@yanhaidao/wecom 2.2.4 → 2.2.5

package/README.md

@@ -44,23 +44,16 @@
 
 ---
 
-<div align="center">
-  <img src="https://cdn.jsdelivr.net/npm/@yanhaidao/wecom@latest/assets/01.image.jpg" width="45%" />
-  <img src="https://cdn.jsdelivr.net/npm/@yanhaidao/wecom@latest/assets/02.image.jpg" width="45%" />
-</div>
-
-
 
 ## 📊 模式能力对比
 
 | 能力维度 | 🤖 Bot 模式 | 🧩 Agent 模式 | ✨ **本插件 (双模)** |
-|:---|:---:|:---:|:---:|
-| **流式响应** | ✅ 原生支持 | ❌ 不支持 | **✅ 完美支持** |
-| **发送文件/图** | ❌ 不支持 | ✅ 支持 | **✅ 自动切换** |
-| **主动推送** | ❌ 仅回调 | ✅ 随时推送 | **✅ 完整 API** |
-| **Cronjob 定时** | ❌ 仅回调 | ✅ 支持 | **✅ 完美集成** |
-| **接收语音** | ✅ 转文字 | ✅ 语音+文字 | **✅ 双路处理** |
-| **群聊支持** | ✅ @即回 | ⚠️ 仅自建群 | **✅ 混合支持** |
+|:---|:---|:---|:---|
+| **接收消息 (单聊)** | ✅ 文本/图片/语音/文件 | ✅ 文本/图片/语音/视频/位置/链接 | **✅ 全能互补** (覆盖所有类型) |
+| **接收消息 (群聊)** | ✅ 文本/引用 | ❌ 不支持 (无回调) | **✅ 文本/引用** |
+| **发送消息** | ❌ 仅支持文本/图片/Markdown | ✅ **全格式支持** (文本/图片/视频/文件等) | **✅ 智能路由** (自动切换) |
+| **流式响应** | ✅ **支持** (打字机效果) | ❌ 不支持 | **✅ 完美支持** |
+| **主动推送** | ❌ 仅被动回复 | ✅ **支持** (指定用户/部门/标签) | **✅ 完整 API** |
 
 ---
 
@@ -89,8 +82,13 @@ openclaw config set channels.wecom.bot.receiveId ""
 openclaw config set channels.wecom.bot.streamPlaceholderContent "正在思考..."
 openclaw config set channels.wecom.bot.welcomeText "你好！我是 AI 助手"
 
-# 不配置表示所有人可用，配置则进入白名单模式
-openclaw config set channels.wecom.bot.dm.allowFrom '[]' 
+# DM 门禁（推荐显式设置 policy）
+# - open: 默认放开（所有人可用）
+# - disabled: 全部禁用
+# - allowlist: 仅 allowFrom 允许的人可用
+openclaw config set channels.wecom.bot.dm.policy "open"
+# policy=allowlist 时生效（例如只允许某些 userid；"*" 表示允许所有人）
+openclaw config set channels.wecom.bot.dm.allowFrom '["*"]'
 ```
 
 ### 3. 配置 Agent 模式（自建应用，可选）
@@ -103,8 +101,8 @@ openclaw config set channels.wecom.agent.agentId 1000001
 openclaw config set channels.wecom.agent.token "YOUR_CALLBACK_TOKEN"
 openclaw config set channels.wecom.agent.encodingAESKey "YOUR_CALLBACK_AES_KEY"
 openclaw config set channels.wecom.agent.welcomeText "欢迎使用智能助手"
-# 不配置表示所有人可用，配置则进入白名单模式
-openclaw config set channels.wecom.agent.dm.allowFrom '[]'
+openclaw config set channels.wecom.agent.dm.policy "open"
+openclaw config set channels.wecom.agent.dm.allowFrom '["*"]'
 ```
 
 ### 4. 高级网络配置 (公网出口代理)
@@ -317,9 +315,15 @@ Agent 输出 `{"template_card": ...}` 时自动渲染为交互卡片：
 **Q4: 群里 @机器人 发送文件失败？**
 > **A:** 因为企业微信 Bot 接口本身不支持发送非图片文件。我们的解决方案是：自动检测到文件发送需求后，改为通过 Agent 私信该用户发送文件，并在群里给出 "文件已私信发给您" 的提示。
 
-**Q5: Cronjob 定时任务怎么发给群？**
+**Q5: 为什么在 Agent 模式下发送文件（如 PDF、Word）给机器人没有反应？**
+> **A:** 这是由于企业微信官方接口限制。自建应用（Agent）的消息回调接口仅支持：文本、图片、语音、视频、位置和链接信息。**不支持**通用文件（File）类型的回调，因此插件无法感知您发送的文件。
+
+**Q6: Cronjob 定时任务怎么发给群？**
 > **A:** Cronjob 必须走 Agent 通道（Bot 无法主动发消息）。您只需在配置中指定 `to: "party:1"` (部门) 或 `to: "group:wr123..."` (外部群)，即可实现定时推送到群。
 
+**Q7: 为什么发视频给 Bot 没反应？**
+> **A:** 官方 Bot 接口**不支持接收视频**。如果您需要处理视频内容，请配置并使用 Agent 模式（Agent 支持接收视频）。
+
 ---
 
 ## 联系我
@@ -334,12 +338,18 @@ Agent 输出 `{"template_card": ...}` 时自动渲染为交互卡片：
 
 ## 更新日志
 
+### 2026.2.5
+
+- 🛠 **体验优化**：WeCom 媒体（图片/语音/视频/文件）处理的默认大小上限提升到 25MB，减少大文件因超限导致的“下载/保存失败”。
+- 📌 **可配置提示**：若仍遇到 Media exceeds ... limit，日志/回复会提示通过 channels.wecom.media.maxBytes 调整上限，并给出可直接执行的 openclaw config set 示例命令。
+
 ### 2026.2.4
 
 - 🚀 **架构升级**：实施 "Bot 优先 + Agent 兜底" 策略，兼顾流式体验与长任务稳定性（6分钟切换）。
-- ✨ **全模态支持**：Agent 模式完整支持接收与发送图片、文件、语音、视频。
+- ✨ **全模态支持**：Agent 模式完整支持接收图片/语音/视频（文件仅支持发送）。
 - ✨ **Cronjob 增强**：支持向部门 (`party:ID`) 和标签 (`tag:ID`) 广播消息。
 - 🛠 **Monitor 重构**：统一的消息防抖与流状态管理，提升并发稳定性。
+- 🛠 **体验优化**：修复企微重试导致的重复回复（Bot/Agent 均做 `msgid` 去重）；优化 Bot 连续多条消息的排队/合并回执，避免“重复同一答案”或“消息失败提示”。
 - 🐞 **修复**：Outbound ID 解析逻辑及 API 客户端参数缺失问题。
 
 ### 2026.2.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yanhaidao/wecom",
-  "version": "2.2.4",
+  "version": "2.2.5",
   "type": "module",
   "description": "OpenClaw WeCom (WeChat Work) intelligent bot channel plugin",
   "author": "YanHaidao (VX: YanHaidao)",

package/scripts/test-proxy.ts

@@ -0,0 +1,70 @@
+import { wecomFetch } from "../src/http.js";
+
+const args = process.argv.slice(2);
+let proxyUrl = "";
+
+if (args.includes("--host")) {
+    const hostIndex = args.indexOf("--host");
+    const portIndex = args.indexOf("--port");
+    const userIndex = args.indexOf("--user");
+    const passIndex = args.indexOf("--pass");
+
+    if (hostIndex === -1 || portIndex === -1) {
+        console.error("Error: --host and --port are required when using specific params.");
+        process.exit(1);
+    }
+
+    const host = args[hostIndex + 1];
+    const port = args[portIndex + 1];
+    const user = userIndex !== -1 ? args[userIndex + 1] : "";
+    const pass = passIndex !== -1 ? args[passIndex + 1] : "";
+
+    if (user && pass) {
+        // Safe encoding
+        proxyUrl = `http://${encodeURIComponent(user)}:${encodeURIComponent(pass)}@${host}:${port}`;
+    } else {
+        proxyUrl = `http://${host}:${port}`;
+    }
+} else {
+    proxyUrl = args[0] || process.env.PROXY_URL || "";
+}
+
+if (!proxyUrl) {
+  console.error("Usage: npx tsx extensions/wecom/scripts/test-proxy.ts <proxy_url>");
+  console.error("   OR: npx tsx extensions/wecom/scripts/test-proxy.ts --host <ip> --port <port> --user <u?> --pass <p?>");
+  process.exit(1);
+}
+
+console.log(`Testing proxy: ${proxyUrl.replace(/:([^:@]+)@/, ":***@")}`); // Mask password in log
+
+async function run() {
+  try {
+    // 1. Test IP echo to verify traffic goes through proxy
+    console.log("1. Checking IP via httpbin.org...");
+    const ipRes = await wecomFetch("https://httpbin.org/ip", {}, { proxyUrl, timeoutMs: 10000 });
+    if (!ipRes.ok) {
+        throw new Error(`IP check failed: ${ipRes.status} ${ipRes.statusText}`);
+    }
+    const ipJson = await ipRes.json();
+    console.log("   Result:", ipJson);
+
+    // 2. Test WeCom API connectivity
+    console.log("2. Checking WeCom connectivity...");
+    const wecomRes = await wecomFetch("https://qyapi.weixin.qq.com/cgi-bin/gettoken", {}, { proxyUrl, timeoutMs: 10000 });
+    const wecomJson = await wecomRes.json();
+    console.log("   Result:", wecomJson);
+    console.log("✅ Proxy works!");
+
+  } catch (err) {
+    // Extract cause for better debugging
+    const cause = (err as any).cause;
+    if (cause) {
+        console.error("❌ Proxy test failed (Cause):", cause);
+    } else {
+        console.error("❌ Proxy test failed:", err);
+    }
+    process.exit(1);
+  }
+}
+
+run();

package/src/agent/api-client.ts

@@ -118,11 +118,26 @@ export async function sendText(params: {
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(body),
     }, { proxyUrl: resolveWecomEgressProxyUrlFromNetwork(agent.network), timeoutMs: LIMITS.REQUEST_TIMEOUT_MS });
-    const json = await res.json() as { errcode?: number; errmsg?: string };
+    const json = await res.json() as {
+        errcode?: number;
+        errmsg?: string;
+        invaliduser?: string;
+        invalidparty?: string;
+        invalidtag?: string;
+    };
 
     if (json?.errcode !== 0) {
         throw new Error(`send failed: ${json?.errcode} ${json?.errmsg}`);
     }
+
+    if (json?.invaliduser || json?.invalidparty || json?.invalidtag) {
+        const details = [
+            json.invaliduser ? `invaliduser=${json.invaliduser}` : "",
+            json.invalidparty ? `invalidparty=${json.invalidparty}` : "",
+            json.invalidtag ? `invalidtag=${json.invalidtag}` : ""
+        ].filter(Boolean).join(", ");
+        throw new Error(`send partial failure: ${details}`);
+    }
 }
 
 /**
@@ -246,11 +261,26 @@ export async function sendMedia(params: {
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(body),
     }, { proxyUrl: resolveWecomEgressProxyUrlFromNetwork(agent.network), timeoutMs: LIMITS.REQUEST_TIMEOUT_MS });
-    const json = await res.json() as { errcode?: number; errmsg?: string };
+    const json = await res.json() as {
+        errcode?: number;
+        errmsg?: string;
+        invaliduser?: string;
+        invalidparty?: string;
+        invalidtag?: string;
+    };
 
     if (json?.errcode !== 0) {
         throw new Error(`send ${mediaType} failed: ${json?.errcode} ${json?.errmsg}`);
     }
+
+    if (json?.invaliduser || json?.invalidparty || json?.invalidtag) {
+        const details = [
+            json.invaliduser ? `invaliduser=${json.invaliduser}` : "",
+            json.invalidparty ? `invalidparty=${json.invalidparty}` : "",
+            json.invalidtag ? `invalidtag=${json.invalidtag}` : ""
+        ].filter(Boolean).join(", ");
+        throw new Error(`send ${mediaType} partial failure: ${details}`);
+    }
 }
 
 /**
@@ -263,7 +293,8 @@ export async function sendMedia(params: {
 export async function downloadMedia(params: {
     agent: ResolvedAgentAccount;
     mediaId: string;
-}): Promise<{ buffer: Buffer; contentType: string }> {
+    maxBytes?: number;
+}): Promise<{ buffer: Buffer; contentType: string; filename?: string }> {
     const { agent, mediaId } = params;
     const token = await getAccessToken(agent);
     const url = `${API_ENDPOINTS.DOWNLOAD_MEDIA}?access_token=${encodeURIComponent(token)}&media_id=${encodeURIComponent(mediaId)}`;
@@ -275,6 +306,24 @@ export async function downloadMedia(params: {
     }
 
     const contentType = res.headers.get("content-type") || "application/octet-stream";
+    const disposition = res.headers.get("content-disposition") || "";
+    const filename = (() => {
+        // 兼容：filename="a.md" / filename=a.md / filename*=UTF-8''a%2Eb.md
+        const mStar = disposition.match(/filename\*\s*=\s*([^;]+)/i);
+        if (mStar) {
+            const raw = mStar[1]!.trim().replace(/^"(.*)"$/, "$1");
+            const parts = raw.split("''");
+            const encoded = parts.length === 2 ? parts[1]! : raw;
+            try {
+                return decodeURIComponent(encoded);
+            } catch {
+                return encoded;
+            }
+        }
+        const m = disposition.match(/filename\s*=\s*([^;]+)/i);
+        if (!m) return undefined;
+        return m[1]!.trim().replace(/^"(.*)"$/, "$1") || undefined;
+    })();
 
     // 检查是否返回了错误 JSON
     if (contentType.includes("application/json")) {
@@ -282,6 +331,6 @@ export async function downloadMedia(params: {
         throw new Error(`download failed: ${json?.errcode} ${json?.errmsg}`);
     }
 
-    const buffer = await readResponseBodyAsBuffer(res);
-    return { buffer, contentType };
+    const buffer = await readResponseBodyAsBuffer(res, params.maxBytes);
+    return { buffer, contentType, filename };
 }

package/src/agent/handler.ts

@@ -4,20 +4,85 @@
  */
 
 import { pathToFileURL } from "node:url";
+import path from "node:path";
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { OpenClawConfig, PluginRuntime } from "openclaw/plugin-sdk";
 import type { ResolvedAgentAccount } from "../types/index.js";
 import { LIMITS } from "../types/constants.js";
 import { decryptWecomEncrypted, verifyWecomSignature, computeWecomMsgSignature, encryptWecomPlaintext } from "../crypto/index.js";
 import { extractEncryptFromXml, buildEncryptedXmlResponse } from "../crypto/xml.js";
-import { parseXml, extractMsgType, extractFromUser, extractContent, extractChatId, extractMediaId } from "../shared/xml-parser.js";
+import { parseXml, extractMsgType, extractFromUser, extractContent, extractChatId, extractMediaId, extractMsgId, extractFileName } from "../shared/xml-parser.js";
 import { sendText, downloadMedia } from "./api-client.js";
 import { getWecomRuntime } from "../runtime.js";
 import type { WecomAgentInboundMessage } from "../types/index.js";
+import { buildWecomUnauthorizedCommandPrompt, resolveWecomCommandAuthorization } from "../shared/command-auth.js";
+import { resolveWecomMediaMaxBytes } from "../config/index.js";
 
 /** 错误提示信息 */
 const ERROR_HELP = "\n\n遇到问题？联系作者: YanHaidao (微信: YanHaidao)";
 
+// Agent webhook 幂等去重池（防止企微回调重试导致重复回复）
+// 注意：这是进程内内存去重，重启会清空；但足以覆盖企微的短周期重试。
+const RECENT_MSGID_TTL_MS = 10 * 60 * 1000;
+const recentAgentMsgIds = new Map<string, number>();
+
+function rememberAgentMsgId(msgId: string): boolean {
+    const now = Date.now();
+    const existing = recentAgentMsgIds.get(msgId);
+    if (existing && now - existing < RECENT_MSGID_TTL_MS) return false;
+    recentAgentMsgIds.set(msgId, now);
+    // 简单清理：只在写入时做一次线性 prune，避免无界增长
+    for (const [k, ts] of recentAgentMsgIds) {
+        if (now - ts >= RECENT_MSGID_TTL_MS) recentAgentMsgIds.delete(k);
+    }
+    return true;
+}
+
+function looksLikeTextFile(buffer: Buffer): boolean {
+    const sampleSize = Math.min(buffer.length, 4096);
+    if (sampleSize === 0) return true;
+    let bad = 0;
+    for (let i = 0; i < sampleSize; i++) {
+        const b = buffer[i]!;
+        const isWhitespace = b === 0x09 || b === 0x0a || b === 0x0d; // \t \n \r
+        const isPrintable = b >= 0x20 && b !== 0x7f;
+        if (!isWhitespace && !isPrintable) bad++;
+    }
+    // 非可打印字符占比太高，基本可判断为二进制
+    return bad / sampleSize <= 0.02;
+}
+
+function analyzeTextHeuristic(buffer: Buffer): { sampleSize: number; badCount: number; badRatio: number } {
+    const sampleSize = Math.min(buffer.length, 4096);
+    if (sampleSize === 0) return { sampleSize: 0, badCount: 0, badRatio: 0 };
+    let badCount = 0;
+    for (let i = 0; i < sampleSize; i++) {
+        const b = buffer[i]!;
+        const isWhitespace = b === 0x09 || b === 0x0a || b === 0x0d;
+        const isPrintable = b >= 0x20 && b !== 0x7f;
+        if (!isWhitespace && !isPrintable) badCount++;
+    }
+    return { sampleSize, badCount, badRatio: badCount / sampleSize };
+}
+
+function previewHex(buffer: Buffer, maxBytes = 32): string {
+    const n = Math.min(buffer.length, maxBytes);
+    if (n <= 0) return "";
+    return buffer
+        .subarray(0, n)
+        .toString("hex")
+        .replace(/(..)/g, "$1 ")
+        .trim();
+}
+
+function buildTextFilePreview(buffer: Buffer, maxChars: number): string | undefined {
+    if (!looksLikeTextFile(buffer)) return undefined;
+    const text = buffer.toString("utf8");
+    if (!text.trim()) return undefined;
+    const truncated = text.length > maxChars ? `${text.slice(0, maxChars)}\n…(已截断)` : text;
+    return truncated;
+}
+
 /**
  * **AgentWebhookParams (Webhook 处理器参数)**
  * 
@@ -98,6 +163,13 @@ async function handleUrlVerification(
     const nonce = query.get("nonce") ?? "";
     const echostr = query.get("echostr") ?? "";
     const signature = query.get("msg_signature") ?? "";
+    const remote = req.socket?.remoteAddress ?? "unknown";
+
+    // 不输出敏感参数内容，仅输出存在性
+    // 用于排查：是否有请求打到 /wecom/agent
+    // 以及是否带齐 timestamp/nonce/msg_signature/echostr
+    // eslint-disable-next-line no-unused-vars
+    const _debug = { remote, hasTimestamp: Boolean(timestamp), hasNonce: Boolean(nonce), hasSig: Boolean(signature), hasEchostr: Boolean(echostr) };
 
     const valid = verifyWecomSignature({
         token: agent.token,
@@ -139,13 +211,19 @@ async function handleMessageCallback(params: AgentWebhookParams): Promise<boolea
     const { req, res, agent, config, core, log, error } = params;
 
     try {
+        log?.(`[wecom-agent] inbound: method=${req.method ?? "UNKNOWN"} remote=${req.socket?.remoteAddress ?? "unknown"}`);
         const rawXml = await readRawBody(req);
+        log?.(`[wecom-agent] inbound: rawXmlBytes=${Buffer.byteLength(rawXml, "utf8")}`);
         const encrypted = extractEncryptFromXml(rawXml);
+        log?.(`[wecom-agent] inbound: hasEncrypt=${Boolean(encrypted)} encryptLen=${encrypted ? String(encrypted).length : 0}`);
 
         const query = resolveQueryParams(req);
         const timestamp = query.get("timestamp") ?? "";
         const nonce = query.get("nonce") ?? "";
         const signature = query.get("msg_signature") ?? "";
+        log?.(
+            `[wecom-agent] inbound: query timestamp=${timestamp ? "yes" : "no"} nonce=${nonce ? "yes" : "no"} msg_signature=${signature ? "yes" : "no"}`,
+        );
 
         // 验证签名
         const valid = verifyWecomSignature({
@@ -157,6 +235,7 @@ async function handleMessageCallback(params: AgentWebhookParams): Promise<boolea
         });
 
         if (!valid) {
+            error?.(`[wecom-agent] inbound: signature invalid`);
             res.statusCode = 401;
             res.setHeader("Content-Type", "text/plain; charset=utf-8");
             res.end(`unauthorized - 签名验证失败${ERROR_HELP}`);
@@ -169,15 +248,28 @@ async function handleMessageCallback(params: AgentWebhookParams): Promise<boolea
             receiveId: agent.corpId,
             encrypt: encrypted,
         });
+        log?.(`[wecom-agent] inbound: decryptedBytes=${Buffer.byteLength(decrypted, "utf8")}`);
 
         // 解析 XML
         const msg = parseXml(decrypted);
         const msgType = extractMsgType(msg);
         const fromUser = extractFromUser(msg);
         const chatId = extractChatId(msg);
-        const content = extractContent(msg);
+        const msgId = extractMsgId(msg);
+        if (msgId) {
+            const ok = rememberAgentMsgId(msgId);
+            if (!ok) {
+                log?.(`[wecom-agent] duplicate msgId=${msgId} from=${fromUser} chatId=${chatId ?? "N/A"} type=${msgType}; skipped`);
+                res.statusCode = 200;
+                res.setHeader("Content-Type", "text/plain; charset=utf-8");
+                res.end("success");
+                return true;
+            }
+        }
+        const content = String(extractContent(msg) ?? "");
 
-        log?.(`[wecom-agent] ${msgType} from=${fromUser} chatId=${chatId ?? "N/A"} content=${content.slice(0, 100)}`);
+        const preview = content.length > 100 ? `${content.slice(0, 100)}…` : content;
+        log?.(`[wecom-agent] ${msgType} from=${fromUser} chatId=${chatId ?? "N/A"} msgId=${msgId ?? "N/A"} content=${preview}`);
 
         // 先返回 success (Agent 模式使用 API 发送回复，不用被动回复)
         res.statusCode = 200;
@@ -237,6 +329,7 @@ async function processAgentMessage(params: {
 
     const isGroup = Boolean(chatId);
     const peerId = isGroup ? chatId! : fromUser;
+    const mediaMaxBytes = resolveWecomMediaMaxBytes(config);
 
     // 处理媒体文件
     const attachments: any[] = []; // TODO: define specific type
@@ -249,44 +342,95 @@ async function processAgentMessage(params: {
         if (mediaId) {
             try {
                 log?.(`[wecom-agent] downloading media: ${mediaId} (${msgType})`);
-                const { buffer, contentType } = await downloadMedia({ agent, mediaId });
+                const { buffer, contentType, filename: headerFileName } = await downloadMedia({ agent, mediaId, maxBytes: mediaMaxBytes });
+                const xmlFileName = extractFileName(msg);
+                const originalFileName = (xmlFileName || headerFileName || `${mediaId}.bin`).trim();
+                const heuristic = analyzeTextHeuristic(buffer);
 
                 // 推断文件名后缀
                 const extMap: Record<string, string> = {
                     "image/jpeg": "jpg", "image/png": "png", "image/gif": "gif",
                     "audio/amr": "amr", "audio/speex": "speex", "video/mp4": "mp4",
                 };
-                const ext = extMap[contentType] || "bin";
+                const textPreview = msgType === "file" ? buildTextFilePreview(buffer, 12_000) : undefined;
+                const looksText = Boolean(textPreview);
+                const originalExt = path.extname(originalFileName).toLowerCase();
+                const normalizedContentType =
+                    looksText && originalExt === ".md" ? "text/markdown" :
+                    looksText && (!contentType || contentType === "application/octet-stream")
+                        ? "text/plain; charset=utf-8"
+                        : contentType;
+
+                const ext = extMap[normalizedContentType] || (looksText ? "txt" : "bin");
                 const filename = `${mediaId}.${ext}`;
 
+                log?.(
+                    `[wecom-agent] file meta: msgType=${msgType} mediaId=${mediaId} size=${buffer.length} maxBytes=${mediaMaxBytes} ` +
+                    `contentType=${contentType} normalizedContentType=${normalizedContentType} originalFileName=${originalFileName} ` +
+                    `xmlFileName=${xmlFileName ?? "N/A"} headerFileName=${headerFileName ?? "N/A"} ` +
+                    `textHeuristic(sample=${heuristic.sampleSize}, bad=${heuristic.badCount}, ratio=${heuristic.badRatio.toFixed(4)}) ` +
+                    `headHex="${previewHex(buffer)}"`,
+                );
+
                 // 使用 Core SDK 保存媒体文件
                 const saved = await core.channel.media.saveMediaBuffer(
                     buffer,
-                    contentType,
+                    normalizedContentType,
                     "inbound", // context/scope
-                    LIMITS.MAX_REQUEST_BODY_SIZE, // limit
-                    filename
+                    mediaMaxBytes, // limit
+                    originalFileName
                 );
 
                 log?.(`[wecom-agent] media saved to: ${saved.path}`);
                 mediaPath = saved.path;
-                mediaType = contentType;
+                mediaType = normalizedContentType;
 
                 // 构建附件
                 attachments.push({
-                    name: filename,
-                    mimeType: contentType,
+                    name: originalFileName,
+                    mimeType: normalizedContentType,
                     url: pathToFileURL(saved.path).href, // 使用跨平台安全的文件 URL
                 });
 
                 // 更新文本提示
-                finalContent = `${content} (已下载 ${buffer.length} 字节)`;
+                if (textPreview) {
+                    finalContent = [
+                        content,
+                        "",
+                        "文件内容预览：",
+                        "```",
+                        textPreview,
+                        "```",
+                        `(已下载 ${buffer.length} 字节)`,
+                    ].join("\n");
+                } else {
+                    if (msgType === "file") {
+                        finalContent = [
+                            content,
+                            "",
+                            `已收到文件：${originalFileName}`,
+                            `文件类型：${normalizedContentType || contentType || "未知"}`,
+                            "提示：当前仅对文本/Markdown/JSON/CSV/HTML/PDF（可选）做内容抽取；其他二进制格式请转为 PDF 或复制文本内容。",
+                            `(已下载 ${buffer.length} 字节)`,
+                        ].join("\n");
+                    } else {
+                        finalContent = `${content} (已下载 ${buffer.length} 字节)`;
+                    }
+                }
+                log?.(`[wecom-agent] file preview: enabled=${looksText} finalContentLen=${finalContent.length} attachments=${attachments.length}`);
             } catch (err) {
-                error?.(`[wecom-agent] media download failed: ${String(err)}`);
-                finalContent = `${content} (媒体下载失败)`;
+                error?.(`[wecom-agent] media processing failed: ${String(err)}`);
+                finalContent = [
+                    content,
+                    "",
+                    `媒体处理失败：${String(err)}`,
+                    `提示：可在 OpenClaw 配置中提高 channels.wecom.media.maxBytes（当前=${mediaMaxBytes}）`,
+                    `例如：openclaw config set channels.wecom.media.maxBytes ${50 * 1024 * 1024}`,
+                ].join("\n");
             }
         } else {
-            error?.(`[wecom-agent] mediaId not found for ${msgType}`);
+            const keys = Object.keys((msg as unknown as Record<string, unknown>) ?? {}).slice(0, 50).join(",");
+            error?.(`[wecom-agent] mediaId not found for ${msgType}; keys=${keys}`);
         }
     }
 
@@ -316,6 +460,28 @@ async function processAgentMessage(params: {
         body: finalContent,
     });
 
+    const authz = await resolveWecomCommandAuthorization({
+        core,
+        cfg: config,
+        // Agent 门禁应读取 channels.wecom.agent.dm（即 agent.config.dm），而不是 channels.wecom.dm（不存在）
+        accountConfig: agent.config as any,
+        rawBody: finalContent,
+        senderUserId: fromUser,
+    });
+    log?.(`[wecom-agent] authz: dmPolicy=${authz.dmPolicy} shouldCompute=${authz.shouldComputeAuth} sender=${fromUser.toLowerCase()} senderAllowed=${authz.senderAllowed} authorizerConfigured=${authz.authorizerConfigured} commandAuthorized=${String(authz.commandAuthorized)}`);
+
+    // 命令门禁：未授权时必须明确回复（Agent 侧用私信提示）
+    if (authz.shouldComputeAuth && authz.commandAuthorized !== true) {
+        const prompt = buildWecomUnauthorizedCommandPrompt({ senderUserId: fromUser, dmPolicy: authz.dmPolicy, scope: "agent" });
+        try {
+            await sendText({ agent, toUser: fromUser, chatId: undefined, text: prompt });
+            log?.(`[wecom-agent] unauthorized command: replied via DM to ${fromUser}`);
+        } catch (err: unknown) {
+            error?.(`[wecom-agent] unauthorized command reply failed: ${String(err)}`);
+        }
+        return;
+    }
+
     const ctxPayload = core.channel.reply.finalizeInboundContext({
         Body: body,
         RawBody: finalContent,
@@ -332,8 +498,11 @@ async function processAgentMessage(params: {
         Provider: "wecom",
         Surface: "wecom",
         OriginatingChannel: "wecom",
-        OriginatingTo: `wecom:${peerId}`,
-        CommandAuthorized: true, // 已通过 WeCom 签名验证
+        // 标记为 Agent 会话的回复路由目标，避免与 Bot 会话混淆：
+        // - 用于让 /new /reset 这类命令回执不被 Bot 侧策略拦截
+        // - 群聊场景也统一路由为私信触发者（与 deliver 策略一致）
+        OriginatingTo: `wecom-agent:${fromUser}`,
+        CommandAuthorized: authz.commandAuthorized ?? true,
         MediaPath: mediaPath,
         MediaType: mediaType,
         MediaUrl: mediaPath,
@@ -359,12 +528,8 @@ async function processAgentMessage(params: {
                 if (!text) return;
 
                 try {
-                    await sendText({
-                        agent,
-                        toUser: fromUser,
-                        chatId: isGroup ? chatId : undefined,
-                        text,
-                    });
+                    // 统一策略：Agent 模式在群聊场景默认只私信触发者（避免 wr/wc chatId 86008）
+                    await sendText({ agent, toUser: fromUser, chatId: undefined, text });
                     log?.(`[wecom-agent] reply delivered (${info.kind}) to ${fromUser}`);
                 } catch (err: unknown) {
                     error?.(`[wecom-agent] reply failed: ${String(err)}`);

package/src/channel.ts

@@ -31,7 +31,7 @@ const meta = {
 function normalizeWecomMessagingTarget(raw: string): string | undefined {
   const trimmed = raw.trim();
   if (!trimmed) return undefined;
-  return trimmed.replace(/^(wecom|wechatwork|wework|qywx):/i, "").trim() || undefined;
+  return trimmed.replace(/^(wecom-agent|wecom|wechatwork|wework|qywx):/i, "").trim() || undefined;
 }
 
 type ResolvedWecomAccount = {

package/src/config/index.ts

@@ -9,3 +9,4 @@ export {
     isWecomEnabled,
 } from "./accounts.js";
 export { resolveWecomEgressProxyUrl, resolveWecomEgressProxyUrlFromNetwork } from "./network.js";
+export { DEFAULT_WECOM_MEDIA_MAX_BYTES, resolveWecomMediaMaxBytes } from "./media.js";

package/src/config/media.ts

@@ -0,0 +1,14 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk";
+
+// 默认给一个相对“够用”的上限（80MB），避免视频/较大文件频繁触发失败。
+// 仍保留上限以防止恶意大文件把进程内存打爆（下载实现会读入内存再保存）。
+export const DEFAULT_WECOM_MEDIA_MAX_BYTES = 80 * 1024 * 1024;
+
+export function resolveWecomMediaMaxBytes(cfg: OpenClawConfig): number {
+  const raw = (cfg.channels?.wecom as any)?.media?.maxBytes;
+  const n = typeof raw === "number" ? raw : Number(raw);
+  if (Number.isFinite(n) && n > 0) {
+    return Math.floor(n);
+  }
+  return DEFAULT_WECOM_MEDIA_MAX_BYTES;
+}