feat: add SOS Emergency feature with sender/receiver integration, audio recording, and boot resilience

[MatthieuTexier]

Summary

Complete SOS Emergency feature for Columba — emergency distress signals over the LXMF/Reticulum mesh network. Works across all transports: LoRa (RNode), BLE, TCP, AutoInterface.

Key capabilities:

• Multi-mode SOS triggers (combinable): shake, tap pattern, power button (3 presses), floating button
• GPS location + battery telemetry in Sideband-compatible FIELD_TELEMETRY (0x02) format
• FIELD_COMMANDS (0x06) for reliable SOS message detection with text-based fallback for legacy/Sideband clients
• Ambient audio recording via FIELD_AUDIO (0x07) (AAC 16kHz, 15-60s configurable)
• Periodic location/battery updates while SOS is active
• "SOS Cancelled — I am safe." message sent on deactivation
• Foreground service (specialUse|microphone) + boot receiver for background detection and reboot resilience
• PIN-protected deactivation, silent auto-answer for incoming calls
• Draggable floating SOS button + "SOS ACTIVE" pill overlay with persisted positions
• Receiver-side: urgent notifications, red chat bubbles, inline audio player, breadcrumb trail on map, SOS active indicator on conversations

Sender Side

State Machine

SosManager implements Idle → Countdown → Sending → Active → Idle with:

• Re-entry guard in trigger() (prevents duplicate sends)
• ensureActive() guards before state mutations (cancel race prevention)
• forceDeactivate() that cancels triggerJob, countdownJob, periodicUpdateJob, audioRecordingJob
• Cancellation message sent from both Active and Sending states
• DataStore state persistence across app/phone restarts

Trigger Detection

SosTriggerDetector supports three independently combinable modes via SensorEventListener + BroadcastReceiver:

• Shake: Sustained acceleration > sensitivity × 9.81 m/s² for 500ms within 1s window
• Tap pattern: Spike-based state machine (rejects walking steps >100ms, debounce 150ms)
• Power button: 3 rapid SCREEN_OFF/SCREEN_ON events within 2s window
• Thread-safe: synchronizedList for timestamps, @Volatile scalar state

SOS Messages

• Template text + GPS coordinates (Locale.US formatting) + battery level
• FIELD_TELEMETRY (0x02): raw msgpack bytes with SID_LOCATION + SID_BATTERY
• FIELD_COMMANDS (0x06): {"sos_state": "active"|"update"|"cancelled"} for reliable detection
• FIELD_AUDIO (0x07): ["m4a", bytes] AAC audio recording

Background & Boot Resilience

• SosTriggerService: foreground service (specialUse|microphone on API 34+) keeps process alive
• BootReceiver: starts ReticulumService + SosTriggerService on BOOT_COMPLETED
• State restored from DataStore on startup — active SOS survives reboots

Receiver Side

• SOS detection: FIELD_COMMANDS (primary) with text fallback (startsWith("SOS"|"URGENCE"|"EMERGENCY"))
• Notifications: urgent persistent notification with "Open Chat" + "View on Map" actions
• Chat styling: red errorContainer bubbles with "SOS EMERGENCY" badge + "View on Map" button
• GPS extraction: from FIELD_TELEMETRY (primary) or text regex (fallback, locale-independent)
• Audio playback: inline player (play/pause + progress + share button, I/O on Dispatchers.IO)
• Breadcrumb trail: red polyline + dot markers on MapLibre from stored received_locations (source=sos_trail)
• SOS active indicator: red border on conversation card via SosActiveTracker (in-memory StateFlow)
• Cancellation: dismisses notification + posts follow-up when "SOS Cancelled" received

Settings (SosEmergencyCard)

Setting	Default	Description
Enable SOS	off	Master toggle
Message Template	"SOS! I need help..."	Customizable text
Countdown	5s	Delay before sending (0 = instant)
Include Location	on	GPS in messages
Trigger Modes	none	Multi-select: shake, tap, power button
Audio Recording	off	Record ambient audio
Audio Duration	30s	Recording length (15-60s)
Periodic Updates	off	Send location updates while active
Update Interval	120s	Between periodic updates
Floating Button	off	Draggable SOS FAB
Silent Auto-Answer	off	Auto-answer calls during SOS
Deactivation PIN	none	Optional PIN to deactivate

Thread Safety & Reliability

• synchronized lists for sensor timestamps, @Volatile scalar state in SosTriggerDetector
• MutableStateFlow.update{} for atomic SosActiveTracker mutations
• ensureActive() guards before state mutations in sendSosMessages() (cancel race prevention)
• try/catch in settings observer to prevent monitoring death on transient errors
• synchronized(lock) for SosAudioRecorder file access
• try/finally with assigned flag for MediaPlayer/MediaRecorder leak prevention
• Contacts fetch wrapped in try/catch in periodic update loop (prevents silent death on DB errors)
• Re-read sosManager.state after forceDeactivate() in startObserving() (prevents stale service restart)

Tests (73 new)

Suite	Count	Coverage
SosManagerTest	34	State machine, telemetry, persistence, restore, cancel races
SosTriggerDetectorTest	28	Shake, tap spike detection, power button, multi-mode, cooldown
SosViewModelTest	7	State propagation, delegation
BootReceiverTest	4	Boot-time service startup

Test Plan

• Scenario 1: Countdown + Cancel
• Scenario 2: Instant Send (0s countdown)
• Scenario 3: GPS Location + Battery Telemetry
• Scenario 4: PIN Deactivation
• Scenario 5: Auto-Answer
• Scenario 6: Periodic Updates
• Scenario 9: Floating Button
• Scenario 10: Custom Template
• Scenario 11: Resilience (App Kill / Phone Restart)
• Scenario 11b: Full Reboot Resilience
• Scenario 12: Repeated Cycle
• Scenario 13: SOS Badge Visibility
• Scenario 14: Receiver Chat Experience
• Scenario 15: Shake Trigger
• Scenario 16: Tap Pattern Trigger
• Scenario 17: Trigger Mode Cooldown
• Scenario 18: Power Button Trigger
• Scenario 19: Multi-Mode Triggers
• Scenario 20: Audio Recording
• Scenario 21: Background Service Lifecycle

[sentry]

Codecov Report

❌ Patch coverage is 25.00000% with 72 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
python/reticulum_wrapper.py	25.00%	72 Missing ⚠️

📢 Thoughts on this report? Let us know!

[greptile-apps]

Greptile Summary

This PR introduces a comprehensive SOS Emergency feature for the Columba LXMF/Reticulum messenger. It encompasses the full sender/receiver stack: multi-mode gesture detection (shake, tap, power button), LXMF field encoding (FIELD_TELEMETRY, FIELD_COMMANDS, FIELD_AUDIO), a foreground service + boot receiver for background resilience, and rich receiver-side UI (red chat bubbles, breadcrumb trails, inline audio player).

Key concerns from prior review rounds addressed in this iteration:

• Concurrent-trigger race replaced Mutex with AtomicBoolean + triggerGeneration — re-triggers after cancel() no longer silently drop
• cancel() and deactivate() both cancel triggerJob; _state.value is SosState.Active guards added before startPeriodicUpdates/startAudioRecording
• SosAudioRecorder.stopRecorder() now uses separate try blocks for stop() and release()
• parseSosLocation FIELD_TELEMETRY primary path fixed: unpack_location_telemetry now returns a dict; poll_received_messages serialises with json.dumps
• FIELD_COMMANDS sos_state extraction added to poll_received_messages
• SosActiveTracker trail rows deleted (deleteSosTrailForSender) on cancellation
• Notification ID overflow fixed with xor
• PIN minimum-length validation (>= 4 digits) now enforced in settings card

Outstanding items from earlier threads not yet resolved: missing FOREGROUND_SERVICE_MICROPHONE permission (causes silent SecurityException on Android 14+) and launcher icon used as notification small icon (R.mipmap.ic_launcher in SosTriggerService and NotificationHelper).

Confidence Score: 4/5

Safe to merge after the two unresolved P1s from previous threads are addressed: missing FOREGROUND_SERVICE_MICROPHONE permission and launcher icon as notification small icon.

This iteration resolved the majority of previously identified concerns. Score held at 4 because two P1 issues from prior threads remain open: (1) missing android.permission.FOREGROUND_SERVICE_MICROPHONE causes a silent SecurityException on Android 14+, killing background detection; (2) R.mipmap.ic_launcher as notification small icon renders as a solid blob on API 21+.

app/src/main/AndroidManifest.xml (missing FOREGROUND_SERVICE_MICROPHONE permission), SosTriggerService.kt and NotificationHelper.kt (launcher icon as notification small icon)

Important Files Changed

Filename	Overview
app/src/main/java/com/lxmf/messenger/service/SosManager.kt	New SOS state machine (Idle→Countdown→Sending→Active→Idle). AtomicBoolean+triggerGeneration replaces previous Mutex. deactivate() cancels triggerJob and _state.value guards prevent post-deactivation job launches.
app/src/main/java/com/lxmf/messenger/service/SosTriggerDetector.kt	New gesture/power-button detector. Thread-safe with synchronizedList and @volatile. startObserving() correctly re-reads state after forceDeactivate().
app/src/main/java/com/lxmf/messenger/service/SosAudioRecorder.kt	AAC recorder with separate try/catch blocks for stop() and release(), fixing the previous MediaRecorder mic-lock issue.
python/reticulum_wrapper.py	FIELD_TELEMETRY now unpacked via unpack_location_telemetry() in both callback and poll paths; poll path now serialises with json.dumps(). FIELD_COMMANDS sos_state extraction added to poll path.
app/src/main/java/com/lxmf/messenger/service/MessageCollector.kt	SOS detection logic integrated: FIELD_COMMANDS primary + text fallback, SosActiveTracker updates, deleteSosTrailForSender on cancellation, trail location inserted for breadcrumb.
app/src/main/java/com/lxmf/messenger/ui/components/AudioMessagePlayer.kt	New inline audio player composable. LaunchedEffect(audioBytes) now properly deletes previous tempFile before writing a new one. Share flow correctly wraps copy in try/finally.
app/src/main/java/com/lxmf/messenger/service/SosTriggerService.kt	Lightweight foreground service. Still uses R.mipmap.ic_launcher as notification small icon and FOREGROUND_SERVICE_MICROPHONE permission is missing (noted in previous threads).
app/src/main/java/com/lxmf/messenger/notifications/NotificationHelper.kt	SOS notification helpers added. parseSosLocation now works for the poll path. Notification IDs use xor (overflow-safe).
app/src/main/java/com/lxmf/messenger/service/SosActiveTracker.kt	New in-memory StateFlow tracker. explicitlyRemoved set prevents stale restore after clear(). MutableStateFlow.update{} used for atomic mutations.
app/src/main/java/com/lxmf/messenger/receiver/BootReceiver.kt	New boot receiver starts ReticulumService and SosTriggerService on BOOT_COMPLETED. Clean error handling and action guard.
data/src/main/java/com/lxmf/messenger/data/db/dao/ReceivedLocationDao.kt	Adds getSosTrailForSender, deleteSosTrailForSender, getRecentSosTrailSenders. Queries scoped to source='sos_trail'.

Sequence Diagram

sequenceDiagram
    participant GD as Gesture/Boot
    participant STD as SosTriggerDetector
    participant SM as SosManager
    participant RP as ReticulumProtocol
    participant SAR as SosAudioRecorder
    participant NH as NotificationHelper
    participant MC as MessageCollector
    participant SAT as SosActiveTracker

    GD->>STD: shake / tap / power press
    STD->>SM: trigger()
    SM->>SM: AtomicBoolean CAS guard
    SM->>SM: startCountdown(n) → SosState.Countdown
    Note over SM: countdown delay (0-30s)
    SM->>SM: sendSosMessages() → SosState.Sending
    SM->>RP: sendLxmfMessage (FIELD_TELEMETRY + FIELD_COMMANDS sos_state=active)
    RP-->>SM: Result
    SM->>SM: SosState.Active → persistSosActiveState()
    SM->>NH: showSosActiveNotification()
    SM->>SM: startPeriodicUpdates() [if enabled]
    SM->>SAR: start() → record AAC audio
    SAR-->>SM: audioBytes
    SM->>RP: sendLxmfMessage (FIELD_AUDIO)

    Note over MC: Receiver side
    RP-->>MC: receivedMessage (FIELD_COMMANDS sos_state=active)
    MC->>SAT: addSender(sourceHash)
    MC->>NH: notifySosReceived(urgent)
    MC->>MC: insert ReceivedLocationEntity (sos_trail)

    Note over SM: User deactivates
    SM->>SM: deactivate() → cancel triggerJob / periodicJob / audioJob
    SM->>SM: SosState.Idle
    SM->>RP: sendLxmfMessage (FIELD_COMMANDS sos_state=cancelled)
    RP-->>MC: receivedMessage (cancelled)
    MC->>SAT: removeSender(sourceHash)
    MC->>MC: deleteSosTrailForSender(sourceHash)
    MC->>NH: cancelNotification + notifyMessageReceived

Loading

_{Reviews (28): Last reviewed commit: "fix: replace runBlocking PIN fallback wi..." | Re-trigger Greptile}

[MatthieuTexier]

This unique feature is ready for merging.
It fullfills my needs, feel free to request some changes or discuss the choices I made.

[serialrf433]

Would this also get solved by this PR? #689

[MatthieuTexier]

Would this also get solved by this PR? #689
No, this PR adds boot start for the Reticulum service, but location sharing sessions are currently stored in memory only — they're lost on restart. So yes, you still need to open Columba for location sharing to resume.

[MatthieuTexier]

Would this also get solved by this PR? #689
No, this PR adds boot start for the Reticulum service, but location sharing sessions are currently stored in memory only — they're lost on restart. So yes, you still need to open Columba for location sharing to resume.

I just did a PR for this on my repo but it needs this one to be merged first so I won't submit it yet.

[serialrf433]

I just did a PR for this on my repo but it needs this one to be merged first so I won't submit it yet.

And i forwarded the information to the person who asked about this in here: #689 (comment)

[MatthieuTexier]

I just did a PR for this on my repo but it needs this one to be merged first so I won't submit it yet.

And i forwarded the information to the person who asked about this in here: #689 (comment)

I may submit the location sharing persistence PR first, as it's a simpler standalone feature — though it'll require some refactoring to decouple it from this one.
I haven't received any feedback here yet — no rush, I'll move forward with the location sharing PR in the meantime.

[MatthieuTexier]

Putting this PR in draft — some changes here (BootReceiver, DB migration for source column, ReceivedLocationEntity changes) now overlap with #744 (location sharing persistence + Doze resistance), which was extracted as a standalone feature.
Once #744 is merged, I'll rebase this branch to remove the duplicated code and resolve any conflicts. The SOS-specific changes (SosManager, SosTriggerDetector, SosAudioRecorder, SOS notifications, SOS UI) are unaffected and will remain as-is.

[brothercorvo]

I love this and I will implement the same function in the https://github.com/FreeTAKTeam/reticulum_mobile_emergency_management
the only aspect to keep in mind would be to maintain some level of compatibility with the TAK standard.

emergency for creation, with values such as 911 Alert, Ring The Bell, Geo-fence Breached, In Contact
emergency cancel="true" for cancellation

[brothercorvo]

Putting this PR in draft — some changes here (BootReceiver, DB migration for source column, ReceivedLocationEntity changes) now overlap with #744 (location sharing persistence + Doze resistance), which was extracted as a standalone feature. Once #744 is merged, I'll rebase this branch to remove the duplicated code and resolve any conflicts. The SOS-specific changes (SosManager, SosTriggerDetector, SosAudioRecorder, SOS notifications, SOS UI) are unaffected and will remain as-is.

@MatthieuTexier 0x06 MUST NOT used for SOS commands because LXMF constants identify it as image data.
Instead, use Sideband/LXMF-compatible FIELD_TELEMETRY = 0x02 and FIELD_COMMANDS = 0x09

[MatthieuTexier]

I love this and I will implement the same function in the https://github.com/FreeTAKTeam/reticulum_mobile_emergency_management the only aspect to keep in mind would be to maintain some level of compatibility with the TAK standard.

emergency for creation, with values such as 911 Alert, Ring The Bell, Geo-fence Breached, In Contact emergency cancel="true" for cancellation

Hi @brothercorvo, I looked for a standard but found nothing relevant, we might converge to a common protocol if it fits both needs.

[MatthieuTexier]

Putting this PR in draft — some changes here (BootReceiver, DB migration for source column, ReceivedLocationEntity changes) now overlap with #744 (location sharing persistence + Doze resistance), which was extracted as a standalone feature. Once #744 is merged, I'll rebase this branch to remove the duplicated code and resolve any conflicts. The SOS-specific changes (SosManager, SosTriggerDetector, SosAudioRecorder, SOS notifications, SOS UI) are unaffected and will remain as-is.

@MatthieuTexier 0x06 MUST NOT used for SOS commands because LXMF constants identify it as image data. Instead, use Sideband/LXMF-compatible FIELD_TELEMETRY = 0x02 and FIELD_COMMANDS = 0x09

Thank you @brothercorvo.
Humm I was pretty sure I used the commands field, might not be up to date... I will check that ASAP.
Regards

[brothercorvo]

I love this and I will implement the same function in the https://github.com/FreeTAKTeam/reticulum_mobile_emergency_management the only aspect to keep in mind would be to maintain some level of compatibility with the TAK standard.
emergency for creation, with values such as 911 Alert, Ring The Bell, Geo-fence Breached, In Contact emergency cancel="true" for cancellation

Hi @brothercorvo, I looked for a standard but found nothing relevant, we might converge to a common protocol if it fits both needs.

I have implemented the Emergency function and created a pre-release. you can take a look here:
https://github.com/FreeTAKTeam/reticulum_mobile_emergency_management/releases

to understand the LXMF fields and create the RUST implementation of Reticulum I used deepwiki

[MatthieuTexier]

@brothercorvo Thanks for the careful review — I checked the code and it already follows your recommendation. SOS state is sent via FIELD_COMMANDS = 0x09 with sub-command COMMAND_SOS_STATE = 0x02 (see reticulum_wrapper.py:4684 sender, :3380 and :6300 receivers), and location telemetry uses FIELD_TELEMETRY = 0x02 (msgpack, Sideband-compatible). FIELD_IMAGE = 0x06 is only used for image attachments and never for SOS.

The greptile bot comment from March 29 that likely prompted your concern was about the poll-receive path falling through to a generic list handler structured like FIELD_IMAGE/FIELD_AUDIO — not about 0x06 being wired to SOS. That fallback was fixed on March 31 in 4ffa4dc.

[MatthieuTexier]

Location sharing is not working anymore in v1, I don't have time for troubleshooting, I will resume the devs once the issue is solved.