
#12958: fix: block agent read access to sensitive config and credential files

by 000boil, open, 2026-02-10 00:05
Labels: agents, stale
Prevent the read tool from accessing OpenClaw config files (openclaw.json and legacy variants) and the credentials directory. This stops indirect prompt injection attacks where a malicious web page tricks the model into reading ~/.openclaw/openclaw.json and exfiltrating the gateway auth token.

Greptile Overview

Greptile Summary

This change adds a sensitive-path guard to the read tool to prevent the agent from reading OpenClaw config files (e.g. `openclaw.json` and legacy variants) and anything under the state `credentials/` directory, using `resolveStateDir()` as the root. The guard is implemented in `src/agents/pi-tools.read.ts` by introducing `isSensitiveOpenClawPath()`/`assertNotSensitivePath()` and calling it from both `createOpenClawReadTool()` and an additional wrapper inside `createSandboxedReadTool()`, before delegating to the underlying `pi-coding-agent` read tool (with existing MIME normalization/sanitization preserved).

Confidence Score: 2/5

- This PR reduces risk but still has clear bypasses for the new sensitive-file guard.
- The intent is correct, but the sensitive-path check can be bypassed via parameter aliasing (`file_path`) and via Unicode-space normalization differences between the sandbox resolver and the new `expandTilde()` logic. These are directly relevant to the PR’s security goal (blocking credential/config reads).
- src/agents/pi-tools.read.ts
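The guard the summary describes, closed against the two bypass classes the review flags, as an added TypeScript example that is not the PR's or the OpenClaw project's code. It assumes a hypothetical `resolveStateDir()` returning `~/.openclaw`, assumes the read tool accepts both `path` and `file_path`, and runs one normalization (Unicode whitespace, tilde, symlinks) before the comparison so the guard and the resolver cannot disagree about which file is meant.

```typescript
import * as path from "node:path";
import * as os from "node:os";
import * as fs from "node:fs";

// Hypothetical stand-in for the project's resolveStateDir().
export function resolveStateDir(home: string = os.homedir()): string {
  return path.join(home, ".openclaw");
}

// Trim Unicode whitespace (JS \s covers U+00A0, U+2000-U+200A, U+3000, ...),
// expand a leading "~", resolve to an absolute path and follow symlinks when
// the target exists. Every caller must see the same canonical form.
export function normalizeInputPath(raw: string, home: string = os.homedir()): string {
  const trimmed = raw.replace(/^\s+|\s+$/g, "");
  const expanded =
    trimmed === "~" ? home : trimmed.startsWith("~/") ? path.join(home, trimmed.slice(2)) : trimmed;
  const resolved = path.resolve(expanded);
  try {
    return fs.realpathSync(resolved);
  } catch {
    return resolved; // nonexistent path: keep the lexical resolution
  }
}

// True for openclaw.json at the state-dir root and for anything under
// credentials/. Legacy config variants would be added to the root check.
export function isSensitiveOpenClawPath(candidate: string, stateDir: string = resolveStateDir()): boolean {
  const rel = path.relative(stateDir, candidate);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return false; // outside the state dir (or the dir itself)
  }
  const parts = rel.split(path.sep);
  if (parts.length === 1 && parts[0] === "openclaw.json") return true;
  return parts[0] === "credentials";
}

// Check every parameter alias the read tool accepts (assumed: path, file_path),
// so renaming the argument cannot sidestep the guard. Returns the canonical path.
export function assertNotSensitivePath(params: Record<string, unknown>, home: string = os.homedir()): string {
  const raw = [params.path, params.file_path].find((v) => typeof v === "string") as string | undefined;
  if (raw === undefined) throw new Error("read tool: no path parameter supplied");
  const normalized = normalizeInputPath(raw, home);
  if (isSensitiveOpenClawPath(normalized, resolveStateDir(home))) {
    throw new Error("read tool: access to sensitive OpenClaw path denied");
  }
  return normalized;
}
```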
