Fix Copilot review noise: restructure instructions for 4K limit (#5971)

* Fix Copilot review noise: restructure instructions for 4K limit

Copilot code review only reads the first 4,000 characters of
copilot-instructions.md. The previous layout consumed this budget
with Copilot Chat skills documentation, so the reviewer never saw
any coding rules — causing 328 false-positive comments across 40 PRs.

Changes:
- Move code review rules to the first 2,500 chars (review scope,
  repo-specific false-positive suppressions, coding standards)
- Push Chat/Agent skills documentation below the 4K cutoff
- Add .github/instructions/tests.instructions.md with test-specific
  rules (RunOn attribute, MSTest patterns, deterministic tests)
- Add .github/instructions/src.instructions.md with source code
  rules (namespace resolution, reflection ban, GetOrAdd pattern)

Path-specific instruction files are not subject to the 4K limit
and provide targeted guidance per file context.

Resolves #5967

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review: MSTest v4, strip coding standards from src.instructions (defer to .editorconfig)

- Fix MSTest SDK v3 → v4 in copilot-instructions.md and tests.instructions.md (bgavrilMS suggestion)
- Remove coding standards section from src.instructions.md — enforced via .editorconfig (bgavrilMS)
- Keep only MSAL-specific rules (dependencies) and scope/reviewer rules
- Resolves conflicting reflection guidance flagged by Copilot

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: gladjohn

.github/copilot-instructions.md

@@ -1,26 +1,68 @@
-Carefully review all markdown documents in the ../.clinerules folder. Those are your custom instructions.
+# Code Review Rules
 
----
+These rules apply to Copilot code review. Read all rules before commenting.
 
-# Code Review Rules
+## Review scope
+
+- Only comment on lines added or modified in the PR diff
+- Do not comment on pre-existing code unless the PR directly introduces the issue
+- Do not comment on style, formatting, or indentation
+- Focus exclusively on: bugs, security issues, logic errors, API contract violations
+- If unsure whether something is a bug, do not comment
+- Prefer no comment over a speculative comment
+- Do not re-post a comment already made on an earlier commit in the same PR
+
+## Repo-specific patterns — do NOT flag these
+
+These patterns are correct in this repo. Do not suggest changes:
+
+- `[RunOn]` inherits from `TestMethodAttribute`. Do not flag as missing `[TestMethod]`
+- `Client.AppConfig.X` resolves via parent namespace `Microsoft.Identity`. Do not flag as unresolved namespace
+- `Assert.IsTrue(bool?)` is a valid MSTest overload. Do not flag nullable bool as a type mismatch
+- `Assert.DoesNotContain(substring, value)` — MSTest v4 signature is substring first, value second
+- `ConfigureAwait(false)` is intentional in library code. Do not suggest removal
+
+## ConcurrentDictionary.GetOrAdd — always use factory delegate
+
+`GetOrAdd(key, value)` eagerly evaluates the value arg. Flag any call where the second argument is not a delegate/lambda/method group:
 
-## ConcurrentDictionary.GetOrAdd — always use the factory delegate overload
+- Bad: `pool.GetOrAdd(key, new ExpensiveObject());`
+- Good: `pool.GetOrAdd(key, _ => new ExpensiveObject());`
 
-`ConcurrentDictionary.GetOrAdd(key, value)` **eagerly evaluates** the second argument before checking the dictionary. If the value is a constructor call or method invocation (e.g., `new HttpClient(...)`, `CreateFoo()`), a new object is created and discarded on every cache hit.
+## C# coding standards
 
-**Bad** — object created on every call, discarded on cache hit:
-```csharp
-pool.GetOrAdd(key, new ExpensiveObject());
-pool.GetOrAdd(key, CreateExpensiveObject());
-```
+- Use `is null` / `is not null` instead of `== null` / `!= null`
+- No reflection in product code (`/src`). Acceptable in tests
+- Static fields: `s_camelCase` (e.g., `s_knownHosts`)
+- Ordinal string comparisons for protocol values, identifiers, cache keys
+- Validate inputs at method boundaries (fail fast with specific exception types)
+- Do not include secrets/tokens/PII in exception messages or logs
+- Use `nameof` instead of string literals for member names
 
-**Good** — factory lambda only runs on cache miss:
-```csharp
-pool.GetOrAdd(key, _ => new ExpensiveObject());
-pool.GetOrAdd(key, _ => CreateExpensiveObject());
-```
+## Testing standards
 
-When reviewing code, flag any `GetOrAdd` call where the second argument is **not** a delegate/lambda/method group. All other usages of GetOrAdd(key, value) should be justified.
+- MSTest SDK v4 with NSubstitute for mocking
+- Use `// Arrange`, `// Act`, `// Assert` comments
+- Prefer deterministic tests (no timing flakiness)
+
+## Public API changes
+
+- Update `PublicAPI.Unshipped.txt` for any public API additions/removals
+- XML doc comments required on all public APIs
+- Maintain backward compatibility
+
+## MSAL-specific rules
+
+- Use certificate-based auth over client secrets when possible
+- Use async APIs consistently
+- Keep dependencies minimal and well-justified
+
+---
+
+<!-- Everything below this line is for Copilot Chat and Copilot Agent only. -->
+<!-- Copilot code review reads only the first 4,000 characters of this file. -->
+
+Carefully review all markdown documents in the ../.clinerules folder. Those are your custom instructions.
 
 ---
 

.github/instructions/src.instructions.md

@@ -0,0 +1,37 @@
+# Source code review rules
+
+Applies to: src/**/*.cs
+
+These rules apply when reviewing production source code in this repository.
+
+## Namespace resolution — do NOT flag
+
+- `Client.AppConfig.X`, `Client.Internal.X`, and similar short namespace references resolve via parent namespace `Microsoft.Identity`. Do not flag as unresolved.
+
+## ConcurrentDictionary.GetOrAdd
+
+`GetOrAdd(key, value)` eagerly evaluates the value argument. Flag any call where the second argument is not a delegate/lambda/method group:
+
+- Bad: `pool.GetOrAdd(key, new ExpensiveObject());`
+- Good: `pool.GetOrAdd(key, _ => new ExpensiveObject());`
+
+## `ConfigureAwait(false)`
+
+`ConfigureAwait(false)` is intentional in library code. Do not suggest removal.
+
+## Public API changes
+
+- Any public API additions or removals must be reflected in `PublicAPI.Unshipped.txt`
+- XML doc comments are required on all public APIs
+- Maintain backward compatibility — breaking changes require explicit justification
+
+## MSAL-specific
+
+- Keep dependencies minimal and well-justified
+
+## Scope
+
+- Only comment on source code added or modified in the PR diff
+- Do not comment on pre-existing code unless the PR directly introduces the issue
+- Do not comment on style or formatting — coding standards are enforced via .editorconfig
+- Focus on: bugs, security issues, logic errors, API contract violations

.github/instructions/tests.instructions.md

@@ -0,0 +1,25 @@
+# Test file review rules
+
+Applies to: tests/**/*.cs
+
+These rules apply when reviewing test files in this repository.
+
+## Test framework patterns — do NOT flag
+
+- `[RunOn]` inherits from `TestMethodAttribute` (see `tests/Microsoft.Identity.Test.Integration.netcore/Infrastructure/TargetFramework.cs` line 15). Tests decorated with `[RunOn]` WILL be discovered by MSTest. Do not flag as missing `[TestMethod]`.
+- `Assert.IsTrue(bool?)` is a valid MSTest overload. Do not flag nullable bool arguments as type mismatches.
+- `Assert.DoesNotContain(substring, value)` — in MSTest v4, the first argument is the substring and the second is the value to search. Do not suggest swapping arguments.
+- `Assert.HasCount(expected, collection)` — valid MSTest v4 assertion. Do not suggest `Assert.AreEqual` for count checks.
+
+## Test conventions
+
+- Use MSTest SDK v4 with NSubstitute for mocking
+- Use `// Arrange`, `// Act`, `// Assert` comments
+- Prefer deterministic tests: avoid `Thread.Sleep`, timing dependencies, or environment-specific behavior
+- Copy existing style in nearby files for test method names
+
+## Scope
+
+- Only comment on test code that is added or modified in the PR diff
+- Do not comment on pre-existing test patterns or style
+- Do not re-post comments already made on earlier commits