Customer Rollout Runbook — Kinetic Gain Embedded

1. Pre-approval checklist

Before the change-management ticket goes in, gather this. Most of it the vendor publishes; the rest you decide. Each line maps to a specific buyer question.

Read the threat model end-to-end

Lives at /embedded/threat-model/. Reviewer notes which trust boundaries the SDK assumes, which it explicitly does not, and what failure modes apply. Time: ~15 min.

Verify the npm package is provenance-stamped

npm view kinetic-gain-embedded should show an npm provenance badge tying the published bundle to a specific GitHub Actions build. If not, the supply chain isn't what the vendor claims it is. npmjs.com/package/kinetic-gain-embedded.

Pull + verify the SBOM for the version you'll deploy

SBOM is attached to each GitHub release as a CycloneDX JSON. Diff against your existing approved-dependency list. Block any package you don't recognize; the SDK ships zero runtime deps so this list should be effectively empty.

Confirm Apache-2.0 license terms with your legal team

SDK is Apache-2.0 (permissive, patent grant). Hosted tier terms are separate; that's where indemnification + DPA + SCC language lives. Get both reviewed; they cover different scopes.

Map data flow against your data-classification register

What data does the SDK see? The Decision Card body, the customer record at tokenization time, and the audit event metadata. Confirm each is classified under your existing register (Public / Internal / Confidential / Restricted) and that the SDK's handling matches your policy for that class.

Confirm signing keypair + public key location

If you're using ed25519 signing on audit events, you (the customer-of-the-embedder) decide where the public key lives. Recommended: your own .well-known/ at your apex domain. The embedder doesn't need your private key — only the public key for verification.

Capture the buyer-side Decision Card

You sign the Decision Card once. It locks the policy bundle the SDK enforces at runtime. Save the canonical JSON in your evidence locker. Reference spec.

Decide audit-stream destination

Three options: (a) self-hosted endpoint, (b) embedder's hosted tier, (c) drop-in to your existing SIEM (Splunk, Sentinel, Datadog). For regulated workloads pick (a) or (c); (b) is fine for non-regulated.

2. Change-management ticket template

The ticket your CAB needs. Each field aligns to a question they will ask. Paste, fill in your specifics.

Title:        Approve kinetic-gain-embedded SDK v<X.Y.Z> rollout to <product>
Risk class:   Low / Medium / High  (default: Medium, drop to Low after one quarter clean)
Type:         Third-party dependency · AI governance instrumentation
Requestor:    <eng lead>
Owner:        <eng lead> (build) · <security eng> (verify) · <DPO> (sign-off)

WHAT
  Drop in kinetic-gain-embedded SDK at version <X.Y.Z> into <service>.
  Emits hash-chained, ed25519-signed audit events on AI-touching code paths.

WHY
  Buyer-side AI governance compliance. Audit-stream creates the
  verifiable record our customers' compliance teams ask for.

DATA SCOPE
  - Reads:    Decision Card (we control), customer record at tokenization point
  - Writes:   Audit events to <destination — SIEM endpoint URL or hosted tier>
  - Retains:  Audit events for <Y days> per data-retention schedule
  - Does NOT: Send raw customer records off-prem; the SDK tokenizes
              before any cross-boundary call

DEPENDENCIES
  Runtime deps:    0
  Build deps:      see SBOM attached
  Network egress:  <list endpoints + ports — or "none, SDK is offline">

VERIFICATION CHECKLIST (pre-prod gate)
  [ ] SBOM diffed vs approved-dependency register
  [ ] npm provenance badge verified at install time
  [ ] Threat model read end-to-end by reviewer
  [ ] Audit-event roundtrip tested in staging
  [ ] ed25519 signature verification confirmed end-to-end
  [ ] Decision Card canonical JSON archived in evidence locker
  [ ] Rollback procedure tested (see Section 6)
  [ ] On-call playbook updated (see Section 4)

ROLLOUT
  Phase 1 — Internal staging (1 week)
  Phase 2 — 5% production (2 weeks)
  Phase 3 — General availability after both phases clean

ROLLBACK
  npm install kinetic-gain-embedded@<previous>
  redeploy <service>; audit-stream pause is graceful
  (the embedder side does NOT block on audit emission)

CONTACTS
  Vendor:          security@kineticgain.com  (RFC 9116 security.txt verified)
  Internal owner:  <eng lead>
  Escalation:      <DPO>

3. Phased rollout plan

Standard SaaS-vendor rollout shape: stage → canary → GA. Each phase has explicit exit criteria; don't progress until every criterion is met.

Phase 1 · 1 week

Internal staging

Drop the SDK into one non-production service. Wire a synthetic Decision Card. Verify every audit event roundtrips through your SIEM with intact hash chain + valid ed25519 signature.

1 service, staging env only
Synthetic Decision Card
Synthetic customer records
SIEM ingestion verified
Signature verification verified

Exit: 100 events emitted, 100% hash-chain-intact, 100% signatures-verify, zero unexpected egress.

Phase 2 · 2 weeks

5% production canary

Enable the SDK for 5% of production traffic on the same service. Real Decision Card from the buyer. Real records. Production audit-stream destination. Hold here for two full weeks of business-hours operations.

5% production traffic
Real Decision Card (buyer-signed)
Real customer records
Production audit-stream destination
Real on-call rotation aware

Exit: 14 days clean. Zero security incidents. Zero SDK-attributable performance regressions in p99 latency. SIEM dashboard shows expected event volume.

Phase 3 · ongoing

General availability

100% production. Move into normal day-2 operations (Section 4). The SDK is now part of your supported stack. Quarterly review begins (Section 5).

100% production traffic
All services in scope deployed
Day-2 monitoring active
Quarterly audit cadence on calendar

Exit: none — this is the steady state. Next milestone is the first quarterly audit (Section 5).

Don't skip Phase 1 even if you're tempted. The hash-chain verification in staging proves your SIEM is correctly parsing the chain link order. If a downstream system silently drops or reorders events, you'd rather find out in staging than during a customer audit.

4. Day-2 operations

The SDK does not require dedicated on-call. It is a synchronous library — when your service is healthy, the SDK is healthy. The only operational surface is the audit-stream destination: if that endpoint stops responding, the SDK degrades gracefully (events buffer in-process up to a configurable cap, then drop with a warning log).

Monitoring

Event emission rate — log volume should track your AI-touching code-path traffic. A sudden drop = the SDK is silently failing or your traffic dropped. Either way: page.
Hash-chain continuity — your SIEM should run a daily chain-verify job over the previous day's events. Any break is a high-severity incident: events were dropped, reordered, or tampered with.
Signature validity — your SIEM should sample-verify ed25519 signatures (e.g. 1% of events per day). A signature failure on signed events is high-severity.
SDK version drift — track which version of the SDK each service runs. Stale > 6 months across multiple services is a backlog grooming signal, not an incident.

On-call playbook entries

"Audit events stopped emitting" — service is fine, audit-stream destination may be down. Check destination health; if down, follow your normal SIEM incident playbook. SDK does not block.
"Hash chain broken at timestamp X" — page security engineer. Capture the gap, identify the missing block, restore from your SIEM's source-of-truth log. Open a postmortem.
"Signature verification failing" — page security engineer + DPO. If signatures fail systematically (not transiently), assume the signing keypair may be compromised or the public key has rotated unexpectedly. Treat as a vendor incident; check the embedder's /.well-known/security.txt for current contact + signing-policy page.
"SDK version vulnerability disclosed" — Dependabot / Snyk / your scanner of choice will alert. Cross-reference against the embedder's security advisories. Upgrade in a normal patch cycle unless the advisory says otherwise.

The SDK is offline-safe by design. If your audit-stream destination is unreachable, the embedder service does not fail. It buffers, retries, and ultimately drops events with structured warnings. This is intentional: AI governance instrumentation should never take down the product it's instrumenting.

5. Audit cadence

What to put on the operations calendar. Treat the SDK as a third-party dependency with audit obligations.

Cadence	What	Why
Weekly	SIEM dashboard review: event volume, hash-chain breaks (should be 0), signature failures (should be 0)	Catch silent failures within 7 days, not 90.
Monthly	SDK version reconciliation: services on stale SDK versions surface as a backlog ticket	Prevent CVE exposure window from compounding silently.
Quarterly	Decision Card review: re-confirm the buyer-side policy bundle is still the policy you want enforced. Re-sign if anything material changed.	Decision Cards are immutable per version; if your policy changed, you need a new version + re-signing.
Quarterly	Vendor /.well-known/ freshness check: pull `kineticgain.com/.well-known/aeo.json` + 10 sibling docs, verify ed25519 signatures still validate	If the embedder rotated keys or the signatures expired, your signed audit events depend on a chain you no longer trust.
Annually	Threat model re-read: assumptions may have changed (new attack classes, new regulatory frameworks). Update accepted-risks list.	Threat models age. Yours and the embedder's.
Annually	Access review on the audit-stream destination: who can read the audit log, who can write, who can delete	An audit log nobody but the right people can touch is worth more than a perfect signature.
Annually	Off-boarding drill (dry-run): confirm the off-boarding plan in Section 6 still executes cleanly against current architecture	Untested rollback plans are a fiction your incident response can't rely on.

6. Off-boarding plan

How to safely remove KGE from your stack. Treat as a one-quarter operation, not a one-day operation — the audit-stream history needs to remain available for buyer-side compliance even after you stop emitting new events.

Decision (Week 0): The off-boarding ticket goes through the same CAB that approved the rollout. Document the reason (commercial, technical, strategy, or replacement-with-alternative).
Stop new emission (Week 1): Disable the SDK in code paths via feature flag. Verify event volume drops to zero in SIEM. The buffered events still in flight will flush within a few minutes.
Verify the historical record (Week 2): Run your full hash-chain verification against the entire retained audit log. If anything is broken, fix it now — once the SDK is removed, you've lost the live verifier.
Archive (Week 4-12): Export the audit log to long-term retention storage per your data-retention schedule. Confirm the buyer-side Decision Card + public verification key are archived alongside so the log remains independently verifiable.
Remove (Week 13): npm uninstall kinetic-gain-embedded, redeploy. The audit log is now read-only history. Update your data-retention schedule + vendor register.
Post-mortem (Week 14): If this was a replacement, document why; if commercial, document the cost driver. Inform the embedder for product-feedback purposes (this is courtesy, not a contractual obligation).

Don't delete the historical audit log when you remove the SDK. Your customers' auditors may ask to see records covering periods after you've stopped using KGE. The log is your evidence; treat it as evidence you would in any other vendor-departure scenario.

7. Reference materials

Everything below is intended to be read end-to-end before approval, then referenced as needed during operations.

Vendor-side artifacts

Threat model — what the SDK protects against, trust boundaries, failure modes
5-min integration walkthrough — for your engineering team
Synthetic HealthTech rollout case study — what a real deployment looks like
Kinetic Gain security posture — 17 defensive layers, each with verifiable evidence
Signing policy — how the ed25519 keypair is managed
SECURITY.md — coordinated disclosure process
Procurement packet — 17-section diligence response (4 sections verifiable in code)

Your-side artifacts (Trust Pack tooling — free)

AI Vendor Intake — formal intake form for evaluating KGE (or any AI vendor)
Vendor AI Disclosure Review — 10-dimension rubric for scoring the embedder's disclosures
DPIA Lite — GDPR Art 35 scaffold for the processing activity that uses KGE
Risk Register — board-readable starter; add your KGE-specific entries
Subprocessor Disclosure Template — if KGE becomes one of yours
AI Tabletop Kit — for the annual incident-response drill

Standing reference (always-on)

/.well-known/security.txt — RFC 9116 vendor security contact
/.well-known/pulse-signing.json — current ed25519 public key + algorithm
GitHub security advisories
npm package — provenance, SBOM attached to each release

Ask a question Back to overview