@mcptoolshop/a11y-evidence-engine 0.2.0

package/.github/workflows/ci.yml

@@ -0,0 +1,53 @@
+name: CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x, 22.x]
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ matrix.node-version }}
+        cache: 'npm'
+
+    - name: Install dependencies
+      run: npm ci
+
+    - name: Run tests
+      run: npm test
+
+    - name: Verify CLI works
+      run: |
+        node bin/a11y-engine.js scan fixtures/html --out test-results
+        test -d test-results
+
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Use Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20.x'
+        cache: 'npm'
+
+    - name: Install dependencies
+      run: npm ci
+
+    - name: Check for syntax errors
+      run: node --check bin/a11y-engine.js src/cli.js

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,129 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[INSERT CONTACT METHOD].
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

package/CONTRIBUTING.md

@@ -0,0 +1,128 @@
+# Contributing to a11y-evidence-engine
+
+Thank you for your interest in contributing to a11y-evidence-engine! We appreciate your help in building a robust accessibility evidence engine with provenance tracking.
+
+## How to Contribute
+
+### Reporting Issues
+
+If you find a bug or have a suggestion:
+
+1. Check if the issue already exists in [GitHub Issues](https://github.com/mcp-tool-shop/a11y-evidence-engine/issues)
+2. If not, create a new issue with:
+   - A clear, descriptive title
+   - Steps to reproduce (for bugs)
+   - Expected vs. actual behavior
+   - Your environment (Node version, OS)
+   - Sample HTML if relevant
+
+### Contributing Code
+
+1. **Fork the repository** and create a branch from `main`
+2. **Set up your development environment**
+   ```bash
+   npm install
+   ```
+3. **Make your changes**
+   - Follow the existing code style
+   - Add tests for new functionality
+   - Ensure all tests pass: `npm test`
+   - Update documentation as needed
+4. **Commit your changes**
+   - Use clear, descriptive commit messages
+   - Reference issue numbers when applicable
+5. **Submit a pull request**
+   - Describe what your PR does and why
+   - Link to related issues
+
+### Development Workflow
+
+```bash
+# Install dependencies
+npm install
+
+# Run tests
+npm test
+
+# Scan HTML files (test the CLI)
+npm run scan -- fixtures/html/example.html
+
+# Test the engine directly
+node bin/a11y-engine.js scan path/to/html --out results
+```
+
+### Testing
+
+All new features should include tests. Tests are located in the `test/` directory and use Node's built-in test runner.
+
+```javascript
+// Example test structure
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+
+test('should detect missing lang attribute', () => {
+  const html = '<html><head></head><body></body></html>';
+  const findings = scan(html);
+  assert.equal(findings[0].rule, 'html.document.missing_lang');
+});
+```
+
+### Adding New Rules
+
+1. Add rule implementation in `src/rules/`
+2. Add test cases in `test/*.test.js`
+3. Update README.md with rule documentation
+4. Ensure provenance records are generated correctly
+
+### Code Style
+
+- Use ES modules (`import`/`export`)
+- Prefer `const` over `let`
+- Use descriptive variable names
+- Add JSDoc comments for public APIs
+- Follow existing patterns for consistency
+
+### Provenance Design Principles
+
+- **Deterministic** - Same input produces same output
+- **Verifiable** - Evidence can be independently verified
+- **Tamper-evident** - SHA-256 digests detect any changes
+- **Traceable** - prov-spec records document all operations
+- **Evidence-anchored** - Findings reference specific artifact locations (JSON Pointer)
+
+## Project Structure
+
+```
+a11y-evidence-engine/
+├── bin/               # CLI entry point
+├── src/               # Source code
+│   ├── cli.js         # CLI implementation
+│   ├── scanner.js     # Core scanner
+│   ├── rules/         # Rule implementations
+│   └── provenance.js  # Provenance generation
+├── test/              # Test suite
+├── fixtures/          # Test fixtures
+└── package.json       # Project configuration
+```
+
+## Exit Codes
+
+Maintain CI-native exit codes:
+- `0` - No findings with severity `error`
+- `2` - At least one `error` finding
+- `3` - Internal engine failure / invalid input
+
+## Provenance Records
+
+Ensure all findings include three prov-spec records:
+1. `record.json` - Evidence extraction
+2. `digest.json` - SHA-256 integrity
+3. `envelope.json` - MCP envelope
+
+## Code of Conduct
+
+Please note that this project is released with a [Code of Conduct](CODE_OF_CONDUCT.md). By participating, you agree to abide by its terms.
+
+## Questions?
+
+Open an issue or start a discussion. We're here to help!

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 mcp-tool-shop
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,71 @@
+# a11y-evidence-engine
+
+Headless accessibility evidence engine that emits [prov-spec](https://github.com/mcp-tool-shop/prov-spec) provenance records.
+
+Designed to pair with **a11y-assist**: this engine finds issues and captures verifiable evidence; a11y-assist turns those findings into fixes.
+
+## Features
+
+- **Deterministic output**: Same input always produces identical findings and provenance
+- **prov-spec compatible**: Every finding includes cryptographically verifiable evidence
+- **CI-friendly**: Exit codes designed for automation
+- **No browser required**: Pure static HTML analysis
+
+## Installation
+
+```bash
+npm install -g a11y-evidence-engine
+```
+
+## Usage
+
+```bash
+# Scan a file or directory
+a11y-engine scan ./path/to/html --out ./results
+
+# View help
+a11y-engine --help
+```
+
+## Output
+
+```
+results/
+├── findings.json                    # All findings with metadata
+└── provenance/
+    └── finding-0001/
+        ├── record.json              # engine.extract.evidence.json_pointer
+        ├── digest.json              # integrity.digest.sha256
+        └── envelope.json            # adapter.wrap.envelope_v0_1
+```
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | No findings with severity `error` |
+| 2 | At least one `error` finding |
+| 3 | Internal engine failure / invalid input |
+
+## Rules (v0.1.0)
+
+| Rule ID | Description |
+|---------|-------------|
+| `html.document.missing_lang` | `<html>` element missing `lang` attribute |
+| `html.img.missing_alt` | `<img>` element missing `alt` attribute |
+| `html.form_control.missing_label` | Form control missing associated label |
+| `html.interactive.missing_name` | Interactive element missing accessible name |
+
+## Provenance
+
+Each finding includes three prov-spec records:
+
+1. **record.json**: Evidence extraction using `engine.extract.evidence.json_pointer`
+2. **digest.json**: SHA-256 hash of canonical evidence using `integrity.digest.sha256`
+3. **envelope.json**: Wrapped result using `adapter.wrap.envelope_v0_1`
+
+These records are independently verifiable without trusting the engine.
+
+## License
+
+MIT

package/bin/a11y-engine.js

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+"use strict";
+
+const { run } = require("../src/cli.js");
+
+run(process.argv.slice(2))
+  .then((code) => process.exit(code))
+  .catch((err) => {
+    console.error("Fatal error:", err.message);
+    process.exit(3);
+  });

package/fixtures/bad/button-no-name.html

@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Buttons Without Names</title>
+</head>
+<body>
+  <h1>Interactive Elements</h1>
+
+  <!-- Empty button -->
+  <button type="button"></button>
+
+  <!-- Icon button without label -->
+  <button type="button" class="icon-btn">
+    <span class="icon"></span>
+  </button>
+
+  <!-- Empty link -->
+  <a href="/somewhere"></a>
+
+  <!-- This is fine -->
+  <button type="submit">Submit Form</button>
+
+  <!-- This is fine (has aria-label) -->
+  <button type="button" aria-label="Close dialog"></button>
+
+  <!-- This is fine (has title) -->
+  <a href="/help" title="Get Help"></a>
+</body>
+</html>

package/fixtures/bad/img-missing-alt.html

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Missing Alt Text</title>
+</head>
+<body>
+  <h1>Images Without Alt</h1>
+
+  <!-- This image is missing alt text -->
+  <img src="photo.jpg">
+
+  <!-- This one too -->
+  <img src="banner.png" class="hero">
+
+  <!-- This is fine (decorative) -->
+  <img src="divider.gif" role="presentation">
+</body>
+</html>

package/fixtures/bad/input-missing-label.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Missing Labels</title>
+</head>
+<body>
+  <h1>Form Without Labels</h1>
+
+  <form>
+    <!-- Missing label -->
+    <input type="text" name="username" placeholder="Username">
+
+    <!-- Missing label -->
+    <input type="password" name="password">
+
+    <!-- This is fine (has aria-label) -->
+    <input type="search" aria-label="Search the site">
+
+    <!-- This is fine (hidden) -->
+    <input type="hidden" name="token" value="abc">
+
+    <button type="submit">Login</button>
+  </form>
+</body>
+</html>

package/fixtures/bad/missing-lang.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Missing Language</title>
+</head>
+<body>
+  <h1>Page Without Language</h1>
+  <p>This page is missing the lang attribute on the html element.</p>
+</body>
+</html>

package/fixtures/good/index.html

@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Accessible Page</title>
+</head>
+<body>
+  <h1>Welcome</h1>
+
+  <img src="logo.png" alt="Company Logo">
+  <img src="decorative.png" role="presentation">
+
+  <form>
+    <label for="name">Name:</label>
+    <input type="text" id="name" name="name">
+
+    <label for="email">Email:</label>
+    <input type="email" id="email" name="email">
+
+    <input type="hidden" name="csrf" value="token">
+    <button type="submit">Submit</button>
+  </form>
+
+  <nav>
+    <a href="/home">Home</a>
+    <a href="/about">About Us</a>
+  </nav>
+</body>
+</html>

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@mcptoolshop/a11y-evidence-engine",
+  "version": "0.2.0",
+  "description": "Headless accessibility evidence engine with prov-spec provenance",
+  "main": "src/cli.js",
+  "bin": {
+    "a11y-engine": "./bin/a11y-engine.js"
+  },
+  "scripts": {
+    "test": "node --test test/*.test.js",
+    "scan": "node bin/a11y-engine.js scan"
+  },
+  "keywords": [
+    "accessibility",
+    "a11y",
+    "wcag",
+    "provenance",
+    "prov-spec",
+    "evidence",
+    "testing",
+    "headless"
+  ],
+  "author": "mcp-tool-shop <64996768+mcp-tool-shop@users.noreply.github.com>",
+  "license": "MIT",
+  "homepage": "https://github.com/mcp-tool-shop/a11y-evidence-engine#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/mcp-tool-shop/a11y-evidence-engine.git"
+  },
+  "bugs": {
+    "url": "https://github.com/mcp-tool-shop/a11y-evidence-engine/issues"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org"
+  },
+  "dependencies": {
+    "htmlparser2": "^9.1.0"
+  },
+  "devDependencies": {}
+}

package/src/cli.js

@@ -0,0 +1,74 @@
+"use strict";
+
+const { scan } = require("./scan.js");
+const path = require("path");
+
+const HELP = `
+a11y-engine - Headless accessibility evidence engine
+
+USAGE:
+  a11y-engine scan <path> --out <dir>   Scan HTML files and emit findings
+  a11y-engine --help                    Show this help
+
+OPTIONS:
+  --out <dir>   Output directory for findings.json and provenance (default: ./out)
+
+EXIT CODES:
+  0   No findings with severity 'error'
+  2   At least one 'error' finding
+  3   Internal engine failure / invalid input
+`;
+
+async function run(args) {
+  if (args.length === 0 || args.includes("--help") || args.includes("-h")) {
+    console.log(HELP);
+    return 0;
+  }
+
+  const command = args[0];
+
+  if (command === "scan") {
+    return runScan(args.slice(1));
+  }
+
+  console.error(`Unknown command: ${command}`);
+  console.log(HELP);
+  return 3;
+}
+
+async function runScan(args) {
+  // Parse arguments
+  let targetPath = null;
+  let outDir = "./out";
+
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--out" && args[i + 1]) {
+      outDir = args[++i];
+    } else if (!args[i].startsWith("-")) {
+      targetPath = args[i];
+    }
+  }
+
+  if (!targetPath) {
+    console.error("Error: No target path specified");
+    return 3;
+  }
+
+  try {
+    const result = await scan(targetPath, outDir);
+
+    console.log(`Scanned ${result.summary.files_scanned} file(s)`);
+    console.log(`  Errors:   ${result.summary.errors}`);
+    console.log(`  Warnings: ${result.summary.warnings}`);
+    console.log(`  Info:     ${result.summary.info}`);
+    console.log(`\nOutput: ${path.resolve(outDir)}/findings.json`);
+
+    // Exit code based on error count
+    return result.summary.errors > 0 ? 2 : 0;
+  } catch (err) {
+    console.error(`Scan failed: ${err.message}`);
+    return 3;
+  }
+}
+
+module.exports = { run };