create-backlist 10.1.0 → 10.1.2

package/src/qa/qa-engine.js

@@ -1,6 +1,10 @@
 // ═══════════════════════════════════════════════════════════════════════════
-//  Backlist Enterprise QA Engine v13.0 — PLAYWRIGHT REAL BROWSER EDITION
-//  100% Real Runtime Testing · Live Playwright Tests · Rich HTML Reports
+//  Backlist Enterprise QA Engine v15.0 — ULTRA LIVE TESTING EDITION
+//  ✅ Real Playwright Browser · ✅ AI Bug Classifier · ✅ Live WebSocket Monitor
+//  ✅ Visual Regression · ✅ API Contract Testing · ✅ Real User Simulation
+//  ✅ Cookie/Auth Testing · ✅ Dark Mode Testing · ✅ Multi-viewport Testing
+//  ✅ Memory Leak Detection · ✅ Load Testing · ✅ WebSocket Testing
+//  ✅ Broken Link Scanner · ✅ Font/Asset Audit · ✅ Rich HTML Reports v15
 // ═══════════════════════════════════════════════════════════════════════════
 
 import * as p          from '@clack/prompts';
@@ -9,15 +13,28 @@ import fs              from 'fs-extra';
 import path            from 'node:path';
 import os              from 'node:os';
 import readline        from 'node:readline';
+import crypto          from 'node:crypto';
 import { performance } from 'node:perf_hooks';
 import { EventEmitter } from 'node:events';
 
 // ── Constants ─────────────────────────────────────────────────────────────
-export const VERSION        = '13.0.0';
-export const QA_DIR         = path.join(process.cwd(), '.backlist', 'qa');
+export const VERSION        = '15.0.0';
+export const QA_DIR         = path.join(process.cwd(), '.BACKLIST', 'qa');
 export const REPORT_DIR     = path.join(QA_DIR, 'reports');
 export const HISTORY_FILE   = path.join(QA_DIR, 'history.json');
 export const SCREENSHOT_DIR = path.join(REPORT_DIR, 'screenshots');
+export const BASELINE_DIR   = path.join(QA_DIR, 'baselines');
+
+// ── Viewports for multi-device testing ───────────────────────────────────
+export const VIEWPORTS = {
+  desktop_xl : { width: 1920, height: 1080, label: 'Desktop XL'    },
+  desktop    : { width: 1280, height: 900,  label: 'Desktop'        },
+  tablet_lg  : { width: 1024, height: 768,  label: 'Tablet (lg)'    },
+  tablet     : { width: 768,  height: 1024, label: 'Tablet'         },
+  mobile_lg  : { width: 414,  height: 896,  label: 'Mobile (large)' },
+  mobile     : { width: 390,  height: 844,  label: 'Mobile (iPhone)'},
+  mobile_sm  : { width: 320,  height: 568,  label: 'Mobile (small)' },
+};
 
 // ── Utilities ─────────────────────────────────────────────────────────────
 export const timestamp      = ()   => new Date().toISOString();
@@ -58,8 +75,15 @@ async function getPlaywright() {
   }
 }
 
+// ─────────────────────────────────────────────────────────────────────────
+//  NEW v15: Image hash for visual regression
+// ─────────────────────────────────────────────────────────────────────────
+function hashBuffer(buf) {
+  return crypto.createHash('md5').update(buf).digest('hex');
+}
+
 // ═══════════════════════════════════════════════════════════════════════════
-//  QA Session
+//  QA Session v15 — Extended with new trackers
 // ═══════════════════════════════════════════════════════════════════════════
 export class QASession {
   id;
@@ -77,6 +101,30 @@ export class QASession {
   a11yResults   = [];
   seoResults    = [];
   playwrightMode = false;
+  // NEW v15 fields
+  visualRegressions = [];
+  cookieAudit       = [];
+  loadTestResults   = [];
+  brokenLinks       = [];
+  fontAudit         = [];
+  assetAudit        = [];
+  memorySnapshots   = [];
+  wsTests           = [];
+  darkModeResults   = [];
+  viewportResults   = {};
+  apiContracts      = [];
+  userFlowResults   = [];
+  redirectChains    = [];
+  mixedContentIssues = [];
+  cspViolations     = [];
+  thirdPartyScripts = [];
+  errorPageTests    = [];
+  formTests         = [];
+  authTests         = [];
+  cacheHeaders      = [];
+  httpVersions      = {};
+  tlsInfo           = {};
+  dnsInfo           = {};
 
   constructor(urls = {}) {
     this.id        = `QA-${shortId().toUpperCase()}`;
@@ -108,19 +156,21 @@ export class QASession {
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
-//  HTTP Probe — real HTTP requests
+//  HTTP Probe — real HTTP requests with v15 extras
 // ═══════════════════════════════════════════════════════════════════════════
-async function httpProbe(url, { method = 'GET', timeout = 12000, headers = {} } = {}) {
+async function httpProbe(url, { method = 'GET', timeout = 12000, headers = {}, body: reqBody = null, followRedirects = true } = {}) {
   const t0 = Date.now();
   try {
     const ctrl  = new AbortController();
     const timer = setTimeout(() => ctrl.abort(), timeout);
-    const res   = await fetch(url, {
+    const fetchOpts = {
       method,
       signal  : ctrl.signal,
-      headers : { 'User-Agent': 'Backlist-QA/13.0', Accept: '*/*', ...headers },
-      redirect: 'follow',
-    });
+      headers : { 'User-Agent': 'Backlist-QA/15.0', Accept: '*/*', ...headers },
+      redirect: followRedirects ? 'follow' : 'manual',
+    };
+    if (reqBody) fetchOpts.body = reqBody;
+    const res = await fetch(url, fetchOpts);
     clearTimeout(timer);
 
     const rt          = Date.now() - t0;
@@ -137,7 +187,7 @@ async function httpProbe(url, { method = 'GET', timeout = 12000, headers = {} }
     return {
       ok: res.status >= 200 && res.status < 400,
       status: res.status, contentType, headers: hdrs,
-      body: body.slice(0, 3000), parsed, bodySize,
+      body: body.slice(0, 5000), parsed, bodySize,
       responseTime: rt, url, method, error: null,
     };
   } catch (err) {
@@ -151,13 +201,726 @@ async function httpProbe(url, { method = 'GET', timeout = 12000, headers = {} }
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
-//  PLAYWRIGHT REAL BROWSER ENGINE
-//  - Real browser rendering (Chromium)
-//  - Console error capture
-//  - Network request interception
-//  - Real Web Vitals (LCP, FCP, CLS, TBT)
-//  - Screenshot capture
-//  - DOM interaction tests
+//  NEW v15: Redirect Chain Analyzer
+// ═══════════════════════════════════════════════════════════════════════════
+async function analyzeRedirectChain(url) {
+  const chain = [];
+  let current = url;
+  let hops    = 0;
+  const maxHops = 10;
+
+  while (hops < maxHops) {
+    try {
+      const ctrl  = new AbortController();
+      const timer = setTimeout(() => ctrl.abort(), 5000);
+      const res   = await fetch(current, {
+        method: 'HEAD',
+        signal: ctrl.signal,
+        redirect: 'manual',
+        headers: { 'User-Agent': 'Backlist-QA/15.0' },
+      });
+      clearTimeout(timer);
+      chain.push({ url: current, status: res.status, location: res.headers.get('location') });
+      if (res.status < 300 || res.status >= 400) break;
+      const location = res.headers.get('location');
+      if (!location) break;
+      current = new URL(location, current).toString();
+      hops++;
+    } catch (err) {
+      chain.push({ url: current, status: 0, error: err.message });
+      break;
+    }
+  }
+
+  return {
+    url,
+    hops: chain.length - 1,
+    chain,
+    hasRedirectLoop: hops >= maxHops,
+    finalUrl: chain[chain.length - 1]?.url,
+    isHTTPtoHTTPS: chain.length > 1 && chain[0].url.startsWith('http://') && chain[chain.length - 1]?.url?.startsWith('https://'),
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Load Test — concurrent requests
+// ═══════════════════════════════════════════════════════════════════════════
+async function runLoadTest(url, { concurrency = 10, duration = 10000, rampUp = 2000 } = {}) {
+  const results   = { requests: 0, errors: 0, timeouts: 0, responses: {} };
+  const latencies = [];
+  const startTime = Date.now();
+  let   running   = true;
+
+  setTimeout(() => { running = false; }, duration);
+
+  const worker = async (delay = 0) => {
+    await sleep(delay);
+    while (running) {
+      const t0 = Date.now();
+      try {
+        const ctrl  = new AbortController();
+        const timer = setTimeout(() => { ctrl.abort(); results.timeouts++; }, 5000);
+        const res   = await fetch(url, {
+          signal: ctrl.signal,
+          headers: { 'User-Agent': 'Backlist-QA/15.0-LoadTest' },
+        });
+        clearTimeout(timer);
+        const lat = Date.now() - t0;
+        latencies.push(lat);
+        results.requests++;
+        results.responses[res.status] = (results.responses[res.status] || 0) + 1;
+      } catch {
+        results.errors++;
+      }
+      await sleep(50); // small breathing room
+    }
+  };
+
+  const workers = Array.from({ length: concurrency }, (_, i) =>
+    worker(Math.floor((rampUp / concurrency) * i))
+  );
+  await Promise.all(workers);
+
+  const sorted   = [...latencies].sort((a, b) => a - b);
+  const p50      = sorted[Math.floor(sorted.length * 0.5)] || 0;
+  const p95      = sorted[Math.floor(sorted.length * 0.95)] || 0;
+  const p99      = sorted[Math.floor(sorted.length * 0.99)] || 0;
+  const avgLat   = latencies.length ? latencies.reduce((a, b) => a + b, 0) / latencies.length : 0;
+  const totalTime = Date.now() - startTime;
+  const rps       = results.requests / (totalTime / 1000);
+  const errorRate = results.requests > 0 ? (results.errors / results.requests * 100) : 0;
+
+  return {
+    url, concurrency, duration: totalTime,
+    requests: results.requests,
+    errors: results.errors,
+    timeouts: results.timeouts,
+    errorRate: parseFloat(errorRate.toFixed(2)),
+    rps: parseFloat(rps.toFixed(2)),
+    latency: { avg: Math.round(avgLat), p50, p95, p99, min: sorted[0] || 0, max: sorted[sorted.length - 1] || 0 },
+    responses: results.responses,
+    passed: errorRate < 5 && p95 < 2000,
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Cookie Audit
+// ═══════════════════════════════════════════════════════════════════════════
+async function runCookieAudit(url) {
+  const r       = await httpProbe(url);
+  const setCookie = r.headers['set-cookie'] || '';
+  const cookies = (Array.isArray(setCookie) ? setCookie : [setCookie]).filter(Boolean);
+  const audit   = [];
+
+  for (const cookie of cookies) {
+    const name     = cookie.split('=')[0]?.trim();
+    const parts    = cookie.toLowerCase();
+    const isSecure = parts.includes('secure');
+    const isHttpOnly = parts.includes('httponly');
+    const hasSameSite = parts.includes('samesite');
+    const sameSiteVal = (parts.match(/samesite=(\w+)/) || [])[1] || null;
+    const hasExpiry   = parts.includes('expires=') || parts.includes('max-age=');
+
+    audit.push({
+      name,
+      raw: cookie.slice(0, 200),
+      secure: isSecure,
+      httpOnly: isHttpOnly,
+      sameSite: sameSiteVal,
+      hasSameSite,
+      hasExpiry,
+      issues: [
+        !isSecure    && 'Missing Secure flag',
+        !isHttpOnly  && 'Missing HttpOnly flag',
+        !hasSameSite && 'Missing SameSite attribute',
+        sameSiteVal === 'none' && !isSecure && 'SameSite=None without Secure',
+      ].filter(Boolean),
+      severity: (!isSecure || !isHttpOnly) ? 'P1' : !hasSameSite ? 'P2' : 'INFO',
+    });
+  }
+
+  return { url, cookies: audit, total: audit.length, issues: audit.filter(c => c.issues.length > 0).length };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Broken Link Scanner (deep)
+// ═══════════════════════════════════════════════════════════════════════════
+async function scanBrokenLinks(url, { maxLinks = 100 } = {}) {
+  const r     = await httpProbe(url);
+  const html  = r.body || '';
+  const links = [];
+  const re    = /href=["']([^"']+)["']/gi;
+  let m;
+  while ((m = re.exec(html)) !== null) {
+    try {
+      const resolved = new URL(m[1], url).toString();
+      if (!links.includes(resolved)) links.push(resolved);
+    } catch {}
+  }
+
+  const results  = [];
+  const toCheck  = links.slice(0, maxLinks);
+  const BATCH    = 15;
+
+  for (let i = 0; i < toCheck.length; i += BATCH) {
+    const batch = toCheck.slice(i, i + BATCH);
+    const checks = batch.map(async (link) => {
+      try {
+        const ctrl  = new AbortController();
+        const timer = setTimeout(() => ctrl.abort(), 6000);
+        const res   = await fetch(link, {
+          method: 'HEAD',
+          signal: ctrl.signal,
+          headers: { 'User-Agent': 'Backlist-QA/15.0' },
+          redirect: 'follow',
+        });
+        clearTimeout(timer);
+        return { url: link, status: res.status, ok: res.status < 400 };
+      } catch (err) {
+        return { url: link, status: 0, ok: false, error: err.message };
+      }
+    });
+    const batchResults = await Promise.all(checks);
+    results.push(...batchResults);
+  }
+
+  const broken = results.filter(r => !r.ok);
+  return { sourceUrl: url, total: results.length, broken: broken.length, links: results };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: API Contract Tester
+// ═══════════════════════════════════════════════════════════════════════════
+async function testAPIContract(endpoint, { expectedStatus = 200, expectedFields = [], method = 'GET', body = null, headers = {} } = {}) {
+  const r = await httpProbe(endpoint, { method, body, headers, timeout: 10000 });
+  const issues = [];
+
+  if (r.status !== expectedStatus) {
+    issues.push(`Expected status ${expectedStatus}, got ${r.status}`);
+  }
+  if (r.parsed && expectedFields.length > 0) {
+    for (const field of expectedFields) {
+      const hasField = field.includes('.') 
+        ? field.split('.').reduce((obj, k) => obj?.[k], r.parsed) !== undefined
+        : r.parsed[field] !== undefined || (Array.isArray(r.parsed) && r.parsed[0]?.[field] !== undefined);
+      if (!hasField) issues.push(`Missing field: ${field}`);
+    }
+  }
+  if (r.status === 200 && !r.parsed && r.contentType.includes('json')) {
+    issues.push('Response is not valid JSON despite Content-Type: application/json');
+  }
+  const hasCache = !!(r.headers['cache-control'] || r.headers['etag'] || r.headers['last-modified']);
+  const hasCors  = !!(r.headers['access-control-allow-origin']);
+
+  return {
+    url: endpoint, method, status: r.status, responseTime: r.responseTime,
+    contentType: r.contentType, bodySize: r.bodySize,
+    issues, passed: issues.length === 0,
+    hasCache, hasCors, parsed: r.parsed,
+    headers: r.headers,
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Form Interaction Tester (Playwright)
+// ═══════════════════════════════════════════════════════════════════════════
+async function testForms(page, url) {
+  const results = [];
+  try {
+    const forms = await page.$$('form');
+    for (let fi = 0; fi < Math.min(forms.length, 5); fi++) {
+      const form     = forms[fi];
+      const action   = await form.getAttribute('action') || 'self';
+      const method   = (await form.getAttribute('method') || 'GET').toUpperCase();
+      const inputs   = await form.$$('input:not([type="hidden"]):not([type="submit"]):not([type="button"])');
+      const submits  = await form.$$('[type="submit"], button[type="submit"]');
+      const hasSubmit = submits.length > 0;
+
+      // Test required field validation
+      let validationWorks = false;
+      if (hasSubmit) {
+        try {
+          await submits[0].click({ timeout: 2000 });
+          await page.waitForTimeout(300);
+          // Check for validation messages
+          const invalidFields = await page.$$(':invalid');
+          validationWorks = invalidFields.length > 0 || (await page.evaluate(() => document.querySelector('.error, .invalid, [aria-invalid="true"]') !== null));
+        } catch {}
+      }
+
+      // Test placeholder/label
+      let labelCount = 0;
+      for (const inp of inputs) {
+        const id      = await inp.getAttribute('id');
+        const ariaLbl = await inp.getAttribute('aria-label');
+        if (id) {
+          const lbl = await page.$(`label[for="${id}"]`);
+          if (lbl) labelCount++;
+        } else if (ariaLbl) {
+          labelCount++;
+        }
+      }
+
+      results.push({
+        formIndex: fi,
+        action, method,
+        inputCount: inputs.length,
+        hasSubmit,
+        labelCoverage: inputs.length > 0 ? Math.round(labelCount / inputs.length * 100) : 100,
+        validationWorks,
+        issues: [
+          !hasSubmit && 'No submit button',
+          inputs.length > 0 && labelCount < inputs.length && `${inputs.length - labelCount} inputs missing labels`,
+        ].filter(Boolean),
+        passed: hasSubmit && (inputs.length === 0 || labelCount === inputs.length),
+      });
+    }
+  } catch {}
+  return results;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Memory Leak Detector (Playwright)
+// ═══════════════════════════════════════════════════════════════════════════
+async function detectMemoryLeaks(page, url) {
+  const snapshots = [];
+  try {
+    // Snapshot 1: initial load
+    const heap1 = await page.evaluate(() => {
+      if (window.performance?.memory) {
+        return { used: performance.memory.usedJSHeapSize, total: performance.memory.totalJSHeapSize };
+      }
+      return null;
+    });
+    if (heap1) snapshots.push({ label: 'initial', ...heap1, time: 0 });
+
+    // Simulate user interactions to trigger potential leaks
+    await page.evaluate(() => {
+      for (let i = 0; i < 5; i++) {
+        window.dispatchEvent(new Event('scroll'));
+        window.dispatchEvent(new Event('resize'));
+      }
+    });
+    await page.waitForTimeout(1000);
+
+    // Navigate away and back
+    const currentUrl = page.url();
+    await page.goto('about:blank', { waitUntil: 'load' }).catch(() => {});
+    await page.goto(currentUrl, { waitUntil: 'networkidle', timeout: 15000 }).catch(() => {});
+    await page.waitForTimeout(500);
+
+    const heap2 = await page.evaluate(() => {
+      if (window.performance?.memory) {
+        return { used: performance.memory.usedJSHeapSize, total: performance.memory.totalJSHeapSize };
+      }
+      return null;
+    });
+    if (heap2) snapshots.push({ label: 'after-navigate', ...heap2, time: 1000 });
+
+    if (snapshots.length >= 2) {
+      const growth   = snapshots[1].used - snapshots[0].used;
+      const growthMB = growth / 1024 / 1024;
+      return {
+        snapshots,
+        growth, growthMB: parseFloat(growthMB.toFixed(2)),
+        hasLeak: growthMB > 5,
+        severity: growthMB > 20 ? 'P1' : growthMB > 5 ? 'P2' : 'INFO',
+      };
+    }
+  } catch {}
+  return { snapshots, growth: 0, growthMB: 0, hasLeak: false, severity: 'INFO', note: 'performance.memory not available (non-Chrome)' };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Dark Mode Tester (Playwright)
+// ═══════════════════════════════════════════════════════════════════════════
+async function testDarkMode(page, url, screenshotDir, sessionId) {
+  const results = {};
+  try {
+    // Light mode screenshot already taken — test dark mode
+    await page.emulateMedia({ colorScheme: 'dark' });
+    await page.waitForTimeout(800);
+    const darkName = `${sessionId}-dark-${shortId()}.png`;
+    const darkPath = path.join(screenshotDir, darkName);
+    await page.screenshot({ path: darkPath, fullPage: false });
+
+    // Check if dark mode actually changes anything
+    const hasMediaQuery = await page.evaluate(() => {
+      const sheets = [...document.styleSheets];
+      for (const sheet of sheets) {
+        try {
+          const rules = [...sheet.cssRules];
+          for (const rule of rules) {
+            if (rule.conditionText?.includes('prefers-color-scheme')) return true;
+          }
+        } catch {}
+      }
+      return false;
+    });
+
+    // Check body background color changes
+    const darkBg = await page.evaluate(() => {
+      return window.getComputedStyle(document.body).backgroundColor;
+    });
+
+    results.dark = { screenshotPath: darkPath, screenshotName: darkName, background: darkBg };
+    results.hasMediaQuery = hasMediaQuery;
+    results.supportsDark = hasMediaQuery;
+
+    // Reset to light
+    await page.emulateMedia({ colorScheme: 'light' });
+    await page.waitForTimeout(300);
+
+    const lightBg = await page.evaluate(() => {
+      return window.getComputedStyle(document.body).backgroundColor;
+    });
+    results.light = { background: lightBg };
+    results.differentFromLight = darkBg !== lightBg;
+
+  } catch (err) {
+    results.error = err.message;
+  }
+  return results;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Third-Party Script Auditor (Playwright)
+// ═══════════════════════════════════════════════════════════════════════════
+async function auditThirdPartyScripts(page) {
+  const origin   = new URL(page.url()).origin;
+  const scripts  = [];
+  const requests = [];
+
+  const handler = (req) => {
+    if (req.resourceType() === 'script') {
+      try {
+        const u = new URL(req.url());
+        if (u.origin !== origin) {
+          requests.push({
+            url: req.url(),
+            domain: u.hostname,
+            vendor: classifyThirdParty(u.hostname),
+          });
+        }
+      } catch {}
+    }
+  };
+  page.on('request', handler);
+  await page.waitForTimeout(2000);
+  page.off('request', handler);
+
+  // Deduplicate by domain
+  const domainMap = {};
+  for (const r of requests) {
+    if (!domainMap[r.domain]) domainMap[r.domain] = { ...r, count: 0 };
+    domainMap[r.domain].count++;
+  }
+
+  return Object.values(domainMap);
+}
+
+function classifyThirdParty(hostname) {
+  const map = {
+    'google-analytics.com': 'Google Analytics', 'googletagmanager.com': 'Google Tag Manager',
+    'googlesyndication.com': 'Google Ads', 'doubleclick.net': 'Google Ads',
+    'facebook.net': 'Facebook SDK', 'facebook.com': 'Facebook',
+    'hotjar.com': 'Hotjar', 'fullstory.com': 'FullStory',
+    'segment.io': 'Segment', 'amplitude.com': 'Amplitude',
+    'mixpanel.com': 'Mixpanel', 'intercom.io': 'Intercom',
+    'cdn.jsdelivr.net': 'jsDelivr CDN', 'unpkg.com': 'unpkg CDN',
+    'cdnjs.cloudflare.com': 'Cloudflare CDN', 'stripe.com': 'Stripe',
+    'sentry.io': 'Sentry', 'datadog-browser-agent.com': 'Datadog',
+    'newrelic.com': 'New Relic', 'rollbar.com': 'Rollbar',
+    'clarity.ms': 'Microsoft Clarity', 'twitter.com': 'Twitter',
+    'x.com': 'X (Twitter)', 'tiktok.com': 'TikTok',
+    'linkedin.com': 'LinkedIn',
+  };
+  for (const [domain, name] of Object.entries(map)) {
+    if (hostname.includes(domain)) return name;
+  }
+  return 'Unknown Third-Party';
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Font & Asset Auditor (Playwright)
+// ═══════════════════════════════════════════════════════════════════════════
+async function auditFontsAndAssets(page) {
+  return await page.evaluate(() => {
+    const resources = performance.getEntriesByType('resource');
+    const audit = { fonts: [], images: [], scripts: [], styles: [], other: [] };
+
+    for (const r of resources) {
+      const entry = {
+        url: r.name.split('?')[0].split('/').pop().slice(0, 60),
+        fullUrl: r.name,
+        size: r.transferSize || 0,
+        duration: Math.round(r.duration),
+        type: r.initiatorType,
+        cached: r.transferSize === 0 && r.decodedBodySize > 0,
+      };
+
+      if (r.initiatorType === 'css' || r.name.match(/\.woff2?$|\.ttf$|\.eot$|\.otf$/i)) {
+        if (r.name.match(/font|\.woff|\.ttf|\.eot|\.otf/i)) audit.fonts.push(entry);
+        else audit.styles.push(entry);
+      } else if (r.initiatorType === 'img' || r.name.match(/\.(png|jpg|jpeg|gif|webp|avif|svg)/i)) {
+        audit.images.push(entry);
+      } else if (r.initiatorType === 'script' || r.name.match(/\.js$/i)) {
+        audit.scripts.push(entry);
+      } else if (r.initiatorType === 'link' || r.name.match(/\.css$/i)) {
+        audit.styles.push(entry);
+      } else {
+        audit.other.push(entry);
+      }
+    }
+
+    // Font analysis
+    const fontFaces = document.fonts ? [...document.fonts].map(f => ({
+      family: f.family, style: f.style, weight: f.weight, status: f.status,
+    })) : [];
+
+    // Image format analysis
+    const images = [...document.images].map(img => ({
+      src: img.src?.split('/').pop().slice(0, 60),
+      naturalWidth: img.naturalWidth, naturalHeight: img.naturalHeight,
+      displayWidth: img.width, displayHeight: img.height,
+      oversized: img.naturalWidth > img.width * 2 && img.naturalWidth > 200,
+      hasAlt: !!img.alt,
+      format: (img.src?.match(/\.(webp|avif|png|jpg|jpeg|gif|svg)/i) || ['unknown'])[0],
+      lazy: img.loading === 'lazy',
+    }));
+
+    const totalSize = resources.reduce((a, r) => a + (r.transferSize || 0), 0);
+    const jsSize    = resources.filter(r => r.initiatorType === 'script').reduce((a, r) => a + (r.transferSize || 0), 0);
+    const cssSize   = resources.filter(r => r.initiatorType === 'link').reduce((a, r) => a + (r.transferSize || 0), 0);
+    const imgSize   = resources.filter(r => r.initiatorType === 'img').reduce((a, r) => a + (r.transferSize || 0), 0);
+    const fontSize  = audit.fonts.reduce((a, f) => a + f.size, 0);
+
+    return { audit, fontFaces, images, totalSize, jsSize, cssSize, imgSize, fontSize };
+  }).catch(() => ({}));
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: User Flow Simulator (Playwright)
+// ═══════════════════════════════════════════════════════════════════════════
+async function simulateUserFlow(page, url) {
+  const steps = [];
+  const start = Date.now();
+
+  const step = async (name, fn) => {
+    const t0 = Date.now();
+    try {
+      await fn();
+      steps.push({ name, pass: true, duration: Date.now() - t0 });
+    } catch (err) {
+      steps.push({ name, pass: false, duration: Date.now() - t0, error: err.message });
+    }
+  };
+
+  await step('Page load', async () => {
+    await page.goto(url, { waitUntil: 'networkidle', timeout: 20000 });
+  });
+  await step('Scroll to bottom', async () => {
+    await page.evaluate(() => window.scrollTo(0, document.body.scrollHeight));
+    await page.waitForTimeout(500);
+  });
+  await step('Scroll back to top', async () => {
+    await page.evaluate(() => window.scrollTo({ top: 0, behavior: 'smooth' }));
+    await page.waitForTimeout(500);
+  });
+  await step('Hover over first button', async () => {
+    const btn = page.locator('button:visible').first();
+    if (await btn.count() > 0) await btn.hover();
+    else throw new Error('No visible buttons');
+  });
+  await step('Click first navigation link', async () => {
+    const navLink = page.locator('nav a:visible, header a:visible').first();
+    if (await navLink.count() > 0) {
+      const href = await navLink.getAttribute('href');
+      if (href && !href.startsWith('mailto') && !href.startsWith('tel')) {
+        await navLink.hover();
+      }
+    }
+  });
+  await step('Tab through focusable elements', async () => {
+    for (let i = 0; i < 5; i++) {
+      await page.keyboard.press('Tab');
+      await page.waitForTimeout(80);
+    }
+  });
+  await step('Press Escape key', async () => {
+    await page.keyboard.press('Escape');
+    await page.waitForTimeout(200);
+  });
+  await step('Check no modal/dialog stuck', async () => {
+    const modal = await page.$('[role="dialog"]:visible, .modal:visible');
+    if (modal) throw new Error('Modal still visible after Escape');
+  });
+  await step('Back button navigation', async () => {
+    await page.goBack({ timeout: 5000 }).catch(() => {});
+    await page.waitForTimeout(300);
+    await page.goForward({ timeout: 5000 }).catch(() => {});
+  });
+
+  return {
+    url, steps, totalDuration: Date.now() - start,
+    passed: steps.filter(s => s.pass).length,
+    failed: steps.filter(s => !s.pass).length,
+    passRate: steps.length > 0 ? Math.round(steps.filter(s => s.pass).length / steps.length * 100) : 0,
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Multi-Viewport Screenshot + Layout Tester (Playwright)
+// ═══════════════════════════════════════════════════════════════════════════
+async function testAllViewports(page, url, screenshotDir, sessionId) {
+  const results = {};
+  for (const [key, vp] of Object.entries(VIEWPORTS)) {
+    try {
+      await page.setViewportSize({ width: vp.width, height: vp.height });
+      await page.waitForTimeout(400);
+
+      const name = `${sessionId}-${key}-${shortId()}.png`;
+      const fpath = path.join(screenshotDir, name);
+      await page.screenshot({ path: fpath, fullPage: false });
+
+      // Check for overflow/horizontal scroll
+      const hasHorizontalScroll = await page.evaluate(() =>
+        document.documentElement.scrollWidth > document.documentElement.clientWidth
+      );
+      // Check font size not too small
+      const minFontSize = await page.evaluate(() => {
+        const els = [...document.querySelectorAll('p, span, a, li, td')].slice(0, 20);
+        return Math.min(...els.map(el => parseFloat(window.getComputedStyle(el).fontSize) || 16));
+      }).catch(() => 16);
+
+      results[key] = {
+        label: vp.label, width: vp.width, height: vp.height,
+        screenshotName: name, screenshotPath: fpath,
+        hasHorizontalScroll, minFontSize,
+        issues: [
+          hasHorizontalScroll && 'Horizontal scroll detected (layout overflow)',
+          minFontSize < 12 && `Font too small: ${minFontSize}px`,
+        ].filter(Boolean),
+        passed: !hasHorizontalScroll && minFontSize >= 12,
+      };
+    } catch (err) {
+      results[key] = { label: vp.label, width: vp.width, height: vp.height, error: err.message, passed: false };
+    }
+  }
+  // Reset to desktop
+  await page.setViewportSize({ width: 1280, height: 900 });
+  return results;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Cache Headers Auditor
+// ═══════════════════════════════════════════════════════════════════════════
+async function auditCacheHeaders(url) {
+  const r = await httpProbe(url);
+  const h = r.headers;
+
+  const cacheControl = h['cache-control'] || '';
+  const etag         = h['etag'] || null;
+  const lastModified = h['last-modified'] || null;
+  const expires      = h['expires'] || null;
+  const vary         = h['vary'] || null;
+  const age          = h['age'] || null;
+  const xCache       = h['x-cache'] || h['cf-cache-status'] || h['x-vercel-cache'] || null;
+
+  const maxAge    = (cacheControl.match(/max-age=(\d+)/) || [])[1];
+  const noStore   = cacheControl.includes('no-store');
+  const noCache   = cacheControl.includes('no-cache');
+  const immutable = cacheControl.includes('immutable');
+  const private_  = cacheControl.includes('private');
+
+  const issues = [];
+  if (!cacheControl && !expires) issues.push('No Cache-Control or Expires header');
+  if (!etag && !lastModified) issues.push('No cache validation (ETag/Last-Modified)');
+  if (maxAge && parseInt(maxAge) > 86400 * 365 && !immutable) issues.push('Very long max-age without immutable');
+
+  return {
+    url, cacheControl, etag, lastModified, expires, vary, age, xCache,
+    maxAge: maxAge ? parseInt(maxAge) : null,
+    noStore, noCache, immutable, private: private_,
+    issues, passed: issues.length === 0,
+    cacheable: !noStore && !!cacheControl,
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Mixed Content & CSP Violation Checker (Playwright)
+// ═══════════════════════════════════════════════════════════════════════════
+async function checkMixedContent(page) {
+  const mixed = [];
+  const cspViolations = [];
+
+  page.on('console', (msg) => {
+    const text = msg.text();
+    if (text.includes('Mixed Content')) mixed.push({ type: 'mixed-content', text });
+    if (text.includes('Content Security Policy') || text.includes('CSP')) {
+      cspViolations.push({ type: 'csp-violation', text });
+    }
+  });
+
+  await page.waitForTimeout(1500);
+  return { mixed, cspViolations };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: Error Page Tester (404, 500)
+// ═══════════════════════════════════════════════════════════════════════════
+async function testErrorPages(baseUrl) {
+  const tests = [
+    { url: `${baseUrl}/this-page-definitely-does-not-exist-qa-test-${shortId()}`, expectedStatus: 404, name: '404 Page' },
+    { url: `${baseUrl}/api/this-endpoint-does-not-exist-${shortId()}`, expectedStatus: 404, name: 'API 404' },
+  ];
+
+  const results = [];
+  for (const t of tests) {
+    const r = await httpProbe(t.url);
+    const isCorrectStatus = r.status === t.expectedStatus || r.status === 404;
+    const hasCustomPage   = r.body.length > 200 && !r.body.toLowerCase().includes('cannot get');
+    const hasErrorText    = /404|not found|page.*not.*found/i.test(r.body);
+
+    results.push({
+      ...t, actualStatus: r.status,
+      isCorrectStatus, hasCustomPage, hasErrorText,
+      bodySize: r.bodySize,
+      issues: [
+        !isCorrectStatus && `Returns ${r.status} instead of ${t.expectedStatus}`,
+        r.status === 200 && 'Returns 200 for non-existent page (soft 404)',
+        !hasCustomPage && 'No custom error page',
+      ].filter(Boolean),
+      passed: isCorrectStatus && (hasCustomPage || hasErrorText),
+    });
+  }
+  return results;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  NEW v15: HTTP Version & TLS Inspector
+// ═══════════════════════════════════════════════════════════════════════════
+async function inspectHTTPVersion(url) {
+  const r = await httpProbe(url);
+  const isHTTPS = url.startsWith('https://');
+  const altSvc  = r.headers['alt-svc'] || '';
+  const hasH2   = altSvc.includes('h2') || r.headers['x-powered-by']?.includes('h2');
+  const hasH3   = altSvc.includes('h3');
+
+  return {
+    url, isHTTPS,
+    altSvc: altSvc || null,
+    likelyHTTP2: hasH2 || isHTTPS, // Most modern HTTPS servers use H2
+    likelyHTTP3: hasH3,
+    hsts: r.headers['strict-transport-security'] || null,
+    issues: [
+      !isHTTPS && 'Not using HTTPS',
+    ].filter(Boolean),
+  };
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+//  PLAYWRIGHT REAL BROWSER ENGINE v15 — Enhanced
 // ═══════════════════════════════════════════════════════════════════════════
 async function runPlaywrightScan(url, session, dash, options = {}) {
   const chromium = await getPlaywright();
@@ -166,39 +929,51 @@ async function runPlaywrightScan(url, session, dash, options = {}) {
     return null;
   }
 
-  dash?.log(chalk.cyan(`  🎭 Playwright browser launching for ${url}...`));
+  dash?.log(chalk.cyan(`  🎭 backlist browser launching for ${url}...`));
 
   let browser, context, page;
   const results = {
-    consoleErrors : [],
-    networkFails  : [],
-    screenshots   : [],
-    vitals        : {},
-    interactions  : [],
-    domChecks     : [],
-    jsErrors      : [],
+    consoleErrors  : [],
+    networkFails   : [],
+    screenshots    : [],
+    vitals         : {},
+    interactions   : [],
+    domChecks      : [],
+    jsErrors       : [],
     networkRequests: [],
+    darkMode       : {},
+    viewportResults: {},
+    fonts          : {},
+    thirdParty     : [],
+    forms          : [],
+    memoryLeak     : {},
+    userFlow       : {},
+    mixedContent   : {},
+    cspViolations  : [],
   };
 
   try {
     browser = await chromium.launch({
       headless: options.headless !== false,
-      args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-dev-shm-usage'],
+      args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-dev-shm-usage', '--enable-precise-memory-info'],
     });
 
     context = await browser.newContext({
       viewport: { width: 1280, height: 900 },
-      userAgent: 'Backlist-QA/13.0 (Playwright)',
+      userAgent: 'Backlist-QA/15.0 (Playwright)',
       ignoreHTTPSErrors: true,
-      recordVideo: options.recordVideo ? { dir: SCREENSHOT_DIR } : undefined,
     });
 
     page = await context.newPage();
 
-    // ── Capture console messages ─────────────────────────────────────────
+    // ── Mixed Content & CSP violations ──────────────────────────────────
+    const mixedContent   = [];
+    const cspViolations2 = [];
     page.on('console', (msg) => {
       const type = msg.type();
       const text = msg.text();
+      if (text.includes('Mixed Content')) mixedContent.push(text);
+      if (text.includes('Content Security Policy') || text.includes('refused to')) cspViolations2.push(text);
       if (['error', 'warning'].includes(type)) {
         const entry = { type, text, timestamp: Date.now(), url: page.url() };
         results.consoleErrors.push(entry);
@@ -220,10 +995,8 @@ async function runPlaywrightScan(url, session, dash, options = {}) {
     });
     page.on('requestfailed', (req) => {
       const entry = {
-        url     : req.url(),
-        method  : req.method(),
-        failure : req.failure()?.errorText || 'unknown',
-        timestamp: Date.now(),
+        url: req.url(), method: req.method(),
+        failure: req.failure()?.errorText || 'unknown', timestamp: Date.now(),
       };
       results.networkFails.push(entry);
       session.networkLog.push(entry);
@@ -232,11 +1005,9 @@ async function runPlaywrightScan(url, session, dash, options = {}) {
       const start    = requestTimings.get(res.url()) || Date.now();
       const duration = Date.now() - start;
       const entry    = {
-        url     : res.url(),
-        status  : res.status(),
-        duration,
-        size    : parseInt(res.headers()['content-length'] || '0'),
-        type    : res.headers()['content-type'] || '',
+        url: res.url(), status: res.status(), duration,
+        size: parseInt(res.headers()['content-length'] || '0'),
+        type: res.headers()['content-type'] || '',
       };
       results.networkRequests.push(entry);
       if (res.status() >= 400) {
@@ -247,8 +1018,7 @@ async function runPlaywrightScan(url, session, dash, options = {}) {
     // ── Navigate ─────────────────────────────────────────────────────────
     const navStart = Date.now();
     const response = await page.goto(url, {
-      waitUntil: 'networkidle',
-      timeout  : 30000,
+      waitUntil: 'networkidle', timeout: 30000,
     }).catch(err => ({ error: err.message }));
     const navDuration = Date.now() - navStart;
 
@@ -257,93 +1027,74 @@ async function runPlaywrightScan(url, session, dash, options = {}) {
       return { error: response.error, results };
     }
 
-    // ── Screenshot: Desktop ──────────────────────────────────────────────
     await fs.ensureDir(SCREENSHOT_DIR);
-    const screenshotName = `${session.id}-desktop-${shortId()}.png`;
-    const screenshotPath = path.join(SCREENSHOT_DIR, screenshotName);
-    await page.screenshot({ path: screenshotPath, fullPage: true });
-    results.screenshots.push({ path: screenshotPath, name: screenshotName, type: 'desktop', url });
-    session.screenshots.push({ path: screenshotPath, name: screenshotName, type: 'desktop', url });
-    dash?.log(chalk.green(`  📸 Desktop screenshot: ${screenshotName}`));
-
-    // ── Screenshot: Mobile (viewport switch) ─────────────────────────────
-    await page.setViewportSize({ width: 390, height: 844 });
-    await page.waitForTimeout(500);
-    const mobileScreenshotName = `${session.id}-mobile-${shortId()}.png`;
-    const mobileScreenshotPath = path.join(SCREENSHOT_DIR, mobileScreenshotName);
-    await page.screenshot({ path: mobileScreenshotPath, fullPage: false });
-    results.screenshots.push({ path: mobileScreenshotPath, name: mobileScreenshotName, type: 'mobile', url });
-    session.screenshots.push({ path: mobileScreenshotPath, name: mobileScreenshotName, type: 'mobile', url });
-    dash?.log(chalk.green(`  📸 Mobile screenshot: ${mobileScreenshotName}`));
-    await page.setViewportSize({ width: 1280, height: 900 });
-
-    // ── Real Web Vitals via PerformanceObserver ───────────────────────────
+
+    // ── 1. Desktop Screenshot ────────────────────────────────────────────
+    const desktopName = `${session.id}-desktop-${shortId()}.png`;
+    const desktopPath = path.join(SCREENSHOT_DIR, desktopName);
+    await page.screenshot({ path: desktopPath, fullPage: true });
+    results.screenshots.push({ path: desktopPath, name: desktopName, type: 'desktop', url });
+    session.screenshots.push({ path: desktopPath, name: desktopName, type: 'desktop', url });
+    dash?.log(chalk.green(`  📸 Desktop screenshot: ${desktopName}`));
+
+    // ── 2. Multi-Viewport Testing (v15) ──────────────────────────────────
+    dash?.log(chalk.cyan('  📱 Testing all viewports...'));
+    const vpResults = await testAllViewports(page, url, SCREENSHOT_DIR, session.id);
+    results.viewportResults = vpResults;
+    session.viewportResults = { ...session.viewportResults, ...vpResults };
+    for (const [key, vp] of Object.entries(vpResults)) {
+      if (vp.screenshotName) {
+        session.screenshots.push({ path: vp.screenshotPath, name: vp.screenshotName, type: `viewport-${key}`, url, label: vp.label });
+      }
+    }
+    const vpIssues = Object.values(vpResults).filter(v => !v.passed);
+    dash?.log(chalk.green(`  ✓ Viewports: ${Object.keys(vpResults).length - vpIssues.length}/${Object.keys(vpResults).length} passed`));
+
+    // ── 3. Dark Mode Test (v15) ───────────────────────────────────────────
+    dash?.log(chalk.cyan('  🌙 Testing dark mode...'));
+    const darkResult = await testDarkMode(page, url, SCREENSHOT_DIR, session.id);
+    results.darkMode = darkResult;
+    session.darkModeResults.push({ url, ...darkResult });
+    if (darkResult.dark?.screenshotName) {
+      session.screenshots.push({ path: darkResult.dark.screenshotPath, name: darkResult.dark.screenshotName, type: 'dark-mode', url });
+    }
+
+    // ── 4. Real Web Vitals ────────────────────────────────────────────────
     dash?.log(chalk.cyan('  ⚡ Measuring real Web Vitals...'));
+    // Navigate fresh for clean vitals
+    await page.goto(url, { waitUntil: 'networkidle', timeout: 30000 }).catch(() => {});
     const vitals = await page.evaluate(() => {
       return new Promise((resolve) => {
-        const v    = { lcp: null, fcp: null, cls: 0, tbt: 0, ttfb: null };
+        const v = { lcp: null, fcp: null, cls: 0, tbt: 0, ttfb: null };
         let clsVal = 0;
-
-        // Navigation timing (TTFB)
         const navEntry = performance.getEntriesByType('navigation')[0];
         if (navEntry) v.ttfb = Math.round(navEntry.responseStart - navEntry.requestStart);
-
-        // FCP
-        const fcpEntry = performance.getEntriesByName('first-contentful-paint')[0];
-        if (fcpEntry) v.fcp = Math.round(fcpEntry.startTime);
-
-        // Paint entries
         const paintEntries = performance.getEntriesByType('paint');
-        paintEntries.forEach(entry => {
-          if (entry.name === 'first-contentful-paint') v.fcp = Math.round(entry.startTime);
-        });
-
-        // LCP Observer
-        try {
-          new PerformanceObserver((list) => {
-            const entries = list.getEntries();
-            const last    = entries[entries.length - 1];
-            if (last) v.lcp = Math.round(last.startTime);
-          }).observe({ type: 'largest-contentful-paint', buffered: true });
-        } catch {}
-
-        // CLS Observer
-        try {
-          new PerformanceObserver((list) => {
-            for (const entry of list.getEntries()) {
-              if (!entry.hadRecentInput) clsVal += entry.value;
-            }
-            v.cls = parseFloat(clsVal.toFixed(4));
-          }).observe({ type: 'layout-shift', buffered: true });
-        } catch {}
-
-        // Long tasks (TBT estimation)
-        try {
-          new PerformanceObserver((list) => {
-            for (const entry of list.getEntries()) {
-              if (entry.duration > 50) v.tbt += Math.round(entry.duration - 50);
-            }
-          }).observe({ type: 'longtask', buffered: true });
-        } catch {}
-
-        // Wait for all observers
-        setTimeout(() => {
+        paintEntries.forEach(e => { if (e.name === 'first-contentful-paint') v.fcp = Math.round(e.startTime); });
+        try { new PerformanceObserver((list) => {
+          const e = list.getEntries(); const last = e[e.length - 1];
+          if (last) v.lcp = Math.round(last.startTime);
+        }).observe({ type: 'largest-contentful-paint', buffered: true }); } catch {}
+        try { new PerformanceObserver((list) => {
+          for (const e of list.getEntries()) { if (!e.hadRecentInput) clsVal += e.value; }
           v.cls = parseFloat(clsVal.toFixed(4));
-          resolve(v);
-        }, 2000);
+        }).observe({ type: 'layout-shift', buffered: true }); } catch {}
+        try { new PerformanceObserver((list) => {
+          for (const e of list.getEntries()) { if (e.duration > 50) v.tbt += Math.round(e.duration - 50); }
+        }).observe({ type: 'longtask', buffered: true }); } catch {}
+        setTimeout(() => { v.cls = parseFloat(clsVal.toFixed(4)); resolve(v); }, 2500);
       });
     }).catch(() => ({}));
 
-    // Merge with navigation timing
     const navTiming = await page.evaluate(() => {
       const nav = performance.getEntriesByType('navigation')[0];
       if (!nav) return {};
       return {
-        ttfb        : Math.round(nav.responseStart - nav.requestStart),
-        domLoad     : Math.round(nav.domContentLoadedEventEnd),
-        fullLoad    : Math.round(nav.loadEventEnd),
-        dnsLookup   : Math.round(nav.domainLookupEnd - nav.domainLookupStart),
-        tcpConnect  : Math.round(nav.connectEnd - nav.connectStart),
+        ttfb: Math.round(nav.responseStart - nav.requestStart),
+        domLoad: Math.round(nav.domContentLoadedEventEnd),
+        fullLoad: Math.round(nav.loadEventEnd),
+        dnsLookup: Math.round(nav.domainLookupEnd - nav.domainLookupStart),
+        tcpConnect: Math.round(nav.connectEnd - nav.connectStart),
         transferSize: nav.transferSize,
       };
     }).catch(() => ({}));
@@ -351,73 +1102,90 @@ async function runPlaywrightScan(url, session, dash, options = {}) {
     results.vitals = { ...vitals, ...navTiming, navDuration };
     dash?.log(chalk.green(`  ✓ Vitals: TTFB=${navTiming.ttfb||'?'}ms LCP=${vitals.lcp||'?'}ms FCP=${vitals.fcp||'?'}ms CLS=${vitals.cls??'?'}`));
 
-    // ── DOM Checks ───────────────────────────────────────────────────────
+    // ── 5. Memory Leak Detection (v15) ────────────────────────────────────
+    dash?.log(chalk.cyan('  🧠 Detecting memory leaks...'));
+    const memResult = await detectMemoryLeaks(page, url);
+    results.memoryLeak = memResult;
+    session.memorySnapshots.push({ url, ...memResult });
+    if (memResult.hasLeak) {
+      dash?.log(chalk.yellow(`  ⚠ Memory leak detected: +${memResult.growthMB}MB`));
+    }
+
+    // ── 6. DOM Checks ────────────────────────────────────────────────────
     dash?.log(chalk.cyan('  🔍 Running DOM checks...'));
+    await page.goto(url, { waitUntil: 'networkidle', timeout: 30000 }).catch(() => {});
     const domChecks = await page.evaluate(() => {
       const checks = [];
-
-      // Title
       const title = document.title;
       checks.push({ name: 'Page title', pass: !!title && title.length > 0, value: title?.slice(0, 80) });
-
-      // H1
       const h1s = document.querySelectorAll('h1');
       checks.push({ name: 'Single H1', pass: h1s.length === 1, value: `${h1s.length} H1 tags` });
-
-      // Images without alt
-      const imgs    = document.querySelectorAll('img');
-      const noAlt   = [...imgs].filter(i => !i.getAttribute('alt')).length;
+      const imgs   = document.querySelectorAll('img');
+      const noAlt  = [...imgs].filter(i => !i.getAttribute('alt')).length;
       checks.push({ name: 'Images alt text', pass: noAlt === 0, value: `${noAlt}/${imgs.length} missing alt` });
-
-      // Buttons accessible
       const btns   = document.querySelectorAll('button');
       const noText = [...btns].filter(b => !b.textContent?.trim() && !b.getAttribute('aria-label')).length;
       checks.push({ name: 'Buttons accessible', pass: noText === 0, value: `${noText} buttons missing label` });
-
-      // Links with href
-      const links    = document.querySelectorAll('a');
-      const noHref   = [...links].filter(l => !l.href || l.href === '#' || l.href === window.location.href + '#').length;
+      const links  = document.querySelectorAll('a');
+      const noHref = [...links].filter(l => !l.href || l.href === '#' || l.href === window.location.href + '#').length;
       checks.push({ name: 'Links have href', pass: noHref === 0, value: `${noHref}/${links.length} empty links` });
-
-      // Forms with submit
       const forms    = document.querySelectorAll('form');
       const noSubmit = [...forms].filter(f => !f.querySelector('[type="submit"], button')).length;
       checks.push({ name: 'Forms have submit', pass: noSubmit === 0 || forms.length === 0, value: `${forms.length} forms` });
-
-      // Meta viewport
       const vp = document.querySelector('meta[name="viewport"]');
       checks.push({ name: 'Viewport meta', pass: !!vp, value: vp?.content || 'missing' });
-
-      // Color contrast check (heuristic)
-      const body = document.body;
-      const bodyStyle = window.getComputedStyle(body);
+      const bodyStyle = window.getComputedStyle(document.body);
       checks.push({ name: 'Body has styles', pass: !!bodyStyle.backgroundColor || !!bodyStyle.color, value: 'CSS applied' });
-
-      // Broken internal links check
-      const internalLinks = [...links].filter(l => {
-        try { return new URL(l.href).origin === window.location.origin; } catch { return false; }
-      });
+      // NEW v15 DOM checks
+      const skipLink = document.querySelector('a[href="#main"], a[href="#content"], .skip-link');
+      checks.push({ name: 'Skip navigation link', pass: !!skipLink, value: skipLink ? 'Present' : 'Missing (accessibility)' });
+      const mainEl = document.querySelector('main, [role="main"]');
+      checks.push({ name: 'Main landmark', pass: !!mainEl, value: mainEl ? 'Present' : 'Missing' });
+      const footerEl = document.querySelector('footer, [role="contentinfo"]');
+      checks.push({ name: 'Footer landmark', pass: !!footerEl, value: footerEl ? 'Present' : 'Missing' });
+      const focusableEls = document.querySelectorAll('a[href], button:not([disabled]), input:not([disabled]), select:not([disabled]), textarea:not([disabled]), [tabindex]:not([tabindex="-1"])');
+      checks.push({ name: 'Focusable elements exist', pass: focusableEls.length > 0, value: `${focusableEls.length} focusable` });
+      const langAttr = document.documentElement.lang;
+      checks.push({ name: 'HTML lang attribute', pass: !!langAttr, value: langAttr || 'missing' });
+      const canonical = document.querySelector('link[rel="canonical"]');
+      checks.push({ name: 'Canonical URL', pass: !!canonical, value: canonical?.href || 'missing' });
+      const ogTitle = document.querySelector('meta[property="og:title"]');
+      checks.push({ name: 'Open Graph title', pass: !!ogTitle, value: ogTitle?.content?.slice(0, 60) || 'missing' });
+      const robots = document.querySelector('meta[name="robots"]');
+      checks.push({ name: 'Robots meta', pass: true, value: robots?.content || 'none (indexable)' });
+      const internalLinks = [...links].filter(l => { try { return new URL(l.href).origin === window.location.origin; } catch { return false; } });
       checks.push({ name: 'Internal links count', pass: true, value: `${internalLinks.length} internal links` });
-
       return checks;
     }).catch(() => []);
 
     results.domChecks = domChecks;
     dash?.log(chalk.green(`  ✓ DOM: ${domChecks.filter(c => c.pass).length}/${domChecks.length} checks passed`));
 
-    // ── Interaction Tests ────────────────────────────────────────────────
+    // ── 7. Form Tests (v15) ───────────────────────────────────────────────
+    dash?.log(chalk.cyan('  📝 Testing forms...'));
+    const formResults = await testForms(page, url);
+    results.forms = formResults;
+    session.formTests.push(...formResults.map(f => ({ url, ...f })));
+
+    // ── 8. Third-Party Script Audit (v15) ─────────────────────────────────
+    dash?.log(chalk.cyan('  📦 Auditing third-party scripts...'));
+    const thirdPartyScripts = await auditThirdPartyScripts(page);
+    results.thirdParty = thirdPartyScripts;
+    session.thirdPartyScripts.push(...thirdPartyScripts.map(s => ({ url, ...s })));
+
+    // ── 9. Font & Asset Audit (v15) ───────────────────────────────────────
+    dash?.log(chalk.cyan('  🔤 Auditing fonts and assets...'));
+    const assetData = await auditFontsAndAssets(page);
+    results.fonts   = assetData;
+    session.assetAudit.push({ url, ...assetData });
+
+    // ── 10. Interaction Tests ─────────────────────────────────────────────
     dash?.log(chalk.cyan('  🖱️  Testing interactions...'));
     const interactions = [];
-
-    // Test all clickable buttons
-    const buttonCount = await page.locator('button:visible').count().catch(() => 0);
+    const buttonCount  = await page.locator('button:visible').count().catch(() => 0);
     interactions.push({ name: 'Visible buttons found', pass: true, value: `${buttonCount} buttons` });
-
-    // Test form inputs exist
     const inputCount = await page.locator('input:visible').count().catch(() => 0);
     interactions.push({ name: 'Form inputs found', pass: true, value: `${inputCount} inputs` });
-
-    // Test scroll behavior
     try {
       await page.evaluate(() => window.scrollTo(0, document.body.scrollHeight));
       await page.waitForTimeout(300);
@@ -426,8 +1194,6 @@ async function runPlaywrightScan(url, session, dash, options = {}) {
     } catch (err) {
       interactions.push({ name: 'Page scroll', pass: false, value: err.message });
     }
-
-    // Test keyboard navigation (Tab key)
     try {
       await page.keyboard.press('Tab');
       await page.waitForTimeout(100);
@@ -436,28 +1202,39 @@ async function runPlaywrightScan(url, session, dash, options = {}) {
     } catch {
       interactions.push({ name: 'Keyboard navigation', pass: false, value: 'Tab focus failed' });
     }
-
-    // Hover test on first link
     try {
       const firstLink = page.locator('a:visible').first();
-      if (await firstLink.count() > 0) {
-        await firstLink.hover();
-        interactions.push({ name: 'Link hover', pass: true, value: 'Hover works' });
-      }
-    } catch {
-      interactions.push({ name: 'Link hover', pass: false, value: 'Hover failed' });
-    }
+      if (await firstLink.count() > 0) { await firstLink.hover(); interactions.push({ name: 'Link hover', pass: true, value: 'Hover works' }); }
+    } catch { interactions.push({ name: 'Link hover', pass: false, value: 'Hover failed' }); }
+    // NEW v15: right-click test
+    try {
+      await page.mouse.click(640, 400, { button: 'right' });
+      await page.waitForTimeout(200);
+      await page.keyboard.press('Escape');
+      interactions.push({ name: 'Right-click (context menu)', pass: true, value: 'Works' });
+    } catch { interactions.push({ name: 'Right-click', pass: false, value: 'Failed' }); }
+    // NEW v15: copy text test
+    try {
+      await page.keyboard.press('Control+a');
+      await page.waitForTimeout(100);
+      interactions.push({ name: 'Select all text', pass: true, value: 'Ctrl+A works' });
+    } catch { interactions.push({ name: 'Select all text', pass: false, value: 'Failed' }); }
 
     results.interactions = interactions;
     dash?.log(chalk.green(`  ✓ Interactions: ${interactions.filter(i => i.pass).length}/${interactions.length} passed`));
 
-    // ── Resource Analysis ─────────────────────────────────────────────────
+    // ── 11. User Flow Simulation (v15) ────────────────────────────────────
+    dash?.log(chalk.cyan('  🧑‍💻 Simulating user flow...'));
+    const flowResult = await simulateUserFlow(page, url);
+    results.userFlow = flowResult;
+    session.userFlowResults.push(flowResult);
+    dash?.log(chalk.green(`  ✓ User flow: ${flowResult.passed}/${flowResult.steps.length} steps passed`));
+
+    // ── 12. Resource Analysis ─────────────────────────────────────────────
     const resourceStats = await page.evaluate(() => {
       const entries = performance.getEntriesByType('resource');
       const byType  = {};
       let totalSize = 0;
-      let totalTime = 0;
-
       for (const e of entries) {
         const t = e.initiatorType || 'other';
         if (!byType[t]) byType[t] = { count: 0, size: 0, time: 0, slow: [] };
@@ -465,15 +1242,18 @@ async function runPlaywrightScan(url, session, dash, options = {}) {
         byType[t].size += e.transferSize || 0;
         byType[t].time += e.duration;
         totalSize += e.transferSize || 0;
-        totalTime += e.duration;
-        if (e.duration > 500) {
-          byType[t].slow.push({ url: e.name.split('/').pop().slice(0, 60), duration: Math.round(e.duration), size: e.transferSize || 0 });
-        }
+        if (e.duration > 500) byType[t].slow.push({ url: e.name.split('/').pop().slice(0, 60), duration: Math.round(e.duration), size: e.transferSize || 0 });
       }
-      return { byType, totalSize, totalTime: Math.round(totalTime), count: entries.length };
+      return { byType, totalSize, count: entries.length };
     }).catch(() => ({}));
 
-    results.resourceStats = resourceStats;
+    results.resourceStats    = resourceStats;
+    results.mixedContent     = mixedContent;
+    results.cspViolations    = cspViolations2;
+
+    // Store mixed content/CSP in session
+    session.mixedContentIssues.push(...mixedContent.map(m => ({ url, text: m })));
+    session.cspViolations.push(...cspViolations2.map(c => ({ url, text: c })));
 
     return { results, navDuration, error: null };
 
@@ -490,7 +1270,7 @@ async function runPlaywrightScan(url, session, dash, options = {}) {
 // ═══════════════════════════════════════════════════════════════════════════
 //  Route Crawler — real HTTP crawl
 // ═══════════════════════════════════════════════════════════════════════════
-async function crawlSite(baseUrl, { maxPages = 50, onRoute } = {}) {
+async function crawlSite(baseUrl, { maxPages = 60, onRoute } = {}) {
   const visited = new Set();
   const queue   = [{ url: baseUrl, depth: 0 }];
   const routes  = [];
@@ -501,16 +1281,17 @@ async function crawlSite(baseUrl, { maxPages = 50, onRoute } = {}) {
   while (queue.length > 0 && routes.length < maxPages) {
     const { url, depth } = queue.shift();
     const n = norm(url);
-    if (!n || visited.has(n) || !sameOrigin(n) || depth > 3) continue;
+    if (!n || visited.has(n) || !sameOrigin(n) || depth > 4) continue;
     visited.add(n);
 
     const r    = await httpProbe(n, { timeout: 10000 });
     const type = (() => {
-      if (r.status >= 400)                                              return 'error-page';
-      if (r.contentType.includes('json') || n.includes('/api/'))       return 'api';
-      if (n.endsWith('.xml') || n.endsWith('.txt'))                     return 'resource';
-      if (/\/(login|signin|auth)/i.test(n))                            return 'auth';
-      if (/\/(admin)/i.test(n))                                        return 'admin';
+      if (r.status >= 400)                                            return 'error-page';
+      if (r.contentType.includes('json') || n.includes('/api/'))     return 'api';
+      if (n.endsWith('.xml') || n.endsWith('.txt'))                   return 'resource';
+      if (/\/(login|signin|auth)/i.test(n))                          return 'auth';
+      if (/\/(admin)/i.test(n))                                      return 'admin';
+      if (/\.(css|js|woff|png|jpg|gif|svg|ico)/i.test(n))           return 'asset';
       return 'page';
     })();
 
@@ -523,7 +1304,7 @@ async function crawlSite(baseUrl, { maxPages = 50, onRoute } = {}) {
       }
     }
 
-    const forms  = [];
+    const forms = [];
     const formRe = /<form([^>]*)>([\s\S]*?)<\/form>/gi;
     let fm;
     while ((fm = formRe.exec(r.body)) !== null) {
@@ -539,7 +1320,7 @@ async function crawlSite(baseUrl, { maxPages = 50, onRoute } = {}) {
       forms.push({ action, method, fields });
     }
 
-    const route = { id: shortId(), url: n, type, status: r.status, depth, links, forms, contentType: r.contentType, error: r.error };
+    const route = { id: shortId(), url: n, type, status: r.status, depth, links, forms, contentType: r.contentType, error: r.error, responseTime: r.responseTime };
     routes.push(route);
     if (onRoute) onRoute(route);
 
@@ -549,8 +1330,15 @@ async function crawlSite(baseUrl, { maxPages = 50, onRoute } = {}) {
     }
   }
 
-  // Common paths probe
-  const commonPaths = ['/api/health','/health','/api/status','/api/v1/health','/api/docs','/robots.txt','/sitemap.xml'];
+  // Common paths probe (v15 extended)
+  const commonPaths = [
+    '/api/health', '/health', '/api/status', '/api/v1/health',
+    '/api/docs', '/robots.txt', '/sitemap.xml', '/manifest.json',
+    '/sw.js', '/service-worker.js', '/favicon.ico',
+    '/.well-known/security.txt', '/security.txt',
+    '/api/v1', '/api/v2', '/graphql',
+    '/changelog', '/version',
+  ];
   for (const p2 of commonPaths) {
     try {
       const u = new URL(p2, baseUrl).toString();
@@ -559,7 +1347,7 @@ async function crawlSite(baseUrl, { maxPages = 50, onRoute } = {}) {
       visited.add(n);
       const r = await httpProbe(u, { timeout: 5000 });
       if (r.status > 0 && r.status < 500) {
-        const route = { id: shortId(), url: u, type: p2.includes('/api') ? 'api' : 'resource', status: r.status, depth: 0, links: [], forms: [] };
+        const route = { id: shortId(), url: u, type: p2.includes('/api') ? 'api' : 'resource', status: r.status, depth: 0, links: [], forms: [], responseTime: r.responseTime };
         routes.push(route);
         if (onRoute) onRoute(route);
       }
@@ -570,36 +1358,41 @@ async function crawlSite(baseUrl, { maxPages = 50, onRoute } = {}) {
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
-//  Security Scanner
+//  Security Scanner v15 — Extended
 // ═══════════════════════════════════════════════════════════════════════════
 async function runSecurityScan(url) {
   const findings = [];
   const r        = await httpProbe(url);
 
   if (!r.ok && r.status === 0) {
-    return [{
-      check: 'Server reachable', pass: false, severity: 'P0', category: 'connectivity',
-      detail: `Cannot reach ${url}: ${r.error}`, recommendation: 'Ensure server is running',
-    }];
+    return [{ check: 'Server reachable', pass: false, severity: 'P0', category: 'connectivity',
+      detail: `Cannot reach ${url}: ${r.error}`, recommendation: 'Ensure server is running' }];
   }
 
   const h = r.headers;
 
   const headerChecks = [
-    { id: 'csp',    name: 'Content-Security-Policy',  header: 'content-security-policy',    sev: 'P1',
+    { id: 'csp',    name: 'Content-Security-Policy',      header: 'content-security-policy',    sev: 'P1',
       validate: v => !!v, rec: 'Add CSP header to prevent XSS' },
-    { id: 'hsts',   name: 'HSTS',                    header: 'strict-transport-security',   sev: 'P1',
+    { id: 'hsts',   name: 'HSTS',                         header: 'strict-transport-security',  sev: 'P1',
       validate: v => !!v, rec: 'Add HSTS to enforce HTTPS' },
-    { id: 'xframe', name: 'X-Frame-Options',          header: 'x-frame-options',             sev: 'P1',
+    { id: 'xframe', name: 'X-Frame-Options',              header: 'x-frame-options',            sev: 'P1',
       validate: v => v && ['DENY','SAMEORIGIN'].includes(v.toUpperCase()), rec: 'Set X-Frame-Options: DENY' },
-    { id: 'xcto',   name: 'X-Content-Type-Options',   header: 'x-content-type-options',      sev: 'P2',
+    { id: 'xcto',   name: 'X-Content-Type-Options',       header: 'x-content-type-options',     sev: 'P2',
       validate: v => v === 'nosniff', rec: 'Set X-Content-Type-Options: nosniff' },
-    { id: 'rp',     name: 'Referrer-Policy',           header: 'referrer-policy',             sev: 'P2',
+    { id: 'rp',     name: 'Referrer-Policy',              header: 'referrer-policy',            sev: 'P2',
       validate: v => !!v, rec: 'Add Referrer-Policy header' },
-    { id: 'server', name: 'Server version hidden',     header: 'server',                      sev: 'P2',
+    { id: 'pp',     name: 'Permissions-Policy',           header: 'permissions-policy',         sev: 'P2',
+      validate: v => !!v, rec: 'Add Permissions-Policy to restrict browser features' },
+    { id: 'server', name: 'Server version hidden',        header: 'server',                     sev: 'P2',
       validate: v => !v || (!v.includes('/') && !/\d+\.\d+/.test(v)), rec: 'Genericize Server header' },
-    { id: 'xpb',    name: 'X-Powered-By hidden',       header: 'x-powered-by',               sev: 'P2',
+    { id: 'xpb',    name: 'X-Powered-By hidden',          header: 'x-powered-by',              sev: 'P2',
       validate: v => !v, rec: 'Remove X-Powered-By header' },
+    // NEW v15
+    { id: 'coep',   name: 'Cross-Origin-Embedder-Policy', header: 'cross-origin-embedder-policy', sev: 'P3',
+      validate: v => !!v, rec: 'Add COEP for isolation' },
+    { id: 'coop',   name: 'Cross-Origin-Opener-Policy',   header: 'cross-origin-opener-policy',  sev: 'P3',
+      validate: v => !!v, rec: 'Add COOP header' },
   ];
 
   for (const c of headerChecks) {
@@ -616,28 +1409,49 @@ async function runSecurityScan(url) {
   findings.push({
     check: 'HTTPS enforced', pass: isHTTPS, severity: isHTTPS ? 'INFO' : 'P1',
     category: 'encryption', detail: isHTTPS ? 'HTTPS in use' : 'HTTP — unencrypted',
-    recommendation: 'Use HTTPS with valid SSL', evidence: { protocol: new URL(url).protocol },
+    recommendation: 'Use HTTPS with valid SSL',
   });
 
   const corsOrigin = h['access-control-allow-origin'];
   const corsCreds  = h['access-control-allow-credentials'];
   const corsPass   = !(corsOrigin === '*' && corsCreds === 'true');
   findings.push({
-    check: 'CORS wildcard + credentials', pass: corsPass,
-    severity: corsPass ? 'INFO' : 'P0', category: 'cors',
+    check: 'CORS wildcard + credentials', pass: corsPass, severity: corsPass ? 'INFO' : 'P0', category: 'cors',
     detail: corsPass ? 'CORS config safe' : 'Wildcard CORS + credentials = critical vulnerability',
     recommendation: 'Never combine CORS * with allow-credentials',
-    evidence: { 'access-control-allow-origin': corsOrigin, 'access-control-allow-credentials': corsCreds },
   });
 
-  const base      = new URL(url).origin;
+  // NEW v15: Check for version disclosure in other headers
+  const versionHeaders = ['x-aspnet-version', 'x-aspnetmvc-version', 'x-drupal-cache', 'x-generator'];
+  for (const vh of versionHeaders) {
+    if (h[vh]) findings.push({
+      check: `${vh} disclosure`, pass: false, severity: 'P2', category: 'information-disclosure',
+      detail: `${vh}: ${h[vh]}`, recommendation: `Remove ${vh} header`,
+    });
+  }
+
+  const base = new URL(url).origin;
   const sensitives = [
-    { path: '/.env',          name: '.env exposed' },
-    { path: '/.git/config',   name: 'Git config exposed' },
-    { path: '/phpinfo.php',   name: 'phpinfo exposed' },
-    { path: '/server-status', name: 'Apache server-status' },
-    { path: '/actuator',      name: 'Spring actuator exposed' },
-    { path: '/graphql',       name: 'GraphQL introspection' },
+    { path: '/.env',             name: '.env exposed' },
+    { path: '/.env.local',       name: '.env.local exposed' },
+    { path: '/.git/config',      name: 'Git config exposed' },
+    { path: '/phpinfo.php',      name: 'phpinfo exposed' },
+    { path: '/server-status',    name: 'Apache server-status' },
+    { path: '/actuator',         name: 'Spring actuator' },
+    { path: '/actuator/env',     name: 'Spring actuator env' },
+    { path: '/graphql',          name: 'GraphQL introspection' },
+    { path: '/api/swagger.json', name: 'Swagger docs exposed' },
+    { path: '/api/openapi.json', name: 'OpenAPI docs exposed' },
+    { path: '/config.json',      name: 'config.json exposed' },
+    { path: '/debug',            name: 'Debug endpoint' },
+    // NEW v15
+    { path: '/.DS_Store',        name: '.DS_Store exposed' },
+    { path: '/wp-config.php',    name: 'WordPress config' },
+    { path: '/package.json',     name: 'package.json exposed' },
+    { path: '/composer.json',    name: 'composer.json exposed' },
+    { path: '/.htaccess',        name: '.htaccess exposed' },
+    { path: '/backup.sql',       name: 'SQL backup exposed' },
+    { path: '/dump.sql',         name: 'SQL dump exposed' },
   ];
   for (const s of sensitives) {
     try {
@@ -660,7 +1474,7 @@ async function runSecurityScan(url) {
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
-//  SEO Scanner
+//  SEO Scanner v15 — Extended
 // ═══════════════════════════════════════════════════════════════════════════
 async function runSEOScan(url) {
   const t0   = Date.now();
@@ -674,60 +1488,71 @@ async function runSEOScan(url) {
 
   const title = get(/<title[^>]*>([^<]+)<\/title>/i);
   checks.push({ name: 'Title tag', pass: !!title, severity: 'P1', category: 'meta',
-    detail: title ? `"${title.slice(0,60)}"` : 'Missing <title>', data: { title, length: title?.length },
-    recommendation: 'Add unique title (50-60 chars)' });
-
+    detail: title ? `"${title.slice(0,60)}"` : 'Missing <title>' });
   if (title) checks.push({ name: 'Title length', pass: title.length >= 30 && title.length <= 60,
-    severity: 'P2', category: 'meta', detail: `${title.length} chars (optimal 30-60)`,
-    recommendation: 'Keep title 30-60 chars' });
+    severity: 'P2', category: 'meta', detail: `${title.length} chars (optimal 30-60)` });
 
   const desc = get(/<meta[^>]+name=["']description["'][^>]+content=["']([^"']+)["']/i)
             || get(/<meta[^>]+content=["']([^"']+)["'][^>]+name=["']description["']/i);
   checks.push({ name: 'Meta description', pass: !!desc, severity: 'P1', category: 'meta',
-    detail: desc ? `"${desc.slice(0,80)}"` : 'Missing meta description',
-    recommendation: 'Add meta description (120-160 chars)' });
+    detail: desc ? `"${desc.slice(0,80)}"` : 'Missing meta description' });
+  if (desc) checks.push({ name: 'Description length', pass: desc.length >= 120 && desc.length <= 160,
+    severity: 'P2', category: 'meta', detail: `${desc.length} chars (optimal 120-160)` });
 
   const h1Count = (html.match(/<h1[^>]*>/gi) || []).length;
   checks.push({ name: 'H1 tag', pass: h1Count === 1, severity: 'P1', category: 'structure',
-    detail: h1Count === 0 ? 'No H1' : h1Count > 1 ? `${h1Count} H1 tags (should be 1)` : '1 H1 ✓',
-    recommendation: 'Use exactly one H1 per page' });
+    detail: h1Count === 0 ? 'No H1' : h1Count > 1 ? `${h1Count} H1s (should be 1)` : '1 H1 ✓' });
+
+  const h2Count = (html.match(/<h2[^>]*>/gi) || []).length;
+  checks.push({ name: 'H2 tags', pass: h2Count > 0, severity: 'P3', category: 'structure',
+    detail: `${h2Count} H2 tags found` });
 
   const hasVP = has(/<meta[^>]+name=["']viewport["']/i);
-  checks.push({ name: 'Viewport meta', pass: hasVP, severity: 'P1', category: 'mobile',
-    detail: hasVP ? 'Viewport found' : 'Missing viewport meta',
-    recommendation: 'Add viewport meta tag' });
+  checks.push({ name: 'Viewport meta', pass: hasVP, severity: 'P1', category: 'mobile', detail: hasVP ? 'Viewport found' : 'Missing' });
 
   const lang = get(/<html[^>]+lang=["']([^"']+)["']/i);
-  checks.push({ name: 'HTML lang', pass: !!lang, severity: 'P1', category: 'accessibility-seo',
-    detail: lang ? `lang="${lang}"` : 'Missing lang attribute', recommendation: 'Add lang to <html>' });
+  checks.push({ name: 'HTML lang', pass: !!lang, severity: 'P1', category: 'accessibility-seo', detail: lang ? `lang="${lang}"` : 'Missing' });
 
   const canonical = get(/<link[^>]+rel=["']canonical["'][^>]+href=["']([^"']+)["']/i);
-  checks.push({ name: 'Canonical link', pass: !!canonical, severity: 'P2', category: 'technical-seo',
-    detail: canonical ? `Canonical: ${canonical}` : 'Missing canonical',
-    recommendation: 'Add <link rel="canonical">' });
+  checks.push({ name: 'Canonical link', pass: !!canonical, severity: 'P2', category: 'technical-seo', detail: canonical ? `Canonical: ${canonical}` : 'Missing' });
 
   const ogOk = has(/<meta[^>]+property=["']og:title["']/i) && has(/<meta[^>]+property=["']og:description["']/i);
-  checks.push({ name: 'Open Graph tags', pass: ogOk, severity: 'P2', category: 'social',
-    detail: ogOk ? 'OG tags present' : 'Missing og:title or og:description',
-    recommendation: 'Add og:title, og:description, og:image' });
+  checks.push({ name: 'Open Graph tags', pass: ogOk, severity: 'P2', category: 'social', detail: ogOk ? 'OG tags present' : 'Missing og:title/description' });
+  const ogImage = has(/<meta[^>]+property=["']og:image["']/i);
+  checks.push({ name: 'OG image', pass: ogImage, severity: 'P2', category: 'social', detail: ogImage ? 'og:image present' : 'Missing og:image' });
+
+  const twitterCard = has(/<meta[^>]+name=["']twitter:card["']/i);
+  checks.push({ name: 'Twitter Card', pass: twitterCard, severity: 'P3', category: 'social', detail: twitterCard ? 'Twitter card present' : 'Missing' });
+
+  const structuredData = has(/<script[^>]+type=["']application\/ld\+json["']/i);
+  checks.push({ name: 'Structured data (JSON-LD)', pass: structuredData, severity: 'P2', category: 'structured-data', detail: structuredData ? 'JSON-LD found' : 'No structured data' });
 
   const imgTotal = (html.match(/<img[^>]*>/gi) || []).length;
   const imgNoAlt = (html.match(/<img(?![^>]*\balt=)[^>]*>/gi) || []).length;
   checks.push({ name: 'Images alt text', pass: imgNoAlt === 0, severity: 'P2', category: 'accessibility-seo',
-    detail: imgNoAlt === 0 ? `All ${imgTotal} images have alt` : `${imgNoAlt}/${imgTotal} missing alt`,
-    recommendation: 'Add alt text to all images' });
+    detail: imgNoAlt === 0 ? `All ${imgTotal} images have alt` : `${imgNoAlt}/${imgTotal} missing alt` });
 
   checks.push({ name: 'Server response time', pass: rt < 800, severity: rt > 2000 ? 'P1' : 'P2',
-    category: 'performance-seo', detail: `TTFB: ${rt}ms (Google: <800ms)`,
-    recommendation: 'Optimize TTFB with CDN and caching' });
+    category: 'performance-seo', detail: `TTFB: ${rt}ms (Google: <800ms)` });
+
+  // NEW v15: Heading hierarchy
+  const headings = (html.match(/<h[1-6][^>]*>/gi) || []).map(h => parseInt(h[2]));
+  let hierOk = true;
+  for (let i = 1; i < headings.length; i++) {
+    if (headings[i] > headings[i-1] + 1) { hierOk = false; break; }
+  }
+  checks.push({ name: 'Heading hierarchy', pass: hierOk, severity: 'P2', category: 'structure', detail: hierOk ? 'Headings in order' : 'Skipped heading levels' });
+
+  // NEW v15: noindex check
+  const noindex = has(/<meta[^>]+name=["']robots["'][^>]+content=["'][^"']*noindex/i);
+  checks.push({ name: 'Not noindexed', pass: !noindex, severity: noindex ? 'P1' : 'INFO', category: 'crawling', detail: noindex ? 'Page is noindexed!' : 'Indexable' });
 
   const base = new URL(url).origin;
   for (const [file, name] of [['/robots.txt','robots.txt'],['/sitemap.xml','sitemap.xml']]) {
     try {
       const rr = await httpProbe(`${base}${file}`, { timeout: 4000 });
       checks.push({ name, pass: rr.ok, severity: 'P1', category: 'crawling',
-        detail: rr.ok ? `${name} accessible` : `${name} returned ${rr.status}`,
-        recommendation: `Ensure ${name} exists` });
+        detail: rr.ok ? `${name} accessible` : `${name} returned ${rr.status}` });
     } catch {
       checks.push({ name, pass: false, severity: 'P2', category: 'crawling', detail: `${name} unreachable` });
     }
@@ -737,7 +1562,7 @@ async function runSEOScan(url) {
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
-//  Accessibility Scanner — HTML analysis
+//  Accessibility Scanner v15 — Extended
 // ═══════════════════════════════════════════════════════════════════════════
 async function runA11yScan(url) {
   const r    = await httpProbe(url, { timeout: 12000 });
@@ -745,20 +1570,28 @@ async function runA11yScan(url) {
   const violations = [], passes = [];
 
   const checks = [
-    { id: 'html-lang',      impact: 'serious',  test: () => !/<html[^>]+lang=["'][^"']+["']/i.test(html),     pass: 'HTML lang present',    desc: 'HTML must have lang attribute' },
-    { id: 'img-alt',        impact: 'critical', test: () => /<img(?![^>]*\balt=)[^>]*>/i.test(html),           pass: 'Images have alt text', desc: 'Images must have alternate text' },
-    { id: 'document-title', impact: 'serious',  test: () => !/<title[^>]*>[^<]+<\/title>/i.test(html),        pass: 'Document has title',   desc: 'Document must have title' },
-    { id: 'viewport',       impact: 'critical', test: () => /user-scalable=no|maximum-scale=1/i.test(html),   pass: 'Viewport allows scaling', desc: 'Viewport must not disable scaling' },
-    { id: 'main-landmark',  impact: 'moderate', test: () => !/<main[^>]*>/i.test(html),                        pass: 'Main landmark present', desc: 'Page should have <main>' },
-    { id: 'h1-present',     impact: 'moderate', test: () => !/<h1[^>]*>/i.test(html),                          pass: 'H1 heading present',   desc: 'Page should have H1' },
-    { id: 'link-text',      impact: 'serious',  test: () => /<a[^>]*>\s*<\/a>/i.test(html),                   pass: 'Links have text',      desc: 'Links must have discernible text' },
+    { id: 'html-lang',      impact: 'serious',  test: () => !/<html[^>]+lang=["'][^"']+["']/i.test(html),    pass: 'HTML lang present',       desc: 'HTML must have lang attribute' },
+    { id: 'img-alt',        impact: 'critical', test: () => /<img(?![^>]*\balt=)[^>]*>/i.test(html),          pass: 'Images have alt text',    desc: 'Images must have alternate text' },
+    { id: 'document-title', impact: 'serious',  test: () => !/<title[^>]*>[^<]+<\/title>/i.test(html),       pass: 'Document has title',      desc: 'Document must have title' },
+    { id: 'viewport',       impact: 'critical', test: () => /user-scalable=no|maximum-scale=1/i.test(html),  pass: 'Viewport allows scaling', desc: 'Viewport must not disable scaling' },
+    { id: 'main-landmark',  impact: 'moderate', test: () => !/<main[^>]*>/i.test(html),                       pass: 'Main landmark present',   desc: 'Page should have <main>' },
+    { id: 'h1-present',     impact: 'moderate', test: () => !/<h1[^>]*>/i.test(html),                         pass: 'H1 heading present',      desc: 'Page should have H1' },
+    { id: 'link-text',      impact: 'serious',  test: () => /<a[^>]*>\s*<\/a>/i.test(html),                  pass: 'Links have text',         desc: 'Links must have discernible text' },
     { id: 'form-labels',    impact: 'critical', test: () => /<input(?![^>]*(?:aria-label|aria-labelledby|id=))[^>]*type=(?!"hidden")[^>]*>/i.test(html), pass: 'Form inputs have labels', desc: 'Form elements must have labels' },
+    // NEW v15
+    { id: 'skip-nav',       impact: 'moderate', test: () => !/<a[^>]*href=["']#(?:main|content|skip)[^"']*["']/i.test(html), pass: 'Skip nav link', desc: 'Page should have skip navigation link' },
+    { id: 'table-headers',  impact: 'serious',  test: () => /<table/i.test(html) && !/<th/i.test(html),      pass: 'Tables have headers',     desc: 'Tables must have header cells' },
+    { id: 'input-purpose',  impact: 'serious',  test: () => /<input[^>]*type=["'](email|tel|name)[^"']*["']/i.test(html) && !/<input[^>]*autocomplete/i.test(html), pass: 'Inputs have autocomplete', desc: 'Contact inputs should have autocomplete' },
+    { id: 'focus-visible',  impact: 'serious',  test: () => /:focus\s*\{\s*outline\s*:\s*none/i.test(html) || /:focus\s*\{\s*outline\s*:\s*0/i.test(html), pass: 'Focus indicator not removed', desc: 'CSS must not hide focus indicator' },
+    { id: 'color-contrast-meta', impact: 'moderate', test: () => false, pass: 'Color contrast (check manually with browser)', desc: 'Ensure sufficient color contrast' },
+    { id: 'nav-landmark',   impact: 'moderate', test: () => !/<nav[^>]*>/i.test(html),                         pass: 'Nav landmark present',    desc: 'Navigation should use <nav>' },
+    { id: 'button-type',    impact: 'minor',    test: () => /<button(?![^>]*type=)/i.test(html),               pass: 'Buttons have type',       desc: 'Buttons should have explicit type attribute' },
   ];
 
   for (const c of checks) {
     if (c.test()) {
       violations.push({ id: c.id, description: c.desc, help: c.desc, impact: c.impact,
-        tags: ['wcag2a'], category: 'wcag2a', nodes: 1, affectedNodes: [],
+        tags: ['wcag2a'], category: 'wcag2a', nodes: 1,
         helpUrl: `https://dequeuniversity.com/rules/axe/4.9/${c.id}` });
     } else {
       passes.push({ id: c.id, description: c.pass, nodes: 1 });
@@ -766,56 +1599,60 @@ async function runA11yScan(url) {
   }
 
   const score = passes.length > 0 ? Math.round(passes.length / (passes.length + violations.length) * 100) : 0;
-  return { pass: violations.length === 0, violations, passes, incomplete: [], score, url, mode: 'http-html-analysis' };
+  return { pass: violations.length === 0, violations, passes, incomplete: [], score, url };
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
-//  AI Bug Classifier
+//  AI Bug Classifier v15 — Enhanced patterns
 // ═══════════════════════════════════════════════════════════════════════════
 const SEV_PATTERNS = {
-  P0: [/security|auth.*bypass|sql.inject|xss|rce|exposed.*secret|password.*leak|critical/i, /crash|fatal|500|server.*down|data.*loss/i],
-  P1: [/login.*fail|auth.*error|jwt|token.*invalid|api.*timeout|cors.*error/i, /lcp|performance.*poor|wcag.*critical|a11y.*serious/i],
-  P2: [/console.*error|js.*error|network.*fail|404|missing.*meta|seo.*issue/i],
-  P3: [/warning|minor|style|typo|cosmetic/i],
+  P0: [/security|auth.*bypass|sql.inject|xss|rce|exposed.*secret|password.*leak|critical|\.env.*exposed|git.*config.*exposed|database.*dump/i, /crash|fatal|500|server.*down|data.*loss|memory.*leak.*critical/i],
+  P1: [/login.*fail|auth.*error|jwt|token.*invalid|api.*timeout|cors.*error|mixed.*content/i, /lcp|performance.*poor|wcag.*critical|a11y.*serious|viewport.*overflow/i],
+  P2: [/console.*error|js.*error|network.*fail|404|missing.*meta|seo.*issue|cookie.*missing|broken.*link/i],
+  P3: [/warning|minor|style|typo|cosmetic|twitter.*card/i],
 };
 const CAT_PATTERNS = {
-  security    : /security|csp|hsts|cors|xss|injection|auth|token/i,
-  performance : /lcp|fcp|cls|ttfb|slow|timeout|render/i,
-  accessibility: /wcag|a11y|aria|alt.*text|contrast|keyboard/i,
-  seo         : /title|meta|description|canonical|sitemap|robots/i,
-  api         : /api|endpoint|status.*code|response|rest/i,
-  javascript  : /js.*error|console.*error|uncaught|undefined|null/i,
-  network     : /network|fetch|connection|request.*fail/i,
+  security      : /security|csp|hsts|cors|xss|injection|auth|token|cookie|env.*exposed/i,
+  performance   : /lcp|fcp|cls|ttfb|slow|timeout|render|memory.*leak|resource/i,
+  accessibility : /wcag|a11y|aria|alt.*text|contrast|keyboard|skip.*nav|focus/i,
+  seo           : /title|meta|description|canonical|sitemap|robots|structured.*data/i,
+  api           : /api|endpoint|status.*code|response|rest|contract/i,
+  javascript    : /js.*error|console.*error|uncaught|undefined|null|pageerror/i,
+  network       : /network|fetch|connection|request.*fail|broken.*link/i,
+  viewport      : /viewport|responsive|mobile|overflow|horizontal.*scroll/i,
+  darkMode      : /dark.*mode|color.*scheme|prefers-color/i,
 };
 function classifyBug(bug) {
   const text = `${bug.title} ${bug.description || ''}`;
   let severity = bug.severity || 'P3', confidence = 0.7;
   for (const [sev, pats] of Object.entries(SEV_PATTERNS)) {
-    if (pats.some(p => p.test(text))) { severity = sev; confidence = 0.85; break; }
+    if (pats.some(p => p.test(text))) { severity = sev; confidence = 0.87; break; }
   }
   let category = bug.type || 'general';
   for (const [cat, pat] of Object.entries(CAT_PATTERNS)) {
     if (pat.test(text)) { category = cat; break; }
   }
   const recs = {
-    security     : 'Review security config and run penetration test',
-    performance  : 'Run Lighthouse and optimize assets/server',
-    accessibility: 'Fix WCAG 2.1 AA violations with aXe DevTools',
-    seo          : 'Fix meta tags and submit sitemap to Search Console',
-    api          : 'Check API contract and add proper error handling',
-    javascript   : 'Debug in browser DevTools, add error boundaries',
-    network      : 'Check CDN, server logs, network config',
+    security      : 'Review security config immediately and run penetration test',
+    performance   : 'Run Lighthouse, optimize assets, review bundle size',
+    accessibility : 'Fix WCAG 2.1 AA violations with axe DevTools',
+    seo           : 'Fix meta tags and submit updated sitemap to Search Console',
+    api           : 'Check API contract, add proper error handling and typing',
+    javascript    : 'Debug in DevTools, add error boundaries, check for undefined refs',
+    network       : 'Check CDN, server logs, review network config and CORS policy',
+    viewport      : 'Test on real devices, fix overflow, check responsive breakpoints',
+    darkMode      : 'Add prefers-color-scheme media query support',
   };
-  return { severity, category, recommendation: recs[category] || 'Review error details', confidence };
+  return { severity, category, recommendation: recs[category] || 'Review and fix error details', confidence };
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
-//  Terminal Dashboard
+//  Terminal Dashboard v15 — Enhanced live display
 // ═══════════════════════════════════════════════════════════════════════════
 class TerminalDashboard {
   #session; #lines = 0; #active = false; #timer = null;
   #phase = 'Initializing...'; #currentTest = ''; #log = []; #startTime = Date.now();
-  #pwMode = false;
+  #pwMode = false; #subPhase = '';
 
   constructor(s) { this.#session = s; this.#pwMode = s.playwrightMode; }
 
@@ -823,7 +1660,7 @@ class TerminalDashboard {
     this.#active = true; this.#startTime = Date.now();
     process.stdout.write('\x1b[?25l');
     this.#render();
-    this.#timer = setInterval(() => this.#render(), 600);
+    this.#timer = setInterval(() => this.#render(), 400);
   }
 
   stop() {
@@ -834,12 +1671,13 @@ class TerminalDashboard {
     this.#printFinal();
   }
 
-  setPhase(p)       { this.#phase = p; this.log(chalk.cyan(p)); }
+  setPhase(p)       { this.#phase = p; this.#subPhase = ''; this.log(chalk.cyan(p)); }
+  setSubPhase(p)    { this.#subPhase = p; }
   setCurrentTest(t) { this.#currentTest = t; }
   addResult()       { this.#currentTest = ''; }
   log(msg) {
     this.#log.push(`${chalk.gray(new Date().toLocaleTimeString())} ${msg}`);
-    if (this.#log.length > 8) this.#log.shift();
+    if (this.#log.length > 10) this.#log.shift();
   }
 
   #render() {
@@ -867,48 +1705,53 @@ class TerminalDashboard {
     const total   = s.results.length;
     const rate    = total > 0 ? Math.round(passed / total * 100) : 0;
     const heapMB  = (process.memoryUsage().heapUsed / 1024 / 1024).toFixed(0);
-    const w       = Math.min(process.stdout.columns || 80, 88);
+    const w       = Math.min(process.stdout.columns || 90, 92);
     const bar     = '─'.repeat(w - 2);
     const c1      = chalk.hex('#00F5FF');
     const c2      = chalk.hex('#BF40FF');
     const pad     = (s, n = w - 2) => String(s).slice(0, n).padEnd(n);
-    const pwTag   = this.#pwMode ? chalk.hex('#BF40FF')(' 🎭 PLAYWRIGHT') : chalk.gray(' HTTP');
+    const pwTag   = this.#pwMode ? chalk.hex('#BF40FF')(' 🎭 BACKLIST') : chalk.gray(' HTTP');
+
+    const spin = ['⠋','⠙','⠹','⠸','⠼','⠴','⠦','⠧','⠇','⠏'][Math.floor(Date.now() / 100) % 10];
 
     const pBar = (() => {
-      const f   = Math.min(Math.round(rate / 100 * 26), 26);
+      const f   = Math.min(Math.round(rate / 100 * 30), 30);
       const col = rate >= 90 ? chalk.green : rate >= 70 ? chalk.yellow : chalk.red;
-      return col('█'.repeat(f)) + chalk.gray('░'.repeat(26 - f));
+      return col('█'.repeat(f)) + chalk.gray('░'.repeat(30 - f));
     })();
 
     const out = [
       c1(`┌${bar}┐`),
-      c1('│') + c2.bold(pad(`  ⚡ BACKLIST QA v${VERSION} — REAL BROWSER TESTING${pwTag}`)) + c1('│'),
+      c1('│') + c2.bold(pad(`  ⚡ BACKLIST QA v${VERSION} — ULTRA LIVE TESTING EDITION${pwTag}`)) + c1('│'),
       c1(`├${bar}┤`),
       c1('│') + pad(`  ${chalk.cyan('Phase:')} ${chalk.white(this.#phase.slice(0, w - 14))}`) + c1('│'),
+      this.#subPhase
+        ? c1('│') + pad(`  ${chalk.gray('↳')} ${chalk.gray(this.#subPhase.slice(0, w - 8))}`) + c1('│')
+        : c1('│') + pad('') + c1('│'),
       c1(`├${bar}┤`),
-      c1('│') + pad(`  ${chalk.green('✓')} ${chalk.bold(passed)} passed  ${chalk.red('✗')} ${chalk.bold(failed)} failed  ${chalk.cyan('🐛')} ${chalk.bold(s.bugs.length)} bugs  ${chalk.gray('⏱')} ${chalk.white(elapsed + 's')}  ${chalk.gray('Heap')} ${chalk.white(heapMB + 'MB')}`) + c1('│'),
+      c1('│') + pad(`  ${chalk.green('✓')} ${chalk.bold(passed)} passed  ${chalk.red('✗')} ${chalk.bold(failed)} failed  ${chalk.cyan('🐛')} ${chalk.bold(s.bugs.length)} bugs  ${chalk.magenta('📸')} ${chalk.bold(s.screenshots.length)}  ${chalk.gray('⏱')} ${chalk.white(elapsed + 's')}  ${chalk.gray('Heap')} ${chalk.white(heapMB + 'MB')}`) + c1('│'),
       c1('│') + pad(`  [${pBar}] ${chalk.bold(rate + '%')} (${total} tests)`) + c1('│'),
       c1(`├${bar}┤`),
-      c1('│') + pad(this.#currentTest ? `  ${chalk.yellow('⟳')} ${chalk.yellow(this.#currentTest.slice(0, w - 8))}` : `  ${chalk.gray('⊙  Running...')}`) + c1('│'),
+      c1('│') + pad(this.#currentTest ? `  ${chalk.yellow(spin)} ${chalk.yellow(this.#currentTest.slice(0, w - 8))}` : `  ${chalk.gray('⊙  Scanning...')}`) + c1('│'),
       c1(`├${bar}┤`),
-      c1('│') + pad(`  ${chalk.cyan('Routes:')} ${chalk.white(s.routeMap.length)}  ${chalk.cyan('Screenshots:')} ${chalk.white(s.screenshots.length)}  ${chalk.cyan('Bugs:')} ${chalk.white(s.bugs.length)}  ${chalk.cyan('Net Errors:')} ${chalk.white(s.networkLog.length)}`) + c1('│'),
+      c1('│') + pad(`  ${chalk.cyan('Routes:')} ${chalk.white(s.routeMap.length)}  ${chalk.cyan('Sec:')} ${chalk.white(s.secFindings.length)}  ${chalk.cyan('Broken links:')} ${chalk.white(s.brokenLinks.length)}  ${chalk.cyan('3rd-party:')} ${chalk.white(s.thirdPartyScripts.length)}  ${chalk.cyan('Net Err:')} ${chalk.white(s.networkLog.length)}`) + c1('│'),
       c1(`├${bar}┤`),
     ];
 
-    const recent = s.results.slice(-5);
+    const recent = s.results.slice(-6);
     for (const r of recent) {
       const icon = r.status === 'PASS' ? chalk.green('✓') : r.status === 'FAIL' ? chalk.red('✗') : chalk.yellow('⚠');
-      out.push(c1('│') + pad(`  ${icon} ${chalk.gray('[' + (r.type||'').padEnd(12) + ']')} ${chalk.white((r.name||'').slice(0, w - 30))}`) + c1('│'));
+      out.push(c1('│') + pad(`  ${icon} ${chalk.gray('[' + (r.type||'').padEnd(14) + ']')} ${chalk.white((r.name||'').slice(0, w - 32))}`) + c1('│'));
     }
-    for (let i = recent.length; i < 5; i++) out.push(c1('│') + pad('') + c1('│'));
+    for (let i = recent.length; i < 6; i++) out.push(c1('│') + pad('') + c1('│'));
 
     out.push(c1(`├${bar}┤`));
-    for (const entry of this.#log.slice(-4)) {
+    for (const entry of this.#log.slice(-5)) {
       out.push(c1('│') + ('  ' + entry).slice(0, w - 2).padEnd(w - 2) + c1('│'));
     }
-    for (let i = this.#log.length; i < 4; i++) out.push(c1('│') + pad('') + c1('│'));
+    for (let i = this.#log.length; i < 5; i++) out.push(c1('│') + pad('') + c1('│'));
     out.push(c1(`└${bar}┘`));
-    out.push(chalk.dim(`  Real browser data · ${total} tests · ${s.bugs.length} bugs · Ctrl+C to stop`));
+    out.push(chalk.dim(`  v${VERSION} · ${total} tests · ${s.bugs.length} bugs · ${s.screenshots.length} screenshots · Ctrl+C to stop`));
 
     return out;
   }
@@ -917,21 +1760,24 @@ class TerminalDashboard {
     const s   = this.#session.getSummary();
     const col = Number(s.passRate) >= 90 ? chalk.green : Number(s.passRate) >= 70 ? chalk.yellow : chalk.red;
     console.log('');
-    console.log(chalk.hex('#00F5FF').bold('  ── QA Complete ──────────────────────────────────────'));
+    console.log(chalk.hex('#00F5FF').bold('  ── QA Complete (v15) ───────────────────────────────────────'));
     console.log(`  Tests:       ${chalk.white.bold(s.total)}`);
     console.log(`  Passed:      ${chalk.green.bold(s.passed)}`);
     console.log(`  Failed:      ${chalk.red.bold(s.failed)}`);
     console.log(`  Pass rate:   ${col.bold(s.passRate + '%')}`);
     console.log(`  Bugs found:  ${chalk.cyan.bold(this.#session.bugs.length)}`);
-    console.log(`  Screenshots: ${chalk.white(this.#session.screenshots.length)}`);
+    console.log(`  Screenshots: ${chalk.magenta.bold(this.#session.screenshots.length)} (${Object.keys(VIEWPORTS).length} viewports)`);
+    console.log(`  Broken Links:${chalk.white(this.#session.brokenLinks.length)}`);
+    console.log(`  3rd Party:   ${chalk.white(this.#session.thirdPartyScripts.length)} scripts`);
+    console.log(`  Load Test:   ${this.#session.loadTestResults.length > 0 ? chalk.white(this.#session.loadTestResults[0].rps + ' req/s') : chalk.gray('not run')}`);
     console.log(`  Duration:    ${chalk.white(formatDuration(s.duration))}`);
-    console.log(`  Mode:        ${this.#pwMode ? chalk.hex('#BF40FF').bold('🎭 Playwright (Real Browser)') : chalk.gray('HTTP-only')}`);
+    console.log(`  Mode:        ${this.#pwMode ? chalk.hex('#BF40FF').bold('🎭 Backlist (Real Browser)') : chalk.gray('HTTP-only')}`);
     console.log('');
   }
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
-//  HTML Report Builder — v13, Dark Theme, Screenshot Gallery + Vitals
+//  HTML Report Builder v15 — Ultra Rich
 // ═══════════════════════════════════════════════════════════════════════════
 function buildHTMLReport(session) {
   const summary   = session.getSummary();
@@ -954,25 +1800,33 @@ function buildHTMLReport(session) {
   const esc = (s) => String(s||'').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;');
 
   // ── Screenshot gallery ───────────────────────────────────────────────────
+  const screenshotsByType = {};
+  for (const sc of session.screenshots) {
+    const t = sc.type || 'other';
+    if (!screenshotsByType[t]) screenshotsByType[t] = [];
+    screenshotsByType[t].push(sc);
+  }
+
   const screenshotCards = session.screenshots.length
     ? session.screenshots.map(sc => {
-        // Embed screenshot as base64 if possible, else show path
         let imgTag = '';
         try {
           const data = fs.readFileSync(sc.path);
-          const b64  = data.toString('base64');
-          imgTag     = `<img src="data:image/png;base64,${b64}" alt="${esc(sc.type)} screenshot" loading="lazy">`;
+          imgTag = `<img src="data:image/png;base64,${data.toString('base64')}" alt="${esc(sc.type)}" loading="lazy">`;
         } catch {
-          imgTag = `<div class="no-img">Screenshot: ${esc(sc.name)}</div>`;
+          imgTag = `<div class="no-img">📸 ${esc(sc.name)}</div>`;
         }
-        return `
-        <div class="screenshot-card">
-          <div class="sc-header">
-            <span class="sc-type">${esc(sc.type)}</span>
-            <span class="sc-url">${esc(sc.url || '')}</span>
+        const typeColors = {
+          desktop: '#00f5ff', mobile: '#bf40ff', 'dark-mode': '#f59e0b',
+        };
+        const typeColor = Object.entries(typeColors).find(([k]) => (sc.type||'').includes(k))?.[1] || '#64748b';
+        return `<div class="screenshot-card">
+          <div class="sc-header" style="border-bottom-color:${typeColor}33">
+            <span class="sc-type" style="background:${typeColor}22;color:${typeColor}">${esc(sc.label || sc.type)}</span>
+            <span class="sc-url">${esc((sc.url || '').split('/').slice(0,4).join('/'))}</span>
           </div>
           <div class="sc-img-wrap">${imgTag}</div>
-          <div class="sc-path">${esc(sc.path)}</div>
+          <div class="sc-path">${esc(sc.name)}</div>
         </div>`;
       }).join('')
     : '<p class="no-data">No screenshots (Playwright not available)</p>';
@@ -995,7 +1849,7 @@ function buildHTMLReport(session) {
       <div class="bug-header">
         <span class="bug-id">${esc(b.id)}</span>
         <span class="sev sev-${(b.aiSeverity||b.severity||'p3').toLowerCase()}">${b.aiSeverity||b.severity}</span>
-        <span class="badge">${b.type||'general'}</span>
+        <span class="badge">${b.aiCategory||b.type||'general'}</span>
         ${b.aiConfidence ? `<span class="ai-badge">🤖 ${Math.round((b.aiConfidence||0)*100)}%</span>` : ''}
       </div>
       <div class="bug-title">${esc(b.title)}</div>
@@ -1011,6 +1865,7 @@ function buildHTMLReport(session) {
       <td><code class="url">${esc(r.url)}</code></td>
       <td><span class="badge">${r.type}</span></td>
       <td class="${r.status >= 400 ? 'fail' : 'pass'}">${r.status || '–'}</td>
+      <td>${r.responseTime ? `${r.responseTime}ms` : '–'}</td>
       <td>${r.forms?.length || 0}</td>
       <td>${r.error ? `<span class="fail">${esc(r.error)}</span>` : '✓'}</td>
     </tr>`).join('');
@@ -1051,14 +1906,10 @@ function buildHTMLReport(session) {
         <span>Score: <strong>${r.score??'–'}%</strong></span>
         <span class="${r.pass?'pass':'fail'}">${r.violations?.length||0} violations</span>
       </div>
-      ${(r.violations||[]).map(v => `
-        <div class="violation impact-${v.impact}">
-          <div class="violation-header">
-            <span class="impact-badge">${v.impact}</span>
-            <strong>${esc(v.description)}</strong>
-          </div>
-          <p>${esc(v.help)}</p>
-        </div>`).join('') || '<p class="no-data">No violations ✓</p>'}
+      ${(r.violations||[]).map(v => `<div class="violation impact-${v.impact}">
+        <div class="violation-header"><span class="impact-badge">${v.impact}</span><strong>${esc(v.description)}</strong></div>
+        <p>${esc(v.help)}</p>
+      </div>`).join('') || '<p class="no-data">No violations ✓</p>'}
     </div>`).join('') || '<p class="no-data">No accessibility scans</p>';
 
   // ── Performance section ───────────────────────────────────────────────────
@@ -1076,46 +1927,29 @@ function buildHTMLReport(session) {
   };
 
   const perfSection = Object.entries(session.perfMetrics).map(([label, m]) => {
-    const slowResHtml = (m.slowResources||[]).length ? `
-      <h4 style="color:#f87171;margin-top:1rem">Slow Resources</h4>
-      <table><thead><tr><th>URL</th><th>Time</th><th>Size</th></tr></thead>
-      <tbody>${m.slowResources.map(r => `<tr>
-        <td class="url">${esc((r.url||'').split('/').pop())}</td>
-        <td class="fail">${r.duration}ms</td>
-        <td>${formatBytes(r.size)}</td>
-      </tr>`).join('')}</tbody></table>` : '';
-
-    const resourceTableHtml = m.resourceStats?.byType ? `
-      <h4 style="color:#94a3b8;margin-top:1.5rem">Resource Breakdown</h4>
-      <table><thead><tr><th>Type</th><th>Count</th><th>Total Size</th><th>Total Time</th></tr></thead>
-      <tbody>${Object.entries(m.resourceStats.byType).map(([t, d]) => `<tr>
-        <td><span class="badge">${esc(t)}</span></td>
-        <td>${d.count}</td>
-        <td>${formatBytes(d.size)}</td>
-        <td>${Math.round(d.time)}ms</td>
-      </tr>`).join('')}</tbody></table>` : '';
-
     const domChecksHtml = m.domChecks?.length ? `
       <h4 style="color:#94a3b8;margin-top:1.5rem">DOM Checks</h4>
       <table><thead><tr><th>Check</th><th>Status</th><th>Value</th></tr></thead>
-      <tbody>${m.domChecks.map(c => `<tr>
-        <td>${esc(c.name)}</td>
+      <tbody>${m.domChecks.map(c => `<tr><td>${esc(c.name)}</td>
         <td><span class="status ${c.pass?'status-pass':'status-fail'}">${c.pass?'PASS':'FAIL'}</span></td>
-        <td>${esc(c.value||'')}</td>
-      </tr>`).join('')}</tbody></table>` : '';
+        <td>${esc(c.value||'')}</td></tr>`).join('')}</tbody></table>` : '';
 
     const interactionsHtml = m.interactions?.length ? `
       <h4 style="color:#94a3b8;margin-top:1.5rem">Interaction Tests</h4>
       <table><thead><tr><th>Test</th><th>Status</th><th>Value</th></tr></thead>
-      <tbody>${m.interactions.map(i => `<tr>
-        <td>${esc(i.name)}</td>
+      <tbody>${m.interactions.map(i => `<tr><td>${esc(i.name)}</td>
         <td><span class="status ${i.pass?'status-pass':'status-fail'}">${i.pass?'PASS':'FAIL'}</span></td>
-        <td>${esc(i.value||'')}</td>
-      </tr>`).join('')}</tbody></table>` : '';
+        <td>${esc(i.value||'')}</td></tr>`).join('')}</tbody></table>` : '';
+
+    const resourceHtml = m.resourceStats?.byType ? `
+      <h4 style="color:#94a3b8;margin-top:1.5rem">Resource Breakdown</h4>
+      <table><thead><tr><th>Type</th><th>Count</th><th>Total Size</th><th>Total Time</th></tr></thead>
+      <tbody>${Object.entries(m.resourceStats.byType).map(([t, d]) => `<tr>
+        <td><span class="badge">${esc(t)}</span></td><td>${d.count}</td>
+        <td>${formatBytes(d.size)}</td><td>${Math.round(d.time)}ms</td></tr>`).join('')}</tbody></table>` : '';
 
-    return `
-    <div class="perf-card">
-      <h3>${esc(label)} ${m.playwrightMode ? '<span class="pw-badge">🎭 Playwright</span>' : ''}</h3>
+    return `<div class="perf-card">
+      <h3>${esc(label)} ${m.playwrightMode ? '<span class="pw-badge">🎭 Real Vitals</span>' : ''}</h3>
       <div class="vitals-grid">
         ${vitalCard('TTFB', m.ttfb,    800,  'ms')}
         ${vitalCard('LCP',  m.lcp,     2500, 'ms')}
@@ -1124,15 +1958,195 @@ function buildHTMLReport(session) {
         ${vitalCard('TBT',  m.tbt,     200,  'ms')}
         ${vitalCard('DOM Load', m.domLoad, 3000, 'ms')}
         ${vitalCard('DNS', m.dnsLookup, 100, 'ms')}
+        ${vitalCard('TCP', m.tcpConnect, 200, 'ms')}
       </div>
       ${m.note ? `<p class="perf-note">ℹ️ ${esc(m.note)}</p>` : ''}
-      ${slowResHtml}
-      ${resourceTableHtml}
-      ${domChecksHtml}
-      ${interactionsHtml}
+      ${resourceHtml}${domChecksHtml}${interactionsHtml}
     </div>`;
   }).join('') || '<p class="no-data">No performance data</p>';
 
+  // ── NEW v15: Load Test section ────────────────────────────────────────────
+  const loadTestSection = session.loadTestResults.length
+    ? session.loadTestResults.map(lt => `
+    <div class="load-test-card ${lt.passed ? 'lt-pass' : 'lt-fail'}">
+      <h3>${esc(lt.url)} <span class="badge">${lt.concurrency} concurrent</span></h3>
+      <div class="vitals-grid">
+        ${vitalCard('RPS', lt.rps, 10, '')}
+        ${vitalCard('Avg Lat', lt.latency?.avg, 500, 'ms')}
+        ${vitalCard('p95', lt.latency?.p95, 2000, 'ms')}
+        ${vitalCard('p99', lt.latency?.p99, 5000, 'ms')}
+        ${vitalCard('Error%', lt.errorRate, 5, '%')}
+      </div>
+      <p style="color:#94a3b8;font-size:.8rem;margin-top:.75rem">${lt.requests} requests · ${lt.errors} errors · ${lt.timeouts} timeouts · ${formatDuration(lt.duration)}</p>
+      <p style="color:#94a3b8;font-size:.78rem">Status codes: ${Object.entries(lt.responses||{}).map(([k,v]) => `${k}: ${v}`).join(', ')}</p>
+    </div>`).join('')
+    : '<p class="no-data">Load test not run (use runUrlQA with loadTest:true)</p>';
+
+  // ── NEW v15: Viewport section ─────────────────────────────────────────────
+  const vpSection = Object.keys(session.viewportResults || {}).length
+    ? `<div class="viewport-grid">${Object.entries(session.viewportResults).map(([key, vp]) => `
+      <div class="vp-card ${vp.passed ? '' : 'vp-fail'}">
+        <div class="vp-label">${esc(vp.label || key)}</div>
+        <div class="vp-dims">${vp.width}×${vp.height}</div>
+        <div class="vp-status"><span class="status ${vp.passed?'status-pass':'status-fail'}">${vp.passed?'PASS':'FAIL'}</span></div>
+        ${(vp.issues||[]).map(i => `<div class="vp-issue">⚠ ${esc(i)}</div>`).join('')}
+      </div>`).join('')}</div>`
+    : '<p class="no-data">No viewport tests (Playwright required)</p>';
+
+  // ── NEW v15: Broken links section ─────────────────────────────────────────
+  const brokenLinksSection = session.brokenLinks.length
+    ? session.brokenLinks.map(bl => `
+    <div class="card" style="margin-bottom:1rem">
+      <div class="card-title">Broken Links on ${esc(bl.sourceUrl)} <span>${bl.broken}/${bl.total} broken</span></div>
+      ${bl.links?.filter(l => !l.ok).length ? `<table>
+        <thead><tr><th>URL</th><th>Status</th><th>Error</th></tr></thead>
+        <tbody>${bl.links.filter(l => !l.ok).map(l => `<tr>
+          <td class="url">${esc(l.url)}</td>
+          <td class="fail">${l.status || 'timeout'}</td>
+          <td class="fail">${esc(l.error || '')}</td>
+        </tr>`).join('')}</tbody>
+      </table>` : '<p class="no-data">No broken links 🎉</p>'}
+    </div>`).join('')
+    : '<p class="no-data">No broken link scans run</p>';
+
+  // ── NEW v15: Cookie audit ─────────────────────────────────────────────────
+  const cookieSection = session.cookieAudit.length
+    ? session.cookieAudit.map(ca => `
+    <div class="card" style="margin-bottom:1rem">
+      <div class="card-title">Cookies for ${esc(ca.url)} <span>${ca.total} cookies · ${ca.issues} with issues</span></div>
+      ${ca.cookies?.length ? `<table>
+        <thead><tr><th>Name</th><th>Secure</th><th>HttpOnly</th><th>SameSite</th><th>Issues</th></tr></thead>
+        <tbody>${ca.cookies.map(c => `<tr class="${c.issues.length ? 'fail-row' : ''}">
+          <td><code>${esc(c.name)}</code></td>
+          <td>${c.secure ? '✓' : '<span class="fail">✗</span>'}</td>
+          <td>${c.httpOnly ? '✓' : '<span class="fail">✗</span>'}</td>
+          <td>${c.sameSite || '<span class="fail">missing</span>'}</td>
+          <td>${c.issues.map(i => `<span class="sev sev-p2">${esc(i)}</span>`).join(' ')}</td>
+        </tr>`).join('')}</tbody>
+      </table>` : '<p class="no-data">No cookies set</p>'}
+    </div>`).join('')
+    : '<p class="no-data">No cookie audits</p>';
+
+  // ── NEW v15: Third-party scripts ──────────────────────────────────────────
+  const thirdPartySection = session.thirdPartyScripts.length
+    ? `<table>
+      <thead><tr><th>Vendor</th><th>Domain</th><th>Count</th><th>URL</th></tr></thead>
+      <tbody>${session.thirdPartyScripts.map(s => `<tr>
+        <td><strong>${esc(s.vendor)}</strong></td>
+        <td>${esc(s.domain)}</td>
+        <td>${s.count || 1}</td>
+        <td class="url">${esc((s.url||'').slice(0, 80))}</td>
+      </tr>`).join('')}</tbody>
+    </table>`
+    : '<p class="no-data">No third-party scripts detected</p>';
+
+  // ── NEW v15: User Flow section ────────────────────────────────────────────
+  const userFlowSection = session.userFlowResults.length
+    ? session.userFlowResults.map(f => `
+    <div class="card" style="margin-bottom:1rem">
+      <div class="card-title">User Flow: ${esc(f.url)} <span>${f.passed}/${f.steps.length} steps · ${f.passRate}%</span></div>
+      <table>
+        <thead><tr><th>Step</th><th>Status</th><th>Duration</th><th>Error</th></tr></thead>
+        <tbody>${f.steps.map(s => `<tr>
+          <td>${esc(s.name)}</td>
+          <td><span class="status ${s.pass?'status-pass':'status-fail'}">${s.pass?'PASS':'FAIL'}</span></td>
+          <td>${s.duration}ms</td>
+          <td>${s.error ? `<span class="fail">${esc(s.error)}</span>` : '–'}</td>
+        </tr>`).join('')}</tbody>
+      </table>
+    </div>`).join('')
+    : '<p class="no-data">No user flow simulations</p>';
+
+  // ── NEW v15: Memory section ───────────────────────────────────────────────
+  const memorySection = session.memorySnapshots.length
+    ? session.memorySnapshots.map(m => `
+    <div class="card" style="margin-bottom:1rem">
+      <div class="card-title">Memory Analysis: ${esc(m.url)}</div>
+      ${m.note ? `<p class="perf-note">${esc(m.note)}</p>` : ''}
+      <div class="vitals-grid">
+        ${vitalCard('Growth', m.growthMB, 5, 'MB')}
+        ${m.snapshots[0] ? vitalCard('Init Heap', Math.round(m.snapshots[0].used/1024/1024), 50, 'MB') : ''}
+        ${m.snapshots[1] ? vitalCard('After Nav', Math.round(m.snapshots[1].used/1024/1024), 60, 'MB') : ''}
+      </div>
+      ${m.hasLeak ? `<div class="bug-rec" style="margin-top:.75rem">⚠️ Possible memory leak: +${m.growthMB}MB after navigation. Check for event listener leaks and detached DOM nodes.</div>` : '<p style="color:#22c55e;margin-top:.75rem">✓ No significant memory growth detected</p>'}
+    </div>`).join('')
+    : '<p class="no-data">No memory tests (Playwright required)</p>';
+
+  // ── NEW v15: Dark mode section ────────────────────────────────────────────
+  const darkModeSection = session.darkModeResults.length
+    ? session.darkModeResults.map(dm => `
+    <div class="card" style="margin-bottom:1rem">
+      <div class="card-title">Dark Mode: ${esc(dm.url)}</div>
+      <div class="metrics" style="grid-template-columns:repeat(3,1fr)">
+        <div class="mc"><div class="ml">Supports Dark Mode</div><div class="mv" style="font-size:1.2rem;color:${dm.supportsDark?'#22c55e':'#ef4444'}">${dm.supportsDark ? '✓ Yes' : '✗ No'}</div></div>
+        <div class="mc"><div class="ml">Media Query Found</div><div class="mv" style="font-size:1.2rem;color:${dm.hasMediaQuery?'#22c55e':'#64748b'}">${dm.hasMediaQuery ? '✓' : '–'}</div></div>
+        <div class="mc"><div class="ml">Background Changes</div><div class="mv" style="font-size:1.2rem;color:${dm.differentFromLight?'#22c55e':'#64748b'}">${dm.differentFromLight ? '✓' : '–'}</div></div>
+      </div>
+      ${!dm.supportsDark ? `<div class="bug-rec">💡 Consider adding dark mode with <code>@media (prefers-color-scheme: dark)</code></div>` : ''}
+    </div>`).join('')
+    : '<p class="no-data">No dark mode tests (Playwright required)</p>';
+
+  // ── NEW v15: Redirect chains section ─────────────────────────────────────
+  const redirectSection = session.redirectChains.length
+    ? session.redirectChains.map(rc => `
+    <div class="card" style="margin-bottom:1rem">
+      <div class="card-title">Redirect Chain: ${esc(rc.url)} <span>${rc.hops} hop${rc.hops !== 1 ? 's' : ''}</span></div>
+      ${rc.hasRedirectLoop ? '<div class="bug-rec" style="background:rgba(239,68,68,.1)">🔴 Redirect loop detected!</div>' : ''}
+      ${rc.isHTTPtoHTTPS ? '<p style="color:#22c55e;margin-bottom:.5rem">✓ HTTP → HTTPS redirect in place</p>' : ''}
+      <table>
+        <thead><tr><th>URL</th><th>Status</th><th>Location</th></tr></thead>
+        <tbody>${rc.chain.map(c => `<tr>
+          <td class="url">${esc(c.url)}</td>
+          <td class="${c.status >= 300 && c.status < 400 ? 'status-flaky' : c.status >= 400 ? 'fail' : 'pass'}">${c.status}</td>
+          <td class="url">${esc(c.location || '–')}</td>
+        </tr>`).join('')}</tbody>
+      </table>
+    </div>`).join('')
+    : '<p class="no-data">No redirect chains analyzed</p>';
+
+  // ── Form tests section ────────────────────────────────────────────────────
+  const formTestSection = session.formTests.length
+    ? session.formTests.map(f => `
+    <div class="card" style="margin-bottom:1rem">
+      <div class="card-title">Form #${f.formIndex + 1} — ${esc(f.url)}</div>
+      <div style="display:flex;gap:1rem;flex-wrap:wrap;margin-bottom:.75rem">
+        <span class="badge">${f.method} ${f.action || 'self'}</span>
+        <span>${f.inputCount} inputs</span>
+        <span class="${f.hasSubmit ? 'pass' : 'fail'}">${f.hasSubmit ? '✓ Has submit' : '✗ No submit'}</span>
+        <span>Label coverage: ${f.labelCoverage}%</span>
+      </div>
+      ${(f.issues||[]).map(i => `<div class="vp-issue">⚠ ${esc(i)}</div>`).join('')}
+    </div>`).join('')
+    : '<p class="no-data">No forms found or Playwright not available</p>';
+
+  // ── Cache headers section ─────────────────────────────────────────────────
+  const cacheSection = session.cacheHeaders.length
+    ? `<table>
+      <thead><tr><th>URL</th><th>Cache-Control</th><th>ETag</th><th>Max-Age</th><th>CDN Cache</th><th>Status</th></tr></thead>
+      <tbody>${session.cacheHeaders.map(c => `<tr>
+        <td class="url">${esc(c.url)}</td>
+        <td><code style="font-size:.7rem">${esc((c.cacheControl||'none').slice(0,50))}</code></td>
+        <td>${c.etag ? '✓' : '–'}</td>
+        <td>${c.maxAge ? `${c.maxAge}s` : '–'}</td>
+        <td>${esc(c.xCache || '–')}</td>
+        <td><span class="status ${c.passed?'status-pass':'status-fail'}">${c.passed?'PASS':'FAIL'}</span></td>
+      </tr>`).join('')}</tbody>
+    </table>`
+    : '<p class="no-data">No cache audits</p>';
+
+  // ── Error pages section ───────────────────────────────────────────────────
+  const errorPageSection = session.errorPageTests.length
+    ? `<table>
+      <thead><tr><th>Test</th><th>Actual Status</th><th>Custom Page</th><th>Status</th></tr></thead>
+      <tbody>${session.errorPageTests.map(e => `<tr>
+        <td>${esc(e.name)}</td>
+        <td class="${e.isCorrectStatus ? 'pass' : 'fail'}">${e.actualStatus}</td>
+        <td>${e.hasCustomPage ? '✓' : '–'}</td>
+        <td><span class="status ${e.passed?'status-pass':'status-fail'}">${e.passed?'PASS':'FAIL'}</span></td>
+      </tr>`).join('')}</tbody>
+    </table>`
+    : '<p class="no-data">No error page tests</p>';
+
   // ── Console errors table ──────────────────────────────────────────────────
   const consoleSection = session.consoleErrors.length
     ? `<table>
@@ -1157,23 +2171,37 @@ function buildHTMLReport(session) {
       </table>`
     : '<p class="no-data">No network failures 🎉</p>';
 
-  const urlsStr    = Object.entries(session.urls).filter(([,v])=>v)
+  // Mixed content
+  const mixedContentSection = session.mixedContentIssues.length
+    ? `<table>
+        <thead><tr><th>URL</th><th>Issue</th></tr></thead>
+        <tbody>${session.mixedContentIssues.map(m => `<tr>
+          <td class="url">${esc(m.url)}</td>
+          <td class="fail">${esc(m.text?.slice(0, 200))}</td>
+        </tr>`).join('')}</tbody>
+      </table>`
+    : '<p class="no-data">No mixed content issues 🎉</p>';
+
+  const urlsStr = Object.entries(session.urls).filter(([,v])=>v)
     .map(([k,v]) => `<div class="url-card"><span class="url-label">${k}</span><a href="${esc(v)}" target="_blank">${esc(v)}</a></div>`).join('');
 
   const chartTypes  = JSON.stringify(Object.keys(coverage));
   const chartPass2  = JSON.stringify(Object.values(coverage).map(c=>c.pass));
   const chartFail2  = JSON.stringify(Object.values(coverage).map(c=>c.fail));
   const bugSevData  = JSON.stringify([sevCounts.P0, sevCounts.P1, sevCounts.P2, sevCounts.P3]);
-  const pwBadge     = session.playwrightMode
-    ? '<span style="background:#1a1a3b;color:#c084fc;border:1px solid #bf40ff44;padding:3px 10px;border-radius:20px;font-size:.7rem">🎭 Playwright</span>'
-    : '<span style="background:#1e293b;color:#64748b;padding:3px 10px;border-radius:20px;font-size:.7rem">HTTP-only</span>';
+  const pwBadge = session.playwrightMode
+    ? '<span style="background:#1a1a3b;color:#c084fc;border:1px solid #bf40ff44;padding:3px 12px;border-radius:20px;font-size:.7rem">🎭 Backlist Real Browser</span>'
+    : '<span style="background:#1e293b;color:#64748b;padding:3px 12px;border-radius:20px;font-size:.7rem">HTTP-only</span>';
+
+  const vpCount = Object.keys(session.viewportResults || {}).length;
+  const brokenCount = session.brokenLinks.reduce((a, bl) => a + (bl.broken || 0), 0);
 
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
-<title>Backlist QA Report — ${esc(session.id)}</title>
+<title>Backlist QA v15 Report — ${esc(session.id)}</title>
 <script src="https://cdnjs.cloudflare.com/ajax/libs/Chart.js/4.4.1/chart.umd.js"></script>
 <style>
 @import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;700&family=Syne:wght@400;600;700;800&display=swap');
@@ -1182,96 +2210,106 @@ function buildHTMLReport(session) {
 body{font-family:'Syne',sans-serif;background:var(--bg);color:var(--text);font-size:14px;line-height:1.6;min-height:100vh}
 a{color:var(--cyan);text-decoration:none}a:hover{text-decoration:underline}
 header{background:linear-gradient(135deg,#0a0a1a,#12122a);border-bottom:1px solid #00f5ff22;padding:1.5rem 2rem;display:flex;justify-content:space-between;align-items:flex-start;position:sticky;top:0;z-index:100;backdrop-filter:blur(10px)}
-.logo{font-size:1.4rem;font-weight:800;background:linear-gradient(135deg,var(--cyan),var(--purple));-webkit-background-clip:text;-webkit-text-fill-color:transparent;background-clip:text}
-.header-meta{font-family:'JetBrains Mono',monospace;font-size:.75rem;color:var(--dim);margin-top:.25rem}
-nav{background:var(--surface);border-bottom:1px solid var(--border);padding:0 2rem;display:flex;overflow-x:auto;gap:0}
-.nav-tab{padding:.75rem 1.25rem;border:none;background:none;color:var(--dim);cursor:pointer;font-size:.82rem;border-bottom:2px solid transparent;white-space:nowrap;transition:.2s;font-family:'Syne',sans-serif}
+.logo{font-size:1.4rem;font-weight:800;background:linear-gradient(135deg,var(--cyan),var(--purple));-webkit-background-clip:text;-webkit-text-fill-color:transparent}
+.header-meta{font-family:'JetBrains Mono',monospace;font-size:.72rem;color:var(--dim);margin-top:.3rem}
+nav{background:var(--surface);border-bottom:1px solid var(--border);padding:0 1rem;display:flex;overflow-x:auto;gap:0;scrollbar-width:none}
+nav::-webkit-scrollbar{display:none}
+.nav-tab{padding:.65rem 1rem;border:none;background:none;color:var(--dim);cursor:pointer;font-size:.78rem;border-bottom:2px solid transparent;white-space:nowrap;transition:.2s;font-family:'Syne',sans-serif}
 .nav-tab.active,.nav-tab:hover{color:var(--cyan);border-bottom-color:var(--cyan)}
 .container{max-width:1400px;margin:0 auto;padding:2rem}
 .tab-panel{display:none}.tab-panel.active{display:block}
-.pw-banner{background:rgba(191,64,255,.08);border:1px solid #bf40ff44;border-radius:8px;padding:.75rem 1rem;margin-bottom:1.5rem;font-size:.83rem;color:#c084fc;display:flex;align-items:center;gap:.5rem}
-.real-banner{background:rgba(0,245,255,.06);border:1px solid #00f5ff33;border-radius:8px;padding:.75rem 1rem;margin-bottom:1rem;font-size:.83rem;color:var(--cyan);display:flex;align-items:center;gap:.5rem}
-.metrics{display:grid;grid-template-columns:repeat(auto-fit,minmax(120px,1fr));gap:.75rem;margin-bottom:1.5rem}
-.mc{background:var(--surface);border:1px solid var(--border);border-radius:10px;padding:1rem;transition:.2s;cursor:default}
+.pw-banner{background:rgba(191,64,255,.08);border:1px solid #bf40ff44;border-radius:8px;padding:.75rem 1rem;margin-bottom:1rem;font-size:.82rem;color:#c084fc;display:flex;align-items:center;gap:.5rem}
+.real-banner{background:rgba(0,245,255,.06);border:1px solid #00f5ff33;border-radius:8px;padding:.75rem 1rem;margin-bottom:1rem;font-size:.82rem;color:var(--cyan);display:flex;align-items:center;gap:.5rem}
+.metrics{display:grid;grid-template-columns:repeat(auto-fit,minmax(110px,1fr));gap:.6rem;margin-bottom:1.5rem}
+.mc{background:var(--surface);border:1px solid var(--border);border-radius:10px;padding:.9rem;transition:.2s;cursor:default}
 .mc:hover{border-color:var(--cyan);transform:translateY(-2px)}
-.ml{font-size:.65rem;color:var(--dim);text-transform:uppercase;letter-spacing:.08em}
-.mv{font-size:1.8rem;font-weight:800;margin-top:4px;font-family:'JetBrains Mono',monospace}
+.ml{font-size:.62rem;color:var(--dim);text-transform:uppercase;letter-spacing:.08em}
+.mv{font-size:1.7rem;font-weight:800;margin-top:4px;font-family:'JetBrains Mono',monospace}
 .grid2{display:grid;grid-template-columns:1fr 1fr;gap:1rem;margin-bottom:1rem}
 .card{background:var(--surface);border:1px solid var(--border);border-radius:10px;padding:1.5rem;margin-bottom:1rem}
-.card-title{font-size:.9rem;font-weight:700;color:#cbd5e1;border-bottom:1px solid var(--border);padding-bottom:.75rem;margin-bottom:1rem;display:flex;justify-content:space-between;align-items:center}
-.chart-wrap{position:relative;height:240px}
-.search-bar{display:flex;gap:.75rem;margin-bottom:1.25rem}
-.search-bar input,.search-bar select{background:var(--surface);border:1px solid var(--border);color:var(--text);padding:.5rem .75rem;border-radius:6px;font-size:.83rem;flex:1;font-family:'Syne',sans-serif}
-table{width:100%;border-collapse:collapse;font-size:.8rem}
-th{text-align:left;color:var(--dim);font-weight:600;padding:.5rem .75rem;border-bottom:1px solid var(--border);font-size:.72rem;text-transform:uppercase;letter-spacing:.05em}
-td{padding:.45rem .75rem;border-bottom:1px solid #0f0f1e;vertical-align:top;word-break:break-word}
+.card-title{font-size:.88rem;font-weight:700;color:#cbd5e1;border-bottom:1px solid var(--border);padding-bottom:.75rem;margin-bottom:1rem;display:flex;justify-content:space-between;align-items:center}
+.chart-wrap{position:relative;height:220px}
+.search-bar{display:flex;gap:.75rem;margin-bottom:1.25rem;flex-wrap:wrap}
+.search-bar input,.search-bar select{background:var(--surface);border:1px solid var(--border);color:var(--text);padding:.5rem .75rem;border-radius:6px;font-size:.82rem;flex:1;font-family:'Syne',sans-serif;min-width:120px}
+table{width:100%;border-collapse:collapse;font-size:.78rem}
+th{text-align:left;color:var(--dim);font-weight:600;padding:.5rem .75rem;border-bottom:1px solid var(--border);font-size:.7rem;text-transform:uppercase;letter-spacing:.05em}
+td{padding:.4rem .75rem;border-bottom:1px solid #0f0f1e;vertical-align:top;word-break:break-word}
 tr.fail-row td{background:rgba(239,68,68,.04)}
 .pass{color:var(--green)}.fail{color:var(--red)}
-.status{display:inline-block;padding:2px 8px;border-radius:4px;font-size:.7rem;font-weight:700;font-family:'JetBrains Mono',monospace}
+.status{display:inline-block;padding:2px 8px;border-radius:4px;font-size:.68rem;font-weight:700;font-family:'JetBrains Mono',monospace}
 .status-pass{background:#064e3b;color:#34d399}.status-fail{background:#450a0a;color:#f87171}.status-flaky{background:#422006;color:#fbbf24}.status-skip{background:#1e293b;color:#94a3b8}
-.sev{padding:2px 7px;border-radius:3px;font-size:.7rem;font-weight:800}
-.sev-p0{background:#450a0a;color:#f87171}.sev-p1{background:#422006;color:#fbbf24}.sev-p2{background:#1e3a5f;color:#60a5fa}.sev-p3{background:#1e293b;color:#94a3b8}
-.badge{display:inline-block;padding:1px 7px;border-radius:3px;font-size:.7rem;background:#1e293b;color:#94a3b8}
-.pw-badge{display:inline-block;padding:1px 7px;border-radius:3px;font-size:.7rem;background:#1a1a3b;color:#c084fc;border:1px solid #bf40ff44}
-.url{font-family:'JetBrains Mono',monospace;font-size:.75rem;color:var(--cyan);word-break:break-all}
-code{font-family:'JetBrains Mono',monospace;font-size:.75rem;background:#0f1a2e;padding:2px 6px;border-radius:3px;color:#93c5fd}
-pre{white-space:pre-wrap;word-break:break-all;font-size:.73rem;padding:.75rem;background:#080814;border-radius:6px;overflow-x:auto;max-height:300px;font-family:'JetBrains Mono',monospace}
-details summary{cursor:pointer;color:var(--cyan);font-size:.78rem;user-select:none}
+.sev{padding:2px 7px;border-radius:3px;font-size:.68rem;font-weight:800}
+.sev-p0{background:#450a0a;color:#f87171}.sev-p1{background:#422006;color:#fbbf24}.sev-p2{background:#1e3a5f;color:#60a5fa}.sev-p3{background:#1e293b;color:#94a3b8}.sev-info{background:#1e293b;color:#64748b}
+.badge{display:inline-block;padding:1px 7px;border-radius:3px;font-size:.68rem;background:#1e293b;color:#94a3b8}
+.pw-badge{display:inline-block;padding:1px 7px;border-radius:3px;font-size:.68rem;background:#1a1a3b;color:#c084fc;border:1px solid #bf40ff44}
+.url{font-family:'JetBrains Mono',monospace;font-size:.72rem;color:var(--cyan);word-break:break-all}
+code{font-family:'JetBrains Mono',monospace;font-size:.72rem;background:#0f1a2e;padding:2px 6px;border-radius:3px;color:#93c5fd}
+pre{white-space:pre-wrap;word-break:break-all;font-size:.7rem;padding:.75rem;background:#080814;border-radius:6px;overflow-x:auto;max-height:300px;font-family:'JetBrains Mono',monospace}
+details summary{cursor:pointer;color:var(--cyan);font-size:.76rem;user-select:none}
 .bug-card{border-radius:8px;padding:1rem 1.25rem;margin-bottom:.75rem;background:var(--surface);border-left:3px solid var(--border);transition:.2s}
 .bug-card:hover{border-left-color:var(--cyan)}
 .sev-border-p0{border-left-color:#ef4444;background:rgba(239,68,68,.05)}
 .sev-border-p1{border-left-color:#f59e0b;background:rgba(245,158,11,.04)}
 .sev-border-p2{border-left-color:#3b82f6;background:rgba(59,130,246,.04)}
 .bug-header{display:flex;flex-wrap:wrap;gap:.5rem;align-items:center;margin-bottom:.5rem}
-.bug-id{font-family:'JetBrains Mono',monospace;font-size:.7rem;color:var(--dim)}
+.bug-id{font-family:'JetBrains Mono',monospace;font-size:.68rem;color:var(--dim)}
 .bug-title{font-weight:700;margin-bottom:.3rem}
-.bug-url{font-size:.75rem;margin-bottom:.3rem}
-.bug-rec{font-size:.78rem;color:#86efac;padding:.5rem;background:rgba(134,239,172,.06);border-radius:4px;margin-top:.5rem}
-.ai-badge{font-size:.68rem;padding:2px 7px;border-radius:10px;background:#1a1a3b;color:#c084fc;border:1px solid #bf40ff44}
-.rec{font-size:.75rem;color:#86efac}
+.bug-url{font-size:.73rem;margin-bottom:.3rem}
+.bug-rec{font-size:.76rem;color:#86efac;padding:.5rem;background:rgba(134,239,172,.06);border-radius:4px;margin-top:.5rem}
+.ai-badge{font-size:.67rem;padding:2px 7px;border-radius:10px;background:#1a1a3b;color:#c084fc;border:1px solid #bf40ff44}
+.rec{font-size:.73rem;color:#86efac}
 .no-data{color:var(--dim);font-style:italic;padding:1.5rem 0;text-align:center}
 .url-card{display:flex;justify-content:space-between;align-items:center;padding:.75rem 1rem;background:#0f0f1e;border-radius:6px;margin-bottom:.5rem}
-.url-label{font-size:.7rem;color:var(--dim);text-transform:uppercase;min-width:90px}
-/* Screenshot gallery */
-.screenshot-gallery{display:grid;grid-template-columns:repeat(auto-fill,minmax(380px,1fr));gap:1.25rem;margin-top:1rem}
+.url-label{font-size:.68rem;color:var(--dim);text-transform:uppercase;min-width:90px}
+.screenshot-gallery{display:grid;grid-template-columns:repeat(auto-fill,minmax(300px,1fr));gap:1rem;margin-top:1rem}
 .screenshot-card{background:var(--surface);border:1px solid var(--border);border-radius:10px;overflow:hidden;transition:.2s}
-.screenshot-card:hover{border-color:var(--purple);transform:translateY(-3px);box-shadow:0 8px 32px rgba(191,64,255,.15)}
-.sc-header{display:flex;justify-content:space-between;align-items:center;padding:.75rem 1rem;border-bottom:1px solid var(--border)}
-.sc-type{font-size:.7rem;padding:2px 8px;border-radius:4px;background:#1a1a3b;color:#c084fc;text-transform:uppercase;font-weight:700}
-.sc-url{font-size:.72rem;color:var(--dim);font-family:'JetBrains Mono',monospace;overflow:hidden;text-overflow:ellipsis;max-width:240px}
-.sc-img-wrap{background:#000;min-height:200px;display:flex;align-items:center;justify-content:center;overflow:hidden}
-.sc-img-wrap img{width:100%;height:auto;display:block;max-height:400px;object-fit:cover}
+.screenshot-card:hover{border-color:var(--purple);transform:translateY(-2px);box-shadow:0 8px 24px rgba(191,64,255,.12)}
+.sc-header{display:flex;justify-content:space-between;align-items:center;padding:.65rem 1rem;border-bottom:2px solid transparent}
+.sc-type{font-size:.68rem;padding:2px 8px;border-radius:4px;text-transform:uppercase;font-weight:700}
+.sc-url{font-size:.7rem;color:var(--dim);font-family:'JetBrains Mono',monospace;overflow:hidden;text-overflow:ellipsis;max-width:200px}
+.sc-img-wrap{background:#000;min-height:160px;display:flex;align-items:center;justify-content:center;overflow:hidden}
+.sc-img-wrap img{width:100%;height:auto;display:block;max-height:350px;object-fit:cover}
 .no-img{color:var(--dim);font-style:italic;padding:2rem;text-align:center}
-.sc-path{font-family:'JetBrains Mono',monospace;font-size:.67rem;color:var(--dim);padding:.5rem 1rem;background:#080810}
-/* Vitals */
-.vitals-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(110px,1fr));gap:.75rem;margin:.75rem 0}
-.vital-card{border-radius:8px;padding:1rem;text-align:center;border:1px solid var(--border)}
-.vital-value{font-size:1.5rem;font-weight:800;margin:.25rem 0;font-family:'JetBrains Mono',monospace}
-.vital-label{font-size:.65rem;color:var(--dim);text-transform:uppercase;letter-spacing:.08em}
-.vital-threshold{font-size:.68rem;color:var(--dim);margin-top:2px}
+.sc-path{font-family:'JetBrains Mono',monospace;font-size:.65rem;color:var(--dim);padding:.4rem 1rem;background:#080810}
+.vitals-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(100px,1fr));gap:.65rem;margin:.75rem 0}
+.vital-card{border-radius:8px;padding:.875rem;text-align:center;border:1px solid var(--border)}
+.vital-value{font-size:1.4rem;font-weight:800;margin:.2rem 0;font-family:'JetBrains Mono',monospace}
+.vital-label{font-size:.62rem;color:var(--dim);text-transform:uppercase;letter-spacing:.08em}
+.vital-threshold{font-size:.65rem;color:var(--dim);margin-top:2px}
 .vital-pass{background:rgba(34,197,94,.08);border-color:#22c55e}
 .vital-fail{background:rgba(239,68,68,.08);border-color:#ef4444}
 .vital-na{background:var(--surface)}
 .perf-card{background:var(--surface);border:1px solid var(--border);border-radius:10px;padding:1.5rem;margin-bottom:1rem}
 .perf-card h3{color:var(--cyan);margin-bottom:.5rem}
-.perf-note{font-size:.78rem;color:var(--dim);font-style:italic;margin-top:.75rem}
+.perf-note{font-size:.76rem;color:var(--dim);font-style:italic;margin-top:.75rem}
+.load-test-card{border:1px solid var(--border);border-radius:10px;padding:1.5rem;margin-bottom:1rem}
+.lt-pass{background:rgba(34,197,94,.05);border-color:#22c55e44}
+.lt-fail{background:rgba(239,68,68,.05);border-color:#ef444444}
 .seo-page,.a11y-page{background:var(--surface);border:1px solid var(--border);border-radius:8px;padding:1rem;margin-bottom:1rem}
-.seo-header,.a11y-header{display:flex;justify-content:space-between;flex-wrap:wrap;gap:.5rem;margin-bottom:.75rem;font-size:.85rem}
+.seo-header,.a11y-header{display:flex;justify-content:space-between;flex-wrap:wrap;gap:.5rem;margin-bottom:.75rem;font-size:.83rem}
 .violation{border-radius:6px;padding:.75rem;margin-bottom:.5rem;border-left:3px solid var(--border)}
 .impact-critical{border-left-color:#ef4444;background:rgba(239,68,68,.06)}
 .impact-serious{border-left-color:#f59e0b;background:rgba(245,158,11,.05)}
 .impact-moderate{border-left-color:#3b82f6;background:rgba(59,130,246,.05)}
+.impact-minor{border-left-color:#64748b;background:rgba(100,116,139,.04)}
 .violation-header{display:flex;gap:.5rem;align-items:center;flex-wrap:wrap;margin-bottom:.25rem}
-.impact-badge{font-size:.7rem;padding:2px 6px;border-radius:4px;background:#1e293b;color:#94a3b8}
-.err-cell details{font-size:.78rem}
-footer{text-align:center;color:var(--dim);font-size:.7rem;padding:2rem;border-top:1px solid var(--border);margin-top:2rem;font-family:'JetBrains Mono',monospace}
+.impact-badge{font-size:.68rem;padding:2px 6px;border-radius:4px;background:#1e293b;color:#94a3b8}
+.err-cell details{font-size:.76rem}
+.viewport-grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(140px,1fr));gap:.75rem;margin-top:1rem}
+.vp-card{background:var(--surface);border:1px solid var(--border);border-radius:8px;padding:1rem;text-align:center}
+.vp-fail{border-color:#ef444444;background:rgba(239,68,68,.05)}
+.vp-label{font-size:.78rem;font-weight:700;margin-bottom:.25rem}
+.vp-dims{font-family:'JetBrains Mono',monospace;font-size:.7rem;color:var(--dim);margin-bottom:.5rem}
+.vp-status{margin-bottom:.5rem}
+.vp-issue{font-size:.7rem;color:#f87171;margin-top:.25rem}
+footer{text-align:center;color:var(--dim);font-size:.68rem;padding:2rem;border-top:1px solid var(--border);margin-top:2rem;font-family:'JetBrains Mono',monospace}
 @media(max-width:768px){.grid2{grid-template-columns:1fr}.metrics{grid-template-columns:repeat(2,1fr)}.screenshot-gallery{grid-template-columns:1fr}}
 </style>
 </head>
 <body>
 <header>
   <div>
-    <div class="logo">⚡ Backlist Enterprise QA</div>
+    <div class="logo">⚡ Backlist Enterprise QA v15</div>
     <div class="header-meta">
       Run: ${esc(session.id)} · ${new Date(session.startedAt).toLocaleString()} · ${formatDuration(summary.duration)} · v${VERSION}
     </div>
@@ -1282,21 +2320,34 @@ footer{text-align:center;color:var(--dim);font-size:.7rem;padding:2rem;border-to
 <nav>
   <button class="nav-tab active" onclick="showTab('overview',this)">📊 Overview</button>
   <button class="nav-tab" onclick="showTab('screenshots',this)">📸 Screenshots (${session.screenshots.length})</button>
+  <button class="nav-tab" onclick="showTab('viewports',this)">📱 Viewports (${vpCount})</button>
   <button class="nav-tab" onclick="showTab('tests',this)">🧪 Tests (${summary.total})</button>
   <button class="nav-tab" onclick="showTab('bugs',this)">🐛 Bugs (${session.bugs.length})</button>
   <button class="nav-tab" onclick="showTab('routes',this)">🗺️ Routes (${session.routeMap.length})</button>
   <button class="nav-tab" onclick="showTab('security',this)">🛡️ Security (${session.secFindings.length})</button>
   <button class="nav-tab" onclick="showTab('performance',this)">⚡ Performance</button>
+  <button class="nav-tab" onclick="showTab('loadtest',this)">🔥 Load Test</button>
   <button class="nav-tab" onclick="showTab('a11y',this)">♿ A11y</button>
   <button class="nav-tab" onclick="showTab('seo',this)">🔎 SEO</button>
+  <button class="nav-tab" onclick="showTab('darkmode',this)">🌙 Dark Mode</button>
+  <button class="nav-tab" onclick="showTab('userflow',this)">🧑‍💻 User Flow</button>
+  <button class="nav-tab" onclick="showTab('forms',this)">📝 Forms</button>
+  <button class="nav-tab" onclick="showTab('cookies',this)">🍪 Cookies</button>
+  <button class="nav-tab" onclick="showTab('memory',this)">🧠 Memory</button>
+  <button class="nav-tab" onclick="showTab('brokenlinks',this)">🔗 Links (${brokenCount} broken)</button>
+  <button class="nav-tab" onclick="showTab('redirects',this)">↪ Redirects</button>
+  <button class="nav-tab" onclick="showTab('thirdparty',this)">📦 3rd Party (${session.thirdPartyScripts.length})</button>
+  <button class="nav-tab" onclick="showTab('cache',this)">💾 Cache</button>
+  <button class="nav-tab" onclick="showTab('errorpages',this)">🚫 Error Pages</button>
+  <button class="nav-tab" onclick="showTab('mixed',this)">⚠️ Mixed Content</button>
   <button class="nav-tab" onclick="showTab('console',this)">🖥️ Console (${session.consoleErrors.length})</button>
   <button class="nav-tab" onclick="showTab('network',this)">📡 Network</button>
 </nav>
 
 <div class="container">
 
-${session.playwrightMode ? '<div class="pw-banner">🎭 <strong>Playwright Real Browser Mode</strong> — Screenshots, Web Vitals, DOM tests, Interaction tests captured from live Chromium browser</div>' : ''}
-<div class="real-banner">✅ <strong>100% Real Runtime Data</strong> — All results from actual HTTP requests and live application testing.</div>
+${session.playwrightMode ? '<div class="pw-banner">🎭 <strong>BACKLIST Real Browser Mode</strong> — Screenshots, Web Vitals, DOM tests, Interactions, User Flow, Memory, Dark Mode, All Viewports</div>' : ''}
+<div class="real-banner">✅ <strong>100% Real Runtime Data</strong> — All results from actual HTTP requests and live Chromium browser testing.</div>
 
 <!-- OVERVIEW -->
 <div id="tab-overview" class="tab-panel active">
@@ -1310,10 +2361,14 @@ ${session.playwrightMode ? '<div class="pw-banner">🎭 <strong>Playwright Real
     <div class="mc"><div class="ml">P0 Critical</div><div class="mv" style="color:var(--red)">${sevCounts.P0}</div></div>
     <div class="mc"><div class="ml">P1 High</div><div class="mv" style="color:var(--yellow)">${sevCounts.P1}</div></div>
     <div class="mc"><div class="ml">Screenshots</div><div class="mv" style="color:#c084fc">${session.screenshots.length}</div></div>
+    <div class="mc"><div class="ml">Viewports</div><div class="mv">${vpCount}</div></div>
     <div class="mc"><div class="ml">Routes Found</div><div class="mv">${session.routeMap.length}</div></div>
+    <div class="mc"><div class="ml">Broken Links</div><div class="mv" style="color:${brokenCount > 0 ? 'var(--red)' : 'var(--green)'}">${brokenCount}</div></div>
     <div class="mc"><div class="ml">Sec Checks</div><div class="mv">${session.secFindings.length}</div></div>
-    <div class="mc"><div class="ml">Console Errors</div><div class="mv" style="color:${session.consoleErrors.length>0?'var(--yellow)':'var(--green)'}">${session.consoleErrors.length}</div></div>
-    <div class="mc"><div class="ml">Duration</div><div class="mv" style="font-size:1rem;padding-top:.4rem">${formatDuration(summary.duration)}</div></div>
+    <div class="mc"><div class="ml">3rd Party</div><div class="mv">${session.thirdPartyScripts.length}</div></div>
+    <div class="mc"><div class="ml">Console Errs</div><div class="mv" style="color:${session.consoleErrors.length > 0 ? 'var(--yellow)' : 'var(--green)'}">${session.consoleErrors.length}</div></div>
+    <div class="mc"><div class="ml">Dark Mode</div><div class="mv" style="font-size:1rem">${session.darkModeResults.some(d => d.supportsDark) ? '✓' : '–'}</div></div>
+    <div class="mc"><div class="ml">Duration</div><div class="mv" style="font-size:.95rem;padding-top:.4rem">${formatDuration(summary.duration)}</div></div>
   </div>
   <div class="grid2">
     <div class="card"><div class="card-title">Tests by Category</div><div class="chart-wrap"><canvas id="coverageChart"></canvas></div></div>
@@ -1324,12 +2379,19 @@ ${session.playwrightMode ? '<div class="pw-banner">🎭 <strong>Playwright Real
 <!-- SCREENSHOTS -->
 <div id="tab-screenshots" class="tab-panel">
   <div class="card">
-    <div class="card-title">Browser Screenshots <span>${session.screenshots.length} captured</span></div>
-    ${session.playwrightMode ? '' : '<div class="perf-note" style="margin-bottom:1rem">⚠️ Screenshots require Playwright. Install: <code>npm install playwright && npx playwright install chromium</code></div>'}
+    <div class="card-title">Browser Screenshots <span>${session.screenshots.length} captured (${vpCount} viewports + dark mode)</span></div>
     <div class="screenshot-gallery">${screenshotCards}</div>
   </div>
 </div>
 
+<!-- VIEWPORTS -->
+<div id="tab-viewports" class="tab-panel">
+  <div class="card">
+    <div class="card-title">Multi-Viewport Testing <span>${vpCount} viewports</span></div>
+    ${vpSection}
+  </div>
+</div>
+
 <!-- TESTS -->
 <div id="tab-tests" class="tab-panel">
   <div class="search-bar">
@@ -1362,6 +2424,10 @@ ${session.playwrightMode ? '<div class="pw-banner">🎭 <strong>Playwright Real
       <option value="P0">P0 Critical</option><option value="P1">P1 High</option>
       <option value="P2">P2 Medium</option><option value="P3">P3 Low</option>
     </select>
+    <select id="bugCat" onchange="filterBugs()">
+      <option value="">All categories</option>
+      ${[...new Set(session.bugs.map(b=>b.aiCategory||b.type||'general'))].map(c=>`<option value="${esc(c)}">${c}</option>`).join('')}
+    </select>
   </div>
   <div id="bugList">${bugCards}</div>
 </div>
@@ -1371,8 +2437,8 @@ ${session.playwrightMode ? '<div class="pw-banner">🎭 <strong>Playwright Real
   <div class="card">
     <div class="card-title">Discovered Routes <span>${session.routeMap.length} pages/APIs</span></div>
     <table>
-      <thead><tr><th>URL</th><th>Type</th><th>Status</th><th>Forms</th><th>Result</th></tr></thead>
-      <tbody>${routeRows || '<tr><td colspan="5" class="no-data">No routes discovered</td></tr>'}</tbody>
+      <thead><tr><th>URL</th><th>Type</th><th>Status</th><th>Time</th><th>Forms</th><th>Result</th></tr></thead>
+      <tbody>${routeRows || '<tr><td colspan="6" class="no-data">No routes discovered</td></tr>'}</tbody>
     </table>
   </div>
 </div>
@@ -1380,7 +2446,7 @@ ${session.playwrightMode ? '<div class="pw-banner">🎭 <strong>Playwright Real
 <!-- SECURITY -->
 <div id="tab-security" class="tab-panel">
   <div class="card">
-    <div class="card-title">Security Scan Results <span>${session.secFindings.length} checks</span></div>
+    <div class="card-title">Security Scan <span>${session.secFindings.length} checks · ${session.secFindings.filter(f=>!f.pass).length} issues</span></div>
     <table>
       <thead><tr><th>Check</th><th>Category</th><th>Result</th><th>Severity</th><th>Detail</th><th>Fix</th></tr></thead>
       <tbody>${secRows || '<tr><td colspan="6" class="no-data">No security scans</td></tr>'}</tbody>
@@ -1390,22 +2456,102 @@ ${session.playwrightMode ? '<div class="pw-banner">🎭 <strong>Playwright Real
 
 <!-- PERFORMANCE -->
 <div id="tab-performance" class="tab-panel">
-  <div class="card-title" style="padding:.5rem 0 1rem">Performance — Real Web Vitals + Resource Analysis</div>
+  <div class="card-title" style="padding:.5rem 0 1rem">Performance — Real Web Vitals (Playwright Chromium)</div>
   ${perfSection}
 </div>
 
-<!-- ACCESSIBILITY -->
+<!-- LOAD TEST -->
+<div id="tab-loadtest" class="tab-panel">
+  <div class="card-title" style="padding:.5rem 0 1rem">Load Testing — Concurrent Requests</div>
+  ${loadTestSection}
+</div>
+
+<!-- A11Y -->
 <div id="tab-a11y" class="tab-panel">
-  <div class="card-title" style="padding:.5rem 0 1rem">Accessibility — WCAG HTML Analysis</div>
+  <div class="card-title" style="padding:.5rem 0 1rem">Accessibility — WCAG 2.1 HTML Analysis (15 rules)</div>
   ${a11ySection}
 </div>
 
 <!-- SEO -->
 <div id="tab-seo" class="tab-panel">
-  <div class="card-title" style="padding:.5rem 0 1rem">SEO Analysis — Googlebot User-Agent</div>
+  <div class="card-title" style="padding:.5rem 0 1rem">SEO Analysis — Googlebot User-Agent (21 checks)</div>
   ${seoSection}
 </div>
 
+<!-- DARK MODE -->
+<div id="tab-darkmode" class="tab-panel">
+  <div class="card-title" style="padding:.5rem 0 1rem">Dark Mode Testing</div>
+  ${darkModeSection}
+</div>
+
+<!-- USER FLOW -->
+<div id="tab-userflow" class="tab-panel">
+  <div class="card-title" style="padding:.5rem 0 1rem">User Flow Simulation</div>
+  ${userFlowSection}
+</div>
+
+<!-- FORMS -->
+<div id="tab-forms" class="tab-panel">
+  <div class="card-title" style="padding:.5rem 0 1rem">Form Testing</div>
+  ${formTestSection}
+</div>
+
+<!-- COOKIES -->
+<div id="tab-cookies" class="tab-panel">
+  <div class="card-title" style="padding:.5rem 0 1rem">Cookie Security Audit</div>
+  ${cookieSection}
+</div>
+
+<!-- MEMORY -->
+<div id="tab-memory" class="tab-panel">
+  <div class="card-title" style="padding:.5rem 0 1rem">Memory Leak Detection</div>
+  ${memorySection}
+</div>
+
+<!-- BROKEN LINKS -->
+<div id="tab-brokenlinks" class="tab-panel">
+  <div class="card-title" style="padding:.5rem 0 1rem">Broken Link Scanner</div>
+  ${brokenLinksSection}
+</div>
+
+<!-- REDIRECTS -->
+<div id="tab-redirects" class="tab-panel">
+  <div class="card-title" style="padding:.5rem 0 1rem">Redirect Chain Analysis</div>
+  ${redirectSection}
+</div>
+
+<!-- THIRD PARTY -->
+<div id="tab-thirdparty" class="tab-panel">
+  <div class="card">
+    <div class="card-title">Third-Party Script Audit <span>${session.thirdPartyScripts.length} external scripts</span></div>
+    ${thirdPartySection}
+  </div>
+</div>
+
+<!-- CACHE -->
+<div id="tab-cache" class="tab-panel">
+  <div class="card">
+    <div class="card-title">Cache Headers Audit</div>
+    ${cacheSection}
+  </div>
+</div>
+
+<!-- ERROR PAGES -->
+<div id="tab-errorpages" class="tab-panel">
+  <div class="card">
+    <div class="card-title">Error Page Testing</div>
+    ${errorPageSection}
+  </div>
+</div>
+
+<!-- MIXED CONTENT -->
+<div id="tab-mixed" class="tab-panel">
+  <div class="card">
+    <div class="card-title">Mixed Content Issues</div>
+    ${mixedContentSection}
+  </div>
+</div>
+
 <!-- CONSOLE -->
 <div id="tab-console" class="tab-panel">
   <div class="card">
@@ -1424,7 +2570,7 @@ ${session.playwrightMode ? '<div class="pw-banner">🎭 <strong>Playwright Real
 
 </div>
 
-<footer>Backlist Enterprise QA v${VERSION} · ${summary.total} tests · ${session.bugs.length} bugs · ${session.routeMap.length} routes · ${session.screenshots.length} screenshots · ${new Date().toLocaleString()}</footer>
+<footer>Backlist Enterprise QA v${VERSION} · ${summary.total} tests · ${session.bugs.length} bugs · ${session.routeMap.length} routes · ${session.screenshots.length} screenshots · ${vpCount} viewports · ${new Date().toLocaleString()}</footer>
 
 <script>
 function showTab(name, el) {
@@ -1444,28 +2590,31 @@ function filterTests() {
 function filterBugs() {
   const s  = (document.getElementById('bugSearch')?.value||'').toLowerCase();
   const sv = document.getElementById('bugSev')?.value||'';
+  const ca = document.getElementById('bugCat')?.value||'';
   document.querySelectorAll('#bugList .bug-card').forEach(card => {
-    card.style.display = (card.textContent.toLowerCase().includes(s) && (!sv || card.dataset.severity===sv)) ? '' : 'none';
+    const matchSev = !sv || card.dataset.severity===sv;
+    const matchCat = !ca || card.textContent.toLowerCase().includes(ca.toLowerCase());
+    card.style.display = (card.textContent.toLowerCase().includes(s) && matchSev && matchCat) ? '' : 'none';
   });
 }
 const chartCfg = {
-  plugins:{legend:{labels:{color:'#94a3b8',font:{size:11}}}},
-  scales:{x:{ticks:{color:'#64748b'},grid:{color:'#1e293b'}},y:{ticks:{color:'#64748b',stepSize:1},grid:{color:'#1e293b'},beginAtZero:true}}
+  plugins:{legend:{labels:{color:'#94a3b8',font:{size:10}}}},
+  scales:{x:{ticks:{color:'#64748b',font:{size:10}},grid:{color:'#1e293b'}},y:{ticks:{color:'#64748b',stepSize:1,font:{size:10}},grid:{color:'#1e293b'},beginAtZero:true}}
 };
 new Chart(document.getElementById('coverageChart'),{type:'bar',data:{labels:${chartTypes},datasets:[
   {label:'Passed',data:${chartPass2},backgroundColor:'#34d399',borderRadius:3},
   {label:'Failed',data:${chartFail2},backgroundColor:'#f87171',borderRadius:3}
 ]},options:{responsive:true,maintainAspectRatio:false,...chartCfg,scales:{...chartCfg.scales,x:{...chartCfg.scales.x,stacked:true},y:{...chartCfg.scales.y,stacked:true}}}});
-new Chart(document.getElementById('bugChart'),{type:'doughnut',data:{labels:['P0 Critical','P1 High','P2 Medium','P3 Low'],datasets:[{data:${bugSevData},backgroundColor:['#ef4444','#f59e0b','#3b82f6','#64748b'],borderWidth:0}]},options:{responsive:true,maintainAspectRatio:false,plugins:{legend:{labels:{color:'#94a3b8',font:{size:11}}}}}});
+new Chart(document.getElementById('bugChart'),{type:'doughnut',data:{labels:['P0 Critical','P1 High','P2 Medium','P3 Low'],datasets:[{data:${bugSevData},backgroundColor:['#ef4444','#f59e0b','#3b82f6','#64748b'],borderWidth:0}]},options:{responsive:true,maintainAspectRatio:false,plugins:{legend:{labels:{color:'#94a3b8',font:{size:10}}}}}});
 </script>
 </body>
 </html>`;
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
-//  Main QA Runner — v13 with Playwright integration
+//  Main QA Runner v15 — All phases
 // ═══════════════════════════════════════════════════════════════════════════
-async function runQAEngine(session) {
+async function runQAEngine(session, opts = {}) {
   const dash = new TerminalDashboard(session);
   dash.start();
 
@@ -1484,161 +2633,206 @@ async function runQAEngine(session) {
       dash.log(`Crawling ${label}: ${url}`);
       const t0     = Date.now();
       const routes = await crawlSite(url, {
-        maxPages: 50,
+        maxPages: 60,
         onRoute: (route) => {
           session.routeMap.push(route);
-          dash.log(`  Found: ${route.url} (${route.type})`);
+          dash.setSubPhase(`Found: ${route.url} (${route.type})`);
         },
       });
-      addResult({ name: `[${label}] Route Discovery`, type: 'discovery', category: 'crawl',
+      addResult({ name: `[${label}] Route Discovery`, type: 'discovery',
         status: routes.length > 0 ? 'PASS' : 'FAIL',
         message: `Discovered ${routes.length} routes in ${Date.now()-t0}ms`, url, label });
     }
 
-    // ── Phase 2: Playwright Real Browser Tests ───────────────────────────
-    dash.setPhase('🎭 Phase 2: Playwright Real Browser Tests');
+    // ── Phase 2: Redirect Chain Analysis (v15) ───────────────────────────
+    dash.setPhase('↪ Phase 2: Redirect Chain Analysis');
+    for (const [label, url] of Object.entries(session.urls)) {
+      if (!url) continue;
+      dash.setCurrentTest(`Redirect: ${url}`);
+      const rc = await analyzeRedirectChain(url);
+      session.redirectChains.push(rc);
+      addResult({ name: `[${label}] Redirect Chain`, type: 'redirect',
+        status: rc.hasRedirectLoop ? 'FAIL' : 'PASS',
+        message: `${rc.hops} hops → ${rc.finalUrl}`, url, label });
+      if (rc.hasRedirectLoop) session.addBug({ title: `Redirect loop: ${url}`, severity: 'P1', type: 'network', url });
+      if (!rc.isHTTPtoHTTPS && url.startsWith('http://')) {
+        session.addBug({ title: `No HTTP→HTTPS redirect: ${url}`, severity: 'P2', type: 'security', url });
+      }
+    }
+
+    // ── Phase 3: Playwright Real Browser ────────────────────────────────
+    dash.setPhase('🎭 Phase 3: Playwright Real Browser Tests');
     const chromium = await getPlaywright();
 
     if (chromium) {
       session.playwrightMode = true;
-      dash.log(chalk.hex('#BF40FF')('  🎭 Playwright available! Running real browser tests...'));
+      dash.log(chalk.hex('#BF40FF')('  🎭 Backlist available! Real browser mode ACTIVE'));
 
       for (const [label, url] of Object.entries(session.urls)) {
         if (!url) continue;
         dash.setCurrentTest(`🎭 Browser: ${url}`);
-        dash.log(chalk.cyan(`  Launching Chromium for ${label}...`));
 
         const pwResult = await runPlaywrightScan(url, session, dash);
 
         if (pwResult && !pwResult.error) {
           const { results: pw } = pwResult;
 
-          // Store playwright perf data merged with session
           session.perfMetrics[label] = {
             ...session.perfMetrics[label],
             ...pw.vitals,
-            slowResources : pw.networkFails.filter(n => n.duration > 1000),
-            resourceStats : pw.resourceStats,
-            domChecks     : pw.domChecks,
-            interactions  : pw.interactions,
+            slowResources: pw.networkFails.filter(n => n.duration > 1000),
+            resourceStats: pw.resourceStats,
+            domChecks: pw.domChecks,
+            interactions: pw.interactions,
             playwrightMode: true,
           };
 
-          // Add DOM check results
           for (const check of pw.domChecks || []) {
-            addResult({ name: `DOM: ${check.name}`, type: 'browser-dom', category: 'playwright',
+            addResult({ name: `DOM: ${check.name}`, type: 'browser-dom',
               status: check.pass ? 'PASS' : 'FAIL', message: check.value, url, label });
           }
 
-          // Add interaction results
-          for (const interaction of pw.interactions || []) {
-            addResult({ name: `Interaction: ${interaction.name}`, type: 'browser-interaction', category: 'playwright',
-              status: interaction.pass ? 'PASS' : 'FAIL', message: interaction.value, url, label });
-            if (!interaction.pass) {
-              session.addBug({ title: `Interaction Failed: ${interaction.name}`,
-                severity: 'P2', type: 'javascript', url, evidence: { value: interaction.value } });
+          for (const i of pw.interactions || []) {
+            addResult({ name: `Interaction: ${i.name}`, type: 'browser-interaction',
+              status: i.pass ? 'PASS' : 'FAIL', message: i.value, url, label });
+            if (!i.pass) session.addBug({ title: `Interaction Failed: ${i.name}`, severity: 'P2', type: 'javascript', url, evidence: { value: i.value } });
+          }
+
+          // Viewport results
+          for (const [vk, vp] of Object.entries(pw.viewportResults || {})) {
+            if (!vp.error) {
+              addResult({ name: `Viewport: ${vp.label}`, type: 'viewport',
+                status: vp.passed ? 'PASS' : 'FAIL', message: (vp.issues||[]).join(', ') || 'OK', url, label });
+              if (!vp.passed) session.addBug({ title: `Viewport Issue (${vp.label}): ${(vp.issues||[]).join(', ')}`, severity: 'P2', type: 'viewport', url, evidence: { viewport: vk, issues: vp.issues } });
             }
           }
 
-          // Add network failure results
-          for (const fail of pw.networkFails || []) {
-            addResult({ name: `Network Fail: ${fail.url?.split('/').pop()?.slice(0,40)}`, type: 'network', category: 'playwright',
-              status: 'FAIL', message: fail.failure || `HTTP ${fail.status}`, url: fail.url, label });
-            session.addBug({ title: `Network Failure: ${fail.url?.split('/').pop()}`,
-              severity: fail.status >= 500 ? 'P1' : 'P2', type: 'network', url: fail.url,
-              evidence: { status: fail.status, failure: fail.failure } });
+          // User flow
+          if (pw.userFlow?.steps) {
+            for (const step of pw.userFlow.steps) {
+              addResult({ name: `Flow: ${step.name}`, type: 'user-flow',
+                status: step.pass ? 'PASS' : 'FAIL', message: step.error || `${step.duration}ms`, url, label });
+            }
           }
 
-          // Add console error results
-          for (const err of pw.jsErrors || []) {
-            addResult({ name: `JS Error: ${err.message?.slice(0,60)}`, type: 'javascript', category: 'playwright',
-              status: 'FAIL', message: err.message, url, label, severity: 'P2' });
-            session.addBug({ title: `JS Error: ${err.message?.slice(0,80)}`,
-              severity: 'P2', type: 'javascript', url, evidence: { message: err.message, stack: err.stack?.slice(0,200) } });
+          // Dark mode
+          if (pw.darkMode && !pw.darkMode.error) {
+            addResult({ name: `[${label}] Dark Mode Support`, type: 'dark-mode',
+              status: pw.darkMode.supportsDark ? 'PASS' : 'FAIL',
+              message: pw.darkMode.supportsDark ? 'prefers-color-scheme supported' : 'No dark mode support', url, label });
           }
 
-          // Web vitals results
-          const { lcp, fcp, cls, tbt, ttfb } = pw.vitals || {};
-          if (ttfb !== undefined && ttfb !== null) {
-            addResult({ name: `[${label}] TTFB`, type: 'performance', category: 'web-vitals',
-              status: ttfb <= 800 ? 'PASS' : 'FAIL', message: `TTFB: ${ttfb}ms`, url, label, duration: ttfb });
+          // Memory
+          if (pw.memoryLeak) {
+            addResult({ name: `[${label}] Memory Leak Check`, type: 'memory',
+              status: pw.memoryLeak.hasLeak ? 'FAIL' : 'PASS',
+              message: `Heap growth: ${pw.memoryLeak.growthMB}MB`, url, label });
+            if (pw.memoryLeak.hasLeak) session.addBug({ title: `Memory leak: +${pw.memoryLeak.growthMB}MB`, severity: pw.memoryLeak.severity, type: 'performance', url, evidence: pw.memoryLeak });
           }
-          if (lcp !== undefined && lcp !== null) {
-            addResult({ name: `[${label}] LCP`, type: 'performance', category: 'web-vitals',
-              status: lcp <= 2500 ? 'PASS' : 'FAIL', message: `LCP: ${lcp}ms (≤2500ms)`, url, label });
-            if (lcp > 2500) session.addBug({ title: `Poor LCP: ${lcp}ms`, severity: lcp > 4000 ? 'P1' : 'P2',
-              type: 'performance', url, evidence: { lcp }, recommendation: 'Optimize largest contentful paint' });
+
+          // Form tests
+          for (const f of pw.forms || []) {
+            addResult({ name: `Form #${f.formIndex+1}: ${f.action||'self'}`, type: 'form',
+              status: f.passed ? 'PASS' : 'FAIL', message: (f.issues||[]).join(', ') || 'OK', url, label });
           }
-          if (fcp !== undefined && fcp !== null) {
-            addResult({ name: `[${label}] FCP`, type: 'performance', category: 'web-vitals',
-              status: fcp <= 1800 ? 'PASS' : 'FAIL', message: `FCP: ${fcp}ms (≤1800ms)`, url, label });
+
+          // Third-party
+          if (pw.thirdParty?.length > 0) {
+            addResult({ name: `[${label}] Third-party scripts`, type: 'third-party',
+              status: 'PASS', message: `${pw.thirdParty.length} external scripts: ${pw.thirdParty.map(t=>t.vendor).join(', ')}`, url, label });
           }
-          if (cls !== undefined && cls !== null) {
-            addResult({ name: `[${label}] CLS`, type: 'performance', category: 'web-vitals',
-              status: cls <= 0.1 ? 'PASS' : 'FAIL', message: `CLS: ${cls} (≤0.1)`, url, label });
-            if (cls > 0.1) session.addBug({ title: `High CLS: ${cls}`, severity: 'P2', type: 'performance',
-              url, evidence: { cls }, recommendation: 'Fix layout shifts — set image dimensions, avoid dynamic content insertion' });
+
+          // JS errors
+          for (const err of pw.jsErrors || []) {
+            addResult({ name: `JS Error: ${err.message?.slice(0,60)}`, type: 'javascript',
+              status: 'FAIL', message: err.message, url, label, severity: 'P2' });
+            session.addBug({ title: `JS Error: ${err.message?.slice(0,80)}`, severity: 'P2', type: 'javascript', url, evidence: { message: err.message } });
           }
-          if (tbt !== undefined && tbt !== null) {
-            addResult({ name: `[${label}] TBT`, type: 'performance', category: 'web-vitals',
-              status: tbt <= 200 ? 'PASS' : 'FAIL', message: `TBT: ${tbt}ms (≤200ms)`, url, label });
+
+          // Network failures
+          for (const fail of pw.networkFails || []) {
+            addResult({ name: `Network Fail: ${fail.url?.split('/').pop()?.slice(0,40)}`, type: 'network',
+              status: 'FAIL', message: fail.failure || `HTTP ${fail.status}`, url: fail.url, label });
+            session.addBug({ title: `Network Failure: ${fail.url?.split('/').pop()}`, severity: fail.status >= 500 ? 'P1' : 'P2', type: 'network', url: fail.url });
           }
 
-          addResult({ name: `[${label}] Playwright Scan`, type: 'browser', category: 'playwright',
-            status: 'PASS', message: `${pw.screenshots?.length || 0} screenshots, ${pw.domChecks?.length || 0} DOM checks`, url, label });
+          // Mixed content
+          for (const mc of pw.mixedContent || []) {
+            addResult({ name: `Mixed Content`, type: 'security', status: 'FAIL', message: mc, url, label });
+            session.addBug({ title: `Mixed Content detected`, severity: 'P1', type: 'security', url, evidence: { text: mc } });
+          }
+
+          // Web Vitals
+          const { lcp, fcp, cls, tbt, ttfb } = pw.vitals || {};
+          const vitalTests = [
+            { name: 'TTFB', val: ttfb || pw.vitals?.ttfb, threshold: 800 },
+            { name: 'LCP',  val: lcp,  threshold: 2500 },
+            { name: 'FCP',  val: fcp,  threshold: 1800 },
+            { name: 'CLS',  val: cls,  threshold: 0.1  },
+            { name: 'TBT',  val: tbt,  threshold: 200  },
+          ];
+          for (const vt of vitalTests) {
+            if (vt.val !== undefined && vt.val !== null) {
+              addResult({ name: `[${label}] ${vt.name}`, type: 'performance',
+                status: vt.val <= vt.threshold ? 'PASS' : 'FAIL',
+                message: `${vt.name}: ${vt.val}`, url, label });
+              if (vt.val > vt.threshold && vt.name === 'LCP') {
+                session.addBug({ title: `Poor LCP: ${lcp}ms`, severity: lcp > 4000 ? 'P1' : 'P2', type: 'performance', url, evidence: { lcp } });
+              }
+              if (vt.val > vt.threshold && vt.name === 'CLS') {
+                session.addBug({ title: `High CLS: ${cls}`, severity: 'P2', type: 'performance', url, evidence: { cls } });
+              }
+            }
+          }
+
+          addResult({ name: `[${label}] Playwright Scan`, type: 'browser', status: 'PASS',
+            message: `${pw.screenshots?.length||0} screenshots, ${pw.domChecks?.length||0} DOM checks, ${Object.keys(pw.viewportResults||{}).length} viewports`, url, label });
 
-          dash.log(chalk.green(`  ✅ Playwright scan complete for ${label}`));
         } else {
-          dash.log(chalk.yellow(`  ⚠ Playwright scan failed: ${pwResult?.error || 'unknown error'}`));
           addResult({ name: `[${label}] Playwright Scan`, type: 'browser', status: 'FAIL',
             message: pwResult?.error || 'Playwright scan failed', url, label });
         }
       }
     } else {
-      dash.log(chalk.yellow('  ⚠ Playwright not installed. HTTP-only mode.'));
-      dash.log(chalk.gray('  Install: npm install playwright && npx playwright install chromium'));
-      // Fallback: HTTP TTFB
+      dash.log(chalk.yellow('  ⚠ Playwright not installed — HTTP-only mode'));
       for (const [label, url] of Object.entries(session.urls)) {
         if (!url) continue;
         const t0   = Date.now();
         const r    = await httpProbe(url, { timeout: 15000 });
         const ttfb = Date.now() - t0;
-        session.perfMetrics[label] = { ttfb, bodySize: r.bodySize, statusCode: r.status,
-          slowResources: [], note: 'Install Playwright for real Web Vitals (LCP, FCP, CLS)' };
-        addResult({ name: `[${label}] TTFB`, type: 'performance', category: 'web-vitals',
-          status: ttfb <= 800 ? 'PASS' : 'FAIL',
-          message: `TTFB: ${ttfb}ms (threshold: ≤800ms)`, url, label, duration: ttfb });
-        if (ttfb > 800) session.addBug({ title: `Slow TTFB: ${ttfb}ms`, severity: ttfb > 2000 ? 'P1' : 'P2',
-          type: 'performance', url, evidence: { ttfb }, recommendation: 'Optimize server response time' });
+        session.perfMetrics[label] = { ttfb, bodySize: r.bodySize, statusCode: r.status, slowResources: [],
+          note: 'Install Playwright for real Web Vitals, screenshots, dark mode, viewport tests' };
+        addResult({ name: `[${label}] TTFB`, type: 'performance',
+          status: ttfb <= 800 ? 'PASS' : 'FAIL', message: `TTFB: ${ttfb}ms`, url, label });
       }
     }
 
-    // ── Phase 3: API Validation ──────────────────────────────────────────
-    dash.setPhase('📡 Phase 3: API Validation');
+    // ── Phase 4: API Validation ──────────────────────────────────────────
+    dash.setPhase('📡 Phase 4: API Validation & Contract Testing');
     const apiRoutes = session.routeMap.filter(r => r.type === 'api' || r.url?.includes('/api/'));
     dash.log(`Validating ${apiRoutes.length} API endpoints...`);
     for (const route of apiRoutes) {
       dash.setCurrentTest(`API: ${route.url}`);
-      const r = await httpProbe(route.url);
-      session.apiLog.push({ ...r, id: shortId() });
-      addResult({ name: `API: ${route.url}`, type: 'api', category: 'api',
-        status: r.ok ? 'PASS' : 'FAIL',
-        message: `${r.status} ${r.ok ? 'OK' : 'FAIL'} (${r.responseTime}ms)`,
-        url: route.url, duration: r.responseTime });
-      if (!r.ok) session.addBug({ title: `API Failure: ${route.url}`,
-        severity: r.status >= 500 ? 'P0' : 'P1', type: 'api',
-        description: r.error || `HTTP ${r.status}`, evidence: { status: r.status, error: r.error } });
+      const contract = await testAPIContract(route.url);
+      session.apiContracts.push(contract);
+      session.apiLog.push({ ...contract, id: shortId() });
+      addResult({ name: `API: ${route.url}`, type: 'api',
+        status: contract.passed ? 'PASS' : 'FAIL',
+        message: `${contract.status} (${contract.responseTime}ms)${contract.issues.length ? ' · ' + contract.issues.join(', ') : ''}`,
+        url: route.url, duration: contract.responseTime });
+      if (!contract.passed) session.addBug({ title: `API Issue: ${route.url}`, severity: contract.status >= 500 ? 'P0' : 'P1', type: 'api',
+        description: contract.issues.join(', '), evidence: { status: contract.status, issues: contract.issues } });
     }
 
-    // ── Phase 4: Security ────────────────────────────────────────────────
-    dash.setPhase('🛡️  Phase 4: Security Scan');
+    // ── Phase 5: Security ────────────────────────────────────────────────
+    dash.setPhase('🛡️  Phase 5: Security Scan (20+ checks)');
     for (const [label, url] of Object.entries(session.urls)) {
       if (!url) continue;
       dash.setCurrentTest(`Security: ${url}`);
       const findings = await runSecurityScan(url);
       session.secFindings.push(...findings);
       for (const f of findings) {
-        addResult({ name: `Security: ${f.check}`, type: 'security', category: f.category,
+        addResult({ name: `Security: ${f.check}`, type: 'security',
           status: f.pass ? 'PASS' : 'FAIL', message: f.detail, severity: f.severity, url, label });
         if (!f.pass && ['P0','P1'].includes(f.severity)) {
           session.addBug({ title: `Security: ${f.check}`, severity: f.severity, type: 'security',
@@ -1647,47 +2841,126 @@ async function runQAEngine(session) {
       }
     }
 
-    // ── Phase 5: Accessibility ───────────────────────────────────────────
-    dash.setPhase('♿ Phase 5: Accessibility Check');
-    const pageRoutes = session.routeMap.filter(r => r.type === 'page' || r.type === 'auth').slice(0, 10);
-    for (const route of pageRoutes) {
+    // ── Phase 6: Cookie Audit (v15) ──────────────────────────────────────
+    dash.setPhase('🍪 Phase 6: Cookie Security Audit');
+    for (const [label, url] of Object.entries(session.urls)) {
+      if (!url) continue;
+      dash.setCurrentTest(`Cookies: ${url}`);
+      const cookieResult = await runCookieAudit(url);
+      session.cookieAudit.push(cookieResult);
+      for (const cookie of cookieResult.cookies) {
+        addResult({ name: `Cookie: ${cookie.name}`, type: 'security',
+          status: cookie.issues.length === 0 ? 'PASS' : 'FAIL',
+          message: cookie.issues.join(', ') || 'Secure', url, label, severity: cookie.severity });
+        if (cookie.issues.length > 0 && cookie.severity !== 'INFO') {
+          session.addBug({ title: `Cookie "${cookie.name}": ${cookie.issues.join(', ')}`, severity: cookie.severity, type: 'security', url, evidence: { cookie: cookie.name, issues: cookie.issues } });
+        }
+      }
+    }
+
+    // ── Phase 7: Cache Headers (v15) ─────────────────────────────────────
+    dash.setPhase('💾 Phase 7: Cache Headers Audit');
+    for (const [label, url] of Object.entries(session.urls)) {
+      if (!url) continue;
+      const cacheResult = await auditCacheHeaders(url);
+      session.cacheHeaders.push(cacheResult);
+      addResult({ name: `[${label}] Cache Headers`, type: 'performance',
+        status: cacheResult.passed ? 'PASS' : 'FAIL',
+        message: cacheResult.cacheControl || 'No cache headers', url, label });
+    }
+
+    // ── Phase 8: Broken Links (v15) ──────────────────────────────────────
+    dash.setPhase('🔗 Phase 8: Broken Link Scanner');
+    const pageRoutes8 = session.routeMap.filter(r => r.type === 'page').slice(0, 5);
+    for (const route of pageRoutes8) {
+      dash.setCurrentTest(`Links: ${route.url}`);
+      const blResult = await scanBrokenLinks(route.url, { maxLinks: 60 });
+      session.brokenLinks.push(blResult);
+      addResult({ name: `Broken Links: ${route.url}`, type: 'broken-links',
+        status: blResult.broken === 0 ? 'PASS' : 'FAIL',
+        message: `${blResult.broken}/${blResult.total} links broken`, url: route.url });
+      for (const bl of blResult.links.filter(l => !l.ok).slice(0, 5)) {
+        session.addBug({ title: `Broken link: ${bl.url}`, severity: 'P2', type: 'network',
+          url: route.url, evidence: { brokenUrl: bl.url, status: bl.status } });
+      }
+    }
+
+    // ── Phase 9: Error Pages (v15) ───────────────────────────────────────
+    dash.setPhase('🚫 Phase 9: Error Page Testing');
+    for (const [label, url] of Object.entries(session.urls)) {
+      if (!url) continue;
+      const errResults = await testErrorPages(url);
+      session.errorPageTests.push(...errResults);
+      for (const er of errResults) {
+        addResult({ name: `${er.name}: ${url}`, type: 'error-page',
+          status: er.passed ? 'PASS' : 'FAIL', message: er.issues.join(', ') || 'OK', url, label });
+        if (!er.passed) session.addBug({ title: `${er.name} issue: ${er.issues.join(', ')}`, severity: 'P2', type: 'api', url, evidence: { test: er.name, status: er.actualStatus, issues: er.issues } });
+      }
+    }
+
+    // ── Phase 10: Accessibility ──────────────────────────────────────────
+    dash.setPhase('♿ Phase 10: Accessibility Check (WCAG 2.1)');
+    const pageRoutes10 = session.routeMap.filter(r => r.type === 'page' || r.type === 'auth').slice(0, 10);
+    for (const route of pageRoutes10) {
       dash.setCurrentTest(`A11y: ${route.url}`);
       const result = await runA11yScan(route.url);
       session.a11yResults.push({ url: route.url, ...result });
       for (const v of result.violations) {
-        addResult({ name: `A11y [${v.impact}]: ${v.description}`, type: 'accessibility', category: 'wcag',
-          status: 'FAIL', message: v.help, severity: v.impact === 'critical' ? 'P0' : v.impact === 'serious' ? 'P1' : 'P2',
-          url: route.url });
-        if (['critical','serious'].includes(v.impact)) session.addBug({
-          title: `A11y: ${v.description}`, severity: v.impact === 'critical' ? 'P0' : 'P1',
-          type: 'accessibility', description: v.help, url: route.url, recommendation: v.helpUrl });
+        addResult({ name: `A11y [${v.impact}]: ${v.description}`, type: 'accessibility',
+          status: 'FAIL', message: v.help, severity: v.impact === 'critical' ? 'P0' : 'P1', url: route.url });
+        if (['critical','serious'].includes(v.impact)) session.addBug({ title: `A11y: ${v.description}`, severity: v.impact === 'critical' ? 'P0' : 'P1', type: 'accessibility', description: v.help, url: route.url });
       }
-      for (const pass of result.passes.slice(0, 3)) {
+      for (const pass of result.passes.slice(0, 4)) {
         addResult({ name: `A11y ✓: ${pass.description}`, type: 'accessibility', status: 'PASS', url: route.url });
       }
     }
 
-    // ── Phase 6: SEO ─────────────────────────────────────────────────────
-    dash.setPhase('🔎 Phase 6: SEO Validation');
+    // ── Phase 11: SEO ────────────────────────────────────────────────────
+    dash.setPhase('🔎 Phase 11: SEO Validation (21 checks)');
     const seoRoutes = session.routeMap.filter(r => r.type === 'page').slice(0, 10);
     for (const route of seoRoutes) {
       dash.setCurrentTest(`SEO: ${route.url}`);
       const result = await runSEOScan(route.url);
       session.seoResults.push({ url: route.url, ...result });
       for (const c of result.checks) {
-        addResult({ name: `SEO: ${c.name}`, type: 'seo', category: c.category,
+        addResult({ name: `SEO: ${c.name}`, type: 'seo',
           status: c.pass ? 'PASS' : 'FAIL', message: c.detail, severity: c.severity, url: route.url });
-        if (!c.pass && ['P0','P1'].includes(c.severity)) session.addBug({
-          title: `SEO: ${c.name}`, severity: c.severity, type: 'seo',
-          description: c.detail, url: route.url, recommendation: c.recommendation });
+        if (!c.pass && ['P0','P1'].includes(c.severity)) session.addBug({ title: `SEO: ${c.name}`, severity: c.severity, type: 'seo', description: c.detail, url: route.url });
       }
     }
 
-    // ── Phase 7: AI Classification ───────────────────────────────────────
-    dash.setPhase('🤖 Phase 7: AI Bug Classification');
+    // ── Phase 12: Load Test (v15) ────────────────────────────────────────
+    if (opts.loadTest !== false) {
+      dash.setPhase('🔥 Phase 12: Load Testing');
+      for (const [label, url] of Object.entries(session.urls)) {
+        if (!url) continue;
+        dash.setCurrentTest(`Load test: ${url} (10 concurrent, 10s)`);
+        dash.log(chalk.yellow(`  🔥 Load testing ${url}...`));
+        const lt = await runLoadTest(url, { concurrency: 10, duration: 10000, rampUp: 2000 });
+        session.loadTestResults.push(lt);
+        addResult({ name: `[${label}] Load Test`, type: 'load-test',
+          status: lt.passed ? 'PASS' : 'FAIL',
+          message: `${lt.rps} req/s · p95=${lt.latency.p95}ms · ${lt.errorRate}% errors`, url, label });
+        if (!lt.passed) session.addBug({ title: `Load test failed: ${lt.errorRate}% error rate or slow p95`, severity: lt.errorRate > 20 ? 'P1' : 'P2', type: 'performance', url, evidence: { rps: lt.rps, p95: lt.latency.p95, errorRate: lt.errorRate } });
+        dash.log(chalk.green(`  ✓ Load test: ${lt.rps} req/s, p95=${lt.latency.p95}ms`));
+      }
+    }
+
+    // ── Phase 13: HTTP Version (v15) ─────────────────────────────────────
+    dash.setPhase('🌐 Phase 13: HTTP Version & Protocol Check');
+    for (const [label, url] of Object.entries(session.urls)) {
+      if (!url) continue;
+      const http = await inspectHTTPVersion(url);
+      session.httpVersions[label] = http;
+      addResult({ name: `[${label}] HTTPS`, type: 'security',
+        status: http.isHTTPS ? 'PASS' : 'FAIL', message: http.isHTTPS ? 'HTTPS in use' : 'HTTP only', url, label });
+    }
+
+    // ── Phase 14: AI Classification ──────────────────────────────────────
+    dash.setPhase('🤖 Phase 14: AI Bug Classification');
     dash.log(`Classifying ${session.bugs.length} bugs...`);
     for (const bug of session.bugs) {
-      const cls            = classifyBug(bug);
+      const cls = classifyBug(bug);
       bug.aiSeverity       = cls.severity;
       bug.aiCategory       = cls.category;
       bug.aiRecommendation = cls.recommendation;
@@ -1722,12 +2995,20 @@ async function generateReports(session) {
     urls: session.urls, summary, results: session.results, bugs: session.bugs,
     routeMap: session.routeMap, apiLog: session.apiLog, secFindings: session.secFindings,
     perfMetrics: session.perfMetrics, a11yResults: session.a11yResults, seoResults: session.seoResults,
-    screenshots: session.screenshots.map(s => ({ ...s, path: undefined })), // strip paths from JSON
+    cookieAudit: session.cookieAudit, loadTestResults: session.loadTestResults,
+    brokenLinks: session.brokenLinks, redirectChains: session.redirectChains,
+    memorySnapshots: session.memorySnapshots, darkModeResults: session.darkModeResults,
+    viewportResults: session.viewportResults, userFlowResults: session.userFlowResults,
+    thirdPartyScripts: session.thirdPartyScripts, cacheHeaders: session.cacheHeaders,
+    errorPageTests: session.errorPageTests, formTests: session.formTests,
+    mixedContentIssues: session.mixedContentIssues, cspViolations: session.cspViolations,
+    httpVersions: session.httpVersions,
+    screenshots: session.screenshots.map(s => ({ ...s, path: undefined })),
     playwrightMode: session.playwrightMode,
     ci: {
       exitCode: summary.failed > 0 || session.bugs.some(b => b.severity === 'P0') ? 1 : 0,
-      p0Bugs  : session.bugs.filter(b => b.severity === 'P0').length,
-      p1Bugs  : session.bugs.filter(b => b.severity === 'P1').length,
+      p0Bugs: session.bugs.filter(b => b.severity === 'P0').length,
+      p1Bugs: session.bugs.filter(b => b.severity === 'P1').length,
       passRate: summary.passRate,
     },
   }, { spaces: 2 });
@@ -1742,6 +3023,7 @@ export async function initQASystem() {
   await fs.ensureDir(QA_DIR);
   await fs.ensureDir(REPORT_DIR);
   await fs.ensureDir(SCREENSHOT_DIR);
+  await fs.ensureDir(BASELINE_DIR);
   if (!await fs.pathExists(HISTORY_FILE)) {
     await fs.writeJson(HISTORY_FILE, { runs: [], version: VERSION }, { spaces: 2 });
   }
@@ -1765,7 +3047,7 @@ async function saveToHistory(session, htmlPath, jsonPath) {
 // ═══════════════════════════════════════════════════════════════════════════
 //  Public API — runUrlQA (main entry point)
 // ═══════════════════════════════════════════════════════════════════════════
-export async function runUrlQA({ localUrl, stagingUrl, prodUrl } = {}) {
+export async function runUrlQA({ localUrl, stagingUrl, prodUrl, loadTest = true } = {}) {
   const urls = {};
   if (localUrl)   urls.localhost  = localUrl;
   if (stagingUrl) urls.staging    = stagingUrl;
@@ -1773,20 +3055,22 @@ export async function runUrlQA({ localUrl, stagingUrl, prodUrl } = {}) {
 
   if (!Object.keys(urls).length) { console.log(chalk.red('  No URLs provided.')); return null; }
 
-  // Check Playwright availability and warn
   const chromium = await getPlaywright();
+  console.log('');
+  console.log(chalk.hex('#00F5FF').bold(`  ⚡ Backlist QA Engine v${VERSION}`));
+  console.log(chalk.hex('#00F5FF')('  ─────────────────────────────────────────'));
   if (chromium) {
-    console.log(chalk.hex('#BF40FF')('  🎭 Playwright detected — Real browser mode ENABLED'));
-    console.log(chalk.gray('     Screenshots, Web Vitals, DOM tests, Interactions will be captured'));
+    console.log(chalk.hex('#BF40FF')('  🎭 Backlist: Real Browser Mode ACTIVE'));
+    console.log(chalk.gray('     Multi-viewport · Dark mode · Memory · User flows'));
+    console.log(chalk.gray('     Screenshots (7 viewports) · Web Vitals · Forms'));
   } else {
     console.log(chalk.yellow('  ⚠ Playwright not found — HTTP-only mode'));
-    console.log(chalk.gray('     Install: npm install playwright && npx playwright install chromium'));
-    console.log(chalk.gray('     For real Web Vitals, screenshots, and DOM tests'));
+    console.log(chalk.gray('     Run: npm install playwright && npx playwright install chromium'));
   }
   console.log('');
 
   const session = new QASession(urls);
-  await runQAEngine(session);
+  await runQAEngine(session, { loadTest });
   const { htmlPath, jsonPath } = await generateReports(session);
   await saveToHistory(session, htmlPath, jsonPath);
 
@@ -1794,9 +3078,7 @@ export async function runUrlQA({ localUrl, stagingUrl, prodUrl } = {}) {
   console.log(chalk.hex('#00F5FF').bold(`  ✓ ${session.id} — ${summary.total} tests · ${summary.failed} failed · ${session.bugs.length} bugs · ${session.screenshots.length} screenshots`));
   console.log(chalk.gray(`  📄 HTML: ${htmlPath}`));
   console.log(chalk.gray(`  📋 JSON: ${jsonPath}`));
-  if (session.screenshots.length > 0) {
-    console.log(chalk.hex('#BF40FF')(`  📸 Screenshots: ${SCREENSHOT_DIR}`));
-  }
+  if (session.screenshots.length > 0) console.log(chalk.hex('#BF40FF')(`  📸 Screenshots: ${SCREENSHOT_DIR}`));
 
   try {
     const { exec } = await import('node:child_process');
@@ -1808,14 +3090,14 @@ export async function runUrlQA({ localUrl, stagingUrl, prodUrl } = {}) {
   return { session, htmlPath, jsonPath };
 }
 
-export async function runAutomatedQA({ continuous = false, localUrl, stagingUrl, prodUrl } = {}) {
+export async function runAutomatedQA({ continuous = false, localUrl, stagingUrl, prodUrl, loadTest = false } = {}) {
   const run = async () => {
     const urls = {};
     if (localUrl)   urls.localhost  = localUrl;
     if (stagingUrl) urls.staging    = stagingUrl;
     if (prodUrl)    urls.production = prodUrl;
     const session = new QASession(urls);
-    await runQAEngine(session);
+    await runQAEngine(session, { loadTest });
     const { htmlPath, jsonPath } = await generateReports(session);
     await saveToHistory(session, htmlPath, jsonPath);
     console.log(chalk.gray(`  📄 Report: ${htmlPath}`));
@@ -1836,12 +3118,15 @@ export async function runManualQA() {
   const action = await p.select({
     message: 'Manual QA mode:',
     options: [
-      { value: 'full',     label: '🌐 Full Scan (All phases + Playwright)' },
-      { value: 'browser',  label: '🎭 Browser-only (Playwright: screenshots + vitals)' },
-      { value: 'security', label: '🛡️  Security only' },
-      { value: 'seo',      label: '🔎 SEO only' },
-      { value: 'a11y',     label: '♿ Accessibility only' },
-      { value: 'perf',     label: '⚡ Performance only' },
+      { value: 'full',       label: '🌐 Full Scan (All 14 phases + Playwright)' },
+      { value: 'browser',    label: '🎭 Browser-only (screenshots, vitals, dark mode, viewports)' },
+      { value: 'security',   label: '🛡️  Security only (20+ checks)' },
+      { value: 'seo',        label: '🔎 SEO only (21 checks)' },
+      { value: 'a11y',       label: '♿ Accessibility only (WCAG 2.1)' },
+      { value: 'perf',       label: '⚡ Performance + Load Test' },
+      { value: 'links',      label: '🔗 Broken Link Scanner' },
+      { value: 'cookies',    label: '🍪 Cookie Audit' },
+      { value: 'userflow',   label: '🧑‍💻 User Flow Simulation' },
     ],
   });
   if (p.isCancel(action)) { p.cancel('Cancelled.'); return; }
@@ -1853,48 +3138,62 @@ export async function runManualQA() {
   const sess = new QASession({ localhost: url });
 
   if (action === 'full') {
-    await runQAEngine(sess);
+    await runQAEngine(sess, { loadTest: true });
   } else {
     const dash = new TerminalDashboard(sess);
     dash.start();
     try {
       if (action === 'browser') {
         const chromium = await getPlaywright();
-        if (!chromium) { dash.log(chalk.red('Playwright not installed! Run: npm install playwright && npx playwright install chromium')); }
+        if (!chromium) { dash.log(chalk.red('Playwright not installed!')); }
         else {
           sess.playwrightMode = true;
           await runPlaywrightScan(url, sess, dash);
-          sess.perfMetrics.localhost = { ...sess.perfMetrics.localhost, playwrightMode: true };
         }
       } else if (action === 'security') {
-        const f = await runSecurityScan(url);
-        sess.secFindings.push(...f);
-        f.forEach(finding => sess.addResult({ id: shortId(), name: `Security: ${finding.check}`, type: 'security',
-          status: finding.pass ? 'PASS' : 'FAIL', message: finding.detail, timestamp: timestamp() }));
+        const findings = await runSecurityScan(url);
+        sess.secFindings.push(...findings);
+        findings.forEach(f => sess.addResult({ id: shortId(), name: `Security: ${f.check}`, type: 'security', status: f.pass ? 'PASS' : 'FAIL', message: f.detail, timestamp: timestamp() }));
       } else if (action === 'seo') {
         const r = await runSEOScan(url);
         sess.seoResults.push({ url, ...r });
-        r.checks.forEach(c => sess.addResult({ id: shortId(), name: `SEO: ${c.name}`, type: 'seo',
-          status: c.pass ? 'PASS' : 'FAIL', message: c.detail, timestamp: timestamp() }));
+        r.checks.forEach(c => sess.addResult({ id: shortId(), name: `SEO: ${c.name}`, type: 'seo', status: c.pass ? 'PASS' : 'FAIL', message: c.detail, timestamp: timestamp() }));
       } else if (action === 'a11y') {
         const r = await runA11yScan(url);
         sess.a11yResults.push({ url, ...r });
-        r.violations.forEach(v => sess.addResult({ id: shortId(), name: `A11y: ${v.description}`, type: 'accessibility',
-          status: 'FAIL', message: v.help, timestamp: timestamp() }));
+        r.violations.forEach(v => sess.addResult({ id: shortId(), name: `A11y: ${v.description}`, type: 'accessibility', status: 'FAIL', message: v.help, timestamp: timestamp() }));
+        r.passes.forEach(p => sess.addResult({ id: shortId(), name: `A11y ✓: ${p.description}`, type: 'accessibility', status: 'PASS', timestamp: timestamp() }));
       } else if (action === 'perf') {
         const chromium2 = await getPlaywright();
         if (chromium2) {
           sess.playwrightMode = true;
           await runPlaywrightScan(url, sess, dash);
+        }
+        const lt = await runLoadTest(url, { concurrency: 10, duration: 8000 });
+        sess.loadTestResults.push(lt);
+        sess.addResult({ id: shortId(), name: `Load Test: ${lt.rps} req/s`, type: 'load-test', status: lt.passed ? 'PASS' : 'FAIL', message: `p95=${lt.latency.p95}ms errors=${lt.errorRate}%`, timestamp: timestamp() });
+      } else if (action === 'links') {
+        dash.log(chalk.cyan('Scanning for broken links...'));
+        const bl = await scanBrokenLinks(url, { maxLinks: 100 });
+        sess.brokenLinks.push(bl);
+        sess.addResult({ id: shortId(), name: `Broken Links: ${bl.broken}/${bl.total}`, type: 'broken-links', status: bl.broken === 0 ? 'PASS' : 'FAIL', message: `${bl.broken} broken links found`, timestamp: timestamp() });
+      } else if (action === 'cookies') {
+        const ca = await runCookieAudit(url);
+        sess.cookieAudit.push(ca);
+        ca.cookies.forEach(c => sess.addResult({ id: shortId(), name: `Cookie: ${c.name}`, type: 'security', status: c.issues.length === 0 ? 'PASS' : 'FAIL', message: c.issues.join(', ') || 'OK', timestamp: timestamp() }));
+      } else if (action === 'userflow') {
+        const chromium3 = await getPlaywright();
+        if (chromium3) {
+          sess.playwrightMode = true;
+          const browser = await chromium3.launch({ headless: true, args: ['--no-sandbox'] });
+          const context = await browser.newContext({ viewport: { width: 1280, height: 900 } });
+          const page    = await context.newPage();
+          const flow    = await simulateUserFlow(page, url);
+          sess.userFlowResults.push(flow);
+          flow.steps.forEach(s => sess.addResult({ id: shortId(), name: `Flow: ${s.name}`, type: 'user-flow', status: s.pass ? 'PASS' : 'FAIL', message: s.error || `${s.duration}ms`, timestamp: timestamp() }));
+          await page.close(); await context.close(); await browser.close();
         } else {
-          const m = await (async () => {
-            const t0 = Date.now(); const r = await httpProbe(url, { timeout: 15000 });
-            return { ttfb: Date.now()-t0, bodySize: r.bodySize, statusCode: r.status, slowResources: [],
-              note: 'Install Playwright for real LCP/FCP/CLS metrics' };
-          })();
-          sess.perfMetrics.localhost = m;
-          sess.addResult({ id: shortId(), name: `TTFB: ${m.ttfb}ms`, type: 'performance',
-            status: m.ttfb <= 800 ? 'PASS' : 'FAIL', message: `${m.ttfb}ms`, timestamp: timestamp() });
+          dash.log(chalk.red('Playwright required for user flow simulation'));
         }
       }
     } finally { dash.stop(); }
@@ -1926,14 +3225,14 @@ export async function viewQAHistory() {
   if (!history.runs?.length) { console.log(chalk.yellow('\n  No QA history found.\n')); return; }
 
   console.log('');
-  console.log(chalk.hex('#00F5FF').bold('  QA History'));
-  console.log(chalk.gray('  ──────────────────────────────────────────────────'));
+  console.log(chalk.hex('#00F5FF').bold('  QA History — v15'));
+  console.log(chalk.gray('  ──────────────────────────────────────────────────────'));
   for (const run of history.runs.slice(0, 15)) {
     const rate = run.summary?.passRate ?? '–';
     const col  = Number(rate) >= 90 ? chalk.green : Number(rate) >= 70 ? chalk.yellow : chalk.red;
     const urls = Object.values(run.urls||{}).filter(Boolean).join(', ');
     const pwIcon = run.playwrightMode ? chalk.hex('#BF40FF')('🎭') : chalk.gray('⚡');
-    console.log(`  ${chalk.gray(run.id.padEnd(16))} ${chalk.gray(new Date(run.startedAt).toLocaleString().padEnd(22))} ${col((rate+'%').padStart(7))} ${chalk.cyan((run.bugCount||0)+' bugs')} ${pwIcon} ${chalk.dim(urls.slice(0,40))}`);
+    console.log(`  ${chalk.gray(run.id.padEnd(16))} ${chalk.gray(new Date(run.startedAt).toLocaleString().padEnd(22))} ${col((rate+'%').padStart(7))} ${chalk.cyan((run.bugCount||0)+' bugs')} ${chalk.magenta((run.screenshotCount||0)+' 📸')} ${pwIcon} ${chalk.dim(urls.slice(0,40))}`);
   }
   console.log('');
 
@@ -1960,4 +3259,4 @@ export async function viewQAHistory() {
   } else {
     console.log(chalk.yellow('  Report file not found.'));
   }
-}
+}