Sanitized n8n workflow library: lead intake, enrichment, post-call processing, and webhook security middleware. Generic n8n surface only — voice-agent / ElevenLabs-specific code lives at wranngle/voice_ai_agent_evals.
workflows/— production flows (lead-intake-main.json,lead-enrichment-microservice.json,dev/,knowledge_management/youtube-rag-pipeline/) plus governance + registry YAMLsscripts/— workflow API utilities (activate-workflow.js,list_workflows.js,update_workflow.py, etc.), governance (governance-engine.js), and webhook security (secure-n8n-webhooks.js,secure-internal-callers.js)templates/— generic n8n templatestests/— workflow integration smoke testscontext/— local knowledge bases (YouTube + Discord research) feeding the workflow generator
54-second deterministic walkthrough: browse workflows/registry.yaml → generate a synthetic fixture → POST /rest/workflows → invoke via webhook → governance check. Re-render with node scripts/generate-install-demo.mjs (ffmpeg required).
npm run build:site walks workflows/ and emits one fork-landing page per workflow at dist/site/<slug>/index.html. Each page carries a Download .json link, a placeholder workflow screenshot (screenshot.svg), and a one-line problem statement. If a deterministic fixture is present at fixtures/<slug>.json (round-1 #24), the page also links a sample payload so the fork story is end-to-end. Test contract: npm run test:site.
See ARCHITECTURE.md for the lead intake → CRM → call → post-call flow and how this repo connects to its satellites:
wranngle/voice_ai_agent_evals— eval harness for ElevenLabs voice agents (the production agent runtime, prompt versioning, scenario framework)wranngle/gtm_ops— unified GTM motion runtime (presales pipeline, ops-console, audit log surface)
Every n8n webhook in this repo requires an X-Webhook-Secret header validated against N8N_WEBHOOK_SECRET. See docs/WEBHOOK_AUTH.md for the rotation playbook. ElevenLabs HMAC-signed webhooks (different protocol — HMAC-SHA256 over <timestamp>.<body>) are handled in voice_ai_agent_evals.
scripts/generate-fixtures.js emits one deterministic synthetic payload per live-universalized workflow into fixtures/, keyed by registry slug. The generator inspects each workflow's trigger node (webhook, form, schedule, manual, evaluation, pipedrive) and shapes the payload accordingly so every importable workflow can be smoke-tested without touching tenant data. Re-running the script over a clean checkout produces zero diff — fixture drift is the signal, not the noise.
- DEV: all active development. Modifiable.
- ARCHIVED: deprecated, read-only. Deletion is blocked; archive instead.
- New workflows auto-tag as DEV.
workflows/governance.yaml is the authoritative phase tracker; scripts/governance-engine.js enforces it. See WORKFLOWS.md for the per-workflow index.
Each workflow in workflows/registry.yaml carries a security.audited ISO date and a security.scanner tag. The table below is regenerated by scripts/generate-readme-table.js; rerun it whenever an audit date is bumped, and node scripts/generate-readme-table.js --check exits non-zero if the table drifts from the registry.
Freshness reference: 2026-05-14. Entries audited within the last 90 days render green.
| Workflow | Audit status | Scanner |
|---|---|---|
elevenlabs-call-completed |
 |
gitleaks+verify |
elevenlabs-call-completed-presales |
|
gitleaks+verify |
elevenlabs-twilio-bulletproof |
|
gitleaks+verify |
elevenlabs-twilio-client-data |
|
gitleaks+verify |
example-webhook-to-slack |
|
gitleaks+verify |
get-weather |
|
gitleaks+verify |
hello-world-minimal |
|
gitleaks+verify |
lead-enrichment-microservice |
|
gitleaks+verify |
lead-intake-main |
|
gitleaks+verify |
pipedrive-lead-caller |
|
gitleaks+verify |
ringcentral-to-pipedrive |
|
gitleaks+verify |
transcript-field-extractor |
|
gitleaks+verify |
transcript-field-extractor-v2 |
|
gitleaks+verify |
webhook-echo |
|
gitleaks+verify |
youtube-rag-pipeline |
|
gitleaks+verify |
# Workflow API utilities (require N8N_API_KEY)
node scripts/list_workflows.js
node scripts/activate-workflow.js --workflow <id>
# Governance audit
node scripts/governance-engine.js --check
# Webhook security middleware (idempotent, run after creating new workflows)
node scripts/secure-n8n-webhooks.js --apply
node scripts/secure-internal-callers.js --applySee .env.example for required environment variables.
<<<<<<< HEAD
Import a workflow JSON into a local n8n instance via its REST API:
node scripts/install-workflow.js workflows/lead-intake-main.json \
--n8n-url http://localhost:5678 --api-key "$N8N_API_KEY"On success the script prints the new workflow id and exits 0. --n8n-url and --api-key may also be supplied via N8N_URL / N8N_API_KEY env vars.
Reverse of scripts/install-workflow.js. Looks up workflows on the remote
n8n instance and deletes each match. --dry-run prints the exact API calls
without mutating anything.
# Preview what would be deleted
node bin/uninstall-workflow.js --name lead-intake-main \
--n8n-url http://localhost:5678 --api-key "$N8N_API_KEY" --dry-run
# Delete by id
node bin/uninstall-workflow.js --id wf-42 \
--n8n-url http://localhost:5678 --api-key "$N8N_API_KEY"--n8n-url and --api-key also accept N8N_URL / N8N_API_KEY env vars.
Exits non-zero if no workflows match or any DELETE fails.
scripts/n8n-diff.js renders a deterministic markdown diff between two
workflow JSON files — nodes added/removed/modified, connection delta, and
env-var changes. Pair it with the one-click installer above for a "review
before you ship" pre-merge check.
node scripts/n8n-diff.js workflows/a.json workflows/b.json
node scripts/n8n-diff.js workflows/a.json workflows/b.json --out diff.mdDemo against the bundled fixture pair:
node scripts/n8n-diff.js fixtures/diff/a.json fixtures/diff/b.jsonCompare workflows deployed on an n8n instance against the JSON files tracked in this repo:
node bin/drift.js --n8n-url http://localhost:5678 --api-key "$N8N_API_KEY" \
--workflows-dir ./workflows --out drift.mdThe report (drift.md) groups results into three sections: Only on instance, Only in repo, and Modified (matched by name, compared via canonical fingerprint that ignores id/updatedAt/active). The script exits non-zero when any drift is detected so it can gate CI.
See LICENSE.