@wcag-checkr/ci 1.0.0-rc.31 → 1.0.0-rc.310

package/dist/devtools/panel.html

@@ -3,16 +3,17 @@
   <head>
     <meta charset="UTF-8" />
     <title>wcagcheckr</title>
-    <script type="module" crossorigin src="/assets/devtools-panel-DQ3Bbomf.js"></script>
+    <script type="module" crossorigin src="/assets/devtools-panel-DFQvqKKj.js"></script>
     <link rel="modulepreload" crossorigin href="/assets/modulepreload-polyfill-B5Qt9EMX.js">
     <link rel="modulepreload" crossorigin href="/assets/_commonjsHelpers-Cpj98o6Y.js">
-    <link rel="modulepreload" crossorigin href="/assets/crash-reporter-Dc5lvxvY.js">
-    <link rel="modulepreload" crossorigin href="/assets/state-PELIq3oj.js">
-    <link rel="modulepreload" crossorigin href="/assets/styles-C4Kq0zOO.js">
-    <link rel="modulepreload" crossorigin href="/assets/preload-helper-D7HrI6pR.js">
-    <link rel="modulepreload" crossorigin href="/assets/forensic-log-B1UCXZ23.js">
-    <link rel="modulepreload" crossorigin href="/assets/ErrorBoundary-BLcMSVSr.js">
-    <link rel="stylesheet" crossorigin href="/assets/styles-Cevp58mS.css">
+    <link rel="modulepreload" crossorigin href="/assets/crash-reporter-Bu2p8K-p.js">
+    <link rel="modulepreload" crossorigin href="/assets/ai-usage-log-BX3L6bKl.js">
+    <link rel="modulepreload" crossorigin href="/assets/styles-Cn731SYD.js">
+    <link rel="modulepreload" crossorigin href="/assets/diff-DA41zYPc.js">
+    <link rel="modulepreload" crossorigin href="/assets/scheduled-audit-runner-DyKpb3zg.js">
+    <link rel="modulepreload" crossorigin href="/assets/design-system-audit-DpxJrxnb.js">
+    <link rel="modulepreload" crossorigin href="/assets/ErrorBoundary-C-kswn4E.js">
+    <link rel="stylesheet" crossorigin href="/assets/styles-d5msFsnl.css">
   </head>
   <body class="bg-slate-50">
     <div id="root"></div>

package/dist/manifest.json

@@ -2,8 +2,8 @@
   "manifest_version": 3,
   "name": "wcagcheckr",
   "description": "Audit components across hover, focus, dark mode, forced colors, RTL — every state your users actually encounter. Per-component baselines surface only NEW violations.",
-  "version": "1.0.0.31",
-  "version_name": "1.0.0-rc.31",
+  "version": "1.0.0.310",
+  "version_name": "1.0.0-rc.310",
   "author": "Locustware",
   "homepage_url": "https://wcagcheckr.com",
   "icons": {
@@ -19,7 +19,8 @@
     "scripting",
     "tabs",
     "alarms",
-    "nativeMessaging"
+    "nativeMessaging",
+    "downloads"
   ],
   "host_permissions": [
     "<all_urls>"
@@ -36,7 +37,7 @@
   "content_scripts": [
     {
       "js": [
-        "assets/content-script.ts-loader-Dfu1UEfD.js"
+        "assets/content-script.ts-loader-CBHeu186.js"
       ],
       "matches": [
         "<all_urls>"
@@ -58,13 +59,15 @@
         "side-panel/*",
         "assets/*",
         "fonts/*",
-        "assets/preload-helper-D7HrI6pR.js",
-        "assets/crash-reporter-Dc5lvxvY.js",
-        "assets/diff-D4sCAdXf.js",
+        "axe.min.js",
+        "assets/diff-DA41zYPc.js",
+        "assets/crash-reporter-Bu2p8K-p.js",
         "assets/_commonjsHelpers-Cpj98o6Y.js",
         "assets/custom-rules-CAe0nbES.js",
+        "assets/design-system-audit-DpxJrxnb.js",
         "assets/reflow-analyzer-DNgBX8N_.js",
-        "assets/content-script.ts-CwcUMq3e.js"
+        "assets/dom-criterion-analyzers-DoUaJV5C.js",
+        "assets/content-script.ts-FuMy_sE5.js"
       ],
       "use_dynamic_url": false
     }

package/dist/options/options.html

@@ -4,15 +4,14 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>wcagcheckr — Settings</title>
-    <script type="module" crossorigin src="/assets/options-BG2i5vFf.js"></script>
+    <script type="module" crossorigin src="/assets/options-BPhjrbGI.js"></script>
     <link rel="modulepreload" crossorigin href="/assets/modulepreload-polyfill-B5Qt9EMX.js">
     <link rel="modulepreload" crossorigin href="/assets/_commonjsHelpers-Cpj98o6Y.js">
-    <link rel="modulepreload" crossorigin href="/assets/crash-reporter-Dc5lvxvY.js">
-    <link rel="modulepreload" crossorigin href="/assets/state-PELIq3oj.js">
-    <link rel="modulepreload" crossorigin href="/assets/styles-C4Kq0zOO.js">
-    <link rel="modulepreload" crossorigin href="/assets/ai-usage-log-Dj9Ub_DT.js">
+    <link rel="modulepreload" crossorigin href="/assets/crash-reporter-Bu2p8K-p.js">
+    <link rel="modulepreload" crossorigin href="/assets/ai-usage-log-BX3L6bKl.js">
+    <link rel="modulepreload" crossorigin href="/assets/styles-Cn731SYD.js">
     <link rel="modulepreload" crossorigin href="/assets/custom-rules-CAe0nbES.js">
-    <link rel="stylesheet" crossorigin href="/assets/styles-Cevp58mS.css">
+    <link rel="stylesheet" crossorigin href="/assets/styles-d5msFsnl.css">
   </head>
   <body class="m-0 p-0 bg-slate-50">
     <div id="root"></div>

package/dist/service-worker-loader.js

@@ -1 +1 @@
-import './assets/service-worker.ts-CO86CV_p.js';
+import './assets/service-worker.ts-CMkltOzu.js';

package/dist/side-panel/App.tsx

@@ -1,5 +1,15 @@
-import { useEffect } from 'react';
+import { useEffect, useState } from 'react';
 import { useStore } from './store';
+import {
+  HEADLESS_BUILD_LOCKDOWN,
+  isLockoutInEffectForTier,
+} from '../shared/headless-build-lockdown';
+// rc.79 — Reverted the rc.72 lazy-load NormalApp routing. Owner mode
+// goes back to using OwnerView (lawfare-risk grade, Quick/Thorough
+// scan depth, USER_RECIPES, full export set, no Suspense boundary).
+// rc.72's NormalApp stripped those features and added a chunk-load
+// step that wasn't there before; the regression wasn't worth the
+// "two code paths" structural symmetry it claimed.
 import {
   wireMessaging,
   refreshBaselineList,
@@ -11,11 +21,15 @@ import {
 import { primeAuditLauncher } from './audit-launcher';
 import { sendToTab } from '../shared/messaging';
 import { getAuditTargetTabId } from '../shared/active-tab';
+import { loadAcknowledged } from '../shared/acknowledged-findings';
+import { getDismissalsForUrl } from '../shared/dismissals';
+import { loadSiteCrawlReport } from '../shared/site-crawl-storage';
 import { Header } from './components/Header';
 import { AuditControls } from './components/AuditControls';
 import { VisualizerTools } from './components/VisualizerTools';
 import { ProgressBar } from './components/ProgressBar';
 import { MatrixView } from './views/MatrixView';
+import { GeneralReportView } from './views/GeneralReportView';
 import { DeltaView } from './views/DeltaView';
 import { ActivityView } from './views/ActivityView';
 import { GuidedView } from './views/GuidedView';
@@ -35,12 +49,36 @@ import { UserModeWizard } from './components/UserModeWizard';
 import { OwnerView } from './views/OwnerView';
 import { ForensicLogView } from './views/ForensicLogView';
 import { WcagEmView } from './views/WcagEmView';
+import { SchedulesView } from './views/SchedulesView';
+import { RiskView } from './views/RiskView';
+import { CopilotView } from './views/CopilotView';
+import { AxTreeView } from './views/AxTreeView';
+import { Wcag3View } from './views/Wcag3View';
+import { DesignSystemView } from './views/DesignSystemView';
+import { OnboardingChecklist } from './components/OnboardingChecklist';
 import { UpgradeCard } from './components/UpgradeCard';
 import { CriticalBanner } from './components/MessagesBell';
+import { LicenseRequiredView } from './views/LicenseRequiredView';
 
 export function App() {
   const view = useStore((s) => s.view);
   const userMode = useStore((s) => s.userMode);
+  const tier = useStore((s) => s.tier);
+  // rc.124 — Headless-build lockdown. When active, only team-license holders
+  // get the full UI; everyone else sees the license-entry surface. The check
+  // is rendered EARLY so no other UI mounts for locked-out users (no audit
+  // controls, no visualizers, no exports). The audit dispatchers + export
+  // handlers also gate on the same helper for defense-in-depth.
+  const [tierResolved, setTierResolved] = useState(false);
+  useEffect(() => {
+    // Wait one tick for the initial refreshLicenseTier() call below to land
+    // before deciding lockout — otherwise the store's default 'trial' would
+    // render LicenseRequiredView for a real team license that's still being
+    // validated.
+    const t = setTimeout(() => setTierResolved(true), 600);
+    return () => clearTimeout(t);
+  }, []);
+  const lockoutActive = HEADLESS_BUILD_LOCKDOWN && tierResolved && isLockoutInEffectForTier(tier);
 
   useEffect(() => {
     const port = startKeepalive();
@@ -74,6 +112,55 @@ export function App() {
     // The Header shows the audited domain so the user always knows which
     // page the displayed results belong to.
     loadLastAudit().catch(() => {});
+    // rc.37 — load the user's "acknowledged" matchKeys so every
+    // ViolationCard can render the acknowledged pill immediately on
+    // mount (in every view, not just Delta).
+    loadAcknowledged()
+      .then((all) => {
+        useStore.getState().setAcknowledgedKeys(new Set(all.map((a) => a.matchKey)));
+      })
+      .catch(() => {});
+
+    // rc.200 — Subscribe to results changes and reload dismissals for
+    // the audited page URL. Dismissals are URL-scoped (not matchKey-
+    // scoped like acks), so we re-fetch every time a new audit
+    // completes against a different page.
+    const unsubResults = useStore.subscribe((state, prev) => {
+      const url = state.results[0]?.pageUrl;
+      const prevUrl = prev.results[0]?.pageUrl;
+      if (!url || url === prevUrl) return;
+      void getDismissalsForUrl(url)
+        .then((d) => {
+          useStore.getState().setDismissedKeys(new Set(Object.keys(d)));
+        })
+        .catch(() => {});
+    });
+
+    // rc.111 — rehydrate the most-recent site-crawl report so the AI fixer
+    // prompt's "## Site-wide context" section survives panel close / SW
+    // restart. setState (not setSiteCrawlReport) so we don't re-write the
+    // same data back to storage on hydration.
+    // rc.263 — Phase 2 of screen consolidation: when a crawl is in
+    // storage on side-panel open AND the user hasn't navigated
+    // somewhere else yet, default the view to 'crawl' so they land
+    // on the new inline-expandable master view instead of the empty
+    // Dashboard. Cliff: "we have so many screens for the user that
+    // it is fully confusing." If results from a single-page audit
+    // also exist, prefer 'report' (the user just did an audit and
+    // wants to see those results). View stays at whatever the user
+    // explicitly switches to after first paint.
+    loadSiteCrawlReport()
+      .then((report) => {
+        if (!report) return;
+        useStore.setState((prev) => {
+          const next: Partial<typeof prev> = { siteCrawlReport: report };
+          if (prev.view === 'matrix' && prev.results.length === 0) {
+            next.view = 'crawl';
+          }
+          return next;
+        });
+      })
+      .catch(() => {});
 
     // Esc inside the side panel clears the highlight pin. The page's own keydown
     // handler (in element-highlighter) only fires when the page has focus.
@@ -98,9 +185,21 @@ export function App() {
       port.disconnect();
       trackerPort?.disconnect();
       window.removeEventListener('keydown', onEsc);
+      unsubResults();
     };
   }, []);
 
+  // rc.124 — Headless-build lockdown takes precedence over EVERY other view.
+  // No persona wizard, no owner view, no dev view. Just the license entry.
+  if (lockoutActive) {
+    return (
+      <>
+        <LicenseRequiredView />
+        <Announcer />
+      </>
+    );
+  }
+
   // First launch — show the persona picker. Once chosen it persists in
   // chrome.storage.local; subsequent loads bypass the wizard.
   if (userMode === null) {
@@ -114,6 +213,8 @@ export function App() {
 
   // Owner mode — simplified surface. No view tabs, no visualizers, no IGT.
   // OwnerView holds its own header + footer for the simplified flow.
+  // (rc.79 reverted the rc.72 NormalApp routing; OwnerView is the right
+  // surface for Owner mode and was working before I broke it.)
   if (userMode === 'owner') {
     return (
       <>
@@ -140,20 +241,37 @@ export function App() {
       <UpgradeCard />
       <CriticalBanner />
       <Header />
+      <OnboardingChecklist />
       <main
         id="main-content"
         className="flex-1 flex flex-col overflow-hidden"
         aria-label="wcagcheckr"
       >
-        <AuditControls />
-        <VisualizerTools />
-        <StorybookHint />
-        <ResumeAuditBanner />
+        {/* rc.163 — Audit-launching surface (mode picker, throttle, target
+            chooser, visualizer toggles, storybook hint, resume banner) is
+            only relevant on the Dashboard, where the user is configuring
+            and starting an audit. On Findings and the other specialized
+            views these widgets just clutter the screen — Cliff: "remove
+            the form fields from the findings tab — distracting and
+            serves no real purpose being there — the tab will be better
+            fully focused on the findings."
+            Progress / error / AI-failure banners stay GLOBAL because
+            they're audit-state alerts the user needs to see regardless
+            of which view they happened to navigate to. */}
+        {view === 'matrix' && (
+          <>
+            <AuditControls />
+            <VisualizerTools />
+            <StorybookHint />
+            <ResumeAuditBanner />
+          </>
+        )}
         <ProgressBar />
         <ErrorBanner />
         <AiFailureBanner />
         <div className="flex-1 overflow-y-auto" role="region" aria-label={`${view} view`}>
           {view === 'matrix' && <MatrixView />}
+          {view === 'report' && <GeneralReportView />}
           {view === 'delta' && <DeltaView />}
           {view === 'activity' && <ActivityView />}
           {view === 'guided' && <GuidedView />}
@@ -162,6 +280,12 @@ export function App() {
           {view === 'crawl' && <SiteCrawlPanel />}
           {view === 'forensic' && <ForensicLogView />}
           {view === 'compliance' && <WcagEmView />}
+          {view === 'schedules' && <SchedulesView />}
+          {view === 'risk' && <RiskView />}
+          {view === 'copilot' && <CopilotView />}
+          {view === 'ax-tree' && <AxTreeView />}
+          {view === 'wcag3' && <Wcag3View />}
+          {view === 'tokens' && <DesignSystemView />}
         </div>
       </main>
       <ComplianceDisclaimer />

package/dist/side-panel/audit-launcher.ts

@@ -19,6 +19,8 @@
 
 import { send } from '../shared/messaging';
 import type { StartAuditAction, StartSiteCrawl } from '../shared/messages';
+import { saveSiteCrawlReport } from '../shared/site-crawl-storage';
+import { useStore } from './store';
 
 let cachedWindowId: number | null = null;
 
@@ -58,8 +60,26 @@ export function openFallbackPanel(): void {
 /** Drop-in replacement for `send(startAuditMessage)` at audit-start sites.
  *  Opens chrome.sidePanel first (preserving user-gesture), then dispatches
  *  the audit start to the service worker. Use for both START_AUDIT and
- *  START_SITE_CRAWL — both run the state-matrix audit pipeline. */
+ *  START_SITE_CRAWL — both run the state-matrix audit pipeline.
+ *
+ *  rc.165 — Clear the cached site-crawl report at every audit start.
+ *  Cliff's mental model: "remember when I click baseline, else not."
+ *  Pre-rc.165 the crawl report persisted in chrome.storage.local
+ *  forever (rc.111 added the persistence to survive panel close mid-
+ *  crawl), so a single-page audit run days after a crawl would pull
+ *  the stale crawl into the AI fix prompt's "Site-wide context"
+ *  section. Now the crawl is session-ephemeral: any new audit start
+ *  (single-page OR a fresh crawl) wipes the cached report. If the
+ *  audit is itself a crawl, the new crawl will write a fresh report
+ *  at completion. */
 export function launchAudit(msg: StartAuditAction | StartSiteCrawl): void {
   openFallbackPanel();
+  // Clear in-memory store first so any UI reads the empty state
+  // immediately, then clear persisted storage (best-effort).
+  useStore.getState().setSiteCrawlReport(null);
+  void saveSiteCrawlReport(null).catch(() => {
+    // Storage clears are best-effort; the in-memory clear above is the
+    // user-visible source of truth for the current session.
+  });
   void send(msg);
 }

package/dist/side-panel/azure-devops-issue.test.ts

@@ -0,0 +1,68 @@
+// rc.139 — G9 — Unit tests for the Azure DevOps issue URL builder.
+
+import { describe, it, expect } from 'vitest';
+import { buildAzureDevOpsIssueUrl } from './azure-devops-issue';
+import type { Violation } from '../types/audit';
+
+function v(over: Partial<Violation> = {}): Violation {
+  return {
+    ruleId: 'image-alt', wcagCriterion: '1.1.1', wcagLevel: 'A', impact: 'serious',
+    description: 'Images must have alt', helpUrl: 'https://x',
+    target: { selector: 'img.hero', outerHTML: '<img>', failureSummary: '', tagName: 'IMG', role: null, accessibleName: null, textSnippet: null, attrId: null, attrTestid: null },
+    componentId: '::c', currentState: { pseudoState: 'default', theme: 'light', direction: 'ltr', viewport: 'desktop' } as unknown as Violation['currentState'],
+    axeVersion: '4.11.4', detectedAt: '2026-05-22T00:00:00Z', matchKey: 'mk',
+    ...over,
+  };
+}
+
+describe('buildAzureDevOpsIssueUrl (rc.139)', () => {
+  it('builds a URL targeting the Bug type by default', () => {
+    const r = buildAzureDevOpsIssueUrl('https://dev.azure.com/myorg/myproject', '::c', [v()]);
+    expect(r.url.startsWith('https://dev.azure.com/myorg/myproject/_workitems/create/Bug?')).toBe(true);
+  });
+
+  it('honors a custom work-item type', () => {
+    const r = buildAzureDevOpsIssueUrl(
+      'https://dev.azure.com/myorg/myproject',
+      '::c',
+      [v()],
+      'Accessibility Defect',
+    );
+    expect(r.url).toContain('/_workitems/create/Accessibility%20Defect?');
+  });
+
+  it('embeds title + description as bracketed params', () => {
+    const r = buildAzureDevOpsIssueUrl('https://dev.azure.com/myorg/myproject', '::c', [v()]);
+    // URLSearchParams encodes the bracket bytes; verify presence in the URL.
+    expect(r.url).toMatch(/%5BTitle%5D=/);
+    expect(r.url).toMatch(/%5BDescription%5D=/);
+    expect(r.title).toContain('1 new violation');
+    expect(r.description).toContain('image-alt');
+    expect(r.description).toContain('1.1.1');
+  });
+
+  it('caps URL length at 7800', () => {
+    // Build a huge violation set to overflow.
+    const many = Array.from({ length: 200 }, (_, i) =>
+      v({
+        ruleId: `rule-${i}`,
+        target: { ...v().target, selector: `.really.long.selector.with.lots.of.classes.number-${i}` },
+      }),
+    );
+    const r = buildAzureDevOpsIssueUrl('https://dev.azure.com/org/proj', '::c', many);
+    expect(r.url.length).toBeLessThanOrEqual(7800);
+  });
+
+  it('dedupes by rule + selector + aggregates state labels', () => {
+    const viols = [
+      v({ matchKey: 'a', currentState: { pseudoState: 'default', theme: 'light', direction: 'ltr', viewport: 'desktop' } as unknown as Violation['currentState'] }),
+      v({ matchKey: 'b', currentState: { pseudoState: 'hover', theme: 'light', direction: 'ltr', viewport: 'desktop' } as unknown as Violation['currentState'] }),
+    ];
+    const r = buildAzureDevOpsIssueUrl('https://dev.azure.com/org/proj', '::c', viols);
+    // Single ticket section since the rule + selector matched.
+    expect(r.description.match(/### `image-alt`/g)?.length).toBe(1);
+    // But both states aggregated.
+    expect(r.description).toContain(':default');
+    expect(r.description).toContain(':hover');
+  });
+});

package/dist/side-panel/azure-devops-issue.ts

@@ -0,0 +1,89 @@
+// rc.139 — G9 — Azure DevOps work-item pre-fill URL builder.
+//
+// Mirrors the GitHub + Jira filer pattern: take a base URL (Azure
+// DevOps org+project), the audited component id, and the list of NEW
+// violations; return a clickable URL pre-filled with a structured
+// title + description so the user lands on a ready-to-save work item.
+//
+// Azure DevOps create-work-item URL pattern (Cloud + Server):
+//   https://dev.azure.com/{org}/{project}/_workitems/create/{type}
+//     ?[Title]=...&[Description]=...
+//
+// Description is markdown — Azure DevOps' work-item editor renders
+// markdown in the description field as of 2023. Falls back to plain
+// text for older Server installs.
+
+import type { Violation } from '../types/audit';
+
+export type AzureDevOpsIssueBuild = { url: string; title: string; description: string };
+
+const URL_LIMIT = 7800;
+
+export function buildAzureDevOpsIssueUrl(
+  /** Base URL — e.g. `https://dev.azure.com/myorg/myproject`. */
+  baseUrl: string,
+  componentId: string | null,
+  newViolations: Violation[],
+  /** Work-item type. Default 'Bug' fits accessibility regressions.
+   *  Users with custom types ('Accessibility Defect', 'Issue', etc.)
+   *  can pass the exact label. */
+  workItemType: string = 'Bug',
+): AzureDevOpsIssueBuild {
+  const cleaned = baseUrl.replace(/\/$/, '');
+
+  const groups: Array<Violation & { _states: string[] }> = [];
+  for (const v of newViolations) {
+    const key = `${v.ruleId}::${v.target.selector}`;
+    const stateLabel = `:${v.currentState.pseudoState} · ${v.currentState.theme} · ${v.currentState.direction}`;
+    const existing = groups.find((g) => `${g.ruleId}::${g.target.selector}` === key);
+    if (existing) {
+      if (!existing._states.includes(stateLabel)) existing._states.push(stateLabel);
+      continue;
+    }
+    groups.push({ ...v, _states: [stateLabel] });
+  }
+
+  const title = `a11y: ${groups.length} new violation${groups.length === 1 ? '' : 's'} in ${componentId ?? 'audited component'}`;
+
+  const lines: string[] = [];
+  lines.push(`**Component:** \`${componentId ?? 'unknown'}\``);
+  lines.push('');
+  lines.push(
+    'Detected by WCAG Component Auditor as **new** vs the saved baseline — these are violations introduced since the last accepted baseline.',
+  );
+  lines.push('');
+  lines.push('---');
+  lines.push('');
+  for (const v of groups) {
+    lines.push(`### \`${v.ruleId}\` — ${v.impact}`);
+    lines.push('');
+    lines.push(v.description);
+    lines.push('');
+    lines.push(`- **WCAG:** ${v.wcagCriterion} (${v.wcagLevel})`);
+    lines.push(`- **Selector:** \`${v.target.selector}\``);
+    lines.push(`- **Found in state(s):** ${v._states.join(', ')}`);
+    if (v.helpUrl) lines.push(`- **More info:** ${v.helpUrl}`);
+    lines.push('');
+    lines.push('```html');
+    lines.push(v.target.outerHTML);
+    lines.push('```');
+    lines.push('');
+  }
+  lines.push('---');
+  lines.push('');
+  lines.push('_Filed via WCAG Component Auditor (delta-only — inherited debt not included)._');
+
+  const description = lines.join('\n');
+  // Azure DevOps work-item URL params:
+  //   ?[Title]=... → title field
+  //   ?[Description]=... → description (rendered as markdown)
+  // Square brackets are part of the param name (a reference syntax).
+  const params = new URLSearchParams({
+    '[Title]': title,
+    '[Description]': description,
+  });
+  let url = `${cleaned}/_workitems/create/${encodeURIComponent(workItemType)}?${params.toString()}`;
+  if (url.length > URL_LIMIT) url = url.slice(0, URL_LIMIT);
+
+  return { url, title, description };
+}

package/dist/side-panel/gitlab-issue.test.ts

@@ -0,0 +1,53 @@
+// rc.139 — G9 — Unit tests for the GitLab issue URL builder.
+
+import { describe, it, expect } from 'vitest';
+import { buildGitLabIssueUrl } from './gitlab-issue';
+import type { Violation } from '../types/audit';
+
+function v(over: Partial<Violation> = {}): Violation {
+  return {
+    ruleId: 'image-alt', wcagCriterion: '1.1.1', wcagLevel: 'A', impact: 'serious',
+    description: 'Images must have alt', helpUrl: 'https://x',
+    target: { selector: 'img.hero', outerHTML: '<img>', failureSummary: '', tagName: 'IMG', role: null, accessibleName: null, textSnippet: null, attrId: null, attrTestid: null },
+    componentId: '::c', currentState: { pseudoState: 'default', theme: 'light', direction: 'ltr', viewport: 'desktop' } as unknown as Violation['currentState'],
+    axeVersion: '4.11.4', detectedAt: '2026-05-22T00:00:00Z', matchKey: 'mk',
+    ...over,
+  };
+}
+
+describe('buildGitLabIssueUrl (rc.139)', () => {
+  it('builds a URL targeting GitLab.com new-issue endpoint', () => {
+    const r = buildGitLabIssueUrl('https://gitlab.com/mygroup/myproject', '::c', [v()]);
+    expect(r.url.startsWith('https://gitlab.com/mygroup/myproject/-/issues/new?')).toBe(true);
+  });
+
+  it('handles self-hosted GitLab instances with the same pattern', () => {
+    const r = buildGitLabIssueUrl('https://gitlab.my-org.com/team/repo', '::c', [v()]);
+    expect(r.url.startsWith('https://gitlab.my-org.com/team/repo/-/issues/new?')).toBe(true);
+  });
+
+  it('embeds title + description as issue[*] params', () => {
+    const r = buildGitLabIssueUrl('https://gitlab.com/g/p', '::c', [v()]);
+    expect(r.url).toMatch(/issue%5Btitle%5D=/);
+    expect(r.url).toMatch(/issue%5Bdescription%5D=/);
+    expect(r.title).toContain('1 new violation');
+    expect(r.description).toContain('image-alt');
+    expect(r.description).toContain('1.1.1');
+  });
+
+  it('caps URL length at 7800', () => {
+    const many = Array.from({ length: 200 }, (_, i) =>
+      v({
+        ruleId: `rule-${i}`,
+        target: { ...v().target, selector: `.really.long.selector.number-${i}` },
+      }),
+    );
+    const r = buildGitLabIssueUrl('https://gitlab.com/g/p', '::c', many);
+    expect(r.url.length).toBeLessThanOrEqual(7800);
+  });
+
+  it('strips the trailing slash from the project URL', () => {
+    const r = buildGitLabIssueUrl('https://gitlab.com/g/p/', '::c', [v()]);
+    expect(r.url.startsWith('https://gitlab.com/g/p/-/issues/new?')).toBe(true);
+  });
+});

package/dist/side-panel/gitlab-issue.ts

@@ -0,0 +1,78 @@
+// rc.139 — G9 — GitLab issue pre-fill URL builder.
+//
+// Mirrors the GitHub flow but targets GitLab's new-issue endpoint.
+// GitLab's URL pattern is /-/issues/new (vs GitHub's /issues/new).
+// Description is markdown; renders natively.
+//
+//   https://gitlab.com/{group}/{project}/-/issues/new
+//     ?issue[title]=...&issue[description]=...
+
+import type { Violation } from '../types/audit';
+
+export type GitLabIssueBuild = { url: string; title: string; description: string };
+
+const URL_LIMIT = 7800;
+
+export function buildGitLabIssueUrl(
+  /** Project URL — e.g. `https://gitlab.com/group/project`.
+   *  Self-hosted instances work the same: pass `https://gitlab.your-org.com/group/project`. */
+  projectUrl: string,
+  componentId: string | null,
+  newViolations: Violation[],
+): GitLabIssueBuild {
+  const cleaned = projectUrl.replace(/\/$/, '');
+
+  const groups: Array<Violation & { _states: string[] }> = [];
+  for (const v of newViolations) {
+    const key = `${v.ruleId}::${v.target.selector}`;
+    const stateLabel = `:${v.currentState.pseudoState} · ${v.currentState.theme} · ${v.currentState.direction}`;
+    const existing = groups.find((g) => `${g.ruleId}::${g.target.selector}` === key);
+    if (existing) {
+      if (!existing._states.includes(stateLabel)) existing._states.push(stateLabel);
+      continue;
+    }
+    groups.push({ ...v, _states: [stateLabel] });
+  }
+
+  const title = `a11y: ${groups.length} new violation${groups.length === 1 ? '' : 's'} in ${componentId ?? 'audited component'}`;
+
+  const lines: string[] = [];
+  lines.push(`**Component:** \`${componentId ?? 'unknown'}\``);
+  lines.push('');
+  lines.push(
+    'Detected by WCAG Component Auditor as **new** vs the saved baseline — these are violations introduced since the last accepted baseline.',
+  );
+  lines.push('');
+  lines.push('---');
+  lines.push('');
+  for (const v of groups) {
+    lines.push(`### \`${v.ruleId}\` — ${v.impact}`);
+    lines.push('');
+    lines.push(v.description);
+    lines.push('');
+    lines.push(`- **WCAG:** ${v.wcagCriterion} (${v.wcagLevel})`);
+    lines.push(`- **Selector:** \`${v.target.selector}\``);
+    lines.push(`- **Found in state(s):** ${v._states.join(', ')}`);
+    if (v.helpUrl) lines.push(`- **More info:** ${v.helpUrl}`);
+    lines.push('');
+    lines.push('```html');
+    lines.push(v.target.outerHTML);
+    lines.push('```');
+    lines.push('');
+  }
+  lines.push('---');
+  lines.push('');
+  lines.push('_Filed via WCAG Component Auditor (delta-only — inherited debt not included)._');
+
+  const description = lines.join('\n');
+  // GitLab's new-issue endpoint uses bracketed param names that
+  // express a nested form payload.
+  const params = new URLSearchParams({
+    'issue[title]': title,
+    'issue[description]': description,
+  });
+  let url = `${cleaned}/-/issues/new?${params.toString()}`;
+  if (url.length > URL_LIMIT) url = url.slice(0, URL_LIMIT);
+
+  return { url, title, description };
+}