perf: add caching for Hasher hash algorithms and Azure KeyVault clients

Fixes #1594 and #1596

- Use ThreadLocal<T> for hash algorithm instances in Hasher class
  since HashAlgorithm is not thread-safe but creating new instances
  per call is wasteful
- Cache Azure KeyVault clients (SecretClient, CertificateClient,
  KeyClient) in ConcurrentDictionary by vault URI since Azure SDK
  clients are thread-safe and designed for reuse

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: thomhurst

src/ModularPipelines.Azure/AzureKeyVault.cs

@@ -1,24 +1,40 @@
+using System.Collections.Concurrent;
 using Azure.Core;
 using Azure.Security.KeyVault.Certificates;
 using Azure.Security.KeyVault.Keys;
 using Azure.Security.KeyVault.Secrets;
 
 namespace ModularPipelines.Azure;
 
+/// <summary>
+/// Provides access to Azure Key Vault clients with caching.
+/// </summary>
+/// <remarks>
+/// Azure SDK clients (SecretClient, CertificateClient, KeyClient) are thread-safe and designed
+/// to be long-lived and reused. This class caches clients by vault URI to avoid the overhead
+/// of creating new clients on every call.
+/// </remarks>
 internal class AzureKeyVault : IAzureKeyVault
 {
+    private readonly ConcurrentDictionary<string, SecretClient> _secretClients = new();
+    private readonly ConcurrentDictionary<string, CertificateClient> _certificateClients = new();
+    private readonly ConcurrentDictionary<string, KeyClient> _keyClients = new();
+
     public SecretClient GetSecretClient(Uri vaultUri, TokenCredential tokenCredential)
     {
-        return new SecretClient(vaultUri, tokenCredential);
+        var key = vaultUri.ToString();
+        return _secretClients.GetOrAdd(key, _ => new SecretClient(vaultUri, tokenCredential));
     }
 
     public CertificateClient GetCertificateClient(Uri vaultUri, TokenCredential tokenCredential)
     {
-        return new CertificateClient(vaultUri, tokenCredential);
+        var key = vaultUri.ToString();
+        return _certificateClients.GetOrAdd(key, _ => new CertificateClient(vaultUri, tokenCredential));
     }
 
     public KeyClient GetKeyClient(Uri vaultUri, TokenCredential tokenCredential)
     {
-        return new KeyClient(vaultUri, tokenCredential);
+        var key = vaultUri.ToString();
+        return _keyClients.GetOrAdd(key, _ => new KeyClient(vaultUri, tokenCredential));
     }
 }

src/ModularPipelines/Context/Hasher.cs

@@ -3,11 +3,27 @@
 
 namespace ModularPipelines.Context;
 
+/// <summary>
+/// Provides hashing operations using various algorithms.
+/// </summary>
+/// <remarks>
+/// HashAlgorithm instances are not thread-safe, so we use ThreadLocal to cache
+/// one instance per thread. This avoids the allocation overhead of creating new
+/// instances on every call while maintaining thread safety.
+/// </remarks>
 internal class Hasher : IHasher
 {
     private readonly IHex _hex;
     private readonly IBase64 _base64;
 
+    // ThreadLocal instances for thread-safe caching of hash algorithms
+    // HashAlgorithm is not thread-safe, so each thread gets its own instance
+    private static readonly ThreadLocal<SHA1> Sha1Algorithm = new(() => SHA1.Create());
+    private static readonly ThreadLocal<SHA256> Sha256Algorithm = new(() => SHA256.Create());
+    private static readonly ThreadLocal<SHA384> Sha384Algorithm = new(() => SHA384.Create());
+    private static readonly ThreadLocal<SHA512> Sha512Algorithm = new(() => SHA512.Create());
+    private static readonly ThreadLocal<MD5> Md5Algorithm = new(() => MD5.Create());
+
     public Hasher(IHex hex, IBase64 base64)
     {
         _hex = hex;
@@ -16,36 +32,33 @@ public Hasher(IHex hex, IBase64 base64)
 
     public string Sha1(string input, HashType hashType = HashType.Hex)
     {
-        return ComputeHash(SHA1.Create(), input, hashType);
+        return ComputeHash(Sha1Algorithm.Value!, input, hashType);
     }
 
     public string Sha256(string input, HashType hashType = HashType.Hex)
     {
-        return ComputeHash(SHA256.Create(), input, hashType);
+        return ComputeHash(Sha256Algorithm.Value!, input, hashType);
     }
 
     public string Sha384(string input, HashType hashType = HashType.Hex)
     {
-        return ComputeHash(SHA384.Create(), input, hashType);
+        return ComputeHash(Sha384Algorithm.Value!, input, hashType);
     }
 
     public string Sha512(string input, HashType hashType = HashType.Hex)
     {
-        return ComputeHash(SHA512.Create(), input, hashType);
+        return ComputeHash(Sha512Algorithm.Value!, input, hashType);
     }
 
     public string Md5(string input, HashType hashType = HashType.Hex)
     {
-        return ComputeHash(MD5.Create(), input, hashType);
+        return ComputeHash(Md5Algorithm.Value!, input, hashType);
     }
 
     private string ComputeHash(HashAlgorithm hashAlgorithm, string input, HashType hashType)
     {
-        using (hashAlgorithm)
-        {
-            var bytes = hashAlgorithm.ComputeHash(Encoding.UTF8.GetBytes(input));
+        var bytes = hashAlgorithm.ComputeHash(Encoding.UTF8.GetBytes(input));
 
-            return hashType == HashType.Hex ? _hex.ToHex(bytes) : _base64.ToBase64String(bytes);
-        }
+        return hashType == HashType.Hex ? _hex.ToHex(bytes) : _base64.ToBase64String(bytes);
     }
 }