User-selected backend URLs must remain usable without letting clients control server requests.
Call custom providers from the browser while keeping the server proxy bound to its configured host.
This restores voice controls for frontend settings without reopening the SSRF path.
Malformed stored settings could break voice requests instead of using safe defaults.
Health results could outlive auth changes. URL checks also did not guard the fetch sink.
Remove constant recorder branches so lifecycle cancellation stays clear.
Redirects could bypass the backend URL guard, and TTS playback waited for full buffering.
Recording could overlap or finish after teardown. Controls also ignored backend readiness.
Explicit formats and config-aware cache keys prevent stale audio after settings change.
Switches the voice proxy to the OpenAI audio API (/v1/audio/transcriptions and
/v1/audio/speech) so it works with OpenAI, Groq, or a local server. Adds a
Settings -> Voice tab (base URL, API key, models, voice) plus a Quick Settings
toggle, and removes the bundled Python sidecar.
Review fixes: stop mic tracks on unmount, clear the global TTS stop handler and
revoke leaked blob URLs, add fetch timeouts in the proxy, surface mic errors in
the button, trim before appending transcripts, and drop the repo-wide wav ignore.
Adds a push-to-talk mic button in the composer and a read-aloud button on
assistant messages. Both are opt-in and hidden unless a voice backend is
configured via VOICE_SIDECAR_URL.
The auth-gated /api/voice proxy forwards to a configurable backend exposing
/transcribe and /tts (provider-agnostic); the frontend probes /api/voice/health
and hides the controls when disabled. Adds i18n keys and docs/voice.md.
Includes a local, no-API-key reference backend in voice-sidecar/ (faster-whisper
for STT, Kokoro-82M for TTS, both CPU-capable).
