Keep enterprise directory data in sync across Feishu and WeCom #183
Open
Atlas-SZ wants to merge 2 commits into dataelement:main from
The org sync flow now supports a provider-aware configuration model, adds WeCom directory ingestion, and updates the enterprise settings UI so admins can configure sync, browse a collapsible org tree, and inspect member details without manual directory maintenance. The read path for org sync settings was tightened so only admins can fetch the config and provider secrets are redacted from API responses while still being preserved on save when the UI submits blank secret fields.
Constraint: WeCom validation had to remain read-only against the live tenant
Constraint: Existing Feishu org sync settings needed to keep working without a data migration
Rejected: Add a separate WeCom-only settings key | would duplicate provider config paths and UI state
Rejected: Store org sync secrets only in environment variables | conflicts with tenant-managed enterprise settings workflow
Confidence: high
Scope-risk: moderate
Reversibility: clean
Directive: Do not expose org_sync secrets in API responses or relax admin-only access without revisiting the trust boundary
Tested: backend/.venv/bin/python -m ruff check backend/app/api/enterprise.py backend/app/models/org.py backend/app/services/org_sync_service.py backend/tests/test_password_reset_and_notifications.py
Tested: DATABASE_URL=postgresql+asyncpg://postgres:QF20200610@localhost:25432/clawith REDIS_URL=redis://:difyai123456@localhost:16379/0 backend/.venv/bin/python -m pytest backend/tests/test_password_reset_and_notifications.py
Tested: cd frontend && npm run build
Not-tested: Durable background job processing for very large org syncs
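The read and save behaviour described in the message above (admin-only read, secrets redacted in responses, blank secret fields preserved on save), sketched as an added example. It is not code from this pull request; the field names `app_secret` and `corp_secret`, the `_set` flag, the config shape and the role check are all assumptions.

```python
"""Added example: redact provider secrets on read, keep them on blank save."""
import copy

SECRET_FIELDS = {"app_secret", "corp_secret"}  # hypothetical secret keys
# Constructed sample of a stored org_sync config (all values are made up).
STORED = {"provider": "wecom",
          "wecom": {"corp_id": "ww-example", "corp_secret": "constructed-secret"},
          "feishu": {"app_id": "cli-example", "app_secret": ""}}

class Forbidden(Exception):
    """A non-admin asked for the org sync config."""

def redact(config: dict) -> dict:
    """Copy the config with secret values blanked; '<field>_set' tells the
    UI whether a secret is stored without revealing it."""
    out = {}
    for key, value in config.items():
        if isinstance(value, dict):
            out[key] = redact(value)
        elif key in SECRET_FIELDS:
            out[key], out[f"{key}_set"] = "", bool(value)
        else:
            out[key] = value
    return out

def read_config(role: str, stored: dict) -> dict:
    """Read path: admin-only, and never returns a secret value."""
    if role != "admin":
        raise Forbidden("org sync settings are admin-only")
    return redact(stored)

def merge_on_save(stored: dict, submitted: dict) -> dict:
    """Write path: a blank secret keeps the stored value, a non-blank one
    replaces it; other submitted fields overwrite what is stored."""
    merged = copy.deepcopy(stored)
    for key, value in submitted.items():
        if key.endswith("_set") and key[:-4] in SECRET_FIELDS:
            continue  # UI-only flag produced by redact(); never persisted
        if isinstance(value, dict):
            base = stored.get(key)
            merged[key] = merge_on_save(base if isinstance(base, dict) else {}, value)
        elif key in SECRET_FIELDS and not value:
            continue  # blank secret field: preserve what is stored
        else:
            merged[key] = value
    return merged
```

Saving the redacted view back unchanged leaves the stored secrets intact, which is the property a regression test for this trust boundary should pin down.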
WeCom channel configuration was executing correctly server-side, but the UI could misreport connection health and silently fail after disconnect because it tried to parse a 204 response as JSON. The stream path also treated official WeCom AI Bot payloads as if they used legacy field names, which let group messages fall into p2p sessions. This change makes runtime connection state authoritative, separates group and p2p session keys correctly, and adds explicit UI feedback for save and disconnect actions.
Constraint: WeCom AI Bot traffic arrives through the official SDK fields from_userid, chattype, and chatid
Constraint: Local macOS system proxy settings must not break the WeCom websocket client
Rejected: Adding python-socks as a local dependency | unnecessary once the SDK path is forced to proxy=None
Confidence: high
Scope-risk: moderate
Reversibility: clean
Directive: Do not treat websocket mode as connected in the UI without consulting the backend is_connected flag
Tested: backend/.venv/bin/python -m ruff check backend/app/api/wecom.py backend/app/services/wecom_stream.py backend/tests/test_wecom_channel_api.py backend/tests/test_wecom_stream.py
Tested: backend/.venv/bin/python -m pytest backend/tests/test_wecom_stream.py backend/tests/test_wecom_channel_api.py
Tested: cd frontend && npm run build
Tested: Real WeCom websocket connect and disconnect with local runtime config
Not-tested: End-to-end live single-chat and group-chat message exchange against the running bot
Related: dataelement#182
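The group/p2p session separation described in the message above, as an added example that is not code from this pull request. It uses the `from_userid`, `chattype` and `chatid` fields named there; the `chattype` values `"group"` and `"single"`, the key format and the `bot_id` parameter are assumptions.

```python
"""Added example: separate session keys for WeCom group and p2p chats."""

GROUP, SINGLE = "group", "single"  # assumed chattype values

# Constructed sample events using the field names from the commit message.
ALICE_IN_GROUP = {"from_userid": "alice", "chattype": "group", "chatid": "room-1"}
BOB_IN_GROUP = {"from_userid": "bob", "chattype": "group", "chatid": "room-1"}
ALICE_DIRECT = {"from_userid": "alice", "chattype": "single"}
UNCLASSIFIED = {"from_userid": "alice"}  # official chattype field absent


class MalformedEvent(ValueError):
    """Payload lacks the fields needed to pick a session safely."""


def session_key(bot_id: str, event: dict) -> str:
    """Map one inbound event to a session key.

    Fails closed: an event that cannot be classified is rejected instead
    of defaulting to a p2p session, which is how group traffic would end
    up sharing a private conversation's history."""
    sender = event.get("from_userid")
    chattype = event.get("chattype")
    if not sender or chattype not in (GROUP, SINGLE):
        raise MalformedEvent(f"unclassifiable event: chattype={chattype!r}")
    if chattype == GROUP:
        chatid = event.get("chatid")
        if not chatid:
            raise MalformedEvent("group event without chatid")
        # Everyone in the same group shares one session, keyed by chatid.
        return f"wecom:{bot_id}:group:{chatid}"
    # A direct chat is keyed by the sender, never by a chatid.
    return f"wecom:{bot_id}:p2p:{sender}"
```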