pleach
Use cases

Government & public sector

What Pleach ships today for federal, SLG, and government-contractor procurement, and what is still on the v2+ roadmap.

This page is the landing for federal agencies, state and local government (SLG), government contractors, and SLG IT teams evaluating Pleach for procurement.

It is written conservatively. Pleach has shipped a useful v1 floor for this audience, but it is not FedRAMP-authorized today, IL5/IL6 is not in scope at v1, and the roadmap items (SBOM, Sigstore, full offline install) are tracked honestly below rather than collapsed into a checkmark grid.

Who this is for

  • Federal agencies — civilian (GSA, HHS, IRS, Treasury) and defense-related (DoD program offices, defense primes, FFRDCs).
  • State and local government — state IT (CalDGS, NYC OTI), city digital-services teams, county and municipal procurement.
  • Government contractors — defense primes (Lockheed, Raytheon, Booz Allen, SAIC) and integrators delivering to federal agencies under a flowdown.
  • SLG IT — managed-service providers serving multi-tenant SLG customers under shared compliance posture.

Common shape: 1,000–100,000+ person organizations, multi-million-dollar AI budgets, 12–24 month procurement cycles, hard requirements on license, hosting topology, identity federation, and audit posture.

v1 scope — what ships today

Three concrete capabilities, each tested and on vine:

1. License clarity for procurement

All 13 publishable SKUs ship under FSL-1.1-Apache-2.0 (Functional Source License 1.1 with a future-license clause to Apache-2.0 at the 2-year mark). This is the single biggest procurement unblocker for government buyers — there is a written, dated path from source-available to OSI-compliant Apache-2.0.

See License compatibility for the procurement-facing detail.

2. Air-gapped endpoint redirection

@pleach/core enforces a fail-closed allowlist on every outbound provider URL when airGapped: true is set on SessionRuntimeConfig. The check lives next to the fetch() it guards, so a host cannot bypass it by forgetting to wire something at the edge. Operator misconfiguration (empty allowlist + air-gapped mode) is surfaced at construction time, not at first call.

See Air-gapped architecture for the call-site map and the v2+ gaps (dependency vendoring, full offline install).

3. IAM-federated identity (AWS GovCloud)

@pleach/gateway/identity/providers/iam ships an IdentityProvider backed by STS AssumeRole. The buyer supplies their own STSClient (region-scoped to us-gov-east-1 / us-gov-west-1), and the provider templates a per-tenant role ARN so IAM policies scope model access per tenant. The adapter takes no build-time dependency on @aws-sdk/* — the STS client is injected.

Azure Government and GCP IL2 identity adapters exist at @pleach/gateway/identity/providers/{azure,gcp} but are not wired by the governmentAgent recipe at v1. AWS GovCloud is the explicit v1 target.

v2+ roadmap

The honest list of what is not in v1:

  • FedRAMP authorization (Moderate, then High). This is a 12–18 month paperwork track. The runtime surfaces declared fedrampBaseline as procurement-visible metadata today; the authorization itself is not.
  • DoD Impact Level 5 / Impact Level 6. Out of scope at v1. Tracked for v2+ as a separate program parallel to FedRAMP High.
  • Fully air-gapped offline install. v1 ships the runtime enforcement (URL allowlist + env-var override of the OpenRouter base URL) but npm install still requires reaching a private registry or a vendored snapshot. The vendoring recipe is v2+ scope.
  • SBOM artifacts (CycloneDX 1.5 / SPDX 2.3). The governmentAgent recipe surfaces declared sbomFormat as procurement-visible metadata today, but the publish pipeline does not yet emit the artifact. v1.x scope.
  • SLSA provenance + Sigstore signing. Same status as SBOM — declared on the agent, not yet emitted by the publish pipeline. v1.x scope.

See Supply-chain risk & SBOM for the SCRM stance and the per-SKU dependency posture.

Quickstart

import { governmentAgent } from "@pleach/recipes"

The minimal air-gapped + IAM example:

import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts"
import { governmentAgent } from "@pleach/recipes"

const stsClient = new STSClient({ region: "us-gov-east-1" })

const bot = governmentAgent({
  agencyId: "gsa-tts",
  airGapped: true,
  airGappedAllowedHosts: ["llm.internal.gsa.gov"],
  classification: "fouo",
  fedrampBaseline: "moderate",
  onPremProvider: {
    kind: "iam",
    endpoint: "https://llm.internal.gsa.gov",
  },
  iamConfig: {
    stsClient,
    roleArnTemplate:
      "arn:aws-us-gov:iam::123456789012:role/pleach-gateway/{tenantId}",
    assumeRoleCommandFactory: (input) => new AssumeRoleCommand(input),
  },
  auditPackage: { format: "fedramp", retentionYears: 7 },
})

const answer = await bot.ask(
  "Summarize current FedRAMP boundary changes.",
)

What this wires:

  • airGapped: true + a single-host allowlist — every outbound provider URL is checked against llm.internal.gsa.gov; anything else throws AirGappedHostRejectedError from @pleach/core/runtime/AirGappedRuntimeOption.
  • onPremProvider.kind: "iam" + iamConfig.stsClient — the recipe lazy-loads createIamIdentityProvider from @pleach/gateway/identity/providers/iam and exposes the provider + token cache on bot.iamProvider / bot.tokenCache so the host can thread them into its gateway wiring.
  • classification: "fouo" + fedrampBaseline: "moderate" — procurement-visible metadata stamped on the runtime under the GOVERNMENT_AGENT_TAG symbol. The metadata does not enforce authorization; it surfaces the operator's declared posture for audit.

Fail-closed by design

If airGapped: true is supplied with an empty or absent airGappedAllowedHosts, the allowlist rejects every outbound URL. @pleach/core enforces this fail-closed: the first provider-URL resolution throws AirGappedHostRejectedError, so a misconfigured air-gapped deployment fails on its first call — during smoke test — rather than leaking silently in production.

What this recipe does not do

  • Does not enforce FedRAMP / IL5 / TS authorization. Those are paperwork tracks; the recipe surfaces the declared posture but does not validate it against an ATO.
  • Does not bundle a fed-cloud provider. The buyer constructs the STSClient (or equivalent) and injects it.
  • Does not generate SBOM or SLSA provenance artifacts. Those are publish-pipeline concerns, tracked for v1.x.
  • Does not call init({ destination }) for @pleach/observe — the observe SDK is process-singleton; the host owns init.

On this page