@diegovelasquezweb/a11y-engine 0.1.8 → 0.2.0

package/CHANGELOG.md

@@ -7,6 +7,37 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- **Programmatic API** — 7 exported functions accessible via `import { ... } from "@diegovelasquezweb/a11y-engine"`:
+  - `getEnrichedFindings(input, options?)` — normalizes raw findings, canonicalizes pa11y rules, enriches with fix intelligence, infers effort, sorts by severity. Accepts a full scan payload or a raw findings array. Supports `screenshotUrlBuilder` callback for consumer-specific screenshot URLs.
+  - `getAuditSummary(findings, payload?)` — computes severity totals, compliance score, grade label, WCAG pass/fail status, persona impact groups, quick wins, target URL, and detected stack from metadata.
+  - `getPDFReport(payload, options?)` — generates a formal A4 PDF compliance report via Playwright. Returns `{ buffer, contentType }`.
+  - `getChecklist(options?)` — generates a standalone manual accessibility testing checklist as HTML. Returns `{ html, contentType }`.
+  - `getHTMLReport(payload, options?)` — generates an interactive HTML audit dashboard with severity filters and fix guidance. Supports embedded base64 screenshots via `screenshotsDir`. Returns `{ html, contentType }`.
+  - `getRemediationGuide(payload, options?)` — generates a Markdown remediation guide optimized for AI agents. Supports optional `patternFindings` from source scanner. Returns `{ markdown, contentType }`.
+  - `getSourcePatterns(projectDir, options?)` — scans project source code for accessibility patterns not detectable by axe-core. Returns `{ findings, summary }`.
+- **TypeScript type declarations** shipped with the package (`scripts/index.d.mts`):
+  - `Finding` — raw finding with all snake_case fields
+  - `EnrichedFinding` — extends Finding with camelCase aliases and enriched fields
+  - `AuditSummary` — full audit summary including totals, score, personas, quick wins, detected stack
+  - `SeverityTotals`, `PersonaGroup`, `DetectedStack`, `ComplianceScore`
+  - `ScanPayload`, `EnrichmentOptions`, `ReportOptions`
+  - `PDFReport`, `HTMLReport`, `ChecklistReport`, `RemediationGuide`
+  - `SourcePatternFinding`, `SourcePatternResult`, `SourcePatternOptions`
+- `exports` and `main` fields in `package.json` pointing to `scripts/index.mjs`
+- `--axe-tags` CLI flag passthrough from `audit.mjs` to `dom-scanner.mjs`
+- `resolveScanDirs` exported from `source-scanner.mjs` for programmatic use
+
+### Changed
+
+- `getEnrichedFindings` always creates camelCase aliases (`fixDescription`, `fixCode`, `screenshotPath`, `wcagCriterionId`, `impactedUsers`, etc.) regardless of whether the finding already has fix data — fixes bug where camelCase fields were `undefined` when snake_case data existed
+- `getEnrichedFindings` infers `effort` field after intelligence enrichment: findings with `fixCode` default to `"low"`, others to `"high"` — unless an explicit effort value already exists
+- `getEnrichedFindings` normalizes raw findings internally — consumers no longer need to pre-process the findings array
+- `getEnrichedFindings` sorts findings by severity (Critical > Serious > Moderate > Minor) then by ID
+- `getAuditSummary` now includes `quickWins` (top 3 Critical/Serious findings with fix code), `targetUrl` (extracted from metadata with fallbacks), and `detectedStack` (framework/CMS/libraries from project context)
+- CLI (`audit.mjs`) continues to work standalone — the programmatic API is additive
+
 ---
 
 ## [0.1.3] — 2026-03-14

package/README.md

@@ -1,176 +1,218 @@
 # @diegovelasquezweb/a11y-engine
 
-Multi-engine WCAG 2.2 AA accessibility audit engine. Combines three scanning engines (axe-core, Chrome DevTools Protocol, and pa11y), merges and deduplicates their findings, enriches results with fix intelligence, and produces structured artifacts for developers, agents, and stakeholders.
+Multi-engine WCAG 2.2 accessibility audit engine. Combines three scanning engines (axe-core, Chrome DevTools Protocol, and pa11y), merges and deduplicates their findings, enriches results with fix intelligence, and produces structured artifacts for developers, agents, and stakeholders.
 
 ## What it is
 
-A Node.js CLI and programmatic engine that:
+A Node.js package that works two ways:
 
-1. Crawls a target URL and discovers routes automatically
-2. Runs three independent accessibility engines against each page:
-   - **axe-core** — industry-standard WCAG rule engine, injected into the live page via Playwright
-   - **CDP** (Chrome DevTools Protocol) — queries the browser's accessibility tree directly for issues axe may miss (missing accessible names, aria-hidden on focusable elements)
-   - **pa11y** (HTML CodeSniffer) — catches WCAG violations around heading hierarchy, link purpose, and form associations
-3. Merges and deduplicates findings across all three engines
-4. Optionally scans project source code for patterns no runtime engine can detect
-5. Enriches each finding with stack-aware fix guidance, selectors, and verification commands
-6. Produces a full artifact set: JSON data, Markdown remediation guide, HTML dashboard, PDF compliance report, and manual testing checklist
+1. **CLI** — run `npx a11y-audit --base-url <url>` to scan a site and generate reports
+2. **Programmatic API** — import functions directly to normalize findings, compute scores, and generate reports in your own application
 
-## Why use this engine
+## Programmatic API
 
-| Capability | With this engine | Without |
+```bash
+npm install @diegovelasquezweb/a11y-engine
+```
+
+```ts
+import {
+  getEnrichedFindings,
+  getAuditSummary,
+  getPDFReport,
+  getChecklist,
+  getHTMLReport,
+  getRemediationGuide,
+  getSourcePatterns,
+} from "@diegovelasquezweb/a11y-engine";
+```
+
+### getEnrichedFindings
+
+Normalizes raw scan findings, canonicalizes pa11y rules to axe equivalents, enriches with fix intelligence, infers effort, and sorts by severity.
+
+```ts
+const findings = getEnrichedFindings(scanPayload, {
+  screenshotUrlBuilder: (path) => `/api/screenshot?path=${encodeURIComponent(path)}`,
+});
+```
+
+| Parameter | Type | Description |
 | :--- | :--- | :--- |
-| **Multi-engine scanning** | axe-core + CDP accessibility tree + pa11y (HTML CodeSniffer) with cross-engine deduplication | Single engine — higher false-negative rate |
-| **Full WCAG 2.2 Coverage** | Three runtime engines + source code pattern scanner | Runtime scan only — misses structural and source-level issues |
-| **Fix Intelligence** | Stack-aware patches with code snippets tailored to detected framework | Raw rule violations with no remediation context |
-| **Structured Artifacts** | JSON + Markdown + HTML + PDF + Checklist — ready to consume or forward | Findings exist only in the terminal session |
-| **CI/Agent Integration** | Deterministic exit codes, stdout-parseable output paths, JSON schema | Requires wrapper scripting |
+| `input` | `ScanPayload \| Finding[] \| Record<string, unknown>[]` | Raw scan output or findings array |
+| `options.screenshotUrlBuilder` | `(rawPath: string) => string` | Transforms screenshot file paths into consumer-specific URLs |
 
-## How the scan pipeline works
+**Returns**: `EnrichedFinding[]` — normalized, enriched, sorted findings with both snake_case and camelCase fields.
+
+### getAuditSummary
+
+Computes a complete audit summary from enriched findings.
 
+```ts
+const summary = getAuditSummary(findings, scanPayload);
+// summary.score         → 72
+// summary.label         → "Good"
+// summary.wcagStatus    → "Fail"
+// summary.totals        → { Critical: 1, Serious: 3, Moderate: 5, Minor: 2 }
+// summary.personaGroups → { screenReader: {...}, keyboard: {...}, ... }
+// summary.quickWins     → [top 3 fixable Critical/Serious findings]
+// summary.targetUrl     → "https://example.com"
+// summary.detectedStack → { framework: "nextjs", cms: null, uiLibraries: [] }
 ```
-URL
- |
- v
-[1. Crawl & Discover]  sitemap.xml / BFS link crawl / explicit --routes
- |
- v
-[2. Navigate]           Playwright opens each route in Chromium
- |
- +---> [axe-core]       Injects axe into the page, runs WCAG tag checks
- |
- +---> [CDP]            Opens a CDP session, reads the full accessibility tree
- |
- +---> [pa11y]          Launches HTML CodeSniffer via Puppeteer Chrome
- |
- v
-[3. Merge & Dedup]      Combines findings, removes cross-engine duplicates
- |
- v
-[4. Analyze]            Enriches with WCAG mapping, severity, fix code, framework hints
- |
- v
-[5. Reports]            HTML dashboard, PDF, checklist, Markdown remediation
+
+| Parameter | Type | Description |
+| :--- | :--- | :--- |
+| `findings` | `EnrichedFinding[]` | Output from `getEnrichedFindings` |
+| `payload` | `ScanPayload \| null` | Original scan payload for metadata extraction |
+
+**Returns**: `AuditSummary`
+
+### getPDFReport
+
+Generates a formal A4 PDF compliance report using Playwright.
+
+```ts
+const { buffer, contentType } = await getPDFReport(scanPayload, {
+  baseUrl: "https://example.com",
+});
+fs.writeFileSync("report.pdf", buffer);
 ```
 
-## Installation
+**Returns**: `Promise<PDFReport>` — `{ buffer: Buffer, contentType: "application/pdf" }`
 
-```bash
-npm install @diegovelasquezweb/a11y-engine
-npx playwright install chromium
-npx puppeteer browsers install chrome
+### getHTMLReport
+
+Generates an interactive HTML audit dashboard with severity filters, persona impact, and fix guidance.
+
+```ts
+const { html, contentType } = await getHTMLReport(scanPayload, {
+  baseUrl: "https://example.com",
+  screenshotsDir: "/path/to/.audit/screenshots",
+});
 ```
 
-```bash
-pnpm add @diegovelasquezweb/a11y-engine
-pnpm exec playwright install chromium
-npx puppeteer browsers install chrome
+**Returns**: `Promise<HTMLReport>` — `{ html: string, contentType: "text/html" }`
+
+### getChecklist
+
+Generates a standalone manual accessibility testing checklist.
+
+```ts
+const { html, contentType } = await getChecklist({
+  baseUrl: "https://example.com",
+});
 ```
 
-> **Two browsers are required:**
-> - **Playwright Chromium** — used by axe-core and CDP checks
-> - **Puppeteer Chrome** — used by pa11y (HTML CodeSniffer)
->
-> These are separate browser installations. If Puppeteer Chrome is missing, pa11y checks fail silently (non-fatal) and the scan continues with axe + CDP only.
+**Returns**: `Promise<ChecklistReport>` — `{ html: string, contentType: "text/html" }`
+
+### getRemediationGuide
+
+Generates a Markdown remediation guide optimized for AI agents.
+
+```ts
+const { markdown, contentType } = await getRemediationGuide(scanPayload, {
+  baseUrl: "https://example.com",
+  patternFindings: sourcePatternResult,
+});
+```
+
+**Returns**: `Promise<RemediationGuide>` — `{ markdown: string, contentType: "text/markdown" }`
+
+### getSourcePatterns
+
+Scans project source code for accessibility patterns not detectable by axe-core at runtime.
+
+```ts
+const { findings, summary } = await getSourcePatterns("/path/to/project", {
+  framework: "nextjs",
+});
+// summary → { total: 12, confirmed: 10, potential: 2 }
+```
+
+**Returns**: `Promise<SourcePatternResult>` — `{ findings: SourcePatternFinding[], summary: { total, confirmed, potential } }`
+
+## CLI usage
 
-## Quick start
+The CLI runs the full scan pipeline: crawl, scan with 3 engines, merge, analyze, and generate reports.
 
 ```bash
-# Minimal scan — produces remediation.md in .audit/
+# Minimal scan
 npx a11y-audit --base-url https://example.com
 
 # Full audit with all reports
 npx a11y-audit --base-url https://example.com --with-reports --output ./audit/report.html
 
-# Scan with source code intelligence (for stack-aware fix guidance)
+# Scan with source code intelligence
 npx a11y-audit --base-url http://localhost:3000 --project-dir . --with-reports --output ./audit/report.html
 ```
 
-## CLI usage
-
-```
-a11y-audit --base-url <url> [options]
-```
-
-### Targeting & scope
+### Targeting and scope
 
 | Flag | Argument | Default | Description |
 | :--- | :--- | :--- | :--- |
-| `--base-url` | `<url>` | (Required) | Starting URL for the audit. |
-| `--max-routes` | `<num>` | `10` | Max routes to discover and scan. |
-| `--crawl-depth` | `<num>` | `2` | BFS link-follow depth during discovery (1-3). |
-| `--routes` | `<csv>` | — | Explicit path list, bypasses auto-discovery. |
-| `--project-dir` | `<path>` | — | Path to project source. Enables source pattern scanner and framework auto-detection. |
+| `--base-url` | `<url>` | (Required) | Starting URL for the audit |
+| `--max-routes` | `<num>` | `10` | Max routes to discover and scan |
+| `--crawl-depth` | `<num>` | `2` | BFS link-follow depth during discovery (1-3) |
+| `--routes` | `<csv>` | — | Explicit path list, bypasses auto-discovery |
+| `--project-dir` | `<path>` | — | Path to project source for stack-aware fixes and source pattern scanning |
 
 ### Audit intelligence
 
 | Flag | Argument | Default | Description |
 | :--- | :--- | :--- | :--- |
-| `--target` | `<text>` | `WCAG 2.2 AA` | Compliance target label in reports. |
-| `--only-rule` | `<id>` | — | Run a single axe rule (e.g. `color-contrast`). |
-| `--ignore-findings` | `<csv>` | — | Rule IDs to exclude from output. |
-| `--exclude-selectors` | `<csv>` | — | CSS selectors to skip during DOM scan. |
-| `--axe-tags` | `<csv>` | `wcag2a,wcag2aa,wcag21a,wcag21aa,wcag22a,wcag22aa` | axe-core WCAG tag filter. |
-| `--framework` | `<name>` | — | Override auto-detected stack. Supported: `nextjs`, `gatsby`, `react`, `nuxt`, `vue`, `angular`, `astro`, `svelte`, `shopify`, `wordpress`, `drupal`. |
+| `--target` | `<text>` | `WCAG 2.2 AA` | Compliance target label in reports |
+| `--axe-tags` | `<csv>` | `wcag2a,wcag2aa,wcag21a,wcag21aa,wcag22a,wcag22aa` | axe-core WCAG tag filter |
+| `--only-rule` | `<id>` | — | Run a single axe rule (e.g. `color-contrast`) |
+| `--ignore-findings` | `<csv>` | — | Rule IDs to exclude from output |
+| `--exclude-selectors` | `<csv>` | — | CSS selectors to skip during DOM scan |
+| `--framework` | `<name>` | — | Override auto-detected stack (`nextjs`, `react`, `vue`, `angular`, `svelte`, `shopify`, `wordpress`, etc.) |
 
-### Execution & emulation
+### Execution and emulation
 
 | Flag | Argument | Default | Description |
 | :--- | :--- | :--- | :--- |
-| `--color-scheme` | `light\|dark` | `light` | Emulate `prefers-color-scheme`. |
-| `--wait-until` | `domcontentloaded\|load\|networkidle` | `domcontentloaded` | Playwright page load strategy. Use `networkidle` for SPAs. |
-| `--viewport` | `<WxH>` | — | Viewport size (e.g. `375x812`, `1440x900`). |
-| `--wait-ms` | `<num>` | `2000` | Delay after page load before running axe (ms). |
-| `--timeout-ms` | `<num>` | `30000` | Network timeout per page (ms). |
-| `--headed` | — | `false` | Run browser in visible mode. |
-| `--affected-only` | — | `false` | Re-scan only routes with previous violations. Requires a prior scan in `.audit/`. |
+| `--color-scheme` | `light\|dark` | `light` | Emulate `prefers-color-scheme` |
+| `--wait-until` | `domcontentloaded\|load\|networkidle` | `domcontentloaded` | Playwright page load strategy |
+| `--viewport` | `<WxH>` | — | Viewport size (e.g. `375x812`) |
+| `--wait-ms` | `<num>` | `2000` | Delay after page load before scanning (ms) |
+| `--timeout-ms` | `<num>` | `30000` | Network timeout per page (ms) |
+| `--headed` | — | `false` | Run browser in visible mode |
+| `--affected-only` | — | `false` | Re-scan only routes with previous violations |
 
 ### Output generation
 
 | Flag | Argument | Default | Description |
 | :--- | :--- | :--- | :--- |
-| `--with-reports` | — | `false` | Generate HTML + PDF + Checklist reports. Requires `--output`. |
-| `--skip-reports` | — | `true` | Skip visual report generation (default). |
-| `--output` | `<path>` | — | Output path for `report.html` (PDF and checklist derive from it). |
-| `--skip-patterns` | — | `false` | Disable source code pattern scanner even when `--project-dir` is set. |
-
-## Common command patterns
-
-```bash
-# Focused audit — one rule, one route
-a11y-audit --base-url https://example.com --only-rule color-contrast --routes /checkout --max-routes 1
-
-# Dark mode audit
-a11y-audit --base-url https://example.com --color-scheme dark
+| `--with-reports` | — | `false` | Generate HTML + PDF + Checklist reports |
+| `--output` | `<path>` | — | Output path for `report.html` |
+| `--skip-patterns` | — | `false` | Disable source code pattern scanner |
 
-# SPA with deferred rendering
-a11y-audit --base-url https://example.com --wait-until networkidle --wait-ms 3000
-
-# Mobile viewport
-a11y-audit --base-url https://example.com --viewport 375x812
-
-# Fast re-audit after fixes (skips clean pages)
-a11y-audit --base-url https://example.com --affected-only
+## How the scan pipeline works
 
-# Ignore known false positives
-a11y-audit --base-url https://example.com --ignore-findings color-contrast,frame-title
 ```
-
-## Output artifacts
-
-All artifacts are written to `.audit/` relative to the package root.
-
-| File | Always generated | Description |
-| :--- | :--- | :--- |
-| `a11y-scan-results.json` | Yes | Raw merged results from axe-core + CDP + pa11y per route |
-| `a11y-findings.json` | Yes | Enriched findings with fix intelligence, WCAG mapping, and severity |
-| `progress.json` | Yes | Real-time scan progress with per-engine step status and finding counts |
-| `remediation.md` | Yes | AI-agent-optimized remediation roadmap |
-| `report.html` | With `--with-reports` | Interactive HTML dashboard |
-| `report.pdf` | With `--with-reports` | Formal compliance PDF |
-| `checklist.html` | With `--with-reports` | Manual WCAG testing checklist |
-
-See [Output Artifacts](docs/outputs.md) for full schema reference.
+URL
+ |
+ v
+[1. Crawl & Discover]  sitemap.xml / BFS link crawl / explicit --routes
+ |
+ v
+[2. Navigate]           Playwright opens each route in Chromium
+ |
+ +---> [axe-core]       Injects axe into the page, runs WCAG tag checks
+ |
+ +---> [CDP]            Opens a CDP session, reads the full accessibility tree
+ |
+ +---> [pa11y]          Launches HTML CodeSniffer via Puppeteer Chrome
+ |
+ v
+[3. Merge & Dedup]      Combines findings, removes cross-engine duplicates
+ |
+ v
+[4. Analyze]            Enriches with WCAG mapping, severity, fix code, framework hints
+ |
+ v
+[5. Reports]            HTML dashboard, PDF, checklist, Markdown remediation
+```
 
 ## Scan engines
 
@@ -181,52 +223,48 @@ The primary engine. Runs Deque's axe-core rule set against the live DOM inside P
 ### CDP (Chrome DevTools Protocol)
 
 Queries the browser's full accessibility tree via a CDP session. Catches issues axe may miss:
-- Interactive elements (buttons, links, inputs) with no accessible name
+- Interactive elements with no accessible name
 - Focusable elements hidden with `aria-hidden`
 
 ### pa11y (HTML CodeSniffer)
 
-Runs Squiz's HTML CodeSniffer via Puppeteer Chrome. Catches WCAG violations around:
-- Heading hierarchy
-- Link purpose
-- Form label associations
+Runs Squiz's HTML CodeSniffer via Puppeteer Chrome. Catches WCAG violations around heading hierarchy, link purpose, and form label associations.
 
 Requires a separate Chrome installation (`npx puppeteer browsers install chrome`). If Chrome is missing, pa11y fails silently and the scan continues with axe + CDP.
 
-### Merge & deduplication
-
-After all three engines run, findings are merged and deduplicated:
-- axe findings are added first (baseline)
-- CDP findings are checked against axe equivalents (e.g. `cdp-missing-accessible-name` vs `button-name`) to avoid duplicates
-- pa11y findings are checked against existing selectors to avoid triple-reporting the same element
-
-## Troubleshooting
-
-**`Error: browserType.launch: Executable doesn't exist`**
-Run `npx playwright install chromium` (or `pnpm exec playwright install chromium`).
+## Output artifacts
 
-**`pa11y checks failed (non-fatal): Could not find Chrome`**
-pa11y requires Puppeteer's Chrome, which is separate from Playwright's Chromium. Install it with `npx puppeteer browsers install chrome`.
+All artifacts are written to `.audit/` relative to the package root.
 
-**`Missing required argument: --base-url`**
-The flag is required. Provide a full URL including protocol: `--base-url https://example.com`.
+| File | Always generated | Description |
+| :--- | :--- | :--- |
+| `a11y-scan-results.json` | Yes | Raw merged results from axe + CDP + pa11y per route |
+| `a11y-findings.json` | Yes | Enriched findings with fix intelligence |
+| `progress.json` | Yes | Real-time scan progress with per-engine step status |
+| `remediation.md` | Yes | AI-agent-optimized remediation roadmap |
+| `report.html` | With `--with-reports` | Interactive HTML dashboard |
+| `report.pdf` | With `--with-reports` | Formal compliance PDF |
+| `checklist.html` | With `--with-reports` | Manual WCAG testing checklist |
 
-**Scan returns 0 findings on an SPA**
-Use `--wait-until networkidle --wait-ms 3000` to let async content render before the engines run.
+## Installation
 
-**`--with-reports` exits without generating PDF**
-Ensure `--output` is also set and points to an `.html` file path: `--output ./audit/report.html`.
+```bash
+npm install @diegovelasquezweb/a11y-engine
+npx playwright install chromium
+npx puppeteer browsers install chrome
+```
 
-**Chromium crashes in CI**
-Add `--no-sandbox` via the `PLAYWRIGHT_CHROMIUM_LAUNCH_OPTIONS` env var, or run Playwright with the `--with-deps` flag during browser installation.
+> **Two browsers are required:**
+> - **Playwright Chromium** — used by axe-core and CDP checks
+> - **Puppeteer Chrome** — used by pa11y (HTML CodeSniffer)
 
 ## Documentation
 
 | Resource | Description |
 | :--- | :--- |
-| [Architecture](https://github.com/diegovelasquezweb/a11y-engine/blob/main/docs/architecture.md) | How the multi-engine scanner pipeline works |
-| [CLI Handbook](https://github.com/diegovelasquezweb/a11y-engine/blob/main/docs/cli-handbook.md) | Full flag reference and usage patterns |
-| [Output Artifacts](https://github.com/diegovelasquezweb/a11y-engine/blob/main/docs/outputs.md) | Schema and structure of every generated file |
+| [Architecture](docs/architecture.md) | How the multi-engine scanner pipeline works |
+| [CLI Handbook](docs/cli-handbook.md) | Full flag reference and usage patterns |
+| [Output Artifacts](docs/outputs.md) | Schema and structure of every generated file |
 
 ## License
 

package/docs/architecture.md

@@ -205,6 +205,28 @@ Assets are static JSON files bundled with the package under `assets/`. They are
 | `remediation/axe-check-maps.json` | axe check-to-rule mapping |
 | `remediation/source-boundaries.json` | Framework-specific source file locations |
 
+## Programmatic API
+
+In addition to the CLI pipeline, the engine exports 7 functions via `scripts/index.mjs` for direct consumption by Node.js applications (e.g. `a11y-scanner`). These functions reuse the same internal renderers, assets, and enrichment logic as the CLI — no duplication.
+
+```
+scripts/index.mjs (public API)
+  ├── getEnrichedFindings()   ← uses asset-loader, intelligence.json, pa11y-config.json
+  ├── getAuditSummary()       ← uses compliance-config.json, wcag-reference.json
+  ├── getPDFReport()          ← uses reports/renderers/pdf.mjs + Playwright
+  ├── getHTMLReport()         ← uses reports/renderers/html.mjs + findings.mjs
+  ├── getChecklist()          ← uses reports/renderers/html.mjs (manual checks)
+  ├── getRemediationGuide()   ← uses reports/renderers/md.mjs
+  └── getSourcePatterns()     ← uses engine/source-scanner.mjs
+```
+
+### Key design decisions
+
+- **No filesystem output** — all API functions return data in memory (strings, Buffers, arrays). The consumer decides where to write.
+- **Payload in, results out** — functions accept the raw `{ findings, metadata }` payload that `a11y-findings.json` contains. No need to resolve paths or read files.
+- **`screenshotUrlBuilder` callback** — `getEnrichedFindings` accepts an optional function to transform raw screenshot paths (e.g. `screenshots/0-color-contrast.png`) into consumer-specific URLs (e.g. `/api/scan/{id}/screenshot?path=...`). This keeps URL construction out of the engine.
+- **CLI unaffected** — the `audit.mjs` orchestrator and all CLI builders continue to work exactly as before. The API is additive.
+
 ## Execution model and timeouts
 
 `audit.mjs` spawns each stage as a child process via `node:child_process`. All child processes:

package/docs/cli-handbook.md

@@ -235,3 +235,7 @@ The engine never exits `1` just because findings were found. Exit `1` only indic
 REMEDIATION_PATH=<abs-path>   # always printed on success
 REPORT_PATH=<abs-path>        # only printed when --with-reports is set
 ```
+
+## Programmatic alternative
+
+For applications that embed the engine as a dependency (e.g. web dashboards, CI pipelines), the engine also exports a programmatic API that processes scan data in memory without filesystem operations. See the [README](../README.md#programmatic-api) for full documentation.

package/docs/outputs.md

@@ -257,40 +257,54 @@ Written to the same directory as `--output` as `checklist.html`.
 
 ## Consuming outputs programmatically
 
-### Reading `a11y-findings.json` from an integration
-
-```js
-import fs from "node:fs";
-import path from "node:path";
-import { createRequire } from "node:module";
-
-// Resolve real path (handles pnpm symlinks)
-const req = createRequire(import.meta.url);
-const auditScript = req.resolve("@diegovelasquezweb/a11y-engine/scripts/audit.mjs");
-const engineRoot = path.dirname(path.dirname(auditScript));
-const findingsPath = path.join(engineRoot, ".audit", "a11y-findings.json");
-
-const { findings, metadata } = JSON.parse(fs.readFileSync(findingsPath, "utf-8"));
+### Using the programmatic API (recommended)
+
+The engine exports functions that process scan data directly in memory — no filesystem path resolution needed:
+
+```ts
+import {
+  getEnrichedFindings,
+  getAuditSummary,
+  getPDFReport,
+  getHTMLReport,
+  getChecklist,
+  getRemediationGuide,
+  getSourcePatterns,
+} from "@diegovelasquezweb/a11y-engine";
+
+// After running audit.mjs via CLI, read the findings file
+const payload = JSON.parse(fs.readFileSync(findingsPath, "utf-8"));
+
+// Enrich findings with fix intelligence
+const findings = getEnrichedFindings(payload, {
+  screenshotUrlBuilder: (path) => `/api/screenshot?path=${encodeURIComponent(path)}`,
+});
+
+// Get full audit summary
+const summary = getAuditSummary(findings, payload);
+
+// Generate reports
+const pdf = await getPDFReport(payload, { baseUrl: "https://example.com" });
+const html = await getHTMLReport(payload, { baseUrl: "https://example.com" });
+const checklist = await getChecklist({ baseUrl: "https://example.com" });
+const guide = await getRemediationGuide(payload, { baseUrl: "https://example.com" });
+
+// Scan source code patterns
+const patterns = await getSourcePatterns("/path/to/project", { framework: "nextjs" });
 ```
 
-> Note: `import.meta.url` may be mangled by bundlers (e.g. Next.js). In that case, use `fs.realpathSync` on the known symlink instead:
-
-```js
-const symlinkBase = path.join(process.cwd(), "node_modules", "@diegovelasquezweb", "a11y-engine");
-const engineRoot = fs.realpathSync(symlinkBase);
-const findingsPath = path.join(engineRoot, ".audit", "a11y-findings.json");
-```
+See the [README](../README.md#programmatic-api) for full API documentation and type signatures.
 
 ### Reading `progress.json` for live UI updates
 
+During CLI execution, `progress.json` is written to `.audit/` in real-time. This is relevant when using the CLI via `child_process` — the programmatic API does not write progress files.
+
 ```js
 const progressPath = path.join(engineRoot, ".audit", "progress.json");
 
-// Poll this file during scan execution
 if (fs.existsSync(progressPath)) {
   const progress = JSON.parse(fs.readFileSync(progressPath, "utf-8"));
   console.log(`Current step: ${progress.currentStep}`);
-  console.log(`axe found: ${progress.steps?.axe?.found ?? "pending"}`);
 }
 ```
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@diegovelasquezweb/a11y-engine",
-  "version": "0.1.8",
+  "version": "0.2.0",
   "description": "WCAG 2.2 AA accessibility audit engine — scanner, analyzer, and report builders",
   "type": "module",
   "license": "MIT",