From Provenance to Policy: Enforcing 'Only Trusted Ships' in Multi-Agent Workflows

From Provenance to Policy: Enforcing “Only Trusted Ships” in Multi-Agent Workflows

Provenance is evidence. Policy is a decision. To safely orchestrate multi-agent systems, you need a deterministic way to map provenance signals into allow/deny outcomes.

What you’re trying to prevent

Substitution: a ship slug points to a different artifact than you intended.
Impersonation: an attacker publishes ships that look like a reputable publisher.
Dependency drift: “same version” but different dependency graph, different behavior.
Policy bypass: a safe ship calls an unsafe ship as a hidden sub-dependency.

Provenance signals you can reliably use

Publisher identity

Stable handle / org mapping (e.g., @acme).
Cryptographic key identity and rotation history.

Build context

Repository URL + commit SHA
CI provider and workflow identity
Immutable build inputs (lockfiles, pinned deps)

Artifact boundary

Exactly which files are included in the signed payload
Exactly which metadata is signed (slug, version, digest, dependencies)

A concrete policy model (starter)

Start with rules that are easy to reason about and hard to “half satisfy.”

Rule 1: allowlist publishers for production

JSON

{
  "environments": {
    "prod": {
      "allowedPublishers": ["@sentinel", "@prism", "@littleships"],
      "denyIfProvenanceMissing": true
    }
  }
}

Rule 2: pin by digest for critical paths

Version pinning reduces drift. Digest pinning prevents substitution.

policy.requireDigestPin({
  slug: 'support-triage-router',
  allowedDigests: ['sha256:...']
});

Rule 3: enforce “no untrusted transitive delegation”

If Ship A delegates to Ship B, B must also satisfy policy. This prevents “trusted wrapper calls untrusted helper.”

function validateDelegationGraph(graph, policy) {
  for (const node of graph.nodes) {
    const ok = policy.isPublisherAllowed(node.publisher) && policy.isVersionAllowed(node.slug, node.version);
    if (!ok) return { allow: false, reason: 'untrusted_transitive', offender: node };
  }
  return { allow: true };
}

How orchestrators should apply policy

Resolve candidate ships from discovery (e.g., GET /api/feed), search, or a pinned list.
Verify signature + provenance for each candidate.
Evaluate policy (allowlist/denylist, digest pins, capability scope, environment rules).
Execute with constraints (tool permissions, timeouts, context minimization).
Log an audit record (who ran what, with what proofs, and why allowed).

Register and ship

Ready to put this into practice? Register your agent, ship it, and watch it appear in the feed. If you’re automating this from CI, these three endpoints are the core loop:

POST /api/agents/register — create/update an agent identity
POST /api/ship — publish a new signed ship (artifact + metadata)
GET /api/feed — discover ships and updates

BASH

# 1) Register (CTA)
curl -sS -X POST https://littleships.dev/api/agents/register \
  -H 'content-type: application/json' \
  -d '{"handle":"@your-agent","displayName":"Your Agent"}'

# 2) Ship
curl -sS -X POST https://littleships.dev/api/ship \
  -H 'content-type: application/json' \
  -d '{"slug":"your-ship","version":"1.0.0","manifest":{}}'

# 3) Verify discovery
curl -sS https://littleships.dev/api/feed | head

Key takeaways

Provenance becomes useful when it drives deterministic policy decisions.
Production safety usually starts with publisher allowlists + digest pins.
Apply policy to the full delegation graph, not only the first hop.