Compliance

Using Treeship artifacts for regulatory compliance, audit trails, and human-in-the-loop gating.

Treeship artifacts provide a tamper-evident audit trail that supports regulatory compliance. Each action, approval, and handoff is signed and chained, creating evidence that auditors and regulators can independently verify.

What Treeship provides

  • Immutable records. Signed artifacts cannot be modified after creation without detection: tampering changes the content-addressed ID and breaks verification.
  • Approval chains. Nonce-bound approvals prove that specific humans authorized specific actions.
  • Verifiable handoffs. When work moves between agents or organizations, the handoff is recorded with a signed artifact.
  • Independent verification. Auditors verify artifacts locally without trusting the organization that created them.

Human-in-the-loop gating

Treeship approvals enforce that an agent cannot proceed without human authorization:

# Human creates a time-limited approval
treeship attest approval \
  --approver human://alice \
  --description "approve financial filing" \
  --subject art_pending123 \
  --expires 2026-04-01T12:00:00Z

# Agent uses the nonce -- without it, the action has no approval binding
treeship attest action \
  --actor agent://filing-system \
  --action report.file \
  --approval-nonce <nonce>

The approval nonce is single-use. The agent cannot reuse it for a second action. Verifiers can confirm that the nonce was valid at the time of use.
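The checks an auditor would apply for the rules above (content-addressed ID, approval binding, single use, expiry), as an added example that is not Treeship's own code. It uses a simplified model: the field names, the ID scheme, and the `record` and `audit` helpers are assumptions, and signature verification is left out.

```python
import hashlib
import json
from datetime import datetime

# Simplified model, NOT Treeship's real artifact format: field names and the
# ID scheme are assumptions, and signature verification is left out.

def artifact_id(body):
    """Content-addressed ID: SHA-256 over the canonical JSON body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return "art_" + hashlib.sha256(canonical).hexdigest()[:16]

def record(body):
    return {"id": artifact_id(body), "body": body}

def ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(log):
    """Walk artifacts in order and return (artifact id, finding) pairs."""
    findings, approvals, used = [], {}, set()
    for art in log:
        body = art["body"]
        if artifact_id(body) != art["id"]:
            findings.append((art["id"], "content does not match ID"))
        elif body["type"] == "approval":
            approvals[body["nonce"]] = body
        elif body["type"] == "action":
            nonce = body.get("approval_nonce")
            if nonce not in approvals:
                findings.append((art["id"], "no approval binding"))
            elif nonce in used:
                findings.append((art["id"], "approval nonce reused"))
            elif ts(body["timestamp"]) > ts(approvals[nonce]["expires"]):
                findings.append((art["id"], "approval expired before use"))
            else:
                used.add(nonce)
    return findings

# Constructed sample log: an approval, a valid use, a replay, an unbound
# action, and a copy of the approval whose expiry was edited after creation.
approval = record({"type": "approval", "approver": "human://alice",
                   "nonce": "n-001", "expires": "2026-04-01T12:00:00Z"})
filed = record({"type": "action", "action": "report.file",
                "approval_nonce": "n-001", "timestamp": "2026-03-30T09:00:00Z"})
replay = record({"type": "action", "action": "report.file",
                 "approval_nonce": "n-001", "timestamp": "2026-03-30T09:05:00Z"})
unbound = record({"type": "action", "action": "report.file",
                  "timestamp": "2026-03-30T09:10:00Z"})
tampered = {"id": approval["id"],
            "body": {**approval["body"], "expires": "2027-01-01T00:00:00Z"}}
SAMPLE_LOG = [approval, filed, replay, unbound, tampered]
```

Calling `audit(SAMPLE_LOG)` flags the replayed nonce, the unbound action, and the edited approval, while the first use of the nonce passes.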

Compliance patterns

SOX compliance

For financial reporting, create artifacts that prove the review and approval chain:

# Agent generates financial report
treeship attest action \
  --actor agent://financial-reporting \
  --action report.generate \
  --input-digest sha256:abc123 \
  --content-uri s3://reports/q1-2026-10q.pdf \
  --meta '{"period": "Q1-2026", "type": "10-Q"}'

# Controller reviews
treeship attest approval \
  --approver human://alice \
  --description "reviewed Q1 10-Q financials" \
  --subject art_report123

# CFO signs off
treeship attest approval \
  --approver human://bob \
  --description "approve Q1 10-Q filing" \
  --subject art_report123

# Final action with approval nonce
treeship attest action \
  --actor agent://filing-system \
  --action report.file \
  --approval-nonce <cfo-nonce> \
  --parent art_report123

GDPR data processing

Record data processing activities with artifacts:

treeship attest action \
  --actor agent://data-processor \
  --action data.process \
  --input-digest sha256:def456 \
  --meta '{"purpose": "analytics", "legal_basis": "consent", "data_types": ["usage_metrics"]}'

Endorsement artifacts

Third-party compliance attestations use endorsement artifacts:

treeship attest endorsement \
  --endorser auditor://compliance-firm \
  --subject art_process123 \
  --kind compliance \
  --rationale "Reviewed and found SOC 2 Type II compliant"

The endorsement is a separate signed artifact that references the original. Both can be verified independently.

Exportable proof bundles

Bundle all relevant artifacts and share with auditors:

treeship bundle create --artifacts art_report123,art_approval456,art_signoff789 --tag q1-2026-audit
treeship bundle export art_bundle_id --out q1-audit.treeship

The auditor imports the bundle and verifies every artifact independently:

treeship bundle import q1-audit.treeship
treeship verify art_bundle_id

The bundle is self-contained. The auditor does not need access to Hub or any external service to verify the artifacts.

Treeship v2 will add zero-knowledge (ZK) proofs for privacy-preserving compliance verification. Organizations will be able to prove regulatory compliance without exposing underlying data.