From fcb37d5cfe657d5cd87ac6f040f5c5a1e45b076c Mon Sep 17 00:00:00 2001
From: Garry Tan <garrytan@gmail.com>
Date: Mon, 6 Apr 2026 16:28:22 -0700
Subject: [PATCH] fix: newtab blocked by tab ownership check for scoped tokens

The tab ownership check ran before the newtab handler, checking
the active tab (owned by root) against the scoped token. Since
the scoped token doesn't own the root tab, newtab returned 403.
Skip the ownership check for newtab since it creates a new tab.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 browse/src/server.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/browse/src/server.ts b/browse/src/server.ts
index df4dccd8..161d079d 100644
--- a/browse/src/server.ts
+++ b/browse/src/server.ts
@@ -929,7 +929,8 @@ async function handleCommandInternal(
   }
 
   // ─── Tab ownership check (for scoped tokens) ──────────────
-  if (tokenInfo && tokenInfo.clientId !== 'root' && (WRITE_COMMANDS.has(command) || tokenInfo.tabPolicy === 'own-only')) {
+  // Skip for newtab — it creates a new tab, doesn't access an existing one.
+  if (command !== 'newtab' && tokenInfo && tokenInfo.clientId !== 'root' && (WRITE_COMMANDS.has(command) || tokenInfo.tabPolicy === 'own-only')) {
     const targetTab = tabId ?? browserManager.getActiveTabId();
     if (!browserManager.checkTabAccess(targetTab, tokenInfo.clientId, { isWrite: WRITE_COMMANDS.has(command), ownOnly: tokenInfo.tabPolicy === 'own-only' })) {
       return {