Voice Truthgate by mosADD
(formerly VoiceCheck)
Is this really my contact — live? Honest voice authenticity. Open-core, MIT.
Voice authenticity that's honest about its own limits. It never gives you a bare "REAL / FAKE" — it gives you a confidence signal and a plain disclaimer, because getting this wrong about a real person is harmful.
Why "detect the deepfake" is the wrong game — and what we do instead
The whole voice-AI industry races to generate speech; almost nobody ships an honest tool to tell you what's real. The naïve answer — a standalone "is this audio AI?" detector — is a losing game, and we have our own numbers to prove it: on modern premium TTS, our best single-clip detector measured AUC ≈ 0.61 (barely better than a coin). Anyone selling you "99% deepfake detection" is selling snake oil.
So Voice Truthgate asks a better, answerable question: "is this really my contact, live?" We answer it by fusing signals, not by guessing at a waveform:
- L0 — Identity. Who is this, and are they a known human or a known agent? (An agent should sound synthetic — that's not an alarm.)
- L1 — Voiceprint. Does the voice match this specific person's enrolled print? Strong at rejecting a different human (≈0% false accept in our tests, ~4.6% EER on clean speech).
- L2 — Acoustic. A weak, abstain-heavy synthetic-speech signal (the on-device band below).
- L3 — Live rhythm. The un-copyable part — see the moat.
Every layer is a signal, not a verdict, fused with the others and shipped with a disclaimer. We would rather abstain than be confidently wrong.
The honest proof: why voiceprint alone isn't enough
We ran a targeted-clone test on our own voiceprint engine — clone an enrolled person, then try to pass as them. Result: a targeted clone was accepted 63% of the time at our operating threshold, and no threshold cleanly separates "a clone of you" from "you" without also rejecting real callers. That's not a flaw we hide — it's *the reason the product fuses identity
- voiceprint + liveness instead of trusting the voice alone.* Voice is one signal. Never the whole decision.
Three ways to use it
1. Open SDK — on-device, MIT, zero infra
The acoustic band (L2) runs in the browser — your audio never leaves the device.
import { analyzeVoiceTruthgate } from "@mosadd/voice-truthgate";
// Decode your audio to mono PCM (a Float32Array), e.g. at 16 kHz.
const result = await analyzeVoiceTruthgate({ samples, sampleRate: 16000 });
console.log(result.band.label); // "Likely authentic" | "Uncertain" | "Likely synthetic"
console.log(result.confidence); // 0..1 — lead with the band, not this number
console.log(result.disclaimer); // ALWAYS present — render it next to the result
Inject your own trained model as an optional server detector — the SDK never hard-codes an endpoint or key, and it fails open (unreachable model ⇒ the on-device band still stands and never silently becomes "authentic"):
import { analyzeVoiceTruthgate, createHeuristicDetector, createServerDetector } from "@mosadd/voice-truthgate";
const server = createServerDetector({
analyze: async (payload) => callYourModel(payload), // → { confidence, modelVersion }
version: "your-model-v1",
});
const result = await analyzeVoiceTruthgate({ samples, sampleRate: 16000 },
{ detectors: [createHeuristicDetector(), server] });
The SDK packages aren't on npm yet — clone this repo (
npm installwires the workspaces) or vendorpackages/*. Runnable demo:npm run example, or openexamples/browser-check.
2. MCP tool — give any AI agent an authenticity check
Live on npm. Enrol a voice and verify a call clip from Claude, Cursor, your own fleet — any MCP agent:
npx -y @mosadd/voice-truthgate-mcp
{ "mcpServers": { "voice-truthgate": {
"command": "npx", "args": ["-y", "@mosadd/voice-truthgate-mcp"],
"env": { "VTG_API_KEY": "vtg_live_your_key" }
} } }
Tools: voice_truthgate_enroll, voice_truthgate_verify, voice_truthgate_list_subjects. See
mcp/.
3. Market API — enrol / verify from any app
For contact centres, IVRs, or any backend. Enrol the voices you protect, then verify a call
clip against a subject → an honest banded verdict (likely_same_person / likely_different_person
/ inconclusive) with a synthetic-voice caution:
curl -X POST "$VTG_URL" -H "X-API-Key: $KEY" \
-F action=verify -F subject_id=ceo -F audio=@incoming_call.wav
Full reference: docs/VOICE-TRUTHGATE-API.md · machine-readable OpenAPI spec (import as an OpenAI GPT Action / any tool).
Drop it into your stack: copy-paste recipes for Claude, OpenAI (GPT Action + Agents SDK), Vercel AI SDK, v0, and LangChain → docs/USE-IN-YOUR-AGENT.md. One MCP server, every ecosystem.
The moat: fake live conversation, not fake file
A live AI impersonation runs speech → STT → LLM → TTS — which is half-duplex and turn-based. It categorically cannot reply in <~300 ms, overlap you, backchannel ("mhm" while you talk), or interrupt mid-sentence. Humans in live conversation do all four constantly. We can measure this because we own the channel's millisecond, per-speaker turn timing — nobody holding only an audio file can. (In corpus analysis, overlap rate alone separates a bot pipeline from human turn-taking almost perfectly.)
This is L3, and it's the un-copyable signal. It's held to the same honesty rail as everything else: it only fires from a profile calibrated on real labelled turn logs — until then it measures, never accuses. That calibration is the frontier we're building toward.
The three confidence bands (L2 acoustic)
| Band | Score | What it means |
|---|---|---|
| 🟢 Likely authentic | 0.00 – 0.35 | No strong synthetic-voice signals. This does NOT prove the voice is real — a good deepfake can score here. |
| 🟡 Uncertain | 0.35 – 0.65 | Mixed / weak signals. Inconclusive; prefer a longer, uncompressed sample + human review. |
| 🔴 Likely synthetic | 0.65 – 1.00 | Signals consistent with AI-generated or cloned speech. NOT proof — verify with a human before acting. |
Every result carries this disclaimer, verbatim:
This is a signal, not a verdict. Automated voice-authenticity detection is probabilistic and can be wrong in both directions. Do not use this result alone to accuse, identify, or make legal/forensic decisions about a person.
Architecture (the open SDK)
Two stages, both on-device; an optional trained model is injected by the host app.
┌──────────────── your device / browser (nothing leaves it) ────────────────┐
mic / │ record or decode to STAGE 1: instant heuristic │
file ──┼─▶ upload ─────▶ 16 kHz mono ───▶ (pure DSP, 0 MB, default) ──────────────┼──▶ band
│ Float32 PCM └▶ STAGE 2: stronger model (opt-in) ─────────┼──▶ +
│ (a real classifier via transformers.js) │ disclaimer
└──────────────────────────────────────────────────────────────────────────┘
(optional) injected SERVER detector — your model, your transport;
authoritative when it answers, FAIL-OPEN when it doesn't.
Fusion is band-first and fails to "unknown", never to "safe" — nothing usable ⇒
available: false, band uncertain, never likely-authentic. Deeper design:
docs/ARCHITECTURE.md.
Packages
| Package | Role |
|---|---|
@mosadd/voice-truthgate | The brains — fuses the stages into an honest band, always attaches the disclaimer. |
@mosadd/voice-analyzer-core | Stage 1: the instant, pure-DSP on-device heuristic. |
@mosadd/detection-sdk | Pluggable Detector / Verdict frame + fail-open runDetectors. |
@mosadd/threat-engine | Shared severity/scoring primitives (transitive dependency). |
@mosadd/voice-truthgate-mcp | On npm — the MCP server (enrol/verify tools for AI agents). |
Honesty — the caveats, stated plainly
- Standalone detection is a losing game. Our own single-clip detector measured AUC ≈ 0.61 on modern premium TTS. The product's value is fusion + honesty, not a magic detector.
- Voiceprint is foolable by a targeted clone (~63% accepted in our test) → it's a signal to fuse, never a standalone verdict. Great at rejecting a different human; weak against a clone of you.
- Codec compression is the #1 accuracy killer (Opus / MP3 / telephony, −10–40%). Prefer uploaded, less-compressed clips.
- L3 live-rhythm is un-calibrated today — it measures but does not accuse until fit on real labelled turn logs (weight-zero-until-calibrated).
- Short, noisy, or distressed real speech raises false positives; accuracy varies by language and accent.
- npm: the MCP server is published; the SDK packages are publish-ready but not yet on npm.
- Not for accusations, forensics, or legal decisions. See each package's
MODEL_CARD.md.
Privacy — on-device by design
The public checker has nowhere to send your audio: Stage 1 and the opt-in Stage 2 run locally. The SDK ships no transport and no endpoint. A server model (or the market API) is something you opt into; the SDK sends nothing on its own. The market API holds enrolled voiceprints server-side under strict access control and returns only a signal, never the raw biometric.
Part of the mosADD ecosystem
Voice Truthgate is the authenticity / trust layer of mosADD — the open comms stack for AI agents and the humans who direct them. It composes with:
- mosADD-OS — the comms layer: E2EE DMs,
channels, web rooms, and email, all exposed as MCP tools (
npx -y @mosadd/mcp). Your agents talk and coordinate there; Voice Truthgate answers "is this contact really who they claim, live?" on the same channel. - mosadd.com — the product + the live checker + the in-app add-on.
Both are open, both publish under the @mosadd/* npm scope. (mosADD-OS is Apache-2.0; this repo
is MIT — the public authenticity SDK stays maximally permissive.)
Roadmap
- Publish the MCP server to npm (
@mosadd/voice-truthgate-mcp) - Publish the SDK packages to npm (
@mosadd/*) - Calibrate L3 live-rhythm on real labelled turn logs (the moat — turn it from measure to trigger)
- Threat-informed, always-fresh accuracy benchmark (per-condition numbers, no headline claim)
- Quantize the opt-in Stage-2 model (~379 MB → ~95 MB)
Contributing
Issues and PRs welcome — see CONTRIBUTING.md and the Code of Conduct. Keep the honesty rails intact (no bare verdicts, keep the disclaimer, no accuracy claims). Security: SECURITY.md.
License
MIT © mosADD. Third-party attributions (transformers.js, the referenced Hugging Face model) are in NOTICE.