Security

Your code never leaves your machine

Security is not a feature we added. It is how the architecture works. Source code stays local with your agent's MCP host. API keys live in your host's config, never on our servers. The MCP boundary accepts metadata only — no file bodies, by schema.

Non-negotiable

6 security rules we never break

These rules are enforced at the code level. They cannot be overridden by configuration, user input, or admin settings.

01 Plugin keys hashed, never stored plaintext
Your RailRun API key is shown once at generation and stored as a sha256 hash on our backend. Your host stores the plaintext in its own config (Claude Code or Cursor). Our DB sees the hash only — never the plaintext.

02 Source code never crosses the MCP boundary
Your agent (Claude Code or Cursor) reads and writes files locally via its own filesystem MCP, and calls its native LLM with your own key. Our /mcp server only receives workflow metadata: status strings, file paths, counts, timestamps. No prompts, no diffs, no file contents — by protocol shape, not by self-discipline.

03 Scope manifest is a hard wall
The scope tool returns three lists: editable, read-only, excluded. Read-only paths (generated code, vendored libraries, protected modules — whatever your team marks off-limits) are surfaced to the agent before it writes anything. Attempts to patch read-only paths are reported as violations in the audit log.

04 ProcessBuilder uses explicit arg arrays
All system process execution uses explicit argument arrays -- never shell string concatenation via /bin/sh -c. This prevents command injection attacks at the architecture level.

05 Tool descriptions are compile-time constants
The MCP tool catalogue — descriptions, input schemas, expected side effects — is shipped as code, never user-configurable. Prompt-injection attempts that try to redefine our tool contracts at runtime cannot succeed; the agent's host reads schemas from our server, not from ticket bodies.

06 Input caps on every tool field
Every string field on every MCP tool is length-capped server-side (messages ≤500 chars, log tails ≤500, summaries ≤2000). This protects the database from runaway agent output and prevents accidental code or PII leaking into metadata fields.

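As an added illustration of Rule 04 (example code, not RailRun's own), the Java helper below runs `wc` through an explicit argument array, so a file name containing shell metacharacters is passed as one argv entry rather than parsed by /bin/sh; it also goes one step further than the rule and confines the path to a repository root. The class `SafeExec`, the method `countLines`, the root-confinement check and the sample file name are all constructed for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

public final class SafeExec {

    // The pattern Rule 04 forbids: splicing untrusted text into a shell string.
    // Everything after the space is interpreted by the shell, not by wc.
    //   new ProcessBuilder("/bin/sh", "-c", "wc -l " + fileName)

    /** Counts the lines of a file under repoRoot using an explicit argv array (hypothetical helper). */
    public static int countLines(Path repoRoot, String relativeName)
            throws IOException, InterruptedException {
        // Normalise and confine the path before it reaches any process (assumption: callers pass a repo root).
        Path root = repoRoot.normalize();
        Path target = root.resolve(relativeName).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("path escapes repository root: " + relativeName);
        }
        // One argv element per argument; no shell is involved, so ';', '|' or '$' in the name are literal.
        // "--" stops wc from reading a name that starts with '-' as an option.
        List<String> argv = List.of("wc", "-l", "--", target.toString());
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        String out = new String(p.getInputStream().readAllBytes());
        int exit = p.waitFor();
        if (exit != 0) {
            throw new IOException("wc exited with " + exit + ": " + out.trim());
        }
        // wc prints "<count> <name>"; the count is the first whitespace-separated token.
        return Integer.parseInt(out.trim().split("\\s+")[0]);
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("safe-exec-demo");
        // Constructed file name with shell metacharacters; as a single argv entry it is just a name.
        Path file = root.resolve("notes; echo injected.txt");
        Files.write(file, List.of("first", "second", "third"));
        System.out.println("lines: " + countLines(root, file.getFileName().toString()));
    }
}
```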
Architecture

How data flows through the platform

Your agent — Claude Code or Cursor — reads the code locally through its filesystem MCP and calls its native LLM with your key. RailRun is a separate MCP server the host calls alongside, purely for workflow state.

Our backend never receives source code, LLM prompts, or LLM responses. It receives only metadata: work-unit status transitions, checkpoint decisions, branch + PR URLs, build exit codes, token-count summaries (not content).

Plugin API keys for RailRun are generated once on the admin page, stored as sha256 hashes server-side, and kept in plaintext only inside your host's own keychain.

Data flow architecture (diagram, summarised):
Your MCP host (Claude Code · Cursor) -> LLM provider (your key · BYOK): source code flows direct -- never through our servers.
Developer IDE plugin -> Backend Server (metadata only): status updates, reports, FU lifecycle -- no source code.
Source code -> Backend Server: this path does not exist. Blocked by design.

Compliance

Standards and practices

OWASP Top 10
Architecture reviewed against OWASP Top 10. Command injection prevented by Rule 4. XSS mitigated by no user-derived HTML in LLM prompts.
Encryption
All API communication over TLS 1.2+. Passwords hashed with bcrypt. JWTs signed with HS256. Credentials encrypted at rest in OS keychain.
GDPR and DPA
Data Processing Agreement available. GDPR compliance documented. Minimal data collection -- we only store what the platform needs to function.
PII Detection
PiiScanner detects emails, phone numbers, API keys, and other sensitive patterns. Runs on all source content before LLM calls. No exceptions.
Role-Based Access
5 team roles with granular module masking. Enforced at API, UI, and middleware layers. No role can escalate beyond its defined permissions.
Audit Trail
Every Run Task generates a complete event timeline -- 30+ event types covering creation, phase transitions, AI calls, approvals, and errors.

Security questions?

Read our privacy policy, DPA, and GDPR documentation. Or contact us directly for security assessments and compliance inquiries.
