fix(e2ee): revert to PR #904 branch, add MAT-144 diagnostics

PR #921 requires custom WebRTC build not yet available.
Added diagnostic logging: encryption_type per track, frame_cryptors count,
and DEC_FAILED re-keying cooldown (5s) to reduce log spam.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Dockerfile

@@ -1,8 +1,7 @@
-# Stage 1: Build patched Rust FFI with native HKDF support for Element Call E2EE
+# Stage 1: Build patched Rust FFI with HKDF support for Element Call E2EE
-# Fork: onestacked/livekit-rust-sdks branch EC-compat-changes-webrtc-change
+# Fork: onestacked/livekit-rust-sdks branch EC-compat-changes
-# PR: https://github.com/livekit/rust-sdks/pull/921 (proper HKDF at WebRTC C++ level)
+# PR: https://github.com/livekit/rust-sdks/pull/904
-# Replaces #904 which used a callback hack that only worked for the first frame cryptor
+# NOTE: PR #921 (native HKDF at C++ level) requires custom WebRTC build not yet available.
-# (audio), causing DEC_FAILED on video tracks (MAT-144).
 # Must use rust:latest (trixie/sid) — bookworm GCC 12 can't compile webrtc C++20 code
 FROM rust:latest AS rust-build
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -10,7 +9,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libva-dev libglib2.0-dev nasm make clang \
     && rm -rf /var/lib/apt/lists/*
 WORKDIR /build
-RUN git clone --branch EC-compat-changes-webrtc-change --depth 1 --recurse-submodules \
+RUN git clone --branch EC-compat-changes --depth 1 --recurse-submodules \
     https://github.com/onestacked/livekit-rust-sdks.git
 WORKDIR /build/livekit-rust-sdks/livekit-ffi
 RUN cargo build --release

voice.py

@@ -671,14 +671,12 @@ class VoiceSession:
 
             @self.lk_room.on("track_subscribed")
             def on_ts(t, pub, p):
-                logger.info("Track sub: %s %s kind=%s muted=%s", p.identity, pub.sid, t.kind, pub.muted)
+                # MAT-144: Log encryption_type to diagnose frame cryptor creation
-                # NOTE: Do NOT create rtc.AudioStream here — it competes with AgentSession's
+                enc_type = getattr(pub, 'encryption_type', 'N/A')
-                # internal audio pipeline for event loop time, causing intermittent VAD failures
+                logger.info("Track sub: %s %s kind=%s muted=%s enc_type=%s source=%s",
-                # (user_state stuck on "away"). See MAT-40. Use e2ee_state_changed for flow confirmation.
+                            p.identity, pub.sid, t.kind, pub.muted, enc_type,
-                # MAT-144: Pre-derive HKDF in Python, pass derived key with KDF_RAW.
+                            getattr(pub, 'source', 'N/A'))
-                # This ensures exact HKDF match with Element Call JS for both audio AND video.
                 # Store video track for on-demand vision (look_at_screen tool)
-                # Screen share = source "screen_share" or "screenshare"; camera = "camera" or default
                 if int(t.kind) == 2:  # video track (LiveKit: 1=audio, 2=video)
                     track_source = getattr(pub, 'source', None) or "unknown"
                     self._video_track = t
@@ -690,6 +688,13 @@ class VoiceSession:
                                 track_type, caller_id, len(self._caller_all_keys))
                     try:
                         kp_local = self.lk_room.e2ee_manager.key_provider
+                        # MAT-144: Log frame cryptors count for diagnostics
+                        try:
+                            fc_map = self.lk_room.e2ee_manager.frame_cryptors()
+                            logger.info("E2EE_DIAG: frame_cryptors count=%d keys=%s",
+                                        len(fc_map), list(fc_map.keys()) if fc_map else [])
+                        except Exception:
+                            logger.info("E2EE_DIAG: frame_cryptors() not available")
                         if self._caller_all_keys:
                             for idx, base_k in sorted(self._caller_all_keys.items()):
                                 _derive_and_set_key(kp_local, caller_id, base_k, idx)