---
name: config-audit:drift
description: Compare current configuration against a saved baseline — shows new, resolved, and changed findings
argument-hint: "[path] [--baseline name] [--save] [--list] [--raw]"
allowed-tools: Read, Write, Glob, Grep, Bash
model: sonnet
---

# Config-Audit: Drift Detection

Compare current configuration against a saved baseline to see what changed.

## Arguments

- `$ARGUMENTS` may contain:
  - A target path (default: current working directory)
  - `--save`: Save current state as baseline
  - `--baseline <name>`: Compare against (or, with `--save`, save to) a specific named baseline (default: "default")
  - `--list`: List saved baselines
  - `--raw`: Pass-through to the scanner; produces v5.0.0 verbatim diff output (bypasses the humanizer). Use when piping into v5.0.0-baseline diff tooling that depends on byte-stable output.

## Implementation

### Save a baseline

If `--save` is present:

Tell the user: **"Saving current configuration as baseline..."**

```bash
RAW_FLAG=""
if echo "$ARGUMENTS" | grep -q -- "--raw"; then RAW_FLAG="--raw"; fi
# Baseline name: value after --baseline, else "default"; restricted to a plain identifier (added guard, since the name selects a stored baseline).
NAME=$(echo "$ARGUMENTS" | sed -n 's/.*--baseline[ =]\([^ ]*\).*/\1/p'); NAME="${NAME:-default}"
case "$NAME" in -*|*[!A-Za-z0-9._-]*) echo "Invalid baseline name: $NAME" >&2; exit 1 ;; esac
node "${CLAUDE_PLUGIN_ROOT}/scanners/drift-cli.mjs" --save --name "$NAME" $RAW_FLAG 2>/dev/null
```

Read stdout for confirmation. Tell the user:

```markdown
### Baseline Saved

Captured current state as baseline "{name}". Run `/config-audit drift` anytime to see what changed since this point.
```

### Compare against baseline

Without `--save`:

Tell the user: **"Comparing current configuration against baseline..."**

```bash
RAW_FLAG=""
if echo "$ARGUMENTS" | grep -q -- "--raw"; then RAW_FLAG="--raw"; fi
# Same name handling as for --save: value after --baseline, else "default", plain identifiers only.
NAME=$(echo "$ARGUMENTS" | sed -n 's/.*--baseline[ =]\([^ ]*\).*/\1/p'); NAME="${NAME:-default}"
case "$NAME" in -*|*[!A-Za-z0-9._-]*) echo "Invalid baseline name: $NAME" >&2; exit 1 ;; esac
node "${CLAUDE_PLUGIN_ROOT}/scanners/drift-cli.mjs" --baseline "$NAME" $RAW_FLAG 2>/dev/null
```

Read stdout. In default mode the diff sections are humanized — finding titles, descriptions, and recommendations have already been replaced with plain-language equivalents. New/resolved/changed finding lists carry `userImpactCategory`, `userActionLanguage`, and `relevanceContext` so you can group and prioritize without re-deriving severity prose.
If `--raw` was passed, the v5.0.0 diff is verbatim — present it in a code block as-is (the humanized fields above are not present in raw output).

If the baseline is not found, tell the user:

```
No baseline found. Save one first with: /config-audit drift --save
```

Otherwise, parse and present the drift report. Parse the captured stdout directly (for long output, redirect it to a tmpfile first and use the Read tool on that):

```markdown
### Configuration Drift

**Trend:** {Improving|Degrading|Stable}
**Score:** {before} → {after} ({+/-delta} points)

{If new findings:}
#### New Issues ({count})
| ID | Action | Description |
|----|--------|-------------|
| {id} | {userActionLanguage — "Fix this now", "Fix soon", etc.} | {humanized title} |

{If resolved findings:}
#### Resolved ({count})
| ID | Description |
|----|-------------|
| {id} | {humanized title} |

{If changed findings:}
#### Changed ({count})
| ID | Action | Description |
|----|--------|-------------|
| {id} | {userActionLanguage} | {humanized title} |

{If area changes:}
#### Area Changes
| Area | Before | After | Change |
|------|--------|-------|--------|
| ... | ... | ... | ... |
```

When iterating new/resolved/changed findings, prefer `userActionLanguage` over raw `severity` for the "Action" column — the humanizer already mapped severity to plain-language phrasing, and surfacing it consistently keeps the toolchain coherent. Mention `relevanceContext` when it isn't `affects-everyone` (the user wants to know whether a fix touches shared config or just their machine).

### List baselines

If `$ARGUMENTS` contains `--list`:

```bash
node "${CLAUDE_PLUGIN_ROOT}/scanners/drift-cli.mjs" --list 2>/dev/null
```

### What's next

After viewing drift:

- `/config-audit fix` — Auto-fix new findings
- `/config-audit posture` — Full posture assessment
- `/config-audit drift --save` — Update the baseline to current state
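As an added worked example (not part of this plugin or of `drift-cli.mjs`), the following Node script turns a humanized drift result into the markdown report described under "Compare against baseline": it prefers `userActionLanguage` over `severity`, orders new findings "Fix this now" before "Fix soon", appends `relevanceContext` only when it is not `affects-everyone`, and escapes pipe characters so a finding title cannot break the table. The per-finding field names are the ones this skill documents; the top-level shape of the report object (`trend`, `score.before`/`score.after`, `newFindings`, `resolvedFindings`, `changedFindings`, `areaChanges`) and the sample data are assumptions constructed for the example.

```javascript
// Added example: render a humanized drift result as the markdown report this skill describes.
// Assumed (not documented on this page): the top-level report shape used below.
// Documented per-finding fields: userActionLanguage, userImpactCategory, relevanceContext.

// Action phrases the skill mentions, in priority order; unknown phrases sort after them.
const ACTION_ORDER = ["Fix this now", "Fix soon"];

// Prefer the humanizer's phrasing; fall back to capitalised raw severity only if it is missing.
function actionLabel(finding) {
  if (finding.userActionLanguage) return finding.userActionLanguage;
  const sev = finding.severity || "unknown";
  return sev.charAt(0).toUpperCase() + sev.slice(1);
}

// Only call out relevanceContext when the fix is not simply "affects-everyone".
function relevanceNote(finding) {
  const ctx = finding.relevanceContext;
  return !ctx || ctx === "affects-everyone" ? "" : ` (${ctx})`;
}

// Stable sort: known action phrases first in ACTION_ORDER, then the rest in input order.
function prioritize(findings) {
  const rank = (f) => {
    const i = ACTION_ORDER.indexOf(actionLabel(f));
    return i === -1 ? ACTION_ORDER.length : i;
  };
  return findings
    .map((f, i) => ({ f, i }))
    .sort((a, b) => rank(a.f) - rank(b.f) || a.i - b.i)
    .map((x) => x.f);
}

// Scanner text lands in a markdown table: neutralise newlines and pipes so a title cannot
// inject extra cells or rows.
function escapeCell(text) {
  return String(text).replace(/\r?\n/g, " ").replace(/\|/g, "\\|");
}

function table(headers, rows) {
  const line = (cells) => `| ${cells.map(escapeCell).join(" | ")} |`;
  const sep = `|${headers.map(() => "----").join("|")}|`;
  return [line(headers), sep, ...rows.map(line)].join("\n");
}

function signed(delta) {
  return (delta >= 0 ? "+" : "") + delta;
}

function formatScore(score) {
  return `**Score:** ${score.before} → ${score.after} (${signed(score.after - score.before)} points)`;
}

function renderDriftReport(drift) {
  const out = ["### Configuration Drift", "", `**Trend:** ${drift.trend}`, formatScore(drift.score)];
  const findingRows = (list) => list.map((f) => [f.id, actionLabel(f), f.title + relevanceNote(f)]);
  const newF = prioritize(drift.newFindings || []);
  if (newF.length) out.push("", `#### New Issues (${newF.length})`, table(["ID", "Action", "Description"], findingRows(newF)));
  const resolved = drift.resolvedFindings || [];
  if (resolved.length) out.push("", `#### Resolved (${resolved.length})`, table(["ID", "Description"], resolved.map((f) => [f.id, f.title])));
  const changed = prioritize(drift.changedFindings || []);
  if (changed.length) out.push("", `#### Changed (${changed.length})`, table(["ID", "Action", "Description"], findingRows(changed)));
  const areas = drift.areaChanges || [];
  if (areas.length) out.push("", "#### Area Changes", table(["Area", "Before", "After", "Change"], areas.map((a) => [a.area, a.before, a.after, signed(a.after - a.before)])));
  return out.join("\n");
}

// Constructed sample input (not real scanner output); note the out-of-priority order of new findings.
const sampleDrift = {
  trend: "Degrading",
  score: { before: 82, after: 74 },
  newFindings: [
    { id: "EX-001", title: "Broad file write permission in project settings", severity: "medium", userActionLanguage: "Fix soon", userImpactCategory: "permissions", relevanceContext: "shared-config" },
    { id: "EX-002", title: "Hook runs without confirmation", severity: "high", userActionLanguage: "Fix this now", userImpactCategory: "safety", relevanceContext: "affects-everyone" },
  ],
  resolvedFindings: [{ id: "EX-003", title: "Unused server entry left enabled", severity: "low", userActionLanguage: "Fix when convenient" }],
  changedFindings: [],
  areaChanges: [{ area: "Permissions", before: 90, after: 70 }],
};

console.log(renderDriftReport(sampleDrift));
```

Run it as-is with `node` to see the rendered report; in the skill, `sampleDrift` would be replaced by the parsed stdout of `drift-cli.mjs`. Empty sections (here `changedFindings`) are omitted, matching the `{If ...:}` guards in the template.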