
#23654: security(cli): redact sensitive values in config get output

by SleuthCo · open · 2026-02-22 15:11
Labels: cli · size: XS
## Summary

`runConfigGet()` reads raw config values but never applies redaction before printing. Running `openclaw config get gateway.token` leaks the real credential to the terminal — visible in shell history, scrollback, and screenshots.

This is a 1-line fix using the existing `redactConfigObject()` from `redact-snapshot.ts` (already used by the Web UI path) to scrub sensitive fields before output.

Supersedes #13777 (rebased against current HEAD after upstream refactored `config get` into `runConfigGet()`).

Fixes #13683

## Changes

- Import `redactConfigObject` from `../config/redact-snapshot.js`
- Apply `redactConfigObject(snapshot.config)` before `getAtPath()` in `runConfigGet()`

## Test plan

- [ ] `openclaw config get gateway.token` → prints `__OPENCLAW_REDACTED__` instead of real token
- [ ] `openclaw config get gateway.token --json` → prints `"__OPENCLAW_REDACTED__"`
- [ ] `openclaw config get agents` → non-sensitive paths return real values unchanged

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

### Greptile Summary

This PR fixes a security vulnerability where `openclaw config get` commands leaked sensitive credentials (tokens, passwords, API keys) to terminal output, shell history, and screenshots. The fix applies the existing `redactConfigObject()` function from `src/config/redact-snapshot.ts` before retrieving the config value, ensuring sensitive fields are replaced with `__OPENCLAW_REDACTED__` sentinel values.

- Imported `redactConfigObject` from `../config/redact-snapshot.js` in `src/cli/config-cli.ts:4`
- Applied redaction to `snapshot.config` before `getAtPath()` in `runConfigGet()` at `src/cli/config-cli.ts:236-237`
- The redaction logic is well-tested and already used by the Web UI path and other config endpoints
- Sensitive field detection uses regex patterns matching `token`, `password`, `secret`, `apiKey` (with exceptions for fields like `maxTokens`)
- Non-sensitive paths return actual values unchanged

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk
- The fix is a targeted 2-line security patch that reuses existing, well-tested redaction infrastructure (`redactConfigObject()`) already used by the Web UI and gateway config endpoints. The change is minimal, focused, and follows established patterns in the codebase. The redaction function has comprehensive test coverage and handles edge cases (environment variable placeholders, whitelisted fields like `maxTokens`). No breaking changes or performance concerns.
- No files require special attention

Last reviewed commit: 92dace9
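A worked illustration of the redact-then-lookup ordering this PR describes, written for this page and not taken from the OpenClaw repository: the names `redactConfigObject`, `getAtPath` and `runConfigGet` come from the PR text, but their bodies, the key-matching regex, the `maxTokens` allow-list entry and the environment-placeholder rule are assumptions based on the Greptile summary, and the sample config snapshot is constructed. The "before" variant shows the leak the PR closes; the fixed variant applies redaction to the whole snapshot before resolving the path.

```typescript
// Added example, not OpenClaw's code. Names borrowed from the PR text; bodies,
// patterns and sample data are assumptions constructed for this illustration.

export const REDACTED = "__OPENCLAW_REDACTED__";

// Assumed key patterns, modelled on the review's description: any key mentioning
// token/password/secret/apiKey is sensitive unless it is an allow-listed counter.
const SENSITIVE_KEY = /(token|password|secret|apikey)/i;
const ALLOWED_KEY = /^maxTokens$/;

// Assumed rule: a value that only references an environment variable (e.g.
// "${GATEWAY_TOKEN}") holds no secret itself, so it is left in place.
const ENV_PLACEHOLDER = /^\$\{[A-Z0-9_]+\}$/;

type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

// Walk the snapshot; once a sensitive key is entered, every string leaf below it
// is replaced, so a subtree lookup such as `gateway` cannot carry the token out.
export function redactConfigObject(value: Json, key = "", inherited = false): Json {
  const sensitive = inherited || (SENSITIVE_KEY.test(key) && !ALLOWED_KEY.test(key));
  if (Array.isArray(value)) {
    return value.map((v) => redactConfigObject(v, key, sensitive));
  }
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = redactConfigObject(v, k, sensitive);
    }
    return out;
  }
  if (sensitive && typeof value === "string" && !ENV_PLACEHOLDER.test(value)) {
    return REDACTED;
  }
  return value;
}

// Dotted-path lookup; numeric segments index into arrays.
export function getAtPath(obj: Json, path: string): Json | undefined {
  let cur: Json | undefined = obj;
  for (const part of path.split(".")) {
    if (cur === null || typeof cur !== "object") return undefined;
    cur = Array.isArray(cur) ? cur[Number(part)] : cur[part];
    if (cur === undefined) return undefined;
  }
  return cur;
}

function render(value: Json | undefined, json: boolean): string {
  if (value === undefined) return "";
  if (json) return JSON.stringify(value);
  return typeof value === "string" ? value : JSON.stringify(value);
}

// Shape of the pre-fix behaviour described in the PR: lookup on the raw snapshot,
// so the real credential reaches stdout (and shell history / scrollback).
export function runConfigGetBefore(config: Json, path: string, json = false): string {
  return render(getAtPath(config, path), json);
}

// Shape of the fix: redact the entire snapshot first, then resolve the path.
export function runConfigGet(config: Json, path: string, json = false): string {
  return render(getAtPath(redactConfigObject(config), path), json);
}

// Constructed sample snapshot (not a real OpenClaw config).
export const SAMPLE_CONFIG: Json = {
  gateway: { token: "gw-secret-123", url: "https://gateway.example" },
  agents: { default: { model: "demo-model", maxTokens: 4096 } },
  providers: { openai: { apiKey: "${OPENAI_API_KEY}" } },
};
```

Redacting the whole snapshot before the path lookup, rather than redacting only the leaf that is returned, is what makes subtree queries safe: `config get gateway` returns the `gateway` object, and only snapshot-wide redaction guarantees the `token` inside it is already scrubbed.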
