Hooks that run inline with Claude Code. A dashboard for guardrails and audit. A CI gate at the merge. All threaded by the same design review.
From the spec your developer writes to the scanner finding triaged six weeks later, every event in the SDLC threads under the same design review. That's the moat: knowing what to scan, what to block, and what to triage, because the platform remembers what the spec said in the first place.
FlowRail reads each spec and turns it into a structured review: predicted threats mapped to OWASP, approved dependencies, an allowed-channels list, and a stable id every downstream event threads through.
Two checks on every agent write. A fast local pattern net hard-blocks high-confidence secrets. A semantic verifier evaluates against the active review's threats. Either denies; the agent fixes itself and retries.
FlowRail does not run scanners. It decides which rules to apply, ingests Semgrep, SARIF, and custom outputs, and contextually filters findings against the active review so you see what matters, not what's noisy.
Every finding gets a verdict: true positive, false positive, or accepted risk. Findings that escape a guardrail auto-tighten the rule, gated by replay testing and rate-limited integrity protections.
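The ingest-and-filter step from the two paragraphs above, as an added example that is not FlowRail's code: a minimal SARIF 2.1.0 document (constructed here to stand in for a Semgrep export; the OWASP tags on its rules are constructed too) is read, each finding is matched by its OWASP tag against the review's predicted threats and accepted risks, and a verdict memory keyed by review id replays earlier human verdicts. The disposition names, the tag prefix `OWASP-` and the `(review_id, rule_id)` memory key are assumptions for this example.

```python
import json

# Constructed SARIF 2.1.0 document standing in for a Semgrep export. The rule ids and
# OWASP tags are made up for this example and do not come from any real ruleset.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep", "rules": [
            {"id": "py.sqli.format-string", "properties": {"tags": ["OWASP-A03"]}},
            {"id": "py.ssrf.user-url", "properties": {"tags": ["OWASP-A10"]}},
            {"id": "py.style.print-used", "properties": {"tags": []}},
        ]}},
        "results": [
            {"ruleId": "py.sqli.format-string", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "py.ssrf.user-url", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch.py"},
                                                 "region": {"startLine": 40}}}]},
            {"ruleId": "py.style.print-used", "level": "note",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli.py"},
                                                 "region": {"startLine": 3}}}]},
        ],
    }],
})

VERDICTS = {"true_positive", "false_positive", "accepted_risk"}


def load_rule_tags(run):
    """Map rule id -> set of OWASP tags the scanner declared on that rule."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: {t for t in r.get("properties", {}).get("tags", []) if t.startswith("OWASP-")}
            for r in rules}


def triage(review_id, predicted_threats, accepted_risks, sarif_text, verdict_memory):
    """Filter scanner findings against the active review.

    Order of precedence per finding: a verdict already recorded for (review_id, rule_id)
    is replayed; a tag the review accepted as risk auto-closes; a tag the review
    predicted is surfaced for a human verdict; anything else is deferred as noise.
    """
    doc = json.loads(sarif_text)
    out = []
    for run in doc["runs"]:
        tags = load_rule_tags(run)
        for res in run.get("results", []):
            rule = res["ruleId"]
            loc = res["locations"][0]["physicalLocation"]
            owasp = tags.get(rule, set())
            prior = verdict_memory.get((review_id, rule))
            if prior:
                disposition = prior
            elif owasp & accepted_risks:
                disposition = "accepted_risk"
            elif owasp & predicted_threats:
                disposition = "needs_verdict"
            else:
                disposition = "deferred"
            out.append({"review_id": review_id, "rule_id": rule,
                        "uri": loc["artifactLocation"]["uri"],
                        "line": loc["region"]["startLine"],
                        "owasp": sorted(owasp), "disposition": disposition})
    return out


def record_verdict(verdict_memory, review_id, rule_id, verdict):
    """Persist a human verdict so the next scan under the same review replays it."""
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict {verdict!r}")
    verdict_memory[(review_id, rule_id)] = verdict
    return verdict_memory


if __name__ == "__main__":
    memory = {}
    for f in triage("rev-0001", {"OWASP-A03"}, {"OWASP-A10"}, SAMPLE_SARIF, memory):
        print(f["disposition"], f["rule_id"], f["uri"], f["line"])
```

Keying the memory by review id rather than by rule alone is what keeps a verdict from one spec's review leaking into another: the same SQL-injection rule can be a true positive under one review and an accepted risk under a different one.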
One command in your repo. Wires hooks, registers skills.
Drop a spec under specs/. The first write opens a review id.
Writes verified at code-gen. Scanner findings triaged in context. All threaded by review id.
FlowRail is the security decision layer for spec-driven development. It reads your spec to predict threats, blocks unsafe writes at code-gen, gates dependency installs on supply-chain signals, and triages whatever your existing scanners find. One threat graph, threaded by design intent across every surface of the SDLC.
Free for solo devs. Pay when your team does.