FEAT: Realtime streaming session support and server-side barge-in attack#1766
Open
adrian-gavrila wants to merge 49 commits into
Open
FEAT: Realtime streaming session support and server-side barge-in attack#1766adrian-gavrila wants to merge 49 commits into
adrian-gavrila wants to merge 49 commits into
Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…t API Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ardown Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…nc rename, Optional→union Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…tion) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…me-server-vad # Conflicts: # pyrit/prompt_target/openai/openai_realtime_target.py
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…imitive Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… inline drive_response Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…' into adrian-gavrila/realtime-server-vad
…idation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…mitted-turn handler Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…n Protocol Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…' into adrian-gavrila/realtime-server-vad
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Phase 3 moved all live streaming into _OpenAIRealtimeStreamingSession, so the old subscription/dispatcher/swap path on RealtimeTarget is unreachable. Remove the dead branch (and its tests) in one cut: _streaming_state registry, _StreamingConversationState, StreamingHandle.subscribe_events_async / cleanup_conversation, _RealtimeStreamingHandle's matching impls, the streaming branch in _send_prompt_to_target_async, the unused SupportsStreamingBargeIn Protocol, and the REALTIME_COMMITTED_ITEM_ID_KEY constant. Refresh stale docstrings and the supports_streaming_barge_in capability comment to point at open_streaming_session(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Both methods have zero production callers after Phases 3 and 4. They were speculative API surface for streaming attacks that ended up using the session-based path instead. Tests targeting them are removed alongside. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pulls send_streaming_session_config_async + push_audio_chunk_async off _RealtimeStreamingHandle and swap_user_audio_async + request_response_async (plus the insert/delete helpers) off RealtimeTarget, re-homing them as six private wire helpers on _OpenAIRealtimeStreamingSession. Drops the connection/dispatcher kwargs since the session already owns both as instance state. Captures _effective_vad in __init__ (per-call vad ?? target._server_vad) so the streaming session config and on-committed paths read from one source - prevents drift and stages the eventual removal of _server_vad from the target. Removes the corresponding abstract method declarations from the StreamingHandle ABC; the remaining ABC surface (connect_async, save_audio, SAMPLE_RATE_HZ, server_vad_config) will collapse in a follow-up commit. Test churn: relocated push_audio_chunk_async tests and the three send_streaming_session_config_async tests from test_barge_in.py and test_realtime_target.py to the session test file, where they now build a real RealtimeTarget + open_streaming_session and assert on the session's private wire helpers directly; refactored ~10 existing session tests to mock on the session instance after construction. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The speculative provider-agnostic `StreamingHandle` ABC had one impl
(`_RealtimeStreamingHandle`) and no structural consumers after phases 5a-5b
moved every session-only method off it. This commit collapses the layer:
- Delete `_RealtimeStreamingHandle` class (~65 LOC) and the
`StreamingHandle` ABC (~50 LOC).
- Hoist `SAMPLE_RATE_HZ` (ClassVar), `connect_async` (now private
`_connect_async`), and `save_audio` (public) onto `RealtimeTarget`.
- Drop `RealtimeTarget.streaming` attribute + the composition shim in
`__init__`.
- Rewire 5 atomic-path call sites in `openai_realtime_target.py` and
4 sites in `_openai_realtime_streaming_session.py` (also dropping
the now-pointless `streaming = self._target.streaming` locals).
- Update `open_streaming_session` docstring reference.
- Test churn: drop 4 streaming-handle wiring tests; rewrite the
`SAMPLE_RATE_HZ` assertion against `RealtimeTarget`; rewire
`target.streaming.connect_async` mocks to `target._connect_async`
and `target.streaming.save_audio` to `target.save_audio`.
Net: -92 LOC. Pure structural refactor — no behavior change.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Server VAD only makes sense in streaming flow where chunks are continuously pushed and turn boundaries are server-detected. In the atomic path the caller controls turn boundaries explicitly, so a VAD config there was a footgun: `RealtimeTarget(server_vad=True).send_prompt_async(...)` silently emitted a turn_detection block. After this: - `RealtimeTarget` ctor no longer accepts `server_vad=`; the attribute is gone. - `_set_system_prompt_and_config_vars` keeps its `server_vad` kwarg (the session passes it explicitly) but drops the fallback. Atomic callers omit it and get no turn_detection block. - `open_streaming_session` (and the session ctor) rename `vad: ServerVadConfig | None = None` to `server_vad: bool | ServerVadConfig = True`. Default `True` matches the only non-degenerate streaming mode; pass a config for custom tuning, `False` to disable (sending streaming config then raises). Net -37 LOC. No external API changes (the ctor kwarg was added on this branch and never shipped on main). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The common/streaming package was a speculative provider-agnostic split that never materialized: - StreamingAudioTarget ABC had zero implementors, zero isinstance checks, and zero callers of its abstractmethod send_streaming_prompt_async. The live contract is target.open_streaming_session(...) -> session, not the ABC. Its signature was also stale (kept the old vad= kwarg name after Phase 5d's rename to server_vad=). - ServerVadConfig and STREAMING_INTERRUPTED_KEY are realtime-audio- specific in practice. The artificial package split forced a re-export indirection in realtime_audio.py (`ServerVadConfig as ServerVadConfig`). Move the two live symbols into realtime_audio.py next to RealtimeTargetResult and friends, drop the dead ABC, delete the package, and remove the re-export kludge. 4 import sites updated; public `ServerVadConfig` export in `pyrit.prompt_target` preserved. Net: -90 LOC, -1 directory, -1 module. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ng cleanup Rename the streaming capability to supports_streaming_audio / STREAMING_AUDIO (was barge-in-specific). Drop the redundant isinstance gate in BargeInAttack in favor of the capability requirement, using cast for the concrete dependency. Add async suffixes to realtime dispatcher/session methods and update callers. Replace forbidden reST roles with backticks and trim deferred-work docstring notes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…me-server-vad # Conflicts: # pyrit/executor/attack/__init__.py # pyrit/prompt_normalizer/prompt_normalizer.py # pyrit/prompt_target/openai/openai_realtime_target.py # tests/unit/prompt_normalizer/test_prompt_normalizer.py # tests/unit/prompt_target/target/test_realtime_target.py
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds persistent streaming session support to
OpenAIRealtimeTargetand introducesBargeInAttack, a streaming attack that leverages server-side VAD to detect and exploit barge-in (interruption) behavior. Previously the target only supported single-turn fire-and-forget audio exchanges; this PR adds the transport primitives needed for multi-turn streaming sessions with incremental audio push, event subscription, and mid-session response requests.When the server detects new user speech while the assistant is still responding, the in-flight response is automatically interrupted and the conversation history is truncated to match what was actually delivered.
Key additions:
OpenAIRealtimeTargetstreaming primitives —connect_async,push_audio_chunk_async,insert_user_audio_async,subscribe_events_async,request_response_async,send_streaming_session_config_async. These expose transport-level operations over a persistent WebSocket connection._RealtimeEventDispatcher— ABC that owns a realtime connection's event stream, routes provider-specific events to the active turn, and fires anon_user_audio_committedcallback when server VAD finalizes a turn. Provider-specific routing is isolated to_route_event/_cancelabstract methods.BargeInAttack— streaming attack that pushes audio chunks into a persistent session, applies configured converters on each server-committed turn (convert-on-commit), requests responses, and tracks interruptions. Per-turnMessagepairs are persisted toCentralMemorywithprompt_metadata["interrupted"] = Trueon interrupted turns.ServerVadConfig/RealtimeTargetResult— shared types for configuring server VAD and representing turn results (audio, transcripts, interruption flag).PromptNormalizer.convert_audio_async— applies audio converter configurations to raw PCM bytes for streaming attacks that hold audio mid-turn rather than aMessage.The target exposes only transport primitives; all attack logic (buffering, convert-on-commit dance, interruption signaling) lives in
BargeInAttack.Tests and Documentation
realtime_audio.py, 72% onopenai_realtime_target.py(uncovered lines are pre-existing code paths, not new additions).doc/code/executor/attack/barge_in_attack.py(jupytext py:percent format) demonstrates the attack against a live OpenAI Realtime API endpoint with server VAD. Ran successfully againstgpt-4o-realtime-preview— outputs cleared for CI (requires live credentials).