+# HealthProbe – Multi-Model Development Guide

+

+## Overview

+

+HealthProbe is built by multiple AI models, each owning a distinct domain.  

+This document defines boundaries, interfaces, and handoff contracts.

+

+---

+

+## Model Allocation

+

+| Domain | Owner | Tools |

+|--------|-------|-------|

+| **UI / SwiftUI Views** | Claude Code | Xcode, SwiftUI, CLAUDE.md |

+| **Data Models (SwiftData)** | Dedicated model session | Xcode, Swift |

+| **HealthKit Integration** | Dedicated model session | Xcode, HealthKit docs |

+| **Anomaly Detection Algorithms** | Dedicated model session | Swift, statistical references |

+| **Sync Monitoring** | Dedicated model session | Xcode, CloudKit docs |

+| **Documentation** | Claude Code + dedicated session | Markdown |

+| **Tests** | Dedicated model session | XCTest, Swift Testing |

+

+---

+

+## Directory Ownership

+

+```

+HealthProbe/

+├── Views/           ← Claude Code (UI)

+├── ViewModels/      ← Claude Code (UI)

+├── Utilities/       ← Claude Code (shared helpers, mocks)

+├── Models/          ← Models agent (SwiftData schemas)

+├── Services/        ← Services agent (HealthKit, anomaly, sync)

+└── Tests/           ← Tests agent

+```

+

+**Rule:** Each agent writes only within its owned directories.  

+Cross-boundary changes require an explicit interface contract (protocol) first.

+

+---

+

+## Interface Contracts

+

+All service boundaries are defined as Swift protocols.  

+Claude Code (UI) consumes protocols — never concrete implementations.

+

+### HealthMonitorProtocol

+

+```swift

+/// Owned by: Services agent

+/// Consumed by: UI (DashboardViewModel)

+protocol HealthMonitorProtocol {

+    var currentStatus: HealthStatus { get }

+    var lastChecked: Date? { get }

+    func runCheck() async throws

+}

+```

+

+### AnomalyStoreProtocol

+

+```swift

+/// Owned by: Services agent

+/// Consumed by: UI (AnomalyListViewModel)

+protocol AnomalyStoreProtocol {

+    var anomalies: [DetectedAnomaly] { get }

+    func markResolved(_ anomaly: DetectedAnomaly) async throws

+}

+```

+

+### AuditTrailProtocol

+

+```swift

+/// Owned by: Services agent

+/// Consumed by: UI (AuditTrailView)

+protocol AuditTrailProtocol {

+    var entries: [AuditTrailEntry] { get }

+    func export() async throws -> Data  // JSON

+}

+```

+

+### SyncMonitorProtocol

+

+```swift

+/// Owned by: Services agent

+/// Consumed by: UI (SyncViewModel)

+protocol SyncMonitorProtocol {

+    var iCloudEnabled: Bool { get }

+    var lastSyncDate: Date? { get }

+    var stateChanges: [SyncStateChange] { get }

+}

+```

+

+---

+

+## Shared Types (Models Agent)

+

+These types are defined once in `Models/` and shared across all agents:

+

+```swift

+// Models/TypeDistributionBin.swift

+@Model

+final class TypeDistributionBin {

+    var bucketStart: Date

+    var bucketEnd: Date

+    var count: Int

+}

+

+// Models/TypeCount.swift

+// TypeCount owns zero or more daily TypeDistributionBin records.

+// These bins store sample counts by time bucket, not raw health values.

+

+// Models/DetectedAnomaly.swift

+enum AnomalyType: String, Codable {

+    case historicalInsertion = "historical_insertion"

+    case silentDeletion      = "silent_deletion"

+    case duplicate           = "duplicate"

+    case divergence          = "divergence"

+}

+

+enum Severity: String, Codable, Comparable {

+    case info, warning, critical

+}

+

+enum HealthStatus: String {

+    case healthy, warning, critical, unknown

+}

+```

+

+Any model changes must be announced in this file before other agents consume them.

+

+---

+

+## Handoff Process

+

+When a module is ready to be consumed by another agent:

+

+1. **Define the protocol** in `Services/Protocols/` (services agent)

+2. **Implement a mock** in `Utilities/Mocks.swift` (Claude Code)

+3. **Build UI against the mock** (Claude Code)

+4. **Replace mock with real implementation** (services agent)

+5. **Integration test** (tests agent)

+

+This allows UI development and service development to proceed in parallel.

+

+---

+

+## Algorithms & Detection Logic

+

+The following modules involve non-trivial logic and should be reviewed carefully:

+

+| Module | File | Description |

+|--------|------|-------------|

+| **Anomaly Detector** | `Services/AnomalyDetector.swift` | Statistical detection: insertions, deletions, duplicates, divergence |

+| **Divergence Engine** | `Services/DivergenceEngine.swift` | Time-series trend analysis, σ comparison |

+| **Fingerprinter** | `Services/SampleFingerprinter.swift` | Duplicate detection via sample hashing |

+| **Snapshot Comparator** | `Services/SnapshotComparator.swift` | Diff between two HealthKit snapshots |

+| **Distribution Comparator** | `Services/SnapshotDiffService.swift` | Daily per-type distribution diff to reveal old-data disappearance masked by new data |

+

+**Guidelines for algorithm modules:**

+- Document assumptions explicitly (e.g., "assumes continuous monitoring since install")

+- All thresholds (e.g., `age > 7 days`) must be configurable constants, not magic numbers

+- Include unit tests for edge cases (empty snapshots, partial data, clock skew)

+- No UI code; return plain Swift types only

+

+---

+

+## Privacy Directives — All Agents

+

+**Mandatory across all modules:**

+- No credentials, API keys, tokens, or certificates in any file

+- No personal data: names, emails, phone numbers, dates of birth

+- No device identifiers: UDID, serial number, advertising ID, device name

+- No account identifiers: Apple ID, iCloud account info, CloudKit record IDs

+- No raw health values in code, tests, previews, logs, or comments

+- No location data or patterns enabling re-identification

+- Synthetic data only in tests and previews

+

+---

+

+## Communication Between Agents

+

+When one agent needs to communicate a decision or change to another:

+

+1. **Update this file** (`AGENTS.md`) with the protocol/interface change

+2. **Update the relevant protocol** in `Services/Protocols/`

+3. **Add a comment** in the affected file: `// Interface updated YYYY-MM-DD — see AGENTS.md`

+

+---

+

+## Current Status

+

+| Module | Status | Owner |

+|--------|--------|-------|

+| SwiftData Models | ✅ Done | Models agent |

+| HealthKit Integration | ✅ Done | Services agent |

+| Snapshot Diff Service | ✅ Done | Services agent |

+| Service Protocols | ⏳ Not started | Services agent |

+| Anomaly Detection | ⏳ Not started | Services agent |

+| Sync Monitor | ⏳ Not started | Services agent |

+| UI – App entry + TabView | ✅ Done | Claude Code |

+| UI – Dashboard | ✅ Done (functional, minimal) | Claude Code |

+| UI – Snapshots + Detail | ✅ Done | Claude Code |

+| UI – Data Types | ✅ Done | Claude Code |

+| UI – Settings | ✅ Done | Claude Code |

+| Unit Tests | ⏳ Not started | Tests agent |

+# HealthProbe – Claude Code Instructions

+

+## Project Context

+

+**HealthProbe** is an iOS app that audits Apple HealthKit data integrity.  

+It detects anomalies: data loss, historical insertions, duplicates, divergence trends.  

+Full specification: `HealthProbe/Doc/HealthProbe – Complete Specification & Motivations.md`

+

+**Current state:** Xcode scaffold only. `ContentView.swift` and `Item.swift` are default templates — replace them entirely.

+

+---

+

+## Claude Code Scope: UI Layer

+

+Claude Code is responsible for:

+- All **SwiftUI Views** (`Views/` directory)

+- All **ViewModels** (`ViewModels/` directory)

+- **Navigation structure** and tab/split layout

+- **Design system** (colors, typography, spacing)

+- **Preview providers** for all views

+- **Accessibility** (VoiceOver, Dynamic Type)

+

+Claude Code does NOT own:

+- `Services/` — HealthKit queries, anomaly detection, sync monitoring (see AGENTS.md)

+- `Models/` — SwiftData models (see AGENTS.md)

+- Entitlements, Info.plist, project configuration

+

+When services are not yet implemented, **consume their protocols and use mock implementations** for UI development.

+

+---

+

+## Target Screen Structure

+

+```

+App (TabView)

+├── Tab 1: Dashboard          → DashboardView

+├── Tab 2: Anomalies          → AnomalyListView → AnomalyDetailView

+├── Tab 3: Audit Trail        → AuditTrailView

+├── Tab 4: Sync Status        → SyncStatusView

+└── Tab 5: Settings           → SettingsView

+```

+

+### DashboardView

+- Large status indicator: ✅ Healthy / ⚠️ Check / 🚨 Critical

+- Last check timestamp

+- Summary cards: samples tracked, anomalies found (all-time)

+- Up to 3 recent active alerts (tappable → AnomalyDetailView)

+- "Check Now" button (calls monitoring service)

+

+### AnomalyListView

+- List of `DetectedAnomaly` sorted by date (most recent first)

+- Filter: All / Critical / Warning / Info

+- Filter: by type (deletion, insertion, duplicate, divergence)

+- Each row: severity badge, type, sample type, date

+- Swipe to mark resolved

+

+### AnomalyDetailView

+- Full anomaly details

+- Evidence dictionary displayed as key-value rows

+- Severity badge

+- Share button → exports as Markdown (for bug reports)

+- "Mark Resolved" action

+

+### AuditTrailView

+- Chronological list of `AuditTrailEntry`

+- Each row: timestamp, event type chip, message

+- Search/filter by event type

+- Export button → JSON

+

+### SyncStatusView

+- Current iCloud sync state (chip: enabled / local-only)

+- Last sync timestamp

+- List of `SyncStateChange` events (most recent first)

+- Visual indicator when sync is stalled (no event in > 48h)

+

+### SettingsView

+- Check frequency: 2h / 6h / 12h / 24h (Picker)

+- Sample types to monitor (MultiSelect toggle list)

+- Alert thresholds (severity level for push notifications)

+- CloudKit sync toggle (off by default, with privacy disclaimer)

+- Export all data (JSON)

+- Delete all audit data (destructive, confirm alert)

+

+---

+

+## Design Guidelines

+

+**Tone:** Professional, calm, medical-adjacent. Not alarming unless critical.

+

+**Color System:**

+```swift

+// Status colors

+.healthyGreen   // SF: green  — all clear

+.warningAmber   // SF: yellow — attention needed  

+.criticalRed    // SF: red    — action required

+.neutralGray    // SF: gray   — informational / resolved

+```

+

+**Typography:** SF Pro (system font). No custom fonts.

+

+**Spacing:** 8pt grid. Use `VStack(spacing: 12)` as baseline.

+

+**Icons:** SF Symbols only. No third-party icon sets.

+

+**Key SF Symbols:**

+- `checkmark.shield.fill` — healthy status

+- `exclamationmark.triangle.fill` — warning

+- `xmark.shield.fill` — critical

+- `clock.arrow.circlepath` — audit trail

+- `antenna.radiowaves.left.and.right` — sync

+- `waveform.path.ecg` — health data

+- `doc.text.magnifyingglass` — anomaly detail

+

+**Dark mode:** Required. Test in both modes.

+

+**Privacy-first UI:**

+- Health metric values are **never shown in plain text** in list rows

+- Values visible only in `AnomalyDetailView` after tap

+- Evidence dictionary values shown as monospace text, not highlighted

+

+---

+

+## SwiftData Integration

+

+Models are defined in `Models/`. Reference them read-only from views:

+

+```swift

+// In views, use @Query — never write directly from a View

+@Query(sort: \DetectedAnomaly.detectedAt, order: .reverse)

+private var anomalies: [DetectedAnomaly]

+

+// Mutations go through ViewModels or services only

+```

+

+Until `Models/` are implemented, use mock data via `PreviewProvider`.

+

+---

+

+## ViewModel Pattern

+

+```swift

+// Pattern for all ViewModels

+@MainActor

+@Observable

+final class DashboardViewModel {

+    private let monitor: HealthMonitorProtocol  // protocol, not concrete type

+    

+    var status: HealthStatus = .unknown

+    var recentAnomalies: [DetectedAnomaly] = []

+    var lastChecked: Date?

+    

+    init(monitor: HealthMonitorProtocol = HealthMonitorService.shared) {

+        self.monitor = monitor

+    }

+    

+    func refresh() async {

+        await monitor.runCheck()

+    }

+}

+```

+

+Always inject dependencies via protocols — makes previews and tests possible without real HealthKit.

+

+---

+

+## Mock Data Protocol

+

+Until services are ready, define preview mocks in `Utilities/Mocks.swift`:

+

+```swift

+struct MockHealthMonitor: HealthMonitorProtocol {

+    func runCheck() async { }

+    var status: HealthStatus { .warning }

+}

+

+extension DetectedAnomaly {

+    static var preview: DetectedAnomaly {

+        DetectedAnomaly(

+            detectedAt: .now,

+            type: "silent_deletion",

+            severity: "warning",

+            sampleType: "Steps",

+            summary: "72 samples missing without deletion event",

+            evidence: ["loss_count": "72", "loss_percent": "23.4"]

+        )

+    }

+}

+```

+

+---

+

+## File Organization

+

+```

+HealthProbe/

+├── Views/

+│   ├── Dashboard/

+│   │   ├── DashboardView.swift

+│   │   └── StatusCardView.swift

+│   ├── Anomalies/

+│   │   ├── AnomalyListView.swift

+│   │   └── AnomalyDetailView.swift

+│   ├── AuditTrail/

+│   │   └── AuditTrailView.swift

+│   ├── Sync/

+│   │   └── SyncStatusView.swift

+│   └── Settings/

+│       └── SettingsView.swift

+├── ViewModels/

+│   ├── DashboardViewModel.swift

+│   ├── AnomalyListViewModel.swift

+│   └── SyncViewModel.swift

+├── Models/           ← NOT owned by Claude Code

+├── Services/         ← NOT owned by Claude Code

+└── Utilities/

+    ├── Mocks.swift

+    ├── DateFormatters.swift

+    └── DesignSystem.swift

+```

+

+---

+

+## Privacy Directives

+

+**Mandatory — no exceptions:**

+- No credentials, tokens, or API keys in any file

+- No personal data, device identifiers, or account identifiers

+- No real health values in code, comments, previews, or tests

+- Synthetic preview data only (see Mocks.swift above)

+

+---

+

+## Before Marking a Task Complete

+

+- [ ] View renders in both Light and Dark mode (use Preview)

+- [ ] VoiceOver labels set on interactive elements

+- [ ] Dynamic Type tested (at least xSmall and AX3)

+- [ ] Works with mock data (no real HealthKit dependency in View layer)

+- [ ] No health values displayed without explicit user tap

+- [ ] Compiles without warnings

+# Contributing to HealthProbe

+

+## ⚠️ Privacy Rules — Non-Negotiable

+

+Before submitting any code, issue, PR, or documentation:

+

+**Never include:**

+- Credentials, API keys, tokens, or certificates

+- Personal data: names, emails, phone numbers, dates of birth

+- Device identifiers: UDID, serial number, advertising ID, device name

+- Account identifiers: Apple ID, iCloud account, CloudKit record IDs

+- Raw health data: actual measurements, records, or workout details

+- Location data: GPS coordinates, location history

+- Any combination of fields that could identify a person or device

+

+**For examples and tests, use synthetic data only:**

+```

+Device:  "iPhone-TESTDEVICE-001"

+User:    "Test User"

+Date:    2000-01-01

+Value:   0 (or clearly fictional)

+```

+

+Submissions containing real credentials or personal data will be closed without review.

+

+---

+

+## Contribution Standards

+

+- **Observations ≠ conclusions:** Label theories and speculation explicitly

+- **Read-only HealthKit:** No code that modifies or deletes health data

+- **Evidence-based:** Bug reports require reproduction steps, device model, and iOS version

+- **No raw health exports:** Aggregated counts only; never raw sample values

+

+## Bug Reports

+

+Include:

+- Device model (e.g., iPhone 15 Pro) — no serial/UDID

+- iOS version

+- HealthProbe version

+- Observed vs. expected behavior

+- Anonymized screenshot or export (values redacted)

+

+## License

+

+By contributing you agree your code is released under the project license.

+						SystemCapabilities = {

+							com.apple.HealthKit = {

+								enabled = 1;

+							};

+							com.apple.iCloud = {

+								enabled = 1;

+							};

+						};

+				SUPPORTED_PLATFORMS = "iphoneos iphonesimulator";

+				SUPPORTS_MACCATALYST = NO;

+				SUPPORTS_MAC_DESIGNED_FOR_IPHONE_IPAD = NO;

+				SUPPORTS_XR_DESIGNED_FOR_IPHONE_IPAD = NO;

+				TARGETED_DEVICE_FAMILY = 1;

+				SUPPORTED_PLATFORMS = "iphoneos iphonesimulator";

+				SUPPORTS_MACCATALYST = NO;

+				SUPPORTS_MAC_DESIGNED_FOR_IPHONE_IPAD = NO;

+				SUPPORTS_XR_DESIGNED_FOR_IPHONE_IPAD = NO;

+				TARGETED_DEVICE_FAMILY = 1;

+        TabView {

+            Tab("Dashboard", systemImage: "waveform.path.ecg") {

+                DashboardView()

+            Tab("Snapshots", systemImage: "clock.arrow.circlepath") {

+                SnapshotsView()

+            Tab("Data Types", systemImage: "doc.text.magnifyingglass") {

+                DataTypesView()

+            }

+            Tab("Settings", systemImage: "gearshape") {

+                SettingsView()

+        .modelContainer(for: [HealthSnapshot.self, TypeCount.self, YearlyCount.self, DeviceProfile.self], inMemory: true)

+        .environment(AppSettings())

+# HealthProbe – Risks, Limitations & Forensic Capabilities

+

+---

+

+## 1. Known Limitations

+

+### 1.1 HealthKit Framework Constraints

+

+**What HealthProbe Cannot Detect:**

+

+| Gap | Why | Mitigation |

+|-----|-----|-----------|

+| **Modifications without deletion** | HealthKit has no "modified" event, only "added" and "deleted" | Use snapshot comparison to detect value changes |

+| **Lost deletions** | If deletion notification arrives while app backgrounded, we may miss it | Monitor both anchored queries AND deleted objects |

+| **Timing precision** | Anchored queries may batch multiple changes, lose granular timestamps | Store both sample timestamp AND observation timestamp |

+| **Private HealthKit types** | Some data types not accessible to third-party apps | Accept data available only to Health.app |

+| **Cross-device sync delays** | Watch-to-phone-to-cloud can take 24+ hours | Extend observation window, don't flag immediate after device sync |

+

+### 1.2 iOS Background Mode Limitations

+

+**Background Fetch Reality:**

+- iOS may delay or skip background fetch requests (battery, network state, user activity)

+- No guarantee that HealthProbe will run at specified interval

+- User can disable background refresh in Settings → HealthProbe

+- System may suspend app if device is low on storage

+

+**Impact:** Anomalies may not be detected for 24-72 hours after occurrence

+

+**Mitigation:**

+- Encourage users to open app regularly (at least weekly)

+- Provide manual "Check Now" button

+- Use `HKObserverQuery` for real-time detection when app is running

+

+### 1.3 Data Retention Constraints

+

+**HealthKit Sample Retention:**

+- HealthKit automatically deletes some transient data (e.g., minute-level HR after 90 days)

+- User can manually delete samples (HealthProbe cannot prevent this)

+- Backups may not restore all data (lossy compression, sync state)

+

+**HealthProbe Impact:**

+- Cannot reconstruct data that was never observed

+- Snapshot from 6 months ago may have samples no longer in HealthKit

+- Gap detection assumes continuous observation (may be false positive if app uninstalled then reinstalled)

+

+---

+

+## 2. Risk Assessment

+

+### 2.1 Privacy Risks (Mitigation: Excellent ✅)

+

+| Risk | Impact | Mitigation |

+|------|--------|-----------|

+| **Raw health data exfiltration** | CRITICAL: user's personal health history exposed | ✅ Local-only storage, never sends raw samples |

+| **Device fingerprinting** | HIGH: tracking user across services | ✅ Salted hash of device ID, stored locally only |

+| **Timing attacks** (inferring behavior) | MEDIUM: sync patterns reveal habits | ✅ CloudKit digest is aggregated & anonymized |

+| **App crashes leaking data** | LOW: crash logs may contain HealthKit info | ✅ All logging is aggregated (counts, not values) |

+

+### 2.2 Data Integrity Risks (Mitigation: Good ✅)

+

+| Risk | Impact | Mitigation |

+|------|--------|-----------|

+| **Snapshot corruption** | HIGH: audit trail becomes unreliable | ✅ Use MD5 checksum of snapshots, detect corruption |

+| **Lost audit trail on uninstall** | HIGH: forensic data disappears | ⚠️ PARTIAL: Encourage export before uninstall; future: iCloud backup option |

+| **Clock skew** (device time wrong) | MEDIUM: timestamps inaccurate, anomaly detection confused | ⚠️ Log both device time + time since boot, detect skew |

+| **Concurrent modification** (app + Health.app) | LOW: race conditions during query | ✅ Anchored queries are atomic |

+

+### 2.3 Security Risks (Mitigation: Good ✅)

+

+| Risk | Impact | Mitigation |

+|------|--------|-----------|

+| **Malicious apps accessing HealthKit** | MEDIUM: third-party apps can read our data | ✅ iOS sandboxing; ask user for HealthKit permission per app |

+| **Jailbroken device** | CRITICAL: all bets off | ⚠️ Not defendable; document assumption: standard iOS device |

+| **iCloud account compromise** | HIGH: CloudKit digest could be leaked | ✅ OPTIONAL: Users can disable CloudKit sync in settings |

+| **Local device theft** | MEDIUM: thief can see audit trail | ✅ Data encrypted by iOS, requires device unlock |

+

+---

+

+## 3. Forensic Capabilities

+

+### 3.1 Questions HealthProbe Can Answer

+

+**Q1: "Was my data lost?"**

+```

+Answer method:

+  1. Load all snapshots for "Steps" type

+  2. Create timeline: date → sample count

+  3. Detect gap where count drops significantly

+  4. Report: when, how much, which source

+  

+Example output:

+  ✅ Yes — On 2026-03-15, step data dropped from 8,234 to 2,100

+     Loss: 6,134 samples (74.3%)

+     Source: "iPhone Health App"

+     Severity: CRITICAL

+```

+

+**Q2: "Why did my data diverge?"**

+```

+Answer method:

+  1. Load historical aggregates (daily sums)

+  2. Fit trend line across 30/60/90 day periods

+  3. Calculate deviation from baseline

+  4. Correlate with sync state changes & OS updates

+  

+Example output:

+  📊 Step count trending down 15% per month

+     Baseline (2025): avg 9,200 steps/day (σ = 1,200)

+     Recent (2026): avg 7,800 steps/day (σ = 1,800)

+     Correlation: Matches iPhone → Apple Watch priority shift

+```

+

+**Q3: "When did this data first appear?"**

+```

+Answer method:

+  1. Search anomaly trail for "historical_insertion"

+  2. Find sample in audit trail with matching ID

+  3. Report exact timestamp (±1 sync cycle)

+  

+Example output:

+  🔍 Workout "Morning Run" (2025-01-15)

+     First observed: 2026-05-01 at 14:35:22 UTC

+     Age: 471 days

+     Context: iCloud sync completed 2 minutes prior

+```

+

+**Q4: "Is my device syncing correctly?"**

+```

+Answer method:

+  1. Load sync state changes

+  2. Check for state = "icloud_sync_active" frequency

+  3. Measure time between sync completions

+  4. Compare to baseline (typical: every 2-4 hours)

+  

+Example output:

+  📡 Sync frequency: ABNORMAL

+     Expected: sync every 2-4 hours

+     Observed: Last sync 6 days ago

+     Status: ⚠️ iCloud sync may be stuck

+```

+

+**Q5: "Which devices are contributing data?"**

+```

+Answer method:

+  1. Analyze source distribution in snapshots

+  2. Track which source each sample came from

+  3. Report composition over time

+  

+Example output:

+  📱 Data source composition:

+     iPhone Health: 45% (4,532 samples)

+     Apple Watch: 50% (5,041 samples)

+     Manual entry: 5% (504 samples)

+  

+  Trend: Watch contribution increased from 30% (Jan) to 50% (Now)

+```

+

+### 3.2 Export Formats for Analysis

+

+**Format 1: JSON Forensic Report**

+```json

+{

+  "export_date": "2026-05-01T14:35:22Z",

+  "device": "iPhone 15 Pro",

+  "ios_version": "18.4.1",

+  "app_version": "1.0.0",

+  "observation_period": {

+    "start": "2026-01-01T00:00:00Z",

+    "end": "2026-05-01T14:35:22Z",

+    "days": 120

+  },

+  "anomalies_summary": {

+    "total": 12,

+    "critical": 2,

+    "warning": 3,

+    "info": 7,

+    "by_type": {

+      "historical_insertion": 5,

+      "silent_deletion": 2,

+      "duplicate": 3,

+      "divergence": 2

+    }

+  },

+  "anomalies": [

+    {

+      "id": "ANML_20260501_001",

+      "type": "silent_deletion",

+      "severity": "critical",

+      "timestamp": "2026-04-15T08:30:00Z",

+      "description": "72 step samples lost without deletion notification",

+      "evidence": {

+        "sample_type": "Steps",

+        "loss_count": 72,

+        "loss_percent": 23.4,

+        "affected_dates": ["2026-04-13", "2026-04-14", "2026-04-15"]

+      }

+    }

+  ],

+  "snapshots": [

+    {

+      "timestamp": "2026-05-01T14:35:00Z",

+      "type": "Steps",

+      "count": 305_432,

+      "sources": {

+        "iPhone Health": 152_716,

+        "Apple Watch": 152_716

+      }

+    }

+  ]

+}

+```

+

+**Format 2: CSV Timeline (for Excel/Sheets)**

+```csv

+Date,Time,Event,Type,Severity,Description,Details

+2026-01-01,08:15,Initial Snapshot,snapshot,info,Baseline established,305432 steps

+2026-02-15,14:20,Historical Insertion,anomaly,medium,Data appeared retroactively,Workout from 2025-01-15

+2026-03-15,09:00,Silent Deletion,anomaly,critical,Data gap detected,72 steps lost

+2026-04-20,16:45,Sync State Change,sync,info,iCloud sync completed,Samples added: 87

+```

+

+**Format 3: Markdown Report (for Bug Submissions)**

+```markdown

+# Apple Health Data Integrity Issue Report

+

+## Timeline

+- **Start observation:** 2026-01-01

+- **Last check:** 2026-05-01

+- **Total observations:** 120 days

+

+## Issue Summary

+3 critical anomalies detected involving 280+ data samples and 15 days of missing data.

+

+### Critical Finding #1: Silent Deletion (2026-03-15)

+- **Type:** 72 step samples disappeared without notification

+- **Date affected:** 2026-04-13 to 2026-04-15

+- **Detection:** Snapshot comparison (305,432 → 305,360)

+- **Severity:** Critical

+- **Context:** Occurred 3 days after iOS 18.4 update

+

+### Critical Finding #2: Historical Insertion (2026-02-15)

+- **Type:** Workout appears 471 days after original date

+- **Sample:** "Morning Run" from 2025-01-15

+- **First observed:** 2026-02-15 14:20 UTC

+- **Context:** 2 minutes after iCloud sync completed

+- **Severity:** Medium (likely restore from backup)

+

+## Recommendations

+1. Verify data integrity on other devices

+2. Compare with iCloud.com Health export

+3. Review iOS 18.4 release notes for HealthKit changes

+4. Check if backup restore was interrupted

+```

+

+### 3.3 Forensic Techniques Enabled by HealthProbe

+

+**Technique 1: Timeline Reconstruction**

+```

+Given: Snapshots at [T0, T1, T2, ...]

+Compute: Δ_count = snapshot[T_i] - snapshot[T_i-1]

+Result: Visual timeline of when data appeared/disappeared

+Use: Correlate with sync events, OS updates, app launches

+```

+

+**Technique 2: Source Attribution**

+```

+Given: Source field in each snapshot

+Track: iPhone vs. Watch vs. Manual contributions

+Result: Identify which device is unreliable

+Use: Isolate whether issue is device, OS, or iCloud

+```

+

+**Technique 3: Anomaly Clustering**

+```

+Given: All anomalies with timestamps

+Cluster: Group nearby anomalies (e.g., within 24 hours)

+Result: Pattern detection — is this systemic or isolated?

+Use: Determine if it's device-specific or iOS version issue

+```

+

+**Technique 4: Cross-Device Correlation** (Future: macOS)

+```

+Given: Multiple device's HealthProbe exports

+Compare: Are anomalies synchronized across devices?

+Result: Distinguish local bug from iCloud sync issue

+Use: Report "this affects all devices" vs. "only this device"

+```

+

+---

+

+## 4. Comparison: HealthProbe vs. Alternatives

+

+| Feature | HealthProbe | Health.app | Third-party apps |

+|---------|------------|-----------|-----------------|

+| **Real-time monitoring** | ✅ Yes | ❌ No | ⚠️ Partial |

+| **Audit trail** | ✅ Yes | ❌ No | ❌ No |

+| **Detects data loss** | ✅ Yes | ❌ No (silent) | ❌ No |

+| **Privacy (no exfiltration)** | ✅ Yes | ✅ Yes | ❌ Often sells data |

+| **Local-only** | ✅ Yes | ✅ Yes | ❌ Often cloud-based |

+| **Open source** | 🔄 Future | ❌ No | ⚠️ Some are |

+| **Forensic export** | ✅ Yes | ❌ No | ⚠️ Limited |

+

+---

+

+## 5. Recommended Usage Patterns

+

+### 5.1 For Individual Users (Personal Monitoring)

+

+```

+Baseline:

+  1. Install HealthProbe

+  2. Let it run for 30 days to establish baseline

+  3. Export first "clean" snapshot

+  

+Ongoing:

+  1. Check app weekly (or enable background notifications)

+  2. If anomaly alert → Screenshot it

+  3. If critical → Export full report immediately

+  4. Keep exported reports in Notes/Files app as backup

+  

+Post-incident:

+  1. Export complete forensic report

+  2. Attach to Apple Feedback Assistant ticket

+  3. Include link to DearApple issue #001

+```

+

+### 5.2 For Researchers (Data Collection)

+

+```

+Setup:

+  1. Enable optional CloudKit sync (with privacy settings)

+  2. Opt into community pattern analysis

+  

+Analysis:

+  1. Correlate own data loss with iOS release dates

+  2. Compare patterns with other HealthProbe users

+  3. Contribute findings to DearApple repository

+```

+

+### 5.3 For Apple Support / Developers

+

+```

+When submitting feedback:

+  1. Include HealthProbe forensic export

+  2. Specify device model, iOS version, exact reproduction steps

+  3. Include timeline showing when anomalies appeared

+  4. Mention if pattern repeats across multiple devices

+```

+

+---

+

+## 6. Future Enhancements (Post-MVP)

+

+### 6.1 Machine Learning Anomaly Scoring

+```

+Current: Binary detection (anomaly or not)

+Future: Confidence scoring (0-100%)

+  - Low risk: Temporary duplicates, minor drifts

+  - High risk: Permanent loss, systematic divergence

+  - Enable severity-based alerting

+```

+

+### 6.2 Community Pattern Database

+```

+Current: Single-device observation

+Future: Anonymized multi-device dataset

+  - iOS 18.4 affected 23% of users

+  - "Morning Run" workout loses 15% post-sync (systematic)

+  - Identify if issue is iOS, device model, or iCloud region specific

+```

+

+### 6.3 Predictive Detection

+```

+Current: Detect after anomaly occurs

+Future: Alert before data is lost

+  - Watch for sync stall patterns

+  - Pre-loss indicators (e.g., rapid duplicates → deletion)

+```

+

+---

+

+## 7. Troubleshooting HealthProbe Itself

+

+### Common Issues

+

+| Issue | Cause | Fix |

+|-------|-------|-----|

+| **No anomalies detected for weeks** | Background fetch disabled | Settings → HealthProbe → Background Refresh |

+| **Snapshots not being saved** | Insufficient storage | Free up space; SwiftData limited by device storage |

+| **Sync state not updating** | iCloud token check failing | Sign out/in to iCloud; restart device |

+| **Old audit trail entries missing** | SwiftData old entries pruned | Expected after > 6 months; export before uninstall |

+

+---

+

+## 8. References

+

+- **iOS HealthKit Framework:** https://developer.apple.com/documentation/healthkit/

+- **HKAnchoredObjectQuery:** https://developer.apple.com/documentation/healthkit/hkanchoredrobjectquery

+- **SwiftData Persistence:** https://developer.apple.com/documentation/swiftdata

+- **DearApple Issue #001:** Apple Health mass data loss investigation

+- **Apple Privacy:** https://www.apple.com/privacy/

+

+---

+

+*HealthProbe — Forensics for Your Health Data*  

+*Document v1.0 — 2026-05-01*

+# HealthProbe iOS – Specification (MVP)

+

+## Overview

+HealthProbe is an iOS application designed to **audit and monitor the integrity of HealthKit data**.  

+It detects anomalies such as:

+- unexpected historical insertions

+- silent deletions of past data

+- duplicate records

+- divergence trends over time

+

+The application operates as a **local audit agent** and optionally synchronizes **aggregated snapshots (digests)** via CloudKit.

+

+⚠️ This document describes ONLY the iOS application (MVP phase).  

+A future macOS application will act as a visualization/analysis layer.

+

+---

+

+## Core Principles

+

+1. **Read-only with respect to HealthKit**

+   - Never modify or delete HealthKit data

+   - Only observe and audit

+

+2. **Local-first architecture**

+   - All detection must work without network access

+

+3. **Incremental observation**

+   - Use anchored queries to track changes

+

+4. **Minimal data exfiltration**

+   - Only aggregated digests are synced (no raw Health data)

+

+5. **Forward compatibility**

+   - CloudKit schema must be shared with a future macOS application

+

+---

+

+## Features (MVP)

+

+### 1. HealthKit Monitoring

+Use:

+- `HKAnchoredObjectQuery`

+- `HKObserverQuery`

+

+Track:

+- Workouts (`HKWorkoutType`)

+- Heart Rate (`HKQuantityTypeIdentifierHeartRate`)

+- High Heart Rate Events

+- Other relevant samples (extensible)

+

+---

+

+### 2. Anomaly Detection

+

+#### A. Historical Insertions

+Detect samples where:

+- `startDate << now`

+- AND `firstSeenAt ≈ now`

+

+#### B. Deletions

+Detect via:

+- `HKDeletedObject`

+- Compare with previously stored snapshot

+

+#### C. Duplicate Detection

+Fingerprint:

+# HealthProbe – Complete Specification & Motivations

+

+**Version:** 1.0  

+**Status:** MVP (iOS monitoring agent)  

+**Last Updated:** 2026-05-01  

+

+---

+

+## 1. Executive Summary

+

+HealthProbe is an **audit and integrity monitoring tool for Apple HealthKit**, designed to detect and document anomalies in health data that would otherwise go unnoticed. It serves as a **local sentinel** — read-only observation with forensic-grade logging for later analysis.

+

+**Core Problem:** Apple Health data loss events (confirmed Sept 2025 incident, ongoing sporadic reports) lack detective mechanisms. Users do not know when data has been lost, corrupted, or silently modified.

+

+**Solution:** HealthProbe monitors HealthKit in real-time and maintains a tamper-proof audit trail, enabling post-incident forensic analysis and pattern detection.

+

+---

+

+## 2. Motivations & Concrete Observed Cases

+

+### 2.1 The September 2025 Mass Data Loss Event

+

+**What happened:**

+- Large-scale loss of Apple Health records reported across multiple devices and iOS versions

+- Timeframe: September 2025 (correlated with iOS 26 release)

+- Suspected triggers:

+  - Device migration (iCloud sync state transitions)

+  - OS upgrade/downgrade cycles

+  - Backup restore operations

+  - HealthKit database re-indexing

+  - iCloud sync divergence

+

+**Why undetected:**

+- No notification from Apple Health

+- Users discover loss retrospectively (weeks/months later)

+- No audit trail to identify exactly *when* or *what* was lost

+- No differentiation between: user deletion, sync loss, corruption, or app bug

+

+**HealthProbe's answer:**

+- Continuous monitoring detects *first occurrence* of loss

+- Timestamped snapshots enable forensic reconstruction

+- Pattern detection identifies trends (gradual loss vs. sudden wipe)

+- Allows users to file reproducible bug reports with evidence

+

+### 2.2 Observed Anomalies

+

+#### A. Historical Insertions (Backdated Data)

+**Pattern:** HealthKit receives samples with `startDate` far in the past, but `firstSeen` ≈ now

+- **Examples:**

+  - Workout from Jan 2023 suddenly appears in Feb 2026

+  - Step count "corrected" retroactively without user action

+  - Heart rate baseline recalibration affecting past months

+  

+**Root cause theories:**

+  - iCloud sync restoring from outdated backup

+  - Third-party fitness app injecting historical reconstructions

+  - HealthKit recovery logic applying retroactive corrections

+  - Cross-device sync desynchronization

+

+**Detection method:** Anchored queries + timestamp comparison

+

+---

+

+#### B. Silent Deletions

+**Pattern:** Samples present in previous snapshot, absent in current, no `HKDeletedObject` notification

+- **Examples:**

+  - 2-week gap of step data (no deletion events logged)

+  - Entire workout history from old iPhone missing post-restore

+  - Selective loss (e.g., only workouts, heart rate preserved)

+

+**Root cause theories:**

+  - Incomplete restore from backup

+  - Selective iCloud sync pruning based on storage limits

+  - Corrupted local database during indexing

+  - Race condition during multi-device sync

+

+**Detection method:** Snapshot comparison + gap detection

+

+---

+

+#### C. Duplicate Records

+**Pattern:** Identical samples (same type, time, value) appearing multiple times

+- **Examples:**

+  - Duplicate step counts from watch syncing (15 min apart)

+  - Duplicate workouts after iCloud re-sync

+  - Conflicting HR readings within 30-second window

+

+**Root cause theories:**

+  - Multi-device sync collision (watch + phone + iPad)

+  - Retry logic without deduplication

+  - Backup restore merging with live data

+

+**Detection method:** Fingerprinting (type + date + value + source)

+

+---

+

+#### D. Divergence Trends

+**Pattern:** Measurable drift in aggregated metrics over time

+- **Examples:**

+  - Active energy expenditure trending down 30% without behavior change

+  - Sleep records shifting systematically earlier/later

+  - Heart rate variability calculation method changing unexpectedly

+

+**Root cause theories:**

+  - Algorithm updates not backfilled uniformly

+  - Device calibration drift

+  - Source priority shifting (watch → phone)

+  - Health app recalculation without user visibility

+

+**Detection method:** Time-series aggregation + statistical outlier detection

+

+---

+

+### 2.3 Why This Matters

+

+| Concern | Impact | HealthProbe Role |

+|---------|--------|-----------------|

+| **Data loss undetected** | Users lose personal health history with no notification | Immediate detection & alert |

+| **No forensic trail** | Impossible to reproduce for bug reports | Audit trail enables Apple debugging |

+| **Blame uncertainty** | "Is it sync? Backup? A bug?" | Precise classification of anomaly type |

+| **Third-party apps** | Apps assume data is trustworthy, may make wrong decisions | Detect corruption before downstream use |

+| **Privacy of monitoring** | Users fear data exfiltration by health apps | Local-only observation, no cloud upload |

+

+---

+

+## 3. Core Architecture

+

+### 3.1 Design Principles

+

+1. **Read-only operations** (never modify HealthKit data)

+2. **Local-first** (full functionality without network)

+3. **Incremental queries** (efficient, avoid repeating work)

+4. **Minimal exfiltration** (only digests, never raw samples)

+5. **Auditability** (every observation logged, timestamped, reproducible)

+6. **Privacy by default** (all aggregated, no PII stored)

+

+### 3.2 Threading Model

+

+```

+┌─────────────────────────────────────────┐

+│  Main Thread (UI)                       │

+│  - Display current health status        │

+│  - Show alerts & anomalies              │

+│  - User interaction                     │

+└──────────────┬──────────────────────────┘

+               │

+               ├─ Delegate query results

+               │

+┌──────────────▼──────────────────────────┐

+│  Background Queue (HealthKit Queries)   │

+│  - HKAnchoredObjectQuery (efficient)    │

+│  - HKObserverQuery (reactive)           │

+│  - Snapshot comparisons                 │

+│  - Anomaly detection logic              │

+└──────────────┬──────────────────────────┘

+               │

+               ├─ Write detected anomalies

+               │

+┌──────────────▼──────────────────────────┐

+│  Local Storage (SwiftData)              │

+│  - Audit trail (immutable append-only)  │

+│  - Snapshots (for forensics)            │

+│  - Anomaly records                      │

+│  - Metadata (versions, migrations)      │

+└─────────────────────────────────────────┘

+```

+

+### 3.3 Data Model (SwiftData)

+

+```swift

+// Immutable audit log entry

+@Model

+final class AuditEntry {

+    var timestamp: Date

+    var eventType: String  // "snapshot", "deletion", "insertion", etc.

+    var samples: [HealthSample]

+    var anomalies: [AnomalyReport]

+    var deviceInfo: DeviceMetadata

+}

+

+// Snapshot for forensic comparison

+@Model

+final class HealthSnapshot {

+    var capturedAt: Date

+    var sampleType: String  // "HKWorkout", "HKQuantity:HeartRate", etc.

+    var sourceDevice: String

+    var recordCount: Int

+    var checksum: String  // MD5 of aggregated data

+    var digest: [String: Int]  // { "source": count, ... }

+}

+

+// Detected anomaly

+@Model

+final class AnomalyReport {

+    var type: String  // "historical_insertion", "deletion", "duplicate", "divergence"

+    var severity: String  // "info", "warning", "critical"

+    var detectedAt: Date

+    var description: String

+    var evidence: [String: Any]  // forensic data

+    var requiresAttention: Bool

+}

+```

+

+---

+

+## 4. Monitoring Features (MVP)

+

+### 4.1 Incremental Change Detection

+

+**Using `HKAnchoredObjectQuery`:**

+```

+Query pattern:

+├─ Initial query: anchor = 0 → captures all existing data

+├─ Store anchor locally

+├─ Periodic queries: anchor = stored → captures only new/modified samples

+└─ Update anchor → efficient incremental updates

+```

+

+**What triggers a query:**

+- App launch

+- Background refresh (iOS allows periodic background queries)

+- User manually triggers "Check Now"

+- Every 12-24 hours (configurable)

+

+### 4.2 Tracked Sample Types (Extensible)

+

+| Type | Why Monitored | Anomaly Signal |

+|------|---------------|----------------|

+| **Workouts** | High-value data, often synced from watch | Historical insertions, duplicates |

+| **Heart Rate** | Continuous stream, high modification risk | Gaps, divergence |

+| **Activity Summary** | Auto-computed, depends on other types | Recalculation without notice |

+| **Steps** | Cross-device (watch/phone), sync-heavy | Duplicate from retries |

+| **Sleep** | Frequently "corrected" post-recording | Backdated entries, loss |

+| **Blood Pressure** | Manual entry, sync state-dependent | Divergence trends |

+| **Audio Exposure** | Often device-specific | Selective loss |

+

+### 4.3 Anomaly Detection Logic

+

+#### A. Historical Insertion Detection

+```

+For each sample:

+  Δt = now - startDate  (age of sample)

+  Δt_observed = now - firstSeen  (how long we've known about it)

+  

+  IF Δt >> Δt_observed (e.g., Δt ≈ 6 months, Δt_observed ≈ 5 minutes):

+    → Flag as "historical insertion"

+    → Severity: MEDIUM (might be legitimate correction)

+```

+

+#### B. Deletion Detection

+```

+Current snapshot: S_now

+Previous snapshot: S_prev

+

+Missing = S_prev - S_now

+  (samples present before, absent now)

+

+IF |Missing| > 0 AND no HKDeletedObject notification:

+  → Flag as "silent deletion"

+  → Severity: CRITICAL

+  → Record gap_duration = time between last observation and absence

+```

+

+#### C. Duplicate Detection

+```

+Fingerprint = (sampleType, startDate, value, unit, source)

+

+IF count(fingerprint) > 1:

+  → Flag as "duplicate record"

+  → Severity: LOW (data integrity risk)

+  → Calculate time between duplicates

+```

+

+#### D. Divergence Detection

+```

+Track aggregated metrics:

+  total_steps_per_day[date]

+  active_energy_per_day[date]

+  hr_average_per_day[date]

+

+For each metric over time:

+  σ_expected = standard deviation (normal range)

+  σ_observed = recent variance

+  

+  IF σ_observed > 2 * σ_expected:

+    → Flag as "divergence trend"

+    → Severity: MEDIUM

+    → Record trend direction & magnitude

+```

+

+---

+

+## 5. Sync Monitoring (Separate Thread)

+

+### 5.1 Sync State Tracking

+

+**Observe HealthKit permission & sync state:**

+```swift

+HKHealthStore().requestAuthorization(...)

+// → Detect when user grants/revokes permissions

+

+// Monitor iCloud state

+FileManager.default.ubiquityIdentityToken

+// → Detects iCloud sign-in/sign-out

+// → Triggers re-baseline after sync state changes

+```

+