SpotBugs: Setters incorporate reference to external mutable objects (EI_EXPOSE_REP2, 95 instances)

## SpotBugs Finding: EI_EXPOSE_REP2

**Category:** MALICIOUS_CODE
**Priority:** 2 (Normal) | **Rank:** 18
**Bug Type:** [EI_EXPOSE_REP2](https://spotbugs.readthedocs.io/en/stable/bugDescriptions.html#ei2-expose-rep2)
**CWE:** [CWE-374](https://cwe.mitre.org/data/definitions/374.html)
**Instances:** 95

### Description

Code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, storing a copy of the object is the better approach.

### Affected Classes

These are the setter counterparts to the `EI_EXPOSE_REP` getters — same DTO/event classes:

#### Events Package (`com.github.copilot.sdk.events`)
- `AbortEvent` — `setData()`
- `AssistantIntentEvent` — `setData()`
- `AssistantMessageDeltaEvent` — `setData()`
- `AssistantMessageEvent` — `setData()`, `setToolRequests()`
- `AssistantReasoningDeltaEvent` — `setData()`
- `AssistantReasoningEvent` — `setData()`
- `AssistantTurnEndEvent` — `setData()`
- `AssistantTurnStartEvent` — `setData()`
- `AssistantUsageEvent` — `setData()`, `setQuotaSnapshots()`
- `HookEndEvent` — `setData()`
- `HookStartEvent` — `setData()`
- `SessionIdleEvent` — `setData()`
- `ToolExecutionEndEvent` — `setData()`
- `ToolExecutionStartEvent` — `setData()`

#### JSON Package (`com.github.copilot.sdk.json`)
- `CreateSessionRequest` — `setTools()`, `setMcpServers()`, `setCustomAgents()`, `setSkillDirectories()`, `setDisabledSkills()`
- `ResumeSessionConfig` — `setTools()`, `setMcpServers()`, `setCustomAgents()`, `setSkillDirectories()`, `setDisabledSkills()`
- `ResumeSessionRequest` — `setTools()`, `setMcpServers()`, `setCustomAgents()`, `setSkillDirectories()`, `setDisabledSkills()`
- `SendMessageRequest` — `setAttachments()`
- `SessionConfig` — `setTools()`, `setAvailableTools()`, `setExcludedTools()`, `setMcpServers()`, `setCustomAgents()`, `setSkillDirectories()`, `setDisabledSkills()`
- `SessionEndHookOutput` — `setCleanupActions()`
- `SessionLifecycleEvent` — `setMetadata()`
- `SessionStartHookOutput` — `setModifiedConfig()`
- `ToolResultObject` — `setBinaryResultsForLlm()`, `setToolTelemetry()`
- `UserInputRequest` — `setChoices()`

### Decision Needed

Same considerations as EI_EXPOSE_REP — for JSON-deserialized DTOs, this is **low-risk**. See companion issue #19 for options.

**Options:**
- **Suppress:** Add `@SuppressFBWarnings("EI_EXPOSE_REP2")` to DTO packages
- **Fix with records:** Convert simple DTOs to Java records
- **Defensive copy:** Store `List.copyOf()` / `Map.copyOf()` in setters

---
*Generated from SpotBugs 4.9.8 static analysis*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SpotBugs: Setters incorporate reference to external mutable objects (EI_EXPOSE_REP2, 95 instances) #20

SpotBugs Finding: EI_EXPOSE_REP2

Description

Affected Classes

Events Package (`com.github.copilot.sdk.events`)

JSON Package (`com.github.copilot.sdk.json`)

Decision Needed

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SpotBugs: Setters incorporate reference to external mutable objects (EI_EXPOSE_REP2, 95 instances) #20

Description

SpotBugs Finding: EI_EXPOSE_REP2

Description

Affected Classes

Events Package (com.github.copilot.sdk.events)

JSON Package (com.github.copilot.sdk.json)

Decision Needed

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Events Package (`com.github.copilot.sdk.events`)

JSON Package (`com.github.copilot.sdk.json`)