Harden deep-link IPC handling

[shanselman]

Summary

• Replaces the fixed deep-link IPC pipe with a current-user/session/data-dir scoped pipe name and PipeOptions.CurrentUserOnly on the pipe connection.
• Adds bounded UTF-8 IPC payload reads with timeout handling and oversize/invalid payload rejection.
• Redacts deep-link URI query/path payloads from logs and removes message text from agent deep-link logging.
• Requires explicit user confirmation before state-changing deep-link actions (send, agent, voice, voice-stop, SSH restart aliases) execute while preserving benign navigation/config/help links.
• Adds unit coverage for unsafe action policy, log redaction, pipe-name scoping, and IPC payload bounds.

Security/privacy impact

This addresses the high-consensus finding that a predictable pipe plus unbounded forwarded payloads could allow local cross-user/session IPC abuse or leak sensitive URI contents such as messages, tokens, and query strings in logs. The pipe is now scoped to the active user/session/data directory, payloads are bounded, logs are redacted, and state-changing links require user approval.

User impact

Benign deep links continue to navigate/open diagnostic surfaces without prompts. Deep links that can change state now show an Allow/Cancel confirmation before running.

Validation

• ./build.ps1
• dotnet test ./tests/OpenClaw.Shared.Tests/OpenClaw.Shared.Tests.csproj --no-restore — 1795 total, 0 failed, 1767 passed, 28 skipped
• dotnet test ./tests/OpenClaw.Tray.Tests/OpenClaw.Tray.Tests.csproj --no-restore — 1066 total, 0 failed, 1066 passed