What started as a single video watermarker is now a four-tool, in-browser media-provenance suite: mark, seal, scan, and verify — every byte processed locally, anchored to post-quantum signatures, distributed as one self-contained file. This atlas maps what exists, proposes an enterprise structure, and names what's missing.
Read top-down: what the user touches, the engine beneath it, the cryptographic provenance it anchors to, the brand it wears, and how it reaches the world. Each chip is a real artifact in the tree — colored by whether it ships today.
The honest count, grouped by domain. Engine modules are proven (headless BER/PSNR, scanner attack corpus, real-browser export). The duplication and the scattered tools are the structural debt.
invisible-mark.js — spread-spectrum luma markBER 0 · 45dBwatermark.js — visible logo + encode orchestrationH.264file-scanner.js — 9-daemon vuln swarm7/7 attacksuniversal-sealer.js — manifest + .epochsealAES-256seal-ui.js · stack-panel.jsUImp4-muxer.min.js · webcodecs-export.jsmediakem-envelope-client.js — ML-KEM-1024needs bundleepochcore-api.js · receipt-drawer.jsprovenanceCombine Videos.htmlmergeVolume Splice.htmlaudioOne-Word Overlay.htmlcaptionFix Pronunciation.htmlaudioAuto-Merge Two.htmlseamcolors_and_type.css — two faces, one substratetokensui_kits/epochcore-app/ — App face8 jsxui_kits/epochpay-marketing/ — specimen11 jsx_shared/ — brand-mark, seed-lattice, palettesigilspreview/ — design-system cards29brand-kit/ — logo, icon, swarm sigil (SVG+PNG)7product-packs/ — 5 SMB coverspnglogos/ — IBM Business Partner lockups2animations/ — Atoms, Scenes, Runwayjsxscreenshots/ — proof captures4portable.html — self-contained, offline367KBWATERSEAL.json — 12-asset hash manifestsealedHANDOFF.md — propagation runbookdocepoch-core-worker — CF apex serve+verifygatedPQC_CRYPTO_BUNDLE_SPEC.md — awaiting buildspecThe fix for the structural debt: tools become apps/, engine modules become versioned packages/ (kills the duplication), the design system gets its own root, and the ephemeral proofs become a permanent tests/ harness. Color-coded by what exists vs. what to create.
epochcore-platform/ ├─ README.md # have ├─ VERSION.json # create — single source of build/version truth ├─ PLATFORM_ATLAS.html # this document │ ├─ apps/ # user-facing tools — each self-contained │ ├─ watermarker/ # have — video mark + seal │ ├─ sealer/ # partial — currently fused into watermarker; split out │ ├─ verifier/ # CREATE — drop file+seal → verdict; drop video → recover mark │ ├─ merge/ # have — combine · splice · overlay · pronounce · auto-merge │ └─ launcher/ # CREATE — single front door routing to every tool │ ├─ packages/ # shared, versioned libraries — kills the duplication │ ├─ crypto/ │ │ ├─ invisible-mark.js # have │ │ ├─ kem-envelope-client.js # partial │ │ ├─ epochcore-pqc-crypto.js # CREATE — vetted noble bundle (local esbuild) │ │ └─ audio-mark.js # CREATE — spread-spectrum for audio-only files │ ├─ provenance/ │ │ ├─ epochcore-api.js # have — QPC/WORM client (de-dupe from merge2) │ │ ├─ universal-sealer.js # have │ │ └─ receipt-drawer.js # have │ ├─ security/ │ │ └─ file-scanner.js # have — 9-daemon swarm │ ├─ media/ │ │ ├─ webcodecs-export.js # have │ │ └─ mp4-muxer.min.js # have — local, no CDN │ └─ ui/ │ └─ stack-panel.js # have │ ├─ design-system/ # have — promote to first-class root │ ├─ colors_and_type.css # canonical tokens — never re-derive │ ├─ ui_kits/ # app + marketing + _shared │ ├─ brand-kit/ # logo · icon · swarm sigil │ └─ preview/ # 29 design-system cards │ ├─ tests/ # CREATE — make the ephemeral proofs permanent │ ├─ invisible-mark.spec.mjs # BER / PSNR / wrong-key │ ├─ file-scanner.spec.mjs # malicious-file corpus │ ├─ kem-envelope.spec.mjs # round-trip + tamper │ └─ fixtures/ # clips · attack samples │ ├─ dist/ # built portable artifacts + WATERSEAL.json ├─ infra/ # epoch-core-worker + flash-sync (local agent's domain) └─ docs/ # consolidate ├─ HANDOFF.md # have ├─ ARCHITECTURE.md # CREATE — the layer map, in prose └─ THREAT_MODEL.md # CREATE — what the marks/seals do and don't defend
Ranked by leverage. The verifier and the launcher are the two highest-value additions — a provenance product that can mark but can't verify is half a product, and a suite with no front door reads as scattered scripts.
The whole platform marks & seals but has no first-class tool to verify: drop a file + its .epochseal → SHA + signature verdict; drop a watermarked video → recover the invisible mark. Verification is half the value of provenance — and the marketing kit already promises a "public verifier."
Watermarker, sealer, merge ×5, verifier live as scattered HTML files. An enterprise suite needs one home that routes to every tool, carries the brand, and shows the current build/seal. Today there is no single entry point.
kem-envelope-client.js matches your canonical FIPS-203 format exactly but is inert until the vetted epochcore-pqc-crypto.js (noble, offline esbuild) lands. One local build command unblocks recipient-encrypted .epochcrypt.
The watermarker and merge tools use an ad-hoc gold #c9a86a / #0c0d10 palette — not the canonical Swarm Violet #7d5bf4 App face. They look like different products. Reskin to colors_and_type.css tokens.
epochcore-api.js, receipt-drawer.js, webcodecs-export.js are copied into both epochcore-watermarker/ and merge2/. Promote to packages/ and import once — a single source of truth per module.
Every BER/PSNR proof, scanner attack run, and envelope round-trip lived in throwaway scripts. For an enterprise crypto product the proofs must be permanent, re-runnable artifacts in tests/ — they are the evidence layer.
The invisible mark is luma-domain (video/image). Audio files currently ride the video path. The "mark any media" promise needs a real audio spread-spectrum mark for standalone .wav / .mp3 / .flac.
The invisible mark survives the tool's own encode (Tier A, proven). Surviving a hostile third-party transcode needs the WASM-DCT + sync-template upgrade. Right call for the entertainment/social subset, additive on the proven base.
The BrandMark wordmark calls for Geist; it currently renders in system-ui fallback. Drop in the TTF/WOFF to close the one known brand-fidelity caveat.