R
RailCall
Everyone's riding the AI hype bubble. We're not — this is real.

Build locked-down workflows and autonomous agents that actually follow the process. Agents draft. You approve. Receipts prove — all on your machine.

Agents are probabilistic. Your data is not. Your team already wants AI working the books, the CRM, the inbox — trust is the only blocker. RailCall makes yes safe: every write stages with zero side-effects, no agent touches a customer, a record, or a dollar until you approve, and every run mints a signed, verifiable receipt. Local-first, code-signed, a flat $0.01 per flow.

signed & notarized · opens clean · or one-line install · 100 free flows · no card · 100% local

or install via terminal curl -fsSL https://railcall.ai/install.sh | bash
railcall studio · 127.0.0.1
RAILCALL // Layer-2 Builder Monitor Integrate LOCAL · BYOK · DRY-RUN · RECEIPT-BACKED · NO FAKE GREEN
loopback:127.0.0.1 · keys local · 0600 · 26 integrations · 6 workflows · 266 receipts
WORKSPACE · index
▸ WORKFLOWS 6
▸ INTEGRATIONS 3 conn
▾ MONITORING live
lead_routing PASS
ar_recovery PARTIAL
hubspot_leads PASS
▸ DATA 6
▸ RECEIPTS 266
WORKFLOW MONITOR · Studio Interface Preview
illustrative client-side preview · not live data · the real-time panel runs in local RailCall Studio (loopback · daemon GET /monitor)
81PENDING
56APPROVED
68EXECUTED
53BLOCKED
10FAILED
INSPECTOR · PROOF
WORKSPACE
workflows6
PASS2
externalfalse
SAFETY
sendsdisabled
networkloopback
keyslocal 0600

↑ most flows pass · the few it blocks come with the reason and the exact fix · 0 external

The governed loop

How RailCall works

Four steps, every time. Every write crosses all four — no exceptions.

1
1Connect

Plug in your stack with your own keys. They live in a local 0600 vault on your disk — nothing transits our cloud.

2
2Stage

Every change is computed with zero writes — a signed delta you can read before anything happens.

3
3Approve

Nothing touches a customer, a record, or a dollar until a human says yes.

4
4Receipt

Every run mints an Ed25519-signed receipt — independently verifiable, offline.

the governed pipeline · live illustration
your data
n8n
Salesforce
Zapier
400+ reachable
+ your intent“flag risky payments → route to the owner”
DUMP
ingest
loopback · :8799
raw → governed log
reason
AI decision
data + your intent
govern
the Airlock
vs audited code
verify
deterministic
works — or halts
lock
integrity receipt
sha256
back to your stack
Google Sheets Slack n8n 400+ reachable
every send receipted · dry-run by default
✓ RECEIPT · PASS · sha256:a17c…9f3d · dashboard matches disk · no fake green.

Two governed pillars

Govern what AI builds. Govern what it runs.

Describe any program — RailCall composes it from a pre-audited library and the integrations on your left rail, then runs it airlocked. One receipt for the build, one for every flow.

Governed Builds

Build any program — from audited legos only.

Point any LLM (your key) at a workflow. It drafts; RailCall composes the UI and logic strictly from license-clean, version-pinned components — never freehand code. If a piece doesn't exist, it says so. Every build ships a receipt.

✓ components audited · ✓ license-clean · ✓ pushed to your local link
Governed Workflows

Run anything — local, dry-run, fail-closed.

Every action stages for approval, executes on your machine, and is measured with a per-flow lsof socket sweep. A stray socket fails the receipt and aborts a governed assembly — isolation is measured, never assumed.

✓ 0 external sockets · ✓ sha256 integrity root · ✓ keys local 0600
railcall studio · builder · 127.0.0.1
RAILCALL // Layer-2 Builder Monitor Integrate LOCAL · BYOK · DRY-RUN · RECEIPT-BACKED · NO FAKE GREEN
INTEGRATIONS · your palette
hubspot
salesforce
email KEY
github TESTED
slack
stripe
BYOK · LLM ROLES
claude your key
gpt-4o your key
gemini your key
groq TESTED
BUILDER · compose any program from the audited library
describe ❯ a workflow, a website, a program… (or type build) ⌘K

↑ describe it · pick your LLM · it composes from audited legos → your local link

Enterprise Data Sovereignty

Zero data-bearing sockets during processing.

In regulated work (finance, healthcare, enterprise CRM), uploading source code, schemas, or customer records to a cloud SaaS breaks your security perimeter. RailCall executes entirely on your machine, in memory.

A governed flow opens zero outbound sockets while your data is in memory — enforced by real-time lsof sweeps. The only connection is a split-second billing pulse carrying a client-side SHA-256 key hash and a random nonce — your business information never shares a socket with our cloud. Open Wireshark and audit the packets live: our gateway is a transaction register, not a data sink.

mcp_assembly_receipt.json Verified
{
  "timestamp": "2026-06-16T11:58:00Z",
  "input_source": "fixtures/metrics.csv",
  "integrity_root": "sha256:bb3323b6...",
  "security_audit": {
    "socket_block_enforced": true,
    "network_io_observed": false,
    "airlock_status": "SECURE"
  },
  "billing": {
    "toll_metered_usd": 0.01,
    "billing_state": "dry_run_preview"
  }
}

Every live connector clears the same conformance bar: staging writes nothing, approval executes exactly the staged delta, failures roll back or escalate loudly.

Who it's for

Your team already wants agents.
Trust is the blocker.

RailCall makes yes safe — the write waits for a human, and the receipt proves what ran.

Agencies

Automations on client accounts

One bad write on a client's CRM is a churned client. Every change stages first, a human approves it, and the signed receipt shows the client exactly what ran.

Finance · AR ops

Where a wrong write costs real money

Invoices, dunning, settlements — nothing posts, sends, or settles until a human approves the staged delta. Failures roll back or escalate loudly.

Compliance-blocked teams

Compliance said “no agents touch production”

Strict-by-default approval — every write waits for a human — plus verifiable receipts turn that no into a governed yes.

Hybrid Automation Overlay

Build custom programs. Reverse-integrate either way.

Keep your n8n, Zapier, and custom pipelines — they're great at the chaotic public web. But the moment a workflow needs to analyze sensitive data, make an intelligent suggestion, or touch backend code that matters, route that payload into RailCall — a local, two-way loopback control plane: secure the data inside the airlock, run the reasoning, and reverse-integrate the clean, structured results straight back into your destination stack, with zero data exposure.

Cloud workflow tools
n8n · Zapier · Make
RailCall
local · governed
Where your data goes
Their cloud — or your own servers to run & secure
Never leaves your machine
Audit trail
Run logs in their UI
Ed25519 receipts — verify offline
Network during a run
Open
Fail-closed airlock · 0 sockets, lsof-proven
State on failure
Pipeline breaks or duplicates the run
Local rollback — contained, signed delta
Pricing
Per-execution + per-seat tiers
Flat $0.01 / flow, blind-metered
Your automations
Licensed, locked in their tool
You own every line — even after you cancel
Reach
400+ nodes
35 direct + 412 reachable via the API stack — all local · full list →

Not a knock on them — they're great at the public web. This is what changes the moment the data is sensitive.

This isn't a workflow-template store. They sell you brittle pre-built flows you have to bend to your problem. RailCall ships pre-audited code that composes to whatever your scenario actually needs — and you pay per flow, never per seat.

Dual-mode integration

One local binary. Two ways to work. Use your favorite AI clients as the brain, while RailCall acts as the airlocked hand.

Path A · The IDE's Hands

Universal MCP Server

RailCall registers as an open Model Context Protocol (MCP) server. When your agent wants to build layouts, it calls the local binary over stdin/stdout. The AI handles the "thinking"—RailCall handles the "doing."

  • Cursor (Features → MCP)
  • VS Code (Cline / Roo)
  • Claude Desktop / Code
Path B · Manual Execution

Standalone Terminal CLI

Need a fast, offline compilation pass? Type commands directly into your shell. RailCall parses with a small model running locally on your machine — nothing leaves your box.

railcall login <key>

railcall audit <file.csv>

railcall verify <receipt.json>

The Airlocked Hand

Zero dependencies — 100% Python standard library, loopback-bound. A structural excerpt of the local MCP server is below; the full mcp_server.py and architecture live in the docs.

mcp_server.py
#!/usr/bin/env python3
"""
RailCall Local MCP Server & CLI - the "Airlocked Hand" for AI agents.
Zero dependencies . Python standard library only . loopback-bound.
"""
import sys, os, json, csv, subprocess, hashlib
from datetime import datetime, timezone

LOOPBACK_TOKENS = ("127.0.0.1", "localhost", "[::1]")

def measure_active_sockets(pid):
    # per-flow lsof sweep - external sockets are blocked, not assumed safe
    cmd = ["lsof", "-a", "-i", "-P", "-n", "-p", str(pid)]
    ...   # returns status + external / loopback socket counts; UNKNOWN if lsof fails

def emit_receipt(integrity_root, socket_audit, billing):
    # every build and every flow ships a hash-sealed receipt
    ...   # UNKNOWN means unverified - never shown as a false pass

# MCP mode: JSON-RPC over stdio (Cursor / Claude Desktop)
# CLI mode: manual, offline human testing
if __name__ == "__main__":
    run_mcp_server()

See the full MCP/server architecture in Docs →

Autonomy, governed

You draw the line.

Where automatic ends and approval begins is a setting you own — never a default an agent can drift past.

Shipped today

The strictest setting

Everything up to the write runs itself — ingest, decide, stage. Every write waits for a human. That's the default, out of the box.

Built · next release

Approval policies

A standing, signed rule for where automatic ends — auto-approve reversible updates under a limit, always stop for anything irreversible or money. Ships with 4 hard floors nobody can edit, a blast-radius preview before any rule goes live, and receipts that name their approver — policy or human.

Changing the policy is itself a governed, receipted write — it stages, you approve it, and a signed receipt records who widened what, when. An agent can never loosen its own leash.

Metered by the flow, not the seat

Start free — 100 flows, no card. After that, a flat $0.01 per governed flow. No seats, no idle bills — you pay only for what you run.

A flow = one governed action — a build, an audit, or an interpret pass. Composing, dry-runs, and rebuilds after drift don't re-bill.

Free
$0100 flows

Build your first workflow and verify a real receipt. No card.

100 flows included
Full local Studio + CLI
Signed, verifiable receipts
Most popular
Pay-as-you-go
$0.01/ flow

The whole product. No seats, no subscription, no idle bills.

$10 → 1,000 flows
Balance never expires
By the flow, never the seat
Buy flows →

Bigger team? Same $0.01 / flow — plus SSO/SCIM, scoped keys, a DPA & procurement on an enterprise contract. Talk to us →

Blind-metered — only a hashed key + nonce, never your data Every paid flow writes a receipt you verify offline Balance never expires Card checkout on Stripe — details never touch RailCall

The same job, priced both ways · build & run 10 workflows · one month

Build it all on Claude your compute

Frontier-model tokens for every line — generated, then regenerated when it drifts.

Generate 10 workflows · ~3M tok ea$300
Drift → rebuild · ~3 of them$90
Run 1,000× · agent reasons via Claude each call$250
Audit + license-check the outputyour time
Total ~$640 / mo
$0.01 / flow
RailCall

Compose from a pre-audited library. Reasoning runs local — flat per flow, not metered tokens.

Compose 10 from the library · ~200 flows$2.00
Drift · locked, integrity root$0.00
Run 1,000× · local, $0.01 flat$10.00
Audit + license-checkincluded
Total ~$12 / mo

Same 10 workflows. ~50× the bill on raw Claude — you pay to generate, regenerate, and burn tokens on every flow. RailCall composes from pre-audited legos and reasons locally: $0.01 to run, $0 to rebuild.

Estimated at Claude's published rates — $5 / $25 per M tokens (Opus 4.8). Real spend varies with workload.

What flows actually cost
Build a workflow~20 flows · $0.20
Audit a project1 flow · $0.01
Run a pipeline 1,000×1,000 flows · $10
Busy 5-dev shop / motypically $20–60
Estimate yours $21.00 /mo

Pay by card through the secure Stripe portal today. Coming soon: USDC via x402 · autonomous budgeted wallets.

The line we won't cross

No VCs. No board.
No one to answer to but you.

RailCall will never take outside investment. No venture vultures. No profit-driven board steering your tool toward the most extractable version of itself. We answer to the people who run RailCall — not to a cap table demanding its pound of flesh every quarter. You get the best product, not the most monetizable one.

"If it's this powerful, why is it a local download? Why only a penny a flow? What's the catch?"

No catch — just different corporate physics. VC-funded SaaS has a cap table to feed, so it's structurally pushed to meter you per seat, hold your data on its servers, and lock your automations the day you stop paying. We took no outside money, so we're free to ship the exact opposite.

And the penny isn't a loss-leader. The heavy compute runs on your hardware — not our server farm — so our cost to run your flow is near zero. The flat $0.01 just maintains the compilation layer and a blind ledger that physically can't read the data it counts. That's why it's cheap — and why it stays cheap.

built for operators · owned by no one but us

Built by battle-tested operators, not anonymous dev accounts.

Enterprise procurement teams don't buy critical infrastructure from unvetted accounts. RailCall is led by Patrick Linden, founder of Atlantic Energy (scaled across 36 utilities).

As an operator who raised a $75M debt facility (Signature Bank / V3) and led the exit at Gainline Partners, Patrick builds for teams where data integrity and compliance must be verifiable, not assumed.

Patrick Linden — Founder & CEO

Kyle Burke — CFO

Nick Capozzo — COO

100,000+ customers Prior operating record · retail acquisition
Atlantic Energy
$75M debt facility Structured ABL
Signature / V3
PE exit (led) Institutional transition
Gainline Partners
Roadmap · planned

Where RailCall goes next

Same rules every step: local-first, your data never leaves your machine, you own your code. Directional, not dated.

v1.1

Developer ergonomics

From install to your first flow in a single line of code.

  • The @airlock.flow decorator — wrap any Python or TypeScript function and it becomes an audited, metered, receipted flow. One line, no boilerplate.
  • Low-balance nudges — a clean, non-blocking alert when you drop below 1,000 flows, with one-click top-up. Production pipelines never pause.
from railcall import airlock

@airlock.flow(name="client_sync")
def run_pipeline():
    # read local DB, call webhooks, any local logic
    # → now audited + metered + receipted
    ...
v1.2

Ready-made starting points

Drop-in blocks for the work you do most — so you start from a working flow, not a blank file.

  • A growing block library — audited, ready-to-run starting points for common jobs (database syncs, webhook routing, data formatting).
  • Yours to keep — what you build lands in your project and keeps running locally, even after you cancel. Your IP, never held hostage.
v2.0

Enterprise air-gapped tier

Run with zero live connection to us — for strict, isolated network boundaries.

  • Offline-first orchestration — a local daemon queues signed execution tallies entirely on disk. No real-time internet dependency.
  • Encrypted ledger settlement — once a month, push a single file carrying only nonces + signature hashes to settle your balance. Never your data.

Directional, not a commitment to dates. Built in the open — follow along on Discord.

Questions, answered straight

No asterisks. If we can't prove it, we don't claim it.

Do I choose what runs automatically and what waits for me?+

Yes — that line is yours to draw. Today ships with the strictest setting: everything up to the write runs itself (ingest, decide, stage), and every write waits for your approval. Approval policies are built and land in the next release: a standing, signed rule for where automatic ends — e.g. auto-approve reversible updates under a limit, always stop for anything irreversible or money. Changing the policy is itself a governed write: it stages, you approve it, and a signed receipt records who widened what, when — so an agent can never loosen its own leash.

What exactly is a "flow"?+

One governed action — a build, an audit, or an interpret pass. Free trial flows stay fully local; paid flows meter server-side at a flat $0.01. Composing, dry-runs, and rebuilds after drift don't re-bill.

Does my data ever leave my machine?+

No. Workflows run on your machine; your keys, files, and data stay there. The only outbound call is the blind meter — and you don't have to take our word for it: run lsof or open Wireshark and watch zero data leave.

Is my API key ever transmitted?+

Never in the clear. To check your balance the CLI sends only a SHA-256 hash of your key plus a one-time nonce — never the key itself, and never your data. The metering endpoint physically can't read what it counts.

How do I verify a receipt myself?+

Every governed flow mints an Ed25519-signed receipt on your disk. Verify it offline with the public key embedded in the receipt — no network, no trust in us required. railcall verify <receipt> does it for you, and a tampered receipt fails the signature.

What happens to my code if I cancel?+

You keep every line you generated. It runs locally and depends on nothing we host. Your prepaid balance doesn't expire either — there are no hostage automations and no per-seat lock-in.

Per seat or per use?+

Per flow, never per seat. Teams share one balance and invite teammates for free. You're charged for the flows you actually run — nothing else.

Run your first governed flow in two minutes.

100 free flows. No card. 100% local. You own the code — even after you cancel.

Download RailCall Studio

or curl -fsSL https://railcall.ai/install.sh | bash