Install, load the buyer's Decision Card, tokenize before AI tools see the record, emit an audit event. The audit event is automatically UUID v7 ordered, hash-chained, and optionally ed25519-signed — replayable by your customer's auditor from canonical JSON. Dual ESM/CJS, zero runtime deps, Apache-2.0, Node 20+. The rest of this page walks the four steps with verbatim code from the SDK README.
Zero runtime dependencies. The published artifact ships dual ESM/CJS builds plus full TypeScript types. Minimum Node 20.
npm install kinetic-gain-embedded
Package: npmjs.com/package/kinetic-gain-embedded · provenance-stamped, Apache-2.0.
The Decision Card is the buyer-issued JSON document that describes which fields are PII / PHI / SPI, which fields are tokenizable, and which AI tools are allowed to see what. Your customer signs it. You enforce it.
import { parseDecisionCard } from "kinetic-gain-embedded";
const card = parseDecisionCard(JSON.parse(decisionCardJson));
decision_card_ref.
Sinks ship: NDJSON file (production-default), HTTP, in-memory (tests), and a write-your-own interface for routing to your SIEM / data warehouse / S3 / wherever.
import { AuditStream, NdjsonFileSink } from "kinetic-gain-embedded";
const audit = new AuditStream({
source: "my-saas-prod",
decisionCardRef: card.canonical_url,
sink: new NdjsonFileSink("/var/log/audit.ndjson")
});
This is the actual runtime hot path. Two lines: the vault contract rewrites the record before any AI tool sees it; the audit emit records what was redacted, on which session, against which Decision Card revision.
import { applyVaultContract } from "kinetic-gain-embedded";
const { payload, redactionApplied } = applyVaultContract(customerRecord, card);
// payload is tokenized — hand it (not the raw record) to the AI tool
await audit.emit({
kind: "ai.chat.completion",
redaction_applied: redactionApplied,
session_id: req.sessionId
});
audit.emit() assigns a UUID v7 event_id, chains prev_hash → hash via SHA-256 over canonical JSON, optionally ed25519-signs the same canonical body, and writes through the sink. Replayable end-to-end by an external auditor.
These invariants are runtime-enforced — no extra config, no extra calls. If you only call audit.emit() + applyVaultContract(), you already get all four.
UUID v7 event_id: Time-ordered identifier. Sort by event_id and you get chronological order without a separate timestamp index.
Hash chain: Genesis hash is 64 zeros. Every subsequent event's prev_hash points at the prior event's hash. Any insertion / deletion / reordering breaks the chain at verify time.
Canonical JSON: Deterministic key ordering before hashing, so the same logical event always produces the same hash regardless of which language wrote it. Python / Go / TypeScript verifiers all agree.
ed25519 signature: Wire a signing key once; every event then carries a signature over the canonical body. The auditor verifies with the matching public key — no shared secret, no service dependency.
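The four invariants above, worked through as an added example of what an auditor-side replay checks; this is not code from the SDK or its README. It assumes a canonical JSON form (keys sorted recursively, no whitespace), that the hashed and signed body is every field except hash and signature, base64-encoded signatures, and a hypothetical appendEvent() that stands in for audit.emit(); the key pair and the two events are constructed for the demo.

```typescript
import { createHash, generateKeyPairSync, randomBytes, sign, verify, KeyObject } from "node:crypto";
// Event shape assumed here; event_id, prev_hash, hash and signature are the field names the page uses.
type AuditEvent = { event_id: string; prev_hash: string; hash: string; signature?: string; [k: string]: unknown };
const GENESIS_HASH = Array(65).join("0"); // genesis prev_hash: 64 zeros
// Canonical JSON as assumed here: keys sorted recursively, no whitespace, so every verifier hashes the same bytes.
function canonicalize(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    return "{" + Object.keys(o).sort().map(k => JSON.stringify(k) + ":" + canonicalize(o[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}
// The hashed and signed body is every field except hash and signature (assumption).
const bodyOf = ({ hash: _h, signature: _s, ...body }: AuditEvent): string => canonicalize(body);
const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");
// UUID v7: 48-bit millisecond timestamp first, so sorting event_id strings gives chronological order.
export function uuidv7(ms: number): string {
  const b = randomBytes(16);
  b.writeUIntBE(ms, 0, 6);
  b[6] = (b[6] & 0x0f) | 0x70; // version 7
  b[8] = (b[8] & 0x3f) | 0x80; // RFC 4122 variant
  const h = b.toString("hex");
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}
// Emitter stand-in for audit.emit() (hypothetical, not the SDK's code): chain, hash, sign, append.
export function appendEvent(chain: AuditEvent[], fields: Record<string, unknown>, ms: number, key: KeyObject): AuditEvent {
  const prev_hash = chain.length ? chain[chain.length - 1].hash : GENESIS_HASH;
  const draft: AuditEvent = { ...fields, event_id: uuidv7(ms), prev_hash, hash: "", signature: "" };
  const body = bodyOf(draft);
  const ev: AuditEvent = { ...draft, hash: sha256(body), signature: sign(null, Buffer.from(body), key).toString("base64") };
  chain.push(ev); return ev;
}
// Auditor-side replay: index of the first event breaking an invariant, or -1 when the whole stream verifies.
export function verifyChain(events: AuditEvent[], pub?: KeyObject): number {
  let expectedPrev = GENESIS_HASH;
  for (let i = 0; i < events.length; i++) {
    const ev = events[i], body = bodyOf(ev);
    if (ev.prev_hash !== expectedPrev || sha256(body) !== ev.hash) return i; // insertion, deletion, reorder, edit
    if (i > 0 && ev.event_id <= events[i - 1].event_id) return i; // not time-ordered
    if (pub && !(ev.signature && verify(null, Buffer.from(body), pub, Buffer.from(ev.signature, "base64")))) return i;
    expectedPrev = ev.hash;
  }
  return -1;
}
// Constructed demo: throwaway key pair and two events (not real data).
export const { privateKey, publicKey } = generateKeyPairSync("ed25519");
export const stream: AuditEvent[] = [];
appendEvent(stream, { kind: "ai.chat.completion", redaction_applied: true, session_id: "s-1" }, 1700000000000, privateKey);
appendEvent(stream, { kind: "ai.chat.completion", redaction_applied: false, session_id: "s-2" }, 1700000000001, privateKey);
```

verifyChain(stream, publicKey) returns -1 for the intact stream; editing a field, dropping the first event, swapping the two events, or stripping signatures each makes it return the index where the chain breaks.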
The SDK is free forever (Apache-2.0). You can ship audit-stream + vault contracts indefinitely without paying anything. Hosted tiers add the parts a busy B2B SaaS company would rather not run themselves — Decision Card review, vault contract hosting, ed25519 signing service, quarterly Pulse positioning.
Reference scaffolding for audit evidence — not a HIPAA / FERPA / SOC 2 / GDPR / ISO 27001 / NIST AI RMF / EU AI Act / ISO 42001 compliant or certified product. Compliance posture depends on the embedder's full control environment and external attestation specific to each regulatory regime.