{"id":50453932,"url":"https://github.com/mizcausevic-dev/financial-decision-record-audit-stream-reference","last_synced_at":"2026-06-01T01:05:28.016Z","repository":{"id":361696504,"uuid":"1254842226","full_name":"mizcausevic-dev/financial-decision-record-audit-stream-reference","owner":"mizcausevic-dev","description":"AGPL-3.0 reference impl of FinTech audit-stream. 2 orthogonal invariants: FCRA §604 permissible-purpose on every credit-bureau pull + human-credit-officer on adverse recommendations (Reg B + FCRA §615 + CFPB Circular 2023-03). Runs Meridian × CreditMind v4.x trajectory end-to-end.","archived":false,"fork":false,"pushed_at":"2026-05-31T20:43:17.000Z","size":26,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-31T22:18:32.339Z","etag":null,"topics":["audit-stream","cfpb","credit-decisioning","ecoa-reg-b","fcra","fintech","kinetic-gain-protocol-suite","reference-implementation","section-604"],"latest_commit_sha":null,"homepage":"https://suite.kineticgain.com/verticals/fintech/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mizcausevic-dev.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-31T04:13:39.000Z","updated_at":"2026-05-31T20:43:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mizcausevic-dev/financial-decision-record-audit-stream-reference","commit_stats":null,"previous_names":["mizcausevic-dev/financial-decision-record-audit-stream-reference"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/mizcausevic-dev/financial-decision-record-audit-stream-reference","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mizcausevic-dev%2Ffinancial-decision-record-audit-stream-reference","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mizcausevic-dev%2Ffinancial-decision-record-audit-stream-reference/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mizcausevic-dev%2Ffinancial-decision-record-audit-stream-reference/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mizcausevic-dev%2Ffinancial-decision-record-audit-stream-reference/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mizcausevic-dev","download_url":"https://codeload.github.com/mizcausevic-dev/financial-decision-record-audit-stream-reference/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mizcausevic-dev%2Ffinancial-decision-record-audit-stream-reference/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33755377,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit-stream","cfpb","credit-decisioning","ecoa-reg-b","fcra","fintech","kinetic-gain-protocol-suite","reference-implementation","section-604"],"created_at":"2026-06-01T01:05:27.273Z","updated_at":"2026-06-01T01:05:28.008Z","avatar_url":"https://github.com/mizcausevic-dev.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# financial-decision-record-audit-stream-reference\n\n\u003e **AGPL-3.0 reference implementation of [`financial-decision-record-audit-stream`](https://github.com/mizcausevic-dev/financial-decision-record-audit-stream).** Runs the Meridian Financial × VendorF CreditMind v4.x credit-decisioning trajectory end-to-end. Proves the FinTech audit-stream design works: **2 orthogonal invariants** enforced at vault-request-time AND independently at verifier-time — FCRA §604 permissible-purpose on every credit-bureau pull + human-credit-officer on every adverse-action-capable recommendation.\n\nPart of the [Kinetic Gain Protocol Suite](https://suite.kineticgain.com).\n\nSibling to [`fhir-resource-access-audit-reference`](https://github.com/mizcausevic-dev/fhir-resource-access-audit-reference) (HealthTech), [`matter-decision-record-audit-stream-reference`](https://github.com/mizcausevic-dev/matter-decision-record-audit-stream-reference) (LegalTech), [`grid-decision-record-audit-stream-reference`](https://github.com/mizcausevic-dev/grid-decision-record-audit-stream-reference) (EnergyTech), [`defense-decision-record-audit-stream-reference`](https://github.com/mizcausevic-dev/defense-decision-record-audit-stream-reference) (DefenseTech), and [`government-decision-record-audit-stream-reference`](https://github.com/mizcausevic-dev/government-decision-record-audit-stream-reference) (GovTech).\n\n## What this proves\n\nThe FinTech spec ships with two invariants that interlock differently from any other vertical:\n\n1. **FCRA §604 permissible-purpose on every credit-bureau pull** — every event with `action: \"pull-credit-report\"` MUST carry `agent.fcra_permissible_purpose` set to one of the 8 enumerated FCRA §604 purposes. The credit bureaus (TransUnion / Equifax / Experian) require this on every API request; failures are §604(a) violations under 15 USC §1681b. This is the **strongest per-event regulatory citation in the Suite** — no other vertical requires a specific statutory section to be named on the request.\n2. **human-credit-officer on adverse-action-capable kinds** — every event whose kind is in the adverse-action-capable set AND whose `outcome.recommendation` is adverse (decline, approve-with-conditions, counter-offer, freeze, reduce-line, close) MUST carry `agent.human_credit_officer_id_tokenized`. Maps to ECOA Reg B 12 CFR §1002.9 (30-day adverse-action notice) + FCRA §615 (15 USC §1681m) which both require an identifiable human credit officer accountable for the decision. CFPB Circular 2023-03 specifically reaffirmed this requirement for AI-driven adverse actions.\n\n## Architecture\n\n```\norchestrator.mjs (4 steps)\n   │\n   ├─ requests access via credit-vault.mjs (enforces both invariants)\n   │\n   ├─ builds hash-chained event via event-builder.mjs (canonical-JSON SHA-256)\n   │\n   └─ emits to examples/meridian-creditmind-reference-stream.ndjson\n\nverifier.mjs (independent, post-hoc)\n   │\n   ├─ chain integrity (each prev_hash = prior hash)\n   ├─ invariant #1: FCRA §604 permissible-purpose on credit-bureau pulls\n   └─ invariant #2: human-credit-officer on adverse-action-capable recommendations\n```\n\n## Run it\n\n```bash\ngit clone https://github.com/mizcausevic-dev/financial-decision-record-audit-stream-reference\ncd financial-decision-record-audit-stream-reference\nnpm install\nnpm start    # 4-step trajectory + verifier\nnpm test     # 9 unit tests including vault-denial + verifier-trip cases\n```\n\nExpected output:\n```\nBuilt 4 events → examples/meridian-creditmind-reference-stream.ndjson\nOK · 4 events · chain ✓ · 2 invariants ✓ (FCRA §604 permissible-purpose + human-credit-officer)\n```\n\n## Canonical trajectory — Meridian Financial × VendorF CreditMind v4.x\n\n| Step | Event | Invariant exercised |\n| --- | --- | --- |\n| 1 | Credit application received | (none — informational) |\n| 2 | Credit-bureau report pulled | **#1 — cites FCRA §604(a)(3)(A) \"credit transaction initiated by consumer\"** |\n| 3 | AI score produced (advisory-only) | (none — informational, not adverse-action-capable) |\n| 4 | Application decision recommended (approve-with-conditions) | **#2 — adverse-recommendation requires human credit officer ID** |\n\nEven step 4's `approve-with-conditions` triggers the human-officer rule because conditional approvals carry adverse-action notification obligations under Reg B (counter-offer terms must be disclosed with reasons).\n\n## FCRA §604 permissible-purpose enumeration\n\nThe vault + verifier recognize 8 statutory purposes:\n\n| Purpose | Common operational use |\n| --- | --- |\n| `604(a)(1)-court-order-or-subpoena` | Litigation discovery |\n| `604(a)(2)-consumer-written-instructions` | Customer-authorized inquiries (e.g. mortgage prequalification) |\n| `604(a)(3)(A)-credit-transaction-initiated-by-consumer` | **Most common** — applicant applied for credit |\n| `604(a)(3)(B)-employment-purposes-with-disclosure-and-consent` | Background checks (separate FCRA workflow) |\n| `604(a)(3)(C)-insurance-underwriting` | Insurance applications |\n| `604(a)(3)(D)-license-determination` | Government licensing |\n| `604(a)(3)(E)-legitimate-business-need-account-review` | Existing-customer account reviews |\n| `604(a)(3)(F)-legitimate-business-need-transaction-initiated` | Existing-customer new-transaction requests |\n\nThe verifier rejects any purpose string outside this set.\n\n## Vault denial scenarios (covered by tests)\n\n| Failure mode | Reason |\n| --- | --- |\n| Bureau pull without FCRA permissible purpose | \"Credit-bureau pull requires fcra_permissible_purpose citation per FCRA §604\" |\n| Bureau pull with unrecognized purpose | `\"i-just-want-the-credit-report\"` → rejected as not in the §604 enumeration |\n| Adverse credit decision without human credit officer | \"Adverse-action-capable kind X with recommendation Y requires human_credit_officer_id_tokenized\" |\n| Non-adverse decision (clean approve) without human officer | Permitted — clean approvals don't trigger adverse-action notice obligations |\n\n## Composes with\n\n- [`financial-decision-record-audit-stream`](https://github.com/mizcausevic-dev/financial-decision-record-audit-stream) — the spec this implements\n- [`cfpb-readiness-evidence-bundle`](https://github.com/mizcausevic-dev/cfpb-readiness-evidence-bundle) — evidence bundle that ingests events produced here\n- [`financial-ai-incident-card-profile`](https://github.com/mizcausevic-dev/financial-ai-incident-card-profile) — any invariant failure becomes a published Incident Card\n- [`state-financial-ai-disclosure-tracker`](https://github.com/mizcausevic-dev/state-financial-ai-disclosure-tracker) — regulatory-lifecycle context (NY Part 500, CA CCFPL, CO SB 24-205, etc.)\n- [`financial-customer-data-vault-contract-profile`](https://github.com/mizcausevic-dev/financial-customer-data-vault-contract-profile) — vault contract for the 17 financial data categories\n- [Kinetic Gain Protocol Suite](https://suite.kineticgain.com) — umbrella\n\n## Compliance posture\n\nReference implementation **readiness scaffolding** for CFPB + OCC 2011-12 + FRB SR 11-7 + ECOA Reg B + FCRA Reg V + GLBA Safeguards + BSA/AML + Section 1071 + Section 1033 + CFPB UDAAP. Does NOT constitute CFPB examination approval, OCC fair-lending compliance, or model-risk-management attestation. The mock credit vault is in-memory — production deployments must route real bureau pulls through TransUnion/Equifax/Experian APIs with the cited purpose in the request header, log per-pull audit trails meeting ECOA's 25-month recordkeeping requirement, and integrate with the lender's identified credit-officer workforce. Per the standing Suite public-language guardrail: *readiness · evidence · posture · controls · scaffolding* — never \"compliant\" / \"certified\" without external attestation.\n\n## License\n\nAGPL-3.0-only. Spec repos this depends on remain MIT.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmizcausevic-dev%2Ffinancial-decision-record-audit-stream-reference","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmizcausevic-dev%2Ffinancial-decision-record-audit-stream-reference","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmizcausevic-dev%2Ffinancial-decision-record-audit-stream-reference/lists"}