fix(xueqiu): fix 400 errors — use browser cookies, correct UA and Referer, fix hot posts endpoint

[MatrixA]

Problem

Xueqiu returns HTTP 400 (`error_code: 400016`) for all API calls regardless of proxy setup. This is not a network issue — it's an auth issue in the code itself.

Root cause: the stock API requires `xq_a_token`, a session token generated by Xueqiu's frontend JavaScript. Visiting the homepage via `urllib.request` only ever yields `acw_tc` (an anti-DDoS cookie). `xq_a_token` is never obtainable this way, so `_ensure_cookies()` was fundamentally insufficient.

Additional issues found during investigation:

• `User-Agent: "agent-reach/1.0"` is flagged by Xueqiu's anti-bot system
• All API requests were missing `Referer: https://xueqiu.com/\`
• `get_hot_posts()` was calling `/statuses/hot/listV3.json` which returns an empty body (deprecated endpoint)
• `configure --from-browser` didn't extract Xueqiu cookies, even though browser cookies fix the 400

Changes

`agent_reach/channels/xueqiu.py`

• `_ensure_cookies()`: new three-level priority — (1) config file (saved by `--from-browser`) → (2) live Chrome cookies via `browser_cookie3` if `xq_a_token` is present → (3) homepage fallback
• `_get_json()`: use real Chrome User-Agent; add `Referer: https://xueqiu.com/\`
• `get_hot_posts()`: switch to `/v4/statuses/public_timeline_by_category.json`; parse `item.data` as JSON string to extract author, text, likes
• `check()`: error message now points to `configure --from-browser chrome` instead of suggesting a proxy
• `tier` and `backends` updated to reflect cookie requirement

`agent_reach/cookie_extract.py`

• Add Xueqiu to `PLATFORM_SPECS` (grab all cookies, like XHS)
• `configure_from_browser()` now saves `xueqiu_cookie` when `xq_a_token` is present; warns the user to log in first if it's missing

`tests/test_channels.py`

• Update `get_hot_posts` test data to v4 timeline format
• Add `test_ensure_cookies_loads_from_config`: verifies config-file cookie injection
• Add `test_get_json_sends_referer_and_browser_ua`: verifies Referer header and non-bot UA

Docs (style kept minimal, consistent with existing tone)

• README / README_en: update Xueqiu row from "Zero config" → "Tell your Agent 'help me set up Xueqiu'"
• `docs/install.md`: add Xueqiu to `--from-browser` tip; add brief setup section
• `docs/troubleshooting.md`: add short Xueqiu 400 section
• `agent_reach/skill/SKILL.md`: update section header and footer note
• `CHANGELOG.md`: add 1.3.1 entry

Testing

75 passed in 25s

End-to-end verified locally with real browser cookies:

• `check()` → ok
• `get_stock_quote("SH600519")` → 贵州茅台 1413.9 元
• `get_hot_stocks(limit=10)` → 泡泡玛特 rank 1, 赣锋锂业 rank 2 …
• `get_hot_posts(limit=3)` → real authors, titles, like counts
• `configure --from-browser chrome` → ✅ Xueqiu: 18 cookies (含 xq_a_token)