Add secure config validation and telemetry#2

Merged
orang2bejo merged 2 commits into main from codex/conduct-comprehensive-audit-for-jarvis-ai-project-8yncbg
Sep 4, 2025
@orang2bejo
Owner

Summary

  • validate security and model configs with Pydantic and secret resolution
  • integrate Windows credential store, log sanitization, and device-aware STT/TTS
  • add rate limiting, retry helpers, PowerShell hardening, healthcheck script, and CI supply-chain jobs

Testing

  • ruff check src/windows_use/tools/voice_input.py src/windows_use/tools/tts_piper.py tests/test_device_flags.py tests/test_web_security.py
  • black --check src/windows_use/config_schema.py src/windows_use/config_loader.py src/windows_use/security/secret_store.py src/windows_use/obs/log_sanitizer.py src/windows_use/tools/voice_input.py src/windows_use/tools/tts_piper.py src/windows_use/utils/rate_limit.py src/windows_use/utils/retry.py src/windows_use/web/security_utils.py src/windows_use/tools/ps_shell.py tests/test_config_validation.py tests/test_log_sanitizer.py tests/test_web_security.py tests/test_device_flags.py tests/test_retry_rate_limit.py tests/test_powershell_wrapper.py scripts/healthcheck.py
  • mypy --ignore-missing-imports --follow-imports=skip src/windows_use/config_loader.py src/windows_use/config_schema.py src/windows_use/security/secret_store.py src/windows_use/obs/log_sanitizer.py src/windows_use/tools/voice_input.py src/windows_use/tools/tts_piper.py src/windows_use/utils/rate_limit.py src/windows_use/utils/retry.py src/windows_use/web/security_utils.py src/windows_use/tools/ps_shell.py tests/test_config_validation.py tests/test_log_sanitizer.py tests/test_web_security.py tests/test_device_flags.py tests/test_retry_rate_limit.py tests/test_powershell_wrapper.py scripts/healthcheck.py
  • PYTHONPATH=src pytest tests/test_config_validation.py tests/test_log_sanitizer.py tests/test_web_security.py tests/test_device_flags.py tests/test_retry_rate_limit.py tests/test_powershell_wrapper.py

https://chatgpt.com/codex/tasks/task_e_68b9aa75e5608320915b271cf02b457f

@orang2bejo
Owner Author

Summary
Introduced Pydantic-based configuration models that enforce an assistive default mode and non-empty web allowlists for security settings, while validating optional model names and providing safe offline defaults.

Wrapped Windows Credential Manager via a secret store and added a log sanitizer to redact tokens, emails, and phone numbers before writing logs.

Enabled device-aware speech components and a healthcheck utility by auto-selecting GPU/CPU for Whisper and Piper, exposing providers and GPU name in telemetry output.

Added rate-limiting and retry decorators, strengthened PowerShell execution with Constrained Language Mode, and implemented web-security utilities for allowlists, confirmation prompts, and OTP fallbacks.

Documented security modes, secrets handling, and troubleshooting, updated README with compliance guidance, and introduced a supply-chain job to generate SBOMs, scan secrets, and audit CVEs in CI.

@orang2bejo orang2bejo merged commit cf17ded into main Sep 4, 2025
6 of 13 checks passed
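
An added example, not code from this pull request or its author: one way to redact tokens, emails, and phone numbers before log lines are written, as the summary above describes for the log sanitizer. The names `sanitize`, `SanitizingFilter`, and `demo`, the regex rules, and the sample log messages are all assumptions constructed for illustration; phone matching is limited to numbers written with a leading `+`.

```python
import io
import logging
import re

# Constructed rules for illustration; the PR's actual patterns are not shown on this page.
RULES = [
    (re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{8,}"), "Bearer [REDACTED_TOKEN]"),
    (re.compile(r"(?i)\b(api[_-]?key|token|secret|password)(\s*[=:]\s*)[^\s,;&]+"),
     r"\1\2[REDACTED_TOKEN]"),
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[REDACTED_EMAIL]"),
    (re.compile(r"(?<!\w)\+\d[\d\s().-]{6,}\d"), "[REDACTED_PHONE]"),
]


def sanitize(text: str) -> str:
    """Apply every redaction rule in order and return the cleaned text."""
    for pattern, replacement in RULES:
        text = pattern.sub(replacement, text)
    return text


class SanitizingFilter(logging.Filter):
    """Redacts the fully rendered message, not just the format string."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style args first so secrets passed as arguments are covered.
        record.msg = sanitize(record.getMessage())
        record.args = None
        return True


def demo() -> str:
    """Log constructed sample lines through the filter; return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Attach to the handler: logger-level filters are skipped for records
    # that propagate up from child loggers, handler-level filters are not.
    handler.addFilter(SanitizingFilter())
    parent = logging.getLogger("sanitizer_demo")
    parent.handlers = [handler]
    parent.propagate = False
    parent.setLevel(logging.INFO)
    child = logging.getLogger("sanitizer_demo.web")
    child.info("login user=%s phone=%s", "alice@example.com", "+62 812-5550-1234")
    child.info("calling API with Authorization: Bearer %s", "abcDEF123456.xyz")
    parent.info("config loaded api_key=sk-test-000000 mode=assistive")
    return buf.getvalue()
```

Exception tracebacks are rendered later by the formatter, so text that arrives only through `exc_info` is not covered by this filter.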