Government & public sector
What Pleach ships today for federal, SLG, and government-contractor procurement, and what is still on the v2+ roadmap.
This page is the landing for federal agencies, state and local government (SLG), government contractors, and SLG IT teams evaluating Pleach for procurement.
It is written conservatively. Pleach has shipped a useful v1 floor for this audience, but it is not FedRAMP-authorized today, IL5/IL6 is not in scope at v1, and the roadmap items (SBOM, Sigstore, full offline install) are tracked honestly below rather than collapsed into a checkmark grid.
Who this is for
- Federal agencies — civilian (GSA, HHS, IRS, Treasury) and defense-related (DoD program offices, defense primes, FFRDCs).
- State and local government — state IT (CalDGS, NYC OTI), city digital-services teams, county and municipal procurement.
- Government contractors — defense primes (Lockheed, Raytheon, Booz Allen, SAIC) and integrators delivering to federal agencies under a flowdown.
- SLG IT — managed-service providers serving multi-tenant SLG customers under shared compliance posture.
Common shape: 1,000–100,000+ person organizations, multi-million-dollar AI budgets, 12–24 month procurement cycles, hard requirements on license, hosting topology, identity federation, and audit posture.
v1 scope — what ships today
Three concrete capabilities, each tested and on vine:
1. License clarity for procurement
All 13 publishable SKUs ship under FSL-1.1-Apache-2.0 (Functional Source License 1.1 with a future-license clause to Apache-2.0 at the 2-year mark). This is the single biggest procurement unblocker for government buyers — there is a written, dated path from source-available to OSI-compliant Apache-2.0.
See License compatibility for the procurement-facing detail.
2. Air-gapped endpoint redirection
@pleach/core enforces a fail-closed allowlist on every outbound
provider URL when airGapped: true is set on SessionRuntimeConfig.
The check lives next to the fetch() it guards, so a host cannot
bypass it by forgetting to wire something at the edge. Operator
misconfiguration (empty allowlist + air-gapped mode) is surfaced at
construction time, not at first call.
See Air-gapped architecture for the call-site map and the v2+ gaps (dependency vendoring, full offline install).
3. IAM-federated identity (AWS GovCloud)
@pleach/gateway/identity/providers/iam ships an IdentityProvider
backed by STS AssumeRole. The buyer supplies their own STSClient
(region-scoped to us-gov-east-1 / us-gov-west-1), and the provider
templates a per-tenant role ARN so IAM policies scope model access per
tenant. The adapter takes no build-time dependency on @aws-sdk/* —
the STS client is injected.
Azure Government and GCP IL2 identity adapters exist at
@pleach/gateway/identity/providers/{azure,gcp} but are not wired by
the governmentAgent recipe at v1. AWS GovCloud is the explicit v1
target.
v2+ roadmap
The honest list of what is not in v1:
- FedRAMP authorization (Moderate, then High). This is a 12–18
month paperwork track. The runtime surfaces
declared
fedrampBaselineas procurement-visible metadata today; the authorization itself is not. - DoD Impact Level 5 / Impact Level 6. Out of scope at v1. Tracked for v2+ as a separate program parallel to FedRAMP High.
- Fully air-gapped offline install. v1 ships the runtime
enforcement (URL allowlist + env-var override of the OpenRouter base
URL) but
npm installstill requires reaching a private registry or a vendored snapshot. The vendoring recipe is v2+ scope. - SBOM artifacts (CycloneDX 1.5 / SPDX 2.3). The
governmentAgentrecipe surfaces declaredsbomFormatas procurement-visible metadata today, but the publish pipeline does not yet emit the artifact. v1.x scope. - SLSA provenance + Sigstore signing. Same status as SBOM — declared on the agent, not yet emitted by the publish pipeline. v1.x scope.
See Supply-chain risk & SBOM for the SCRM stance and the per-SKU dependency posture.
Quickstart
import { governmentAgent } from "@pleach/recipes"The minimal air-gapped + IAM example:
import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts"
import { governmentAgent } from "@pleach/recipes"
const stsClient = new STSClient({ region: "us-gov-east-1" })
const bot = governmentAgent({
agencyId: "gsa-tts",
airGapped: true,
airGappedAllowedHosts: ["llm.internal.gsa.gov"],
classification: "fouo",
fedrampBaseline: "moderate",
onPremProvider: {
kind: "iam",
endpoint: "https://llm.internal.gsa.gov",
},
iamConfig: {
stsClient,
roleArnTemplate:
"arn:aws-us-gov:iam::123456789012:role/pleach-gateway/{tenantId}",
assumeRoleCommandFactory: (input) => new AssumeRoleCommand(input),
},
auditPackage: { format: "fedramp", retentionYears: 7 },
})
const answer = await bot.ask(
"Summarize current FedRAMP boundary changes.",
)What this wires:
airGapped: true+ a single-host allowlist — every outbound provider URL is checked againstllm.internal.gsa.gov; anything else throwsAirGappedHostRejectedErrorfrom@pleach/core/runtime/AirGappedRuntimeOption.onPremProvider.kind: "iam"+iamConfig.stsClient— the recipe lazy-loadscreateIamIdentityProviderfrom@pleach/gateway/identity/providers/iamand exposes the provider + token cache onbot.iamProvider/bot.tokenCacheso the host can thread them into its gateway wiring.classification: "fouo"+fedrampBaseline: "moderate"— procurement-visible metadata stamped on the runtime under theGOVERNMENT_AGENT_TAGsymbol. The metadata does not enforce authorization; it surfaces the operator's declared posture for audit.
Fail-closed by design
If airGapped: true is supplied with an empty or absent
airGappedAllowedHosts, the allowlist rejects every outbound URL.
@pleach/core enforces this fail-closed: the first provider-URL
resolution throws AirGappedHostRejectedError, so a misconfigured
air-gapped deployment fails on its first call — during smoke test —
rather than leaking silently in production.
What this recipe does not do
- Does not enforce FedRAMP / IL5 / TS authorization. Those are paperwork tracks; the recipe surfaces the declared posture but does not validate it against an ATO.
- Does not bundle a fed-cloud provider. The buyer constructs the
STSClient(or equivalent) and injects it. - Does not generate SBOM or SLSA provenance artifacts. Those are publish-pipeline concerns, tracked for v1.x.
- Does not call
init({ destination })for@pleach/observe— the observe SDK is process-singleton; the host owns init.