feat(n8n-webhook): bridge approvals to gog executors

skills/n8n-webhook/SKILL.md

@@ -27,6 +27,7 @@ Keep the integration narrow: let OpenClaw decide what to do, and let n8n execute
 
 - direct webhook caller: `scripts/call-webhook.sh`
 - action-bus caller: `scripts/call-action.sh`
+- approval executor bridge: `scripts/resolve-approval-with-gog.py`
 - workflow validator: `scripts/validate-workflow.py`
 - importable router workflow: `assets/openclaw-action.workflow.json`
 - sample payloads:
@@ -106,6 +107,7 @@ Use the included workflow asset when you want a ready-made local router for:
 - `send_email_draft` → queue approval-gated email drafts in workflow static data
 - `create_calendar_event` → queue approval-gated calendar proposals in workflow static data
 - `approval_queue_add` / `approval_queue_list` / `approval_queue_resolve` → manage pending approvals and recent history
+- `approval_history_attach_execution` → let a host-side executor attach real execution metadata back onto approval history entries
 - `fetch_and_normalize_url` → fetch + normalize URL content using n8n runtime HTTP helpers
 - `inbound_event_filter` → classify, dedupe, store, and optionally notify on inbound events
 - normalized JSON success/failure responses
@@ -118,6 +120,18 @@ Important:
 
 See `references/openclaw-action.md` for import and test steps.
 
+### Host execution bridge for Gmail/Calendar
+
+When email/calendar provider creds live on the host via `gog` rather than inside n8n, use:
+
+```bash
+python3 scripts/resolve-approval-with-gog.py --id <approval-id> --decision approve
+```
+
+Practical note:
+- unattended execution needs `GOG_KEYRING_PASSWORD` in the environment because `gog`'s file keyring cannot prompt in non-TTY automation
+- for safe plumbing tests without touching Google state, add `--dry-run`
+
 ### Add a new webhook-backed capability
 
 1. Write down the webhook path, required auth, request JSON, and response JSON.

skills/n8n-webhook/references/openclaw-action.md

@@ -20,6 +20,7 @@ It implements a real local OpenClaw → n8n router.
   - `approval_queue_add`
   - `approval_queue_list`
   - `approval_queue_resolve`
+  - `approval_history_attach_execution`
   - `fetch_and_normalize_url`
   - `inbound_event_filter`
 - returns normalized JSON responses
@@ -62,6 +63,13 @@ Example stored record:
 - appends the resolved entry into:
   - `approvalHistory`
 - supports optional notification on approval/rejection
+- executes notification drafts inline when the approved item kind is `notification`
+
+### `approval_history_attach_execution`
+
+- patches an existing resolved history item in `approvalHistory`
+- designed for host-side executors that run outside n8n itself
+- used by the included `scripts/resolve-approval-with-gog.py` bridge to attach Gmail/Calendar execution results
 
 ### `fetch_and_normalize_url`
 
@@ -158,6 +166,7 @@ scripts/call-action.sh fetch_and_normalize_url --args '{"url":"http://192.168.15
 scripts/call-action.sh fetch_and_normalize_url --args '{"url":"https://example.com","skip_ssl_certificate_validation":true}' --pretty
 scripts/call-action.sh approval_queue_list --args '{"limit":10,"include_history":true}' --pretty
 scripts/call-action.sh inbound_event_filter --args-file assets/test-inbound-event-filter.json --pretty
+python3 scripts/resolve-approval-with-gog.py --id <approval-id> --decision approve --dry-run
 ```
 
 ## Expected success examples
@@ -239,6 +248,22 @@ scripts/call-action.sh inbound_event_filter --args-file assets/test-inbound-even
 }
 ```
 
+## Host bridge notes
+
+The included host bridge `scripts/resolve-approval-with-gog.py` is for the case where Gmail/Calendar auth exists on the OpenClaw host via `gog`, not inside n8n itself.
+
+Behavior:
+- resolves an approval item through `openclaw-action`
+- executes supported kinds on the host:
+  - `email_draft` → `gog gmail drafts create`
+  - `calendar_event` → `gog calendar create`
+- writes execution metadata back via `approval_history_attach_execution`
+
+Important automation note:
+- real unattended execution needs `GOG_KEYRING_PASSWORD` in the environment
+- without it, non-TTY `gog` calls will fail when the file keyring tries to prompt
+- `--dry-run` works without touching Google state and is useful for plumbing verification
+
 ## Validation
 
 Run the local validator before import/package changes:

skills/n8n-webhook/references/payloads.md

@@ -239,6 +239,29 @@ Request:
 Purpose:
 - approve or reject a pending item
 - moves resolved entries into `approvalHistory`
+- executes notification drafts inline when the resolved item kind is `notification`
+
+### `approval_history_attach_execution`
+
+Request:
+
+```json
+{
+  "action": "approval_history_attach_execution",
+  "args": {
+    "id": "approval-abc123",
+    "execution": {
+      "driver": "gog",
+      "op": "gmail.drafts.create",
+      "status": "draft_created"
+    }
+  }
+}
+```
+
+Purpose:
+- patch a resolved history item with host-side execution metadata after a real executor runs outside n8n
+- intended for bridges such as `gog`-backed Gmail/Calendar execution
 
 ### `fetch_and_normalize_url`
 

skills/n8n-webhook/scripts/resolve-approval-with-gog.py

@@ -0,0 +1,241 @@
+#!/usr/bin/env python3
+import argparse
+import json
+import os
+import subprocess
+import sys
+import tempfile
+import urllib.error
+import urllib.request
+from pathlib import Path
+
+DEFAULT_BASE_URL = os.environ.get('N8N_BASE_URL', 'http://192.168.153.113:18808').rstrip('/')
+DEFAULT_ACTION_PATH = os.environ.get('N8N_ACTION_PATH', 'openclaw-action').strip('/')
+DEFAULT_SECRET_HEADER = os.environ.get('N8N_SECRET_HEADER', 'x-openclaw-secret')
+
+
+def fail(msg: str, code: int = 1):
+    print(msg, file=sys.stderr)
+    raise SystemExit(code)
+
+
+def run(cmd, *, env=None):
+    proc = subprocess.run(cmd, capture_output=True, text=True, env=env)
+    return proc.returncode, proc.stdout, proc.stderr
+
+
+def gog_account(args_account: str | None) -> str:
+    account = args_account or os.environ.get('GOG_ACCOUNT', '').strip()
+    if not account:
+        fail('missing gog account: pass --account or set GOG_ACCOUNT')
+    return account
+
+
+def webhook_secret() -> str:
+    secret = os.environ.get('N8N_WEBHOOK_SECRET', '').strip()
+    if not secret:
+        fail('missing N8N_WEBHOOK_SECRET in environment')
+    return secret
+
+
+def call_action(payload: dict, *, base_url: str, path: str, secret_header: str, secret: str) -> dict:
+    url = f'{base_url}/webhook/{path}'
+    req = urllib.request.Request(
+        url,
+        data=json.dumps(payload).encode(),
+        method='POST',
+        headers={
+            'Content-Type': 'application/json',
+            'Accept': 'application/json',
+            secret_header: secret,
+        },
+    )
+    try:
+        with urllib.request.urlopen(req, timeout=60) as r:
+            body = r.read().decode('utf-8', 'replace')
+            return json.loads(body) if body else {}
+    except urllib.error.HTTPError as e:
+        body = e.read().decode('utf-8', 'replace')
+        try:
+            parsed = json.loads(body) if body else {}
+        except Exception:
+            parsed = {'ok': False, 'error': {'code': 'http_error', 'message': body or str(e)}}
+        parsed.setdefault('http_status', e.code)
+        return parsed
+
+
+def attach_execution(item_id: str, execution: dict, *, base_url: str, path: str, secret_header: str, secret: str) -> dict:
+    return call_action(
+        {
+            'action': 'approval_history_attach_execution',
+            'args': {'id': item_id, 'execution': execution},
+            'request_id': f'attach-{item_id}',
+        },
+        base_url=base_url,
+        path=path,
+        secret_header=secret_header,
+        secret=secret,
+    )
+
+
+def build_email_command(item: dict, account: str, dry_run: bool):
+    payload = item.get('payload') or {}
+    body_text = payload.get('body_text') or ''
+    body_html = payload.get('body_html') or ''
+    cmd = [
+        'gog', 'gmail', 'drafts', 'create',
+        '--account', account,
+        '--json',
+        '--no-input',
+        '--to', ','.join(payload.get('to') or []),
+        '--subject', payload.get('subject') or '',
+    ]
+    for key in ('cc', 'bcc'):
+        vals = payload.get(key) or []
+        if vals:
+            cmd.extend([f'--{key}', ','.join(vals)])
+    tmp = None
+    if body_text:
+        tmp = tempfile.NamedTemporaryFile('w', delete=False, encoding='utf-8', suffix='.txt')
+        tmp.write(body_text)
+        tmp.close()
+        cmd.extend(['--body-file', tmp.name])
+    elif body_html:
+        # gog requires body or body_html; for HTML-only drafts we can use body_html.
+        pass
+    else:
+        fail('email_draft payload missing body_text/body_html')
+    if body_html:
+        cmd.extend(['--body-html', body_html])
+    if dry_run:
+        cmd.append('--dry-run')
+    return cmd, tmp.name if tmp else None
+
+
+def build_calendar_command(item: dict, account: str, dry_run: bool):
+    payload = item.get('payload') or {}
+    calendar = payload.get('calendar') or 'primary'
+    cmd = [
+        'gog', 'calendar', 'create', calendar,
+        '--account', account,
+        '--json',
+        '--no-input',
+        '--summary', payload.get('title') or '',
+        '--from', payload.get('start') or '',
+        '--to', payload.get('end') or '',
+        '--send-updates', 'none',
+    ]
+    if payload.get('description'):
+        cmd.extend(['--description', payload['description']])
+    if payload.get('location'):
+        cmd.extend(['--location', payload['location']])
+    attendees = payload.get('attendees') or []
+    if attendees:
+        cmd.extend(['--attendees', ','.join(attendees)])
+    if dry_run:
+        cmd.append('--dry-run')
+    return cmd
+
+
+def parse_json(output: str):
+    text = output.strip()
+    if not text:
+        return None
+    return json.loads(text)
+
+
+def main():
+    ap = argparse.ArgumentParser(description='Resolve an n8n approval item and execute email/calendar actions via gog.')
+    ap.add_argument('--id', required=True, help='Approval queue item id')
+    ap.add_argument('--decision', choices=['approve', 'reject'], default='approve')
+    ap.add_argument('--account', help='Google account email; otherwise uses GOG_ACCOUNT')
+    ap.add_argument('--dry-run', action='store_true', help='Use gog --dry-run for host execution')
+    ap.add_argument('--base-url', default=DEFAULT_BASE_URL)
+    ap.add_argument('--path', default=DEFAULT_ACTION_PATH)
+    ap.add_argument('--secret-header', default=DEFAULT_SECRET_HEADER)
+    args = ap.parse_args()
+
+    secret = webhook_secret()
+    resolved = call_action(
+        {
+            'action': 'approval_queue_resolve',
+            'args': {'id': args.id, 'decision': args.decision, 'note': 'resolved by host gog executor', 'notify_on_resolve': False},
+            'request_id': f'resolve-{args.id}',
+        },
+        base_url=args.base_url,
+        path=args.path,
+        secret_header=args.secret_header,
+        secret=secret,
+    )
+    if not resolved.get('ok'):
+        print(json.dumps(resolved, indent=2))
+        raise SystemExit(1)
+
+    result = (resolved.get('result') or {})
+    item = result.get('item') or {}
+    kind = item.get('kind') or ''
+
+    if args.decision == 'reject':
+        print(json.dumps({'resolved': resolved, 'executed': False, 'reason': 'rejected'}, indent=2))
+        return
+
+    if result.get('executed') is True:
+        print(json.dumps({'resolved': resolved, 'executed': True, 'driver': 'n8n'}, indent=2))
+        return
+
+    if kind not in {'email_draft', 'calendar_event'}:
+        print(json.dumps({'resolved': resolved, 'executed': False, 'reason': f'no host executor for kind {kind}'}, indent=2))
+        return
+
+    account = gog_account(args.account)
+    env = os.environ.copy()
+    env['GOG_ACCOUNT'] = account
+
+    if kind == 'email_draft':
+        cmd, tmpfile = build_email_command(item, account, args.dry_run)
+        op = 'gmail.drafts.create'
+        success_status = 'draft_created' if not args.dry_run else 'dry_run'
+    else:
+        cmd = build_calendar_command(item, account, args.dry_run)
+        tmpfile = None
+        op = 'calendar.create'
+        success_status = 'event_created' if not args.dry_run else 'dry_run'
+
+    try:
+        code, stdout, stderr = run(cmd, env=env)
+    finally:
+        if tmpfile:
+            try:
+                Path(tmpfile).unlink(missing_ok=True)
+            except Exception:
+                pass
+
+    if code != 0:
+        execution = {
+            'driver': 'gog',
+            'op': op,
+            'status': 'failed',
+            'account': account,
+            'dry_run': args.dry_run,
+            'stderr': stderr.strip(),
+            'stdout': stdout.strip(),
+        }
+        attach = attach_execution(item['id'], execution, base_url=args.base_url, path=args.path, secret_header=args.secret_header, secret=secret)
+        print(json.dumps({'resolved': resolved, 'execution': execution, 'attach': attach}, indent=2))
+        raise SystemExit(code)
+
+    parsed = parse_json(stdout) if stdout.strip() else None
+    execution = {
+        'driver': 'gog',
+        'op': op,
+        'status': success_status,
+        'account': account,
+        'dry_run': args.dry_run,
+        'result': parsed,
+    }
+    attach = attach_execution(item['id'], execution, base_url=args.base_url, path=args.path, secret_header=args.secret_header, secret=secret)
+    print(json.dumps({'resolved': resolved, 'execution': execution, 'attach': attach}, indent=2))
+
+
+if __name__ == '__main__':
+    main()

skills/n8n-webhook/scripts/validate-workflow.py

@@ -42,6 +42,7 @@ ROUTER_SNIPPETS = [
     'approval_queue_add',
     'approval_queue_list',
     'approval_queue_resolve',
+    'approval_history_attach_execution',
     'fetch_and_normalize_url',
     'inbound_event_filter',
     'unknown_action',