Refactor flight to filter-then-clone and address review feedback

Replace the uncloned-references approach with filter-then-clone:
- getAccounts()/getCredentials() always return defensive copies
- getAccountsFilteredBy()/getCredentialsFilteredBy() with flight on:
  filter on uncloned in-memory refs first, then clone only matches
- Extract cloneItems() generic helper to DRY the clone loops

Telemetry and documentation:
- Record is_filter_then_clone_enabled span attribute in both
  getAccounts() and getCredentials() for diagnostic consistency
- Update AttributeName Javadoc to reference FilteredBy methods
- Update flight Javadoc to accurately describe behavior

Tests:
- Add tests for getAccountsFilteredBy/getCredentialsFilteredBy with
  flight enabled: verifies filtering works and returns cloned objects
- Update getAccounts/getCredentials flight-enabled tests to verify
  cloned objects (not shared references)
- Fix test flakiness: call getAccounts()/getCredentials() before
  resetCallCounts() to ensure initial load completes deterministically

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: siddhijain

common/src/test/java/com/microsoft/identity/common/SharedPreferencesAccountCredentialCacheWithMemoryCacheTest.java

@@ -70,9 +70,7 @@
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNotSame;
 import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
 import static org.mockito.Mockito.when;
 
 @RunWith(RobolectricTestRunner.class)
@@ -2573,7 +2571,7 @@ public void getAccounts_flightDisabled_returnsMutableListOfClones() {
     }
 
     @Test
-    public void getAccounts_flightEnabled_returnsUnmodifiableListWithSharedReferences() {
+    public void getAccounts_flightEnabled_stillReturnsMutableListOfClones() {
         enableFilterThenCloneFlight();
         try {
             final AccountRecord account = buildDefaultAccountRecord();
@@ -2584,16 +2582,17 @@ public void getAccounts_flightEnabled_returnsUnmodifiableListWithSharedReference
             final List<AccountRecord> accounts2 = mSharedPreferencesAccountCredentialCache.getAccounts();
             assertEquals(1, accounts2.size());
 
-            // When flight is enabled, objects are shared references (not cloned)
-            assertSame(accounts1.get(0), accounts2.get(0));
+            // Even with flight enabled, getAccounts() still returns clones
+            assertNotSame(accounts1.get(0), accounts2.get(0));
+            assertEquals(accounts1.get(0), accounts2.get(0));
 
-            // The returned list should be unmodifiable
-            try {
-                accounts1.add(new AccountRecord());
-                fail("Expected UnsupportedOperationException from unmodifiable list");
-            } catch (final UnsupportedOperationException e) {
-                // expected
-            }
+            // Mutating a returned object should not affect subsequent retrievals
+            accounts1.get(0).setLocalAccountId("mutated");
+            final List<AccountRecord> accounts3 = mSharedPreferencesAccountCredentialCache.getAccounts();
+            assertNotEquals("mutated", accounts3.get(0).getLocalAccountId());
+
+            // The returned list should be mutable (no exception thrown)
+            accounts1.add(new AccountRecord());
         } finally {
             resetFlight();
         }
@@ -2626,7 +2625,7 @@ public void getCredentials_flightDisabled_returnsMutableListOfClones() {
     }
 
     @Test
-    public void getCredentials_flightEnabled_returnsUnmodifiableListWithSharedReferences() {
+    public void getCredentials_flightEnabled_stillReturnsMutableListOfClones() {
         enableFilterThenCloneFlight();
         try {
             final RefreshTokenRecord rt = buildDefaultRefreshToken();
@@ -2637,16 +2636,91 @@ public void getCredentials_flightEnabled_returnsUnmodifiableListWithSharedRefere
             final List<Credential> creds2 = mSharedPreferencesAccountCredentialCache.getCredentials();
             assertEquals(1, creds2.size());
 
-            // When flight is enabled, objects are shared references (not cloned)
-            assertSame(creds1.get(0), creds2.get(0));
+            // Even with flight enabled, getCredentials() still returns clones
+            assertNotSame(creds1.get(0), creds2.get(0));
+            assertEquals(creds1.get(0), creds2.get(0));
+
+            // Mutating a returned object should not affect subsequent retrievals
+            creds1.get(0).setCachedAt("mutated");
+            final List<Credential> creds3 = mSharedPreferencesAccountCredentialCache.getCredentials();
+            assertNotEquals("mutated", creds3.get(0).getCachedAt());
+
+            // The returned list should be mutable (no exception thrown)
+            creds1.add(new RefreshTokenRecord());
+        } finally {
+            resetFlight();
+        }
+    }
+
+    // =====================================================================
+    // Tests verifying filter-then-clone optimization in FilteredBy methods
+    // =====================================================================
+
+    @Test
+    public void getAccountsFilteredBy_flightEnabled_returnsClonedMatches() {
+        enableFilterThenCloneFlight();
+        try {
+            final AccountRecord account = buildDefaultAccountRecord();
+            mSharedPreferencesAccountCredentialCache.saveAccount(account);
+
+            // Also save a non-matching account
+            final AccountRecord otherAccount = new AccountRecord();
+            otherAccount.setHomeAccountId("other-home-id");
+            otherAccount.setEnvironment("other.environment.com");
+            otherAccount.setRealm("other-realm");
+            otherAccount.setLocalAccountId("other-local-id");
+            otherAccount.setUsername("other-user");
+            otherAccount.setAuthorityType(AUTHORITY_TYPE);
+            mSharedPreferencesAccountCredentialCache.saveAccount(otherAccount);
+
+            // Filter by the default account's realm — should return only one match
+            final List<AccountRecord> filtered = mSharedPreferencesAccountCredentialCache
+                    .getAccountsFilteredBy(HOME_ACCOUNT_ID, ENVIRONMENT, REALM);
+            assertEquals(1, filtered.size());
+            assertEquals(HOME_ACCOUNT_ID, filtered.get(0).getHomeAccountId());
+
+            // Returned objects should be clones — mutating should not affect cache
+            filtered.get(0).setLocalAccountId("mutated");
+            final List<AccountRecord> filtered2 = mSharedPreferencesAccountCredentialCache
+                    .getAccountsFilteredBy(HOME_ACCOUNT_ID, ENVIRONMENT, REALM);
+            assertNotEquals("mutated", filtered2.get(0).getLocalAccountId());
+        } finally {
+            resetFlight();
+        }
+    }
+
+    @Test
+    public void getCredentialsFilteredBy_flightEnabled_returnsClonedMatches() {
+        enableFilterThenCloneFlight();
+        try {
+            final RefreshTokenRecord rt = buildDefaultRefreshToken();
+            mSharedPreferencesAccountCredentialCache.saveCredential(rt);
 
-            // The returned list should be unmodifiable
-            try {
-                creds1.add(new RefreshTokenRecord());
-                fail("Expected UnsupportedOperationException from unmodifiable list");
-            } catch (final UnsupportedOperationException e) {
-                // expected
-            }
+            // Also save a non-matching credential
+            final RefreshTokenRecord otherRt = new RefreshTokenRecord();
+            otherRt.setCredentialType(CredentialType.RefreshToken.name());
+            otherRt.setHomeAccountId("other-home-id");
+            otherRt.setEnvironment("other.environment.com");
+            otherRt.setClientId("other-client-id");
+            otherRt.setCachedAt(CACHED_AT);
+            otherRt.setSecret(SECRET);
+            mSharedPreferencesAccountCredentialCache.saveCredential(otherRt);
+
+            // Filter by the default credential's attributes — should return only one match
+            final List<Credential> filtered = mSharedPreferencesAccountCredentialCache
+                    .getCredentialsFilteredBy(
+                            HOME_ACCOUNT_ID, ENVIRONMENT, CredentialType.RefreshToken,
+                            CLIENT_ID, null, null, null, null, null);
+            assertEquals(1, filtered.size());
+            assertEquals(CLIENT_ID, filtered.get(0).getClientId());
+
+            // Returned objects should be clones — mutating should not affect cache
+            filtered.get(0).setCachedAt("mutated");
+            final List<Credential> filtered2 = mSharedPreferencesAccountCredentialCache
+                    .getCredentialsFilteredBy(
+                            HOME_ACCOUNT_ID, ENVIRONMENT, CredentialType.RefreshToken,
+                            CLIENT_ID, null, null, null, null, null);
+            assertNotEquals("mutated", filtered2.get(0).getCachedAt());
         } finally {
             resetFlight();
         }
@@ -2735,7 +2809,9 @@ public void removeAccount_doesNotCallKeySetOrGetAll() throws Exception {
         final AccountRecord account = buildDefaultAccountRecord();
         cache.saveAccount(account);
 
-        // Reset counters after initial load (which may call getAll/keySet for loading)
+        // Force initial load to complete (getAccounts blocks on waitForInitialLoad),
+        // then reset counters so only removeAccount() calls are measured.
+        cache.getAccounts();
         trackingStorage.resetCallCounts();
 
         cache.removeAccount(account);
@@ -2757,7 +2833,9 @@ public void removeCredential_doesNotCallKeySetOrGetAll() throws Exception {
         final RefreshTokenRecord rt = buildDefaultRefreshToken();
         cache.saveCredential(rt);
 
-        // Reset counters after initial load (which may call getAll/keySet for loading)
+        // Force initial load to complete (getCredentials blocks on waitForInitialLoad),
+        // then reset counters so only removeCredential() calls are measured.
+        cache.getCredentials();
         trackingStorage.resetCallCounts();
 
         cache.removeCredential(rt);

common4j/src/main/com/microsoft/identity/common/java/cache/SharedPreferencesAccountCredentialCacheWithMemoryCache.java

@@ -41,7 +41,6 @@
 import com.microsoft.identity.common.java.util.ported.Predicate;
 
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -117,6 +116,26 @@ private void waitForInitialLoad() {
         }
     }
 
+    /**
+     * Clones each element of {@code items} and returns the cloned list.
+     * Used by filter-then-clone paths to defensively copy only matching items.
+     */
+    @SuppressWarnings("unchecked")
+    @NonNull
+    private <T extends AccountCredentialBase> List<T> cloneItems(
+            @NonNull final List<T> items,
+            @NonNull final String methodTag) {
+        final List<T> cloned = new ArrayList<>(items.size());
+        for (final T item : items) {
+            try {
+                cloned.add((T) item.clone());
+            } catch (final CloneNotSupportedException e) {
+                Logger.error(methodTag, "Failed to clone " + item.getClass().getSimpleName(), e);
+            }
+        }
+        return cloned;
+    }
+
     @Override
     public void saveAccount(@NonNull final AccountRecord accountInput) {
         final String methodTag = TAG + ":saveAccount";
@@ -272,14 +291,11 @@ public List<AccountRecord> getAccounts() {
         final boolean useFilterThenClone = CommonFlightsManager.INSTANCE
                 .getFlightsProvider()
                 .isFlightEnabled(CommonFlight.ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE);
+        SpanExtension.current().setAttribute(
+                AttributeName.is_filter_then_clone_enabled.name(), useFilterThenClone);
 
         synchronized (mCacheLock) {
             waitForInitialLoad();
-            if (useFilterThenClone) {
-                Logger.info(methodTag, "Found [" + mCachedAccountRecordsWithKeys.size() + "] Accounts...");
-                return Collections.unmodifiableList(
-                        new ArrayList<>(mCachedAccountRecordsWithKeys.values()));
-            }
             final List<AccountRecord> accounts = new ArrayList<>();
             for (AccountRecord record : mCachedAccountRecordsWithKeys.values()) {
                 try {
@@ -302,6 +318,23 @@ public List<AccountRecord> getAccountsFilteredBy(
         final String methodTag = TAG + ":getAccountsFilteredBy";
         Logger.verbose(methodTag, "Loading Accounts...");
 
+        final boolean useFilterThenClone = CommonFlightsManager.INSTANCE
+                .getFlightsProvider()
+                .isFlightEnabled(CommonFlight.ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE);
+
+        if (useFilterThenClone) {
+            synchronized (mCacheLock) {
+                waitForInitialLoad();
+                final List<AccountRecord> unclonedAccounts =
+                        new ArrayList<>(mCachedAccountRecordsWithKeys.values());
+                final List<AccountRecord> matchingUncloned = getAccountsFilteredByInternal(
+                        homeAccountId, environment, realm, unclonedAccounts);
+                final List<AccountRecord> clonedMatches = cloneItems(matchingUncloned, methodTag);
+                Logger.verbose(methodTag, "Found [" + clonedMatches.size() + "] matching Accounts...");
+                return clonedMatches;
+            }
+        }
+
         final List<AccountRecord> allAccounts = getAccounts();
 
         final List<AccountRecord> matchingAccounts = getAccountsFilteredByInternal(
@@ -372,12 +405,6 @@ public List<Credential> getCredentials() {
 
         synchronized (mCacheLock) {
             waitForInitialLoad();
-            if (useFilterThenClone) {
-                // Return uncloned references in an unmodifiable list.
-                // All callers have been verified as read-only on the returned items.
-                return Collections.unmodifiableList(
-                        new ArrayList<>(mCachedCredentialsWithKeys.values()));
-            }
             ArrayList<Credential> credentials = new ArrayList<>();
             for (Credential credential : mCachedCredentialsWithKeys.values()) {
                 try {
@@ -405,6 +432,36 @@ public List<Credential> getCredentialsFilteredBy(
         final String methodTag = TAG + ":getCredentialsFilteredBy";
         Logger.verbose(methodTag, "getCredentialsFilteredBy()");
 
+        final boolean useFilterThenClone = CommonFlightsManager.INSTANCE
+                .getFlightsProvider()
+                .isFlightEnabled(CommonFlight.ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE);
+
+        if (useFilterThenClone) {
+            synchronized (mCacheLock) {
+                waitForInitialLoad();
+                final List<Credential> unclonedCredentials =
+                        new ArrayList<>(mCachedCredentialsWithKeys.values());
+                final List<Credential> matchingUncloned = getCredentialsFilteredByInternal(
+                        unclonedCredentials,
+                        homeAccountId,
+                        environment,
+                        credentialType,
+                        clientId,
+                        applicationIdentifier,
+                        mamEnrollmentIdentifier,
+                        realm,
+                        target,
+                        authScheme,
+                        null,
+                        null,
+                        false
+                );
+                final List<Credential> clonedMatches = cloneItems(matchingUncloned, methodTag);
+                Logger.verbose(methodTag, "Found [" + clonedMatches.size() + "] matching Credentials...");
+                return clonedMatches;
+            }
+        }
+
         final List<Credential> allCredentials = getCredentials();
 
         final List<Credential> matchingCredentials = getCredentialsFilteredByInternal(
@@ -480,6 +537,36 @@ public List<Credential> getCredentialsFilteredBy(
         final String methodTag = TAG + ":getCredentialsFilteredBy";
         Logger.verbose(methodTag, "getCredentialsFilteredBy()");
 
+        final boolean useFilterThenClone = CommonFlightsManager.INSTANCE
+                .getFlightsProvider()
+                .isFlightEnabled(CommonFlight.ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE);
+
+        if (useFilterThenClone) {
+            synchronized (mCacheLock) {
+                waitForInitialLoad();
+                final List<Credential> unclonedCredentials =
+                        new ArrayList<>(mCachedCredentialsWithKeys.values());
+                final List<Credential> matchingUncloned = getCredentialsFilteredByInternal(
+                        unclonedCredentials,
+                        homeAccountId,
+                        environment,
+                        credentialType,
+                        clientId,
+                        applicationIdentifier,
+                        mamEnrollmentIdentifier,
+                        realm,
+                        target,
+                        authScheme,
+                        requestedClaims,
+                        null,
+                        false
+                );
+                final List<Credential> clonedMatches = cloneItems(matchingUncloned, methodTag);
+                Logger.verbose(methodTag, "Found [" + clonedMatches.size() + "] matching Credentials...");
+                return clonedMatches;
+            }
+        }
+
         final List<Credential> allCredentials = getCredentials();
 
         final List<Credential> matchingCredentials = getCredentialsFilteredByInternal(
@@ -591,6 +678,42 @@ public List<Credential> getCredentialsFilteredBy(@Nullable final String homeAcco
                                                      @Nullable final String target,
                                                      @Nullable final String authScheme,
                                                      @Nullable final String requestedClaims) {
+        final String methodTag = TAG + ":getCredentialsFilteredBy";
+
+        final boolean useFilterThenClone = CommonFlightsManager.INSTANCE
+                .getFlightsProvider()
+                .isFlightEnabled(CommonFlight.ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE);
+
+        if (useFilterThenClone) {
+            synchronized (mCacheLock) {
+                waitForInitialLoad();
+                final List<Credential> unclonedCredentials =
+                        new ArrayList<>(mCachedCredentialsWithKeys.values());
+                final List<Credential> result = new ArrayList<>();
+                for (final CredentialType type : credentialTypes) {
+                    result.addAll(cloneItems(
+                            getCredentialsFilteredByInternal(
+                                    unclonedCredentials,
+                                    homeAccountId,
+                                    environment,
+                                    type,
+                                    clientId,
+                                    applicationIdentifier,
+                                    mamEnrollmentIdentifier,
+                                    realm,
+                                    target,
+                                    authScheme,
+                                    requestedClaims,
+                                    null,
+                                    false
+                            ),
+                            methodTag
+                    ));
+                }
+                return result;
+            }
+        }
+
         final List<Credential> allCredentials = getCredentials();
 
         final List<Credential> result = new ArrayList<>();

common4j/src/main/com/microsoft/identity/common/java/flighting/CommonFlight.java

@@ -255,8 +255,9 @@ public enum CommonFlight implements IFlightConfig {
 
     /**
      * Flight to enable filter-then-clone optimization in SharedPreferencesAccountCredentialCacheWithMemoryCache.
-     * When enabled, getCredentials()/getAccounts() returns uncloned references and
-     * getCredentialsFilteredBy()/getAccountsFilteredBy() filters first, then clones only matching items.
+     * When enabled, getCredentialsFilteredBy()/getAccountsFilteredBy() filters on in-memory
+     * references first, then clones only the matching items — avoiding the cost of
+     * cloning the entire cache when only a subset is needed.
      */
     ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE("EnableFilterThenCloneInMemoryCache", false);