commandmate 0.3.5 → 0.4.0

package/dist/server/src/lib/cli-tools/opencode-config.js

@@ -2,9 +2,10 @@
 /**
  * OpenCode configuration file generator
  * Issue #379: Generates opencode.json with Ollama provider configuration
+ * Issue #398: Added LM Studio provider support
  *
  * @remarks [D1-001 SRP] Separated from opencode.ts to maintain single responsibility.
- * This module handles Ollama HTTP API calls and config file I/O,
+ * This module handles Ollama/LM Studio HTTP API calls and config file I/O,
  * while opencode.ts handles tmux session management.
  */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
@@ -41,7 +42,9 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.OLLAMA_MODEL_PATTERN = exports.MAX_OLLAMA_MODELS = exports.OLLAMA_BASE_URL = exports.OLLAMA_API_URL = void 0;
+exports.LM_STUDIO_MODEL_PATTERN = exports.MAX_LM_STUDIO_MODELS = exports.LM_STUDIO_BASE_URL = exports.LM_STUDIO_API_URL = exports.OLLAMA_MODEL_PATTERN = exports.MAX_OLLAMA_MODELS = exports.OLLAMA_BASE_URL = exports.OLLAMA_API_URL = void 0;
+exports.fetchOllamaModels = fetchOllamaModels;
+exports.fetchLmStudioModels = fetchLmStudioModels;
 exports.ensureOpencodeConfig = ensureOpencodeConfig;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
@@ -75,10 +78,49 @@ exports.MAX_OLLAMA_MODELS = 100;
  *   Length limit provides DoS protection against excessively long model names from Ollama API.
  */
 exports.OLLAMA_MODEL_PATTERN = /^[a-zA-Z0-9._:/-]{1,100}$/;
+/**
+ * [SEC-001] SSRF Prevention: LM Studio API URL is hardcoded.
+ * This value MUST NOT be derived from environment variables, config files,
+ * or user input. OWASP A10:2021
+ */
+exports.LM_STUDIO_API_URL = 'http://localhost:1234/v1/models';
+/**
+ * [SEC-001] SSRF Prevention: LM Studio base URL for opencode.json config.
+ * Same policy as LM_STUDIO_API_URL.
+ */
+exports.LM_STUDIO_BASE_URL = 'http://localhost:1234/v1';
+/** Maximum number of LM Studio models to include in config (DoS prevention) */
+exports.MAX_LM_STUDIO_MODELS = 100;
+/**
+ * LM Studio model ID validation pattern (with length limit).
+ * Allows: alphanumeric, dots, underscores, colons, slashes, @, hyphens.
+ * Max 200 characters (length encoded in regex).
+ *
+ * [SEC-001] Defense-in-depth validation at point of use.
+ *
+ * Character set rationale:
+ *   - a-zA-Z0-9._:/- : Common character set shared with Ollama (model names, org/model format)
+ *   - @ : HuggingFace revision format support (e.g., org/model@revision)
+ *
+ * Actual model ID examples:
+ *   - lmstudio-community/Meta-Llama-3.1-8B-Instruct-GGUF (54 chars)
+ *   - TheBloke/Mistral-7B-Instruct-v0.2-GGUF (41 chars)
+ *
+ * Length limit rationale: Actual model IDs max ~60 chars; 200 provides
+ * sufficient safety margin for org+model+quantization+revision.
+ *
+ * Note: Hyphen `-` is placed at the end of the character class to avoid
+ * the need for escaping in the regex.
+ */
+exports.LM_STUDIO_MODEL_PATTERN = /^[a-zA-Z0-9._:/@-]{1,200}$/;
 /** Ollama API request timeout in milliseconds */
 const OLLAMA_API_TIMEOUT_MS = 3000;
 /** Maximum Ollama API response size (1MB) [D4-007] */
 const MAX_OLLAMA_RESPONSE_SIZE = 1 * 1024 * 1024;
+/** LM Studio API request timeout in milliseconds */
+const LM_STUDIO_API_TIMEOUT_MS = 3000;
+/** Maximum LM Studio API response size (1MB) */
+const MAX_LM_STUDIO_RESPONSE_SIZE = 1 * 1024 * 1024;
 /** Config file name */
 const CONFIG_FILE_NAME = 'opencode.json';
 // =============================================================================
@@ -141,25 +183,22 @@ function validateWorktreePath(worktreePath) {
     return realPath;
 }
 // =============================================================================
-// Main function
+// Provider Functions
 // =============================================================================
 /**
- * Ensure opencode.json exists in the worktree directory.
- * If the file already exists, it is NOT overwritten (respects user configuration).
- * If Ollama is not running, the function logs a warning and returns without error.
+ * Fetch model list from Ollama API.
+ * Returns empty object on any failure (non-fatal).
  *
- * @param worktreePath - Worktree directory path (from DB)
+ * Extracted from ensureOpencodeConfig() for SRP compliance.
+ * All error paths (non-200 response, size exceeded, invalid structure, exceptions)
+ * return empty object {} instead of throwing.
+ *
+ * @returns Model map (key: model name, value: { name: display name })
  * @internal
  */
-async function ensureOpencodeConfig(worktreePath) {
-    // Validate path [D4-004]
-    const validatedPath = validateWorktreePath(worktreePath);
-    const configPath = path.join(validatedPath, CONFIG_FILE_NAME);
-    // Skip if config already exists (respect user configuration)
-    if (fs.existsSync(configPath)) {
-        return;
-    }
-    // Fetch models from Ollama API
+// TODO: If a 3rd provider is added, extract common HTTP fetch logic
+// to fetchWithTimeout(url, timeoutMs, maxResponseSize): Promise<string | null>
+async function fetchOllamaModels() {
     const models = {};
     try {
         const controller = new AbortController();
@@ -170,20 +209,20 @@ async function ensureOpencodeConfig(worktreePath) {
             clearTimeout(timeoutId);
         });
         if (!response.ok) {
-            console.warn(`Ollama API returned status ${response.status}, skipping opencode.json generation`);
-            return;
+            console.warn(`Ollama API returned status ${response.status}, skipping model fetch`);
+            return {};
         }
         // [D4-007] Response size check
         const text = await response.text();
         if (text.length > MAX_OLLAMA_RESPONSE_SIZE) {
-            console.warn('Ollama API response too large, skipping opencode.json generation');
-            return;
+            console.warn('Ollama API response too large, skipping model fetch');
+            return {};
         }
         // Parse and validate response structure [D4-007]
         const data = JSON.parse(text);
         if (!data || !Array.isArray(data.models)) {
-            console.warn('Invalid Ollama API response structure, skipping opencode.json generation');
-            return;
+            console.warn('Invalid Ollama API response structure, skipping model fetch');
+            return {};
         }
         // Limit model count (DoS prevention)
         const modelList = data.models.slice(0, exports.MAX_OLLAMA_MODELS);
@@ -199,26 +238,133 @@ async function ensureOpencodeConfig(worktreePath) {
     catch (error) {
         // Non-fatal: Ollama may not be running [D4-002]
         if (error instanceof Error && error.name === 'AbortError') {
-            console.warn('Ollama API timeout, skipping opencode.json generation');
+            console.warn('Ollama API timeout, skipping model fetch');
+        }
+        else {
+            console.warn('Failed to fetch Ollama models, skipping model fetch');
+        }
+    }
+    return models;
+}
+/**
+ * Fetch model list from LM Studio OpenAI-compatible API.
+ * Returns empty object on any failure (non-fatal).
+ *
+ * LM Studio provides an OpenAI-compatible API at /v1/models.
+ * Response format: { data: [{ id: string, object: string, ... }] }
+ * Model IDs are used as-is for display names (no details available).
+ *
+ * Model IDs are validated with LM_STUDIO_MODEL_PATTERN and used as
+ * opencode.json model keys. JSON.stringify() ensures proper escaping
+ * to prevent JSON structure corruption via malicious model IDs. [SEC-005]
+ *
+ * @returns Model map (key: model id, value: { name: model id })
+ * @internal
+ */
+// TODO: If a 3rd provider is added, extract common HTTP fetch logic
+// to fetchWithTimeout(url, timeoutMs, maxResponseSize): Promise<string | null>
+async function fetchLmStudioModels() {
+    const models = {};
+    try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), LM_STUDIO_API_TIMEOUT_MS);
+        const response = await fetch(exports.LM_STUDIO_API_URL, {
+            signal: controller.signal,
+        }).finally(() => {
+            clearTimeout(timeoutId);
+        });
+        if (!response.ok) {
+            console.warn(`LM Studio API returned status ${response.status}, skipping model fetch`);
+            return {};
+        }
+        const text = await response.text();
+        if (text.length > MAX_LM_STUDIO_RESPONSE_SIZE) {
+            console.warn('LM Studio API response too large, skipping model fetch');
+            return {};
+        }
+        const data = JSON.parse(text);
+        if (!data || !Array.isArray(data.data)) {
+            console.warn('Invalid LM Studio API response structure, skipping model fetch');
+            return {};
+        }
+        const modelList = data.data.slice(0, exports.MAX_LM_STUDIO_MODELS);
+        for (const model of modelList) {
+            if (typeof model?.id !== 'string')
+                continue;
+            if (!exports.LM_STUDIO_MODEL_PATTERN.test(model.id))
+                continue;
+            models[model.id] = { name: model.id };
+        }
+    }
+    catch (error) {
+        if (error instanceof Error && error.name === 'AbortError') {
+            console.warn('LM Studio API timeout, skipping model fetch');
         }
         else {
-            console.warn('Failed to fetch Ollama models, skipping opencode.json generation');
+            console.warn('Failed to fetch LM Studio models, skipping model fetch');
         }
+    }
+    return models;
+}
+// =============================================================================
+// Main function
+// =============================================================================
+/**
+ * Ensure opencode.json exists in the worktree directory.
+ * If the file already exists, it is NOT overwritten (respects user configuration).
+ * If both Ollama and LM Studio are not running, the function returns without error
+ * and does not generate opencode.json.
+ *
+ * Provider configuration is built dynamically: only providers with models are included.
+ * If a 3rd provider is added, consider refactoring to a data-driven design
+ * (providerDefinitions array + loop) instead of inline if-branches. [KISS]
+ *
+ * @param worktreePath - Worktree directory path (from DB)
+ * @internal
+ */
+async function ensureOpencodeConfig(worktreePath) {
+    // Validate path [D4-004]
+    const validatedPath = validateWorktreePath(worktreePath);
+    const configPath = path.join(validatedPath, CONFIG_FILE_NAME);
+    // Skip if config already exists (respect user configuration)
+    if (fs.existsSync(configPath)) {
+        return;
+    }
+    // Fetch models from both providers in parallel.
+    // Each function catches all exceptions internally and returns {} on failure,
+    // so Promise.all will never reject.
+    const [ollamaModels, lmStudioModels] = await Promise.all([
+        fetchOllamaModels(),
+        fetchLmStudioModels(),
+    ]);
+    // Dynamic provider configuration: only include providers with models
+    const provider = {};
+    if (Object.keys(ollamaModels).length > 0) {
+        provider.ollama = {
+            npm: '@ai-sdk/openai-compatible',
+            name: 'Ollama (local)',
+            options: { baseURL: exports.OLLAMA_BASE_URL },
+            models: ollamaModels,
+        };
+    }
+    if (Object.keys(lmStudioModels).length > 0) {
+        provider.lmstudio = {
+            npm: '@ai-sdk/openai-compatible',
+            name: 'LM Studio (local)',
+            options: { baseURL: exports.LM_STUDIO_BASE_URL },
+            models: lmStudioModels,
+        };
+    }
+    // Both providers have 0 models: skip opencode.json generation
+    if (Object.keys(provider).length === 0) {
         return;
     }
     // [D4-005] Generate config using JSON.stringify (not template literals).
     // JSON.stringify ensures proper escaping of model names and other values,
-    // preventing JSON injection via maliciously crafted Ollama model metadata.
+    // preventing JSON injection via maliciously crafted model metadata.
     const config = {
         $schema: 'https://opencode.ai/config.json',
-        provider: {
-            ollama: {
-                npm: '@ai-sdk/openai-compatible',
-                name: 'Ollama (local)',
-                options: { baseURL: exports.OLLAMA_BASE_URL },
-                models,
-            },
-        },
+        provider,
     };
     try {
         fs.writeFileSync(configPath, JSON.stringify(config, null, 2), {

package/dist/server/src/lib/cli-tools/opencode.js

@@ -14,6 +14,7 @@ exports.OpenCodeTool = exports.OPENCODE_INIT_WAIT_MS = exports.OPENCODE_PANE_HEI
 const base_1 = require("./base");
 const tmux_1 = require("../tmux");
 const pasted_text_helper_1 = require("../pasted-text-helper");
+const tmux_capture_cache_1 = require("../tmux-capture-cache");
 const opencode_config_1 = require("./opencode-config");
 const child_process_1 = require("child_process");
 const util_1 = require("util");
@@ -137,6 +138,8 @@ class OpenCodeTool extends base_1.BaseCLITool {
             if (message.includes('\n')) {
                 await (0, pasted_text_helper_1.detectAndResendIfPastedText)(sessionName);
             }
+            // Issue #405: Invalidate cache after sending message
+            (0, tmux_capture_cache_1.invalidateCache)(sessionName);
             console.log(`Sent message to OpenCode session: ${sessionName}`);
         }
         catch (error) {
@@ -176,6 +179,8 @@ class OpenCodeTool extends base_1.BaseCLITool {
                 // Step 5: Session does not exist, attempt kill anyway (cleanup stale tmux sessions)
                 await (0, tmux_1.killSession)(sessionName);
             }
+            // Issue #405: Invalidate cache after session kill
+            (0, tmux_capture_cache_1.invalidateCache)(sessionName);
             console.log(`Stopped OpenCode session: ${sessionName}`);
         }
         catch (error) {

package/dist/server/src/lib/cli-tools/vibe-local.js

@@ -14,6 +14,7 @@ const base_1 = require("./base");
 const types_1 = require("./types");
 const tmux_1 = require("../tmux");
 const pasted_text_helper_1 = require("../pasted-text-helper");
+const tmux_capture_cache_1 = require("../tmux-capture-cache");
 const db_instance_1 = require("../db-instance");
 const db_1 = require("../db");
 /**
@@ -132,6 +133,8 @@ class VibeLocalTool extends base_1.BaseCLITool {
             if (message.includes('\n')) {
                 await (0, pasted_text_helper_1.detectAndResendIfPastedText)(sessionName);
             }
+            // Issue #405: Invalidate cache after sending message
+            (0, tmux_capture_cache_1.invalidateCache)(sessionName);
             console.log(`✓ Sent message to Vibe Local session: ${sessionName}`);
         }
         catch (error) {

package/dist/server/src/lib/cmate-parser.js

@@ -22,7 +22,7 @@ exports.validateCmatePath = validateCmatePath;
 exports.parseCmateFile = parseCmateFile;
 exports.parseSchedulesSection = parseSchedulesSection;
 exports.readCmateFile = readCmateFile;
-const fs_1 = require("fs");
+const promises_1 = require("fs/promises");
 const path_1 = __importDefault(require("path"));
 const types_1 = require("../lib/cli-tools/types");
 const schedule_config_1 = require("../config/schedule-config");
@@ -64,9 +64,9 @@ function sanitizeMessageContent(content) {
  * @returns true if path is valid and within worktree directory
  * @throws Error if path traversal is detected
  */
-function validateCmatePath(filePath, worktreeDir) {
-    const realFilePath = (0, fs_1.realpathSync)(filePath);
-    const realWorktreeDir = (0, fs_1.realpathSync)(worktreeDir);
+async function validateCmatePath(filePath, worktreeDir) {
+    const realFilePath = await (0, promises_1.realpath)(filePath);
+    const realWorktreeDir = await (0, promises_1.realpath)(worktreeDir);
     // Ensure the file is within the worktree directory
     if (!realFilePath.startsWith(realWorktreeDir + path_1.default.sep) &&
         realFilePath !== path_1.default.join(realWorktreeDir, cmate_constants_1.CMATE_FILENAME)) {
@@ -243,12 +243,12 @@ function parseSchedulesSection(rows) {
  * @returns Parsed CmateConfig, or null if the file doesn't exist
  * @throws Error if path traversal is detected
  */
-function readCmateFile(worktreeDir) {
+async function readCmateFile(worktreeDir) {
     const filePath = path_1.default.join(worktreeDir, cmate_constants_1.CMATE_FILENAME);
     try {
         // Validate path before reading
-        validateCmatePath(filePath, worktreeDir);
-        const content = (0, fs_1.readFileSync)(filePath, 'utf-8');
+        await validateCmatePath(filePath, worktreeDir);
+        const content = await (0, promises_1.readFile)(filePath, 'utf-8');
         return parseCmateFile(content);
     }
     catch (error) {

package/dist/server/src/lib/db-migrations.js

@@ -19,7 +19,7 @@ const db_1 = require("./db");
  * Current schema version
  * Increment this when adding new migrations
  */
-exports.CURRENT_SCHEMA_VERSION = 20;
+exports.CURRENT_SCHEMA_VERSION = 21;
 /**
  * Migration registry
  * All migrations should be added to this array in order
@@ -876,6 +876,23 @@ const migrations = [
             // vibe_local_context_window is a nullable INTEGER column; harmless if unused
             console.log('No rollback for vibe_local_context_window column (SQLite limitation)');
         }
+    },
+    {
+        version: 21,
+        name: 'add-scheduled-executions-worktree-enabled-index',
+        up: (db) => {
+            // Issue #409: Add composite index for schedule sync performance
+            // Used by syncSchedules() to batch-query schedules by worktree_id + enabled
+            db.exec(`
+        CREATE INDEX IF NOT EXISTS idx_scheduled_executions_worktree_enabled
+          ON scheduled_executions(worktree_id, enabled);
+      `);
+            console.log('✓ Created composite index idx_scheduled_executions_worktree_enabled');
+        },
+        down: (db) => {
+            db.exec('DROP INDEX IF EXISTS idx_scheduled_executions_worktree_enabled');
+            console.log('✓ Dropped idx_scheduled_executions_worktree_enabled index');
+        }
     }
 ];
 /**

package/dist/server/src/lib/errors.js

@@ -0,0 +1,153 @@
+"use strict";
+/**
+ * Error Definitions
+ * Issue #136: Phase 1 - Foundation
+ *
+ * Centralized error handling for the application.
+ * SF-SEC-003: Separates client-facing and internal error messages.
+ *
+ * @module errors
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AppError = exports.ErrorCode = void 0;
+exports.createAppError = createAppError;
+exports.isAppError = isAppError;
+exports.wrapError = wrapError;
+exports.getErrorMessage = getErrorMessage;
+/**
+ * Standard error codes used throughout the application
+ * These codes are safe to expose to clients.
+ */
+exports.ErrorCode = {
+    // Input validation errors
+    INVALID_ISSUE_NO: 'INVALID_ISSUE_NO',
+    ISSUE_NO_OUT_OF_RANGE: 'ISSUE_NO_OUT_OF_RANGE',
+    INVALID_BRANCH_NAME: 'INVALID_BRANCH_NAME',
+    BRANCH_NAME_TOO_LONG: 'BRANCH_NAME_TOO_LONG',
+    INVALID_PORT: 'INVALID_PORT',
+    // Resource errors
+    PORT_EXHAUSTED: 'PORT_EXHAUSTED',
+    PORT_IN_USE: 'PORT_IN_USE',
+    WORKTREE_NOT_FOUND: 'WORKTREE_NOT_FOUND',
+    WORKTREE_ALREADY_EXISTS: 'WORKTREE_ALREADY_EXISTS',
+    PID_FILE_EXISTS: 'PID_FILE_EXISTS',
+    PROCESS_NOT_RUNNING: 'PROCESS_NOT_RUNNING',
+    // Security errors
+    PATH_TRAVERSAL: 'PATH_TRAVERSAL',
+    UNAUTHORIZED: 'UNAUTHORIZED',
+    FORBIDDEN: 'FORBIDDEN',
+    // System errors
+    DATABASE_ERROR: 'DATABASE_ERROR',
+    FILESYSTEM_ERROR: 'FILESYSTEM_ERROR',
+    GIT_ERROR: 'GIT_ERROR',
+    TIMEOUT: 'TIMEOUT',
+    // Generic errors
+    UNKNOWN_ERROR: 'UNKNOWN_ERROR',
+};
+/**
+ * Application-specific error class
+ *
+ * @example
+ * ```typescript
+ * throw new AppError('INVALID_ISSUE_NO', 'Issue number must be a positive integer', { received: -1 });
+ * ```
+ */
+class AppError extends Error {
+    /**
+     * Error code - safe to expose to clients
+     */
+    code;
+    /**
+     * Additional details - may contain sensitive info, log only
+     */
+    details;
+    /**
+     * Timestamp when error occurred
+     */
+    timestamp;
+    constructor(code, message, details) {
+        super(message);
+        this.name = 'AppError';
+        this.code = code;
+        this.details = details;
+        this.timestamp = new Date().toISOString();
+        // Maintains proper stack trace for where our error was thrown (only available on V8)
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, AppError);
+        }
+    }
+    /**
+     * Create a client-safe representation (excludes sensitive details)
+     */
+    toClientError() {
+        return {
+            code: this.code,
+            message: this.message,
+        };
+    }
+    /**
+     * Create a log-safe representation (includes details for debugging)
+     */
+    toLogError() {
+        return {
+            code: this.code,
+            message: this.message,
+            details: this.details,
+            timestamp: this.timestamp,
+        };
+    }
+}
+exports.AppError = AppError;
+/**
+ * Factory function to create AppError
+ *
+ * @param code - Error code from ErrorCode enum
+ * @param message - Human-readable error message
+ * @param details - Optional additional details (logged, not sent to client)
+ * @returns AppError instance
+ *
+ * @example
+ * ```typescript
+ * throw createAppError(ErrorCode.PORT_EXHAUSTED, 'No available ports in range', { range: [3001, 3100] });
+ * ```
+ */
+function createAppError(code, message, details) {
+    return new AppError(code, message, details);
+}
+/**
+ * Type guard to check if an error is an AppError
+ *
+ * @param error - Error to check
+ * @returns true if error is an AppError
+ */
+function isAppError(error) {
+    return error instanceof AppError;
+}
+/**
+ * Wrap unknown error into AppError
+ *
+ * @param error - Unknown error
+ * @param defaultCode - Default error code if error is not AppError
+ * @returns AppError instance
+ */
+function wrapError(error, defaultCode = exports.ErrorCode.UNKNOWN_ERROR) {
+    if (isAppError(error)) {
+        return error;
+    }
+    if (error instanceof Error) {
+        return new AppError(defaultCode, error.message, { originalError: error.name });
+    }
+    return new AppError(defaultCode, String(error));
+}
+/**
+ * Get error message from unknown error
+ *
+ * @param error - Unknown error
+ * @returns Error message string
+ */
+function getErrorMessage(error) {
+    if (error instanceof Error) {
+        return error.message;
+    }
+    return String(error);
+}

package/dist/server/src/lib/prompt-answer-sender.js

@@ -9,6 +9,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.sendPromptAnswer = sendPromptAnswer;
 const tmux_1 = require("./tmux");
+const tmux_capture_cache_1 = require("./tmux-capture-cache");
 /** Regex pattern to detect checkbox-style multi-select options */
 const CHECKBOX_OPTION_PATTERN = /^\[[ x]\] /;
 /**
@@ -86,4 +87,6 @@ async function sendPromptAnswer(params) {
         // Send Enter
         await (0, tmux_1.sendKeys)(sessionName, '', true);
     }
+    // Issue #405: Invalidate cache after sending prompt answer
+    (0, tmux_capture_cache_1.invalidateCache)(sessionName);
 }

package/dist/server/src/lib/prompt-detector.js

@@ -6,8 +6,22 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.detectPrompt = detectPrompt;
 exports.getAnswerInput = getAnswerInput;
+exports.resetDetectPromptCache = resetDetectPromptCache;
 const logger_1 = require("./logger");
 const logger = (0, logger_1.createLogger)('prompt-detector');
+/**
+ * Last output tail used for duplicate log suppression.
+ * Only the last 50 lines of the output are compared.
+ * This is a performance optimization to reduce log I/O -- it does NOT
+ * affect detectPrompt()'s return value in any way.
+ *
+ * Uses pure module-scope (not globalThis) since Hot Reload reset is
+ * acceptable for log-only caching. Same pattern as ip-restriction.ts
+ * module-scope cache. [S2-004]
+ *
+ * @internal
+ */
+let lastOutputTail = null;
 /**
  * Maximum number of lines to retain in rawContent.
  * Tail lines are preserved (instruction text typically appears just before the prompt).
@@ -109,8 +123,22 @@ function yesNoPromptResult(question, cleanContent, rawContent, defaultOption) {
  * ```
  */
 function detectPrompt(output, options) {
-    logger.debug('detectPrompt:start', { outputLength: output.length });
+    // D2-001: Extract tail 50 lines for duplicate log suppression.
+    // Reuse `lines` for both dedup check and yes/no pattern matching below.
+    // detectMultipleChoicePrompt() has its own independent split() in its
+    // own scope -- this is intentional function encapsulation [S1-004][S2-001].
     const lines = output.split('\n');
+    const tailForDedup = lines.slice(-50).join('\n');
+    const isDuplicate = tailForDedup === lastOutputTail;
+    // D2-002: Only log on new (non-duplicate) output [S1-001 SRP tradeoff:
+    // dedup logic is inlined here because it needs direct access to output.
+    // If log suppression grows complex (e.g., per-worktree cache), extract
+    // to shouldSuppressLog(output): boolean helper.]
+    if (!isDuplicate) {
+        logger.debug('detectPrompt:start', { outputLength: output.length });
+    }
+    // D2-003: Update cache (affects logging only, never return values)
+    lastOutputTail = tailForDedup;
     // [SF-003] [MF-S2-001] Expanded from 10 to 20 lines for rawContent coverage
     const lastLines = lines.slice(-20).join('\n');
     // Pattern 0: Multiple choice (numbered options with ❯ indicator)
@@ -121,11 +149,14 @@ function detectPrompt(output, options) {
     //   3. Cancel
     const multipleChoiceResult = detectMultipleChoicePrompt(output, options);
     if (multipleChoiceResult.isPrompt) {
-        logger.info('detectPrompt:multipleChoice', {
-            isPrompt: true,
-            question: multipleChoiceResult.promptData?.question,
-            optionsCount: multipleChoiceResult.promptData?.options?.length,
-        });
+        // D2-004: Suppress duplicate multipleChoice info log
+        if (!isDuplicate) {
+            logger.info('detectPrompt:multipleChoice', {
+                isPrompt: true,
+                question: multipleChoiceResult.promptData?.question,
+                optionsCount: multipleChoiceResult.promptData?.options?.length,
+            });
+        }
         return multipleChoiceResult;
     }
     // Patterns 1-4: Yes/no patterns (data-driven matching)
@@ -148,7 +179,10 @@ function detectPrompt(output, options) {
         return yesNoPromptResult(question, content || 'Approve?', trimmedLastLines);
     }
     // No prompt detected
-    logger.debug('detectPrompt:complete', { isPrompt: false });
+    // D2-005: Suppress duplicate complete log
+    if (!isDuplicate) {
+        logger.debug('detectPrompt:complete', { isPrompt: false });
+    }
     return {
         isPrompt: false,
         cleanContent: output.trim(),
@@ -697,3 +731,11 @@ function getAnswerInput(answer, promptType = 'yes_no') {
     // SEC-003: Fixed error message without user input to prevent log injection
     throw new Error("Invalid answer for yes/no prompt. Expected 'yes', 'no', 'y', or 'n'.");
 }
+/**
+ * Reset the duplicate log suppression cache.
+ * Intended for test isolation only.
+ * @internal
+ */
+function resetDetectPromptCache() {
+    lastOutputTail = null;
+}