openclaw - 💡(How to fix) Fix [Feature request] Message egress redactor hook for Telegram / other channels [1 participants]

GitHub stats
openclaw/openclaw#69610 · Fetched 2026-04-22 07:50:15
Comments: 0 · Participants: 1 · Timeline: 0 · Reactions: 0


[Feature request] Message egress redactor hook for Telegram / other channels

Summary

There's no beforeSend (or equivalent) hook for outbound message text across chat channels, so operators can't apply secret/PII redaction to outbound text before bot.api.sendMessage fires. v2026.4.15 already ships redactExecApprovals for exec-approval prompt text (CHANGELOG #88, #61077, #333); this is a request to extend the same philosophy to the general message egress path.

Motivation

In a cron-heavy agent setup (weekly reports, error summaries, audit pings), agent output is pushed to Telegram via delivery.channel: telegram. Failure modes where secrets can slip through:

  • A subprocess error the agent relays verbatim containing a Bearer token or DB URI
  • An error trace with a PGPASSWORD env var that made it into stderr
  • A tool output containing an internal hostname or private IP that would leak infra topology

Operators can redact from their own scripts (e.g. by piping through a local redact.py), but any job whose output path is agent-turn → channel delivery skips the operator's redactor entirely.

Current state (what I found reading dist/)

  • dist/extensions/telegram/delivery-AYrG1NE_.js:69: sendTelegramText(bot, chatId, text, runtime, opts) → bot.api.sendMessage(chatId, formattedText, ...)
  • plugin-sdk/hook-runtime has fireAndForgetHook / triggerInternalHook but these fire the SentMessage context after the call; they don't allow mutating text
  • redactWebhookUrl, redactConfigSnapshot, redactExecApprovals exist for other egress points but not for general message text

Proposal

Add a messageEgressRedactor operator config option and/or a plugin-SDK beforeMessageSend hook:

// e.g. ~/.openclaw/config.json
{
  "security": {
    "messageEgressRedactor": {
      // Option A: spawn a subprocess that reads text on stdin, writes redacted text on stdout
      "command": ["python3", "/home/user/.openclaw/workspace/scripts/redact.py"],
      // Option B: path to a JS module exporting `redact(text: string) => string | Promise<string>`
      "modulePath": "/path/to/egress-redactor.js",
      // Fail-closed: if redactor crashes or times out, DO NOT send raw text
      "failClosed": true,
      "timeoutMs": 5000
    }
  }
}

Or plugin SDK:

// plugin-sdk/hook-runtime
export type BeforeMessageSendHook = (ctx: {
  channel: "telegram" | "discord" | ...;
  chatId: string;
  text: string;
  // immutable metadata
  agentId?: string;
  jobId?: string;
}) => string | Promise<string>;

registerBeforeMessageSendHook(fn);

Cross-channel uniformity: whatever mechanism is chosen, it should apply to Telegram, Discord, Slack, IRC, Matrix, Feishu, WhatsApp — anywhere bot.api.sendMessage-like text egress happens. Media captions (e.g. deliverMediaReply) should run through the same redactor.

Why not just patch dist/ locally

  • OpenClaw releases are frequent (CHANGELOG shows several 2026.4.x releases already); each vendor patch gets wiped on upgrade
  • Plugin-SDK extension point keeps the security contract inside the vendor surface and survives upgrades

Related existing code to reuse

  • Pattern from redactExecApprovals (around dist/server.impl-*.js:9791) is already similar — centralized text redaction applied before posting back to chat
  • The runtimeConfig schema already has security-relevant sections (SSRF, webhook signing); messageEgressRedactor would slot naturally there

Ack

Happy to contribute a PR if the API shape is agreed on. Would prefer:

  • Config option + subprocess support (language-agnostic, operators likely already have redactors in Python/Go/etc.)
  • Plus the hook API for plugin authors

Originally reported by an operator using a local Python redactor (~/workspace/scripts/redact.py, fail-closed default + 7-family token coverage). Reproducer environment: v2026.4.15 on Linux (WSL2), Node 22.22.0.
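
The fail-closed behaviour the proposal describes, as an added example (not OpenClaw code and not the reporter's redact.py). The names redact, redactForEgress and PATTERNS, the regexes, and the convention that null means "do not send" are assumptions made for illustration.

```javascript
// Added example. redact, redactForEgress and PATTERNS are hypothetical names,
// not OpenClaw APIs; the regexes are constructed for the leak classes listed above.
const PATTERNS = [
  // Bearer tokens relayed verbatim from subprocess errors
  [/\bBearer\s+[A-Za-z0-9._~+\/-]+=*/g, "Bearer [REDACTED]"],
  // Password part of a DB URI: scheme://user:password@host
  [/\b([a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+):[^\s@\/]+@/gi, "$1:[REDACTED]@"],
  // PGPASSWORD=... that reached stderr or an env dump
  [/\b(PGPASSWORD\s*=\s*)\S+/g, "$1[REDACTED]"],
  // RFC 1918 private IPv4 addresses (infra topology)
  [/\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b/g,
    "[PRIVATE-IP]"],
];

// Shape of proposal Option B: redact(text) => string
function redact(text) {
  return PATTERNS.reduce((out, [re, repl]) => out.replace(re, repl), text);
}

// Runs redactFn under a deadline. Resolves to the redacted text, or to null
// ("do not send") when the redactor throws, times out or returns a non-string
// and failClosed is true. With failClosed false the raw text is returned.
async function redactForEgress(text, redactFn, opts = {}) {
  const { timeoutMs = 5000, failClosed = true } = opts;
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("redactor timed out")), timeoutMs);
  });
  try {
    // Promise.resolve().then(...) turns a synchronous throw into a rejection
    const run = Promise.resolve().then(() => redactFn(text));
    const out = await Promise.race([run, deadline]);
    if (typeof out !== "string") throw new Error("redactor returned non-string");
    return out;
  } catch (err) {
    return failClosed ? null : text;
  } finally {
    clearTimeout(timer); // never leave the timer holding the event loop open
  }
}
```

A delivery path would await redactForEgress before the bot.api.sendMessage call and skip the send when the result is null.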

extent analysis

TL;DR

Implement a messageEgressRedactor operator config option and/or a plugin-SDK beforeMessageSend hook to enable secret/PII redaction for outbound message text across chat channels.

Guidance

  • Review the proposed messageEgressRedactor config option and beforeMessageSend hook API to ensure they meet the requirements for cross-channel uniformity and security.
  • Consider reusing the pattern from redactExecApprovals and integrating the messageEgressRedactor config into the existing runtimeConfig schema.
  • Evaluate the trade-offs between using a subprocess-based approach (e.g., with a Python redactor) versus a JavaScript module-based approach for the redactor implementation.
  • Test the proposed solution with various chat channels (e.g., Telegram, Discord, Slack) to ensure compatibility and effectiveness.

Example

// Example messageEgressRedactor config
{
  "security": {
    "messageEgressRedactor": {
      "command": ["python3", "/home/user/.openclaw/workspace/scripts/redact.py"],
      "failClosed": true,
      "timeoutMs": 5000
    }
  }
}

Notes

The proposed solution aims to provide a flexible and secure way to redact sensitive information from outbound message text. However, the implementation details and potential edge cases will require careful consideration to ensure the solution is effective and reliable.

Recommendation

Implement the proposed messageEgressRedactor config option and/or beforeMessageSend hook API to enable secret/PII redaction for outbound message text; both are proposals in this issue, not settings available in v2026.4.15. This approach allows for a flexible and secure solution that can be tailored to specific use cases and chat channels.
