fix(macos): guard all audio input paths against missing microphone (AI-assisted)

[sfo2001]

Summary

• Problem: AVAudioEngine.inputNode access triggers SIGABRT on Macs without an audio input device (Mac mini, Mac Pro, Mac Studio with no external mic). VoiceWakeRuntime auto-starts on launch, causing an unrecoverable crash loop.
• Why it matters: 17 issues filed by 17 distinct users since Jan 25, 2026. 4 PRs attempted (fix(macos): prevent crash on launch when no microphone available #5656, fix(macos): guard against SIGABRT when no audio input device available #12334, macOS: prevent Voice Wake crash when no input device is available #17948, macOS: prevent Voice Wake crash when no input device is available #18235), none merged. 5 issues remain open.
• What changed: Added AudioInputDeviceObserver.hasUsableDefaultInputDevice() (CoreAudio preflight that checks the default device exists AND is alive with input channels) and guards in all 5 inputNode access sites. VoicePushToTalk nils audioEngine before throwing to avoid retaining a dead engine. 2 smoke tests added in AudioInputDeviceObserverTests.swift (no-crash + consistency).
• What did NOT change: Normal mic-present behavior is untouched. No UI changes, no config changes.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: macOS app crashes (SIGABRT) when enabling Microphone / Voice Wake on Mac mini (no input mic) — AVAudioNode installTapOnBus throws #16418, closes macOS app crashes when opening VoiceWake tab (2026.2.14) #17484, closes macOS App: TalkMode crashes on launch with USB audio input (AVAudioEngine InstallTapOnNode) #22667, closes [Bug]: [macOS] Companion app crashes on launch when configured Swabble mic is unavailable #23162, closes Desktop app crashes on Mac mini (no microphone) — VoiceWakeRuntime audio format mismatch #24677
• Related fix(macos): prevent crash on launch when no microphone available #5656, fix(macos): guard against SIGABRT when no audio input device available #12334, macOS: prevent Voice Wake crash when no input device is available #17948, macOS: prevent Voice Wake crash when no input device is available #18235 (prior fix attempts)
• Related Desktop app crashes on Mac mini without microphone (TalkMode + CodeTokenizer) #1853, macOS app crashes on Voice Wake / Talk Mode when no audio input device is available (Mac mini) #3529, Crash: MicLevelMonitor.start() crashes on headless Mac (no audio input device) #4163, macOS app crashes when opening Voice settings (MicLevelMonitor audio format mismatch) #5099, OpenClaw.app crashes when enabling Voice Wake (SIGABRT in AVAudioEngine installTapOnBus) #5407, [Bug]: macOS App crashes on launch when no audio input device is available #5529, [Bug]:Crash on macOS when opening Voice Wake / selecting microphone (SIGABRT in AVAudioEngine InstallTapOnNode; may enter crash loop after mic disconnect) #8831, [Bug]: macOS 26.2 - Enabling Voice Wake causes immediate crash loop (AVAudioEngine SIGABRT) #11834, Mac app: SIGABRT crash when no audio input device available (voice wake) #12169, [Bug]: [macOS] Voice Wakeup settings toggle causes immediate crash (SIGABRT) #13808, macOS app crashes on launch when no audio input device connected (VoiceWakeRuntime) #15740, macOS App crashes on launch when no audio input device is available (VoiceWakeRuntime) #16118, [Bug]: macOS app crashes when enabling Voice Awake with no microphone/default input device #21492 (closed duplicates, none fixed)

User-visible / Behavior Changes

Voice Wake, Talk Mode, Push-to-Talk, and Mic Level Monitor no longer crash when no audio input device is available. Features log an error and remain inactive until a mic is connected.

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No

Repro + Verification

Environment

• OS: macOS (any version supporting OpenClaw)
• Runtime/container: OpenClaw.app (macOS menubar app)
• Model/provider: N/A (crash occurs before any model interaction)
• Integration/channel: N/A
• Relevant config: Voice Wake enabled (default on first launch)

Steps

1. Use a Mac without built-in microphone (Mac mini M4, Mac Pro, Mac Studio) with no external audio input connected
2. Launch OpenClaw.app with Voice Wake enabled
3. Observe behavior

Expected

App launches normally. Voice features show disabled/error state. No crash.

Actual (before fix)

SIGABRT crash loop. App cannot launch. Users must disable Voice Wake via defaults/plist editing or connect an external mic to break the loop.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

2 smoke tests in AudioInputDeviceObserverTests.swift: (1) hasUsableDefaultInputDeviceReturnsBool verifies the composition logic runs without crashing (result depends on host hardware), (2) hasUsableDefaultInputDeviceConsistentWithComponents validates that the composed method matches calling defaultInputDeviceUID() + aliveInputDeviceUIDs() independently. Tests require Xcode/CI to compile and run; not verified locally (no Xcode on this machine).

Human Verification (required)

• Verified scenarios: Code review of all 5 guard sites; error propagation paths traced through each caller; confirmed each guard is placed before the first inputNode access; verified hasUsableDefaultInputDevice() uses the same proven CoreAudio APIs already in AudioInputDeviceObserver; verified VoicePushToTalk.startRecognition() nils audioEngine before throwing to avoid retaining a dead engine; reviewed both smoke tests for correctness
• Edge cases checked: Device UID present but dead (disconnected USB mic -- covered by aliveInputDeviceUIDs() alive check); no device at all (covered by defaultInputDeviceUID() returning nil); haltRecognitionPipeline() in VoiceWakeRuntime accesses self.audioEngine?.inputNode but only when audioEngine was previously started successfully (nil-safe via optional chaining); TOCTOU race (device removed between hasUsableDefaultInputDevice() and inputNode access -- inherent to hardware checks, mitigated by existing try/catch around AVAudioEngine.start())
• What you did not verify: Runtime testing (requires Mac without mic); Swift compilation (no Xcode available). 2 smoke tests exist but await CI validation.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: Revert the single commit
• Files/config to restore: None
• Known bad symptoms reviewers should watch for: hasUsableDefaultInputDevice() returning false negative (device present but check fails) -- voice features would stay inactive despite mic being connected

Risks and Mitigations

• Risk: hasUsableDefaultInputDevice() false negative on an unusual audio device that reports as non-alive despite being functional
  • Mitigation: Uses the same CoreAudio property queries (kAudioDevicePropertyDeviceIsAlive, kAudioDevicePropertyStreamConfiguration) already proven in AudioInputDeviceObserver.aliveInputDeviceUIDs(), which has been in production since the device observer was introduced. Only adds a set-membership check on top.
• Risk: TOCTOU race -- device could be removed between hasUsableDefaultInputDevice() returning true and the subsequent inputNode access
  • Mitigation: Inherent to hardware availability checks; cannot be fully eliminated. Existing try/catch around AVAudioEngine.start() handles this case. The guard reduces the crash surface from always-crash to a narrow race window.
• Risk: TalkModeRuntime.startRecognition() silently returns on missing mic (logs .error, no throw) while the other 4 sites throw NSError
  • Mitigation: Deliberate -- startRecognition() is not a throws function; changing the signature would cascade through callers. The .error log provides diagnostic signal. The caller's state machine does not depend on recognition start succeeding.

---

Issue archaeology

17 issues filed, 12 closed as duplicates or by stale bot, none with a code fix on main:

#1853 --dup--> #1600 (wrong target: CodeTokenizer, not mic)
#4163 --dup--> #3529
#5407 --dup--> #3529
#5529 --dup--> #3529
#8831 --dup--> #3529
#3529 --dup--> #12169 --stale-bot--> CLOSED
#5099 --dup--> #13808 --dup--> #12169 --stale-bot--> CLOSED
#11834 --dup--> #13808 --dup--> #12169 --stale-bot--> CLOSED
#15740 --dup--> #12169 --stale-bot--> CLOSED
#16118 --dup--> #12169 --stale-bot--> CLOSED
#21492 --claimed-fixed--> closed by steipete (commit 45f7f2f not on main)

4 PRs attempted, all closed without merge:

• fix(macos): prevent crash on launch when no microphone available #5656 (sfo2001) -- VoiceWakeRuntime only, stale-closed
• fix(macos): guard against SIGABRT when no audio input device available #12334 (arosstale) -- all 5 files but contaminated branch, self-closed
• macOS: prevent Voice Wake crash when no input device is available #17948 (agisilaos) -- 3 files + tests, superseded by macOS: prevent Voice Wake crash when no input device is available #18235
• macOS: prevent Voice Wake crash when no input device is available #18235 (agisilaos) -- 3 files + tests, stale-closed

Files changed (7 files, +65 lines)

File	Change
AudioInputDeviceObserver.swift	Added hasUsableDefaultInputDevice() static method
VoiceWakeRuntime.swift	Guard before inputNode in start(with:) (throws)
TalkModeRuntime.swift	Guard before inputNode in startRecognition() (early return + log)
MicLevelMonitor.swift	Guard before engine creation in start(onLevel:) (throws)
VoiceWakeTester.swift	Guard before engine creation in start(...) (throws)
VoicePushToTalk.swift	Guard before inputNode in startRecognition(...) (throws); nils audioEngine before throw
AudioInputDeviceObserverTests.swift	Smoke tests for hasUsableDefaultInputDevice() (no-crash + consistency)

---

AI Disclosure: Code changes were co-authored with Claude Code (Anthropic).
Issue/PR archaeology was performed by Claude Code; I manually verified the duplicate chains, close reasons, and commit references across all 17 linked issues and 4 prior PRs.
Lightly tested: 2 unit tests added but not compiled locally (requires Xcode). Awaiting CI validation.

Greptile Summary

This PR adds a hasUsableDefaultInputDevice() CoreAudio preflight check and guards all 5 AVAudioEngine.inputNode access sites to prevent SIGABRT crashes on Macs without a built-in microphone. The approach is sound: the new method composes two existing, proven CoreAudio queries (defaultInputDeviceUID() and aliveInputDeviceUIDs()), and the guards are placed at the correct points before inputNode access.

However, two of the five guard sites have a critical flaw where the error recovery path itself accesses inputNode on a non-nil engine, re-triggering the same crash:

• VoiceWakeRuntime.start(with:): The guard throws, but the catch block calls stop() → haltRecognitionPipeline(), which accesses self.audioEngine?.inputNode on the engine that was just created before the guard. Fix: nil self.audioEngine before throwing (matching the pattern already used in VoicePushToTalk).
• TalkModeRuntime.startRecognition(): The guard returns early but leaves self.audioEngine non-nil. When stopRecognition() is later called, it accesses self.audioEngine?.inputNode on the stale engine. Fix: nil self.audioEngine before returning.

The other three guard sites (MicLevelMonitor, VoiceWakeTester, VoicePushToTalk) are correctly implemented — they either place the guard before engine creation or nil the engine before throwing.

Confidence Score: 2/5

• Two of the five guard sites re-trigger the SIGABRT through their cleanup paths, defeating the purpose of the fix for VoiceWakeRuntime and TalkModeRuntime.
• The overall approach and 3 of 5 guard sites are correct, but VoiceWakeRuntime (the primary crash site from the issue reports) and TalkModeRuntime will still crash via their error recovery paths accessing inputNode on a non-nil engine. These are one-line fixes (add self.audioEngine = nil before the throw/return), but as-is the PR does not fully resolve the crash for the two most critical code paths.
• Pay close attention to apps/macos/Sources/OpenClaw/VoiceWakeRuntime.swift and apps/macos/Sources/OpenClaw/TalkModeRuntime.swift — both need self.audioEngine = nil before their guard exit paths.

_{Last reviewed commit: 1a82915}

[greptile-apps]

_{7 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Guard fails but engine cleanup accesses inputNode

When hasUsableDefaultInputDevice() returns false, the throw reaches the catch block (line 228), which calls self.stop() → haltRecognitionPipeline(). At line 73, haltRecognitionPipeline() accesses self.audioEngine?.inputNode.removeTap(onBus: 0). Since self.audioEngine was just set to a new AVAudioEngine() on lines 164-165 (before this guard), the optional chain does NOT short-circuit, and accessing .inputNode on a device with no mic triggers the same SIGABRT this guard is meant to prevent.

The fix in VoicePushToTalk correctly nils self.audioEngine before throwing (line 248). The same pattern should be applied here:

Suggested change

	guard AudioInputDeviceObserver.hasUsableDefaultInputDevice() else {
	throw NSError(
	domain: "VoiceWakeRuntime",
	code: 1,
	userInfo: [NSLocalizedDescriptionKey: "No usable audio input device available"])
	}
	guard AudioInputDeviceObserver.hasUsableDefaultInputDevice() else {
	self.audioEngine = nil
	throw NSError(
	domain: "VoiceWakeRuntime",
	code: 1,
	userInfo: [NSLocalizedDescriptionKey: "No usable audio input device available"])
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/macos/Sources/OpenClaw/VoiceWakeRuntime.swift
Line: 169-174

Comment:
**Guard fails but engine cleanup accesses `inputNode`**

When `hasUsableDefaultInputDevice()` returns false, the throw reaches the `catch` block (line 228), which calls `self.stop()` → `haltRecognitionPipeline()`. At line 73, `haltRecognitionPipeline()` accesses `self.audioEngine?.inputNode.removeTap(onBus: 0)`. Since `self.audioEngine` was just set to a new `AVAudioEngine()` on lines 164-165 (before this guard), the optional chain does NOT short-circuit, and accessing `.inputNode` on a device with no mic triggers the same SIGABRT this guard is meant to prevent.

The fix in `VoicePushToTalk` correctly nils `self.audioEngine` before throwing (line 248). The same pattern should be applied here:

```suggestion
            guard AudioInputDeviceObserver.hasUsableDefaultInputDevice() else {
                self.audioEngine = nil
                throw NSError(
                    domain: "VoiceWakeRuntime",
                    code: 1,
                    userInfo: [NSLocalizedDescriptionKey: "No usable audio input device available"])
            }
```

How can I resolve this? If you propose a fix, please make it concise.

[sfo2001]

Good catch, fixed in eb3028d. Both VoiceWakeRuntime and TalkModeRuntime had the same issue: audioEngine was created before the guard but not nilled on the failure path. haltRecognitionPipeline()/stopRecognition() would then access .inputNode on the non-nil engine, triggering the same SIGABRT.

Added self.audioEngine = nil before the throw/return in both files, matching the pattern already in VoicePushToTalk, MicLevelMonitor, and VoiceWakeTester.

[greptile-apps]

Guard fails but engine cleanup accesses inputNode

When hasUsableDefaultInputDevice() returns false, this guard returns early but does NOT nil out self.audioEngine, which was just set to a new AVAudioEngine() on lines 183-184. When stopRecognition() is eventually called (e.g., from stop() → line 150), line 234 accesses self.audioEngine?.inputNode.removeTap(onBus: 0). Since self.audioEngine is non-nil, the optional chain does not short-circuit, and accessing .inputNode on a device with no mic triggers the same SIGABRT this guard is meant to prevent.

Nil out the engine before returning:

Suggested change

	guard AudioInputDeviceObserver.hasUsableDefaultInputDevice() else {
	self.logger.error("talk mode: no usable audio input device")
	return
	}
	guard AudioInputDeviceObserver.hasUsableDefaultInputDevice() else {
	self.audioEngine = nil
	self.logger.error("talk mode: no usable audio input device")
	return
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/macos/Sources/OpenClaw/TalkModeRuntime.swift
Line: 188-191

Comment:
**Guard fails but engine cleanup accesses `inputNode`**

When `hasUsableDefaultInputDevice()` returns false, this guard returns early but does NOT nil out `self.audioEngine`, which was just set to a new `AVAudioEngine()` on lines 183-184. When `stopRecognition()` is eventually called (e.g., from `stop()` → line 150), line 234 accesses `self.audioEngine?.inputNode.removeTap(onBus: 0)`. Since `self.audioEngine` is non-nil, the optional chain does not short-circuit, and accessing `.inputNode` on a device with no mic triggers the same SIGABRT this guard is meant to prevent.

Nil out the engine before returning:

```suggestion
        guard AudioInputDeviceObserver.hasUsableDefaultInputDevice() else {
            self.audioEngine = nil
            self.logger.error("talk mode: no usable audio input device")
            return
        }
```

How can I resolve this? If you propose a fix, please make it concise.

[sfo2001]

fixed in eb3028d

[steipete]

Landed on main via commit 236b22b6a.

What I changed while landing:

• Kept the broad guard coverage and the follow-up audioEngine = nil crash-path fix from this PR.
• Added changelog entry under 2026.2.24 (Unreleased).
• Preserved co-authorship in the landing commit.

Validation run on the landing branch:

• swift test --package-path apps/macos --filter AudioInputDeviceObserverTests
• swift test --package-path apps/macos --filter VoiceWakeRuntimeTests
• swift test --package-path apps/macos --filter VoicePushToTalkTests

The full swift test --package-path apps/macos run was attempted but stalled in unrelated long-running tests after partial execution; targeted suites above passed and include touched paths.

Thanks for pushing this through.