
fix: allow device-paired clients to retrieve TTS API keys #14613

Merged: steipete merged 3 commits into openclaw:main from akramcodez:fix/tts-api-key-authorized-access on Feb 13, 2026


@akramcodez commented Feb 12, 2026

Problem

iOS/macOS talk mode fails because the ElevenLabs API key is always redacted in config.get RPC responses. The iOS app receives __OPENCLAW_REDACTED__ instead of the actual API key, causing 401 errors from ElevenLabs.

Solution

Added optional includeSecrets parameter to config.get RPC with proper authorization:

  • iOS app passes includeSecrets: true when requesting config
  • Server only returns unredacted secrets to device-paired clients (verified via deviceToken)
  • Unauthorized clients always receive redacted config (backward compatible)

Security

  • Authorization check via client.deviceToken - only paired devices get secrets
  • Default behavior unchanged - still redacts by default
  • Explicit opt-in required via includeSecrets: true

Testing

  • TypeScript compilation passes (tsc --noEmit)
  • Unpaired clients still receive redacted config (verified via redact-snapshot.test.ts)
  • Backward compatibility maintained (no regression in existing config responses)

Changes

  • Added includeSecrets optional param to ConfigGetParamsSchema
  • Added deviceToken to GatewayClient and GatewayWsClient types
  • Plumbed deviceToken through WebSocket handshake
  • Conditional redaction based on authorization in config.get handler
  • iOS app requests unredacted config for TTS

fixes #14586

Greptile Overview

Greptile Summary

This PR adds an includeSecrets?: boolean option to the config.get RPC and plumbs the device-pairing token into the per-connection client object so config.get can return either a redacted snapshot (default) or the full on-disk snapshot for device-paired clients. The iOS TalkModeManager now opts in with includeSecrets: true when reloading talk-mode configuration.

The change fits into the gateway’s existing redaction system (redactConfigSnapshot) by keeping redaction as the default and only bypassing it when an authenticated/paired device is detected via the WebSocket handshake state.

Confidence Score: 2/5

  • Not safe to merge as-is; the main functional path appears blocked by existing gateway authorization rules.
  • The includeSecrets behavior is implemented, but config.get remains gated behind operator.admin for all clients, which likely prevents device-paired mobile clients from accessing it and makes the intended fix ineffective. No other definite regressions were found in the changed files.
  • src/gateway/server-methods.ts, src/gateway/server-methods/config.ts

@openclaw-barnacle bot added the app: ios, app: web-ui, gateway and size: XS labels Feb 12, 2026

@greptile-apps bot left a comment

6 files reviewed, 1 comment

@greptile-apps bot commented Feb 12, 2026
Additional Comments (1)

src/gateway/server-methods.ts
Admin scope blocks fix

authorizeGatewayMethod currently denies all config.* methods unless the client has operator.admin (src/gateway/server-methods.ts:141-163). This PR’s new includeSecrets && client.deviceToken path in config.get (src/gateway/server-methods/config.ts:95-114) won’t be reachable for device-paired clients unless they also request/are granted operator.admin, so iOS talk mode may still receive a denied RPC rather than an unredacted key.
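The layering this review comment describes, as an added TypeScript example that is not OpenClaw's code: a method-level gate runs before the config.get handler, so the handler's includeSecrets and deviceToken check only matters once the gate admits the caller. All function and type names, the `operator.read` scope, the key-name pattern and the sample config are assumptions for illustration; only `operator.admin`, `READ_METHODS`, `includeSecrets`, `deviceToken` and the redaction sentinel come from this page.

```typescript
// Added example, not OpenClaw source. Names are hypothetical unless noted.
const REDACTED = "__OPENCLAW_REDACTED__"; // sentinel quoted on this page

interface Caller { scopes: string[]; deviceToken?: string }
interface GetParams { includeSecrets?: boolean }
type ConfigTree = { [key: string]: unknown };
type RpcResult = { ok: true; config: ConfigTree } | { ok: false; error: string };

// Constructed sample config; the key is a placeholder, not a real credential.
const SAMPLE: ConfigTree = { talk: { voiceId: "sample-voice", apiKey: "constructed-key-123" } };
// Assumed rule: string fields named *key, *token or *secret are sensitive.
const SENSITIVE = /(key|token|secret)$/i;

function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value === null || typeof value !== "object") return value;
  const out: ConfigTree = {};
  for (const [k, v] of Object.entries(value as ConfigTree)) {
    out[k] = SENSITIVE.test(k) && typeof v === "string" ? REDACTED : redact(v);
  }
  return out;
}

// Layer 1: method-level gate, evaluated before any handler runs.
// "operator.read" is an assumed scope name; readMethods plays the role of READ_METHODS.
function authorizeMethod(method: string, caller: Caller, readMethods: Set<string>): boolean {
  if (caller.scopes.includes("operator.admin")) return true;
  return readMethods.has(method) && caller.scopes.includes("operator.read");
}

// Layer 2: handler-level check. Secrets need an explicit opt-in AND a paired device.
// Once layer 1 is widened, this is the only check standing between a caller and the key.
function handleConfigGet(params: GetParams, caller: Caller): ConfigTree {
  const allowSecrets = params.includeSecrets === true && Boolean(caller.deviceToken);
  return allowSecrets ? SAMPLE : (redact(SAMPLE) as ConfigTree);
}

function dispatchConfigGet(params: GetParams, caller: Caller, readMethods: Set<string>): RpcResult {
  if (!authorizeMethod("config.get", caller, readMethods)) {
    return { ok: false, error: "unauthorized" };
  }
  return { ok: true, config: handleConfigGet(params, caller) };
}

// Helper for checks: the talk.apiKey a caller would see, or undefined when denied.
function seenApiKey(r: RpcResult): unknown {
  return r.ok ? (r.config.talk as ConfigTree).apiKey : undefined;
}
```

A regression test for a change like this should cover both layers: a paired caller denied at the gate, and an unpaired caller that passes the gate but still receives the sentinel.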


@akramcodez

Hi @gumadeiras @thewilloftheshadow @cpojer,

Would appreciate a review when you get a chance. This refactors gateway authorization by adding config.get to the READ_METHODS set, allowing device-paired clients to access it without requiring operator.admin.

This unblocks the includeSecrets flow for TTS on iOS while keeping default redaction and existing security guarantees intact.

Thanks!

@oswalpalash

possibly duplicates #14645

@steipete self-assigned this Feb 13, 2026
@steipete force-pushed the fix/tts-api-key-authorized-access branch from e16eb04 to cfd03eb, February 13, 2026 16:07
@steipete merged commit 4c86821 into openclaw:main Feb 13, 2026
9 checks passed

@steipete

Landed via temp rebase onto main.

  • Gate: pnpm check (blocked by existing unrelated lint in src/plugins/discovery.test.ts and src/infra/provider-usage.auth.normalizes-keys.test.ts), pnpm exec vitest run --config vitest.e2e.config.ts src/gateway/server.talk-config.e2e.test.ts src/gateway/server.auth.e2e.test.ts
  • Land commit: cfd03eb
  • Merge commit: 4c86821

Thanks @akramcodez!

skyhawk14 pushed a commit to skyhawk14/openclaw that referenced this pull request Feb 13, 2026
…4613)

* refactor: add config.get to READ_METHODS set

* refactor(gateway): scope talk secrets via talk.config

* fix: resolve rebase conflicts for talk scope refactor

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
GwonHyeok pushed a commit to learners-superpumped/openclaw that referenced this pull request Feb 15, 2026
hughdidit pushed a commit to hughdidit/DAISy-Agency that referenced this pull request Mar 1, 2026
(cherry picked from commit 4c86821)

# Conflicts:
#	apps/android/app/src/main/java/ai/openclaw/android/node/ConnectionManager.kt
hughdidit pushed a commit to hughdidit/DAISy-Agency that referenced this pull request Mar 3, 2026
(cherry picked from commit 4c86821)

# Conflicts:
#	apps/android/app/src/main/java/ai/openclaw/android/node/ConnectionManager.kt
#	apps/ios/Sources/Model/NodeAppModel.swift
#	src/gateway/server-methods/talk.ts
lovewanwan pushed a commit to lovewanwan/openclaw that referenced this pull request Apr 28, 2026
ogt-redknie pushed a commit to ogt-redknie/OPENX that referenced this pull request May 2, 2026
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 9, 2026
Labels: app: android, app: ios, app: macos, app: web-ui, gateway, size: M

Successfully merging this pull request may close these issues.

[Bug]: Redaction sentinel __OPENCLAW_REDACTED__ showing up in POST request to Elevenlabs instead of API key (for MacOS app talk mode)