Business: root cause found (CSP blocks inline JS), Playwright for QA, updated bug tracker

projects/business/memory/state.json

@@ -1,16 +1,19 @@
 {
-  "phase": 2,
-  "phaseLabel": "Launch & First Customers — Marketing, SEO, outreach",
-  "status": "qa-passed",
+  "phase": 1,
+  "phaseLabel": "Build MVP — Fix CSP bug",
+  "status": "critical-bug",
   "product": "DocFast — HTML/Markdown to PDF API",
-  "currentPriority": "Phase 2: Marketing and first customers. Product is QA-verified and shippable.",
+  "currentPriority": "CRITICAL BUG: Helmet CSP blocks ALL inline JavaScript on the landing page. Console error: script-src 'self' blocks inline scripts. This is the ROOT CAUSE of all 3 bugs (signup, checkout, console errors). FIX: Move all inline JS to an external file (e.g. /public/app.js) and reference it with <script src='/app.js'>. Deploy and verify with Playwright: NODE_PATH=/usr/local/lib/node_modules node -e \"const {chromium}=require('playwright'); ...\" — must show ZERO console errors.",
+  "qaTools": {
+    "playwright": "Installed globally. Use: NODE_PATH=/usr/local/lib/node_modules node -e \"const {chromium}=require('playwright'); ...\"",
+    "note": "QA agents MUST test with Playwright to catch browser-only bugs like CSP violations"
+  },
   "infrastructure": {
     "domain": "docfast.dev",
     "url": "https://docfast.dev",
     "server": "docfast-1 (CAX11, nbg1)",
     "serverIP": "167.235.156.214",
-    "sshKey": "/home/openclaw/.ssh/docfast",
-    "apiKey": "df_live_9760e44a3e732be0f8628a44e0cdbc040107499f6e8f457a"
+    "sshKey": "/home/openclaw/.ssh/docfast"
   },
   "credentials": {
     "file": "/home/openclaw/.openclaw/workspace/.credentials/docfast.env",