Air-gapped deployment
What v1 ships that makes a contained, perimeter-bound deployment reachable, and what lands in v2+ to close the remaining gaps.
Air-gapped deployment means the runtime makes no outbound TCP calls to public LLM endpoints, ships no telemetry beyond the network perimeter, and installs from a private registry or vendored snapshot. This page is for regulated-environment evaluators — defense contractors, FedRAMP-bound integrators, healthcare system operators, and financial-services teams with on-prem mandates.
Air-gapped deployment is a v2+ roadmap item. The v1 runtime still
has three code paths that call openrouter.ai directly (in the memory
consolidation, fact extraction, and context summarizer paths). These are
call-site gaps, not architectural ones, and are documented in the source
repo at packages/core/docs/air-gapped-architecture.md. What v1 does
ship is the substrate posture that makes the v2 path buildable without
rearchitecting the runtime.
What v1 ships today
Bring-your-own provider. The AgentProvider interface is the only
boundary between the runtime and an LLM call. Point it at a
private-endpoint URL and no inference traffic leaves the perimeter.
AnthropicSdkProvider exposes a baseURL field for this; any
OpenAI-compatible in-perimeter gateway works via AiSdkProvider.
Custom provider implementations. The AgentProvider contract is
stable and documented. A host that runs an in-perimeter model endpoint
can implement it directly — the runtime does not require a bundled
provider.
No implicit telemetry. @pleach/core contains no analytics SDK,
no crash reporter, and no usage callback to a third-party SaaS
endpoint. The only outbound calls the runtime makes are the ones the
host configures via the provider interface.
Configurable observability destinations. @pleach/observe ships
data where the host configures it to ship. For contained deployments,
the destination is a private SIEM or log aggregator inside the
perimeter.
Plugin interception surface. The HarnessPlugin contract lets a
host inject logic at every major runtime boundary — including tool calls
that would otherwise reach external endpoints. This is the extension
point for perimeter enforcement before v2's network-policy validator
lands.
PII scrubbing before persistence. @pleach/compliance runs
scrubbers on the persistence boundary so classified or regulated
identifiers don't reach storage. Scrubbers are configurable per
environment; the four bundled scrubbers (SSN, Luhn, US-DL,
KeyedRegex) cover common regulated-domain patterns.
What changes in v2+
Dependency vendoring. A documented, reproducible node_modules
snapshot or private-registry recipe so the runtime installs without
reaching the public npm registry.
SBOM. A CycloneDX software bill of materials generated at publish time, covering every direct and transitive runtime dependency. This is the artifact supply-chain risk management (SCRM) reviews require.
Signed artifacts. Sigstore signing for published packages, with SLSA Level 2 provenance attestation. The consumer verifies the bundle before install.
Network-policy validator. A runnable script that enumerates every outbound call the runtime can make and reports which calls have been rerouted to in-perimeter destinations. The output is the evidence artifact a compliance reviewer signs off on.
Hardcoded-endpoint closure. The three remaining openrouter.ai
call sites are replaced with DI-injected provider calls, closing the
last gaps that prevent strict perimeter enforcement.
Where to go next
Compliance
PII scrubbing, tenant scoping, and the CI audit gates that regulated deployments inherit from @pleach/compliance.
Regulated-domain agent
End-to-end pattern for deploying a fully audited, tenant-scoped agent in a regulated environment.
The GitHub roadmap tracks the v2+ items listed above. Follow the
@pleach/core repository at github.com/pleachhq/core and filter
by the air-gapped label.
Region-pinned agent
An agent that pins region, family, and model per call class — with parity-validation suites and deterministic failover discipline a procurement reviewer can read.
Performance
Fingerprint dedup, prompt caching, batching, lazy module loading, and the hot-path optimizations that keep per-call overhead low.