Inspiration

I have been building n8n workflows for a while. Every time I hand one off to a client or a team I feel uncertain. Did I miss something? Is there a hardcoded API key? What happens when that HTTP Request gets a 401?

The n8n editor gives you green checkmarks. It does not tell you if the workflow survives production. Real payloads, missing credentials, silent failures at 2am.

I looked for a tool that could answer this. I found FlowLint, which is great if you are already on GitHub CI. I found a CLI validator. I did not find a product, something a freelancer or agency could use without setting up infrastructure first. So I built Drygate.

What it does

You paste or upload your exported n8n workflow JSON. Drygate runs a four-stage pipeline and tells you whether it is safe to ship.

Parse. Validates graph structure, connections, trigger presence.

Static analysis. 25 plus rules across five modules: structure, credentials, error handling, loops and rate limiting. Catches hardcoded secrets, credential mismatches, missing error branches, webhook endpoints with no auth, loops hitting APIs with no rate limiting, AI prompt injection risks and more. Issues are grouped into categories: Security, Reliability, Logic, Configuration and AI Agents.

Sandbox execution. Connects to a persistent n8n instance, imports the workflow, coerces triggers to manual, executes it and captures per-node traces with real error messages.

Remediation. A prioritized fix plan with numbered steps and time estimates per issue. For high severity issues, an AI powered suggestion is generated using the actual node parameters to give a specific fix rather than generic advice.

Every result gets a score from 0 to 100, a readiness band, a workflow graph visualization with nodes colored by status and a shareable report link. The pipeline streams live so you watch it run in real time.

How I built it

Next.js 14 for frontend and API routes. The API returns the verification ID immediately and fires the verify pipeline as a background task.

Static analysis is a custom TypeScript validator with five check modules producing typed Issue objects with codes, severities and remediation hints.

Scoring starts at 100 and deducts per finding, with a cap on the total deduction per code. Four codes trigger fail-closed behavior: MISSING_TRIGGER, HARDCODED_SECRET, CIRCULAR_DEPENDENCY and UNAUTHORIZED_EGRESS_DETECTED. The final score is capped at 40 if any of them appears.

Sandbox connects to n8n via its internal REST API with a multi-step fallback chain for different n8n versions. It polls for completion, extracts per-node traces, then cleans up.

AI fix suggestions call an LLM with the actual node parameters for each high severity issue and return a workflow-specific fix rather than boilerplate text.

SSE streaming uses a process-local Map with a history buffer for late subscribers plus a 2-second DB poll fallback.

Prisma and PostgreSQL on Supabase, deployed on Railway with private networking between the app and the n8n sandbox.

Challenges I ran into

The n8n API is not what you think. The public REST API has no execution trigger endpoint. Running a workflow programmatically means calling an internal undocumented API whose shape changed across major versions. I built a fallback chain across v0, v1 and v2 shapes.

n8n version drift. N8N_USER_MANAGEMENT_DISABLED and N8N_BASIC_AUTH_ACTIVE were both removed in n8n 1.0. My auth model broke completely. I had to implement owner provisioning by detecting showSetupOnFirstLoad from /rest/settings and calling /rest/owner/setup on first run. That was a full day lost to a changelog nobody reads.

Sticky Notes as false positives. They are annotation nodes, never connected by design. My disconnection checks were flagging every one as DISCONNECTED_NODE. One-line fix, but I only found it by running the tool against real community workflows.

SSE race conditions. The pipeline can finish before the client subscribes. Fixed with a history buffer that replays events to late subscribers plus a DB polling fallback.
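The history-buffer pattern from the SSE streaming paragraph and the race described above, as an added TypeScript example (not Drygate's code). Event shapes, the "complete" terminal stage and the lastSeenSeq parameter are assumptions; the Map keyed by verification ID is process-local, which is exactly why the write-up pairs it with a DB poll fallback.

```typescript
// Added example, not Drygate's code: a process-local event hub with a history buffer so a
// client that subscribes after the pipeline has finished (or reconnects) still gets every event.
interface PipelineEvent { seq: number; stage: string; data: unknown }
type Listener = (e: PipelineEvent) => void;

class VerificationStream {
  private readonly history: PipelineEvent[] = [];
  private readonly listeners = new Set<Listener>();
  private seq = 0;
  private closed = false;

  // Called by the background pipeline; "complete" is the assumed terminal stage.
  publish(stage: string, data: unknown): PipelineEvent {
    if (this.closed) throw new Error("publish after complete");
    const event: PipelineEvent = { seq: ++this.seq, stage, data };
    this.history.push(event);
    this.listeners.forEach((l) => l(event));
    if (stage === "complete") this.closed = true;
    return event;
  }

  // lastSeenSeq mirrors the SSE Last-Event-ID header: replay only what the client missed.
  subscribe(listener: Listener, lastSeenSeq = 0): () => void {
    for (const e of this.history) if (e.seq > lastSeenSeq) listener(e);
    if (this.closed) return () => {}; // nothing more will arrive; do not retain the listener
    this.listeners.add(listener);
    return () => { this.listeners.delete(listener); };
  }

  isClosed(): boolean { return this.closed; }
}

// One stream per verification ID, created on first use by whichever side of the race arrives first.
const streams = new Map<string, VerificationStream>();
function streamFor(id: string): VerificationStream {
  let s = streams.get(id);
  if (!s) { s = new VerificationStream(); streams.set(id, s); }
  return s;
}
```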

What I am proud of

The fail-closed scoring rule. A hardcoded secret caps the score at 40. No partial credit.
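The scoring rule from "How I built it" and the fail-closed cap above, as an added TypeScript example (not Drygate's code). The starting score of 100, the four fail-closed codes and the cap of 40 come from the write-up; the per-severity deductions, the per-code cap of 30 and the readiness band thresholds are assumed.

```typescript
// Added example, not Drygate's code. The starting score, the fail-closed codes and the cap
// of 40 come from the write-up; per-severity deductions and the per-code cap are assumed.
type Severity = "high" | "medium" | "low";
interface Finding { code: string; severity: Severity }

const DEDUCTION: Record<Severity, number> = { high: 20, medium: 10, low: 3 }; // assumed weights
const PER_CODE_CAP = 30; // assumed: one rule firing many times cannot drain more than this
const FAIL_CLOSED_CAP = 40;
const FAIL_CLOSED_CODES = new Set([
  "MISSING_TRIGGER", "HARDCODED_SECRET", "CIRCULAR_DEPENDENCY", "UNAUTHORIZED_EGRESS_DETECTED",
]);

interface ScoreResult { score: number; failClosed: boolean; deductions: Record<string, number> }

function scoreWorkflow(findings: Finding[]): ScoreResult {
  // Accumulate deductions per code, clamping each code at PER_CODE_CAP.
  const deductions: Record<string, number> = {};
  for (const f of findings) {
    const current = deductions[f.code] ?? 0;
    deductions[f.code] = Math.min(PER_CODE_CAP, current + DEDUCTION[f.severity]);
  }
  let score = 100;
  for (const code of Object.keys(deductions)) score -= deductions[code];
  score = Math.max(0, score);
  // Fail closed: any of the four codes caps the score no matter how clean the rest is.
  const failClosed = findings.some((f) => FAIL_CLOSED_CODES.has(f.code));
  if (failClosed) score = Math.min(score, FAIL_CLOSED_CAP);
  return { score, failClosed, deductions };
}

// Readiness band thresholds are assumed; the write-up only says a band is reported.
function readinessBand(score: number): "ship" | "review" | "block" {
  if (score >= 80) return "ship";
  if (score >= 50) return "review";
  return "block";
}
```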

The CREDENTIAL_REF_INCONSISTENT check. It catches an auth type configured with no credential attached, which guarantees a 401 on every production run. The n8n editor never flags this and no other tool does either.
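The check above, together with the sticky-note exclusion from "Challenges I ran into" and the static-analysis stage, as an added TypeScript example (not Drygate's validator). Node and connection field names follow the n8n export format; which `authentication` values count as "needs a credential", the issue shape and the sample workflow are constructed assumptions.

```typescript
// Added example, not Drygate's code: two static checks over an exported n8n workflow JSON.
// Field names follow the n8n export format; which `authentication` values require a credential is assumed.
interface N8nNode { name: string; type: string; parameters?: Record<string, unknown>; credentials?: Record<string, unknown> }
interface N8nWorkflow { nodes: N8nNode[]; connections: Record<string, { main?: Array<Array<{ node: string }>> }> }
interface Issue { code: string; severity: "high" | "medium" | "low"; node: string; message: string }

const STICKY_NOTE = "n8n-nodes-base.stickyNote"; // annotation-only node, never wired by design

// CREDENTIAL_REF_INCONSISTENT: an auth type is selected but no credential is attached,
// so the node sends an unauthenticated request and gets a 401 on every run.
function checkCredentialRefs(wf: N8nWorkflow): Issue[] {
  const issues: Issue[] = [];
  for (const n of wf.nodes) {
    const auth = n.parameters?.authentication;
    const hasCredential = Object.keys(n.credentials ?? {}).length > 0;
    if (typeof auth === "string" && auth !== "none" && !hasCredential) {
      issues.push({ code: "CREDENTIAL_REF_INCONSISTENT", severity: "high", node: n.name,
        message: `authentication is "${auth}" but no credential is attached` });
    }
  }
  return issues;
}

// DISCONNECTED_NODE: a node with no inbound or outbound edge. Sticky notes are skipped,
// which is the one-line fix for the false positives described in the challenges section.
function checkDisconnected(wf: N8nWorkflow): Issue[] {
  const wired = new Set<string>();
  for (const source of Object.keys(wf.connections)) {
    for (const branch of wf.connections[source].main ?? []) {
      for (const edge of branch) { wired.add(source); wired.add(edge.node); }
    }
  }
  return wf.nodes
    .filter((n) => n.type !== STICKY_NOTE && !wired.has(n.name))
    .map((n) => ({ code: "DISCONNECTED_NODE", severity: "medium" as const, node: n.name,
      message: "node has no connections" }));
}

// Constructed sample: one HTTP Request with auth but no credential, one orphan Set node, one sticky note.
const sampleWorkflow: N8nWorkflow = {
  nodes: [
    { name: "Webhook", type: "n8n-nodes-base.webhook", parameters: { path: "intake" } },
    { name: "HTTP Request", type: "n8n-nodes-base.httpRequest",
      parameters: { url: "https://api.example.invalid/v1", authentication: "genericCredentialType" } },
    { name: "Orphan", type: "n8n-nodes-base.set" },
    { name: "Note", type: STICKY_NOTE, parameters: { content: "remember to add retries" } },
  ],
  connections: { Webhook: { main: [[{ node: "HTTP Request" }]] } },
};
```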

The categorized issue report. Issues grouped into Security, Reliability, Logic, Configuration and AI Agents with expandable fix cards. Scales cleanly as checks grow.

The workflow graph. Nodes colored by status: red for issues, green for passed, gray for blocked. One visual that communicates workflow health without reading a list.

Shipping and deploying the full thing in 7 days. That one genuinely surprised me.

What I learned

n8n's internal API is fragile and undocumented. Building on it means reverse-engineering the editor. The right long-term path is contributing an official execution API upstream.

Static analysis catches more than I expected. The most impactful findings (hardcoded secrets, credential mismatches, missing error outputs) are all static. The sandbox adds real value for code-heavy workflows, but static analysis alone is useful for 100 percent of them.

Documenting limits builds trust. Being honest about what Drygate cannot do made it feel more credible, not less.

What's next

The sandbox coverage gap is the biggest open problem. Credential-blocked nodes skip execution, so most real workflows get 0 to 8 percent coverage. My plan:

Expression analyzer. Parse every expression and detect null reference access, missing fallbacks, dead node references. No execution needed, works on 100 percent of workflows.

pinData simulation. Inject synthetic output into credential-blocked nodes using n8n's official pinData feature, then run the full downstream chain. Estimated coverage jump from 8 percent to 70 to 90 percent.

AI simulation. Send the workflow graph to an LLM for predicted execution traces and logic error detection on complex branching workflows.

Security scanning. n8n has had five critical RCE vulnerabilities in four months, all from unsafe expression evaluation. I want to scan expressions for known injection patterns and flag dangerous Code node constructs. The quality gate becomes a security gate.
