feat: overhaul phone call system — thread safety, CallKit extraction, China compliance

[mdmohsin7]

Summary

• Audio thread safety: Added OmiAudioLock (os_unfair_lock, 5-10ns) to protect audio device state from Core Audio real-time callbacks. Pre-allocates capture buffers instead of malloc on the audio thread.
• Structured native errors: Errors now propagate from native to Dart with specific codes (MIC_PERMISSION_DENIED, TWILIO_ERROR, etc.). Mute/speaker toggles use confirmation-based state updates, fixing a race condition where UI could desync from native state.
• CallKit coordinator extraction: All CallKit management extracted into OmiCallCoordinator with provider reset recovery, 3-second readiness timeout, and pending completion tracking. The plugin itself no longer imports CallKit.
• China/CallKit compliance: OmiRegionCheck detects CN locale and carrier MCC 460, swapping to OmiDirectCallCoordinator which manages AVAudioSession directly without CallKit. Resolves Apple Guideline 5 Legal rejection.
• Token refresh: Proactive Twilio token refresh with a 3-minute buffer before expiry, preventing silent call failures on long calls.
• Proximity sensor: Screen turns off when phone held to ear during calls, prevents accidental touches.
• Audio route selection: Full discovery of available outputs (iPhone, Speaker, AirPods, Bluetooth). Long-press the speaker button to open the route picker.
• WebSocket resilience: Audio data buffered during transcription WebSocket reconnects (~2s). Max reconnect attempts increased from 5 to 10. TranscriptionStatus enum tracks WS health.
• Transcription status UI: Color-coded indicator (yellow=connecting, orange=reconnecting, red=failed) in call view and banner.
• File organization: All phone call Swift files moved into app/ios/Runner/PhoneCalls/ subfolder (9 files).

Test plan

• Make a call on iOS — verify audio works, CallKit green bar appears (non-China region)
• Set device locale to China — verify no CallKit UI, call still works
• Connect AirPods → long-press speaker → verify route picker shows AirPods
• Hold phone to ear during call → verify screen turns off
• Toggle mute rapidly 10x → verify UI stays in sync
• Kill backend WebSocket mid-call → verify reconnecting/unavailable indicators
• Start long call → verify token refreshes without interrupting audio
• Test on Android → verify speaker toggle and basic routes still work

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR comprehensively overhauled the phone call stack: OmiCallCoordinator extracts CallKit lifecycle management, OmiDirectCallCoordinator + OmiRegionCheck add China compliance (resolving Apple Guideline 5), OmiAudioLock provides os_unfair_lock-backed audio thread safety, mute/speaker now use confirmation-based state updates that eliminate UI desync races, proactive token refresh prevents silent call failures, audio buffering bridges WS reconnects, and the proximity sensor and audio route picker round out UX. Prior review concerns (expiresAt frozen at construction, _tokenExpiry dead code, silent refresh failure) have all been addressed.

• P1: _scheduleTokenRefresh(30) fires in 15 s due to the ttl ~/ 2 branch; change the retry argument to 60 in phone_call_provider.dart.

Confidence Score: 4/5

Safe to merge after fixing the token-refresh retry timing; all other findings are P2 or lower

One P1 bug: _scheduleTokenRefresh(30) fires in 15 s instead of the intended 30 s with a misleading log message. All three prior reviewer concerns (expiresAt frozen, _tokenExpiry dead code, silent refresh failure with no retry) have been resolved in this revision. The remaining P2 (DEBUG race in OmiAudioLock) does not affect production builds.

app/lib/providers/phone_call_provider.dart — _scheduleTokenRefresh retry argument should be 60, not 30

Important Files Changed

Filename	Overview
app/ios/Runner/PhoneCalls/OmiPhoneCallsPlugin.swift	Core plugin correctly wires coordinator + Twilio and sends confirmation events for mute/speaker; audio route discovery reads availableInputs (not outputs), which may miss output-only routes on edge-case hardware
app/ios/Runner/PhoneCalls/OmiCallCoordinator.swift	CallKit coordinator with queue-protected state, provider-reset recovery, 3-second readiness timeout, and pending-completion tracking — logic is sound
app/ios/Runner/PhoneCalls/OmiAudioLock.swift	os_unfair_lock property wrapper correct for production; DEBUG diagnostic stats updated outside the lock (race in debug builds only)
app/ios/Runner/PhoneCalls/OmiRegionCheck.swift	Locale + carrier MCC 460 dual-check for China CallKit restriction is correct; computed each init so no stale state
app/ios/Runner/PhoneCalls/OmiDirectCallCoordinator.swift	Direct AVAudioSession coordinator for China; correct setup/teardown with .notifyOthersOnDeactivation
app/ios/Runner/PhoneCalls/OmiRecordingAudioDevice.swift	VoiceProcessingIO device with pre-allocated capture buffers and OmiAudioLock-protected state; audio thread safety design is sound
app/lib/providers/phone_call_provider.dart	Token refresh, audio buffering, confirmation-based mute/speaker state, and transcription status correctly added; retry delay calculation bug: _scheduleTokenRefresh(30) produces 15 s delay instead of 30 s
app/lib/services/phone_call_service.dart	Native bridge updated for error/muteConfirmed/speakerConfirmed events and audio route methods; straightforward and correct
app/android/app/src/main/kotlin/com/friend/ios/PhoneCallsPlugin.kt	Android stubs for getAudioRoutes/selectAudioRoute/isCallKitAvailable added; earpiece type string 'iPhone' flagged in prior review
app/lib/pages/phone_calls/active_call_page.dart	TranscriptionStatusIndicator and AudioRouteSheet added; long-press speaker for route picker wired correctly
app/lib/backend/schema/phone_call.dart	expiresAt now frozen at construction time (prior review concern resolved); PhoneCallError class added with correct fromEvent factory

Sequence Diagram

sequenceDiagram
    participant F as Flutter/Dart
    participant P as PhoneCallProvider
    participant S as PhoneCallService
    participant N as OmiPhoneCallsPlugin
    participant C as OmiCallCoordinator
    participant T as TwilioVoiceSDK

    F->>P: makeCall(phoneNumber)
    P->>S: initialize(token)
    P->>S: makeCall(phoneNumber, callId)
    S->>N: MethodChannel makeCall
    N->>C: startCall(uuid, phoneNumber)
    C-->>N: onAudioSessionActivated
    N->>T: TwilioVoiceSDK.connect()
    T-->>N: callDidConnect
    N-->>C: reportCallConnected(uuid)
    N-->>S: EventChannel {callStateChanged: active}
    S-->>P: onCallStateChanged(active)
    P-->>F: notifyListeners()
    Note over P,N: Proactive token refresh (TTL − 3 min)
    P->>P: _scheduleTokenRefresh(ttl)
    P->>S: initialize(newToken)
    Note over P,N: Confirmation-based mute toggle
    F->>P: toggleMute()
    P->>S: toggleMute(!_isMuted)
    S->>N: MethodChannel toggleMute
    N-->>S: EventChannel {muteConfirmed}
    S-->>P: onMuteConfirmed(muted)
    P-->>F: notifyListeners()
    Note over P: WS reconnect with audio buffering
    P->>P: buffer audio frames (_audioBuffer)
    P->>P: _connectTranscriptionSocket()
    P->>P: flush _audioBuffer to new socket

Loading

_{Reviews (2): Last reviewed commit: "fix: address PR review — remove double-d..." | Re-trigger Greptile}

[greptile-apps]

Unnecessary double-dispatch on the audio path

audioEventQueue.async immediately re-dispatches to the main thread via DispatchQueue.main.async. The intermediate hop adds a thread context switch on every audio callback (~50 Hz) without doing any work on audioEventQueue. The comment on the queue says it exists "to avoid flooding the main thread", but this implementation doesn't throttle or batch — the sink call still ends up on main. Compare sendEvent(_:) below, which dispatches directly to main in one hop.

Suggested change

	func sendCallStateEvent(_ state: String) {
	sendEvent(["type": "callStateChanged", "state": state])
	}
	func sendErrorEvent(_ error: OmiCallError) {
	sendEvent(error.toEventData())
	}
	func sendAudioDataEvent(_ data: Data, channel: Int) {
	audioEventQueue.async { [weak self] in
	guard let self = self else { return }
	DispatchQueue.main.async {
	func sendAudioDataEvent(_ data: Data, channel: Int) {
	DispatchQueue.main.async { [weak self] in
	self?.eventSink?([
	"type": "audioData",
	"data": FlutterStandardTypedData(bytes: data),
	"channel": channel,
	])
	}
	}

[greptile-apps]

expiresAt returns a different value on every access

DateTime.now().add(Duration(seconds: ttl)) is evaluated fresh each time the getter is called. If a caller holds a PhoneCallToken and queries expiresAt minutes later, the result will be minutes too far in the future — it no longer represents the actual expiry of the token. Currently _tokenExpiry is assigned right after the HTTP response so drift is minimal, but any future use of this getter for expiry decisions will be subtly wrong.

Fix by computing it once at object construction:

Suggested change

	DateTime get expiresAt => DateTime.now().add(Duration(seconds: ttl));
	late final DateTime expiresAt = DateTime.now().add(Duration(seconds: ttl));

This freezes the value at parse time, making it safe to call multiple times.

[greptile-apps]

_tokenExpiry is stored but never read — dead code

_tokenExpiry is assigned in two places (initial call setup and inside the refresh callback) but is never read for any decision. The refresh logic uses token.ttl directly in _scheduleTokenRefresh(token.ttl), so storing _tokenExpiry has no effect. If the intent was to compute remaining time more accurately on the next cycle (e.g. _tokenExpiry!.difference(DateTime.now()).inSeconds), that calculation is missing. Remove the field until it is actually used, to avoid misleading future readers.

Suggested change

	// Audio routes
	List<AudioRoute> _availableRoutes = [];
	// Token refresh
	Timer? _tokenRefreshTimer;

[greptile-apps]

Silent token refresh failure — no retry or user notification

If api.getPhoneCallToken() returns null (network error, server error), the refresh silently does nothing. The original token will expire at its original TTL, and the call will fail with no warning to the user. For a feature specifically designed to prevent silent call failures, this is an ironic gap. At minimum, log an error and consider a simple retry:

var token = await api.getPhoneCallToken();
if (token != null) {
  await _nativeService.initialize(token.accessToken);
  _scheduleTokenRefresh(token.ttl);
} else {
  Logger.error('PhoneCallProvider: token refresh failed — retrying in 30s');
  // Retry once before the original token expires
  _tokenRefreshTimer = Timer(const Duration(seconds: 30), () => _scheduleTokenRefresh(30));
}

[greptile-apps]

Android earpiece uses iOS-specific type string "iPhone"

Sending "type" to "iPhone" from Android causes AudioRoute.fromMap to assign AudioRouteType.iPhone to the earpiece. The UI then uses Icons.phone_android for that type, which happens to be correct — but only by coincidence, because the icon lookup for AudioRouteType.iPhone was written with Icons.phone_android. If AudioRouteType.iPhone is ever renamed or its icon updated for iOS, the Android earpiece silently breaks.

Consider adding a shared earpiece type to AudioRouteType on the Dart side and using it from both platforms:

mapOf("id" to "phone", "name" to "Phone", "type" to "earpiece"),

[mdmohsin7]

@greptile-apps re-review