@openclaw/voice-call 2026.2.13 → 2026.2.14

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 2026.2.14
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
 ## 2026.2.13
 
 ### Changes

package/README.md

@@ -45,6 +45,14 @@ Put under `plugins.entries.voice-call.config`:
     authToken: "your_token",
   },
 
+  telnyx: {
+    apiKey: "KEYxxxx",
+    connectionId: "CONNxxxx",
+    // Telnyx webhook public key from the Telnyx Mission Control Portal
+    // (Base64 string; can also be set via TELNYX_PUBLIC_KEY).
+    publicKey: "...",
+  },
+
   plivo: {
     authId: "MAxxxxxxxxxxxxxxxxxxxx",
     authToken: "your_token",
@@ -76,6 +84,7 @@ Notes:
 
 - Twilio/Telnyx/Plivo require a **publicly reachable** webhook URL.
 - `mock` is a local dev provider (no network calls).
+- Telnyx requires `telnyx.publicKey` (or `TELNYX_PUBLIC_KEY`) unless `skipSignatureVerification` is true.
 - `tunnel.allowNgrokFreeTierLoopbackBypass: true` allows Twilio webhooks with invalid signatures **only** when `tunnel.provider="ngrok"` and `serve.bind` is loopback (ngrok local agent). Use for local dev only.
 
 ## TTS for calls

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/voice-call",
-  "version": "2026.2.13",
+  "version": "2026.2.14",
   "description": "OpenClaw voice-call plugin",
   "type": "module",
   "dependencies": {

package/src/config.test.ts

@@ -47,6 +47,7 @@ describe("validateProviderConfig", () => {
     delete process.env.TWILIO_AUTH_TOKEN;
     delete process.env.TELNYX_API_KEY;
     delete process.env.TELNYX_CONNECTION_ID;
+    delete process.env.TELNYX_PUBLIC_KEY;
     delete process.env.PLIVO_AUTH_ID;
     delete process.env.PLIVO_AUTH_TOKEN;
   });
@@ -121,7 +122,7 @@ describe("validateProviderConfig", () => {
   describe("telnyx provider", () => {
     it("passes validation when credentials are in config", () => {
       const config = createBaseConfig("telnyx");
-      config.telnyx = { apiKey: "KEY123", connectionId: "CONN456" };
+      config.telnyx = { apiKey: "KEY123", connectionId: "CONN456", publicKey: "public-key" };
 
       const result = validateProviderConfig(config);
 
@@ -132,6 +133,7 @@ describe("validateProviderConfig", () => {
     it("passes validation when credentials are in environment variables", () => {
       process.env.TELNYX_API_KEY = "KEY123";
       process.env.TELNYX_CONNECTION_ID = "CONN456";
+      process.env.TELNYX_PUBLIC_KEY = "public-key";
       let config = createBaseConfig("telnyx");
       config = resolveVoiceCallConfig(config);
 
@@ -163,7 +165,7 @@ describe("validateProviderConfig", () => {
 
       expect(result.valid).toBe(false);
       expect(result.errors).toContain(
-        "plugins.entries.voice-call.config.telnyx.publicKey is required for inboundPolicy allowlist/pairing",
+        "plugins.entries.voice-call.config.telnyx.publicKey is required (or set TELNYX_PUBLIC_KEY env)",
       );
     });
 
@@ -181,6 +183,17 @@ describe("validateProviderConfig", () => {
       expect(result.valid).toBe(true);
       expect(result.errors).toEqual([]);
     });
+
+    it("passes validation when skipSignatureVerification is true (even without public key)", () => {
+      const config = createBaseConfig("telnyx");
+      config.skipSignatureVerification = true;
+      config.telnyx = { apiKey: "KEY123", connectionId: "CONN456" };
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(true);
+      expect(result.errors).toEqual([]);
+    });
   });
 
   describe("plivo provider", () => {

package/src/config.ts

@@ -207,8 +207,10 @@ export const VoiceCallTunnelConfigSchema = z
     ngrokDomain: z.string().min(1).optional(),
     /**
      * Allow ngrok free tier compatibility mode.
-     * When true, signature verification failures on ngrok-free.app URLs
-     * will be allowed only for loopback requests (ngrok local agent).
+     * When true, forwarded headers may be trusted for loopback requests
+     * to reconstruct the public ngrok URL used for signing.
+     *
+     * IMPORTANT: This does NOT bypass signature verification.
      */
     allowNgrokFreeTierLoopbackBypass: z.boolean().default(false),
   })
@@ -483,12 +485,9 @@ export function validateProviderConfig(config: VoiceCallConfig): {
         "plugins.entries.voice-call.config.telnyx.connectionId is required (or set TELNYX_CONNECTION_ID env)",
       );
     }
-    if (
-      (config.inboundPolicy === "allowlist" || config.inboundPolicy === "pairing") &&
-      !config.telnyx?.publicKey
-    ) {
+    if (!config.skipSignatureVerification && !config.telnyx?.publicKey) {
       errors.push(
-        "plugins.entries.voice-call.config.telnyx.publicKey is required for inboundPolicy allowlist/pairing",
+        "plugins.entries.voice-call.config.telnyx.publicKey is required (or set TELNYX_PUBLIC_KEY env)",
       );
     }
   }

package/src/manager/context.ts

@@ -8,18 +8,32 @@ export type TranscriptWaiter = {
   timeout: NodeJS.Timeout;
 };
 
-export type CallManagerContext = {
+export type CallManagerRuntimeState = {
   activeCalls: Map<CallId, CallRecord>;
   providerCallIdMap: Map<string, CallId>;
   processedEventIds: Set<string>;
   /** Provider call IDs we already sent a reject hangup for; avoids duplicate hangup calls. */
   rejectedProviderCallIds: Set<string>;
-  /** Optional runtime hook invoked after an event transitions a call into answered state. */
-  onCallAnswered?: (call: CallRecord) => void;
+};
+
+export type CallManagerRuntimeDeps = {
   provider: VoiceCallProvider | null;
   config: VoiceCallConfig;
   storePath: string;
   webhookUrl: string | null;
+};
+
+export type CallManagerTransientState = {
   transcriptWaiters: Map<CallId, TranscriptWaiter>;
   maxDurationTimers: Map<CallId, NodeJS.Timeout>;
 };
+
+export type CallManagerHooks = {
+  /** Optional runtime hook invoked after an event transitions a call into answered state. */
+  onCallAnswered?: (call: CallRecord) => void;
+};
+
+export type CallManagerContext = CallManagerRuntimeState &
+  CallManagerRuntimeDeps &
+  CallManagerTransientState &
+  CallManagerHooks;

package/src/manager/events.ts

@@ -13,10 +13,21 @@ import {
   startMaxDurationTimer,
 } from "./timers.js";
 
-function shouldAcceptInbound(
-  config: CallManagerContext["config"],
-  from: string | undefined,
-): boolean {
+type EventContext = Pick<
+  CallManagerContext,
+  | "activeCalls"
+  | "providerCallIdMap"
+  | "processedEventIds"
+  | "rejectedProviderCallIds"
+  | "provider"
+  | "config"
+  | "storePath"
+  | "transcriptWaiters"
+  | "maxDurationTimers"
+  | "onCallAnswered"
+>;
+
+function shouldAcceptInbound(config: EventContext["config"], from: string | undefined): boolean {
   const { inboundPolicy: policy, allowFrom } = config;
 
   switch (policy) {
@@ -49,7 +60,7 @@ function shouldAcceptInbound(
 }
 
 function createInboundCall(params: {
-  ctx: CallManagerContext;
+  ctx: EventContext;
   providerCallId: string;
   from: string;
   to: string;
@@ -80,7 +91,7 @@ function createInboundCall(params: {
   return callRecord;
 }
 
-export function processEvent(ctx: CallManagerContext, event: NormalizedEvent): void {
+export function processEvent(ctx: EventContext, event: NormalizedEvent): void {
   if (ctx.processedEventIds.has(event.id)) {
     return;
   }

package/src/manager/outbound.ts

@@ -19,8 +19,39 @@ import {
 } from "./timers.js";
 import { generateNotifyTwiml } from "./twiml.js";
 
+type InitiateContext = Pick<
+  CallManagerContext,
+  "activeCalls" | "providerCallIdMap" | "provider" | "config" | "storePath" | "webhookUrl"
+>;
+
+type SpeakContext = Pick<
+  CallManagerContext,
+  "activeCalls" | "providerCallIdMap" | "provider" | "config" | "storePath"
+>;
+
+type ConversationContext = Pick<
+  CallManagerContext,
+  | "activeCalls"
+  | "providerCallIdMap"
+  | "provider"
+  | "config"
+  | "storePath"
+  | "transcriptWaiters"
+  | "maxDurationTimers"
+>;
+
+type EndCallContext = Pick<
+  CallManagerContext,
+  | "activeCalls"
+  | "providerCallIdMap"
+  | "provider"
+  | "storePath"
+  | "transcriptWaiters"
+  | "maxDurationTimers"
+>;
+
 export async function initiateCall(
-  ctx: CallManagerContext,
+  ctx: InitiateContext,
   to: string,
   sessionKey?: string,
   options?: OutboundCallOptions | string,
@@ -113,7 +144,7 @@ export async function initiateCall(
 }
 
 export async function speak(
-  ctx: CallManagerContext,
+  ctx: SpeakContext,
   callId: CallId,
   text: string,
 ): Promise<{ success: boolean; error?: string }> {
@@ -149,7 +180,7 @@ export async function speak(
 }
 
 export async function speakInitialMessage(
-  ctx: CallManagerContext,
+  ctx: ConversationContext,
   providerCallId: string,
 ): Promise<void> {
   const call = getCallByProviderCallId({
@@ -197,7 +228,7 @@ export async function speakInitialMessage(
 }
 
 export async function continueCall(
-  ctx: CallManagerContext,
+  ctx: ConversationContext,
   callId: CallId,
   prompt: string,
 ): Promise<{ success: boolean; transcript?: string; error?: string }> {
@@ -234,7 +265,7 @@ export async function continueCall(
 }
 
 export async function endCall(
-  ctx: CallManagerContext,
+  ctx: EndCallContext,
   callId: CallId,
 ): Promise<{ success: boolean; error?: string }> {
   const call = ctx.activeCalls.get(callId);

package/src/manager/timers.ts

@@ -2,7 +2,20 @@ import type { CallManagerContext } from "./context.js";
 import { TerminalStates, type CallId } from "../types.js";
 import { persistCallRecord } from "./store.js";
 
-export function clearMaxDurationTimer(ctx: CallManagerContext, callId: CallId): void {
+type TimerContext = Pick<
+  CallManagerContext,
+  "activeCalls" | "maxDurationTimers" | "config" | "storePath" | "transcriptWaiters"
+>;
+type MaxDurationTimerContext = Pick<
+  TimerContext,
+  "activeCalls" | "maxDurationTimers" | "config" | "storePath"
+>;
+type TranscriptWaiterContext = Pick<TimerContext, "transcriptWaiters">;
+
+export function clearMaxDurationTimer(
+  ctx: Pick<MaxDurationTimerContext, "maxDurationTimers">,
+  callId: CallId,
+): void {
   const timer = ctx.maxDurationTimers.get(callId);
   if (timer) {
     clearTimeout(timer);
@@ -11,7 +24,7 @@ export function clearMaxDurationTimer(ctx: CallManagerContext, callId: CallId):
 }
 
 export function startMaxDurationTimer(params: {
-  ctx: CallManagerContext;
+  ctx: MaxDurationTimerContext;
   callId: CallId;
   onTimeout: (callId: CallId) => Promise<void>;
 }): void {
@@ -38,7 +51,7 @@ export function startMaxDurationTimer(params: {
   params.ctx.maxDurationTimers.set(params.callId, timer);
 }
 
-export function clearTranscriptWaiter(ctx: CallManagerContext, callId: CallId): void {
+export function clearTranscriptWaiter(ctx: TranscriptWaiterContext, callId: CallId): void {
   const waiter = ctx.transcriptWaiters.get(callId);
   if (!waiter) {
     return;
@@ -48,7 +61,7 @@ export function clearTranscriptWaiter(ctx: CallManagerContext, callId: CallId):
 }
 
 export function rejectTranscriptWaiter(
-  ctx: CallManagerContext,
+  ctx: TranscriptWaiterContext,
   callId: CallId,
   reason: string,
 ): void {
@@ -61,7 +74,7 @@ export function rejectTranscriptWaiter(
 }
 
 export function resolveTranscriptWaiter(
-  ctx: CallManagerContext,
+  ctx: TranscriptWaiterContext,
   callId: CallId,
   transcript: string,
 ): void {
@@ -73,7 +86,7 @@ export function resolveTranscriptWaiter(
   waiter.resolve(transcript);
 }
 
-export function waitForFinalTranscript(ctx: CallManagerContext, callId: CallId): Promise<string> {
+export function waitForFinalTranscript(ctx: TimerContext, callId: CallId): Promise<string> {
   // Only allow one in-flight waiter per call.
   rejectTranscriptWaiter(ctx, callId, "Transcript waiter replaced");
 

package/src/manager.ts

@@ -1,23 +1,21 @@
-import crypto from "node:crypto";
 import fs from "node:fs";
-import fsp from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
-import type { CallMode, VoiceCallConfig } from "./config.js";
+import type { VoiceCallConfig } from "./config.js";
 import type { CallManagerContext } from "./manager/context.js";
 import type { VoiceCallProvider } from "./providers/base.js";
+import type { CallId, CallRecord, NormalizedEvent, OutboundCallOptions } from "./types.js";
 import { processEvent as processManagerEvent } from "./manager/events.js";
+import { getCallByProviderCallId as getCallByProviderCallIdFromMaps } from "./manager/lookup.js";
 import {
-  type CallId,
-  type CallRecord,
-  CallRecordSchema,
-  type NormalizedEvent,
-  type OutboundCallOptions,
-  TerminalStates,
-  type TranscriptEntry,
-} from "./types.js";
+  continueCall as continueCallWithContext,
+  endCall as endCallWithContext,
+  initiateCall as initiateCallWithContext,
+  speak as speakWithContext,
+  speakInitialMessage as speakInitialMessageWithContext,
+} from "./manager/outbound.js";
+import { getCallHistoryFromStore, loadActiveCallsFromStore } from "./manager/store.js";
 import { resolveUserPath } from "./utils.js";
-import { escapeXml, mapVoiceToPolly } from "./voice-mapping.js";
 
 function resolveDefaultStoreBase(config: VoiceCallConfig, storePath?: string): string {
   const rawOverride = storePath?.trim() || config.store?.trim();
@@ -38,11 +36,11 @@ function resolveDefaultStoreBase(config: VoiceCallConfig, storePath?: string): s
 }
 
 /**
- * Manages voice calls: state machine, persistence, and provider coordination.
+ * Manages voice calls: state ownership and delegation to manager helper modules.
  */
 export class CallManager {
   private activeCalls = new Map<CallId, CallRecord>();
-  private providerCallIdMap = new Map<string, CallId>(); // providerCallId -> internal callId
+  private providerCallIdMap = new Map<string, CallId>();
   private processedEventIds = new Set<string>();
   private rejectedProviderCallIds = new Set<string>();
   private provider: VoiceCallProvider | null = null;
@@ -57,12 +55,10 @@ export class CallManager {
       timeout: NodeJS.Timeout;
     }
   >();
-  /** Max duration timers to auto-hangup calls after configured timeout */
   private maxDurationTimers = new Map<CallId, NodeJS.Timeout>();
 
   constructor(config: VoiceCallConfig, storePath?: string) {
     this.config = config;
-    // Resolve store path with tilde expansion (like other config values)
     this.storePath = resolveDefaultStoreBase(config, storePath);
   }
 
@@ -73,11 +69,13 @@ export class CallManager {
     this.provider = provider;
     this.webhookUrl = webhookUrl;
 
-    // Ensure store directory exists
     fs.mkdirSync(this.storePath, { recursive: true });
 
-    // Load any persisted active calls
-    this.loadActiveCalls();
+    const persisted = loadActiveCallsFromStore(this.storePath);
+    this.activeCalls = persisted.activeCalls;
+    this.providerCallIdMap = persisted.providerCallIdMap;
+    this.processedEventIds = persisted.processedEventIds;
+    this.rejectedProviderCallIds = persisted.rejectedProviderCallIds;
   }
 
   /**
@@ -89,242 +87,27 @@ export class CallManager {
 
   /**
    * Initiate an outbound call.
-   * @param to - The phone number to call
-   * @param sessionKey - Optional session key for context
-   * @param options - Optional call options (message, mode)
    */
   async initiateCall(
     to: string,
     sessionKey?: string,
     options?: OutboundCallOptions | string,
   ): Promise<{ callId: CallId; success: boolean; error?: string }> {
-    // Support legacy string argument for initialMessage
-    const opts: OutboundCallOptions =
-      typeof options === "string" ? { message: options } : (options ?? {});
-    const initialMessage = opts.message;
-    const mode = opts.mode ?? this.config.outbound.defaultMode;
-    if (!this.provider) {
-      return { callId: "", success: false, error: "Provider not initialized" };
-    }
-
-    if (!this.webhookUrl) {
-      return {
-        callId: "",
-        success: false,
-        error: "Webhook URL not configured",
-      };
-    }
-
-    // Check concurrent call limit
-    const activeCalls = this.getActiveCalls();
-    if (activeCalls.length >= this.config.maxConcurrentCalls) {
-      return {
-        callId: "",
-        success: false,
-        error: `Maximum concurrent calls (${this.config.maxConcurrentCalls}) reached`,
-      };
-    }
-
-    const callId = crypto.randomUUID();
-    const from =
-      this.config.fromNumber || (this.provider?.name === "mock" ? "+15550000000" : undefined);
-    if (!from) {
-      return { callId: "", success: false, error: "fromNumber not configured" };
-    }
-
-    // Create call record with mode in metadata
-    const callRecord: CallRecord = {
-      callId,
-      provider: this.provider.name,
-      direction: "outbound",
-      state: "initiated",
-      from,
-      to,
-      sessionKey,
-      startedAt: Date.now(),
-      transcript: [],
-      processedEventIds: [],
-      metadata: {
-        ...(initialMessage && { initialMessage }),
-        mode,
-      },
-    };
-
-    this.activeCalls.set(callId, callRecord);
-    this.persistCallRecord(callRecord);
-
-    try {
-      // For notify mode with a message, use inline TwiML with <Say>
-      let inlineTwiml: string | undefined;
-      if (mode === "notify" && initialMessage) {
-        const pollyVoice = mapVoiceToPolly(this.config.tts?.openai?.voice);
-        inlineTwiml = this.generateNotifyTwiml(initialMessage, pollyVoice);
-        console.log(`[voice-call] Using inline TwiML for notify mode (voice: ${pollyVoice})`);
-      }
-
-      const result = await this.provider.initiateCall({
-        callId,
-        from,
-        to,
-        webhookUrl: this.webhookUrl,
-        inlineTwiml,
-      });
-
-      callRecord.providerCallId = result.providerCallId;
-      this.providerCallIdMap.set(result.providerCallId, callId); // Map providerCallId to internal callId
-      this.persistCallRecord(callRecord);
-
-      return { callId, success: true };
-    } catch (err) {
-      callRecord.state = "failed";
-      callRecord.endedAt = Date.now();
-      callRecord.endReason = "failed";
-      this.persistCallRecord(callRecord);
-      this.activeCalls.delete(callId);
-      if (callRecord.providerCallId) {
-        this.providerCallIdMap.delete(callRecord.providerCallId);
-      }
-
-      return {
-        callId,
-        success: false,
-        error: err instanceof Error ? err.message : String(err),
-      };
-    }
+    return initiateCallWithContext(this.getContext(), to, sessionKey, options);
   }
 
   /**
    * Speak to user in an active call.
    */
   async speak(callId: CallId, text: string): Promise<{ success: boolean; error?: string }> {
-    const call = this.activeCalls.get(callId);
-    if (!call) {
-      return { success: false, error: "Call not found" };
-    }
-
-    if (!this.provider || !call.providerCallId) {
-      return { success: false, error: "Call not connected" };
-    }
-
-    if (TerminalStates.has(call.state)) {
-      return { success: false, error: "Call has ended" };
-    }
-
-    try {
-      // Update state
-      call.state = "speaking";
-      this.persistCallRecord(call);
-
-      // Add to transcript
-      this.addTranscriptEntry(call, "bot", text);
-
-      // Play TTS
-      const voice = this.provider?.name === "twilio" ? this.config.tts?.openai?.voice : undefined;
-      await this.provider.playTts({
-        callId,
-        providerCallId: call.providerCallId,
-        text,
-        voice,
-      });
-
-      return { success: true };
-    } catch (err) {
-      return {
-        success: false,
-        error: err instanceof Error ? err.message : String(err),
-      };
-    }
+    return speakWithContext(this.getContext(), callId, text);
   }
 
   /**
    * Speak the initial message for a call (called when media stream connects).
-   * This is used to auto-play the message passed to initiateCall.
-   * In notify mode, auto-hangup after the message is delivered.
    */
   async speakInitialMessage(providerCallId: string): Promise<void> {
-    const call = this.getCallByProviderCallId(providerCallId);
-    if (!call) {
-      console.warn(`[voice-call] speakInitialMessage: no call found for ${providerCallId}`);
-      return;
-    }
-
-    const initialMessage = call.metadata?.initialMessage as string | undefined;
-    const mode = (call.metadata?.mode as CallMode) ?? "conversation";
-
-    if (!initialMessage) {
-      console.log(`[voice-call] speakInitialMessage: no initial message for ${call.callId}`);
-      return;
-    }
-
-    // Clear the initial message so we don't speak it again
-    if (call.metadata) {
-      delete call.metadata.initialMessage;
-      this.persistCallRecord(call);
-    }
-
-    console.log(`[voice-call] Speaking initial message for call ${call.callId} (mode: ${mode})`);
-    const result = await this.speak(call.callId, initialMessage);
-    if (!result.success) {
-      console.warn(`[voice-call] Failed to speak initial message: ${result.error}`);
-      return;
-    }
-
-    // In notify mode, auto-hangup after delay
-    if (mode === "notify") {
-      const delaySec = this.config.outbound.notifyHangupDelaySec;
-      console.log(`[voice-call] Notify mode: auto-hangup in ${delaySec}s for call ${call.callId}`);
-      setTimeout(async () => {
-        const currentCall = this.getCall(call.callId);
-        if (currentCall && !TerminalStates.has(currentCall.state)) {
-          console.log(`[voice-call] Notify mode: hanging up call ${call.callId}`);
-          await this.endCall(call.callId);
-        }
-      }, delaySec * 1000);
-    }
-  }
-
-  /**
-   * Clear max duration timer for a call.
-   */
-  private clearMaxDurationTimer(callId: CallId): void {
-    const timer = this.maxDurationTimers.get(callId);
-    if (timer) {
-      clearTimeout(timer);
-      this.maxDurationTimers.delete(callId);
-    }
-  }
-
-  private clearTranscriptWaiter(callId: CallId): void {
-    const waiter = this.transcriptWaiters.get(callId);
-    if (!waiter) {
-      return;
-    }
-    clearTimeout(waiter.timeout);
-    this.transcriptWaiters.delete(callId);
-  }
-
-  private rejectTranscriptWaiter(callId: CallId, reason: string): void {
-    const waiter = this.transcriptWaiters.get(callId);
-    if (!waiter) {
-      return;
-    }
-    this.clearTranscriptWaiter(callId);
-    waiter.reject(new Error(reason));
-  }
-
-  private waitForFinalTranscript(callId: CallId): Promise<string> {
-    // Only allow one in-flight waiter per call.
-    this.rejectTranscriptWaiter(callId, "Transcript waiter replaced");
-
-    const timeoutMs = this.config.transcriptTimeoutMs;
-    return new Promise((resolve, reject) => {
-      const timeout = setTimeout(() => {
-        this.transcriptWaiters.delete(callId);
-        reject(new Error(`Timed out waiting for transcript after ${timeoutMs}ms`));
-      }, timeoutMs);
-
-      this.transcriptWaiters.set(callId, { resolve, reject, timeout });
-    });
+    return speakInitialMessageWithContext(this.getContext(), providerCallId);
   }
 
   /**
@@ -334,91 +117,14 @@ export class CallManager {
     callId: CallId,
     prompt: string,
   ): Promise<{ success: boolean; transcript?: string; error?: string }> {
-    const call = this.activeCalls.get(callId);
-    if (!call) {
-      return { success: false, error: "Call not found" };
-    }
-
-    if (!this.provider || !call.providerCallId) {
-      return { success: false, error: "Call not connected" };
-    }
-
-    if (TerminalStates.has(call.state)) {
-      return { success: false, error: "Call has ended" };
-    }
-
-    try {
-      await this.speak(callId, prompt);
-
-      call.state = "listening";
-      this.persistCallRecord(call);
-
-      await this.provider.startListening({
-        callId,
-        providerCallId: call.providerCallId,
-      });
-
-      const transcript = await this.waitForFinalTranscript(callId);
-
-      // Best-effort: stop listening after final transcript.
-      await this.provider.stopListening({
-        callId,
-        providerCallId: call.providerCallId,
-      });
-
-      return { success: true, transcript };
-    } catch (err) {
-      return {
-        success: false,
-        error: err instanceof Error ? err.message : String(err),
-      };
-    } finally {
-      this.clearTranscriptWaiter(callId);
-    }
+    return continueCallWithContext(this.getContext(), callId, prompt);
   }
 
   /**
    * End an active call.
    */
   async endCall(callId: CallId): Promise<{ success: boolean; error?: string }> {
-    const call = this.activeCalls.get(callId);
-    if (!call) {
-      return { success: false, error: "Call not found" };
-    }
-
-    if (!this.provider || !call.providerCallId) {
-      return { success: false, error: "Call not connected" };
-    }
-
-    if (TerminalStates.has(call.state)) {
-      return { success: true }; // Already ended
-    }
-
-    try {
-      await this.provider.hangupCall({
-        callId,
-        providerCallId: call.providerCallId,
-        reason: "hangup-bot",
-      });
-
-      call.state = "hangup-bot";
-      call.endedAt = Date.now();
-      call.endReason = "hangup-bot";
-      this.persistCallRecord(call);
-      this.clearMaxDurationTimer(callId);
-      this.rejectTranscriptWaiter(callId, "Call ended: hangup-bot");
-      this.activeCalls.delete(callId);
-      if (call.providerCallId) {
-        this.providerCallIdMap.delete(call.providerCallId);
-      }
-
-      return { success: true };
-    } catch (err) {
-      return {
-        success: false,
-        error: err instanceof Error ? err.message : String(err),
-      };
-    }
+    return endCallWithContext(this.getContext(), callId);
   }
 
   private getContext(): CallManagerContext {
@@ -427,15 +133,15 @@ export class CallManager {
       providerCallIdMap: this.providerCallIdMap,
       processedEventIds: this.processedEventIds,
       rejectedProviderCallIds: this.rejectedProviderCallIds,
-      onCallAnswered: (call) => {
-        this.maybeSpeakInitialMessageOnAnswered(call);
-      },
       provider: this.provider,
       config: this.config,
       storePath: this.storePath,
       webhookUrl: this.webhookUrl,
       transcriptWaiters: this.transcriptWaiters,
       maxDurationTimers: this.maxDurationTimers,
+      onCallAnswered: (call) => {
+        this.maybeSpeakInitialMessageOnAnswered(call);
+      },
     };
   }
 
@@ -478,20 +184,11 @@ export class CallManager {
    * Get an active call by provider call ID (e.g., Twilio CallSid).
    */
   getCallByProviderCallId(providerCallId: string): CallRecord | undefined {
-    // Fast path: use the providerCallIdMap for O(1) lookup
-    const callId = this.providerCallIdMap.get(providerCallId);
-    if (callId) {
-      return this.activeCalls.get(callId);
-    }
-
-    // Fallback: linear search for cases where map wasn't populated
-    // (e.g., providerCallId set directly on call record)
-    for (const call of this.activeCalls.values()) {
-      if (call.providerCallId === providerCallId) {
-        return call;
-      }
-    }
-    return undefined;
+    return getCallByProviderCallIdFromMaps({
+      activeCalls: this.activeCalls,
+      providerCallIdMap: this.providerCallIdMap,
+      providerCallId,
+    });
   }
 
   /**
@@ -505,109 +202,6 @@ export class CallManager {
    * Get call history (from persisted logs).
    */
   async getCallHistory(limit = 50): Promise<CallRecord[]> {
-    const logPath = path.join(this.storePath, "calls.jsonl");
-
-    try {
-      await fsp.access(logPath);
-    } catch {
-      return [];
-    }
-
-    const content = await fsp.readFile(logPath, "utf-8");
-    const lines = content.trim().split("\n").filter(Boolean);
-    const calls: CallRecord[] = [];
-
-    // Parse last N lines
-    for (const line of lines.slice(-limit)) {
-      try {
-        const parsed = CallRecordSchema.parse(JSON.parse(line));
-        calls.push(parsed);
-      } catch {
-        // Skip invalid lines
-      }
-    }
-
-    return calls;
-  }
-
-  /**
-   * Add an entry to the call transcript.
-   */
-  private addTranscriptEntry(call: CallRecord, speaker: "bot" | "user", text: string): void {
-    const entry: TranscriptEntry = {
-      timestamp: Date.now(),
-      speaker,
-      text,
-      isFinal: true,
-    };
-    call.transcript.push(entry);
-  }
-
-  /**
-   * Persist a call record to disk (fire-and-forget async).
-   */
-  private persistCallRecord(call: CallRecord): void {
-    const logPath = path.join(this.storePath, "calls.jsonl");
-    const line = `${JSON.stringify(call)}\n`;
-    // Fire-and-forget async write to avoid blocking event loop
-    fsp.appendFile(logPath, line).catch((err) => {
-      console.error("[voice-call] Failed to persist call record:", err);
-    });
-  }
-
-  /**
-   * Load active calls from persistence (for crash recovery).
-   * Uses streaming to handle large log files efficiently.
-   */
-  private loadActiveCalls(): void {
-    const logPath = path.join(this.storePath, "calls.jsonl");
-    if (!fs.existsSync(logPath)) {
-      return;
-    }
-
-    // Read file synchronously and parse lines
-    const content = fs.readFileSync(logPath, "utf-8");
-    const lines = content.split("\n");
-
-    // Build map of latest state per call
-    const callMap = new Map<CallId, CallRecord>();
-
-    for (const line of lines) {
-      if (!line.trim()) {
-        continue;
-      }
-      try {
-        const call = CallRecordSchema.parse(JSON.parse(line));
-        callMap.set(call.callId, call);
-      } catch {
-        // Skip invalid lines
-      }
-    }
-
-    // Only keep non-terminal calls
-    for (const [callId, call] of callMap) {
-      if (!TerminalStates.has(call.state)) {
-        this.activeCalls.set(callId, call);
-        // Populate providerCallId mapping for lookups
-        if (call.providerCallId) {
-          this.providerCallIdMap.set(call.providerCallId, callId);
-        }
-        // Populate processed event IDs
-        for (const eventId of call.processedEventIds) {
-          this.processedEventIds.add(eventId);
-        }
-      }
-    }
-  }
-
-  /**
-   * Generate TwiML for notify mode (speak message and hang up).
-   */
-  private generateNotifyTwiml(message: string, voice: string): string {
-    return `<?xml version="1.0" encoding="UTF-8"?>
-<Response>
-  <Say voice="${voice}">${escapeXml(message)}</Say>
-  <Hangup/>
-</Response>`;
+    return getCallHistoryFromStore(this.storePath, limit);
   }
 }

package/src/providers/telnyx.test.ts

@@ -0,0 +1,121 @@
+import crypto from "node:crypto";
+import { describe, expect, it } from "vitest";
+import type { WebhookContext } from "../types.js";
+import { TelnyxProvider } from "./telnyx.js";
+
+function createCtx(params?: Partial<WebhookContext>): WebhookContext {
+  return {
+    headers: {},
+    rawBody: "{}",
+    url: "http://localhost/voice/webhook",
+    method: "POST",
+    query: {},
+    remoteAddress: "127.0.0.1",
+    ...params,
+  };
+}
+
+function decodeBase64Url(input: string): Buffer {
+  const normalized = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padLen = (4 - (normalized.length % 4)) % 4;
+  const padded = normalized + "=".repeat(padLen);
+  return Buffer.from(padded, "base64");
+}
+
+describe("TelnyxProvider.verifyWebhook", () => {
+  it("fails closed when public key is missing and skipVerification is false", () => {
+    const provider = new TelnyxProvider(
+      { apiKey: "KEY123", connectionId: "CONN456", publicKey: undefined },
+      { skipVerification: false },
+    );
+
+    const result = provider.verifyWebhook(createCtx());
+    expect(result.ok).toBe(false);
+  });
+
+  it("allows requests when skipVerification is true (development only)", () => {
+    const provider = new TelnyxProvider(
+      { apiKey: "KEY123", connectionId: "CONN456", publicKey: undefined },
+      { skipVerification: true },
+    );
+
+    const result = provider.verifyWebhook(createCtx());
+    expect(result.ok).toBe(true);
+  });
+
+  it("fails when signature headers are missing (with public key configured)", () => {
+    const provider = new TelnyxProvider(
+      { apiKey: "KEY123", connectionId: "CONN456", publicKey: "public-key" },
+      { skipVerification: false },
+    );
+
+    const result = provider.verifyWebhook(createCtx({ headers: {} }));
+    expect(result.ok).toBe(false);
+  });
+
+  it("verifies a valid signature with a raw Ed25519 public key (Base64)", () => {
+    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
+
+    const jwk = publicKey.export({ format: "jwk" }) as JsonWebKey;
+    expect(jwk.kty).toBe("OKP");
+    expect(jwk.crv).toBe("Ed25519");
+    expect(typeof jwk.x).toBe("string");
+
+    const rawPublicKey = decodeBase64Url(jwk.x as string);
+    const rawPublicKeyBase64 = rawPublicKey.toString("base64");
+
+    const provider = new TelnyxProvider(
+      { apiKey: "KEY123", connectionId: "CONN456", publicKey: rawPublicKeyBase64 },
+      { skipVerification: false },
+    );
+
+    const rawBody = JSON.stringify({
+      event_type: "call.initiated",
+      payload: { call_control_id: "x" },
+    });
+    const timestamp = String(Math.floor(Date.now() / 1000));
+    const signedPayload = `${timestamp}|${rawBody}`;
+    const signature = crypto.sign(null, Buffer.from(signedPayload), privateKey).toString("base64");
+
+    const result = provider.verifyWebhook(
+      createCtx({
+        rawBody,
+        headers: {
+          "telnyx-signature-ed25519": signature,
+          "telnyx-timestamp": timestamp,
+        },
+      }),
+    );
+    expect(result.ok).toBe(true);
+  });
+
+  it("verifies a valid signature with a DER SPKI public key (Base64)", () => {
+    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
+    const spkiDer = publicKey.export({ format: "der", type: "spki" }) as Buffer;
+    const spkiDerBase64 = spkiDer.toString("base64");
+
+    const provider = new TelnyxProvider(
+      { apiKey: "KEY123", connectionId: "CONN456", publicKey: spkiDerBase64 },
+      { skipVerification: false },
+    );
+
+    const rawBody = JSON.stringify({
+      event_type: "call.initiated",
+      payload: { call_control_id: "x" },
+    });
+    const timestamp = String(Math.floor(Date.now() / 1000));
+    const signedPayload = `${timestamp}|${rawBody}`;
+    const signature = crypto.sign(null, Buffer.from(signedPayload), privateKey).toString("base64");
+
+    const result = provider.verifyWebhook(
+      createCtx({
+        rawBody,
+        headers: {
+          "telnyx-signature-ed25519": signature,
+          "telnyx-timestamp": timestamp,
+        },
+      }),
+    );
+    expect(result.ok).toBe(true);
+  });
+});

package/src/providers/telnyx.ts

@@ -14,6 +14,7 @@ import type {
   WebhookVerificationResult,
 } from "../types.js";
 import type { VoiceCallProvider } from "./base.js";
+import { verifyTelnyxWebhook } from "../webhook-security.js";
 
 /**
  * Telnyx Voice API provider implementation.
@@ -22,8 +23,8 @@ import type { VoiceCallProvider } from "./base.js";
  * @see https://developers.telnyx.com/docs/api/v2/call-control
  */
 export interface TelnyxProviderOptions {
-  /** Allow unsigned webhooks when no public key is configured */
-  allowUnsignedWebhooks?: boolean;
+  /** Skip webhook signature verification (development only, NOT for production) */
+  skipVerification?: boolean;
 }
 
 export class TelnyxProvider implements VoiceCallProvider {
@@ -82,65 +83,11 @@ export class TelnyxProvider implements VoiceCallProvider {
    * Verify Telnyx webhook signature using Ed25519.
    */
   verifyWebhook(ctx: WebhookContext): WebhookVerificationResult {
-    if (!this.publicKey) {
-      if (this.options.allowUnsignedWebhooks) {
-        console.warn("[telnyx] Webhook verification skipped (no public key configured)");
-        return { ok: true, reason: "verification skipped (no public key configured)" };
-      }
-      return {
-        ok: false,
-        reason: "Missing telnyx.publicKey (configure to verify webhooks)",
-      };
-    }
-
-    const signature = ctx.headers["telnyx-signature-ed25519"];
-    const timestamp = ctx.headers["telnyx-timestamp"];
-
-    if (!signature || !timestamp) {
-      return { ok: false, reason: "Missing signature or timestamp header" };
-    }
-
-    const signatureStr = Array.isArray(signature) ? signature[0] : signature;
-    const timestampStr = Array.isArray(timestamp) ? timestamp[0] : timestamp;
-
-    if (!signatureStr || !timestampStr) {
-      return { ok: false, reason: "Empty signature or timestamp" };
-    }
-
-    try {
-      const signedPayload = `${timestampStr}|${ctx.rawBody}`;
-      const signatureBuffer = Buffer.from(signatureStr, "base64");
-      const publicKeyBuffer = Buffer.from(this.publicKey, "base64");
-
-      const isValid = crypto.verify(
-        null, // Ed25519 doesn't use a digest
-        Buffer.from(signedPayload),
-        {
-          key: publicKeyBuffer,
-          format: "der",
-          type: "spki",
-        },
-        signatureBuffer,
-      );
-
-      if (!isValid) {
-        return { ok: false, reason: "Invalid signature" };
-      }
-
-      // Check timestamp is within 5 minutes
-      const eventTime = parseInt(timestampStr, 10) * 1000;
-      const now = Date.now();
-      if (Math.abs(now - eventTime) > 5 * 60 * 1000) {
-        return { ok: false, reason: "Timestamp too old" };
-      }
+    const result = verifyTelnyxWebhook(ctx, this.publicKey, {
+      skipVerification: this.options.skipVerification,
+    });
 
-      return { ok: true };
-    } catch (err) {
-      return {
-        ok: false,
-        reason: `Verification error: ${err instanceof Error ? err.message : String(err)}`,
-      };
-    }
+    return { ok: result.ok, reason: result.reason };
   }
 
   /**

package/src/runtime.ts

@@ -55,8 +55,7 @@ function resolveProvider(config: VoiceCallConfig): VoiceCallProvider {
           publicKey: config.telnyx?.publicKey,
         },
         {
-          allowUnsignedWebhooks:
-            config.inboundPolicy === "open" || config.inboundPolicy === "disabled",
+          skipVerification: config.skipSignatureVerification,
         },
       );
     case "twilio":
@@ -113,6 +112,12 @@ export async function createVoiceCallRuntime(params: {
     throw new Error("Voice call disabled. Enable the plugin entry in config.");
   }
 
+  if (config.skipSignatureVerification) {
+    log.warn(
+      "[voice-call] SECURITY WARNING: skipSignatureVerification=true disables webhook signature verification (development only). Do not use in production.",
+    );
+  }
+
   const validation = validateProviderConfig(config);
   if (!validation.valid) {
     throw new Error(`Invalid voice-call config: ${validation.errors.join("; ")}`);

package/src/webhook-security.test.ts

@@ -222,9 +222,16 @@ describe("verifyTwilioWebhook", () => {
     expect(result.reason).toMatch(/Invalid signature/);
   });
 
-  it("allows invalid signatures for ngrok free tier only on loopback", () => {
+  it("accepts valid signatures for ngrok free tier on loopback when compatibility mode is enabled", () => {
     const authToken = "test-auth-token";
     const postBody = "CallSid=CS123&CallStatus=completed&From=%2B15550000000";
+    const webhookUrl = "https://local.ngrok-free.app/voice/webhook";
+
+    const signature = twilioSignature({
+      authToken,
+      url: webhookUrl,
+      postBody,
+    });
 
     const result = verifyTwilioWebhook(
       {
@@ -232,7 +239,7 @@ describe("verifyTwilioWebhook", () => {
           host: "127.0.0.1:3334",
           "x-forwarded-proto": "https",
           "x-forwarded-host": "local.ngrok-free.app",
-          "x-twilio-signature": "invalid",
+          "x-twilio-signature": signature,
         },
         rawBody: postBody,
         url: "http://127.0.0.1:3334/voice/webhook",
@@ -244,8 +251,33 @@ describe("verifyTwilioWebhook", () => {
     );
 
     expect(result.ok).toBe(true);
+    expect(result.verificationUrl).toBe(webhookUrl);
+  });
+
+  it("does not allow invalid signatures for ngrok free tier on loopback", () => {
+    const authToken = "test-auth-token";
+    const postBody = "CallSid=CS123&CallStatus=completed&From=%2B15550000000";
+
+    const result = verifyTwilioWebhook(
+      {
+        headers: {
+          host: "127.0.0.1:3334",
+          "x-forwarded-proto": "https",
+          "x-forwarded-host": "local.ngrok-free.app",
+          "x-twilio-signature": "invalid",
+        },
+        rawBody: postBody,
+        url: "http://127.0.0.1:3334/voice/webhook",
+        method: "POST",
+        remoteAddress: "127.0.0.1",
+      },
+      authToken,
+      { allowNgrokFreeTierLoopbackBypass: true },
+    );
+
+    expect(result.ok).toBe(false);
+    expect(result.reason).toMatch(/Invalid signature/);
     expect(result.isNgrokFreeTier).toBe(true);
-    expect(result.reason).toMatch(/compatibility mode/);
   });
 
   it("ignores attacker X-Forwarded-Host without allowedHosts or trustForwardingHeaders", () => {

package/src/webhook-security.ts

@@ -330,6 +330,111 @@ export interface TwilioVerificationResult {
   isNgrokFreeTier?: boolean;
 }
 
+export interface TelnyxVerificationResult {
+  ok: boolean;
+  reason?: string;
+}
+
+function decodeBase64OrBase64Url(input: string): Buffer {
+  // Telnyx docs say Base64; some tooling emits Base64URL. Accept both.
+  const normalized = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padLen = (4 - (normalized.length % 4)) % 4;
+  const padded = normalized + "=".repeat(padLen);
+  return Buffer.from(padded, "base64");
+}
+
+function base64UrlEncode(buf: Buffer): string {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+
+function importEd25519PublicKey(publicKey: string): crypto.KeyObject | string {
+  const trimmed = publicKey.trim();
+
+  // PEM (spki) support.
+  if (trimmed.startsWith("-----BEGIN")) {
+    return trimmed;
+  }
+
+  // Base64-encoded raw Ed25519 key (32 bytes) or Base64-encoded DER SPKI key.
+  const decoded = decodeBase64OrBase64Url(trimmed);
+  if (decoded.length === 32) {
+    // JWK is the easiest portable way to import raw Ed25519 keys in Node crypto.
+    return crypto.createPublicKey({
+      key: { kty: "OKP", crv: "Ed25519", x: base64UrlEncode(decoded) },
+      format: "jwk",
+    });
+  }
+
+  return crypto.createPublicKey({
+    key: decoded,
+    format: "der",
+    type: "spki",
+  });
+}
+
+/**
+ * Verify Telnyx webhook signature using Ed25519.
+ *
+ * Telnyx signs `timestamp|payload` and provides:
+ * - `telnyx-signature-ed25519` (Base64 signature)
+ * - `telnyx-timestamp` (Unix seconds)
+ */
+export function verifyTelnyxWebhook(
+  ctx: WebhookContext,
+  publicKey: string | undefined,
+  options?: {
+    /** Skip verification entirely (only for development) */
+    skipVerification?: boolean;
+    /** Maximum allowed clock skew (ms). Defaults to 5 minutes. */
+    maxSkewMs?: number;
+  },
+): TelnyxVerificationResult {
+  if (options?.skipVerification) {
+    return { ok: true, reason: "verification skipped (dev mode)" };
+  }
+
+  if (!publicKey) {
+    return { ok: false, reason: "Missing telnyx.publicKey (configure to verify webhooks)" };
+  }
+
+  const signature = getHeader(ctx.headers, "telnyx-signature-ed25519");
+  const timestamp = getHeader(ctx.headers, "telnyx-timestamp");
+
+  if (!signature || !timestamp) {
+    return { ok: false, reason: "Missing signature or timestamp header" };
+  }
+
+  const eventTimeSec = parseInt(timestamp, 10);
+  if (!Number.isFinite(eventTimeSec)) {
+    return { ok: false, reason: "Invalid timestamp header" };
+  }
+
+  try {
+    const signedPayload = `${timestamp}|${ctx.rawBody}`;
+    const signatureBuffer = decodeBase64OrBase64Url(signature);
+    const key = importEd25519PublicKey(publicKey);
+
+    const isValid = crypto.verify(null, Buffer.from(signedPayload), key, signatureBuffer);
+    if (!isValid) {
+      return { ok: false, reason: "Invalid signature" };
+    }
+
+    const maxSkewMs = options?.maxSkewMs ?? 5 * 60 * 1000;
+    const eventTimeMs = eventTimeSec * 1000;
+    const now = Date.now();
+    if (Math.abs(now - eventTimeMs) > maxSkewMs) {
+      return { ok: false, reason: "Timestamp too old" };
+    }
+
+    return { ok: true };
+  } catch (err) {
+    return {
+      ok: false,
+      reason: `Verification error: ${err instanceof Error ? err.message : String(err)}`,
+    };
+  }
+}
+
 /**
  * Verify Twilio webhook with full context and detailed result.
  */
@@ -339,7 +444,13 @@ export function verifyTwilioWebhook(
   options?: {
     /** Override the public URL (e.g., from config) */
     publicUrl?: string;
-    /** Allow ngrok free tier compatibility mode (loopback only, less secure) */
+    /**
+     * Allow ngrok free tier compatibility mode (loopback only).
+     *
+     * IMPORTANT: This does NOT bypass signature verification.
+     * It only enables trusting forwarded headers on loopback so we can
+     * reconstruct the public ngrok URL that Twilio used for signing.
+     */
     allowNgrokFreeTierLoopbackBypass?: boolean;
     /** Skip verification entirely (only for development) */
     skipVerification?: boolean;
@@ -401,18 +512,6 @@ export function verifyTwilioWebhook(
   const isNgrokFreeTier =
     verificationUrl.includes(".ngrok-free.app") || verificationUrl.includes(".ngrok.io");
 
-  if (isNgrokFreeTier && options?.allowNgrokFreeTierLoopbackBypass && isLoopback) {
-    console.warn(
-      "[voice-call] Twilio signature validation failed (ngrok free tier compatibility, loopback only)",
-    );
-    return {
-      ok: true,
-      reason: "ngrok free tier compatibility mode (loopback only)",
-      verificationUrl,
-      isNgrokFreeTier: true,
-    };
-  }
-
   return {
     ok: false,
     reason: `Invalid signature for URL: ${verificationUrl}`,