fix(linux): ensure secretstorage is bundled in Linux binary (ACS-310)

[StillKnotKnown]

Base Branch

• This PR targets the develop branch (required for all feature/fix PRs)

Description

Fixes a build system caching issue where Linux binaries were shipping without the secretstorage package, causing OAuth token storage via Freedesktop.org Secret Service (gnome-keyring/kwallet) to fail silently.

The Python runtime cache was created before secretstorage was added to requirements.txt (ACS-293, January 16, 2026), so the build script's critical packages validation was not checking for this Linux-specific dependency. This caused the app to fall back to .env file storage instead of the system keyring.

This fix adds platform-aware critical packages validation to both the build script (download-python.cjs) and runtime manager (python-env-manager.ts), following the same pattern used for Windows pywin32 validation (ACS-306).

Related Issue

Refs: ACS-310 #1206 #1204

Type of Change

• 🐛 Bug fix

Area

• Backend
• Frontend (build system)

Commit Message Format

Follow conventional commits: <type>: <subject>

Types: feat, fix, docs, style, refactor, test

Example: feat: add user authentication system

Checklist

• I've synced with develop branch
• I've tested my changes locally
• I've followed the code principles (SOLID, DRY, KISS)
• My PR is small and focused

Platform Testing Checklist

• Linux tested - Validates secretstorage on Linux platform
• Windows tested - CI tests validate pywintypes validation not affected
• macOS tested - CI tests validate no platform-specific packages for macOS
• Used centralized platform/ module (isLinux(), isWindows())
• No hardcoded paths

CI/Testing Requirements:

• All backend tests pass (30/30 in test_dependency_validator.py)
• Ruff linting and formatting pass
• Platform-specific validation tests added

Screenshots

N/A - No UI changes

Feature Toggle

N/A - Bug fix

Breaking Changes

Breaking: No

Details: This fix only affects the build and bundling process. Runtime behavior is unchanged - if secretstorage is missing, the app still falls back to .env file storage (now with a warning).

Summary by CodeRabbit

• Bug Fixes

  • Windows missing components continue to block startup; missing Linux keyring support now emits a non-blocking warning instead of preventing startup.

• Improvements

  • Consolidated per-platform package validation and improved detection of packages (including single-file modules).
  • Clearer, more flexible guidance for activating environments across platforms.

• Tests

  • Expanded coverage for platform dependency scenarios, warning vs. exit behavior, and startup/import ordering.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@StillKnotKnown has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 35 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 7a9b813 and b3d403d.

📒 Files selected for processing (1)

• tests/test_dependency_validator.py

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Adds Linux secretstorage validation (non-blocking warning) and refactors Windows pywin32 checks; centralizes platform-critical package checks in frontend scripts and broadens package-existence detection; expands tests to cover Linux warning path, Windows behavior, and lazy-import ordering.

Changes

Cohort / File(s)	Summary
Backend Dependency Validation apps/backend/core/dependency_validator.py	Adds Linux secretstorage check with a non-blocking _warn_missing_secretstorage(), replaces direct Windows checks with is_windows(), and refactors _exit_with_pywin32_error() to detect activation scripts in sys.prefix Scripts variants and adjust messaging.
Frontend Package Detection (scripts + manager) apps/frontend/scripts/download-python.cjs, apps/frontend/src/main/python-env-manager.ts	Introduces PLATFORM_CRITICAL_PACKAGES / platformCriticalPackages mapping, applies it to pre/post-install validation, and replaces __init__.py-only detection with packageExists() that accepts package directories with __init__.py or single-file modules.
Frontend Tests (integration) apps/frontend/src/__tests__/integration/terminal-copy-paste.test.ts	Adds a global synchronous requestAnimationFrame mock to stabilize xterm.js timing in tests.
Dependency Validation Tests tests/test_dependency_validator.py	Exposes and tests _warn_missing_secretstorage, adds Linux warning-path tests, extends Windows/macOS branches, asserts activation-script messaging and venv path behavior, and adds lazy-import/import-order checks for CLI modules.

Sequence Diagram(s)

(omitted — changes are focused on validation and messaging, not a new multi-component sequential flow)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• Linux Binary Missing secretstorage Dependency #1204 — Adds Linux secretstorage validation and platform-critical package mapping across backend/frontend files, matching this PR's objectives.

Possibly related PRs

• fix(windows): ensure pywin32 is bundled in Windows binary (ACS-306) #1197 — Related backend/frontend adjustments around pywin32/pywintypes checks and activation guidance.
• fix(windows): prevent pywintypes import errors before dependency validation (ACS-253) #1057 — Related work on early dependency validation and lazy-import ordering.
• fix(python-bundling): verify critical packages exist, not just marker file (#416) #774 — Similar frontend changes centralizing critical-package checks and module-existence logic.

Suggested labels

confirmed, 🔄 Checking, size/M, priority/medium

Suggested reviewers

• AndyMik90
• AlexMadera

Poem

🐰 I hop through code with nimble feet,
Linux keeps its secrets safe and sweet,
Windows paths now point and guide,
Tests listen close, no warnings hide,
A rabbit munches bugs — all neat! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 76.92% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main fix: ensuring secretstorage is bundled in Linux binaries, directly addressing the PR's primary objective of fixing the missing secretstorage dependency issue.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @StillKnotKnown, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical build system issue that caused Linux binaries to be shipped without the necessary secretstorage package, leading to silent failures in secure OAuth token storage. By introducing platform-aware dependency validation in both the build process and runtime environment, the application now correctly identifies and warns users about missing secretstorage on Linux, ensuring that secure keyring integration is properly maintained or that users are informed about the fallback to less secure .env storage. This change significantly improves the robustness and security posture of the application on Linux platforms.

Highlights

• Linux secretstorage Dependency Validation: Implemented platform-aware validation for the secretstorage package on Linux. This ensures that the application can securely store OAuth tokens via the Freedesktop.org Secret Service (e.g., gnome-keyring, kwallet) and warns the user if the package is missing, explaining the fallback to .env file storage.
• Build System and Runtime Manager Updates: Modified download-python.cjs (build script) and python-env-manager.ts (runtime manager) to incorporate platform-specific critical package checks. This prevents caching issues that previously led to Linux binaries shipping without secretstorage.
• Refined Windows pywin32 Validation: Adjusted the pywin32 dependency validation on Windows to specifically apply to Python versions 3.12 and above, aligning with its actual requirement for the MCP library.
• Comprehensive Test Coverage: Added extensive unit tests for the new Linux secretstorage validation logic, including scenarios for missing and installed packages, and verified that the warning function provides helpful instructions without exiting the application. Existing Windows validation tests were also updated to use platform-aware checks.
• Frontend Test Infrastructure Improvement: Introduced a mock for global.requestAnimationFrame in terminal-copy-paste.test.ts to improve the reliability of xterm.js integration tests.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively addresses the issue of the secretstorage dependency not being bundled in Linux binaries by adding platform-aware validation at both build and runtime. The changes are well-implemented and follow existing patterns for platform-specific dependencies. The test suite has also been thoroughly updated to cover the new logic for Linux, as well as to improve the overall structure of the dependency validation tests.

I have a few points of feedback:

• A critical concern regarding a potential regression in pywin32 validation on Windows, which seems to have been unintentionally altered.
• A suggestion to improve the robustness of the new warning message for missing secretstorage on Linux.
• A note on code duplication in the build script that could be refactored for better maintainability.

Overall, this is a solid fix, and once the critical issue is addressed, it will be a great improvement.

[gemini-code-assist]

This change appears to introduce a regression related to pywin32 validation on Windows. The previous implementation (from ACS-306) validated this dependency on all Windows Python versions, as it was deemed critical for the MCP library. This new logic restricts the check to only Python 3.12+, which could lead to runtime errors for users on older Python versions on Windows.

The removed tests (test_windows_python_311_validates_pywin32, test_windows_python_310_validates_pywin32) confirm this was the intended behavior before. If pywin32 is still required for all versions, this condition should be reverted.

Suggested change

	if is_windows() and sys.version_info >= (3, 12):
	if is_windows():

[gemini-code-assist]

The warning message for missing secretstorage unconditionally includes instructions to source a virtual environment activation script. However, the script at Path(sys.prefix) / "bin" / "activate" may not exist, for example if the user is running with a system Python installation. This could lead to confusing instructions.

To improve this, you could check if venv_activate.exists() before including the activation step in the message, similar to how _exit_with_pywin32_error handles it. This makes the instructions more robust and user-friendly.

def _warn_missing_secretstorage() -> None:
    """Emit warning message for missing secretstorage.

    Note: This is a warning, not a hard error - the app will fall back to .env
    file storage for OAuth tokens. We warn users to ensure they understand the
    security implications.
    """
    # Use sys.prefix to detect the virtual environment path
    venv_activate = Path(sys.prefix) / "bin" / "activate"

    activation_step = ""
    install_step_number = "1."
    if venv_activate.exists():
        activation_step = (
            "1. Activate your virtual environment:\n"
            f"   source {venv_activate}\n\n"
        )
        install_step_number = "2."

    sys.stderr.write(
        "Warning: Linux dependency 'secretstorage' is not installed.\n"
        "\n"
        "Auto Claude can use secretstorage for secure OAuth token storage via\n"
        "the system keyring (gnome-keyring, kwallet, etc.). Without it, tokens\n"
        "will be stored in plaintext in your .env file.\n"
        "\n"
        "To enable keyring integration:\n"
        f"{activation_step}"
        f"{install_step_number} Install secretstorage:\n"
        "   pip install 'secretstorage>=3.3.3'\n"
        "\n"
        "   Or reinstall all dependencies:\n"
        "   pip install -r requirements.txt\n"
        "\n"
        "Note: The app will continue to work, but OAuth tokens will be stored\n"
        "in your .env file instead of the system keyring.\n"
        "\n"
        f"Current Python: {sys.executable}\n"
    )
    sys.stderr.flush()
    # Continue execution - this is a warning, not a blocking error

[gemini-code-assist]

This block of logic for determining and validating critical packages is duplicated later in the file (around line 825). This duplication makes the code harder to maintain, as any changes need to be applied in two places (as was done in this PR).

To improve maintainability, consider refactoring this logic into a reusable helper function. This function could take sitePackagesDir and nodePlatform as arguments and return the list of missing packages.

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@apps/backend/core/dependency_validator.py`:
- Around line 97-121: The warning message unconditionally suggests sourcing
sys.prefix/bin/activate which is often invalid for system Python; update the
logic around venv_activate in dependency_validator.py to only include the
"source {venv_activate}" line when an actual virtualenv activation script exists
or when running inside a venv (e.g., check
Path(sys.prefix)/"bin"/"activate".exists() or compare sys.prefix !=
sys.base_prefix / check VIRTUAL_ENV), otherwise omit that activation instruction
and keep the rest of the message (use the existing venv_activate, sys.prefix,
and sys.stderr.write symbols to find and modify the block).

In `@apps/frontend/src/main/python-env-manager.ts`:
- Around line 131-152: The frontend currently treats secretstorage as a critical
package by listing it under platformCriticalPackages.linux and including it in
criticalPackages (used by the hasBundledPackages check), which forces venv
creation on Linux; remove 'secretstorage' from platformCriticalPackages.linux
and instead add it to an optional/auxiliary packages list checked separately
(e.g., optionalPackages or nonCriticalPackages) and update the missing-check
logic so hasBundledPackages only considers criticalPackages, while the new
optional check logs a warning (using the existing logger) if secretstorage is
absent but does not cause hasBundledPackages() to return false; adjust
references to platformCriticalPackages, criticalPackages, and the
missingPackages/filter logic accordingly.

In `@tests/test_dependency_validator.py`:
- Around line 267-292: The test test_windows_skips_secretstorage_validation
currently patches is_linux instead of forcing the Windows branch; update the
test to patch core.dependency_validator.is_windows (return_value=True) so the
Windows path is exercised, keep the existing patches for builtins.__import__ and
core.dependency_validator._warn_missing_secretstorage and then call
validate_platform_dependencies() and assert mock_warning.assert_not_called() to
ensure secretstorage validation is skipped on Windows.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[AndyMik90]

🤖 Auto Claude PR Review

Merge Verdict: 🔴 BLOCKED

🔴 Blocked - 3 critical/high/medium issue(s) must be fixed.

Blocked by 1 critical issues

Risk Assessment

Factor	Level	Notes
Complexity	High	Based on lines changed
Security Impact	None	Based on security findings
Scope Coherence	Good	Based on structural review

🚨 Blocking Issues (Must Fix)

• Critical: Regression: pywin32 validation restricted to Python 3.12+ instead of all Windows versions (apps/backend/core/dependency_validator.py:23)

Findings Summary

• Critical: 1 issue(s)
• High: 1 issue(s)
• Medium: 1 issue(s)
• Low: 2 issue(s)

---

Generated by Auto Claude PR Review

Findings (5 selected of 5 total)

🔴 [ff18efe7483a] [CRITICAL] Regression: pywin32 validation restricted to Python 3.12+ instead of all Windows versions

📁 apps/backend/core/dependency_validator.py:23

The requirements.txt (line 23) explicitly states 'Required on all Python versions on Windows (ACS-306) - MCP library unconditionally imports win32api'. However, the validator at line 23 only checks if is_windows() and sys.version_info >= (3, 12). This means Windows users on Python 3.10 or 3.11 will NOT receive the helpful error message when pywin32 is missing - they'll get a cryptic import error instead. This directly contradicts the ACS-306 fix intention.

Suggested fix:

Remove the Python version check. Change line 23 from `if is_windows() and sys.version_info >= (3, 12):` to simply `if is_windows():` to validate pywin32 on all Windows Python versions as per ACS-306.

🟠 [7d95d9c9a1fe] [HIGH] Tests explicitly test for the regression behavior

📁 tests/test_dependency_validator.py:99

The test test_windows_python_311_skips_validation (line 99-116) and test_windows_python_310_skips_validation (line 190-206) explicitly verify that Python 3.10/3.11 on Windows skip pywin32 validation. This contradicts the ACS-306 requirement documented in requirements.txt. The tests enforce the incorrect behavior and must be updated alongside the fix.

Suggested fix:

After fixing the validator, update the tests: (1) Remove `test_windows_python_311_skips_validation` and `test_windows_python_310_skips_validation`, (2) Add tests verifying validation RUNS on Python 3.10/3.11 on Windows.

🟡 [6a399c5282a1] [MEDIUM] Duplicated platformCriticalPackages object defined twice in same file

📁 apps/frontend/scripts/download-python.cjs:714

The platformCriticalPackages constant is defined identically at line 714 (cache validation) and line 826 (post-install verification). If the package list changes, both locations must be updated, creating risk of inconsistency. This violates DRY principle.

Suggested fix:

Extract `platformCriticalPackages` to a single constant at module scope (near STRIP_PATTERNS around line 30), then reference it in both validation locations.

🔵 [1efc5e3002f4] [LOW] Inconsistent package classification between build script and runtime manager

📁 apps/frontend/src/main/python-env-manager.ts:131

download-python.cjs treats secretstorage as a 'critical' package (build fails if missing), but python-env-manager.ts treats it as 'optional' (only logs warning). The comment in download-python.cjs says 'Same list exists in python-env-manager.ts - keep them in sync' but they intentionally differ. This inconsistency is confusing and the comment is misleading.

Suggested fix:

Update the comment in download-python.cjs (lines 710, 822) to clarify the intentional difference: 'Note: python-env-manager.ts treats secretstorage as optional (falls back to .env) while this script validates it during build.'

🔵 [fc06737aa2a9] [LOW] Step numbering inconsistency in warning message when venv doesn't exist

📁 apps/backend/core/dependency_validator.py:115

When the venv activate script exists, the message shows steps '1. Activate... 2. Install secretstorage'. But when activate doesn't exist, the message still says '2. Install secretstorage' without a step 1, which is confusing. The pywin32 error message handles this correctly by removing step numbers entirely.

Suggested fix:

Follow the pattern in `_exit_with_pywin32_error()`. When activation_prefix is empty, change '2. Install secretstorage:' to just 'Install secretstorage:' (remove the number).

---

This review was generated by Auto Claude.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@tests/test_dependency_validator.py`:
- Around line 389-402: The assertion logic in
test_warning_message_omits_activation_when_no_script is flawed: replace the
faulty assertion that uses "or" with a check that no line contains the
activation hint; specifically, capture the stderr from calling
_warn_missing_secretstorage() and assert that neither the phrase "Activate your
virtual environment" nor any line containing the substring "source" exists in
message (e.g., ensure all(line.find("source") == -1 for line in
message.splitlines()) ), while still asserting "Install secretstorage" is
present; update the assertions around message, "Activate your virtual
environment", and "source" accordingly.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@tests/test_dependency_validator.py`:
- Around line 264-282: The test
test_linux_with_secretstorage_installed_continues should assert that the warning
helper is NOT invoked; update the test to patch
core.dependency_validator._warn_missing_secretstorage (e.g., with patch or mock)
and after calling validate_platform_dependencies() assert that the patched
_warn_missing_secretstorage was not called, ensuring the absence of
secretstorage does not trigger a warning in this scenario.

[AndyMik90]

🤖 Auto Claude PR Review

🟠 Follow-up Review: Needs Revision

⏳ Ready once CI passes - 3 check(s) pending, all findings addressed.

Resolution Status

• ✅ Resolved: 5 previous findings addressed
• ❌ Unresolved: 0 previous findings remain
• 🆕 New Issues: 0 new findings in recent changes

Verdict

All 5 previous findings have been verified as RESOLVED. The author addressed all issues systematically: (1) CRITICAL pywin32 regression fixed by removing Python version check, (2) HIGH test regression fixed by renaming tests and correcting assertions, (3) MEDIUM duplicate constant consolidated into single PLATFORM_CRITICAL_PACKAGES, (4) LOW package classification inconsistency documented as intentional design, (5) LOW step numbering fixed with conditional logic. No new issues found in code review. However, CI status shows 3 checks still pending - cannot approve for merge until CI completes. Once CI passes, this will be READY_TO_MERGE.

Review Process

Agents invoked: resolution-verifier, new-code-reviewer

---

This is an AI-generated follow-up review using parallel specialist analysis with finding validation.

---

This review identified blockers that must be resolved before merge. Generated by Auto Claude.