Initial Opensource release

Author: Repulsiveprogress

.env.example

@@ -0,0 +1,11 @@
+MATRIX_HS_URL=https://matrix.example.org
+MATRIX_USER_ID=@transcriptbot:example.org
+MATRIX_ACCESS_TOKEN=syt_...
+# Optional - required only to auto-prune stale bot devices for E2EE hygiene
+MATRIX_PASSWORD=
+
+# Optional
+LOCALE=en
+ASR_MODEL_NAME=nvidia/parakeet-tdt-0.6b-v3
+MAX_AUDIO_BYTES=26214400
+STORE_PATH=/data/store

.github/workflows/lint.yml

@@ -0,0 +1,78 @@
+name: Lint & Security
+
+on:
+  push:
+    branches: ["main", "master"]
+  pull_request:
+    branches: ["main", "master"]
+
+jobs:
+  ruff:
+    name: Ruff (lint + format)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install ruff
+        run: pip install ruff
+
+      - name: Lint
+        run: ruff check src/
+
+      - name: Format check
+        run: ruff format --check src/
+
+  bandit:
+    name: Bandit (security)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install bandit
+        run: pip install "bandit[toml]"
+
+      - name: Run bandit
+        run: bandit -r src/ -c pyproject.toml --format json -o bandit-report.json --exit-zero
+
+      - name: Print bandit report
+        if: always()
+        run: |
+          if [ -f bandit-report.json ]; then
+            python - <<'EOF'
+          import json, sys
+          with open("bandit-report.json") as f:
+              r = json.load(f)
+          issues = r.get("results", [])
+          if not issues:
+              print("No security issues found.")
+              sys.exit(0)
+          for i in issues:
+              sev = i["issue_severity"]
+              conf = i["issue_confidence"]
+              text = i["issue_text"]
+              loc = f"{i['filename']}:{i['line_number']}"
+              print(f"[{sev}/{conf}] {loc}: {text}")
+          high = [i for i in issues if i["issue_severity"] == "HIGH"]
+          if high:
+              print(f"\n{len(high)} HIGH severity issue(s) found - failing.")
+              sys.exit(1)
+          EOF
+          fi
+
+      - name: Upload bandit report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: bandit-report
+          path: bandit-report.json
+          if-no-files-found: ignore

.gitignore

@@ -0,0 +1,14 @@
+.env
+.env.local
+data/
+*.db
+__pycache__/
+*.py[cod]
+*$py.class
+.Python
+.venv/
+venv/
+.idea/
+.vscode/
+*.log
+.DS_Store

Dockerfile

@@ -0,0 +1,36 @@
+FROM python:3.11-slim
+
+# ffmpeg is required by pydub for audio decoding/conversion
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ffmpeg \
+        libolm-dev \
+        libolm3 \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Install CPU-only PyTorch first as a separate layer, saves ~2 GB vs CUDA wheels
+RUN --mount=type=cache,target=/root/.cache/pip \
+    pip install --timeout 300 --retries 5 \
+    torch \
+    torchaudio \
+    --extra-index-url https://download.pytorch.org/whl/cpu
+
+COPY requirements.txt .
+RUN --mount=type=cache,target=/root/.cache/pip \
+    pip install -r requirements.txt
+
+COPY src ./src
+
+# Mount a volume here to cache the 2.4 GB Parakeet checkpoint across container restarts
+ENV NEMO_CACHE_DIR=/models
+ENV PYTHONUNBUFFERED=1
+
+# Disable NVIDIA/NeMo telemetry
+ENV NEMO_ONE_LOGGER_ENABLED=false
+ENV ONE_LOGGER_ENABLED=false
+ENV NVIDIA_TF32_OVERRIDE=0
+ENV HF_HUB_DISABLE_TELEMETRY=1
+ENV DO_NOT_TRACK=1
+
+CMD ["python", "-m", "src.main"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 SASHARD
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,59 @@
+# Matrix Voice Transcript
+
+Matrix bot that transcribes voice messages and audio files using [NVIDIA NeMo Parakeet TDT](https://huggingface.co/nvidia/parakeet-tdt-0.6b-v2) running locally on CPU. Supports E2EE rooms. No audio leaves the server.
+
+## Requirements
+
+- Matrix bot account with an access token.
+- `MATRIX_PASSWORD` recommended for E2EE rooms (enables stale-device pruning; without it decryption may fail on first run).
+- ~2.5 GB disk space for the model checkpoint (cached in `./models`, downloaded on first start).
+
+## Quick start
+
+1. Copy `.env.example` to `.env` and fill in the variables.
+2. `docker compose up -d`
+3. Invite the bot to a Matrix room.
+
+## Environment variables
+
+| Variable | Description |
+|---|---|
+| `MATRIX_HS_URL` | Homeserver URL (with `https://`) |
+| `MATRIX_USER_ID` | Full bot MXID, e.g. `@voicebot:example.org` |
+| `MATRIX_ACCESS_TOKEN` | Bot access token |
+| `MATRIX_PASSWORD` | Optional. Prunes stale E2EE devices on startup; required for reliable decryption in encrypted rooms. |
+| `LOCALE` | Message language: `en` (default) or `ru` |
+| `ASR_MODEL_NAME` | NeMo model (default: `nvidia/parakeet-tdt-0.6b-v2`) |
+| `MAX_AUDIO_BYTES` | Max file size in bytes (default: `26214400` = 25 MB) |
+| `STORE_PATH` | Olm key store path inside the container (default: `/data/store`) |
+
+**Supported formats:** ogg/opus, webm, mp4/m4a, aac, flac, mp3, wav.
+
+## Message language / Смена языка
+
+```env
+LOCALE=en   # English (default)
+LOCALE=ru   # Russian / Русский
+```
+
+`docker compose restart` to apply.
+
+## Local development
+
+Requires Python 3.11+ and `ffmpeg` on PATH.
+
+```bash
+python -m venv .venv && .venv\Scripts\activate   # Windows
+pip install -r requirements.txt
+python -m src.main
+```
+
+## Security
+
+- Never commit `.env`.
+- Transcribed text is never written to logs.
+- Temp audio files are deleted immediately after transcription.
+
+## License
+
+MIT

docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+  bot:
+    build: .
+    restart: unless-stopped
+    env_file: .env
+    volumes:
+      - ./models:/models
+      - ./store:/data/store

pyproject.toml

@@ -0,0 +1,30 @@
+[tool.ruff]
+target-version = "py311"
+line-length = 100
+
+[tool.ruff.lint]
+select = [
+    "E", "W", "F", "I", "UP", "B", "C4", "SIM", "S", "T20", "RUF",
+]
+ignore = [
+    "S101",
+    "S104",
+    "S311",
+]
+
+[tool.ruff.lint.per-file-ignores]
+"src/__init__.py" = ["F401"]
+"src/strings.py" = ["RUF001"]
+
+[tool.ruff.lint.isort]
+known-first-party = ["src"]
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+
+[tool.bandit]
+targets = ["src"]
+severity = "medium"
+confidence = "medium"
+skips = ["B101", "B311", "B404", "B603"]

requirements-dev.txt

@@ -0,0 +1,2 @@
+ruff>=0.4.0
+bandit[toml]>=1.7.0

requirements.txt

@@ -0,0 +1,8 @@
+matrix-nio[e2e]>=0.24.0,<0.26
+pydantic-settings>=2.2.0
+aiohttp>=3.9.0
+nemo_toolkit[asr]>=2.0.0
+torch>=2.0.0
+torchaudio>=2.0.0
+pydub>=0.25.1
+soundfile>=0.12.1