feat: add plugin check command (Experimental)

[tasshi-me]

Why

When developing kintone plugins, using internal APIs or internal CSS class names creates a risk that the plugin will break in future kintone updates. However, there was no mechanism to detect these usages beforehand.

We need a tool that can automatically detect potential issues so plugin developers can write safer code.

What

Added a plugin check command to check kintone plugin code for potential issues.

⚠️ Note: This is an experimental feature under early development. The command behavior, options, and check rules may change in future releases.

This command inspects JavaScript files in plugins using the following custom ESLint rules:

Check Rules

1. no-cybozu-data (Doc) :

   • Detects access to the internal API cybozu.data
   • Covers patterns like cybozu.data, cybozu["data"], cybozu?.data, etc.

2. no-kintone-internal-selector (Doc) :

   • Detects usage of internal CSS class names
   • Detects the following patterns:
     • gaia-argoui-* (e.g., gaia-argoui-button)
     • *-gaia (e.g., button-gaia)
     • ocean-* (e.g., ocean-ui-button)
     • kintone-* (e.g., kintone-dialog)
   • Detects not only DOM API calls (querySelector, querySelectorAll, closest, getElementsByClassName, matches) but also class names in string literals (e.g., jQuery)

Features

• Accepts plugin zip files or manifest.json files as input
• Supports plain (default) and json output formats

How to test

Basic functionality

# Build the project
pnpm build

# Check a plugin zip file
./bin/cli-kintone.js plugin check --input ./path/to/plugin.zip

# Check by specifying manifest.json
./bin/cli-kintone.js plugin check --input ./path/to/manifest.json

# Output in JSON format
./bin/cli-kintone.js plugin check --input ./plugin.zip --format json

Run test cases

# Run unit tests
pnpm test

# Check ESLint rule tests
pnpm test src/plugin/check/rules/__tests__/

Sample code for detection verification

You can test with a plugin containing code like:

// cybozu.data usage (should be detected)
console.log(cybozu.data);
const data = cybozu.data;

// Internal class name usage (should be detected)
document.querySelector(".gaia-argoui-button");
document.querySelectorAll(".ocean-ui-dialog");
element.closest(".kintone-dialog");
$(".button-gaia").click();

Checklist

• Read CONTRIBUTING.md
• Updated documentation if it is required.
• Added/updated tests if it is required. (or tested manually)
• Passed pnpm lint and pnpm test on the root directory.

[tasshi-me]

cli-kintoneのローカルルールとして作っていたルールをjs-sdkのeslint-pluginに移動した。
kintone/js-sdk#3616

そのため、このローカルルールを削除して、@kintone/eslint-pluginを使うようにする。

[tasshi-me]

eslint-pluginのrecommendedを設定すればOK。
（eslint-plugin側がリリースされるまでCIが落ちるかも）

[tasshi-me]

ここのルール説明はeslint-pluginへのリンクにする

[Copilot]

Pull request overview

Adds an experimental plugin check subcommand to help plugin developers detect usage of kintone internal/unsupported APIs and internal CSS selectors before release.

Changes:

• Introduces plugin check command wiring in the CLI and a new implementation that runs custom ESLint rules against plugin JS sources.
• Updates packaging/dependencies so ESLint and @kintone/eslint-plugin are available for the npm-distributed CLI while excluded from the SEA binary.
• Adds (unlisted) documentation and E2E scaffolding/assets for the new command.

Reviewed changes

Copilot reviewed 14 out of 16 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
website/docs/guide/commands/plugin-check.md	New English docs page for plugin check usage/options/output.
website/i18n/ja/docusaurus-plugin-content-docs/current/guide/commands/plugin-check.md	New Japanese docs page for plugin check.
src/plugin/core/plugin/index.ts	Exposes contentsZip() so other features can read plugin contents from a zip.
src/plugin/check/index.ts	New implementation that dynamically imports ESLint + runs checks, supports plain/json output.
src/cli/plugin/index.ts	Registers the new plugin check subcommand under plugin.
src/cli/plugin/check.ts	New yargs command module for plugin check (experimental).
package.json	Excludes ESLint from ncc bundle; adds runtime deps for plugin check.
pnpm-workspace.yaml	Excludes @kintone/eslint-plugin from minimum release age.
pnpm-lock.yaml	Lockfile updates for added dependencies.
license-manager.config.js	Adds license overrides for newly introduced transitive deps.
cucumber.js	Skips @skip scenarios by default.
features/plugin/check.feature	Adds E2E scenarios for plugin check (real linting scenarios are @skip).
features/step_definitions/file.ts	Adds fixture mapping for plugin_with_issues.
features/assets/plugin_with_issues/**	Adds fixture plugin project used by E2E tests.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The docs’ sample output uses the rule id local/no-cybozu-data, but the implementation enables @kintone/eslint-plugin/no-cybozu-data / @kintone/eslint-plugin/no-kintone-internal-selector, so the reported ruleId will include the plugin name (e.g. @kintone/eslint-plugin/no-cybozu-data). Please update the sample outputs to match the actual ruleId values (both in the Plain and JSON examples).

[Copilot]

The JSON output example documents messages entries as a reduced shape (ruleId/severity/message/line/column), but the code currently serializes ESLint’s full message objects. Either normalize the JSON output to the documented shape, or adjust the docs to clarify that the output is raw ESLint messages (and may include additional fields).

[Copilot]

Minor grammar: “Default to plain.” should be “Defaults to plain.” (or “Default: plain.”) to match the style used elsewhere in the docs.

Suggested change

	| `--format` | | Output format.<br/>Format: `plain` or `json`.<br/>Default to `plain`. |
	| `--format` | | Output format.<br/>Format: `plain` or `json`.<br/>Defaults to `plain`.|

[Copilot]

サンプル出力のルールIDが local/no-cybozu-data になっていますが、実装では @kintone/eslint-plugin/no-cybozu-data / @kintone/eslint-plugin/no-kintone-internal-selector を有効化しているため、出力される ruleId もそれに合わせた値になります。Plain/JSON両方の例を実際の ruleId に合わせて更新してください。

[Copilot]

OutputFormat is imported from ../../plugin/info, but this command calls ../../plugin/check and that module already defines its own OutputFormat. Importing the type from plugin/info introduces unnecessary coupling and could become incorrect if the formats diverge; please import OutputFormat from ../../plugin/check (or define a local union here).

[Copilot]

JSONフォーマット例では messages を最小限のフィールドだけに絞った形で記載していますが、現状の実装は ESLint の message オブジェクトをそのまま JSON 化するため、追加フィールド（endLine 等）が含まれます。出力を例の形に正規化するか、ドキュメント側で「ESLintの生メッセージを出力する」旨を明記してください。

[Copilot]

eslint is now listed in both devDependencies and dependencies (with different ranges). This can lead to duplicate installs and version skew between development and runtime. Since plugin check needs ESLint at runtime, consider keeping a single entry (typically in dependencies) and aligning/removing the devDependency version.

[Copilot]

normalizeResults silently drops ESLint messages that indicate a rule is missing (“Definition for rule ... was not found.”). This can hide misconfiguration (e.g., the recommended config enabling rules whose plugins aren’t installed) and give users a false sense that checks are complete. Consider surfacing these as errors/warnings in the output (or fail fast) so users know the check setup is incomplete.

Suggested change

	if (m.message.match(/Definition for rule '.+' was not found./)) {
	continue;
	}

[Copilot]

There’s no non-skipped automated coverage for the new plugin check behavior (the E2E scenarios that validate real linting are tagged @skip). Please add a Vitest test that runs the command/module in “npm mode” against a small fixture plugin and asserts the plain/json outputs (and counts) so regressions in rule wiring/output formatting are caught in CI.