---
title: Approval Workflow Hub
url: https://blog.guigpap.com/en/workflows/approval-workflow/
url_md: https://blog.guigpap.com/en/workflows/approval-workflow.md
category: automation
date: '2026-03-28'
maturite: production
techno:
  - n8n
  - telegram
  - claude
  - docker
application:
  - automation
  - operations
---

# Approval Workflow Hub

> Centralising multi-source approval requests with Telegram buttons

## 1. What? — Definition and context

Docker updates, critical MCP operations, incident remediations — several workflows need a human approval before they act. Rather than having every workflow reimplement its own validation logic, the **Approval Workflow Hub** centralises every request in a uniform format with [Approve] / [Reject] Telegram buttons.

> **Note - Human approval**
>
> In an automated infrastructure, some actions are too risky to run unattended: updating a production service, deleting a workflow, or executing a remediation script. Telegram approval lets you validate from your phone in one tap.

### Approval sources

| Source | Example | Callback |
|--------|---------|----------|
| **Docker DIUN** | Application image update | `notif_approve_` |
| **MCP Gateway** | N8N workflow write | `mcp_approve_` |
| **Incident Response** | Automatic remediation | `incident_execute_` |
| **File Provider** | Custom image rebuild | `approve_file_` |

---

## 2. Why? — Stakes and motivations

### Problems solved

| Problem | Without the hub | With the hub |
|---------|-----------------|--------------|
| **Duplicated logic** | Every workflow runs its own buttons | Unified format and storage |
| **No tracking** | Approval lost if Telegram crashes | Data Table with audit trail |
| **Silent timeout** | No reply = nothing happens | Configurable timeout with default action |

---

## 3. How? — Technical implementation

### Architecture

```mermaid
flowchart TD
    subgraph Sources["Approval request sources"]
        direction TB
        Docker["Docker DIUN · application update"]
        MCP["MCP Gateway · workflow write"]
        Incident["Incident Response · remediation"]
        File["File Provider · custom rebuild"]
    end
    Hub["Approval Workflow Hub · normalisation"]
    DT["Data Table Pending Approvals · audit trail"]
    Notif["Notification Hub · Telegram buttons"]
    Wait["Wait for callback · configurable timeout"]
    Router{"Route by type"}
    ApproveDocker["SSH update command"]
    ApproveMCP["HTTP POST cli-ollama gateway"]
    ApproveIncident["Run remediation script"]
    ApproveFile["Trigger Docker rebuild"]
    Sources --> Hub --> DT --> Notif --> Wait --> Router
    Router --> ApproveDocker
    Router --> ApproveMCP
    Router --> ApproveIncident
    Router --> ApproveFile
```

The hub normalises each request into a common format stored in the `Pending Approvals` Data Table:

| Field | Description |
|-------|-------------|
| `approval_id` | Unique identifier |
| `type` | claude / docker / incident / file_provider |
| `source` | Triggering workflow |
| `context` | Context payload (JSON) |
| `callback_url` | Return URL (for the MCP gateway) |
| `status` | pending / approved / rejected / expired |

When the user clicks a button, the callback is routed by type:

- **Docker** → runs the SSH update command
- **MCP** → HTTP POST to the cli-ollama gateway
- **Incident** → starts the remediation script
- **File Provider** → triggers the Docker rebuild

> **Caution - Admin required**
>
> Every approval requires the `is_admin = true` flag in the authorised users table. A non-admin user sees "Action restricted to admins".

---

## 4. What if? — Perspectives and limits

### Current limits

| Limit | Impact | Mitigation |
|-------|--------|------------|
| **Single admin** | Only one approver | Sufficient for solo use |
| **No escalation** | Timeout = nothing happens | Reminder notification planned |

### Evolution scenarios

**If a team is involved**:

- Multi-signature approval (2 admins out of 3)
- Temporary delegation (vacation)
- Approval history in Grafana

---

## Related pages

### Workflows

- [Docker auto-updates](/en/workflows/docker-updates/) — Update approvals
- [Conversational system](/en/workflows/systeme-conversationnel/) — MCP confirmations
- [Notification Hub](/en/workflows/notification-hub/) — Request routing

### Infrastructure

- [Security Stack](/en/infrastructure/security-stack/) — Caddy blocks external webhooks

## Agent metadata

- This article comes from the GuiGPaP Lab blog.
- Global blog context: https://blog.guigpap.com/llms.txt
- Author contact: https://odoo.guigpap.com/mon-cv
- License: CC-BY-SA 4.0
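
## Added example: validating an [Approve] callback

The callback routing and admin check from section 3, sketched as a function that could sit in an n8n Code node. This is an added example, not the blog's own workflow code. The prefix-to-type mapping, the `expires_at` column, the `handleApprove` and `sampleState` names and all sample rows are assumptions; the page does not list the [Reject] callback format, so only the approve path is shown.

```javascript
// Callback prefixes from the "Approval sources" table. The prefix-to-type
// mapping (for example mcp_approve_ -> claude) is an assumption.
const PREFIX_TO_TYPE = {
  notif_approve_: 'docker',
  mcp_approve_: 'claude',
  incident_execute_: 'incident',
  approve_file_: 'file_provider',
};

// Constructed fixtures standing in for the authorised users table and the
// Pending Approvals Data Table. expires_at is a hypothetical column.
function sampleState() {
  return {
    users: new Map([[1001, { is_admin: true }], [2002, { is_admin: false }]]),
    pending: new Map([
      ['a1', { type: 'docker', status: 'pending', expires_at: 2000 }],
      ['b2', { type: 'incident', status: 'pending', expires_at: 500 }],
    ]),
  };
}

// Validate one [Approve] click. Returns the route to run, or a refusal.
function handleApprove(callbackData, userId, state, now) {
  const deny = (reason) => ({ ok: false, reason });
  const user = state.users.get(userId);
  if (!user || user.is_admin !== true) return deny('Action restricted to admins');

  const prefix = Object.keys(PREFIX_TO_TYPE).find((p) => callbackData.startsWith(p));
  if (!prefix) return deny('unknown callback');
  const approvalId = callbackData.slice(prefix.length);
  const row = state.pending.get(approvalId);
  if (!row) return deny('unknown approval_id');

  // The stored row, not the button payload, decides which action runs.
  if (row.type !== PREFIX_TO_TYPE[prefix]) return deny('type mismatch');
  // Only pending rows can be decided, so a replayed click is refused.
  if (row.status !== 'pending') return deny(`already ${row.status}`);
  if (now > row.expires_at) {
    row.status = 'expired';
    return deny('expired');
  }
  row.status = 'approved';
  return { ok: true, route: row.type, approval_id: approvalId };
}
```

The returned `route` would feed the "Route by type" switch; every refusal leaves the row untouched except for the move to `expired`.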