@diegovelasquezweb/a11y-engine 0.1.3 → 0.1.5

package/CHANGELOG.md

@@ -9,6 +9,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.1.3] — 2026-03-14
+
+### Added
+
+- **Multi-engine scanning**: three independent engines now run against each page:
+  - **axe-core** (via `@axe-core/playwright`) — primary WCAG rule engine injected into the live page
+  - **CDP** (Chrome DevTools Protocol) — queries the browser's accessibility tree for missing accessible names and aria-hidden on focusable elements
+  - **pa11y** (HTML CodeSniffer via Puppeteer) — catches heading hierarchy, link purpose, and form association issues
+- Cross-engine merge and deduplication in `mergeViolations()` — removes duplicate findings across axe, CDP, and pa11y based on rule equivalence and selector matching
+- Real-time `progress.json` with per-engine step tracking and finding counts (`found` for each engine, `merged` total after dedup)
+- `--axe-tags` CLI flag for filtering axe-core WCAG tag sets (also determines pa11y standard)
+- Non-visible element skip list for screenshots (`<meta>`, `<link>`, `<style>`, `<script>`, `<title>`, `<base>`) — prevents timeout warnings on elements that cannot be scrolled into view
+
+### Changed
+
+- `a11y-scan-results.json` now contains merged violations from all three engines (previously axe-core only)
+- Each violation includes a `source` field (`"cdp"` or `"pa11y"`) to identify which engine produced it (axe-core violations have no `source` field for backwards compatibility)
+- README rewritten to reflect multi-engine architecture
+- All documentation (`architecture.md`, `cli-handbook.md`, `outputs.md`) updated to describe the three-engine pipeline, merge/dedup logic, progress tracking, and dual browser requirements
+
+### Fixed
+
+- Screenshot capture no longer attempts to scroll non-visible `<head>` elements into view
+
+---
+
 ## [0.1.2] — 2026-03-13
 
 ### Fixed

package/README.md

@@ -1,39 +1,77 @@
 # @diegovelasquezweb/a11y-engine
 
-WCAG 2.2 AA accessibility audit engine. Runs Playwright + axe-core scans, enriches findings with fix intelligence, and produces structured artifacts for developers, agents, and stakeholders.
+Multi-engine WCAG 2.2 AA accessibility audit engine. Combines three scanning engines (axe-core, Chrome DevTools Protocol, and pa11y), merges and deduplicates their findings, enriches results with fix intelligence, and produces structured artifacts for developers, agents, and stakeholders.
 
 ## What it is
 
 A Node.js CLI and programmatic engine that:
 
 1. Crawls a target URL and discovers routes automatically
-2. Runs axe-core WCAG 2.2 AA checks across all discovered pages
-3. Optionally scans project source code for patterns axe cannot detect at runtime
-4. Enriches each finding with stack-aware fix guidance, selectors, and verification commands
-5. Produces a full artifact set: JSON data, Markdown remediation guide, HTML dashboard, PDF compliance report, and manual testing checklist
+2. Runs three independent accessibility engines against each page:
+   - **axe-core** — industry-standard WCAG rule engine, injected into the live page via Playwright
+   - **CDP** (Chrome DevTools Protocol) — queries the browser's accessibility tree directly for issues axe may miss (missing accessible names, aria-hidden on focusable elements)
+   - **pa11y** (HTML CodeSniffer) — catches WCAG violations around heading hierarchy, link purpose, and form associations
+3. Merges and deduplicates findings across all three engines
+4. Optionally scans project source code for patterns no runtime engine can detect
+5. Enriches each finding with stack-aware fix guidance, selectors, and verification commands
+6. Produces a full artifact set: JSON data, Markdown remediation guide, HTML dashboard, PDF compliance report, and manual testing checklist
 
 ## Why use this engine
 
 | Capability | With this engine | Without |
 | :--- | :--- | :--- |
-| **Full WCAG 2.2 Coverage** | axe-core runtime scan + source code pattern scanner | Runtime scan only — misses CSS/source-level issues |
+| **Multi-engine scanning** | axe-core + CDP accessibility tree + pa11y (HTML CodeSniffer) with cross-engine deduplication | Single engine — higher false-negative rate |
+| **Full WCAG 2.2 Coverage** | Three runtime engines + source code pattern scanner | Runtime scan only — misses structural and source-level issues |
 | **Fix Intelligence** | Stack-aware patches with code snippets tailored to detected framework | Raw rule violations with no remediation context |
 | **Structured Artifacts** | JSON + Markdown + HTML + PDF + Checklist — ready to consume or forward | Findings exist only in the terminal session |
 | **CI/Agent Integration** | Deterministic exit codes, stdout-parseable output paths, JSON schema | Requires wrapper scripting |
 
+## How the scan pipeline works
+
+```
+URL
+ |
+ v
+[1. Crawl & Discover]  sitemap.xml / BFS link crawl / explicit --routes
+ |
+ v
+[2. Navigate]           Playwright opens each route in Chromium
+ |
+ +---> [axe-core]       Injects axe into the page, runs WCAG tag checks
+ |
+ +---> [CDP]            Opens a CDP session, reads the full accessibility tree
+ |
+ +---> [pa11y]          Launches HTML CodeSniffer via Puppeteer Chrome
+ |
+ v
+[3. Merge & Dedup]      Combines findings, removes cross-engine duplicates
+ |
+ v
+[4. Analyze]            Enriches with WCAG mapping, severity, fix code, framework hints
+ |
+ v
+[5. Reports]            HTML dashboard, PDF, checklist, Markdown remediation
+```
+
 ## Installation
 
 ```bash
 npm install @diegovelasquezweb/a11y-engine
 npx playwright install chromium
+npx puppeteer browsers install chrome
 ```
 
 ```bash
 pnpm add @diegovelasquezweb/a11y-engine
 pnpm exec playwright install chromium
+npx puppeteer browsers install chrome
 ```
 
-> Chromium must be installed separately. The engine uses Playwright's bundled browser — not a system Chrome.
+> **Two browsers are required:**
+> - **Playwright Chromium** — used by axe-core and CDP checks
+> - **Puppeteer Chrome** — used by pa11y (HTML CodeSniffer)
+>
+> These are separate browser installations. If Puppeteer Chrome is missing, pa11y checks fail silently (non-fatal) and the scan continues with axe + CDP only.
 
 ## Quick start
 
@@ -60,7 +98,7 @@ a11y-audit --base-url <url> [options]
 | :--- | :--- | :--- | :--- |
 | `--base-url` | `<url>` | (Required) | Starting URL for the audit. |
 | `--max-routes` | `<num>` | `10` | Max routes to discover and scan. |
-| `--crawl-depth` | `<num>` | `2` | BFS link-follow depth during discovery (1–3). |
+| `--crawl-depth` | `<num>` | `2` | BFS link-follow depth during discovery (1-3). |
 | `--routes` | `<csv>` | — | Explicit path list, bypasses auto-discovery. |
 | `--project-dir` | `<path>` | — | Path to project source. Enables source pattern scanner and framework auto-detection. |
 
@@ -72,6 +110,7 @@ a11y-audit --base-url <url> [options]
 | `--only-rule` | `<id>` | — | Run a single axe rule (e.g. `color-contrast`). |
 | `--ignore-findings` | `<csv>` | — | Rule IDs to exclude from output. |
 | `--exclude-selectors` | `<csv>` | — | CSS selectors to skip during DOM scan. |
+| `--axe-tags` | `<csv>` | `wcag2a,wcag2aa,wcag21a,wcag21aa,wcag22a,wcag22aa` | axe-core WCAG tag filter. |
 | `--framework` | `<name>` | — | Override auto-detected stack. Supported: `nextjs`, `gatsby`, `react`, `nuxt`, `vue`, `angular`, `astro`, `svelte`, `shopify`, `wordpress`, `drupal`. |
 
 ### Execution & emulation
@@ -123,8 +162,9 @@ All artifacts are written to `.audit/` relative to the package root.
 
 | File | Always generated | Description |
 | :--- | :--- | :--- |
-| `a11y-scan-results.json` | Yes | Raw axe-core results per route |
-| `a11y-findings.json` | Yes | Enriched findings with fix intelligence |
+| `a11y-scan-results.json` | Yes | Raw merged results from axe-core + CDP + pa11y per route |
+| `a11y-findings.json` | Yes | Enriched findings with fix intelligence, WCAG mapping, and severity |
+| `progress.json` | Yes | Real-time scan progress with per-engine step status and finding counts |
 | `remediation.md` | Yes | AI-agent-optimized remediation roadmap |
 | `report.html` | With `--with-reports` | Interactive HTML dashboard |
 | `report.pdf` | With `--with-reports` | Formal compliance PDF |
@@ -132,16 +172,47 @@ All artifacts are written to `.audit/` relative to the package root.
 
 See [Output Artifacts](docs/outputs.md) for full schema reference.
 
+## Scan engines
+
+### axe-core (via @axe-core/playwright)
+
+The primary engine. Runs Deque's axe-core rule set against the live DOM inside Playwright's Chromium. Covers the majority of automatable WCAG 2.2 AA success criteria.
+
+### CDP (Chrome DevTools Protocol)
+
+Queries the browser's full accessibility tree via a CDP session. Catches issues axe may miss:
+- Interactive elements (buttons, links, inputs) with no accessible name
+- Focusable elements hidden with `aria-hidden`
+
+### pa11y (HTML CodeSniffer)
+
+Runs Squiz's HTML CodeSniffer via Puppeteer Chrome. Catches WCAG violations around:
+- Heading hierarchy
+- Link purpose
+- Form label associations
+
+Requires a separate Chrome installation (`npx puppeteer browsers install chrome`). If Chrome is missing, pa11y fails silently and the scan continues with axe + CDP.
+
+### Merge & deduplication
+
+After all three engines run, findings are merged and deduplicated:
+- axe findings are added first (baseline)
+- CDP findings are checked against axe equivalents (e.g. `cdp-missing-accessible-name` vs `button-name`) to avoid duplicates
+- pa11y findings are checked against existing selectors to avoid triple-reporting the same element
+
 ## Troubleshooting
 
 **`Error: browserType.launch: Executable doesn't exist`**
 Run `npx playwright install chromium` (or `pnpm exec playwright install chromium`).
 
+**`pa11y checks failed (non-fatal): Could not find Chrome`**
+pa11y requires Puppeteer's Chrome, which is separate from Playwright's Chromium. Install it with `npx puppeteer browsers install chrome`.
+
 **`Missing required argument: --base-url`**
 The flag is required. Provide a full URL including protocol: `--base-url https://example.com`.
 
 **Scan returns 0 findings on an SPA**
-Use `--wait-until networkidle --wait-ms 3000` to let async content render before axe runs.
+Use `--wait-until networkidle --wait-ms 3000` to let async content render before the engines run.
 
 **`--with-reports` exits without generating PDF**
 Ensure `--output` is also set and points to an `.html` file path: `--output ./audit/report.html`.
@@ -153,7 +224,7 @@ Add `--no-sandbox` via the `PLAYWRIGHT_CHROMIUM_LAUNCH_OPTIONS` env var, or run
 
 | Resource | Description |
 | :--- | :--- |
-| [Architecture](https://github.com/diegovelasquezweb/a11y-engine/blob/main/docs/architecture.md) | How the scanner → analyzer → report pipeline works |
+| [Architecture](https://github.com/diegovelasquezweb/a11y-engine/blob/main/docs/architecture.md) | How the multi-engine scanner pipeline works |
 | [CLI Handbook](https://github.com/diegovelasquezweb/a11y-engine/blob/main/docs/cli-handbook.md) | Full flag reference and usage patterns |
 | [Output Artifacts](https://github.com/diegovelasquezweb/a11y-engine/blob/main/docs/outputs.md) | Schema and structure of every generated file |
 

package/assets/engine/cdp-checks.json

@@ -0,0 +1,30 @@
+{
+  "interactiveRoles": [
+    "button", "link", "textbox", "combobox", "listbox",
+    "menuitem", "tab", "checkbox", "radio", "switch", "slider"
+  ],
+  "rules": [
+    {
+      "id": "cdp-missing-accessible-name",
+      "condition": "interactive-no-name",
+      "impact": "serious",
+      "tags": ["wcag2a", "wcag412", "cdp-check"],
+      "help": "Interactive elements must have an accessible name",
+      "helpUrl": "https://dequeuniversity.com/rules/axe/4.11/button-name",
+      "description": "Interactive element with role \"{{role}}\" has no accessible name",
+      "failureMessage": "Element with role \"{{role}}\" has no accessible name in the accessibility tree",
+      "axeEquivalents": ["button-name", "link-name", "input-name", "aria-command-name"]
+    },
+    {
+      "id": "cdp-aria-hidden-focusable",
+      "condition": "hidden-focusable",
+      "impact": "serious",
+      "tags": ["wcag2a", "wcag412", "cdp-check"],
+      "help": "aria-hidden elements must not be focusable",
+      "helpUrl": "https://dequeuniversity.com/rules/axe/4.11/aria-hidden-focus",
+      "description": "Focusable element with role \"{{role}}\" is aria-hidden",
+      "failureMessage": "Focusable element with role \"{{role}}\" is hidden from the accessibility tree",
+      "axeEquivalents": ["aria-hidden-focus"]
+    }
+  ]
+}

package/assets/engine/pa11y-config.json

@@ -0,0 +1,53 @@
+{
+  "ignoreByPrinciple": [
+    "Principle1.Guideline1_4.1_4_3.G18.Fail",
+    "Principle4.Guideline4_1.4_1_2.H91.A.NoContent"
+  ],
+  "impactMap": {
+    "1": "serious",
+    "2": "moderate",
+    "3": "minor"
+  },
+  "equivalenceMap": {
+    "Principle1.Guideline1_4.1_4_3.G145": "color-contrast",
+    "Principle1.Guideline1_4.1_4_3.G18": "color-contrast",
+    "Principle1.Guideline1_4.1_4_3.G145.Fail": "color-contrast",
+    "Principle1.Guideline1_4.1_4_3.G18.Fail": "color-contrast",
+    "Principle1.Guideline1_3.1_3_1.H42": "heading-order",
+    "Principle1.Guideline1_3.1_3_1.H42.2": "empty-heading",
+    "Principle1.Guideline1_3.1_3_1.H44": "label",
+    "Principle1.Guideline1_3.1_3_1.H65": "label",
+    "Principle1.Guideline1_3.1_3_1.H71": "label",
+    "Principle1.Guideline1_3.1_3_1.H85": "listitem",
+    "Principle1.Guideline1_3.1_3_1.H48": "list",
+    "Principle1.Guideline1_3.1_3_1.H39": "table-fake-caption",
+    "Principle1.Guideline1_3.1_3_1.H73": "table-fake-caption",
+    "Principle1.Guideline1_1.1_1_1.H37": "image-alt",
+    "Principle1.Guideline1_1.1_1_1.H67": "image-alt",
+    "Principle1.Guideline1_1.1_1_1.H36": "input-image-alt",
+    "Principle1.Guideline1_1.1_1_1.H2": "image-redundant-alt",
+    "Principle1.Guideline1_1.1_1_1.H53": "object-alt",
+    "Principle1.Guideline1_1.1_1_1.G94": "image-alt",
+    "Principle1.Guideline1_1.1_1_1.H24": "area-alt",
+    "Principle2.Guideline2_4.2_4_1.H64": "frame-title",
+    "Principle2.Guideline2_4.2_4_1.G1": "bypass",
+    "Principle2.Guideline2_4.2_4_1.G124": "bypass",
+    "Principle2.Guideline2_4.2_4_2.H25": "document-title",
+    "Principle2.Guideline2_4.2_4_4.H77": "link-name",
+    "Principle1.Guideline1_1.1_1_1.H30": "link-name",
+    "Principle2.Guideline2_4.2_4_6.G197": "label",
+    "Principle2.Guideline2_1.2_1_1.G202": "scrollable-region-focusable",
+    "Principle3.Guideline3_1.3_1_1.H57": "html-has-lang",
+    "Principle3.Guideline3_1.3_1_1.H57.2": "html-has-lang",
+    "Principle3.Guideline3_1.3_1_1.H57.3": "html-lang-valid",
+    "Principle3.Guideline3_1.3_1_1.H57.3.Lang": "html-lang-valid",
+    "Principle3.Guideline3_2.3_2_1.G107": "select-name",
+    "Principle3.Guideline3_3.3_3_2.G131": "label",
+    "Principle4.Guideline4_1.4_1_1.F77": "duplicate-id",
+    "Principle4.Guideline4_1.4_1_2.H91": "button-name",
+    "Principle4.Guideline4_1.4_1_2.H91.A": "link-name",
+    "Principle4.Guideline4_1.4_1_2.H91.Button": "button-name",
+    "Principle4.Guideline4_1.4_1_2.H91.InputText": "label",
+    "Principle4.Guideline4_1.4_1_2.H91.Select": "select-name"
+  }
+}

package/docs/architecture.md

@@ -8,6 +8,11 @@
 
 - [Pipeline overview](#pipeline-overview)
 - [Stage 1: DOM scanner](#stage-1-dom-scanner)
+  - [axe-core](#axe-core)
+  - [CDP checks](#cdp-checks)
+  - [pa11y](#pa11y)
+  - [Merge and deduplication](#merge-and-deduplication)
+- [Stage 1b: Source scanner](#optional-source-scanner)
 - [Stage 2: Analyzer](#stage-2-analyzer)
 - [Stage 3: Report builders](#stage-3-report-builders)
 - [Assets and rule intelligence](#assets-and-rule-intelligence)
@@ -23,59 +28,133 @@ The engine operates as a three-stage pipeline. Each stage is an independent Node
 Target URL
     │
     ▼
-┌─────────────────────────────┐
-│  Stage 1: DOM Scanner       │  Playwright + axe-core
-│  dom-scanner.mjs            │  Route discovery + WCAG scan
-└──────────────┬──────────────┘
-               │ a11y-scan-results.json
-               ▼
-┌─────────────────────────────┐
-│  Stage 1b: Source Scanner   │  Static regex analysis
-│  source-scanner.mjs         │  (optional — requires --project-dir)
-└──────────────┬──────────────┘
-               │ merges into a11y-findings.json
-               ▼
-┌─────────────────────────────┐
-│  Stage 2: Analyzer          │  Fix intelligence enrichment
-│  analyzer.mjs               │  intelligence.json + guardrails
-└──────────────┬──────────────┘
-               │ a11y-findings.json
-               ▼
-┌─────────────────────────────┐
-│  Stage 3: Report Builders   │  Parallel rendering
-│  md / html / pdf / checklist│
-└──────────────┬──────────────┘
-               │
-    ┌──────────┼──────────┬──────────────┐
-    ▼          ▼          ▼              ▼
-remediation  report    report         checklist
-   .md       .html      .pdf            .html
+┌─────────────────────────────────┐
+│  Stage 1: DOM Scanner           │  Three engines per route:
+│  dom-scanner.mjs                │
+│                                 │
+│  ┌──────────┐  ┌──────┐        │
+│  │ axe-core │  │ CDP  │        │  Playwright Chromium
+│  └────┬─────┘  └──┬───┘        │
+│       │           │             │
+│  ┌────▼───────────▼────┐       │
+│  │      pa11y          │       │  Puppeteer Chrome
+│  └────────┬────────────┘       │
+│           │                    │
+│  ┌────────▼────────────┐       │
+│  │  Merge & Dedup      │       │
+│  └────────┬────────────┘       │
+└───────────┼─────────────────────┘
+            │ a11y-scan-results.json
+            │ progress.json
+            ▼
+┌─────────────────────────────────┐
+│  Stage 1b: Source Scanner       │  Static regex analysis
+│  source-scanner.mjs             │  (optional — requires --project-dir)
+└───────────┬─────────────────────┘
+            │ merges into a11y-findings.json
+            ▼
+┌─────────────────────────────────┐
+│  Stage 2: Analyzer              │  Fix intelligence enrichment
+│  analyzer.mjs                   │  intelligence.json + guardrails
+└───────────┬─────────────────────┘
+            │ a11y-findings.json
+            ▼
+┌─────────────────────────────────┐
+│  Stage 3: Report Builders       │  Parallel rendering
+│  md / html / pdf / checklist    │
+└───────────┬─────────────────────┘
+            │
+    ┌───────┼──────────┬──────────────┐
+    ▼       ▼          ▼              ▼
+remediation report   report        checklist
+   .md      .html     .pdf           .html
 ```
 
 ## Stage 1: DOM scanner
 
 **Script**: `scripts/engine/dom-scanner.mjs`
 
-Launches a Playwright-controlled Chromium browser and runs axe-core against each discovered route.
+Launches a Playwright-controlled Chromium browser, discovers routes, and runs three independent accessibility engines against each page. Results are merged and deduplicated before output.
+
+### Route discovery
 
-**Route discovery**:
 - If the site exposes a `sitemap.xml`, all listed URLs are scanned (up to `--max-routes`).
 - Otherwise, BFS crawl starting from `--base-url`, following same-origin `<a href>` links up to `--crawl-depth` levels deep.
 - Routes are deduplicated and normalized before scanning.
+- 3 parallel browser tabs scan routes concurrently (~2-3x faster than sequential).
+
+### axe-core
+
+**Dependency**: `@axe-core/playwright`
+
+The primary engine. Injects axe-core into the live page via Playwright and runs WCAG 2.2 A/AA tag checks. Covers the majority of automatable WCAG success criteria (~80+ rules).
+
+- Configurable via `--axe-tags` (default: `wcag2a,wcag2aa,wcag21a,wcag21aa,wcag22a,wcag22aa`)
+- Supports `--only-rule` for focused single-rule audits
+- Supports `--exclude-selectors` to skip specific elements
+
+### CDP checks
+
+**Dependency**: Playwright's built-in CDP session (`page.context().newCDPSession()`)
+
+Queries the browser's full accessibility tree via Chrome DevTools Protocol. Catches issues axe may miss because it operates on the computed accessibility tree rather than the DOM:
+
+- **Missing accessible names** — interactive elements (`button`, `link`, `textbox`, `combobox`, etc.) with empty names in the accessibility tree
+- **aria-hidden on focusable elements** — elements that are focusable but hidden from assistive technology
+
+CDP findings use axe-compatible violation format with `source: "cdp"` for downstream processing.
+
+### pa11y
+
+**Dependency**: `pa11y` (which uses Puppeteer + Chrome internally)
+
+Runs Squiz's HTML CodeSniffer against each page URL. Catches WCAG violations that axe and CDP may miss:
+
+- Heading hierarchy issues
+- Link purpose violations
+- Form label associations
+- Additional WCAG2AA/WCAG2AAA checks from HTML CodeSniffer's rule set
+
+pa11y requires a separate Chrome installation (`npx puppeteer browsers install chrome`). This is separate from Playwright's Chromium. If Chrome is missing, pa11y fails silently (non-fatal) and the scan continues with axe + CDP only.
+
+pa11y findings use axe-compatible violation format with `source: "pa11y"` for downstream processing.
+
+### Merge and deduplication
+
+After all three engines complete, `mergeViolations()` combines findings and removes cross-engine duplicates:
+
+1. **axe findings** are added first as the baseline
+2. **CDP findings** are checked against axe equivalents (e.g. `cdp-missing-accessible-name` maps to `button-name`, `link-name`, `input-name`, `aria-command-name`). Only truly new findings are added.
+3. **pa11y findings** are checked against existing selectors. If the same element is already flagged by axe or CDP, the pa11y finding is dropped.
+
+The merged violations are written to `a11y-scan-results.json` per route.
+
+### Progress tracking
+
+The scanner writes `progress.json` in real-time as each engine runs. This file is used by integrations (like `a11y-scanner`) for live progress UI:
+
+```json
+{
+  "steps": {
+    "page":  { "status": "done", "updatedAt": "..." },
+    "axe":   { "status": "done", "updatedAt": "...", "found": 8 },
+    "cdp":   { "status": "done", "updatedAt": "...", "found": 3 },
+    "pa11y": { "status": "done", "updatedAt": "...", "found": 2 },
+    "merge": { "status": "done", "updatedAt": "...", "axe": 8, "cdp": 3, "pa11y": 2, "merged": 11 }
+  },
+  "currentStep": "merge"
+}
+```
 
-**Scanning**:
-- 3 parallel browser tabs scan routes concurrently (~2–3× faster than sequential).
-- axe-core 4.11+ runs WCAG 2.2 A, AA, and best-practice tag sets.
-- Screenshots of affected elements are captured for each violation.
-- `--color-scheme`, `--viewport`, `--wait-until`, and `--wait-ms` control the browser environment.
+### Screenshots
 
-**Output**: `a11y-scan-results.json` — raw axe results per route with DOM snapshots.
+After merging, element screenshots are captured for each violation. Non-visible elements (`<meta>`, `<link>`, `<script>`, etc.) are automatically skipped. Screenshots are stored in `.audit/screenshots/` and referenced by each violation's `screenshot_path` field.
 
 ### Optional: Source scanner
 
 **Script**: `scripts/engine/source-scanner.mjs` — runs when `--project-dir` is set and `--skip-patterns` is not.
 
-Performs static analysis of source files for accessibility issues axe cannot detect at runtime (e.g. focus outline suppression, missing alt text in templates). Uses regex patterns from `assets/remediation/code-patterns.json` scoped to framework-specific file boundaries from `assets/remediation/source-boundaries.json`.
+Performs static analysis of source files for accessibility issues no runtime engine can detect (e.g. focus outline suppression, missing alt text in templates). Uses regex patterns from `assets/remediation/code-patterns.json` scoped to framework-specific file boundaries from `assets/remediation/source-boundaries.json`.
 
 Findings are classified as `confirmed` (pattern unambiguously matches) or `potential` (requires human verification).
 
@@ -83,13 +162,13 @@ Findings are classified as `confirmed` (pattern unambiguously matches) or `poten
 
 **Script**: `scripts/engine/analyzer.mjs`
 
-Reads `a11y-scan-results.json` and enriches each violation with:
+Reads `a11y-scan-results.json` (which contains merged axe + CDP + pa11y results) and enriches each violation with:
 
-- **Fix intelligence** from `assets/remediation/intelligence.json` — 106 axe-core rules with code snippets, MDN links, framework-specific notes, and WCAG criterion mapping.
+- **Fix intelligence** from `assets/remediation/intelligence.json` — 106 axe-core rules with code snippets, MDN links, framework-specific notes, and WCAG criterion mapping. CDP and pa11y findings receive generic enrichment based on their rule structure.
 - **Selector scoring** — picks the most stable selector from axe's `nodes` list. Priority: `#id` > `[data-*]` > `[aria-*]` > `[type=]`, with penalty for Tailwind utility classes.
 - **Framework context** — `assets/discovery/stack-detection.json` fingerprints the DOM to detect framework and CMS. Per-finding `framework_notes` and `cms_notes` are filtered to the detected stack.
 - **Guardrails** — `assets/remediation/guardrails.json` defines scope rules that prevent agents from touching backend code, third-party scripts, or minified files.
-- **Compliance scoring** — `assets/reporting/compliance-config.json` weights findings by severity to produce a 0–100 score with grade thresholds.
+- **Compliance scoring** — `assets/reporting/compliance-config.json` weights findings by severity to produce a 0-100 score with grade thresholds.
 - **Persona impact groups** — `assets/reporting/wcag-reference.json` maps findings to disability personas (visual, motor, cognitive, etc.).
 
 **Output**: `a11y-findings.json` — enriched findings array with all intelligence fields.
@@ -116,7 +195,7 @@ Assets are static JSON files bundled with the package under `assets/`. They are
 | Asset | Purpose |
 | :--- | :--- |
 | `reporting/compliance-config.json` | Score weights, grade thresholds, legal regulation list |
-| `reporting/wcag-reference.json` | WCAG criterion map, persona config, persona–rule mapping |
+| `reporting/wcag-reference.json` | WCAG criterion map, persona config, persona-rule mapping |
 | `reporting/manual-checks.json` | 41 manual checks for the WCAG checklist |
 | `discovery/crawler-config.json` | BFS crawl defaults (timeouts, concurrency) |
 | `discovery/stack-detection.json` | Framework/CMS DOM fingerprints |

package/docs/cli-handbook.md

@@ -7,6 +7,7 @@
 ## Table of Contents
 
 - [Basic usage](#basic-usage)
+- [Prerequisites](#prerequisites)
 - [Flag groups](#flag-groups)
   - [Targeting & scope](#targeting--scope)
   - [Audit intelligence](#audit-intelligence)
@@ -33,6 +34,22 @@ The only required flag is `--base-url`. All other flags are optional.
 
 ---
 
+## Prerequisites
+
+The engine uses two separate browser installations:
+
+```bash
+# Required — used by axe-core and CDP checks
+npx playwright install chromium
+
+# Required for pa11y — uses Puppeteer's Chrome (separate from Playwright)
+npx puppeteer browsers install chrome
+```
+
+If Puppeteer Chrome is missing, pa11y checks fail silently (non-fatal) and the scan continues with axe-core + CDP only.
+
+---
+
 ## Flag groups
 
 ### Targeting & scope
@@ -43,7 +60,7 @@ Controls what gets scanned.
 | :--- | :--- | :--- | :--- |
 | `--base-url` | `<url>` | (Required) | Starting URL. Must include protocol (`https://` or `http://`). |
 | `--max-routes` | `<num>` | `10` | Maximum unique same-origin paths to discover and scan. |
-| `--crawl-depth` | `<num>` | `2` | How deep to follow links during BFS discovery (1–3). Has no effect when `--routes` is set. |
+| `--crawl-depth` | `<num>` | `2` | How deep to follow links during BFS discovery (1-3). Has no effect when `--routes` is set. |
 | `--routes` | `<csv>` | — | Explicit paths to scan (e.g. `/,/about,/contact`). Overrides auto-discovery entirely. |
 | `--project-dir` | `<path>` | — | Path to the audited project source. Enables the source code pattern scanner and framework auto-detection from `package.json`. |
 
@@ -64,6 +81,7 @@ Controls how findings are interpreted and filtered.
 | `--only-rule` | `<id>` | — | Run a single axe rule ID only. Useful for focused re-audits after fixing a specific issue. |
 | `--ignore-findings` | `<csv>` | — | Comma-separated list of axe rule IDs to suppress from output entirely. |
 | `--exclude-selectors` | `<csv>` | — | CSS selectors to skip. Elements matching these selectors are excluded from axe scanning. |
+| `--axe-tags` | `<csv>` | `wcag2a,wcag2aa,wcag21a,wcag21aa,wcag22a,wcag22aa` | axe-core WCAG tag filter. Also determines the pa11y standard (`WCAG2A`, `WCAG2AA`, or `WCAG2AAA`). |
 | `--framework` | `<name>` | — | Override auto-detected framework. Affects which fix notes and source boundaries are applied. |
 
 **Supported `--framework` values**: `nextjs`, `gatsby`, `react`, `nuxt`, `vue`, `angular`, `astro`, `svelte`, `shopify`, `wordpress`, `drupal`.
@@ -79,7 +97,7 @@ Controls browser behavior during scanning.
 | `--color-scheme` | `light\|dark` | `light` | Emulates `prefers-color-scheme` media query. |
 | `--wait-until` | `domcontentloaded\|load\|networkidle` | `domcontentloaded` | Playwright page load strategy. Use `networkidle` for SPAs with async rendering. |
 | `--viewport` | `<WxH>` | `1280x800` | Browser viewport in pixels (e.g. `375x812` for mobile, `1440x900` for desktop). |
-| `--wait-ms` | `<num>` | `2000` | Fixed delay (ms) after page load before axe runs. Useful when JS renders content after `DOMContentLoaded`. |
+| `--wait-ms` | `<num>` | `2000` | Fixed delay (ms) after page load before the engines run. Useful when JS renders content after `DOMContentLoaded`. |
 | `--timeout-ms` | `<num>` | `30000` | Network timeout per page load (ms). |
 | `--headed` | — | `false` | Launch browser in visible mode. Useful for debugging page rendering issues. |
 | `--affected-only` | — | `false` | Re-scan only routes that had violations in the previous scan. Reads `.audit/a11y-scan-results.json` to determine affected routes. Falls back to full scan if no prior results exist. |
@@ -190,6 +208,16 @@ a11y-audit \
   --project-dir .
 ```
 
+### Custom axe-core WCAG tags
+
+```bash
+# Only WCAG 2.0 A checks
+a11y-audit --base-url https://example.com --axe-tags wcag2a
+
+# Include AAA checks
+a11y-audit --base-url https://example.com --axe-tags wcag2a,wcag2aa,wcag2aaa
+```
+
 ---
 
 ## Exit codes