create-backlist 10.0.3 → 10.0.5

package/src/qa/analyzers/api.js

@@ -0,0 +1,125 @@
+// Real API validator — every result from actual HTTP calls
+import { shortId, formatBytes } from '../qa-engine.js';
+
+const HTTP_TIMEOUT = 12_000;
+
+export class RealAPIValidator {
+  #session;
+
+  constructor(session) { this.#session = session; }
+
+  async probe(url, method = 'GET', options = {}) {
+    const t0 = Date.now();
+
+    try {
+      const controller = new AbortController();
+      const timer      = setTimeout(() => controller.abort(), HTTP_TIMEOUT);
+
+      const response = await fetch(url, {
+        method,
+        signal : controller.signal,
+        headers: {
+          'User-Agent': 'Backlist-QA/12.0',
+          'Accept'    : 'application/json, text/html, */*',
+          ...options.headers,
+        },
+        redirect: 'follow',
+      });
+      clearTimeout(timer);
+
+      const responseTime  = Date.now() - t0;
+      const contentType   = response.headers.get('content-type') || '';
+      const headers       = {};
+      response.headers.forEach((v, k) => { headers[k] = v; });
+
+      let body = '';
+      let bodySize = 0;
+      try {
+        body     = await response.text();
+        bodySize = new TextEncoder().encode(body).length;
+      } catch {}
+
+      let parsedBody = null;
+      if (contentType.includes('json')) {
+        try { parsedBody = JSON.parse(body); } catch {}
+      }
+
+      const statusCode = response.status;
+      const pass       = statusCode >= 200 && statusCode < 400;
+
+      return {
+        url,
+        method,
+        statusCode,
+        pass,
+        message    : pass
+          ? `${method} ${url} → ${statusCode} (${responseTime}ms)`
+          : `${method} ${url} → ${statusCode} FAIL`,
+        responseTime,
+        contentType,
+        headers,
+        body       : body.slice(0, 2000),
+        parsedBody,
+        bodySize,
+        bodySizeStr: formatBytes(bodySize),
+      };
+
+    } catch (err) {
+      const duration = Date.now() - t0;
+      return {
+        url,
+        method,
+        statusCode : 0,
+        pass       : false,
+        message    : `Connection failed: ${err.message}`,
+        responseTime: duration,
+        contentType: '',
+        headers    : {},
+        body       : '',
+        error      : err.message,
+      };
+    }
+  }
+
+  async discoverFromNetworkLog(networkLog) {
+    const seen = new Set();
+    const apis = [];
+
+    for (const entry of networkLog) {
+      if (!entry.url || seen.has(entry.url)) continue;
+      if (!entry.url.includes('/api/') && !entry.url.includes('/graphql')) continue;
+      seen.add(entry.url);
+      apis.push({
+        id    : shortId(),
+        url   : entry.url,
+        method: entry.method || 'GET',
+        type  : 'api',
+        source: 'network-log',
+      });
+    }
+
+    return apis;
+  }
+
+  // Validate API contract: response structure, required fields
+  async validateContract(url, expectedSchema = {}) {
+    const result = await this.probe(url);
+    if (!result.pass || !result.parsedBody) return result;
+
+    const violations = [];
+    for (const [key, type] of Object.entries(expectedSchema)) {
+      const val = result.parsedBody[key];
+      if (val === undefined) {
+        violations.push(`Missing field: ${key}`);
+      } else if (type && typeof val !== type) {
+        violations.push(`Field ${key}: expected ${type}, got ${typeof val}`);
+      }
+    }
+
+    return {
+      ...result,
+      contractPass    : violations.length === 0,
+      contractViolations: violations,
+    };
+  }
+}

package/src/qa/analyzers/performance.js

@@ -0,0 +1,124 @@
+// Performance profiler with HTTP fallback
+import { getBrowserLaunchOptions } from '../browser/installer.js';
+import { formatBytes }             from '../qa-engine.js';
+
+export class PerformanceProfiler {
+  #session;
+
+  constructor(session) { this.#session = session; }
+
+  async profile(url) {
+    const launchOpts = await getBrowserLaunchOptions();
+
+    if (!launchOpts.available) {
+      return this.#httpFallback(url);
+    }
+
+    let playwright;
+    try { playwright = await import('playwright'); }
+    catch { return this.#httpFallback(url); }
+
+    const { executablePath, headless, args } = launchOpts;
+    let browser;
+
+    try {
+      browser = await playwright.chromium.launch({ executablePath, headless, args });
+    } catch {
+      return this.#httpFallback(url);
+    }
+
+    const context       = await browser.newContext({ ignoreHTTPSErrors: true });
+    const page          = await context.newPage();
+    const slowResources = [];
+    const resourceTimings = [];
+
+    page.on('response', async res => {
+      try {
+        const timing   = res.timing();
+        if (!timing || timing.responseEnd <= 0) return;
+        const duration = Math.round(timing.responseEnd - timing.requestStart);
+        const entry    = { url: res.url(), type: res.request().resourceType(), status: res.status(), duration, size: 0 };
+        try { const body = await res.body(); entry.size = body?.length || 0; } catch {}
+        resourceTimings.push(entry);
+        if (duration > 2000) slowResources.push(entry);
+      } catch {}
+    });
+
+    try {
+      await page.goto(url, { waitUntil: 'networkidle', timeout: 30_000 });
+
+      const metrics = await page.evaluate(() => new Promise(resolve => {
+        const result = { lcp: null, fcp: null, cls: null, fid: null, ttfb: null, tbt: null, memoryUsed: null, domNodes: document.querySelectorAll('*').length };
+
+        try {
+          new PerformanceObserver(list => {
+            for (const e of list.getEntries()) {
+              if (e.entryType === 'paint' && e.name === 'first-contentful-paint') result.fcp = Math.round(e.startTime);
+              if (e.entryType === 'largest-contentful-paint') result.lcp = Math.round(e.startTime);
+            }
+          }).observe({ entryTypes: ['paint','largest-contentful-paint'] });
+        } catch {}
+
+        let cls = 0;
+        try {
+          new PerformanceObserver(list => {
+            for (const e of list.getEntries()) if (!e.hadRecentInput) cls += e.value;
+          }).observe({ entryTypes: ['layout-shift'] });
+        } catch {}
+
+        const nav = performance.getEntriesByType('navigation')[0];
+        if (nav) result.ttfb = Math.round(nav.responseStart);
+        if (performance.memory) result.memoryUsed = performance.memory.usedJSHeapSize;
+
+        setTimeout(() => { result.cls = parseFloat(cls.toFixed(4)); resolve(result); }, 5000);
+      }));
+
+      return { ...metrics, slowResources, resourceTimings: resourceTimings.slice(0, 50), url, mode: 'browser' };
+
+    } catch (err) {
+      return { ...this.#emptyMetrics(), error: err.message, url, mode: 'browser-error' };
+    } finally {
+      await page.close().catch(() => {});
+      await context.close().catch(() => {});
+      await browser.close().catch(() => {});
+    }
+  }
+
+  // HTTP-only fallback: measures real TTFB + response time
+  async #httpFallback(url) {
+    const t0 = Date.now();
+    try {
+      const controller = new AbortController();
+      const timer      = setTimeout(() => controller.abort(), 15_000);
+      const res        = await fetch(url, { signal: controller.signal, redirect: 'follow' });
+      clearTimeout(timer);
+      const ttfb       = Date.now() - t0;
+      const body       = await res.text().catch(() => '');
+      const totalTime  = Date.now() - t0;
+      const bodySize   = new TextEncoder().encode(body).length;
+
+      return {
+        lcp          : null,  // requires browser
+        fcp          : null,
+        cls          : null,
+        fid          : null,
+        tbt          : null,
+        ttfb,                 // real TTFB from HTTP
+        totalTime,            // real total response time
+        bodySize,
+        statusCode   : res.status,
+        slowResources: totalTime > 3000 ? [{ url, duration: totalTime, size: bodySize, type: 'document' }] : [],
+        resourceTimings: [],
+        url,
+        mode         : 'http-fallback',
+        note         : 'LCP/FCP/CLS require Playwright browser — run: npx playwright install chromium',
+      };
+    } catch (err) {
+      return { ...this.#emptyMetrics(), ttfb: null, error: err.message, url, mode: 'http-fallback' };
+    }
+  }
+
+  #emptyMetrics() {
+    return { lcp: null, fcp: null, cls: null, fid: null, ttfb: null, tbt: null, slowResources: [], resourceTimings: [] };
+  }
+}

package/src/qa/analyzers/security.js

@@ -0,0 +1,207 @@
+// Real security scanner — every result from actual HTTP responses
+const SECURITY_CHECKS = [
+  {
+    id    : 'csp',
+    name  : 'Content-Security-Policy',
+    header: 'content-security-policy',
+    sev   : 'P1',
+    category: 'headers',
+    validate: (v) => !!v,
+    recommendation: 'Add CSP header to prevent XSS attacks',
+  },
+  {
+    id    : 'hsts',
+    name  : 'HSTS',
+    header: 'strict-transport-security',
+    sev   : 'P1',
+    category: 'headers',
+    validate: (v) => !!v,
+    recommendation: 'Add HSTS to enforce HTTPS',
+  },
+  {
+    id    : 'xframe',
+    name  : 'X-Frame-Options',
+    header: 'x-frame-options',
+    sev   : 'P1',
+    category: 'headers',
+    validate: (v) => v && ['DENY','SAMEORIGIN'].includes(v.toUpperCase()),
+    recommendation: 'Set X-Frame-Options: DENY or SAMEORIGIN',
+  },
+  {
+    id    : 'xcto',
+    name  : 'X-Content-Type-Options',
+    header: 'x-content-type-options',
+    sev   : 'P2',
+    category: 'headers',
+    validate: (v) => v === 'nosniff',
+    recommendation: 'Set X-Content-Type-Options: nosniff',
+  },
+  {
+    id    : 'rp',
+    name  : 'Referrer-Policy',
+    header: 'referrer-policy',
+    sev   : 'P2',
+    category: 'headers',
+    validate: (v) => !!v,
+    recommendation: 'Add Referrer-Policy header',
+  },
+  {
+    id    : 'pp',
+    name  : 'Permissions-Policy',
+    header: 'permissions-policy',
+    sev   : 'P3',
+    category: 'headers',
+    validate: (v) => !!v,
+    recommendation: 'Add Permissions-Policy header',
+  },
+  {
+    id    : 'server',
+    name  : 'Server version not exposed',
+    header: 'server',
+    sev   : 'P2',
+    category: 'information-disclosure',
+    validate: (v) => !v || (!v.includes('/') && !(/\d+\.\d+/.test(v))),
+    recommendation: 'Remove or genericize the Server header',
+  },
+  {
+    id    : 'xpb',
+    name  : 'X-Powered-By not exposed',
+    header: 'x-powered-by',
+    sev   : 'P2',
+    category: 'information-disclosure',
+    validate: (v) => !v,
+    recommendation: 'Remove X-Powered-By header (app.disable("x-powered-by"))',
+  },
+];
+
+const CORS_CHECKS = [
+  {
+    id    : 'cors-wildcard-creds',
+    name  : 'CORS wildcard + credentials',
+    sev   : 'P0',
+    category: 'cors',
+    check : (h) => !(h['access-control-allow-origin'] === '*' && h['access-control-allow-credentials'] === 'true'),
+    recommendation: 'Never combine CORS wildcard with allow-credentials',
+  },
+];
+
+const HTTPS_TIMEOUT = 10_000;
+
+export class SecurityScanner {
+  #session;
+
+  constructor(session) { this.#session = session; }
+
+  async scan(url) {
+    const findings = [];
+
+    // Real HTTP request to get actual headers
+    let headers = {};
+    let statusCode = 0;
+    try {
+      const controller = new AbortController();
+      const timer      = setTimeout(() => controller.abort(), HTTPS_TIMEOUT);
+      const res        = await fetch(url, {
+        method : 'GET',
+        signal : controller.signal,
+        headers: { 'User-Agent': 'Backlist-SecurityScanner/12.0' },
+        redirect: 'follow',
+      });
+      clearTimeout(timer);
+      statusCode = res.status;
+      res.headers.forEach((v, k) => { headers[k] = v; });
+    } catch (err) {
+      findings.push({
+        check  : 'Server reachability',
+        detail : `Cannot reach ${url}: ${err.message}`,
+        pass   : false,
+        severity: 'P0',
+        category: 'connectivity',
+        evidence: { error: err.message },
+        recommendation: 'Ensure server is running and accessible',
+      });
+      return findings;
+    }
+
+    // Check all security headers against real response
+    for (const check of SECURITY_CHECKS) {
+      const value   = headers[check.header] || '';
+      const pass    = check.validate(value);
+      findings.push({
+        check   : check.name,
+        detail  : pass
+          ? `${check.header}: ${value || '(present)'}`
+          : `Missing or invalid ${check.header} — ${check.recommendation}`,
+        pass,
+        severity: pass ? 'INFO' : check.sev,
+        category: check.category,
+        evidence: { header: check.header, value: value || null, allHeaders: headers },
+        recommendation: check.recommendation,
+      });
+    }
+
+    // CORS checks on real headers
+    for (const check of CORS_CHECKS) {
+      const pass = check.check(headers);
+      findings.push({
+        check   : check.name,
+        detail  : pass ? 'CORS configuration looks safe' : `CORS misconfiguration: ${check.recommendation}`,
+        pass,
+        severity: pass ? 'INFO' : check.sev,
+        category: check.category,
+        evidence: {
+          'access-control-allow-origin'     : headers['access-control-allow-origin'],
+          'access-control-allow-credentials': headers['access-control-allow-credentials'],
+        },
+        recommendation: check.recommendation,
+      });
+    }
+
+    // HTTPS check
+    const isHTTPS = url.startsWith('https://');
+    findings.push({
+      check   : 'HTTPS enforced',
+      detail  : isHTTPS ? 'Site uses HTTPS' : 'Site is using HTTP — not encrypted',
+      pass    : isHTTPS,
+      severity: isHTTPS ? 'INFO' : 'P1',
+      category: 'encryption',
+      evidence: { url, protocol: new URL(url).protocol },
+      recommendation: 'Enforce HTTPS with valid SSL certificate',
+    });
+
+    // Probe sensitive files
+    const sensitiveProbes = [
+      { path: '/.env',          name: '.env exposed' },
+      { path: '/.git/config',   name: 'Git config exposed' },
+      { path: '/wp-config.php', name: 'WP config exposed' },
+      { path: '/phpinfo.php',   name: 'phpinfo exposed' },
+      { path: '/server-status', name: 'Apache server-status' },
+      { path: '/actuator',      name: 'Spring actuator exposed' },
+      { path: '/graphql',       name: 'GraphQL introspection' },
+    ];
+
+    const base = new URL(url).origin;
+    for (const probe of sensitiveProbes) {
+      try {
+        const controller = new AbortController();
+        const timer      = setTimeout(() => controller.abort(), 5000);
+        const r          = await fetch(`${base}${probe.path}`, { signal: controller.signal, redirect: 'manual' });
+        clearTimeout(timer);
+        const exposed    = r.status === 200;
+        findings.push({
+          check   : probe.name,
+          detail  : exposed
+            ? `EXPOSED at ${base}${probe.path} — critical security risk`
+            : `Not exposed: ${probe.path}`,
+          pass    : !exposed,
+          severity: exposed ? 'P0' : 'INFO',
+          category: 'information-disclosure',
+          evidence: { url: `${base}${probe.path}`, status: r.status },
+          recommendation: exposed ? `Immediately restrict access to ${probe.path}` : null,
+        });
+      } catch {}
+    }
+
+    return findings;
+  }
+}

package/src/qa/analyzers/seo.js

@@ -0,0 +1,248 @@
+// Real SEO scanner — fetches and parses actual HTML
+export class SEOScanner {
+  #session;
+
+  constructor(session) { this.#session = session; }
+
+  async scan(url) {
+    let html = '';
+    let statusCode = 0;
+    let headers    = {};
+    let responseTime = 0;
+
+    const t0 = Date.now();
+    try {
+      const controller = new AbortController();
+      const timer      = setTimeout(() => controller.abort(), 12_000);
+      const res        = await fetch(url, {
+        headers : { 'User-Agent': 'Googlebot/2.1 (+http://www.google.com/bot.html)' },
+        signal  : controller.signal,
+        redirect: 'follow',
+      });
+      clearTimeout(timer);
+      statusCode   = res.status;
+      responseTime = Date.now() - t0;
+      res.headers.forEach((v, k) => { headers[k] = v; });
+      html = await res.text();
+    } catch (err) {
+      return {
+        pass  : false,
+        checks: [{ name: 'Page reachable', pass: false, detail: err.message, severity: 'P0' }],
+        url,
+      };
+    }
+
+    const checks = [];
+
+    // Real HTML parsing checks
+    const has  = (pattern) => pattern.test(html);
+    const get  = (pattern) => (html.match(pattern) || [])[1]?.trim() || null;
+
+    // Title
+    const title = get(/<title[^>]*>([^<]+)<\/title>/i);
+    checks.push({
+      name    : 'Title tag',
+      pass    : !!title,
+      detail  : title ? `"${title.slice(0, 60)}"` : 'Missing <title> tag',
+      category: 'meta',
+      severity: 'P1',
+      data    : { title, length: title?.length },
+      recommendation: 'Add a unique, descriptive title (50-60 chars)',
+    });
+
+    if (title) {
+      checks.push({
+        name    : 'Title length optimal',
+        pass    : title.length >= 30 && title.length <= 60,
+        detail  : `Title is ${title.length} chars (optimal: 30-60)`,
+        category: 'meta',
+        severity: 'P2',
+        data    : { length: title.length },
+        recommendation: 'Keep title between 30-60 characters',
+      });
+    }
+
+    // Meta description
+    const desc = get(/<meta[^>]+name=["']description["'][^>]+content=["']([^"']+)["']/i)
+               || get(/<meta[^>]+content=["']([^"']+)["'][^>]+name=["']description["']/i);
+    checks.push({
+      name    : 'Meta description',
+      pass    : !!desc,
+      detail  : desc ? `"${desc.slice(0, 80)}..."` : 'Missing meta description',
+      category: 'meta',
+      severity: 'P1',
+      data    : { description: desc, length: desc?.length },
+      recommendation: 'Add meta description (120-160 chars)',
+    });
+
+    if (desc) {
+      checks.push({
+        name    : 'Meta description length',
+        pass    : desc.length >= 120 && desc.length <= 160,
+        detail  : `Description is ${desc.length} chars (optimal: 120-160)`,
+        category: 'meta',
+        severity: 'P2',
+        data    : { length: desc.length },
+        recommendation: 'Keep description between 120-160 characters',
+      });
+    }
+
+    // H1
+    const h1Count = (html.match(/<h1[^>]*>/gi) || []).length;
+    checks.push({
+      name    : 'H1 tag',
+      pass    : h1Count === 1,
+      detail  : h1Count === 0 ? 'No H1 found' : h1Count > 1 ? `${h1Count} H1 tags (should be 1)` : 'Exactly 1 H1',
+      category: 'structure',
+      severity: 'P1',
+      data    : { count: h1Count },
+      recommendation: 'Use exactly one H1 per page',
+    });
+
+    // Viewport
+    const hasViewport = has(/<meta[^>]+name=["']viewport["']/i);
+    checks.push({
+      name    : 'Viewport meta',
+      pass    : hasViewport,
+      detail  : hasViewport ? 'Viewport meta found' : 'Missing viewport meta — mobile SEO broken',
+      category: 'mobile',
+      severity: 'P1',
+      recommendation: 'Add <meta name="viewport" content="width=device-width,initial-scale=1">',
+    });
+
+    // Lang
+    const lang = get(/<html[^>]+lang=["']([^"']+)["']/i);
+    checks.push({
+      name    : 'HTML lang attribute',
+      pass    : !!lang,
+      detail  : lang ? `lang="${lang}"` : 'Missing lang attribute on <html>',
+      category: 'accessibility-seo',
+      severity: 'P1',
+      data    : { lang },
+      recommendation: 'Add lang attribute to <html> element',
+    });
+
+    // Canonical
+    const canonical = get(/<link[^>]+rel=["']canonical["'][^>]+href=["']([^"']+)["']/i);
+    checks.push({
+      name    : 'Canonical link',
+      pass    : !!canonical,
+      detail  : canonical ? `Canonical: ${canonical}` : 'Missing canonical link',
+      category: 'technical-seo',
+      severity: 'P2',
+      data    : { canonical },
+      recommendation: 'Add <link rel="canonical"> to prevent duplicate content',
+    });
+
+    // OG tags
+    const ogTitle = has(/<meta[^>]+property=["']og:title["']/i);
+    const ogDesc  = has(/<meta[^>]+property=["']og:description["']/i);
+    const ogImage = has(/<meta[^>]+property=["']og:image["']/i);
+    const ogUrl   = has(/<meta[^>]+property=["']og:url["']/i);
+    checks.push({
+      name    : 'Open Graph tags',
+      pass    : ogTitle && ogDesc && ogImage,
+      detail  : `og:title=${ogTitle} og:description=${ogDesc} og:image=${ogImage} og:url=${ogUrl}`,
+      category: 'social',
+      severity: 'P2',
+      data    : { ogTitle, ogDesc, ogImage, ogUrl },
+      recommendation: 'Add og:title, og:description, og:image for social sharing',
+    });
+
+    // Twitter card
+    const twitterCard = has(/<meta[^>]+name=["']twitter:card["']/i);
+    checks.push({
+      name    : 'Twitter Card',
+      pass    : twitterCard,
+      detail  : twitterCard ? 'Twitter card found' : 'No Twitter card meta',
+      category: 'social',
+      severity: 'P3',
+      recommendation: 'Add twitter:card meta for Twitter sharing',
+    });
+
+    // Images with alt
+    const imgTotal   = (html.match(/<img[^>]*>/gi) || []).length;
+    const imgNoAlt   = (html.match(/<img(?![^>]*\balt=)[^>]*>/gi) || []).length;
+    checks.push({
+      name    : 'Images have alt text',
+      pass    : imgNoAlt === 0,
+      detail  : imgNoAlt === 0
+        ? `All ${imgTotal} images have alt text`
+        : `${imgNoAlt}/${imgTotal} images missing alt text`,
+      category: 'accessibility-seo',
+      severity: 'P2',
+      data    : { total: imgTotal, missing: imgNoAlt },
+      recommendation: 'Add descriptive alt text to all images',
+    });
+
+    // Structured data
+    const hasStructuredData = has(/application\/ld\+json/i);
+    checks.push({
+      name    : 'Structured data (JSON-LD)',
+      pass    : hasStructuredData,
+      detail  : hasStructuredData ? 'JSON-LD structured data found' : 'No structured data',
+      category: 'structured-data',
+      severity: 'P3',
+      recommendation: 'Add JSON-LD structured data for rich search results',
+    });
+
+    // robots.txt
+    try {
+      const base      = new URL(url).origin;
+      const robotsRes = await fetch(`${base}/robots.txt`, { signal: AbortSignal.timeout(5000) });
+      checks.push({
+        name    : 'robots.txt',
+        pass    : robotsRes.status === 200,
+        detail  : robotsRes.status === 200 ? 'robots.txt accessible' : `robots.txt returned ${robotsRes.status}`,
+        category: 'crawling',
+        severity: 'P1',
+        recommendation: 'Ensure robots.txt exists and is properly configured',
+      });
+    } catch {
+      checks.push({ name: 'robots.txt', pass: false, detail: 'robots.txt unreachable', category: 'crawling', severity: 'P2' });
+    }
+
+    // sitemap.xml
+    try {
+      const base       = new URL(url).origin;
+      const sitemapRes = await fetch(`${base}/sitemap.xml`, { signal: AbortSignal.timeout(5000) });
+      const sitemapOk  = sitemapRes.status === 200;
+      let sitemapValid = false;
+      if (sitemapOk) {
+        const sitemapText = await sitemapRes.text().catch(() => '');
+        sitemapValid = sitemapText.includes('<urlset') || sitemapText.includes('<sitemapindex');
+      }
+      checks.push({
+        name    : 'sitemap.xml',
+        pass    : sitemapOk && sitemapValid,
+        detail  : sitemapOk
+          ? (sitemapValid ? 'Valid sitemap.xml found' : 'sitemap.xml present but invalid XML')
+          : `sitemap.xml returned ${sitemapRes.status}`,
+        category: 'crawling',
+        severity: 'P1',
+        recommendation: 'Add a valid sitemap.xml and submit to Google Search Console',
+      });
+    } catch {
+      checks.push({ name: 'sitemap.xml', pass: false, detail: 'sitemap.xml unreachable', category: 'crawling', severity: 'P2' });
+    }
+
+    // Page speed (response time as SEO factor)
+    checks.push({
+      name    : 'Server response time',
+      pass    : responseTime < 800,
+      detail  : `TTFB: ${responseTime}ms (Google recommends < 800ms)`,
+      category: 'performance-seo',
+      severity: responseTime > 2000 ? 'P1' : 'P2',
+      data    : { responseTime },
+      recommendation: 'Optimize TTFB — use CDN, caching, or faster hosting',
+    });
+
+    return {
+      pass    : checks.every(c => c.pass || c.severity === 'P3'),
+      checks,
+      url,
+      statusCode,
+      responseTime,
+    };
+  }
+}