The public client records Session and Page contain collection components but do not make defensive copies. Session is declared at arcp-client/src/main/java/dev/arcp/client/Session.java around line 11 with Set negotiatedFeatures and List availableAgents, and Page is declared at arcp-client/src/main/java/dev/arcp/client/Page.java around line 7 with List items. Although some internal call sites pass immutable collections, public constructors can be called with mutable lists or sets and the record will retain those aliases.
Fix prompt: Add compact constructors to Session and Page that copy collection components with Set.copyOf and List.copyOf while preserving nullability for noncollection fields. Add tests that construct each record with mutable collections, mutate the original collection afterward, and verify the record contents remain unchanged. Also assert that direct mutation through the accessor fails for the returned collections.
The public client records Session and Page contain collection components but do not make defensive copies. Session is declared at arcp-client/src/main/java/dev/arcp/client/Session.java around line 11 with Set negotiatedFeatures and List availableAgents, and Page is declared at arcp-client/src/main/java/dev/arcp/client/Page.java around line 7 with List items. Although some internal call sites pass immutable collections, public constructors can be called with mutable lists or sets and the record will retain those aliases.
Fix prompt: Add compact constructors to Session and Page that copy collection components with Set.copyOf and List.copyOf while preserving nullability for noncollection fields. Add tests that construct each record with mutable collections, mutate the original collection afterward, and verify the record contents remain unchanged. Also assert that direct mutation through the accessor fails for the returned collections.