Human-gated ETL, self-hosted
Let an LLM handle your inbox.
Keep the approve button.
BookingPilot wires incoming messages (Gmail, webhook) through an LLM, asks you to approve on Telegram, then commits the structured data to the store of your choice — Sheets, JSON file, anything with a Store adapter.
- IngestPoll a Gmail label or receive a webhook. Each message is deduped by SHA-256 before the engine touches it.
- ExtractAn LLM (OpenAI, Ollama, Groq — any OpenAI-compatible endpoint) turns the message into typed JSON.
- GateTelegram pings you with Approve / Reject buttons. The pipeline pauses server-side until you tap one.
- PersistApproved rows flow into your chosen Store — Google Sheets, JSON file, or any custom StoreProvider.
- AuditEvery step is logged. Terminal failures land in the Hospital DLQ and can be replayed from the admin UI.
What you get out of the box
Node-chain pipelines
Build pipelines as a typed linear chain: source → transform → gate → sink. Validated before save; no runtime surprises.
Pluggable connectors
Ingestors, LLMs, stores and notifiers are all interfaces in @bookingpilot/core. Add your own in one package.
Credentials vaulted
Workflow JSON and connector credentials are AES-GCM encrypted on disk using your ENCRYPTION_SECRET.
Idempotent at the edge
Webhooks are dedup-locked by SHA-256 before enqueue. Replays are safe; duplicates never re-run the LLM.
Circuit breakers
A misbehaving integration (Gmail down, LLM refusing) trips its circuit and fails fast without eating the queue.
Admin observability
Live engine status, per-user workflow inspection, uptime chart, server-issue log and DLQ triage — no external stack needed.
You run it. Your secrets stay on your box.
Everything ships as a pnpm monorepo with Docker Compose + Traefik. Workflow JSON is encrypted at rest with your ENCRYPTION_SECRET, LLM credentials never leave your server, and admins see a real health panel with circuit breakers, a Hospital DLQ for failed jobs, server-issue logs, and a 24-hour uptime chart.