review: fix critical/medium bugs in 4 plugins (round 2)

group_horse_racing:
- settle_race: rewrite with 7 bug fixes (race condition, draw double-credit, empty participants, etc.)
- models.py: reorder fields for correct defaults, add indexes
- message_service: add logger import

danding_points:
- api.py: add finally blocks to 3 methods (add_points, get_history, get_leaderboard)
- database.py: add finally block to get_user_balance

chatai:
- __init__.py: deprecated API→asyncio.to_thread, deduplicate logging, taskkill filter for safety
- screenshot.py: XSS protection with bleach on HTML content
- requirements.txt: add bleach dependency

danding_qqpush:
- api.py L13: fix self-referencing _renderer NameError crash
- api.py: lazy singleton pattern via _get_renderer() instead of per-request ImageRenderer
- __init__.py: mask Token in log output (security)

All 34 tests pass.

danding_bot/plugins/danding_points/database.py

@@ -77,11 +77,13 @@ class PointsDatabase:
     def get_user_balance(self, user_id: str) -> int:
         """Get user's current points balance."""
         conn = self.get_connection()
-        cursor = conn.cursor()
-        cursor.execute("SELECT points FROM user_points WHERE user_id = ?", (user_id,))
-        row = cursor.fetchone()
-        conn.close()
-        return row["points"] if row else 0
+        try:
+            cursor = conn.cursor()
+            cursor.execute("SELECT points FROM user_points WHERE user_id = ?", (user_id,))
+            row = cursor.fetchone()
+            return row["points"] if row else 0
+        finally:
+            conn.close()
 
     def ensure_user_exists(self, user_id: str, conn=None) -> None:
         """Create user account if it doesn't exist. Reuses provided conn if given."""