owned()),
            client_secret: Some("secret-789".to_owned()),
            disable_managed_identity: false,
        };

        let result = config.resolve_credential_type();
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), CredentialType::ClientSecret);
    }

    #[test]
    fn test_no_credentials_resolves_to_developer_tools() {
        let config = CredentialConfig {
            tenant_id: None,
            client_id: None,
            client_secret: None,
            disable_managed_identity: false,
        };

        let result = config.resolve_credential_type();
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), CredentialType::DeveloperTools);
    }

    #[test]
    fn test_no_credentials_with_mi_disabled_fails() {
        let config = CredentialConfig {
            tenant_id: None,
            client_id: None,
            client_secret: None,
            disable_managed_identity: true,
        };

        let result = config.resolve_credential_type();
        assert!(result.is_err());
        let err = result.unwrap_err().to_string();
        assert!(err.contains("no env credentials provided"));
        assert!(err.contains("managed identity disabled"));
    }

    #[test]
    fn test_partial_credentials_with_mi_disabled_fails() {
        // Only tenant_id present
        let config = CredentialConfig {
            tenant_id: Some("tenant-123".to_owned()),
            client_id: None,
            client_secret: None,
            disable_managed_identity: true,
        };

        let result = config.resolve_credential_type();
        assert!(result.is_err());
    }

    #[test]
    fn test_partial_credentials_falls_back_to_developer_tools() {
        // Only tenant_id and client_id present (missing secret)
        let config = CredentialConfig {
            tenant_id: Some("tenant-123".to_owned()),
            client_id: Some("client-456".to_owned()),
            client_secret: None,
            disable_managed_identity: false,
        };

        let result = config.resolve_credential_type();
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), CredentialType::DeveloperTools);
    }

    #[test]
    fn test_has_client_secret_credentials_all_present() {
        let config = CredentialConfig {
            tenant_id: Some("t".to_owned()),
            client_id: Some("c".to_owned()),
            client_secret: Some("s".to_owned()),
            disable_managed_identity: false,
        };

        assert!(config.has_client_secret_credentials());
    }

    #[test]
    fn test_has_client_secret_credentials_missing_one() {
        let config = CredentialConfig {
            tenant_id: Some("t".to_owned()),
            client_id: Some("c".to_owned()),
            client_secret: None,
            disable_managed_identity: false,
        };

        assert!(!config.has_client_secret_credentials());
    }

    #[test]
    fn test_has_client_secret_credentials_all_missing() {
        let config = CredentialConfig {
            tenant_id: None,
            client_id: None,
            client_secret: None,
            disable_managed_identity: false,
        };

        assert!(!config.has_client_secret_credentials());
    }

    #[test]
    fn test_has_partial_credentials_none() {
        let config = CredentialConfig {
            tenant_id: None,
            client_id: None,
            client_secret: None,
            disable_managed_identity: false,
        };

        assert!(!config.has_partial_credentials());
    }

    #[test]
    fn test_has_partial_credentials_one() {
        let config = CredentialConfig {
            tenant_id: Some("t".to_owned()),
            client_id: None,
            client_secret: None,
            disable_managed_identity: false,
        };

        assert!(config.has_partial_credentials());
    }

    #[test]
    fn test_has_partial_credentials_two() {
        let config = CredentialConfig {
            tenant_id: Some("t".to_owned()),
            client_id: Some("c".to_owned()),
            client_secret: None,
            disable_managed_identity: false,
        };

        assert!(config.has_partial_credentials());
    }

    #[test]
    fn test_has_partial_credentials_all() {
        let config = CredentialConfig {
            tenant_id: Some("t".to_owned()),
            client_id: Some("c".to_owned()),
            client_secret: Some("s".to_owned()),
            disable_managed_identity: false,
        };

        // All three present means it's NOT partial
        assert!(!config.has_partial_credentials());
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// Environment Variable Tests
// ─────────────────────────────────────────────────────────────────────────────

mod env_tests {
    use super::*;

    #[test]
    #[serial]
    fn test_from_env_with_all_credentials() {
        let mut guard = EnvGuard::new();
        guard
            .set("AZURE_TENANT_ID", "test-tenant")
            .set("AZURE_CLIENT_ID", "test-client")
            .set("AZURE_CLIENT_SECRET", "test-secret")
            .remove("AZURE_IDENTITY_DISABLE_MANAGED_IDENTITY_CREDENTIAL");

        let config = CredentialConfig::from_env();

        assert_eq!(config.tenant_id.as_deref(), Some("test-tenant"));
        assert_eq!(config.client_id.as_deref(), Some("test-client"));
        assert_eq!(config.client_secret.as_deref(), Some("test-secret"));
        assert!(!config.disable_managed_identity);
    }

    #[test]
    #[serial]
    fn test_from_env_with_no_credentials() {
        let mut guard = EnvGuard::new();
        guard
            .remove("AZURE_TENANT_ID")
            .remove("AZURE_CLIENT_ID")
            .remove("AZURE_CLIENT_SECRET")
            .remove("AZURE_IDENTITY_DISABLE_MANAGED_IDENTITY_CREDENTIAL");

        let config = CredentialConfig::from_env();

        assert!(config.tenant_id.is_none());
        assert!(config.client_id.is_none());
        assert!(config.client_secret.is_none());
        assert!(!config.disable_managed_identity);
    }

    #[test]
    #[serial]
    fn test_from_env_with_mi_disabled_true() {
        let mut guard = EnvGuard::new();
        guard
            .remove("AZURE_TENANT_ID")
            .remove("AZURE_CLIENT_ID")
            .remove("AZURE_CLIENT_SECRET")
            .set("AZURE_IDENTITY_DISABLE_MANAGED_IDENTITY_CREDENTIAL", "true");

        let config = CredentialConfig::from_env();
        assert!(config.disable_managed_identity);
    }

    #[test]
    #[serial]
    fn test_from_env_with_mi_disabled_one() {
        let mut guard = EnvGuard::new();
        guard
            .remove("AZURE_TENANT_ID")
            .remove("AZURE_CLIENT_ID")
            .remove("AZURE_CLIENT_SECRET")
            .set("AZURE_IDENTITY_DISABLE_MANAGED_IDENTITY_CREDENTIAL", "1");

        let config = CredentialConfig::from_env();
        assert!(config.disable_managed_identity);
    }

    #[test]
    #[serial]
    fn test_from_env_with_mi_disabled_case_insensitive() {
        let mut guard = EnvGuard::new();
        guard
            .remove("AZURE_TENANT_ID")
            .remove("AZURE_CLIENT_ID")
            .remove("AZURE_CLIENT_SECRET")
            .set("AZURE_IDENTITY_DISABLE_MANAGED_IDENTITY_CREDENTIAL", "TRUE");

        let config = CredentialConfig::from_env();
        assert!(config.disable_managed_identity);
    }

    #[test]
    #[serial]
    fn test_from_env_with_mi_disabled_false() {
        let mut guard = EnvGuard::new();
        guard
            .remove("AZURE_TENANT_ID")
            .remove("AZURE_CLIENT_ID")
            .remove("AZURE_CLIENT_SECRET")
            .set(
                "AZURE_IDENTITY_DISABLE_MANAGED_IDENTITY_CREDENTIAL",
                "false",
            );

        let config = CredentialConfig::from_env();
        assert!(!config.disable_managed_identity);
    }

    #[test]
    #[serial]
    fn test_from_env_with_mi_disabled_invalid_value() {
        let mut guard = EnvGuard::new();
        guard
            .remove("AZURE_TENANT_ID")
            .remove("AZURE_CLIENT_ID")
            .remove("AZURE_CLIENT_SECRET")
            .set("AZURE_IDENTITY_DISABLE_MANAGED_IDENTITY_CREDENTIAL", "yes");

        let config = CredentialConfig::from_env();
        // "yes" is not "true" or "1", so it defaults to false
        assert!(!config.disable_managed_identity);
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// KeyVaultClient Constructor Tests
// ─────────────────────────────────────────────────────────────────────────────

mod client_tests {
    use super::*;

    #[test]
    fn test_new_with_empty_vault_url() {
        let config = CredentialConfig {
            tenant_id: Some("t".to_owned()),
            client_id: Some("c".to_owned()),
            client_secret: Some("s".to_owned()),
            disable_managed_identity: false,
        };

        let result = KeyVaultClient::with_config("", config);
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("cannot be empty"));
    }

    #[test]
    fn test_new_with_whitespace_only_vault_url() {
        let config = CredentialConfig {
            tenant_id: Some("t".to_owned()),
            client_id: Some("c".to_owned()),
            client_secret: Some("s".to_owned()),
            disable_managed_identity: false,
        };

        let result = KeyVaultClient::with_config("   ", config);
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("cannot be empty"));
    }

    #[test]
    fn test_new_with_tabs_only_vault_url() {
        let config = CredentialConfig {
            tenant_id: Some("t".to_owned()),
            client_id: Some("c".to_owned()),
            client_secret: Some("s".to_owned()),
            disable_managed_identity: false,
        };

        let result = KeyVaultClient::with_config("\t\t", config);
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("cannot be empty"));
    }

    #[test]
    fn test_new_fails_when_mi_disabled_and_no_creds() {
        let config = CredentialConfig {
            tenant_id: None,
            client_id: None,
            client_secret: None,
            disable_managed_identity: true,
        };

        let result = KeyVaultClient::with_config("https://my-vault.vault.azure.net", config);
        assert!(result.is_err());
        let err = result.unwrap_err().to_string();
        assert!(err.contains("no env credentials provided"));
    }

    #[test]
    fn test_new_with_valid_client_secret_credentials() {
        // This test verifies that the client can be constructed with valid credentials.
        // Note: The Azure SDK may fail if the credentials format is invalid,
        // but we're testing our credential resolution logic, not Azure.
        let config = CredentialConfig {
            tenant_id: Some("12345678-1234-1234-1234-123456789012".to_owned()),
            client_id: Some("87654321-4321-4321-4321-210987654321".to_owned()),
            client_secret: Some("super-secret-value".to_owned()),
            disable_managed_identity: false,
        };

        // The client creation should succeed (credential construction succeeds)
        let result = KeyVaultClient::with_config("https://my-vault.vault.azure.net", config);

        // This may succeed or fail depending on Azure SDK behavior,
        // but credential resolution should work
        // For now, we just verify no panic occurs
        let _ = result;
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// Vault URL Parsing Tests
// ─────────────────────────────────────────────────────────────────────────────

mod vault_url_tests {
    use super::*;

    /// Test various vault URL formats that should be rejected.
    #[test]
    fn test_empty_url_rejected() {
        let config = CredentialConfig {
            tenant_id: None,
            client_id: None,
            client_secret: None,
            disable_managed_identity: false,
        };

        let result = KeyVaultClient::with_config("", config);
        assert!(result.is_err());
    }

    /// Test that URLs with only protocol are handled.
    #[test]
    fn test_valid_url_format() {
        // We can't actually connect, but we verify no panic on URL format
        let config = CredentialConfig {
            tenant_id: Some("t".to_owned()),
            client_id: Some("c".to_owned()),
            client_secret: Some("s".to_owned()),
            disable_managed_identity: false,
        };

        // Various valid URL formats
        let urls = [
            "https://vault.vault.azure.net",
            "https://my-vault.vault.azure.net/",
            "https://test-keyvault-001.vault.azure.net",
        ];

        for url in urls {
            // Should not panic, even if Azure SDK rejects it later
            let _ = KeyVaultClient::with_config(url, config.clone());
        }
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// Credential Precedence Tests
// ─────────────────────────────────────────────────────────────────────────────

mod precedence_tests {
    use super::*;

    #[test]
    fn test_client_secret_takes_precedence_over_developer_tools() {
        // When all three env vars are set, ClientSecret should be used
        let config = CredentialConfig {
            tenant_id: Some("tenant".to_owned()),
            client_id: Some("client".to_owned()),
            client_secret: Some("secret".to_owned()),
            disable_managed_identity: false, // Even though MI is enabled
        };

        let cred_type = config.resolve_credential_type().unwrap();
        assert_eq!(cred_type, CredentialType::ClientSecret);
    }

    #[test]
    fn test_developer_tools_used_when_any_credential_missing() {
        // Missing tenant_id
        let config1 = CredentialConfig {
            tenant_id: None,
            client_id: Some("client".to_owned()),
            client_secret: Some("secret".to_owned()),
            disable_managed_identity: false,
        };
        assert_eq!(
            config1.resolve_credential_type().unwrap(),
            CredentialType::DeveloperTools
        );

        // Missing client_id
        let config2 = CredentialConfig {
            tenant_id: Some("tenant".to_owned()),
            client_id: None,
            client_secret: Some("secret".to_owned()),
            disable_managed_identity: false,
        };
        assert_eq!(
            config2.resolve_credential_type().unwrap(),
            CredentialType::DeveloperTools
        );

        // Missing client_secret
        let config3 = CredentialConfig {
            tenant_id: Some("tenant".to_owned()),
            client_id: Some("client".to_owned()),
            client_secret: None,
            disable_managed_identity: false,
        };
        assert_eq!(
            config3.resolve_credential_type().unwrap(),
            CredentialType::DeveloperTools
        );
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// Error Message Tests
// ─────────────────────────────────────────────────────────────────────────────

mod error_tests {
    use super::*;

    #[test]
    fn test_empty_vault_url_error_message() {
        let config = CredentialConfig {
            tenant_id: Some("t".to_owned()),
            client_id: Some("c".to_owned()),
            client_secret: Some("s".to_owned()),
            disable_managed_identity: false,
        };

        let err = KeyVaultClient::with_config("", config).unwrap_err();
        assert_eq!(err.to_string(), "KeyVault URL cannot be empty");
    }

    #[test]
    fn test_no_credentials_with_mi_disabled_error_message() {
        let config = CredentialConfig {
            tenant_id: None,
            client_id: None,
            client_secret: None,
            disable_managed_identity: true,
        };

        let err = config.resolve_credential_type().unwrap_err();
        assert!(
            err.to_string()
                .contains("KeyVault enabled but no env credentials provided")
        );
        assert!(err.to_string().contains("managed identity disabled"));
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// CredentialType Tests
// ─────────────────────────────────────────────────────────────────────────────

mod credential_type_tests {
    use super::*;

    #[test]
    fn test_credential_type_debug() {
        assert_eq!(
            format!("{:?}", CredentialType::ClientSecret),
            "ClientSecret"
        );
        assert_eq!(
            format!("{:?}", CredentialType::DeveloperTools),
            "DeveloperTools"
        );
    }

    #[test]
    fn test_credential_type_clone() {
        let original = CredentialType::ClientSecret;
        let cloned = original.clone();
        assert_eq!(original, cloned);
    }

    #[test]
    fn test_credential_type_equality() {
        assert_eq!(CredentialType::ClientSecret, CredentialType::ClientSecret);
        assert_eq!(
            CredentialType::DeveloperTools,
            CredentialType::DeveloperTools
        );
        assert_ne!(CredentialType::ClientSecret, CredentialType::DeveloperTools);
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// CredentialConfig Clone/Debug Tests
// ─────────────────────────────────────────────────────────────────────────────

mod config_traits_tests {
    use super::*;

    #[test]
    fn test_credential_config_debug() {
        let config = CredentialConfig {
            tenant_id: Some("tenant".to_owned()),
            client_id: Some("client".to_owned()),
            client_secret: Some("secret".to_owned()),
            disable_managed_identity: true,
        };

        let debug_str = format!("{config:?}");
        assert!(debug_str.contains("tenant_id"));
        assert!(debug_str.contains("client_id"));
        assert!(debug_str.contains("client_secret"));
        assert!(debug_str.contains("disable_managed_identity"));
    }

    #[test]
    fn test_credential_config_clone() {
        let config = CredentialConfig {
            tenant_id: Some("tenant".to_owned()),
            client_id: Some("client".to_owned()),
            client_secret: Some("secret".to_owned()),
            disable_managed_identity: true,
        };

        let cloned = config.clone();
        assert_eq!(cloned.tenant_id, config.tenant_id);
        assert_eq!(cloned.client_id, config.client_id);
        assert_eq!(cloned.client_secret, config.client_secret);
        assert_eq!(
            cloned.disable_managed_identity,
            config.disable_managed_identity
        );
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// Feature Flag Tests
// ─────────────────────────────────────────────────────────────────────────────

#[cfg(not(feature = "keyvault"))]
mod feature_disabled_tests {
    use super::*;

    #[test]
    fn test_keyvault_disabled_returns_error() {
        let result = KeyVaultClient::new("https://vault.vault.azure.net");
        assert!(result.is_err());
        assert!(
            result
                .unwrap_err()
                .to_string()
                .contains("KeyVault feature not enabled")
        );
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// Secret Fetching Tests (Mocked Behavior)
// ─────────────────────────────────────────────────────────────────────────────
//
// Note: Since `SecretClient` from Azure SDK does not expose a mockable trait,
// we test the logic paths we can reach without actual API calls:
// - Empty name handling (returns Ok(None) without calling Azure)
// - Client construction with various credential configurations
// - Error propagation patterns
//
// For full integration testing with Azure, use the `keyvault-integration` feature
// and provide real credentials.

mod secret_fetching_tests {
    use super::*;

    // ─────────────────────────────────────────────────────────────────────────
    // Test 1: test_fetch_secret_success (Simulated)
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Since we cannot mock the Azure SecretClient directly, we verify the
    // client construction succeeds and test the fetch_secret early-return path.
    #[tokio::test]
    async fn test_fetch_secret_success_path_setup() {
        // Verify client can be constructed with valid credentials
        let config = CredentialConfig {
            tenant_id: Some("12345678-1234-1234-1234-123456789012".to_owned()),
            client_id: Some("87654321-4321-4321-4321-210987654321".to_owned()),
            client_secret: Some("test-secret-value".to_owned()),
            disable_managed_identity: false,
        };

        let result = KeyVaultClient::with_config("https://test-vault.vault.azure.net", config);

        // Client construction should succeed (no network call yet)
        assert!(
            result.is_ok(),
            "Client construction failed: {:?}",
            result.err()
        );

        let client = result.unwrap();

        // Verify empty name returns None without API call
        let empty_result = client.fetch_secret("").await;
        assert!(empty_result.is_ok());
        assert!(empty_result.unwrap().is_none());
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 2: test_fetch_secret_not_found (Error Path Simulation)
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Simulates 404 behavior by testing error context wrapping.
    #[test]
    fn test_fetch_secret_not_found_error_context() {
        // Test that our error context format is correct
        let secret_name = "non-existent-secret";
        let expected_context = format!("failed to fetch secret '{secret_name}' from KeyVault");

        // Verify the error message format matches what fetch_secret would produce
        assert!(expected_context.contains(secret_name));
        assert!(expected_context.contains("failed to fetch"));
        assert!(expected_context.contains("KeyVault"));
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 3: test_fetch_secret_auth_failure (401 Response Simulation)
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Tests credential validation failure paths.
    #[test]
    fn test_fetch_secret_auth_failure_credential_path() {
        // Test that missing credentials with MI disabled produces auth error
        let config = CredentialConfig {
            tenant_id: None,
            client_id: None,
            client_secret: None,
            disable_managed_identity: true,
        };

        let result = KeyVaultClient::with_config("https://test-vault.vault.azure.net", config);
        assert!(result.is_err());

        let err = result.unwrap_err();
        let err_string = err.to_string();
        assert!(
            err_string.contains("no env credentials provided"),
            "Expected auth error, got: {err_string}"
        );
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 4: test_fetch_secret_timeout (Network Timeout Simulation)
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Tests timeout behavior using tokio::time::timeout wrapper pattern.
    #[tokio::test]
    async fn test_fetch_secret_timeout_pattern() {
        use std::time::Duration;
        use tokio::time::timeout;

        let config = CredentialConfig {
            tenant_id: Some("12345678-1234-1234-1234-123456789012".to_owned()),
            client_id: Some("87654321-4321-4321-4321-210987654321".to_owned()),
            client_secret: Some("test-secret".to_owned()),
            disable_managed_identity: false,
        };

        let client =
            KeyVaultClient::with_config("https://test-vault.vault.azure.net", config).unwrap();

        // Test the timeout wrapper pattern that would be used in production
        // Empty name returns immediately, so timeout should not trigger
        let result = timeout(Duration::from_millis(100), client.fetch_secret("")).await;

        assert!(result.is_ok(), "Timeout should not trigger for empty name");
        let inner_result = result.unwrap();
        assert!(inner_result.is_ok());
        assert!(inner_result.unwrap().is_none());
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 5: test_fetch_secrets_parallel (Multiple Secrets)
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Tests the parallel fetch_secrets API with empty names (no API call).
    #[tokio::test]
    async fn test_fetch_secrets_parallel_empty_names() {
        let config = CredentialConfig {
            tenant_id: Some("12345678-1234-1234-1234-123456789012".to_owned()),
            client_id: Some("87654321-4321-4321-4321-210987654321".to_owned()),
            client_secret: Some("test-secret".to_owned()),
            disable_managed_identity: false,
        };

        let client =
            KeyVaultClient::with_config("https://test-vault.vault.azure.net", config).unwrap();

        // All empty names should return None without API calls
        let names: &[&str] = &["", "   ", "\t", ""];
        let results = client.fetch_secrets(names).await;

        assert!(results.is_ok());
        let values = results.unwrap();
        assert_eq!(values.len(), 4);
        for value in values {
            assert!(value.is_none(), "Empty/whitespace names should return None");
        }
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 6: test_fetch_secrets_partial_failure (Mixed Success/Failure)
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Tests the try_join_all behavior - first failure stops all.
    #[tokio::test]
    async fn test_fetch_secrets_partial_failure_behavior() {
        let config = CredentialConfig {
            tenant_id: Some("12345678-1234-1234-1234-123456789012".to_owned()),
            client_id: Some("87654321-4321-4321-4321-210987654321".to_owned()),
            client_secret: Some("test-secret".to_owned()),
            disable_managed_identity: false,
        };

        let client =
            KeyVaultClient::with_config("https://test-vault.vault.azure.net", config).unwrap();

        // Empty names succeed, non-empty would fail (if we could call API)
        // Testing that the parallel mechanism works correctly
        let names: &[&str] = &["", ""];
        let results = client.fetch_secrets(names).await;

        assert!(results.is_ok());
        let values = results.unwrap();
        assert_eq!(values.len(), 2);
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 7: test_secret_name_special_chars (Hyphens, Underscores)
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Tests that special characters in secret names don't cause issues.
    #[tokio::test]
    async fn test_secret_name_special_chars_handling() {
        let config = CredentialConfig {
            tenant_id: Some("12345678-1234-1234-1234-123456789012".to_owned()),
            client_id: Some("87654321-4321-4321-4321-210987654321".to_owned()),
            client_secret: Some("test-secret".to_owned()),
            disable_managed_identity: false,
        };

        let _client =
            KeyVaultClient::with_config("https://test-vault.vault.azure.net", config).unwrap();

        // Test that names with special characters pass validation
        // (They won't return None for empty check, but we can't test API response)
        let special_names = [
            "my-secret-name",
            "my_secret_name",
            "my-secret_name-123",
            "SECRET-NAME",
            "secret--double-dash",
            "secret__double_underscore",
        ];

        for name in special_names {
            // Verify name is not treated as empty
            assert!(!name.trim().is_empty(), "Name '{name}' should not be empty");
        }
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 8: test_secret_value_empty (Empty String Value)
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Tests the empty name early-return logic.
    #[tokio::test]
    async fn test_secret_value_empty_name_variants() {
        let config = CredentialConfig {
            tenant_id: Some("12345678-1234-1234-1234-123456789012".to_owned()),
            client_id: Some("87654321-4321-4321-4321-210987654321".to_owned()),
            client_secret: Some("test-secret".to_owned()),
            disable_managed_identity: false,
        };

        let client =
            KeyVaultClient::with_config("https://test-vault.vault.azure.net", config).unwrap();

        // Test various empty/whitespace name patterns
        let empty_variants = ["", " ", "  ", "\t", "\n", " \t\n "];

        for name in empty_variants {
            let result = client.fetch_secret(name).await;
            assert!(
                result.is_ok(),
                "Empty name '{}' should succeed",
                name.escape_debug()
            );
            assert!(
                result.unwrap().is_none(),
                "Empty name '{}' should return None",
                name.escape_debug()
            );
        }
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 9: test_secret_value_large (Large Value Simulation)
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Tests that large credential values don't cause issues in config.
    #[test]
    fn test_secret_value_large_credentials() {
        // Simulate 1MB secret value in credentials
        let large_secret = "x".repeat(1024 * 1024);

        let config = CredentialConfig {
            tenant_id: Some("12345678-1234-1234-1234-123456789012".to_owned()),
            client_id: Some("87654321-4321-4321-4321-210987654321".to_owned()),
            client_secret: Some(large_secret),
            disable_managed_identity: false,
        };

        // Verify config handles large values
        assert!(config.has_client_secret_credentials());
        assert!(!config.has_partial_credentials());
        assert_eq!(
            config.resolve_credential_type().unwrap(),
            CredentialType::ClientSecret
        );

        // Verify the large secret is preserved
        assert_eq!(config.client_secret.unwrap().len(), 1024 * 1024);
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 10: test_credential_client_secret_creation
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Tests the ClientSecretCredential path thoroughly.
    #[test]
    fn test_credential_client_secret_creation_path() {
        let config = CredentialConfig {
            tenant_id: Some("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee".to_owned()),
            client_id: Some("11111111-2222-3333-4444-555555555555".to_owned()),
            client_secret: Some("super-secret-client-credential".to_owned()),
            disable_managed_identity: false,
        };

        // Verify correct credential type is resolved
        let cred_type = config.resolve_credential_type().unwrap();
        assert_eq!(cred_type, CredentialType::ClientSecret);

        // Verify client can be constructed (this exercises create_credential)
        let result = KeyVaultClient::with_config("https://my-vault.vault.azure.net", config);
        assert!(
            result.is_ok(),
            "ClientSecretCredential creation failed: {:?}",
            result.err()
        );
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 11: test_credential_developer_tools_creation
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Tests the DeveloperToolsCredential path.
    #[test]
    fn test_credential_developer_tools_creation_path() {
        let config = CredentialConfig {
            tenant_id: None,
            client_id: None,
            client_secret: None,
            disable_managed_identity: false,
        };

        // Verify correct credential type is resolved
        let cred_type = config.resolve_credential_type().unwrap();
        assert_eq!(cred_type, CredentialType::DeveloperTools);

        // Verify client can be constructed with DeveloperToolsCredential
        let result = KeyVaultClient::with_config("https://my-vault.vault.azure.net", config);
        assert!(
            result.is_ok(),
            "DeveloperToolsCredential creation failed: {:?}",
            result.err()
        );
    }

    // ─────────────────────────────────────────────────────────────────────────
    // Test 12: test_concurrent_fetch_thread_safety
    // ─────────────────────────────────────────────────────────────────────────
    //
    // Tests thread safety of concurrent secret fetching.
    #[tokio::test]
    async fn test_concurrent_fetch_thread_safety() {
        use std::sync::Arc;
        use tokio::task::JoinSet;

        let config = CredentialConfig {
            tenant_id: Some("12345678-1234-1234-1234-123456789012".to_owned()),
            client_id: Some("87654321-4321-4321-4321-210987654321".to_owned()),
            client_secret: Some("test-secret".to_owned()),
            disable_managed_identity: false,
        };

        let client = Arc::new(
            KeyVaultClient::with_config("https://test-vault.vault.azure.net", config).unwrap(),
        );

        let mut join_set = JoinSet::new();

        // Spawn 100 concurrent tasks, each fetching an empty secret name
        for i in 0..100 {
            let client_clone = Arc::clone(&client);
            let name = if i % 2 == 0 { "" } else { "   " };

            join_set.spawn(async move {
                let result = client_clone.fetch_secret(name).await;
                assert!(result.is_ok(), "Task {i} failed");
                assert!(result.unwrap().is_none(), "Task {i} returned value");
            });
        }

        // Wait for all tasks to complete
        while let Some(result) = join_set.join_next().await {
            assert!(result.is_ok(), "Task panicked: {:?}", result.err());
        }
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// KeyVaultClient Debug Implementation Tests
// ─────────────────────────────────────────────────────────────────────────────

mod debug_impl_tests {
    use super::*;

    #[test]
    fn test_keyvault_client_debug_format() {
        let config = CredentialConfig {
            tenant_id: Some("12345678-1234-1234-1234-123456789012".to_owned()),
            client_id: Some("87654321-4321-4321-4321-210987654321".to_owned()),
            client_secret: Some("test-secret".to_owned()),
            disable_managed_identity: false,
        };

        let client =
            KeyVaultClient::with_config("https://test-vault.vault.azure.net", config).unwrap();

        let debug_str = format!("{client:?}");
        assert!(debug_str.contains("KeyVaultClient"));
        assert!(debug_str.contains("<SecretClient>"));
        // Ensure credentials are not exposed in debug output
        assert!(!debug_str.contains("test-secret"));
    }
}

// ─────────────────────────────────────────────────────────────────────────────
// Integration-Ready Test Patterns
// ─────────────────────────────────────────────────────────────────────────────
//
// These tests demonstrate patterns for integration testing when real Azure
// credentials are available. They are skipped by default.

#[cfg(feature = "keyvault-integration")]
mod integration_tests {
    use super::*;

    #[tokio::test]
    #[ignore = "Requires real Azure KeyVault credentials"]
    async fn test_real_fetch_secret() {
        let client = KeyVaultClient::new("https://your-vault.vault.azure.net").unwrap();
        let result = client.fetch_secret("test-secret").await;
        assert!(result.is_ok());
    }

    #[tokio::test]
    #[ignore = "Requires real Azure KeyVault credentials"]
    async fn test_real_fetch_secret_not_found() {
        let client = KeyVaultClient::new("https://your-vault.vault.azure.net").unwrap();
        let result = client
            .fetch_secret("definitely-not-existing-secret-12345")
            .await;
        // Should fail with 404-style error
        assert!(result.is_err());
    }
}