keyboard-a11y-tester

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your baseline badge status on your project page! The baseline badge status looks like this: Baseline badge level for project 13561 is in_progress Here is how to embed the baseline badge:
You can show your baseline badge status by embedding this in your markdown file:
[![OpenSSF Baseline](https://www.bestpractices.dev/projects/13561/baseline)](https://www.bestpractices.dev/projects/13561)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/13561"><img src="https://www.bestpractices.dev/projects/13561/baseline"></a>


These are the Baseline Level 2 criteria. These are criteria version v2026.02.19.

Baseline Series: Baseline Level 1 Baseline Level 2 Baseline Level 3

        

 Basics

  • General

    Note that other projects may use the same name.

    An AI-assisted web accessibility tester that behaves like two W3C personas at once: a keyboard-only user ("Ade") and a screen-reader user ("Lakshmi"). It drives a page keyboard-only, records what happens at every focus stop, and emits evidence-linked findings mapped to specific WCAG success criteria — against any website.

    Please use SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not include single quotes or double quotes.
    If there is more than one language, list them as comma-separated values (spaces optional) and sort them from most to least used. If there is a long list, please list at least the first three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use a conventional capitalization for each language, e.g., "JavaScript".
    The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.

    keyboard-a11y-tester

    An AI-assisted web accessibility tester that behaves like two W3C personas at once: a
    keyboard-only user ("Ade") and a screen-reader user ("Lakshmi"). It drives a page
    keyboard-only, records what happens at every focus stop, and emits evidence-linked
    findings mapped to specific WCAG success criteria — against any website. Both
    personas run in the same pass by default; a --persona flag restricts to just one.

    It has two layers:

    • a deterministic runner (scripts/runner.mjs) that owns the mechanical, reproducible
      work — driving the page keyboard-only, capturing a per-step trace + screenshots, and
      computing the machine-decidable checks for both personas;
    • an AI-judgment layer — the invoking agent — that reads the trace/screenshots/census
      and judges what rules can't (task completion, logical focus/reading order, form
      quality, announcement quality). See SKILL.md for how an agent drives it.

    Standalone and portable: it depends only on playwright, yaml, pngjs, pixelmatch,
    and @guidepup/virtual-screen-reader, needs no bundled test cases, and writes all output
    to a per-user temp directory (never into this folder). The screen-reader persona
    never drives a real screen reader (NVDA/VoiceOver) — see "Screen-reader detection" below.

    Documentation: docs/usage.md (setup, dependencies, quick start,
    CAPTCHAs) · docs/interface.md (full CLI reference, output file
    schema, WCAG checks table).

    Quick start

    As a Claude Code plugin — register this repo as a plugin marketplace, then install it:

    /plugin marketplace add ezufelt/keyboard-a11y-tester
    /plugin install keyboard-a11y-tester@ezufelt
    

    The first command registers this repo as a marketplace (named ezufelt, per
    .claude-plugin/marketplace.json); the second installs the plugin. Once installed, the
    skill in SKILL.md becomes available to the agent.

    As a standalone clone — clone the repo and install its dependencies:

    git clone https://github.com/ezufelt/keyboard-a11y-tester.git
    cd keyboard-a11y-tester
    npm install
    npx playwright install chromium
    

    Then drive it directly (see Run against any URL).

    Requirements & dependencies

    Requires Node.js ≥ 20 and Chromium (via Playwright), plus five small npm dependencies —
    no build step. Run node scripts/setup-check.mjs to verify both before your first run.

    See docs/usage.md for the full dependency
    table, licensing credit for @guidepup/virtual-screen-reader, and setup instructions.

    Run against any URL (no test file needed)

    # quick unattended blind Tab-crawl of the start page, per viewport
    node scripts/runner.mjs --url https://example.com
    
    # a full scenario, driven live by the agent one keystroke at a time
    node scripts/runner.mjs serve --url https://example.com --goal "find the pricing page" \
    
         --viewport desktop --port 9400
    #   → prints:  READY <session-dir>   (under the system temp dir)
    node scripts/runner.mjs observe <session-dir>
    node scripts/runner.mjs step    <session-dir> --press Tab      # one keystroke; prints observation
    node scripts/runner.mjs step    <session-dir> --press Enter
    node scripts/runner.mjs step    <session-dir> --type "hello@example.com"
    node scripts/runner.mjs finish  <session-dir>                  # writes trace + findings
    node scripts/runner.mjs stop    <session-dir>
    

    See docs/usage.md for the full
    quick-start walkthrough, and docs/interface.md for every CLI flag and
    the complete output file schema.

    Authenticated runs

    Pages behind a login can't be tested with a fresh, logged-out browser. Pass a Playwright
    storageState JSON file with --storage-state <file> to start the browser with its cookies
    and localStorage already loaded (e.g. an already-logged-in session). Generate one with
    context.storageState({ path: 'auth.json' }) or npx playwright codegen --save-storage=auth.json <url>.
    The file is validated (exists, parses as JSON, and looks like a real storageState export —
    i.e. has cookies/origins arrays) before the browser launches — a missing or malformed file
    fails the run immediately rather than silently testing the logged-out site. In serve mode
    it's applied once at launch and the session browser keeps the state alive for every subsequent
    step.

    A storageState file holds live session cookies/tokens — treat it as a secret. Don't commit
    it; .gitignore already excludes auth.json, storageState.json, and *storage-state*.json,
    but a differently-named file won't be caught automatically.

    What the runner does (deterministic layer)

    Playwright (full Chromium, new-headless + SwiftShader for real pixels) drives the page with
    only the keyboard — it never calls .click() or .focus(); if a control is only
    reachable by pointer, that is itself a finding. It drops to a raw CDP session for the
    accessibility tree (Accessibility.getPartialAXTree), the ground truth for name/role/state.
    At startup it fails fast if :focus-visible does not fire on CDP-driven key events
    (every focus-indicator check would otherwise be invalid) — skipped entirely when
    --persona screen-reader is passed, since that persona has no pixel/focus-ring work.

    Checks are evaluated per focus stop the persona actually visits (keyboard persona) or
    against a page-wide structural census (screen-reader persona) — this is scenario
    testing, not an exhaustive page audit. Conformance target: AA is pass/fail, AAA is
    informative.

    WCAG Level Persona Check
    2.4.7 AA keyboard Focus indicator present
    2.4.13 AAA (informative) keyboard Focus indicator strength
    1.4.1 AA keyboard Indicator is not colour-only
    2.1.2 AA keyboard Keyboard trap
    2.4.1 AA keyboard No skip link
    2.4.3 AA keyboard Positive tabindex
    3.2.1 AA keyboard Context change from focus alone
    3.3.2 AA keyboard File input named only by the user-agent default ("Choose File")
    4.1.2 AA keyboard Focusable control with no accessible name
    1.1.1 AA screen-reader Missing alt text/aria-label
    1.3.1 AA screen-reader Heading level skip
    1.3.1 AA screen-reader Duplicate, unlabeled landmark roles
    4.1.2 AA screen-reader Interactive control announced as a bare role
    4.1.3 AA screen-reader Declared live region that never announced anything

    See docs/interface.md for the authoritative version of
    this table (full check descriptions) and the W3C persona references.

    Output

    Everything is written under a per-user temp dir (${TMPDIR}/keyboard-a11y-tester/…, or
    --out): a trace.json (per-step evidence), deterministic-findings.json (WCAG findings),
    screen-reader-census.json (screen-reader persona), and cropped screenshots/step_NNNN.png
    per viewport. See docs/interface.md for the
    complete directory layout and field-by-field schema of every output file.

    Focus-visible detection (2.4.7 AA presence + 2.4.13 AAA strength)

    Presence (AA) uses two independent signals, so a faint-but-real indicator is never
    missed:

    1. the focused element's computed style declares an outline or box-shadow (ground
      truth — recorded in the trace as computed_focus_style), or
    2. pixels change on focus (catches background/colour indicators with no outline).

    Either one means the indicator is present → AA pass. Pixel diffing compares the focused
    frame to a scroll-aligned baseline (the next step's frame, where the element is no longer
    focused — so focus is never manipulated programmatically), measuring ring slices at
    increasing offset (thin and offset outlines), the interior, and top/bottom edge bands.

    Strength (AAA, informative) measures whether the indicator meets 2.4.13 Focus
    Appearance — changed area ≥ a 2px-thick perimeter of the control, and ≥ 3:1 WCAG luminance
    contrast between focused and unfocused states. Advisory only. (This measure is unreliable
    on pages that mutate between steps — e.g. "load more" — because the neighbour-frame
    baseline then differs by content, not just the focus ring; treat AAA numbers on such pages
    with caution. AA presence is unaffected, being driven by the computed style.)

    So 2.4.7 (AA) requires only that an indicator is visible with no size/contrast minimum: a
    faint 1px or low-opacity ring passes AA and is flagged weak at AAA — rather than being
    falsely reported as "no focus indicator."

    Screen-reader detection (Lakshmi)

    The screen-reader persona is emulated, never driven for real: @guidepup/virtual-screen-reader
    builds an ARIA/ACCNAME-spec accessible tree over the live page and computes what a
    spec-compliant screen reader would announce, entirely in the browser's own JS engine — no
    NVDA/JAWS/VoiceOver is launched, and it works the same way on any OS the runner itself
    supports.

    Its self-contained browser bundle is injected via Playwright's context.addInitScript,
    which is not subject to the page's own CSP — verified against both a synthetic CSP-locked
    page and a real CSP-locked production site. Once injected, its virtual cursor tracks
    real keyboard focus automatically
    (it listens for native focusin events), so every
    step you drive with real Tab/Enter/etc. produces a matching sr_announcement with no
    separate "chasing" logic and no drift between what's focused and what's reported as
    announced. The same mechanism also wires a MutationObserver that computes WAI-ARIA
    live-region semantics and captures "assertive: …"/"polite: …" announcements as they
    happen — this is what 4.1.3 (Status Messages) findings are derived from.

    Separately, once per newly-visited page URL, an ephemeral instance walks the entire page
    in reading order (never touching the live per-step monitor) to build
    screen-reader-census.json — the source for the heading-hierarchy, duplicate-landmark,
    missing-alt-text, and bare-role-control checks, since those need whole-page context rather
    than just the stops a keyboard user's Tab order happens to visit.

    This augments but does not replace testing with a real screen reader and real users
    the upstream library's own README says exactly that, and it's worth repeating: this checks
    what a spec-compliant screen reader should announce given the page's ARIA/HTML, not the
    specific quirks of any one real screen reader implementation.

    CAPTCHAs

    CAPTCHAs detect automation and refuse to run; the runner has a page-scoped, human-approved
    compatibility workaround. See docs/usage.md for details.

    License

    MIT © Everett Zufelt. See LICENSE.

 Controls 0/19

  • Controls


    When a CI/CD task is executed with no permissions specified, the CI/CD system MUST default the task's permissions to the lowest permissions granted in the pipeline. [OSPS-AC-04.01]
    Configure the project's settings to assign the lowest available permissions to new pipelines by default, granting additional permissions only when necessary for specific tasks.


    When an official release is created, that release MUST be assigned a unique version identifier. [OSPS-BR-02.01]
    Assign a unique version identifier to each release produced by the project, following a consistent naming convention or numbering scheme. Examples include SemVer, CalVer, or git commit id.


    When an official release is created, that release MUST contain a descriptive log of functional and security modifications. [OSPS-BR-04.01]
    Ensure that all releases include a descriptive change log. It is recommended to ensure that the change log is human-readable and includes details beyond commit messages, such as descriptions of the security impact or relevance to different use cases. To ensure machine readability, place the content under a markdown header such as "## Changelog".


    When a build and release pipeline ingests dependencies, it MUST use standardized tooling where available. [OSPS-BR-05.01]
    Use a common tooling for your ecosystem, such as package managers or dependency management tools to ingest dependencies at build time. This may include using a dependency file, lock file, or manifest to specify the required dependencies, which are then pulled in by the build system.


    When an official release is created, that release MUST be signed or accounted for in a signed manifest including each asset's cryptographic hashes. [OSPS-BR-06.01]
    Sign all released software assets at build time with a cryptographic signature or attestations, such as GPG or PGP signature, Sigstore signatures, SLSA provenance, or SLSA VSAs. Include the cryptographic hashes of each asset in a signed manifest or metadata file.


    When the project has made a release, the project documentation MUST include a description of how the project selects, obtains, and tracks its dependencies. [OSPS-DO-06.01]
    It is recommended to publish this information alongside the project's technical & design documentation on a publicly viewable resource such as the source code repository, project website, or other channel.


    The project documentation MUST include instructions on how to build the software, including required libraries, frameworks, SDKs, and dependencies. [OSPS-DO-07.01]
    It is recommended to publish this information alongside the project's contributor documentation, such as in CONTRIBUTING.md or other developer task documentation. This may also be documented using Makefile targets or other automation scripts.


    While active, the project documentation MUST include a list of project members with access to sensitive resources. [OSPS-GV-01.01]
    Document project participants and their roles through such artifacts as members.md, governance.md, maintainers.md, or similar file within the source code repository of the project. This may be as simple as including names or account handles in a list of maintainers, or more complex depending on the project's governance.


    While active, the project documentation MUST include descriptions of the roles and responsibilities for members of the project. [OSPS-GV-01.02]
    Document project participants and their roles through such artifacts as members.md, governance.md, maintainers.md, or similar file within the source code repository of the project.


    While active, the project documentation MUST include a guide for code contributors that includes requirements for acceptable contributions. [OSPS-GV-03.02]
    Extend the CONTRIBUTING.md or CONTRIBUTING/ contents in the project documentation to outline the requirements for acceptable contributions, including coding standards, testing requirements, and submission guidelines for code contributors. It is recommended that this guide is the source of truth for both contributors and approvers.


    While active, the version control system MUST require all code contributors to assert that they are legally authorized to make the associated contributions on every commit. [OSPS-LE-01.01]
    Include a DCO in the project's repository, requiring code contributors to assert that they are legally authorized to commit the associated contributions on every commit. Use a status check to ensure the assertion is made. A CLA also satisfies this requirement. Some version control systems, such as GitHub, may include this in the platform terms of service.


    When a commit is made to the primary branch, any automated status checks for commits MUST pass or be manually bypassed. [OSPS-QA-03.01]
    Configure the project's version control system to require that all automated status checks pass or require manual acknowledgement before a commit can be merged into the primary branch. It is recommended that any optional status checks are NOT configured as a pass or fail requirement that approvers may be tempted to bypass.


    Prior to a commit being accepted, the project's CI/CD pipelines MUST run at least one automated test suite to ensure the changes meet expectations. [OSPS-QA-06.01]
    Automated tests should be run prior to every merge into the primary branch. The test suite should be run in a CI/CD pipeline and the results should be visible to all contributors. The test suite should be run in a consistent environment and should be run in a way that allows contributors to run the tests locally. Examples of test suites include unit tests, integration tests, and end-to-end tests.


    When the project has made a release, the project documentation MUST include design documentation demonstrating all actions and actors within the system. [OSPS-SA-01.01]
    Include designs in the project documentation that explains the actions and actors. Actors include any subsystem or entity that can influence another segment in the system. Ensure this is updated for new features or breaking changes.


    When the project has made a release, the project documentation MUST include descriptions of all external software interfaces of the released software assets. [OSPS-SA-02.01]
    Document all software interfaces (APIs) of the released software assets, explaining how users can interact with the software and what data is expected or produced. Ensure this is updated for new features or breaking changes.


    When the project has made a release, the project MUST perform a security assessment to understand the most likely and impactful potential security problems that could occur within the software. [OSPS-SA-03.01]
    Performing a security assessment informs both project members as well as downstream consumers that the project understands what problems could arise within the software. Understanding what threats could be realized helps the project manage and address risk. This information is useful to downstream consumers to demonstrate the security acumen and practices of the project. Ensure this is updated for new features or breaking changes.


    While active, the project documentation MUST include a policy for coordinated vulnerability disclosure (CVD), with a clear timeframe for response. [OSPS-VM-01.01]
    Create a SECURITY.md file at the root of the directory, outlining the project's policy for coordinated vulnerability disclosure. Include a method for reporting vulnerabilities. Set expectations for how the project will respond and address reported issues.


    While active, the project documentation MUST provide a means for private vulnerability reporting directly to the security contacts within the project. [OSPS-VM-03.01]
    Provide a means for security researchers to report vulnerabilities privately to the project. This may be a dedicated email address, a web form, VCS specialized tools, email addresses for security contacts, or other methods.


    While active, the project documentation MUST publicly publish data about discovered vulnerabilities. [OSPS-VM-04.01]
    Provide information about known vulnerabilities in a predictable public channel, such as a CVE entry, blog post, or other medium. To the degree possible, this information should include affected version(s), how a consumer can determine if they are vulnerable, and instructions for mitigation or remediation.


This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit ezufelt and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: ezufelt.
Entry created on 2026-07-10 18:22:26 UTC, last updated on 2026-07-10 21:04:01 UTC. Last achieved passing badge on 2026-07-10 21:04:01 UTC.