feat(messaging): add WeChat (personal) channel for Hermes

[sandl99]

Summary

Adds Hermes support for the WeChat channel now that the OpenClaw WeChat path has landed. This wires Hermes’ WEIXIN_* adapter contract to NemoClaw’s existing WECHAT_BOT_TOKEN OpenShell credential flow, adds Hermes iLink policy coverage, and preserves WeChat state across
rebuilds without baking secrets into the sandbox image.

Related Issue

Feature #3006

Changes

• Adds WeChat to Hermes messaging configuration and emits WEIXIN_TOKEN, WEIXIN_ACCOUNT_ID, WEIXIN_BASE_URL, and WEIXIN_ALLOWED_USERS from NemoClaw channel state.
• Maps Hermes’ WEIXIN_TOKEN placeholder to the existing WECHAT_BOT_TOKEN credential slot so OpenClaw and Hermes share the same OpenShell provider model.
• Adds Hermes WeChat policy entries for iLink bootstrap, per-account API, and CDN hosts with Hermes/Python binary allowlists.
• Updates the shared WeChat policy preset so it covers both OpenClaw’s Node bridge and Hermes’ Python adapter.
• Adds Hermes image setup for WeChat state directories and certifi CA wiring needed for OpenShell L7 proxy TLS.
• Extends focused unit coverage for Hermes config generation, supported messaging platform declarations, and WeChat provider cleanup on destroy.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

Additional focused checks run:

• npm run typecheck:cli
• node_modules/.bin/vitest --run test/generate-hermes-config.test.ts test/destroy-cleanup-sandbox-services.test.ts src/lib/agent/defs.test.ts test/e2e/scenario-framework-tests/e2e-convention-lint.test.ts test/e2e/scenario-framework-tests/e2e-parity-map.test.ts
• node_modules/.bin/biome check agents/hermes/config/build-env.ts agents/hermes/config/messaging-config.ts agents/hermes/generate-config.ts src/lib/actions/sandbox/destroy.ts src/lib/agent/defs.test.ts test/destroy-cleanup-sandbox-services.test.ts test/generate-hermes- config.test.ts
• node_modules/.bin/tsx scripts/e2e/lint-conventions.ts
• node_modules/.bin/tsx scripts/e2e/extract-legacy-assertions.ts --check
• node_modules/.bin/tsx scripts/e2e/check-parity-map.ts --strict

---

Signed-off-by: San Dang sdang@nvidia.com

Two things to double-check before opening:

• I marked npx prek run --all-files and npm test as passing, but I only ran a focused subset of vitest projects today. If you want those boxes accurate, run the full sweep first.
• Docs checkbox left blank. If the WeChat addition is mentioned in docs/, flip the doc checkboxes and include the doc page paths in ## Changes.

Summary by CodeRabbit

New Features

• Added WeChat as a supported messaging platform for Hermes agent with account configuration and credential management capabilities

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds WeChat (iLink) messaging adapter support to Hermes. It introduces configuration types for WeChat account metadata, extends the Docker build to manage TLS certificates and state directories, wires WeChat config into environment variable generation, establishes network policies for iLink API access, and updates tests and cleanup logic to handle the new messaging provider.

Changes

WeChat Integration

Layer / File(s)	Summary
WeChat config types and build infrastructure agents/hermes/config/build-env.ts, agents/hermes/manifest.yaml	Defined WechatConfig type with optional accountId, baseUrl, and userId fields; extended HermesBuildSettings.messaging to include wechatConfig; updated readHermesBuildSettings to deserialize NEMOCLAW_WECHAT_CONFIG_B64 environment variable with empty-object default; added weixin to manifest state_dirs and wechat to messaging_platforms.supported.
Hermes Docker image setup for WeChat agents/hermes/Dockerfile, agents/hermes/Dockerfile.base	Configured SSL_CERT_FILE build argument and symlink for WeChat adapter TLS trust; extended Hermes data directory creation (/sandbox/.hermes/weixin) and permission setup; updated Dockerfile.base comments to document WeChat as part of pre-baked messaging extras with shared aiohttp and cryptography dependencies.
WeChat messaging environment variable generation agents/hermes/config/messaging-config.ts, agents/hermes/generate-config.ts	Extended buildMessagingEnvLines signature to accept wechatConfig; added wechat channel to CHANNEL_TOKEN_ENVS mapping with WEIXIN_TOKEN; implemented buildWechatEnvLines helper to emit WEIXIN_ACCOUNT_ID, WEIXIN_BASE_URL, and WEIXIN_ALLOWED_USERS from config and allowed-user list; updated buildTokenPlaceholder to resolve WEIXIN_TOKEN from host credential WECHAT_BOT_TOKEN; wired config through generate-config.ts.
Network policy for WeChat iLink API agents/hermes/policy-additions.yaml, nemoclaw-blueprint/policies/presets/wechat.yaml	Added wechat_bridge network policy allowing outbound HTTPS to ilinkai.weixin.qq.com and ilinkai.wechat.com with GET/POST enforcement; whitelisted Hermes and Python binaries; updated WeChat preset header and description to cover both OpenClaw and Hermes agents; expanded binaries allowlist to include Hermes Python interpreter paths.
Sandbox cleanup and test updates src/lib/actions/sandbox/destroy.ts, src/lib/agent/defs.test.ts, test/destroy-cleanup-sandbox-services.test.ts, test/generate-hermes-config.test.ts	Extended cleanupSandboxServices to delete wechat-bridge provider during teardown; reorganized imports in destroy.ts; updated hermes agent test to expect wechat in messagingPlatforms; updated cleanup test to assert removal of wechat-bridge provider; added NEMOCLAW_WECHAT_CONFIG_B64 to test harness defaults; added success test verifying Hermes emits WEIXIN_* env vars with credential indirection and constructed allowed-user list; added failure test for missing accountId.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3442: Modifies the shared /sandbox/.hermes mutable state directory logic in Hermes Dockerfile, with potential interaction around permission and subdirectory creation.
• NVIDIA/NemoClaw#3186: Both PRs consume NEMOCLAW_WECHAT_CONFIG_B64 to set up WeChat integration—OpenClaw seeds account data while Hermes generates environment variables from the same config contract.

Suggested labels

Integration: Hermes, enhancement: integration

Suggested reviewers

• cv
• ericksoa

Poem

🐰 A Hermes hops with WeChat cheer,
State directories held near,
iLink policies take their stand,
Environment variables at hand—
Integration done, a rabbit's toast! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(messaging): add WeChat (personal) channel for Hermes' directly summarizes the main change across all files—adding WeChat messaging integration to the Hermes agent.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@agents/hermes/config/messaging-config.ts`:
- Around line 87-94: The buildWechatEnvLines function currently treats
wechatConfig.accountId as optional but this code path only runs when WeChat is
enabled and WEIXIN_ACCOUNT_ID is required; update buildWechatEnvLines to fail
fast by checking wechatConfig.accountId and throwing a clear error (e.g.,
Error('Missing WEIXIN_ACCOUNT_ID: wechatConfig.accountId is required when WeChat
is enabled')) when it's falsy, rather than silently omitting the
WEIXIN_ACCOUNT_ID line; reference the function buildWechatEnvLines and the
wechatConfig.accountId/WEIXIN_ACCOUNT_ID symbols so the check is added at the
start of that function.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 975a48d9-19b5-4874-9136-bba639d87b38

📥 Commits

Reviewing files that changed from the base of the PR and between ecd2708 and ef3267b.

📒 Files selected for processing (12)

• agents/hermes/Dockerfile
• agents/hermes/Dockerfile.base
• agents/hermes/config/build-env.ts
• agents/hermes/config/messaging-config.ts
• agents/hermes/generate-config.ts
• agents/hermes/manifest.yaml
• agents/hermes/policy-additions.yaml
• nemoclaw-blueprint/policies/presets/wechat.yaml
• src/lib/actions/sandbox/destroy.ts
• src/lib/agent/defs.test.ts
• test/destroy-cleanup-sandbox-services.test.ts
• test/generate-hermes-config.test.ts