# Security Model: Medication Interaction Review Agent

This document describes the data flows, access boundaries, and consent model for the medication interaction review agent example.

## Data Access Summary

### What the Agent Read

| Resource | File | Data Accessed |
|----------|------|--------------|
| Medications | `clinical/medications.ttl` | 8 medication records (5 prescribed, 1 discontinued, 2 self-reported) |
| Supplements | `wellness/supplements.ttl` | 3 supplement records (all self-reported) |
| Lab Results | `clinical/lab-results.ttl` | 11 lab results from 2026-01-15 panel |
| Conditions | `clinical/conditions.ttl` | 5 active conditions (for context on renal function) |

### What the Agent Did NOT Access

| Resource | File | Reason |
|----------|------|--------|
| Patient demographics | `clinical/patient-profile.ttl` | Not needed for interaction review |
| Allergies | `clinical/allergies.ttl` | Not relevant to this specific interaction |
| Immunizations | `clinical/immunizations.ttl` | Not relevant to medication interactions |
| Vital signs | `clinical/vital-signs.ttl` | Not needed for this analysis |
| Heart rate | `wellness/heart-rate.ttl` | Not needed for this analysis |
| Blood pressure | `wellness/blood-pressure.ttl` | Not needed for this analysis |
| Activity data | `wellness/activity.ttl` | Not needed for this analysis |
| Sleep data | `wellness/sleep.ttl` | Not needed for this analysis |
| Insurance | `clinical/insurance.ttl` | Not needed for this analysis |

### What the Agent Wrote

| Resource | Type | Provenance |
|----------|------|-----------|
| Medication interaction flag | `cascade:AIObservation` | `cascade:AIGenerated` |

The written observation is clearly tagged with `cascade:AIGenerated` provenance, distinguishing it from clinical and patient-reported data. It includes a `cascade:requiresPhysicianReview true` flag.

## Data Flow Diagram

```
+-------------------------------------------------------------------+
|                     LOCAL MACHINE ONLY                              |
|                                                                    |
|  +-------------------+        +----------------------------+       |
|  | Reference Patient |  READ  | AI Agent                   |       |
|  | Pod (filesystem)  |------->| (Claude Desktop or         |       |
|  |                   |        |  Claude Code)              |       |
|  | clinical/         |        |                            |       |
|  |   medications.ttl |        | 1. Parse medications       |       |
|  |   lab-results.ttl |        | 2. Parse supplements       |       |
|  |   conditions.ttl  |        | 3. Identify interactions   |       |
|  |                   |        | 4. Correlate with labs     |       |
|  | wellness/         |        | 5. Generate observation    |       |
|  |   supplements.ttl |        |                            |       |
|  |                   | WRITE  |                            |       |
|  |                   |<-------| AIGenerated observation     |       |
|  +-------------------+        +----------------------------+       |
|                                                                    |
|  No data leaves this machine. No external API calls are made       |
|  for data retrieval. The LLM processes data in-context only.       |
+-------------------------------------------------------------------+
```

## No Data Left the Machine

This is a **local-first** operation:

1. **Pod storage:** The reference patient pod lives on the local filesystem. It is not uploaded to any cloud service.

2. **MCP server:** The `cascade serve --mcp` process runs locally, reading from the local filesystem and communicating with Claude Desktop via stdio (standard input/output). No network requests are made by the MCP server.

3. **CLI invocations:** The `cascade pod query` and `cascade pod write` commands operate entirely on local files. No network traffic is generated.

4. **LLM processing:** When using Claude Desktop or Claude Code, the Pod data is sent to the Anthropic API as part of the conversation context. **This is the only network hop**, and it is governed by Anthropic's data handling policies (data is not used for training, and conversations can be set to zero-retention).

   - For fully air-gapped deployments, a local LLM can be substituted.

## Consent Model

### Read Consent

The agent accesses the Pod because the patient (Pod owner) explicitly invoked the agent. In the Cascade Protocol consent model:

- **Pod owner grants access** by configuring the MCP server with `CASCADE_POD_PATH` pointing to their Pod
- **Scope is implicit:** The agent can read any file in the Pod that the MCP server exposes
- **Granular scoping** (future): The Cascade CLI will support `--scope medications,labs` to restrict agent access to specific categories

### Write Consent

The agent writes an observation back to the Pod:

- **Write is explicitly requested** in the agent prompt ("write back your findings")
- **Provenance is mandatory:** All agent-written data carries `cascade:AIGenerated` provenance
- **Non-destructive:** The agent creates a new observation record. It never modifies or deletes existing clinical or patient-reported data.
- **Physician gate:** The observation includes `cascade:requiresPhysicianReview true`, marking it as advisory-only

### Audit Records Created

Each MCP tool invocation or CLI command generates an audit log entry in the Pod:

| Timestamp | Action | Resource | Agent |
|-----------|--------|----------|-------|
| T+0s | `pod_query` | `clinical/medications.ttl` | Cascade Medication Review Agent |
| T+1s | `pod_query` | `wellness/supplements.ttl` | Cascade Medication Review Agent |
| T+2s | `pod_query` | `clinical/lab-results.ttl` | Cascade Medication Review Agent |
| T+3s | `pod_query` | `clinical/conditions.ttl` | Cascade Medication Review Agent |
| T+4s | `pod_write` | `observations/ai-med-review-20260220.ttl` | Cascade Medication Review Agent |

These audit entries persist in the Pod and can be reviewed by the patient or their care team at any time.

## Threat Model Considerations

| Threat | Mitigation |
|--------|-----------|
| Agent reads more data than necessary | Current: full Pod access. Future: scoped access via `--scope` flag |
| Agent writes incorrect clinical advice | `cascade:AIGenerated` provenance + `requiresPhysicianReview` flag |
| Pod data sent to cloud LLM | Anthropic zero-retention policy; local LLM option for air-gapped use |
| Agent modifies existing clinical data | MCP server enforces append-only for AI-written data |
| Unauthorized agent access | Pod owner must explicitly configure MCP server path |

## Summary

- **Data accessed:** 4 files (medications, supplements, labs, conditions)
- **Data written:** 1 AI-generated observation with full provenance chain
- **Network hops:** Zero for data retrieval; one for LLM inference (Anthropic API)
- **No PHI left the local machine** via Cascade Protocol tooling
- **Audit trail:** 5 entries logged in the Pod