fix: strip comments from bundle to avoid install-time env-harvesting false positive

[jalehman]

Problem

OpenClaw's install-time security scanner has an env-harvesting rule that fires when both process.env and /\bfetch\b/i appear in the same source file. The pre-bundled dist/index.js contains process.env reads (for config like LCM_SUMMARY_MODEL, OPENCLAW_STATE_DIR) and the word "Fetch" in a JSDoc comment (* 1. Fetch all context items for the conversation). The case-insensitive regex matches the comment, triggering a critical finding that blocks installation.

Users see: "Environment variable access combined with network send — possible credential harvesting"

Reported by @DBCrypt0.

Fix

Add --minify-whitespace to the esbuild command. This strips all comments (including JSDoc) while keeping variable names and stack traces readable.

• Bundle shrinks from 712KB → 552KB
• Scanner no longer triggers the false positive
• All 695 tests pass
• No semantic change

Verification

// Before (triggers)
const src = fs.readFileSync('dist/index.js', 'utf8');
/process\.env/.test(src)                        // true
/\bfetch\b|\bpost\b|http\.request/i.test(src)  // true  ← JSDoc comment

// After (clean)
/process\.env/.test(src)                        // true
/\bfetch\b|\bpost\b|http\.request/i.test(src)  // false ← comments stripped