Problem
Voice provider API keys (ElevenLabs, OpenAI Whisper, etc.) are written directly to moltis.toml via update_config:
[voice.tts.elevenlabs]
api_key = "sk-..."
[voice.stt.elevenlabs]
api_key = "sk-..."
This is a security concern — moltis.toml is a plain-text config file that may be backed up, synced, or accidentally committed. LLM provider keys are already stored in the credential store (KeyStore / provider_keys.json), but voice provider keys bypass this.
Expected behavior
Voice API keys should be stored in the credential store (or vault when enabled), not in moltis.toml. The config file should reference them via env var substitution or the key store, matching how LLM provider credentials work.
Scope
crates/gateway/src/voice.rs — the update_config calls that write API keyscrates/provider-setup/src/key_store.rs — the KeyStore that LLM providers use- Voice settings UI — should save keys through the credential store path
Problem
Voice provider API keys (ElevenLabs, OpenAI Whisper, etc.) are written directly to
moltis.tomlviaupdate_config:This is a security concern —
moltis.tomlis a plain-text config file that may be backed up, synced, or accidentally committed. LLM provider keys are already stored in the credential store (KeyStore/provider_keys.json), but voice provider keys bypass this.Expected behavior
Voice API keys should be stored in the credential store (or vault when enabled), not in
moltis.toml. The config file should reference them via env var substitution or the key store, matching how LLM provider credentials work.Scope
crates/gateway/src/voice.rs— theupdate_configcalls that write API keyscrates/provider-setup/src/key_store.rs— theKeyStorethat LLM providers use