+**Agentic reality:** The repo is developed largely via agents (Codex CLI, Claude, and dedicated model sessions). When updating product scope, update docs first, then implement behind flags, and add tests for the new behavior.

+

+| **Archive Store** | Dedicated model session | SQLite/local archive format, HealthKit metadata mapping |

+| **Data Models (SwiftData)** | Dedicated model session | Xcode, Swift; derived UI/cache/settings/log models only |

+| **Context Monitoring** | Dedicated model session | Xcode; logs Health/iCloud state as context only |

+├── Models/          ← Models agent (SwiftData UI/cache schemas)

+├── Services/        ← Services agent (HealthKit, archive store, anomaly, context)

+**Documentation scope:** `HealthProbe/Doc/` is shared. Keep it consistent with shipped behavior, and add a dated entry when objectives change.

+

+### ContextMonitorProtocol

+/// Consumed by: UI (ContextViewModel)

+protocol ContextMonitorProtocol {

+    var lastObservedAt: Date? { get }

+    var stateChanges: [ContextStateChange] { get }

+// Interface updated 2026-05-18 — see AGENTS.md

+// SwiftData is not the forensic source of truth. TypeCount and related rows store

+// precomputed UI/index data only. Complete HealthKit samples and metadata belong

+// in the local archive store, in one schema that can preserve relationships across

+// data types, sources, devices, workouts, and metadata.

+**Clarification:** “No raw health values” applies to this repository’s contents. The app may optionally store a user's raw HealthKit samples *locally on-device* for forensic backup purposes, but such samples must never appear in source control, logs, or docs.

+

+**Current state:** SwiftUI + SwiftData app is active. Product direction changed on 2026-05-18: HealthProbe is a local audit/capture agent. Do not add HealthProbe CloudKit/iCloud sync.

+- `Services/` — HealthKit queries, anomaly detection, archive store, context monitoring (see AGENTS.md)

+├── Tab 4: Archive Status     → ArchiveStatusView

+### ArchiveStatusView

+- Current local archive health

+- Last archive verification timestamp

+- Selected data types covered by forensic capture

+- Recent Health/iCloud context events (for correlation only; no HealthProbe sync)

+- Point export/report actions for selected findings

+- `externaldrive.fill.badge.checkmark` — archive status

+│   ├── Archive/

+│   │   └── ArchiveStatusView.swift

+│   └── ArchiveStatusViewModel.swift

+| **Consolidation / downsampling** | Apple Health/iCloud can rewrite high-frequency historical samples in-place (count decreases; values/intervals change) | Store fingerprints + optionally archive raw samples for selected types (local-only forensic backup mode) |

+- If Apple consolidates history, **counts alone can be misleading** (a month can “lose” samples but keep the same totals via aggregation); value-level forensics are required for proof

+| **Timing attacks** (inferring behavior) | MEDIUM: archive/check patterns reveal habits | ✅ No automatic cloud sync; reports are explicit local exports |

+| **Silent rewrites (no deletion events)** | HIGH: history can change without HKDeletedObject evidence | ✅ Detect via fingerprint diffs; **Forensic Backup Mode** can preserve per-sample evidence locally for selected types |

+| **iCloud account compromise** | MEDIUM: Apple Health/iCloud state may still affect source data | ✅ HealthProbe archive remains local; no HealthProbe CloudKit sync |

+  1. Export anonymized anomaly summaries manually

+  2. Keep raw archive local

+| **Snapshots not being saved** | Insufficient storage or archive write failure | Free up space; verify local archive health and SwiftData cache rebuild |

+| **Old audit trail entries missing** | SwiftData cache/log retention policy or migration issue | Rebuild derived views from archive where possible; export reports before uninstall |

+The application operates as a **local audit and capture agent**. It does not sync HealthProbe data via CloudKit/iCloud; HealthKit databases can evolve differently per device, so the MVP keeps each device archive local and explicit.

+4. **No app cloud sync**

+   - HealthProbe does not sync raw samples, digests, or reports through CloudKit/iCloud

+5. **Robust local archive**

+   - Store captured HealthKit data in one local archive store, not per-data-type silos

+   - SwiftData is used for derived UI data, settings, logs, and history only

+Persist:

+- sample values and units

+- source and source revision metadata

+- device metadata exposed by HealthKit

+- HealthKit metadata dictionaries

+- first-seen / last-seen / last-verified timestamps

+- fingerprints for matching against Apple Health XML exports and backup database extracts

+

+**Version:** 1.2  

+**Last Updated:** 2026-05-18  

+**Solution:** HealthProbe incrementally captures HealthKit data into a robust local archive and maintains an audit trail for post-incident forensic analysis. SwiftData is used for UI assistance, settings, logs, history, and precomputed values; it is not the source of truth. The local archive exists because Apple Health/iCloud can **rewrite / downsample / consolidate** historical samples in-place (not only add/delete), which cannot be proven by counts alone.

+#### E. Consolidation / Downsampling (Historical Rewrites)

+**Pattern:** For high-frequency data types, Apple Health/iCloud may rewrite historical samples such that:

+- total sample `count` decreases for older months

+- timestamps in a later snapshot/export become a **subset** of an earlier snapshot/export (thinning)

+- some samples become **interval-based** (`endDate > startDate`) and/or values become fractional

+- for cumulative quantities, `value_sum` can remain stable while per-sample `value_max` increases (consolidation)

+

+**Why it matters:** A “record counter” cannot distinguish discard vs consolidation. HealthProbe must support value-level forensics and (optionally) preserve complete evidence locally.

+

+**Detection method:** Snapshot comparison of fingerprints *plus* optional per-sample archives for selected data types.

+

+---

+

+4. **Single archive store** (do not split the forensic store per data type; cross-type relationships and shared metadata matter)

+6. **Privacy by default** (no HealthProbe cloud sync; local storage remains under user control)

+7. **Forensic capture** (selected data types are archived locally as complete per-sample records with metadata to preserve evidence against silent rewrites)

+│  Local Archive Store                    │

+│  - Canonical HealthKit samples          │

+│  - Sources, devices, metadata           │

+│  - Cross-type relationships             │

+│  - Fingerprints and verification hashes │

+└──────────────┬──────────────────────────┘

+               │

+┌──────────────▼──────────────────────────┐

+│  SwiftData UI Store                     │

+│  - Precomputed counts/statistics        │

+│  - Visualization state and settings     │

+│  - Logs, history, report indexes        │

+### 3.3 Storage Model

+**Local Archive Store (source of truth):**

+- one robust local database for all archived samples, not one archive per data type

+- normalized entities for samples, workouts, sources, source revisions, devices, metadata, relationships, and observations

+- multiple fingerprints per sample: HealthKit UUID, strict fingerprint, semantic fingerprint, and fuzzy matching keys for export/backup reconciliation

+- append-only observation history (`firstSeen`, `lastSeen`, `lastVerified`, disappearance evidence)

+- snapshot-level and table-level hashes for integrity checks

+**SwiftData UI Store (derived/cache layer):**

+- settings and selected data types

+- import job state and progress

+- precomputed counts, temporal bins, display ranges, and summary statistics

+- audit log entries and report indexes

+- anomaly summaries and links into the archive store

+SwiftData rows must be rebuildable from the local archive store. If the two disagree, the archive store wins.

+## 5. Sync Context Logging

+HealthProbe does **not** sync its own archive through iCloud or CloudKit. Observed HealthKit databases can diverge between devices, so cross-device HealthProbe sync would increase complexity without providing a reliable forensic source of truth.

+

+Health/iCloud state is still useful as **context** for anomalies.

+

+### 5.1 Context Tracking

+// → Logs context for later correlation

+- iCloud sign-in detected → log context and schedule a local archive verification pass

+### 5.2 Context Documentation

+  - Action: archive verification scheduled

+  - Result: no HealthProbe cloud sync performed

+### 5.3 Background Monitoring

+- `background-fetch` — periodic archive and context checks

+- `remote-notification` → not required for HealthProbe archive sync

+**Check frequency:**

+## 6. Local Archive, Reports & Forensics

+### 6.1 Local Archive Store

+The main backup artifact is the on-device archive store. It is populated incrementally from HealthKit and is not dependent on Apple Health ZIP exports or full encrypted iPhone backups.

+The archive must preserve as much HealthKit information as the API exposes:

+- sample UUID, type, start/end date, value, unit, and metadata

+- source, source revision, bundle identifier, product type, version/build if available

+- device fields exposed by `HKDevice`

+- relationships between workouts, samples, events, and other linked records where available

+- first-seen / last-seen / last-verified observations

+- fingerprints suitable for matching against Apple Health XML exports and extracted backup databases

+

+The archive is selected by data type for performance and privacy, but it is stored in **one schema** so later analysis can follow relationships between types.

+

+### 6.2 Reports and Point Exports

+HealthProbe does not need to optimize for routine complete exports. The local archive is the backup.

+

+Export is scoped to what the user is inspecting:

+- anomaly reports

+- tables of records shown in UI (e.g., “these 1,000 HK records disappeared”)

+- point-in-time manifests and hashes

+- selected record sets needed for external analysis

+

+### 6.3 Forensic Query Examples

+1. Correlate anomalies with observed Health/iCloud state changes

+2. Show timeline: before state change, during reconciliation, after

+- **Archive Status** — current local archive health, last verification, selected data types

+- Local archive retention and report export options

+- ℹ️ "Archive check completed, 2 duplicates found"

+- Open and analyze exported HealthProbe reports or archive copies

+- **Local Archive Store:** canonical HealthKit sample archive (source of truth)

+- **SwiftData:** derived UI/cache/settings/log/history store

+- **No CloudKit sync:** HealthProbe data remains local unless the user exports a report or selected record table

+- Snapshot/index size: ≈ 5-10 KB per type per snapshot in SwiftData

+- Archive storage: depends on selected high-frequency data types; report per-type storage costs in settings

+**Local archive:**

+- ✅ Per-sample archive for user-selected types, stored on-device and exportable by user

+- ✅ Metadata needed for recognition in Apple Health XML exports, backup database extracts, and future datasets

+

+### 10.3 Cloud Policy

+- No HealthProbe CloudKit/iCloud sync

+- No automatic upload of raw samples, digests, reports, or device fingerprints

+- User-triggered exports are explicit, scoped, and local-file based

+| **Performance** | Background capture battery impact | < 2% drain/day |

+- **No raw health values in the repository** — do not include real health records, measurements, or workouts in code, tests, logs, examples, or documentation. The app may optionally store a user's raw samples **locally on-device** for forensic backup, but nothing real belongs in this repo.

+## 2. Storage Implementation

+

+HealthProbe uses two storage layers:

+

+1. **Local Archive Store (source of truth)**

+   - Stores canonical HealthKit samples and all metadata exposed by the API

+   - Uses one schema for all selected data types, so workouts, samples, sources, devices, and metadata can be related later

+   - Maintains `firstSeen`, `lastSeen`, `lastVerified`, strict/semantic/fuzzy fingerprints, and integrity hashes

+   - Should be implemented with an explicit local database/archive format (not SwiftData model graphs for millions of samples)

+

+2. **SwiftData UI Store (derived/cache layer)**

+   - Stores settings, logs, import/check history, anomaly summaries, and precomputed values used by charts

+   - Can be rebuilt from the archive store

+   - Must not be treated as the only forensic copy

+

+### 2.1 SwiftData UI Models

+final class ContextStateChange {

+        ContextStateChange.self,

+### 2.2 Local Archive Store Contract

+

+The archive store should expose a small service interface rather than leaking SQL/archive details into UI code:

+

+```swift

+protocol HealthArchiveStore {

+    func upsertSamples(_ samples: [HKSample], observedAt: Date) async throws

+    func markVerification(sampleType: HKSampleType, verifiedAt: Date) async throws

+    func recordDisappearance(fingerprint: String, observedMissingAt: Date) async throws

+    func records(for reportID: String) async throws -> [ArchivedHealthRecord]

+    func exportReport(_ reportID: String) async throws -> URL

+}

+```

+

+Archive rows should preserve:

+- HealthKit UUID where exposed

+- type identifier, start/end date, value, unit

+- source, source revision, bundle identifier, version/build/product type where available

+- `HKDevice` fields exposed by HealthKit

+- full metadata dictionary as structured data

+- relationship keys for workouts, events, and related samples where available

+- fingerprints for matching records across HealthProbe, Apple Health XML exports, and backup database extracts

+

+## 4. Context Monitoring (Background Thread)

+

+HealthProbe does not sync its own database through iCloud/CloudKit. This service only logs Health/iCloud state as context for later forensic correlation.

+class ContextMonitor {

+    private var previousHealthCloudState: String = "unknown"

+            self.monitorContext()

+    private func monitorContext() {

+        if currentState != previousHealthCloudState {

+            logContextChange(from: previousHealthCloudState, to: currentState)

+            previousHealthCloudState = currentState

+            // Schedule archive verification on state change

+                NotificationCenter.default.post(name: NSNotification.Name("HealthContextChanged"), object: nil)

+    private func logContextChange(from: String, to: String) {

+        let change = ContextStateChange(

+                eventType: "health_context_change",

+                message: "Health cloud context: \(from) → \(to)",

+            print("Error logging context change: \(error)")

+    @StateObject private var contextMonitor: ContextMonitor

+            _contextMonitor = StateObject(wrappedValue: ContextMonitor(modelContext: context))

+                            // Start context monitoring and archive capture

+                            contextMonitor.startMonitoring()

+- ✅ Local archive persistence and recovery

+- ✅ SwiftData cache rebuild from archive

+- ✅ Background context monitoring accuracy

+| SwiftData cache update | < 1 sec | Can run on main thread only after archive work completes |

+| Archive write | Background | Stream large imports; never build full high-frequency datasets in memory |

+| Background check | < 30 sec | iOS allows 30 min for background fetch |

+- [ ] Local archive schema migrations tested

+- [ ] HealthProbe CloudKit/iCloud sync is not described as a product goal

+| **Sync Context Logging** | 📋 Designed | Log Health/iCloud state as forensic context; do not sync HealthProbe data via iCloud |

+| **Local Archive Store** | 📋 Designed | Robust on-device archive is the source of truth |

+| **Reports & Point Exports** | 📋 Designed | Export only selected reports/record tables, not a complete routine dump |

+3. **Implement Local Archive Store** (`Sources/ArchiveStore.swift`)

+   - Single robust local database for all archived samples

+   - Preserve cross-type relationships, sources, devices, metadata, and fingerprints

+   - Keep SwiftData as UI/cache/settings/history only

+| **Archive DB as truth** | Store HealthKit samples and metadata in a robust local database, not split per data type |

+| **SwiftData as UI cache** | Keep precomputed values, settings, logs, and history for visualization only |

+| **No HealthProbe iCloud sync** | Device HealthKit databases evolve independently; CloudKit sync adds complexity without proven forensic benefit |

+| **Selective forensic capture** | When Health/iCloud rewrites or downsamples historical data, counts alone are insufficient; HealthProbe archives complete samples for selected types in one local store |

+- **v1.1** — 2026-05-17 — Objective extension (post-findings)

+  - New observed behavior: Apple-side consolidation/downsampling can rewrite historical samples (not just add/delete)

+  - HealthProbe scope extended: from “counter of records” → “forensic backup agent” (local-only archives for selected types)

+- **v1.2** — 2026-05-18 — Storage direction update

+  - Robust single local archive store becomes the source of truth

+  - SwiftData is limited to precomputed UI data, settings, logs, and history

+  - CloudKit/iCloud sync removed from product goals; reports and point exports replace routine complete export ambitions

+    // Two local ModelConfiguration instances:

+    //   uiCacheConfig - derived audit/index data for UI

+    //   localConfig   - local-only settings and operation metadata

+    // SwiftData is not the forensic source of truth. Complete HealthKit samples

+    // belong in the local archive store; these rows must remain rebuildable.

+        let uiCacheStoreURL = appSupportURL.appending(path: "HealthProbeRecords.store")

+        let uiCacheModels = Schema([

+        let uiCacheConfig = ModelConfiguration(

+            "ui-cache",

+            schema: uiCacheModels,

+            url: uiCacheStoreURL,

+            return try ModelContainer(for: fullSchema, configurations: [uiCacheConfig, localConfig])

+                uiCacheStoreURL,

+            return try ModelContainer(for: fullSchema, configurations: [uiCacheConfig, localConfig])

+import Foundation

+import HealthKit

+

+// Interface updated 2026-05-18 — see AGENTS.md

+protocol HealthArchiveStore {

+    func upsertSamples(_ samples: [HKSample], observedAt: Date) async throws -> HealthArchiveWriteSummary

+    func markVerification(sampleType: HKSampleType, verifiedAt: Date) async throws

+    func recordDisappearance(fingerprint: String, sampleTypeIdentifier: String, observedMissingAt: Date) async throws

+    func records(for request: HealthArchiveRecordRequest) async throws -> [ArchivedHealthRecord]

+    func exportReport(_ request: HealthArchiveReportRequest) async throws -> URL

+}

+

+struct HealthArchiveWriteSummary: Equatable, Sendable {

+    let insertedCount: Int

+    let updatedCount: Int

+    let unchangedCount: Int

+}

+

+struct HealthArchiveRecordRequest: Equatable, Sendable {

+    let sampleTypeIdentifier: String?

+    let fingerprints: Set<String>

+    let limit: Int?

+}

+

+struct HealthArchiveReportRequest: Equatable, Sendable {

+    let reportID: UUID

+    let title: String

+    let includedFingerprints: Set<String>

+}

+

+struct ArchivedHealthRecord: Identifiable, Equatable, Sendable {

+    let id: String

+    let sampleTypeIdentifier: String

+    let strictFingerprint: String

+    let semanticFingerprint: String?

+    let healthKitUUIDHash: String?

+    let startDate: Date

+    let endDate: Date

+    let firstSeenAt: Date

+    let lastSeenAt: Date?

+    let lastVerifiedAt: Date?

+    let disappearedAt: Date?

+}

+        case .valid:

+✅ **SnapshotDelta.swift** — Local delta with checksums and cascade relationship to TypeDeltas

+✅ **TypeDelta.swift** — Per-type local delta with transition, reason, quality before/after, yearly count note

+#### Step 12: Local-only storage refactor ✅

+- Removed CloudKitSyncService and CloudKit-pending chain states

+  - uiCacheConfig: HealthSnapshot, TypeCount, YearlyCount, SnapshotDelta, TypeDelta, AnomalyRecord (derived local UI/index data)

+  - localConfig: OperationLog, DeviceProfile, MetricTimeoutProfile (local-only settings and operation metadata)

+- Added `HealthArchiveStore` protocol for the single local archive store source of truth

+- Schema migration recovery: removes legacy SwiftData stores and retries once on failure

+- [ ] 12. Local-only launch → app functions without iCloud/CloudKit entitlements

+- [ ] 17. Missing local delta/typeDeltas → integrity validation surfaces the fault, never hides it as sync latency

+- [ ] 25. Missing delta → validateChain() returns .missingDelta and stops

+### Local Archive Direction

+- CloudKit/iCloud sync is not a product goal

+- SwiftData rows are derived UI/index data and must be rebuildable from the local archive store

+- Missing deltas or type deltas are treated as local integrity faults, not remote sync latency

+3. **Local archive store implementation is still pending** (protocol boundary exists, SQLite/archive schema still needed)

+4. **No automatic cross-device reconstruction**; cross-device analysis is future macOS/report work

+4. Implement the local archive store behind `HealthArchiveStore`

+**Built with:** SwiftUI, SwiftData, HealthKit, CryptoKit