
#9747: feat(config): add pass (password-store) secret backend support

by evilbuck, open, 2026-02-05 16:45
stale
Extends config substitution to support ${pass:path/to/secret} syntax. Secrets are retrieved via the 'pass show' command at config load time.

- Adds MissingSecretError for failed lookups
- Caches pass lookups to avoid repeated calls
- 5 second timeout for pass commands
- Supports standard pass paths (alphanumeric, underscores, hyphens, slashes)

This allows openclaw.json to reference secrets stored in pass (GPG-encrypted) instead of storing credentials in plaintext.

Example: "botToken": "${pass:openclaw/telegram/bot_token}"

Greptile Overview

Greptile Summary

This PR extends config value substitution (performed during config load in `src/config/io.ts`) to support `${pass:path/to/secret}` in addition to the existing `${VAR_NAME}` env-var syntax. It adds a `MissingSecretError`, a `pass` lookup helper with a process-lifetime cache, and performs lookups via `pass show` with a timeout.

Main concerns are around (1) executing `pass` via a shell command string, and (2) user-facing behavior regressions/UX around escaping and error reporting (pass failures are not escapable with `$${}` and are reported as "Env var substitution failed" in config snapshots).

Confidence Score: 3/5

- This PR is close to mergeable but has a couple of user-facing and security-related issues to address.
- Score is reduced due to shell-based execution for secret retrieval, an escaping behavior mismatch for the new `${pass:...}` syntax, and misleading error labeling in config snapshot output. The changes are localized to config substitution, so fixes should be straightforward.
- src/config/env-substitution.ts, src/config/io.ts
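The following is an added illustration of the substitution scheme the PR describes, written here as an example and not taken from the PR or from the project's `src/config/env-substitution.ts`. It resolves `${VAR}` from the environment and `${pass:path}` from a lookup function, restricts pass paths to the character set the PR lists, caches lookups for the lifetime of the substituter, and raises a distinct `MissingSecretError` on failure. It also shows the two points the review raises: the default lookup invokes `pass` with an argument vector and a 5 second timeout rather than a shell command string, and the `$${...}` escape is applied before either kind of reference is interpreted, so it works for `${pass:...}` too. The names `createSubstituter`, `passShow`, the options object, and the error message texts are assumptions chosen for this example; the real project may differ.

```typescript
// Added example (not the project's code): config substitution with env vars
// and pass-backed secrets. Function names, option shape and error messages
// are assumptions for illustration.
import { execFileSync } from "node:child_process";

export class MissingSecretError extends Error {
  constructor(public readonly path: string, public readonly reason?: unknown) {
    super(`Missing secret: pass entry "${path}" could not be read`);
    this.name = "MissingSecretError";
  }
}

// Allowed pass path characters: alphanumeric, underscore, hyphen, slash.
// Anything else (spaces, '.', quotes, '$') is rejected before any lookup.
const PASS_PATH_RE = /^[A-Za-z0-9_\-\/]+$/;

// "$${...}" is an escape producing a literal "${...}"; "${...}" is substituted.
// The escape alternative is listed first so it wins for both env and pass refs.
const PLACEHOLDER_RE = /\$\$\{([^}]*)\}|\$\{([^}]*)\}/g;

export type SecretLookup = (path: string) => string;

// Default lookup: argv-style execution (no shell string is ever built from
// the config value) with a 5 second timeout. The first line of a pass entry
// is the secret by convention.
export function passShow(path: string): string {
  const out = execFileSync("pass", ["show", path], {
    timeout: 5000,
    encoding: "utf8",
    stdio: ["ignore", "pipe", "pipe"],
  });
  return out.split("\n")[0];
}

export function createSubstituter(
  opts: { env?: Record<string, string | undefined>; lookup?: SecretLookup } = {}
): (input: string) => string {
  const env = opts.env ?? process.env;
  const lookup = opts.lookup ?? passShow;
  const cache = new Map<string, string>(); // one lookup per path per process

  const resolvePass = (path: string): string => {
    if (!PASS_PATH_RE.test(path)) {
      throw new MissingSecretError(path, "invalid characters in pass path");
    }
    const hit = cache.get(path);
    if (hit !== undefined) return hit;
    let value: string;
    try {
      value = lookup(path);
    } catch (err) {
      // Pass failures get their own error type so they are not reported as
      // env-var substitution failures.
      throw new MissingSecretError(path, err);
    }
    cache.set(path, value);
    return value;
  };

  return (input: string): string =>
    input.replace(PLACEHOLDER_RE, (_match, escaped, ref) => {
      if (escaped !== undefined) return `\${${escaped}}`; // escape, both kinds
      if (ref.startsWith("pass:")) return resolvePass(ref.slice("pass:".length));
      const v = env[ref];
      if (v === undefined) {
        throw new Error(`Env var substitution failed: ${ref} is not set`);
      }
      return v;
    });
}
```

Injecting `lookup` keeps the substituter testable without a password store and makes the cache behaviour observable; in production the default `passShow` is used, and because the config value only ever reaches `pass` as a single argv element after the character check, no shell metacharacters in a config file can alter the command.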
