Looking for technical docs? wcagaudit.io/docs/cli

License-gated install · one-shot fix prompt

Scan. Auto-fix 60%. Let Claude Code handle the rest.

One command audits every route — including pages behind login — runs 10 deterministic codemods on the spot, then writes a WCAG_FIXES.prompt.md your AI editor applies in a single pass. No manual triaging.

Docs

Not just a linter. A complete fix pipeline.

Crawl only public pages
No auth support
Headless blind spots

Just a report — no fixes
Manual triaging required
No AI-powered vision review

No deterministic codemods
No false-positive registry
No AI editor integration

Full route discovery
Interactive auth flow
Role-gated coverage

10 deterministic codemods (~60% auto-fixed)
One-shot fix prompt for remaining findings
AI vision + real VoiceOver

False-positive registry (persistent)
GitHub Action included
xlsx, JSON, Markdown output

Three phases. One command.

Public pages — logged out

Scans all routes as a logged-out visitor with 12 checkers: axe-core, keyboard navigation, viewport, forms, motion, and more.

Phase 1 — Auditing public pages
  /                ▸ axe-core (8 issues)
  /pricing         ▸ axe-core (2 issues)
  /signup          ▸ axe-core (1 issue)

Authenticate & continue

Auth-blocked routes are detected automatically. A browser opens — you log in, press Enter, and the CLI resumes with your session.

⚠ 8 routes require auth.
  Log in? (y/n) y
  → browser opened
  ✓ session saved

Authenticated pages — full coverage

Re-audits every auth-blocked route with the same 12 checkers. Supports multi-role: loop again as admin, superadmin, etc.

Phase 2 — Authenticated pages
  /dashboard       ▸ 4 issues
  /admin           ▸ 2 issues
✓ 100% route coverage

Scan outputs. Everything your team needs.

New · AI-ready

WCAG_FIXES.prompt.md

Structured fix prompt with Multi-Agent Protocol (Claude Code parallel sub-agents) and Linear Protocol (Cursor / Windsurf sequential). Open it and say “apply these fixes.” 3-attempt cap, structured worker handoff, stop criteria included.

wcag-report.xlsx

Classic compliance spreadsheet. Share with auditors, legal, or leadership immediately after the scan.

wcag-ai-fix.json

Structured fix prompts per issue with fixPrompt and fixContext — designed for AI coding tools to consume programmatically.

wcag-coverage.json

Machine-readable coverage data: audited vs auth-blocked vs errored routes. Feed into dashboards or CI status checks.

10 deterministic codemods. ~60% auto-fixed before AI even runs.

Install the Next.js plugin for exact source mapping. Codemods apply at scan time — no LLM, no review needed.

text-spacing-clip

Fixes overflow clipping that breaks text-spacing injection

fixed-width-overflow

Removes fixed px widths that prevent 320px reflow

color-contrast

Replaces failing color pairs with WCAG AA-passing equivalents

label-content-name-mismatch

Aligns aria-label with visible button/link text

redundant-alt

Removes "image of" / "photo of" from alt text

button-name

Adds accessible names to icon-only buttons

link-name

Adds descriptive text to empty or generic links

image-alt

Adds missing alt attributes to img elements

lang-html

Adds or corrects lang attribute on the html element

missing-form-label

Associates unlabelled inputs with a visible label

Next.js plugin

`wcag-audit plugin-init` — exact source mapping for codemods

Wraps your next.config.{js,ts,mjs} with withWcagAudit() and sets WCAG_AUDIT=1 in .env.local. With the plugin active, the CLI maps every finding to an exact file:line — enabling codemods to apply automatically at scan time. Production builds are no-ops when WCAG_AUDIT is not set.

$ wcag-audit plugin-init

12 accessibility checkers.

Covers 52 of 55 WCAG 2.2 Level A + AA criteria — more than any single automated tool can achieve alone.

axe-core

Industry-standard automated rules (100+ checks)

Keyboard / focus

Tab order, focus traps, visible focus indicators

Viewport / reflow

Responsive layout, text spacing, zoom to 200%

Hover & on-focus

Tooltip dismiss, persist, hover stability

Motion / flashes

Autoplay detection, animation, flashing content

Forms / errors

Labels, error messages, validation feedback

Pointer & gestures

Target size (24px minimum), multi-point gestures

Audio / video

Caption and transcript presence detection

Accessible auth

Copy-paste allowed, no cognitive function tests

Multi-page consistency

Same navigation, same labels across pages

AI vision review

Claude analyzes screenshots for visual issues (included on paid plans)

Business tier — The differentiator

+ Checker 13

Real VoiceOver (macOS) & NVDA (Windows) walkthrough

Not a simulator. The CLI drives the actual screen reader via guidepup, captures what it announces, and grades each announcement with AI. This is the only accessibility tool in the market that does this. Requires macOS (for VoiceOver) or Windows (for NVDA).

Commands

scan --authFull auth-aware audit. Runs codemods, writes WCAG_FIXES.prompt.md, then audits public + authenticated routes.

verify <rc-id>Deterministic-only re-verify of a specific finding. Zero AI cost. Used by the fix prompt to validate each fix before moving on.

dismiss <rc-id> --reason "..."Record a false positive permanently in .wcag-audit/false-positives.json. Reason must be ≥ 20 chars. Persists across scans via stable sha1 fingerprint.

plugin-initAuto-installs @wcag-audit/next-plugin into your Next.js project. Enables exact file:line source mapping so codemods apply automatically.

scan --auth --target https://staging.example.comDiscover routes from your local filesystem but audit against a deployed URL.

scan --url https://example.comBFS crawl a deployed site (no source access needed). Works on any website.

scan --resumeResume from last scan — only re-audit auth-blocked and pending routes.

scan --dry-runPreview routes and credit cost without scanning.

scan --auth-storage ./auth.jsonUse a Playwright storageState file for headless/CI authenticated scanning.

ci --fail-on criticalCI-optimized scan. Exit 1 on critical findings for PR gating.

watchWatch source files. Re-scan on every change (debounced 2s).

doctorDiagnose setup (license, AI vision availability, framework, dev script).

Built for the teams that ship.

⚡

Vibe coders

Built something with AI and need a compliance sweep before launch? One command, every route, zero config. Paste the output into Cursor and you're done.

🔁

CI/CD pipelines

Block PRs that introduce critical accessibility regressions. Use the GitHub Action + auth storage for fully automated pre-merge gating on every pull request.

🏢

Agencies & consultants

Audit a client's entire app — including their authenticated dashboard — and hand them an Excel report and fix-prompt.json the same day. No manual page-by-page testing.

Install in one command.

The installer is license-gated. Get your key at wcagaudit.io/pricing, then run:

Install (requires license key)

curl -fsSL https://wcagaudit.io/install | bash -s -- <your-license-key>

After install, all commands are available as wcag-audit. Run wcag-audit doctor to verify your setup.

GitHub Action — one-line PR gate

Block PRs with critical accessibility issues before they merge:

# .github/workflows/a11y.yml
name: Accessibility

on: pull_request

jobs:
  wcag-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: wcagauditdev-commits/wcag-documentation-creator/action@main
        with:
          license-key: ${{ secrets.WCAG_AUDIT_LICENSE_KEY }}
          fail-on: critical

What it doesn't do

We believe in honest tooling. Here's what the CLI cannot cover today.

PDF documents

The CLI audits web pages only. For PDF accessibility, use PAC 2024.

Cross-origin iframes

Browser security prevents auditing content loaded from a different domain.

Replace manual assistive technology testing

Automated tools catch structural issues. Real screen-reader and keyboard testing by humans is still essential.

All 55 WCAG 2.2 criteria fully automated

3 of 55 Level A+AA criteria require manual review. See the full breakdown at /coverage.

Frequently asked questions

Does the CLI send my app's code or content anywhere?

All audits run locally on your machine. Only license validation and page count are sent to wcagaudit.io for credit metering. If you enable AI vision review, page screenshots and a subset of the DOM are forwarded through wcagaudit.io to Anthropic Claude — we do not retain screenshots or model output beyond the request lifecycle.

How does auth work? Is my password stored?

The CLI opens a visible browser window and lets you log in normally — just like you would in any browser. Your credentials are never intercepted or stored. You can optionally save the browser session (Playwright storageState) for CI use, and delete it any time with scan --clear-auth.

What frameworks are supported?

Next.js (App + Pages Router), Vite + React Router v6+, SvelteKit, Remix v2, Astro. For any other stack, use scan --url https://example.com for BFS crawl-based discovery, or scan --routes to provide a manual list.

Does it work on staging / deployed URLs?

Yes. Use scan --auth --target https://staging.example.com to discover routes from your local filesystem but audit against a deployed URL. Or use scan --url to crawl any live site.

What's the difference between the CLI and the Chrome extension?

Both run the same checker engine. The CLI audits your entire application (all routes, including authenticated ones) in one command. The extension is for quick single-page spot-checks while you're developing. Together they cover 52 of 55 WCAG 2.2 Level A + AA criteria.

How does credit counting work?

Credits are consumed per page audited. A scan --dry-run previews your exact credit cost before spending any. Free tier: 10 pages/month with no card required. Pro: 500 pages/month. Business: 2,000 pages/month.

Can I use it in CI without a browser opening?

Yes. Export a Playwright storageState file once (scan --export-auth ./auth.json), commit it securely as a CI secret, then use ci --auth-storage ./auth.json for fully headless authenticated CI runs.

What is WCAG_FIXES.prompt.md?

The main output of every scan. A structured fix prompt with two protocols: Multi-Agent Protocol (Claude Code spawns parallel sub-agents to fix issues concurrently) and Linear Protocol (Cursor / Windsurf apply fixes sequentially). Each finding includes a verify step using wcag-audit verify so the agent can confirm the fix landed before moving on. 3-attempt cap per finding, structured worker handoff JSON, and stop criteria are all built in.

What is wcag-audit verify?

A deterministic-only re-check of a specific finding (by rc-id). Uses the same rule-based checkers as the scan, no AI, so it's fast and free. The fix prompt calls verify after each fix to confirm the issue is resolved before continuing.

What is wcag-audit dismiss?

Records a confirmed false positive in .wcag-audit/false-positives.json. The reason must be at least 20 characters — this forces a real WCAG analysis, not a skip. Once dismissed, the finding won't appear in future scans (stable sha1 fingerprint). Your AI agent can call dismiss directly when it determines the audit rule is firing incorrectly.

Scan. Auto-fix. Verify. One command.

Get a license key at wcagaudit.io/pricing, then install with the curl command. Pro and above required for CLI access.

Pricing

Need help? Book a demo