Security & Compliance Guide - Cascade Protocol

Security Architecture Overview

The Cascade Protocol follows a local-first, zero-network-call architecture. All data processing occurs on the user's machine. There are no backend services, cloud databases, or remote APIs involved in core protocol operations.

Design Principles

Local-only processing. The CLI, MCP server, and Swift SDK operate entirely on the local filesystem. No data leaves the device during normal operation.
Open source. All repositories are public, enabling full code audit. No proprietary dependencies are required for core functionality.
No telemetry. There are no analytics, crash reporting, phone-home behaviors, or tracking of any kind in the protocol tools or SDK.
Minimal attack surface. The protocol defines data structure and serialization, not networking. There is no HTTP server, no database daemon, and no listening socket in default operation.

Data Flow Diagram

[ User's Health Data ] ——> [ Cascade CLI / SDK (local process) ] ——> [ Local Pod (encrypted at rest) ]

NO data sent to external APIs | NO cloud storage | NO telemetry | NO analytics

Verifiable claim

The absence of network calls can be verified by auditing the source code or running the CLI under a network monitor (e.g., Little Snitch, tcpdump, Wireshark). The CLI and SDK make zero outbound connections.

PHI Handling

Protected Health Information (PHI) under HIPAA includes any individually identifiable health information. The Cascade Protocol stores PHI categories locally in the user's Pod as RDF/Turtle files, organized by data type.

PHI Categories

The protocol defines the following PHI-relevant data categories, each stored in its own directory within the Pod:

Category	Pod Directory	Vocabulary
Medications	`clinical/`	`clinical:`
Conditions	`clinical/`	`clinical:`
Allergies	`clinical/`	`clinical:`
Lab Results	`clinical/`	`clinical:`
Vital Signs	`wellness/` or `clinical/`	`health:` / `clinical:`
Immunizations	`clinical/`	`clinical:`
Demographics	`profile/`	`cascade:`

Consent Model

The protocol supports category-based consent filtering. When sharing data (e.g., via the MCP server for AI agent access or via export), consumers can specify which PHI categories to include or exclude. Only authorized categories are surfaced.

The consent configuration is defined per Pod using a consent.json file in the Pod root. This allows fine-grained control over which data categories are accessible to external consumers.

// Example consent.json (planned implementation)
{
  "version": "1.0",
  "categories": {
    "medications": { "share": true },
    "conditions": { "share": true },
    "allergies": { "share": true },
    "lab_results": { "share": false },
    "vital_signs": { "share": true },
    "immunizations": { "share": true },
    "demographics": { "share": false }
  },
  "defaultPolicy": "deny"
}

Implementation status

The consent.json configuration file is specified but not yet enforced at the protocol level. Current implementations rely on the consuming application to respect category filtering. Enforcement at the MCP server layer is planned for a future release.

Data Minimization

The protocol follows a share-only-what-is-authorized principle. Export and query operations accept a list of requested data types, and only matching records are returned. There is no "select all" behavior in the MCP server — the agent must explicitly request each data type.

Provenance Model

Every record in the Cascade Protocol carries provenance metadata based on the W3C PROV-O ontology. Provenance distinguishes how data was created and by whom, which is critical for clinical decision-making and regulatory compliance.

Provenance Types

Type	URI	Description	Example Source
ClinicalGenerated	`cascade:ClinicalGenerated`	Data originating from clinical or EHR systems	Apple Health clinical records imported from a hospital
DeviceGenerated	`cascade:DeviceGenerated`	Data from wearable or medical devices	Apple Watch heart rate, blood oxygen readings
SelfReported	`cascade:SelfReported`	Data entered directly by the patient	Symptom diary entry, manually entered medication
AIExtracted	`cascade:AIExtracted`	AI-extracted from existing clinical documents	Structured data parsed from a scanned lab report
AIGenerated	`cascade:AIGenerated`	AI-generated observations, analyses, or recommendations	Agent-written health summary, trend analysis

Provenance Attachment

Provenance is attached to every record as RDF triples using the cascade: and prov: namespaces. The following Turtle example demonstrates how provenance metadata is serialized:

@prefix cascade: <https://ns.cascadeprotocol.org/core/v1#> .
@prefix prov: <http://www.w3.org/ns/prov#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

<urn:uuid:a1b2c3d4-e5f6-7890-abcd-ef1234567890>
    a clinical:MedicationRecord ;
    cascade:dataProvenance cascade:ClinicalGenerated ;
    cascade:schemaVersion "1.5" ;
    prov:wasAttributedTo <https://id.cascadeprotocol.org/users/patient-123> ;
    prov:generatedAtTime "2026-01-15T10:30:00Z"^^xsd:dateTime ;
    clinical:medicationName "Metoprolol" ;
    clinical:dose "25 mg" ;
    clinical:frequency "twice daily" .

Verifying Provenance

Provenance can be verified by querying the Pod's Turtle files for cascade:dataProvenance triples. The cascade_pod_query MCP tool and the CLI cascade pod read command both return provenance metadata with every record. To audit provenance across all records:

# Query all records and inspect provenance fields
cascade pod read --path ./my-pod

# Or use the MCP server programmatically via cascade_pod_query
# The response includes dataProvenance for each record

Audit Logging

All operations performed through the MCP server are logged to an append-only audit log stored within the Pod at provenance/audit-log.ttl. This log is written in RDF/Turtle format using Cascade Protocol vocabulary.

Log Format

Each audit entry records the following fields:

Field	RDF Property	Description
Timestamp	`cascade:timestamp`	ISO 8601 datetime of the operation
Operation	`cascade:operation`	Type of operation: `read`, `write`, `query`, `validate`, `convert`
Data Types	`cascade:dataTypes`	RDF list of data types accessed (e.g., `"medications"`, `"conditions"`)
Agent ID	`cascade:agentId`	Identifier of the AI agent or tool that performed the operation
Record Count	`cascade:recordsAccessed`	Number of records read or written

Example Audit Entry

The following is a real example of the Turtle output written by the audit logger (from cli/src/lib/mcp/audit.ts):

@prefix cascade: <https://ns.cascadeprotocol.org/core/v1#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix prov: <http://www.w3.org/ns/prov#> .

# Cascade Protocol Agent Audit Log
# Generated by cascade serve --mcp

<#audit-3f8a91c2-7b4d-4e6f-9a1c-2d3e4f5a6b7c> a cascade:AuditEntry ;
    cascade:timestamp "2026-02-15T14:30:22.451Z"^^xsd:dateTime ;
    cascade:operation "read" ;
    cascade:dataTypes ("medications" "conditions") ;
    cascade:agentId "claude-desktop-v1" ;
    cascade:recordsAccessed 12 .

<#audit-8c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f> a cascade:AuditEntry ;
    cascade:timestamp "2026-02-15T14:31:05.789Z"^^xsd:dateTime ;
    cascade:operation "write" ;
    cascade:dataTypes ("medications") ;
    cascade:agentId "claude-desktop-v1" ;
    cascade:recordsAccessed 1 .

Reviewing Audit Logs

Audit logs are standard Turtle files and can be read with any RDF tool or text editor.

# View the raw audit log
cat ./my-pod/provenance/audit-log.ttl

# Count total operations
grep -c "a cascade:AuditEntry" ./my-pod/provenance/audit-log.ttl

# Filter by agent
grep -A5 "agentId" ./my-pod/provenance/audit-log.ttl

Implementation detail

Audit entry IDs use crypto.randomUUID(), ensuring globally unique identifiers that survive server restarts and concurrent sessions without collision. The log is append-only — entries are never modified or deleted during normal operation.

AI Agent Access

The Cascade Protocol exposes health data to AI agents via the Model Context Protocol (MCP). The MCP server (cascade serve --mcp) enforces several security controls.

Path Containment

All file operations are validated against a boundary directory to prevent path traversal attacks. The implementation resolves both the target path and the Pod boundary to absolute paths, then verifies containment:

// From cli/src/lib/mcp/tools.ts
function validatePathBoundary(
  resolvedPath: string,
  boundary: string
): boolean {
  const normalizedPath = path.resolve(resolvedPath);
  const normalizedBoundary = path.resolve(boundary);
  return (
    normalizedPath.startsWith(normalizedBoundary + path.sep) ||
    normalizedPath === normalizedBoundary
  );
}

This check runs on every write operation. If the resolved target file path falls outside the Pod directory, the operation is rejected with an error.

Automatic AIGenerated Provenance

All data written through the MCP server is automatically tagged with AIGenerated provenance. This is enforced at the server level — the agent cannot override it. The provenance record includes:

Provenance type: Always AIGenerated for MCP-written data
Agent ID: Identifier of the agent (e.g., "claude-desktop-v1"), defaults to "unknown-agent" if not provided
Timestamp: ISO 8601 datetime of the write operation
Reason: Optional free-text explanation for why the record was created
Confidence level: A float between 0.0 and 1.0 indicating the agent's confidence in the data
Source records: URIs of existing records used to derive the new data

// Provenance metadata returned for every MCP write operation
{
  "type": "AIGenerated",
  "agentId": "claude-desktop-v1",
  "timestamp": "2026-02-15T14:31:05.789Z",
  "reason": "Summarized medication list for visit prep",
  "confidence": 0.92
}

Audit Trail

Every MCP tool invocation — read, write, query, validate, or convert — is logged to the Pod's audit log. See Audit Logging above for format details.

Encryption

Encryption responsibilities are deliberately separated across layers. The protocol itself defines data structure, not encryption — this is an intentional design decision to avoid coupling serialization with security infrastructure.

Cascade handles

Infrastructure handles

Protocol Layer (Vocabulary & Serialization)

The protocol vocabularies and Turtle serialization format do not include encryption. This is intentional. The protocol defines what data looks like, not how it is secured at rest.

Application SDK Layer (cascade-sdk-swift)

AES-256-GCM encryption at rest. The Swift SDK encrypts all Pod data on disk using AES-256-GCM authenticated encryption. Encryption keys are stored in the platform keychain (iOS Keychain / macOS Keychain) and are never written to disk or transmitted.

Per-Pod encryption keys. Each Pod has its own encryption key, generated on first creation. Deleting a Pod's key makes its data irrecoverable.

Infrastructure Layer

TLS in transit. If data is transmitted (e.g., future Solid Pod sync), transport encryption is the responsibility of the infrastructure layer.

Filesystem encryption. iOS and macOS provide full-disk encryption (Data Protection / FileVault). This provides an additional encryption layer beneath the SDK's application-level encryption.

Access control. Operating system permissions, app sandboxing, and keychain access groups are managed by the platform, not by the protocol.

Regulatory Considerations

Not legal advice

This section describes how the Cascade Protocol's technical architecture aligns with regulatory frameworks. It is not legal advice and does not constitute a compliance certification. Organizations building on the protocol should conduct their own regulatory assessment.

HIPAA (Health Insurance Portability and Accountability Act)

What Cascade helps with

Data minimization. Category-based consent filtering ensures only authorized PHI categories are shared. Query operations require explicit data type selection.

Audit trails. All operations are logged with timestamps, agent IDs, data types accessed, and record counts. Logs are stored in the Pod as immutable Turtle files.

Access control patterns. The protocol defines consent models and provenance tracking that support access control implementation by consuming applications.

Encryption at rest. AES-256-GCM encryption in the Swift SDK meets the HIPAA encryption addressable specification.

What Cascade does NOT help with

Business Associate Agreements (BAAs). The protocol is a technical framework, not a business entity. BAAs must be established between covered entities and their business associates independently.

Breach notification. The protocol does not include breach detection or notification mechanisms. Organizations must implement their own incident response procedures.

Administrative safeguards. Workforce training, security officers, risk assessments, and contingency planning are organizational responsibilities outside the protocol's scope.

GDPR (General Data Protection Regulation)

What Cascade helps with

Data portability. Pod data is stored in open RDF/Turtle format. Users can export their entire Pod at any time — no proprietary format lock-in.

Right to erasure. Deleting a Pod removes all associated data. With per-Pod encryption keys stored in the keychain, deleting the key renders data cryptographically irrecoverable.

Data minimization. Category-based consent and explicit data type queries prevent over-collection.

Reduced cross-border transfer risk. Local-first architecture means data stays on the user's device by default. No data crosses jurisdictional boundaries unless the user explicitly initiates a transfer.

21st Century Cures Act

Patient access to data. The protocol is designed to give patients full ownership and control of their health records, directly supporting the Cures Act's information blocking provisions.

Interoperability. FHIR alignment and conversion support (cascade_convert MCP tool) enable data exchange between Cascade Pods and FHIR-compliant systems.

Open standards. Built on W3C RDF/OWL, PROV-O, and Solid specifications. No proprietary formats or vendor lock-in.

Threat Model

Threats Cascade Mitigates

Data exfiltration via AI agents. The MCP server operates locally with no network access. An AI agent accessing a Pod through MCP cannot transmit data to external services because the protocol tools make no outbound connections.

Unauthorized data access. Category-based consent filtering restricts which PHI categories are visible. Agents must request specific data types; there is no wildcard access.

Data tampering without attribution. All writes are tagged with provenance (including agent ID, timestamp, and confidence level) and logged to the audit trail. Modifications are traceable.

Path traversal attacks. The validatePathBoundary() function resolves all paths to absolute form and verifies they remain within the Pod directory before any filesystem operation.

Provenance forgery for agent-written data. The MCP server automatically sets provenance type to AIGenerated for all write operations. Agents cannot override this to claim data is ClinicalGenerated.

Threats Cascade Does NOT Mitigate

Limitations

The following threats are outside the protocol's scope. They must be addressed by the user's platform, infrastructure, or organizational security measures.

Compromised local machine. If the user's device is compromised (malware, rootkit), the attacker has access to everything the user can access, including Pod data and encryption keys in the keychain. The protocol cannot protect against a compromised runtime environment.

Social engineering. If a user is tricked into granting an untrusted agent access to their Pod or sharing their data, the protocol cannot prevent the resulting data exposure.

Physical access to device. An attacker with physical access to an unlocked device can read Pod files directly. Device-level security (passcode, biometrics, full-disk encryption) is the user's responsibility.

Vulnerabilities in the user's infrastructure. The protocol does not audit or secure the user's operating system, network configuration, or third-party software. A vulnerability in any of these could expose Pod data.

Supply chain attacks on dependencies. While the protocol minimizes dependencies, the tools and SDK do rely on third-party packages. A compromised dependency could introduce vulnerabilities. See Open Source Audit for dependency review guidance.

Open Source Audit

All Cascade Protocol repositories are open source and available for independent audit. No proprietary code or closed-source dependencies are required for core protocol functionality.

Repositories

Repository	Description	Language
`cascadeprotocol.org`	Protocol CLI, MCP server, SHACL validator, FHIR converter, documentation	TypeScript
`cascade-sdk-swift`	Swift SDK: Pod storage, encryption, HealthKit integration, RDF serialization	Swift

Verifying No Telemetry

The absence of telemetry, analytics, or phone-home behavior can be verified by searching the codebase for network-related code. The following commands should return no results for core protocol functionality:

# Search for HTTP/network calls in the CLI
grep -r "fetch\|axios\|http\.\|https\.\|XMLHttpRequest\|net\.connect" \
  --include="*.ts" --include="*.js" \
  cli/src/

# Search for analytics or tracking
grep -ri "analytics\|telemetry\|tracking\|phone.home\|beacon" \
  --include="*.ts" --include="*.js" \
  cli/src/

# Search for network calls in the Swift SDK
grep -r "URLSession\|URLRequest\|Alamofire\|Network\.framework" \
  --include="*.swift" \
  Sources/

Expected results

The CLI uses node:fs and node:path for local filesystem operations only. The Swift SDK uses CryptoKit for encryption and HealthKit for Apple Health data access. Neither makes outbound network requests.

Dependency Audit

The protocol's runtime dependencies and their purposes are documented below. All are open source.

CLI (TypeScript / Node.js)

Dependency	Purpose
`@modelcontextprotocol/sdk`	MCP server implementation for AI agent access
`n3`	RDF/Turtle parsing and serialization
`rdf-validate-shacl`	SHACL constraint validation
`zod`	Runtime schema validation for MCP tool inputs
`commander`	CLI argument parsing

Swift SDK

Dependency	Purpose
`CryptoKit` (Apple)	AES-256-GCM encryption, key derivation
`HealthKit` (Apple)	Apple Health data access (on-device only)
No third-party packages	The SDK has zero external dependencies

How to Audit

Clone the repositories and review the source code directly. All code paths are auditable.
Check dependencies with npm ls --production (CLI) or review Package.swift (SDK) for the full dependency tree.
Run under network monitoring to confirm no outbound connections during normal operation.
Review the audit log after any agent interaction to verify all operations were properly recorded.