# Security Model: Visit Preparation Summary Agent

This document describes the data flows, access boundaries, and consent model for the visit preparation summary agent example.

## Data Access Summary

### What the Agent Read

This agent requires **full Pod access** to generate a comprehensive visit summary.

| Resource | File | Records Read |
|----------|------|-------------|
| Patient profile | `clinical/patient-profile.ttl` | 1 profile (demographics, emergency contact) |
| Conditions | `clinical/conditions.ttl` | 5 active conditions |
| Medications | `clinical/medications.ttl` | 8 medication records |
| Allergies | `clinical/allergies.ttl` | 3 allergy records |
| Lab results | `clinical/lab-results.ttl` | 11 lab results |
| Immunizations | `clinical/immunizations.ttl` | 4 immunization records |
| Vital signs | `clinical/vital-signs.ttl` | 30 days (180 individual readings) |
| Insurance | `clinical/insurance.ttl` | 1 coverage record |
| Heart rate | `wellness/heart-rate.ttl` | 30 daily readings |
| Blood pressure | `wellness/blood-pressure.ttl` | 30 daily readings |
| Activity | `wellness/activity.ttl` | 30 daily snapshots |
| Sleep | `wellness/sleep.ttl` | 30 daily snapshots |
| Supplements | `wellness/supplements.ttl` | 3 supplement records |

**Total resources accessed:** 13 files, ~356 individual records

### What the Agent Wrote

This agent is **read-only**. It generates a text summary but does not write any data back to the Pod. The visit summary output is displayed to the user and can be printed or saved separately.

## Data Flow Diagram

```
+-------------------------------------------------------------------+
|                     LOCAL MACHINE ONLY                              |
|                                                                    |
|  +-------------------+        +----------------------------+       |
|  | Reference Patient |  READ  | AI Agent                   |       |
|  | Pod (filesystem)  |------->| (Claude Desktop or         |       |
|  |                   |        |  Claude Code)              |       |
|  | clinical/         |        |                            |       |
|  |   patient-profile |        | 1. Parse all categories    |       |
|  |   conditions      |        | 2. Cross-reference data    |       |
|  |   medications     |        | 3. Compute trends          |       |
|  |   allergies       |        | 4. Identify gaps           |       |
|  |   lab-results     |        | 5. Generate summary doc    |       |
|  |   immunizations   |        |                            |       |
|  |   vital-signs     |        +-------------+--------------+       |
|  |   insurance       |                      |                      |
|  |                   |                      v                      |
|  | wellness/         |        +----------------------------+       |
|  |   heart-rate      |        | Visit Summary (text)       |       |
|  |   blood-pressure  |        | Displayed to user          |       |
|  |   activity        |        | Can be printed/saved       |       |
|  |   sleep           |        +----------------------------+       |
|  |   supplements     |                                             |
|  +-------------------+                                             |
|                                                                    |
|  No data leaves this machine via Cascade tooling.                  |
|  No write-back to the Pod occurs.                                  |
+-------------------------------------------------------------------+
```

## No Data Left the Machine

This is a **local-first, read-only** operation:

1. **Pod storage:** Local filesystem only. No cloud uploads.

2. **MCP/CLI:** All data retrieval happens locally via stdio (MCP) or filesystem reads (CLI). Zero network traffic from Cascade tooling.

3. **LLM processing:** Pod data is sent to the Anthropic API as conversation context for processing. This is the only network hop. Governed by Anthropic's data handling policies (not used for training, zero-retention available).

4. **Output:** The visit summary is displayed in the chat interface. It is not automatically sent anywhere. The user decides whether to print, save, or share it.

## Consent Model

### Read Consent

- **Full Pod access:** This agent reads every category in the Pod. The patient grants this access by configuring the MCP server or invoking the CLI with the Pod path.
- **Justification:** A visit preparation summary requires comprehensive data access. Partial access would produce an incomplete summary.
- **Scope control (future):** For agents that need less data, the Cascade CLI will support `--scope` flags to restrict access.

### Write Consent

- **No write operations.** This agent is purely analytical. It does not modify the Pod in any way.

### Audit Records Created

Each MCP tool invocation or CLI command generates an audit log entry:

| Timestamp | Action | Resource | Agent |
|-----------|--------|----------|-------|
| T+0s | `pod_query` | `clinical/patient-profile.ttl` | Cascade Visit Prep Agent |
| T+1s | `pod_query` | `clinical/conditions.ttl` | Cascade Visit Prep Agent |
| T+2s | `pod_query` | `clinical/medications.ttl` | Cascade Visit Prep Agent |
| T+3s | `pod_query` | `clinical/allergies.ttl` | Cascade Visit Prep Agent |
| T+4s | `pod_query` | `clinical/lab-results.ttl` | Cascade Visit Prep Agent |
| T+5s | `pod_query` | `clinical/immunizations.ttl` | Cascade Visit Prep Agent |
| T+6s | `pod_query` | `clinical/vital-signs.ttl` | Cascade Visit Prep Agent |
| T+7s | `pod_query` | `clinical/insurance.ttl` | Cascade Visit Prep Agent |
| T+8s | `pod_query` | `wellness/heart-rate.ttl` | Cascade Visit Prep Agent |
| T+9s | `pod_query` | `wellness/blood-pressure.ttl` | Cascade Visit Prep Agent |
| T+10s | `pod_query` | `wellness/activity.ttl` | Cascade Visit Prep Agent |
| T+11s | `pod_query` | `wellness/sleep.ttl` | Cascade Visit Prep Agent |
| T+12s | `pod_query` | `wellness/supplements.ttl` | Cascade Visit Prep Agent |

All 13 audit entries persist in the Pod for patient review.

## Threat Model Considerations

| Threat | Mitigation |
|--------|-----------|
| Agent reads entire Pod | Intentional for comprehensive summary; future scoped access available |
| Summary contains sensitive data | Output is local-only, displayed to the Pod owner. Not persisted to Pod. |
| Summary shared inappropriately | Patient responsibility; summary is plaintext, not a controlled resource |
| Pod data sent to cloud LLM | Anthropic zero-retention policy; local LLM option for air-gapped use |
| Incorrect summary content | Clearly labeled as preparation document, not clinical advice |
| Stale data presented as current | All data points include their original dates; agent notes data currency |

## Privacy Considerations for Printing

If the patient prints the visit summary to bring to an appointment:

- The printed document contains PHI (names, conditions, medications, lab values)
- The patient should handle it as they would any medical document
- The Cascade Protocol does not control or track printed copies
- Consider using the `--redact-identifiers` flag (future) for partially anonymized summaries

## Summary

- **Data accessed:** 13 files (full Pod), ~356 individual records
- **Data written:** None (read-only agent)
- **Network hops:** Zero for data retrieval; one for LLM inference (Anthropic API)
- **No PHI left the local machine** via Cascade Protocol tooling
- **Audit trail:** 13 entries logged in the Pod