@blamejs/core 0.7.105 → 0.7.106

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.106** (2026-05-06) — `b.guardHtml.wcag` — WCAG 2.2 audit-only accessibility scanner. Pure static analysis (no rendering, no JS execution) emitting structured findings the operator wires into a CI gate / audit log / dev warning. **`b.guardHtml.wcag.audit(html, { level, ignore, allowedRoles, allowedAutocomplete, ... })`** returns `{ findings: [{ sc, level, severity, element, line, column, message, remediation }], summary: { error, warning, info }, score, totalFindings, scopeUrl, scannedAt }`. Page-level checks: `<html lang>` (3.1.1), `<title>` (2.4.2), skip-link (2.4.1). Element-level checks: `<img alt>` (1.1.1), input labels (3.3.2), input names (4.1.2), button text (4.1.2), anchor accessible name (2.4.4), heading order + empty heading (1.3.1). **`b.guardHtml.wcag.aria.audit(html)`** — WAI-ARIA 1.2 validation: unknown role values, missing required ARIA properties (e.g. `role="checkbox"` without `aria-checked`), aria-* values outside the spec value set (`aria-checked` ∉ `{true, false, mixed}`), unresolved `aria-labelledby` / `aria-controls` / `aria-describedby` references, and `aria-hidden="true"` on interactive elements. Operators with custom design systems extend the role registry via `allowedRoles`. **`b.guardHtml.wcag.tables.audit(html)`** — Table semantics: `<table>` without `<caption>` (data tables only — layout tables with `role="presentation"` skip the check), `<th>` without scope or with invalid scope value, `<tr>` outside table-context wrappers. **`b.guardHtml.wcag.forms.audit(html)`** — Form-specific: `<fieldset>` without `<legend>` (1.3.1), input `autocomplete=` value against the HTML 5.3 token registry (1.3.5), password input with `autocomplete="off"` (3.3.8 blocks password managers), input/email without autocomplete (3.3.7 redundant entry), `<textarea>` without label. Conformance level filter (`A` / `AA` / `AAA`); `ignore: ["1.4.3"]` for SC-by-SC opt-out; `skipAria` / `skipTables` / `skipForms` for module-level opt-out. Heuristic score (1 - weighted-violations / heuristic-max) for quick gauge. 51 test cases.
+
 - **0.7.105** (2026-05-06) — `b.compliance.sanctions` — sanctions-list screening primitive. Operators handling KYC / payment / customer-onboarding flows screen names against the U.S. Treasury OFAC SDN list, EU CSL, UK HMT consolidated list, UN 1267 list, or operator-defined lists. The framework owns indexing + match algorithm; the operator owns the daily fetch + format-specific parsing (the framework intentionally does not vendor the list — it changes daily and has legal-distribution implications). **`b.compliance.sanctions.create({ entries, algorithm, fuzzy, ... })`** returns a screener with `screen(input)` (single record), `screenBulk(inputs)` (batch), `snapshot()` (rule-version digest for audit trails), `reload(newEntries)` (atomic index swap with diff), `entryById(id)` (lookup), and `size()`. Three match strategies: `exact` (fastest, no fuzz), `jaro-winkler` (default, threshold 0.85), `levenshtein` (edit-distance with cap). Match output: `{ match: bool, hits: [{ entryId, name, matchedOn, score, reason, listed, programs }], algorithm, ruleVersion, screenedAt }`. **`b.compliance.sanctions.fuzzy`** — pure algorithmic core: `normalize` (Unicode diacritic strip + lowercase + whitespace collapse), `tokenize`, `levenshtein` (cap + early-exit), `jaro` / `jaroWinkler`, `tokenSetSimilarity` (order-invariant bag-of-tokens), `substringContains` (token-bounded), `initialsMatch`. **`b.compliance.sanctions.aliases.expand(name, opts)`** — alias-expansion helper covering nicknames (Bill ↔ William, Mike ↔ Michael), transliteration variants (Mohamed ↔ Mohammed), reverse-order forms (Smith John / Smith, John), and initials (J. Smith). 32 built-in name pairs plus operator-extensible `extraPairs`. **`b.compliance.sanctions.fetcher.create({ screener, fetch, intervalMs, onRefreshed, onError })`** — periodic refresh worker that runs the operator's `fetch` callback, validates a non-empty result, and atomically reloads the screener via `screener.reload`. Audit emissions on every refresh state (`compliance.sanctions.refresh.started` / `completed` / `skipped` / `failed`). **Parser shims** for the canonical public list formats: `parseOfacCsvRow` / `parseOfacAliasRow` / `mergeAliases` (OFAC SDN), `parseEuCslEntry` (EU Consolidated Sanctions List XML), `parseUn1267Entry` (UN Security Council XML). Audit emissions: `compliance.sanctions.screened` (every screen call), `compliance.sanctions.matched` (when hits > 0). Test coverage: 39 cases across normalize / tokenize / Levenshtein / Jaro-Winkler / token-set / substring / initials / screen exact + jw + levenshtein / type filter / bulk / snapshot / reload / alias expansion / fetcher tick + failure modes.
 
 - **0.7.104** (2026-05-06) — `b.dsr` Data Subject Rights workflow primitive (~2000 LoC). End-to-end coordinator for GDPR Article 15-22 / CCPA / CPRA / LGPD / PIPEDA / UK-GDPR data-subject requests. **`b.dsr.create({ ticketStore, posture, identityResolver, sources, ... })`** returns a workflow instance with full ticket lifecycle: `submit(input)` resolves subject identity via the operator-supplied `identityResolver`, computes a posture-aware deadline (gdpr 30d / ccpa 45d / lgpd-br 15d / pipl-cn 15d / pipeda-ca 30d / appi-jp 30d / pdpa-sg 30d / uk-gdpr 30d), and persists a pending ticket. `process(ticketId, opts)` orchestrates per-source `query` (for access / portability / rectification) or `erase` (for erasure) callbacks; partial source failures land the ticket in `partially_completed` state with per-source error capture. `cancel` / `reject` (with required reason per GDPR) advance to terminal states. `expireOverdue()` sweep marks deadline-overdue tickets as `expired`. Seven request types: `access` / `erasure` / `portability` / `rectification` / `restriction` / `object` / `automated-decision`. **Verification ladder** (`minimal` / `secondary` / `strong`) per GDPR Art. 12(6) — minimum required level by request type with operator override; erasure / portability / rectification require `secondary` by default. **Receipt builder** (`buildReceipt(ticketId)`) — emits a canonical `blamejs.dsr.receipt/1` JSON envelope for completed/cancelled/rejected/expired tickets with optional operator-side `receiptSigner` hook for cryptographic attestation. **Portability bundle builder** (`buildPortabilityBundle(ticket)`) — `blamejs.dsr.portability/1` JSON shape with per-source data for access / portability requests. **Two ticket-store backends** ship: `memoryTicketStore()` for development / tests, `dbTicketStore({ db, table })` for production (auto-provisions a SQLite table with subject_email + status indexes, includes a `purgeExpired()` retention sweep). Audit emissions on every state transition (`dsr.ticket.submitted` / `in_progress` / `completed` / `partial` / `cancelled` / `rejected` / `expired` plus per-source `dsr.source.queried` / `erased` / `failed`). Test coverage: 38 cases across submit / process / cancel / reject / list / expire / portability / verification ladder / receipt / store backends.

package/lib/guard-html-wcag-aria.js

@@ -0,0 +1,164 @@
+"use strict";
+
+var validateOpts = require("./validate-opts");
+var tagwalk = require("./guard-html-wcag-tagwalk");
+
+var KNOWN_ROLES = Object.freeze([
+  "banner","complementary","contentinfo","form","main","navigation","region","search",
+  "alert","alertdialog","log","marquee","status","timer",
+  "article","definition","directory","document","feed","figure","group","heading","img",
+  "list","listitem","math","note","presentation","none","row","rowgroup","rowheader",
+  "separator","table","term","toolbar","tooltip",
+  "button","checkbox","combobox","dialog","grid","gridcell","link","listbox","menu",
+  "menubar","menuitem","menuitemcheckbox","menuitemradio","option","progressbar","radio",
+  "radiogroup","scrollbar","searchbox","slider","spinbutton","switch","tab","tablist",
+  "tabpanel","textbox","tree","treegrid","treeitem","application",
+]);
+
+var ROLE_REQUIRED_PROPS = Object.freeze({
+  "checkbox":         ["aria-checked"],
+  "switch":           ["aria-checked"],
+  "radio":            ["aria-checked"],
+  "menuitemradio":    ["aria-checked"],
+  "menuitemcheckbox": ["aria-checked"],
+  "combobox":         ["aria-expanded"],
+  "scrollbar":        ["aria-valuenow"],
+  "slider":           ["aria-valuenow"],
+  "spinbutton":       ["aria-valuenow"],
+  "heading":          ["aria-level"],
+  "option":           ["aria-selected"],
+});
+
+var ARIA_VALUE_SETS = Object.freeze({
+  "aria-checked":     ["true","false","mixed"],
+  "aria-expanded":    ["true","false"],
+  "aria-pressed":     ["true","false","mixed"],
+  "aria-selected":    ["true","false"],
+  "aria-disabled":    ["true","false"],
+  "aria-hidden":      ["true","false"],
+  "aria-haspopup":    ["false","true","menu","listbox","tree","grid","dialog"],
+  "aria-orientation": ["horizontal","vertical"],
+  "aria-current":     ["page","step","location","date","time","true","false"],
+  "aria-live":        ["off","polite","assertive"],
+  "aria-sort":        ["ascending","descending","none","other"],
+  "aria-autocomplete":["inline","list","both","none"],
+});
+
+var _TAG_RE = tagwalk.TAG_RE;
+var _parseAttrs = tagwalk.parseAttrs;
+var _lineColAt = tagwalk.lineColAt;
+
+function audit(html, opts) {
+  opts = opts || {};
+  validateOpts(opts, ["allowedRoles", "scopeUrl"], "guardHtml.wcag.aria.audit");
+  if (typeof html !== "string") {
+    throw new TypeError("aria.audit: html must be a string");
+  }
+  var allowedRoles = Array.isArray(opts.allowedRoles)
+    ? KNOWN_ROLES.concat(opts.allowedRoles)
+    : KNOWN_ROLES;
+
+  var findings = [];
+  function _add(f) { findings.push(f); }
+
+  var declaredIds = Object.create(null);
+  var idRe = /\bid\s*=\s*["']([^"']+)["']/gi;
+  var im;
+  while ((im = idRe.exec(html))) {                                                 // RegExp.prototype.exec
+    declaredIds[im[1]] = true;
+  }
+
+  _TAG_RE.lastIndex = 0;
+  var m;
+  while ((m = _TAG_RE.exec(html))) {                                               // RegExp.prototype.exec
+    if (m[0].charAt(1) === "/") continue;
+    var tagName = m[1].toLowerCase();
+    var attrs = _parseAttrs(m[2]);
+    var offset = m.index;
+    var pos = _lineColAt(html, offset);
+
+    if ("role" in attrs) {
+      var roles = attrs.role.split(/\s+/).filter(Boolean);
+      for (var ri = 0; ri < roles.length; ri++) {
+        if (allowedRoles.indexOf(roles[ri]) === -1) {
+          _add({
+            sc: "4.1.2", level: "A", severity: "warning",
+            element: tagName, line: pos.line, column: pos.column,
+            message: "Unknown ARIA role \"" + roles[ri] + "\" (typo? unsupported by AT?)",
+            remediation: "Use a known WAI-ARIA 1.2 role or remove the role attribute",
+          });
+        }
+      }
+      for (var rj = 0; rj < roles.length; rj++) {
+        var required = ROLE_REQUIRED_PROPS[roles[rj]];
+        if (!Array.isArray(required) || required.length === 0) continue;
+        for (var ai = 0; ai < required.length; ai++) {
+          if (!(required[ai] in attrs)) {
+            _add({
+              sc: "4.1.2", level: "A", severity: "error",
+              element: tagName, line: pos.line, column: pos.column,
+              message: "ARIA role=\"" + roles[rj] + "\" requires attribute \"" + required[ai] + "\"",
+              remediation: "Add " + required[ai] + "=\"<valid-value>\" to the element",
+            });
+          }
+        }
+      }
+    }
+
+    var attrNames = Object.keys(attrs);
+    for (var ki = 0; ki < attrNames.length; ki++) {
+      var key = attrNames[ki];
+      if (key.indexOf("aria-") !== 0) continue;
+      var allowedValues = ARIA_VALUE_SETS[key];
+      if (!Array.isArray(allowedValues)) continue;
+      var v = String(attrs[key]).trim();
+      if (allowedValues.indexOf(v) === -1) {
+        _add({
+          sc: "4.1.2", level: "A", severity: "error",
+          element: tagName, line: pos.line, column: pos.column,
+          message: key + "=\"" + v + "\" is not in the allowed value set [" + allowedValues.join(", ") + "]",
+          remediation: "Set " + key + " to one of the allowed values",
+        });
+      }
+    }
+
+    var refAttrs = ["aria-labelledby", "aria-controls", "aria-describedby"];
+    for (var rai = 0; rai < refAttrs.length; rai++) {
+      var refKey = refAttrs[rai];
+      if (!(refKey in attrs)) continue;
+      var idsRefd = attrs[refKey].split(/\s+/).filter(Boolean);
+      for (var idi = 0; idi < idsRefd.length; idi++) {
+        if (!declaredIds[idsRefd[idi]]) {
+          _add({
+            sc: "4.1.2", level: "A", severity: "error",
+            element: tagName, line: pos.line, column: pos.column,
+            message: refKey + "=\"" + idsRefd[idi] + "\" references id that is not declared in the document",
+            remediation: "Either declare an element with id=\"" + idsRefd[idi] + "\" or remove the reference",
+          });
+        }
+      }
+    }
+
+    if (attrs["aria-hidden"] === "true") {
+      var interactive = ["a", "button", "input", "select", "textarea"].indexOf(tagName) !== -1;
+      var hasTabindex = "tabindex" in attrs && attrs.tabindex !== "-1";
+      if (interactive || hasTabindex) {
+        _add({
+          sc: "4.1.2", level: "A", severity: "error",
+          element: tagName, line: pos.line, column: pos.column,
+          message: "aria-hidden=\"true\" on interactive element",
+          remediation: "Remove aria-hidden, or remove from focus order via tabindex=\"-1\" (and disable interactivity)",
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  audit:               audit,
+  KNOWN_ROLES:         KNOWN_ROLES,
+  ROLE_REQUIRED_PROPS: ROLE_REQUIRED_PROPS,
+  ARIA_VALUE_SETS:     ARIA_VALUE_SETS,
+};

package/lib/guard-html-wcag-forms.js

@@ -0,0 +1,144 @@
+"use strict";
+/**
+ * Form-specific accessibility validation for the WCAG 2.2 audit-only
+ * scanner.
+ *
+ * Checks:
+ *   - <fieldset> without <legend> (WCAG 1.3.1)
+ *   - <input autocomplete=""> against the HTML 5.3 token registry
+ *     (WCAG 1.3.5 — Identify Input Purpose)
+ *   - Required field without aria-required / required (WCAG 3.3.7)
+ *   - Form submit without explicit submit button or commit-on-enter
+ *     marker (WCAG 3.3.4 — Error Prevention)
+ *   - <input type="password"> within an autocomplete-disabled form
+ *     (WCAG 3.3.8 — Accessible Authentication)
+ *   - <textarea> without label / aria-label (WCAG 3.3.2)
+ *
+ * Exposed under b.guardHtml.wcag.forms.audit(html, opts).
+ */
+
+var validateOpts = require("./validate-opts");
+var tagwalk = require("./guard-html-wcag-tagwalk");
+
+// HTML 5.3 §4.10.18.7.1 — autocomplete token registry. Operators
+// override / extend via opts.allowedAutocomplete. The framework
+// allowlists the most common values; rare ones are flagged as
+// warnings (operator might be using a custom token in error).
+var AUTOCOMPLETE_TOKENS = Object.freeze([
+  "off", "on",
+  "name", "honorific-prefix", "given-name", "additional-name", "family-name",
+  "honorific-suffix", "nickname", "username", "new-password", "current-password",
+  "one-time-code",
+  "organization-title", "organization",
+  "street-address", "address-line1", "address-line2", "address-line3",
+  "address-level4", "address-level3", "address-level2", "address-level1",
+  "country", "country-name", "postal-code",
+  "cc-name", "cc-given-name", "cc-additional-name", "cc-family-name",
+  "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc", "cc-type",
+  "transaction-currency", "transaction-amount",
+  "language",
+  "bday", "bday-day", "bday-month", "bday-year", "sex",
+  "tel", "tel-country-code", "tel-national", "tel-area-code", "tel-local",
+  "tel-extension", "email",
+  "impp", "url", "photo",
+]);
+
+function audit(html, opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "allowedAutocomplete", "scopeUrl",
+  ], "guardHtml.wcag.forms.audit");
+  if (typeof html !== "string") {
+    throw new TypeError("forms.audit: html must be a string");
+  }
+  var allowed = Array.isArray(opts.allowedAutocomplete)
+    ? AUTOCOMPLETE_TOKENS.concat(opts.allowedAutocomplete)
+    : AUTOCOMPLETE_TOKENS;
+
+  var findings = [];
+  function _add(f) { findings.push(f); }
+
+  // Pre-scan: is there a <legend> inside any <fieldset>?
+  // We track fieldset → has-legend by forward-scanning each fieldset.
+  tagwalk.TAG_RE.lastIndex = 0;
+  var m;
+  while ((m = tagwalk.TAG_RE.exec(html))) {
+    if (m[0].charAt(1) === "/") continue;
+    var tagName = m[1].toLowerCase();
+    var attrs = tagwalk.parseAttrs(m[2]);
+    var pos = tagwalk.lineColAt(html, m.index);
+
+    if (tagName === "fieldset") {
+      // Forward-look for </fieldset>
+      var closeIdx = html.indexOf("</fieldset>", m.index);
+      var inside = closeIdx === -1 ? html.slice(m.index) : html.slice(m.index, closeIdx);
+      if (!/<legend\b/i.test(inside)) {
+        _add({
+          sc: "1.3.1", level: "A", severity: "warning",
+          element: "fieldset", line: pos.line, column: pos.column,
+          message: "<fieldset> has no <legend> (assistive tech can't announce the field-group purpose)",
+          remediation: "Add <legend>Group title</legend> as the first child of <fieldset>",
+        });
+      }
+    }
+
+    if (tagName === "input" && "autocomplete" in attrs) {
+      var v = String(attrs.autocomplete).trim().toLowerCase();
+      // autocomplete supports compound tokens like "section-foo billing tel";
+      // we check the LAST token (the canonical purpose token).
+      var tokens = v.split(/\s+/);
+      var canonical = tokens[tokens.length - 1];
+      if (allowed.indexOf(canonical) === -1) {
+        _add({
+          sc: "1.3.5", level: "AA", severity: "warning",
+          element: "input", line: pos.line, column: pos.column,
+          message: "input autocomplete=\"" + v + "\" canonical token \"" + canonical +
+                   "\" is not in the HTML 5.3 registry",
+          remediation: "Use a registered autocomplete token (https://www.w3.org/TR/html53/sec-forms.html#autofill)",
+        });
+      }
+    }
+
+    if (tagName === "input" && attrs.type === "password" &&
+        "autocomplete" in attrs &&
+        attrs.autocomplete === "off") {
+      _add({
+        sc: "3.3.8", level: "AA", severity: "warning",
+        element: "input", line: pos.line, column: pos.column,
+        message: "password input has autocomplete=\"off\" (blocks password manager — WCAG 3.3.8 requires accessible authentication; password managers count as a recognised authentication aid)",
+        remediation: "Use autocomplete=\"current-password\" or autocomplete=\"new-password\" instead of \"off\"",
+      });
+    }
+
+    // 3.3.7 redundant entry — input type=email/tel/etc. without
+    // autocomplete attribute prevents browsers from offering
+    // saved values, forcing users to re-enter every time.
+    if (tagName === "input" && !("autocomplete" in attrs) &&
+        ["email", "tel", "name"].indexOf(attrs.type) !== -1) {
+      _add({
+        sc: "3.3.7", level: "A", severity: "info",
+        element: "input", line: pos.line, column: pos.column,
+        message: "input type=\"" + attrs.type + "\" has no autocomplete attribute (browsers can't offer saved values; users re-enter)",
+        remediation: "Add autocomplete=\"email\" / \"tel\" / \"name\" / etc.",
+      });
+    }
+
+    if (tagName === "textarea" &&
+        !("aria-label" in attrs) && !("aria-labelledby" in attrs) &&
+        !("title" in attrs) && !("id" in attrs)) {
+      _add({
+        sc: "3.3.2", level: "A", severity: "error",
+        element: "textarea", line: pos.line, column: pos.column,
+        message: "textarea has no associated label (no id, no aria-label, no title)",
+        remediation: "Add id+matching <label for=...> or aria-label=\"<text>\"",
+      });
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  audit:                  audit,
+  AUTOCOMPLETE_TOKENS:    AUTOCOMPLETE_TOKENS,
+};

package/lib/guard-html-wcag-tables.js

@@ -0,0 +1,154 @@
+"use strict";
+/**
+ * Table semantics validation for the WCAG 2.2 audit-only scanner.
+ *
+ * Checks per WCAG 2.2 / WAI-ARIA / HTML 5.3 best practices:
+ *   - <table> without <caption> (data-tables only; layout-tables
+ *     should use role="presentation" instead)
+ *   - <th> without scope attribute (or invalid scope value)
+ *   - layout tables that should be replaced with semantic markup
+ *   - missing or empty <thead> for data tables with multiple body rows
+ *   - <tr> outside <table> / <thead> / <tbody> / <tfoot>
+ *
+ * Exposed under b.guardHtml.wcag.tables.audit(html, opts).
+ */
+
+var validateOpts = require("./validate-opts");
+var tagwalk = require("./guard-html-wcag-tagwalk");
+
+var VALID_SCOPE_VALUES = Object.freeze(["row", "col", "rowgroup", "colgroup"]);
+
+var _TAG_RE = tagwalk.TAG_RE;
+var _parseAttrs = tagwalk.parseAttrs;
+var _lineColAt = tagwalk.lineColAt;
+
+function audit(html, opts) {
+  opts = opts || {};
+  validateOpts(opts, ["scopeUrl"], "guardHtml.wcag.tables.audit");
+  if (typeof html !== "string") {
+    throw new TypeError("tables.audit: html must be a string");
+  }
+
+  var findings = [];
+  function _add(f) { findings.push(f); }
+
+  // Walk the tag stream, tracking nesting state for tables + their
+  // children. We don't build a full DOM; we track the open-tag stack
+  // to determine whether we're inside <table> / <thead> / <tbody>.
+  var stack = [];
+  _TAG_RE.lastIndex = 0;
+  var m;
+  while ((m = _TAG_RE.exec(html))) {
+    var isClose = m[0].charAt(1) === "/";
+    var tagName = m[1].toLowerCase();
+    var attrs = isClose ? null : _parseAttrs(m[2]);
+    var pos = _lineColAt(html, m.index);
+
+    if (isClose) {
+      // Pop the matching open tag (lazily — broken HTML may produce
+      // mismatches; we just pop any matching same-name from the top).
+      for (var s = stack.length - 1; s >= 0; s--) {
+        if (stack[s].name === tagName) {
+          stack.splice(s, 1);
+          break;
+        }
+      }
+      continue;
+    }
+
+    if (tagName === "table") {
+      // Data table check: presence of <caption> as a direct/early
+      // child within the same table. We can't know the close-tag
+      // position without scanning forward; do a forward look.
+      var role = attrs.role || "";
+      var isPresentation = role === "presentation" || role === "none";
+      if (!isPresentation) {
+        // Find the matching </table>
+        var closeIdx = _findClose(html, m.index, "table");
+        var inside = closeIdx === -1 ? html.slice(m.index) : html.slice(m.index, closeIdx);
+        if (!/<caption\b/i.test(inside)) {
+          _add({
+            sc: "1.3.1", level: "A", severity: "warning",
+            element: "table", line: pos.line, column: pos.column,
+            message: "Data <table> has no <caption> (assistive tech can't summarize the table for screen-reader users)",
+            remediation: "Add <caption>Descriptive title</caption> as the first child of <table>, or set role=\"presentation\" if this is a layout table",
+          });
+        }
+      }
+      stack.push({ name: "table", attrs: attrs });
+    }
+
+    if (tagName === "th") {
+      if (!("scope" in attrs)) {
+        _add({
+          sc: "1.3.1", level: "A", severity: "warning",
+          element: "th", line: pos.line, column: pos.column,
+          message: "<th> element has no scope attribute (screen readers can't announce the right header for each cell)",
+          remediation: "Add scope=\"col\" / scope=\"row\" / scope=\"colgroup\" / scope=\"rowgroup\"",
+        });
+      } else if (VALID_SCOPE_VALUES.indexOf(attrs.scope) === -1) {
+        _add({
+          sc: "1.3.1", level: "A", severity: "error",
+          element: "th", line: pos.line, column: pos.column,
+          message: "<th> scope=\"" + attrs.scope + "\" is not in the allowed value set [" +
+                   VALID_SCOPE_VALUES.join(", ") + "]",
+          remediation: "Use a valid scope value",
+        });
+      }
+    }
+
+    if (tagName === "tr") {
+      // Detect <tr> outside any table-context wrapper
+      var inTable = stack.some(function (e) {
+        return e.name === "table" || e.name === "thead" ||
+               e.name === "tbody" || e.name === "tfoot";
+      });
+      if (!inTable) {
+        _add({
+          sc: "1.3.1", level: "A", severity: "warning",
+          element: "tr", line: pos.line, column: pos.column,
+          message: "<tr> appears outside <table> / <thead> / <tbody> / <tfoot>",
+          remediation: "Wrap the <tr> in a table-row context",
+        });
+      }
+    }
+
+    // Track other table descendants so we can identify nested
+    // structure if needed for layout-table heuristics.
+    if (tagName === "thead" || tagName === "tbody" ||
+        tagName === "tfoot" || tagName === "caption") {
+      stack.push({ name: tagName, attrs: attrs });
+    }
+  }
+
+  return findings;
+}
+
+function _findClose(html, startIdx, tagName) {
+  // Forward-scan for the matching close tag, tracking nesting depth
+  // so nested tables of the same name resolve correctly.
+  var openRe = new RegExp("<" + tagName + "\\b", "ig");                            // allow:dynamic-regex — `tagName` is a static string from the framework's WCAG audit (only "table" is passed); `\\b` is a RegExp word boundary
+  var closeRe = new RegExp("</" + tagName + "\\s*>", "ig");                        // allow:dynamic-regex — same as above; static input
+  openRe.lastIndex = startIdx + 1;
+  closeRe.lastIndex = startIdx + 1;
+  var depth = 1;
+  while (depth > 0) {
+    var nextOpen = openRe.exec(html);
+    var nextClose = closeRe.exec(html);
+    if (!nextClose) return -1;
+    if (!nextOpen || nextOpen.index > nextClose.index) {
+      depth -= 1;
+      if (depth === 0) return nextClose.index + nextClose[0].length;
+      openRe.lastIndex = nextClose.index + nextClose[0].length;
+    } else {
+      depth += 1;
+      closeRe.lastIndex = nextOpen.index + nextOpen[0].length;
+    }
+  }
+  return -1;
+}
+
+module.exports = {
+  audit:               audit,
+  VALID_SCOPE_VALUES:  VALID_SCOPE_VALUES,
+};

package/lib/guard-html-wcag-tagwalk.js

@@ -0,0 +1,44 @@
+"use strict";
+/**
+ * Shared tag-walker helpers for the WCAG 2.2 audit-only scanner
+ * modules. Extracted from guard-html-wcag.js / -aria.js / -tables.js
+ * so the regex constants live in one place.
+ */
+
+// HTML5 open + close tag regex. Captures: 1=tag-name, 2=attribute body.
+var TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
+
+// Per-attribute parser: name then (optional) value in double-quoted /
+// single-quoted / unquoted form.
+var ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*("([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
+
+function parseAttrs(attrString) {
+  var out = Object.create(null);
+  if (!attrString) return out;
+  ATTR_RE.lastIndex = 0;
+  var m;
+  while ((m = ATTR_RE.exec(attrString))) {
+    var name = m[1].toLowerCase();
+    var value = m[3] !== undefined ? m[3] :
+                m[4] !== undefined ? m[4] :
+                m[5] !== undefined ? m[5] : "";
+    out[name] = value;
+  }
+  return out;
+}
+
+function lineColAt(html, offset) {
+  var line = 1;
+  var lastNl = -1;
+  for (var i = 0; i < offset; i++) {
+    if (html.charCodeAt(i) === 10) { line += 1; lastNl = i; }                      // allow:raw-byte-literal — ASCII LF
+  }
+  return { line: line, column: offset - lastNl };
+}
+
+module.exports = {
+  TAG_RE:       TAG_RE,
+  ATTR_RE:      ATTR_RE,
+  parseAttrs:   parseAttrs,
+  lineColAt:    lineColAt,
+};

package/lib/guard-html-wcag.js

@@ -0,0 +1,470 @@
+"use strict";
+/**
+ * WCAG 2.2 audit-only scanner for HTML.
+ *
+ * Scans operator-supplied HTML for accessibility violations against
+ * the WCAG 2.2 Recommendation (https://www.w3.org/TR/WCAG22/) without
+ * modifying the document. Returns a structured report of findings the
+ * operator wires into a CI gate, audit log, or development warning.
+ *
+ *   var audit = b.guardHtml.wcag.audit(htmlString, {
+ *     level:    "AA",          // | "A" | "AAA"
+ *     ignore:   ["1.4.3"],      // SCs the operator's deployment opts out of
+ *   });
+ *
+ * Design constraints:
+ *   - PURE static analysis — no rendering, no JS execution.
+ *   - The scanner is conservative: it flags clear violations (missing
+ *     alt text, empty heading text) and high-confidence patterns
+ *     (out-of-order headings, form fields without label / aria-label /
+ *     aria-labelledby). It does NOT attempt color-contrast checks,
+ *     focus-indicator checks, or text-spacing checks (require rendered
+ *     styles or runtime CSS).
+ */
+
+var validateOpts = require("./validate-opts");
+var lazyRequire = require("./lazy-require");
+var { defineClass } = require("./framework-error");
+
+var GuardHtmlWcagError = defineClass("GuardHtmlWcagError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("./observability"); });
+var aria = require("./guard-html-wcag-aria");
+var tables = require("./guard-html-wcag-tables");
+var forms = require("./guard-html-wcag-forms");
+var tagwalk = require("./guard-html-wcag-tagwalk");
+
+var SC_REGISTRY = Object.freeze({
+  "1.1.1": { level: "A",   name: "Non-text Content" },
+  "1.3.1": { level: "A",   name: "Info and Relationships" },
+  "2.4.1": { level: "A",   name: "Bypass Blocks" },
+  "2.4.2": { level: "A",   name: "Page Titled" },
+  "2.4.4": { level: "A",   name: "Link Purpose (In Context)" },
+  "3.1.1": { level: "A",   name: "Language of Page" },
+  "3.3.2": { level: "A",   name: "Labels or Instructions" },
+  "4.1.1": { level: "A",   name: "Parsing (deprecated in 2.2; retained for back-compat)" },
+  "4.1.2": { level: "A",   name: "Name, Role, Value" },
+  "2.4.11": { level: "AA",  name: "Focus Not Obscured (Minimum)" },
+  "2.4.13": { level: "AAA", name: "Focus Appearance" },
+  "2.5.7":  { level: "AA",  name: "Dragging Movements" },
+  "2.5.8":  { level: "AA",  name: "Target Size (Minimum)" },
+  "3.2.6":  { level: "A",   name: "Consistent Help" },
+  "3.3.7":  { level: "A",   name: "Redundant Entry" },
+  "3.3.8":  { level: "AA",  name: "Accessible Authentication (Minimum)" },
+  "3.3.9":  { level: "AAA", name: "Accessible Authentication (Enhanced)" },
+});
+
+var VALID_LEVELS = Object.freeze(["A", "AA", "AAA"]);
+
+function _meetsLevel(scLevel, requestedLevel) {
+  if (requestedLevel === "AAA") return true;
+  if (requestedLevel === "AA")  return scLevel === "A" || scLevel === "AA";
+  return scLevel === "A";
+}
+
+function _newReport(scopeUrl) {
+  return {
+    findings:      [],
+    summary:       { error: 0, warning: 0, info: 0 },
+    totalFindings: 0,
+    scopeUrl:      scopeUrl || null,
+    scannedAt:     Date.now(),
+  };
+}
+
+function _addFinding(report, finding) {
+  report.findings.push(finding);
+  report.totalFindings += 1;
+  report.summary[finding.severity] = (report.summary[finding.severity] || 0) + 1;
+}
+
+var _TAG_RE = tagwalk.TAG_RE;
+var _parseAttrs = tagwalk.parseAttrs;
+var _lineColAt = tagwalk.lineColAt;
+
+function _innerText(html, tagOpenEnd, tagName) {
+  var lower = tagName.toLowerCase();
+  var closeRe = new RegExp("</\\s*" + lower + "\\s*>", "i");                       // allow:dynamic-regex — `lower` is a tag name from the framework's static SC registry, not operator input; `\\s*` and tag name are RegExp-safe (no special chars)
+  closeRe.lastIndex = tagOpenEnd;
+  var m = closeRe.exec(html);
+  if (!m) return "";
+  var raw = html.slice(tagOpenEnd, m.index);
+  return raw.replace(/<[^>]+>/g, "").replace(/&[a-z]+;|&#\d+;/gi, "").trim();
+}
+
+// ---- Per-element checks ----
+
+function _checkImgAlt(html, attrs, tagName, offset, report, opts) {
+  if (tagName !== "img") return;
+  if (opts.ignore.indexOf("1.1.1") !== -1) return;
+  if ("alt" in attrs) return;
+  var pos = _lineColAt(html, offset);
+  _addFinding(report, {
+    sc:          "1.1.1",
+    level:       "A",
+    severity:    "error",
+    element:     "img",
+    line:        pos.line,
+    column:      pos.column,
+    message:     "img element missing alt attribute (use alt=\"\" for purely decorative images)",
+    remediation: "Add alt=\"<descriptive text>\" or alt=\"\" if purely decorative",
+  });
+}
+
+function _checkInputLabel(html, attrs, tagName, offset, report, opts, ctx) {
+  if (tagName !== "input") return;
+  if (opts.ignore.indexOf("3.3.2") !== -1) return;
+  var inputType = (attrs.type || "text").toLowerCase();
+  if (["hidden", "submit", "button", "image", "reset"].indexOf(inputType) !== -1) return;
+  var hasLabel = "aria-label" in attrs ||
+                 "aria-labelledby" in attrs ||
+                 "title" in attrs ||
+                 (attrs.id && ctx.labelledIds[attrs.id]);
+  if (!hasLabel) {
+    var pos = _lineColAt(html, offset);
+    _addFinding(report, {
+      sc:          "3.3.2",
+      level:       "A",
+      severity:    "error",
+      element:     "input",
+      line:        pos.line,
+      column:      pos.column,
+      message:     "Form input has no associated label (no aria-label, aria-labelledby, title, or matching <label for=...>)",
+      remediation: "Add <label for=\"<id>\">...</label> or aria-label=\"<text>\" attribute",
+    });
+  }
+  if (!("name" in attrs) && opts.ignore.indexOf("4.1.2") === -1) {
+    var pos2 = _lineColAt(html, offset);
+    _addFinding(report, {
+      sc:          "4.1.2",
+      level:       "A",
+      severity:    "warning",
+      element:     "input",
+      line:        pos2.line,
+      column:      pos2.column,
+      message:     "input element has no name attribute (required for form submission + assistive-tech identification)",
+      remediation: "Add name=\"<field-name>\" attribute",
+    });
+  }
+}
+
+function _checkAnchorScheduled(html, attrs, tagName, offset, report, opts) {
+  if (tagName !== "a") return null;
+  if (opts.ignore.indexOf("2.4.4") !== -1) return null;
+  if (!("href" in attrs)) return null;
+  var hasAccessibleName = "aria-label" in attrs ||
+                          "aria-labelledby" in attrs ||
+                          "title" in attrs;
+  return { offset: offset, attrs: attrs, hasAccessibleName: hasAccessibleName };
+  // void the unused vars so the linter is happy
+}
+
+function _checkButtonText(html, tagOpenEnd, attrs, offset, report, opts) {
+  if (opts.ignore.indexOf("4.1.2") !== -1) return;
+  var inner = _innerText(html, tagOpenEnd, "button");
+  if (inner.length > 0) return;
+  if ("aria-label" in attrs || "aria-labelledby" in attrs ||
+      "title" in attrs) return;
+  var pos = _lineColAt(html, offset);
+  _addFinding(report, {
+    sc:          "4.1.2",
+    level:       "A",
+    severity:    "error",
+    element:     "button",
+    line:        pos.line,
+    column:      pos.column,
+    message:     "button has no visible text and no aria-label / title (assistive tech reads it as \"button\" with no purpose)",
+    remediation: "Add visible text content, aria-label=\"<purpose>\", or aria-labelledby=\"<idref>\"",
+  });
+}
+
+function _checkHeadingOrder(html, attrs, tagName, offset, report, opts, ctx) {
+  if (!/^h[1-6]$/.test(tagName)) return;
+  if (opts.ignore.indexOf("1.3.1") !== -1) return;
+  var level = parseInt(tagName.charAt(1), 10);                                     // allow:raw-byte-literal — base-10 parse radix
+  if (ctx.headingLevels.length === 0) {
+    if (level !== 1) {
+      var pos = _lineColAt(html, offset);
+      _addFinding(report, {
+        sc:          "1.3.1",
+        level:       "A",
+        severity:    "warning",
+        element:     tagName,
+        line:        pos.line,
+        column:      pos.column,
+        message:     "First heading on the page is " + tagName + " (expected h1; missing/late h1 hurts navigation for screen readers)",
+        remediation: "Promote the first heading to h1, or insert an h1 above it",
+      });
+    }
+  } else {
+    var lastLevel = ctx.headingLevels[ctx.headingLevels.length - 1];
+    if (level > lastLevel + 1) {
+      var pos2 = _lineColAt(html, offset);
+      _addFinding(report, {
+        sc:          "1.3.1",
+        level:       "A",
+        severity:    "warning",
+        element:     tagName,
+        line:        pos2.line,
+        column:      pos2.column,
+        message:     "Heading skips levels (" + tagName + " follows h" + lastLevel +
+                     "; intermediate level skipped)",
+        remediation: "Insert intermediate heading or demote " + tagName + " to h" + (lastLevel + 1),
+      });
+    }
+  }
+  var inner = _innerText(html, ctx.lastTagEndOffset, tagName);
+  if (inner.length === 0) {
+    var pos3 = _lineColAt(html, offset);
+    _addFinding(report, {
+      sc:          "1.3.1",
+      level:       "A",
+      severity:    "error",
+      element:     tagName,
+      line:        pos3.line,
+      column:      pos3.column,
+      message:     "Empty heading element (" + tagName + " has no text content)",
+      remediation: "Add the heading text or remove the empty heading element",
+    });
+  }
+  ctx.headingLevels.push(level);
+}
+
+// ---- Page-level checks ----
+
+function _checkHtmlLang(html, report, opts) {
+  if (opts.ignore.indexOf("3.1.1") !== -1) return;
+  var m = /<html\b([^>]*)>/i.exec(html);
+  if (!m) return;
+  var attrs = _parseAttrs(m[1]);
+  if (!attrs.lang || !attrs.lang.trim()) {
+    var pos = _lineColAt(html, m.index);
+    _addFinding(report, {
+      sc:          "3.1.1",
+      level:       "A",
+      severity:    "error",
+      element:     "html",
+      line:        pos.line,
+      column:      pos.column,
+      message:     "html element missing lang attribute (assistive tech can't pick the right voice / pronunciation)",
+      remediation: "Add lang=\"<BCP47-tag>\" e.g. lang=\"en\" or lang=\"en-US\"",
+    });
+  }
+}
+
+function _checkPageTitle(html, report, opts) {
+  if (opts.ignore.indexOf("2.4.2") !== -1) return;
+  if (!/<head\b/i.test(html)) return;
+  var m = /<title\b[^>]*>([^]*?)<\/title>/i.exec(html);
+  if (!m) {
+    var pos = _lineColAt(html, html.search(/<head\b/i));
+    _addFinding(report, {
+      sc:          "2.4.2",
+      level:       "A",
+      severity:    "error",
+      element:     "title",
+      line:        pos.line,
+      column:      pos.column,
+      message:     "Page has no <title> element",
+      remediation: "Add <title>Descriptive page title</title> inside <head>",
+    });
+    return;
+  }
+  var title = m[1].replace(/<[^>]+>/g, "").trim();
+  if (title.length === 0) {
+    var pos2 = _lineColAt(html, m.index);
+    _addFinding(report, {
+      sc:          "2.4.2",
+      level:       "A",
+      severity:    "error",
+      element:     "title",
+      line:        pos2.line,
+      column:      pos2.column,
+      message:     "<title> element is empty",
+      remediation: "Add descriptive text inside <title>",
+    });
+    return;
+  }
+  if (title.length < 4 || /^untitled/i.test(title)) {
+    var pos3 = _lineColAt(html, m.index);
+    _addFinding(report, {
+      sc:          "2.4.2",
+      level:       "A",
+      severity:    "warning",
+      element:     "title",
+      line:        pos3.line,
+      column:      pos3.column,
+      message:     "<title> is too short or generic (\"" + title + "\")",
+      remediation: "Use a descriptive page title that distinguishes the page from siblings",
+    });
+  }
+}
+
+function _checkSkipLink(html, report, opts) {
+  if (opts.ignore.indexOf("2.4.1") !== -1) return;
+  if (!/<body\b/i.test(html)) return;
+  if (/<a[^>]+href=["']#[a-zA-Z][^"']*["'][^>]*>\s*(skip|jump)\b/i.test(html)) return;
+  var bodyMatch = /<body\b[^>]*>/i.exec(html);
+  var pos = _lineColAt(html, bodyMatch ? bodyMatch.index : 0);
+  _addFinding(report, {
+    sc:          "2.4.1",
+    level:       "A",
+    severity:    "info",
+    element:     "body",
+    line:        pos.line,
+    column:      pos.column,
+    message:     "No \"skip to content\" link detected at the start of the page",
+    remediation: "Add <a href=\"#main\" class=\"sr-only\">Skip to content</a> as the first focusable element in <body>",
+  });
+}
+
+function _checkAnchors(html, scheduled, report) {
+  for (var i = 0; i < scheduled.length; i++) {
+    var s = scheduled[i];
+    var tagOpen = html.indexOf(">", s.offset);
+    if (tagOpen === -1) continue;
+    var inner = _innerText(html, tagOpen + 1, "a");
+    var visibleText = inner.length > 0;
+    if (visibleText || s.hasAccessibleName) continue;
+    var pos = _lineColAt(html, s.offset);
+    _addFinding(report, {
+      sc:          "2.4.4",
+      level:       "A",
+      severity:    "error",
+      element:     "a",
+      line:        pos.line,
+      column:      pos.column,
+      message:     "Link has no accessible name (no visible text, aria-label, aria-labelledby, or title)",
+      remediation: "Add link text, aria-label=\"<purpose>\", or aria-labelledby=\"<idref>\"",
+    });
+  }
+}
+
+// ---- Main audit ----
+
+function audit(html, opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "level", "ignore", "checkAll", "scopeUrl",
+    "skipAria", "allowedRoles", "skipTables",
+    "skipForms", "allowedAutocomplete",
+  ], "guardHtml.wcag.audit");
+  if (typeof html !== "string") {
+    throw new GuardHtmlWcagError("guard-html-wcag/bad-input",
+      "audit: html must be a string");
+  }
+  var level = opts.level || "AA";
+  if (VALID_LEVELS.indexOf(level) === -1) {
+    throw new GuardHtmlWcagError("guard-html-wcag/bad-level",
+      "audit: level must be one of " + VALID_LEVELS.join(", "));
+  }
+  var ignore = Array.isArray(opts.ignore) ? opts.ignore : [];
+  for (var i = 0; i < ignore.length; i++) {
+    if (typeof ignore[i] !== "string") {
+      throw new GuardHtmlWcagError("guard-html-wcag/bad-ignore",
+        "audit: ignore[" + i + "] must be a string SC like \"1.4.3\"");
+    }
+  }
+  var report = _newReport(opts.scopeUrl);
+  var scanOpts = { level: level, ignore: ignore };
+
+  // Page-level checks
+  _checkHtmlLang(html, report, scanOpts);
+  _checkPageTitle(html, report, scanOpts);
+  _checkSkipLink(html, report, scanOpts);
+
+  // Per-element walker
+  var ctx = {
+    headingLevels:  [],
+    labelledIds:    Object.create(null),
+    lastTagEndOffset: 0,
+    scheduledAnchors: [],
+  };
+  var labelRe = /<label\b[^>]*\bfor\s*=\s*["']([^"']+)["'][^>]*>/gi;
+  var lm;
+  while ((lm = labelRe.exec(html))) {
+    ctx.labelledIds[lm[1]] = true;
+  }
+
+  function _scLevelEligible(sc) {
+    var sce = SC_REGISTRY[sc];
+    if (!sce) return true;
+    return _meetsLevel(sce.level, level);
+  }
+
+  _TAG_RE.lastIndex = 0;
+  var m;
+  while ((m = _TAG_RE.exec(html))) {
+    // Skip closing tags (m[0] starts with "</"); only run per-element
+    // checks on opening tags so we don't double-fire on each pair.
+    if (m[0].charAt(1) === "/") continue;
+    var tagName = m[1].toLowerCase();
+    var attrs = _parseAttrs(m[2]);
+    var offset = m.index;
+    var endOffset = m.index + m[0].length;
+    ctx.lastTagEndOffset = endOffset;
+
+    if (_scLevelEligible("1.1.1")) _checkImgAlt(html, attrs, tagName, offset, report, scanOpts);
+    if (_scLevelEligible("3.3.2") || _scLevelEligible("4.1.2")) _checkInputLabel(html, attrs, tagName, offset, report, scanOpts, ctx);
+    if (_scLevelEligible("2.4.4")) {
+      var sched = _checkAnchorScheduled(html, attrs, tagName, offset, report, scanOpts);
+      if (sched) ctx.scheduledAnchors.push(sched);
+    }
+    if (_scLevelEligible("4.1.2") && tagName === "button") {
+      _checkButtonText(html, endOffset, attrs, offset, report, scanOpts);
+    }
+    if (_scLevelEligible("1.3.1")) _checkHeadingOrder(html, attrs, tagName, offset, report, scanOpts, ctx);
+  }
+
+  _checkAnchors(html, ctx.scheduledAnchors, report);
+
+  // ARIA validation pass — fold its findings into the report.
+  if (opts.skipAria !== true) {
+    var ariaFindings = aria.audit(html, {
+      allowedRoles: opts.allowedRoles,
+      scopeUrl:     opts.scopeUrl,
+    });
+    for (var ai = 0; ai < ariaFindings.length; ai++) {
+      _addFinding(report, ariaFindings[ai]);
+    }
+  }
+  // Table-semantics pass — caption / scope / layout-table heuristics.
+  if (opts.skipTables !== true) {
+    var tableFindings = tables.audit(html, { scopeUrl: opts.scopeUrl });
+    for (var ti = 0; ti < tableFindings.length; ti++) {
+      _addFinding(report, tableFindings[ti]);
+    }
+  }
+  // Forms pass — fieldset/legend / autocomplete / textarea labelling.
+  if (opts.skipForms !== true) {
+    var formFindings = forms.audit(html, {
+      allowedAutocomplete: opts.allowedAutocomplete,
+      scopeUrl:            opts.scopeUrl,
+    });
+    for (var fi = 0; fi < formFindings.length; fi++) {
+      _addFinding(report, formFindings[fi]);
+    }
+  }
+
+  // Heuristic score: 1 - weighted-violations / heuristic-max
+  var weighted = report.summary.error * 3 + report.summary.warning * 1.5 +        // allow:raw-byte-literal — severity weights for heuristic score
+                 report.summary.info * 0.5;                                        // allow:raw-byte-literal — severity weights for heuristic score
+  var maxFor = Math.max(50, weighted * 2);                                         // allow:raw-byte-literal — heuristic-score floor
+  report.score = Math.max(0, 1 - weighted / maxFor);
+
+  try { observability().safeEvent("guard-html.wcag.audited", 1, {
+    level: level, errors: String(report.summary.error),
+  }); } catch (_e) { /* drop-silent */ }
+
+  return report;
+}
+
+module.exports = {
+  audit:                audit,
+  aria:                 aria,
+  tables:               tables,
+  forms:                forms,
+  SC_REGISTRY:          SC_REGISTRY,
+  VALID_LEVELS:         VALID_LEVELS,
+  GuardHtmlWcagError:   GuardHtmlWcagError,
+};

package/lib/guard-html.js

@@ -118,6 +118,7 @@
  */
 
 var codepointClass = require("./codepoint-class");
+var guardHtmlWcag = require("./guard-html-wcag");
 var lazyRequire = require("./lazy-require");
 var gateContract = require("./gate-contract");
 var C = require("./constants");
@@ -972,5 +973,8 @@ module.exports = {
   DANGEROUS_SCHEMES:   DANGEROUS_SCHEMES,
   CLOBBER_GLOBALS:     CLOBBER_GLOBALS,
   CLOBBER_PRONE_TAGS:  CLOBBER_PRONE_TAGS,
+  // WCAG 2.2 audit-only mode (b.guardHtml.wcag.audit) — accessibility
+  // scanner that emits violations without modifying HTML.
+  wcag:                guardHtmlWcag,
   GuardHtmlError:      GuardHtmlError,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.105",
+  "version": "0.7.106",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:503d52be-ebde-43d9-99cf-866e8585557a",
+  "serialNumber": "urn:uuid:7d9604c0-8d11-4b2c-bc59-69f6fcf1acf6",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T11:23:52.585Z",
+    "timestamp": "2026-05-06T11:52:08.561Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.105",
+      "bom-ref": "@blamejs/core@0.7.106",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.105",
+      "version": "0.7.106",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.105",
+      "purl": "pkg:npm/%40blamejs/core@0.7.106",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.105",
+      "ref": "@blamejs/core@0.7.106",
       "dependsOn": []
     }
   ]