coderail-watch 0.1.8 → 0.1.12

package/bin/coderail-watch.js

@@ -12,6 +12,8 @@ const ENV_BASE_URLS = {
   production: "https://api.coderail.local",
 };
 const DEFAULT_RETRY_WAIT_MS = 2000;
+const DEFAULT_LOG_BATCH_MS = 300;
+const DEFAULT_LOG_BATCH_MAX_LINES = 50;
 const ALERT_PREFIX = "[[CODERAIL_ERROR]] ";
 const ERROR_PATTERN = /(^|[\s:])(?:error|exception|traceback|panic|fatal)(?=[\s:])/i;
 const DEFAULT_PROJECT_TREE_MAX_FILES = 1000;
@@ -55,7 +57,21 @@ const parseArgs = (argv) => {
   return args;
 };
 
-const log = (message) => {
+const LOG_LEVELS = {
+  error: 0,
+  warn: 1,
+  info: 2,
+  debug: 3,
+};
+let currentLogLevel = LOG_LEVELS.warn;
+
+const shouldLog = (level) => {
+  const resolved = LOG_LEVELS[level] ?? LOG_LEVELS.info;
+  return currentLogLevel >= resolved;
+};
+
+const log = (message, level = "info") => {
+  if (!shouldLog(level)) return;
   process.stderr.write(`[coderail-watch] ${message}\n`);
 };
 
@@ -66,6 +82,7 @@ if (!WebSocketImpl) {
   } catch (error) {
     log(
       "Missing dependency 'ws'. Run `cd tools/coderail-watch && npm install` or use the published package via `npx coderail-watch@latest ...`.",
+      "error",
     );
     process.exit(1);
   }
@@ -85,7 +102,7 @@ const normalizeBaseHttpUrl = (baseUrl) => {
   return normalized.replace(/\/$/, "");
 };
 
-const buildWsUrl = (baseUrl, sessionId, projectKey, token) => {
+const buildWsUrl = (baseUrl, sessionId, projectKey, token, flowId) => {
   const url = new URL(normalizeHttpBaseUrl(baseUrl));
   const wsProtocol = url.protocol === "https:" ? "wss:" : "ws:";
   url.protocol = wsProtocol;
@@ -96,6 +113,9 @@ const buildWsUrl = (baseUrl, sessionId, projectKey, token) => {
   if (token) {
     url.searchParams.set("token", token);
   }
+  if (flowId) {
+    url.searchParams.set("flow_id", flowId);
+  }
   return url.toString();
 };
 
@@ -148,7 +168,7 @@ const collectSnapshotPaths = (rootDir, excludes) => {
     try {
       entries = fs.readdirSync(current, { withFileTypes: true });
     } catch (error) {
-      log(`snapshot read failed: ${current} (${error})`);
+      log(`snapshot read failed: ${current} (${error})`, "warn");
       continue;
     }
     for (const entry of entries) {
@@ -255,7 +275,7 @@ let baseUrl = "";
 try {
   baseUrl = resolveBaseUrl(args);
 } catch (error) {
-  log(error.message || String(error));
+  log(error.message || String(error), "error");
   process.exit(1);
 }
 const token = args["token"];
@@ -264,6 +284,16 @@ const retryWaitMs = normalizeIntArg(
   DEFAULT_RETRY_WAIT_MS,
   0,
 );
+const logBatchMs = normalizeIntArg(
+  args["log-batch-ms"],
+  DEFAULT_LOG_BATCH_MS,
+  0,
+);
+const logBatchMaxLines = normalizeIntArg(
+  args["log-batch-lines"],
+  DEFAULT_LOG_BATCH_MAX_LINES,
+  1,
+);
 const logPath = args["log-path"];
 const projectRoot = path.resolve(args["project-root"] || process.cwd());
 const sendProjectTree = normalizeBoolArg(args["project-tree"], true);
@@ -280,7 +310,8 @@ const projectTreeMaxBytes = normalizeIntArg(
   DEFAULT_PROJECT_TREE_MAX_BYTES,
   1,
 );
-const enableApiCheck = normalizeBoolArg(args["api-llm-check"], true);
+const runMode = args["mode"] || "default";
+const enableApiCheck = true;
 const enableScreenCheck = normalizeBoolArg(args["screen-check"], true);
 const dotenvPath = args["env-file"] || path.join(projectRoot, ".env");
 const loadEnvFile = (filePath) => {
@@ -318,20 +349,57 @@ const openaiModel =
   process.env.OPENAI_MODEL ||
   envFromFile.OPENAI_MODEL ||
   DEFAULT_OPENAI_MODEL;
-const apiEndpointUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/projects/${encodeURIComponent(
-  projectKey,
-)}/api_endpoint_list`;
+const isNumericProjectKey = /^[0-9]+$/.test(projectKey);
+const apiEndpointUrl = isNumericProjectKey
+  ? `${baseUrl.replace(/\/$/, "")}/api/v1/projects/${encodeURIComponent(
+      projectKey,
+    )}/api_endpoint_list`
+  : `${baseUrl.replace(/\/$/, "")}/api/v1/projects/by_public/${encodeURIComponent(
+      projectKey,
+    )}/api_endpoint_list`;
+const screenListUrl = isNumericProjectKey
+  ? `${baseUrl.replace(/\/$/, "")}/api/v1/projects/${encodeURIComponent(
+      projectKey,
+    )}/screen_list`
+  : `${baseUrl.replace(/\/$/, "")}/api/v1/projects/by_public/${encodeURIComponent(
+      projectKey,
+    )}/screen_list`;
 let apiEndpointCandidatesCached = [];
+let screenCandidatesCached = [];
+const toScreenName = (item) =>
+  typeof item === "object" && item !== null ? item.name || JSON.stringify(item) : String(item);
+let apiEndpointFetchStatus = "unknown";
+let apiEndpointFetchDetail = "";
+let screenListFetchStatus = "unknown";
+let screenListFetchDetail = "";
 
 if (!sessionId || !projectKey) {
-  log("Missing required args: --session-id and --project-key");
+  log("Missing required args: --session-id and --project-key", "error");
   process.exit(1);
 }
 
-const wsUrl = buildWsUrl(baseUrl, sessionId, projectKey, token);
+const requestedLogLevel = String(
+  args["log-level"] || args["loglevel"] || "",
+).toLowerCase();
+if (requestedLogLevel in LOG_LEVELS) {
+  currentLogLevel = LOG_LEVELS[requestedLogLevel];
+}
+if (args["quiet"] === "true") {
+  currentLogLevel = -1;
+}
+// --mode security はデフォルトで info レベル以上を表示
+if (runMode === "security" && !requestedLogLevel && args["quiet"] !== "true") {
+  currentLogLevel = LOG_LEVELS.info;
+}
+
+const MODE_FLOW_IDS = { security: "security_check" };
+const resolvedFlowId = args["flow-id"] || MODE_FLOW_IDS[runMode] || null;
+const wsUrl = buildWsUrl(baseUrl, sessionId, projectKey, token, resolvedFlowId);
 let socket = null;
 let isOpen = false;
 const queue = [];
+const logBuffer = [];
+let logFlushTimer = null;
 let retryCount = 0;
 let lastErrorMessage = "";
 let apiCheckInFlight = false;
@@ -354,22 +422,67 @@ const isSocketOpen = () => {
   return isOpen;
 };
 
+const CONNECT_TIMEOUT_MS = 10000;
+
 const connect = () => {
   retryCount += 1;
-  log(`connecting (#${retryCount})...`);
+  const attempt = retryCount;
+  log(`connecting to ${wsUrl} (#${attempt})...`, "warn");
   try {
-    socket = new WebSocket(wsUrl);
+    const wsOptions = wsUrl.startsWith("wss://")
+      ? { rejectUnauthorized: false }
+      : undefined;
+    socket = new WebSocket(wsUrl, wsOptions);
   } catch (error) {
     lastErrorMessage = String(error);
-    log(`connect failed: ${lastErrorMessage}`);
+    log(`connect failed: ${lastErrorMessage}`, "error");
     setTimeout(connect, retryWaitMs);
     return;
   }
 
+  // 接続タイムアウト検知
+  const connectTimer = setTimeout(() => {
+    if (socket && !isOpen) {
+      log(`connection timeout (${CONNECT_TIMEOUT_MS}ms). 接続先を確認してください: ${wsUrl}`, "error");
+      try { socket.close(); } catch (_e) { /* ignore */ }
+    }
+  }, CONNECT_TIMEOUT_MS);
+
   attachHandler(socket, "open", () => {
+    clearTimeout(connectTimer);
     isOpen = true;
     retryCount = 0;
-    log(`connected: ${wsUrl}`);
+    log(`connected: ${wsUrl}`, "warn");
+
+    // --mode security: run security check only, then exit
+    if (runMode === "security") {
+      void (async () => {
+        try {
+          const result = await triggerSecurityCheck("mode:security");
+          flushLogBuffer();
+          // Send done summary as code-analysis done for backend pipeline
+          sendCodeAnalysisLine(`done ${JSON.stringify({
+            api_missing_count: 0, api_missing_items: [],
+            api_implemented_count: 0, api_implemented_items: [],
+            screen_missing_count: 0, screen_missing_items: [],
+            screen_implemented_count: 0, screen_implemented_items: [],
+            ...result,
+          })}`);
+          flushLogBuffer();
+          // Give time for send to complete
+          setTimeout(() => {
+            log("security mode complete, exiting.", "warn");
+            if (socket) socket.close();
+            process.exit(0);
+          }, 500);
+        } catch (error) {
+          log(`security mode error: ${error}`, "error");
+          process.exit(1);
+        }
+      })();
+      return;
+    }
+
     if (sendProjectTree) {
       emitProjectTree();
     }
@@ -384,6 +497,14 @@ const connect = () => {
         }
       })();
     }
+    if (enableScreenCheck) {
+      void (async () => {
+        if (!screenCandidatesCached.length) {
+          await fetchScreenList();
+        }
+        logScreenCheckStatus();
+      })();
+    }
     while (queue.length) {
       const payload = queue.shift();
       if (!isSocketOpen()) {
@@ -418,10 +539,18 @@ const connect = () => {
     }
     if (!payload || typeof payload !== "object") return;
     if (payload.type !== "control") return;
+    log(`[control] received action=${payload.action}`, "info");
     if (payload.action === "api_check") {
+      log("[control] triggering api_check", "info");
       void triggerApiCheck("control");
       return;
     }
+    if (payload.action === "code_analysis") {
+      const role = payload.role || null;
+      log(`[control] triggering code_analysis role=${role}`, "info");
+      void triggerCodeAnalysis("control", role);
+      return;
+    }
     if (payload.action === "screen_check") {
       if (enableScreenCheck) {
         void triggerScreenCheck("control");
@@ -429,9 +558,14 @@ const connect = () => {
         sendScreenCheckLine("screen check disabled; skipping.");
       }
     }
+    if (payload.action === "security_check") {
+      log("[control] triggering security_check", "info");
+      void triggerSecurityCheck("control");
+    }
   });
 
   attachHandler(socket, "close", (event) => {
+    clearTimeout(connectTimer);
     isOpen = false;
     const code =
       event && typeof event === "object" && "code" in event ? event.code : null;
@@ -439,13 +573,23 @@ const connect = () => {
       event && typeof event === "object" && "reason" in event
         ? event.reason
         : "";
-    const detail = [code ? `code=${code}` : null, reason || null]
+    const reasonStr = reason ? String(reason) : "";
+    const detail = [code ? `code=${code}` : null, reasonStr || null]
       .filter(Boolean)
       .join(" ");
+    if (code === 1008) {
+      const hint = reasonStr === "project_key_mismatch"
+        ? "同じ session_id で別の project_key が既に登録されています。バックエンドサーバーを再起動してください。"
+        : reasonStr
+          ? `サーバーが接続を拒否しました: ${reasonStr}`
+          : "サーバーが接続を拒否しました (code=1008)。session_id / project_key を確認してください。";
+      log(`error: ${hint}`, "error");
+    }
     log(
       `disconnected; retrying in ${retryWaitMs}ms${
         detail ? ` (${detail})` : ""
       }`,
+      "warn",
     );
     setTimeout(connect, retryWaitMs);
   });
@@ -456,8 +600,33 @@ const connect = () => {
         ? error.message
         : String(error);
     lastErrorMessage = message;
-    log(`error: ${message}`);
+    log(`error: ${message}`, "warn");
+    if (error && error.code) {
+      log(`  code: ${error.code}`, "warn");
+    }
+    if (error && error.errno) {
+      log(`  errno: ${error.errno}`, "warn");
+    }
   });
+
+  // ws library emits 'unexpected-response' when server returns non-101 (e.g. 403)
+  if (typeof socket.on === "function") {
+    socket.on("unexpected-response", (req, res) => {
+      const status = res.statusCode;
+      let body = "";
+      res.on("data", (chunk) => { body += chunk.toString(); });
+      res.on("end", () => {
+        log(`server rejected WebSocket upgrade: HTTP ${status}`, "error");
+        if (body) {
+          log(`  response body: ${body.slice(0, 500)}`, "error");
+        }
+        const headers = res.headers || {};
+        if (Object.keys(headers).length) {
+          log(`  response headers: ${JSON.stringify(headers)}`, "error");
+        }
+      });
+    });
+  }
 };
 
 connect();
@@ -480,45 +649,96 @@ const enqueueOrSend = (payload) => {
   queue.push(payload);
 };
 
-const sendLogLine = (line) => {
+const flushLogBuffer = () => {
+  if (logFlushTimer) {
+    clearTimeout(logFlushTimer);
+    logFlushTimer = null;
+  }
+  if (!logBuffer.length) return;
+  const lines = logBuffer.splice(0, logBuffer.length);
   const payload = JSON.stringify({
     type: "log",
-    content: line,
+    content: lines.join("\n"),
     timestamp: new Date().toISOString(),
   });
   enqueueOrSend(payload);
 };
 
+const enqueueLogLine = (line) => {
+  if (!line) return;
+  logBuffer.push(line);
+  if (logBatchMs === 0 || logBuffer.length >= logBatchMaxLines) {
+    flushLogBuffer();
+    return;
+  }
+  if (!logFlushTimer) {
+    logFlushTimer = setTimeout(flushLogBuffer, logBatchMs);
+  }
+};
+
+const sendLogLine = (line) => {
+  enqueueLogLine(line);
+};
+
 const sendApiCheckLine = (line) => {
   const tagged = `[api-check] ${line}`;
-  log(tagged);
+  log(tagged, "debug");
+  sendLogLine(tagged);
+};
+
+const sendCodeAnalysisLine = (line) => {
+  const tagged = `[code-analysis] ${line}`;
+  log(tagged, "info");
   sendLogLine(tagged);
 };
 
 const sendScreenCheckLine = (line) => {
   const tagged = `[screen-check] ${line}`;
-  log(tagged);
+  log(tagged, "debug");
+  sendLogLine(tagged);
+};
+
+const sendSecurityCheckLine = (line) => {
+  const tagged = `[security-check] ${line}`;
+  log(tagged, "info");
   sendLogLine(tagged);
 };
 
 const logApiCheckStatus = () => {
   const maskedKey = openaiApiKey ? `${openaiApiKey.slice(0, 6)}...` : "";
+  const statusLabel =
+    apiEndpointFetchStatus === "error"
+      ? `NG(fetch_failed${apiEndpointFetchDetail ? `: ${apiEndpointFetchDetail}` : ""})`
+      : apiEndpointFetchStatus === "ok_empty"
+        ? "NG(empty)"
+        : apiEndpointCandidatesCached.length
+          ? "OK"
+          : "NG(unknown)";
   sendApiCheckLine(
-    `必須チェック: api_endpoint_list=${
-      apiEndpointCandidatesCached.length ? "OK" : "NG"
-    } openai_api_key=${openaiApiKey ? "OK" : "NG"} ${
+    `必須チェック: api_endpoint_list=${statusLabel} openai_api_key=${
+      openaiApiKey ? "OK" : "NG"
+    } ${
       maskedKey ? `(${maskedKey})` : ""
     } openai_model=${openaiModel ? "OK" : "NG"}`,
   );
 };
 
+const logScreenCheckStatus = () => {
+  const statusLabel =
+    screenListFetchStatus === "error"
+      ? `NG(fetch_failed${screenListFetchDetail ? `: ${screenListFetchDetail}` : ""})`
+      : screenListFetchStatus === "ok_empty"
+        ? "NG(empty)"
+        : screenCandidatesCached.length
+          ? "OK"
+          : "NG(unknown)";
+  sendScreenCheckLine(
+    `必須チェック: screen_list=${statusLabel}`,
+  );
+};
+
 const handleLine = (line) => {
-  const payload = JSON.stringify({
-    type: "log",
-    content: line,
-    timestamp: new Date().toISOString(),
-  });
-  enqueueOrSend(payload);
+  sendLogLine(line);
   if (isErrorLine(line)) {
     const alertPayload = JSON.stringify({
       type: "alert",
@@ -538,11 +758,21 @@ const emitProjectTree = () => {
     projectTreeMaxBytes,
   );
   lines.forEach((line) => {
-    log(line);
+    log(line, "debug");
     sendLogLine(line);
   });
 };
 
+process.on("SIGINT", () => {
+  flushLogBuffer();
+  process.exit(0);
+});
+
+process.on("SIGTERM", () => {
+  flushLogBuffer();
+  process.exit(0);
+});
+
 const buildApiCheckPrompt = (endpoints, treeLines) => {
   return [
     "You are a senior backend engineer. Determine which API endpoints are NOT implemented in the codebase.",
@@ -569,19 +799,25 @@ const collectTreeForApiCheck = () => {
 };
 
 const runApiCheck = async () => {
-  if (!enableApiCheck) return;
-  if (!apiEndpointCandidatesCached.length) return;
+  const allMissingResult = () => {
+    const items = apiEndpointCandidatesCached.map(String);
+    return { api_missing_count: items.length, api_missing_items: items, api_implemented_count: 0, api_implemented_items: [] };
+  };
+  if (!enableApiCheck) return allMissingResult();
+  if (!apiEndpointCandidatesCached.length) {
+    return { api_missing_count: 0, api_missing_items: [], api_implemented_count: 0, api_implemented_items: [] };
+  }
   if (!openaiApiKey) {
-    sendApiCheckLine("OPENAI_API_KEY is not set; skipping API check.");
-    return;
+    sendApiCheckLine("OPENAI_API_KEY is not set; すべて未実装として扱います。");
+    return allMissingResult();
   }
   if (!openaiModel) {
-    sendApiCheckLine("OPENAI_MODEL is not set; skipping API check.");
-    return;
+    sendApiCheckLine("OPENAI_MODEL is not set; すべて未実装として扱います。");
+    return allMissingResult();
   }
   if (typeof fetch !== "function") {
-    sendApiCheckLine("fetch is not available in this runtime; skipping API check.");
-    return;
+    sendApiCheckLine("fetch is not available in this runtime; すべて未実装として扱います。");
+    return allMissingResult();
   }
   const treeLines = collectTreeForApiCheck();
   const prompt = buildApiCheckPrompt(apiEndpointCandidatesCached, treeLines);
@@ -609,7 +845,7 @@ const runApiCheck = async () => {
     });
   } catch (error) {
     sendApiCheckLine(`OpenAI request failed: ${error}`);
-    return;
+    return allMissingResult();
   }
   if (!response.ok) {
     const text = await response.text();
@@ -617,19 +853,19 @@ const runApiCheck = async () => {
       `OpenAI request failed: ${response.status} ${response.statusText}`,
     );
     sendApiCheckLine(text.slice(0, 1000));
-    return;
+    return allMissingResult();
   }
   let data = null;
   try {
     data = await response.json();
   } catch (error) {
     sendApiCheckLine(`OpenAI response parse failed: ${error}`);
-    return;
+    return allMissingResult();
   }
   const content = data?.choices?.[0]?.message?.content?.trim();
   if (!content) {
     sendApiCheckLine("OpenAI response was empty.");
-    return;
+    return allMissingResult();
   }
   try {
     const parsed = JSON.parse(content);
@@ -641,38 +877,68 @@ const runApiCheck = async () => {
     sendApiCheckLine(
       `missing=${missing.length} unknown=${unknown.length} implemented=${implemented.length}`,
     );
+    const missingItems = [];
     missing.forEach((item) => {
       if (item && typeof item === "object") {
+        const label = item.endpoint || "";
+        missingItems.push(label);
         sendApiCheckLine(
-          `missing: ${item.endpoint || ""} (${item.reason || "no reason"})`,
+          `missing: ${label} (${item.reason || "no reason"})`,
         );
       } else {
+        missingItems.push(String(item));
         sendApiCheckLine(`missing: ${String(item)}`);
       }
     });
+    const implementedItems = [];
     unknown.forEach((item) => sendApiCheckLine(`unknown: ${String(item)}`));
-    implemented.forEach((item) =>
-      sendApiCheckLine(`implemented: ${String(item)}`),
-    );
+    implemented.forEach((item) => {
+      implementedItems.push(String(item));
+      sendApiCheckLine(`implemented: ${String(item)}`);
+    });
+    return {
+      api_missing_count: missing.length,
+      api_missing_items: missingItems,
+      api_implemented_count: implemented.length,
+      api_implemented_items: implementedItems,
+    };
   } catch (error) {
     sendApiCheckLine("OpenAI output was not valid JSON. Raw output:");
     sendApiCheckLine(content.slice(0, 2000));
+    return allMissingResult();
   }
 };
 
 const screenCheckUrl = `${normalizeBaseHttpUrl(baseUrl)}/api/v1/project_snapshot/check`;
 
 const runScreenCheck = async () => {
+  const allMissingResult = () => {
+    const items = screenCandidatesCached.map(toScreenName);
+    return { screen_missing_count: items.length, screen_missing_items: items, screen_implemented_count: 0, screen_implemented_items: [] };
+  };
   if (!projectKey) {
-    sendScreenCheckLine("project_key is missing; skipping screen check.");
-    return;
+    sendScreenCheckLine("project_key is missing; すべて未実装として扱います。");
+    return allMissingResult();
   }
   if (typeof fetch !== "function") {
-    sendScreenCheckLine("fetch is not available in this runtime; skipping screen check.");
-    return;
+    sendScreenCheckLine("fetch is not available in this runtime; すべて未実装として扱います。");
+    return allMissingResult();
   }
-  const paths = collectSnapshotPaths(projectRoot, DEFAULT_SNAPSHOT_EXCLUDES);
+  const paths = collectSnapshotPaths(projectRoot, DEFAULT_SNAPSHOT_EXCLUDES).filter(
+    (item) => item.startsWith("frontend/"),
+  );
   const limitedPaths = paths.slice(0, projectTreeMaxFiles);
+  if (!limitedPaths.length) {
+    sendScreenCheckLine("frontend/ 配下のファイルが見つからないため、すべて未実装として扱います。");
+    const allMissing = screenCandidatesCached.map(toScreenName);
+    allMissing.forEach((item) => sendScreenCheckLine(`missing: ${item}`));
+    return {
+      screen_missing_count: allMissing.length,
+      screen_missing_items: allMissing,
+      screen_implemented_count: 0,
+      screen_implemented_items: [],
+    };
+  }
   const payload = {
     projectPublicId: projectKey,
     paths: limitedPaths,
@@ -686,7 +952,7 @@ const runScreenCheck = async () => {
     });
   } catch (error) {
     sendScreenCheckLine(`screen check request failed: ${error}`);
-    return;
+    return allMissingResult();
   }
   if (!response.ok) {
     const text = await response.text();
@@ -694,19 +960,24 @@ const runScreenCheck = async () => {
       `screen check failed: ${response.status} ${response.statusText}`,
     );
     sendScreenCheckLine(text.slice(0, 1000));
-    return;
+    return allMissingResult();
   }
   let data = null;
   try {
     data = await response.json();
   } catch (error) {
     sendScreenCheckLine(`screen check response parse failed: ${error}`);
-    return;
+    return allMissingResult();
   }
-  const expected = Array.isArray(data?.expectedScreens) ? data.expectedScreens : [];
-  const missing = Array.isArray(data?.check?.missingScreens)
+  const expected = screenCandidatesCached.length
+    ? screenCandidatesCached.map(toScreenName)
+    : (Array.isArray(data?.expectedScreens) ? data.expectedScreens : []);
+  const rawMissing = Array.isArray(data?.check?.missingScreens)
     ? data.check.missingScreens
     : [];
+  // expected をキャッシュに揃えたので、missing も expected に含まれるもののみに絞る
+  const expectedSet = new Set(expected.map(String));
+  const missing = rawMissing.filter((item) => expectedSet.has(String(item)));
   const implemented = expected.filter((item) => !missing.includes(item));
   sendScreenCheckLine(
     `missing_screens=${missing.length} expected=${expected.length} implemented=${implemented.length}`,
@@ -718,10 +989,17 @@ const runScreenCheck = async () => {
   if (data?.check?.notes) {
     sendScreenCheckLine(`note: ${String(data.check.notes)}`);
   }
+  return {
+    screen_missing_count: missing.length,
+    screen_missing_items: missing.map(String),
+    screen_implemented_count: implemented.length,
+    screen_implemented_items: implemented.map(String),
+  };
 };
 
 const triggerApiCheck = async (reason) => {
-  if (apiCheckInFlight) return;
+  const emptyResult = { api_missing_count: 0, api_missing_items: [], api_implemented_count: 0, api_implemented_items: [] };
+  if (apiCheckInFlight) return emptyResult;
   apiCheckInFlight = true;
   try {
     sendApiCheckLine(`api-check start (${reason})`);
@@ -731,27 +1009,292 @@ const triggerApiCheck = async (reason) => {
     logApiCheckStatus();
     if (!apiEndpointCandidatesCached.length) {
       sendApiCheckLine("api_endpoint_list is empty; skipping api-check.");
-      return;
+      return emptyResult;
     }
-    await runApiCheck();
+    return await runApiCheck();
   } finally {
     apiCheckInFlight = false;
   }
 };
 
 const triggerScreenCheck = async (reason) => {
+  const emptyResult = { screen_missing_count: 0, screen_missing_items: [], screen_implemented_count: 0, screen_implemented_items: [] };
   try {
     sendScreenCheckLine(`screen-check start (${reason})`);
-    await runScreenCheck();
+    if (!screenCandidatesCached.length) {
+      await fetchScreenList();
+    }
+    logScreenCheckStatus();
+    if (!screenCandidatesCached.length) {
+      sendScreenCheckLine("screen_list is empty; skipping screen-check.");
+      return emptyResult;
+    }
+    return await runScreenCheck();
   } catch (error) {
     sendScreenCheckLine(`screen-check failed: ${error}`);
+    return emptyResult;
   }
 };
 
+// ---------------------------------------------------------------------------
+// Security Check (static regex-based)
+// ---------------------------------------------------------------------------
+
+const SECURITY_RULES = [
+  {
+    id: "raw_sql",
+    label: "SQLインジェクション",
+    pattern: /(?:execute\s*\(\s*f["']|\.raw\s*\(|cursor\.execute\s*\(\s*f["'])/,
+    extensions: new Set([".py", ".js", ".ts"]),
+  },
+  {
+    id: "xss",
+    label: "XSS",
+    pattern: /(?:dangerouslySetInnerHTML|v-html)/,
+    extensions: new Set([".js", ".jsx", ".ts", ".tsx", ".vue"]),
+  },
+  {
+    id: "hardcoded_secrets",
+    label: "秘密情報ハードコード",
+    pattern: /(?:api_key|apikey|secret_key|password|aws_secret)\s*=\s*["'][^"']{4,}["']/i,
+    extensions: new Set([".py", ".js", ".ts", ".env", ".yaml", ".yml", ".json"]),
+  },
+  {
+    id: "stack_trace_leak",
+    label: "スタックトレース漏洩",
+    pattern: /(?:traceback\.format_exc|import\s+traceback)/,
+    extensions: new Set([".py"]),
+  },
+  {
+    id: "log_secrets",
+    label: "ログ秘密情報",
+    pattern: /(?:logger\.\w+.*(?:password|token|secret)|print\s*\(.*(?:password|token|secret))/i,
+    extensions: new Set([".py", ".js", ".ts"]),
+  },
+  {
+    id: "cors_wildcard",
+    label: "CORSワイルドカード",
+    pattern: /allow_origins\s*=\s*\[\s*["']\*["']\s*\]/,
+    extensions: new Set([".py"]),
+  },
+];
+
+const SECURITY_EXTENSIONS = new Set([".py", ".js", ".jsx", ".ts", ".tsx", ".vue", ".yaml", ".yml", ".json"]);
+
+const collectSecurityTargetPaths = (rootDir, excludes) => {
+  const results = [];
+  const queue = [rootDir];
+  while (queue.length) {
+    const current = queue.pop();
+    if (!current) continue;
+    let entries = [];
+    try {
+      entries = fs.readdirSync(current, { withFileTypes: true });
+    } catch (error) {
+      continue;
+    }
+    for (const entry of entries) {
+      const fullPath = path.join(current, entry.name);
+      const relPath = path.relative(rootDir, fullPath).replace(/\\/g, "/");
+      if (isExcludedPath(relPath, entry.name, excludes)) continue;
+      if (entry.isSymbolicLink && entry.isSymbolicLink()) continue;
+      if (entry.isDirectory()) {
+        queue.push(fullPath);
+        continue;
+      }
+      if (entry.isFile()) {
+        const ext = path.extname(entry.name).toLowerCase();
+        if (SECURITY_EXTENSIONS.has(ext)) {
+          results.push({ relPath, fullPath, ext });
+        }
+      }
+    }
+  }
+  return results;
+};
+
+const SECURITY_CHECK_STEP_DELAY_MS = 400;
+const SECURITY_DETAIL_MAX_MATCHES = 5;
+
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+
+const collectRuleMatches = (rule, files) => {
+  const matches = [];
+  for (const file of files) {
+    if (!rule.extensions.has(file.ext)) continue;
+    let content = "";
+    try {
+      const buffer = fs.readFileSync(file.fullPath);
+      if (isBinaryBuffer(buffer)) continue;
+      content = buffer.toString("utf8");
+    } catch (error) {
+      continue;
+    }
+    const lines = content.split("\n");
+    const re = new RegExp(rule.pattern.source, rule.pattern.flags);
+    for (let i = 0; i < lines.length; i++) {
+      if (!re.test(lines[i])) continue;
+      const contextStart = Math.max(0, i - 3);
+      const contextEnd = Math.min(lines.length, i + 4);
+      matches.push({
+        file: file.relPath,
+        line: i + 1,
+        code: lines[i].trim(),
+        context: lines.slice(contextStart, contextEnd).join("\n"),
+      });
+      if (matches.length >= SECURITY_DETAIL_MAX_MATCHES) return matches;
+    }
+  }
+  return matches;
+};
+
+const runSecurityCheck = async () => {
+  const files = collectSecurityTargetPaths(projectRoot, DEFAULT_SNAPSHOT_EXCLUDES);
+  const issueMap = {};   // id -> count
+  const passedIds = [];
+  const issueDetails = []; // { id, label, count }
+  const total = SECURITY_RULES.length + 1; // +1 for .env check
+
+  // Check each rule
+  let ruleIndex = 0;
+  for (const rule of SECURITY_RULES) {
+    ruleIndex += 1;
+    // Collect detailed match info
+    const ruleMatches = collectRuleMatches(rule, files);
+    const hitCount = ruleMatches.length;
+    if (hitCount > 0) {
+      issueMap[rule.id] = hitCount;
+      issueDetails.push({ id: rule.id, label: rule.label, count: hitCount });
+      sendSecurityCheckLine(`progress ${ruleIndex}/${total} ${rule.id} issue ${hitCount}`);
+      // Send detail line with match locations
+      sendSecurityCheckLine(`detail ${JSON.stringify({ rule_id: rule.id, label: rule.label, matches: ruleMatches })}`);
+    } else {
+      passedIds.push(rule.id);
+      sendSecurityCheckLine(`progress ${ruleIndex}/${total} ${rule.id} passed`);
+    }
+    // 1項目ずつ送信してバルーン更新を可視化
+    flushLogBuffer();
+    await sleep(SECURITY_CHECK_STEP_DELAY_MS);
+  }
+
+  // Check .env in .gitignore
+  let envGitignored = false;
+  try {
+    const gitignore = fs.readFileSync(path.join(projectRoot, ".gitignore"), "utf8");
+    envGitignored = /^\.env$/m.test(gitignore);
+  } catch (error) {
+    // no .gitignore
+  }
+  if (!envGitignored) {
+    issueDetails.push({ id: "env_not_gitignored", label: ".env未gitignore", count: 1 });
+    issueMap["env_not_gitignored"] = 1;
+    sendSecurityCheckLine(`progress ${total}/${total} env_not_gitignored issue 1`);
+  } else {
+    passedIds.push("env_not_gitignored");
+    sendSecurityCheckLine(`progress ${total}/${total} env_not_gitignored passed`);
+  }
+  flushLogBuffer();
+
+  return {
+    security_issue_count: issueDetails.length,
+    security_issue_items: issueDetails.map((d) => `${d.id} (${d.count}箇所)`),
+    security_passed_count: passedIds.length,
+    security_passed_items: passedIds,
+  };
+};
+
+const triggerSecurityCheck = async (reason) => {
+  sendSecurityCheckLine(`security-check start (${reason})`);
+  flushLogBuffer();
+  const result = await runSecurityCheck();
+
+  // Emit detail lines
+  for (const item of result.security_issue_items) {
+    sendSecurityCheckLine(`issue: ${item}`);
+  }
+  for (const id of result.security_passed_items) {
+    sendSecurityCheckLine(`passed: ${id}`);
+  }
+  sendSecurityCheckLine(
+    `issues=${result.security_issue_count} passed=${result.security_passed_count}`,
+  );
+  return result;
+};
+
+const triggerCodeAnalysis = async (reason, role = null) => {
+  const runApi = !role || role === "api";
+  const runScreen = !role || role === "screen";
+
+  const steps = [];
+  if (runApi) {
+    const apiCount = apiEndpointCandidatesCached.length;
+    const apiSuffix = apiCount ? ` (対象: ${apiCount}件)` : "";
+    steps.push({ label: `API実装チェック中...${apiSuffix}`, fn: () => triggerApiCheck(`code-analysis:${reason}`) });
+  }
+  if (runScreen && enableScreenCheck) {
+    const screenCount = screenCandidatesCached.length;
+    const screenSuffix = screenCount ? ` (対象: ${screenCount}件)` : "";
+    steps.push({ label: `画面実装チェック中...${screenSuffix}`, fn: () => triggerScreenCheck(`code-analysis:${reason}`) });
+  }
+  // Security check is always included
+  steps.push({ label: "セキュリティチェック中...", fn: async () => triggerSecurityCheck(`code-analysis:${reason}`) });
+
+  const totalSteps = steps.length;
+  let currentStep = 0;
+
+  sendCodeAnalysisLine(`code-analysis start (${reason})`);
+
+  // 各ステップの結果を収集
+  const summary = {
+    api_missing_count: 0, api_missing_items: [], api_implemented_count: 0, api_implemented_items: [],
+    screen_missing_count: 0, screen_missing_items: [], screen_implemented_count: 0, screen_implemented_items: [],
+    security_issue_count: 0, security_issue_items: [], security_passed_count: 0, security_passed_items: [],
+  };
+
+  for (const step of steps) {
+    currentStep += 1;
+    sendCodeAnalysisLine(`[${currentStep}/${totalSteps}] ${step.label}`);
+    const result = await step.fn();
+    if (result) {
+      Object.assign(summary, result);
+    }
+  }
+
+  const apiExpected = apiEndpointCandidatesCached.map(String);
+  const screenExpected = screenCandidatesCached.map(toScreenName);
+  const apiResultEmpty =
+    summary.api_missing_count === 0 &&
+    summary.api_implemented_count === 0 &&
+    !summary.api_missing_items.length &&
+    !summary.api_implemented_items.length;
+  const screenResultEmpty =
+    summary.screen_missing_count === 0 &&
+    summary.screen_implemented_count === 0 &&
+    !summary.screen_missing_items.length &&
+    !summary.screen_implemented_items.length;
+
+  if (runApi && apiExpected.length && apiResultEmpty) {
+    summary.api_missing_count = apiExpected.length;
+    summary.api_missing_items = apiExpected;
+    summary.api_check_inferred = true;
+  }
+  if (runScreen && enableScreenCheck && screenExpected.length && screenResultEmpty) {
+    summary.screen_missing_count = screenExpected.length;
+    summary.screen_missing_items = screenExpected;
+    summary.screen_check_inferred = true;
+  }
+
+  // done 行にサマリー JSON を埋め込む（バックエンドが確実にパースできるように）
+  flushLogBuffer();
+  sendCodeAnalysisLine(`done ${JSON.stringify(summary)}`);
+};
+
 const fetchApiEndpointList = async () => {
   if (!apiEndpointUrl) return [];
   if (typeof fetch !== "function") {
     sendApiCheckLine("fetch is not available in this runtime; skipping fetch.");
+    apiEndpointFetchStatus = "error";
+    apiEndpointFetchDetail = "fetch_unavailable";
     return [];
   }
   try {
@@ -770,6 +1313,8 @@ const fetchApiEndpointList = async () => {
       sendApiCheckLine(
         `api_endpoint_list取得失敗: ${response.status} ${response.statusText} (${apiEndpointUrl})${detailSnippet}`,
       );
+      apiEndpointFetchStatus = "error";
+      apiEndpointFetchDetail = `${response.status}`;
       return [];
     }
     const data = await response.json();
@@ -777,17 +1322,90 @@ const fetchApiEndpointList = async () => {
       apiEndpointCandidatesCached = extractApiEndpointItems(
         data.api_endpoint_list,
       );
+      apiEndpointFetchStatus = apiEndpointCandidatesCached.length
+        ? "ok"
+        : "ok_empty";
+      apiEndpointFetchDetail = "";
       return apiEndpointCandidatesCached;
     }
     if (Array.isArray(data?.endpoints)) {
       apiEndpointCandidatesCached = extractApiEndpointItems(
         JSON.stringify({ endpoints: data.endpoints }),
       );
+      apiEndpointFetchStatus = apiEndpointCandidatesCached.length
+        ? "ok"
+        : "ok_empty";
+      apiEndpointFetchDetail = "";
       return apiEndpointCandidatesCached;
     }
+    apiEndpointFetchStatus = "ok_empty";
+    apiEndpointFetchDetail = "";
     return [];
   } catch (error) {
     sendApiCheckLine(`api_endpoint_list fetch error: ${error}`);
+    apiEndpointFetchStatus = "error";
+    apiEndpointFetchDetail = "exception";
+    return [];
+  }
+};
+
+const fetchScreenList = async () => {
+  if (!screenListUrl) return [];
+  if (typeof fetch !== "function") {
+    sendScreenCheckLine("fetch is not available in this runtime; skipping fetch.");
+    screenListFetchStatus = "error";
+    screenListFetchDetail = "fetch_unavailable";
+    return [];
+  }
+  try {
+    const response = await fetch(screenListUrl, {
+      method: "GET",
+      headers: { "Content-Type": "application/json" },
+    });
+    if (!response.ok) {
+      let detail = "";
+      try {
+        detail = await response.text();
+      } catch (error) {
+        detail = "";
+      }
+      const detailSnippet = detail ? ` detail=${detail.slice(0, 200)}` : "";
+      sendScreenCheckLine(
+        `screen_list取得失敗: ${response.status} ${response.statusText} (${screenListUrl})${detailSnippet}`,
+      );
+      screenListFetchStatus = "error";
+      screenListFetchDetail = `${response.status}`;
+      return [];
+    }
+    const data = await response.json();
+    if (data?.screen_list) {
+      const raw = Array.isArray(data?.screens) ? data.screens : [];
+      screenCandidatesCached = raw.map((item) =>
+        typeof item === "object" && item !== null ? item.name || String(item) : String(item)
+      );
+      screenListFetchStatus = screenCandidatesCached.length
+        ? "ok"
+        : "ok_empty";
+      screenListFetchDetail = "";
+      return screenCandidatesCached;
+    }
+    if (Array.isArray(data?.screens)) {
+      screenCandidatesCached = data.screens.map((item) =>
+        typeof item === "object" && item !== null ? item.name || String(item) : String(item)
+      );
+      screenListFetchStatus = screenCandidatesCached.length
+        ? "ok"
+        : "ok_empty";
+      screenListFetchDetail = "";
+      return screenCandidatesCached;
+    }
+    screenListFetchStatus = "ok_empty";
+    screenListFetchDetail = "";
+    return [];
+  } catch (error) {
+    sendScreenCheckLine(`screen_list fetch error: ${error}`);
+    screenListFetchStatus = "error";
+    screenListFetchDetail = "exception";
     return [];
   }
 };
@@ -802,7 +1420,7 @@ const startFileTailer = (targetPath) => {
       fileOffset = stats.size;
       return true;
     } catch (error) {
-      log(`log-path not found: ${targetPath} (retrying...)`);
+      log(`log-path not found: ${targetPath} (retrying...)`, "warn");
       return false;
     }
   };
@@ -821,7 +1439,7 @@ const startFileTailer = (targetPath) => {
   const readNewData = () => {
     fs.stat(targetPath, (error, stats) => {
       if (error) {
-        log(`log-path read error: ${error.message || String(error)}`);
+        log(`log-path read error: ${error.message || String(error)}`, "warn");
         return;
       }
       if (stats.size < fileOffset) {
@@ -844,6 +1462,7 @@ const startFileTailer = (targetPath) => {
           `log-path stream error: ${
             streamError.message || String(streamError)
           }`,
+          "warn",
         );
       });
     });
@@ -857,7 +1476,7 @@ const startFileTailer = (targetPath) => {
         }
       });
     } catch (error) {
-      log(`log-path watch error: ${error.message || String(error)}`);
+      log(`log-path watch error: ${error.message || String(error)}`, "warn");
     }
   };
 
@@ -874,21 +1493,23 @@ const startFileTailer = (targetPath) => {
   startWatcher();
 };
 
-if (logPath) {
-  startFileTailer(logPath);
-} else {
-  const rl = readline.createInterface({
-    input: process.stdin,
-    crlfDelay: Infinity,
-  });
+if (runMode !== "security") {
+  if (logPath) {
+    startFileTailer(logPath);
+  } else {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      crlfDelay: Infinity,
+    });
 
-  rl.on("line", (line) => {
-    handleLine(line);
-  });
+    rl.on("line", (line) => {
+      handleLine(line);
+    });
 
-  rl.on("close", () => {
-    if (socket) {
-      socket.close();
-    }
-  });
+    rl.on("close", () => {
+      if (socket) {
+        socket.close();
+      }
+    });
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coderail-watch",
-  "version": "0.1.8",
+  "version": "0.1.12",
   "description": "Stream terminal output to CodeRail backend over WebSocket.",
   "bin": {
     "coderail-watch": "bin/coderail-watch.js"