Accessibility Audit
Architecture
This skill operates as a single layer. It reads the project environment,
runs automated accessibility tools, maps findings to compliance standards,
and produces output in a configurable format. No external skill dependency
is required.
Store project-specific audit state in the target workspace, not in the
installed skill directory. Default path:
.a11y-audit/PROJECT_CONTEXT.md
at the workspace root. When that file
exists, use it for project-specific configuration: output mode,
additional compliance standards, issue tracker settings, route lists,
color palettes, and cross-references to existing documentation. When
absent, use WCAG 2.1 AA as the sole standard,
as the output
mode, and generic defaults for everything else.
Use
references/project-context-template.md
as the canonical schema for
that file, including minimal and
examples.
Prefer bundled helpers over ad hoc generation when they fit:
scripts/bootstrap-context.js
.a11y-audit/PROJECT_CONTEXT.md
- runs reusable axe-based scans and records optional
Lighthouse execution intent. Use to reduce output size
(keeps full violation detail, strips node data from passes/inapplicable).
- generates the markdown report and JSON data file
from scan.js output. Handles WCAG compliance matrix, violation
aggregation, and color-contrast detail extraction deterministically.
- identifies template groups on large sites and
selects representative pages for scanning. Reads sitemap.xml first,
falls back to HTML navigation crawl. Outputs a scan plan with
template groups and a ready-to-use URL list for scan.js.
Dependencies
scan.js requires
and
. It resolves these in order:
- Skill-local directory (sibling to )
- Target project (and common workspace subdirs)
- Global npm modules
If not found anywhere, scan.js
auto-installs both packages to the
skill-local
directory. This means the skill works against any
project without requiring the target to have accessibility tooling
installed. The
directory is gitignored.
Platform-Specific References
- If running in Claude Code, read
references/claude-code.md
- If running in Codex, read for workspace-local
state handling and execution assumptions.
references/output-contract.md
references/output-schema.json
- Read
references/issue-trackers.md
- If the user wants to operationalize recurring audits in CI, start from
assets/ci/github-actions/accessibility-audit.yml
- Prefer before live ticket creation when you
need a safe review and deduplication pass.
The skill does not modify source code. It is an auditor, not a fixer.
Findings are reported with remediation guidance; the user decides what to
act on.
Output Modes
The skill supports three output modes, configured via the
field in
.a11y-audit/PROJECT_CONTEXT.md
:
| Mode | Output | Use Case |
|---|
| Markdown report only | Human review, documentation |
| Markdown report + JSON data file | CI integration, dashboards, trend tracking |
| Markdown report + issue tracker tickets | Active remediation workflow |
On first run, if no
is set in
.a11y-audit/PROJECT_CONTEXT.md
, ask the user which mode they prefer
and persist their choice by appending an
section to that file. If no context file exists, create it at the
default path following
references/project-context-template.md
. Prefer
scripts/bootstrap-context.js
for first-run context creation when a
simple generated file is sufficient.
The
mode writes a companion file alongside the report:
containing the raw axe-core results, Lighthouse
scores, and the compliance matrix as structured data. This file is
machine-readable and can be consumed by CI pipelines, dashboards, or
trend-tracking tools.
The
mode requires additional configuration in the
context file (see Phase 6).
Pipeline
An accessibility audit moves through six phases. Each phase produces data
the next phase consumes. Phases 1-4 always run. Phase 5 produces output
based on the configured output mode. Phase 6 runs only in
mode and requires explicit user confirmation.
The user can request a partial run. Common patterns:
- "Quick scan": Phases 1-2 only, results summarized in conversation
- "Full audit": Phases 1-5, output per configured mode
- "Audit with issues": Phases 1-6, report plus tracker tickets
Phase 1 -- Environment Discovery
Purpose: Understand the project before scanning.
- Read
.a11y-audit/PROJECT_CONTEXT.md
scripts/bootstrap-context.js
references/project-context-template.md
- Read for tech stack, existing a11y tooling, and
available browser automation ( / ).
- Build a scannable URL list from router config or HTML file glob.
For sites with many pages (>15 routes), prefer
to classify pages into template groups and select representatives.
Review the scan plan with the user before proceeding to Phase 2.
- Confirm a dev server is reachable. Check and
platform-specific references for launch hints. If the app starts on a
different URL than expected, switch to the live URL, record the
mismatch, and update the context file.
- Ask before installing any missing dependencies.
Output: Structured summary reported to the user before proceeding.
Phase 2 -- Automated Scanning
Purpose: Run automated accessibility checks against live pages.
Prerequisite: A running dev server (or production URL provided by
the user).
axe-core Scanning
Prefer the bundled
before writing a throwaway scan
script. Use an ad hoc script only when the workspace needs behavior that
the bundled script does not yet support.
The reusable scanner should:
- Imports and
- Launches a headless browser
- For each target URL:
a. Navigates to the page
b. Waits for network idle (
waitUntil: 'networkidle0'
node_modules/axe-core/axe.min.js
page.evaluate(() => axe.run())
- Closes the browser
- Writes raw results to JSON
Example invocation:
bash
node a11y-audit/scripts/scan.js \
--root . \
--urls http://127.0.0.1:3000/,http://127.0.0.1:3000/about \
--output /tmp/a11y-scan.json \
--summary
Adapt to the project. If dependencies live in a frontend
subdirectory, point
at the workspace root; the bundled script
already checks common frontend paths. If that still fails, fall back to
an ad hoc script or run from the frontend directory directly.
Common mistake: Do not use
in an ES module project. Check
for
. If present, use
syntax
and the
workaround in any ad hoc script. If absent,
is fine.
Playwright alternative: If the project uses Playwright instead of
Puppeteer, adapt the script: replace
with
, use
the same way, and inject
axe-core via
. The axe-core injection pattern is
identical. Use whichever browser automation library the project already
has installed.
Lighthouse Scanning
Run Lighthouse CLI against each target URL:
bash
npx lighthouse <url> \
--output=json \
--output-path=stdout \
--only-categories=accessibility \
--chrome-flags="--headless --no-sandbox" \
--quiet
Parse the JSON output. Extract:
categories.accessibility.score
- where (failed or partial audits)
- Each audit's and
If Lighthouse is unavailable or fails (common in CI environments), skip
it and note the gap in the report. In the executive summary and
methodology, explicitly say whether Lighthouse was skipped because the
CLI was missing, Chrome launch failed, or another runtime error
occurred. axe-core results alone are sufficient for a valid audit.
Scope Control
- Default: scan routes discovered in Phase 1
- If a discover.js scan plan exists, use its for .
The report methodology will record the sampling strategy.
- If more than 10 routes exist and no discover plan is available, ask
the user which to scan or whether to scan all
- The user can provide a specific URL list to override discovery
- For SPAs: navigate via the router, not by reloading the page (some
routes may not work as direct URLs)
Result Structure
For each page, collect:
- : the scanned URL
- : array of axe violations, each with ,
(critical/serious/moderate/minor), , , ,
(WCAG criteria), (affected elements with selectors)
- : count of passing rules
- : rules that could not be fully evaluated
- : 0-100 (if available)
- : failed audit details (if available)
Phase 3 -- Compliance Mapping
Purpose: Map automated findings to WCAG 2.1 AA success criteria and
any project-specific standards.
handles the compliance matrix deterministically. It
hardcodes all 50 WCAG 2.1 Level A and AA criteria, maps axe tags to
success criteria, and produces the matrix as part of its markdown and
JSON output. You do not need to build the matrix manually.
If
.a11y-audit/PROJECT_CONTEXT.md
specifies additional standards
(e.g., CAN-ASC-6.2), build a secondary mapping. Cross-reference
automated findings where the standard maps to WCAG criteria. For
requirements that go beyond WCAG (equity, organizational processes,
transparency), note them as manual review items referencing the
project's existing conformance documentation.
Phase 4 -- Manual Check Guidance
Purpose: Generate targeted checklists for what automation cannot
verify, prioritized by the automated findings.
For each WCAG criterion marked "Manual" in the Phase 3 matrix, generate
a testing item. Organize by testing method: Keyboard Navigation, Screen
Reader, Visual Inspection, Cognitive, and Timing/Motion.
Dynamic prioritization: Do not produce a static checklist. Use the
Phase 2 results to focus manual effort:
- If axe found color-contrast violations, prioritize visual inspection
items (SC 1.4.1, 1.4.11, 1.4.10, 1.4.12, 1.4.13)
- If axe found ARIA or landmark violations, prioritize screen reader
items (SC 1.3.1, 4.1.3, 3.3.1, 3.3.2)
- If axe found heading or structure violations, prioritize keyboard
navigation items (SC 2.4.3, 2.4.7, 2.1.1)
- If no form-related violations were found, deprioritize form testing
(SC 3.3.3, 3.3.4) with a note that automated checks passed
- Always include timing items (SC 2.2.1, 2.2.2, 2.3.1) since these
cannot be automated at all
Each checklist item specifies: the WCAG criterion, what to test, how
to test it, and which pages to focus on (pages where automated issues
were found get priority).
If
.a11y-audit/PROJECT_CONTEXT.md
references an existing testing guide,
cross-link to it rather than duplicating procedures.
Phase 5 -- Output Generation
Purpose: Produce output based on the configured output mode.
Run
to generate the markdown report and JSON data
file from the Phase 2 scan output:
bash
node a11y-audit/scripts/report.js \
--input /tmp/a11y-scan.json \
--output-dir docs/accessibility/audits \
--project-name "Project Name" \
--runtime-url http://127.0.0.1:3000 \
--expected-url http://localhost:3000 \
--discover /tmp/a11y-discover.json
Pass
when a discover.js scan plan was used. This adds a
Sampling Strategy subsection to the report methodology documenting
template groups and coverage ratio.
Pass
--previous <prior-audit.json>
to generate a Delta from Previous
Audit section showing fixed rules, new rules, changed instance counts,
and net progress.
The script produces
and
following the contracts in
references/output-contract.md
and
references/output-schema.json
. You do not need to read those reference
files unless modifying the report script itself.
After running report.js, review its output and fill in the Manual
Testing Recommendations section with the Phase 4 guidance (report.js
leaves a placeholder for this since it requires reasoning about the
specific findings pattern).
.a11y-audit/PROJECT_CONTEXT.md
can override the output path.
If the user wants a recurring or on-demand CI job, adapt
assets/ci/github-actions/accessibility-audit.yml
to the target
workspace instead of inventing a workflow from scratch.
Phase 6 -- Issue Creation (conditional)
Purpose: Create issue tracker tickets for findings. Runs only when
the output mode is
.
This phase requires explicit user confirmation. Before creating any
tickets, show the user how many will be created, at what priority levels,
and ask for approval.
Read
references/issue-trackers.md
for tracker configuration,
deduplication, priority mapping, and ticket structure. Use the tracker
settings from
.a11y-audit/PROJECT_CONTEXT.md
.
Verification
After completing an audit, verify these quality checks:
-
axe results valid: Compare violation count against a manual
axe DevTools browser extension run on the same page. Counts should
match within tolerance (axe versions may differ slightly).
-
Lighthouse score consistent: Compare against a manual Chrome
DevTools Lighthouse run when Lighthouse was actually executed. Should
be within 5 points.
-
WCAG matrix complete: All 50 AA criteria appear in the compliance
matrix. No criterion is missing.
Treat the matrix as evidence-oriented status reporting. Do not frame
it as proof of full conformance, because many WCAG criteria remain
manual even in a strong automated run.
-
Report structure: All required sections present. Tables render
correctly in a markdown viewer.
-
JSON validity (
mode): JSON file parses without
error. Violation counts match the markdown report.
-
Issue deduplication (
mode): Run the skill
twice. The second run should create zero duplicate tickets.
-
Output mode persistence: After first run, verify the output mode
is saved to
.a11y-audit/PROJECT_CONTEXT.md
and used automatically
on next run.
-
Runtime URL reconciliation: If the app started on a different
local URL than expected, verify the report records the mismatch and
the context file reflects the actual working
.
What This Skill Does NOT Do
- Visual regression testing: does not compare screenshots between
runs. Use Percy, Chromatic, or BackstopJS for that.
- PDF accessibility: does not audit PDF documents for tagged
structure, reading order, or alternative text.
- Real device/AT testing: runs in headless Chromium only. Cannot
test on real iOS/Android or with real screen readers. Phase 4
generates manual checklists for this.
- Code fixes: reports findings but does not modify source code.
- VPAT generation: does not produce Voluntary Product Accessibility
Templates (specific legal format).
- Continuous monitoring: runs on demand, not as a CI pipeline.
The output mode provides structured data for building
CI integrations, but the skill itself does not run in CI.
- Third-party auditing: only audits the project's own frontend,
not embedded third-party services.