Sanitized n8n workflow library: lead intake, enrichment, post-call processing, and webhook security middleware. The checked-in workflows are generic n8n. The registry still carries legacy voice-agent workflow metadata (ElevenLabs business process, integration entries), but the live agent runtime lives at wranngle/voice_ai_agent_evals.
workflows/: production flows (lead-intake-main.json,lead-enrichment-microservice.json,dev/,knowledge_management/youtube-rag-pipeline/) plus governance + registry YAMLsscripts/: workflow API utilities (activate-workflow.js,list_workflows.js,update_workflow.py, etc.), governance (governance-engine.js), and webhook security (secure-n8n-webhooks.js,secure-internal-callers.js)templates/: generic n8n templatestests/: workflow integration smoke testscontext/: local knowledge bases (YouTube + Discord research) feeding the workflow generator
54-second walkthrough (historical, illustrative only): browse workflows/registry.yaml → generate a synthetic fixture → POST /rest/workflows → invoke via webhook → governance check. The current checkout ships no workflows/live-universalized/ fixtures, so the fixture-generation step shown does not run today (see Test fixtures below). Re-render with node scripts/generate-install-demo.mjs (ffmpeg required).
npm run build:site walks workflows/ and emits one fork-landing page per workflow at dist/site/<slug>/index.html. Each page carries a Download .json link, a placeholder workflow screenshot (screenshot.svg), and a one-line problem statement. If a deterministic fixture is present at fixtures/<slug>.json (round-1 #24), the page also links a sample payload so the fork story is end-to-end. Test contract: npm run test:site.
See ARCHITECTURE.md for the lead intake → CRM → call → post-call flow and how this repo connects to its satellites:
wranngle/voice_ai_agent_evals: eval harness for ElevenLabs voice agents (the production agent runtime, prompt versioning, scenario framework)wranngle/gtm_ops: unified GTM motion runtime (presales pipeline, ops-console, audit log surface)
The hardening scripts can add an X-Webhook-Secret header, validated against N8N_WEBHOOK_SECRET, but not every checked-in workflow is currently hardened. See docs/WEBHOOK_AUTH.md for the rotation playbook. ElevenLabs HMAC-signed webhooks (different protocol, HMAC-SHA256 over <timestamp>.<body>) are handled in voice_ai_agent_evals.
scripts/generate-fixtures.js emits fixtures only for workflows/live-universalized/ entries; the current checkout has none. When entries exist, it writes one deterministic synthetic payload per workflow into fixtures/, keyed by registry slug. The generator inspects each workflow's trigger node (webhook, form, schedule, manual, evaluation, pipedrive) and shapes the payload accordingly so every importable workflow can be smoke-tested without touching tenant data. Re-running the script over a clean checkout produces zero diff: fixture drift is the signal, not the noise.
- DEV: all active development. Modifiable.
- ARCHIVED: deprecated, read-only. Deletion is blocked; archive instead.
- New workflows auto-tag as DEV.
workflows/governance.yaml is the authoritative phase tracker; scripts/governance-engine.js enforces it. See WORKFLOWS.md for the per-workflow index.
Each workflow in workflows/registry.yaml carries a security.audited ISO date and a security.scanner tag. The table below is regenerated by scripts/generate-readme-table.js; rerun it whenever an audit date is bumped, and node scripts/generate-readme-table.js --check exits non-zero if the table drifts from the registry.
Freshness reference: 2026-05-14. Entries audited within the last 90 days render green.
| Workflow | Audit status | Scanner |
|---|---|---|
lead-enrichment-microservice |
gitleaks+verify | |
lead-intake-main |
gitleaks+verify | |
youtube-rag-pipeline |
gitleaks+verify |
# Workflow API utilities (require N8N_API_KEY)
node scripts/list_workflows.js
node scripts/activate-workflow.js --workflow <id>
# Governance audit
node scripts/governance-engine.js --check
# Webhook security middleware (idempotent, run after creating new workflows)
node scripts/secure-n8n-webhooks.js --apply
node scripts/secure-internal-callers.js --applySee .env.example for required environment variables.
Import a workflow JSON into a local n8n instance via its REST API:
node scripts/install-workflow.js workflows/lead-intake-main.json \
--n8n-url http://localhost:5678 --api-key "$N8N_API_KEY"On success the script prints the new workflow id and exits 0. --n8n-url and --api-key may also be supplied via N8N_URL / N8N_API_KEY env vars.
Reverse of scripts/install-workflow.js. Looks up workflows on the remote
n8n instance and deletes each match. --dry-run prints the exact API calls
without mutating anything.
# Preview what would be deleted
node bin/uninstall-workflow.js --name lead-intake-main \
--n8n-url http://localhost:5678 --api-key "$N8N_API_KEY" --dry-run
# Delete by id
node bin/uninstall-workflow.js --id wf-42 \
--n8n-url http://localhost:5678 --api-key "$N8N_API_KEY"--n8n-url and --api-key also accept N8N_URL / N8N_API_KEY env vars.
Exits non-zero if no workflows match or any DELETE fails.
scripts/n8n-diff.js renders a deterministic markdown diff between two
workflow JSON files: nodes added/removed/modified, connection delta, and
env-var changes. Pair it with the one-click installer above for a "review
before you ship" pre-merge check.
node scripts/n8n-diff.js workflows/a.json workflows/b.json
node scripts/n8n-diff.js workflows/a.json workflows/b.json --out diff.mdDemo against the bundled fixture pair:
node scripts/n8n-diff.js fixtures/diff/a.json fixtures/diff/b.jsonCompare workflows deployed on an n8n instance against the JSON files tracked in this repo:
node bin/drift.js --n8n-url http://localhost:5678 --api-key "$N8N_API_KEY" \
--workflows-dir ./workflows --out drift.mdThe report (drift.md) groups results into three sections: Only on instance, Only in repo, and Modified (matched by name, compared via canonical fingerprint that ignores id/updatedAt/active). The script exits non-zero when any drift is detected so it can gate CI.
See LICENSE.