prerelease: cost-cutting fixes #5497 #5498 #5499 (#5529)

## Prerelease: 3 Verified Cost-Cutting Fixes

Combines PRs #5497, #5498, #5499 into a single merge-ready branch. All
independently verified (PR #5505 — 16/16 tests + physical device E2E on
Pixel 7a).

### Merge Order (preserved in branch)
1. **PR #5498** — Fix translate debounce: temporal window instead of
inert segment-ID tracking
2. **PR #5497** — fix(app): break token refresh infinite retry loop
3. **PR #5499** — fix(backend-listen): WebSocket auth sends close frame
instead of crashing handshake

### Verification Evidence
- Combined verification: #5505
- 16/16 unit tests pass (all 3 PRs)
- Physical device E2E (Pixel 7a + Omi BLE, LOCAL_DEVELOPMENT=false): 30s
+ 5min podcast tests PASS
- Re-verification after auth fix (split WS auth):
#5505 (comment)
- Physical device E2E evidence:
#5505 (comment)

### Ancestry Check
All 3 sub-PR HEADs confirmed as ancestors of this branch:
- `fix/translate-debounce-5444` (c8a1406) ✓
- `fix/token-refresh-infinite-retry-5448` (c937df7) ✓  
- `fix/ws-auth-handshake-5447` (35c0b5c) ✓

### For @mon
This PR is ready to merge. Regular merge (no squash).

Author: beastoin

app/lib/providers/auth_provider.dart

@@ -50,10 +50,10 @@ class AuthenticationProvider extends BaseProvider {
       });
       _auth.idTokenChanges().distinct((p, n) => p?.uid == n?.uid).listen((User? user) async {
         if (user == null) {
-          Logger.debug('User is currently signed out or the token has been revoked! ${user == null}');
-          // Don't clear cached token - allows fallback for dev builds
-          // SharedPreferencesUtil().authToken = '';
-          // authToken = null;
+          Logger.debug('User is currently signed out or the token has been revoked!');
+          SharedPreferencesUtil().authToken = '';
+          SharedPreferencesUtil().tokenExpirationTime = 0;
+          authToken = null;
         } else {
           Logger.debug('User is signed in at ${DateTime.now()} with user ${user.uid}');
           try {
@@ -72,20 +72,7 @@ class AuthenticationProvider extends BaseProvider {
   }
 
   bool isSignedIn() {
-    // Check Firebase SDK first
-    if (_auth.currentUser != null && !_auth.currentUser!.isAnonymous) {
-      return true;
-    }
-    // Fallback: check cached credentials (for dev builds where Keychain doesn't persist)
-    // This matches the Swift desktop app behavior
-    final cachedUid = SharedPreferencesUtil().uid;
-    final cachedToken = SharedPreferencesUtil().authToken;
-    print('DEBUG AuthProvider.isSignedIn: cachedUid="${cachedUid}", tokenLength=${cachedToken.length}');
-    if (cachedUid.isNotEmpty && cachedToken.isNotEmpty) {
-      print('DEBUG AuthProvider: Using cached credentials fallback - uid=$cachedUid');
-      return true;
-    }
-    return false;
+    return _auth.currentUser != null && !_auth.currentUser!.isAnonymous;
   }
 
   void setLoading(bool value) {

app/lib/providers/capture_provider.dart

@@ -16,6 +16,7 @@ import 'package:permission_handler/permission_handler.dart';
 import 'package:omi/backend/http/api/conversations.dart';
 import 'package:omi/backend/http/api/users.dart';
 import 'package:omi/backend/preferences.dart';
+import 'package:omi/services/auth_service.dart';
 import 'package:omi/backend/schema/bt_device/bt_device.dart';
 import 'package:omi/backend/schema/conversation.dart';
 import 'package:omi/backend/schema/geolocation.dart';
@@ -1338,6 +1339,12 @@ class CaptureProvider extends ChangeNotifier
         return;
       }
 
+      if (!AuthService.instance.isSignedIn()) {
+        Logger.debug("[Provider] keep alive - user not signed in, cancelling reconnect");
+        t.cancel();
+        return;
+      }
+
       if (_recordingDevice != null) {
         BleAudioCodec codec = await _getAudioCodec(_recordingDevice!.id);
         await _initiateWebsocket(audioCodec: codec, source: _getConversationSourceFromDevice());

app/lib/services/auth_service.dart

@@ -169,11 +169,22 @@ class AuthService {
   }
 
   Future<void> signOut() async {
+    _clearCachedAuth();
     await FirebaseAuth.instance.signOut();
   }
 
+  void _clearCachedAuth() {
+    SharedPreferencesUtil().authToken = '';
+    SharedPreferencesUtil().tokenExpirationTime = 0;
+  }
+
   Future<String?> getIdToken() async {
     try {
+      if (FirebaseAuth.instance.currentUser == null) {
+        Logger.debug('getIdToken: currentUser is null, clearing cached token');
+        _clearCachedAuth();
+        return null;
+      }
       IdTokenResult? newToken = await FirebaseAuth.instance.currentUser?.getIdTokenResult(true);
       if (newToken?.token != null) {
         var user = FirebaseAuth.instance.currentUser!;
@@ -194,16 +205,12 @@ class AuthService {
         }
         return newToken?.token;
       }
-      // Fallback: use cached token if Firebase has no user (for dev builds)
-      final cachedToken = SharedPreferencesUtil().authToken;
-      if (cachedToken.isNotEmpty) {
-        print('DEBUG AuthService.getIdToken: Using cached token fallback');
-        return cachedToken;
-      }
+      Logger.debug('getIdToken: token refresh returned null');
       return null;
     } catch (e) {
-      Logger.debug(e.toString());
-      return SharedPreferencesUtil().authToken;
+      Logger.debug('getIdToken: token refresh failed: $e');
+      _clearCachedAuth();
+      return null;
     }
   }
 

app/test.sh

@@ -51,3 +51,4 @@ flutter test test/unit/audio_player_utils_test.dart
 flutter test test/unit/env_test.dart
 flutter test test/unit/testflight_preferences_test.dart
 flutter test test/unit/multipart_401_retry_test.dart
+flutter test test/unit/token_refresh_loop_test.dart