feat(ui,webview): compact tab bar, hide inactive tabs, harden CEF link handling

[senamakel]

Summary

• Bottom tab bar: compact icon-only by default; labels animate in on hover/focus/active. Hides tabs for unreleased features (Home, Memory/Intelligence, Screen Intelligence built-in skill). Home + Memory (relabeled from Intelligence) restored after the trim.
• CEF child webview hardening: opts out of tauri-plugin-opener's default JS injection (init-iife.js), adds a CLAUDE.md rule forbidding new JS injection into `acct_*` webviews, and unwraps LinkedIn's `/safety/go/?url=...` redirect in Rust so the system browser lands on the real destination (was breaking because the safety page requires LinkedIn session which lives only inside the embedded webview).
• macOS opener fix: `open_in_system_browser` now shells out to `/usr/bin/open` directly instead of `tauri_plugin_opener::open_url`, which returned Ok but no browser actually launched under CEF.
• Window default: 1000×800 instead of 800×720.

Known follow-up

• Loading-overlay work for first-time account opens is deferred to Show loading overlay over account webviews during first-time load #867 — on_page_load doesn't fire for our CDP-driven navigation and CEF's set_visible races with async browser creation. Captured that context in the issue.

Test plan

• `yarn typecheck` passes (verified locally).
• `cargo check --manifest-path app/src-tauri/Cargo.toml` passes.
• Bottom tab bar shows icon-only at rest; labels slide in on hover and stay on active with the 500ms ease-out-quint.
• Skills page no longer lists Screen Intelligence.
• Click external link (e.g. `https://example.com\`) from LinkedIn message → opens in default browser at the real URL, not the `linkedin.com/safety/go` wrapper.
• Click external link from Slack / Gmail / Discord → opens in default browser.
• No `plugin:opener|open_url` IPC calls from `acct_*` webviews (verify in DevTools Network tab; previously they 500'd with "Origin header is not a valid URL").

Summary by CodeRabbit

• New Features

  • Tab labels now animate and reveal on hover/focus for a refined UI experience.

• UI/UX Improvements

  • Renamed "Intelligence" tab to "Memory."
  • Increased default window size for better visibility.
  • Optimized tab bar spacing and layout.

• Bug Fixes

  • Fixed LinkedIn redirect link handling to resolve actual destinations.
  • Improved macOS system browser navigation.

• Documentation

  • Updated README with GitHub star section and social follow links.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates enforce restrictions on webview JavaScript injection via policy documentation and Tauri plugin configuration; improve LinkedIn URL handling with native browser launching; refactor tab bar UI with animations and spacing adjustments; refine Skills page typing and remove a built-in entry; update window size and README marketing elements.

Changes

Cohort / File(s)	Summary
JavaScript Injection Policy CLAUDE.md, app/src-tauri/src/lib.rs	Establishes governance forbidding new JS injection for migrated webviews and disables the Tauri opener plugin's default click-handling JS injection by switching from init() to Builder with open_js_links_on_click disabled.
Provider URL Handling & Browser Launch app/src-tauri/src/webview_accounts/mod.rs	Adds LinkedIn URL unwrapping to extract real destinations from redirect wrapper endpoints; implements macOS native browser launching via direct /usr/bin/open spawn with fallback to plugin; updates both navigation and new-window routing to use unwrapped URLs.
Frontend UI Components app/src/components/BottomTabBar.tsx, app/src/pages/Skills.tsx	Renames "Intelligence" tab to "Memory", tightens spacing, implements animated label reveal on hover/focus/active states; updates Skills catalog with explicit typing and removes the screen-intelligence built-in entry from active configuration.
Configuration & Marketing app/src-tauri/tauri.conf.json, README.md	Increases main window default size (800×720 → 1000×800); updates README with x.com/intent/follow link, additional creator follow link, and uncomments GitHub star-history section for visibility.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• Improve settings, rewards, chat, and skills UI polish #328 — Modifies the same BottomTabBar.tsx and Skills.tsx components, altering layout, spacing, and skills page content.
• feat(webview): browser-like permission management for embedded apps (#713) #721 — Overlaps in app/src-tauri/src/webview_accounts/mod.rs and app/src-tauri/src/lib.rs, affecting webview and external URL handling.
• feat(webview): native OS notifications from embedded webview apps (#714) #727 — Addresses webview JS injection strategy; may conflict with the JS injection governance introduced in this PR.

Poem

🐰 No more JS scripts shall secretly creep,
Through webviews sleeping deep!
LinkedIn's URLs now unwrapped, clean and true,
Tab bars dance with hover's debut—
A tidier warren, from Rust to React's hue! 🎨✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(ui,webview): compact tab bar, hide inactive tabs, harden CEF link handling' accurately captures the main changes across UI (compact tab bar, hidden inactive tabs) and webview/CEF improvements (hardened link handling, JS injection prevention).
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@app/src-tauri/src/webview_accounts/mod.rs`:
- Around line 225-244: In open_in_system_browser, the macOS branch logs that it
will "fall back to opener plugin" on Err but doesn't actually call the fallback;
update the Err arm of the
std::process::Command::new("/usr/bin/open").arg(url).spawn() match to invoke
tauri_plugin_opener::open_url(url, None::<&str>) and log its result (success or
error) so failures to spawn /usr/bin/open truly fall back to the plugin; keep
existing log context and include the original spawn error when reporting the
fallback outcome.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 780f0708-416a-4af6-ba4f-4827074d27a8

📥 Commits

Reviewing files that changed from the base of the PR and between c0f6e39 and 3e4a9c2.

📒 Files selected for processing (7)

• CLAUDE.md
• README.md
• app/src-tauri/src/lib.rs
• app/src-tauri/src/webview_accounts/mod.rs
• app/src-tauri/tauri.conf.json
• app/src/components/BottomTabBar.tsx
• app/src/pages/Skills.tsx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

macOS fallback logs intent but doesn't execute.

The warning message says "falling back to opener plugin" but the function returns without actually calling tauri_plugin_opener::open_url. If /usr/bin/open fails (e.g., sandboxing edge case), the URL silently drops.

🐛 Proposed fix to actually fall back

 fn open_in_system_browser(url: &str) {
     #[cfg(target_os = "macos")]
     {
         match std::process::Command::new("/usr/bin/open").arg(url).spawn() {
             Ok(_) => log::info!("[webview-accounts] opened externally (macos open): {}", url),
             Err(e) => {
                 log::warn!(
                     "[webview-accounts] /usr/bin/open {} failed: {} — falling back to opener plugin",
                     url,
                     e
                 );
+                // Actually fall back to the opener plugin
+                if let Err(e2) = tauri_plugin_opener::open_url(url, None::<&str>) {
+                    log::warn!("[webview-accounts] opener plugin fallback also failed: {}", e2);
+                }
             }
         }
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	fn open_in_system_browser(url: &str) {
	match tauri_plugin_opener::open_url(url, None::<&str>) {
	Ok(()) => log::info!("[webview-accounts] opened externally: {}", url),
	Err(e) => log::warn!("[webview-accounts] open_url({}) failed: {}", url, e),
	#[cfg(target_os = "macos")]
	{
	match std::process::Command::new("/usr/bin/open").arg(url).spawn() {
	Ok(_) => log::info!("[webview-accounts] opened externally (macos open): {}", url),
	Err(e) => log::warn!(
	"[webview-accounts] /usr/bin/open {} failed: {} — falling back to opener plugin",
	url,
	e
	),
	}
	}
	#[cfg(not(target_os = "macos"))]
	{
	match tauri_plugin_opener::open_url(url, None::<&str>) {
	Ok(()) => log::info!("[webview-accounts] opened externally: {}", url),
	Err(e) => log::warn!("[webview-accounts] open_url({}) failed: {}", url, e),
	}
	}
	}
	fn open_in_system_browser(url: &str) {
	#[cfg(target_os = "macos")]
	{
	match std::process::Command::new("/usr/bin/open").arg(url).spawn() {
	Ok(_) => log::info!("[webview-accounts] opened externally (macos open): {}", url),
	Err(e) => {
	log::warn!(
	"[webview-accounts] /usr/bin/open {} failed: {} — falling back to opener plugin",
	url,
	e
	);
	// Actually fall back to the opener plugin
	if let Err(e2) = tauri_plugin_opener::open_url(url, None::<&str>) {
	log::warn!("[webview-accounts] opener plugin fallback also failed: {}", e2);
	}
	}
	}
	}
	#[cfg(not(target_os = "macos"))]
	{
	match tauri_plugin_opener::open_url(url, None::<&str>) {
	Ok(()) => log::info!("[webview-accounts] opened externally: {}", url),
	Err(e) => log::warn!("[webview-accounts] open_url({}) failed: {}", url, e),
	}
	}
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/src-tauri/src/webview_accounts/mod.rs` around lines 225 - 244, In
open_in_system_browser, the macOS branch logs that it will "fall back to opener
plugin" on Err but doesn't actually call the fallback; update the Err arm of the
std::process::Command::new("/usr/bin/open").arg(url).spawn() match to invoke
tauri_plugin_opener::open_url(url, None::<&str>) and log its result (success or
error) so failures to spawn /usr/bin/open truly fall back to the plugin; keep
existing log context and include the original spawn error when reporting the
fallback outcome.