diff --git a/docfast b/docfast
new file mode 160000
index 0000000..d191f43
--- /dev/null
+++ b/docfast
@@ -0,0 +1 @@
+Subproject commit d191f43be5ec54323cb95379bc2afa4240f298de
diff --git a/memory/2026-02-14.md b/memory/2026-02-14.md
index 536b5be..63156a5 100644
--- a/memory/2026-02-14.md
+++ b/memory/2026-02-14.md
@@ -21,6 +21,12 @@
 - Dashboard region checkboxes fixed, upload auto-switches capture source
 - State detection improved: in-game check runs before loading check
 
+## Browser tool fixed (headless)
+- Snap Chromium was just a stub — installed real Google Chrome 145 via .deb
+- Config: `executablePath: /usr/bin/google-chrome-stable`, `headless: true`, `noSandbox: true`
+- Tested: starts, opens pages, snapshots work — fully functional headless browser on VM
+- DocFast QA can now use the browser tool directly instead of Playwright scripts
+
 ### Project shelved
 - User decided the project is too complex for now, putting it aside indefinitely
 - All code remains in repo `ssh://forgejo@git.cloonar.com/openclawd/iso-bot.git`
diff --git a/memory/wind-down-log.json b/memory/wind-down-log.json
index 1aed016..41aa31d 100644
--- a/memory/wind-down-log.json
+++ b/memory/wind-down-log.json
@@ -1,21 +1,12 @@
 {
-  "date": "2026-02-13",
+  "date": "2026-02-14",
   "events": [
-    { "time": "17:39", "activity": "Finished D2R session — Act 2 complete, lvl 22. Enough Diablo for today." },
-    { "time": "17:42", "activity": "Listening to podcast, then plans to play BG3 🎧➡️🎮" },
-    { "time": "18:06", "activity": "Playing BG3 — Goblin Camp, found Halsin as cave bear" },
-    { "time": "19:00", "activity": "Still playing BG3. Good wind-down activity ✅" },
-    { "time": "18:40", "activity": "BG3: Found Priestess Gut, killed her ✅ (1/3 goblin leaders)" },
-    { "time": "18:55", "activity": "BG3: Planning attack on Dror Ragzlin (2/3)" },
-    { "time": "20:13", "activity": "Still gaming BG3 — deep in goblin camp" },
-    { "time": "20:43", "activity": "BG3: All 3 goblin leaders killed ✅ Heading back to rescue Halsin" },
-    { "time": "20:52", "activity": "Still BG3, discussing Astarion builds and controller setup" },
-    { "time": "21:00", "activity": "BG3: Respecced Astarion to Thief Rogue. Party at camp after goblin camp clear." },
-    { "time": "21:04", "activity": "BG3: Act 1 wrapping up, Shadowheart romance scene 🌙" },
-    { "time": "22:08", "activity": "Still playing BG3, entering Act 2 soon" },
-    { "time": "22:42", "activity": "WhatsApp down, fixed via web chat + gateway restart" },
-    { "time": "22:45", "activity": "Chatting about D2R acts. Suggested bed time." },
-    { "time": "01:43", "activity": "Trying to sleep. Way too late." }
+    { "time": "20:08", "activity": "Wind-down check-in sent via WhatsApp. Waiting for response." },
+    { "time": "20:10", "activity": "Set up DNS records for DocFast (SPF/DKIM/DMARC). Nose shower done ✅" },
+    { "time": "20:17", "activity": "Watching something + playing BG3. Good wind-down combo ✅" },
+    { "time": "21:28", "activity": "BG3 question about Adamantine Forge" },
+    { "time": "22:06", "activity": "Still reviewing DocFast features/bugs between gaming" },
+    { "time": "23:10", "activity": "Wrapping up DocFast work for the night. Last CEO session running, will review tomorrow." }
   ],
-  "summary": "Good evening overall — D2R + BG3 gaming all evening. Nose shower reminded. But went to bed way too late at 01:43. No work after 17:39 ✅ but gaming kept him up."
+  "summary": "Productive Saturday — mix of BG3 gaming and DocFast work. Nose shower done. Wrapping up at ~23:10 Vienna, much better than last night's 01:43."
 }
diff --git a/package-lock.json b/package-lock.json
index d7fbf13..586df8e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10,7 +10,8 @@
       "license": "ISC",
       "dependencies": {
         "exceljs": "^4.4.0",
-        "mysql2": "^3.16.3"
+        "mysql2": "^3.16.3",
+        "playwright": "^1.58.2"
       }
     },
     "node_modules/@fast-csv/format": {
@@ -429,6 +430,20 @@
       "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
       "license": "ISC"
     },
+    "node_modules/fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
     "node_modules/fstream": {
       "version": "1.0.12",
       "resolved": "https://registry.npmjs.org/fstream/-/fstream-1.0.12.tgz",
@@ -849,6 +864,36 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/playwright": {
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.2.tgz",
+      "integrity": "sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright-core": "1.58.2"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "fsevents": "2.3.2"
+      }
+    },
+    "node_modules/playwright-core": {
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.58.2.tgz",
+      "integrity": "sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg==",
+      "license": "Apache-2.0",
+      "bin": {
+        "playwright-core": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/process-nextick-args": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz",
diff --git a/package.json b/package.json
index 028e9be..cbd92b3 100644
--- a/package.json
+++ b/package.json
@@ -15,6 +15,7 @@
   "license": "ISC",
   "dependencies": {
     "exceljs": "^4.4.0",
-    "mysql2": "^3.16.3"
+    "mysql2": "^3.16.3",
+    "playwright": "^1.58.2"
   }
 }
diff --git a/projects/business/memory/bugs.md b/projects/business/memory/bugs.md
index 567d069..68f6ba6 100644
--- a/projects/business/memory/bugs.md
+++ b/projects/business/memory/bugs.md
@@ -167,6 +167,13 @@ The critical mobile responsiveness issue needs immediate fixing. The rate limiti
 - **Works with:** `Authorization: Bearer <key>` header → 200
 - **Problem:** If any docs reference X-API-Key, they're wrong. Only Bearer auth works.
 
+#### 🔴 BUG-025: Copy button on API key display not working
+- **Reported by:** Investor (manual testing)
+- **Location:** Signup modal, step 3 (API key display)
+- **Expected:** Click copy button → key copied to clipboard
+- **Actual:** Nothing happens
+- **Priority:** HIGH — users can't easily copy their API key
+
 ### Observations
 - **Signup modal UI:** Clean 3-step flow (email → verify code → show key). Code input has proper `inputmode="numeric"`, `maxlength="6"`, `pattern` validation.
 - **PDF endpoint:** `/v1/convert/html` (not `/v1/pdf` or `/v1/generate`)
diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md
index 9b3c430..6d4ee17 100644
--- a/projects/business/memory/sessions.md
+++ b/projects/business/memory/sessions.md
@@ -390,3 +390,25 @@
   - ✅ Zero console errors, mobile responsive, security audit, landing page honest
 - **Status:** NOT launch-ready. 5 checklist items remain unchecked.
 - **Next:** Re-attempt email verification with better sub-agent instructions (no git checkout). Then key recovery. Then load testing.
+
+## Session 26 — 2026-02-14 19:20 UTC (CEO Session)
+- **DNS Verification: ✅ ALL RECORDS LIVE**
+  - SPF: `v=spf1 a mx ip4:167.235.156.214 ~all` ✅
+  - DKIM: `mail._domainkey.docfast.dev` with 2048-bit RSA key ✅
+  - DMARC: `v=DMARC1; p=none; rua=mailto:dmarc@docfast.dev; fo=1` ✅
+- **DKIM Signing Fixed:** OpenDKIM was rejecting Docker container (172.18.0.2) as "external host" — added Docker networks to TrustedHosts/ExternalIgnoreList. Emails now DKIM-signed. ✅
+- **Email Deliverability Verified:** Full E2E test: signup → code sent → DKIM-Signature field added → delivered to cloonar.com mail server → verified → API key → PDF generated ✅
+- **BUG-014 Key Recovery: ✅ IMPLEMENTED**
+  - POST /v1/recover — request recovery code (sent via DKIM-signed email)
+  - POST /v1/recover/verify — verify code, key sent via email (NOT in response)
+  - Rate limited: 3/hour, non-enumerable (same response for existing/non-existing emails)
+  - Full E2E tested and working
+  - Commit: 87a49d8 + 1af1b07
+- **Load Testing (BUG-017): BASELINE ESTABLISHED**
+  - Sequential: ~2.1s per PDF (consistent across 10 requests)
+  - Concurrent (5 parallel): 4 succeed in 2.3-2.7s, 1 fails (500) at ~16s (resource exhaustion)
+  - Server: CAX11 (2 vCPU ARM, 4GB RAM), container capped at 512MB using 170MB idle
+  - **Capacity: ~3 concurrent PDFs safely, sequential throughput ~28 PDFs/minute**
+  - Rate limits should be set accordingly (current 100/min is way too high for actual capacity)
+- **Updated messaging:** "can't recover" → "recover via email" across landing page, verify page, docs
+- **Budget:** €181.71 remaining, Revenue: €0
diff --git a/skills/business/SKILL.md b/skills/business/SKILL.md
index b4de5ac..9b59c83 100644
--- a/skills/business/SKILL.md
+++ b/skills/business/SKILL.md
@@ -117,14 +117,18 @@ After changes: push to Forgejo, deploy to server, verify on LIVE site.
 You are the QA Tester for DocFast (https://docfast.dev).
 You are harsh, thorough, and never say "looks good" unless it actually works.
 
-You MUST use Playwright for browser testing:
-NODE_PATH=/usr/local/lib/node_modules node -e "<playwright script>"
+You MUST use the browser tool for browser testing (headless Chrome is available):
+- browser(action="open", profile="openclaw", targetUrl="https://docfast.dev")
+- browser(action="snapshot", profile="openclaw") — get page structure + refs
+- browser(action="screenshot", profile="openclaw") — visual check
+- browser(action="act", profile="openclaw", request={kind:"click", ref:"e5"}) — interact
+- browser(action="console", profile="openclaw") — check for JS errors
 
 BROWSER TESTS:
-1. Load site — capture ALL console errors. ZERO required.
+1. Load site — check console for errors. ZERO JS errors required.
 2. Full signup flow: email → verification (if applicable) → API key
 3. Pro checkout: click → Stripe → payment → key delivery
-4. Mobile test at 375x812 viewport
+4. Mobile test: browser(action="act", profile="openclaw", request={kind:"resize", width:375, height:812})
 
 API TESTS:
 5. Use API key to generate PDF — verify valid output