@wcag-checkr/ci 1.0.0-rc.31 → 1.0.0-rc.310

package/wcagcheckr-ci.mjs

@@ -68,6 +68,10 @@ function parseArgs(argv) {
       args.inputFile = a;
       continue;
     }
+    if (args.command === 'pdf' && !args.pdfTarget && !a.startsWith('--')) {
+      args.pdfTarget = a;
+      continue;
+    }
     if (a === '--format') args.format = argv[++i];
     else if (a === '--output') args.output = argv[++i];
     else if (a === '--threshold') args.threshold = argv[++i];
@@ -76,6 +80,9 @@ function parseArgs(argv) {
     else if (a === '--quiet') args.quiet = true;
     else if (a === '--license') args.license = argv[++i];
     else if (a === '--public-key-url') args.publicKeyUrl = argv[++i];
+    else if (a === '--watch') args.watch = true;
+    else if (a === '--watch-dir') args.watchDir = argv[++i];
+    else if (a === '--watch-debounce') args.watchDebounce = parseInt(argv[++i], 10);
     else if (a === '--help' || a === '-h') args.help = true;
   }
   return args;
@@ -87,6 +94,13 @@ function printUsage() {
 Usage:
   wcagcheckr-ci audit <url> [options]
   wcagcheckr-ci verify <forensic-log.json> [options]
+  wcagcheckr-ci pdf <path-or-url> [options]
+
+pdf options:
+  --output <file>                 Write JSON report to file
+  --threshold <none|critical|serious|moderate|minor>
+                                  Severity gate for non-zero exit
+  --quiet                         Suppress progress output
 
 audit options:
   --format <json|sarif|junit>     Output format (default: json)
@@ -97,6 +111,12 @@ audit options:
   --timeout <ms>                  Audit timeout (default: 120000)
   --license <token>               Activate this license token before auditing
                                   (gates paid features like forensic anchoring)
+  --watch                         Stay open after the initial audit and re-run
+                                  whenever a file under --watch-dir changes
+  --watch-dir <path>              Directory to watch when --watch is on
+                                  (default: current working directory)
+  --watch-debounce <ms>           Debounce window after a change before
+                                  re-auditing (default: 1500)
   --quiet                         Suppress progress output
 
 verify options:
@@ -137,6 +157,52 @@ if (args.command === 'verify') {
   // runVerify exits the process itself.
 }
 
+// ─── pdf subcommand (rc.153, G3) ────────────────────────────────────────────
+//
+// Metadata-level PDF accessibility audit. No page rendering — checks
+// the document Catalog for tagged status, document language, title,
+// structure-tree root. The #1 PDF accessibility failure (untagged) is
+// catchable at this level.
+
+if (args.command === 'pdf') {
+  if (!args.pdfTarget) {
+    console.error('✗ pdf: missing PDF path or URL.\n');
+    printUsage();
+    process.exit(2);
+  }
+  const { auditPdfFile, auditPdfUrl } = await import('./pdf-audit.mjs');
+  const isUrl = /^https?:\/\//.test(args.pdfTarget);
+  log(`auditing PDF metadata for ${args.pdfTarget}`);
+  const result = isUrl
+    ? await auditPdfUrl(args.pdfTarget)
+    : await auditPdfFile(args.pdfTarget);
+  if (!result.ok) {
+    console.error(`✗ ${result.fatalError ?? 'PDF audit failed.'}`);
+    process.exit(2);
+  }
+  if (args.output) {
+    const { writeFileSync } = await import('node:fs');
+    writeFileSync(args.output, JSON.stringify(result, null, 2), 'utf8');
+    log(`output written to ${args.output}`);
+  } else {
+    process.stdout.write(JSON.stringify(result, null, 2));
+    process.stdout.write('\n');
+  }
+  const exceeds = args.threshold === 'none'
+    ? false
+    : result.findings.some((f) => {
+        const rank = SEVERITY_RANK[f.impact];
+        const cap = SEVERITY_RANK[args.threshold];
+        return rank <= cap;
+      });
+  log(
+    `${result.findings.length} finding${result.findings.length === 1 ? '' : 's'} ` +
+    `(version ${result.version ?? '?'}, tagged=${result.metadata?.tagged ?? '?'}, ` +
+    `lang=${result.metadata?.lang ?? '?'}, title=${result.metadata?.title ? 'yes' : 'no'})`,
+  );
+  process.exit(exceeds ? 1 : 0);
+}
+
 if (args.command !== 'audit' || !args.url) {
   console.error(`✗ Unknown command or missing URL.\n`);
   printUsage();
@@ -162,6 +228,9 @@ if (!['none', 'critical', 'serious', 'moderate', 'minor'].includes(args.threshol
 
 log(`Loading extension from ${EXT_DIR}`);
 log(`Auditing ${args.url} (threshold: ${args.threshold}, format: ${args.format})`);
+if (args.watch) {
+  log(`watch mode ON — re-audits on file changes under ${args.watchDir ?? process.cwd()}`);
+}
 
 // Chrome extensions cannot load in legacy `headless: true` mode, so we
 // pass `--headless=new` as a Chromium arg (the modern headless mode that
@@ -179,8 +248,10 @@ const context = await chromium.launchPersistentContext('', {
 });
 
 let exitCode = 0;
+let targetPage;
+let sidePanel;
 try {
-  const [targetPage] = context.pages();
+  [targetPage] = context.pages();
   await targetPage.goto(args.url, { waitUntil: 'domcontentloaded', timeout: 30_000 });
   log('target page loaded');
 
@@ -193,7 +264,7 @@ try {
   if (!extId) throw new Error('extension SW did not register within 10s');
   log(`extension loaded (id: ${extId.slice(0, 8)}…)`);
 
-  const sidePanel = await context.newPage();
+  sidePanel = await context.newPage();
   await sidePanel.goto(`chrome-extension://${extId}/side-panel/side-panel.html`);
 
   // Headless persona — pick dev mode if wizard appears.
@@ -204,27 +275,40 @@ try {
   }
   await sidePanel.waitForSelector('h1:has-text("wcagcheckr")', { timeout: 10_000 });
 
-  // Activate license token, if provided. Gated paid features (forensic
-  // anchoring, AI-summary, etc.) need an active license at audit time.
-  if (args.license) {
-    log('activating license token');
-    const activated = await sidePanel.evaluate(
-      async (token) =>
-        await new Promise((resolve) => {
-          chrome.runtime.sendMessage(
-            { type: 'LICENSE_SET_REQUEST', token },
-            (response) => resolve(response ?? null),
-          );
-        }),
-      args.license,
+  // rc.124 — Headless-build lockdown gate. A team license is required to
+  // run audits during the private build phase. If --license is omitted
+  // OR validates to a non-team tier, refuse before doing any audit work.
+  if (!args.license) {
+    throw new Error(
+      'wcagcheckr is in private build phase. A team license is required to use the CLI. ' +
+      'Pass --license <token>. Email cliff@locustware.com for beta access.',
     );
-    if (!activated || activated.tier === 'free') {
-      throw new Error(
-        `license activation did not yield a paid tier — got ${JSON.stringify(activated)}`,
-      );
-    }
-    log(`license active — tier: ${activated.tier}`);
   }
+  log('activating license token');
+  const activated = await sidePanel.evaluate(
+    async (token) =>
+      await new Promise((resolve) => {
+        chrome.runtime.sendMessage(
+          { type: 'LICENSE_SET_REQUEST', token },
+          (response) => resolve(response ?? null),
+        );
+      }),
+    args.license,
+  );
+  if (!activated || !activated.validated) {
+    throw new Error(
+      `license activation failed — got ${JSON.stringify(activated)}`,
+    );
+  }
+  // Per the headless-build strategy, only team-tier licenses can use the CLI.
+  // At launch this constraint relaxes per per-feature tier mapping.
+  if (activated.tier !== 'team') {
+    throw new Error(
+      `wcagcheckr CLI requires a team-tier license during private build (got tier='${activated.tier}'). ` +
+      'Email cliff@locustware.com for beta access.',
+    );
+  }
+  log(`license active — tier: ${activated.tier}`);
 
   // Skip onboarding tour
   for (let i = 0; i < 5; i++) {
@@ -242,21 +326,43 @@ try {
     break;
   }
 
-  await sidePanel.getByLabel('Audit mode').selectOption('full-page');
-  await targetPage.bringToFront();
-  await targetPage.waitForTimeout(500);
-  await sidePanel.bringToFront();
-  await sidePanel.waitForTimeout(300);
-  await sidePanel.getByRole('button', { name: /Scan page|Auditing/ }).click();
-  log('audit started');
+  // The per-audit work: navigate target (re-load on subsequent runs to
+  // pick up code changes), kick off the scan, wait for completion, export,
+  // print, threshold-check. Returns the exit code that THIS audit pass
+  // should produce — the watch loop overall stays at 0 until Ctrl+C.
+  async function runOneAudit() {
+    // On re-runs, navigate the target page again so it picks up source
+    // changes (assumes the dev server hot-reloads or the URL serves fresh
+    // content).
+    await targetPage.bringToFront();
+    await targetPage.reload({ waitUntil: 'domcontentloaded', timeout: 30_000 });
+    await targetPage.waitForTimeout(500);
+    await sidePanel.bringToFront();
+    await sidePanel.waitForTimeout(300);
+
+    await sidePanel.getByLabel('Audit mode').selectOption('full-page');
+    await sidePanel.getByRole('button', { name: /Scan page|Auditing/ }).click();
+    log('audit started');
+
+    await sidePanel
+      .getByText(/\d+\s+states?\s+·\s+\d+\s+unique\s+violations?/, { exact: false })
+      .waitFor({ timeout: args.timeout });
+    log('audit completed');
+
+    return await collectResults();
+  }
+
+  // Result-export + threshold-check, extracted so runOneAudit returns the
+  // exit code suggestion. Closure over `args`, `sidePanel`, etc.
+  async function collectResults() {
+    return await doExportAndThresholdCheck();
+  }
 
-  await sidePanel
-    .getByText(/\d+\s+states?\s+·\s+\d+\s+unique\s+violations?/, { exact: false })
-    .waitFor({ timeout: args.timeout });
-  log('audit completed');
+  await runOneAudit();
 
   // Trigger the existing export pipeline. The SW handles EXPORT_REQUEST and
   // returns the formatted content for the requested format.
+  async function doExportAndThresholdCheck() {
   const formatMap = { json: 'json', sarif: 'sarif', junit: 'junit' };
   const exportFormat = formatMap[args.format];
 
@@ -340,6 +446,61 @@ try {
       log(`✓ threshold not exceeded (--threshold=${args.threshold})`);
     }
   }
+  } // end doExportAndThresholdCheck
+
+  // Watch mode: keep the browser open, watch the directory tree, re-audit
+  // on change (debounced). Ctrl+C exits.
+  if (args.watch) {
+    const watchDir = args.watchDir ?? process.cwd();
+    const debounceMs = args.watchDebounce ?? 1500;
+    const { watch } = await import('node:fs');
+    log(`watching ${watchDir} (debounce ${debounceMs}ms) — Ctrl+C to exit`);
+    let pending = false;
+    let inFlight = false;
+    let runCount = 1;
+    function trigger() {
+      if (inFlight) {
+        pending = true;
+        return;
+      }
+      inFlight = true;
+      setTimeout(async () => {
+        try {
+          runCount++;
+          log(`\n── Re-audit #${runCount} ──`);
+          await runOneAudit();
+          if (pending) {
+            pending = false;
+            inFlight = false;
+            trigger();
+          } else {
+            inFlight = false;
+          }
+        } catch (err) {
+          log(`re-audit failed: ${err.message}`);
+          inFlight = false;
+        }
+      }, debounceMs);
+    }
+    try {
+      watch(watchDir, { recursive: true }, (eventType, filename) => {
+        // Skip noise: node_modules, dist artifacts, .git, dotfiles other
+        // than the typical source files.
+        if (!filename) return;
+        const f = String(filename);
+        if (f.includes('node_modules')) return;
+        if (f.includes('.git')) return;
+        if (f.includes('/dist/') || f.startsWith('dist/') || f.includes('\\dist\\') || f.startsWith('dist\\')) return;
+        log(`change: ${f}`);
+        trigger();
+      });
+    } catch (err) {
+      log(`fs.watch failed (recursive may not be supported on this platform): ${err.message}`);
+      log('watch mode disabled; exiting after this audit.');
+    }
+    // Block forever until the user kills the process.
+    await new Promise(() => {});
+  }
 } catch (err) {
   console.error(`✗ ${err.message}`);
   if (err.stack && !args.quiet) console.error(err.stack);