Agents are probabilistic. Your data is not. Your team already wants AI working the books, the CRM, the inbox — trust is the only blocker. RailCall makes yes safe: every write stages with zero side-effects, no agent touches a customer, a record, or a dollar until you approve, and every run mints a signed, verifiable receipt. Local-first, code-signed, a flat $0.01 per flow.
signed & notarized · opens clean · or one-line install · 100 free flows · no card · 100% local
curl -fsSL https://railcall.ai/install.sh | bash
↑ most flows pass · the few it blocks come with the reason and the exact fix · 0 external
The governed loop
Four steps, every time. Every write crosses all four — no exceptions.
Two governed pillars
Describe any program — RailCall composes it from a pre-audited library and the integrations on your left rail, then runs it airlocked. One receipt for the build, one for every flow.
Point any LLM (your key) at a workflow. It drafts; RailCall composes the UI and logic strictly from license-clean, version-pinned components — never freehand code. If a piece doesn't exist, it says so. Every build ships a receipt.
Every action stages for approval, executes on your machine, and is measured with a per-flow lsof socket sweep. A stray socket fails the receipt and aborts a governed assembly — isolation is measured, never assumed.
↑ describe it · pick your LLM · it composes from audited legos → your local link
In regulated work (finance, healthcare, enterprise CRM), uploading source code, schemas, or customer records to a cloud SaaS breaks your security perimeter. RailCall executes entirely on your machine, in memory.
A governed flow opens zero outbound sockets while your data is in memory — enforced by real-time lsof sweeps. The only connection is a split-second billing pulse carrying a client-side SHA-256 key hash and a random nonce — your business information never shares a socket with our cloud. Open Wireshark and audit the packets live: our gateway is a transaction register, not a data sink.
{
"timestamp": "2026-06-16T11:58:00Z",
"input_source": "fixtures/metrics.csv",
"integrity_root": "sha256:bb3323b6...",
"security_audit": {
"socket_block_enforced": true,
"network_io_observed": false,
"airlock_status": "SECURE"
},
"billing": {
"toll_metered_usd": 0.01,
"billing_state": "dry_run_preview"
}
}
Every live connector clears the same conformance bar: staging writes nothing, approval executes exactly the staged delta, failures roll back or escalate loudly.
Who it's for
RailCall makes yes safe — the write waits for a human, and the receipt proves what ran.
One bad write on a client's CRM is a churned client. Every change stages first, a human approves it, and the signed receipt shows the client exactly what ran.
Invoices, dunning, settlements — nothing posts, sends, or settles until a human approves the staged delta. Failures roll back or escalate loudly.
Strict-by-default approval — every write waits for a human — plus verifiable receipts turn that no into a governed yes.
Keep your n8n, Zapier, and custom pipelines — they're great at the chaotic public web. But the moment a workflow needs to analyze sensitive data, make an intelligent suggestion, or touch backend code that matters, route that payload into RailCall — a local, two-way loopback control plane: secure the data inside the airlock, run the reasoning, and reverse-integrate the clean, structured results straight back into your destination stack, with zero data exposure.
Not a knock on them — they're great at the public web. This is what changes the moment the data is sensitive.
This isn't a workflow-template store. They sell you brittle pre-built flows you have to bend to your problem. RailCall ships pre-audited code that composes to whatever your scenario actually needs — and you pay per flow, never per seat.
One local binary. Two ways to work. Use your favorite AI clients as the brain, while RailCall acts as the airlocked hand.
RailCall registers as an open Model Context Protocol (MCP) server. When your agent wants to build layouts, it calls the local binary over stdin/stdout. The AI handles the "thinking"—RailCall handles the "doing."
Need a fast, offline compilation pass? Type commands directly into your shell. RailCall parses with a small model running locally on your machine — nothing leaves your box.
railcall login <key>
railcall audit <file.csv>
railcall verify <receipt.json>
Zero dependencies — 100% Python standard library, loopback-bound. A structural excerpt of the local MCP server is below; the full mcp_server.py and architecture live in the docs.
Autonomy, governed
Where automatic ends and approval begins is a setting you own — never a default an agent can drift past.
Everything up to the write runs itself — ingest, decide, stage. Every write waits for a human. That's the default, out of the box.
A standing, signed rule for where automatic ends — auto-approve reversible updates under a limit, always stop for anything irreversible or money. Ships with 4 hard floors nobody can edit, a blast-radius preview before any rule goes live, and receipts that name their approver — policy or human.
Changing the policy is itself a governed, receipted write — it stages, you approve it, and a signed receipt records who widened what, when. An agent can never loosen its own leash.
Start free — 100 flows, no card. After that, a flat $0.01 per governed flow. No seats, no idle bills — you pay only for what you run.
A flow = one governed action — a build, an audit, or an interpret pass. Composing, dry-runs, and rebuilds after drift don't re-bill.
Build your first workflow and verify a real receipt. No card.
The whole product. No seats, no subscription, no idle bills.
Bigger team? Same $0.01 / flow — plus SSO/SCIM, scoped keys, a DPA & procurement on an enterprise contract. Talk to us →
The same job, priced both ways · build & run 10 workflows · one month
Frontier-model tokens for every line — generated, then regenerated when it drifts.
Compose from a pre-audited library. Reasoning runs local — flat per flow, not metered tokens.
Same 10 workflows. ~50× the bill on raw Claude — you pay to generate, regenerate, and burn tokens on every flow. RailCall composes from pre-audited legos and reasons locally: $0.01 to run, $0 to rebuild.
Estimated at Claude's published rates — $5 / $25 per M tokens (Opus 4.8). Real spend varies with workload.
Pay by card through the secure Stripe portal today. Coming soon: USDC via x402 · autonomous budgeted wallets.
RailCall will never take outside investment. No venture vultures. No profit-driven board steering your tool toward the most extractable version of itself. We answer to the people who run RailCall — not to a cap table demanding its pound of flesh every quarter. You get the best product, not the most monetizable one.
"If it's this powerful, why is it a local download? Why only a penny a flow? What's the catch?"
No catch — just different corporate physics. VC-funded SaaS has a cap table to feed, so it's structurally pushed to meter you per seat, hold your data on its servers, and lock your automations the day you stop paying. We took no outside money, so we're free to ship the exact opposite.
And the penny isn't a loss-leader. The heavy compute runs on your hardware — not our server farm — so our cost to run your flow is near zero. The flat $0.01 just maintains the compilation layer and a blind ledger that physically can't read the data it counts. That's why it's cheap — and why it stays cheap.
built for operators · owned by no one but us
Enterprise procurement teams don't buy critical infrastructure from unvetted accounts. RailCall is led by Patrick Linden, founder of Atlantic Energy (scaled across 36 utilities).
As an operator who raised a $75M debt facility (Signature Bank / V3) and led the exit at Gainline Partners, Patrick builds for teams where data integrity and compliance must be verifiable, not assumed.
Patrick Linden — Founder & CEO
Kyle Burke — CFO
Nick Capozzo — COO
Same rules every step: local-first, your data never leaves your machine, you own your code. Directional, not dated.
From install to your first flow in a single line of code.
@airlock.flow decorator — wrap any Python or TypeScript function and it becomes an audited, metered, receipted flow. One line, no boilerplate.from railcall import airlock @airlock.flow(name="client_sync") def run_pipeline(): # read local DB, call webhooks, any local logic # → now audited + metered + receipted ...
Drop-in blocks for the work you do most — so you start from a working flow, not a blank file.
Run with zero live connection to us — for strict, isolated network boundaries.
Directional, not a commitment to dates. Built in the open — follow along on Discord.
No asterisks. If we can't prove it, we don't claim it.
Yes — that line is yours to draw. Today ships with the strictest setting: everything up to the write runs itself (ingest, decide, stage), and every write waits for your approval. Approval policies are built and land in the next release: a standing, signed rule for where automatic ends — e.g. auto-approve reversible updates under a limit, always stop for anything irreversible or money. Changing the policy is itself a governed write: it stages, you approve it, and a signed receipt records who widened what, when — so an agent can never loosen its own leash.
One governed action — a build, an audit, or an interpret pass. Free trial flows stay fully local; paid flows meter server-side at a flat $0.01. Composing, dry-runs, and rebuilds after drift don't re-bill.
No. Workflows run on your machine; your keys, files, and data stay there. The only outbound call is the blind meter — and you don't have to take our word for it: run lsof or open Wireshark and watch zero data leave.
Never in the clear. To check your balance the CLI sends only a SHA-256 hash of your key plus a one-time nonce — never the key itself, and never your data. The metering endpoint physically can't read what it counts.
Every governed flow mints an Ed25519-signed receipt on your disk. Verify it offline with the public key embedded in the receipt — no network, no trust in us required. railcall verify <receipt> does it for you, and a tampered receipt fails the signature.
You keep every line you generated. It runs locally and depends on nothing we host. Your prepaid balance doesn't expire either — there are no hostage automations and no per-seat lock-in.
Per flow, never per seat. Teams share one balance and invite teammates for free. You're charged for the flows you actually run — nothing else.
100 free flows. No card. 100% local. You own the code — even after you cancel.
Download RailCall Studioor curl -fsSL https://railcall.ai/install.sh | bash