Free · Apache-2.0 · Local-only · Audit-ready

@tenet/offboarding-audit

Local CLI that audits an employee roster for ghost accounts, shadow-AI tool access, stale admin roles, and contractor expiry blind spots. Runs from npx, ships a 40-row demo, appends a hash-only audit log to ~/.tenet/audit.jsonl.

Deterministic. Local. Auditable. Apache-2.0. Zero network calls — you can test-drive the same 7 heuristics in your browser without installing anything.

Install

v0.1.0 is available right now as a downloadable tarball while we wait for npm registry signup approval. The tarball is a regular npm package — point npm install at the URL and it works identically to a registry install.

# Run instantly against the bundled 40-row demo (30 KB tarball)
npx -y https://tenet.grindworks.ai/tenet-offboarding-audit-0.1.0.tgz --demo

# Global install
npm install -g https://tenet.grindworks.ai/tenet-offboarding-audit-0.1.0.tgz

# Audit your own roster CSV
tenet-audit path/to/employees.csv

# Shortly (once the registry name is claimed):
npm install -g @tenet/offboarding-audit

Node 20+ required. Pure JavaScript (no native dependencies).

Checksum: sha256:e9445b3e9ba17c89e425215bd5ef8f6819c6e1e783eef818b1ac5a7bc1347e4e. Verify before installing in a regulated environment: curl -sSf https://tenet.grindworks.ai/tenet-offboarding-audit-0.1.0.tgz | shasum -a 256

Usage

# Audit the bundled sample (40 employees across 4 statuses)
tenet-audit --demo

# Audit your own roster
tenet-audit employees.csv

# JSON for pipelines / piping to jq
tenet-audit employees.csv --format=json

# Markdown for a runbook or Notion paste-in
tenet-audit employees.csv --format=md > report.md

# CSV for auditors
tenet-audit employees.csv --format=csv > findings.csv

# Print the heuristic catalog
tenet-audit --list-rules

Expected CSV schema

Export from your HRIS; extra columns are ignored. Required:

Column                Notes
employee_id           Any stable internal ID
email                 Corporate email
status                active | terminated | leave | contractor
termination_date      ISO YYYY-MM-DD (required when status=terminated)
leave_start_date      ISO YYYY-MM-DD (required when status=leave)
contractor_end_date   ISO YYYY-MM-DD (required when status=contractor)
role_level            ic | manager | director | admin | super_admin | owner | root
apps_accessed         JSON array ["slack","github"] OR semicolon list slack;github

Heuristic catalog (7 built-in rules)

Exact logic lives in src/heuristics.ts — read it, modify it, contribute additions. Stable rule IDs mean an auditor six months later can trace any finding back to the rule that fired.

H01 · high

Terminated employee still in at least one SaaS app

Baseline ghost-account condition. HRIS says terminated; app says active.

H02 · high

Chronic ghost (terminated >90 days with any app access)

90-day line aligns with the typical SOC 2 access-review cadence and NY SHIELD §899-bb reasonable-controls standard.

H03 · critical

Terminated employee still holding high-sensitivity or admin app access

Same-day revocation finding. Blast radius covers the full customer data surface.

H04 · high

Terminated employee with AI tool access (shadow-AI audit)

EU AI Act Article 26(1) operator record at risk. Orphaned AI-tool seat on a former employee = failed audit.

H05 · medium

Employee on leave >180 days still holding admin role

Extended leave frequently outruns the access-review cadence. Routed to the VP People review queue.

H06 · high

Contractor past end-date still active in apps

Contractors occupy a blind spot between HRIS (often doesn't track them) and IAM (long-lived access).

H07 · critical

Terminated employee retained admin or super_admin role marker

For regulated entities, crosses the NYDFS 23 NYCRR 500 72-hour revocation line.
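
The catalog above in working form, as an added example that is not the package's own src/heuristics.ts: a minimal re-implementation of H01, H02, H03, H06 and H07 over constructed rows in the CSV schema. The set of apps that count as "high-sensitivity or admin" for H03 is an assumption; the page does not list them.

```javascript
// Added example, not the package's own src/heuristics.ts: a minimal
// re-implementation of rules H01, H02, H03, H06 and H07 over rows that follow
// the CSV schema above. Which apps count as "high-sensitivity/admin" for H03
// is an assumption here; the page does not list them.
const ADMIN_ROLES = new Set(["admin", "super_admin"]); // H07 role markers
const SENSITIVE_APPS = new Set(["aws", "github"]);     // assumed H03 app set
const DAY_MS = 86_400_000;

// apps_accessed is either a JSON array or a semicolon-separated list.
function parseApps(field) {
  const s = String(field ?? "").trim();
  if (s.startsWith("[")) return JSON.parse(s).map((a) => String(a).toLowerCase());
  return s ? s.split(";").map((a) => a.trim().toLowerCase()).filter(Boolean) : [];
}

// Whole days between an ISO date and "today" (ms timestamp); NaN if absent.
function daysSince(isoDate, today) {
  return Math.floor((today - Date.parse(isoDate)) / DAY_MS);
}

// Findings for one roster row, as {heuristicId, severity, email}.
function evaluateRow(row, today) {
  const apps = parseApps(row.apps_accessed);
  const out = [];
  const hit = (heuristicId, severity) => out.push({ heuristicId, severity, email: row.email });
  if (row.status === "terminated") {
    if (apps.length > 0) hit("H01", "high");                               // any app still active
    if (apps.length > 0 && daysSince(row.termination_date, today) > 90) hit("H02", "high");
    if (apps.some((a) => SENSITIVE_APPS.has(a))) hit("H03", "critical"); // sensitive/admin app
    if (ADMIN_ROLES.has(row.role_level)) hit("H07", "critical");         // role marker retained
  }
  if (row.status === "contractor" && apps.length > 0 &&
      daysSince(row.contractor_end_date, today) > 0) hit("H06", "high"); // past end date
  return out;
}

// Constructed roster rows; "today" is pinned so the result is deterministic.
const TODAY = Date.parse("2026-04-17");
const DEMO_ROWS = [
  { employee_id: "e1", email: "a@example.com", status: "active", role_level: "ic",
    apps_accessed: '["slack","github"]' },
  { employee_id: "e2", email: "b@example.com", status: "terminated", termination_date: "2025-12-01",
    role_level: "admin", apps_accessed: "slack;github" },
  { employee_id: "e3", email: "c@example.com", status: "contractor", contractor_end_date: "2026-03-31",
    role_level: "ic", apps_accessed: "slack" },
];

function auditRoster(rows, today = TODAY) {
  return rows.flatMap((r) => evaluateRow(r, today));
}
```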

Audit log format

Every tenet-audit run appends one JSONL line to ~/.tenet/audit.jsonl:

{"ts":"2026-04-17T09:45:12.345Z","session_id":"a1b2c3d4e5f60708",
 "version":"0.1.0","event":"offboarding_audit_run","source":"file",
 "input_digest":"8f2a7c1e9b4d5a62","employee_count":412,"findings_count":37,
 "counts_by_severity":{"critical":3,"high":27,"medium":7,"low":0},
 "findings_digests":[
   {"heuristicId":"H03","severity":"critical",
    "emailDigest":"d7a4f1e09c6b3520","priority":1}
 ]}

No plaintext employee data is ever logged: only lengths, counts, and SHA-256 digests truncated to 16 hex chars. This is deliberate: the audit log is the artifact an auditor reviews, so it must not become a new CCPA / CPRA liability by retaining plaintext email addresses of former employees.

CCPA / CPRA alignment

Satisfies CCPA §1798.105 (right to delete) and §1798.110 (right to know) use-case tracking because it records evidence of action without retaining the subject’s PII. Pair with your application-layer deletion pipeline.

NY SHIELD Act §899-bb mapping

“Reasonable administrative safeguards, including regular risk assessments and training” — the run cadence IS the assessment; the log is the evidence of the assessment.

Colorado AI Act (SB 205)

Documents operator-consequential decisions on employment AI systems. Shadow-AI findings (H04) map directly to the developer + deployer evidence requirement.

EU AI Act Article 26(1) mapping

Article 26(1) requires “maintained records of AI system use.” When H04 fires for a former employee, the log proves (a) the operator detected the orphaned AI-tool grant, (b) which rule fired with which severity, and (c) a tamper-evident digest of both the input roster and the subject’s identity — without retaining the plaintext.

Environment variables

Var              Default                  Purpose
TENET_LOG_DIR    ~/.tenet/                Directory where the audit log is written
TENET_LOG_PATH   {LOG_DIR}/audit.jsonl    Full audit log path override

What this CLI does NOT do (v0.1 scope)

  • No live SaaS connectors. Reads a CSV you exported. Does not call Okta, Rippling, Workday, or vendor APIs. That’s the hosted product. This is the local spot-check.
  • No revocation. Output is a ranked report with reason + priority. Human takes the action.
  • No ML classifier. Every rule is deterministic TypeScript. Your CISO can reproduce every finding by hand.
  • No centralized reporting. One machine, one audit log. Fleet aggregation is the hosted product.
  • No guaranteed zero false negatives. Long-tail mid-market SaaS may slip. Contribute additions via GitHub.

Upgrade to hosted Tenet

The open-source CLI is the start. When you need:

  • 40+ SaaS connectors reading actual IAM / HRIS / finance state (not a CSV export)
  • Shadow-AI discovery via email telemetry + finance signal + browser telemetry
  • Per-subject state-privacy evidence export for CCPA, CPRA, NY SHIELD, Colorado AI Act, Virginia CDPA, Connecticut CTDPA, Texas TDPSA
  • EU AI Act Article 26 operator record templates
  • Tri-buyer UX (VP People policy docs, CIO SCIM health, CISO shadow-AI register, Compliance DSAR-ready export)
  • Connector write-back to 40+ apps via SCIM/API + admin-console workflow wrappers for long-tail

Join the design-partner waitlist. Reply with “tenet-cli user” to seungdo@grindworks.ai for a 15-min design-partner conversation this week.