feat(e2ee): make E2EE configurable via E2EE_ENABLED env var

Allows disabling E2EE for diagnostic purposes. When disabled, bot
connects to LiveKit without frame encryption.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

voice.py

@@ -421,13 +421,17 @@ class VoiceSession:
                         break
                     await asyncio.sleep(0.1)
 
-            # E2EE: re-enabled after diagnostic confirmed EC encrypts audio.
+            # E2EE: configurable via E2EE_ENABLED env var (default true).
-            # Root cause found: set_key() only applies HKDF if the frame cryptor for that
+            # When enabled, parameters MUST match Element Call JS SDK.
-            # participant already exists. Must call set_key() in on_track_subscribed, not at connect time.
+            e2ee_enabled = os.environ.get("E2EE_ENABLED", "true").lower() in ("true", "1", "yes")
-            # Parameters MUST match Element Call JS SDK: ratchetWindowSize=10, keyringSize=256,
+            if e2ee_enabled:
-            # failureTolerance=10, ratchetSalt="LKFrameEncryptionKey".
+                e2ee_opts = _build_e2ee_options()
-            e2ee_opts = _build_e2ee_options()
+                room_opts = rtc.RoomOptions(e2ee=e2ee_opts)
-            room_opts = rtc.RoomOptions(e2ee=e2ee_opts)
+                logger.info("E2EE enabled (HKDF mode)")
+            else:
+                e2ee_opts = None
+                room_opts = rtc.RoomOptions()
+                logger.warning("E2EE DISABLED — audio is unencrypted")
             self.lk_room = rtc.Room()
 
             @self.lk_room.on("participant_connected")