haltija 1.3.0-beta.7 → 1.3.0-beta.9

package/README.md

@@ -141,9 +141,9 @@ Raw DOM events are noise. Haltija aggregates them into intent:
 
 Screenshots include a chyron (title, URL, timestamp) so agents always know what they're looking at. Disable with `chyron: false` for clean captures.
 
-### Multi-Window & Session Affinity
+### Multi-Window
 
-Control multiple tabs. Session headers (`X-Haltija-Session`) give agents sticky window targeting — no need to specify window ID every call.
+Control multiple tabs. The focused tab receives untargeted commands; pass `?window=<id>` (REST) or `--window <id>` (CLI) to target a specific tab.
 
 ### Selection Tool
 
@@ -190,6 +190,59 @@ Your agent uses the same `hj` commands either way — it doesn't know or care wh
 
 ---
 
+## Embed Haltija in Your Own App
+
+Building a tool, dev environment, or product that wants an agent eye built in? Run a haltija server on a port you choose and import the widget directly. Two flavours:
+
+```js
+// Visible — widget renders its own UI in the corner
+import { inject } from 'haltija/component'
+inject('ws://localhost:9123/ws/browser')
+
+// Headless — widget is present but invisible; agent still has full control
+inject('ws://localhost:9123/ws/browser', { mode: 'headless' })
+```
+
+Or via HTML, no JS required:
+
+```html
+<haltija-dev server="ws://localhost:9123/ws/browser"></haltija-dev>
+```
+
+Tell `hj` which server to talk to (per-shell):
+
+```bash
+# Named instance — recommended, no port juggling
+haltija --name dashboard --server     # in one shell: register as "dashboard"
+export HALTIJA_NAME=dashboard          # in your other shells
+hj tree                                # finds dashboard via ~/.haltija/servers/
+
+# Port-based — if you'd rather pin a number
+haltija --port 9123 --server
+export HALTIJA_PORT=9123
+hj tree
+```
+
+If you don't pass `--port`, haltija tries 8700 first and falls back to a kernel-assigned ephemeral port — `--name` records whichever port it ends up on so `hj` can find it. A different shell can target a different project; there's no global state, just one named instance per haltija server.
+
+**Production embedding.** When haltija is reachable beyond loopback, gate it with a shared-secret token:
+
+```bash
+haltija --port 9123 --token $(openssl rand -hex 16) --server
+```
+
+```js
+inject('ws://your-host:9123/ws/browser', { token: 'same-secret' })
+```
+
+```bash
+HALTIJA_TOKEN=same-secret hj tree
+```
+
+The server rejects every REST/WebSocket request without a matching `X-Haltija-Token` (or `?token=` for WebSockets). This is a stub — provide your own TLS, key rotation, and per-agent identity if you need them.
+
+---
+
 ## Installation
 
 ```bash
@@ -200,6 +253,7 @@ npm install -g haltija     # Install globally
 # Server options
 haltija --https            # HTTPS mode
 haltija --port 3000        # Custom port
+haltija --token <secret>   # Require X-Haltija-Token on every request
 haltija --headless         # For CI pipelines
 haltija --setup-mcp        # Configure Claude Desktop
 ```
@@ -241,6 +295,30 @@ hj --help                     # CLI subcommand reference
 
 ---
 
+## 1.3.0-beta.8 — change of direction
+
+Earlier 1.3 betas tried to support multiple agents on a single haltija server by issuing each widget a *session token* and routing requests by `X-Haltija-Session`. The model was load-bearing but leaky — six of the last fifteen commits before this release were firefighting session-isolation regressions.
+
+beta.8 deletes the entire mechanism and replaces it with **process boundaries**: each project runs its own haltija server, and the agent talks to the right one by **port** or by **name**.
+
+```bash
+haltija --name dashboard --server     # one project, registers itself in ~/.haltija/servers/
+HALTIJA_NAME=dashboard hj tree         # any shell can address it by name
+```
+
+What this means for you, depending on how you used 1.3.0-beta.7:
+
+- **`bunx haltija` desktop app** — works the same; no migration needed. The outer "chrome" widget that lets the app inspect itself now lives on a separate internal port (8701) so it never appears in agent-facing window listings.
+- **`HALTIJA_SESSION` / `--session` / `--secure` / the click-to-copy session badge** — gone. If you were setting `HALTIJA_SESSION` in your shell, replace it with `HALTIJA_NAME` (and start the server with `--name <foo>`) or `HALTIJA_PORT`.
+- **`inject(url, { session })`** — the `session` option is removed. If you need auth, use `inject(url, { token })` (matches `haltija --token <secret>`); for embedding without auth, just `inject(url)` or `inject(url, { mode: 'headless' })`.
+- **`hj-chrome` exclusion logic** — gone from the public REST API. To inspect the desktop app's outer UI from `hj`, target the internal port directly: `HALTIJA_PORT=8701 hj tree`.
+
+Net code change: ~830 lines removed, ~150 added back for the simpler model. Test count went up (we now have integration coverage for the token stub, named instances, and auto-port fallback that the previous betas lacked).
+
+The pre-revert state is preserved on the `multi-user-isolation` branch in case the multi-agent-on-one-server design ever needs revisiting.
+
+---
+
 ## License
 
 Apache 2.0

package/apps/desktop/main.js

@@ -33,18 +33,20 @@ process.stderr.on('error', () => {})
 const HALTIJA_PORT = parseInt(process.env.HALTIJA_PORT || '8700')
 const HALTIJA_SERVER = `http://localhost:${HALTIJA_PORT}`
 
+// Internal port for the chrome widget (the haltija UI inspecting itself).
+// Lives on a separate server so it never appears in agent-facing window lists
+// — agents see only content tabs unless they explicitly target this port.
+const HALTIJA_INTERNAL_PORT = parseInt(process.env.HALTIJA_INTERNAL_PORT || '8701')
+const HALTIJA_INTERNAL_SERVER = `http://localhost:${HALTIJA_INTERNAL_PORT}`
+
 // Unique app instance ID - used to create stable window IDs across navigations
 // Combined with webContents.id to create globally unique tab identifiers
 const APP_INSTANCE_ID = `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 6)}`
 
-// Pending session: when an agent opens a tab with a session, store it here
-// so injectWidget can include it in the widget config for the next new tab
-let pendingTabSession = null
-
-// Stable session per webContents — persists across navigations within the same tab.
-// Without this, each page load re-injects the widget with a new random session,
-// causing agents to lose track of their tab and open duplicates.
-const tabSessions = new Map() // webContents.id → session string
+// Pending navigate-url requests: main asks renderer to route a navigation,
+// then awaits a result so the widget's promise resolves with real success/failure.
+const pendingNavigates = new Map()
+let navigateRequestId = 0
 
 // ============================================
 // Preferences
@@ -64,7 +66,7 @@ const DEFAULT_PREFS = {
 const prefs = { ...DEFAULT_PREFS }
 
 let mainWindow = null
-let embeddedServer = null
+const embeddedServers = []
 
 // ============================================
 // MCP Setup for Claude Desktop
@@ -779,23 +781,6 @@ async function injectWidget(webContents) {
     const wsUrl = HALTIJA_SERVER.replace('http:', 'ws:') + '/ws/browser'
     const windowId = `hj-${APP_INSTANCE_ID}-${webContents.id}`
     const configObj = { serverUrl: wsUrl, windowId, mode: 'headless' }
-    // Session priority: pending session from agent's tabs/open > previously used session for this tab > env var > auto-generate
-    // Stable session per tab prevents agents from losing their window after navigation.
-    if (pendingTabSession) {
-      configObj.session = pendingTabSession
-      tabSessions.set(webContents.id, pendingTabSession)
-      pendingTabSession = null // Consume — only applies to the next tab
-    } else if (tabSessions.has(webContents.id)) {
-      configObj.session = tabSessions.get(webContents.id)
-    } else if (process.env.HALTIJA_SESSION) {
-      configObj.session = process.env.HALTIJA_SESSION
-      tabSessions.set(webContents.id, process.env.HALTIJA_SESSION)
-    } else {
-      // Generate a stable session for this tab so it survives navigations
-      const generated = Math.random().toString(36).slice(2, 10)
-      configObj.session = generated
-      tabSessions.set(webContents.id, generated)
-    }
     await webContents.executeJavaScript(
       `window.__haltija_config__ = ${JSON.stringify(configObj)};`,
     )
@@ -928,25 +913,39 @@ function setupScreenCapture() {
   })
 
   // Navigate URL with smart fallback (called from widget in webview)
-  // Routes through renderer's navigate() which has https->http fallback
-  // Passes the sender's webContentsId so the renderer navigates the correct tab
+  // Routes through renderer's navigate() which has https->http fallback.
+  // Awaits a result from the renderer so failures (no matching tab, terminal
+  // tab targeted, etc.) propagate back to the widget — and to `hj navigate`.
   ipcMain.handle('navigate-url', async (event, url) => {
-    if (!mainWindow) return { success: false, error: 'No window' }
+    if (!mainWindow) throw new Error('No window')
+
+    const id = ++navigateRequestId
+    const senderWcId = event.sender.id
+    const result = await new Promise((resolve) => {
+      const timeout = setTimeout(() => {
+        pendingNavigates.delete(id)
+        resolve({ success: false, error: 'navigate-url: renderer did not respond within 5s' })
+      }, 5000)
+      pendingNavigates.set(id, { resolve, timeout })
+      mainWindow.webContents.send('navigate-url', { id, url, webContentsId: senderWcId })
+    })
 
-    try {
-      const senderWcId = event.sender.id
-      mainWindow.webContents.send('navigate-url', { url, webContentsId: senderWcId })
-      return { success: true }
-    } catch (err) {
-      return { success: false, error: err.message }
-    }
+    if (!result.success) throw new Error(result.error || 'Navigation failed')
+    return result
+  })
+
+  ipcMain.on('navigate-url-result', (event, { id, success, error }) => {
+    const pending = pendingNavigates.get(id)
+    if (!pending) return
+    clearTimeout(pending.timeout)
+    pendingNavigates.delete(id)
+    pending.resolve({ success, error })
   })
 
   // Tab management — forwarded to renderer
-  ipcMain.handle('open-tab', async (event, url, session) => {
+  ipcMain.handle('open-tab', async (event, url) => {
     if (!mainWindow) return false
-    if (session) pendingTabSession = session
-    mainWindow.webContents.send('open-tab', { url, session })
+    mainWindow.webContents.send('open-tab', { url })
     return true
   })
 
@@ -1164,6 +1163,62 @@ function checkServerRunning() {
   })
 }
 
+/**
+ * Spawn a single haltija server subprocess on a given port.
+ * Stdout/stderr are piped to the desktop app's console with a label, and
+ * `__NEED_WINDOW__` from the public server triggers window recreation.
+ */
+function spawnHaltijaServer({ port, role, serverPath, useCompiledBinary, componentDir }) {
+  const env = { ...process.env, PORT: port.toString(), HALTIJA_DESKTOP: '1' }
+  let proc
+  if (serverPath && useCompiledBinary) {
+    proc = spawn(serverPath, [], {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      cwd: componentDir || path.dirname(serverPath),
+      env,
+    })
+  } else if (serverPath) {
+    proc = spawn('bun', ['run', serverPath], {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      env,
+    })
+  } else {
+    proc = spawn('bunx', ['haltija', '--port', port.toString()], {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      env,
+    })
+  }
+
+  const label = `[${role} server]`
+
+  proc.stdout.on('data', (data) => {
+    try {
+      const text = data.toString().trim()
+      console.log(`${label} ${text}`)
+      if (role === 'public' && text.includes('__NEED_WINDOW__') && BrowserWindow.getAllWindows().length === 0) {
+        console.log('[Haltija Desktop] Server requested window, recreating...')
+        createWindow()
+      }
+    } catch {}
+  })
+  proc.stderr.on('data', (data) => {
+    try { console.error(`${label} ${data.toString().trim()}`) } catch {}
+  })
+  proc.stdout.on('error', () => {})
+  proc.stderr.on('error', () => {})
+  proc.on('error', (err) => {
+    console.error(`[Haltija Desktop] Failed to start ${role} server:`, err)
+  })
+  proc.on('exit', (code) => {
+    console.log(`[Haltija Desktop] ${role} server exited with code ${code}`)
+    const idx = embeddedServers.indexOf(proc)
+    if (idx !== -1) embeddedServers.splice(idx, 1)
+  })
+
+  embeddedServers.push(proc)
+  return proc
+}
+
 /**
  * Start embedded Haltija server
  */
@@ -1204,7 +1259,6 @@ async function startEmbeddedServer() {
     serverPath || 'fallback to bunx',
   )
 
-  // Find component.js - server needs this to inject session ID
   const componentPaths = [
     path.join(process.resourcesPath || '', 'component.js'),
     path.join(__dirname, 'resources', 'component.js'),
@@ -1218,68 +1272,11 @@ async function startEmbeddedServer() {
     }
   }
 
-  if (serverPath && useCompiledBinary) {
-    // Run compiled standalone binary with cwd set to find component.js
-    embeddedServer = spawn(serverPath, [], {
-      stdio: ['ignore', 'pipe', 'pipe'],
-      cwd: componentDir || path.dirname(serverPath),
-      env: { ...process.env, PORT: HALTIJA_PORT.toString() },
-    })
-  } else if (serverPath) {
-    // Run with bun (development)
-    embeddedServer = spawn('bun', ['run', serverPath], {
-      stdio: ['ignore', 'pipe', 'pipe'],
-      env: { ...process.env, PORT: HALTIJA_PORT.toString() },
-    })
-  } else {
-    // Fallback to bunx haltija
-    embeddedServer = spawn(
-      'bunx',
-      ['haltija', '--port', HALTIJA_PORT.toString()],
-      {
-        stdio: ['ignore', 'pipe', 'pipe'],
-      },
-    )
-  }
-
-  embeddedServer.stdout.on('data', (data) => {
-    try {
-      const text = data.toString().trim()
-      console.log(`[Server] ${text}`)
-      // Server signals it needs a window but none exist (app alive, all windows closed).
-      // Re-create the main window so the agent has something to work with.
-      if (text.includes('__NEED_WINDOW__') && BrowserWindow.getAllWindows().length === 0) {
-        console.log('[Haltija Desktop] Server requested window, recreating...')
-        createWindow()
-      }
-    } catch (e) {
-      // Ignore write errors when app is closing
-    }
-  })
-
-  embeddedServer.stderr.on('data', (data) => {
-    try {
-      console.error(`[Server] ${data.toString().trim()}`)
-    } catch (e) {
-      // Ignore write errors when app is closing
-    }
-  })
-
-  embeddedServer.stdout.on('error', () => {})
-  embeddedServer.stderr.on('error', () => {})
-
-  embeddedServer.on('error', (err) => {
-    console.error('[Haltija Desktop] Failed to start server:', err)
-  })
+  spawnHaltijaServer({ port: HALTIJA_PORT, role: 'public', serverPath, useCompiledBinary, componentDir })
+  spawnHaltijaServer({ port: HALTIJA_INTERNAL_PORT, role: 'internal', serverPath, useCompiledBinary, componentDir })
 
-  embeddedServer.on('exit', (code) => {
-    if (embeddedServer) {
-      console.log(`[Haltija Desktop] Server exited with code ${code}`)
-      embeddedServer = null
-    }
-  })
-
-  // Wait for server to be ready
+  // Wait for the public server to be ready (the internal one is best-effort —
+  // the chrome widget will retry until it connects).
   for (let i = 0; i < 30; i++) {
     await new Promise((r) => setTimeout(r, 200))
     if (await checkServerRunning()) {
@@ -1295,49 +1292,48 @@ async function startEmbeddedServer() {
 /**
  * Ensure Haltija server is available
  */
-async function killZombieServer() {
-  if (os.platform() === 'win32') return
+async function killZombieOnPort(port) {
+  if (os.platform() === 'win32') return true
 
   const { execSync } = require('child_process')
-  
-  // Try up to 3 times to kill the process
+
   for (let attempt = 1; attempt <= 3; attempt++) {
     try {
-      const pids = execSync(`lsof -ti:${HALTIJA_PORT} 2>/dev/null`, { encoding: 'utf-8' }).trim()
+      const pids = execSync(`lsof -ti:${port} 2>/dev/null`, { encoding: 'utf-8' }).trim()
       if (!pids) {
-        console.log(`[Haltija Desktop] Port ${HALTIJA_PORT} is free`)
+        console.log(`[Haltija Desktop] Port ${port} is free`)
         return true
       }
-      
-      console.log(`[Haltija Desktop] Attempt ${attempt}: Killing process(es) on port ${HALTIJA_PORT}: ${pids.replace(/\n/g, ', ')}`)
-      
-      // Use SIGTERM first, then SIGKILL if needed
+
+      console.log(`[Haltija Desktop] Attempt ${attempt}: Killing process(es) on port ${port}: ${pids.replace(/\n/g, ', ')}`)
+
       const signal = attempt < 3 ? '' : '-9'
-      execSync(`lsof -ti:${HALTIJA_PORT} | xargs kill ${signal} 2>/dev/null`, { encoding: 'utf-8' })
-      
-      // Wait for process to die
+      execSync(`lsof -ti:${port} | xargs kill ${signal} 2>/dev/null`, { encoding: 'utf-8' })
+
       await new Promise(r => setTimeout(r, 500 * attempt))
-      
-      // Check if port is now free
+
       try {
-        execSync(`lsof -ti:${HALTIJA_PORT} 2>/dev/null`, { encoding: 'utf-8' })
-        // Still occupied, continue trying
+        execSync(`lsof -ti:${port} 2>/dev/null`, { encoding: 'utf-8' })
       } catch {
-        // No process found = success
-        console.log(`[Haltija Desktop] Port ${HALTIJA_PORT} freed successfully`)
+        console.log(`[Haltija Desktop] Port ${port} freed successfully`)
         return true
       }
     } catch {
-      // lsof found nothing = port is free
-      console.log(`[Haltija Desktop] Port ${HALTIJA_PORT} is free`)
+      console.log(`[Haltija Desktop] Port ${port} is free`)
       return true
     }
   }
-  
-  console.error(`[Haltija Desktop] Warning: Could not free port ${HALTIJA_PORT} after 3 attempts`)
+
+  console.error(`[Haltija Desktop] Warning: Could not free port ${port} after 3 attempts`)
   return false
 }
 
+async function killZombieServer() {
+  const publicOk = await killZombieOnPort(HALTIJA_PORT)
+  const internalOk = await killZombieOnPort(HALTIJA_INTERNAL_PORT)
+  return publicOk && internalOk
+}
+
 async function ensureServer() {
   const running = await checkServerRunning()
 
@@ -1391,6 +1387,13 @@ if (!gotTheLock) {
   // App lifecycle
   app.whenReady().then(async () => {
     console.log('[Haltija Desktop] App ready, starting initialization...')
+
+    // Clear the "manually quit" marker — user is explicitly starting Haltija,
+    // so hj should resume auto-launching when needed.
+    try {
+      const quitMarker = path.join(os.homedir(), '.haltija', 'last-quit')
+      if (fs.existsSync(quitMarker)) fs.rmSync(quitMarker, { force: true })
+    } catch {}
     
     try {
       // Start or connect to server first
@@ -1441,12 +1444,20 @@ if (!gotTheLock) {
   })
 
   app.on('will-quit', () => {
-    // Kill embedded server when app quits
-    if (embeddedServer) {
-      console.log('[Haltija Desktop] Stopping embedded server')
-      embeddedServer.kill()
-      embeddedServer = null
+    if (embeddedServers.length > 0) {
+      console.log(`[Haltija Desktop] Stopping ${embeddedServers.length} embedded server(s)`)
+      for (const proc of embeddedServers) {
+        try { proc.kill() } catch {}
+      }
+      embeddedServers.length = 0
     }
+    // Drop a marker so hj's auto-launch knows the user explicitly quit.
+    // Cleared next time the user manually starts Haltija.
+    try {
+      const dir = path.join(os.homedir(), '.haltija')
+      fs.mkdirSync(dir, { recursive: true })
+      fs.writeFileSync(path.join(dir, 'last-quit'), String(Date.now()))
+    } catch {}
   })
 
   // Handle certificate errors (for self-signed certs in dev)

package/apps/desktop/package.json

@@ -1,6 +1,7 @@
 {
   "name": "haltija-desktop",
-  "version": "1.3.0-beta.7",
+  "version": "1.3.0-beta.9",
+  "private": true,
   "description": "Haltija Desktop - God Mode Browser for AI Agents",
   "homepage": "https://github.com/tonioloewald/haltija",
   "author": {
@@ -43,9 +44,7 @@
       "extendInfo": {
         "CFBundleIconName": "AppIcon"
       },
-      "notarize": {
-        "teamId": "TSAD7CQ4HH"
-      },
+      "notarize": true,
       "target": [
         {
           "target": "dmg",

package/apps/desktop/preload.js

@@ -13,6 +13,8 @@ const webviewPreloadPath = __dirname + '/webview-preload.js'
 contextBridge.exposeInMainWorld('haltija', {
   // Path to webview preload script
   webviewPreloadPath: webviewPreloadPath,
+  // Internal-server port (chrome widget connects here, hidden from public agent traffic)
+  internalPort: parseInt(process.env.HALTIJA_INTERNAL_PORT || '8701'),
   // Navigation
   navigate: (url) => ipcRenderer.send('navigate', url),
   goBack: () => ipcRenderer.send('go-back'),
@@ -62,7 +64,8 @@ contextBridge.exposeInMainWorld('haltija', {
   
   // Navigation (from widget via main process) - uses renderer's smart navigate with fallback
   onNavigateUrl: (callback) => ipcRenderer.on('navigate-url', (event, data) => callback(data)),
-  
+  navigateUrlResult: (result) => ipcRenderer.send('navigate-url-result', result),
+
   // Tab management from widget (via main process)
   onOpenTab: (callback) => ipcRenderer.on('open-tab', (event, data) => callback(data)),
   onCloseTab: (callback) => ipcRenderer.on('close-tab', (event, data) => callback(data)),

package/apps/desktop/renderer/tabs.js

@@ -357,14 +357,16 @@ export function getActiveWebview() {
 
 export function navigate(url, tabId = activeTabId) {
   const tab = tabs.find((t) => t.id === tabId)
-  if (!tab) return
+  if (!tab) {
+    const error = `navigate: no tab found for id ${tabId}`
+    console.error('[Haltija]', error)
+    return { success: false, error }
+  }
 
-  // Never navigate terminal/agent iframes — they aren't browser tabs
   if (tab.isTerminal) {
-    console.warn('[Haltija] Refusing to navigate terminal tab, finding content tab instead')
-    const contentTab = tabs.find(t => !t.isTerminal)
-    if (contentTab) return navigate(url, contentTab.id)
-    return
+    const error = `navigate: refusing to navigate terminal/agent tab ${tabId}`
+    console.error('[Haltija]', error)
+    return { success: false, error }
   }
 
   let addedHttps = false
@@ -406,6 +408,8 @@ export function navigate(url, tabId = activeTabId) {
   if (tabId === activeTabId && !tab.isTerminal) {
     el.urlInput.value = tab.url
   }
+
+  return { success: true }
 }
 
 export async function changeTerminalDirectory(tab, path) {

package/apps/desktop/renderer.js

@@ -35,33 +35,31 @@ createTab()
 // Periodic status check
 setInterval(checkHaltija, 5000)
 
-// Inject outer widget (headless) into the renderer for persistence + self-inspection
-// Lives in the Electron chrome, survives page navigations, can inspect the app's own UI
+// Inject outer widget (headless) into the renderer for persistence + self-inspection.
+// Connects to the *internal* server (default port 8701) so it doesn't appear in
+// agent-facing window lists on the public server. To inspect the outer Haltija
+// UI from `hj`, target the internal port: HALTIJA_PORT=8701 hj tree
 ;(async function injectOuterWidget() {
-  const serverUrl = getServerUrl()
-  try {
-    const resp = await fetch(`${serverUrl}/component.js`)
+  const internalPort = window.haltija?.internalPort || 8701
+  const internalUrl = getServerUrl().replace(/:\d+/, `:${internalPort}`)
+  const wsUrl = internalUrl.replace('http:', 'ws:') + '/ws/browser'
+  const tryInject = async () => {
+    const resp = await fetch(`${internalUrl}/component.js`)
     if (!resp.ok) throw new Error(`${resp.status}`)
-    const wsUrl = serverUrl.replace('http:', 'ws:') + '/ws/browser'
-    window.__haltija_config__ = { serverUrl: wsUrl, windowId: 'hj-chrome', mode: 'headless', session: 'chrome' }
+    window.__haltija_config__ = { serverUrl: wsUrl, windowId: 'hj-chrome', mode: 'headless' }
     const code = await resp.text()
     const script = document.createElement('script')
     script.textContent = code
     document.head.appendChild(script)
-    console.log('[Haltija Desktop] Outer widget injected (headless, windowId: hj-chrome)')
+  }
+  try {
+    await tryInject()
+    console.log('[Haltija Desktop] Outer widget injected (internal port, windowId: hj-chrome)')
   } catch (err) {
-    console.log('[Haltija Desktop] Outer widget deferred — server not yet ready:', err.message)
-    // Retry once after server comes up (checkHaltija runs every 5s)
+    console.log('[Haltija Desktop] Outer widget deferred — internal server not ready:', err.message)
     const retry = setInterval(async () => {
       try {
-        const resp = await fetch(`${serverUrl}/component.js`)
-        if (!resp.ok) return
-        const wsUrl = serverUrl.replace('http:', 'ws:') + '/ws/browser'
-        window.__haltija_config__ = { serverUrl: wsUrl, windowId: 'hj-chrome', mode: 'headless', session: 'chrome' }
-        const code = await resp.text()
-        const script = document.createElement('script')
-        script.textContent = code
-        document.head.appendChild(script)
+        await tryInject()
         console.log('[Haltija Desktop] Outer widget injected (retry)')
         clearInterval(retry)
       } catch { /* keep retrying */ }
@@ -165,7 +163,7 @@ document.addEventListener('keydown', (e) => {
 // ============================================
 
 // Tab management from widget (via main process IPC)
-window.haltija?.onOpenTab?.((data) => createTab(data.url, { session: data.session }))
+window.haltija?.onOpenTab?.((data) => createTab(data.url))
 window.haltija?.onCloseTab?.((data) => {
   const tab = findTabByWindowId(data.windowId)
   if (tab) closeTab(tab.id)
@@ -240,8 +238,9 @@ if (window.haltija) {
 
   window.haltija.onNavigateUrl?.((data) => {
     console.log('[Haltija Desktop] Navigate request from widget:', data.url, 'wcId:', data.webContentsId)
-    // Find the tab that owns the webview that sent the navigate request
-    // so we navigate the correct tab, not the active (possibly terminal) tab
+    // Resolve the tab that owns the webview which sent the navigate request.
+    // No fallback: silently routing to "some other tab" hides bugs and lets
+    // hj navigate report success when nothing actually navigated.
     let targetTabId = undefined
     if (data.webContentsId) {
       const match = tabs.find(t => {
@@ -251,12 +250,14 @@ if (window.haltija) {
       })
       if (match) targetTabId = match.id
     }
-    // Fallback: navigate the first non-terminal tab (never navigate a terminal/agent iframe)
     if (!targetTabId) {
-      const contentTab = tabs.find(t => !t.isTerminal)
-      if (contentTab) targetTabId = contentTab.id
+      const error = `navigate: could not resolve target tab (webContentsId: ${data.webContentsId})`
+      console.error('[Haltija Desktop]', error)
+      window.haltija.navigateUrlResult?.({ id: data.id, success: false, error })
+      return
     }
-    navigate(data.url, targetTabId)
+    const result = navigate(data.url, targetTabId)
+    window.haltija.navigateUrlResult?.({ id: data.id, success: result?.success !== false, error: result?.error })
   })
 }