@mcptoolshop/accessibility-suite 0.1.0

package/src/a11y-ci/pyproject.toml

@@ -0,0 +1,64 @@
+[build-system]
+requires = ["setuptools>=69", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "a11y-ci"
+version = "0.1.0"
+description = "CI gate for a11y-lint scorecards (low-vision-first)."
+readme = "README.md"
+requires-python = ">=3.10"
+license = {text = "MIT"}
+authors = [
+    {name = "mcp-tool-shop", email = "64996768+mcp-tool-shop@users.noreply.github.com"}
+]
+keywords = [
+    "a11y",
+    "accessibility",
+    "ci",
+    "gate",
+    "low-vision",
+    "scorecard",
+    "testing",
+    "quality-assurance",
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Software Development :: Quality Assurance",
+    "Topic :: Software Development :: Testing",
+]
+dependencies = [
+  "click>=8.1.7",
+  "jsonschema>=4.22.0",
+]
+
+[project.optional-dependencies]
+dev = [
+  "pytest>=8.0.0",
+  "ruff>=0.6.0",
+]
+
+[project.scripts]
+a11y-ci = "a11y_ci.cli:main"
+
+[project.urls]
+Homepage = "https://github.com/mcp-tool-shop-org/a11y-ci"
+Repository = "https://github.com/mcp-tool-shop-org/a11y-ci"
+Issues = "https://github.com/mcp-tool-shop-org/a11y-ci/issues"
+
+[tool.setuptools.packages.find]
+include = ["a11y_ci*"]
+
+[tool.ruff]
+line-length = 100
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

package/src/a11y-ci/tests/__init__.py

@@ -0,0 +1 @@
+"""Tests for a11y-ci."""

package/src/a11y-ci/tests/fixtures/allowlist_expired.json

@@ -0,0 +1,10 @@
+{
+  "version": "1",
+  "allow": [
+    {
+      "finding_id": "CLI.COLOR.ONLY",
+      "expires": "2020-01-01",
+      "reason": "Expired suppression should be flagged and removed."
+    }
+  ]
+}

package/src/a11y-ci/tests/fixtures/allowlist_ok.json

@@ -0,0 +1,10 @@
+{
+  "version": "1",
+  "allow": [
+    {
+      "finding_id": "CLI.COLOR.ONLY",
+      "expires": "2026-12-31",
+      "reason": "Temporary suppression for legacy output. Tracked in issue #12."
+    }
+  ]
+}

package/src/a11y-ci/tests/fixtures/baseline_ok.json

@@ -0,0 +1,7 @@
+{
+  "tool": {"name": "a11y-lint", "version": "0.1.0"},
+  "summary": {"critical": 0, "serious": 0, "moderate": 1, "minor": 0, "info": 0},
+  "findings": [
+    {"rule_id": "CLI.LINE.LENGTH", "severity": "moderate", "title": "Line too long"}
+  ]
+}

package/src/a11y-ci/tests/fixtures/current_fail.json

@@ -0,0 +1,6 @@
+{
+  "tool": {"name": "a11y-lint", "version": "0.1.0"},
+  "findings": [
+    {"rule_id": "CLI.COLOR.ONLY", "severity": "serious", "title": "Color-only meaning"}
+  ]
+}

package/src/a11y-ci/tests/fixtures/current_ok.json

@@ -0,0 +1,6 @@
+{
+  "tool": {"name": "a11y-lint", "version": "0.1.0"},
+  "findings": [
+    {"rule_id": "CLI.LINE.LENGTH", "severity": "moderate", "title": "Line too long"}
+  ]
+}

package/src/a11y-ci/tests/fixtures/current_regresses.json

@@ -0,0 +1,7 @@
+{
+  "tool": {"name": "a11y-lint", "version": "0.1.0"},
+  "findings": [
+    {"rule_id": "CLI.COLOR.ONLY", "severity": "serious", "title": "Color-only meaning"},
+    {"rule_id": "CLI.ERROR.STRUCTURE", "severity": "serious", "title": "Missing What/Why/Fix"}
+  ]
+}

package/src/a11y-ci/tests/test_gate.py

@@ -0,0 +1,134 @@
+"""Tests for the gate module."""
+
+from pathlib import Path
+
+import pytest
+
+from a11y_ci.allowlist import Allowlist
+from a11y_ci.gate import gate
+from a11y_ci.scorecard import Scorecard
+
+FIX = Path(__file__).parent / "fixtures"
+
+
+class TestGateBasic:
+    """Basic gate tests without baseline."""
+
+    def test_gate_passes_without_serious(self):
+        """Gate passes when no findings at/above threshold."""
+        current = Scorecard.load(str(FIX / "current_ok.json"))
+        result = gate(current=current, baseline=None, fail_on="serious", allowlist=None)
+        assert result.ok
+        assert result.current_blocking_ids == []
+
+    def test_gate_fails_on_serious_in_current(self):
+        """Gate fails when current has findings at/above threshold."""
+        current = Scorecard.load(str(FIX / "current_fail.json"))
+        result = gate(current=current, baseline=None, fail_on="serious", allowlist=None)
+        assert not result.ok
+        assert "Current run has" in " ".join(result.reasons)
+        assert "CLI.COLOR.ONLY" in result.current_blocking_ids
+
+    def test_gate_passes_when_below_threshold(self):
+        """Gate passes when findings are below the threshold."""
+        current = Scorecard.load(str(FIX / "current_fail.json"))
+        # fail_on=critical means serious is allowed
+        result = gate(current=current, baseline=None, fail_on="critical", allowlist=None)
+        assert result.ok
+
+
+class TestGateWithBaseline:
+    """Gate tests with baseline comparison."""
+
+    def test_gate_regression_vs_baseline_counts_and_ids(self):
+        """Gate fails on regression from baseline."""
+        baseline = Scorecard.load(str(FIX / "baseline_ok.json"))
+        current = Scorecard.load(str(FIX / "current_regresses.json"))
+        result = gate(current=current, baseline=baseline, fail_on="serious", allowlist=None)
+        assert not result.ok
+        assert result.new_blocking_ids  # new serious+ IDs
+        assert "CLI.COLOR.ONLY" in result.new_blocking_ids
+        assert "CLI.ERROR.STRUCTURE" in result.new_blocking_ids
+
+    def test_gate_no_regression_when_same(self):
+        """Gate passes when current matches baseline."""
+        baseline = Scorecard.load(str(FIX / "baseline_ok.json"))
+        current = Scorecard.load(str(FIX / "current_ok.json"))
+        result = gate(current=current, baseline=baseline, fail_on="serious", allowlist=None)
+        assert result.ok
+
+
+class TestGateWithAllowlist:
+    """Gate tests with allowlist."""
+
+    def test_allowlist_suppresses_ids(self):
+        """Allowlist suppresses matching finding IDs."""
+        baseline = Scorecard.load(str(FIX / "baseline_ok.json"))
+        current = Scorecard.load(str(FIX / "current_fail.json"))
+        allow = Allowlist.load(str(FIX / "allowlist_ok.json"))
+
+        result = gate(current=current, baseline=baseline, fail_on="serious", allowlist=allow)
+        # suppression should remove the only serious finding, leaving gate pass
+        assert result.ok
+
+    def test_expired_allowlist_is_reported_as_reason(self):
+        """Expired allowlist entries cause gate failure."""
+        current = Scorecard.load(str(FIX / "current_fail.json"))
+        allow = Allowlist.load(str(FIX / "allowlist_expired.json"))
+        result = gate(current=current, baseline=None, fail_on="serious", allowlist=allow)
+        # Even though it's suppressed, expired allowlist should create a reason
+        assert not result.ok
+        assert any("expired" in r.lower() for r in result.reasons)
+
+
+class TestScorecardLoading:
+    """Tests for scorecard loading and counts."""
+
+    def test_scorecard_loads_findings(self):
+        """Scorecard correctly loads findings."""
+        sc = Scorecard.load(str(FIX / "current_ok.json"))
+        assert len(sc.findings) == 1
+        assert sc.findings[0]["rule_id"] == "CLI.LINE.LENGTH"
+
+    def test_scorecard_counts_from_summary(self):
+        """Scorecard uses summary when present."""
+        sc = Scorecard.load(str(FIX / "baseline_ok.json"))
+        counts = sc.counts()
+        assert counts["moderate"] == 1
+        assert counts["serious"] == 0
+
+    def test_scorecard_counts_from_findings(self):
+        """Scorecard computes counts from findings when no summary."""
+        sc = Scorecard.load(str(FIX / "current_regresses.json"))
+        counts = sc.counts()
+        assert counts["serious"] == 2
+
+    def test_ids_at_or_above(self):
+        """ids_at_or_above returns correct finding IDs."""
+        sc = Scorecard.load(str(FIX / "current_regresses.json"))
+        ids = sc.ids_at_or_above("serious")
+        assert "CLI.COLOR.ONLY" in ids
+        assert "CLI.ERROR.STRUCTURE" in ids
+
+
+class TestAllowlistLoading:
+    """Tests for allowlist loading and validation."""
+
+    def test_allowlist_loads_entries(self):
+        """Allowlist correctly loads entries."""
+        allow = Allowlist.load(str(FIX / "allowlist_ok.json"))
+        assert len(allow.entries) == 1
+        assert allow.entries[0].finding_id == "CLI.COLOR.ONLY"
+        assert allow.entries[0].expires == "2026-12-31"
+
+    def test_allowlist_suppressed_ids(self):
+        """suppressed_ids returns correct set."""
+        allow = Allowlist.load(str(FIX / "allowlist_ok.json"))
+        assert "CLI.COLOR.ONLY" in allow.suppressed_ids()
+
+    def test_allowlist_expired_entries(self):
+        """expired_entries detects expired suppressions."""
+        allow = Allowlist.load(str(FIX / "allowlist_expired.json"))
+        expired = allow.expired_entries()
+        assert len(expired) == 1
+        assert expired[0].finding_id == "CLI.COLOR.ONLY"

package/src/a11y-evidence-engine/.github/workflows/ci.yml

@@ -0,0 +1,53 @@
+name: CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x, 22.x]
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ matrix.node-version }}
+        cache: 'npm'
+
+    - name: Install dependencies
+      run: npm ci
+
+    - name: Run tests
+      run: npm test
+
+    - name: Verify CLI works
+      run: |
+        node bin/a11y-engine.js scan fixtures/html --out test-results
+        test -d test-results
+
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Use Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20.x'
+        cache: 'npm'
+
+    - name: Install dependencies
+      run: npm ci
+
+    - name: Check for syntax errors
+      run: node --check bin/a11y-engine.js src/cli.js

package/src/a11y-evidence-engine/CODE_OF_CONDUCT.md

@@ -0,0 +1,129 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[INSERT CONTACT METHOD].
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

package/src/a11y-evidence-engine/CONTRIBUTING.md

@@ -0,0 +1,128 @@
+# Contributing to a11y-evidence-engine
+
+Thank you for your interest in contributing to a11y-evidence-engine! We appreciate your help in building a robust accessibility evidence engine with provenance tracking.
+
+## How to Contribute
+
+### Reporting Issues
+
+If you find a bug or have a suggestion:
+
+1. Check if the issue already exists in [GitHub Issues](https://github.com/mcp-tool-shop-org/a11y-evidence-engine/issues)
+2. If not, create a new issue with:
+   - A clear, descriptive title
+   - Steps to reproduce (for bugs)
+   - Expected vs. actual behavior
+   - Your environment (Node version, OS)
+   - Sample HTML if relevant
+
+### Contributing Code
+
+1. **Fork the repository** and create a branch from `main`
+2. **Set up your development environment**
+   ```bash
+   npm install
+   ```
+3. **Make your changes**
+   - Follow the existing code style
+   - Add tests for new functionality
+   - Ensure all tests pass: `npm test`
+   - Update documentation as needed
+4. **Commit your changes**
+   - Use clear, descriptive commit messages
+   - Reference issue numbers when applicable
+5. **Submit a pull request**
+   - Describe what your PR does and why
+   - Link to related issues
+
+### Development Workflow
+
+```bash
+# Install dependencies
+npm install
+
+# Run tests
+npm test
+
+# Scan HTML files (test the CLI)
+npm run scan -- fixtures/html/example.html
+
+# Test the engine directly
+node bin/a11y-engine.js scan path/to/html --out results
+```
+
+### Testing
+
+All new features should include tests. Tests are located in the `test/` directory and use Node's built-in test runner.
+
+```javascript
+// Example test structure
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+
+test('should detect missing lang attribute', () => {
+  const html = '<html><head></head><body></body></html>';
+  const findings = scan(html);
+  assert.equal(findings[0].rule, 'html.document.missing_lang');
+});
+```
+
+### Adding New Rules
+
+1. Add rule implementation in `src/rules/`
+2. Add test cases in `test/*.test.js`
+3. Update README.md with rule documentation
+4. Ensure provenance records are generated correctly
+
+### Code Style
+
+- Use ES modules (`import`/`export`)
+- Prefer `const` over `let`
+- Use descriptive variable names
+- Add JSDoc comments for public APIs
+- Follow existing patterns for consistency
+
+### Provenance Design Principles
+
+- **Deterministic** - Same input produces same output
+- **Verifiable** - Evidence can be independently verified
+- **Tamper-evident** - SHA-256 digests detect any changes
+- **Traceable** - prov-spec records document all operations
+- **Evidence-anchored** - Findings reference specific artifact locations (JSON Pointer)
+
+## Project Structure
+
+```
+a11y-evidence-engine/
+├── bin/               # CLI entry point
+├── src/               # Source code
+│   ├── cli.js         # CLI implementation
+│   ├── scanner.js     # Core scanner
+│   ├── rules/         # Rule implementations
+│   └── provenance.js  # Provenance generation
+├── test/              # Test suite
+├── fixtures/          # Test fixtures
+└── package.json       # Project configuration
+```
+
+## Exit Codes
+
+Maintain CI-native exit codes:
+- `0` - No findings with severity `error`
+- `2` - At least one `error` finding
+- `3` - Internal engine failure / invalid input
+
+## Provenance Records
+
+Ensure all findings include three prov-spec records:
+1. `record.json` - Evidence extraction
+2. `digest.json` - SHA-256 integrity
+3. `envelope.json` - MCP envelope
+
+## Code of Conduct
+
+Please note that this project is released with a [Code of Conduct](CODE_OF_CONDUCT.md). By participating, you agree to abide by its terms.
+
+## Questions?
+
+Open an issue or start a discussion. We're here to help!

package/src/a11y-evidence-engine/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 mcp-tool-shop
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/src/a11y-evidence-engine/README.md

@@ -0,0 +1,71 @@
+# a11y-evidence-engine
+
+Headless accessibility evidence engine that emits [prov-spec](https://github.com/mcp-tool-shop-org/prov-spec) provenance records.
+
+Designed to pair with **a11y-assist**: this engine finds issues and captures verifiable evidence; a11y-assist turns those findings into fixes.
+
+## Features
+
+- **Deterministic output**: Same input always produces identical findings and provenance
+- **prov-spec compatible**: Every finding includes cryptographically verifiable evidence
+- **CI-friendly**: Exit codes designed for automation
+- **No browser required**: Pure static HTML analysis
+
+## Installation
+
+```bash
+npm install -g a11y-evidence-engine
+```
+
+## Usage
+
+```bash
+# Scan a file or directory
+a11y-engine scan ./path/to/html --out ./results
+
+# View help
+a11y-engine --help
+```
+
+## Output
+
+```
+results/
+├── findings.json                    # All findings with metadata
+└── provenance/
+    └── finding-0001/
+        ├── record.json              # engine.extract.evidence.json_pointer
+        ├── digest.json              # integrity.digest.sha256
+        └── envelope.json            # adapter.wrap.envelope_v0_1
+```
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | No findings with severity `error` |
+| 2 | At least one `error` finding |
+| 3 | Internal engine failure / invalid input |
+
+## Rules (v0.1.0)
+
+| Rule ID | Description |
+|---------|-------------|
+| `html.document.missing_lang` | `<html>` element missing `lang` attribute |
+| `html.img.missing_alt` | `<img>` element missing `alt` attribute |
+| `html.form_control.missing_label` | Form control missing associated label |
+| `html.interactive.missing_name` | Interactive element missing accessible name |
+
+## Provenance
+
+Each finding includes three prov-spec records:
+
+1. **record.json**: Evidence extraction using `engine.extract.evidence.json_pointer`
+2. **digest.json**: SHA-256 hash of canonical evidence using `integrity.digest.sha256`
+3. **envelope.json**: Wrapped result using `adapter.wrap.envelope_v0_1`
+
+These records are independently verifiable without trusting the engine.
+
+## License
+
+MIT

package/src/a11y-evidence-engine/bin/a11y-engine.js

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+"use strict";
+
+const { run } = require("../src/cli.js");
+
+run(process.argv.slice(2))
+  .then((code) => process.exit(code))
+  .catch((err) => {
+    console.error("Fatal error:", err.message);
+    process.exit(3);
+  });