Releases: AllyCatHQ/allycat-core
v1.6.0 — Baseline Rename Protection & Config Hardening
What's New in v1.6.0
Baseline Rename Protection
Renaming or moving a file no longer makes --fail-on-new treat its existing violations as new.
- AllyCat detects renames via git history and matches violations to the file's new path automatically.
- After a rename, AllyCat reminds you to re-run --save-baseline to keep things in sync — your baseline file is never modified automatically.
- Existing baseline files keep working unchanged.
Fixed
- --fail-on-new could incorrectly report existing baseline violations as new after unrelated edits elsewhere in the file — including page-level rules like html-has-lang and document-title
- Baselines saved on Windows now work correctly when checked on Linux CI (and vice versa) — paths are compared consistently across operating systems
- A corrupted allycat-baseline.json no longer crashes --fail-on-new — AllyCat now warns and skips the check, same as a missing file
- A broken allycat.config.json (e.g. null, an array, or plain text) no longer crashes the scan — AllyCat falls back to defaults and leaves your file untouched
- Hand-edited configs with missing fields no longer crash allycat scan — missing fields are filled in with defaults automatically
- Config migration no longer crashes on a read-only allycat.config.json — AllyCat warns and retries on the next run
- Invalid config values (e.g. an unsupported standard) are no longer silently accepted — AllyCat validates, warns, and falls back to the default. The scan banner now shows the full standard name (e.g. WCAG 2.1 AA)
Upgrade Notes
- No breaking changes. Existing baselines and config files keep working without re-saving.
- In CI, rename detection requires git history — see the CI/CD Integration Guide (docs/ci-integration.md) for fetch-depth / GIT_DEPTH settings.
- No allycat init re-run needed.
Full changelog → CHANGELOG.md
v1.5.0 - Terminal Commands
What's New in v1.5.0
New Commands — report, feedback, update
Three new terminal commands that keep you in the terminal instead of switching context:
- allycat update — checks the npm registry for a newer version and shows exactly which command to run. Opens release notes or the full changelog directly from the prompt.
- allycat report — opens your last allycat-report.html in the browser without hunting for the file. Prints a clear message if no report exists yet.
- allycat feedback — opens GitHub Issues in your browser to report a bug or request a feature without leaving the terminal.
Security — Browser Open Hardened
exec replaced with execFile in all browser-open code paths, eliminating a shell injection vector. No behavior change for users.
Fixed
- Config files with invalid JSON now show a clear error with the relative file path instead of a raw Node.js stack trace
- allycat update uses the built-in https module instead of fetch — fully compatible with Node.js 20
- Version comparison in allycat update correctly handles pre-release versions (e.g. 1.6.0-beta.1)
Upgrade Notes
- No breaking changes. All existing flags and config fields work as before.
- No allycat init re-run needed.
Full changelog → CHANGELOG.md
v1.4.1
What's New in v1.4.1
Bug Fix — allycat-report.html No Longer Scanned
The generated report file is now excluded from all scan modes — normal scan, watch mode, and --changed. Previously, it could appear in the results if it existed in the target directory or showed up in the git diff.
No config changes needed. The exclusion is automatic and unconditional.
UX — allycat init Report Delivery Defaults
Two small prompt changes to make first-time setup less intrusive:
- "Ask me each time" is now the first option in the report delivery prompt instead of "Auto-open in browser" — a safer default that doesn't surprise new users.
- The "Open fix-prompt report in browser?" prompt now defaults to No — pressing Enter skips the browser open and prints the path instead.
Upgrade Notes
- No breaking changes. All existing flags and config fields work as before.
- No allycat init re-run needed — these are prompt defaults only.
Full changelog → CHANGELOG.md
v1.4.0 - WCAG 2.2 AA
What's New in v1.4.0
WCAG 2.2 AA Scanning Mode
AllyCat now supports WCAG 2.2 AA as a selectable standard — pick it in allycat init or set it directly in your config.
{
"selectedStandard": "wcag-22-aa"
}
Uses axe-core's full WCAG 2.2 tag set. In axe-core v4.11.1 this adds one additional automated rule over WCAG 2.1 AA: target-size (SC 2.5.8 — minimum 24×24px touch target). Recommended for new projects targeting the 2025+ standard.
Bug Fix — Init Summary Display
The allycat init confirmation screen now shows the correct human-readable standard name instead of the raw config value.
┌─────────────────┬────────────┬────────────────────────────┐
│ Standard picked │ Before │ After │
├─────────────────┼────────────┼────────────────────────────┤
│ WCAG 2.1 AA │ WCAG-AA │ WCAG 2.1 AA │
├─────────────────┼────────────┼────────────────────────────┤
│ WCAG 2.2 AA │ WCAG-22-AA │ WCAG 2.2 AA │
├─────────────────┼────────────┼────────────────────────────┤
│ WCAG AAA │ WCAG-AAA │ WCAG AAA (automated rules) │
└─────────────────┴────────────┴────────────────────────────┘
Bug Fix — Ghost axe-core Tag Removed
The WCAG AAA tag set included wcag21aaa, a tag that does not exist in axe-core v4.11.1. It was silently contributing zero rules. Removed.
AAA Standard Relabeled
AAA mode is now labeled "WCAG AAA (automated rules)" everywhere — init wizard, reports, and help text. The previous label ("WCAG 2.1 AAA") overstated coverage. Full AAA conformance always requires a manual audit alongside automated tooling.
Upgrade Notes
- Run allycat init to select WCAG 2.2 AA, or add "selectedStandard": "wcag-22-aa" to your existing allycat.config.json.
- No breaking changes. All existing flags and config fields work as before.
Full changelog → CHANGELOG.md
v1.3.0 — Smarter Excludes & Config Migration Engine
What's New in v1.3.0
Smarter --exclude Path Resolution
When scanning a subdirectory, --exclude names are now automatically resolved relative to your target — no more full paths needed.
# Before: had to write the full path
allycat scan src/pages --exclude src/pages/legacy.html
# Now: just the name
allycat scan src/pages --exclude legacy.html
Glob patterns and absolute paths are passed through unchanged, so nothing breaks.
Config Migration Engine
allycat.config.json now tracks a configVersion field. When you upgrade AllyCat and your config is from an older version, it's automatically migrated and saved — no manual edits required.
Old configs (no configVersion) are silently upgraded on first run. Future schema changes will migrate with a clear message so you know what changed.
Bug Fix — Watch Mode Exclude Scoping
In --watch mode, real-time file filtering now applies the same exclude scoping as the initial scan. Previously, a scoped exclude like --exclude legacy.html could suppress violations on first scan but miss them when files changed.
Upgrade Notes
- Run allycat init to get a fresh config with configVersion: 1, or just run any scan — your existing config will be migrated automatically.
- No breaking changes. All existing flags and config fields work as before.
Full changelog → CHANGELOG.md
v1.2.1 — Full Scan Fix
What's New in v1.2.1
🔧 Fixed
Full Scan Works After Global Install
allycat scan --full now works correctly out of the box after a global install — no extra steps, no silent failures.
- Root cause: playwright and @axe-core/playwright were listed under devDependencies, which npm skips entirely during a global install (npm install -g allycat). Users who followed the README and ran npx playwright install chromium were downloading the browser correctly, but the playwright npm package itself was never present, causing --full to fail.
- Fix: Both packages are now listed under dependencies and always ship with Allycat (~5MB). The Chromium browser (~300MB) remains a separate, optional step — only needed if you use --full.
# Install Allycat (Playwright ships with it automatically)
npm install -g allycat
# Only if you want a full scan with contrast checking:
npx playwright install chromium
# Full scan
allycat scan ./src --full
CI: Production Install Smoke Test
Added a new CI step that simulates the exact user install path — packs the tarball without devDependencies, installs it into a clean directory, and runs a full scan. This catches any future dependency miscategorisation before it reaches users.
📦 Install / Upgrade
npm i -g allycat
📖 Full Changelog
See CHANGELOG.md for the complete historical breakdown.
v1.2.0 — Exclude Flag & Update Notifier
What's New in v1.2.0
🚀 Added
--exclude Flag
Exclude specific paths and glob patterns from the scan. The flag is repeatable — stack as many patterns as needed.
allycat scan ./src --exclude "src/legacy/**" --exclude "**/*.test.tsx"
- Comprehensive Support: Works in both normal scan and --watch mode.
- Pre-Resolution Performance: Files are filtered out before they reach the scanner, ensuring excluded files never run.
- Smart Stacking: Extends and stacks on top of built-in ignores (node_modules, dist, build).
- Visual Confirmation: Displayed in the config panel at scan start so you can verify what's being excluded.
- Scoped Filtering: --changed scoped scans respect --exclude — pre-resolved changed files are filtered before dispatching.
Update Notifier
Users running an outdated global install will now see an automated upgrade banner at startup:
╭──────────────────────────────────────╮
│ Update available: 1.1.0 → 1.2.0 │
│ Run: npm i -g allycat │
╰──────────────────────────────────────╯
> Note: Runs asynchronously in the background and will never block or delay your scan.
🔧 Fixed
- Dependency Cleanup: Moved Playwright back to devDependencies to restore package-lock.json integrity and unblock npm publish in CI.
- Scoped Filtering Fix: Pre-resolved --changed files are now correctly filtered against --exclude before being dispatched to the scanner.
- Watch Mode Consistency: Excluded files are properly skipped on re-scans during --watch mode, not just the initial scan.
📦 Install / Upgrade
npm i -g allycat
📖 Full Changelog
See CHANGELOG.md for the complete historical breakdown.
v1.1.0
Added
- ai.reportBehavior config option — controls how the fix-prompt report is delivered after each scan: auto-open (opens in browser), path-only (prints relative + absolute path to terminal), ask (prompts each time). Defaults to path-only on upgrade, so existing installs never get a surprise browser open.
- allycat init now includes a 3-choice delivery question (shown when AI fix prompts are enabled)
Fixed
- --fail-on-* exit codes were bypassed in non-interactive environments (CI, piped stdin) when ai.reportBehavior was set to ask — @clack/prompts was calling process.exit(0) before the exit gate logic ran. Added a process.stdin.isTTY guard to fall back to path-only in non-interactive contexts.
Changed
- Fix prompts — renamed from "AI fix suggestions" to "fix prompts for your AI agent" for clearer intent
- RTL is now a standalone opt-in feature (rules.rtl: true in allycat.config.json), decoupled from any accessibility standard. Works for Hebrew, Arabic, Persian, and all other RTL languages. Violation rule ID renamed from israel-rtl → rtl-direction.
Removed
- Israeli Standard IS 5568 was removed as a selectable accessibility standard. The standard caused naming friction and generated false positives on bilingual pages (ISSUE-008). RTL checking has been promoted to a standalone, language-agnostic opt-in feature independent of any regional standard.
v1.0.0 — Initial Release
allycat — Accessibility CLI for Source Files
Scan JSX, Vue, Angular, and HTML for accessibility violations without a running server.
Exact source line numbers. Watch mode. CI gates. AI fix prompts.
Why allycat?
Most accessibility tools require a live browser. allycat works directly on your source files —
making it fast enough for watch mode and simple enough to drop into any CI pipeline.
What's included in v1.0.0
Scanning
- Quick mode — JSDOM-based, ~1s per file, no browser needed
- Full mode — Playwright/Chromium for accurate color contrast checking
- Supports HTML, JSX/TSX, Vue (.vue), and Angular templates (inline + external)
Standards
- WCAG 2.1 Level AA and AAA
- Israeli Standard IS 5568
- RTL layout violation detection for Hebrew/Arabic content
CI & Workflow
- --fail-on-critical / --fail-on-serious / --fail-on-any — granular exit codes for CI gates
- --save-baseline / --fail-on-new — adopt incrementally without being blocked by pre-existing violations
- --changed — scan only files modified since the last git commit
- --watch — live re-scan on save with NEW/FIXED delta labels
Output
- Exact source line numbers for every violation
- Clickable vscode:// links to jump directly to the line in VS Code
- Self-contained HTML report — dark/light toggle, filters, AI fix prompt modals
- JSON output for custom pipelines
Install
npm install -g allycat
allycat scan ./src
Full docs → README