agileflow 4.0.0-alpha.2 → 4.0.0-alpha.21

package/content/plugins/audit/skills/agileflow-audit/references/audit-depth-guide.md

@@ -0,0 +1,151 @@
+# Audit Depth & Routing Guide
+
+**Load this when:** deciding which audit to run, at what depth, and in what order.
+
+## Which audit for which situation
+
+| Situation                        | Start here                                |
+| -------------------------------- | ----------------------------------------- |
+| Just shipped a feature           | logic + flow (catch bugs before users do) |
+| Pre-PR / pre-merge               | security + logic + test                   |
+| User-facing forms added          | accessibility + flow                      |
+| New API endpoints                | security + api-quality                    |
+| Database query changes           | performance (query analyzer)              |
+| Auth/payment code touched        | security (always)                         |
+| Lots of new files                | architecture + completeness               |
+| Tests feel thin                  | test quality                              |
+| Full release / audit request     | `/agileflow:audit` (all)                  |
+| Something feels wrong but unsure | logic (broadest coverage)                 |
+
+## Depth levels
+
+| Depth            | What it means                                    | When to use                      |
+| ---------------- | ------------------------------------------------ | -------------------------------- |
+| `DEPTH=quick`    | Top-level scan, highest-confidence findings only | After implementation, pre-commit |
+| `DEPTH=standard` | Default — balanced coverage                      | Normal development               |
+| `DEPTH=deep`     | Exhaustive, includes low-confidence signals      | Pre-release, security reviews    |
+
+## Audit panel structure
+
+Each audit type runs multiple specialized analyzers then a consensus agent:
+
+```
+/agileflow:code:security
+  ├── security-analyzer-auth
+  ├── security-analyzer-authz
+  ├── security-analyzer-injection
+  ├── security-analyzer-input
+  ├── security-analyzer-api
+  ├── security-analyzer-secrets
+  ├── security-analyzer-infra
+  ├── security-analyzer-deps
+  └── security-consensus  ← deduplicates + prioritizes + maps to OWASP/CWE
+
+/agileflow:code:logic
+  ├── logic-analyzer-edge
+  ├── logic-analyzer-flow
+  ├── logic-analyzer-invariant
+  ├── logic-analyzer-race
+  ├── logic-analyzer-type
+  └── logic-consensus
+
+/agileflow:code:performance
+  ├── perf-analyzer-queries
+  ├── perf-analyzer-rendering
+  ├── perf-analyzer-memory
+  ├── perf-analyzer-network
+  ├── perf-analyzer-caching
+  ├── perf-analyzer-bundle
+  ├── perf-analyzer-assets
+  ├── perf-analyzer-compute
+  └── perf-consensus
+
+/agileflow:code:accessibility
+  ├── a11y-analyzer-aria
+  ├── a11y-analyzer-forms
+  ├── a11y-analyzer-keyboard
+  ├── a11y-analyzer-semantic
+  ├── a11y-analyzer-visual
+  └── a11y-consensus  ← maps to WCAG 2.2 success criteria
+
+/agileflow:code:legal
+  ├── legal-analyzer-privacy (GDPR, CCPA)
+  ├── legal-analyzer-security (breach notification, PCI)
+  ├── legal-analyzer-terms
+  ├── legal-analyzer-consumer (dark patterns, FTC)
+  ├── legal-analyzer-a11y (ADA, Section 508)
+  ├── legal-analyzer-licensing (OSS)
+  ├── legal-analyzer-international (LGPD, PIPL)
+  ├── legal-analyzer-ai (EU AI Act)
+  ├── legal-analyzer-content (DMCA, DSA)
+  └── legal-consensus
+
+/agileflow:code:flows
+  ├── flow-analyzer-discovery  ← maps all user journeys first
+  ├── flow-analyzer-wiring     ← UI → API → DB → response chain
+  ├── flow-analyzer-navigation ← routing and redirects
+  ├── flow-analyzer-persistence ← data actually saved?
+  ├── flow-analyzer-feedback   ← loading/success/error states
+  ├── flow-analyzer-errors     ← graceful failure paths
+  ├── flow-analyzer-authorization ← auth gates on each step
+  └── flow-consensus
+
+/agileflow:code:architecture
+  ├── arch-analyzer-circular
+  ├── arch-analyzer-complexity
+  ├── arch-analyzer-coupling
+  ├── arch-analyzer-layering
+  ├── arch-analyzer-patterns
+  └── arch-consensus
+
+/agileflow:code:completeness
+  ├── completeness-analyzer-stubs
+  ├── completeness-analyzer-handlers
+  ├── completeness-analyzer-routes
+  ├── completeness-analyzer-api
+  ├── completeness-analyzer-state
+  ├── completeness-analyzer-imports
+  ├── completeness-analyzer-conditional
+  └── completeness-consensus
+
+/agileflow:code:quality
+  ├── quality-analyzer-naming
+  ├── quality-analyzer-duplication
+  ├── quality-analyzer-comments
+  └── quality-consensus
+
+/agileflow:code:test
+  ├── test-analyzer-coverage
+  ├── test-analyzer-assertions
+  ├── test-analyzer-fragility
+  ├── test-analyzer-mocking
+  ├── test-analyzer-patterns
+  ├── test-analyzer-structure
+  ├── test-analyzer-maintenance
+  ├── test-analyzer-integration
+  └── test-consensus
+
+/agileflow:code:api
+  ├── api-quality-analyzer-conventions
+  ├── api-quality-analyzer-docs
+  ├── api-quality-analyzer-errors
+  ├── api-quality-analyzer-pagination
+  ├── api-quality-analyzer-versioning
+  └── api-quality-consensus
+```
+
+## Priority system
+
+| Priority      | Action                            |
+| ------------- | --------------------------------- |
+| P0 / Critical | Fix immediately — do not commit   |
+| P1 / High     | Fix this session before merging   |
+| P2 / Medium   | Fix this sprint                   |
+| P3 / Low      | Track, fix when touching the area |
+
+## After audit findings
+
+1. Present P0/P1 findings with specific fix recommendations
+2. Ask if user wants to fix P0s now (always recommend yes)
+3. After fixes: re-run the specific analyzer (not the full audit) to confirm
+4. P2/P3: create stories or add to tech debt backlog

package/content/plugins/audit/skills/agileflow-audit/references/dependency-risk-guide.md

@@ -0,0 +1,139 @@
+# Dependency Risk Guide
+
+**Load this when:** Evaluating dependency health, triaging CVEs, or deciding when to upgrade packages.
+
+## CVE Severity Triage
+
+| CVSS Score | Severity | Default action                | Timeline     |
+| ---------- | -------- | ----------------------------- | ------------ |
+| 9.0–10.0   | Critical | Upgrade or remove immediately | Same day     |
+| 7.0–8.9    | High     | Upgrade within sprint         | 1 week       |
+| 4.0–6.9    | Medium   | Schedule in backlog           | 1 month      |
+| 0.1–3.9    | Low      | Batch with routine updates    | Next release |
+
+**Exploitability modifiers** — escalate severity if:
+
+- Vulnerable code path is reachable from public input
+- No authentication required to trigger
+- Exploit is publicly available (check exploit-db, CISA KEV list)
+
+---
+
+## Upgrade Decision Framework
+
+### When to upgrade (do it)
+
+- [ ] CVE with CVSS ≥7.0 in reachable code path
+- [ ] Package is >2 major versions behind
+- [ ] Maintainer has flagged deprecation
+- [ ] Security policy (SOC 2, ISO 27001) mandates current versions
+- [ ] Dependent package requires newer version
+
+### When to defer (acceptable risk)
+
+- [ ] CVE only in dev dependency, not shipped to users
+- [ ] Vulnerable function is not called in your codebase (verify with code search)
+- [ ] No patch available yet — add to watch list
+- [ ] Breaking change cost exceeds risk (document as accepted risk)
+
+### When to remove (replace or delete)
+
+- [ ] Package unmaintained >2 years with open CVEs
+- [ ] Alternative with better security track record exists
+- [ ] Package does something you can implement in <50 lines
+
+---
+
+## Dependency Health Scorecard
+
+Rate each critical dependency:
+
+| Dimension        | Green          | Yellow         | Red                  |
+| ---------------- | -------------- | -------------- | -------------------- |
+| Last release     | <6 months      | 6–18 months    | >18 months           |
+| Open issues      | <100           | 100–500        | >500 stale           |
+| CVEs (unpatched) | 0              | 1–2 low        | Any high/critical    |
+| Downloads/week   | >100k          | 10k–100k       | <10k                 |
+| TypeScript types | Built-in       | @types/ exists | Missing              |
+| License          | MIT/Apache/BSD | LGPL           | GPL/AGPL/proprietary |
+
+---
+
+## License Risk Matrix
+
+| License               | Use in proprietary app | Distribute  | Notes                          |
+| --------------------- | ---------------------- | ----------- | ------------------------------ |
+| MIT                   | Yes                    | Yes         | No restrictions                |
+| Apache 2.0            | Yes                    | Yes         | Attribution required           |
+| BSD 2/3-clause        | Yes                    | Yes         | Attribution required           |
+| ISC                   | Yes                    | Yes         | Like MIT                       |
+| LGPL                  | Yes (dynamic link)     | Conditional | Static linking = copyleft      |
+| GPL v2/v3             | No                     | No          | Copyleft infects product       |
+| AGPL                  | No                     | No          | Network use = distribution     |
+| CC-BY                 | Content only           | Yes         | Not for code                   |
+| Unlicensed/no license | No                     | No          | All rights reserved by default |
+
+---
+
+## npm audit Interpretation
+
+```bash
+npm audit --json | jq '.vulnerabilities | to_entries[] | {name: .key, severity: .value.severity, fixAvailable: .value.fixAvailable}'
+```
+
+| npm audit result                        | Meaning                                      |
+| --------------------------------------- | -------------------------------------------- |
+| `fixAvailable: true`                    | `npm audit fix` will resolve it              |
+| `fixAvailable: { isSemVerMajor: true }` | Major bump required — check breaking changes |
+| `fixAvailable: false`                   | No patch exists yet; manual action needed    |
+| `isDirect: false`                       | Transitive dep — check if reachable          |
+
+---
+
+## Transitive Dependency Overrides
+
+When a transitive dep has a CVE but the direct dep hasn't released a fix:
+
+```json
+// package.json — npm overrides
+{
+  "overrides": {
+    "vulnerable-package": ">=patched-version"
+  }
+}
+
+// package.json — yarn resolutions
+{
+  "resolutions": {
+    "vulnerable-package": "patched-version"
+  }
+}
+```
+
+**Risk:** Overrides may break the parent package. Test thoroughly.
+
+---
+
+## Routine Maintenance Schedule
+
+| Cadence   | Action                                                                    |
+| --------- | ------------------------------------------------------------------------- |
+| Every PR  | `npm audit` in CI — block on high/critical                                |
+| Weekly    | Dependabot / Renovate PR review                                           |
+| Monthly   | Review deferred medium CVEs; check for unmaintained deps                  |
+| Quarterly | Full dependency audit: health scorecard, license scan, bundle size impact |
+| Annually  | Evaluate major framework/runtime version upgrades                         |
+
+---
+
+## Tools Reference
+
+| Tool                         | Purpose                       |
+| ---------------------------- | ----------------------------- |
+| `npm audit`                  | CVE scan for npm packages     |
+| `snyk`                       | Deep CVE + license scanning   |
+| `socket.dev`                 | Supply chain attack detection |
+| `license-checker`            | License compliance scan       |
+| `depcheck`                   | Find unused dependencies      |
+| `bundlephobia`               | Size impact before installing |
+| `renovatebot` / `dependabot` | Automated update PRs          |

package/content/plugins/audit/skills/agileflow-audit/references/owasp-top10.md

@@ -0,0 +1,120 @@
+# OWASP Top 10 Reference
+
+**Load this when:** running a security audit, reviewing auth/authz code, or
+assessing injection risks. Maps each category to what to look for in code.
+
+## A01 — Broken Access Control
+
+Most common. Look for:
+
+- Missing authorization checks before data access
+- IDOR: `GET /api/orders/:id` without verifying ownership
+- Privilege escalation: user can call admin endpoints
+- CORS misconfiguration allowing untrusted origins
+- Path traversal: `../` in file paths
+
+**Code signals:** `req.params.id` used directly in DB query without ownership check,
+`role === 'admin'` checked client-side only, wildcard CORS `*` on authenticated routes.
+
+## A02 — Cryptographic Failures
+
+Look for:
+
+- Passwords hashed with MD5, SHA-1, or unsalted SHA-256
+- Sensitive data in URLs, logs, or error messages
+- HTTP instead of HTTPS for sensitive data
+- Weak or hardcoded encryption keys
+- JWT with `alg: none` or weak secrets
+
+**Code signals:** `crypto.createHash('md5')`, `console.log(user)`, `Math.random()` for tokens.
+
+## A03 — Injection
+
+Look for:
+
+- SQL: string concatenation in queries instead of parameterized statements
+- NoSQL: `$where`, `$regex` with user input
+- Command injection: `exec()`, `spawn()` with user-controlled strings
+- Template injection: user input rendered in template engines
+- LDAP/XPath injection in directory queries
+
+**Code signals:** `db.query("SELECT * FROM users WHERE id = " + req.params.id)`,
+`exec(userInput)`, `res.render(userInput)`.
+
+## A04 — Insecure Design
+
+Look for:
+
+- Missing rate limiting on auth endpoints
+- No account lockout after failed logins
+- Password reset tokens that don't expire
+- Business logic that can be abused (negative quantities, free upgrades)
+- Lack of fraud detection on financial operations
+
+## A05 — Security Misconfiguration
+
+Look for:
+
+- Default credentials not changed
+- Stack traces exposed in production errors
+- Directory listing enabled
+- Unnecessary features/ports/services enabled
+- Missing security headers (CSP, HSTS, X-Frame-Options)
+- Debug mode in production (`DEBUG=true`, `NODE_ENV=development`)
+
+## A06 — Vulnerable Components
+
+Look for:
+
+- Dependencies with known CVEs (`npm audit`, `snyk`)
+- Outdated packages (especially auth libraries, crypto, XML parsers)
+- Unpinned versions (`^`, `~` prefixes hide breaking security patches)
+- Unused dependencies (larger attack surface)
+
+## A07 — Auth & Session Failures
+
+Look for:
+
+- Session tokens in URLs
+- Sessions not invalidated on logout
+- Weak session token generation (`Math.random()`)
+- Missing MFA on sensitive operations
+- JWT tokens without expiration
+- Refresh tokens with no rotation
+
+## A08 — Software & Data Integrity Failures
+
+Look for:
+
+- Dependencies loaded from untrusted CDNs without SRI hashes
+- Auto-update mechanisms without signature verification
+- Deserializing untrusted data (pickle, Java serialization, JSON with `__proto__`)
+- CI/CD pipelines that can be hijacked via dependency confusion
+
+## A09 — Logging & Monitoring Failures
+
+Look for:
+
+- No logging of auth failures, access control violations
+- Logs that contain passwords, tokens, or PII
+- No alerting on suspicious patterns
+- Logs that can be tampered with
+- No audit trail for sensitive operations
+
+## A10 — Server-Side Request Forgery (SSRF)
+
+Look for:
+
+- User-controlled URLs fetched server-side (`axios.get(req.body.url)`)
+- No allowlist for outbound requests
+- Cloud metadata endpoints reachable (`169.254.169.254`)
+- Webhooks that accept arbitrary URLs without validation
+
+## Severity mapping
+
+| CVSS Score | Severity | Action                               |
+| ---------- | -------- | ------------------------------------ |
+| 9.0–10.0   | Critical | Fix before any commit                |
+| 7.0–8.9    | High     | Fix this sprint                      |
+| 4.0–6.9    | Medium   | Fix next sprint                      |
+| 0.1–3.9    | Low      | Track and fix when touching the area |

package/content/plugins/audit/skills/agileflow-audit/references/performance-budget-guide.md

@@ -0,0 +1,143 @@
+# Performance Budget Guide
+
+**Load this when:** Auditing web performance, setting performance targets, or evaluating Lighthouse scores.
+
+## Lighthouse Score Thresholds
+
+| Score  | Label             | Action                             |
+| ------ | ----------------- | ---------------------------------- |
+| 90–100 | Good              | Monitor; optimize incrementally    |
+| 50–89  | Needs improvement | Prioritize fixes; target 90+       |
+| 0–49   | Poor              | Immediate attention; block deploys |
+
+---
+
+## Core Web Vitals Thresholds (field data)
+
+| Metric | Good   | Needs Work | Poor   | What it measures             |
+| ------ | ------ | ---------- | ------ | ---------------------------- |
+| LCP    | ≤2.5s  | 2.5–4s     | >4s    | Largest visible content load |
+| INP    | ≤200ms | 200–500ms  | >500ms | Interaction to Next Paint    |
+| CLS    | ≤0.1   | 0.1–0.25   | >0.25  | Layout shift score           |
+| FCP    | ≤1.8s  | 1.8–3s     | >3s    | First visible content        |
+| TTFB   | ≤800ms | 800ms–1.8s | >1.8s  | Server response time         |
+
+**Note:** INP replaced FID as a Core Web Vital in March 2024.
+
+---
+
+## Resource Budget Targets (per page, gzipped)
+
+| Resource            | Recommended budget | Maximum |
+| ------------------- | ------------------ | ------- |
+| Total page weight   | <500 KB            | 1 MB    |
+| JavaScript (total)  | <200 KB            | 350 KB  |
+| CSS (total)         | <50 KB             | 100 KB  |
+| Images (total)      | <200 KB            | —       |
+| Fonts               | <50 KB             | 100 KB  |
+| Third-party scripts | <50 KB             | 100 KB  |
+| HTTP requests       | <50                | <100    |
+
+---
+
+## Lighthouse Audit Categories and Key Checks
+
+### Performance
+
+- [ ] LCP element identified and optimized
+- [ ] Unused JavaScript removed (tree-shaking, code splitting)
+- [ ] Images: WebP/AVIF, lazy-loaded, explicit dimensions
+- [ ] Render-blocking resources eliminated
+- [ ] Server response time (TTFB) <200ms
+- [ ] Efficient cache policy on static assets (max-age ≥1 year)
+- [ ] No layout shifts from late-loading ads/embeds/fonts
+
+### Accessibility (score target: 100)
+
+- [ ] All images have alt text
+- [ ] Buttons and links have accessible names
+- [ ] Sufficient color contrast (4.5:1 normal, 3:1 large text)
+- [ ] Form inputs have associated labels
+- [ ] Logical heading hierarchy
+
+### Best Practices (score target: 100)
+
+- [ ] HTTPS enforced
+- [ ] No deprecated APIs
+- [ ] No browser errors in console
+- [ ] No vulnerable libraries (npm audit)
+
+### SEO (score target: 100)
+
+- [ ] Title and meta description present
+- [ ] Viewport meta tag set
+- [ ] Links crawlable
+- [ ] robots.txt valid
+
+---
+
+## JavaScript Budget Breakdown
+
+| Category                     | Max size (gzipped) |
+| ---------------------------- | ------------------ |
+| Framework (React/Vue/Svelte) | 45 KB              |
+| App code (first chunk)       | 50 KB              |
+| Routing library              | 10 KB              |
+| State management             | 10 KB              |
+| UI component library         | 30 KB              |
+| Analytics/tracking           | 15 KB              |
+| Remaining third-party        | 40 KB              |
+
+**Tooling:** `bundlephobia.com`, `webpack-bundle-analyzer`, `vite-bundle-visualizer`
+
+---
+
+## Image Optimization Checklist
+
+- [ ] Format: WebP for photos, AVIF where supported, SVG for icons/logos
+- [ ] Responsive images: `srcset` with 1x, 2x breakpoints
+- [ ] Lazy loading: `loading="lazy"` on all below-fold images
+- [ ] Explicit `width` and `height` to prevent CLS
+- [ ] LCP image: preloaded with `<link rel="preload">`
+- [ ] Max dimensions match display size (no oversized images)
+
+---
+
+## Font Loading Strategy
+
+```html
+<!-- Step 1: Preconnect to font origin -->
+<link rel="preconnect" href="https://fonts.googleapis.com" />
+
+<!-- Step 2: Preload critical font files -->
+<link rel="preload" as="font" href="/fonts/brand.woff2" crossorigin />
+
+<!-- Step 3: font-display: swap or optional -->
+@font-face { font-display: swap; }
+```
+
+**font-display values:**
+| Value | Behavior | Use when |
+|-------|----------|----------|
+| `swap` | FOUT; text always visible | Body text |
+| `optional` | Skips if slow | Non-critical decorative |
+| `block` | FOIT; invisible until loaded | Icons (avoid for text) |
+
+---
+
+## Performance Budget Enforcement
+
+```json
+// lighthouserc.json
+{
+  "assert": {
+    "assertions": {
+      "categories:performance": ["error", { "minScore": 0.9 }],
+      "resource-summary:script:size": ["error", { "maxNumericValue": 350000 }],
+      "resource-summary:total:size": ["error", { "maxNumericValue": 1000000 }]
+    }
+  }
+}
+```
+
+CI tools: `@lhci/cli` (Lighthouse CI), `bundlesize`, `size-limit`

package/content/plugins/audit/skills/agileflow-audit/references/wcag-criteria.md

@@ -0,0 +1,117 @@
+# WCAG 2.2 Key Criteria Reference
+
+**Load this when:** running an accessibility audit or reviewing UI components.
+Focuses on the criteria most commonly violated in web apps.
+
+## Conformance levels
+
+| Level | Meaning  | Requirement                                                 |
+| ----- | -------- | ----------------------------------------------------------- |
+| A     | Minimum  | Must meet — basic accessibility                             |
+| AA    | Standard | Target for most apps — legal baseline in most jurisdictions |
+| AAA   | Enhanced | Aspirational — not required for full sites                  |
+
+## Most commonly violated (AA)
+
+### 1.1.1 Non-text Content (A)
+
+Every `<img>`, `<input type="image">`, icon, and chart needs descriptive alt text.
+Decorative images: `alt=""`. Complex charts: long description in addition to alt.
+
+### 1.3.1 Info and Relationships (A)
+
+Structure conveyed visually must be conveyed in markup: headings via `<h1>`–`<h6>`,
+lists via `<ul>`/`<ol>`, tables with `<th>` and `scope`. Don't fake structure with CSS alone.
+
+### 1.4.3 Contrast Minimum (AA)
+
+- Normal text: 4.5:1 contrast ratio minimum
+- Large text (18pt / 14pt bold): 3:1 minimum
+- UI components and focus indicators: 3:1 against adjacent colors
+
+### 1.4.4 Resize Text (AA)
+
+Text must be readable at 200% zoom without loss of content or functionality.
+Avoid `px` for font sizes — use `rem`/`em`.
+
+### 1.4.11 Non-text Contrast (AA)
+
+Form inputs, buttons, focus indicators, icons: 3:1 against background.
+Default browser focus ring often fails — must be explicitly styled.
+
+### 2.1.1 Keyboard (A)
+
+Every interactive element must be operable via keyboard alone.
+No keyboard traps. Custom widgets (dropdowns, modals, datepickers) need full keyboard support.
+
+### 2.1.2 No Keyboard Trap (A)
+
+Keyboard focus must not get stuck in a component. Modals need focus trap
+_within_ the modal, but must release on close/Escape.
+
+### 2.4.3 Focus Order (A)
+
+Tab order must follow logical reading order. `tabindex` > 0 almost always breaks this.
+Use `tabindex="0"` or `-1` only.
+
+### 2.4.7 Focus Visible (AA)
+
+Focus indicator must be visible. Never `outline: none` without a replacement.
+WCAG 2.2 added 2.4.11 (Enhanced Focus Appearance) at AA — 2px minimum, 3:1 contrast.
+
+### 3.2.2 On Input (A)
+
+Changing a form field must not automatically submit the form or navigate away
+without warning.
+
+### 3.3.1 Error Identification (A)
+
+Errors must be described in text, not color alone. `aria-describedby` linking
+the field to the error message.
+
+### 3.3.2 Labels or Instructions (A)
+
+Form inputs need visible labels. `placeholder` is not a label — it disappears on input.
+`aria-label` acceptable when visible label isn't possible.
+
+### 4.1.2 Name, Role, Value (A)
+
+Custom interactive components need ARIA roles, states, and properties:
+
+- Buttons: `role="button"` with `aria-pressed` if toggle
+- Modals: `role="dialog"`, `aria-modal="true"`, `aria-labelledby`
+- Tabs: `role="tablist"`, `role="tab"`, `aria-selected`, `role="tabpanel"`
+- Checkboxes: `role="checkbox"`, `aria-checked`
+
+### 4.1.3 Status Messages (AA)
+
+Success/error messages injected into the DOM must use live regions:
+`aria-live="polite"` for non-urgent, `aria-live="assertive"` for critical errors.
+
+## New in WCAG 2.2
+
+| Criterion                          | Level | What it adds                                       |
+| ---------------------------------- | ----- | -------------------------------------------------- |
+| 2.4.11 Focus Appearance            | AA    | Minimum focus indicator size and contrast          |
+| 2.4.12 Focus Appearance (Enhanced) | AAA   | Stricter focus indicator                           |
+| 2.5.7 Dragging Movements           | AA    | Drag operations need a pointer alternative         |
+| 2.5.8 Target Size Minimum          | AA    | Interactive targets ≥ 24×24px                      |
+| 3.2.6 Consistent Help              | A     | Help mechanisms in consistent location             |
+| 3.3.7 Redundant Entry              | A     | Don't make users re-enter info in same session     |
+| 3.3.8 Accessible Authentication    | AA    | No cognitive tests (CAPTCHAs without alternatives) |
+
+## Quick audit checklist
+
+```
+⬜ All images have meaningful alt text
+⬜ Color is not the only way info is conveyed
+⬜ 4.5:1 contrast for body text, 3:1 for large text and UI
+⬜ All interactive elements keyboard accessible
+⬜ Visible focus indicator on all focusable elements
+⬜ Form fields have visible labels (not just placeholder)
+⬜ Errors described in text, linked to field via aria-describedby
+⬜ Custom widgets have correct ARIA roles/states
+⬜ Status messages use aria-live regions
+⬜ Page has logical heading hierarchy (h1 → h2 → h3)
+⬜ Landmarks present: main, nav, header, footer
+```