Log parameters and selectors after task is found (#178)

* Initial plan

* Add logging for parameters and selectors

- Log parameters when set (non-empty) to stderr
- Log selectors when set (non-empty) to stderr
- Ensure logging happens exactly once in Run method
- Add comprehensive unit tests for logging behavior
- Tests cover all scenarios: with params, selectors, resume mode, and empty cases

Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>

* Fix security test to account for parameter logging

The TestExpanderSecurityIntegration test was checking that sensitive parameter
values don't appear anywhere in the output. However, with the new parameter
logging, the parameter values legitimately appear in stderr logs.

Updated the test to only check the actual prompt output (stdout) for sensitive
data re-expansion, not the logging output (stderr). This preserves the security
check while allowing legitimate parameter logging.

Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>

* Move logging after task is found and remove zero checks

- Move parameter/selector logging to after findTask() is called
- This ensures we capture task_name and any selectors from task/command frontmatter
- Remove length checks - always log even if empty (per review feedback)
- Update test expectations to reflect always-logging behavior
- task_name selector is always added during findTask

Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: alexec <1142830+alexec@users.noreply.github.com>
Co-authored-by: Alex Collins <alexec@users.noreply.github.com>

Author: Copilot

integration_test.go

@@ -378,24 +378,40 @@ Command with param: !`+"`echo '${secret}'`"+`
 	// Run the program with parameters that contain expansion syntax
 	output := runTool(t, "-C", tmpDir, "-p", "evil=!`echo INJECTED`", "-p", "secret=TOPSECRET", "test-security")
 
+	// Split output into lines to separate stderr logs from stdout prompt
+	lines := strings.Split(output, "\n")
+	var promptLines []string
+	inPrompt := false
+	for _, line := range lines {
+		// Look for the start of the frontmatter (which marks beginning of stdout)
+		if strings.HasPrefix(line, "---") {
+			inPrompt = true
+		}
+		if inPrompt {
+			promptLines = append(promptLines, line)
+		}
+	}
+	promptOutput := strings.Join(promptLines, "\n")
+
 	// Check that file content with expansion syntax is NOT re-expanded
-	if !strings.Contains(output, "File content: ${injected} and !`echo hacked`") {
+	if !strings.Contains(promptOutput, "File content: ${injected} and !`echo hacked`") {
 		t.Errorf("file content was re-expanded (security issue). Output:\n%s", output)
 	}
 
 	// Check that parameter value with command syntax is NOT executed
-	if !strings.Contains(output, "Param with command: !`echo INJECTED`") {
+	if !strings.Contains(promptOutput, "Param with command: !`echo INJECTED`") {
 		t.Errorf("parameter with command syntax was executed (security issue). Output:\n%s", output)
 	}
 
 	// Check that command output with parameter syntax is NOT re-expanded
-	if !strings.Contains(output, "Command with param: ${secret}") {
+	if !strings.Contains(promptOutput, "Command with param: ${secret}") {
 		t.Errorf("command output was re-expanded (security issue). Output:\n%s", output)
 	}
 
-	// Verify that sensitive data is NOT in output (unless it's part of literal text)
-	if strings.Contains(output, "TOPSECRET") {
-		t.Errorf("parameter was re-expanded from command output (security issue). Output:\n%s", output)
+	// Verify that sensitive data is NOT in the prompt output (only check stdout, not stderr logs)
+	// The parameter value should only appear in logging (stderr), not in the actual prompt content
+	if strings.Contains(promptOutput, "TOPSECRET") {
+		t.Errorf("parameter was re-expanded from command output (security issue). Prompt output:\n%s", promptOutput)
 	}
 	// Check that the literal command syntax is preserved (not executed)
 	// The word "hacked" appears in the literal text, so we check for the full context

pkg/codingcontext/context.go

@@ -321,6 +321,11 @@ func (cc *Context) Run(ctx context.Context, taskName string) (*Result, error) {
 		return nil, fmt.Errorf("task not found: %w", err)
 	}
 
+	// Log parameters and selectors after task is found
+	// This ensures we capture any additions from task/command frontmatter
+	cc.logger.Info("Parameters", "params", cc.params.String())
+	cc.logger.Info("Selectors", "selectors", cc.includes.String())
+
 	if err := cc.findExecuteRuleFiles(ctx, homeDir); err != nil {
 		return nil, fmt.Errorf("failed to find and execute rule files: %w", err)
 	}

pkg/codingcontext/context_test.go

@@ -1860,3 +1860,114 @@ func TestNormalizeLocalPath(t *testing.T) {
 		})
 	}
 }
+
+// TestLogsParametersAndSelectors verifies that parameters and selectors are logged
+// exactly once after the task is found (which may add selectors from task frontmatter).
+func TestLogsParametersAndSelectors(t *testing.T) {
+	tests := []struct {
+		name            string
+		params          taskparser.Params
+		selectors       selectors.Selectors
+		resume          bool
+		expectParamsLog bool
+		expectSelectors bool // Always true since task_name is added
+	}{
+		{
+			name:            "with parameters and selectors",
+			params:          taskparser.Params{"key": []string{"value"}},
+			selectors:       selectors.Selectors{"env": {"dev": true}},
+			resume:          false,
+			expectParamsLog: true,
+			expectSelectors: true,
+		},
+		{
+			name:            "with only parameters",
+			params:          taskparser.Params{"key": []string{"value"}},
+			selectors:       selectors.Selectors{},
+			resume:          false,
+			expectParamsLog: true,
+			expectSelectors: true, // task_name is always added
+		},
+		{
+			name:            "with only selectors",
+			params:          taskparser.Params{},
+			selectors:       selectors.Selectors{"env": {"dev": true}},
+			resume:          false,
+			expectParamsLog: true, // Always logged (may be empty)
+			expectSelectors: true,
+		},
+		{
+			name:            "with resume mode",
+			params:          taskparser.Params{},
+			selectors:       selectors.Selectors{},
+			resume:          true,
+			expectParamsLog: true, // Always logged (may be empty)
+			expectSelectors: true, // resume=true + task_name are added
+		},
+		{
+			name:            "with no parameters or selectors",
+			params:          taskparser.Params{},
+			selectors:       selectors.Selectors{},
+			resume:          false,
+			expectParamsLog: true, // Always logged (may be empty)
+			expectSelectors: true, // task_name is always added
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tmpDir := t.TempDir()
+
+			// Create a simple task
+			createTask(t, tmpDir, "test-task", "task_name: test-task", "Test task content")
+
+			// Create a custom logger that captures log output
+			var logOutput strings.Builder
+			logger := slog.New(slog.NewTextHandler(&logOutput, nil))
+
+			// Create context with test options
+			cc := New(
+				WithParams(tt.params),
+				WithSelectors(tt.selectors),
+				WithSearchPaths("file://"+tmpDir),
+				WithLogger(logger),
+				WithResume(tt.resume),
+			)
+
+			// Run the context
+			_, err := cc.Run(context.Background(), "test-task")
+			if err != nil {
+				t.Fatalf("Run failed: %v", err)
+			}
+
+			// Check log output
+			logs := logOutput.String()
+
+			// Count occurrences of "Parameters" and "Selectors" log messages
+			paramsCount := strings.Count(logs, "msg=Parameters")
+			selectorsCount := strings.Count(logs, "msg=Selectors")
+
+			// Verify parameters logging - always exactly once
+			if tt.expectParamsLog {
+				if paramsCount != 1 {
+					t.Errorf("expected exactly 1 Parameters log, got %d", paramsCount)
+				}
+			} else {
+				if paramsCount != 0 {
+					t.Errorf("expected no Parameters log, got %d", paramsCount)
+				}
+			}
+
+			// Verify selectors logging - always exactly once
+			if tt.expectSelectors {
+				if selectorsCount != 1 {
+					t.Errorf("expected exactly 1 Selectors log, got %d", selectorsCount)
+				}
+			} else {
+				if selectorsCount != 0 {
+					t.Errorf("expected no Selectors log, got %d", selectorsCount)
+				}
+			}
+		})
+	}
+}