Skip to content

Fix PTT dead-mic recovery and prove realtime providers#9770

Open
Git-on-my-level wants to merge 6 commits into
mainfrom
codex/issue-9757-ptt-provider-proof
Open

Fix PTT dead-mic recovery and prove realtime providers#9770
Git-on-my-level wants to merge 6 commits into
mainfrom
codex/issue-9757-ptt-provider-proof

Conversation

@Git-on-my-level

@Git-on-my-level Git-on-my-level commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Make push-to-talk silent-mic recovery preserve zero-frame evidence, record the post-rebuild outcome, and re-arm only after a truthful success/failure result.
  • Add a bounded deployed OpenAI and Gemini realtime mint-to-terminal-response probe to the desktop development release workflow, with an explicit outage-only bypass.
  • Make the Firebase Secret Manager/IAM project distinct from the expected Firebase auth project and reject mismatched probe-token claims before they reach a deployed service.

Closes #9757
Closes #9677
Closes #9081
Closes #9190

Root cause and durable guard

A zero-frame PTT turn previously reset the silent-capture evidence, while recovery was logged as successful when it was merely attempted. The policy now treats zero frames as neutral, keeps its threshold bounded, and waits for the next judgeable turn to record the rebuild outcome. Behavioral policy tests and wiring checks cover the affected discard and completion paths.

The development desktop-backend workflow verified revision identity but did not prove the direct managed provider websocket paths. It now mints a fixed non-human identity token, validates its auth-project audience/issuer/subject without exposing it, calls each provider directly, requires its terminal event, sanitizes all bounded results, and retries only timeouts or upstream 5xx responses. Hermetic tests cover OpenAI, Gemini, token contract mismatch, and transport timeout behavior.

Verification

  • cd desktop/macos && ./scripts/swift-test-suites.sh
  • BACKEND_PYTEST_WORKERS=4 PYTHON=/Users/david/workspace/omi/backend/.venv/bin/python ./backend/test.sh
  • actionlint .github/workflows/desktop_backend_auto_dev.yml .github/workflows/gcp_backend.yml .github/workflows/sync_ledger_fence_cutover.yml
  • python3 -m py_compile backend/scripts/firebase_release_probe_token.py scripts/voice-provider-probe.sh
  • make preflight
  • Named omi-9757-ptt bundle launched with the automation bridge; exercised ptt_start then ptt_stop with no invalid lifecycle transition. The local bundle had no seeded auth session, so it correctly reached signed-out cancellation rather than an authenticated provider turn; the deployed workflow probe is the authenticated provider-path guard.

Product invariants affected

  • INV-CHAT-1
  • INV-VOICE-1

Review in cubic

CI and others added 6 commits July 14, 2026 18:51
…at mint 429 as retryable

Bluetooth silent-mic fallback was sharing recordCaptureRebuild's outcome arm with CoreAudio rebuilds, so switch_to_built_in_mic results were mislabeled. Keep arming on the dead-mic threshold path only. Map probe HTTP 429 to exit 75 to match desktop mint transient handling.

Co-authored-by: Cursor <cursoragent@cursor.com>
Bluetooth silent-mic fallback correctly leaves outcomes unarmed, but the
mid-turn CoreAudio watchdog rebuild also stopped arming after that split.
Arm only inside requestCoreAudioCaptureRecovery so both threshold and
watchdog CoreAudio rebuilds get truthful next-turn success/failure.

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

1 participant