diff --git a/.gitignore b/.gitignore
index 28b5b26..5e30fb8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 # Binary
-bin/
+/bin/
+/browser/bin/agent-browser-*
 cdp
 
 # Go
diff --git a/.goreleaser.yml b/.goreleaser.yml
index e9af4f5..0a7d2e5 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -2,6 +2,10 @@ version: 2
 
 project_name: tap
 
+before:
+  hooks:
+    - scripts/prepare-agent-browser.sh
+
 builds:
   - main: ./cmd/tap
     binary: tap
@@ -14,6 +18,9 @@ builds:
     goarch:
       - amd64
       - arm64
+    ignore:
+      - goos: windows
+        goarch: arm64
     ldflags:
       - -s -w -X main.version={{.Version}}
 
diff --git a/AGENTS.md b/AGENTS.md
index bea295f..8b78a68 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -2,11 +2,11 @@
 
 ## Project
 
-Go CLI and library for running JS scripts against websites (QuickJS + Chrome CDP fallback) and extracting clean content from URLs via go-defuddle.
+Go CLI and library for running JS scripts against websites (QuickJS + agent-browser fallback) and extracting clean content from URLs via go-defuddle.
 
 ## Stack
 
-Go 1.26+, urfave/cli v3, QuickJS (fastschema/qjs), chromedp, go-defuddle, mise.
+Go 1.26+, urfave/cli v3, QuickJS (fastschema/qjs), agent-browser, go-defuddle, mise.
 
 ## Commands
 
@@ -35,8 +35,8 @@ Emoji-prefixed Conventional Commits: `✨ feat:`, `🐛 fix:`, `♻️ refactor:
 
 ```
 tap.go / options.go   → Client API + functional options
-transport/            → Shared HTTP + CDP browser layer
-browser/              → Persistent sessions, tabs, network interception
+transport/            → Shared HTTP + agent-browser bridge
+browser/              → agent-browser adapter, binary install, pass-through types
 engine/               → QuickJS + browser fallback
 fetch/                → URL → clean content (go-defuddle)
 cmd/tap/              → CLI (site, fetch, sync, browser)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e8c5a57..608d3a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+### Changed
+
+- **Replaced browser backend with embedded agent-browser** — removed ~4,000 lines of hand-rolled chromedp/CDP code and switched to [agent-browser](https://github.com/vercel-labs/agent-browser) as the sole browser backend. Tap embeds the native agent-browser binary for supported release platforms and lets agent-browser manage Chrome/browser installation.
+- **Removed chromedp dependency** — `go.mod` no longer depends on `chromedp/chromedp`, `chromedp/cdproto`, or `chromedp/sysutil`.
+
+### Added
+
+- **New browser pass-through commands** — `tap browser set` (viewport, device, geo, offline, headers, credentials, media), `tap browser storage` (local/session), `tap browser state` (save/load/list/show/clear), `tap browser auth` (save/login/list/show/delete), `tap browser get` (text/html/value/attr/title/url/count/box/styles), `tap browser vitals`, `tap browser diff` (snapshot/screenshot/url).
+- **Global Lightpanda engine flag** — `--lightpanda` / `--lp` selects Lightpanda as the agent-browser engine for browser-backed commands.
+
 ## [0.4.8] - 2026-05-18
 
 ### Added
diff --git a/README.md b/README.md
index ac823a2..3f8fb04 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ Upgrade later with:
 tap upgrade
 ```
 
-Browser features use Chrome by default. Check dependencies with `tap doctor`.
+Browser features use the embedded agent-browser backend. Run `tap doctor --install` to let agent-browser install browser dependencies.
 
 ## Quick start
 
@@ -54,7 +54,7 @@ tap fetch -b https://github.com/notifications
 
 ### Reuse your existing Chrome
 
-Chrome must already expose DevTools.
+agent-browser manages Chrome automatically. To attach to an existing Chrome with DevTools enabled:
 
 ```bash
 tap attach chrome
@@ -70,7 +70,6 @@ You can also attach explicitly:
 
 ```bash
 tap attach chrome --browser-url http://127.0.0.1:9222
-tap attach chrome --port-file ~/Library/Application\ Support/Google/Chrome/DevToolsActivePort
 ```
 
 ### Browser workflow
@@ -79,7 +78,7 @@ tap attach chrome --port-file ~/Library/Application\ Support/Google/Chrome/DevTo
 tap browser open https://news.ycombinator.com
 tap browser open https://github.com --new-tab
 tap browser tabs
-tap browser switch tab-2
+tap browser switch t2
 tap browser screenshot --output github.png
 tap browser status
 ```
@@ -152,9 +151,9 @@ These show up on the relevant commands instead of only in global help:
 | `--wait-selector` | Wait for a CSS selector |
 | `--wait-js` | Wait for a JS expression |
 | `--timeout` | Set execution timeout |
-| `--browser-url` | One-shot DevTools override |
+| `--browser-url` | One-shot agent-browser/DevTools connection override |
 | `--profile-dir` | One-shot profile override |
-| `--lightpanda`, `--lp` | Use Lightpanda instead of Chrome |
+| `--lightpanda`, `--lp` | Use Lightpanda as the browser engine |
 
 Compatibility aliases still work:
 - `--ws-url` -> `--browser-url`
@@ -171,16 +170,18 @@ tap browser snapshot
 tap browser forms
 tap browser cookies ...
 tap browser network ...
+tap browser set ...
+tap browser storage ...
+tap browser state ...
+tap browser auth ...
+tap browser get ...
+tap browser vitals
+tap browser diff ...
 ```
 
-## Lightpanda
+## Browser backend
 
-| Backend | Platforms | Best for |
-| --- | --- | --- |
-| Chrome | macOS, Linux, Windows | Full browser automation, auth, network interception |
-| Lightpanda | macOS, Linux | Fast headless rendering without auth-heavy flows |
-
-Install or update Lightpanda with:
+Tap embeds agent-browser as the single browser backend. Chrome is the default engine; pass `--lightpanda`/`--lp` to use Lightpanda for fast browser-backed rendering. agent-browser manages browser installation for full automation, auth, screenshots, and network workflows. Install browser dependencies with:
 
 ```bash
 tap doctor --install
diff --git a/browser/agentbrowser.go b/browser/agentbrowser.go
new file mode 100644
index 0000000..93e8f39
--- /dev/null
+++ b/browser/agentbrowser.go
@@ -0,0 +1,140 @@
+package browser
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"os/exec"
+	"slices"
+	"strings"
+)
+
+const DefaultAgentBrowserSession = "default"
+
+type AgentBrowser struct {
+	Path        string
+	SessionName string
+	ProfileDir  string
+	Headed      bool
+	Attached    bool
+	Engine      string
+}
+
+type OpenOpts struct {
+	Headed     bool
+	Headers    map[string]string
+	InitScript string
+}
+
+type ExecResult struct {
+	Stdout json.RawMessage
+	Stderr string
+}
+
+func NewAgentBrowser(path string) (*AgentBrowser, error) {
+	if path == "" {
+		resolved, err := ResolveAgentBrowserPath()
+		if err != nil {
+			return nil, err
+		}
+		path = resolved
+	}
+	return &AgentBrowser{Path: path, SessionName: DefaultAgentBrowserSession}, nil
+}
+
+func (a *AgentBrowser) Exec(ctx context.Context, args ...string) (json.RawMessage, string, error) {
+	return a.exec(ctx, nil, args...)
+}
+
+func (a *AgentBrowser) exec(ctx context.Context, stdin []byte, args ...string) (json.RawMessage, string, error) {
+	cmdArgs := a.commandArgs(args...)
+	cmd := exec.CommandContext(ctx, a.Path, cmdArgs...)
+	if stdin != nil {
+		cmd.Stdin = bytes.NewReader(stdin)
+	}
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	if err := cmd.Run(); err != nil {
+		return nil, stderr.String(), fmt.Errorf("agent-browser %s: %w: %s", strings.Join(cmdArgs, " "), err, strings.TrimSpace(stderr.String()))
+	}
+	return json.RawMessage(bytes.TrimSpace(stdout.Bytes())), stderr.String(), nil
+}
+
+func (a *AgentBrowser) commandArgs(args ...string) []string {
+	out := make([]string, 0, len(args)+8)
+	out = append(out, args...)
+	if !slices.Contains(out, "--json") {
+		out = append(out, "--json")
+	}
+	if !a.Attached && a.SessionName != "" && !hasFlag(out, "--session-name") {
+		out = append(out, "--session-name", a.SessionName)
+	}
+	if a.ProfileDir != "" && !hasFlag(out, "--profile") {
+		out = append(out, "--profile", a.ProfileDir)
+	}
+	if a.Headed && !slices.Contains(out, "--headed") {
+		out = append(out, "--headed")
+	}
+	if a.Engine != "" && !hasFlag(out, "--engine") {
+		out = append(out, "--engine", a.Engine)
+	}
+	return out
+}
+
+func hasFlag(args []string, flag string) bool {
+	for _, arg := range args {
+		if arg == flag || strings.HasPrefix(arg, flag+"=") {
+			return true
+		}
+	}
+	return false
+}
+
+func (a *AgentBrowser) Open(ctx context.Context, url string, opts OpenOpts) error {
+	args := []string{"open", url}
+	if opts.Headed {
+		args = append(args, "--headed")
+	}
+	if opts.InitScript != "" {
+		args = append(args, "--init-script", opts.InitScript)
+	}
+	for name, value := range opts.Headers {
+		args = append(args, "--headers", name+": "+value)
+	}
+	_, _, err := a.Exec(ctx, args...)
+	return err
+}
+
+func (a *AgentBrowser) Eval(ctx context.Context, js string) (any, error) {
+	out, stderr, err := a.exec(ctx, []byte(js), "eval", "--stdin")
+	if err != nil {
+		return nil, err
+	}
+	var envelope AgentBrowserEnvelope[map[string]any]
+	if err := json.Unmarshal(out, &envelope); err == nil && envelope.Success {
+		return envelope.Data["result"], nil
+	}
+	var value any
+	if err := json.Unmarshal(out, &value); err != nil {
+		return nil, fmt.Errorf("parse eval JSON: %w: %s", err, stderr)
+	}
+	return value, nil
+}
+
+func (a *AgentBrowser) GetHTML(ctx context.Context) (string, error) {
+	value, err := a.Eval(ctx, "document.documentElement.outerHTML")
+	if err != nil {
+		return "", err
+	}
+	if s, ok := value.(string); ok {
+		return s, nil
+	}
+	return "", fmt.Errorf("agent-browser html result is %T, not string", value)
+}
+
+func (a *AgentBrowser) Close(ctx context.Context) error {
+	_, _, err := a.Exec(ctx, "close")
+	return err
+}
diff --git a/browser/agentbrowser_test.go b/browser/agentbrowser_test.go
new file mode 100644
index 0000000..ec7179a
--- /dev/null
+++ b/browser/agentbrowser_test.go
@@ -0,0 +1,55 @@
+package browser
+
+import (
+	"slices"
+	"testing"
+)
+
+func TestAgentBrowserCommandArgs(t *testing.T) {
+	ab := &AgentBrowser{Path: "agent-browser", SessionName: "dev", ProfileDir: "/tmp/profile", Headed: true}
+	args := ab.commandArgs("open", "https://example.com")
+	for _, want := range []string{"open", "https://example.com", "--json", "--session-name", "dev", "--profile", "/tmp/profile", "--headed"} {
+		if !slices.Contains(args, want) {
+			t.Fatalf("args %v missing %q", args, want)
+		}
+	}
+}
+
+func TestAgentBrowserCommandArgsIncludesEngine(t *testing.T) {
+	ab := &AgentBrowser{Path: "agent-browser", SessionName: "dev", Engine: "lightpanda"}
+	args := ab.commandArgs("open", "https://example.com")
+	for _, want := range []string{"--engine", "lightpanda"} {
+		if !slices.Contains(args, want) {
+			t.Fatalf("args %v missing %q", args, want)
+		}
+	}
+}
+
+func TestAgentBrowserCommandArgsAttachedSkipsSession(t *testing.T) {
+	ab := &AgentBrowser{Path: "agent-browser", SessionName: "dev", Attached: true}
+	args := ab.commandArgs("get", "url")
+	if slices.Contains(args, "--session-name") {
+		t.Fatalf("attached args included session name: %v", args)
+	}
+}
+
+func TestAgentBrowserCommandArgsPreservesExplicitJSONAndSession(t *testing.T) {
+	ab := &AgentBrowser{Path: "agent-browser", SessionName: "dev"}
+	args := ab.commandArgs("session", "--json", "--session-name", "other")
+	if got := count(args, "--json"); got != 1 {
+		t.Fatalf("--json count = %d, want 1 in %v", got, args)
+	}
+	if got := count(args, "--session-name"); got != 1 {
+		t.Fatalf("--session-name count = %d, want 1 in %v", got, args)
+	}
+}
+
+func count(values []string, target string) int {
+	var n int
+	for _, value := range values {
+		if value == target {
+			n++
+		}
+	}
+	return n
+}
diff --git a/browser/cdp.go b/browser/cdp.go
deleted file mode 100644
index 08dcb22..0000000
--- a/browser/cdp.go
+++ /dev/null
@@ -1,752 +0,0 @@
-package browser
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"time"
-
-	"github.com/chromedp/cdproto/cdp"
-	"github.com/chromedp/cdproto/dom"
-	"github.com/chromedp/cdproto/input"
-	"github.com/chromedp/cdproto/network"
-	"github.com/chromedp/cdproto/page"
-	"github.com/chromedp/cdproto/runtime"
-	"github.com/chromedp/cdproto/target"
-	"github.com/chromedp/chromedp"
-)
-
-const TargetTypePage = "page"
-
-// TargetInfo holds metadata about a CDP target (browser tab).
-type TargetInfo struct {
-	TargetID string
-	Title    string
-	URL      string
-	Type     string
-}
-
-// ListTargets enumerates page targets in a browser reachable at debugURL.
-func ListTargets(ctx context.Context, debugURL string) ([]TargetInfo, error) {
-	bctx, cancel := withBrowser(ctx, debugURL)
-	defer cancel()
-
-	var out []TargetInfo
-	err := chromedp.Run(bctx, chromedp.ActionFunc(func(ctx context.Context) error {
-		infos, err := target.GetTargets().Do(ctx)
-		if err != nil {
-			return err
-		}
-		for _, ti := range infos {
-			if ti.Type != TargetTypePage {
-				continue
-			}
-			out = append(out, TargetInfo{
-				TargetID: string(ti.TargetID),
-				Title:    ti.Title,
-				URL:      ti.URL,
-				Type:     ti.Type,
-			})
-		}
-		return nil
-	}))
-	if err != nil {
-		return nil, fmt.Errorf("list targets: %w", err)
-	}
-	return out, nil
-}
-
-// ListTargetsHTTP enumerates page targets via the HTTP /json/list endpoint.
-// This is more compatible with Electron apps and CEF-based browsers that may
-// not support the Target.getTargets CDP command over the browser WebSocket.
-func ListTargetsHTTP(ctx context.Context, debugURL string) ([]TargetInfo, error) {
-	httpBase, err := debugURLToHTTP(debugURL)
-	if err != nil {
-		return nil, fmt.Errorf("list targets: %w", err)
-	}
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, httpBase+"/json/list", nil)
-	if err != nil {
-		return nil, fmt.Errorf("list targets: build request: %w", err)
-	}
-	client := &http.Client{Timeout: 10 * time.Second}
-	resp, err := client.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("list targets: %w", err)
-	}
-	defer func() {
-		_, _ = io.Copy(io.Discard, resp.Body)
-		_ = resp.Body.Close()
-	}()
-
-	var raw []struct {
-		ID    string `json:"id"`
-		Title string `json:"title"`
-		URL   string `json:"url"`
-		Type  string `json:"type"`
-	}
-	if err := json.NewDecoder(resp.Body).Decode(&raw); err != nil {
-		return nil, fmt.Errorf("list targets: parse response: %w", err)
-	}
-
-	out := make([]TargetInfo, 0, len(raw))
-	for _, t := range raw {
-		if t.Type != TargetTypePage {
-			continue
-		}
-		out = append(out, TargetInfo{
-			TargetID: t.ID,
-			Title:    t.Title,
-			URL:      t.URL,
-			Type:     t.Type,
-		})
-	}
-	return out, nil
-}
-
-// CreateTarget creates a new browser tab navigated to url and returns its target ID.
-func CreateTarget(ctx context.Context, debugURL string, url string) (string, error) {
-	bctx, cancel := withBrowser(ctx, debugURL)
-	defer cancel()
-
-	var id target.ID
-	err := chromedp.Run(bctx, chromedp.ActionFunc(func(ctx context.Context) error {
-		var err error
-		id, err = target.CreateTarget(url).WithBackground(true).Do(ctx)
-		return err
-	}))
-	if err != nil {
-		return "", fmt.Errorf("create target: %w", err)
-	}
-	return string(id), nil
-}
-
-// CloseTarget closes the browser tab identified by targetID.
-func CloseTarget(ctx context.Context, debugURL string, targetID string) error {
-	bctx, cancel := withBrowser(ctx, debugURL)
-	defer cancel()
-
-	// Use the browser-level executor because chromedp's tab-level Target.Execute
-	// intercepts and rejects CloseTarget commands.
-	return chromedp.Run(bctx, chromedp.ActionFunc(func(ctx context.Context) error {
-		// Use bctx (the outer chromedp context) to reach the Browser executor.
-		// The inner ctx from ActionFunc is bound to the tab-level Target executor
-		// which intercepts CloseTarget, so we need the browser-level one.
-		c := chromedp.FromContext(bctx)
-		if c == nil || c.Browser == nil {
-			return fmt.Errorf("close target: no browser connection")
-		}
-		browserCtx := cdp.WithExecutor(ctx, c.Browser)
-		if err := target.CloseTarget(target.ID(targetID)).Do(browserCtx); err != nil {
-			return fmt.Errorf("close target: %w", err)
-		}
-		return nil
-	}))
-}
-
-// NavigateTarget navigates an existing browser tab to url and waits for the body to be ready.
-func NavigateTarget(ctx context.Context, debugURL string, targetID string, url string) error {
-	if err := withTarget(ctx, debugURL, targetID,
-		chromedp.Navigate(url),
-		chromedp.WaitReady("body"),
-	); err != nil {
-		return fmt.Errorf("navigate target: %w", err)
-	}
-	return nil
-}
-
-// EvalTarget evaluates JavaScript in the context of an existing browser tab
-// and returns the result.
-func EvalTarget(ctx context.Context, debugURL string, targetID string, js string) (any, error) {
-	var result any
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.Evaluate(js, &result, func(p *runtime.EvaluateParams) *runtime.EvaluateParams {
-			return p.WithReturnByValue(true).WithAwaitPromise(true)
-		}),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("eval target: %w", err)
-	}
-	return result, nil
-}
-
-// ScreenshotTarget captures a full-page screenshot of an existing browser tab
-// and returns the PNG bytes.
-func ScreenshotTarget(ctx context.Context, debugURL string, targetID string) ([]byte, error) {
-	var buf []byte
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.FullScreenshot(&buf, 90),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("screenshot target: %w", err)
-	}
-	return buf, nil
-}
-
-// FormField describes a fillable form element on the page.
-type FormField struct {
-	Selector    string `json:"selector"`
-	Tag         string `json:"tag"`
-	Type        string `json:"type,omitempty"`
-	Name        string `json:"name,omitempty"`
-	ID          string `json:"id,omitempty"`
-	Placeholder string `json:"placeholder,omitempty"`
-	Value       string `json:"value,omitempty"`
-	Label       string `json:"label,omitempty"`
-	Required    bool   `json:"required,omitempty"`
-	Disabled    bool   `json:"disabled,omitempty"`
-	Role        string `json:"role,omitempty"`
-}
-
-// FillField pairs a CSS selector with the value to fill.
-type FillField struct {
-	Selector string
-	Value    string
-}
-
-// FormsTarget discovers fillable form elements in a browser tab.
-func FormsTarget(ctx context.Context, debugURL string, targetID string) ([]FormField, error) {
-	js := `
-(() => {
-  const els = document.querySelectorAll('input, textarea, select, button[type="submit"], button:not([type]), input[type="submit"]');
-  return [...els].map(el => {
-    const tag = el.tagName.toLowerCase();
-    let selector = "";
-    if (el.id) {
-      selector = "#" + CSS.escape(el.id);
-    } else if (el.name) {
-      selector = tag + "[name=" + JSON.stringify(el.name) + "]";
-      // Disambiguate when multiple elements share the same name (radio groups, checkboxes)
-      const dupes = document.querySelectorAll(selector);
-      if (dupes.length > 1) {
-        if (el.value) {
-          selector += "[value=" + JSON.stringify(el.value) + "]";
-        } else {
-          const idx = [...dupes].indexOf(el);
-          if (idx > 0) {
-            // nth-of-type won't work here; use a parent-scoped index
-            const parent = el.parentElement;
-            if (parent) {
-              const siblings = [...parent.querySelectorAll(selector)];
-              const sIdx = siblings.indexOf(el);
-              if (sIdx >= 0) {
-                let parentSel = parent.id ? "#" + CSS.escape(parent.id) : parent.tagName.toLowerCase();
-                selector = parentSel + " " + selector + ":nth-of-type(" + (sIdx + 1) + ")";
-              }
-            }
-          }
-        }
-      }
-    } else if (el.placeholder) {
-      selector = tag + "[placeholder=" + JSON.stringify(el.placeholder) + "]";
-    } else if (el.type === "submit" || (tag === "button" && !el.type)) {
-      const parent = el.parentElement;
-      if (parent) {
-        const siblings = [...parent.children].filter(c => c.tagName.toLowerCase() === tag);
-        const idx = siblings.indexOf(el);
-        if (idx >= 0) {
-          // Build a unique path: parent selector + child nth-of-type
-          let parentSel = "";
-          if (parent.id) {
-            parentSel = "#" + CSS.escape(parent.id);
-          } else {
-            parentSel = parent.tagName.toLowerCase();
-            const gp = parent.parentElement;
-            if (gp) {
-              const pSiblings = [...gp.children].filter(c => c.tagName.toLowerCase() === parent.tagName.toLowerCase());
-              const pIdx = pSiblings.indexOf(parent);
-              if (pIdx >= 0) parentSel += ":nth-of-type(" + (pIdx + 1) + ")";
-            }
-          }
-          selector = parentSel + " > " + tag + ":nth-of-type(" + (idx + 1) + ")";
-        }
-      }
-    }
-
-    let label = "";
-    if (el.id) {
-      const lbl = document.querySelector("label[for=" + JSON.stringify(el.id) + "]");
-      if (lbl) label = lbl.textContent.trim();
-    }
-    if (!label && el.closest("label")) {
-      label = el.closest("label").textContent.trim();
-    }
-    if (!label && el.getAttribute("aria-label")) {
-      label = el.getAttribute("aria-label");
-    }
-
-    let role = "";
-    if (tag === "button" || el.type === "submit") role = "submit";
-    else if (tag === "select") role = "select";
-    else if (tag === "textarea") role = "text";
-    else if (["text","email","password","search","tel","url","number"].includes(el.type)) role = "text";
-    else if (["checkbox","radio"].includes(el.type)) role = "toggle";
-    else if (el.type === "hidden") role = "hidden";
-    else if (el.type === "file") role = "file";
-
-    return {
-      selector: selector,
-      tag: tag,
-      type: el.type || "",
-      name: el.name || "",
-      id: el.id || "",
-      placeholder: el.placeholder || "",
-      value: tag === "select" ? el.value || "" : el.value || "",
-      label: label,
-      required: el.required || false,
-      disabled: el.disabled || false,
-      role: role,
-    };
-  }).filter(f => f.role !== "hidden" && f.selector !== "");
-})()
-`
-	var fields []FormField
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.Evaluate(js, &fields, func(p *runtime.EvaluateParams) *runtime.EvaluateParams {
-			return p.WithReturnByValue(true).WithAwaitPromise(true)
-		}),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("forms target: %w", err)
-	}
-	return fields, nil
-}
-
-// FillTarget fills form fields in a browser tab using React-compatible value setting.
-func FillTarget(ctx context.Context, debugURL string, targetID string, fields []FillField, submitSelector string) error {
-	var actions []chromedp.Action
-
-	for _, f := range fields {
-		sel := f.Selector
-		val := f.Value
-		// Use a JS snippet that sets value via native setter and dispatches events.
-		// This works with React, Vue, Angular, and vanilla HTML forms.
-		js := fmt.Sprintf(`
-(() => {
-  const el = document.querySelector(%q);
-  if (!el) throw new Error("element not found: " + %q);
-  el.focus();
-  const tag = el.tagName.toLowerCase();
-  if (tag === "select") {
-    el.value = %q;
-    el.dispatchEvent(new Event("change", { bubbles: true }));
-  } else if (el.type === "checkbox" || el.type === "radio") {
-    const want = %q;
-    if (want === "true" || want === "1" || want === "on") {
-      if (!el.checked) el.click();
-    } else {
-      if (el.checked) el.click();
-    }
-  } else {
-    const setter = (tag === "textarea")
-      ? Object.getOwnPropertyDescriptor(window.HTMLTextAreaElement.prototype, "value")?.set
-      : Object.getOwnPropertyDescriptor(window.HTMLInputElement.prototype, "value")?.set;
-    if (setter) {
-      setter.call(el, %q);
-    } else {
-      el.value = %q;
-    }
-    el.dispatchEvent(new Event("input", { bubbles: true }));
-    el.dispatchEvent(new Event("change", { bubbles: true }));
-  }
-  return true;
-})()
-`, sel, sel, val, val, val, val)
-
-		var ok bool
-		actions = append(actions, chromedp.Evaluate(js, &ok, func(p *runtime.EvaluateParams) *runtime.EvaluateParams {
-			return p.WithReturnByValue(true).WithAwaitPromise(true)
-		}))
-	}
-
-	if submitSelector != "" {
-		submitJS := fmt.Sprintf(`
-(() => {
-  const el = document.querySelector(%q);
-  if (!el) throw new Error("submit element not found: " + %q);
-  el.click();
-  return true;
-})()
-`, submitSelector, submitSelector)
-		var ok bool
-		actions = append(actions, chromedp.Evaluate(submitJS, &ok, func(p *runtime.EvaluateParams) *runtime.EvaluateParams {
-			return p.WithReturnByValue(true).WithAwaitPromise(true)
-		}))
-	}
-
-	if err := withTarget(ctx, debugURL, targetID, actions...); err != nil {
-		return fmt.Errorf("fill target: %w", err)
-	}
-	return nil
-}
-
-// GetHTMLTarget returns the outerHTML of the element matching sel, or the full
-// page HTML if sel is empty.
-func GetHTMLTarget(ctx context.Context, debugURL string, targetID string, sel string) (string, string, error) {
-	if sel == "" {
-		sel = "html"
-	}
-	js := fmt.Sprintf(`
-(() => {
-  const el = document.querySelector(%q);
-  if (!el) return {html: "", url: location.href};
-  return {html: el.outerHTML, url: location.href};
-})()
-`, sel)
-	var result struct {
-		HTML string `json:"html"`
-		URL  string `json:"url"`
-	}
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.Evaluate(js, &result, func(p *runtime.EvaluateParams) *runtime.EvaluateParams {
-			return p.WithReturnByValue(true).WithAwaitPromise(true)
-		}),
-	)
-	if err != nil {
-		return "", "", fmt.Errorf("get html target: %w", err)
-	}
-	return result.HTML, result.URL, nil
-}
-
-// KeypressTarget sends key events to the page (not a specific element).
-// The keys string uses chromedp/kb constants: "\r" for Enter, "\t" for Tab,
-// "\u001b" for Escape, etc. Regular characters are sent as-is.
-func KeypressTarget(ctx context.Context, debugURL string, targetID string, keys string) error {
-	if err := withTarget(ctx, debugURL, targetID,
-		chromedp.KeyEvent(keys),
-	); err != nil {
-		return fmt.Errorf("keypress target: %w", err)
-	}
-	return nil
-}
-
-// DialogTarget accepts or dismisses a pending JavaScript dialog (alert/confirm/prompt).
-// For prompt dialogs, promptText is entered before accepting.
-func DialogTarget(ctx context.Context, debugURL string, targetID string, accept bool, promptText string) error {
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.ActionFunc(func(ctx context.Context) error {
-			p := page.HandleJavaScriptDialog(accept)
-			if promptText != "" {
-				p = p.WithPromptText(promptText)
-			}
-			return p.Do(ctx)
-		}),
-	)
-	if err != nil {
-		return fmt.Errorf("dialog target: %w", err)
-	}
-	return nil
-}
-
-// CookieEntry represents a browser cookie for JSON output.
-type CookieEntry struct {
-	Name     string  `json:"name"`
-	Value    string  `json:"value"`
-	Domain   string  `json:"domain"`
-	Path     string  `json:"path"`
-	Expires  float64 `json:"expires"`
-	HTTPOnly bool    `json:"httpOnly"`
-	Secure   bool    `json:"secure"`
-	Session  bool    `json:"session"`
-	SameSite string  `json:"sameSite,omitempty"`
-}
-
-// GetCookiesTarget returns all cookies for the current page.
-func GetCookiesTarget(ctx context.Context, debugURL string, targetID string) ([]CookieEntry, error) {
-	var cookies []CookieEntry
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.ActionFunc(func(ctx context.Context) error {
-			raw, err := network.GetCookies().Do(ctx)
-			if err != nil {
-				return err
-			}
-			for _, c := range raw {
-				cookies = append(cookies, CookieEntry{
-					Name:     c.Name,
-					Value:    c.Value,
-					Domain:   c.Domain,
-					Path:     c.Path,
-					Expires:  c.Expires,
-					HTTPOnly: c.HTTPOnly,
-					Secure:   c.Secure,
-					Session:  c.Session,
-					SameSite: string(c.SameSite),
-				})
-			}
-			return nil
-		}),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("get cookies target: %w", err)
-	}
-	return cookies, nil
-}
-
-// SetCookieTarget sets a cookie on the page.
-func SetCookieTarget(ctx context.Context, debugURL string, targetID string, name, value, domain, path string) error {
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.ActionFunc(func(ctx context.Context) error {
-			p := network.SetCookie(name, value)
-			if domain != "" {
-				p = p.WithDomain(domain)
-			}
-			if path != "" {
-				p = p.WithPath(path)
-			}
-			return p.Do(ctx)
-		}),
-	)
-	if err != nil {
-		return fmt.Errorf("set cookie target: %w", err)
-	}
-	return nil
-}
-
-// ClearCookiesTarget deletes all cookies for the current page.
-func ClearCookiesTarget(ctx context.Context, debugURL string, targetID string) error {
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.ActionFunc(func(ctx context.Context) error {
-			raw, err := network.GetCookies().Do(ctx)
-			if err != nil {
-				return err
-			}
-			for _, c := range raw {
-				if err := network.DeleteCookies(c.Name).WithDomain(c.Domain).WithPath(c.Path).Do(ctx); err != nil {
-					return fmt.Errorf("delete cookie %q: %w", c.Name, err)
-				}
-			}
-			return nil
-		}),
-	)
-	if err != nil {
-		return fmt.Errorf("clear cookies target: %w", err)
-	}
-	return nil
-}
-
-// PDFTarget saves the current page as PDF and returns the bytes.
-func PDFTarget(ctx context.Context, debugURL string, targetID string, landscape bool, printBackground bool, scale float64) ([]byte, error) {
-	var buf []byte
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.ActionFunc(func(ctx context.Context) error {
-			params := page.PrintToPDF().
-				WithLandscape(landscape).
-				WithPrintBackground(printBackground)
-			if scale > 0 {
-				params = params.WithScale(scale)
-			}
-			data, _, err := params.Do(ctx)
-			if err != nil {
-				return err
-			}
-			buf = data
-			return nil
-		}),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("pdf target: %w", err)
-	}
-	return buf, nil
-}
-
-// ClickTarget dispatches a real mouse click on the first element matching sel.
-// chromedp.Click sends the full mouseMoved → mousePressed → mouseReleased sequence.
-func ClickTarget(ctx context.Context, debugURL string, targetID string, sel string) error {
-	if err := withTarget(ctx, debugURL, targetID,
-		chromedp.Click(sel, chromedp.ByQuery, chromedp.NodeVisible),
-	); err != nil {
-		return fmt.Errorf("click target: %w", err)
-	}
-	return nil
-}
-
-// TypeTarget sends individual key events to the element matching sel.
-// Unlike FillTarget which sets .value directly, this dispatches keyDown/keyUp
-// per character — behaving like a real user typing.
-func TypeTarget(ctx context.Context, debugURL string, targetID string, sel string, text string) error {
-	if err := withTarget(ctx, debugURL, targetID,
-		chromedp.Click(sel, chromedp.ByQuery, chromedp.NodeVisible),
-		chromedp.SendKeys(sel, text, chromedp.ByQuery),
-	); err != nil {
-		return fmt.Errorf("type target: %w", err)
-	}
-	return nil
-}
-
-// HoverTarget moves the mouse to the center of the element matching sel,
-// dispatching mouseMoved events that trigger CSS :hover states and mouseenter listeners.
-func HoverTarget(ctx context.Context, debugURL string, targetID string, sel string) error {
-	var nodes []*cdp.Node
-	if err := withTarget(ctx, debugURL, targetID,
-		chromedp.Nodes(sel, &nodes, chromedp.ByQuery, chromedp.NodeVisible),
-		chromedp.ActionFunc(func(ctx context.Context) error {
-			if len(nodes) == 0 {
-				return fmt.Errorf("no element matching %q", sel)
-			}
-			box, err := dom.GetBoxModel().WithNodeID(nodes[0].NodeID).Do(ctx)
-			if err != nil {
-				return fmt.Errorf("get box model: %w", err)
-			}
-			c := box.Content
-			x := (c[0] + c[2] + c[4] + c[6]) / 4
-			y := (c[1] + c[3] + c[5] + c[7]) / 4
-			return chromedp.MouseEvent(input.MouseMoved, x, y).Do(ctx)
-		}),
-	); err != nil {
-		return fmt.Errorf("hover target: %w", err)
-	}
-	return nil
-}
-
-// ScrollTarget scrolls the element matching sel into view. If sel is empty,
-// scrolls to the given x,y pixel coordinates.
-func ScrollTarget(ctx context.Context, debugURL string, targetID string, sel string, x, y float64) error {
-	var actions []chromedp.Action
-	if sel != "" {
-		actions = append(actions, chromedp.ScrollIntoView(sel, chromedp.ByQuery))
-	} else {
-		js := fmt.Sprintf("window.scrollTo(%f, %f)", x, y)
-		var ignore any
-		actions = append(actions, chromedp.Evaluate(js, &ignore))
-	}
-	if err := withTarget(ctx, debugURL, targetID, actions...); err != nil {
-		return fmt.Errorf("scroll target: %w", err)
-	}
-	return nil
-}
-
-// SelectTarget selects an option in a <select> element by value, dispatching
-// focus, input, and change events.
-func SelectTarget(ctx context.Context, debugURL string, targetID string, sel string, value string) error {
-	js := fmt.Sprintf(`
-(() => {
-  const el = document.querySelector(%q);
-  if (!el) throw new Error("element not found: " + %q);
-  if (el.tagName.toLowerCase() !== "select") throw new Error("element is not a <select>");
-  el.focus();
-  el.value = %q;
-  el.dispatchEvent(new Event("input", { bubbles: true }));
-  el.dispatchEvent(new Event("change", { bubbles: true }));
-  return true;
-})()
-`, sel, sel, value)
-	var ok bool
-	if err := withTarget(ctx, debugURL, targetID,
-		chromedp.Evaluate(js, &ok, func(p *runtime.EvaluateParams) *runtime.EvaluateParams {
-			return p.WithReturnByValue(true).WithAwaitPromise(true)
-		}),
-	); err != nil {
-		return fmt.Errorf("select target: %w", err)
-	}
-	return nil
-}
-
-// WaitForTarget waits until the element matching sel is visible in the tab.
-// The caller controls the deadline via ctx.
-func WaitForTarget(ctx context.Context, debugURL string, targetID string, sel string, timeout time.Duration) error {
-	waitCtx := ctx
-	if timeout > 0 {
-		var cancel context.CancelFunc
-		waitCtx, cancel = context.WithTimeout(ctx, timeout)
-		defer cancel()
-	}
-	if err := withTarget(waitCtx, debugURL, targetID,
-		chromedp.WaitVisible(sel, chromedp.ByQuery),
-	); err != nil {
-		return fmt.Errorf("wait for target: %w", err)
-	}
-	return nil
-}
-
-// BackTarget navigates the tab backwards in history.
-func BackTarget(ctx context.Context, debugURL string, targetID string) error {
-	if err := withTarget(ctx, debugURL, targetID,
-		chromedp.NavigateBack(),
-	); err != nil {
-		return fmt.Errorf("back target: %w", err)
-	}
-	return nil
-}
-
-// ForwardTarget navigates the tab forwards in history.
-func ForwardTarget(ctx context.Context, debugURL string, targetID string) error {
-	if err := withTarget(ctx, debugURL, targetID,
-		chromedp.NavigateForward(),
-	); err != nil {
-		return fmt.Errorf("forward target: %w", err)
-	}
-	return nil
-}
-
-// ReloadTarget reloads the current page in the tab.
-func ReloadTarget(ctx context.Context, debugURL string, targetID string) error {
-	if err := withTarget(ctx, debugURL, targetID,
-		chromedp.Reload(),
-	); err != nil {
-		return fmt.Errorf("reload target: %w", err)
-	}
-	return nil
-}
-
-// withTargetListen connects to debugURL, attaches to the specific target, and
-// returns a long-lived context suitable for event listening. Unlike withTarget,
-// it does NOT run actions or detach automatically — the caller controls the
-// session lifetime.
-//
-// Usage:
-//  1. Call withTargetListen to get taskCtx.
-//  2. Register event listeners with chromedp.ListenTarget(taskCtx, ...).
-//  3. Enable the domain with chromedp.Run(taskCtx, ...).
-//  4. Wait/process events.
-//  5. Call cancel — clears TargetID first (detach-without-close).
-func withTargetListen(ctx context.Context, debugURL string, targetID string) (context.Context, func(), error) {
-	allocCtx, allocCancel := chromedp.NewRemoteAllocator(ctx, debugURL, chromedp.NoModifyURL)
-	taskCtx, taskCancel := chromedp.NewContext(allocCtx, chromedp.WithTargetID(target.ID(targetID)))
-
-	// Run an empty action to force the CDP session to attach to the target.
-	if err := chromedp.Run(taskCtx); err != nil {
-		taskCancel()
-		allocCancel()
-		return nil, nil, fmt.Errorf("attach target for listen: %w", err)
-	}
-
-	cancel := func() {
-		// Clear TargetID BEFORE cancel so chromedp's cancel handler does not
-		// close the tab. Same detach-without-close trick as withTarget.
-		if c := chromedp.FromContext(taskCtx); c != nil && c.Target != nil {
-			c.Target.TargetID = ""
-		}
-		taskCancel()
-		allocCancel()
-	}
-
-	return taskCtx, cancel, nil
-}
-
-// withBrowser connects to debugURL at the browser level and returns contexts for CDP commands.
-func withBrowser(ctx context.Context, debugURL string) (context.Context, context.CancelFunc) {
-	allocCtx, allocCancel := chromedp.NewRemoteAllocator(ctx, debugURL, chromedp.NoModifyURL)
-	taskCtx, taskCancel := chromedp.NewContext(allocCtx)
-	return taskCtx, func() { taskCancel(); allocCancel() }
-}
-
-// withTarget connects to debugURL, attaches to the specific target, runs the actions, and cleans up.
-// It detaches from the target without closing it so the tab survives across calls.
-func withTarget(ctx context.Context, debugURL string, targetID string, actions ...chromedp.Action) error {
-	allocCtx, allocCancel := chromedp.NewRemoteAllocator(ctx, debugURL, chromedp.NoModifyURL)
-
-	taskCtx, taskCancel := chromedp.NewContext(allocCtx, chromedp.WithTargetID(target.ID(targetID)))
-
-	err := chromedp.Run(taskCtx, actions...)
-
-	// Clear TargetID BEFORE cancel so chromedp's cancel handler does not
-	// close the tab. We attach to an existing tab we don't own.
-	if c := chromedp.FromContext(taskCtx); c != nil && c.Target != nil {
-		c.Target.TargetID = ""
-	}
-	taskCancel()
-	allocCancel()
-
-	return err
-}
diff --git a/browser/cdp_snapshot.go b/browser/cdp_snapshot.go
deleted file mode 100644
index f725d5e..0000000
--- a/browser/cdp_snapshot.go
+++ /dev/null
@@ -1,272 +0,0 @@
-package browser
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"strings"
-
-	"github.com/chromedp/cdproto/accessibility"
-	"github.com/chromedp/cdproto/cdp"
-	"github.com/chromedp/cdproto/dom"
-	"github.com/chromedp/cdproto/input"
-	"github.com/chromedp/cdproto/runtime"
-	"github.com/chromedp/chromedp"
-)
-
-// SnapshotTarget builds an AX-powered semantic snapshot for a target tab.
-func SnapshotTarget(ctx context.Context, debugURL, targetID string, opts SnapshotOptions) (*SnapshotResult, error) {
-	if opts.Mode == "" {
-		opts.Mode = "auto"
-	}
-
-	out := &SnapshotResult{Mode: "ax"}
-	err := withTarget(ctx, debugURL, targetID, chromedp.ActionFunc(func(ctx context.Context) error {
-		if err := accessibility.Enable().Do(ctx); err != nil {
-			return fmt.Errorf("enable accessibility: %w", err)
-		}
-		defer func() { _ = accessibility.Disable().Do(ctx) }()
-
-		var nodes []*accessibility.Node
-		var err error
-		if opts.Depth > 0 {
-			nodes, err = accessibility.GetFullAXTree().WithDepth(opts.Depth).Do(ctx)
-		} else {
-			nodes, err = accessibility.GetFullAXTree().Do(ctx)
-		}
-		if err != nil {
-			return fmt.Errorf("get full ax tree: %w", err)
-		}
-		meta, err := EvalTarget(ctx, debugURL, targetID, `({
-  url: location.href,
-  title: document.title || "",
-  key: [location.href, performance.timeOrigin || 0, document.body ? document.body.childElementCount : 0].join("|")
-})`)
-		if err != nil {
-			return fmt.Errorf("snapshot metadata: %w", err)
-		}
-		if m, ok := meta.(map[string]any); ok {
-			if v, ok := m["url"].(string); ok {
-				out.URL = v
-			}
-			if v, ok := m["title"].(string); ok {
-				out.Title = v
-			}
-			if v, ok := m["key"].(string); ok {
-				out.DocumentKey = v
-			}
-		}
-		buildSnapshotTree(out, nodes, opts)
-		return nil
-	}))
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func buildSnapshotTree(out *SnapshotResult, axNodes []*accessibility.Node, opts SnapshotOptions) {
-	idToNode := make(map[accessibility.NodeID]*accessibility.Node, len(axNodes))
-	for _, n := range axNodes {
-		idToNode[n.NodeID] = n
-	}
-
-	interactiveRoles := map[string]bool{
-		"button": true, "link": true, "textbox": true, "searchbox": true, "checkbox": true,
-		"radio": true, "combobox": true, "option": true, "menuitem": true, "tab": true,
-	}
-	structuralRoles := map[string]bool{
-		"rootwebarea": true, "document": true, "main": true, "article": true,
-		"heading": true, "list": true, "listitem": true, "dialog": true,
-	}
-
-	axToIndex := make(map[accessibility.NodeID]int, len(axNodes))
-	nextRef := 1
-	for _, n := range axNodes {
-		role := normalizeAXValue(n.Role)
-		name := normalizeAXValue(n.Name)
-		if n.Ignored && !interactiveRoles[role] {
-			continue
-		}
-		keep := structuralRoles[role] || interactiveRoles[role] || name != ""
-		if opts.InteractiveOnly && !interactiveRoles[role] {
-			keep = false
-		}
-		if !keep {
-			continue
-		}
-
-		node := SnapshotNode{
-			Role:        role,
-			Name:        name,
-			Value:       normalizeAXValue(n.Value),
-			Description: normalizeAXValue(n.Description),
-			States:      axStates(n.Properties),
-		}
-		if interactiveRoles[role] {
-			node.Ref = fmt.Sprintf("@e%d", nextRef)
-			nextRef++
-			out.Refs = append(out.Refs, SnapshotRef{
-				Ref:              node.Ref,
-				BackendDOMNodeID: int64(n.BackendDOMNodeID),
-				AXNodeID:         string(n.NodeID),
-				FrameID:          string(n.FrameID),
-				Role:             role,
-				Name:             name,
-			})
-		}
-		axToIndex[n.NodeID] = len(out.Nodes)
-		out.Nodes = append(out.Nodes, node)
-	}
-
-	for _, n := range axNodes {
-		parentIdx, ok := axToIndex[n.NodeID]
-		if !ok {
-			continue
-		}
-		for _, childID := range n.ChildIDs {
-			if childIdx, ok := axToIndex[childID]; ok {
-				out.Nodes[parentIdx].Children = append(out.Nodes[parentIdx].Children, childIdx)
-			}
-		}
-	}
-}
-
-func normalizeAXValue(v *accessibility.Value) string {
-	if v == nil {
-		return ""
-	}
-	var anyv any
-	if err := json.Unmarshal(v.Value, &anyv); err != nil {
-		return ""
-	}
-	switch tv := anyv.(type) {
-	case string:
-		return strings.TrimSpace(tv)
-	case bool, float64:
-		return fmt.Sprintf("%v", tv)
-	default:
-		return ""
-	}
-}
-
-func axStates(props []*accessibility.Property) []string {
-	out := make([]string, 0, len(props))
-	for _, p := range props {
-		name := string(p.Name)
-		if name == "disabled" || name == "checked" || name == "expanded" || name == "selected" {
-			val := normalizeAXValue(p.Value)
-			if val == "" {
-				val = "true"
-			}
-			out = append(out, fmt.Sprintf("%s=%s", name, val))
-		}
-	}
-	return out
-}
-
-func ClickTargetByBackendNodeID(ctx context.Context, debugURL, targetID string, backendNodeID cdp.BackendNodeID) error {
-	return withTarget(ctx, debugURL, targetID, chromedp.ActionFunc(func(ctx context.Context) error {
-		if err := dom.ScrollIntoViewIfNeeded().WithBackendNodeID(backendNodeID).Do(ctx); err != nil {
-			return fmt.Errorf("scroll into view: %w", err)
-		}
-		box, err := dom.GetBoxModel().WithBackendNodeID(backendNodeID).Do(ctx)
-		if err != nil {
-			return fmt.Errorf("get box model: %w", err)
-		}
-		q := box.Content
-		x := (q[0] + q[2] + q[4] + q[6]) / 4
-		y := (q[1] + q[3] + q[5] + q[7]) / 4
-		if err := input.DispatchMouseEvent(input.MouseMoved, x, y).Do(ctx); err != nil {
-			return err
-		}
-		if err := input.DispatchMouseEvent(input.MousePressed, x, y).WithButton(input.Left).WithClickCount(1).Do(ctx); err != nil {
-			return err
-		}
-		return input.DispatchMouseEvent(input.MouseReleased, x, y).WithButton(input.Left).WithClickCount(1).Do(ctx)
-	}))
-}
-
-func FillTargetByBackendNodeID(ctx context.Context, debugURL, targetID string, backendNodeID cdp.BackendNodeID, value string) error {
-	return withTarget(ctx, debugURL, targetID, chromedp.ActionFunc(func(ctx context.Context) error {
-		obj, err := dom.ResolveNode().WithBackendNodeID(backendNodeID).Do(ctx)
-		if err != nil {
-			return fmt.Errorf("resolve node: %w", err)
-		}
-		fn := `function(v){
-  this.focus();
-  const tag = this.tagName ? this.tagName.toLowerCase() : "";
-  if (tag === "select") {
-    this.value = v;
-    this.dispatchEvent(new Event("change", { bubbles: true }));
-    return true;
-  }
-  const setter = (tag === "textarea")
-    ? Object.getOwnPropertyDescriptor(window.HTMLTextAreaElement.prototype, "value")?.set
-    : Object.getOwnPropertyDescriptor(window.HTMLInputElement.prototype, "value")?.set;
-  if (setter) setter.call(this, v); else this.value = v;
-  this.dispatchEvent(new Event("input", { bubbles: true }));
-  this.dispatchEvent(new Event("change", { bubbles: true }));
-  return true;
-}`
-		_, ex, err := runtime.CallFunctionOn(fmt.Sprintf(`function(){ return (%s).call(this, %q) }`, fn, value)).
-			WithObjectID(obj.ObjectID).
-			WithAwaitPromise(true).
-			WithReturnByValue(true).
-			Do(ctx)
-		if err != nil {
-			return fmt.Errorf("fill by backend node: %w", err)
-		}
-		if ex != nil {
-			return fmt.Errorf("fill by backend node: javascript exception")
-		}
-		return nil
-	}))
-}
-
-func TypeTargetByBackendNodeID(ctx context.Context, debugURL, targetID string, backendNodeID cdp.BackendNodeID, text string) error {
-	return withTarget(ctx, debugURL, targetID, chromedp.ActionFunc(func(ctx context.Context) error {
-		obj, err := dom.ResolveNode().WithBackendNodeID(backendNodeID).Do(ctx)
-		if err != nil {
-			return fmt.Errorf("resolve node: %w", err)
-		}
-		if _, ex, err := runtime.CallFunctionOn(`function(){ this.focus(); return true; }`).
-			WithObjectID(obj.ObjectID).
-			WithReturnByValue(true).
-			Do(ctx); err != nil {
-			return err
-		} else if ex != nil {
-			return fmt.Errorf("focus by backend node: javascript exception")
-		}
-		return input.InsertText(text).Do(ctx)
-	}))
-}
-
-func SelectTargetByBackendNodeID(ctx context.Context, debugURL, targetID string, backendNodeID cdp.BackendNodeID, value string) error {
-	return withTarget(ctx, debugURL, targetID, chromedp.ActionFunc(func(ctx context.Context) error {
-		obj, err := dom.ResolveNode().WithBackendNodeID(backendNodeID).Do(ctx)
-		if err != nil {
-			return fmt.Errorf("resolve node: %w", err)
-		}
-		fn := `function(v){
-  if (!this.tagName || this.tagName.toLowerCase() !== "select") throw new Error("element is not select");
-  this.focus();
-  this.value = v;
-  this.dispatchEvent(new Event("input", { bubbles: true }));
-  this.dispatchEvent(new Event("change", { bubbles: true }));
-  return true;
-}`
-		_, ex, err := runtime.CallFunctionOn(fmt.Sprintf(`function(){ return (%s).call(this, %q) }`, fn, value)).
-			WithObjectID(obj.ObjectID).
-			WithAwaitPromise(true).
-			WithReturnByValue(true).
-			Do(ctx)
-		if err != nil {
-			return err
-		}
-		if ex != nil {
-			return fmt.Errorf("select by backend node: javascript exception")
-		}
-		return nil
-	}))
-}
diff --git a/browser/cdp_test.go b/browser/cdp_test.go
deleted file mode 100644
index 4cc77c3..0000000
--- a/browser/cdp_test.go
+++ /dev/null
@@ -1,9 +0,0 @@
-package browser
-
-import "testing"
-
-func TestTargetTypePageConstant(t *testing.T) {
-	if TargetTypePage != "page" {
-		t.Fatalf("TargetTypePage = %q, want %q", TargetTypePage, "page")
-	}
-}
diff --git a/browser/chrome.go b/browser/chrome.go
deleted file mode 100644
index 83a0f75..0000000
--- a/browser/chrome.go
+++ /dev/null
@@ -1,41 +0,0 @@
-package browser
-
-import (
-	"os/exec"
-	"strings"
-)
-
-// ChromeInfo holds information about an installed Chrome browser.
-type ChromeInfo struct {
-	Path    string
-	Version string
-}
-
-// DetectChrome finds a Chrome/Chromium installation and returns its path and version.
-// It reuses the same discovery logic as the browser launcher (findChrome).
-// Returns nil if no Chrome is found.
-func DetectChrome() *ChromeInfo {
-	path, err := findChrome()
-	if err != nil {
-		return nil
-	}
-
-	out, err := exec.Command(path, "--version").Output()
-	if err != nil {
-		return &ChromeInfo{Path: path}
-	}
-	return &ChromeInfo{
-		Path:    path,
-		Version: parseVersion(string(out)),
-	}
-}
-
-func parseVersion(output string) string {
-	// "Google Chrome 125.0.6422.141" → "125.0.6422.141"
-	output = strings.TrimSpace(output)
-	parts := strings.Fields(output)
-	if len(parts) == 0 {
-		return ""
-	}
-	return parts[len(parts)-1]
-}
diff --git a/browser/daemon.go b/browser/daemon.go
deleted file mode 100644
index e15c76a..0000000
--- a/browser/daemon.go
+++ /dev/null
@@ -1,198 +0,0 @@
-package browser
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/hex"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"strings"
-	"time"
-)
-
-const (
-	AttachStateDetached      = "detached"
-	AttachStateAttachedReady = "attached-ready"
-	AttachStateAttachedStale = "attached-stale"
-)
-
-type ProxyDaemonHealth struct {
-	CheckedAt         time.Time `json:"checked_at"`
-	PIDAlive          bool      `json:"pid_alive"`
-	DaemonReachable   bool      `json:"daemon_reachable"`
-	UpstreamReachable bool      `json:"upstream_reachable"`
-	Healthy           bool      `json:"healthy"`
-	Status            string    `json:"status"`
-	Reason            string    `json:"reason,omitempty"`
-}
-
-func GenerateOwnershipToken() (string, error) {
-	buf := make([]byte, 16)
-	if _, err := rand.Read(buf); err != nil {
-		return "", fmt.Errorf("generate ownership token: %w", err)
-	}
-	return hex.EncodeToString(buf), nil
-}
-
-func ProxyEndpointForListenAddr(listenAddr string) string {
-	return fmt.Sprintf("ws://%s/devtools/browser/proxy", listenAddr)
-}
-
-func ProxyHTTPBaseForListenAddr(listenAddr string) string {
-	return fmt.Sprintf("http://%s", listenAddr)
-}
-
-func CheckProxyDaemon(ctx context.Context, record *ProxyDaemonRecord) ProxyDaemonHealth {
-	health := ProxyDaemonHealth{CheckedAt: time.Now().UTC(), Status: AttachStateDetached}
-	if record == nil {
-		health.Reason = "no proxy daemon recorded"
-		return health
-	}
-
-	var reasons []string
-	health.Status = AttachStateAttachedStale
-	if record.PID > 0 && isProcessAlive(record.PID) {
-		health.PIDAlive = true
-	} else {
-		reasons = append(reasons, "daemon pid is not alive")
-	}
-
-	client := &http.Client{Timeout: 3 * time.Second}
-	if strings.TrimSpace(record.ListenAddr) != "" {
-		req, err := http.NewRequestWithContext(ctx, http.MethodGet, ProxyHTTPBaseForListenAddr(record.ListenAddr)+"/healthz", nil)
-		if err == nil {
-			resp, err := client.Do(req)
-			if err == nil {
-				var payload struct {
-					UpstreamReady bool `json:"upstreamReady"`
-				}
-				body, _ := io.ReadAll(resp.Body)
-				_ = resp.Body.Close()
-				_ = json.Unmarshal(body, &payload)
-				if resp.StatusCode == http.StatusOK {
-					health.DaemonReachable = true
-				}
-				if payload.UpstreamReady {
-					health.UpstreamReachable = true
-				}
-			} else {
-				reasons = append(reasons, fmt.Sprintf("daemon health check failed: %v", err))
-			}
-		} else {
-			reasons = append(reasons, fmt.Sprintf("daemon health request failed: %v", err))
-		}
-	} else {
-		reasons = append(reasons, "daemon listen address is missing")
-	}
-
-	if !health.DaemonReachable {
-		reasons = append(reasons, "daemon endpoint is unreachable")
-	}
-	if !health.UpstreamReachable {
-		reasons = append(reasons, "upstream Chrome is unreachable")
-	}
-	if health.PIDAlive && health.DaemonReachable && health.UpstreamReachable {
-		health.Healthy = true
-		health.Status = AttachStateAttachedReady
-		health.Reason = ""
-		return health
-	}
-	if len(reasons) == 0 {
-		reasons = append(reasons, "proxy daemon is unhealthy")
-	}
-	health.Reason = strings.Join(uniqueStrings(reasons), "; ")
-	return health
-}
-
-func ShouldReuseProxyDaemon(record *ProxyDaemonRecord, discoveredUpstreamWSURL string, health ProxyDaemonHealth) bool {
-	return record != nil && record.UpstreamWSURL == strings.TrimSpace(discoveredUpstreamWSURL) && health.Healthy
-}
-
-func ShutdownProxyDaemon(ctx context.Context, record *ProxyDaemonRecord) error {
-	if record == nil {
-		return nil
-	}
-	if strings.TrimSpace(record.ListenAddr) == "" {
-		return errors.New("proxy daemon listen address is missing")
-	}
-	if strings.TrimSpace(record.OwnershipToken) == "" {
-		return errors.New("proxy daemon ownership token is missing")
-	}
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, ProxyHTTPBaseForListenAddr(record.ListenAddr)+"/shutdown", nil)
-	if err != nil {
-		return fmt.Errorf("build proxy shutdown request: %w", err)
-	}
-	req.Header.Set("X-Tap-Ownership-Token", record.OwnershipToken)
-	resp, err := (&http.Client{Timeout: 3 * time.Second}).Do(req)
-	if err != nil {
-		return fmt.Errorf("request proxy shutdown: %w", err)
-	}
-	defer func() {
-		_, _ = io.Copy(io.Discard, resp.Body)
-		_ = resp.Body.Close()
-	}()
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("proxy shutdown returned status %d", resp.StatusCode)
-	}
-	return nil
-}
-
-func WaitForProxyDaemonExit(ctx context.Context, record *ProxyDaemonRecord) error {
-	if record == nil || record.PID <= 0 {
-		return nil
-	}
-	ticker := time.NewTicker(100 * time.Millisecond)
-	defer ticker.Stop()
-	for {
-		if !isProcessAlive(record.PID) {
-			return nil
-		}
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case <-ticker.C:
-		}
-	}
-}
-
-func WaitForProxyDaemonHealth(ctx context.Context, record *ProxyDaemonRecord) (ProxyDaemonHealth, error) {
-	ticker := time.NewTicker(100 * time.Millisecond)
-	defer ticker.Stop()
-	for {
-		health := CheckProxyDaemon(ctx, record)
-		if health.Healthy {
-			return health, nil
-		}
-		select {
-		case <-ctx.Done():
-			return health, ctx.Err()
-		case <-ticker.C:
-		}
-	}
-}
-
-func IsListenAddrInUse(err error) bool {
-	var opErr *net.OpError
-	return errors.As(err, &opErr) && strings.Contains(strings.ToLower(opErr.Err.Error()), "address already in use") || strings.Contains(strings.ToLower(err.Error()), "address already in use")
-}
-
-func uniqueStrings(items []string) []string {
-	seen := make(map[string]struct{}, len(items))
-	out := make([]string, 0, len(items))
-	for _, item := range items {
-		item = strings.TrimSpace(item)
-		if item == "" {
-			continue
-		}
-		if _, ok := seen[item]; ok {
-			continue
-		}
-		seen[item] = struct{}{}
-		out = append(out, item)
-	}
-	return out
-}
diff --git a/browser/daemon_test.go b/browser/daemon_test.go
deleted file mode 100644
index 0f02bc0..0000000
--- a/browser/daemon_test.go
+++ /dev/null
@@ -1,167 +0,0 @@
-package browser
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/gorilla/websocket"
-)
-
-func startFakeUpstreamWS(t *testing.T) (string, func()) {
-	t.Helper()
-	upgrader := websocket.Upgrader{CheckOrigin: func(_ *http.Request) bool { return true }}
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path != "/devtools/browser/test" {
-			http.NotFound(w, r)
-			return
-		}
-		conn, err := upgrader.Upgrade(w, r, nil)
-		if err != nil {
-			return
-		}
-		defer func() { _ = conn.Close() }()
-		for {
-			if _, _, err := conn.NextReader(); err != nil {
-				return
-			}
-		}
-	}))
-	wsURL := "ws" + strings.TrimPrefix(srv.URL, "http") + "/devtools/browser/test"
-	return wsURL, srv.Close
-}
-
-func startProxyForTest(t *testing.T, upstream, token string) (*ProxyDaemonRecord, func()) {
-	t.Helper()
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatal(err)
-	}
-	record := &ProxyDaemonRecord{
-		PID:            os.Getpid(),
-		ListenAddr:     ln.Addr().String(),
-		Endpoint:       ProxyEndpointForListenAddr(ln.Addr().String()),
-		UpstreamWSURL:  upstream,
-		OwnershipToken: token,
-	}
-	proxy := NewProxy(ProxyConfig{ListenAddr: record.ListenAddr, Upstream: upstream, OwnershipToken: token})
-	errCh := make(chan error, 1)
-	go func() {
-		errCh <- proxy.ServeListener(t.Context(), ln)
-	}()
-	ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
-	defer cancel()
-	if _, err := WaitForProxyDaemonHealth(ctx, record); err != nil {
-		t.Fatalf("WaitForProxyDaemonHealth failed: %v", err)
-	}
-	cleanup := func() {
-		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		_ = ShutdownProxyDaemon(shutdownCtx, record)
-		select {
-		case <-time.After(250 * time.Millisecond):
-		case <-errCh:
-		}
-	}
-	return record, cleanup
-}
-
-func TestStorePersistsProxyDaemonState(t *testing.T) {
-	store := testStore(t)
-	now := time.Date(2026, 4, 7, 12, 0, 0, 0, time.UTC)
-	want := &ProxyDaemonRecord{
-		PID:               42,
-		ListenAddr:        "127.0.0.1:12345",
-		Endpoint:          "ws://127.0.0.1:12345/devtools/browser/proxy",
-		UpstreamWSURL:     "ws://127.0.0.1:9222/devtools/browser/test",
-		OwnershipToken:    "token-1",
-		State:             AttachStateAttachedReady,
-		Status:            AttachStateAttachedReady,
-		LastHealthCheckAt: now,
-		LastHealthyAt:     now,
-		StartedAt:         now,
-		UpdatedAt:         now,
-	}
-	if err := store.Update(func(state *State) error {
-		state.ProxyDaemon = want
-		return nil
-	}); err != nil {
-		t.Fatalf("Update failed: %v", err)
-	}
-	reloaded, err := store.Load()
-	if err != nil {
-		t.Fatalf("Load failed: %v", err)
-	}
-	if reloaded.ProxyDaemon == nil {
-		t.Fatal("ProxyDaemon = nil, want record")
-	}
-	if reloaded.ProxyDaemon.Endpoint != want.Endpoint {
-		t.Fatalf("Endpoint = %q, want %q", reloaded.ProxyDaemon.Endpoint, want.Endpoint)
-	}
-	if reloaded.ProxyDaemon.OwnershipToken != want.OwnershipToken {
-		t.Fatalf("OwnershipToken = %q, want %q", reloaded.ProxyDaemon.OwnershipToken, want.OwnershipToken)
-	}
-}
-
-func TestShouldReuseProxyDaemon(t *testing.T) {
-	record := &ProxyDaemonRecord{UpstreamWSURL: "ws://127.0.0.1:9222/devtools/browser/test"}
-	health := ProxyDaemonHealth{Healthy: true}
-	if !ShouldReuseProxyDaemon(record, record.UpstreamWSURL, health) {
-		t.Fatal("ShouldReuseProxyDaemon = false, want true")
-	}
-	if ShouldReuseProxyDaemon(record, "ws://127.0.0.1:9223/devtools/browser/test", health) {
-		t.Fatal("ShouldReuseProxyDaemon should be false for changed upstream")
-	}
-	if ShouldReuseProxyDaemon(record, record.UpstreamWSURL, ProxyDaemonHealth{}) {
-		t.Fatal("ShouldReuseProxyDaemon should be false for unhealthy daemon")
-	}
-}
-
-func TestCheckProxyDaemonDetectsStaleReasons(t *testing.T) {
-	health := CheckProxyDaemon(t.Context(), &ProxyDaemonRecord{
-		PID:            999999,
-		ListenAddr:     "127.0.0.1:1",
-		Endpoint:       "ws://127.0.0.1:1/devtools/browser/proxy",
-		UpstreamWSURL:  "ws://127.0.0.1:2/devtools/browser/test",
-		OwnershipToken: "token",
-	})
-	if health.Healthy {
-		t.Fatal("health.Healthy = true, want false")
-	}
-	if !strings.Contains(health.Reason, "daemon pid is not alive") {
-		t.Fatalf("health.Reason = %q, want pid reason", health.Reason)
-	}
-	if !strings.Contains(health.Reason, "daemon endpoint is unreachable") {
-		t.Fatalf("health.Reason = %q, want endpoint reason", health.Reason)
-	}
-}
-
-func TestShutdownProxyDaemonRequiresOwnershipToken(t *testing.T) {
-	upstream, closeUpstream := startFakeUpstreamWS(t)
-	defer closeUpstream()
-	record, cleanup := startProxyForTest(t, upstream, "correct-token")
-	defer cleanup()
-
-	wrong := *record
-	wrong.OwnershipToken = "wrong-token"
-	shutdownCtx, cancel := context.WithTimeout(t.Context(), 2*time.Second)
-	defer cancel()
-	if err := ShutdownProxyDaemon(shutdownCtx, &wrong); err == nil {
-		t.Fatal("ShutdownProxyDaemon with wrong token should fail")
-	}
-	health := CheckProxyDaemon(t.Context(), record)
-	if !health.Healthy {
-		t.Fatalf("health after wrong-token shutdown = %+v, want healthy", health)
-	}
-
-	shutdownCtx, cancel = context.WithTimeout(t.Context(), 2*time.Second)
-	defer cancel()
-	if err := ShutdownProxyDaemon(shutdownCtx, record); err != nil {
-		t.Fatalf("ShutdownProxyDaemon failed: %v", err)
-	}
-}
diff --git a/browser/discover.go b/browser/discover.go
deleted file mode 100644
index 22880af..0000000
--- a/browser/discover.go
+++ /dev/null
@@ -1,92 +0,0 @@
-package browser
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strconv"
-	"strings"
-)
-
-// DiscoverUserChromeDebugURL resolves the browser WebSocket URL for an already
-// running user Chrome/Chromium instance that has remote debugging enabled.
-// It reads the DevToolsActivePort file from common user-data directories.
-func DiscoverUserChromeDebugURL() (string, string, error) {
-	for _, path := range devToolsActivePortCandidates() {
-		url, err := ResolveDebugURLFromDevToolsFile(path)
-		if err == nil {
-			return url, path, nil
-		}
-		if !os.IsNotExist(err) {
-			return "", path, err
-		}
-	}
-	return "", "", fmt.Errorf("could not find DevToolsActivePort for a running user Chrome; enable remote debugging on your existing browser or pass --upstream")
-}
-
-// ResolveDebugURLFromDevToolsFile parses a DevToolsActivePort file and returns
-// the browser WebSocket URL.
-func ResolveDebugURLFromDevToolsFile(path string) (string, error) {
-	content, err := os.ReadFile(path)
-	if err != nil {
-		return "", err
-	}
-	return parseDevToolsActivePort(string(content))
-}
-
-func parseDevToolsActivePort(content string) (string, error) {
-	lines := strings.Split(strings.TrimSpace(content), "\n")
-	if len(lines) < 2 {
-		return "", fmt.Errorf("invalid DevToolsActivePort content")
-	}
-
-	port, err := strconv.Atoi(strings.TrimSpace(lines[0]))
-	if err != nil || port <= 0 {
-		return "", fmt.Errorf("invalid DevToolsActivePort port")
-	}
-
-	wsPath := strings.TrimSpace(lines[1])
-	if !strings.HasPrefix(wsPath, "/") {
-		return "", fmt.Errorf("invalid DevToolsActivePort websocket path")
-	}
-
-	return fmt.Sprintf("ws://127.0.0.1:%d%s", port, wsPath), nil
-}
-
-func devToolsActivePortCandidates() []string {
-	home, _ := os.UserHomeDir()
-	xdgConfig := os.Getenv("XDG_CONFIG_HOME")
-	if xdgConfig == "" && home != "" {
-		xdgConfig = filepath.Join(home, ".config")
-	}
-
-	switch runtime.GOOS {
-	case "darwin":
-		return existingCandidates(home,
-			filepath.Join(home, "Library", "Application Support", "Google", "Chrome", "DevToolsActivePort"),
-			filepath.Join(home, "Library", "Application Support", "Google", "Chrome Beta", "DevToolsActivePort"),
-			filepath.Join(home, "Library", "Application Support", "Chromium", "DevToolsActivePort"),
-		)
-	case "windows":
-		localAppData := os.Getenv("LOCALAPPDATA")
-		return existingCandidates(localAppData,
-			filepath.Join(localAppData, "Google", "Chrome", "User Data", "DevToolsActivePort"),
-			filepath.Join(localAppData, "Google", "Chrome Beta", "User Data", "DevToolsActivePort"),
-			filepath.Join(localAppData, "Chromium", "User Data", "DevToolsActivePort"),
-		)
-	default:
-		return existingCandidates(xdgConfig,
-			filepath.Join(xdgConfig, "google-chrome", "DevToolsActivePort"),
-			filepath.Join(xdgConfig, "google-chrome-beta", "DevToolsActivePort"),
-			filepath.Join(xdgConfig, "chromium", "DevToolsActivePort"),
-		)
-	}
-}
-
-func existingCandidates(root string, paths ...string) []string {
-	if strings.TrimSpace(root) == "" {
-		return nil
-	}
-	return paths
-}
diff --git a/browser/discover_test.go b/browser/discover_test.go
deleted file mode 100644
index 412073f..0000000
--- a/browser/discover_test.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package browser
-
-import "testing"
-
-func TestParseDevToolsActivePort(t *testing.T) {
-	t.Run("valid content", func(t *testing.T) {
-		got, err := parseDevToolsActivePort("9222\n/devtools/browser/abc\n")
-		if err != nil {
-			t.Fatalf("parseDevToolsActivePort returned error: %v", err)
-		}
-		want := "ws://127.0.0.1:9222/devtools/browser/abc"
-		if got != want {
-			t.Fatalf("parseDevToolsActivePort = %q, want %q", got, want)
-		}
-	})
-
-	t.Run("invalid port", func(t *testing.T) {
-		if _, err := parseDevToolsActivePort("abc\n/devtools/browser/abc\n"); err == nil {
-			t.Fatal("parseDevToolsActivePort should reject invalid ports")
-		}
-	})
-
-	t.Run("invalid websocket path", func(t *testing.T) {
-		if _, err := parseDevToolsActivePort("9222\ndevtools/browser/abc\n"); err == nil {
-			t.Fatal("parseDevToolsActivePort should reject invalid websocket paths")
-		}
-	})
-}
diff --git a/browser/doc.go b/browser/doc.go
index d956f1f..c5126c4 100644
--- a/browser/doc.go
+++ b/browser/doc.go
@@ -1,21 +1,21 @@
-// Package browser defines the persistent browser session metadata model used by
-// the planned `tap browser ...` workflow.
+// Package browser provides the agent-browser adapter for tap.
 //
-// Phase 1 establishes the durable state contract before the runtime is added:
+// It extracts tap's embedded agent-browser binary and provides a thin Go wrapper around the agent-browser CLI with --json
+// output. The adapter handles --session-name injection, stdin-based eval,
+// and basic typed wrappers for common commands.
 //
-//   - A session is one persistent browser instance, either local or remote.
-//   - A tab is a named tracked browser target within a session.
-//   - Stored metadata is the source of truth for names and selection defaults.
-//   - Each command must reconcile metadata against live targets before acting.
-//   - Untracked live browser tabs are ignored by default.
-//   - Missing tracked targets become stale until they are recreated or removed.
+// Key types:
 //
-// The package also defines the initial local-vs-remote capability matrix used
-// by CLI help text and README documentation:
+//   - AgentBrowser: the core adapter with Exec(), Open(), Eval(), GetHTML(), Close()
+//   - AgentBrowserInstall: extracts and manages the embedded agent-browser binary
+//   - AgentBrowserEnvelope[T]: generic JSON response envelope
 //
-//   - Local sessions own their browser process and profile directory.
-//   - Remote sessions bind metadata to an explicit CDP WebSocket endpoint.
-//   - Remote session creation validates the endpoint up front.
-//   - Remote session close removes tap metadata only and never kills the remote
-//     browser process.
+// Binary resolution order:
+//  1. $TAP_AGENT_BROWSER env var
+//  2. embedded binary extracted to ~/.cache/tap/agent-browser/agent-browser
+//  3. agent-browser on $PATH
+//
+// Session model:
+//   - Default sessions use --session-name default for durable persistence
+//   - Attached mode uses agent-browser connect (no --session-name)
 package browser
diff --git a/browser/electron.go b/browser/electron.go
deleted file mode 100644
index ddc01ee..0000000
--- a/browser/electron.go
+++ /dev/null
@@ -1,104 +0,0 @@
-package browser
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"os/exec"
-	"time"
-)
-
-// ElectronProcess describes a running process that exposes a CDP debug port.
-type ElectronProcess struct {
-	PID  int
-	Name string // basename of the binary
-	Port int
-}
-
-// ScanElectronProcesses returns all running processes that have
-// --remote-debugging-port=PORT in their command line. It works for Electron
-// apps, CEF-based apps, and any Chromium-derived binary launched with a debug
-// port. Returns an empty slice (not an error) when no matching processes exist.
-func ScanElectronProcesses(ctx context.Context) ([]ElectronProcess, error) {
-	return scanElectronProcesses(ctx)
-}
-
-// ResolveElectronDebugURL queries /json/version at the given port and returns
-// the WebSocket debug URL. Electron (and Chrome) publish the exact WS URL
-// including the browser UUID path in the webSocketDebuggerUrl field.
-func ResolveElectronDebugURL(ctx context.Context, port int) (string, error) {
-	httpURL := fmt.Sprintf("http://127.0.0.1:%d/json/version", port)
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, httpURL, nil)
-	if err != nil {
-		return "", fmt.Errorf("build request: %w", err)
-	}
-	client := &http.Client{Timeout: 10 * time.Second}
-	resp, err := client.Do(req)
-	if err != nil {
-		return "", fmt.Errorf("query /json/version at port %d: %w", port, err)
-	}
-	defer func() {
-		_, _ = io.Copy(io.Discard, resp.Body)
-		_ = resp.Body.Close()
-	}()
-
-	var info struct {
-		WebSocketDebuggerURL string `json:"webSocketDebuggerUrl"`
-	}
-	if err := json.NewDecoder(resp.Body).Decode(&info); err != nil {
-		return "", fmt.Errorf("parse /json/version: %w", err)
-	}
-	if info.WebSocketDebuggerURL == "" {
-		return "", fmt.Errorf("no webSocketDebuggerUrl in /json/version response at port %d", port)
-	}
-	return info.WebSocketDebuggerURL, nil
-}
-
-// LaunchElectronApp starts an Electron (or Electron-based) binary with
-// --remote-debugging-port=0 prepended to the argument list. The OS assigns a
-// free port; the debug WebSocket URL is extracted from stderr exactly as with
-// Chrome. extra holds any additional arguments to pass to the binary.
-//
-// The returned ProcessRecord contains the PID and debug URL. The process is
-// released (detached) so it survives tap exit; callers are responsible for
-// tracking lifecycle via the PID and debug URL.
-func LaunchElectronApp(ctx context.Context, binaryPath string, extra []string) (*ProcessRecord, error) {
-	args := make([]string, 0, 1+len(extra))
-	args = append(args, "--remote-debugging-port=0")
-	args = append(args, extra...)
-
-	// Use exec.Command (not CommandContext) so the Electron process is not
-	// killed when the CLI context is cancelled — same pattern as LaunchBrowser.
-	cmd := exec.Command(binaryPath, args...)
-	cmd.SysProcAttr = platformSysProcAttr()
-
-	stderrPipe, err := cmd.StderrPipe()
-	if err != nil {
-		return nil, fmt.Errorf("pipe electron stderr: %w", err)
-	}
-	if err := cmd.Start(); err != nil {
-		return nil, fmt.Errorf("start electron app: %w", err)
-	}
-
-	// parseDebugURL reuses the same logic as Chrome (both emit the same line).
-	debugURL, err := parseDebugURL(stderrPipe, 15*time.Second)
-	if c, ok := stderrPipe.(io.Closer); ok {
-		_ = c.Close()
-	}
-	if err != nil {
-		_ = cmd.Process.Kill()
-		_ = cmd.Wait()
-		return nil, fmt.Errorf("parse electron debug URL: %w", err)
-	}
-
-	pid := cmd.Process.Pid
-	_ = cmd.Process.Release()
-
-	return &ProcessRecord{
-		PID:       pid,
-		DebugURL:  debugURL,
-		StartedAt: time.Now().UTC(),
-	}, nil
-}
diff --git a/browser/electron_unix.go b/browser/electron_unix.go
deleted file mode 100644
index 27cb117..0000000
--- a/browser/electron_unix.go
+++ /dev/null
@@ -1,65 +0,0 @@
-//go:build !windows
-
-package browser
-
-import (
-	"context"
-	"os/exec"
-	"path/filepath"
-	"strconv"
-	"strings"
-)
-
-// scanElectronProcesses uses ps to list all processes and filters those that
-// carry --remote-debugging-port=PORT in their command line.
-func scanElectronProcesses(ctx context.Context) ([]ElectronProcess, error) {
-	out, err := exec.CommandContext(ctx, "ps", "-ax", "-o", "pid=,args=").Output()
-	if err != nil {
-		return nil, nil // ps failure is non-fatal; return empty list
-	}
-
-	var procs []ElectronProcess
-	for _, line := range strings.Split(string(out), "\n") {
-		line = strings.TrimSpace(line)
-		if line == "" {
-			continue
-		}
-		fields := strings.Fields(line)
-		if len(fields) < 2 {
-			continue
-		}
-		pid, err := strconv.Atoi(fields[0])
-		if err != nil {
-			continue
-		}
-		port := extractDebugPort(strings.Join(fields[1:], " "))
-		if port == 0 {
-			continue
-		}
-		procs = append(procs, ElectronProcess{
-			PID:  pid,
-			Name: filepath.Base(fields[1]),
-			Port: port,
-		})
-	}
-	return procs, nil
-}
-
-// extractDebugPort parses --remote-debugging-port=PORT from a command line
-// string. Returns 0 if not found or not a valid port.
-func extractDebugPort(cmdline string) int {
-	const prefix = "--remote-debugging-port="
-	idx := strings.Index(cmdline, prefix)
-	if idx < 0 {
-		return 0
-	}
-	rest := cmdline[idx+len(prefix):]
-	if end := strings.IndexAny(rest, " \t"); end >= 0 {
-		rest = rest[:end]
-	}
-	port, _ := strconv.Atoi(rest)
-	if port <= 0 || port > 65535 {
-		return 0
-	}
-	return port
-}
diff --git a/browser/electron_windows.go b/browser/electron_windows.go
deleted file mode 100644
index 4fd142a..0000000
--- a/browser/electron_windows.go
+++ /dev/null
@@ -1,17 +0,0 @@
-//go:build windows
-
-package browser
-
-import "context"
-
-// scanElectronProcesses is not yet implemented on Windows.
-// Returns an empty list without error.
-func scanElectronProcesses(_ context.Context) ([]ElectronProcess, error) {
-	return nil, nil
-}
-
-// extractDebugPort parses --remote-debugging-port=PORT from a command line.
-// Shared definition for Windows (unix version lives in electron_unix.go).
-func extractDebugPort(_ string) int {
-	return 0
-}
diff --git a/browser/embedded_darwin_amd64.go b/browser/embedded_darwin_amd64.go
new file mode 100644
index 0000000..2b5a85b
--- /dev/null
+++ b/browser/embedded_darwin_amd64.go
@@ -0,0 +1,8 @@
+//go:build darwin && amd64
+
+package browser
+
+import _ "embed"
+
+//go:embed bin/agent-browser-darwin-x64
+var embeddedAgentBrowser []byte
diff --git a/browser/embedded_darwin_arm64.go b/browser/embedded_darwin_arm64.go
new file mode 100644
index 0000000..d838a60
--- /dev/null
+++ b/browser/embedded_darwin_arm64.go
@@ -0,0 +1,8 @@
+//go:build darwin && arm64
+
+package browser
+
+import _ "embed"
+
+//go:embed bin/agent-browser-darwin-arm64
+var embeddedAgentBrowser []byte
diff --git a/browser/embedded_linux_amd64.go b/browser/embedded_linux_amd64.go
new file mode 100644
index 0000000..d3ff00c
--- /dev/null
+++ b/browser/embedded_linux_amd64.go
@@ -0,0 +1,8 @@
+//go:build linux && amd64 && !musl
+
+package browser
+
+import _ "embed"
+
+//go:embed bin/agent-browser-linux-x64
+var embeddedAgentBrowser []byte
diff --git a/browser/embedded_linux_arm64.go b/browser/embedded_linux_arm64.go
new file mode 100644
index 0000000..1036f41
--- /dev/null
+++ b/browser/embedded_linux_arm64.go
@@ -0,0 +1,8 @@
+//go:build linux && arm64 && !musl
+
+package browser
+
+import _ "embed"
+
+//go:embed bin/agent-browser-linux-arm64
+var embeddedAgentBrowser []byte
diff --git a/browser/embedded_unsupported.go b/browser/embedded_unsupported.go
new file mode 100644
index 0000000..85a464c
--- /dev/null
+++ b/browser/embedded_unsupported.go
@@ -0,0 +1,5 @@
+//go:build !(darwin && arm64) && !(darwin && amd64) && !(linux && arm64) && !(linux && amd64) && !(windows && amd64)
+
+package browser
+
+var embeddedAgentBrowser []byte
diff --git a/browser/embedded_windows_amd64.go b/browser/embedded_windows_amd64.go
new file mode 100644
index 0000000..6f84ac6
--- /dev/null
+++ b/browser/embedded_windows_amd64.go
@@ -0,0 +1,8 @@
+//go:build windows && amd64
+
+package browser
+
+import _ "embed"
+
+//go:embed bin/agent-browser-win32-x64.exe
+var embeddedAgentBrowser []byte
diff --git a/browser/endpoint.go b/browser/endpoint.go
deleted file mode 100644
index 2886895..0000000
--- a/browser/endpoint.go
+++ /dev/null
@@ -1,71 +0,0 @@
-package browser
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"strings"
-	"time"
-)
-
-// ResolveDebugURL accepts either a CDP browser WebSocket URL or an HTTP(S)
-// DevTools base URL (for example http://127.0.0.1:9222) and returns the browser
-// WebSocket URL that chromedp expects.
-func ResolveDebugURL(ctx context.Context, endpoint string) (string, error) {
-	endpoint = strings.TrimSpace(endpoint)
-	if endpoint == "" {
-		return "", fmt.Errorf("debug endpoint is empty")
-	}
-
-	u, err := url.Parse(endpoint)
-	if err != nil {
-		return "", fmt.Errorf("parse debug endpoint: %w", err)
-	}
-
-	switch u.Scheme {
-	case "ws", "wss":
-		return endpoint, nil
-	case "http", "https":
-		base := strings.TrimRight(endpoint, "/")
-		if u.Path != "" && u.Path != "/" {
-			u.Path = ""
-			u.RawQuery = ""
-			u.Fragment = ""
-			base = strings.TrimRight(u.String(), "/")
-		}
-
-		req, err := http.NewRequestWithContext(ctx, http.MethodGet, base+"/json/version", nil)
-		if err != nil {
-			return "", fmt.Errorf("build debug endpoint request: %w", err)
-		}
-
-		resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req)
-		if err != nil {
-			return "", fmt.Errorf("resolve debug endpoint: %w", err)
-		}
-		defer func() {
-			_, _ = io.Copy(io.Discard, resp.Body)
-			_ = resp.Body.Close()
-		}()
-
-		if resp.StatusCode != http.StatusOK {
-			return "", fmt.Errorf("resolve debug endpoint: status %d", resp.StatusCode)
-		}
-
-		var payload struct {
-			WebSocketDebuggerURL string `json:"webSocketDebuggerUrl"`
-		}
-		if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
-			return "", fmt.Errorf("decode debug endpoint response: %w", err)
-		}
-		if strings.TrimSpace(payload.WebSocketDebuggerURL) == "" {
-			return "", fmt.Errorf("debug endpoint response missing webSocketDebuggerUrl")
-		}
-		return payload.WebSocketDebuggerURL, nil
-	default:
-		return "", fmt.Errorf("unsupported debug endpoint scheme %q", u.Scheme)
-	}
-}
diff --git a/browser/endpoint_test.go b/browser/endpoint_test.go
deleted file mode 100644
index 78797fd..0000000
--- a/browser/endpoint_test.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package browser
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-)
-
-func TestResolveDebugURLFromEndpoint(t *testing.T) {
-	t.Run("passes through websocket endpoints", func(t *testing.T) {
-		got, err := ResolveDebugURL(context.Background(), "ws://127.0.0.1:9222/devtools/browser/abc")
-		if err != nil {
-			t.Fatalf("ResolveDebugURL returned error: %v", err)
-		}
-		want := "ws://127.0.0.1:9222/devtools/browser/abc"
-		if got != want {
-			t.Fatalf("ResolveDebugURL = %q, want %q", got, want)
-		}
-	})
-
-	t.Run("resolves browser websocket from http endpoint", func(t *testing.T) {
-		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if r.URL.Path != "/json/version" {
-				t.Fatalf("unexpected path: %s", r.URL.Path)
-			}
-			_, _ = fmt.Fprint(w, `{"webSocketDebuggerUrl":"ws://127.0.0.1:12345/devtools/browser/proxy"}`)
-		}))
-		defer server.Close()
-
-		got, err := ResolveDebugURL(context.Background(), server.URL)
-		if err != nil {
-			t.Fatalf("ResolveDebugURL returned error: %v", err)
-		}
-		want := "ws://127.0.0.1:12345/devtools/browser/proxy"
-		if got != want {
-			t.Fatalf("ResolveDebugURL = %q, want %q", got, want)
-		}
-	})
-
-	t.Run("strips extra path from http endpoint", func(t *testing.T) {
-		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if r.URL.Path != "/json/version" {
-				t.Fatalf("unexpected path: %s", r.URL.Path)
-			}
-			_, _ = fmt.Fprint(w, `{"webSocketDebuggerUrl":"ws://127.0.0.1:9222/devtools/browser/xyz"}`)
-		}))
-		defer server.Close()
-
-		got, err := ResolveDebugURL(context.Background(), server.URL+"/devtools/browser/ignored")
-		if err != nil {
-			t.Fatalf("ResolveDebugURL returned error: %v", err)
-		}
-		want := "ws://127.0.0.1:9222/devtools/browser/xyz"
-		if got != want {
-			t.Fatalf("ResolveDebugURL = %q, want %q", got, want)
-		}
-	})
-
-	t.Run("rejects unsupported schemes", func(t *testing.T) {
-		if _, err := ResolveDebugURL(context.Background(), "ftp://example.com"); err == nil {
-			t.Fatal("ResolveDebugURL should reject unsupported schemes")
-		}
-	})
-}
diff --git a/browser/install.go b/browser/install.go
new file mode 100644
index 0000000..88ab1ae
--- /dev/null
+++ b/browser/install.go
@@ -0,0 +1,153 @@
+package browser
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"time"
+)
+
+const (
+	AgentBrowserVersion = "0.27.0"
+	EnvAgentBrowser     = "TAP_AGENT_BROWSER"
+)
+
+type AgentBrowserInstall struct {
+	binDir  string
+	version string
+}
+
+type AgentBrowserMeta struct {
+	InstalledAt time.Time `json:"installed_at"`
+	Source      string    `json:"source"`
+	Version     string    `json:"version"`
+}
+
+func NewAgentBrowserInstall(binDir string) *AgentBrowserInstall {
+	if binDir == "" {
+		home, _ := os.UserHomeDir()
+		binDir = filepath.Join(home, ".cache", "tap", "agent-browser")
+	}
+	return &AgentBrowserInstall{binDir: binDir, version: AgentBrowserVersion}
+}
+
+func ResolveAgentBrowserPath() (string, error) {
+	if path := os.Getenv(EnvAgentBrowser); path != "" {
+		return path, nil
+	}
+	install := NewAgentBrowserInstall("")
+	if err := install.EnsureInstalled(context.Background()); err == nil {
+		return install.binPath(), nil
+	}
+	if path, err := exec.LookPath("agent-browser"); err == nil {
+		return path, nil
+	}
+	return "", errors.New("agent-browser embedded binary is unavailable for this platform; set TAP_AGENT_BROWSER")
+}
+
+func (a *AgentBrowserInstall) Installed() bool {
+	fi, err := os.Stat(a.binPath())
+	return err == nil && fi.Size() > 0
+}
+
+func (a *AgentBrowserInstall) Update(ctx context.Context) error {
+	return a.extract(ctx)
+}
+
+func (a *AgentBrowserInstall) EnsureInstalled(ctx context.Context) error {
+	if a.Installed() {
+		return nil
+	}
+	return a.extract(ctx)
+}
+
+func (a *AgentBrowserInstall) ReadMeta() (*AgentBrowserMeta, error) {
+	data, err := os.ReadFile(a.metaPath())
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	var meta AgentBrowserMeta
+	if err := json.Unmarshal(data, &meta); err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+func (a *AgentBrowserInstall) binPath() string {
+	name := "agent-browser"
+	if runtime.GOOS == "windows" {
+		name += ".exe"
+	}
+	return filepath.Join(a.binDir, name)
+}
+
+func (a *AgentBrowserInstall) metaPath() string {
+	return a.binPath() + ".meta.json"
+}
+
+func (a *AgentBrowserInstall) extract(ctx context.Context) error {
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+	}
+	if len(embeddedAgentBrowser) == 0 {
+		return fmt.Errorf("embedded agent-browser is unavailable for %s/%s", runtime.GOOS, runtime.GOARCH)
+	}
+	if err := os.MkdirAll(a.binDir, 0o755); err != nil {
+		return fmt.Errorf("create dir: %w", err)
+	}
+
+	bin := a.binPath()
+	tmp := bin + ".tmp"
+	if err := os.WriteFile(tmp, embeddedAgentBrowser, 0o755); err != nil {
+		_ = os.Remove(tmp)
+		return fmt.Errorf("write embedded binary: %w", err)
+	}
+	if err := os.Rename(tmp, bin); err != nil {
+		_ = os.Remove(tmp)
+		return fmt.Errorf("rename binary: %w", err)
+	}
+	return a.writeMeta("embedded")
+}
+
+func (a *AgentBrowserInstall) writeMeta(source string) error {
+	meta := AgentBrowserMeta{InstalledAt: time.Now().UTC(), Source: source, Version: a.version}
+	data, err := json.MarshalIndent(meta, "", "  ")
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(a.metaPath(), data, 0o644)
+}
+
+func agentBrowserPlatform(goos, goarch string) (string, error) {
+	switch goos {
+	case "darwin":
+		if goarch == "arm64" {
+			return "darwin-arm64", nil
+		}
+		if goarch == "amd64" {
+			return "darwin-x64", nil
+		}
+	case "linux":
+		if goarch == "arm64" {
+			return "linux-arm64", nil
+		}
+		if goarch == "amd64" {
+			return "linux-x64", nil
+		}
+	case "windows":
+		if goarch == "amd64" {
+			return "win32-x64", nil
+		}
+	}
+	return "", fmt.Errorf("unsupported platform for agent-browser: %s/%s", goos, goarch)
+}
diff --git a/browser/install_test.go b/browser/install_test.go
new file mode 100644
index 0000000..8c91455
--- /dev/null
+++ b/browser/install_test.go
@@ -0,0 +1,52 @@
+package browser
+
+import (
+	"context"
+	"os"
+	"testing"
+)
+
+func TestAgentBrowserPlatform(t *testing.T) {
+	tests := []struct {
+		goos string
+		arch string
+		want string
+	}{
+		{"darwin", "arm64", "darwin-arm64"},
+		{"darwin", "amd64", "darwin-x64"},
+		{"linux", "arm64", "linux-arm64"},
+		{"linux", "amd64", "linux-x64"},
+		{"windows", "amd64", "win32-x64"},
+	}
+	for _, tt := range tests {
+		got, err := agentBrowserPlatform(tt.goos, tt.arch)
+		if err != nil {
+			t.Fatalf("agentBrowserPlatform(%q, %q): %v", tt.goos, tt.arch, err)
+		}
+		if got != tt.want {
+			t.Fatalf("agentBrowserPlatform(%q, %q) = %q, want %q", tt.goos, tt.arch, got, tt.want)
+		}
+	}
+}
+
+func TestAgentBrowserExtract(t *testing.T) {
+	dir := t.TempDir()
+	install := NewAgentBrowserInstall(dir)
+	if err := install.Update(context.Background()); err != nil {
+		t.Fatal(err)
+	}
+	fi, err := os.Stat(install.binPath())
+	if err != nil {
+		t.Fatal(err)
+	}
+	if fi.Size() == 0 {
+		t.Fatal("extracted binary is empty")
+	}
+	meta, err := install.ReadMeta()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if meta == nil || meta.Source != "embedded" || meta.Version != AgentBrowserVersion {
+		t.Fatalf("meta = %#v", meta)
+	}
+}
diff --git a/browser/lightpanda.go b/browser/lightpanda.go
deleted file mode 100644
index 2e27c7e..0000000
--- a/browser/lightpanda.go
+++ /dev/null
@@ -1,317 +0,0 @@
-// Package browser manages alternative browser backends for CDP-based automation.
-package browser
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"net"
-	"net/http"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"runtime"
-	"time"
-)
-
-const (
-	lightpandaReleaseURL  = "https://github.com/lightpanda-io/browser/releases/download/nightly"
-	lightpandaDefaultPort = "9224"
-	lightpandaTimeout     = "180"
-)
-
-// Lightpanda manages the Lightpanda browser process.
-type Lightpanda struct {
-	cmd    *exec.Cmd
-	binDir string
-	port   string
-}
-
-// NewLightpanda creates a new Lightpanda manager.
-// binDir is where the binary is stored; if empty, defaults to ~/.cache/tap/lightpanda/.
-// port is the CDP port; if empty, defaults to 9222.
-func NewLightpanda(binDir, port string) *Lightpanda {
-	if binDir == "" {
-		home, _ := os.UserHomeDir()
-		binDir = filepath.Join(home, ".cache", "tap", "lightpanda")
-	}
-	if port == "" {
-		port = lightpandaDefaultPort
-	}
-	return &Lightpanda{binDir: binDir, port: port}
-}
-
-// WSURL returns the WebSocket URL for the running Lightpanda instance.
-func (lp *Lightpanda) WSURL() string {
-	return "ws://127.0.0.1:" + lp.port + "/"
-}
-
-// EnsureInstalled downloads the Lightpanda binary if it doesn't exist or is empty.
-func (lp *Lightpanda) EnsureInstalled(ctx context.Context) error {
-	bin := lp.binPath()
-	if fi, err := os.Stat(bin); err == nil && fi.Size() > 0 {
-		return nil // already installed
-	}
-
-	log.Println("downloading lightpanda browser")
-	return lp.download(ctx)
-}
-
-// Running reports whether the Lightpanda server is currently running.
-func (lp *Lightpanda) Running() bool {
-	return lp.cmd != nil
-}
-
-// Start launches the Lightpanda server and waits for it to be ready.
-// It is safe to call multiple times — subsequent calls are no-ops if already running.
-func (lp *Lightpanda) Start(ctx context.Context) error {
-	if lp.cmd != nil {
-		return nil
-	}
-
-	if err := lp.EnsureInstalled(ctx); err != nil {
-		return fmt.Errorf("ensure installed: %w", err)
-	}
-
-	// If the configured port is already in use, pick a free one.
-	if isPortInUse(lp.port) {
-		free, err := freePort()
-		if err != nil {
-			return fmt.Errorf("find free port: %w", err)
-		}
-		log.Printf("port %s in use, using %s", lp.port, free)
-		lp.port = free
-	}
-
-	bin := lp.binPath()
-	cmd := exec.CommandContext(ctx, bin, "--port", lp.port, "--timeout", lightpandaTimeout)
-	cmd.Stdout = io.Discard
-	cmd.Stderr = io.Discard
-
-	if err := cmd.Start(); err != nil {
-		return fmt.Errorf("start lightpanda: %w", err)
-	}
-
-	// Monitor process exit to detect early failures (e.g. port already in use).
-	exited := make(chan error, 1)
-	go func() { exited <- cmd.Wait() }()
-
-	if err := waitForPortOrExit(ctx, lp.port, 10*time.Second, exited); err != nil {
-		_ = cmd.Process.Kill()
-		<-exited
-		return err
-	}
-
-	lp.cmd = cmd
-	log.Printf("lightpanda browser ready: %s", lp.WSURL())
-	return nil
-}
-
-// Stop terminates the Lightpanda process.
-func (lp *Lightpanda) Stop() {
-	if lp.cmd == nil || lp.cmd.Process == nil {
-		return
-	}
-	_ = lp.cmd.Process.Kill()
-	_ = lp.cmd.Wait()
-	lp.cmd = nil
-	log.Println("lightpanda stopped")
-}
-
-// Cleanup removes the downloaded binary and its metadata.
-func (lp *Lightpanda) Cleanup() error {
-	bin := lp.binPath()
-	if err := os.Remove(bin); err != nil && !errors.Is(err, os.ErrNotExist) {
-		return fmt.Errorf("remove lightpanda binary: %w", err)
-	}
-	// Best-effort removal of metadata file.
-	_ = os.Remove(lp.metaPath())
-	return nil
-}
-
-// Meta holds metadata about the installed Lightpanda binary.
-type Meta struct {
-	DownloadedAt time.Time `json:"downloaded_at"`
-	URL          string    `json:"url"`
-}
-
-// Installed reports whether the Lightpanda binary exists and is non-empty.
-func (lp *Lightpanda) Installed() bool {
-	fi, err := os.Stat(lp.binPath())
-	return err == nil && fi.Size() > 0
-}
-
-// ReadMeta reads the metadata file for the installed binary.
-// Returns nil if no metadata file exists.
-func (lp *Lightpanda) ReadMeta() (*Meta, error) {
-	data, err := os.ReadFile(lp.metaPath())
-	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			return nil, nil
-		}
-		return nil, err
-	}
-	var m Meta
-	if err := json.Unmarshal(data, &m); err != nil {
-		return nil, err
-	}
-	return &m, nil
-}
-
-// Update re-downloads the Lightpanda binary regardless of whether it exists.
-func (lp *Lightpanda) Update(ctx context.Context) error {
-	log.Println("updating lightpanda browser")
-	return lp.download(ctx)
-}
-
-func (lp *Lightpanda) writeMeta(url string) error {
-	m := Meta{
-		DownloadedAt: time.Now().UTC(),
-		URL:          url,
-	}
-	data, err := json.MarshalIndent(m, "", "  ")
-	if err != nil {
-		return err
-	}
-	return os.WriteFile(lp.metaPath(), data, 0o644)
-}
-
-func (lp *Lightpanda) metaPath() string {
-	return lp.binPath() + ".meta.json"
-}
-
-func (lp *Lightpanda) binPath() string {
-	return filepath.Join(lp.binDir, "lightpanda")
-}
-
-func (lp *Lightpanda) download(ctx context.Context) error {
-	url, err := lightpandaNightlyURL()
-	if err != nil {
-		return err
-	}
-
-	// Create dir if needed.
-	if err := os.MkdirAll(lp.binDir, 0o755); err != nil {
-		return fmt.Errorf("create dir: %w", err)
-	}
-
-	bin := lp.binPath()
-	tmp := bin + ".tmp"
-
-	f, err := os.OpenFile(tmp, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o755)
-	if err != nil {
-		return fmt.Errorf("open file: %w", err)
-	}
-	defer func() {
-		_ = f.Close()
-		_ = os.Remove(tmp) // clean up on failure; no-op after successful rename
-	}()
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
-	if err != nil {
-		return fmt.Errorf("create request: %w", err)
-	}
-
-	client := &http.Client{}
-	defer client.CloseIdleConnections()
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return fmt.Errorf("download: %w", err)
-	}
-	defer func() { _ = resp.Body.Close() }()
-
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("download failed: HTTP %d", resp.StatusCode)
-	}
-
-	if _, err := io.Copy(f, resp.Body); err != nil {
-		return fmt.Errorf("write binary: %w", err)
-	}
-
-	if err := f.Close(); err != nil {
-		return fmt.Errorf("close file: %w", err)
-	}
-
-	if err := os.Rename(tmp, bin); err != nil {
-		return fmt.Errorf("rename binary: %w", err)
-	}
-
-	if err := lp.writeMeta(url); err != nil {
-		log.Printf("warning: failed to write metadata: %v", err)
-	}
-
-	log.Printf("lightpanda browser downloaded: %s", bin)
-	return nil
-}
-
-// lightpandaNightlyURL returns the download URL for the current OS/arch.
-func lightpandaNightlyURL() (string, error) {
-	var osName string
-	switch runtime.GOOS {
-	case "linux":
-		osName = "linux"
-	case "darwin":
-		osName = "macos"
-	default:
-		return "", fmt.Errorf("unsupported OS for lightpanda: %s", runtime.GOOS)
-	}
-
-	var arch string
-	switch runtime.GOARCH {
-	case "amd64":
-		arch = "x86_64"
-	case "arm64":
-		arch = "aarch64"
-	default:
-		return "", fmt.Errorf("unsupported arch for lightpanda: %s", runtime.GOARCH)
-	}
-
-	return fmt.Sprintf("%s/lightpanda-%s-%s", lightpandaReleaseURL, arch, osName), nil
-}
-
-func isPortInUse(port string) bool {
-	conn, err := net.DialTimeout("tcp", "127.0.0.1:"+port, 500*time.Millisecond)
-	if err != nil {
-		return false
-	}
-	_ = conn.Close()
-	return true
-}
-
-func freePort() (string, error) {
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		return "", err
-	}
-	defer func() { _ = ln.Close() }()
-	addr := ln.Addr().(*net.TCPAddr)
-	return fmt.Sprintf("%d", addr.Port), nil
-}
-
-// waitForPortOrExit polls until the port accepts connections or the process exits.
-func waitForPortOrExit(ctx context.Context, port string, timeout time.Duration, exited <-chan error) error {
-	deadline := time.Now().Add(timeout)
-	for time.Now().Before(deadline) {
-		select {
-		case err := <-exited:
-			if err != nil {
-				return fmt.Errorf("lightpanda exited: %w", err)
-			}
-			return fmt.Errorf("lightpanda exited unexpectedly")
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-		}
-		conn, err := net.DialTimeout("tcp", "127.0.0.1:"+port, 500*time.Millisecond)
-		if err == nil {
-			_ = conn.Close()
-			return nil
-		}
-		time.Sleep(200 * time.Millisecond)
-	}
-	return fmt.Errorf("timeout waiting for port %s", port)
-}
diff --git a/browser/lock.go b/browser/lock.go
deleted file mode 100644
index a5fefe7..0000000
--- a/browser/lock.go
+++ /dev/null
@@ -1,62 +0,0 @@
-//go:build !windows
-
-package browser
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"syscall"
-	"time"
-)
-
-type fileLock struct {
-	file *os.File
-}
-
-// lockFile acquires an exclusive file lock. It retries with LOCK_NB to avoid
-// blocking indefinitely if another process holds the lock and never releases it.
-func lockFile(path string) (*fileLock, error) {
-	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
-		return nil, fmt.Errorf("create lock dir: %w", err)
-	}
-
-	file, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0o600)
-	if err != nil {
-		return nil, fmt.Errorf("open lock file: %w", err)
-	}
-
-	// Retry with non-blocking flock to avoid hanging forever.
-	deadline := time.After(30 * time.Second)
-	ticker := time.NewTicker(50 * time.Millisecond)
-	defer ticker.Stop()
-
-	for {
-		err := syscall.Flock(int(file.Fd()), syscall.LOCK_EX|syscall.LOCK_NB)
-		if err == nil {
-			return &fileLock{file: file}, nil
-		}
-		if err != syscall.EWOULDBLOCK {
-			_ = file.Close()
-			return nil, fmt.Errorf("lock file: %w", err)
-		}
-		select {
-		case <-deadline:
-			_ = file.Close()
-			return nil, fmt.Errorf("lock file %s: timed out after 30s", filepath.Base(path))
-		case <-ticker.C:
-		}
-	}
-}
-
-func (l *fileLock) Unlock() error {
-	if l == nil || l.file == nil {
-		return nil
-	}
-	err := syscall.Flock(int(l.file.Fd()), syscall.LOCK_UN)
-	closeErr := l.file.Close()
-	if err != nil {
-		return err
-	}
-	return closeErr
-}
diff --git a/browser/lock_test.go b/browser/lock_test.go
deleted file mode 100644
index 638a8cc..0000000
--- a/browser/lock_test.go
+++ /dev/null
@@ -1,54 +0,0 @@
-//go:build !windows
-
-package browser
-
-import (
-	"testing"
-	"time"
-)
-
-func TestSessionLockSerializesConcurrentAccess(t *testing.T) {
-	store, err := NewStore(t.TempDir())
-	if err != nil {
-		t.Fatalf("NewStore failed: %v", err)
-	}
-
-	firstLocked := make(chan struct{})
-	releaseFirst := make(chan struct{})
-	secondDone := make(chan struct{})
-
-	go func() {
-		if err := store.WithSessionLock("alpha", func() error {
-			close(firstLocked)
-			<-releaseFirst
-			return nil
-		}); err != nil {
-			t.Errorf("first WithSessionLock failed: %v", err)
-		}
-	}()
-
-	<-firstLocked
-
-	go func() {
-		if err := store.WithSessionLock("alpha", func() error {
-			close(secondDone)
-			return nil
-		}); err != nil {
-			t.Errorf("second WithSessionLock failed: %v", err)
-		}
-	}()
-
-	select {
-	case <-secondDone:
-		t.Fatal("second session lock acquired before first lock released")
-	case <-time.After(75 * time.Millisecond):
-	}
-
-	close(releaseFirst)
-
-	select {
-	case <-secondDone:
-	case <-time.After(2 * time.Second):
-		t.Fatal("second session lock did not acquire after release")
-	}
-}
diff --git a/browser/lock_windows.go b/browser/lock_windows.go
deleted file mode 100644
index bde887f..0000000
--- a/browser/lock_windows.go
+++ /dev/null
@@ -1,83 +0,0 @@
-//go:build windows
-
-package browser
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-	"runtime"
-	"time"
-
-	"golang.org/x/sys/windows"
-)
-
-type fileLock struct {
-	file *os.File
-}
-
-// lockFile acquires an exclusive file lock on Windows using LockFileEx.
-// It retries with LOCKFILE_FAIL_IMMEDIATELY to avoid blocking indefinitely.
-func lockFile(path string) (*fileLock, error) {
-	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
-		return nil, fmt.Errorf("create lock dir: %w", err)
-	}
-
-	file, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0o600)
-	if err != nil {
-		return nil, fmt.Errorf("open lock file: %w", err)
-	}
-
-	// Overlay for LockFileEx — lock the entire file.
-	ol := new(windows.Overlapped)
-
-	deadline := time.After(30 * time.Second)
-	ticker := time.NewTicker(50 * time.Millisecond)
-	defer ticker.Stop()
-
-	for {
-		err := windows.LockFileEx(
-			windows.Handle(file.Fd()),
-			windows.LOCKFILE_EXCLUSIVE_LOCK|windows.LOCKFILE_FAIL_IMMEDIATELY,
-			0, // reserved
-			1, // lock 1 byte
-			0, // high-order bytes
-			ol,
-		)
-		if err == nil {
-			// Prevent GC from finalizing file before LockFileEx completes.
-			runtime.KeepAlive(file)
-			return &fileLock{file: file}, nil
-		}
-
-		// Only retry on ERROR_LOCK_VIOLATION (lock held by another process).
-		// Any other error is unexpected and should be returned immediately.
-		if !errors.Is(err, windows.ERROR_LOCK_VIOLATION) {
-			_ = file.Close()
-			return nil, fmt.Errorf("lock file: %w", err)
-		}
-
-		select {
-		case <-deadline:
-			_ = file.Close()
-			return nil, fmt.Errorf("lock file %s: timed out after 30s", filepath.Base(path))
-		case <-ticker.C:
-		}
-	}
-}
-
-func (l *fileLock) Unlock() error {
-	if l == nil || l.file == nil {
-		return nil
-	}
-	ol := new(windows.Overlapped)
-	err := windows.UnlockFileEx(windows.Handle(l.file.Fd()), 0, 1, 0, ol)
-	// Prevent GC from finalizing file before UnlockFileEx completes.
-	runtime.KeepAlive(l.file)
-	closeErr := l.file.Close()
-	if err != nil {
-		return err
-	}
-	return closeErr
-}
diff --git a/browser/manager.go b/browser/manager.go
deleted file mode 100644
index a6ef3dc..0000000
--- a/browser/manager.go
+++ /dev/null
@@ -1,1236 +0,0 @@
-package browser
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-	"sort"
-	"sync"
-	"time"
-
-	"github.com/chromedp/cdproto/cdp"
-)
-
-// SessionOptions holds optional settings for session creation.
-type SessionOptions struct {
-	// Headless controls whether a local browser launches headlessly.
-	Headless bool
-	// WSURL is the remote browser WebSocket endpoint (remote mode only).
-	WSURL string
-}
-
-// Manager coordinates browser session lifecycle, tab management, and
-// browser actions using the metadata store and CDP transport layer.
-type Manager struct {
-	store *Store
-
-	// interceptMu guards interceptCancel for concurrent access.
-	interceptMu sync.Mutex
-	// interceptCancel tracks the active Fetch domain interception cancel func
-	// per target (keyed by "session:tab"). When new rules are set, the previous
-	// cancel is called first to prevent goroutine leaks.
-	interceptCancel map[string]func()
-}
-
-// NewManager creates a session manager backed by the given store.
-func NewManager(store *Store) *Manager {
-	return &Manager{store: store, interceptCancel: make(map[string]func())}
-}
-
-// ---------------------------------------------------------------------------
-// Session lifecycle
-// ---------------------------------------------------------------------------
-
-// CreateSession launches or connects to a browser and persists session metadata.
-func (m *Manager) CreateSession(ctx context.Context, name string, mode Mode, opts SessionOptions) error {
-	if err := ValidateSessionName(name); err != nil {
-		return fmt.Errorf("create session: %w", err)
-	}
-	now := time.Now()
-
-	switch mode {
-	case ModeLocal:
-		profileDir := filepath.Join(m.store.Root(), "profiles", name)
-
-		proc, err := LaunchBrowser(ctx, LocalConfig{ProfileDir: profileDir, Headless: opts.Headless})
-		if err != nil {
-			return fmt.Errorf("create session: %w", err)
-		}
-
-		session, err := NewLocalSession(name, profileDir, opts.Headless, now)
-		if err != nil {
-			// Best-effort cleanup of the just-launched browser.
-			_ = KillProcess(proc)
-			return fmt.Errorf("create session: %w", err)
-		}
-		session.Process = proc
-
-		if err := m.store.Update(func(state *State) error {
-			if err := state.CreateSession(session); err != nil {
-				return err
-			}
-			if name == DefaultSessionName {
-				if err := state.SetDefaultContext(name, DefaultContextManaged, now); err != nil {
-					return err
-				}
-			}
-			return nil
-		}); err != nil {
-			_ = KillProcess(proc)
-			return fmt.Errorf("create session: %w", err)
-		}
-
-	case ModeRemote:
-		resolvedURL, err := ResolveDebugURL(ctx, opts.WSURL)
-		if err != nil {
-			return fmt.Errorf("create session: %w", err)
-		}
-		if err := checkDebugEndpoint(ctx, resolvedURL); err != nil {
-			return fmt.Errorf("create session: %w", err)
-		}
-
-		session, err := NewRemoteSession(name, resolvedURL, now)
-		if err != nil {
-			return fmt.Errorf("create session: %w", err)
-		}
-		session.Process = &ProcessRecord{DebugURL: resolvedURL}
-
-		if err := m.store.Update(func(state *State) error {
-			if err := state.CreateSession(session); err != nil {
-				return err
-			}
-			if name == DefaultSessionName {
-				if err := state.SetDefaultContext(name, DefaultContextAttached, now); err != nil {
-					return err
-				}
-			}
-			return nil
-		}); err != nil {
-			return fmt.Errorf("create session: %w", err)
-		}
-
-	default:
-		return fmt.Errorf("create session: unsupported mode %q", mode)
-	}
-
-	return nil
-}
-
-// CloseSession terminates a browser session, kills the local process if
-// applicable, and removes all related metadata.
-func (m *Manager) CloseSession(ctx context.Context, name string) error {
-	resolved, err := m.resolveSessionName(ctx, name, false)
-	if err != nil {
-		return fmt.Errorf("close session: %w", err)
-	}
-	name = resolved
-	return m.store.WithSessionLock(name, func() error {
-		// Phase 1: read process info under state lock.
-		var proc *ProcessRecord
-		var profileDir string
-		var isLocal bool
-		err := m.store.Update(func(state *State) error {
-			session, err := state.ResolveSession(name)
-			if err != nil {
-				return err
-			}
-			isLocal = session.Mode == ModeLocal
-			if session.Process != nil {
-				p := *session.Process
-				proc = &p
-			}
-			if session.Local != nil {
-				profileDir = session.Local.ProfileDir
-			}
-			return nil
-		})
-		if err != nil {
-			return fmt.Errorf("close session: %w", err)
-		}
-
-		// Phase 2: kill the local browser process outside the state lock.
-		if isLocal && proc != nil {
-			// Best-effort: don't fail if the process is already dead.
-			_ = KillProcess(proc)
-			// Only remove the profile after confirming the process is gone,
-			// so we don't delete files Chrome is still writing to.
-			if profileDir != "" && (proc.PID <= 0 || !isProcessAlive(proc.PID)) {
-				removeProfileDir(profileDir)
-			}
-		}
-
-		// Phase 3: atomically remove session from state.
-		return m.store.Update(func(state *State) error {
-			if err := state.DeleteSession(name); err != nil {
-				return fmt.Errorf("close session: %w", err)
-			}
-			return nil
-		})
-	})
-}
-
-// SessionList holds the result of listing sessions.
-type SessionList struct {
-	Sessions []*SessionRecord
-}
-
-// ListSessions returns all tracked sessions sorted by name.
-func (m *Manager) ListSessions(_ context.Context) (*SessionList, error) {
-	state, err := m.store.Load()
-	if err != nil {
-		return nil, fmt.Errorf("list sessions: %w", err)
-	}
-
-	sessions := make([]*SessionRecord, 0, len(state.Sessions))
-	for _, s := range state.Sessions {
-		sessions = append(sessions, s)
-	}
-	sort.Slice(sessions, func(i, j int) bool {
-		return sessions[i].Name < sessions[j].Name
-	})
-	return &SessionList{Sessions: sessions}, nil
-}
-
-// DefaultContext returns the persisted default browser context metadata.
-func (m *Manager) DefaultContext(_ context.Context) (*DefaultContextRecord, error) {
-	state, err := m.store.Load()
-	if err != nil {
-		return nil, fmt.Errorf("default context: %w", err)
-	}
-	return state.DefaultContext, nil
-}
-
-// SetDefaultContext persists the default browser context resolution.
-func (m *Manager) SetDefaultContext(_ context.Context, sessionName string, kind DefaultContextKind) error {
-	return m.store.Update(func(state *State) error {
-		return state.SetDefaultContext(sessionName, kind, time.Now())
-	})
-}
-
-// ClearDefaultContext removes the persisted default browser context.
-func (m *Manager) ClearDefaultContext(_ context.Context) error {
-	return m.store.Update(func(state *State) error {
-		state.ClearDefaultContext()
-		return nil
-	})
-}
-
-// GetSession resolves a session by name or the persisted default context.
-func (m *Manager) GetSession(_ context.Context, name string) (*SessionRecord, error) {
-	state, err := m.store.Load()
-	if err != nil {
-		return nil, fmt.Errorf("get session: %w", err)
-	}
-
-	session, err := state.ResolveSessionByPreference(name)
-	if err != nil {
-		return nil, fmt.Errorf("get session: %w", err)
-	}
-	return session, nil
-}
-
-// ---------------------------------------------------------------------------
-// Tab lifecycle
-// ---------------------------------------------------------------------------
-
-// CreateTab opens a new browser tab and tracks it in session metadata.
-func (m *Manager) CreateTab(ctx context.Context, sessionName string, tabName string, url string) error {
-	resolved, err := m.resolveSessionName(ctx, sessionName, true)
-	if err != nil {
-		return fmt.Errorf("create tab: %w", err)
-	}
-	sessionName = resolved
-
-	// Phase 1: resolve debug URL and check for duplicates under lock.
-	var debugURL string
-	err = m.store.UpdateSession(sessionName, func(_ *State, session *SessionRecord) error {
-		if _, exists := session.Tabs[tabName]; exists {
-			return fmt.Errorf("create tab: tab %q already exists in session %q", tabName, sessionName)
-		}
-		du, err := resolveDebugURL(session)
-		if err != nil {
-			return fmt.Errorf("create tab: %w", err)
-		}
-		debugURL = du
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	// Phase 2: create CDP target outside the state lock.
-	targetID, err := CreateTarget(ctx, debugURL, url)
-	if err != nil {
-		return fmt.Errorf("create tab: %w", err)
-	}
-
-	// Phase 3: persist tab metadata under lock. Re-check for duplicates
-	// since another CreateTab could have raced between Phase 1 and Phase 3.
-	// On any failure, best-effort close the orphaned CDP target.
-	err = m.store.UpdateSession(sessionName, func(state *State, session *SessionRecord) error {
-		if _, exists := session.Tabs[tabName]; exists {
-			return fmt.Errorf("create tab: tab %q already exists in session %q", tabName, sessionName)
-		}
-		now := time.Now()
-		tab, err := NewTab(tabName, targetID, url, now)
-		if err != nil {
-			return fmt.Errorf("create tab: %w", err)
-		}
-
-		if err := state.UpsertTab(sessionName, tab); err != nil {
-			return fmt.Errorf("create tab: %w", err)
-		}
-		return nil
-	})
-	if err != nil {
-		// Best-effort cleanup of the orphaned CDP target.
-		_ = CloseTarget(ctx, debugURL, targetID)
-		return err
-	}
-	return nil
-}
-
-// AdoptTab registers an existing CDP target as a tracked tab without creating
-// a new browser target. Use this to import pre-existing Electron windows or
-// other targets that were not launched by tap. targetID must be a live target
-// reachable through the session's debug URL.
-func (m *Manager) AdoptTab(ctx context.Context, sessionName string, tabName string, targetID string, url string) error {
-	resolved, err := m.resolveSessionName(ctx, sessionName, true)
-	if err != nil {
-		return fmt.Errorf("adopt tab: %w", err)
-	}
-	sessionName = resolved
-
-	now := time.Now()
-	return m.store.UpdateSession(sessionName, func(state *State, session *SessionRecord) error {
-		if _, exists := session.Tabs[tabName]; exists {
-			return fmt.Errorf("adopt tab: tab %q already exists in session %q", tabName, sessionName)
-		}
-		tab, err := NewTab(tabName, targetID, url, now)
-		if err != nil {
-			return fmt.Errorf("adopt tab: %w", err)
-		}
-		if err := state.UpsertTab(sessionName, tab); err != nil {
-			return fmt.Errorf("adopt tab: %w", err)
-		}
-		return nil
-	})
-}
-
-// CloseTab closes a browser tab and removes it from session metadata.
-func (m *Manager) CloseTab(ctx context.Context, sessionName string, tabName string) error {
-	resolved, err := m.resolveSessionName(ctx, sessionName, true)
-	if err != nil {
-		return fmt.Errorf("close tab: %w", err)
-	}
-	sessionName = resolved
-
-	// Phase 1: resolve tab info under lock.
-	var debugURL, targetID, resolvedTab string
-	var isLive bool
-	err = m.store.UpdateSession(sessionName, func(_ *State, session *SessionRecord) error {
-		tab, err := session.ResolveTab(tabName)
-		if err != nil {
-			return fmt.Errorf("close tab: %w", err)
-		}
-		resolvedTab = tab.Name
-		isLive = tab.Status == TabStatusLive && tab.TargetID != ""
-		if isLive {
-			du, err := resolveDebugURL(session)
-			if err != nil {
-				return fmt.Errorf("close tab: %w", err)
-			}
-			debugURL = du
-			targetID = tab.TargetID
-		}
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	// Phase 2: close the CDP target outside the lock.
-	if isLive {
-		if err := CloseTarget(ctx, debugURL, targetID); err != nil {
-			return fmt.Errorf("close tab: %w", err)
-		}
-	}
-
-	// Phase 3: remove tab metadata under lock.
-	return m.store.UpdateSession(sessionName, func(state *State, _ *SessionRecord) error {
-		if err := state.DeleteTab(sessionName, resolvedTab); err != nil {
-			return fmt.Errorf("close tab: %w", err)
-		}
-		return nil
-	})
-}
-
-// TabList holds the result of listing tabs including the current selection.
-type TabList struct {
-	Tabs        []*TabRecord
-	SelectedTab string
-}
-
-// ListTabs returns all tracked tabs for a session sorted by creation time.
-func (m *Manager) ListTabs(_ context.Context, sessionName string) (*TabList, error) {
-	state, err := m.store.Load()
-	if err != nil {
-		return nil, fmt.Errorf("list tabs: %w", err)
-	}
-
-	session, err := state.ResolveSessionByPreference(sessionName)
-	if err != nil {
-		return nil, fmt.Errorf("list tabs: %w", err)
-	}
-
-	tabs := make([]*TabRecord, 0, len(session.Tabs))
-	for _, t := range session.Tabs {
-		tabs = append(tabs, t)
-	}
-	sort.Slice(tabs, func(i, j int) bool {
-		if tabs[i].CreatedAt.Equal(tabs[j].CreatedAt) {
-			return tabs[i].Name < tabs[j].Name
-		}
-		return tabs[i].CreatedAt.Before(tabs[j].CreatedAt)
-	})
-	return &TabList{Tabs: tabs, SelectedTab: session.SelectedTab}, nil
-}
-
-// SelectTab persists the default tab used when --tab is omitted.
-func (m *Manager) SelectTab(ctx context.Context, sessionName string, tabName string) error {
-	resolved, err := m.resolveSessionName(ctx, sessionName, true)
-	if err != nil {
-		return fmt.Errorf("select tab: %w", err)
-	}
-	sessionName = resolved
-	return m.store.UpdateSession(sessionName, func(state *State, _ *SessionRecord) error {
-		if err := state.SelectTab(sessionName, tabName); err != nil {
-			return fmt.Errorf("select tab: %w", err)
-		}
-		return nil
-	})
-}
-
-// ---------------------------------------------------------------------------
-// Browser actions
-// ---------------------------------------------------------------------------
-
-// Navigate changes the URL of a tracked tab.
-func (m *Manager) Navigate(ctx context.Context, sessionName string, tabName string, url string) error {
-	resolved, err := m.resolveSessionName(ctx, sessionName, true)
-	if err != nil {
-		return fmt.Errorf("navigate: %w", err)
-	}
-	sessionName = resolved
-	// Phase 1: resolve session/tab under lock, release before CDP I/O.
-	var debugURL, targetID, resolvedSession, resolvedTab string
-	err = m.store.UpdateSession(sessionName, func(_ *State, session *SessionRecord) error {
-		tab, err := session.ResolveTab(tabName)
-		if err != nil {
-			return fmt.Errorf("navigate: %w", err)
-		}
-		if err := requireLiveTab(tab); err != nil {
-			return fmt.Errorf("navigate: %w", err)
-		}
-		du, err := resolveDebugURL(session)
-		if err != nil {
-			return fmt.Errorf("navigate: %w", err)
-		}
-		debugURL = du
-		targetID = tab.TargetID
-		resolvedSession = session.Name
-		resolvedTab = tab.Name
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	// Phase 2: CDP navigation outside any lock.
-	if err := NavigateTarget(ctx, debugURL, targetID, url); err != nil {
-		return fmt.Errorf("navigate: %w", err)
-	}
-
-	// Phase 3: persist URL update under lock.
-	return m.store.UpdateSession(resolvedSession, func(_ *State, session *SessionRecord) error {
-		tab, ok := session.Tabs[resolvedTab]
-		if !ok {
-			// Tab was deleted between Phase 2 and Phase 3. Navigation
-			// succeeded in the browser but we can't update metadata.
-			return fmt.Errorf("navigate: tab %q was removed during navigation", resolvedTab)
-		}
-		tab.URL = url
-		tab.UpdatedAt = time.Now().UTC()
-		return nil
-	})
-}
-
-// Evaluate runs JavaScript in a tracked tab and returns the result.
-func (m *Manager) Evaluate(ctx context.Context, sessionName string, tabName string, js string) (any, error) {
-	// Resolve session/tab under lock, then release before CDP I/O.
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "evaluate")
-	if err != nil {
-		return nil, err
-	}
-
-	result, err := EvalTarget(ctx, rt.DebugURL, rt.TargetID, js)
-	if err != nil {
-		return nil, fmt.Errorf("evaluate: %w", err)
-	}
-	return result, nil
-}
-
-// ScreenshotResult holds the screenshot data and resolved names.
-type ScreenshotResult struct {
-	Data        []byte
-	SessionName string
-	TabName     string
-}
-
-// Screenshot captures a full-page PNG of a tracked tab.
-func (m *Manager) Screenshot(ctx context.Context, sessionName string, tabName string) (*ScreenshotResult, error) {
-	// Resolve session/tab under lock, then release before CDP I/O.
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "screenshot")
-	if err != nil {
-		return nil, err
-	}
-
-	buf, err := ScreenshotTarget(ctx, rt.DebugURL, rt.TargetID)
-	if err != nil {
-		return nil, fmt.Errorf("screenshot: %w", err)
-	}
-	return &ScreenshotResult{Data: buf, SessionName: rt.SessionName, TabName: rt.TabName}, nil
-}
-
-// Forms discovers fillable form elements in a tracked tab.
-func (m *Manager) Forms(ctx context.Context, sessionName string, tabName string) ([]FormField, error) {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "forms")
-	if err != nil {
-		return nil, err
-	}
-
-	fields, err := FormsTarget(ctx, rt.DebugURL, rt.TargetID)
-	if err != nil {
-		return nil, fmt.Errorf("forms: %w", err)
-	}
-	return fields, nil
-}
-
-// Fill sets values in form fields of a tracked tab.
-func (m *Manager) Fill(ctx context.Context, sessionName string, tabName string, fields []FillField, submitSelector string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "fill")
-	if err != nil {
-		return err
-	}
-
-	if err := FillTarget(ctx, rt.DebugURL, rt.TargetID, fields, submitSelector); err != nil {
-		return fmt.Errorf("fill: %w", err)
-	}
-	return nil
-}
-
-// FillInput represents a fill target (CSS selector or snapshot ref) and value.
-type FillInput struct {
-	Target string
-	Value  string
-}
-
-// Snapshot captures and persists the latest semantic page snapshot for a tab.
-func (m *Manager) Snapshot(ctx context.Context, sessionName string, tabName string, opts SnapshotOptions) (*SnapshotResult, error) {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "snapshot")
-	if err != nil {
-		return nil, err
-	}
-	result, err := SnapshotTarget(ctx, rt.DebugURL, rt.TargetID, opts)
-	if err != nil {
-		return nil, fmt.Errorf("snapshot: %w", err)
-	}
-	result.GeneratedAt = time.Now().UTC()
-	if err := m.saveSnapshot(rt.SessionName, rt.TabName, result); err != nil {
-		return nil, err
-	}
-	return result, nil
-}
-
-// PDFResult holds the PDF data and resolved names.
-type PDFResult struct {
-	Data        []byte
-	SessionName string
-	TabName     string
-}
-
-// PDF saves the current page as PDF from a tracked tab.
-func (m *Manager) PDF(ctx context.Context, sessionName string, tabName string, landscape bool, printBackground bool, scale float64) (*PDFResult, error) {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "pdf")
-	if err != nil {
-		return nil, err
-	}
-	buf, err := PDFTarget(ctx, rt.DebugURL, rt.TargetID, landscape, printBackground, scale)
-	if err != nil {
-		return nil, fmt.Errorf("pdf: %w", err)
-	}
-	return &PDFResult{Data: buf, SessionName: rt.SessionName, TabName: rt.TabName}, nil
-}
-
-// Click dispatches a real mouse click on the element matching sel in a tracked tab.
-func (m *Manager) Click(ctx context.Context, sessionName string, tabName string, sel string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "click")
-	if err != nil {
-		return err
-	}
-	if err := ClickTarget(ctx, rt.DebugURL, rt.TargetID, sel); err != nil {
-		return fmt.Errorf("click: %w", err)
-	}
-	return nil
-}
-
-// ClickElement clicks an element by CSS selector or snapshot ref (e.g. @e12).
-func (m *Manager) ClickElement(ctx context.Context, sessionName, tabName, arg string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "click")
-	if err != nil {
-		return err
-	}
-	selector, backendNodeID, err := m.resolveElementArg(ctx, rt, arg)
-	if err != nil {
-		return err
-	}
-	if backendNodeID > 0 {
-		if err := ClickTargetByBackendNodeID(ctx, rt.DebugURL, rt.TargetID, backendNodeID); err != nil {
-			return fmt.Errorf("click: %w", err)
-		}
-		return nil
-	}
-	if err := ClickTarget(ctx, rt.DebugURL, rt.TargetID, selector); err != nil {
-		return fmt.Errorf("click: %w", err)
-	}
-	return nil
-}
-
-// Type sends individual key events to the element matching sel in a tracked tab.
-func (m *Manager) Type(ctx context.Context, sessionName string, tabName string, sel string, text string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "type")
-	if err != nil {
-		return err
-	}
-	if err := TypeTarget(ctx, rt.DebugURL, rt.TargetID, sel, text); err != nil {
-		return fmt.Errorf("type: %w", err)
-	}
-	return nil
-}
-
-// TypeElement types into an element by CSS selector or snapshot ref.
-func (m *Manager) TypeElement(ctx context.Context, sessionName, tabName, arg, text string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "type")
-	if err != nil {
-		return err
-	}
-	selector, backendNodeID, err := m.resolveElementArg(ctx, rt, arg)
-	if err != nil {
-		return err
-	}
-	if backendNodeID > 0 {
-		if err := TypeTargetByBackendNodeID(ctx, rt.DebugURL, rt.TargetID, backendNodeID, text); err != nil {
-			return fmt.Errorf("type: %w", err)
-		}
-		return nil
-	}
-	if err := TypeTarget(ctx, rt.DebugURL, rt.TargetID, selector, text); err != nil {
-		return fmt.Errorf("type: %w", err)
-	}
-	return nil
-}
-
-// Hover moves the mouse to the element matching sel in a tracked tab.
-func (m *Manager) Hover(ctx context.Context, sessionName string, tabName string, sel string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "hover")
-	if err != nil {
-		return err
-	}
-	if err := HoverTarget(ctx, rt.DebugURL, rt.TargetID, sel); err != nil {
-		return fmt.Errorf("hover: %w", err)
-	}
-	return nil
-}
-
-// Scroll scrolls to the element matching sel, or to absolute x,y if sel is empty.
-func (m *Manager) Scroll(ctx context.Context, sessionName string, tabName string, sel string, x, y float64) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "scroll")
-	if err != nil {
-		return err
-	}
-	if err := ScrollTarget(ctx, rt.DebugURL, rt.TargetID, sel, x, y); err != nil {
-		return fmt.Errorf("scroll: %w", err)
-	}
-	return nil
-}
-
-// Select selects an option by value in a <select> element in a tracked tab.
-func (m *Manager) Select(ctx context.Context, sessionName string, tabName string, sel string, value string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "select")
-	if err != nil {
-		return err
-	}
-	if err := SelectTarget(ctx, rt.DebugURL, rt.TargetID, sel, value); err != nil {
-		return fmt.Errorf("select: %w", err)
-	}
-	return nil
-}
-
-// SelectElement selects option value by CSS selector or snapshot ref.
-func (m *Manager) SelectElement(ctx context.Context, sessionName, tabName, arg, value string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "select")
-	if err != nil {
-		return err
-	}
-	selector, backendNodeID, err := m.resolveElementArg(ctx, rt, arg)
-	if err != nil {
-		return err
-	}
-	if backendNodeID > 0 {
-		if err := SelectTargetByBackendNodeID(ctx, rt.DebugURL, rt.TargetID, backendNodeID, value); err != nil {
-			return fmt.Errorf("select: %w", err)
-		}
-		return nil
-	}
-	if err := SelectTarget(ctx, rt.DebugURL, rt.TargetID, selector, value); err != nil {
-		return fmt.Errorf("select: %w", err)
-	}
-	return nil
-}
-
-// FillElements fills values by CSS selector or snapshot refs.
-func (m *Manager) FillElements(ctx context.Context, sessionName, tabName string, inputs []FillInput, submitArg string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "fill")
-	if err != nil {
-		return err
-	}
-
-	selectorFields := make([]FillField, 0, len(inputs))
-	for _, in := range inputs {
-		selector, backendNodeID, err := m.resolveElementArg(ctx, rt, in.Target)
-		if err != nil {
-			return err
-		}
-		if backendNodeID > 0 {
-			if err := FillTargetByBackendNodeID(ctx, rt.DebugURL, rt.TargetID, backendNodeID, in.Value); err != nil {
-				return fmt.Errorf("fill: %w", err)
-			}
-			continue
-		}
-		selectorFields = append(selectorFields, FillField{Selector: selector, Value: in.Value})
-	}
-
-	submitSelector := submitArg
-	var submitBackendNodeID cdp.BackendNodeID
-	if isElementRef(submitArg) {
-		selector, backendNodeID, err := m.resolveElementArg(ctx, rt, submitArg)
-		if err != nil {
-			return err
-		}
-		if backendNodeID > 0 {
-			submitBackendNodeID = backendNodeID
-			submitSelector = ""
-		} else {
-			submitSelector = selector
-		}
-	}
-
-	if len(selectorFields) > 0 || submitSelector != "" {
-		if err := FillTarget(ctx, rt.DebugURL, rt.TargetID, selectorFields, submitSelector); err != nil {
-			return fmt.Errorf("fill: %w", err)
-		}
-	}
-	if submitBackendNodeID > 0 {
-		if err := ClickTargetByBackendNodeID(ctx, rt.DebugURL, rt.TargetID, submitBackendNodeID); err != nil {
-			return fmt.Errorf("fill submit: %w", err)
-		}
-	}
-	return nil
-}
-
-// WaitFor waits until the element matching sel is visible in a tracked tab.
-func (m *Manager) WaitFor(ctx context.Context, sessionName string, tabName string, sel string, timeout time.Duration) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "wait")
-	if err != nil {
-		return err
-	}
-	if err := WaitForTarget(ctx, rt.DebugURL, rt.TargetID, sel, timeout); err != nil {
-		return fmt.Errorf("wait: %w", err)
-	}
-	return nil
-}
-
-func (m *Manager) resolveElementArg(ctx context.Context, rt resolvedTarget, arg string) (string, cdp.BackendNodeID, error) {
-	if !isElementRef(arg) {
-		return arg, 0, nil
-	}
-	s, err := m.loadSnapshot(rt.SessionName, rt.TabName)
-	if err != nil {
-		return "", 0, fmt.Errorf("resolve %s: snapshot not found, run 'tap browser snapshot' first: %w", arg, err)
-	}
-	if err := ensureSnapshotFresh(ctx, rt.DebugURL, rt.TargetID, s); err != nil {
-		return "", 0, fmt.Errorf("resolve %s: %w", arg, err)
-	}
-	for _, ref := range s.Refs {
-		if ref.Ref != arg {
-			continue
-		}
-		if ref.BackendDOMNodeID > 0 {
-			return ref.SelectorHint, cdp.BackendNodeID(ref.BackendDOMNodeID), nil
-		}
-		if ref.SelectorHint != "" {
-			return ref.SelectorHint, 0, nil
-		}
-		return "", 0, fmt.Errorf("resolve %s: missing backend node ID", arg)
-	}
-	return "", 0, fmt.Errorf("resolve %s: ref not found in latest snapshot", arg)
-}
-
-func ensureSnapshotFresh(ctx context.Context, debugURL, targetID string, snapshot *SnapshotResult) error {
-	if snapshot == nil {
-		return fmt.Errorf("snapshot not found, run 'tap browser snapshot' first")
-	}
-	if snapshot.DocumentKey == "" {
-		return fmt.Errorf("snapshot is missing document metadata, run 'tap browser snapshot' again")
-	}
-	currentKey, err := documentKey(ctx, debugURL, targetID)
-	if err != nil {
-		return fmt.Errorf("validate snapshot freshness: %w", err)
-	}
-	if currentKey != snapshot.DocumentKey {
-		return fmt.Errorf("snapshot is stale for the current page, run 'tap browser snapshot' again")
-	}
-	return nil
-}
-
-func documentKey(ctx context.Context, debugURL, targetID string) (string, error) {
-	meta, err := EvalTarget(ctx, debugURL, targetID, `({
-  key: [location.href, performance.timeOrigin || 0, document.body ? document.body.childElementCount : 0].join("|")
-})`)
-	if err != nil {
-		return "", err
-	}
-	m, ok := meta.(map[string]any)
-	if !ok {
-		return "", fmt.Errorf("unexpected metadata result type %T", meta)
-	}
-	key, ok := m["key"].(string)
-	if !ok || key == "" {
-		return "", fmt.Errorf("missing document key")
-	}
-	return key, nil
-}
-
-// Back navigates the tracked tab backwards in history.
-func (m *Manager) Back(ctx context.Context, sessionName string, tabName string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "back")
-	if err != nil {
-		return err
-	}
-	if err := BackTarget(ctx, rt.DebugURL, rt.TargetID); err != nil {
-		return fmt.Errorf("back: %w", err)
-	}
-	return nil
-}
-
-// Forward navigates the tracked tab forwards in history.
-func (m *Manager) Forward(ctx context.Context, sessionName string, tabName string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "forward")
-	if err != nil {
-		return err
-	}
-	if err := ForwardTarget(ctx, rt.DebugURL, rt.TargetID); err != nil {
-		return fmt.Errorf("forward: %w", err)
-	}
-	return nil
-}
-
-// Reload reloads the current page in a tracked tab.
-func (m *Manager) Reload(ctx context.Context, sessionName string, tabName string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "reload")
-	if err != nil {
-		return err
-	}
-	if err := ReloadTarget(ctx, rt.DebugURL, rt.TargetID); err != nil {
-		return fmt.Errorf("reload: %w", err)
-	}
-	return nil
-}
-
-// Keypress sends key events to the page in a tracked tab.
-func (m *Manager) Keypress(ctx context.Context, sessionName string, tabName string, keys string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "keypress")
-	if err != nil {
-		return err
-	}
-	if err := KeypressTarget(ctx, rt.DebugURL, rt.TargetID, keys); err != nil {
-		return fmt.Errorf("keypress: %w", err)
-	}
-	return nil
-}
-
-// Dialog accepts or dismisses a pending JavaScript dialog in a tracked tab.
-func (m *Manager) Dialog(ctx context.Context, sessionName string, tabName string, accept bool, promptText string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "dialog")
-	if err != nil {
-		return err
-	}
-	if err := DialogTarget(ctx, rt.DebugURL, rt.TargetID, accept, promptText); err != nil {
-		return fmt.Errorf("dialog: %w", err)
-	}
-	return nil
-}
-
-// GetCookies returns all cookies for the current page in a tracked tab.
-func (m *Manager) GetCookies(ctx context.Context, sessionName string, tabName string) ([]CookieEntry, error) {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "cookies get")
-	if err != nil {
-		return nil, err
-	}
-	cookies, err := GetCookiesTarget(ctx, rt.DebugURL, rt.TargetID)
-	if err != nil {
-		return nil, fmt.Errorf("cookies get: %w", err)
-	}
-	return cookies, nil
-}
-
-// SetCookie sets a cookie in a tracked tab.
-func (m *Manager) SetCookie(ctx context.Context, sessionName string, tabName string, name, value, domain, path string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "cookies set")
-	if err != nil {
-		return err
-	}
-	if err := SetCookieTarget(ctx, rt.DebugURL, rt.TargetID, name, value, domain, path); err != nil {
-		return fmt.Errorf("cookies set: %w", err)
-	}
-	return nil
-}
-
-// ClearCookies deletes all cookies for the current page in a tracked tab.
-func (m *Manager) ClearCookies(ctx context.Context, sessionName string, tabName string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "cookies clear")
-	if err != nil {
-		return err
-	}
-	if err := ClearCookiesTarget(ctx, rt.DebugURL, rt.TargetID); err != nil {
-		return fmt.Errorf("cookies clear: %w", err)
-	}
-	return nil
-}
-
-// NetworkWait blocks until a network request matching the filter completes in a
-// tracked tab. If includeBody is true, the response body is fetched before
-// returning. The caller controls the timeout via ctx.
-func (m *Manager) NetworkWait(ctx context.Context, sessionName string, tabName string, filter NetworkFilter, includeBody bool) (*NetworkEntry, error) {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "network wait")
-	if err != nil {
-		return nil, err
-	}
-
-	entry, err := WaitForRequest(ctx, rt.DebugURL, rt.TargetID, filter, includeBody)
-	if err != nil {
-		return nil, fmt.Errorf("network wait: %w", err)
-	}
-	return entry, nil
-}
-
-// NetworkGetBody fetches the response body for a completed request by its
-// request ID from a tracked tab.
-func (m *Manager) NetworkGetBody(ctx context.Context, sessionName string, tabName string, requestID string) ([]byte, error) {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "network body")
-	if err != nil {
-		return nil, err
-	}
-
-	body, err := GetResponseBody(ctx, rt.DebugURL, rt.TargetID, requestID)
-	if err != nil {
-		return nil, fmt.Errorf("network body: %w", err)
-	}
-	return body, nil
-}
-
-// NetworkLog starts capturing network requests for a tracked tab and streams
-// completed entries to the returned channel. Call cancel to stop capturing.
-func (m *Manager) NetworkLog(ctx context.Context, sessionName string, tabName string, filter NetworkFilter) (<-chan NetworkEntry, func(), error) {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "network log")
-	if err != nil {
-		return nil, nil, err
-	}
-
-	ch, cancel, err := EnableNetworkLog(ctx, rt.DebugURL, rt.TargetID, filter)
-	if err != nil {
-		return nil, nil, fmt.Errorf("network log: %w", err)
-	}
-	return ch, cancel, nil
-}
-
-// interceptKey returns the map key for tracking intercept cancel funcs.
-func interceptKey(session, tab string) string {
-	return session + ":" + tab
-}
-
-// cancelIntercept cancels and removes any active interception for the given key.
-func (m *Manager) cancelIntercept(key string) {
-	m.interceptMu.Lock()
-	if prev, ok := m.interceptCancel[key]; ok {
-		prev()
-		delete(m.interceptCancel, key)
-	}
-	m.interceptMu.Unlock()
-}
-
-// NetworkIntercept sets Fetch domain interception rules on a tracked tab.
-// Replaces any previously set rules (cancels the old interception goroutine).
-func (m *Manager) NetworkIntercept(ctx context.Context, sessionName string, tabName string, rules []InterceptRule) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "network intercept")
-	if err != nil {
-		return err
-	}
-
-	key := interceptKey(rt.SessionName, rt.TabName)
-	m.cancelIntercept(key)
-
-	cancel, err := SetInterceptRules(ctx, rt.DebugURL, rt.TargetID, rules)
-	if err != nil {
-		return fmt.Errorf("network intercept: %w", err)
-	}
-	m.interceptMu.Lock()
-	m.interceptCancel[key] = cancel
-	m.interceptMu.Unlock()
-	return nil
-}
-
-// NetworkClearIntercept removes all Fetch domain interception rules from a
-// tracked tab.
-func (m *Manager) NetworkClearIntercept(ctx context.Context, sessionName string, tabName string) error {
-	rt, err := m.resolveTarget(ctx, sessionName, tabName, "network clear")
-	if err != nil {
-		return err
-	}
-
-	m.cancelIntercept(interceptKey(rt.SessionName, rt.TabName))
-
-	if err := ClearIntercept(ctx, rt.DebugURL, rt.TargetID); err != nil {
-		return fmt.Errorf("network clear: %w", err)
-	}
-	return nil
-}
-
-// ---------------------------------------------------------------------------
-// Reconciliation
-// ---------------------------------------------------------------------------
-
-// Reconcile refreshes tab liveness by comparing metadata against live CDP targets.
-func (m *Manager) Reconcile(ctx context.Context, sessionName string) error {
-	resolved, err := m.resolveSessionName(ctx, sessionName, true)
-	if err != nil {
-		return fmt.Errorf("reconcile: %w", err)
-	}
-	sessionName = resolved
-
-	// Phase 1: resolve debug URL under lock.
-	var debugURL string
-	err = m.store.UpdateSession(sessionName, func(_ *State, session *SessionRecord) error {
-		du, err := resolveDebugURL(session)
-		if err != nil {
-			return fmt.Errorf("reconcile: %w", err)
-		}
-		debugURL = du
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	// Phase 2: list live CDP targets outside the lock.
-	targets, err := ListTargets(ctx, debugURL)
-	if err != nil {
-		return fmt.Errorf("reconcile: %w", err)
-	}
-
-	targetIDs := make([]string, len(targets))
-	for i, t := range targets {
-		targetIDs[i] = t.TargetID
-	}
-
-	// Phase 3: reconcile metadata under lock.
-	now := time.Now()
-	return m.store.UpdateSession(sessionName, func(state *State, _ *SessionRecord) error {
-		if err := state.ReconcileSession(sessionName, targetIDs, now); err != nil {
-			return fmt.Errorf("reconcile: %w", err)
-		}
-		return nil
-	})
-}
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-// ResolveTarget resolves a session and tab to their CDP connection details.
-// Exported for commands that need direct CDP access (e.g., text extraction).
-func (m *Manager) ResolveTarget(ctx context.Context, sessionName string, tabName string) (ResolvedTarget, error) {
-	return m.resolveTarget(ctx, sessionName, tabName, "resolve")
-}
-
-// ResolvedTarget holds the result of resolving a session and tab for CDP I/O.
-type ResolvedTarget = resolvedTarget
-
-// resolvedTarget holds the result of resolving a session and tab for CDP I/O.
-type resolvedTarget struct {
-	DebugURL    string
-	TargetID    string
-	SessionName string
-	TabName     string
-}
-
-// resolveTarget resolves a session and tab under lock and returns the debug URL,
-// target ID, and resolved names for use outside the lock during CDP I/O.
-func (m *Manager) resolveTarget(ctx context.Context, sessionName string, tabName string, op string) (resolvedTarget, error) {
-	resolved, err := m.resolveSessionName(ctx, sessionName, true)
-	if err != nil {
-		return resolvedTarget{}, fmt.Errorf("%s: %w", op, err)
-	}
-	sessionName = resolved
-	var rt resolvedTarget
-	var mode Mode
-	rt.SessionName = sessionName
-	err = m.store.WithSessionLock(sessionName, func() error {
-		state, err := m.store.Load()
-		if err != nil {
-			return err
-		}
-		session, err := state.ResolveSession(sessionName)
-		if err != nil {
-			return err
-		}
-		mode = session.Mode
-		tab, err := session.ResolveTab(tabName)
-		if err != nil {
-			return err
-		}
-		if err := requireLiveTab(tab); err != nil {
-			return err
-		}
-		du, err := resolveDebugURL(session)
-		if err != nil {
-			return err
-		}
-		rt.DebugURL = du
-		rt.TargetID = tab.TargetID
-		rt.TabName = tab.Name
-		return nil
-	})
-	if err != nil {
-		return resolvedTarget{}, fmt.Errorf("%s: %w", op, err)
-	}
-	if mode == ModeRemote {
-		if err := checkDebugEndpoint(ctx, rt.DebugURL); err != nil {
-			markErr := m.markSessionStale(sessionName, fmt.Sprintf("debug endpoint unreachable: %v", err))
-			if markErr != nil {
-				return resolvedTarget{}, fmt.Errorf("%s: %w (also failed to mark session stale: %v)", op, err, markErr)
-			}
-			return resolvedTarget{}, fmt.Errorf("%s: remote session %q is unreachable: %w", op, sessionName, err)
-		}
-		_ = m.markSessionHealthy(sessionName)
-	}
-	return rt, nil
-}
-
-// resolveSessionName resolves an optional session name to a concrete name.
-// When name is empty it defaults to "default", auto-creating a headless
-// session if one does not yet exist. Set autoCreate to false (e.g. for
-// CloseSession) to skip the auto-creation step.
-func (m *Manager) resolveSessionName(ctx context.Context, name string, autoCreate bool) (string, error) {
-	state, err := m.store.Load()
-	if err != nil {
-		return "", err
-	}
-	if name != "" {
-		session, err := state.ResolveSession(name)
-		if err != nil {
-			return "", err
-		}
-		return session.Name, nil
-	}
-
-	if session, err := state.ResolveSessionByPreference(""); err == nil {
-		return session.Name, nil
-	} else if state.DefaultContext != nil {
-		return "", err
-	}
-
-	if !autoCreate {
-		return "", fmt.Errorf("%w: %s", ErrSessionNotFound, DefaultSessionName)
-	}
-
-	// Auto-create the managed local default session only when no persisted
-	// default context exists. This preserves explicit attached-context failures.
-	if err := m.CreateSession(ctx, DefaultSessionName, ModeLocal, SessionOptions{Headless: true}); err != nil {
-		if s, loadErr := m.store.Load(); loadErr == nil {
-			if session, resolveErr := s.ResolveSessionByPreference(""); resolveErr == nil {
-				return session.Name, nil
-			}
-		}
-		return "", fmt.Errorf("auto-create default session: %w", err)
-	}
-	return DefaultSessionName, nil
-}
-
-// resolveDebugURL extracts the CDP debug endpoint from session metadata.
-func resolveDebugURL(session *SessionRecord) (string, error) {
-	if session.Process != nil && session.Process.DebugURL != "" {
-		return session.Process.DebugURL, nil
-	}
-	if session.Mode == ModeRemote && session.Remote != nil {
-		return session.Remote.WSURL, nil
-	}
-	return "", fmt.Errorf("session %q has no debug endpoint", session.Name)
-}
-
-// markSessionStale reconciles a session to an all-stale state and annotates the
-// persisted default context when it points at the same session.
-func (m *Manager) markSessionStale(sessionName string, reason string) error {
-	now := time.Now()
-	return m.store.UpdateSession(sessionName, func(state *State, _ *SessionRecord) error {
-		if err := state.ReconcileSession(sessionName, nil, now); err != nil {
-			return err
-		}
-		state.MarkDefaultContextStale(sessionName, reason, now)
-		return nil
-	})
-}
-
-// markSessionHealthy clears any stale marker from the persisted default context.
-func (m *Manager) markSessionHealthy(sessionName string) error {
-	now := time.Now()
-	return m.store.Update(func(state *State) error {
-		state.MarkDefaultContextHealthy(sessionName, now)
-		return nil
-	})
-}
-
-// requireLiveTab ensures a tab is in a usable state for browser actions.
-func requireLiveTab(tab *TabRecord) error {
-	if tab.Status != TabStatusLive {
-		return fmt.Errorf("tab %q is %s, not live", tab.Name, tab.Status)
-	}
-	if tab.TargetID == "" {
-		return fmt.Errorf("tab %q has no target ID", tab.Name)
-	}
-	return nil
-}
-
-// removeProfileDir removes a Chrome profile directory with a retry loop to
-// handle transient file locks (e.g., antivirus or indexing services on Windows).
-func removeProfileDir(dir string) {
-	for range 3 {
-		if err := os.RemoveAll(dir); err == nil {
-			return
-		}
-		time.Sleep(500 * time.Millisecond)
-	}
-	// Final best-effort attempt.
-	_ = os.RemoveAll(dir)
-}
diff --git a/browser/manager_test.go b/browser/manager_test.go
deleted file mode 100644
index 3d5d5fc..0000000
--- a/browser/manager_test.go
+++ /dev/null
@@ -1,255 +0,0 @@
-package browser
-
-import (
-	"testing"
-	"time"
-)
-
-func testStore(t *testing.T) *Store {
-	t.Helper()
-	store, err := NewStore(t.TempDir())
-	if err != nil {
-		t.Fatal(err)
-	}
-	return store
-}
-
-func TestManagerCreateSessionLocalValidation(t *testing.T) {
-	store := testStore(t)
-	mgr := NewManager(store)
-
-	// Empty name should fail validation.
-	err := mgr.CreateSession(t.Context(), "", ModeLocal, SessionOptions{})
-	if err == nil {
-		t.Fatal("CreateSession with empty name should return error")
-	}
-
-	// Invalid name (spaces) should fail.
-	err = mgr.CreateSession(t.Context(), "bad name", ModeLocal, SessionOptions{})
-	if err == nil {
-		t.Fatal("CreateSession with invalid name should return error")
-	}
-}
-
-func TestManagerCreateSessionRemoteInvalidEndpoint(t *testing.T) {
-	store := testStore(t)
-	mgr := NewManager(store)
-
-	// Unreachable endpoint should fail.
-	err := mgr.CreateSession(t.Context(), "remote1", ModeRemote, SessionOptions{
-		WSURL: "ws://127.0.0.1:1/devtools/browser/unreachable",
-	})
-	if err == nil {
-		t.Fatal("CreateSession with unreachable remote endpoint should return error")
-	}
-}
-
-func TestManagerListSessionsEmpty(t *testing.T) {
-	store := testStore(t)
-	mgr := NewManager(store)
-
-	list, err := mgr.ListSessions(t.Context())
-	if err != nil {
-		t.Fatalf("ListSessions error: %v", err)
-	}
-	if len(list.Sessions) != 0 {
-		t.Fatalf("ListSessions = %d sessions, want 0", len(list.Sessions))
-	}
-}
-
-func TestManagerGetSessionUsesPersistedDefaultContext(t *testing.T) {
-	store := testStore(t)
-	mgr := NewManager(store)
-	now := time.Date(2026, 4, 1, 10, 0, 0, 0, time.UTC)
-
-	err := store.Update(func(state *State) error {
-		def, err := NewLocalSession(DefaultSessionName, store.Root()+"/profiles/default", true, now)
-		if err != nil {
-			return err
-		}
-		other, err := NewRemoteSession("other", "wss://remote:9222/devtools/browser/1", now)
-		if err != nil {
-			return err
-		}
-		if err := state.CreateSession(def); err != nil {
-			return err
-		}
-		if err := state.CreateSession(other); err != nil {
-			return err
-		}
-		return state.SetDefaultContext("other", DefaultContextAttached, now)
-	})
-	if err != nil {
-		t.Fatalf("seed sessions: %v", err)
-	}
-
-	session, err := mgr.GetSession(t.Context(), "")
-	if err != nil {
-		t.Fatalf("GetSession error: %v", err)
-	}
-	if session.Name != "other" {
-		t.Fatalf("GetSession(\"\") = %q, want other", session.Name)
-	}
-}
-
-func TestManagerGetSessionResolution(t *testing.T) {
-	store := testStore(t)
-	mgr := NewManager(store)
-	now := time.Date(2026, 4, 1, 10, 0, 0, 0, time.UTC)
-
-	// Insert a "default" session and another session.
-	err := store.Update(func(state *State) error {
-		s1, err := NewLocalSession(DefaultSessionName, store.Root()+"/profiles/default", true, now)
-		if err != nil {
-			return err
-		}
-		if err := state.CreateSession(s1); err != nil {
-			return err
-		}
-
-		s2, err := NewRemoteSession("other", "wss://remote:9222/devtools/browser/1", now)
-		if err != nil {
-			return err
-		}
-		return state.CreateSession(s2)
-	})
-	if err != nil {
-		t.Fatalf("seed sessions: %v", err)
-	}
-
-	// GetSession with empty name should resolve to "default".
-	session, err := mgr.GetSession(t.Context(), "")
-	if err != nil {
-		t.Fatalf("GetSession error: %v", err)
-	}
-	if session.Name != DefaultSessionName {
-		t.Fatalf("GetSession(\"\") = %q, want %q", session.Name, DefaultSessionName)
-	}
-
-	// GetSession with explicit name should resolve correctly.
-	session, err = mgr.GetSession(t.Context(), "other")
-	if err != nil {
-		t.Fatalf("GetSession(other) error: %v", err)
-	}
-	if session.Name != "other" {
-		t.Fatalf("GetSession(other) = %q, want other", session.Name)
-	}
-}
-
-func TestResolveDebugURL(t *testing.T) {
-	t.Run("local with process debug URL", func(t *testing.T) {
-		session := &SessionRecord{
-			Name: "local1",
-			Mode: ModeLocal,
-			Process: &ProcessRecord{
-				DebugURL: "ws://127.0.0.1:9222/devtools/browser/abc",
-			},
-		}
-		got, err := resolveDebugURL(session)
-		if err != nil {
-			t.Fatalf("resolveDebugURL error: %v", err)
-		}
-		if got != "ws://127.0.0.1:9222/devtools/browser/abc" {
-			t.Fatalf("resolveDebugURL = %q, want ws://127.0.0.1:9222/devtools/browser/abc", got)
-		}
-	})
-
-	t.Run("remote with WSURL", func(t *testing.T) {
-		session := &SessionRecord{
-			Name:   "remote1",
-			Mode:   ModeRemote,
-			Remote: &RemoteConfig{WSURL: "wss://remote:9222/devtools/browser/xyz"},
-		}
-		got, err := resolveDebugURL(session)
-		if err != nil {
-			t.Fatalf("resolveDebugURL error: %v", err)
-		}
-		if got != "wss://remote:9222/devtools/browser/xyz" {
-			t.Fatalf("resolveDebugURL = %q, want wss://remote:9222/devtools/browser/xyz", got)
-		}
-	})
-
-	t.Run("no debug endpoint", func(t *testing.T) {
-		session := &SessionRecord{
-			Name: "empty",
-			Mode: ModeLocal,
-		}
-		_, err := resolveDebugURL(session)
-		if err == nil {
-			t.Fatal("resolveDebugURL should return error when no debug endpoint")
-		}
-	})
-}
-
-func TestResolveTargetMarksUnreachableRemoteSessionStale(t *testing.T) {
-	store := testStore(t)
-	mgr := NewManager(store)
-	now := time.Date(2026, 4, 1, 10, 0, 0, 0, time.UTC)
-
-	err := store.Update(func(state *State) error {
-		session, err := NewRemoteSession("attached", "ws://127.0.0.1:1/devtools/browser/unreachable", now)
-		if err != nil {
-			return err
-		}
-		tab, err := NewTab("main", "target-1", "https://example.com", now)
-		if err != nil {
-			return err
-		}
-		session.Tabs[tab.Name] = tab
-		session.SelectedTab = tab.Name
-		session.Process = &ProcessRecord{DebugURL: session.Remote.WSURL}
-		if err := state.CreateSession(session); err != nil {
-			return err
-		}
-		return state.SetDefaultContext("attached", DefaultContextAttached, now)
-	})
-	if err != nil {
-		t.Fatalf("seed remote session: %v", err)
-	}
-
-	if _, err := mgr.ResolveTarget(t.Context(), "", ""); err == nil {
-		t.Fatal("ResolveTarget should fail for unreachable remote session")
-	}
-
-	state, err := store.Load()
-	if err != nil {
-		t.Fatalf("Load failed: %v", err)
-	}
-	session := state.Sessions["attached"]
-	if session.Tabs["main"].Status != TabStatusStale {
-		t.Fatalf("tab status = %q, want stale", session.Tabs["main"].Status)
-	}
-	if state.DefaultContext == nil || !state.DefaultContext.Stale {
-		t.Fatal("default context should be marked stale")
-	}
-}
-
-func TestRequireLiveTab(t *testing.T) {
-	t.Run("live tab with target ID", func(t *testing.T) {
-		tab := &TabRecord{Name: "t1", Status: TabStatusLive, TargetID: "target-1"}
-		if err := requireLiveTab(tab); err != nil {
-			t.Fatalf("requireLiveTab error: %v", err)
-		}
-	})
-
-	t.Run("stale tab", func(t *testing.T) {
-		tab := &TabRecord{Name: "t2", Status: TabStatusStale}
-		if err := requireLiveTab(tab); err == nil {
-			t.Fatal("requireLiveTab should return error for stale tab")
-		}
-	})
-
-	t.Run("closed tab", func(t *testing.T) {
-		tab := &TabRecord{Name: "t3", Status: TabStatusClosed}
-		if err := requireLiveTab(tab); err == nil {
-			t.Fatal("requireLiveTab should return error for closed tab")
-		}
-	})
-
-	t.Run("live tab with empty target ID", func(t *testing.T) {
-		tab := &TabRecord{Name: "t4", Status: TabStatusLive, TargetID: ""}
-		if err := requireLiveTab(tab); err == nil {
-			t.Fatal("requireLiveTab should return error for live tab with empty target ID")
-		}
-	})
-}
diff --git a/browser/network.go b/browser/network.go
deleted file mode 100644
index 179ae50..0000000
--- a/browser/network.go
+++ /dev/null
@@ -1,474 +0,0 @@
-package browser
-
-import (
-	"context"
-	"encoding/base64"
-	"fmt"
-	"regexp"
-	"strings"
-	"time"
-
-	"github.com/chromedp/cdproto/fetch"
-	"github.com/chromedp/cdproto/network"
-	"github.com/chromedp/chromedp"
-)
-
-// NetworkEntry represents a captured network request/response pair.
-type NetworkEntry struct {
-	RequestID    string            `json:"requestId"`
-	URL          string            `json:"url"`
-	Method       string            `json:"method"`
-	Status       int64             `json:"status"`
-	MIMEType     string            `json:"mimeType,omitempty"`
-	ResourceType string            `json:"resourceType,omitempty"`
-	ReqHeaders   map[string]string `json:"reqHeaders,omitempty"`
-	ResHeaders   map[string]string `json:"resHeaders,omitempty"`
-	Body         string            `json:"body,omitempty"`
-	Error        string            `json:"error,omitempty"`
-	Timestamp    time.Time         `json:"timestamp"`
-}
-
-// NetworkFilter specifies criteria for matching network requests.
-type NetworkFilter struct {
-	URLPattern    string   `json:"urlPattern,omitempty"`
-	Methods       []string `json:"methods,omitempty"`
-	ResourceTypes []string `json:"resourceTypes,omitempty"`
-}
-
-// compileURLPattern compiles a glob-like URL pattern into a regexp.
-// An empty pattern returns nil (matches everything).
-func compileURLPattern(pattern string) *regexp.Regexp {
-	if pattern == "" {
-		return nil
-	}
-	escaped := regexp.QuoteMeta(pattern)
-	rePattern := "^" + strings.ReplaceAll(escaped, `\*`, `.*`) + "$"
-	return regexp.MustCompile(rePattern)
-}
-
-// matchURL matches a URL against a glob-like pattern where * matches any
-// characters including /. An empty pattern matches everything.
-func matchURL(pattern, url string) bool {
-	re := compileURLPattern(pattern)
-	if re == nil {
-		return true
-	}
-	return re.MatchString(url)
-}
-
-// compiledFilter is a pre-compiled version of NetworkFilter for efficient
-// repeated matching against many entries.
-type compiledFilter struct {
-	urlRe         *regexp.Regexp
-	methods       []string
-	resourceTypes []string
-}
-
-// compileFilter pre-compiles a NetworkFilter for repeated use.
-func compileFilter(f NetworkFilter) compiledFilter {
-	return compiledFilter{
-		urlRe:         compileURLPattern(f.URLPattern),
-		methods:       f.Methods,
-		resourceTypes: f.ResourceTypes,
-	}
-}
-
-// containsFold reports whether any element in slice equals s (case-insensitive).
-func containsFold(slice []string, s string) bool {
-	for _, v := range slice {
-		if strings.EqualFold(v, s) {
-			return true
-		}
-	}
-	return false
-}
-
-// matches checks whether a NetworkEntry matches this compiled filter.
-func (cf compiledFilter) matches(entry NetworkEntry) bool {
-	if cf.urlRe != nil && !cf.urlRe.MatchString(entry.URL) {
-		return false
-	}
-	if len(cf.methods) > 0 && !containsFold(cf.methods, entry.Method) {
-		return false
-	}
-	if len(cf.resourceTypes) > 0 && !containsFold(cf.resourceTypes, entry.ResourceType) {
-		return false
-	}
-	return true
-}
-
-// matchesFilter checks whether a NetworkEntry matches the given filter.
-// An empty/zero filter matches everything.
-func matchesFilter(entry NetworkEntry, filter NetworkFilter) bool {
-	return compileFilter(filter).matches(entry)
-}
-
-// headersToMap converts CDP Headers (map[string]any) to map[string]string.
-func headersToMap(h network.Headers) map[string]string {
-	if len(h) == 0 {
-		return nil
-	}
-	out := make(map[string]string, len(h))
-	for k, v := range h {
-		out[k] = fmt.Sprintf("%v", v)
-	}
-	return out
-}
-
-// ---------------------------------------------------------------------------
-// Shared request tracker
-// ---------------------------------------------------------------------------
-
-// requestState tracks the lifecycle of a single network request.
-type requestState struct {
-	entry   NetworkEntry
-	gotResp bool
-}
-
-// requestTracker accumulates Network domain events and emits completed entries
-// that match the filter via the onMatch callback.
-type requestTracker struct {
-	filter   compiledFilter
-	onMatch  func(NetworkEntry)
-	requests map[network.RequestID]*requestState
-}
-
-// newRequestTracker creates a tracker with a pre-compiled filter.
-func newRequestTracker(filter NetworkFilter, onMatch func(NetworkEntry)) *requestTracker {
-	return &requestTracker{
-		filter:   compileFilter(filter),
-		onMatch:  onMatch,
-		requests: make(map[network.RequestID]*requestState),
-	}
-}
-
-// handleEvent processes a single CDP Network event.
-func (rt *requestTracker) handleEvent(ev interface{}) {
-	switch e := ev.(type) {
-	case *network.EventRequestWillBeSent:
-		rt.requests[e.RequestID] = &requestState{
-			entry: NetworkEntry{
-				RequestID:    string(e.RequestID),
-				URL:          e.Request.URL,
-				Method:       e.Request.Method,
-				ResourceType: string(e.Type),
-				ReqHeaders:   headersToMap(e.Request.Headers),
-				Timestamp:    time.Now(),
-			},
-		}
-
-	case *network.EventResponseReceived:
-		rs, ok := rt.requests[e.RequestID]
-		if !ok {
-			rs = &requestState{
-				entry: NetworkEntry{
-					RequestID: string(e.RequestID),
-					Timestamp: time.Now(),
-				},
-			}
-			rt.requests[e.RequestID] = rs
-		}
-		rs.entry.Status = e.Response.Status
-		rs.entry.MIMEType = e.Response.MimeType
-		rs.entry.ResHeaders = headersToMap(e.Response.Headers)
-		if rs.entry.URL == "" {
-			rs.entry.URL = e.Response.URL
-		}
-		if rs.entry.ResourceType == "" {
-			rs.entry.ResourceType = string(e.Type)
-		}
-		rs.gotResp = true
-
-	case *network.EventLoadingFinished:
-		rs, ok := rt.requests[e.RequestID]
-		if !ok {
-			return
-		}
-		entry := rs.entry
-		gotResp := rs.gotResp
-		delete(rt.requests, e.RequestID)
-		if gotResp && rt.filter.matches(entry) {
-			rt.onMatch(entry)
-		}
-
-	case *network.EventLoadingFailed:
-		rs, ok := rt.requests[e.RequestID]
-		if !ok {
-			return
-		}
-		entry := rs.entry
-		entry.Error = e.ErrorText
-		delete(rt.requests, e.RequestID)
-		// Match even without ResponseReceived — a request can fail before
-		// getting a response (e.g. DNS failure, connection refused).
-		if rt.filter.matches(entry) {
-			rt.onMatch(entry)
-		}
-	}
-}
-
-// ---------------------------------------------------------------------------
-// Network domain primitives
-// ---------------------------------------------------------------------------
-
-// WaitForRequest enables the Network domain and blocks until a request matching
-// the filter completes (response received + loading finished/failed). It returns
-// the first matching NetworkEntry. If includeBody is true, the response body is
-// fetched before returning.
-//
-// The caller controls the timeout via ctx (e.g. context.WithTimeout).
-func WaitForRequest(ctx context.Context, debugURL string, targetID string, filter NetworkFilter, includeBody bool) (*NetworkEntry, error) {
-	taskCtx, cancel, err := withTargetListen(ctx, debugURL, targetID)
-	if err != nil {
-		return nil, fmt.Errorf("wait for request: %w", err)
-	}
-	defer cancel()
-
-	done := make(chan NetworkEntry, 1)
-	tracker := newRequestTracker(filter, func(entry NetworkEntry) {
-		select {
-		case done <- entry:
-		default:
-		}
-	})
-
-	chromedp.ListenTarget(taskCtx, tracker.handleEvent)
-
-	if err := chromedp.Run(taskCtx, network.Enable()); err != nil {
-		return nil, fmt.Errorf("wait for request: enable network: %w", err)
-	}
-
-	select {
-	case entry := <-done:
-		if includeBody && entry.Error == "" {
-			body, err := getResponseBodyOn(taskCtx, network.RequestID(entry.RequestID))
-			if err == nil {
-				entry.Body = string(body)
-			}
-			// Non-fatal: body fetch can fail for redirected/cached requests.
-		}
-		return &entry, nil
-	case <-ctx.Done():
-		return nil, fmt.Errorf("wait for request: %w", ctx.Err())
-	}
-}
-
-// GetResponseBody fetches the response body for a completed request by its ID.
-func GetResponseBody(ctx context.Context, debugURL string, targetID string, requestID string) ([]byte, error) {
-	var body []byte
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.ActionFunc(func(ctx context.Context) error {
-			var fetchErr error
-			body, fetchErr = getResponseBodyOn(ctx, network.RequestID(requestID))
-			return fetchErr
-		}),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("get response body: %w", err)
-	}
-	return body, nil
-}
-
-// getResponseBodyOn fetches the response body using the given CDP execution context.
-func getResponseBodyOn(ctx context.Context, requestID network.RequestID) ([]byte, error) {
-	body, err := network.GetResponseBody(requestID).Do(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("get response body %s: %w", requestID, err)
-	}
-	return body, nil
-}
-
-// EnableNetworkLog enables the Network domain on a target and streams completed
-// request/response entries to the returned channel. The channel is buffered
-// (256 entries); if the buffer fills, new entries are dropped.
-//
-// Call the returned cancel func to stop capturing and close the channel.
-// The caller should drain the channel or call cancel to avoid goroutine leaks.
-func EnableNetworkLog(ctx context.Context, debugURL string, targetID string, filter NetworkFilter) (<-chan NetworkEntry, func(), error) {
-	taskCtx, taskCancel, err := withTargetListen(ctx, debugURL, targetID)
-	if err != nil {
-		return nil, nil, fmt.Errorf("enable network log: %w", err)
-	}
-
-	ch := make(chan NetworkEntry, 256)
-	tracker := newRequestTracker(filter, func(entry NetworkEntry) {
-		select {
-		case ch <- entry:
-		default:
-			// Buffer full — drop entry.
-		}
-	})
-
-	chromedp.ListenTarget(taskCtx, tracker.handleEvent)
-
-	if err := chromedp.Run(taskCtx, network.Enable()); err != nil {
-		taskCancel()
-		return nil, nil, fmt.Errorf("enable network log: enable network: %w", err)
-	}
-
-	// Goroutine closes the channel when the CDP session ends.
-	go func() {
-		<-taskCtx.Done()
-		close(ch)
-	}()
-
-	return ch, taskCancel, nil
-}
-
-// InterceptRule defines how to modify or block requests matching a filter.
-// Block and MockBody are mutually exclusive.
-type InterceptRule struct {
-	Filter      NetworkFilter     `json:"filter"`
-	Block       bool              `json:"block,omitempty"`
-	AddHeaders  map[string]string `json:"addHeaders,omitempty"`
-	MockStatus  int               `json:"mockStatus,omitempty"`
-	MockBody    string            `json:"mockBody,omitempty"`
-	MockHeaders map[string]string `json:"mockHeaders,omitempty"`
-}
-
-// ValidateInterceptRules checks that rules are well-formed.
-func ValidateInterceptRules(rules []InterceptRule) error {
-	for i, r := range rules {
-		if r.Block && r.MockBody != "" {
-			return fmt.Errorf("rule %d: block and mock body are mutually exclusive", i)
-		}
-		if r.MockBody != "" && r.MockStatus == 0 {
-			return fmt.Errorf("rule %d: mock body requires mock status", i)
-		}
-	}
-	return nil
-}
-
-// SetInterceptRules enables Fetch domain interception with the given rules.
-// It replaces any previously set rules. The returned cancel func stops the
-// interception goroutine and disables the Fetch domain.
-//
-// Pass nil/empty rules to effectively disable interception (or use ClearIntercept).
-func SetInterceptRules(ctx context.Context, debugURL string, targetID string, rules []InterceptRule) (func(), error) {
-	if err := ValidateInterceptRules(rules); err != nil {
-		return nil, fmt.Errorf("set intercept rules: %w", err)
-	}
-
-	taskCtx, taskCancel, err := withTargetListen(ctx, debugURL, targetID)
-	if err != nil {
-		return nil, fmt.Errorf("set intercept rules: %w", err)
-	}
-
-	// Build CDP RequestPattern entries from rules.
-	var patterns []*fetch.RequestPattern
-	for _, r := range rules {
-		p := &fetch.RequestPattern{}
-		if r.Filter.URLPattern != "" {
-			p.URLPattern = r.Filter.URLPattern
-		}
-		if len(r.Filter.ResourceTypes) == 1 {
-			p.ResourceType = network.ResourceType(r.Filter.ResourceTypes[0])
-		}
-		patterns = append(patterns, p)
-	}
-	if len(patterns) == 0 {
-		// Match all requests if no patterns specified.
-		patterns = []*fetch.RequestPattern{{}}
-	}
-
-	// Register the event handler before enabling the domain.
-	chromedp.ListenTarget(taskCtx, func(ev interface{}) {
-		e, ok := ev.(*fetch.EventRequestPaused)
-		if !ok {
-			return
-		}
-
-		// Find the first matching rule.
-		entry := NetworkEntry{
-			URL:          e.Request.URL,
-			Method:       e.Request.Method,
-			ResourceType: string(e.ResourceType),
-		}
-
-		var matched *InterceptRule
-		for i := range rules {
-			if matchesFilter(entry, rules[i].Filter) {
-				matched = &rules[i]
-				break
-			}
-		}
-
-		// Must respond to every paused request. If no rule matches, continue.
-		// Run CDP commands in a goroutine to avoid blocking the event loop.
-		go func() {
-			if matched == nil {
-				_ = fetch.ContinueRequest(e.RequestID).Do(taskCtx)
-				return
-			}
-
-			if matched.Block {
-				_ = fetch.FailRequest(e.RequestID, network.ErrorReasonBlockedByClient).Do(taskCtx)
-				return
-			}
-
-			if matched.MockBody != "" {
-				headers := []*fetch.HeaderEntry{}
-				for k, v := range matched.MockHeaders {
-					headers = append(headers, &fetch.HeaderEntry{Name: k, Value: v})
-				}
-				if len(headers) == 0 {
-					headers = append(headers, &fetch.HeaderEntry{
-						Name: "Content-Type", Value: "application/json",
-					})
-				}
-				_ = fetch.FulfillRequest(e.RequestID, int64(matched.MockStatus)).
-					WithResponseHeaders(headers).
-					WithBody(base64.StdEncoding.EncodeToString([]byte(matched.MockBody))).
-					Do(taskCtx)
-				return
-			}
-
-			// AddHeaders only — continue with modified headers.
-			if len(matched.AddHeaders) > 0 {
-				// Build a case-insensitive map to deduplicate headers.
-				// AddHeaders overrides existing headers with the same name.
-				merged := make(map[string]string)
-				mergedKeys := make(map[string]string) // lowercase → original case
-				for k, v := range e.Request.Headers {
-					lk := strings.ToLower(k)
-					merged[lk] = fmt.Sprintf("%v", v)
-					mergedKeys[lk] = k
-				}
-				for k, v := range matched.AddHeaders {
-					lk := strings.ToLower(k)
-					merged[lk] = v
-					mergedKeys[lk] = k // prefer the casing from AddHeaders
-				}
-				headers := make([]*fetch.HeaderEntry, 0, len(merged))
-				for lk, v := range merged {
-					headers = append(headers, &fetch.HeaderEntry{Name: mergedKeys[lk], Value: v})
-				}
-				_ = fetch.ContinueRequest(e.RequestID).WithHeaders(headers).Do(taskCtx)
-				return
-			}
-
-			// Rule matched but no action specified — continue normally.
-			_ = fetch.ContinueRequest(e.RequestID).Do(taskCtx)
-		}()
-	})
-
-	if err := chromedp.Run(taskCtx, fetch.Enable().WithPatterns(patterns)); err != nil {
-		taskCancel()
-		return nil, fmt.Errorf("set intercept rules: enable fetch: %w", err)
-	}
-
-	return taskCancel, nil
-}
-
-// ClearIntercept disables the Fetch domain on a target.
-func ClearIntercept(ctx context.Context, debugURL string, targetID string) error {
-	err := withTarget(ctx, debugURL, targetID,
-		chromedp.ActionFunc(func(ctx context.Context) error {
-			return fetch.Disable().Do(ctx)
-		}),
-	)
-	if err != nil {
-		return fmt.Errorf("clear intercept: %w", err)
-	}
-	return nil
-}
diff --git a/browser/network_test.go b/browser/network_test.go
deleted file mode 100644
index 58ab9c5..0000000
--- a/browser/network_test.go
+++ /dev/null
@@ -1,147 +0,0 @@
-package browser
-
-import (
-	"testing"
-)
-
-func TestMatchURL(t *testing.T) {
-	tests := []struct {
-		name    string
-		pattern string
-		url     string
-		want    bool
-	}{
-		// Empty pattern matches everything.
-		{"empty pattern", "", "https://example.com/api/v1/users", true},
-		{"empty pattern empty url", "", "", true},
-
-		// Exact match.
-		{"exact match", "https://example.com/api", "https://example.com/api", true},
-		{"exact no match", "https://example.com/api", "https://example.com/other", false},
-
-		// Single * matches across path segments (unlike filepath.Match).
-		{"star prefix", "*/api/*", "https://example.com/api/v1/users", true},
-		{"star suffix", "https://example.com/*", "https://example.com/api/v1/users", true},
-		{"star middle", "https://*/api/*", "https://example.com/api/v1/users", true},
-		{"star only", "*", "https://example.com/anything", true},
-		{"star no match", "*/api/*", "https://example.com/other/v1", false},
-
-		// Multiple stars.
-		{"multi star", "*api*users*", "https://example.com/api/v1/users?page=1", true},
-		{"multi star no match", "*api*admin*", "https://example.com/api/v1/users", false},
-
-		// Pattern with dots (regex special chars).
-		{"dot in pattern", "*.ads.*", "https://tracker.ads.example.com/pixel", true},
-		{"dot literal", "*.ads.*", "https://tracker-ads-example.com/pixel", false},
-
-		// Pattern with query strings.
-		{"query match", "*/search?q=*", "https://example.com/search?q=hello", true},
-		{"literal question mark", "*/api?key=*", "https://example.com/api?key=123", true},
-
-		// Edge cases.
-		{"url empty pattern nonempty", "https://example.com", "", false},
-		{"pattern is star empty url", "*", "", true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got := matchURL(tt.pattern, tt.url)
-			if got != tt.want {
-				t.Errorf("matchURL(%q, %q) = %v, want %v", tt.pattern, tt.url, got, tt.want)
-			}
-		})
-	}
-}
-
-func TestMatchesFilter(t *testing.T) {
-	base := NetworkEntry{
-		RequestID:    "1",
-		URL:          "https://api.example.com/v1/users",
-		Method:       "GET",
-		Status:       200,
-		ResourceType: "XHR",
-	}
-
-	tests := []struct {
-		name   string
-		entry  NetworkEntry
-		filter NetworkFilter
-		want   bool
-	}{
-		// Empty filter matches everything.
-		{"empty filter", base, NetworkFilter{}, true},
-
-		// URL pattern only.
-		{"url match", base, NetworkFilter{URLPattern: "*/v1/users"}, true},
-		{"url no match", base, NetworkFilter{URLPattern: "*/v2/*"}, false},
-
-		// Method filter.
-		{"method match", base, NetworkFilter{Methods: []string{"GET"}}, true},
-		{"method case insensitive", base, NetworkFilter{Methods: []string{"get"}}, true},
-		{"method no match", base, NetworkFilter{Methods: []string{"POST"}}, false},
-		{"method multi", base, NetworkFilter{Methods: []string{"POST", "GET"}}, true},
-
-		// ResourceType filter.
-		{"type match", base, NetworkFilter{ResourceTypes: []string{"XHR"}}, true},
-		{"type case insensitive", base, NetworkFilter{ResourceTypes: []string{"xhr"}}, true},
-		{"type no match", base, NetworkFilter{ResourceTypes: []string{"Document"}}, false},
-		{"type multi", base, NetworkFilter{ResourceTypes: []string{"Document", "XHR"}}, true},
-
-		// Combined filters (all must match).
-		{"url+method match", base, NetworkFilter{
-			URLPattern: "*/users",
-			Methods:    []string{"GET"},
-		}, true},
-		{"url+method partial", base, NetworkFilter{
-			URLPattern: "*/users",
-			Methods:    []string{"POST"},
-		}, false},
-		{"all three match", base, NetworkFilter{
-			URLPattern:    "*api*",
-			Methods:       []string{"GET"},
-			ResourceTypes: []string{"XHR"},
-		}, true},
-		{"all three one fails", base, NetworkFilter{
-			URLPattern:    "*api*",
-			Methods:       []string{"GET"},
-			ResourceTypes: []string{"Document"},
-		}, false},
-
-		// Entry with empty fields.
-		{"empty method entry", NetworkEntry{URL: "https://x.com"}, NetworkFilter{Methods: []string{"GET"}}, false},
-		{"empty type entry", NetworkEntry{URL: "https://x.com"}, NetworkFilter{ResourceTypes: []string{"XHR"}}, false},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got := matchesFilter(tt.entry, tt.filter)
-			if got != tt.want {
-				t.Errorf("matchesFilter() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestValidateInterceptRules(t *testing.T) {
-	tests := []struct {
-		name    string
-		rules   []InterceptRule
-		wantErr bool
-	}{
-		{"empty rules", nil, false},
-		{"block only", []InterceptRule{{Block: true}}, false},
-		{"mock only", []InterceptRule{{MockBody: `{"ok":true}`, MockStatus: 200}}, false},
-		{"headers only", []InterceptRule{{AddHeaders: map[string]string{"X-Test": "1"}}}, false},
-		{"block and mock", []InterceptRule{{Block: true, MockBody: "body"}}, true},
-		{"mock without status", []InterceptRule{{MockBody: "body"}}, true},
-		{"multiple valid", []InterceptRule{{Block: true}, {MockBody: "x", MockStatus: 200}}, false},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := ValidateInterceptRules(tt.rules)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("ValidateInterceptRules() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}
diff --git a/browser/process.go b/browser/process.go
deleted file mode 100644
index ad0c368..0000000
--- a/browser/process.go
+++ /dev/null
@@ -1,262 +0,0 @@
-package browser
-
-import (
-	"bufio"
-	"context"
-	"crypto/rand"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"os"
-	"os/exec"
-	"strings"
-	"time"
-
-	"github.com/gorilla/websocket"
-)
-
-// findChrome discovers the first available Chrome or Chromium binary.
-func findChrome() (string, error) {
-	// Try PATH lookup first (works on all platforms).
-	for _, name := range chromeLookPathNames() {
-		if p, err := exec.LookPath(name); err == nil {
-			return p, nil
-		}
-	}
-
-	// Fall back to well-known absolute paths.
-	for _, p := range chromeFallbackPaths() {
-		if _, err := os.Stat(p); err == nil {
-			return p, nil
-		}
-	}
-
-	return "", errors.New("chrome binary not found: install Google Chrome or Chromium")
-}
-
-// LaunchBrowser starts a managed Chrome process with remote debugging enabled.
-// The returned ProcessRecord contains the PID, debug WebSocket URL, and an
-// ownership token that later calls can use for verification.
-func LaunchBrowser(ctx context.Context, config LocalConfig) (*ProcessRecord, error) {
-	chromePath, err := findChrome()
-	if err != nil {
-		return nil, err
-	}
-
-	// Generate a unique ownership token (16 random bytes, hex-encoded).
-	tokenBytes := make([]byte, 16)
-	if _, err := rand.Read(tokenBytes); err != nil {
-		return nil, fmt.Errorf("generate ownership token: %w", err)
-	}
-	ownershipToken := hex.EncodeToString(tokenBytes)
-
-	// Ensure the profile directory exists.
-	if err := os.MkdirAll(config.ProfileDir, 0o755); err != nil {
-		return nil, fmt.Errorf("create browser profile dir: %w", err)
-	}
-
-	// Build Chrome args.
-	args := []string{
-		"--remote-debugging-port=0",
-		"--user-data-dir=" + config.ProfileDir,
-		"--no-first-run",
-		"--no-default-browser-check",
-		"--disable-gpu",
-	}
-	if config.Headless {
-		args = append(args, "--headless=new")
-	}
-
-	cmd := exec.Command(chromePath, args...)
-
-	// Run Chrome in its own process group so it survives tap exit.
-	cmd.SysProcAttr = platformSysProcAttr()
-
-	// Pipe stderr to parse the DevTools debug URL.
-	stderrPipe, err := cmd.StderrPipe()
-	if err != nil {
-		return nil, fmt.Errorf("pipe chrome stderr: %w", err)
-	}
-
-	if err := cmd.Start(); err != nil {
-		return nil, fmt.Errorf("start chrome: %w", err)
-	}
-
-	// Parse the debug URL from Chrome's stderr output with a timeout.
-	debugURL, err := parseDebugURL(stderrPipe, 10*time.Second)
-
-	// Close the stderr pipe so the scanner goroutine in parseDebugURL can exit.
-	if c, ok := stderrPipe.(io.Closer); ok {
-		_ = c.Close()
-	}
-
-	if err != nil {
-		// Best-effort cleanup: kill and reap to avoid zombies.
-		_ = cmd.Process.Kill()
-		_ = cmd.Wait()
-		return nil, fmt.Errorf("parse chrome debug URL: %w", err)
-	}
-
-	// Capture PID before Release, which sets Pid to -1.
-	pid := cmd.Process.Pid
-
-	// Release the process handle so Go's runtime does not track this child.
-	// Chrome runs detached and is managed via PID from metadata.
-	_ = cmd.Process.Release()
-
-	return &ProcessRecord{
-		PID:            pid,
-		DebugURL:       debugURL,
-		OwnershipToken: ownershipToken,
-		StartedAt:      time.Now().UTC(),
-	}, nil
-}
-
-// parseDebugURL reads from r line by line looking for the DevTools listening
-// message. It returns the WebSocket URL or an error if the timeout expires.
-func parseDebugURL(r io.Reader, timeout time.Duration) (string, error) {
-	type result struct {
-		url string
-		err error
-	}
-	ch := make(chan result, 1)
-
-	go func() {
-		scanner := bufio.NewScanner(r)
-		for scanner.Scan() {
-			line := scanner.Text()
-			if strings.HasPrefix(line, "DevTools listening on ") {
-				ch <- result{url: strings.TrimPrefix(line, "DevTools listening on ")}
-				return
-			}
-		}
-		if err := scanner.Err(); err != nil {
-			ch <- result{err: fmt.Errorf("read stderr: %w", err)}
-			return
-		}
-		ch <- result{err: errors.New("chrome stderr closed without debug URL")}
-	}()
-
-	select {
-	case res := <-ch:
-		return res.url, res.err
-	case <-time.After(timeout):
-		return "", errors.New("timed out waiting for chrome debug URL")
-	}
-}
-
-// CheckProcess verifies that the process described by record is alive and
-// its debug endpoint is reachable.
-func CheckProcess(record *ProcessRecord) error {
-	return CheckProcessContext(context.Background(), record)
-}
-
-// CheckProcessContext is like CheckProcess but accepts a context for cancellation.
-func CheckProcessContext(ctx context.Context, record *ProcessRecord) error {
-	if record == nil || record.PID <= 0 {
-		return errors.New("no process record to check")
-	}
-
-	if !isProcessAlive(record.PID) {
-		return fmt.Errorf("process %d is not alive", record.PID)
-	}
-
-	return checkDebugEndpoint(ctx, record.DebugURL)
-}
-
-// checkDebugEndpoint verifies that a CDP debug endpoint is reachable by
-// hitting its /json/version path.
-func checkDebugEndpoint(ctx context.Context, debugURL string) error {
-	resolvedURL, err := ResolveDebugURL(ctx, debugURL)
-	if err != nil {
-		return fmt.Errorf("parse debug URL: %w", err)
-	}
-
-	httpURL, err := debugURLToHTTP(resolvedURL)
-	if err != nil {
-		return fmt.Errorf("parse debug URL: %w", err)
-	}
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, httpURL+"/json/version", nil)
-	if err != nil {
-		return fmt.Errorf("create debug request: %w", err)
-	}
-
-	client := &http.Client{Timeout: 10 * time.Second}
-	resp, err := client.Do(req)
-	if err != nil {
-		return fmt.Errorf("debug endpoint unreachable: %w", err)
-	}
-	_, _ = io.Copy(io.Discard, resp.Body)
-	_ = resp.Body.Close()
-
-	if resp.StatusCode == http.StatusOK {
-		return nil
-	}
-
-	// Some CDP endpoints expose a valid browser WebSocket but do not serve
-	// /json/version from the derived HTTP base. Fall back to a WebSocket
-	// handshake before rejecting the endpoint.
-	dialCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
-	defer cancel()
-	conn, _, dialErr := websocket.DefaultDialer.DialContext(dialCtx, resolvedURL, nil)
-	if dialErr == nil {
-		_ = conn.Close()
-		return nil
-	}
-
-	return fmt.Errorf("debug endpoint returned status %d", resp.StatusCode)
-}
-
-// KillProcess terminates the Chrome process described by record. It sends
-// a graceful shutdown signal first and falls back to forceful termination
-// after a grace period.
-func KillProcess(record *ProcessRecord) error {
-	if record == nil || record.PID <= 0 {
-		return nil
-	}
-
-	// Check whether the process is still alive.
-	if !isProcessAlive(record.PID) {
-		return nil // already dead
-	}
-
-	// Verify we own this process by checking the debug endpoint.
-	// If the endpoint is unreachable (PID reuse), skip termination.
-	if record.DebugURL != "" {
-		if err := CheckProcess(record); err != nil {
-			return nil // can't verify ownership — skip kill
-		}
-	}
-
-	return killProcessPlatform(record.PID)
-}
-
-// debugURLToHTTP converts a DevTools WebSocket URL to its HTTP equivalent.
-func debugURLToHTTP(debugURL string) (string, error) {
-	if debugURL == "" {
-		return "", errors.New("debug URL is empty")
-	}
-
-	u, err := url.Parse(debugURL)
-	if err != nil {
-		return "", fmt.Errorf("parse debug URL: %w", err)
-	}
-
-	switch u.Scheme {
-	case "ws":
-		u.Scheme = "http"
-	case "wss":
-		u.Scheme = "https"
-	default:
-		return "", fmt.Errorf("unexpected debug URL scheme %q", u.Scheme)
-	}
-
-	u.Path = ""
-	u.RawQuery = ""
-	u.Fragment = ""
-	return u.String(), nil
-}
diff --git a/browser/process_test.go b/browser/process_test.go
deleted file mode 100644
index 9c2fb29..0000000
--- a/browser/process_test.go
+++ /dev/null
@@ -1,149 +0,0 @@
-package browser
-
-import (
-	"io"
-	"strings"
-	"testing"
-	"time"
-)
-
-func TestDebugURLToHTTP(t *testing.T) {
-	tests := []struct {
-		name    string
-		input   string
-		want    string
-		wantErr bool
-	}{
-		{
-			name:  "ws to http",
-			input: "ws://127.0.0.1:9222/devtools/browser/abc",
-			want:  "http://127.0.0.1:9222",
-		},
-		{
-			name:  "wss to https",
-			input: "wss://remote:9222/devtools/browser/abc",
-			want:  "https://remote:9222",
-		},
-		{
-			name:    "empty string",
-			input:   "",
-			wantErr: true,
-		},
-		{
-			name:    "invalid scheme http",
-			input:   "http://127.0.0.1:9222/devtools/browser/abc",
-			wantErr: true,
-		},
-		{
-			name:    "invalid scheme https",
-			input:   "https://127.0.0.1:9222/devtools/browser/abc",
-			wantErr: true,
-		},
-		{
-			name:  "strips path",
-			input: "ws://localhost:9222/deep/path/here",
-			want:  "http://localhost:9222",
-		},
-		{
-			name:  "strips query",
-			input: "ws://localhost:9222/devtools?token=abc",
-			want:  "http://localhost:9222",
-		},
-		{
-			name:  "strips fragment",
-			input: "ws://localhost:9222/devtools#section",
-			want:  "http://localhost:9222",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := debugURLToHTTP(tt.input)
-			if tt.wantErr {
-				if err == nil {
-					t.Fatalf("debugURLToHTTP(%q) = %q, want error", tt.input, got)
-				}
-				return
-			}
-			if err != nil {
-				t.Fatalf("debugURLToHTTP(%q) error: %v", tt.input, err)
-			}
-			if got != tt.want {
-				t.Fatalf("debugURLToHTTP(%q) = %q, want %q", tt.input, got, tt.want)
-			}
-		})
-	}
-}
-
-func TestParseDebugURL(t *testing.T) {
-	t.Run("devtools line present", func(t *testing.T) {
-		input := "DevTools listening on ws://127.0.0.1:9222/devtools/browser/abc\n"
-		got, err := parseDebugURL(strings.NewReader(input), 5*time.Second)
-		if err != nil {
-			t.Fatalf("parseDebugURL error: %v", err)
-		}
-		want := "ws://127.0.0.1:9222/devtools/browser/abc"
-		if got != want {
-			t.Fatalf("parseDebugURL = %q, want %q", got, want)
-		}
-	})
-
-	t.Run("devtools line after noise", func(t *testing.T) {
-		input := "Some startup noise\nAnother line\nDevTools listening on ws://127.0.0.1:5555/devtools/browser/xyz\n"
-		got, err := parseDebugURL(strings.NewReader(input), 5*time.Second)
-		if err != nil {
-			t.Fatalf("parseDebugURL error: %v", err)
-		}
-		want := "ws://127.0.0.1:5555/devtools/browser/xyz"
-		if got != want {
-			t.Fatalf("parseDebugURL = %q, want %q", got, want)
-		}
-	})
-
-	t.Run("pipe closed without line", func(t *testing.T) {
-		input := "some output\nno devtools line here\n"
-		_, err := parseDebugURL(strings.NewReader(input), 5*time.Second)
-		if err == nil {
-			t.Fatal("parseDebugURL should return error when pipe closes without DevTools line")
-		}
-	})
-
-	t.Run("timeout with no output", func(t *testing.T) {
-		// Use a pipe that blocks forever (never writes).
-		r, w := io.Pipe()
-		defer func() { _ = w.Close() }()
-
-		_, err := parseDebugURL(r, 50*time.Millisecond)
-		if err == nil {
-			t.Fatal("parseDebugURL should return timeout error")
-		}
-		if !strings.Contains(err.Error(), "timed out") {
-			t.Fatalf("parseDebugURL error = %q, want timeout error", err.Error())
-		}
-	})
-}
-
-func TestFindChrome(t *testing.T) {
-	// Just verify findChrome doesn't panic. It may return a path or an error
-	// depending on the environment.
-	_, _ = findChrome()
-}
-
-func TestKillProcessNilRecord(t *testing.T) {
-	if err := KillProcess(nil); err != nil {
-		t.Fatalf("KillProcess(nil) = %v, want nil", err)
-	}
-}
-
-func TestKillProcessZeroPID(t *testing.T) {
-	if err := KillProcess(&ProcessRecord{PID: 0}); err != nil {
-		t.Fatalf("KillProcess(PID=0) = %v, want nil", err)
-	}
-}
-
-func TestCheckProcessNilRecord(t *testing.T) {
-	err := CheckProcess(nil)
-	if err == nil {
-		t.Fatal("CheckProcess(nil) should return error")
-	}
-}
diff --git a/browser/process_unix.go b/browser/process_unix.go
deleted file mode 100644
index 56be10f..0000000
--- a/browser/process_unix.go
+++ /dev/null
@@ -1,94 +0,0 @@
-//go:build !windows
-
-package browser
-
-import (
-	"errors"
-	"fmt"
-	"os/exec"
-	"runtime"
-	"syscall"
-	"time"
-)
-
-// platformSysProcAttr returns SysProcAttr to run Chrome in its own process
-// group so it survives tap exit on unix systems.
-func platformSysProcAttr() *syscall.SysProcAttr {
-	return &syscall.SysProcAttr{Setpgid: true}
-}
-
-// isProcessAlive checks whether a process with the given PID exists.
-func isProcessAlive(pid int) bool {
-	return syscall.Kill(pid, 0) == nil
-}
-
-// killProcessPlatform terminates a process using SIGTERM first, falling back
-// to SIGKILL after a 5-second grace period.
-func killProcessPlatform(pid int) error {
-	// Send SIGTERM for a graceful shutdown.
-	if err := syscall.Kill(pid, syscall.SIGTERM); err != nil {
-		if errors.Is(err, syscall.ESRCH) {
-			return nil
-		}
-		return fmt.Errorf("send SIGTERM to %d: %w", pid, err)
-	}
-
-	// Wait up to 5 seconds for the process to exit.
-	deadline := time.After(5 * time.Second)
-	ticker := time.NewTicker(100 * time.Millisecond)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-deadline:
-			// Process didn't exit in time — force kill.
-			if err := syscall.Kill(pid, syscall.SIGKILL); err != nil {
-				if errors.Is(err, syscall.ESRCH) {
-					return nil
-				}
-				return fmt.Errorf("send SIGKILL to %d: %w", pid, err)
-			}
-			return nil
-		case <-ticker.C:
-			if !isProcessAlive(pid) {
-				return nil // process exited
-			}
-		}
-	}
-}
-
-// chromeFallbackPaths returns well-known absolute Chrome/Chromium paths for
-// macOS and Linux.
-func chromeFallbackPaths() []string {
-	switch runtime.GOOS {
-	case "darwin":
-		return []string{
-			"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
-			"/Applications/Chromium.app/Contents/MacOS/Chromium",
-		}
-	default:
-		return []string{
-			"/usr/bin/google-chrome",
-			"/usr/bin/google-chrome-stable",
-			"/usr/bin/chromium-browser",
-			"/usr/bin/chromium",
-		}
-	}
-}
-
-// chromeLookPathNames returns binary names to search via exec.LookPath.
-func chromeLookPathNames() []string {
-	names := []string{
-		"google-chrome",
-		"google-chrome-stable",
-		"chromium-browser",
-		"chromium",
-	}
-	// On macOS also try the .app bundle name via open.
-	if runtime.GOOS == "darwin" {
-		if p, err := exec.LookPath("Google Chrome"); err == nil {
-			return []string{p}
-		}
-	}
-	return names
-}
diff --git a/browser/process_windows.go b/browser/process_windows.go
deleted file mode 100644
index d16e76f..0000000
--- a/browser/process_windows.go
+++ /dev/null
@@ -1,127 +0,0 @@
-//go:build windows
-
-package browser
-
-import (
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strconv"
-	"syscall"
-	"time"
-
-	"golang.org/x/sys/windows"
-	"golang.org/x/sys/windows/registry"
-)
-
-// stillActive is the exit code returned by GetExitCodeProcess when the
-// process has not yet terminated (Win32 STILL_ACTIVE / STATUS_PENDING).
-const stillActive = 259
-
-// platformSysProcAttr returns SysProcAttr to run Chrome in a new process group
-// so it is not killed when tap exits.
-func platformSysProcAttr() *syscall.SysProcAttr {
-	return &syscall.SysProcAttr{CreationFlags: syscall.CREATE_NEW_PROCESS_GROUP}
-}
-
-// isProcessAlive checks whether a process with the given PID exists and is
-// still running on Windows.
-func isProcessAlive(pid int) bool {
-	if pid <= 0 {
-		return false
-	}
-
-	h, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, uint32(pid))
-	if err != nil {
-		return false
-	}
-	defer windows.CloseHandle(h) //nolint:errcheck
-
-	var exitCode uint32
-	if err := windows.GetExitCodeProcess(h, &exitCode); err != nil {
-		return false
-	}
-	// Note: a process that exits with code 259 would be falsely reported as
-	// alive. This is a known Win32 limitation. Chrome does not exit with 259.
-	return exitCode == stillActive
-}
-
-// killProcessPlatform terminates a process on Windows. It first tries a
-// graceful shutdown via taskkill (sends WM_CLOSE), then falls back to
-// forceful termination after a 5-second grace period.
-func killProcessPlatform(pid int) error {
-	pidStr := strconv.Itoa(pid)
-
-	// Phase 1: graceful shutdown (WM_CLOSE via taskkill without /F).
-	_ = exec.Command("taskkill", "/T", "/PID", pidStr).Run()
-
-	// Wait up to 5 seconds for the process to exit.
-	deadline := time.After(5 * time.Second)
-	ticker := time.NewTicker(100 * time.Millisecond)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-deadline:
-			// Process didn't exit in time — force kill.
-			return exec.Command("taskkill", "/F", "/T", "/PID", pidStr).Run()
-		case <-ticker.C:
-			if !isProcessAlive(pid) {
-				return nil
-			}
-		}
-	}
-}
-
-// chromeFallbackPaths returns well-known absolute Chrome paths on Windows,
-// including per-user and system-wide install locations and registry lookup.
-func chromeFallbackPaths() []string {
-	var paths []string
-
-	// Standard install locations.
-	programFiles := os.Getenv("ProgramFiles")
-	programFilesX86 := os.Getenv("ProgramFiles(x86)")
-	localAppData := os.Getenv("LOCALAPPDATA")
-
-	for _, root := range []string{programFiles, programFilesX86, localAppData} {
-		if root == "" {
-			continue
-		}
-		paths = append(paths, filepath.Join(root, "Google", "Chrome", "Application", "chrome.exe"))
-	}
-
-	// Registry lookup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
-	if p := chromeFromRegistry(); p != "" {
-		paths = append(paths, p)
-	}
-
-	return paths
-}
-
-// chromeLookPathNames returns binary names to search via exec.LookPath on Windows.
-// exec.LookPath appends PATHEXT extensions automatically, so bare names suffice.
-func chromeLookPathNames() []string {
-	return []string{
-		"chrome",
-		"chromium",
-	}
-}
-
-// chromeFromRegistry reads the default Chrome path from the Windows registry.
-func chromeFromRegistry() string {
-	k, err := registry.OpenKey(
-		registry.LOCAL_MACHINE,
-		`SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe`,
-		registry.QUERY_VALUE,
-	)
-	if err != nil {
-		return ""
-	}
-	defer k.Close() //nolint:errcheck
-
-	val, _, err := k.GetStringValue("")
-	if err != nil {
-		return ""
-	}
-	return val
-}
diff --git a/browser/proxy.go b/browser/proxy.go
deleted file mode 100644
index 9e044b6..0000000
--- a/browser/proxy.go
+++ /dev/null
@@ -1,710 +0,0 @@
-package browser
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net"
-	"net/http"
-	"strings"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/gorilla/websocket"
-)
-
-const (
-	DefaultProxyListenAddr = "127.0.0.1:12345"
-	pendingRequestTTL      = 60 * time.Second
-	pendingCleanupInterval = 30 * time.Second
-	reconnectInterval      = 2 * time.Second
-	cdpRequestTimeout      = 10 * time.Second
-)
-
-var blockedClientMethods = map[string]struct{}{
-	"Target.activateTarget": {},
-	"Page.bringToFront":     {},
-}
-
-// ProxyConfig configures the local CDP proxy.
-type ProxyConfig struct {
-	ListenAddr     string
-	Upstream       string
-	OwnershipToken string
-}
-
-type Proxy struct {
-	cfg ProxyConfig
-
-	httpServer *http.Server
-	upgrader   websocket.Upgrader
-	dialer     websocket.Dialer
-
-	nextID atomic.Int64
-
-	mu              sync.RWMutex
-	upstreamWriteMu sync.Mutex
-	upstreamConn    *websocket.Conn
-	upstreamReady   bool
-	reconnecting    bool
-
-	pending       map[int64]*pendingRequest
-	sessionOwners map[string]*proxyClient
-	targetOwners  map[string]*proxyClient
-	clientState   map[*proxyClient]*proxyState
-}
-
-type pendingRequest struct {
-	client     *proxyClient
-	originalID int64
-	method     string
-	createdAt  time.Time
-	internal   chan map[string]any
-}
-
-type proxyState struct {
-	tabs     map[string]struct{}
-	sessions map[string]struct{}
-	proxyIDs map[int64]struct{}
-}
-
-type proxyClient struct {
-	conn *websocket.Conn
-	mu   sync.Mutex
-}
-
-func NewProxy(cfg ProxyConfig) *Proxy {
-	if strings.TrimSpace(cfg.ListenAddr) == "" {
-		cfg.ListenAddr = DefaultProxyListenAddr
-	}
-	return &Proxy{
-		cfg: cfg,
-		upgrader: websocket.Upgrader{
-			CheckOrigin: func(_ *http.Request) bool { return true },
-		},
-		pending:       make(map[int64]*pendingRequest),
-		sessionOwners: make(map[string]*proxyClient),
-		targetOwners:  make(map[string]*proxyClient),
-		clientState:   make(map[*proxyClient]*proxyState),
-	}
-}
-
-func (p *Proxy) Serve(ctx context.Context) error {
-	ln, err := net.Listen("tcp", p.cfg.ListenAddr)
-	if err != nil {
-		return err
-	}
-	defer func() { _ = ln.Close() }()
-	return p.ServeListener(ctx, ln)
-}
-
-func (p *Proxy) ServeListener(ctx context.Context, ln net.Listener) error {
-	mux := http.NewServeMux()
-	mux.HandleFunc("/json/version", p.handleJSONVersion)
-	mux.HandleFunc("/json", p.handleJSONList)
-	mux.HandleFunc("/json/list", p.handleJSONList)
-	mux.HandleFunc("/json/new", p.handleJSONNew)
-	mux.HandleFunc("/proxy/status", p.handleStatus)
-	mux.HandleFunc("/healthz", p.handleHealthz)
-	mux.HandleFunc("/shutdown", p.handleShutdown)
-	mux.HandleFunc("/devtools/browser/proxy", p.handleBrowserWS)
-
-	p.httpServer = &http.Server{Handler: mux}
-
-	if err := p.connectUpstream(ctx); err != nil {
-		return err
-	}
-
-	go p.cleanupPendingLoop(ctx)
-	go func() {
-		<-ctx.Done()
-		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		_ = p.httpServer.Shutdown(shutdownCtx)
-		p.closeUpstream()
-	}()
-
-	err := p.httpServer.Serve(ln)
-	if err == nil || err == http.ErrServerClosed {
-		return nil
-	}
-	return err
-}
-
-func (p *Proxy) connectUpstream(ctx context.Context) error {
-	resolvedURL, err := ResolveDebugURL(ctx, p.cfg.Upstream)
-	if err != nil {
-		return fmt.Errorf("resolve upstream debug endpoint: %w", err)
-	}
-
-	conn, _, err := p.dialer.DialContext(ctx, resolvedURL, nil)
-	if err != nil {
-		return fmt.Errorf("connect upstream debug endpoint: %w", err)
-	}
-
-	p.mu.Lock()
-	if p.upstreamConn != nil {
-		_ = p.upstreamConn.Close()
-	}
-	p.upstreamConn = conn
-	p.upstreamReady = true
-	p.reconnecting = false
-	p.mu.Unlock()
-
-	go p.readUpstreamLoop(ctx, conn)
-	return nil
-}
-
-func (p *Proxy) scheduleReconnect(ctx context.Context) {
-	p.mu.Lock()
-	if p.reconnecting {
-		p.mu.Unlock()
-		return
-	}
-	p.reconnecting = true
-	p.upstreamReady = false
-	p.upstreamConn = nil
-	p.resetOwnershipStateLocked()
-	p.mu.Unlock()
-
-	go func() {
-		defer func() {
-			p.mu.Lock()
-			p.reconnecting = false
-			p.mu.Unlock()
-		}()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-time.After(reconnectInterval):
-			}
-			if err := p.connectUpstream(ctx); err == nil {
-				return
-			}
-		}
-	}()
-}
-
-func (p *Proxy) closeUpstream() {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	if p.upstreamConn != nil {
-		_ = p.upstreamConn.Close()
-		p.upstreamConn = nil
-	}
-	p.upstreamReady = false
-}
-
-func (p *Proxy) cleanupPendingLoop(ctx context.Context) {
-	ticker := time.NewTicker(pendingCleanupInterval)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-ticker.C:
-			now := time.Now()
-
-			p.mu.Lock()
-			for id, req := range p.pending {
-				if now.Sub(req.createdAt) <= pendingRequestTTL {
-					continue
-				}
-				p.removePendingRequestLocked(id, req)
-			}
-			p.mu.Unlock()
-		}
-	}
-}
-
-func (p *Proxy) readUpstreamLoop(ctx context.Context, conn *websocket.Conn) {
-	for {
-		var msg map[string]any
-		if err := conn.ReadJSON(&msg); err != nil {
-			p.scheduleReconnect(ctx)
-			return
-		}
-		p.handleUpstreamMessage(msg)
-	}
-}
-
-func (p *Proxy) handleUpstreamMessage(msg map[string]any) {
-	if id, ok := messageID(msg); ok {
-		p.mu.Lock()
-		req := p.pending[id]
-		if req != nil {
-			delete(p.pending, id)
-			if req.client != nil {
-				if state := p.clientState[req.client]; state != nil {
-					delete(state.proxyIDs, id)
-				}
-			}
-		}
-		p.mu.Unlock()
-
-		if req == nil {
-			return
-		}
-
-		p.recordOwnership(msg, req)
-
-		msg["id"] = req.originalID
-		if req.internal != nil {
-			select {
-			case req.internal <- msg:
-			default:
-			}
-			return
-		}
-		if req.client != nil {
-			_ = req.client.writeJSON(msg)
-		}
-		return
-	}
-
-	method, _ := msg["method"].(string)
-	if method == "" {
-		p.broadcast(msg)
-		return
-	}
-
-	if sessionID, _ := msg["sessionId"].(string); sessionID != "" {
-		p.mu.RLock()
-		owner := p.sessionOwners[sessionID]
-		p.mu.RUnlock()
-		if owner != nil {
-			_ = owner.writeJSON(msg)
-			return
-		}
-	}
-
-	if strings.HasPrefix(method, "Target.") {
-		if targetID := extractTargetID(msg["params"]); targetID != "" {
-			p.mu.RLock()
-			owner := p.targetOwners[targetID]
-			p.mu.RUnlock()
-			if owner != nil {
-				_ = owner.writeJSON(msg)
-				return
-			}
-		}
-	}
-
-	p.broadcast(msg)
-}
-
-func (p *Proxy) broadcast(msg map[string]any) {
-	p.mu.RLock()
-	clients := make([]*proxyClient, 0, len(p.clientState))
-	for client := range p.clientState {
-		clients = append(clients, client)
-	}
-	p.mu.RUnlock()
-
-	for _, client := range clients {
-		_ = client.writeJSON(msg)
-	}
-}
-
-func (p *Proxy) handleBrowserWS(w http.ResponseWriter, r *http.Request) {
-	conn, err := p.upgrader.Upgrade(w, r, nil)
-	if err != nil {
-		return
-	}
-	client := &proxyClient{conn: conn}
-
-	p.mu.Lock()
-	p.clientState[client] = newProxyState()
-	p.mu.Unlock()
-
-	defer p.removeClient(client)
-
-	for {
-		var msg map[string]any
-		if err := conn.ReadJSON(&msg); err != nil {
-			return
-		}
-		if err := p.handleClientMessage(client, msg); err != nil {
-			_ = client.writeJSON(proxyErrorResponse(msg, err))
-		}
-	}
-}
-
-func (p *Proxy) handleClientMessage(client *proxyClient, msg map[string]any) error {
-	method, _ := msg["method"].(string)
-	if _, blocked := blockedClientMethods[method]; blocked {
-		resp := map[string]any{"id": msg["id"], "result": map[string]any{}}
-		if sessionID, _ := msg["sessionId"].(string); sessionID != "" {
-			resp["sessionId"] = sessionID
-		}
-		return client.writeJSON(resp)
-	}
-
-	if method == "Target.createTarget" {
-		params, _ := msg["params"].(map[string]any)
-		if params == nil {
-			params = make(map[string]any)
-		}
-		params["background"] = true
-		params["focus"] = false
-		msg["params"] = params
-	}
-
-	if id, ok := messageID(msg); ok {
-		proxyID := p.nextID.Add(1)
-		req := &pendingRequest{
-			client:     client,
-			originalID: id,
-			method:     method,
-			createdAt:  time.Now(),
-		}
-
-		p.mu.Lock()
-		state := p.clientState[client]
-		if state != nil {
-			state.proxyIDs[proxyID] = struct{}{}
-		}
-		p.pending[proxyID] = req
-		p.mu.Unlock()
-		msg["id"] = proxyID
-
-		if err := p.sendUpstream(msg); err != nil {
-			p.mu.Lock()
-			p.removePendingRequestLocked(proxyID, req)
-			p.mu.Unlock()
-			return &proxyClientMessageError{originalID: id, sessionID: messageSessionID(msg), err: err}
-		}
-		return nil
-	}
-
-	return p.sendUpstream(msg)
-}
-
-func (p *Proxy) sendUpstream(msg map[string]any) error {
-	p.mu.RLock()
-	conn := p.upstreamConn
-	ready := p.upstreamReady
-	p.mu.RUnlock()
-	if !ready || conn == nil {
-		return fmt.Errorf("upstream browser not connected")
-	}
-
-	p.upstreamWriteMu.Lock()
-	defer p.upstreamWriteMu.Unlock()
-	return conn.WriteJSON(msg)
-}
-
-func (p *Proxy) cdpRequest(method string, params map[string]any) (map[string]any, error) {
-	proxyID := p.nextID.Add(1)
-	ch := make(chan map[string]any, 1)
-
-	p.mu.Lock()
-	p.pending[proxyID] = &pendingRequest{
-		originalID: proxyID,
-		method:     method,
-		createdAt:  time.Now(),
-		internal:   ch,
-	}
-	p.mu.Unlock()
-
-	msg := map[string]any{
-		"id":     proxyID,
-		"method": method,
-	}
-	if params != nil {
-		msg["params"] = params
-	}
-	if err := p.sendUpstream(msg); err != nil {
-		p.mu.Lock()
-		delete(p.pending, proxyID)
-		p.mu.Unlock()
-		return nil, err
-	}
-
-	select {
-	case resp := <-ch:
-		if errField, ok := resp["error"]; ok && errField != nil {
-			return nil, fmt.Errorf("cdp error: %v", errField)
-		}
-		return resp, nil
-	case <-time.After(cdpRequestTimeout):
-		p.mu.Lock()
-		delete(p.pending, proxyID)
-		p.mu.Unlock()
-		return nil, fmt.Errorf("cdp request timeout")
-	}
-}
-
-func (p *Proxy) handleJSONVersion(w http.ResponseWriter, r *http.Request) {
-	wsURL := proxyWSURL(r)
-	writeJSON(w, http.StatusOK, map[string]any{
-		"Browser":              "Chrome (via tap proxy)",
-		"webSocketDebuggerUrl": wsURL,
-	})
-}
-
-func (p *Proxy) handleJSONList(w http.ResponseWriter, r *http.Request) {
-	resp, err := p.cdpRequest("Target.getTargets", nil)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusServiceUnavailable)
-		return
-	}
-
-	result, _ := resp["result"].(map[string]any)
-	targetInfos, _ := result["targetInfos"].([]any)
-	out := make([]map[string]any, 0, len(targetInfos))
-	for _, raw := range targetInfos {
-		info, _ := raw.(map[string]any)
-		if info == nil {
-			continue
-		}
-		if info["type"] != TargetTypePage {
-			continue
-		}
-		out = append(out, map[string]any{
-			"id":    info["targetId"],
-			"title": info["title"],
-			"url":   info["url"],
-			"type":  info["type"],
-		})
-	}
-	writeJSON(w, http.StatusOK, out)
-}
-
-func (p *Proxy) handleJSONNew(w http.ResponseWriter, r *http.Request) {
-	resp, err := p.cdpRequest("Target.createTarget", map[string]any{
-		"url":        "about:blank",
-		"background": true,
-		"focus":      false,
-	})
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusServiceUnavailable)
-		return
-	}
-	writeJSON(w, http.StatusOK, resp["result"])
-}
-
-func (p *Proxy) handleStatus(w http.ResponseWriter, _ *http.Request) {
-	p.mu.RLock()
-	defer p.mu.RUnlock()
-	writeJSON(w, http.StatusOK, map[string]any{
-		"upstream":        p.cfg.Upstream,
-		"upstreamReady":   p.upstreamReady,
-		"clients":         len(p.clientState),
-		"sessions":        len(p.sessionOwners),
-		"targets":         len(p.targetOwners),
-		"pendingRequests": len(p.pending),
-	})
-}
-
-func (p *Proxy) handleHealthz(w http.ResponseWriter, _ *http.Request) {
-	p.mu.RLock()
-	upstreamReady := p.upstreamReady
-	p.mu.RUnlock()
-	status := http.StatusServiceUnavailable
-	if upstreamReady {
-		status = http.StatusOK
-	}
-	writeJSON(w, status, map[string]any{
-		"ok":            upstreamReady,
-		"upstreamReady": upstreamReady,
-	})
-}
-
-func (p *Proxy) handleShutdown(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPost {
-		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
-		return
-	}
-	if p.cfg.OwnershipToken == "" || r.Header.Get("X-Tap-Ownership-Token") != p.cfg.OwnershipToken {
-		http.Error(w, "forbidden", http.StatusForbidden)
-		return
-	}
-	writeJSON(w, http.StatusOK, map[string]any{"ok": true})
-	go func() {
-		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		_ = p.httpServer.Shutdown(shutdownCtx)
-		p.closeUpstream()
-	}()
-}
-
-func (p *Proxy) removeClient(client *proxyClient) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-
-	state := p.clientState[client]
-	for sessionID, owner := range p.sessionOwners {
-		if owner == client {
-			delete(p.sessionOwners, sessionID)
-		}
-	}
-	for targetID, owner := range p.targetOwners {
-		if owner == client {
-			delete(p.targetOwners, targetID)
-		}
-	}
-	if state != nil {
-		for proxyID := range state.proxyIDs {
-			delete(p.pending, proxyID)
-		}
-	}
-	delete(p.clientState, client)
-	_ = client.conn.Close()
-}
-
-func (p *Proxy) resetOwnershipStateLocked() {
-	for sessionID := range p.sessionOwners {
-		delete(p.sessionOwners, sessionID)
-	}
-	for targetID := range p.targetOwners {
-		delete(p.targetOwners, targetID)
-	}
-	for _, state := range p.clientState {
-		state.tabs = make(map[string]struct{})
-		state.sessions = make(map[string]struct{})
-	}
-}
-
-func (p *Proxy) removePendingRequestLocked(id int64, req *pendingRequest) {
-	if req.client != nil {
-		if state := p.clientState[req.client]; state != nil {
-			delete(state.proxyIDs, id)
-		}
-	}
-	delete(p.pending, id)
-}
-
-func (p *Proxy) recordOwnership(msg map[string]any, req *pendingRequest) {
-	if req == nil || req.client == nil {
-		return
-	}
-
-	result, _ := msg["result"].(map[string]any)
-	if result == nil {
-		return
-	}
-
-	p.mu.Lock()
-	defer p.mu.Unlock()
-
-	state := p.clientState[req.client]
-	switch req.method {
-	case "Target.createTarget":
-		targetID, _ := result["targetId"].(string)
-		if targetID == "" {
-			return
-		}
-		p.targetOwners[targetID] = req.client
-		if state != nil {
-			state.tabs[targetID] = struct{}{}
-		}
-	case "Target.attachToTarget":
-		sessionID, _ := result["sessionId"].(string)
-		if sessionID == "" {
-			return
-		}
-		p.sessionOwners[sessionID] = req.client
-		if state != nil {
-			state.sessions[sessionID] = struct{}{}
-		}
-	}
-}
-
-func newProxyState() *proxyState {
-	return &proxyState{
-		tabs:     make(map[string]struct{}),
-		sessions: make(map[string]struct{}),
-		proxyIDs: make(map[int64]struct{}),
-	}
-}
-
-func (c *proxyClient) writeJSON(msg map[string]any) error {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	return c.conn.WriteJSON(msg)
-}
-
-type proxyClientMessageError struct {
-	originalID int64
-	sessionID  string
-	err        error
-}
-
-func (e *proxyClientMessageError) Error() string {
-	return e.err.Error()
-}
-
-func (e *proxyClientMessageError) Unwrap() error {
-	return e.err
-}
-
-func proxyErrorResponse(msg map[string]any, err error) map[string]any {
-	resp := map[string]any{
-		"id":    msg["id"],
-		"error": map[string]any{"code": -1, "message": err.Error()},
-	}
-
-	if typedErr, ok := err.(*proxyClientMessageError); ok {
-		resp["id"] = typedErr.originalID
-		if typedErr.sessionID != "" {
-			resp["sessionId"] = typedErr.sessionID
-		}
-	}
-
-	return resp
-}
-
-func messageSessionID(msg map[string]any) string {
-	sessionID, _ := msg["sessionId"].(string)
-	return sessionID
-}
-
-func messageID(msg map[string]any) (int64, bool) {
-	switch v := msg["id"].(type) {
-	case float64:
-		return int64(v), true
-	case int64:
-		return v, true
-	case int:
-		return int64(v), true
-	case json.Number:
-		i, err := v.Int64()
-		return i, err == nil
-	default:
-		return 0, false
-	}
-}
-
-func extractTargetID(raw any) string {
-	params, _ := raw.(map[string]any)
-	if params == nil {
-		return ""
-	}
-	if targetID, _ := params["targetId"].(string); targetID != "" {
-		return targetID
-	}
-	if info, _ := params["targetInfo"].(map[string]any); info != nil {
-		if targetID, _ := info["targetId"].(string); targetID != "" {
-			return targetID
-		}
-	}
-	return ""
-}
-
-func proxyWSURL(r *http.Request) string {
-	scheme := "ws"
-	if r.TLS != nil {
-		scheme = "wss"
-	}
-	return fmt.Sprintf("%s://%s/devtools/browser/proxy", scheme, r.Host)
-}
-
-func writeJSON(w http.ResponseWriter, status int, v any) {
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(status)
-	_ = json.NewEncoder(w).Encode(v)
-}
diff --git a/browser/proxy_test.go b/browser/proxy_test.go
deleted file mode 100644
index 7c0a651..0000000
--- a/browser/proxy_test.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package browser
-
-import (
-	"errors"
-	"testing"
-)
-
-func TestProxyErrorResponseUsesOriginalID(t *testing.T) {
-	msg := map[string]any{"id": int64(42)}
-	err := &proxyClientMessageError{
-		originalID: 7,
-		sessionID:  "session-1",
-		err:        errors.New("upstream browser not connected"),
-	}
-
-	resp := proxyErrorResponse(msg, err)
-	if got, want := resp["id"], int64(7); got != want {
-		t.Fatalf("proxyErrorResponse id = %#v, want %#v", got, want)
-	}
-	if got, want := resp["sessionId"], "session-1"; got != want {
-		t.Fatalf("proxyErrorResponse sessionId = %#v, want %#v", got, want)
-	}
-}
-
-func TestProxyErrorResponseFallsBackToMessageID(t *testing.T) {
-	msg := map[string]any{"id": int64(42)}
-	resp := proxyErrorResponse(msg, errors.New("boom"))
-	if got, want := resp["id"], int64(42); got != want {
-		t.Fatalf("proxyErrorResponse id = %#v, want %#v", got, want)
-	}
-	if _, ok := resp["sessionId"]; ok {
-		t.Fatal("proxyErrorResponse should not set sessionId for generic errors")
-	}
-}
diff --git a/browser/snapshot.go b/browser/snapshot.go
deleted file mode 100644
index 2d6b892..0000000
--- a/browser/snapshot.go
+++ /dev/null
@@ -1,90 +0,0 @@
-package browser
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-)
-
-// SnapshotOptions controls browser snapshot generation.
-type SnapshotOptions struct {
-	InteractiveOnly bool
-	Selector        string
-	Depth           int64
-	Mode            string // auto | ax
-}
-
-// SnapshotResult is an AI-friendly semantic snapshot of the current page.
-type SnapshotResult struct {
-	URL         string         `json:"url"`
-	Title       string         `json:"title,omitempty"`
-	Mode        string         `json:"mode"`
-	GeneratedAt time.Time      `json:"generatedAt"`
-	DocumentKey string         `json:"documentKey"`
-	Nodes       []SnapshotNode `json:"nodes"`
-	Refs        []SnapshotRef  `json:"refs"`
-}
-
-// SnapshotNode is one node in the compact semantic tree.
-type SnapshotNode struct {
-	Ref         string   `json:"ref,omitempty"`
-	Role        string   `json:"role,omitempty"`
-	Name        string   `json:"name,omitempty"`
-	Value       string   `json:"value,omitempty"`
-	Description string   `json:"description,omitempty"`
-	States      []string `json:"states,omitempty"`
-	Children    []int    `json:"children,omitempty"`
-}
-
-// SnapshotRef maps an element ref to backend IDs for follow-up actions.
-type SnapshotRef struct {
-	Ref              string `json:"ref"`
-	BackendDOMNodeID int64  `json:"backendDomNodeId,omitempty"`
-	AXNodeID         string `json:"axNodeId,omitempty"`
-	FrameID          string `json:"frameId,omitempty"`
-	SelectorHint     string `json:"selectorHint,omitempty"`
-	Role             string `json:"role,omitempty"`
-	Name             string `json:"name,omitempty"`
-}
-
-func isElementRef(arg string) bool {
-	return strings.HasPrefix(strings.TrimSpace(arg), "@e")
-}
-
-func (m *Manager) saveSnapshot(sessionName, tabName string, result *SnapshotResult) error {
-	if result == nil {
-		return fmt.Errorf("snapshot is required")
-	}
-	path := m.snapshotPath(sessionName, tabName)
-	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
-		return fmt.Errorf("create snapshot dir: %w", err)
-	}
-	data, err := json.MarshalIndent(result, "", "  ")
-	if err != nil {
-		return fmt.Errorf("encode snapshot: %w", err)
-	}
-	if err := os.WriteFile(path, data, 0o644); err != nil {
-		return fmt.Errorf("write snapshot: %w", err)
-	}
-	return nil
-}
-
-func (m *Manager) loadSnapshot(sessionName, tabName string) (*SnapshotResult, error) {
-	path := m.snapshotPath(sessionName, tabName)
-	data, err := os.ReadFile(path)
-	if err != nil {
-		return nil, fmt.Errorf("read snapshot: %w", err)
-	}
-	var out SnapshotResult
-	if err := json.Unmarshal(data, &out); err != nil {
-		return nil, fmt.Errorf("decode snapshot: %w", err)
-	}
-	return &out, nil
-}
-
-func (m *Manager) snapshotPath(sessionName, tabName string) string {
-	return filepath.Join(m.store.Root(), "snapshots", sessionName, tabName+".json")
-}
diff --git a/browser/state.go b/browser/state.go
deleted file mode 100644
index bbf930a..0000000
--- a/browser/state.go
+++ /dev/null
@@ -1,754 +0,0 @@
-package browser
-
-import (
-	"errors"
-	"fmt"
-	"regexp"
-	"sort"
-	"strings"
-	"time"
-)
-
-const (
-	// StateVersion is the current on-disk schema version for browser metadata.
-	StateVersion = 1
-
-	// DefaultSessionName is the session used when --session is omitted.
-	DefaultSessionName = "default"
-
-	// EnvStateRoot overrides the default durable state directory.
-	EnvStateRoot = "TAP_BROWSER_STATE_DIR"
-)
-
-var namePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$`)
-
-var (
-	ErrSessionNotFound       = errors.New("browser session not found")
-	ErrNoTabs                = errors.New("no tracked tabs found")
-	ErrAmbiguousTab          = errors.New("browser tab selection is ambiguous")
-	ErrTabNotFound           = errors.New("browser tab not found")
-	ErrClosedTabSelected     = errors.New("browser tab is closed")
-	ErrStaleTabSelected      = errors.New("browser tab is stale")
-	ErrDefaultContextNotSet  = errors.New("default browser context is not set")
-	ErrDefaultContextInvalid = errors.New("default browser context is invalid")
-)
-
-// Mode identifies how a session connects to Chrome.
-type Mode string
-
-const (
-	ModeLocal  Mode = "local"
-	ModeRemote Mode = "remote"
-)
-
-type DefaultContextKind string
-
-const (
-	DefaultContextManaged  DefaultContextKind = "managed"
-	DefaultContextAttached DefaultContextKind = "attached"
-)
-
-// Operation is a user-facing browser action supported by the session manager.
-type Operation string
-
-const (
-	OperationSessionNew   Operation = "session_new"
-	OperationSessionClose Operation = "session_close"
-	OperationTabNew       Operation = "tab_new"
-	OperationTabClose     Operation = "tab_close"
-	OperationNavigate     Operation = "navigate"
-	OperationEvaluate     Operation = "evaluate"
-	OperationScreenshot   Operation = "screenshot"
-)
-
-// TabStatus tracks whether a named tab can be used directly.
-type TabStatus string
-
-const (
-	TabStatusLive   TabStatus = "live"
-	TabStatusStale  TabStatus = "stale"
-	TabStatusClosed TabStatus = "closed"
-)
-
-// Capability describes whether an operation is supported for a session mode.
-type Capability struct {
-	Supported bool   `json:"supported"`
-	Notes     string `json:"notes,omitempty"`
-}
-
-// LocalConfig freezes local launch settings into session metadata.
-type LocalConfig struct {
-	ProfileDir string `json:"profile_dir"`
-	Headless   bool   `json:"headless"`
-}
-
-// RemoteConfig freezes the remote reconnect endpoint into session metadata.
-type RemoteConfig struct {
-	WSURL string `json:"ws_url"`
-}
-
-// ProcessRecord stores the launch markers needed for later ownership checks.
-type ProcessRecord struct {
-	PID            int       `json:"pid,omitempty"`
-	DebugURL       string    `json:"debug_url,omitempty"`
-	OwnershipToken string    `json:"ownership_token,omitempty"`
-	StartedAt      time.Time `json:"started_at,omitempty"`
-}
-
-// TabRecord stores the durable metadata for a tracked browser target.
-type TabRecord struct {
-	Name       string    `json:"name"`
-	TargetID   string    `json:"target_id,omitempty"`
-	URL        string    `json:"url,omitempty"`
-	Status     TabStatus `json:"status"`
-	CreatedAt  time.Time `json:"created_at"`
-	UpdatedAt  time.Time `json:"updated_at"`
-	LastSeenAt time.Time `json:"last_seen_at,omitempty"`
-}
-
-// SessionRecord stores one persistent browser session and its tracked tabs.
-type SessionRecord struct {
-	Name             string                   `json:"name"`
-	Mode             Mode                     `json:"mode"`
-	Local            *LocalConfig             `json:"local,omitempty"`
-	Remote           *RemoteConfig            `json:"remote,omitempty"`
-	Process          *ProcessRecord           `json:"process,omitempty"`
-	SelectedTab      string                   `json:"selected_tab,omitempty"`
-	Tabs             map[string]*TabRecord    `json:"tabs,omitempty"`
-	Capabilities     map[Operation]Capability `json:"capabilities,omitempty"`
-	CreatedAt        time.Time                `json:"created_at"`
-	UpdatedAt        time.Time                `json:"updated_at"`
-	LastReconciledAt time.Time                `json:"last_reconciled_at,omitempty"`
-}
-
-// DefaultContextRecord stores the persisted default browser context resolution.
-type DefaultContextRecord struct {
-	SessionName string             `json:"session_name"`
-	Kind        DefaultContextKind `json:"kind"`
-	Stale       bool               `json:"stale,omitempty"`
-	Reason      string             `json:"reason,omitempty"`
-	UpdatedAt   time.Time          `json:"updated_at,omitempty"`
-}
-
-// ProxyDaemonRecord stores the internal CDP proxy metadata used for attached Chrome.
-type ProxyDaemonRecord struct {
-	PID               int       `json:"pid,omitempty"`
-	ListenAddr        string    `json:"listen_addr,omitempty"`
-	Endpoint          string    `json:"endpoint,omitempty"`
-	UpstreamWSURL     string    `json:"upstream_ws_url,omitempty"`
-	OwnershipToken    string    `json:"ownership_token,omitempty"`
-	State             string    `json:"state,omitempty"`
-	Status            string    `json:"status,omitempty"`
-	LastHealthCheckAt time.Time `json:"last_health_check_at,omitempty"`
-	LastHealthyAt     time.Time `json:"last_healthy_at,omitempty"`
-	LastError         string    `json:"last_error,omitempty"`
-	StartedAt         time.Time `json:"started_at,omitempty"`
-	UpdatedAt         time.Time `json:"updated_at,omitempty"`
-}
-
-// State is the durable browser session metadata written to disk.
-type State struct {
-	Version        int                       `json:"version"`
-	DefaultContext *DefaultContextRecord     `json:"default_context,omitempty"`
-	ProxyDaemon    *ProxyDaemonRecord        `json:"proxy_daemon,omitempty"`
-	Sessions       map[string]*SessionRecord `json:"sessions"`
-}
-
-// NewState returns an empty metadata state with initialized maps.
-func NewState() *State {
-	return &State{
-		Version:  StateVersion,
-		Sessions: make(map[string]*SessionRecord),
-	}
-}
-
-var localCapabilities = map[Operation]Capability{
-	OperationSessionNew: {
-		Supported: true,
-		Notes:     "Launch a managed local Chrome with a dedicated profile and debugging endpoint.",
-	},
-	OperationSessionClose: {
-		Supported: true,
-		Notes:     "Terminate the managed browser after ownership checks, then remove local metadata and profile state.",
-	},
-	OperationTabNew: {
-		Supported: true,
-		Notes:     "Create a tracked target within the managed local browser.",
-	},
-	OperationTabClose: {
-		Supported: true,
-		Notes:     "Close the tracked target and drop its metadata.",
-	},
-	OperationNavigate: {
-		Supported: true,
-		Notes:     "Navigate an explicit or selected tracked tab.",
-	},
-	OperationEvaluate: {
-		Supported: true,
-		Notes:     "Run JavaScript on an explicit or selected tracked tab.",
-	},
-	OperationScreenshot: {
-		Supported: true,
-		Notes:     "Capture a screenshot from an explicit or selected tracked tab.",
-	},
-}
-
-var remoteCapabilities = map[Operation]Capability{
-	OperationSessionNew: {
-		Supported: true,
-		Notes:     "Bind the session to an explicit --ws-url and validate connection/auth/TLS up front.",
-	},
-	OperationSessionClose: {
-		Supported: true,
-		Notes:     "Remove tap metadata only. Remote browser processes are never terminated by tap.",
-	},
-	OperationTabNew: {
-		Supported: true,
-		Notes:     "Supported when the remote endpoint allows target creation; failures must be returned clearly.",
-	},
-	OperationTabClose: {
-		Supported: true,
-		Notes:     "Supported when the remote endpoint allows target closure; tap removes metadata only after confirmation.",
-	},
-	OperationNavigate: {
-		Supported: true,
-		Notes:     "Operate through the persisted session endpoint, ignoring later global --ws-url overrides.",
-	},
-	OperationEvaluate: {
-		Supported: true,
-		Notes:     "Operate through the persisted session endpoint, ignoring later global --ws-url overrides.",
-	},
-	OperationScreenshot: {
-		Supported: true,
-		Notes:     "Operate through the persisted session endpoint, ignoring later global --ws-url overrides.",
-	},
-}
-
-// CapabilitiesForMode returns the documented capability contract for the given mode.
-func CapabilitiesForMode(mode Mode) map[Operation]Capability {
-	switch mode {
-	case ModeLocal:
-		return localCapabilities
-	case ModeRemote:
-		return remoteCapabilities
-	default:
-		return nil
-	}
-}
-
-// NewLocalSession builds a validated local session record.
-func NewLocalSession(name string, profileDir string, headless bool, now time.Time) (*SessionRecord, error) {
-	if err := ValidateSessionName(name); err != nil {
-		return nil, err
-	}
-	if strings.TrimSpace(profileDir) == "" {
-		return nil, errors.New("local browser profile directory is required")
-	}
-	return &SessionRecord{
-		Name:         name,
-		Mode:         ModeLocal,
-		Local:        &LocalConfig{ProfileDir: profileDir, Headless: headless},
-		Tabs:         make(map[string]*TabRecord),
-		Capabilities: CapabilitiesForMode(ModeLocal),
-		CreatedAt:    now.UTC(),
-		UpdatedAt:    now.UTC(),
-	}, nil
-}
-
-// NewRemoteSession builds a validated remote session record.
-func NewRemoteSession(name string, wsURL string, now time.Time) (*SessionRecord, error) {
-	if err := ValidateSessionName(name); err != nil {
-		return nil, err
-	}
-	if strings.TrimSpace(wsURL) == "" {
-		return nil, errors.New("remote browser WebSocket URL is required")
-	}
-	return &SessionRecord{
-		Name:         name,
-		Mode:         ModeRemote,
-		Remote:       &RemoteConfig{WSURL: wsURL},
-		Tabs:         make(map[string]*TabRecord),
-		Capabilities: CapabilitiesForMode(ModeRemote),
-		CreatedAt:    now.UTC(),
-		UpdatedAt:    now.UTC(),
-	}, nil
-}
-
-// NewTab builds a validated tracked tab record.
-func NewTab(name string, targetID string, url string, now time.Time) (*TabRecord, error) {
-	if err := ValidateTabName(name); err != nil {
-		return nil, err
-	}
-	return &TabRecord{
-		Name:       name,
-		TargetID:   strings.TrimSpace(targetID),
-		URL:        strings.TrimSpace(url),
-		Status:     TabStatusLive,
-		CreatedAt:  now.UTC(),
-		UpdatedAt:  now.UTC(),
-		LastSeenAt: now.UTC(),
-	}, nil
-}
-
-// ValidateSessionName checks the user-facing session naming rules.
-func ValidateSessionName(name string) error {
-	return validateName("session", name)
-}
-
-// ValidateTabName checks the user-facing tab naming rules.
-func ValidateTabName(name string) error {
-	return validateName("tab", name)
-}
-
-func validateName(kind string, name string) error {
-	trimmed := strings.TrimSpace(name)
-	if trimmed == "" {
-		return fmt.Errorf("%s name is required", kind)
-	}
-	if trimmed != name {
-		return fmt.Errorf("%s name cannot have leading or trailing whitespace", kind)
-	}
-	if !namePattern.MatchString(name) {
-		return fmt.Errorf("%s name must match %q", kind, namePattern.String())
-	}
-	return nil
-}
-
-// Normalize repairs nil maps and empty versions loaded from disk.
-func (s *State) Normalize() {
-	if s.Version == 0 {
-		s.Version = StateVersion
-	}
-	if s.Sessions == nil {
-		s.Sessions = make(map[string]*SessionRecord)
-	}
-	if s.DefaultContext != nil {
-		s.DefaultContext.SessionName = strings.TrimSpace(s.DefaultContext.SessionName)
-		if s.DefaultContext.SessionName == "" {
-			s.DefaultContext = nil
-		}
-	}
-	if s.ProxyDaemon != nil {
-		s.ProxyDaemon.ListenAddr = strings.TrimSpace(s.ProxyDaemon.ListenAddr)
-		s.ProxyDaemon.Endpoint = strings.TrimSpace(s.ProxyDaemon.Endpoint)
-		s.ProxyDaemon.UpstreamWSURL = strings.TrimSpace(s.ProxyDaemon.UpstreamWSURL)
-		s.ProxyDaemon.OwnershipToken = strings.TrimSpace(s.ProxyDaemon.OwnershipToken)
-		if s.ProxyDaemon.Endpoint == "" && s.ProxyDaemon.ListenAddr == "" && s.ProxyDaemon.PID == 0 {
-			s.ProxyDaemon = nil
-		}
-	}
-	for name, session := range s.Sessions {
-		if session == nil {
-			delete(s.Sessions, name)
-			continue
-		}
-		if session.Name == "" {
-			session.Name = name
-		}
-		if session.Tabs == nil {
-			session.Tabs = make(map[string]*TabRecord)
-		}
-		for tabName, tab := range session.Tabs {
-			if tab == nil {
-				delete(session.Tabs, tabName)
-				continue
-			}
-			if tab.Name == "" {
-				tab.Name = tabName
-			}
-			if tab.Status == "" {
-				tab.Status = TabStatusLive
-			}
-		}
-	}
-}
-
-// Validate checks that the in-memory state satisfies the Phase 1 metadata contract.
-func (s *State) Validate() error {
-	if s.Version != StateVersion {
-		return fmt.Errorf("unsupported browser state version %d", s.Version)
-	}
-	for name, session := range s.Sessions {
-		if err := ValidateSessionName(name); err != nil {
-			return err
-		}
-		if session.Name != name {
-			return fmt.Errorf("session %q must match map key", name)
-		}
-		if err := session.validate(); err != nil {
-			return fmt.Errorf("session %q: %w", name, err)
-		}
-	}
-	if s.DefaultContext != nil {
-		if err := s.DefaultContext.validate(s); err != nil {
-			return fmt.Errorf("default context: %w", err)
-		}
-	}
-	if s.ProxyDaemon != nil {
-		if err := s.ProxyDaemon.validate(); err != nil {
-			return fmt.Errorf("proxy daemon: %w", err)
-		}
-	}
-	return nil
-}
-
-func (s *SessionRecord) validate() error {
-	if err := ValidateSessionName(s.Name); err != nil {
-		return err
-	}
-	switch s.Mode {
-	case ModeLocal:
-		if s.Local == nil {
-			return errors.New("local session config is required")
-		}
-		if s.Remote != nil {
-			return errors.New("local session cannot have remote config")
-		}
-		if strings.TrimSpace(s.Local.ProfileDir) == "" {
-			return errors.New("local session profile directory is required")
-		}
-	case ModeRemote:
-		if s.Remote == nil {
-			return errors.New("remote session config is required")
-		}
-		if s.Local != nil {
-			return errors.New("remote session cannot have local config")
-		}
-		if strings.TrimSpace(s.Remote.WSURL) == "" {
-			return errors.New("remote session WebSocket URL is required")
-		}
-	default:
-		return fmt.Errorf("unsupported session mode %q", s.Mode)
-	}
-	if s.Tabs == nil {
-		s.Tabs = make(map[string]*TabRecord)
-	}
-	if s.SelectedTab != "" {
-		tab, ok := s.Tabs[s.SelectedTab]
-		if !ok {
-			return fmt.Errorf("selected tab %q is missing", s.SelectedTab)
-		}
-		if tab.Status == TabStatusClosed {
-			return fmt.Errorf("selected tab %q is closed", s.SelectedTab)
-		}
-		if tab.Status == TabStatusStale {
-			return fmt.Errorf("selected tab %q is stale", s.SelectedTab)
-		}
-	}
-	for name, tab := range s.Tabs {
-		if err := ValidateTabName(name); err != nil {
-			return err
-		}
-		if tab.Name != name {
-			return fmt.Errorf("tab %q must match map key", name)
-		}
-		if err := tab.validate(); err != nil {
-			return fmt.Errorf("tab %q: %w", name, err)
-		}
-	}
-	return nil
-}
-
-func (pd *ProxyDaemonRecord) validate() error {
-	if pd == nil {
-		return nil
-	}
-	if pd.PID < 0 {
-		return errors.New("pid cannot be negative")
-	}
-	if pd.ListenAddr == "" {
-		return errors.New("listen address is required")
-	}
-	if pd.Endpoint == "" {
-		return errors.New("endpoint is required")
-	}
-	if pd.UpstreamWSURL == "" {
-		return errors.New("upstream WebSocket URL is required")
-	}
-	if pd.OwnershipToken == "" {
-		return errors.New("ownership token is required")
-	}
-	return nil
-}
-
-func (dc *DefaultContextRecord) validate(state *State) error {
-	if dc == nil {
-		return nil
-	}
-	if strings.TrimSpace(dc.SessionName) == "" {
-		return ErrDefaultContextNotSet
-	}
-	switch dc.Kind {
-	case DefaultContextManaged, DefaultContextAttached:
-	default:
-		return fmt.Errorf("unsupported default context kind %q", dc.Kind)
-	}
-	if _, ok := state.Sessions[dc.SessionName]; !ok {
-		return fmt.Errorf("%w: %s", ErrDefaultContextInvalid, dc.SessionName)
-	}
-	return nil
-}
-
-func (t *TabRecord) validate() error {
-	if err := ValidateTabName(t.Name); err != nil {
-		return err
-	}
-	switch t.Status {
-	case TabStatusLive, TabStatusStale, TabStatusClosed:
-		return nil
-	default:
-		return fmt.Errorf("unsupported tab status %q", t.Status)
-	}
-}
-
-// CreateSession adds a new named session.
-func (s *State) CreateSession(session *SessionRecord) error {
-	if session == nil {
-		return errors.New("session is required")
-	}
-	if err := session.validate(); err != nil {
-		return err
-	}
-	if _, exists := s.Sessions[session.Name]; exists {
-		return fmt.Errorf("session %q already exists", session.Name)
-	}
-	s.Sessions[session.Name] = session
-	return nil
-}
-
-// DeleteSession removes a session.
-func (s *State) DeleteSession(name string) error {
-	if _, ok := s.Sessions[name]; !ok {
-		return fmt.Errorf("%w: %s", ErrSessionNotFound, name)
-	}
-	delete(s.Sessions, name)
-	if s.DefaultContext != nil && s.DefaultContext.SessionName == name {
-		s.DefaultContext = nil
-	}
-	return nil
-}
-
-// ResolveSession returns the session matching name, or the "default" session
-// when name is empty. Callers that need persisted-context resolution should use
-// ResolveSessionByPreference or Manager.resolveSessionName instead.
-func (s *State) ResolveSession(name string) (*SessionRecord, error) {
-	if name == "" {
-		name = DefaultSessionName
-	}
-	session, ok := s.Sessions[name]
-	if !ok {
-		return nil, fmt.Errorf("%w: %s", ErrSessionNotFound, name)
-	}
-	return session, nil
-}
-
-func (s *State) SetDefaultContext(sessionName string, kind DefaultContextKind, now time.Time) error {
-	if _, ok := s.Sessions[sessionName]; !ok {
-		return fmt.Errorf("%w: %s", ErrSessionNotFound, sessionName)
-	}
-	s.DefaultContext = &DefaultContextRecord{
-		SessionName: sessionName,
-		Kind:        kind,
-		UpdatedAt:   now.UTC(),
-	}
-	return nil
-}
-
-func (s *State) ClearDefaultContext() {
-	s.DefaultContext = nil
-}
-
-func (s *State) MarkDefaultContextStale(sessionName string, reason string, now time.Time) {
-	if s.DefaultContext == nil || s.DefaultContext.SessionName != sessionName {
-		return
-	}
-	s.DefaultContext.Stale = true
-	s.DefaultContext.Reason = strings.TrimSpace(reason)
-	s.DefaultContext.UpdatedAt = now.UTC()
-}
-
-func (s *State) MarkDefaultContextHealthy(sessionName string, now time.Time) {
-	if s.DefaultContext == nil || s.DefaultContext.SessionName != sessionName {
-		return
-	}
-	s.DefaultContext.Stale = false
-	s.DefaultContext.Reason = ""
-	s.DefaultContext.UpdatedAt = now.UTC()
-}
-
-func (s *State) ResolveSessionByPreference(name string) (*SessionRecord, error) {
-	if name != "" {
-		return s.ResolveSession(name)
-	}
-	if s.DefaultContext != nil {
-		session, ok := s.Sessions[s.DefaultContext.SessionName]
-		if !ok {
-			return nil, fmt.Errorf("%w: %s", ErrDefaultContextInvalid, s.DefaultContext.SessionName)
-		}
-		return session, nil
-	}
-	return s.ResolveSession(DefaultSessionName)
-}
-
-// UpsertTab creates or updates a tracked tab. The first live tab becomes selected.
-func (s *State) UpsertTab(sessionName string, tab *TabRecord) error {
-	if tab == nil {
-		return errors.New("tab is required")
-	}
-	session, ok := s.Sessions[sessionName]
-	if !ok {
-		return fmt.Errorf("%w: %s", ErrSessionNotFound, sessionName)
-	}
-	if err := tab.validate(); err != nil {
-		return err
-	}
-	if session.Tabs == nil {
-		session.Tabs = make(map[string]*TabRecord)
-	}
-	if existing, ok := session.Tabs[tab.Name]; ok {
-		tab.CreatedAt = existing.CreatedAt
-	}
-	session.Tabs[tab.Name] = tab
-	session.UpdatedAt = time.Now().UTC()
-	if session.SelectedTab == "" && tab.Status == TabStatusLive {
-		session.SelectedTab = tab.Name
-	}
-	return nil
-}
-
-// DeleteTab removes a tracked tab and advances selection to the next live tab.
-func (s *State) DeleteTab(sessionName string, tabName string) error {
-	session, ok := s.Sessions[sessionName]
-	if !ok {
-		return fmt.Errorf("%w: %s", ErrSessionNotFound, sessionName)
-	}
-	if _, ok := session.Tabs[tabName]; !ok {
-		return fmt.Errorf("%w: %s", ErrTabNotFound, tabName)
-	}
-	delete(session.Tabs, tabName)
-	if session.SelectedTab == tabName {
-		session.SelectedTab = session.nextLiveTabName()
-	}
-	session.UpdatedAt = time.Now().UTC()
-	return nil
-}
-
-// SelectTab persists the default live tab used when --tab is omitted.
-func (s *State) SelectTab(sessionName string, tabName string) error {
-	session, ok := s.Sessions[sessionName]
-	if !ok {
-		return fmt.Errorf("%w: %s", ErrSessionNotFound, sessionName)
-	}
-	tab, ok := session.Tabs[tabName]
-	if !ok {
-		return fmt.Errorf("%w: %s", ErrTabNotFound, tabName)
-	}
-	if tab.Status == TabStatusClosed {
-		return fmt.Errorf("%w: %s", ErrClosedTabSelected, tabName)
-	}
-	if tab.Status == TabStatusStale {
-		return fmt.Errorf("%w: %s", ErrStaleTabSelected, tabName)
-	}
-	session.SelectedTab = tabName
-	session.UpdatedAt = time.Now().UTC()
-	return nil
-}
-
-// ResolveTab returns an explicit tab, the selected tab, or the only live tracked
-// tab when exactly one live tab exists.
-func (s *SessionRecord) ResolveTab(name string) (*TabRecord, error) {
-	if s == nil {
-		return nil, ErrNoTabs
-	}
-	if s.Tabs == nil {
-		s.Tabs = make(map[string]*TabRecord)
-	}
-	if name != "" {
-		tab, ok := s.Tabs[name]
-		if !ok {
-			return nil, fmt.Errorf("%w: %s", ErrTabNotFound, name)
-		}
-		return tab, nil
-	}
-	if s.SelectedTab != "" {
-		tab, ok := s.Tabs[s.SelectedTab]
-		if ok {
-			return tab, nil
-		}
-	}
-	liveTabs := s.liveTabs()
-	switch len(liveTabs) {
-	case 0:
-		return nil, ErrNoTabs
-	case 1:
-		return liveTabs[0], nil
-	}
-	return nil, fmt.Errorf("%w: use --tab or 'tap browser tab select <name>'", ErrAmbiguousTab)
-}
-
-// ReconcileSession updates tab liveness after reloading or reconnecting a browser session.
-func (s *State) ReconcileSession(sessionName string, liveTargetIDs []string, now time.Time) error {
-	session, ok := s.Sessions[sessionName]
-	if !ok {
-		return fmt.Errorf("%w: %s", ErrSessionNotFound, sessionName)
-	}
-
-	liveTargets := make(map[string]struct{}, len(liveTargetIDs))
-	for _, targetID := range liveTargetIDs {
-		targetID = strings.TrimSpace(targetID)
-		if targetID == "" {
-			continue
-		}
-		liveTargets[targetID] = struct{}{}
-	}
-
-	for _, tab := range session.Tabs {
-		if tab.Status == TabStatusClosed {
-			continue
-		}
-		if _, ok := liveTargets[tab.TargetID]; ok && tab.TargetID != "" {
-			tab.Status = TabStatusLive
-			tab.LastSeenAt = now.UTC()
-			tab.UpdatedAt = now.UTC()
-			continue
-		}
-		tab.Status = TabStatusStale
-		tab.TargetID = ""
-		tab.UpdatedAt = now.UTC()
-	}
-
-	if session.SelectedTab != "" {
-		selected, ok := session.Tabs[session.SelectedTab]
-		if !ok || selected.Status != TabStatusLive {
-			session.SelectedTab = ""
-		}
-	}
-	session.LastReconciledAt = now.UTC()
-	session.UpdatedAt = now.UTC()
-	return nil
-}
-
-func (s *SessionRecord) nextLiveTabName() string {
-	liveTabs := s.liveTabs()
-	if len(liveTabs) == 0 {
-		return ""
-	}
-	return liveTabs[0].Name
-}
-
-func (s *SessionRecord) liveTabs() []*TabRecord {
-	var tabs []*TabRecord
-	for _, tab := range s.Tabs {
-		if tab.Status != TabStatusLive {
-			continue
-		}
-		tabs = append(tabs, tab)
-	}
-	sort.Slice(tabs, func(i int, j int) bool {
-		if tabs[i].CreatedAt.Equal(tabs[j].CreatedAt) {
-			return tabs[i].Name < tabs[j].Name
-		}
-		return tabs[i].CreatedAt.Before(tabs[j].CreatedAt)
-	})
-	return tabs
-}
diff --git a/browser/state_test.go b/browser/state_test.go
deleted file mode 100644
index 4eb21f7..0000000
--- a/browser/state_test.go
+++ /dev/null
@@ -1,238 +0,0 @@
-package browser
-
-import (
-	"errors"
-	"path/filepath"
-	"testing"
-	"time"
-)
-
-func TestStateSessionResolution(t *testing.T) {
-	state := NewState()
-	now := time.Date(2026, 4, 1, 8, 0, 0, 0, time.UTC)
-
-	// Create a session named "default".
-	def, err := NewLocalSession(DefaultSessionName, filepath.Join(t.TempDir(), "default"), true, now)
-	if err != nil {
-		t.Fatalf("NewLocalSession failed: %v", err)
-	}
-	if err := state.CreateSession(def); err != nil {
-		t.Fatalf("CreateSession(default) failed: %v", err)
-	}
-
-	// Empty name resolves to the "default" session.
-	if session, err := state.ResolveSession(""); err != nil {
-		t.Fatalf("ResolveSession('') failed: %v", err)
-	} else if session.Name != DefaultSessionName {
-		t.Fatalf("ResolveSession('') = %q, want %q", session.Name, DefaultSessionName)
-	}
-
-	// Explicit name resolves correctly.
-	other, err := NewRemoteSession("other", "wss://example.com/devtools/browser/1", now.Add(time.Minute))
-	if err != nil {
-		t.Fatalf("NewRemoteSession failed: %v", err)
-	}
-	if err := state.CreateSession(other); err != nil {
-		t.Fatalf("CreateSession(other) failed: %v", err)
-	}
-	if session, err := state.ResolveSession("other"); err != nil {
-		t.Fatalf("ResolveSession(other) failed: %v", err)
-	} else if session.Name != "other" {
-		t.Fatalf("ResolveSession(other) = %q, want other", session.Name)
-	}
-
-	// Empty name still resolves to "default" even with multiple sessions.
-	if session, err := state.ResolveSession(""); err != nil {
-		t.Fatalf("ResolveSession('') with multiple sessions failed: %v", err)
-	} else if session.Name != DefaultSessionName {
-		t.Fatalf("ResolveSession('') = %q, want %q", session.Name, DefaultSessionName)
-	}
-
-	// Non-existent session returns error.
-	if _, err := state.ResolveSession("nonexistent"); !errors.Is(err, ErrSessionNotFound) {
-		t.Fatalf("ResolveSession(nonexistent) error = %v, want ErrSessionNotFound", err)
-	}
-}
-
-func TestResolveSessionByPreferenceUsesPersistedDefaultContext(t *testing.T) {
-	state := NewState()
-	now := time.Date(2026, 4, 1, 8, 0, 0, 0, time.UTC)
-
-	alpha, err := NewRemoteSession("alpha", "wss://example.com/devtools/browser/1", now)
-	if err != nil {
-		t.Fatalf("NewRemoteSession(alpha) failed: %v", err)
-	}
-	beta, err := NewLocalSession(DefaultSessionName, filepath.Join(t.TempDir(), "default"), true, now)
-	if err != nil {
-		t.Fatalf("NewLocalSession(default) failed: %v", err)
-	}
-	if err := state.CreateSession(alpha); err != nil {
-		t.Fatalf("CreateSession(alpha) failed: %v", err)
-	}
-	if err := state.CreateSession(beta); err != nil {
-		t.Fatalf("CreateSession(default) failed: %v", err)
-	}
-	if err := state.SetDefaultContext("alpha", DefaultContextAttached, now); err != nil {
-		t.Fatalf("SetDefaultContext failed: %v", err)
-	}
-
-	session, err := state.ResolveSessionByPreference("")
-	if err != nil {
-		t.Fatalf("ResolveSessionByPreference failed: %v", err)
-	}
-	if session.Name != "alpha" {
-		t.Fatalf("ResolveSessionByPreference(empty) = %q, want alpha", session.Name)
-	}
-}
-
-func TestResolveSessionWithoutDefault(t *testing.T) {
-	state := NewState()
-	now := time.Date(2026, 4, 1, 8, 0, 0, 0, time.UTC)
-
-	// No sessions: empty name fails with ErrSessionNotFound for "default".
-	if _, err := state.ResolveSession(""); !errors.Is(err, ErrSessionNotFound) {
-		t.Fatalf("ResolveSession('') with no sessions: error = %v, want ErrSessionNotFound", err)
-	}
-
-	// Only non-default session: empty name still fails (looks for "default").
-	other, err := NewRemoteSession("other", "wss://example.com/devtools/browser/1", now)
-	if err != nil {
-		t.Fatalf("NewRemoteSession failed: %v", err)
-	}
-	if err := state.CreateSession(other); err != nil {
-		t.Fatalf("CreateSession(other) failed: %v", err)
-	}
-	if _, err := state.ResolveSession(""); !errors.Is(err, ErrSessionNotFound) {
-		t.Fatalf("ResolveSession('') without default: error = %v, want ErrSessionNotFound", err)
-	}
-}
-
-func TestSessionTabSelectionAndDeletion(t *testing.T) {
-	state := NewState()
-	now := time.Date(2026, 4, 1, 9, 0, 0, 0, time.UTC)
-
-	session, err := NewLocalSession("alpha", filepath.Join(t.TempDir(), "alpha"), false, now)
-	if err != nil {
-		t.Fatalf("NewLocalSession failed: %v", err)
-	}
-	if err := state.CreateSession(session); err != nil {
-		t.Fatalf("CreateSession failed: %v", err)
-	}
-
-	first, err := NewTab("first", "target-1", "https://example.com/1", now)
-	if err != nil {
-		t.Fatalf("NewTab(first) failed: %v", err)
-	}
-	second, err := NewTab("second", "target-2", "https://example.com/2", now.Add(time.Minute))
-	if err != nil {
-		t.Fatalf("NewTab(second) failed: %v", err)
-	}
-
-	if err := state.UpsertTab("alpha", first); err != nil {
-		t.Fatalf("UpsertTab(first) failed: %v", err)
-	}
-	if err := state.UpsertTab("alpha", second); err != nil {
-		t.Fatalf("UpsertTab(second) failed: %v", err)
-	}
-
-	if session.SelectedTab != "first" {
-		t.Fatalf("SelectedTab after first insert = %q, want first", session.SelectedTab)
-	}
-	if err := state.SelectTab("alpha", "second"); err != nil {
-		t.Fatalf("SelectTab(second) failed: %v", err)
-	}
-	if session.SelectedTab != "second" {
-		t.Fatalf("SelectedTab after select = %q, want second", session.SelectedTab)
-	}
-
-	if err := state.DeleteTab("alpha", "second"); err != nil {
-		t.Fatalf("DeleteTab(second) failed: %v", err)
-	}
-	if session.SelectedTab != "first" {
-		t.Fatalf("SelectedTab after delete = %q, want first", session.SelectedTab)
-	}
-
-	resolved, err := session.ResolveTab("")
-	if err != nil {
-		t.Fatalf("ResolveTab(selected) failed: %v", err)
-	}
-	if resolved.Name != "first" {
-		t.Fatalf("ResolveTab(selected) = %q, want first", resolved.Name)
-	}
-}
-
-func TestResolveTabRequiresSelectionWhenMultipleLiveTabsExist(t *testing.T) {
-	session, err := NewLocalSession("alpha", filepath.Join(t.TempDir(), "alpha"), true, time.Now().UTC())
-	if err != nil {
-		t.Fatalf("NewLocalSession failed: %v", err)
-	}
-
-	first, _ := NewTab("first", "target-1", "", time.Now().UTC())
-	second, _ := NewTab("second", "target-2", "", time.Now().UTC().Add(time.Minute))
-	session.Tabs[first.Name] = first
-	session.Tabs[second.Name] = second
-	session.SelectedTab = ""
-
-	if _, err := session.ResolveTab(""); !errors.Is(err, ErrAmbiguousTab) {
-		t.Fatalf("ResolveTab(ambiguous) error = %v, want ErrAmbiguousTab", err)
-	}
-}
-
-func TestReconcileSessionMarksMissingTargetsStale(t *testing.T) {
-	state := NewState()
-	now := time.Date(2026, 4, 1, 10, 0, 0, 0, time.UTC)
-
-	session, err := NewLocalSession("alpha", filepath.Join(t.TempDir(), "alpha"), true, now)
-	if err != nil {
-		t.Fatalf("NewLocalSession failed: %v", err)
-	}
-	tab, err := NewTab("first", "target-1", "https://example.com", now)
-	if err != nil {
-		t.Fatalf("NewTab failed: %v", err)
-	}
-	session.Tabs[tab.Name] = tab
-	session.SelectedTab = tab.Name
-
-	if err := state.CreateSession(session); err != nil {
-		t.Fatalf("CreateSession failed: %v", err)
-	}
-
-	if err := state.ReconcileSession("alpha", []string{"target-2"}, now.Add(5*time.Minute)); err != nil {
-		t.Fatalf("ReconcileSession failed: %v", err)
-	}
-
-	if tab.Status != TabStatusStale {
-		t.Fatalf("tab status = %q, want stale", tab.Status)
-	}
-	if tab.TargetID != "" {
-		t.Fatalf("tab target id = %q, want empty", tab.TargetID)
-	}
-	if session.SelectedTab != "" {
-		t.Fatalf("SelectedTab after reconcile = %q, want empty", session.SelectedTab)
-	}
-}
-
-func TestValidateNameRules(t *testing.T) {
-	tests := []struct {
-		name  string
-		value string
-		want  bool
-	}{
-		{name: "empty", value: "", want: false},
-		{name: "space", value: "bad name", want: false},
-		{name: "slash", value: "bad/name", want: false},
-		{name: "valid", value: "good-name_1", want: true},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			err := ValidateSessionName(tc.value)
-			if tc.want && err != nil {
-				t.Fatalf("ValidateSessionName(%q) failed: %v", tc.value, err)
-			}
-			if !tc.want && err == nil {
-				t.Fatalf("ValidateSessionName(%q) succeeded, want error", tc.value)
-			}
-		})
-	}
-}
diff --git a/browser/store.go b/browser/store.go
deleted file mode 100644
index 2e4ad61..0000000
--- a/browser/store.go
+++ /dev/null
@@ -1,191 +0,0 @@
-package browser
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-)
-
-const (
-	stateFileName = "state.json"
-	lockDirName   = "locks"
-)
-
-// Store manages durable browser metadata with atomic writes and file locks.
-type Store struct {
-	root string
-}
-
-// DefaultStateRoot returns the durable directory used for browser metadata.
-// Uses $XDG_CACHE_HOME/tap/browser, falling back to ~/.cache/tap/browser.
-func DefaultStateRoot() (string, error) {
-	if root := os.Getenv(EnvStateRoot); root != "" {
-		return root, nil
-	}
-	if dir := os.Getenv("XDG_CACHE_HOME"); dir != "" {
-		return filepath.Join(dir, "tap", "browser"), nil
-	}
-	home, err := os.UserHomeDir()
-	if err != nil {
-		return "", fmt.Errorf("resolve user home dir: %w", err)
-	}
-	return filepath.Join(home, ".cache", "tap", "browser"), nil
-}
-
-// NewStore initializes a metadata store rooted at the provided directory.
-func NewStore(root string) (*Store, error) {
-	var err error
-	if root == "" {
-		root, err = DefaultStateRoot()
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if err := os.MkdirAll(filepath.Join(root, lockDirName), 0o755); err != nil {
-		return nil, fmt.Errorf("create browser state dir: %w", err)
-	}
-
-	return &Store{root: root}, nil
-}
-
-// Root returns the store's durable state directory.
-func (s *Store) Root() string {
-	return s.root
-}
-
-// Load reads the current browser metadata state from disk.
-func (s *Store) Load() (*State, error) {
-	if s == nil {
-		return nil, errors.New("browser store is required")
-	}
-
-	data, err := os.ReadFile(s.statePath())
-	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			return NewState(), nil
-		}
-		return nil, fmt.Errorf("read browser state: %w", err)
-	}
-
-	state := NewState()
-	if err := json.Unmarshal(data, state); err != nil {
-		return nil, fmt.Errorf("decode browser state: %w", err)
-	}
-	state.Normalize()
-	if err := state.Validate(); err != nil {
-		return nil, fmt.Errorf("validate browser state: %w", err)
-	}
-	return state, nil
-}
-
-// Save writes the full metadata state atomically.
-func (s *Store) Save(state *State) error {
-	if s == nil {
-		return errors.New("browser store is required")
-	}
-	if state == nil {
-		return errors.New("browser state is required")
-	}
-	if err := state.Validate(); err != nil {
-		return err
-	}
-	unlock, err := s.lock("state")
-	if err != nil {
-		return err
-	}
-	defer func() { _ = unlock() }()
-	return s.writeState(state)
-}
-
-// Update takes an exclusive store lock, mutates the current state, and saves it.
-func (s *Store) Update(fn func(*State) error) error {
-	unlock, err := s.lock("state")
-	if err != nil {
-		return err
-	}
-	defer func() { _ = unlock() }()
-
-	state, err := s.Load()
-	if err != nil {
-		return err
-	}
-
-	if err := fn(state); err != nil {
-		return err
-	}
-
-	return s.writeState(state)
-}
-
-// WithSessionLock serializes higher-level runtime work for one session.
-func (s *Store) WithSessionLock(sessionName string, fn func() error) error {
-	if err := ValidateSessionName(sessionName); err != nil {
-		return err
-	}
-	unlock, err := s.lock("session-" + sessionName)
-	if err != nil {
-		return err
-	}
-	defer func() { _ = unlock() }()
-	return fn()
-}
-
-// UpdateSession combines session-scoped locking with durable store mutation.
-func (s *Store) UpdateSession(sessionName string, fn func(*State, *SessionRecord) error) error {
-	return s.WithSessionLock(sessionName, func() error {
-		return s.Update(func(state *State) error {
-			session, err := state.ResolveSession(sessionName)
-			if err != nil {
-				return err
-			}
-			return fn(state, session)
-		})
-	})
-}
-
-func (s *Store) writeState(state *State) error {
-	data, err := json.MarshalIndent(state, "", "  ")
-	if err != nil {
-		return fmt.Errorf("encode browser state: %w", err)
-	}
-
-	tmp, err := os.CreateTemp(s.root, "state-*.json")
-	if err != nil {
-		return fmt.Errorf("create temp browser state: %w", err)
-	}
-	tmpName := tmp.Name()
-	defer func() {
-		_ = os.Remove(tmpName)
-	}()
-
-	if _, err := tmp.Write(data); err != nil {
-		_ = tmp.Close()
-		return fmt.Errorf("write temp browser state: %w", err)
-	}
-	if err := tmp.Sync(); err != nil {
-		_ = tmp.Close()
-		return fmt.Errorf("sync temp browser state: %w", err)
-	}
-	if err := tmp.Close(); err != nil {
-		return fmt.Errorf("close temp browser state: %w", err)
-	}
-	if err := os.Rename(tmpName, s.statePath()); err != nil {
-		return fmt.Errorf("replace browser state: %w", err)
-	}
-	return nil
-}
-
-func (s *Store) lock(name string) (func() error, error) {
-	lock, err := lockFile(filepath.Join(s.root, lockDirName, name+".lock"))
-	if err != nil {
-		return nil, err
-	}
-	return lock.Unlock, nil
-}
-
-func (s *Store) statePath() string {
-	return filepath.Join(s.root, stateFileName)
-}
diff --git a/browser/store_test.go b/browser/store_test.go
deleted file mode 100644
index 20d4646..0000000
--- a/browser/store_test.go
+++ /dev/null
@@ -1,102 +0,0 @@
-package browser
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-	"time"
-)
-
-func TestDefaultStateRootUsesEnvOverride(t *testing.T) {
-	root := t.TempDir()
-	t.Setenv(EnvStateRoot, root)
-
-	got, err := DefaultStateRoot()
-	if err != nil {
-		t.Fatalf("DefaultStateRoot failed: %v", err)
-	}
-	if got != root {
-		t.Fatalf("DefaultStateRoot = %q, want %q", got, root)
-	}
-}
-
-func TestStoreUpdatePersistsState(t *testing.T) {
-	store, err := NewStore(t.TempDir())
-	if err != nil {
-		t.Fatalf("NewStore failed: %v", err)
-	}
-	now := time.Date(2026, 4, 1, 11, 0, 0, 0, time.UTC)
-
-	err = store.Update(func(state *State) error {
-		session, err := NewLocalSession("alpha", filepath.Join(store.Root(), "profiles", "alpha"), true, now)
-		if err != nil {
-			return err
-		}
-		if err := state.CreateSession(session); err != nil {
-			return err
-		}
-		tab, err := NewTab("first", "target-1", "https://example.com", now)
-		if err != nil {
-			return err
-		}
-		return state.UpsertTab("alpha", tab)
-	})
-	if err != nil {
-		t.Fatalf("Update failed: %v", err)
-	}
-
-	reloaded, err := store.Load()
-	if err != nil {
-		t.Fatalf("Load failed: %v", err)
-	}
-	session, err := reloaded.ResolveSession("alpha")
-	if err != nil {
-		t.Fatalf("ResolveSession failed: %v", err)
-	}
-	if session.SelectedTab != "first" {
-		t.Fatalf("SelectedTab = %q, want first", session.SelectedTab)
-	}
-	if _, err := os.Stat(filepath.Join(store.Root(), stateFileName)); err != nil {
-		t.Fatalf("state file missing: %v", err)
-	}
-}
-
-func TestStoreUpdateSessionAppliesSessionScopedMutation(t *testing.T) {
-	store, err := NewStore(t.TempDir())
-	if err != nil {
-		t.Fatalf("NewStore failed: %v", err)
-	}
-	now := time.Date(2026, 4, 1, 12, 0, 0, 0, time.UTC)
-
-	if err := store.Update(func(state *State) error {
-		session, err := NewRemoteSession("remote", "wss://example.com/devtools/browser/1", now)
-		if err != nil {
-			return err
-		}
-		return state.CreateSession(session)
-	}); err != nil {
-		t.Fatalf("seed Update failed: %v", err)
-	}
-
-	if err := store.UpdateSession("remote", func(state *State, session *SessionRecord) error {
-		tab, err := NewTab("docs", "target-9", "https://example.com/docs", now.Add(time.Minute))
-		if err != nil {
-			return err
-		}
-		return state.UpsertTab(session.Name, tab)
-	}); err != nil {
-		t.Fatalf("UpdateSession failed: %v", err)
-	}
-
-	reloaded, err := store.Load()
-	if err != nil {
-		t.Fatalf("Load failed: %v", err)
-	}
-	session, err := reloaded.ResolveSession("remote")
-	if err != nil {
-		t.Fatalf("ResolveSession failed: %v", err)
-	}
-	if _, ok := session.Tabs["docs"]; !ok {
-		t.Fatalf("remote session tabs = %v, want docs", session.Tabs)
-	}
-}
diff --git a/browser/types.go b/browser/types.go
new file mode 100644
index 0000000..9cb5eb5
--- /dev/null
+++ b/browser/types.go
@@ -0,0 +1,7 @@
+package browser
+
+type AgentBrowserEnvelope[T any] struct {
+	Success bool   `json:"success"`
+	Data    T      `json:"data"`
+	Error   string `json:"error,omitempty"`
+}
diff --git a/cmd/tap/attach.go b/cmd/tap/attach.go
index 41d6fa1..69fc056 100644
--- a/cmd/tap/attach.go
+++ b/cmd/tap/attach.go
@@ -16,8 +16,6 @@ func attachCmd() *cli.Command {
 		Usage: "Connect tap to existing Chrome or Electron apps",
 		Description: `Attach tap to an already-running browser or app for reuse.
 
-This command establishes a persistent connection to your existing Chrome/Chromium.
-
 Once attached, all tap browser commands will use this context.
 
 Examples:
@@ -39,14 +37,11 @@ func attachChromeCmd() *cli.Command {
 		Usage: "Attach to your existing Chrome/Chromium browser",
 		Description: `Attach tap to an already-running Chrome or Chromium instance.
 
-Your browser must have remote debugging enabled. Common ways:
-- Chrome started with --remote-debugging-port=9222
-- Chrome with "Developer Tools" open in user data dir
+Your browser must have remote debugging enabled.
 
 Examples:
   tap attach chrome                    Auto-discover from DevToolsActivePort
-  tap attach chrome --browser-url http://localhost:9222
-  tap attach chrome --port-file ~/Library/Application\ Support/Google/Chrome/DevToolsActivePort`,
+  tap attach chrome --browser-url http://localhost:9222`,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:    "browser-url",
@@ -57,23 +52,6 @@ Examples:
 				Name:  "port-file",
 				Usage: "Path to DevToolsActivePort file",
 			},
-			&cli.StringFlag{
-				Name:   "listen",
-				Usage:  "Internal proxy listen address (advanced)",
-				Value:  browser.DefaultProxyListenAddr,
-				Hidden: true,
-			},
-			// Compatibility aliases
-			&cli.StringFlag{
-				Name:   "user-chrome",
-				Usage:  "Compatibility: auto-discover user Chrome (now default)",
-				Hidden: true,
-			},
-			&cli.StringFlag{
-				Name:   "devtools-port-file",
-				Usage:  "Compatibility: explicit port file",
-				Hidden: true,
-			},
 		},
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
@@ -83,126 +61,31 @@ Examples:
 }
 
 func runAttachChrome(ctx context.Context, cmd *cli.Command) error {
-	var debugURL string
-	var source string
-
-	// Resolve debug URL from various sources
-	if url := cmd.String("browser-url"); url != "" {
-		debugURL = url
-		source = "explicit URL"
-	} else if path := cmd.String("port-file"); path != "" {
-		url, err := browser.ResolveDebugURLFromDevToolsFile(path)
-		if err != nil {
-			return fmt.Errorf("resolve port file: %w", err)
-		}
-		debugURL = url
-		source = fmt.Sprintf("port file: %s", path)
-	} else if path := cmd.String("devtools-port-file"); path != "" {
-		url, err := browser.ResolveDebugURLFromDevToolsFile(path)
-		if err != nil {
-			return fmt.Errorf("resolve port file: %w", err)
+	url := cmd.String("browser-url")
+	if url == "" {
+		if portFile := cmd.String("port-file"); portFile != "" {
+			return fmt.Errorf("port-file auto-discovery not yet implemented with agent-browser")
 		}
-		debugURL = url
-		source = fmt.Sprintf("port file: %s", path)
-	} else {
-		// Auto-discover
-		url, path, err := browser.DiscoverUserChromeDebugURL()
-		if err != nil {
-			return fmt.Errorf(`could not find a running Chrome with remote debugging enabled.
-
-To use tap attach chrome, you need:
-1. Chrome already running with --remote-debugging-port=9222, OR
-2. Chrome with DevToolsActivePort in a standard location
-
-Try one of:
-  tap attach chrome --browser-url http://localhost:9222
-  google-chrome --remote-debugging-port=9222 &
-  tap attach chrome
-
-Original error: %w`, err)
-		}
-		debugURL = url
-		source = fmt.Sprintf("auto-discovered: %s", path)
-	}
-
-	// Resolve to WebSocket URL if HTTP base URL provided
-	wsURL, err := browser.ResolveDebugURL(ctx, debugURL)
-	if err != nil {
-		return fmt.Errorf("resolve debug URL: %w", err)
+		return fmt.Errorf("no Chrome URL provided; use --browser-url http://localhost:9222")
 	}
 
-	mgr, err := newBrowserManager(cmd)
+	ab, err := browser.NewAgentBrowser("")
 	if err != nil {
 		return err
 	}
-	store, err := newBrowserStore(cmd)
+	ab.SessionName = ""
+	_, _, err = ab.Exec(ctx, "connect", url)
 	if err != nil {
-		return err
-	}
-
-	proxyRecord, health, reused, err := ensureAttachedChromeProxy(ctx, cmd, wsURL, cmd.String("listen"))
-	if err != nil {
-		return fmt.Errorf("ensure proxy daemon: %w", err)
+		return fmt.Errorf("connect: %w", err)
 	}
 
-	sessionName := browser.DefaultSessionName
-	if _, err := mgr.GetSession(ctx, sessionName); err == nil {
-		if err := mgr.CloseSession(ctx, sessionName); err != nil {
-			return fmt.Errorf("close existing session: %w", err)
-		}
-	}
-	if err := mgr.CreateSession(ctx, sessionName, browser.ModeRemote, browser.SessionOptions{WSURL: proxyRecord.Endpoint}); err != nil {
-		return fmt.Errorf("create attached session: %w", err)
-	}
-	if err := mgr.SetDefaultContext(ctx, sessionName, browser.DefaultContextAttached); err != nil {
-		return fmt.Errorf("set default context: %w", err)
-	}
-	if err := persistProxyDaemonRecord(store, proxyRecord, health); err != nil {
-		return fmt.Errorf("persist proxy daemon state: %w", err)
+	if err := setAttachedMode(); err != nil {
+		return fmt.Errorf("set attached mode: %w", err)
 	}
 
 	c := true
 	fmt.Fprintf(os.Stderr, "%s Attached to Chrome\n", green(c, "✓"))
-	fmt.Fprintf(os.Stderr, "  Source: %s\n", source)
-	fmt.Fprintf(os.Stderr, "  Session: %s\n", sessionName)
-	fmt.Fprintf(os.Stderr, "  Proxy: %s\n", proxyRecord.Endpoint)
-	if reused {
-		fmt.Fprintf(os.Stderr, "  Daemon: reused\n")
-	} else {
-		fmt.Fprintf(os.Stderr, "  Daemon: started (pid %d)\n", proxyRecord.PID)
-	}
-
-	// Auto-discover/adopt tabs from the attached browser.
-	if err := autoAdoptTabs(ctx, mgr, sessionName, proxyRecord.Endpoint); err != nil {
-		fmt.Fprintf(os.Stderr, "  Warning: could not auto-adopt tabs: %v\n", err)
-	}
-
-	return nil
-}
-
-func autoAdoptTabs(ctx context.Context, mgr *browser.Manager, sessionName, debugURL string) error {
-	// List live targets via HTTP
-	targets, err := browser.ListTargetsHTTP(ctx, debugURL)
-	if err != nil {
-		return err
-	}
-
-	if len(targets) == 0 {
-		return nil
-	}
-
-	// Adopt first target as current tab
-	for i, t := range targets {
-		tabName := fmt.Sprintf("tab-%d", i+1)
-		if err := mgr.AdoptTab(ctx, sessionName, tabName, t.TargetID, t.URL); err != nil {
-			continue // skip on error
-		}
-		if i == 0 {
-			// Select first as current
-			_ = mgr.SelectTab(ctx, sessionName, tabName)
-		}
-	}
-
+	fmt.Fprintf(os.Stderr, "  URL: %s\n", url)
 	return nil
 }
 
@@ -224,135 +107,51 @@ func attachStatusCmd() *cli.Command {
 }
 
 func runAttachStatus(ctx context.Context, cmd *cli.Command) error {
-	mgr, err := newBrowserManager(cmd)
-	if err != nil {
-		return err
-	}
-	store, err := newBrowserStore(cmd)
-	if err != nil {
-		return err
-	}
-	state, err := store.Load()
+	ab, err := browser.NewAgentBrowser("")
 	if err != nil {
 		return err
 	}
+	ab.SessionName = ""
 
-	defaultContext, _ := mgr.DefaultContext(ctx)
-	var session *browser.SessionRecord
-	if current, err := mgr.GetSession(ctx, ""); err == nil {
-		session = current
-	}
+	sessionOut, _, _ := ab.Exec(ctx, "session", "list", "--json")
+	urlOut, _, _ := ab.Exec(ctx, "get", "url", "--json")
 
-	var health browser.ProxyDaemonHealth
-	if state.ProxyDaemon != nil {
-		health = browser.CheckProxyDaemon(ctx, state.ProxyDaemon)
-		_ = persistProxyDaemonHealth(store, state.ProxyDaemon, health)
-	}
+	var sessionEnv browser.AgentBrowserEnvelope[[]any]
+	_ = json.Unmarshal(sessionOut, &sessionEnv)
 
-	isAttached := (defaultContext != nil && defaultContext.Kind == browser.DefaultContextAttached) || state.ProxyDaemon != nil
-	if !isAttached {
-		if cmd.Bool("json") {
-			return printAttachStatusJSON(defaultContext, nil, nil, browser.ProxyDaemonHealth{}, "no_session")
-		}
-		fmt.Println("No attachment active.")
-		fmt.Println()
-		fmt.Println("To attach:")
-		fmt.Println("  tap attach chrome")
-		return nil
+	var urlEnv browser.AgentBrowserEnvelope[string]
+	_ = json.Unmarshal(urlOut, &urlEnv)
+
+	attached := isAttachedMode()
+
+	result := map[string]any{
+		"attached": attached,
+		"sessions": sessionEnv.Data,
+		"url":      urlEnv.Data,
 	}
 
 	if cmd.Bool("json") {
-		return printAttachStatusJSON(defaultContext, session, state.ProxyDaemon, health, "")
+		out, _ := json.MarshalIndent(result, "", "  ")
+		fmt.Println(string(out))
+		return nil
 	}
-	return printAttachStatusHuman(defaultContext, session, state.ProxyDaemon, health)
-}
 
-func printAttachStatusHuman(defaultContext *browser.DefaultContextRecord, session *browser.SessionRecord, proxy *browser.ProxyDaemonRecord, health browser.ProxyDaemonHealth) error {
 	c := true
-	if defaultContext != nil {
-		fmt.Printf("%s %s (%s)\n", bold(c, "Default context:"), defaultContext.SessionName, defaultContext.Kind)
-		if defaultContext.Stale {
-			fmt.Printf("%s %s\n", bold(c, "State:"), yellow(c, "stale"))
-			if defaultContext.Reason != "" {
-				fmt.Printf("%s %s\n", bold(c, "Reason:"), defaultContext.Reason)
-			}
-		}
-	}
-	if session != nil {
-		fmt.Printf("%s %s\n", bold(c, "Session:"), session.Name)
-		fmt.Printf("%s %s\n", bold(c, "Mode:"), session.Mode)
-		if session.Remote != nil {
-			fmt.Printf("%s %s\n", bold(c, "Remote URL:"), session.Remote.WSURL)
-		}
-	}
-	if proxy != nil {
-		fmt.Println()
-		fmt.Printf("%s %s\n", bold(c, "Proxy daemon:"), proxy.Endpoint)
-		fmt.Printf("%s %d\n", bold(c, "PID:"), proxy.PID)
-		fmt.Printf("%s %s\n", bold(c, "Listen:"), proxy.ListenAddr)
-		fmt.Printf("%s %s\n", bold(c, "Upstream:"), proxy.UpstreamWSURL)
-		statusColor := green(c, health.Status)
-		if !health.Healthy {
-			statusColor = yellow(c, health.Status)
-		}
-		fmt.Printf("%s %s\n", bold(c, "Health:"), statusColor)
-		if health.Reason != "" {
-			fmt.Printf("%s %s\n", bold(c, "Stale reason:"), health.Reason)
-		}
-	}
-	if session != nil && len(session.Tabs) > 0 {
+	if attached {
+		fmt.Printf("%s Attached mode active\n", green(c, "✓"))
+	} else {
+		fmt.Println("No attachment active.")
 		fmt.Println()
-		fmt.Printf("%s %d\n", bold(c, "Adopted tabs:"), len(session.Tabs))
-		for name, tab := range session.Tabs {
-			marker := ""
-			if name == session.SelectedTab {
-				marker = green(c, " (current)")
-			}
-			fmt.Printf("  %s: %s%s\n", name, tab.URL, marker)
-		}
-	}
-	return nil
-}
-
-func printAttachStatusJSON(defaultContext *browser.DefaultContextRecord, session *browser.SessionRecord, proxy *browser.ProxyDaemonRecord, health browser.ProxyDaemonHealth, errorState string) error {
-	result := map[string]any{"error": errorState}
-	if defaultContext != nil {
-		result["defaultContext"] = map[string]any{
-			"sessionName": defaultContext.SessionName,
-			"kind":        defaultContext.Kind,
-			"stale":       defaultContext.Stale,
-			"reason":      defaultContext.Reason,
-		}
+		fmt.Println("To attach:")
+		fmt.Println("  tap attach chrome --browser-url http://localhost:9222")
+		return nil
 	}
-	if session != nil {
-		sessionMap := map[string]any{
-			"name":        session.Name,
-			"mode":        session.Mode,
-			"selectedTab": session.SelectedTab,
-			"tabs":        len(session.Tabs),
-		}
-		if session.Remote != nil {
-			sessionMap["remoteURL"] = session.Remote.WSURL
-		}
-		if session.Process != nil {
-			sessionMap["processURL"] = session.Process.DebugURL
-		}
-		result["session"] = sessionMap
+	if urlEnv.Success && urlEnv.Data != "" {
+		fmt.Printf("%s Current URL: %s\n", bold(c, "URL:"), urlEnv.Data)
 	}
-	if proxy != nil {
-		result["proxyDaemon"] = map[string]any{
-			"pid":             proxy.PID,
-			"listenAddr":      proxy.ListenAddr,
-			"endpoint":        proxy.Endpoint,
-			"upstreamWSURL":   proxy.UpstreamWSURL,
-			"status":          health.Status,
-			"healthy":         health.Healthy,
-			"reason":          health.Reason,
-			"lastHealthCheck": health.CheckedAt,
-		}
+	if sessions := sessionEnv.Data; len(sessions) > 0 {
+		fmt.Printf("%s %d sessions\n", bold(c, "Sessions:"), len(sessions))
 	}
-	out, _ := json.MarshalIndent(result, "", "  ")
-	fmt.Println(string(out))
 	return nil
 }
 
@@ -372,41 +171,15 @@ cookies. It only stops tap from using this target as the default context.`,
 }
 
 func runAttachClear(ctx context.Context, cmd *cli.Command) error {
-	mgr, err := newBrowserManager(cmd)
-	if err != nil {
-		return err
-	}
-	store, err := newBrowserStore(cmd)
-	if err != nil {
-		return err
-	}
-	state, err := store.Load()
+	ab, err := browser.NewAgentBrowser("")
 	if err != nil {
 		return err
 	}
+	ab.SessionName = ""
+	_, _, _ = ab.Exec(ctx, "close")
+
+	_ = clearAttachedMode()
 
-	defaultContext := state.DefaultContext
-	if defaultContext == nil && state.ProxyDaemon == nil {
-		fmt.Println("No attachment to clear.")
-		return nil
-	}
-	if defaultContext != nil {
-		if session, err := mgr.GetSession(ctx, defaultContext.SessionName); err == nil && session.Remote != nil {
-			if err := mgr.CloseSession(ctx, defaultContext.SessionName); err != nil {
-				return fmt.Errorf("close session: %w", err)
-			}
-		}
-	}
-	if state.ProxyDaemon != nil {
-		_ = stopOwnedProxyDaemon(ctx, state.ProxyDaemon)
-	}
-	if err := store.Update(func(state *browser.State) error {
-		state.ClearDefaultContext()
-		state.ProxyDaemon = nil
-		return nil
-	}); err != nil {
-		return fmt.Errorf("clear attachment metadata: %w", err)
-	}
 	c := true
 	fmt.Fprintf(os.Stderr, "%s Cleared attached Chrome metadata\n", green(c, "✓"))
 	return nil
diff --git a/cmd/tap/attach_proxy.go b/cmd/tap/attach_proxy.go
deleted file mode 100644
index 18d436c..0000000
--- a/cmd/tap/attach_proxy.go
+++ /dev/null
@@ -1,196 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"time"
-
-	"github.com/urfave/cli/v3"
-	"github.com/vaayne/tap/browser"
-)
-
-func newBrowserStore(cmd *cli.Command) (*browser.Store, error) {
-	root := browserStateRoot(cmd)
-	store, err := browser.NewStore(root)
-	if err != nil {
-		return nil, fmt.Errorf("init browser store: %w", err)
-	}
-	return store, nil
-}
-
-func ensureAttachedChromeProxy(ctx context.Context, cmd *cli.Command, upstreamWSURL, listenAddr string) (*browser.ProxyDaemonRecord, browser.ProxyDaemonHealth, bool, error) {
-	store, err := newBrowserStore(cmd)
-	if err != nil {
-		return nil, browser.ProxyDaemonHealth{}, false, err
-	}
-	state, err := store.Load()
-	if err != nil {
-		return nil, browser.ProxyDaemonHealth{}, false, fmt.Errorf("load browser state: %w", err)
-	}
-
-	if existing := state.ProxyDaemon; existing != nil {
-		health := browser.CheckProxyDaemon(ctx, existing)
-		if existing.UpstreamWSURL == upstreamWSURL && health.Healthy {
-			_ = persistProxyDaemonHealth(store, existing, health)
-			return existing, health, true, nil
-		}
-		if existing.UpstreamWSURL != upstreamWSURL {
-			health.Healthy = false
-			health.Status = browser.AttachStateAttachedStale
-			if health.Reason == "" {
-				health.Reason = fmt.Sprintf("saved upstream changed from %s to %s", existing.UpstreamWSURL, upstreamWSURL)
-			} else {
-				health.Reason += fmt.Sprintf("; saved upstream changed from %s to %s", existing.UpstreamWSURL, upstreamWSURL)
-			}
-		}
-		_ = persistProxyDaemonHealth(store, existing, health)
-		_ = stopOwnedProxyDaemon(ctx, existing)
-	}
-
-	record, health, err := startAttachedChromeProxy(ctx, cmd, listenAddr, upstreamWSURL)
-	if err != nil {
-		return nil, health, false, err
-	}
-	if err := persistProxyDaemonRecord(store, record, health); err != nil {
-		return nil, health, false, err
-	}
-	return record, health, false, nil
-}
-
-func persistProxyDaemonRecord(store *browser.Store, record *browser.ProxyDaemonRecord, health browser.ProxyDaemonHealth) error {
-	return store.Update(func(state *browser.State) error {
-		record.State = health.Status
-		record.Status = health.Status
-		record.LastHealthCheckAt = health.CheckedAt
-		if health.Healthy {
-			record.LastHealthyAt = health.CheckedAt
-			record.LastError = ""
-		} else {
-			record.LastError = health.Reason
-		}
-		record.UpdatedAt = time.Now().UTC()
-		state.ProxyDaemon = record
-		if state.DefaultContext != nil && state.DefaultContext.Kind == browser.DefaultContextAttached {
-			if health.Healthy {
-				state.MarkDefaultContextHealthy(state.DefaultContext.SessionName, health.CheckedAt)
-			} else {
-				state.MarkDefaultContextStale(state.DefaultContext.SessionName, health.Reason, health.CheckedAt)
-			}
-		}
-		return nil
-	})
-}
-
-func persistProxyDaemonHealth(store *browser.Store, record *browser.ProxyDaemonRecord, health browser.ProxyDaemonHealth) error {
-	return store.Update(func(state *browser.State) error {
-		if state.ProxyDaemon == nil {
-			return nil
-		}
-		state.ProxyDaemon.State = health.Status
-		state.ProxyDaemon.Status = health.Status
-		state.ProxyDaemon.LastHealthCheckAt = health.CheckedAt
-		if health.Healthy {
-			state.ProxyDaemon.LastHealthyAt = health.CheckedAt
-			state.ProxyDaemon.LastError = ""
-		} else {
-			state.ProxyDaemon.LastError = health.Reason
-		}
-		state.ProxyDaemon.UpdatedAt = time.Now().UTC()
-		if state.DefaultContext != nil && state.DefaultContext.Kind == browser.DefaultContextAttached {
-			if health.Healthy {
-				state.MarkDefaultContextHealthy(state.DefaultContext.SessionName, health.CheckedAt)
-			} else {
-				state.MarkDefaultContextStale(state.DefaultContext.SessionName, health.Reason, health.CheckedAt)
-			}
-		}
-		return nil
-	})
-}
-
-func stopOwnedProxyDaemon(ctx context.Context, record *browser.ProxyDaemonRecord) error {
-	if record == nil {
-		return nil
-	}
-	if err := browser.ShutdownProxyDaemon(ctx, record); err != nil {
-		return err
-	}
-	waitCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-	return browser.WaitForProxyDaemonExit(waitCtx, record)
-}
-
-func startAttachedChromeProxy(ctx context.Context, cmd *cli.Command, listenAddr, upstreamWSURL string) (*browser.ProxyDaemonRecord, browser.ProxyDaemonHealth, error) {
-	token, err := browser.GenerateOwnershipToken()
-	if err != nil {
-		return nil, browser.ProxyDaemonHealth{}, err
-	}
-
-	record, err := spawnProxyDaemon(ctx, listenAddr, upstreamWSURL, token)
-	if err != nil && listenAddr == browser.DefaultProxyListenAddr {
-		record, err = spawnProxyDaemon(ctx, "127.0.0.1:0", upstreamWSURL, token)
-	}
-	if err != nil {
-		return nil, browser.ProxyDaemonHealth{}, err
-	}
-
-	healthCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
-	defer cancel()
-	health, err := browser.WaitForProxyDaemonHealth(healthCtx, record)
-	if err != nil {
-		return record, health, fmt.Errorf("wait for proxy daemon health: %w", err)
-	}
-	return record, health, nil
-}
-
-func spawnProxyDaemon(ctx context.Context, listenAddr, upstreamWSURL, ownershipToken string) (*browser.ProxyDaemonRecord, error) {
-	exe, err := os.Executable()
-	if err != nil {
-		return nil, fmt.Errorf("resolve tap executable: %w", err)
-	}
-
-	readyFile := filepath.Join(os.TempDir(), fmt.Sprintf("tap-proxy-daemon-%d-%d.json", os.Getpid(), time.Now().UnixNano()))
-	defer func() { _ = os.Remove(readyFile) }()
-
-	args := []string{
-		"internal", "proxy-daemon",
-		"--listen", listenAddr,
-		"--upstream-ws-url", upstreamWSURL,
-		"--ownership-token", ownershipToken,
-		"--ready-file", readyFile,
-	}
-	proc := exec.Command(exe, args...)
-	devNull, err := os.OpenFile(os.DevNull, os.O_RDWR, 0)
-	if err != nil {
-		return nil, fmt.Errorf("open %s: %w", os.DevNull, err)
-	}
-	defer func() { _ = devNull.Close() }()
-	proc.Stdin = devNull
-	proc.Stdout = devNull
-	proc.Stderr = devNull
-	if err := proc.Start(); err != nil {
-		return nil, fmt.Errorf("start proxy daemon: %w", err)
-	}
-	_ = proc.Process.Release()
-
-	deadline := time.Now().Add(10 * time.Second)
-	for time.Now().Before(deadline) {
-		data, err := os.ReadFile(readyFile)
-		if err == nil {
-			var record browser.ProxyDaemonRecord
-			if err := json.Unmarshal(data, &record); err != nil {
-				return nil, fmt.Errorf("decode proxy daemon ready file: %w", err)
-			}
-			return &record, nil
-		}
-		select {
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		case <-time.After(100 * time.Millisecond):
-		}
-	}
-	return nil, fmt.Errorf("timed out waiting for proxy daemon startup")
-}
diff --git a/cmd/tap/browser.go b/cmd/tap/browser.go
index 444c623..80568b5 100644
--- a/cmd/tap/browser.go
+++ b/cmd/tap/browser.go
@@ -2,6 +2,8 @@ package main
 
 import (
 	"fmt"
+	"os"
+	"path/filepath"
 
 	"github.com/urfave/cli/v3"
 	"github.com/vaayne/tap/browser"
@@ -33,7 +35,12 @@ Default behavior:
 			&cli.StringFlag{
 				Name:    "state-root",
 				Usage:   "Durable state directory for browser sessions and tabs",
-				Sources: cli.EnvVars(browser.EnvStateRoot),
+				Sources: cli.EnvVars("TAP_BROWSER_STATE_ROOT"),
+			},
+			&cli.BoolFlag{
+				Name:    "lightpanda",
+				Aliases: []string{"lp"},
+				Usage:   "Use Lightpanda as the browser engine",
 			},
 		},
 		Commands: []*cli.Command{
@@ -59,40 +66,53 @@ Default behavior:
 			withCategory("Interaction", browserSelectCmd()),
 			withCategory("Interaction", browserWaitCmd()),
 			withCategory("Interaction", browserKeypressCmd()),
-			withCategory("Interaction", browserDialogCmd()),
 			withCategory("State", browserFormsCmd()),
 			withCategory("State", browserCookiesCmd()),
 			withCategory("Network", browserNetworkCmd()),
+			withCategory("Emulation", browserSetCmd()),
+			withCategory("Storage", browserStorageCmd()),
+			withCategory("State", browserStateCmd()),
+			withCategory("Auth", browserAuthCmd()),
+			withCategory("Info", browserGetCmd()),
+			withCategory("Performance", browserVitalsCmd()),
+			withCategory("Diff", browserDiffCmd()),
 		},
 	}
 }
 
-func newBrowserManager(cmd *cli.Command) (*browser.Manager, error) {
-	root := browserStateRoot(cmd)
-	store, err := browser.NewStore(root)
+func newAgentBrowser(cmd *cli.Command) (*browser.AgentBrowser, error) {
+	ab, err := browser.NewAgentBrowser("")
 	if err != nil {
-		return nil, fmt.Errorf("init browser store: %w", err)
+		return nil, fmt.Errorf("agent-browser: %w", err)
+	}
+	if name := cmd.String("session"); name != "" {
+		ab.SessionName = name
+	}
+	if cmd.Bool("lightpanda") {
+		ab.Engine = "lightpanda"
+	}
+	if isAttachedMode() {
+		if ab.Engine == "lightpanda" {
+			return nil, fmt.Errorf("--lightpanda cannot be used with an attached Chrome session")
+		}
+		ab.Attached = true
+		ab.SessionName = ""
 	}
-	return browser.NewManager(store), nil
+	return ab, nil
 }
 
 func browserActionFlags(includeOutput bool) []cli.Flag {
 	flags := []cli.Flag{
 		&cli.StringFlag{
 			Name:   "session",
-			Usage:  "Advanced session override",
-			Hidden: true,
-		},
-		&cli.StringFlag{
-			Name:   "tab",
-			Usage:  "Advanced tab override",
+			Usage:  "Session name (maps to --session-name)",
 			Hidden: true,
 		},
 	}
 	if includeOutput {
 		flags = append(flags, &cli.StringFlag{
 			Name:  "output",
-			Usage: "Write the screenshot to this file; defaults to a generated path when omitted",
+			Usage: "Write output to this file; defaults to a generated path when omitted",
 		})
 	}
 	return flags
@@ -103,14 +123,23 @@ func withCategory(cat string, cmd *cli.Command) *cli.Command {
 	return cmd
 }
 
-func browserStateRoot(cmd *cli.Command) string {
-	root := cmd.String("state-root")
-	if root != "" {
-		return root
-	}
-	defaultRoot, err := browser.DefaultStateRoot()
-	if err != nil {
-		return ""
-	}
-	return defaultRoot
+func attachedFlagPath() string {
+	home, _ := os.UserHomeDir()
+	return filepath.Join(home, ".cache", "tap", "browser", "attached")
+}
+
+func isAttachedMode() bool {
+	_, err := os.Stat(attachedFlagPath())
+	return err == nil
+}
+
+func setAttachedMode() error {
+	p := attachedFlagPath()
+	_ = os.MkdirAll(filepath.Dir(p), 0o755)
+	return os.WriteFile(p, []byte{}, 0o644)
+}
+
+func clearAttachedMode() error {
+	_ = os.Remove(attachedFlagPath())
+	return nil
 }
diff --git a/cmd/tap/browser_action.go b/cmd/tap/browser_action.go
index 3058cf5..0be27a8 100644
--- a/cmd/tap/browser_action.go
+++ b/cmd/tap/browser_action.go
@@ -2,81 +2,34 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 	"strconv"
-	"strings"
 	"time"
 
-	"github.com/chromedp/chromedp/kb"
 	"github.com/urfave/cli/v3"
 	defuddle "github.com/vaayne/go-defuddle"
 	"github.com/vaayne/tap/browser"
 )
 
-// resolveKeyName maps human-readable key names to chromedp/kb constants.
-func resolveKeyName(name string) string {
-	// Handle modifier combinations like Ctrl+a
-	if strings.Contains(name, "+") {
-		parts := strings.SplitN(name, "+", 2)
-		modifier := resolveKeyName(parts[0])
-		key := resolveKeyName(parts[1])
-		return modifier + key + modifier
-	}
-
-	keyMap := map[string]string{
-		"enter":      kb.Enter,
-		"return":     kb.Enter,
-		"tab":        kb.Tab,
-		"escape":     kb.Escape,
-		"esc":        kb.Escape,
-		"backspace":  kb.Backspace,
-		"delete":     kb.Delete,
-		"space":      " ",
-		"arrowup":    kb.ArrowUp,
-		"arrowdown":  kb.ArrowDown,
-		"arrowleft":  kb.ArrowLeft,
-		"arrowright": kb.ArrowRight,
-		"home":       kb.Home,
-		"end":        kb.End,
-		"pageup":     kb.PageUp,
-		"pagedown":   kb.PageDown,
-		"ctrl":       kb.Control,
-		"control":    kb.Control,
-		"alt":        kb.Alt,
-		"shift":      kb.Shift,
-		"meta":       kb.Meta,
-	}
-	if v, ok := keyMap[strings.ToLower(name)]; ok {
-		return v
-	}
-	return name
-}
-
 func browserNavigateCmd() *cli.Command {
 	return &cli.Command{
 		Name:      "navigate",
 		Usage:     "Navigate a tracked browser tab to a URL",
 		ArgsUsage: "<url>",
 		Flags:     browserActionFlags(false),
-		Description: `Navigate the resolved tracked tab to the given URL.
-
-Examples:
-  tap browser navigate https://example.com
-  tap browser navigate --session dev --tab main https://example.com`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			url := cmd.Args().First()
 			if url == "" {
 				return fmt.Errorf("URL required")
 			}
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			sessionName := cmd.String("session")
-			tabName := cmd.String("tab")
-			if err := mgr.Navigate(ctx, sessionName, tabName, url); err != nil {
+			if err := ab.Open(ctx, url, browser.OpenOpts{}); err != nil {
 				return err
 			}
 			fmt.Fprintf(os.Stderr, "Navigated to %s\n", url)
@@ -96,27 +49,17 @@ func browserEvaluateCmd() *cli.Command {
 			Usage:   "Output format: json, pretty (default), raw",
 			Value:   formatPretty,
 		}),
-		Description: `Evaluate JavaScript in the resolved tracked tab.
-
-Output formatting follows the same pretty/json/raw conventions used by 'tap site'.
-
-Examples:
-  tap browser evaluate "document.title"
-  tap browser evaluate "document.querySelectorAll('a').length"
-  tap browser evaluate "JSON.stringify(performance.timing)" -f json`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			js := cmd.Args().First()
 			if js == "" {
 				return fmt.Errorf("JavaScript expression required")
 			}
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			sessionName := cmd.String("session")
-			tabName := cmd.String("tab")
-			result, err := mgr.Evaluate(ctx, sessionName, tabName, js)
+			result, err := ab.Eval(ctx, js)
 			if err != nil {
 				return err
 			}
@@ -131,36 +74,23 @@ func browserScreenshotCmd() *cli.Command {
 		Usage:     "Capture a screenshot from a tracked browser tab",
 		ArgsUsage: "",
 		Flags:     browserActionFlags(true),
-		Description: `Capture a screenshot from the resolved tracked tab.
-
-When --output is omitted, tap will generate a deterministic file path from the
-session name, tab name, and current timestamp.
-
-Examples:
-  tap browser screenshot
-  tap browser screenshot --output page.png
-  tap browser screenshot --session dev --tab main`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
-			mgr, err := newBrowserManager(cmd)
-			if err != nil {
-				return err
-			}
-			sessionName := cmd.String("session")
-			tabName := cmd.String("tab")
-			result, err := mgr.Screenshot(ctx, sessionName, tabName)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
 
 			outPath := cmd.String("output")
 			if outPath == "" {
-				outPath = fmt.Sprintf("screenshot-%s-%s-%d.png", result.SessionName, result.TabName, time.Now().Unix())
+				outPath = fmt.Sprintf("screenshot-%d.png", time.Now().Unix())
 			}
 
-			if err := os.WriteFile(outPath, result.Data, 0o644); err != nil {
-				return fmt.Errorf("write screenshot: %w", err)
+			_, _, err = ab.Exec(ctx, "screenshot", outPath)
+			if err != nil {
+				return err
 			}
+
 			fmt.Fprintf(os.Stderr, "%s\n", outPath)
 			return nil
 		},
@@ -178,31 +108,16 @@ func browserTextCmd() *cli.Command {
 			Usage:   "Output format: json, pretty (default), raw",
 			Value:   formatPretty,
 		}),
-		Description: `Extract clean, readable content from the current page using defuddle.
-Strips navigation, ads, scripts, and boilerplate — returns only the main content
-as Markdown (default) or JSON with metadata.
-
-Optionally scope to a CSS selector to extract from a specific section.
-
-This is the most token-efficient way to read page content — far cheaper
-than evaluating outerHTML.
-
-Examples:
-  tap browser text                       Extract main content as Markdown
-  tap browser text "#article"            Extract from a specific section
-  tap browser text -f json               Include metadata (title, word count)`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			sel := cmd.Args().First()
-			mgr, err := newBrowserManager(cmd)
-			if err != nil {
-				return err
-			}
-			rt, err := mgr.ResolveTarget(ctx, cmd.String("session"), cmd.String("tab"))
+
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			html, pageURL, err := browser.GetHTMLTarget(ctx, rt.DebugURL, rt.TargetID, sel)
+
+			html, err := ab.GetHTML(ctx)
 			if err != nil {
 				return err
 			}
@@ -210,6 +125,24 @@ Examples:
 				fmt.Fprintln(os.Stderr, "No content found.")
 				return nil
 			}
+
+			if sel != "" {
+				val, err := ab.Eval(ctx, fmt.Sprintf("document.querySelector(%q)?.outerHTML || ''", sel))
+				if err != nil {
+					return err
+				}
+				if s, ok := val.(string); ok {
+					html = s
+				}
+			}
+
+			// Get current URL for defuddle
+			urlVal, _ := ab.Eval(ctx, "window.location.href")
+			pageURL := ""
+			if s, ok := urlVal.(string); ok {
+				pageURL = s
+			}
+
 			parser, err := defuddle.NewParser()
 			if err != nil {
 				return fmt.Errorf("init parser: %w", err)
@@ -230,7 +163,6 @@ Examples:
 					"url":         pageURL,
 				})
 			}
-			// Default: print markdown directly
 			content := dr.Markdown
 			if content == "" {
 				content = dr.Content
@@ -268,34 +200,34 @@ func browserSnapshotCmd() *cli.Command {
 				Value:   formatPretty,
 			},
 		),
-		Description: `Capture a compact semantic tree from the current page and assign stable refs
-for interactive elements (e.g. @e1, @e2). Refs can be reused in click/type/fill/select.
-
-Examples:
-  tap browser snapshot
-  tap browser snapshot --interactive -f json
-  tap browser click @e3
-  tap browser type @e1 "hello"`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			result, err := mgr.Snapshot(ctx, cmd.String("session"), cmd.String("tab"), browser.SnapshotOptions{
-				InteractiveOnly: cmd.Bool("interactive"),
-				Selector:        cmd.String("selector"),
-				Depth:           int64(cmd.Int("depth")),
-				Mode:            "auto",
-			})
+			args := []string{"snapshot", "--json"}
+			if cmd.Bool("interactive") {
+				args = append(args, "--interactive")
+			}
+			if sel := cmd.String("selector"); sel != "" {
+				args = append(args, "--selector", sel)
+			}
+			if d := cmd.Int("depth"); d > 0 {
+				args = append(args, "--depth", strconv.Itoa(d))
+			}
+			out, _, err := ab.Exec(ctx, args...)
 			if err != nil {
 				return err
 			}
-			if len(result.Nodes) == 0 {
-				fmt.Fprintln(os.Stderr, "No snapshot nodes captured.")
-				return nil
+			var envelope browser.AgentBrowserEnvelope[map[string]any]
+			if err := json.Unmarshal(out, &envelope); err != nil {
+				return fmt.Errorf("parse snapshot: %w", err)
 			}
-			return printResult(cmd, result)
+			if !envelope.Success {
+				return fmt.Errorf("snapshot: %s", envelope.Error)
+			}
+			return printResult(cmd, envelope.Data)
 		},
 	}
 }
@@ -320,32 +252,32 @@ func browserPDFCmd() *cli.Command {
 				Value: 1.0,
 			},
 		),
-		Description: `Save the current page of the resolved tracked tab as a PDF file.
-
-When --output is omitted, tap generates a file name from the session,
-tab name, and timestamp.
-
-Examples:
-  tap browser pdf
-  tap browser pdf --output report.pdf --landscape
-  tap browser pdf --scale 0.8 --background=false`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
-			mgr, err := newBrowserManager(cmd)
-			if err != nil {
-				return err
-			}
-			result, err := mgr.PDF(ctx, cmd.String("session"), cmd.String("tab"),
-				cmd.Bool("landscape"), cmd.Bool("background"), cmd.Float64("scale"))
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
+
 			outPath := cmd.String("output")
 			if outPath == "" {
-				outPath = fmt.Sprintf("page-%s-%s-%d.pdf", result.SessionName, result.TabName, time.Now().Unix())
+				outPath = fmt.Sprintf("page-%d.pdf", time.Now().Unix())
+			}
+
+			args := []string{"pdf", outPath}
+			if cmd.Bool("landscape") {
+				args = append(args, "--landscape")
 			}
-			if err := os.WriteFile(outPath, result.Data, 0o644); err != nil {
-				return fmt.Errorf("write pdf: %w", err)
+			if !cmd.Bool("background") {
+				args = append(args, "--no-background")
+			}
+			if s := cmd.Float64("scale"); s != 1.0 {
+				args = append(args, "--scale", strconv.FormatFloat(s, 'f', -1, 64))
+			}
+
+			_, _, err = ab.Exec(ctx, args...)
+			if err != nil {
+				return err
 			}
 			fmt.Fprintf(os.Stderr, "%s\n", outPath)
 			return nil
@@ -363,29 +295,32 @@ func browserFormsCmd() *cli.Command {
 			Usage:   "Output format: json, pretty (default), raw",
 			Value:   formatPretty,
 		}),
-		Description: `List all fillable form elements (inputs, textareas, selects, buttons)
-in the resolved tracked tab.
-
-Each element includes its best CSS selector, type, name, placeholder, current
-value, associated label, and role (text, toggle, select, submit). Use the
-reported selectors with 'tap browser fill'.`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			sessionName := cmd.String("session")
-			tabName := cmd.String("tab")
-			fields, err := mgr.Forms(ctx, sessionName, tabName)
+			value, err := ab.Eval(ctx, `Array.from(document.querySelectorAll('input, textarea, select, button')).map((el, i) => ({
+				index: i,
+				tag: el.tagName.toLowerCase(),
+				type: el.getAttribute('type') || '',
+				name: el.getAttribute('name') || '',
+				id: el.id || '',
+				placeholder: el.getAttribute('placeholder') || '',
+				value: el.value || '',
+				text: el.textContent?.trim() || '',
+				selector: el.id ? '#' + CSS.escape(el.id) : el.name ? el.tagName.toLowerCase() + '[name="' + CSS.escape(el.name) + '"]' : el.tagName.toLowerCase() + ':nth-of-type(' + (i + 1) + ')'
+			}))`)
 			if err != nil {
 				return err
 			}
-			if len(fields) == 0 {
+			items, _ := value.([]any)
+			if len(items) == 0 {
 				fmt.Fprintln(os.Stderr, "No fillable form elements found.")
 				return nil
 			}
-			return printResult(cmd, fields)
+			return printResult(cmd, items)
 		},
 	}
 }
@@ -399,18 +334,6 @@ func browserFillCmd() *cli.Command {
 			Name:  "submit",
 			Usage: "CSS selector of element to click after filling (e.g. button[type=submit])",
 		}),
-		Description: `Fill one or more form fields by CSS selector, then optionally submit.
-
-Arguments are target/value pairs. Targets can be CSS selectors or snapshot refs.
-Values are set using React-compatible
-native setters with proper input/change event dispatch, so this works with
-React, Vue, Angular, and vanilla HTML forms.
-
-Examples:
-  tap browser fill "#username" "myuser"
-  tap browser fill @e1 "me@example.com"
-  tap browser fill "#email" "me@example.com" "#password" "secret" --submit "button[type=submit]"
-  tap browser fill "input[type=search]" "query text"`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			args := cmd.Args().Slice()
@@ -418,31 +341,29 @@ Examples:
 				return fmt.Errorf("arguments must be selector/value pairs (got %d args)", len(args))
 			}
 
-			var inputs []browser.FillInput
-			for i := 0; i < len(args); i += 2 {
-				inputs = append(inputs, browser.FillInput{
-					Target: args[i],
-					Value:  args[i+1],
-				})
-			}
-
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			sessionName := cmd.String("session")
-			tabName := cmd.String("tab")
-			submitSelector := cmd.String("submit")
 
-			if err := mgr.FillElements(ctx, sessionName, tabName, inputs, submitSelector); err != nil {
+			execArgs := []string{"fill"}
+			for i := 0; i < len(args); i += 2 {
+				execArgs = append(execArgs, args[i], args[i+1])
+			}
+			if submit := cmd.String("submit"); submit != "" {
+				execArgs = append(execArgs, "--submit", submit)
+			}
+
+			_, _, err = ab.Exec(ctx, execArgs...)
+			if err != nil {
 				return err
 			}
 
-			for _, f := range inputs {
-				fmt.Fprintf(os.Stderr, "Filled %s\n", f.Target)
+			for i := 0; i < len(args); i += 2 {
+				fmt.Fprintf(os.Stderr, "Filled %s\n", args[i])
 			}
-			if submitSelector != "" {
-				fmt.Fprintf(os.Stderr, "Clicked %s\n", submitSelector)
+			if submit := cmd.String("submit"); submit != "" {
+				fmt.Fprintf(os.Stderr, "Clicked %s\n", submit)
 			}
 			return nil
 		},
@@ -455,67 +376,21 @@ func browserKeypressCmd() *cli.Command {
 		Usage:     "Send keyboard events to the page",
 		ArgsUsage: "<key>",
 		Flags:     browserActionFlags(false),
-		Description: `Send key events to the page. Common keys:
-  Enter, Tab, Escape, Backspace, Delete, ArrowUp, ArrowDown, ArrowLeft, ArrowRight,
-  Space, Home, End, PageUp, PageDown, F1-F12
-
-For modifier combinations, separate with +: Ctrl+a, Ctrl+c, Ctrl+v, Shift+Tab
-
-Regular text is sent as individual keystrokes.`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			key := cmd.Args().First()
 			if key == "" {
 				return fmt.Errorf("key required")
 			}
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			keys := resolveKeyName(key)
-			if err := mgr.Keypress(ctx, cmd.String("session"), cmd.String("tab"), keys); err != nil {
-				return err
-			}
-			fmt.Fprintf(os.Stderr, "Sent key: %s\n", key)
-			return nil
-		},
-	}
-}
-
-func browserDialogCmd() *cli.Command {
-	return &cli.Command{
-		Name:  "dialog",
-		Usage: "Accept or dismiss a JavaScript dialog",
-		Flags: append(browserActionFlags(false),
-			&cli.BoolFlag{
-				Name:  "accept",
-				Usage: "Accept the dialog (default: true)",
-				Value: true,
-			},
-			&cli.StringFlag{
-				Name:  "text",
-				Usage: "Text to enter for prompt dialogs",
-			},
-		),
-		Description: `Handle a pending JavaScript dialog (alert, confirm, prompt, onbeforeunload).
-
-Unhandled dialogs block all CDP commands. Use this to dismiss them.`,
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			configureLogging(cmd)
-			mgr, err := newBrowserManager(cmd)
+			_, _, err = ab.Exec(ctx, "press", key)
 			if err != nil {
 				return err
 			}
-			accept := cmd.Bool("accept")
-			text := cmd.String("text")
-			if err := mgr.Dialog(ctx, cmd.String("session"), cmd.String("tab"), accept, text); err != nil {
-				return err
-			}
-			if accept {
-				fmt.Fprintln(os.Stderr, "Dialog accepted")
-			} else {
-				fmt.Fprintln(os.Stderr, "Dialog dismissed")
-			}
+			fmt.Fprintf(os.Stderr, "Sent key: %s\n", key)
 			return nil
 		},
 	}
@@ -525,9 +400,6 @@ func browserCookiesCmd() *cli.Command {
 	return &cli.Command{
 		Name:  "cookies",
 		Usage: "Manage browser cookies (includes httpOnly)",
-		Description: `Get, set, or clear cookies for the current page.
-
-Unlike document.cookie, this uses CDP and can access httpOnly cookies.`,
 		Commands: []*cli.Command{
 			browserCookiesGetCmd(),
 			browserCookiesSetCmd(),
@@ -548,14 +420,22 @@ func browserCookiesGetCmd() *cli.Command {
 		}),
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			cookies, err := mgr.GetCookies(ctx, cmd.String("session"), cmd.String("tab"))
+			out, _, err := ab.Exec(ctx, "cookies", "--json")
 			if err != nil {
 				return err
 			}
+			var envelope browser.AgentBrowserEnvelope[map[string]any]
+			if err := json.Unmarshal(out, &envelope); err != nil {
+				return fmt.Errorf("parse cookies: %w", err)
+			}
+			if !envelope.Success {
+				return fmt.Errorf("cookies: %s", envelope.Error)
+			}
+			cookies, _ := envelope.Data["cookies"].([]any)
 			if len(cookies) == 0 {
 				fmt.Fprintln(os.Stderr, "No cookies found.")
 				return nil
@@ -570,11 +450,6 @@ func browserCookiesSetCmd() *cli.Command {
 		Name:      "set",
 		Usage:     "Set a cookie",
 		ArgsUsage: "<name> <value>",
-		Description: `Set a browser cookie via CDP (can set httpOnly cookies).
-
-Examples:
-  tap browser cookies set "session_id" "abc123"
-  tap browser cookies set "token" "xyz" --domain .example.com --path /api`,
 		Flags: append(browserActionFlags(false),
 			&cli.StringFlag{
 				Name:  "domain",
@@ -592,12 +467,19 @@ Examples:
 			if len(args) < 2 {
 				return fmt.Errorf("usage: tap browser cookies set <name> <value>")
 			}
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			if err := mgr.SetCookie(ctx, cmd.String("session"), cmd.String("tab"),
-				args[0], args[1], cmd.String("domain"), cmd.String("path")); err != nil {
+			execArgs := []string{"cookies", "set", args[0], args[1]}
+			if domain := cmd.String("domain"); domain != "" {
+				execArgs = append(execArgs, "--domain", domain)
+			}
+			if path := cmd.String("path"); path != "" {
+				execArgs = append(execArgs, "--path", path)
+			}
+			_, _, err = ab.Exec(ctx, execArgs...)
+			if err != nil {
 				return err
 			}
 			fmt.Fprintf(os.Stderr, "Cookie %q set\n", args[0])
@@ -613,11 +495,12 @@ func browserCookiesClearCmd() *cli.Command {
 		Flags: browserActionFlags(false),
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			if err := mgr.ClearCookies(ctx, cmd.String("session"), cmd.String("tab")); err != nil {
+			_, _, err = ab.Exec(ctx, "cookies", "clear")
+			if err != nil {
 				return err
 			}
 			fmt.Fprintln(os.Stderr, "Cookies cleared")
@@ -632,27 +515,18 @@ func browserClickCmd() *cli.Command {
 		Usage:     "Click an element by CSS selector or snapshot ref",
 		ArgsUsage: "<selector|@eN>",
 		Flags:     browserActionFlags(false),
-		Description: `Dispatch a real mouse click (mouseMoved → mousePressed → mouseReleased)
-on the first visible element matching the CSS selector.
-
-Unlike JavaScript .click(), this triggers hover states and works with
-sites that listen on mousedown or have hover-triggered menus.
-
-Examples:
-  tap browser click "button.submit"
-  tap browser click @e3
-  tap browser click "a[href='/login']"`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			sel := cmd.Args().First()
 			if sel == "" {
 				return fmt.Errorf("CSS selector required")
 			}
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			if err := mgr.ClickElement(ctx, cmd.String("session"), cmd.String("tab"), sel); err != nil {
+			_, _, err = ab.Exec(ctx, "click", sel)
+			if err != nil {
 				return err
 			}
 			fmt.Fprintf(os.Stderr, "Clicked %s\n", sel)
@@ -667,27 +541,18 @@ func browserTypeCmd() *cli.Command {
 		Usage:     "Type text into an element with real key events",
 		ArgsUsage: "<selector|@eN> <text>",
 		Flags:     browserActionFlags(false),
-		Description: `Focus the element matching the CSS selector and send individual
-keyDown/keyUp events for each character — behaving like a real user typing.
-
-Use this instead of 'fill' when the site validates per-keystroke input
-or has anti-bot detection.
-
-Examples:
-  tap browser type "#search" "golang tutorials"
-  tap browser type @e1 "hello world"
-  tap browser type "input[name=q]" "hello world"`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			args := cmd.Args().Slice()
 			if len(args) < 2 {
 				return fmt.Errorf("usage: tap browser type <selector> <text>")
 			}
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			if err := mgr.TypeElement(ctx, cmd.String("session"), cmd.String("tab"), args[0], args[1]); err != nil {
+			_, _, err = ab.Exec(ctx, "type", args[0], args[1])
+			if err != nil {
 				return err
 			}
 			fmt.Fprintf(os.Stderr, "Typed into %s\n", args[0])
@@ -702,24 +567,18 @@ func browserHoverCmd() *cli.Command {
 		Usage:     "Move mouse to an element to trigger hover state",
 		ArgsUsage: "<selector>",
 		Flags:     browserActionFlags(false),
-		Description: `Move the mouse to the center of the first visible element matching
-the CSS selector. Dispatches real mouseMoved events that trigger
-CSS :hover states and mouseenter/mouseover listeners.
-
-Examples:
-  tap browser hover "nav.menu > li:first-child"
-  tap browser hover ".dropdown-trigger"`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			sel := cmd.Args().First()
 			if sel == "" {
 				return fmt.Errorf("CSS selector required")
 			}
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			if err := mgr.Hover(ctx, cmd.String("session"), cmd.String("tab"), sel); err != nil {
+			_, _, err = ab.Exec(ctx, "hover", sel)
+			if err != nil {
 				return err
 			}
 			fmt.Fprintf(os.Stderr, "Hovered %s\n", sel)
@@ -743,19 +602,10 @@ func browserScrollCmd() *cli.Command {
 				Usage: "Absolute Y pixel position (when no selector given)",
 			},
 		),
-		Description: `Scroll the element matching the CSS selector into view. If no selector
-is provided, scroll to the absolute pixel position given by --x and --y.
-
-Use this to trigger lazy-loaded content or scroll-based UI updates.
-
-Examples:
-  tap browser scroll "#comments"
-  tap browser scroll --y 1000
-  tap browser scroll --x 0 --y 99999`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			sel := cmd.Args().First()
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
@@ -764,7 +614,14 @@ Examples:
 			if sel == "" && x == 0 && y == 0 {
 				return fmt.Errorf("provide a CSS selector or --x/--y position")
 			}
-			if err := mgr.Scroll(ctx, cmd.String("session"), cmd.String("tab"), sel, x, y); err != nil {
+			args := []string{"scroll"}
+			if sel != "" {
+				args = append(args, sel)
+			} else {
+				args = append(args, "--x", strconv.FormatFloat(x, 'f', -1, 64), "--y", strconv.FormatFloat(y, 'f', -1, 64))
+			}
+			_, _, err = ab.Exec(ctx, args...)
+			if err != nil {
 				return err
 			}
 			if sel != "" {
@@ -783,21 +640,18 @@ func browserSelectCmd() *cli.Command {
 		Usage:     "Select an option in a <select> element",
 		ArgsUsage: "<selector|@eN> <value>",
 		Flags:     browserActionFlags(false),
-		Description: `Select an option by value in a <select> element, dispatching
-focus, input, and change events. Works with native HTML selects.
-
-For custom dropdown components (React Select, etc.), use 'click' instead.`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			args := cmd.Args().Slice()
 			if len(args) < 2 {
 				return fmt.Errorf("usage: tap browser select <selector|@eN> <value>")
 			}
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			if err := mgr.SelectElement(ctx, cmd.String("session"), cmd.String("tab"), args[0], args[1]); err != nil {
+			_, _, err = ab.Exec(ctx, "select", args[0], args[1])
+			if err != nil {
 				return err
 			}
 			fmt.Fprintf(os.Stderr, "Selected %q in %s\n", args[1], args[0])
@@ -818,20 +672,20 @@ func browserWaitCmd() *cli.Command {
 				Value: 30 * time.Second,
 			},
 		),
-		Description: `Wait until the first element matching the CSS selector becomes visible.
-Uses CDP's built-in visibility polling — more reliable than JS-based polling.`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			sel := cmd.Args().First()
 			if sel == "" {
 				return fmt.Errorf("CSS selector required")
 			}
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			timeout := cmd.Duration("timeout")
-			if err := mgr.WaitFor(ctx, cmd.String("session"), cmd.String("tab"), sel, timeout); err != nil {
+			waitCtx, cancel := context.WithTimeout(ctx, cmd.Duration("timeout"))
+			defer cancel()
+			_, _, err = ab.Exec(waitCtx, "wait", sel)
+			if err != nil {
 				return err
 			}
 			fmt.Fprintf(os.Stderr, "Element %s is visible\n", sel)
@@ -845,18 +699,14 @@ func browserBackCmd() *cli.Command {
 		Name:  "back",
 		Usage: "Navigate back in history",
 		Flags: browserActionFlags(false),
-		Description: `Navigate the resolved tracked tab back one entry in browser history.
-
-Examples:
-  tap browser back
-  tap browser back --session dev --tab main`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			if err := mgr.Back(ctx, cmd.String("session"), cmd.String("tab")); err != nil {
+			_, _, err = ab.Exec(ctx, "back")
+			if err != nil {
 				return err
 			}
 			fmt.Fprintln(os.Stderr, "Navigated back")
@@ -870,18 +720,14 @@ func browserForwardCmd() *cli.Command {
 		Name:  "forward",
 		Usage: "Navigate forward in history",
 		Flags: browserActionFlags(false),
-		Description: `Navigate the resolved tracked tab forward one entry in browser history.
-
-Examples:
-  tap browser forward
-  tap browser forward --session dev --tab main`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			if err := mgr.Forward(ctx, cmd.String("session"), cmd.String("tab")); err != nil {
+			_, _, err = ab.Exec(ctx, "forward")
+			if err != nil {
 				return err
 			}
 			fmt.Fprintln(os.Stderr, "Navigated forward")
@@ -895,18 +741,14 @@ func browserReloadCmd() *cli.Command {
 		Name:  "reload",
 		Usage: "Reload the current page",
 		Flags: browserActionFlags(false),
-		Description: `Reload the current page of the resolved tracked tab.
-
-Examples:
-  tap browser reload
-  tap browser reload --session dev --tab main`,
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
-			mgr, err := newBrowserManager(cmd)
+			ab, err := newAgentBrowser(cmd)
 			if err != nil {
 				return err
 			}
-			if err := mgr.Reload(ctx, cmd.String("session"), cmd.String("tab")); err != nil {
+			_, _, err = ab.Exec(ctx, "reload")
+			if err != nil {
 				return err
 			}
 			fmt.Fprintln(os.Stderr, "Reloaded")
diff --git a/cmd/tap/browser_network.go b/cmd/tap/browser_network.go
index 93ec7b0..9a8e79b 100644
--- a/cmd/tap/browser_network.go
+++ b/cmd/tap/browser_network.go
@@ -1,407 +1,16 @@
 package main
 
-import (
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/urfave/cli/v3"
-	"github.com/vaayne/tap/browser"
-)
+import "github.com/urfave/cli/v3"
 
 func browserNetworkCmd() *cli.Command {
 	return &cli.Command{
 		Name:  "network",
-		Usage: "Capture and intercept network requests in a tracked browser tab",
-		Description: `Network observation and interception for tracked browser tabs.
-
-Uses the CDP Network domain for passive capture (wait, log, body) and
-the Fetch domain for active interception (intercept, clear).`,
+		Usage: "Capture and intercept network requests",
 		Commands: []*cli.Command{
-			browserNetworkWaitCmd(),
-			browserNetworkBodyCmd(),
-			browserNetworkLogCmd(),
-			browserNetworkInterceptCmd(),
-			browserNetworkClearCmd(),
-		},
-	}
-}
-
-func browserNetworkWaitCmd() *cli.Command {
-	return &cli.Command{
-		Name:  "wait",
-		Usage: "Wait for a network request matching filters",
-		Flags: append(browserActionFlags(false),
-			&cli.StringFlag{
-				Name:  "url-pattern",
-				Usage: "Glob pattern to match request URLs (* matches any chars including /)",
-			},
-			&cli.StringFlag{
-				Name:  "method",
-				Usage: "HTTP method(s) to match, comma-separated (e.g. GET,POST)",
-			},
-			&cli.StringFlag{
-				Name:  "resource-type",
-				Usage: "Resource type(s) to match, comma-separated (e.g. XHR,Fetch,Document)",
-			},
-			&cli.DurationFlag{
-				Name:  "timeout",
-				Usage: "Maximum time to wait for a matching request",
-				Value: 30 * time.Second,
-			},
-			&cli.BoolFlag{
-				Name:  "body",
-				Usage: "Include the response body in the output",
-			},
-			&cli.StringFlag{
-				Name:    "format",
-				Aliases: []string{"f"},
-				Usage:   "Output format: json, pretty (default), raw",
-				Value:   formatPretty,
-			},
-		),
-		Description: `Block until a network request matching the given filters completes,
-then print the captured request/response entry.
-
-The --url-pattern flag uses glob syntax where * matches any characters
-including path separators. For example:
-  */api/*         matches https://example.com/api/v1/users
-  *.ads.*         matches https://tracker.ads.example.com/pixel
-
-Examples:
-  tap browser network wait --url-pattern "*/api/search*"
-  tap browser network wait --url-pattern "*/graphql" --method POST --body
-  tap browser network wait --resource-type XHR,Fetch --timeout 10s`,
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			configureLogging(cmd)
-
-			filter := buildNetworkFilter(cmd)
-			timeout := cmd.Duration("timeout")
-			includeBody := cmd.Bool("body")
-
-			mgr, err := newBrowserManager(cmd)
-			if err != nil {
-				return err
-			}
-
-			sessionName := cmd.String("session")
-			tabName := cmd.String("tab")
-
-			waitCtx, cancel := context.WithTimeout(ctx, timeout)
-			defer cancel()
-
-			entry, err := mgr.NetworkWait(waitCtx, sessionName, tabName, filter, includeBody)
-			if err != nil {
-				return err
-			}
-
-			return printResult(cmd, entry)
-		},
-	}
-}
-
-func browserNetworkBodyCmd() *cli.Command {
-	return &cli.Command{
-		Name:      "body",
-		Usage:     "Fetch the response body for a completed request by ID",
-		ArgsUsage: "<requestId>",
-		Flags: append(browserActionFlags(false),
-			&cli.StringFlag{
-				Name:    "format",
-				Aliases: []string{"f"},
-				Usage:   "Output format: json (base64-encoded), raw (binary to stdout)",
-				Value:   formatRaw,
-			},
-		),
-		Description: `Fetch and print the response body for a network request identified
-by its request ID (from 'tap browser network wait' or 'tap browser network log' output).
-
-Examples:
-  tap browser network body "12345.67"
-  tap browser network body "12345.67" --format json`,
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			configureLogging(cmd)
-
-			requestID := cmd.Args().First()
-			if requestID == "" {
-				return fmt.Errorf("request ID required")
-			}
-
-			mgr, err := newBrowserManager(cmd)
-			if err != nil {
-				return err
-			}
-
-			sessionName := cmd.String("session")
-			tabName := cmd.String("tab")
-
-			body, err := mgr.NetworkGetBody(ctx, sessionName, tabName, requestID)
-			if err != nil {
-				return err
-			}
-
-			format := cmd.String("format")
-			switch format {
-			case formatJSON:
-				// Output as base64-encoded JSON string.
-				encoded := base64.StdEncoding.EncodeToString(body)
-				fmt.Printf("%q\n", encoded)
-			default: // raw
-				_, _ = os.Stdout.Write(body)
-			}
-			return nil
-		},
-	}
-}
-
-// buildNetworkFilter constructs a NetworkFilter from CLI flags.
-func buildNetworkFilter(cmd *cli.Command) browser.NetworkFilter {
-	var filter browser.NetworkFilter
-
-	if p := cmd.String("url-pattern"); p != "" {
-		filter.URLPattern = p
-	}
-	if m := cmd.String("method"); m != "" {
-		filter.Methods = splitCSV(m)
-	}
-	if rt := cmd.String("resource-type"); rt != "" {
-		filter.ResourceTypes = splitCSV(rt)
-	}
-
-	return filter
-}
-
-// splitCSV splits a comma-separated string into trimmed non-empty parts.
-func splitCSV(s string) []string {
-	parts := strings.Split(s, ",")
-	var out []string
-	for _, p := range parts {
-		p = strings.TrimSpace(p)
-		if p != "" {
-			out = append(out, p)
-		}
-	}
-	return out
-}
-
-func browserNetworkLogCmd() *cli.Command {
-	return &cli.Command{
-		Name:  "log",
-		Usage: "Stream captured network requests as NDJSON",
-		Flags: append(browserActionFlags(false),
-			&cli.StringFlag{
-				Name:  "url-pattern",
-				Usage: "Glob pattern to match request URLs",
-			},
-			&cli.StringFlag{
-				Name:  "method",
-				Usage: "HTTP method(s) to match, comma-separated",
-			},
-			&cli.StringFlag{
-				Name:  "resource-type",
-				Usage: "Resource type(s) to match, comma-separated",
-			},
-			&cli.DurationFlag{
-				Name:  "timeout",
-				Usage: "Maximum duration to capture (0 = until interrupted)",
-				Value: 0,
-			},
-		),
-		Description: `Enable the Network domain and stream completed request/response entries
-as newline-delimited JSON (NDJSON) to stdout.
-
-Runs until --timeout expires or the process is interrupted (Ctrl-C).
-
-Examples:
-  tap browser network log
-  tap browser network log --url-pattern "*/api/*" --timeout 30s
-  tap browser network log --resource-type XHR,Fetch`,
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			configureLogging(cmd)
-
-			filter := buildNetworkFilter(cmd)
-
-			mgr, err := newBrowserManager(cmd)
-			if err != nil {
-				return err
-			}
-
-			sessionName := cmd.String("session")
-			tabName := cmd.String("tab")
-
-			logCtx := ctx
-			var logCancel context.CancelFunc
-			if timeout := cmd.Duration("timeout"); timeout > 0 {
-				logCtx, logCancel = context.WithTimeout(ctx, timeout)
-				defer logCancel()
-			}
-
-			ch, cancel, err := mgr.NetworkLog(logCtx, sessionName, tabName, filter)
-			if err != nil {
-				return err
-			}
-			defer cancel()
-
-			enc := json.NewEncoder(os.Stdout)
-			for entry := range ch {
-				if err := enc.Encode(entry); err != nil {
-					return fmt.Errorf("write entry: %w", err)
-				}
-			}
-			return nil
-		},
-	}
-}
-
-func browserNetworkInterceptCmd() *cli.Command {
-	return &cli.Command{
-		Name:  "intercept",
-		Usage: "Set request interception rules (block, mock, or modify headers)",
-		Flags: append(browserActionFlags(false),
-			&cli.StringFlag{
-				Name:  "url-pattern",
-				Usage: "Glob pattern to match request URLs",
-			},
-			&cli.StringFlag{
-				Name:  "method",
-				Usage: "HTTP method(s) to match, comma-separated",
-			},
-			&cli.StringFlag{
-				Name:  "resource-type",
-				Usage: "Resource type(s) to match, comma-separated",
-			},
-			&cli.BoolFlag{
-				Name:  "block",
-				Usage: "Block matching requests (mutually exclusive with --respond)",
-			},
-			&cli.StringSliceFlag{
-				Name:  "header",
-				Usage: `Add/override request header (repeatable, format "Key: Value")`,
-			},
-			&cli.StringFlag{
-				Name:  "respond",
-				Usage: "Mock response body (mutually exclusive with --block)",
-			},
-			&cli.IntFlag{
-				Name:  "status",
-				Usage: "Mock response HTTP status code (required with --respond)",
-				Value: 200,
-			},
-			&cli.StringFlag{
-				Name:  "content-type",
-				Usage: "Mock response Content-Type header",
-				Value: "application/json",
-			},
-		),
-		Description: `Set Fetch domain interception rules on a tracked tab.
-
-Rules are replace-all: each call replaces any previously set rules.
-Pass a single rule per invocation. Use 'tap browser network clear' to
-remove all rules.
-
-Examples:
-  # Block ad requests
-  tap browser network intercept --block --url-pattern "*.ads.*"
-
-  # Mock an API response
-  tap browser network intercept --url-pattern "*/api/user" \\
-    --respond '{"name":"test"}' --status 200
-
-  # Add auth header to API requests
-  tap browser network intercept --url-pattern "*/api/*" \\
-    --header "Authorization: Bearer tok_abc123"`,
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			configureLogging(cmd)
-
-			filter := buildNetworkFilter(cmd)
-			block := cmd.Bool("block")
-			respondBody := cmd.String("respond")
-
-			if block && respondBody != "" {
-				return fmt.Errorf("--block and --respond are mutually exclusive")
-			}
-
-			rule := browser.InterceptRule{
-				Filter: filter,
-				Block:  block,
-			}
-
-			if respondBody != "" {
-				rule.MockBody = respondBody
-				rule.MockStatus = cmd.Int("status")
-				rule.MockHeaders = map[string]string{
-					"Content-Type": cmd.String("content-type"),
-				}
-			}
-
-			// Parse --header flags.
-			for _, h := range cmd.StringSlice("header") {
-				parts := strings.SplitN(h, ":", 2)
-				if len(parts) != 2 {
-					return fmt.Errorf("invalid header format %q (expected \"Key: Value\")", h)
-				}
-				if rule.AddHeaders == nil {
-					rule.AddHeaders = make(map[string]string)
-				}
-				rule.AddHeaders[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
-			}
-
-			mgr, err := newBrowserManager(cmd)
-			if err != nil {
-				return err
-			}
-
-			sessionName := cmd.String("session")
-			tabName := cmd.String("tab")
-
-			if err := mgr.NetworkIntercept(ctx, sessionName, tabName, []browser.InterceptRule{rule}); err != nil {
-				return err
-			}
-
-			if block {
-				fmt.Fprintln(os.Stderr, "Blocking matching requests")
-			} else if respondBody != "" {
-				fmt.Fprintf(os.Stderr, "Mocking matching requests with status %d\n", rule.MockStatus)
-			} else if len(rule.AddHeaders) > 0 {
-				fmt.Fprintln(os.Stderr, "Adding headers to matching requests")
-			}
-
-			// Keep the process alive so the interception goroutine stays active.
-			<-ctx.Done()
-			return nil
-		},
-	}
-}
-
-func browserNetworkClearCmd() *cli.Command {
-	return &cli.Command{
-		Name:  "clear",
-		Usage: "Remove all Fetch domain interception rules",
-		Flags: browserActionFlags(false),
-		Description: `Disable the Fetch domain and remove all interception rules
-from the resolved tracked tab.
-
-This does not affect passive Network domain capture (log/wait).`,
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			configureLogging(cmd)
-
-			mgr, err := newBrowserManager(cmd)
-			if err != nil {
-				return err
-			}
-
-			sessionName := cmd.String("session")
-			tabName := cmd.String("tab")
-
-			if err := mgr.NetworkClearIntercept(ctx, sessionName, tabName); err != nil {
-				return err
-			}
-			fmt.Fprintln(os.Stderr, "Interception rules cleared")
-			return nil
+			passthroughCmd("requests", "List captured network requests", "network", "requests"),
+			passthroughCmd("route", "Set request interception rules", "network", "route"),
+			passthroughCmd("unroute", "Remove request interception rules", "network", "unroute"),
+			passthroughCmd("har", "Start or stop HAR capture", "network", "har"),
 		},
 	}
 }
diff --git a/cmd/tap/browser_new.go b/cmd/tap/browser_new.go
new file mode 100644
index 0000000..2336418
--- /dev/null
+++ b/cmd/tap/browser_new.go
@@ -0,0 +1,151 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/urfave/cli/v3"
+)
+
+// passthroughCmd creates a simple command that forwards arguments to agent-browser.
+func passthroughCmd(name, usage string, prefixArgs ...string) *cli.Command {
+	return &cli.Command{
+		Name:            name,
+		Usage:           usage,
+		ArgsUsage:       "[args...]",
+		SkipFlagParsing: true,
+		Action: func(ctx context.Context, cmd *cli.Command) error {
+			configureLogging(cmd)
+			ab, err := newAgentBrowser(cmd)
+			if err != nil {
+				return err
+			}
+			rawArgs, sessionName := extractPassthroughSession(cmd.Args().Slice())
+			if sessionName != "" {
+				ab.SessionName = sessionName
+				ab.Attached = false
+			}
+			execArgs := append([]string{}, prefixArgs...)
+			execArgs = append(execArgs, rawArgs...)
+			out, _, err := ab.Exec(ctx, execArgs...)
+			if err != nil {
+				return err
+			}
+			if len(out) > 0 {
+				fmt.Println(string(out))
+			}
+			return nil
+		},
+	}
+}
+
+func extractPassthroughSession(args []string) ([]string, string) {
+	out := make([]string, 0, len(args))
+	var session string
+	for i := 0; i < len(args); i++ {
+		arg := args[i]
+		if arg == "--session" {
+			if i+1 < len(args) {
+				session = args[i+1]
+				i++
+			}
+			continue
+		}
+		if strings.HasPrefix(arg, "--session=") {
+			session = strings.TrimPrefix(arg, "--session=")
+			continue
+		}
+		out = append(out, arg)
+	}
+	return out, session
+}
+
+func browserSetCmd() *cli.Command {
+	return &cli.Command{
+		Name:  "set",
+		Usage: "Configure browser emulation settings",
+		Commands: []*cli.Command{
+			passthroughCmd("viewport", "Set viewport size", "set", "viewport"),
+			passthroughCmd("device", "Emulate a device", "set", "device"),
+			passthroughCmd("geo", "Set geolocation", "set", "geo"),
+			passthroughCmd("offline", "Toggle offline mode", "set", "offline"),
+			passthroughCmd("headers", "Set extra HTTP headers", "set", "headers"),
+			passthroughCmd("credentials", "Set HTTP auth credentials", "set", "credentials"),
+			passthroughCmd("media", "Set CSS media type", "set", "media"),
+		},
+	}
+}
+
+func browserStorageCmd() *cli.Command {
+	return &cli.Command{
+		Name:  "storage",
+		Usage: "Manage local/session storage",
+		Commands: []*cli.Command{
+			passthroughCmd("local", "Manage localStorage", "storage", "local"),
+			passthroughCmd("session", "Manage sessionStorage", "storage", "session"),
+		},
+	}
+}
+
+func browserStateCmd() *cli.Command {
+	return &cli.Command{
+		Name:  "state",
+		Usage: "Manage saved browser states",
+		Commands: []*cli.Command{
+			passthroughCmd("save", "Save current state", "state", "save"),
+			passthroughCmd("load", "Load saved state", "state", "load"),
+			passthroughCmd("list", "List saved states", "state", "list"),
+			passthroughCmd("show", "Show state details", "state", "show"),
+			passthroughCmd("clear", "Clear saved states", "state", "clear"),
+		},
+	}
+}
+
+func browserAuthCmd() *cli.Command {
+	return &cli.Command{
+		Name:  "auth",
+		Usage: "Manage authentication state",
+		Commands: []*cli.Command{
+			passthroughCmd("save", "Save auth credentials", "auth", "save"),
+			passthroughCmd("login", "Perform login", "auth", "login"),
+			passthroughCmd("list", "List saved auth", "auth", "list"),
+			passthroughCmd("show", "Show auth details", "auth", "show"),
+			passthroughCmd("delete", "Delete saved auth", "auth", "delete"),
+		},
+	}
+}
+
+func browserGetCmd() *cli.Command {
+	return &cli.Command{
+		Name:  "get",
+		Usage: "Get page properties and values",
+		Commands: []*cli.Command{
+			passthroughCmd("text", "Get element or page text", "get", "text"),
+			passthroughCmd("html", "Get element or page HTML", "get", "html"),
+			passthroughCmd("value", "Get input value", "get", "value"),
+			passthroughCmd("attr", "Get element attribute", "get", "attr"),
+			passthroughCmd("title", "Get page title", "get", "title"),
+			passthroughCmd("url", "Get current URL", "get", "url"),
+			passthroughCmd("count", "Count elements matching selector", "get", "count"),
+			passthroughCmd("box", "Get element bounding box", "get", "box"),
+			passthroughCmd("styles", "Get computed styles", "get", "styles"),
+		},
+	}
+}
+
+func browserVitalsCmd() *cli.Command {
+	return passthroughCmd("vitals", "Get Web Vitals metrics", "vitals")
+}
+
+func browserDiffCmd() *cli.Command {
+	return &cli.Command{
+		Name:  "diff",
+		Usage: "Compare snapshots, screenshots, or URLs",
+		Commands: []*cli.Command{
+			passthroughCmd("snapshot", "Compare page snapshots", "diff", "snapshot"),
+			passthroughCmd("screenshot", "Compare screenshots", "diff", "screenshot"),
+			passthroughCmd("url", "Compare URL responses", "diff", "url"),
+		},
+	}
+}
diff --git a/cmd/tap/browser_new_test.go b/cmd/tap/browser_new_test.go
new file mode 100644
index 0000000..c932f1c
--- /dev/null
+++ b/cmd/tap/browser_new_test.go
@@ -0,0 +1,29 @@
+package main
+
+import "testing"
+
+func TestExtractPassthroughSession(t *testing.T) {
+	args, session := extractPassthroughSession([]string{"--filter", "api", "--session", "dev", "--limit", "10"})
+	if session != "dev" {
+		t.Fatalf("session = %q, want dev", session)
+	}
+	want := []string{"--filter", "api", "--limit", "10"}
+	if len(args) != len(want) {
+		t.Fatalf("args = %v, want %v", args, want)
+	}
+	for i := range want {
+		if args[i] != want[i] {
+			t.Fatalf("args = %v, want %v", args, want)
+		}
+	}
+}
+
+func TestExtractPassthroughSessionEquals(t *testing.T) {
+	args, session := extractPassthroughSession([]string{"--session=dev", "--abort"})
+	if session != "dev" {
+		t.Fatalf("session = %q, want dev", session)
+	}
+	if len(args) != 1 || args[0] != "--abort" {
+		t.Fatalf("args = %v, want [--abort]", args)
+	}
+}
diff --git a/cmd/tap/browser_simple.go b/cmd/tap/browser_simple.go
index 74b59fb..30e54ea 100644
--- a/cmd/tap/browser_simple.go
+++ b/cmd/tap/browser_simple.go
@@ -11,8 +11,6 @@ import (
 	"github.com/vaayne/tap/browser"
 )
 
-// browserSimpleCmd returns commands that provide the simplified browser UX
-// These are aliases or wrappers around existing browser session/tab commands
 func browserOpenCmd() *cli.Command {
 	return &cli.Command{
 		Name:      "open",
@@ -68,115 +66,47 @@ func runBrowserOpen(ctx context.Context, cmd *cli.Command) error {
 	}
 	url := cmd.Args().First()
 
-	mgr, err := newBrowserManager(cmd)
+	ab, err := newAgentBrowser(cmd)
 	if err != nil {
 		return err
 	}
 
-	sessionName := cmd.String("session")
-
-	// Resolve the active context first. Only auto-create a managed local default
-	// when no persisted context exists at all.
-	session, err := mgr.GetSession(ctx, sessionName)
-	if err != nil {
-		if sessionName != "" {
-			return err
-		}
-		opts := browser.SessionOptions{Headless: !cmd.Bool("show")}
-		if err := mgr.CreateSession(ctx, browser.DefaultSessionName, browser.ModeLocal, opts); err != nil {
-			return fmt.Errorf("create session: %w", err)
-		}
-		if err := mgr.SetDefaultContext(ctx, browser.DefaultSessionName, browser.DefaultContextManaged); err != nil {
-			return fmt.Errorf("set default context: %w", err)
-		}
-		session, err = mgr.GetSession(ctx, browser.DefaultSessionName)
+	if cmd.Bool("new-tab") {
+		_, _, err := ab.Exec(ctx, "tab", "new", url)
 		if err != nil {
-			return err
-		}
-	}
-	sessionName = session.Name
-
-	// Determine if we need a new tab
-	createNewTab := cmd.Bool("new-tab")
-	var targetTab string
-
-	if !createNewTab && session.SelectedTab != "" {
-		// Check if selected tab is live
-		if tab, ok := session.Tabs[session.SelectedTab]; ok && tab.Status == browser.TabStatusLive {
-			targetTab = session.SelectedTab
-		}
-	}
-
-	if targetTab == "" {
-		// Need to create a new tab
-		targetTab = generateNextTabName(session)
-		if err := mgr.CreateTab(ctx, sessionName, targetTab, "about:blank"); err != nil {
-			return fmt.Errorf("create tab: %w", err)
+			return fmt.Errorf("open new tab: %w", err)
 		}
-		// Select it
-		if err := mgr.SelectTab(ctx, sessionName, targetTab); err != nil {
-			return err
+	} else {
+		if err := ab.Open(ctx, url, browser.OpenOpts{Headed: cmd.Bool("show")}); err != nil {
+			return fmt.Errorf("open: %w", err)
 		}
 	}
 
-	// Navigate the tab
-	if err := mgr.Navigate(ctx, sessionName, targetTab, url); err != nil {
-		return fmt.Errorf("navigate: %w", err)
-	}
-
-	// Handle wait flags
 	if d := cmd.Duration("wait"); d > 0 {
-		// Simple sleep - actual implementation would need proper wait
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case <-time.After(d):
 		}
 	}
-
-	// Handle wait-selector if provided (simplified for Phase 1)
 	if sel := cmd.String("wait-selector"); sel != "" {
-		// TODO: Implement proper wait using Evaluate with polling
-		// For now, just do a fixed delay as a placeholder
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case <-time.After(2 * time.Second):
+		_, _, err := ab.Exec(ctx, "wait", sel)
+		if err != nil {
+			return fmt.Errorf("wait selector: %w", err)
 		}
 	}
 
 	c := true
 	fmt.Fprintf(os.Stderr, "%s Opened %s\n", green(c, "✓"), url)
-	if targetTab != session.SelectedTab || createNewTab {
-		fmt.Fprintf(os.Stderr, "  Tab: %s\n", targetTab)
-	}
-
 	return nil
 }
 
-func generateNextTabName(session *browser.SessionRecord) string {
-	// Find highest tab-N number
-	maxNum := 0
-	for name := range session.Tabs {
-		var num int
-		if _, err := fmt.Sscanf(name, "tab-%d", &num); err == nil {
-			if num > maxNum {
-				maxNum = num
-			}
-		}
-	}
-	return fmt.Sprintf("tab-%d", maxNum+1)
-}
-
-// browserTabsCmd is a user-friendly alias for "browser tab list"
 func browserTabsCmd() *cli.Command {
 	return &cli.Command{
 		Name:  "tabs",
 		Usage: "List browser tabs",
 		Description: `Show all tabs in the current browser context.
 
-This is a simplified view of tracked tabs with stable IDs.
-
 Examples:
   tap browser tabs
   tap browser tabs --json`,
@@ -198,92 +128,48 @@ Examples:
 }
 
 func runBrowserTabs(ctx context.Context, cmd *cli.Command) error {
-	mgr, err := newBrowserManager(cmd)
+	ab, err := newAgentBrowser(cmd)
 	if err != nil {
 		return err
 	}
-
-	sessionName := cmd.String("session")
-	list, err := mgr.ListTabs(ctx, sessionName)
+	out, _, err := ab.Exec(ctx, "tab", "--json")
 	if err != nil {
 		return err
 	}
 
-	if cmd.Bool("json") {
-		return printTabsJSON(list)
+	var envelope browser.AgentBrowserEnvelope[map[string]any]
+	if err := json.Unmarshal(out, &envelope); err != nil {
+		return fmt.Errorf("parse tabs: %w", err)
+	}
+	if !envelope.Success {
+		return fmt.Errorf("tabs: %s", envelope.Error)
 	}
 
-	return printTabsHuman(list)
-}
+	if cmd.Bool("json") {
+		pretty, _ := json.MarshalIndent(envelope.Data, "", "  ")
+		fmt.Println(string(pretty))
+		return nil
+	}
 
-func printTabsHuman(list *browser.TabList) error {
-	if len(list.Tabs) == 0 {
+	data := envelope.Data
+	tabs, _ := data["tabs"].([]any)
+	if len(tabs) == 0 {
 		fmt.Println("No tabs found.")
-		fmt.Println("Run: tap browser open <url>")
 		return nil
 	}
 
 	c := true
-	fmt.Printf("%s %d tabs\n\n", bold(c, "Tabs:"), len(list.Tabs))
-
-	fmt.Printf("%-10s %-20s %-40s %-8s %s\n", "ID", "TITLE", "URL", "CURRENT", "STATUS")
-	fmt.Println("------------------------------------------------------------------------------------------")
-
-	for _, tab := range list.Tabs {
-		current := ""
-		if tab.Name == list.SelectedTab {
-			current = green(c, "yes")
+	fmt.Printf("%s %d tabs\n\n", bold(c, "Tabs:"), len(tabs))
+	for _, t := range tabs {
+		if m, ok := t.(map[string]any); ok {
+			id, _ := m["id"].(string)
+			url, _ := m["url"].(string)
+			fmt.Printf("  %-6s %s\n", id, url)
 		}
-
-		status := string(tab.Status)
-		switch tab.Status {
-		case browser.TabStatusLive:
-			status = green(c, status)
-		case browser.TabStatusStale:
-			status = yellow(c, status)
-		}
-
-		title := "-"
-		url := tab.URL
-		if len(url) > 38 {
-			url = url[:35] + "..."
-		}
-
-		fmt.Printf("%-10s %-20s %-40s %-8s %s\n", tab.Name, title, url, current, status)
 	}
-
-	if list.SelectedTab == "" {
-		fmt.Println()
-		fmt.Println("No current tab selected. Run: tap browser open <url>")
-	}
-
-	return nil
-}
-
-func printTabsJSON(list *browser.TabList) error {
-	result := map[string]any{
-		"selectedTab": list.SelectedTab,
-		"count":       len(list.Tabs),
-	}
-
-	tabs := make([]map[string]any, 0, len(list.Tabs))
-	for _, tab := range list.Tabs {
-		tabs = append(tabs, map[string]any{
-			"id":     tab.Name,
-			"title":  "",
-			"status": tab.Status,
-			"url":    tab.URL,
-			"target": tab.TargetID,
-		})
-	}
-	result["tabs"] = tabs
-
-	out, _ := json.MarshalIndent(result, "", "  ")
-	fmt.Println(string(out))
 	return nil
 }
 
-// browserSwitchCmd is a user-friendly alias for "browser tab select"
 func browserSwitchCmd() *cli.Command {
 	return &cli.Command{
 		Name:      "switch",
@@ -292,8 +178,8 @@ func browserSwitchCmd() *cli.Command {
 		Description: `Set the current working tab.
 
 Examples:
-  tap browser switch tab-2
-  tap browser switch tab-1`,
+  tap browser switch t2
+  tap browser switch t1`,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:  "session",
@@ -309,38 +195,34 @@ Examples:
 
 func runBrowserSwitch(ctx context.Context, cmd *cli.Command) error {
 	if cmd.Args().Len() == 0 {
-		return fmt.Errorf("tab ID required (e.g., tab-1, tab-2)")
+		return fmt.Errorf("tab ID required (e.g., t1, t2)")
 	}
-	tabName := cmd.Args().First()
+	tabID := cmd.Args().First()
 
-	mgr, err := newBrowserManager(cmd)
+	ab, err := newAgentBrowser(cmd)
 	if err != nil {
 		return err
 	}
 
-	sessionName := cmd.String("session")
-	if err := mgr.SelectTab(ctx, sessionName, tabName); err != nil {
+	_, _, err = ab.Exec(ctx, "tab", tabID)
+	if err != nil {
 		return fmt.Errorf("switch tab: %w", err)
 	}
 
 	c := true
-	fmt.Fprintf(os.Stderr, "%s Switched to %s\n", green(c, "✓"), tabName)
+	fmt.Fprintf(os.Stderr, "%s Switched to %s\n", green(c, "✓"), tabID)
 	return nil
 }
 
-// browserCloseTabCmd is a user-friendly alias for "browser tab close"
 func browserCloseTabCmd() *cli.Command {
 	return &cli.Command{
 		Name:      "close-tab",
 		Usage:     "Close a browser tab",
-		ArgsUsage: "[tab-id]",
-		Description: `Close a tab. If no tab ID is given, closes the current tab.
-
-After closing, the next live tab becomes current.
+		ArgsUsage: "<tab-id>",
+		Description: `Close a specific tab.
 
 Examples:
-  tap browser close-tab        # Close current tab
-  tap browser close-tab tab-2  # Close specific tab`,
+  tap browser close-tab t2`,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:  "session",
@@ -355,37 +237,26 @@ Examples:
 }
 
 func runBrowserCloseTab(ctx context.Context, cmd *cli.Command) error {
-	tabName := cmd.Args().First() // Empty means current/resolved tab
+	if cmd.Args().Len() == 0 {
+		return fmt.Errorf("tab ID required")
+	}
+	tabID := cmd.Args().First()
 
-	mgr, err := newBrowserManager(cmd)
+	ab, err := newAgentBrowser(cmd)
 	if err != nil {
 		return err
 	}
 
-	sessionName := cmd.String("session")
-
-	// If no tab specified, resolve current
-	if tabName == "" {
-		session, err := mgr.GetSession(ctx, sessionName)
-		if err != nil {
-			return err
-		}
-		tabName = session.SelectedTab
-		if tabName == "" {
-			return fmt.Errorf("no current tab to close")
-		}
-	}
-
-	if err := mgr.CloseTab(ctx, sessionName, tabName); err != nil {
+	_, _, err = ab.Exec(ctx, "tab", "close", tabID)
+	if err != nil {
 		return fmt.Errorf("close tab: %w", err)
 	}
 
 	c := true
-	fmt.Fprintf(os.Stderr, "%s Closed %s\n", green(c, "✓"), tabName)
+	fmt.Fprintf(os.Stderr, "%s Closed %s\n", green(c, "✓"), tabID)
 	return nil
 }
 
-// browserStatusCmd is a user-friendly alias for "browser session info"
 func browserStatusCmd() *cli.Command {
 	return &cli.Command{
 		Name:  "status",
@@ -414,31 +285,58 @@ Examples:
 }
 
 func runBrowserStatus(ctx context.Context, cmd *cli.Command) error {
-	mgr, err := newBrowserManager(cmd)
+	ab, err := newAgentBrowser(cmd)
 	if err != nil {
 		return err
 	}
 
-	sessionName := cmd.String("session")
-	defaultContext, _ := mgr.DefaultContext(ctx)
-	session, err := mgr.GetSession(ctx, sessionName)
-	if err != nil {
-		if cmd.Bool("json") {
-			return printStatusJSON(defaultContext, nil, nil, "no_session")
-		}
-		fmt.Println("No browser session active.")
-		fmt.Println("Run: tap browser open <url>")
-		return nil
+	sessionOut, _, _ := ab.Exec(ctx, "session", "--json")
+	tabOut, _, _ := ab.Exec(ctx, "tab", "--json")
+	urlOut, _, _ := ab.Exec(ctx, "get", "url", "--json")
+
+	var sessionEnv browser.AgentBrowserEnvelope[map[string]any]
+	_ = json.Unmarshal(sessionOut, &sessionEnv)
+
+	var tabEnv browser.AgentBrowserEnvelope[map[string]any]
+	_ = json.Unmarshal(tabOut, &tabEnv)
+
+	var urlEnv browser.AgentBrowserEnvelope[map[string]any]
+	_ = json.Unmarshal(urlOut, &urlEnv)
+	url, _ := urlEnv.Data["url"].(string)
+	if url == "" {
+		url, _ = urlEnv.Data["result"].(string)
 	}
 
-	var currentTab *browser.TabRecord
-	if session.SelectedTab != "" {
-		currentTab = session.Tabs[session.SelectedTab]
+	result := map[string]any{
+		"session": sessionEnv.Data,
+		"tabs":    tabEnv.Data,
+		"url":     url,
+	}
+	if isAttachedMode() {
+		result["attached"] = true
 	}
 
 	if cmd.Bool("json") {
-		return printStatusJSON(defaultContext, session, currentTab, "")
+		out, _ := json.MarshalIndent(result, "", "  ")
+		fmt.Println(string(out))
+		return nil
 	}
 
-	return printStatusHuman(defaultContext, session, currentTab)
+	c := true
+	if name, ok := sessionEnv.Data["name"].(string); ok && name != "" {
+		fmt.Printf("%s %s\n", bold(c, "Session:"), name)
+	} else if sessionEnv.Success {
+		fmt.Printf("%s %v\n", bold(c, "Session:"), sessionEnv.Data)
+	}
+	if urlEnv.Success && url != "" {
+		fmt.Printf("%s %s\n", bold(c, "URL:"), url)
+	}
+	if tabs, ok := tabEnv.Data["tabs"].([]any); ok {
+		fmt.Printf("%s %d\n", bold(c, "Tabs:"), len(tabs))
+	}
+	if isAttachedMode() {
+		fmt.Printf("%s attached mode\n", bold(c, "Mode:"))
+	}
+
+	return nil
 }
diff --git a/cmd/tap/doctor.go b/cmd/tap/doctor.go
index 2b03d12..cbccb39 100644
--- a/cmd/tap/doctor.go
+++ b/cmd/tap/doctor.go
@@ -4,7 +4,8 @@ import (
 	"context"
 	"fmt"
 	"log"
-	"runtime"
+	"os"
+	"os/exec"
 	"time"
 
 	"github.com/urfave/cli/v3"
@@ -18,7 +19,7 @@ func doctorCmd() *cli.Command {
 		Flags: []cli.Flag{
 			&cli.BoolFlag{
 				Name:  "install",
-				Usage: "Install or update Lightpanda to the latest nightly build",
+				Usage: "Extract embedded agent-browser and let it install browser dependencies",
 			},
 		},
 		Action: func(ctx context.Context, cmd *cli.Command) error {
@@ -28,74 +29,56 @@ func doctorCmd() *cli.Command {
 }
 
 func runDoctor(ctx context.Context, cmd *cli.Command) error {
-	// Suppress library log output in doctor; we print our own messages.
 	log.SetOutput(nopWriter{})
 
 	color := useColor(cmd)
 	install := cmd.Bool("install")
 
 	ok := checkMark(color)
-	fail := failMark(color)
 	warn := warnMark(color)
 
-	// --- tap version ---
 	fmt.Printf("%s tap %s\n", ok, bold(color, version))
 
-	// --- Chrome ---
-	chrome := browser.DetectChrome()
-	if chrome != nil {
-		v := chrome.Version
-		if v == "" {
-			v = "unknown version"
-		}
-		fmt.Printf("%s Chrome %s\n", ok, v)
-		fmt.Printf("  %s\n", dim(color, chrome.Path))
-	} else {
-		fmt.Printf("%s Chrome not found\n", fail)
-		fmt.Printf("  %s\n", dim(color, "Install Chrome or use --lightpanda as an alternative"))
-	}
-
-	// --- Lightpanda (macOS/Linux only) ---
-	if runtime.GOOS == "windows" {
-		fmt.Printf("%s Lightpanda not available on Windows\n", dim(color, "-"))
-		return nil
-	}
-
-	lp := browser.NewLightpanda("", "")
-
+	agentInstall := browser.NewAgentBrowserInstall("")
 	if install {
-		action := "Installing"
-		if lp.Installed() {
-			action = "Updating"
+		action := "Extracting"
+		if agentInstall.Installed() {
+			action = "Refreshing"
 		}
-		fmt.Printf("  %s Lightpanda... ", action)
-		if err := lp.Update(ctx); err != nil {
-			return fmt.Errorf("install lightpanda: %w", err)
+		fmt.Printf("  %s embedded agent-browser... ", action)
+		if err := agentInstall.Update(ctx); err != nil {
+			return fmt.Errorf("extract agent-browser: %w", err)
 		}
 		fmt.Println("done")
-		fmt.Printf("%s Lightpanda installed\n", ok)
-		return nil
+
+		path, err := browser.ResolveAgentBrowserPath()
+		if err != nil {
+			return err
+		}
+		fmt.Printf("  Running agent-browser install...\n")
+		installCmd := exec.CommandContext(ctx, path, "install")
+		installCmd.Stdout = os.Stdout
+		installCmd.Stderr = os.Stderr
+		if err := installCmd.Run(); err != nil {
+			return fmt.Errorf("agent-browser install: %w", err)
+		}
 	}
 
-	if lp.Installed() {
-		meta, _ := lp.ReadMeta()
-		if meta != nil {
-			age := time.Since(meta.DownloadedAt)
-			ageStr := formatAge(age)
-			fmt.Printf("%s Lightpanda installed (%s ago)\n", ok, ageStr)
-			fmt.Printf("  %s\n", dim(color, "Downloaded: "+meta.DownloadedAt.Format(time.RFC3339)))
-			if age > 7*24*time.Hour {
-				fmt.Printf("  %s Run %s to get the latest nightly\n", warn, bold(color, "tap doctor --install"))
-			}
-		} else {
-			fmt.Printf("%s Lightpanda installed (unknown age)\n", warn)
-			fmt.Printf("  %s Run %s to get the latest nightly\n", warn, bold(color, "tap doctor --install"))
+	if path, err := browser.ResolveAgentBrowserPath(); err == nil {
+		fmt.Printf("%s agent-browser embedded (%s)\n", ok, browser.AgentBrowserVersion)
+		fmt.Printf("  %s\n", dim(color, path))
+		if meta, _ := agentInstall.ReadMeta(); meta != nil {
+			age := time.Since(meta.InstalledAt)
+			fmt.Printf("  %s\n", dim(color, "Extracted: "+meta.InstalledAt.Format(time.RFC3339)+" ("+formatAge(age)+" ago)"))
 		}
 	} else {
-		fmt.Printf("%s Lightpanda not installed\n", warn)
-		fmt.Printf("  %s Run %s to download it\n", dim(color, "→"), bold(color, "tap doctor --install"))
+		fmt.Printf("%s agent-browser unavailable\n", warn)
+		fmt.Printf("  %s\n", dim(color, err.Error()))
 	}
 
+	fmt.Printf("%s Chrome managed by agent-browser\n", ok)
+	fmt.Printf("  %s\n", dim(color, "Run tap doctor --install to let agent-browser install browser dependencies"))
+
 	return nil
 }
 
@@ -103,13 +86,6 @@ func checkMark(color bool) string {
 	return green(color, "✓")
 }
 
-func failMark(color bool) string {
-	if !color {
-		return "✗"
-	}
-	return "\033[31m✗\033[0m"
-}
-
 func warnMark(color bool) string {
 	return yellow(color, "!")
 }
diff --git a/cmd/tap/fetch.go b/cmd/tap/fetch.go
index 8ffff5f..5eb2d11 100644
--- a/cmd/tap/fetch.go
+++ b/cmd/tap/fetch.go
@@ -20,14 +20,13 @@ navigation, scripts, and boilerplate via go-defuddle.
 Examples:
   tap fetch https://example.com/article          Clean Markdown output
   tap fetch --json https://example.com/article   Full metadata as JSON
-  tap fetch -b https://example.com               Use browser for JS-rendered pages
-  tap fetch --lp https://example.com             Use Lightpanda (fast headless, no auth)`,
+  tap fetch -b https://example.com               Use browser for JS-rendered pages`,
 		Flags: append([]cli.Flag{
 			&cli.BoolFlag{
 				Name:  "json",
 				Usage: "Output as JSON with full metadata",
 			},
-		}, browserClientFlags(true)...),
+		}, browserClientFlags()...),
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			if cmd.Args().Len() == 0 {
diff --git a/cmd/tap/internal.go b/cmd/tap/internal.go
deleted file mode 100644
index 8397f9d..0000000
--- a/cmd/tap/internal.go
+++ /dev/null
@@ -1,71 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net"
-	"os"
-	"time"
-
-	"github.com/urfave/cli/v3"
-	"github.com/vaayne/tap/browser"
-)
-
-func internalCmd() *cli.Command {
-	return &cli.Command{
-		Name:   "internal",
-		Usage:  "Internal tap entrypoints",
-		Hidden: true,
-		Commands: []*cli.Command{
-			proxyDaemonCmd(),
-		},
-	}
-}
-
-func proxyDaemonCmd() *cli.Command {
-	return &cli.Command{
-		Name:   "proxy-daemon",
-		Usage:  "Run the internal CDP proxy daemon",
-		Hidden: true,
-		Flags: []cli.Flag{
-			&cli.StringFlag{Name: "listen", Required: true, Hidden: true},
-			&cli.StringFlag{Name: "upstream-ws-url", Required: true, Hidden: true},
-			&cli.StringFlag{Name: "ownership-token", Required: true, Hidden: true},
-			&cli.StringFlag{Name: "ready-file", Required: true, Hidden: true},
-		},
-		Action: func(ctx context.Context, cmd *cli.Command) error {
-			ln, err := net.Listen("tcp", cmd.String("listen"))
-			if err != nil {
-				return err
-			}
-			defer func() { _ = ln.Close() }()
-
-			record := &browser.ProxyDaemonRecord{
-				PID:            os.Getpid(),
-				ListenAddr:     ln.Addr().String(),
-				Endpoint:       browser.ProxyEndpointForListenAddr(ln.Addr().String()),
-				UpstreamWSURL:  cmd.String("upstream-ws-url"),
-				OwnershipToken: cmd.String("ownership-token"),
-				State:          browser.AttachStateAttachedReady,
-				Status:         browser.AttachStateAttachedReady,
-				StartedAt:      time.Now().UTC(),
-				UpdatedAt:      time.Now().UTC(),
-			}
-			data, err := json.Marshal(record)
-			if err != nil {
-				return fmt.Errorf("encode proxy daemon ready file: %w", err)
-			}
-			if err := os.WriteFile(cmd.String("ready-file"), data, 0o600); err != nil {
-				return fmt.Errorf("write proxy daemon ready file: %w", err)
-			}
-
-			proxy := browser.NewProxy(browser.ProxyConfig{
-				ListenAddr:     record.ListenAddr,
-				Upstream:       record.UpstreamWSURL,
-				OwnershipToken: record.OwnershipToken,
-			})
-			return proxy.ServeListener(ctx, ln)
-		},
-	}
-}
diff --git a/cmd/tap/main.go b/cmd/tap/main.go
index 9d0b41d..28212d2 100644
--- a/cmd/tap/main.go
+++ b/cmd/tap/main.go
@@ -5,12 +5,10 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"path/filepath"
 
 	"github.com/joho/godotenv"
 	"github.com/urfave/cli/v3"
 	"github.com/vaayne/tap"
-	"github.com/vaayne/tap/browser"
 	"github.com/vaayne/tap/transport"
 )
 
@@ -68,7 +66,6 @@ Use 'tap <command> --help' for details on any command.`,
 			doctorCmd(),
 			upgradeCmd(),
 			skillCmd(),
-			internalCmd(),
 		},
 	}
 }
@@ -101,17 +98,16 @@ func globalFlags() []cli.Flag {
 			Sources: cli.EnvVars("TAP_BROWSER"),
 			Hidden:  true,
 		},
-		&cli.BoolFlag{
-			Name:    "no-headless",
-			Aliases: []string{"show"},
-			Usage:   "Run browser in visible mode (advanced)",
-			Hidden:  true,
-		},
 		&cli.BoolFlag{
 			Name:    "lightpanda",
 			Aliases: []string{"lp"},
-			Usage:   "Use Lightpanda instead of Chrome (advanced)",
+			Usage:   "Use Lightpanda as the browser engine",
 			Sources: cli.EnvVars("TAP_LIGHTPANDA"),
+		},
+		&cli.BoolFlag{
+			Name:    "no-headless",
+			Aliases: []string{"show"},
+			Usage:   "Run browser in visible mode (advanced)",
 			Hidden:  true,
 		},
 		&cli.BoolFlag{
@@ -207,9 +203,8 @@ func newClient(ctx context.Context, cmd *cli.Command) (*tap.Client, error) {
 
 	if cmd.Bool("lightpanda") {
 		opts = append(opts, tap.WithBrowserType(transport.BrowserLightpanda))
-		opts = append(opts, tap.WithForceBrowser(true))
 	}
-	if cmd.Bool("browser") || hasPauseMode(cmd) {
+	if cmd.Bool("browser") || cmd.Bool("lightpanda") || hasPauseMode(cmd) {
 		opts = append(opts, tap.WithForceBrowser(true))
 	}
 	if cmd.Bool("no-headless") || cmd.Bool("show") || cmd.Bool("pause") {
@@ -235,61 +230,9 @@ func resolveBrowserClientOptions(ctx context.Context, cmd *cli.Command, forceMan
 		return append(opts, tap.WithProfileDir(dir)), nil
 	}
 
-	mgr, err := newBrowserManager(cmd)
-	if err != nil {
-		return nil, err
-	}
-	defaultContext, err := mgr.DefaultContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-	store, err := newBrowserStore(cmd)
-	if err != nil {
-		return nil, err
-	}
-	state, err := store.Load()
-	if err != nil {
-		return nil, err
-	}
-	if defaultContext != nil && defaultContext.Kind == browser.DefaultContextAttached {
-		if state.ProxyDaemon == nil {
-			return nil, fmt.Errorf("attached Chrome is stale: proxy daemon metadata is missing (run 'tap attach chrome')")
-		}
-		health := browser.CheckProxyDaemon(ctx, state.ProxyDaemon)
-		if err := persistProxyDaemonHealth(store, state.ProxyDaemon, health); err == nil && !health.Healthy {
-			defaultContext.Reason = health.Reason
-			defaultContext.Stale = true
-		}
-		if !health.Healthy {
-			return nil, fmt.Errorf("attached Chrome is stale: %s (run 'tap attach chrome')", health.Reason)
-		}
-	}
-	if defaultContext != nil && defaultContext.Stale {
-		return nil, fmt.Errorf("default browser context %q is stale: %s (run 'tap attach chrome')", defaultContext.SessionName, defaultContext.Reason)
-	}
-
-	session, err := mgr.GetSession(ctx, "")
-	if err == nil {
-		switch {
-		case session.Remote != nil && session.Remote.WSURL != "":
-			return append(opts, tap.WithWSURL(session.Remote.WSURL)), nil
-		case session.Local != nil && session.Local.ProfileDir != "":
-			return append(opts, tap.WithProfileDir(session.Local.ProfileDir)), nil
-		}
-	}
-	if defaultContext != nil {
-		return nil, fmt.Errorf("resolve default browser context %q: %w", defaultContext.SessionName, err)
-	}
-	if forceManagedDefault {
-		return append(opts, tap.WithProfileDir(defaultManagedProfileDir(cmd))), nil
-	}
 	return opts, nil
 }
 
-func defaultManagedProfileDir(cmd *cli.Command) string {
-	return filepath.Join(browserStateRoot(cmd), "profiles", browser.DefaultSessionName)
-}
-
 func firstString(cmd *cli.Command, names ...string) string {
 	for _, name := range names {
 		if value := cmd.String(name); value != "" {
@@ -299,7 +242,7 @@ func firstString(cmd *cli.Command, names ...string) string {
 	return ""
 }
 
-func browserClientFlags(includeLightpanda bool) []cli.Flag {
+func browserClientFlags() []cli.Flag {
 	flags := []cli.Flag{
 		&cli.BoolFlag{
 			Name:    "browser",
@@ -338,13 +281,11 @@ func browserClientFlags(includeLightpanda bool) []cli.Flag {
 			Name:  "profile-dir",
 			Usage: "One-shot browser profile override",
 		},
-	}
-	if includeLightpanda {
-		flags = append(flags, &cli.BoolFlag{
+		&cli.BoolFlag{
 			Name:    "lightpanda",
 			Aliases: []string{"lp"},
-			Usage:   "Use Lightpanda instead of Chrome (implies --browser)",
-		})
+			Usage:   "Use Lightpanda as the browser engine",
+		},
 	}
 	return flags
 }
diff --git a/cmd/tap/pause.go b/cmd/tap/pause.go
index c6ba3d3..bedcbe8 100644
--- a/cmd/tap/pause.go
+++ b/cmd/tap/pause.go
@@ -5,11 +5,11 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/exec"
 	"time"
 
-	"github.com/chromedp/cdproto/runtime"
-	"github.com/chromedp/chromedp"
 	"github.com/urfave/cli/v3"
+	"github.com/vaayne/tap/browser"
 	"github.com/vaayne/tap/transport"
 )
 
@@ -70,38 +70,27 @@ func delayPause(d time.Duration) transport.PauseFunc {
 
 func waitForSelector(selector string) transport.PauseFunc {
 	return func(ctx context.Context) error {
-		if err := chromedp.Run(ctx, chromedp.WaitVisible(selector, chromedp.ByQuery)); err != nil {
-			return fmt.Errorf("wait for selector %q: %w", selector, err)
+		path, err := browser.ResolveAgentBrowserPath()
+		if err != nil {
+			return err
 		}
-		return nil
+		cmd := exec.CommandContext(ctx, path, "wait", selector, "--session-name", "default", "--json")
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		return cmd.Run()
 	}
 }
 
 func waitForJS(expr string) transport.PauseFunc {
-	wrapped := fmt.Sprintf(`(async () => Boolean(await (%s)))()`, expr)
-
 	return func(ctx context.Context) error {
-		ticker := time.NewTicker(200 * time.Millisecond)
-		defer ticker.Stop()
-
-		for {
-			var ready bool
-			err := chromedp.Run(ctx, chromedp.Evaluate(wrapped, &ready, func(p *runtime.EvaluateParams) *runtime.EvaluateParams {
-				return p.WithReturnByValue(true).WithAwaitPromise(true)
-			}))
-			if err == nil && ready {
-				return nil
-			}
-
-			select {
-			case <-ticker.C:
-			case <-ctx.Done():
-				if err != nil {
-					return fmt.Errorf("wait for js %q: %w", expr, err)
-				}
-				return ctx.Err()
-			}
+		path, err := browser.ResolveAgentBrowserPath()
+		if err != nil {
+			return err
 		}
+		cmd := exec.CommandContext(ctx, path, "wait", "--fn", expr, "--session-name", "default", "--json")
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		return cmd.Run()
 	}
 }
 
diff --git a/cmd/tap/site.go b/cmd/tap/site.go
index fb78ac7..bb737ca 100644
--- a/cmd/tap/site.go
+++ b/cmd/tap/site.go
@@ -40,7 +40,7 @@ Examples:
 				Usage:   "Output format: json, pretty (default), raw",
 				Value:   formatPretty,
 			},
-		}, browserClientFlags(true)...),
+		}, browserClientFlags()...),
 		Commands: []*cli.Command{
 			siteRunCmd(),
 			siteListCmd(),
@@ -68,7 +68,7 @@ func siteRunCmd() *cli.Command {
 				Usage:   "Output format: json, pretty (default), raw",
 				Value:   formatPretty,
 			},
-		}, browserClientFlags(true)...),
+		}, browserClientFlags()...),
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configureLogging(cmd)
 			return runSiteScript(ctx, cmd, cmd.Args().Slice())
diff --git a/cmd/tap/status.go b/cmd/tap/status.go
index ffabb44..d30e1f1 100644
--- a/cmd/tap/status.go
+++ b/cmd/tap/status.go
@@ -16,9 +16,6 @@ func statusCmd() *cli.Command {
 		Description: `Display the current default browser context, authentication state,
 and active tab information.
 
-This command helps you understand which browser context and tab
-will be used by subsequent tap commands.
-
 Examples:
   tap status              Show human-readable status
   tap status --json       Show machine-readable status`,
@@ -36,162 +33,70 @@ Examples:
 }
 
 func runStatus(ctx context.Context, cmd *cli.Command) error {
-	mgr, err := newBrowserManager(cmd)
+	ab, err := browser.NewAgentBrowser("")
 	if err != nil {
 		return err
 	}
+	if isAttachedMode() {
+		ab.Attached = true
+		ab.SessionName = ""
+	}
 
-	defaultContext, _ := mgr.DefaultContext(ctx)
+	sessionOut, _, _ := ab.Exec(ctx, "session", "--json")
+	tabOut, _, _ := ab.Exec(ctx, "tab", "--json")
+	urlOut, _, _ := ab.Exec(ctx, "get", "url", "--json")
 
-	// Get default session info
-	session, err := mgr.GetSession(ctx, "")
-	if err != nil {
-		// No default session - show empty state
-		if cmd.Bool("json") {
-			return printStatusJSON(defaultContext, nil, nil, "no_default_session")
-		}
-		return printStatusEmpty()
-	}
+	var sessionEnv browser.AgentBrowserEnvelope[map[string]any]
+	_ = json.Unmarshal(sessionOut, &sessionEnv)
 
-	// Get current tab
-	var currentTab *browser.TabRecord
-	if session.SelectedTab != "" {
-		if tab, ok := session.Tabs[session.SelectedTab]; ok {
-			currentTab = tab
-		}
+	var tabEnv browser.AgentBrowserEnvelope[map[string]any]
+	_ = json.Unmarshal(tabOut, &tabEnv)
+
+	var urlEnv browser.AgentBrowserEnvelope[string]
+	_ = json.Unmarshal(urlOut, &urlEnv)
+
+	result := map[string]any{
+		"session": sessionEnv.Data,
+		"tabs":    tabEnv.Data,
+		"url":     urlEnv.Data,
+	}
+	if isAttachedMode() {
+		result["attached"] = true
 	}
 
 	if cmd.Bool("json") {
-		return printStatusJSON(defaultContext, session, currentTab, "")
+		out, _ := json.MarshalIndent(result, "", "  ")
+		fmt.Println(string(out))
+		return nil
 	}
 
-	return printStatusHuman(defaultContext, session, currentTab)
-}
-
-func printStatusEmpty() error {
-	c := true // assume color for now
-	fmt.Println("No active browser context.")
-	fmt.Println()
-	fmt.Printf("%s\n", bold(c, "Quick start:"))
-	fmt.Println("  tap attach chrome         Attach to your existing Chrome")
-	fmt.Println("  tap browser open <url>    Open a page in managed browser")
-	return nil
+	return printStatusHuman(result)
 }
 
-func printStatusHuman(defaultContext *browser.DefaultContextRecord, session *browser.SessionRecord, currentTab *browser.TabRecord) error {
+func printStatusHuman(result map[string]any) error {
 	c := true
 
-	// Context type
-	contextType := "Managed local browser"
-	if defaultContext != nil {
-		fmt.Printf("%s %s (%s)\n", bold(c, "Default context:"), defaultContext.SessionName, defaultContext.Kind)
-		if defaultContext.Stale {
-			fmt.Printf("%s %s\n", bold(c, "Context state:"), yellow(c, "stale"))
-			if defaultContext.Reason != "" {
-				fmt.Printf("%s %s\n", bold(c, "Reason:"), defaultContext.Reason)
-			}
-		}
+	if attached, ok := result["attached"].(bool); ok && attached {
+		fmt.Printf("%s Attached mode\n", bold(c, "Context:"))
 	}
-	if session.Remote != nil {
-		contextType = "Attached remote browser"
-	}
-
-	fmt.Printf("%s %s\n", bold(c, "Browser context:"), contextType)
-	fmt.Printf("%s %s\n", bold(c, "Session:"), session.Name)
 
-	if session.Process != nil && session.Process.DebugURL != "" {
-		fmt.Printf("%s %s\n", bold(c, "Debug URL:"), session.Process.DebugURL)
-	} else if session.Remote != nil {
-		fmt.Printf("%s %s\n", bold(c, "Remote URL:"), session.Remote.WSURL)
+	if session, ok := result["session"].(map[string]any); ok {
+		if name, ok := session["name"].(string); ok && name != "" {
+			fmt.Printf("%s %s\n", bold(c, "Session:"), name)
+		}
+	}
+	if url, ok := result["url"].(string); ok && url != "" {
+		fmt.Printf("%s %s\n", bold(c, "URL:"), url)
 	}
 
-	// Tab info
-	fmt.Println()
-	if currentTab != nil {
-		fmt.Printf("%s %s\n", bold(c, "Current tab:"), currentTab.Name)
-		fmt.Printf("%s %s\n", bold(c, "Status:"), string(currentTab.Status))
-		if currentTab.URL != "" {
-			fmt.Printf("%s %s\n", bold(c, "URL:"), currentTab.URL)
+	if tabs, ok := result["tabs"].(map[string]any); ok {
+		if list, ok := tabs["tabs"].([]any); ok && len(list) > 0 {
+			fmt.Printf("%s %d tabs\n", bold(c, "Tabs:"), len(list))
 		}
 	} else {
 		fmt.Println("No current tab selected.")
 		fmt.Println("Run: tap browser open <url>")
 	}
 
-	// Tab count
-	liveCount := 0
-	for _, tab := range session.Tabs {
-		if tab.Status == browser.TabStatusLive {
-			liveCount++
-		}
-	}
-	if len(session.Tabs) > 0 {
-		fmt.Println()
-		fmt.Printf("%s %d total (%d live)\n", bold(c, "Tabs:"), len(session.Tabs), liveCount)
-	}
-
-	return nil
-}
-
-func printStatusJSON(defaultContext *browser.DefaultContextRecord, session *browser.SessionRecord, currentTab *browser.TabRecord, errorState string) error {
-	result := map[string]any{
-		"error": errorState,
-	}
-
-	if defaultContext != nil {
-		result["defaultContext"] = map[string]any{
-			"sessionName": defaultContext.SessionName,
-			"kind":        defaultContext.Kind,
-			"stale":       defaultContext.Stale,
-			"reason":      defaultContext.Reason,
-			"updatedAt":   defaultContext.UpdatedAt,
-		}
-	}
-
-	if session != nil {
-		result["session"] = map[string]any{
-			"name":      session.Name,
-			"mode":      session.Mode,
-			"createdAt": session.CreatedAt,
-		}
-
-		if session.Process != nil {
-			result["process"] = map[string]any{
-				"pid":      session.Process.PID,
-				"debugURL": session.Process.DebugURL,
-			}
-		}
-
-		if session.Remote != nil {
-			result["remote"] = map[string]any{
-				"wsURL": session.Remote.WSURL,
-			}
-		}
-
-		tabs := make([]map[string]any, 0, len(session.Tabs))
-		for name, tab := range session.Tabs {
-			tabInfo := map[string]any{
-				"name":   name,
-				"status": tab.Status,
-				"url":    tab.URL,
-			}
-			tabs = append(tabs, tabInfo)
-		}
-		result["tabs"] = tabs
-
-		if currentTab != nil {
-			result["currentTab"] = map[string]any{
-				"name":   currentTab.Name,
-				"status": currentTab.Status,
-				"url":    currentTab.URL,
-			}
-		}
-	}
-
-	out, err := json.MarshalIndent(result, "", "  ")
-	if err != nil {
-		return fmt.Errorf("marshal status: %w", err)
-	}
-	fmt.Println(string(out))
 	return nil
 }
diff --git a/docs/browser.md b/docs/browser.md
index abb8707..fefd36e 100644
--- a/docs/browser.md
+++ b/docs/browser.md
@@ -1,12 +1,12 @@
 # Browser Automation
 
-Tap now exposes a task-first browser UX for common workflows while keeping the older session/tab/proxy commands for advanced use.
+Tap uses the embedded embedded agent-browser backend — a standalone native binary that provides ~138 commands with zero runtime dependencies.
 
 ## Common workflows
 
 ### Reuse your existing Chrome
 
-Chrome must already expose a DevTools endpoint.
+Chrome must already expose a DevTools endpoint, or use the managed embedded agent-browser backend.
 
 ```bash
 tap attach chrome
@@ -49,7 +49,7 @@ Auth state lives in the resolved browser context:
 tap browser open https://news.ycombinator.com
 tap browser open https://github.com --new-tab
 tap browser tabs
-tap browser switch tab-2
+tap browser switch t2
 tap browser screenshot --output github.png
 tap browser status
 ```
@@ -57,7 +57,7 @@ tap browser status
 Default behavior:
 - `tap browser open <url>` navigates the current tab
 - `--new-tab` creates another tracked tab
-- `tap browser tabs` shows stable tab IDs like `tab-1`, `tab-2`
+- `tap browser tabs` shows stable tab IDs like `t1`, `t2`
 - `tap browser switch <tab-id>` switches by exact ID
 - `tap browser close-tab` closes the current tab
 
@@ -76,7 +76,7 @@ Or launch and attach in one step:
 tap attach electron --launch /Applications/MyApp.app/Contents/MacOS/MyApp
 ```
 
-`--port` must be a **browser CDP port**, not a generic Node inspector port.
+`--port` must be a **browser DevTools port**, not a generic Node inspector port.
 
 ## Status commands
 
@@ -140,6 +140,7 @@ Common commands expose browser-related flags directly:
 --timeout <duration>   Set execution timeout
 --browser-url <url>    One-shot DevTools override
 --profile-dir <path>   One-shot profile override
+--lightpanda, --lp     Use Lightpanda as the browser engine
 ```
 
 Compatibility aliases remain accepted:
diff --git a/docs/command-ux-migration.md b/docs/command-ux-migration.md
index 7fa9356..f80f143 100644
--- a/docs/command-ux-migration.md
+++ b/docs/command-ux-migration.md
@@ -52,7 +52,7 @@ tap site -b github/notifications
 tap browser open https://news.ycombinator.com
 tap browser open https://github.com --new-tab
 tap browser tabs
-tap browser switch tab-2
+tap browser switch t2
 ```
 
 ## Browser-related flags
@@ -67,4 +67,3 @@ Use these on `site`, `fetch`, and relevant `browser` commands:
 - `--timeout`
 - `--browser-url`
 - `--profile-dir`
-- `--lightpanda`
diff --git a/docs/network.md b/docs/network.md
index 2d36f30..8b53a34 100644
--- a/docs/network.md
+++ b/docs/network.md
@@ -1,336 +1,53 @@
 # Network Interception
 
-Tap can capture, inspect, and intercept network requests on the current browser tab using Chrome DevTools Protocol (CDP). This covers two use cases:
-
-- **Passive capture** (Network domain): observe requests, wait for specific API responses, stream network logs
-- **Active interception** (Fetch domain): block, mock, or modify requests
-
-All commands operate on the resolved current tab. Advanced `--session` and `--tab` overrides still exist but are hidden from the common UX.
-
-## Quick Start
-
-```bash
-# Open a page in the default browser context
-tap browser open https://example.com
-
-# Wait for a specific API request to complete
-tap browser network wait --url-pattern "*/api/*"
-
-# Stream all network activity as NDJSON
-tap browser network log
-
-# Block ad requests
-tap browser network intercept --block --url-pattern "*.ads.*"
-
-# Clear interception rules
-tap browser network clear
-```
+Tap forwards network commands to agent-browser for the current managed or attached browser session.
 
 ## Commands
 
-### `tap browser network wait`
-
-Block until a network request matching filters completes, then print the captured entry.
-
-```bash
-tap browser network wait [flags]
-```
-
-| Flag | Description | Default |
-|---|---|---|
-| `--url-pattern` | Glob pattern (`*` matches any chars including `/`) | match all |
-| `--method` | HTTP method(s), comma-separated | match all |
-| `--resource-type` | Resource type(s), comma-separated (e.g. `XHR,Fetch,Document`) | match all |
-| `--timeout` | Maximum time to wait | `30s` |
-| `--body` | Include the response body in output | `false` |
-| `--format` | Output format: `pretty`, `json`, `raw` | `pretty` |
-
-```bash
-# Wait for any XHR/Fetch request
-tap browser network wait --resource-type XHR,Fetch
-
-# Wait for a specific API endpoint and capture the response body
-tap browser network wait --url-pattern "*/api/search*" --body --timeout 10s
-
-# Wait for a POST request
-tap browser network wait --url-pattern "*/graphql" --method POST --body --format json
-```
-
-The output is a `NetworkEntry` object:
-
-```json
-{
-  "requestId": "1234.56",
-  "url": "https://example.com/api/search?q=hello",
-  "method": "GET",
-  "status": 200,
-  "mimeType": "application/json",
-  "resourceType": "XHR",
-  "reqHeaders": { "Accept": "application/json" },
-  "resHeaders": { "Content-Type": "application/json" },
-  "body": "{\"results\": [...]}",
-  "timestamp": "2026-04-02T12:00:00Z"
-}
-```
-
-If a request fails before receiving a response (DNS failure, connection refused), the entry has `status: 0` and a populated `error` field.
-
-### `tap browser network body`
-
-Fetch the response body for a completed request by its request ID.
-
 ```bash
-tap browser network body <requestId> [flags]
-```
-
-| Flag | Description | Default |
-|---|---|---|
-| `--format` | `raw` (binary to stdout) or `json` (base64-encoded) | `raw` |
-
-```bash
-# Get the request ID from a previous wait/log
-tap browser network wait --url-pattern "*/api/data" --format json | jq -r .requestId
-# => 1234.56
-
-# Fetch the body
-tap browser network body "1234.56"
-tap browser network body "1234.56" --format json
-```
-
-### `tap browser network log`
-
-Stream completed network requests as newline-delimited JSON (NDJSON).
-
-```bash
-tap browser network log [flags]
-```
-
-| Flag | Description | Default |
-|---|---|---|
-| `--url-pattern` | Glob pattern to filter URLs | match all |
-| `--method` | HTTP method(s), comma-separated | match all |
-| `--resource-type` | Resource type(s), comma-separated | match all |
-| `--timeout` | Duration to capture (0 = until interrupted) | `0` |
+# List captured requests
+tap browser network requests
+tap browser network requests --filter "*/api/*"
 
-```bash
-# Stream all network requests
-tap browser network log
+# Route or block matching requests
+tap browser network route "*.ads.*" --abort
+tap browser network route "*/api/mock" --body '{"ok":true}'
 
-# Only XHR/Fetch requests for 30 seconds
-tap browser network log --resource-type XHR,Fetch --timeout 30s
+# Remove routes
+tap browser network unroute
+tap browser network unroute "*.ads.*"
 
-# Filter to API calls, pipe through jq
-tap browser network log --url-pattern "*/api/*" | jq '.url, .status'
+# HAR capture
+tap browser network har start /tmp/session.har
+tap browser network har stop
 ```
 
-Each line is a JSON `NetworkEntry` object. The stream runs until `--timeout` expires or the process is interrupted (Ctrl-C).
+All arguments after the tap subcommand are passed through to agent-browser. Use `--session <name>` with these pass-through commands to target a named tap session.
 
-### `tap browser network intercept`
+## Common workflows
 
-Set Fetch domain interception rules. Rules are **replace-all**: each invocation replaces any previously set rules.
+### Inspect API calls
 
 ```bash
-tap browser network intercept [flags]
+tap browser open https://example.com --show
+tap browser network requests --filter api
 ```
 
-| Flag | Description | Default |
-|---|---|---|
-| `--url-pattern` | Glob pattern to match request URLs | match all |
-| `--method` | HTTP method(s), comma-separated | match all |
-| `--resource-type` | Resource type(s), comma-separated | match all |
-| `--block` | Block matching requests | `false` |
-| `--header` | Add/override a request header (repeatable, `"Key: Value"`) | — |
-| `--respond` | Mock response body | — |
-| `--status` | Mock response HTTP status code | `200` |
-| `--content-type` | Mock response Content-Type | `application/json` |
-
-The `--block` and `--respond` flags are mutually exclusive.
-
-The process stays alive while interception is active. Press Ctrl-C to stop.
+### Block noisy requests
 
 ```bash
-# Block ad/tracking requests
-tap browser network intercept --block --url-pattern "*.doubleclick.net*"
-tap browser network intercept --block --url-pattern "*.google-analytics.com*"
-
-# Mock an API endpoint
-tap browser network intercept \
-  --url-pattern "*/api/user/profile" \
-  --respond '{"name":"test","plan":"premium"}' \
-  --status 200
-
-# Add an auth header to all API requests
-tap browser network intercept \
-  --url-pattern "*/api/*" \
-  --header "Authorization: Bearer tok_abc123"
-
-# Combine header injection with content-type
-tap browser network intercept \
-  --url-pattern "*/api/*" \
-  --header "Authorization: Bearer tok_abc123" \
-  --header "X-Custom: value"
+tap browser network route "*.doubleclick.net*" --abort
+tap browser reload
 ```
 
-### `tap browser network clear`
-
-Disable the Fetch domain and remove all interception rules.
+### Clear interception rules
 
 ```bash
-tap browser network clear
+tap browser network unroute
 ```
 
-This only clears active interception rules. Passive capture (`wait`, `log`) is unaffected.
-
-## URL Pattern Syntax
-
-URL patterns use glob-style matching where `*` matches **any characters including `/`**. This differs from `filepath.Match` which treats `/` as a boundary.
-
-| Pattern | Matches | Doesn't Match |
-|---|---|---|
-| `*/api/*` | `https://example.com/api/v1/users` | `https://example.com/other/v1` |
-| `*.ads.*` | `https://tracker.ads.example.com/pixel` | `https://tracker-ads-example.com/pixel` |
-| `*/search?q=*` | `https://example.com/search?q=hello` | `https://example.com/search` |
-| `*` | anything | — |
-
-An empty pattern (or omitted `--url-pattern`) matches all URLs.
-
-## Resource Types
-
-CDP resource types correspond to how Chrome classifies each request:
+## Notes
 
-| Type | Description |
-|---|---|
-| `Document` | HTML pages |
-| `Stylesheet` | CSS files |
-| `Image` | Images |
-| `Media` | Audio/video |
-| `Font` | Web fonts |
-| `Script` | JavaScript files |
-| `XHR` | XMLHttpRequest |
-| `Fetch` | Fetch API requests |
-| `WebSocket` | WebSocket connections |
-| `Other` | Everything else |
-
-Use `--resource-type XHR,Fetch` to capture only API calls.
-
-## Use Cases
-
-### Capture API responses behind SPAs
-
-Many modern sites (Twitter/X, Instagram, Reddit) load data via internal API calls. The JSON from these APIs is far cleaner than scraping the DOM.
-
-```bash
-tap browser open https://x.com/elonmusk --show
-
-# Wait for the tweets API endpoint
-tap browser network wait --url-pattern "*/UserTweets*" --body --format json
-```
-
-### Debug page network activity
-
-Record what a page loads to find hidden API endpoints or audit third-party requests.
-
-```bash
-tap browser network log --timeout 30s | jq '{url: .url, status: .status, type: .resourceType}'
-```
-
-### Wait for API response after a user action
-
-Fill a search form and capture the resulting API call.
-
-```bash
-# In one terminal: start waiting for the search API
-tap browser network wait --url-pattern "*/api/search*" --body
-
-# In another terminal: trigger the search
-tap browser fill "#search" "golang" --submit "#submit-btn"
-```
-
-### Speed up page loads by blocking resources
-
-Block ads, trackers, and heavy assets.
-
-```bash
-tap browser network intercept --block --url-pattern "*.doubleclick.net*"
-
-# Navigate — the blocked requests will fail immediately
-tap browser navigate https://news-site.com/article
-```
-
-### Inject authentication headers
-
-Add auth tokens to API requests without modifying the page.
-
-```bash
-tap browser network intercept \
-  --url-pattern "*/api/*" \
-  --header "Authorization: Bearer tok_abc123"
-```
-
-### Mock API responses for testing
-
-Return custom responses to test frontend behavior.
-
-```bash
-tap browser network intercept \
-  --url-pattern "*/api/feature-flags" \
-  --respond '{"dark_mode": true, "beta_features": true}' \
-  --status 200
-
-tap browser navigate https://app.example.com
-tap browser screenshot --output with-feature-flags.png
-```
-
-## Limitations
-
-- **Chrome only.** Network interception requires Chrome/Chromium. Lightpanda does not support the Network or Fetch CDP domains. Run `tap doctor` to verify Chrome is installed.
-- **Ephemeral.** Network logs are not persisted. They exist only for the lifetime of the `wait`/`log` process.
-- **`body` fetch may fail** for redirected or cached requests. This is a CDP limitation.
-- **`intercept` is process-bound.** The interception goroutine runs in the `tap browser network intercept` process. When the process exits, interception stops.
-- **`log` channel buffer.** The log stream buffers up to 256 entries. If the consumer can't keep up, newer entries are dropped silently.
-- **No WebSocket frame capture.** Only HTTP/HTTPS requests are captured.
-
-## Go Library
-
-The network primitives are available as Go functions in the `browser` package:
-
-```go
-import "github.com/vaayne/tap/browser"
-
-// Wait for a matching request (single-shot)
-entry, err := browser.WaitForRequest(ctx, debugURL, targetID, browser.NetworkFilter{
-    URLPattern: "*/api/*",
-    Methods:    []string{"GET"},
-}, true) // includeBody
-
-// Fetch response body by request ID
-body, err := browser.GetResponseBody(ctx, debugURL, targetID, "1234.56")
-
-// Stream network activity
-ch, cancel, err := browser.EnableNetworkLog(ctx, debugURL, targetID, browser.NetworkFilter{})
-defer cancel()
-for entry := range ch {
-    fmt.Println(entry.URL, entry.Status)
-}
-
-// Set interception rules
-cancel, err := browser.SetInterceptRules(ctx, debugURL, targetID, []browser.InterceptRule{
-    {Filter: browser.NetworkFilter{URLPattern: "*.ads.*"}, Block: true},
-})
-defer cancel()
-
-// Clear interception
-err = browser.ClearIntercept(ctx, debugURL, targetID)
-```
-
-Or use the `Manager` for session/tab resolution:
-
-```go
-mgr := browser.NewManager(store)
-
-entry, err := mgr.NetworkWait(ctx, "session", "tab", filter, true)
-body, err := mgr.NetworkGetBody(ctx, "session", "tab", "1234.56")
-ch, cancel, err := mgr.NetworkLog(ctx, "session", "tab", filter)
-err = mgr.NetworkIntercept(ctx, "session", "tab", rules)
-err = mgr.NetworkClearIntercept(ctx, "session", "tab")
-```
+- Request history is collected by the browser backend for the active session.
+- Route rules apply while the agent-browser session is active.
+- For exact flag support, run `agent-browser network <action> --help` or `agent-browser skills get core --full`.
diff --git a/engine/browser.go b/engine/browser.go
index 45612fc..77e58d7 100644
--- a/engine/browser.go
+++ b/engine/browser.go
@@ -4,24 +4,26 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"os"
 
+	"github.com/vaayne/tap/browser"
 	"github.com/vaayne/tap/script"
 	"github.com/vaayne/tap/transport"
 )
 
-// Browser executes scripts in a real Chrome browser via CDP.
+// Browser executes scripts in a real browser via agent-browser.
 type Browser struct {
-	transport *transport.Transport
-	pauseFn   transport.PauseFunc
+	agentBrowser *browser.AgentBrowser
+	pauseFn      transport.PauseFunc
 }
 
-// NewBrowser creates a new Browser engine backed by the given transport.
-func NewBrowser(tp *transport.Transport, pauseFn transport.PauseFunc) *Browser {
-	return &Browser{transport: tp, pauseFn: pauseFn}
+// NewBrowser creates a new Browser engine backed by agent-browser.
+func NewBrowser(ab *browser.AgentBrowser, pauseFn transport.PauseFunc) *Browser {
+	return &Browser{agentBrowser: ab, pauseFn: pauseFn}
 }
 
 func (b *Browser) Name() string { return "Browser" }
-func (b *Browser) Close() error { return nil }
+func (b *Browser) Close() error  { return nil }
 
 func (b *Browser) Run(ctx context.Context, s *script.Script, args map[string]string, opts RunOpts) (any, error) {
 	argsJSON, err := json.Marshal(args)
@@ -36,5 +38,36 @@ func (b *Browser) Run(ctx context.Context, s *script.Script, args map[string]str
 		navURL = "https://" + s.Meta.Domain
 	}
 
-	return b.transport.BrowseEvalWithPause(ctx, navURL, js, b.pauseFn, opts.Headers)
+	// Preserve the native fetch before page scripts can override it.
+	preserveNativeFetch := `window.__nativeFetch = window.fetch.bind(window);`
+	tmpfile, err := os.CreateTemp("", "tap-init-*.js")
+	if err != nil {
+		return nil, fmt.Errorf("browse eval: %w", err)
+	}
+	defer func() { _ = os.Remove(tmpfile.Name()) }()
+	if _, err := tmpfile.WriteString(preserveNativeFetch); err != nil {
+		_ = tmpfile.Close()
+		return nil, fmt.Errorf("write init script: %w", err)
+	}
+	if err := tmpfile.Close(); err != nil {
+		return nil, fmt.Errorf("close init script: %w", err)
+	}
+
+	openOpts := browser.OpenOpts{InitScript: tmpfile.Name()}
+	if len(opts.Headers) > 0 {
+		openOpts.Headers = opts.Headers
+	}
+	if err := b.agentBrowser.Open(ctx, navURL, openOpts); err != nil {
+		return nil, fmt.Errorf("browse eval: %w", err)
+	}
+	if b.pauseFn != nil {
+		if err := b.pauseFn(ctx); err != nil {
+			return nil, fmt.Errorf("pause: %w", err)
+		}
+	}
+	wrappedJS := fmt.Sprintf(
+		`(function(){ const fetch = window.__nativeFetch || window.fetch; return %s; })()`,
+		js,
+	)
+	return b.agentBrowser.Eval(ctx, wrappedJS)
 }
diff --git a/fetch/fetch.go b/fetch/fetch.go
index 3278e59..1491667 100644
--- a/fetch/fetch.go
+++ b/fetch/fetch.go
@@ -9,6 +9,7 @@ import (
 	"log"
 
 	defuddle "github.com/vaayne/go-defuddle"
+	"github.com/vaayne/tap/browser"
 	"github.com/vaayne/tap/transport"
 )
 
@@ -104,7 +105,19 @@ func (f *Fetcher) Fetch(ctx context.Context, url string, opts *Options) (*Result
 }
 
 func (f *Fetcher) fetchViaBrowser(ctx context.Context, url string, opts *Options, defOpts *defuddle.Options) (*Result, error) {
-	html, err := f.transport.BrowseHTMLWithPause(ctx, url, opts.PauseFunc)
+	ab := f.transport.AgentBrowser()
+	if ab == nil {
+		return nil, fmt.Errorf("browser fetch: no agent-browser available")
+	}
+	if err := ab.Open(ctx, url, browser.OpenOpts{}); err != nil {
+		return nil, fmt.Errorf("browser fetch: %w", err)
+	}
+	if opts.PauseFunc != nil {
+		if err := opts.PauseFunc(ctx); err != nil {
+			return nil, fmt.Errorf("pause: %w", err)
+		}
+	}
+	html, err := ab.GetHTML(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("browser fetch: %w", err)
 	}
diff --git a/go.mod b/go.mod
index 0e56fe7..c714b09 100644
--- a/go.mod
+++ b/go.mod
@@ -3,16 +3,12 @@ module github.com/vaayne/tap
 go 1.26
 
 require (
-	github.com/chromedp/cdproto v0.0.0-20260321001828-e3e3800016bc
-	github.com/chromedp/chromedp v0.15.1
 	github.com/fastschema/qjs v0.0.6
-	github.com/gorilla/websocket v1.5.3
 	github.com/joho/godotenv v1.5.1
 	github.com/refraction-networking/utls v1.8.2
 	github.com/urfave/cli/v3 v3.8.0
 	github.com/vaayne/go-defuddle v0.1.2
 	golang.org/x/net v0.47.0
-	golang.org/x/sys v0.42.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -20,13 +16,9 @@ require (
 	github.com/JohannesKaufmann/dom v0.2.0 // indirect
 	github.com/JohannesKaufmann/html-to-markdown/v2 v2.5.0 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
-	github.com/chromedp/sysutil v1.1.0 // indirect
-	github.com/go-json-experiment/json v0.0.0-20260214004413-d219187c3433 // indirect
-	github.com/gobwas/httphead v0.1.0 // indirect
-	github.com/gobwas/pool v0.2.1 // indirect
-	github.com/gobwas/ws v1.4.0 // indirect
 	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/tetratelabs/wazero v1.9.0 // indirect
 	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.31.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 5ae0f1f..14f6921 100644
--- a/go.sum
+++ b/go.sum
@@ -4,34 +4,14 @@ github.com/JohannesKaufmann/html-to-markdown/v2 v2.5.0 h1:mklaPbT4f/EiDr1Q+zPrEt
 github.com/JohannesKaufmann/html-to-markdown/v2 v2.5.0/go.mod h1:D56Cl9r8M5i3UwAchE+LlLc5hPN3kJtdZNVJn06lSHU=
 github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=
 github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
-github.com/chromedp/cdproto v0.0.0-20260321001828-e3e3800016bc h1:wkN/LMi5vc60pBRWx6qpbk/aEvq3/ZVNpnMvsw8PVVU=
-github.com/chromedp/cdproto v0.0.0-20260321001828-e3e3800016bc/go.mod h1:cbyjALe67vDvlvdiG9369P8w5U2w6IshwtyD2f2Tvag=
-github.com/chromedp/chromedp v0.15.1 h1:EJWiPm7BNqDqjYy6U0lTSL5wNH+iNt9GjC3a4gfjNyQ=
-github.com/chromedp/chromedp v0.15.1/go.mod h1:CdTHtUqD/dqaFw/cvFWtTydoEQS44wLBuwbMR9EkOY4=
-github.com/chromedp/sysutil v1.1.0 h1:PUFNv5EcprjqXZD9nJb9b/c9ibAbxiYo4exNWZyipwM=
-github.com/chromedp/sysutil v1.1.0/go.mod h1:WiThHUdltqCNKGc4gaU50XgYjwjYIhKWoHGPTUfWTJ8=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fastschema/qjs v0.0.6 h1:C45KMmQMd21UwsUAmQHxUxiWOfzwTg1GJW0DA0AbFEE=
 github.com/fastschema/qjs v0.0.6/go.mod h1:bbg36wxXnx8g0FdKIe5+nCubrQvHa7XEVWqUptjHt/A=
-github.com/go-json-experiment/json v0.0.0-20260214004413-d219187c3433 h1:vymEbVwYFP/L05h5TKQxvkXoKxNvTpjxYKdF1Nlwuao=
-github.com/go-json-experiment/json v0.0.0-20260214004413-d219187c3433/go.mod h1:tphK2c80bpPhMOI4v6bIc2xWywPfbqi1Z06+RcrMkDg=
-github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU=
-github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
-github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
-github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gobwas/ws v1.4.0 h1:CTaoG1tojrh4ucGPcoJFiAQUAsEWekEWvLy7GsVNqGs=
-github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakrc=
-github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
-github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
 github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
-github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80 h1:6Yzfa6GP0rIo/kULo2bwGEkFvCePZ3qHDDTC3/J9Swo=
-github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
-github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde h1:x0TT0RDC7UhAVbbWWBzr41ElhJx5tXPWkIHA2HWPRuw=
-github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/refraction-networking/utls v1.8.2 h1:j4Q1gJj0xngdeH+Ox/qND11aEfhpgoEvV+S9iJ2IdQo=
@@ -54,7 +34,6 @@ golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
 golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
 golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
 golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
diff --git a/mise.toml b/mise.toml
index 9441989..c1cdbde 100644
--- a/mise.toml
+++ b/mise.toml
@@ -5,16 +5,23 @@ goreleaser = "latest"
 node = "latest"
 pnpm = "latest"
 
+[tasks.prepare-agent-browser]
+description = "Download agent-browser binaries used by go:embed"
+run = "scripts/prepare-agent-browser.sh"
+
 [tasks.build]
 description = "Build the tap binary"
+depends = ["prepare-agent-browser"]
 run = "go build -o bin/tap ./cmd/tap"
 
 [tasks.test]
 description = "Run tests"
+depends = ["prepare-agent-browser"]
 run = "go test ./..."
 
 [tasks.lint]
 description = "Run golangci-lint"
+depends = ["prepare-agent-browser"]
 run = "golangci-lint run"
 
 [tasks.fmt]
@@ -32,6 +39,7 @@ run = "rm -rf bin/"
 
 [tasks.release]
 description = "Build a snapshot release with goreleaser"
+depends = ["prepare-agent-browser"]
 run = "goreleaser release --snapshot --clean"
 
 [tasks.tidy]
diff --git a/options.go b/options.go
index a568685..ec8008f 100644
--- a/options.go
+++ b/options.go
@@ -82,7 +82,7 @@ func WithPause(fn transport.PauseFunc) Option {
 	}
 }
 
-// WithBrowserType selects the browser backend ("chrome" or "lightpanda").
+// WithBrowserType selects the agent-browser engine ("chrome" or "lightpanda").
 func WithBrowserType(bt transport.BrowserType) Option {
 	return func(o *options) {
 		o.browserType = bt
diff --git a/scripts/prepare-agent-browser.sh b/scripts/prepare-agent-browser.sh
new file mode 100755
index 0000000..e30f6cd
--- /dev/null
+++ b/scripts/prepare-agent-browser.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+VERSION="${AGENT_BROWSER_VERSION:-0.27.0}"
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+OUT_DIR="$ROOT/browser/bin"
+BASE_URL="https://github.com/vercel-labs/agent-browser/releases/download/v${VERSION}"
+
+mkdir -p "$OUT_DIR"
+
+fetch() {
+  local asset="$1"
+  local path="$OUT_DIR/$asset"
+  if [ -s "$path" ]; then
+    return 0
+  fi
+  local tmp="$path.tmp"
+  echo "Downloading $asset"
+  curl -fsSL -o "$tmp" "$BASE_URL/$asset"
+  chmod 0755 "$tmp"
+  mv "$tmp" "$path"
+}
+
+fetch agent-browser-darwin-arm64
+fetch agent-browser-darwin-x64
+fetch agent-browser-linux-arm64
+fetch agent-browser-linux-x64
+fetch agent-browser-win32-x64.exe
diff --git a/skills/tap-web/SKILL.md b/skills/tap-web/SKILL.md
index 02538ba..b5d35d1 100644
--- a/skills/tap-web/SKILL.md
+++ b/skills/tap-web/SKILL.md
@@ -8,7 +8,7 @@ description: >
   Supports structured site scripts, readable page extraction, and browser automation
   for tabs, screenshots, forms, cookies, JavaScript evaluation, and network capture.
   Use for web lookup, page reading, content extraction, browser interaction,
-  authenticated sessions, request interception, or CDP-connected desktop apps.
+  authenticated sessions, request interception, or agent-browser-connected desktop apps.
 ---
 
 # tap-web
@@ -96,15 +96,21 @@ tap browser scroll [selector]
 tap browser select <selector|@eN> <value>
 tap browser wait <selector>
 tap browser keypress <key>
-tap browser dialog
 
 # Page state / network
 tap browser forms
 tap browser cookies get|set|clear
-tap browser network wait --url-pattern "*/api/*" --body
-tap browser network log --resource-type XHR,Fetch --timeout 30s
-tap browser network intercept --block --url-pattern "*.ads.*"
-tap browser network clear
+tap browser network requests --filter "*/api/*"
+tap browser network requests --filter api
+tap browser network route "*.ads.*" --abort
+tap browser network unroute
+tap browser set viewport 1280 720
+tap browser storage local get key
+tap browser state save name
+tap browser auth list
+tap browser get url
+tap browser vitals
+tap browser diff screenshot before.png after.png
 ```
 
 ## Browser-backed flags
@@ -117,9 +123,9 @@ tap browser network clear
 | `--wait-selector <sel>` | Wait for a specific element |
 | `--wait-js <expr>` | Wait for a JS condition |
 | `--timeout <dur>` | Limit execution time |
-| `--browser-url <url>` | One-shot DevTools override |
+| `--browser-url <url>` | One-shot agent-browser/DevTools connection override |
 | `--profile-dir <path>` | One-shot profile override |
-| `--lp`, `--lightpanda` | Fast JS rendering without Chrome auth flows |
+| `--lightpanda`, `--lp` | Use Lightpanda as the browser engine |
 
 Compatibility aliases exist, but prefer the names above.
 
@@ -136,7 +142,7 @@ tap browser open https://example.com/login --show
 
 Then reuse that same browser context with `tap site -b`, `tap fetch -b`, and later `tap browser ...` commands.
 
-`tap attach chrome` owns an internal proxy daemon for the attached browser. If that attached state goes stale, normal commands fail explicitly and should be repaired with `tap attach chrome`, not by switching contexts implicitly.
+`tap attach chrome` asks agent-browser to connect to the attached browser. If that attached state goes stale, repair it with `tap attach chrome` or reset it with `tap attach clear`.
 
 ## Context resolution
 
@@ -172,7 +178,7 @@ Never dump full HTML unless there is no cheaper path.
 Preferred order:
 1. Site script
 2. `tap fetch`
-3. `tap browser network wait --body`
+3. `tap browser network requests --filter api`
 4. `tap browser snapshot` for semantic interactive discovery
 5. `tap browser text`
 6. targeted `tap browser evaluate`
diff --git a/skills/tap-web/references/browser.md b/skills/tap-web/references/browser.md
index 642d4df..b719eb6 100644
--- a/skills/tap-web/references/browser.md
+++ b/skills/tap-web/references/browser.md
@@ -50,9 +50,15 @@ tap browser scroll [selector]
 tap browser select <selector|@eN> <value>
 tap browser wait <selector>
 tap browser keypress <key>
-tap browser dialog
 tap browser forms
 tap browser cookies get|set|clear
+tap browser set viewport|device|geo|offline|headers|credentials|media [args...]
+tap browser storage local|session [args...]
+tap browser state save|load|list|show|clear [args...]
+tap browser auth save|login|list|show|delete [args...]
+tap browser get text|html|value|attr|title|url|count|box|styles [args...]
+tap browser vitals [args...]
+tap browser diff snapshot|screenshot|url [args...]
 ```
 
 ## Common workflows
@@ -91,7 +97,7 @@ tap browser open https://github.com
 tap browser open https://news.ycombinator.com
 tap browser open https://github.com --new-tab
 tap browser tabs
-tap browser switch tab-2
+tap browser switch t2
 tap browser screenshot --output github.png
 ```
 
@@ -121,7 +127,7 @@ Tab resolution is:
 ## Notes
 
 - `tap browser open <url>` navigates the current tab by default.
-- `--new-tab` creates a fresh tracked tab with the next stable ID (`tab-1`, `tab-2`, ...).
+- `--new-tab` creates a fresh tab with the next stable agent-browser ID (`t1`, `t2`, ...).
 - `tap browser tabs` is the common tab-management entrypoint.
 - `tap browser status --json` and `tap browser tabs --json` are the machine-readable contracts.
 - `tap browser snapshot` captures a semantic tree and assigns stable refs like `@e1` for interactive nodes.
diff --git a/skills/tap-web/references/network.md b/skills/tap-web/references/network.md
index 9a76875..45c9082 100644
--- a/skills/tap-web/references/network.md
+++ b/skills/tap-web/references/network.md
@@ -1,54 +1,52 @@
 # Network Capture & Interception
 
-Capture, inspect, and intercept network requests on the current browser tab via CDP.
-
-- **Network domain**: `wait`, `log`, `body`
-- **Fetch domain**: `intercept`, `clear`
+Capture, inspect, and intercept network requests on the current browser tab via agent-browser.
 
 ## Commands
 
 ```bash
-tap browser network wait --url-pattern "*/api/*" --body --timeout 30s
-tap browser network body <requestId>
-tap browser network log --resource-type XHR,Fetch --timeout 30s
-tap browser network intercept --block --url-pattern "*.ads.*"
-tap browser network clear
-```
+# List captured requests
+tap browser network requests
+tap browser network requests --filter "*/api/*"
 
-## Quick workflow
+# Route/block requests
+tap browser network route "*.ads.*" --abort
+tap browser network route "*/api/mock" --body '{"ok":true}'
 
-```bash
-tap browser open https://example.com --show
-tap browser network wait --url-pattern "*/api/*" --body --timeout 30s
+# Remove routes
+tap browser network unroute
+tap browser network unroute "*.ads.*"
+
+# HAR capture
+tap browser network har start /tmp/session.har
+tap browser network har stop
 ```
 
-Or stream requests while interacting with the page:
+## Quick workflow
 
 ```bash
-tap browser network log --resource-type XHR,Fetch --timeout 15s
+tap browser open https://example.com --show
+tap browser network requests --filter "*/api/*"
 ```
 
 ## Notes
 
-- Always set `--timeout` on `log`, or it will run until interrupted.
-- Prefer `network wait --body` over scraping DOM when the site has clean JSON APIs.
-- Network interception requires Chrome/CDP; Lightpanda does not support these domains.
-- Commands operate on the resolved current tab. Hidden `--session` / `--tab` overrides still exist for advanced use, but they are not part of the common UX.
+- Prefer `network requests --filter api` over scraping DOM when the site has clean JSON APIs.
+- Network interception runs through agent-browser against managed or attached Chrome sessions.
+- Pass-through commands accept agent-browser flags directly; use `--session <name>` to target a named tap session.
 
 ## Example: capture SPA data
 
 ```bash
 tap browser open https://x.com/elonmusk --show
-tap browser network wait --url-pattern "*/UserTweets*" --body --format json
+tap browser network requests --filter "UserTweets"
 ```
 
 ## Example: capture after a form action
 
 ```bash
-# terminal 1
-tap browser network wait --url-pattern "*/api/search*" --body --timeout 30s
-
-# terminal 2
+tap browser open https://example.com/search --show
 tap browser fill "#search" "golang"
 tap browser keypress Enter
+tap browser network requests --filter "api/search"
 ```
diff --git a/skills/tap-web/references/script-development.md b/skills/tap-web/references/script-development.md
index a316425..0c0a106 100644
--- a/skills/tap-web/references/script-development.md
+++ b/skills/tap-web/references/script-development.md
@@ -18,10 +18,10 @@ Open the target site in the default browser context, then capture its API calls.
 tap browser open https://www.example.com --show
 
 # Trigger the page action you want to inspect, then:
-tap browser network log --resource-type XHR,Fetch --timeout 15s
+tap browser network requests --filter api
 
 # Or wait for one specific request and capture its body
-tap browser network wait --url-pattern "*/api/*" --body --timeout 30s
+tap browser network requests --filter "*/api/*" --timeout 30s
 ```
 
 Focus on:
diff --git a/skills/tap-web/references/site-notes.md b/skills/tap-web/references/site-notes.md
index be43d69..c5aabe2 100644
--- a/skills/tap-web/references/site-notes.md
+++ b/skills/tap-web/references/site-notes.md
@@ -30,7 +30,7 @@ Last updated: 2026-04-07
 
 ## Working endpoints
 - `GET /api/v1/data?q=foo`
-- Best extraction: `tap browser network wait --url-pattern "*/api/v1/*" --body`
+- Best extraction: `tap browser network requests --filter "api/v1"`
 
 ## Broken
 - `GET /old/api` returns 403 since 2026-04-01
diff --git a/tap.go b/tap.go
index f739235..fed92c8 100644
--- a/tap.go
+++ b/tap.go
@@ -25,6 +25,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/vaayne/tap/browser"
 	"github.com/vaayne/tap/engine"
 	"github.com/vaayne/tap/fetch"
 	"github.com/vaayne/tap/script"
@@ -58,6 +59,16 @@ func New(ctx context.Context, optFns ...Option) (*Client, error) {
 		}
 	}
 
+	ab, err := browser.NewAgentBrowser("")
+	if err != nil {
+		return nil, fmt.Errorf("agent-browser: %w", err)
+	}
+	ab.ProfileDir = opts.profileDir
+	ab.Headed = !opts.headless
+	if opts.browserType == transport.BrowserLightpanda {
+		ab.Engine = "lightpanda"
+	}
+
 	tp, err := transport.New(ctx, transport.Config{
 		WSURL:      opts.wsURL,
 		ProfileDir: opts.profileDir,
@@ -77,12 +88,12 @@ func New(ctx context.Context, optFns ...Option) (*Client, error) {
 	var engines []engine.Engine
 	if opts.forceBrowser {
 		engines = []engine.Engine{
-			engine.NewBrowser(tp, opts.pauseFn),
+			engine.NewBrowser(ab, opts.pauseFn),
 		}
 	} else {
 		engines = []engine.Engine{
 			engine.NewQuickJS(tp),
-			engine.NewBrowser(tp, opts.pauseFn),
+			engine.NewBrowser(ab, opts.pauseFn),
 		}
 	}
 
diff --git a/transport/transport.go b/transport/transport.go
index d9937f2..5ee1ba6 100644
--- a/transport/transport.go
+++ b/transport/transport.go
@@ -1,5 +1,5 @@
 // Package transport provides a shared network layer for fetching web content.
-// It supports two levels: direct HTTP and browser-based (CDP).
+// It supports two levels: direct HTTP and browser-based (agent-browser).
 package transport
 
 import (
@@ -8,22 +8,20 @@ import (
 	"io"
 	"net/http"
 	"os"
-	"path/filepath"
 
-	"github.com/chromedp/cdproto/network"
-	"github.com/chromedp/cdproto/page"
-	"github.com/chromedp/cdproto/runtime"
-	"github.com/chromedp/chromedp"
 	"github.com/vaayne/tap/browser"
 )
 
 // BrowserType identifies which browser backend to use.
+// Deprecated: agent-browser is the only backend.
 type BrowserType string
 
 const (
 	// BrowserChrome uses the system Chrome/Chromium (default).
+	// Deprecated: agent-browser manages Chrome internally.
 	BrowserChrome BrowserType = "chrome"
 	// BrowserLightpanda uses the Lightpanda headless browser.
+	// Deprecated: not supported with agent-browser.
 	BrowserLightpanda BrowserType = "lightpanda"
 )
 
@@ -35,52 +33,33 @@ type Config struct {
 	ProfileDir string
 	// Headless controls whether Chrome runs in headless mode (default: true).
 	Headless bool
-	// Browser selects the browser backend (default: "chrome").
+	// Browser selects the agent-browser engine (default: "chrome").
 	Browser BrowserType
 }
 
 // Transport provides shared HTTP and browser-based network access.
 type Transport struct {
-	config     Config
-	http       *http.Client
-	lightpanda *browser.Lightpanda
-
-	// lpAllocCtx is a shared CDP allocator context for Lightpanda.
-	// Created once at startup, reused for each browser context.
-	lpAllocCtx    context.Context
-	lpAllocCancel context.CancelFunc
+	config       Config
+	http         *http.Client
+	agentBrowser *browser.AgentBrowser
 }
 
 // New creates a new Transport with the given config.
-// If the Lightpanda browser backend is selected, it downloads (if needed)
-// and starts the Lightpanda server eagerly so errors surface immediately.
 func New(ctx context.Context, config Config) (*Transport, error) {
-	if config.WSURL != "" {
-		resolvedURL, err := browser.ResolveDebugURL(ctx, config.WSURL)
-		if err != nil {
-			return nil, fmt.Errorf("resolve debug endpoint: %w", err)
-		}
-		config.WSURL = resolvedURL
+	ab, err := browser.NewAgentBrowser("")
+	if err != nil {
+		return nil, fmt.Errorf("agent-browser: %w", err)
 	}
-
-	t := &Transport{
-		config: config,
-		http:   newHTTPClient(),
+	ab.ProfileDir = config.ProfileDir
+	ab.Headed = !config.Headless
+	if config.Browser == BrowserLightpanda {
+		ab.Engine = "lightpanda"
 	}
 
-	if config.Browser == BrowserLightpanda && config.WSURL == "" {
-		lp := browser.NewLightpanda("", "")
-		if err := lp.Start(ctx); err != nil {
-			return nil, fmt.Errorf("start lightpanda: %w", err)
-		}
-		t.lightpanda = lp
-
-		// Create a shared allocator for the Lightpanda lifetime.
-		allocCtx, allocCancel := chromedp.NewRemoteAllocator(
-			context.Background(), lp.WSURL(), chromedp.NoModifyURL,
-		)
-		t.lpAllocCtx = allocCtx
-		t.lpAllocCancel = allocCancel
+	t := &Transport{
+		config:       config,
+		http:         newHTTPClient(),
+		agentBrowser: ab,
 	}
 
 	return t, nil
@@ -88,15 +67,14 @@ func New(ctx context.Context, config Config) (*Transport, error) {
 
 // Close releases resources held by the transport.
 func (t *Transport) Close() error {
-	if t.lpAllocCancel != nil {
-		t.lpAllocCancel()
-	}
-	if t.lightpanda != nil {
-		t.lightpanda.Stop()
-	}
 	return nil
 }
 
+// AgentBrowser returns the underlying agent-browser adapter.
+func (t *Transport) AgentBrowser() *browser.AgentBrowser {
+	return t.agentBrowser
+}
+
 // GetHTML fetches a URL via direct HTTP and returns the response body as a string.
 func (t *Transport) GetHTML(ctx context.Context, url string) (string, error) {
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
@@ -143,29 +121,18 @@ func (t *Transport) BrowseHTML(ctx context.Context, url string) (string, error)
 
 // BrowseHTMLWithPause is like BrowseHTML but calls pauseFn after navigation.
 func (t *Transport) BrowseHTMLWithPause(ctx context.Context, url string, pauseFn PauseFunc) (string, error) {
-	bctx, cancel := t.newBrowserContext(ctx)
-	defer cancel()
-
-	if err := chromedp.Run(bctx,
-		chromedp.Navigate(url),
-		chromedp.WaitReady("body"),
-	); err != nil {
+	if err := t.agentBrowser.Open(ctx, url, browser.OpenOpts{}); err != nil {
 		return "", fmt.Errorf("browse html: %w", err)
 	}
-
 	if pauseFn != nil {
-		if err := pauseFn(bctx); err != nil {
+		if err := pauseFn(ctx); err != nil {
 			return "", fmt.Errorf("pause: %w", err)
 		}
 	}
-
-	var html string
-	if err := chromedp.Run(bctx,
-		chromedp.OuterHTML("html", &html),
-	); err != nil {
+	html, err := t.agentBrowser.GetHTML(ctx)
+	if err != nil {
 		return "", fmt.Errorf("browse html: %w", err)
 	}
-
 	return html, nil
 }
 
@@ -176,57 +143,42 @@ func (t *Transport) BrowseEval(ctx context.Context, url string, js string, heade
 
 // BrowseEvalWithPause is like BrowseEval but calls pauseFn after navigation.
 func (t *Transport) BrowseEvalWithPause(ctx context.Context, url string, js string, pauseFn PauseFunc, headers map[string]string) (any, error) {
-	bctx, cancel := t.newBrowserContext(ctx)
-	defer cancel()
-
-	// Preserve the native fetch before page scripts can override it.
-	// Some sites (e.g. GitHub) replace window.fetch with a custom
-	// implementation that blocks cross-origin requests.
 	preserveNativeFetch := `window.__nativeFetch = window.fetch.bind(window);`
 
-	// Wrap the user script so that `fetch` resolves to the preserved native version.
+	tmpfile, err := os.CreateTemp("", "tap-init-*.js")
+	if err != nil {
+		return nil, fmt.Errorf("browse eval: %w", err)
+	}
+	defer func() { _ = os.Remove(tmpfile.Name()) }()
+	if _, err := tmpfile.WriteString(preserveNativeFetch); err != nil {
+		_ = tmpfile.Close()
+		return nil, fmt.Errorf("browse eval: %w", err)
+	}
+	if err := tmpfile.Close(); err != nil {
+		return nil, fmt.Errorf("browse eval: %w", err)
+	}
+
 	wrappedJS := fmt.Sprintf(
 		`(function(){ const fetch = window.__nativeFetch || window.fetch; return %s; })()`,
 		js,
 	)
 
-	actions := []chromedp.Action{
-		chromedp.ActionFunc(func(ctx context.Context) error {
-			_, err := page.AddScriptToEvaluateOnNewDocument(preserveNativeFetch).Do(ctx)
-			return err
-		}),
-	}
+	openOpts := browser.OpenOpts{InitScript: tmpfile.Name()}
 	if len(headers) > 0 {
-		nh := make(network.Headers, len(headers))
-		for k, v := range headers {
-			nh[k] = v
-		}
-		actions = append(actions, network.SetExtraHTTPHeaders(nh))
+		openOpts.Headers = headers
 	}
-	actions = append(actions,
-		chromedp.Navigate(url),
-		chromedp.WaitReady("body"),
-	)
-
-	if err := chromedp.Run(bctx, actions...); err != nil {
+	if err := t.agentBrowser.Open(ctx, url, openOpts); err != nil {
 		return nil, fmt.Errorf("browse eval: %w", err)
 	}
-
 	if pauseFn != nil {
-		if err := pauseFn(bctx); err != nil {
+		if err := pauseFn(ctx); err != nil {
 			return nil, fmt.Errorf("pause: %w", err)
 		}
 	}
-
-	var result any
-	if err := chromedp.Run(bctx,
-		chromedp.Evaluate(wrappedJS, &result, func(p *runtime.EvaluateParams) *runtime.EvaluateParams {
-			return p.WithReturnByValue(true).WithAwaitPromise(true)
-		}),
-	); err != nil {
+	result, err := t.agentBrowser.Eval(ctx, wrappedJS)
+	if err != nil {
 		return nil, fmt.Errorf("browse eval: %w", err)
 	}
-
 	return result, nil
 }
 
@@ -235,76 +187,13 @@ func (t *Transport) BrowseEvalWithPause(ctx context.Context, url string, js stri
 // with a site (login, solve CAPTCHAs) while cookies are persisted in the
 // Chrome profile directory.
 func (t *Transport) BrowseInteractive(ctx context.Context, url string, pauseFn PauseFunc) error {
-	bctx, cancel := t.newBrowserContext(ctx)
-	defer cancel()
-
-	if err := chromedp.Run(bctx,
-		chromedp.Navigate(url),
-		chromedp.WaitReady("body"),
-	); err != nil {
+	if err := t.agentBrowser.Open(ctx, url, browser.OpenOpts{Headed: true}); err != nil {
 		return fmt.Errorf("browse interactive: %w", err)
 	}
-
 	if pauseFn != nil {
-		if err := pauseFn(bctx); err != nil {
+		if err := pauseFn(ctx); err != nil {
 			return fmt.Errorf("pause: %w", err)
 		}
 	}
-
 	return nil
 }
-
-func (t *Transport) newBrowserContext(parent context.Context) (context.Context, context.CancelFunc) {
-	// Remote CDP endpoint (explicit --ws-url or resolved from an HTTP DevTools base URL).
-	if t.config.WSURL != "" {
-		ctx, cancel1 := chromedp.NewRemoteAllocator(parent, t.config.WSURL, chromedp.NoModifyURL)
-		ctx, cancel2 := chromedp.NewContext(ctx)
-		return ctx, func() { cancel2(); cancel1() }
-	}
-
-	// Lightpanda browser backend.
-	if t.config.Browser == BrowserLightpanda {
-		return t.newLightpandaContext(parent)
-	}
-
-	// Default: local Chrome.
-	opts := append(
-		chromedp.DefaultExecAllocatorOptions[:],
-		chromedp.Flag("headless", t.config.Headless),
-		chromedp.Flag("disable-gpu", true),
-		chromedp.Flag("no-first-run", true),
-		chromedp.Flag("no-default-browser-check", true),
-		chromedp.Flag("disable-web-security", true),
-	)
-
-	profileDir := t.config.ProfileDir
-	if profileDir == "" {
-		profileDir = defaultProfileDir()
-	}
-	opts = append(opts, chromedp.UserDataDir(profileDir))
-
-	ctx, cancel1 := chromedp.NewExecAllocator(parent, opts...)
-	ctx, cancel2 := chromedp.NewContext(ctx)
-	return ctx, func() { cancel2(); cancel1() }
-}
-
-func (t *Transport) newLightpandaContext(parent context.Context) (context.Context, context.CancelFunc) {
-	ctx, cancel1 := chromedp.NewContext(t.lpAllocCtx)
-
-	// Respect the caller's context deadline/cancellation.
-	ctx, cancel2 := context.WithCancel(ctx)
-	go func() {
-		select {
-		case <-parent.Done():
-			cancel2()
-		case <-ctx.Done():
-		}
-	}()
-
-	return ctx, func() { cancel2(); cancel1() }
-}
-
-func defaultProfileDir() string {
-	home, _ := os.UserHomeDir()
-	return filepath.Join(home, ".cache", "tap", "chrome-profile-"+os.Getenv("USER"))
-}