
#7346: Security: add hardening module and secure-bot extension

by AlphonseC open 2026-02-02 18:32
- Add src/security/hardening.ts with comprehensive security utilities:
  - Cryptographically secure token generation
  - Input validation and sanitization
  - Path traversal prevention
  - File permission hardening
  - Rate limiting implementation
  - Security headers helper
  - Audit logging utilities
- Add extensions/secure-bot with AI bot security features:
  - Prompt injection detection with 20+ patterns
  - Access control lists (allow/block/admin)
  - Rate limiting per user
  - Sensitive data redaction (PII, API keys)
  - Security event logging and metrics
  - Configurable security policies
- Add comprehensive test suite for hardening module

https://claude.ai/code/session_0152DnGhhwvDXMppXwT6dtPz

## Greptile Overview

### Greptile Summary

Adds a new `src/security/hardening.ts` module with helpers for token generation, input/path validation, file permission hardening, config hardening/auditing, a simple in-memory rate limiter, and recommended HTTP security headers, along with a Vitest test suite. Also introduces a new workspace extension package `@openclaw/secure-bot` implementing a channel plugin that applies access control, rate limiting, prompt-injection pattern detection, and redaction to inbound/outbound messages, plus basic schema/defaults for configuration.

### Confidence Score: 2/5

- This PR is not safe to merge as-is due to a runtime ESM/CJS incompatibility and likely plugin packaging issues.
- The new `sanitizePath` uses `require()` inside an ESM TS module, which will throw at runtime when invoked. Separately, the `@openclaw/secure-bot` package is configured to publish `dist/` but does not build or include compiled output, and plugin installs omit devDependencies, so the extension is likely non-functional when installed normally. Other issues are lower severity (duplicate exports, potentially broken docs link).
- src/security/hardening.ts; extensions/secure-bot/package.json; extensions/secure-bot/src/index.ts

**Context used:**

- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))
- Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13))
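
The review above flags `sanitizePath` for calling `require()` inside an ESM module. The following is an added example, not code from this PR: a path-containment check that loads `node:path` with a static import so it works under ESM. The names `resolveInside` and `isInside` and the sample paths are assumptions made for illustration.

```typescript
// Added example (not the PR's code). Function names and signatures are hypothetical.
// A static import works in both ESM and transpiled CJS; a bare `require` is
// undefined inside an ES module and throws ReferenceError when the call is reached.
import * as path from "node:path";

/**
 * Resolve `userPath` against `baseDir` and return the absolute result.
 * Throws if the result would fall outside `baseDir`.
 *
 * This is a lexical check only: a symlink that lives inside `baseDir` can still
 * point outside it, so callers that follow links should also compare the
 * fs.realpath() of the target against the fs.realpath() of the base.
 */
export function resolveInside(baseDir: string, userPath: string): string {
  // NUL bytes are never valid in file names and are rejected by fs calls anyway.
  if (userPath.includes("\0")) {
    throw new Error("NUL byte in path");
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, userPath); // an absolute userPath replaces base
  const rel = path.relative(base, target);

  // Compare whole path segments, not string prefixes: a prefix test such as
  // target.startsWith(base) would accept "/srv/data-secret" for base "/srv/data".
  const climbsOut = rel === ".." || rel.startsWith(".." + path.sep);
  // On Windows, path.relative returns an absolute path when drives differ.
  if (climbsOut || path.isAbsolute(rel)) {
    throw new Error("path escapes base directory: " + userPath);
  }
  return target;
}

/** Boolean form of resolveInside for use in validation code. */
export function isInside(baseDir: string, userPath: string): boolean {
  try {
    resolveInside(baseDir, userPath);
    return true;
  } catch (_err) {
    return false;
  }
}
```
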
