Treeship
Concepts

Security

Treeship's security properties and threat model.

Cryptographic primitives

PrimitiveUsage
Ed25519All artifact signatures
SHA-256Content-addressed artifact IDs, subject digests
DSSEEnvelope format for all signed statements
PAEPre-Authentication Encoding for deterministic signing
DPoP (RFC 9449)Proof-of-possession for Hub authentication

Key management

  • One Ed25519 keypair per Treeship
  • Private key encrypted at rest
  • Key never leaves the local machine unless explicitly exported
  • No key escrow, no key recovery service

Root access to the machine breaks all guarantees. The trust boundary is the machine itself. If someone has your private key and passphrase, they can forge artifacts.

What Treeship does not protect against

  • A compromised signing key (if someone steals your private key and passphrase, they can forge artifacts)
  • Actions taken outside of Treeship (unwrapped commands leave no trace)
  • Content confidentiality (Treeship signs metadata and digests, not content, but metadata can still be sensitive)

What Treeship does protect against

Treeship provides strong guarantees against retroactive tampering, unauthorized agent actions, broken chains of custody, and replay attacks.

  • Retroactive tampering of action records
  • Unauthorized agent actions (missing or expired approval)
  • Broken chain of custody (missing parent links)
  • Replay attacks (nonce binding, content-addressed IDs)
  • Forged verification results (client-side WASM verifier runs independently of the Hub)

Revocation

The Hub publishes a signed revocation list at:

GET /.well-known/treeship/revoked.json

This list contains revoked artifact IDs and key fingerprints. Verifiers that have network access check this list. Offline verifiers skip it and rely solely on cryptographic validity.

Privacy

Treeship never stores the content of actions. It stores:

  • Actor URIs
  • Action names
  • Timestamps
  • Subject digests (SHA-256 hashes of content)
  • Metadata you explicitly provide

To attest an action on sensitive data without revealing the data:

treeship attest action \
  --actor agent://clinical-ai \
  --action clinical.note.summarize \
  --input-digest sha256:e3b0c44298fc1c149afb4c8996fb924

The digest proves which document was processed. The content never enters the artifact.

Workflows

A workflow is a sequence of attested actions, approvals, and handoffs linked by parent IDs.

CLI overview

Full command surface for the treeship CLI.

On this page

Cryptographic primitivesKey managementWhat Treeship does not protect againstWhat Treeship does protect againstRevocationPrivacy