Current product position:
- evidence package receipt
- event-driven processing
- traceability and attribution
- source-specific adapters on top of a common ERP core
CREEP is no longer described here as an all-at-once digital factory.
The current wedge product is a practical ERP kernel that can:
- receive upstream evidence packages
- normalize stable identifiers and observations
- emit internal workflow events
- support failure-path tracing and attribution
The near-term implementation focus is:
- baseline-like package intake
- bronze, silver, and traceability layers
AssetEventas the audit backboneWasmas a tagger, scorer, or rules step
src/api/for API endpointssrc/engine/for event bus, worker logic, and wasm executionsrc/oracles/for source-specific ingest adaptersdeploy/sql/for schema and migrationsschemas/for canonical contractsdocs/for architecture, guides, and historical direction notes
docs/architecture/evidence-traceability-core.mddocs/architecture/hardware-fingerprint-grade-policy-v1.mddocs/guides/vcompose-light-containers.mddocs/guides/evidence-kernel-resident-ops.mddocs/guides/getting-started.mddocs/guides/evidence-trace-intake.mddocs/gaol.mdfor the earlier long-horizon visiondocs/research/hardware-fingerprint-internal-use-interview.mddocs/research/ip-internal-use-interview.mddocs/research/creep-internal-consumer-intro-email.mddocs/research/creep-fingerprint-export-schema-v0.1.jsondocs/research/creep-asset-feedback-schema-v0.1.jsondocs/research/ascension-first-wave-bridge-coordination-email.mddocs/research/ascension-first-wave-bridge-v0.1-freeze.mddocs/architecture/erp-evaluation-harness-v0.1.mddocs/architecture/feedback-taxonomy-v0.1.mddocs/reports/burnbag-baseline-20260424.mddocs/guides/cap010-live-evidence-bridge.mddocs/guides/cap010-live-dry-run-checklist.mddocs/research/cap010-live-bridge-ready-email.mddocs/architecture/payment-asset-sandbox-v0.1.mddocs/runbooks/cap010-creep-e2e-v0.1.mddocs/reports/cap010-creep-live-small-sample-20260604.mddocs/architecture/stripe-issuing-capability-evidence-v0.1.mddocs/architecture/tiny-live-authorization-plan-v0.1.mddocs/architecture/stripe-realtime-authorization-decision-v0.1.mddocs/architecture/stripe-webhook-boundary-harness-v0.1.mddocs/architecture/stripe-live-handler-readiness-v0.1.mddocs/architecture/vcc-real-money-gate-closeout-v0.1.mddocs/architecture/vcc-live-execution-gate-v0.1.mddocs/architecture/vcc-operator-arming-gate-v0.1.mddocs/architecture/vcc-master-key-operator-closeout-v0.1.mddocs/architecture/super-ledger-store-ingestion-v0.1.md
python -m uvicorn src.api.app:app --host 0.0.0.0 --port 8000python -m src.evidence.baseline_ingest --input-dir <path> --tenant <tenant> --env <env>python -m src.evidence.normalize_worker --oncepython -m src.evidence.trace_worker --oncepython -m src.evidence.lineage_smoke --tenant <tenant> --env <env>python -m src.assets.hardware_fingerprint.ascension_export \
--tenant <tenant> \
--env <env> \
--project <project> \
--task <task_id> \
--grade-min 1A \
--count 10 \
--output out/ascension/creep-fingerprint-export.jsonpython -m src.assets.feedback_ingest \
--input ascension-feedback.jsoncurl -H "X-API-Key: $ERP_API_KEY" \
"$CREEP_API/api/v1/asset-feedback/events?recommended_asset_action=quarantine"curl -H "X-API-Key: $ERP_API_KEY" \
"$CREEP_API/api/v1/asset-feedback/disposition-summary?consumer_system=ascension"python -m src.assets.feedback_review_smoke \
--tenant system_default \
--env prod \
--project ascension-first-wave \
--count 8 \
--output-dir out/feedback-review-smoke \
--no-redis \
--jsonCAP010 production /verify-shell data lands in oracle_events_7a first, then bridges into the generic evidence core:
python -m src.oracles.cap010.kv_importer --once --kv-only
python -m src.oracles.cap010.live_bridge \
--once \
--source-kind cap010-live \
--tenant cap010 \
--env prod \
--output out/cap010-live-dry-run/bridge-summary.json \
--jsonThe bridge keeps plan_id optional, defaults live observed fingerprints to grade_code=1A, and reports missing live fields as warning/gap metrics instead of rejecting the row.
Latest small-sample acceptance:
docs/reports/cap010-creep-live-small-sample-20260604.md
oracle_events_seen=11
observations_inserted=11
observations_deduped_on_rerun=11
rejects_recorded=0
trace_by_sid=RESOLVED
Runtime CAP010 KV read material is supplied by master-key. Default master-key
JSON output is artifact-safe and redacted; --include-secret is only for the
runtime importer process and must not be recorded in logs or artifacts.
CREEP also carries the sandbox-only contract for DAR-driven payment and CAP010 evidence experiments:
PaymentIntentSandbox
-> PaymentAuthorizationRequestSandbox
-> PaymentAuthorizationEventSandbox
-> optional PaymentReversalEventSandbox
-> LedgerEntry
-> AssetEvent
-> evidence_seed
python -m src.tools.payment_sandbox \
--intent examples/dar-payment-sandbox/payment-intent.fixture.json \
--authorization-request examples/dar-payment-sandbox/authorization-request.fixture.json \
--authorization examples/dar-payment-sandbox/authorization-success.fixture.json \
--reversal examples/dar-payment-sandbox/reversal-refund-success.fixture.jsonThe sandbox hardening report is the current local evidence that the contract is ready to feed later VCC readiness gates:
python -m src.tools.payment_sandbox_hardening --jsonProvider-shaped sandbox events can be generated without calling a provider:
python -m src.tools.payment_provider_sandbox authorize \
--intent examples/dar-payment-sandbox/payment-intent.fixture.json \
--request examples/dar-payment-sandbox/authorization-request.fixture.json \
--outcome authorizedCAP010 /verify-shell can be checked through a read-only smoke that stores status, bytes, hash, and timing only:
python -m src.tools.cap010_smoke \
--url https://edge-check.com/verify-shell \
--requests 5 \
--timeout-seconds 10CREEP can project a company-level Super Ledger store candidate into ERP asset/evidence primitives without writing production storage:
python -m src.tools.super_ledger_store \
--candidate examples/super-ledger-store/super-ledger-store-candidate.fixture.json \
--jsonThis emits AssetSnapshot, AssetEvent, relationship candidates, an evidence
seed, and creep.super_ledger_store_ref.v0. It is the first persistence step
for the company-level capability, mission, worklog, health, benchmark, and
report-topic ledgers; the future write gate remains separate.
The typed write gate consumes that projection and writes only to Super Ledger staging tables when explicitly allowed:
python -m src.tools.super_ledger_write_gate \
--projection <super_ledger_store_projection.json> \
--jsonAdd --allow-staging-write only after reviewing the projection report. The gate
never writes CREEP core asset tables or production report tables.
Read-only query reports can be generated from staging tables or from a local projection artifact:
python -m src.tools.super_ledger_query \
--query overview \
--json
python -m src.tools.super_ledger_query \
--projection <super_ledger_store_projection.json> \
--query project \
--project-ref particle-accelerator-control-plane \
--jsonSuper Ledger mission/correction records can enter CREEP as candidate evidence through the dry-run mission update gate:
python -m src.tools.super_ledger_mission_update_gate \
--candidate examples/super-ledger-store/mission-update-gate-candidate.fixture.json \
--jsonThe mission update gate remains candidate-only. A green projection may enter the separate typed write gate; it does not perform production CREEP writes.
Real VCC providers, real payment authorization, PAN/CVV storage, CAP010 production delivery actions, and Cloudflare mutations remain outside this sandbox path. The sandbox path now covers allow/block authorization requests, authorized/declined authorization outcomes, refund/void/reversal audit semantics, deterministic ERP IDs, and CAP010 linkage drift checks so VCC provider work can later attach behind a stricter gate.
Provider selection is reviewed before provider readiness. It selects a first onboarding target from official-doc candidates but does not call provider APIs or create a live-candidate profile:
python -m src.tools.vcc_provider_selection \
--candidates examples/dar-payment-sandbox/vcc-provider-candidates.fixture.jsonBefore any real provider or VCC path opens, CREEP evaluates provider readiness through a provider-neutral contract:
python -m src.tools.vcc_provider_readiness \
--profile examples/dar-payment-sandbox/vcc-provider-profile.fixture.json \
--policy examples/dar-payment-sandbox/vcc-gate-policy.fixture.jsonThe readiness contract requires master-key credential governance, scoped runtime material, redacted artifacts, amount controls, merchant controls, idempotency, reversal support, reconciliation, and a kill switch. It does not call provider APIs or authorize real money.
Stripe Issuing capability evidence can be reviewed as a provider-doc matrix before any credential or provider API call:
python -m src.tools.vcc_capability_matrix \
--matrix examples/dar-payment-sandbox/stripe-issuing-capability-evidence-matrix.fixture.jsonThe matrix distinguishes provider-native capabilities from CREEP-enforced realtime authorization boundaries. For example, refund and void are treated as observation/reconciliation capabilities, while merchant controls and kill switch are first implemented through realtime authorization policy plus spending controls.
Tiny real-money readiness can be reviewed without executing a payment:
python -m src.tools.tiny_real_money_readiness \
--profile examples/dar-payment-sandbox/vcc-provider-live-candidate.fixture.json \
--policy examples/dar-payment-sandbox/vcc-gate-policy.fixture.json \
--approval examples/dar-payment-sandbox/tiny-real-money-approval.fixture.jsonThis review only answers whether a single live authorization could be considered. It does not call a provider or execute money movement.
When readiness is green, CREEP can build the final local-only arming plan for a one-shot live authorization:
python -m src.tools.tiny_live_authorization_plan \
--profile examples/dar-payment-sandbox/vcc-provider-live-candidate.fixture.json \
--policy examples/dar-payment-sandbox/vcc-gate-policy.fixture.json \
--approval examples/dar-payment-sandbox/tiny-real-money-approval.fixture.jsonThe plan records merchant allowlist, amount cap, kill-switch mode, credential bridge reference, receipt, and reconciliation requirements. It still does not call a provider or execute money movement.
The arming plan can be used to decide a redacted Stripe Issuing realtime authorization probe locally:
python -m src.tools.tiny_live_authorization_decision \
--plan examples/dar-payment-sandbox/tiny-live-authorization-plan-ready.fixture.json \
--probe examples/dar-payment-sandbox/stripe-realtime-auth-probe-allow.fixture.jsonThe decision output includes the Stripe webhook response body shape, but does not send it to Stripe.
A local webhook boundary harness verifies a Stripe-Signature-style test header against the exact raw body before delegating to the same decision:
python -m src.tools.stripe_realtime_webhook_harness \
--plan examples/dar-payment-sandbox/tiny-live-authorization-plan-ready.fixture.json \
--raw-body examples/dar-payment-sandbox/stripe-realtime-webhook-allow.raw.json \
--stripe-signature 't=1700000000,v1=<generated>' \
--signing-secret local_test_signing_key_not_realThe harness proves the raw-body/signature/delivery boundary without sending a response to Stripe.
A sandbox FastAPI route exercises the same boundary while returning the Stripe response body shape:
POST /api/v1/payment/stripe/realtime-authorization/sandbox
It requires CREEP API auth, Stripe-Signature, and the local-only
CREEP_STRIPE_WEBHOOK_TEST_SIGNING_SECRET. It returns {"approved":true,"amount":100}
for the allowlisted fixture and {"approved":false} for the merchant-blocked
fixture. Signature failures return HTTP 400 before JSON parsing.
A live endpoint skeleton is present but default-closed:
POST /api/v1/payment/stripe/realtime-authorization/live
It does not require CREEP API auth because the Stripe webhook signature is the
runtime authentication boundary. The route returns HTTP 503 unless
CREEP_STRIPE_LIVE_HANDLER_ENABLED=true and
CREEP_VCC_REAL_MONEY_GATE_CLOSEOUT_PATH points to a ready closeout report.
It also requires CREEP_STRIPE_WEBHOOK_SIGNING_SECRET to be injected at
runtime. This keeps live authorization closed until master-key
provider/webhook bridges, receipt, reconciliation, and kill-switch evidence are
all green.
Master-key VCC provider doctor output can be converted into a CREEP profile generation report:
python -m src.tools.vcc_profile_from_master_key \
--doctor-report examples/dar-payment-sandbox/master-key-vcc-stripe-doctor-missing.fixture.json \
--candidates examples/dar-payment-sandbox/vcc-provider-candidates.fixture.json \
--policy examples/dar-payment-sandbox/vcc-gate-policy.fixture.json \
--capability-matrix examples/dar-payment-sandbox/stripe-issuing-capability-evidence-matrix.fixture.jsonThe current real runtime is expected to stop at credential_bridge_missing
until provider.stripe_issuing credential material is imported into master-key.
The next live-handler readiness check separates provider credentials from the Stripe webhook endpoint signing secret:
python -m src.tools.stripe_live_handler_readiness \
--provider-doctor-report examples/dar-payment-sandbox/master-key-vcc-stripe-doctor-missing.fixture.json \
--webhook-doctor-report /tmp/master-key-vcc-webhook-doctor.json \
--plan examples/dar-payment-sandbox/tiny-live-authorization-plan-ready.fixture.json \
--sandbox-route-smoke-greenCurrent expected output is decision=missing_evidence until master-key governs
both provider.stripe_issuing credential material and the Stripe realtime
authorization webhook signing secret.
For fully offline fixture tests, use --webhook-signing-bridge with
examples/dar-payment-sandbox/stripe-webhook-signing-bridge-missing.fixture.json.
The final local-only closeout before implementing a live handler combines the provider doctor, webhook doctor, tiny approval, arming plan, and sandbox route smoke:
python -m src.tools.vcc_real_money_gate_closeout \
--provider-doctor-report /tmp/master-key-vcc-provider-doctor.json \
--webhook-doctor-report /tmp/master-key-vcc-webhook-doctor.json \
--candidates examples/dar-payment-sandbox/vcc-provider-candidates.fixture.json \
--policy examples/dar-payment-sandbox/vcc-gate-policy.fixture.json \
--capability-matrix examples/dar-payment-sandbox/stripe-issuing-capability-evidence-matrix.fixture.json \
--approval examples/dar-payment-sandbox/tiny-real-money-approval-stripe.fixture.json \
--sandbox-route-smoke-greenAfter the closeout is ready, the final local-only execution gate checks receipt, reconciliation, and kill-switch evidence before a tiny live authorization can be armed:
python -m src.tools.vcc_live_execution_gate \
--closeout-report examples/dar-payment-sandbox/vcc-real-money-closeout-ready.fixture.json \
--intent examples/dar-payment-sandbox/payment-intent.fixture.json \
--authorization-request examples/dar-payment-sandbox/authorization-request.fixture.json \
--authorization examples/dar-payment-sandbox/authorization-success.fixture.json \
--reversal examples/dar-payment-sandbox/reversal-refund-success.fixture.json \
--plan examples/dar-payment-sandbox/tiny-live-authorization-plan-ready.fixture.json \
--kill-switch-probe examples/dar-payment-sandbox/stripe-realtime-auth-probe-allow.fixture.jsonThis gate remains local-only. It does not call Stripe, load provider or webhook secret material, execute real money, or send a webhook response.
The final local-only operator arming gate combines master-key doctor reports, the closeout, receipt/reconciliation evidence, and kill-switch evidence:
python -m src.tools.vcc_operator_arming_gate \
--provider-doctor-report /tmp/master-key-vcc-provider-doctor.json \
--webhook-doctor-report /tmp/master-key-vcc-webhook-doctor.json \
--candidates examples/dar-payment-sandbox/vcc-provider-candidates.fixture.json \
--policy examples/dar-payment-sandbox/vcc-gate-policy.fixture.json \
--capability-matrix examples/dar-payment-sandbox/stripe-issuing-capability-evidence-matrix.fixture.json \
--approval examples/dar-payment-sandbox/tiny-real-money-approval-stripe.fixture.json \
--sandbox-hardening-report /tmp/payment-sandbox-hardening-report.json \
--sandbox-route-smoke-green \
--intent examples/dar-payment-sandbox/payment-intent.fixture.json \
--authorization-request examples/dar-payment-sandbox/authorization-request.fixture.json \
--authorization examples/dar-payment-sandbox/authorization-success.fixture.json \
--reversal examples/dar-payment-sandbox/reversal-refund-success.fixture.json \
--plan examples/dar-payment-sandbox/tiny-live-authorization-plan-ready.fixture.json \
--kill-switch-probe examples/dar-payment-sandbox/stripe-realtime-auth-probe-allow.fixture.jsonExpected decision after provider and webhook materials are governed by master-key:
decision=ready_for_operator_arm
After Stripe materials are imported into master-key, the one-shot CREEP closeout runner can call both master-key doctors and the operator arming gate:
python -m src.tools.vcc_master_key_operator_closeout \
--mkctl /Users/whip_a/projects/master-key-work/mkctl \
--candidates examples/dar-payment-sandbox/vcc-provider-candidates.fixture.json \
--policy examples/dar-payment-sandbox/vcc-gate-policy.fixture.json \
--capability-matrix examples/dar-payment-sandbox/stripe-issuing-capability-evidence-matrix.fixture.json \
--approval examples/dar-payment-sandbox/tiny-real-money-approval-stripe.fixture.json \
--sandbox-route-smoke-greenpython -m src.assets.hardware_fingerprint.simulate_roundtrip \
--tenant system_default \
--env prod \
--project ascension-first-wave \
--count 40 \
--output-dir out/ascension-simFault injection can be layered on the same roundtrip:
python -m src.assets.hardware_fingerprint.simulate_roundtrip \
--tenant system_default \
--env prod \
--project ascension-first-wave \
--count 40 \
--fault-scenario network_timeout \
--fault-scenario browser_runtime_crash \
--fault-scenario target_rejected \
--output-dir out/ascension-sim-faultspython -m src.evaluation.burnbag run \
--scenario hardware_fingerprint_ascension_roundtrip \
--tenant system_default \
--env prod \
--project ascension-first-wave \
--runs 7 \
--count 40 \
--output-dir out/evaluation/hf-ascensionFor Redis-free local runs:
python -m src.evaluation.burnbag fault-suite \
--scenario hardware_fingerprint_ascension_roundtrip \
--tenant system_default \
--env prod \
--project ascension-first-wave \
--count 40 \
--output-dir out/evaluation/hf-faults \
--no-redisPrefer common receipt, workflow, and traceability primitives over source-specific one-off flows.