add wecom and wecomApp

[swordkee]

📝 Description

🗣️ Type of Change

• 🐞 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 📖 Documentation update
• ⚡ Code refactoring (no functional changes, no api changes)

🤖 AI Code Generation

• 🤖 Fully AI-generated (100% AI, 0% Human)
• 🛠️ Mostly AI-generated (AI draft, Human verified/modified)
• 👨‍💻 Mostly Human-written (Human lead, AI assisted or none)

🔗 Related Issue

📚 Technical Context (Skip for Docs)

• Reference URL:
• Reasoning:

🧪 Test Environment

• Hardware:
• OS:
• Model/Provider:
• Channels:

📸 Evidence (Optional)

Click to view Logs/Screenshots

☑️ Checklist

• My code/docs follow the style of this project.
• I have performed a self-review of my own changes.
• I have updated the documentation accordingly.

[nikolasdehor]

The WeCom integration adds useful channel support, but there are several issues that should be addressed before merging.

Missing error handling / security concerns:

1. No tests included: This PR adds ~1100 lines of Go code across wecom.go (466 lines) and wecom_app.go (629 lines) with zero test files. At minimum, the AES decryption, signature verification, and XML parsing paths need unit tests — these are security-critical code paths.

2. Config watcher (pkg/config/watcher.go): This adds a 258-line file watcher that is unrelated to WeCom. It should be a separate PR. Mixing orthogonal features makes review harder and increases merge conflict surface.

3. allow_from field inconsistency: The README docs use allow_from (snake_case) for WeCom but some existing channels use allowFrom (camelCase). The config struct should be consistent with the rest of the codebase.

4. Missing context.Context propagation: The WeCom HTTP handler should accept and pass through context.Context for proper cancellation support, consistent with how other channels (LINE, MaixCam) handle it.

5. Hardcoded timeout values: The 5-second WeCom reply deadline is mentioned in docs but I do not see a configurable timeout in the code or config struct. This should be a config option.

6. loop.go changes: The diff shows 18 additions / 21 deletions in loop.go — these changes should be reviewed carefully to ensure they do not affect existing channel behavior. Please describe what changed in the agent loop and why it was necessary for WeCom support.

Please split the config watcher into a separate PR and add tests for the security-critical paths (AES decryption, signature verification).

[alexhoshina]

所有的peer_kind都硬编码为direct，应该存在一些问题。我无法确定，你可以进行相关测试。

1. 所有的群聊消息都会被当作私信处理，直接导致session中会为群聊中的每个用户都创建一个json，也就是说：群聊中的每个用户的llm会话都是独立的。
2. 可能会出现隔离错误，当dm_scope设置为main时，所有的群聊、私聊都会被合并为同一个main会话。

---

All peer_kind are hardcoded as direct, which likely indicates some issues. I'm not entirely certain; you can conduct relevant tests.

1. All group chat messages are treated as private messages, which directly results in a JSON being created for each user in the group chat within the session. In other words, each user in the group chat has an independent LLM session.
2. Isolation errors may occur. When dm_scope is set to main, all group chats and private chats are merged into the same main session.

[alexhoshina]

与wecom.go中的pkcs7UnpadWeCom完全重复，直接调用wecom.go中的pkcs7UnpadWeCom即可

Completely duplicates pkcs7UnpadWeCom in wecom.go, simply call pkcs7UnpadWeCom from wecom.go directly.

[alexhoshina]

与wecom.go中的verifySignature仅receiver不同，可以声明为公共函数。

Only the receiver differs from verifySignature in wecom.go, so it can be declared as a public function.

[alexhoshina]

与wecom.go中的decryptMessage仅receiver不同，和调用的_pkcs7_不同，可以声明为公共函数

Only the receiver differs from decryptMessage in wecom.go, and the called pkcs7 is different; it can be declared as a public function.

[yinwm]

thanks for the pr

[Orgmar]

@swordkee Nice addition bringing WeCom and WeCom App channels into PicoClaw! This opens up the project to a lot of enterprise users on the platform.

We have the PicoClaw Dev Group on Discord for contributors to chat and collaborate. If you want to join, send an email to support@sipeed.com with the subject [Join PicoClaw Dev Group] swordkee and we'll send you the invite!