5d0c43ec6e
* feat(realtime): EOU-driven semantic_vad turn detection Add a `semantic_vad` turn-detection mode to the realtime API that feeds the transcription model live and decides "the user finished speaking" from the `<EOU>` end-of-utterance token rather than from silence alone. When EOU fires the turn commits immediately (~0.3s); otherwise it falls back to an eagerness-scaled silence threshold (low/med/high = 8/4/2s). Plumbing, bottom to top: - proto: `AudioTranscriptionLive` bidirectional RPC (config-first oneof, mono float PCM @16k, ready-ack / Unimplemented degrade signal) plus `TranscriptResult.eou` for the unary retranscribe gate. - pkg/grpc: client/server/base/embed scaffolding for the bidi stream, modeled on AudioTransformStream; release stream conns on terminal Recv. - parakeet-cpp: live transcription RPC with per-C-call engine locking (one live stream per turn, finalize+free at commit); bump parakeet.cpp to ABI v5 — incremental StreamingMel (no more quadratic per-feed mel recompute that delayed EOU on long turns) and the <EOU>/<EOB> split; strip the literal <EOU>/<EOB> from offline text and set Eou. - core/backend: LiveTranscriptionSession wrapper + pipeline `turn_detection:` config block (type/eagerness/retranscribe). - realtime: semantic_vad integration — live input captions streamed as transcription deltas while the user speaks, EOU-immediate commit with eagerness fallback, optional retranscribe gate (batch re-decode must also end in <EOU> to confirm), clause synthesis off the LLM token callback, and per-turn live-transcription / model_load telemetry. - UI: show the realtime pipeline components as a vertical list. Docs and tests included; opt-in via the pipeline YAML or per-session `session.update`. Non-streaming STT backends degrade to silence-only. Assisted-by: Claude Code:claude-opus-4-8 [Read] [Edit] [Write] [Bash] Assisted-by: Claude Code:claude-fable-5 [Read] [Edit] [Bash] Signed-off-by: Richard Palethorpe <io@richiejp.com> * feat(realtime): explicit formally-verified state machines + parakeet streaming driver The realtime API had several implicit state machines whose state was inferred from scattered booleans, channels, and five separate mutexes, leaving illegal/inconsistent states reachable. Make them explicit and keep the implementation in step with a formal design; rework the parakeet streaming backend along the same lines. Realtime state machines (M1-M5). Each is a sealed sum-type State/Event/Effect with a total, pure Next(state,event)->(state,[]effect) behind a single-writer Coordinator: M1 conncoord connection lifecycle: VAD toggle + once-only teardown (replaces vadServerStarted + a `done` channel closed from two sites). M2 turncoord turn detection: collapses speechStarted and the live-stream "turn open" flag into one state, so discardTurn can no longer desync them and suppress the next onset. M3 respcoord response coordination: serializes the dual-writer start/cancel so at most one response is live; one response.done per response.create. M4 compactcoord conversation compaction: single-flight (replaces the `compacting atomic.Bool` CAS). M5 ttscoord TTS pipeline: open->closing->closed, idempotent wait(), rejects enqueue-after-close (was a silent drop). The Coordinator/Sink/Next plumbing — only the sealed types and Next differed per machine — is extracted once into core/http/endpoints/openai/coordinator as a generic Coordinator[S,E,F]; each machine keeps its public API via type aliases, so no sink, call-site, or test moved. Hierarchy. session_lifecycle.fizz models M1 as the parent region with its children (M2/M3/M4) as one statechart and asserts ChildrenDieWithParent (conn torn => all children terminal, none start after teardown). respcoord and compactcoord gain an absorbing Terminated state + Shutdown event; conncoord's teardown drives the children terminal. This closes a compaction teardown gap: a fire-and-forget compaction could outlive a torn session — compactionSink now takes a session-scoped cancellable context + WaitGroup and joins the in-flight summarize+evict on shutdown. Formal verification. formal-verification/ holds one authoritative FizzBee spec per machine plus the composition spec, each with an always-assertion and a documented one-line edit that makes the checker fail (verified non-vacuous). scripts/realtime-conformance.sh is fail-closed: all Go conformance suites under -race AND a model-check of every .fizz spec; a missing FizzBee is a hard error (only the loud REALTIME_CONFORMANCE_SKIP_FIZZBEE=1 bypasses it, never in CI). FizzBee is pinned by sha256 and installed via scripts/install-fizzbee.sh into .tools/ (gitignored). Wired as make test-realtime-conformance, a CI workflow, and a pre-commit path filter. Go conformance tests are Ginkgo/Gomega (per the repo's forbidigo lint): transition tables + fixed-seed property walks + concurrent/-race specs, no rapid dependency. Design map: docs/design/realtime-state-machines.md. Parakeet streaming backend. The same treatment applied to the parakeet-cpp streaming paths: - AudioTranscriptionStream returns codes.Unimplemented for non-streaming models instead of decoding offline and emitting it as one delta + final. A client that asked for streaming learns the model cannot stream rather than receiving a batch result shaped like a stream. New grpcerrors.StreamTranscriptionUnsupported carries that signal; the HTTP /v1/audio/transcriptions stream path surfaces it as an SSE error event. Mirrors AudioTranscriptionLive, which already did this. - utteranceBoundary (boundary.go): a single definition of the end-of-utterance latch, replacing three open-coded finalEou toggles. Modelled as a two-valued type so illegal states are unrepresentable. - Shared decode driver (driver.go): streamFeedResult (one per-feed event) + feedChunk (hides the ABI v4 JSON vs text-only split) + feedSlices + flushTail. The feed loop is written once. - AudioTranscriptionLive becomes a bidi adapter: it streams the per-feed {delta,eou,eob,words} the realtime turn detector consumes and a terminal FinalResult carrying only Text. Segments/duration/eou are offline-only and no longer produced (nor read) on the live path; liveTraceState drops the terminal eou and keeps the per-feed eou_events count. - AudioTranscriptionStream + streamJSON merge into one driver-based function; streamSegmenter is generalized to the unified event with a text-only fallback that preserves the legacy (no-words) library's per-utterance segmentation. Verified: build/vet/gofumpt clean, golangci-lint 0 issues, all coordinator and parakeet packages under -race, the fail-closed conformance gate green, and make test-realtime (12 e2e WS+WebRTC). Assisted-by: Claude:claude-opus-4-8 [Claude Code] Signed-off-by: Richard Palethorpe <io@richiejp.com> --------- Signed-off-by: Richard Palethorpe <io@richiejp.com>
Formal verification — realtime state machines
Formal designs (FizzBee specs) for the realtime API state machines and the harness that keeps the Go implementation provably in step with them. Background and rationale: ../docs/design/realtime-state-machines.md (Part 6).
The design is authoritative: behaviour changes go through the spec first, then
the implementation is checked against it. The realtime-conformance gate makes
that the path of least resistance — you cannot land a non-conforming change green.
What's here
| File | Role |
|---|---|
response_lifecycle.fizz |
Authoritative FizzBee model of machine M3 (response coordination). Model-checked + drives the Go MBT conformance harness. |
turn_lifecycle.fizz |
Authoritative FizzBee model of machine M2 (turn detection): the speechStarted / turn-open coupling. |
conn_lifecycle.fizz |
Authoritative FizzBee model of machine M1 (connection lifecycle): VAD toggle + once-only teardown. |
compaction.fizz |
Authoritative FizzBee model of machine M4 (conversation compaction): single-flight. |
tts_pipeline.fizz |
Authoritative FizzBee model of machine M5 (TTS pipeline): open->closing->closed, idempotent close. |
session_lifecycle.fizz |
Composition spec: the M1–M5 hierarchy — conn (M1) is the parent; when it is torn down, every child (vad/M2, resp/M3, compaction/M4) is terminal. Models the relationship the per-machine specs can't express. |
fizzbee.sha256 |
Pinned checksum(s) of the FizzBee release the gate uses (created on first install-fizzbee.sh run). |
The implementations under test live in
core/http/endpoints/openai/respcoord (M3),
core/http/endpoints/openai/turncoord (M2),
core/http/endpoints/openai/conncoord (M1),
core/http/endpoints/openai/compactcoord (M4),
and core/http/endpoints/openai/ttscoord (M5).
Running the gate
make test-realtime-conformance
# or directly:
./scripts/realtime-conformance.sh
Two layers, both required — the gate is fail-closed:
- Go-native conformance — the
respcoord+turncoord+conncoord+compactcoord+ttscoordtransition-table tests + Ginkgo/Gomega seeded property (random-walk) tests under-race(checks the implementation), plus the sharedcoordinatorruntime they all build on. Also run as part ofmake test(they're ordinary Go packages with a Ginkgo suite each). The five machines reduce to their sealed State/Event/Effect types + a pureNext; the single-writer Coordinator/Sink plumbing lives once incore/http/endpoints/openai/coordinator(a genericCoordinator[S,E,F]). - FizzBee model check — model-checks the authoritative
.fizzspecs (checks the design). A missing FizzBee is a hard failure, not a skip — otherwise the design verification silently disappears whenever the tool is inconvenient, which is the whole thing we're trying to prevent.
FizzBee is pinned and checksum-verified (fizzbee.sha256), so "couldn't install"
is not a reason to skip — run make install-fizzbee. The only way to skip is
the explicit, loud REALTIME_CONFORMANCE_SKIP_FIZZBEE=1 opt-out, intended for
local work on unrelated code. CI never sets it, and pre-commit runs the full
gate whenever respcoord/**, turncoord/**, conncoord/**, compactcoord/**, ttscoord/**, or formal-verification/** is
staged (so a pure .fizz edit still re-verifies).
Installing FizzBee (pinned)
FizzBee is pre-1.0 and single-maintainer, so we pin a version + sha256 and use the
prebuilt release tarball (its primary build is Bazel — it is not go-gettable:
the pkg/modelchecker library imports the Bazel-internal fizz/proto with no
committed .pb.go, so a plain go get won't build it).
make install-fizzbee # = scripts/install-fizzbee.sh (default v0.5.2)
The four platform assets are pinned by sha256 in fizzbee.sha256 (digests taken
from the GitHub release); the installer verifies before extracting. Heads-up: the
Linux bundles are large (~290–350 MB, because parser_bin embeds a full runtime),
macOS ~36 MB. CI caches .tools/fizzbee keyed on the pin so it downloads once.
This unpacks a self-contained directory under .tools/fizzbee/ (gitignored):
.tools/fizzbee/
fizz -> stable symlink the gate auto-detects
fizzbee-v0.5.2-linux_x86/
fizz # CLI wrapper (entrypoint)
parser/parser_bin # the .fizz frontend, BUNDLED (no system Python needed)
fizzbee # Go model-checker binary
fizz.env # resolves the above paths relative to `fizz`
mbt_gen.zip # MBT generator (this one DOES need system python)
Keep the directory intact — fizz.env resolves its siblings relative to the
fizz wrapper. The gate auto-detects .tools/fizzbee/fizz; override with
FIZZBEE_BIN only if you installed elsewhere (point it at the fizz wrapper,
not the raw fizzbee binary).
First install-fizzbee.sh run prints the computed sha256; record it in
fizzbee.sha256 as <sha256> <asset> and commit so later runs verify the pin.
CLI facts (validate against the pinned version — FizzBee is pre-1.0): the CLI is
fizz [flags] <spec.fizz>(default = exhaustive BFS); there is norunsubcommand. The checker can printFAILED/DEADLOCKwhile still exiting 0, so the gate scans output for those markers in addition to the exit code. Model-checking needs only the bundledparser_bin(no Python); onlymbt-scaffoldshells out to systempython.
Reproducing the bug the spec catches
Each spec models the correct design, so it passes; each documents how to reproduce the legacy bug it guards against:
response_lifecycle.fizz(M3): changeatomic func start()toserial func start()— the checker reportsAtMostOneLiveviolated (the dual-writer race). Pinned deterministically in Go by the respcoord "legacy dual-writer characterization" spec.turn_lifecycle.fizz(M2): inAbort, deleteself.speech = 0(clear only the turn, as the legacydiscardTurndid) — the checker reportsCoupledviolated (the speechStarted/turn-open desync that suppressed the next onset).conn_lifecycle.fizz(M1): inClose, deleteself.torn = 1— the checker reportsTeardownOnceviolated (the legacy double-teardown / double-close hazard when a session reaches teardown from more than one exit path).compaction.fizz(M4): inTrigger, delete theif self.active == 0:guard — the checker reportsSingleFlightviolated (two goroutines compacting the same overflow concurrently, the race thecompactingCAS prevents).tts_pipeline.fizz(M5): inClose, delete theif self.phase == 0guard — the checker reportsWakeOnceviolated (a non-idempotent wait() that wakes / joins the worker more than once).session_lifecycle.fizz(hierarchy): inTeardown, deleteself.compaction = 2— the checker reportsChildrenDieWithParentviolated. This is the real M4 gap: a fire-and-forget compaction outliving the torn session. The fix isconncoord's teardown cancelling + joining each conversation's compaction (and respcoord/ compactcoord gained an absorbingTerminatedstate so no child can start after teardown).
Adding another machine
All five mapped machines (M1–M5) have landed. To add a new sealed-state machine:
- Add
<machine>.fizzhere (with analways assertion; verify non-vacuity by breaking one guard and confirming the checker fails). - Implement it as a sealed-state package under
core/http/endpoints/openai/. - Add transition-table + Ginkgo/Gomega seeded property conformance tests
(one
*_suite_test.gobootstrap per package; LocalAI mandates Ginkgo/Gomega). - The gate picks up new
*.fizzspecs automatically; add the new Go package to the-racetest list inscripts/realtime-conformance.sh(and the path filters in.githooks/pre-commit+.github/workflows/realtime-conformance.yml).