I filed a critical bug against my own tool. Then I read the code — and my own root cause was wrong. A developer filed a critical bug against their own tool, safari-mcp, after discovering that an AI agent could navigate user tabs. However, upon reading the code, they found that the proposed fix had already been implemented three months prior, and the real bug was a different issue in the same function. The bug was a 'ghost proactive fix' that clamped an out-of-range tab index to the current tab count, potentially causing the agent to target the wrong tab. Three days ago I filed the most serious issue my project has ever had — against myself. The tool is safari-mcp https://github.com/achiya-automation/safari-mcp , an MCP server that lets an AI agent drive the Safari you're already logged into. That premise is the whole value proposition, and it's also the whole danger: the user is using this browser at the same time as the agent. The single promise the project makes is "the agent never touches a tab it didn't open." The issue was that the promise had broken. Two of a user's tabs ended up displaying pages the agent had loaded. Nothing was closed — the back-history survived — but scroll position, in-page state, anything unsaved: gone. I wrote up the incident, traced the root cause, and proposed a fix. Then today I opened the file to actually write that fix. My root cause was wrong. The fix I proposed had already shipped, three months ago. And the real bug was sitting four lines below it, wearing the word "fix" in its own log message. Here's what I wrote in the issue: ownedTabs and every tabIndex parameter is a positional handle to a mutable, user-controlled list. Positional handles are only valid as long as nobody else mutates the list. And the proposed fix: Track ownership by a stable identity, not a position. On safari new tab , inject a sentinel into the page e.g. window. safariMcpTabId = "