Compliance
Using Treeship artifacts for regulatory compliance, audit trails, and human-in-the-loop gating.
Treeship artifacts provide a tamper-proof audit trail that supports regulatory compliance. Each action, approval, and handoff is signed and chained, creating evidence that auditors and regulators can independently verify.
What Treeship provides
- Immutable records. Signed artifacts cannot be modified after creation. Tampering changes the content-addressed ID and breaks verification.
- Approval chains. Nonce-bound approvals prove that specific humans authorized specific actions.
- Verifiable handoffs. When work moves between agents or organizations, the handoff is recorded with a signed artifact.
- Independent verification. Auditors verify artifacts locally without trusting the organization that created them.
Human-in-the-loop gating
Treeship approvals enforce that an agent cannot proceed without human authorization:
# Human creates a time-limited approval
treeship attest approval \
--approver human://alice \
--description "approve financial filing" \
--subject art_pending123 \
--expires 2026-04-01T12:00:00Z
# Agent uses the nonce -- without it, the action has no approval binding
treeship attest action \
--actor agent://filing-system \
--action report.file \
--approval-nonce <nonce>
The approval is bound to the action by nonce, scoped to a specific actor / action / subject when the approver sets --allowed-actor / --allowed-action / --allowed-subject, and verifiers report exactly what was checked: binding (always), scope (when present), and replay posture (package-local only -- no global ledger consulted as of v0.9.6). A local Approval Use Journal for cross-package replay enforcement ships in v0.10.
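How a verifier can report binding, scope and replay posture for a nonce-bound approval, as an added Python model that is not the Treeship CLI's own code; the artifact layout, the field names (allowed_actor and friends, mirroring the --allowed-* flags), the nonce values and the id scheme are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical artifact model (added example, not Treeship's code): a dict whose
# "id" is derived from the sha256 of its canonical JSON body, so edits break the id.
def artifact_id(body):
    return "art_" + hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()[:16]

def make_artifact(**body):
    return {"id": artifact_id(body), **body}

def verify_approval_use(action, approval, package, now):
    """Report binding (always), scope (only when the approver set allowed_*) and replay posture (package-local)."""
    report = {"binding": "fail", "scope": "not present", "replay": "package-local: no reuse"}
    for art in (action, approval):  # content-addressed id must still match the body
        body = {k: v for k, v in art.items() if k != "id"}
        if artifact_id(body) != art["id"]:
            report["binding"] = "fail: id does not match content (tampered)"
            return report
    if action.get("approval_nonce") != approval["nonce"]:
        return report  # no nonce, or a different one: no approval binding
    exp = approval.get("expires")
    if exp and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
        report["binding"] = "fail: approval expired"
        return report
    report["binding"] = "ok"
    scope = {"actor": "allowed_actor", "action": "allowed_action", "subject": "allowed_subject"}
    if any(k in approval for k in scope.values()):
        bad = [f for f, k in scope.items() if k in approval and action.get(f) != approval[k]]
        report["scope"] = "ok" if not bad else "fail: " + ",".join(bad)
    reuse = [a["id"] for a in package if a.get("approval_nonce") == approval["nonce"]]
    if len(reuse) > 1:  # no global ledger here: only artifacts in this package are seen
        report["replay"] = "package-local: nonce reused by " + ",".join(sorted(reuse))
    return report

def run_demo():
    # Constructed sample: one scoped, time-limited approval; a clean, a tampered and a replayed-nonce action.
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    approval = make_artifact(approver="human://alice", subject="art_pending123",
                             nonce="nonce-constructed-01", expires="2026-04-01T12:00:00Z",
                             allowed_actor="agent://filing-system", allowed_action="report.file")
    good = make_artifact(actor="agent://filing-system", action="report.file",
                         subject="art_pending123", approval_nonce=approval["nonce"])
    tampered = dict(good, actor="agent://other")  # body edited after signing, id left as it was
    second = make_artifact(actor="agent://filing-system", action="report.file",
                           subject="art_pending123", approval_nonce=approval["nonce"], seq=2)
    return (verify_approval_use(good, approval, [good], now),
            verify_approval_use(tampered, approval, [tampered], now),
            verify_approval_use(second, approval, [good, second], now))
```

The three reports show the same nonce accepted once, rejected when the action body was edited, and flagged when a second action in the same package cites it.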
Compliance patterns
SOX compliance
For financial reporting, create artifacts that prove the review and approval chain:
# Agent generates financial report
treeship attest action \
--actor agent://financial-reporting \
--action report.generate \
--input-digest sha256:abc123 \
--content-uri s3://reports/q1-2026-10q.pdf \
--meta '{"period": "Q1-2026", "type": "10-Q"}'
# Controller reviews
treeship attest approval \
--approver human://alice \
--description "reviewed Q1 10-Q financials" \
--subject art_report123
# CFO signs off
treeship attest approval \
--approver human://bob \
--description "approve Q1 10-Q filing" \
--subject art_report123
# Final action with approval nonce
treeship attest action \
--actor agent://filing-system \
--action report.file \
--approval-nonce <cfo-nonce> \
--parent art_report123
GDPR data processing
Record data processing activities with artifacts:
treeship attest action \
--actor agent://data-processor \
--action data.process \
--input-digest sha256:def456 \
--meta '{"purpose": "analytics", "legal_basis": "consent", "data_types": ["usage_metrics"]}'
Endorsement artifacts
Third-party compliance attestations use endorsement artifacts:
treeship attest endorsement \
--endorser auditor://compliance-firm \
--subject art_process123 \
--kind compliance \
--rationale "Reviewed and found SOC 2 Type II compliant"
The endorsement is a separate signed artifact that references the original. Both can be verified independently.
Exportable proof bundles
Bundle all relevant artifacts and share with auditors:
treeship bundle create --artifacts art_report123,art_approval456,art_signoff789 --tag q1-2026-audit
treeship bundle export art_bundle_id --out q1-audit.treeship
The auditor imports the bundle and verifies every artifact independently:
treeship bundle import q1-audit.treeship
treeship verify art_bundle_id
The bundle is self-contained. The auditor does not need access to Hub or any external service to verify the artifacts.
Treeship v2 will add ZK proofs for privacy-preserving compliance verification. Organizations will be able to prove regulatory compliance without exposing underlying data.