feat(gateway): report Matrix service and redact access token

src/gateway/handlers/config.ts

@@ -10,7 +10,7 @@ export interface ConfigHandlerDeps {
  * Redact sensitive values from config before returning.
  * Replaces API keys, tokens, passwords, and other credentials with "***".
  *
- * Covers: telegram, discord, slack, server, models (tiers + fallbacks + local_providers),
+ * Covers: telegram, discord, slack, matrix, server, models (tiers + fallbacks + local_providers),
  * web_search, audio, memory.embedding, automation (webhooks + gmail), and mcp server env vars.
  */
 export function redactConfig(config: Config): Record<string, unknown> {
@@ -33,6 +33,9 @@ export function redactConfig(config: Config): Record<string, unknown> {
   // Slack
   redact(raw.slack as Record<string, unknown>, 'bot_token', 'app_token', 'signing_secret');
 
+  // Matrix
+  redact(raw.matrix as Record<string, unknown>, 'access_token');
+
   // Server (gateway bearer token)
   redact(raw.server as Record<string, unknown>, 'token');
 

src/gateway/handlers/handlers.test.ts

@@ -734,6 +734,7 @@ describe('redactConfig – comprehensive credential redaction', () => {
       telegram: { bot_token: 'tg-secret', allowed_chat_ids: [1], require_mention: true },
       discord: { bot_token: 'dc-secret', allowed_guild_ids: ['g1'], allowed_channel_ids: [], require_mention: true },
       slack: { bot_token: 'sl-bot', app_token: 'sl-app', signing_secret: 'sl-sign', allowed_channel_ids: [], require_mention: false },
+      matrix: { homeserver_url: 'https://matrix.example.org', access_token: 'mx-secret', allowed_room_ids: ['!room1:example.org'], require_mention: true },
       server: { tailscale: {}, localhost: true, port: 18800, token: 'bearer-secret', tailscale_identity: false, auth_http: true },
       models: {
         default: { provider: 'anthropic' as const, model: 'claude', api_key: 'sk-def', auth_token: 'at-def',
@@ -797,6 +798,11 @@ describe('redactConfig – comprehensive credential redaction', () => {
     expect(slack.signing_secret).toBe('***');
   });
 
+  it('redacts matrix.access_token', () => {
+    const result = redactConfig(makeFullConfig() as any);
+    expect((result.matrix as any).access_token).toBe('***');
+  });
+
   it('redacts server.token', () => {
     const result = redactConfig(makeFullConfig() as any);
     expect((result.server as any).token).toBe('***');

src/gateway/handlers/services.test.ts

@@ -24,6 +24,7 @@ function makeBaseConfig(): Config {
     discord: undefined,
     slack: undefined,
     whatsapp: undefined,
+    matrix: undefined,
   } as unknown as Config;
 }
 
@@ -36,6 +37,7 @@ describe('discoverServices', () => {
 
     expect(services).toEqual(expect.arrayContaining([
       expect.objectContaining({ name: 'telegram', status: 'not_configured' }),
+      expect.objectContaining({ name: 'matrix', status: 'not_configured' }),
       expect.objectContaining({ name: 'cron', status: 'not_configured' }),
       expect.objectContaining({ name: 'mcp', status: 'not_configured' }),
       expect.objectContaining({ name: 'web_search', status: 'configured' }),

src/gateway/handlers/services.ts

@@ -52,6 +52,7 @@ export function discoverServices(
     { key: 'discord', name: 'discord', description: 'Discord bot' },
     { key: 'slack', name: 'slack', description: 'Slack app' },
     { key: 'whatsapp', name: 'whatsapp', description: 'WhatsApp gateway' },
+    { key: 'matrix', name: 'matrix', description: 'Matrix bot' },
   ];
 
   for (const { key, name, description } of channelConfigs) {