Closes #194. Two fixes on the Azure Key Vault storage backend plus the tests that pin them.
What landed
fix(azure-kv)— both-mode retrieve falls back to Secrets whenexport_certificatereturns None (the MAJOR finding). When the Certificate API claimed a fresher copy than Secrets but the export failed (companion Secret deleted manually, base64 garbage, PFX parse error), the older Secrets snapshot was silently discarded and the caller saw None. Now the fallback fires and a WARNING-level log surfaces the skew so operators can investigate.fix(azure-kv)—_delete_secretsmetadata failure flags the surface as failed (the MINOR finding). Restores the surface-independence contract that the rest ofdelete_certificatealready enforces. Metadata-delete failures now log at WARNING (not debug) so they surface in the operator log.
Two new tests in tests/test_azure_keyvault_certificate_storage.py pin both behaviours.
Closes #194.