pleach
Operate

Air-gapped deployment

What v1 ships that makes a contained, perimeter-bound deployment reachable, and what lands in v2+ to close the remaining gaps.

Air-gapped deployment means the runtime makes no outbound TCP calls to public LLM endpoints, ships no telemetry beyond the network perimeter, and installs from a private registry or vendored snapshot. This page is for regulated-environment evaluators — defense contractors, FedRAMP-bound integrators, healthcare system operators, and financial-services teams with on-prem mandates.

Air-gapped deployment is a v2+ roadmap item. The v1 runtime still has three code paths that call openrouter.ai directly (in the memory consolidation, fact extraction, and context summarizer paths). These are call-site gaps, not architectural ones, and are documented in the source repo at packages/core/docs/air-gapped-architecture.md. What v1 does ship is the substrate posture that makes the v2 path buildable without rearchitecting the runtime.

What v1 ships today

Bring-your-own provider. The AgentProvider interface is the only boundary between the runtime and an LLM call. Point it at a private-endpoint URL and no inference traffic leaves the perimeter. AnthropicSdkProvider exposes a baseURL field for this; any OpenAI-compatible in-perimeter gateway works via AiSdkProvider.

Custom provider implementations. The AgentProvider contract is stable and documented. A host that runs an in-perimeter model endpoint can implement it directly — the runtime does not require a bundled provider.

No implicit telemetry. @pleach/core contains no analytics SDK, no crash reporter, and no usage callback to a third-party SaaS endpoint. The only outbound calls the runtime makes are the ones the host configures via the provider interface.

Configurable observability destinations. @pleach/observe ships data where the host configures it to ship. For contained deployments, the destination is a private SIEM or log aggregator inside the perimeter.

Plugin interception surface. The HarnessPlugin contract lets a host inject logic at every major runtime boundary — including tool calls that would otherwise reach external endpoints. This is the extension point for perimeter enforcement before v2's network-policy validator lands.

PII scrubbing before persistence. @pleach/compliance runs scrubbers on the persistence boundary so classified or regulated identifiers don't reach storage. Scrubbers are configurable per environment; the four bundled scrubbers (SSN, Luhn, US-DL, KeyedRegex) cover common regulated-domain patterns.

What changes in v2+

Dependency vendoring. A documented, reproducible node_modules snapshot or private-registry recipe so the runtime installs without reaching the public npm registry.

SBOM. A CycloneDX software bill of materials generated at publish time, covering every direct and transitive runtime dependency. This is the artifact supply-chain risk management (SCRM) reviews require.

Signed artifacts. Sigstore signing for published packages, with SLSA Level 2 provenance attestation. The consumer verifies the bundle before install.

Network-policy validator. A runnable script that enumerates every outbound call the runtime can make and reports which calls have been rerouted to in-perimeter destinations. The output is the evidence artifact a compliance reviewer signs off on.

Hardcoded-endpoint closure. The three remaining openrouter.ai call sites are replaced with DI-injected provider calls, closing the last gaps that prevent strict perimeter enforcement.

Where to go next

The GitHub roadmap tracks the v2+ items listed above. Follow the @pleach/core repository at github.com/pleachhq/core and filter by the air-gapped label.

On this page