FEAT: Realtime streaming session support and server-side barge-in attack

[adrian-gavrila]

Description

Adds persistent streaming session support to OpenAIRealtimeTarget and introduces BargeInAttack, a streaming attack that leverages server-side VAD to detect and exploit barge-in (interruption) behavior. Previously the target only supported single-turn fire-and-forget audio exchanges; this PR adds the transport primitives needed for multi-turn streaming sessions with incremental audio push, event subscription, and mid-session response requests.

When the server detects new user speech while the assistant is still responding, the in-flight response is automatically interrupted and the conversation history is truncated to match what was actually delivered.

Key additions:

• OpenAIRealtimeTarget streaming primitives — connect_async, push_audio_chunk_async, insert_user_audio_async, subscribe_events_async, request_response_async, send_streaming_session_config_async. These expose transport-level operations over a persistent WebSocket connection.
• _RealtimeEventDispatcher — ABC that owns a realtime connection's event stream, routes provider-specific events to the active turn, and fires an on_user_audio_committed callback when server VAD finalizes a turn. Provider-specific routing is isolated to _route_event / _cancel abstract methods.
• BargeInAttack — streaming attack that pushes audio chunks into a persistent session, applies configured converters on each server-committed turn (convert-on-commit), requests responses, and tracks interruptions. Per-turn Message pairs are persisted to CentralMemory with prompt_metadata["interrupted"] = True on interrupted turns.
• ServerVadConfig / RealtimeTargetResult — shared types for configuring server VAD and representing turn results (audio, transcripts, interruption flag).
• PromptNormalizer.convert_audio_async — applies audio converter configurations to raw PCM bytes for streaming attacks that hold audio mid-turn rather than a Message.

The target exposes only transport primitives; all attack logic (buffering, convert-on-commit dance, interruption signaling) lives in BargeInAttack.

Tests and Documentation

• 82 unit tests across 3 test files covering: event dispatch and routing, turn lifecycle, interruption detection, converter application, error paths, multi-turn connection reuse, and the full attack lifecycle.
• Coverage: 98% on realtime_audio.py, 72% on openai_realtime_target.py (uncovered lines are pre-existing code paths, not new additions).
• Notebook: doc/code/executor/attack/barge_in_attack.py (jupytext py:percent format) demonstrates the attack against a live OpenAI Realtime API endpoint with server VAD. Ran successfully against gpt-4o-realtime-preview — outputs cleared for CI (requires live credentials).

[hannahwestra25]

could we make this a message_normalizer and then the target can use this as the default normalizer if the user doesn't specify a special one ?

[adrian-gavrila]

I agree that this probably shouldn't live on PromptNormalizer but I am not sure it fits the shape of MessageNormalizer since this is converting from bytes to bytes instead of operating directly on messages (since they don't exist mid-stream where this would be run). I made a standalone AudioStreamNormalizer instead of forcing the shape. What do you think?