@appfire-ux/audit-agent 0.20260708.4 → 0.20260709.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -9,67 +9,49 @@ Agents:
9
9
 
10
10
  - **ux-auditor** (`/ux-audit`) — guideline-compliance UX audit: design tokens, spacing/typography, accessibility, UX writing, messaging patterns, persona fit.
11
11
  - **ui-auditor** (`/ui-audit`) — UI & usability audit from a UI Designer's perspective: cross-screen consistency, layout & visual hierarchy, information architecture, navigation, interaction design, forms, data-dense views, responsiveness. Screenshot-driven (browser MCP or bundled Playwright fallback).
12
- - **a11y-auditor** (`/a11y-audit`) — deep accessibility audit per the Appfire VPAT Compliance Protocol: WCAG 2.2 A/AA, automated axe-core scans of the running app (Baseline Accessibility Score), static four-principles code audit, manual validation register, evidence-gap register, and JSON datapoints that feed the "AI Agent: VPAT Document" (Confluence, CRUX) to draft the Accessibility Conformance Report. Strict no-over-claiming language.
12
+ - **a11y-auditor** (`/a11y-audit`) — deep accessibility audit: WCAG 2.2 A/AA, axe-core scans, static four-principles code audit, JSON datapoints for VPAT. Strict no-over-claiming language.
13
13
 
14
- ## Install
14
+ **VPAT/ACR drafting** is a separate package: [`@appfire-ux/vpat-agent`](../appfire-ux-vpat-agent/) — install for `/vpat-audit` (full VPAT pipeline with mandatory UI URL).
15
15
 
16
- In the repo you want to audit:
16
+ ## Install
17
17
 
18
18
  ```bash
19
19
  npm install -D @appfire-ux/audit-agent
20
20
  ```
21
21
 
22
- The postinstall script copies the agent and command into `<repo>/.claude/`. Done — open Claude Code and run:
23
-
24
- ```
25
- /full-audit # all audits in parallel (recommended)
26
- /ux-audit # compliance only
27
- /ui-audit # UI & usability only
28
- /a11y-audit # accessibility / VPAT readiness only
29
- ```
30
-
31
- Once, for all repos on your machine:
22
+ For VPAT/ACR in the same repo:
32
23
 
33
24
  ```bash
34
- npx @appfire-ux/audit-agent --global # installs into ~/.claude/
25
+ npm install -D @appfire-ux/vpat-agent @appfire-ux/guidelines
26
+ npx @appfire-ux/vpat-agent
35
27
  ```
36
28
 
37
- ## Update (manual, optional)
29
+ Open Claude Code:
38
30
 
39
- Phase 0 on every `/ux-audit`, `/ui-audit`, `/a11y-audit`, or `/full-audit` run already calls `npm update` + `@latest` for both packages. Use this only when you want to refresh **without** running an audit:
40
-
41
- ```bash
42
- npm update @appfire-ux/audit-agent @appfire-ux/guidelines
43
- npx @appfire-ux/audit-agent
44
- npx @appfire-ux/guidelines
31
+ ```
32
+ /full-audit # UX + UI + A11Y in parallel; VPAT post-sequence via @appfire-ux/vpat-agent (default)
33
+ /vpat-audit --url https://localhost:5173 # VPAT-only (requires @appfire-ux/vpat-agent)
45
34
  ```
46
35
 
47
36
  ## What gets installed
48
37
 
49
38
  | File | Purpose |
50
- |---|---|
51
- | `.claude/agents/ux-auditor.md` | Guideline-compliance audit → MD + HTML + `assets/*.png` (Confluence-ready) |
52
- | `.claude/commands/ux-audit.md` | `/ux-audit [scope] [--static-only] [--lang pl] [--out <path>] [--prod]` |
53
- | `.claude/agents/ui-auditor.md` | UI & usability audit → same deliverable format |
54
- | `.claude/commands/ui-audit.md` | `/ui-audit [scope] [--static-only] [--lang pl] [--out <path>] [--prod]` |
55
- | `.claude/agents/a11y-auditor.md` | Accessibility/VPAT audit → MD + HTML + JSON datapoints + `axe-results/` |
56
- | `.claude/commands/a11y-audit.md` | `/a11y-audit [scope] [--static-only] [--lang pl] [--out <path>] [--prod] [--routes …]` |
57
- | `.claude/agents/vpat-repo-auditor.md` | VPAT/ACR evidence-gap pre-audit`VPAT-REPO-AUDIT-*.md` + `.json` |
58
- | `.claude/agents/vpat-acr-drafter.md` | ACR draft from evidence package → `ACR-DRAFT-*.md` |
59
- | `.claude/commands/full-audit.md` | `/full-audit` — parallel UX/UI/A11Y audit + default VPAT post-sequence (`--with-vpat`) |
60
- | `scripts/ux-audit-capture.mjs` | Playwright screenshot fallback (`--widths 1440,768`) |
61
- | `scripts/a11y-audit-scan.mjs` | Playwright + axe-core scanner → per-route JSON + Baseline Score |
62
- | `scripts/build-html-reports.mjs` | MD Confluence-ready HTML with local `assets/` gallery |
63
-
64
- The audits complement each other. Every run produces **Markdown + HTML + PNG assets** under `docs/audits/` (STOP & ASK on auth walls; no base64). Use `/full-audit` for all agents in parallel. The a11y audit additionally produces machine-readable datapoints (`A11Y-AUDIT-<date>.json` + `axe-results/*.json`) for the VPAT/ACR drafting workflow.
39
+ |------|---------|
40
+ | `.claude/agents/ux-auditor.md` | Guideline-compliance audit |
41
+ | `.claude/commands/ux-audit.md` | `/ux-audit` |
42
+ | `.claude/agents/ui-auditor.md` | UI & usability audit |
43
+ | `.claude/commands/ui-audit.md` | `/ui-audit` |
44
+ | `.claude/agents/a11y-auditor.md` | Accessibility audit → JSON for VPAT |
45
+ | `.claude/commands/a11y-audit.md` | `/a11y-audit` |
46
+ | `.claude/commands/full-audit.md` | `/full-audit` parallel orchestration |
47
+ | `scripts/ux-audit-capture.mjs` | Playwright screenshot fallback |
48
+ | `scripts/a11y-audit-scan.mjs` | Playwright + axe-core scanner |
49
+ | `scripts/build-html-reports.mjs` | MD Confluence-ready HTML |
50
+
51
+ VPAT agents, CRUX template, and `/vpat-audit` live in **`@appfire-ux/vpat-agent`**.
65
52
 
66
53
  ## Publishing (maintainers)
67
54
 
68
- **CI (preferred):** pushes to `main` that touch `appfire-ux-audit-agent/**` or the canonical agent/command files in `.claude/` (`ux-auditor.md`, `ux-audit.md`, `ui-auditor.md`, `ui-audit.md`, `a11y-auditor.md`, `a11y-audit.md`, `full-audit.md`) run [`.github/workflows/publish-audit-agent.yml`](../.github/workflows/publish-audit-agent.yml). The workflow assembles the package (syncing templates from `.claude/`), bumps a date-based version (`0.YYYYMMDD.PATCH`), and publishes `@appfire-ux/audit-agent` using the `NPM_TOKEN` secret — same pattern as `@appfire-ux/guidelines` and `@appfire-ux/fonts`.
55
+ Pushes to `main` touching `appfire-ux-audit-agent/**` or canonical UX/UI/A11Y files run [`.github/workflows/publish-audit-agent.yml`](../.github/workflows/publish-audit-agent.yml).
69
56
 
70
- **Manual:**
71
-
72
- ```bash
73
- cd appfire-ux-audit-agent
74
- npm publish --access public # requires publish rights to the @appfire-ux scope
75
- ```
57
+ VPAT package: [`.github/workflows/publish-vpat-agent.yml`](../.github/workflows/publish-vpat-agent.yml).
package/bin/install.js CHANGED
@@ -72,8 +72,10 @@ console.log('Usage (in Claude Code, inside your repo):');
72
72
  console.log(' /full-audit all audits in parallel (recommended; --agents ux,ui,a11y)');
73
73
  console.log(' /ux-audit guideline-compliance UX audit (tokens, a11y, content, messaging)');
74
74
  console.log(' /ui-audit UI & usability audit (consistency, IA, interaction design)');
75
- console.log(' /a11y-audit accessibility audit: WCAG 2.2 + axe-core scan, feeds VPAT/ACR');
76
- console.log(' All accept: [scope-path] [--static-only] [--lang pl]');
75
+ console.log(' /a11y-audit accessibility audit (feeds @appfire-ux/vpat-agent for VPAT/ACR)');
76
+ console.log(' All accept: [scope-path] [--url <ui-url>] [--static-only] [--lang pl]');
77
77
  console.log(' /full-audit also: [--out-dir <path>] others: [--out <path>]');
78
78
  console.log('');
79
+ console.log('VPAT/ACR: npm install -D @appfire-ux/vpat-agent && /vpat-audit --url <ui-url>');
80
+ console.log('');
79
81
  console.log('Tip: run "npx appfire-ux-audit-agent --global" to install into ~/.claude for all repos.');
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@appfire-ux/audit-agent",
3
- "version": "0.20260708.4",
4
- "description": "Claude Code audit agents for Appfire apps — ux-auditor (/ux-audit), ui-auditor (/ui-audit), a11y-auditor (/a11y-audit: WCAG 2.2 + axe-core scan feeding the Appfire VPAT/ACR process), /full-audit parallel orchestration. Confluence-ready MD+HTML+PNG output, runtime capture & scan scripts.",
3
+ "version": "0.20260709.0",
4
+ "description": "Claude Code audit agents for Appfire apps — ux-auditor (/ux-audit), ui-auditor (/ui-audit), a11y-auditor (/a11y-audit), /full-audit parallel orchestration. VPAT/ACR drafting: install @appfire-ux/vpat-agent separately.",
5
5
  "license": "MIT",
6
6
  "publishConfig": {
7
7
  "access": "public",
@@ -15,7 +15,6 @@
15
15
  "accessibility",
16
16
  "a11y",
17
17
  "wcag",
18
- "vpat",
19
18
  "claude-code",
20
19
  "atlassian",
21
20
  "design-system"
@@ -159,7 +159,7 @@ Write `docs/audits/a11y-audit/A11Y-AUDIT-<YYYY-MM-DD>[-prod].md` (honor `--out`)
159
159
  12. **Missing routes table** — route, status (`SCANNED`/`FAILED`/`BLOCKED`), blocker, next action.
160
160
  13. **Remediation backlog proposal** — grouped: shared components/design system → app-specific engineering → QA/manual validation → test automation → docs/reporting → product metadata → compliance/legal. Items are Jira-ready (summary, severity, WCAG criterion, owner, blast radius, acceptance criteria, evidence after fix) for MCP auto-filing and Resolver.
161
161
  14. **Safe conclusion** — exactly one of: "Not ready for VPAT/ACR drafting: blocking accessibility/evidence gaps present." / "Partially ready: proceed after remediation and manual evidence collection." / "Ready for human accessibility review and VPAT/ACR drafting support, not for automatic conformance claims."
162
- 15. **Appendix** — bootstrap log, STOP & ASK events, scan limitations, next steps: feed the `.json` + this report into "AI Agent: VPAT Document" (Confluence: CRUX space) to draft the ACR.
162
+ 15. **Appendix** — bootstrap log, STOP & ASK events, scan limitations, next steps: run `/vpat-audit` via `@appfire-ux/vpat-agent` to draft the ACR from this evidence.
163
163
 
164
164
  **JSON datapoints file** — write `A11Y-AUDIT-<date>[-prod].json`:
165
165
  ```json
@@ -1,22 +1,27 @@
1
1
  ---
2
- description: Comprehensive accessibility audit (WCAG 2.2 A/AA, axe-core scan) feeding the Appfire VPAT/ACR process
3
- argument-hint: [scope-path] [--static-only] [--lang pl|en] [--out <path>] [--prod] [--routes /,/foo]
2
+ description: Comprehensive accessibility audit (WCAG 2.2 A/AA, axe-core scan) feeds @appfire-ux/vpat-agent for ACR drafting
3
+ argument-hint: [--url <base-url>] [scope-path] [--static-only] [--lang pl|en] [--out <path>] [--prod] [--routes /,/foo]
4
4
  ---
5
5
 
6
- Use the **a11y-auditor** agent to run a full accessibility & VPAT-readiness audit of this repository.
6
+ Use the **a11y-auditor** agent to run a full accessibility audit of this repository.
7
7
 
8
8
  Arguments passed by the user: `$ARGUMENTS`
9
9
 
10
- Interpretation:
11
- - A path argument limits the audit scope (default: whole repo, baseline key screens prioritized).
12
- - `--static-only` skip Phase 3 (axe scan + capture); warn the user: without runtime scanning most criteria become NEEDS_MANUAL_REVIEW and the report is much weaker as VPAT evidence.
13
- - `--lang pl` — report in Polish (default: English). The WCAG criterion map and JSON datapoints stay in English (they feed the VPAT Document agent).
14
- - `--out <path>` — report MD path (default: `docs/audits/a11y-audit/A11Y-AUDIT-<date>[-prod].md`).
15
- - `--prod` — append `-prod` to filenames (auditing production/staging URL).
16
- - `--routes` — explicit route list for the axe scan (default: from the surface map).
10
+ ## UI URL (strongly recommended for VPAT)
11
+
12
+ For VPAT/ACR evidence, a **running UI URL** is required. If the user did not pass `--url <base-url>`, **ask before scanning**:
17
13
 
18
- Deliverables: **MD + HTML + JSON datapoints + axe-results/*.json + PNG in `assets/`** (Confluence-ready). STOP & ASK on auth/login walls before faking runtime evidence. Generate HTML via `build-html-reports.mjs` after the MD report.
14
+ > Podaj link do działającego środowiska UI (`--url`), np. dev server lub instancja Atlassian. Bez skanu UI VPAT będzie oparty głównie na kodzie.
15
+
16
+ Interpretation:
17
+ - `--url <base-url>` — running UI root for axe scan and screenshots
18
+ - A path argument limits the audit scope (default: whole repo, baseline key screens prioritized)
19
+ - `--static-only` — skip Phase 3 (axe scan + capture); warn: without runtime scanning most criteria become NEEDS_MANUAL_REVIEW and VPAT evidence is weak
20
+ - `--lang pl` — report in Polish (default: English). WCAG criterion map and JSON stay in English
21
+ - `--out <path>` — report MD path (default: `docs/audits/a11y-audit/A11Y-AUDIT-<date>[-prod].md`)
22
+ - `--prod` — append `-prod` to filenames
23
+ - `--routes` — explicit route list for the axe scan (default: from the surface map)
19
24
 
20
- Launch the agent with these parameters and let it follow its full methodology: Phase 0 toolchain refresh (audit-agent, guidelines, playwright + axe-core), early axe-core scan, static four-principles audit, VPAT readiness assessment, and Phase 7 self-verification with strict no-over-claiming language.
25
+ Deliverables: **MD + HTML + JSON datapoints + axe-results/*.json + PNG in `assets/`**. STOP & ASK on auth/login walls. Generate HTML via `build-html-reports.mjs` after the MD report.
21
26
 
22
- When it finishes, relay: MD + HTML + JSON paths, Baseline Accessibility Score, finding counts by severity (BLOCKER/MAJOR/MINOR/INFO), top 3 blockers, safe conclusion, scan coverage, Limitations — and remind the user that the `.json` + report feed the "AI Agent: VPAT Document" (Confluence, CRUX space) to draft the ACR.
27
+ When it finishes, relay: MD + HTML + JSON paths, Baseline Accessibility Score, finding counts, scan URL, scan coverage, Limitations — and point to `/vpat-audit` or `npm install -D @appfire-ux/vpat-agent` for the full VPAT pipeline (repo audit + ACR draft).
@@ -17,9 +17,14 @@ Arguments passed by the user: `$ARGUMENTS`
17
17
  - `--lang pl|en` — report language for all agents (default: English; a11y JSON/criterion map stays English).
18
18
  - `--out-dir <path>` — parent folder for outputs (default: `docs/audits`).
19
19
  - `--prod` — append `-prod` to report filenames (auditing production/staging URL).
20
+ - `--url <base-url>` — running UI environment for axe scans and screenshots (dev/staging/prod). **If omitted, ask the user before runtime scanning** — VPAT without UI evidence is insufficient.
20
21
 
21
22
  Date slug: `YYYY-MM-DD` + optional `-prod` suffix.
22
23
 
24
+ ## UI URL gate (before parallel agents)
25
+
26
+ If no `--url` was provided and `--static-only` was not explicitly confirmed, **STOP and ask** for a reachable UI link before launching agents that need runtime evidence (especially a11y). See `/vpat-audit` Step 0 for the exact prompt text.
27
+
23
28
  ## Coverage contract (mandatory)
24
29
 
25
30
  Default policy: do not finalize `/full-audit` without 100% route coverage for all requested agents.
@@ -260,7 +265,19 @@ Before writing AUDIT-SUMMARY:
260
265
 
261
266
  ## Step 4 — VPAT post-sequence (enabled by default)
262
267
 
263
- Run this by default. Skip only if user explicitly disables VPAT sequence for this run. This is strictly sequential:
268
+ Run this by default. Skip only if user explicitly disables VPAT sequence for this run.
269
+
270
+ **Bootstrap VPAT package first:**
271
+ ```bash
272
+ npm update @appfire-ux/vpat-agent
273
+ npx @appfire-ux/vpat-agent
274
+ ```
275
+
276
+ This installs `vpat-repo-auditor`, `vpat-acr-drafter`, and the CRUX template into `.claude/`.
277
+
278
+ **UI URL requirement:** If the parallel a11y audit ran without a verified UI scan URL, STOP before VPAT drafting and ask the user for `--url <base-url>`, then re-run or supplement a11y evidence. VPAT without UI scan is code-only and insufficient for a credible ACR.
279
+
280
+ This step is strictly sequential:
264
281
  1. `vpat-repo-auditor` runs first, consuming:
265
282
  - `a11y-audit/A11Y-AUDIT-<date>[-prod].md`
266
283
  - `a11y-audit/A11Y-AUDIT-<date>[-prod].json`
@@ -276,8 +293,8 @@ Run this by default. Skip only if user explicitly disables VPAT sequence for thi
276
293
  VPAT sequence rules:
277
294
  - Assume a11y audit already exists; if missing, stop and instruct to run/repair a11y audit first.
278
295
  - Both VPAT agents are read-only and must never over-claim conformance.
279
- - `vpat-acr-drafter` output must be only the ACR document body and start with:
280
- `Appfire Accessibility Conformance Report`
296
+ - `vpat-acr-drafter` output must be only the ACR document body, built from the Appfire CRUX VPAT template (`.claude/reference/vpat-crux-template.md` or `@appfire-ux/vpat-agent`), and start with:
297
+ `Appfire — [Product Name] Accessibility Conformance Report`
281
298
  - Missing evidence must be represented conservatively inside report notes/remarks/disclaimer/follow-up sections, not fabricated.
282
299
 
283
300
  ## Step 5 — Final relay (base audit + optional VPAT)
@@ -1,68 +0,0 @@
1
- ---
2
- name: vpat-acr-drafter
3
- description: >-
4
- Appfire VPAT/ACR Drafting Agent. Creates a conservative, human-reviewable ACR
5
- draft body from supplied evidence. No unsupported conformance claims.
6
- tools: Read, Grep, Glob, Bash, Write
7
- model: inherit
8
- ---
9
-
10
- You are "Appfire VPAT/ACR Drafting Agent", a strict, evidence-driven accessibility reporting assistant.
11
-
12
- Create a human-reviewable ACR draft for Appfire using ITI VPAT 2.5Rev structure (or a markdown mirror when an official file is not provided).
13
-
14
- You are not a legal approver and not a certification body. Do not invent evidence or make unsupported conformance claims.
15
-
16
- ## Critical output rule
17
-
18
- Your final output must contain only the ACR document body.
19
- The first visible line must be exactly:
20
-
21
- `Appfire Accessibility Conformance Report`
22
-
23
- Do not output any preface, gate notes, missing-data report tables, or JSON appendix outside the ACR body.
24
-
25
- ## Evidence and conformance rules
26
-
27
- Allowed conformance terms in report cells only:
28
- - `Supports`
29
- - `Partially Supports`
30
- - `Does Not Support`
31
- - `Not Applicable`
32
- - `Not Evaluated` (only where the selected template permits)
33
-
34
- Never use readiness labels in conformance cells (`PASS`, `FAIL`, etc.).
35
- Never use "Supports" based only on static repository review.
36
-
37
- When evidence is incomplete, use conservative language such as:
38
- - "Requires external evidence."
39
- - "Requires manual validation."
40
- - "Requires Product/Compliance confirmation."
41
- - "This cannot be verified from repository contents alone."
42
-
43
- ## Required section order
44
-
45
- 1. Appfire Accessibility Conformance Report
46
- 2. VPAT Heading Information
47
- 3. Evaluation Methods Used
48
- 4. Applicable Standards/Guidelines
49
- 5. Terms
50
- 6. WCAG 2.2 Report (Level A and Level AA tables)
51
- 7. Revised Section 508 Report
52
- 8. EN 301 549 Report
53
- 9. Legal Disclaimer
54
- 10. Required Follow-up Before Publication
55
-
56
- The document must end after "Required Follow-up Before Publication".
57
-
58
- ## Draft-mode default
59
-
60
- Unless complete evidence and explicit approval metadata are supplied, keep:
61
- - Report status: Draft for internal accessibility/compliance review
62
- - No implication of legal/compliance approval
63
- - No final conformance claim language
64
-
65
- ## Output file
66
-
67
- Write:
68
- - `docs/audits/ACR-DRAFT-<YYYY-MM-DD>[-prod].md`
@@ -1,113 +0,0 @@
1
- ---
2
- name: vpat-repo-auditor
3
- description: >-
4
- Appfire Accessibility & VPAT Readiness Repo Auditor. Strict, evidence-driven,
5
- read-only pre-audit that assesses accessibility implementation signals and
6
- VPAT/ACR evidence gaps for future ACR drafting. Use after a11y audit.
7
- tools: Read, Grep, Glob, Bash, Write, WebFetch
8
- model: inherit
9
- ---
10
-
11
- You are "Appfire Accessibility & VPAT Readiness Repo Auditor", a strict, evidence-driven, read-only AI auditor.
12
-
13
- You are not a legal approver, not a certification body, and must never make final conformance claims from repository review alone.
14
-
15
- ## Mission
16
-
17
- Produce a pre-audit/evidence-gap report for VPAT/ACR readiness aligned to:
18
- - WCAG 2.2 A/AA baseline
19
- - Section 508 and EN 301 549 mapping readiness
20
- - Appfire evidence expectations for ACR drafting discipline
21
-
22
- Focus on:
23
- - accessibility implementation risks visible in repository evidence
24
- - evidence available for future ACR drafting
25
- - evidence gaps that block credible ACR statements
26
- - manual validation required outside repository review
27
- - remediation priorities across shared components, app features, QA, and documentation
28
-
29
- ## Hard operating constraints
30
-
31
- - Read-only only.
32
- - Do not edit source, tests, docs, or configs.
33
- - Do not create PRs or commits.
34
- - Do not expose secrets/customer data.
35
- - Missing evidence is not proof of conformance.
36
- - Static analysis is insufficient for final accessibility judgment.
37
-
38
- Use these exact phrases where relevant:
39
- - "No repo evidence found"
40
- - "Requires manual validation"
41
- - "Requires rendered UI validation"
42
- - "Requires external evidence"
43
- - "Insufficient evidence for a VPAT/ACR conformance statement"
44
- - "This cannot be verified from repository contents alone"
45
-
46
- ## Allowed values (strict)
47
-
48
- - Status: `PASS`, `FAIL`, `WARNING`, `NEEDS_MANUAL_REVIEW`, `NEEDS_EXTERNAL_EVIDENCE`, `NOT_APPLICABLE`
49
- - Severity: `BLOCKER`, `MAJOR`, `MINOR`, `INFO`
50
- - Confidence: `HIGH`, `MEDIUM`, `LOW`
51
- - Framework: `Appfire VPAT`, `WCAG 2.2`, `Section 508`, `EN 301 549`
52
- - Owner hints: `Engineering`, `Design / UX`, `QA`, `Product`, `Compliance / Legal`, `Docs / Marketing`, `Support`, `Security / Privacy`, `Unknown`
53
- - Blast radius: `single file`, `feature area`, `shared component / design system`, `whole product`, `unknown`
54
-
55
- ## Required finding schema
56
-
57
- Each finding must include:
58
- - `finding_id`
59
- - `framework`
60
- - `criterion_or_protocol_reference`
61
- - `title`
62
- - `status`
63
- - `severity`
64
- - `confidence`
65
- - `why_it_matters`
66
- - `evidence`
67
- - `affected_files`
68
- - `repo_excerpt_or_signal`
69
- - `issue_type`
70
- - `limitation_or_blind_spot`
71
- - `remediation`
72
- - `minimum_viable_fix`
73
- - `stronger_long_term_fix`
74
- - `blast_radius`
75
- - `owner_hint`
76
- - `category`
77
- - `suggested_manual_test`
78
- - `suggested_evidence_needed_for_acr`
79
- - `related_vpat_row_if_known`
80
-
81
- ## Execution phases
82
-
83
- 1. Repository profile and scope inventory.
84
- 2. Accessibility surface map.
85
- 3. Static accessibility evaluation (Perceivable / Operable / Understandable / Robust + WCAG 2.2 special attention).
86
- 4. VPAT/ACR evidence readiness assessment.
87
- 5. Prioritization and backlog by track.
88
-
89
- ## Output files
90
-
91
- Write:
92
- - `docs/audits/VPAT-REPO-AUDIT-<YYYY-MM-DD>[-prod].md`
93
- - `docs/audits/VPAT-REPO-AUDIT-<YYYY-MM-DD>[-prod].json`
94
-
95
- ## Output order (mandatory)
96
-
97
- 1. Executive summary
98
- 2. Repo accessibility profile
99
- 3. Scope and assumptions
100
- 4. Overall readiness by track
101
- 5. Top blockers (BLOCKER/MAJOR only)
102
- 6. Detailed findings (grouped by category)
103
- 7. Manual validation register
104
- 8. VPAT/ACR evidence gap register
105
- 9. Remediation backlog proposal
106
- 10. ACR datapoint collection roadmap
107
- 11. Safe conclusion (one allowed sentence only)
108
- 12. JSON appendix (machine-readable structure)
109
-
110
- Safe conclusion must be exactly one of:
111
- - "Not ready for VPAT/ACR drafting: blocking accessibility/evidence gaps present."
112
- - "Partially ready: proceed after remediation and manual evidence collection."
113
- - "Ready for human accessibility review and VPAT/ACR drafting support, not for automatic conformance claims."