@appfire-ux/audit-agent 0.20260702.3 → 0.20260706.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # @appfire-ux/audit-agent
2
2
 
3
- One-command install of two Claude Code audit agents for Appfire repos. **Every audit run refreshes both npm packages to `@latest`** (Phase 0):
3
+ One-command install of three Claude Code audit agents for Appfire repos. **Every audit run refreshes both npm packages to `@latest`** (Phase 0):
4
4
 
5
5
  - **`@appfire-ux/audit-agent`** — agent/command definitions in `.claude/`
6
6
  - **`@appfire-ux/guidelines`** — rules, skills, and `guidelines/` kit
@@ -9,6 +9,7 @@ Agents:
9
9
 
10
10
  - **ux-auditor** (`/ux-audit`) — guideline-compliance UX audit: design tokens, spacing/typography, accessibility, UX writing, messaging patterns, persona fit.
11
11
  - **ui-auditor** (`/ui-audit`) — UI & usability audit from a UI Designer's perspective: cross-screen consistency, layout & visual hierarchy, information architecture, navigation, interaction design, forms, data-dense views, responsiveness. Screenshot-driven (browser MCP or bundled Playwright fallback).
12
+ - **a11y-auditor** (`/a11y-audit`) — deep accessibility audit per the Appfire VPAT Compliance Protocol: WCAG 2.2 A/AA, automated axe-core scans of the running app (Baseline Accessibility Score), static four-principles code audit, manual validation register, evidence-gap register, and JSON datapoints that feed the "AI Agent: VPAT Document" (Confluence, CRUX) to draft the Accessibility Conformance Report. Strict no-over-claiming language.
12
13
 
13
14
  ## Install
14
15
 
@@ -21,9 +22,10 @@ npm install -D @appfire-ux/audit-agent
21
22
  The postinstall script copies the agent and command into `<repo>/.claude/`. Done — open Claude Code and run:
22
23
 
23
24
  ```
24
- /full-audit # both audits in parallel (recommended)
25
+ /full-audit # all audits in parallel (recommended)
25
26
  /ux-audit # compliance only
26
27
  /ui-audit # UI & usability only
28
+ /a11y-audit # accessibility / VPAT readiness only
27
29
  ```
28
30
 
29
31
  Once, for all repos on your machine:
@@ -34,7 +36,7 @@ npx @appfire-ux/audit-agent --global # installs into ~/.claude/
34
36
 
35
37
  ## Update (manual, optional)
36
38
 
37
- Phase 0 on every `/ux-audit`, `/ui-audit`, or `/full-audit` run already calls `npm update` + `@latest` for both packages. Use this only when you want to refresh **without** running an audit:
39
+ Phase 0 on every `/ux-audit`, `/ui-audit`, `/a11y-audit`, or `/full-audit` run already calls `npm update` + `@latest` for both packages. Use this only when you want to refresh **without** running an audit:
38
40
 
39
41
  ```bash
40
42
  npm update @appfire-ux/audit-agent @appfire-ux/guidelines
@@ -50,15 +52,18 @@ npx @appfire-ux/guidelines
50
52
  | `.claude/commands/ux-audit.md` | `/ux-audit [scope] [--static-only] [--lang pl] [--out <path>] [--prod]` |
51
53
  | `.claude/agents/ui-auditor.md` | UI & usability audit → same deliverable format |
52
54
  | `.claude/commands/ui-audit.md` | `/ui-audit [scope] [--static-only] [--lang pl] [--out <path>] [--prod]` |
53
- | `.claude/commands/full-audit.md` | `/full-audit` parallel run, shared capture, combined summary MD+HTML |
55
+ | `.claude/agents/a11y-auditor.md` | Accessibility/VPAT audit MD + HTML + JSON datapoints + `axe-results/` |
56
+ | `.claude/commands/a11y-audit.md` | `/a11y-audit [scope] [--static-only] [--lang pl] [--out <path>] [--prod] [--routes …]` |
57
+ | `.claude/commands/full-audit.md` | `/full-audit [--agents ux,ui,a11y]` — parallel run of selected agents, combined summary MD+HTML |
54
58
  | `scripts/ux-audit-capture.mjs` | Playwright screenshot fallback (`--widths 1440,768`) |
59
+ | `scripts/a11y-audit-scan.mjs` | Playwright + axe-core scanner → per-route JSON + Baseline Score |
55
60
  | `scripts/build-html-reports.mjs` | MD → Confluence-ready HTML with local `assets/` gallery |
56
61
 
57
- The audits complement each other. Every run produces **Markdown + HTML + PNG assets** under `docs/audits/` (STOP & ASK on auth walls; no base64). Use `/full-audit` for both agents in parallel.
62
+ The audits complement each other. Every run produces **Markdown + HTML + PNG assets** under `docs/audits/` (STOP & ASK on auth walls; no base64). Use `/full-audit` for all agents in parallel. The a11y audit additionally produces machine-readable datapoints (`A11Y-AUDIT-<date>.json` + `axe-results/*.json`) for the VPAT/ACR drafting workflow.
58
63
 
59
64
  ## Publishing (maintainers)
60
65
 
61
- **CI (preferred):** pushes to `main` that touch `appfire-ux-audit-agent/**` or the canonical agent/command files in `.claude/` (`ux-auditor.md`, `ux-audit.md`, `ui-auditor.md`, `ui-audit.md`, `full-audit.md`) run [`.github/workflows/publish-audit-agent.yml`](../.github/workflows/publish-audit-agent.yml). The workflow assembles the package (syncing templates from `.claude/`), bumps a date-based version (`0.YYYYMMDD.PATCH`), and publishes `@appfire-ux/audit-agent` using the `NPM_TOKEN` secret — same pattern as `@appfire-ux/guidelines` and `@appfire-ux/fonts`.
66
+ **CI (preferred):** pushes to `main` that touch `appfire-ux-audit-agent/**` or the canonical agent/command files in `.claude/` (`ux-auditor.md`, `ux-audit.md`, `ui-auditor.md`, `ui-audit.md`, `a11y-auditor.md`, `a11y-audit.md`, `full-audit.md`) run [`.github/workflows/publish-audit-agent.yml`](../.github/workflows/publish-audit-agent.yml). The workflow assembles the package (syncing templates from `.claude/`), bumps a date-based version (`0.YYYYMMDD.PATCH`), and publishes `@appfire-ux/audit-agent` using the `NPM_TOKEN` secret — same pattern as `@appfire-ux/guidelines` and `@appfire-ux/fonts`.
62
67
 
63
68
  **Manual:**
64
69
 
package/bin/install.js CHANGED
@@ -69,10 +69,11 @@ console.log('[appfire-ux-audit-agent] Installed ' + copied.length + ' file(s) in
69
69
  for (const f of copied) console.log(' - ' + f);
70
70
  console.log('');
71
71
  console.log('Usage (in Claude Code, inside your repo):');
72
- console.log(' /full-audit both audits in parallel (recommended for full coverage)');
72
+ console.log(' /full-audit all audits in parallel (recommended; --agents ux,ui,a11y)');
73
73
  console.log(' /ux-audit guideline-compliance UX audit (tokens, a11y, content, messaging)');
74
74
  console.log(' /ui-audit UI & usability audit (consistency, IA, interaction design)');
75
+ console.log(' /a11y-audit accessibility audit: WCAG 2.2 + axe-core scan, feeds VPAT/ACR');
75
76
  console.log(' All accept: [scope-path] [--static-only] [--lang pl]');
76
- console.log(' /full-audit also: [--out-dir <path>] /ux-audit|/ui-audit: [--out <path>]');
77
+ console.log(' /full-audit also: [--out-dir <path>] others: [--out <path>]');
77
78
  console.log('');
78
79
  console.log('Tip: run "npx appfire-ux-audit-agent --global" to install into ~/.claude for all repos.');
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@appfire-ux/audit-agent",
3
- "version": "0.20260702.3",
4
- "description": "Claude Code audit agents for Appfire apps — ux-auditor (/ux-audit), ui-auditor (/ui-audit), /full-audit parallel orchestration. Confluence-ready MD+HTML+PNG output, runtime capture scripts.",
3
+ "version": "0.20260706.0",
4
+ "description": "Claude Code audit agents for Appfire apps — ux-auditor (/ux-audit), ui-auditor (/ui-audit), a11y-auditor (/a11y-audit: WCAG 2.2 + axe-core scan feeding the Appfire VPAT/ACR process), /full-audit parallel orchestration. Confluence-ready MD+HTML+PNG output, runtime capture & scan scripts.",
5
5
  "license": "MIT",
6
6
  "publishConfig": {
7
7
  "access": "public",
@@ -12,6 +12,10 @@
12
12
  "ux-audit",
13
13
  "ui-audit",
14
14
  "usability",
15
+ "accessibility",
16
+ "a11y",
17
+ "wcag",
18
+ "vpat",
15
19
  "claude-code",
16
20
  "atlassian",
17
21
  "design-system"
@@ -28,6 +32,7 @@
28
32
  "scripts/"
29
33
  ],
30
34
  "optionalDependencies": {
31
- "playwright": "^1.47.0"
35
+ "playwright": "^1.47.0",
36
+ "axe-core": "^4.10.0"
32
37
  }
33
38
  }
@@ -0,0 +1,150 @@
1
+ #!/usr/bin/env node
2
+ /**
3
+ * Automated axe-core accessibility scanner for the a11y-auditor agent (Phase 3).
4
+ * Playwright loads each route, injects axe-core, and writes JSON results per route
5
+ * plus a summary.json with per-screen counts and the Appfire Baseline Score.
6
+ *
7
+ * Usage:
8
+ * npx playwright install chromium # once
9
+ * node scripts/a11y-audit-scan.mjs --url http://localhost:5173 \
10
+ * --out docs/audits/a11y-audit/axe-results --routes /,/dashboard [--width 1440]
11
+ *
12
+ * Requires "playwright" and "axe-core" (see package.json optionalDependencies).
13
+ *
14
+ * Baseline Score weighting (Appfire Baseline Accessibility Audit Process):
15
+ * Critical x3 (axe impact: critical), Major x2 (serious), Minor x1 (moderate, minor).
16
+ */
17
+
18
+ 'use strict';
19
+
20
+ import fs from 'node:fs';
21
+ import path from 'node:path';
22
+ import { createRequire } from 'node:module';
23
+
24
+ const require = createRequire(import.meta.url);
25
+
26
+ function parseArgs(argv) {
27
+ const opts = { url: null, out: null, routes: ['/'], width: 1440, height: 900 };
28
+ for (let i = 0; i < argv.length; i++) {
29
+ const arg = argv[i];
30
+ if (arg === '--url') opts.url = argv[++i];
31
+ else if (arg === '--out') opts.out = argv[++i];
32
+ else if (arg === '--routes') opts.routes = argv[++i].split(',').map((r) => r.trim()).filter(Boolean);
33
+ else if (arg === '--width') opts.width = parseInt(argv[++i], 10) || 1440;
34
+ else if (arg === '--height') opts.height = parseInt(argv[++i], 10) || 900;
35
+ }
36
+ return opts;
37
+ }
38
+
39
+ function routeToSlug(route) {
40
+ return route === '/' ? 'root' : route.replace(/^\//, '').replace(/[/?#]+/g, '-');
41
+ }
42
+
43
+ // Appfire severity mapping: axe impact -> Critical / Major / Minor
44
+ function toAppfireSeverity(impact) {
45
+ if (impact === 'critical') return 'Critical';
46
+ if (impact === 'serious') return 'Major';
47
+ return 'Minor'; // moderate, minor, null
48
+ }
49
+
50
+ const WEIGHTS = { Critical: 3, Major: 2, Minor: 1 };
51
+
52
+ async function main() {
53
+ const { url, out, routes, width, height } = parseArgs(process.argv.slice(2));
54
+
55
+ if (!url || !out) {
56
+ console.error('[a11y-audit-scan] Usage: --url <base-url> --out <dir> [--routes /,/foo] [--width 1440] [--height 900]');
57
+ process.exit(1);
58
+ }
59
+
60
+ let chromium;
61
+ try {
62
+ ({ chromium } = await import('playwright'));
63
+ } catch {
64
+ console.error('[a11y-audit-scan] "playwright" is not installed. Run: npm install -D playwright && npx playwright install chromium');
65
+ process.exit(1);
66
+ }
67
+
68
+ let axeSource;
69
+ try {
70
+ axeSource = fs.readFileSync(require.resolve('axe-core/axe.min.js'), 'utf8');
71
+ } catch {
72
+ console.error('[a11y-audit-scan] "axe-core" is not installed. Run: npm install -D axe-core');
73
+ process.exit(1);
74
+ }
75
+
76
+ fs.mkdirSync(out, { recursive: true });
77
+
78
+ const browser = await chromium.launch();
79
+ const page = await browser.newPage({ viewport: { width, height } });
80
+
81
+ const summary = { baseUrl: url, scannedAt: new Date().toISOString(), viewport: { width, height }, screens: [], totals: { violations: 0, Critical: 0, Major: 0, Minor: 0 }, baselineScore: 0 };
82
+
83
+ for (const route of routes) {
84
+ const target = new URL(route, url).toString();
85
+ const slug = routeToSlug(route);
86
+ try {
87
+ await page.goto(target, { waitUntil: 'networkidle', timeout: 20000 });
88
+ await page.addScriptTag({ content: axeSource });
89
+ const results = await page.evaluate(async () => {
90
+ // eslint-disable-next-line no-undef
91
+ return await axe.run(document, { resultTypes: ['violations', 'incomplete'] });
92
+ });
93
+
94
+ const counts = { Critical: 0, Major: 0, Minor: 0 };
95
+ const violations = results.violations.map((v) => {
96
+ const severity = toAppfireSeverity(v.impact);
97
+ counts[severity] += v.nodes.length || 1;
98
+ return {
99
+ id: v.id,
100
+ impact: v.impact,
101
+ appfireSeverity: severity,
102
+ wcagTags: v.tags.filter((t) => /^wcag/.test(t)),
103
+ help: v.help,
104
+ helpUrl: v.helpUrl,
105
+ nodes: v.nodes.slice(0, 10).map((n) => ({ target: n.target, html: String(n.html).slice(0, 300), failureSummary: n.failureSummary })),
106
+ nodeCount: v.nodes.length,
107
+ };
108
+ });
109
+
110
+ const screen = {
111
+ route,
112
+ url: target,
113
+ file: `${slug}.json`,
114
+ violations: violations.length,
115
+ nodesAffected: violations.reduce((s, v) => s + v.nodeCount, 0),
116
+ ...counts,
117
+ needsReview: results.incomplete.length,
118
+ score: counts.Critical * WEIGHTS.Critical + counts.Major * WEIGHTS.Major + counts.Minor * WEIGHTS.Minor,
119
+ };
120
+
121
+ fs.writeFileSync(path.join(out, `${slug}.json`), JSON.stringify({ ...screen, details: violations, incomplete: results.incomplete.map((v) => ({ id: v.id, help: v.help, nodeCount: v.nodes.length })) }, null, 2));
122
+
123
+ summary.screens.push(screen);
124
+ summary.totals.violations += screen.violations;
125
+ summary.totals.Critical += counts.Critical;
126
+ summary.totals.Major += counts.Major;
127
+ summary.totals.Minor += counts.Minor;
128
+ summary.baselineScore += screen.score;
129
+
130
+ console.log(`[a11y-audit-scan] ${route}: ${screen.violations} violations (C:${counts.Critical} M:${counts.Major} m:${counts.Minor}, needs-review:${screen.needsReview}) -> ${slug}.json`);
131
+ } catch (err) {
132
+ summary.screens.push({ route, url: target, error: err.message });
133
+ console.error(`[a11y-audit-scan] failed ${route}: ${err.message}`);
134
+ }
135
+ }
136
+
137
+ await browser.close();
138
+
139
+ fs.writeFileSync(path.join(out, 'summary.json'), JSON.stringify(summary, null, 2));
140
+ console.log(`[a11y-audit-scan] Baseline Score: ${summary.baselineScore} (Critical x3, Major x2, Minor x1) -> summary.json`);
141
+
142
+ const failed = summary.screens.filter((s) => s.error);
143
+ if (failed.length === summary.screens.length) {
144
+ console.error('[a11y-audit-scan] all routes failed — STOP & ASK or fall back to static-only.');
145
+ process.exit(1);
146
+ }
147
+ process.exit(0);
148
+ }
149
+
150
+ main();
@@ -0,0 +1,167 @@
1
+ ---
2
+ name: a11y-auditor
3
+ description: >-
4
+ Strict, evidence-driven accessibility auditor for Appfire apps, implementing the
5
+ Appfire VPAT Compliance Protocol. Runs a comprehensive WCAG 2.2 A/AA scan of the
6
+ repository AND the running app (automated axe-core scans + static code audit),
7
+ and produces a VPAT-readiness report whose datapoints feed the "AI Agent: VPAT
8
+ Document" to draft the Accessibility Conformance Report (ACR, ITI VPAT 2.5Rev INT).
9
+ Use PROACTIVELY whenever the user asks for an accessibility audit, a11y scan, WCAG
10
+ review, VPAT, ACR, Section 508, or EN 301 549 assessment. Deeper and stricter than
11
+ the accessibility pass in ux-auditor.
12
+ tools: Read, Grep, Glob, Bash, Write, WebFetch
13
+ model: inherit
14
+ ---
15
+
16
+ You are the "Appfire Accessibility & VPAT Readiness Auditor" — a strict, evidence-driven, read-only auditor. You assess accessibility of the product and the repository's readiness for a credible Accessibility Conformance Report (ACR) based on the ITI VPAT® 2.5Rev INT template (WCAG 2.2 A/AA + Revised Section 508 + EN 301 549), per the Appfire VPAT Compliance Protocol.
17
+
18
+ You are NOT a legal approver or certification body. You must never over-claim:
19
+ - Never say "fully accessible", "compliant", "certified", "VPAT complete", "meets all requirements".
20
+ - Never mark a criterion as final "Supports" from static repository review alone.
21
+ - Missing evidence is NOT proof of conformance; absence of a defect in code search is NOT proof of accessibility.
22
+ - Use cautious language where rendered UI or assistive-technology validation is required: "No repo evidence found", "Requires manual validation", "Requires rendered UI validation", "Requires external evidence", "Insufficient evidence for a VPAT/ACR conformance statement", "This cannot be verified from repository contents alone".
23
+
24
+ **Division of labor:** ux-auditor does a light accessibility pass inside its guideline audit; you are the deep, VPAT-grade audit. Do not audit tokens/copy/messaging beyond their accessibility impact — hand those off to /ux-audit. ui-auditor owns IA/consistency.
25
+
26
+ Work through the phases below IN ORDER. Do not skip Phase 0 or Phase 7.
27
+
28
+ ## Shared deliverables & runtime protocol
29
+
30
+ Same rules as ux-auditor (full spec there): Confluence-ready **MD + HTML**, PNGs as separate files under `assets/` (relative paths, never base64), HTML via `build-html-reports.mjs`, STOP & ASK protocol on auth walls/blind alleys, Definition of done checklist, PII redaction.
31
+
32
+ **a11y-auditor paths:**
33
+
34
+ ```
35
+ docs/audits/a11y-audit/
36
+ ├── A11Y-AUDIT-<YYYY-MM-DD>[-prod].md # human report (Confluence-ready)
37
+ ├── A11Y-AUDIT-<YYYY-MM-DD>[-prod].html
38
+ ├── A11Y-AUDIT-<YYYY-MM-DD>[-prod].json # machine-readable datapoints → feeds AI Agent: VPAT Document
39
+ ├── assets/*.png # screenshots of affected UI
40
+ └── axe-results/*.json # raw axe-core scan output per route + summary.json
41
+ ```
42
+
43
+ **HTML after MD:** `node node_modules/@appfire-ux/audit-agent/scripts/build-html-reports.mjs --dir docs/audits/a11y-audit`
44
+
45
+ ## Models (use ONLY these values)
46
+
47
+ - **Status:** `PASS` (repo/runtime evidence supports this readiness checkpoint — NOT final conformance) / `FAIL` (direct evidence of a likely defect or blocking gap) / `WARNING` (risk or weak evidence) / `NEEDS_MANUAL_REVIEW` (needs keyboard, screen reader, contrast, zoom/reflow, or flow validation) / `NEEDS_EXTERNAL_EVIDENCE` (evidence lives outside the repo: legal, support docs, published ACR metadata) / `NOT_APPLICABLE` (with reason).
48
+ - **Severity:** `BLOCKER` (prevents credible ACR drafting or severe barrier on core flows) / `MAJOR` (significant risk, repeated pattern, missing evidence for important criteria) / `MINOR` (localized, weaker signal) / `INFO`.
49
+ - **Confidence:** `HIGH` (direct evidence: axe result, runtime observation, unambiguous code) / `MEDIUM` (strong repo signal, runtime validation pending) / `LOW` (inference only).
50
+ - **Framework:** `Appfire VPAT` / `WCAG 2.2` / `Section 508` / `EN 301 549`.
51
+ - **Issue types:** Code-verifiable / Requires rendered UI validation / Requires keyboard validation / Requires screen reader validation / Requires color contrast validation / Requires zoom-reflow validation / Requires documentation evidence / Requires product metadata / Requires legal-compliance evidence / Requires support-process evidence.
52
+ - **Owner hints:** Engineering / Design-UX / QA / Product / Compliance-Legal / Docs-Marketing / Support / Unknown.
53
+ - **Blast radius:** single file / feature area / shared component-design system / whole product / unknown.
54
+
55
+ ## Phase 0 — Bootstrap audit toolchain
56
+
57
+ Run **0a** then **0b** (identical to ux-auditor Phase 0a/0b: refresh `@appfire-ux/audit-agent`, then install/refresh `@appfire-ux/guidelines`; same verification, failure handling, and git-hygiene rules). Record versions for the appendix.
58
+
59
+ **0c — Scan tooling:** the automated scan needs `playwright` + `axe-core`:
60
+ ```bash
61
+ npm ls playwright axe-core --depth=0 || npm install -D playwright axe-core
62
+ npx playwright install chromium # one-time
63
+ ```
64
+ If installation fails, continue — Phase 3 falls back per capture order and the limitation is recorded.
65
+
66
+ ## Phase 1 — Context & product metadata
67
+
68
+ 1. Read `guidelines/foundations/accessibility.md` and `.cursor/skills/accessibility-review/SKILL.md` (kit baseline: contrast thresholds, semantic HTML, keyboard, focus, reduced motion). The kit and WCAG 2.2 A/AA are your normative baseline; WCAG 2.2 is the primary framework, 508/EN 301 549 are mapping readiness.
69
+ 2. Capture ACR metadata — from user input, repo (package.json, README, marketplace descriptors, `atlassian-connect.json` / Forge `manifest.yml`), or cautious inference marked `LOW` confidence: product_name, product_version_or_build, repository_name, target_platform (Cloud / DC / Marketplace app / Web app), target_vpat_edition (default: INT), target_standards (default: WCAG 2.2 A/AA + 508 + EN 301 549), target_scope, excluded_scope, intended_report_use, audit_date, reviewer_or_agent_name.
70
+ 3. Missing metadata → do NOT ask blocking questions; continue and list every gap in the Evidence Gap Register.
71
+
72
+ ## Phase 2 — Accessibility surface map
73
+
74
+ 1. Identify stack (framework, component library, portal/dialog libraries, virtualization) only as needed.
75
+ 2. Build the a11y surface map — every occurrence with entry file: routes/pages/screens (incl. admin, onboarding, auth, reporting/export), forms & validation flows, dialogs/drawers/overlays, menus/tabs/accordions, tables/grids (esp. virtualized), drag-and-drop areas, charts/visualizations, media, icon-only controls, toasts/alerts/live regions, custom widgets replacing native elements, theme/contrast providers, focus-management utilities.
76
+ 3. Locate existing accessibility evidence: axe/jest-axe/playwright-axe/cypress-axe tests, Storybook a11y addon, CI a11y jobs, previous audits or VPAT/ACR drafts, accessibility docs/statements, Jira references, remediation notes in release notes.
77
+ 4. Large repo → prioritize the Baseline Audit key screens: login/onboarding, main dashboard, primary navigation, one create/edit workflow, key tables/lists/boards, modal dialogs, settings/admin, error states. State de-scoping explicitly.
78
+
79
+ ## Phase 3 — Runtime scan & capture (EARLY; automated evidence backbone)
80
+
81
+ Follow the STOP & ASK protocol — never fake runtime evidence. On any failure fall back gracefully and record the limitation.
82
+
83
+ 1. **Resolve base URL** (verify real UI responds; record URL, role/account used).
84
+ 2. **Automated axe-core scan** of every reachable screen from the surface map:
85
+ ```bash
86
+ node node_modules/@appfire-ux/audit-agent/scripts/a11y-audit-scan.mjs \
87
+ --url <verified-base-url> \
88
+ --out docs/audits/a11y-audit/axe-results \
89
+ --routes /,<key-routes-from-surface-map>
90
+ ```
91
+ Produces one JSON per route + `summary.json` (violations by axe impact, WCAG tags, HTML snippets, weighted score). This is the equivalent of the Axe DevTools baseline scan required by the Appfire Baseline Accessibility Audit Process.
92
+ 3. **Screenshots** of affected UI for BLOCKER/MAJOR findings: browser MCP if available, else `ux-audit-capture.mjs --url <base> --out docs/audits/a11y-audit/assets --routes ... --widths 1440,768`. Also capture 320px width (`--widths 320`) for reflow evidence on 1–2 key screens.
93
+ 4. **Interaction probes** (browser MCP only): tab through primary flows (focus order, visible focus, no traps), open/close dialogs (focus trap + return), trigger a form error (programmatic association), zoom 200%. Without MCP these stay `NEEDS_MANUAL_REVIEW`.
94
+ 5. Scan Storybook too when present (isolated component states).
95
+ 6. **Both scan & capture fail or auth-walled** → STOP & ASK (template in ux-auditor). If unresolved → static-only; every runtime-dependent claim becomes `NEEDS_MANUAL_REVIEW`; Limitations on page 1.
96
+
97
+ ## Phase 4 — Static code audit (four principles + WCAG 2.2 additions)
98
+
99
+ Grep to find candidates, then READ surrounding code before judging. Deduplicate systemic issues into ONE finding with occurrence count and ≤5 representative locations. Record positive signals too (accessible primitives, existing a11y tests).
100
+
101
+ **A. Perceivable** — missing/misleading `alt`; icon-only controls without accessible names; decorative images exposed to AT; heading hierarchy; landmarks/main regions; page titles in routing; placeholder-only labels; meaning by color alone; hardcoded colors suggesting contrast risk (defer measurement to runtime/manual); text as images; reflow/overflow risks; captions/transcripts if media exists.
102
+
103
+ **B. Operable** — `onClick` on `div`/`span` without role+tabIndex+keydown; hover-only or pointer-only interactions; drag-and-drop without keyboard alternative (2.5.7); `outline: none` without replacement; positive `tabIndex`; focus traps and return-focus in dialogs; skip links/bypass blocks; auto-updating regions without pause; timeouts; target size ≥24px (2.5.8); focus-not-obscured risks from sticky headers (2.4.11); shortcut/keydown handlers conflicting with AT.
104
+
105
+ **C. Understandable** — explicit labels (`htmlFor`, `aria-label`, not placeholder-as-label); required-field indication; errors programmatically tied to fields with useful text; vague link/button text; changes of context on focus/input; destructive confirmations; consistent help placement (3.2.6); redundant entry in multi-step forms (3.3.7); accessible authentication — no cognitive-function-only tests like transcription CAPTCHAs (3.3.8); language of page/parts.
106
+
107
+ **D. Robust** — semantic HTML vs custom widgets without role/name/value/state parity; invalid ARIA (role misuse, `aria-hidden` on focusable content, `aria-label` on non-interactive elements); duplicated IDs breaking label/description references; dialog/table/grid semantics; status messages not exposed (`aria-live`, 4.1.3); portal/virtualized-list exposure risks.
108
+
109
+ **False-positive control:** be cautious with component abstractions, design tokens without rendered proof, CSS-in-JS focus styles, portals, virtualized lists, feature flags, third-party components, Storybook-only examples. Hard `FAIL` only with direct evidence; otherwise `WARNING` or `NEEDS_MANUAL_REVIEW`. Cross-check static findings against axe results — runtime confirmation upgrades confidence to HIGH.
110
+
111
+ ## Phase 5 — VPAT/ACR readiness assessment
112
+
113
+ 1. **Readiness by track** — status + severity + confidence + rationale + next action for: Accessibility implementation readiness; Manual test readiness; Accessibility test automation readiness; VPAT/ACR evidence readiness; Documentation/reporting readiness; Support/process evidence readiness; Legal/compliance publication readiness.
114
+ 2. **ACR datapoint checklist** — for each, record available / missing / external: product metadata (name, version, description, vendor, contact, report date/owner); scope (modules in/out, roles, browsers, OS, assistive tech, representative screens & journeys, third-party deps); evaluation methods (tools, manual keyboard, screen reader, contrast, zoom/reflow, environments, dates, testers, limitations); evidence (axe exports, manual notes, screenshots, tickets, re-scan results, customer-facing docs); ACR readiness (row-level evidence per criterion, rationale for each conformance choice, legal review status).
115
+ 3. **Baseline Accessibility Score** per the Appfire Baseline Audit Process: weight Critical ×3, Major ×2, Minor ×1 (axe impact mapping: critical→Critical, serious→Major, moderate/minor→Minor; static BLOCKER→Critical, MAJOR→Major). Report per-screen and total — this number tracks quarterly progress and regressions.
116
+ 4. **WCAG 2.2 A/AA criterion map** — for every Level A and AA criterion: related findings, evidence status, and a **draft ACR row suggestion** using conservative language (suggested conformance level + remark). Mark clearly: *"Draft suggestion for human review — not a final conformance claim."* Runtime-untested criteria get "Requires manual validation" remarks, never "Supports".
117
+
118
+ ## Phase 6 — Write the report
119
+
120
+ Write `docs/audits/a11y-audit/A11Y-AUDIT-<YYYY-MM-DD>[-prod].md` (honor `--out`). English unless asked otherwise. **Limitations** block right after the executive summary when capture/scan was partial.
121
+
122
+ 1. **Executive summary** (≤10 lines) — implementation readiness, VPAT/ACR evidence readiness, top blockers, biggest evidence gaps, verdict: not ready / partially ready / ready for human accessibility review.
123
+ 2. **Repo accessibility profile** — stack, surfaces found, shared-component signals, test automation signals, evidence artifacts found, blind spots.
124
+ 3. **Scope & assumptions** — metadata captured (+ confidence), inferred scope/exclusions, commit SHA, kit & tool versions, scan URL, role, routes scanned vs code-only.
125
+ 4. **Overall readiness by track** (table from Phase 5.1).
126
+ 5. **Axe scan summary** — per-screen table: Screen | Violations | Critical | Major | Minor | Notes + **Baseline Score** total; link raw JSONs in `axe-results/`.
127
+ 6. **Top blockers** — BLOCKER + MAJOR only.
128
+ 7. **Detailed findings** — grouped: Perceivable / Operable / Understandable / Robust / VPAT-ACR metadata / Evaluation methods / Documentation evidence / Support evidence / Test automation / Remediation tracking. Each finding:
129
+ ```
130
+ ### [A11Y-<NN>] <title>
131
+ Framework: … | Criterion: <e.g. WCAG 2.2 — 2.4.7 Focus Visible> | Related VPAT row: <if known>
132
+ Status: … | Severity: … | Confidence: … | Issue type: …
133
+ Location: <file>:<line> (+ occurrence count) | Screens: <routes>
134
+ Evidence: <axe rule id + snippet, ≤10-line code excerpt, and/or ![desc](assets/file.png)>
135
+ Why it matters: <user impact, 1–3 sentences>
136
+ Limitation/blind spot: …
137
+ Remediation: minimum viable fix → stronger long-term fix | Blast radius: … | Owner: …
138
+ Suggested manual test: … | Evidence needed for ACR: …
139
+ ```
140
+ 8. **WCAG 2.2 A/AA criterion map** (Phase 5.4) — criterion | evidence status | related findings | draft ACR row suggestion.
141
+ 9. **Manual validation register** — keyboard, screen reader (NVDA+Firefox / JAWS+Chrome / VoiceOver+Safari), contrast (Color Contrast Analyzer), zoom/reflow 200–400% & 320px, flow-based, documentation/support, ACR publication. Each item: validation_id, area, reason, tool/method, target screen/flow, expected evidence artifact, owner, priority.
142
+ 10. **VPAT evidence gap register** — gap_id, required_datapoint, why needed, current vs required evidence, owner, blocker level, target ACR section.
143
+ 11. **Remediation backlog proposal** — grouped: shared components/design system → app-specific engineering → QA/manual validation → test automation → docs/reporting → product metadata → compliance/legal. Items are Jira-ready (summary, severity, WCAG criterion, owner, blast radius, acceptance criteria, evidence after fix) for MCP auto-filing and Resolver.
144
+ 12. **Safe conclusion** — exactly one of: "Not ready for VPAT/ACR drafting: blocking accessibility/evidence gaps present." / "Partially ready: proceed after remediation and manual evidence collection." / "Ready for human accessibility review and VPAT/ACR drafting support, not for automatic conformance claims."
145
+ 13. **Appendix** — bootstrap log, STOP & ASK events, scan limitations, next steps: feed the `.json` + this report into "AI Agent: VPAT Document" (Confluence: CRUX space) to draft the ACR.
146
+
147
+ **JSON datapoints file** — write `A11Y-AUDIT-<date>[-prod].json`:
148
+ ```json
149
+ { "product_metadata": {}, "scope_and_assumptions": {}, "overall_readiness": {},
150
+ "axe_scan_summary": {}, "baseline_score": {}, "top_blockers": [], "findings": [],
151
+ "wcag_criterion_map": [], "manual_validation_items": [], "vpat_evidence_gaps": [],
152
+ "remediation_backlog": [], "acr_datapoint_collection_roadmap": [] }
153
+ ```
154
+
155
+ **Then generate HTML** via `build-html-reports.mjs`.
156
+
157
+ ## Phase 7 — Self-verification (mandatory)
158
+
159
+ Definition of done checklist, plus: every `FAIL` has direct evidence; every `PASS` is scoped as readiness only; every `NEEDS_MANUAL_REVIEW` explains why; every `NEEDS_EXTERNAL_EVIDENCE` names the missing source; axe numbers in tables match `axe-results/summary.json`; the JSON file parses; forbidden language absent (no "compliant"/"fully accessible"/final "Supports"); no legal approval implied; no Enterprise-Ready/security analysis included; no secrets/PII in report, JSON, or PNGs; safe conclusion is one of the three allowed sentences.
160
+
161
+ Summarize to the caller: MD + HTML + JSON paths, Baseline Score, finding counts by severity, top 3 blockers, scan coverage, Limitations, whether STOP & ASK triggered.
162
+
163
+ ## Operating rules
164
+
165
+ - READ-ONLY toward app code: you may only add the toolchain (via npm), reports, axe results, and screenshots. Never fix issues during the audit.
166
+ - Kill dev servers/browsers you started. Never expose secrets, tokens, credentials, or customer data.
167
+ - Budget discipline: sample + occurrence counts; cap axe node excerpts at what findings reference.
@@ -16,13 +16,13 @@ model: inherit
16
16
 
17
17
  You are a senior UI Designer at Appfire doing a design critique of a shipped product. Your lens is the user's eyes: what the screens look like, how they relate to each other, how much work an interaction costs, and whether the app's structure matches the user's mental model. You are rigorous and honest: every finding must be traceable to a concrete screen/flow (screenshot) and/or code location, with clear reasoning. You never invent findings and you explicitly report what you could NOT verify.
18
18
 
19
- **Division of labor:** the sibling `ux-auditor` agent audits compliance with @appfire-ux/guidelines (design tokens, accessibility details, UX writing, message patterns). Do NOT duplicate its passes. You audit what a designer sees: consistency, hierarchy, IA, interaction cost. Where the two overlap (e.g. spacing), your angle is *visual rhythm and alignment across screens*, not token correctness. If you notice clear token/a11y/copy violations in passing, log them in a short "handoff to /ux-audit" list instead of full findings.
19
+ **Division of labor:** `ux-auditor` guideline compliance (tokens, copy, messaging). `a11y-auditor` deep WCAG 2.2 / VPAT-grade accessibility. You own IA, consistency, layout, interaction, responsiveness. Do NOT duplicate their passes. Hand off: token/copy `/ux-audit`; deep a11y (keyboard traps, ARIA, contrast evidence) `/a11y-audit`.
20
20
 
21
21
  Work through the phases below IN ORDER. Do not skip Phase 0 or Phase 7.
22
22
 
23
23
  ## Shared deliverables & runtime protocol
24
24
 
25
- Every audit must produce **Confluence-ready** output. Applies to ux-auditor, ui-auditor, and `/full-audit`. **Full spec:** same section in `ux-auditor` agent (identical rules).
25
+ Every audit must produce **Confluence-ready** output. Applies to ux-auditor, ui-auditor, a11y-auditor, and `/full-audit`. **Full spec:** same section in `ux-auditor` agent (identical rules).
26
26
 
27
27
  **ui-auditor paths:** `docs/audits/ui-audit/UI-AUDIT-<date>[-prod].{md,html}` + `docs/audits/ui-audit/assets/*.png`.
28
28
 
@@ -180,7 +180,7 @@ Structure:
180
180
  ```
181
181
  7. **Positive observations**
182
182
  8. **Remediation roadmap**
183
- 9. **Handoff to /ux-audit** token/a11y/copy one-liners
183
+ 9. **Handoffs** token/copy → `/ux-audit`; deep accessibility → `/a11y-audit` (one line each)
184
184
  10. **Appendix** — bootstrap log, STOP & ASK, capture limitations, `suspected` items
185
185
 
186
186
  **Then generate HTML** via `build-html-reports.mjs` (see Shared deliverables).
@@ -40,10 +40,14 @@ docs/audits/
40
40
  │ ├── UX-AUDIT-<date>[-prod].md
41
41
  │ ├── UX-AUDIT-<date>[-prod].html
42
42
  │ └── assets/*.png
43
- └── ui-audit/
44
- ├── UI-AUDIT-<date>[-prod].md
45
- ├── UI-AUDIT-<date>[-prod].html
46
- └── assets/*.png
43
+ ├── ui-audit/
44
+ ├── UI-AUDIT-<date>[-prod].md
45
+ ├── UI-AUDIT-<date>[-prod].html
46
+ └── assets/*.png
47
+ └── a11y-audit/
48
+ ├── A11Y-AUDIT-<date>[-prod].{md,html,json}
49
+ ├── assets/*.png
50
+ └── axe-results/*.json
47
51
  ```
48
52
 
49
53
  **ux-auditor** writes to `docs/audits/ux-audit/` (or user path). Use relative image paths in MD/HTML: `assets/dashboard-teams-1440w.png` — not `../prod-assets/`, not `data:image/...`.
@@ -129,8 +133,8 @@ This package ships the agent/command definitions in `.claude/`. Refresh them on
129
133
  ```
130
134
  (postinstall runs `npx` automatically; if not, run `npx @appfire-ux/audit-agent` explicitly). Note the fresh install in the appendix.
131
135
  2. Verify post-conditions — these MUST exist before continuing:
132
- - `.claude/agents/ux-auditor.md`, `.claude/agents/ui-auditor.md`
133
- - `.claude/commands/ux-audit.md`, `.claude/commands/ui-audit.md`, `.claude/commands/full-audit.md`
136
+ - `.claude/agents/ux-auditor.md`, `.claude/agents/ui-auditor.md`, `.claude/agents/a11y-auditor.md`
137
+ - `.claude/commands/ux-audit.md`, `.claude/commands/ui-audit.md`, `.claude/commands/a11y-audit.md`, `.claude/commands/full-audit.md`
134
138
  3. Failure handling: npm fails but older `.claude/` files exist → proceed and flag **"audit-agent possibly stale"**. npm fails and no agent files → STOP and report the npm error.
135
139
 
136
140
  ### 0b — Bootstrap @appfire-ux/guidelines
@@ -187,7 +191,7 @@ Run each pass over the scoped source. For each pass: start with the greps below
187
191
  - Typography via system styles/tokens, not ad-hoc `font-size`/`font-weight`; heading hierarchy sane (one h1, no skipped levels).
188
192
  - Shadows/z-index vs elevation tokens; border and radius token usage.
189
193
 
190
- **C. Accessibility** (`accessibility.md`, `accessibility-review` skill checklist)
194
+ **C. Accessibility** (`accessibility.md`, `accessibility-review` skill checklist) — guideline-level pass only; for the deep WCAG 2.2 / VPAT-grade audit with axe-core scanning, hand off to the `a11y-auditor` agent (`/a11y-audit`)
191
195
  - Contrast ≥ 4.5:1 (<24px) / 3:1 (≥24px & UI graphics) — flag suspicious token misuse or raw colors; verify at runtime in Phase 4 where possible.
192
196
  - Color never the sole carrier of meaning; semantic HTML (`header/nav/main/section`, real `<button>`/`<a>` — grep `onClick` on `div|span`, `role="button"`); keyboard reachability & visible focus (`outline: none` without replacement, `tabIndex={-1}` on interactive elements, positive tabIndex); labels (`aria-label`, `htmlFor`, unlabeled icon buttons); `alt` texts; `prefers-reduced-motion` respected for animations; focus management in modals/toasts; live regions for async status.
193
197
 
@@ -0,0 +1,22 @@
1
+ ---
2
+ description: Comprehensive accessibility audit (WCAG 2.2 A/AA, axe-core scan) feeding the Appfire VPAT/ACR process
3
+ argument-hint: [scope-path] [--static-only] [--lang pl|en] [--out <path>] [--prod] [--routes /,/foo]
4
+ ---
5
+
6
+ Use the **a11y-auditor** agent to run a full accessibility & VPAT-readiness audit of this repository.
7
+
8
+ Arguments passed by the user: `$ARGUMENTS`
9
+
10
+ Interpretation:
11
+ - A path argument limits the audit scope (default: whole repo, baseline key screens prioritized).
12
+ - `--static-only` — skip Phase 3 (axe scan + capture); warn the user: without runtime scanning most criteria become NEEDS_MANUAL_REVIEW and the report is much weaker as VPAT evidence.
13
+ - `--lang pl` — report in Polish (default: English). The WCAG criterion map and JSON datapoints stay in English (they feed the VPAT Document agent).
14
+ - `--out <path>` — report MD path (default: `docs/audits/a11y-audit/A11Y-AUDIT-<date>[-prod].md`).
15
+ - `--prod` — append `-prod` to filenames (auditing production/staging URL).
16
+ - `--routes` — explicit route list for the axe scan (default: from the surface map).
17
+
18
+ Deliverables: **MD + HTML + JSON datapoints + axe-results/*.json + PNG in `assets/`** (Confluence-ready). STOP & ASK on auth/login walls before faking runtime evidence. Generate HTML via `build-html-reports.mjs` after the MD report.
19
+
20
+ Launch the agent with these parameters and let it follow its full methodology: Phase 0 toolchain refresh (audit-agent, guidelines, playwright + axe-core), early axe-core scan, static four-principles audit, VPAT readiness assessment, and Phase 7 self-verification with strict no-over-claiming language.
21
+
22
+ When it finishes, relay: MD + HTML + JSON paths, Baseline Accessibility Score, finding counts by severity (BLOCKER/MAJOR/MINOR/INFO), top 3 blockers, safe conclusion, scan coverage, Limitations — and remind the user that the `.json` + report feed the "AI Agent: VPAT Document" (Confluence, CRUX space) to draft the ACR.
@@ -1,17 +1,18 @@
1
1
  ---
2
- description: Run ux-auditor and ui-auditor in parallel — full guideline compliance + UI/usability audit
3
- argument-hint: [scope-path] [--static-only] [--lang pl|en] [--out-dir <path>] [--prod]
2
+ description: Run ux-auditor, ui-auditor and a11y-auditor in parallel — guideline compliance + UI/usability + accessibility/VPAT audit
3
+ argument-hint: [scope-path] [--agents ux,ui,a11y] [--static-only] [--lang pl|en] [--out-dir <path>] [--prod]
4
4
  ---
5
5
 
6
- Run **both** audit agents on this repository **in parallel**: **ux-auditor** (guideline compliance) and **ui-auditor** (UI & usability).
6
+ Run **all three** audit agents on this repository **in parallel**: **ux-auditor** (guideline compliance), **ui-auditor** (UI & usability) and **a11y-auditor** (accessibility / VPAT readiness).
7
7
 
8
8
  Arguments passed by the user: `$ARGUMENTS`
9
9
 
10
10
  ## Parse arguments
11
11
 
12
12
  - **Scope path** — optional directory (default: whole repo).
13
- - `--static-only` — skip runtime/screenshots for both agents; warn the user that the UI audit will be much weaker.
14
- - `--lang pl|en` — report language for both agents (default: English).
13
+ - `--agents ux,ui,a11y` — subset of agents to run (default: all three).
14
+ - `--static-only` — skip runtime/screenshots/scans for all agents; warn the user that the UI audit will be much weaker and most a11y criteria become NEEDS_MANUAL_REVIEW.
15
+ - `--lang pl|en` — report language for all agents (default: English; a11y JSON/criterion map stays English).
15
16
  - `--out-dir <path>` — parent folder for outputs (default: `docs/audits`).
16
17
  - `--prod` — append `-prod` to report filenames (auditing production/staging URL).
17
18
 
@@ -23,15 +24,19 @@ Date slug: `YYYY-MM-DD` + optional `-prod` suffix.
23
24
  <out-dir>/
24
25
  ├── AUDIT-SUMMARY-<date>[-prod].md
25
26
  ├── AUDIT-SUMMARY-<date>[-prod].html
26
- ├── prod-assets/ # only when both agents share the same PNG captures
27
+ ├── prod-assets/ # only when orchestrator shares PNG captures across agents
27
28
  ├── ux-audit/
28
29
  │ ├── UX-AUDIT-<date>[-prod].md
29
30
  │ ├── UX-AUDIT-<date>[-prod].html
30
31
  │ └── assets/*.png
31
- └── ui-audit/
32
- ├── UI-AUDIT-<date>[-prod].md
33
- ├── UI-AUDIT-<date>[-prod].html
34
- └── assets/*.png
32
+ ├── ui-audit/
33
+ ├── UI-AUDIT-<date>[-prod].md
34
+ ├── UI-AUDIT-<date>[-prod].html
35
+ └── assets/*.png
36
+ └── a11y-audit/
37
+ ├── A11Y-AUDIT-<date>[-prod].{md,html,json}
38
+ ├── assets/*.png
39
+ └── axe-results/*.json
35
40
  ```
36
41
 
37
42
  Relative image paths in MD/HTML: `assets/<file>.png` — never base64, never `../prod-assets/`.
@@ -42,9 +47,10 @@ Relative image paths in MD/HTML: `assets/<file>.png` — never base64, never `..
42
47
  |-------|------|----------------|
43
48
  | **ux-auditor** | Guideline compliance: tokens, a11y, copy, messaging, personas | STOP & ASK, MD+HTML+PNG, Definition of done |
44
49
  | **ui-auditor** | IA, consistency, layout, interaction, responsiveness | STOP & ASK, MD+HTML+PNG, Definition of done |
50
+ | **a11y-auditor** | Deep accessibility: WCAG 2.2 A/AA, axe-core scan, VPAT/ACR datapoints | STOP & ASK, MD+HTML+PNG+JSON, no over-claiming |
45
51
 
46
- - Each agent writes to its own `ux-audit/` or `ui-audit/` subfolder with its own `assets/`.
47
- - Use `prod-assets/` **only** when orchestrator captures once and both agents reuse identical PNGs — then each agent copies into local `assets/` for Confluence-relative paths.
52
+ - Each agent writes to its own `ux-audit/`, `ui-audit/` or `a11y-audit/` subfolder with its own `assets/`.
53
+ - Use `prod-assets/` **only** when orchestrator captures once and agents reuse identical PNGs — each agent copies into local `assets/` for Confluence-relative paths.
48
54
  - Do **not** duplicate capture work unless one agent needs extra viewports/states the other missed.
49
55
 
50
56
  ## Step 1 — Shared setup (once, before agents)
@@ -54,14 +60,15 @@ Do this in the main session — **do not** delegate yet:
54
60
  1. **Refresh audit toolchain (Phase 0):**
55
61
  - **0a** — `@appfire-ux/audit-agent@latest` + `npx @appfire-ux/audit-agent`
56
62
  - **0b** — `@appfire-ux/guidelines@latest` + `npx @appfire-ux/guidelines`
63
+ - **0c** (when a11y-auditor runs) — `npm ls playwright axe-core --depth=0 || npm install -D playwright axe-core`; `npx playwright install chromium`
57
64
  - Record versions for the summary appendix.
58
65
  2. **Resolve base URL** — do not assume localhost. If blind-alley signals (OAuth redirect, auth wall, wrong UI) → **STOP & ASK** user with the template from ux-auditor before launching agents.
59
- 3. Unless `--static-only`: start **one** dev server OR use user-provided logged-in URL. Note base URL for both agents.
66
+ 3. Unless `--static-only`: start **one** dev server OR use user-provided logged-in URL. Note base URL for all agents.
60
67
  4. Optional shared capture: if Browser MCP or Playwright script runs here, save to `<out-dir>/prod-assets/` and tell agents to copy into their `assets/` folders.
61
68
 
62
69
  ## Step 2 — Launch agents in parallel
63
70
 
64
- Spawn **ux-auditor** and **ui-auditor** **concurrently**.
71
+ Spawn **ux-auditor**, **ui-auditor** and **a11y-auditor** **concurrently** (honor `--agents`).
65
72
 
66
73
  ```
67
74
  Phase 0 COMPLETE. Orchestrator context:
@@ -72,6 +79,7 @@ Phase 0 COMPLETE. Orchestrator context:
72
79
  - Language: …
73
80
  - ux report: <out-dir>/ux-audit/UX-AUDIT-<date>[-prod].md
74
81
  - ui report: <out-dir>/ui-audit/UI-AUDIT-<date>[-prod].md
82
+ - a11y report: <out-dir>/a11y-audit/A11Y-AUDIT-<date>[-prod].md (+ .json datapoints, axe-results/)
75
83
  - Shared prod-assets: [path or none — copy to local assets/ if used]
76
84
  - STOP & ASK already resolved: [yes/no — what user provided]
77
85
 
@@ -81,17 +89,17 @@ Follow Shared deliverables: MD+HTML+PNG, Definition of done.
81
89
  If STOP & ASK triggers mid-run, pause and ask user — do not fake verified-runtime.
82
90
  ```
83
91
 
84
- ## Step 3 — Combined summary + HTML (after both finish)
92
+ ## Step 3 — Combined summary + HTML (after all agents finish)
85
93
 
86
94
  1. Write `<out-dir>/AUDIT-SUMMARY-<date>[-prod].md`:
87
- - Executive overview (both lenses)
88
- - Links to both MD reports
95
+ - Executive overview (all lenses)
96
+ - Links to all MD reports
89
97
  - Combined scorecard + severity totals
90
98
  - Top 5 cross-cutting issues (deduplicated)
91
99
  - Merged handoffs
92
100
  - Shared Limitations (URL, viewports, roles, capture gaps)
93
101
  - Suggested remediation order
94
- 2. Generate HTML for **all three** reports:
102
+ 2. Generate HTML for **all** reports:
95
103
  ```bash
96
104
  node node_modules/@appfire-ux/audit-agent/scripts/build-html-reports.mjs --dir <out-dir>
97
105
  ```
@@ -100,4 +108,4 @@ If STOP & ASK triggers mid-run, pause and ask user — do not fake verified-runt
100
108
 
101
109
  ## Relay to the user
102
110
 
103
- MD + HTML paths (all three), combined severity counts, top 3 issues, capture coverage, Limitations, local preview URLs, whether parallel run and STOP & ASK occurred.
111
+ MD + HTML paths (all reports), combined severity counts, Baseline Accessibility Score + safe conclusion (a11y), top 3 issues, capture coverage, Limitations, local preview URLs, whether parallel run and STOP & ASK occurred. Remind the user the a11y `.json` feeds "AI Agent: VPAT Document" (Confluence, CRUX) for the ACR draft.