Detect changes in the threat model since the last baseline snapshot. Identifies new assets, changed flows, new threats, and control status changes. Use when comparing threat model versions, tracking security drift, monitoring for new risks, or validating changes after updates.
View on GitHub: josemlopez/threat-modeling-toolkit
skills/tm-drift/SKILL.md
January 22, 2026
```
npx add-skill https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-drift/SKILL.md -a claude-code --skill tm-drift
```
Installation path: `.claude/skills/tm-drift/`

# Drift Detection
## Purpose
Compare current threat model state against a baseline to:
- Identify new or removed assets
- Detect changed data flows
- Find new attack surface entries
- Track control status changes
- Highlight new potential threats
## Usage
```
/tm-drift [--baseline <path>] [--create-baseline] [--watch]
```
**Arguments**:
- `--baseline`: Specific baseline file to compare against
- `--create-baseline`: Create new baseline after comparison
- `--watch`: Continuous monitoring mode (future feature)
## Drift Categories
### Asset Changes
- **Added**: New components discovered
- **Removed**: Components no longer present
- **Modified**: Properties changed (classification, owner, etc.)
### Data Flow Changes
- **Added**: New data flows between components
- **Removed**: Flows no longer present
- **Modified**: Protocol, encryption, or authentication changed
### Attack Surface Changes
- **Added**: New entry points exposed
- **Removed**: Entry points removed
- **Modified**: Authentication or configuration changed
### Trust Boundary Changes
- **Added**: New boundaries defined
- **Removed**: Boundaries removed
- **Modified**: Controls or scope changed
### Control Status Changes
- **Implemented → Partial**: Control degraded
- **Implemented → Missing**: Control removed
- **Missing → Implemented**: Control added
- **Verification status changed**
## Baseline Structure
Baselines are snapshots of the complete threat model state:
```json
{
  "version": "1.0",
  "created": "ISO-8601",
  "project": "Project Name",
  "snapshot": {
    "assets": [...],
    "dataflows": [...],
    "trust_boundaries": [...],
    "attack_surface": [...],
    "threats": [...],
    "controls": [...],
    "gaps": [...]
  },
  "metadata": {
    "commit": "git-commit-hash",
    "author": "name",
    "reason": "baseline reason"
  }
}
```
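The comparison described by the drift categories, run against two snapshots in the baseline structure above. This is an added example, not code from the toolkit. It assumes every snapshot item carries an `id` field and every control a `status` field (neither schema is defined on this page), and the function names and sample data are constructed for illustration.

```python
import json

# Snapshot sections from the baseline structure that are diffed item by item.
SECTIONS = ("assets", "dataflows", "trust_boundaries", "attack_surface", "controls")
# Assumed ordering of the three control statuses the page names.
RANK = {"missing": 0, "partial": 1, "implemented": 2}

def index(items):
    """Key items by 'id' (assumed field; the page does not define item schemas)."""
    return {item["id"]: item for item in items}

def diff_section(old_items, new_items):
    """Return the Added / Removed / Modified ids for one snapshot section."""
    old, new = index(old_items), index(new_items)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

def control_transitions(old_items, new_items):
    """Classify status changes for controls present in both snapshots."""
    old, new = index(old_items), index(new_items)
    out = []
    for cid in sorted(old.keys() & new.keys()):
        before, after = old[cid]["status"].lower(), new[cid]["status"].lower()
        if before != after:
            # A drop in rank (e.g. Implemented -> Partial) is a degradation.
            kind = "degraded" if RANK[after] < RANK[before] else "improved"
            out.append((cid, before, after, kind))
    return out

def detect_drift(baseline, current):
    b, c = baseline["snapshot"], current["snapshot"]
    report = {s: diff_section(b.get(s, []), c.get(s, [])) for s in SECTIONS}
    report["control_transitions"] = control_transitions(b.get("controls", []), c.get("controls", []))
    return report

# Constructed sample snapshots (not taken from any real project).
BASELINE = {"version": "1.0", "snapshot": {
    "assets": [{"id": "api", "classification": "internal"}, {"id": "db", "classification": "confidential"}],
    "dataflows": [{"id": "api->db", "protocol": "TLS"}],
    "controls": [{"id": "mfa", "status": "Implemented"}, {"id": "waf", "status": "Missing"}]}}
CURRENT = {"version": "1.0", "snapshot": {
    "assets": [{"id": "api", "classification": "public"}, {"id": "cache", "classification": "internal"}],
    "dataflows": [{"id": "api->db", "protocol": "TCP"}],
    "controls": [{"id": "mfa", "status": "Partial"}, {"id": "waf", "status": "Implemented"}]}}

if __name__ == "__main__":
    print(json.dumps(detect_drift(BASELINE, CURRENT), indent=2))
```

Sections absent from a snapshot are treated as empty, so a section that appears only in the current model reports all of its items as added.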
## Drift Report Format
### drift-report.md
```markdown
# Threat Model Drift Report
**Baseline**: 2025-01-15 (snapshot-20250115.json)
**Current**: 2025-