# Government & public sector (/docs/use-cases/government)



This page is the landing for federal agencies, state and local
government (SLG), government contractors, and SLG IT teams evaluating
Pleach for procurement.

It is written conservatively. Pleach has shipped a useful v1 floor for
this audience, but it is **not FedRAMP-authorized today**, IL5/IL6 is
not in scope at v1, and the roadmap items (SBOM, Sigstore, full offline
install) are tracked honestly below rather than collapsed into a
checkmark grid.

## Who this is for [#who-this-is-for]

* **Federal agencies** — civilian (GSA, HHS, IRS, Treasury) and
  defense-related (DoD program offices, defense primes, FFRDCs).
* **State and local government** — state IT (CalDGS, NYC OTI), city
  digital-services teams, county and municipal procurement.
* **Government contractors** — defense primes (Lockheed, Raytheon,
  Booz Allen, SAIC) and integrators delivering to federal agencies under
  a flowdown.
* **SLG IT** — managed-service providers serving multi-tenant SLG
  customers under shared compliance posture.

Common shape: 1,000–100,000+ person organizations, multi-million-dollar
AI budgets, 12–24 month procurement cycles, hard requirements on
license, hosting topology, identity federation, and audit posture.

## v1 scope — what ships today [#v1-scope--what-ships-today]

Three concrete capabilities, each tested and on `vine`:

### 1. License clarity for procurement [#1-license-clarity-for-procurement]

All 13 publishable SKUs ship under **FSL-1.1-Apache-2.0**
(Functional Source License 1.1 with a future-license clause to
Apache-2.0 at the 2-year mark). This is the single biggest procurement
unblocker for government buyers — there is a written, dated path from
source-available to OSI-compliant Apache-2.0.

See [License compatibility](/docs/use-cases/government/license-compatibility)
for the procurement-facing detail.

### 2. Air-gapped endpoint redirection [#2-air-gapped-endpoint-redirection]

`@pleach/core` enforces a fail-closed allowlist on every outbound
provider URL when `airGapped: true` is set on `SessionRuntimeConfig`.
The check lives next to the `fetch()` it guards, so a host cannot
bypass it by forgetting to wire something at the edge. Operator
misconfiguration (empty allowlist + air-gapped mode) is surfaced at
construction time, not at first call.

See [Air-gapped architecture](/docs/use-cases/government/air-gapped-architecture)
for the call-site map and the v2+ gaps (dependency vendoring, full
offline install).

### 3. IAM-federated identity (AWS GovCloud) [#3-iam-federated-identity-aws-govcloud]

`@pleach/gateway/identity/providers/iam` ships an `IdentityProvider`
backed by STS `AssumeRole`. The buyer supplies their own `STSClient`
(region-scoped to `us-gov-east-1` / `us-gov-west-1`), and the provider
templates a per-tenant role ARN so IAM policies scope model access per
tenant. The adapter takes no build-time dependency on `@aws-sdk/*` —
the STS client is injected.

Azure Government and GCP IL2 identity adapters exist at
`@pleach/gateway/identity/providers/{azure,gcp}` but are not wired by
the `governmentAgent` recipe at v1. AWS GovCloud is the explicit v1
target.

## v2+ roadmap [#v2-roadmap]

The honest list of what is not in v1:

* **FedRAMP authorization (Moderate, then High).** This is a 12–18
  month paperwork track. The runtime surfaces
  declared `fedrampBaseline` as procurement-visible metadata today; the
  authorization itself is not.
* **DoD Impact Level 5 / Impact Level 6.** Out of scope at v1. Tracked
  for v2+ as a separate program parallel to FedRAMP High.
* **Fully air-gapped offline install.** v1 ships the runtime
  enforcement (URL allowlist + env-var override of the OpenRouter base
  URL) but `npm install` still requires reaching a private registry or a
  vendored snapshot. The vendoring recipe is v2+ scope.
* **SBOM artifacts (CycloneDX 1.5 / SPDX 2.3).** The `governmentAgent`
  recipe surfaces declared `sbomFormat` as procurement-visible metadata
  today, but the publish pipeline does not yet emit the artifact. v1.x
  scope.
* **SLSA provenance + Sigstore signing.** Same status as SBOM —
  declared on the agent, not yet emitted by the publish pipeline. v1.x
  scope.

See [Supply-chain risk & SBOM](/docs/use-cases/government/scrm-and-sbom)
for the SCRM stance and the per-SKU dependency posture.

## Quickstart [#quickstart]

```ts
import { governmentAgent } from "@pleach/recipes"
```

The minimal air-gapped + IAM example:

```ts
import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts"
import { governmentAgent } from "@pleach/recipes"

const stsClient = new STSClient({ region: "us-gov-east-1" })

const bot = governmentAgent({
  agencyId: "gsa-tts",
  airGapped: true,
  airGappedAllowedHosts: ["llm.internal.gsa.gov"],
  classification: "fouo",
  fedrampBaseline: "moderate",
  onPremProvider: {
    kind: "iam",
    endpoint: "https://llm.internal.gsa.gov",
  },
  iamConfig: {
    stsClient,
    roleArnTemplate:
      "arn:aws-us-gov:iam::123456789012:role/pleach-gateway/{tenantId}",
    assumeRoleCommandFactory: (input) => new AssumeRoleCommand(input),
  },
  auditPackage: { format: "fedramp", retentionYears: 7 },
})

const answer = await bot.ask(
  "Summarize current FedRAMP boundary changes.",
)
```

What this wires:

* `airGapped: true` + a single-host allowlist — every outbound provider
  URL is checked against `llm.internal.gsa.gov`; anything else throws
  `AirGappedHostRejectedError` from
  `@pleach/core/runtime/AirGappedRuntimeOption`.
* `onPremProvider.kind: "iam"` + `iamConfig.stsClient` — the recipe
  lazy-loads `createIamIdentityProvider` from
  `@pleach/gateway/identity/providers/iam` and exposes the provider +
  token cache on `bot.iamProvider` / `bot.tokenCache` so the host can
  thread them into its gateway wiring.
* `classification: "fouo"` + `fedrampBaseline: "moderate"` —
  procurement-visible metadata stamped on the runtime under the
  `GOVERNMENT_AGENT_TAG` symbol. The metadata does not enforce
  authorization; it surfaces the operator's declared posture for audit.

## Fail-closed by design [#fail-closed-by-design]

If `airGapped: true` is supplied with an empty or absent
`airGappedAllowedHosts`, the allowlist rejects **every** outbound URL.
`@pleach/core` enforces this fail-closed: the first provider-URL
resolution throws `AirGappedHostRejectedError`, so a misconfigured
air-gapped deployment fails on its first call — during smoke test —
rather than leaking silently in production.

## What this recipe does not do [#what-this-recipe-does-not-do]

* Does not enforce FedRAMP / IL5 / TS authorization. Those are
  paperwork tracks; the recipe surfaces the declared posture but does
  not validate it against an ATO.
* Does not bundle a fed-cloud provider. The buyer constructs the
  `STSClient` (or equivalent) and injects it.
* Does not generate SBOM or SLSA provenance artifacts. Those are
  publish-pipeline concerns, tracked for v1.x.
* Does not call `init({ destination })` for `@pleach/observe` — the
  observe SDK is process-singleton; the host owns init.

## Related [#related]

* [License compatibility](/docs/use-cases/government/license-compatibility)
* [Air-gapped architecture](/docs/use-cases/government/air-gapped-architecture)
* [Supply-chain risk & SBOM](/docs/use-cases/government/scrm-and-sbom)
* [Air-gapped deployment (general)](/docs/air-gapped-deployment)
* [Compliance](/docs/compliance)
* [Gateway](/docs/gateway)
