fix: Address review feedback for caching improvements

- Hasher: Use static HashData methods (.NET 5+) instead of ThreadLocal
  to avoid resource leaks from undisposed HashAlgorithm instances
- AzureKeyVault: Use composite key (vaultUri, tokenCredential) to ensure
  different credentials for the same vault return different clients

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: thomhurst

src/ModularPipelines.Azure/AzureKeyVault.cs

@@ -16,25 +16,27 @@ namespace ModularPipelines.Azure;
 /// </remarks>
 internal class AzureKeyVault : IAzureKeyVault
 {
-    private readonly ConcurrentDictionary<string, SecretClient> _secretClients = new();
-    private readonly ConcurrentDictionary<string, CertificateClient> _certificateClients = new();
-    private readonly ConcurrentDictionary<string, KeyClient> _keyClients = new();
+    // Use composite key (vaultUri, credential) to ensure different credentials for the same vault
+    // return different clients. TokenCredential uses reference equality.
+    private readonly ConcurrentDictionary<(string VaultUri, TokenCredential Credential), SecretClient> _secretClients = new();
+    private readonly ConcurrentDictionary<(string VaultUri, TokenCredential Credential), CertificateClient> _certificateClients = new();
+    private readonly ConcurrentDictionary<(string VaultUri, TokenCredential Credential), KeyClient> _keyClients = new();
 
     public SecretClient GetSecretClient(Uri vaultUri, TokenCredential tokenCredential)
     {
-        var key = vaultUri.ToString();
+        var key = (vaultUri.ToString(), tokenCredential);
         return _secretClients.GetOrAdd(key, _ => new SecretClient(vaultUri, tokenCredential));
     }
 
     public CertificateClient GetCertificateClient(Uri vaultUri, TokenCredential tokenCredential)
     {
-        var key = vaultUri.ToString();
+        var key = (vaultUri.ToString(), tokenCredential);
         return _certificateClients.GetOrAdd(key, _ => new CertificateClient(vaultUri, tokenCredential));
     }
 
     public KeyClient GetKeyClient(Uri vaultUri, TokenCredential tokenCredential)
     {
-        var key = vaultUri.ToString();
+        var key = (vaultUri.ToString(), tokenCredential);
         return _keyClients.GetOrAdd(key, _ => new KeyClient(vaultUri, tokenCredential));
     }
 }

src/ModularPipelines/Context/Hasher.cs

@@ -7,23 +7,14 @@ namespace ModularPipelines.Context;
 /// Provides hashing operations using various algorithms.
 /// </summary>
 /// <remarks>
-/// HashAlgorithm instances are not thread-safe, so we use ThreadLocal to cache
-/// one instance per thread. This avoids the allocation overhead of creating new
-/// instances on every call while maintaining thread safety.
+/// Uses the static HashData methods available in .NET 5+ which are thread-safe
+/// and don't require disposal, avoiding resource leaks.
 /// </remarks>
 internal class Hasher : IHasher
 {
     private readonly IHex _hex;
     private readonly IBase64 _base64;
 
-    // ThreadLocal instances for thread-safe caching of hash algorithms
-    // HashAlgorithm is not thread-safe, so each thread gets its own instance
-    private static readonly ThreadLocal<SHA1> Sha1Algorithm = new(() => SHA1.Create());
-    private static readonly ThreadLocal<SHA256> Sha256Algorithm = new(() => SHA256.Create());
-    private static readonly ThreadLocal<SHA384> Sha384Algorithm = new(() => SHA384.Create());
-    private static readonly ThreadLocal<SHA512> Sha512Algorithm = new(() => SHA512.Create());
-    private static readonly ThreadLocal<MD5> Md5Algorithm = new(() => MD5.Create());
-
     public Hasher(IHex hex, IBase64 base64)
     {
         _hex = hex;
@@ -32,33 +23,31 @@ public Hasher(IHex hex, IBase64 base64)
 
     public string Sha1(string input, HashType hashType = HashType.Hex)
     {
-        return ComputeHash(Sha1Algorithm.Value!, input, hashType);
+        var bytes = System.Security.Cryptography.SHA1.HashData(Encoding.UTF8.GetBytes(input));
+        return hashType == HashType.Hex ? _hex.ToHex(bytes) : _base64.ToBase64String(bytes);
     }
 
     public string Sha256(string input, HashType hashType = HashType.Hex)
     {
-        return ComputeHash(Sha256Algorithm.Value!, input, hashType);
+        var bytes = System.Security.Cryptography.SHA256.HashData(Encoding.UTF8.GetBytes(input));
+        return hashType == HashType.Hex ? _hex.ToHex(bytes) : _base64.ToBase64String(bytes);
     }
 
     public string Sha384(string input, HashType hashType = HashType.Hex)
     {
-        return ComputeHash(Sha384Algorithm.Value!, input, hashType);
+        var bytes = System.Security.Cryptography.SHA384.HashData(Encoding.UTF8.GetBytes(input));
+        return hashType == HashType.Hex ? _hex.ToHex(bytes) : _base64.ToBase64String(bytes);
     }
 
     public string Sha512(string input, HashType hashType = HashType.Hex)
     {
-        return ComputeHash(Sha512Algorithm.Value!, input, hashType);
+        var bytes = System.Security.Cryptography.SHA512.HashData(Encoding.UTF8.GetBytes(input));
+        return hashType == HashType.Hex ? _hex.ToHex(bytes) : _base64.ToBase64String(bytes);
     }
 
     public string Md5(string input, HashType hashType = HashType.Hex)
     {
-        return ComputeHash(Md5Algorithm.Value!, input, hashType);
-    }
-
-    private string ComputeHash(HashAlgorithm hashAlgorithm, string input, HashType hashType)
-    {
-        var bytes = hashAlgorithm.ComputeHash(Encoding.UTF8.GetBytes(input));
-
+        var bytes = System.Security.Cryptography.MD5.HashData(Encoding.UTF8.GetBytes(input));
         return hashType == HashType.Hex ? _hex.ToHex(bytes) : _base64.ToBase64String(bytes);
     }
 }