keyboard-a11y-tester

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your baseline badge status on your project page! The baseline badge status looks like this: Baseline badge level for project 13561 is in_progress Here is how to embed the baseline badge:
You can show your baseline badge status by embedding this in your markdown file:
[![OpenSSF Baseline](https://www.bestpractices.dev/projects/13561/baseline)](https://www.bestpractices.dev/projects/13561)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/13561"><img src="https://www.bestpractices.dev/projects/13561/baseline"></a>


These are the Baseline Level 1 criteria. These are criteria version v2026.02.19.

Baseline Series: Baseline Level 1 Baseline Level 2 Baseline Level 3

        

 Basics

  • General

    Note that other projects may use the same name.

    An AI-assisted web accessibility tester that behaves like two W3C personas at once: a keyboard-only user ("Ade") and a screen-reader user ("Lakshmi"). It drives a page keyboard-only, records what happens at every focus stop, and emits evidence-linked findings mapped to specific WCAG success criteria — against any website.

    Please use SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not include single quotes or double quotes.
    If there is more than one language, list them as comma-separated values (spaces optional) and sort them from most to least used. If there is a long list, please list at least the first three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use a conventional capitalization for each language, e.g., "JavaScript".
    The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.

    keyboard-a11y-tester

    An AI-assisted web accessibility tester that behaves like two W3C personas at once: a
    keyboard-only user ("Ade") and a screen-reader user ("Lakshmi"). It drives a page
    keyboard-only, records what happens at every focus stop, and emits evidence-linked
    findings mapped to specific WCAG success criteria — against any website. Both
    personas run in the same pass by default; a --persona flag restricts to just one.

    It has two layers:

    • a deterministic runner (scripts/runner.mjs) that owns the mechanical, reproducible
      work — driving the page keyboard-only, capturing a per-step trace + screenshots, and
      computing the machine-decidable checks for both personas;
    • an AI-judgment layer — the invoking agent — that reads the trace/screenshots/census
      and judges what rules can't (task completion, logical focus/reading order, form
      quality, announcement quality). See SKILL.md for how an agent drives it.

    Standalone and portable: it depends only on playwright, yaml, pngjs, pixelmatch,
    and @guidepup/virtual-screen-reader, needs no bundled test cases, and writes all output
    to a per-user temp directory (never into this folder). The screen-reader persona
    never drives a real screen reader (NVDA/VoiceOver) — see "Screen-reader detection" below.

    Documentation: docs/usage.md (setup, dependencies, quick start,
    CAPTCHAs) · docs/interface.md (full CLI reference, output file
    schema, WCAG checks table).

    Quick start

    As a Claude Code plugin — register this repo as a plugin marketplace, then install it:

    /plugin marketplace add ezufelt/keyboard-a11y-tester
    /plugin install keyboard-a11y-tester@ezufelt
    

    The first command registers this repo as a marketplace (named ezufelt, per
    .claude-plugin/marketplace.json); the second installs the plugin. Once installed, the
    skill in SKILL.md becomes available to the agent.

    As a standalone clone — clone the repo and install its dependencies:

    git clone https://github.com/ezufelt/keyboard-a11y-tester.git
    cd keyboard-a11y-tester
    npm install
    npx playwright install chromium
    

    Then drive it directly (see Run against any URL).

    Requirements & dependencies

    Requires Node.js ≥ 20 and Chromium (via Playwright), plus five small npm dependencies —
    no build step. Run node scripts/setup-check.mjs to verify both before your first run.

    See docs/usage.md for the full dependency
    table, licensing credit for @guidepup/virtual-screen-reader, and setup instructions.

    Run against any URL (no test file needed)

    # quick unattended blind Tab-crawl of the start page, per viewport
    node scripts/runner.mjs --url https://example.com
    
    # a full scenario, driven live by the agent one keystroke at a time
    node scripts/runner.mjs serve --url https://example.com --goal "find the pricing page" \
    
         --viewport desktop --port 9400
    #   → prints:  READY <session-dir>   (under the system temp dir)
    node scripts/runner.mjs observe <session-dir>
    node scripts/runner.mjs step    <session-dir> --press Tab      # one keystroke; prints observation
    node scripts/runner.mjs step    <session-dir> --press Enter
    node scripts/runner.mjs step    <session-dir> --type "hello@example.com"
    node scripts/runner.mjs finish  <session-dir>                  # writes trace + findings
    node scripts/runner.mjs stop    <session-dir>
    

    See docs/usage.md for the full
    quick-start walkthrough, and docs/interface.md for every CLI flag and
    the complete output file schema.

    Authenticated runs

    Pages behind a login can't be tested with a fresh, logged-out browser. Pass a Playwright
    storageState JSON file with --storage-state <file> to start the browser with its cookies
    and localStorage already loaded (e.g. an already-logged-in session). Generate one with
    context.storageState({ path: 'auth.json' }) or npx playwright codegen --save-storage=auth.json <url>.
    The file is validated (exists, parses as JSON, and looks like a real storageState export —
    i.e. has cookies/origins arrays) before the browser launches — a missing or malformed file
    fails the run immediately rather than silently testing the logged-out site. In serve mode
    it's applied once at launch and the session browser keeps the state alive for every subsequent
    step.

    A storageState file holds live session cookies/tokens — treat it as a secret. Don't commit
    it; .gitignore already excludes auth.json, storageState.json, and *storage-state*.json,
    but a differently-named file won't be caught automatically.

    What the runner does (deterministic layer)

    Playwright (full Chromium, new-headless + SwiftShader for real pixels) drives the page with
    only the keyboard — it never calls .click() or .focus(); if a control is only
    reachable by pointer, that is itself a finding. It drops to a raw CDP session for the
    accessibility tree (Accessibility.getPartialAXTree), the ground truth for name/role/state.
    At startup it fails fast if :focus-visible does not fire on CDP-driven key events
    (every focus-indicator check would otherwise be invalid) — skipped entirely when
    --persona screen-reader is passed, since that persona has no pixel/focus-ring work.

    Checks are evaluated per focus stop the persona actually visits (keyboard persona) or
    against a page-wide structural census (screen-reader persona) — this is scenario
    testing, not an exhaustive page audit. Conformance target: AA is pass/fail, AAA is
    informative.

    WCAG Level Persona Check
    2.4.7 AA keyboard Focus indicator present
    2.4.13 AAA (informative) keyboard Focus indicator strength
    1.4.1 AA keyboard Indicator is not colour-only
    2.1.2 AA keyboard Keyboard trap
    2.4.1 AA keyboard No skip link
    2.4.3 AA keyboard Positive tabindex
    3.2.1 AA keyboard Context change from focus alone
    3.3.2 AA keyboard File input named only by the user-agent default ("Choose File")
    4.1.2 AA keyboard Focusable control with no accessible name
    1.1.1 AA screen-reader Missing alt text/aria-label
    1.3.1 AA screen-reader Heading level skip
    1.3.1 AA screen-reader Duplicate, unlabeled landmark roles
    4.1.2 AA screen-reader Interactive control announced as a bare role
    4.1.3 AA screen-reader Declared live region that never announced anything

    See docs/interface.md for the authoritative version of
    this table (full check descriptions) and the W3C persona references.

    Output

    Everything is written under a per-user temp dir (${TMPDIR}/keyboard-a11y-tester/…, or
    --out): a trace.json (per-step evidence), deterministic-findings.json (WCAG findings),
    screen-reader-census.json (screen-reader persona), and cropped screenshots/step_NNNN.png
    per viewport. See docs/interface.md for the
    complete directory layout and field-by-field schema of every output file.

    Focus-visible detection (2.4.7 AA presence + 2.4.13 AAA strength)

    Presence (AA) uses two independent signals, so a faint-but-real indicator is never
    missed:

    1. the focused element's computed style declares an outline or box-shadow (ground
      truth — recorded in the trace as computed_focus_style), or
    2. pixels change on focus (catches background/colour indicators with no outline).

    Either one means the indicator is present → AA pass. Pixel diffing compares the focused
    frame to a scroll-aligned baseline (the next step's frame, where the element is no longer
    focused — so focus is never manipulated programmatically), measuring ring slices at
    increasing offset (thin and offset outlines), the interior, and top/bottom edge bands.

    Strength (AAA, informative) measures whether the indicator meets 2.4.13 Focus
    Appearance — changed area ≥ a 2px-thick perimeter of the control, and ≥ 3:1 WCAG luminance
    contrast between focused and unfocused states. Advisory only. (This measure is unreliable
    on pages that mutate between steps — e.g. "load more" — because the neighbour-frame
    baseline then differs by content, not just the focus ring; treat AAA numbers on such pages
    with caution. AA presence is unaffected, being driven by the computed style.)

    So 2.4.7 (AA) requires only that an indicator is visible with no size/contrast minimum: a
    faint 1px or low-opacity ring passes AA and is flagged weak at AAA — rather than being
    falsely reported as "no focus indicator."

    Screen-reader detection (Lakshmi)

    The screen-reader persona is emulated, never driven for real: @guidepup/virtual-screen-reader
    builds an ARIA/ACCNAME-spec accessible tree over the live page and computes what a
    spec-compliant screen reader would announce, entirely in the browser's own JS engine — no
    NVDA/JAWS/VoiceOver is launched, and it works the same way on any OS the runner itself
    supports.

    Its self-contained browser bundle is injected via Playwright's context.addInitScript,
    which is not subject to the page's own CSP — verified against both a synthetic CSP-locked
    page and a real CSP-locked production site. Once injected, its virtual cursor tracks
    real keyboard focus automatically
    (it listens for native focusin events), so every
    step you drive with real Tab/Enter/etc. produces a matching sr_announcement with no
    separate "chasing" logic and no drift between what's focused and what's reported as
    announced. The same mechanism also wires a MutationObserver that computes WAI-ARIA
    live-region semantics and captures "assertive: …"/"polite: …" announcements as they
    happen — this is what 4.1.3 (Status Messages) findings are derived from.

    Separately, once per newly-visited page URL, an ephemeral instance walks the entire page
    in reading order (never touching the live per-step monitor) to build
    screen-reader-census.json — the source for the heading-hierarchy, duplicate-landmark,
    missing-alt-text, and bare-role-control checks, since those need whole-page context rather
    than just the stops a keyboard user's Tab order happens to visit.

    This augments but does not replace testing with a real screen reader and real users
    the upstream library's own README says exactly that, and it's worth repeating: this checks
    what a spec-compliant screen reader should announce given the page's ARIA/HTML, not the
    specific quirks of any one real screen reader implementation.

    CAPTCHAs

    CAPTCHAs detect automation and refuse to run; the runner has a page-scoped, human-approved
    compatibility workaround. See docs/usage.md for details.

    License

    MIT © Everett Zufelt. See LICENSE.

 Controls 0/24

  • Controls


    When a user attempts to read or modify a sensitive resource in the project's authoritative repository, the system MUST require the user to complete a multi-factor authentication process. [OSPS-AC-01.01]
    Enforce multi-factor authentication for the project's version control system, requiring collaborators to provide a second form of authentication when accessing sensitive data or modifying repository settings. Passkeys are acceptable for this control.


    When a new collaborator is added, the version control system MUST require manual permission assignment, or restrict the collaborator permissions to the lowest available privileges by default. [OSPS-AC-02.01]
    Most public version control systems are configured in this manner. Ensure the project's version control system always assigns the lowest available permissions to collaborators by default when added, granting additional permissions only when necessary.


    When a direct commit is attempted on the project's primary branch, an enforcement mechanism MUST prevent the change from being applied. [OSPS-AC-03.01]
    If the VCS is centralized, set branch protection on the primary branch in the project's VCS. Alternatively, use a decentralized approach, like the Linux kernel's, where changes are first proposed in another repository, and merging changes into the primary repository requires a specific separate act.


    When an attempt is made to delete the project's primary branch, the version control system MUST treat this as a sensitive activity and require explicit confirmation of intent. [OSPS-AC-03.02]
    Set branch protection on the primary branch in the project's version control system to prevent deletion.


    When a CI/CD pipeline operates on untrusted metadata, those parameters MUST be sanitized and validated prior to use in the pipeline. [OSPS-BR-01.01]
    CI/CD pipelines should sanitize (quote, escape or exit on expected values) all metadata inputs which correspond to untrusted sources. This includes data such as branch names, commit messages, tags, pull request titles, and author information.


    When a CI/CD pipeline operates on untrusted code snapshots, it MUST prevent access to privileged CI/CD credentials and assets. [OSPS-BR-01.03]
    CI/CD pipelines should isolate untrusted code snapshots from privileged credentials and assets. In particular, projects should be careful to ensure that workflows which build or execute code prior to review by a collaborator do not have access to CI/CD credentials.


    When the project lists a URI as an official project channel, that URI MUST be exclusively delivered using encrypted channels. [OSPS-BR-03.01]
    Configure the project's websites and version control systems to use encrypted channels such as SSH or HTTPS for data transmission. Ensure all tools and domains referenced in project documentation can only be accessed via encrypted channels.


    When the project lists a URI as an official distribution channel, that channel MUST be protected from adversary-in-the-middle attacks using cryptographically authenticated channels. [OSPS-BR-03.02]
    Artifacts distributed by the project should be distributed through channels which ensure integrity and authenticity. Use of HTTPS for downloads, signed releases, or distribution through trusted package managers are all acceptable methods to protect against adversary-in-the-middle attacks.


    The project MUST prevent the unintentional storage of unencrypted sensitive data, such as secrets and credentials, in the version control system. [OSPS-BR-07.01]
    Configure .gitignore or equivalent to exclude files that may contain sensitive information. Use pre-commit hooks and automated scanning tools to detect and prevent the inclusion of sensitive data in commits.


    When the project has made a release, the project documentation MUST include user guides for all basic functionality. [OSPS-DO-01.01]
    Create user guides or documentation for all basic functionality of the project, explaining how to install, configure, and use the project's features. If there are any known dangerous or destructive actions available, include highly-visible warnings.


    When the project has made a release, the project documentation MUST include a guide for reporting defects. [OSPS-DO-02.01]
    It is recommended that projects use their VCS default issue tracker. If an external source is used, ensure that the project documentation and contributing guide clearly and visibly explain how to use the reporting system. It is recommended that project documentation also sets expectations for how defects will be triaged and resolved.


    While active, the project MUST have one or more mechanisms for public discussions about proposed changes and usage obstacles. [OSPS-GV-02.01]
    Establish one or more mechanisms for public discussions within the project, such as mailing lists, instant messaging, or issue trackers, to facilitate open communication and feedback.


    While active, the project documentation MUST include an explanation of the contribution process. [OSPS-GV-03.01]
    Create a CONTRIBUTING.md or CONTRIBUTING/ directory to outline the contribution process including the steps for submitting changes, and engaging with the project maintainers.


    While active, the license for the source code MUST meet the OSI Open Source Definition or the FSF Free Software Definition. [OSPS-LE-02.01]
    Add a LICENSE file to the project's repo with a license that is an approved license by the Open Source Initiative (OSI), or a free license as approved by the Free Software Foundation (FSF). Examples of such licenses include the MIT, BSD 2-clause, BSD 3-clause revised, Apache 2.0, Lesser GNU General Public License (LGPL), and the GNU General Public License (GPL). Releasing to the public domain meets this control if there are no other encumbrances such as patents.


    While active, the license for the released software assets MUST meet the OSI Open Source Definition or the FSF Free Software Definition. [OSPS-LE-02.02]
    If a different license is included with released software assets, ensure it is an approved license by the Open Source Initiative (OSI), or a free license as approved by the Free Software Foundation (FSF). Examples of such licenses include the MIT, BSD 2-clause, BSD 3-clause revised, Apache 2.0, Lesser GNU General Public License (LGPL), and the GNU General Public License (GPL). Note that the license for the released software assets may be different than the source code.


    While active, the license for the source code MUST be maintained in the corresponding repository's LICENSE file, COPYING file, or LICENSE/ directory. [OSPS-LE-03.01]
    Include the project's source code license in the project's LICENSE file, COPYING file, or LICENSE/ directory to provide visibility and clarity on the licensing terms. The filename MAY have an extension. If the project has multiple repositories, ensure that each repository includes the license file.


    While active, the license for the released software assets MUST be included in the released source code, or in a LICENSE file, COPYING file, or LICENSE/ directory alongside the corresponding release assets. [OSPS-LE-03.02]
    Include the project's released software assets license in the released source code, or in a LICENSE file, COPYING file, or LICENSE/ directory alongside the corresponding release assets to provide visibility and clarity on the licensing terms. The filename MAY have an extension. If the project has multiple repositories, ensure that each repository includes the license file.


    While active, the project's source code repository MUST be publicly readable at a static URL. [OSPS-QA-01.01]
    Use a common VCS such as GitHub, GitLab, or Bitbucket. Ensure the repository is publicly readable. Avoid duplication or mirroring of repositories unless highly visible documentation clarifies the primary source. Avoid frequent changes to the repository that would impact the repository URL. Ensure the repository is public.


    The version control system MUST contain a publicly readable record of all changes made, who made the changes, and when the changes were made. [OSPS-QA-01.02]
    Use a common VCS such as GitHub, GitLab, or Bitbucket to maintain a publicly readable commit history. Avoid squashing or rewriting commits in a way that would obscure the author of any commits.


    When the package management system supports it, the source code repository MUST contain a dependency list that accounts for the direct language dependencies. [OSPS-QA-02.01]
    This may take the form of a package manager or language dependency file that enumerates all direct dependencies such as package.json, Gemfile, or go.mod.


    Projects with multiple repositories MUST document a list of codebases that are part of the project. [OSPS-QA-04.01]
    Document any additional subproject code repositories produced by the project and compiled into a release. This documentation should include the status and intent of the respective codebase.


    While active, the version control system MUST NOT contain generated executable artifacts. [OSPS-QA-05.01]
    Remove generated executable artifacts in the project's version control system. It is recommended that any scenario where a generated executable artifact appears critical to a process such as testing, it should be instead be generated at build time or stored separately and fetched during a specific well-documented pipeline step.


    While active, the version control system MUST NOT contain unreviewable binary artifacts. [OSPS-QA-05.02]
    Do not add any unreviewable binary artifacts to the project's version control system. This includes executable application binaries, library files, and similar artifacts. It does not include assets such as graphical images, sound or music files, and similar content typically stored in a binary format.


    While active, the project documentation MUST contain security contacts. [OSPS-VM-02.01]
    Create a security.md (or similarly-named) file that contains security contacts for the project.


This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit ezufelt and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: ezufelt.
Entry created on 2026-07-10 18:22:26 UTC, last updated on 2026-07-10 21:04:01 UTC. Last achieved passing badge on 2026-07-10 21:04:01 UTC.