feat(onboarding,ui): trust-first onboarding + Button primitive + honest privacy surface

[jwalin-shah]

Summary

• New reusable <Button variant size> primitive (4 variants × 5 sizes) with focus ring baked in — foundation for future UI consolidation.
• New WhatLeavesMyComputerSheet + WhatLeavesLink privacy surface, reused in onboarding footer and Settings → Privacy & Security. Copy is intentionally conservative and matches what the backend actually does.
• ContextGatheringStep no longer auto-runs the Rust-side LinkedIn enrichment pipeline on mount. It is now user-driven: an intro card explains what will happen, with "Start when ready" and "Skip for now" controls.
• WelcomeStep slide 1 rewritten to the design handoff copy (mono eyebrow, display-font title, honest subtitle). Carousel slides 2/3 preserved.
• E2E login-flow.spec.ts updated to match the new ContextGatheringStep headings and prefer "Skip for now" so the real enrichment pipeline stays out of E2E.

Problem

Two trust-shaped gaps in the current onboarding:

1. Silent surveillance shape. ContextGatheringStep kicked off a Gmail → LinkedIn scrape pipeline inside useEffect on mount, before the user had seen what was about to happen. That is exactly the "nothing ever leaves your computer" lie the README explicitly rejects.
2. Privacy copy was either missing or overclaiming. No consistent way to see "what actually leaves my computer" near the moments a network call is about to happen. The existing PrivacyPanel only surfaced the analytics toggle.

A third, lower-level gap: there was no shared Button component, so every flow reinvented the same Tailwind utilities slightly differently.

Solution

UI primitive (app/src/components/ui/Button.tsx)
Matches the design handoff spec exactly: 4 variants (primary / secondary / ghost / danger) × 5 sizes (xs / sm / md / lg / xl). forwardRef, default type="button", focus-visible ring applied by default on every instance. Intentionally not ripping existing ad-hoc buttons in this PR — it lands the primitive cleanly and leaves adoption incremental.

Privacy surface (app/src/features/privacy/)
whatLeavesItems.ts is the single source of truth: 5 items that really do leave the laptop (model downloads; cloud provider calls; skill sync summaries to the memory service; crash reports; sign-in / billing / chat routing). WhatLeavesMyComputerSheet is a portal modal with backdrop, Escape-to-close, aria-modal. WhatLeavesLink is a tiny underlined trigger for any screen that might hit the network. PrivacyPanel in Settings now surfaces the same list above the analytics toggle.

Copy audit was intentional before commit — three lines were softened because they were slightly stronger than what the backend actually supports (skill data does sync to our memory service per 17-skills-memory-inference-flow.md; chat messages are routed through our backend to the selected model per chat.rs; the LinkedIn pipeline uses Apify, not a user-chosen scraper).

Onboarding honesty pass

• WelcomeStep slide 1: eyebrow OPENHUMAN · LOCAL BY DEFAULT + display-font "Hi. I'm OpenHuman." + honest subtitle ("routes to the cloud when you pick a cloud model"). Footer has WhatLeavesLink. Slides 2/3 untouched.
• ContextGatheringStep: the pipeline now fires only from an explicit user click. Intro card describes what gets read, and "skip this and nothing is read" is finally a true statement. The running UI keeps its existing progress visualization, plus WhatLeavesLink. Body copy is softened throughout.

Intentional deferrals (keeping the bar high on overpromise):

• No sourcesSlice — would duplicate the existing draft.connectedSources state in Onboarding.tsx.
• No MirrorMomentStep — no Rust-side scan_sources / observation generator exists, so any stub would fake the payoff and undercut everything else this PR is trying to do. Gate hard = don't create.

Drift commit (9f7e43fe): the pre-push hook surfaced two unrelated items already drifting on main (cargo fmt ordering in src-tauri/src/lib.rs, one-line wrap in webview_accounts/mod.rs, Cargo.lock version 0.52.27 → 0.52.28 to match package.json). Picked up here so this PR can push cleanly rather than ride --no-verify.

Submission Checklist

• Unit tests — 24 new Vitest tests: 10 Button, 6 privacy sheet/link, 4 WelcomeStep, 4 ContextGatheringStep. Full yarn test:unit green (498 passed, 2 pre-existing skips).
• E2E / integration — login-flow.spec.ts updated to match new ContextGatheringStep heading markers and to prefer "Skip for now" so the real Rust enrichment pipeline stays out of E2E. No new E2E file.
• Doc comments — whatLeavesItems.ts carries a short rationale block explaining why the list exists and why copy must not soften. Privacy components are small and self-evident.
• Inline comments — Added only where flow is not obvious (e.g. E2E spec comment block explaining why we prefer Skip).

Impact

• Runtime: desktop only. No change to Tauri commands, core sidecar, or JSON-RPC surface. All changes are frontend.
• User-visible: (1) ContextGatheringStep now requires an explicit click to start — meaningful UX change; the step no longer auto-completes on reachable users. (2) New "What leaves my computer?" affordance visible on WelcomeStep and ContextGatheringStep. (3) Settings → Privacy & Security now explains what leaves the machine in addition to the analytics toggle.
• Security / privacy: strictly tightens trust posture — removes silent network behavior and makes privacy claims conservative and capability-backed where possible.
• Migration: none.
• Follow-ups: (a) longer term, the static privacy list should become capability-backed so the UI can't drift from reality; (b) ad-hoc buttons across the app can migrate to the new <Button> primitive incrementally.

Related

• Design handoff: openhumanclaudedesign.zip (v2 onboarding pass).
• Issue(s): none filed — this is a design-directed pass.
• Follow-up PR(s)/TODOs: capability-backed privacy list; incremental <Button> adoption.

[coderabbitai]

Warning

Rate limit exceeded

@senamakel has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 23 minutes and 40 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 23 minutes and 40 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9b7fe3fa-1e4f-4b7d-bf5e-9c2bf8fc7ee5

📥 Commits

Reviewing files that changed from the base of the PR and between 7961a32 and bd6030d.

📒 Files selected for processing (18)

• app/src/components/settings/panels/PrivacyPanel.tsx
• app/src/components/settings/panels/__tests__/PrivacyPanel.test.tsx
• app/src/components/ui/Button.test.tsx
• app/src/components/ui/Button.tsx
• app/src/features/privacy/WhatLeavesLink.tsx
• app/src/features/privacy/WhatLeavesMyComputerSheet.test.tsx
• app/src/features/privacy/WhatLeavesMyComputerSheet.tsx
• app/src/features/privacy/whatLeavesItems.ts
• app/src/pages/onboarding/Onboarding.tsx
• app/src/pages/onboarding/steps/ContextGatheringStep.tsx
• app/src/pages/onboarding/steps/WelcomeStep.tsx
• app/src/pages/onboarding/steps/__tests__/ContextGatheringStep.test.tsx
• app/src/pages/onboarding/steps/__tests__/WelcomeStep.test.tsx
• app/src/utils/tauriCommands/aboutApp.ts
• app/test/e2e/helpers/artifacts.ts
• app/test/e2e/specs/agent-review.spec.ts
• app/test/e2e/specs/login-flow.spec.ts
• app/test/wdio.conf.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}