fix(web): default anonymous metrics on + mint installationId unless opted out

[lefarcen]

Why

Author's use case: Checking Settings → Privacy on a local install, the 匿名 ID / Anonymous ID field showed 「已退出 / Opted out」 even though I had never clicked 「不分享 / Don't share」.

The pain: The "Opted out" label is driven purely by installationId == null (PrivacySection.tsx: value={cfg.installationId ?? t('settings.privacyOptedOut')}). An installationId is only ever minted at an explicit opt-in moment (banner accept, Settings → Share, toggling a switch on, Delete-my-data rotation) — never at install time. The daemon, meanwhile, ships a metrics+content default (app-config.ts applyTelemetryDefaults → { metrics: true, content: true }) but never mints an id. So a fresh / upgraded / never-prompted install sits with telemetry on but no id, which renders as "Opted out" — and because that id is also the distinct id, daemon-side reporting never actually stitched.

On top of that, the daemon shipping a default telemetry object trips the one-shot privacyDecisionAt migration in mergeDaemonConfig, so showPrivacyConsent (gated on privacyDecisionAt == null) is never true — the first-run disclosure banner effectively never shows. Net: the product's "data sharing on by default" never reached these users and they looked opted out.

What users will see

In Settings → Privacy, an install that has not explicitly opted out now shows a real Anonymous ID instead of "Opted out", with 匿名指标 (Anonymous metrics) and 对话和工具内容 (Conversation & tool content) on — the product default, identical to what the first-run banner's "I get it" opt-in enables. (项目产物清单 / artifact manifest stays off, as it does on that surface.) Users who previously clicked Don't share are untouched: metrics: false keeps them opted out with no id.

How

In mergeDaemonConfig (apps/web/src/state/config.ts), after merging the daemon's privacy state:

• explicitlyOptedOut = next.telemetry?.metrics === false (the shape Settings → "Don't share" persists, alongside installationId: null).
• If not opted out and there is no installationId: mint one via randomUUID() and keep the product-default channels on (metrics: true, content defaulting on, artifactManifest off), preserving any channel the user had explicitly turned off.

The merged result is persisted back by the bootstrap's syncConfigToDaemon(next), so the daemon-side reporting gate (telemetry.metrics === true) opens. Idempotent: once an id exists the block is skipped on every later boot.

This PR does not change which telemetry channels are on — the daemon already defaults metrics+content on. It only mints the missing installationId and keeps those defaults so the Settings field stops misreporting "Opted out". (An earlier revision's comment/spec claimed content stayed off; corrected per review — see thread.)

Surface area

• Web UI behavior (Settings → Privacy displayed state + effective telemetry default)
• CLI — no od privacy/consent subcommand exists today; this rides the shared /api/app-config state, so no CLI surface to add here.
• Tests

Validation

• pnpm --filter @open-design/web exec vitest run tests/state/config.test.ts → 49/49 (new specs: brand-new install defaults metrics+content on with an id and artifactManifest off; on-but-no-id mints an id; explicit opt-out preserved without an id — the first two went red before the fix).
• pnpm --filter @open-design/web exec vitest run tests/components/{App.connectors,PrivacySection,App.mediaProviders,PrivacyConsentModal}.test.tsx → 14/14
• pnpm --filter @open-design/web typecheck → clean · pnpm guard → 54/54
• Manual (real app, clean OD_DATA_DIR): clean boot auto-minted an id with no interaction (Settings showed the UUID, both toggles on); seeding an explicit opt-out (metrics:false, id:null) via PUT /api/app-config and reloading kept "Opted out" with no id; seeding the bug state (metrics:true, id:null) and reloading auto-minted an id without any toggle.

🤖 Generated with Claude Code

[Siri-Ray]

@lefarcen Thanks for tightening up the anonymous-id path here. I found one privacy-significant issue in the merge behavior that needs to be fixed before this lands: the new default-on branch can still persist content telemetry for an install with no daemon privacy state, even though this PR says only anonymous metrics should be enabled.

_{🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.}

[github-actions]

Visual regression review

Head: fa1d66c · Base: 4978e4c

Some cases used the nearest available ancestor baseline instead of the exact base SHA.

7 changed · 28 unchanged · 0 missing baseline · 0 failed

Changed cases

Case	Main	PR	Diff
visual-avatar-local-agent-list baseline 3 commit(s) behind
visual-new-project-modal baseline 3 commit(s) behind
visual-plugin-details baseline 3 commit(s) behind
visual-project-workspace baseline 3 commit(s) behind
visual-settings-byok baseline 3 commit(s) behind
visual-settings-byok-model-dropdown baseline 3 commit(s) behind
visual-settings-byok-openai baseline 3 commit(s) behind

Unchanged cases

Case	Main	PR	Diff
visual-avatar-menu baseline 3 commit(s) behind
visual-design-system-detail baseline 3 commit(s) behind
visual-design-systems baseline 3 commit(s) behind
visual-home baseline 3 commit(s) behind
visual-home-catalog baseline 3 commit(s) behind
visual-home-context-picker baseline 3 commit(s) behind
visual-home-plugin-filter baseline 3 commit(s) behind
visual-home-plugin-use-staged baseline 3 commit(s) behind
visual-home-plugin-use-with-query baseline 3 commit(s) behind
visual-home-staged-attachment baseline 3 commit(s) behind
visual-integrations baseline 3 commit(s) behind
visual-integrations-mcp baseline 3 commit(s) behind
visual-integrations-use-everywhere baseline 3 commit(s) behind
visual-onboarding-runtime baseline 3 commit(s) behind
visual-plugin-share-menu baseline 3 commit(s) behind
visual-plugins baseline 3 commit(s) behind
visual-project-avatar-model-dropdown baseline 3 commit(s) behind
visual-projects baseline 3 commit(s) behind
visual-projects-kanban baseline 3 commit(s) behind
visual-settings-execution baseline 3 commit(s) behind

Visual diff is advisory only and does not block merging.

[nettee]

I found one blocking privacy-default issue in the new mergeDaemonConfig bootstrap path: the code and PR both frame this change as auto-enabling only anonymous metrics, but the fresh-install path still carries forward the local content default. Details are inline.

_{🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.}

[lefarcen]

Hey @lefarcen — the regression write-up is clear, especially the distinction between anonymous metrics vs. the more sensitive content / artifact-manifest channels.

One PR-body follow-up before the next pass: the template parser still sees Surface area and Bug fix verification as missing, so could you tighten those two bits up in the body? In particular, please tick the applicable Surface area boxes in the expected checklist format and add a short Bug fix verification note that explicitly captures the red → green check for the fresh-install privacy-default path.

💡 To drive this PR to merge hands-free, paste this to your AI coding agent (Claude Code / Codex / opencode / Cursor …):
Take over nexu-io/open-design#4131 until it merges — read https://raw.githubusercontent.com/nexu-io/looper/main/skills/pr-takeover/SKILL.md and follow it.

[lefarcen]

Thanks @Siri-Ray @nettee — you correctly caught a code/claim mismatch: the daemon's applyTelemetryDefaults ships { metrics: true, content: true }, so the fresh-install branch persisted content: true while the comment/PR text claimed only anonymous metrics auto-enabled.

Resolved by a maintainer decision rather than forcing the channels off: metrics + content on by default is the intended product surface (it's exactly what the first-run banner's "I get it" opt-in already enables, and what the daemon has defaulted to). This PR does not change that policy — it only mints the missing installationId so Settings stops misreporting "Opted out".

Pushed fa1d66c9:

• Reworded the block comment to state the metrics+content default honestly (no more "content stays off").
• Made the content default explicit (?? true) instead of relying on the daemon value.
• Added content === true / artifactManifest === false assertions to the brand-new-install spec so the channel policy is locked and can't silently regress.
• Explicit opt-out (metrics === false) still short-circuits the whole block.

Please re-review.

[nettee]

@lefarcen I re-checked the changed ranges on the current head, and the follow-up resolves the earlier content-default mismatch cleanly: mergeDaemonConfig now matches the daemon's metrics+content default, keeps artifactManifest off, and the added state tests lock the fresh-install, missing-id, and explicit-opt-out cases to that intended behavior. I couldn't rerun the Vitest suite in this prepared worktree because apps/web/node_modules is absent here, but I don't see any remaining actionable issue in the current diff. Nice cleanup on the code/comment/test alignment.

_{🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.}

[Siri-Ray]

@lefarcen I reviewed the current changed ranges for the telemetry bootstrap fix. The follow-up now aligns mergeDaemonConfig with the daemon's existing metrics+content default, keeps artifactManifest off by default, preserves explicit opt-outs, and adds focused state coverage for the fresh-install, missing-id, and opted-out paths. I could not rerun the Vitest suite in this prepared worktree because vitest is not installed here, but the code/comment/test alignment looks sound on this head. Thanks for the careful follow-up on the privacy-default behavior.

_{🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.}