
Bug: /token/i regex in redaction mechanism falsely matches maxTokens, causing config corruption on update #13236

@nardinmarcus

Bug Description

The sensitive field redaction mechanism uses overly broad regex patterns to identify fields that should be masked:

// Substring matches: /token/i also hits keys such as maxTokens
const SENSITIVE_KEY_PATTERNS = [
  /token/i,
  /password/i,
  /secret/i,
  /api.?key/i
];

The /token/i pattern matches maxTokens (a numeric config field for max token count), which is not a sensitive credential.

Impact

When certain code paths (e.g., extension API /config set) write config back to disk without calling restoreRedactedValues(), the redacted placeholder __OPENCLAW_REDACTED__ overwrites the original numeric value of maxTokens.

This also affects actual sensitive fields (channels.discord.token, channels.telegram.botToken, channels.feishu.appSecret) — their values get permanently replaced with the placeholder string if the round-trip write happens.

This issue consistently reproduces after version updates.

Steps to Reproduce

  1. Have a working openclaw.json with maxTokens: 16384 and valid channel tokens
  2. Update OpenClaw to a new version
  3. Observe that maxTokens is now "__OPENCLAW_REDACTED__" instead of 16384
  4. Channel tokens may also be corrupted

Expected Behavior

  • maxTokens should NOT be redacted (it is not a sensitive credential)
  • Config write-back should always restore redacted values before persisting

Suggested Fix

  1. Narrow the regex: Use /^(?:bot)?token$/i or match full field names instead of substrings
  2. Whitelist non-sensitive fields: Explicitly exclude maxTokens, maxOutputTokens, etc.
  3. Guard all write paths: Ensure restoreRedactedValues() is called before any config persistence
  4. Add a round-trip test: Read config → redact → restore → compare with original

Environment

  • OpenClaw: 2026.2.9
  • OS: macOS (arm64)
  • Node: v25.6.0
