chore(hook): DB changes

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

.github/CODEOWNERS

@@ -8,3 +8,6 @@
 # Agent context files
 /CLAUDE.md @Weves
 /AGENTS.md @Weves
+
+# Beta cherry-pick workflow owners
+/.github/workflows/post-merge-beta-cherry-pick.yml @justin-tahara @jmelahman

.github/actions/slack-notify/action.yml

@@ -1,11 +1,14 @@
-name: "Slack Notify on Failure"
-description: "Sends a Slack notification when a workflow fails"
+name: "Slack Notify"
+description: "Sends a Slack notification for workflow events"
 inputs:
   webhook-url:
     description: "Slack webhook URL (can also use SLACK_WEBHOOK_URL env var)"
     required: false
+  details:
+    description: "Additional message body content"
+    required: false
   failed-jobs:
-    description: "List of failed job names (newline-separated)"
+    description: "Deprecated alias for details"
     required: false
   title:
     description: "Title for the notification"
@@ -21,6 +24,7 @@ runs:
       shell: bash
       env:
         SLACK_WEBHOOK_URL: ${{ inputs.webhook-url }}
+        DETAILS: ${{ inputs.details }}
         FAILED_JOBS: ${{ inputs.failed-jobs }}
         TITLE: ${{ inputs.title }}
         REF_NAME: ${{ inputs.ref-name }}
@@ -44,6 +48,18 @@ runs:
           REF_NAME="$GITHUB_REF_NAME"
         fi
 
+        if [ -z "$DETAILS" ]; then
+          DETAILS="$FAILED_JOBS"
+        fi
+
+        normalize_multiline() {
+          printf '%s' "$1" | awk 'BEGIN { ORS=""; first=1 } { if (!first) printf "\\n"; printf "%s", $0; first=0 }'
+        }
+
+        DETAILS="$(normalize_multiline "$DETAILS")"
+        REF_NAME="$(normalize_multiline "$REF_NAME")"
+        TITLE="$(normalize_multiline "$TITLE")"
+
         # Escape JSON special characters
         escape_json() {
           local input="$1"
@@ -59,12 +75,12 @@ runs:
         }
 
         REF_NAME_ESC=$(escape_json "$REF_NAME")
-        FAILED_JOBS_ESC=$(escape_json "$FAILED_JOBS")
+        DETAILS_ESC=$(escape_json "$DETAILS")
         WORKFLOW_URL_ESC=$(escape_json "$WORKFLOW_URL")
         TITLE_ESC=$(escape_json "$TITLE")
 
         # Build JSON payload piece by piece
-        # Note: FAILED_JOBS_ESC already contains \n sequences that should remain as \n in JSON
+        # Note: DETAILS_ESC already contains \n sequences that should remain as \n in JSON
         PAYLOAD="{"
         PAYLOAD="${PAYLOAD}\"text\":\"${TITLE_ESC}\","
         PAYLOAD="${PAYLOAD}\"blocks\":[{"
@@ -79,10 +95,10 @@ runs:
         PAYLOAD="${PAYLOAD}{\"type\":\"mrkdwn\",\"text\":\"*Run ID:*\\n#${RUN_NUMBER}\"}"
         PAYLOAD="${PAYLOAD}]"
         PAYLOAD="${PAYLOAD}}"
-        if [ -n "$FAILED_JOBS" ]; then
+        if [ -n "$DETAILS" ]; then
           PAYLOAD="${PAYLOAD},{"
           PAYLOAD="${PAYLOAD}\"type\":\"section\","
-          PAYLOAD="${PAYLOAD}\"text\":{\"type\":\"mrkdwn\",\"text\":\"*Failed Jobs:*\\n${FAILED_JOBS_ESC}\"}"
+          PAYLOAD="${PAYLOAD}\"text\":{\"type\":\"mrkdwn\",\"text\":\"${DETAILS_ESC}\"}"
           PAYLOAD="${PAYLOAD}}"
         fi
         PAYLOAD="${PAYLOAD},{"
@@ -99,4 +115,3 @@ runs:
         curl -X POST -H 'Content-type: application/json' \
           --data "$PAYLOAD" \
           "$SLACK_WEBHOOK_URL"
-

.github/workflows/deployment.yml

@@ -29,20 +29,32 @@ jobs:
       build-backend-craft: ${{ steps.check.outputs.build-backend-craft }}
       build-model-server: ${{ steps.check.outputs.build-model-server }}
       is-cloud-tag: ${{ steps.check.outputs.is-cloud-tag }}
-      is-stable: ${{ steps.check.outputs.is-stable }}
       is-beta: ${{ steps.check.outputs.is-beta }}
-      is-stable-standalone: ${{ steps.check.outputs.is-stable-standalone }}
       is-beta-standalone: ${{ steps.check.outputs.is-beta-standalone }}
-      is-craft-latest: ${{ steps.check.outputs.is-craft-latest }}
+      is-latest: ${{ steps.check.outputs.is-latest }}
       is-test-run: ${{ steps.check.outputs.is-test-run }}
       sanitized-tag: ${{ steps.check.outputs.sanitized-tag }}
       short-sha: ${{ steps.check.outputs.short-sha }}
     steps:
+      - name: Checkout (for git tags)
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Setup uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # ratchet:astral-sh/setup-uv@v7
+        with:
+          version: "0.9.9"
+          enable-cache: false
+
       - name: Check which components to build and version info
         id: check
         env:
           EVENT_NAME: ${{ github.event_name }}
         run: |
+          set -eo pipefail
           TAG="${GITHUB_REF_NAME}"
           # Sanitize tag name by replacing slashes with hyphens (for Docker tag compatibility)
           SANITIZED_TAG=$(echo "$TAG" | tr '/' '-')
@@ -54,9 +66,8 @@ jobs:
           IS_VERSION_TAG=false
           IS_STABLE=false
           IS_BETA=false
-          IS_STABLE_STANDALONE=false
           IS_BETA_STANDALONE=false
-          IS_CRAFT_LATEST=false
+          IS_LATEST=false
           IS_PROD_TAG=false
           IS_TEST_RUN=false
           BUILD_DESKTOP=false
@@ -67,9 +78,6 @@ jobs:
           BUILD_MODEL_SERVER=true
 
           # Determine tag type based on pattern matching (do regex checks once)
-          if [[ "$TAG" == craft-* ]]; then
-            IS_CRAFT_LATEST=true
-          fi
           if [[ "$TAG" == *cloud* ]]; then
             IS_CLOUD=true
           fi
@@ -97,20 +105,28 @@ jobs:
             fi
           fi
 
-          # Craft-latest builds backend with Craft enabled
-          if [[ "$IS_CRAFT_LATEST" == "true" ]]; then
-            BUILD_BACKEND_CRAFT=true
-            BUILD_BACKEND=false
-          fi
-
           # Standalone version checks (for backend/model-server - version excluding cloud tags)
-          if [[ "$IS_STABLE" == "true" ]] && [[ "$IS_CLOUD" != "true" ]]; then
-            IS_STABLE_STANDALONE=true
-          fi
           if [[ "$IS_BETA" == "true" ]] && [[ "$IS_CLOUD" != "true" ]]; then
             IS_BETA_STANDALONE=true
           fi
 
+          # Determine if this tag should get the "latest" Docker tag.
+          # Only the highest semver stable tag (vX.Y.Z exactly) gets "latest".
+          if [[ "$IS_STABLE" == "true" ]]; then
+            HIGHEST_STABLE=$(uv run --no-sync --with onyx-devtools ods latest-stable-tag) || {
+              echo "::error::Failed to determine highest stable tag via 'ods latest-stable-tag'"
+              exit 1
+            }
+            if [[ "$TAG" == "$HIGHEST_STABLE" ]]; then
+              IS_LATEST=true
+            fi
+          fi
+
+          # Build craft-latest backend alongside the regular latest.
+          if [[ "$IS_LATEST" == "true" ]]; then
+            BUILD_BACKEND_CRAFT=true
+          fi
+
           # Determine if this is a production tag
           # Production tags are: version tags (v1.2.3*) or nightly tags
           if [[ "$IS_VERSION_TAG" == "true" ]] || [[ "$IS_NIGHTLY" == "true" ]]; then
@@ -129,11 +145,9 @@ jobs:
             echo "build-backend-craft=$BUILD_BACKEND_CRAFT"
             echo "build-model-server=$BUILD_MODEL_SERVER"
             echo "is-cloud-tag=$IS_CLOUD"
-            echo "is-stable=$IS_STABLE"
             echo "is-beta=$IS_BETA"
-            echo "is-stable-standalone=$IS_STABLE_STANDALONE"
             echo "is-beta-standalone=$IS_BETA_STANDALONE"
-            echo "is-craft-latest=$IS_CRAFT_LATEST"
+            echo "is-latest=$IS_LATEST"
             echo "is-test-run=$IS_TEST_RUN"
             echo "sanitized-tag=$SANITIZED_TAG"
             echo "short-sha=$SHORT_SHA"
@@ -600,7 +614,7 @@ jobs:
             latest=false
           tags: |
             type=raw,value=${{ needs.determine-builds.outputs.is-test-run == 'true' && format('web-{0}', needs.determine-builds.outputs.sanitized-tag) || github.ref_name }}
-            type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && needs.determine-builds.outputs.is-stable == 'true' && 'latest' || '' }}
+            type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && needs.determine-builds.outputs.is-latest == 'true' && 'latest' || '' }}
             type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && env.EDGE_TAG == 'true' && 'edge' || '' }}
             type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && needs.determine-builds.outputs.is-beta == 'true' && 'beta' || '' }}
 
@@ -1037,7 +1051,7 @@ jobs:
             latest=false
           tags: |
             type=raw,value=${{ needs.determine-builds.outputs.is-test-run == 'true' && format('backend-{0}', needs.determine-builds.outputs.sanitized-tag) || github.ref_name }}
-            type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && needs.determine-builds.outputs.is-stable-standalone == 'true' && 'latest' || '' }}
+            type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && needs.determine-builds.outputs.is-latest == 'true' && 'latest' || '' }}
             type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && env.EDGE_TAG == 'true' && 'edge' || '' }}
             type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && needs.determine-builds.outputs.is-beta-standalone == 'true' && 'beta' || '' }}
 
@@ -1473,7 +1487,7 @@ jobs:
             latest=false
           tags: |
             type=raw,value=${{ needs.determine-builds.outputs.is-test-run == 'true' && format('model-server-{0}', needs.determine-builds.outputs.sanitized-tag) || github.ref_name }}
-            type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && needs.determine-builds.outputs.is-stable-standalone == 'true' && 'latest' || '' }}
+            type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && needs.determine-builds.outputs.is-latest == 'true' && 'latest' || '' }}
             type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && env.EDGE_TAG == 'true' && 'edge' || '' }}
             type=raw,value=${{ needs.determine-builds.outputs.is-test-run != 'true' && needs.determine-builds.outputs.is-beta-standalone == 'true' && 'beta' || '' }}
 

.github/workflows/post-merge-beta-cherry-pick.yml

@@ -1,67 +1,112 @@
 name: Post-Merge Beta Cherry-Pick
 
 on:
-  push:
-    branches:
-      - main
+  pull_request_target:
+    types:
+      - closed
 
+# SECURITY NOTE:
+# This workflow intentionally uses pull_request_target so post-merge automation can
+# use base-repo credentials. Do not checkout PR head refs in this workflow
+# (e.g. github.event.pull_request.head.sha). Only trusted base refs are allowed.
 permissions:
   contents: read
 
 jobs:
-  cherry-pick-to-latest-release:
-    permissions:
-      contents: write
-      pull-requests: write
+  resolve-cherry-pick-request:
+    if: >-
+      github.event.pull_request.merged == true
+      && github.event.pull_request.base.ref == 'main'
+      && github.event.pull_request.head.repo.full_name == github.repository
     outputs:
       should_cherrypick: ${{ steps.gate.outputs.should_cherrypick }}
       pr_number: ${{ steps.gate.outputs.pr_number }}
-      cherry_pick_reason: ${{ steps.run_cherry_pick.outputs.reason }}
-      cherry_pick_details: ${{ steps.run_cherry_pick.outputs.details }}
+      merge_commit_sha: ${{ steps.gate.outputs.merge_commit_sha }}
+      merged_by: ${{ steps.gate.outputs.merged_by }}
+      gate_error: ${{ steps.gate.outputs.gate_error }}
     runs-on: ubuntu-latest
-    timeout-minutes: 45
+    timeout-minutes: 10
     steps:
       - name: Resolve merged PR and checkbox state
         id: gate
         env:
           GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          # SECURITY: keep PR body in env/plain-text handling; avoid directly
+          # inlining github.event.pull_request.body into shell commands.
+          PR_BODY: ${{ github.event.pull_request.body }}
+          MERGE_COMMIT_SHA: ${{ github.event.pull_request.merge_commit_sha }}
+          MERGED_BY: ${{ github.event.pull_request.merged_by.login }}
+          # Explicit merger allowlist used because pull_request_target runs with
+          # the default GITHUB_TOKEN, which cannot reliably read org/team
+          # membership for this repository context.
+          ALLOWED_MERGERS: |
+            acaprau
+            bo-onyx
+            danelegend
+            duo-onyx
+            evan-onyx
+            jessicasingh7
+            jmelahman
+            joachim-danswer
+            justin-tahara
+            nmgarza5
+            raunakab
+            rohoswagger
+            subash-mohan
+            trial2onyx
+            wenxi-onyx
+            weves
+            yuhongsun96
         run: |
-          # For the commit that triggered this workflow (HEAD on main), fetch all
-          # associated PRs and keep only the PR that was actually merged into main
-          # with this exact merge commit SHA.
-          pr_numbers="$(gh api "repos/${GITHUB_REPOSITORY}/commits/${GITHUB_SHA}/pulls" | jq -r --arg sha "${GITHUB_SHA}" '.[] | select(.merged_at != null and .base.ref == "main" and .merge_commit_sha == $sha) | .number')"
-          match_count="$(printf '%s\n' "$pr_numbers" | sed '/^[[:space:]]*$/d' | wc -l | tr -d ' ')"
-          pr_number="$(printf '%s\n' "$pr_numbers" | sed '/^[[:space:]]*$/d' | head -n 1)"
+          echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
+          echo "merged_by=${MERGED_BY}" >> "$GITHUB_OUTPUT"
 
-          if [ "${match_count}" -gt 1 ]; then
-            echo "::warning::Multiple merged PRs matched commit ${GITHUB_SHA}. Using PR #${pr_number}."
-          fi
-
-          if [ -z "$pr_number" ]; then
-            echo "No merged PR associated with commit ${GITHUB_SHA}; skipping."
+          if ! echo "${PR_BODY}" | grep -qiE "\\[x\\][[:space:]]*(\\[[^]]+\\][[:space:]]*)?Please cherry-pick this PR to the latest release version"; then
             echo "should_cherrypick=false" >> "$GITHUB_OUTPUT"
+            echo "Cherry-pick checkbox not checked for PR #${PR_NUMBER}. Skipping."
             exit 0
           fi
 
-          # Read the PR once so we can gate behavior and infer preferred actor.
-          pr_json="$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${pr_number}")"
-          pr_body="$(printf '%s' "$pr_json" | jq -r '.body // ""')"
-          merged_by="$(printf '%s' "$pr_json" | jq -r '.merged_by.login // ""')"
+          # Keep should_cherrypick output before any possible exit 1 below so
+          # notify-slack can still gate on this output even if this job fails.
+          echo "should_cherrypick=true" >> "$GITHUB_OUTPUT"
+          echo "Cherry-pick checkbox checked for PR #${PR_NUMBER}."
 
-          echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
-          echo "merged_by=$merged_by" >> "$GITHUB_OUTPUT"
-
-          if echo "$pr_body" | grep -qiE "\\[x\\][[:space:]]*(\\[[^]]+\\][[:space:]]*)?Please cherry-pick this PR to the latest release version"; then
-            echo "should_cherrypick=true" >> "$GITHUB_OUTPUT"
-            echo "Cherry-pick checkbox checked for PR #${pr_number}."
-            exit 0
+          if [ -z "${MERGE_COMMIT_SHA}" ] || [ "${MERGE_COMMIT_SHA}" = "null" ]; then
+            echo "gate_error=missing-merge-commit-sha" >> "$GITHUB_OUTPUT"
+            echo "::error::PR #${PR_NUMBER} requested cherry-pick, but merge_commit_sha is missing."
+            exit 1
           fi
 
-          echo "should_cherrypick=false" >> "$GITHUB_OUTPUT"
-          echo "Cherry-pick checkbox not checked for PR #${pr_number}. Skipping."
+          echo "merge_commit_sha=${MERGE_COMMIT_SHA}" >> "$GITHUB_OUTPUT"
 
+          normalized_merged_by="$(printf '%s' "${MERGED_BY}" | tr '[:upper:]' '[:lower:]')"
+          normalized_allowed_mergers="$(printf '%s\n' "${ALLOWED_MERGERS}" | tr '[:upper:]' '[:lower:]')"
+          if ! printf '%s\n' "${normalized_allowed_mergers}" | grep -Fxq "${normalized_merged_by}"; then
+            echo "gate_error=not-allowed-merger" >> "$GITHUB_OUTPUT"
+            echo "::error::${MERGED_BY} is not in the explicit cherry-pick merger allowlist. Failing cherry-pick gate."
+            exit 1
+          fi
+
+          exit 0
+
+  cherry-pick-to-latest-release:
+    needs:
+      - resolve-cherry-pick-request
+    if: needs.resolve-cherry-pick-request.outputs.should_cherrypick == 'true' && needs.resolve-cherry-pick-request.result == 'success'
+    permissions:
+      contents: write
+      pull-requests: write
+    outputs:
+      cherry_pick_pr_url: ${{ steps.run_cherry_pick.outputs.pr_url }}
+      cherry_pick_reason: ${{ steps.run_cherry_pick.outputs.reason }}
+      cherry_pick_details: ${{ steps.run_cherry_pick.outputs.details }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
       - name: Checkout repository
-        if: steps.gate.outputs.should_cherrypick == 'true'
+        # SECURITY: keep checkout pinned to trusted base branch; do not switch to PR head refs.
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
         with:
           fetch-depth: 0
@@ -69,34 +114,44 @@ jobs:
           ref: main
 
       - name: Install the latest version of uv
-        if: steps.gate.outputs.should_cherrypick == 'true'
         uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # ratchet:astral-sh/setup-uv@v7
         with:
           enable-cache: false
           version: "0.9.9"
 
       - name: Configure git identity
-        if: steps.gate.outputs.should_cherrypick == 'true'
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
       - name: Create cherry-pick PR to latest release
         id: run_cherry_pick
-        if: steps.gate.outputs.should_cherrypick == 'true'
-        continue-on-error: true
         env:
           GH_TOKEN: ${{ github.token }}
           GITHUB_TOKEN: ${{ github.token }}
-          CHERRY_PICK_ASSIGNEE: ${{ steps.gate.outputs.merged_by }}
+          CHERRY_PICK_ASSIGNEE: ${{ needs.resolve-cherry-pick-request.outputs.merged_by }}
+          MERGE_COMMIT_SHA: ${{ needs.resolve-cherry-pick-request.outputs.merge_commit_sha }}
         run: |
-          set -o pipefail
           output_file="$(mktemp)"
-          uv run --no-sync --with onyx-devtools ods cherry-pick "${GITHUB_SHA}" --yes --no-verify 2>&1 | tee "$output_file"
-          exit_code="${PIPESTATUS[0]}"
+          set +e
+          uv run --no-sync --with onyx-devtools ods cherry-pick "${MERGE_COMMIT_SHA}" --yes --no-verify 2>&1 | tee "$output_file"
+          pipe_statuses=("${PIPESTATUS[@]}")
+          exit_code="${pipe_statuses[0]}"
+          tee_exit="${pipe_statuses[1]:-0}"
+          set -e
+          if [ "${tee_exit}" -ne 0 ]; then
+            echo "status=failure" >> "$GITHUB_OUTPUT"
+            echo "reason=output-capture-failed" >> "$GITHUB_OUTPUT"
+            echo "::error::tee failed to capture cherry-pick output (exit ${tee_exit}); cannot classify result."
+            exit 1
+          fi
 
           if [ "${exit_code}" -eq 0 ]; then
+            pr_url="$(sed -n 's/^.*PR created successfully: \(https:\/\/github\.com\/[^[:space:]]\+\/pull\/[0-9]\+\).*$/\1/p' "$output_file" | tail -n 1)"
             echo "status=success" >> "$GITHUB_OUTPUT"
+            if [ -n "${pr_url}" ]; then
+              echo "pr_url=${pr_url}" >> "$GITHUB_OUTPUT"
+            fi
             exit 0
           fi
 
@@ -115,17 +170,18 @@ jobs:
           } >> "$GITHUB_OUTPUT"
 
       - name: Mark workflow as failed if cherry-pick failed
-        if: steps.gate.outputs.should_cherrypick == 'true' && steps.run_cherry_pick.outputs.status == 'failure'
+        if: steps.run_cherry_pick.outputs.status == 'failure'
         env:
           CHERRY_PICK_REASON: ${{ steps.run_cherry_pick.outputs.reason }}
         run: |
           echo "::error::Automated cherry-pick failed (${CHERRY_PICK_REASON})."
           exit 1
 
-  notify-slack-on-cherry-pick-failure:
+  notify-slack-on-cherry-pick-success:
     needs:
+      - resolve-cherry-pick-request
       - cherry-pick-to-latest-release
-    if: always() && needs.cherry-pick-to-latest-release.outputs.should_cherrypick == 'true' && needs.cherry-pick-to-latest-release.result != 'success'
+    if: needs.resolve-cherry-pick-request.outputs.should_cherrypick == 'true' && needs.resolve-cherry-pick-request.result == 'success' && needs.cherry-pick-to-latest-release.result == 'success'
     runs-on: ubuntu-slim
     timeout-minutes: 10
     steps:
@@ -134,22 +190,95 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Fail if Slack webhook secret is missing
+        env:
+          CHERRY_PICK_PRS_WEBHOOK: ${{ secrets.CHERRY_PICK_PRS_WEBHOOK }}
+        run: |
+          if [ -z "${CHERRY_PICK_PRS_WEBHOOK}" ]; then
+            echo "::error::CHERRY_PICK_PRS_WEBHOOK is not configured."
+            exit 1
+          fi
+
+      - name: Build cherry-pick success summary
+        id: success-summary
+        env:
+          SOURCE_PR_NUMBER: ${{ needs.resolve-cherry-pick-request.outputs.pr_number }}
+          MERGE_COMMIT_SHA: ${{ needs.resolve-cherry-pick-request.outputs.merge_commit_sha }}
+          CHERRY_PICK_PR_URL: ${{ needs.cherry-pick-to-latest-release.outputs.cherry_pick_pr_url }}
+        run: |
+          source_pr_url="https://github.com/${GITHUB_REPOSITORY}/pull/${SOURCE_PR_NUMBER}"
+          details="*Cherry-pick PR opened successfully.*\\n• source PR: ${source_pr_url}"
+          if [ -n "${CHERRY_PICK_PR_URL}" ]; then
+            details="${details}\\n• cherry-pick PR: ${CHERRY_PICK_PR_URL}"
+          fi
+          if [ -n "${MERGE_COMMIT_SHA}" ]; then
+            details="${details}\\n• merge SHA: ${MERGE_COMMIT_SHA}"
+          fi
+
+          echo "details=${details}" >> "$GITHUB_OUTPUT"
+
+      - name: Notify #cherry-pick-prs about cherry-pick success
+        uses: ./.github/actions/slack-notify
+        with:
+          webhook-url: ${{ secrets.CHERRY_PICK_PRS_WEBHOOK }}
+          details: ${{ steps.success-summary.outputs.details }}
+          title: "✅ Automated Cherry-Pick PR Opened"
+          ref-name: ${{ github.event.pull_request.base.ref }}
+
+  notify-slack-on-cherry-pick-failure:
+    needs:
+      - resolve-cherry-pick-request
+      - cherry-pick-to-latest-release
+    if: always() && needs.resolve-cherry-pick-request.outputs.should_cherrypick == 'true' && (needs.resolve-cherry-pick-request.result == 'failure' || needs.cherry-pick-to-latest-release.result == 'failure')
+    runs-on: ubuntu-slim
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Fail if Slack webhook secret is missing
+        env:
+          CHERRY_PICK_PRS_WEBHOOK: ${{ secrets.CHERRY_PICK_PRS_WEBHOOK }}
+        run: |
+          if [ -z "${CHERRY_PICK_PRS_WEBHOOK}" ]; then
+            echo "::error::CHERRY_PICK_PRS_WEBHOOK is not configured."
+            exit 1
+          fi
+
       - name: Build cherry-pick failure summary
         id: failure-summary
         env:
-          SOURCE_PR_NUMBER: ${{ needs.cherry-pick-to-latest-release.outputs.pr_number }}
+          SOURCE_PR_NUMBER: ${{ needs.resolve-cherry-pick-request.outputs.pr_number }}
+          MERGE_COMMIT_SHA: ${{ needs.resolve-cherry-pick-request.outputs.merge_commit_sha }}
+          GATE_ERROR: ${{ needs.resolve-cherry-pick-request.outputs.gate_error }}
           CHERRY_PICK_REASON: ${{ needs.cherry-pick-to-latest-release.outputs.cherry_pick_reason }}
           CHERRY_PICK_DETAILS: ${{ needs.cherry-pick-to-latest-release.outputs.cherry_pick_details }}
         run: |
           source_pr_url="https://github.com/${GITHUB_REPOSITORY}/pull/${SOURCE_PR_NUMBER}"
 
           reason_text="cherry-pick command failed"
-          if [ "${CHERRY_PICK_REASON}" = "merge-conflict" ]; then
+          if [ "${GATE_ERROR}" = "missing-merge-commit-sha" ]; then
+            reason_text="requested cherry-pick but merge commit SHA was missing"
+          elif [ "${GATE_ERROR}" = "not-allowed-merger" ]; then
+            reason_text="merger is not in the explicit cherry-pick allowlist"
+          elif [ "${CHERRY_PICK_REASON}" = "output-capture-failed" ]; then
+            reason_text="failed to capture cherry-pick output for classification"
+          elif [ "${CHERRY_PICK_REASON}" = "merge-conflict" ]; then
             reason_text="merge conflict during cherry-pick"
           fi
 
           details_excerpt="$(printf '%s' "${CHERRY_PICK_DETAILS}" | tail -n 8 | tr '\n' ' ' | sed "s/[[:space:]]\\+/ /g" | sed "s/\"/'/g" | cut -c1-350)"
-          failed_jobs="• cherry-pick-to-latest-release\\n• source PR: ${source_pr_url}\\n• reason: ${reason_text}"
+          if [ -n "${GATE_ERROR}" ]; then
+            failed_job_label="resolve-cherry-pick-request"
+          else
+            failed_job_label="cherry-pick-to-latest-release"
+          fi
+          failed_jobs="• ${failed_job_label}\\n• source PR: ${source_pr_url}\\n• reason: ${reason_text}"
+          if [ -n "${MERGE_COMMIT_SHA}" ]; then
+            failed_jobs="${failed_jobs}\\n• merge SHA: ${MERGE_COMMIT_SHA}"
+          fi
           if [ -n "${details_excerpt}" ]; then
             failed_jobs="${failed_jobs}\\n• excerpt: ${details_excerpt}"
           fi
@@ -160,6 +289,6 @@ jobs:
         uses: ./.github/actions/slack-notify
         with:
           webhook-url: ${{ secrets.CHERRY_PICK_PRS_WEBHOOK }}
-          failed-jobs: ${{ steps.failure-summary.outputs.jobs }}
+          details: ${{ steps.failure-summary.outputs.jobs }}
           title: "🚨 Automated Cherry-Pick Failed"
-          ref-name: ${{ github.ref_name }}
+          ref-name: ${{ github.event.pull_request.base.ref }}

.github/workflows/pr-helm-chart-testing.yml

@@ -133,7 +133,7 @@ jobs:
           echo "=== Validating chart dependencies ==="
           cd deployment/helm/charts/onyx
           helm dependency update
-          helm lint .
+          helm lint . --set auth.userauth.values.user_auth_secret=placeholder
 
       - name: Run chart-testing (install) with enhanced monitoring
         timeout-minutes: 25
@@ -194,6 +194,7 @@ jobs:
               --set=vespa.enabled=false \
               --set=opensearch.enabled=true \
               --set=auth.opensearch.enabled=true \
+              --set=auth.userauth.values.user_auth_secret=test-secret \
               --set=slackbot.enabled=false \
               --set=postgresql.enabled=true \
               --set=postgresql.cluster.storage.storageClass=standard \
@@ -230,6 +231,10 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         run: |
           echo "=== Post-install verification ==="
+          if ! kubectl cluster-info >/dev/null 2>&1; then
+            echo "ERROR: Kubernetes cluster is not reachable after install"
+            exit 1
+          fi
           kubectl get pods --all-namespaces
           kubectl get services --all-namespaces
           # Only show issues if they exist
@@ -239,6 +244,10 @@ jobs:
         if: failure() && steps.list-changed.outputs.changed == 'true'
         run: |
           echo "=== Cleanup on failure ==="
+          if ! kubectl cluster-info >/dev/null 2>&1; then
+            echo "Skipping failure cleanup: Kubernetes cluster is not reachable"
+            exit 0
+          fi
           echo "=== Final cluster state ==="
           kubectl get pods --all-namespaces
           kubectl get events --all-namespaces --sort-by=.lastTimestamp | tail -10

backend/alembic/versions/689433b0d8de_add_hook_and_hook_execution_log_tables.py

@@ -0,0 +1,104 @@
+"""add_hook_and_hook_execution_log_tables
+
+Revision ID: 689433b0d8de
+Revises: 93a2e195e25c
+Create Date: 2026-03-13 11:25:06.547474
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import UUID as PGUUID
+
+
+# revision identifiers, used by Alembic.
+revision = "689433b0d8de"
+down_revision = "93a2e195e25c"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "hook",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(), nullable=False),
+        sa.Column(
+            "hook_point",
+            sa.Enum("document_ingestion", "query_processing", native_enum=False),
+            nullable=False,
+        ),
+        sa.Column("endpoint_url", sa.Text(), nullable=True),
+        sa.Column("api_key", sa.LargeBinary(), nullable=True),
+        sa.Column("is_reachable", sa.Boolean(), nullable=True),
+        sa.Column(
+            "fail_strategy",
+            sa.Enum("hard", "soft", native_enum=False),
+            nullable=False,
+            server_default="hard",
+        ),
+        sa.Column("timeout_seconds", sa.Float(), nullable=False, server_default="30.0"),
+        sa.Column(
+            "is_active", sa.Boolean(), nullable=False, server_default=sa.text("false")
+        ),
+        sa.Column(
+            "deleted", sa.Boolean(), nullable=False, server_default=sa.text("false")
+        ),
+        sa.Column("creator_id", PGUUID(as_uuid=True), nullable=True),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.ForeignKeyConstraint(["creator_id"], ["user.id"], ondelete="SET NULL"),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_index(
+        "ix_hook_one_active_per_point",
+        "hook",
+        ["hook_point"],
+        unique=True,
+        postgresql_where=sa.text("is_active = true AND deleted = false"),
+    )
+
+    op.create_table(
+        "hook_execution_log",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("hook_id", sa.Integer(), nullable=False),
+        sa.Column(
+            "hook_point",
+            sa.Enum("document_ingestion", "query_processing", native_enum=False),
+            nullable=False,
+        ),
+        sa.Column("error_message", sa.Text(), nullable=True),
+        sa.Column("status_code", sa.Integer(), nullable=True),
+        sa.Column("duration_ms", sa.Integer(), nullable=True),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.ForeignKeyConstraint(["hook_id"], ["hook.id"], ondelete="CASCADE"),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_index("ix_hook_execution_log_hook_id", "hook_execution_log", ["hook_id"])
+    op.create_index(
+        "ix_hook_execution_log_created_at", "hook_execution_log", ["created_at"]
+    )
+
+
+def downgrade() -> None:
+    op.drop_index("ix_hook_execution_log_created_at", table_name="hook_execution_log")
+    op.drop_index("ix_hook_execution_log_hook_id", table_name="hook_execution_log")
+    op.drop_table("hook_execution_log")
+
+    op.drop_index("ix_hook_one_active_per_point", table_name="hook")
+    op.drop_table("hook")

backend/alembic/versions/93a2e195e25c_add_voice_provider_and_user_voice_prefs.py

@@ -0,0 +1,117 @@
+"""add_voice_provider_and_user_voice_prefs
+
+Revision ID: 93a2e195e25c
+Revises: 27fb147a843f
+Create Date: 2026-02-23 15:16:39.507304
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy import column
+from sqlalchemy import true
+from sqlalchemy.dialects import postgresql
+
+
+# revision identifiers, used by Alembic.
+revision = "93a2e195e25c"
+down_revision = "27fb147a843f"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # Create voice_provider table
+    op.create_table(
+        "voice_provider",
+        sa.Column("id", sa.Integer(), primary_key=True),
+        sa.Column("name", sa.String(), unique=True, nullable=False),
+        sa.Column("provider_type", sa.String(), nullable=False),
+        sa.Column("api_key", sa.LargeBinary(), nullable=True),
+        sa.Column("api_base", sa.String(), nullable=True),
+        sa.Column("custom_config", postgresql.JSONB(), nullable=True),
+        sa.Column("stt_model", sa.String(), nullable=True),
+        sa.Column("tts_model", sa.String(), nullable=True),
+        sa.Column("default_voice", sa.String(), nullable=True),
+        sa.Column(
+            "is_default_stt", sa.Boolean(), nullable=False, server_default="false"
+        ),
+        sa.Column(
+            "is_default_tts", sa.Boolean(), nullable=False, server_default="false"
+        ),
+        sa.Column("deleted", sa.Boolean(), nullable=False, server_default="false"),
+        sa.Column(
+            "time_created",
+            sa.DateTime(timezone=True),
+            server_default=sa.func.now(),
+            nullable=False,
+        ),
+        sa.Column(
+            "time_updated",
+            sa.DateTime(timezone=True),
+            server_default=sa.func.now(),
+            onupdate=sa.func.now(),
+            nullable=False,
+        ),
+    )
+
+    # Add partial unique indexes to enforce only one default STT/TTS provider
+    op.create_index(
+        "ix_voice_provider_one_default_stt",
+        "voice_provider",
+        ["is_default_stt"],
+        unique=True,
+        postgresql_where=column("is_default_stt") == true(),
+    )
+    op.create_index(
+        "ix_voice_provider_one_default_tts",
+        "voice_provider",
+        ["is_default_tts"],
+        unique=True,
+        postgresql_where=column("is_default_tts") == true(),
+    )
+
+    # Add voice preference columns to user table
+    op.add_column(
+        "user",
+        sa.Column(
+            "voice_auto_send",
+            sa.Boolean(),
+            default=False,
+            nullable=False,
+            server_default="false",
+        ),
+    )
+    op.add_column(
+        "user",
+        sa.Column(
+            "voice_auto_playback",
+            sa.Boolean(),
+            default=False,
+            nullable=False,
+            server_default="false",
+        ),
+    )
+    op.add_column(
+        "user",
+        sa.Column(
+            "voice_playback_speed",
+            sa.Float(),
+            default=1.0,
+            nullable=False,
+            server_default="1.0",
+        ),
+    )
+
+
+def downgrade() -> None:
+    # Remove user voice preference columns
+    op.drop_column("user", "voice_playback_speed")
+    op.drop_column("user", "voice_auto_playback")
+    op.drop_column("user", "voice_auto_send")
+
+    op.drop_index("ix_voice_provider_one_default_tts", table_name="voice_provider")
+    op.drop_index("ix_voice_provider_one_default_stt", table_name="voice_provider")
+
+    # Drop voice_provider table
+    op.drop_table("voice_provider")

backend/onyx/auth/users.py

@@ -1,3 +1,5 @@
+import base64
+import hashlib
 import json
 import os
 import random
@@ -29,6 +31,8 @@ from fastapi import Query
 from fastapi import Request
 from fastapi import Response
 from fastapi import status
+from fastapi import WebSocket
+from fastapi.responses import JSONResponse
 from fastapi.responses import RedirectResponse
 from fastapi.security import OAuth2PasswordRequestForm
 from fastapi_users import BaseUserManager
@@ -55,6 +59,7 @@ from fastapi_users.router.common import ErrorModel
 from fastapi_users_db_sqlalchemy import SQLAlchemyUserDatabase
 from httpx_oauth.integrations.fastapi import OAuth2AuthorizeCallback
 from httpx_oauth.oauth2 import BaseOAuth2
+from httpx_oauth.oauth2 import GetAccessTokenError
 from httpx_oauth.oauth2 import OAuth2Token
 from pydantic import BaseModel
 from sqlalchemy import nulls_last
@@ -120,7 +125,12 @@ from onyx.db.models import Persona
 from onyx.db.models import User
 from onyx.db.pat import fetch_user_for_pat
 from onyx.db.users import get_user_by_email
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import log_onyx_error
+from onyx.error_handling.exceptions import onyx_error_to_json_response
+from onyx.error_handling.exceptions import OnyxError
 from onyx.redis.redis_pool import get_async_redis_connection
+from onyx.redis.redis_pool import retrieve_ws_token_data
 from onyx.server.settings.store import load_settings
 from onyx.server.utils import BasicAuthenticationError
 from onyx.utils.logger import setup_logger
@@ -1612,6 +1622,102 @@ async def current_admin_user(user: User = Depends(current_user)) -> User:
     return user
 
 
+async def _get_user_from_token_data(token_data: dict) -> User | None:
+    """Shared logic: token data dict → User object.
+
+    Args:
+        token_data: Decoded token data containing 'sub' (user ID).
+
+    Returns:
+        User object if found and active, None otherwise.
+    """
+    user_id = token_data.get("sub")
+    if not user_id:
+        return None
+
+    try:
+        user_uuid = uuid.UUID(user_id)
+    except ValueError:
+        return None
+
+    async with get_async_session_context_manager() as async_db_session:
+        user = await async_db_session.get(User, user_uuid)
+        if user is None or not user.is_active:
+            return None
+        return user
+
+
+async def current_user_from_websocket(
+    websocket: WebSocket,
+    token: str = Query(..., description="WebSocket authentication token"),
+) -> User:
+    """
+    WebSocket authentication dependency using query parameter.
+
+    Validates the WS token from query param and returns the User.
+    Raises BasicAuthenticationError if authentication fails.
+
+    The token must be obtained from POST /voice/ws-token before connecting.
+    Tokens are single-use and expire after 60 seconds.
+
+    Usage:
+        1. POST /voice/ws-token -> {"token": "xxx"}
+        2. Connect to ws://host/path?token=xxx
+
+    This applies the same auth checks as current_user() for HTTP endpoints.
+    """
+    # Check Origin header to prevent Cross-Site WebSocket Hijacking (CSWSH)
+    # Browsers always send Origin on WebSocket connections
+    origin = websocket.headers.get("origin")
+    expected_origin = WEB_DOMAIN.rstrip("/")
+    if not origin:
+        logger.warning("WS auth: missing Origin header")
+        raise BasicAuthenticationError(detail="Access denied. Missing origin.")
+
+    actual_origin = origin.rstrip("/")
+    if actual_origin != expected_origin:
+        logger.warning(
+            f"WS auth: origin mismatch. Expected {expected_origin}, got {actual_origin}"
+        )
+        raise BasicAuthenticationError(detail="Access denied. Invalid origin.")
+
+    # Validate WS token in Redis (single-use, deleted after retrieval)
+    try:
+        token_data = await retrieve_ws_token_data(token)
+        if token_data is None:
+            raise BasicAuthenticationError(
+                detail="Access denied. Invalid or expired authentication token."
+            )
+    except BasicAuthenticationError:
+        raise
+    except Exception as e:
+        logger.error(f"WS auth: error during token validation: {e}")
+        raise BasicAuthenticationError(
+            detail="Authentication verification failed."
+        ) from e
+
+    # Get user from token data
+    user = await _get_user_from_token_data(token_data)
+    if user is None:
+        logger.warning(f"WS auth: user not found for id={token_data.get('sub')}")
+        raise BasicAuthenticationError(
+            detail="Access denied. User not found or inactive."
+        )
+
+    # Apply same checks as HTTP auth (verification, OIDC expiry, role)
+    user = await double_check_user(user)
+
+    # Block LIMITED users (same as current_user)
+    if user.role == UserRole.LIMITED:
+        logger.warning(f"WS auth: user {user.email} has LIMITED role")
+        raise BasicAuthenticationError(
+            detail="Access denied. User role is LIMITED. BASIC or higher permissions are required.",
+        )
+
+    logger.debug(f"WS auth: authenticated {user.email}")
+    return user
+
+
 def get_default_admin_user_emails_() -> list[str]:
     # No default seeding available for Onyx MIT
     return []
@@ -1621,6 +1727,7 @@ STATE_TOKEN_AUDIENCE = "fastapi-users:oauth-state"
 STATE_TOKEN_LIFETIME_SECONDS = 3600
 CSRF_TOKEN_KEY = "csrftoken"
 CSRF_TOKEN_COOKIE_NAME = "fastapiusersoauthcsrf"
+PKCE_COOKIE_NAME_PREFIX = "fastapiusersoauthpkce"
 
 
 class OAuth2AuthorizeResponse(BaseModel):
@@ -1641,6 +1748,21 @@ def generate_csrf_token() -> str:
     return secrets.token_urlsafe(32)
 
 
+def _base64url_encode(data: bytes) -> str:
+    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
+
+
+def generate_pkce_pair() -> tuple[str, str]:
+    verifier = secrets.token_urlsafe(64)
+    challenge = _base64url_encode(hashlib.sha256(verifier.encode("ascii")).digest())
+    return verifier, challenge
+
+
+def get_pkce_cookie_name(state: str) -> str:
+    state_hash = hashlib.sha256(state.encode("utf-8")).hexdigest()
+    return f"{PKCE_COOKIE_NAME_PREFIX}_{state_hash}"
+
+
 # refer to https://github.com/fastapi-users/fastapi-users/blob/42ddc241b965475390e2bce887b084152ae1a2cd/fastapi_users/fastapi_users.py#L91
 def create_onyx_oauth_router(
     oauth_client: BaseOAuth2,
@@ -1649,6 +1771,7 @@ def create_onyx_oauth_router(
     redirect_url: Optional[str] = None,
     associate_by_email: bool = False,
     is_verified_by_default: bool = False,
+    enable_pkce: bool = False,
 ) -> APIRouter:
     return get_oauth_router(
         oauth_client,
@@ -1658,6 +1781,7 @@ def create_onyx_oauth_router(
         redirect_url,
         associate_by_email,
         is_verified_by_default,
+        enable_pkce=enable_pkce,
     )
 
 
@@ -1676,6 +1800,7 @@ def get_oauth_router(
     csrf_token_cookie_secure: Optional[bool] = None,
     csrf_token_cookie_httponly: bool = True,
     csrf_token_cookie_samesite: Optional[Literal["lax", "strict", "none"]] = "lax",
+    enable_pkce: bool = False,
 ) -> APIRouter:
     """Generate a router with the OAuth routes."""
     router = APIRouter()
@@ -1692,6 +1817,13 @@ def get_oauth_router(
             route_name=callback_route_name,
         )
 
+    async def null_access_token_state() -> tuple[OAuth2Token, Optional[str]] | None:
+        return None
+
+    access_token_state_dependency = (
+        oauth2_authorize_callback if not enable_pkce else null_access_token_state
+    )
+
     if csrf_token_cookie_secure is None:
         csrf_token_cookie_secure = WEB_DOMAIN.startswith("https")
 
@@ -1725,13 +1857,26 @@ def get_oauth_router(
             CSRF_TOKEN_KEY: csrf_token,
         }
         state = generate_state_token(state_data, state_secret)
+        pkce_cookie: tuple[str, str] | None = None
 
-        # Get the basic authorization URL
-        authorization_url = await oauth_client.get_authorization_url(
-            authorize_redirect_url,
-            state,
-            scopes,
-        )
+        if enable_pkce:
+            code_verifier, code_challenge = generate_pkce_pair()
+            pkce_cookie_name = get_pkce_cookie_name(state)
+            pkce_cookie = (pkce_cookie_name, code_verifier)
+            authorization_url = await oauth_client.get_authorization_url(
+                authorize_redirect_url,
+                state,
+                scopes,
+                code_challenge=code_challenge,
+                code_challenge_method="S256",
+            )
+        else:
+            # Get the basic authorization URL
+            authorization_url = await oauth_client.get_authorization_url(
+                authorize_redirect_url,
+                state,
+                scopes,
+            )
 
         # For Google OAuth, add parameters to request refresh tokens
         if oauth_client.name == "google":
@@ -1739,11 +1884,15 @@ def get_oauth_router(
                 authorization_url, {"access_type": "offline", "prompt": "consent"}
             )
 
-        if redirect:
-            redirect_response = RedirectResponse(authorization_url, status_code=302)
-            redirect_response.set_cookie(
-                key=csrf_token_cookie_name,
-                value=csrf_token,
+        def set_oauth_cookie(
+            target_response: Response,
+            *,
+            key: str,
+            value: str,
+        ) -> None:
+            target_response.set_cookie(
+                key=key,
+                value=value,
                 max_age=STATE_TOKEN_LIFETIME_SECONDS,
                 path=csrf_token_cookie_path,
                 domain=csrf_token_cookie_domain,
@@ -1751,18 +1900,28 @@ def get_oauth_router(
                 httponly=csrf_token_cookie_httponly,
                 samesite=csrf_token_cookie_samesite,
             )
-            return redirect_response
 
-        response.set_cookie(
+        response_with_cookies: Response
+        if redirect:
+            response_with_cookies = RedirectResponse(authorization_url, status_code=302)
+        else:
+            response_with_cookies = response
+
+        set_oauth_cookie(
+            response_with_cookies,
             key=csrf_token_cookie_name,
             value=csrf_token,
-            max_age=STATE_TOKEN_LIFETIME_SECONDS,
-            path=csrf_token_cookie_path,
-            domain=csrf_token_cookie_domain,
-            secure=csrf_token_cookie_secure,
-            httponly=csrf_token_cookie_httponly,
-            samesite=csrf_token_cookie_samesite,
         )
+        if pkce_cookie is not None:
+            pkce_cookie_name, code_verifier = pkce_cookie
+            set_oauth_cookie(
+                response_with_cookies,
+                key=pkce_cookie_name,
+                value=code_verifier,
+            )
+
+        if redirect:
+            return response_with_cookies
 
         return OAuth2AuthorizeResponse(authorization_url=authorization_url)
 
@@ -1793,119 +1952,242 @@ def get_oauth_router(
     )
     async def callback(
         request: Request,
-        access_token_state: Tuple[OAuth2Token, str] = Depends(
-            oauth2_authorize_callback
+        access_token_state: Tuple[OAuth2Token, Optional[str]] | None = Depends(
+            access_token_state_dependency
         ),
+        code: Optional[str] = None,
+        state: Optional[str] = None,
+        error: Optional[str] = None,
         user_manager: BaseUserManager[models.UP, models.ID] = Depends(get_user_manager),
         strategy: Strategy[models.UP, models.ID] = Depends(backend.get_strategy),
-    ) -> RedirectResponse:
-        token, state = access_token_state
-        account_id, account_email = await oauth_client.get_id_email(
-            token["access_token"]
-        )
+    ) -> Response:
+        pkce_cookie_name: str | None = None
 
-        if account_email is None:
-            raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=ErrorCode.OAUTH_NOT_AVAILABLE_EMAIL,
-            )
+        def delete_pkce_cookie(response: Response) -> None:
+            if enable_pkce and pkce_cookie_name:
+                response.delete_cookie(
+                    key=pkce_cookie_name,
+                    path=csrf_token_cookie_path,
+                    domain=csrf_token_cookie_domain,
+                    secure=csrf_token_cookie_secure,
+                    httponly=csrf_token_cookie_httponly,
+                    samesite=csrf_token_cookie_samesite,
+                )
 
-        try:
-            state_data = decode_jwt(state, state_secret, [STATE_TOKEN_AUDIENCE])
-        except jwt.DecodeError:
-            raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=getattr(
-                    ErrorCode, "ACCESS_TOKEN_DECODE_ERROR", "ACCESS_TOKEN_DECODE_ERROR"
-                ),
-            )
-        except jwt.ExpiredSignatureError:
-            raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=getattr(
-                    ErrorCode,
-                    "ACCESS_TOKEN_ALREADY_EXPIRED",
-                    "ACCESS_TOKEN_ALREADY_EXPIRED",
-                ),
-            )
+        def build_error_response(exc: OnyxError) -> JSONResponse:
+            log_onyx_error(exc)
+            error_response = onyx_error_to_json_response(exc)
+            delete_pkce_cookie(error_response)
+            return error_response
 
-        cookie_csrf_token = request.cookies.get(csrf_token_cookie_name)
-        state_csrf_token = state_data.get(CSRF_TOKEN_KEY)
-        if (
-            not cookie_csrf_token
-            or not state_csrf_token
-            or not secrets.compare_digest(cookie_csrf_token, state_csrf_token)
-        ):
-            raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=getattr(ErrorCode, "OAUTH_INVALID_STATE", "OAUTH_INVALID_STATE"),
-            )
+        def decode_and_validate_state(state_value: str) -> Dict[str, str]:
+            try:
+                state_data = decode_jwt(
+                    state_value, state_secret, [STATE_TOKEN_AUDIENCE]
+                )
+            except jwt.DecodeError:
+                raise OnyxError(
+                    OnyxErrorCode.VALIDATION_ERROR,
+                    getattr(
+                        ErrorCode,
+                        "ACCESS_TOKEN_DECODE_ERROR",
+                        "ACCESS_TOKEN_DECODE_ERROR",
+                    ),
+                )
+            except jwt.ExpiredSignatureError:
+                raise OnyxError(
+                    OnyxErrorCode.VALIDATION_ERROR,
+                    getattr(
+                        ErrorCode,
+                        "ACCESS_TOKEN_ALREADY_EXPIRED",
+                        "ACCESS_TOKEN_ALREADY_EXPIRED",
+                    ),
+                )
+            except jwt.PyJWTError:
+                raise OnyxError(
+                    OnyxErrorCode.VALIDATION_ERROR,
+                    getattr(
+                        ErrorCode,
+                        "ACCESS_TOKEN_DECODE_ERROR",
+                        "ACCESS_TOKEN_DECODE_ERROR",
+                    ),
+                )
 
-        next_url = state_data.get("next_url", "/")
-        referral_source = state_data.get("referral_source", None)
-        try:
-            tenant_id = fetch_ee_implementation_or_noop(
-                "onyx.server.tenants.user_mapping", "get_tenant_id_for_email", None
-            )(account_email)
-        except exceptions.UserNotExists:
-            tenant_id = None
+            cookie_csrf_token = request.cookies.get(csrf_token_cookie_name)
+            state_csrf_token = state_data.get(CSRF_TOKEN_KEY)
+            if (
+                not cookie_csrf_token
+                or not state_csrf_token
+                or not secrets.compare_digest(cookie_csrf_token, state_csrf_token)
+            ):
+                raise OnyxError(
+                    OnyxErrorCode.VALIDATION_ERROR,
+                    getattr(ErrorCode, "OAUTH_INVALID_STATE", "OAUTH_INVALID_STATE"),
+                )
 
-        request.state.referral_source = referral_source
+            return state_data
 
-        # Proceed to authenticate or create the user
-        try:
-            user = await user_manager.oauth_callback(
-                oauth_client.name,
-                token["access_token"],
-                account_id,
-                account_email,
-                token.get("expires_at"),
-                token.get("refresh_token"),
-                request,
-                associate_by_email=associate_by_email,
-                is_verified_by_default=is_verified_by_default,
-            )
-        except UserAlreadyExists:
-            raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=ErrorCode.OAUTH_USER_ALREADY_EXISTS,
-            )
+        token: OAuth2Token
+        state_data: Dict[str, str]
 
-        if not user.is_active:
-            raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=ErrorCode.LOGIN_BAD_CREDENTIALS,
-            )
+        # `code`, `state`, and `error` are read directly only in the PKCE path.
+        # In the non-PKCE path, `oauth2_authorize_callback` consumes them.
+        if enable_pkce:
+            if state is not None:
+                pkce_cookie_name = get_pkce_cookie_name(state)
 
-        # Login user
-        response = await backend.login(strategy, user)
-        await user_manager.on_after_login(user, request, response)
+            if error is not None:
+                return build_error_response(
+                    OnyxError(
+                        OnyxErrorCode.VALIDATION_ERROR,
+                        "Authorization request failed or was denied",
+                    )
+                )
+            if code is None:
+                return build_error_response(
+                    OnyxError(
+                        OnyxErrorCode.VALIDATION_ERROR,
+                        "Missing authorization code in OAuth callback",
+                    )
+                )
+            if state is None:
+                return build_error_response(
+                    OnyxError(
+                        OnyxErrorCode.VALIDATION_ERROR,
+                        "Missing state parameter in OAuth callback",
+                    )
+                )
 
-        # Prepare redirect response
-        if tenant_id is None:
-            # Use URL utility to add parameters
-            redirect_url = add_url_params(next_url, {"new_team": "true"})
-            redirect_response = RedirectResponse(redirect_url, status_code=302)
-        else:
-            # No parameters to add
-            redirect_response = RedirectResponse(next_url, status_code=302)
+            state_value = state
 
-        # Copy headers from auth response to redirect response, with special handling for Set-Cookie
-        for header_name, header_value in response.headers.items():
-            # FastAPI can have multiple Set-Cookie headers as a list
-            if header_name.lower() == "set-cookie" and isinstance(header_value, list):
-                for cookie_value in header_value:
-                    redirect_response.headers.append(header_name, cookie_value)
+            if redirect_url is not None:
+                callback_redirect_url = redirect_url
             else:
+                callback_path = request.app.url_path_for(callback_route_name)
+                callback_redirect_url = f"{WEB_DOMAIN}{callback_path}"
+
+            code_verifier = request.cookies.get(cast(str, pkce_cookie_name))
+            if not code_verifier:
+                return build_error_response(
+                    OnyxError(
+                        OnyxErrorCode.VALIDATION_ERROR,
+                        "Missing PKCE verifier cookie in OAuth callback",
+                    )
+                )
+
+            try:
+                state_data = decode_and_validate_state(state_value)
+            except OnyxError as e:
+                return build_error_response(e)
+
+            try:
+                token = await oauth_client.get_access_token(
+                    code, callback_redirect_url, code_verifier
+                )
+            except GetAccessTokenError:
+                return build_error_response(
+                    OnyxError(
+                        OnyxErrorCode.VALIDATION_ERROR,
+                        "Authorization code exchange failed",
+                    )
+                )
+        else:
+            if access_token_state is None:
+                raise OnyxError(
+                    OnyxErrorCode.INTERNAL_ERROR, "Missing OAuth callback state"
+                )
+            token, callback_state = access_token_state
+            if callback_state is None:
+                raise OnyxError(
+                    OnyxErrorCode.VALIDATION_ERROR,
+                    "Missing state parameter in OAuth callback",
+                )
+            state_data = decode_and_validate_state(callback_state)
+
+        async def complete_login_flow(
+            token: OAuth2Token, state_data: Dict[str, str]
+        ) -> RedirectResponse:
+            account_id, account_email = await oauth_client.get_id_email(
+                token["access_token"]
+            )
+
+            if account_email is None:
+                raise OnyxError(
+                    OnyxErrorCode.VALIDATION_ERROR,
+                    ErrorCode.OAUTH_NOT_AVAILABLE_EMAIL,
+                )
+
+            next_url = state_data.get("next_url", "/")
+            referral_source = state_data.get("referral_source", None)
+            try:
+                tenant_id = fetch_ee_implementation_or_noop(
+                    "onyx.server.tenants.user_mapping", "get_tenant_id_for_email", None
+                )(account_email)
+            except exceptions.UserNotExists:
+                tenant_id = None
+
+            request.state.referral_source = referral_source
+
+            # Proceed to authenticate or create the user
+            try:
+                user = await user_manager.oauth_callback(
+                    oauth_client.name,
+                    token["access_token"],
+                    account_id,
+                    account_email,
+                    token.get("expires_at"),
+                    token.get("refresh_token"),
+                    request,
+                    associate_by_email=associate_by_email,
+                    is_verified_by_default=is_verified_by_default,
+                )
+            except UserAlreadyExists:
+                raise OnyxError(
+                    OnyxErrorCode.VALIDATION_ERROR,
+                    ErrorCode.OAUTH_USER_ALREADY_EXISTS,
+                )
+
+            if not user.is_active:
+                raise OnyxError(
+                    OnyxErrorCode.VALIDATION_ERROR,
+                    ErrorCode.LOGIN_BAD_CREDENTIALS,
+                )
+
+            # Login user
+            response = await backend.login(strategy, user)
+            await user_manager.on_after_login(user, request, response)
+
+            # Prepare redirect response
+            if tenant_id is None:
+                # Use URL utility to add parameters
+                redirect_destination = add_url_params(next_url, {"new_team": "true"})
+                redirect_response = RedirectResponse(
+                    redirect_destination, status_code=302
+                )
+            else:
+                # No parameters to add
+                redirect_response = RedirectResponse(next_url, status_code=302)
+
+            # Copy headers from auth response to redirect response, with special handling for Set-Cookie
+            for header_name, header_value in response.headers.items():
+                header_name_lower = header_name.lower()
+                if header_name_lower == "set-cookie":
+                    redirect_response.headers.append(header_name, header_value)
+                    continue
+                if header_name_lower in {"location", "content-length"}:
+                    continue
                 redirect_response.headers[header_name] = header_value
 
-        if hasattr(response, "body"):
-            redirect_response.body = response.body
-        if hasattr(response, "status_code"):
-            redirect_response.status_code = response.status_code
-        if hasattr(response, "media_type"):
-            redirect_response.media_type = response.media_type
+            return redirect_response
 
-        return redirect_response
+        if enable_pkce:
+            try:
+                redirect_response = await complete_login_flow(token, state_data)
+            except OnyxError as e:
+                return build_error_response(e)
+            delete_pkce_cookie(redirect_response)
+            return redirect_response
+
+        return await complete_login_flow(token, state_data)
 
     return router

backend/onyx/configs/app_configs.py

@@ -196,6 +196,10 @@ if _OIDC_SCOPE_OVERRIDE:
     except Exception:
         pass
 
+# Enables PKCE for OIDC login flow. Disabled by default to preserve
+# backwards compatibility for existing OIDC deployments.
+OIDC_PKCE_ENABLED = os.environ.get("OIDC_PKCE_ENABLED", "").lower() == "true"
+
 # Applicable for SAML Auth
 SAML_CONF_DIR = os.environ.get("SAML_CONF_DIR") or "/app/onyx/configs/saml_config"
 

backend/onyx/connectors/sharepoint/connector.py

@@ -33,6 +33,7 @@ from office365.runtime.queries.client_query import ClientQuery  # type: ignore[i
 from office365.sharepoint.client_context import ClientContext  # type: ignore[import-untyped]
 from pydantic import BaseModel
 from pydantic import Field
+from requests.exceptions import HTTPError
 
 from onyx.configs.app_configs import INDEX_BATCH_SIZE
 from onyx.configs.app_configs import REQUEST_TIMEOUT_SECONDS
@@ -272,6 +273,32 @@ class SizeCapExceeded(Exception):
     """Exception raised when the size cap is exceeded."""
 
 
+def _log_and_raise_for_status(response: requests.Response) -> None:
+    """Log the response text and raise for status."""
+    try:
+        response.raise_for_status()
+    except Exception:
+        logger.error(f"HTTP request failed: {response.text}")
+        raise
+
+
+GRAPH_INVALID_REQUEST_CODE = "invalidRequest"
+
+
+def _is_graph_invalid_request(response: requests.Response) -> bool:
+    """Return True if the response body is the generic Graph API
+    ``{"error": {"code": "invalidRequest", "message": "Invalid request"}}``
+    shape. This particular error has no actionable inner error code and is
+    returned by the site-pages endpoint when a page has a corrupt canvas layout
+    (e.g. duplicate web-part IDs — see SharePoint/sp-dev-docs#8822)."""
+    try:
+        body = response.json()
+    except Exception:
+        return False
+    error = body.get("error", {})
+    return error.get("code") == GRAPH_INVALID_REQUEST_CODE
+
+
 def load_certificate_from_pfx(pfx_data: bytes, password: str) -> CertificateData | None:
     """Load certificate from .pfx file for MSAL authentication"""
     try:
@@ -348,7 +375,7 @@ def _probe_remote_size(url: str, timeout: int) -> int | None:
     """Determine remote size using HEAD or a range GET probe. Returns None if unknown."""
     try:
         head_resp = requests.head(url, timeout=timeout, allow_redirects=True)
-        head_resp.raise_for_status()
+        _log_and_raise_for_status(head_resp)
         cl = head_resp.headers.get("Content-Length")
         if cl and cl.isdigit():
             return int(cl)
@@ -363,7 +390,7 @@ def _probe_remote_size(url: str, timeout: int) -> int | None:
             timeout=timeout,
             stream=True,
         ) as range_resp:
-            range_resp.raise_for_status()
+            _log_and_raise_for_status(range_resp)
             cr = range_resp.headers.get("Content-Range")  # e.g., "bytes 0-0/12345"
             if cr and "/" in cr:
                 total = cr.split("/")[-1]
@@ -388,7 +415,7 @@ def _download_with_cap(url: str, timeout: int, cap: int) -> bytes:
     - Returns the full bytes if the content fits within `cap`.
     """
     with requests.get(url, stream=True, timeout=timeout) as resp:
-        resp.raise_for_status()
+        _log_and_raise_for_status(resp)
 
         # If the server provides Content-Length, prefer an early decision.
         cl_header = resp.headers.get("Content-Length")
@@ -432,7 +459,7 @@ def _download_via_graph_api(
     with requests.get(
         url, headers=headers, stream=True, timeout=REQUEST_TIMEOUT_SECONDS
     ) as resp:
-        resp.raise_for_status()
+        _log_and_raise_for_status(resp)
         buf = io.BytesIO()
         for chunk in resp.iter_content(64 * 1024):
             if not chunk:
@@ -1242,26 +1269,135 @@ class SharepointConnector(
         site.execute_query()
         site_id = site.id
 
-        page_url: str | None = (
-            f"{self.graph_api_base}/sites/{site_id}" f"/pages/microsoft.graph.sitePage"
+        site_pages_base = (
+            f"{self.graph_api_base}/sites/{site_id}/pages/microsoft.graph.sitePage"
         )
+        page_url: str | None = site_pages_base
         params: dict[str, str] | None = {"$expand": "canvasLayout"}
         total_yielded = 0
+        yielded_ids: set[str] = set()
 
         while page_url:
-            data = self._graph_api_get_json(page_url, params)
+            try:
+                data = self._graph_api_get_json(page_url, params)
+            except HTTPError as e:
+                if e.response is not None and e.response.status_code == 404:
+                    logger.warning(f"Site page not found: {page_url}")
+                    break
+                if (
+                    e.response is not None
+                    and e.response.status_code == 400
+                    and _is_graph_invalid_request(e.response)
+                ):
+                    logger.warning(
+                        f"$expand=canvasLayout on the LIST endpoint returned 400 "
+                        f"for site {site_descriptor.url}. Falling back to "
+                        f"per-page expansion."
+                    )
+                    yield from self._fetch_site_pages_individually(
+                        site_pages_base, start, end, skip_ids=yielded_ids
+                    )
+                    return
+                raise
+
             params = None  # nextLink already embeds query params
 
             for page in data.get("value", []):
                 if not _site_page_in_time_window(page, start, end):
                     continue
                 total_yielded += 1
+                page_id = page.get("id")
+                if page_id:
+                    yielded_ids.add(page_id)
                 yield page
 
             page_url = data.get("@odata.nextLink")
 
         logger.debug(f"Yielded {total_yielded} site pages for {site_descriptor.url}")
 
+    def _fetch_site_pages_individually(
+        self,
+        site_pages_base: str,
+        start: datetime | None = None,
+        end: datetime | None = None,
+        skip_ids: set[str] | None = None,
+    ) -> Generator[dict[str, Any], None, None]:
+        """Fallback for _fetch_site_pages: list pages without $expand, then
+        expand canvasLayout on each page individually.
+
+        The Graph API's LIST endpoint can return 400 when $expand=canvasLayout
+        is used and *any* page in the site has a corrupt canvas layout (e.g.
+        duplicate web part IDs — see SharePoint/sp-dev-docs#8822). Since the
+        LIST expansion is all-or-nothing, a single bad page poisons the entire
+        response. This method works around it by fetching metadata first, then
+        expanding each page individually so only the broken page loses its
+        canvas content.
+
+        ``skip_ids`` contains page IDs already yielded by the caller before the
+        fallback was triggered, preventing duplicates.
+        """
+        page_url: str | None = site_pages_base
+        total_yielded = 0
+        _skip_ids = skip_ids or set()
+
+        while page_url:
+            try:
+                data = self._graph_api_get_json(page_url)
+            except HTTPError as e:
+                if e.response is not None and e.response.status_code == 404:
+                    break
+                raise
+
+            for page in data.get("value", []):
+                if not _site_page_in_time_window(page, start, end):
+                    continue
+
+                page_id = page.get("id")
+                if page_id and page_id in _skip_ids:
+                    continue
+
+                if not page_id:
+                    total_yielded += 1
+                    yield page
+                    continue
+
+                expanded = self._try_expand_single_page(site_pages_base, page_id, page)
+                total_yielded += 1
+                yield expanded
+
+            page_url = data.get("@odata.nextLink")
+
+        logger.debug(
+            f"Yielded {total_yielded} site pages (per-page expansion fallback)"
+        )
+
+    def _try_expand_single_page(
+        self,
+        site_pages_base: str,
+        page_id: str,
+        fallback_page: dict[str, Any],
+    ) -> dict[str, Any]:
+        """Try to GET a single page with $expand=canvasLayout. On 400, return
+        the metadata-only fallback so the page is still indexed (without canvas
+        content)."""
+        pages_collection = site_pages_base.removesuffix("/microsoft.graph.sitePage")
+        single_url = f"{pages_collection}/{page_id}/microsoft.graph.sitePage"
+        try:
+            return self._graph_api_get_json(single_url, {"$expand": "canvasLayout"})
+        except HTTPError as e:
+            if (
+                e.response is not None
+                and e.response.status_code == 400
+                and _is_graph_invalid_request(e.response)
+            ):
+                page_name = fallback_page.get("name", page_id)
+                logger.warning(
+                    f"$expand=canvasLayout failed for page '{page_name}' "
+                    f"({page_id}). Indexing metadata only."
+                )
+                return fallback_page
+            raise
+
     def _acquire_token(self) -> dict[str, Any]:
         """
         Acquire token via MSAL
@@ -1313,7 +1449,7 @@ class SharepointConnector(
                         access_token = self._get_graph_access_token()
                         headers = {"Authorization": f"Bearer {access_token}"}
                         continue
-                response.raise_for_status()
+                _log_and_raise_for_status(response)
                 return response.json()
             except (requests.ConnectionError, requests.Timeout):
                 if attempt < GRAPH_API_MAX_RETRIES:

backend/onyx/db/enums.py

@@ -304,3 +304,13 @@ class LLMModelFlowType(str, PyEnum):
     CHAT = "chat"
     VISION = "vision"
     CONTEXTUAL_RAG = "contextual_rag"
+
+
+class HookPoint(str, PyEnum):
+    DOCUMENT_INGESTION = "document_ingestion"
+    QUERY_PROCESSING = "query_processing"
+
+
+class HookFailStrategy(str, PyEnum):
+    HARD = "hard"  # exception propagates, pipeline aborts
+    SOFT = "soft"  # log error, return original input, pipeline continues

backend/onyx/db/models.py

@@ -64,6 +64,8 @@ from onyx.db.enums import (
     BuildSessionStatus,
     EmbeddingPrecision,
     HierarchyNodeType,
+    HookFailStrategy,
+    HookPoint,
     IndexingMode,
     OpenSearchDocumentMigrationStatus,
     OpenSearchTenantMigrationStatus,
@@ -353,6 +355,11 @@ class User(SQLAlchemyBaseUserTableUUID, Base):
     # organized in typical structured fashion
     # formatted as `displayName__provider__modelName`
 
+    # Voice preferences
+    voice_auto_send: Mapped[bool] = mapped_column(Boolean, default=False)
+    voice_auto_playback: Mapped[bool] = mapped_column(Boolean, default=False)
+    voice_playback_speed: Mapped[float] = mapped_column(Float, default=1.0)
+
     # relationships
     credentials: Mapped[list["Credential"]] = relationship(
         "Credential", back_populates="user"
@@ -3065,6 +3072,65 @@ class ImageGenerationConfig(Base):
     )
 
 
+class VoiceProvider(Base):
+    """Configuration for voice services (STT and TTS)."""
+
+    __tablename__ = "voice_provider"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    name: Mapped[str] = mapped_column(String, unique=True)
+    provider_type: Mapped[str] = mapped_column(
+        String
+    )  # "openai", "azure", "elevenlabs"
+    api_key: Mapped[SensitiveValue[str] | None] = mapped_column(
+        EncryptedString(), nullable=True
+    )
+    api_base: Mapped[str | None] = mapped_column(String, nullable=True)
+    custom_config: Mapped[dict[str, Any] | None] = mapped_column(
+        postgresql.JSONB(), nullable=True
+    )
+
+    # Model/voice configuration
+    stt_model: Mapped[str | None] = mapped_column(
+        String, nullable=True
+    )  # e.g., "whisper-1"
+    tts_model: Mapped[str | None] = mapped_column(
+        String, nullable=True
+    )  # e.g., "tts-1", "tts-1-hd"
+    default_voice: Mapped[str | None] = mapped_column(
+        String, nullable=True
+    )  # e.g., "alloy", "echo"
+
+    # STT and TTS can use different providers - only one provider per type
+    is_default_stt: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
+    is_default_tts: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
+
+    deleted: Mapped[bool] = mapped_column(Boolean, default=False)
+
+    time_created: Mapped[datetime.datetime] = mapped_column(
+        DateTime(timezone=True), server_default=func.now()
+    )
+    time_updated: Mapped[datetime.datetime] = mapped_column(
+        DateTime(timezone=True), server_default=func.now(), onupdate=func.now()
+    )
+
+    # Enforce only one default STT provider and one default TTS provider at DB level
+    __table_args__ = (
+        Index(
+            "ix_voice_provider_one_default_stt",
+            "is_default_stt",
+            unique=True,
+            postgresql_where=(is_default_stt == True),  # noqa: E712
+        ),
+        Index(
+            "ix_voice_provider_one_default_tts",
+            "is_default_tts",
+            unique=True,
+            postgresql_where=(is_default_tts == True),  # noqa: E712
+        ),
+    )
+
+
 class CloudEmbeddingProvider(Base):
     __tablename__ = "embedding_provider"
 
@@ -5108,3 +5174,94 @@ class CacheStore(Base):
     expires_at: Mapped[datetime.datetime | None] = mapped_column(
         DateTime(timezone=True), nullable=True
     )
+
+
+class Hook(Base):
+    """Pairs a HookPoint with a customer-provided API endpoint.
+
+    At most one Hook per HookPoint can be active at a time, enforced by a
+    partial unique index on (hook_point) where is_active=true AND deleted=false.
+    """
+
+    __tablename__ = "hook"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    name: Mapped[str] = mapped_column(String, nullable=False)
+    hook_point: Mapped[HookPoint] = mapped_column(
+        Enum(HookPoint, native_enum=False), nullable=False
+    )
+    endpoint_url: Mapped[str | None] = mapped_column(Text, nullable=True)
+    api_key: Mapped[SensitiveValue[str] | None] = mapped_column(
+        EncryptedString(), nullable=True
+    )
+    is_reachable: Mapped[bool | None] = mapped_column(
+        Boolean, nullable=True, default=None
+    )  # null = never validated, true = last check passed, false = last check failed
+    fail_strategy: Mapped[HookFailStrategy] = mapped_column(
+        Enum(HookFailStrategy, native_enum=False),
+        nullable=False,
+        default=HookFailStrategy.HARD,
+        server_default=HookFailStrategy.HARD.value,
+    )
+    timeout_seconds: Mapped[float] = mapped_column(
+        Float, nullable=False, default=30.0, server_default="30.0"
+    )
+    is_active: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
+    deleted: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
+    creator_id: Mapped[UUID | None] = mapped_column(
+        PGUUID(as_uuid=True),
+        ForeignKey("user.id", ondelete="SET NULL"),
+        nullable=True,
+    )
+    created_at: Mapped[datetime.datetime] = mapped_column(
+        DateTime(timezone=True), server_default=func.now(), nullable=False
+    )
+    updated_at: Mapped[datetime.datetime] = mapped_column(
+        DateTime(timezone=True),
+        server_default=func.now(),
+        onupdate=func.now(),
+        nullable=False,
+    )
+
+    creator: Mapped["User | None"] = relationship("User", foreign_keys=[creator_id])
+    execution_logs: Mapped[list["HookExecutionLog"]] = relationship(
+        "HookExecutionLog", back_populates="hook", cascade="all, delete-orphan"
+    )
+
+    __table_args__ = (
+        Index(
+            "ix_hook_one_active_per_point",
+            "hook_point",
+            unique=True,
+            postgresql_where=(is_active == True) & (deleted == False),  # noqa: E712
+        ),
+    )
+
+
+class HookExecutionLog(Base):
+    """Records each failed hook execution for health monitoring and debugging.
+
+    Only failures are logged. Retention: rows older than 30 days are deleted
+    by a nightly Celery task.
+    """
+
+    __tablename__ = "hook_execution_log"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    hook_id: Mapped[int] = mapped_column(
+        Integer,
+        ForeignKey("hook.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
+    )
+    hook_point: Mapped[HookPoint] = mapped_column(
+        Enum(HookPoint, native_enum=False), nullable=False
+    )  # denormalized for query convenience
+    error_message: Mapped[str | None] = mapped_column(Text, nullable=True)
+    status_code: Mapped[int | None] = mapped_column(Integer, nullable=True)
+    duration_ms: Mapped[int | None] = mapped_column(Integer, nullable=True)
+    created_at: Mapped[datetime.datetime] = mapped_column(
+        DateTime(timezone=True), server_default=func.now(), nullable=False, index=True
+    )
+
+    hook: Mapped["Hook"] = relationship("Hook", back_populates="execution_logs")

backend/onyx/db/voice.py

@@ -0,0 +1,248 @@
+from typing import Any
+from uuid import UUID
+
+from sqlalchemy import select
+from sqlalchemy import update
+from sqlalchemy.orm import Session
+
+from onyx.db.models import User
+from onyx.db.models import VoiceProvider
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
+
+MIN_VOICE_PLAYBACK_SPEED = 0.5
+MAX_VOICE_PLAYBACK_SPEED = 2.0
+
+
+def fetch_voice_providers(db_session: Session) -> list[VoiceProvider]:
+    """Fetch all voice providers."""
+    return list(
+        db_session.scalars(
+            select(VoiceProvider)
+            .where(VoiceProvider.deleted.is_(False))
+            .order_by(VoiceProvider.name)
+        ).all()
+    )
+
+
+def fetch_voice_provider_by_id(
+    db_session: Session, provider_id: int, include_deleted: bool = False
+) -> VoiceProvider | None:
+    """Fetch a voice provider by ID."""
+    stmt = select(VoiceProvider).where(VoiceProvider.id == provider_id)
+    if not include_deleted:
+        stmt = stmt.where(VoiceProvider.deleted.is_(False))
+    return db_session.scalar(stmt)
+
+
+def fetch_default_stt_provider(db_session: Session) -> VoiceProvider | None:
+    """Fetch the default STT provider."""
+    return db_session.scalar(
+        select(VoiceProvider)
+        .where(VoiceProvider.is_default_stt.is_(True))
+        .where(VoiceProvider.deleted.is_(False))
+    )
+
+
+def fetch_default_tts_provider(db_session: Session) -> VoiceProvider | None:
+    """Fetch the default TTS provider."""
+    return db_session.scalar(
+        select(VoiceProvider)
+        .where(VoiceProvider.is_default_tts.is_(True))
+        .where(VoiceProvider.deleted.is_(False))
+    )
+
+
+def fetch_voice_provider_by_type(
+    db_session: Session, provider_type: str
+) -> VoiceProvider | None:
+    """Fetch a voice provider by type."""
+    return db_session.scalar(
+        select(VoiceProvider)
+        .where(VoiceProvider.provider_type == provider_type)
+        .where(VoiceProvider.deleted.is_(False))
+    )
+
+
+def upsert_voice_provider(
+    *,
+    db_session: Session,
+    provider_id: int | None,
+    name: str,
+    provider_type: str,
+    api_key: str | None,
+    api_key_changed: bool,
+    api_base: str | None = None,
+    custom_config: dict[str, Any] | None = None,
+    stt_model: str | None = None,
+    tts_model: str | None = None,
+    default_voice: str | None = None,
+    activate_stt: bool = False,
+    activate_tts: bool = False,
+) -> VoiceProvider:
+    """Create or update a voice provider."""
+    provider: VoiceProvider | None = None
+
+    if provider_id is not None:
+        provider = fetch_voice_provider_by_id(db_session, provider_id)
+        if provider is None:
+            raise OnyxError(
+                OnyxErrorCode.NOT_FOUND,
+                f"No voice provider with id {provider_id} exists.",
+            )
+    else:
+        provider = VoiceProvider()
+        db_session.add(provider)
+
+    # Apply updates
+    provider.name = name
+    provider.provider_type = provider_type
+    provider.api_base = api_base
+    provider.custom_config = custom_config
+    provider.stt_model = stt_model
+    provider.tts_model = tts_model
+    provider.default_voice = default_voice
+
+    # Only update API key if explicitly changed or if provider has no key
+    if api_key_changed or provider.api_key is None:
+        provider.api_key = api_key  # type: ignore[assignment]
+
+    db_session.flush()
+
+    if activate_stt:
+        set_default_stt_provider(db_session=db_session, provider_id=provider.id)
+    if activate_tts:
+        set_default_tts_provider(db_session=db_session, provider_id=provider.id)
+
+    db_session.refresh(provider)
+    return provider
+
+
+def delete_voice_provider(db_session: Session, provider_id: int) -> None:
+    """Soft-delete a voice provider by ID."""
+    provider = fetch_voice_provider_by_id(db_session, provider_id)
+    if provider:
+        provider.deleted = True
+        db_session.flush()
+
+
+def set_default_stt_provider(*, db_session: Session, provider_id: int) -> VoiceProvider:
+    """Set a voice provider as the default STT provider."""
+    provider = fetch_voice_provider_by_id(db_session, provider_id)
+    if provider is None:
+        raise OnyxError(
+            OnyxErrorCode.NOT_FOUND,
+            f"No voice provider with id {provider_id} exists.",
+        )
+
+    # Deactivate all other STT providers
+    db_session.execute(
+        update(VoiceProvider)
+        .where(
+            VoiceProvider.is_default_stt.is_(True),
+            VoiceProvider.id != provider_id,
+        )
+        .values(is_default_stt=False)
+    )
+
+    # Activate this provider
+    provider.is_default_stt = True
+
+    db_session.flush()
+    db_session.refresh(provider)
+    return provider
+
+
+def set_default_tts_provider(
+    *, db_session: Session, provider_id: int, tts_model: str | None = None
+) -> VoiceProvider:
+    """Set a voice provider as the default TTS provider."""
+    provider = fetch_voice_provider_by_id(db_session, provider_id)
+    if provider is None:
+        raise OnyxError(
+            OnyxErrorCode.NOT_FOUND,
+            f"No voice provider with id {provider_id} exists.",
+        )
+
+    # Deactivate all other TTS providers
+    db_session.execute(
+        update(VoiceProvider)
+        .where(
+            VoiceProvider.is_default_tts.is_(True),
+            VoiceProvider.id != provider_id,
+        )
+        .values(is_default_tts=False)
+    )
+
+    # Activate this provider
+    provider.is_default_tts = True
+
+    # Update the TTS model if specified
+    if tts_model is not None:
+        provider.tts_model = tts_model
+
+    db_session.flush()
+    db_session.refresh(provider)
+    return provider
+
+
+def deactivate_stt_provider(*, db_session: Session, provider_id: int) -> VoiceProvider:
+    """Remove the default STT status from a voice provider."""
+    provider = fetch_voice_provider_by_id(db_session, provider_id)
+    if provider is None:
+        raise OnyxError(
+            OnyxErrorCode.NOT_FOUND,
+            f"No voice provider with id {provider_id} exists.",
+        )
+
+    provider.is_default_stt = False
+
+    db_session.flush()
+    db_session.refresh(provider)
+    return provider
+
+
+def deactivate_tts_provider(*, db_session: Session, provider_id: int) -> VoiceProvider:
+    """Remove the default TTS status from a voice provider."""
+    provider = fetch_voice_provider_by_id(db_session, provider_id)
+    if provider is None:
+        raise OnyxError(
+            OnyxErrorCode.NOT_FOUND,
+            f"No voice provider with id {provider_id} exists.",
+        )
+
+    provider.is_default_tts = False
+
+    db_session.flush()
+    db_session.refresh(provider)
+    return provider
+
+
+# User voice preferences
+
+
+def update_user_voice_settings(
+    db_session: Session,
+    user_id: UUID,
+    auto_send: bool | None = None,
+    auto_playback: bool | None = None,
+    playback_speed: float | None = None,
+) -> None:
+    """Update user's voice settings.
+
+    For all fields, None means "don't update this field".
+    """
+    values: dict[str, bool | float] = {}
+
+    if auto_send is not None:
+        values["voice_auto_send"] = auto_send
+    if auto_playback is not None:
+        values["voice_auto_playback"] = auto_playback
+    if playback_speed is not None:
+        values["voice_playback_speed"] = max(
+            MIN_VOICE_PLAYBACK_SPEED, min(MAX_VOICE_PLAYBACK_SPEED, playback_speed)
+        )
+
+    if values:
+        db_session.execute(update(User).where(User.id == user_id).values(**values))  # type: ignore[arg-type]
+        db_session.flush()

backend/onyx/error_handling/error_codes.py

@@ -66,6 +66,11 @@ class OnyxErrorCode(Enum):
     RATE_LIMITED = ("RATE_LIMITED", 429)
     SEAT_LIMIT_EXCEEDED = ("SEAT_LIMIT_EXCEEDED", 402)
 
+    # ------------------------------------------------------------------
+    # Payload (413)
+    # ------------------------------------------------------------------
+    PAYLOAD_TOO_LARGE = ("PAYLOAD_TOO_LARGE", 413)
+
     # ------------------------------------------------------------------
     # Connector / Credential Errors (400-range)
     # ------------------------------------------------------------------

backend/onyx/error_handling/exceptions.py

@@ -59,6 +59,22 @@ class OnyxError(Exception):
         return self._status_code_override or self.error_code.status_code
 
 
+def log_onyx_error(exc: OnyxError) -> None:
+    detail = exc.detail
+    status_code = exc.status_code
+    if status_code >= 500:
+        logger.error(f"OnyxError {exc.error_code.code}: {detail}")
+    elif status_code >= 400:
+        logger.warning(f"OnyxError {exc.error_code.code}: {detail}")
+
+
+def onyx_error_to_json_response(exc: OnyxError) -> JSONResponse:
+    return JSONResponse(
+        status_code=exc.status_code,
+        content=exc.error_code.detail(exc.detail),
+    )
+
+
 def register_onyx_exception_handlers(app: FastAPI) -> None:
     """Register a global handler that converts ``OnyxError`` to JSON responses.
 
@@ -71,13 +87,5 @@ def register_onyx_exception_handlers(app: FastAPI) -> None:
         request: Request,  # noqa: ARG001
         exc: OnyxError,
     ) -> JSONResponse:
-        status_code = exc.status_code
-        if status_code >= 500:
-            logger.error(f"OnyxError {exc.error_code.code}: {exc.detail}")
-        elif status_code >= 400:
-            logger.warning(f"OnyxError {exc.error_code.code}: {exc.detail}")
-
-        return JSONResponse(
-            status_code=status_code,
-            content=exc.error_code.detail(exc.detail),
-        )
+        log_onyx_error(exc)
+        return onyx_error_to_json_response(exc)

backend/onyx/main.py

@@ -44,6 +44,7 @@ from onyx.configs.app_configs import LOG_ENDPOINT_LATENCY
 from onyx.configs.app_configs import OAUTH_CLIENT_ID
 from onyx.configs.app_configs import OAUTH_CLIENT_SECRET
 from onyx.configs.app_configs import OAUTH_ENABLED
+from onyx.configs.app_configs import OIDC_PKCE_ENABLED
 from onyx.configs.app_configs import OIDC_SCOPE_OVERRIDE
 from onyx.configs.app_configs import OPENID_CONFIG_URL
 from onyx.configs.app_configs import POSTGRES_API_SERVER_POOL_OVERFLOW
@@ -119,6 +120,9 @@ from onyx.server.manage.opensearch_migration.api import (
 from onyx.server.manage.search_settings import router as search_settings_router
 from onyx.server.manage.slack_bot import router as slack_bot_management_router
 from onyx.server.manage.users import router as user_router
+from onyx.server.manage.voice.api import admin_router as voice_admin_router
+from onyx.server.manage.voice.user_api import router as voice_router
+from onyx.server.manage.voice.websocket_api import router as voice_websocket_router
 from onyx.server.manage.web_search.api import (
     admin_router as web_search_admin_router,
 )
@@ -497,6 +501,9 @@ def get_application(lifespan_override: Lifespan | None = None) -> FastAPI:
     include_router_with_global_prefix_prepended(application, embedding_router)
     include_router_with_global_prefix_prepended(application, web_search_router)
     include_router_with_global_prefix_prepended(application, web_search_admin_router)
+    include_router_with_global_prefix_prepended(application, voice_admin_router)
+    include_router_with_global_prefix_prepended(application, voice_router)
+    include_router_with_global_prefix_prepended(application, voice_websocket_router)
     include_router_with_global_prefix_prepended(
         application, opensearch_migration_admin_router
     )
@@ -597,6 +604,7 @@ def get_application(lifespan_override: Lifespan | None = None) -> FastAPI:
                 associate_by_email=True,
                 is_verified_by_default=True,
                 redirect_url=f"{WEB_DOMAIN}/auth/oidc/callback",
+                enable_pkce=OIDC_PKCE_ENABLED,
             ),
             prefix="/auth/oidc",
         )

backend/onyx/onyxbot/slack/blocks.py

@@ -1,6 +1,3 @@
-import logging
-import re
-from dataclasses import dataclass
 from datetime import datetime
 from typing import cast
 
@@ -49,8 +46,6 @@ from onyx.onyxbot.slack.utils import remove_slack_text_interactions
 from onyx.onyxbot.slack.utils import translate_vespa_highlight_to_slack
 from onyx.utils.text_processing import decode_escapes
 
-logger = logging.getLogger(__name__)
-
 _MAX_BLURB_LEN = 45
 
 
@@ -81,99 +76,6 @@ def get_feedback_reminder_blocks(thread_link: str, include_followup: bool) -> Bl
     return SectionBlock(text=text)
 
 
-@dataclass
-class CodeSnippet:
-    """A code block extracted from the answer to be uploaded as a Slack file."""
-
-    code: str
-    language: str
-    filename: str
-
-
-_SECTION_BLOCK_LIMIT = 3000
-
-# Matches fenced code blocks: ```lang\n...\n```
-# The opening fence must start at the beginning of a line (^), may have an
-# optional language specifier (\w*), followed by a newline. The closing fence
-# is ``` at the beginning of a line. We also handle an optional trailing
-# newline on the closing fence line to be robust against different formatting.
-_CODE_FENCE_RE = re.compile(
-    r"^```(\w*)\n(.*?)^```\s*$",
-    re.MULTILINE | re.DOTALL,
-)
-
-
-def _extract_code_snippets(
-    text: str, limit: int = _SECTION_BLOCK_LIMIT
-) -> tuple[str, list[CodeSnippet]]:
-    """Extract code blocks that would push the text over *limit*.
-
-    Returns (cleaned_text, snippets) where *cleaned_text* has large code
-    blocks replaced with a placeholder and *snippets* contains the extracted
-    code to be uploaded as Slack file snippets.
-
-    Uses a two-pass approach: first collect all matches, then decide which
-    to extract based on cumulative removal so each decision accounts for
-    previously extracted blocks.
-
-    Pass *limit=0* to force-extract ALL code blocks unconditionally.
-    """
-    if limit > 0 and len(text) <= limit:
-        return text, []
-
-    # Pass 1: collect all code-fence matches
-    matches = list(_CODE_FENCE_RE.finditer(text))
-    if not matches:
-        return text, []
-
-    # Pass 2: decide which blocks to extract, accounting for cumulative removal.
-    # Only extract if the text is still over the limit OR the block is very large.
-    # With limit=0, extract everything unconditionally.
-    extract_indices: set[int] = set()
-    removed_chars = 0
-    for i, match in enumerate(matches):
-        full_block = match.group(0)
-        if limit == 0:
-            extract_indices.add(i)
-            removed_chars += len(full_block)
-        else:
-            current_len = len(text) - removed_chars
-            if current_len > limit and current_len - len(full_block) <= limit:
-                extract_indices.add(i)
-                removed_chars += len(full_block)
-            elif len(full_block) > limit // 2:
-                extract_indices.add(i)
-                removed_chars += len(full_block)
-
-    if not extract_indices:
-        return text, []
-
-    # Build cleaned text and snippets by processing matches in reverse
-    # so character offsets remain valid.
-    snippets: list[CodeSnippet] = []
-    cleaned = text
-    for i in sorted(extract_indices, reverse=True):
-        match = matches[i]
-        lang = match.group(1) or ""
-        code = match.group(2)
-        ext = lang if lang else "txt"
-        snippets.append(
-            CodeSnippet(
-                code=code.strip(),
-                language=lang or "text",
-                filename=f"code_{len(extract_indices) - len(snippets)}.{ext}",
-            )
-        )
-        cleaned = cleaned[: match.start()] + cleaned[match.end() :]
-
-    # Snippets were appended in reverse order — flip to match document order
-    snippets.reverse()
-
-    # Clean up any triple+ blank lines left by extraction
-    cleaned = re.sub(r"\n{3,}", "\n\n", cleaned).strip()
-    return cleaned, snippets
-
-
 def _split_text(text: str, limit: int = 3000) -> list[str]:
     if len(text) <= limit:
         return [text]
@@ -515,7 +417,7 @@ def _build_citations_blocks(
 
 def _build_main_response_blocks(
     answer: ChatBasicResponse,
-) -> tuple[list[Block], list[CodeSnippet]]:
+) -> list[Block]:
     # TODO: add back in later when auto-filtering is implemented
     # if (
     #     retrieval_info.applied_time_cutoff
@@ -546,45 +448,9 @@ def _build_main_response_blocks(
     # replaces markdown links with slack format links
     formatted_answer = format_slack_message(answer.answer)
     answer_processed = decode_escapes(remove_slack_text_interactions(formatted_answer))
+    answer_blocks = [SectionBlock(text=text) for text in _split_text(answer_processed)]
 
-    # Extract large code blocks as snippets to upload separately,
-    # avoiding broken code fences when splitting across SectionBlocks.
-    cleaned_text, code_snippets = _extract_code_snippets(answer_processed)
-    logger.info(
-        "Code extraction: input=%d chars, cleaned=%d chars, snippets=%d",
-        len(answer_processed),
-        len(cleaned_text),
-        len(code_snippets),
-    )
-
-    if len(cleaned_text) <= _SECTION_BLOCK_LIMIT:
-        answer_blocks = [SectionBlock(text=cleaned_text)]
-    elif "```" not in cleaned_text:
-        # No code fences — safe to split at word boundaries.
-        answer_blocks = [
-            SectionBlock(text=text)
-            for text in _split_text(cleaned_text, limit=_SECTION_BLOCK_LIMIT)
-        ]
-    else:
-        # Text still has code fences after extraction and exceeds the
-        # SectionBlock limit. Splitting would break the fences, so fall
-        # back to uploading the entire remaining code as another snippet
-        # and keeping only the prose in the blocks.
-        logger.warning(
-            "Cleaned text still has code fences (%d chars); "
-            "force-extracting remaining code blocks",
-            len(cleaned_text),
-        )
-        remaining_cleaned, remaining_snippets = _extract_code_snippets(
-            cleaned_text, limit=0
-        )
-        code_snippets.extend(remaining_snippets)
-        answer_blocks = [
-            SectionBlock(text=text)
-            for text in _split_text(remaining_cleaned, limit=_SECTION_BLOCK_LIMIT)
-        ]
-
-    return cast(list[Block], answer_blocks), code_snippets
+    return cast(list[Block], answer_blocks)
 
 
 def _build_continue_in_web_ui_block(
@@ -665,13 +531,10 @@ def build_slack_response_blocks(
     skip_ai_feedback: bool = False,
     offer_ephemeral_publication: bool = False,
     skip_restated_question: bool = False,
-) -> tuple[list[Block], list[CodeSnippet]]:
+) -> list[Block]:
     """
     This function is a top level function that builds all the blocks for the Slack response.
     It also handles combining all the blocks together.
-
-    Returns (blocks, code_snippets) where code_snippets should be uploaded
-    as Slack file snippets in the same thread.
     """
     # If called with the OnyxBot slash command, the question is lost so we have to reshow it
     if not skip_restated_question:
@@ -681,7 +544,7 @@ def build_slack_response_blocks(
     else:
         restate_question_block = []
 
-    answer_blocks, code_snippets = _build_main_response_blocks(answer)
+    answer_blocks = _build_main_response_blocks(answer)
 
     web_follow_up_block = []
     if channel_conf and channel_conf.get("show_continue_in_web_ui"):
@@ -747,4 +610,4 @@ def build_slack_response_blocks(
         + follow_up_block
     )
 
-    return all_blocks, code_snippets
+    return all_blocks

backend/onyx/onyxbot/slack/handlers/handle_buttons.py

@@ -282,7 +282,7 @@ def handle_publish_ephemeral_message_button(
             logger.error(f"Failed to send webhook: {e}")
 
         # remove handling of empheremal block and add AI feedback.
-        all_blocks, _ = build_slack_response_blocks(
+        all_blocks = build_slack_response_blocks(
             answer=onyx_bot_answer,
             message_info=slack_message_info,
             channel_conf=channel_conf,
@@ -311,7 +311,7 @@ def handle_publish_ephemeral_message_button(
     elif action_id == KEEP_TO_YOURSELF_ACTION_ID:
         # Keep as ephemeral message in channel or thread, but remove the publish button and add feedback button
 
-        changed_blocks, _ = build_slack_response_blocks(
+        changed_blocks = build_slack_response_blocks(
             answer=onyx_bot_answer,
             message_info=slack_message_info,
             channel_conf=channel_conf,

backend/onyx/onyxbot/slack/handlers/handle_regular_answer.py

@@ -25,7 +25,6 @@ from onyx.db.models import User
 from onyx.db.persona import get_persona_by_id
 from onyx.db.users import get_user_by_email
 from onyx.onyxbot.slack.blocks import build_slack_response_blocks
-from onyx.onyxbot.slack.blocks import CodeSnippet
 from onyx.onyxbot.slack.constants import SLACK_CHANNEL_REF_PATTERN
 from onyx.onyxbot.slack.handlers.utils import send_team_member_message
 from onyx.onyxbot.slack.models import SlackMessageInfo
@@ -135,65 +134,6 @@ def build_slack_context_str(
     return slack_context_str + "\n\n".join(message_strs)
 
 
-# Normalize common LLM language aliases to Slack's expected snippet_type values.
-# Slack silently falls back to plain text for unrecognized types, so this map
-# only needs to cover the most common mismatches.
-_SNIPPET_TYPE_MAP: dict[str, str] = {
-    "py": "python",
-    "js": "javascript",
-    "ts": "typescript",
-    "tsx": "typescript",
-    "jsx": "javascript",
-    "sh": "shell",
-    "bash": "shell",
-    "zsh": "shell",
-    "yml": "yaml",
-    "rb": "ruby",
-    "rs": "rust",
-    "cs": "csharp",
-    "md": "markdown",
-    "txt": "text",
-    "text": "plain_text",
-}
-
-
-def _upload_code_snippets(
-    client: WebClient,
-    channel: str,
-    thread_ts: str,
-    snippets: list[CodeSnippet],
-    logger: OnyxLoggingAdapter,
-    receiver_ids: list[str] | None = None,
-    send_as_ephemeral: bool | None = None,
-) -> None:
-    """Upload extracted code blocks as Slack file snippets in the thread."""
-    for snippet in snippets:
-        try:
-            snippet_type = _SNIPPET_TYPE_MAP.get(snippet.language, snippet.language)
-            client.files_upload_v2(
-                channel=channel,
-                thread_ts=thread_ts,
-                content=snippet.code,
-                filename=snippet.filename,
-                snippet_type=snippet_type,
-            )
-        except Exception:
-            logger.warning(
-                f"Failed to upload code snippet {snippet.filename}, "
-                "falling back to inline code block"
-            )
-            # Fall back to posting as a regular message with code fences,
-            # preserving the same visibility as the primary response.
-            respond_in_thread_or_channel(
-                client=client,
-                channel=channel,
-                receiver_ids=receiver_ids,
-                text=f"```{snippet.language}\n{snippet.code}\n```",
-                thread_ts=thread_ts,
-                send_as_ephemeral=send_as_ephemeral,
-            )
-
-
 def handle_regular_answer(
     message_info: SlackMessageInfo,
     slack_channel_config: SlackChannelConfig,
@@ -447,7 +387,7 @@ def handle_regular_answer(
         offer_ephemeral_publication = False
         skip_ai_feedback = False
 
-    all_blocks, code_snippets = build_slack_response_blocks(
+    all_blocks = build_slack_response_blocks(
         message_info=message_info,
         answer=answer,
         channel_conf=channel_conf,
@@ -474,20 +414,6 @@ def handle_regular_answer(
             send_as_ephemeral=send_as_ephemeral,
         )
 
-        # Upload extracted code blocks as Slack file snippets so they
-        # render as collapsible, syntax-highlighted blocks in the thread.
-        snippet_thread_ts = target_thread_ts or message_ts_to_respond_to
-        if code_snippets and snippet_thread_ts:
-            _upload_code_snippets(
-                client=client,
-                channel=channel,
-                thread_ts=snippet_thread_ts,
-                snippets=code_snippets,
-                logger=logger,
-                receiver_ids=target_receiver_ids,
-                send_as_ephemeral=send_as_ephemeral,
-            )
-
         # For DM (ephemeral message), we need to create a thread via a normal message so the user can see
         # the ephemeral message. This also will give the user a notification which ephemeral message does not.
         # if there is no message_ts_to_respond_to, and we have made it this far, then this is a /onyx message

backend/onyx/redis/redis_pool.py

@@ -419,12 +419,15 @@ async def get_async_redis_connection() -> aioredis.Redis:
     return _async_redis_connection
 
 
-async def retrieve_auth_token_data_from_redis(request: Request) -> dict | None:
-    token = request.cookies.get(FASTAPI_USERS_AUTH_COOKIE_NAME)
-    if not token:
-        logger.debug("No auth token cookie found")
-        return None
+async def retrieve_auth_token_data(token: str) -> dict | None:
+    """Validate auth token against Redis and return token data.
 
+    Args:
+        token: The raw authentication token string.
+
+    Returns:
+        Token data dict if valid, None if invalid/expired.
+    """
     try:
         redis = await get_async_redis_connection()
         redis_key = REDIS_AUTH_KEY_PREFIX + token
@@ -439,13 +442,97 @@ async def retrieve_auth_token_data_from_redis(request: Request) -> dict | None:
         logger.error("Error decoding token data from Redis")
         return None
     except Exception as e:
-        logger.error(
-            f"Unexpected error in retrieve_auth_token_data_from_redis: {str(e)}"
-        )
-        raise ValueError(
-            f"Unexpected error in retrieve_auth_token_data_from_redis: {str(e)}"
+        logger.error(f"Unexpected error in retrieve_auth_token_data: {str(e)}")
+        raise ValueError(f"Unexpected error in retrieve_auth_token_data: {str(e)}")
+
+
+async def retrieve_auth_token_data_from_redis(request: Request) -> dict | None:
+    """Validate auth token from request cookie. Wrapper for backwards compatibility."""
+    token = request.cookies.get(FASTAPI_USERS_AUTH_COOKIE_NAME)
+    if not token:
+        logger.debug("No auth token cookie found")
+        return None
+    return await retrieve_auth_token_data(token)
+
+
+# WebSocket token prefix (separate from regular auth tokens)
+REDIS_WS_TOKEN_PREFIX = "ws_token:"
+# WebSocket tokens expire after 60 seconds
+WS_TOKEN_TTL_SECONDS = 60
+# Rate limit: max tokens per user per window
+WS_TOKEN_RATE_LIMIT_MAX = 10
+WS_TOKEN_RATE_LIMIT_WINDOW_SECONDS = 60
+REDIS_WS_TOKEN_RATE_LIMIT_PREFIX = "ws_token_rate:"
+
+
+class WsTokenRateLimitExceeded(Exception):
+    """Raised when a user exceeds the WS token generation rate limit."""
+
+
+async def store_ws_token(token: str, user_id: str) -> None:
+    """Store a short-lived WebSocket authentication token in Redis.
+
+    Args:
+        token: The generated WS token.
+        user_id: The user ID to associate with this token.
+
+    Raises:
+        WsTokenRateLimitExceeded: If the user has exceeded the rate limit.
+    """
+    redis = await get_async_redis_connection()
+
+    # Atomically increment and check rate limit to avoid TOCTOU races
+    rate_limit_key = REDIS_WS_TOKEN_RATE_LIMIT_PREFIX + user_id
+    pipe = redis.pipeline()
+    pipe.incr(rate_limit_key)
+    pipe.expire(rate_limit_key, WS_TOKEN_RATE_LIMIT_WINDOW_SECONDS)
+    results = await pipe.execute()
+    new_count = results[0]
+
+    if new_count > WS_TOKEN_RATE_LIMIT_MAX:
+        # Over limit — decrement back since we won't use this slot
+        await redis.decr(rate_limit_key)
+        logger.warning(f"WS token rate limit exceeded for user {user_id}")
+        raise WsTokenRateLimitExceeded(
+            f"Rate limit exceeded. Maximum {WS_TOKEN_RATE_LIMIT_MAX} tokens per minute."
         )
 
+    # Store the actual token
+    redis_key = REDIS_WS_TOKEN_PREFIX + token
+    token_data = json.dumps({"sub": user_id})
+    await redis.set(redis_key, token_data, ex=WS_TOKEN_TTL_SECONDS)
+
+
+async def retrieve_ws_token_data(token: str) -> dict | None:
+    """Validate a WebSocket token and return the token data.
+
+    This uses GETDEL for atomic get-and-delete to prevent race conditions
+    where the same token could be used twice.
+
+    Args:
+        token: The WS token to validate.
+
+    Returns:
+        Token data dict with 'sub' (user ID) if valid, None if invalid/expired.
+    """
+    try:
+        redis = await get_async_redis_connection()
+        redis_key = REDIS_WS_TOKEN_PREFIX + token
+
+        # Atomic get-and-delete to prevent race conditions (Redis 6.2+)
+        token_data_str = await redis.getdel(redis_key)
+
+        if not token_data_str:
+            return None
+
+        return json.loads(token_data_str)
+    except json.JSONDecodeError:
+        logger.error("Error decoding WS token data from Redis")
+        return None
+    except Exception as e:
+        logger.error(f"Unexpected error in retrieve_ws_token_data: {str(e)}")
+        return None
+
 
 def redis_lock_dump(lock: RedisLock, r: Redis) -> None:
     # diagnostic logging for lock errors

backend/onyx/server/auth_check.py

@@ -9,6 +9,7 @@ from onyx.auth.users import current_chat_accessible_user
 from onyx.auth.users import current_curator_or_admin_user
 from onyx.auth.users import current_limited_user
 from onyx.auth.users import current_user
+from onyx.auth.users import current_user_from_websocket
 from onyx.auth.users import current_user_with_expired_token
 from onyx.configs.app_configs import APP_API_PREFIX
 from onyx.utils.variable_functionality import fetch_ee_implementation_or_noop
@@ -129,6 +130,7 @@ def check_router_auth(
                     or depends_fn == current_curator_or_admin_user
                     or depends_fn == current_user_with_expired_token
                     or depends_fn == current_chat_accessible_user
+                    or depends_fn == current_user_from_websocket
                     or depends_fn == control_plane_dep
                     or depends_fn == current_cloud_superuser
                     or depends_fn == verify_scim_token

backend/onyx/server/features/build/api/api.py

@@ -1,3 +1,4 @@
+import re
 from collections.abc import Iterator
 from pathlib import Path
 from uuid import UUID
@@ -40,6 +41,9 @@ from onyx.utils.logger import setup_logger
 
 logger = setup_logger()
 
+_TEMPLATES_DIR = Path(__file__).parent / "templates"
+_WEBAPP_HMR_FIXER_TEMPLATE = (_TEMPLATES_DIR / "webapp_hmr_fixer.js").read_text()
+
 
 def require_onyx_craft_enabled(user: User = Depends(current_user)) -> User:
     """
@@ -239,18 +243,62 @@ def _stream_response(response: httpx.Response) -> Iterator[bytes]:
         yield chunk
 
 
+def _inject_hmr_fixer(content: bytes, session_id: str) -> bytes:
+    """Inject a script that stubs root-scoped Next HMR websocket connections."""
+    base = f"/api/build/sessions/{session_id}/webapp"
+    script = f"<script>{_WEBAPP_HMR_FIXER_TEMPLATE.replace('__WEBAPP_BASE__', base)}</script>"
+    text = content.decode("utf-8")
+    text = re.sub(
+        r"(<head\b[^>]*>)",
+        lambda m: m.group(0) + script,
+        text,
+        count=1,
+        flags=re.IGNORECASE,
+    )
+    return text.encode("utf-8")
+
+
 def _rewrite_asset_paths(content: bytes, session_id: str) -> bytes:
     """Rewrite Next.js asset paths to go through the proxy."""
-    import re
-
-    # Base path includes session_id for routing
     webapp_base_path = f"/api/build/sessions/{session_id}/webapp"
+    escaped_webapp_base_path = webapp_base_path.replace("/", r"\/")
+    hmr_paths = ("/_next/webpack-hmr", "/_next/hmr")
 
     text = content.decode("utf-8")
-    # Rewrite /_next/ paths to go through our proxy
-    text = text.replace("/_next/", f"{webapp_base_path}/_next/")
-    # Rewrite JSON data file fetch paths (e.g., /data.json, /data/tickets.json)
-    # Matches paths like "/filename.json" or "/path/to/file.json"
+    # Anchor on delimiter so already-prefixed URLs (from assetPrefix) aren't double-rewritten.
+    for delim in ('"', "'", "("):
+        text = text.replace(f"{delim}/_next/", f"{delim}{webapp_base_path}/_next/")
+        text = re.sub(
+            rf"{re.escape(delim)}https?://[^/\"')]+/_next/",
+            f"{delim}{webapp_base_path}/_next/",
+            text,
+        )
+        text = re.sub(
+            rf"{re.escape(delim)}wss?://[^/\"')]+/_next/",
+            f"{delim}{webapp_base_path}/_next/",
+            text,
+        )
+    text = text.replace(r"\/_next\/", rf"{escaped_webapp_base_path}\/_next\/")
+    text = re.sub(
+        r"https?:\\\/\\\/[^\"']+?\\\/_next\\\/",
+        rf"{escaped_webapp_base_path}\/_next\/",
+        text,
+    )
+    text = re.sub(
+        r"wss?:\\\/\\\/[^\"']+?\\\/_next\\\/",
+        rf"{escaped_webapp_base_path}\/_next\/",
+        text,
+    )
+    for hmr_path in hmr_paths:
+        escaped_hmr_path = hmr_path.replace("/", r"\/")
+        text = text.replace(
+            f"{webapp_base_path}{hmr_path}",
+            hmr_path,
+        )
+        text = text.replace(
+            f"{escaped_webapp_base_path}{escaped_hmr_path}",
+            escaped_hmr_path,
+        )
     text = re.sub(
         r'"(/(?:[a-zA-Z0-9_-]+/)*[a-zA-Z0-9_-]+\.json)"',
         f'"{webapp_base_path}\\1"',
@@ -261,11 +309,29 @@ def _rewrite_asset_paths(content: bytes, session_id: str) -> bytes:
         f"'{webapp_base_path}\\1'",
         text,
     )
-    # Rewrite favicon
     text = text.replace('"/favicon.ico', f'"{webapp_base_path}/favicon.ico')
     return text.encode("utf-8")
 
 
+def _rewrite_proxy_response_headers(
+    headers: dict[str, str], session_id: str
+) -> dict[str, str]:
+    """Rewrite response headers that can leak root-scoped asset URLs."""
+    link = headers.get("link")
+    if link:
+        webapp_base_path = f"/api/build/sessions/{session_id}/webapp"
+        rewritten_link = re.sub(
+            r"<https?://[^>]+/_next/",
+            f"<{webapp_base_path}/_next/",
+            link,
+        )
+        rewritten_link = rewritten_link.replace(
+            "</_next/", f"<{webapp_base_path}/_next/"
+        )
+        headers["link"] = rewritten_link
+    return headers
+
+
 # Content types that may contain asset path references that need rewriting
 REWRITABLE_CONTENT_TYPES = {
     "text/html",
@@ -342,12 +408,17 @@ def _proxy_request(
                 for key, value in response.headers.items()
                 if key.lower() not in EXCLUDED_HEADERS
             }
+            response_headers = _rewrite_proxy_response_headers(
+                response_headers, str(session_id)
+            )
 
             content_type = response.headers.get("content-type", "")
 
             # For HTML/CSS/JS responses, rewrite asset paths
             if any(ct in content_type for ct in REWRITABLE_CONTENT_TYPES):
                 content = _rewrite_asset_paths(response.content, str(session_id))
+                if "text/html" in content_type:
+                    content = _inject_hmr_fixer(content, str(session_id))
                 return Response(
                     content=content,
                     status_code=response.status_code,
@@ -391,7 +462,7 @@ def _check_webapp_access(
     return session
 
 
-_OFFLINE_HTML_PATH = Path(__file__).parent / "templates" / "webapp_offline.html"
+_OFFLINE_HTML_PATH = _TEMPLATES_DIR / "webapp_offline.html"
 
 
 def _offline_html_response() -> Response:
@@ -399,6 +470,7 @@ def _offline_html_response() -> Response:
 
     Design mirrors the default Craft web template (outputs/web/app/page.tsx):
     terminal window aesthetic with Minecraft-themed typing animation.
+
     """
     html = _OFFLINE_HTML_PATH.read_text()
     return Response(content=html, status_code=503, media_type="text/html")

backend/onyx/server/features/build/api/templates/webapp_hmr_fixer.js

@@ -0,0 +1,135 @@
+(function () {
+  var WEBAPP_BASE = "__WEBAPP_BASE__";
+  var PROXIED_NEXT_PREFIX = WEBAPP_BASE + "/_next/";
+  var PROXIED_HMR_PREFIX = WEBAPP_BASE + "/_next/webpack-hmr";
+  var PROXIED_ALT_HMR_PREFIX = WEBAPP_BASE + "/_next/hmr";
+
+  function isHmrWebSocketUrl(url) {
+    if (!url) return false;
+    try {
+      var parsedUrl = new URL(String(url), window.location.href);
+      return (
+        parsedUrl.pathname.indexOf("/_next/webpack-hmr") === 0 ||
+        parsedUrl.pathname.indexOf("/_next/hmr") === 0 ||
+        parsedUrl.pathname.indexOf(PROXIED_HMR_PREFIX) === 0 ||
+        parsedUrl.pathname.indexOf(PROXIED_ALT_HMR_PREFIX) === 0
+      );
+    } catch (e) {}
+    if (typeof url === "string") {
+      return (
+        url.indexOf("/_next/webpack-hmr") === 0 ||
+        url.indexOf("/_next/hmr") === 0 ||
+        url.indexOf(PROXIED_HMR_PREFIX) === 0 ||
+        url.indexOf(PROXIED_ALT_HMR_PREFIX) === 0
+      );
+    }
+    return false;
+  }
+
+  function rewriteNextAssetUrl(url) {
+    if (!url) return url;
+    try {
+      var parsedUrl = new URL(String(url), window.location.href);
+      if (parsedUrl.pathname.indexOf(PROXIED_NEXT_PREFIX) === 0) {
+        return parsedUrl.pathname + parsedUrl.search + parsedUrl.hash;
+      }
+      if (parsedUrl.pathname.indexOf("/_next/") === 0) {
+        return (
+          WEBAPP_BASE + parsedUrl.pathname + parsedUrl.search + parsedUrl.hash
+        );
+      }
+    } catch (e) {}
+    if (typeof url === "string") {
+      if (url.indexOf(PROXIED_NEXT_PREFIX) === 0) {
+        return url;
+      }
+      if (url.indexOf("/_next/") === 0) {
+        return WEBAPP_BASE + url;
+      }
+    }
+    return url;
+  }
+
+  function createEvent(eventType) {
+    return typeof Event === "function"
+      ? new Event(eventType)
+      : { type: eventType };
+  }
+
+  function MockHmrWebSocket(url) {
+    this.url = String(url);
+    this.readyState = 1;
+    this.bufferedAmount = 0;
+    this.extensions = "";
+    this.protocol = "";
+    this.binaryType = "blob";
+    this.onopen = null;
+    this.onmessage = null;
+    this.onerror = null;
+    this.onclose = null;
+    this._l = {};
+    var socket = this;
+    setTimeout(function () {
+      socket._d("open", createEvent("open"));
+    }, 0);
+  }
+
+  MockHmrWebSocket.CONNECTING = 0;
+  MockHmrWebSocket.OPEN = 1;
+  MockHmrWebSocket.CLOSING = 2;
+  MockHmrWebSocket.CLOSED = 3;
+
+  MockHmrWebSocket.prototype.addEventListener = function (eventType, callback) {
+    (this._l[eventType] || (this._l[eventType] = [])).push(callback);
+  };
+
+  MockHmrWebSocket.prototype.removeEventListener = function (
+    eventType,
+    callback,
+  ) {
+    var listeners = this._l[eventType] || [];
+    this._l[eventType] = listeners.filter(function (listener) {
+      return listener !== callback;
+    });
+  };
+
+  MockHmrWebSocket.prototype._d = function (eventType, eventValue) {
+    var listeners = this._l[eventType] || [];
+    for (var i = 0; i < listeners.length; i++) {
+      listeners[i].call(this, eventValue);
+    }
+    var handler = this["on" + eventType];
+    if (typeof handler === "function") {
+      handler.call(this, eventValue);
+    }
+  };
+
+  MockHmrWebSocket.prototype.send = function () {};
+
+  MockHmrWebSocket.prototype.close = function (code, reason) {
+    if (this.readyState >= 2) return;
+    this.readyState = 3;
+    var closeEvent = createEvent("close");
+    closeEvent.code = code === undefined ? 1000 : code;
+    closeEvent.reason = reason || "";
+    closeEvent.wasClean = true;
+    this._d("close", closeEvent);
+  };
+
+  if (window.WebSocket) {
+    var OriginalWebSocket = window.WebSocket;
+    window.WebSocket = function (url, protocols) {
+      if (isHmrWebSocketUrl(url)) {
+        return new MockHmrWebSocket(rewriteNextAssetUrl(url));
+      }
+      return protocols === undefined
+        ? new OriginalWebSocket(url)
+        : new OriginalWebSocket(url, protocols);
+    };
+    window.WebSocket.prototype = OriginalWebSocket.prototype;
+    Object.setPrototypeOf(window.WebSocket, OriginalWebSocket);
+    ["CONNECTING", "OPEN", "CLOSING", "CLOSED"].forEach(function (stateKey) {
+      window.WebSocket[stateKey] = OriginalWebSocket[stateKey];
+    });
+  }
+})();

backend/onyx/server/features/projects/projects_file_utils.py

@@ -157,10 +157,13 @@ def categorize_uploaded_files(
     """
     Categorize uploaded files based on text extractability and tokenized length.
 
-    - Extracts text using extract_file_text for supported plain/document extensions.
+    - Images are estimated for token cost via a patch-based heuristic.
+    - All other files are run through extract_file_text, which handles known
+      document formats (.pdf, .docx, …) and falls back to a text-detection
+      heuristic for unknown extensions (.py, .js, .rs, …).
     - Uses default tokenizer to compute token length.
-    - If token length > 100,000, reject file (unless threshold skip is enabled).
-    - If extension unsupported or text cannot be extracted, reject file.
+    - If token length > threshold, reject file (unless threshold skip is enabled).
+    - If text cannot be extracted, reject file.
     - Otherwise marked as acceptable.
     """
 
@@ -217,8 +220,7 @@ def categorize_uploaded_files(
                     )
                     results.rejected.append(
                         RejectedFile(
-                            filename=filename,
-                            reason=f"Unsupported file type: {extension}",
+                            filename=filename, reason="Unsupported file contents"
                         )
                     )
                     continue
@@ -235,8 +237,10 @@ def categorize_uploaded_files(
                     results.acceptable_file_to_token_count[filename] = token_count
                 continue
 
-            # Otherwise, handle as text/document: extract text and count tokens
-            elif extension in OnyxFileExtensions.ALL_ALLOWED_EXTENSIONS:
+            # Handle as text/document: attempt text extraction and count tokens.
+            # This accepts any file that extract_file_text can handle, including
+            # code files (.py, .js, .rs, etc.) via its is_text_file() fallback.
+            else:
                 if is_file_password_protected(
                     file=upload.file,
                     file_name=filename,
@@ -259,7 +263,10 @@ def categorize_uploaded_files(
                 if not text_content:
                     logger.warning(f"No text content extracted from '{filename}'")
                     results.rejected.append(
-                        RejectedFile(filename=filename, reason="Could not read file")
+                        RejectedFile(
+                            filename=filename,
+                            reason=f"Unsupported file type: {extension}",
+                        )
                     )
                     continue
 
@@ -282,17 +289,6 @@ def categorize_uploaded_files(
                     logger.warning(
                         f"Failed to reset file pointer for '{filename}': {str(e)}"
                     )
-                continue
-
-            # If not recognized as supported types above, mark unsupported
-            logger.warning(
-                f"Unsupported file extension '{extension}' for file '{filename}'"
-            )
-            results.rejected.append(
-                RejectedFile(
-                    filename=filename, reason=f"Unsupported file type: {extension}"
-                )
-            )
         except Exception as e:
             logger.warning(
                 f"Failed to process uploaded file '{get_safe_filename(upload)}' (error_type={type(e).__name__}, error={str(e)})"

backend/onyx/server/manage/models.py

@@ -85,6 +85,11 @@ class UserPreferences(BaseModel):
     chat_background: str | None = None
     default_app_mode: DefaultAppMode = DefaultAppMode.CHAT
 
+    # Voice preferences
+    voice_auto_send: bool | None = None
+    voice_auto_playback: bool | None = None
+    voice_playback_speed: float | None = None
+
     # controls which tools are enabled for the user for a specific assistant
     assistant_specific_configs: UserSpecificAssistantPreferences | None = None
 
@@ -164,6 +169,9 @@ class UserInfo(BaseModel):
                     theme_preference=user.theme_preference,
                     chat_background=user.chat_background,
                     default_app_mode=user.default_app_mode,
+                    voice_auto_send=user.voice_auto_send,
+                    voice_auto_playback=user.voice_auto_playback,
+                    voice_playback_speed=user.voice_playback_speed,
                     assistant_specific_configs=assistant_specific_configs,
                 )
             ),
@@ -240,6 +248,12 @@ class ChatBackgroundRequest(BaseModel):
     chat_background: str | None
 
 
+class VoiceSettingsUpdateRequest(BaseModel):
+    auto_send: bool | None = None
+    auto_playback: bool | None = None
+    playback_speed: float | None = Field(default=None, ge=0.5, le=2.0)
+
+
 class PersonalizationUpdateRequest(BaseModel):
     name: str | None = None
     role: str | None = None

backend/onyx/server/manage/voice/api.py

@@ -0,0 +1,322 @@
+from fastapi import APIRouter
+from fastapi import Depends
+from fastapi import Response
+from sqlalchemy.orm import Session
+
+from onyx.auth.users import current_admin_user
+from onyx.db.engine.sql_engine import get_session
+from onyx.db.models import LLMProvider as LLMProviderModel
+from onyx.db.models import User
+from onyx.db.models import VoiceProvider
+from onyx.db.voice import deactivate_stt_provider
+from onyx.db.voice import deactivate_tts_provider
+from onyx.db.voice import delete_voice_provider
+from onyx.db.voice import fetch_voice_provider_by_id
+from onyx.db.voice import fetch_voice_provider_by_type
+from onyx.db.voice import fetch_voice_providers
+from onyx.db.voice import set_default_stt_provider
+from onyx.db.voice import set_default_tts_provider
+from onyx.db.voice import upsert_voice_provider
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
+from onyx.server.manage.voice.models import VoiceOption
+from onyx.server.manage.voice.models import VoiceProviderTestRequest
+from onyx.server.manage.voice.models import VoiceProviderUpdateSuccess
+from onyx.server.manage.voice.models import VoiceProviderUpsertRequest
+from onyx.server.manage.voice.models import VoiceProviderView
+from onyx.utils.logger import setup_logger
+from onyx.utils.url import SSRFException
+from onyx.utils.url import validate_outbound_http_url
+from onyx.voice.factory import get_voice_provider
+
+logger = setup_logger()
+
+admin_router = APIRouter(prefix="/admin/voice")
+
+VOICE_PROVIDER_VALIDATION_FAILURE_MESSAGE = (
+    "Connection test failed. Please verify your API key and settings."
+)
+
+
+def _validate_voice_api_base(provider_type: str, api_base: str | None) -> str | None:
+    """Validate and normalize provider api_base / target URI."""
+    if api_base is None:
+        return None
+
+    allow_private_network = provider_type.lower() == "azure"
+    try:
+        return validate_outbound_http_url(
+            api_base, allow_private_network=allow_private_network
+        )
+    except (ValueError, SSRFException) as e:
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            f"Invalid target URI: {str(e)}",
+        ) from e
+
+
+def _provider_to_view(provider: VoiceProvider) -> VoiceProviderView:
+    """Convert a VoiceProvider model to a VoiceProviderView."""
+    return VoiceProviderView(
+        id=provider.id,
+        name=provider.name,
+        provider_type=provider.provider_type,
+        is_default_stt=provider.is_default_stt,
+        is_default_tts=provider.is_default_tts,
+        stt_model=provider.stt_model,
+        tts_model=provider.tts_model,
+        default_voice=provider.default_voice,
+        has_api_key=bool(provider.api_key),
+        target_uri=provider.api_base,  # api_base stores the target URI for Azure
+    )
+
+
+@admin_router.get("/providers")
+def list_voice_providers(
+    _: User = Depends(current_admin_user),
+    db_session: Session = Depends(get_session),
+) -> list[VoiceProviderView]:
+    """List all configured voice providers."""
+    providers = fetch_voice_providers(db_session)
+    return [_provider_to_view(provider) for provider in providers]
+
+
+@admin_router.post("/providers")
+async def upsert_voice_provider_endpoint(
+    request: VoiceProviderUpsertRequest,
+    _: User = Depends(current_admin_user),
+    db_session: Session = Depends(get_session),
+) -> VoiceProviderView:
+    """Create or update a voice provider."""
+    api_key = request.api_key
+    api_key_changed = request.api_key_changed
+
+    # If llm_provider_id is specified, copy the API key from that LLM provider
+    if request.llm_provider_id is not None:
+        llm_provider = db_session.get(LLMProviderModel, request.llm_provider_id)
+        if llm_provider is None:
+            raise OnyxError(
+                OnyxErrorCode.NOT_FOUND,
+                f"LLM provider with id {request.llm_provider_id} not found.",
+            )
+        if llm_provider.api_key is None:
+            raise OnyxError(
+                OnyxErrorCode.VALIDATION_ERROR,
+                "Selected LLM provider has no API key configured.",
+            )
+        api_key = llm_provider.api_key.get_value(apply_mask=False)
+        api_key_changed = True
+
+    # Use target_uri if provided, otherwise fall back to api_base
+    api_base = _validate_voice_api_base(
+        request.provider_type, request.target_uri or request.api_base
+    )
+
+    provider = upsert_voice_provider(
+        db_session=db_session,
+        provider_id=request.id,
+        name=request.name,
+        provider_type=request.provider_type,
+        api_key=api_key,
+        api_key_changed=api_key_changed,
+        api_base=api_base,
+        custom_config=request.custom_config,
+        stt_model=request.stt_model,
+        tts_model=request.tts_model,
+        default_voice=request.default_voice,
+        activate_stt=request.activate_stt,
+        activate_tts=request.activate_tts,
+    )
+
+    # Validate credentials before committing - rollback on failure
+    try:
+        voice_provider = get_voice_provider(provider)
+        await voice_provider.validate_credentials()
+    except OnyxError:
+        db_session.rollback()
+        raise
+    except Exception as e:
+        db_session.rollback()
+        logger.error(f"Voice provider credential validation failed on save: {e}")
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            VOICE_PROVIDER_VALIDATION_FAILURE_MESSAGE,
+        ) from e
+
+    db_session.commit()
+
+    return _provider_to_view(provider)
+
+
+@admin_router.delete(
+    "/providers/{provider_id}", status_code=204, response_class=Response
+)
+def delete_voice_provider_endpoint(
+    provider_id: int,
+    _: User = Depends(current_admin_user),
+    db_session: Session = Depends(get_session),
+) -> Response:
+    """Delete a voice provider."""
+    delete_voice_provider(db_session, provider_id)
+    db_session.commit()
+    return Response(status_code=204)
+
+
+@admin_router.post("/providers/{provider_id}/activate-stt")
+def activate_stt_provider_endpoint(
+    provider_id: int,
+    _: User = Depends(current_admin_user),
+    db_session: Session = Depends(get_session),
+) -> VoiceProviderView:
+    """Set a voice provider as the default STT provider."""
+    provider = set_default_stt_provider(db_session=db_session, provider_id=provider_id)
+    db_session.commit()
+    return _provider_to_view(provider)
+
+
+@admin_router.post("/providers/{provider_id}/deactivate-stt")
+def deactivate_stt_provider_endpoint(
+    provider_id: int,
+    _: User = Depends(current_admin_user),
+    db_session: Session = Depends(get_session),
+) -> VoiceProviderUpdateSuccess:
+    """Remove the default STT status from a voice provider."""
+    deactivate_stt_provider(db_session=db_session, provider_id=provider_id)
+    db_session.commit()
+    return VoiceProviderUpdateSuccess()
+
+
+@admin_router.post("/providers/{provider_id}/activate-tts")
+def activate_tts_provider_endpoint(
+    provider_id: int,
+    tts_model: str | None = None,
+    _: User = Depends(current_admin_user),
+    db_session: Session = Depends(get_session),
+) -> VoiceProviderView:
+    """Set a voice provider as the default TTS provider."""
+    provider = set_default_tts_provider(
+        db_session=db_session, provider_id=provider_id, tts_model=tts_model
+    )
+    db_session.commit()
+    return _provider_to_view(provider)
+
+
+@admin_router.post("/providers/{provider_id}/deactivate-tts")
+def deactivate_tts_provider_endpoint(
+    provider_id: int,
+    _: User = Depends(current_admin_user),
+    db_session: Session = Depends(get_session),
+) -> VoiceProviderUpdateSuccess:
+    """Remove the default TTS status from a voice provider."""
+    deactivate_tts_provider(db_session=db_session, provider_id=provider_id)
+    db_session.commit()
+    return VoiceProviderUpdateSuccess()
+
+
+@admin_router.post("/providers/test")
+async def test_voice_provider(
+    request: VoiceProviderTestRequest,
+    _: User = Depends(current_admin_user),
+    db_session: Session = Depends(get_session),
+) -> VoiceProviderUpdateSuccess:
+    """Test a voice provider connection by making a real API call."""
+    api_key = request.api_key
+
+    if request.use_stored_key:
+        existing_provider = fetch_voice_provider_by_type(
+            db_session, request.provider_type
+        )
+        if existing_provider is None or not existing_provider.api_key:
+            raise OnyxError(
+                OnyxErrorCode.VALIDATION_ERROR,
+                "No stored API key found for this provider type.",
+            )
+        api_key = existing_provider.api_key.get_value(apply_mask=False)
+
+    if not api_key:
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "API key is required. Either provide api_key or set use_stored_key to true.",
+        )
+
+    # Use target_uri if provided, otherwise fall back to api_base
+    api_base = _validate_voice_api_base(
+        request.provider_type, request.target_uri or request.api_base
+    )
+
+    # Create a temporary VoiceProvider for testing (not saved to DB)
+    temp_provider = VoiceProvider(
+        name="__test__",
+        provider_type=request.provider_type,
+        api_base=api_base,
+        custom_config=request.custom_config or {},
+    )
+    temp_provider.api_key = api_key  # type: ignore[assignment]
+
+    try:
+        provider = get_voice_provider(temp_provider)
+    except ValueError as exc:
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, str(exc)) from exc
+
+    # Validate credentials with a real API call
+    try:
+        await provider.validate_credentials()
+    except OnyxError:
+        raise
+    except Exception as e:
+        logger.error(f"Voice provider connection test failed: {e}")
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            VOICE_PROVIDER_VALIDATION_FAILURE_MESSAGE,
+        ) from e
+
+    logger.info(f"Voice provider test succeeded for {request.provider_type}.")
+    return VoiceProviderUpdateSuccess()
+
+
+@admin_router.get("/providers/{provider_id}/voices")
+def get_provider_voices(
+    provider_id: int,
+    _: User = Depends(current_admin_user),
+    db_session: Session = Depends(get_session),
+) -> list[VoiceOption]:
+    """Get available voices for a provider."""
+    provider_db = fetch_voice_provider_by_id(db_session, provider_id)
+    if provider_db is None:
+        raise OnyxError(OnyxErrorCode.NOT_FOUND, "Voice provider not found.")
+
+    if not provider_db.api_key:
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR, "Provider has no API key configured."
+        )
+
+    try:
+        provider = get_voice_provider(provider_db)
+    except ValueError as exc:
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, str(exc)) from exc
+
+    return [VoiceOption(**voice) for voice in provider.get_available_voices()]
+
+
+@admin_router.get("/voices")
+def get_voices_by_type(
+    provider_type: str,
+    _: User = Depends(current_admin_user),
+) -> list[VoiceOption]:
+    """Get available voices for a provider type.
+
+    For providers like ElevenLabs and OpenAI, this fetches voices
+    without requiring an existing provider configuration.
+    """
+    # Create a temporary VoiceProvider to get static voice list
+    temp_provider = VoiceProvider(
+        name="__temp__",
+        provider_type=provider_type,
+    )
+
+    try:
+        provider = get_voice_provider(temp_provider)
+    except ValueError as exc:
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, str(exc)) from exc
+
+    return [VoiceOption(**voice) for voice in provider.get_available_voices()]

backend/onyx/server/manage/voice/models.py

@@ -0,0 +1,95 @@
+from typing import Any
+
+from pydantic import BaseModel
+from pydantic import Field
+
+
+class VoiceProviderView(BaseModel):
+    """Response model for voice provider listing."""
+
+    id: int
+    name: str
+    provider_type: str  # "openai", "azure", "elevenlabs"
+    is_default_stt: bool
+    is_default_tts: bool
+    stt_model: str | None
+    tts_model: str | None
+    default_voice: str | None
+    has_api_key: bool = Field(
+        default=False,
+        description="Indicates whether an API key is stored for this provider.",
+    )
+    target_uri: str | None = Field(
+        default=None,
+        description="Target URI for Azure Speech Services.",
+    )
+
+
+class VoiceProviderUpdateSuccess(BaseModel):
+    """Simple status response for voice provider actions."""
+
+    status: str = "ok"
+
+
+class VoiceOption(BaseModel):
+    """Voice option returned by voice providers."""
+
+    id: str
+    name: str
+
+
+class VoiceProviderUpsertRequest(BaseModel):
+    """Request model for creating or updating a voice provider."""
+
+    id: int | None = Field(default=None, description="Existing provider ID to update.")
+    name: str
+    provider_type: str  # "openai", "azure", "elevenlabs"
+    api_key: str | None = Field(
+        default=None,
+        description="API key for the provider.",
+    )
+    api_key_changed: bool = Field(
+        default=False,
+        description="Set to true when providing a new API key for an existing provider.",
+    )
+    llm_provider_id: int | None = Field(
+        default=None,
+        description="If set, copies the API key from the specified LLM provider.",
+    )
+    api_base: str | None = None
+    target_uri: str | None = Field(
+        default=None,
+        description="Target URI for Azure Speech Services (maps to api_base).",
+    )
+    custom_config: dict[str, Any] | None = None
+    stt_model: str | None = None
+    tts_model: str | None = None
+    default_voice: str | None = None
+    activate_stt: bool = Field(
+        default=False,
+        description="If true, sets this provider as the default STT provider after upsert.",
+    )
+    activate_tts: bool = Field(
+        default=False,
+        description="If true, sets this provider as the default TTS provider after upsert.",
+    )
+
+
+class VoiceProviderTestRequest(BaseModel):
+    """Request model for testing a voice provider connection."""
+
+    provider_type: str
+    api_key: str | None = Field(
+        default=None,
+        description="API key for testing. If not provided, use_stored_key must be true.",
+    )
+    use_stored_key: bool = Field(
+        default=False,
+        description="If true, use the stored API key for this provider type.",
+    )
+    api_base: str | None = None
+    target_uri: str | None = Field(
+        default=None,
+        description="Target URI for Azure Speech Services (maps to api_base).",
+    )
+    custom_config: dict[str, Any] | None = None

backend/onyx/server/manage/voice/user_api.py

@@ -0,0 +1,251 @@
+import secrets
+from collections.abc import AsyncIterator
+
+from fastapi import APIRouter
+from fastapi import Depends
+from fastapi import File
+from fastapi import Query
+from fastapi import UploadFile
+from fastapi.responses import StreamingResponse
+from pydantic import BaseModel
+from sqlalchemy.orm import Session
+
+from onyx.auth.users import current_user
+from onyx.db.engine.sql_engine import get_session
+from onyx.db.engine.sql_engine import get_session_with_current_tenant
+from onyx.db.models import User
+from onyx.db.voice import fetch_default_stt_provider
+from onyx.db.voice import fetch_default_tts_provider
+from onyx.db.voice import update_user_voice_settings
+from onyx.error_handling.error_codes import OnyxErrorCode
+from onyx.error_handling.exceptions import OnyxError
+from onyx.redis.redis_pool import store_ws_token
+from onyx.redis.redis_pool import WsTokenRateLimitExceeded
+from onyx.server.manage.models import VoiceSettingsUpdateRequest
+from onyx.utils.logger import setup_logger
+from onyx.voice.factory import get_voice_provider
+
+logger = setup_logger()
+
+router = APIRouter(prefix="/voice")
+
+# Max audio file size: 25MB (Whisper limit)
+MAX_AUDIO_SIZE = 25 * 1024 * 1024
+# Chunk size for streaming uploads (8KB)
+UPLOAD_READ_CHUNK_SIZE = 8192
+
+
+class VoiceStatusResponse(BaseModel):
+    stt_enabled: bool
+    tts_enabled: bool
+
+
+@router.get("/status")
+def get_voice_status(
+    _: User = Depends(current_user),
+    db_session: Session = Depends(get_session),
+) -> VoiceStatusResponse:
+    """Check whether STT and TTS providers are configured and ready."""
+    stt_provider = fetch_default_stt_provider(db_session)
+    tts_provider = fetch_default_tts_provider(db_session)
+    return VoiceStatusResponse(
+        stt_enabled=stt_provider is not None and stt_provider.api_key is not None,
+        tts_enabled=tts_provider is not None and tts_provider.api_key is not None,
+    )
+
+
+@router.post("/transcribe")
+async def transcribe_audio(
+    audio: UploadFile = File(...),
+    _: User = Depends(current_user),
+    db_session: Session = Depends(get_session),
+) -> dict[str, str]:
+    """Transcribe audio to text using the default STT provider."""
+    provider_db = fetch_default_stt_provider(db_session)
+    if provider_db is None:
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "No speech-to-text provider configured. Please contact your administrator.",
+        )
+
+    if not provider_db.api_key:
+        raise OnyxError(
+            OnyxErrorCode.VALIDATION_ERROR,
+            "Voice provider API key not configured.",
+        )
+
+    # Read in chunks to enforce size limit during streaming (prevents OOM attacks)
+    chunks: list[bytes] = []
+    total = 0
+    while chunk := await audio.read(UPLOAD_READ_CHUNK_SIZE):
+        total += len(chunk)
+        if total > MAX_AUDIO_SIZE:
+            raise OnyxError(
+                OnyxErrorCode.PAYLOAD_TOO_LARGE,
+                f"Audio file too large. Maximum size is {MAX_AUDIO_SIZE // (1024 * 1024)}MB.",
+            )
+        chunks.append(chunk)
+    audio_data = b"".join(chunks)
+
+    # Extract format from filename
+    filename = audio.filename or "audio.webm"
+    audio_format = filename.rsplit(".", 1)[-1] if "." in filename else "webm"
+
+    try:
+        provider = get_voice_provider(provider_db)
+    except ValueError as exc:
+        raise OnyxError(OnyxErrorCode.INTERNAL_ERROR, str(exc)) from exc
+
+    try:
+        text = await provider.transcribe(audio_data, audio_format)
+        return {"text": text}
+    except NotImplementedError as exc:
+        raise OnyxError(
+            OnyxErrorCode.NOT_IMPLEMENTED,
+            f"Speech-to-text not implemented for {provider_db.provider_type}.",
+        ) from exc
+    except Exception as exc:
+        logger.error(f"Transcription failed: {exc}")
+        raise OnyxError(
+            OnyxErrorCode.INTERNAL_ERROR,
+            "Transcription failed. Please try again.",
+        ) from exc
+
+
+@router.post("/synthesize")
+async def synthesize_speech(
+    text: str | None = Query(
+        default=None, description="Text to synthesize", max_length=4096
+    ),
+    voice: str | None = Query(default=None, description="Voice ID to use"),
+    speed: float | None = Query(
+        default=None, description="Playback speed (0.5-2.0)", ge=0.5, le=2.0
+    ),
+    user: User = Depends(current_user),
+) -> StreamingResponse:
+    """
+    Synthesize text to speech using the default TTS provider.
+
+    Accepts parameters via query string for streaming compatibility.
+    """
+    logger.info(
+        f"TTS request: text length={len(text) if text else 0}, voice={voice}, speed={speed}"
+    )
+
+    if not text:
+        raise OnyxError(OnyxErrorCode.VALIDATION_ERROR, "Text is required")
+
+    # Use short-lived session to fetch provider config, then release connection
+    # before starting the long-running streaming response
+    with get_session_with_current_tenant() as db_session:
+        provider_db = fetch_default_tts_provider(db_session)
+        if provider_db is None:
+            logger.error("No TTS provider configured")
+            raise OnyxError(
+                OnyxErrorCode.VALIDATION_ERROR,
+                "No text-to-speech provider configured. Please contact your administrator.",
+            )
+
+        if not provider_db.api_key:
+            logger.error("TTS provider has no API key")
+            raise OnyxError(
+                OnyxErrorCode.VALIDATION_ERROR,
+                "Voice provider API key not configured.",
+            )
+
+        # Use request voice or provider default
+        final_voice = voice or provider_db.default_voice
+        # Use explicit None checks to avoid falsy float issues (0.0 would be skipped with `or`)
+        final_speed = (
+            speed
+            if speed is not None
+            else (
+                user.voice_playback_speed
+                if user.voice_playback_speed is not None
+                else 1.0
+            )
+        )
+
+        logger.info(
+            f"TTS using provider: {provider_db.provider_type}, voice: {final_voice}, speed: {final_speed}"
+        )
+
+        try:
+            provider = get_voice_provider(provider_db)
+        except ValueError as exc:
+            logger.error(f"Failed to get voice provider: {exc}")
+            raise OnyxError(OnyxErrorCode.INTERNAL_ERROR, str(exc)) from exc
+
+    # Session is now closed - streaming response won't hold DB connection
+    async def audio_stream() -> AsyncIterator[bytes]:
+        try:
+            chunk_count = 0
+            async for chunk in provider.synthesize_stream(
+                text=text, voice=final_voice, speed=final_speed
+            ):
+                chunk_count += 1
+                yield chunk
+            logger.info(f"TTS streaming complete: {chunk_count} chunks sent")
+        except NotImplementedError as exc:
+            logger.error(f"TTS not implemented: {exc}")
+            raise
+        except Exception as exc:
+            logger.error(f"Synthesis failed: {exc}")
+            raise
+
+    return StreamingResponse(
+        audio_stream(),
+        media_type="audio/mpeg",
+        headers={
+            "Content-Disposition": "inline; filename=speech.mp3",
+            # Allow streaming by not setting content-length
+            "Cache-Control": "no-cache",
+            "X-Accel-Buffering": "no",  # Disable nginx buffering
+        },
+    )
+
+
+@router.patch("/settings")
+def update_voice_settings(
+    request: VoiceSettingsUpdateRequest,
+    user: User = Depends(current_user),
+    db_session: Session = Depends(get_session),
+) -> dict[str, str]:
+    """Update user's voice settings."""
+    update_user_voice_settings(
+        db_session=db_session,
+        user_id=user.id,
+        auto_send=request.auto_send,
+        auto_playback=request.auto_playback,
+        playback_speed=request.playback_speed,
+    )
+    db_session.commit()
+    return {"status": "ok"}
+
+
+class WSTokenResponse(BaseModel):
+    token: str
+
+
+@router.post("/ws-token")
+async def get_ws_token(
+    user: User = Depends(current_user),
+) -> WSTokenResponse:
+    """
+    Generate a short-lived token for WebSocket authentication.
+
+    This token should be passed as a query parameter when connecting
+    to voice WebSocket endpoints (e.g., /voice/transcribe/stream?token=xxx).
+
+    The token expires after 60 seconds and is single-use.
+    Rate limited to 10 tokens per minute per user.
+    """
+    token = secrets.token_urlsafe(32)
+    try:
+        await store_ws_token(token, str(user.id))
+    except WsTokenRateLimitExceeded:
+        raise OnyxError(
+            OnyxErrorCode.RATE_LIMITED,
+            "Too many token requests. Please wait before requesting another.",
+        )
+    return WSTokenResponse(token=token)

backend/onyx/server/manage/voice/websocket_api.py

@@ -0,0 +1,860 @@
+"""WebSocket API for streaming speech-to-text and text-to-speech."""
+
+import asyncio
+import io
+import json
+import os
+from collections.abc import MutableMapping
+from typing import Any
+
+from fastapi import APIRouter
+from fastapi import Depends
+from fastapi import WebSocket
+from fastapi import WebSocketDisconnect
+from sqlalchemy.orm import Session
+
+from onyx.auth.users import current_user_from_websocket
+from onyx.db.engine.sql_engine import get_sqlalchemy_engine
+from onyx.db.models import User
+from onyx.db.voice import fetch_default_stt_provider
+from onyx.db.voice import fetch_default_tts_provider
+from onyx.utils.logger import setup_logger
+from onyx.voice.factory import get_voice_provider
+from onyx.voice.interface import StreamingSynthesizerProtocol
+from onyx.voice.interface import StreamingTranscriberProtocol
+from onyx.voice.interface import TranscriptResult
+
+logger = setup_logger()
+
+router = APIRouter(prefix="/voice")
+
+
+# Transcribe every ~0.5 seconds of audio (webm/opus is ~2-4KB/s, so ~1-2KB per 0.5s)
+MIN_CHUNK_BYTES = 1500
+VOICE_DISABLE_STREAMING_FALLBACK = (
+    os.environ.get("VOICE_DISABLE_STREAMING_FALLBACK", "").lower() == "true"
+)
+
+# WebSocket size limits to prevent memory exhaustion attacks
+WS_MAX_MESSAGE_SIZE = 64 * 1024  # 64KB per message (OWASP recommendation)
+WS_MAX_TOTAL_BYTES = 25 * 1024 * 1024  # 25MB total per connection (matches REST API)
+WS_MAX_TEXT_MESSAGE_SIZE = 16 * 1024  # 16KB for text/JSON messages
+WS_MAX_TTS_TEXT_LENGTH = 4096  # Max text length per synthesize call (matches REST API)
+
+
+class ChunkedTranscriber:
+    """Fallback transcriber for providers without streaming support."""
+
+    def __init__(self, provider: Any, audio_format: str = "webm"):
+        self.provider = provider
+        self.audio_format = audio_format
+        self.chunk_buffer = io.BytesIO()
+        self.full_audio = io.BytesIO()
+        self.chunk_bytes = 0
+        self.transcripts: list[str] = []
+
+    async def add_chunk(self, chunk: bytes) -> str | None:
+        """Add audio chunk. Returns transcript if enough audio accumulated."""
+        self.chunk_buffer.write(chunk)
+        self.full_audio.write(chunk)
+        self.chunk_bytes += len(chunk)
+
+        if self.chunk_bytes >= MIN_CHUNK_BYTES:
+            return await self._transcribe_chunk()
+        return None
+
+    async def _transcribe_chunk(self) -> str | None:
+        """Transcribe current chunk and append to running transcript."""
+        audio_data = self.chunk_buffer.getvalue()
+        if not audio_data:
+            return None
+
+        try:
+            transcript = await self.provider.transcribe(audio_data, self.audio_format)
+            self.chunk_buffer = io.BytesIO()
+            self.chunk_bytes = 0
+
+            if transcript and transcript.strip():
+                self.transcripts.append(transcript.strip())
+                return " ".join(self.transcripts)
+            return None
+        except Exception as e:
+            logger.error(f"Transcription error: {e}")
+            self.chunk_buffer = io.BytesIO()
+            self.chunk_bytes = 0
+            return None
+
+    async def flush(self) -> str:
+        """Get final transcript from full audio for best accuracy."""
+        full_audio_data = self.full_audio.getvalue()
+        if full_audio_data:
+            try:
+                transcript = await self.provider.transcribe(
+                    full_audio_data, self.audio_format
+                )
+                if transcript and transcript.strip():
+                    return transcript.strip()
+            except Exception as e:
+                logger.error(f"Final transcription error: {e}")
+        return " ".join(self.transcripts)
+
+
+async def handle_streaming_transcription(
+    websocket: WebSocket,
+    transcriber: StreamingTranscriberProtocol,
+) -> None:
+    """Handle transcription using native streaming API."""
+    logger.info("Streaming transcription: starting handler")
+    last_transcript = ""
+    chunk_count = 0
+    total_bytes = 0
+
+    async def receive_transcripts() -> None:
+        """Background task to receive and send transcripts."""
+        nonlocal last_transcript
+        logger.info("Streaming transcription: starting transcript receiver")
+        while True:
+            result: TranscriptResult | None = await transcriber.receive_transcript()
+            if result is None:  # End of stream
+                logger.info("Streaming transcription: transcript stream ended")
+                break
+            # Send if text changed OR if VAD detected end of speech (for auto-send trigger)
+            if result.text and (result.text != last_transcript or result.is_vad_end):
+                last_transcript = result.text
+                logger.debug(
+                    f"Streaming transcription: got transcript: {result.text[:50]}... "
+                    f"(is_vad_end={result.is_vad_end})"
+                )
+                await websocket.send_json(
+                    {
+                        "type": "transcript",
+                        "text": result.text,
+                        "is_final": result.is_vad_end,
+                    }
+                )
+
+    # Start receiving transcripts in background
+    receive_task = asyncio.create_task(receive_transcripts())
+
+    try:
+        while True:
+            message = await websocket.receive()
+            msg_type = message.get("type", "unknown")
+
+            if msg_type == "websocket.disconnect":
+                logger.info(
+                    f"Streaming transcription: client disconnected after {chunk_count} chunks ({total_bytes} bytes)"
+                )
+                break
+
+            if "bytes" in message:
+                chunk_size = len(message["bytes"])
+
+                # Enforce per-message size limit
+                if chunk_size > WS_MAX_MESSAGE_SIZE:
+                    logger.warning(
+                        f"Streaming transcription: message too large ({chunk_size} bytes)"
+                    )
+                    await websocket.send_json(
+                        {"type": "error", "message": "Message too large"}
+                    )
+                    break
+
+                # Enforce total connection size limit
+                if total_bytes + chunk_size > WS_MAX_TOTAL_BYTES:
+                    logger.warning(
+                        f"Streaming transcription: total size limit exceeded ({total_bytes + chunk_size} bytes)"
+                    )
+                    await websocket.send_json(
+                        {"type": "error", "message": "Total size limit exceeded"}
+                    )
+                    break
+
+                chunk_count += 1
+                total_bytes += chunk_size
+                logger.debug(
+                    f"Streaming transcription: received chunk {chunk_count} ({chunk_size} bytes, total: {total_bytes})"
+                )
+                await transcriber.send_audio(message["bytes"])
+
+            elif "text" in message:
+                try:
+                    data = json.loads(message["text"])
+                    logger.debug(
+                        f"Streaming transcription: received text message: {data}"
+                    )
+                    if data.get("type") == "end":
+                        logger.info(
+                            "Streaming transcription: end signal received, closing transcriber"
+                        )
+                        final_transcript = await transcriber.close()
+                        receive_task.cancel()
+                        logger.info(
+                            "Streaming transcription: final transcript: "
+                            f"{final_transcript[:100] if final_transcript else '(empty)'}..."
+                        )
+                        await websocket.send_json(
+                            {
+                                "type": "transcript",
+                                "text": final_transcript,
+                                "is_final": True,
+                            }
+                        )
+                        break
+                    elif data.get("type") == "reset":
+                        # Reset accumulated transcript after auto-send
+                        logger.info(
+                            "Streaming transcription: reset signal received, clearing transcript"
+                        )
+                        transcriber.reset_transcript()
+                except json.JSONDecodeError:
+                    logger.warning(
+                        f"Streaming transcription: failed to parse JSON: {message.get('text', '')[:100]}"
+                    )
+    except Exception as e:
+        logger.error(f"Streaming transcription: error: {e}", exc_info=True)
+        raise
+    finally:
+        receive_task.cancel()
+        try:
+            await receive_task
+        except asyncio.CancelledError:
+            pass
+        logger.info(
+            f"Streaming transcription: handler finished. Processed {chunk_count} chunks, {total_bytes} total bytes"
+        )
+
+
+async def handle_chunked_transcription(
+    websocket: WebSocket,
+    transcriber: ChunkedTranscriber,
+) -> None:
+    """Handle transcription using chunked batch API."""
+    logger.info("Chunked transcription: starting handler")
+    chunk_count = 0
+    total_bytes = 0
+
+    while True:
+        message = await websocket.receive()
+        msg_type = message.get("type", "unknown")
+
+        if msg_type == "websocket.disconnect":
+            logger.info(
+                f"Chunked transcription: client disconnected after {chunk_count} chunks ({total_bytes} bytes)"
+            )
+            break
+
+        if "bytes" in message:
+            chunk_size = len(message["bytes"])
+
+            # Enforce per-message size limit
+            if chunk_size > WS_MAX_MESSAGE_SIZE:
+                logger.warning(
+                    f"Chunked transcription: message too large ({chunk_size} bytes)"
+                )
+                await websocket.send_json(
+                    {"type": "error", "message": "Message too large"}
+                )
+                break
+
+            # Enforce total connection size limit
+            if total_bytes + chunk_size > WS_MAX_TOTAL_BYTES:
+                logger.warning(
+                    f"Chunked transcription: total size limit exceeded ({total_bytes + chunk_size} bytes)"
+                )
+                await websocket.send_json(
+                    {"type": "error", "message": "Total size limit exceeded"}
+                )
+                break
+
+            chunk_count += 1
+            total_bytes += chunk_size
+            logger.debug(
+                f"Chunked transcription: received chunk {chunk_count} ({chunk_size} bytes, total: {total_bytes})"
+            )
+
+            transcript = await transcriber.add_chunk(message["bytes"])
+            if transcript:
+                logger.debug(
+                    f"Chunked transcription: got transcript: {transcript[:50]}..."
+                )
+                await websocket.send_json(
+                    {
+                        "type": "transcript",
+                        "text": transcript,
+                        "is_final": False,
+                    }
+                )
+
+        elif "text" in message:
+            try:
+                data = json.loads(message["text"])
+                logger.debug(f"Chunked transcription: received text message: {data}")
+                if data.get("type") == "end":
+                    logger.info("Chunked transcription: end signal received, flushing")
+                    final_transcript = await transcriber.flush()
+                    logger.info(
+                        f"Chunked transcription: final transcript: {final_transcript[:100] if final_transcript else '(empty)'}..."
+                    )
+                    await websocket.send_json(
+                        {
+                            "type": "transcript",
+                            "text": final_transcript,
+                            "is_final": True,
+                        }
+                    )
+                    break
+            except json.JSONDecodeError:
+                logger.warning(
+                    f"Chunked transcription: failed to parse JSON: {message.get('text', '')[:100]}"
+                )
+
+    logger.info(
+        f"Chunked transcription: handler finished. Processed {chunk_count} chunks, {total_bytes} total bytes"
+    )
+
+
+@router.websocket("/transcribe/stream")
+async def websocket_transcribe(
+    websocket: WebSocket,
+    _user: User = Depends(current_user_from_websocket),
+) -> None:
+    """
+    WebSocket endpoint for streaming speech-to-text.
+
+    Protocol:
+    - Client sends binary audio chunks
+    - Server sends JSON: {"type": "transcript", "text": "...", "is_final": false}
+    - Client sends JSON {"type": "end"} to signal end
+    - Server responds with final transcript and closes
+
+    Authentication:
+        Requires `token` query parameter (e.g., /voice/transcribe/stream?token=xxx).
+        Applies same auth checks as HTTP endpoints (verification, role checks).
+    """
+    logger.info("WebSocket transcribe: connection request received (authenticated)")
+
+    try:
+        await websocket.accept()
+        logger.info("WebSocket transcribe: connection accepted")
+    except Exception as e:
+        logger.error(f"WebSocket transcribe: failed to accept connection: {e}")
+        return
+
+    streaming_transcriber = None
+    provider = None
+
+    try:
+        # Get STT provider
+        logger.info("WebSocket transcribe: fetching STT provider from database")
+        engine = get_sqlalchemy_engine()
+        with Session(engine) as db_session:
+            provider_db = fetch_default_stt_provider(db_session)
+            if provider_db is None:
+                logger.warning(
+                    "WebSocket transcribe: no default STT provider configured"
+                )
+                await websocket.send_json(
+                    {
+                        "type": "error",
+                        "message": "No speech-to-text provider configured",
+                    }
+                )
+                return
+
+            if not provider_db.api_key:
+                logger.warning("WebSocket transcribe: STT provider has no API key")
+                await websocket.send_json(
+                    {
+                        "type": "error",
+                        "message": "Speech-to-text provider has no API key configured",
+                    }
+                )
+                return
+
+            logger.info(
+                f"WebSocket transcribe: creating voice provider: {provider_db.provider_type}"
+            )
+            try:
+                provider = get_voice_provider(provider_db)
+                logger.info(
+                    f"WebSocket transcribe: voice provider created, streaming supported: {provider.supports_streaming_stt()}"
+                )
+            except ValueError as e:
+                logger.error(
+                    f"WebSocket transcribe: failed to create voice provider: {e}"
+                )
+                await websocket.send_json({"type": "error", "message": str(e)})
+                return
+
+        # Use native streaming if provider supports it
+        if provider.supports_streaming_stt():
+            logger.info("WebSocket transcribe: using native streaming STT")
+            try:
+                streaming_transcriber = await provider.create_streaming_transcriber()
+                logger.info(
+                    "WebSocket transcribe: streaming transcriber created successfully"
+                )
+                await handle_streaming_transcription(websocket, streaming_transcriber)
+            except Exception as e:
+                logger.error(
+                    f"WebSocket transcribe: failed to create streaming transcriber: {e}"
+                )
+                if VOICE_DISABLE_STREAMING_FALLBACK:
+                    await websocket.send_json(
+                        {"type": "error", "message": f"Streaming STT failed: {e}"}
+                    )
+                    return
+                logger.info("WebSocket transcribe: falling back to chunked STT")
+                # Browser stream provides raw PCM16 chunks over WebSocket.
+                chunked_transcriber = ChunkedTranscriber(provider, audio_format="pcm16")
+                await handle_chunked_transcription(websocket, chunked_transcriber)
+        else:
+            # Fall back to chunked transcription
+            if VOICE_DISABLE_STREAMING_FALLBACK:
+                await websocket.send_json(
+                    {
+                        "type": "error",
+                        "message": "Provider doesn't support streaming STT",
+                    }
+                )
+                return
+            logger.info(
+                "WebSocket transcribe: using chunked STT (provider doesn't support streaming)"
+            )
+            chunked_transcriber = ChunkedTranscriber(provider, audio_format="pcm16")
+            await handle_chunked_transcription(websocket, chunked_transcriber)
+
+    except WebSocketDisconnect:
+        logger.debug("WebSocket transcribe: client disconnected")
+    except Exception as e:
+        logger.error(f"WebSocket transcribe: unhandled error: {e}", exc_info=True)
+        try:
+            # Send generic error to avoid leaking sensitive details
+            await websocket.send_json(
+                {"type": "error", "message": "An unexpected error occurred"}
+            )
+        except Exception:
+            pass
+    finally:
+        if streaming_transcriber:
+            try:
+                await streaming_transcriber.close()
+            except Exception:
+                pass
+        try:
+            await websocket.close()
+        except Exception:
+            pass
+        logger.info("WebSocket transcribe: connection closed")
+
+
+async def handle_streaming_synthesis(
+    websocket: WebSocket,
+    synthesizer: StreamingSynthesizerProtocol,
+) -> None:
+    """Handle TTS using native streaming API."""
+    logger.info("Streaming synthesis: starting handler")
+
+    async def send_audio() -> None:
+        """Background task to send audio chunks to client."""
+        chunk_count = 0
+        total_bytes = 0
+        try:
+            while True:
+                audio_chunk = await synthesizer.receive_audio()
+                if audio_chunk is None:
+                    logger.info(
+                        f"Streaming synthesis: audio stream ended, sent {chunk_count} chunks, {total_bytes} bytes"
+                    )
+                    try:
+                        await websocket.send_json({"type": "audio_done"})
+                        logger.info("Streaming synthesis: sent audio_done to client")
+                    except Exception as e:
+                        logger.warning(
+                            f"Streaming synthesis: failed to send audio_done: {e}"
+                        )
+                    break
+                if audio_chunk:  # Skip empty chunks
+                    chunk_count += 1
+                    total_bytes += len(audio_chunk)
+                    try:
+                        await websocket.send_bytes(audio_chunk)
+                    except Exception as e:
+                        logger.warning(
+                            f"Streaming synthesis: failed to send chunk: {e}"
+                        )
+                        break
+        except asyncio.CancelledError:
+            logger.info(
+                f"Streaming synthesis: send_audio cancelled after {chunk_count} chunks"
+            )
+        except Exception as e:
+            logger.error(f"Streaming synthesis: send_audio error: {e}")
+
+    send_task: asyncio.Task | None = None
+    disconnected = False
+
+    try:
+        while not disconnected:
+            try:
+                message = await websocket.receive()
+            except WebSocketDisconnect:
+                logger.info("Streaming synthesis: client disconnected")
+                break
+
+            msg_type = message.get("type", "unknown")  # type: ignore[possibly-undefined]
+
+            if msg_type == "websocket.disconnect":
+                logger.info("Streaming synthesis: client disconnected")
+                disconnected = True
+                break
+
+            if "text" in message:
+                # Enforce text message size limit
+                msg_size = len(message["text"])
+                if msg_size > WS_MAX_TEXT_MESSAGE_SIZE:
+                    logger.warning(
+                        f"Streaming synthesis: text message too large ({msg_size} bytes)"
+                    )
+                    await websocket.send_json(
+                        {"type": "error", "message": "Message too large"}
+                    )
+                    break
+
+                try:
+                    data = json.loads(message["text"])
+
+                    if data.get("type") == "synthesize":
+                        text = data.get("text", "")
+                        # Enforce per-text size limit
+                        if len(text) > WS_MAX_TTS_TEXT_LENGTH:
+                            logger.warning(
+                                f"Streaming synthesis: text too long ({len(text)} chars)"
+                            )
+                            await websocket.send_json(
+                                {"type": "error", "message": "Text too long"}
+                            )
+                            continue
+                        if text:
+                            # Start audio receiver on first text chunk so playback
+                            # can begin before the full assistant response completes.
+                            if send_task is None:
+                                send_task = asyncio.create_task(send_audio())
+                            logger.debug(
+                                f"Streaming synthesis: forwarding text chunk ({len(text)} chars)"
+                            )
+                            await synthesizer.send_text(text)
+
+                    elif data.get("type") == "end":
+                        logger.info("Streaming synthesis: end signal received")
+
+                        # Ensure receiver is active even if no prior text chunks arrived.
+                        if send_task is None:
+                            send_task = asyncio.create_task(send_audio())
+
+                        # Signal end of input
+                        if hasattr(synthesizer, "flush"):
+                            await synthesizer.flush()
+
+                        # Wait for all audio to be sent
+                        logger.info(
+                            "Streaming synthesis: waiting for audio stream to complete"
+                        )
+                        try:
+                            await asyncio.wait_for(send_task, timeout=60.0)
+                        except asyncio.TimeoutError:
+                            logger.warning(
+                                "Streaming synthesis: timeout waiting for audio"
+                            )
+                        break
+
+                except json.JSONDecodeError:
+                    logger.warning(
+                        f"Streaming synthesis: failed to parse JSON: {message.get('text', '')[:100]}"
+                    )
+
+    except WebSocketDisconnect:
+        logger.debug("Streaming synthesis: client disconnected during synthesis")
+    except Exception as e:
+        logger.error(f"Streaming synthesis: error: {e}", exc_info=True)
+    finally:
+        if send_task and not send_task.done():
+            logger.info("Streaming synthesis: waiting for send_task to finish")
+            try:
+                await asyncio.wait_for(send_task, timeout=30.0)
+            except asyncio.TimeoutError:
+                logger.warning("Streaming synthesis: timeout waiting for send_task")
+                send_task.cancel()
+                try:
+                    await send_task
+                except asyncio.CancelledError:
+                    pass
+            except asyncio.CancelledError:
+                pass
+        logger.info("Streaming synthesis: handler finished")
+
+
+async def handle_chunked_synthesis(
+    websocket: WebSocket,
+    provider: Any,
+    first_message: MutableMapping[str, Any] | None = None,
+) -> None:
+    """Fallback TTS handler using provider.synthesize_stream.
+
+    Args:
+        websocket: The WebSocket connection
+        provider: Voice provider instance
+        first_message: Optional first message already received (used when falling
+            back from streaming mode, where the first message was already consumed)
+    """
+    logger.info("Chunked synthesis: starting handler")
+    text_buffer: list[str] = []
+    voice: str | None = None
+    speed = 1.0
+
+    # Process pre-received message if provided
+    pending_message = first_message
+
+    try:
+        while True:
+            if pending_message is not None:
+                message = pending_message
+                pending_message = None
+            else:
+                message = await websocket.receive()
+            msg_type = message.get("type", "unknown")
+
+            if msg_type == "websocket.disconnect":
+                logger.info("Chunked synthesis: client disconnected")
+                break
+
+            if "text" not in message:
+                continue
+
+            # Enforce text message size limit
+            msg_size = len(message["text"])
+            if msg_size > WS_MAX_TEXT_MESSAGE_SIZE:
+                logger.warning(
+                    f"Chunked synthesis: text message too large ({msg_size} bytes)"
+                )
+                await websocket.send_json(
+                    {"type": "error", "message": "Message too large"}
+                )
+                break
+
+            try:
+                data = json.loads(message["text"])
+            except json.JSONDecodeError:
+                logger.warning(
+                    "Chunked synthesis: failed to parse JSON: "
+                    f"{message.get('text', '')[:100]}"
+                )
+                continue
+
+            msg_data_type = data.get("type")  # type: ignore[possibly-undefined]
+            if msg_data_type == "synthesize":
+                text = data.get("text", "")
+                # Enforce per-text size limit
+                if len(text) > WS_MAX_TTS_TEXT_LENGTH:
+                    logger.warning(
+                        f"Chunked synthesis: text too long ({len(text)} chars)"
+                    )
+                    await websocket.send_json(
+                        {"type": "error", "message": "Text too long"}
+                    )
+                    continue
+                if text:
+                    text_buffer.append(text)
+                    logger.debug(
+                        f"Chunked synthesis: buffered text ({len(text)} chars), "
+                        f"total buffered: {len(text_buffer)} chunks"
+                    )
+                if isinstance(data.get("voice"), str) and data["voice"]:
+                    voice = data["voice"]
+                if isinstance(data.get("speed"), (int, float)):
+                    speed = float(data["speed"])
+            elif msg_data_type == "end":
+                logger.info("Chunked synthesis: end signal received")
+                full_text = " ".join(text_buffer).strip()
+                if not full_text:
+                    await websocket.send_json({"type": "audio_done"})
+                    logger.info("Chunked synthesis: no text, sent audio_done")
+                    break
+
+                chunk_count = 0
+                total_bytes = 0
+                logger.info(
+                    f"Chunked synthesis: sending full text ({len(full_text)} chars)"
+                )
+                async for audio_chunk in provider.synthesize_stream(
+                    full_text, voice=voice, speed=speed
+                ):
+                    if not audio_chunk:
+                        continue
+                    chunk_count += 1
+                    total_bytes += len(audio_chunk)
+                    await websocket.send_bytes(audio_chunk)
+                await websocket.send_json({"type": "audio_done"})
+                logger.info(
+                    f"Chunked synthesis: sent audio_done after {chunk_count} chunks, {total_bytes} bytes"
+                )
+                break
+    except WebSocketDisconnect:
+        logger.debug("Chunked synthesis: client disconnected")
+    except Exception as e:
+        logger.error(f"Chunked synthesis: error: {e}", exc_info=True)
+        raise
+    finally:
+        logger.info("Chunked synthesis: handler finished")
+
+
+@router.websocket("/synthesize/stream")
+async def websocket_synthesize(
+    websocket: WebSocket,
+    _user: User = Depends(current_user_from_websocket),
+) -> None:
+    """
+    WebSocket endpoint for streaming text-to-speech.
+
+    Protocol:
+    - Client sends JSON: {"type": "synthesize", "text": "...", "voice": "...", "speed": 1.0}
+    - Server sends binary audio chunks
+    - Server sends JSON: {"type": "audio_done"} when synthesis completes
+    - Client sends JSON {"type": "end"} to close connection
+
+    Authentication:
+        Requires `token` query parameter (e.g., /voice/synthesize/stream?token=xxx).
+        Applies same auth checks as HTTP endpoints (verification, role checks).
+    """
+    logger.info("WebSocket synthesize: connection request received (authenticated)")
+
+    try:
+        await websocket.accept()
+        logger.info("WebSocket synthesize: connection accepted")
+    except Exception as e:
+        logger.error(f"WebSocket synthesize: failed to accept connection: {e}")
+        return
+
+    streaming_synthesizer: StreamingSynthesizerProtocol | None = None
+    provider = None
+
+    try:
+        # Get TTS provider
+        logger.info("WebSocket synthesize: fetching TTS provider from database")
+        engine = get_sqlalchemy_engine()
+        with Session(engine) as db_session:
+            provider_db = fetch_default_tts_provider(db_session)
+            if provider_db is None:
+                logger.warning(
+                    "WebSocket synthesize: no default TTS provider configured"
+                )
+                await websocket.send_json(
+                    {
+                        "type": "error",
+                        "message": "No text-to-speech provider configured",
+                    }
+                )
+                return
+
+            if not provider_db.api_key:
+                logger.warning("WebSocket synthesize: TTS provider has no API key")
+                await websocket.send_json(
+                    {
+                        "type": "error",
+                        "message": "Text-to-speech provider has no API key configured",
+                    }
+                )
+                return
+
+            logger.info(
+                f"WebSocket synthesize: creating voice provider: {provider_db.provider_type}"
+            )
+            try:
+                provider = get_voice_provider(provider_db)
+                logger.info(
+                    f"WebSocket synthesize: voice provider created, streaming TTS supported: {provider.supports_streaming_tts()}"
+                )
+            except ValueError as e:
+                logger.error(
+                    f"WebSocket synthesize: failed to create voice provider: {e}"
+                )
+                await websocket.send_json({"type": "error", "message": str(e)})
+                return
+
+        # Use native streaming if provider supports it
+        if provider.supports_streaming_tts():
+            logger.info("WebSocket synthesize: using native streaming TTS")
+            message = None  # Initialize to avoid UnboundLocalError in except block
+            try:
+                # Wait for initial config message with voice/speed
+                message = await websocket.receive()
+                voice = None
+                speed = 1.0
+                if "text" in message:
+                    try:
+                        data = json.loads(message["text"])
+                        voice = data.get("voice")
+                        speed = data.get("speed", 1.0)
+                    except json.JSONDecodeError:
+                        pass
+
+                streaming_synthesizer = await provider.create_streaming_synthesizer(
+                    voice=voice, speed=speed
+                )
+                logger.info(
+                    "WebSocket synthesize: streaming synthesizer created successfully"
+                )
+                await handle_streaming_synthesis(websocket, streaming_synthesizer)
+            except Exception as e:
+                logger.error(
+                    f"WebSocket synthesize: failed to create streaming synthesizer: {e}"
+                )
+                if VOICE_DISABLE_STREAMING_FALLBACK:
+                    await websocket.send_json(
+                        {"type": "error", "message": f"Streaming TTS failed: {e}"}
+                    )
+                    return
+                logger.info(
+                    "WebSocket synthesize: falling back to chunked TTS synthesis"
+                )
+                # Pass the first message so it's not lost in the fallback
+                await handle_chunked_synthesis(
+                    websocket, provider, first_message=message
+                )
+        else:
+            if VOICE_DISABLE_STREAMING_FALLBACK:
+                await websocket.send_json(
+                    {
+                        "type": "error",
+                        "message": "Provider doesn't support streaming TTS",
+                    }
+                )
+                return
+            logger.info(
+                "WebSocket synthesize: using chunked TTS (provider doesn't support streaming)"
+            )
+            await handle_chunked_synthesis(websocket, provider)
+
+    except WebSocketDisconnect:
+        logger.debug("WebSocket synthesize: client disconnected")
+    except Exception as e:
+        logger.error(f"WebSocket synthesize: unhandled error: {e}", exc_info=True)
+        try:
+            # Send generic error to avoid leaking sensitive details
+            await websocket.send_json(
+                {"type": "error", "message": "An unexpected error occurred"}
+            )
+        except Exception:
+            pass
+    finally:
+        if streaming_synthesizer:
+            try:
+                await streaming_synthesizer.close()
+            except Exception:
+                pass
+        try:
+            await websocket.close()
+        except Exception:
+            pass
+        logger.info("WebSocket synthesize: connection closed")

backend/onyx/utils/url.py

@@ -140,6 +140,44 @@ def _validate_and_resolve_url(url: str) -> tuple[str, str, int]:
     return validated_ip, hostname, port
 
 
+def validate_outbound_http_url(url: str, *, allow_private_network: bool = False) -> str:
+    """
+    Validate a URL that will be used by backend outbound HTTP calls.
+
+    Returns:
+        A normalized URL string with surrounding whitespace removed.
+
+    Raises:
+        ValueError: If URL is malformed.
+        SSRFException: If URL fails SSRF checks.
+    """
+    normalized_url = url.strip()
+    if not normalized_url:
+        raise ValueError("URL cannot be empty")
+
+    parsed = urlparse(normalized_url)
+
+    if parsed.scheme not in ("http", "https"):
+        raise SSRFException(
+            f"Invalid URL scheme '{parsed.scheme}'. Only http and https are allowed."
+        )
+
+    if not parsed.hostname:
+        raise ValueError("URL must contain a hostname")
+
+    if parsed.username or parsed.password:
+        raise SSRFException("URLs with embedded credentials are not allowed.")
+
+    hostname = parsed.hostname.lower()
+    if hostname in BLOCKED_HOSTNAMES:
+        raise SSRFException(f"Access to hostname '{parsed.hostname}' is not allowed.")
+
+    if not allow_private_network:
+        _validate_and_resolve_url(normalized_url)
+
+    return normalized_url
+
+
 MAX_REDIRECTS = 10
 
 

backend/onyx/voice/factory.py

@@ -0,0 +1,70 @@
+from onyx.db.models import VoiceProvider
+from onyx.voice.interface import VoiceProviderInterface
+
+
+def get_voice_provider(provider: VoiceProvider) -> VoiceProviderInterface:
+    """
+    Factory function to get the appropriate voice provider implementation.
+
+    Args:
+        provider: VoiceProvider model instance (can be from DB or constructed temporarily)
+
+    Returns:
+        VoiceProviderInterface implementation
+
+    Raises:
+        ValueError: If provider_type is not supported
+    """
+    provider_type = provider.provider_type.lower()
+
+    # Handle both SensitiveValue (from DB) and plain string (from temp model)
+    if provider.api_key is None:
+        api_key = None
+    elif hasattr(provider.api_key, "get_value"):
+        # SensitiveValue from database
+        api_key = provider.api_key.get_value(apply_mask=False)
+    else:
+        # Plain string from temporary model
+        api_key = provider.api_key  # type: ignore[assignment]
+    api_base = provider.api_base
+    custom_config = provider.custom_config
+    stt_model = provider.stt_model
+    tts_model = provider.tts_model
+    default_voice = provider.default_voice
+
+    if provider_type == "openai":
+        from onyx.voice.providers.openai import OpenAIVoiceProvider
+
+        return OpenAIVoiceProvider(
+            api_key=api_key,
+            api_base=api_base,
+            stt_model=stt_model,
+            tts_model=tts_model,
+            default_voice=default_voice,
+        )
+
+    elif provider_type == "azure":
+        from onyx.voice.providers.azure import AzureVoiceProvider
+
+        return AzureVoiceProvider(
+            api_key=api_key,
+            api_base=api_base,
+            custom_config=custom_config or {},
+            stt_model=stt_model,
+            tts_model=tts_model,
+            default_voice=default_voice,
+        )
+
+    elif provider_type == "elevenlabs":
+        from onyx.voice.providers.elevenlabs import ElevenLabsVoiceProvider
+
+        return ElevenLabsVoiceProvider(
+            api_key=api_key,
+            api_base=api_base,
+            stt_model=stt_model,
+            tts_model=tts_model,
+            default_voice=default_voice,
+        )
+
+    else:
+        raise ValueError(f"Unsupported voice provider type: {provider_type}")

backend/onyx/voice/interface.py

@@ -0,0 +1,182 @@
+from abc import ABC
+from abc import abstractmethod
+from collections.abc import AsyncIterator
+from typing import Protocol
+
+from pydantic import BaseModel
+
+
+class TranscriptResult(BaseModel):
+    """Result from streaming transcription."""
+
+    text: str
+    """The accumulated transcript text."""
+
+    is_vad_end: bool = False
+    """True if VAD detected end of speech (silence). Use for auto-send."""
+
+
+class StreamingTranscriberProtocol(Protocol):
+    """Protocol for streaming transcription sessions."""
+
+    async def send_audio(self, chunk: bytes) -> None:
+        """Send an audio chunk for transcription."""
+        ...
+
+    async def receive_transcript(self) -> TranscriptResult | None:
+        """
+        Receive next transcript update.
+
+        Returns:
+            TranscriptResult with accumulated text and VAD status, or None when stream ends.
+        """
+        ...
+
+    async def close(self) -> str:
+        """Close the session and return final transcript."""
+        ...
+
+    def reset_transcript(self) -> None:
+        """Reset accumulated transcript. Call after auto-send to start fresh."""
+        ...
+
+
+class StreamingSynthesizerProtocol(Protocol):
+    """Protocol for streaming TTS sessions (real-time text-to-speech)."""
+
+    async def connect(self) -> None:
+        """Establish connection to TTS provider."""
+        ...
+
+    async def send_text(self, text: str) -> None:
+        """Send text to be synthesized."""
+        ...
+
+    async def receive_audio(self) -> bytes | None:
+        """
+        Receive next audio chunk.
+
+        Returns:
+            Audio bytes, or None when stream ends.
+        """
+        ...
+
+    async def flush(self) -> None:
+        """Signal end of text input and wait for pending audio."""
+        ...
+
+    async def close(self) -> None:
+        """Close the session."""
+        ...
+
+
+class VoiceProviderInterface(ABC):
+    """Abstract base class for voice providers (STT and TTS)."""
+
+    @abstractmethod
+    async def transcribe(self, audio_data: bytes, audio_format: str) -> str:
+        """
+        Convert audio to text (Speech-to-Text).
+
+        Args:
+            audio_data: Raw audio bytes
+            audio_format: Audio format (e.g., "webm", "wav", "mp3")
+
+        Returns:
+            Transcribed text
+        """
+
+    @abstractmethod
+    def synthesize_stream(
+        self, text: str, voice: str | None = None, speed: float = 1.0
+    ) -> AsyncIterator[bytes]:
+        """
+        Convert text to audio stream (Text-to-Speech).
+
+        Streams audio chunks progressively for lower latency playback.
+
+        Args:
+            text: Text to convert to speech
+            voice: Voice identifier (e.g., "alloy", "echo"), or None for default
+            speed: Playback speed multiplier (0.25 to 4.0)
+
+        Yields:
+            Audio data chunks
+        """
+
+    @abstractmethod
+    async def validate_credentials(self) -> None:
+        """
+        Validate that the provider credentials are correct by making a
+        lightweight API call. Raises on failure.
+        """
+
+    @abstractmethod
+    def get_available_voices(self) -> list[dict[str, str]]:
+        """
+        Get list of available voices for this provider.
+
+        Returns:
+            List of voice dictionaries with 'id' and 'name' keys
+        """
+
+    @abstractmethod
+    def get_available_stt_models(self) -> list[dict[str, str]]:
+        """
+        Get list of available STT models for this provider.
+
+        Returns:
+            List of model dictionaries with 'id' and 'name' keys
+        """
+
+    @abstractmethod
+    def get_available_tts_models(self) -> list[dict[str, str]]:
+        """
+        Get list of available TTS models for this provider.
+
+        Returns:
+            List of model dictionaries with 'id' and 'name' keys
+        """
+
+    def supports_streaming_stt(self) -> bool:
+        """Returns True if this provider supports streaming STT."""
+        return False
+
+    def supports_streaming_tts(self) -> bool:
+        """Returns True if this provider supports real-time streaming TTS."""
+        return False
+
+    async def create_streaming_transcriber(
+        self, audio_format: str = "webm"
+    ) -> StreamingTranscriberProtocol:
+        """
+        Create a streaming transcription session.
+
+        Args:
+            audio_format: Audio format being sent (e.g., "webm", "pcm16")
+
+        Returns:
+            A streaming transcriber that can send audio chunks and receive transcripts
+
+        Raises:
+            NotImplementedError: If streaming STT is not supported
+        """
+        raise NotImplementedError("Streaming STT not supported by this provider")
+
+    async def create_streaming_synthesizer(
+        self, voice: str | None = None, speed: float = 1.0
+    ) -> "StreamingSynthesizerProtocol":
+        """
+        Create a streaming TTS session for real-time audio synthesis.
+
+        Args:
+            voice: Voice identifier
+            speed: Playback speed multiplier
+
+        Returns:
+            A streaming synthesizer that can send text and receive audio chunks
+
+        Raises:
+            NotImplementedError: If streaming TTS is not supported
+        """
+        raise NotImplementedError("Streaming TTS not supported by this provider")

backend/onyx/voice/providers/azure.py

@@ -0,0 +1,625 @@
+"""Azure Speech Services voice provider for STT and TTS.
+
+Azure supports:
+- **STT**: Batch transcription via REST API (audio/wav POST) and real-time
+  streaming via the Azure Speech SDK (push audio stream with continuous
+  recognition). The SDK handles VAD natively through its recognizing/recognized
+  events.
+- **TTS**: SSML-based synthesis via REST API (streaming response) and real-time
+  synthesis via the Speech SDK. Text is escaped with ``xml.sax.saxutils.escape``
+  and attributes with ``quoteattr`` to prevent SSML injection.
+
+Both modes support Azure cloud endpoints (region-based URLs) and self-hosted
+Speech containers (custom endpoint URLs). The ``speech_region`` is validated to
+contain only ``[a-z0-9-]`` to prevent URL injection.
+
+The Azure Speech SDK (``azure-cognitiveservices-speech``) is an optional C
+extension dependency — it is imported lazily inside streaming methods so the
+provider can still be instantiated and used for REST-based operations without it.
+
+See https://learn.microsoft.com/en-us/azure/cognitive-services/speech-service/
+for API reference.
+"""
+
+import asyncio
+import io
+import re
+import struct
+import wave
+from collections.abc import AsyncIterator
+from typing import Any
+from urllib.parse import urlparse
+from xml.sax.saxutils import escape
+from xml.sax.saxutils import quoteattr
+
+import aiohttp
+
+from onyx.utils.logger import setup_logger
+from onyx.voice.interface import StreamingSynthesizerProtocol
+from onyx.voice.interface import StreamingTranscriberProtocol
+from onyx.voice.interface import TranscriptResult
+from onyx.voice.interface import VoiceProviderInterface
+
+# SSML namespace — W3C standard for Speech Synthesis Markup Language.
+# This is a fixed W3C specification and will not change.
+SSML_NAMESPACE = "http://www.w3.org/2001/10/synthesis"
+
+# Common Azure Neural voices
+AZURE_VOICES = [
+    {"id": "en-US-JennyNeural", "name": "Jenny (en-US, Female)"},
+    {"id": "en-US-GuyNeural", "name": "Guy (en-US, Male)"},
+    {"id": "en-US-AriaNeural", "name": "Aria (en-US, Female)"},
+    {"id": "en-US-DavisNeural", "name": "Davis (en-US, Male)"},
+    {"id": "en-US-AmberNeural", "name": "Amber (en-US, Female)"},
+    {"id": "en-US-AnaNeural", "name": "Ana (en-US, Female)"},
+    {"id": "en-US-BrandonNeural", "name": "Brandon (en-US, Male)"},
+    {"id": "en-US-ChristopherNeural", "name": "Christopher (en-US, Male)"},
+    {"id": "en-US-CoraNeural", "name": "Cora (en-US, Female)"},
+    {"id": "en-GB-SoniaNeural", "name": "Sonia (en-GB, Female)"},
+    {"id": "en-GB-RyanNeural", "name": "Ryan (en-GB, Male)"},
+]
+
+
+class AzureStreamingTranscriber(StreamingTranscriberProtocol):
+    """Streaming transcription using Azure Speech SDK."""
+
+    def __init__(
+        self,
+        api_key: str,
+        region: str | None = None,
+        endpoint: str | None = None,
+        input_sample_rate: int = 24000,
+        target_sample_rate: int = 16000,
+    ):
+        self.api_key = api_key
+        self.region = region
+        self.endpoint = endpoint
+        self.input_sample_rate = input_sample_rate
+        self.target_sample_rate = target_sample_rate
+        self._transcript_queue: asyncio.Queue[TranscriptResult | None] = asyncio.Queue()
+        self._accumulated_transcript = ""
+        self._recognizer: Any = None
+        self._audio_stream: Any = None
+        self._closed = False
+        self._loop: asyncio.AbstractEventLoop | None = None
+
+    async def connect(self) -> None:
+        """Initialize Azure Speech recognizer with push stream."""
+        try:
+            import azure.cognitiveservices.speech as speechsdk  # type: ignore
+        except ImportError as e:
+            raise RuntimeError(
+                "Azure Speech SDK is required for streaming STT. "
+                "Install `azure-cognitiveservices-speech`."
+            ) from e
+
+        self._loop = asyncio.get_running_loop()
+
+        # Use endpoint for self-hosted containers, region for Azure cloud
+        if self.endpoint:
+            speech_config = speechsdk.SpeechConfig(
+                subscription=self.api_key,
+                endpoint=self.endpoint,
+            )
+        else:
+            speech_config = speechsdk.SpeechConfig(
+                subscription=self.api_key,
+                region=self.region,
+            )
+
+        audio_format = speechsdk.audio.AudioStreamFormat(
+            samples_per_second=16000,
+            bits_per_sample=16,
+            channels=1,
+        )
+        self._audio_stream = speechsdk.audio.PushAudioInputStream(audio_format)
+        audio_config = speechsdk.audio.AudioConfig(stream=self._audio_stream)
+
+        self._recognizer = speechsdk.SpeechRecognizer(
+            speech_config=speech_config,
+            audio_config=audio_config,
+        )
+
+        transcriber = self
+
+        def on_recognizing(evt: Any) -> None:
+            if evt.result.text and transcriber._loop and not transcriber._closed:
+                full_text = transcriber._accumulated_transcript
+                if full_text:
+                    full_text += " " + evt.result.text
+                else:
+                    full_text = evt.result.text
+                transcriber._loop.call_soon_threadsafe(
+                    transcriber._transcript_queue.put_nowait,
+                    TranscriptResult(text=full_text, is_vad_end=False),
+                )
+
+        def on_recognized(evt: Any) -> None:
+            if evt.result.text and transcriber._loop and not transcriber._closed:
+                if transcriber._accumulated_transcript:
+                    transcriber._accumulated_transcript += " " + evt.result.text
+                else:
+                    transcriber._accumulated_transcript = evt.result.text
+                transcriber._loop.call_soon_threadsafe(
+                    transcriber._transcript_queue.put_nowait,
+                    TranscriptResult(
+                        text=transcriber._accumulated_transcript, is_vad_end=True
+                    ),
+                )
+
+        self._recognizer.recognizing.connect(on_recognizing)
+        self._recognizer.recognized.connect(on_recognized)
+        self._recognizer.start_continuous_recognition_async()
+
+    async def send_audio(self, chunk: bytes) -> None:
+        """Send audio chunk to Azure."""
+        if self._audio_stream and not self._closed:
+            self._audio_stream.write(self._resample_pcm16(chunk))
+
+    def _resample_pcm16(self, data: bytes) -> bytes:
+        """Resample PCM16 audio from input_sample_rate to target_sample_rate."""
+        if self.input_sample_rate == self.target_sample_rate:
+            return data
+
+        num_samples = len(data) // 2
+        if num_samples == 0:
+            return b""
+
+        samples = list(struct.unpack(f"<{num_samples}h", data))
+        ratio = self.input_sample_rate / self.target_sample_rate
+        new_length = int(num_samples / ratio)
+
+        resampled: list[int] = []
+        for i in range(new_length):
+            src_idx = i * ratio
+            idx_floor = int(src_idx)
+            idx_ceil = min(idx_floor + 1, num_samples - 1)
+            frac = src_idx - idx_floor
+            sample = int(samples[idx_floor] * (1 - frac) + samples[idx_ceil] * frac)
+            sample = max(-32768, min(32767, sample))
+            resampled.append(sample)
+
+        return struct.pack(f"<{len(resampled)}h", *resampled)
+
+    async def receive_transcript(self) -> TranscriptResult | None:
+        """Receive next transcript."""
+        try:
+            return await asyncio.wait_for(self._transcript_queue.get(), timeout=0.1)
+        except asyncio.TimeoutError:
+            return TranscriptResult(text="", is_vad_end=False)
+
+    async def close(self) -> str:
+        """Stop recognition and return final transcript."""
+        self._closed = True
+        if self._recognizer:
+            self._recognizer.stop_continuous_recognition_async()
+        if self._audio_stream:
+            self._audio_stream.close()
+        self._loop = None
+        return self._accumulated_transcript
+
+    def reset_transcript(self) -> None:
+        """Reset accumulated transcript."""
+        self._accumulated_transcript = ""
+
+
+class AzureStreamingSynthesizer(StreamingSynthesizerProtocol):
+    """Real-time streaming TTS using Azure Speech SDK."""
+
+    def __init__(
+        self,
+        api_key: str,
+        region: str | None = None,
+        endpoint: str | None = None,
+        voice: str = "en-US-JennyNeural",
+        speed: float = 1.0,
+    ):
+        self._logger = setup_logger()
+        self.api_key = api_key
+        self.region = region
+        self.endpoint = endpoint
+        self.voice = voice
+        self.speed = max(0.5, min(2.0, speed))
+        self._audio_queue: asyncio.Queue[bytes | None] = asyncio.Queue()
+        self._synthesizer: Any = None
+        self._closed = False
+        self._loop: asyncio.AbstractEventLoop | None = None
+
+    async def connect(self) -> None:
+        """Initialize Azure Speech synthesizer with push stream."""
+        try:
+            import azure.cognitiveservices.speech as speechsdk
+        except ImportError as e:
+            raise RuntimeError(
+                "Azure Speech SDK is required for streaming TTS. "
+                "Install `azure-cognitiveservices-speech`."
+            ) from e
+
+        self._logger.info("AzureStreamingSynthesizer: connecting")
+
+        # Store the event loop for thread-safe queue operations
+        self._loop = asyncio.get_running_loop()
+
+        # Use endpoint for self-hosted containers, region for Azure cloud
+        if self.endpoint:
+            speech_config = speechsdk.SpeechConfig(
+                subscription=self.api_key,
+                endpoint=self.endpoint,
+            )
+        else:
+            speech_config = speechsdk.SpeechConfig(
+                subscription=self.api_key,
+                region=self.region,
+            )
+        speech_config.speech_synthesis_voice_name = self.voice
+        # Use MP3 format for streaming - compatible with MediaSource Extensions
+        speech_config.set_speech_synthesis_output_format(
+            speechsdk.SpeechSynthesisOutputFormat.Audio16Khz64KBitRateMonoMp3
+        )
+
+        # Create synthesizer with pull audio output stream
+        self._synthesizer = speechsdk.SpeechSynthesizer(
+            speech_config=speech_config,
+            audio_config=None,  # We'll manually handle audio
+        )
+
+        # Connect to synthesis events
+        self._synthesizer.synthesizing.connect(self._on_synthesizing)
+        self._synthesizer.synthesis_completed.connect(self._on_completed)
+
+        self._logger.info("AzureStreamingSynthesizer: connected")
+
+    def _on_synthesizing(self, evt: Any) -> None:
+        """Called when audio chunk is available (runs in Azure SDK thread)."""
+        if evt.result.audio_data and self._loop and not self._closed:
+            # Thread-safe way to put item in async queue
+            self._loop.call_soon_threadsafe(
+                self._audio_queue.put_nowait, evt.result.audio_data
+            )
+
+    def _on_completed(self, _evt: Any) -> None:
+        """Called when synthesis is complete (runs in Azure SDK thread)."""
+        if self._loop and not self._closed:
+            self._loop.call_soon_threadsafe(self._audio_queue.put_nowait, None)
+
+    async def send_text(self, text: str) -> None:
+        """Send text to be synthesized using SSML for prosody control."""
+        if self._synthesizer and not self._closed:
+            # Build SSML with prosody for speed control
+            rate = f"{int((self.speed - 1) * 100):+d}%"
+            escaped_text = escape(text)
+            ssml = f"""<speak version='1.0' xmlns='{SSML_NAMESPACE}' xml:lang='en-US'>
+                <voice name={quoteattr(self.voice)}>
+                    <prosody rate='{rate}'>{escaped_text}</prosody>
+                </voice>
+            </speak>"""
+            # Use speak_ssml_async for SSML support (includes speed/prosody)
+            self._synthesizer.speak_ssml_async(ssml)
+
+    async def receive_audio(self) -> bytes | None:
+        """Receive next audio chunk."""
+        try:
+            return await asyncio.wait_for(self._audio_queue.get(), timeout=0.1)
+        except asyncio.TimeoutError:
+            return b""  # No audio yet, but not done
+
+    async def flush(self) -> None:
+        """Signal end of text input - wait for pending audio."""
+        # Azure SDK handles flushing automatically
+
+    async def close(self) -> None:
+        """Close the session."""
+        self._closed = True
+        if self._synthesizer:
+            self._synthesizer.synthesis_completed.disconnect_all()
+            self._synthesizer.synthesizing.disconnect_all()
+        self._loop = None
+
+
+class AzureVoiceProvider(VoiceProviderInterface):
+    """Azure Speech Services voice provider."""
+
+    def __init__(
+        self,
+        api_key: str | None,
+        api_base: str | None,
+        custom_config: dict[str, Any],
+        stt_model: str | None = None,
+        tts_model: str | None = None,
+        default_voice: str | None = None,
+    ):
+        self.api_key = api_key
+        self.api_base = api_base
+        self.custom_config = custom_config
+        raw_speech_region = (
+            custom_config.get("speech_region")
+            or self._extract_speech_region_from_uri(api_base)
+            or ""
+        )
+        self.speech_region = self._validate_speech_region(raw_speech_region)
+        self.stt_model = stt_model
+        self.tts_model = tts_model
+        self.default_voice = default_voice or "en-US-JennyNeural"
+
+    @staticmethod
+    def _is_azure_cloud_url(uri: str | None) -> bool:
+        """Check if URI is an Azure cloud endpoint (vs custom/self-hosted)."""
+        if not uri:
+            return False
+        try:
+            hostname = (urlparse(uri).hostname or "").lower()
+        except ValueError:
+            return False
+        return hostname.endswith(
+            (
+                ".speech.microsoft.com",
+                ".api.cognitive.microsoft.com",
+                ".cognitiveservices.azure.com",
+            )
+        )
+
+    @staticmethod
+    def _extract_speech_region_from_uri(uri: str | None) -> str | None:
+        """Extract Azure speech region from endpoint URI.
+
+        Note: Custom domains (*.cognitiveservices.azure.com) contain the resource
+        name, not the region. For custom domains, the region must be specified
+        explicitly via custom_config["speech_region"].
+        """
+        if not uri:
+            return None
+        # Accepted examples:
+        # - https://eastus.tts.speech.microsoft.com/cognitiveservices/v1
+        # - https://eastus.stt.speech.microsoft.com/speech/recognition/...
+        # - https://westus.api.cognitive.microsoft.com/
+        #
+        # NOT supported (requires explicit speech_region config):
+        # - https://<resource>.cognitiveservices.azure.com/ (resource name != region)
+        try:
+            hostname = (urlparse(uri).hostname or "").lower()
+        except ValueError:
+            return None
+
+        stt_tts_match = re.match(
+            r"^([a-z0-9-]+)\.(?:tts|stt)\.speech\.microsoft\.com$", hostname
+        )
+        if stt_tts_match:
+            return stt_tts_match.group(1)
+
+        api_match = re.match(
+            r"^([a-z0-9-]+)\.api\.cognitive\.microsoft\.com$", hostname
+        )
+        if api_match:
+            return api_match.group(1)
+
+        return None
+
+    @staticmethod
+    def _validate_speech_region(speech_region: str) -> str:
+        normalized_region = speech_region.strip().lower()
+        if not normalized_region:
+            return ""
+        if not re.fullmatch(r"[a-z0-9-]+", normalized_region):
+            raise ValueError(
+                "Invalid Azure speech_region. Use lowercase letters, digits, and hyphens only."
+            )
+        return normalized_region
+
+    def _get_stt_url(self) -> str:
+        """Get the STT endpoint URL (auto-detects cloud vs self-hosted)."""
+        if self.api_base and not self._is_azure_cloud_url(self.api_base):
+            # Self-hosted container endpoint
+            return f"{self.api_base.rstrip('/')}/speech/recognition/conversation/cognitiveservices/v1"
+        # Azure cloud endpoint
+        return (
+            f"https://{self.speech_region}.stt.speech.microsoft.com/"
+            "speech/recognition/conversation/cognitiveservices/v1"
+        )
+
+    def _get_tts_url(self) -> str:
+        """Get the TTS endpoint URL (auto-detects cloud vs self-hosted)."""
+        if self.api_base and not self._is_azure_cloud_url(self.api_base):
+            # Self-hosted container endpoint
+            return f"{self.api_base.rstrip('/')}/cognitiveservices/v1"
+        # Azure cloud endpoint
+        return f"https://{self.speech_region}.tts.speech.microsoft.com/cognitiveservices/v1"
+
+    def _is_self_hosted(self) -> bool:
+        """Check if using self-hosted container vs Azure cloud."""
+        return bool(self.api_base and not self._is_azure_cloud_url(self.api_base))
+
+    @staticmethod
+    def _pcm16_to_wav(pcm_data: bytes, sample_rate: int = 24000) -> bytes:
+        """Wrap raw PCM16 mono bytes into a WAV container."""
+        buffer = io.BytesIO()
+        with wave.open(buffer, "wb") as wav_file:
+            wav_file.setnchannels(1)
+            wav_file.setsampwidth(2)
+            wav_file.setframerate(sample_rate)
+            wav_file.writeframes(pcm_data)
+        return buffer.getvalue()
+
+    async def transcribe(self, audio_data: bytes, audio_format: str) -> str:
+        if not self.api_key:
+            raise ValueError("Azure API key required for STT")
+        if not self._is_self_hosted() and not self.speech_region:
+            raise ValueError("Azure speech region required for STT (cloud mode)")
+
+        normalized_format = audio_format.lower()
+        payload = audio_data
+        content_type = f"audio/{normalized_format}"
+
+        # WebSocket chunked fallback sends raw PCM16 bytes.
+        if normalized_format in {"pcm", "pcm16", "raw"}:
+            payload = self._pcm16_to_wav(audio_data, sample_rate=24000)
+            content_type = "audio/wav"
+        elif normalized_format in {"wav", "wave"}:
+            content_type = "audio/wav"
+        elif normalized_format == "webm":
+            content_type = "audio/webm; codecs=opus"
+
+        url = self._get_stt_url()
+        params = {"language": "en-US", "format": "detailed"}
+        headers = {
+            "Ocp-Apim-Subscription-Key": self.api_key,
+            "Content-Type": content_type,
+            "Accept": "application/json",
+        }
+
+        async with aiohttp.ClientSession() as session:
+            async with session.post(
+                url, params=params, headers=headers, data=payload
+            ) as response:
+                if response.status != 200:
+                    error_text = await response.text()
+                    raise RuntimeError(f"Azure STT failed: {error_text}")
+                result = await response.json()
+
+        if result.get("RecognitionStatus") != "Success":
+            return ""
+        nbest = result.get("NBest") or []
+        if nbest and isinstance(nbest, list):
+            display = nbest[0].get("Display")
+            if isinstance(display, str):
+                return display
+        display_text = result.get("DisplayText", "")
+        return display_text if isinstance(display_text, str) else ""
+
+    async def synthesize_stream(
+        self, text: str, voice: str | None = None, speed: float = 1.0
+    ) -> AsyncIterator[bytes]:
+        """
+        Convert text to audio using Azure TTS with streaming.
+
+        Args:
+            text: Text to convert to speech
+            voice: Voice name (defaults to provider's default voice)
+            speed: Playback speed multiplier (0.5 to 2.0)
+
+        Yields:
+            Audio data chunks (mp3 format)
+        """
+        if not self.api_key:
+            raise ValueError("Azure API key required for TTS")
+
+        if not self._is_self_hosted() and not self.speech_region:
+            raise ValueError("Azure speech region required for TTS (cloud mode)")
+
+        voice_name = voice or self.default_voice
+
+        # Clamp speed to valid range and convert to rate format
+        speed = max(0.5, min(2.0, speed))
+        rate = f"{int((speed - 1) * 100):+d}%"  # e.g., 1.0 -> "+0%", 1.5 -> "+50%"
+
+        # Build SSML with escaped text and quoted attributes to prevent injection
+        escaped_text = escape(text)
+        ssml = f"""<speak version='1.0' xmlns='{SSML_NAMESPACE}' xml:lang='en-US'>
+            <voice name={quoteattr(voice_name)}>
+                <prosody rate='{rate}'>{escaped_text}</prosody>
+            </voice>
+        </speak>"""
+
+        url = self._get_tts_url()
+
+        headers = {
+            "Ocp-Apim-Subscription-Key": self.api_key,
+            "Content-Type": "application/ssml+xml",
+            "X-Microsoft-OutputFormat": "audio-16khz-128kbitrate-mono-mp3",
+            "User-Agent": "Onyx",
+        }
+
+        async with aiohttp.ClientSession() as session:
+            async with session.post(url, headers=headers, data=ssml) as response:
+                if response.status != 200:
+                    error_text = await response.text()
+                    raise RuntimeError(f"Azure TTS failed: {error_text}")
+
+                # Use 8192 byte chunks for smoother streaming
+                async for chunk in response.content.iter_chunked(8192):
+                    if chunk:
+                        yield chunk
+
+    async def validate_credentials(self) -> None:
+        """Validate Azure credentials by listing available voices."""
+        if not self.api_key:
+            raise ValueError("Azure API key required")
+        if not self._is_self_hosted() and not self.speech_region:
+            raise ValueError("Azure speech region required (cloud mode)")
+
+        url = f"https://{self.speech_region}.tts.speech.microsoft.com/cognitiveservices/voices/list"
+        if self._is_self_hosted():
+            url = f"{(self.api_base or '').rstrip('/')}/cognitiveservices/voices/list"
+
+        headers = {"Ocp-Apim-Subscription-Key": self.api_key}
+        async with aiohttp.ClientSession() as session:
+            async with session.get(url, headers=headers) as response:
+                if response.status in (401, 403):
+                    raise RuntimeError("Invalid Azure API key.")
+                if response.status != 200:
+                    raise RuntimeError("Azure credential validation failed.")
+
+    def get_available_voices(self) -> list[dict[str, str]]:
+        """Return common Azure Neural voices."""
+        return AZURE_VOICES.copy()
+
+    def get_available_stt_models(self) -> list[dict[str, str]]:
+        return [
+            {"id": "default", "name": "Azure Speech Recognition"},
+        ]
+
+    def get_available_tts_models(self) -> list[dict[str, str]]:
+        return [
+            {"id": "neural", "name": "Neural TTS"},
+        ]
+
+    def supports_streaming_stt(self) -> bool:
+        """Azure supports streaming STT via Speech SDK."""
+        return True
+
+    def supports_streaming_tts(self) -> bool:
+        """Azure supports real-time streaming TTS via Speech SDK."""
+        return True
+
+    async def create_streaming_transcriber(
+        self, _audio_format: str = "webm"
+    ) -> AzureStreamingTranscriber:
+        """Create a streaming transcription session."""
+        if not self.api_key:
+            raise ValueError("API key required for streaming transcription")
+        if not self._is_self_hosted() and not self.speech_region:
+            raise ValueError(
+                "Speech region required for Azure streaming transcription (cloud mode)"
+            )
+
+        # Use endpoint for self-hosted, region for cloud
+        transcriber = AzureStreamingTranscriber(
+            api_key=self.api_key,
+            region=self.speech_region if not self._is_self_hosted() else None,
+            endpoint=self.api_base if self._is_self_hosted() else None,
+            input_sample_rate=24000,
+            target_sample_rate=16000,
+        )
+        await transcriber.connect()
+        return transcriber
+
+    async def create_streaming_synthesizer(
+        self, voice: str | None = None, speed: float = 1.0
+    ) -> AzureStreamingSynthesizer:
+        """Create a streaming TTS session."""
+        if not self.api_key:
+            raise ValueError("API key required for streaming TTS")
+        if not self._is_self_hosted() and not self.speech_region:
+            raise ValueError(
+                "Speech region required for Azure streaming TTS (cloud mode)"
+            )
+
+        # Use endpoint for self-hosted, region for cloud
+        synthesizer = AzureStreamingSynthesizer(
+            api_key=self.api_key,
+            region=self.speech_region if not self._is_self_hosted() else None,
+            endpoint=self.api_base if self._is_self_hosted() else None,
+            voice=voice or self.default_voice or "en-US-JennyNeural",
+            speed=speed,
+        )
+        await synthesizer.connect()
+        return synthesizer

backend/onyx/voice/providers/elevenlabs.py

@@ -0,0 +1,876 @@
+"""ElevenLabs voice provider for STT and TTS.
+
+ElevenLabs supports:
+- **STT**: Scribe API (batch via REST, streaming via WebSocket with Scribe v2 Realtime).
+  The streaming endpoint sends base64-encoded PCM16 audio chunks and receives JSON
+  transcript messages (partial_transcript, committed_transcript, utterance_end).
+- **TTS**: Text-to-speech via REST streaming and WebSocket stream-input.
+  The WebSocket variant accepts incremental text chunks and returns audio in order,
+  enabling low-latency playback before the full text is available.
+
+See https://elevenlabs.io/docs for API reference.
+"""
+
+import asyncio
+import base64
+import json
+from collections.abc import AsyncIterator
+from enum import StrEnum
+from typing import Any
+
+import aiohttp
+
+from onyx.voice.interface import StreamingSynthesizerProtocol
+from onyx.voice.interface import StreamingTranscriberProtocol
+from onyx.voice.interface import TranscriptResult
+from onyx.voice.interface import VoiceProviderInterface
+
+# Default ElevenLabs API base URL
+DEFAULT_ELEVENLABS_API_BASE = "https://api.elevenlabs.io"
+
+# Default sample rates for STT streaming
+DEFAULT_INPUT_SAMPLE_RATE = 24000  # What the browser frontend sends
+DEFAULT_TARGET_SAMPLE_RATE = 16000  # What ElevenLabs Scribe expects
+
+# Default streaming TTS output format
+DEFAULT_TTS_OUTPUT_FORMAT = "mp3_44100_64"
+
+# Default TTS voice settings
+DEFAULT_VOICE_STABILITY = 0.5
+DEFAULT_VOICE_SIMILARITY_BOOST = 0.75
+
+# Chunk length schedule for streaming TTS (optimized for real-time playback)
+DEFAULT_CHUNK_LENGTH_SCHEDULE = [120, 160, 250, 290]
+
+# Default STT streaming VAD configuration
+DEFAULT_VAD_SILENCE_THRESHOLD_SECS = 1.0
+DEFAULT_VAD_THRESHOLD = 0.4
+DEFAULT_MIN_SPEECH_DURATION_MS = 100
+DEFAULT_MIN_SILENCE_DURATION_MS = 300
+
+
+class ElevenLabsSTTMessageType(StrEnum):
+    """Message types from ElevenLabs Scribe Realtime STT API."""
+
+    SESSION_STARTED = "session_started"
+    PARTIAL_TRANSCRIPT = "partial_transcript"
+    COMMITTED_TRANSCRIPT = "committed_transcript"
+    UTTERANCE_END = "utterance_end"
+    SESSION_ENDED = "session_ended"
+    ERROR = "error"
+
+
+class ElevenLabsTTSMessageType(StrEnum):
+    """Message types from ElevenLabs stream-input TTS API."""
+
+    AUDIO = "audio"
+    ERROR = "error"
+
+
+def _http_to_ws_url(http_url: str) -> str:
+    """Convert http(s) URL to ws(s) URL for WebSocket connections."""
+    if http_url.startswith("https://"):
+        return "wss://" + http_url[8:]
+    elif http_url.startswith("http://"):
+        return "ws://" + http_url[7:]
+    return http_url
+
+
+# Common ElevenLabs voices
+ELEVENLABS_VOICES = [
+    {"id": "21m00Tcm4TlvDq8ikWAM", "name": "Rachel"},
+    {"id": "AZnzlk1XvdvUeBnXmlld", "name": "Domi"},
+    {"id": "EXAVITQu4vr4xnSDxMaL", "name": "Bella"},
+    {"id": "ErXwobaYiN019PkySvjV", "name": "Antoni"},
+    {"id": "MF3mGyEYCl7XYWbV9V6O", "name": "Elli"},
+    {"id": "TxGEqnHWrfWFTfGW9XjX", "name": "Josh"},
+    {"id": "VR6AewLTigWG4xSOukaG", "name": "Arnold"},
+    {"id": "pNInz6obpgDQGcFmaJgB", "name": "Adam"},
+    {"id": "yoZ06aMxZJJ28mfd3POQ", "name": "Sam"},
+]
+
+
+class ElevenLabsStreamingTranscriber(StreamingTranscriberProtocol):
+    """Streaming transcription session using ElevenLabs Scribe Realtime API."""
+
+    def __init__(
+        self,
+        api_key: str,
+        model: str = "scribe_v2_realtime",
+        input_sample_rate: int = DEFAULT_INPUT_SAMPLE_RATE,
+        target_sample_rate: int = DEFAULT_TARGET_SAMPLE_RATE,
+        language_code: str = "en",
+        api_base: str | None = None,
+    ):
+        # Import logger first
+        from onyx.utils.logger import setup_logger
+
+        self._logger = setup_logger()
+
+        self._logger.info(
+            f"ElevenLabsStreamingTranscriber: initializing with model {model}"
+        )
+        self.api_key = api_key
+        self.model = model
+        self.input_sample_rate = input_sample_rate
+        self.target_sample_rate = target_sample_rate
+        self.language_code = language_code
+        self.api_base = api_base or DEFAULT_ELEVENLABS_API_BASE
+        self._ws: aiohttp.ClientWebSocketResponse | None = None
+        self._session: aiohttp.ClientSession | None = None
+        self._transcript_queue: asyncio.Queue[TranscriptResult | None] = asyncio.Queue()
+        self._final_transcript = ""
+        self._receive_task: asyncio.Task | None = None
+        self._closed = False
+
+    async def connect(self) -> None:
+        """Establish WebSocket connection to ElevenLabs."""
+        self._logger.info(
+            "ElevenLabsStreamingTranscriber: connecting to ElevenLabs API"
+        )
+        self._session = aiohttp.ClientSession()
+
+        # VAD is configured via query parameters.
+        # commit_strategy=vad enables automatic transcript commit on silence detection.
+        # These params are part of the ElevenLabs Scribe Realtime API contract:
+        # https://elevenlabs.io/docs/api-reference/speech-to-text/realtime
+        ws_base = _http_to_ws_url(self.api_base.rstrip("/"))
+        url = (
+            f"{ws_base}/v1/speech-to-text/realtime"
+            f"?model_id={self.model}"
+            f"&sample_rate={self.target_sample_rate}"
+            f"&language_code={self.language_code}"
+            f"&commit_strategy=vad"
+            f"&vad_silence_threshold_secs={DEFAULT_VAD_SILENCE_THRESHOLD_SECS}"
+            f"&vad_threshold={DEFAULT_VAD_THRESHOLD}"
+            f"&min_speech_duration_ms={DEFAULT_MIN_SPEECH_DURATION_MS}"
+            f"&min_silence_duration_ms={DEFAULT_MIN_SILENCE_DURATION_MS}"
+        )
+        self._logger.info(
+            f"ElevenLabsStreamingTranscriber: connecting to {url} "
+            f"(input={self.input_sample_rate}Hz, target={self.target_sample_rate}Hz)"
+        )
+
+        try:
+            self._ws = await self._session.ws_connect(
+                url,
+                headers={"xi-api-key": self.api_key},
+            )
+            self._logger.info(
+                f"ElevenLabsStreamingTranscriber: connected successfully, "
+                f"ws.closed={self._ws.closed}, close_code={self._ws.close_code}"
+            )
+        except Exception as e:
+            self._logger.error(
+                f"ElevenLabsStreamingTranscriber: failed to connect: {e}"
+            )
+            if self._session:
+                await self._session.close()
+            raise
+
+        # Start receiving transcripts in background
+        self._receive_task = asyncio.create_task(self._receive_loop())
+
+    async def _receive_loop(self) -> None:
+        """Background task to receive transcripts from WebSocket."""
+        self._logger.info("ElevenLabsStreamingTranscriber: receive loop started")
+        if not self._ws:
+            self._logger.warning(
+                "ElevenLabsStreamingTranscriber: no WebSocket connection"
+            )
+            return
+
+        try:
+            async for msg in self._ws:
+                self._logger.debug(
+                    f"ElevenLabsStreamingTranscriber: raw message type: {msg.type}"
+                )
+                if msg.type == aiohttp.WSMsgType.TEXT:
+                    parsed_data: Any = None
+                    data: dict[str, Any]
+                    try:
+                        parsed_data = json.loads(msg.data)
+                    except json.JSONDecodeError:
+                        self._logger.error(
+                            f"ElevenLabsStreamingTranscriber: failed to parse JSON: {msg.data[:200]}"
+                        )
+                        continue
+                    if not isinstance(parsed_data, dict):
+                        self._logger.error(
+                            "ElevenLabsStreamingTranscriber: expected object JSON payload"
+                        )
+                        continue
+                    data = parsed_data
+
+                    # ElevenLabs uses message_type field - fail fast if missing
+                    if "message_type" not in data and "type" not in data:
+                        self._logger.error(
+                            f"ElevenLabsStreamingTranscriber: malformed packet missing 'message_type' field: {data}"
+                        )
+                        continue
+                    msg_type = data.get("message_type", data.get("type", ""))
+                    self._logger.info(
+                        f"ElevenLabsStreamingTranscriber: received message_type: '{msg_type}', data keys: {list(data.keys())}"
+                    )
+                    # Check for error in various formats
+                    if "error" in data or msg_type == ElevenLabsSTTMessageType.ERROR:
+                        error_msg = data.get("error", data.get("message", data))
+                        self._logger.error(
+                            f"ElevenLabsStreamingTranscriber: API error: {error_msg}"
+                        )
+                        continue
+
+                    # Handle message types from ElevenLabs Scribe Realtime API.
+                    # See https://elevenlabs.io/docs/api-reference/speech-to-text/realtime
+                    if msg_type == ElevenLabsSTTMessageType.SESSION_STARTED:
+                        self._logger.info(
+                            f"ElevenLabsStreamingTranscriber: session started, "
+                            f"id={data.get('session_id')}, config={data.get('config')}"
+                        )
+                    elif msg_type == ElevenLabsSTTMessageType.PARTIAL_TRANSCRIPT:
+                        # Interim result — updated as more audio is processed
+                        text = data.get("text", "")
+                        if text:
+                            self._logger.info(
+                                f"ElevenLabsStreamingTranscriber: partial_transcript: {text[:50]}..."
+                            )
+                            self._final_transcript = text
+                            await self._transcript_queue.put(
+                                TranscriptResult(text=text, is_vad_end=False)
+                            )
+                    elif msg_type == ElevenLabsSTTMessageType.COMMITTED_TRANSCRIPT:
+                        # Final transcript for the current utterance (VAD detected end)
+                        text = data.get("text", "")
+                        if text:
+                            self._logger.info(
+                                f"ElevenLabsStreamingTranscriber: committed_transcript: {text[:50]}..."
+                            )
+                            self._final_transcript = text
+                            await self._transcript_queue.put(
+                                TranscriptResult(text=text, is_vad_end=True)
+                            )
+                    elif msg_type == ElevenLabsSTTMessageType.UTTERANCE_END:
+                        # VAD detected end of speech (may carry text or be empty)
+                        text = data.get("text", "") or self._final_transcript
+                        if text:
+                            self._logger.info(
+                                f"ElevenLabsStreamingTranscriber: utterance_end: {text[:50]}..."
+                            )
+                            self._final_transcript = text
+                            await self._transcript_queue.put(
+                                TranscriptResult(text=text, is_vad_end=True)
+                            )
+                    elif msg_type == ElevenLabsSTTMessageType.SESSION_ENDED:
+                        self._logger.info(
+                            "ElevenLabsStreamingTranscriber: session ended"
+                        )
+                        break
+                    else:
+                        # Log unhandled message types with full data for debugging
+                        self._logger.warning(
+                            f"ElevenLabsStreamingTranscriber: unhandled message_type: {msg_type}, full data: {data}"
+                        )
+                elif msg.type == aiohttp.WSMsgType.BINARY:
+                    self._logger.debug(
+                        f"ElevenLabsStreamingTranscriber: received binary message: {len(msg.data)} bytes"
+                    )
+                elif msg.type == aiohttp.WSMsgType.CLOSED:
+                    close_code = self._ws.close_code if self._ws else "N/A"
+                    self._logger.info(
+                        "ElevenLabsStreamingTranscriber: WebSocket closed by "
+                        f"server, close_code={close_code}"
+                    )
+                    break
+                elif msg.type == aiohttp.WSMsgType.ERROR:
+                    self._logger.error(
+                        f"ElevenLabsStreamingTranscriber: WebSocket error: {self._ws.exception() if self._ws else 'N/A'}"
+                    )
+                    break
+                elif msg.type == aiohttp.WSMsgType.CLOSE:
+                    self._logger.info(
+                        f"ElevenLabsStreamingTranscriber: WebSocket CLOSE frame received, data={msg.data}, extra={msg.extra}"
+                    )
+                    break
+        except Exception as e:
+            self._logger.error(
+                f"ElevenLabsStreamingTranscriber: error in receive loop: {e}",
+                exc_info=True,
+            )
+        finally:
+            close_code = self._ws.close_code if self._ws else "N/A"
+            self._logger.info(
+                f"ElevenLabsStreamingTranscriber: receive loop ended, close_code={close_code}"
+            )
+            await self._transcript_queue.put(None)  # Signal end
+
+    def _resample_pcm16(self, data: bytes) -> bytes:
+        """Resample PCM16 audio from input_sample_rate to target_sample_rate."""
+        import struct
+
+        if self.input_sample_rate == self.target_sample_rate:
+            return data
+
+        # Parse int16 samples
+        num_samples = len(data) // 2
+        samples = list(struct.unpack(f"<{num_samples}h", data))
+
+        # Calculate resampling ratio
+        ratio = self.input_sample_rate / self.target_sample_rate
+        new_length = int(num_samples / ratio)
+
+        # Linear interpolation resampling
+        resampled = []
+        for i in range(new_length):
+            src_idx = i * ratio
+            idx_floor = int(src_idx)
+            idx_ceil = min(idx_floor + 1, num_samples - 1)
+            frac = src_idx - idx_floor
+            sample = int(samples[idx_floor] * (1 - frac) + samples[idx_ceil] * frac)
+            # Clamp to int16 range
+            sample = max(-32768, min(32767, sample))
+            resampled.append(sample)
+
+        return struct.pack(f"<{len(resampled)}h", *resampled)
+
+    async def send_audio(self, chunk: bytes) -> None:
+        """Send an audio chunk for transcription."""
+        if not self._ws:
+            self._logger.warning("send_audio: no WebSocket connection")
+            return
+        if self._closed:
+            self._logger.warning("send_audio: transcriber is closed")
+            return
+        if self._ws.closed:
+            self._logger.warning(
+                f"send_audio: WebSocket is closed, close_code={self._ws.close_code}"
+            )
+            return
+
+        try:
+            # Resample from input rate (24kHz) to target rate (16kHz)
+            resampled = self._resample_pcm16(chunk)
+            # ElevenLabs expects input_audio_chunk message format with audio_base_64
+            audio_b64 = base64.b64encode(resampled).decode("utf-8")
+            message = {
+                "message_type": "input_audio_chunk",
+                "audio_base_64": audio_b64,
+                "sample_rate": self.target_sample_rate,
+            }
+            self._logger.info(
+                f"send_audio: {len(chunk)} bytes -> {len(resampled)} bytes (resampled) -> {len(audio_b64)} chars base64"
+            )
+            await self._ws.send_str(json.dumps(message))
+            self._logger.info("send_audio: message sent successfully")
+        except Exception as e:
+            self._logger.error(f"send_audio: failed to send: {e}", exc_info=True)
+            raise
+
+    async def receive_transcript(self) -> TranscriptResult | None:
+        """Receive next transcript. Returns None when done."""
+        try:
+            return await asyncio.wait_for(self._transcript_queue.get(), timeout=0.1)
+        except asyncio.TimeoutError:
+            return TranscriptResult(
+                text="", is_vad_end=False
+            )  # No transcript yet, but not done
+
+    async def close(self) -> str:
+        """Close the session and return final transcript."""
+        self._logger.info("ElevenLabsStreamingTranscriber: closing session")
+        self._closed = True
+        if self._ws and not self._ws.closed:
+            try:
+                # Just close the WebSocket - ElevenLabs Scribe doesn't need a special end message
+                self._logger.info(
+                    "ElevenLabsStreamingTranscriber: closing WebSocket connection"
+                )
+                await self._ws.close()
+            except Exception as e:
+                self._logger.debug(f"Error closing WebSocket: {e}")
+        if self._receive_task and not self._receive_task.done():
+            self._receive_task.cancel()
+            try:
+                await self._receive_task
+            except asyncio.CancelledError:
+                pass
+        if self._session and not self._session.closed:
+            await self._session.close()
+        return self._final_transcript
+
+    def reset_transcript(self) -> None:
+        """Reset accumulated transcript. Call after auto-send to start fresh."""
+        self._final_transcript = ""
+
+
+class ElevenLabsStreamingSynthesizer(StreamingSynthesizerProtocol):
+    """Real-time streaming TTS using ElevenLabs WebSocket API.
+
+    Uses ElevenLabs' stream-input WebSocket which processes text as one
+    continuous stream and returns audio in order.
+    """
+
+    def __init__(
+        self,
+        api_key: str,
+        voice_id: str,
+        model_id: str = "eleven_multilingual_v2",
+        output_format: str = "mp3_44100_64",
+        api_base: str | None = None,
+        speed: float = 1.0,
+    ):
+        from onyx.utils.logger import setup_logger
+
+        self._logger = setup_logger()
+        self.api_key = api_key
+        self.voice_id = voice_id
+        self.model_id = model_id
+        self.output_format = output_format
+        self.api_base = api_base or DEFAULT_ELEVENLABS_API_BASE
+        self.speed = speed
+        self._ws: aiohttp.ClientWebSocketResponse | None = None
+        self._session: aiohttp.ClientSession | None = None
+        self._audio_queue: asyncio.Queue[bytes | None] = asyncio.Queue()
+        self._receive_task: asyncio.Task | None = None
+        self._closed = False
+
+    async def connect(self) -> None:
+        """Establish WebSocket connection to ElevenLabs TTS."""
+        self._logger.info("ElevenLabsStreamingSynthesizer: connecting")
+        self._session = aiohttp.ClientSession()
+
+        # WebSocket URL for streaming input TTS with output format for streaming compatibility
+        # Using mp3_44100_64 for good quality with smaller chunks for real-time playback
+        ws_base = _http_to_ws_url(self.api_base.rstrip("/"))
+        url = (
+            f"{ws_base}/v1/text-to-speech/{self.voice_id}/stream-input"
+            f"?model_id={self.model_id}&output_format={self.output_format}"
+        )
+
+        self._ws = await self._session.ws_connect(
+            url,
+            headers={"xi-api-key": self.api_key},
+        )
+
+        # Send initial configuration with generation settings optimized for streaming.
+        # Note: API key is sent via header only (not in body to avoid log exposure).
+        # See https://elevenlabs.io/docs/api-reference/text-to-speech/stream-input
+        await self._ws.send_str(
+            json.dumps(
+                {
+                    "text": " ",  # Initial space to start the stream
+                    "voice_settings": {
+                        "stability": DEFAULT_VOICE_STABILITY,
+                        "similarity_boost": DEFAULT_VOICE_SIMILARITY_BOOST,
+                        "speed": self.speed,
+                    },
+                    "generation_config": {
+                        "chunk_length_schedule": DEFAULT_CHUNK_LENGTH_SCHEDULE,
+                    },
+                }
+            )
+        )
+
+        # Start receiving audio in background
+        self._receive_task = asyncio.create_task(self._receive_loop())
+        self._logger.info("ElevenLabsStreamingSynthesizer: connected")
+
+    async def _receive_loop(self) -> None:
+        """Background task to receive audio chunks from WebSocket.
+
+        Audio is returned in order as one continuous stream.
+        """
+        if not self._ws:
+            return
+
+        chunk_count = 0
+        total_bytes = 0
+        try:
+            async for msg in self._ws:
+                if self._closed:
+                    self._logger.info(
+                        "ElevenLabsStreamingSynthesizer: closed flag set, stopping "
+                        "receive loop"
+                    )
+                    break
+                if msg.type == aiohttp.WSMsgType.TEXT:
+                    data = json.loads(msg.data)
+                    # Process audio if present
+                    if "audio" in data and data["audio"]:
+                        audio_bytes = base64.b64decode(data["audio"])
+                        chunk_count += 1
+                        total_bytes += len(audio_bytes)
+                        await self._audio_queue.put(audio_bytes)
+
+                    # Check isFinal separately - a message can have both audio AND isFinal
+                    if "isFinal" in data:
+                        self._logger.info(
+                            f"ElevenLabsStreamingSynthesizer: received isFinal={data['isFinal']}, "
+                            f"chunks so far: {chunk_count}, bytes: {total_bytes}"
+                        )
+                        if data.get("isFinal"):
+                            self._logger.info(
+                                "ElevenLabsStreamingSynthesizer: isFinal=true, signaling end of audio"
+                            )
+                            await self._audio_queue.put(None)
+
+                    # Check for errors
+                    if "error" in data or data.get("type") == "error":
+                        self._logger.error(
+                            f"ElevenLabsStreamingSynthesizer: received error: {data}"
+                        )
+                elif msg.type == aiohttp.WSMsgType.BINARY:
+                    chunk_count += 1
+                    total_bytes += len(msg.data)
+                    await self._audio_queue.put(msg.data)
+                elif msg.type in (
+                    aiohttp.WSMsgType.CLOSE,
+                    aiohttp.WSMsgType.ERROR,
+                ):
+                    self._logger.info(
+                        f"ElevenLabsStreamingSynthesizer: WebSocket closed/error, type={msg.type}"
+                    )
+                    break
+        except Exception as e:
+            self._logger.error(f"ElevenLabsStreamingSynthesizer receive error: {e}")
+        finally:
+            self._logger.info(
+                f"ElevenLabsStreamingSynthesizer: receive loop ended, {chunk_count} chunks, {total_bytes} bytes"
+            )
+            await self._audio_queue.put(None)  # Signal end of stream
+
+    async def send_text(self, text: str) -> None:
+        """Send text to be synthesized.
+
+        ElevenLabs processes text as a continuous stream and returns
+        audio in order. We let ElevenLabs handle buffering via chunk_length_schedule
+        and only force generation when flush() is called at the end.
+
+        Args:
+            text: Text to synthesize
+        """
+        if self._ws and not self._closed and text.strip():
+            self._logger.info(
+                f"ElevenLabsStreamingSynthesizer: sending text ({len(text)} chars): '{text}'"
+            )
+            # Let ElevenLabs buffer and auto-generate based on chunk_length_schedule
+            # Don't trigger generation here - wait for flush() at the end
+            await self._ws.send_str(
+                json.dumps(
+                    {
+                        "text": text + " ",  # Space for natural speech flow
+                    }
+                )
+            )
+            self._logger.info("ElevenLabsStreamingSynthesizer: text sent successfully")
+        else:
+            self._logger.warning(
+                f"ElevenLabsStreamingSynthesizer: skipping send_text - "
+                f"ws={self._ws is not None}, closed={self._closed}, text='{text[:30] if text else ''}'"
+            )
+
+    async def receive_audio(self) -> bytes | None:
+        """Receive next audio chunk."""
+        try:
+            return await asyncio.wait_for(self._audio_queue.get(), timeout=0.1)
+        except asyncio.TimeoutError:
+            return b""  # No audio yet, but not done
+
+    async def flush(self) -> None:
+        """Signal end of text input. ElevenLabs will generate remaining audio and close."""
+        if self._ws and not self._closed:
+            # Send empty string to signal end of input
+            # ElevenLabs will generate any remaining buffered text,
+            # send all audio chunks, send isFinal, then close the connection
+            self._logger.info(
+                "ElevenLabsStreamingSynthesizer: sending end-of-input (empty string)"
+            )
+            await self._ws.send_str(json.dumps({"text": ""}))
+            self._logger.info("ElevenLabsStreamingSynthesizer: end-of-input sent")
+        else:
+            self._logger.warning(
+                f"ElevenLabsStreamingSynthesizer: skipping flush - "
+                f"ws={self._ws is not None}, closed={self._closed}"
+            )
+
+    async def close(self) -> None:
+        """Close the session."""
+        self._closed = True
+        if self._ws:
+            await self._ws.close()
+        if self._receive_task:
+            self._receive_task.cancel()
+            try:
+                await self._receive_task
+            except asyncio.CancelledError:
+                pass
+        if self._session:
+            await self._session.close()
+
+
+# Valid ElevenLabs model IDs
+ELEVENLABS_STT_MODELS = {"scribe_v1", "scribe_v2_realtime"}
+ELEVENLABS_TTS_MODELS = {
+    "eleven_multilingual_v2",
+    "eleven_turbo_v2_5",
+    "eleven_monolingual_v1",
+    "eleven_flash_v2_5",
+    "eleven_flash_v2",
+}
+
+
+class ElevenLabsVoiceProvider(VoiceProviderInterface):
+    """ElevenLabs voice provider."""
+
+    def __init__(
+        self,
+        api_key: str | None,
+        api_base: str | None = None,
+        stt_model: str | None = None,
+        tts_model: str | None = None,
+        default_voice: str | None = None,
+    ):
+        self.api_key = api_key
+        self.api_base = api_base or DEFAULT_ELEVENLABS_API_BASE
+        # Validate and default models - use valid ElevenLabs model IDs
+        self.stt_model = (
+            stt_model if stt_model in ELEVENLABS_STT_MODELS else "scribe_v1"
+        )
+        self.tts_model = (
+            tts_model
+            if tts_model in ELEVENLABS_TTS_MODELS
+            else "eleven_multilingual_v2"
+        )
+        self.default_voice = default_voice
+
+    async def transcribe(self, audio_data: bytes, audio_format: str) -> str:
+        """
+        Transcribe audio using ElevenLabs Speech-to-Text API.
+
+        Args:
+            audio_data: Raw audio bytes
+            audio_format: Format of the audio (e.g., 'webm', 'mp3', 'wav')
+
+        Returns:
+            Transcribed text
+        """
+        if not self.api_key:
+            raise ValueError("ElevenLabs API key required for transcription")
+
+        from onyx.utils.logger import setup_logger
+
+        logger = setup_logger()
+
+        url = f"{self.api_base}/v1/speech-to-text"
+
+        # Map common formats to MIME types
+        mime_types = {
+            "webm": "audio/webm",
+            "mp3": "audio/mpeg",
+            "wav": "audio/wav",
+            "ogg": "audio/ogg",
+            "flac": "audio/flac",
+            "m4a": "audio/mp4",
+        }
+        mime_type = mime_types.get(audio_format.lower(), f"audio/{audio_format}")
+
+        headers = {
+            "xi-api-key": self.api_key,
+        }
+
+        # ElevenLabs expects multipart form data
+        form_data = aiohttp.FormData()
+        form_data.add_field(
+            "audio",
+            audio_data,
+            filename=f"audio.{audio_format}",
+            content_type=mime_type,
+        )
+        # For batch STT, use scribe_v1 (not the realtime model)
+        batch_model = (
+            self.stt_model if self.stt_model in ("scribe_v1",) else "scribe_v1"
+        )
+        form_data.add_field("model_id", batch_model)
+
+        logger.info(
+            f"ElevenLabs transcribe: sending {len(audio_data)} bytes, format={audio_format}"
+        )
+
+        async with aiohttp.ClientSession() as session:
+            async with session.post(url, headers=headers, data=form_data) as response:
+                if response.status != 200:
+                    error_text = await response.text()
+                    logger.error(f"ElevenLabs transcribe failed: {error_text}")
+                    raise RuntimeError(f"ElevenLabs transcription failed: {error_text}")
+
+                result = await response.json()
+                text = result.get("text", "")
+                logger.info(f"ElevenLabs transcribe: got result: {text[:50]}...")
+                return text
+
+    async def synthesize_stream(
+        self, text: str, voice: str | None = None, speed: float = 1.0
+    ) -> AsyncIterator[bytes]:
+        """
+        Convert text to audio using ElevenLabs TTS with streaming.
+
+        Args:
+            text: Text to convert to speech
+            voice: Voice ID (defaults to provider's default voice or Rachel)
+            speed: Playback speed multiplier
+
+        Yields:
+            Audio data chunks (mp3 format)
+        """
+        from onyx.utils.logger import setup_logger
+
+        logger = setup_logger()
+
+        if not self.api_key:
+            raise ValueError("ElevenLabs API key required for TTS")
+
+        voice_id = voice or self.default_voice or "21m00Tcm4TlvDq8ikWAM"  # Rachel
+
+        url = f"{self.api_base}/v1/text-to-speech/{voice_id}/stream"
+
+        logger.info(
+            f"ElevenLabs TTS: starting synthesis, text='{text[:50]}...', "
+            f"voice={voice_id}, model={self.tts_model}, speed={speed}"
+        )
+
+        headers = {
+            "xi-api-key": self.api_key,
+            "Content-Type": "application/json",
+            "Accept": "audio/mpeg",
+        }
+
+        payload = {
+            "text": text,
+            "model_id": self.tts_model,
+            "voice_settings": {
+                "stability": DEFAULT_VOICE_STABILITY,
+                "similarity_boost": DEFAULT_VOICE_SIMILARITY_BOOST,
+                "speed": speed,
+            },
+        }
+
+        async with aiohttp.ClientSession() as session:
+            async with session.post(url, headers=headers, json=payload) as response:
+                logger.info(
+                    f"ElevenLabs TTS: got response status={response.status}, "
+                    f"content-type={response.headers.get('content-type')}"
+                )
+                if response.status != 200:
+                    error_text = await response.text()
+                    logger.error(f"ElevenLabs TTS failed: {error_text}")
+                    raise RuntimeError(f"ElevenLabs TTS failed: {error_text}")
+
+                # Use 8192 byte chunks for smoother streaming
+                chunk_count = 0
+                total_bytes = 0
+                async for chunk in response.content.iter_chunked(8192):
+                    if chunk:
+                        chunk_count += 1
+                        total_bytes += len(chunk)
+                        yield chunk
+                logger.info(
+                    f"ElevenLabs TTS: streaming complete, {chunk_count} chunks, "
+                    f"{total_bytes} total bytes"
+                )
+
+    async def validate_credentials(self) -> None:
+        """Validate ElevenLabs API key.
+
+        Calls /v1/models as a lightweight check. ElevenLabs returns 401 for
+        both truly invalid keys and valid keys with restricted scopes, so we
+        inspect the response body: a "missing_permissions" status means the
+        key authenticated successfully but lacks a specific scope.
+        """
+        if not self.api_key:
+            raise ValueError("ElevenLabs API key required")
+
+        headers = {"xi-api-key": self.api_key}
+        async with aiohttp.ClientSession() as session:
+            async with session.get(
+                f"{self.api_base}/v1/models", headers=headers
+            ) as response:
+                if response.status == 200:
+                    return
+                if response.status in (401, 403):
+                    try:
+                        body = await response.json()
+                        detail = body.get("detail", {})
+                        status = (
+                            detail.get("status", "") if isinstance(detail, dict) else ""
+                        )
+                    except Exception:
+                        status = ""
+                    # "missing_permissions" means the key is valid but
+                    # lacks this specific scope — that's fine.
+                    if status == "missing_permissions":
+                        return
+                    raise RuntimeError("Invalid ElevenLabs API key.")
+                raise RuntimeError("ElevenLabs credential validation failed.")
+
+    def get_available_voices(self) -> list[dict[str, str]]:
+        """Return common ElevenLabs voices."""
+        return ELEVENLABS_VOICES.copy()
+
+    def get_available_stt_models(self) -> list[dict[str, str]]:
+        return [
+            {"id": "scribe_v2_realtime", "name": "Scribe v2 Realtime (Streaming)"},
+            {"id": "scribe_v1", "name": "Scribe v1 (Batch)"},
+        ]
+
+    def get_available_tts_models(self) -> list[dict[str, str]]:
+        return [
+            {"id": "eleven_multilingual_v2", "name": "Multilingual v2"},
+            {"id": "eleven_turbo_v2_5", "name": "Turbo v2.5"},
+            {"id": "eleven_monolingual_v1", "name": "Monolingual v1"},
+        ]
+
+    def supports_streaming_stt(self) -> bool:
+        """ElevenLabs supports streaming via Scribe Realtime API."""
+        return True
+
+    def supports_streaming_tts(self) -> bool:
+        """ElevenLabs supports real-time streaming TTS via WebSocket."""
+        return True
+
+    async def create_streaming_transcriber(
+        self, _audio_format: str = "webm"
+    ) -> ElevenLabsStreamingTranscriber:
+        """Create a streaming transcription session."""
+        if not self.api_key:
+            raise ValueError("API key required for streaming transcription")
+        # ElevenLabs realtime STT requires scribe_v2_realtime model.
+        # Frontend sends PCM16 at DEFAULT_INPUT_SAMPLE_RATE (24kHz),
+        # but ElevenLabs expects DEFAULT_TARGET_SAMPLE_RATE (16kHz).
+        # The transcriber resamples automatically.
+        transcriber = ElevenLabsStreamingTranscriber(
+            api_key=self.api_key,
+            model="scribe_v2_realtime",
+            input_sample_rate=DEFAULT_INPUT_SAMPLE_RATE,
+            target_sample_rate=DEFAULT_TARGET_SAMPLE_RATE,
+            language_code="en",
+            api_base=self.api_base,
+        )
+        await transcriber.connect()
+        return transcriber
+
+    async def create_streaming_synthesizer(
+        self, voice: str | None = None, speed: float = 1.0
+    ) -> ElevenLabsStreamingSynthesizer:
+        """Create a streaming TTS session."""
+        if not self.api_key:
+            raise ValueError("API key required for streaming TTS")
+        voice_id = voice or self.default_voice or "21m00Tcm4TlvDq8ikWAM"
+        synthesizer = ElevenLabsStreamingSynthesizer(
+            api_key=self.api_key,
+            voice_id=voice_id,
+            model_id=self.tts_model,
+            output_format=DEFAULT_TTS_OUTPUT_FORMAT,
+            api_base=self.api_base,
+            speed=speed,
+        )
+        await synthesizer.connect()
+        return synthesizer

backend/onyx/voice/providers/openai.py

@@ -0,0 +1,633 @@
+"""OpenAI voice provider for STT and TTS.
+
+OpenAI supports:
+- **STT**: Whisper (batch transcription via REST) and Realtime API (streaming
+  transcription via WebSocket with server-side VAD). Audio is sent as base64-encoded
+  PCM16 at 24kHz mono. The Realtime API returns transcript deltas and completed
+  transcription events per VAD-detected utterance.
+- **TTS**: HTTP streaming endpoint that returns audio chunks progressively.
+  Supported models: tts-1 (standard) and tts-1-hd (high quality).
+
+See https://platform.openai.com/docs for API reference.
+"""
+
+import asyncio
+import base64
+import io
+import json
+from collections.abc import AsyncIterator
+from enum import StrEnum
+from typing import TYPE_CHECKING
+
+import aiohttp
+
+from onyx.voice.interface import StreamingSynthesizerProtocol
+from onyx.voice.interface import StreamingTranscriberProtocol
+from onyx.voice.interface import TranscriptResult
+from onyx.voice.interface import VoiceProviderInterface
+
+if TYPE_CHECKING:
+    from openai import AsyncOpenAI
+
+# Default OpenAI API base URL
+DEFAULT_OPENAI_API_BASE = "https://api.openai.com"
+
+
+class OpenAIRealtimeMessageType(StrEnum):
+    """Message types from OpenAI Realtime transcription API."""
+
+    ERROR = "error"
+    SPEECH_STARTED = "input_audio_buffer.speech_started"
+    SPEECH_STOPPED = "input_audio_buffer.speech_stopped"
+    BUFFER_COMMITTED = "input_audio_buffer.committed"
+    TRANSCRIPTION_DELTA = "conversation.item.input_audio_transcription.delta"
+    TRANSCRIPTION_COMPLETED = "conversation.item.input_audio_transcription.completed"
+    SESSION_CREATED = "transcription_session.created"
+    SESSION_UPDATED = "transcription_session.updated"
+    ITEM_CREATED = "conversation.item.created"
+
+
+def _http_to_ws_url(http_url: str) -> str:
+    """Convert http(s) URL to ws(s) URL for WebSocket connections."""
+    if http_url.startswith("https://"):
+        return "wss://" + http_url[8:]
+    elif http_url.startswith("http://"):
+        return "ws://" + http_url[7:]
+    return http_url
+
+
+class OpenAIStreamingTranscriber(StreamingTranscriberProtocol):
+    """Streaming transcription using OpenAI Realtime API."""
+
+    def __init__(
+        self,
+        api_key: str,
+        model: str = "whisper-1",
+        api_base: str | None = None,
+    ):
+        # Import logger first
+        from onyx.utils.logger import setup_logger
+
+        self._logger = setup_logger()
+
+        self._logger.info(
+            f"OpenAIStreamingTranscriber: initializing with model {model}"
+        )
+        self.api_key = api_key
+        self.model = model
+        self.api_base = api_base or DEFAULT_OPENAI_API_BASE
+        self._ws: aiohttp.ClientWebSocketResponse | None = None
+        self._session: aiohttp.ClientSession | None = None
+        self._transcript_queue: asyncio.Queue[TranscriptResult | None] = asyncio.Queue()
+        self._current_turn_transcript = ""  # Transcript for current VAD turn
+        self._accumulated_transcript = ""  # Accumulated across all turns
+        self._receive_task: asyncio.Task | None = None
+        self._closed = False
+
+    async def connect(self) -> None:
+        """Establish WebSocket connection to OpenAI Realtime API."""
+        self._session = aiohttp.ClientSession()
+
+        # OpenAI Realtime transcription endpoint
+        ws_base = _http_to_ws_url(self.api_base.rstrip("/"))
+        url = f"{ws_base}/v1/realtime?intent=transcription"
+        headers = {
+            "Authorization": f"Bearer {self.api_key}",
+            "OpenAI-Beta": "realtime=v1",
+        }
+
+        try:
+            self._ws = await self._session.ws_connect(url, headers=headers)
+            self._logger.info("Connected to OpenAI Realtime API")
+        except Exception as e:
+            self._logger.error(f"Failed to connect to OpenAI Realtime API: {e}")
+            raise
+
+        # Configure the session for transcription
+        # Enable server-side VAD (Voice Activity Detection) for automatic speech detection
+        config_message = {
+            "type": "transcription_session.update",
+            "session": {
+                "input_audio_format": "pcm16",  # 16-bit PCM at 24kHz mono
+                "input_audio_transcription": {
+                    "model": self.model,
+                },
+                "turn_detection": {
+                    "type": "server_vad",
+                    "threshold": 0.5,
+                    "prefix_padding_ms": 300,
+                    "silence_duration_ms": 500,
+                },
+            },
+        }
+        await self._ws.send_str(json.dumps(config_message))
+        self._logger.info(f"Sent config for model: {self.model} with server VAD")
+
+        # Start receiving transcripts
+        self._receive_task = asyncio.create_task(self._receive_loop())
+
+    async def _receive_loop(self) -> None:
+        """Background task to receive transcripts."""
+        if not self._ws:
+            return
+
+        try:
+            async for msg in self._ws:
+                if msg.type == aiohttp.WSMsgType.TEXT:
+                    data = json.loads(msg.data)
+                    msg_type = data.get("type", "")
+                    self._logger.debug(f"Received message type: {msg_type}")
+
+                    # Handle errors
+                    if msg_type == OpenAIRealtimeMessageType.ERROR:
+                        error = data.get("error", {})
+                        self._logger.error(f"OpenAI error: {error}")
+                        continue
+
+                    # Handle VAD events
+                    if msg_type == OpenAIRealtimeMessageType.SPEECH_STARTED:
+                        self._logger.info("OpenAI: Speech started")
+                        # Reset current turn transcript for new speech
+                        self._current_turn_transcript = ""
+                        continue
+                    elif msg_type == OpenAIRealtimeMessageType.SPEECH_STOPPED:
+                        self._logger.info(
+                            "OpenAI: Speech stopped (VAD detected silence)"
+                        )
+                        continue
+                    elif msg_type == OpenAIRealtimeMessageType.BUFFER_COMMITTED:
+                        self._logger.info("OpenAI: Audio buffer committed")
+                        continue
+
+                    # Handle transcription events
+                    if msg_type == OpenAIRealtimeMessageType.TRANSCRIPTION_DELTA:
+                        delta = data.get("delta", "")
+                        if delta:
+                            self._logger.info(f"OpenAI: Transcription delta: {delta}")
+                            self._current_turn_transcript += delta
+                            # Show accumulated + current turn transcript
+                            full_transcript = self._accumulated_transcript
+                            if full_transcript and self._current_turn_transcript:
+                                full_transcript += " "
+                            full_transcript += self._current_turn_transcript
+                            await self._transcript_queue.put(
+                                TranscriptResult(text=full_transcript, is_vad_end=False)
+                            )
+                    elif msg_type == OpenAIRealtimeMessageType.TRANSCRIPTION_COMPLETED:
+                        transcript = data.get("transcript", "")
+                        if transcript:
+                            self._logger.info(
+                                f"OpenAI: Transcription completed (VAD turn end): {transcript[:50]}..."
+                            )
+                            # This is the final transcript for this VAD turn
+                            self._current_turn_transcript = transcript
+                            # Accumulate this turn's transcript
+                            if self._accumulated_transcript:
+                                self._accumulated_transcript += " " + transcript
+                            else:
+                                self._accumulated_transcript = transcript
+                            # Send with is_vad_end=True to trigger auto-send
+                            await self._transcript_queue.put(
+                                TranscriptResult(
+                                    text=self._accumulated_transcript,
+                                    is_vad_end=True,
+                                )
+                            )
+                    elif msg_type not in (
+                        OpenAIRealtimeMessageType.SESSION_CREATED,
+                        OpenAIRealtimeMessageType.SESSION_UPDATED,
+                        OpenAIRealtimeMessageType.ITEM_CREATED,
+                    ):
+                        # Log any other message types we might be missing
+                        self._logger.info(
+                            f"OpenAI: Unhandled message type '{msg_type}': {data}"
+                        )
+
+                elif msg.type == aiohttp.WSMsgType.ERROR:
+                    self._logger.error(f"WebSocket error: {self._ws.exception()}")
+                    break
+                elif msg.type == aiohttp.WSMsgType.CLOSED:
+                    self._logger.info("WebSocket closed by server")
+                    break
+        except Exception as e:
+            self._logger.error(f"Error in receive loop: {e}")
+        finally:
+            await self._transcript_queue.put(None)
+
+    async def send_audio(self, chunk: bytes) -> None:
+        """Send audio chunk to OpenAI."""
+        if self._ws and not self._closed:
+            # OpenAI expects base64-encoded PCM16 audio at 24kHz mono
+            # PCM16 at 24kHz: 24000 samples/sec * 2 bytes/sample = 48000 bytes/sec
+            # So chunk_bytes / 48000 = duration in seconds
+            duration_ms = (len(chunk) / 48000) * 1000
+            self._logger.debug(
+                f"Sending {len(chunk)} bytes ({duration_ms:.1f}ms) of audio to OpenAI. "
+                f"First 10 bytes: {chunk[:10].hex() if len(chunk) >= 10 else chunk.hex()}"
+            )
+            message = {
+                "type": "input_audio_buffer.append",
+                "audio": base64.b64encode(chunk).decode("utf-8"),
+            }
+            await self._ws.send_str(json.dumps(message))
+
+    def reset_transcript(self) -> None:
+        """Reset accumulated transcript. Call after auto-send to start fresh."""
+        self._logger.info("OpenAI: Resetting accumulated transcript")
+        self._accumulated_transcript = ""
+        self._current_turn_transcript = ""
+
+    async def receive_transcript(self) -> TranscriptResult | None:
+        """Receive next transcript."""
+        try:
+            return await asyncio.wait_for(self._transcript_queue.get(), timeout=0.1)
+        except asyncio.TimeoutError:
+            return TranscriptResult(text="", is_vad_end=False)
+
+    async def close(self) -> str:
+        """Close session and return final transcript."""
+        self._closed = True
+        if self._ws:
+            # With server VAD, the buffer is auto-committed when speech stops.
+            # But we should still commit any remaining audio and wait for transcription.
+            try:
+                await self._ws.send_str(
+                    json.dumps({"type": "input_audio_buffer.commit"})
+                )
+            except Exception as e:
+                self._logger.debug(f"Error sending commit (may be expected): {e}")
+
+            # Wait for *new* transcription to arrive (up to 5 seconds)
+            self._logger.info("Waiting for transcription to complete...")
+            transcript_before_commit = self._accumulated_transcript
+            for _ in range(50):  # 50 * 100ms = 5 seconds max
+                await asyncio.sleep(0.1)
+                if self._accumulated_transcript != transcript_before_commit:
+                    self._logger.info(
+                        f"Got final transcript: {self._accumulated_transcript[:50]}..."
+                    )
+                    break
+            else:
+                self._logger.warning("Timed out waiting for transcription")
+
+            await self._ws.close()
+        if self._receive_task:
+            self._receive_task.cancel()
+            try:
+                await self._receive_task
+            except asyncio.CancelledError:
+                pass
+        if self._session:
+            await self._session.close()
+        return self._accumulated_transcript
+
+
+# OpenAI available voices for TTS
+OPENAI_VOICES = [
+    {"id": "alloy", "name": "Alloy"},
+    {"id": "echo", "name": "Echo"},
+    {"id": "fable", "name": "Fable"},
+    {"id": "onyx", "name": "Onyx"},
+    {"id": "nova", "name": "Nova"},
+    {"id": "shimmer", "name": "Shimmer"},
+]
+
+# OpenAI available STT models (all support streaming via Realtime API)
+OPENAI_STT_MODELS = [
+    {"id": "whisper-1", "name": "Whisper v1"},
+    {"id": "gpt-4o-transcribe", "name": "GPT-4o Transcribe"},
+    {"id": "gpt-4o-mini-transcribe", "name": "GPT-4o Mini Transcribe"},
+]
+
+# OpenAI available TTS models
+OPENAI_TTS_MODELS = [
+    {"id": "tts-1", "name": "TTS-1 (Standard)"},
+    {"id": "tts-1-hd", "name": "TTS-1 HD (High Quality)"},
+]
+
+
+def _create_wav_header(
+    data_length: int,
+    sample_rate: int = 24000,
+    channels: int = 1,
+    bits_per_sample: int = 16,
+) -> bytes:
+    """Create a WAV file header for PCM audio data."""
+    import struct
+
+    byte_rate = sample_rate * channels * bits_per_sample // 8
+    block_align = channels * bits_per_sample // 8
+
+    # WAV header is 44 bytes
+    header = struct.pack(
+        "<4sI4s4sIHHIIHH4sI",
+        b"RIFF",  # ChunkID
+        36 + data_length,  # ChunkSize
+        b"WAVE",  # Format
+        b"fmt ",  # Subchunk1ID
+        16,  # Subchunk1Size (PCM)
+        1,  # AudioFormat (1 = PCM)
+        channels,  # NumChannels
+        sample_rate,  # SampleRate
+        byte_rate,  # ByteRate
+        block_align,  # BlockAlign
+        bits_per_sample,  # BitsPerSample
+        b"data",  # Subchunk2ID
+        data_length,  # Subchunk2Size
+    )
+    return header
+
+
+class OpenAIStreamingSynthesizer(StreamingSynthesizerProtocol):
+    """Streaming TTS using OpenAI HTTP TTS API with streaming responses."""
+
+    def __init__(
+        self,
+        api_key: str,
+        voice: str = "alloy",
+        model: str = "tts-1",
+        speed: float = 1.0,
+        api_base: str | None = None,
+    ):
+        from onyx.utils.logger import setup_logger
+
+        self._logger = setup_logger()
+        self.api_key = api_key
+        self.voice = voice
+        self.model = model
+        self.speed = max(0.25, min(4.0, speed))
+        self.api_base = api_base or DEFAULT_OPENAI_API_BASE
+        self._session: aiohttp.ClientSession | None = None
+        self._audio_queue: asyncio.Queue[bytes | None] = asyncio.Queue()
+        self._text_queue: asyncio.Queue[str | None] = asyncio.Queue()
+        self._synthesis_task: asyncio.Task | None = None
+        self._closed = False
+        self._flushed = False
+
+    async def connect(self) -> None:
+        """Initialize HTTP session for TTS requests."""
+        self._logger.info("OpenAIStreamingSynthesizer: connecting")
+        self._session = aiohttp.ClientSession()
+        # Start background task to process text queue
+        self._synthesis_task = asyncio.create_task(self._process_text_queue())
+        self._logger.info("OpenAIStreamingSynthesizer: connected")
+
+    async def _process_text_queue(self) -> None:
+        """Background task to process queued text for synthesis."""
+        while not self._closed:
+            try:
+                text = await asyncio.wait_for(self._text_queue.get(), timeout=0.1)
+                if text is None:
+                    break
+                await self._synthesize_text(text)
+            except asyncio.TimeoutError:
+                continue
+            except asyncio.CancelledError:
+                break
+            except Exception as e:
+                self._logger.error(f"Error processing text queue: {e}")
+
+    async def _synthesize_text(self, text: str) -> None:
+        """Make HTTP TTS request and stream audio to queue."""
+        if not self._session or self._closed:
+            return
+
+        url = f"{self.api_base.rstrip('/')}/v1/audio/speech"
+        headers = {
+            "Authorization": f"Bearer {self.api_key}",
+            "Content-Type": "application/json",
+        }
+        payload = {
+            "model": self.model,
+            "voice": self.voice,
+            "input": text,
+            "speed": self.speed,
+            "response_format": "mp3",
+        }
+
+        try:
+            async with self._session.post(
+                url, headers=headers, json=payload
+            ) as response:
+                if response.status != 200:
+                    error_text = await response.text()
+                    self._logger.error(f"OpenAI TTS error: {error_text}")
+                    return
+
+                # Use 8192 byte chunks for smoother streaming
+                # (larger chunks = more complete MP3 frames, better playback)
+                async for chunk in response.content.iter_chunked(8192):
+                    if self._closed:
+                        break
+                    if chunk:
+                        await self._audio_queue.put(chunk)
+        except Exception as e:
+            self._logger.error(f"OpenAIStreamingSynthesizer synthesis error: {e}")
+
+    async def send_text(self, text: str) -> None:
+        """Queue text to be synthesized via HTTP streaming."""
+        if not text.strip() or self._closed:
+            return
+        await self._text_queue.put(text)
+
+    async def receive_audio(self) -> bytes | None:
+        """Receive next audio chunk (MP3 format)."""
+        try:
+            return await asyncio.wait_for(self._audio_queue.get(), timeout=0.1)
+        except asyncio.TimeoutError:
+            return b""  # No audio yet, but not done
+
+    async def flush(self) -> None:
+        """Signal end of text input - wait for synthesis to complete."""
+        if self._flushed:
+            return
+        self._flushed = True
+
+        # Signal end of text input
+        await self._text_queue.put(None)
+
+        # Wait for synthesis task to complete processing all text
+        if self._synthesis_task and not self._synthesis_task.done():
+            try:
+                await asyncio.wait_for(self._synthesis_task, timeout=60.0)
+            except asyncio.TimeoutError:
+                self._logger.warning("OpenAIStreamingSynthesizer: flush timeout")
+                self._synthesis_task.cancel()
+                try:
+                    await self._synthesis_task
+                except asyncio.CancelledError:
+                    pass
+            except asyncio.CancelledError:
+                pass
+
+        # Signal end of audio stream
+        await self._audio_queue.put(None)
+
+    async def close(self) -> None:
+        """Close the session."""
+        if self._closed:
+            return
+        self._closed = True
+
+        # Signal end of queues only if flush wasn't already called
+        if not self._flushed:
+            await self._text_queue.put(None)
+            await self._audio_queue.put(None)
+
+        if self._synthesis_task and not self._synthesis_task.done():
+            self._synthesis_task.cancel()
+            try:
+                await self._synthesis_task
+            except asyncio.CancelledError:
+                pass
+
+        if self._session:
+            await self._session.close()
+
+
+class OpenAIVoiceProvider(VoiceProviderInterface):
+    """OpenAI voice provider using Whisper for STT and TTS API for speech synthesis."""
+
+    def __init__(
+        self,
+        api_key: str | None,
+        api_base: str | None = None,
+        stt_model: str | None = None,
+        tts_model: str | None = None,
+        default_voice: str | None = None,
+    ):
+        self.api_key = api_key
+        self.api_base = api_base
+        self.stt_model = stt_model or "whisper-1"
+        self.tts_model = tts_model or "tts-1"
+        self.default_voice = default_voice or "alloy"
+
+        self._client: "AsyncOpenAI | None" = None
+
+    def _get_client(self) -> "AsyncOpenAI":
+        if self._client is None:
+            from openai import AsyncOpenAI
+
+            self._client = AsyncOpenAI(
+                api_key=self.api_key,
+                base_url=self.api_base,
+            )
+        return self._client
+
+    async def transcribe(self, audio_data: bytes, audio_format: str) -> str:
+        """
+        Transcribe audio using OpenAI Whisper.
+
+        Args:
+            audio_data: Raw audio bytes
+            audio_format: Audio format (e.g., "webm", "wav", "mp3")
+
+        Returns:
+            Transcribed text
+        """
+        client = self._get_client()
+
+        # Create a file-like object from the audio bytes
+        audio_file = io.BytesIO(audio_data)
+        audio_file.name = f"audio.{audio_format}"
+
+        response = await client.audio.transcriptions.create(
+            model=self.stt_model,
+            file=audio_file,
+        )
+
+        return response.text
+
+    async def synthesize_stream(
+        self, text: str, voice: str | None = None, speed: float = 1.0
+    ) -> AsyncIterator[bytes]:
+        """
+        Convert text to audio using OpenAI TTS with streaming.
+
+        Args:
+            text: Text to convert to speech
+            voice: Voice identifier (defaults to provider's default voice)
+            speed: Playback speed multiplier (0.25 to 4.0)
+
+        Yields:
+            Audio data chunks (mp3 format)
+        """
+        client = self._get_client()
+
+        # Clamp speed to valid range
+        speed = max(0.25, min(4.0, speed))
+
+        # Use with_streaming_response for proper async streaming
+        # Using 8192 byte chunks for better streaming performance
+        # (larger chunks = fewer round-trips, more complete MP3 frames)
+        async with client.audio.speech.with_streaming_response.create(
+            model=self.tts_model,
+            voice=voice or self.default_voice,
+            input=text,
+            speed=speed,
+            response_format="mp3",
+        ) as response:
+            async for chunk in response.iter_bytes(chunk_size=8192):
+                yield chunk
+
+    async def validate_credentials(self) -> None:
+        """Validate OpenAI API key by listing models."""
+        from openai import AuthenticationError, PermissionDeniedError
+
+        client = self._get_client()
+        try:
+            await client.models.list()
+        except AuthenticationError:
+            raise RuntimeError("Invalid OpenAI API key.")
+        except PermissionDeniedError:
+            raise RuntimeError("OpenAI API key does not have sufficient permissions.")
+
+    def get_available_voices(self) -> list[dict[str, str]]:
+        """Get available OpenAI TTS voices."""
+        return OPENAI_VOICES.copy()
+
+    def get_available_stt_models(self) -> list[dict[str, str]]:
+        """Get available OpenAI STT models."""
+        return OPENAI_STT_MODELS.copy()
+
+    def get_available_tts_models(self) -> list[dict[str, str]]:
+        """Get available OpenAI TTS models."""
+        return OPENAI_TTS_MODELS.copy()
+
+    def supports_streaming_stt(self) -> bool:
+        """OpenAI supports streaming via Realtime API for all STT models."""
+        return True
+
+    def supports_streaming_tts(self) -> bool:
+        """OpenAI supports real-time streaming TTS via Realtime API."""
+        return True
+
+    async def create_streaming_transcriber(
+        self, _audio_format: str = "webm"
+    ) -> OpenAIStreamingTranscriber:
+        """Create a streaming transcription session using Realtime API."""
+        if not self.api_key:
+            raise ValueError("API key required for streaming transcription")
+        transcriber = OpenAIStreamingTranscriber(
+            api_key=self.api_key,
+            model=self.stt_model,
+            api_base=self.api_base,
+        )
+        await transcriber.connect()
+        return transcriber
+
+    async def create_streaming_synthesizer(
+        self, voice: str | None = None, speed: float = 1.0
+    ) -> OpenAIStreamingSynthesizer:
+        """Create a streaming TTS session using HTTP streaming API."""
+        if not self.api_key:
+            raise ValueError("API key required for streaming TTS")
+        synthesizer = OpenAIStreamingSynthesizer(
+            api_key=self.api_key,
+            voice=voice or self.default_voice or "alloy",
+            model=self.tts_model or "tts-1",
+            speed=speed,
+            api_base=self.api_base,
+        )
+        await synthesizer.connect()
+        return synthesizer

backend/requirements/default.txt

@@ -67,6 +67,8 @@ attrs==25.4.0
     #   zeep
 authlib==1.6.7
     # via fastmcp
+azure-cognitiveservices-speech==1.38.0
+    # via onyx
 babel==2.17.0
     # via courlan
 backoff==2.2.1
@@ -614,7 +616,7 @@ opentelemetry-sdk==1.39.1
     #   opentelemetry-exporter-otlp-proto-http
 opentelemetry-semantic-conventions==0.60b1
     # via opentelemetry-sdk
-orjson==3.11.4 ; platform_python_implementation != 'PyPy'
+orjson==3.11.6 ; platform_python_implementation != 'PyPy'
     # via langsmith
 packaging==24.2
     # via

backend/tests/unit/build/test_rewrite_asset_paths.py

@@ -0,0 +1,256 @@
+"""Unit tests for webapp proxy path rewriting/injection."""
+
+from types import SimpleNamespace
+from typing import cast
+from typing import Literal
+from uuid import UUID
+
+import httpx
+import pytest
+from fastapi import Request
+from sqlalchemy.orm import Session
+
+from onyx.server.features.build.api import api
+from onyx.server.features.build.api.api import _inject_hmr_fixer
+from onyx.server.features.build.api.api import _rewrite_asset_paths
+from onyx.server.features.build.api.api import _rewrite_proxy_response_headers
+
+SESSION_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+BASE = f"/api/build/sessions/{SESSION_ID}/webapp"
+
+
+def rewrite(html: str) -> str:
+    return _rewrite_asset_paths(html.encode(), SESSION_ID).decode()
+
+
+def inject(html: str) -> str:
+    return _inject_hmr_fixer(html.encode(), SESSION_ID).decode()
+
+
+class TestNextjsPathRewriting:
+    def test_rewrites_bare_next_script_src(self) -> None:
+        html = '<script src="/_next/static/chunks/main.js">'
+        result = rewrite(html)
+        assert f'src="{BASE}/_next/static/chunks/main.js"' in result
+        assert '"/_next/' not in result
+
+    def test_rewrites_bare_next_in_single_quotes(self) -> None:
+        html = "<link href='/_next/static/css/app.css'>"
+        result = rewrite(html)
+        assert f"'{BASE}/_next/static/css/app.css'" in result
+
+    def test_rewrites_bare_next_in_url_parens(self) -> None:
+        html = "background: url(/_next/static/media/font.woff2)"
+        result = rewrite(html)
+        assert f"url({BASE}/_next/static/media/font.woff2)" in result
+
+    def test_no_double_prefix_when_already_proxied(self) -> None:
+        """assetPrefix makes Next.js emit already-prefixed URLs — must not double-rewrite."""
+        already_prefixed = f'<script src="{BASE}/_next/static/chunks/main.js">'
+        result = rewrite(already_prefixed)
+        # Should be unchanged
+        assert result == already_prefixed
+        # Specifically, no double path
+        assert f"{BASE}/{BASE}" not in result
+
+    def test_rewrites_favicon(self) -> None:
+        html = '<link rel="icon" href="/favicon.ico">'
+        result = rewrite(html)
+        assert f'"{BASE}/favicon.ico"' in result
+
+    def test_rewrites_json_data_path_double_quoted(self) -> None:
+        html = 'fetch("/data/tickets.json")'
+        result = rewrite(html)
+        assert f'"{BASE}/data/tickets.json"' in result
+
+    def test_rewrites_json_data_path_single_quoted(self) -> None:
+        html = "fetch('/data/items.json')"
+        result = rewrite(html)
+        assert f"'{BASE}/data/items.json'" in result
+
+    def test_rewrites_escaped_next_font_path_in_json_script(self) -> None:
+        """Next dev can embed font asset paths in JSON-escaped script payloads."""
+        html = r'{"src":"\/_next\/static\/media\/font.woff2"}'
+        result = rewrite(html)
+        assert (
+            r'{"src":"\/api\/build\/sessions\/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\/webapp\/_next\/static\/media\/font.woff2"}'
+            in result
+        )
+
+    def test_rewrites_escaped_next_font_path_in_style_payload(self) -> None:
+        """Keep dynamically generated next/font URLs inside the session proxy."""
+        html = r'{"css":"@font-face{src:url(\"\/_next\/static\/media\/font.woff2\")"}'
+        result = rewrite(html)
+        assert (
+            r"\/api\/build\/sessions\/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\/webapp\/_next\/static\/media\/font.woff2"
+            in result
+        )
+
+    def test_rewrites_absolute_next_font_url(self) -> None:
+        html = (
+            '<link rel="preload" as="font" '
+            'href="https://craft-dev.onyx.app/_next/static/media/font.woff2">'
+        )
+        result = rewrite(html)
+        assert f'"{BASE}/_next/static/media/font.woff2"' in result
+
+    def test_rewrites_root_hmr_path(self) -> None:
+        html = 'new WebSocket("wss://craft-dev.onyx.app/_next/webpack-hmr?id=abc")'
+        result = rewrite(html)
+        assert '"wss://craft-dev.onyx.app/_next/webpack-hmr?id=abc"' not in result
+        assert '"/_next/webpack-hmr?id=abc"' in result
+
+    def test_rewrites_escaped_absolute_next_font_url(self) -> None:
+        html = (
+            r'{"href":"https:\/\/craft-dev.onyx.app\/_next\/static\/media\/font.woff2"}'
+        )
+        result = rewrite(html)
+        assert (
+            r'{"href":"\/api\/build\/sessions\/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\/webapp\/_next\/static\/media\/font.woff2"}'
+            in result
+        )
+
+
+class TestRuntimeFixerInjection:
+    def test_injects_websocket_rewrite_shim(self) -> None:
+        html = "<html><head></head><body></body></html>"
+        result = inject(html)
+        assert "window.WebSocket = function (url, protocols)" in result
+        assert f'var WEBAPP_BASE = "{BASE}"' in result
+
+    def test_injects_hmr_websocket_stub(self) -> None:
+        html = "<html><head></head><body></body></html>"
+        result = inject(html)
+        assert "function MockHmrWebSocket(url)" in result
+        assert "return new MockHmrWebSocket(rewriteNextAssetUrl(url));" in result
+
+    def test_injects_before_head_contents(self) -> None:
+        html = "<html><head><title>x</title></head><body></body></html>"
+        result = inject(html)
+        assert result.index(
+            "window.WebSocket = function (url, protocols)"
+        ) < result.index("<title>x</title>")
+
+    def test_rewritten_hmr_url_still_matches_shim_intercept_logic(self) -> None:
+        html = (
+            "<html><head></head><body>"
+            'new WebSocket("wss://craft-dev.onyx.app/_next/webpack-hmr?id=abc")'
+            "</body></html>"
+        )
+
+        rewritten = rewrite(html)
+        assert '"wss://craft-dev.onyx.app/_next/webpack-hmr?id=abc"' not in rewritten
+        assert 'new WebSocket("/_next/webpack-hmr?id=abc")' in rewritten
+
+        injected = inject(rewritten)
+
+        assert 'new WebSocket("/_next/webpack-hmr?id=abc")' in injected
+        assert 'parsedUrl.pathname.indexOf("/_next/webpack-hmr") === 0' in injected
+
+
+class TestProxyHeaderRewriting:
+    def test_rewrites_link_header_font_preload_paths(self) -> None:
+        headers = {
+            "link": (
+                '</_next/static/media/font.woff2>; rel=preload; as="font"; crossorigin, '
+                '</_next/static/media/font2.woff2>; rel=preload; as="font"; crossorigin'
+            )
+        }
+
+        result = _rewrite_proxy_response_headers(headers, SESSION_ID)
+
+        assert f"<{BASE}/_next/static/media/font.woff2>" in result["link"]
+
+
+class TestProxyRequestWiring:
+    def test_proxy_request_rewrites_link_header_on_html_response(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        html = b"<html><head></head><body>ok</body></html>"
+        upstream = httpx.Response(
+            200,
+            headers={
+                "content-type": "text/html; charset=utf-8",
+                "link": '</_next/static/media/font.woff2>; rel=preload; as="font"',
+            },
+            content=html,
+        )
+
+        monkeypatch.setattr(api, "_get_sandbox_url", lambda *_args: "http://sandbox")
+
+        class FakeClient:
+            def __init__(self, *_args: object, **_kwargs: object) -> None:
+                pass
+
+            def __enter__(self) -> "FakeClient":
+                return self
+
+            def __exit__(self, *_args: object) -> Literal[False]:
+                return False
+
+            def get(self, _url: str, headers: dict[str, str]) -> httpx.Response:
+                assert "host" not in {key.lower() for key in headers}
+                return upstream
+
+        monkeypatch.setattr(api.httpx, "Client", FakeClient)
+
+        request = cast(Request, SimpleNamespace(headers={}, query_params=""))
+
+        response = api._proxy_request(
+            "", request, UUID(SESSION_ID), cast(Session, SimpleNamespace())
+        )
+
+        assert response.headers["link"] == (
+            f'<{BASE}/_next/static/media/font.woff2>; rel=preload; as="font"'
+        )
+
+    def test_proxy_request_injects_hmr_fixer_for_html_response(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        upstream = httpx.Response(
+            200,
+            headers={"content-type": "text/html; charset=utf-8"},
+            content=b"<html><head><title>x</title></head><body></body></html>",
+        )
+
+        monkeypatch.setattr(api, "_get_sandbox_url", lambda *_args: "http://sandbox")
+
+        class FakeClient:
+            def __init__(self, *_args: object, **_kwargs: object) -> None:
+                pass
+
+            def __enter__(self) -> "FakeClient":
+                return self
+
+            def __exit__(self, *_args: object) -> Literal[False]:
+                return False
+
+            def get(self, _url: str, headers: dict[str, str]) -> httpx.Response:
+                assert "host" not in {key.lower() for key in headers}
+                return upstream
+
+        monkeypatch.setattr(api.httpx, "Client", FakeClient)
+
+        request = cast(Request, SimpleNamespace(headers={}, query_params=""))
+
+        response = api._proxy_request(
+            "", request, UUID(SESSION_ID), cast(Session, SimpleNamespace())
+        )
+        body = cast(bytes, response.body).decode("utf-8")
+
+        assert "window.WebSocket = function (url, protocols)" in body
+        assert body.index("window.WebSocket = function (url, protocols)") < body.index(
+            "<title>x</title>"
+        )
+
+    def test_rewrites_absolute_link_header_font_preload_paths(self) -> None:
+        headers = {
+            "link": (
+                "<https://craft-dev.onyx.app/_next/static/media/font.woff2>; "
+                'rel=preload; as="font"; crossorigin'
+            )
+        }
+
+        result = _rewrite_proxy_response_headers(headers, SESSION_ID)
+
+        assert f"<{BASE}/_next/static/media/font.woff2>" in result["link"]

backend/tests/unit/onyx/auth/test_oidc_pkce.py

@@ -0,0 +1,400 @@
+from typing import Any
+from typing import cast
+from unittest.mock import AsyncMock
+from unittest.mock import MagicMock
+from unittest.mock import patch
+from urllib.parse import parse_qs
+from urllib.parse import urlparse
+
+from fastapi import FastAPI
+from fastapi import Response
+from fastapi.testclient import TestClient
+from fastapi_users.authentication import AuthenticationBackend
+from fastapi_users.authentication import CookieTransport
+from fastapi_users.jwt import generate_jwt
+from httpx_oauth.oauth2 import BaseOAuth2
+from httpx_oauth.oauth2 import GetAccessTokenError
+
+from onyx.auth.users import CSRF_TOKEN_COOKIE_NAME
+from onyx.auth.users import CSRF_TOKEN_KEY
+from onyx.auth.users import get_oauth_router
+from onyx.auth.users import get_pkce_cookie_name
+from onyx.auth.users import PKCE_COOKIE_NAME_PREFIX
+from onyx.auth.users import STATE_TOKEN_AUDIENCE
+from onyx.error_handling.exceptions import register_onyx_exception_handlers
+
+
+class _StubOAuthClient:
+    def __init__(self) -> None:
+        self.name = "openid"
+        self.authorization_calls: list[dict[str, str | list[str] | None]] = []
+        self.access_token_calls: list[dict[str, str | None]] = []
+
+    async def get_authorization_url(
+        self,
+        redirect_uri: str,
+        state: str | None = None,
+        scope: list[str] | None = None,
+        code_challenge: str | None = None,
+        code_challenge_method: str | None = None,
+    ) -> str:
+        self.authorization_calls.append(
+            {
+                "redirect_uri": redirect_uri,
+                "state": state,
+                "scope": scope,
+                "code_challenge": code_challenge,
+                "code_challenge_method": code_challenge_method,
+            }
+        )
+        return f"https://idp.example.com/authorize?state={state}"
+
+    async def get_access_token(
+        self, code: str, redirect_uri: str, code_verifier: str | None = None
+    ) -> dict[str, str | int]:
+        self.access_token_calls.append(
+            {
+                "code": code,
+                "redirect_uri": redirect_uri,
+                "code_verifier": code_verifier,
+            }
+        )
+        return {
+            "access_token": "oidc_access_token",
+            "refresh_token": "oidc_refresh_token",
+            "expires_at": 1730000000,
+        }
+
+    async def get_id_email(self, _access_token: str) -> tuple[str, str | None]:
+        return ("oidc_account_id", "oidc_user@example.com")
+
+
+def _build_test_client(
+    enable_pkce: bool,
+    login_status_code: int = 302,
+) -> tuple[TestClient, _StubOAuthClient, MagicMock]:
+    oauth_client = _StubOAuthClient()
+    transport = CookieTransport(cookie_name="testsession")
+
+    async def get_strategy() -> MagicMock:
+        return MagicMock()
+
+    backend = AuthenticationBackend(
+        name="test_backend",
+        transport=transport,
+        get_strategy=get_strategy,
+    )
+
+    login_response = Response(status_code=login_status_code)
+    if login_status_code in {301, 302, 303, 307, 308}:
+        login_response.headers["location"] = "/app"
+    login_response.set_cookie("testsession", "session-token")
+    backend.login = AsyncMock(return_value=login_response)  # type: ignore[method-assign]
+
+    user = MagicMock()
+    user.is_active = True
+    user_manager = MagicMock()
+    user_manager.oauth_callback = AsyncMock(return_value=user)
+    user_manager.on_after_login = AsyncMock()
+
+    async def get_user_manager() -> MagicMock:
+        return user_manager
+
+    router = get_oauth_router(
+        oauth_client=cast(BaseOAuth2[Any], oauth_client),
+        backend=backend,
+        get_user_manager=get_user_manager,
+        state_secret="test-secret",
+        redirect_url="http://localhost/auth/oidc/callback",
+        associate_by_email=True,
+        is_verified_by_default=True,
+        enable_pkce=enable_pkce,
+    )
+    app = FastAPI()
+    app.include_router(router, prefix="/auth/oidc")
+    register_onyx_exception_handlers(app)
+
+    client = TestClient(app, raise_server_exceptions=False)
+    return client, oauth_client, user_manager
+
+
+def _extract_state_from_authorize_response(response: Any) -> str:
+    auth_url = response.json()["authorization_url"]
+    return parse_qs(urlparse(auth_url).query)["state"][0]
+
+
+def test_oidc_authorize_omits_pkce_when_flag_disabled() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=False)
+
+    response = client.get("/auth/oidc/authorize")
+
+    assert response.status_code == 200
+    assert oauth_client.authorization_calls[0]["code_challenge"] is None
+    assert oauth_client.authorization_calls[0]["code_challenge_method"] is None
+    assert "fastapiusersoauthcsrf" in response.cookies.keys()
+    assert not any(
+        key.startswith(PKCE_COOKIE_NAME_PREFIX) for key in response.cookies.keys()
+    )
+
+
+def test_oidc_authorize_adds_pkce_when_flag_enabled() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=True)
+
+    response = client.get("/auth/oidc/authorize")
+
+    assert response.status_code == 200
+    assert oauth_client.authorization_calls[0]["code_challenge"] is not None
+    assert oauth_client.authorization_calls[0]["code_challenge_method"] == "S256"
+    assert any(
+        key.startswith(PKCE_COOKIE_NAME_PREFIX) for key in response.cookies.keys()
+    )
+
+
+def test_oidc_callback_fails_when_pkce_cookie_missing() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=True)
+    authorize_response = client.get("/auth/oidc/authorize")
+    state = _extract_state_from_authorize_response(authorize_response)
+
+    for key in list(client.cookies.keys()):
+        if key.startswith(PKCE_COOKIE_NAME_PREFIX):
+            del client.cookies[key]
+
+    response = client.get(
+        "/auth/oidc/callback", params={"code": "abc123", "state": state}
+    )
+
+    assert response.status_code == 400
+    assert response.json()["error_code"] == "VALIDATION_ERROR"
+    assert oauth_client.access_token_calls == []
+    assert "Max-Age=0" in response.headers.get("set-cookie", "")
+
+
+def test_oidc_callback_rejects_bad_state_before_token_exchange() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=True)
+    client.get("/auth/oidc/authorize")
+    tampered_state = "not-a-valid-state-jwt"
+    client.cookies.set(get_pkce_cookie_name(tampered_state), "verifier123")
+
+    response = client.get(
+        "/auth/oidc/callback", params={"code": "abc123", "state": tampered_state}
+    )
+
+    assert response.status_code == 400
+    assert response.json()["error_code"] == "VALIDATION_ERROR"
+    assert oauth_client.access_token_calls == []
+    assert "Max-Age=0" in response.headers.get("set-cookie", "")
+
+
+def test_oidc_callback_rejects_wrongly_signed_state_before_token_exchange() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=True)
+    client.get("/auth/oidc/authorize")
+    csrf_token = client.cookies.get(CSRF_TOKEN_COOKIE_NAME)
+    assert csrf_token is not None
+    tampered_state = generate_jwt(
+        {
+            "aud": STATE_TOKEN_AUDIENCE,
+            CSRF_TOKEN_KEY: csrf_token,
+        },
+        "wrong-secret",
+        3600,
+    )
+    client.cookies.set(get_pkce_cookie_name(tampered_state), "verifier123")
+
+    response = client.get(
+        "/auth/oidc/callback",
+        params={"code": "abc123", "state": tampered_state},
+    )
+
+    assert response.status_code == 400
+    assert response.json()["error_code"] == "VALIDATION_ERROR"
+    assert response.json()["detail"] == "ACCESS_TOKEN_DECODE_ERROR"
+    assert oauth_client.access_token_calls == []
+    assert "Max-Age=0" in response.headers.get("set-cookie", "")
+
+
+def test_oidc_callback_rejects_csrf_mismatch_in_pkce_path() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=True)
+    authorize_response = client.get("/auth/oidc/authorize")
+    state = _extract_state_from_authorize_response(authorize_response)
+
+    # Keep PKCE verifier cookie intact, but invalidate CSRF match against state JWT.
+    client.cookies.set("fastapiusersoauthcsrf", "wrong-csrf-token")
+
+    response = client.get(
+        "/auth/oidc/callback",
+        params={"code": "abc123", "state": state},
+    )
+
+    assert response.status_code == 400
+    assert response.json()["error_code"] == "VALIDATION_ERROR"
+    assert oauth_client.access_token_calls == []
+    assert "Max-Age=0" in response.headers.get("set-cookie", "")
+
+
+def test_oidc_callback_get_access_token_error_is_400() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=True)
+    authorize_response = client.get("/auth/oidc/authorize")
+    state = _extract_state_from_authorize_response(authorize_response)
+    with patch.object(
+        oauth_client,
+        "get_access_token",
+        AsyncMock(side_effect=GetAccessTokenError("token exchange failed")),
+    ):
+        response = client.get(
+            "/auth/oidc/callback", params={"code": "abc123", "state": state}
+        )
+
+    assert response.status_code == 400
+    assert response.json()["error_code"] == "VALIDATION_ERROR"
+    assert response.json()["detail"] == "Authorization code exchange failed"
+    assert "Max-Age=0" in response.headers.get("set-cookie", "")
+
+
+def test_oidc_callback_cleans_pkce_cookie_on_idp_error_with_state() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=True)
+    authorize_response = client.get("/auth/oidc/authorize")
+    state = _extract_state_from_authorize_response(authorize_response)
+
+    response = client.get(
+        "/auth/oidc/callback",
+        params={"error": "access_denied", "state": state},
+    )
+
+    assert response.status_code == 400
+    assert response.json()["error_code"] == "VALIDATION_ERROR"
+    assert response.json()["detail"] == "Authorization request failed or was denied"
+    assert oauth_client.access_token_calls == []
+    assert "Max-Age=0" in response.headers.get("set-cookie", "")
+
+
+def test_oidc_callback_cleans_pkce_cookie_on_missing_email() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=True)
+    authorize_response = client.get("/auth/oidc/authorize")
+    state = _extract_state_from_authorize_response(authorize_response)
+
+    with patch.object(
+        oauth_client, "get_id_email", AsyncMock(return_value=("oidc_account_id", None))
+    ):
+        response = client.get(
+            "/auth/oidc/callback", params={"code": "abc123", "state": state}
+        )
+
+    assert response.status_code == 400
+    assert response.json()["error_code"] == "VALIDATION_ERROR"
+    assert "Max-Age=0" in response.headers.get("set-cookie", "")
+
+
+def test_oidc_callback_rejects_wrong_audience_state_before_token_exchange() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=True)
+    client.get("/auth/oidc/authorize")
+    csrf_token = client.cookies.get(CSRF_TOKEN_COOKIE_NAME)
+    assert csrf_token is not None
+    wrong_audience_state = generate_jwt(
+        {
+            "aud": "wrong-audience",
+            CSRF_TOKEN_KEY: csrf_token,
+        },
+        "test-secret",
+        3600,
+    )
+    client.cookies.set(get_pkce_cookie_name(wrong_audience_state), "verifier123")
+
+    response = client.get(
+        "/auth/oidc/callback",
+        params={"code": "abc123", "state": wrong_audience_state},
+    )
+
+    assert response.status_code == 400
+    assert response.json()["error_code"] == "VALIDATION_ERROR"
+    assert response.json()["detail"] == "ACCESS_TOKEN_DECODE_ERROR"
+    assert oauth_client.access_token_calls == []
+    assert "Max-Age=0" in response.headers.get("set-cookie", "")
+
+
+def test_oidc_callback_uses_code_verifier_when_pkce_enabled() -> None:
+    client, oauth_client, user_manager = _build_test_client(enable_pkce=True)
+    authorize_response = client.get("/auth/oidc/authorize")
+    state = _extract_state_from_authorize_response(authorize_response)
+
+    with patch(
+        "onyx.auth.users.fetch_ee_implementation_or_noop",
+        return_value=lambda _email: "tenant_1",
+    ):
+        response = client.get(
+            "/auth/oidc/callback",
+            params={"code": "abc123", "state": state},
+            follow_redirects=False,
+        )
+
+    assert response.status_code == 302
+    assert response.headers.get("location") == "/"
+    assert oauth_client.access_token_calls[0]["code_verifier"] is not None
+    user_manager.oauth_callback.assert_awaited_once()
+    assert "Max-Age=0" in response.headers.get("set-cookie", "")
+
+
+def test_oidc_callback_works_without_pkce_when_flag_disabled() -> None:
+    client, oauth_client, user_manager = _build_test_client(enable_pkce=False)
+    authorize_response = client.get("/auth/oidc/authorize")
+    state = _extract_state_from_authorize_response(authorize_response)
+
+    with patch(
+        "onyx.auth.users.fetch_ee_implementation_or_noop",
+        return_value=lambda _email: "tenant_1",
+    ):
+        response = client.get(
+            "/auth/oidc/callback",
+            params={"code": "abc123", "state": state},
+            follow_redirects=False,
+        )
+
+    assert response.status_code == 302
+    assert oauth_client.access_token_calls[0]["code_verifier"] is None
+    user_manager.oauth_callback.assert_awaited_once()
+
+
+def test_oidc_callback_pkce_preserves_redirect_when_backend_login_is_non_redirect() -> (
+    None
+):
+    client, oauth_client, user_manager = _build_test_client(
+        enable_pkce=True,
+        login_status_code=200,
+    )
+    authorize_response = client.get("/auth/oidc/authorize")
+    state = _extract_state_from_authorize_response(authorize_response)
+
+    with patch(
+        "onyx.auth.users.fetch_ee_implementation_or_noop",
+        return_value=lambda _email: "tenant_1",
+    ):
+        response = client.get(
+            "/auth/oidc/callback",
+            params={"code": "abc123", "state": state},
+            follow_redirects=False,
+        )
+
+    assert response.status_code == 302
+    assert response.headers.get("location") == "/"
+    assert oauth_client.access_token_calls[0]["code_verifier"] is not None
+    user_manager.oauth_callback.assert_awaited_once()
+    assert "Max-Age=0" in response.headers.get("set-cookie", "")
+
+
+def test_oidc_callback_non_pkce_rejects_csrf_mismatch() -> None:
+    client, oauth_client, _ = _build_test_client(enable_pkce=False)
+    authorize_response = client.get("/auth/oidc/authorize")
+    state = _extract_state_from_authorize_response(authorize_response)
+
+    client.cookies.set(CSRF_TOKEN_COOKIE_NAME, "wrong-csrf-token")
+
+    response = client.get(
+        "/auth/oidc/callback",
+        params={"code": "abc123", "state": state},
+    )
+
+    assert response.status_code == 400
+    assert response.json()["error_code"] == "VALIDATION_ERROR"
+    assert response.json()["detail"] == "OAUTH_INVALID_STATE"
+    # NOTE: In the non-PKCE path, oauth2_authorize_callback exchanges the code
+    # before route-body CSRF validation runs. This is a known ordering trade-off.
+    assert oauth_client.access_token_calls

backend/tests/unit/onyx/connectors/sharepoint/test_fetch_site_pages.py

@@ -0,0 +1,325 @@
+"""Unit tests for SharepointConnector._fetch_site_pages error handling.
+
+Covers 404 handling (classic sites / no modern pages) and 400
+canvasLayout fallback (corrupt pages causing $expand=canvasLayout to
+fail on the LIST endpoint).
+"""
+
+from __future__ import annotations
+
+import json
+from typing import Any
+
+import pytest
+from requests import Response
+from requests.exceptions import HTTPError
+
+from onyx.connectors.sharepoint.connector import GRAPH_INVALID_REQUEST_CODE
+from onyx.connectors.sharepoint.connector import SharepointConnector
+from onyx.connectors.sharepoint.connector import SiteDescriptor
+
+SITE_URL = "https://tenant.sharepoint.com/sites/ClassicSite"
+FAKE_SITE_ID = "tenant.sharepoint.com,abc123,def456"
+PAGES_COLLECTION = f"https://graph.microsoft.com/v1.0/sites/{FAKE_SITE_ID}/pages"
+SITE_PAGES_BASE = f"{PAGES_COLLECTION}/microsoft.graph.sitePage"
+
+
+def _site_descriptor() -> SiteDescriptor:
+    return SiteDescriptor(url=SITE_URL, drive_name=None, folder_path=None)
+
+
+def _make_http_error(
+    status_code: int,
+    error_code: str = "itemNotFound",
+    message: str = "Item not found",
+) -> HTTPError:
+    body = {"error": {"code": error_code, "message": message}}
+    response = Response()
+    response.status_code = status_code
+    response._content = json.dumps(body).encode()
+    response.headers["Content-Type"] = "application/json"
+    return HTTPError(response=response)
+
+
+def _setup_connector(
+    monkeypatch: pytest.MonkeyPatch,  # noqa: ARG001
+) -> SharepointConnector:
+    """Create a connector with the graph client and site resolution mocked."""
+    connector = SharepointConnector(sites=[SITE_URL])
+    connector.graph_api_base = "https://graph.microsoft.com/v1.0"
+
+    mock_sites = type(
+        "FakeSites",
+        (),
+        {
+            "get_by_url": staticmethod(
+                lambda url: type(  # noqa: ARG005
+                    "Q",
+                    (),
+                    {
+                        "execute_query": lambda self: None,  # noqa: ARG005
+                        "id": FAKE_SITE_ID,
+                    },
+                )()
+            ),
+        },
+    )()
+    connector._graph_client = type("FakeGraphClient", (), {"sites": mock_sites})()
+
+    return connector
+
+
+def _patch_graph_api_get_json(
+    monkeypatch: pytest.MonkeyPatch,
+    fake_fn: Any,
+) -> None:
+    monkeypatch.setattr(SharepointConnector, "_graph_api_get_json", fake_fn)
+
+
+class TestFetchSitePages404:
+    def test_404_yields_no_pages(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        """A 404 from the Pages API should result in zero yielded pages."""
+        connector = _setup_connector(monkeypatch)
+
+        def fake_get_json(
+            self: SharepointConnector,  # noqa: ARG001
+            url: str,  # noqa: ARG001
+            params: dict[str, str] | None = None,  # noqa: ARG001
+        ) -> dict[str, Any]:
+            raise _make_http_error(404)
+
+        _patch_graph_api_get_json(monkeypatch, fake_get_json)
+
+        pages = list(connector._fetch_site_pages(_site_descriptor()))
+        assert pages == []
+
+    def test_404_does_not_raise(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        """A 404 must not propagate as an exception."""
+        connector = _setup_connector(monkeypatch)
+
+        def fake_get_json(
+            self: SharepointConnector,  # noqa: ARG001
+            url: str,  # noqa: ARG001
+            params: dict[str, str] | None = None,  # noqa: ARG001
+        ) -> dict[str, Any]:
+            raise _make_http_error(404)
+
+        _patch_graph_api_get_json(monkeypatch, fake_get_json)
+
+        for _ in connector._fetch_site_pages(_site_descriptor()):
+            pass
+
+    def test_non_404_http_error_still_raises(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        """Non-404 HTTP errors (e.g. 403) must still propagate."""
+        connector = _setup_connector(monkeypatch)
+
+        def fake_get_json(
+            self: SharepointConnector,  # noqa: ARG001
+            url: str,  # noqa: ARG001
+            params: dict[str, str] | None = None,  # noqa: ARG001
+        ) -> dict[str, Any]:
+            raise _make_http_error(403)
+
+        _patch_graph_api_get_json(monkeypatch, fake_get_json)
+
+        with pytest.raises(HTTPError):
+            list(connector._fetch_site_pages(_site_descriptor()))
+
+    def test_successful_fetch_yields_pages(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        """When the API succeeds, pages should be yielded normally."""
+        connector = _setup_connector(monkeypatch)
+
+        fake_page = {
+            "id": "page-1",
+            "title": "Hello World",
+            "webUrl": f"{SITE_URL}/SitePages/Hello.aspx",
+            "lastModifiedDateTime": "2025-06-01T00:00:00Z",
+        }
+
+        def fake_get_json(
+            self: SharepointConnector,  # noqa: ARG001
+            url: str,  # noqa: ARG001
+            params: dict[str, str] | None = None,  # noqa: ARG001
+        ) -> dict[str, Any]:
+            return {"value": [fake_page]}
+
+        _patch_graph_api_get_json(monkeypatch, fake_get_json)
+
+        pages = list(connector._fetch_site_pages(_site_descriptor()))
+        assert len(pages) == 1
+        assert pages[0]["id"] == "page-1"
+
+    def test_404_on_second_page_stops_pagination(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        """If the first API page succeeds but a nextLink returns 404,
+        already-yielded pages are kept and iteration stops cleanly."""
+        connector = _setup_connector(monkeypatch)
+
+        call_count = 0
+        first_page = {
+            "id": "page-1",
+            "title": "First",
+            "webUrl": f"{SITE_URL}/SitePages/First.aspx",
+            "lastModifiedDateTime": "2025-06-01T00:00:00Z",
+        }
+
+        def fake_get_json(
+            self: SharepointConnector,  # noqa: ARG001
+            url: str,  # noqa: ARG001
+            params: dict[str, str] | None = None,  # noqa: ARG001
+        ) -> dict[str, Any]:
+            nonlocal call_count
+            call_count += 1
+            if call_count == 1:
+                return {
+                    "value": [first_page],
+                    "@odata.nextLink": "https://graph.microsoft.com/next",
+                }
+            raise _make_http_error(404)
+
+        _patch_graph_api_get_json(monkeypatch, fake_get_json)
+
+        pages = list(connector._fetch_site_pages(_site_descriptor()))
+        assert len(pages) == 1
+        assert pages[0]["id"] == "page-1"
+
+
+class TestFetchSitePages400Fallback:
+    """When $expand=canvasLayout on the LIST endpoint returns 400
+    invalidRequest, _fetch_site_pages should fall back to listing
+    without expansion, then expanding each page individually."""
+
+    GOOD_PAGE: dict[str, Any] = {
+        "id": "good-1",
+        "name": "Good.aspx",
+        "title": "Good Page",
+        "lastModifiedDateTime": "2025-06-01T00:00:00Z",
+    }
+    BAD_PAGE: dict[str, Any] = {
+        "id": "bad-1",
+        "name": "Bad.aspx",
+        "title": "Bad Page",
+        "lastModifiedDateTime": "2025-06-01T00:00:00Z",
+    }
+    GOOD_PAGE_EXPANDED: dict[str, Any] = {
+        **GOOD_PAGE,
+        "canvasLayout": {"horizontalSections": []},
+    }
+
+    def test_fallback_expands_good_pages_individually(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        """On 400 from the LIST expand, the connector should list without
+        expand, then GET each page individually with $expand=canvasLayout."""
+        connector = _setup_connector(monkeypatch)
+        good_page = self.GOOD_PAGE
+        bad_page = self.BAD_PAGE
+        good_page_expanded = self.GOOD_PAGE_EXPANDED
+
+        def fake_get_json(
+            self: SharepointConnector,  # noqa: ARG001
+            url: str,
+            params: dict[str, str] | None = None,
+        ) -> dict[str, Any]:
+            if url == SITE_PAGES_BASE and params == {"$expand": "canvasLayout"}:
+                raise _make_http_error(
+                    400, GRAPH_INVALID_REQUEST_CODE, "Invalid request"
+                )
+            if url == SITE_PAGES_BASE and params is None:
+                return {"value": [good_page, bad_page]}
+            expand_params = {"$expand": "canvasLayout"}
+            if url == f"{PAGES_COLLECTION}/good-1/microsoft.graph.sitePage":
+                assert params == expand_params, f"Expected $expand params, got {params}"
+                return good_page_expanded
+            if url == f"{PAGES_COLLECTION}/bad-1/microsoft.graph.sitePage":
+                assert params == expand_params, f"Expected $expand params, got {params}"
+                raise _make_http_error(
+                    400, GRAPH_INVALID_REQUEST_CODE, "Invalid request"
+                )
+            raise AssertionError(f"Unexpected call: {url} {params}")
+
+        _patch_graph_api_get_json(monkeypatch, fake_get_json)
+        pages = list(connector._fetch_site_pages(_site_descriptor()))
+
+        assert len(pages) == 2
+        assert pages[0].get("canvasLayout") is not None
+        assert pages[1].get("canvasLayout") is None
+        assert pages[1]["id"] == "bad-1"
+
+    def test_mid_pagination_400_does_not_duplicate(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        """If the first paginated batch succeeds but a later nextLink
+        returns 400, pages from the first batch must not be re-yielded
+        by the fallback."""
+        connector = _setup_connector(monkeypatch)
+        good_page = self.GOOD_PAGE
+        good_page_expanded = self.GOOD_PAGE_EXPANDED
+        bad_page = self.BAD_PAGE
+        second_page = {
+            "id": "page-2",
+            "name": "Second.aspx",
+            "title": "Second Page",
+            "lastModifiedDateTime": "2025-06-01T00:00:00Z",
+        }
+        next_link = "https://graph.microsoft.com/v1.0/next-page-link"
+
+        def fake_get_json(
+            self: SharepointConnector,  # noqa: ARG001
+            url: str,
+            params: dict[str, str] | None = None,
+        ) -> dict[str, Any]:
+            if url == SITE_PAGES_BASE and params == {"$expand": "canvasLayout"}:
+                return {
+                    "value": [good_page],
+                    "@odata.nextLink": next_link,
+                }
+            if url == next_link:
+                raise _make_http_error(
+                    400, GRAPH_INVALID_REQUEST_CODE, "Invalid request"
+                )
+            if url == SITE_PAGES_BASE and params is None:
+                return {"value": [good_page, bad_page, second_page]}
+            expand_params = {"$expand": "canvasLayout"}
+            if url == f"{PAGES_COLLECTION}/good-1/microsoft.graph.sitePage":
+                assert params == expand_params, f"Expected $expand params, got {params}"
+                return good_page_expanded
+            if url == f"{PAGES_COLLECTION}/bad-1/microsoft.graph.sitePage":
+                assert params == expand_params, f"Expected $expand params, got {params}"
+                raise _make_http_error(
+                    400, GRAPH_INVALID_REQUEST_CODE, "Invalid request"
+                )
+            if url == f"{PAGES_COLLECTION}/page-2/microsoft.graph.sitePage":
+                assert params == expand_params, f"Expected $expand params, got {params}"
+                return {**second_page, "canvasLayout": {"horizontalSections": []}}
+            raise AssertionError(f"Unexpected call: {url} {params}")
+
+        _patch_graph_api_get_json(monkeypatch, fake_get_json)
+        pages = list(connector._fetch_site_pages(_site_descriptor()))
+
+        ids = [p["id"] for p in pages]
+        assert ids == ["good-1", "bad-1", "page-2"]
+
+    def test_non_invalid_request_400_still_raises(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        """A 400 with a different error code (not invalidRequest) should
+        propagate, not trigger the fallback."""
+        connector = _setup_connector(monkeypatch)
+
+        def fake_get_json(
+            self: SharepointConnector,  # noqa: ARG001
+            url: str,  # noqa: ARG001
+            params: dict[str, str] | None = None,  # noqa: ARG001
+        ) -> dict[str, Any]:
+            raise _make_http_error(400, "badRequest", "Something else went wrong")
+
+        _patch_graph_api_get_json(monkeypatch, fake_get_json)
+
+        with pytest.raises(HTTPError):
+            list(connector._fetch_site_pages(_site_descriptor()))

backend/tests/unit/onyx/db/test_voice.py

@@ -0,0 +1,507 @@
+"""Unit tests for onyx.db.voice module."""
+
+from unittest.mock import MagicMock
+from uuid import uuid4
+
+import pytest
+
+from onyx.db.models import VoiceProvider
+from onyx.db.voice import deactivate_stt_provider
+from onyx.db.voice import deactivate_tts_provider
+from onyx.db.voice import delete_voice_provider
+from onyx.db.voice import fetch_default_stt_provider
+from onyx.db.voice import fetch_default_tts_provider
+from onyx.db.voice import fetch_voice_provider_by_id
+from onyx.db.voice import fetch_voice_provider_by_type
+from onyx.db.voice import fetch_voice_providers
+from onyx.db.voice import MAX_VOICE_PLAYBACK_SPEED
+from onyx.db.voice import MIN_VOICE_PLAYBACK_SPEED
+from onyx.db.voice import set_default_stt_provider
+from onyx.db.voice import set_default_tts_provider
+from onyx.db.voice import update_user_voice_settings
+from onyx.db.voice import upsert_voice_provider
+from onyx.error_handling.exceptions import OnyxError
+
+
+def _make_voice_provider(
+    id: int = 1,
+    name: str = "Test Provider",
+    provider_type: str = "openai",
+    is_default_stt: bool = False,
+    is_default_tts: bool = False,
+) -> VoiceProvider:
+    """Create a VoiceProvider instance for testing."""
+    provider = VoiceProvider()
+    provider.id = id
+    provider.name = name
+    provider.provider_type = provider_type
+    provider.is_default_stt = is_default_stt
+    provider.is_default_tts = is_default_tts
+    provider.api_key = None
+    provider.api_base = None
+    provider.custom_config = None
+    provider.stt_model = None
+    provider.tts_model = None
+    provider.default_voice = None
+    return provider
+
+
+class TestFetchVoiceProviders:
+    """Tests for fetch_voice_providers."""
+
+    def test_returns_all_providers(self, mock_db_session: MagicMock) -> None:
+        providers = [
+            _make_voice_provider(id=1, name="Provider A"),
+            _make_voice_provider(id=2, name="Provider B"),
+        ]
+        mock_db_session.scalars.return_value.all.return_value = providers
+
+        result = fetch_voice_providers(mock_db_session)
+
+        assert result == providers
+        mock_db_session.scalars.assert_called_once()
+
+    def test_returns_empty_list_when_no_providers(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        mock_db_session.scalars.return_value.all.return_value = []
+
+        result = fetch_voice_providers(mock_db_session)
+
+        assert result == []
+
+
+class TestFetchVoiceProviderById:
+    """Tests for fetch_voice_provider_by_id."""
+
+    def test_returns_provider_when_found(self, mock_db_session: MagicMock) -> None:
+        provider = _make_voice_provider(id=1)
+        mock_db_session.scalar.return_value = provider
+
+        result = fetch_voice_provider_by_id(mock_db_session, 1)
+
+        assert result is provider
+        mock_db_session.scalar.assert_called_once()
+
+    def test_returns_none_when_not_found(self, mock_db_session: MagicMock) -> None:
+        mock_db_session.scalar.return_value = None
+
+        result = fetch_voice_provider_by_id(mock_db_session, 999)
+
+        assert result is None
+
+
+class TestFetchDefaultProviders:
+    """Tests for fetch_default_stt_provider and fetch_default_tts_provider."""
+
+    def test_fetch_default_stt_provider_returns_provider(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        provider = _make_voice_provider(id=1, is_default_stt=True)
+        mock_db_session.scalar.return_value = provider
+
+        result = fetch_default_stt_provider(mock_db_session)
+
+        assert result is provider
+
+    def test_fetch_default_stt_provider_returns_none_when_no_default(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        mock_db_session.scalar.return_value = None
+
+        result = fetch_default_stt_provider(mock_db_session)
+
+        assert result is None
+
+    def test_fetch_default_tts_provider_returns_provider(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        provider = _make_voice_provider(id=1, is_default_tts=True)
+        mock_db_session.scalar.return_value = provider
+
+        result = fetch_default_tts_provider(mock_db_session)
+
+        assert result is provider
+
+    def test_fetch_default_tts_provider_returns_none_when_no_default(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        mock_db_session.scalar.return_value = None
+
+        result = fetch_default_tts_provider(mock_db_session)
+
+        assert result is None
+
+
+class TestFetchVoiceProviderByType:
+    """Tests for fetch_voice_provider_by_type."""
+
+    def test_returns_provider_when_found(self, mock_db_session: MagicMock) -> None:
+        provider = _make_voice_provider(id=1, provider_type="openai")
+        mock_db_session.scalar.return_value = provider
+
+        result = fetch_voice_provider_by_type(mock_db_session, "openai")
+
+        assert result is provider
+
+    def test_returns_none_when_not_found(self, mock_db_session: MagicMock) -> None:
+        mock_db_session.scalar.return_value = None
+
+        result = fetch_voice_provider_by_type(mock_db_session, "nonexistent")
+
+        assert result is None
+
+
+class TestUpsertVoiceProvider:
+    """Tests for upsert_voice_provider."""
+
+    def test_creates_new_provider_when_no_id(self, mock_db_session: MagicMock) -> None:
+        mock_db_session.flush.return_value = None
+        mock_db_session.refresh.return_value = None
+
+        upsert_voice_provider(
+            db_session=mock_db_session,
+            provider_id=None,
+            name="New Provider",
+            provider_type="openai",
+            api_key="test-key",
+            api_key_changed=True,
+        )
+
+        mock_db_session.add.assert_called_once()
+        mock_db_session.flush.assert_called()
+        added_obj = mock_db_session.add.call_args[0][0]
+        assert added_obj.name == "New Provider"
+        assert added_obj.provider_type == "openai"
+
+    def test_updates_existing_provider(self, mock_db_session: MagicMock) -> None:
+        existing_provider = _make_voice_provider(id=1, name="Old Name")
+        mock_db_session.scalar.return_value = existing_provider
+        mock_db_session.flush.return_value = None
+        mock_db_session.refresh.return_value = None
+
+        upsert_voice_provider(
+            db_session=mock_db_session,
+            provider_id=1,
+            name="Updated Name",
+            provider_type="elevenlabs",
+            api_key="new-key",
+            api_key_changed=True,
+        )
+
+        mock_db_session.add.assert_not_called()
+        assert existing_provider.name == "Updated Name"
+        assert existing_provider.provider_type == "elevenlabs"
+
+    def test_raises_when_provider_not_found(self, mock_db_session: MagicMock) -> None:
+        mock_db_session.scalar.return_value = None
+
+        with pytest.raises(OnyxError) as exc_info:
+            upsert_voice_provider(
+                db_session=mock_db_session,
+                provider_id=999,
+                name="Test",
+                provider_type="openai",
+                api_key=None,
+                api_key_changed=False,
+            )
+
+        assert "No voice provider with id 999" in str(exc_info.value)
+
+    def test_does_not_update_api_key_when_not_changed(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        existing_provider = _make_voice_provider(id=1)
+        existing_provider.api_key = "original-key"  # type: ignore[assignment]
+        original_api_key = existing_provider.api_key
+        mock_db_session.scalar.return_value = existing_provider
+        mock_db_session.flush.return_value = None
+        mock_db_session.refresh.return_value = None
+
+        upsert_voice_provider(
+            db_session=mock_db_session,
+            provider_id=1,
+            name="Test",
+            provider_type="openai",
+            api_key="new-key",
+            api_key_changed=False,
+        )
+
+        # api_key should remain unchanged (same object reference)
+        assert existing_provider.api_key is original_api_key
+
+    def test_activates_stt_when_requested(self, mock_db_session: MagicMock) -> None:
+        existing_provider = _make_voice_provider(id=1)
+        mock_db_session.scalar.return_value = existing_provider
+        mock_db_session.flush.return_value = None
+        mock_db_session.refresh.return_value = None
+        mock_db_session.execute.return_value = None
+
+        upsert_voice_provider(
+            db_session=mock_db_session,
+            provider_id=1,
+            name="Test",
+            provider_type="openai",
+            api_key=None,
+            api_key_changed=False,
+            activate_stt=True,
+        )
+
+        assert existing_provider.is_default_stt is True
+
+    def test_activates_tts_when_requested(self, mock_db_session: MagicMock) -> None:
+        existing_provider = _make_voice_provider(id=1)
+        mock_db_session.scalar.return_value = existing_provider
+        mock_db_session.flush.return_value = None
+        mock_db_session.refresh.return_value = None
+        mock_db_session.execute.return_value = None
+
+        upsert_voice_provider(
+            db_session=mock_db_session,
+            provider_id=1,
+            name="Test",
+            provider_type="openai",
+            api_key=None,
+            api_key_changed=False,
+            activate_tts=True,
+        )
+
+        assert existing_provider.is_default_tts is True
+
+
+class TestDeleteVoiceProvider:
+    """Tests for delete_voice_provider."""
+
+    def test_soft_deletes_provider_when_found(self, mock_db_session: MagicMock) -> None:
+        provider = _make_voice_provider(id=1)
+        mock_db_session.scalar.return_value = provider
+
+        delete_voice_provider(mock_db_session, 1)
+
+        assert provider.deleted is True
+        mock_db_session.flush.assert_called_once()
+
+    def test_does_nothing_when_provider_not_found(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        mock_db_session.scalar.return_value = None
+
+        delete_voice_provider(mock_db_session, 999)
+
+        mock_db_session.flush.assert_not_called()
+
+
+class TestSetDefaultProviders:
+    """Tests for set_default_stt_provider and set_default_tts_provider."""
+
+    def test_set_default_stt_provider_deactivates_others(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        provider = _make_voice_provider(id=1)
+        mock_db_session.scalar.return_value = provider
+        mock_db_session.execute.return_value = None
+        mock_db_session.flush.return_value = None
+        mock_db_session.refresh.return_value = None
+
+        result = set_default_stt_provider(db_session=mock_db_session, provider_id=1)
+
+        mock_db_session.execute.assert_called_once()
+        assert result.is_default_stt is True
+
+    def test_set_default_stt_provider_raises_when_not_found(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        mock_db_session.scalar.return_value = None
+
+        with pytest.raises(OnyxError) as exc_info:
+            set_default_stt_provider(db_session=mock_db_session, provider_id=999)
+
+        assert "No voice provider with id 999" in str(exc_info.value)
+
+    def test_set_default_tts_provider_deactivates_others(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        provider = _make_voice_provider(id=1)
+        mock_db_session.scalar.return_value = provider
+        mock_db_session.execute.return_value = None
+        mock_db_session.flush.return_value = None
+        mock_db_session.refresh.return_value = None
+
+        result = set_default_tts_provider(db_session=mock_db_session, provider_id=1)
+
+        mock_db_session.execute.assert_called_once()
+        assert result.is_default_tts is True
+
+    def test_set_default_tts_provider_updates_model_when_provided(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        provider = _make_voice_provider(id=1)
+        mock_db_session.scalar.return_value = provider
+        mock_db_session.execute.return_value = None
+        mock_db_session.flush.return_value = None
+        mock_db_session.refresh.return_value = None
+
+        result = set_default_tts_provider(
+            db_session=mock_db_session, provider_id=1, tts_model="tts-1-hd"
+        )
+
+        assert result.tts_model == "tts-1-hd"
+
+    def test_set_default_tts_provider_raises_when_not_found(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        mock_db_session.scalar.return_value = None
+
+        with pytest.raises(OnyxError) as exc_info:
+            set_default_tts_provider(db_session=mock_db_session, provider_id=999)
+
+        assert "No voice provider with id 999" in str(exc_info.value)
+
+
+class TestDeactivateProviders:
+    """Tests for deactivate_stt_provider and deactivate_tts_provider."""
+
+    def test_deactivate_stt_provider_sets_false(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        provider = _make_voice_provider(id=1, is_default_stt=True)
+        mock_db_session.scalar.return_value = provider
+        mock_db_session.flush.return_value = None
+        mock_db_session.refresh.return_value = None
+
+        result = deactivate_stt_provider(db_session=mock_db_session, provider_id=1)
+
+        assert result.is_default_stt is False
+
+    def test_deactivate_stt_provider_raises_when_not_found(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        mock_db_session.scalar.return_value = None
+
+        with pytest.raises(OnyxError) as exc_info:
+            deactivate_stt_provider(db_session=mock_db_session, provider_id=999)
+
+        assert "No voice provider with id 999" in str(exc_info.value)
+
+    def test_deactivate_tts_provider_sets_false(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        provider = _make_voice_provider(id=1, is_default_tts=True)
+        mock_db_session.scalar.return_value = provider
+        mock_db_session.flush.return_value = None
+        mock_db_session.refresh.return_value = None
+
+        result = deactivate_tts_provider(db_session=mock_db_session, provider_id=1)
+
+        assert result.is_default_tts is False
+
+    def test_deactivate_tts_provider_raises_when_not_found(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        mock_db_session.scalar.return_value = None
+
+        with pytest.raises(OnyxError) as exc_info:
+            deactivate_tts_provider(db_session=mock_db_session, provider_id=999)
+
+        assert "No voice provider with id 999" in str(exc_info.value)
+
+
+class TestUpdateUserVoiceSettings:
+    """Tests for update_user_voice_settings."""
+
+    def test_updates_auto_send(self, mock_db_session: MagicMock) -> None:
+        user_id = uuid4()
+
+        update_user_voice_settings(mock_db_session, user_id, auto_send=True)
+
+        mock_db_session.execute.assert_called_once()
+        mock_db_session.flush.assert_called_once()
+
+    def test_updates_auto_playback(self, mock_db_session: MagicMock) -> None:
+        user_id = uuid4()
+
+        update_user_voice_settings(mock_db_session, user_id, auto_playback=True)
+
+        mock_db_session.execute.assert_called_once()
+        mock_db_session.flush.assert_called_once()
+
+    def test_updates_playback_speed_within_range(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        user_id = uuid4()
+
+        update_user_voice_settings(mock_db_session, user_id, playback_speed=1.5)
+
+        mock_db_session.execute.assert_called_once()
+
+    def test_clamps_playback_speed_to_min(self, mock_db_session: MagicMock) -> None:
+        user_id = uuid4()
+
+        update_user_voice_settings(mock_db_session, user_id, playback_speed=0.1)
+
+        mock_db_session.execute.assert_called_once()
+        stmt = mock_db_session.execute.call_args[0][0]
+        compiled = stmt.compile(compile_kwargs={"literal_binds": True})
+        assert str(MIN_VOICE_PLAYBACK_SPEED) in str(compiled)
+
+    def test_clamps_playback_speed_to_max(self, mock_db_session: MagicMock) -> None:
+        user_id = uuid4()
+
+        update_user_voice_settings(mock_db_session, user_id, playback_speed=5.0)
+
+        mock_db_session.execute.assert_called_once()
+        stmt = mock_db_session.execute.call_args[0][0]
+        compiled = stmt.compile(compile_kwargs={"literal_binds": True})
+        assert str(MAX_VOICE_PLAYBACK_SPEED) in str(compiled)
+
+    def test_updates_multiple_settings(self, mock_db_session: MagicMock) -> None:
+        user_id = uuid4()
+
+        update_user_voice_settings(
+            mock_db_session,
+            user_id,
+            auto_send=True,
+            auto_playback=False,
+            playback_speed=1.25,
+        )
+
+        mock_db_session.execute.assert_called_once()
+        mock_db_session.flush.assert_called_once()
+
+    def test_does_nothing_when_no_settings_provided(
+        self, mock_db_session: MagicMock
+    ) -> None:
+        user_id = uuid4()
+
+        update_user_voice_settings(mock_db_session, user_id)
+
+        mock_db_session.execute.assert_not_called()
+        mock_db_session.flush.assert_not_called()
+
+
+class TestSpeedClampingLogic:
+    """Tests for the speed clamping constants and logic."""
+
+    def test_min_speed_constant(self) -> None:
+        assert MIN_VOICE_PLAYBACK_SPEED == 0.5
+
+    def test_max_speed_constant(self) -> None:
+        assert MAX_VOICE_PLAYBACK_SPEED == 2.0
+
+    def test_clamping_formula(self) -> None:
+        """Verify the clamping formula used in update_user_voice_settings."""
+        test_cases = [
+            (0.1, MIN_VOICE_PLAYBACK_SPEED),
+            (0.5, 0.5),
+            (1.0, 1.0),
+            (1.5, 1.5),
+            (2.0, 2.0),
+            (3.0, MAX_VOICE_PLAYBACK_SPEED),
+        ]
+        for speed, expected in test_cases:
+            clamped = max(
+                MIN_VOICE_PLAYBACK_SPEED, min(MAX_VOICE_PLAYBACK_SPEED, speed)
+            )
+            assert (
+                clamped == expected
+            ), f"speed={speed} expected={expected} got={clamped}"

backend/tests/unit/onyx/onyxbot/test_slack_blocks.py

@@ -7,9 +7,6 @@ import timeago  # type: ignore
 from onyx.configs.constants import DocumentSource
 from onyx.context.search.models import SavedSearchDoc
 from onyx.onyxbot.slack.blocks import _build_documents_blocks
-from onyx.onyxbot.slack.blocks import _extract_code_snippets
-from onyx.onyxbot.slack.blocks import _split_text
-from onyx.onyxbot.slack.handlers.handle_regular_answer import _SNIPPET_TYPE_MAP
 
 
 def _make_saved_doc(updated_at: datetime | None) -> SavedSearchDoc:
@@ -72,148 +69,3 @@ def test_build_documents_blocks_formats_naive_timestamp(
     formatted_timestamp: datetime = captured["doc"]
     expected_timestamp: datetime = naive_timestamp.replace(tzinfo=pytz.utc)
     assert formatted_timestamp == expected_timestamp
-
-
-# ---------------------------------------------------------------------------
-# _split_text tests
-# ---------------------------------------------------------------------------
-
-
-class TestSplitText:
-    def test_short_text_returns_single_chunk(self) -> None:
-        result = _split_text("hello world", limit=100)
-        assert result == ["hello world"]
-
-    def test_splits_at_space_boundary(self) -> None:
-        text = "aaa bbb ccc ddd"
-        result = _split_text(text, limit=8)
-        assert len(result) >= 2
-
-    def test_no_code_fences_splits_normally(self) -> None:
-        text = "word " * 100  # 500 chars
-        result = _split_text(text, limit=100)
-        assert len(result) >= 5
-        for chunk in result:
-            assert "```" not in chunk
-
-
-# ---------------------------------------------------------------------------
-# _extract_code_snippets tests
-# ---------------------------------------------------------------------------
-
-
-class TestExtractCodeSnippets:
-    def test_short_text_no_extraction(self) -> None:
-        text = "short answer with ```python\nprint('hi')\n``` inline"
-        cleaned, snippets = _extract_code_snippets(text, limit=3000)
-        assert cleaned == text
-        assert snippets == []
-
-    def test_large_code_block_extracted(self) -> None:
-        code = "x = 1\n" * 200  # ~1200 chars of code
-        text = f"Here is the solution:\n```python\n{code}```\nHope that helps!"
-        cleaned, snippets = _extract_code_snippets(text, limit=200)
-
-        assert len(snippets) == 1
-        assert snippets[0].language == "python"
-        assert snippets[0].filename == "code_1.python"
-        assert "x = 1" in snippets[0].code
-        # Code block should be removed from cleaned text
-        assert "```" not in cleaned
-        assert "Here is the solution" in cleaned
-        assert "Hope that helps!" in cleaned
-
-    def test_multiple_code_blocks_only_large_ones_extracted(self) -> None:
-        small_code = "print('hi')"
-        large_code = "x = 1\n" * 300
-        text = (
-            f"First:\n```python\n{small_code}\n```\n"
-            f"Second:\n```javascript\n{large_code}\n```\n"
-            "Done!"
-        )
-        cleaned, snippets = _extract_code_snippets(text, limit=500)
-
-        # The large block should be extracted
-        assert len(snippets) >= 1
-        langs = [s.language for s in snippets]
-        assert "javascript" in langs
-
-    def test_language_specifier_captured(self) -> None:
-        code = "fn main() {}\n" * 100
-        text = f"```rust\n{code}```"
-        _, snippets = _extract_code_snippets(text, limit=100)
-
-        assert len(snippets) == 1
-        assert snippets[0].language == "rust"
-        assert snippets[0].filename == "code_1.rust"
-
-    def test_no_language_defaults_to_text(self) -> None:
-        code = "some output\n" * 100
-        text = f"```\n{code}```"
-        _, snippets = _extract_code_snippets(text, limit=100)
-
-        assert len(snippets) == 1
-        assert snippets[0].language == "text"
-        assert snippets[0].filename == "code_1.txt"
-
-    def test_cleaned_text_has_no_triple_blank_lines(self) -> None:
-        code = "x = 1\n" * 200
-        text = f"Before\n\n```python\n{code}```\n\nAfter"
-        cleaned, _ = _extract_code_snippets(text, limit=100)
-
-        assert "\n\n\n" not in cleaned
-
-    def test_multiple_blocks_cumulative_removal(self) -> None:
-        """When multiple code blocks exist, extraction decisions should
-        account for previously extracted blocks (two-pass logic).
-        Blocks must be smaller than limit//2 so the 'very large block'
-        override doesn't trigger — we're testing the cumulative logic only."""
-        # Each fenced block is ~103 chars (```python\n + 15*6 + ```)
-        block_a = "a = 1\n" * 15  # 90 chars of code
-        block_b = "b = 2\n" * 15  # 90 chars of code
-        prose = "x" * 200
-        # Total: ~200 + 103 + 103 + overhead ≈ 420 chars
-        # limit=300, limit//2=150. Each block (~103) < 150, so only
-        # the cumulative check applies. Removing block_a (~103 chars)
-        # brings us to ~317 > 300, so block_b should also be extracted.
-        # But with limit=350: removing block_a → ~317 ≤ 350, stop.
-        text = f"{prose}\n```python\n{block_a}```\n```python\n{block_b}```\nEnd"
-        cleaned, snippets = _extract_code_snippets(text, limit=350)
-
-        # After extracting block_a the text is ≤ 350, so block_b stays.
-        assert len(snippets) == 1
-        assert snippets[0].filename == "code_1.python"
-        # block_b should still be in the cleaned text
-        assert "b = 2" in cleaned
-
-
-# ---------------------------------------------------------------------------
-# _SNIPPET_TYPE_MAP tests
-# ---------------------------------------------------------------------------
-
-
-class TestSnippetTypeMap:
-    @pytest.mark.parametrize(
-        "alias,expected",
-        [
-            ("py", "python"),
-            ("js", "javascript"),
-            ("ts", "typescript"),
-            ("tsx", "typescript"),
-            ("jsx", "javascript"),
-            ("sh", "shell"),
-            ("bash", "shell"),
-            ("yml", "yaml"),
-            ("rb", "ruby"),
-            ("rs", "rust"),
-            ("cs", "csharp"),
-            ("md", "markdown"),
-            ("text", "plain_text"),
-        ],
-    )
-    def test_common_aliases_normalized(self, alias: str, expected: str) -> None:
-        assert _SNIPPET_TYPE_MAP[alias] == expected
-
-    def test_unknown_language_passes_through(self) -> None:
-        unknown = "haskell"
-        assert _SNIPPET_TYPE_MAP.get(unknown, unknown) == "haskell"

backend/tests/unit/onyx/server/manage/voice/test_voice_api_validation.py

@@ -0,0 +1,23 @@
+import pytest
+
+from onyx.error_handling.exceptions import OnyxError
+from onyx.server.manage.voice.api import _validate_voice_api_base
+
+
+def test_validate_voice_api_base_blocks_private_for_non_azure() -> None:
+    with pytest.raises(OnyxError, match="Invalid target URI"):
+        _validate_voice_api_base("openai", "http://127.0.0.1:11434")
+
+
+def test_validate_voice_api_base_allows_private_for_azure() -> None:
+    validated = _validate_voice_api_base("azure", "http://127.0.0.1:5000")
+    assert validated == "http://127.0.0.1:5000"
+
+
+def test_validate_voice_api_base_blocks_metadata_for_azure() -> None:
+    with pytest.raises(OnyxError, match="Invalid target URI"):
+        _validate_voice_api_base("azure", "http://metadata.google.internal/")
+
+
+def test_validate_voice_api_base_returns_none_for_none() -> None:
+    assert _validate_voice_api_base("openai", None) is None

backend/tests/unit/onyx/server/test_projects_file_utils.py

@@ -186,3 +186,42 @@ def test_categorize_uploaded_files_checks_size_before_text_extraction(
     assert len(result.acceptable) == 0
     assert len(result.rejected) == 1
     assert result.rejected[0].reason == "Exceeds 1 MB file size limit"
+
+
+def test_categorize_uploaded_files_accepts_python_file(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    _patch_common_dependencies(monkeypatch)
+    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_BYTES", 10_000)
+    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_MB", 1)
+
+    py_source = b'def hello():\n    print("world")\n'
+    monkeypatch.setattr(
+        utils, "extract_file_text", lambda **_kwargs: py_source.decode()
+    )
+
+    upload = _make_upload("script.py", size=len(py_source), content=py_source)
+    result = utils.categorize_uploaded_files([upload], MagicMock())
+
+    assert len(result.acceptable) == 1
+    assert result.acceptable[0].filename == "script.py"
+    assert len(result.rejected) == 0
+
+
+def test_categorize_uploaded_files_rejects_binary_file(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    _patch_common_dependencies(monkeypatch)
+    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_BYTES", 10_000)
+    monkeypatch.setattr(utils, "USER_FILE_MAX_UPLOAD_SIZE_MB", 1)
+
+    monkeypatch.setattr(utils, "extract_file_text", lambda **_kwargs: "")
+
+    binary_content = bytes(range(256)) * 4
+    upload = _make_upload("data.bin", size=len(binary_content), content=binary_content)
+    result = utils.categorize_uploaded_files([upload], MagicMock())
+
+    assert len(result.acceptable) == 0
+    assert len(result.rejected) == 1
+    assert result.rejected[0].filename == "data.bin"
+    assert "Unsupported file type" in result.rejected[0].reason

backend/tests/unit/onyx/utils/test_url_ssrf.py

@@ -14,6 +14,7 @@ from onyx.utils.url import _is_ip_private_or_reserved
 from onyx.utils.url import _validate_and_resolve_url
 from onyx.utils.url import ssrf_safe_get
 from onyx.utils.url import SSRFException
+from onyx.utils.url import validate_outbound_http_url
 
 
 class TestIsIpPrivateOrReserved:
@@ -305,3 +306,22 @@ class TestSsrfSafeGet:
 
                 call_args = mock_get.call_args
                 assert call_args[1]["timeout"] == (5, 15)
+
+
+class TestValidateOutboundHttpUrl:
+    def test_rejects_private_ip_by_default(self) -> None:
+        with pytest.raises(SSRFException, match="internal/private IP"):
+            validate_outbound_http_url("http://127.0.0.1:8000")
+
+    def test_allows_private_ip_when_explicitly_enabled(self) -> None:
+        validated_url = validate_outbound_http_url(
+            "http://127.0.0.1:8000", allow_private_network=True
+        )
+        assert validated_url == "http://127.0.0.1:8000"
+
+    def test_blocks_metadata_hostname_when_private_is_enabled(self) -> None:
+        with pytest.raises(SSRFException, match="not allowed"):
+            validate_outbound_http_url(
+                "http://metadata.google.internal/latest",
+                allow_private_network=True,
+            )

backend/tests/unit/onyx/voice/providers/test_azure_provider.py

@@ -0,0 +1,30 @@
+import pytest
+
+from onyx.voice.providers.azure import AzureVoiceProvider
+
+
+def test_azure_provider_extracts_region_from_target_uri() -> None:
+    provider = AzureVoiceProvider(
+        api_key="key",
+        api_base="https://westus.api.cognitive.microsoft.com/",
+        custom_config={},
+    )
+    assert provider.speech_region == "westus"
+
+
+def test_azure_provider_normalizes_uppercase_region() -> None:
+    provider = AzureVoiceProvider(
+        api_key="key",
+        api_base=None,
+        custom_config={"speech_region": "WestUS2"},
+    )
+    assert provider.speech_region == "westus2"
+
+
+def test_azure_provider_rejects_invalid_speech_region() -> None:
+    with pytest.raises(ValueError, match="Invalid Azure speech_region"):
+        AzureVoiceProvider(
+            api_key="key",
+            api_base=None,
+            custom_config={"speech_region": "westus/../../etc"},
+        )

backend/tests/unit/onyx/voice/providers/test_azure_ssml.py

@@ -0,0 +1,194 @@
+import io
+import struct
+import wave
+
+import pytest
+
+from onyx.voice.providers.azure import AzureVoiceProvider
+
+
+# --- _is_azure_cloud_url ---
+
+
+def test_is_azure_cloud_url_speech_microsoft() -> None:
+    assert AzureVoiceProvider._is_azure_cloud_url(
+        "https://eastus.tts.speech.microsoft.com/cognitiveservices/v1"
+    )
+
+
+def test_is_azure_cloud_url_cognitive_microsoft() -> None:
+    assert AzureVoiceProvider._is_azure_cloud_url(
+        "https://westus.api.cognitive.microsoft.com/"
+    )
+
+
+def test_is_azure_cloud_url_rejects_custom_host() -> None:
+    assert not AzureVoiceProvider._is_azure_cloud_url("https://my-custom-host.com/")
+
+
+def test_is_azure_cloud_url_rejects_none() -> None:
+    assert not AzureVoiceProvider._is_azure_cloud_url(None)
+
+
+# --- _extract_speech_region_from_uri ---
+
+
+def test_extract_region_from_tts_url() -> None:
+    assert (
+        AzureVoiceProvider._extract_speech_region_from_uri(
+            "https://eastus.tts.speech.microsoft.com/cognitiveservices/v1"
+        )
+        == "eastus"
+    )
+
+
+def test_extract_region_from_cognitive_api_url() -> None:
+    assert (
+        AzureVoiceProvider._extract_speech_region_from_uri(
+            "https://eastus.api.cognitive.microsoft.com/"
+        )
+        == "eastus"
+    )
+
+
+def test_extract_region_returns_none_for_custom_domain() -> None:
+    """Custom domains use resource name, not region — must use speech_region config."""
+    assert (
+        AzureVoiceProvider._extract_speech_region_from_uri(
+            "https://myresource.cognitiveservices.azure.com/"
+        )
+        is None
+    )
+
+
+def test_extract_region_returns_none_for_none() -> None:
+    assert AzureVoiceProvider._extract_speech_region_from_uri(None) is None
+
+
+# --- _validate_speech_region ---
+
+
+def test_validate_region_normalizes_to_lowercase() -> None:
+    assert AzureVoiceProvider._validate_speech_region("WestUS2") == "westus2"
+
+
+def test_validate_region_accepts_hyphens() -> None:
+    assert AzureVoiceProvider._validate_speech_region("us-east-1") == "us-east-1"
+
+
+def test_validate_region_rejects_path_traversal() -> None:
+    with pytest.raises(ValueError, match="Invalid Azure speech_region"):
+        AzureVoiceProvider._validate_speech_region("westus/../../etc")
+
+
+def test_validate_region_rejects_dots() -> None:
+    with pytest.raises(ValueError, match="Invalid Azure speech_region"):
+        AzureVoiceProvider._validate_speech_region("west.us")
+
+
+# --- _pcm16_to_wav ---
+
+
+def test_pcm16_to_wav_produces_valid_wav() -> None:
+    samples = [32767, -32768, 0, 1234]
+    pcm_data = struct.pack(f"<{len(samples)}h", *samples)
+    wav_bytes = AzureVoiceProvider._pcm16_to_wav(pcm_data, sample_rate=16000)
+
+    with wave.open(io.BytesIO(wav_bytes), "rb") as wav_file:
+        assert wav_file.getnchannels() == 1
+        assert wav_file.getsampwidth() == 2
+        assert wav_file.getframerate() == 16000
+        frames = wav_file.readframes(4)
+        recovered = struct.unpack(f"<{len(samples)}h", frames)
+        assert list(recovered) == samples
+
+
+# --- URL Construction ---
+
+
+def test_get_tts_url_cloud() -> None:
+    provider = AzureVoiceProvider(
+        api_key="key", api_base=None, custom_config={"speech_region": "eastus"}
+    )
+    assert (
+        provider._get_tts_url()
+        == "https://eastus.tts.speech.microsoft.com/cognitiveservices/v1"
+    )
+
+
+def test_get_stt_url_cloud() -> None:
+    provider = AzureVoiceProvider(
+        api_key="key", api_base=None, custom_config={"speech_region": "westus2"}
+    )
+    assert "westus2.stt.speech.microsoft.com" in provider._get_stt_url()
+
+
+def test_get_tts_url_self_hosted() -> None:
+    provider = AzureVoiceProvider(
+        api_key="key", api_base="http://localhost:5000", custom_config={}
+    )
+    assert provider._get_tts_url() == "http://localhost:5000/cognitiveservices/v1"
+
+
+def test_get_tts_url_self_hosted_strips_trailing_slash() -> None:
+    provider = AzureVoiceProvider(
+        api_key="key", api_base="http://localhost:5000/", custom_config={}
+    )
+    assert provider._get_tts_url() == "http://localhost:5000/cognitiveservices/v1"
+
+
+# --- _is_self_hosted ---
+
+
+def test_is_self_hosted_true_for_custom_endpoint() -> None:
+    provider = AzureVoiceProvider(
+        api_key="key", api_base="http://localhost:5000", custom_config={}
+    )
+    assert provider._is_self_hosted() is True
+
+
+def test_is_self_hosted_false_for_azure_cloud() -> None:
+    provider = AzureVoiceProvider(
+        api_key="key",
+        api_base="https://eastus.api.cognitive.microsoft.com/",
+        custom_config={},
+    )
+    assert provider._is_self_hosted() is False
+
+
+# --- Resampling ---
+
+
+def test_resample_pcm16_passthrough() -> None:
+    from onyx.voice.providers.azure import AzureStreamingTranscriber
+
+    t = AzureStreamingTranscriber.__new__(AzureStreamingTranscriber)
+    t.input_sample_rate = 16000
+    t.target_sample_rate = 16000
+
+    data = struct.pack("<4h", 100, 200, 300, 400)
+    assert t._resample_pcm16(data) == data
+
+
+def test_resample_pcm16_downsamples() -> None:
+    from onyx.voice.providers.azure import AzureStreamingTranscriber
+
+    t = AzureStreamingTranscriber.__new__(AzureStreamingTranscriber)
+    t.input_sample_rate = 24000
+    t.target_sample_rate = 16000
+
+    input_samples = [1000, 2000, 3000, 4000, 5000, 6000]
+    data = struct.pack(f"<{len(input_samples)}h", *input_samples)
+
+    result = t._resample_pcm16(data)
+    assert len(result) // 2 == 4
+
+
+def test_resample_pcm16_empty_data() -> None:
+    from onyx.voice.providers.azure import AzureStreamingTranscriber
+
+    t = AzureStreamingTranscriber.__new__(AzureStreamingTranscriber)
+    t.input_sample_rate = 24000
+    t.target_sample_rate = 16000
+
+    assert t._resample_pcm16(b"") == b""

backend/tests/unit/onyx/voice/providers/test_elevenlabs_provider.py

@@ -0,0 +1,117 @@
+import struct
+
+from onyx.voice.providers.elevenlabs import _http_to_ws_url
+from onyx.voice.providers.elevenlabs import DEFAULT_ELEVENLABS_API_BASE
+from onyx.voice.providers.elevenlabs import ElevenLabsSTTMessageType
+from onyx.voice.providers.elevenlabs import ElevenLabsVoiceProvider
+
+
+# --- _http_to_ws_url ---
+
+
+def test_http_to_ws_url_converts_https_to_wss() -> None:
+    assert _http_to_ws_url("https://api.elevenlabs.io") == "wss://api.elevenlabs.io"
+
+
+def test_http_to_ws_url_converts_http_to_ws() -> None:
+    assert _http_to_ws_url("http://localhost:8080") == "ws://localhost:8080"
+
+
+def test_http_to_ws_url_passes_through_other_schemes() -> None:
+    assert _http_to_ws_url("wss://already.ws") == "wss://already.ws"
+
+
+def test_http_to_ws_url_preserves_path() -> None:
+    assert (
+        _http_to_ws_url("https://api.elevenlabs.io/v1/tts")
+        == "wss://api.elevenlabs.io/v1/tts"
+    )
+
+
+# --- StrEnum comparison ---
+
+
+def test_stt_message_type_compares_as_string() -> None:
+    """StrEnum members should work in string comparisons (e.g. from JSON)."""
+    assert str(ElevenLabsSTTMessageType.COMMITTED_TRANSCRIPT) == "committed_transcript"
+    assert isinstance(ElevenLabsSTTMessageType.ERROR, str)
+
+
+# --- Resampling ---
+
+
+def test_resample_pcm16_passthrough_when_same_rate() -> None:
+    from onyx.voice.providers.elevenlabs import ElevenLabsStreamingTranscriber
+
+    t = ElevenLabsStreamingTranscriber.__new__(ElevenLabsStreamingTranscriber)
+    t.input_sample_rate = 16000
+    t.target_sample_rate = 16000
+
+    data = struct.pack("<4h", 100, 200, 300, 400)
+    assert t._resample_pcm16(data) == data
+
+
+def test_resample_pcm16_downsamples() -> None:
+    """24kHz -> 16kHz should produce fewer samples (ratio 3:2)."""
+    from onyx.voice.providers.elevenlabs import ElevenLabsStreamingTranscriber
+
+    t = ElevenLabsStreamingTranscriber.__new__(ElevenLabsStreamingTranscriber)
+    t.input_sample_rate = 24000
+    t.target_sample_rate = 16000
+
+    input_samples = [1000, 2000, 3000, 4000, 5000, 6000]
+    data = struct.pack(f"<{len(input_samples)}h", *input_samples)
+
+    result = t._resample_pcm16(data)
+    output_samples = struct.unpack(f"<{len(result) // 2}h", result)
+
+    assert len(output_samples) == 4
+
+
+def test_resample_pcm16_clamps_to_int16_range() -> None:
+    from onyx.voice.providers.elevenlabs import ElevenLabsStreamingTranscriber
+
+    t = ElevenLabsStreamingTranscriber.__new__(ElevenLabsStreamingTranscriber)
+    t.input_sample_rate = 24000
+    t.target_sample_rate = 16000
+
+    input_samples = [32767, -32768, 32767, -32768, 32767, -32768]
+    data = struct.pack(f"<{len(input_samples)}h", *input_samples)
+
+    result = t._resample_pcm16(data)
+    output_samples = struct.unpack(f"<{len(result) // 2}h", result)
+    for s in output_samples:
+        assert -32768 <= s <= 32767
+
+
+# --- Provider Model Defaulting ---
+
+
+def test_provider_defaults_invalid_stt_model() -> None:
+    provider = ElevenLabsVoiceProvider(api_key="test", stt_model="invalid_model")
+    assert provider.stt_model == "scribe_v1"
+
+
+def test_provider_defaults_invalid_tts_model() -> None:
+    provider = ElevenLabsVoiceProvider(api_key="test", tts_model="invalid_model")
+    assert provider.tts_model == "eleven_multilingual_v2"
+
+
+def test_provider_accepts_valid_models() -> None:
+    provider = ElevenLabsVoiceProvider(
+        api_key="test", stt_model="scribe_v2_realtime", tts_model="eleven_turbo_v2_5"
+    )
+    assert provider.stt_model == "scribe_v2_realtime"
+    assert provider.tts_model == "eleven_turbo_v2_5"
+
+
+def test_provider_defaults_api_base() -> None:
+    provider = ElevenLabsVoiceProvider(api_key="test")
+    assert provider.api_base == DEFAULT_ELEVENLABS_API_BASE
+
+
+def test_provider_get_available_voices_returns_copy() -> None:
+    provider = ElevenLabsVoiceProvider(api_key="test")
+    voices = provider.get_available_voices()
+    voices.clear()
+    assert len(provider.get_available_voices()) > 0

backend/tests/unit/onyx/voice/providers/test_openai_provider.py

@@ -0,0 +1,97 @@
+import io
+import struct
+import wave
+
+from onyx.voice.providers.openai import _create_wav_header
+from onyx.voice.providers.openai import _http_to_ws_url
+from onyx.voice.providers.openai import OpenAIRealtimeMessageType
+from onyx.voice.providers.openai import OpenAIVoiceProvider
+
+
+# --- _http_to_ws_url ---
+
+
+def test_http_to_ws_url_converts_https_to_wss() -> None:
+    assert _http_to_ws_url("https://api.openai.com") == "wss://api.openai.com"
+
+
+def test_http_to_ws_url_converts_http_to_ws() -> None:
+    assert _http_to_ws_url("http://localhost:9090") == "ws://localhost:9090"
+
+
+def test_http_to_ws_url_passes_through_ws() -> None:
+    assert _http_to_ws_url("wss://already.ws") == "wss://already.ws"
+
+
+# --- StrEnum comparison ---
+
+
+def test_realtime_message_type_compares_as_string() -> None:
+    assert str(OpenAIRealtimeMessageType.ERROR) == "error"
+    assert (
+        str(OpenAIRealtimeMessageType.TRANSCRIPTION_DELTA)
+        == "conversation.item.input_audio_transcription.delta"
+    )
+    assert isinstance(OpenAIRealtimeMessageType.ERROR, str)
+
+
+# --- _create_wav_header ---
+
+
+def test_wav_header_is_44_bytes() -> None:
+    assert len(_create_wav_header(1000)) == 44
+
+
+def test_wav_header_chunk_size_matches_data_length() -> None:
+    data_length = 2000
+    header = _create_wav_header(data_length)
+    chunk_size = struct.unpack_from("<I", header, 4)[0]
+    assert chunk_size == 36 + data_length
+
+
+def test_wav_header_byte_rate() -> None:
+    header = _create_wav_header(100, sample_rate=24000, channels=1, bits_per_sample=16)
+    byte_rate = struct.unpack_from("<I", header, 28)[0]
+    assert byte_rate == 24000 * 1 * 16 // 8
+
+
+def test_wav_header_produces_valid_wav() -> None:
+    """Header + PCM data should parse as valid WAV."""
+    data_length = 100
+    pcm_data = b"\x00" * data_length
+    header = _create_wav_header(data_length, sample_rate=24000)
+
+    with wave.open(io.BytesIO(header + pcm_data), "rb") as wav_file:
+        assert wav_file.getnchannels() == 1
+        assert wav_file.getsampwidth() == 2
+        assert wav_file.getframerate() == 24000
+        assert wav_file.getnframes() == data_length // 2
+
+
+# --- Provider Defaults ---
+
+
+def test_provider_default_models() -> None:
+    provider = OpenAIVoiceProvider(api_key="test")
+    assert provider.stt_model == "whisper-1"
+    assert provider.tts_model == "tts-1"
+    assert provider.default_voice == "alloy"
+
+
+def test_provider_custom_models() -> None:
+    provider = OpenAIVoiceProvider(
+        api_key="test",
+        stt_model="gpt-4o-transcribe",
+        tts_model="tts-1-hd",
+        default_voice="nova",
+    )
+    assert provider.stt_model == "gpt-4o-transcribe"
+    assert provider.tts_model == "tts-1-hd"
+    assert provider.default_voice == "nova"
+
+
+def test_provider_get_available_voices_returns_copy() -> None:
+    provider = OpenAIVoiceProvider(api_key="test")
+    voices = provider.get_available_voices()
+    voices.clear()
+    assert len(provider.get_available_voices()) > 0

deployment/docker_compose/env.prod.template

@@ -33,6 +33,7 @@ SECRET=
 
 # OpenID Connect (OIDC)
 #OPENID_CONFIG_URL=
+#OIDC_PKCE_ENABLED=
 
 # SAML config directory for OneLogin compatible setups
 #SAML_CONF_DIR=

deployment/docker_compose/env.template

@@ -167,6 +167,7 @@ LOG_ONYX_MODEL_INTERACTIONS=False
 # OAUTH_CLIENT_ID=
 # OAUTH_CLIENT_SECRET=
 # OPENID_CONFIG_URL=
+# OIDC_PKCE_ENABLED=
 # TRACK_EXTERNAL_IDP_EXPIRY=
 # CORS_ALLOWED_ORIGIN=
 # INTEGRATION_TESTS_MODE=

deployment/helm/charts/onyx/Chart.yaml

@@ -5,7 +5,7 @@ home: https://www.onyx.app/
 sources:
   - "https://github.com/onyx-dot-app/onyx"
 type: application
-version: 0.4.33
+version: 0.4.35
 appVersion: latest
 annotations:
   category: Productivity

deployment/helm/charts/onyx/ci/ct-values.yaml

@@ -0,0 +1,6 @@
+# Values for chart-testing (ct lint/install)
+# This file is automatically used by ct when running lint and install commands
+auth:
+  userauth:
+    values:
+      user_auth_secret: "placeholder-for-ci-testing"

deployment/helm/charts/onyx/templates/auth-secrets.yaml

@@ -1,17 +1,29 @@
 {{- if hasKey .Values.auth "secretKeys" }}
 {{- fail "ERROR: Secrets handling has been refactored under 'auth' and must be updated before upgrading to this chart version." }}
 {{- end }}
-{{- range $secretContent := .Values.auth }}
-{{- if and (empty $secretContent.existingSecret) (ne ($secretContent.enabled | default true) false) }}
+{{- range $secretKey, $secretContent := .Values.auth }}
+{{- if and (empty $secretContent.existingSecret) (or (not (hasKey $secretContent "enabled")) $secretContent.enabled) }}
+{{- $secretName := include "onyx.secretName" $secretContent }}
+{{- $existingSecret := lookup "v1" "Secret" $.Release.Namespace $secretName }}
+{{- /* Pre-validate: fail before emitting YAML if any required value is missing */ -}}
+{{- range $name, $value := $secretContent.values }}
+{{- if and (empty $value) (not (and $existingSecret (hasKey $existingSecret.data $name))) }}
+{{- fail (printf "Secret value for '%s' is required but not set and no existing secret found. Please set auth.%s.values.%s in values.yaml" $name $secretKey $name) }}
+{{- end }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "onyx.secretName" $secretContent }}
+  name: {{ $secretName }}
 type: Opaque
 stringData:
-  {{- range $name, $value := $secretContent.values }}
+{{- range $name, $value := $secretContent.values }}
+{{- if not (empty $value) }}
   {{ $name }}: {{ $value | quote }}
-  {{- end }}
+{{- else if and $existingSecret (hasKey $existingSecret.data $name) }}
+  {{ $name }}: {{ index $existingSecret.data $name | b64dec | quote }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{- end }}

deployment/helm/charts/onyx/values.yaml

@@ -1183,10 +1183,30 @@ auth:
     values:
       opensearch_admin_username: "admin"
       opensearch_admin_password: "OnyxDev1!"
+  userauth:
+    # -- Used for password reset / verification tokens and OAuth/OIDC state signing.
+    # Disabled by default to preserve upgrade compatibility for existing Helm customers.
+    enabled: false
+    # -- Overwrite the default secret name, ignored if existingSecret is defined
+    secretName: 'onyx-userauth'
+    # -- Use a secret specified elsewhere
+    existingSecret: ""
+    # -- This defines the env var to secret map
+    secretKeys:
+      USER_AUTH_SECRET: user_auth_secret
+    # -- Secret value. Required when this secret is enabled - generate with: openssl rand -hex 32
+    # If not set, helm install/upgrade will fail when auth.userauth.enabled=true.
+    values:
+      user_auth_secret: ""
 
 configMap:
-  # Change this for production uses unless Onyx is only accessible behind VPN
-  AUTH_TYPE: "disabled"
+  # Auth type: "basic" (default), "google_oauth", "oidc", or "saml"
+  # UPGRADE NOTE: Default changed from "disabled" to "basic" in 0.4.34.
+  # Set auth.userauth.enabled=true and provide auth.userauth.values.user_auth_secret
+  # before enabling flows that require it.
+  AUTH_TYPE: "basic"
+  # Enable PKCE for OIDC login flow. Leave empty/false for backward compatibility.
+  OIDC_PKCE_ENABLED: ""
   # 1 Day Default
   SESSION_EXPIRE_TIME_SECONDS: "86400"
   # Can be something like onyx.app, as an extra double-check

greptile.json

@@ -52,6 +52,10 @@
         {
           "scope": [],
           "content": "Use explicit type annotations for variables to enhance code clarity, especially when moving type hints around in the code."
+        },
+        {
+          "scope": [],
+          "content": "Use `contributing_guides/best_practices.md` as core review context. Prefer consistency with existing patterns, fix issues in code you touch, avoid tacking new features onto muddy interfaces, fail loudly instead of silently swallowing errors, keep code strictly typed, preserve clear state boundaries, remove duplicate or dead logic, break up overly long functions, avoid hidden import-time side effects, respect module boundaries, and favor correctness-by-construction over relying on callers to use an API correctly."
         }
       ],
       "rules": [
@@ -71,6 +75,14 @@
           "scope": [],
           "rule": "When hardcoding a boolean variable to a constant value, remove the variable entirely and clean up all places where it's used rather than just setting it to a constant."
         },
+        {
+          "scope": [],
+          "rule": "Code changes must consider both multi-tenant and single-tenant deployments. In multi-tenant mode, preserve tenant isolation, ensure tenant context is propagated correctly, and avoid assumptions that only hold for a single shared schema or globally shared state. In single-tenant mode, avoid introducing unnecessary tenant-specific requirements or cloud-only control-plane dependencies."
+        },
+        {
+          "scope": [],
+          "rule": "Code changes must consider both regular Onyx deployments and Onyx lite deployments. Lite deployments disable the vector DB, Redis, model servers, and background workers by default, use PostgreSQL-backed cache/auth/file storage, and rely on the API server to handle background work. Do not assume those services are available unless the code path is explicitly limited to full deployments."
+        },
         {
           "scope": ["backend/**/*.py"],
           "rule": "Never raise HTTPException directly in business code. Use `raise OnyxError(OnyxErrorCode.XXX, \"message\")` from `onyx.error_handling.exceptions`. A global FastAPI exception handler converts OnyxError into structured JSON responses with {\"error_code\": \"...\", \"message\": \"...\"}. Error codes are defined in `onyx.error_handling.error_codes.OnyxErrorCode`. For upstream errors with dynamic HTTP status codes, use `status_code_override`: `raise OnyxError(OnyxErrorCode.BAD_GATEWAY, detail, status_code_override=upstream_status)`."
@@ -86,6 +98,21 @@
           "scope": [],
           "path": "CLAUDE.md",
           "description": "Project instructions and coding standards"
+        },
+        {
+          "scope": [],
+          "path": "backend/alembic/README.md",
+          "description": "Migration guidance, including multi-tenant migration behavior"
+        },
+        {
+          "scope": [],
+          "path": "deployment/helm/charts/onyx/values-lite.yaml",
+          "description": "Lite deployment Helm values and service assumptions"
+        },
+        {
+          "scope": [],
+          "path": "deployment/docker_compose/docker-compose.onyx-lite.yml",
+          "description": "Lite deployment Docker Compose overlay and disabled service behavior"
         }
       ]
     }

pyproject.toml

@@ -35,6 +35,7 @@ backend = [
     "alembic==1.10.4",
     "asyncpg==0.30.0",
     "atlassian-python-api==3.41.16",
+    "azure-cognitiveservices-speech==1.38.0",
     "beautifulsoup4==4.12.3",
     "boto3==1.39.11",
     "boto3-stubs[s3]==1.39.11",

tools/ods/cmd/print_latest.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"fmt"
-
 	"github.com/jmelahman/tag/git"
 	"github.com/spf13/cobra"
 )

uv.lock

@@ -463,6 +463,19 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/f8/00/3ed12264094ec91f534fae429945efbaa9f8c666f3aa7061cc3b2a26a0cd/authlib-1.6.7-py2.py3-none-any.whl", hash = "sha256:c637340d9a02789d2efa1d003a7437d10d3e565237bcb5fcbc6c134c7b95bab0", size = 244115, upload-time = "2026-02-06T14:04:12.141Z" },
 ]
 
+[[package]]
+name = "azure-cognitiveservices-speech"
+version = "1.38.0"
+source = { registry = "https://pypi.org/simple" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/85/f4/4571c42cb00f8af317d5431f594b4ece1fbe59ab59f106947fea8e90cf89/azure_cognitiveservices_speech-1.38.0-py3-none-macosx_10_14_x86_64.whl", hash = "sha256:18dce915ab032711f687abb3297dd19176b9cbea562b322ee6fa7365ef4a5091", size = 6775838, upload-time = "2024-06-11T03:08:35.202Z" },
+    { url = "https://files.pythonhosted.org/packages/86/22/0ca2c59a573119950cad1f53531fec9872fc38810c405a4e1827f3d13a8e/azure_cognitiveservices_speech-1.38.0-py3-none-macosx_11_0_arm64.whl", hash = "sha256:9dd0800fbc4a8438c6dfd5747a658251914fe2d205a29e9b46158cadac6ab381", size = 6687975, upload-time = "2024-06-11T03:08:38.797Z" },
+    { url = "https://files.pythonhosted.org/packages/4d/96/5436c09de3af3a9aefaa8cc00533c3a0f5d17aef5bbe017c17f0a30ad66e/azure_cognitiveservices_speech-1.38.0-py3-none-manylinux1_x86_64.whl", hash = "sha256:1c344e8a6faadb063cea451f0301e13b44d9724e1242337039bff601e81e6f86", size = 40022287, upload-time = "2024-06-11T03:08:16.777Z" },
+    { url = "https://files.pythonhosted.org/packages/a9/2d/ba20d05ff77ec9870cd489e6e7a474ba7fe820524bcf6fd202025e0c11cf/azure_cognitiveservices_speech-1.38.0-py3-none-manylinux2014_aarch64.whl", hash = "sha256:1e002595a749471efeac3a54c80097946570b76c13049760b97a4b881d9d24af", size = 39788653, upload-time = "2024-06-11T03:08:30.405Z" },
+    { url = "https://files.pythonhosted.org/packages/0c/21/25f8c37fb6868db4346ca977c287ede9e87f609885d932653243c9ed5f63/azure_cognitiveservices_speech-1.38.0-py3-none-win32.whl", hash = "sha256:16a530e6c646eb49ea0bc05cb45a9d28b99e4b67613f6c3a6c54e26e6bf65241", size = 1428364, upload-time = "2024-06-11T03:08:03.965Z" },
+    { url = "https://files.pythonhosted.org/packages/14/05/a6414a3481c5ee30c4f32742abe055e5f3ce4ff69e936089d86ece354067/azure_cognitiveservices_speech-1.38.0-py3-none-win_amd64.whl", hash = "sha256:1d38d8c056fb3f513a9ff27ab4e77fd08ca487f8788cc7a6df772c1ab2c97b54", size = 1539297, upload-time = "2024-06-11T03:08:01.304Z" },
+]
+
 [[package]]
 name = "babel"
 version = "2.17.0"
@@ -4227,6 +4240,7 @@ backend = [
     { name = "asana" },
     { name = "asyncpg" },
     { name = "atlassian-python-api" },
+    { name = "azure-cognitiveservices-speech" },
     { name = "beautifulsoup4" },
     { name = "boto3" },
     { name = "boto3-stubs", extra = ["s3"] },
@@ -4381,6 +4395,7 @@ requires-dist = [
     { name = "asana", marker = "extra == 'backend'", specifier = "==5.0.8" },
     { name = "asyncpg", marker = "extra == 'backend'", specifier = "==0.30.0" },
     { name = "atlassian-python-api", marker = "extra == 'backend'", specifier = "==3.41.16" },
+    { name = "azure-cognitiveservices-speech", marker = "extra == 'backend'", specifier = "==1.38.0" },
     { name = "beautifulsoup4", marker = "extra == 'backend'", specifier = "==4.12.3" },
     { name = "black", marker = "extra == 'dev'", specifier = "==25.1.0" },
     { name = "boto3", marker = "extra == 'backend'", specifier = "==1.39.11" },
@@ -4739,70 +4754,70 @@ wheels = [
 
 [[package]]
 name = "orjson"
-version = "3.11.4"
+version = "3.11.6"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/c6/fe/ed708782d6709cc60eb4c2d8a361a440661f74134675c72990f2c48c785f/orjson-3.11.4.tar.gz", hash = "sha256:39485f4ab4c9b30a3943cfe99e1a213c4776fb69e8abd68f66b83d5a0b0fdc6d", size = 5945188, upload-time = "2025-10-24T15:50:38.027Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/70/a3/4e09c61a5f0c521cba0bb433639610ae037437669f1a4cbc93799e731d78/orjson-3.11.6.tar.gz", hash = "sha256:0a54c72259f35299fd033042367df781c2f66d10252955ca1efb7db309b954cb", size = 6175856, upload-time = "2026-01-29T15:13:07.942Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/63/1d/1ea6005fffb56715fd48f632611e163d1604e8316a5bad2288bee9a1c9eb/orjson-3.11.4-cp311-cp311-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:5e59d23cd93ada23ec59a96f215139753fbfe3a4d989549bcb390f8c00370b39", size = 243498, upload-time = "2025-10-24T15:48:48.101Z" },
-    { url = "https://files.pythonhosted.org/packages/37/d7/ffed10c7da677f2a9da307d491b9eb1d0125b0307019c4ad3d665fd31f4f/orjson-3.11.4-cp311-cp311-macosx_15_0_arm64.whl", hash = "sha256:5c3aedecfc1beb988c27c79d52ebefab93b6c3921dbec361167e6559aba2d36d", size = 128961, upload-time = "2025-10-24T15:48:49.571Z" },
-    { url = "https://files.pythonhosted.org/packages/a2/96/3e4d10a18866d1368f73c8c44b7fe37cc8a15c32f2a7620be3877d4c55a3/orjson-3.11.4-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:da9e5301f1c2caa2a9a4a303480d79c9ad73560b2e7761de742ab39fe59d9175", size = 130321, upload-time = "2025-10-24T15:48:50.713Z" },
-    { url = "https://files.pythonhosted.org/packages/eb/1f/465f66e93f434f968dd74d5b623eb62c657bdba2332f5a8be9f118bb74c7/orjson-3.11.4-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8873812c164a90a79f65368f8f96817e59e35d0cc02786a5356f0e2abed78040", size = 129207, upload-time = "2025-10-24T15:48:52.193Z" },
-    { url = "https://files.pythonhosted.org/packages/28/43/d1e94837543321c119dff277ae8e348562fe8c0fafbb648ef7cb0c67e521/orjson-3.11.4-cp311-cp311-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5d7feb0741ebb15204e748f26c9638e6665a5fa93c37a2c73d64f1669b0ddc63", size = 136323, upload-time = "2025-10-24T15:48:54.806Z" },
-    { url = "https://files.pythonhosted.org/packages/bf/04/93303776c8890e422a5847dd012b4853cdd88206b8bbd3edc292c90102d1/orjson-3.11.4-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:01ee5487fefee21e6910da4c2ee9eef005bee568a0879834df86f888d2ffbdd9", size = 137440, upload-time = "2025-10-24T15:48:56.326Z" },
-    { url = "https://files.pythonhosted.org/packages/1e/ef/75519d039e5ae6b0f34d0336854d55544ba903e21bf56c83adc51cd8bf82/orjson-3.11.4-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3d40d46f348c0321df01507f92b95a377240c4ec31985225a6668f10e2676f9a", size = 136680, upload-time = "2025-10-24T15:48:57.476Z" },
-    { url = "https://files.pythonhosted.org/packages/b5/18/bf8581eaae0b941b44efe14fee7b7862c3382fbc9a0842132cfc7cf5ecf4/orjson-3.11.4-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:95713e5fc8af84d8edc75b785d2386f653b63d62b16d681687746734b4dfc0be", size = 136160, upload-time = "2025-10-24T15:48:59.631Z" },
-    { url = "https://files.pythonhosted.org/packages/c4/35/a6d582766d351f87fc0a22ad740a641b0a8e6fc47515e8614d2e4790ae10/orjson-3.11.4-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:ad73ede24f9083614d6c4ca9a85fe70e33be7bf047ec586ee2363bc7418fe4d7", size = 140318, upload-time = "2025-10-24T15:49:00.834Z" },
-    { url = "https://files.pythonhosted.org/packages/76/b3/5a4801803ab2e2e2d703bce1a56540d9f99a9143fbec7bf63d225044fef8/orjson-3.11.4-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:842289889de515421f3f224ef9c1f1efb199a32d76d8d2ca2706fa8afe749549", size = 406330, upload-time = "2025-10-24T15:49:02.327Z" },
-    { url = "https://files.pythonhosted.org/packages/80/55/a8f682f64833e3a649f620eafefee175cbfeb9854fc5b710b90c3bca45df/orjson-3.11.4-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:3b2427ed5791619851c52a1261b45c233930977e7de8cf36de05636c708fa905", size = 149580, upload-time = "2025-10-24T15:49:03.517Z" },
-    { url = "https://files.pythonhosted.org/packages/ad/e4/c132fa0c67afbb3eb88274fa98df9ac1f631a675e7877037c611805a4413/orjson-3.11.4-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:3c36e524af1d29982e9b190573677ea02781456b2e537d5840e4538a5ec41907", size = 139846, upload-time = "2025-10-24T15:49:04.761Z" },
-    { url = "https://files.pythonhosted.org/packages/54/06/dc3491489efd651fef99c5908e13951abd1aead1257c67f16135f95ce209/orjson-3.11.4-cp311-cp311-win32.whl", hash = "sha256:87255b88756eab4a68ec61837ca754e5d10fa8bc47dc57f75cedfeaec358d54c", size = 135781, upload-time = "2025-10-24T15:49:05.969Z" },
-    { url = "https://files.pythonhosted.org/packages/79/b7/5e5e8d77bd4ea02a6ac54c42c818afb01dd31961be8a574eb79f1d2cfb1e/orjson-3.11.4-cp311-cp311-win_amd64.whl", hash = "sha256:e2d5d5d798aba9a0e1fede8d853fa899ce2cb930ec0857365f700dffc2c7af6a", size = 131391, upload-time = "2025-10-24T15:49:07.355Z" },
-    { url = "https://files.pythonhosted.org/packages/0f/dc/9484127cc1aa213be398ed735f5f270eedcb0c0977303a6f6ddc46b60204/orjson-3.11.4-cp311-cp311-win_arm64.whl", hash = "sha256:6bb6bb41b14c95d4f2702bce9975fda4516f1db48e500102fc4d8119032ff045", size = 126252, upload-time = "2025-10-24T15:49:08.869Z" },
-    { url = "https://files.pythonhosted.org/packages/63/51/6b556192a04595b93e277a9ff71cd0cc06c21a7df98bcce5963fa0f5e36f/orjson-3.11.4-cp312-cp312-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:d4371de39319d05d3f482f372720b841c841b52f5385bd99c61ed69d55d9ab50", size = 243571, upload-time = "2025-10-24T15:49:10.008Z" },
-    { url = "https://files.pythonhosted.org/packages/1c/2c/2602392ddf2601d538ff11848b98621cd465d1a1ceb9db9e8043181f2f7b/orjson-3.11.4-cp312-cp312-macosx_15_0_arm64.whl", hash = "sha256:e41fd3b3cac850eaae78232f37325ed7d7436e11c471246b87b2cd294ec94853", size = 128891, upload-time = "2025-10-24T15:49:11.297Z" },
-    { url = "https://files.pythonhosted.org/packages/4e/47/bf85dcf95f7a3a12bf223394a4f849430acd82633848d52def09fa3f46ad/orjson-3.11.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:600e0e9ca042878c7fdf189cf1b028fe2c1418cc9195f6cb9824eb6ed99cb938", size = 130137, upload-time = "2025-10-24T15:49:12.544Z" },
-    { url = "https://files.pythonhosted.org/packages/b4/4d/a0cb31007f3ab6f1fd2a1b17057c7c349bc2baf8921a85c0180cc7be8011/orjson-3.11.4-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:7bbf9b333f1568ef5da42bc96e18bf30fd7f8d54e9ae066d711056add508e415", size = 129152, upload-time = "2025-10-24T15:49:13.754Z" },
-    { url = "https://files.pythonhosted.org/packages/f7/ef/2811def7ce3d8576b19e3929fff8f8f0d44bc5eb2e0fdecb2e6e6cc6c720/orjson-3.11.4-cp312-cp312-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4806363144bb6e7297b8e95870e78d30a649fdc4e23fc84daa80c8ebd366ce44", size = 136834, upload-time = "2025-10-24T15:49:15.307Z" },
-    { url = "https://files.pythonhosted.org/packages/00/d4/9aee9e54f1809cec8ed5abd9bc31e8a9631d19460e3b8470145d25140106/orjson-3.11.4-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ad355e8308493f527d41154e9053b86a5be892b3b359a5c6d5d95cda23601cb2", size = 137519, upload-time = "2025-10-24T15:49:16.557Z" },
-    { url = "https://files.pythonhosted.org/packages/db/ea/67bfdb5465d5679e8ae8d68c11753aaf4f47e3e7264bad66dc2f2249e643/orjson-3.11.4-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c8a7517482667fb9f0ff1b2f16fe5829296ed7a655d04d68cd9711a4d8a4e708", size = 136749, upload-time = "2025-10-24T15:49:17.796Z" },
-    { url = "https://files.pythonhosted.org/packages/01/7e/62517dddcfce6d53a39543cd74d0dccfcbdf53967017c58af68822100272/orjson-3.11.4-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:97eb5942c7395a171cbfecc4ef6701fc3c403e762194683772df4c54cfbb2210", size = 136325, upload-time = "2025-10-24T15:49:19.347Z" },
-    { url = "https://files.pythonhosted.org/packages/18/ae/40516739f99ab4c7ec3aaa5cc242d341fcb03a45d89edeeaabc5f69cb2cf/orjson-3.11.4-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:149d95d5e018bdd822e3f38c103b1a7c91f88d38a88aada5c4e9b3a73a244241", size = 140204, upload-time = "2025-10-24T15:49:20.545Z" },
-    { url = "https://files.pythonhosted.org/packages/82/18/ff5734365623a8916e3a4037fcef1cd1782bfc14cf0992afe7940c5320bf/orjson-3.11.4-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:624f3951181eb46fc47dea3d221554e98784c823e7069edb5dbd0dc826ac909b", size = 406242, upload-time = "2025-10-24T15:49:21.884Z" },
-    { url = "https://files.pythonhosted.org/packages/e1/43/96436041f0a0c8c8deca6a05ebeaf529bf1de04839f93ac5e7c479807aec/orjson-3.11.4-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:03bfa548cf35e3f8b3a96c4e8e41f753c686ff3d8e182ce275b1751deddab58c", size = 150013, upload-time = "2025-10-24T15:49:23.185Z" },
-    { url = "https://files.pythonhosted.org/packages/1b/48/78302d98423ed8780479a1e682b9aecb869e8404545d999d34fa486e573e/orjson-3.11.4-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:525021896afef44a68148f6ed8a8bf8375553d6066c7f48537657f64823565b9", size = 139951, upload-time = "2025-10-24T15:49:24.428Z" },
-    { url = "https://files.pythonhosted.org/packages/4a/7b/ad613fdcdaa812f075ec0875143c3d37f8654457d2af17703905425981bf/orjson-3.11.4-cp312-cp312-win32.whl", hash = "sha256:b58430396687ce0f7d9eeb3dd47761ca7d8fda8e9eb92b3077a7a353a75efefa", size = 136049, upload-time = "2025-10-24T15:49:25.973Z" },
-    { url = "https://files.pythonhosted.org/packages/b9/3c/9cf47c3ff5f39b8350fb21ba65d789b6a1129d4cbb3033ba36c8a9023520/orjson-3.11.4-cp312-cp312-win_amd64.whl", hash = "sha256:c6dbf422894e1e3c80a177133c0dda260f81428f9de16d61041949f6a2e5c140", size = 131461, upload-time = "2025-10-24T15:49:27.259Z" },
-    { url = "https://files.pythonhosted.org/packages/c6/3b/e2425f61e5825dc5b08c2a5a2b3af387eaaca22a12b9c8c01504f8614c36/orjson-3.11.4-cp312-cp312-win_arm64.whl", hash = "sha256:d38d2bc06d6415852224fcc9c0bfa834c25431e466dc319f0edd56cca81aa96e", size = 126167, upload-time = "2025-10-24T15:49:28.511Z" },
-    { url = "https://files.pythonhosted.org/packages/23/15/c52aa7112006b0f3d6180386c3a46ae057f932ab3425bc6f6ac50431cca1/orjson-3.11.4-cp313-cp313-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:2d6737d0e616a6e053c8b4acc9eccea6b6cce078533666f32d140e4f85002534", size = 243525, upload-time = "2025-10-24T15:49:29.737Z" },
-    { url = "https://files.pythonhosted.org/packages/ec/38/05340734c33b933fd114f161f25a04e651b0c7c33ab95e9416ade5cb44b8/orjson-3.11.4-cp313-cp313-macosx_15_0_arm64.whl", hash = "sha256:afb14052690aa328cc118a8e09f07c651d301a72e44920b887c519b313d892ff", size = 128871, upload-time = "2025-10-24T15:49:31.109Z" },
-    { url = "https://files.pythonhosted.org/packages/55/b9/ae8d34899ff0c012039b5a7cb96a389b2476e917733294e498586b45472d/orjson-3.11.4-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:38aa9e65c591febb1b0aed8da4d469eba239d434c218562df179885c94e1a3ad", size = 130055, upload-time = "2025-10-24T15:49:33.382Z" },
-    { url = "https://files.pythonhosted.org/packages/33/aa/6346dd5073730451bee3681d901e3c337e7ec17342fb79659ec9794fc023/orjson-3.11.4-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:f2cf4dfaf9163b0728d061bebc1e08631875c51cd30bf47cb9e3293bfbd7dcd5", size = 129061, upload-time = "2025-10-24T15:49:34.935Z" },
-    { url = "https://files.pythonhosted.org/packages/39/e4/8eea51598f66a6c853c380979912d17ec510e8e66b280d968602e680b942/orjson-3.11.4-cp313-cp313-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:89216ff3dfdde0e4070932e126320a1752c9d9a758d6a32ec54b3b9334991a6a", size = 136541, upload-time = "2025-10-24T15:49:36.923Z" },
-    { url = "https://files.pythonhosted.org/packages/9a/47/cb8c654fa9adcc60e99580e17c32b9e633290e6239a99efa6b885aba9dbc/orjson-3.11.4-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9daa26ca8e97fae0ce8aa5d80606ef8f7914e9b129b6b5df9104266f764ce436", size = 137535, upload-time = "2025-10-24T15:49:38.307Z" },
-    { url = "https://files.pythonhosted.org/packages/43/92/04b8cc5c2b729f3437ee013ce14a60ab3d3001465d95c184758f19362f23/orjson-3.11.4-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5c8b2769dc31883c44a9cd126560327767f848eb95f99c36c9932f51090bfce9", size = 136703, upload-time = "2025-10-24T15:49:40.795Z" },
-    { url = "https://files.pythonhosted.org/packages/aa/fd/d0733fcb9086b8be4ebcfcda2d0312865d17d0d9884378b7cffb29d0763f/orjson-3.11.4-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1469d254b9884f984026bd9b0fa5bbab477a4bfe558bba6848086f6d43eb5e73", size = 136293, upload-time = "2025-10-24T15:49:42.347Z" },
-    { url = "https://files.pythonhosted.org/packages/c2/d7/3c5514e806837c210492d72ae30ccf050ce3f940f45bf085bab272699ef4/orjson-3.11.4-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:68e44722541983614e37117209a194e8c3ad07838ccb3127d96863c95ec7f1e0", size = 140131, upload-time = "2025-10-24T15:49:43.638Z" },
-    { url = "https://files.pythonhosted.org/packages/9c/dd/ba9d32a53207babf65bd510ac4d0faaa818bd0df9a9c6f472fe7c254f2e3/orjson-3.11.4-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:8e7805fda9672c12be2f22ae124dcd7b03928d6c197544fe12174b86553f3196", size = 406164, upload-time = "2025-10-24T15:49:45.498Z" },
-    { url = "https://files.pythonhosted.org/packages/8e/f9/f68ad68f4af7c7bde57cd514eaa2c785e500477a8bc8f834838eb696a685/orjson-3.11.4-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:04b69c14615fb4434ab867bf6f38b2d649f6f300af30a6705397e895f7aec67a", size = 149859, upload-time = "2025-10-24T15:49:46.981Z" },
-    { url = "https://files.pythonhosted.org/packages/b6/d2/7f847761d0c26818395b3d6b21fb6bc2305d94612a35b0a30eae65a22728/orjson-3.11.4-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:639c3735b8ae7f970066930e58cf0ed39a852d417c24acd4a25fc0b3da3c39a6", size = 139926, upload-time = "2025-10-24T15:49:48.321Z" },
-    { url = "https://files.pythonhosted.org/packages/9f/37/acd14b12dc62db9a0e1d12386271b8661faae270b22492580d5258808975/orjson-3.11.4-cp313-cp313-win32.whl", hash = "sha256:6c13879c0d2964335491463302a6ca5ad98105fc5db3565499dcb80b1b4bd839", size = 136007, upload-time = "2025-10-24T15:49:49.938Z" },
-    { url = "https://files.pythonhosted.org/packages/c0/a9/967be009ddf0a1fffd7a67de9c36656b28c763659ef91352acc02cbe364c/orjson-3.11.4-cp313-cp313-win_amd64.whl", hash = "sha256:09bf242a4af98732db9f9a1ec57ca2604848e16f132e3f72edfd3c5c96de009a", size = 131314, upload-time = "2025-10-24T15:49:51.248Z" },
-    { url = "https://files.pythonhosted.org/packages/cb/db/399abd6950fbd94ce125cb8cd1a968def95174792e127b0642781e040ed4/orjson-3.11.4-cp313-cp313-win_arm64.whl", hash = "sha256:a85f0adf63319d6c1ba06fb0dbf997fced64a01179cf17939a6caca662bf92de", size = 126152, upload-time = "2025-10-24T15:49:52.922Z" },
-    { url = "https://files.pythonhosted.org/packages/25/e3/54ff63c093cc1697e758e4fceb53164dd2661a7d1bcd522260ba09f54533/orjson-3.11.4-cp314-cp314-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:42d43a1f552be1a112af0b21c10a5f553983c2a0938d2bbb8ecd8bc9fb572803", size = 243501, upload-time = "2025-10-24T15:49:54.288Z" },
-    { url = "https://files.pythonhosted.org/packages/ac/7d/e2d1076ed2e8e0ae9badca65bf7ef22710f93887b29eaa37f09850604e09/orjson-3.11.4-cp314-cp314-macosx_15_0_arm64.whl", hash = "sha256:26a20f3fbc6c7ff2cb8e89c4c5897762c9d88cf37330c6a117312365d6781d54", size = 128862, upload-time = "2025-10-24T15:49:55.961Z" },
-    { url = "https://files.pythonhosted.org/packages/9f/37/ca2eb40b90621faddfa9517dfe96e25f5ae4d8057a7c0cdd613c17e07b2c/orjson-3.11.4-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6e3f20be9048941c7ffa8fc523ccbd17f82e24df1549d1d1fe9317712d19938e", size = 130047, upload-time = "2025-10-24T15:49:57.406Z" },
-    { url = "https://files.pythonhosted.org/packages/c7/62/1021ed35a1f2bad9040f05fa4cc4f9893410df0ba3eaa323ccf899b1c90a/orjson-3.11.4-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:aac364c758dc87a52e68e349924d7e4ded348dedff553889e4d9f22f74785316", size = 129073, upload-time = "2025-10-24T15:49:58.782Z" },
-    { url = "https://files.pythonhosted.org/packages/e8/3f/f84d966ec2a6fd5f73b1a707e7cd876813422ae4bf9f0145c55c9c6a0f57/orjson-3.11.4-cp314-cp314-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d5c54a6d76e3d741dcc3f2707f8eeb9ba2a791d3adbf18f900219b62942803b1", size = 136597, upload-time = "2025-10-24T15:50:00.12Z" },
-    { url = "https://files.pythonhosted.org/packages/32/78/4fa0aeca65ee82bbabb49e055bd03fa4edea33f7c080c5c7b9601661ef72/orjson-3.11.4-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f28485bdca8617b79d44627f5fb04336897041dfd9fa66d383a49d09d86798bc", size = 137515, upload-time = "2025-10-24T15:50:01.57Z" },
-    { url = "https://files.pythonhosted.org/packages/c1/9d/0c102e26e7fde40c4c98470796d050a2ec1953897e2c8ab0cb95b0759fa2/orjson-3.11.4-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:bfc2a484cad3585e4ba61985a6062a4c2ed5c7925db6d39f1fa267c9d166487f", size = 136703, upload-time = "2025-10-24T15:50:02.944Z" },
-    { url = "https://files.pythonhosted.org/packages/df/ac/2de7188705b4cdfaf0b6c97d2f7849c17d2003232f6e70df98602173f788/orjson-3.11.4-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e34dbd508cb91c54f9c9788923daca129fe5b55c5b4eebe713bf5ed3791280cf", size = 136311, upload-time = "2025-10-24T15:50:04.441Z" },
-    { url = "https://files.pythonhosted.org/packages/e0/52/847fcd1a98407154e944feeb12e3b4d487a0e264c40191fb44d1269cbaa1/orjson-3.11.4-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:b13c478fa413d4b4ee606ec8e11c3b2e52683a640b006bb586b3041c2ca5f606", size = 140127, upload-time = "2025-10-24T15:50:07.398Z" },
-    { url = "https://files.pythonhosted.org/packages/c1/ae/21d208f58bdb847dd4d0d9407e2929862561841baa22bdab7aea10ca088e/orjson-3.11.4-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:724ca721ecc8a831b319dcd72cfa370cc380db0bf94537f08f7edd0a7d4e1780", size = 406201, upload-time = "2025-10-24T15:50:08.796Z" },
-    { url = "https://files.pythonhosted.org/packages/8d/55/0789d6de386c8366059db098a628e2ad8798069e94409b0d8935934cbcb9/orjson-3.11.4-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:977c393f2e44845ce1b540e19a786e9643221b3323dae190668a98672d43fb23", size = 149872, upload-time = "2025-10-24T15:50:10.234Z" },
-    { url = "https://files.pythonhosted.org/packages/cc/1d/7ff81ea23310e086c17b41d78a72270d9de04481e6113dbe2ac19118f7fb/orjson-3.11.4-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:1e539e382cf46edec157ad66b0b0872a90d829a6b71f17cb633d6c160a223155", size = 139931, upload-time = "2025-10-24T15:50:11.623Z" },
-    { url = "https://files.pythonhosted.org/packages/77/92/25b886252c50ed64be68c937b562b2f2333b45afe72d53d719e46a565a50/orjson-3.11.4-cp314-cp314-win32.whl", hash = "sha256:d63076d625babab9db5e7836118bdfa086e60f37d8a174194ae720161eb12394", size = 136065, upload-time = "2025-10-24T15:50:13.025Z" },
-    { url = "https://files.pythonhosted.org/packages/63/b8/718eecf0bb7e9d64e4956afaafd23db9f04c776d445f59fe94f54bdae8f0/orjson-3.11.4-cp314-cp314-win_amd64.whl", hash = "sha256:0a54d6635fa3aaa438ae32e8570b9f0de36f3f6562c308d2a2a452e8b0592db1", size = 131310, upload-time = "2025-10-24T15:50:14.46Z" },
-    { url = "https://files.pythonhosted.org/packages/1a/bf/def5e25d4d8bfce296a9a7c8248109bf58622c21618b590678f945a2c59c/orjson-3.11.4-cp314-cp314-win_arm64.whl", hash = "sha256:78b999999039db3cf58f6d230f524f04f75f129ba3d1ca2ed121f8657e575d3d", size = 126151, upload-time = "2025-10-24T15:50:15.878Z" },
+    { url = "https://files.pythonhosted.org/packages/f3/fd/d6b0a36854179b93ed77839f107c4089d91cccc9f9ba1b752b6e3bac5f34/orjson-3.11.6-cp311-cp311-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:e259e85a81d76d9665f03d6129e09e4435531870de5961ddcd0bf6e3a7fde7d7", size = 250029, upload-time = "2026-01-29T15:11:35.942Z" },
+    { url = "https://files.pythonhosted.org/packages/a3/bb/22902619826641cf3b627c24aab62e2ad6b571bdd1d34733abb0dd57f67a/orjson-3.11.6-cp311-cp311-macosx_15_0_arm64.whl", hash = "sha256:52263949f41b4a4822c6b1353bcc5ee2f7109d53a3b493501d3369d6d0e7937a", size = 134518, upload-time = "2026-01-29T15:11:37.347Z" },
+    { url = "https://files.pythonhosted.org/packages/72/90/7a818da4bba1de711a9653c420749c0ac95ef8f8651cbc1dca551f462fe0/orjson-3.11.6-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6439e742fa7834a24698d358a27346bb203bff356ae0402e7f5df8f749c621a8", size = 137917, upload-time = "2026-01-29T15:11:38.511Z" },
+    { url = "https://files.pythonhosted.org/packages/59/0f/02846c1cac8e205cb3822dd8aa8f9114acda216f41fd1999ace6b543418d/orjson-3.11.6-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:b81ffd68f084b4e993e3867acb554a049fa7787cc8710bbcc1e26965580d99be", size = 134923, upload-time = "2026-01-29T15:11:39.711Z" },
+    { url = "https://files.pythonhosted.org/packages/94/cf/aeaf683001b474bb3c3c757073a4231dfdfe8467fceaefa5bfd40902c99f/orjson-3.11.6-cp311-cp311-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a5a5468e5e60f7ef6d7f9044b06c8f94a3c56ba528c6e4f7f06ae95164b595ec", size = 140752, upload-time = "2026-01-29T15:11:41.347Z" },
+    { url = "https://files.pythonhosted.org/packages/fc/fe/dad52d8315a65f084044a0819d74c4c9daf9ebe0681d30f525b0d29a31f0/orjson-3.11.6-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:72c5005eb45bd2535632d4f3bec7ad392832cfc46b62a3021da3b48a67734b45", size = 144201, upload-time = "2026-01-29T15:11:42.537Z" },
+    { url = "https://files.pythonhosted.org/packages/36/bc/ab070dd421565b831801077f1e390c4d4af8bfcecafc110336680a33866b/orjson-3.11.6-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0b14dd49f3462b014455a28a4d810d3549bf990567653eb43765cd847df09145", size = 142380, upload-time = "2026-01-29T15:11:44.309Z" },
+    { url = "https://files.pythonhosted.org/packages/e6/d8/4b581c725c3a308717f28bf45a9fdac210bca08b67e8430143699413ff06/orjson-3.11.6-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6e0bb2c1ea30ef302f0f89f9bf3e7f9ab5e2af29dc9f80eb87aa99788e4e2d65", size = 145582, upload-time = "2026-01-29T15:11:45.506Z" },
+    { url = "https://files.pythonhosted.org/packages/5b/a2/09aab99b39f9a7f175ea8fa29adb9933a3d01e7d5d603cdee7f1c40c8da2/orjson-3.11.6-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:825e0a85d189533c6bff7e2fc417a28f6fcea53d27125c4551979aecd6c9a197", size = 147270, upload-time = "2026-01-29T15:11:46.782Z" },
+    { url = "https://files.pythonhosted.org/packages/b8/2f/5ef8eaf7829dc50da3bf497c7775b21ee88437bc8c41f959aa3504ca6631/orjson-3.11.6-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:b04575417a26530637f6ab4b1f7b4f666eb0433491091da4de38611f97f2fcf3", size = 421222, upload-time = "2026-01-29T15:11:48.106Z" },
+    { url = "https://files.pythonhosted.org/packages/3b/b0/dd6b941294c2b5b13da5fdc7e749e58d0c55a5114ab37497155e83050e95/orjson-3.11.6-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:b83eb2e40e8c4da6d6b340ee6b1d6125f5195eb1b0ebb7eac23c6d9d4f92d224", size = 155562, upload-time = "2026-01-29T15:11:49.408Z" },
+    { url = "https://files.pythonhosted.org/packages/8e/09/43924331a847476ae2f9a16bd6d3c9dab301265006212ba0d3d7fd58763a/orjson-3.11.6-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:1f42da604ee65a6b87eef858c913ce3e5777872b19321d11e6fc6d21de89b64f", size = 147432, upload-time = "2026-01-29T15:11:50.635Z" },
+    { url = "https://files.pythonhosted.org/packages/5d/e9/d9865961081816909f6b49d880749dbbd88425afd7c5bbce0549e2290d77/orjson-3.11.6-cp311-cp311-win32.whl", hash = "sha256:5ae45df804f2d344cffb36c43fdf03c82fb6cd247f5faa41e21891b40dfbf733", size = 139623, upload-time = "2026-01-29T15:11:51.82Z" },
+    { url = "https://files.pythonhosted.org/packages/b4/f9/6836edb92f76eec1082919101eb1145d2f9c33c8f2c5e6fa399b82a2aaa8/orjson-3.11.6-cp311-cp311-win_amd64.whl", hash = "sha256:f4295948d65ace0a2d8f2c4ccc429668b7eb8af547578ec882e16bf79b0050b2", size = 136647, upload-time = "2026-01-29T15:11:53.454Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/0c/4954082eea948c9ae52ee0bcbaa2f99da3216a71bcc314ab129bde22e565/orjson-3.11.6-cp311-cp311-win_arm64.whl", hash = "sha256:314e9c45e0b81b547e3a1cfa3df3e07a815821b3dac9fe8cb75014071d0c16a4", size = 135327, upload-time = "2026-01-29T15:11:56.616Z" },
+    { url = "https://files.pythonhosted.org/packages/14/ba/759f2879f41910b7e5e0cdbd9cf82a4f017c527fb0e972e9869ca7fe4c8e/orjson-3.11.6-cp312-cp312-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:6f03f30cd8953f75f2a439070c743c7336d10ee940da918d71c6f3556af3ddcf", size = 249988, upload-time = "2026-01-29T15:11:58.294Z" },
+    { url = "https://files.pythonhosted.org/packages/f0/70/54cecb929e6c8b10104fcf580b0cc7dc551aa193e83787dd6f3daba28bb5/orjson-3.11.6-cp312-cp312-macosx_15_0_arm64.whl", hash = "sha256:af44baae65ef386ad971469a8557a0673bb042b0b9fd4397becd9c2dfaa02588", size = 134445, upload-time = "2026-01-29T15:11:59.819Z" },
+    { url = "https://files.pythonhosted.org/packages/f2/6f/ec0309154457b9ba1ad05f11faa4441f76037152f75e1ac577db3ce7ca96/orjson-3.11.6-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c310a48542094e4f7dbb6ac076880994986dda8ca9186a58c3cb70a3514d3231", size = 137708, upload-time = "2026-01-29T15:12:01.488Z" },
+    { url = "https://files.pythonhosted.org/packages/20/52/3c71b80840f8bab9cb26417302707b7716b7d25f863f3a541bcfa232fe6e/orjson-3.11.6-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:d8dfa7a5d387f15ecad94cb6b2d2d5f4aeea64efd8d526bfc03c9812d01e1cc0", size = 134798, upload-time = "2026-01-29T15:12:02.705Z" },
+    { url = "https://files.pythonhosted.org/packages/30/51/b490a43b22ff736282360bd02e6bded455cf31dfc3224e01cd39f919bbd2/orjson-3.11.6-cp312-cp312-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ba8daee3e999411b50f8b50dbb0a3071dd1845f3f9a1a0a6fa6de86d1689d84d", size = 140839, upload-time = "2026-01-29T15:12:03.956Z" },
+    { url = "https://files.pythonhosted.org/packages/95/bc/4bcfe4280c1bc63c5291bb96f98298845b6355da2226d3400e17e7b51e53/orjson-3.11.6-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f89d104c974eafd7436d7a5fdbc57f7a1e776789959a2f4f1b2eab5c62a339f4", size = 144080, upload-time = "2026-01-29T15:12:05.151Z" },
+    { url = "https://files.pythonhosted.org/packages/01/74/22970f9ead9ab1f1b5f8c227a6c3aa8d71cd2c5acd005868a1d44f2362fa/orjson-3.11.6-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b2e2e2456788ca5ea75616c40da06fc885a7dc0389780e8a41bf7c5389ba257b", size = 142435, upload-time = "2026-01-29T15:12:06.641Z" },
+    { url = "https://files.pythonhosted.org/packages/29/34/d564aff85847ab92c82ee43a7a203683566c2fca0723a5f50aebbe759603/orjson-3.11.6-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2a42efebc45afabb1448001e90458c4020d5c64fbac8a8dc4045b777db76cb5a", size = 145631, upload-time = "2026-01-29T15:12:08.351Z" },
+    { url = "https://files.pythonhosted.org/packages/e7/ef/016957a3890752c4aa2368326ea69fa53cdc1fdae0a94a542b6410dbdf52/orjson-3.11.6-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:71b7cbef8471324966c3738c90ba38775563ef01b512feb5ad4805682188d1b9", size = 147058, upload-time = "2026-01-29T15:12:10.023Z" },
+    { url = "https://files.pythonhosted.org/packages/56/cc/9a899c3972085645b3225569f91a30e221f441e5dc8126e6d060b971c252/orjson-3.11.6-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:f8515e5910f454fe9a8e13c2bb9dc4bae4c1836313e967e72eb8a4ad874f0248", size = 421161, upload-time = "2026-01-29T15:12:11.308Z" },
+    { url = "https://files.pythonhosted.org/packages/21/a8/767d3fbd6d9b8fdee76974db40619399355fd49bf91a6dd2c4b6909ccf05/orjson-3.11.6-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:300360edf27c8c9bf7047345a94fddf3a8b8922df0ff69d71d854a170cb375cf", size = 155757, upload-time = "2026-01-29T15:12:12.776Z" },
+    { url = "https://files.pythonhosted.org/packages/ad/0b/205cd69ac87e2272e13ef3f5f03a3d4657e317e38c1b08aaa2ef97060bbc/orjson-3.11.6-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:caaed4dad39e271adfadc106fab634d173b2bb23d9cf7e67bd645f879175ebfc", size = 147446, upload-time = "2026-01-29T15:12:14.166Z" },
+    { url = "https://files.pythonhosted.org/packages/de/c5/dd9f22aa9f27c54c7d05cc32f4580c9ac9b6f13811eeb81d6c4c3f50d6b1/orjson-3.11.6-cp312-cp312-win32.whl", hash = "sha256:955368c11808c89793e847830e1b1007503a5923ddadc108547d3b77df761044", size = 139717, upload-time = "2026-01-29T15:12:15.7Z" },
+    { url = "https://files.pythonhosted.org/packages/23/a1/e62fc50d904486970315a1654b8cfb5832eb46abb18cd5405118e7e1fc79/orjson-3.11.6-cp312-cp312-win_amd64.whl", hash = "sha256:2c68de30131481150073d90a5d227a4a421982f42c025ecdfb66157f9579e06f", size = 136711, upload-time = "2026-01-29T15:12:17.055Z" },
+    { url = "https://files.pythonhosted.org/packages/04/3d/b4fefad8bdf91e0fe212eb04975aeb36ea92997269d68857efcc7eb1dda3/orjson-3.11.6-cp312-cp312-win_arm64.whl", hash = "sha256:65dfa096f4e3a5e02834b681f539a87fbe85adc82001383c0db907557f666bfc", size = 135212, upload-time = "2026-01-29T15:12:18.3Z" },
+    { url = "https://files.pythonhosted.org/packages/ae/45/d9c71c8c321277bc1ceebf599bc55ba826ae538b7c61f287e9a7e71bd589/orjson-3.11.6-cp313-cp313-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:e4ae1670caabb598a88d385798692ce2a1b2f078971b3329cfb85253c6097f5b", size = 249828, upload-time = "2026-01-29T15:12:20.14Z" },
+    { url = "https://files.pythonhosted.org/packages/ac/7e/4afcf4cfa9c2f93846d70eee9c53c3c0123286edcbeb530b7e9bd2aea1b2/orjson-3.11.6-cp313-cp313-macosx_15_0_arm64.whl", hash = "sha256:2c6b81f47b13dac2caa5d20fbc953c75eb802543abf48403a4703ed3bff225f0", size = 134339, upload-time = "2026-01-29T15:12:22.01Z" },
+    { url = "https://files.pythonhosted.org/packages/40/10/6d2b8a064c8d2411d3d0ea6ab43125fae70152aef6bea77bb50fa54d4097/orjson-3.11.6-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:647d6d034e463764e86670644bdcaf8e68b076e6e74783383b01085ae9ab334f", size = 137662, upload-time = "2026-01-29T15:12:23.307Z" },
+    { url = "https://files.pythonhosted.org/packages/5a/50/5804ea7d586baf83ee88969eefda97a24f9a5bdba0727f73e16305175b26/orjson-3.11.6-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8523b9cc4ef174ae52414f7699e95ee657c16aa18b3c3c285d48d7966cce9081", size = 134626, upload-time = "2026-01-29T15:12:25.099Z" },
+    { url = "https://files.pythonhosted.org/packages/9e/2e/f0492ed43e376722bb4afd648e06cc1e627fc7ec8ff55f6ee739277813ea/orjson-3.11.6-cp313-cp313-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:313dfd7184cde50c733fc0d5c8c0e2f09017b573afd11dc36bd7476b30b4cb17", size = 140873, upload-time = "2026-01-29T15:12:26.369Z" },
+    { url = "https://files.pythonhosted.org/packages/10/15/6f874857463421794a303a39ac5494786ad46a4ab46d92bda6705d78c5aa/orjson-3.11.6-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:905ee036064ff1e1fd1fb800055ac477cdcb547a78c22c1bc2bbf8d5d1a6fb42", size = 144044, upload-time = "2026-01-29T15:12:28.082Z" },
+    { url = "https://files.pythonhosted.org/packages/d2/c7/b7223a3a70f1d0cc2d86953825de45f33877ee1b124a91ca1f79aa6e643f/orjson-3.11.6-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:ce374cb98411356ba906914441fc993f271a7a666d838d8de0e0900dd4a4bc12", size = 142396, upload-time = "2026-01-29T15:12:30.529Z" },
+    { url = "https://files.pythonhosted.org/packages/87/e3/aa1b6d3ad3cd80f10394134f73ae92a1d11fdbe974c34aa199cc18bb5fcf/orjson-3.11.6-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cded072b9f65fcfd188aead45efa5bd528ba552add619b3ad2a81f67400ec450", size = 145600, upload-time = "2026-01-29T15:12:31.848Z" },
+    { url = "https://files.pythonhosted.org/packages/f6/cf/e4aac5a46cbd39d7e769ef8650efa851dfce22df1ba97ae2b33efe893b12/orjson-3.11.6-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:7ab85bdbc138e1f73a234db6bb2e4cc1f0fcec8f4bd2bd2430e957a01aadf746", size = 146967, upload-time = "2026-01-29T15:12:33.203Z" },
+    { url = "https://files.pythonhosted.org/packages/0b/04/975b86a4bcf6cfeda47aad15956d52fbeda280811206e9967380fa9355c8/orjson-3.11.6-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:351b96b614e3c37a27b8ab048239ebc1e0be76cc17481a430d70a77fb95d3844", size = 421003, upload-time = "2026-01-29T15:12:35.097Z" },
+    { url = "https://files.pythonhosted.org/packages/28/d1/0369d0baf40eea5ff2300cebfe209883b2473ab4aa4c4974c8bd5ee42bb2/orjson-3.11.6-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:f9959c85576beae5cdcaaf39510b15105f1ee8b70d5dacd90152617f57be8c83", size = 155695, upload-time = "2026-01-29T15:12:36.589Z" },
+    { url = "https://files.pythonhosted.org/packages/ab/1f/d10c6d6ae26ff1d7c3eea6fd048280ef2e796d4fb260c5424fd021f68ecf/orjson-3.11.6-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:75682d62b1b16b61a30716d7a2ec1f4c36195de4a1c61f6665aedd947b93a5d5", size = 147392, upload-time = "2026-01-29T15:12:37.876Z" },
+    { url = "https://files.pythonhosted.org/packages/8d/43/7479921c174441a0aa5277c313732e20713c0969ac303be9f03d88d3db5d/orjson-3.11.6-cp313-cp313-win32.whl", hash = "sha256:40dc277999c2ef227dcc13072be879b4cfd325502daeb5c35ed768f706f2bf30", size = 139718, upload-time = "2026-01-29T15:12:39.274Z" },
+    { url = "https://files.pythonhosted.org/packages/88/bc/9ffe7dfbf8454bc4e75bb8bf3a405ed9e0598df1d3535bb4adcd46be07d0/orjson-3.11.6-cp313-cp313-win_amd64.whl", hash = "sha256:f0f6e9f8ff7905660bc3c8a54cd4a675aa98f7f175cf00a59815e2ff42c0d916", size = 136635, upload-time = "2026-01-29T15:12:40.593Z" },
+    { url = "https://files.pythonhosted.org/packages/6f/7e/51fa90b451470447ea5023b20d83331ec741ae28d1e6d8ed547c24e7de14/orjson-3.11.6-cp313-cp313-win_arm64.whl", hash = "sha256:1608999478664de848e5900ce41f25c4ecdfc4beacbc632b6fd55e1a586e5d38", size = 135175, upload-time = "2026-01-29T15:12:41.997Z" },
+    { url = "https://files.pythonhosted.org/packages/31/9f/46ca908abaeeec7560638ff20276ab327b980d73b3cc2f5b205b4a1c60b3/orjson-3.11.6-cp314-cp314-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:6026db2692041d2a23fe2545606df591687787825ad5821971ef0974f2c47630", size = 249823, upload-time = "2026-01-29T15:12:43.332Z" },
+    { url = "https://files.pythonhosted.org/packages/ff/78/ca478089818d18c9cd04f79c43f74ddd031b63c70fa2a946eb5e85414623/orjson-3.11.6-cp314-cp314-macosx_15_0_arm64.whl", hash = "sha256:132b0ab2e20c73afa85cf142e547511feb3d2f5b7943468984658f3952b467d4", size = 134328, upload-time = "2026-01-29T15:12:45.171Z" },
+    { url = "https://files.pythonhosted.org/packages/39/5e/cbb9d830ed4e47f4375ad8eef8e4fff1bf1328437732c3809054fc4e80be/orjson-3.11.6-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b376fb05f20a96ec117d47987dd3b39265c635725bda40661b4c5b73b77b5fde", size = 137651, upload-time = "2026-01-29T15:12:46.602Z" },
+    { url = "https://files.pythonhosted.org/packages/7c/3a/35df6558c5bc3a65ce0961aefee7f8364e59af78749fc796ea255bfa0cf5/orjson-3.11.6-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:954dae4e080574672a1dfcf2a840eddef0f27bd89b0e94903dd0824e9c1db060", size = 134596, upload-time = "2026-01-29T15:12:47.95Z" },
+    { url = "https://files.pythonhosted.org/packages/cd/8e/3d32dd7b7f26a19cc4512d6ed0ae3429567c71feef720fe699ff43c5bc9e/orjson-3.11.6-cp314-cp314-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:fe515bb89d59e1e4b48637a964f480b35c0a2676de24e65e55310f6016cca7ce", size = 140923, upload-time = "2026-01-29T15:12:49.333Z" },
+    { url = "https://files.pythonhosted.org/packages/6c/9c/1efbf5c99b3304f25d6f0d493a8d1492ee98693637c10ce65d57be839d7b/orjson-3.11.6-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:380f9709c275917af28feb086813923251e11ee10687257cd7f1ea188bcd4485", size = 144068, upload-time = "2026-01-29T15:12:50.927Z" },
+    { url = "https://files.pythonhosted.org/packages/82/83/0d19eeb5be797de217303bbb55dde58dba26f996ed905d301d98fd2d4637/orjson-3.11.6-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a8173e0d3f6081e7034c51cf984036d02f6bab2a2126de5a759d79f8e5a140e7", size = 142493, upload-time = "2026-01-29T15:12:52.432Z" },
+    { url = "https://files.pythonhosted.org/packages/32/a7/573fec3df4dc8fc259b7770dc6c0656f91adce6e19330c78d23f87945d1e/orjson-3.11.6-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6dddf9ba706294906c56ef5150a958317b09aa3a8a48df1c52ccf22ec1907eac", size = 145616, upload-time = "2026-01-29T15:12:53.903Z" },
+    { url = "https://files.pythonhosted.org/packages/c2/0e/23551b16f21690f7fd5122e3cf40fdca5d77052a434d0071990f97f5fe2f/orjson-3.11.6-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:cbae5c34588dc79938dffb0b6fbe8c531f4dc8a6ad7f39759a9eb5d2da405ef2", size = 146951, upload-time = "2026-01-29T15:12:55.698Z" },
+    { url = "https://files.pythonhosted.org/packages/b8/63/5e6c8f39805c39123a18e412434ea364349ee0012548d08aa586e2bd6aa9/orjson-3.11.6-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:f75c318640acbddc419733b57f8a07515e587a939d8f54363654041fd1f4e465", size = 421024, upload-time = "2026-01-29T15:12:57.434Z" },
+    { url = "https://files.pythonhosted.org/packages/1d/4d/724975cf0087f6550bd01fd62203418afc0ea33fd099aed318c5bcc52df8/orjson-3.11.6-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:e0ab8d13aa2a3e98b4a43487c9205b2c92c38c054b4237777484d503357c8437", size = 155774, upload-time = "2026-01-29T15:12:59.397Z" },
+    { url = "https://files.pythonhosted.org/packages/a8/a3/f4c4e3f46b55db29e0a5f20493b924fc791092d9a03ff2068c9fe6c1002f/orjson-3.11.6-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:f884c7fb1020d44612bd7ac0db0babba0e2f78b68d9a650c7959bf99c783773f", size = 147393, upload-time = "2026-01-29T15:13:00.769Z" },
+    { url = "https://files.pythonhosted.org/packages/ee/86/6f5529dd27230966171ee126cecb237ed08e9f05f6102bfaf63e5b32277d/orjson-3.11.6-cp314-cp314-win32.whl", hash = "sha256:8d1035d1b25732ec9f971e833a3e299d2b1a330236f75e6fd945ad982c76aaf3", size = 139760, upload-time = "2026-01-29T15:13:02.173Z" },
+    { url = "https://files.pythonhosted.org/packages/d3/b5/91ae7037b2894a6b5002fb33f4fbccec98424a928469835c3837fbb22a9b/orjson-3.11.6-cp314-cp314-win_amd64.whl", hash = "sha256:931607a8865d21682bb72de54231655c86df1870502d2962dbfd12c82890d077", size = 136633, upload-time = "2026-01-29T15:13:04.267Z" },
+    { url = "https://files.pythonhosted.org/packages/55/74/f473a3ec7a0a7ebc825ca8e3c86763f7d039f379860c81ba12dcdd456547/orjson-3.11.6-cp314-cp314-win_arm64.whl", hash = "sha256:fe71f6b283f4f1832204ab8235ce07adad145052614f77c876fcf0dac97bc06f", size = 135168, upload-time = "2026-01-29T15:13:05.932Z" },
 ]
 
 [[package]]

web/jest.config.js

@@ -53,6 +53,8 @@ const sharedConfig = {
         // Testing & Mocking
         "msw",
         "until-async",
+        // Language Detection
+        "linguist-languages",
         // Markdown & Syntax Highlighting
         "react-markdown",
         "remark-.*", // All remark packages

web/lib/opal/src/components/buttons/open-button/components.tsx

@@ -55,8 +55,11 @@ type OpenButtonContentProps =
       children?: string;
     };
 
-type OpenButtonProps = Omit<InteractiveStatefulProps, "variant"> &
-  OpenButtonContentProps & {
+type OpenButtonVariant = "select-light" | "select-heavy" | "select-tinted";
+
+type OpenButtonProps = Omit<InteractiveStatefulProps, "variant"> & {
+  variant?: OpenButtonVariant;
+} & OpenButtonContentProps & {
     /**
      * Size preset — controls gap, text size, and Container height/rounding.
      */
@@ -65,6 +68,13 @@ type OpenButtonProps = Omit<InteractiveStatefulProps, "variant"> &
     /** Width preset. */
     width?: WidthVariant;
 
+    /**
+     * Content justify mode. When `"between"`, icon+label group left and
+     * chevron pushes to the right edge. Default keeps all items in a
+     * tight `gap-1` row.
+     */
+    justifyContent?: "between";
+
     /** Tooltip text shown on hover. */
     tooltip?: string;
 
@@ -82,9 +92,11 @@ function OpenButton({
   size = "lg",
   foldable,
   width,
+  justifyContent,
   tooltip,
   tooltipSide = "top",
   interaction,
+  variant = "select-heavy",
   ...statefulProps
 }: OpenButtonProps) {
   const { isDisabled } = useDisabled();
@@ -111,7 +123,7 @@ function OpenButton({
 
   const button = (
     <Interactive.Stateful
-      variant="select-heavy"
+      variant={variant}
       interaction={resolvedInteraction}
       {...statefulProps}
     >
@@ -125,19 +137,32 @@ function OpenButton({
       >
         <div
           className={cn(
-            "opal-button interactive-foreground flex flex-row items-center gap-1",
-            foldable && "interactive-foldable-host"
+            "opal-button interactive-foreground flex flex-row items-center",
+            justifyContent === "between" ? "w-full justify-between" : "gap-1",
+            foldable &&
+              justifyContent !== "between" &&
+              "interactive-foldable-host"
           )}
         >
-          {iconWrapper(Icon, size, !foldable && !!children)}
-
-          {foldable ? (
-            <Interactive.Foldable>
-              {labelEl}
+          {justifyContent === "between" ? (
+            <>
+              <span className="flex flex-row items-center gap-1">
+                {iconWrapper(Icon, size, !foldable && !!children)}
+                {labelEl}
+              </span>
               {iconWrapper(ChevronIcon, size, !!children)}
-            </Interactive.Foldable>
+            </>
+          ) : foldable ? (
+            <>
+              {iconWrapper(Icon, size, !foldable && !!children)}
+              <Interactive.Foldable>
+                {labelEl}
+                {iconWrapper(ChevronIcon, size, !!children)}
+              </Interactive.Foldable>
+            </>
           ) : (
             <>
+              {iconWrapper(Icon, size, !foldable && !!children)}
               {labelEl}
               {iconWrapper(ChevronIcon, size, !!children)}
             </>

web/lib/opal/src/components/tag/components.tsx

@@ -9,6 +9,8 @@ import { cn } from "@opal/utils";
 
 type TagColor = "green" | "purple" | "blue" | "gray" | "amber";
 
+type TagSize = "sm" | "md";
+
 interface TagProps {
   /** Optional icon component. */
   icon?: IconFunctionComponent;
@@ -18,6 +20,9 @@ interface TagProps {
 
   /** Color variant. Default: `"gray"`. */
   color?: TagColor;
+
+  /** Size variant. Default: `"sm"`. */
+  size?: TagSize;
 }
 
 // ---------------------------------------------------------------------------
@@ -36,11 +41,11 @@ const COLOR_CONFIG: Record<TagColor, { bg: string; text: string }> = {
 // Tag
 // ---------------------------------------------------------------------------
 
-function Tag({ icon: Icon, title, color = "gray" }: TagProps) {
+function Tag({ icon: Icon, title, color = "gray", size = "sm" }: TagProps) {
   const config = COLOR_CONFIG[color];
 
   return (
-    <div className={cn("opal-auxiliary-tag", config.bg)}>
+    <div className={cn("opal-auxiliary-tag", config.bg)} data-size={size}>
       {Icon && (
         <div className="opal-auxiliary-tag-icon-container">
           <Icon className={cn("opal-auxiliary-tag-icon", config.text)} />
@@ -48,7 +53,8 @@ function Tag({ icon: Icon, title, color = "gray" }: TagProps) {
       )}
       <span
         className={cn(
-          "opal-auxiliary-tag-title px-[2px] font-figure-small-value",
+          "opal-auxiliary-tag-title px-[2px]",
+          size === "md" ? "font-secondary-body" : "font-figure-small-value",
           config.text
         )}
       >
@@ -58,4 +64,4 @@ function Tag({ icon: Icon, title, color = "gray" }: TagProps) {
   );
 }
 
-export { Tag, type TagProps, type TagColor };
+export { Tag, type TagProps, type TagColor, type TagSize };

web/lib/opal/src/components/tag/styles.css

@@ -13,6 +13,12 @@
   gap: 0;
 }
 
+.opal-auxiliary-tag[data-size="md"] {
+  height: 1.375rem;
+  padding: 0 0.375rem;
+  border-radius: 0.375rem;
+}
+
 .opal-auxiliary-tag-icon-container {
   display: flex;
   align-items: center;

web/lib/opal/src/core/interactive/stateful/components.tsx

@@ -10,7 +10,11 @@ import type { WithoutStyles } from "@opal/types";
 // Types
 // ---------------------------------------------------------------------------
 
-type InteractiveStatefulVariant = "select-light" | "select-heavy" | "sidebar";
+type InteractiveStatefulVariant =
+  | "select-light"
+  | "select-heavy"
+  | "select-tinted"
+  | "sidebar";
 type InteractiveStatefulState = "empty" | "filled" | "selected";
 type InteractiveStatefulInteraction = "rest" | "hover" | "active";
 

web/lib/opal/src/core/interactive/stateful/styles.css

@@ -11,7 +11,7 @@
    Children read the variables with no independent transitions.
 
    State dimension: `data-interactive-state` = "empty" | "filled" | "selected"
-   Variant dimension: `data-interactive-variant` = "select-light" | "select-heavy" | "sidebar"
+   Variant dimension: `data-interactive-variant` = "select-light" | "select-heavy" | "select-tinted" | "sidebar"
 
    Interaction override: `data-interaction="hover"` and `data-interaction="active"`
    allow JS-controlled visual state overrides.
@@ -211,6 +211,103 @@
   --interactive-foreground-icon: var(--action-link-03);
 }
 
+/* ===========================================================================
+   Select-Tinted — like Select-Heavy but with a tinted rest background
+   =========================================================================== */
+
+/* ---------------------------------------------------------------------------
+   Select-Tinted — Empty
+   --------------------------------------------------------------------------- */
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="empty"] {
+  @apply bg-background-tint-01;
+  --interactive-foreground: var(--text-04);
+  --interactive-foreground-icon: var(--text-03);
+}
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="empty"]:hover:not(
+    [data-disabled]
+  ),
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="empty"][data-interaction="hover"]:not(
+    [data-disabled]
+  ) {
+  @apply bg-background-tint-02;
+  --interactive-foreground-icon: var(--text-04);
+}
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="empty"]:active:not(
+    [data-disabled]
+  ),
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="empty"][data-interaction="active"]:not(
+    [data-disabled]
+  ) {
+  @apply bg-background-neutral-00;
+  --interactive-foreground: var(--text-05);
+  --interactive-foreground-icon: var(--text-05);
+}
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="empty"][data-disabled] {
+  @apply bg-transparent;
+  --interactive-foreground: var(--text-01);
+  --interactive-foreground-icon: var(--text-01);
+}
+
+/* ---------------------------------------------------------------------------
+   Select-Tinted — Filled
+   --------------------------------------------------------------------------- */
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="filled"] {
+  @apply bg-background-tint-01;
+  --interactive-foreground: var(--action-link-05);
+  --interactive-foreground-icon: var(--action-link-05);
+}
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="filled"]:hover:not(
+    [data-disabled]
+  ),
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="filled"][data-interaction="hover"]:not(
+    [data-disabled]
+  ) {
+  @apply bg-background-tint-02;
+}
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="filled"]:active:not(
+    [data-disabled]
+  ),
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="filled"][data-interaction="active"]:not(
+    [data-disabled]
+  ) {
+  @apply bg-background-tint-00;
+}
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="filled"][data-disabled] {
+  @apply bg-transparent;
+  --interactive-foreground: var(--text-01);
+  --interactive-foreground-icon: var(--text-01);
+}
+
+/* ---------------------------------------------------------------------------
+   Select-Tinted — Selected
+   --------------------------------------------------------------------------- */
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="selected"] {
+  @apply bg-[var(--action-link-01)];
+  --interactive-foreground: var(--action-link-05);
+  --interactive-foreground-icon: var(--action-link-05);
+}
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="selected"]:hover:not(
+    [data-disabled]
+  ),
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="selected"][data-interaction="hover"]:not(
+    [data-disabled]
+  ) {
+  @apply bg-background-tint-02;
+}
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="selected"]:active:not(
+    [data-disabled]
+  ),
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="selected"][data-interaction="active"]:not(
+    [data-disabled]
+  ) {
+  @apply bg-background-tint-00;
+}
+.interactive[data-interactive-variant="select-tinted"][data-interactive-state="selected"][data-disabled] {
+  @apply bg-transparent;
+  --interactive-foreground: var(--action-link-03);
+  --interactive-foreground-icon: var(--action-link-03);
+}
+
 /* ===========================================================================
    Sidebar
    =========================================================================== */

web/lib/opal/src/icons/audio.tsx

@@ -0,0 +1,20 @@
+import type { IconProps } from "@opal/types";
+const SvgAudio = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 16 16"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    {...props}
+  >
+    <path
+      d="M2 10V6M5 14V2M11 11V5M14 9V7M8 10V6"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+  </svg>
+);
+export default SvgAudio;

web/lib/opal/src/icons/filter-plus.tsx

@@ -0,0 +1,21 @@
+import type { IconProps } from "@opal/types";
+
+const SvgFilterPlus = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 16 16"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    {...props}
+  >
+    <path
+      d="M9.5 12.5L6.83334 11.1667V7.80667L1.5 1.5H14.8333L12.1667 4.65333M12.1667 7V9.5M12.1667 9.5V12M12.1667 9.5H9.66667M12.1667 9.5H14.6667"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+  </svg>
+);
+export default SvgFilterPlus;

web/lib/opal/src/icons/index.ts

@@ -17,6 +17,7 @@ export { default as SvgArrowUpDown } from "@opal/icons/arrow-up-down";
 export { default as SvgArrowUpDot } from "@opal/icons/arrow-up-dot";
 export { default as SvgArrowUpRight } from "@opal/icons/arrow-up-right";
 export { default as SvgArrowWallRight } from "@opal/icons/arrow-wall-right";
+export { default as SvgAudio } from "@opal/icons/audio";
 export { default as SvgAudioEqSmall } from "@opal/icons/audio-eq-small";
 export { default as SvgAws } from "@opal/icons/aws";
 export { default as SvgAzure } from "@opal/icons/azure";
@@ -72,6 +73,7 @@ export { default as SvgFileChartPie } from "@opal/icons/file-chart-pie";
 export { default as SvgFileSmall } from "@opal/icons/file-small";
 export { default as SvgFileText } from "@opal/icons/file-text";
 export { default as SvgFilter } from "@opal/icons/filter";
+export { default as SvgFilterPlus } from "@opal/icons/filter-plus";
 export { default as SvgFold } from "@opal/icons/fold";
 export { default as SvgFolder } from "@opal/icons/folder";
 export { default as SvgFolderIn } from "@opal/icons/folder-in";
@@ -106,6 +108,8 @@ export { default as SvgLogOut } from "@opal/icons/log-out";
 export { default as SvgMaximize2 } from "@opal/icons/maximize-2";
 export { default as SvgMcp } from "@opal/icons/mcp";
 export { default as SvgMenu } from "@opal/icons/menu";
+export { default as SvgMicrophone } from "@opal/icons/microphone";
+export { default as SvgMicrophoneOff } from "@opal/icons/microphone-off";
 export { default as SvgMinus } from "@opal/icons/minus";
 export { default as SvgMinusCircle } from "@opal/icons/minus-circle";
 export { default as SvgMoon } from "@opal/icons/moon";
@@ -176,6 +180,8 @@ export { default as SvgUserManage } from "@opal/icons/user-manage";
 export { default as SvgUserPlus } from "@opal/icons/user-plus";
 export { default as SvgUserSync } from "@opal/icons/user-sync";
 export { default as SvgUsers } from "@opal/icons/users";
+export { default as SvgVolume } from "@opal/icons/volume";
+export { default as SvgVolumeOff } from "@opal/icons/volume-off";
 export { default as SvgWallet } from "@opal/icons/wallet";
 export { default as SvgWorkflow } from "@opal/icons/workflow";
 export { default as SvgX } from "@opal/icons/x";

web/lib/opal/src/icons/microphone-off.tsx

@@ -0,0 +1,29 @@
+import type { IconProps } from "@opal/types";
+
+const SvgMicrophoneOff = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 16 16"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    {...props}
+  >
+    {/* Microphone body */}
+    <path
+      d="M12.5 7V7.5C12.5 9.98528 10.4853 12 8 12M3.5 7V7.5C3.5 9.98528 5.51472 12 8 12M8 12V14.5M8 14.5H5M8 14.5H11M8 9.5C6.89543 9.5 6 8.60457 6 7.5V3.5C6 2.39543 6.89543 1.5 8 1.5C9.10457 1.5 10 2.39543 10 3.5V7.5C10 8.60457 9.10457 9.5 8 9.5Z"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+    {/* Diagonal slash */}
+    <path
+      d="M2 2L14 14"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+  </svg>
+);
+export default SvgMicrophoneOff;

web/lib/opal/src/icons/microphone.tsx

@@ -0,0 +1,21 @@
+import type { IconProps } from "@opal/types";
+
+const SvgMicrophone = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 16 16"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    {...props}
+  >
+    <path
+      d="M12.5 7V7.5C12.5 9.98528 10.4853 12 8 12M3.5 7V7.5C3.5 9.98528 5.51472 12 8 12M8 12V14.5M8 14.5H5M8 14.5H11M8 9.5C6.89543 9.5 6 8.60457 6 7.5V3.5C6 2.39543 6.89543 1.5 8 1.5C9.10457 1.5 10 2.39543 10 3.5V7.5C10 8.60457 9.10457 9.5 8 9.5Z"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+  </svg>
+);
+export default SvgMicrophone;

web/lib/opal/src/icons/volume-off.tsx

@@ -0,0 +1,26 @@
+import type { IconProps } from "@opal/types";
+const SvgVolumeOff = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 16 16"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    {...props}
+  >
+    <path
+      d="M2 6V10H5L9 13V3L5 6H2Z"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+    <path
+      d="M14 6L11 9M11 6L14 9"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+  </svg>
+);
+export default SvgVolumeOff;

web/lib/opal/src/icons/volume.tsx

@@ -0,0 +1,26 @@
+import type { IconProps } from "@opal/types";
+const SvgVolume = ({ size, ...props }: IconProps) => (
+  <svg
+    width={size}
+    height={size}
+    viewBox="0 0 16 16"
+    fill="none"
+    xmlns="http://www.w3.org/2000/svg"
+    stroke="currentColor"
+    {...props}
+  >
+    <path
+      d="M2 6V10H5L9 13V3L5 6H2Z"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+    <path
+      d="M11.5 5.5C12.3 6.3 12.8 7.4 12.8 8.5C12.8 9.6 12.3 10.7 11.5 11.5"
+      strokeWidth={1.5}
+      strokeLinecap="round"
+      strokeLinejoin="round"
+    />
+  </svg>
+);
+export default SvgVolume;

web/next.config.js

@@ -59,7 +59,7 @@ const nextConfig = {
           {
             key: "Permissions-Policy",
             value:
-              "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()",
+              "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(self), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()",
           },
         ],
       },

web/package-lock.json

@@ -53,12 +53,13 @@
         "formik": "^2.2.9",
         "highlight.js": "^11.11.1",
         "js-cookie": "^3.0.5",
-        "katex": "^0.16.17",
+        "katex": "^0.16.38",
         "linguist-languages": "^9.3.1",
         "lodash": "^4.17.23",
         "lowlight": "^3.3.0",
         "lucide-react": "^0.454.0",
         "mdast-util-find-and-replace": "^3.0.1",
+        "mime": "^4.1.0",
         "motion": "^12.29.0",
         "next": "16.1.6",
         "next-themes": "^0.4.4",
@@ -12793,7 +12794,9 @@
       }
     },
     "node_modules/katex": {
-      "version": "0.16.25",
+      "version": "0.16.38",
+      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.38.tgz",
+      "integrity": "sha512-cjHooZUmIAUmDsHBN+1n8LaZdpmbj03LtYeYPyuYB7OuloiaeaV6N4LcfjcnHVzGWjVQmKrxxTrpDcmSzEZQwQ==",
       "funding": [
         "https://opencollective.com/katex",
         "https://github.com/sponsors/katex"
@@ -13883,6 +13886,21 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
+    "node_modules/mime": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/mime/-/mime-4.1.0.tgz",
+      "integrity": "sha512-X5ju04+cAzsojXKes0B/S4tcYtFAJ6tTMuSPBEn9CPGlrWr8Fiw7qYeLT0XyH80HSoAoqWCaz+MWKh22P7G1cw==",
+      "funding": [
+        "https://github.com/sponsors/broofa"
+      ],
+      "license": "MIT",
+      "bin": {
+        "mime": "bin/cli.js"
+      },
+      "engines": {
+        "node": ">=16"
+      }
+    },
     "node_modules/mime-db": {
       "version": "1.52.0",
       "license": "MIT",

web/package.json

@@ -71,12 +71,13 @@
     "formik": "^2.2.9",
     "highlight.js": "^11.11.1",
     "js-cookie": "^3.0.5",
-    "katex": "^0.16.17",
+    "katex": "^0.16.38",
     "linguist-languages": "^9.3.1",
     "lodash": "^4.17.23",
     "lowlight": "^3.3.0",
     "lucide-react": "^0.454.0",
     "mdast-util-find-and-replace": "^3.0.1",
+    "mime": "^4.1.0",
     "motion": "^12.29.0",
     "next": "16.1.6",
     "next-themes": "^0.4.4",

web/public/ElevenLabs.svg

@@ -0,0 +1,4 @@
+<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M10.5 2H13V14H10.5V2Z" fill="currentColor"/>
+<path d="M3 2H5.5V14H3V2Z" fill="currentColor"/>
+</svg>

web/public/ElevenLabsDark.svg

@@ -0,0 +1,4 @@
+<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M10.5 2H13V14H10.5V2Z" fill="white"/>
+<path d="M3 2H5.5V14H3V2Z" fill="white"/>
+</svg>

web/src/app/admin/configuration/voice/VoiceProviderSetupModal.tsx

@@ -0,0 +1,558 @@
+"use client";
+
+import Image from "next/image";
+import { FunctionComponent, useState, useEffect } from "react";
+import {
+  AzureIcon,
+  ElevenLabsIcon,
+  OpenAIIcon,
+} from "@/components/icons/icons";
+import Modal from "@/refresh-components/Modal";
+import Button from "@/refresh-components/buttons/Button";
+import InputTypeIn from "@/refresh-components/inputs/InputTypeIn";
+import PasswordInputTypeIn from "@/refresh-components/inputs/PasswordInputTypeIn";
+import InputSelect from "@/refresh-components/inputs/InputSelect";
+import InputComboBox from "@/refresh-components/inputs/InputComboBox";
+import { FormField } from "@/refresh-components/form/FormField";
+import { Vertical, Horizontal } from "@/layouts/input-layouts";
+import { Section } from "@/layouts/general-layouts";
+import { SvgArrowExchange, SvgOnyxLogo } from "@opal/icons";
+import { Disabled } from "@opal/core";
+import type { IconProps } from "@opal/types";
+import { VoiceProviderView } from "@/hooks/useVoiceProviders";
+import {
+  testVoiceProvider,
+  upsertVoiceProvider,
+  fetchVoicesByType,
+  fetchLLMProviders,
+} from "@/lib/admin/voice/svc";
+
+interface VoiceOption {
+  value: string;
+  label: string;
+  description?: string;
+}
+
+interface LLMProviderView {
+  id: number;
+  name: string;
+  provider: string;
+  api_key: string | null;
+}
+
+interface ApiKeyOption {
+  value: string;
+  label: string;
+  description?: string;
+}
+
+interface VoiceProviderSetupModalProps {
+  providerType: string;
+  existingProvider: VoiceProviderView | null;
+  mode: "stt" | "tts";
+  defaultModelId?: string | null;
+  onClose: () => void;
+  onSuccess: () => void;
+}
+
+const PROVIDER_LABELS: Record<string, string> = {
+  openai: "OpenAI",
+  azure: "Azure Speech Services",
+  elevenlabs: "ElevenLabs",
+};
+
+const PROVIDER_API_KEY_URLS: Record<string, string> = {
+  openai: "https://platform.openai.com/api-keys",
+  azure: "https://portal.azure.com/",
+  elevenlabs: "https://elevenlabs.io/app/settings/api-keys",
+};
+
+const PROVIDER_LOGO_URLS: Record<string, string> = {
+  openai: "/Openai.svg",
+  azure: "/Azure.png",
+  elevenlabs: "/ElevenLabs.svg",
+};
+
+const PROVIDER_DOCS_URLS: Record<string, string> = {
+  openai: "https://platform.openai.com/docs/guides/text-to-speech",
+  azure: "https://learn.microsoft.com/en-us/azure/ai-services/speech-service/",
+  elevenlabs: "https://elevenlabs.io/docs",
+};
+
+const PROVIDER_VOICE_DOCS_URLS: Record<string, { url: string; label: string }> =
+  {
+    openai: {
+      url: "https://platform.openai.com/docs/guides/text-to-speech#voice-options",
+      label: "OpenAI",
+    },
+    azure: {
+      url: "https://learn.microsoft.com/en-us/azure/ai-services/speech-service/language-support?tabs=tts",
+      label: "Azure",
+    },
+    elevenlabs: {
+      url: "https://elevenlabs.io/docs/voices/premade-voices",
+      label: "ElevenLabs",
+    },
+  };
+
+const OPENAI_STT_MODELS = [{ id: "whisper-1", name: "Whisper v1" }];
+
+const OPENAI_TTS_MODELS = [
+  { id: "tts-1", name: "TTS-1" },
+  { id: "tts-1-hd", name: "TTS-1 HD" },
+];
+
+// Map model IDs from cards to actual API model IDs
+const MODEL_ID_MAP: Record<string, string> = {
+  "tts-1": "tts-1",
+  "tts-1-hd": "tts-1-hd",
+  whisper: "whisper-1",
+};
+
+type Phase = "idle" | "validating" | "saving";
+type MessageState = {
+  kind: "status" | "error" | "success";
+  text: string;
+} | null;
+
+export default function VoiceProviderSetupModal({
+  providerType,
+  existingProvider,
+  mode,
+  defaultModelId,
+  onClose,
+  onSuccess,
+}: VoiceProviderSetupModalProps) {
+  // Map the card model ID to the actual API model ID
+  // Prioritize defaultModelId (from the clicked card) over stored value
+  const initialTtsModel = defaultModelId
+    ? MODEL_ID_MAP[defaultModelId] ?? "tts-1"
+    : existingProvider?.tts_model ?? "tts-1";
+
+  const [apiKey, setApiKey] = useState("");
+  const [apiKeyChanged, setApiKeyChanged] = useState(false);
+  const [targetUri, setTargetUri] = useState(
+    existingProvider?.target_uri ?? ""
+  );
+  const [selectedLlmProviderId, setSelectedLlmProviderId] = useState<
+    number | null
+  >(null);
+  const [sttModel, setSttModel] = useState(
+    existingProvider?.stt_model ?? "whisper-1"
+  );
+  const [ttsModel, setTtsModel] = useState(initialTtsModel);
+  const [defaultVoice, setDefaultVoice] = useState(
+    existingProvider?.default_voice ?? ""
+  );
+  const [phase, setPhase] = useState<Phase>("idle");
+  const [message, setMessage] = useState<MessageState>(null);
+
+  // Dynamic voices fetched from backend
+  const [voiceOptions, setVoiceOptions] = useState<VoiceOption[]>([]);
+  const [isLoadingVoices, setIsLoadingVoices] = useState(false);
+
+  // Existing OpenAI LLM providers for API key reuse
+  const [existingApiKeyOptions, setExistingApiKeyOptions] = useState<
+    ApiKeyOption[]
+  >([]);
+  const [llmProviderMap, setLlmProviderMap] = useState<Map<string, number>>(
+    new Map()
+  );
+
+  // Fetch existing OpenAI LLM providers (for API key reuse)
+  useEffect(() => {
+    if (providerType !== "openai") return;
+
+    fetchLLMProviders()
+      .then((res) => res.json())
+      .then((data: { providers: LLMProviderView[] } | LLMProviderView[]) => {
+        const providers = Array.isArray(data) ? data : data.providers ?? [];
+        const openaiProviders = providers.filter(
+          (p) => p.provider === "openai" && p.api_key
+        );
+        const options: ApiKeyOption[] = openaiProviders.map((p) => ({
+          value: p.api_key!,
+          label: p.api_key!,
+          description: `Used for LLM provider **${p.name}**`,
+        }));
+        setExistingApiKeyOptions(options);
+
+        // Map masked API keys to provider IDs for lookup on selection
+        const providerMap = new Map<string, number>();
+        openaiProviders.forEach((p) => {
+          if (p.api_key) {
+            providerMap.set(p.api_key, p.id);
+          }
+        });
+        setLlmProviderMap(providerMap);
+      })
+      .catch(() => {
+        setExistingApiKeyOptions([]);
+      });
+  }, [providerType]);
+
+  // Fetch voices on mount (works without API key for ElevenLabs/OpenAI)
+  useEffect(() => {
+    setIsLoadingVoices(true);
+    fetchVoicesByType(providerType)
+      .then((res) => res.json())
+      .then((data: Array<{ id: string; name: string }>) => {
+        const options = data.map((v) => ({
+          value: v.id,
+          label: v.name,
+          description: v.id,
+        }));
+        setVoiceOptions(options);
+        // Set default voice to first option if not already set,
+        // or if current value doesn't exist in the new options
+        setDefaultVoice((prev) => {
+          if (!prev) return options[0]?.value ?? "";
+          const existsInOptions = options.some((opt) => opt.value === prev);
+          return existsInOptions ? prev : options[0]?.value ?? "";
+        });
+      })
+      .catch(() => {
+        setVoiceOptions([]);
+      })
+      .finally(() => {
+        setIsLoadingVoices(false);
+      });
+  }, [providerType]);
+
+  const isEditing = !!existingProvider;
+  const label = PROVIDER_LABELS[providerType] ?? providerType;
+  const isProcessing = phase !== "idle";
+  const hasNonEmptyApiKey = apiKey.trim().length > 0;
+  const shouldSendApiKey =
+    !selectedLlmProviderId && apiKeyChanged && hasNonEmptyApiKey;
+  const shouldUseStoredKey =
+    isEditing && !selectedLlmProviderId && !shouldSendApiKey;
+
+  const canConnect = (() => {
+    if (selectedLlmProviderId) return true;
+    if (!isEditing && !apiKey) return false;
+    if (providerType === "azure" && !isEditing && !targetUri) return false;
+    return true;
+  })();
+
+  // Logo arrangement component for the modal header
+  // No useMemo needed - providerType and label are stable props
+  const LogoArrangement: FunctionComponent<IconProps> = () => (
+    <div className="flex items-center gap-2">
+      <div className="flex items-center justify-center size-7 shrink-0 overflow-clip">
+        {providerType === "openai" ? (
+          <OpenAIIcon size={24} />
+        ) : providerType === "azure" ? (
+          <AzureIcon size={24} />
+        ) : providerType === "elevenlabs" ? (
+          <ElevenLabsIcon size={24} />
+        ) : (
+          <Image
+            src={PROVIDER_LOGO_URLS[providerType] ?? "/Openai.svg"}
+            alt={`${label} logo`}
+            width={24}
+            height={24}
+            className="object-contain"
+          />
+        )}
+      </div>
+      <div className="flex items-center justify-center size-4 shrink-0">
+        <SvgArrowExchange className="size-3 text-text-04" />
+      </div>
+      <div className="flex items-center justify-center size-7 p-0.5 shrink-0 overflow-clip">
+        <SvgOnyxLogo size={24} className="text-text-04 shrink-0" />
+      </div>
+    </div>
+  );
+
+  const formFieldState: "idle" | "error" | "success" =
+    message?.kind === "error"
+      ? "error"
+      : message?.kind === "success"
+        ? "success"
+        : "idle";
+
+  const handleSubmit = async () => {
+    if (!canConnect) return;
+
+    setMessage(null);
+
+    try {
+      // Test the connection first (skip if reusing LLM provider key - validated on save)
+      if (!selectedLlmProviderId) {
+        setPhase("validating");
+        setMessage({ kind: "status", text: "Validating API key..." });
+
+        const testResponse = await testVoiceProvider({
+          provider_type: providerType,
+          api_key: shouldSendApiKey ? apiKey : undefined,
+          target_uri: targetUri || undefined,
+          use_stored_key: shouldUseStoredKey,
+        });
+
+        if (!testResponse.ok) {
+          const data = await testResponse.json().catch(() => ({}));
+          const detail =
+            typeof data?.detail === "string"
+              ? data.detail
+              : "Connection test failed";
+          setPhase("idle");
+          setMessage({ kind: "error", text: detail });
+          return;
+        }
+
+        setMessage({
+          kind: "status",
+          text: "API key validated. Saving provider...",
+        });
+      }
+
+      // Save the provider
+      setPhase("saving");
+      const response = await upsertVoiceProvider({
+        id: existingProvider?.id,
+        name: label,
+        provider_type: providerType,
+        api_key: shouldSendApiKey ? apiKey : undefined,
+        api_key_changed: shouldSendApiKey,
+        target_uri: targetUri || undefined,
+        llm_provider_id: selectedLlmProviderId,
+        stt_model: sttModel,
+        tts_model: ttsModel,
+        default_voice: defaultVoice,
+        activate_stt: mode === "stt",
+        activate_tts: mode === "tts",
+      });
+
+      if (response.ok) {
+        onSuccess();
+      } else {
+        const data = await response.json().catch(() => ({}));
+        const detail =
+          typeof data?.detail === "string"
+            ? data.detail
+            : "Failed to save provider";
+        setPhase("idle");
+        setMessage({ kind: "error", text: detail });
+      }
+    } catch {
+      setPhase("idle");
+      setMessage({ kind: "error", text: "Failed to save provider" });
+    }
+  };
+
+  return (
+    <Modal open onOpenChange={(isOpen) => !isOpen && onClose()}>
+      <Modal.Content width="sm">
+        <Modal.Header
+          icon={LogoArrangement}
+          title={isEditing ? `Edit ${label}` : `Set up ${label}`}
+          description={`Connect to ${label} and set up your voice models.`}
+          onClose={onClose}
+        />
+        <Modal.Body>
+          <Section gap={1} alignItems="stretch">
+            <FormField name="api_key" state={formFieldState} className="w-full">
+              <FormField.Label>API Key</FormField.Label>
+              <FormField.Description>
+                {isEditing ? (
+                  "Leave blank to keep existing key"
+                ) : (
+                  <>
+                    Paste your{" "}
+                    <a
+                      href={PROVIDER_API_KEY_URLS[providerType]}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                      className="underline"
+                    >
+                      API key
+                    </a>{" "}
+                    from {label} to access your models.
+                  </>
+                )}
+              </FormField.Description>
+              <FormField.Control asChild>
+                {providerType === "openai" &&
+                existingApiKeyOptions.length > 0 ? (
+                  <InputComboBox
+                    placeholder={isEditing ? "••••••••" : "Enter API key"}
+                    value={apiKey}
+                    onChange={(e) => {
+                      setApiKey(e.target.value);
+                      setApiKeyChanged(true);
+                      setSelectedLlmProviderId(null);
+                      setMessage(null);
+                    }}
+                    onValueChange={(value) => {
+                      setApiKey(value);
+                      // Check if this is an existing key
+                      const llmProviderId = llmProviderMap.get(value);
+                      if (llmProviderId) {
+                        setSelectedLlmProviderId(llmProviderId);
+                        setApiKeyChanged(false);
+                      } else {
+                        setSelectedLlmProviderId(null);
+                        setApiKeyChanged(true);
+                      }
+                      setMessage(null);
+                    }}
+                    options={existingApiKeyOptions}
+                    separatorLabel="Reuse OpenAI API Keys"
+                    strict={false}
+                    showAddPrefix
+                  />
+                ) : (
+                  <PasswordInputTypeIn
+                    placeholder={isEditing ? "••••••••" : "Enter API key"}
+                    value={apiKey}
+                    onChange={(e) => {
+                      setApiKey(e.target.value);
+                      setApiKeyChanged(true);
+                      setMessage(null);
+                    }}
+                    showClearButton={false}
+                  />
+                )}
+              </FormField.Control>
+              {isProcessing ? (
+                <FormField.APIMessage
+                  state="loading"
+                  messages={{
+                    loading: message?.text ?? "Validating API key...",
+                  }}
+                />
+              ) : message ? (
+                <FormField.Message
+                  messages={{
+                    idle: "",
+                    error: message.kind === "error" ? message.text : "",
+                    success: message.kind === "success" ? message.text : "",
+                  }}
+                />
+              ) : null}
+            </FormField>
+
+            {providerType === "azure" && (
+              <Vertical
+                title="Target URI"
+                subDescription={
+                  <>
+                    Paste the endpoint shown in{" "}
+                    <a
+                      href="https://portal.azure.com/"
+                      target="_blank"
+                      rel="noopener noreferrer"
+                      className="underline"
+                    >
+                      Azure Portal (Keys and Endpoint)
+                    </a>
+                    . Onyx extracts the speech region from this URL. Examples:
+                    https://westus.api.cognitive.microsoft.com/ or
+                    https://westus.tts.speech.microsoft.com/.
+                  </>
+                }
+                nonInteractive
+              >
+                <InputTypeIn
+                  placeholder={
+                    isEditing
+                      ? "Leave blank to keep existing"
+                      : "https://<region>.api.cognitive.microsoft.com/"
+                  }
+                  value={targetUri}
+                  onChange={(e) => setTargetUri(e.target.value)}
+                />
+              </Vertical>
+            )}
+
+            {providerType === "openai" && mode === "stt" && (
+              <Horizontal title="STT Model" center nonInteractive>
+                <InputSelect value={sttModel} onValueChange={setSttModel}>
+                  <InputSelect.Trigger />
+                  <InputSelect.Content>
+                    {OPENAI_STT_MODELS.map((model) => (
+                      <InputSelect.Item key={model.id} value={model.id}>
+                        {model.name}
+                      </InputSelect.Item>
+                    ))}
+                  </InputSelect.Content>
+                </InputSelect>
+              </Horizontal>
+            )}
+
+            {providerType === "openai" && mode === "tts" && (
+              <Vertical
+                title="Default Model"
+                subDescription="This model will be used by Onyx by default for text-to-speech."
+                nonInteractive
+              >
+                <InputSelect value={ttsModel} onValueChange={setTtsModel}>
+                  <InputSelect.Trigger />
+                  <InputSelect.Content>
+                    {OPENAI_TTS_MODELS.map((model) => (
+                      <InputSelect.Item key={model.id} value={model.id}>
+                        {model.name}
+                      </InputSelect.Item>
+                    ))}
+                  </InputSelect.Content>
+                </InputSelect>
+              </Vertical>
+            )}
+
+            {mode === "tts" && (
+              <Vertical
+                title="Voice"
+                subDescription={
+                  <>
+                    This voice will be used for spoken responses. See full list
+                    of supported languages and voices at{" "}
+                    <a
+                      href={
+                        PROVIDER_VOICE_DOCS_URLS[providerType]?.url ??
+                        PROVIDER_DOCS_URLS[providerType]
+                      }
+                      target="_blank"
+                      rel="noopener noreferrer"
+                      className="underline"
+                    >
+                      {PROVIDER_VOICE_DOCS_URLS[providerType]?.label ?? label}
+                    </a>
+                    .
+                  </>
+                }
+                nonInteractive
+              >
+                <InputComboBox
+                  value={defaultVoice}
+                  onValueChange={setDefaultVoice}
+                  options={voiceOptions}
+                  placeholder={
+                    isLoadingVoices
+                      ? "Loading voices..."
+                      : "Select a voice or enter voice ID"
+                  }
+                  disabled={isLoadingVoices}
+                  strict={false}
+                />
+              </Vertical>
+            )}
+          </Section>
+        </Modal.Body>
+        <Modal.Footer>
+          <Button secondary onClick={onClose}>
+            Cancel
+          </Button>
+          <Disabled disabled={!canConnect || isProcessing}>
+            <Button
+              onClick={handleSubmit}
+              disabled={!canConnect || isProcessing}
+            >
+              {isProcessing ? "Connecting..." : isEditing ? "Save" : "Connect"}
+            </Button>
+          </Disabled>
+        </Modal.Footer>
+      </Modal.Content>
+    </Modal>
+  );
+}

web/src/app/admin/configuration/voice/page.tsx

@@ -0,0 +1,630 @@
+"use client";
+
+import Image from "next/image";
+import { useMemo, useState } from "react";
+import { AdminPageTitle } from "@/components/admin/Title";
+import {
+  AzureIcon,
+  ElevenLabsIcon,
+  InfoIcon,
+  OpenAIIcon,
+} from "@/components/icons/icons";
+import Text from "@/refresh-components/texts/Text";
+import Separator from "@/refresh-components/Separator";
+import { FetchError } from "@/lib/fetcher";
+import {
+  useVoiceProviders,
+  VoiceProviderView,
+} from "@/hooks/useVoiceProviders";
+import {
+  activateVoiceProvider,
+  deactivateVoiceProvider,
+} from "@/lib/admin/voice/svc";
+import { ThreeDotsLoader } from "@/components/Loading";
+import { Callout } from "@/components/ui/callout";
+import Button from "@/refresh-components/buttons/Button";
+import { Button as OpalButton } from "@opal/components";
+import { cn } from "@/lib/utils";
+import {
+  SvgArrowExchange,
+  SvgArrowRightCircle,
+  SvgAudio,
+  SvgCheckSquare,
+  SvgEdit,
+  SvgMicrophone,
+  SvgX,
+} from "@opal/icons";
+import VoiceProviderSetupModal from "./VoiceProviderSetupModal";
+
+interface ModelDetails {
+  id: string;
+  label: string;
+  subtitle: string;
+  logoSrc?: string;
+  providerType: string;
+}
+
+interface ProviderGroup {
+  providerType: string;
+  providerLabel: string;
+  logoSrc?: string;
+  models: ModelDetails[];
+}
+
+// STT Models - individual cards
+const STT_MODELS: ModelDetails[] = [
+  {
+    id: "whisper",
+    label: "Whisper",
+    subtitle: "OpenAI's general purpose speech recognition model.",
+    logoSrc: "/Openai.svg",
+    providerType: "openai",
+  },
+  {
+    id: "azure-speech-stt",
+    label: "Azure Speech",
+    subtitle: "Speech to text in Microsoft Foundry Tools.",
+    logoSrc: "/Azure.png",
+    providerType: "azure",
+  },
+  {
+    id: "elevenlabs-stt",
+    label: "ElevenAPI",
+    subtitle: "ElevenLabs Speech to Text API.",
+    logoSrc: "/ElevenLabs.svg",
+    providerType: "elevenlabs",
+  },
+];
+
+// TTS Models - grouped by provider
+const TTS_PROVIDER_GROUPS: ProviderGroup[] = [
+  {
+    providerType: "openai",
+    providerLabel: "OpenAI",
+    logoSrc: "/Openai.svg",
+    models: [
+      {
+        id: "tts-1",
+        label: "TTS-1",
+        subtitle: "OpenAI's text-to-speech model optimized for speed.",
+        logoSrc: "/Openai.svg",
+        providerType: "openai",
+      },
+      {
+        id: "tts-1-hd",
+        label: "TTS-1 HD",
+        subtitle: "OpenAI's text-to-speech model optimized for quality.",
+        logoSrc: "/Openai.svg",
+        providerType: "openai",
+      },
+    ],
+  },
+  {
+    providerType: "azure",
+    providerLabel: "Azure",
+    logoSrc: "/Azure.png",
+    models: [
+      {
+        id: "azure-speech-tts",
+        label: "Azure Speech",
+        subtitle: "Text to speech in Microsoft Foundry Tools.",
+        logoSrc: "/Azure.png",
+        providerType: "azure",
+      },
+    ],
+  },
+  {
+    providerType: "elevenlabs",
+    providerLabel: "ElevenLabs",
+    logoSrc: "/ElevenLabs.svg",
+    models: [
+      {
+        id: "elevenlabs-tts",
+        label: "ElevenAPI",
+        subtitle: "ElevenLabs Text to Speech API.",
+        logoSrc: "/ElevenLabs.svg",
+        providerType: "elevenlabs",
+      },
+    ],
+  },
+];
+
+interface HoverIconButtonProps extends React.ComponentProps<typeof Button> {
+  isHovered: boolean;
+  onMouseEnter: () => void;
+  onMouseLeave: () => void;
+  children: React.ReactNode;
+}
+
+function HoverIconButton({
+  isHovered,
+  onMouseEnter,
+  onMouseLeave,
+  children,
+  ...buttonProps
+}: HoverIconButtonProps) {
+  return (
+    <div onMouseEnter={onMouseEnter} onMouseLeave={onMouseLeave}>
+      <Button {...buttonProps} rightIcon={isHovered ? SvgX : SvgCheckSquare}>
+        {children}
+      </Button>
+    </div>
+  );
+}
+
+type ProviderMode = "stt" | "tts";
+
+export default function VoiceConfigurationPage() {
+  const [modalOpen, setModalOpen] = useState(false);
+  const [selectedProvider, setSelectedProvider] = useState<string | null>(null);
+  const [editingProvider, setEditingProvider] =
+    useState<VoiceProviderView | null>(null);
+  const [modalMode, setModalMode] = useState<ProviderMode>("stt");
+  const [selectedModelId, setSelectedModelId] = useState<string | null>(null);
+  const [sttActivationError, setSTTActivationError] = useState<string | null>(
+    null
+  );
+  const [ttsActivationError, setTTSActivationError] = useState<string | null>(
+    null
+  );
+  const [hoveredButtonKey, setHoveredButtonKey] = useState<string | null>(null);
+
+  const { providers, error, isLoading, refresh: mutate } = useVoiceProviders();
+
+  const handleConnect = (
+    providerType: string,
+    mode: ProviderMode,
+    modelId?: string
+  ) => {
+    setSelectedProvider(providerType);
+    setEditingProvider(null);
+    setModalMode(mode);
+    setSelectedModelId(modelId ?? null);
+    setModalOpen(true);
+    setSTTActivationError(null);
+    setTTSActivationError(null);
+  };
+
+  const handleEdit = (
+    provider: VoiceProviderView,
+    mode: ProviderMode,
+    modelId?: string
+  ) => {
+    setSelectedProvider(provider.provider_type);
+    setEditingProvider(provider);
+    setModalMode(mode);
+    setSelectedModelId(modelId ?? null);
+    setModalOpen(true);
+  };
+
+  const handleSetDefault = async (
+    providerId: number,
+    mode: ProviderMode,
+    modelId?: string
+  ) => {
+    const setError =
+      mode === "stt" ? setSTTActivationError : setTTSActivationError;
+    setError(null);
+    try {
+      const response = await activateVoiceProvider(providerId, mode, modelId);
+      if (!response.ok) {
+        const errorBody = await response.json().catch(() => ({}));
+        throw new Error(
+          typeof errorBody?.detail === "string"
+            ? errorBody.detail
+            : `Failed to set provider as default ${mode.toUpperCase()}.`
+        );
+      }
+      await mutate();
+    } catch (err) {
+      const message =
+        err instanceof Error ? err.message : "Unexpected error occurred.";
+      setError(message);
+    }
+  };
+
+  const handleDeactivate = async (providerId: number, mode: ProviderMode) => {
+    const setError =
+      mode === "stt" ? setSTTActivationError : setTTSActivationError;
+    setError(null);
+    try {
+      const response = await deactivateVoiceProvider(providerId, mode);
+      if (!response.ok) {
+        const errorBody = await response.json().catch(() => ({}));
+        throw new Error(
+          typeof errorBody?.detail === "string"
+            ? errorBody.detail
+            : `Failed to deactivate ${mode.toUpperCase()} provider.`
+        );
+      }
+      await mutate();
+    } catch (err) {
+      const message =
+        err instanceof Error ? err.message : "Unexpected error occurred.";
+      setError(message);
+    }
+  };
+
+  const handleModalClose = () => {
+    setModalOpen(false);
+    setSelectedProvider(null);
+    setEditingProvider(null);
+    setSelectedModelId(null);
+  };
+
+  const handleModalSuccess = () => {
+    mutate();
+    handleModalClose();
+  };
+
+  const isProviderConfigured = (provider?: VoiceProviderView): boolean => {
+    return !!provider?.has_api_key;
+  };
+
+  // Map provider types to their configured provider data
+  const providersByType = useMemo(() => {
+    return new Map((providers ?? []).map((p) => [p.provider_type, p] as const));
+  }, [providers]);
+
+  const hasActiveSTTProvider =
+    providers?.some((p) => p.is_default_stt) ?? false;
+  const hasActiveTTSProvider =
+    providers?.some((p) => p.is_default_tts) ?? false;
+
+  const renderLogo = ({
+    logoSrc,
+    providerType,
+    alt,
+    size = 16,
+  }: {
+    logoSrc?: string;
+    providerType: string;
+    alt: string;
+    size?: number;
+  }) => {
+    const containerSizeClass = size === 24 ? "size-7" : "size-5";
+
+    return (
+      <div
+        className={cn(
+          "flex items-center justify-center px-0.5 py-0 shrink-0 overflow-clip",
+          containerSizeClass
+        )}
+      >
+        {providerType === "openai" ? (
+          <OpenAIIcon size={size} />
+        ) : providerType === "azure" ? (
+          <AzureIcon size={size} />
+        ) : providerType === "elevenlabs" ? (
+          <ElevenLabsIcon size={size} />
+        ) : logoSrc ? (
+          <Image
+            src={logoSrc}
+            alt={alt}
+            width={size}
+            height={size}
+            className="object-contain"
+          />
+        ) : (
+          <SvgMicrophone size={size} className="text-text-02" />
+        )}
+      </div>
+    );
+  };
+
+  const renderModelCard = ({
+    model,
+    mode,
+  }: {
+    model: ModelDetails;
+    mode: ProviderMode;
+  }) => {
+    const provider = providersByType.get(model.providerType);
+    const isConfigured = isProviderConfigured(provider);
+    // For TTS, also check that this specific model is the default (not just the provider)
+    const isActive =
+      mode === "stt"
+        ? provider?.is_default_stt
+        : provider?.is_default_tts && provider?.tts_model === model.id;
+    const isHighlighted = isActive ?? false;
+    const providerId = provider?.id;
+
+    const buttonState = (() => {
+      if (!provider || !isConfigured) {
+        return {
+          label: "Connect",
+          disabled: false,
+          icon: "arrow" as const,
+          onClick: () => handleConnect(model.providerType, mode, model.id),
+        };
+      }
+
+      if (isActive) {
+        return {
+          label: "Current Default",
+          disabled: false,
+          icon: "check" as const,
+          onClick: providerId
+            ? () => handleDeactivate(providerId, mode)
+            : undefined,
+        };
+      }
+
+      return {
+        label: "Set as Default",
+        disabled: false,
+        icon: "arrow-circle" as const,
+        onClick: providerId
+          ? () => handleSetDefault(providerId, mode, model.id)
+          : undefined,
+      };
+    })();
+
+    const buttonKey = `${mode}-${model.id}`;
+    const isButtonHovered = hoveredButtonKey === buttonKey;
+    const isCardClickable =
+      buttonState.icon === "arrow" &&
+      typeof buttonState.onClick === "function" &&
+      !buttonState.disabled;
+
+    const handleCardClick = () => {
+      if (isCardClickable) {
+        buttonState.onClick?.();
+      }
+    };
+
+    return (
+      <div
+        key={`${mode}-${model.id}`}
+        onClick={isCardClickable ? handleCardClick : undefined}
+        className={cn(
+          "flex items-start justify-between gap-4 rounded-16 border p-2 bg-background-neutral-01",
+          isHighlighted ? "border-action-link-05" : "border-border-01",
+          isCardClickable &&
+            "cursor-pointer hover:bg-background-tint-01 transition-colors"
+        )}
+      >
+        <div className="flex flex-1 items-start gap-2.5 p-2">
+          {renderLogo({
+            logoSrc: model.logoSrc,
+            providerType: model.providerType,
+            alt: `${model.label} logo`,
+            size: 16,
+          })}
+          <div className="flex flex-col gap-0.5">
+            <Text as="p" mainUiAction text04>
+              {model.label}
+            </Text>
+            <Text as="p" secondaryBody text03>
+              {model.subtitle}
+            </Text>
+          </div>
+        </div>
+        <div className="flex items-center justify-end gap-1.5 self-center">
+          {isConfigured && (
+            <OpalButton
+              icon={SvgEdit}
+              tooltip="Edit"
+              prominence="tertiary"
+              size="sm"
+              onClick={(e) => {
+                e.stopPropagation();
+                if (provider) handleEdit(provider, mode, model.id);
+              }}
+              aria-label={`Edit ${model.label}`}
+            />
+          )}
+          {buttonState.icon === "check" ? (
+            <HoverIconButton
+              isHovered={isButtonHovered}
+              onMouseEnter={() => setHoveredButtonKey(buttonKey)}
+              onMouseLeave={() => setHoveredButtonKey(null)}
+              action={true}
+              tertiary
+              disabled={buttonState.disabled}
+              onClick={(e) => {
+                e.stopPropagation();
+                buttonState.onClick?.();
+              }}
+            >
+              {buttonState.label}
+            </HoverIconButton>
+          ) : (
+            <Button
+              action={false}
+              tertiary
+              disabled={buttonState.disabled || !buttonState.onClick}
+              onClick={(e) => {
+                e.stopPropagation();
+                buttonState.onClick?.();
+              }}
+              rightIcon={
+                buttonState.icon === "arrow"
+                  ? SvgArrowExchange
+                  : buttonState.icon === "arrow-circle"
+                    ? SvgArrowRightCircle
+                    : undefined
+              }
+            >
+              {buttonState.label}
+            </Button>
+          )}
+        </div>
+      </div>
+    );
+  };
+
+  if (error) {
+    const message = error?.message || "Unable to load voice configuration.";
+    const detail =
+      error instanceof FetchError && typeof error.info?.detail === "string"
+        ? error.info.detail
+        : undefined;
+
+    return (
+      <>
+        <AdminPageTitle
+          title="Voice"
+          icon={SvgMicrophone}
+          includeDivider={false}
+        />
+        <Callout type="danger" title="Failed to load voice settings">
+          {message}
+          {detail && (
+            <Text as="p" className="mt-2 text-text-03" mainContentBody text03>
+              {detail}
+            </Text>
+          )}
+        </Callout>
+      </>
+    );
+  }
+
+  if (isLoading) {
+    return (
+      <>
+        <AdminPageTitle
+          title="Voice"
+          icon={SvgMicrophone}
+          includeDivider={false}
+        />
+        <div className="mt-8">
+          <ThreeDotsLoader />
+        </div>
+      </>
+    );
+  }
+
+  return (
+    <>
+      <AdminPageTitle icon={SvgAudio} title="Voice" />
+      <div className="pt-4 pb-4">
+        <Text as="p" secondaryBody text03>
+          Speech to text (STT) and text to speech (TTS) capabilities.
+        </Text>
+      </div>
+
+      <Separator />
+
+      <div className="flex w-full flex-col gap-8 pb-6">
+        {/* Speech-to-Text Section */}
+        <div className="flex w-full max-w-[960px] flex-col gap-3">
+          <div className="flex flex-col">
+            <Text as="p" mainContentEmphasis text04>
+              Speech to Text
+            </Text>
+            <Text as="p" secondaryBody text03>
+              Select a model to transcribe speech to text in chats.
+            </Text>
+          </div>
+
+          {sttActivationError && (
+            <Callout type="danger" title="Unable to update STT provider">
+              {sttActivationError}
+            </Callout>
+          )}
+
+          {!hasActiveSTTProvider && (
+            <div
+              className="flex items-start rounded-16 border p-2"
+              style={{
+                backgroundColor: "var(--status-info-00)",
+                borderColor: "var(--status-info-02)",
+              }}
+            >
+              <div className="flex items-start gap-1 p-2">
+                <div
+                  className="flex size-5 items-center justify-center rounded-full p-0.5"
+                  style={{
+                    backgroundColor: "var(--status-info-01)",
+                  }}
+                >
+                  <div style={{ color: "var(--status-text-info-05)" }}>
+                    <InfoIcon size={16} />
+                  </div>
+                </div>
+                <Text as="p" className="flex-1 px-0.5" mainUiBody text04>
+                  Connect a speech to text provider to use in chat.
+                </Text>
+              </div>
+            </div>
+          )}
+
+          <div className="flex flex-col gap-2">
+            {STT_MODELS.map((model) => renderModelCard({ model, mode: "stt" }))}
+          </div>
+        </div>
+
+        {/* Text-to-Speech Section */}
+        <div className="flex w-full max-w-[960px] flex-col gap-3">
+          <div className="flex flex-col">
+            <Text as="p" mainContentEmphasis text04>
+              Text to Speech
+            </Text>
+            <Text as="p" secondaryBody text03>
+              Select a model to speak out chat responses.
+            </Text>
+          </div>
+
+          {ttsActivationError && (
+            <Callout type="danger" title="Unable to update TTS provider">
+              {ttsActivationError}
+            </Callout>
+          )}
+
+          {!hasActiveTTSProvider && (
+            <div
+              className="flex items-start rounded-16 border p-2"
+              style={{
+                backgroundColor: "var(--status-info-00)",
+                borderColor: "var(--status-info-02)",
+              }}
+            >
+              <div className="flex items-start gap-1 p-2">
+                <div
+                  className="flex size-5 items-center justify-center rounded-full p-0.5"
+                  style={{
+                    backgroundColor: "var(--status-info-01)",
+                  }}
+                >
+                  <div style={{ color: "var(--status-text-info-05)" }}>
+                    <InfoIcon size={16} />
+                  </div>
+                </div>
+                <Text as="p" className="flex-1 px-0.5" mainUiBody text04>
+                  Connect a text to speech provider to use in chat.
+                </Text>
+              </div>
+            </div>
+          )}
+
+          <div className="flex flex-col gap-4">
+            {TTS_PROVIDER_GROUPS.map((group) => (
+              <div key={group.providerType} className="flex flex-col gap-2">
+                <Text as="p" secondaryBody text03 className="px-0.5">
+                  {group.providerLabel}
+                </Text>
+                <div className="flex flex-col gap-2">
+                  {group.models.map((model) =>
+                    renderModelCard({ model, mode: "tts" })
+                  )}
+                </div>
+              </div>
+            ))}
+          </div>
+        </div>
+      </div>
+
+      {modalOpen && selectedProvider && (
+        <VoiceProviderSetupModal
+          providerType={selectedProvider}
+          existingProvider={editingProvider}
+          mode={modalMode}
+          defaultModelId={selectedModelId}
+          onClose={handleModalClose}
+          onSuccess={handleModalSuccess}
+        />
+      )}
+    </>
+  );
+}

web/src/app/admin/users/page.tsx

@@ -1,342 +1 @@
-"use client";
-
-import { useState } from "react";
-import SimpleTabs from "@/refresh-components/SimpleTabs";
-import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
-import InvitedUserTable from "@/components/admin/users/InvitedUserTable";
-import SignedUpUserTable from "@/components/admin/users/SignedUpUserTable";
-import Modal from "@/refresh-components/Modal";
-import { ThreeDotsLoader } from "@/components/Loading";
-import { toast } from "@/hooks/useToast";
-import * as SettingsLayouts from "@/layouts/settings-layouts";
-import { errorHandlingFetcher } from "@/lib/fetcher";
-import useSWR, { mutate } from "swr";
-import { ErrorCallout } from "@/components/ErrorCallout";
-import BulkAdd, { EmailInviteStatus } from "@/components/admin/users/BulkAdd";
-import Text from "@/refresh-components/texts/Text";
-import { InvitedUserSnapshot } from "@/lib/types";
-import { NEXT_PUBLIC_CLOUD_ENABLED } from "@/lib/constants";
-import PendingUsersTable from "@/components/admin/users/PendingUsersTable";
-import CreateButton from "@/refresh-components/buttons/CreateButton";
-import { Button } from "@opal/components";
-import { Disabled } from "@opal/core";
-import InputTypeIn from "@/refresh-components/inputs/InputTypeIn";
-import { Spinner } from "@/components/Spinner";
-import { SvgDownloadCloud, SvgUserPlus } from "@opal/icons";
-import { ADMIN_ROUTE_CONFIG, ADMIN_PATHS } from "@/lib/admin-routes";
-
-const route = ADMIN_ROUTE_CONFIG[ADMIN_PATHS.USERS]!;
-
-interface CountDisplayProps {
-  label: string;
-  value: number | null;
-  isLoading: boolean;
-}
-
-function CountDisplay({ label, value, isLoading }: CountDisplayProps) {
-  const displayValue = isLoading
-    ? "..."
-    : value === null
-      ? "-"
-      : value.toLocaleString();
-
-  return (
-    <div className="flex items-center gap-1 px-1 py-0.5 rounded-06">
-      <Text as="p" mainUiMuted text03>
-        {label}
-      </Text>
-      <Text as="p" headingH3 text05>
-        {displayValue}
-      </Text>
-    </div>
-  );
-}
-
-function UsersTables({
-  q,
-  isDownloadingUsers,
-  setIsDownloadingUsers,
-}: {
-  q: string;
-  isDownloadingUsers: boolean;
-  setIsDownloadingUsers: (loading: boolean) => void;
-}) {
-  const [currentUsersCount, setCurrentUsersCount] = useState<number | null>(
-    null
-  );
-  const [currentUsersLoading, setCurrentUsersLoading] = useState<boolean>(true);
-
-  const downloadAllUsers = async () => {
-    setIsDownloadingUsers(true);
-    const startTime = Date.now();
-    const minDurationMsForSpinner = 1000;
-    try {
-      const response = await fetch("/api/manage/users/download");
-      if (!response.ok) {
-        throw new Error("Failed to download all users");
-      }
-      const blob = await response.blob();
-      const url = window.URL.createObjectURL(blob);
-      const anchor_tag = document.createElement("a");
-      anchor_tag.href = url;
-      anchor_tag.download = "users.csv";
-      document.body.appendChild(anchor_tag);
-      anchor_tag.click();
-      //Clean up URL after download to avoid memory leaks
-      window.URL.revokeObjectURL(url);
-      document.body.removeChild(anchor_tag);
-    } catch (error) {
-      toast.error(`Failed to download all users - ${error}`);
-    } finally {
-      //Ensure spinner is visible for at least 1 second
-      //This is to avoid the spinner disappearing too quickly
-      const endTime = Date.now();
-      const duration = endTime - startTime;
-      await new Promise((resolve) =>
-        setTimeout(resolve, minDurationMsForSpinner - duration)
-      );
-      setIsDownloadingUsers(false);
-    }
-  };
-
-  const {
-    data: invitedUsers,
-    error: invitedUsersError,
-    isLoading: invitedUsersLoading,
-    mutate: invitedUsersMutate,
-  } = useSWR<InvitedUserSnapshot[]>(
-    "/api/manage/users/invited",
-    errorHandlingFetcher
-  );
-
-  const { data: validDomains, error: domainsError } = useSWR<string[]>(
-    "/api/manage/admin/valid-domains",
-    errorHandlingFetcher
-  );
-
-  const {
-    data: pendingUsers,
-    error: pendingUsersError,
-    isLoading: pendingUsersLoading,
-    mutate: pendingUsersMutate,
-  } = useSWR<InvitedUserSnapshot[]>(
-    NEXT_PUBLIC_CLOUD_ENABLED ? "/api/tenants/users/pending" : null,
-    errorHandlingFetcher
-  );
-
-  const invitedUsersCount =
-    invitedUsers === undefined ? null : invitedUsers.length;
-  const pendingUsersCount =
-    pendingUsers === undefined ? null : pendingUsers.length;
-  // Show loading animation only during the initial data fetch
-  if (!validDomains) {
-    return <ThreeDotsLoader />;
-  }
-
-  if (domainsError) {
-    return (
-      <ErrorCallout
-        errorTitle="Error loading valid domains"
-        errorMsg={domainsError?.info?.detail}
-      />
-    );
-  }
-
-  const tabs = SimpleTabs.generateTabs({
-    current: {
-      name: "Current Users",
-      content: (
-        <Card className="w-full">
-          <CardHeader>
-            <div className="flex justify-between items-center gap-1">
-              <CardTitle>Current Users</CardTitle>
-              <Disabled disabled={isDownloadingUsers}>
-                <Button
-                  icon={SvgDownloadCloud}
-                  onClick={() => downloadAllUsers()}
-                >
-                  {isDownloadingUsers ? "Downloading..." : "Download CSV"}
-                </Button>
-              </Disabled>
-            </div>
-          </CardHeader>
-          <CardContent>
-            <SignedUpUserTable
-              invitedUsers={invitedUsers || []}
-              q={q}
-              invitedUsersMutate={invitedUsersMutate}
-              countDisplay={
-                <CountDisplay
-                  label="Total users"
-                  value={currentUsersCount}
-                  isLoading={currentUsersLoading}
-                />
-              }
-              onTotalItemsChange={(count) => setCurrentUsersCount(count)}
-              onLoadingChange={(loading) => {
-                setCurrentUsersLoading(loading);
-                if (loading) {
-                  setCurrentUsersCount(null);
-                }
-              }}
-            />
-          </CardContent>
-        </Card>
-      ),
-    },
-    invited: {
-      name: "Invited Users",
-      content: (
-        <Card className="w-full">
-          <CardHeader>
-            <div className="flex justify-between items-center gap-1">
-              <CardTitle>Invited Users</CardTitle>
-              <CountDisplay
-                label="Total invited"
-                value={invitedUsersCount}
-                isLoading={invitedUsersLoading}
-              />
-            </div>
-          </CardHeader>
-          <CardContent>
-            <InvitedUserTable
-              users={invitedUsers || []}
-              mutate={invitedUsersMutate}
-              error={invitedUsersError}
-              isLoading={invitedUsersLoading}
-              q={q}
-            />
-          </CardContent>
-        </Card>
-      ),
-    },
-    ...(NEXT_PUBLIC_CLOUD_ENABLED && {
-      pending: {
-        name: "Pending Users",
-        content: (
-          <Card>
-            <CardHeader>
-              <div className="flex justify-between items-center gap-1">
-                <CardTitle>Pending Users</CardTitle>
-                <CountDisplay
-                  label="Total pending"
-                  value={pendingUsersCount}
-                  isLoading={pendingUsersLoading}
-                />
-              </div>
-            </CardHeader>
-            <CardContent>
-              <PendingUsersTable
-                users={pendingUsers || []}
-                mutate={pendingUsersMutate}
-                error={pendingUsersError}
-                isLoading={pendingUsersLoading}
-                q={q}
-              />
-            </CardContent>
-          </Card>
-        ),
-      },
-    }),
-  });
-
-  return <SimpleTabs tabs={tabs} defaultValue="current" />;
-}
-
-function SearchableTables() {
-  const [query, setQuery] = useState("");
-  const [isDownloadingUsers, setIsDownloadingUsers] = useState(false);
-
-  return (
-    <div>
-      {isDownloadingUsers && <Spinner />}
-      <div className="flex flex-col gap-y-4">
-        <div className="flex flex-row items-center gap-2">
-          <InputTypeIn
-            placeholder="Search"
-            value={query}
-            onChange={(event) => setQuery(event.target.value)}
-          />
-          <AddUserButton />
-        </div>
-        <UsersTables
-          q={query}
-          isDownloadingUsers={isDownloadingUsers}
-          setIsDownloadingUsers={setIsDownloadingUsers}
-        />
-      </div>
-    </div>
-  );
-}
-
-function AddUserButton() {
-  const [bulkAddUsersModal, setBulkAddUsersModal] = useState(false);
-
-  const onSuccess = (emailInviteStatus: EmailInviteStatus) => {
-    mutate(
-      (key) => typeof key === "string" && key.startsWith("/api/manage/users")
-    );
-    setBulkAddUsersModal(false);
-    if (emailInviteStatus === "NOT_CONFIGURED") {
-      toast.warning(
-        "Users added, but no email notification was sent. There is no SMTP server set up for email sending."
-      );
-    } else if (emailInviteStatus === "SEND_FAILED") {
-      toast.warning(
-        "Users added, but email sending failed. Check your SMTP configuration and try again."
-      );
-    } else {
-      toast.success("Users invited!");
-    }
-  };
-
-  const onFailure = async (res: Response) => {
-    const error = (await res.json()).detail;
-    toast.error(`Failed to invite users - ${error}`);
-  };
-
-  const handleInviteClick = () => {
-    setBulkAddUsersModal(true);
-  };
-
-  return (
-    <>
-      <CreateButton primary onClick={handleInviteClick}>
-        Invite Users
-      </CreateButton>
-
-      {bulkAddUsersModal && (
-        <Modal open onOpenChange={() => setBulkAddUsersModal(false)}>
-          <Modal.Content>
-            <Modal.Header
-              icon={SvgUserPlus}
-              title="Bulk Add Users"
-              onClose={() => setBulkAddUsersModal(false)}
-            />
-            <Modal.Body>
-              <div className="flex flex-col gap-2">
-                <Text as="p">
-                  Add the email addresses to import, separated by whitespaces.
-                  Invited users will be able to login to this domain with their
-                  email address.
-                </Text>
-                <BulkAdd onSuccess={onSuccess} onFailure={onFailure} />
-              </div>
-            </Modal.Body>
-          </Modal.Content>
-        </Modal>
-      )}
-    </>
-  );
-}
-
-export default function Page() {
-  return (
-    <SettingsLayouts.Root>
-      <SettingsLayouts.Header title={route.title} icon={route.icon} separator />
-      <SettingsLayouts.Body>
-        <SearchableTables />
-      </SettingsLayouts.Body>
-    </SettingsLayouts.Root>
-  );
-}
+export { default } from "@/refresh-pages/admin/UsersPage";

web/src/app/admin/users2/page.tsx

@@ -1 +0,0 @@
-export { default } from "@/refresh-pages/admin/UsersPage";

web/src/app/app/layout.tsx

@@ -3,6 +3,7 @@ import type { Route } from "next";
 import { unstable_noStore as noStore } from "next/cache";
 import { requireAuth } from "@/lib/auth/requireAuth";
 import { ProjectsProvider } from "@/providers/ProjectsContext";
+import { VoiceModeProvider } from "@/providers/VoiceModeProvider";
 import AppSidebar from "@/sections/sidebar/AppSidebar";
 
 export interface LayoutProps {
@@ -21,10 +22,15 @@ export default async function Layout({ children }: LayoutProps) {
 
   return (
     <ProjectsProvider>
-      <div className="flex flex-row w-full h-full">
-        <AppSidebar />
-        {children}
-      </div>
+      {/* VoiceModeProvider wraps the full app layout so TTS playback state
+          persists across page navigations (e.g., sidebar clicks during playback).
+          It only activates WebSocket connections when TTS is actually triggered. */}
+      <VoiceModeProvider>
+        <div className="flex flex-row w-full h-full">
+          <AppSidebar />
+          {children}
+        </div>
+      </VoiceModeProvider>
     </ProjectsProvider>
   );
 }

web/src/app/app/message/messageComponents/AgentMessage.tsx

@@ -1,6 +1,12 @@
 "use client";
 
-import React, { useRef, RefObject, useMemo } from "react";
+import React, {
+  useRef,
+  RefObject,
+  useMemo,
+  useEffect,
+  useLayoutEffect,
+} from "react";
 import { Packet, StopReason } from "@/app/app/services/streamingModels";
 import CustomToolAuthCard from "@/app/app/message/messageComponents/CustomToolAuthCard";
 import { FullChatState } from "@/app/app/message/messageComponents/interfaces";
@@ -16,6 +22,9 @@ import { LlmDescriptor, LlmManager } from "@/lib/hooks";
 import { Message } from "@/app/app/interfaces";
 import Text from "@/refresh-components/texts/Text";
 import { AgentTimeline } from "@/app/app/message/messageComponents/timeline/AgentTimeline";
+import { useVoiceMode } from "@/providers/VoiceModeProvider";
+import { getTextContent } from "@/app/app/services/packetUtils";
+import { removeThinkingTokens } from "@/app/app/services/thinkingTokens";
 
 // Type for the regeneration factory function passed from ChatUI
 export type RegenerationFactory = (regenerationRequest: {
@@ -75,6 +84,7 @@ function arePropsEqual(
 
 const AgentMessage = React.memo(function AgentMessage({
   rawPackets,
+  packetCount,
   chatState,
   nodeId,
   messageId,
@@ -162,6 +172,80 @@ const AgentMessage = React.memo(function AgentMessage({
     onMessageSelection,
   });
 
+  // Streaming TTS integration
+  const { streamTTS, resetTTS, stopTTS } = useVoiceMode();
+  const ttsCompletedRef = useRef(false);
+  const hasStreamedIncompleteRef = useRef(false);
+  const hasObservedPacketGrowthRef = useRef(false);
+  const lastSeenPacketCountRef = useRef(packetCount ?? rawPackets.length);
+  const streamTTSRef = useRef(streamTTS);
+
+  // Keep streamTTS ref in sync without triggering effect re-runs
+  useEffect(() => {
+    streamTTSRef.current = streamTTS;
+  }, [streamTTS]);
+
+  // Stream TTS as text content arrives - only for messages still streaming
+  // Uses ref for streamTTS to avoid re-triggering when its identity changes
+  // Note: packetCount is used instead of rawPackets because the array is mutated in place
+  useLayoutEffect(() => {
+    const effectivePacketCount = packetCount ?? rawPackets.length;
+    if (effectivePacketCount > lastSeenPacketCountRef.current) {
+      hasObservedPacketGrowthRef.current = true;
+    }
+    lastSeenPacketCountRef.current = effectivePacketCount;
+
+    // Skip if we've already finished TTS for this message
+    if (ttsCompletedRef.current) return;
+
+    // If user cancelled generation, do not send more text to TTS.
+    if (stopPacketSeen && stopReason === StopReason.USER_CANCELLED) {
+      ttsCompletedRef.current = true;
+      return;
+    }
+
+    const textContent = removeThinkingTokens(getTextContent(rawPackets));
+    if (!(typeof textContent === "string" && textContent.length > 0)) return;
+
+    // Only autoplay messages that were observed streaming in this lifecycle.
+    // Prevents historical, already-complete chats from re-triggering read-aloud on mount.
+    if (!isComplete) {
+      if (!hasObservedPacketGrowthRef.current) {
+        return;
+      }
+      hasStreamedIncompleteRef.current = true;
+      streamTTSRef.current(textContent, false, nodeId);
+      return;
+    }
+
+    if (hasStreamedIncompleteRef.current) {
+      streamTTSRef.current(textContent, true, nodeId);
+      ttsCompletedRef.current = true;
+    }
+  }, [packetCount, isComplete, rawPackets, nodeId, stopPacketSeen, stopReason]); // packetCount triggers on new packets since rawPackets is mutated in place
+
+  // Stop TTS immediately when user cancels generation.
+  useEffect(() => {
+    if (stopPacketSeen && stopReason === StopReason.USER_CANCELLED) {
+      stopTTS({ manual: true });
+    }
+  }, [stopPacketSeen, stopReason, stopTTS]);
+
+  // Reset TTS completed flag when nodeId changes (new message)
+  useEffect(() => {
+    ttsCompletedRef.current = false;
+    hasStreamedIncompleteRef.current = false;
+    hasObservedPacketGrowthRef.current = false;
+    lastSeenPacketCountRef.current = packetCount ?? rawPackets.length;
+  }, [nodeId]);
+
+  // Reset TTS when component unmounts or nodeId changes
+  useEffect(() => {
+    return () => {
+      resetTTS();
+    };
+  }, [nodeId, resetTTS]);
+
   return (
     <div
       className="flex flex-col gap-3"
@@ -208,6 +292,8 @@ const AgentMessage = React.memo(function AgentMessage({
                 key={`${displayGroup.turn_index}-${displayGroup.tab_index}`}
                 packets={displayGroup.packets}
                 chatState={effectiveChatState}
+                messageNodeId={nodeId}
+                hasTimelineThinking={pacedTurnGroups.length > 0 || hasSteps}
                 onComplete={() => {
                   // Only mark complete on the last display group
                   // Hook handles the finalAnswerComing check internally

web/src/app/app/message/messageComponents/MessageToolbar.tsx

@@ -29,6 +29,9 @@ import FeedbackModal, {
   FeedbackModalProps,
 } from "@/sections/modals/FeedbackModal";
 import { Button, SelectButton } from "@opal/components";
+import TTSButton from "./TTSButton";
+import { useVoiceMode } from "@/providers/VoiceModeProvider";
+import { useVoiceStatus } from "@/hooks/useVoiceStatus";
 
 // Wrapper component for SourceTag in toolbar to handle memoization
 const SourcesTagWrapper = React.memo(function SourcesTagWrapper({
@@ -144,6 +147,14 @@ export default function MessageToolbar({
     (state) => state.updateCurrentSelectedNodeForDocDisplay
   );
 
+  // Voice mode - hide toolbar during TTS playback for this message
+  const { isTTSPlaying, activeMessageNodeId, isAwaitingAutoPlaybackStart } =
+    useVoiceMode();
+  const { ttsEnabled } = useVoiceStatus();
+  const isTTSActiveForThisMessage =
+    (isTTSPlaying || isAwaitingAutoPlaybackStart) &&
+    activeMessageNodeId === nodeId;
+
   // Feedback modal state and handlers
   const { handleFeedbackChange } = useFeedbackController();
   const modal = useCreateModal();
@@ -204,6 +215,11 @@ export default function MessageToolbar({
     [messageId, currentFeedback, handleFeedbackChange, modal]
   );
 
+  // Hide toolbar while TTS is playing for this message
+  if (isTTSActiveForThisMessage) {
+    return null;
+  }
+
   return (
     <>
       <modal.Provider>
@@ -268,6 +284,13 @@ export default function MessageToolbar({
               }
               data-testid="AgentMessage/dislike-button"
             />
+            {ttsEnabled && (
+              <TTSButton
+                text={
+                  removeThinkingTokens(getTextContent(rawPackets)) as string
+                }
+              />
+            )}
 
             {onRegenerate &&
               messageId !== undefined &&

web/src/app/app/message/messageComponents/TTSButton.tsx

@@ -0,0 +1,90 @@
+"use client";
+
+import { useCallback, useEffect } from "react";
+import { SvgPlayCircle, SvgStop } from "@opal/icons";
+import { Button } from "@opal/components";
+import { useVoicePlayback } from "@/hooks/useVoicePlayback";
+import { useVoiceMode } from "@/providers/VoiceModeProvider";
+import { toast } from "@/hooks/useToast";
+import SimpleLoader from "@/refresh-components/loaders/SimpleLoader";
+
+interface TTSButtonProps {
+  text: string;
+  voice?: string;
+  speed?: number;
+}
+
+function TTSButton({ text, voice, speed }: TTSButtonProps) {
+  const { isPlaying, isLoading, error, play, pause, stop } = useVoicePlayback();
+  const { isTTSPlaying, isTTSLoading, isAwaitingAutoPlaybackStart, stopTTS } =
+    useVoiceMode();
+
+  const isGlobalTTSActive =
+    isTTSPlaying || isTTSLoading || isAwaitingAutoPlaybackStart;
+  const isButtonPlaying = isGlobalTTSActive || isPlaying;
+  const isButtonLoading = !isGlobalTTSActive && isLoading;
+
+  const handleClick = useCallback(async () => {
+    if (isGlobalTTSActive) {
+      // Stop auto-playback voice mode stream from the toolbar button.
+      stopTTS({ manual: true });
+      stop();
+    } else if (isPlaying) {
+      pause();
+    } else if (isButtonLoading) {
+      stop();
+    } else {
+      try {
+        // Ensure no voice-mode stream is active before starting manual playback.
+        stopTTS();
+        await play(text, voice, speed);
+      } catch (err) {
+        console.error("TTS playback failed:", err);
+        toast.error("Could not play audio");
+      }
+    }
+  }, [
+    isGlobalTTSActive,
+    isPlaying,
+    isButtonLoading,
+    text,
+    voice,
+    speed,
+    play,
+    pause,
+    stop,
+    stopTTS,
+  ]);
+
+  // Surface streaming voice playback errors to the user via toast
+  useEffect(() => {
+    if (error) {
+      console.error("Voice playback error:", error);
+      toast.error(error);
+    }
+  }, [error]);
+
+  const icon = isButtonLoading
+    ? SimpleLoader
+    : isButtonPlaying
+      ? SvgStop
+      : SvgPlayCircle;
+
+  const tooltip = isButtonPlaying
+    ? "Stop playback"
+    : isButtonLoading
+      ? "Loading..."
+      : "Read aloud";
+
+  return (
+    <Button
+      icon={icon}
+      onClick={handleClick}
+      prominence="tertiary"
+      tooltip={tooltip}
+      data-testid="AgentMessage/tts-button"
+    />
+  );
+}
+
+export default TTSButton;

web/src/app/app/message/messageComponents/interfaces.ts

@@ -67,6 +67,10 @@ export type MessageRenderer<
 > = React.ComponentType<{
   packets: T[];
   state: S;
+  /** Node id for the message currently being rendered */
+  messageNodeId?: number;
+  /** True when timeline/thinking UI is already shown above this text block */
+  hasTimelineThinking?: boolean;
   onComplete: () => void;
   renderType: RenderType;
   animate: boolean;

web/src/app/app/message/messageComponents/renderMessageComponent.tsx

@@ -166,6 +166,8 @@ function MixedContentHandler({
   chatPackets,
   imagePackets,
   chatState,
+  messageNodeId,
+  hasTimelineThinking,
   onComplete,
   animate,
   stopPacketSeen,
@@ -175,6 +177,8 @@ function MixedContentHandler({
   chatPackets: Packet[];
   imagePackets: Packet[];
   chatState: FullChatState;
+  messageNodeId?: number;
+  hasTimelineThinking?: boolean;
   onComplete: () => void;
   animate: boolean;
   stopPacketSeen: boolean;
@@ -185,6 +189,8 @@ function MixedContentHandler({
     <MessageTextRenderer
       packets={chatPackets as ChatPacket[]}
       state={chatState}
+      messageNodeId={messageNodeId}
+      hasTimelineThinking={hasTimelineThinking}
       onComplete={() => {}}
       animate={animate}
       renderType={RenderType.FULL}
@@ -212,6 +218,8 @@ function MixedContentHandler({
 interface RendererComponentProps {
   packets: Packet[];
   chatState: FullChatState;
+  messageNodeId?: number;
+  hasTimelineThinking?: boolean;
   onComplete: () => void;
   animate: boolean;
   stopPacketSeen: boolean;
@@ -229,7 +237,8 @@ function areRendererPropsEqual(
     prev.stopPacketSeen === next.stopPacketSeen &&
     prev.stopReason === next.stopReason &&
     prev.animate === next.animate &&
-    prev.chatState.agent?.id === next.chatState.agent?.id
+    prev.chatState.agent?.id === next.chatState.agent?.id &&
+    prev.messageNodeId === next.messageNodeId
     // Skip: onComplete, children (function refs), chatState (memoized upstream)
   );
 }
@@ -238,6 +247,8 @@ function areRendererPropsEqual(
 export const RendererComponent = memo(function RendererComponent({
   packets,
   chatState,
+  messageNodeId,
+  hasTimelineThinking,
   onComplete,
   animate,
   stopPacketSeen,
@@ -272,6 +283,8 @@ export const RendererComponent = memo(function RendererComponent({
         chatPackets={chatPackets}
         imagePackets={imagePackets}
         chatState={chatState}
+        messageNodeId={messageNodeId}
+        hasTimelineThinking={hasTimelineThinking}
         onComplete={onComplete}
         animate={animate}
         stopPacketSeen={stopPacketSeen}
@@ -292,6 +305,8 @@ export const RendererComponent = memo(function RendererComponent({
     <RendererFn
       packets={packets as any}
       state={chatState}
+      messageNodeId={messageNodeId}
+      hasTimelineThinking={hasTimelineThinking}
       onComplete={onComplete}
       animate={animate}
       renderType={RenderType.FULL}

web/src/app/app/message/messageComponents/renderers/MessageTextRenderer.tsx

@@ -1,4 +1,4 @@
-import React, { useEffect, useMemo, useState } from "react";
+import React, { useEffect, useMemo, useRef, useState } from "react";
 import Text from "@/refresh-components/texts/Text";
 
 import {
@@ -10,6 +10,55 @@ import { MessageRenderer, FullChatState } from "../interfaces";
 import { isFinalAnswerComplete } from "../../../services/packetUtils";
 import { useMarkdownRenderer } from "../markdownUtils";
 import { BlinkingBar } from "../../BlinkingBar";
+import { useVoiceMode } from "@/providers/VoiceModeProvider";
+
+/**
+ * Maps a cleaned character position to the corresponding position in markdown text.
+ * This allows progressive reveal to work with markdown formatting.
+ */
+function getRevealPosition(markdown: string, cleanChars: number): number {
+  // Skip patterns that don't contribute to visible character count
+  const skipChars = new Set(["*", "`", "#"]);
+  let cleanIndex = 0;
+  let mdIndex = 0;
+
+  while (cleanIndex < cleanChars && mdIndex < markdown.length) {
+    const char = markdown[mdIndex];
+
+    // Skip markdown formatting characters
+    if (char !== undefined && skipChars.has(char)) {
+      mdIndex++;
+      continue;
+    }
+
+    // Handle link syntax [text](url) - skip the (url) part but count the text
+    if (
+      char === "]" &&
+      mdIndex + 1 < markdown.length &&
+      markdown[mdIndex + 1] === "("
+    ) {
+      const closeIdx = markdown.indexOf(")", mdIndex + 2);
+      if (closeIdx > 0) {
+        mdIndex = closeIdx + 1;
+        continue;
+      }
+    }
+
+    cleanIndex++;
+    mdIndex++;
+  }
+
+  // Extend to word boundary to avoid cutting mid-word
+  while (
+    mdIndex < markdown.length &&
+    markdown[mdIndex] !== " " &&
+    markdown[mdIndex] !== "\n"
+  ) {
+    mdIndex++;
+  }
+
+  return mdIndex;
+}
 
 // Control the rate of packet streaming (packets per second)
 const PACKET_DELAY_MS = 10;
@@ -20,6 +69,8 @@ export const MessageTextRenderer: MessageRenderer<
 > = ({
   packets,
   state,
+  messageNodeId,
+  hasTimelineThinking,
   onComplete,
   renderType,
   animate,
@@ -36,6 +87,17 @@ export const MessageTextRenderer: MessageRenderer<
 
   const [displayedPacketCount, setDisplayedPacketCount] =
     useState(initialPacketCount);
+  const lastStableSyncedContentRef = useRef("");
+  const lastVisibleContentRef = useRef("");
+
+  // Get voice mode context for progressive text reveal synced with audio
+  const {
+    revealedCharCount,
+    autoPlayback,
+    isAudioSyncActive,
+    activeMessageNodeId,
+    isAwaitingAutoPlaybackStart,
+  } = useVoiceMode();
 
   // Get the full content from all packets
   const fullContent = packets
@@ -50,6 +112,11 @@ export const MessageTextRenderer: MessageRenderer<
     })
     .join("");
 
+  const shouldUseAutoPlaybackSync =
+    autoPlayback &&
+    typeof messageNodeId === "number" &&
+    activeMessageNodeId === messageNodeId;
+
   // Animation effect - gradually increase displayed packets at controlled rate
   useEffect(() => {
     if (!animate) {
@@ -93,13 +160,37 @@ export const MessageTextRenderer: MessageRenderer<
     }
   }, [packets, onComplete, animate, displayedPacketCount]);
 
-  // Get content based on displayed packet count
-  const content = useMemo(() => {
+  // Get content based on displayed packet count or audio progress
+  const computedContent = useMemo(() => {
+    // Hold response in "thinking" state only while autoplay startup is pending.
+    if (shouldUseAutoPlaybackSync && isAwaitingAutoPlaybackStart) {
+      return "";
+    }
+
+    // Sync text with audio only for the message currently being spoken.
+    if (shouldUseAutoPlaybackSync && isAudioSyncActive) {
+      const MIN_REVEAL_CHARS = 12;
+      if (revealedCharCount < MIN_REVEAL_CHARS) {
+        return "";
+      }
+
+      // Reveal text progressively based on audio progress
+      const revealPos = getRevealPosition(fullContent, revealedCharCount);
+      return fullContent.slice(0, Math.max(revealPos, 0));
+    }
+
+    // During an active synced turn, if sync temporarily drops, keep current reveal
+    // instead of jumping to full content or blanking.
+    if (shouldUseAutoPlaybackSync && !stopPacketSeen) {
+      return lastStableSyncedContentRef.current;
+    }
+
+    // Standard behavior when auto-playback is off
     if (!animate || displayedPacketCount === -1) {
       return fullContent; // Show all content
     }
 
-    // Only show content from packets up to displayedPacketCount
+    // Packet-based reveal (when auto-playback is disabled)
     return packets
       .slice(0, displayedPacketCount)
       .map((packet) => {
@@ -112,31 +203,109 @@ export const MessageTextRenderer: MessageRenderer<
         return "";
       })
       .join("");
-  }, [animate, displayedPacketCount, fullContent, packets]);
+  }, [
+    animate,
+    displayedPacketCount,
+    fullContent,
+    packets,
+    revealedCharCount,
+    autoPlayback,
+    isAudioSyncActive,
+    activeMessageNodeId,
+    isAwaitingAutoPlaybackStart,
+    messageNodeId,
+    shouldUseAutoPlaybackSync,
+    stopPacketSeen,
+  ]);
+
+  // Keep synced text monotonic: once visible, never regress or disappear between chunks.
+  const content = useMemo(() => {
+    const wasUserCancelled = stopReason === StopReason.USER_CANCELLED;
+
+    // On user cancel, freeze at exactly what was already visible.
+    if (wasUserCancelled) {
+      return lastVisibleContentRef.current;
+    }
+
+    if (!shouldUseAutoPlaybackSync) {
+      return computedContent;
+    }
+
+    if (computedContent.length === 0) {
+      return lastStableSyncedContentRef.current;
+    }
+
+    const last = lastStableSyncedContentRef.current;
+    if (computedContent.startsWith(last)) {
+      return computedContent;
+    }
+
+    // If content shape changed unexpectedly mid-stream, prefer the stable version
+    // to avoid flicker/dumps.
+    if (!stopPacketSeen || wasUserCancelled) {
+      return last;
+    }
+
+    // For normal completed responses, allow final full content.
+    return computedContent;
+  }, [computedContent, shouldUseAutoPlaybackSync, stopPacketSeen, stopReason]);
+
+  // Sync the stable ref outside of useMemo to avoid side effects during render.
+  useEffect(() => {
+    if (stopReason === StopReason.USER_CANCELLED) {
+      return;
+    }
+    if (!shouldUseAutoPlaybackSync) {
+      lastStableSyncedContentRef.current = "";
+    } else if (content.length > 0) {
+      lastStableSyncedContentRef.current = content;
+    }
+  }, [content, shouldUseAutoPlaybackSync, stopReason]);
+
+  // Track last actually rendered content so cancel can freeze without dumping buffered text.
+  useEffect(() => {
+    if (content.length > 0) {
+      lastVisibleContentRef.current = content;
+    }
+  }, [content]);
+
+  const shouldShowThinkingPlaceholder =
+    shouldUseAutoPlaybackSync &&
+    isAwaitingAutoPlaybackStart &&
+    !hasTimelineThinking &&
+    !stopPacketSeen;
+
+  const shouldShowSpeechWarmupIndicator =
+    shouldUseAutoPlaybackSync &&
+    !isAwaitingAutoPlaybackStart &&
+    content.length === 0 &&
+    fullContent.length > 0 &&
+    !hasTimelineThinking &&
+    !stopPacketSeen;
+
+  const shouldShowCursor =
+    content.length > 0 &&
+    (!stopPacketSeen ||
+      (shouldUseAutoPlaybackSync && content.length < fullContent.length));
 
   const { renderedContent } = useMarkdownRenderer(
     // the [*]() is a hack to show a blinking dot when the packet is not complete
-    stopPacketSeen ? content : content + " [*]() ",
+    shouldShowCursor ? content + " [*]() " : content,
     state,
     "font-main-content-body"
   );
 
-  const wasUserCancelled = stopReason === StopReason.USER_CANCELLED;
-
   return children([
     {
       icon: null,
       status: null,
       content:
-        content.length > 0 || packets.length > 0 ? (
-          <>
-            {renderedContent}
-            {wasUserCancelled && (
-              <Text as="p" secondaryBody text04>
-                User has stopped generation
-              </Text>
-            )}
-          </>
+        shouldShowThinkingPlaceholder || shouldShowSpeechWarmupIndicator ? (
+          <Text as="span" secondaryBody text04 className="italic">
+            Thinking
+          </Text>
+        ) : content.length > 0 ? (
+          <>{renderedContent}</>
         ) : (
           <BlinkingBar addMargin />
         ),

web/src/app/craft/components/ChatPanel.tsx

@@ -2,7 +2,7 @@
 
 import { useCallback, useState, useEffect, useRef, useMemo } from "react";
 import { useRouter } from "next/navigation";
-import { usePostHog } from "posthog-js/react";
+import { track, AnalyticsEvent } from "@/lib/analytics";
 import {
   useSession,
   useSessionId,
@@ -61,7 +61,6 @@ export default function BuildChatPanel({
   existingSessionId,
 }: BuildChatPanelProps) {
   const router = useRouter();
-  const posthog = usePostHog();
   const outputPanelOpen = useOutputPanelOpen();
   const session = useSession();
   const sessionId = useSessionId();
@@ -254,7 +253,7 @@ export default function BuildChatPanel({
         return;
       }
 
-      posthog?.capture("sent_craft_message");
+      track(AnalyticsEvent.SENT_CRAFT_MESSAGE);
 
       if (hasSession && sessionId) {
         // Existing session flow
@@ -367,7 +366,6 @@ export default function BuildChatPanel({
       hasUploadingFiles,
       limits,
       refreshLimits,
-      posthog,
     ]
   );
 

web/src/app/craft/components/IntroContent.tsx

@@ -2,7 +2,7 @@
 
 import { useEffect } from "react";
 import { motion } from "motion/react";
-import { usePostHog } from "posthog-js/react";
+import { track, AnalyticsEvent } from "@/lib/analytics";
 import { OnyxLogoTypeIcon } from "@/components/icons/icons";
 import Text from "@/refresh-components/texts/Text";
 import BigButton from "@/app/craft/components/BigButton";
@@ -16,12 +16,10 @@ export default function BuildModeIntroContent({
   onClose,
   onTryBuildMode,
 }: BuildModeIntroContentProps) {
-  const posthog = usePostHog();
-
   // Track when user sees the craft intro
   useEffect(() => {
-    posthog?.capture("saw_craft_intro");
-  }, [posthog]);
+    track(AnalyticsEvent.SAW_CRAFT_INTRO);
+  }, []);
 
   return (
     <div className="absolute inset-0 flex flex-col items-center justify-center pointer-events-none">
@@ -75,7 +73,7 @@ export default function BuildModeIntroContent({
             className="!border-white !text-white hover:!bg-white/10 active:!bg-white/20 !w-[160px]"
             onClick={(e) => {
               e.stopPropagation();
-              posthog?.capture("clicked_go_home");
+              track(AnalyticsEvent.CLICKED_GO_HOME);
               onClose();
             }}
           >
@@ -86,7 +84,7 @@ export default function BuildModeIntroContent({
             className="!bg-white !text-black hover:!bg-gray-200 active:!bg-gray-300 !w-[160px]"
             onClick={(e) => {
               e.stopPropagation();
-              posthog?.capture("clicked_try_craft");
+              track(AnalyticsEvent.CLICKED_TRY_CRAFT);
               onTryBuildMode();
             }}
           >

web/src/app/craft/onboarding/components/BuildOnboardingModal.tsx

@@ -1,7 +1,11 @@
 "use client";
 
 import { useState, useEffect, useMemo } from "react";
-import { usePostHog } from "posthog-js/react";
+import {
+  track,
+  AnalyticsEvent,
+  LLMProviderConfiguredSource,
+} from "@/lib/analytics";
 import { SvgArrowRight, SvgArrowLeft, SvgX } from "@opal/icons";
 import { cn } from "@/lib/utils";
 import Text from "@/refresh-components/texts/Text";
@@ -112,8 +116,6 @@ export default function BuildOnboardingModal({
   onLlmComplete,
   onClose,
 }: BuildOnboardingModalProps) {
-  const posthog = usePostHog();
-
   // Compute steps based on mode
   const steps = useMemo(
     () => getStepsForMode(mode, isAdmin, allProvidersConfigured, hasUserInfo),
@@ -283,6 +285,12 @@ export default function BuildOnboardingModal({
         modelName: selectedModel,
       });
 
+      track(AnalyticsEvent.CONFIGURED_LLM_PROVIDER, {
+        provider: currentProviderConfig.providerName,
+        is_creation: true,
+        source: LLMProviderConfiguredSource.CRAFT_ONBOARDING,
+      });
+
       setConnectionStatus("success");
     } catch (error) {
       console.error("Error connecting LLM provider:", error);
@@ -347,7 +355,7 @@ export default function BuildOnboardingModal({
         level: level || undefined,
       });
 
-      posthog?.capture("completed_craft_onboarding");
+      track(AnalyticsEvent.COMPLETED_CRAFT_ONBOARDING);
       onClose();
     } catch (error) {
       console.error("Error completing onboarding:", error);
@@ -465,7 +473,7 @@ export default function BuildOnboardingModal({
               <button
                 type="button"
                 onClick={() => {
-                  posthog?.capture("completed_craft_user_info", {
+                  track(AnalyticsEvent.COMPLETED_CRAFT_USER_INFO, {
                     first_name: firstName.trim(),
                     last_name: lastName.trim() || undefined,
                     work_area: workArea,

web/src/app/globals.css

@@ -566,6 +566,21 @@ textarea {
   animation: fadeIn 0.2s ease-out forwards;
 }
 
+/* Recording waveform animation */
+@keyframes waveform {
+  0%,
+  100% {
+    transform: scaleY(0.3);
+  }
+  50% {
+    transform: scaleY(1);
+  }
+}
+
+.animate-waveform {
+  animation: waveform 0.8s ease-in-out infinite;
+}
+
 .container {
   margin-bottom: 1rem;
 }

web/src/app/layout.tsx

@@ -12,7 +12,7 @@ import {
   MODAL_ROOT_ID,
 } from "@/lib/constants";
 import { Metadata } from "next";
-import { buildClientUrl } from "@/lib/utilsSS";
+
 import { Inter } from "next/font/google";
 import { EnterpriseSettings, ApplicationStatus } from "@/interfaces/settings";
 import AppProvider from "@/providers/AppProvider";
@@ -45,14 +45,14 @@ const hankenGrotesk = Hanken_Grotesk({
 });
 
 export async function generateMetadata(): Promise<Metadata> {
-  let logoLocation = buildClientUrl("/onyx.ico");
+  let logoLocation = "/onyx.ico";
   let enterpriseSettings: EnterpriseSettings | null = null;
   if (SERVER_SIDE_ONLY__PAID_ENTERPRISE_FEATURES_ENABLED) {
     enterpriseSettings = await (await fetchEnterpriseSettingsSS()).json();
     logoLocation =
       enterpriseSettings && enterpriseSettings.use_custom_logo
         ? "/api/enterprise-settings/logo"
-        : buildClientUrl("/onyx.ico");
+        : "/onyx.ico";
   }
 
   return {

web/src/app/nrf/layout.tsx

@@ -1,4 +1,5 @@
 import { ProjectsProvider } from "@/providers/ProjectsContext";
+import { VoiceModeProvider } from "@/providers/VoiceModeProvider";
 
 export interface LayoutProps {
   children: React.ReactNode;
@@ -11,5 +12,9 @@ export interface LayoutProps {
  * Sidebar and chrome are handled by sub-layouts / individual pages.
  */
 export default function Layout({ children }: LayoutProps) {
-  return <ProjectsProvider>{children}</ProjectsProvider>;
+  return (
+    <ProjectsProvider>
+      <VoiceModeProvider>{children}</VoiceModeProvider>
+    </ProjectsProvider>
+  );
 }

web/src/components/admin/ClientLayout.tsx

@@ -31,7 +31,6 @@ const SETTINGS_LAYOUT_PREFIXES = [
   ADMIN_PATHS.LLM_MODELS,
   ADMIN_PATHS.AGENTS,
   ADMIN_PATHS.USERS,
-  ADMIN_PATHS.USERS_V2,
   ADMIN_PATHS.TOKEN_RATE_LIMITS,
   ADMIN_PATHS.SEARCH_SETTINGS,
   ADMIN_PATHS.DOCUMENT_PROCESSING,

web/src/components/chat/MinimalMarkdown.tsx

@@ -11,14 +11,13 @@ import rehypeHighlight from "rehype-highlight";
 import remarkMath from "remark-math";
 import rehypeKatex from "rehype-katex";
 import "katex/dist/katex.min.css";
-import { transformLinkUri } from "@/lib/utils";
+import { cn, transformLinkUri } from "@/lib/utils";
 
 type MinimalMarkdownComponentOverrides = Partial<Components>;
 
 interface MinimalMarkdownProps {
   content: string;
   className?: string;
-  style?: CSSProperties;
   showHeader?: boolean;
   /**
    * Override specific markdown renderers.
@@ -30,7 +29,6 @@ interface MinimalMarkdownProps {
 export default function MinimalMarkdown({
   content,
   className = "",
-  style,
   showHeader = true,
   components,
 }: MinimalMarkdownProps) {
@@ -63,19 +61,17 @@ export default function MinimalMarkdown({
   }, [content, components, showHeader]);
 
   return (
-    <div style={style || {}} className={`${className}`}>
-      <ReactMarkdown
-        className="prose dark:prose-invert max-w-full text-sm break-words"
-        components={markdownComponents}
-        rehypePlugins={[rehypeHighlight, rehypeKatex]}
-        remarkPlugins={[
-          remarkGfm,
-          [remarkMath, { singleDollarTextMath: false }],
-        ]}
-        urlTransform={transformLinkUri}
-      >
-        {content}
-      </ReactMarkdown>
-    </div>
+    <ReactMarkdown
+      className={cn(
+        "prose dark:prose-invert max-w-full text-sm break-words",
+        className
+      )}
+      components={markdownComponents}
+      rehypePlugins={[rehypeHighlight, rehypeKatex]}
+      remarkPlugins={[remarkGfm, [remarkMath, { singleDollarTextMath: false }]]}
+      urlTransform={transformLinkUri}
+    >
+      {content}
+    </ReactMarkdown>
   );
 }

web/src/components/icons/icons.tsx

@@ -39,6 +39,8 @@ import document360Icon from "@public/Document360.png";
 import dropboxIcon from "@public/Dropbox.png";
 import drupalwikiIcon from "@public/DrupalWiki.png";
 import egnyteIcon from "@public/Egnyte.png";
+import elevenLabsDarkSVG from "@public/ElevenLabsDark.svg";
+import elevenLabsSVG from "@public/ElevenLabs.svg";
 import firefliesIcon from "@public/Fireflies.png";
 import freshdeskIcon from "@public/Freshdesk.png";
 import geminiSVG from "@public/Gemini.svg";
@@ -843,6 +845,9 @@ export const Document360Icon = createLogoIcon(document360Icon);
 export const DropboxIcon = createLogoIcon(dropboxIcon);
 export const DrupalWikiIcon = createLogoIcon(drupalwikiIcon);
 export const EgnyteIcon = createLogoIcon(egnyteIcon);
+export const ElevenLabsIcon = createLogoIcon(elevenLabsSVG, {
+  darkSrc: elevenLabsDarkSVG,
+});
 export const FirefliesIcon = createLogoIcon(firefliesIcon);
 export const FreshdeskIcon = createLogoIcon(freshdeskIcon);
 export const GeminiIcon = createLogoIcon(geminiSVG);

web/src/components/voice/Waveform.tsx

@@ -0,0 +1,206 @@
+"use client";
+
+import { useEffect, useState, useMemo, useRef } from "react";
+import { cn } from "@/lib/utils";
+import { formatElapsedTime } from "@/lib/dateUtils";
+import { Button } from "@opal/components";
+import {
+  SvgMicrophone,
+  SvgMicrophoneOff,
+  SvgVolume,
+  SvgVolumeOff,
+} from "@opal/icons";
+
+// Recording waveform constants
+const RECORDING_BAR_COUNT = 120;
+const MIN_BAR_HEIGHT = 2;
+const MAX_BAR_HEIGHT = 16;
+
+// Speaking waveform constants
+const SPEAKING_BAR_COUNT = 28;
+
+interface WaveformProps {
+  /** Visual style and behavior variant */
+  variant: "speaking" | "recording";
+  /** Whether the waveform is actively animating */
+  isActive: boolean;
+  /** Whether audio is muted */
+  isMuted?: boolean;
+  /** Current microphone audio level (0-1), only used for recording variant */
+  audioLevel?: number;
+  /** Callback when mute button is clicked */
+  onMuteToggle?: () => void;
+}
+
+function Waveform({
+  variant,
+  isActive,
+  isMuted = false,
+  audioLevel = 0,
+  onMuteToggle,
+}: WaveformProps) {
+  // ─── Recording variant state ───────────────────────────────────────────────
+  const [elapsedSeconds, setElapsedSeconds] = useState(0);
+  const [barHeights, setBarHeights] = useState<number[]>(
+    () => new Array(RECORDING_BAR_COUNT).fill(MIN_BAR_HEIGHT) as number[]
+  );
+  const animationRef = useRef<number | null>(null);
+  const lastPushTimeRef = useRef(0);
+  const audioLevelRef = useRef(audioLevel);
+  audioLevelRef.current = audioLevel;
+
+  // ─── Speaking variant bars ─────────────────────────────────────────────────
+  const speakingBars = useMemo(() => {
+    return Array.from({ length: SPEAKING_BAR_COUNT }, (_, i) => ({
+      id: i,
+      // Create a natural wave pattern with height variation
+      baseHeight: Math.sin(i * 0.4) * 5 + 8,
+      delay: i * 0.025,
+    }));
+  }, []);
+
+  // ─── Recording: Timer effect ───────────────────────────────────────────────
+  useEffect(() => {
+    if (variant !== "recording") return;
+
+    if (!isActive) {
+      setElapsedSeconds(0);
+      return;
+    }
+
+    const interval = setInterval(() => {
+      setElapsedSeconds((prev) => prev + 1);
+    }, 1000);
+
+    return () => clearInterval(interval);
+  }, [variant, isActive]);
+
+  // ─── Recording: Audio level visualization effect ───────────────────────────
+  useEffect(() => {
+    if (variant !== "recording") return;
+
+    if (!isActive) {
+      setBarHeights(
+        new Array(RECORDING_BAR_COUNT).fill(MIN_BAR_HEIGHT) as number[]
+      );
+      lastPushTimeRef.current = 0;
+      return;
+    }
+
+    const updateBars = (timestamp: number) => {
+      // Push a new bar roughly every 50ms (~20fps scrolling)
+      if (timestamp - lastPushTimeRef.current >= 50) {
+        lastPushTimeRef.current = timestamp;
+        const level = isMuted ? 0 : audioLevelRef.current;
+        const height =
+          MIN_BAR_HEIGHT + level * (MAX_BAR_HEIGHT - MIN_BAR_HEIGHT);
+
+        setBarHeights((prev) => {
+          const next = prev.slice(1);
+          next.push(height);
+          return next;
+        });
+      }
+
+      animationRef.current = requestAnimationFrame(updateBars);
+    };
+
+    animationRef.current = requestAnimationFrame(updateBars);
+
+    return () => {
+      if (animationRef.current) {
+        cancelAnimationFrame(animationRef.current);
+        animationRef.current = null;
+      }
+    };
+  }, [variant, isActive, isMuted]);
+
+  const formattedTime = useMemo(
+    () => formatElapsedTime(elapsedSeconds),
+    [elapsedSeconds]
+  );
+
+  if (!isActive) {
+    return null;
+  }
+
+  // ─── Speaking variant render ───────────────────────────────────────────────
+  if (variant === "speaking") {
+    return (
+      <div className="flex items-center gap-0.5 p-1.5 bg-background-tint-00 rounded-16 shadow-01">
+        {/* Waveform container */}
+        <div className="flex items-center p-1 bg-background-tint-00 rounded-12 max-w-[144px] min-h-[32px]">
+          <div className="flex items-center p-1">
+            {/* Waveform bars */}
+            <div className="flex items-center justify-center gap-[2px] h-4 w-[120px] overflow-hidden">
+              {speakingBars.map((bar) => (
+                <div
+                  key={bar.id}
+                  className={cn(
+                    "w-[3px] rounded-full",
+                    isMuted ? "bg-text-03" : "bg-theme-blue-05",
+                    !isMuted && "animate-waveform"
+                  )}
+                  style={{
+                    height: isMuted ? "2px" : `${bar.baseHeight}px`,
+                    animationDelay: isMuted ? undefined : `${bar.delay}s`,
+                  }}
+                />
+              ))}
+            </div>
+          </div>
+        </div>
+
+        {/* Divider */}
+        <div className="w-0.5 self-stretch bg-border-02" />
+
+        {/* Volume button */}
+        {onMuteToggle && (
+          <div className="flex items-center p-1 bg-background-tint-00 rounded-12">
+            <Button
+              icon={isMuted ? SvgVolumeOff : SvgVolume}
+              onClick={onMuteToggle}
+              prominence="tertiary"
+              size="sm"
+              tooltip={isMuted ? "Unmute" : "Mute"}
+            />
+          </div>
+        )}
+      </div>
+    );
+  }
+
+  // ─── Recording variant render ──────────────────────────────────────────────
+  return (
+    <div className="flex items-center gap-3 px-3 py-2 bg-background-tint-00 rounded-12 min-h-[32px]">
+      {/* Waveform visualization driven by real audio levels */}
+      <div className="flex-1 flex items-center justify-between h-4 overflow-hidden">
+        {barHeights.map((height, i) => (
+          <div
+            key={i}
+            className="w-[1.5px] bg-text-03 rounded-full shrink-0 transition-[height] duration-75"
+            style={{ height: `${height}px` }}
+          />
+        ))}
+      </div>
+
+      {/* Timer */}
+      <span className="font-mono text-xs text-text-03 tabular-nums shrink-0">
+        {formattedTime}
+      </span>
+
+      {/* Mute button */}
+      {onMuteToggle && (
+        <Button
+          icon={isMuted ? SvgMicrophoneOff : SvgMicrophone}
+          onClick={onMuteToggle}
+          prominence="tertiary"
+          size="sm"
+          aria-label={isMuted ? "Unmute microphone" : "Mute microphone"}
+        />
+      )}
+    </div>
+  );
+}
+
+export default Waveform;