RRailCall/ enterprise

RailCall Enterprise — System Architecture & Regulatory Compliance Manual

Release: v0.1 previewTarget Architecture: Isolated Local LoopbackSecurity Model: Zero business-data egress · Blind metering · Governed Audit Logging
Controls map to — not certified:HIPAAFINRASECSOC 2 Type IIGDPR
Contents 1. System Topology & Data Flow2. The Workflow Library3. Data Containment↳ Blind-Metering Security Policy4. Regulatory Alignment5. AI Grounding Policy6. Verification & Testing7. Runtime Governance ControlsGovernance Boundary

1. System Topology & Automated Data Flow

RailCall Enterprise runs entirely on local-host metal, isolated to the loopback boundary. The architecture operates on a strict boundary model: ingestion executes zero untrusted or unreviewed code.

Data payloads enter through a loopback-bound ingestion gate, instantly record a tamper-evident cryptographic audit trail, and await explicit, human-approved execution via an isolated data airlock.

[ THE EXTERNAL WORLD ]  │  [ LOCAL LOOPBACK BOUNDARY (127.0.0.1:8799) ]
                        │
   Third-Party          │       ┌───────────────────────────────────────┐
   Webhooks             │       │        /api/webhook/<slot_id>          │
 (Stripe/GitHub/Slack) ─┼──────►│  (Native Ingestion Gate · Max 64KB)   │
   via Secure Tunnel    │       └───────────────────┬───────────────────┘
 (Ngrok/Tailscale/Mesh) │                           │
                        │               [Appends Sanitized Event]
                        │                           ▼
                        │       ┌───────────────────────────────────────┐
                        │       │         Governed Audit Log            │
                        │       │    (Flat-file Tamper-Evident Trail)   │
                        │       └───────────────────┬───────────────────┘
                        │                           │
                        │                   [Flashes In Real-Time]
                        │                           ▼
                        │       ┌───────────────────────────────────────┐
                        │       │          Live UI Monitor Feed         │
                        │       │(Studio Monitor tab, 127.0.0.1:8799/v2)│
                        │       └───────────────────────────────────────┘

The Inbound Data Velocity Control

The local ingestion engine exposes a single hardened loopback route. It rejects any payload over 64 KB with HTTP 413 — nothing is stored or truncated. Accepted payloads are written immediately to a disk-backed inbox — without compiling, evaluating, or executing any raw code.

2. The Workflow Library — Finite, Pre-Audited, Signed

Every workflow is composed from a finite, pre-audited library with signed provenance — reviewed building blocks with verifiable origin, never code improvised at runtime. For a compliance team, that means what can run is enumerable, and what did ship is provable.

3. Enterprise Data Containment & Platform Value

For teams in high-stakes environments, standard cloud-based AI tools represent an unmanaged data-egress vector. RailCall Enterprise isolates the reasoning layer from the execution layer: AI models reason over abstract schemas and structural blueprints. Outbound is limited to the blind billing pulse (SHA-256 key hash + nonce + action) and — on hosted builds — the plain-English description you type (zero-retention). Your records, provider keys, and receipts never leave your machine.

Loopback-Isolated Execution

The execution core binds exclusively to a local loopback address (127.0.0.1), isolated from the public internet — reducing exposure to remote supply-chain attack paths and keeping production layers off external networks.

Data Quarantine

Inbound payloads are locked inside sandboxed flat-file vaults. Because no code runs automatically on ingestion, payloads are quarantined before they can reach an execution runtime.

Cryptographic Evidence

Every build plan, dry-run workflow, and agent action mints a signed, tamper-evident receipt — giving security teams verifiable evidence to streamline external audits.

Cost at Scale

The reasoning cost is paid once, against a finite, pre-audited library. From then on, flows execute deterministically on your own hardware — a flat $0.01 per flow with no per-token metering, so the unit cost cannot climb with volume. See the cost architecture →

Blind-Metering Security Policy — verify it yourself

The pillars above are not posture. Each is a specific, reproducible control you can audit on your own machine — this is the policy a compliance team can attach to a review. The billing gateway settles usage seeing only a key-hash and a per-call nonce — never your workflow names, steps, payloads, or files.

① Data-custody boundary

Payload parsing, API-token ingestion, and schema mapping happen entirely inside the local RailCall runtime (loopback 127.0.0.1). Credentials and workflow state serialize only to local disk at 0600 (owner-only) permissions. The RailCall Cloud Gateway holds zero state for your business data, schemas, files, or third-party API vectors — it is a billing register, not a data sink.

② Process-level network airlock — fail-closed

Every governed execution runs behind a two-layer, fail-closed network airlock. There is no "monitor and hope": a single attempted socket aborts the run and the receipt is stamped FAIL.

as shipped (abridged) · the OS-level socket sweep (fail-closed)

def lsof_self_check():
    # Any internet socket OR any lsof failure => NOT clean. Never assume isolation.
    r = subprocess.run(["lsof", "-nP", "-a", "-i", "-p", str(os.getpid())],
                       capture_output=True, text=True, timeout=10)
    sockets = [l for l in r.stdout.splitlines()[1:] if l.strip()]
    return (len(sockets) == 0), f"{len(sockets)} internet socket(s)"

# ...inside the execution path — fail closed on ANY socket or a failed check:
if sockets_opened != 0:
    raise IOError("network airlock breached during assembly")
clean, detail = lsof_self_check()
if not clean:
    raise IOError(f"lsof check failed (fail-closed): {detail}")

③ Cryptographic blind metering

Billing settles the flat $0.01 per flow without the gateway ever learning what ran. The client posts to /meter a body of only three fields: the SHA-256 of your API key (the raw key never traverses the wire), a one-time nonce, and the action name. The gateway validates the hash against the ledger, decrements one penny atomically, records the nonce to defeat replay, and closes the connection. No run data, schema, log, or business variable is accepted by — or even reachable from — the metering endpoint.

# the entire metering payload — no key, no data, ever
POST /meter
{ "key_hash": "<sha256(api_key)>", "nonce": "<one-time>", "action": "decrement_run" }
# replayed nonce => "duplicate ignored" (no double-bill) · insufficient balance => HTTP 402

④ Offline-verifiable receipts

Every governed action mints a receipt signed with Ed25519 over a canonical (sorted-key) JSON serialization. The receipt records the network-airlock result, a SHA-256 integrity root over the source tree and output, and a PASS/FAIL verdict. Anyone holding the 64-hex public key can verify a receipt's signature with no network call — the audit trail is tamper-evident and independent of RailCall.

4. Regulatory Alignment & Industry Specifics

In heavily regulated spaces, standard AI tools introduce legal liability and complex vendor reviews. RailCall is designed to reduce that structural friction.

🛡️ Bypassing the third-party-processor trap

Under frameworks like HIPAA or GDPR, routing user data through external AI third parties typically requires Business Associate Agreements (BAAs) and introduces broad liability. With RailCall, raw regulated data stays within your local storage boundaries.

Regulatory frameworkThe compliance burdenHow RailCall helps you enforce it locally
Healthcare & Life SciencesHIPAA / HITECH / GDPRNo unprotected exposure, storage, or transmission of Protected Health Information (PHI) to unauthorized cloud entities.Local containment. Records and webhooks land in a flat-file loopback inbox; the local Monitor surface is zero-CDN and loopback-bound by construction, so PHI is not sent off-box.
Financial Services & FinTechFINRA / SEC / SOC 2 Type IIUn-alterable audit logs, deterministic change management, and verifiable separation of concerns.Tamper-evident receipts. Every structural mutation or dry-run execution mints a cryptographically signed receipt — a tamper-evident trail for internal controls.
Defense, Government & EnterpriseSovereign control over data residency, isolation from untrusted dependencies, and defense against remote code execution.Deterministic boundaries. Reasoning is isolated from execution; code never auto-executes on ingestion, closing remote-exploitation and untrusted-package-injection vectors.

The table describes how RailCall's local controls map to each framework's requirements — it is not a claim of certification under any framework. See the governance boundary below.

5. Reinforced AI-Assistant Grounding Policy

The model operating across the system's /api/chat route follows this protocol to stay aligned with the physical architecture:

🛑 The native-integrations doctrine
  1. Never invent servers. For an external tool (Stripe, GitHub, Postgres, Salesforce), never write or suggest custom Express, Flask, Node, or Ruby infrastructure listeners.
  2. Enforce the slot architecture. Direct the user to open the pre-built, structured integration slots in their left-pane workspace.
  3. The webhook rule. External traffic must hit http://127.0.0.1:8799/api/webhook/<slot_id>. Payloads map directly to flat-file entries on disk and flash across the Monitor tab. No processing logic runs during ingestion.
  4. No public sockets. The gateway binds exclusively to 127.0.0.1. Real-world external senders require a secure local tunnel (e.g. Ngrok) run explicitly by the user — the platform never opens a public socket automatically.
  5. No fake green. If an asset or primitive is unverified, it is flagged UNKNOWN. Never assume compliance or validation without a cryptographic receipt pass.

6. System Verification & Testing Manual

Install with curl -fsSL https://railcall.ai/install.sh | bash — it runs from your terminal, so there's no browser download and no Gatekeeper prompt. Then run railcall studio (or double-click the launcher the installer drops on your Desktop) and audit the real loopback gate yourself on 127.0.0.1:8799.

Step 1 · Launch the Studio
railcall studio   # boots the loopback gate on 127.0.0.1:8799 (or double-click the Desktop launcher)
Step 2 · Fire a raw payload at the gate
curl -X POST http://127.0.0.1:8799/api/webhook/stripe_payment_slot \
  -H "Content-Type: application/json" \
  -d '{"id": "evt_test_123", "type": "charge.succeeded", "amount": 5000}'
Step 3 · Verify the outputs
cat ~/.railcall/station/.railcall_workspace/webhook_inbox/stripe_payment_slot/*.json

7. Runtime Governance Controls — Approval Policy & the Evidence Ledger

Two operator-facing controls sit on top of the containment architecture above. (For the full security posture — data-flow, subprocessors, compliance status, DPA — see the Trust & Security page; for a vendor review, the pre-answered CAIQ / SIG-Lite questionnaire is on the Security Review page.) Both ship in the Studio today; both produce the cryptographic evidence this manual is built around.

7.1 The Approval Policy — four hard floors, then your rules

Every governable action is classified by reversibility: reversible (the prior value can be restored) · compensable (a counter-action neutralizes it — delete, close, refund) · irreversible (a human saw it; it cannot be taken back). Above that classification sit four floors no operator, admin, or agent can edit:

F1  Irreversible actions always stop for a human — no rule can auto-fire what can't be taken back.
F2  Unclassified actions always stop for a human — unclassified means untrusted.
F3  Policy changes always stop for a human — the policy can never authorize its own widening.
F4  A $-capped rule with an unpriced action stops for a human — if it can't be priced, a cap can't clear it.

Within the floors, operators write plain-language rules (auto-approve a class on a connector, optionally under a dollar cap; block a verb outright). A policy change goes through the same stage → approve airlock as any write: staging computes a signed widen/tighten diff plus a blast-radius simulation — every action, decided by the real engine — before anything is live. Every policy version is Ed25519-signed and hash-chained to its predecessor; a one-click revert to strictest stages the empty ruleset (the kill-switch drill).

7.2 The Evidence Ledger — attribution an auditor can re-derive

The Monitor tab is an audit-grade ledger over the on-disk artifacts: receipts, policy changes, and the blocked and rolled-back events too — success-only logs are an audit finding, not a feature. Each row answers: who initiated, which principal executed (policy_auto (vN) — a named policy version — or human (ui_click)), why it was permitted (the exact rule or floor), and the signed receipt. One click re-verifies every receipt from canonical disk bytes and re-walks the policy hash chain; the filtered view exports as a JSON evidence bundle that carries its own verification block, so a third party can check the chain with zero trust in the operator or in RailCall.

7.3 Custody & recovery of the compliance record

Receipts and the policy chain live on the operator's machine. railcall backup bundles them into a portable, self-verifying archive (per-file SHA-256 manifest, chain head + intact status, Ed25519-signed manifest — provider keys are excluded by construction); railcall restore verifies every byte and the chain before writing, refuses tampered archives, and will not silently roll a newer policy chain backward. Machine loss therefore costs the hardware, not the audit trail.

⚠️ Disclosure & corporate-governance boundary. RailCall Enterprise provides the local architectural boundaries, sandboxing controls, and verifiable cryptographic evidence required to support strict internal compliance audits. RailCall does not automatically grant SOC 2, HIPAA, or GDPR certification on its own. Organizations must map RailCall's flat-file ledger outputs and local-containment parameters to their own corporate governance and compliance policies. UNKNOWN status items indicate unverified assets — never a passed control.

Get RailCall Studio →   Read the full architecture in Docs →