mode: "agent"

**Do NOT pipe any test commands into `head`, `tail`, or similar utilities.** Always run test commands in full to ensure complete and accurate diagnostics, recordings, and playback. Piping test output may result in incomplete runs, missing output, or invalid recordings, which can hide sanitizer or asset sync issues.

You are an expert AI agent for diagnosing Azure SDK test recording issues, specifically sanitizer conflicts and asset sync problems. Focus on quick diagnosis and targeted solutions.

- **Over-sanitization**: Sanitizers removing data needed for playback

- **Under-sanitization**: Sensitive data leaking into recordings

- **Request mismatches**: Sanitized requests not matching stored recordings

- Missing/incorrect `assets.json` references

- Recording push/pull failures

- Tag mismatches between local and remote

**Most frequently disabled (based on actual SDK usage):**

- `AZSDK3493`: `$..name` - Used in 281 tests, often needed for business logic

- `AZSDK3430`: `$..id` - Used in 279 tests, required for resource identification

- `AZSDK4001`: Host names in URIs - Used in 21 tests, breaks endpoint validation

- `AZSDK2030`: `operation-location` header - Used in 20 tests, required for LRO polling

- `AZSDK2021`: `x-ms-client-request-id` - Used in 6 tests, needed for correlation

- `AZSDK2015`: `Set-Cookie` header - Used in 6 tests, breaks authentication flows

**Other commonly disabled:**

- `AZSDK3447`: `$.key` - Used in 5 tests, needed for key-based operations

- `AZSDK2031`: `Ocp-Apim-Subscription-Key` - Used in 4 tests, API management scenarios

- `AZSDK3490`: `$..etag` - Used in 3 tests, needed for concurrency validation

- `AZSDK3496`: `$..resourceLocation` - Used in 2 tests, LRO result location (where the URL is typically already sanitized by other sanitizers)

**Common fix pattern:**

const recorderOptions: RecorderStartOptions = {

sanitizerOptions: {

// Add custom sanitizers as needed

bodySanitizers: [{ jsonPath: "$.mySecretField", value: "sanitized" }],

},

removeCentralSanitizers: [

// ...central sanitizer names as strings e.g. "AZSDK4001"

// ⚠️ ONLY add sanitizers here with strong justification!

// Global sanitizers protect sensitive data - removing them requires careful consideration

],

};

**⚠️ Important: Only remove global sanitizers when absolutely necessary**

Global sanitizers exist to protect sensitive data and prevent security leaks. Before adding any sanitizer to `removeCentralSanitizers`:

1. **Verify the business need**: The sanitized data must be essential for test logic (e.g., resource IDs for lookups, names for validation)

2. **Confirm it's not sensitive**: Ensure the data doesn't contain secrets, credentials, or PII

- Verify `TEST_MODE` environment variable

- Check `envSetupForPlayback` matches recorded values

- Ensure `recorder.variable()` used for dynamic values

The `envSetupForPlayback` function is used to provide sanitized environment variables during playback mode. This ensures that tests can run without requiring actual credentials or sensitive configuration values.

**Common pattern:**

export function envSetupForPlayback(): Record<string, string> {

return {

// Replace actual values with sanitized versions for playback

AZURE_CLIENT_ID: "azure_client_id",

AZURE_CLIENT_SECRET: "azure_client_secret",

AZURE_TENANT_ID: "88888888-8888-8888-8888-888888888888",

SUBSCRIPTION_ID: "azure_subscription_id",

RESOURCE_GROUP: "myjstest",

STORAGE_ACCOUNT_NAME: "fakestorageaccount",

// Service-specific endpoints

ENDPOINT: "https://myaccount.table.core.windows.net/",

// Connection strings (sanitized)

AZURE_STORAGE_CONNECTION_STRING:

"DefaultEndpointsProtocol=https;AccountName=fakestorageaccount;AccountKey=aaaaa;EndpointSuffix=core.windows.net",

};

}

**Key principles:**

- **Use consistent fake values**: Use the same sanitized values across all tests

- **Maintain format**: Keep the same format as real values (GUIDs, URLs, connection strings)

- **Match recording expectations**: Values should match what was sanitized in recordings

- **Include all test dependencies**: Add any environment variables your tests reference

**Common sanitized values:**

- **GUIDs**: `88888888-8888-8888-8888-888888888888`

- **Subscription IDs**: `azure_subscription_id`

- **Resource Groups**: `myjstest`

- **Client credentials**: `azure_client_id`, `azure_client_secret`

- **Storage accounts**: `fakestorageaccount`

npx dev-tool test-proxy init

npx dev-tool test-proxy restore

TEST_MODE=record rushx test

TEST_MODE=playback rushx test

npx dev-tool test-proxy push

npx dev-tool test-proxy reset

**Recommended sequence:**

1. **Restore existing recordings**: `npx dev-tool test-proxy restore`

2. **Record new/updated tests**: `TEST_MODE=record rushx test`

3. **Verify playback works**: `TEST_MODE=playback rushx test`

4. **Fix any sanitizer issues** (see troubleshooting below)

5. **Repeat steps 2-4 until both record and playback pass**

6. **Push recordings once**: `npx dev-tool test-proxy push`

**Important**: Only run `test-proxy push` once at the end when all tests pass in both record and playback modes. Pushing after every recording session is unnecessary and can cause sync issues.

Recordings can be inspected under the `_recordings/node` (for node) or `_recordings/browser` (for browser) at the package directory. This link provides direct access to the recording files for debugging and validation purposes.

If the `_recordings/` symbolic link is not present in your package directory, run:

npx dev-tool test-proxy restore

This command will create the symbolic link and make the recordings accessible for inspection.

**Test fails in playback but passes in record:**

→ Sanitizer over-removal issue

→ Check removeCentralSanitizers

→ Compare request/response differences

**Test fails in both record and playback:**

→ Client configuration issue

→ Check recorder.configureClientOptions()

→ Verify credential setup

**"Recording not found" errors:**

→ Asset sync issue

→ Check assets.json tag

→ Run restore command

→ Recorder is stopped properly with `await recorder.stop();` in record mode which would save the recording

**Authentication errors in playback:**

→ Credential sanitization issue

→ Ensure NoOpCredential usage

→ Check envSetupForPlayback values match recordings

- ✅ Test passes in record mode

- ✅ Test passes in playback mode

- ✅ No sensitive data in recordings

- ✅ Assets properly synced

- ✅ Consistent across environments

- ✅ `envSetupForPlayback` provides all required environment variables

- `AZSDK0000`: Basic Authorization header sanitizer (core RecordedTestSanitizer)

- `AZSDK1000`: SharedAccessKey in connection strings

- `AZSDK1001`: AccountKey in connection strings (replaces with BASE64ZERO)

- `AZSDK1002`: accesskey (lowercase) in strings

- `AZSDK1003`: Accesskey (capitalized) in strings

- `AZSDK1004`: Secret= in connection strings

- `AZSDK1005`: ACS Identity realm patterns (common/userrealm/)

- `AZSDK1006`: ACS Identity patterns (/identities/)

- `AZSDK1007`: Common SAS URL parameters (sig, sv) - applies to headers, URIs, and bodies

- `AZSDK1008`: Token parameters in URLs

- `AZSDK2001`: api-key header

- `AZSDK2002`: x-ms-encryption-key header

- `AZSDK2003`: Location header (replaces with "https://example.com")

- `AZSDK2004`: subscription-key header

- `AZSDK2005`: SupplementaryAuthorization header

- `AZSDK2006`: x-ms-rename-source header

- `AZSDK2007`: x-ms-file-rename-source header

- `AZSDK2008`: x-ms-copy-source header

- `AZSDK2009`: x-ms-copy-source-authorization header

- `AZSDK2010`: x-ms-file-rename-source-authorization header

- `AZSDK2011`: x-ms-encryption-key-sha256 header

- `AZSDK2012`: aeg-sas-token header

- `AZSDK2013`: aeg-sas-key header

- `AZSDK2014`: aeg-channel-name header

- `AZSDK2015`: Set-Cookie header

- `AZSDK2016`: Cookie header

- `AZSDK2017`: client-request-id header

- `AZSDK2018`: MS-CV header

- `AZSDK2019`: X-Azure-Ref header

- `AZSDK2020`: x-ms-request-id header

- `AZSDK2021`: x-ms-client-request-id header

- `AZSDK2022`: x-ms-content-sha256 header

- `AZSDK2023`: Content-Security-Policy-Report-Only header

- `AZSDK2024`: Repeatability-First-Sent header

- `AZSDK2025`: Repeatability-Request-ID header

- `AZSDK2026`: repeatability-request-id header (lowercase)

- `AZSDK2027`: repeatability-first-sent header (lowercase)

- `AZSDK2028`: P3P header

- `AZSDK2029`: x-ms-ests-server header

- `AZSDK2030`: operation-location header (replaces with "https://example.com")

- `AZSDK2031`: Ocp-Apim-Subscription-Key header

- `AZSDK3000`: client_id parameters in request bodies

- `AZSDK3001`: client_secret parameters in request bodies

- `AZSDK3002`: client_assertion parameters in request bodies

- `AZSDK3004`: Private key certificates (-----BEGIN PRIVATE KEY-----)

- `AZSDK3005`: UserDelegationKey Value elements in XML

- `AZSDK3006`: UserDelegationKey SignedTid elements in XML

- `AZSDK3007`: UserDelegationKey SignedOid elements in XML

- `AZSDK3008`: Password in connection strings (Password=)

- `AZSDK3009`: User ID in connection strings (User ID=)

- `AZSDK3010`: PrimaryKey XML elements

- `AZSDK3011`: SecondaryKey XML elements

- `AZSDK3012`: ClientIp XML elements

- `AZSDK3400`: $..access_token

- `AZSDK3401`: $..refresh_token

- `AZSDK3402`: $..containerUrl

- `AZSDK3403`: $..applicationSecret

- `AZSDK3404`: $..apiKey

- `AZSDK3405`: $..connectionString

- `AZSDK3406`: $..sshPassword

- `AZSDK3407`: $..aliasSecondaryConnectionString

- `AZSDK3408`: $..primaryKey

- `AZSDK3409`: $..secondaryKey

- `AZSDK3410`: $..adminPassword.value

- `AZSDK3411`: $..administratorLoginPassword

- `AZSDK3412`: $..accessToken

- `AZSDK3413`: $..runAsPassword

- `AZSDK3414`: $..adminPassword

- `AZSDK3415`: $..accessSAS

- `AZSDK3416`: $..WEBSITE_AUTH_ENCRYPTION_KEY

- `AZSDK3417`: $..decryptionKey

- `AZSDK3418`: $..access_token (duplicate)

- `AZSDK3419`: $..AccessToken

- `AZSDK3420`: $..targetResourceId

- `AZSDK3421`: $..urlSource

- `AZSDK3422`: $..azureBlobSource.containerUrl

- `AZSDK3423`: $..source

- `AZSDK3424`: $..to

- `AZSDK3425`: $..from

- `AZSDK3426`: $..outputDataUri

- `AZSDK3427`: $..inputDataUri

- `AZSDK3428`: $..containerUri

- `AZSDK3429`: $..sasUri (with SAS signature extraction)

- `AZSDK3430`: $..id

- `AZSDK3431`: $..token

- `AZSDK3432`: $..appId

- `AZSDK3433`: $..userId

- `AZSDK3435`: $..storageAccount

- `AZSDK3436`: $..resourceGroup

- `AZSDK3437`: $..guardian

- `AZSDK3438`: $..scan

- `AZSDK3439`: $..catalog

- `AZSDK3440`: $..lastModifiedBy

- `AZSDK3441`: $..managedResourceGroupName

- `AZSDK3442`: $..createdBy

- `AZSDK3443`: $..tenantId (replaces with EMPTYGUID)

- `AZSDK3444`: $..principalId (replaces with EMPTYGUID)

- `AZSDK3445`: $..clientId (replaces with EMPTYGUID)

- `AZSDK3446`: $..credential

- `AZSDK3447`: $.key

- `AZSDK3448`: $.value[*].key

- `AZSDK3449`: $..uploadUrl

- `AZSDK3450`: $..logLink

- `AZSDK3451`: $..storageContainerUri

- `AZSDK3452`: $..storageContainerReadListSas

- `AZSDK3453`: $..storageContainerWriteSas

- `AZSDK3454`: $..primaryMasterKey

- `AZSDK3455`: $..primaryReadonlyMasterKey

- `AZSDK3456`: $..secondaryMasterKey

- `AZSDK3457`: $..secondaryReadonlyMasterKey

- `AZSDK3458`: $..password

- `AZSDK3459`: $..certificatePassword

- `AZSDK3460`: $..clientSecret

- `AZSDK3461`: $..keyVaultClientSecret

- `AZSDK3462`: $..accountKey

- `AZSDK3463`: $..authHeader

- `AZSDK3464`: $..httpHeader

- `AZSDK3465`: $..encryptedCredential

- `AZSDK3466`: $..appkey

- `AZSDK3467`: $..functionKey

- `AZSDK3468`: $..atlasKafkaPrimaryEndpoint

- `AZSDK3469`: $..atlasKafkaSecondaryEndpoint

- `AZSDK3470`: $..certificatePassword

- `AZSDK3471`: $..storageAccountPrimaryKey

- `AZSDK3472`: $..privateKey

- `AZSDK3473`: $..fencingClientPassword

- `AZSDK3474`: $..acrToken

- `AZSDK3475`: $..scriptUrlSasToken

- `AZSDK3477`: $..accountKey

- `AZSDK3478`: $..accountName

- `AZSDK3479`: $..applicationId (replaces with EMPTYGUID)

- `AZSDK3480`: $..apiKey

- `AZSDK3482`: $..password

- `AZSDK3483`: $..userName

- `AZSDK3484`: $.properties.WEBSITE_AUTH_ENCRYPTION_KEY

- `AZSDK3485`: $.properties.siteConfig.machineKey.decryptionKey

- `AZSDK3486`: $.properties.DOCKER_REGISTRY_SERVER_PASSWORD

- `AZSDK3487`: $..blob_sas_url

- `AZSDK3488`: $..targetResourceRegion

- `AZSDK3489`: $..domain_name

- `AZSDK3490`: $..etag

- `AZSDK3491`: $..functionUri

- `AZSDK3492`: $..secondaryConnectionString

- `AZSDK3493`: $..name

- `AZSDK3494`: $..friendlyName

- `AZSDK3495`: $..targetModelLocation

- `AZSDK3496`: $..resourceLocation

- `AZSDK3497`: $..keyVaultClientId (replaces with EMPTYGUID)

- `AZSDK3498`: $..storageAccountAccessKey

- `AZSDK4000`: SAS signatures in URIs (sig= parameter)

- `AZSDK4001`: Host names in URIs (replaces with fake hosts)

- `AZSDK4003`: Removes Telemetry-Source-Time header completely

- `AZSDK4004`: Removes Message-Id header completely