diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8fce039..87fa621 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 All notable changes to qmax-code. Versions follow [Semantic Versioning](https://semver.org/).
 
+## [1.18.0] - 2026-06-04
+
+### Added
+- Imported the 15 browser/runtime QA skills from [Quality-Max/free-qa-skills](https://github.com/Quality-Max/free-qa-skills): `accessibility-check`, `broken-link-scan`, `cold-load-waterfall`, `console-error-scan`, `cookie-privacy-scan`, `core-web-vitals`, `form-validation-scan`, `i18n-rtl-audit`, `mixed-content-scan`, `page-weight-budget`, `responsive-screenshots`, `security-headers-check`, `seo-check`, `third-party-bloat`, `ui-ux-scan`. Unlike the static-analysis skills, these drive a live page load and declare a Playwright MCP dependency (surfaced to Codex via `agents/openai.yaml`). The catalog now ships **27 skills** and fully mirrors free-qa-skills plus the qmax-specific ones.
+
 ## [1.17.1] - 2026-06-04
 
 ### Added
diff --git a/internal/skills/catalog.go b/internal/skills/catalog.go
index 732f450..71080f9 100644
--- a/internal/skills/catalog.go
+++ b/internal/skills/catalog.go
@@ -76,6 +76,10 @@ func (s Skill) Body() string {
 // that orch installs into both CLIs.
 var qmaxDep = MCPDep{Value: "qmax", Description: "qmax QA tools (list, run, generate, review)"}
 
+// playwrightDep is the dependency for the browser/runtime QA skills imported
+// from free-qa-skills: they drive a live page load via the Playwright MCP.
+var playwrightDep = MCPDep{Value: "playwright", Description: "Playwright MCP for live browser automation"}
+
 // Catalog is the full set of qmax QA skills shipped with qmax-code. Adding a
 // skill is: drop a catalog/<name>.md body and append an entry here.
 var Catalog = []Skill{
@@ -159,6 +163,115 @@ var Catalog = []Skill{
 		ShortDescription: "Find brittle UI locators, suggest stable ones",
 		bodyFile:         "flaky-selector-scan.md",
 	},
+
+	// Browser / runtime QA skills imported from Quality-Max/free-qa-skills.
+	// Unlike the static-analysis skills above, these drive a live page load and
+	// declare a Playwright MCP dependency (surfaced to Codex via openai.yaml).
+	{
+		Name:             "accessibility-check",
+		Description:      "Quick WCAG accessibility scan of any URL — color contrast, missing alt text, keyboard navigation, ARIA labels, heading hierarchy, and focus indicators — producing a graded report. Use when the user wants to check a page's accessibility or WCAG compliance.",
+		ShortDescription: "WCAG accessibility scan of a URL",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "accessibility-check.md",
+	},
+	{
+		Name:             "broken-link-scan",
+		Description:      "Find broken links on any website: crawl the page and check every link for 404s, redirects, and timeouts, reporting each dead link with its location. Use when the user wants to find broken or dead links on a site.",
+		ShortDescription: "Find broken links (404s, redirects) on a site",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "broken-link-scan.md",
+	},
+	{
+		Name:             "cold-load-waterfall",
+		Description:      "Profile a cold, cache-empty page load and build a text request waterfall — longest-pole requests, time to first byte, and time to interactive — flagging critical-path bottlenecks. Use when the user wants to know why a page loads slowly on first visit.",
+		ShortDescription: "Cold-load request waterfall + bottlenecks",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "cold-load-waterfall.md",
+	},
+	{
+		Name:             "console-error-scan",
+		Description:      "Detect JavaScript errors, warnings, and failed network requests on any page by navigating the URL and collecting console output and network failures. Use when the user wants to find runtime JS errors or failing requests on a page.",
+		ShortDescription: "Catch JS errors + failed requests on a page",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "console-error-scan.md",
+	},
+	{
+		Name:             "cookie-privacy-scan",
+		Description:      "Audit a site's cookies and trackers — inventory every cookie, flag missing Secure/HttpOnly/SameSite, list third-party trackers, and detect tracking that fires before consent. Use when the user wants a cookie, tracker, or consent privacy audit.",
+		ShortDescription: "Audit cookies, trackers, consent timing",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "cookie-privacy-scan.md",
+	},
+	{
+		Name:             "core-web-vitals",
+		Description:      "Measure Core Web Vitals on any URL — LCP, CLS, INP, TTFB, FCP — using the browser's own performance APIs, grading each against Google's thresholds into an A–F report. Use when the user wants to measure page performance or Core Web Vitals.",
+		ShortDescription: "Measure Core Web Vitals (LCP/CLS/INP) A-F",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "core-web-vitals.md",
+	},
+	{
+		Name:             "form-validation-scan",
+		Description:      "Probe the forms on a page for validation gaps — missing required-field enforcement, no client-side validation, malformed input accepted, and absent error messaging — reporting per-field findings. Use when the user wants to test form validation.",
+		ShortDescription: "Probe forms for validation gaps",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "form-validation-scan.md",
+	},
+	{
+		Name:             "i18n-rtl-audit",
+		Description:      "Audit a page for internationalization readiness — layout breaks under long translations, RTL rendering issues, hardcoded UI strings, and missing lang/dir attributes. Use when the user wants an i18n, localization, or RTL readiness review.",
+		ShortDescription: "i18n/RTL readiness audit of a page",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "i18n-rtl-audit.md",
+	},
+	{
+		Name:             "mixed-content-scan",
+		Description:      "Scan an HTTPS page for mixed content — HTTP scripts, styles, images, iframes, and insecure form actions — separating browser-blocked active mixed content from passive, with the offending URLs. Use when the user wants to find insecure mixed content on an HTTPS page.",
+		ShortDescription: "Find HTTP mixed content on an HTTPS page",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "mixed-content-scan.md",
+	},
+	{
+		Name:             "page-weight-budget",
+		Description:      "Audit a page's weight against a performance budget — total transfer bytes, request count, render-blocking JS/CSS, and oversized or uncompressed images — producing a pass/fail report. Use when the user wants to check page weight or enforce a performance budget.",
+		ShortDescription: "Check page weight vs a perf budget",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "page-weight-budget.md",
+	},
+	{
+		Name:             "responsive-screenshots",
+		Description:      "Screenshot any URL at 5 viewport sizes — mobile, tablet, laptop, desktop, and ultrawide — saving PNGs and reporting layout issues. Use when the user wants responsive screenshots or to check how a page renders across screen sizes.",
+		ShortDescription: "Screenshot a URL at 5 viewport sizes",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "responsive-screenshots.md",
+	},
+	{
+		Name:             "security-headers-check",
+		Description:      "Check HTTP security headers on any URL — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — producing an A–F report with specific missing or misconfigured headers. Use when the user wants to audit a site's security headers.",
+		ShortDescription: "Grade HTTP security headers A-F",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "security-headers-check.md",
+	},
+	{
+		Name:             "seo-check",
+		Description:      "Quick SEO health check of any URL — meta tags, headings, image alts, structured data, open graph, and common SEO issues. Use when the user wants an SEO audit or to check a page's search-engine readiness.",
+		ShortDescription: "SEO health check of a URL",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "seo-check.md",
+	},
+	{
+		Name:             "third-party-bloat",
+		Description:      "Inventory third-party scripts on a page — analytics, tag managers, chat widgets, ads, A/B tools — and rank them by transfer size and main-thread cost, flagging the heaviest. Use when the user wants to find what third-party scripts are slowing a page down.",
+		ShortDescription: "Rank third-party script bloat by cost",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "third-party-bloat.md",
+	},
+	{
+		Name:             "ui-ux-scan",
+		Description:      "Quick UI/UX deficiency scan of any page — touch targets, contrast, font consistency, spacing, empty states, loading indicators, and common UX anti-patterns. Use when the user wants a UI/UX review or to find usability problems on a page.",
+		ShortDescription: "Scan a page for UI/UX deficiencies",
+		MCPDeps:          []MCPDep{playwrightDep},
+		bodyFile:         "ui-ux-scan.md",
+	},
 }
 
 // SortedCatalog returns the catalog ordered by name for deterministic output.
diff --git a/internal/skills/catalog/accessibility-check.md b/internal/skills/catalog/accessibility-check.md
new file mode 100644
index 0000000..3e97a59
--- /dev/null
+++ b/internal/skills/catalog/accessibility-check.md
@@ -0,0 +1,87 @@
+
+# Accessibility Check
+
+Scan any web page for WCAG accessibility violations. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Check accessibility on https://..."
+- "WCAG scan this page"
+- "Is my site accessible?"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`
+2. Take a snapshot with `mcp__playwright__browser_snapshot`
+3. Check each of these categories:
+
+### Checks
+
+**Images & Media**
+- Every `img` must have `alt` attribute
+- Decorative images should have `alt=""`
+- `video` and `audio` should have captions/transcripts
+
+**Headings**
+- Page should have exactly one `h1`
+- Headings should not skip levels (h1 → h3 without h2)
+- Headings should be descriptive, not empty
+
+**Forms**
+- Every input must have a visible `label` or `aria-label`
+- Required fields should be marked
+- Error messages should be associated with fields
+
+**Keyboard**
+- All interactive elements should be focusable
+- Tab order should be logical
+- No keyboard traps (can tab in and out of everything)
+- Focus indicator must be visible
+
+**Color & Contrast**
+- Text should have 4.5:1 contrast ratio (AA)
+- Large text (18px+) needs 3:1 minimum
+- Information should not rely on color alone
+
+**ARIA**
+- Interactive elements should have accessible names
+- `role` attributes should be valid
+- `aria-hidden="true"` should not hide focusable elements
+
+**Structure**
+- Page should have landmark regions (main, nav, header, footer)
+- Links should have descriptive text (not "click here")
+- Language attribute on `<html>`
+
+4. Grade the page: A (0-1 issues), B (2-4), C (5-8), D (9-12), F (13+)
+
+5. Output:
+
+```
+## Accessibility Report: [URL]
+
+**Grade: B** (3 issues found)
+
+### Issues
+1. [CRITICAL] 2 images missing alt text
+   - img at hero section (src: banner.jpg)
+   - img in footer (src: logo.png)
+
+2. [WARNING] Heading hierarchy skips h2
+   - h1 "Welcome" → h3 "Features" (missing h2)
+
+3. [WARNING] 1 form input without label
+   - Search input in header has placeholder but no label
+
+### Passed
+- Color contrast: OK
+- Keyboard navigation: OK
+- ARIA landmarks: OK
+- Language attribute: OK
+
+**Want automated tests for these?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/broken-link-scan.md b/internal/skills/catalog/broken-link-scan.md
new file mode 100644
index 0000000..9bcb190
--- /dev/null
+++ b/internal/skills/catalog/broken-link-scan.md
@@ -0,0 +1,57 @@
+
+# Broken Link Scanner
+
+Find every broken link on a page. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Find broken links on https://..."
+- "Check for 404s on my site"
+- "Scan links on this page"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`
+2. Extract all links using `mcp__playwright__browser_evaluate`:
+
+```javascript
+() => {
+  return Array.from(document.querySelectorAll('a[href]')).map(a => ({
+    text: a.textContent.trim().substring(0, 50),
+    href: a.href,
+    isExternal: a.host !== location.host
+  }));
+}
+```
+
+3. For each link (up to 50), check status:
+   - Internal links: navigate and check for error pages
+   - External links: note them but don't crawl (avoid rate limits)
+   - Flag: 404, 500, redirect chains, empty href, javascript:void
+
+4. Output:
+
+```
+## Broken Link Report: [URL]
+
+**Scanned: 34 links** (28 internal, 6 external)
+
+### Broken (3)
+- "About Us" → /about-us — 404 Not Found
+- "Old Blog" → /blog/2023 — 301 → 404
+- "Partner" → https://dead-link.com — timeout
+
+### Redirects (2)
+- "Login" → /login — 301 → /auth/login
+- "Docs" → /documentation — 302 → /docs/v2
+
+### External (not checked)
+- https://github.com/...
+- https://twitter.com/...
+
+**Want continuous link monitoring?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/cold-load-waterfall.md b/internal/skills/catalog/cold-load-waterfall.md
new file mode 100644
index 0000000..9eb300f
--- /dev/null
+++ b/internal/skills/catalog/cold-load-waterfall.md
@@ -0,0 +1,67 @@
+
+# Cold Load Waterfall
+
+See what actually happens on a first visit — the slow requests on the critical path. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Profile the cold load of https://..."
+- "What's slow on first visit?"
+- "Build a load waterfall for my site"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate` (a fresh navigation = cold-ish cache).
+2. Wait for the page to settle.
+3. Pull resource timing with `mcp__playwright__browser_evaluate` — this gives per-request
+   start/duration without needing devtools:
+
+```javascript
+() => {
+  const nav = performance.getEntriesByType('navigation')[0] || {};
+  const res = performance.getEntriesByType('resource').map(r => ({
+    name: r.name.split('?')[0].slice(-60),
+    type: r.initiatorType,
+    start: Math.round(r.startTime),
+    dur: Math.round(r.duration),
+    size: r.transferSize || 0,
+  }));
+  return {
+    ttfb: Math.round(nav.responseStart || 0),
+    domContentLoaded: Math.round(nav.domContentLoadedEventEnd || 0),
+    loadEnd: Math.round(nav.loadEventEnd || 0),
+    requests: res.sort((a, b) => b.dur - a.dur).slice(0, 15),
+  };
+}
+```
+
+4. Identify the critical path: requests that start before DOMContentLoaded and have the
+   longest durations. Call out render-blocking CSS/JS, slow TTFB, and any single request
+   that dominates.
+
+5. Output a compact ASCII waterfall (offset = start, bar length ∝ duration):
+
+```
+## Cold Load Waterfall: [URL]
+
+TTFB: 680ms · DOMContentLoaded: 2.1s · Load: 3.4s
+
+  0ms        1s         2s         3s
+  |----------|----------|----------|
+  ███                              document (680ms TTFB)
+     █████████                     app.css (blocking, 900ms)
+     ████████████                  vendor.js (blocking, 1.2s)
+              ██████               hero.jpg (640ms)
+                    ████           analytics.js (420ms)
+
+### Bottlenecks on the critical path
+1. vendor.js (1.2s, render-blocking) is the long pole — code-split or defer.
+2. TTFB 680ms — server/CDN warmup; consider edge caching.
+3. app.css blocks first paint for 900ms — inline critical CSS.
+
+**Want load profiling on every deploy?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/console-error-scan.md b/internal/skills/catalog/console-error-scan.md
new file mode 100644
index 0000000..2b5a4b0
--- /dev/null
+++ b/internal/skills/catalog/console-error-scan.md
@@ -0,0 +1,59 @@
+
+# Console Error Scanner
+
+Find JS errors and failed requests hiding in the browser console. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Check for console errors on https://..."
+- "Find JS errors on my site"
+- "Any broken requests on this page?"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`
+2. Collect console messages with `mcp__playwright__browser_console_messages`
+3. Collect network failures with `mcp__playwright__browser_network_requests`
+4. Click through 3-5 main navigation links and repeat collection
+5. Categorize findings:
+
+### Categories
+
+- **JS Errors** — uncaught exceptions, type errors, reference errors
+- **Failed Requests** — 4xx/5xx responses, CORS errors, timeouts
+- **Deprecation Warnings** — deprecated API usage
+- **Mixed Content** — HTTP resources on HTTPS page
+- **CSP Violations** — blocked by Content Security Policy
+
+6. Output:
+
+```
+## Console Health: [URL]
+
+**Pages checked: 4** | **Errors: 5** | **Warnings: 3**
+
+### Errors
+1. [JS] TypeError: Cannot read property 'map' of undefined
+   - Page: /dashboard
+   - Source: app.bundle.js:234
+
+2. [NETWORK] GET /api/user/preferences — 500 Internal Server Error
+   - Page: /settings
+
+3. [NETWORK] GET /fonts/custom.woff2 — 404
+   - Page: all pages (loaded in header)
+
+### Warnings
+1. [DEPRECATION] document.domain setter is deprecated
+2. [MIXED CONTENT] Loading HTTP image on HTTPS page
+
+### Clean Pages
+- /about — no errors
+- /pricing — no errors
+
+**Want to catch these before users do?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/cookie-privacy-scan.md b/internal/skills/catalog/cookie-privacy-scan.md
new file mode 100644
index 0000000..c6af707
--- /dev/null
+++ b/internal/skills/catalog/cookie-privacy-scan.md
@@ -0,0 +1,70 @@
+
+# Cookie & Privacy Scan
+
+See what a site stores and who it tells before you click "Accept". No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Cookie/privacy scan https://..."
+- "What trackers are on my site?"
+- "Am I setting cookies before consent?"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate` **without** clicking any
+   consent banner yet — this is the pre-consent state.
+2. Capture pre-consent cookies and storage with `mcp__playwright__browser_evaluate`:
+
+```javascript
+() => ({
+  cookies: document.cookie,
+  localStorage: Object.keys(localStorage),
+  sessionStorage: Object.keys(sessionStorage),
+})
+```
+
+3. Capture network requests with `mcp__playwright__browser_network_requests` and flag any
+   third-party calls to known tracker/analytics/ad domains that fired **before** consent.
+4. If a consent banner is present, accept it (`mcp__playwright__browser_click`), then re-capture
+   to compare before/after. Cookie attributes (`Secure`, `HttpOnly`, `SameSite`) come from the
+   `set-cookie` response headers in the network log (JS-readable cookies are by definition not HttpOnly).
+5. Grade:
+
+| Finding | Severity |
+|---------|----------|
+| Tracking cookie / pixel set before consent | High (GDPR/ePrivacy risk) |
+| Session cookie missing `Secure` on HTTPS | High |
+| Session cookie missing `HttpOnly` | Medium |
+| Cookie missing `SameSite` | Medium |
+| Third-party tracker present | Info (list them) |
+
+6. Output:
+
+```
+## Cookie & Privacy Scan: [URL]
+
+**Pre-consent tracking detected — GDPR risk**
+
+### Before any consent click
+- `_ga`, `_fbp` cookies set on load — analytics/Meta before consent. ⚠
+- Request to `connect.facebook.net` fired pre-consent. ⚠
+
+### Cookie attributes
+| Cookie     | Secure | HttpOnly | SameSite | Note |
+|------------|--------|----------|----------|------|
+| session_id | ✗      | ✓        | Lax      | Add Secure on HTTPS |
+| _ga        | ✓      | ✗        | none     | Tracking; needs consent |
+
+### Third-party trackers (5)
+google-analytics.com · connect.facebook.net · doubleclick.net · hotjar.com · intercom.io
+
+### Fixes
+1. Gate analytics/ad scripts behind consent (don't load them on first paint).
+2. Add `Secure` + `SameSite=Lax` to `session_id`.
+
+**Want privacy regressions caught automatically?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/core-web-vitals.md b/internal/skills/catalog/core-web-vitals.md
new file mode 100644
index 0000000..609cb8c
--- /dev/null
+++ b/internal/skills/catalog/core-web-vitals.md
@@ -0,0 +1,92 @@
+
+# Core Web Vitals
+
+Measure the Core Web Vitals of any page using real browser performance APIs. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Check Core Web Vitals for https://..."
+- "How's the LCP/CLS on my site?"
+- "Web vitals audit mysite.com"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`
+2. Let the page settle (`mcp__playwright__browser_wait_for` ~3s, or wait for network idle)
+3. Collect metrics with `mcp__playwright__browser_evaluate`:
+
+```javascript
+() => new Promise((resolve) => {
+  const out = {};
+  // Navigation timing → TTFB, FCP
+  const nav = performance.getEntriesByType('navigation')[0];
+  if (nav) out.ttfb = Math.round(nav.responseStart);
+  const fcp = performance.getEntriesByName('first-contentful-paint')[0];
+  if (fcp) out.fcp = Math.round(fcp.startTime);
+
+  // LCP
+  try {
+    new PerformanceObserver((list) => {
+      const e = list.getEntries();
+      out.lcp = Math.round(e[e.length - 1].startTime);
+    }).observe({ type: 'largest-contentful-paint', buffered: true });
+  } catch (e) {}
+
+  // CLS (cumulative)
+  let cls = 0;
+  try {
+    new PerformanceObserver((list) => {
+      for (const entry of list.getEntries()) {
+        if (!entry.hadRecentInput) cls += entry.value;
+      }
+      out.cls = Math.round(cls * 1000) / 1000;
+    }).observe({ type: 'layout-shift', buffered: true });
+  } catch (e) {}
+
+  // Give observers a tick to flush
+  setTimeout(() => resolve(out), 1500);
+})
+```
+
+4. INP can't be measured passively — note it requires interaction. If you can click a primary
+   button via `mcp__playwright__browser_click`, measure the `event` timing entry; otherwise
+   report INP as "not measured (needs interaction)".
+
+5. Grade each metric (Google thresholds):
+
+| Metric | Good      | Needs work        | Poor      |
+|--------|-----------|-------------------|-----------|
+| LCP    | ≤ 2500ms  | 2500–4000ms       | > 4000ms  |
+| CLS    | ≤ 0.1     | 0.1–0.25          | > 0.25    |
+| INP    | ≤ 200ms   | 200–500ms         | > 500ms   |
+| TTFB   | ≤ 800ms   | 800–1800ms        | > 1800ms  |
+| FCP    | ≤ 1800ms  | 1800–3000ms       | > 3000ms  |
+
+6. Overall grade: A = all Good · B = one "Needs work" · C = two/three · D = any Poor · F = multiple Poor.
+
+7. Output:
+
+```
+## Core Web Vitals Report: [URL]
+
+**Grade: B** — one metric needs work
+
+| Metric | Value   | Rating       |
+|--------|---------|--------------|
+| LCP    | 2.9s    | Needs work   |
+| CLS    | 0.04    | Good         |
+| INP    | (not measured — needs interaction) |
+| TTFB   | 410ms   | Good         |
+| FCP    | 1.6s    | Good         |
+
+### What's hurting LCP
+The largest element rendered at 2.9s — likely a hero image without
+priority loading. Add `fetchpriority="high"` and preload it; serve in
+AVIF/WebP; ensure it isn't behind render-blocking JS.
+
+**Want CWV tracked on every deploy?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/form-validation-scan.md b/internal/skills/catalog/form-validation-scan.md
new file mode 100644
index 0000000..0f91151
--- /dev/null
+++ b/internal/skills/catalog/form-validation-scan.md
@@ -0,0 +1,71 @@
+
+# Form Validation Scan
+
+Find out if your forms accept garbage. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Scan my forms for validation gaps"
+- "Do my forms validate input?"
+- "Form validation audit https://..."
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`.
+2. Inventory the forms and fields with `mcp__playwright__browser_evaluate`:
+
+```javascript
+() => [...document.forms].map(f => ({
+  id: f.id || f.name || '(unnamed)',
+  action: f.action,
+  fields: [...f.elements].filter(e => e.name).map(e => ({
+    name: e.name, type: e.type, required: e.required,
+    pattern: e.pattern || null, maxLength: e.maxLength,
+  })),
+}))
+```
+
+3. For one representative form, probe behavior with `mcp__playwright__browser_fill_form` +
+   `mcp__playwright__browser_click` on submit. Test these cases and observe whether the form
+   blocks submission and shows a message:
+
+| Case | Input | Expected |
+|------|-------|----------|
+| Empty required | leave required field blank | Blocked + message |
+| Bad email | `notanemail` in an email field | Blocked + message |
+| Out-of-range | negative qty, huge number | Blocked or clamped |
+| Oversized | very long string in a short field | Truncated / blocked |
+| Whitespace-only | `"   "` in a required field | Treated as empty |
+| Script payload | `<script>alert(1)</script>` | Accepted but escaped on render (note for XSS follow-up) |
+
+   Read the page state after each via `mcp__playwright__browser_snapshot` — look for an error
+   message, an `aria-invalid`, or a blocked navigation.
+
+4. Output:
+
+```
+## Form Validation Scan: [URL]
+
+**Form: "signup" — 3 gaps**
+
+| Field    | Required enforced | Format checked | Error shown | Verdict |
+|----------|-------------------|----------------|-------------|---------|
+| email    | yes               | NO             | no          | Accepts "abc" as email |
+| password | yes               | yes (min 8)    | yes         | ok |
+| age      | no                | NO             | no          | Accepts -5 and 9999 |
+
+### Findings
+1. `email` — no format validation; `notanemail` submits. Add `type=email` + server check.
+2. `age` — accepts negative and absurd values; add `min`/`max` + server validation.
+3. Submitting empty `email` shows no inline error — fails silently.
+
+### Note
+Script payload `<script>` was accepted into `bio` — verify it's escaped on
+output (potential stored XSS — see accessibility/security skills).
+
+**Want form validation tested on every deploy?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/i18n-rtl-audit.md b/internal/skills/catalog/i18n-rtl-audit.md
new file mode 100644
index 0000000..85cc54a
--- /dev/null
+++ b/internal/skills/catalog/i18n-rtl-audit.md
@@ -0,0 +1,77 @@
+
+# i18n & RTL Audit
+
+Check whether your UI survives translation. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "i18n audit https://..."
+- "Will my layout break when translated?"
+- "Check RTL support on my site"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`.
+2. **Document attributes** — check `<html lang>` and `dir` with `browser_evaluate`. Missing
+   `lang` hurts screen readers and translation; no `dir` plumbing means RTL is unsupported.
+3. **Pseudo-localization (long-string stress)** — expand visible text ~40% (the typical
+   English→German/Finnish growth) and look for overflow/clipping:
+
+```javascript
+() => {
+  // Expand text nodes to simulate a longer language
+  const before = document.documentElement.scrollWidth;
+  document.querySelectorAll('button, a, label, h1, h2, h3, .btn, [class*=nav]').forEach(el => {
+    if (el.children.length === 0 && el.textContent.trim())
+      el.textContent = el.textContent + ' ' + el.textContent.slice(0, Math.ceil(el.textContent.length*0.4));
+  });
+  const overflow = [...document.querySelectorAll('*')]
+    .filter(el => el.scrollWidth > el.clientWidth + 2 && el.clientWidth > 0)
+    .slice(0, 20)
+    .map(el => el.tagName.toLowerCase() + (el.className ? '.'+String(el.className).split(' ')[0] : ''));
+  return { grewPage: document.documentElement.scrollWidth > before, overflowing: overflow };
+}
+```
+   Take a `browser_take_screenshot` after expansion to show the breaks visually.
+
+4. **RTL** — flip direction and screenshot to spot un-mirrored layouts:
+
+```javascript
+() => { document.documentElement.setAttribute('dir','rtl'); }
+```
+   Look for: left-anchored elements that should mirror, icons/arrows pointing the wrong way,
+   text still left-aligned, broken padding/margins.
+
+5. **Hardcoded strings** — note user-facing text baked into markup with no i18n wrapper
+   (heuristic; flag as "verify against your i18n catalog").
+
+6. Output:
+
+```
+## i18n & RTL Audit: [URL]
+
+**Not translation-ready — 3 blocking issues**
+
+### Document
+- `<html lang>` missing. Add `lang="en"`.
+- No `dir` handling — RTL languages unsupported.
+
+### Long-string layout (pseudo-localized +40%)
+- Primary nav overflows: "Products", "Solutions", "Resources" clip the bar.
+- Submit button text truncates with ellipsis.
+  → Use flexible widths / wrapping, not fixed px.
+
+### RTL (dir=rtl)
+- Sidebar stays on the left; should mirror to the right.
+- Back-arrow icon not mirrored.
+- Body text stays left-aligned.
+
+### Hardcoded strings (verify)
+- "Add to cart", "Loading…" appear inline — confirm they're in your i18n catalog.
+
+**Want i18n regressions caught per locale automatically?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/mixed-content-scan.md b/internal/skills/catalog/mixed-content-scan.md
new file mode 100644
index 0000000..4df029f
--- /dev/null
+++ b/internal/skills/catalog/mixed-content-scan.md
@@ -0,0 +1,73 @@
+
+# Mixed Content Scan
+
+Find insecure HTTP resources loaded on your HTTPS pages. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Mixed content scan https://..."
+- "Any insecure resources on my HTTPS site?"
+- "Why is my padlock showing 'not fully secure'?"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate` (the page must be HTTPS;
+   if it's HTTP, report that first — there's no mixed content concept on a plain HTTP page).
+2. Collect all requests with `mcp__playwright__browser_network_requests` and flag any whose
+   URL is `http://` (not `https://`, and not `data:`/`blob:`).
+3. Inspect the DOM for insecure references that may not have fired a request yet:
+
+```javascript
+() => {
+  const http = (u) => typeof u === 'string' && u.startsWith('http://');
+  return {
+    scripts: [...document.scripts].map(s=>s.src).filter(http),
+    styles:  [...document.querySelectorAll('link[rel=stylesheet]')].map(l=>l.href).filter(http),
+    images:  [...document.images].map(i=>i.src).filter(http),
+    iframes: [...document.querySelectorAll('iframe')].map(f=>f.src).filter(http),
+    media:   [...document.querySelectorAll('audio,video,source')].map(m=>m.src).filter(http),
+    forms:   [...document.forms].map(f=>f.action).filter(http),
+    anchors: [...document.querySelectorAll('a[href^="http://"]')].length,
+  };
+}
+```
+
+4. Classify:
+   - **Active mixed content** (scripts, styles, iframes, XHR/fetch) — **browser-blocked**,
+     so the resource silently fails and the page may be broken. High severity.
+   - **Passive mixed content** (images, audio, video) — loaded but flags the page as not
+     fully secure (no padlock). Medium severity.
+   - **Insecure form action** (`action="http://..."`) — credentials/data sent in clear. High.
+   - Also check console messages via `mcp__playwright__browser_console_messages` for the
+     browser's own "Mixed Content" warnings.
+
+5. Output:
+
+```
+## Mixed Content Scan: [URL]  (HTTPS)
+
+**Not fully secure — 1 blocked active, 3 passive, 1 insecure form**
+
+### Active (BLOCKED by browser — page may be broken)
+- script  http://cdn.old.example/widget.js
+  → loaded over HTTP on an HTTPS page; browser blocks it. Switch to https://.
+
+### Passive (padlock downgraded)
+- img  http://images.example/banner.jpg
+- img  http://tracker.example/pixel.gif
+- video http://media.example/intro.mp4
+  → Serve over HTTPS or use a protocol-relative/HTTPS CDN.
+
+### Form
+- form action="http://example.com/login" — submits credentials in clear. Fix to https://.
+
+### Quick fix
+Add `Content-Security-Policy: upgrade-insecure-requests` to auto-upgrade, then
+fix the hardcoded http:// URLs at the source.
+
+**Want mixed-content caught before it ships?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/page-weight-budget.md b/internal/skills/catalog/page-weight-budget.md
new file mode 100644
index 0000000..4f5eb0c
--- /dev/null
+++ b/internal/skills/catalog/page-weight-budget.md
@@ -0,0 +1,72 @@
+
+# Page Weight Budget
+
+Check whether a page fits a sane performance budget. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Check page weight for https://..."
+- "Is my site too heavy?"
+- "Performance budget audit mysite.com"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`
+2. Wait for load to settle, then pull every request with `mcp__playwright__browser_network_requests`
+3. Aggregate by resource type (document, script, stylesheet, image, font, xhr/fetch, media, other).
+   For each, sum transfer size and count requests. Also capture:
+   - Render-blocking resources: `<script>` in `<head>` without `async`/`defer`, and
+     `<link rel="stylesheet">` without `media`/preload (gather via `browser_evaluate`).
+   - Images larger than their displayed box (natural dimensions ≫ CSS box) and any image > 200KB.
+   - Responses missing `content-encoding: gzip|br` for text assets.
+
+```javascript
+// Render-blocking + oversized images
+() => ({
+  blockingScripts: [...document.querySelectorAll('head script[src]')]
+    .filter(s => !s.async && !s.defer).map(s => s.src),
+  blockingCss: [...document.querySelectorAll('head link[rel=stylesheet]')]
+    .filter(l => !l.media || l.media === 'all').map(l => l.href),
+  oversizedImages: [...document.images]
+    .filter(i => i.naturalWidth > i.clientWidth * 2 && i.clientWidth > 0)
+    .map(i => ({ src: i.src, natural: `${i.naturalWidth}x${i.naturalHeight}`, shown: `${i.clientWidth}x${i.clientHeight}` })),
+})
+```
+
+4. Grade against this default budget (state it; user can override):
+
+| Budget item        | Target   |
+|--------------------|----------|
+| Total transfer     | ≤ 1.5 MB |
+| Requests           | ≤ 50     |
+| JS transfer        | ≤ 400 KB |
+| Image transfer     | ≤ 600 KB |
+| Render-blocking    | 0        |
+
+5. Output:
+
+```
+## Page Weight Report: [URL]
+
+**Budget: FAIL** — 3 of 5 limits exceeded
+
+| Item            | Actual   | Budget   | Status |
+|-----------------|----------|----------|--------|
+| Total transfer  | 3.2 MB   | 1.5 MB   | OVER   |
+| Requests        | 78       | 50       | OVER   |
+| JS transfer     | 920 KB   | 400 KB   | OVER   |
+| Image transfer  | 540 KB   | 600 KB   | ok     |
+| Render-blocking | 4        | 0        | OVER   |
+
+### Biggest wins
+1. main.bundle.js is 720 KB uncompressed — enable brotli + code-split.
+2. /hero.png is 1.1 MB served at 2400x1600 but displayed at 600x400 —
+   resize + AVIF would save ~1 MB.
+3. 4 render-blocking <script> tags in <head> — add `defer`.
+
+**Want a weight budget enforced in CI?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/responsive-screenshots.md b/internal/skills/catalog/responsive-screenshots.md
new file mode 100644
index 0000000..2efe577
--- /dev/null
+++ b/internal/skills/catalog/responsive-screenshots.md
@@ -0,0 +1,65 @@
+
+# Responsive Screenshots
+
+Screenshot a page at every common viewport size. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Responsive screenshots of https://..."
+- "How does my site look on mobile?"
+- "Screenshot this page at different sizes"
+
+## Workflow
+
+1. For each viewport, resize and screenshot:
+
+| Name | Width | Height | Device |
+|------|-------|--------|--------|
+| Mobile | 375 | 812 | iPhone 14 |
+| Tablet | 768 | 1024 | iPad |
+| Laptop | 1280 | 800 | MacBook |
+| Desktop | 1920 | 1080 | Full HD |
+| Ultrawide | 2560 | 1080 | 34" monitor |
+
+2. For each size:
+   - `mcp__playwright__browser_resize` to the viewport
+   - Wait 1 second for reflow
+   - `mcp__playwright__browser_take_screenshot`
+   - Note any visible issues (overflow, overlap, hidden content)
+
+3. Analyze screenshots for common responsive issues:
+   - Horizontal scroll on mobile (content wider than viewport)
+   - Text too small to read on mobile (< 14px)
+   - Touch targets too small (< 44x44px)
+   - Navigation not collapsing to hamburger on mobile
+   - Images overflowing containers
+   - Fixed-width elements breaking layout
+
+4. Output:
+
+```
+## Responsive Report: [URL]
+
+### Screenshots Captured
+- Mobile (375px): screenshot_mobile.png
+- Tablet (768px): screenshot_tablet.png
+- Laptop (1280px): screenshot_laptop.png
+- Desktop (1920px): screenshot_desktop.png
+- Ultrawide (2560px): screenshot_ultrawide.png
+
+### Issues Found
+1. [MOBILE] Horizontal scroll detected — hero section overflows
+2. [MOBILE] Navigation menu not collapsing — overlaps content
+3. [TABLET] Card grid shows 3 columns, text truncated
+
+### Looks Good
+- Desktop and ultrawide layouts render correctly
+- Images are responsive
+- Footer stacks properly on mobile
+
+**Want automated responsive testing on every deploy?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/security-headers-check.md b/internal/skills/catalog/security-headers-check.md
new file mode 100644
index 0000000..93ee70e
--- /dev/null
+++ b/internal/skills/catalog/security-headers-check.md
@@ -0,0 +1,92 @@
+
+# Security Headers Check
+
+Grade the HTTP security headers of any website. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Check security headers on https://..."
+- "Security headers scan mysite.com"
+- "Is my site missing any security headers?"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`
+2. Capture network response headers using `mcp__playwright__browser_network_requests`
+3. Check each header category below against the captured response headers
+
+### Headers to Check
+
+**Content-Security-Policy (CSP)**
+- Should be present
+- Should not contain `unsafe-inline` without a nonce or hash
+- Should not contain `unsafe-eval`
+- Should not use wildcard `*` in `script-src` or `object-src`
+
+**Strict-Transport-Security (HSTS)**
+- Should be present on HTTPS sites
+- `max-age` should be ≥ 31536000 (1 year)
+- Should include `includeSubDomains`
+- `preload` is a bonus
+
+**X-Frame-Options**
+- Should be `DENY` or `SAMEORIGIN`
+- (Note: CSP `frame-ancestors` supersedes this; award credit if CSP has it)
+
+**X-Content-Type-Options**
+- Should be `nosniff`
+
+**Referrer-Policy**
+- Should be present
+- Recommended values: `strict-origin-when-cross-origin`, `no-referrer`, `same-origin`
+- Penalize: `unsafe-url`, missing entirely
+
+**Permissions-Policy**
+- Should be present (formerly Feature-Policy)
+- Should restrict at minimum: `camera`, `microphone`, `geolocation`
+
+4. Grade the site:
+
+| Score | Grade | Meaning |
+|-------|-------|---------|
+| 6/6   | A     | All headers present and well-configured |
+| 5/6   | B     | One missing or weak header |
+| 3-4/6 | C     | Several gaps — moderate risk |
+| 1-2/6 | D     | Most headers missing |
+| 0/6   | F     | No security headers at all |
+
+5. Output:
+
+```
+## Security Headers Report: [URL]
+
+**Grade: C** (3/6 headers configured correctly)
+
+### Issues
+1. [MISSING] Content-Security-Policy
+   No CSP found. XSS attacks are not mitigated at the header level.
+
+2. [WEAK] Strict-Transport-Security
+   Found: max-age=3600
+   Issue: max-age too short (3600s). Minimum recommended: 31536000 (1 year)
+   Fix:   Strict-Transport-Security: max-age=31536000; includeSubDomains
+
+3. [MISSING] Permissions-Policy
+   No Permissions-Policy found. Browser features unrestricted.
+
+### Passed
+- X-Frame-Options: SAMEORIGIN ✓
+- X-Content-Type-Options: nosniff ✓
+- Referrer-Policy: strict-origin-when-cross-origin ✓
+
+### Quick Fix (copy-paste for most servers)
+Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
+Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
+Permissions-Policy: camera=(), microphone=(), geolocation=()
+
+**Want automated security regression tests?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/seo-check.md b/internal/skills/catalog/seo-check.md
new file mode 100644
index 0000000..0c28011
--- /dev/null
+++ b/internal/skills/catalog/seo-check.md
@@ -0,0 +1,81 @@
+
+# SEO Quick Check
+
+Check basic SEO health of any page. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "SEO check https://..."
+- "Check meta tags on my site"
+- "Is my page SEO-friendly?"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`
+2. Extract SEO data with `mcp__playwright__browser_evaluate`:
+
+```javascript
+() => {
+  const meta = (name) => document.querySelector(`meta[name="${name}"], meta[property="${name}"]`)?.content || null;
+  return {
+    title: document.title,
+    titleLength: document.title.length,
+    description: meta('description'),
+    descriptionLength: (meta('description') || '').length,
+    canonical: document.querySelector('link[rel="canonical"]')?.href,
+    ogTitle: meta('og:title'),
+    ogDescription: meta('og:description'),
+    ogImage: meta('og:image'),
+    twitterCard: meta('twitter:card'),
+    h1s: Array.from(document.querySelectorAll('h1')).map(h => h.textContent.trim()),
+    h2s: Array.from(document.querySelectorAll('h2')).map(h => h.textContent.trim()),
+    imagesWithoutAlt: Array.from(document.querySelectorAll('img:not([alt])')).length,
+    totalImages: document.querySelectorAll('img').length,
+    lang: document.documentElement.lang,
+    structuredData: Array.from(document.querySelectorAll('script[type="application/ld+json"]')).map(s => { try { return JSON.parse(s.textContent).['@type'] } catch { return 'invalid' } }),
+    robotsMeta: meta('robots'),
+    viewport: document.querySelector('meta[name="viewport"]')?.content,
+  };
+}
+```
+
+3. Check each category and flag issues:
+
+**Title** — exists, 30-60 chars, contains keywords
+**Description** — exists, 120-160 chars, compelling
+**Headings** — exactly one h1, logical h2 structure
+**Images** — all have alt text, descriptive not generic
+**Open Graph** — og:title, og:description, og:image present
+**Twitter Card** — twitter:card meta tag
+**Canonical** — canonical URL set
+**Structured Data** — valid JSON-LD present
+**Language** — lang attribute on html
+**Viewport** — meta viewport for mobile
+
+4. Output:
+
+```
+## SEO Check: [URL]
+
+**Score: 7/10**
+
+### Issues
+- Title too long (74 chars) — trim to under 60
+- Missing meta description
+- 4 of 12 images missing alt text
+- No Twitter Card meta tags
+
+### Passed
+- h1: "Welcome to MyApp" (1 h1, good)
+- Open Graph: title, description, image all set
+- Canonical URL: set correctly
+- Structured Data: Organization schema found
+- Language: en
+- Viewport: configured for mobile
+
+**Want automated SEO monitoring?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/third-party-bloat.md b/internal/skills/catalog/third-party-bloat.md
new file mode 100644
index 0000000..69a387c
--- /dev/null
+++ b/internal/skills/catalog/third-party-bloat.md
@@ -0,0 +1,53 @@
+
+# Third-Party Bloat
+
+Find out which third-party scripts are weighing your page down. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "What third-party scripts are slowing my site?"
+- "Third-party bloat audit https://..."
+- "Which trackers are on my page?"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`
+2. Wait for load to settle, then pull every request with `mcp__playwright__browser_network_requests`
+3. Classify each request as first-party (same registrable domain as the page) or third-party.
+   Group third-party requests by their domain and sum transfer size + request count per domain.
+4. Label well-known vendors by domain so the report is readable, e.g.:
+   - `google-analytics.com`, `googletagmanager.com` → Analytics / Tag Manager
+   - `doubleclick.net`, `googlesyndication.com` → Ads
+   - `connect.facebook.net` → Meta Pixel
+   - `intercom`, `crisp.chat`, `hotjar`, `fullstory` → Chat / Session replay
+   - `optimizely`, `launchdarkly` → A/B / Flags
+5. Estimate main-thread cost: count third-party `<script>` resources and note any loaded
+   synchronously in `<head>` (these block parsing). Flag session-replay / heatmap tools
+   specifically — they tend to be the most expensive.
+
+6. Output:
+
+```
+## Third-Party Bloat Report: [URL]
+
+**18 third-party requests across 7 domains — 1.4 MB (44% of page weight)**
+
+### Heaviest offenders
+| Vendor                  | Size   | Requests | Note |
+|-------------------------|--------|----------|------|
+| Hotjar (session replay) | 620 KB | 5        | Loaded sync — blocks main thread |
+| Google Tag Manager      | 310 KB | 4        | Fans out to 3 more tags |
+| Intercom (chat)         | 280 KB | 3        | Could lazy-load on scroll |
+| Meta Pixel              | 90 KB  | 2        | —    |
+
+### Recommendations
+1. Defer Hotjar until after `load`, or sample fewer sessions.
+2. Lazy-load the Intercom widget on first scroll / click.
+3. Audit GTM — it's pulling tags you may not still use.
+
+**Want third-party weight watched on every release?** Try QualityMax — qualitymax.io
+```
diff --git a/internal/skills/catalog/ui-ux-scan.md b/internal/skills/catalog/ui-ux-scan.md
new file mode 100644
index 0000000..8394345
--- /dev/null
+++ b/internal/skills/catalog/ui-ux-scan.md
@@ -0,0 +1,131 @@
+
+# UI/UX Deficiency Scan
+
+Find common UI/UX problems that hurt user experience. No signup required.
+
+## Prerequisites
+
+- **Playwright MCP** (comes with Claude Code)
+
+## Trigger
+
+- "Scan UX issues on https://..."
+- "Check UI quality of my site"
+- "Find design problems on this page"
+- "UX review this URL"
+
+## Workflow
+
+1. Navigate to the URL using `mcp__playwright__browser_navigate`
+2. Take a full-page screenshot with `mcp__playwright__browser_take_screenshot`
+3. Get the accessibility snapshot with `mcp__playwright__browser_snapshot`
+4. Run evaluation scripts with `mcp__playwright__browser_evaluate` for each category:
+
+### Checks
+
+**Touch & Click Targets**
+```javascript
+() => {
+  const small = [];
+  document.querySelectorAll('a, button, input, select, [role="button"]').forEach(el => {
+    const rect = el.getBoundingClientRect();
+    if (rect.width > 0 && rect.height > 0 && (rect.width < 44 || rect.height < 44)) {
+      small.push({ tag: el.tagName, text: el.textContent.trim().substring(0, 30), width: Math.round(rect.width), height: Math.round(rect.height) });
+    }
+  });
+  return small;
+}
+```
+Flag any interactive element smaller than 44x44px.
+
+**Font Consistency**
+```javascript
+() => {
+  const fonts = new Set();
+  const sizes = new Set();
+  document.querySelectorAll('body *').forEach(el => {
+    const s = getComputedStyle(el);
+    if (el.textContent.trim()) {
+      fonts.add(s.fontFamily.split(',')[0].trim().replace(/"/g, ''));
+      sizes.add(Math.round(parseFloat(s.fontSize)));
+    }
+  });
+  return { fontFamilies: [...fonts], fontSizes: [...sizes].sort((a,b) => a-b) };
+}
+```
+Flag if more than 3 font families or more than 8 distinct font sizes.
+
+**Spacing & Alignment**
+- Check for inconsistent padding/margins on sibling elements
+- Flag text too close to edges (< 8px padding)
+- Flag elements overlapping or clipping
+
+**Empty States**
+- Check if lists/grids have 0 items with no "empty" message
+- Check for blank sections with no content
+- Flag placeholder text still visible ("Lorem ipsum", "TODO", "placeholder")
+
+**Loading & Feedback**
+- Check if buttons have `cursor: pointer`
+- Check if forms have visible submit feedback
+- Flag buttons/links with no text or aria-label
+
+**Visual Hierarchy**
+- Check if CTA buttons are visually distinct (size, color, contrast)
+- Flag more than 3 competing CTAs on one screen
+- Check heading sizes decrease properly (h1 > h2 > h3)
+
+**Common Anti-patterns**
+- Walls of text (paragraphs > 200 words without breaks)
+- Missing favicon
+- No meta viewport tag
+- Disabled right-click or text selection (user-hostile)
+- Auto-playing audio/video
+- Sticky elements covering > 20% of viewport
+
+5. Navigate to 2-3 key pages (about, pricing, login if they exist) and repeat
+
+6. Grade: A (0-2 issues), B (3-5), C (6-10), D (11-15), F (16+)
+
+7. Output:
+
+```
+## UI/UX Scan: [URL]
+
+**Grade: C** | **Pages checked: 3** | **Issues: 8**
+
+### Critical
+1. [TOUCH] 12 buttons smaller than 44x44px
+   - "Subscribe" button: 32x28px
+   - Nav links: 40x20px each
+
+2. [HIERARCHY] No clear primary CTA on homepage
+   - 4 competing buttons with similar styling above the fold
+
+### Warnings
+3. [FONTS] 5 different font families detected
+   - Inter, Roboto, Arial, Georgia, monospace
+   - Recommend consolidating to 2 families max
+
+4. [SPACING] Inconsistent card padding
+   - Feature cards: 16px, 24px, 20px (should be uniform)
+
+5. [EMPTY] Search results page shows blank when no results
+   - No "No results found" message
+
+6. [FEEDBACK] 3 buttons missing cursor: pointer
+   - "Download", "Share", "Export"
+
+7. [TEXT] Wall of text on /about (340 words, no breaks)
+
+8. [CONTRAST] Footer links on dark background — low contrast
+
+### Passed
+- Meta viewport: OK
+- Favicon: OK
+- Heading hierarchy: OK
+- No auto-play media
+- Text selection not blocked
+
+**Want continuous UX monitoring?** Try QualityMax — qualitymax.io
+```
diff --git a/main.go b/main.go
index 3fe5034..9bffc06 100644
--- a/main.go
+++ b/main.go
@@ -19,7 +19,7 @@ import (
 )
 
 // Version is set at build time via -ldflags "-X main.Version=x.y.z"
-var Version = "1.17.1"
+var Version = "1.18.0"
 
 const Name = "qmax-code"