fix: exclude maxTokens from config redaction + honor deleteAfterRun on skipped cron jobs (#13342)

* fix: exclude maxTokens and token-count fields from config redaction

The /token/i regex in SENSITIVE_KEY_PATTERNS falsely matched fields like
maxTokens, maxOutputTokens, maxCompletionTokens etc. These are numeric
config fields for token counts, not sensitive credentials.

Added a whitelist (SENSITIVE_KEY_WHITELIST) that explicitly excludes
known token-count field names from redaction. This prevents config
corruption when maxTokens gets replaced with __OPENCLAW_REDACTED__
during config round-trips.

Fixes #13236

* fix: honor deleteAfterRun for one-shot 'at' jobs with 'skipped' status

Previously, deleteAfterRun only triggered when result.status was 'ok'.
For one-shot 'at' jobs, a 'skipped' status (e.g. empty heartbeat file)
would leave the job in state but disabled, never getting cleaned up.

Now deleteAfterRun also triggers on 'skipped' status for 'at' jobs,
since a skipped one-shot job has no meaningful retry path.

Fixes #13249

* Cron: format timer.ts

---------

Co-authored-by: nice03 <niceyslee@gmail.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>

src/cron/service/timer.ts

@@ -70,7 +70,9 @@ function applyJobResult(
   }
 
   const shouldDelete =
-    job.schedule.kind === "at" && result.status === "ok" && job.deleteAfterRun === true;
+    job.schedule.kind === "at" &&
+    job.deleteAfterRun === true &&
+    (result.status === "ok" || result.status === "skipped");
 
   if (!shouldDelete) {
     if (job.schedule.kind === "at") {