Skip to content

FEAT: Realtime streaming session support and server-side barge-in attack#1766

Merged
adrian-gavrila merged 53 commits into
microsoft:mainfrom
adrian-gavrila:adrian-gavrila/realtime-server-vad
Jun 3, 2026
Merged

FEAT: Realtime streaming session support and server-side barge-in attack#1766
adrian-gavrila merged 53 commits into
microsoft:mainfrom
adrian-gavrila:adrian-gavrila/realtime-server-vad

Conversation

@adrian-gavrila
Copy link
Copy Markdown
Contributor

@adrian-gavrila adrian-gavrila commented May 20, 2026

Description

Adds persistent streaming session support to OpenAIRealtimeTarget and introduces BargeInAttack, a streaming attack that leverages server-side VAD to detect and exploit barge-in (interruption) behavior. Previously the target only supported single-turn fire-and-forget audio exchanges; this PR adds the transport primitives needed for multi-turn streaming sessions with incremental audio push, event subscription, and mid-session response requests.

When the server detects new user speech while the assistant is still responding, the in-flight response is automatically interrupted and the conversation history is truncated to match what was actually delivered.

Key additions:

  • OpenAIRealtimeTarget streaming primitivesconnect_async, push_audio_chunk_async, insert_user_audio_async, subscribe_events_async, request_response_async, send_streaming_session_config_async. These expose transport-level operations over a persistent WebSocket connection.
  • _RealtimeEventDispatcher — ABC that owns a realtime connection's event stream, routes provider-specific events to the active turn, and fires an on_user_audio_committed callback when server VAD finalizes a turn. Provider-specific routing is isolated to _route_event / _cancel abstract methods.
  • BargeInAttack — streaming attack that pushes audio chunks into a persistent session, applies configured converters on each server-committed turn (convert-on-commit), requests responses, and tracks interruptions. Per-turn Message pairs are persisted to CentralMemory with prompt_metadata["interrupted"] = True on interrupted turns.
  • ServerVadConfig / RealtimeTargetResult — shared types for configuring server VAD and representing turn results (audio, transcripts, interruption flag).
  • PromptNormalizer.convert_audio_async — applies audio converter configurations to raw PCM bytes for streaming attacks that hold audio mid-turn rather than a Message.

The target exposes only transport primitives; all attack logic (buffering, convert-on-commit dance, interruption signaling) lives in BargeInAttack.

Tests and Documentation

  • 82 unit tests across 3 test files covering: event dispatch and routing, turn lifecycle, interruption detection, converter application, error paths, multi-turn connection reuse, and the full attack lifecycle.
  • Coverage: 98% on realtime_audio.py, 72% on openai_realtime_target.py (uncovered lines are pre-existing code paths, not new additions).
  • Notebook: doc/code/executor/attack/barge_in_attack.py (jupytext py:percent format) demonstrates the attack against a live OpenAI Realtime API endpoint with server VAD. Ran successfully against gpt-4o-realtime-preview — outputs cleared for CI (requires live credentials).

BaedrianG and others added 16 commits May 14, 2026 13:07
@BaedrianG
Server VAD config for RealtimeTarget
a26052b 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Stream PCM chunks via input_audio_buffer.append
dea833d 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Turn state and response cancel for RealtimeTarget
22c0b54 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Event dispatcher for RealtimeTarget
276c06c 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Persist interrupted flag on RealtimeTargetResult and message metadata
66bc828 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Add user audio committed callback to realtime dispatcher
69b7a1c 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Add wire primitive methods to RealtimeTarget for streaming attacks
d624e6a 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Add streaming barge-in attack with subscription and turn-future targe…
1aaf10b 
…t API

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Add convert-on-commit to streaming barge-in attack via PromptNormalizer
d1edfd5 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Persist streaming barge-in turns to CentralMemory
23225ad 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Add barge-in demo notebook, fix dispatcher deadlock and turn-await te…
836b2a9 
…ardown

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Fix review findings: insert-before-delete, CentralMemory, connect_asy…
32dd43e 
…nc rename, Optional→union

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Remove redundant response.cancel (server auto-cancels on speech detec…
892beb5 
…tion)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Trim verbose docstrings to match codebase conventions
7e122e3 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Merge remote-tracking branch 'origin/main' into adrian-gavrila/realti…
258ef03 
…me-server-vad

# Conflicts:
#	pyrit/prompt_target/openai/openai_realtime_target.py
@BaedrianG
Enable supports_streaming_barge_in in permissive probe configuration
b1abe9c
@hannahwestra25 hannahwestra25 self-assigned this May 21, 2026
hannahwestra25
hannahwestra25 reviewed May 21, 2026
View reviewed changes
Comment thread pyrit/executor/attack/streaming/barge_in.py
hannahwestra25
hannahwestra25 reviewed May 21, 2026
View reviewed changes
Comment thread pyrit/executor/attack/streaming/barge_in.py Outdated
hannahwestra25
hannahwestra25 reviewed May 21, 2026
View reviewed changes
Comment thread pyrit/prompt_normalizer/prompt_normalizer.py
hannahwestra25
hannahwestra25 reviewed May 21, 2026
View reviewed changes
Comment thread pyrit/executor/attack/streaming/barge_in.py Outdated
hannahwestra25
hannahwestra25 reviewed May 21, 2026
View reviewed changes
Comment thread doc/code/executor/attack/barge_in_attack.py Outdated
hannahwestra25
hannahwestra25 reviewed May 21, 2026
View reviewed changes
Comment thread pyrit/executor/attack/streaming/barge_in.py Outdated
hannahwestra25
hannahwestra25 reviewed May 21, 2026
View reviewed changes
Comment thread doc/code/executor/attack/barge_in_attack.py
BaedrianG and others added 6 commits May 22, 2026 12:36
@BaedrianG
Replace assert with explicit ValueError in BargeInAttack
2cdfe14 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Extract audio conversion into a target-owned AudioStreamNormalizer
aa9feee 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Decompose _perform_async into named per-turn helpers
32347fd 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Rename 'utterance' to 'statement' in barge-in notebook
50aec9e 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Promote realtime streaming types to public and add swap_user_audio pr…
6f53913 
…imitive

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Fix self-review polish: ordering test, filtered-config short-circuit,…
5056145 
… inline drive_response

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
BaedrianG and others added 5 commits June 2, 2026 15:03
@BaedrianG
Drop dead realtime methods _stream_pcm_async and insert_user_text_async
f5af803 
Both methods have zero production callers after Phases 3 and 4. They were

speculative API surface for streaming attacks that ended up using the

session-based path instead. Tests targeting them are removed alongside.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Move streaming-only methods onto _OpenAIRealtimeStreamingSession
b56538a 
Pulls send_streaming_session_config_async + push_audio_chunk_async off
_RealtimeStreamingHandle and swap_user_audio_async + request_response_async
(plus the insert/delete helpers) off RealtimeTarget, re-homing them as
six private wire helpers on _OpenAIRealtimeStreamingSession. Drops the
connection/dispatcher kwargs since the session already owns both as
instance state.

Captures _effective_vad in __init__ (per-call vad ?? target._server_vad)
so the streaming session config and on-committed paths read from one
source - prevents drift and stages the eventual removal of _server_vad
from the target.

Removes the corresponding abstract method declarations from the
StreamingHandle ABC; the remaining ABC surface (connect_async,
save_audio, SAMPLE_RATE_HZ, server_vad_config) will collapse in a
follow-up commit.

Test churn: relocated push_audio_chunk_async tests and the three
send_streaming_session_config_async tests from test_barge_in.py and
test_realtime_target.py to the session test file, where they now build
a real RealtimeTarget + open_streaming_session and assert on the
session's private wire helpers directly; refactored ~10 existing session
tests to mock on the session instance after construction.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Collapse StreamingHandle ABC; hoist members onto RealtimeTarget
620b998 
The speculative provider-agnostic `StreamingHandle` ABC had one impl

(`_RealtimeStreamingHandle`) and no structural consumers after phases 5a-5b

moved every session-only method off it. This commit collapses the layer:

  - Delete `_RealtimeStreamingHandle` class (~65 LOC) and the

    `StreamingHandle` ABC (~50 LOC).

  - Hoist `SAMPLE_RATE_HZ` (ClassVar), `connect_async` (now private

    `_connect_async`), and `save_audio` (public) onto `RealtimeTarget`.

  - Drop `RealtimeTarget.streaming` attribute + the composition shim in

    `__init__`.

  - Rewire 5 atomic-path call sites in `openai_realtime_target.py` and

    4 sites in `_openai_realtime_streaming_session.py` (also dropping

    the now-pointless `streaming = self._target.streaming` locals).

  - Update `open_streaming_session` docstring reference.

  - Test churn: drop 4 streaming-handle wiring tests; rewrite the

    `SAMPLE_RATE_HZ` assertion against `RealtimeTarget`; rewire

    `target.streaming.connect_async` mocks to `target._connect_async`

    and `target.streaming.save_audio` to `target.save_audio`.

Net: -92 LOC. Pure structural refactor — no behavior change.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Make server_vad a streaming-only concept; drop from RealtimeTarget
3a3d5cc 
Server VAD only makes sense in streaming flow where chunks are continuously pushed and turn boundaries are server-detected. In the atomic path the caller controls turn boundaries explicitly, so a VAD config there was a footgun: `RealtimeTarget(server_vad=True).send_prompt_async(...)` silently emitted a turn_detection block.

After this:

- `RealtimeTarget` ctor no longer accepts `server_vad=`; the attribute is gone.

- `_set_system_prompt_and_config_vars` keeps its `server_vad` kwarg (the session passes it explicitly) but drops the fallback. Atomic callers omit it and get no turn_detection block.

- `open_streaming_session` (and the session ctor) rename `vad: ServerVadConfig | None = None` to `server_vad: bool | ServerVadConfig = True`. Default `True` matches the only non-degenerate streaming mode; pass a config for custom tuning, `False` to disable (sending streaming config then raises).

Net -37 LOC. No external API changes (the ctor kwarg was added on this branch and never shipped on main).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Collapse common/streaming package into realtime_audio
bff23a0 
The common/streaming package was a speculative provider-agnostic split
that never materialized:

- StreamingAudioTarget ABC had zero implementors, zero isinstance
  checks, and zero callers of its abstractmethod send_streaming_prompt_async.
  The live contract is target.open_streaming_session(...) -> session, not
  the ABC. Its signature was also stale (kept the old vad= kwarg name
  after Phase 5d's rename to server_vad=).
- ServerVadConfig and STREAMING_INTERRUPTED_KEY are realtime-audio-
  specific in practice. The artificial package split forced a re-export
  indirection in realtime_audio.py (`ServerVadConfig as ServerVadConfig`).

Move the two live symbols into realtime_audio.py next to RealtimeTargetResult
and friends, drop the dead ABC, delete the package, and remove the
re-export kludge. 4 import sites updated; public `ServerVadConfig` export
in `pyrit.prompt_target` preserved.

Net: -90 LOC, -1 directory, -1 module.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
hannahwestra25
hannahwestra25 reviewed Jun 2, 2026
View reviewed changes
Comment thread pyrit/prompt_target/common/discover_target_capabilities.py
hannahwestra25
hannahwestra25 reviewed Jun 2, 2026
View reviewed changes
Comment thread pyrit/prompt_target/common/target_capabilities.py Outdated
BaedrianG and others added 3 commits June 2, 2026 22:01
@BaedrianG
Polish realtime streaming: async suffixes, capability rename, docstri…
b050ad9 
…ng cleanup

Rename the streaming capability to supports_streaming_audio / STREAMING_AUDIO
(was barge-in-specific). Drop the redundant isinstance gate in BargeInAttack in
favor of the capability requirement, using cast for the concrete dependency.
Add async suffixes to realtime dispatcher/session methods and update callers.
Replace forbidden reST roles with backticks and trim deferred-work docstring notes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BaedrianG
Merge remote-tracking branch 'origin/main' into adrian-gavrila/realti…
4b10fe9 
…me-server-vad

# Conflicts:
#	pyrit/executor/attack/__init__.py
#	pyrit/prompt_normalizer/prompt_normalizer.py
#	pyrit/prompt_target/openai/openai_realtime_target.py
#	tests/unit/prompt_normalizer/test_prompt_normalizer.py
#	tests/unit/prompt_target/target/test_realtime_target.py
@BaedrianG
Fix D420 docstring section order in open_streaming_session
2cd5431 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
hannahwestra25
hannahwestra25 reviewed Jun 3, 2026
View reviewed changes
Comment thread pyrit/executor/attack/streaming/barge_in.py Outdated
hannahwestra25
hannahwestra25 reviewed Jun 3, 2026
View reviewed changes
Comment thread pyrit/executor/attack/streaming/barge_in.py Outdated
@BaedrianG
Test deprecated realtime aliases and cleanup error paths
8a7bbd0 
Lift diff coverage above the 90% gate by covering the deprecated
non-_async aliases, cleanup_conversation_async, and the cleanup_target_async
error-swallowing paths added during the main merge.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
hannahwestra25
hannahwestra25 reviewed Jun 3, 2026
View reviewed changes
Comment thread doc/code/executor/attack/barge_in_attack.py Outdated
hannahwestra25
hannahwestra25 reviewed Jun 3, 2026
View reviewed changes
Comment thread pyrit/prompt_target/common/prompt_target.py Outdated
hannahwestra25
hannahwestra25 reviewed Jun 3, 2026
View reviewed changes
Comment thread doc/code/executor/attack/barge_in_attack.py Outdated
hannahwestra25
hannahwestra25 reviewed Jun 3, 2026
View reviewed changes
Comment thread doc/code/executor/attack/barge_in_attack.py Outdated
hannahwestra25
hannahwestra25 reviewed Jun 3, 2026
View reviewed changes
Comment thread pyrit/prompt_target/openai/_openai_realtime_streaming_session.py Outdated
hannahwestra25
hannahwestra25 reviewed Jun 3, 2026
View reviewed changes
Comment thread pyrit/prompt_target/openai/openai_realtime_target.py Outdated
@BaedrianG
Address PR review nits: trim comment, docstring, doc reorder, async a…
6ec0cc7 
…liases

- Drop redundant capability-validation comment above the RealtimeTarget cast
- Make _validate_context Raises docstring describe the actual checks
- Move the 'Reading the barge-in output' note above the barge-in cell and
  reword its intro for pre-execution reading
- Use cleanup_target_async() in the barge-in doc (py + ipynb)
- Remove dead 'from __future__ import annotations' in prompt_target base

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
hannahwestra25
hannahwestra25 reviewed Jun 3, 2026
View reviewed changes
Comment thread pyrit/prompt_target/openai/openai_realtime_target.py Outdated
@BaedrianG
Extract realtime dispatcher to its own module; replace lifecycle asserts
caafa62 
- Move _OpenAIRealtimeDispatcher out of openai_realtime_target.py into a new
  _openai_realtime_dispatcher.py, mirroring the existing private session module.
  This removes the target<->session import cycle, so the session import is
  promoted from a function-local import to a normal top-level one.
- Replace the scattered `assert self._connection/_dispatcher/_queue is not None`
  invariant checks in the streaming session with _require_connection/_require_
  dispatcher/_require_queue helpers that raise RuntimeError (asserts are stripped
  under python -O and gave no diagnostic).
- Update test patch targets for the moved dispatcher and the now top-level
  session import.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
hannahwestra25
hannahwestra25 reviewed Jun 3, 2026
View reviewed changes
Comment thread pyrit/prompt_target/openai/openai_realtime_target.py Outdated
@BaedrianG
Use save_formatted_audio_async; drop redundant PromptTarget base
27e61f5 
- Revert save_formatted_audio -> save_formatted_audio_async (the plain alias
  is deprecated, removed_in 0.16.0); a merge from main had switched it.
- Drop the redundant PromptTarget base from RealtimeTarget; OpenAITarget
  already subclasses PromptTarget, so the MRO is unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@adrian-gavrila adrian-gavrila added this pull request to the merge queue Jun 3, 2026
Merged via the queue into microsoft:main with commit 46d52b1 Jun 3, 2026
52 checks passed
@adrian-gavrila adrian-gavrila deleted the adrian-gavrila/realtime-server-vad branch June 3, 2026 17:54
romanlutz added a commit to romanlutz/PyRIT that referenced this pull request Jun 4, 2026
@romanlutz
Merge branch 'main' into romanlutz/typing-modernization-audit
37d0519 
Merge 26 commits from main, including:
- MAINT Breaking: Convert ScenarioResult to Pydantic (microsoft#1908)
- MAINT: Migrating Seed classes to Pydantic (microsoft#1898)
- MAINT: Migrating AttackResult to Pydantic (microsoft#1899)
- MAINT: Bump ty-pre-commit v0.0.32 -> 0.0.43 (microsoft#1919)
- FEAT: Realtime streaming session support and server-side barge-in attack (microsoft#1766)
- FEAT text adaptive scenario (microsoft#1760)
- FIX: Integration Test Fixes (microsoft#1907)
- DOC: Scoring Docs Refactor (microsoft#1892)
- Various dependency bumps

Conflicts (15 files) resolved by taking main's version + re-running
ruff --fix to re-apply PEP 604 typing modernization on the incoming code
(177 violations auto-fixed). All resolved files re-staged.

Local verification:
- ruff check: All checks passed
- ruff format: clean
- pytest tests/unit -n 8: 9550 passed, 6 skipped

Known issue (pre-existing on main, not caused by this merge):
- ty 0.0.43 enabled missing-override-decorator rule, which flags hundreds
  of pre-existing methods across the codebase. Main's own CI is currently
  failing on this. Our PR will inherit the same failure since touched
  files come into pre-commit scope. Fixing this rule globally is a
  separate, large mechanical change orthogonal to typing modernization.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hannahwestra25 hannahwestra25 hannahwestra25 approved these changes

Assignees

@hannahwestra25 hannahwestra25

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@adrian-gavrila @hannahwestra25 @BaedrianG