contentstack · cs-raj · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
@@ -18,19 +18,65 @@ description: >-
 
 Provide consistent **security**, **correctness**, and **maintainability** review for this repository. The plugin handles stack API keys in error messages, opens **HTML** diffs in a browser, and writes **diagram** files via Graphviz.
 
+Use **Critical** / **Important** / **Suggestion** when leaving feedback.
+
 ### Highlights
 
 - **Secrets**: Never approve logging of tokens, `authtoken` / `authorization` values, or raw management tokens.
 - **Compare / diagram**: Changes to [src/core/content-type/compare.ts](../../src/core/content-type/compare.ts) or [diagram.ts](../../src/core/content-type/diagram.ts) deserve extra scrutiny (temp files, browser open, paths, binary dependency).
 - **Dependencies**: axios, diff2html, git-diff, node-graphviz, tmp, cli-ux—review changelog and supply-chain for version bumps.
 - **Quality**: TypeScript and **eslint-config-oclif-typescript** ([.eslintrc](../../.eslintrc)); behavioral changes should include or update **Jest** tests where appropriate.
 
-### Full checklist
+### Security and privacy
+
+| Severity | Item |
+|----------|------|
+| Critical | No logging or serializing of **access tokens**, **management tokens**, or **Bearer** strings. |
+| Critical | No new `console.log` of full API responses that may contain secrets. |
+| Important | Stack API keys appear in user-facing errors only in line with [src/core/contentstack/client.ts](../../src/core/contentstack/client.ts) (`buildError` + optional key suffix). |
+
+### Correctness
+
+| Severity | Item |
+|----------|------|
+| Critical | Command flags and `setup(flags)` behavior remain consistent; **compare-remote** still resolves origin vs remote stacks correctly. |
+| Important | **Compare**: left/right version logic and warning when versions are equal; HTML output path and browser open behavior unchanged unless intentionally redesigned. |
+| Important | **Diagram**: output path validation; Graphviz / DOT paths; orientation and file type flags. |
+| Suggestion | Edge cases for empty audit logs, missing references, or single-version content types. |
+
+### Compare and diagram (touching core)
+
+| Severity | Item |
+|----------|------|
+| Critical | [compare.ts](../../src/core/content-type/compare.ts): temp HTML creation does not write sensitive data beyond the diff; file handling is safe on failure paths. |
+| Important | [diagram.ts](../../src/core/content-type/diagram.ts): `sanitizePath` / path usage; large stack models do not cause unbounded memory without consideration. |
+| Suggestion | User messaging when Graphviz is missing or SVG generation fails. |
+
+### Dependencies
+
+| Severity | Item |
+|----------|------|
+| Important | **axios**: security advisories; upgrade notes. |
+| Important | **diff2html**, **git-diff**, **tmp**, **cli-ux**: behavior changes affecting compare UX. |
+| Important | **node-graphviz**: compatibility with supported Node and system Graphviz. |
+| Suggestion | **moment** (if touched): prefer minimal churn; note maintenance status of dependencies. |
+
+### Tests and tooling
+
+| Severity | Item |
+|----------|------|
+| Important | New behavior in `src/core/` or `src/utils/` has **Jest** coverage or a clear reason why not. |
+| Important | `npm test` and **ESLint** (`posttest` / [`.eslintrc`](../../.eslintrc)) pass. |
+| Suggestion | Tests mock HTTP/SDK boundaries; no accidental live API calls. |
+
+### Documentation
 
-Use [references/checklist.md](references/checklist.md) for the printable severity-labeled checklist.
+| Severity | Item |
+|----------|------|
+| Important | If commands or flags change, **README** (generated via `oclif readme`) is updated via `prepack` / `version` workflow. |
+| Suggestion | User-facing strings and examples match `src/commands/content-type/*.ts` examples. |
 
 ## References
 
-- [references/checklist.md](references/checklist.md)
 - [testing/SKILL.md](../testing/SKILL.md) — test and lint expectations.
 - [contentstack-cli-content-type/SKILL.md](../contentstack-cli-content-type/SKILL.md) — architecture and risky areas.
@@ -33,7 +33,43 @@ npm package `contentstack-cli-content-type`: a **Contentstack CLI** (`csdx`) plu
 | Types | `src/types/index.ts` |
 | Config (pagination limits) | `src/config/index.ts` |
 
-Commands **parse flags**, call **`setup(flags)`**, build **`managementSDKClient`**, then call utils + core builders. See [references/architecture.md](references/architecture.md) and [references/commands.md](references/commands.md).
+Commands **parse flags**, call **`setup(flags)`**, build **`managementSDKClient`**, then call utils + core builders.
+
+### Command → core modules
+
+| Command file | Core / utilities | Notes |
+|--------------|------------------|--------|
+| `src/commands/content-type/audit.ts` | `core/content-type/audit.ts`, `utils` (`getStack`, `getUsers`, `getContentType`), `client.getContentTypeAuditLogs` | Audit + users for display |
+| `src/commands/content-type/compare.ts` | `core/content-type/compare.ts`, `utils` | Same-stack two versions; optional `--left` / `--right` |
+| `src/commands/content-type/compare-remote.ts` | `core/content-type/compare.ts` (same `buildOutput`), `utils` | Two stacks; `setup` uses origin stack key only |
+| `src/commands/content-type/details.ts` | `core/content-type/details.ts`, `utils`, `client.getContentTypeReferences` | `--path` / `--no-path` |
+| `src/commands/content-type/diagram.ts` | `core/content-type/diagram.ts`, `utils` (`getStack`, `getContentTypes`, `getGlobalFields`) | Writes file via Graphviz |
+| `src/commands/content-type/list.ts` | `core/content-type/list.ts`, `utils` | `--order title|modified` |
+
+Formatting helpers live under `src/core/content-type/formatting.ts` where imported by core modules.
+
+### Auth flow (high level)
+
+```mermaid
+flowchart LR
+  subgraph setup [ContentTypeCommand.setup]
+    A[getAuthDetails]
+    B{accessToken?}
+    C[error auth:login]
+    D{alias or stack key?}
+    E[exit 1 missing stack]
+    F[getToken or use stack API key]
+    G[ContentstackClient]
+  end
+  A --> B
+  B -->|no| C
+  B -->|yes| D
+  D -->|neither| E
+  D -->|ok| F
+  F --> G
+```
+
+- **`compare-remote`**: `setup` is called with `{ alias: undefined, stack: flags["origin-stack"] }` so `apiKey` is the **origin** stack API key; remote stack is passed only in `getStack` / `getContentType` calls.
 
 ### Authentication and stack identity
 
@@ -46,9 +82,76 @@ Commands **parse flags**, call **`setup(flags)`**, build **`managementSDKClient`
 
 ### Two ways to call APIs
 
-- **Axios `ContentstackClient`**: `GET https://{cmaHost}/v3/...` with default headers `authorization` (if Bearer) or `authtoken`, plus per-request `headers: { api_key }`. Used for audit logs and references. Errors → `ContentstackError` via `buildError`.
+- **Axios `ContentstackClient`**: `GET https://{cmaHost}/v3/...` with default headers `authorization` (if Bearer) or `authtoken`, plus per-request `headers: { api_key }`. Used for audit logs and CT references. Errors → `ContentstackError` via `buildError`.
 - **Management SDK** (`managementSDKClient({ host, 'X-CS-CLI': ... })`): stack fetch, content types, global fields, content type by version—see `src/utils/index.ts`.
 
+**CMA request shape (`ContentstackClient`)**
+
+- **Base URL**: `https://{cmaHost}/v3/` (`cmaHost` from command context).
+- **Default axios headers**: `authorization: <token>` if token string includes `Bearer`, else `authtoken: <token>`.
+- **Per-request**: `headers: { api_key: <stack API key> }` for stack-scoped routes.
+
+| Method | HTTP | Path / params |
+|--------|------|----------------|
+| `getContentTypeAuditLogs` | GET | `/audit-logs` — `params.query.$and`: `module: content_type`, `metadata.uid` |
+| `getContentTypeReferences` | GET | `/content_types/{uid}/references` — `include_global_fields: true` |
+
+Errors: response `data.errors` → `ContentstackError`; optional suffix with stack API key when `data.errors.api_key` and context `api_key` are set.
+
+### Compare and diagram pipelines
+
+- **Compare**: `core/content-type/compare.ts` builds a unified diff from two JSON snapshots (`git-diff`), parses with **diff2html**, writes a **temporary HTML** file, opens it in the browser (`cli-ux` / `cli.open`). Not a terminal table.
+- **Diagram**: `core/content-type/diagram.ts` builds a DOT graph, runs **node-graphviz** (`graphviz` binary must be available on the system for SVG rendering). Output path is sanitized where utilities apply.
+
+### Commands (flags and behavior)
+
+Primary sources: `README.md` and `src/commands/content-type/*.ts`.
+
+#### `content-type:list`
+
+- **Flags**: `--stack-api-key` (`-k`), `--stack` (deprecated → use stack key), `--token-alias` / `--alias` (`-a`), `--order` (`-o`) `title` \| `modified` (default `title`).
+- **Files**: `src/commands/content-type/list.ts`, `src/core/content-type/list.ts`.
+- **Behavior**: Lists Content Types for the stack; table output via core builder.
+
+#### `content-type:details`
+
+- **Flags**: stack identity flags as above; `--content-type` (`-c`) required; `--path` / `--no-path` (`-p`) — default shows path column; use `--no-path` on narrow terminals (README).
+- **Files**: `src/commands/content-type/details.ts`, `src/core/content-type/details.ts`.
+- **Behavior**: Fetches CT + **references** via `ContentstackClient.getContentTypeReferences`.
+
+#### `content-type:audit`
+
+- **Flags**: stack identity + `--content-type` (`-c`) required.
+- **Files**: `src/commands/content-type/audit.ts`, `src/core/content-type/audit.ts`.
+- **Behavior**: Audit logs via `getContentTypeAuditLogs`; README notes **audit log retention** (e.g. 90 days) per Contentstack docs.
+
+#### `content-type:compare`
+
+- **Flags**: stack identity + `--content-type` (`-c`); optional `--left` (`-l`) / `--right` (`-r`) **integers** (both required if either set). If omitted, command infers latest version vs previous from discovery fetch.
+- **Files**: `src/commands/content-type/compare.ts`, `src/core/content-type/compare.ts`.
+- **Behavior**: Side-by-side diff in **HTML** in a browser; not stdout-only. Warns if left === right.
+
+#### `content-type:compare-remote`
+
+- **Flags**: `--origin-stack` (`-o`) and `--remote-stack` (`-r`) **required** (stack API keys); `--content-type` (`-c`) required. No token-alias flow for two stacks—setup uses **origin** stack key for session.
+- **Files**: `src/commands/content-type/compare-remote.ts`, same `core/content-type/compare.ts` as same-stack compare.
+- **Behavior**: Same HTML diff pipeline; compares CT JSON from two stacks. Warns if origin === remote API key.
+
+#### `content-type:diagram`
+
+- **Flags**: stack identity; `--output` (`-o`) **required** (full path); `--direction` (`-d`) `portrait` \| `landscape` (required in schema, default portrait); `--type` (`-t`) `svg` \| `dot` (default svg).
+- **Files**: `src/commands/content-type/diagram.ts`, `src/core/content-type/diagram.ts`.
+- **Behavior**: Loads all content types + global fields; renders graph. **Graphviz** must be installed for typical SVG generation; DOT export available. README documents `-t dot` for raw DOT language.
+
+### Editing checklist
+
+| Change | Touch first |
+|--------|-------------|
+| New flag / description | Command file under `src/commands/content-type/`, then `oclif readme` |
+| Output format / table | `src/core/content-type/*.ts`, `formatting.ts` |
+| REST audit/references | `src/core/contentstack/client.ts`, `error.ts` |
+| SDK pagination / fetch | `src/utils/index.ts`, `src/config/index.ts` |
+
 ### Build and CLI metadata
 
 `package.json` scripts **`prepack`** and **`version`** drive `tsc`, `oclif manifest`, and `oclif readme`. After changing commands, flags, or descriptions, keep **README.md** and **oclif.manifest.json** in sync—see [dev-workflow/SKILL.md](../dev-workflow/SKILL.md) for commands and workflow.
@@ -68,8 +171,6 @@ Commands **parse flags**, call **`setup(flags)`**, build **`managementSDKClient`
 
 ## References
 
-- [references/architecture.md](references/architecture.md) — command → core mapping, auth flow, CMA shape.
-- [references/commands.md](references/commands.md) — flags, UX notes, files to edit per command.
 - [dev-workflow/SKILL.md](../dev-workflow/SKILL.md) — TypeScript build, ESLint, oclif docs, `npm run prepack`.
 - [testing/SKILL.md](../testing/SKILL.md) — Jest layout, mocks, coverage.
 - [Content Management API](https://www.contentstack.com/docs/developers/apis/content-management-api/) (external).