feat(tool-registry): add trusted capability providers

[YOMXXX]

Summary

• Adds capability_providers config metadata for external capability sources with id, display name, source URI, source digest, trust state, and enabled state.
• Adds a normalized provider registry in tool_registry with list/get/trusted-enabled helpers for policy and diagnostics callers.
• Extends tool policy diagnostics with redacted provider counts and registry validation errors.
• Documents the provider trust metadata contract in the MCP/tool registry docs in English and Chinese.

Problem

• OpenHuman already has a growing tool registry and external MCP-style capability surface, but there was no stable local trust metadata layer for future admission/provenance checks.
• Without normalized provider ids, duplicate or malformed provider definitions could make policy decisions inconsistent.

Solution

• Introduced CapabilityProviderConfig and CapabilityProviderTrustState under the TOML config schema.
• Added CapabilityProviderRegistry that normalizes provider ids, rejects invalid ids, rejects duplicates after normalization, and exposes list/get/trusted-enabled helpers.
• Kept runtime behavior backward-compatible: with no configured providers, the registry is empty and existing tool discovery/dispatch behavior is unchanged.
• Added focused Rust coverage for valid provider registration, disabled/untrusted providers, duplicate ids, invalid ids, TOML parsing, and diagnostics summaries.

Submission Checklist

• Tests added or updated (happy path + at least one failure / edge case) per Testing Strategy
• Diff coverage ≥ 80% — CI coverage gate is running/enforcing changed-line coverage; focused Rust tests cover the changed behavior.
• N/A: Coverage matrix updated — no feature row was added/removed/renamed; existing feature row 11.1.5 Global tool registry remains applicable.
• All affected feature IDs from the matrix are listed in the PR description under ## Related
• No new external network dependencies introduced (mock backend used per Testing Strategy)
• N/A: Manual smoke checklist updated — config/registry metadata only; no release manual smoke flow changed.
• Linked issue closed via Closes #NNN in the ## Related section

Impact

• Runtime/platform impact: Rust core config and tool registry only; no frontend, Tauri shell, or mobile impact.
• Security: fail-closed defaults (trust_state = "untrusted", enabled = false) and duplicate/invalid provider ids are rejected before policy callers consume metadata.
• Compatibility: default config has an empty provider list, so existing MCP/controller tools remain visible and dispatch paths are unchanged.
• Migration: no persisted migration needed; missing capability_providers deserializes to an empty list.

Related

• Closes: Closes Add trusted external capability provider registry #2541
• Coverage matrix feature: 11.1.5 Global tool registry
• Follow-up PR(s)/TODOs: wire generated-tool provenance/admission checks against this provider registry.

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Linear Issue

• Key: N/A
• URL: N/A

Commit & Branch

• Branch: feat/2541-trusted-capability-providers
• Commit SHA: c7d7b078b137e1b7dc1e94fec193ce3d8d2381ad

Validation Run

• N/A: pnpm --filter openhuman-app format:check blocked locally; see Validation Blocked. pnpm format:check delegates to this command.
• N/A: pnpm typecheck not run because there are no TypeScript/frontend changes and local app dependencies are not installed.
• Focused tests:
  • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml tool_registry --lib
  • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml config_parses_capability_provider_entries --lib
• Rust fmt/check:
  • cargo fmt --manifest-path Cargo.toml --check
  • GGML_NATIVE=OFF cargo check --manifest-path Cargo.toml
  • git diff --check
• N/A: Tauri fmt/check — no Tauri shell changes.

Validation Blocked

• command: pnpm format:check
• error: local app workspace has no node_modules; prettier: command not found. The environment also reports Node v22.14.0 while openhuman-app wants >=24.0.0.
• impact: Prettier/app format check could not be completed locally; Rust fmt/check and focused Rust tests passed.

Behavior Changes

• Intended behavior change: external capability providers can be declared in config and inspected through the tool-registry provider helpers/diagnostics.
• User-visible effect: none yet; this is governance metadata for future external capability admission/provenance work.

Parity Contract

• Legacy behavior preserved: when no providers are configured, the provider registry is empty and existing tool discovery/dispatch behavior is unchanged.
• Guard/fallback/dispatch parity checks: provider trust only affects new metadata helpers; MCP tools/call and JSON-RPC controller dispatch remain unchanged.

Duplicate / Superseded PR Handling

• Duplicate PR(s): N/A
• Canonical PR: this PR
• Resolution (closed/superseded/updated): N/A

Summary by CodeRabbit

• Documentation

  • Updated MCP server docs (EN/ZH) with a new diagnostics endpoint and guidance for registering external capability providers.

• New Features

  • Support for declaring trusted external capability providers via config metadata.
  • Diagnostics now include redacted capability-provider summaries (total/enabled/trusted/trusted+enabled) and report registry errors (duplicate/invalid IDs).
  • Provider IDs are normalized; only entries with enabled=true and trust_state="trusted" are considered.

• Tests

  • Added comprehensive tests covering provider parsing, normalization, diagnostics, and registry behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bba8fd45-a4ea-4200-aa82-31b91290b2a4

📥 Commits

Reviewing files that changed from the base of the PR and between 57ac91b and 1de8a71.

📒 Files selected for processing (2)

• src/openhuman/tool_registry/ops.rs
• src/openhuman/tool_registry/ops_test.rs

---

📝 Walkthrough

Walkthrough

Adds a config-backed capability-provider schema and registry with ID normalization/validation, exposes registry/listing/lookup helpers, integrates provider summaries into tool-policy diagnostics and the diagnostics RPC, updates re-exports and docs, and adds unit and integration tests.

Changes

Capability Provider Registry Feature

Layer / File(s)	Summary
Configuration Schema Definition src/openhuman/config/schema/capability_providers.rs, src/openhuman/config/schema/mod.rs, src/openhuman/config/schema/types.rs, src/openhuman/config/mod.rs, src/openhuman/config/README.md	Introduces CapabilityProviderConfig and CapabilityProviderTrustState, integrates capability_providers: Vec<CapabilityProviderConfig> into Config (serde-defaulted), adds parsing tests, and updates public re-exports and README.
Provider Registry Core Implementation src/openhuman/tool_registry/providers.rs	Implements CapabilityProviderMetadata, CapabilityProviderRegistry::from_config, ID normalization (normalize_capability_provider_id), duplicate/invalid ID errors, listing/get/get-trusted-enabled helpers, diagnostics summary, and unit tests for normalization, duplicates, and invalid IDs.
Diagnostics Integration and Module Exports src/openhuman/tool_registry/mod.rs, src/openhuman/tool_registry/types.rs, src/openhuman/tool_registry/ops.rs, src/openhuman/tool_registry/schemas.rs	Adds providers submodule and public re-exports, defines CapabilityProviderDiagnostics (redacted counts + registry_errors), refactors diagnostics() to async/config-backed flow with diagnostics_for_config(&Config), updates RPC handler to await diagnostics, and moves/refactors tests wiring.
User-Facing Documentation gitbooks/developing/mcp-server.md, gitbooks/developing/mcp-server.zh-CN.md	Documents openhuman.tool_registry_diagnostics RPC and an “External Capability Providers” config example, governance-only note, ID normalization rules, eligibility (enabled=true and trust_state="trusted"), and backward-compatible behavior when unconfigured.
Tests and Test Helpers src/openhuman/tool_registry/ops_test.rs	Adds tests for registry entries, diagnostics totals (including provider counts and duplicate/error reporting), schema generation checks, helper constructors, and an EnvRestore RAII helper for environment-scoped tests.

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly Related PRs

• tinyhumansai/openhuman#2336: Extends tool registry diagnostics and the ToolPolicyDiagnostics surface that this PR further augments with capability-provider diagnostics.

Suggested reviewers

• senamakel
• graycyrus

🐰 A tiny registry hops into view,
ids trimmed, slugged, and tidy too,
trust and enabled flags guard the gate,
diagnostics count each configured mate.
Governance hums: only metadata—no code to state.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 68.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(tool-registry): add trusted capability providers' accurately summarizes the main change—adding a capability provider registry with trust metadata.
Linked Issues check	✅ Passed	All acceptance criteria from #2541 are met: provider metadata type defined, config-backed registry implemented, ID validation/normalization in place, lookup/list helpers exposed, backward compatibility preserved, and focused tests added.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with #2541 objectives: config schema, registry implementation, diagnostics integration, documentation, and tests; no unrelated modifications present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/openhuman/tool_registry/ops.rs (1)

44-73: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add debug/trace diagnostics to the new diagnostics_for_config flow.

Line 44 introduces a new diagnostics path, but it currently has no entry/exit or summary logging. Please add structured debug logs with stable prefix + counts to keep this path diagnosable.

♻️ Proposed logging patch

 pub fn diagnostics_for_config(config: &Config) -> RpcOutcome<ToolPolicyDiagnostics> {
+    log::debug!("[tool_registry] diagnostics_for_config start");
+
     let tools = registry_entries();
     let total_tools = tools.len();
     let enabled_tools = tools.iter().filter(|entry| entry.enabled).count();
@@
     let diagnostics = ToolPolicyDiagnostics {
         total_tools,
         enabled_tools,
         mcp_stdio_tools,
         json_rpc_tools,
         possible_write_surfaces,
         policy_surfaces,
         capability_providers: capability_provider_diagnostics(config),
     };
+
+    log::debug!(
+        "[tool_registry] diagnostics_for_config completed total_tools={} enabled_tools={} mcp_stdio_tools={} json_rpc_tools={} providers_total={} providers_enabled={} providers_trusted={} providers_trusted_enabled={} provider_errors={}",
+        diagnostics.total_tools,
+        diagnostics.enabled_tools,
+        diagnostics.mcp_stdio_tools,
+        diagnostics.json_rpc_tools,
+        diagnostics.capability_providers.total_providers,
+        diagnostics.capability_providers.enabled_providers,
+        diagnostics.capability_providers.trusted_providers,
+        diagnostics.capability_providers.trusted_enabled_providers,
+        diagnostics.capability_providers.registry_errors.len(),
+    );
     RpcOutcome::new(diagnostics, vec![])
 }

As per coding guidelines, "Debug logging must follow these rules: default to verbose diagnostics on new/changed flows... All changes lacking diagnosis logging are incomplete."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/tool_registry/ops.rs` around lines 44 - 73, Add structured
debug/trace logging to the diagnostics_for_config flow: at function entry log a
stable prefix (e.g. "tool_registry::diagnostics:entry") with total_tools and
enabled_tools, then log intermediate counts (mcp_stdio_tools, json_rpc_tools)
and the length of possible_write_surfaces and policy_surfaces after they are
computed, and finally log an exit/summary message (e.g.
"tool_registry::diagnostics:summary") that includes all counts and the size of
capability_providers; use the project’s tracing/log macro (trace! or debug!)
consistent with existing code, and place logs near the calls to
registry_entries(), looks_write_capable(), policy_surface_ids(), and
capability_provider_diagnostics(config) so the referenced symbols
(diagnostics_for_config, ToolPolicyDiagnostics, registry_entries,
looks_write_capable, policy_surface_ids, capability_provider_diagnostics) are
easy to locate.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/openhuman/tool_registry/providers.rs`:
- Around line 31-170: Add trace/debug/error logs across the new registry flow:
instrument CapabilityProviderRegistry::from_config to log entry (trace) with
count of config.capability_providers, log a debug when a provider is normalized
(use normalize_capability_provider_id return) and an error/debug when a
DuplicateId is detected before returning
CapabilityProviderRegistryError::DuplicateId, and log debug/error when
clean_string fails to fall back to id; also update
normalize_capability_provider_id to trace invalid/empty inputs and the final
normalized value before returning or returning InvalidId; finally, in
capability_provider_diagnostics and capability_provider_registry add debug/error
logging for the Err path to record the registry error (err.to_string()) so
fallback diagnostics include a logged message.

---

Outside diff comments:
In `@src/openhuman/tool_registry/ops.rs`:
- Around line 44-73: Add structured debug/trace logging to the
diagnostics_for_config flow: at function entry log a stable prefix (e.g.
"tool_registry::diagnostics:entry") with total_tools and enabled_tools, then log
intermediate counts (mcp_stdio_tools, json_rpc_tools) and the length of
possible_write_surfaces and policy_surfaces after they are computed, and finally
log an exit/summary message (e.g. "tool_registry::diagnostics:summary") that
includes all counts and the size of capability_providers; use the project’s
tracing/log macro (trace! or debug!) consistent with existing code, and place
logs near the calls to registry_entries(), looks_write_capable(),
policy_surface_ids(), and capability_provider_diagnostics(config) so the
referenced symbols (diagnostics_for_config, ToolPolicyDiagnostics,
registry_entries, looks_write_capable, policy_surface_ids,
capability_provider_diagnostics) are easy to locate.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ab272e84-9f6c-4220-9848-8ca4e9a8a796

📥 Commits

Reviewing files that changed from the base of the PR and between 2a5d821 and c7d7b07.

📒 Files selected for processing (11)

• gitbooks/developing/mcp-server.md
• gitbooks/developing/mcp-server.zh-CN.md
• src/openhuman/config/README.md
• src/openhuman/config/mod.rs
• src/openhuman/config/schema/capability_providers.rs
• src/openhuman/config/schema/mod.rs
• src/openhuman/config/schema/types.rs
• src/openhuman/tool_registry/mod.rs
• src/openhuman/tool_registry/ops.rs
• src/openhuman/tool_registry/providers.rs
• src/openhuman/tool_registry/types.rs

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/openhuman/tool_registry/ops.rs (1)

43-99: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Wire the public diagnostics RPC to the active config snapshot.

diagnostics_for_config now reports provider counts/errors from config, but diagnostics() still invokes it with Config::default(). That means tool_registry.diagnostics will always hide real capability_providers state and never surface duplicate/invalid provider config at runtime.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/tool_registry/ops.rs` around lines 43 - 99,
diagnostics_for_config currently uses the provided Config to report provider
counts/errors, but diagnostics() still calls diagnostics_for_config with
Config::default(), hiding runtime provider state; fix by changing diagnostics()
to pass the active runtime config snapshot instead of Config::default() — locate
the diagnostics() function and replace the Config::default() argument with the
active configuration snapshot provided by your runtime (e.g. the function or
value that returns the current config snapshot used elsewhere in the app), so
diagnostics_for_config and capability_provider_diagnostics receive real runtime
data.

🧹 Nitpick comments (1)

src/openhuman/tool_registry/ops.rs (1)

43-99: 🏗️ Heavy lift

Split this module before it grows further.

This addition lands in a file that is already ~650 lines long. Please peel the diagnostics/provider-specific logic into a smaller sibling module so ops.rs stays focused.

As per coding guidelines: “File size should not exceed approximately 500 lines. When a module grows beyond this threshold, split it into smaller, more focused modules with clear responsibilities.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/tool_registry/ops.rs` around lines 43 - 99, The
diagnostics/provider logic in ops.rs is making the file too large; extract the
diagnostics implementation into a new sibling module (e.g.,
tool_registry/diagnostics.rs) and move functions and types related to
diagnostics and provider inspection—specifically diagnostics_for_config,
ToolPolicyDiagnostics, capability_provider_diagnostics, and any helpers that
call registry_entries or policy_surface_ids—into that module; update ops.rs to
call the moved functions (keep the public signatures) and re-export types if
needed so callers remain unchanged, and ensure imports/uses are adjusted (use
crate::openhuman::tool_registry::diagnostics::{diagnostics_for_config,
ToolPolicyDiagnostics} or similar) and run tests to confirm behavior is
preserved.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/openhuman/tool_registry/ops.rs`:
- Around line 43-99: diagnostics_for_config currently uses the provided Config
to report provider counts/errors, but diagnostics() still calls
diagnostics_for_config with Config::default(), hiding runtime provider state;
fix by changing diagnostics() to pass the active runtime config snapshot instead
of Config::default() — locate the diagnostics() function and replace the
Config::default() argument with the active configuration snapshot provided by
your runtime (e.g. the function or value that returns the current config
snapshot used elsewhere in the app), so diagnostics_for_config and
capability_provider_diagnostics receive real runtime data.

---

Nitpick comments:
In `@src/openhuman/tool_registry/ops.rs`:
- Around line 43-99: The diagnostics/provider logic in ops.rs is making the file
too large; extract the diagnostics implementation into a new sibling module
(e.g., tool_registry/diagnostics.rs) and move functions and types related to
diagnostics and provider inspection—specifically diagnostics_for_config,
ToolPolicyDiagnostics, capability_provider_diagnostics, and any helpers that
call registry_entries or policy_surface_ids—into that module; update ops.rs to
call the moved functions (keep the public signatures) and re-export types if
needed so callers remain unchanged, and ensure imports/uses are adjusted (use
crate::openhuman::tool_registry::diagnostics::{diagnostics_for_config,
ToolPolicyDiagnostics} or similar) and run tests to confirm behavior is
preserved.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a6de0df1-0b5d-47b4-92cd-8a4fd89f9b53

📥 Commits

Reviewing files that changed from the base of the PR and between c7d7b07 and 33a827f.

📒 Files selected for processing (2)

• src/openhuman/tool_registry/ops.rs
• src/openhuman/tool_registry/providers.rs

[coderabbitai]

🧹 Nitpick comments (1)

src/openhuman/tool_registry/ops.rs (1)

490-706: 🏗️ Heavy lift

Move the expanded test block out of ops.rs.

This file is now well past the repo’s ~500-line target, and most of the new growth here is test-only code. Please extract the diagnostics tests/helpers into a sibling ops_test.rs and keep ops.rs focused on runtime logic.

As per coding guidelines, **/*.{ts,tsx,rs} files should not exceed approximately 500 lines, and src/**/*.rs test extractions should prefer a sibling *_test.rs wired with #[cfg(test)] #[path = "..._test.rs"] mod tests;.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/tool_registry/ops.rs` around lines 490 - 706, The ops.rs file
has grown >500 lines due to many test helpers and diagnostics tests; extract
them into a sibling ops_test.rs and wire it as a test module. Move the tests
(including async test diagnostics_loads_active_capability_provider_config,
diagnostics_for_config_reports_*, looks_write_capable, is_policy_surface,
insert_registry_entry_skips_duplicate_tool_id, get_tool_*,
controller_json_schema_marks_required_and_optional_fields), helper fn
capability_provider, struct EnvRestore and its impl/Drop, and any test-only uses
of diagnostics() and diagnostics_for_config() into ops_test.rs; then remove
those items from ops.rs and add in ops.rs the test module declaration
#[cfg(test)] #[path = "ops_test.rs"] mod tests; so runtime ops.rs stays under
~500 lines while tests remain compiled only in test builds.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/openhuman/tool_registry/ops.rs`:
- Around line 490-706: The ops.rs file has grown >500 lines due to many test
helpers and diagnostics tests; extract them into a sibling ops_test.rs and wire
it as a test module. Move the tests (including async test
diagnostics_loads_active_capability_provider_config,
diagnostics_for_config_reports_*, looks_write_capable, is_policy_surface,
insert_registry_entry_skips_duplicate_tool_id, get_tool_*,
controller_json_schema_marks_required_and_optional_fields), helper fn
capability_provider, struct EnvRestore and its impl/Drop, and any test-only uses
of diagnostics() and diagnostics_for_config() into ops_test.rs; then remove
those items from ops.rs and add in ops.rs the test module declaration
#[cfg(test)] #[path = "ops_test.rs"] mod tests; so runtime ops.rs stays under
~500 lines while tests remain compiled only in test builds.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 54adaeed-a9d6-4aa4-a33f-52ad91581ff7

📥 Commits

Reviewing files that changed from the base of the PR and between 33a827f and 57ac91b.

📒 Files selected for processing (2)

• src/openhuman/tool_registry/ops.rs
• src/openhuman/tool_registry/schemas.rs

[YOMXXX]

@graycyrus @senamakel #2551 is ready for review. I addressed the CodeRabbit feedback, wired diagnostics to the active runtime config, extracted the expanded tests into ops_test.rs, and all non-skipped CI checks are green.

[YOMXXX]

Checked the latest CI. The only blocking check is e2e / E2E (Linux / Appium Chromium).

The failure is in app/test/e2e/specs/mega-flow.spec.ts:

• openhuman.composio_list_triggers returns ok=false at line 251
• openhuman.composio_enable_trigger returns ok=false at line 580

All other checks are green, including Rust/TS/coverage and CodeRabbit. I also checked #2499 and it is failing on the exact same Composio RPC points, so this currently looks more like a shared mega-flow/Composio CI issue than a regression specific to this PR.

The uploaded artifact only contains screenshots/XML/meta, not the core/app log, so the next useful step is to capture the underlying RPC error payload before blindly rerunning.

[YOMXXX]

Follow-up: opened #2609 to make this shared E2E failure diagnosable. It adds runner-temp app log upload paths and changes the mega-flow Composio RPC assertions to include the RPC method/status/error instead of only Expected true / Received false.

Once #2609 CI runs, we should be able to see the underlying core/RPC error payload and decide whether the Composio failure is a shared harness/session issue or a real backend/mock regression.

[YOMXXX]

Follow-up on the shared Linux Appium failure: #2609 now confirms and fixes the root cause. The failing mega-flow Composio RPCs were caused by the E2E app using the OS keyring on headless Linux, where Secret Service access returns permission errors and the backend session token is lost after login.

#2609 defaults E2E sessions to OPENHUMAN_KEYRING_BACKEND=file under the disposable OPENHUMAN_WORKSPACE, keeps the richer RPC diagnostics, and the latest run passes Linux Appium E2E (smoke + mega-flow). Once that lands on main, this PR should be unblocked by rebasing/rerunning CI; alternatively the runner fix can be cherry-picked here if this PR needs to merge first.