设备配对客户端安全读取 TTS 密钥（`config.get includeSecrets`）

• Gateway version includes PR #14613 or later.
• Your client is paired with a valid device token; unpaired clients should stay redacted.

1. Upgrade OpenClaw to a build including PR #14613 and restart gateway during a low-risk window.
2. From a paired client, call `config.get` with `includeSecrets: true` only for the minimum runtime path that needs TTS keys.
3. From an unpaired or non-device client, issue the same call and confirm secrets are still redacted.
4. Audit logs for config reads and keep key rotation runbook for emergency rollback.

• Do not broaden secret scope beyond TTS needs; extra exposure increases blast radius.
• Exact request shape may vary by client SDK version（需验证）.

This tip is aggregated from community/public sources and preserved with attribution.