feat(wechat): 完善微信群绑定安全组网约束，要求只允许在指定管理群内进行扫码验证绑定

app/Console/Commands/ConsumeWechatMessages.php

@@ -102,8 +102,21 @@ class ConsumeWechatMessages extends Command
         $fromUser = $msg['from_user'];
         $isChatroom = $msg['is_chatroom'];
 
-        // 绑定逻辑：支持私聊和群聊。只要内容格式为 BD-xxxxxx
+        // 绑定逻辑：支持私聊和被授权的微信群。只要内容格式为 BD-xxxxxx
         if (preg_match('/^BD-\d{6}$/i', $content)) {
+            // 如果是群聊，则仅允许在后台设定的目标通知群里进行扫码绑定
+            if ($isChatroom) {
+                $sysParam = \App\Models\SysParam::where('alias', 'wechat_bot_config')->first();
+                $config = $sysParam && ! empty($sysParam->body) ? json_decode($sysParam->body, true) : [];
+                $allowedGroupWxid = $config['group_notify']['target_wxid'] ?? '';
+
+                if ($msg['chatroom_id'] !== $allowedGroupWxid) {
+                    $this->info("拒绝绑定：来自非授权群聊 {$msg['chatroom_id']}");
+
+                    return;
+                }
+            }
+
             $replyTarget = $isChatroom ? $msg['chatroom_id'] : $fromUser;
             $this->info("收到潜在绑定请求: {$content} from {$fromUser} (Reply to: {$replyTarget})");
             $this->handleBindRequest(strtoupper($content), $fromUser, $replyTarget, $apiService);