keyboard-a11y-tester

遵循以下最佳实践的项目将能够自愿的自我认证,并显示他们已经实现了核心基础设施计划(OpenSSF)徽章。

没有一套可以保证软件永远不会有缺陷或漏洞的做法;如果规范或假设是错误的,即使合适的方法也可能失败。也没有哪些做法可以保证一个项目能够维持健康和运作良好的开发者社区。但是,遵循最佳做法可以帮助改善项目的成果。例如,一些做法可以在发布之前进行多人评估,这可以帮助您找到其他难以找到的技术漏洞,并帮助建立信任,并希望不同公司的开发人员之间进行重复的交互。要获得徽章,必须满足所有“必须”和“禁止”的条款,满足所有“应该”条款或有合适的理由,所有“建议”条款必须满足或未满足(至少希望考虑)。欢迎通过 GitHub网站创建问题或提出请求进行反馈。另外还有一个一般讨论邮件列表

如果这是您的项目,请在项目页面上显示您的基准徽章状态!基准徽章状态如下所示: 项目13561的基准徽章等级为in_progress 以下是如何嵌入基准徽章:
您可以通过将其嵌入到Markdown文件中来显示您的基准徽章状态:
[![OpenSSF Baseline](https://www.bestpractices.dev/projects/13561/baseline)](https://www.bestpractices.dev/projects/13561)
或者将其嵌入到HTML中:
<a href="https://www.bestpractices.dev/projects/13561"><img src="https://www.bestpractices.dev/projects/13561/baseline"></a>


这些是基准等级2的标准。 这些是标准版本 v2026.02.19。

Baseline Series: 基准等级1 基准等级2 基准等级3

        

 基本

  • 常规

    请注意,其他项目可能使用相同的名称。

    An AI-assisted web accessibility tester that behaves like two W3C personas at once: a keyboard-only user ("Ade") and a screen-reader user ("Lakshmi"). It drives a page keyboard-only, records what happens at every focus stop, and emits evidence-linked findings mapped to specific WCAG success criteria — against any website.

    请使用 SPDX许可证表达格式;例子包括“Apache-2.0”,“BSD-2-Clause”,“BSD-3-Clause”,“GPL-2.0+”,“LGPL-3.0 +”,“MIT”和“(BSD-2-Clause OR Ruby)”。
    如果有多种语言,请将它们列为逗号分隔值(可选空格),并将它们从最多到最少使用。如果有长列表,请至少列出前三个最常见的列表。如果没有语言(例如,这是仅文档或仅测试项目),请使用单个字符“ - ”。请使用每种语言的常规大小写,例如“JavaScript”。
    通用平台枚举(CPE)是用于信息技术系统,软件和软件包的结构化命名方案。在报告漏洞时,它可用于多个系统和数据库。

    keyboard-a11y-tester

    An AI-assisted web accessibility tester that behaves like two W3C personas at once: a
    keyboard-only user ("Ade") and a screen-reader user ("Lakshmi"). It drives a page
    keyboard-only, records what happens at every focus stop, and emits evidence-linked
    findings mapped to specific WCAG success criteria — against any website. Both
    personas run in the same pass by default; a --persona flag restricts to just one.

    It has two layers:

    • a deterministic runner (scripts/runner.mjs) that owns the mechanical, reproducible
      work — driving the page keyboard-only, capturing a per-step trace + screenshots, and
      computing the machine-decidable checks for both personas;
    • an AI-judgment layer — the invoking agent — that reads the trace/screenshots/census
      and judges what rules can't (task completion, logical focus/reading order, form
      quality, announcement quality). See SKILL.md for how an agent drives it.

    Standalone and portable: it depends only on playwright, yaml, pngjs, pixelmatch,
    and @guidepup/virtual-screen-reader, needs no bundled test cases, and writes all output
    to a per-user temp directory (never into this folder). The screen-reader persona
    never drives a real screen reader (NVDA/VoiceOver) — see "Screen-reader detection" below.

    Documentation: docs/usage.md (setup, dependencies, quick start,
    CAPTCHAs) · docs/interface.md (full CLI reference, output file
    schema, WCAG checks table).

    Quick start

    As a Claude Code plugin — register this repo as a plugin marketplace, then install it:

    /plugin marketplace add ezufelt/keyboard-a11y-tester
    /plugin install keyboard-a11y-tester@ezufelt
    

    The first command registers this repo as a marketplace (named ezufelt, per
    .claude-plugin/marketplace.json); the second installs the plugin. Once installed, the
    skill in SKILL.md becomes available to the agent.

    As a standalone clone — clone the repo and install its dependencies:

    git clone https://github.com/ezufelt/keyboard-a11y-tester.git
    cd keyboard-a11y-tester
    npm install
    npx playwright install chromium
    

    Then drive it directly (see Run against any URL).

    Requirements & dependencies

    Requires Node.js ≥ 20 and Chromium (via Playwright), plus five small npm dependencies —
    no build step. Run node scripts/setup-check.mjs to verify both before your first run.

    See docs/usage.md for the full dependency
    table, licensing credit for @guidepup/virtual-screen-reader, and setup instructions.

    Run against any URL (no test file needed)

    # quick unattended blind Tab-crawl of the start page, per viewport
    node scripts/runner.mjs --url https://example.com
    
    # a full scenario, driven live by the agent one keystroke at a time
    node scripts/runner.mjs serve --url https://example.com --goal "find the pricing page" \
    
         --viewport desktop --port 9400
    #   → prints:  READY <session-dir>   (under the system temp dir)
    node scripts/runner.mjs observe <session-dir>
    node scripts/runner.mjs step    <session-dir> --press Tab      # one keystroke; prints observation
    node scripts/runner.mjs step    <session-dir> --press Enter
    node scripts/runner.mjs step    <session-dir> --type "hello@example.com"
    node scripts/runner.mjs finish  <session-dir>                  # writes trace + findings
    node scripts/runner.mjs stop    <session-dir>
    

    See docs/usage.md for the full
    quick-start walkthrough, and docs/interface.md for every CLI flag and
    the complete output file schema.

    Authenticated runs

    Pages behind a login can't be tested with a fresh, logged-out browser. Pass a Playwright
    storageState JSON file with --storage-state <file> to start the browser with its cookies
    and localStorage already loaded (e.g. an already-logged-in session). Generate one with
    context.storageState({ path: 'auth.json' }) or npx playwright codegen --save-storage=auth.json <url>.
    The file is validated (exists, parses as JSON, and looks like a real storageState export —
    i.e. has cookies/origins arrays) before the browser launches — a missing or malformed file
    fails the run immediately rather than silently testing the logged-out site. In serve mode
    it's applied once at launch and the session browser keeps the state alive for every subsequent
    step.

    A storageState file holds live session cookies/tokens — treat it as a secret. Don't commit
    it; .gitignore already excludes auth.json, storageState.json, and *storage-state*.json,
    but a differently-named file won't be caught automatically.

    What the runner does (deterministic layer)

    Playwright (full Chromium, new-headless + SwiftShader for real pixels) drives the page with
    only the keyboard — it never calls .click() or .focus(); if a control is only
    reachable by pointer, that is itself a finding. It drops to a raw CDP session for the
    accessibility tree (Accessibility.getPartialAXTree), the ground truth for name/role/state.
    At startup it fails fast if :focus-visible does not fire on CDP-driven key events
    (every focus-indicator check would otherwise be invalid) — skipped entirely when
    --persona screen-reader is passed, since that persona has no pixel/focus-ring work.

    Checks are evaluated per focus stop the persona actually visits (keyboard persona) or
    against a page-wide structural census (screen-reader persona) — this is scenario
    testing, not an exhaustive page audit. Conformance target: AA is pass/fail, AAA is
    informative.

    WCAG Level Persona Check
    2.4.7 AA keyboard Focus indicator present
    2.4.13 AAA (informative) keyboard Focus indicator strength
    1.4.1 AA keyboard Indicator is not colour-only
    2.1.2 AA keyboard Keyboard trap
    2.4.1 AA keyboard No skip link
    2.4.3 AA keyboard Positive tabindex
    3.2.1 AA keyboard Context change from focus alone
    3.3.2 AA keyboard File input named only by the user-agent default ("Choose File")
    4.1.2 AA keyboard Focusable control with no accessible name
    1.1.1 AA screen-reader Missing alt text/aria-label
    1.3.1 AA screen-reader Heading level skip
    1.3.1 AA screen-reader Duplicate, unlabeled landmark roles
    4.1.2 AA screen-reader Interactive control announced as a bare role
    4.1.3 AA screen-reader Declared live region that never announced anything

    See docs/interface.md for the authoritative version of
    this table (full check descriptions) and the W3C persona references.

    Output

    Everything is written under a per-user temp dir (${TMPDIR}/keyboard-a11y-tester/…, or
    --out): a trace.json (per-step evidence), deterministic-findings.json (WCAG findings),
    screen-reader-census.json (screen-reader persona), and cropped screenshots/step_NNNN.png
    per viewport. See docs/interface.md for the
    complete directory layout and field-by-field schema of every output file.

    Focus-visible detection (2.4.7 AA presence + 2.4.13 AAA strength)

    Presence (AA) uses two independent signals, so a faint-but-real indicator is never
    missed:

    1. the focused element's computed style declares an outline or box-shadow (ground
      truth — recorded in the trace as computed_focus_style), or
    2. pixels change on focus (catches background/colour indicators with no outline).

    Either one means the indicator is present → AA pass. Pixel diffing compares the focused
    frame to a scroll-aligned baseline (the next step's frame, where the element is no longer
    focused — so focus is never manipulated programmatically), measuring ring slices at
    increasing offset (thin and offset outlines), the interior, and top/bottom edge bands.

    Strength (AAA, informative) measures whether the indicator meets 2.4.13 Focus
    Appearance — changed area ≥ a 2px-thick perimeter of the control, and ≥ 3:1 WCAG luminance
    contrast between focused and unfocused states. Advisory only. (This measure is unreliable
    on pages that mutate between steps — e.g. "load more" — because the neighbour-frame
    baseline then differs by content, not just the focus ring; treat AAA numbers on such pages
    with caution. AA presence is unaffected, being driven by the computed style.)

    So 2.4.7 (AA) requires only that an indicator is visible with no size/contrast minimum: a
    faint 1px or low-opacity ring passes AA and is flagged weak at AAA — rather than being
    falsely reported as "no focus indicator."

    Screen-reader detection (Lakshmi)

    The screen-reader persona is emulated, never driven for real: @guidepup/virtual-screen-reader
    builds an ARIA/ACCNAME-spec accessible tree over the live page and computes what a
    spec-compliant screen reader would announce, entirely in the browser's own JS engine — no
    NVDA/JAWS/VoiceOver is launched, and it works the same way on any OS the runner itself
    supports.

    Its self-contained browser bundle is injected via Playwright's context.addInitScript,
    which is not subject to the page's own CSP — verified against both a synthetic CSP-locked
    page and a real CSP-locked production site. Once injected, its virtual cursor tracks
    real keyboard focus automatically
    (it listens for native focusin events), so every
    step you drive with real Tab/Enter/etc. produces a matching sr_announcement with no
    separate "chasing" logic and no drift between what's focused and what's reported as
    announced. The same mechanism also wires a MutationObserver that computes WAI-ARIA
    live-region semantics and captures "assertive: …"/"polite: …" announcements as they
    happen — this is what 4.1.3 (Status Messages) findings are derived from.

    Separately, once per newly-visited page URL, an ephemeral instance walks the entire page
    in reading order (never touching the live per-step monitor) to build
    screen-reader-census.json — the source for the heading-hierarchy, duplicate-landmark,
    missing-alt-text, and bare-role-control checks, since those need whole-page context rather
    than just the stops a keyboard user's Tab order happens to visit.

    This augments but does not replace testing with a real screen reader and real users
    the upstream library's own README says exactly that, and it's worth repeating: this checks
    what a spec-compliant screen reader should announce given the page's ARIA/HTML, not the
    specific quirks of any one real screen reader implementation.

    CAPTCHAs

    CAPTCHAs detect automation and refuse to run; the runner has a page-scoped, human-approved
    compatibility workaround. See docs/usage.md for details.

    License

    MIT © Everett Zufelt. See LICENSE.

 控制 0/19

  • 控制


    当执行CI/CD任务且未指定权限时,CI/CD系统必须将任务的权限默认为管道中授予的最低权限。 [OSPS-AC-04.01]
    配置项目的设置,默认情况下为新管道分配最低可用权限,仅在特定任务需要时才授予额外权限。


    当创建正式发布时,该发布必须分配一个唯一的版本标识符。 [OSPS-BR-02.01]
    为项目生成的每个发布分配一个唯一的版本标识符,遵循一致的命名约定或编号方案。示例包括SemVer、CalVer或git提交id。


    当创建正式发布时,该发布必须包含功能和安全修改的描述性日志。 [OSPS-BR-04.01]
    确保所有发布都包含描述性的变更日志。建议确保变更日志是人类可读的,并且包含超出提交消息的详细信息,例如安全影响的描述或与不同用例的相关性。为确保机器可读性,请将内容放在markdown标题下,例如"## Changelog"。


    当构建和发布管道摄取依赖项时,它必须使用标准化工具(如果可用)。 [OSPS-BR-05.01]
    为您的生态系统使用通用工具,例如包管理器或依赖项管理工具,以在构建时摄取依赖项。这可能包括使用依赖项文件、锁文件或清单来指定所需的依赖项,然后由构建系统拉入。


    当创建正式发布时,该发布必须进行签名或在包含每个资产加密哈希值的签名清单中进行说明。 [OSPS-BR-06.01]
    在构建时使用加密签名或证明(例如GPG或PGP签名、Sigstore签名、SLSA来源或SLSA VSA)对所有发布的软件资产进行签名。在签名清单或元数据文件中包含每个资产的加密哈希值。


    当项目发布版本后,项目文档必须包含项目如何选择、获取和跟踪其依赖项的描述。 [OSPS-DO-06.01]
    建议在可公开查看的资源(如源代码存储库、项目网站或其他渠道)上与项目的技术和设计文档一起发布此信息。


    项目文档必须包含如何构建软件的说明,包括所需的库、框架、SDK 和依赖项。 [OSPS-DO-07.01]
    建议将此信息与项目的贡献者文档一起发布,例如在 CONTRIBUTING.md 或其他开发者任务文档中。也可以使用 Makefile 目标或其他自动化脚本来记录此信息。


    在活动期间,项目文档必须包含有权访问敏感资源的项目成员列表。 [OSPS-GV-01.01]
    通过项目源代码存储库中的members.md、governance.md、maintainers.md或类似文件等工件记录项目参与者及其角色。这可以简单到在维护者列表中包含姓名或账户句柄,或者根据项目的治理更复杂。


    在活动期间,项目文档必须包含项目成员的角色和责任的描述。 [OSPS-GV-01.02]
    通过项目源代码存储库中的members.md、governance.md、maintainers.md或类似文件等工件记录项目参与者及其角色。


    在活动期间,项目文档必须包含代码贡献者指南,其中包括可接受贡献的要求。 [OSPS-GV-03.02]
    扩展项目文档中的CONTRIBUTING.md或CONTRIBUTING/的内容,以概述可接受的贡献要求,包括编码标准、测试要求和代码贡献者的提交指南。建议将该指南作为贡献者和批准者的真实来源。


    处于活跃状态时,版本控制系统必须要求所有代码贡献者在每次提交时断言他们有合法授权提交相关的贡献。 [OSPS-LE-01.01]
    在项目的代码库中包含一个DCO,要求代码贡献者在每次提交时断言他们有合法授权提交相关贡献。使用状态检查以确保完成此断言。CLA也满足此要求。某些版本控制系统(例如GitHub)可能会在平台服务条款中包含此项。


    当向主分支提交时,必须通过或手动绕过提交的任何自动化状态检查。 [OSPS-QA-03.01]
    配置项目的版本控制系统,要求所有自动化状态检查通过或在提交合并到主分支之前需要手动确认。建议不要将任何可选状态检查配置为批准者可能会绕过的通过或失败要求。


    在接受提交之前,项目的CI/CD管道必须运行至少一个自动化测试套件,以确保更改符合预期。 [OSPS-QA-06.01]
    应在每次合并到主分支之前运行自动化测试。测试套件应在CI/CD管道中运行,结果应对所有贡献者可见。测试套件应在一致的环境中运行,并应以允许贡献者在本地运行测试的方式运行。测试套件的示例包括单元测试、集成测试和端到端测试。


    当项目发布版本时,项目文档必须包括设计文档,展示系统中的所有操作和参与者。 [OSPS-SA-01.01]
    在项目文档中包括说明操作和参与者的设计。参与者包括可以影响系统中另一段的任何子系统或实体。确保为新功能或重大更改更新此文档。


    当项目发布版本时,项目文档必须包括对已发布软件资产的所有外部软件接口的描述。 [OSPS-SA-02.01]
    记录已发布软件资产的所有软件接口(API),解释用户如何与软件交互以及期望或产生什么数据。确保为新功能或重大更改更新此文档。


    当项目发布版本时,项目必须执行安全评估,以了解软件中可能发生的最可能和最具影响力的潜在安全问题。 [OSPS-SA-03.01]
    执行安全评估可以告知项目成员和下游消费者,项目了解软件中可能出现的问题。了解可能实现的威胁有助于项目管理和应对风险。此信息对下游消费者很有用,可以证明项目的安全敏锐度和实践。确保为新功能或重大更改更新此文档。


    处于活跃状态时,项目文档必须包括协调漏洞披露(CVD)的政策,并有明确的响应时间框架。 [OSPS-VM-01.01]
    在目录根目录创建一个SECURITY.md文件,概述项目的协调漏洞披露政策。包括报告漏洞的方法。设定项目将如何响应和处理报告问题的期望。


    处于活跃状态时,项目文档必须提供一种方法,用于直接向项目内的安全联系人私下报告漏洞。 [OSPS-VM-03.01]
    为安全研究人员提供一种方式,以私下向项目报告漏洞。这可能是专用电子邮件地址、Web表单、VCS专用工具、安全联系人的电子邮件地址或其他方法。


    处于活跃状态时,项目文档必须公开发布有关已发现漏洞的数据。 [OSPS-VM-04.01]
    在可预测的公共渠道(例如CVE条目、博客文章或其他媒体)中提供有关已知漏洞的信息。在可能的情况下,此信息应包括受影响的版本、消费者如何确定他们是否容易受到攻击以及缓解或修复的说明。


该数据可在社区数据许可协议 – 许可性,版本 2.0 (CDLA-Permissive-2.0)下获取。这意味着数据接收方可以共享数据,无论是否经过修改,只要数据接收方在共享数据时提供本协议文本。请注明ezufelt和OpenSSF最佳实践徽章贡献者。

项目徽章条目拥有者: ezufelt.
最后更新于 2026-07-10 18:22:26 UTC, 最后更新于 2026-07-10 21:04:01 UTC。 最后在 2026-07-10 21:04:01 UTC 获得通过徽章。