Open source AI tools for small business automation are a four-layer stack, not a tool list.

Most of the existing playbooks on this topic publish a list of twenty tools and stop. The order is missing, the integration cost is missing, and the security framing has not been updated since the April 2026 Vercel incident. Here is the four-layer stack I actually assemble for SMBs, with each layer pinned to one of my posted service tiers and the recent event that shaped it.

Liam Nabut
12 min read
4.9 from named projects, posted rates
Twelve published service SKUs
$75 consult, not a discovery upsell
Fixed-scope, 2 to 6 week delivery

The numbers shaping this decision in April 2026

Four data points dictate the open source versus hosted question for an SMB this quarter. Anthropic Opus 4.7 has been priced at $5 input and $25 output per million tokens since April 16, 2026. Prompt caching removes up to 90% of repeated input cost. The material from the Apr 19 to 20 Vercel breach, which came in via a compromised AI vendor, was listed by ShinyHunters at $2M. And the ChatGPT Apps SDK has been public since December 18, 2025. The open source decision is the response to all four, not just the first one.

4 layers in the stack
12 c0nsl service SKUs
90% prompt cache cut
$2M Vercel breach price tag

The 90% caching cut applies to the hosted-model path. The $2M number applies to every SMB still running unscoped OAuth on its AI vendors. Open source closes one of those gaps and changes the shape of the other.

The four layers, in the order they break first

Each layer corresponds to a published c0nsl service SKU. The order below is the order of failure, not the order of build. Skip a layer and the one below it eats the time you saved.

Layer 1. Orchestrator (SVC-008)

n8n self-hosted is the default. Make and Zapier fill the connector gaps. Lindy and Relevance fit narrow agent-style cases. The SVC-008 AI Stack Selection audit ends with a one-line recommendation per workflow, not a tool tier list. Pick this layer first because it sets the shape of every other layer.

Layer 2. Distribution (SVC-010)

The ChatGPT Apps SDK went public on Dec 18, 2025. Custom GPTs migrated to GPT-5.2 on Jan 12, 2026. Your customers are already inside ChatGPT, so the distribution surface is now real, even when the model behind it is open source.

Layer 3. Security review (SVC-007)

The Apr 19 to 20, 2026 Vercel breach via Context.ai was an OAuth scoping failure, not a model failure. SVC-007 AI Vendor Security Review walks every OAuth scope and env var on every AI tool in the stack, and hands back a remediation list as a fixed fee.

Layer 4. Open-weight model (SVC-009)

Llama, Mistral, or Qwen on hardware you own or rent. SVC-009 Local AI Infrastructure ships the model, the inference server, the monitoring, and an honest comparison against Opus 4.7 for your specific workload. The model is the most discussed and least load-bearing decision in the stack, which is why it sits last.

Where the data actually flows

An SMB automation stack is a small graph. Customer events, batch jobs, and inbound files all hit the orchestrator. The orchestrator dispatches to your local model when the data should stay private, and to the hosted distribution surface when reach matters more than control. The security review sits on every edge.

An open source SMB automation stack, data-flow view

Inputs: Customer events, Batch jobs, Inbound files
Hub: n8n orchestrator
Outputs: Local Llama / Mistral, Apps SDK listing, Internal dashboards, Audit log

With a properly scoped stack, only one of the output nodes (the Apps SDK listing) leaves your network. The other three stay inside the SMB. That is the difference open source actually buys; the model is just the surface marker.

The order of operations

The hard part is not picking each tool. It is picking them in the right order. Most SMB stacks I review were assembled backwards: model first, orchestrator second, distribution never, security as an afterthought. Reverse the order and the same tools start to compose.

From zero to a working open source stack

1

Inventory the workflows that recur weekly

List every workflow that takes more than 30 minutes a week and runs more than once a month. The model picks itself once you can name the workflows. Skipping this step is what causes the model-first mistake.

2

Pick the orchestrator on connector coverage, not vibe

Score n8n, Make, and Zapier on the specific connectors your inventory needs. Self-hosted n8n wins on cost once you cross roughly 5,000 task runs a month, but only if the connectors you need are maintained. SVC-008 produces this score sheet as a deliverable.

3

Decide whether you need an Apps SDK presence

If your customers already ask questions inside ChatGPT, ship the directory listing. If they live in your own product or in a vertical SaaS, skip this layer. Apps SDK is leverage, not a requirement.

4

Run the security review before you wire any connector

Walk every OAuth scope and env var on every AI vendor before the first integration goes live. SVC-007 hands back a remediation list. The post-Vercel-breach lesson is that the audit is cheap and the breach is not.

5

Pick the open-weight model against the workload

Match the model to the workload, not the other way around. A document ingestion job often runs fine on a quantized 8B Mistral. A complex agent flow may need a Llama 70B variant on rented GPU. The model is now the easiest decision because the other three layers are already pinned.

6

Wire the orchestrator, then the model, then the listing

Do not start with the model. Wire n8n first against a hosted API stub, swap in the local model when the orchestrator is stable, and submit the Apps SDK app last. SVC-009 ships exactly this sequence as a fixed-fee Custom System.

7

Run the security review on a recurring cadence

OAuth scopes drift. New connectors get added. Quarterly is the cheapest cadence that still catches the Vercel-shaped pattern. The retainer tier covers this without re-quoting.

What an actual install looks like

For the small minority of guides that include commands, those commands assume a single isolated tool. The interesting part of an SMB stack is how the open source pieces hand off. The terminal below shows the first ten minutes of a real Custom System install on a Linux box, with placeholders where API keys would land.

install.sh

The order on the terminal is the same as the timeline above. Layer 1 first, Layer 4 second so the orchestrator has something to call, Layer 3 before any external connector goes live, and Layer 2 last because submission review takes days regardless of how fast you assembled the rest.

Open source layer by layer, not a tool listicle

The list below is what I actually reach for. It is short on purpose. Every additional tool in the stack costs senior engineer hours that an SMB does not have, so the bar for inclusion is whether the tool replaces something a hosted vendor would otherwise be billing per seat or per token.

The shortlist by layer

  • Orchestrator: n8n self-hosted, Make as a fallback for missing connectors
  • Vector / retrieval: Postgres with pgvector beats most boutique stores at SMB scale
  • Local inference: Ollama or vLLM, with quantized Llama 3, Mistral, or Qwen instruct variants
  • Speech: Whisper.cpp for transcription, Coqui or Piper for outbound voice
  • Document parsing: unstructured.io or a small bespoke pipeline, never a black-box SaaS for sensitive docs
  • Distribution: ChatGPT Apps SDK for reach, your own domain for everything else
  • Security: a recurring scope audit, not a one-off scan, on every connector and env var
  • Observability: a small Postgres-backed audit log beats every AI-specific monitoring SaaS for the first year

Open source stack vs the default agency pattern

The agency pattern is the version of this story you get when the consultant is incentivized to keep you on a retainer. The scoped open source pattern is older, more boring, and easier to explain to a bookkeeper.

Tool selection logic
  • Default agency pattern: Whichever vendor pays the largest affiliate kickback
  • Scoped open source stack: SVC-008 audit scored against your specific connectors and volume

Model layer
  • Default agency pattern: Hosted-only, locked to the agency's API key
  • Scoped open source stack: Open-weight Llama, Mistral, or Qwen on your hardware or rented GPU

Distribution surface
  • Default agency pattern: A landing page and a Calendly link
  • Scoped open source stack: ChatGPT Apps SDK listing where your customers already are

Security review
  • Default agency pattern: A one-time scan during sales, never re-run
  • Scoped open source stack: SVC-007 recurring OAuth and env var audit, post-Vercel-breach scope

Pricing shape
  • Default agency pattern: Hourly retainer with hidden tooling markups
  • Scoped open source stack: Fixed-scope tiers from $500 to $10K+, posted on the homepage

Time to first running automation
  • Default agency pattern: 8 to 16 weeks, $30K to $50K strategy route
  • Scoped open source stack: 2 to 6 weeks, fixed fee, named engineer

Why the integration cost is the real cost

The license cost of the open source layer is, as advertised, zero. The integration cost is the part the listicles skip. A full four-layer stack ships in 2 to 6 weeks of senior engineer time the first time it is assembled. Compare that against the $30K to $50K strategy-consultant route quoted in HN 44704133: the open source build comes in under a fifth of that, and you keep the engineer on a $0K to $5K/mo retainer rather than a 12-month enterprise contract.

Where the hours actually go on a four-layer build

  • Workflow inventory: 1 day, SVC-008
  • Orchestrator wiring: 3 to 7 days
  • OAuth scope audit: 1 day, SVC-007
  • Local model swap-in: 2 to 5 days, SVC-009
  • Apps SDK submission: 1 day, SVC-010

The breakdown above is the same on every Custom System engagement. The hours move slightly with the orchestrator choice and the model size, but the shape does not. That is why the tier on the c0nsl homepage is fixed-scope, not hourly.

Why this page names a person, a SKU, and a number

Most of the existing playbooks on this topic sell a course to aspiring agency owners or hide their rate until a discovery call. The lane I work in does neither. The c0nsl homepage publishes the full tier set and the services page publishes twelve named SKUs. That means the integration line on your open source budget is not a blank cheque, it is a number you can type into a spreadsheet before the first call.

The anchor fact for this guide is the one thing no other page on this subject can copy: four layers, four named SKUs (SVC-007, SVC-008, SVC-009, SVC-010), each scoped to a specific April 2026 incident or release, sold by a named engineer at posted rates. Everything else in this guide is implementation. This piece is contractual.

Walk your actual workflows with the named engineer

Bring the workflow inventory, the connector list, and the data residency constraints. I come back with a four-layer stack, a fixed-fee quote, and an honest note if open source is not the right answer.

Frequently asked questions

Is open source AI actually free for a small business running automation?

The license is free. The integration is not. A working four-layer stack (open-weight model, orchestrator, distribution surface, security review) takes between 2 and 6 weeks of senior engineer time the first time it is wired together. On the c0nsl tier set, that lands inside the $2K to $10K+ Custom System bracket, with a $1K to $5K monthly retainer to keep models, orchestrator nodes, and OAuth scopes current. The point of the open source choice is not zero spend, it is that none of the per-token, per-seat, or per-vendor lines on the bill compound the way they do on a hosted-only stack.

Should I pick Llama, Mistral, or Qwen for the local model layer?

If your workload is general purpose customer support or document analysis and you have any GPU at all, start with a Llama 3 instruct variant because the tooling around it is the most mature in 2026. If your workload is small enough to run on a CPU or a single mid-range GPU, Mistral and Qwen instruct variants both compress more aggressively and often beat Llama on cost per useful answer. The honest answer is that the model is the smallest part of the decision: the orchestrator, the OAuth scopes, and the escalation path matter more than which open-weight checkpoint you pulled. SVC-009 Local AI Infrastructure on the c0nsl service catalog scopes the full set, model included, as a fixed fee.

Does n8n cover everything an SMB needs, or do I still need Zapier or Make?

n8n covers most of it once you self-host. The exceptions are connectors that lag behind the proprietary platforms (some niche CRMs, a few payment processors, certain enterprise SaaS apps), and high-volume queues where the operational overhead of running your own n8n is more expensive than the per-task fee on a hosted platform. In practice the SVC-008 stack selection audit ends with a one-line recommendation: n8n for everything that has a maintained connector, Make for the spots where n8n drops, Zapier only when a non-engineer team member needs to extend a flow themselves. Lindy and Relevance fit narrower agent-style use cases and rarely belong in the core stack.

After the April 2026 Vercel breach, is hosted automation still safe to use at all?

Yes, but with one specific change. The Apr 19 to 20, 2026 Vercel incident traced back to a compromised Context.ai employee whose OAuth scope was set to Allow All, which let the attacker pivot from the AI vendor into Vercel's Google Workspace and environment variables. ShinyHunters then listed the exfiltrated material at $2M. The lesson is not to abandon hosted tools, it is to enforce least-privilege OAuth scopes and isolate environment variables on every AI vendor in your stack. SVC-007 AI Vendor Security Review on the c0nsl service catalog is a fixed-fee audit that does exactly that, and it pairs with whichever automation platform the SVC-008 audit recommends.
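As an added illustration of the check described in this answer and in steps 4 and 7 of the timeline above, the script below is example code, not part of the original post and not the SVC-007 deliverable: it compares each AI vendor's granted OAuth scopes against a least-privilege baseline, flags Allow All style grants and unreviewed vendors, and diffs the current grants against the previous quarter's snapshot so a recurring run only re-reviews what changed. Vendor names, scope strings and the baseline are constructed placeholders.

```python
"""Least-privilege OAuth scope audit for AI vendor connectors (example code).

All vendor names, scope strings and snapshots below are constructed
placeholders, not data from any real tenant."""
from dataclasses import dataclass

# Assumed least-privilege baseline: the scopes each vendor is supposed to hold.
BASELINE = {
    "example-ai-vendor": {"calendar.read", "drive.file"},
    "example-crm-connector": {"contacts.read"},
}

# Grant values that amount to an Allow All scope and should never survive review.
WILDCARDS = {"*", "allow_all", "all"}


@dataclass(frozen=True)
class Finding:
    vendor: str
    scope: str
    reason: str


def audit(grants: dict[str, set[str]], baseline=BASELINE) -> list[Finding]:
    """Return the remediation list: wildcard grants, scopes outside the
    baseline, and vendors with no baseline at all (an unreviewed connector)."""
    findings = []
    for vendor, scopes in sorted(grants.items()):
        if vendor not in baseline:
            findings.append(Finding(vendor, ",".join(sorted(scopes)),
                                    "vendor not in baseline; review before go-live"))
            continue
        for scope in sorted(scopes):
            if scope.lower() in WILDCARDS or scope.endswith("*"):
                findings.append(Finding(vendor, scope, "wildcard grant; replace with named scopes"))
            elif scope not in baseline[vendor]:
                findings.append(Finding(vendor, scope, "scope outside baseline; revoke or add to baseline"))
    return findings


def drift(previous: dict[str, set[str]], current: dict[str, set[str]]) -> dict[str, set[str]]:
    """Scopes present now that were absent at the last audit, per vendor.
    On the recurring run these new grants are the part that needs re-review."""
    return {v: s - previous.get(v, set()) for v, s in current.items() if s - previous.get(v, set())}


# Constructed snapshots: what the last audit recorded and what is granted today.
LAST_QUARTER = {"example-ai-vendor": {"calendar.read"}, "example-crm-connector": {"contacts.read"}}
TODAY = {
    "example-ai-vendor": {"calendar.read", "drive.file", "allow_all"},
    "example-crm-connector": {"contacts.read", "contacts.write"},
    "example-new-summarizer": {"mail.read"},
}

if __name__ == "__main__":
    for f in audit(TODAY):
        print(f"{f.vendor}: {f.scope} -> {f.reason}")
    print("new since last audit:", drift(LAST_QUARTER, TODAY))
```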

How does the ChatGPT Apps SDK fit if I want to stay open source?

The Apps SDK is a distribution surface, not a model choice. It went public on Dec 18, 2025 and the migration to GPT-5.2 finished on Jan 12, 2026. Your customers already live inside ChatGPT, so even an SMB whose backend is fully open source and self-hosted can submit an Apps SDK app that surfaces inside ChatGPT and routes traffic back to the open source orchestrator. The model that actually answers the question can still be a Llama or Mistral instance you control. SVC-010 Ship Your Business Inside ChatGPT scopes the build, the auth wiring, and the directory listing as a fixed fee.

What is the smallest open source automation stack a five-person SMB actually needs?

One model layer (a single Llama or Mistral instruct variant on rented GPU or owned hardware), one orchestrator (n8n self-hosted), one distribution surface (the existing website, plus an Apps SDK listing if your customers live in ChatGPT), and one security review per quarter that walks the OAuth scopes on every connector. That is four moving parts. The c0nsl Custom System tier at $2K to $10K+ scopes the first three to ship in 2 to 6 weeks. The fourth is a recurring item, not a one-time build.

What is the single most common mistake SMBs make when they go open source on AI?

Picking the model first. The model is the most discussed and the least load-bearing decision. Operators who pick Llama versus Mistral before they have decided on n8n versus Make, or before they have decided whether they need an Apps SDK presence at all, end up rebuilding the orchestrator and the auth layer twice. The right order is: orchestrator, distribution, security review, model. The model layer is the easiest to swap once the other three are wired correctly.