fix: allow device-paired clients to retrieve TTS API keys (#14613)

* refactor: add config.get to READ_METHODS set * refactor(gateway): scope talk secrets via talk.config * fix: resolve rebase conflicts for talk scope refactor --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-05-09 01:38:26 +00:00 · 2026-02-13 21:37:49 +05:30
parent c2f7b66d22
commit 4c86821aca
14 changed files with 264 additions and 6 deletions
--- a/src/gateway/server.talk-config.e2e.test.ts
+++ b/src/gateway/server.talk-config.e2e.test.ts
@@ -0,0 +1,93 @@
+import { describe, expect, it } from "vitest";
+import {
+  connectOk,
+  installGatewayTestHooks,
+  rpcReq,
+  startServerWithClient,
+} from "./test-helpers.js";
+
+installGatewayTestHooks({ scope: "suite" });
+
+async function withServer<T>(
+  run: (ws: Awaited<ReturnType<typeof startServerWithClient>>["ws"]) => Promise<T>,
+) {
+  const { server, ws, prevToken } = await startServerWithClient("secret");
+  try {
+    return await run(ws);
+  } finally {
+    ws.close();
+    await server.close();
+    if (prevToken === undefined) {
+      delete process.env.OPENCLAW_GATEWAY_TOKEN;
+    } else {
+      process.env.OPENCLAW_GATEWAY_TOKEN = prevToken;
+    }
+  }
+}
+
+describe("gateway talk.config", () => {
+  it("returns redacted talk config for read scope", async () => {
+    const { writeConfigFile } = await import("../config/config.js");
+    await writeConfigFile({
+      talk: {
+        voiceId: "voice-123",
+        apiKey: "secret-key-abc",
+      },
+      session: {
+        mainKey: "main-test",
+      },
+      ui: {
+        seamColor: "#112233",
+      },
+    });
+
+    await withServer(async (ws) => {
+      await connectOk(ws, { token: "secret", scopes: ["operator.read"] });
+      const res = await rpcReq<{ config?: { talk?: { apiKey?: string; voiceId?: string } } }>(
+        ws,
+        "talk.config",
+        {},
+      );
+      expect(res.ok).toBe(true);
+      expect(res.payload?.config?.talk?.voiceId).toBe("voice-123");
+      expect(res.payload?.config?.talk?.apiKey).toBe("__OPENCLAW_REDACTED__");
+    });
+  });
+
+  it("requires operator.talk.secrets for includeSecrets", async () => {
+    const { writeConfigFile } = await import("../config/config.js");
+    await writeConfigFile({
+      talk: {
+        apiKey: "secret-key-abc",
+      },
+    });
+
+    await withServer(async (ws) => {
+      await connectOk(ws, { token: "secret", scopes: ["operator.read"] });
+      const res = await rpcReq(ws, "talk.config", { includeSecrets: true });
+      expect(res.ok).toBe(false);
+      expect(res.error?.message).toContain("missing scope: operator.talk.secrets");
+    });
+  });
+
+  it("returns secrets for operator.talk.secrets scope", async () => {
+    const { writeConfigFile } = await import("../config/config.js");
+    await writeConfigFile({
+      talk: {
+        apiKey: "secret-key-abc",
+      },
+    });
+
+    await withServer(async (ws) => {
+      await connectOk(ws, {
+        token: "secret",
+        scopes: ["operator.read", "operator.write", "operator.talk.secrets"],
+      });
+      const res = await rpcReq<{ config?: { talk?: { apiKey?: string } } }>(ws, "talk.config", {
+        includeSecrets: true,
+      });
+      expect(res.ok).toBe(true);
+      expect(res.payload?.config?.talk?.apiKey).toBe("secret-key-abc");
+    });
+  });
+});