feat: add Phase 4 live Dataverse tests and complete Phase 2/3 gaps (#55) (#102)

* feat: add Phase 4 live Dataverse tests and complete Phase 2/3 gaps (#55)

Phase 4 - Live Dataverse Tests:
- Connection pool tests (initialization, distribution, recovery)
- DOP tests (x-ms-dop-hint header parsing, parallelism calculation)
- Bulk operation tests (CreateMultiple, UpdateMultiple, UpsertMultiple)
- Throttle detection tests (tracker infrastructure, strategy selection)

Phase 2 - Azure DevOps OIDC Authentication:
- Add AzureDevOpsFederatedAuthenticationTests
- Add SkipIfNoAzureDevOpsOidcAttribute
- Update LiveTestConfiguration for Azure DevOps environment detection

Phase 3 - Query and Action Tests:
- QueryExecutionTests: paging, ordering, complex filters, FetchXML
- AggregateQueryTests: COUNT, SUM, AVG, MIN, MAX, GROUP BY
- CustomActionTests: CRUD requests, UpsertRequest, RetrieveMultipleRequest

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: address bot review comments - unused variables, async dispose, comments

- Rename Service_MultipleConcurrentCreates_AllSucceed to Service_MultipleSequentialCreates_AllSucceed (Gemini)
- Use DisposeAsync instead of Dispose for pool in BulkOperationLiveTests cleanup (Gemini)
- Fix DOP comments to say up to 52 instead of 50 for consistency with assertions (Copilot)
- Fix folder reference in ThrottleDetectionLiveTests comment (Copilot)
- Remove unused connectionId variable in ConnectionPoolLiveTests (Copilot/CodeQL)
- Use discard pattern for unused pool variable in 5 test methods (Copilot/CodeQL)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: resolve InvalidateSeed disposing externally-owned clients + handle CLR crash in vuln check

InvalidateSeed bug fix:
- Pool was disposing seed clients that belong to IConnectionSource implementations
- For ServiceClientSource, this disposed the externally-managed client while the
  source still held a reference to it, causing subsequent GetSeedClient() calls
  to return a disposed client
- Fix: Let sources manage their own seed lifecycle via InvalidateSeed()
  - ConnectionStringSource: disposes and recreates on next GetSeedClient()
  - ServiceClientSource: no-op (caller owns the client lifecycle)

Vulnerable packages check:
- dotnet list package --vulnerable can crash with CLR error 0x80131506 on some
  SDK versions (JSON serializer bug in ReflectionEmitMemberAccessor)
- Fix: Capture exit code, log warning on unexpected failures, always succeed
- Actual vulnerability blocking is handled by dependency-review-action

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: joshsmithxrm

.github/workflows/build.yml

@@ -45,18 +45,30 @@ jobs:
     - name: Check for vulnerable packages
       shell: pwsh
       run: |
+        # Run vulnerability check - capture output and exit code separately
+        # Note: dotnet list package can crash with CLR errors on some SDK versions
         $output = dotnet list package --vulnerable --include-transitive 2>&1
+        $dotnetExitCode = $LASTEXITCODE
         $output | Write-Host
 
-        if ($output -match "has the following vulnerable packages") {
+        # Handle CLR crashes or other unexpected failures gracefully
+        if ($dotnetExitCode -ne 0 -and $output -notmatch "has the following vulnerable packages") {
+          Write-Host ""
+          Write-Host "::warning::Vulnerable package check exited with code $dotnetExitCode (possible SDK bug, continuing)"
+        }
+        elseif ($output -match "has the following vulnerable packages") {
           Write-Host ""
           Write-Host "::warning::Vulnerable packages detected - review security advisories above"
           # Note: Not failing the build to avoid blocking on transitive dependencies
           # that require upstream fixes. Dependency-review-action will catch new vulns.
-        } else {
+        }
+        else {
           Write-Host "No known vulnerabilities found in packages"
         }
 
+        # Always succeed - vulnerability blocking is handled by dependency-review-action
+        exit 0
+
     - name: Build
       run: dotnet build --configuration Release --no-restore
 

src/PPDS.Dataverse/Pooling/DataverseConnectionPool.cs

@@ -1112,25 +1112,18 @@ public void InvalidateSeed(string connectionName)
             }
 
             // Remove from our seed cache
-            if (_seedClients.TryRemove(connectionName, out var oldSeed))
+            if (_seedClients.TryRemove(connectionName, out _))
             {
                 _logger.LogWarning(
                     "Invalidating seed client for connection {ConnectionName} due to token failure. " +
                     "Next connection request will create fresh authentication.",
                     connectionName);
-
-                // Dispose the old seed
-                try
-                {
-                    oldSeed.Dispose();
-                }
-                catch (Exception ex)
-                {
-                    _logger.LogDebug(ex, "Error disposing old seed client for {ConnectionName}", connectionName);
-                }
             }
 
-            // Invalidate the source's cached seed so GetSeedClient() creates a fresh one
+            // Invalidate the source's cached seed so GetSeedClient() creates a fresh one.
+            // The source owns the seed client and is responsible for disposal:
+            // - ConnectionStringSource: disposes and recreates on next GetSeedClient()
+            // - ServiceClientSource: no-op (externally-managed client, caller owns lifecycle)
             var source = _sources.FirstOrDefault(s =>
                 string.Equals(s.Name, connectionName, StringComparison.OrdinalIgnoreCase));
 

tests/PPDS.Dataverse.IntegrationTests/Actions/CustomActionTests.cs

@@ -0,0 +1,247 @@
+using FluentAssertions;
+using Microsoft.Xrm.Sdk;
+using Microsoft.Xrm.Sdk.Messages;
+using Xunit;
+
+namespace PPDS.Dataverse.IntegrationTests.Actions;
+
+/// <summary>
+/// Tests for custom action and built-in message execution using FakeXrmEasy.
+/// </summary>
+/// <remarks>
+/// Note: FakeXrmEasy's open-source version (RPL-1.5) has limited message support.
+/// The following are NOT supported in the open-source version:
+/// - WhoAmIRequest (requires commercial license)
+/// - SetStateRequest (requires commercial license)
+/// - ExecuteMultipleRequest (requires commercial license)
+/// - Associate/Disassociate (requires metadata registration)
+///
+/// These tests cover what IS supported in the open-source version.
+/// For full coverage, live integration tests in PPDS.LiveTests cover the complete API.
+/// </remarks>
+public class CustomActionTests : FakeXrmEasyTestsBase
+{
+    #region Request/Response Tests
+
+    [Fact]
+    public void Execute_RetrieveRequest_ReturnsEntity()
+    {
+        // Arrange
+        var entity = new Entity("account") { ["name"] = "Test Account" };
+        var id = Service.Create(entity);
+
+        var request = new RetrieveRequest
+        {
+            Target = new EntityReference("account", id),
+            ColumnSet = new Microsoft.Xrm.Sdk.Query.ColumnSet(true)
+        };
+
+        // Act
+        var response = (RetrieveResponse)Service.Execute(request);
+
+        // Assert
+        response.Should().NotBeNull();
+        response.Entity.Should().NotBeNull();
+        response.Entity.Id.Should().Be(id);
+        response.Entity.GetAttributeValue<string>("name").Should().Be("Test Account");
+    }
+
+    [Fact]
+    public void Execute_CreateRequest_ReturnsNewId()
+    {
+        // Arrange
+        var request = new CreateRequest
+        {
+            Target = new Entity("account") { ["name"] = "New Account" }
+        };
+
+        // Act
+        var response = (CreateResponse)Service.Execute(request);
+
+        // Assert
+        response.Should().NotBeNull();
+        response.id.Should().NotBeEmpty();
+    }
+
+    [Fact]
+    public void Execute_UpdateRequest_ModifiesEntity()
+    {
+        // Arrange
+        var entity = new Entity("account") { ["name"] = "Original" };
+        var id = Service.Create(entity);
+
+        var request = new UpdateRequest
+        {
+            Target = new Entity("account", id) { ["name"] = "Updated" }
+        };
+
+        // Act
+        Service.Execute(request);
+
+        // Assert
+        var retrieved = Service.Retrieve("account", id, new Microsoft.Xrm.Sdk.Query.ColumnSet(true));
+        retrieved.GetAttributeValue<string>("name").Should().Be("Updated");
+    }
+
+    [Fact]
+    public void Execute_DeleteRequest_RemovesEntity()
+    {
+        // Arrange
+        var entity = new Entity("account") { ["name"] = "To Delete" };
+        var id = Service.Create(entity);
+
+        var request = new DeleteRequest
+        {
+            Target = new EntityReference("account", id)
+        };
+
+        // Act
+        Service.Execute(request);
+
+        // Assert
+        var action = () => Service.Retrieve("account", id, new Microsoft.Xrm.Sdk.Query.ColumnSet(true));
+        action.Should().Throw<Exception>();
+    }
+
+    #endregion
+
+    #region Upsert Tests
+
+    // Note: FakeXrmEasy's UpsertRequest for new records (create path) has issues.
+    // The update path works correctly. For full upsert coverage, see live tests.
+
+    [Fact]
+    public void Execute_UpsertRequest_UpdatesExistingRecord()
+    {
+        // Arrange - Create existing record first
+        var entity = new Entity("account") { ["name"] = "Original" };
+        var id = Service.Create(entity);
+
+        var updateEntity = new Entity("account", id) { ["name"] = "Upserted Update" };
+        var request = new UpsertRequest { Target = updateEntity };
+
+        // Act
+        var response = (UpsertResponse)Service.Execute(request);
+
+        // Assert
+        response.Should().NotBeNull();
+        response.RecordCreated.Should().BeFalse("Existing record should be updated");
+
+        var retrieved = Service.Retrieve("account", id, new Microsoft.Xrm.Sdk.Query.ColumnSet(true));
+        retrieved.GetAttributeValue<string>("name").Should().Be("Upserted Update");
+    }
+
+    #endregion
+
+    #region RetrieveMultiple Request Tests
+
+    [Fact]
+    public void Execute_RetrieveMultipleRequest_ReturnsResults()
+    {
+        // Arrange
+        Service.Create(new Entity("account") { ["name"] = "Account 1" });
+        Service.Create(new Entity("account") { ["name"] = "Account 2" });
+
+        var request = new RetrieveMultipleRequest
+        {
+            Query = new Microsoft.Xrm.Sdk.Query.QueryExpression("account")
+            {
+                ColumnSet = new Microsoft.Xrm.Sdk.Query.ColumnSet(true)
+            }
+        };
+
+        // Act
+        var response = (RetrieveMultipleResponse)Service.Execute(request);
+
+        // Assert
+        response.Should().NotBeNull();
+        response.EntityCollection.Should().NotBeNull();
+        response.EntityCollection.Entities.Should().HaveCount(2);
+    }
+
+    [Fact]
+    public void Execute_RetrieveMultipleRequest_WithFilter_ReturnsFilteredResults()
+    {
+        // Arrange
+        Service.Create(new Entity("account") { ["name"] = "Alpha Corp" });
+        Service.Create(new Entity("account") { ["name"] = "Beta Corp" });
+        Service.Create(new Entity("account") { ["name"] = "Gamma Corp" });
+
+        var query = new Microsoft.Xrm.Sdk.Query.QueryExpression("account")
+        {
+            ColumnSet = new Microsoft.Xrm.Sdk.Query.ColumnSet("name"),
+            Criteria = new Microsoft.Xrm.Sdk.Query.FilterExpression
+            {
+                Conditions =
+                {
+                    new Microsoft.Xrm.Sdk.Query.ConditionExpression("name", Microsoft.Xrm.Sdk.Query.ConditionOperator.Equal, "Beta Corp")
+                }
+            }
+        };
+
+        var request = new RetrieveMultipleRequest { Query = query };
+
+        // Act
+        var response = (RetrieveMultipleResponse)Service.Execute(request);
+
+        // Assert
+        response.EntityCollection.Entities.Should().HaveCount(1);
+        response.EntityCollection.Entities[0].GetAttributeValue<string>("name").Should().Be("Beta Corp");
+    }
+
+    #endregion
+
+    #region Batch Operations via Service Methods
+
+    [Fact]
+    public void Service_CreateUpdateDelete_BatchWorkflow()
+    {
+        // This tests a typical batch workflow using individual operations
+
+        // Create
+        var entity = new Entity("account") { ["name"] = "Batch Test" };
+        var id = Service.Create(entity);
+        id.Should().NotBeEmpty();
+
+        // Update
+        var update = new Entity("account", id) { ["name"] = "Batch Updated" };
+        Service.Update(update);
+
+        // Verify update
+        var retrieved = Service.Retrieve("account", id, new Microsoft.Xrm.Sdk.Query.ColumnSet(true));
+        retrieved.GetAttributeValue<string>("name").Should().Be("Batch Updated");
+
+        // Delete
+        Service.Delete("account", id);
+
+        // Verify delete
+        var action = () => Service.Retrieve("account", id, new Microsoft.Xrm.Sdk.Query.ColumnSet(true));
+        action.Should().Throw<Exception>();
+    }
+
+    [Fact]
+    public void Service_MultipleSequentialCreates_AllSucceed()
+    {
+        // Arrange
+        var entities = Enumerable.Range(1, 5).Select(i => new Entity("account")
+        {
+            ["name"] = $"Concurrent Account {i}"
+        }).ToList();
+
+        // Act
+        var ids = entities.Select(e => Service.Create(e)).ToList();
+
+        // Assert
+        ids.Should().HaveCount(5);
+        ids.All(id => id != Guid.Empty).Should().BeTrue();
+
+        // Verify all records exist
+        foreach (var id in ids)
+        {
+            var retrieved = Service.Retrieve("account", id, new Microsoft.Xrm.Sdk.Query.ColumnSet("name"));
+            retrieved.Should().NotBeNull();
+        }
+    }
+
+    #endregion
+}