feat(voice): backend voice picker + advanced controls behind disclosure (#742)#743
Open
heavygee wants to merge 44 commits into
Open
feat(voice): backend voice picker + advanced controls behind disclosure (#742)#743heavygee wants to merge 44 commits into
heavygee wants to merge 44 commits into
Conversation
Contributor
Author
|
Stack note: This PR is blocked by #692. For review, prefer the incremental diff on the fork: heavygee/hapi@feat/pluggable-voice-backend...feat/voice-selection-all-backends (4 commits: catalog scaffold, backend chooser, Gemini/Qwen descriptions, Playwright dogfood script.) |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Findings
- [Major] Qwen proxy forwards arbitrary client frames with the hub API key —
POST /api/voice/qwen-tokencorrectly keeps the DashScope key server-side, but the new/api/voice/qwen-wsproxy then opens DashScope with that key and blindly forwards every browser frame to upstream. Unlike the Gemini path, which rejects client-provided setup frames, any authenticated web client can connect directly and send its ownsession.update/response.createpayloads, turning the hub into a generic DashScope proxy and allowing client-controlled instructions/tools under server credentials. Evidence:hub/src/web/server.ts:159.
Suggested fix:Move the initialconst allowedQwenRuntimeEvents = new Set([ 'input_audio_buffer.append', 'input_audio_buffer.commit', 'response.create', 'conversation.item.create' ]) function parseQwenClientEvent(message: string | ArrayBuffer | Uint8Array): { type?: string } | null { try { return JSON.parse(decodeWsText(message)) as { type?: string } } catch { return null } } message(clientWs: ServerWebSocket<unknown>, message: string | ArrayBuffer | Uint8Array) { const event = parseQwenClientEvent(message) if (!event?.type || !allowedQwenRuntimeEvents.has(event.type)) { try { clientWs.close(1008, 'Client-provided Qwen setup is not allowed') } catch { /* */ } return } const upstream = upstreamMap.get(clientWs) if (upstream?.readyState === WebSocket.OPEN) { upstream.send(message) } }
session.updateconstruction into the hub proxy, as Gemini does withbuildGeminiLiveSetupMessage, and only let the browser send runtime audio/tool-response events afterward.
Questions
- None.
Summary
- Review mode: initial
- One issue found: Qwen realtime proxy needs the same server-owned setup boundary as Gemini before this is safe to merge.
Testing
- Not run (automation; static review only, per PR security instructions).
HAPI Bot
Contributor
Author
|
Noise check (re: default diff vs
GitHub would not let us retarget base to Automated review note: The |
9 tasks
Rebased from Overbaker/hapi#401 onto current main. Adds a pluggable voice backend architecture that extends the existing ElevenLabs integration: - Gemini 2.5 Live (gemini-live): Google real-time audio via WebSocket with full function calling (messageCodingAgent, processPermissionRequest) - Qwen Realtime (qwen-realtime): Alibaba DashScope via hub WebSocket proxy (browser cannot set Authorization header directly) - VoiceBackendSession: dynamic backend selector with React.lazy loading, gates voice button until backend module is registered - Hub WS proxies: JWT-authenticated /api/voice/gemini-ws and /api/voice/qwen-ws endpoints in Bun.serve, with message queueing during upstream connect to prevent dropped setup frames - AudioWorklet pipeline: inline Blob URL recorder, 24 kHz PCM player, serial tool call execution, AudioContext created in user gesture for mobile - Backend discovery: GET /voice/backend + POST /voice/gemini-token / POST /voice/qwen-token hub routes; frontend auto-detects active backend Merge notes: - Rebased 135 upstream commits cleanly; HappyComposer keeps upstream's configurable enter-behavior setting (supersedes hard-coded Ctrl+Enter) - Converted gemini test files from bun:test to vitest (web package uses vitest) - All 221 hub tests and 636 web tests pass; TypeScript clean
turnComplete handler was unconditionally calling setMuted(false), which re-enabled the mic track even when the user had manually muted. Now restores to state.micMuted instead.
buildGeminiLiveConfig was appending VOICE_CHINESE_LANGUAGE_BLOCK which forced Gemini to always respond in Mandarin regardless of user locale. Gemini now uses the neutral base prompt and responds in the language the user speaks to it, consistent with the ElevenLabs behaviour.
If the session closes while Gemini is mid-speech, cleanup() left state.modelSpeaking=true. The next startSession() would then drop all mic audio in sendAudioChunk() until a model turn eventually flipped the flag — effectively deaf until page reload.
ws.onclose operated on module-level state.ws, not the socket that fired the event. A rapid stop/restart could cause the old socket's onclose to call cleanup() after the new socket was assigned, tearing down the live session. Guard with `if (state.ws !== ws) return` before cleanup. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
Matches the Gemini fix — both backends now use VOICE_SYSTEM_PROMPT without the Chinese language block, giving consistent English-default behaviour across all non-ElevenLabs backends. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
Adds a "Proactive voice" toggle (default: off = reactive) to the Voice Assistant settings section. Reactive (default): initial context and agent-ready events are fed silently; the assistant waits for the user to speak first. Proactive: original behaviour — Gemini/Qwen narrate context on connect and speak unprompted when the agent finishes a task. ElevenLabs is also affected via onReady sending a user message rather than a silent update. Covers all three backends uniformly. localStorage key: hapi-voice-proactive. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
… visibility - hub/server.ts: add toClientCloseCode() to normalize reserved upstream close codes (1005/1006/1015) to 1011 before forwarding to browser; abnormal upstream drops (1006) would otherwise throw on clientWs.close() and leave the browser socket open - realtime/index.ts: remove static GeminiLiveVoiceSession and QwenVoiceSession barrel exports; VoiceBackendSession lazy-imports both, so barrel re-exports created static dependencies that defeated the intended code-split - App.tsx: gate global useVisibilityReporter on !sessionEventSubscription so the always-on SSE connection does not suppress native Web Push notifications for sessions the user is not currently viewing via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
…toggle label - buildGeminiLiveConfig() now accepts optional language param; appends VOICE_CHINESE_LANGUAGE_BLOCK only when language === 'zh' - GeminiLiveVoiceSession passes config.language through - QwenVoiceSession conditionally builds basePrompt from language setting - Fixes silent no-op when user selects Chinese in voice settings on Gemini/Qwen backends (was ElevenLabs-only) - Rename voice-start toggle label to 'Start voice session with summary' - Fix description: clarifies the choice is about session-open behaviour (summary vs greeting), not ongoing narration via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
Gemini Live has no built-in first-message like ElevenLabs agents do; without an explicit turnComplete:true it sits silently. In reactive mode (default, toggle off) now sends a greeting instruction after any silent context feed so Gemini introduces itself and invites the user to speak. Proactive mode is unchanged: the context summary is the opening speech. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
…reeting - VOICE_SYSTEM_PROMPT: explicit instruction never to call itself Gemini, Google, or any underlying model/provider name — always HAPI - Greeting trigger text: instruct to greet as HAPI only, suppress model name and any reference to context/recent activity in the opening line via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
Gemini + Qwen client:
- onerror now sets setupDone/sessionReady and nulls state.ws before
calling reject(), so the stale-close guard trips in onclose and
prevents a duplicate statusCallback('error') on WS failure
Gemini client:
- Proactive mode with no initialContext now falls through to the
greeting trigger instead of sitting silently
- Remove unused handleBargeIn callback (dead code)
Qwen client:
- Add input_audio_sample_rate: 16000 to session.update so PCM rate
is declared explicitly rather than relying on DashScope's default
Hub proxy:
- Remove no-op ternary in Gemini flush loop and message handler
(typeof x === 'string' ? x : x); use upstream.send(msg) directly
- Qwen onerror now calls upstreamMap.delete() before closing client,
eliminating the stale map entry window
- Align Qwen hub fallback model string with QWEN_REALTIME_MODEL
constant ('qwen3-omni-flash-realtime')
via [HAPI](https://hapi.run)
Co-Authored-By: HAPI <noreply@hapi.run>
hub/voice.ts:
- Replace string-concat WS URL construction with buildVoiceWsUrl() which
uses URL API to set protocol/pathname cleanly — fixes double-slash when
HAPI_PUBLIC_URL has a trailing slash (would silently skip the proxy route)
QwenVoiceSession.tsx:
- Wrap tool definitions in {type:'function', function:{...}} as required
by Qwen-Omni realtime schema — previous flat shape caused session.update
rejection before audio capture could start
- Use pcm16/pcm24 audio formats matching DashScope spec; remove
input_audio_sample_rate (encoded in format name)
via [HAPI](https://hapi.run)
Co-Authored-By: HAPI <noreply@hapi.run>
…ose codes
GeminiLiveVoiceSession + QwenVoiceSession:
- startAudioCapture() is now async and awaits recorder.start() before
calling setMuted() — previously setMuted ran before getUserMedia resolved
so a session restarted while muted would open the mic anyway
- statusCallback('connected') now fires after audio is ready
- setMuted() called unconditionally (not just when true) to correctly
apply saved state in either direction
hub/src/web/server.ts:
- Both Gemini and Qwen close() handlers now pass the client code through
toClientCloseCode() before forwarding to upstream — prevents reserved
codes (e.g. 1006) from causing WebSocket.close() to throw and leave
the upstream session open until provider timeout
- Reason string capped at 123 bytes (WebSocket protocol limit)
via [HAPI](https://hapi.run)
Co-Authored-By: HAPI <noreply@hapi.run>
An unhandled rejection inside the async onmessage callback does not
propagate to the outer startSession Promise — the UI hangs on
'connecting' and the provider socket stays partially open. Wrapping
the await in try/catch calls cleanup()/statusCallback('error')/reject()
so failures surface correctly.
via [HAPI](https://hapi.run)
Co-Authored-By: HAPI <noreply@hapi.run>
…alling back to ElevenLabs
fetchVoiceBackend no longer catches errors and defaults to 'elevenlabs' — any
network or server failure now throws so VoiceBackendSession can surface it via
onStatusChange('error', ...) rather than silently mounting the wrong backend.
VoiceBackendSession also resets backend state to null when api changes, so
a stale ElevenLabs registration from a prior discovery cannot persist into
a new session.
via [HAPI](https://hapi.run)
Co-Authored-By: HAPI <noreply@hapi.run>
…alling back to ElevenLabs Unknown backend strings (future values, typos) now throw rather than defaulting to elevenlabs, closing the narrow remaining form of the original misrouting bug. Also removes the unnecessary `as VoiceBackendResponse` cast. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
…r base64 uploads Qwen session.updated handler now sends the same proactive summary or greeting trigger that Gemini does — previously it started silently in both proactive and reactive modes. maxHttpBufferSize raised to 68 MiB to account for base64 expansion: 50 MiB decoded files become ~66.7 MiB as base64 JSON, so the previous 55 MiB ceiling would disconnect uploads above ~41 MiB before they reached the CLI. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
….update for Qwen text Qwen's realtime API only supports conversation.item.create for function_call_output. Sending it with type:'message' for greetings/context was invalid and could fail before the user spoke. sendTextMessage and sendContextualUpdate now update session instructions via session.update (accumulating context into the system prompt) and trigger response.create only when a spoken reply is needed — matching Qwen's supported client event surface. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
…n start session.updated now returns early after the first ack — subsequent session.update calls (instruction appends) also echo session.updated but must not re-trigger audio capture or the greeting path. currentSessionConfig is now reset to null at the top of startSession so a stale config from a failed previous session cannot leak into the new one. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
Without this guard, a missing wsUrl in the hub token response would silently attempt to connect directly to Google with "proxied" as the API key — producing a confusing auth failure instead of a clear error. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
DashScope realtime API accepts only 'pcm' for both input and output audio formats. The pcm16/pcm24 values caused session.update rejection before audio capture could start, leaving the Qwen backend unusable. Also updates the default voice from Mia (not in the qwen3-omni-flash- realtime voice list) to Cherry, which is documented as supported. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
Failed token fetch, microphone denial, or WebSocket error during setup left state.playbackContext open. Each failure path now calls cleanup() before throwing/rejecting, preventing AudioContext leaks on mobile browsers with hard limits on concurrent contexts. via [HAPI](https://hapi.run) Co-Authored-By: HAPI <noreply@hapi.run>
Reverts changes to files that shouldn't differ from upstream: - .gitignore: remove fork-only AGENTS.local.md entry - web/src/App.tsx: restore dual-subscription SSE pattern (scope-aware) - web/src/hooks/useSSE.ts: restore SSEScope/scope parameter - web/src/hooks/useSSE.test.ts: restore (was accidentally deleted) - web/src/lib/appSseSubscriptions.ts: restore (was accidentally deleted) - web/src/lib/appSseSubscriptions.test.ts: restore (was accidentally deleted) - hub/src/sync/syncEngine.ts: restore (off-topic change)
Hub sends HAPI-owned Gemini setup on proxy connect and rejects client setup frames. Qwen proxy always uses QWEN_REALTIME_MODEL instead of a client query parameter. Shared buildGeminiLiveSetupMessage() keeps wire format in one place. Co-authored-by: Cursor <cursoragent@cursor.com>
Mirror the Gemini proxy security model for Qwen: - Hub sends initial session.update (voice/tools/instructions) on upstream connect so the browser cannot override config fields. - Proxy message() now calls isQwenSafeClientFrame() and closes the connection (1008) if a client session.update touches any field other than 'instructions' (blocks tool/voice/modality overrides). - QwenVoiceSession no longer sends session.update on session.created; it waits for the hub-relayed session.updated and then sends only instruction-only updates for context/proactive content. - Language passed as query param (?language=zh) so hub builds the correct Chinese system prompt without a client-supplied session.update. - buildQwenSessionUpdateMessage() and isQwenSafeClientFrame() added to @hapi/protocol/voice; 9 new unit tests cover filter edge cases.
…ring DashScope requires session.update to be sent AFTER session.created is received, not immediately on WebSocket open. Previously the hub sent session.update in upstream.onopen, which violated this ordering and risked the config being processed in an uninitialized session context. Add pendingSetupMap to buffer the hub-owned session.update payload. The onmessage handler now relays session.created to the browser first, then immediately sends the pending session.update to DashScope — matching the protocol ordering the old browser-side code used (which waited for session.created before sending session.update). Also remove maxHttpBufferSize from the socket.io Engine config. That setting is unrelated to voice backends; upstream/main had no such limit set and it is not introduced by this PR.
Contributor
Author
|
Status update on the open Major (Qwen WS proxy) Coordinated with the #692 agent — they're already implementing the fix in their worktree:
This is correctly #692 scope — the Qwen proxy Plan: Stand by until #692 pushes the fix, then rebase CI green; no other open Major findings. Holding for the upstream layer to land. |
…-completions)
Qwen Realtime session.update expects tools as flat objects:
{ type: 'function', name, description, parameters }
The previous code used the chat-completions shape:
{ type: 'function', function: { name, description, parameters } }
DashScope may reject session.update or silently ignore tools with the
nested shape, causing tool calls to fail at runtime. Fix applied in
buildQwenSessionUpdateMessage(); test updated to assert flat shape and
that no nested `function` key is present.
Expose configured backends from hub, let Settings pick provider when multiple API keys exist, and wire voice selection through Gemini/Qwen/ElevenLabs paths. Co-authored-by: Cursor <cursoragent@cursor.com>
Surface catalog descriptions on the voice row and in the picker, with a hint when preview is ElevenLabs-only. Disabled preview buttons stay visible. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
When hub/.env (operator-local) sets GEMINI_API_KEY, the 'falls back to elevenlabs for unknown VOICE_BACKEND values' test leaks gemini-live into the backends list. Delete the four non-elevenlabs key env vars defensively at the start of the test, mirroring the cleanup pattern used by the other tests in the same describe block. No behavior change. Co-authored-by: Cursor <cursoragent@cursor.com>
Stacks on voice-selection-all-backends. Adds shared voice-personality presets, Settings accordions (character + backend-specific tuning), and ElevenLabs session overrides from stored preferences. Co-authored-by: Cursor <cursoragent@cursor.com>
Replace append-only personality notes with the bundled HAPI voice system prompt in an advanced editor. User edits replace the base instruction for ElevenLabs, Gemini (incl. hub proxy), and Qwen. Presets only drive TTS sliders unless the user appends delivery text explicitly. Co-authored-by: Cursor <cursoragent@cursor.com>
Split voice instructions into platform fixtures, provider guardrails, and editable identity/character; compose at runtime for ElevenLabs, Gemini, and Qwen. Session history uses a small connect bootstrap plus deferred contextual chunks, gated by the proactive-summary setting. Settings UI shows wire budgets and read-only fixtures. Co-authored-by: Cursor <cursoragent@cursor.com>
The web workspace runs tests via vitest run. Both voice tests imported describe/expect/test from 'bun:test', which vite cannot bundle and caused 'Cannot bundle built-in module bun:test' transform failures during driver soup verify. Only generic test APIs are used; switching the import to 'vitest' is a no-op behavior change. Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
Author
|
Heads-up from a downstream soup-rebuild (heavygee/hapi driver/integration, 2026-05-31): To get this branch + the voice-advanced layer building cleanly on the current 1. On
The 2. On
Both files imported Surfacing in case you re-do the rebase from scratch and overwrite these locally - they would silently come back as test failures on the next CI/build. No action needed if you keep them. |
heavygee
force-pushed
the
feat/voice-selection-all-backends
branch
from
7469b27 to
238ad4c
Compare
There was a problem hiding this comment.
Findings
- [Major] Qwen proxy still forwards runtime frames before setup is acknowledged — the browser waits for
session.updatedbefore starting audio, but an authenticated client can connect directly and sendresponse.create,conversation.item.create, or instruction-onlysession.updatewhilependingSetupMapis still set. Those frames are forwarded immediately athub/src/web/server.ts:188, before the hub-ownedsession.updatesent athub/src/web/server.ts:159is acknowledged. That can run the upstream session under the provider default config or race ahead of HAPI's locked tools/voice/instructions, reopening part of the generic-proxy boundary the previous review called out.
Suggested fix:const pendingClientFrames = new WeakMap<ServerWebSocket<unknown>, Array<string | ArrayBuffer | Uint8Array>>() // after session.created pendingSetupMap.delete(clientWs) setupAckMap.set(clientWs, false) upstream.send(pendingSetup) // after session.updated for the hub-owned setup setupAckMap.set(clientWs, true) for (const queued of pendingClientFrames.get(clientWs) ?? []) upstream.send(queued) pendingClientFrames.delete(clientWs) message(clientWs, message) { if (!isQwenSafeClientFrame(message)) { /* close */ return } const upstream = upstreamMap.get(clientWs) if (upstream?.readyState !== WebSocket.OPEN) return if (pendingSetupMap.has(clientWs) || setupAckMap.get(clientWs) !== true) { const pending = pendingClientFrames.get(clientWs) ?? [] pending.push(message) pendingClientFrames.set(clientWs, pending) return } upstream.send(message) }
Questions
- None.
Summary
- Review mode: follow-up after new commits
- The previous Qwen proxy issue is partly addressed, but the proxy still needs to gate client frames until the hub-owned Qwen setup has been acknowledged.
Testing
- Not run (automation; static review only, per PR security instructions).
HAPI Bot
The previous Qwen proxy hardening sent the hub-owned session.update once upstream's session.created landed, but never waited for session.updated before forwarding client frames. An authenticated client could push response.create / conversation.item.create / instruction-only session.update during that window and run the upstream session under the provider default config or partially-applied state - reopening part of the generic-proxy boundary the prior review called out. Changes: - Extract createQwenProxyWebSocketHandler into hub/src/web/qwenProxyHandler.ts so the gating behaviour can be unit-tested without spinning up Bun.serve. - Track a per-client setupAcked WeakMap and a pendingClientFrames queue. Client frames are queued (after passing isQwenSafeClientFrame) until the upstream emits session.updated; on ack the queue is flushed in order. - Clear the WeakMaps on upstream error / upstream close / client close so no state leaks across reused references. - Inject the upstream WebSocket constructor for tests; production keeps the real global WebSocket. Tests: 4 new ack-gate cases + existing 245 hub tests still green. Resolves the [Major] thread on PR tiann#743 follow-up review. Co-authored-by: Cursor <cursoragent@cursor.com>
There was a problem hiding this comment.
Findings
- [Major] Gate Gemini client frames until setupComplete — the proxy sends HAPI's setup on upstream open, but it then flushes queued non-setup frames immediately and forwards later frames whenever the upstream socket is open. A direct authenticated client can therefore send
clientContent/tool frames before Google acknowledges the hub-owned setup withsetupComplete, racing execution ahead of HAPI's locked model, tools, system prompt, language, and voice config. Evidence:hub/src/web/server.ts:77andhub/src/web/server.ts:107.
Suggested fix:const setupCompleteMap = new WeakMap<ServerWebSocket<unknown>, boolean>() const pendingClientFrames = new WeakMap<ServerWebSocket<unknown>, Array<string | ArrayBuffer | Uint8Array>>() upstream.onopen = () => { setupCompleteMap.set(clientWs, false) upstream.send(JSON.stringify(buildGeminiLiveSetupMessage(data.language, data.voiceName))) } upstream.onmessage = (event) => { const text = typeof event.data === 'string' ? event.data : new TextDecoder().decode(new Uint8Array(event.data as ArrayBuffer)) if (setupCompleteMap.get(clientWs) === false && JSON.parse(text).setupComplete) { setupCompleteMap.set(clientWs, true) for (const queued of pendingClientFrames.get(clientWs) ?? []) upstream.send(queued) pendingClientFrames.delete(clientWs) } if (clientWs.readyState === 1) clientWs.send(event.data) } message(clientWs, message) { if (isGeminiSetupFrame(message)) { clientWs.close(1008, 'Client-provided Gemini setup is not allowed') return } const upstream = upstreamMap.get(clientWs) if (!upstream || upstream.readyState !== WebSocket.OPEN || setupCompleteMap.get(clientWs) !== true) { const pending = pendingClientFrames.get(clientWs) ?? [] pending.push(message) pendingClientFrames.set(clientWs, pending) return } upstream.send(message) }
Questions
- None.
Summary
- Review mode: follow-up after new commits
- The previous Qwen ack-gate issue appears addressed in the follow-up, but the newly added Gemini proxy still has the same setup-ack race at its proxy boundary.
Testing
- Not run (automation; static review only, per PR security instructions).
HAPI Bot
| upstream.onopen = () => { | ||
| // Hub-owned setup only — never forward client setup (prevents generic Gemini proxy abuse). | ||
| upstream.send(JSON.stringify(buildGeminiLiveSetupMessage(data.language, data.voiceName))) | ||
| for (const queued of pending.splice(0)) { |
There was a problem hiding this comment.
[Major] Gate Gemini client frames until setupComplete
This flushes queued non-setup frames immediately after sending HAPI's setup, before Google has acknowledged it with setupComplete; once the upstream socket is open, message() also forwards later frames directly. A direct authenticated client can send clientContent or tool frames before HAPI's hub-owned model, tools, system prompt, language, and voice setup is installed, so the session can race ahead under default or partially-applied config.
Suggested fix:
const setupCompleteMap = new WeakMap<ServerWebSocket<unknown>, boolean>()
const pendingClientFrames = new WeakMap<ServerWebSocket<unknown>, Array<string | ArrayBuffer | Uint8Array>>()
upstream.onopen = () => {
setupCompleteMap.set(clientWs, false)
upstream.send(JSON.stringify(buildGeminiLiveSetupMessage(data.language, data.voiceName)))
}
// On the first upstream setupComplete, flip the gate and flush queued client frames.
if (setupCompleteMap.get(clientWs) === false && parsed.setupComplete) {
setupCompleteMap.set(clientWs, true)
for (const queued of pendingClientFrames.get(clientWs) ?? []) upstream.send(queued)
pendingClientFrames.delete(clientWs)
}
message(clientWs, message) {
if (isGeminiSetupFrame(message)) {
clientWs.close(1008, 'Client-provided Gemini setup is not allowed')
return
}
const upstream = upstreamMap.get(clientWs)
if (upstream?.readyState !== WebSocket.OPEN || setupCompleteMap.get(clientWs) !== true) {
const pending = pendingClientFrames.get(clientWs) ?? []
pending.push(message)
pendingClientFrames.set(clientWs, pending)
return
}
upstream.send(message)
}ElevenLabs convai rejects sessions whose `overrides` payload references any
property the agent has not explicitly authorized. The server reply is a malformed
error packet on the LiveKit data channel that the convai-react SDK then deref's
as `event.error_type` (undefined -> TypeError -> disconnect), so the symptom is
a generic "Unknown DataChannel error" with no clue.
Empty-prefs sessions now emit exactly `{ agent: { language } }` for byte-parity
with the upstream/main baseline that the configured agent permits today:
- agent.prompt: only when user has customized identity or character
- tts (full slider object): only when preset diverges from balanced defaults
- tts: { voice_id }: only when a voice was picked and sliders are at defaults
Co-authored-by: Cursor <cursoragent@cursor.com>
…onvAI overrides UI: wrap fixtures, identity, character, delivery preset, and tuning sliders in a single collapsed "Advanced voice settings" disclosure. Defaults stay quiet; sub-sections start collapsed when the master opens. Shows a "customized" badge if any layer differs from defaults so a user who tweaked settings still knows where to find them. Hub: on every /voice/token resolution, PATCH the resolved ConvAI agent's platform_settings.overrides to match buildVoiceAgentConfig() (agent.prompt, tts.voice_id/stability/similarity_boost/style/speed). Idempotent per-process (cached per agent_id), best-effort (non-fatal on PATCH error). Fixes the "Cannot read properties of undefined (reading 'error_type')" crash on operators who have an existing agent that predates the override declaration. Co-authored-by: Cursor <cursoragent@cursor.com>
Brings layered voice prompt UI, context bootstrap + streaming, and ConvAI agent override reconciliation into the existing voice picker PR. All new surfaces live behind a single collapsed "Advanced voice settings" disclosure; defaults stay quiet for users who only want to pick a voice. Co-authored-by: Cursor <cursoragent@cursor.com> # Conflicts: # hub/src/web/server.ts
heavygee
changed the title
There was a problem hiding this comment.
Findings
-
[Major] Gate Gemini client frames until setupComplete — the proxy sends HAPI's setup, then immediately flushes queued client frames and forwards later frames as soon as the upstream socket is open. A direct authenticated client can race
clientContentor tool frames before Google acknowledges the hub-owned setup, so execution can start before HAPI's model, tools, prompt, language, and voice configuration are installed. Evidence:hub/src/web/server.ts:88andhub/src/web/server.ts:118.
Suggested fix:const setupCompleteMap = new WeakMap<ServerWebSocket<unknown>, boolean>() const pendingClientFrames = new WeakMap<ServerWebSocket<unknown>, Array<string | ArrayBuffer | Uint8Array>>() upstream.onopen = () => { setupCompleteMap.set(clientWs, false) upstream.send(JSON.stringify(buildGeminiLiveSetupMessage(data.language, data.voiceName, data.systemInstruction))) } upstream.onmessage = (event) => { const text = typeof event.data === 'string' ? event.data : new TextDecoder().decode(new Uint8Array(event.data as ArrayBuffer)) const parsed = JSON.parse(text) as { setupComplete?: unknown } if (setupCompleteMap.get(clientWs) === false && parsed.setupComplete) { setupCompleteMap.set(clientWs, true) for (const queued of pendingClientFrames.get(clientWs) ?? []) upstream.send(queued) pendingClientFrames.delete(clientWs) } if (clientWs.readyState === 1) clientWs.send(event.data) } if (upstream?.readyState !== WebSocket.OPEN || setupCompleteMap.get(clientWs) !== true) { const pending = pendingClientFrames.get(clientWs) ?? [] pending.push(message) pendingClientFrames.set(clientWs, pending) return }
-
[Major] Pass decoded systemInstruction into Qwen setup —
/api/voice/qwen-wsdecodes?systemPrompt=and stores it onws.data, and the Qwen client sends that param for advanced voice settings, butcreateQwenProxyWebSocketHandler()casts the data withoutsystemInstructionand callsbuildQwenSessionUpdateMessage(data.language, data.voiceName). Qwen sessions therefore ignore the user-edited identity/character/delivery prompt while Gemini uses it. Evidence:hub/src/web/qwenProxyHandler.ts:53andhub/src/web/qwenProxyHandler.ts:61.
Suggested fix:const data = clientWs.data as { apiKey: string model: string language?: string voiceName?: string systemInstruction?: string } pendingSetupMap.set(clientWs, JSON.stringify(buildQwenSessionUpdateMessage( data.language, data.voiceName, data.systemInstruction )))
Questions
- None.
Summary
Review mode: follow-up after new commits
The previous Gemini setup-ack race remains present, and the new Qwen prompt transport path drops the decoded custom prompt before upstream setup. Add proxy-level tests for both setup contracts.
Testing
- Not run (automation; static review only).
HAPI Bot
| data.voiceName, | ||
| data.systemInstruction | ||
| ))) | ||
| for (const queued of pending.splice(0)) { |
There was a problem hiding this comment.
[Major] Gate Gemini client frames until setupComplete
This flushes queued client frames immediately after sending HAPI's setup, before Google acknowledges it with setupComplete; message() also forwards later frames whenever the upstream socket is open. A direct authenticated client can race clientContent or tool frames before HAPI's model, tools, prompt, language, and voice setup is installed.
Suggested fix:
const setupCompleteMap = new WeakMap<ServerWebSocket<unknown>, boolean>()
const pendingClientFrames = new WeakMap<ServerWebSocket<unknown>, Array<string | ArrayBuffer | Uint8Array>>()
upstream.onopen = () => {
setupCompleteMap.set(clientWs, false)
upstream.send(JSON.stringify(buildGeminiLiveSetupMessage(data.language, data.voiceName, data.systemInstruction)))
}
if (setupCompleteMap.get(clientWs) !== true) {
const pending = pendingClientFrames.get(clientWs) ?? []
pending.push(message)
pendingClientFrames.set(clientWs, pending)
return
}
// Flip the gate and flush only after the first upstream setupComplete frame.| }) | ||
|
|
||
| upstreamMap.set(clientWs, upstream) | ||
| pendingSetupMap.set(clientWs, JSON.stringify(buildQwenSessionUpdateMessage(data.language, data.voiceName))) |
There was a problem hiding this comment.
[Major] Pass the decoded prompt into Qwen's hub-owned setup
The server decodes ?systemPrompt= for /api/voice/qwen-ws and stores it on ws.data, and the Qwen client sends that param for the advanced voice prompt. This handler drops it when building the initial session.update, so Qwen ignores the user-edited identity/character/delivery prompt while Gemini applies it.
Suggested fix:
const data = clientWs.data as {
apiKey: string
model: string
language?: string
voiceName?: string
systemInstruction?: string
}
pendingSetupMap.set(clientWs, JSON.stringify(buildQwenSessionUpdateMessage(
data.language,
data.voiceName,
data.systemInstruction
)))
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two voice features against #742, stacked on #692. The visible default surface stays small (one picker, one toggle); everything else lives behind a single collapsed disclosure so a user who just wants to pick a voice never sees the tuning UI.
Backend-aware voice picker
shared/voicePickerCatalog.ts- static Gemini/Qwen voice lists, per-backend localStorage keys, resolve helpersGET /api/voice/backendreturns{ backend, backends }when multiple providers are configuredGET /api/voice/voices- ElevenLabs list available even when default backend is Geminigemini-ws-?voice=query param wired into setup messageVoiceSessionConfig.voiceName+ stored preference per backendComposed system prompt + bootstrap-and-stream context (folded in from
feat/voice-advanced-controls)shared/voicePromptLayers.ts: platform fixtures (read-only - tool contracts, routing, TTS rules) + provider guardrails + user-editable identity + user-editable character.composeVoiceAgentPromptmerges them.sendContextualUpdateafter connect. Honest UI wire-budget hints.{agent:{language:'en'}}payload (byte-parity with upstream baseline). Custom layers/sliders/voiceId opt in their respective override fields. Fixes the unauthorized-override crash (Cannot read properties of undefined ('error_type'))./voice/tokenresolution the hub PATCHes the agent'splatform_settings.overridesto matchbuildVoiceAgentConfig()(agent.prompt + tts.voice_id/stability/similarity_boost/style/speed). Idempotent per-process and best-effort - existing agents that predate the override declaration now self-heal on next session start instead of requiring operator-side console edits.UI discipline
web/src/components/settings/VoiceAdvancedControls.tsxwraps fixtures preview, identity editor, character editor, delivery preset selector, and tuning sliders inside one masterAdvanced voice settingsdisclosure (collapsed by default).customizedbadge appears next to the master title if any layer differs from defaults so power users still find their tweaks.Test plan
bunx tsc --noEmit(hub + web)bun testvoice routes (hub) - 20 pass including newreconciles platform_settings.overrides on existing agentstestbun testvoice client tests (web) -voicePersonalitySession+voiceContextPlangreenhapi-driver-rebuild --build-web --verifythen dogfood the three backends end-to-end on driverMerge order
feat/pluggable-voice-backend)upstream/main(PR diff should drop to this PR's own delta), merge feat(voice): backend voice picker + advanced controls behind disclosure (#742) #743Issues
Ref #742
Blocked by #692