WCAG 2.2 AA Remediation Log¶
Companion to docs/quality/wcag-audit-2026-04.md (the original audit). This log records what each remediation session closed, what remains open, and what cannot be closed by static-source remediation.
Sessions¶
s51 -- 2026-04-XX -- Audit (read-only)¶
Static source review of 6 standalone HTML tools (crypto-toolkit.html, pattern-hunter.html, daily-practice.html, skill-mastery-map.html, did-web-vc-demo.html, incident-cost-calculator.html). Output: docs/quality/wcag-audit-2026-04.md. Severity tally on the audited surface: ~2 CRITICAL, ~14 HIGH, ~17 MEDIUM, ~5 LOW. No code changes.
s52 -- 2026-04-XX -- CRITICAL closure pass¶
Closed the two CRITICAL keyboard-trap findings on the audited tools:
pattern-hunter.html--.example-pill<span>elements converted to<button class="example-pill">so keyboard users can load examples.skill-mastery-map.html--.concept-item<div>elements gainedrole="button" tabindex="0" aria-pressedplus Enter/Space key handling so keyboard users can mark concepts mastered..group-cardgot the same treatment.
Plus the most-impactful HIGH-severity systemic items:
- Tab UIs across all 6 tools refactored to the WAI-ARIA tab pattern (
role="tablist"/role="tab"/role="tabpanel"/aria-selected/aria-controls) plus arrow-key / Home / End keyboard navigation. :focus-visibleoutline rule added across all 6 tools.aria-liveregions added to result containers.
s53 -- 2026-04-XX -- HIGH/MEDIUM closure pass¶
- Label-input association (
for/id) gaps closed on the audited tools. aria-valuetextadded to<input type="range">sliders inincident-cost-calculator.html.<canvas role="img" aria-label="...">andaria-livetext-summary descriptions added to chart canvases inincident-cost-calculator.html.aria-labeladded to dynamic claim-row inputs indid-web-vc-demo.html(replaces placeholder-as-label).aria-labeladded to the✕remove-claim button indid-web-vc-demo.html..icc-sr-onlyutility class introduced inincident-cost-calculator.html.- Slider thumb expanded to 24x24 in
incident-cost-calculator.html(closes 2.5.8 strict-spec borderline). - Info-icon
?element bumped from 16x16 to 24x24 inincident-cost-calculator.html(closes 2.5.8 FAIL).
s54 -- 2026-04-23 -- Final closure pass (this log)¶
Applied the remaining ~5 unaddressed-by-prior-tasks items across the 6 audited tools, plus the same fixes on the 11 optional tools where the patterns naturally appear.
Per-file fix matrix:
| Tool | reduced-motion | sr-only | table caption | info->button | JSON-LD desc | new-tab label |
|---|---|---|---|---|---|---|
| crypto-toolkit.html | yes | yes (added) | n/a | n/a | n/a | n/a |
| pattern-hunter.html | yes | yes (added) | yes (1 syntax-help) | n/a | n/a | n/a |
| daily-practice.html | yes | yes (added) | n/a | n/a | n/a | n/a |
| skill-mastery-map.html | yes | yes (added) | n/a | n/a | n/a | n/a |
| did-web-vc-demo.html | yes | yes (added) | yes (3: 2 compare + 1 kv-table) | n/a | yes (5 outputs: dd-jwk, dd-doc, iss-unsigned, iss-signed, vp-out) | yes (7 links) |
| incident-cost-calculator.html | yes | already present (.icc-sr-only) | yes (2: fines + compare) | yes (8 info icons) | n/a | n/a |
| threat-actor-playbook-generator.html | yes | yes (added) | n/a | n/a | n/a | n/a |
| incident-post-mortem-generator.html | yes | yes (added) | n/a | n/a | n/a | n/a |
| detection-query-optimizer.html | yes | yes (added) | n/a | n/a | n/a | n/a |
| ai-jailbreak-tester.html | yes | yes (added) | n/a | n/a | n/a | n/a |
| soc-digital-twin.html | yes | yes (added) | yes (1 assumptions) | n/a | n/a | n/a |
| query-translator.html | yes | yes (added) | yes (1 field-mapping) | n/a | n/a | n/a |
| regex-tester.html | yes | yes (added) | n/a | n/a | n/a | n/a |
| packet-parser.html | yes | yes (added) | yes (1 packets) | n/a | n/a | n/a |
| skill-portfolio.html | yes | yes (added) | n/a | n/a | yes (1 vp-out) | n/a |
| skill-tree-viz.html | yes | yes (added) | n/a | n/a | n/a | yes (1 link, in tooltip JS) |
| chapter-practice.html | yes | yes (added) | n/a | n/a | n/a | n/a |
Totals (this session):
- 17
prefers-reduced-motionblocks added (one per tool) - 16
.sr-onlyutility classes added (incident-cost-calculator already had.icc-sr-only) - 9
<table><caption class="sr-only">additions - 8 info-icon spans converted to
<button class="icc-info">witharia-label - 6 JSON-LD URI announcements (sr-only sibling description +
aria-describedby+role="region"+aria-labelon the output box) - 8 opens-in-new-tab announcements (7 in did-web-vc-demo, 1 in skill-tree-viz tooltip JS)
Build verification: python -m mkdocs build --strict ran post-edit -- PASS in 218.83 seconds, exit 0, zero warnings. (The "exists in docs but not in nav" notice for quality/y-js-poc-deployment.md is informational and pre-existing -- unrelated to this remediation.)
Estimated WCAG 2.2 AA conformance after s54¶
Cumulative closure across s52 + s53 + s54 (audited 6 tools):
- 2 CRITICAL closed (s52)
- ~14 HIGH closed (s52 + s53; all systemic S1, S2, S3, S4 plus tooltip-icon focus and label associations)
- ~17 MEDIUM closed (s52 + s53 + s54; including small-button target sizes, slider aria-valuetext, gradient-button text contrast, canvas alt text, kv-table caption, claim-row aria-labels, JSON-LD URI announcements, table captions)
- ~5 LOW closed (s53 + s54; including new-tab announcements, prefers-reduced-motion, info-icon discoverability, decorative-glyph aria-hidden where applied)
Status: the 6 audited tools should now be WCAG 2.2 AA conformant on every success criterion that can be verified by static-source review. The 11 unaudited optional tools received the same systemic patches (prefers-reduced-motion, .sr-only, <caption> where tables exist, opens-in-new-tab where applicable, JSON-LD URI announcement where applicable). The unaudited optional tools were not given a full per-criterion audit; expect the same residual systemic issues as the original audit predicted (label/input associations, decorative-glyph leakage, etc.) to remain in proportion to how heavily each tool reused the shared boilerplate.
Findings still open¶
O1 -- Manual third-party AT (Assistive Technology) test¶
Cannot be closed by automation. Static-source review and contrast computation cannot tell you how NVDA, JAWS, VoiceOver, or TalkBack actually announce a tool. Some of the fixes shipped (live regions, aria-describedby, sr-only descriptions) may behave differently across AT vendor / version / browser combinations. Some announcements that look correct in source may be redundant, missed, or mis-ordered when read aloud.
Required for full WCAG 2.2 AA conformance claim:
- NVDA (Windows, Firefox + Chrome) -- minimum 2 audited tools
- JAWS (Windows, Chrome) -- minimum 2 audited tools (license required)
- VoiceOver (macOS Safari + iOS Safari) -- minimum 2 audited tools
- TalkBack (Android Chrome) -- minimum 2 audited tools
Recommended scope: the three highest-traffic tools -- once analytics activates and traffic is measurable. Until then, pick incident-cost-calculator.html (most complex form surface), did-web-vc-demo.html (multi-step cross-tab workflow), and daily-practice.html (rapid keyboard-driven loop) as representative.
O2 -- Unaudited tools not yet given full per-criterion audits¶
The 11 optional tools modified in s54 received the systemic patches but not full per-criterion audits. Notably remaining-unknown:
attck-coverage-heatmap.html,detection-browser.html,red-team-report-generator.html,security-budget-calculator.html,security-metrics-dashboard.html,soar-playbook-designer.html,threat-model-canvas.html,ir-tabletop-generator.html-- not in scope for s54.- The 47 microsim files (
docs/microsims/*.html) -- not yet audited. - The 543-node knowledge graph 3D visualization (if shipped) -- not yet audited (will likely need WCAG 2.5.7 dragging-movement consideration).
O3 -- Automated CI accessibility check¶
axe-core / pa11y / Lighthouse CI not yet wired. Recommended once GitHub Actions quota resets (2026-05-01) or once the repo goes public (Actions minutes become unlimited). Wire npx @axe-core/cli against the built site for every PR.
O4 -- Cognitive accessibility¶
Out of scope for the audit. Voice-rewrite phase (s36-s43) addressed clarity at the chapter level; tool-surface cognitive load is its own pass.
O5 -- Internationalization / RTL¶
Out of scope. All tools currently lock lang="en"; no localization layer exists.
Recommended next steps¶
- Schedule the third-party AT manual test as a one-off task -- ideally outsource to a paid AT-accessibility consultant for the three representative tools above. Budget ~2-4 hours of consultant time.
- Wire
axe-coreinto CI once quota / public-repo path clears. - Audit the remaining ~12 unaudited tools -- can be a single-pass static review using the same methodology as
wcag-audit-2026-04.md. - Microsim audit pass -- separate audit task (47 files).
- Public-launch sequence -- accessibility conformance claim at "WCAG 2.2 AA conformant for sighted keyboard users; substantially conformant for screen-reader users (manual AT test pending)" is defensible after s54.
References¶
- Original audit:
docs/quality/wcag-audit-2026-04.md - WCAG 2.2 spec: https://www.w3.org/TR/WCAG22/
- ARIA Authoring Practices Guide: https://www.w3.org/WAI/ARIA/apg/
- Deque axe-core: https://github.com/dequelabs/axe-core