…n type in spec

…m for weixin

- WeixinLogin: rewrite API calls to use GET+query params matching iLink SDK
  (bot_type param, correct response fields qrcode/qrcode_img_content,
  bot_token/ilink_bot_id, long-poll timeout treated as wait)
- WeixinLoginHandler: render QR page via hidden BrowserWindow to extract
  canvas data URL, since qrcode_img_content is a JS-rendered SPA
- WeixinPlugin: write SDK credential file (~/.openclaw/.../accounts/<id>.json)
  on initialize so weixin-agent-sdk start() can authenticate
- ChannelManager: add weixin to getPluginTypeFromId and builtinStartableTypes;
  add weixin credentials block in enablePlugin; always derive pluginType from
  pluginId instead of stale DB type field
- channelBridge: add weixin to BUILTIN_TYPES and BUILTIN_NAMES so getPluginStatus
  correctly returns hasToken and status for the WeChat channel
- database: include type in upsertChannelPlugin ON CONFLICT update so stale
  plugin type records are corrected on next enable

…lugin

…lugin

- Fix duplicate replies by writing WeChat credentials to AionUi's
  isolated data dir (getDataDir()) instead of ~/.openclaw, preventing
  the local openclaw gateway from auto-discovering the account
- Temporarily set OPENCLAW_STATE_DIR before void start() so the SDK
  reads the isolated dir, then restore after the first async suspension
- Add .then() auto-resolve on emitMessage for non-streaming responses
  (pairing codes, errors) that only call sendMessage without editMessage
- Strip HTML from sendMessage text stored in accumulatedText
- Add stripHtml to WeixinAdapter and wire it into ActionExecutor for
  outgoing text formatting on the weixin platform
- Add 'weixin' to ConversationSource and isFromChannel yoloMode check
- Fix TelegramConfigForm to filter pairings/events by platformType so
  Weixin pairing requests don't bleed into the Telegram UI
- Add pairing request and authorized user management sections to
  WeixinConfigForm, matching the pattern from TelegramConfigForm
- Update weixinPlugin unit tests to mock @/common/platform and use the
  isolated test data dir; fix pending-handler tests to block emitMessage
  so auto-resolve doesn't fire before rejection tests can observe it

…mentation

…inPlugin

- Add weixin.svg channel logo (green WeChat-style icon)
- Register weixin logo in ChannelHeader channelLogoMap
- Add weixin logo to CHANNEL_LOGOS in WebuiModalContent Channels tab
- Add channels.weixinTitle / channels.weixinDesc i18n keys to all 6 locales
  (zh-CN: 微信, zh-TW: 微信, others: WeChat)
- Update webui.featureChannelsDesc to include WeChat across all locales

- Update WeixinLogin to use qrcode_url/ticket from QR endpoint
  and botToken/userId/baseUrl from poll endpoint (matching test contracts)
- Remove renderQRPage from WeixinLoginHandler: onQR now forwards
  the image URL directly to renderer instead of opening a hidden window
- Add missing channel mock entries (getPendingPairings, getAuthorizedUsers,
  pairingRequested, userAuthorized) to WeixinConfigForm DOM tests
- Fix oxfmt formatting issues in 5 files

- weixinLogin.test.ts: align mock responses with actual iLink API field
  names (qrcode/qrcode_img_content for QR endpoint, bot_token/ilink_bot_id/
  baseurl for poll endpoint)
- weixinLoginHandler.test.ts: use vi.spyOn on renderQRPage to avoid
  BrowserWindow mock complexity; mock electron at file level for import;
  test verifies onQR forwards canvas data URL to renderer IPC

- Add formatError helper to capture error.cause for better diagnostics
- Split agent.chat() and callSendMessage() into separate try-catch blocks
- Log 'agent error' vs 'send error' to distinguish failure points
- No retry on send failure to avoid duplicate messages

…n stripHtml

- Strip tags before decoding entities to prevent double-unescaping
  (&amp;lt; now stays as &lt; instead of becoming <)
- Use single-pass replace callback for entity decoding (no chained replacements)
- Two-pass strip: before decode handles raw tags, after decode handles
  entity-encoded tags (&lt;script&gt; -> <script>)
- Loop strip until stable to handle nested/malformed markup

Fixes CodeQL alerts: js/double-escaping (#99), js/incomplete-multi-character-sanitization (#100)