@profithooks/auditai-sdk
v1.0.0
Published
AuditAI — AI-native compliance & audit capture SDK. Drop-in plugin to capture, redact, hash-chain, and audit every LLM decision. Framework-agnostic: works in MERN, MEAN, Next.js, plain Node, or the browser.
Maintainers
Readme
@auditai/sdk
AI-native compliance & audit capture — a drop-in plugin that captures, redacts, hash-chains, and audits every LLM decision your app makes.
@auditai/sdk is framework-agnostic. One install, then pick the adapter for your stack. It sends a structured, PII-redacted event envelope to the AuditAI service (async, non-blocking, offline-resilient), where it is classified, mapped to regulations (ECOA/FCRA in the MVP), risk-scored, and sealed into a tamper-evident chain.
npm install @profithooks/auditai-sdkEndpoint
By default the SDK sends events to the hosted AuditAI service at
https://api.mark48.com. Override it with the AUDITAI_ENDPOINT environment
variable or the endpoint option — e.g. http://localhost:5050 when running the
AuditAI server locally.
Platform support (one core, many adapters)
| Platform / Stack | Adapter | Import |
|---|---|---|
| Any Node app using OpenAI (Express, Nest, Next.js API routes, plain Node) | wrapOpenAI | @auditai/sdk/openai |
| MERN / MEAN backends (Express) | auditaiExpress middleware → req.auditai | @auditai/sdk/express |
| React / Angular / Vue / any frontend or non-OpenAI backend | new AuditAI().capture() | @auditai/sdk |
The capture pipeline (envelope, PII redaction, hashing, queue, retry, transport) is identical across all adapters — only the integration glue differs.
1. OpenAI wrapper — works in any JS runtime
The most universal adapter: wrap your existing OpenAI client; the API is identical, every call is audited.
const OpenAI = require('openai');
const { wrapOpenAI } = require('@auditai/sdk/openai');
const openai = wrapOpenAI(new OpenAI({ apiKey: process.env.OPENAI_API_KEY }), {
apiKey: process.env.AUDITAI_API_KEY,
// endpoint defaults to https://api.mark48.com; set AUDITAI_ENDPOINT to override
appId: 'loan-origination-v2',
useCase: 'credit_decision', // drives regulation mapping
environment: 'production',
});
// Identical call — AuditAI intercepts, redacts, logs, forwards. Response unchanged.
const res = await openai.chat.completions.create({
model: 'gpt-4o',
messages: [{ role: 'user', content: 'Should we approve this loan?' }],
auditai_context: { decision_id: 'loan-12345', requested_amount: 50000 }, // optional, stripped before egress
});2. MERN / MEAN backends — Express middleware
Adds a request-scoped req.auditai with hashed IP / user / route context pre-filled.
const { auditaiExpress } = require('@auditai/sdk/express');
app.use(auditaiExpress({
apiKey: process.env.AUDITAI_API_KEY,
endpoint: process.env.AUDITAI_ENDPOINT,
appId: 'my-api',
useCase: 'credit_decision',
}));
app.post('/score', async (req, res) => {
const out = await openai.chat.completions.create({ model: 'gpt-4o', messages });
req.auditai.capture({ request: { model: 'gpt-4o', messages }, response: out });
res.json(out);
});MEAN = same Express backend adapter; the Angular frontend uses adapter #3 to record any client-side AI interactions or to surface compliance state.
3. Frontend / non-OpenAI — manual capture
Framework-agnostic. Use anywhere (Angular service, React hook, Vue, a non-OpenAI backend):
import { AuditAI } from '@auditai/sdk';
const audit = new AuditAI({
apiKey: import.meta.env.VITE_AUDITAI_KEY,
endpoint: import.meta.env.VITE_AUDITAI_ENDPOINT,
appId: 'web-advisor',
useCase: 'credit_decision',
});
audit.capture({
request: { model: 'gpt-4o', messages: [{ role: 'user', content: prompt }] },
response: { choices: [{ message: { content: answer } }], usage },
latencyMs: 840,
context: { decision_id: 'loan-9' },
});What the SDK does on every capture
- Redacts PII before anything leaves the host process (SSN, credit card [Luhn-checked], email, phone, DOB, account #, IP, honorific names). Extensible patterns.
- Builds the canonical event envelope (request, response, model, tokens, latency, declared use case, metadata).
- Computes a client-side content hash (
sha256) for payload integrity. The authoritative tamper-evident chain is sealed server-side. - Queues async and flushes in batches with exponential-backoff retry; buffers in memory when the network is down. Never blocks your request path.
Options
| Option | Default | Description |
|---|---|---|
| apiKey | env AUDITAI_API_KEY | AuditAI ingest key |
| endpoint | env AUDITAI_ENDPOINT / https://api.mark48.com | AuditAI service base URL |
| appId | default-app | AI system identifier |
| useCase | general | e.g. credit_decision — selects applicable regulations |
| environment | NODE_ENV / production | deployment env |
| redactPII | true | redact before egress |
| flushInterval | 2000 ms | background flush cadence (0 = manual only) |
| maxBatch / maxQueue / maxRetries | 20 / 10000 / 5 | queue tuning |
| onError(err) | – | callback on permanent flush failure |
wrapOpenAI(...) / new AuditAI({ client }) also expose .capture(), .flush(), .close(), .stats() on the returned object.
Roadmap (kept in the interface)
The envelope and adapter contract are forward-compatible with the platform vision: reverse-proxy & API-gateway capture, agent-runtime hooks (LangChain/CrewAI), a Python SDK, and additional regulation packs — all emit the same envelope this SDK already produces.
MIT licensed.
