PRODUCT
Automated WCAG 2.1/WCAG 2.2 Accessibility Auditing Platform
Last updated: 19 March 2026. Version: 1.0
Executive Summary
wcag-scan is a vertical SaaS product that automates web accessibility compliance testing against the WCAG 2.1 and 2.2 standards. It targets a regulatory tailwind: the European Accessibility Act (EAA), in effect since June 2025, requires all private-sector digital products sold in the EU to meet WCAG 2.1 AA — with violations carrying fines and civil liability.
The platform differentiates through a multi-engine detection architecture that cross-references four independent testing tools in a single scan, a deterministic scoring algorithm that produces consistent, reproducible compliance scores, and AI-driven remediation that generates element-level code fixes. Every scan produces court-ready PDF and CSV outputs suitable for legal and procurement workflows.
The product currently ships three tiers (Free, Pro, Team), is monetised via Stripe subscription billing, and has a fully operational GitHub Agent that opens automated pull requests with fixes.
1. Market Context
Regulatory Drivers
| Regulation | Jurisdiction | Scope | Status |
|---|---|---|---|
| European Accessibility Act (EAA) | EU (27 member states) | All private-sector digital products and services | In force since 28 June 2025 |
| ADA Title III | United States | All public-facing commercial websites | Active; litigation volume increasing yearly |
| EN 301 549 v3.2.1 | EU public sector | Government and publicly-funded websites | In force since 2021 |
| AODA | Canada (Ontario) | Organisations with 50+ employees | Phase-in through 2025 |
| Equality Act 2010 | United Kingdom | All businesses offering goods/services to the public | In force |
| Barrierefreiheitsstärkungsgesetz (BFSG) | Germany (EAA transposition) | All B2C digital products | In force since 28 June 2025 |
The EAA is the single most significant catalyst. Unlike the ADA, which relies on litigation, the EAA establishes positive compliance obligations with administrative enforcement. Non-compliant businesses face market access restrictions across all 27 EU member states.
Market Data
| Metric | Value | Source |
|---|---|---|
| Websites failing basic WCAG 2.1 AA | 95.9 % of the top 1,000,000 | WebAIM Million Report, February 2025 |
| US ADA website lawsuits filed (2024) | 4,061 | UsableNet Mid-Year ADA Litigation Report |
| Average ADA lawsuit settlement range | $25,000 – $150,000 | Seyfarth Shaw ADA Title III Summary |
| Global web accessibility software market (2024) | $590 M | Grand View Research |
| Projected market (2030) | $2.0 B (CAGR 22.4 %) | Grand View Research |
2. Product Overview
What a Scan Produces
| Output | Free | Pro | Team |
|---|---|---|---|
| Compliance score (0–100, deterministic) | ✓ | ✓ | ✓ |
| WCAG conformance level (AAA / AA / A / Fail) | ✓ | ✓ | ✓ |
| Prioritised violation list with code snippets | ✓ (capped at 20 violations) | ✓ (up to 35 violations) | ✓ (up to 35 violations) |
| Developer-actionable fix for each violation | ✓ | ✓ (includes corrected code) | ✓ (includes corrected code) |
| Effort estimate per issue | — | ✓ (low / medium / high) | ✓ |
| Affected user groups per issue | — | ✓ | ✓ |
| PDF report | Watermarked | Clean, unbranded | Clean, unbranded |
| CSV export | — | ✓ | ✓ |
| Summary and quick wins | ✓ | ✓ | ✓ |
| Manual check recommendations | ✓ | ✓ | ✓ |
Customer Segments
| Segment | Use case | Plan |
|---|---|---|
| Individual developer | One-off audits, personal projects | Free |
| Freelance web developer / agency | Client deliverable, audit report PDF | Pro |
| In-house engineering team | Continuous monitoring, regression tracking | Pro / Team |
| Legal / compliance team | Documentation for EAA / ADA compliance evidence | Team |
| Enterprise buyer | Multi-domain monitoring, CI/CD integration (roadmap) | Team + upcoming Enterprise |
3. Detection Architecture
Principle: Multi-Source Corroboration
A single testing engine always has blind spots. axe-core, the industry standard, covers approximately 57 rules for WCAG 2.1 A/AA. It deliberately skips heuristic checks (vague alt text, placeholder-as-label patterns, autocomplete attributes). Static DOM analysis cannot evaluate the computed accessibility tree that assistive technology actually reads. And no static tool simulates keyboard interaction.
wcag-scan addresses this by running four independent detection sources in a single headless Chromium session:
Proprietary Rule Inventory (wcag-engine)
Layer 1 — DOM Heuristic Rules (10 rules)
These complement axe-core by checking patterns axe deliberately skips.
| # | Rule | WCAG SC | Level | Confidence | What it detects |
|---|---|---|---|---|---|
| 1 | alt-text | 1.1.1 | A | 0.60 | Generic or filename-based alt text (axe only checks missing alt) |
| 2 | form-labels | 1.3.1 | A | 0.70 | Placeholder-as-label anti-pattern |
| 3 | aria | 4.1.2 | A | 0.85 | Invalid WAI-ARIA 1.2 / DPUB-ARIA roles; aria-hidden on focusable elements |
| 4 | heading-hierarchy | 2.4.6 | AA | 0.80 | Zero headings on text-heavy pages |
| 5 | skip-links | 2.4.1 | A | 0.75 | Missing or broken skip links |
| 6 | landmark-regions | 1.3.6 | AA | 0.75 | Missing main/nav/footer; duplicate landmarks without unique labels |
| 7 | link-purpose | 2.4.4 | A | 0.70 | Vague link text ("click here", "read more", "learn more") |
| 8 | error-identification | 3.3.1 | A | 0.65 | Forms without visible error identification |
| 9 | target-size | 2.5.8 | AA | 0.85 | Tap targets below the 24×24px minimum (WCAG 2.2 — axe has not implemented this) |
| 10 | input-type | 1.3.5 | AA | 0.70 | Missing autocomplete attributes on personal data fields |
Layer 2 — Accessibility Tree Rules (3 rules)
These use the browser's computed accessibility tree (page.accessibility.snapshot()) — the same data structure screen readers consume. This is authoritative for computed names, roles, and states.
| # | Rule | WCAG SC | Level | Confidence | What it detects |
|---|---|---|---|---|---|
| 11 | tree-interactive-names | 4.1.2 | A | 0.85 | Interactive elements with no computed accessible name (post-ARIA resolution) |
| 12 | tree-landmark-coverage | 1.3.6 | AA | 0.75 | Missing main landmark — uses full tree traversal (handles React/Next.js deep nesting) |
| 13 | tree-live-regions | 4.1.3 | AA | 0.65 | Dynamic UI (expandable elements) with no aria-live region for announcements |
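Rules 11 and 12 worked over a snapshot of the computed tree, as an added example (not wcag-engine's code). The node shape assumed is the one page.accessibility.snapshot() returns, and the sample tree is constructed.

```javascript
// Assumed node shape: { role, name, children }, as returned by
// page.accessibility.snapshot(); the sample tree below is constructed.
const INTERACTIVE_ROLES = new Set([
  "button", "link", "textbox", "checkbox", "radio", "combobox", "switch", "tab", "menuitem",
]);

// Depth-first walk yielding every node together with its ancestor chain.
function* walk(node, ancestors = []) {
  yield { node, ancestors };
  for (const child of node.children || []) yield* walk(child, [...ancestors, node]);
}

// Rule 11 (tree-interactive-names): interactive nodes whose computed name is empty
// after ARIA resolution. A DOM-only check cannot see that the link below is named via
// aria-label, nor that the icon-only button ends up with no name at all.
function treeInteractiveNames(snapshot) {
  const findings = [];
  for (const { node, ancestors } of walk(snapshot)) {
    if (INTERACTIVE_ROLES.has(node.role) && !(node.name || "").trim()) {
      findings.push({ rule: "tree-interactive-names", wcag: "4.1.2", role: node.role, depth: ancestors.length });
    }
  }
  return findings;
}

// Rule 12 (tree-landmark-coverage): look for a main landmark at any depth, so the
// wrapper divs a framework puts between body and <main> do not cause a false positive.
function treeLandmarkCoverage(snapshot) {
  for (const { node } of walk(snapshot)) if (node.role === "main") return [];
  return [{ rule: "tree-landmark-coverage", wcag: "1.3.6" }];
}

// Constructed sample: <main> under two wrapper levels, one icon-only button with no
// name, one link named through aria-label, one labelled textbox.
const SAMPLE_TREE = {
  role: "RootWebArea", name: "Orders",
  children: [{ role: "generic", children: [{ role: "generic", children: [
    { role: "main", name: "", children: [
      { role: "button", name: "" },
      { role: "link", name: "Download invoice" },
      { role: "textbox", name: "Search orders" },
    ] },
  ] }] }],
};
```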
Layer 3 — Keyboard Simulation Rules (3 rules)
These use Puppeteer's keyboard API to simulate real Tab/Escape key interaction. No other commercial automated tool performs this.
| # | Rule | WCAG SC | Level | Confidence | What it detects |
|---|---|---|---|---|---|
| 14 | keyboard-hidden-focusable | 2.4.3 | A | 0.80 | Elements in the tab order that are not visible (with skip-link exemption) |
| 15 | keyboard-focus-trap | 2.1.2 | A | 0.90 | Modal dialogs ([aria-modal="true"]) that fail to trap keyboard focus |
| 16 | keyboard-escape-modal | 2.1.2 | A | 0.85 | Modal dialogs that don't close on the Escape key |
Deduplication
When multiple engines detect the same issue (e.g. both axe and wcag-engine flag a missing form label on the same element), the deduplication layer merges them into a single unified violation. The merge logic:
- Key: WCAG criterion + element fingerprint (tag, id, role, name, class)
- Confidence boost: when both source confidences are ≥ 0.70, the merged confidence increases by 0.05 (capped at 1.0)
- Severity: the more severe of the two is kept
- Fix text: the longer (more detailed) fix wins
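The merge rules above as one function, added here as an example rather than wcag-scan's own deduplication code. The violation field names, the element fingerprint fields, and using the higher of the two confidences as the base before the boost are assumptions.

```javascript
// Assumed violation shape: { sources, criterion, severity, confidence, element, fix }.
const SEVERITY_RANK = { minor: 0, moderate: 1, serious: 2, critical: 3 };

// Key: WCAG criterion + element fingerprint (tag, id, role, name, class).
function violationKey(v) {
  const e = v.element;
  return [v.criterion, e.tag, e.id || "", e.role || "", e.name || "", e.class || ""].join("|");
}

function mergeTwo(a, b) {
  // Boost only when both engines are reasonably sure; base is the higher confidence (assumption).
  const boost = a.confidence >= 0.7 && b.confidence >= 0.7 ? 0.05 : 0;
  return {
    ...a,
    sources: [...new Set([...a.sources, ...b.sources])],
    confidence: Math.min(1, Math.max(a.confidence, b.confidence) + boost),
    severity: SEVERITY_RANK[a.severity] >= SEVERITY_RANK[b.severity] ? a.severity : b.severity,
    fix: a.fix.length >= b.fix.length ? a.fix : b.fix, // longer, more detailed fix wins
  };
}

function deduplicate(violations) {
  const merged = new Map();
  for (const v of violations) {
    const key = violationKey(v);
    merged.set(key, merged.has(key) ? mergeTwo(merged.get(key), v) : { ...v });
  }
  return [...merged.values()];
}

// Constructed sample: axe and wcag-engine both flag the same unlabelled email field.
const EMAIL_FIELD = { tag: "input", id: "email", role: "", name: "", class: "form-control" };
const SAMPLE = [
  { sources: ["axe"], criterion: "1.3.1", severity: "serious", confidence: 0.95,
    element: EMAIL_FIELD, fix: "Add a <label for=\"email\"> element." },
  { sources: ["wcag-engine"], criterion: "1.3.1", severity: "critical", confidence: 0.70,
    element: EMAIL_FIELD,
    fix: "Placeholder text is not a label: add <label for=\"email\">Email address</label> and keep the placeholder as a hint." },
  { sources: ["wcag-engine"], criterion: "2.4.4", severity: "minor", confidence: 0.70,
    element: { tag: "a", id: "", role: "", name: "click here", class: "" },
    fix: "Replace 'click here' with text that describes the destination." },
];
```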
4. Scoring Methodology
wcag-scan produces two compliance outputs per scan: a numeric score (0–100) and a conformance level (AAA / AA / A / Fail). Both are computed deterministically from the raw violation data. The AI does not influence the score or level — its output is overridden before the result is returned.
Numeric Score
The score starts at 100 and subtracts penalties per violation, weighted by severity:
| Severity | First node | Each additional node |
|---|---|---|
| Critical | −20 | −4 |
| Serious | −10 | −2 |
| Moderate | −5 | −1 |
| Minor | −2 | −0 |
For violations from wcag-engine (Layers 1–3), the penalty is scaled by the violation's confidence score:
This means a heuristic detection at 0.65 confidence contributes only 65 % of its full penalty weight, while a high-confidence axe finding at 0.95 contributes nearly full weight.
Double-penalty prevention: if axe-core already penalised a given WCAG criterion, wcag-engine violations on the same criterion are skipped in the score calculation.
Final formula:
Conformance Level
| Level | Condition |
|---|---|
| Fail | Any Level A success criterion is violated (fixable violations only) |
| A | Level A passes; one or more Level AA criteria violated |
| AA | Both A and AA pass — meets EAA / ADA / EN 301 549 requirements |
| AAA | Zero violations detected across all engines |
Only violations with confidence ≥ 0.75 influence the level determination. This prevents low-confidence heuristic detections from shifting the conformance verdict.
Non-Fixable Exemption
Issues originating from third-party infrastructure outside the site owner's control — Cloudflare challenge pages, cookie consent overlays (OneTrust, Cookiebot), live chat widgets (Intercom, Zendesk, Drift), analytics scripts, CDN error pages — are flagged with fixable: false by the AI analysis layer.
If every issue in a report has fixable: false:
- The level is capped at AA (not Fail) — the site developer has nothing actionable to fix
- The score is floored at 50 — the visual indicator (score ring) does not show red for a clean site
This prevents sites from being penalised for code they do not control.
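The scoring and level rules of this section carried through as one deterministic function, added here as an example and not wcag-scan's own implementation. The violation field names, the clamp of the score to 0–100, and rounding to a whole number are assumptions; the sample violations are constructed.

```javascript
// Assumed violation shape: { source, criterion, level, severity, nodes, confidence, fixable }.
const PENALTY = {
  critical: { first: 20, extra: 4 },
  serious:  { first: 10, extra: 2 },
  moderate: { first: 5,  extra: 1 },
  minor:    { first: 2,  extra: 0 },
};

function computeScore(violations) {
  // Criteria axe-core already penalised: wcag-engine findings on them are skipped.
  const axeCriteria = new Set(violations.filter(v => v.source === "axe").map(v => v.criterion));
  let score = 100;
  for (const v of violations) {
    const { first, extra } = PENALTY[v.severity];
    let penalty = first + extra * Math.max(0, v.nodes - 1);
    if (v.source === "wcag-engine") {
      if (axeCriteria.has(v.criterion)) continue;   // double-penalty prevention
      penalty *= v.confidence;                       // confidence weighting (Layers 1-3)
    }
    score -= penalty;
  }
  score = Math.max(0, Math.round(score));            // clamp and round: assumption
  // Non-fixable exemption: nothing the site owner can act on, so the ring never goes red.
  const allNonFixable = violations.length > 0 && violations.every(v => v.fixable === false);
  return allNonFixable ? Math.max(50, score) : score;
}

function conformanceLevel(violations) {
  if (violations.length === 0) return "AAA";         // zero findings across all engines
  // Only fixable findings at confidence >= 0.75 can move the verdict.
  const counted = violations.filter(v => v.fixable !== false && v.confidence >= 0.75);
  if (counted.some(v => v.level === "A")) return "Fail";
  if (counted.some(v => v.level === "AA")) return "A";
  return "AA";                                       // all-non-fixable reports land here, never Fail
}

// Constructed sample: axe and wcag-engine both hit 1.3.1, so the engine finding is skipped.
const SAMPLE = [
  { source: "axe", criterion: "1.3.1", level: "A", severity: "critical", nodes: 3, confidence: 0.95, fixable: true },
  { source: "wcag-engine", criterion: "1.3.1", level: "A", severity: "serious", nodes: 1, confidence: 0.70, fixable: true },
  { source: "wcag-engine", criterion: "2.5.8", level: "AA", severity: "moderate", nodes: 4, confidence: 0.85, fixable: true },
  { source: "wcag-engine", criterion: "2.4.4", level: "A", severity: "minor", nodes: 5, confidence: 0.70, fixable: true },
];
// Constructed sample: a single third-party (non-fixable) issue with many nodes.
const THIRD_PARTY_ONLY = [
  { source: "axe", criterion: "4.1.2", level: "A", severity: "critical", nodes: 10, confidence: 0.95, fixable: false },
];
```

For SAMPLE the penalties are 28 (axe, 20 + 2×4), 6.8 (8 × 0.85) and 1.4 (2 × 0.70), giving 64; THIRD_PARTY_ONLY would score 44 but is floored to 50 and reported as AA.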
5. Plan Structure and Limits
Tier Comparison
| Feature | Free | Pro | Team |
|---|---|---|---|
| Sign-in required | No | Yes (Clerk) | Yes (Clerk) |
| Scan type | Single page | Single page | Single + multi-page |
| Domains | — | 3 tracked domains | 10 tracked domains |
| Team seats | — | 1 | 5 (owner + 4 members) |
| AI model | Claude Haiku | Claude Sonnet | Claude Sonnet |
| Max violations analysed | 20 | 35 | 35 |
| Report schema | Basic (fix) | Full (code_fix, effort, affected_groups) | Full |
| PDF report | Watermarked | Clean | Clean |
| CSV export | — | ✓ | ✓ |
| Scan history | — | Last 100 per domain | Last 100 per domain |
| Auto-scan monitoring | — | ✓ (weekly, per domain) | ✓ |
| Score-change email alerts | — | ✓ | ✓ |
| Email digest | — | Weekly or monthly | Weekly or monthly |
| GitHub Agent (auto-fix PRs) | — | — | ✓ (5 runs/month) |
| Multi-page crawl | — | — | Up to 20 pages/run |
| SEO audit | — | ✓ | ✓ |
| Scan timeout | 30 s | 90 s | 360 s (multi-page) |
Free Tier Rate Limits (from code)
| Limit | Value | Window |
|---|---|---|
| Scans per domain (global) | 3 | 7 days (rolling) |
| Unique domains per IP | 3 | 7 days (rolling) |
| Scans per IP per domain | 3 | 7 days (rolling) |
| Email sends per IP | 10 | 24 hours |
| Datacenter / VPN IPs | Blocked | — |
Multi-Page Scan Mechanics (Team Plan)
6. Technical Architecture
Stack
| Component | Technology | Notes |
|---|---|---|
| API server | Node.js + Express | Single deployable, modular route files |
| Browser automation | Puppeteer + headless Chromium | One session per scan; media + fonts blocked for speed |
| Detection engine 1 | axe-core | Tags: wcag2a, wcag2aa, best-practice |
| Detection engine 2 | wcag-engine (proprietary, 3 layers) | 16 rules across DOM, a11y tree, keyboard |
| Detection engine 3 | IBM Equal Access (ACE) | Loaded via browser-injectable bundle |
| Detection engine 4 | W3C Nu Html Checker | Structural HTML validation via API |
| AI layer | Anthropic Claude API | Sonnet 4 for Pro/Team; Haiku 4.5 for Free |
| Authentication | Clerk | JWT-based, webhook-provisioned accounts |
| Database | Supabase (PostgreSQL) | Scans, domains, subscriptions, agent runs |
| Payments | Stripe | Embedded checkout; subscription lifecycle via webhooks |
| Transactional email | Resend | Reports, digests, score alerts, team invitations |
| Deployment | Railway (Nixpacks) | — |
| Frontend | Next.js | SSR + client-side dashboard |
| Concurrency control | PQueue (in-process) | Limits simultaneous browser sessions |
Scan Pipeline (Single Page)
GitHub Agent Pipeline (Team Plan)
API Routes
| Method | Path | Auth | Purpose |
|---|---|---|---|
| POST | /audit | None | Free-tier single-page scan |
| POST | /email | None | Email PDF report (free tier) |
| POST | /report/download | None | Download watermarked PDF (free tier) |
| GET/POST/DELETE | /domains/* | Clerk + Sub | Domain CRUD, trigger scan, toggle auto-scan |
| GET/DELETE | /scans/* | Clerk + Sub | Scan history, CSV, PDF, report JSON |
| POST/GET/DELETE | /seo/* | Clerk + Sub | SEO scan, history, CSV, PDF |
| POST/GET/DELETE | /agent/* | Clerk + Sub | GitHub OAuth, connection, agent runs (SSE) |
| GET/POST/PUT | /subscription* | Clerk + Sub | Plan info, cancel, reactivate, digest settings |
| POST/GET | /team/* | Varies | Team checkout, invitation, member management |
7. Security, Privacy, and Compliance
| Area | Control |
|---|---|
| Data at rest | Only violation metadata and scores are stored (Supabase / PostgreSQL). Full page HTML is processed in memory and never persisted. |
| SSRF protection | URLs are sanitised and validated before Puppeteer navigates. Internal/private IP ranges are rejected. |
| Bot / automation protection | Free-tier scans check the requesting IP against ip-api.com's hosting/datacenter flag. Datacenter IPs are blocked. |
| Authentication | All paid-tier routes verify a Clerk JWT. Team member access is scoped to the subscription. |
| Authorisation | Destructive actions (delete domain, cancel subscription, run agent) require the owner or admin role. |
| Payment security | Stripe Embedded Checkout handles all card data. No PCI-scoped data touches our servers. |
| Rate limiting | Domain, IP, and email rate limits are enforced in-memory (see Section 5). |
| Data retention | Scans are soft-deleted (deleted_at timestamp). Hard purge runs on a scheduled interval. |
| Dependency supply chain | axe-core, IBM ACE, and Puppeteer are loaded from pinned npm packages. No remote script injection. |
8. Competitive Position
Landscape
| Capability | wcag-scan | Competitor A | Competitor B | Competitor C | Competitor D |
|---|---|---|---|---|---|
| Detection sources | 4 independent engines | 1 (axe) | 1 (proprietary) | 1 (proprietary) | Partial axe subset |
| Proprietary rules | 16 (gap-filling axe + keyboard + tree) | — | Proprietary | Proprietary | — |
| Real keyboard simulation | ✓ (Tab order, focus trap, Escape) | ✗ | ✗ | ✗ | ✗ |
| Accessibility tree analysis | ✓ (computed names, landmarks, live regions) | ✗ | Unknown | ✗ | ✗ |
| AI-generated code fixes | ✓ (per-issue, with corrected code) | Partial (Deque AI) | ✗ | ✗ | ✗ |
| Automated fix PRs | ✓ (GitHub Agent) | ✗ | ✗ | ✗ | ✗ |
| Deterministic scoring | ✓ (algorithm, not AI) | ✓ | ✓ | N/A (no score) | ✓ |
| Continuous monitoring | ✓ (auto-scan + email alerts) | ✓ | ✓ | ✗ | ✗ |
| Multi-page crawl | ✓ (sitemap + fallback, 20 pages/run) | ✓ | ✓ | ✗ | ✗ |
| Free tier | ✓ (no sign-in) | Limited (browser ext) | ✗ | ✓ | ✓ (CLI) |
| Pricing segment | SMB / mid-market | Mid-market / enterprise ($$$) | Enterprise ($$$) | Free | Free |
Primary Differentiators
9. Product Roadmap
Shipped (Current State)
| Feature | Plans |
|---|---|
| 4-engine WCAG scan (axe + wcag-engine + IBM ACE + W3C) | All |
| 16 proprietary gap-filling rules across 3 detection layers | All |
| Deterministic scoring with confidence weighting | All |
| Non-fixable issue exemption (third-party infra) | All |
| False positive suppression (full-tree landmark walk, skip-link guard, role filters) | All |
| PDF report (watermarked free / clean paid) | All |
| CSV export | Pro, Team |
| AI-powered fix descriptions and code corrections | Pro, Team |
| Scan history and regression tracking | Pro, Team |
| Automated weekly monitoring with score-change email alerts | Pro, Team |
| Weekly / monthly email digest | Pro, Team |
| SEO audit (parallel product) | Pro, Team |
| Multi-page crawl with sitemap-aware route discovery | Team |
| GitHub Agent — automated fix pull requests (SSE-streamed) | Team |
| Team seats with invitation workflow (up to 5 members) | Team |
Planned — Near-Term (next 6 months)
| Feature | Rationale |
|---|---|
| CI/CD integration (GitHub Action + CLI binary) | Unlocks dev-workflow adoption; shift-left testing in PRs |
| Remediation tracking — mark issues as fixed, re-verify | Closes the remediation loop; reduces time-to-compliance |
| White-label PDF — custom branding and logo | Agency and consultancy revenue; per-client billing potential |
| Slack / Teams / webhook alerts | Enterprise notification workflows |
| Screenshot annotations — violations overlaid on page screenshot | Visual context for non-technical stakeholders |
Planned — Mid-Term (6–12 months)
| Feature | Rationale |
|---|---|
| API access (REST + webhooks for scan results) | Enables integrations, reseller and agency workflows |
| WCAG 2.2 full coverage (axe-core parity + 2.5.7, 2.5.8, 3.2.6, 3.3.7, 3.3.8, 3.3.9) | Complete coverage of the latest standard |
| Component-level scanning (Storybook / design system integration) | Shift-left — catch issues before deployment |
| Scan diff — show changes between consecutive scans on the same page | Regression analysis and progress tracking |
Planned — Long-Term (12–18 months)
| Feature | Rationale |
|---|---|
| Enterprise SSO (SAML 2.0, SCIM provisioning) | Required for enterprise buyer procurement |
| Assistive technology simulation (NVDA / VoiceOver script replay) | Moves beyond static tree analysis to real screen reader output |
| Legal audit trail — timestamped, digitally signed PDF reports | Litigation defence and EAA compliance evidence |
| Managed remediation service (AI + human expert hybrid) | High-margin professional services layer |
This document describes the product as built and deployed. Market data points include attributed sources. Roadmap features reflect current planning and are subject to change.