feat: support config-level api_key for transcription

[theonlyhennygod]

Summary

• add transcription.api_key to config schema
• encrypt/decrypt and dashboard mask/restore this credential
• use config-level key in transcription with GROQ_API_KEY fallback

Testing

• cargo test --lib uses_config_api_key_without_groq_env

Closes #2108

Summary by CodeRabbit

• New Features

  • Transcription API key can now be configured in the configuration file with encrypted storage support
  • Updated credential resolution to prioritize configuration file settings over environment variables

• Bug Fixes

  • Improved error messages for missing transcription credentials with clearer configuration guidance

[coderabbitai]

Caution

Review failed

The pull request is closed.

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)

Validation error: Unrecognized key(s) in object: 'tools', 'path_filters', 'review_instructions'

⚙️ Configuration instructions

• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a09f146 and a023efd.

📒 Files selected for processing (4)

• src/channels/mod.rs
• src/channels/transcription.rs
• src/config/schema.rs
• src/gateway/api.rs

---

📝 Walkthrough

Walkthrough

This PR adds support for a config-level transcription.api_key field, enabling transcription with any provider. Changes include adding the new config field with encryption/decryption support, updating credential resolution logic to prioritize the config key over environment variables, and extending masking/restoration support in the gateway API.

Changes

Cohort / File(s)	Summary
Config Schema & Persistence src/config/schema.rs, src/channels/mod.rs	Added transcription.api_key field to TranscriptionConfig with encryption/decryption during load and save. Updated schema tests to verify round-trip serialization and default initialization.
Transcription Credential Resolution src/channels/transcription.rs	Updated transcribe_audio public API to accept &TranscriptionConfig parameter. Changed credential resolution to prioritize config.api_key over GROQ_API_KEY environment variable. Updated error messages and tests to reflect new resolution order.
Gateway API Masking & Restoration src/gateway/api.rs	Extended config masking, restoration, and hydration logic to handle the new transcription.api_key field during config save operations and mask/restore sensitive values.

Sequence Diagram

sequenceDiagram
    participant Loader as Config Loader
    participant Store as Secret Store
    participant Transcriber as transcribe_audio()
    participant Config as TranscriptionConfig
    participant GROQ as GROQ API

    Loader->>Store: load_runtime_defaults_from_config_file
    Store-->>Loader: decrypt transcription.api_key
    Loader->>Config: transcription.api_key (decrypted)
    
    Transcriber->>Config: Check config.api_key
    alt config.api_key is set
        Config-->>Transcriber: api_key from config
    else config.api_key is empty
        Transcriber->>Transcriber: Check GROQ_API_KEY env var
        Transcriber-->>Transcriber: fallback to env var
    end
    
    Transcriber->>GROQ: POST with resolved api_key
    GROQ-->>Transcriber: audio transcription result

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch issue-2108-transcription-api-key

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

PR intake checks failed (blocking)

Fast safe checks found blocking safety issues:

• Missing Linear issue key reference (RMN-<id>, CDV-<id>, or COM-<id>) in PR title/body.
• Missing required PR template sections: ## Validation Evidence (required), ## Security Impact (required), ## Privacy and Data Hygiene (required), ## Rollback Plan (required)
• Incomplete required PR template fields: summary problem, summary why it matters, summary what changed, validation commands, security risk/mitigation, privacy status, rollback plan

Action items:

1. Complete required PR template sections/fields.
2. Link this PR to exactly one active Linear issue key (RMN-xxx/CDV-xxx/COM-xxx).
3. Remove tabs, trailing whitespace, and merge conflict markers from added lines.
4. Re-run local checks before pushing:
   • ./scripts/ci/rust_quality_gate.sh
   • ./scripts/ci/rust_strict_delta_gate.sh
   • ./scripts/ci/docs_quality_gate.sh

Detected Linear keys: none

Run logs: https://github.com/zeroclaw-labs/zeroclaw/actions/runs/22502205485

Detected blocking line issues (sample):

• none

Detected advisory line issues (sample):

• none

[github-actions]

Thanks for contributing to ZeroClaw.

For faster review, please ensure:

• PR template sections are fully completed
• cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test are included
• If automation/agents were used heavily, add brief workflow notes
• Scope is focused (prefer one concern per PR)

See CONTRIBUTING.md and docs/pr-workflow.md for full collaboration rules.