
#16708: fix(security): OC-17 add token redaction to error formatting, deprecate plaintext botToken

by aether-ai-agent · open · 2026-02-15 01:31

channel: telegram · size: XS · trusted-contributor
## Summary

- Wrap `formatErrorMessage()` and `formatUncaughtError()` with `redactSensitiveText()` to prevent credential leakage in all error paths
- Deprecate plaintext `botToken` config field with `@deprecated` JSDoc guiding users to `tokenFile`
- Enhanced `tokenFile` documentation with secret manager examples

## Security Impact

**OC-17 HIGH (CWE-522, Insufficiently Protected Credentials)** — Attack vectors:

1. Telegram bot tokens stored plaintext in `~/.openclaw/openclaw.json` readable via `/tools/invoke exec`
2. Error messages containing tokens logged without redaction via `formatErrorMessage()`
3. Stack traces from `formatUncaughtError()` may expose tokens

## Changes

| File | Change |
|------|--------|
| `src/infra/errors.ts` | Import `redactSensitiveText`, wrap both `formatErrorMessage()` and `formatUncaughtError()` returns with redaction |
| `src/config/types.telegram.ts` | Add `@deprecated` JSDoc to `botToken` field, enhance `tokenFile` docs with secret manager examples |

## Defense-in-Depth Approach

- Existing pattern `\d{6,}:[A-Za-z0-9_-]{20,}` already matches Telegram bot tokens
- This fix applies redaction **before** error messages reach any logging output (25+ call sites protected)
- No breaking changes — `botToken` still works but IDEs show deprecation warning

## Test plan

- [x] Full test suite: 5,641 tests passed, 0 OC-17-related failures
- [x] Redaction pattern tests: 9 passing (covers Telegram token format)
- [x] Config validation tests: 53 passing
- [x] Telegram bot tests: 426 passing
- [x] TypeScript compilation: no new errors
- [x] Backward compatibility: existing configs unaffected

---

*Created by [Aether AI Agent](https://tryaether.ai) — AI security research and remediation agent.*

### Greptile Summary

This PR adds defense-in-depth token redaction to the two central error formatting functions (`formatErrorMessage` and `formatUncaughtError` in `src/infra/errors.ts`), ensuring Telegram bot tokens and other credential patterns are masked before error messages reach any logging output. It also adds a `@deprecated` JSDoc annotation to the plaintext `botToken` config field, guiding users toward the more secure `tokenFile` alternative.

- `formatErrorMessage` and `formatUncaughtError` now call `redactSensitiveText()` on their return values, protecting ~25 call sites across the codebase from credential leakage
- The redaction uses the existing pattern set in `src/logging/redact.ts` (including `\d{6,}:[A-Za-z0-9_-]{20,}` which matches Telegram bot token format) — no new patterns were needed
- Error classification logic in retry policies and network error detection remains unaffected, as the redacted patterns target token-shaped strings, not keyword strings like "429" or "timeout"
- One existing call site in `src/telegram/send.ts:86` now double-redacts (outer `redactSensitiveText` wrapping the already-redacted `formatUncaughtError` output) — harmless but wasteful

### Confidence Score: 4/5

- This PR is safe to merge — it applies a well-scoped security improvement with no breaking changes to existing behavior.
- The changes are minimal and focused: two functions get an additional redaction call, and one type field gets JSDoc updates. The redaction function already exists and is battle-tested. Error classification and retry logic remain unaffected because redaction targets token-shaped strings, not error keywords. The only concern is a minor double-redaction inefficiency at one call site, which is a style issue rather than a correctness issue.
- Pay attention to `src/infra/errors.ts` as it's a widely-used utility — the redaction overhead now applies to all ~25 call sites. The existing `src/telegram/send.ts:86` has a redundant double-redaction that could be cleaned up.

Last reviewed commit: ea342d7
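As an added example (not OpenClaw's code and not part of this PR), a minimal TypeScript model of the change the PR description and the Greptile summary describe: the token regex is the one quoted above, while `redactSensitiveText`, the error formatters and the constructed sample error are stand-ins for the real ones in `src/logging/redact.ts` and `src/infra/errors.ts`. It also shows why the double redaction Greptile flags is harmless: the redaction is idempotent, and keyword-based error classification still works on redacted text.

```typescript
// Added example, not OpenClaw's code: a minimal model of the change this PR
// describes. The real redactSensitiveText() and its pattern set live in
// src/logging/redact.ts; the regex below is the one quoted in the PR.
const TELEGRAM_BOT_TOKEN = /\d{6,}:[A-Za-z0-9_-]{20,}/g;
const MASK = "[REDACTED]";

function redactSensitiveText(text: string): string {
  return text.replace(TELEGRAM_BOT_TOKEN, MASK);
}

// Pre-fix shape of formatErrorMessage(): returns the raw message, so any
// caller that logs it leaks whatever the message contains.
function formatErrorMessageUnsafe(err: unknown): string {
  return err instanceof Error ? err.message : String(err);
}

// Post-fix shape: identical output, but redacted before it reaches a caller.
function formatErrorMessage(err: unknown): string {
  return redactSensitiveText(formatErrorMessageUnsafe(err));
}

// Stack traces repeat the message on their first line, so they need the
// same treatment.
function formatUncaughtError(err: unknown): string {
  const text = err instanceof Error ? err.stack ?? err.message : String(err);
  return redactSensitiveText(text);
}

// Error classification (as in retry policies) keys on keywords such as "429",
// which the token regex never touches, so it works on redacted text too.
function isRateLimitError(message: string): boolean {
  return /\b429\b|too many requests/i.test(message);
}

// Redaction is idempotent: the mask contains no token-shaped text, so a
// second pass is a no-op. This is why the double redaction at one call site
// is harmless.
function isRedactionIdempotent(text: string): boolean {
  const once = redactSensitiveText(text);
  return redactSensitiveText(once) === once;
}

// Constructed sample: a fake token of the right shape, embedded in the kind
// of request URL an HTTP client includes in its failure message.
const SAMPLE_TOKEN = "123456789:AAaaBBbbCCccDDddEEeeFFffGGggHHhh";
const SAMPLE_ERROR = new Error(
  `Request to https://api.telegram.org/bot${SAMPLE_TOKEN}/sendMessage failed: 429 Too Many Requests`,
);
```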
