
What is Treeship

Treeship is a portable cryptographic trust layer for human-agent workflows.

Treeship keeps a signed record of every action your agents take, every approval your team issues, and every handoff of work between systems.

The record is self-contained. It verifies offline. It crosses organizational boundaries. It does not depend on Treeship's servers to be valid -- the signatures are the trust.

The problem

When AI agents take consequential actions -- moving money, modifying code, executing contracts -- there is no receipt. Logs show API calls happened. They do not show:

  • Who authorized the action
  • What scope the authorization covered
  • Whether the chain of custody is intact
  • Whether the approval was used once or many times

Treeship produces cryptographic receipts that answer all four.

What Treeship is not

Treeship is not a scanner, EDR, SIEM, orchestration framework, or centralized trust authority. It is the evidence layer. Other tools find problems. Treeship signs what happened.

Architecture: agents, ships, and hub connections

Treeship is organized in three layers:

Layer 1: Agents -- the actors within a trust domain. Every human or AI that performs work is identified by a URI like human://alice or agent://deployer. Agents create and sign artifacts.

Layer 2: Ships -- the trust domain itself. One ship equals one Ed25519 keypair and one local artifact store. A ship is your identity boundary. All artifacts signed by a ship share the same root of trust.

Layer 3: Hub connections -- how a ship connects to the outside world. A hub connection is a named link from your ship to a Hub workspace. Think of hub connections like tmux sessions -- named connections you can attach, detach, and kill independently.

Most developers need exactly one hub connection. You would create multiple connections if you publish artifacts to separate audiences -- for example, one connection for your personal workspace and another for a client's workspace. The ship key stays the same across all connections, and your artifacts never change. Hub connections only control where artifacts appear on Hub.

Core properties

Local-first

Every operation works offline. The Hub adds shareability, never trust.

Self-contained

A signed artifact is a JSON file. It verifies without a database, API, or account.

Deterministic

Same content always produces the same artifact ID.

Portable

Works across orgs, clouds, and protocols with no shared infrastructure.

Open

MIT licensed. The verifier is open source. Anyone can verify without trusting Treeship.
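
An illustration in Go of the self-contained and deterministic properties above, using one Ed25519 ship key. This is an added example, not Treeship's code or artifact format: the Artifact envelope, its field names, the helper functions, and the choice of SHA-256 over Go's key-sorted JSON as the canonical encoding are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Artifact is a hypothetical envelope for illustration, not Treeship's schema.
type Artifact struct {
	ID        string            `json:"id"`        // hex SHA-256 of canonical payload
	Payload   map[string]string `json:"payload"`   // who did what
	Signature string            `json:"signature"` // hex Ed25519 signature by the ship key
}

func canonical(p map[string]string) []byte {
	b, _ := json.Marshal(p) // sorts map keys; cannot fail for a map of strings
	return b
}

func ArtifactID(p map[string]string) string {
	return fmt.Sprintf("%x", sha256.Sum256(canonical(p)))
}

func Sign(ship ed25519.PrivateKey, p map[string]string) Artifact {
	sig := ed25519.Sign(ship, canonical(p))
	return Artifact{ID: ArtifactID(p), Payload: p, Signature: hex.EncodeToString(sig)}
}

// Verify needs only the artifact and a pinned ship public key; nothing is fetched.
func Verify(a Artifact, shipPub ed25519.PublicKey) bool {
	sig, err := hex.DecodeString(a.Signature)
	if err != nil || len(shipPub) != ed25519.PublicKeySize || a.ID != ArtifactID(a.Payload) {
		return false
	}
	return ed25519.Verify(shipPub, canonical(a.Payload), sig)
}

func ShipFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed) // seed is constructed sample input
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := ShipFromSeed(make([]byte, ed25519.SeedSize))
	a := Sign(priv, map[string]string{"actor": "agent://deployer", "action": "deploy"})
	fmt.Println(a.ID, Verify(a, pub))
}
```

Verification takes the ship public key as a separate, already-trusted input; a key carried inside the artifact itself would prove nothing about who signed it.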

How it fits with other tools

Tool     | What it does              | Treeship's role
Trivy    | Finds vulnerabilities     | Treeship signs the evidence Trivy produces
Falco    | Detects runtime anomalies | Treeship attests that Falco ran and what it found
Langfuse | Traces agent behavior     | Treeship signs the authorization chain
Sigstore | Signs software artifacts  | Treeship applies the same model to agent actions