Technical
Auth & RBAC
Roles, access grants, the resolve_patient dependency, and how DENY gets audited.
Roles
- PATIENT — owns one PatientProfile.
- CAREGIVER — reaches a patient only via an active CaregiverAccess (READ or WRITE).
- CLINICIAN — reaches a patient only via an active ClinicianAccess (always READ).
- RESEARCHER — never sees identified data; works against de-identified exports.
- ADMIN — sees everything; every action is itself audited.
The patient-resolver
Routes that operate on a specific patient depend on resolve_patient(scope), which loads the PatientProfile and then checks, by role:
- PATIENT → must be the owner.
- CAREGIVER → must have an active grant with at least the requested scope.
- CLINICIAN → must have an active grant.
- RESEARCHER → never.
- ADMIN → always.
If the check fails, a DENY audit row is written and FastAPI returns 403.
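An added example, not the project's own code, of the resolve_patient(scope) decision described above, written as plain Python rather than a FastAPI dependency so it runs stand-alone; Role, User, Grant, Forbidden, PROFILES, GRANTS and AUDIT are constructed stand-ins, and the CLINICIAN branch reuses the grant check, so a WRITE request against a READ-only ClinicianAccess row is denied and audited.

```python
from dataclasses import dataclass
from enum import Enum

class Role(str, Enum):
    PATIENT = "PATIENT"
    CAREGIVER = "CAREGIVER"
    CLINICIAN = "CLINICIAN"
    RESEARCHER = "RESEARCHER"
    ADMIN = "ADMIN"

SCOPE_RANK = {"READ": 0, "WRITE": 1}  # a WRITE grant also satisfies a READ request
@dataclass(frozen=True)
class User:
    id: str
    role: Role

@dataclass(frozen=True)
class Grant:  # one CaregiverAccess or ClinicianAccess row (column names assumed)
    user_id: str
    patient_id: str
    scope: str          # "READ" or "WRITE"; ClinicianAccess rows are always "READ"
    active: bool = True

class Forbidden(Exception):
    status_code = 403   # stands in for FastAPI's HTTPException(status_code=403)

# Constructed sample data: PatientProfile id -> owning user id, plus grants.
PROFILES = {"p1": "alice", "p2": "bob"}
GRANTS = [Grant("carol", "p1", "READ"),                 # caregiver, READ only
          Grant("dave", "p1", "WRITE", active=False),   # caregiver, grant revoked
          Grant("erin", "p1", "READ")]                  # clinician (always READ)
AUDIT: list = []                                        # stands in for the audit table

def _has_grant(user, patient_id, scope, grants):
    return any(g.active and g.user_id == user.id and g.patient_id == patient_id
               and SCOPE_RANK[g.scope] >= SCOPE_RANK[scope] for g in grants)

def resolve_patient(user, patient_id, scope, profiles=PROFILES, grants=GRANTS, audit=AUDIT):
    """Return patient_id if user may act on it at `scope`; else audit DENY and raise 403."""
    checks = {Role.PATIENT: lambda: profiles.get(patient_id) == user.id,
              Role.CAREGIVER: lambda: _has_grant(user, patient_id, scope, grants),
              Role.CLINICIAN: lambda: _has_grant(user, patient_id, scope, grants),
              Role.RESEARCHER: lambda: False,   # never sees identified data
              Role.ADMIN: lambda: True}         # always allowed, always audited
    allowed = checks[user.role]()
    if not allowed or user.role is Role.ADMIN:
        audit.append({"user": user.id, "role": user.role.value, "patient": patient_id,
                      "scope": scope, "outcome": "ALLOW" if allowed else "DENY"})
    if not allowed:
        raise Forbidden(f"{user.role.value} {user.id}: {scope} on {patient_id}")
    return patient_id
```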
Note
In dev only, the API accepts X-Dev-Email and X-Dev-Role headers in lieu of a JWT. This is gated by DEV_ALLOW_HEADER_AUTH and never enabled in production.