Azure · adamnova · Aug 20, 2025 · Aug 20, 2025 · Aug 20, 2025 · Aug 21, 2025
@@ -59,12 +59,19 @@ public static async Task<Stream> EncryptAsync(
                 throw new InvalidOperationException($"{nameof(Encryptor)} returned null cipherText from {nameof(EncryptAsync)}.");
             }
 
+            // Materialize paths to an IReadOnlyCollection to satisfy ctor signature explicitly
+            IReadOnlyCollection<string> pathsToEncryptCollection = encryptionOptions.PathsToEncrypt as IReadOnlyCollection<string>;
+            if (pathsToEncryptCollection == null)
+            {
+                pathsToEncryptCollection = new List<string>(encryptionOptions.PathsToEncrypt);
+            }
+
             encryptionProperties = new EncryptionProperties(
-                    encryptionFormatVersion: 2,
-                    encryptionOptions.EncryptionAlgorithm,
-                    encryptionOptions.DataEncryptionKeyId,
-                    encryptedData: cipherText,
-                    encryptionOptions.PathsToEncrypt);
+                encryptionFormatVersion: EncryptionFormatVersion.AeAes,
+                encryptionOptions.EncryptionAlgorithm,
+                encryptionOptions.DataEncryptionKeyId,
+                encryptedData: cipherText,
+                pathsToEncryptCollection);
 
             itemJObj.Add(Constants.EncryptedInfo, JObject.FromObject(encryptionProperties));
 

@@ -22,6 +22,34 @@ public T[] Rent(int minimumLength)
             return buffer;
         }
 
+        public void Return(T[] buffer)
+        {
+            if (buffer == null)
+            {
+                return;
+            }
+
+            int idx = this.rentedBuffers?.IndexOf(buffer) ?? -1;
+            if (idx >= 0)
+            {
+                this.rentedBuffers.RemoveAt(idx);
+                ArrayPool<T>.Shared.Return(buffer, clearArray: true);
+            }
+        }
+
+#if DEBUG
+        // Debug-only ownership probe to assert correct pooling contracts without impacting release perf
+        public bool IsOwned(T[] buffer)
+        {
+            if (buffer == null || this.rentedBuffers == null)
+            {
+                return false;
+            }
+
+            return this.rentedBuffers.IndexOf(buffer) >= 0;
+        }
+#endif
+
         protected virtual void Dispose(bool disposing)
         {
             if (!this.disposedValue)

@@ -5,13 +5,14 @@
 namespace Microsoft.Azure.Cosmos.Encryption.Custom
 {
     using System;
+    using System.Collections.Concurrent;
     using System.Collections.Generic;
     using System.Diagnostics;
     using System.Threading;
 
     /// <summary>
     /// Lightweight diagnostics context for Custom Encryption extension.
-    /// Manages Activity creation for OpenTelemetry integration.
+    /// Manages Activity creation for OpenTelemetry integration and collects metrics.
     /// </summary>
     internal class CosmosDiagnosticsContext
     {
@@ -27,6 +28,9 @@ internal class CosmosDiagnosticsContext
         /// </summary>
         internal const string ScopeDecryptModeSelectionPrefix = "EncryptionProcessor.Decrypt.Mde.";
 
+        // Simple metric bag for counters and durations (best-effort; thread-safe and optional)
+        private readonly ConcurrentDictionary<string, long> metrics = new (StringComparer.Ordinal);
+
         internal CosmosDiagnosticsContext()
         {
         }
@@ -59,6 +63,34 @@ public Scope CreateScope(string scope)
             return new Scope(activity);
         }
 
+        // Record or update a metric with an absolute value.
+        public void SetMetric(string name, long value)
+        {
+            if (string.IsNullOrEmpty(name))
+            {
+                return;
+            }
+
+            this.metrics[name] = value;
+        }
+
+        // Increment a metric by delta (can be negative).
+        public void AddMetric(string name, long delta = 1)
+        {
+            if (string.IsNullOrEmpty(name))
+            {
+                return;
+            }
+
+            this.metrics.AddOrUpdate(name, delta, (_, current) => current + delta);
+        }
+
+        // Snapshot of current metrics (intended for diagnostics/testing only).
+        public IReadOnlyDictionary<string, long> GetMetricsSnapshot()
+        {
+            return new Dictionary<string, long>(this.metrics);
+        }
+
         /// <summary>
         /// Represents a diagnostic scope for Activity tracking.
         /// Must be used with the 'using' pattern to ensure proper disposal.

@@ -831,7 +831,12 @@ public override Task<ItemResponse<T>> PatchItemAsync<T>(
             PatchItemRequestOptions requestOptions = null,
             CancellationToken cancellationToken = default)
         {
-            throw new NotImplementedException();
+            return this.PatchItemCoreAsync<T>(
+                id,
+                partitionKey,
+                patchOperations,
+                requestOptions,
+                cancellationToken);
         }
 
         public override Task<ResponseMessage> PatchItemStreamAsync(
@@ -841,7 +846,71 @@ public override Task<ResponseMessage> PatchItemStreamAsync(
             PatchItemRequestOptions requestOptions = null,
             CancellationToken cancellationToken = default)
         {
-            throw new NotImplementedException();
+            return this.PatchItemCoreStreamAsync(
+                id,
+                partitionKey,
+                patchOperations,
+                requestOptions,
+                cancellationToken);
+        }
+
+        private async Task<ItemResponse<T>> PatchItemCoreAsync<T>(
+            string id,
+            PartitionKey partitionKey,
+            IReadOnlyList<PatchOperation> patchOperations,
+            PatchItemRequestOptions requestOptions,
+            CancellationToken cancellationToken)
+        {
+            ResponseMessage response = await this.PatchItemCoreStreamAsync(
+                id,
+                partitionKey,
+                patchOperations,
+                requestOptions,
+                cancellationToken);
+
+            return this.ResponseFactory.CreateItemResponse<T>(response);
+        }
+
+        // Minimal patch implementation: only supports patching non-encrypted paths. If an encrypted path is modified,
+        // the value won't be automatically encrypted – future enhancement would mirror EncryptPatchOperationsAsync from base encryption container.
+        private async Task<ResponseMessage> PatchItemCoreStreamAsync(
+            string id,
+            PartitionKey partitionKey,
+            IReadOnlyList<PatchOperation> patchOperations,
+            PatchItemRequestOptions requestOptions,
+            CancellationToken cancellationToken)
+        {
+            if (string.IsNullOrWhiteSpace(id))
+            {
+                throw new ArgumentNullException(nameof(id));
+            }
+
+            if (patchOperations == null || patchOperations.Count == 0)
+            {
+                throw new ArgumentNullException(nameof(patchOperations));
+            }
+
+            CosmosDiagnosticsContext diagnosticsContext = CosmosDiagnosticsContext.Create(requestOptions);
+            using (diagnosticsContext.CreateScope("PatchItemStream"))
+            {
+                ResponseMessage response = await this.container.PatchItemStreamAsync(
+                    id,
+                    partitionKey,
+                    patchOperations,
+                    requestOptions,
+                    cancellationToken);
+
+                if (response.IsSuccessStatusCode && response.Content != null)
+                {
+                    (response.Content, _) = await EncryptionProcessor.DecryptAsync(
+                        response.Content,
+                        this.Encryptor,
+                        diagnosticsContext,
+                        cancellationToken);
+                }
+
+                return response;
+            }
         }
 
         public override ChangeFeedProcessorBuilder GetChangeFeedProcessorBuilder<T>(

@@ -28,14 +28,14 @@ internal class EncryptionProperties
 
         [JsonProperty(PropertyName = Constants.EncryptedPaths)]
         [JsonPropertyName(Constants.EncryptedPaths)]
-        public IEnumerable<string> EncryptedPaths { get; }
+        public IReadOnlyCollection<string> EncryptedPaths { get; }
 
         public EncryptionProperties(
             int encryptionFormatVersion,
             string encryptionAlgorithm,
             string dataEncryptionKeyId,
             byte[] encryptedData,
-            IEnumerable<string> encryptedPaths)
+            IReadOnlyCollection<string> encryptedPaths)
         {
             this.EncryptionFormatVersion = encryptionFormatVersion;
             this.EncryptionAlgorithm = encryptionAlgorithm;

@@ -0,0 +1,45 @@
+//------------------------------------------------------------
+// Copyright (c) Microsoft Corporation.  All rights reserved.
+//------------------------------------------------------------
+
+namespace Microsoft.Azure.Cosmos.Encryption.Custom
+{
+    using System;
+    using System.Buffers;
+
+    // Small wrapper to make pooled ownership explicit and efficient via Memory/Span
+    internal sealed class PooledByteOwner : IMemoryOwner<byte>, IDisposable
+    {
+        private readonly ArrayPoolManager pool;
+
+        internal byte[] Buffer { get; private set; }
+
+        internal int Length { get; private set; }
+
+        private bool disposed;
+
+        public PooledByteOwner(ArrayPoolManager pool, byte[] buffer, int length)
+        {
+            this.pool = pool ?? throw new ArgumentNullException(nameof(pool));
+            this.Buffer = buffer ?? throw new ArgumentNullException(nameof(buffer));
+            this.Length = length;
+        }
+
+        public Memory<byte> Memory => new Memory<byte>(this.Buffer, 0, this.Length);
+
+        internal byte[] Array => this.Buffer;
+
+        public void Dispose()
+        {
+            if (this.disposed)
+            {
+                return;
+            }
+
+            this.disposed = true;
+            this.pool.Return(this.Buffer);
+            this.Buffer = System.Array.Empty<byte>();
+            this.Length = 0;
+        }
+    }
+}