
#15296: Harden config redaction defaults; add explicit --show-secrets opt-in

by clangky open 2026-02-13 07:40
cli stale size: XS
## Summary

This PR hardens config secret handling in a **CLI-only** way:

- `openclaw config get` now returns redacted values by default.
- `--show-secrets` is the explicit unsafe opt-in for local debugging.

## Changes

- Updated `openclaw config get` to read from a redacted config view by default.
- Added `--show-secrets` flag to reveal raw values intentionally.
- Added a warning when `--show-secrets` is used.
- Reverted the earlier gateway-side `showSecrets` path (schema/server/test), so gateway `config.get` remains redacted-only.

## Why

The goal is secure-by-default behavior for routine config inspection while still preserving an explicit local escape hatch for trusted debugging workflows.

## Security Notes

- Secrets remain redacted by default.
- Unredacted output now requires explicit local CLI intent (`--show-secrets`).
- No remote/API toggle exists for unredacted `config.get` responses.

## Testing

- Verified CLI path behavior:
  - default `config get` => redacted values
  - `config get --show-secrets` => raw values with warning
- Confirmed gateway path stays redacted (gateway `showSecrets` support removed).

## Backward Compatibility

- Scripts relying on plaintext output from `openclaw config get` must now pass `--show-secrets`.
- Gateway clients are unaffected except that no new `showSecrets` parameter is supported.
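
The default-redacted read with an explicit local opt-in described in this PR, sketched as an added example. It is not code from the PR or from OpenClaw: `redact`, `lookup`, `configGet`, the key-name pattern and the sample config are all assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not OpenClaw's API.
const SENSITIVE_KEY = /(token|secret|password|passwd|api[-_]?key|credential)/i;
const REDACTED = "[REDACTED]";

// Constructed sample config (values are made up).
const SAMPLE = {
  gateway: { port: 8080, auth: { token: "tok-constructed-123" } },
  providers: [{ name: "example", apiKey: "key-constructed-456" }],
};

// Return a deep copy of `value` with every secret-looking leaf masked.
// `underSecret` is inherited from a sensitive parent key, so a nested object
// such as { credentials: { user, pass } } is masked in full.
function redact(value, underSecret = false) {
  if (Array.isArray(value)) return value.map((v) => redact(v, underSecret));
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = redact(v, underSecret || SENSITIVE_KEY.test(k));
    }
    return out;
  }
  // Leave unset/empty values visible so "not configured" stays distinguishable.
  if (underSecret && value != null && value !== "") return REDACTED;
  return value;
}

// Resolve a dotted path such as "gateway.auth.token".
function lookup(obj, path) {
  return path.split(".").reduce((node, key) => (node == null ? undefined : node[key]), obj);
}

// CLI-side read: only the literal boolean `true` (set by the flag parser)
// unlocks raw values; anything else falls through to the redacted view.
// Warnings are returned separately so the caller can print them to stderr.
function configGet(config, path, { showSecrets = false } = {}) {
  if (showSecrets !== true) return { value: lookup(redact(config), path), warnings: [] };
  const warnings = ["warning: --show-secrets prints raw secret values"];
  return { value: lookup(config, path), warnings };
}
```

Redacting the whole tree before the path lookup means a request for a parent key (for example `providers`) cannot return a child secret unmasked.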
