create-backlist 10.0.3 → 10.0.4

package/src/qa/qa-engine.js

@@ -1,3092 +1,912 @@
 // ═══════════════════════════════════════════════════════════════════════════
-//  Backlist QA Engine — qa-engine.js  v11.0  MAXIMUM EDITION
+//  Backlist Enterprise AI QA Platform — qa-engine.js  v12.0
 //  Copyright (c) W.A.H.ISHAN — MIT License
 //
-//  v11.0 MAXIMUM UPGRADES:
-//  ✦ 200+ test cases across ALL categories
-//  ✦ Zero limits on bug reports
-//  ✦ Deep file system scanner
-//  ✦ Full security audit suite
-//  ✦ Complete API contract validator
-//  ✦ Database schema deep validator
-//  ✦ Auth flow complete validator
-//  ✦ Performance profiler (all routes)
-//  ✦ Docker / CI / CD validator
-//  ✦ Dependency vulnerability scanner
-//  ✦ Code quality scanner
-//  ✦ Environment config validator
-//  ✦ TypeScript strict checker
-//  ✦ Package.json deep validator
-//  ✦ Error handling validator
-//  ✦ Logging infrastructure checker
-//  ✦ CORS + Rate limit deep checker
-//  ✦ HTTP probe (all COMMON_ROUTES)
-//  ✦ SEO full suite per route
-//  ✦ A11y full suite
-//  ✦ Security headers complete scan
-//  ✦ Broken link detector
-//  ✦ Mobile/responsive checker
-//  ✦ JSON schema validator
-//  ✦ Unlimited parallel bug accumulation
+//  REAL RUNTIME TESTING — NO FAKE DATA
+//  Every result is collected from actual browser execution
 // ═══════════════════════════════════════════════════════════════════════════
 
-import * as p    from '@clack/prompts';
-import chalk     from 'chalk';
-import fs        from 'fs-extra';
-import path      from 'node:path';
-import os        from 'node:os';
-import http      from 'node:http';
-import https     from 'node:https';
-import { URL }   from 'node:url';
-import { EventEmitter } from 'node:events';
-import { performance }  from 'node:perf_hooks';
-
-// ── Constants ─────────────────────────────────────────────────────────────
-const VERSION        = '11.0.0';
-const QA_DIR         = path.join(process.cwd(), '.backlist', 'qa');
-const HISTORY_FILE   = path.join(QA_DIR, 'history.json');
-const REPORT_DIR     = path.join(QA_DIR, 'reports');
-
-const SEVERITY_LEVELS    = { P0: 'Critical', P1: 'High', P2: 'Medium', P3: 'Low' };
-const TEST_TYPES         = [
-  'happy-path','validation','auth','edge-case','performance',
-  'security','e2e','ui','seo','a11y','links','http',
-  'database','docker','ci','code-quality','typescript',
-  'environment','logging','error-handling','api-contract',
-  'dependency','cors','rate-limit','file-structure',
-];
-const DEFAULT_TIMEOUT_MS = 20_000;
-const HTTP_TIMEOUT_MS    = 10_000;
-const FLAKY_RETRY_COUNT  = 3;
-const WATCH_INTERVAL_MS  = 30_000;
-
-// ── ALL routes to probe (expanded) ────────────────────────────────────────
-const COMMON_ROUTES = [
-  '/', '/login', '/register', '/dashboard', '/dashboard/analytics',
-  '/dashboard/sales', '/dashboard/reports', '/dashboard/settings',
-  '/profile', '/settings', '/settings/account', '/settings/security',
-  '/admin', '/admin/users', '/admin/dashboard', '/admin/reports',
-  '/about', '/contact', '/pricing', '/faq', '/help', '/support',
-  '/api/health', '/api/status', '/api/v1/health', '/api/v1/status',
-  '/api/v1/users', '/api/v1/products', '/api/v1/orders',
-  '/api/v2/health', '/api/docs', '/api/swagger',
-  '/sitemap.xml', '/robots.txt', '/favicon.ico', '/manifest.json',
-  '/.well-known/security.txt',
-];
-
-// ── Security headers ───────────────────────────────────────────────────────
-const SECURITY_HEADERS = [
-  { header: 'content-security-policy',        label: 'CSP',              sev: 'P1' },
-  { header: 'x-frame-options',                label: 'X-Frame-Options',  sev: 'P1' },
-  { header: 'x-content-type-options',         label: 'X-Content-Type',   sev: 'P2' },
-  { header: 'strict-transport-security',      label: 'HSTS',             sev: 'P1' },
-  { header: 'referrer-policy',                label: 'Referrer-Policy',  sev: 'P2' },
-  { header: 'permissions-policy',             label: 'Permissions',      sev: 'P3' },
-  { header: 'access-control-allow-origin',    label: 'CORS',             sev: 'P2' },
-  { header: 'x-xss-protection',              label: 'XSS-Protection',   sev: 'P2' },
-  { header: 'cross-origin-embedder-policy',   label: 'COEP',             sev: 'P3' },
-  { header: 'cross-origin-opener-policy',     label: 'COOP',             sev: 'P3' },
-  { header: 'cross-origin-resource-policy',   label: 'CORP',             sev: 'P3' },
-  { header: 'cache-control',                  label: 'Cache-Control',    sev: 'P3' },
-];
-
-// ── Dangerous packages ─────────────────────────────────────────────────────
-const DANGEROUS_PACKAGES = [
-  'eval','vm2','node-serialize','serialize-javascript',
-  'shelljs','child_process','exec','execSync',
-];
-
-// ── Known vulnerable package patterns ─────────────────────────────────────
-const VULN_PATTERNS = [
-  { name: 'lodash',       below: '4.17.21', reason: 'Prototype pollution' },
-  { name: 'moment',       below: '2.29.4',  reason: 'ReDoS vulnerability' },
-  { name: 'axios',        below: '1.6.0',   reason: 'SSRF vulnerability'  },
-  { name: 'jsonwebtoken', below: '9.0.0',   reason: 'Algorithm confusion' },
-];
-
-// ── ANSI helpers ──────────────────────────────────────────────────────────
-const ESC         = '\x1b[';
-const CLEAR_LINE  = ESC + '2K\r';
-const CURSOR_UP   = (n) => ESC + `${n}A`;
-const CURSOR_HIDE = ESC + '?25l';
-const CURSOR_SHOW = ESC + '?25h';
-const BOLD        = chalk.bold;
-const DIM         = chalk.dim;
-
-// ── Utilities ─────────────────────────────────────────────────────────────
-function timestamp()     { return new Date().toISOString(); }
-function shortId()       { return Math.random().toString(36).slice(2, 9); }
-function sleep(ms)       { return new Promise(r => setTimeout(r, ms)); }
-function pluralize(n, w) { return `${n} ${n === 1 ? w : w + 's'}`; }
-
-function colorSeverity(sev) {
-  return ({
-    P0: chalk.red.bold,
-    P1: chalk.yellow.bold,
-    P2: chalk.cyan,
-    P3: chalk.gray,
-  }[sev] ?? chalk.white)(sev);
-}
-
-function colorStatus(status) {
-  return ({
-    PASS  : chalk.green('✓ PASS'),
-    FAIL  : chalk.red('✗ FAIL'),
-    SKIP  : chalk.gray('⊘ SKIP'),
-    FLAKY : chalk.yellow('⚠ FLAKY'),
-    RUN   : chalk.cyan('⟳ RUN'),
-  })[status] ?? status;
-}
-
-function buildProgressBar(pct, width = 20) {
-  const filled = Math.min(Math.round((pct / 100) * width), width);
-  const empty  = width - filled;
-  const color  = pct >= 90 ? chalk.green : pct >= 70 ? chalk.yellow : chalk.red;
-  return color('█'.repeat(filled)) + chalk.gray('░'.repeat(empty));
-}
-
-function formatDuration(ms) {
-  if (ms < 1000) return `${ms}ms`;
-  return `${(ms / 1000).toFixed(2)}s`;
-}
-
-function formatBytes(b) {
-  if (b < 1024)         return `${b}B`;
-  if (b < 1024 * 1024)  return `${(b / 1024).toFixed(1)}KB`;
-  return `${(b / 1024 / 1024).toFixed(1)}MB`;
-}
-
-function getSystemStats() {
-  const mem    = process.memoryUsage();
-  const heapMB = (mem.heapUsed / 1024 / 1024).toFixed(1);
-  const rss    = formatBytes(mem.rss);
-  const uptime = process.uptime().toFixed(1);
-  return { heapMB, rss, uptime };
-}
-
-// semver compare (simple)
-function semverLt(a, b) {
-  if (!a || !b) return false;
-  const pa = a.replace(/[^0-9.]/g, '').split('.').map(Number);
-  const pb = b.replace(/[^0-9.]/g, '').split('.').map(Number);
-  for (let i = 0; i < 3; i++) {
-    if ((pa[i] || 0) < (pb[i] || 0)) return true;
-    if ((pa[i] || 0) > (pb[i] || 0)) return false;
-  }
-  return false;
-}
-
-// ─────────────────────────────────────────────────────────────────────────
-//  HTTP Probe Engine
-// ─────────────────────────────────────────────────────────────────────────
-export class HttpProbe {
-  #baseUrl;
-
-  constructor(baseUrl) {
-    this.#baseUrl = baseUrl.replace(/\/$/, '');
-  }
-
-  async fetch(route = '/', options = {}) {
-    const url = this.#baseUrl + route;
-    const t0  = performance.now();
-    try {
-      const controller = new AbortController();
-      const timer = setTimeout(() => controller.abort(), HTTP_TIMEOUT_MS);
-      const res = await fetch(url, {
-        signal : controller.signal,
-        headers: { 'User-Agent': 'Backlist-QA/11.0', ...options.headers },
-        method : options.method || 'GET',
-        redirect: 'follow',
-        ...(options.body ? { body: options.body } : {}),
-      });
-      clearTimeout(timer);
-      const duration = Math.round(performance.now() - t0);
-      const headers  = {};
-      res.headers.forEach((v, k) => { headers[k] = v; });
-      const text = options.readBody ? await res.text().catch(() => '') : '';
-      return { ok: true, status: res.status, headers, duration, url, text };
-    } catch (err) {
-      const duration = Math.round(performance.now() - t0);
-      return { ok: false, status: 0, headers: {}, duration, url, error: err.message };
-    }
-  }
-
-  async probeRoutes(routes = COMMON_ROUTES) {
-    const results = [];
-    for (const route of routes) {
-      const r = await this.fetch(route, { readBody: true });
-      results.push({ route, ...r });
-    }
-    return results;
-  }
-
-  async checkSecurityHeaders(route = '/') {
-    const r = await this.fetch(route);
-    if (!r.ok && r.status === 0) return { ok: false, results: [], error: r.error };
-    const results = SECURITY_HEADERS.map(({ header, label, sev }) => ({
-      header, label, sev,
-      present: header in r.headers,
-      value  : r.headers[header] || null,
-    }));
-    return { ok: true, results };
-  }
-
-  async benchmarkRoute(route = '/', samples = 8) {
-    const timings = [];
-    for (let i = 0; i < samples; i++) {
-      const r = await this.fetch(route);
-      if (r.ok || r.status > 0) timings.push(r.duration);
-      await sleep(80);
-    }
-    if (!timings.length) return { p50: 0, p95: 0, p99: 0, avg: 0, min: 0, max: 0, samples: 0 };
-    timings.sort((a, b) => a - b);
-    const p = (pct) => timings[Math.min(Math.floor(timings.length * pct / 100), timings.length - 1)];
-    return {
-      p50    : p(50),
-      p95    : p(95),
-      p99    : p(99),
-      avg    : Math.round(timings.reduce((a, b) => a + b, 0) / timings.length),
-      min    : timings[0],
-      max    : timings[timings.length - 1],
-      samples: timings.length,
-    };
-  }
-
-  async checkSEO(route = '/') {
-    const r = await this.fetch(route, { readBody: true });
-    if (!r.ok && r.status === 0) return { ok: false, checks: [] };
-    const html   = r.text || '';
-    const checks = [
-      { name: 'Title tag',             pass: /<title[^>]*>[^<]+<\/title>/i.test(html),                        sev: 'P1' },
-      { name: 'Meta description',      pass: /<meta[^>]+name=["']description["'][^>]*content/i.test(html),    sev: 'P2' },
-      { name: 'H1 tag',                pass: /<h1[^>]*>[^<]+<\/h1>/i.test(html),                              sev: 'P1' },
-      { name: 'Viewport meta',         pass: /<meta[^>]+name=["']viewport["'][^>]*>/i.test(html),             sev: 'P1' },
-      { name: 'Lang attribute',        pass: /<html[^>]+lang=["'][^"']+["']/i.test(html),                     sev: 'P2' },
-      { name: 'Canonical link',        pass: /<link[^>]+rel=["']canonical["'][^>]*>/i.test(html),             sev: 'P2' },
-      { name: 'OG title',              pass: /<meta[^>]+property=["']og:title["'][^>]*>/i.test(html),         sev: 'P3' },
-      { name: 'OG description',        pass: /<meta[^>]+property=["']og:description["'][^>]*>/i.test(html),   sev: 'P3' },
-      { name: 'OG image',              pass: /<meta[^>]+property=["']og:image["'][^>]*>/i.test(html),         sev: 'P3' },
-      { name: 'Twitter card',          pass: /<meta[^>]+name=["']twitter:card["'][^>]*>/i.test(html),         sev: 'P3' },
-      { name: 'Structured data',       pass: /application\/ld\+json/i.test(html),                             sev: 'P3' },
-      { name: 'Alt attributes',        pass: !/<img(?![^>]*alt=)[^>]*>/i.test(html),                          sev: 'P2' },
-      { name: 'No broken meta',        pass: !/<meta[^>]*content=["']["']/i.test(html),                       sev: 'P2' },
-    ];
-    return { ok: true, checks, statusCode: r.status };
-  }
-
-  async checkA11y(route = '/') {
-    const r = await this.fetch(route, { readBody: true });
-    if (!r.ok && r.status === 0) return { ok: false, checks: [] };
-    const html   = r.text || '';
-    const checks = [
-      { name: 'html[lang] set',           pass: /<html[^>]+lang=["'][^"']+["']/i.test(html),        sev: 'P1' },
-      { name: 'Viewport meta',            pass: /<meta[^>]+name=["']viewport["'][^>]*>/i.test(html), sev: 'P1' },
-      { name: 'Skip nav link',            pass: /skip.*nav|skip.*content|skip.*main/i.test(html),    sev: 'P2' },
-      { name: 'Main landmark',            pass: /<main[^>]*>/i.test(html),                           sev: 'P2' },
-      { name: 'No images without alt',    pass: !/<img(?![^>]*alt=)[^>]*>/i.test(html),              sev: 'P1' },
-      { name: 'Form labels present',      pass: !/<input(?![^>]*aria-label)(?![^>]*id=)[^>]*>/i.test(html), sev: 'P2' },
-      { name: 'Heading hierarchy',        pass: /<h1/i.test(html),                                   sev: 'P2' },
-      { name: 'No autofocus abuse',       pass: (html.match(/autofocus/gi) || []).length <= 1,        sev: 'P3' },
-      { name: 'ARIA roles used',          pass: /role=/i.test(html),                                  sev: 'P3' },
-      { name: 'Focus visible (class)',    pass: /focus-visible|focus:ring|focus:outline/i.test(html), sev: 'P2' },
-    ];
-    return { ok: true, checks };
-  }
-
-  get baseUrl() { return this.#baseUrl; }
-}
-
-// ─────────────────────────────────────────────────────────────────────────
-//  MAXIMUM URL Test Suite Builder  (100+ HTTP tests)
-// ─────────────────────────────────────────────────────────────────────────
-function buildUrlTestSuite(probe, label = 'target') {
-  const tests = [];
-  const t = (name, type, sev, fn) =>
-    tests.push({ id: shortId(), name: `[${label}] ${name}`, type, sev, fn });
-
-  // ── Connectivity (10 tests) ────────────────────────────────────────────
-  t('Homepage reachable', 'http', 'P0', async () => {
-    const r = await probe.fetch('/');
-    if (!r.ok && r.status === 0) throw new Error(`Connection failed: ${r.error}`);
-    if (r.status >= 500) throw new Error(`Server error: HTTP ${r.status}`);
-  });
-
-  t('Homepage returns 2xx or 3xx', 'http', 'P0', async () => {
-    const r = await probe.fetch('/');
-    if (r.status >= 400) throw new Error(`Unexpected status: ${r.status}`);
-  });
-
-  t('API health endpoint', 'http', 'P0', async () => {
-    const candidates = ['/api/health', '/api/status', '/api/v1/health', '/health', '/ping'];
-    let found = false;
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status >= 200 && r.status < 400) { found = true; break; }
-    }
-    if (!found) throw new Error('No reachable API health endpoint found');
-  });
-
-  t('404 handler works', 'http', 'P1', async () => {
-    const r = await probe.fetch('/this-route-does-not-exist-' + shortId());
-    if (r.status !== 404) throw new Error(`Expected 404, got ${r.status}`);
-  });
-
-  t('405 Method Not Allowed', 'http', 'P2', async () => {
-    const r = await probe.fetch('/', { method: 'DELETE' });
-    if (r.status === 200) throw new Error('DELETE / should not return 200');
-  });
-
-  t('HEAD request supported', 'http', 'P3', async () => {
-    const r = await probe.fetch('/', { method: 'HEAD' });
-    if (r.status >= 500) throw new Error(`HEAD / returned ${r.status}`);
-  });
-
-  t('OPTIONS request supported', 'http', 'P3', async () => {
-    const r = await probe.fetch('/', { method: 'OPTIONS' });
-    if (r.status >= 500) throw new Error(`OPTIONS returned server error ${r.status}`);
-  });
-
-  t('No directory listing exposed', 'http', 'P0', async () => {
-    const r = await probe.fetch('/static', { readBody: true });
-    if (r.text && /index of\//i.test(r.text)) throw new Error('Directory listing exposed at /static');
-  });
-
-  t('No server version in header', 'http', 'P1', async () => {
-    const r = await probe.fetch('/');
-    const server = r.headers['server'] || '';
-    if (/apache\//i.test(server) || /nginx\//i.test(server) || /express/i.test(server)) {
-      throw new Error(`Server version exposed: ${server}`);
-    }
-  });
-
-  t('No X-Powered-By header', 'http', 'P1', async () => {
-    const r = await probe.fetch('/');
-    if (r.headers['x-powered-by']) throw new Error(`X-Powered-By exposed: ${r.headers['x-powered-by']}`);
-  });
-
-  // ── Security Headers (12 tests) ────────────────────────────────────────
-  t('CSP header present', 'security', 'P1', async () => {
-    const r = await probe.fetch('/');
-    if (!r.headers['content-security-policy']) throw new Error('Missing Content-Security-Policy header');
-  });
-
-  t('HSTS header present', 'security', 'P1', async () => {
-    const r = await probe.fetch('/');
-    if (!r.headers['strict-transport-security']) throw new Error('Missing Strict-Transport-Security header');
-  });
-
-  t('X-Frame-Options present', 'security', 'P1', async () => {
-    const r = await probe.fetch('/');
-    const xfo = r.headers['x-frame-options'];
-    if (!xfo) throw new Error('Missing X-Frame-Options header — clickjacking risk');
-    if (!['DENY','SAMEORIGIN'].includes(xfo.toUpperCase()))
-      throw new Error(`X-Frame-Options value invalid: ${xfo}`);
-  });
-
-  t('X-Content-Type-Options present', 'security', 'P2', async () => {
-    const r = await probe.fetch('/');
-    if (r.headers['x-content-type-options'] !== 'nosniff')
-      throw new Error('Missing or incorrect X-Content-Type-Options header');
-  });
-
-  t('Referrer-Policy present', 'security', 'P2', async () => {
-    const r = await probe.fetch('/');
-    if (!r.headers['referrer-policy']) throw new Error('Missing Referrer-Policy header');
-  });
-
-  t('All security headers scan', 'security', 'P1', async () => {
-    const scan = await probe.checkSecurityHeaders('/');
-    if (!scan.ok) throw new Error(`Could not reach server: ${scan.error}`);
-    const critical = scan.results.filter(r => !r.present && (r.sev === 'P0' || r.sev === 'P1'));
-    if (critical.length > 0)
-      throw new Error(`Missing critical headers: ${critical.map(r => r.label).join(', ')}`);
-  });
-
-  t('HTTPS redirect enforced', 'security', 'P1', async () => {
-    if (probe.baseUrl.startsWith('http://')) {
-      const r = await probe.fetch('/');
-      if (r.status === 200 && !r.url?.startsWith('https'))
-        throw new Error('HTTP serving without HTTPS redirect');
-    }
-  });
-
-  t('No sensitive data in headers', 'security', 'P0', async () => {
-    const r = await probe.fetch('/');
-    const dangerous = ['authorization','cookie','set-cookie'];
-    for (const h of dangerous) {
-      if (r.headers[h] && r.headers[h].includes('secret'))
-        throw new Error(`Sensitive data in ${h} header`);
-    }
-  });
-
-  t('CORS header not wildcard on auth routes', 'security', 'P1', async () => {
-    const r = await probe.fetch('/api/health');
-    const cors = r.headers['access-control-allow-origin'];
-    if (cors === '*' && r.headers['access-control-allow-credentials'] === 'true')
-      throw new Error('CORS wildcard + credentials — security vulnerability');
-  });
-
-  t('No cache on API responses', 'security', 'P2', async () => {
-    const r = await probe.fetch('/api/health');
-    const cc = r.headers['cache-control'] || '';
-    if (r.status === 200 && !cc.includes('no-store') && !cc.includes('no-cache') && !cc.includes('private'))
-      throw new Error(`API response may be cached: cache-control: ${cc || '(missing)'}`);
-  });
-
-  t('XSS Protection header', 'security', 'P2', async () => {
-    const r = await probe.fetch('/');
-    const xss = r.headers['x-xss-protection'];
-    if (!xss) throw new Error('Missing X-XSS-Protection header');
-  });
-
-  t('Permissions-Policy present', 'security', 'P3', async () => {
-    const r = await probe.fetch('/');
-    if (!r.headers['permissions-policy']) throw new Error('Missing Permissions-Policy header');
-  });
-
-  // ── Authentication (12 tests) ──────────────────────────────────────────
-  t('Login page accessible', 'auth', 'P1', async () => {
-    const candidates = ['/login','/auth/login','/signin','/auth','/user/login','/account/login'];
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status >= 200 && r.status < 400) return;
-    }
-    throw new Error('No login page found at common paths');
-  });
-
-  t('Register page accessible', 'auth', 'P2', async () => {
-    const candidates = ['/register','/signup','/auth/register','/create-account','/join'];
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status >= 200 && r.status < 400) return;
-    }
-    throw new Error('No registration page found');
-  });
-
-  t('Dashboard protected', 'auth', 'P0', async () => {
-    const r = await probe.fetch('/dashboard', { readBody: true });
-    if (r.status === 200) {
-      const html = r.text || '';
-      if (!/login|signin|unauthorized|forbidden|redirect/i.test(html))
-        throw new Error('/dashboard accessible without auth (no redirect detected)');
-    }
-  });
-
-  t('Admin panel protected', 'auth', 'P0', async () => {
-    const r = await probe.fetch('/admin', { readBody: true });
-    if (r.status === 200) {
-      const html = r.text || '';
-      if (!/login|signin|unauthorized|forbidden|redirect/i.test(html))
-        throw new Error('/admin accessible without auth');
-    }
-  });
-
-  t('Profile page protected', 'auth', 'P0', async () => {
-    const r = await probe.fetch('/profile');
-    if (r.status === 200) throw new Error('/profile accessible without auth');
-  });
-
-  t('Settings page protected', 'auth', 'P0', async () => {
-    const r = await probe.fetch('/settings');
-    if (r.status === 200) throw new Error('/settings accessible without auth');
-  });
-
-  t('API requires auth token', 'auth', 'P0', async () => {
-    const r = await probe.fetch('/api/v1/users');
-    if (r.status === 200) throw new Error('/api/v1/users returns data without auth token');
-  });
-
-  t('Invalid token rejected', 'auth', 'P0', async () => {
-    const r = await probe.fetch('/api/v1/users', {
-      headers: { Authorization: 'Bearer invalid-token-xyz-123' },
-    });
-    if (r.status === 200) throw new Error('Invalid token accepted by API');
-  });
-
-  t('No JWT in URL params', 'auth', 'P1', async () => {
-    const r = await probe.fetch('/api/health?token=eyJtest');
-    const body = r.text || '';
-    if (/token.*ey[A-Za-z0-9]/i.test(r.url || ''))
-      throw new Error('JWT token appears to be accepted in URL param');
-  });
-
-  t('Password reset page exists', 'auth', 'P2', async () => {
-    const candidates = ['/forgot-password','/reset-password','/auth/forgot','/password-reset'];
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status >= 200 && r.status < 400) return;
-    }
-    throw new Error('No password reset page found');
-  });
-
-  t('Logout endpoint exists', 'auth', 'P2', async () => {
-    const candidates = ['/logout','/signout','/auth/logout','/api/auth/logout'];
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status < 500) return;
-    }
-    throw new Error('No logout endpoint found');
-  });
-
-  t('MFA/2FA page exists', 'auth', 'P3', async () => {
-    const candidates = ['/2fa','/mfa','/auth/2fa','/verify','/two-factor'];
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status < 500) return;
-    }
-    throw new Error('No 2FA/MFA page found — consider implementing MFA');
-  });
-
-  // ── Performance (10 tests) ─────────────────────────────────────────────
-  t('Homepage avg response < 2s', 'performance', 'P1', async () => {
-    const b = await probe.benchmarkRoute('/', 5);
-    if (b.avg > 2000) throw new Error(`Avg ${b.avg}ms exceeds 2000ms threshold`);
-  });
-
-  t('Homepage p95 < 3s', 'performance', 'P1', async () => {
-    const b = await probe.benchmarkRoute('/', 5);
-    if (b.p95 > 3000) throw new Error(`p95 ${b.p95}ms exceeds 3000ms`);
-  });
-
-  t('API health p50 < 500ms', 'performance', 'P1', async () => {
-    const candidates = ['/api/health','/api/status','/health'];
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status > 0) {
-        const b = await probe.benchmarkRoute(c, 5);
-        if (b.p50 > 500) throw new Error(`API p50 ${b.p50}ms on ${c} exceeds 500ms`);
-        return;
-      }
-    }
-  });
-
-  t('API health p95 < 1s', 'performance', 'P2', async () => {
-    const candidates = ['/api/health','/api/status','/health'];
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status > 0) {
-        const b = await probe.benchmarkRoute(c, 5);
-        if (b.p95 > 1000) throw new Error(`API p95 ${b.p95}ms exceeds 1000ms`);
-        return;
-      }
-    }
-  });
-
-  t('No response > 10s', 'performance', 'P0', async () => {
-    const r = await probe.fetch('/');
-    if (r.duration > 10000) throw new Error(`Response took ${r.duration}ms — exceeds 10s`);
-  });
-
-  t('Login page loads < 3s', 'performance', 'P2', async () => {
-    const r = await probe.fetch('/login');
-    if (r.duration > 3000) throw new Error(`Login page took ${r.duration}ms`);
-  });
-
-  t('Static assets fast', 'performance', 'P2', async () => {
-    const r = await probe.fetch('/favicon.ico');
-    if (r.status === 200 && r.duration > 2000)
-      throw new Error(`favicon.ico took ${r.duration}ms`);
-  });
-
-  t('Consistent response times (no spike)', 'performance', 'P2', async () => {
-    const b = await probe.benchmarkRoute('/', 6);
-    if (b.max > b.avg * 5) throw new Error(`Response spike: max=${b.max}ms avg=${b.avg}ms`);
-  });
-
-  t('Gzip/Brotli compression', 'performance', 'P2', async () => {
-    const r = await probe.fetch('/', { headers: { 'Accept-Encoding': 'gzip, deflate, br' } });
-    const enc = r.headers['content-encoding'] || '';
-    if (r.status === 200 && !enc) throw new Error('No compression detected (gzip/br)');
-  });
-
-  t('ETag or Last-Modified caching', 'performance', 'P3', async () => {
-    const r = await probe.fetch('/');
-    if (!r.headers['etag'] && !r.headers['last-modified'])
-      throw new Error('No caching headers (ETag/Last-Modified)');
-  });
-
-  // ── SEO (13 tests) ─────────────────────────────────────────────────────
-  t('Homepage SEO P1 tags', 'seo', 'P1', async () => {
-    const seo = await probe.checkSEO('/');
-    if (!seo.ok) throw new Error('Could not fetch homepage');
-    const failing = seo.checks.filter(c => !c.pass && c.sev === 'P1');
-    if (failing.length > 0) throw new Error(`Missing P1 SEO: ${failing.map(c => c.name).join(', ')}`);
-  });
-
-  t('Homepage SEO P2 tags', 'seo', 'P2', async () => {
-    const seo = await probe.checkSEO('/');
-    if (!seo.ok) throw new Error('Could not fetch homepage');
-    const failing = seo.checks.filter(c => !c.pass && c.sev === 'P2');
-    if (failing.length > 2) throw new Error(`${failing.length} P2 SEO issues: ${failing.map(c => c.name).join(', ')}`);
-  });
-
-  t('robots.txt accessible', 'seo', 'P1', async () => {
-    const r = await probe.fetch('/robots.txt');
-    if (r.status !== 200) throw new Error(`robots.txt returned ${r.status}`);
-  });
-
-  t('robots.txt content valid', 'seo', 'P2', async () => {
-    const r = await probe.fetch('/robots.txt', { readBody: true });
-    if (r.status !== 200) return;
-    if (!r.text?.includes('User-agent')) throw new Error('robots.txt missing User-agent directive');
-  });
-
-  t('sitemap.xml accessible', 'seo', 'P1', async () => {
-    const r = await probe.fetch('/sitemap.xml');
-    if (r.status !== 200) throw new Error(`sitemap.xml returned ${r.status}`);
-  });
-
-  t('sitemap.xml is valid XML', 'seo', 'P2', async () => {
-    const r = await probe.fetch('/sitemap.xml', { readBody: true });
-    if (r.status !== 200) return;
-    if (!r.text?.includes('<urlset') && !r.text?.includes('<sitemapindex'))
-      throw new Error('sitemap.xml missing <urlset> or <sitemapindex>');
-  });
-
-  t('OG meta tags present', 'seo', 'P2', async () => {
-    const seo = await probe.checkSEO('/');
-    if (!seo.ok) return;
-    const og = seo.checks.filter(c => c.name.startsWith('OG') && !c.pass);
-    if (og.length > 1) throw new Error(`Missing OG tags: ${og.map(c => c.name).join(', ')}`);
-  });
-
-  t('Twitter card present', 'seo', 'P3', async () => {
-    const seo = await probe.checkSEO('/');
-    const tc  = seo.checks?.find(c => c.name === 'Twitter card');
-    if (tc && !tc.pass) throw new Error('Missing Twitter card meta tag');
-  });
-
-  t('Structured data (JSON-LD)', 'seo', 'P3', async () => {
-    const seo = await probe.checkSEO('/');
-    const sd  = seo.checks?.find(c => c.name === 'Structured data');
-    if (sd && !sd.pass) throw new Error('No JSON-LD structured data found');
-  });
-
-  t('Canonical link present', 'seo', 'P2', async () => {
-    const seo = await probe.checkSEO('/');
-    const cl  = seo.checks?.find(c => c.name === 'Canonical link');
-    if (cl && !cl.pass) throw new Error('Missing canonical link tag');
-  });
-
-  t('Images have alt text', 'seo', 'P2', async () => {
-    const seo = await probe.checkSEO('/');
-    const ia  = seo.checks?.find(c => c.name === 'Alt attributes');
-    if (ia && !ia.pass) throw new Error('Images without alt attributes detected');
-  });
-
-  t('manifest.json present', 'seo', 'P3', async () => {
-    const r = await probe.fetch('/manifest.json');
-    if (r.status !== 200) throw new Error(`manifest.json returned ${r.status}`);
-  });
-
-  t('favicon accessible', 'seo', 'P2', async () => {
-    const r = await probe.fetch('/favicon.ico');
-    if (r.status !== 200) throw new Error(`favicon.ico returned ${r.status}`);
-  });
-
-  // ── Accessibility (10 tests) ───────────────────────────────────────────
-  t('HTML lang attribute', 'a11y', 'P1', async () => {
-    const a = await probe.checkA11y('/');
-    if (!a.ok) throw new Error('Could not fetch page');
-    const c = a.checks.find(c => c.name === 'html[lang] set');
-    if (c && !c.pass) throw new Error('Missing lang attribute on <html>');
-  });
-
-  t('Viewport meta tag', 'a11y', 'P1', async () => {
-    const a = await probe.checkA11y('/');
-    if (!a.ok) throw new Error('Could not fetch page');
-    const c = a.checks.find(c => c.name === 'Viewport meta');
-    if (c && !c.pass) throw new Error('Missing viewport meta — mobile broken');
-  });
-
-  t('Main landmark present', 'a11y', 'P2', async () => {
-    const a = await probe.checkA11y('/');
-    if (!a.ok) return;
-    const c = a.checks.find(c => c.name === 'Main landmark');
-    if (c && !c.pass) throw new Error('No <main> landmark element found');
-  });
-
-  t('Images have alt text (a11y)', 'a11y', 'P1', async () => {
-    const a = await probe.checkA11y('/');
-    if (!a.ok) return;
-    const c = a.checks.find(c => c.name === 'No images without alt');
-    if (c && !c.pass) throw new Error('Images without alt attributes — screen reader issue');
-  });
-
-  t('Heading hierarchy', 'a11y', 'P2', async () => {
-    const a = await probe.checkA11y('/');
-    if (!a.ok) return;
-    const c = a.checks.find(c => c.name === 'Heading hierarchy');
-    if (c && !c.pass) throw new Error('No H1 tag found — heading hierarchy broken');
-  });
-
-  t('ARIA roles used', 'a11y', 'P2', async () => {
-    const a = await probe.checkA11y('/');
-    if (!a.ok) return;
-    const c = a.checks.find(c => c.name === 'ARIA roles used');
-    if (c && !c.pass) throw new Error('No ARIA roles found — accessibility reduced');
-  });
-
-  t('Skip nav link present', 'a11y', 'P2', async () => {
-    const a = await probe.checkA11y('/');
-    if (!a.ok) return;
-    const c = a.checks.find(c => c.name === 'Skip nav link');
-    if (c && !c.pass) throw new Error('No skip navigation link found');
-  });
-
-  t('Focus visible styles', 'a11y', 'P2', async () => {
-    const a = await probe.checkA11y('/');
-    if (!a.ok) return;
-    const c = a.checks.find(c => c.name === 'Focus visible (class)');
-    if (c && !c.pass) throw new Error('No focus-visible styles detected');
-  });
-
-  t('No autofocus abuse', 'a11y', 'P3', async () => {
-    const a = await probe.checkA11y('/');
-    if (!a.ok) return;
-    const c = a.checks.find(c => c.name === 'No autofocus abuse');
-    if (c && !c.pass) throw new Error('Multiple autofocus attributes detected');
-  });
-
-  t('All a11y checks pass', 'a11y', 'P2', async () => {
-    const a = await probe.checkA11y('/');
-    if (!a.ok) return;
-    const failing = a.checks.filter(c => !c.pass && (c.sev === 'P1' || c.sev === 'P2'));
-    if (failing.length > 2)
-      throw new Error(`${failing.length} a11y issues: ${failing.map(c => c.name).join(', ')}`);
-  });
-
-  // ── Content-Type & API Contract (8 tests) ─────────────────────────────
-  t('HTML content-type correct', 'http', 'P1', async () => {
-    const r = await probe.fetch('/');
-    if (!r.ok && r.status === 0) throw new Error('Connection failed');
-    const ct = r.headers['content-type'] || '';
-    if (!ct.includes('text/html')) throw new Error(`Expected text/html, got: ${ct}`);
-  });
-
-  t('API returns JSON', 'api-contract', 'P1', async () => {
-    const candidates = ['/api/health','/api/status','/api/v1/health'];
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status > 0 && r.status < 500) {
-        const ct = r.headers['content-type'] || '';
-        if (!ct.includes('json')) throw new Error(`${c} does not return JSON (${ct})`);
-        return;
-      }
-    }
-  });
-
-  t('API charset UTF-8', 'api-contract', 'P2', async () => {
-    const candidates = ['/api/health','/api/status'];
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status > 0) {
-        const ct = r.headers['content-type'] || '';
-        if (ct.includes('json') && !ct.includes('utf-8') && !ct.includes('UTF-8'))
-          throw new Error(`API missing UTF-8 charset in content-type: ${ct}`);
-        return;
-      }
-    }
-  });
-
-  t('Error response is JSON', 'api-contract', 'P2', async () => {
-    const r = await probe.fetch('/api/nonexistent-' + shortId());
-    const ct = r.headers['content-type'] || '';
-    if (r.status === 404 && !ct.includes('json'))
-      throw new Error('404 API response is not JSON');
-  });
-
-  t('API versioning present', 'api-contract', 'P2', async () => {
-    const r1 = await probe.fetch('/api/v1/health');
-    const r2 = await probe.fetch('/api/v2/health');
-    if (r1.status === 0 && r2.status === 0)
-      throw new Error('No versioned API endpoints found (/api/v1/ or /api/v2/)');
-  });
-
-  t('API docs accessible', 'api-contract', 'P2', async () => {
-    const candidates = ['/api/docs','/docs','/swagger','/api-docs','/openapi.json'];
-    for (const c of candidates) {
-      const r = await probe.fetch(c);
-      if (r.status >= 200 && r.status < 400) return;
-    }
-    throw new Error('No API documentation endpoint found');
-  });
-
-  t('Core routes return non-500', 'e2e', 'P1', async () => {
-    const routes = ['/', '/login', '/about', '/contact'];
-    const errors = [];
-    for (const route of routes) {
-      const r = await probe.fetch(route);
-      if (r.status >= 500) errors.push(`${route} → ${r.status}`);
-    }
-    if (errors.length > 0) throw new Error(`Server errors: ${errors.join(', ')}`);
-  });
-
-  t('Admin routes return non-500', 'e2e', 'P1', async () => {
-    const routes = ['/admin', '/admin/users', '/admin/dashboard'];
-    const errors = [];
-    for (const route of routes) {
-      const r = await probe.fetch(route);
-      if (r.status >= 500) errors.push(`${route} → ${r.status}`);
-    }
-    if (errors.length > 0) throw new Error(`Admin server errors: ${errors.join(', ')}`);
-  });
-
-  // ── Links & Redirects (5 tests) ────────────────────────────────────────
-  t('No redirect loops', 'links', 'P1', async () => {
-    const r = await probe.fetch('/');
-    if (r.error?.includes('redirect') || r.error?.includes('loop'))
-      throw new Error(`Redirect loop detected: ${r.error}`);
-  });
-
-  t('HTTPS upgrade redirect', 'links', 'P2', async () => {
-    if (!probe.baseUrl.startsWith('https')) return;
-    const httpUrl = probe.baseUrl.replace('https://', 'http://');
-    try {
-      const r = await (new HttpProbe(httpUrl)).fetch('/');
-      if (r.status >= 200 && r.status < 300 && !r.url?.startsWith('https'))
-        throw new Error('HTTP not redirecting to HTTPS');
-    } catch {}
-  });
-
-  t('www redirect consistent', 'links', 'P3', async () => {
-    // Just checks the base URL works
-    const r = await probe.fetch('/');
-    if (r.status === 0) throw new Error('Base URL not reachable');
-  });
-
-  t('No 5xx on common routes', 'links', 'P1', async () => {
-    const routes = COMMON_ROUTES.slice(0, 15);
-    const errors = [];
-    for (const route of routes) {
-      const r = await probe.fetch(route);
-      if (r.status >= 500) errors.push(`${route}(${r.status})`);
-    }
-    if (errors.length > 0) throw new Error(`Server errors: ${errors.join(', ')}`);
-  });
-
-  t('security.txt present', 'security', 'P3', async () => {
-    const r = await probe.fetch('/.well-known/security.txt');
-    if (r.status !== 200) throw new Error('Missing /.well-known/security.txt');
-  });
-
-  return tests;
-}
-
-// ─────────────────────────────────────────────────────────────────────────
-//  MAXIMUM File System Test Suite  (120+ tests)
-// ─────────────────────────────────────────────────────────────────────────
-function buildFullSystemTests(projectDir = process.cwd()) {
-  const tests = [];
-  const t = (name, type, sev, fn) =>
-    tests.push({ id: shortId(), name, type, sev, fn });
-
-  // ── Project Structure (15 tests) ───────────────────────────────────────
-  t('Project directory exists', 'file-structure', 'P0', async () => {
-    if (!await fs.pathExists(projectDir)) throw new Error('Project directory not found');
-  });
-
-  t('package.json exists', 'file-structure', 'P0', async () => {
-    if (!await fs.pathExists(path.join(projectDir, 'package.json')))
-      throw new Error('package.json missing');
-  });
-
-  t('package.json valid JSON', 'validation', 'P0', async () => {
-    const p = path.join(projectDir, 'package.json');
-    if (!await fs.pathExists(p)) throw new Error('package.json missing');
-    const pkg = await fs.readJson(p).catch(e => { throw new Error(`Invalid JSON: ${e.message}`); });
-    if (!pkg.name)    throw new Error('package.json missing "name"');
-    if (!pkg.version) throw new Error('package.json missing "version"');
-  });
-
-  t('package.json has scripts', 'validation', 'P1', async () => {
-    const pkg = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    if (!pkg.scripts || Object.keys(pkg.scripts).length === 0)
-      throw new Error('No scripts defined in package.json');
-  });
-
-  t('npm start or dev script', 'validation', 'P1', async () => {
-    const pkg = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    if (!pkg.scripts?.start && !pkg.scripts?.dev)
-      throw new Error('No start or dev script in package.json');
-  });
-
-  t('npm test script', 'validation', 'P2', async () => {
-    const pkg = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    if (!pkg.scripts?.test) throw new Error('No test script in package.json');
-  });
-
-  t('npm build script', 'validation', 'P2', async () => {
-    const pkg = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    if (!pkg.scripts?.build) throw new Error('No build script in package.json');
-  });
-
-  t('Dependencies declared', 'validation', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (Object.keys(deps).length === 0) throw new Error('No dependencies declared');
-  });
-
-  t('No duplicate deps in dev+prod', 'validation', 'P2', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const prod = Object.keys(pkg.dependencies || {});
-    const dev  = Object.keys(pkg.devDependencies || {});
-    const dups = prod.filter(d => dev.includes(d));
-    if (dups.length > 0) throw new Error(`Deps in both dependencies+devDependencies: ${dups.join(', ')}`);
-  });
-
-  t('Entry point exists', 'file-structure', 'P0', async () => {
-    const candidates = [
-      'src/index.ts','src/index.js','index.ts','index.js',
-      'main.py','main.go','Program.cs','src/main.ts','src/main.js',
-    ];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No recognisable entry point found');
-  });
-
-  t('Routes directory exists', 'file-structure', 'P1', async () => {
-    const candidates = ['src/routes','routes','src/api','api','src/controllers','controllers'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No routes/api directory found');
-  });
-
-  t('Source directory exists', 'file-structure', 'P1', async () => {
-    if (!await fs.pathExists(path.join(projectDir, 'src')))
-      throw new Error('No src/ directory found');
-  });
-
-  t('README.md present', 'file-structure', 'P2', async () => {
-    if (!await fs.pathExists(path.join(projectDir, 'README.md')))
-      throw new Error('README.md missing');
-  });
-
-  t('README.md not empty', 'file-structure', 'P3', async () => {
-    const rp = path.join(projectDir, 'README.md');
-    if (!await fs.pathExists(rp)) return;
-    const content = await fs.readFile(rp, 'utf8').catch(() => '');
-    if (content.trim().length < 100) throw new Error('README.md is too short (< 100 chars)');
-  });
-
-  t('.gitignore present', 'file-structure', 'P2', async () => {
-    if (!await fs.pathExists(path.join(projectDir, '.gitignore')))
-      throw new Error('.gitignore missing');
-  });
-
-  // ── Environment Config (8 tests) ──────────────────────────────────────
-  t('Env config file present', 'environment', 'P1', async () => {
-    const candidates = ['.env','.env.example','.env.sample','.env.local'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No environment config file found');
-  });
-
-  t('.env not committed (has .env.example)', 'environment', 'P0', async () => {
-    const gitignorePath = path.join(projectDir, '.gitignore');
-    if (await fs.pathExists(gitignorePath)) {
-      const content = await fs.readFile(gitignorePath, 'utf8').catch(() => '');
-      if (!content.includes('.env'))
-        throw new Error('.env not in .gitignore — secrets may be committed');
-    }
-  });
-
-  t('PORT env variable referenced', 'environment', 'P2', async () => {
-    const candidates = ['src/index.ts','src/index.js','index.js','index.ts','src/main.ts'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (content.includes('process.env.PORT') || content.includes('PORT')) return;
-      }
-    }
-    throw new Error('PORT env variable not referenced in entry point');
-  });
-
-  t('DATABASE_URL env referenced', 'environment', 'P1', async () => {
-    const candidates = ['src/index.ts','src/index.js','.env.example','.env.sample'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (/DATABASE_URL|MONGO_URI|DB_HOST|CONNECTION_STRING/i.test(content)) return;
-      }
-    }
-    throw new Error('No database connection env variable referenced');
-  });
-
-  t('JWT_SECRET env referenced', 'environment', 'P1', async () => {
-    const candidates = ['src/index.ts','src/index.js','.env.example','.env.sample','src/config'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (/JWT_SECRET|JWT_KEY|TOKEN_SECRET/i.test(content)) return;
-      }
-    }
-    throw new Error('JWT_SECRET not referenced — auth may use hardcoded secret');
-  });
-
-  t('NODE_ENV handling', 'environment', 'P2', async () => {
-    const candidates = ['src/index.ts','src/index.js','src/app.ts','src/app.js'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (content.includes('NODE_ENV')) return;
-      }
-    }
-    throw new Error('NODE_ENV not referenced — no environment mode handling');
-  });
-
-  t('No hardcoded passwords', 'environment', 'P0', async () => {
-    const pattern = /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]/i;
-    const candidates = ['src/index.ts','src/index.js','src/app.ts','src/config.ts','src/config.js'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (pattern.test(content)) throw new Error(`Hardcoded password in ${c}`);
-      }
-    }
-  });
-
-  t('No hardcoded API keys', 'environment', 'P0', async () => {
-    const pattern = /(?:apikey|api_key|apiSecret|secret)\s*[:=]\s*['"][a-zA-Z0-9]{16,}['"]/i;
-    const candidates = ['src/index.ts','src/index.js','src/app.ts','src/config.ts'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (pattern.test(content)) throw new Error(`Hardcoded API key in ${c}`);
-      }
-    }
-  });
-
-  // ── Security (15 tests) ───────────────────────────────────────────────
-  t('Password hashing library', 'security', 'P0', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['bcrypt','bcryptjs','argon2','scrypt','crypto'].some(d => deps[d]))
-      throw new Error('No password hashing library found (bcrypt/argon2)');
-  });
-
-  t('JWT library present', 'security', 'P0', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['jsonwebtoken','jose','@auth/core','passport-jwt'].some(d => deps[d]))
-      throw new Error('No JWT library found');
-  });
-
-  t('Rate limiting library', 'security', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['express-rate-limit','rate-limiter-flexible','@nestjs/throttler','fastapi-limiter'].some(d => deps[d]))
-      throw new Error('No rate limiting library found');
-  });
-
-  t('CORS library configured', 'cors', 'P1', async () => {
-    const candidates = ['src/index.ts','src/index.js','src/app.ts','src/app.js','index.js'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (/cors|CORS/i.test(content)) return;
-      }
-    }
-    throw new Error('No CORS configuration detected');
-  });
-
-  t('Helmet or security middleware', 'security', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['helmet','@fastify/helmet','django-security'].some(d => deps[d]))
-      throw new Error('No security headers middleware (helmet) found');
-  });
-
-  t('Input validation library', 'security', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['zod','joi','yup','class-validator','express-validator','marshmallow'].some(d => deps[d]))
-      throw new Error('No input validation library (zod/joi/yup) found');
-  });
-
-  t('XSS prevention library', 'security', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['xss','dompurify','sanitize-html','isomorphic-dompurify'].some(d => deps[d]))
-      throw new Error('No XSS prevention library found');
-  });
-
-  t('No eval() usage', 'security', 'P0', async () => {
-    const candidates = ['src/index.ts','src/index.js','src/app.ts','src/app.js'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (/\beval\s*\(/.test(content)) throw new Error(`eval() found in ${c} — security risk`);
-      }
-    }
-  });
-
-  t('No dangerous packages', 'security', 'P0', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    const found = DANGEROUS_PACKAGES.filter(d => deps[d]);
-    if (found.length > 0) throw new Error(`Dangerous packages found: ${found.join(', ')}`);
-  });
-
-  t('CSRF protection configured', 'security', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    const candidates = ['src/index.ts','src/index.js','src/app.ts'];
-    let hasCSRF = ['csurf','csrf','@nestjs/csrf'].some(d => deps[d]);
-    if (!hasCSRF) {
-      for (const c of candidates) {
-        const fp = path.join(projectDir, c);
-        if (await fs.pathExists(fp)) {
-          const content = await fs.readFile(fp, 'utf8').catch(() => '');
-          if (/csrf|CSRF/i.test(content)) { hasCSRF = true; break; }
-        }
-      }
-    }
-    if (!hasCSRF) throw new Error('No CSRF protection found');
-  });
-
-  t('SQL injection prevention', 'security', 'P0', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    const hasORM = ['prisma','typeorm','sequelize','mongoose','sqlalchemy','hibernate'].some(d => deps[d]);
-    if (!hasORM) {
-      const candidates = ['src/index.ts','src/index.js'];
-      for (const c of candidates) {
-        const fp = path.join(projectDir, c);
-        if (await fs.pathExists(fp)) {
-          const content = await fs.readFile(fp, 'utf8').catch(() => '');
-          if (/query\s*\+\s*req\.|query\s*\+\s*params/i.test(content))
-            throw new Error(`Potential SQL injection: string concatenation in query in ${c}`);
-        }
-      }
-    }
-  });
-
-  t('Sensitive files not exposed', 'security', 'P0', async () => {
-    const dangerous = ['.env','.git/config','config/database.yml'];
-    for (const f of dangerous) {
-      const fp = path.join(projectDir, 'public', f);
-      if (await fs.pathExists(fp)) throw new Error(`Sensitive file in public/: ${f}`);
-    }
-  });
-
-  t('Cookie security settings', 'security', 'P1', async () => {
-    const candidates = ['src/index.ts','src/index.js','src/app.ts'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (/cookie/.test(content)) {
-          if (!content.includes('httpOnly') && !content.includes('secure'))
-            throw new Error(`Cookie without httpOnly/secure flags in ${c}`);
-          return;
-        }
-      }
-    }
-  });
-
-  t('Dependency vulnerability check', 'dependency', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    const vulns = [];
-    for (const { name, below, reason } of VULN_PATTERNS) {
-      const ver = deps[name];
-      if (ver && semverLt(ver, below))
-        vulns.push(`${name}@${ver} (${reason} — upgrade to ${below}+)`);
-    }
-    if (vulns.length > 0) throw new Error(`Vulnerable deps: ${vulns.join('; ')}`);
-  });
-
-  t('No .npmrc with auth tokens in repo', 'security', 'P0', async () => {
-    const fp = path.join(projectDir, '.npmrc');
-    if (await fs.pathExists(fp)) {
-      const content = await fs.readFile(fp, 'utf8').catch(() => '');
-      if (content.includes('_authToken') || content.includes('//registry'))
-        throw new Error('.npmrc contains auth tokens — must not be committed');
-    }
-  });
-
-  // ── Database (10 tests) ───────────────────────────────────────────────
-  t('Database schema/models exist', 'database', 'P1', async () => {
-    const candidates = [
-      'prisma/schema.prisma','schema.prisma',
-      'src/models','models','src/entities','entities',
-    ];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No database schema/models directory found');
-  });
-
-  t('Prisma schema valid fields', 'database', 'P1', async () => {
-    const fp = path.join(projectDir, 'prisma', 'schema.prisma');
-    if (!await fs.pathExists(fp)) return;
-    const content = await fs.readFile(fp, 'utf8').catch(() => '');
-    if (!content.includes('model '))  throw new Error('Prisma schema has no models defined');
-    if (!content.includes('datasource')) throw new Error('Prisma schema missing datasource block');
-    if (!content.includes('generator')) throw new Error('Prisma schema missing generator block');
-  });
-
-  t('Prisma migrations directory', 'database', 'P2', async () => {
-    const prismaPath = path.join(projectDir, 'prisma', 'schema.prisma');
-    if (!await fs.pathExists(prismaPath)) return;
-    if (!await fs.pathExists(path.join(projectDir, 'prisma', 'migrations')))
-      throw new Error('Prisma migrations directory missing — run prisma migrate dev');
-  });
-
-  t('Database seeder file', 'database', 'P2', async () => {
-    const candidates = [
-      'prisma/seed.ts','prisma/seed.js','src/seeders','seeders','src/database/seed',
-    ];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No database seeder found');
-  });
-
-  t('Models have ID fields', 'database', 'P1', async () => {
-    const fp = path.join(projectDir, 'prisma', 'schema.prisma');
-    if (!await fs.pathExists(fp)) return;
-    const content = await fs.readFile(fp, 'utf8').catch(() => '');
-    const models  = content.match(/model\s+\w+\s*{[^}]+}/g) || [];
-    const missing = models.filter(m => !/@id/.test(m)).map(m => (m.match(/model\s+(\w+)/) || [])[1]);
-    if (missing.length > 0) throw new Error(`Models missing @id: ${missing.join(', ')}`);
-  });
-
-  t('Models have timestamps', 'database', 'P2', async () => {
-    const fp = path.join(projectDir, 'prisma', 'schema.prisma');
-    if (!await fs.pathExists(fp)) return;
-    const content = await fs.readFile(fp, 'utf8').catch(() => '');
-    if (!content.includes('createdAt') && !content.includes('updatedAt'))
-      throw new Error('No timestamp fields (createdAt/updatedAt) in Prisma schema');
-  });
-
-  t('Database connection pool configured', 'database', 'P2', async () => {
-    const candidates = ['src/index.ts','src/index.js','src/db.ts','src/database.ts'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (/pool|connection_limit|maxPoolSize/i.test(content)) return;
-      }
-    }
-    throw new Error('No connection pool configuration found');
-  });
-
-  t('No raw SQL string concatenation', 'database', 'P0', async () => {
-    const candidates = ['src/repositories','src/models','src/services'];
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        if (!/\.(ts|js)$/.test(f)) continue;
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        if (/query\s*\(`[^`]*\$\{req\./i.test(content))
-          throw new Error(`Raw SQL with user input in ${c}/${f}`);
-      }
-    }
-  });
-
-  t('ORM or query builder used', 'database', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['prisma','typeorm','sequelize','mongoose','knex','mikro-orm','drizzle-orm'].some(d => deps[d]))
-      throw new Error('No ORM or query builder found');
-  });
-
-  t('Database index strategy', 'database', 'P3', async () => {
-    const fp = path.join(projectDir, 'prisma', 'schema.prisma');
-    if (!await fs.pathExists(fp)) return;
-    const content = await fs.readFile(fp, 'utf8').catch(() => '');
-    if (!content.includes('@@index') && !content.includes('@unique') && !content.includes('@@unique'))
-      throw new Error('No indexes defined in Prisma schema — query performance may be poor');
-  });
-
-  // ── TypeScript (8 tests) ──────────────────────────────────────────────
-  t('tsconfig.json present', 'typescript', 'P1', async () => {
-    const tsp = path.join(projectDir, 'tsconfig.json');
-    if (!await fs.pathExists(tsp)) throw new Error('tsconfig.json missing');
-  });
-
-  t('tsconfig strict mode', 'typescript', 'P2', async () => {
-    const tsp = path.join(projectDir, 'tsconfig.json');
-    if (!await fs.pathExists(tsp)) return;
-    const tsconfig = await fs.readJson(tsp).catch(() => ({}));
-    if (!tsconfig.compilerOptions?.strict)
-      throw new Error('TypeScript strict mode not enabled in tsconfig.json');
-  });
-
-  t('No "any" types in main files', 'typescript', 'P2', async () => {
-    const candidates = ['src/index.ts','src/app.ts','src/server.ts'];
-    let anyCount = 0;
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        anyCount += (content.match(/:\s*any\b/g) || []).length;
-      }
-    }
-    if (anyCount > 5) throw new Error(`${anyCount} "any" type usages detected — use proper types`);
-  });
-
-  t('TypeScript paths configured', 'typescript', 'P3', async () => {
-    const tsp = path.join(projectDir, 'tsconfig.json');
-    if (!await fs.pathExists(tsp)) return;
-    const tsconfig = await fs.readJson(tsp).catch(() => ({}));
-    if (!tsconfig.compilerOptions?.paths && !tsconfig.compilerOptions?.baseUrl)
-      throw new Error('No path aliases configured in tsconfig');
-  });
-
-  t('TypeScript compiler target >= ES2020', 'typescript', 'P2', async () => {
-    const tsp = path.join(projectDir, 'tsconfig.json');
-    if (!await fs.pathExists(tsp)) return;
-    const tsconfig = await fs.readJson(tsp).catch(() => ({}));
-    const target   = tsconfig.compilerOptions?.target || '';
-    const oldTargets = ['es5','es6','es2015','es2016','es2017','es2018','es2019'];
-    if (oldTargets.includes(target.toLowerCase()))
-      throw new Error(`TypeScript target ${target} is outdated — use ES2020+`);
-  });
-
-  t('No @ts-ignore abuse', 'typescript', 'P2', async () => {
-    const candidates = ['src/index.ts','src/app.ts','src/server.ts'];
-    let count = 0;
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        count += (content.match(/@ts-ignore/g) || []).length;
-      }
-    }
-    if (count > 3) throw new Error(`${count} @ts-ignore comments found — fix type errors instead`);
-  });
-
-  t('TypeScript declaration files', 'typescript', 'P3', async () => {
-    const tsp = path.join(projectDir, 'tsconfig.json');
-    if (!await fs.pathExists(tsp)) return;
-    const tsconfig = await fs.readJson(tsp).catch(() => ({}));
-    if (tsconfig.compilerOptions?.declaration === false)
-      throw new Error('TypeScript declaration generation disabled');
-  });
-
-  t('ESLint or TSLint configured', 'code-quality', 'P2', async () => {
-    const candidates = ['.eslintrc','.eslintrc.json','.eslintrc.js','.eslintrc.ts','eslint.config.js'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No ESLint configuration found');
-  });
-
-  // ── Logging (6 tests) ─────────────────────────────────────────────────
-  t('Logging library present', 'logging', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['winston','pino','bunyan','morgan','log4js','loglevel'].some(d => deps[d]))
-      throw new Error('No structured logging library found (winston/pino)');
-  });
-
-  t('HTTP request logging (morgan/pino-http)', 'logging', 'P2', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['morgan','pino-http','http-pino'].some(d => deps[d]))
-      throw new Error('No HTTP request logging middleware (morgan/pino-http)');
-  });
-
-  t('No console.log in production code', 'logging', 'P2', async () => {
-    const candidates = ['src/routes','src/controllers','src/services'];
-    let count = 0;
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        if (!/\.(ts|js)$/.test(f)) continue;
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        count += (content.match(/console\.log\(/g) || []).length;
-      }
-    }
-    if (count > 10) throw new Error(`${count} console.log() in source files — use logger instead`);
-  });
-
-  t('Error logging configured', 'logging', 'P1', async () => {
-    const candidates = ['src/index.ts','src/index.js','src/app.ts','src/middleware'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = typeof fp === 'string' && (await fs.stat(fp)).isFile()
-          ? await fs.readFile(fp, 'utf8').catch(() => '')
-          : '';
-        if (/error.*log|log.*error|\.error\(/i.test(content)) return;
-      }
-    }
-    throw new Error('No error logging configured');
-  });
-
-  t('Log level configuration', 'logging', 'P3', async () => {
-    const candidates = ['src/index.ts','src/index.js','src/logger.ts','src/logger.js'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (/LOG_LEVEL|logLevel|level.*process\.env/i.test(content)) return;
-      }
-    }
-    throw new Error('Log level not configurable via environment');
-  });
-
-  t('Separate logger module', 'logging', 'P3', async () => {
-    const candidates = ['src/logger.ts','src/logger.js','src/utils/logger.ts','src/utils/logger.js','src/lib/logger.ts'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No dedicated logger module found');
-  });
-
-  // ── Error Handling (8 tests) ──────────────────────────────────────────
-  t('Global error handler middleware', 'error-handling', 'P0', async () => {
-    const candidates = ['src/index.ts','src/index.js','src/app.ts','src/app.js','src/middleware'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const stat = await fs.stat(fp);
-        const content = stat.isFile()
-          ? await fs.readFile(fp, 'utf8').catch(() => '')
-          : '';
-        if (/err.*next|next.*err|errorHandler|error.*middleware/i.test(content)) return;
-      }
-    }
-    throw new Error('No global error handler middleware found');
-  });
-
-  t('Try-catch in async routes', 'error-handling', 'P1', async () => {
-    const candidates = ['src/routes','src/controllers'];
-    let hasTryCatch = false;
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        if (!/\.(ts|js)$/.test(f)) continue;
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        if (/try\s*\{[\s\S]*\}\s*catch/.test(content)) { hasTryCatch = true; break; }
-      }
-    }
-    if (!hasTryCatch) throw new Error('No try-catch blocks in routes/controllers');
-  });
-
-  t('Async error wrapper utility', 'error-handling', 'P2', async () => {
-    const candidates = ['src/utils','src/helpers','src/middleware'];
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        if (/asyncHandler|catchAsync|wrapAsync/i.test(content)) return;
-      }
-    }
-    throw new Error('No async error wrapper utility (asyncHandler/catchAsync)');
-  });
-
-  t('HTTP error codes correct', 'error-handling', 'P2', async () => {
-    const candidates = ['src/routes','src/controllers'];
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        if (/res\.status\(200\).*catch|res\.send\(.*error/i.test(content))
-          throw new Error(`Returning 200 in catch block in ${c}/${f}`);
-      }
-    }
-  });
-
-  t('No unhandledRejection without handler', 'error-handling', 'P1', async () => {
-    const candidates = ['src/index.ts','src/index.js','index.js','server.ts'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (content.includes('unhandledRejection') || content.includes('uncaughtException')) return;
-      }
-    }
-    throw new Error('No unhandledRejection/uncaughtException handler in entry point');
-  });
-
-  t('Process exit handling', 'error-handling', 'P2', async () => {
-    const candidates = ['src/index.ts','src/index.js','index.js'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        if (/SIGTERM|SIGINT|graceful/i.test(content)) return;
-      }
-    }
-    throw new Error('No graceful shutdown handler (SIGTERM/SIGINT)');
-  });
-
-  t('Custom error classes', 'error-handling', 'P2', async () => {
-    const candidates = ['src/errors','src/exceptions','src/utils/errors.ts','src/utils/errors.js'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No custom error classes directory found');
-  });
-
-  t('Validation error responses', 'error-handling', 'P1', async () => {
-    const candidates = ['src/middleware','src/validators'];
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        if (/validationError|ValidationError|400/i.test(content)) return;
-      }
-    }
-    throw new Error('No validation error handling found (400 responses)');
-  });
-
-  // ── Docker & CI (10 tests) ────────────────────────────────────────────
-  t('Dockerfile present', 'docker', 'P1', async () => {
-    if (!await fs.pathExists(path.join(projectDir, 'Dockerfile')))
-      throw new Error('Dockerfile missing');
-  });
-
-  t('docker-compose.yml present', 'docker', 'P1', async () => {
-    const candidates = ['docker-compose.yml','docker-compose.yaml'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('docker-compose.yml missing');
-  });
-
-  t('Dockerfile uses non-root user', 'docker', 'P1', async () => {
-    const fp = path.join(projectDir, 'Dockerfile');
-    if (!await fs.pathExists(fp)) return;
-    const content = await fs.readFile(fp, 'utf8').catch(() => '');
-    if (!content.includes('USER') || content.includes('USER root'))
-      throw new Error('Dockerfile does not set non-root USER — security risk');
-  });
-
-  t('Dockerfile uses specific base image tag', 'docker', 'P2', async () => {
-    const fp = path.join(projectDir, 'Dockerfile');
-    if (!await fs.pathExists(fp)) return;
-    const content = await fs.readFile(fp, 'utf8').catch(() => '');
-    const fromLine = content.match(/^FROM\s+([^\s]+)/m)?.[1] || '';
-    if (fromLine.endsWith(':latest'))
-      throw new Error('Dockerfile uses :latest tag — pin to specific version');
-  });
-
-  t('Dockerfile multi-stage build', 'docker', 'P2', async () => {
-    const fp = path.join(projectDir, 'Dockerfile');
-    if (!await fs.pathExists(fp)) return;
-    const content = await fs.readFile(fp, 'utf8').catch(() => '');
-    const fromCount = (content.match(/^FROM /gm) || []).length;
-    if (fromCount < 2) throw new Error('Dockerfile not using multi-stage build — image may be large');
-  });
-
-  t('.dockerignore present', 'docker', 'P2', async () => {
-    if (!await fs.pathExists(path.join(projectDir, '.dockerignore')))
-      throw new Error('.dockerignore missing — node_modules may be included in image');
-  });
-
-  t('GitHub Actions workflow', 'ci', 'P1', async () => {
-    if (!await fs.pathExists(path.join(projectDir, '.github', 'workflows')))
-      throw new Error('No GitHub Actions workflows directory');
-  });
-
-  t('CI workflow has test step', 'ci', 'P2', async () => {
-    const wfDir = path.join(projectDir, '.github', 'workflows');
-    if (!await fs.pathExists(wfDir)) return;
-    const files = await fs.readdir(wfDir).catch(() => []);
-    for (const f of files) {
-      const content = await fs.readFile(path.join(wfDir, f), 'utf8').catch(() => '');
-      if (/run.*test|npm.*test|yarn.*test/i.test(content)) return;
-    }
-    throw new Error('No test step in CI workflow');
-  });
-
-  t('CI workflow has lint step', 'ci', 'P2', async () => {
-    const wfDir = path.join(projectDir, '.github', 'workflows');
-    if (!await fs.pathExists(wfDir)) return;
-    const files = await fs.readdir(wfDir).catch(() => []);
-    for (const f of files) {
-      const content = await fs.readFile(path.join(wfDir, f), 'utf8').catch(() => '');
-      if (/run.*lint|npm.*lint|eslint/i.test(content)) return;
-    }
-    throw new Error('No lint step in CI workflow');
-  });
-
-  t('CI workflow has build step', 'ci', 'P2', async () => {
-    const wfDir = path.join(projectDir, '.github', 'workflows');
-    if (!await fs.pathExists(wfDir)) return;
-    const files = await fs.readdir(wfDir).catch(() => []);
-    for (const f of files) {
-      const content = await fs.readFile(path.join(wfDir, f), 'utf8').catch(() => '');
-      if (/run.*build|npm.*build|yarn.*build/i.test(content)) return;
-    }
-    throw new Error('No build step in CI workflow');
-  });
-
-  // ── Testing (8 tests) ─────────────────────────────────────────────────
-  t('Test directory exists', 'e2e', 'P1', async () => {
-    const testDirs = ['tests','test','__tests__','spec','src/__tests__'];
-    for (const d of testDirs) {
-      if (await fs.pathExists(path.join(projectDir, d))) return;
-    }
-    throw new Error('No test directory found');
-  });
-
-  t('Test files exist', 'e2e', 'P1', async () => {
-    const testDirs = ['tests','test','__tests__','spec'];
-    for (const d of testDirs) {
-      const dir = path.join(projectDir, d);
-      if (await fs.pathExists(dir)) {
-        const files = await fs.readdir(dir).catch(() => []);
-        const testFiles = files.filter(f => /\.(test|spec)\.(ts|js)$/.test(f));
-        if (testFiles.length > 0) return;
-      }
-    }
-    throw new Error('No test files (.test.ts/.spec.ts) found');
-  });
-
-  t('Test framework configured', 'e2e', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['jest','vitest','mocha','jasmine','@nestjs/testing','pytest','junit'].some(d => deps[d]))
-      throw new Error('No test framework found (jest/vitest/mocha)');
-  });
-
-  t('Test coverage configured', 'e2e', 'P2', async () => {
-    const pkg = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const hasJestConfig = !!pkg.jest;
-    const hasVitestConfig = await fs.pathExists(path.join(projectDir, 'vitest.config.ts')) ||
-                            await fs.pathExists(path.join(projectDir, 'vitest.config.js'));
-    if (!hasJestConfig && !hasVitestConfig)
-      throw new Error('No test coverage configuration (jest/vitest config)');
-  });
-
-  t('API integration tests', 'e2e', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['supertest','axios-mock-adapter','nock','httpretty'].some(d => deps[d]))
-      throw new Error('No API testing library (supertest/nock) found');
-  });
-
-  t('E2E test directory', 'e2e', 'P2', async () => {
-    const candidates = ['e2e','tests/e2e','test/e2e','cypress','playwright'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No E2E test directory found');
-  });
-
-  t('Mock/fixture files', 'e2e', 'P3', async () => {
-    const candidates = ['tests/fixtures','test/fixtures','src/__mocks__','__fixtures__','mocks'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No test fixtures/mocks directory found');
-  });
-
-  t('Minimum test file count', 'e2e', 'P2', async () => {
-    const testDirs = ['tests','test','__tests__','spec'];
-    let total = 0;
-    for (const d of testDirs) {
-      const dir = path.join(projectDir, d);
-      if (await fs.pathExists(dir)) {
-        const files = await fs.readdir(dir).catch(() => []);
-        total += files.filter(f => /\.(test|spec)\.(ts|js)$/.test(f)).length;
-      }
-    }
-    if (total < 3) throw new Error(`Only ${total} test file(s) — need at least 3`);
-  });
-
-  // ── API Documentation (5 tests) ───────────────────────────────────────
-  t('API documentation library', 'api-contract', 'P2', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['swagger-ui-express','swagger-jsdoc','@nestjs/swagger','fastapi','springdoc-openapi'].some(d => deps[d]))
-      throw new Error('No API documentation library (swagger-ui-express)');
-  });
-
-  t('OpenAPI spec file', 'api-contract', 'P3', async () => {
-    const candidates = ['openapi.json','openapi.yaml','swagger.json','swagger.yaml','api-spec.json'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No OpenAPI/Swagger spec file found');
-  });
-
-  t('API versioning in routes', 'api-contract', 'P2', async () => {
-    const candidates = ['src/routes','src/controllers'];
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        if (/v1|v2|api\/v/i.test(content)) return;
-      }
-    }
-    throw new Error('No API versioning in routes (e.g. /api/v1/)');
-  });
-
-  t('Request/response DTOs defined', 'api-contract', 'P2', async () => {
-    const candidates = ['src/dto','src/dtos','src/types','src/interfaces','dto'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
-    }
-    throw new Error('No DTO/interface definitions found');
-  });
-
-  t('Response envelope pattern', 'api-contract', 'P3', async () => {
-    const candidates = ['src/utils','src/helpers','src/middleware'];
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        if (/success.*true|status.*success|data.*message/i.test(content)) return;
-      }
-    }
-    throw new Error('No response envelope pattern (success/data/message) found');
-  });
-
-  // ── Performance + System (6 tests) ────────────────────────────────────
-  t('Heap memory acceptable', 'performance', 'P1', async () => {
-    const heapMB = process.memoryUsage().heapUsed / 1024 / 1024;
-    if (heapMB > 512) throw new Error(`Heap ${heapMB.toFixed(0)}MB exceeds 512MB`);
-  });
-
-  t('RSS memory acceptable', 'performance', 'P2', async () => {
-    const rssMB = process.memoryUsage().rss / 1024 / 1024;
-    if (rssMB > 1024) throw new Error(`RSS ${rssMB.toFixed(0)}MB exceeds 1GB`);
-  });
+import * as p           from '@clack/prompts';
+import chalk            from 'chalk';
+import fs               from 'fs-extra';
+import path             from 'node:path';
+import os               from 'node:os';
+import { performance }  from 'node:perf_hooks';
+import { EventEmitter } from 'node:events';
 
-  t('Node.js version current', 'environment', 'P1', async () => {
-    const major = parseInt(process.version.replace('v','').split('.')[0]);
-    if (major < 18) throw new Error(`Node.js ${process.version} — requires v18+`);
-  });
+import { SmartCrawler }        from './browser/crawler.js';
+import { BrowserInteractor }   from './browser/interactions.js';
+import { ScreenshotCapture }   from './browser/screenshot.js';
+import { RealAPIValidator }    from './analyzers/api.js';
+import { SecurityScanner }     from './analyzers/security.js';
+import { PerformanceProfiler } from './analyzers/performance.js';
+import { AccessibilityChecker} from './analyzers/accessibility.js';
+import { SEOScanner }          from './analyzers/seo.js';
+import { HTMLReporter }        from './reporters/html.js';
+import { TerminalDashboard }   from './reporters/terminal.js';
+import { JSONReporter }        from './reporters/json.js';
+import { AIClassifier }        from './utils/ai-classifier.js';
 
-  t('QA system operational', 'e2e', 'P3', async () => {
-    await fs.ensureDir(QA_DIR);
-  });
+// ── Constants ─────────────────────────────────────────────────────────────
+export const VERSION      = '12.0.0';
+export const QA_DIR       = path.join(process.cwd(), '.backlist', 'qa');
+export const REPORT_DIR   = path.join(QA_DIR, 'reports');
+export const HISTORY_FILE = path.join(QA_DIR, 'history.json');
+export const SCREENSHOT_DIR = path.join(REPORT_DIR, 'screenshots');
 
-  t('Report directory writable', 'e2e', 'P3', async () => {
-    await fs.ensureDir(REPORT_DIR);
-    const testFile = path.join(REPORT_DIR, `.write-${shortId()}`);
-    await fs.writeFile(testFile, 'ok');
-    await fs.remove(testFile);
-  });
+// ── Utilities ─────────────────────────────────────────────────────────────
+export function timestamp()     { return new Date().toISOString(); }
+export function shortId()       { return Math.random().toString(36).slice(2, 9); }
+export function sleep(ms)       { return new Promise(r => setTimeout(r, ms)); }
+export function formatDuration(ms) {
+  if (ms < 1000) return `${Math.round(ms)}ms`;
+  return `${(ms / 1000).toFixed(2)}s`;
+}
+export function formatBytes(b) {
+  if (!b || b < 0) return '0B';
+  if (b < 1024)        return `${b}B`;
+  if (b < 1024 * 1024) return `${(b / 1024).toFixed(1)}KB`;
+  return `${(b / 1024 / 1024).toFixed(1)}MB`;
+}
 
-  t('Project size reasonable', 'performance', 'P3', async () => {
-    const srcDir = path.join(projectDir, 'src');
-    if (!await fs.pathExists(srcDir)) return;
-    let totalSize = 0;
-    const walk = async (dir) => {
-      const entries = await fs.readdir(dir, { withFileTypes: true }).catch(() => []);
-      for (const e of entries) {
-        if (e.name === 'node_modules') continue;
-        const fp = path.join(dir, e.name);
-        if (e.isDirectory()) await walk(fp);
-        else { const s = await fs.stat(fp).catch(() => ({ size: 0 })); totalSize += s.size; }
-      }
+// ── QA Session ────────────────────────────────────────────────────────────
+export class QASession {
+  id;
+  startedAt;
+  urls = {};
+  results    = [];  // real test results only
+  bugs       = [];  // real detected bugs only
+  screenshots = []; // real screenshots
+  consoleErrors = [];
+  networkLog  = [];
+  apiLog      = [];
+  routeMap    = [];
+  perfMetrics = {};
+  secFindings = [];
+  a11yResults = [];
+  seoResults  = [];
+
+  constructor(urls) {
+    this.id        = `QA-${shortId()}`;
+    this.startedAt = timestamp();
+    this.urls      = urls;
+  }
+
+  addResult(result) {
+    this.results.push(result);
+  }
+
+  addBug(bug) {
+    this.bugs.push({ ...bug, id: `BUG-${shortId()}`, createdAt: timestamp() });
+  }
+
+  getSummary() {
+    const passed  = this.results.filter(r => r.status === 'PASS').length;
+    const failed  = this.results.filter(r => r.status === 'FAIL').length;
+    const skipped = this.results.filter(r => r.status === 'SKIP').length;
+    const flaky   = this.results.filter(r => r.status === 'FLAKY').length;
+    const total   = this.results.length;
+    return {
+      total, passed, failed, skipped, flaky,
+      passRate: total > 0 ? ((passed + flaky) / total * 100).toFixed(1) : '0.0',
+      duration: Date.now() - new Date(this.startedAt).getTime(),
     };
-    await walk(srcDir);
-    if (totalSize > 50 * 1024 * 1024) throw new Error(`src/ is ${(totalSize/1024/1024).toFixed(0)}MB — unusually large`);
-  });
+  }
+}
 
-  // ── Code Quality (8 tests) ────────────────────────────────────────────
-  t('Prettier configured', 'code-quality', 'P2', async () => {
-    const candidates = ['.prettierrc','.prettierrc.json','.prettierrc.js','prettier.config.js'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(projectDir, c))) return;
+// ── Main QA Engine ────────────────────────────────────────────────────────
+export class QAEngine extends EventEmitter {
+  #session;
+  #terminal;
+  #crawler;
+  #interactor;
+  #screenshotter;
+  #apiValidator;
+  #security;
+  #performance;
+  #a11y;
+  #seo;
+  #aiClassifier;
+  #aborted = false;
+
+  constructor(session, options = {}) {
+    super();
+    this.#session      = session;
+    this.#terminal     = new TerminalDashboard(session);
+    this.#screenshotter = new ScreenshotCapture(SCREENSHOT_DIR);
+    this.#aiClassifier  = new AIClassifier();
+  }
+
+  async init() {
+    // Dynamically import Playwright — optional peer dependency
+    let playwright;
+    try {
+      playwright = await import('playwright');
+    } catch {
+      throw new Error(
+        'Playwright not installed. Run: npm install playwright && npx playwright install chromium'
+      );
     }
-    throw new Error('No Prettier configuration found');
-  });
-
-  t('Husky/lint-staged configured', 'code-quality', 'P3', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!deps['husky'] && !deps['lint-staged'] && !pkg['lint-staged'])
-      throw new Error('No Husky/lint-staged pre-commit hooks configured');
-  });
 
-  t('No TODO/FIXME in production code', 'code-quality', 'P3', async () => {
-    const candidates = ['src/routes','src/controllers','src/services'];
-    let count = 0;
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        count += (content.match(/\/\/\s*(TODO|FIXME|HACK|XXX)/g) || []).length;
-      }
-    }
-    if (count > 5) throw new Error(`${count} TODO/FIXME comments in production code`);
-  });
+    this.#crawler     = new SmartCrawler(playwright);
+    this.#interactor  = new BrowserInteractor(playwright, this.#session);
+    this.#apiValidator = new RealAPIValidator(this.#session);
+    this.#security    = new SecurityScanner(this.#session);
+    this.#performance = new PerformanceProfiler(this.#session);
+    this.#a11y        = new AccessibilityChecker(playwright, this.#session);
+    this.#seo         = new SEOScanner(this.#session);
 
-  t('Function complexity acceptable', 'code-quality', 'P3', async () => {
-    const candidates = ['src/controllers','src/services'];
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        const lines   = content.split('\n');
-        if (lines.length > 500)
-          throw new Error(`${c}/${f} has ${lines.length} lines — split into smaller files`);
-      }
-    }
-  });
+    await this.#interactor.launch();
+    await this.#screenshotter.init();
+  }
 
-  t('No commented-out code blocks', 'code-quality', 'P3', async () => {
-    const candidates = ['src/routes','src/controllers'];
-    let count = 0;
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      for (const f of files) {
-        const content = await fs.readFile(path.join(dir, f), 'utf8').catch(() => '');
-        count += (content.match(/\/\/.*(?:function|const|let|var|class|return|if\s*\()/g) || []).length;
-      }
-    }
-    if (count > 15) throw new Error(`${count} lines of commented-out code detected`);
-  });
+  async run() {
+    this.#terminal.start();
+    this.emit('session:start', this.#session);
 
-  t('Import organization consistent', 'code-quality', 'P3', async () => {
-    const candidates = ['src/index.ts','src/app.ts','src/server.ts'];
-    for (const c of candidates) {
-      const fp = path.join(projectDir, c);
-      if (await fs.pathExists(fp)) {
-        const content = await fs.readFile(fp, 'utf8').catch(() => '');
-        const lines = content.split('\n').slice(0, 30);
-        const importLines = lines.filter(l => l.startsWith('import'));
-        if (importLines.length < 2) throw new Error(`${c} has very few imports — may be incomplete`);
-        return;
-      }
-    }
-  });
+    try {
+      // Phase 1 — Discovery
+      this.#terminal.setPhase('🔍 Phase 1: Route Discovery & Crawling');
+      await this.#phaseDiscovery();
 
-  t('No circular dependencies (basic check)', 'code-quality', 'P2', async () => {
-    const pkg  = await fs.readJson(path.join(projectDir, 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!deps['madge'] && !deps['dependency-cruiser'])
-      throw new Error('No circular dependency checker (madge/dependency-cruiser) in devDeps');
-  });
+      // Phase 2 — API Validation
+      this.#terminal.setPhase('📡 Phase 2: Real API Validation');
+      await this.#phaseAPIValidation();
 
-  t('Consistent file naming', 'code-quality', 'P3', async () => {
-    const candidates = ['src/routes','src/controllers','src/services'];
-    for (const c of candidates) {
-      const dir = path.join(projectDir, c);
-      if (!await fs.pathExists(dir)) continue;
-      const files = await fs.readdir(dir).catch(() => []);
-      const mixedCase = files.filter(f => /[A-Z]/.test(f) && /-/.test(f));
-      if (mixedCase.length > 0)
-        throw new Error(`Mixed naming conventions in ${c}: ${mixedCase.join(', ')}`);
-    }
-  });
+      // Phase 3 — Browser Interactions
+      this.#terminal.setPhase('🖱️  Phase 3: Browser Interaction Testing');
+      await this.#phaseBrowserInteractions();
 
-  return tests;
-}
+      // Phase 4 — Security Scan
+      this.#terminal.setPhase('🛡️  Phase 4: Security Deep Scan');
+      await this.#phaseSecurityScan();
 
-// ── UI Tests (12 tests) ───────────────────────────────────────────────────
-function buildUITests(srcDir = path.join(process.cwd(), 'src')) {
-  const tests = [];
-  const t = (name, type, sev, fn) => tests.push({ id: shortId(), name, type, sev, fn });
+      // Phase 5 — Performance
+      this.#terminal.setPhase('⚡ Phase 5: Performance Profiling');
+      await this.#phasePerformance();
 
-  t('Frontend src directory exists', 'ui', 'P1', async () => {
-    if (!await fs.pathExists(srcDir)) throw new Error(`src not found: ${srcDir}`);
-  });
+      // Phase 6 — Accessibility
+      this.#terminal.setPhase('♿ Phase 6: Accessibility Testing');
+      await this.#phaseAccessibility();
 
-  t('Component files present', 'ui', 'P1', async () => {
-    const exts = ['.tsx','.jsx','.vue','.svelte'];
-    let found  = false;
-    const walk = async (dir) => {
-      const entries = await fs.readdir(dir, { withFileTypes: true }).catch(() => []);
-      for (const e of entries) {
-        if (e.isDirectory() && e.name !== 'node_modules') await walk(path.join(dir, e.name));
-        else if (exts.some(x => e.name.endsWith(x))) { found = true; return; }
-      }
-    };
-    await walk(srcDir);
-    if (!found) throw new Error('No component files found (.tsx/.jsx/.vue/.svelte)');
-  });
+      // Phase 7 — SEO
+      this.#terminal.setPhase('🔎 Phase 7: SEO Validation');
+      await this.#phaseSEO();
 
-  t('Styles configured', 'ui', 'P2', async () => {
-    const patterns = ['tailwind.config','postcss.config','vite.config','styles','css','scss'];
-    const entries  = await fs.readdir(process.cwd()).catch(() => []);
-    if (!entries.some(f => patterns.some(p => f.includes(p))))
-      throw new Error('No styling configuration found');
-  });
+      // Phase 8 — AI Bug Classification
+      this.#terminal.setPhase('🤖 Phase 8: AI Bug Classification');
+      await this.#phaseAIClassification();
 
-  t('API client configuration', 'ui', 'P2', async () => {
-    const apiFiles = ['src/api','src/services','src/lib','src/utils','src/hooks'];
-    for (const f of apiFiles) {
-      if (await fs.pathExists(path.join(process.cwd(), f))) return;
+    } catch (err) {
+      this.emit('engine:error', err);
+      throw err;
+    } finally {
+      this.#terminal.stop();
+      await this.#interactor.close().catch(() => {});
     }
-    throw new Error('No API client/services directory found');
-  });
-
-  t('State management configured', 'ui', 'P2', async () => {
-    const pkg  = await fs.readJson(path.join(process.cwd(), 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['redux','@reduxjs/toolkit','zustand','mobx','recoil','jotai','pinia','vuex'].some(d => deps[d]))
-      throw new Error('No state management library found');
-  });
-
-  t('Router configured', 'ui', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(process.cwd(), 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['react-router','react-router-dom','@reach/router','next','nuxt','@angular/router'].some(d => deps[d]))
-      throw new Error('No router library found');
-  });
 
-  t('Form handling library', 'ui', 'P2', async () => {
-    const pkg  = await fs.readJson(path.join(process.cwd(), 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['react-hook-form','formik','vee-validate','@angular/forms'].some(d => deps[d]))
-      throw new Error('No form handling library (react-hook-form/formik)');
-  });
+    return this.#session;
+  }
 
-  t('HTTP client configured', 'ui', 'P1', async () => {
-    const pkg  = await fs.readJson(path.join(process.cwd(), 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['axios','swr','@tanstack/react-query','ky','got','node-fetch'].some(d => deps[d]))
-      throw new Error('No HTTP client library (axios/@tanstack/react-query)');
-  });
+  abort() {
+    this.#aborted = true;
+    this.#terminal.stop();
+    this.#interactor.close().catch(() => {});
+  }
 
-  t('UI component library', 'ui', 'P3', async () => {
-    const pkg  = await fs.readJson(path.join(process.cwd(), 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['@mui/material','antd','chakra-ui','shadcn-ui','@headlessui/react','radix-ui','mantine'].some(d => deps[d]))
-      throw new Error('No UI component library found');
-  });
+  // ── Phase 1: Discovery ─────────────────────────────────────────────────
+  async #phaseDiscovery() {
+    for (const [label, url] of Object.entries(this.#session.urls)) {
+      if (!url) continue;
+      this.#terminal.log(`Crawling ${label}: ${url}`);
 
-  t('Internationalization (i18n)', 'ui', 'P3', async () => {
-    const pkg  = await fs.readJson(path.join(process.cwd(), 'package.json')).catch(() => ({}));
-    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    if (!['i18next','react-i18next','vue-i18n','@angular/localize','next-intl'].some(d => deps[d]))
-      throw new Error('No i18n library found — consider adding internationalization');
-  });
+      const routes = await this.#crawler.crawl(url, {
+        maxPages   : 60,
+        maxDepth   : 4,
+        onRoute    : (route) => {
+          this.#session.routeMap.push(route);
+          this.#terminal.log(`  Found: ${route.url} (${route.type})`);
+        },
+      });
 
-  t('Error boundary component', 'ui', 'P2', async () => {
-    const candidates = ['src/components/ErrorBoundary','src/components/error-boundary','src/ErrorBoundary'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(process.cwd(), c))) return;
+      this.#addResult({
+        name    : `[${label}] Route Discovery`,
+        type    : 'discovery',
+        category: 'crawl',
+        status  : routes.length > 0 ? 'PASS' : 'FAIL',
+        message : routes.length > 0
+          ? `Discovered ${routes.length} routes`
+          : 'No routes discovered — site may be unreachable',
+        data    : { routeCount: routes.length, routes },
+        url,
+        label,
+      });
     }
-    throw new Error('No ErrorBoundary component found');
-  });
+  }
 
-  t('Loading/skeleton components', 'ui', 'P3', async () => {
-    const candidates = ['src/components/Loading','src/components/Skeleton','src/components/Spinner'];
-    for (const c of candidates) {
-      if (await fs.pathExists(path.join(process.cwd(), c))) return;
-    }
-    throw new Error('No Loading/Skeleton component found');
-  });
+  // ── Phase 2: Real API Validation ───────────────────────────────────────
+  async #phaseAPIValidation() {
+    const apiRoutes = this.#session.routeMap.filter(r =>
+      r.type === 'api' || r.url.includes('/api/')
+    );
 
-  return tests;
-}
+    this.#terminal.log(`Validating ${apiRoutes.length} API endpoints...`);
 
-// ── Endpoint Tests (unchanged logic + unlimited) ──────────────────────────
-function buildEndpointTests(endpoints) {
-  const tests = [];
-  for (const ep of endpoints) {
-    const label = `${ep.method} ${ep.route}`;
-
-    tests.push({ id: shortId(), name: `Happy path: ${label}`, type: 'happy-path', sev: 'P2', fn: async () => {
-      await sleep(30 + Math.random() * 80);
-      if (!ep.route || !ep.method) throw new Error('Endpoint missing route or method');
-    }});
-
-    if (ep.schemaFields && Object.keys(ep.schemaFields).length > 0) {
-      tests.push({ id: shortId(), name: `Validation: ${label}`, type: 'validation', sev: 'P2', fn: async () => {
-        await sleep(25);
-        const missing = Object.entries(ep.schemaFields).filter(([, t]) => !t);
-        if (missing.length) throw new Error(`Fields missing types: ${missing.map(([k]) => k).join(', ')}`);
-      }});
-
-      tests.push({ id: shortId(), name: `Edge case — empty payload: ${label}`, type: 'edge-case', sev: 'P2', fn: async () => {
-        await sleep(20);
-      }});
-
-      tests.push({ id: shortId(), name: `Edge case — oversized payload: ${label}`, type: 'edge-case', sev: 'P3', fn: async () => {
-        await sleep(20);
-      }});
-    }
+    for (const route of apiRoutes) {
+      if (this.#aborted) break;
+      this.#terminal.setCurrentTest(`API: ${route.url}`);
+
+      const result = await this.#apiValidator.probe(route.url);
+      this.#session.apiLog.push(result);
+
+      this.#addResult({
+        name    : `API: ${route.url}`,
+        type    : 'api',
+        category: 'api-validation',
+        status  : result.pass ? 'PASS' : 'FAIL',
+        message : result.message,
+        data    : {
+          statusCode : result.statusCode,
+          responseTime: result.responseTime,
+          contentType: result.contentType,
+          body       : result.body?.slice(0, 500),
+          headers    : result.headers,
+        },
+        url     : route.url,
+        duration: result.responseTime,
+      });
 
-    if (/\/admin|\/user|\/auth|\/profile|\/dashboard|\/private|\/me/i.test(ep.route)) {
-      tests.push({ id: shortId(), name: `Auth guard: ${label}`, type: 'auth', sev: 'P0', fn: async () => {
-        await sleep(40);
-      }});
-      tests.push({ id: shortId(), name: `Auth — expired token: ${label}`, type: 'auth', sev: 'P1', fn: async () => {
-        await sleep(30);
-      }});
-      tests.push({ id: shortId(), name: `Auth — invalid role: ${label}`, type: 'auth', sev: 'P1', fn: async () => {
-        await sleep(30);
-      }});
+      if (!result.pass) {
+        this.#session.addBug({
+          title      : `API Failure: ${route.url}`,
+          severity   : result.statusCode >= 500 ? 'P0' : 'P1',
+          type       : 'api',
+          description: result.message,
+          evidence   : result,
+        });
+      }
     }
 
-    tests.push({ id: shortId(), name: `Response time < 2s: ${label}`, type: 'performance', sev: 'P2', fn: async () => {
-      await sleep(10);
-    }});
+    // Detect APIs from network traffic
+    const discoveredAPIs = await this.#apiValidator.discoverFromNetworkLog(
+      this.#session.networkLog
+    );
+    for (const api of discoveredAPIs) {
+      if (!apiRoutes.find(r => r.url === api.url)) {
+        this.#session.apiLog.push(api);
+      }
+    }
   }
-  return tests;
-}
 
-// ─────────────────────────────────────────────────────────────────────────
-//  Live Dashboard
-// ─────────────────────────────────────────────────────────────────────────
-class LiveDashboard {
-  #lines       = 0;
-  #active      = false;
-  #startTime   = Date.now();
-  #lastResults = [];
-  #runningTest = null;
-  #bugs        = [];
-  #log         = [];
-
-  start() {
-    this.#active    = true;
-    this.#startTime = Date.now();
-    process.stdout.write(CURSOR_HIDE);
-    this.render({});
-  }
+  // ── Phase 3: Browser Interactions ─────────────────────────────────────
+  async #phaseBrowserInteractions() {
+    const pageRoutes = this.#session.routeMap.filter(r =>
+      r.type === 'page' || r.type === 'unknown'
+    );
 
-  stop() {
-    this.#active = false;
-    process.stdout.write(CURSOR_SHOW);
-    this.#clearLines();
-  }
+    for (const route of pageRoutes.slice(0, 25)) {
+      if (this.#aborted) break;
+      this.#terminal.setCurrentTest(`Browser: ${route.url}`);
+
+      const result = await this.#interactor.testPage(route.url, {
+        onConsoleError: (err) => {
+          this.#session.consoleErrors.push({ url: route.url, ...err });
+        },
+        onNetworkEvent: (event) => {
+          this.#session.networkLog.push({ url: route.url, ...event });
+        },
+      });
 
-  updateRunning(name) { this.#runningTest = name; }
-  addResult(r)        { this.#lastResults.push(r); this.#runningTest = null; }
-  addBug(b)           { this.#bugs.push(b); }       // ← NO LIMIT
-  addLog(msg)         { this.#log.push(`${DIM(new Date().toLocaleTimeString())} ${msg}`); if (this.#log.length > 8) this.#log.shift(); }
-
-  render(summary) {
-    if (!this.#active) return;
-    this.#clearLines();
-    const lines = this.#buildLines(summary);
-    this.#lines = lines.length;
-    process.stdout.write(lines.join('\n') + '\n');
-  }
+      // Real screenshot on failure
+      if (!result.pass || result.consoleErrors.length > 0) {
+        const screenshot = await this.#screenshotter.capture(
+          result.page,
+          `fail-${shortId()}`
+        );
+        if (screenshot) {
+          result.screenshotPath = screenshot;
+          this.#session.screenshots.push({ url: route.url, path: screenshot, reason: result.failReason });
+        }
+      }
 
-  #clearLines() {
-    if (this.#lines > 0) {
-      process.stdout.write(CURSOR_UP(this.#lines) + CLEAR_LINE);
-      for (let i = 1; i < this.#lines; i++) process.stdout.write('\n' + CLEAR_LINE);
-      process.stdout.write(CURSOR_UP(this.#lines - 1));
-    }
-  }
+      this.#addResult({
+        name    : `Page: ${route.url}`,
+        type    : 'browser',
+        category: 'interaction',
+        status  : result.pass ? (result.consoleErrors.length > 0 ? 'FLAKY' : 'PASS') : 'FAIL',
+        message : result.message,
+        data    : {
+          loadTime      : result.loadTime,
+          consoleErrors : result.consoleErrors,
+          networkErrors : result.networkErrors,
+          interactedElements: result.interactedElements,
+          screenshotPath: result.screenshotPath,
+          jsErrors      : result.jsErrors,
+          resourcesFailed: result.resourcesFailed,
+          renderTime    : result.renderTime,
+          domContentLoaded: result.domContentLoaded,
+        },
+        url     : route.url,
+        duration: result.loadTime,
+        screenshotPath: result.screenshotPath,
+      });
 
-  #buildLines(summary = {}) {
-    const elapsed  = ((Date.now() - this.#startTime) / 1000).toFixed(1);
-    const sys      = getSystemStats();
-    const results  = this.#lastResults;
-    const total    = results.length;
-    const passed   = results.filter(r => ['PASS','FLAKY'].includes(r.status)).length;
-    const failed   = results.filter(r => r.status === 'FAIL').length;
-    const flaky    = results.filter(r => r.status === 'FLAKY').length;
-    const passRate = total > 0 ? Math.round((passed / total) * 100) : 0;
-
-    const lines = [];
-    const w     = Math.min(process.stdout.columns || 80, 90);
-    const bar   = '─'.repeat(w - 2);
-
-    lines.push(chalk.hex('#00F5FF').bold(`┌${bar}┐`));
-    lines.push(chalk.hex('#00F5FF').bold('│') + chalk.hex('#BF40FF').bold(`  ⚡ BACKLIST MAXIMUM QA — v${VERSION}`.padEnd(w - 2)) + chalk.hex('#00F5FF').bold('│'));
-    lines.push(chalk.hex('#00F5FF').bold(`├${bar}┤`));
-
-    const metrics = [
-      `${chalk.green('✓')} ${chalk.white.bold(passed)} passed`,
-      `${chalk.red('✗')} ${chalk.white.bold(failed)} failed`,
-      `${chalk.yellow('⚠')} ${chalk.white.bold(flaky)} flaky`,
-      `${chalk.cyan('🐛')} ${chalk.white.bold(this.#bugs.length)} bugs`,
-      `${chalk.gray('⏱')} ${chalk.white(elapsed + 's')}`,
-    ].map(m => m.padEnd(22)).join('  ');
-    lines.push(chalk.hex('#00F5FF').bold('│') + '  ' + metrics.slice(0, w - 4) + chalk.hex('#00F5FF').bold('│'));
-
-    const pBar = buildProgressBar(passRate, 30);
-    lines.push(chalk.hex('#00F5FF').bold('│') + `  [${pBar}] ${chalk.white.bold(passRate + '%')} (${total} tests run)`.padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    lines.push(chalk.hex('#00F5FF').bold('│') + `  ${DIM('Heap')} ${chalk.white(sys.heapMB + 'MB')}  ${DIM('RSS')} ${chalk.white(sys.rss)}  ${DIM('Up')} ${chalk.white(sys.uptime + 's')}  ${DIM('Node')} ${chalk.white(process.version)}`.padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    lines.push(chalk.hex('#00F5FF').bold(`├${bar}┤`));
-
-    const runLine = this.#runningTest
-      ? `  ${chalk.cyan('⟳')} ${chalk.cyan('Running:')} ${chalk.white(this.#runningTest.slice(0, w - 18))}`
-      : `  ${chalk.gray('⊘  Idle...')}`;
-    lines.push(chalk.hex('#00F5FF').bold('│') + runLine.padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    lines.push(chalk.hex('#00F5FF').bold(`├${bar}┤`));
-
-    lines.push(chalk.hex('#00F5FF').bold('│') + chalk.gray('  Recent results:').padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    const recent = results.slice(-6);
-    for (const r of recent) {
-      const type = chalk.gray(`[${(r.type || '').padEnd(13)}]`);
-      const dur  = chalk.gray(formatDuration(r.duration));
-      const row  = `  ${colorStatus(r.status)}  ${type} ${chalk.white(r.name.slice(0, w - 44))}  ${dur}`;
-      lines.push(chalk.hex('#00F5FF').bold('│') + row.padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    }
-    for (let i = recent.length; i < 6; i++) {
-      lines.push(chalk.hex('#00F5FF').bold('│') + '  '.padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    }
+      // Real console errors → bugs
+      for (const err of result.consoleErrors) {
+        this.#session.addBug({
+          title      : `JS Error: ${err.text?.slice(0, 80)}`,
+          severity   : err.type === 'error' ? 'P1' : 'P2',
+          type       : 'javascript',
+          description: err.text,
+          url        : route.url,
+          evidence   : err,
+        });
+      }
 
-    lines.push(chalk.hex('#00F5FF').bold(`├${bar}┤`));
-    lines.push(chalk.hex('#00F5FF').bold('│') + chalk.gray(`  Bugs (${this.#bugs.length} total — unlimited):`).padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    const recentBugs = this.#bugs.slice(-4);
-    for (const b of recentBugs) {
-      const bugLine = `  ${colorSeverity(b.severity)} ${chalk.white(b.title.slice(0, w - 22))}`;
-      lines.push(chalk.hex('#00F5FF').bold('│') + bugLine.padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    }
-    for (let i = recentBugs.length; i < 4; i++) {
-      lines.push(chalk.hex('#00F5FF').bold('│') + '  '.padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    }
+      // Real network failures → bugs
+      for (const nErr of result.networkErrors) {
+        this.#session.addBug({
+          title      : `Network Failure: ${nErr.url}`,
+          severity   : 'P2',
+          type       : 'network',
+          description: `${nErr.method} ${nErr.url} → ${nErr.failure}`,
+          url        : route.url,
+          evidence   : nErr,
+        });
+      }
 
-    lines.push(chalk.hex('#00F5FF').bold(`├${bar}┤`));
-    lines.push(chalk.hex('#00F5FF').bold('│') + chalk.gray('  Event log:').padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    const recentLogs = this.#log.slice(-4);
-    for (const entry of recentLogs) {
-      lines.push(chalk.hex('#00F5FF').bold('│') + ('  ' + entry).slice(0, w - 2).padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    }
-    for (let i = recentLogs.length; i < 4; i++) {
-      lines.push(chalk.hex('#00F5FF').bold('│') + '  '.padEnd(w - 2) + chalk.hex('#00F5FF').bold('│'));
-    }
+      // Test forms on the page
+      if (result.forms && result.forms.length > 0) {
+        await this.#testForms(route.url, result.forms, result.page);
+      }
 
-    lines.push(chalk.hex('#00F5FF').bold(`└${bar}┘`));
-    lines.push(DIM(`  ${total} tests run · ${this.#bugs.length} bugs · Ctrl+C to stop`));
-    return lines;
+      // Test auth flows
+      if (this.#isAuthPage(route.url)) {
+        await this.#testAuthFlow(route.url, result.page);
+      }
+    }
   }
-}
 
-// ─────────────────────────────────────────────────────────────────────────
-//  Test Runner  (unlimited bugs, 3 retries)
-// ─────────────────────────────────────────────────────────────────────────
-class TestRunner extends EventEmitter {
-  #results  = [];
-  #running  = false;
-  #aborted  = false;
+  // ── Phase 4: Security ─────────────────────────────────────────────────
+  async #phaseSecurityScan() {
+    for (const [label, url] of Object.entries(this.#session.urls)) {
+      if (!url) continue;
 
-  async run(tests, dashboard = null) {
-    this.#running = true;
-    this.#aborted = false;
-    this.#results = [];
+      const findings = await this.#security.scan(url);
+      this.#session.secFindings.push(...findings);
 
-    for (const test of tests) {
-      if (this.#aborted) break;
-      if (dashboard) {
-        dashboard.updateRunning(test.name);
-        dashboard.addLog(`▶ ${test.name}`);
-        dashboard.render({});
-      }
+      for (const finding of findings) {
+        this.#addResult({
+          name    : `Security: ${finding.check}`,
+          type    : 'security',
+          category: finding.category,
+          status  : finding.pass ? 'PASS' : 'FAIL',
+          message : finding.detail,
+          data    : finding.evidence,
+          url,
+          label,
+          severity: finding.severity,
+        });
 
-      const result = await this.#runOne(test);
-      this.#results.push(result);
-      this.emit('result', result);
-
-      if (dashboard) {
-        dashboard.addResult(result);
-        if (result.status === 'FAIL') {
-          dashboard.addBug({
-            id      : `BUG-${shortId()}`,
-            title   : test.name,
-            severity: test.sev || this.#classifySeverity(test.type, result.error),
-            status  : 'OPEN',
+        if (!finding.pass && (finding.severity === 'P0' || finding.severity === 'P1')) {
+          this.#session.addBug({
+            title      : `Security: ${finding.check}`,
+            severity   : finding.severity,
+            type       : 'security',
+            description: finding.detail,
+            url,
+            evidence   : finding.evidence,
+            recommendation: finding.recommendation,
           });
-          dashboard.addLog(chalk.red(`✗ FAIL: ${test.name}`));
-        } else {
-          dashboard.addLog(chalk.green(`✓ ${result.status}: ${test.name} (${formatDuration(result.duration)})`));
         }
-        dashboard.render({});
-        await sleep(40);
       }
     }
-
-    this.#running = false;
-    return [...this.#results];
   }
 
-  abort() { this.#aborted = true; }
+  // ── Phase 5: Performance ──────────────────────────────────────────────
+  async #phasePerformance() {
+    for (const [label, url] of Object.entries(this.#session.urls)) {
+      if (!url) continue;
+
+      const metrics = await this.#performance.profile(url);
+      this.#session.perfMetrics[label] = metrics;
+
+      // Core Web Vitals as real test results
+      const vitals = [
+        { name: 'LCP',  value: metrics.lcp,  threshold: 2500,  unit: 'ms' },
+        { name: 'FID',  value: metrics.fid,  threshold: 100,   unit: 'ms' },
+        { name: 'CLS',  value: metrics.cls,  threshold: 0.1,   unit: ''   },
+        { name: 'FCP',  value: metrics.fcp,  threshold: 1800,  unit: 'ms' },
+        { name: 'TTFB', value: metrics.ttfb, threshold: 800,   unit: 'ms' },
+        { name: 'TTI',  value: metrics.tti,  threshold: 3800,  unit: 'ms' },
+        { name: 'TBT',  value: metrics.tbt,  threshold: 200,   unit: 'ms' },
+      ];
+
+      for (const vital of vitals) {
+        const pass = vital.value !== null && vital.value <= vital.threshold;
+        const na   = vital.value === null;
+
+        this.#addResult({
+          name    : `[${label}] ${vital.name} — Core Web Vital`,
+          type    : 'performance',
+          category: 'web-vitals',
+          status  : na ? 'SKIP' : (pass ? 'PASS' : 'FAIL'),
+          message : na
+            ? `${vital.name} not measurable`
+            : `${vital.name}: ${vital.value}${vital.unit} (threshold: ${vital.threshold}${vital.unit})`,
+          data    : { value: vital.value, threshold: vital.threshold, unit: vital.unit },
+          url,
+          label,
+          duration: vital.value,
+        });
 
-  #classifySeverity(type, error = '') {
-    if (type === 'auth' || type === 'security')              return 'P0';
-    if (type === 'e2e'  || error?.includes('crash'))         return 'P1';
-    if (type === 'database' || type === 'error-handling')    return 'P1';
-    if (type === 'validation' || type === 'performance')     return 'P2';
-    if (type === 'docker' || type === 'ci')                  return 'P2';
-    return 'P3';
-  }
+        if (!na && !pass) {
+          this.#session.addBug({
+            title      : `Poor ${vital.name}: ${vital.value}${vital.unit} (>${vital.threshold}${vital.unit})`,
+            severity   : vital.name === 'LCP' || vital.name === 'CLS' ? 'P1' : 'P2',
+            type       : 'performance',
+            description: `${vital.name} exceeds threshold on ${label}`,
+            url,
+            evidence   : { value: vital.value, threshold: vital.threshold },
+            recommendation: `Optimize ${vital.name} — see https://web.dev/vitals`,
+          });
+        }
+      }
 
-  async #runOne(test) {
-    const { id, name, type, sev, fn, timeout = DEFAULT_TIMEOUT_MS } = test;
-    const start   = Date.now();
-    let lastError = null;
-
-    for (let attempt = 0; attempt <= FLAKY_RETRY_COUNT; attempt++) {
-      try {
-        await Promise.race([
-          fn(),
-          sleep(timeout).then(() => { throw new Error(`Timed out after ${timeout}ms`); }),
-        ]);
-        const status = attempt > 0 ? 'FLAKY' : 'PASS';
-        return { id, name, type, sev, status, duration: Date.now() - start, retries: attempt, error: null };
-      } catch (err) {
-        lastError = err.message;
-        if (attempt < FLAKY_RETRY_COUNT) await sleep(300);
+      // Real resource analysis
+      for (const resource of (metrics.slowResources || [])) {
+        this.#addResult({
+          name    : `[${label}] Slow resource: ${resource.url.split('/').pop()}`,
+          type    : 'performance',
+          category: 'resource',
+          status  : 'FAIL',
+          message : `${resource.url} took ${resource.duration}ms (${formatBytes(resource.size)})`,
+          data    : resource,
+          url,
+          label,
+          duration: resource.duration,
+        });
       }
     }
-
-    return { id, name, type, sev, status: 'FAIL', duration: Date.now() - start, retries: FLAKY_RETRY_COUNT, error: lastError };
   }
-}
 
-// ─────────────────────────────────────────────────────────────────────────
-//  URL-Based QA  (no limit)
-// ─────────────────────────────────────────────────────────────────────────
-export async function runUrlQA({ localUrl, prodUrl, silent = false } = {}) {
-  const runId     = `UQA-${shortId()}`;
-  const startedAt = timestamp();
-  const allTests  = [];
-  const probes    = [];
+  // ── Phase 6: Accessibility ────────────────────────────────────────────
+  async #phaseAccessibility() {
+    const pageRoutes = this.#session.routeMap
+      .filter(r => r.type === 'page' || r.type === 'unknown')
+      .slice(0, 15);
 
-  if (!localUrl && !prodUrl) {
-    console.log(chalk.red('  No URLs provided.'));
-    return null;
-  }
+    for (const route of pageRoutes) {
+      if (this.#aborted) break;
+      this.#terminal.setCurrentTest(`A11y: ${route.url}`);
+
+      const result = await this.#a11y.check(route.url);
+      this.#session.a11yResults.push({ url: route.url, ...result });
+
+      for (const violation of result.violations) {
+        this.#addResult({
+          name    : `A11y [${violation.impact}]: ${violation.description}`,
+          type    : 'accessibility',
+          category: violation.category || 'wcag',
+          status  : 'FAIL',
+          message : `${violation.nodes} element(s) affected — ${violation.help}`,
+          data    : {
+            impact  : violation.impact,
+            wcagTags: violation.tags,
+            nodes   : violation.affectedNodes,
+            helpUrl : violation.helpUrl,
+          },
+          url     : route.url,
+          severity: violation.impact === 'critical' ? 'P0'
+                  : violation.impact === 'serious'  ? 'P1'
+                  : violation.impact === 'moderate' ? 'P2' : 'P3',
+        });
 
-  if (!silent) {
-    console.log('');
-    console.log(chalk.hex('#00F5FF').bold(`  ── 🌐 URL-Based QA v${VERSION} — MAXIMUM ────────────────`));
-    console.log('');
-  }
+        if (violation.impact === 'critical' || violation.impact === 'serious') {
+          this.#session.addBug({
+            title      : `A11y: ${violation.description}`,
+            severity   : violation.impact === 'critical' ? 'P0' : 'P1',
+            type       : 'accessibility',
+            description: `${violation.nodes} element(s): ${violation.help}`,
+            url        : route.url,
+            evidence   : violation.affectedNodes,
+            recommendation: violation.helpUrl,
+          });
+        }
+      }
 
-  if (localUrl) {
-    const probe = new HttpProbe(localUrl);
-    probes.push({ probe, label: 'localhost', url: localUrl });
-    if (!silent) console.log(chalk.gray(`  → localhost: ${localUrl}`));
-  }
-  if (prodUrl) {
-    const probe = new HttpProbe(prodUrl);
-    probes.push({ probe, label: 'production', url: prodUrl });
-    if (!silent) console.log(chalk.gray(`  → production: ${prodUrl}`));
+      // Passes also recorded as real results
+      for (const pass of (result.passes || []).slice(0, 5)) {
+        this.#addResult({
+          name    : `A11y Pass: ${pass.description}`,
+          type    : 'accessibility',
+          category: 'wcag',
+          status  : 'PASS',
+          message : `${pass.nodes} element(s) verified`,
+          data    : pass,
+          url     : route.url,
+        });
+      }
+    }
   }
 
-  for (const { probe, label } of probes) {
-    allTests.push(...buildUrlTestSuite(probe, label));
-  }
+  // ── Phase 7: SEO ──────────────────────────────────────────────────────
+  async #phaseSEO() {
+    const pageRoutes = this.#session.routeMap
+      .filter(r => r.type === 'page' || r.type === 'unknown')
+      .slice(0, 20);
 
-  if (!silent) {
-    console.log(chalk.gray(`\n  ${allTests.length} HTTP tests across ${probes.length} target(s) — no limit\n`));
-  }
+    for (const route of pageRoutes) {
+      if (this.#aborted) break;
+      this.#terminal.setCurrentTest(`SEO: ${route.url}`);
+
+      const result = await this.#seo.scan(route.url);
+      this.#session.seoResults.push({ url: route.url, ...result });
+
+      for (const check of result.checks) {
+        this.#addResult({
+          name    : `SEO: ${check.name} — ${new URL(route.url).pathname}`,
+          type    : 'seo',
+          category: check.category,
+          status  : check.pass ? 'PASS' : 'FAIL',
+          message : check.detail,
+          data    : check.data,
+          url     : route.url,
+          severity: check.severity,
+        });
 
-  const dashboard = silent ? null : new LiveDashboard();
-  const runner    = new TestRunner();
-  const autoBugs  = [];
-
-  // ← UNLIMITED: every failure = a bug report, no cap
-  runner.on('result', r => {
-    if (r.status === 'FAIL') {
-      autoBugs.push({
-        id         : `HTTP-${shortId()}`,
-        title      : r.name,
-        severity   : r.sev || (r.type === 'security' || r.type === 'auth' ? 'P0' : 'P2'),
-        status     : 'OPEN',
-        description: r.error || '',
-        type       : r.type,
-        createdAt  : timestamp(),
-      });
+        if (!check.pass && (check.severity === 'P0' || check.severity === 'P1')) {
+          this.#session.addBug({
+            title      : `SEO: ${check.name}`,
+            severity   : check.severity,
+            type       : 'seo',
+            description: check.detail,
+            url        : route.url,
+            recommendation: check.recommendation,
+          });
+        }
+      }
     }
-  });
-
-  if (dashboard) dashboard.start();
-  const results = await runner.run(allTests, dashboard);
-  if (dashboard) dashboard.stop();
-
-  const routeScans = [];
-  for (const { probe, label } of probes) {
-    if (!silent) console.log(chalk.gray(`\n  Route scan for ${label} (${COMMON_ROUTES.length} routes)...`));
-    const ps = await probe.probeRoutes(COMMON_ROUTES);
-    routeScans.push(...ps.map(r => ({ label, ...r })));
   }
 
-  const duration = Date.now() - new Date(startedAt).getTime();
-  const summary  = buildSummary(results);
-  const coverage = buildCoverageMatrix(results);
-
-  if (!silent) printResultsSummary(results, autoBugs);
-
-  const run = {
-    id: runId, type: 'url-qa', version: VERSION, startedAt, duration,
-    urls: probes.map(p => ({ label: p.label, url: p.url })),
-    results, bugReports: autoBugs, summary, coverage, routeScans,
-  };
-
-  await saveRun(run);
-  const reportFile = await exportReport(run);
-  if (!silent && reportFile) console.log(chalk.gray(`  📄 Report: ${reportFile}`));
-
-  return run;
-}
-
-// ─────────────────────────────────────────────────────────────────────────
-//  Automated QA — Full Maximum Scan
-// ─────────────────────────────────────────────────────────────────────────
-export async function runAutomatedQA({ continuous = false, localUrl, prodUrl } = {}) {
-  const runOnce = async () => {
-    const runId     = `AQA-${shortId()}`;
-    const startedAt = timestamp();
-
-    console.log('');
-    console.log(chalk.hex('#BF40FF').bold(`  ── 🤖 MAXIMUM Automated QA v${VERSION} ────────────────`));
-    console.log('');
-
-    let endpoints = [];
-    try {
-      const { analyzeFrontend } = await import('../analyzer.js');
-      endpoints = await analyzeFrontend(path.join(process.cwd(), 'src'));
-    } catch {}
-
-    const allTests = [
-      ...buildFullSystemTests(),
-      ...buildEndpointTests(endpoints),
-      ...buildUITests(),
-    ];
+  // ── Phase 8: AI Classification ────────────────────────────────────────
+  async #phaseAIClassification() {
+    this.#terminal.log(`AI classifying ${this.#session.bugs.length} bugs...`);
 
-    console.log(chalk.gray(
-      `  ${allTests.length} tests · ${new Set(allTests.map(t => t.type)).size} categories · unlimited bugs\n`
-    ));
+    for (const bug of this.#session.bugs) {
+      const classification = await this.#aiClassifier.classify(bug, this.#session);
+      bug.aiSeverity     = classification.severity;
+      bug.aiCategory     = classification.category;
+      bug.aiRecommendation = classification.recommendation;
+      bug.aiConfidence   = classification.confidence;
+    }
 
-    const dashboard = new LiveDashboard();
-    const runner    = new TestRunner();
-    const autoBugs  = [];
-
-    // ← UNLIMITED bugs
-    runner.on('result', r => {
-      if (r.status === 'FAIL') {
-        autoBugs.push({
-          id        : `AUTO-${shortId()}`,
-          title     : `Automated: ${r.name}`,
-          severity  : r.sev || (r.type === 'security' || r.type === 'auth' ? 'P0' :
-                     r.type === 'database' || r.type === 'error-handling' ? 'P1' :
-                     r.type === 'e2e' ? 'P1' : 'P2'),
-          status    : 'OPEN',
-          description: r.error || '',
-          type      : r.type,
-          createdAt : timestamp(),
-        });
-      }
+    // Sort bugs by AI-determined severity
+    this.#session.bugs.sort((a, b) => {
+      const order = { P0: 0, P1: 1, P2: 2, P3: 3 };
+      return (order[a.aiSeverity || a.severity] || 3) - (order[b.aiSeverity || b.severity] || 3);
     });
+  }
 
-    dashboard.start();
-    const results = await runner.run(allTests, dashboard);
-    dashboard.stop();
+  // ── Form Testing ──────────────────────────────────────────────────────
+  async #testForms(url, forms, page) {
+    for (const form of forms.slice(0, 3)) {
+      this.#terminal.setCurrentTest(`Form: ${url} — ${form.action || 'unknown'}`);
+
+      const result = await this.#interactor.testForm(page, form);
+
+      this.#addResult({
+        name    : `Form test: ${url} → ${form.action || 'inline'}`,
+        type    : 'form',
+        category: 'user-flow',
+        status  : result.pass ? 'PASS' : 'FAIL',
+        message : result.message,
+        data    : {
+          fields      : form.fields,
+          action      : form.action,
+          method      : form.method,
+          validationOk: result.validationOk,
+          submissionOk: result.submissionOk,
+          errors      : result.errors,
+        },
+        url,
+        duration: result.duration,
+      });
 
-    // URL QA on top
-    if (localUrl || prodUrl) {
-      const urlRun = await runUrlQA({ localUrl, prodUrl, silent: true });
-      if (urlRun) {
-        results.push(...urlRun.results);
-        autoBugs.push(...urlRun.bugReports);
+      if (!result.pass) {
+        this.#session.addBug({
+          title      : `Form broken: ${form.action || url}`,
+          severity   : 'P1',
+          type       : 'form',
+          description: result.message,
+          url,
+          evidence   : result.errors,
+        });
       }
     }
-
-    const duration = Date.now() - new Date(startedAt).getTime();
-    const summary  = buildSummary(results);
-    const coverage = buildCoverageMatrix(results);
-
-    printResultsSummary(results, autoBugs);
-
-    const run = {
-      id: runId, type: 'automated', version: VERSION, startedAt, duration,
-      results, bugReports: autoBugs, summary, coverage,
-      urls: [localUrl, prodUrl].filter(Boolean).map((u, i) => ({
-        label: i === 0 ? 'localhost' : 'production', url: u,
-      })),
-    };
-
-    await saveRun(run);
-    const reportFile = await exportReport(run);
-    if (reportFile) console.log(chalk.gray(`  📄 Report: ${reportFile}`));
-    await printRunDiff(run);
-
-    p.outro(chalk.hex('#00F5FF').bold(
-      `Run ${runId} — ${results.length} tests · ${autoBugs.length} bugs · ${formatDuration(duration)}`
-    ));
-    return run;
-  };
-
-  if (!continuous) { await runOnce(); return; }
-
-  console.log(chalk.cyan(`  ⚡ Continuous mode — every ${WATCH_INTERVAL_MS / 1000}s. Ctrl+C to stop.\n`));
-  let i = 0;
-  while (true) {
-    console.log(chalk.gray(`\n  ── Iteration ${++i} ── ${new Date().toLocaleTimeString()}`));
-    await runOnce();
-    await sleep(WATCH_INTERVAL_MS);
   }
-}
 
-// ─────────────────────────────────────────────────────────────────────────
-//  Helpers
-// ─────────────────────────────────────────────────────────────────────────
-function buildCoverageMatrix(results) {
-  const matrix = {};
-  for (const r of results) {
-    if (!matrix[r.type]) matrix[r.type] = { total: 0, passed: 0, failed: 0, skipped: 0, flaky: 0 };
-    matrix[r.type].total++;
-    if (r.status === 'PASS')  matrix[r.type].passed++;
-    if (r.status === 'FAIL')  matrix[r.type].failed++;
-    if (r.status === 'SKIP')  matrix[r.type].skipped++;
-    if (r.status === 'FLAKY') { matrix[r.type].flaky++; matrix[r.type].passed++; }
-  }
-  return matrix;
-}
+  // ── Auth Flow Testing ─────────────────────────────────────────────────
+  async #testAuthFlow(url, page) {
+    this.#terminal.setCurrentTest(`Auth flow: ${url}`);
 
-function buildSummary(results) {
-  return {
-    total  : results.length,
-    passed : results.filter(r => ['PASS','FLAKY'].includes(r.status)).length,
-    failed : results.filter(r => r.status === 'FAIL').length,
-    skipped: results.filter(r => r.status === 'SKIP').length,
-    flaky  : results.filter(r => r.status === 'FLAKY').length,
-  };
-}
+    const result = await this.#interactor.testAuthFlow(page, url, {
+      testCredentials: [
+        { username: 'test@example.com',  password: 'wrong-password-test', expectFail: true },
+        { username: 'invalid@test.com',  password: 'wrong123',            expectFail: true },
+        { username: '',                  password: '',                    expectFail: true },
+      ],
+    });
 
-function printResultsSummary(results, bugs = []) {
-  const passed   = results.filter(r => ['PASS','FLAKY'].includes(r.status)).length;
-  const failed   = results.filter(r => r.status === 'FAIL').length;
-  const passRate = results.length ? Math.round((passed / results.length) * 100) : 0;
+    this.#addResult({
+      name    : `Auth flow: ${url}`,
+      type    : 'auth',
+      category: 'authentication',
+      status  : result.pass ? 'PASS' : 'FAIL',
+      message : result.message,
+      data    : result.details,
+      url,
+      duration: result.duration,
+    });
 
-  // Group bugs by severity
-  const sevGroups = { P0: [], P1: [], P2: [], P3: [] };
-  bugs.forEach(b => { if (sevGroups[b.severity]) sevGroups[b.severity].push(b); });
+    if (!result.pass) {
+      this.#session.addBug({
+        title      : `Auth flow issue: ${url}`,
+        severity   : 'P0',
+        type       : 'auth',
+        description: result.message,
+        url,
+        evidence   : result.details,
+      });
+    }
+  }
 
-  console.log('');
-  console.log(chalk.hex('#00F5FF').bold('  ── MAXIMUM Scan Results ──────────────────────────────'));
-  console.log(`  Tests:     ${chalk.white.bold(results.length)} total`);
-  console.log(`  Pass rate: [${buildProgressBar(passRate, 24)}] ${chalk.white.bold(passRate + '%')}`);
-  console.log(`  ${chalk.green('✓')} ${passed} passed  ${chalk.red('✗')} ${failed} failed`);
-  console.log(`  Bugs: ${chalk.white.bold(bugs.length)} total — ${chalk.red.bold(sevGroups.P0.length)} P0 · ${chalk.yellow.bold(sevGroups.P1.length)} P1 · ${chalk.cyan(sevGroups.P2.length)} P2 · ${chalk.gray(sevGroups.P3.length)} P3`);
-
-  if (failed > 0) {
-    console.log('');
-    console.log(chalk.red.bold('  Failed Tests:'));
-    results.filter(r => r.status === 'FAIL').forEach(f => {
-      const sev = f.sev ? ` [${colorSeverity(f.sev)}]` : '';
-      console.log(chalk.red(`    ✗${sev} [${f.type}] ${f.name}`));
-      if (f.error) console.log(chalk.gray(`      → ${f.error}`));
-    });
+  #isAuthPage(url) {
+    return /\/(login|signin|auth|register|signup)/i.test(url);
   }
 
-  if (bugs.length > 0 && sevGroups.P0.length + sevGroups.P1.length > 0) {
-    console.log('');
-    console.log(chalk.red.bold('  Critical Bug Reports (P0/P1):'));
-    [...sevGroups.P0, ...sevGroups.P1].forEach(b => {
-      console.log(`    ${colorSeverity(b.severity)} ${b.title}`);
-      if (b.description) console.log(chalk.gray(`      → ${b.description}`));
-    });
+  // ── Add real result ────────────────────────────────────────────────────
+  #addResult(result) {
+    const r = {
+      id       : shortId(),
+      timestamp: timestamp(),
+      duration : result.duration || 0,
+      ...result,
+    };
+    this.#session.addResult(r);
+    this.#terminal.addResult(r);
+    this.emit('result', r);
+    return r;
   }
-  console.log('');
 }
 
 // ─────────────────────────────────────────────────────────────────────────
-//  HTML Report v11 — Full Maximum
+//  Public API — exported functions
 // ─────────────────────────────────────────────────────────────────────────
-function buildHTMLReport(runData) {
-  const { id, startedAt, duration, results, bugReports, coverage, summary, urls = [], routeScans = [] } = runData;
-  const passRate    = summary.total > 0 ? ((summary.passed / summary.total) * 100).toFixed(1) : 0;
-  const statusColor = passRate >= 90 ? '#22c55e' : passRate >= 70 ? '#f59e0b' : '#ef4444';
-
-  const typeColors = {
-    'happy-path'    : ['#064e3b','#34d399'],
-    'validation'    : ['#1e3a5f','#60a5fa'],
-    'auth'          : ['#3b1f5e','#c084fc'],
-    'edge-case'     : ['#3b2a1a','#f59e0b'],
-    'performance'   : ['#1a2a3b','#38bdf8'],
-    'security'      : ['#450a0a','#f87171'],
-    'e2e'           : ['#1a3b2a','#4ade80'],
-    'ui'            : ['#2a1a3b','#a78bfa'],
-    'http'          : ['#0f2a3b','#38bdf8'],
-    'seo'           : ['#1a2e0f','#86efac'],
-    'a11y'          : ['#2e1a0f','#fca5a5'],
-    'links'         : ['#0f1a2e','#93c5fd'],
-    'database'      : ['#1a1a3b','#818cf8'],
-    'docker'        : ['#0f2a2a','#2dd4bf'],
-    'ci'            : ['#1a2e1a','#86efac'],
-    'code-quality'  : ['#2e2a0f','#fde68a'],
-    'typescript'    : ['#0f1a3b','#60a5fa'],
-    'environment'   : ['#2a0f1a','#f9a8d4'],
-    'logging'       : ['#1a2a1a','#4ade80'],
-    'error-handling': ['#3b1a1a','#fca5a5'],
-    'api-contract'  : ['#1a0f2e','#c4b5fd'],
-    'dependency'    : ['#2a1a0f','#fdba74'],
-    'cors'          : ['#0f2a1a','#6ee7b7'],
-    'rate-limit'    : ['#2a0f2a','#d8b4fe'],
-    'file-structure': ['#0f1a1a','#7dd3fc'],
-  };
-
-  const badgeStyle = (type) => {
-    const [bg, fg] = typeColors[type] ?? ['#1e293b','#94a3b8'];
-    return `background:${bg};color:${fg};padding:2px 8px;border-radius:4px;font-size:.7rem;font-weight:500`;
-  };
-
-  const covBars = Object.entries(coverage).map(([type, d]) => {
-    const pct = d.total ? ((d.passed / d.total) * 100).toFixed(0) : 0;
-    const [, fg] = typeColors[type] ?? ['','#94a3b8'];
-    return `<div style="display:flex;align-items:center;gap:.75rem;margin-bottom:.5rem">
-      <div style="width:130px;font-size:.75rem;color:#94a3b8">${type}</div>
-      <div style="flex:1;background:#2d2d4e;border-radius:4px;height:7px;overflow:hidden">
-        <div style="height:100%;width:${pct}%;background:${fg};border-radius:4px"></div>
-      </div>
-      <div style="width:70px;text-align:right;font-size:.75rem;color:#64748b">${d.passed}/${d.total} (${pct}%)</div>
-    </div>`;
-  }).join('');
-
-  const rows = results.map(r => `<tr class="${r.status.toLowerCase()}">
-    <td>${r.name}</td>
-    <td><span style="${badgeStyle(r.type)}">${r.type}</span></td>
-    <td><span class="status status-${r.status.toLowerCase()}">${r.status}</span></td>
-    <td>${r.sev ? `<span class="sev-${(r.sev||'').toLowerCase()}">${r.sev}</span>` : '—'}</td>
-    <td>${r.duration}ms</td>
-    <td>${r.retries > 0 ? `<span style="background:#422006;color:#fb923c;padding:2px 6px;border-radius:3px;font-size:.7rem">${r.retries}x</span>` : '—'}</td>
-    <td class="err">${r.error ? `<code>${r.error}</code>` : '—'}</td>
-  </tr>`).join('');
-
-  // All bug reports — no limit
-  const sevOrder = { P0: 0, P1: 1, P2: 2, P3: 3 };
-  const sortedBugs = [...bugReports].sort((a, b) => (sevOrder[a.severity] || 3) - (sevOrder[b.severity] || 3));
-  const bugCards = sortedBugs.length
-    ? sortedBugs.map(b => `
-      <div class="bug-card bug-${(b.severity||'p3').toLowerCase()}">
-        <div class="bug-header">
-          <span class="bug-id">${b.id}</span>
-          <span class="bug-sev">${b.severity}</span>
-          <span class="bug-type">[${b.type || 'general'}]</span>
-          <span class="bug-st">${b.status}</span>
-        </div>
-        <div class="bug-title">${b.title}</div>
-        ${b.description ? `<div class="bug-desc">${b.description}</div>` : ''}
-      </div>`).join('')
-    : '<p style="color:#34d399;text-align:center;padding:1rem">No bugs 🎉</p>';
-
-  const sevCounts = { P0: 0, P1: 0, P2: 0, P3: 0 };
-  bugReports.forEach(b => { if (sevCounts[b.severity] !== undefined) sevCounts[b.severity]++; });
-
-  const routeCards = routeScans.length
-    ? routeScans.map(r => `
-      <div style="display:flex;align-items:center;gap:.75rem;padding:.4rem .75rem;border-bottom:1px solid #1a1a2e;font-size:.78rem">
-        <span style="font-family:monospace;min-width:36px;color:${r.status>=200&&r.status<400?'#34d399':r.status>=500?'#f87171':'#f59e0b'}">${r.status||'ERR'}</span>
-        <span style="flex:1;color:#94a3b8;font-family:monospace">${r.route}</span>
-        <span style="color:#64748b">${r.duration}ms</span>
-        <span style="font-size:.68rem;padding:1px 5px;background:#1e293b;color:#64748b;border-radius:3px">${r.label}</span>
-      </div>`).join('')
-    : '<p style="color:#64748b;font-size:.85rem;padding:.5rem">No route scans.</p>';
-
-  const urlCards = urls.length
-    ? urls.map(u => `
-      <div style="background:#1e1e30;border:1px solid #2d2d4e;border-radius:8px;padding:.75rem 1rem;margin-bottom:.5rem;display:flex;justify-content:space-between;align-items:center">
-        <span style="font-size:.75rem;color:#64748b;text-transform:uppercase">${u.label}</span>
-        <a href="${u.url}" target="_blank" style="font-size:.8rem;color:#60a5fa">${u.url}</a>
-      </div>`).join('')
-    : '';
-
-  const chartLabels  = JSON.stringify(Object.keys(coverage));
-  const chartPassed  = JSON.stringify(Object.values(coverage).map(d => d.passed));
-  const chartFailed  = JSON.stringify(Object.values(coverage).map(d => d.failed));
-  const chartFlaky   = JSON.stringify(Object.values(coverage).map(d => d.flaky));
-
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8">
-<meta name="viewport" content="width=device-width,initial-scale=1">
-<title>Backlist MAXIMUM QA v${VERSION} — ${id}</title>
-<script src="https://cdnjs.cloudflare.com/ajax/libs/Chart.js/4.4.1/chart.umd.js"></script>
-<style>
-*{box-sizing:border-box;margin:0;padding:0}
-body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#0a0a12;color:#e2e8f0;font-size:14px;line-height:1.6}
-header{background:#0f0f1e;border-bottom:2px solid #00f5ff33;padding:1.5rem 2rem;display:flex;align-items:center;justify-content:space-between}
-header h1{font-size:1.3rem;font-weight:700;color:#00f5ff}
-header p{color:#64748b;font-size:.82rem;margin-top:4px}
-.badge{font-size:.72rem;color:#BF40FF;padding:3px 12px;border:1px solid #BF40FF;border-radius:20px}
-.container{max-width:1300px;margin:0 auto;padding:2rem}
-.metrics{display:grid;grid-template-columns:repeat(auto-fit,minmax(130px,1fr));gap:.75rem;margin-bottom:1.5rem}
-.mc{background:#1e1e30;border:1px solid #2d2d4e;border-radius:10px;padding:1rem 1.25rem;transition:border .2s}
-.mc:hover{border-color:#00f5ff44}
-.ml{font-size:.68rem;color:#64748b;text-transform:uppercase;letter-spacing:.08em}
-.mv{font-size:1.9rem;font-weight:700;margin-top:4px}
-.section{background:#1e1e30;border:1px solid #2d2d4e;border-radius:10px;padding:1.5rem;margin-bottom:1.25rem}
-.section-title{font-size:.92rem;font-weight:600;margin-bottom:1rem;color:#cbd5e1;border-bottom:1px solid #2d2d4e;padding-bottom:.75rem;display:flex;justify-content:space-between;align-items:center}
-.grid2{display:grid;grid-template-columns:1fr 1fr;gap:1rem}
-.grid3{display:grid;grid-template-columns:1fr 1fr 1fr;gap:1rem}
-table{width:100%;border-collapse:collapse;font-size:.8rem}
-th{text-align:left;color:#64748b;font-weight:500;padding:.5rem .75rem;border-bottom:1px solid #2d2d4e;white-space:nowrap}
-td{padding:.45rem .75rem;border-bottom:1px solid #1a1a2e;vertical-align:top;word-break:break-word}
-tr.fail td{background:rgba(239,68,68,.04)}
-tr.flaky td{background:rgba(245,158,11,.03)}
-.status{display:inline-block;padding:2px 8px;border-radius:4px;font-size:.7rem;font-weight:600}
-.status-pass{background:#064e3b;color:#34d399}
-.status-fail{background:#450a0a;color:#f87171}
-.status-skip{background:#1e293b;color:#94a3b8}
-.status-flaky{background:#422006;color:#fbbf24}
-.sev-p0{background:#450a0a;color:#f87171;padding:2px 6px;border-radius:3px;font-size:.7rem;font-weight:700}
-.sev-p1{background:#422006;color:#fbbf24;padding:2px 6px;border-radius:3px;font-size:.7rem;font-weight:700}
-.sev-p2{background:#1e3a5f;color:#60a5fa;padding:2px 6px;border-radius:3px;font-size:.7rem}
-.sev-p3{background:#1e293b;color:#94a3b8;padding:2px 6px;border-radius:3px;font-size:.7rem}
-.err code{font-size:.7rem;color:#f87171;background:#1a0a0a;padding:2px 6px;border-radius:3px}
-.bug-card{border-radius:8px;padding:.9rem 1rem;margin-bottom:.6rem;border-left:3px solid}
-.bug-p0{background:rgba(239,68,68,.08);border-color:#ef4444}
-.bug-p1{background:rgba(245,158,11,.07);border-color:#f59e0b}
-.bug-p2{background:rgba(96,165,250,.07);border-color:#60a5fa}
-.bug-p3{background:rgba(148,163,184,.06);border-color:#64748b}
-.bug-header{display:flex;gap:.6rem;align-items:center;margin-bottom:.4rem;flex-wrap:wrap}
-.bug-id{font-family:monospace;font-size:.72rem;color:#475569}
-.bug-sev{font-size:.7rem;font-weight:700;color:#f87171}
-.bug-type{font-size:.68rem;color:#64748b}
-.bug-st{font-size:.68rem;padding:2px 6px;border-radius:4px;background:#1e293b;color:#94a3b8}
-.bug-title{font-weight:600;margin-bottom:.2rem;font-size:.88rem}
-.bug-desc{font-size:.78rem;color:#94a3b8}
-.chart-wrap{position:relative;height:280px}
-.summary-bar{display:flex;gap:.5rem;align-items:center;margin:.5rem 0}
-footer{text-align:center;color:#334155;font-size:.7rem;padding:2rem;border-top:1px solid #1e293b;margin-top:2rem}
-@media(max-width:768px){.grid2,.grid3{grid-template-columns:1fr}}
-</style>
-</head>
-<body>
-<header>
-  <div>
-    <h1>🧪 Backlist MAXIMUM QA Report</h1>
-    <p>Run: ${id} &nbsp;·&nbsp; ${new Date(startedAt).toLocaleString()} &nbsp;·&nbsp; ${formatDuration(duration)} &nbsp;·&nbsp; ${results.length} tests &nbsp;·&nbsp; ${bugReports.length} bugs</p>
-  </div>
-  <span class="badge">v${VERSION} MAXIMUM</span>
-</header>
-<div class="container">
-
-  ${urlCards ? `<div class="section"><div class="section-title">Target URLs</div>${urlCards}</div>` : ''}
-
-  <div class="metrics">
-    <div class="mc"><div class="ml">Pass Rate</div><div class="mv" style="color:${statusColor}">${passRate}%</div></div>
-    <div class="mc"><div class="ml">Total Tests</div><div class="mv">${summary.total}</div></div>
-    <div class="mc"><div class="ml">Passed</div><div class="mv" style="color:#34d399">${summary.passed}</div></div>
-    <div class="mc"><div class="ml">Failed</div><div class="mv" style="color:#f87171">${summary.failed}</div></div>
-    <div class="mc"><div class="ml">Flaky</div><div class="mv" style="color:#fbbf24">${summary.flaky}</div></div>
-    <div class="mc"><div class="ml">Total Bugs</div><div class="mv" style="color:#c084fc">${bugReports.length}</div></div>
-    <div class="mc"><div class="ml">P0 Critical</div><div class="mv" style="color:#ef4444">${sevCounts.P0}</div></div>
-    <div class="mc"><div class="ml">P1 High</div><div class="mv" style="color:#f59e0b">${sevCounts.P1}</div></div>
-    <div class="mc"><div class="ml">P2 Medium</div><div class="mv" style="color:#60a5fa">${sevCounts.P2}</div></div>
-    <div class="mc"><div class="ml">P3 Low</div><div class="mv" style="color:#94a3b8">${sevCounts.P3}</div></div>
-    <div class="mc"><div class="ml">Categories</div><div class="mv">${Object.keys(coverage).length}</div></div>
-    <div class="mc"><div class="ml">Duration</div><div class="mv" style="font-size:1.3rem">${formatDuration(duration)}</div></div>
-  </div>
-
-  <div class="grid2">
-    <div class="section">
-      <div class="section-title">Coverage by Category <span style="font-size:.75rem;color:#64748b">${Object.keys(coverage).length} types</span></div>
-      ${covBars}
-    </div>
-    <div class="section">
-      <div class="section-title">Pass / Fail / Flaky by Type</div>
-      <div class="chart-wrap"><canvas id="typeChart"></canvas></div>
-    </div>
-  </div>
-
-  <div class="section">
-    <div class="section-title">
-      Bug Reports
-      <span style="font-size:.78rem;color:#64748b">${bugReports.length} bugs total — unlimited — sorted by severity</span>
-    </div>
-    ${bugCards}
-  </div>
-
-  <div class="section">
-    <div class="section-title">
-      Route Scan
-      <span style="font-size:.78rem;color:#64748b">${routeScans.length} routes probed</span>
-    </div>
-    ${routeCards}
-  </div>
-
-  <div class="section">
-    <div class="section-title">
-      All Test Results
-      <span style="font-size:.78rem;color:#64748b">${results.length} tests</span>
-    </div>
-    <table>
-      <thead>
-        <tr>
-          <th>Test Name</th><th>Type</th><th>Status</th>
-          <th>Sev</th><th>Duration</th><th>Retries</th><th>Error</th>
-        </tr>
-      </thead>
-      <tbody>${rows}</tbody>
-    </table>
-  </div>
-</div>
-
-<footer>
-  Backlist MAXIMUM QA v${VERSION} — ${results.length} tests · ${bugReports.length} bugs · Generated ${new Date().toLocaleString()}
-</footer>
-
-<script>
-new Chart(document.getElementById('typeChart'), {
-  type: 'bar',
-  data: {
-    labels: ${chartLabels},
-    datasets: [
-      { label: 'Passed', data: ${chartPassed}, backgroundColor: '#34d399', borderRadius: 3 },
-      { label: 'Failed', data: ${chartFailed}, backgroundColor: '#f87171', borderRadius: 3 },
-      { label: 'Flaky',  data: ${chartFlaky},  backgroundColor: '#fbbf24', borderRadius: 3 },
-    ],
-  },
-  options: {
-    responsive: true,
-    maintainAspectRatio: false,
-    plugins: {
-      legend: { labels: { color: '#94a3b8', font: { size: 11 } } },
-    },
-    scales: {
-      x: { stacked: true, ticks: { color: '#64748b', font: { size: 10 } }, grid: { color: '#1e293b' } },
-      y: { stacked: true, ticks: { color: '#64748b', stepSize: 1, font: { size: 10 } }, grid: { color: '#1e293b' } },
-    },
-  },
-});
-</script>
-</body>
-</html>`;
-}
 
-// ── History helpers ────────────────────────────────────────────────────────
 export async function initQASystem() {
   await fs.ensureDir(QA_DIR);
   await fs.ensureDir(REPORT_DIR);
+  await fs.ensureDir(SCREENSHOT_DIR);
   if (!await fs.pathExists(HISTORY_FILE)) {
-    await fs.writeJson(HISTORY_FILE, { runs: [] }, { spaces: 2 });
+    await fs.writeJson(HISTORY_FILE, { runs: [], version: VERSION }, { spaces: 2 });
   }
 }
 
-async function loadHistory() {
-  try { return await fs.readJson(HISTORY_FILE); }
-  catch { return { runs: [] }; }
+export async function saveSession(session) {
+  const history = await loadHistory();
+  const summary = session.getSummary();
+  history.runs.unshift({
+    id       : session.id,
+    startedAt: session.startedAt,
+    urls     : session.urls,
+    summary,
+    version  : VERSION,
+    bugCount : session.bugs.length,
+    screenshotCount: session.screenshots.length,
+  });
+  if (history.runs.length > 100) history.runs = history.runs.slice(0, 100);
+  await fs.writeJson(HISTORY_FILE, history, { spaces: 2 });
 }
 
-async function saveRun(run) {
-  const hist = await loadHistory();
-  hist.runs.unshift(run);
-  if (hist.runs.length > 100) hist.runs = hist.runs.slice(0, 100); // keep more history
-  await fs.writeJson(HISTORY_FILE, hist, { spaces: 2 });
+export async function loadHistory() {
+  try { return await fs.readJson(HISTORY_FILE); }
+  catch { return { runs: [], version: VERSION }; }
 }
 
-async function exportReport(run) {
-  try {
-    const slug     = run.id.toLowerCase();
-    const htmlPath = path.join(REPORT_DIR, `${slug}.html`);
-    const jsonPath = path.join(REPORT_DIR, `${slug}.json`);
-    await fs.writeFile(htmlPath, buildHTMLReport(run));
-    await fs.writeJson(jsonPath, run, { spaces: 2 });
-    return htmlPath;
-  } catch (err) {
-    console.error(chalk.gray(`  [warn] Report write failed: ${err.message}`));
+// ── URL QA entry point ────────────────────────────────────────────────────
+export async function runUrlQA({ localUrl, stagingUrl, prodUrl, options = {} } = {}) {
+  const urls = {};
+  if (localUrl)   urls.localhost  = localUrl;
+  if (stagingUrl) urls.staging    = stagingUrl;
+  if (prodUrl)    urls.production = prodUrl;
+
+  if (Object.keys(urls).length === 0) {
+    console.log(chalk.red('  No URLs provided.'));
     return null;
   }
+
+  const session = new QASession(urls);
+  const engine  = new QAEngine(session, options);
+
+  await engine.init();
+  await engine.run();
+  await saveSession(session);
+
+  const htmlReporter = new HTMLReporter(session);
+  const jsonReporter = new JSONReporter(session);
+
+  const htmlPath = await htmlReporter.generate(REPORT_DIR);
+  const jsonPath = await jsonReporter.generate(REPORT_DIR);
+
+  return { session, htmlPath, jsonPath };
 }
 
-async function printRunDiff(currentRun) {
-  try {
-    const hist = await loadHistory();
-    const prev = hist.runs.find(r => r.id !== currentRun.id && r.type === currentRun.type);
-    if (!prev) return;
-    const prevRate = prev.summary.total ? (prev.summary.passed / prev.summary.total * 100).toFixed(0) : 0;
-    const currRate = currentRun.summary.total
-      ? (currentRun.summary.passed / currentRun.summary.total * 100).toFixed(0) : 0;
-    const delta = Number(currRate) - Number(prevRate);
-    if (delta === 0) return;
-    const arrow = delta > 0 ? chalk.green(`↑ +${delta}%`) : chalk.red(`↓ ${delta}%`);
-    console.log(chalk.gray(`  vs previous run (${prev.id}): ${arrow} pass rate`));
-  } catch {}
+// ── Automated QA entry point ──────────────────────────────────────────────
+export async function runAutomatedQA({ continuous = false, localUrl, prodUrl, stagingUrl } = {}) {
+  const runOnce = async () => {
+    const urls = {};
+    if (localUrl)   urls.localhost  = localUrl;
+    if (stagingUrl) urls.staging    = stagingUrl;
+    if (prodUrl)    urls.production = prodUrl;
+
+    if (Object.keys(urls).length === 0) {
+      console.log(chalk.yellow('  No URLs configured. Skipping URL-based tests.'));
+    }
+
+    const session = new QASession(urls);
+    const engine  = new QAEngine(session);
+
+    await engine.init();
+    await engine.run();
+    await saveSession(session);
+
+    const htmlPath = await new HTMLReporter(session).generate(REPORT_DIR);
+    const jsonPath = await new JSONReporter(session).generate(REPORT_DIR);
+
+    const summary = session.getSummary();
+    console.log(chalk.hex('#00F5FF').bold(
+      `\n  ✓ Run ${session.id} — ${summary.total} tests · ${summary.failed} failed · ` +
+      `${session.bugs.length} bugs · ${formatDuration(summary.duration)}`
+    ));
+    if (htmlPath) console.log(chalk.gray(`  📄 Report: ${htmlPath}`));
+    return session;
+  };
+
+  if (!continuous) return runOnce();
+
+  console.log(chalk.cyan('  ⚡ Continuous mode — re-runs every 60s. Ctrl+C to stop.\n'));
+  let i = 0;
+  while (true) {
+    console.log(chalk.gray(`\n  ── Run #${++i} ── ${new Date().toLocaleTimeString()}`));
+    await runOnce();
+    await sleep(60_000);
+  }
 }
 
-// ─────────────────────────────────────────────────────────────────────────
-//  Manual QA Flow
-// ─────────────────────────────────────────────────────────────────────────
+// ── Manual QA ─────────────────────────────────────────────────────────────
 export async function runManualQA() {
-  const runId     = `MQA-${shortId()}`;
-  const startedAt = timestamp();
-  const runner    = new TestRunner();
-  const bugs      = [];
-  const manualResults = [];
-
   console.log('');
+
   const action = await p.select({
-    message: 'Manual QA — Maximum Mode:',
+    message: 'Manual QA — what to run?',
     options: [
-      { value: 'url-scan',      label: '🌐 URL-Based Scan',              hint: 'HTTP probe — all routes, security, SEO, a11y' },
-      { value: 'full-scan',     label: '🔬 Maximum Full System Scan',    hint: '120+ file system tests' },
-      { value: 'security-scan', label: '🛡️  Security Deep Scan',         hint: 'All security + auth tests' },
-      { value: 'db-scan',       label: '🗄️  Database Deep Scan',          hint: 'Schema, indexes, seeder, ORM' },
-      { value: 'docker-scan',   label: '🐳 Docker + CI/CD Scan',         hint: 'Dockerfile, compose, workflows' },
-      { value: 'code-quality',  label: '📐 Code Quality Scan',           hint: 'ESLint, Prettier, TS strict' },
-      { value: 'ui-tests',      label: '🖥️  UI/Frontend Tests',          hint: '12 frontend checks' },
-      { value: 'new-test',      label: '✏️  Custom Test',                 hint: 'Create and run your own' },
-      { value: 'log-bug',       label: '🐛  Log Bug Report',             hint: 'Unlimited bug logging' },
+      { value: 'full-url',  label: '🌐 Full URL-Based Real Scan', hint: 'Browser + API + Security + Perf + SEO + A11y' },
+      { value: 'security',  label: '🛡️  Security Only',           hint: 'Real HTTP security header + vuln scan'         },
+      { value: 'perf',      label: '⚡ Performance Only',          hint: 'Real Core Web Vitals measurement'             },
+      { value: 'a11y',      label: '♿ Accessibility Only',        hint: 'Real axe-core WCAG scan'                      },
+      { value: 'seo',       label: '🔎 SEO Only',                  hint: 'Real meta, og, robots, sitemap scan'          },
+      { value: 'api',       label: '📡 API Only',                  hint: 'Real endpoint probe + contract validation'    },
     ],
   });
   if (p.isCancel(action)) { p.cancel('Cancelled.'); return; }
 
-  const dashboard = new LiveDashboard();
-
-  if (action === 'url-scan') {
-    const localUrl = await p.text({ message: 'Localhost URL:', placeholder: 'http://localhost:3000' });
-    const prodUrl  = await p.text({ message: 'Production URL (blank to skip):', placeholder: 'https://yoursite.com' });
-    if (p.isCancel(localUrl)) { p.cancel('Cancelled.'); return; }
-    const run = await runUrlQA({
-      localUrl: String(localUrl).trim() || undefined,
-      prodUrl : String(prodUrl).trim()  || undefined,
-    });
-    if (run) manualResults.push(...run.results);
-
-  } else if (action === 'log-bug') {
-    await logBugInteractive(bugs);
-
-  } else if (action === 'new-test') {
-    await createAndRunTestInteractive(runner, manualResults, dashboard);
-
-  } else if (action === 'full-scan') {
-    dashboard.start();
-    const results = await runner.run([...buildFullSystemTests(), ...buildUITests()], dashboard);
-    manualResults.push(...results);
-    dashboard.stop();
-    printResultsSummary(results);
-
-  } else if (action === 'ui-tests') {
-    dashboard.start();
-    const results = await runner.run(buildUITests(), dashboard);
-    manualResults.push(...results);
-    dashboard.stop();
-    printResultsSummary(results);
-
-  } else if (action === 'security-scan') {
-    const all = buildFullSystemTests();
-    const sec = all.filter(t => ['security','auth','cors','rate-limit','environment'].includes(t.type));
-    dashboard.start();
-    const results = await runner.run(sec, dashboard);
-    manualResults.push(...results);
-    dashboard.stop();
-    printResultsSummary(results);
-
-  } else if (action === 'db-scan') {
-    const all = buildFullSystemTests();
-    const db  = all.filter(t => t.type === 'database');
-    dashboard.start();
-    const results = await runner.run(db, dashboard);
-    manualResults.push(...results);
-    dashboard.stop();
-    printResultsSummary(results);
-
-  } else if (action === 'docker-scan') {
-    const all    = buildFullSystemTests();
-    const docker = all.filter(t => ['docker','ci'].includes(t.type));
-    dashboard.start();
-    const results = await runner.run(docker, dashboard);
-    manualResults.push(...results);
-    dashboard.stop();
-    printResultsSummary(results);
-
-  } else if (action === 'code-quality') {
-    const all = buildFullSystemTests();
-    const cq  = all.filter(t => ['code-quality','typescript','logging','error-handling'].includes(t.type));
-    dashboard.start();
-    const results = await runner.run(cq, dashboard);
-    manualResults.push(...results);
-    dashboard.stop();
-    printResultsSummary(results);
-  }
+  const localUrl = await p.text({
+    message    : 'Localhost URL:',
+    placeholder: 'http://localhost:3000',
+  });
+  if (p.isCancel(localUrl)) { p.cancel('Cancelled.'); return; }
 
-  const again = await p.confirm({ message: 'Run another scan?' });
-  if (!p.isCancel(again) && again) return runManualQA();
+  const prodUrl = await p.text({
+    message    : 'Production URL (blank to skip):',
+    placeholder: 'https://yoursite.com',
+  });
 
-  const duration = Date.now() - new Date(startedAt).getTime();
-  const summary  = buildSummary(manualResults);
-  const coverage = buildCoverageMatrix(manualResults);
-  const run = {
-    id: runId, type: 'manual', version: VERSION, startedAt, duration,
-    results: manualResults, bugReports: bugs, summary, coverage,
+  const urls = {
+    localhost : String(localUrl).trim() || undefined,
+    production: !p.isCancel(prodUrl) ? String(prodUrl).trim() || undefined : undefined,
   };
-  await saveRun(run);
-  const reportFile = await exportReport(run);
 
-  p.outro(chalk.hex('#00F5FF').bold(`✓ Session — ${pluralize(manualResults.length, 'test')}, ${pluralize(bugs.length, 'bug')}`));
-  if (reportFile) console.log(chalk.gray(`  📄 Report: ${reportFile}`));
-}
+  const session = new QASession(urls);
+  const engine  = new QAEngine(session);
+  await engine.init();
 
-async function logBugInteractive(bugs) {
-  const title = await p.text({ message: 'Bug title:' });
-  if (p.isCancel(title)) return;
-  const severity = await p.select({
-    message: 'Severity:',
-    options: Object.entries(SEVERITY_LEVELS).map(([k, v]) => ({ value: k, label: `${k} — ${v}` })),
-  });
-  if (p.isCancel(severity)) return;
-  const type = await p.select({
-    message: 'Category:',
-    options: TEST_TYPES.map(t => ({ value: t, label: t })),
-  });
-  if (p.isCancel(type)) return;
-  const description = await p.text({ message: 'Description:', placeholder: 'Steps to reproduce…' });
-  bugs.push({
-    id: `BUG-${shortId()}`, title: String(title),
-    severity: String(severity), type: String(type), status: 'OPEN',
-    description: p.isCancel(description) ? '' : String(description),
-    createdAt: timestamp(),
-  });
-  console.log(chalk.green(`  ✓ Bug logged: ${colorSeverity(String(severity))} — unlimited bug tracking active`));
-}
+  // Only run selected phases
+  await engine.runPhase(action);
 
-async function createAndRunTestInteractive(runner, results, dashboard) {
-  const name = await p.text({ message: 'Test name:' });
-  if (p.isCancel(name)) return;
-  const type = await p.select({ message: 'Category:', options: TEST_TYPES.map(t => ({ value: t, label: t })) });
-  if (p.isCancel(type)) return;
-  const sev = await p.select({
-    message: 'Severity:',
-    options: ['P0','P1','P2','P3'].map(s => ({ value: s, label: s })),
-  });
-  if (p.isCancel(sev)) return;
-  const expectPass = await p.confirm({ message: 'Should this test pass?' });
-
-  dashboard.start();
-  const [result] = await runner.run([{
-    id: shortId(), name: String(name), type: String(type), sev: String(sev),
-    fn: async () => {
-      await sleep(400 + Math.random() * 300);
-      if (!expectPass) throw new Error('Test manually marked as failure');
-    },
-  }], dashboard);
-  results.push(result);
-  dashboard.stop();
-  console.log(`  ${colorStatus(result.status)}  ${result.name}  ${chalk.gray(formatDuration(result.duration))}`);
+  await saveSession(session);
+  const htmlPath = await new HTMLReporter(session).generate(REPORT_DIR);
+  if (htmlPath) {
+    p.outro(chalk.hex('#00F5FF').bold('✓ QA complete'));
+    console.log(chalk.gray(`  📄 Report: ${htmlPath}`));
+  }
 }
 
-// ── Post-gen validation ────────────────────────────────────────────────────
+// ── Post-generation validation ────────────────────────────────────────────
 export async function autoRunPostGeneration(options = {}) {
   console.log('');
-  console.log(chalk.hex('#00F5FF').bold(`  ── 🔬 Post-Generation MAXIMUM QA v${VERSION} ──────────`));
-  console.log(chalk.gray(`  Validating: ${options.projectName || path.basename(process.cwd())}`));
+  console.log(chalk.hex('#00F5FF').bold(`  ── 🔬 Post-Generation Real QA v${VERSION} ──`));
+  console.log(chalk.gray('  Note: Start your server first, then provide its URL'));
   console.log('');
 
-  const projectDir = options.projectDir || process.cwd();
-  const tests      = buildFullSystemTests(projectDir);
-  const runner     = new TestRunner();
-  const dashboard  = new LiveDashboard();
-  const autoBugs   = [];
-
-  console.log(chalk.gray(`  ${tests.length} tests — no limit on bug reports\n`));
-
-  runner.on('result', r => {
-    if (r.status === 'FAIL') {
-      autoBugs.push({
-        id: `POST-${shortId()}`, title: r.name,
-        severity  : r.sev || (r.type === 'security' ? 'P0' : r.type === 'database' ? 'P1' : 'P2'),
-        status    : 'OPEN', description: r.error || '',
-        type      : r.type, createdAt: timestamp(),
-      });
-    }
+  const url = await p.text({
+    message    : 'Server URL to validate:',
+    placeholder: 'http://localhost:3000',
+    defaultValue: 'http://localhost:3000',
   });
+  if (p.isCancel(url)) { p.cancel('Cancelled.'); return; }
 
-  dashboard.start();
-  const results = await runner.run(tests, dashboard);
-  dashboard.stop();
-
-  const summary  = buildSummary(results);
-  const coverage = buildCoverageMatrix(results);
-  const run      = {
-    id: `POST-${shortId()}`, type: 'post-generation', version: VERSION,
-    startedAt: timestamp(), duration: 0,
-    results, bugReports: autoBugs, summary, coverage,
-  };
-
-  await saveRun(run);
-  const reportFile = await exportReport(run);
-  printResultsSummary(results, autoBugs);
-
-  if (autoBugs.length > 0) {
-    console.log(chalk.red.bold(`  ⚠  ${autoBugs.length} issue(s) found:`));
-    autoBugs.forEach(b => console.log(chalk.red(`    ${colorSeverity(b.severity)} [${b.type}] ${b.title}`)));
-    console.log('');
+  const result = await runUrlQA({ localUrl: String(url).trim() });
+  if (result?.htmlPath) {
+    console.log(chalk.gray(`  📄 Report: ${result.htmlPath}`));
   }
-  if (reportFile) console.log(chalk.gray(`  📄 Report: ${reportFile}`));
 }
 
-// ── QA History ─────────────────────────────────────────────────────────────
+// ── View History ──────────────────────────────────────────────────────────
 export async function viewQAHistory() {
-  const hist = await loadHistory();
-  if (!hist.runs.length) { console.log(chalk.yellow('\n  No QA history.\n')); return; }
+  const history = await loadHistory();
+  if (!history.runs?.length) {
+    console.log(chalk.yellow('\n  No QA history found.\n'));
+    return;
+  }
 
   console.log('');
-  console.log(chalk.hex('#00F5FF').bold('  QA History — Maximum Edition (most recent)'));
-  console.log(chalk.gray('  ─────────────────────────────────────────────────────'));
+  console.log(chalk.hex('#00F5FF').bold('  QA History (real runs only)'));
+  console.log(chalk.gray('  ──────────────────────────────────────────────────────'));
+
+  for (const run of history.runs.slice(0, 15)) {
+    const rate   = run.summary?.passRate ?? '–';
+    const color  = Number(rate) >= 90 ? chalk.green : Number(rate) >= 70 ? chalk.yellow : chalk.red;
+    const bugs   = run.bugCount ?? 0;
+    const shots  = run.screenshotCount ?? 0;
+    const urlStr = Object.values(run.urls || {}).filter(Boolean).join(', ');
 
-  for (const run of hist.runs.slice(0, 15)) {
-    const passRate  = run.summary.total ? ((run.summary.passed / run.summary.total) * 100).toFixed(0) : '–';
-    const rateColor = Number(passRate) >= 90 ? chalk.green : Number(passRate) >= 70 ? chalk.yellow : chalk.red;
-    const bugs      = run.bugReports?.length ?? 0;
     console.log(
-      `  ${chalk.gray(run.id.padEnd(18))}  ${chalk.gray(new Date(run.startedAt).toLocaleString().padEnd(22))}` +
-      `  ${rateColor(`${passRate}%`.padStart(5))}  ${chalk.gray(`${run.summary.total} tests`)}  ${chalk.cyan(`${bugs} bugs`)}` +
-      `  ${chalk.dim(`v${run.version || '?'}`)}`
+      `  ${chalk.gray(run.id.padEnd(14))} ` +
+      `${chalk.gray(new Date(run.startedAt).toLocaleString().padEnd(24))} ` +
+      `${color(String(rate + '%').padStart(6))} ` +
+      `${chalk.gray(String(run.summary?.total || 0) + ' tests')} ` +
+      `${chalk.cyan(bugs + ' bugs')} ` +
+      `${chalk.gray(shots + ' shots')} ` +
+      `${chalk.dim(urlStr.slice(0, 40))}`
     );
   }
   console.log('');
 
   const chosen = await p.select({
-    message: 'View a run?',
+    message: 'Open a report?',
     options: [
-      ...hist.runs.slice(0, 8).map(r => ({
+      ...history.runs.slice(0, 8).map(r => ({
         value: r.id,
-        label: `${r.id} — ${new Date(r.startedAt).toLocaleString()} — ${r.bugReports?.length ?? 0} bugs`,
+        label: `${r.id} — ${new Date(r.startedAt).toLocaleString()} — ${r.bugCount} bugs`,
       })),
       { value: '__back', label: '↩ Back' },
     ],
   });
   if (p.isCancel(chosen) || chosen === '__back') return;
 
-  const run = hist.runs.find(r => r.id === chosen);
-  if (!run) return;
-
-  console.log('');
-  console.log(chalk.bold(`  Run: ${run.id} (${run.type}) v${run.version || '?'}`));
-  console.log(chalk.gray(`  ${new Date(run.startedAt).toLocaleString()}  ·  ${formatDuration(run.duration)}  ·  ${run.results.length} tests  ·  ${run.bugReports?.length ?? 0} bugs`));
-  if (run.urls?.length) console.log(chalk.gray(`  URLs: ${run.urls.map(u => u.url).join(', ')}`));
-  console.log('');
-
-  for (const r of run.results) {
-    console.log(`  ${colorStatus(r.status)}  [${r.type}] ${r.name}  ${chalk.gray(formatDuration(r.duration))}`);
-    if (r.error) console.log(chalk.red(`       ↳ ${r.error}`));
-  }
-
-  if (run.bugReports?.length) {
-    console.log('');
-    console.log(chalk.bold(`  All ${run.bugReports.length} Bug Reports:`));
-    for (const b of run.bugReports) {
-      console.log(`  ${colorSeverity(b.severity)}  [${b.type || ''}] ${b.title}  ${chalk.gray(`[${b.status}]`)}`);
-      if (b.description) console.log(chalk.gray(`       → ${b.description}`));
-    }
+  const reportPath = path.join(REPORT_DIR, `${chosen.toLowerCase()}.html`);
+  if (await fs.pathExists(reportPath)) {
+    console.log(chalk.green(`  📄 Report: ${reportPath}`));
+    // Open in browser if possible
+    try {
+      const { exec } = await import('node:child_process');
+      const cmd = process.platform === 'darwin' ? 'open'
+                : process.platform === 'win32'  ? 'start'
+                : 'xdg-open';
+      exec(`${cmd} "${reportPath}"`);
+    } catch {}
+  } else {
+    console.log(chalk.yellow('  Report file not found — may have been deleted.'));
   }
-  console.log('');
 }