@tencent-weixin/openclaw-weixin 2.0.1 → 2.1.2

package/README.md

@@ -285,7 +285,7 @@ All media types (image/voice/file/video) are transferred via CDN using AES-128-E
 ## Uninstall
 
 ```bash
-openclaw openclaw-weixin uninstall
+openclaw plugins uninstall @tencent-weixin/openclaw-weixin
 ```
 
 ## Troubleshooting

package/README.zh_CN.md

@@ -284,7 +284,7 @@ openclaw config set agents.mode per-channel-per-peer
 ## 卸载
 
 ```bash
-openclaw openclaw-weixin uninstall
+openclaw plugins uninstall @tencent-weixin/openclaw-weixin
 ```
 
 ## 故障排查

package/index.ts

@@ -4,7 +4,6 @@ import { buildChannelConfigSchema } from "openclaw/plugin-sdk/channel-config-sch
 import { weixinPlugin } from "./src/channel.js";
 import { assertHostCompatibility } from "./src/compat.js";
 import { WeixinConfigSchema } from "./src/config/config-schema.js";
-import { registerWeixinCli } from "./src/log-upload.js";
 import { setWeixinRuntime } from "./src/runtime.js";
 
 export default {
@@ -21,13 +20,5 @@ export default {
     }
 
     api.registerChannel({ plugin: weixinPlugin });
-
-    // registrationMode exists in 2026.3.22+; skip heavy registrations in setup-only mode.
-    const mode = (api as { registrationMode?: string }).registrationMode;
-    if (mode && mode !== "full") return;
-
-    api.registerCli(({ program, config }) => registerWeixinCli({ program, config }), {
-      commands: ["openclaw-weixin"],
-    });
   },
 };

package/openclaw.plugin.json

@@ -1,6 +1,6 @@
 {
   "id": "openclaw-weixin",
-  "version": "2.0.0",
+  "version": "2.1.1",
   "channels": ["openclaw-weixin"],
   "configSchema": {
     "type": "object",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tencent-weixin/openclaw-weixin",
-  "version": "2.0.1",
+  "version": "2.1.2",
   "description": "OpenClaw Weixin channel",
   "license": "MIT",
   "author": "Tencent",
@@ -29,9 +29,6 @@
     "qrcode-terminal": "0.12.0",
     "zod": "4.3.6"
   },
-  "peerDependencies": {
-    "openclaw": ">=2026.3.22"
-  },
   "devDependencies": {
     "@vitest/coverage-v8": "^3.1.0",
     "openclaw": "2026.3.23",
@@ -57,5 +54,6 @@
       "defaultChoice": "npm",
       "minHostVersion": ">=2026.3.22"
     }
-  }
+  },
+  "ilink_appid": "bot"
 }

package/src/api/api.ts

@@ -30,18 +30,43 @@ export type WeixinApiOptions = {
 // BaseInfo — attached to every outgoing CGI request
 // ---------------------------------------------------------------------------
 
-function readChannelVersion(): string {
+interface PackageJson {
+  name?: string;
+  version?: string;
+  ilink_appid?: string;
+}
+
+function readPackageJson(): PackageJson {
   try {
     const dir = path.dirname(fileURLToPath(import.meta.url));
     const pkgPath = path.resolve(dir, "..", "..", "package.json");
-    const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8")) as { version?: string };
-    return pkg.version ?? "unknown";
+    return JSON.parse(fs.readFileSync(pkgPath, "utf-8")) as PackageJson;
   } catch {
-    return "unknown";
+    return {};
   }
 }
 
-const CHANNEL_VERSION = readChannelVersion();
+const pkg = readPackageJson();
+
+const CHANNEL_VERSION = pkg.version ?? "unknown";
+
+/** iLink-App-Id: 直接读取 package.json 顶层 ilink_appid 字段。 */
+const ILINK_APP_ID: string = pkg.ilink_appid ?? "";
+
+/**
+ * iLink-App-ClientVersion: uint32 encoded as 0x00MMNNPP
+ * High 8 bits fixed to 0; remaining bits: major<<16 | minor<<8 | patch.
+ * e.g. "1.0.11" -> 0x0001000B = 65547
+ */
+function buildClientVersion(version: string): number {
+  const parts = version.split(".").map((p) => parseInt(p, 10));
+  const major = parts[0] ?? 0;
+  const minor = parts[1] ?? 0;
+  const patch = parts[2] ?? 0;
+  return ((major & 0xff) << 16) | ((minor & 0xff) << 8) | (patch & 0xff);
+}
+
+const ILINK_APP_CLIENT_VERSION: number = buildClientVersion(pkg.version ?? "0.0.0");
 
 /** Build the `base_info` payload included in every API request. */
 export function buildBaseInfo(): BaseInfo {
@@ -65,31 +90,78 @@ function randomWechatUin(): string {
   return Buffer.from(String(uint32), "utf-8").toString("base64");
 }
 
+/** Build headers shared by both GET and POST requests. */
+function buildCommonHeaders(): Record<string, string> {
+  const headers: Record<string, string> = {
+    "iLink-App-Id": ILINK_APP_ID,
+    "iLink-App-ClientVersion": String(ILINK_APP_CLIENT_VERSION),
+  };
+  const routeTag = loadConfigRouteTag();
+  if (routeTag) {
+    headers.SKRouteTag = routeTag;
+  }
+  return headers;
+}
+
 function buildHeaders(opts: { token?: string; body: string }): Record<string, string> {
   const headers: Record<string, string> = {
     "Content-Type": "application/json",
     AuthorizationType: "ilink_bot_token",
     "Content-Length": String(Buffer.byteLength(opts.body, "utf-8")),
     "X-WECHAT-UIN": randomWechatUin(),
+    ...buildCommonHeaders(),
   };
   if (opts.token?.trim()) {
     headers.Authorization = `Bearer ${opts.token.trim()}`;
   }
-  const routeTag = loadConfigRouteTag();
-  if (routeTag) {
-    headers.SKRouteTag = routeTag;
-  }
   logger.debug(
     `requestHeaders: ${JSON.stringify({ ...headers, Authorization: headers.Authorization ? "Bearer ***" : undefined })}`,
   );
   return headers;
 }
 
+/**
+ * GET fetch wrapper: send a GET request to a Weixin API endpoint with timeout + abort.
+ * Query parameters should already be encoded in `endpoint`.
+ * Returns the raw response text on success; throws on HTTP error or timeout.
+ */
+export async function apiGetFetch(params: {
+  baseUrl: string;
+  endpoint: string;
+  timeoutMs: number;
+  label: string;
+}): Promise<string> {
+  const base = ensureTrailingSlash(params.baseUrl);
+  const url = new URL(params.endpoint, base);
+  const hdrs = buildCommonHeaders();
+  logger.debug(`GET ${redactUrl(url.toString())}`);
+
+  const controller = new AbortController();
+  const t = setTimeout(() => controller.abort(), params.timeoutMs);
+  try {
+    const res = await fetch(url.toString(), {
+      method: "GET",
+      headers: hdrs,
+      signal: controller.signal,
+    });
+    clearTimeout(t);
+    const rawText = await res.text();
+    logger.debug(`${params.label} status=${res.status} raw=${redactBody(rawText)}`);
+    if (!res.ok) {
+      throw new Error(`${params.label} ${res.status}: ${rawText}`);
+    }
+    return rawText;
+  } catch (err) {
+    clearTimeout(t);
+    throw err;
+  }
+}
+
 /**
  * Common fetch wrapper: POST JSON to a Weixin API endpoint with timeout + abort.
  * Returns the raw response text on success; throws on HTTP error or timeout.
  */
-async function apiFetch(params: {
+async function apiPostFetch(params: {
   baseUrl: string;
   endpoint: string;
   body: string;
@@ -139,7 +211,7 @@ export async function getUpdates(
 ): Promise<GetUpdatesResp> {
   const timeout = params.timeoutMs ?? DEFAULT_LONG_POLL_TIMEOUT_MS;
   try {
-    const rawText = await apiFetch({
+    const rawText = await apiPostFetch({
       baseUrl: params.baseUrl,
       endpoint: "ilink/bot/getupdates",
       body: JSON.stringify({
@@ -166,7 +238,7 @@ export async function getUpdates(
 export async function getUploadUrl(
   params: GetUploadUrlReq & WeixinApiOptions,
 ): Promise<GetUploadUrlResp> {
-  const rawText = await apiFetch({
+  const rawText = await apiPostFetch({
     baseUrl: params.baseUrl,
     endpoint: "ilink/bot/getuploadurl",
     body: JSON.stringify({
@@ -195,7 +267,7 @@ export async function getUploadUrl(
 export async function sendMessage(
   params: WeixinApiOptions & { body: SendMessageReq },
 ): Promise<void> {
-  await apiFetch({
+  await apiPostFetch({
     baseUrl: params.baseUrl,
     endpoint: "ilink/bot/sendmessage",
     body: JSON.stringify({ ...params.body, base_info: buildBaseInfo() }),
@@ -209,7 +281,7 @@ export async function sendMessage(
 export async function getConfig(
   params: WeixinApiOptions & { ilinkUserId: string; contextToken?: string },
 ): Promise<GetConfigResp> {
-  const rawText = await apiFetch({
+  const rawText = await apiPostFetch({
     baseUrl: params.baseUrl,
     endpoint: "ilink/bot/getconfig",
     body: JSON.stringify({
@@ -229,7 +301,7 @@ export async function getConfig(
 export async function sendTyping(
   params: WeixinApiOptions & { body: SendTypingReq },
 ): Promise<void> {
-  await apiFetch({
+  await apiPostFetch({
     baseUrl: params.baseUrl,
     endpoint: "ilink/bot/sendtyping",
     body: JSON.stringify({ ...params.body, base_info: buildBaseInfo() }),

package/src/api/types.ts

@@ -44,6 +44,8 @@ export interface GetUploadUrlResp {
   upload_param?: string;
   /** 缩略图上传加密参数，无缩略图时为空 */
   thumb_upload_param?: string;
+  /** 完整上传 URL（服务端直接返回，无需客户端拼接） */
+  upload_full_url?: string;
 }
 
 export const MessageType = {
@@ -77,6 +79,8 @@ export interface CDNMedia {
   aes_key?: string;
   /** 加密类型: 0=只加密fileid, 1=打包缩略图/中图等信息 */
   encrypt_type?: number;
+  /** 完整下载 URL（服务端直接返回，无需客户端拼接） */
+  full_url?: string;
 }
 
 export interface ImageItem {

package/src/auth/accounts.ts

@@ -291,28 +291,27 @@ export function loadConfigRouteTag(accountId?: string): string | undefined {
 }
 
 /**
- * Ensure the openclaw-weixin channel section exists in openclaw.json so the gateway
- * recognises it as a configured channel at startup, then trigger a config reload.
+ * Bump `channels.openclaw-weixin.channelConfigUpdatedAt` in openclaw.json on each successful login
+ * so the gateway reloads config from disk (no empty `accounts: {}` placeholder).
  */
 export async function triggerWeixinChannelReload(): Promise<void> {
   try {
     const { loadConfig, writeConfigFile } = await import("openclaw/plugin-sdk/config-runtime");
     const cfg = loadConfig();
     const channels = (cfg.channels ?? {}) as Record<string, unknown>;
-    if (!channels["openclaw-weixin"] || Object.keys(channels["openclaw-weixin"] as Record<string, unknown>).every((k) => k === "enabled")) {
-      const updated: OpenClawConfig = {
-        ...cfg,
-        channels: {
-          ...channels,
-          "openclaw-weixin": {
-            ...(channels["openclaw-weixin"] as Record<string, unknown> ?? {}),
-            accounts: {},
-          },
+    const existing = (channels["openclaw-weixin"] as Record<string, unknown> | undefined) ?? {};
+    const updated: OpenClawConfig = {
+      ...cfg,
+      channels: {
+        ...channels,
+        "openclaw-weixin": {
+          ...existing,
+          channelConfigUpdatedAt: new Date().toISOString(),
         },
-      };
-      await writeConfigFile(updated);
-      logger.info("triggerWeixinChannelReload: wrote channel config to openclaw.json");
-    }
+      },
+    };
+    await writeConfigFile(updated);
+    logger.info("triggerWeixinChannelReload: wrote channel config to openclaw.json");
   } catch (err) {
     logger.warn(`triggerWeixinChannelReload: failed to update config: ${String(err)}`);
   }
@@ -343,6 +342,8 @@ type WeixinAccountConfig = {
 
 type WeixinSectionConfig = WeixinAccountConfig & {
   accounts?: Record<string, WeixinAccountConfig>;
+  /** Written on each successful login; see triggerWeixinChannelReload. */
+  channelConfigUpdatedAt?: string;
 };
 
 /** List accountIds from the index file (written at QR login). */

package/src/auth/login-qr.ts

@@ -1,6 +1,6 @@
 import { randomUUID } from "node:crypto";
 
-import { loadConfigRouteTag } from "./accounts.js";
+import { apiGetFetch } from "../api/api.js";
 import { logger } from "../util/logger.js";
 import { redactToken } from "../util/redact.js";
 
@@ -11,17 +11,24 @@ type ActiveLogin = {
   qrcodeUrl: string;
   startedAt: number;
   botToken?: string;
-  status?: "wait" | "scaned" | "confirmed" | "expired";
+  status?: "wait" | "scaned" | "confirmed" | "expired" | "scaned_but_redirect";
   error?: string;
+  /** The current effective polling base URL; may be updated on IDC redirect. */
+  currentApiBaseUrl?: string;
 };
 
 const ACTIVE_LOGIN_TTL_MS = 5 * 60_000;
+/** Client-side timeout for the get_bot_qrcode request. */
+const GET_QRCODE_TIMEOUT_MS = 10_000;
 /** Client-side timeout for the long-poll get_qrcode_status request. */
 const QR_LONG_POLL_TIMEOUT_MS = 35_000;
 
 /** Default `bot_type` for ilink get_bot_qrcode / get_qrcode_status (this channel build). */
 export const DEFAULT_ILINK_BOT_TYPE = "3";
 
+/** Fixed API base URL for all QR code requests. */
+const FIXED_BASE_URL = "https://ilinkai.weixin.qq.com";
+
 const activeLogins = new Map<string, ActiveLogin>();
 
 interface QRCodeResponse {
@@ -30,12 +37,14 @@ interface QRCodeResponse {
 }
 
 interface StatusResponse {
-  status: "wait" | "scaned" | "confirmed" | "expired";
+  status: "wait" | "scaned" | "confirmed" | "expired" | "scaned_but_redirect";
   bot_token?: string;
   ilink_bot_id?: string;
   baseurl?: string;
   /** The user ID of the person who scanned the QR code. */
   ilink_user_id?: string;
+  /** New host to redirect polling to when status is scaned_but_redirect. */
+  redirect_host?: string;
 }
 
 function isLoginFresh(login: ActiveLogin): boolean {
@@ -52,58 +61,35 @@ function purgeExpiredLogins(): void {
 }
 
 async function fetchQRCode(apiBaseUrl: string, botType: string): Promise<QRCodeResponse> {
-  const base = apiBaseUrl.endsWith("/") ? apiBaseUrl : `${apiBaseUrl}/`;
-  const url = new URL(`ilink/bot/get_bot_qrcode?bot_type=${encodeURIComponent(botType)}`, base);
-  logger.info(`Fetching QR code from: ${url.toString()}`);
-
-  const headers: Record<string, string> = {};
-  const routeTag = loadConfigRouteTag();
-  if (routeTag) {
-    headers.SKRouteTag = routeTag;
-  }
-
-  const response = await fetch(url.toString(), { headers });
-  if (!response.ok) {
-    const body = await response.text().catch(() => "(unreadable)");
-    logger.error(`QR code fetch failed: ${response.status} ${response.statusText} body=${body}`);
-    throw new Error(`Failed to fetch QR code: ${response.status} ${response.statusText}`);
-  }
-  return await response.json();
+  logger.info(`Fetching QR code from: ${apiBaseUrl} bot_type=${botType}`);
+  const rawText = await apiGetFetch({
+    baseUrl: apiBaseUrl,
+    endpoint: `ilink/bot/get_bot_qrcode?bot_type=${encodeURIComponent(botType)}`,
+    timeoutMs: GET_QRCODE_TIMEOUT_MS,
+    label: "fetchQRCode",
+  });
+  return JSON.parse(rawText) as QRCodeResponse;
 }
 
 async function pollQRStatus(apiBaseUrl: string, qrcode: string): Promise<StatusResponse> {
-  const base = apiBaseUrl.endsWith("/") ? apiBaseUrl : `${apiBaseUrl}/`;
-  const url = new URL(`ilink/bot/get_qrcode_status?qrcode=${encodeURIComponent(qrcode)}`, base);
-  logger.debug(`Long-poll QR status from: ${url.toString()}`);
-
-  const headers: Record<string, string> = {
-    "iLink-App-ClientVersion": "1",
-  };
-  const routeTag = loadConfigRouteTag();
-  if (routeTag) {
-    headers.SKRouteTag = routeTag;
-  }
-
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), QR_LONG_POLL_TIMEOUT_MS);
+  logger.debug(`Long-poll QR status from: ${apiBaseUrl} qrcode=***`);
   try {
-    const response = await fetch(url.toString(), { headers, signal: controller.signal });
-    clearTimeout(timer);
-    logger.debug(`pollQRStatus: HTTP ${response.status}, reading body...`);
-    const rawText = await response.text();
+    const rawText = await apiGetFetch({
+      baseUrl: apiBaseUrl,
+      endpoint: `ilink/bot/get_qrcode_status?qrcode=${encodeURIComponent(qrcode)}`,
+      timeoutMs: QR_LONG_POLL_TIMEOUT_MS,
+      label: "pollQRStatus",
+    });
     logger.debug(`pollQRStatus: body=${rawText.substring(0, 200)}`);
-    if (!response.ok) {
-      logger.error(`QR status poll failed: ${response.status} ${response.statusText} body=${rawText}`);
-      throw new Error(`Failed to poll QR status: ${response.status} ${response.statusText}`);
-    }
     return JSON.parse(rawText) as StatusResponse;
   } catch (err) {
-    clearTimeout(timer);
     if (err instanceof Error && err.name === "AbortError") {
       logger.debug(`pollQRStatus: client-side timeout after ${QR_LONG_POLL_TIMEOUT_MS}ms, returning wait`);
       return { status: "wait" };
     }
-    throw err;
+    // 网关超时（如 Cloudflare 524）或其他网络错误，视为等待状态继续轮询
+    logger.warn(`pollQRStatus: network/gateway error, will retry: ${String(err)}`);
+    return { status: "wait" };
   }
 }
 
@@ -148,15 +134,7 @@ export async function startWeixinLoginWithQr(opts: {
     const botType = opts.botType || DEFAULT_ILINK_BOT_TYPE;
     logger.info(`Starting Weixin login with bot_type=${botType}`);
 
-    if (!opts.apiBaseUrl) {
-      return {
-        message:
-          "No baseUrl configured. Add channels.openclaw-weixin.baseUrl to your config before logging in.",
-        sessionKey,
-      };
-    }
-
-    const qrResponse = await fetchQRCode(opts.apiBaseUrl, botType);
+    const qrResponse = await fetchQRCode(FIXED_BASE_URL, botType);
     logger.info(
       `QR code received, qrcode=${redactToken(qrResponse.qrcode)} imgContentLen=${qrResponse.qrcode_img_content?.length ?? 0}`,
     );
@@ -219,11 +197,15 @@ export async function waitForWeixinLogin(opts: {
   let scannedPrinted = false;
   let qrRefreshCount = 1;
 
+  // Initialize the effective polling base URL; may be updated on IDC redirect.
+  activeLogin.currentApiBaseUrl = FIXED_BASE_URL;
+
   logger.info("Starting to poll QR code status...");
 
   while (Date.now() < deadline) {
     try {
-      const statusResponse = await pollQRStatus(opts.apiBaseUrl, activeLogin.qrcode);
+      const currentBaseUrl = activeLogin.currentApiBaseUrl ?? FIXED_BASE_URL;
+      const statusResponse = await pollQRStatus(currentBaseUrl, activeLogin.qrcode);
       logger.debug(`pollQRStatus: status=${statusResponse.status} hasBotToken=${Boolean(statusResponse.bot_token)} hasBotId=${Boolean(statusResponse.ilink_bot_id)}`);
       activeLogin.status = statusResponse.status;
 
@@ -259,7 +241,7 @@ export async function waitForWeixinLogin(opts: {
 
           try {
             const botType = opts.botType || DEFAULT_ILINK_BOT_TYPE;
-            const qrResponse = await fetchQRCode(opts.apiBaseUrl, botType);
+            const qrResponse = await fetchQRCode(FIXED_BASE_URL, botType);
             activeLogin.qrcode = qrResponse.qrcode;
             activeLogin.qrcodeUrl = qrResponse.qrcode_img_content;
             activeLogin.startedAt = Date.now();
@@ -274,7 +256,7 @@ export async function waitForWeixinLogin(opts: {
             } catch {
               process.stdout.write(`二维码未加载成功，请用浏览器打开以下链接扫码：\n`);
               process.stdout.write(`${qrResponse.qrcode_img_content}\n`);
-            }
+            }          
           } catch (refreshErr) {
             logger.error(`waitForWeixinLogin: failed to refresh QR code: ${String(refreshErr)}`);
             activeLogins.delete(opts.sessionKey);
@@ -285,6 +267,17 @@ export async function waitForWeixinLogin(opts: {
           }
           break;
         }
+        case "scaned_but_redirect": {
+          const redirectHost = statusResponse.redirect_host;
+          if (redirectHost) {
+            const newBaseUrl = `https://${redirectHost}`;
+            activeLogin.currentApiBaseUrl = newBaseUrl;
+            logger.info(`waitForWeixinLogin: IDC redirect, switching polling host to ${redirectHost}`);
+          } else {
+            logger.warn(`waitForWeixinLogin: received scaned_but_redirect but redirect_host is missing, continuing with current host`);
+          }
+          break;
+        }
         case "confirmed": {
           if (!statusResponse.ilink_bot_id) {
             activeLogins.delete(opts.sessionKey);

package/src/cdn/cdn-upload.ts

@@ -13,15 +13,25 @@ const UPLOAD_MAX_RETRIES = 3;
  */
 export async function uploadBufferToCdn(params: {
   buf: Buffer;
-  uploadParam: string;
+  /** From getUploadUrl.upload_full_url; POST target when set (takes precedence over uploadParam). */
+  uploadFullUrl?: string;
+  uploadParam?: string;
   filekey: string;
   cdnBaseUrl: string;
   label: string;
   aeskey: Buffer;
 }): Promise<{ downloadParam: string }> {
-  const { buf, uploadParam, filekey, cdnBaseUrl, label, aeskey } = params;
+  const { buf, uploadFullUrl, uploadParam, filekey, cdnBaseUrl, label, aeskey } = params;
   const ciphertext = encryptAesEcb(buf, aeskey);
-  const cdnUrl = buildCdnUploadUrl({ cdnBaseUrl, uploadParam, filekey });
+  const trimmedFull = uploadFullUrl?.trim();
+  let cdnUrl: string;
+  if (trimmedFull) {
+    cdnUrl = trimmedFull;
+  } else if (uploadParam) {
+    cdnUrl = buildCdnUploadUrl({ cdnBaseUrl, uploadParam, filekey });
+  } else {
+    throw new Error(`${label}: CDN upload URL missing (need upload_full_url or upload_param)`);
+  }
   logger.debug(`${label}: CDN POST url=${redactUrl(cdnUrl)} ciphertextSize=${ciphertext.length}`);
 
   let downloadParam: string | undefined;

package/src/cdn/cdn-url.ts

@@ -2,6 +2,9 @@
  * Unified CDN URL construction for Weixin CDN upload/download.
  */
 
+/** 设为 true 时，当服务端未返回 full_url 字段，回退到客户端拼接 URL；false 则直接报错。 */
+export const ENABLE_CDN_URL_FALLBACK = true;
+
 /** Build a CDN download URL from encrypt_query_param. */
 export function buildCdnDownloadUrl(encryptedQueryParam: string, cdnBaseUrl: string): string {
   return `${cdnBaseUrl}/download?encrypted_query_param=${encodeURIComponent(encryptedQueryParam)}`;

package/src/cdn/pic-decrypt.ts

@@ -1,5 +1,5 @@
 import { decryptAesEcb } from "./aes-ecb.js";
-import { buildCdnDownloadUrl } from "./cdn-url.js";
+import { buildCdnDownloadUrl, ENABLE_CDN_URL_FALLBACK } from "./cdn-url.js";
 import { logger } from "../util/logger.js";
 
 /**
@@ -60,9 +60,17 @@ export async function downloadAndDecryptBuffer(
   aesKeyBase64: string,
   cdnBaseUrl: string,
   label: string,
+  fullUrl?: string,
 ): Promise<Buffer> {
   const key = parseAesKey(aesKeyBase64, label);
-  const url = buildCdnDownloadUrl(encryptedQueryParam, cdnBaseUrl);
+  let url: string;
+  if (fullUrl) {
+    url = fullUrl;
+  } else if (ENABLE_CDN_URL_FALLBACK) {
+    url = buildCdnDownloadUrl(encryptedQueryParam, cdnBaseUrl);
+  } else {
+    throw new Error(`${label}: fullUrl is required (CDN URL fallback is disabled)`);
+  }
   logger.debug(`${label}: fetching url=${url}`);
   const encrypted = await fetchCdnBytes(url, label);
   logger.debug(`${label}: downloaded ${encrypted.byteLength} bytes, decrypting`);
@@ -78,8 +86,16 @@ export async function downloadPlainCdnBuffer(
   encryptedQueryParam: string,
   cdnBaseUrl: string,
   label: string,
+  fullUrl?: string,
 ): Promise<Buffer> {
-  const url = buildCdnDownloadUrl(encryptedQueryParam, cdnBaseUrl);
+  let url: string;
+  if (fullUrl) {
+    url = fullUrl;
+  } else if (ENABLE_CDN_URL_FALLBACK) {
+    url = buildCdnDownloadUrl(encryptedQueryParam, cdnBaseUrl);
+  } else {
+    throw new Error(`${label}: fullUrl is required (CDN URL fallback is disabled)`);
+  }
   logger.debug(`${label}: fetching url=${url}`);
   return fetchCdnBytes(url, label);
 }

package/src/cdn/upload.ts

@@ -82,17 +82,19 @@ async function uploadMediaToCdn(params: {
     aeskey: aeskey.toString("hex"),
   });
 
+  const uploadFullUrl = uploadUrlResp.upload_full_url?.trim();
   const uploadParam = uploadUrlResp.upload_param;
-  if (!uploadParam) {
+  if (!uploadFullUrl && !uploadParam) {
     logger.error(
-      `${label}: getUploadUrl returned no upload_param, resp=${JSON.stringify(uploadUrlResp)}`,
+      `${label}: getUploadUrl returned no upload URL (need upload_full_url or upload_param), resp=${JSON.stringify(uploadUrlResp)}`,
     );
-    throw new Error(`${label}: getUploadUrl returned no upload_param`);
+    throw new Error(`${label}: getUploadUrl returned no upload URL`);
   }
 
   const { downloadParam: downloadEncryptedQueryParam } = await uploadBufferToCdn({
     buf: plaintext,
-    uploadParam,
+    uploadFullUrl: uploadFullUrl || undefined,
+    uploadParam: uploadParam ?? undefined,
     filekey,
     cdnBaseUrl,
     aeskey,

package/src/channel.ts

@@ -168,6 +168,7 @@ export const weixinPlugin: ChannelPlugin<ResolvedWeixinAccount> = {
       "When the user asks you to find an image from the web, use a web search or browser tool to find a suitable image URL, then send it using the message tool with 'media' set to that HTTPS image URL — do NOT download the image first.",
       "IMPORTANT: When generating or saving a file to send, always use an absolute path (e.g. /tmp/photo.png), never a relative path like ./photo.png. Relative paths cannot be resolved and the file will not be delivered.",
       "IMPORTANT: When creating a cron job (scheduled task) for the current Weixin user, you MUST set delivery.to to the user's Weixin ID (the xxx@im.wechat address from the current conversation) AND set delivery.accountId to the current AccountId. Without an explicit 'to', the cron delivery will fail with 'requires target'. Without an explicit 'accountId', the message may be sent from the wrong bot account. Example: delivery: { mode: 'announce', channel: 'openclaw-weixin', to: '<current_user_id@im.wechat>', accountId: '<current_AccountId>' }.",
+      "IMPORTANT: When outputting a MEDIA: directive to send a file, the MEDIA: tag MUST be on its own line — never inline with other text. Correct:\nSome text here\nMEDIA:/path/to/file.mp4\nIncorrect: Some text here MEDIA:/path/to/file.mp4",
     ],
   },
   reload: { configPrefixes: ["channels.openclaw-weixin"] },

package/src/compat.ts

@@ -73,7 +73,7 @@ export function assertHostCompatibility(hostVersion: string | undefined): void {
   throw new Error(
     `openclaw-weixin@${PLUGIN_VERSION} requires OpenClaw >=${SUPPORTED_HOST_MIN}, ` +
     `but found ${hostVersion}. ` +
-    `Please upgrade OpenClaw, or install openclaw-weixin@1.x (legacy) for older hosts:\n` +
-    `  openclaw plugins install @tencent-weixin/openclaw-weixin@legacy`,
+    `Please upgrade OpenClaw, or install the compatible track for older hosts:\n` +
+    `  npx @tencent-weixin/openclaw-weixin-cli install`,
   );
 }

package/src/config/config-schema.ts

@@ -17,6 +17,6 @@ const weixinAccountSchema = z.object({
 /** Top-level weixin config schema (token is stored in credentials file, not config). */
 export const WeixinConfigSchema = weixinAccountSchema.extend({
   accounts: z.record(z.string(), weixinAccountSchema).optional(),
-  /** Default URL for `openclaw openclaw-weixin logs-upload`. Set via `openclaw config set channels.openclaw-weixin.logUploadUrl <url>`. */
-  logUploadUrl: z.string().optional(),
+  /** ISO 8601; bumped on each successful login to refresh gateway config from disk. */
+  channelConfigUpdatedAt: z.string().optional(),
 });

package/src/media/media-download.ts

@@ -39,25 +39,27 @@ export async function downloadMediaFromItem(
 
   if (item.type === MessageItemType.IMAGE) {
     const img = item.image_item;
-    if (!img?.media?.encrypt_query_param) return result;
+    if (!img?.media?.encrypt_query_param && !img?.media?.full_url) return result;
     const aesKeyBase64 = img.aeskey
       ? Buffer.from(img.aeskey, "hex").toString("base64")
       : img.media.aes_key;
     logger.debug(
-      `${label} image: encrypt_query_param=${img.media.encrypt_query_param.slice(0, 40)}... hasAesKey=${Boolean(aesKeyBase64)} aeskeySource=${img.aeskey ? "image_item.aeskey" : "media.aes_key"}`,
+      `${label} image: encrypt_query_param=${(img.media.encrypt_query_param ?? "").slice(0, 40)}... hasAesKey=${Boolean(aesKeyBase64)} aeskeySource=${img.aeskey ? "image_item.aeskey" : "media.aes_key"} full_url=${Boolean(img.media.full_url)}`,
     );
     try {
       const buf = aesKeyBase64
         ? await downloadAndDecryptBuffer(
-            img.media.encrypt_query_param,
+            img.media.encrypt_query_param ?? "",
             aesKeyBase64,
             cdnBaseUrl,
             `${label} image`,
+            img.media.full_url,
           )
         : await downloadPlainCdnBuffer(
-            img.media.encrypt_query_param,
+            img.media.encrypt_query_param ?? "",
             cdnBaseUrl,
             `${label} image-plain`,
+            img.media.full_url,
           );
       const saved = await saveMedia(buf, undefined, "inbound", WEIXIN_MEDIA_MAX_BYTES);
       result.decryptedPicPath = saved.path;
@@ -68,13 +70,15 @@ export async function downloadMediaFromItem(
     }
   } else if (item.type === MessageItemType.VOICE) {
     const voice = item.voice_item;
-    if (!voice?.media?.encrypt_query_param || !voice.media.aes_key) return result;
+    if ((!voice?.media?.encrypt_query_param && !voice?.media?.full_url) || !voice?.media?.aes_key)
+      return result;
     try {
       const silkBuf = await downloadAndDecryptBuffer(
-        voice.media.encrypt_query_param,
+        voice.media.encrypt_query_param ?? "",
         voice.media.aes_key,
         cdnBaseUrl,
         `${label} voice`,
+        voice.media.full_url,
       );
       logger.debug(`${label} voice: decrypted ${silkBuf.length} bytes, attempting silk transcode`);
       const wavBuf = await silkToWav(silkBuf);
@@ -95,13 +99,15 @@ export async function downloadMediaFromItem(
     }
   } else if (item.type === MessageItemType.FILE) {
     const fileItem = item.file_item;
-    if (!fileItem?.media?.encrypt_query_param || !fileItem.media.aes_key) return result;
+    if ((!fileItem?.media?.encrypt_query_param && !fileItem?.media?.full_url) || !fileItem?.media?.aes_key)
+      return result;
     try {
       const buf = await downloadAndDecryptBuffer(
-        fileItem.media.encrypt_query_param,
+        fileItem.media.encrypt_query_param ?? "",
         fileItem.media.aes_key,
         cdnBaseUrl,
         `${label} file`,
+        fileItem.media.full_url,
       );
       const mime = getMimeFromFilename(fileItem.file_name ?? "file.bin");
       const saved = await saveMedia(
@@ -120,13 +126,15 @@ export async function downloadMediaFromItem(
     }
   } else if (item.type === MessageItemType.VIDEO) {
     const videoItem = item.video_item;
-    if (!videoItem?.media?.encrypt_query_param || !videoItem.media.aes_key) return result;
+    if ((!videoItem?.media?.encrypt_query_param && !videoItem?.media?.full_url) || !videoItem?.media?.aes_key)
+      return result;
     try {
       const buf = await downloadAndDecryptBuffer(
-        videoItem.media.encrypt_query_param,
+        videoItem.media.encrypt_query_param ?? "",
         videoItem.media.aes_key,
         cdnBaseUrl,
         `${label} video`,
+        videoItem.media.full_url,
       );
       const saved = await saveMedia(buf, "video/mp4", "inbound", WEIXIN_MEDIA_MAX_BYTES);
       result.decryptedVideoPath = saved.path;

package/src/messaging/process-message.ts

@@ -109,21 +109,23 @@ export async function processOneMessage(
 
   // Find the first downloadable media item (priority: IMAGE > VIDEO > FILE > VOICE).
   // When none found in the main item_list, fall back to media referenced via a quoted message.
+  const hasDownloadableMedia = (m?: { encrypt_query_param?: string; full_url?: string }) =>
+    m?.encrypt_query_param || m?.full_url;
   const mainMediaItem =
     full.item_list?.find(
-      (i) => i.type === MessageItemType.IMAGE && i.image_item?.media?.encrypt_query_param,
+      (i) => i.type === MessageItemType.IMAGE && hasDownloadableMedia(i.image_item?.media),
     ) ??
     full.item_list?.find(
-      (i) => i.type === MessageItemType.VIDEO && i.video_item?.media?.encrypt_query_param,
+      (i) => i.type === MessageItemType.VIDEO && hasDownloadableMedia(i.video_item?.media),
     ) ??
     full.item_list?.find(
-      (i) => i.type === MessageItemType.FILE && i.file_item?.media?.encrypt_query_param,
+      (i) => i.type === MessageItemType.FILE && hasDownloadableMedia(i.file_item?.media),
     ) ??
     full.item_list?.find(
       (i) =>
         i.type === MessageItemType.VOICE &&
-        i.voice_item?.media?.encrypt_query_param &&
-        !i.voice_item.text,
+        hasDownloadableMedia(i.voice_item?.media) &&
+        !i.voice_item?.text,
     );
   const refMediaItem = !mainMediaItem
     ? full.item_list?.find(
@@ -425,7 +427,7 @@ export async function processOneMessage(
     markDispatchIdle();
 
     logger.info(
-      `debug-check: accountId=${deps.accountId} debug=${String(debug)} hasContextToken=${Boolean(contextToken)} stateDir=${process.env.OPENCLAW_STATE_DIR ?? "(unset)"}`,
+      `debug-check: accountId=${deps.accountId} debug=${String(debug)} hasContextToken=${Boolean(contextToken)}`,
     );
 
     if (debug && contextToken) {

package/src/log-upload.ts

@@ -1,149 +0,0 @@
-import fs from "node:fs/promises";
-import path from "node:path";
-
-import type { OpenClawConfig } from "openclaw/plugin-sdk/core";
-import { resolvePreferredOpenClawTmpDir } from "openclaw/plugin-sdk/infra-runtime";
-
-
-/** Minimal subset of commander's Command used by registerWeixinCli. */
-type CliCommand = {
-  command(name: string): CliCommand;
-  description(str: string): CliCommand;
-  option(flags: string, description: string): CliCommand;
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  action(fn: (...args: any[]) => void | Promise<void>): CliCommand;
-};
-
-function currentDayLogFileName(): string {
-  const now = new Date();
-  const offsetMs = -now.getTimezoneOffset() * 60_000;
-  const dateKey = new Date(now.getTime() + offsetMs).toISOString().slice(0, 10);
-  return `openclaw-${dateKey}.log`;
-}
-
-/**
- * Parse --file argument: accepts a short 8-digit date (YYYYMMDD)
- * like "20260316", a full filename like "openclaw-2026-03-16.log",
- * or a legacy 10-digit hour timestamp "2026031614".
- */
-function resolveLogFileName(file: string): string {
-  if (/^\d{8}$/.test(file)) {
-    const yyyy = file.slice(0, 4);
-    const mm = file.slice(4, 6);
-    const dd = file.slice(6, 8);
-    return `openclaw-${yyyy}-${mm}-${dd}.log`;
-  }
-  if (/^\d{10}$/.test(file)) {
-    const yyyy = file.slice(0, 4);
-    const mm = file.slice(4, 6);
-    const dd = file.slice(6, 8);
-    return `openclaw-${yyyy}-${mm}-${dd}.log`;
-  }
-  return file;
-}
-
-function mainLogDir(): string {
-  return resolvePreferredOpenClawTmpDir();
-}
-
-function getConfiguredUploadUrl(config: OpenClawConfig): string | undefined {
-  const section = config.channels?.["openclaw-weixin"] as { logUploadUrl?: string } | undefined;
-  return section?.logUploadUrl;
-}
-
-/** Register the `openclaw openclaw-weixin` CLI subcommands. */
-export function registerWeixinCli(params: { program: CliCommand; config: OpenClawConfig }): void {
-  const { program, config } = params;
-
-  const root = program.command("openclaw-weixin").description("Weixin channel utilities");
-
-  root
-    .command("uninstall")
-    .description("Uninstall the Weixin plugin (cleans up channel config automatically)")
-    .action(async () => {
-      // 1. Remove channels.openclaw-weixin from config
-      const { loadConfig, writeConfigFile } = await import("openclaw/plugin-sdk/config-runtime");
-      const cfg = loadConfig();
-      const channels = (cfg.channels ?? {}) as Record<string, unknown>;
-      if (channels["openclaw-weixin"]) {
-        delete channels["openclaw-weixin"];
-        await writeConfigFile({ ...cfg, channels });
-        console.log("[weixin] Cleaned up channel config.");
-      }
-      // 2. Run the actual uninstall
-      const { execSync } = await import("node:child_process");
-      try {
-        execSync("openclaw plugins uninstall openclaw-weixin", { stdio: "inherit" });
-      } catch {
-        // uninstall command handles its own error output
-      }
-    });
-
-  root
-    .command("logs-upload")
-    .description("Upload a Weixin log file to a remote URL via HTTP POST")
-    .option("--url <url>", "Remote URL to POST the log file to (overrides config)")
-    .option(
-      "--file <file>",
-      "Log file to upload: full filename or 8-digit date YYYYMMDD (default: today)",
-    )
-    .action(async (options: { url?: string; file?: string }) => {
-      const uploadUrl = options.url ?? getConfiguredUploadUrl(config);
-      if (!uploadUrl) {
-        console.error(
-          `[weixin] No upload URL specified. Pass --url or set it with:\n  openclaw config set channels.openclaw-weixin.logUploadUrl <url>`,
-        );
-        process.exit(1);
-      }
-
-      const logDir = mainLogDir();
-      const rawFile = options.file ?? currentDayLogFileName();
-      const fileName = resolveLogFileName(rawFile);
-      const filePath = path.isAbsolute(fileName) ? fileName : path.join(logDir, fileName);
-
-      let content: Buffer;
-      try {
-        content = await fs.readFile(filePath);
-      } catch (err) {
-        console.error(`[weixin] Failed to read log file: ${filePath}\n  ${String(err)}`);
-        process.exit(1);
-      }
-
-      console.log(`[weixin] Uploading ${filePath} (${content.length} bytes) to ${uploadUrl} ...`);
-
-      const formData = new FormData();
-      formData.append("file", new Blob([new Uint8Array(content)], { type: "text/plain" }), fileName);
-
-      let res: Response;
-      try {
-        res = await fetch(uploadUrl, { method: "POST", body: formData });
-      } catch (err) {
-        console.error(`[weixin] Upload request failed: ${String(err)}`);
-        process.exit(1);
-      }
-
-      const responseBody = await res.text().catch(() => "");
-      if (!res.ok) {
-        console.error(
-          `[weixin] Upload failed: HTTP ${res.status} ${res.statusText}\n  ${responseBody}`,
-        );
-        process.exit(1);
-      }
-
-      console.log(`[weixin] Upload succeeded (HTTP ${res.status})`);
-      const fileid = res.headers.get("fileid");
-      if (fileid) {
-        console.log(`fileid: ${fileid}`);
-      } else {
-        // fileid not found; dump all headers for diagnosis
-        const headers: Record<string, string> = {};
-        res.headers.forEach((value, key) => {
-          headers[key] = value;
-        });
-        console.log("headers:", JSON.stringify(headers, null, 2));
-      }
-      if (responseBody) {
-        console.log("body:", responseBody);
-      }
-    });
-}