Open-source · Rust · MIT

Run your agents
safely in prod.

Railroad is the runtime layer that makes coding agents production-safe. Let Claude Code run autonomously — Railroad blocks the dangerous commands while everything else flies through.

Without Railroad
Claude wants to run: npm install
Allow? (y/n) y
Claude wants to run: npm run build
Allow? (y/n) y
Claude wants to run: terraform destroy
Allow? (y/n) y
→ VPC + RDS + ECS deleted. 1.9M rows. Gone.

Babysit every command, or skip permissions and risk production.

With Railroad
✓ npm install
✓ npm run build
✓ git add . && git commit
✓ npx prisma migrate deploy
⛔ BLOCKED  terraform destroy
⛔ BLOCKED  drizzle-kit push --force
⛔ BLOCKED  rm -rf /

Safe commands fly through. Dangerous ones never run.

cargo install --git https://github.com/railroad-dev/railroad.git && railroad install

Four pillars.
Production-safe.

What you unlock
Autonomous
Run --dangerously-skip-permissions without the danger. Railroad intercepts every action at the OS level — destructive commands are blocked, risky ones need approval, everything else flies through in under 2ms.
Kernel-level sandbox via sandbox-exec (macOS) and bwrap (Linux). Pattern matching, not LLM intent-guessing. 99% of commands execute instantly with zero overhead.
Parallel
Run 5 agents at once. Railroad's coordination layer prevents file conflicts across sessions — file-level locking, automatic awareness, self-healing locks with heartbeat timeouts.
Each session knows what other sessions are editing. Locks auto-expire after 60s with PID verification. Run railroad locks to see all active locks.
Recoverable
Every file write is snapshotted before execution. Undo the last edit, undo the last N edits, or undo an entire session. One command: railroad rollback.
Instant, atomic rollback. Works for files, config edits, and more. You can also ask Claude directly: “undo the last change Railroad blocked.”
Observable
Live dashboard streaming every action across all sessions. Full session replay with timestamps and color-coded decisions. Structured JSON traces for your observability stack.
Use railroad dashboard for the live view and railroad replay --session <id> for history. Search, filter, and expand any action.

Up in
60 seconds.

01
Install
One command. Railroad registers hooks with Claude Code, configures the sandbox shell, and injects agent-awareness via CLAUDE.md.
02
Configure
Drop a railroad.yaml in your project. Define blocklists, allowlists, and approval rules. Changes take effect instantly — no restart.
03
Ship with confidence
Use claude --dangerously-skip-permissions knowing Railroad has your back. Run multiple sessions. Ship faster. Nothing dangerous gets through.
railroad — zsh
# install in one line
$ cargo install --git https://github.com/railroad-dev/railroad.git
$ railroad install
✓ hooks registered with Claude Code
✓ sandbox shell configured
✓ policy loaded · railroad.yaml

# now run with full autonomy
$ claude --dangerously-skip-permissions

✓ npm install && npm run build
✓ git add . && git commit
⛔ BLOCKED terraform destroy
  rule: destructive-infra · railroad.yaml:14
✓ 241 actions · 1 blocked · 0 incidents
Works with
Claude Code
Codex — coming soon
Kiro — coming soon

Frequently asked questions

How do I run Claude Code safely in production?

Install Railroad. It intercepts every Claude Code action before it executes — safe commands fly through instantly, dangerous commands like terraform destroy or rm -rf are blocked. You get the speed of --dangerously-skip-permissions without the risk.

Is Railroad a sandbox?

No. Sandboxes restrict where your agent can work — they limit file access, network, and tools. Railroad only restricts what commands your agent can run. Your agent keeps full access to your project, your tools, and your workflow. It just can't run the commands that would destroy production.

What does --dangerously-skip-permissions do in Claude Code?

It skips all permission checks, letting Claude Code execute any command without asking for approval. It's fast, but it means destructive commands like terraform destroy or DROP TABLE run without any safety net. Railroad makes this flag safe to use.

What commands does Railroad block?

Railroad blocks whatever you configure in railroad.yaml. Common blocklist entries include terraform destroy, rm -rf, DROP TABLE, push --force, and drizzle-kit push --force. You can also flag commands for manual approval.
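
A sketch of the kind of pattern-based check this answer describes, added here as an illustration; it is not Railroad's own code and does not reflect the railroad.yaml schema. The Rule type, the sample policy (including treating git push as approval-required) and the evaluate function are assumptions. It splits compound commands so that a blocked command chained after a safe one is still caught, and the most severe decision wins.

```rust
// Added illustration: the rule format and all names are hypothetical.
// Quoting is not parsed, so a blocked phrase inside a quoted argument
// also matches; the check fails closed rather than open.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Decision { Allow, Approve, Block } // declared in order of severity

pub struct Rule {
    pub tokens: &'static [&'static str], // words that must appear consecutively
    pub decision: Decision,
}

// Constructed sample policy using commands named on this page.
pub const POLICY: &[Rule] = &[
    Rule { tokens: &["terraform", "destroy"], decision: Decision::Block },
    Rule { tokens: &["rm", "-rf"], decision: Decision::Block },
    Rule { tokens: &["push", "--force"], decision: Decision::Block },
    Rule { tokens: &["git", "push"], decision: Decision::Approve }, // assumed approval rule
];

/// Evaluate every segment of a compound command (split on ; & | and
/// newlines) and return the most severe decision any rule produces.
pub fn evaluate(command: &str, policy: &[Rule]) -> Decision {
    command
        .split(|c: char| matches!(c, ';' | '&' | '|' | '\n'))
        .map(|segment| {
            let words: Vec<&str> = segment.split_whitespace().collect();
            policy
                .iter()
                .filter(|r| {
                    !r.tokens.is_empty()
                        && words.windows(r.tokens.len()).any(|w| w == r.tokens)
                })
                .map(|r| r.decision)
                .max()
                .unwrap_or(Decision::Allow) // no rule matched this segment
        })
        .max()
        .unwrap_or(Decision::Allow)
}

fn main() {
    for cmd in ["npm install && npm run build", "git add . && git push",
                "npm run build && terraform destroy", "rm -rf /"] {
        println!("{:?}\t{}", evaluate(cmd, POLICY), cmd);
    }
}
```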

Does Railroad work with agents other than Claude Code?

Railroad currently works with Claude Code via its native hooks system. Support for OpenAI Codex and Kiro is coming soon.

Does Railroad add latency?

Under 2ms per command. 99% of commands execute instantly. Railroad runs on-device — nothing leaves your machine, no network calls, no cloud dependency.

Ship faster.
Break nothing.

MIT Licensed
Written in Rust
On-device
Free forever