getdoorman 1.0.0

package/src/rules/compliance/accessibility-ext.js

@@ -0,0 +1,468 @@
+function isSourceFile(f) { return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'].some(e => f.endsWith(e)); }
+function isWebFile(f) { return ['.html', '.htm', '.jsx', '.tsx', '.vue', '.svelte'].some(e => f.endsWith(e)); }
+
+const rules = [
+  // --- Section 508 Rules ---
+
+  // COMP-SEC508-001: Video without captions
+  {
+    id: 'COMP-SEC508-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Video Without Captions',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files.entries()) {
+        if (!isWebFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+
+          // Detect <video> tags without an associated <track> element
+          if (/<video[\s>]/i.test(line)) {
+            // Look ahead up to 15 lines for a closing </video> and a <track element
+            const block = lines.slice(i, i + 15).join('\n');
+            const hasTrack = /<track\s/i.test(block);
+            const hasCaptionAttr = /captions|subtitles/i.test(block);
+            if (!hasTrack && !hasCaptionAttr) {
+              findings.push({
+                ruleId: 'COMP-SEC508-001', category: 'compliance', severity: 'high',
+                title: 'Video element without captions or subtitles track',
+                description: 'Section 508 requires synchronized captions for video content. Add a <track kind="captions"> element inside the <video> tag.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+
+          // Detect iframe/embed pointing to video services without caption params
+          if (/<(?:iframe|embed)\s[^>]*(?:youtube|vimeo|dailymotion|wistia|vidyard)/i.test(line)) {
+            const hasCaption = /cc_load_policy|texttrack|subtitles|captions|cc=1/i.test(line);
+            if (!hasCaption) {
+              findings.push({
+                ruleId: 'COMP-SEC508-001', category: 'compliance', severity: 'high',
+                title: 'Embedded video player without captions enabled',
+                description: 'Section 508 requires captions for video. Enable captions via the embed URL parameters (e.g., cc_load_policy=1 for YouTube).',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+
+        // Detect video player libraries in source files without caption configuration
+        if (isSourceFile(filepath)) {
+          const usesVideoLib = /(?:video\.js|videojs|ReactPlayer|plyr|hls\.js|dash\.js|JWPlayer|jwplayer)/i.test(content);
+          if (usesVideoLib) {
+            const hasCaptionConfig = /tracks|captions|subtitles|textTracks|addTextTrack|cc|closedCaptions/i.test(content);
+            if (!hasCaptionConfig) {
+              findings.push({
+                ruleId: 'COMP-SEC508-001', category: 'compliance', severity: 'high',
+                title: 'Video player library used without caption configuration',
+                description: 'Section 508 requires synchronized captions. Configure caption/subtitle tracks in your video player setup.',
+                file: filepath, line: 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SEC508-002: Audio without text alternative
+  {
+    id: 'COMP-SEC508-002',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Audio Without Text Alternative',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files.entries()) {
+        if (!isWebFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+
+          if (/<audio[\s>]/i.test(line)) {
+            // Look for transcript references in the surrounding area (30 lines after)
+            const surroundingBlock = lines.slice(i, i + 30).join('\n');
+            const hasTranscript = /transcript|aria-describedby|aria-description|text.?alternative|\.vtt|\.srt/i.test(surroundingBlock);
+            if (!hasTranscript) {
+              // Also check the whole file for a transcript section
+              const fileHasTranscript = /transcript|text.?alternative|aria-describedby/i.test(content);
+              if (!fileHasTranscript) {
+                findings.push({
+                  ruleId: 'COMP-SEC508-002', category: 'compliance', severity: 'high',
+                  title: 'Audio element without transcript or text alternative',
+                  description: 'Section 508 requires a text transcript for audio-only content. Provide a transcript link or aria-describedby reference near the audio element.',
+                  file: filepath, line: i + 1, fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SEC508-003: Time-based content without pause/stop
+  {
+    id: 'COMP-SEC508-003',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Auto-Playing Content Without Pause/Stop Control',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files.entries()) {
+        if (!isWebFile(filepath) && !isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+
+          // Detect autoplay on video/audio elements
+          if (/<(?:video|audio)\s[^>]*autoplay/i.test(line)) {
+            const surroundingBlock = lines.slice(Math.max(0, i - 10), i + 20).join('\n');
+            const hasPauseControl = /pause|stop|controls[\s>=]/i.test(surroundingBlock);
+            if (!hasPauseControl) {
+              findings.push({
+                ruleId: 'COMP-SEC508-003', category: 'compliance', severity: 'medium',
+                title: 'Auto-playing media without pause/stop controls',
+                description: 'Section 508 requires a mechanism to pause, stop, or hide auto-playing content. Add the "controls" attribute or provide custom pause/stop buttons.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+
+        // Detect auto-playing carousels/slideshows/animations in source files
+        if (isSourceFile(filepath)) {
+          const hasAutoCarousel = /autoplay|autoPlay|auto.?slide|auto.?scroll|auto.?rotate|setInterval\s*\([^)]*(?:slide|carousel|next|rotate)/i.test(content);
+          if (hasAutoCarousel) {
+            const hasPause = /pause|stop|clearInterval|isPaused|isPlaying|togglePlay|onMouseEnter/i.test(content);
+            if (!hasPause) {
+              findings.push({
+                ruleId: 'COMP-SEC508-003', category: 'compliance', severity: 'medium',
+                title: 'Auto-advancing content without pause mechanism',
+                description: 'Section 508 requires users be able to pause, stop, or hide moving/auto-updating content. Add pause/stop controls to carousels, slideshows, or animations.',
+                file: filepath, line: 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SEC508-004: Missing skip navigation
+  {
+    id: 'COMP-SEC508-004',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Missing Skip Navigation Link',
+    check({ files }) {
+      const findings = [];
+      const webFiles = [...files.entries()].filter(([f]) => isWebFile(f));
+      if (webFiles.length === 0) return findings;
+
+      // Only check files that look like full pages or layout components
+      for (const [filepath, content] of webFiles) {
+        const isPageLayout = /<(?:html|head|body|header|nav|Header|Navigation|Layout|AppLayout)/i.test(content) ||
+          /function\s+(?:Layout|App|Header|Page)\b/i.test(content) ||
+          /(?:export\s+default\s+)?(?:class|const)\s+(?:Layout|App|Header|Page)\b/i.test(content);
+
+        if (!isPageLayout) continue;
+
+        const hasNav = /<nav[\s>]|role=["']navigation/i.test(content);
+        if (!hasNav) continue;
+
+        const hasSkipLink = /skip.?(?:to|nav|content|main)|skiplink|skip.?link|#main.?content|#content|href=["']#main/i.test(content);
+        if (!hasSkipLink) {
+          findings.push({
+            ruleId: 'COMP-SEC508-004', category: 'compliance', severity: 'high',
+            title: 'Page layout with navigation but no skip navigation link',
+            description: 'Section 508 requires a mechanism to bypass repeated blocks of navigation. Add a "Skip to main content" link as the first focusable element.',
+            file: filepath, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SEC508-005: Documents without accessibility
+  {
+    id: 'COMP-SEC508-005',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'PDF Generation Without Accessibility Options',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+
+        // jsPDF without accessibility
+        if (/jsPDF|new\s+jspdf/i.test(content)) {
+          const hasA11y = /setDocumentProperties|setLanguage|tagged|structTree|markContent|addMetadata|accessibility/i.test(content);
+          if (!hasA11y) {
+            findings.push({
+              ruleId: 'COMP-SEC508-005', category: 'compliance', severity: 'medium',
+              title: 'jsPDF used without accessibility/tagging options',
+              description: 'Section 508 requires accessible (tagged) PDFs. Use jsPDF accessibility plugins or set document properties (title, language, structure tags).',
+              file: filepath, line: 1, fix: null,
+            });
+          }
+        }
+
+        // PDFKit without accessibility
+        if (/require\s*\(\s*['"]pdfkit['"]\)|from\s+['"]pdfkit['"]/i.test(content)) {
+          const hasA11y = /tagged|markContent|structParentTree|addStructure|\.info\s*=|pdfVersion.*['"]1\.[5-9]/i.test(content);
+          if (!hasA11y) {
+            findings.push({
+              ruleId: 'COMP-SEC508-005', category: 'compliance', severity: 'medium',
+              title: 'PDFKit used without tagged PDF or accessibility metadata',
+              description: 'Section 508 requires accessible PDFs. Set document metadata (title, language) and consider generating tagged PDF structure.',
+              file: filepath, line: 1, fix: null,
+            });
+          }
+        }
+
+        // Puppeteer PDF generation without accessibility
+        if (/\.pdf\s*\(|page\.pdf\s*\(/i.test(content) && /puppeteer|playwright/i.test(content)) {
+          const hasA11y = /tagged|accessib|displayHeaderFooter|aria|--enable-tagged-pdf/i.test(content);
+          if (!hasA11y) {
+            findings.push({
+              ruleId: 'COMP-SEC508-005', category: 'compliance', severity: 'medium',
+              title: 'Browser-based PDF generation without accessibility options',
+              description: 'Section 508 requires accessible PDFs. When generating PDFs with Puppeteer/Playwright, use the tagged option and ensure the source HTML is accessible.',
+              file: filepath, line: 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // --- ADA Digital Compliance Rules ---
+
+  // COMP-ADA-001: No accessibility statement
+  {
+    id: 'COMP-ADA-001',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Accessibility Statement',
+    check({ files }) {
+      const findings = [];
+      const fileNames = [...files.keys()];
+      const fileContents = [...files.values()];
+
+      // Only flag for web apps (has HTML or component files)
+      const isWebApp = fileNames.some(f => isWebFile(f)) ||
+        fileContents.some(c => /<html|<head|ReactDOM|createApp|createRoot/i.test(c));
+      if (!isWebApp) return findings;
+
+      const hasA11yPage = fileNames.some(f =>
+        /accessib/i.test(f) || /a11y/i.test(f)
+      );
+      const hasA11yLink = fileContents.some(c =>
+        /accessibility.?statement|accessibility.?policy|\/accessibility|\/a11y/i.test(c)
+      );
+
+      if (!hasA11yPage && !hasA11yLink) {
+        findings.push({
+          ruleId: 'COMP-ADA-001', category: 'compliance', severity: 'medium',
+          title: 'No accessibility statement page detected',
+          description: 'ADA best practice requires an accessibility statement describing your commitment to accessibility, conformance level, and contact information for feedback.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-ADA-002: Contact forms without accessible alternatives
+  {
+    id: 'COMP-ADA-002',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Contact Form Without Accessible Alternatives',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files.entries()) {
+        if (!isWebFile(filepath)) continue;
+
+        // Detect contact forms
+        const isContactForm = /contact.?form|contact.?us|<form[^>]*(?:contact|inquiry|feedback)/i.test(content);
+        if (!isContactForm) continue;
+
+        const hasAlternative = /(?:phone|telephone|tel:|call\s+us|tty|tdd|relay\s+service|email\s+us|mail\s+to|mailto:)/i.test(content);
+        if (!hasAlternative) {
+          findings.push({
+            ruleId: 'COMP-ADA-002', category: 'compliance', severity: 'medium',
+            title: 'Contact form without alternative contact methods',
+            description: 'ADA compliance recommends providing alternative contact methods (phone, email, TTY/TDD) alongside web forms so users with disabilities have multiple ways to reach you.',
+            file: filepath, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-ADA-003: CAPTCHA without accessible alternative
+  {
+    id: 'COMP-ADA-003',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'CAPTCHA Without Accessible Alternative',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files.entries()) {
+        if (!isWebFile(filepath) && !isSourceFile(filepath)) continue;
+
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+
+          // Detect reCAPTCHA, hCaptcha, or generic CAPTCHA usage
+          const hasCaptcha = /recaptcha|hcaptcha|g-recaptcha|h-captcha|captcha/i.test(line);
+          if (!hasCaptcha) continue;
+
+          // Skip comment-only lines
+          if (/^\s*(?:\/\/|\/\*|\*|<!--)/.test(line)) continue;
+
+          // Check surrounding context for accessible alternatives
+          const block = lines.slice(Math.max(0, i - 5), i + 15).join('\n');
+          const hasAccessibleAlt = /audio|accessible|a11y|aria-|data-sitekey[^>]*invisible|data-size=["']invisible|challenge.?type.*audio|fallback|alternative/i.test(block);
+
+          // reCAPTCHA v3 and invisible reCAPTCHA are more accessible by design
+          const isAccessibleVersion = /recaptcha\/api.*render=|grecaptcha\.execute\(|captcha_invisible|invisible.?recaptcha|v3/i.test(block);
+
+          if (!hasAccessibleAlt && !isAccessibleVersion) {
+            findings.push({
+              ruleId: 'COMP-ADA-003', category: 'compliance', severity: 'high',
+              title: 'CAPTCHA without accessible alternative',
+              description: 'Visual CAPTCHAs create barriers for users with disabilities. Use reCAPTCHA v3 (invisible), provide an audio alternative, or offer an accessible fallback like email verification.',
+              file: filepath, line: i + 1, fix: null,
+            });
+            break; // One finding per file is sufficient
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-ADA-004: Dynamic content without ARIA live regions
+  {
+    id: 'COMP-ADA-004',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Dynamic Content Without ARIA Live Region',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath) && !isWebFile(filepath)) continue;
+
+        // Detect dynamic DOM updates in source files
+        if (isSourceFile(filepath)) {
+          const hasDynamicUpdate = /innerHTML\s*[=+]|\.textContent\s*=|\.insertAdjacentHTML|\.append\(|setState\(|\.value\s*=.*(?:message|error|success|notification|toast|alert|status|result)/i.test(content);
+          if (!hasDynamicUpdate) continue;
+
+          // Check for notification/toast/alert patterns without ARIA
+          const hasNotificationPattern = /toast|notification|snackbar|alert.?message|flash.?message|status.?message|error.?message|success.?message/i.test(content);
+          if (!hasNotificationPattern) continue;
+
+          const hasAriaLive = /aria-live|role=["'](?:alert|status|log|timer|marquee)["']|ariaLive|role:\s*["'](?:alert|status)/i.test(content);
+          if (!hasAriaLive) {
+            findings.push({
+              ruleId: 'COMP-ADA-004', category: 'compliance', severity: 'medium',
+              title: 'Dynamic notification/status content without ARIA live region',
+              description: 'ADA compliance requires dynamic content updates (toasts, alerts, status messages) to be announced to screen readers. Use aria-live="polite" or role="alert" on the container.',
+              file: filepath, line: 1, fix: null,
+            });
+          }
+        }
+
+        // Check web template files for dynamic areas lacking aria-live
+        if (isWebFile(filepath)) {
+          const hasNotificationArea = /class=["'][^"']*(?:toast|notification|snackbar|alert|flash|message|status)[^"']*["']/i.test(content);
+          if (!hasNotificationArea) continue;
+
+          const hasAriaLive = /aria-live|role=["'](?:alert|status|log)["']/i.test(content);
+          if (!hasAriaLive) {
+            findings.push({
+              ruleId: 'COMP-ADA-004', category: 'compliance', severity: 'medium',
+              title: 'Notification/alert container without ARIA live region',
+              description: 'Screen readers cannot detect visual-only dynamic updates. Add aria-live="polite" for non-urgent updates or role="alert" for important notifications.',
+              file: filepath, line: 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-ADA-005: Mobile app without screen reader support
+  {
+    id: 'COMP-ADA-005',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Mobile App Without Screen Reader Support',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath) && !filepath.endsWith('.dart')) continue;
+
+        // React Native detection
+        const isReactNative = /from\s+['"]react-native['"]/i.test(content);
+        if (isReactNative) {
+          const hasInteractiveElements = /TouchableOpacity|TouchableHighlight|Pressable|Button|TextInput|Switch|<Image/i.test(content);
+          if (!hasInteractiveElements) continue;
+
+          const hasA11yProps = /accessibilityLabel|accessibilityHint|accessibilityRole|accessibilityState|accessible=|accessibilityValue|importantForAccessibility|aria-label/i.test(content);
+          if (!hasA11yProps) {
+            findings.push({
+              ruleId: 'COMP-ADA-005', category: 'compliance', severity: 'high',
+              title: 'React Native component without accessibility props',
+              description: 'ADA requires mobile apps to be usable with screen readers. Add accessibilityLabel, accessibilityHint, and accessibilityRole props to interactive React Native components.',
+              file: filepath, line: 1, fix: null,
+            });
+          }
+        }
+
+        // Flutter detection
+        const isFlutter = /import\s+['"]package:flutter/i.test(content);
+        if (isFlutter) {
+          const hasInteractiveWidgets = /ElevatedButton|TextButton|IconButton|GestureDetector|InkWell|TextField|Switch|Checkbox|Image\./i.test(content);
+          if (!hasInteractiveWidgets) continue;
+
+          const hasSemantics = /Semantics\(|semanticsLabel|excludeFromSemantics|tooltip:/i.test(content);
+          if (!hasSemantics) {
+            findings.push({
+              ruleId: 'COMP-ADA-005', category: 'compliance', severity: 'high',
+              title: 'Flutter widget without Semantics wrapper',
+              description: 'ADA requires mobile apps to be usable with screen readers. Wrap interactive widgets with Semantics() or add semanticsLabel to provide screen reader descriptions.',
+              file: filepath, line: 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;