hydro13 · hydro13 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
@@ -91,7 +91,7 @@ tandem-browser/
 ### 2. Test Your Own Work
 
 - **Always compile:** `npx tsc` must be error-free before you finish
-- **Start the app:** `npm run dev` and verify startup without crashes
+- **Start the app:** `npm start` and verify startup without crashes
 - **Test API endpoints:** Use `curl` for every new or changed endpoint
 - **Test the UI:** Take a screenshot and verify it looks correct
 - **Run tests:** `npx vitest run`; all existing tests must keep passing
@@ -430,7 +430,7 @@ After each session, provide:
 ## Tested
 - ✅ npx tsc — no errors
 - ✅ npx vitest run — all tests pass
-- ✅ npm run dev — app starts without crashes
+- ✅ npm start — app starts without crashes
 - ✅ curl localhost:8765/new-endpoint — response OK
 - ⚠️ [any issues found]
 

@@ -7,6 +7,18 @@ All notable changes to Tandem Browser will be documented in this file.
 ### Added
 - `POST /tabs/open` now accepts `inheritSessionFrom` and copies IndexedDB data from the source tab into the new tab before reloading the destination, preserving Discord-style IndexedDB-backed logins.
 
+## [v0.66.0] - 2026-04-02
+
+### Added
+- `X-Tab-Id` header support for background-tab targeting on `GET /snapshot`, `GET /page-content`, `GET /page-html`, `POST /execute-js`, `POST /wait`, `GET /links`, and `GET /forms`
+- Snapshot refs now remember which tab produced them, so ref follow-up actions stay attached to the correct tab
+
+### Changed
+- `skill/SKILL.md` now reflects the current Tandem API targeting model and includes ClawHub frontmatter metadata
+
+### Fixed
+- `/find/click` and `/find/fill` now catch thrown route errors and return JSON `500` responses instead of dropping the connection
+
 ## [v0.65.5] - 2026-03-21
 
 - fix: CodeQL config — exclude security scanner modules from XSS taint analysis

@@ -23,7 +23,7 @@ The security layer exists because when an AI has access to your browser, your th
 Data stays local. Sessions are isolated. Nothing leaves the machine through Tandem without going through a filter first.
 
 **GitHub:** `hydro13/tandem-browser`  
-**Current version:** `0.57.6`  
+**Current version:** `0.66.0`  
 **Repository status:** Public developer preview  
 **Started:** February 11, 2026
 
@@ -222,6 +222,10 @@ Current route modules:
 - `sync.ts` — sync surfaces
 - `pinboards.ts` — pinboard CRUD and panel data
 
+Selected read and browser routes now accept `X-Tab-Id` so agents can target
+background tabs without stealing focus. Current support includes `/snapshot`,
+`/page-content`, `/page-html`, `/execute-js`, `/wait`, `/links`, and `/forms`.
+
 Security routes are registered separately from `src/security/routes.ts`.
 
 ---

@@ -110,6 +110,8 @@ Examples:
 - Human + AI shared browsing with one local browser session
 - Local HTTP API for tabs, navigation, screenshots, content extraction,
   sessions, devtools surfaces, and automation
+- Background-tab-safe API targeting via `X-Tab-Id` for snapshots, page reads,
+  JS evaluation, waits, links, and form inspection without forcing focus
 - Security-by-default browsing with multi-layer filtering and review points
 - OpenClaw-first runtime integration for chat, browser control, and local agent workflows
 - Local-first persistence for sessions, history, workspaces, bookmarks, and

@@ -14,7 +14,7 @@ Last updated: March 17, 2026
 
 ## Current Snapshot
 
-- Current app version: `0.62.16`
+- Current app version: `0.66.0`
 - The codebase scope is larger than this backlog summary and includes major subsystems such as `sidebar`, `workspaces`, `pinboards`, `sync`, `headless`, and `sessions`.
 - Scheduled browsing already exists in baseline form via `WatchManager` and the `/watch/*` API routes.
 - Session isolation already exists in baseline form via `SessionManager` and the `/sessions/*` API routes.
@@ -86,6 +86,7 @@ Last updated: March 17, 2026
 
 ## Recently Completed
 
+- [x] API `X-Tab-Id` targeting for `/snapshot`, `/page-content`, `/page-html`, and `/execute-js`, with background-tab-safe CDP evaluation and tab-scoped snapshot refs
 - [x] Password manager: local SQLite + AES-256-GCM vault, master password, autofill, password generator, and `GET /passwords/suggest`
 - [x] Behavioral learning models: profile compiler, typing timing model, mouse trajectory replay, and fallback humanization behavior
 - [x] SPA rendering fix for `/page-content` on dynamic pages; see `docs/archive/plans/spa-rendering-bug.md`
@@ -35,6 +35,30 @@ cookies or localStorage.
 If the source tab does not exist, Tandem still opens the tab and ignores the
 inheritance request.
 
+## `X-Tab-Id` Background Targeting
+
+Use `X-Tab-Id: <tabId>` when you want to inspect or evaluate a background tab
+without focusing it first.
+
+### Current route support
+
+- `GET /snapshot`
+- `GET /page-content`
+- `GET /page-html`
+- `POST /execute-js`
+- `POST /wait`
+- `GET /links`
+- `GET /forms`
+
+`POST /execute-js` also still accepts `tabId` in the JSON body, but the header
+is the preferred targeting mechanism.
+
+### Snapshot refs
+
+Snapshot refs now remember which tab produced them, so `/snapshot/text`,
+`/snapshot/click`, and `/snapshot/fill` keep resolving against that source tab
+instead of whichever tab happens to be active later.
+
 ## Injection Scanner Middleware
 
 The injection scanner sits on agent-facing content routes:

@@ -1,4 +1,10 @@
 #!/bin/bash
+
+branch=$(git branch --show-current)
+if [ "$branch" != "main" ]; then
+  exit 0
+fi
+
 # Auto-bump version + update CHANGELOG + update about.html on every commit
 
 # Get last commit message

@@ -1,6 +1,6 @@
 {
   "name": "tandem-browser",
-  "version": "0.65.5",
+  "version": "0.66.0",
   "description": "First-party OpenClaw companion browser for human-AI collaboration with built-in security controls",
   "main": "dist/main.js",
   "author": "Tandem Browser contributors",

@@ -476,7 +476,7 @@
   <div class="settings-header">
     <span class="logo">🧀</span>
     <h1>Tandem Settings</h1>
-    <span class="version">v0.1.0</span>
+    <span class="version">v0.66.0</span>
   </div>
 
   <nav class="settings-nav" id="settings-nav">