feat: Add WeCom (WeChat Work) channel adapter

[houko]

Summary

• Add WeCom/WeChat Work channel adapter implementation
• Add WeComConfig configuration struct in config.rs
• Register WeCom adapter in channel_bridge.rs

Features

WeCom channel supports:

• Inbound messages via callback webhook
• Outbound text messages via WeCom API
• Access token caching with auto-refresh

Configuration

Add to config.toml:

[channels.wecom]
corp_id = "your_corp_id"
agent_id = "your_agent_id"
secret_env = "WECOM_SECRET"  # env var name
webhook_port = 8454
default_agent = "assistant"

[channels.wecom.overrides]
# optional overrides

Test plan

• Build passes
• Configure WeCom app credentials
• Test message receive via callback
• Test message send

[Avey777]

WeCom：Enterprise use
WeChat：personal use

The two should be different, right?

[houko]

@Avey777 wecom is company wechat, not personal wechat.

manger console : https://work.weixin.qq.com

[Avey777]

@Avey777 wecom is company wechat, not personal wechat.

manger console : https://work.weixin.qq.com

OK, got it.

[houko]

WeCom integration quick start

1. Create a custom app in the WeCom admin console and record these values:

   • CorpID
   • AgentID
   • Secret
   • callback Token
   • callback EncodingAESKey

2. Add a WeCom channel config:

[channels.wecom]
corp_id = "wwxxxxxxxxxxxxxxxx"
agent_id = "1000016"
secret_env = "WECOM_SECRET"
webhook_port = 8454
token = "your-token"
encoding_aes_key = "your-43-char-aes-key"
default_agent = "router"

[channels.wecom.overrides]
output_format = "plain_text"

3. Export the app secret in your environment:

export WECOM_SECRET=your-app-secret

4. Expose the local webhook port to the public internet.

   • OpenFang listens on http://127.0.0.1:8454/wecom/webhook by default.
   • If OpenFang runs on a laptop, home network, office LAN, or any private network, WeCom cannot reach it directly.
   • In that case you must use a tunnel / ingress tool such as Cloudflare Tunnel to expose it as a public HTTPS URL.
   • Example public URL: https://YOUR_DOMAIN/wecom/webhook
   • That public URL should forward to the local path above.

5. In the WeCom admin console, open the app's "Receive Message Server" settings and use the same:

   • URL
   • Token
   • EncodingAESKey

6. Start OpenFang and verify the callback URL.

   • URL verification should succeed.
   • After that, sending a message to the app should deliver the inbound callback to OpenFang.

Common pitfalls

• The GET verification response must be the raw echostr. Returning JSON will fail URL verification.
• WeCom POST callbacks are XML / encrypted XML, not JSON.
• token and encoding_aes_key must exactly match the WeCom console values.
• If sending replies fails, check the app visibility scope and the target member userid.
• If the callback URL is rejected before verification, WeCom may be enforcing domain filing / entity relationship checks.
• If you use a firewall, allow the current callback source IPs from WeCom's getcallbackip API.
• If the app requires a trusted IP for outbound API calls, use your server's current public egress IP.

Useful logs

• ~/.openfang/logs/launchd.log
• ~/.openfang/logs/source-daemon.log

[Avey777]

@jaberjaber23
Perhaps it is possible to hand over part of the architecture review to AI.