treeship

---

Why this exists

AI agents are doing real work — real money, real code, real decisions. But there's no clean way to answer the simplest question afterward: what did the agent actually do?

Chat logs are editable, screenshottable, deniable. They're a story, not evidence.

Treeship produces evidence: signed, timestamped, portable, verifiable receipts of every tool call an agent made. Show the receipt to a customer, a regulator, a teammate, or your future self in six months. It stays true.

Install

CLI (the binary you'll always need)

# One-liner: installs CLI, runs treeship init, instruments any AI agents
# it detects (Claude Code, Cursor, Hermes, OpenClaw)
curl -fsSL treeship.dev/setup | sh

# Or via npm (inspectable, signed package, no shell pipe)
npm install -g treeship

/setup and /install are both POSIX shell. macOS and Linux native. Windows users: use WSL — a native Windows binary is planned for v0.10.0.

Claude Code plugin (recommended for Claude Code users)

claude plugin marketplace add zerkerlabs/treeship
claude plugin install treeship@treeship

After this, every Claude Code session in a project with a .treeship/ directory auto-records to a portable, signed receipt. The plugin's SessionStart / PostToolUse / SessionEnd hooks fire automatically — no treeship session start to remember, no manual wrapping.

See integrations/claude-code-plugin/ for the full design.

First receipt in 60 seconds

treeship init                       # one-time, per machine
treeship session start              # opens a recording session
treeship wrap -- npm test           # captures the command + its exit code + file writes
treeship session close              # seals the receipt
treeship session report             # uploads + prints a shareable URL

Or with the Claude Code plugin installed: just open Claude Code in a treeship init-ed project. Sessions start and seal themselves.

What you get

• Signed receipts — Ed25519 over RFC 8785 canonical JSON (DSSE envelopes, in-toto compatible)
• Auto-chaining — every receipt links to the hash of the previous one
• Merkle inclusion proofs — packaged with the receipt for offline verification
• Hash-only payloads — by default the receipt stores SHA-256 of arguments and outputs, not the raw content
• Approval binding — treeship attest action --approval-nonce wires a human approval to the action it authorized
• Local-first — everything works offline; the hub is a publishing surface, not a custodian
• Offline verification — treeship package verify is pure WASM, no network required
• Multi-runtime SDKs — TypeScript, Python, Go (hub), Rust core; verifier runs on Node, Deno, browser, Vercel Edge, Cloudflare Workers, AWS Lambda

Trust model

Treeship doesn't decide trust globally. Each verifier decides trust using local policy.

• Trust comes from keys + your policy, not from a Treeship server
• Receipts are portable bundles — verify anywhere, no callback to a Treeship API
• Privacy-aware default: payloads are hashed, not stored raw
• Hub connections are optional and per-receipt opt-in

For an exhaustive description of what @treeship/mcp actually captures (every field, in every artifact type), see TREESHIP.md. It's the universal trust + onboarding doc that any AI agent can read to evaluate Treeship before using it.

How it works

Agent / human action
        │
        ▼
  Treeship core
        │
        ├─ Canonicalize payload (RFC 8785)
        ├─ Hash inputs/outputs (SHA-256)
        ├─ Link to previous receipt
        ├─ Sign with Ed25519
        └─ Append to Merkle log
        │
        ▼
  Local receipt store (.treeship/)
        │
        ├─ Bundle builder
        ├─ Checkpoint (signed Merkle root)
        ├─ Verifier (pure WASM)
        └─ Optional: hub publish

Verification runs five checks: signatures (DSSE envelope), chain integrity (each receipt links to its parent), Merkle inclusion, checkpoint signature, and policy. All offline.

Packages

Rust crates (crates.io)