From d88626afb707067c8402e68859dbdcb615934c79 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 May 2026 14:28:47 +0000 Subject: [PATCH 01/11] Initial plan From c173685a9ad7190ef7592b6134bc3017b51c6883 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 May 2026 15:06:58 +0000 Subject: [PATCH 02/11] docs: add explicit a11y and security checklists to PR templates Agent-Logs-Url: https://github.com/lightspeedwp/.github/sessions/ba044d72-7bd9-4995-9823-190a7c1e498f --- .github/PULL_REQUEST_TEMPLATE/README.md | 4 +++- .github/PULL_REQUEST_TEMPLATE/pr_bug.md | 12 ++++++++++-- .github/PULL_REQUEST_TEMPLATE/pr_chore.md | 12 ++++++++++-- .github/PULL_REQUEST_TEMPLATE/pr_ci.md | 12 ++++++++++-- .github/PULL_REQUEST_TEMPLATE/pr_dep_update.md | 12 ++++++++++-- .github/PULL_REQUEST_TEMPLATE/pr_docs.md | 12 ++++++++++-- .github/PULL_REQUEST_TEMPLATE/pr_feature.md | 12 ++++++++++-- .github/PULL_REQUEST_TEMPLATE/pr_hotfix.md | 12 ++++++++++-- .github/PULL_REQUEST_TEMPLATE/pr_refactor.md | 12 ++++++++++-- .github/PULL_REQUEST_TEMPLATE/pr_release.md | 12 ++++++++++-- .github/instructions/pull-requests.instructions.md | 6 ++++-- .github/pull_request_template.md | 12 ++++++++++-- docs/PR_CREATION_PROCESS.md | 2 ++ 13 files changed, 109 insertions(+), 23 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE/README.md b/.github/PULL_REQUEST_TEMPLATE/README.md index 518751b3..b390de92 100644 --- a/.github/PULL_REQUEST_TEMPLATE/README.md +++ b/.github/PULL_REQUEST_TEMPLATE/README.md 
@@ -51,6 +51,7 @@ These templates integrate with: - **Status Tracking**: PR status is automatically managed through the workflow - **Changelog Integration**: Release PRs automatically update changelogs - **Quality Gates**: Automated checks ensure PR meets quality standards +- **Review Checklists**: Every template includes explicit accessibility and security checks ## 📚 Related Documentation @@ -64,7 +65,8 @@ These templates integrate with: 1. **Template Selection**: Choose the template that best matches your PR type 2. **Required Fields**: Complete all required sections in the template 3. **Branch Naming**: Follow the [branching strategy](../docs/BRANCHING_STRATEGY.md) for automatic detection -4. **Automation**: Let the system handle labeling and assignment - avoid manual changes +4. **A11y & Security**: Complete the WCAG 2.1 AA+ and OWASP-aligned checklist items before review +5. **Automation**: Let the system handle labeling and assignment - avoid manual changes ## ⚠️ Important Notes diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_bug.md b/.github/PULL_REQUEST_TEMPLATE/pr_bug.md index 32e1a7af..d6554fdf 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_bug.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_bug.md 
@@ -93,9 +93,17 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] All AC met and demonstrated - [ ] Tests added/updated (unit/E2E as appropriate) -- [ ] A11y considerations addressed where relevant +- [ ] Accessibility checklist completed (where relevant): + - [ ] Semantic HTML and heading order verified + - [ ] Keyboard navigation and visible focus states verified + - [ ] ARIA used only where needed + - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) -- [ ] Security/perf impact reviewed where relevant +- [ ] Security checklist completed (where relevant): + - [ ] Untrusted input validated and sanitised + - [ ] Output escaped for its rendering context + - [ ] Privileged actions enforce nonce and capability checks + - [ ] No secrets/sensitive data introduced; OWASP risks reviewed - [ ] Code/design reviews approved - [ ] CI green; linked issues closed; release notes prepared (if shipping) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_chore.md b/.github/PULL_REQUEST_TEMPLATE/pr_chore.md index e1425cf1..84d2020b 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_chore.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_chore.md 
@@ -86,9 +86,17 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] All AC met and demonstrated - [ ] Tests added/updated (unit/E2E as appropriate) -- [ ] A11y considerations addressed where relevant +- [ ] Accessibility checklist completed (where relevant): + - [ ] Semantic HTML and heading order verified + - [ ] Keyboard navigation and visible focus states verified + - [ ] ARIA used only where needed + - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) -- [ ] Security/perf impact reviewed where relevant +- [ ] Security checklist completed (where relevant): + - [ ] Untrusted input validated and sanitised + - [ ] Output escaped for its rendering context + - [ ] Privileged actions enforce nonce and capability checks + - [ ] No secrets/sensitive data introduced; OWASP risks reviewed - [ ] Code/design reviews approved - [ ] CI green; linked issues closed; release notes prepared (if shipping) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_ci.md b/.github/PULL_REQUEST_TEMPLATE/pr_ci.md index 625df382..e8d742ae 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_ci.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_ci.md 
@@ -93,9 +93,17 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] All AC met and demonstrated - [ ] Tests added/updated (unit/E2E as appropriate) -- [ ] A11y considerations addressed where relevant +- [ ] Accessibility checklist completed (where relevant): + - [ ] Semantic HTML and heading order verified + - [ ] Keyboard navigation and visible focus states verified + - [ ] ARIA used only where needed + - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) -- [ ] Security/perf impact reviewed where relevant +- [ ] Security checklist completed (where relevant): + - [ ] Untrusted input validated and sanitised + - [ ] Output escaped for its rendering context + - [ ] Privileged actions enforce nonce and capability checks + - [ ] No secrets/sensitive data introduced; OWASP risks reviewed - [ ] Code/design reviews approved - [ ] CI green; linked issues closed; release notes prepared (if shipping) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_dep_update.md b/.github/PULL_REQUEST_TEMPLATE/pr_dep_update.md index 0285bda5..33e35231 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_dep_update.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_dep_update.md 
@@ -83,9 +83,17 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] All AC met and demonstrated - [ ] Tests added/updated (unit/E2E as appropriate) -- [ ] A11y considerations addressed where relevant +- [ ] Accessibility checklist completed (where relevant): + - [ ] Semantic HTML and heading order verified + - [ ] Keyboard navigation and visible focus states verified + - [ ] ARIA used only where needed + - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) -- [ ] Security/perf impact reviewed where relevant +- [ ] Security checklist completed (where relevant): + - [ ] Untrusted input validated and sanitised + - [ ] Output escaped for its rendering context + - [ ] Privileged actions enforce nonce and capability checks + - [ ] No secrets/sensitive data introduced; OWASP risks reviewed - [ ] Code/design reviews approved - [ ] CI green; linked issues closed; release notes prepared (if shipping) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_docs.md b/.github/PULL_REQUEST_TEMPLATE/pr_docs.md index fbaf27a5..0ea35d86 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_docs.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_docs.md 
@@ -81,9 +81,17 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] All AC met and demonstrated - [ ] Tests added/updated (unit/E2E as appropriate) -- [ ] A11y considerations addressed where relevant +- [ ] Accessibility checklist completed (where relevant): + - [ ] Semantic HTML and heading order verified + - [ ] Keyboard navigation and visible focus states verified + - [ ] ARIA used only where needed + - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) -- [ ] Security/perf impact reviewed where relevant +- [ ] Security checklist completed (where relevant): + - [ ] Untrusted input validated and sanitised + - [ ] Output escaped for its rendering context + - [ ] Privileged actions enforce nonce and capability checks + - [ ] No secrets/sensitive data introduced; OWASP risks reviewed - [ ] Code/design reviews approved - [ ] CI green; linked issues closed; release notes prepared (if shipping) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_feature.md b/.github/PULL_REQUEST_TEMPLATE/pr_feature.md index d6d0cc95..24ba1915 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_feature.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_feature.md 
@@ -64,9 +64,17 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] All AC met and demonstrated - [ ] Tests added/updated (unit/E2E as appropriate) -- [ ] A11y considerations addressed where relevant +- [ ] Accessibility checklist completed (where relevant): + - [ ] Semantic HTML and heading order verified + - [ ] Keyboard navigation and visible focus states verified + - [ ] ARIA used only where needed + - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) -- [ ] Security/perf impact reviewed where relevant +- [ ] Security checklist completed (where relevant): + - [ ] Untrusted input validated and sanitised + - [ ] Output escaped for its rendering context + - [ ] Privileged actions enforce nonce and capability checks + - [ ] No secrets/sensitive data introduced; OWASP risks reviewed - [ ] Code/design reviews approved - [ ] CI green; linked issues closed; release notes prepared (if shipping) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md b/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md index 8cff0779..e7b4b421 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md 
@@ -71,9 +71,17 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] All AC met and demonstrated - [ ] Tests added/updated (unit/E2E as appropriate) -- [ ] A11y considerations addressed where relevant +- [ ] Accessibility checklist completed (where relevant): + - [ ] Semantic HTML and heading order verified + - [ ] Keyboard navigation and visible focus states verified + - [ ] ARIA used only where needed + - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) -- [ ] Security/perf impact reviewed where relevant +- [ ] Security checklist completed (where relevant): + - [ ] Untrusted input validated and sanitised + - [ ] Output escaped for its rendering context + - [ ] Privileged actions enforce nonce and capability checks + - [ ] No secrets/sensitive data introduced; OWASP risks reviewed - [ ] Code/design reviews approved - [ ] CI green; linked issues closed; release notes prepared (if shipping) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md b/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md index b018d1bd..7bfc8b9d 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md 
@@ -93,9 +93,17 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] All AC met and demonstrated - [ ] Tests added/updated (unit/E2E as appropriate) -- [ ] A11y considerations addressed where relevant +- [ ] Accessibility checklist completed (where relevant): + - [ ] Semantic HTML and heading order verified + - [ ] Keyboard navigation and visible focus states verified + - [ ] ARIA used only where needed + - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) -- [ ] Security/perf impact reviewed where relevant +- [ ] Security checklist completed (where relevant): + - [ ] Untrusted input validated and sanitised + - [ ] Output escaped for its rendering context + - [ ] Privileged actions enforce nonce and capability checks + - [ ] No secrets/sensitive data introduced; OWASP risks reviewed - [ ] Code/design reviews approved - [ ] CI green; linked issues closed; release notes prepared (if shipping) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_release.md b/.github/PULL_REQUEST_TEMPLATE/pr_release.md index e1c46939..dd5d3d4c 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_release.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_release.md 
@@ -66,9 +66,17 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] All AC met and demonstrated - [ ] Tests added/updated (unit/E2E as appropriate) -- [ ] A11y considerations addressed where relevant +- [ ] Accessibility checklist completed (where relevant): + - [ ] Semantic HTML and heading order verified + - [ ] Keyboard navigation and visible focus states verified + - [ ] ARIA used only where needed + - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) -- [ ] Security/perf impact reviewed where relevant +- [ ] Security checklist completed (where relevant): + - [ ] Untrusted input validated and sanitised + - [ ] Output escaped for its rendering context + - [ ] Privileged actions enforce nonce and capability checks + - [ ] No secrets/sensitive data introduced; OWASP risks reviewed - [ ] Code/design reviews approved - [ ] CI green; linked issues closed; release notes prepared (if shipping) diff --git a/.github/instructions/pull-requests.instructions.md b/.github/instructions/pull-requests.instructions.md index 4080a035..a6b1b282 100644 --- a/.github/instructions/pull-requests.instructions.md +++ b/.github/instructions/pull-requests.instructions.md @@ -109,7 +109,7 @@ See [BRANCHING_STRATEGY.md](../BRANCHING_STRATEGY.md) for full details and enfor - **Linked issues:** Use `Closes #123` or similar. - **Description:** Clearly state *what* changed and *why*. - **Changelog section:** [Required for release automation.] - - **Checklist:** Complete all items (tests, docs, a11y, linked issues, CI, etc.). + - **Checklist:** Complete all items, including explicit accessibility and security checks. 4. **Write a clear title** Format: `[Type] Area/Component: Brief summary (Closes #issue)` 
@@ -151,7 +151,9 @@ See [BRANCHING_STRATEGY.md](../BRANCHING_STRATEGY.md) for full details and enfor ## 6. PR Review & Lifecycle -- **Checklist must be completed** (tests, docs, a11y, linked issues, etc.). +- **Checklist must be completed** (tests, docs, linked issues, CI, and explicit accessibility/security checks). +- **Accessibility baseline:** Confirm semantic structure, keyboard/focus behaviour, and contrast/non-colour cues against WCAG 2.1 AA or higher. +- **Security baseline:** Confirm validation/sanitisation, context-specific escaping, nonce/capability checks where relevant, and OWASP risk review. - **CI and all status checks must pass.** - **Respond promptly to reviewer feedback**; see [awaiting-author.md](../SAVED_REPLIES/pull-requests/awaiting-author.md) - **Ready for review:** Mark as ready and ping reviewers; see [ready-for-review.md](../SAVED_REPLIES/pull-requests/ready-for-review.md) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 6e6b8ddf..fbcb61cd 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -137,9 +137,17 @@ Include: - [ ] All AC met and demonstrated - [ ] Tests added/updated (unit/E2E as appropriate) -- [ ] A11y considerations addressed where relevant +- [ ] Accessibility checklist completed (where relevant): + - [ ] Semantic HTML and heading order verified + - [ ] Keyboard navigation and visible focus states verified + - [ ] ARIA used only where needed + - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) -- [ ] Security/perf impact reviewed where relevant +- [ ] Security checklist completed (where relevant): + - [ ] Untrusted input validated and sanitised + - [ ] Output escaped for its rendering context + - [ ] Privileged actions enforce nonce and capability checks + - [ ] No secrets/sensitive data introduced; OWASP risks reviewed - [ ] Code/design reviews approved - [ ] CI green; linked issues closed; release notes prepared (if shipping) - [ ] Risk assessment completed above diff --git a/docs/PR_CREATION_PROCESS.md b/docs/PR_CREATION_PROCESS.md index eff0b712..310c8254 100644 --- a/docs/PR_CREATION_PROCESS.md +++ b/docs/PR_CREATION_PROCESS.md @@ -114,6 +114,8 @@ Each PR template includes a checklist. Ensure you: - [ ] Ran all tests and linters - [ ] Updated documentation (if needed) - [ ] Added/updated tests +- [ ] Completed accessibility checks (semantic structure, keyboard/focus, ARIA only when needed, contrast/non-colour cues; WCAG 2.1 AA or higher) +- [ ] Completed security checks (validation/sanitisation, context-specific escaping, nonce/capability checks where relevant, and OWASP risk review) - [ ] Linked issues - [ ] Provided screenshots or video (for UI changes) - [ ] Selected appropriate labels From 9214723e3e5c6313c54c98516dbe87084aa107bc Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 May 2026 15:18:56 +0000 Subject: [PATCH 03/11] docs: align saved reply security/testing guidance with new checklist Agent-Logs-Url: https://github.com/lightspeedwp/.github/sessions/8ff4812c-49a5-4b05-8c66-359a731249a7 --- .github/SAVED_REPLIES/pull-requests/security.md | 12 ++++++++---- .github/SAVED_REPLIES/pull-requests/testing.md | 4 ++-- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/SAVED_REPLIES/pull-requests/security.md b/.github/SAVED_REPLIES/pull-requests/security.md index 1e499aea..6240799e 100644 --- a/.github/SAVED_REPLIES/pull-requests/security.md +++ b/.github/SAVED_REPLIES/pull-requests/security.md @@ -17,14 +17,16 @@ Thank you for your contribution! Since this PR touches security-sensitive areas **Checklist:** -- [ ] Validate and sanitize all user input +- [ ] Validate and sanitise all untrusted input +- [ ] Escape output for the correct rendering context +- [ ] Enforce nonce and capability checks for privileged actions - [ ] Avoid exposing secrets or sensitive data -- [ ] Follow least privilege for permissions and tokens - [ ] Add or update security tests if appropriate **Resources:** -- [Security Guidelines](.github/instructions/security.md) +- [PR Security Baseline](../../instructions/pull-requests.instructions.md#6-pr-review--lifecycle) +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) If you have questions about security best practices, please ask! ``` 
@@ -41,7 +43,9 @@ Thank you for your PR. We've identified a potential security vulnerability in th **What to Address:** - Ensure no secrets or credentials are exposed -- Validate all user input and outputs +- Validate and sanitise untrusted input +- Escape output for the correct rendering context +- Add nonce/capability checks where privileged actions are involved - Avoid command injection, directory traversal, or similar risks Once these concerns are addressed, let us know so we can proceed with merging. diff --git a/.github/SAVED_REPLIES/pull-requests/testing.md b/.github/SAVED_REPLIES/pull-requests/testing.md index 0be4b217..7f504c6c 100644 --- a/.github/SAVED_REPLIES/pull-requests/testing.md +++ b/.github/SAVED_REPLIES/pull-requests/testing.md @@ -19,7 +19,7 @@ Thank you for your contribution! Before we can merge this PR, we need to ensure - Add or update automated tests to cover your changes - Tests should verify both typical use and edge cases -- Please follow our [testing guidelines](.github/instructions/bats-tests-and-runner-scripts.md) +- Please follow our [testing guidelines](../../instructions/quality-assurance.instructions.md) **Checklist:** @@ -48,7 +48,7 @@ Thanks for including tests in this PR! There are a few ways we can improve test **Resources:** -- [Testing Guidelines](.github/instructions/bats-tests-and-runner-scripts.md) +- [Quality Assurance Instructions](../../instructions/quality-assurance.instructions.md) If you have questions about these suggestions, let us know! ``` From f5831cf9f504e07726dd777e3239591154400be1 Mon Sep 17 00:00:00 2001 From: Ash Shaw Date: Wed, 20 May 2026 19:24:41 +0200 Subject: [PATCH 04/11] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Ash Shaw --- .github/PULL_REQUEST_TEMPLATE/pr_release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_release.md b/.github/PULL_REQUEST_TEMPLATE/pr_release.md index dd5d3d4c..94260017 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_release.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_release.md @@ -70,7 +70,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised From 1a6831f01e3fb0a7a98e5487cedb32719a67844e Mon Sep 17 00:00:00 2001 From: Ash Shaw Date: Wed, 20 May 2026 19:25:45 +0200 Subject: [PATCH 05/11] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Ash Shaw --- docs/PR_CREATION_PROCESS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/PR_CREATION_PROCESS.md b/docs/PR_CREATION_PROCESS.md index 310c8254..76127b7e 100644 --- a/docs/PR_CREATION_PROCESS.md +++ b/docs/PR_CREATION_PROCESS.md @@ -114,7 +114,7 @@ Each PR template includes a checklist. Ensure you: - [ ] Ran all tests and linters - [ ] Updated documentation (if needed) - [ ] Added/updated tests -- [ ] Completed accessibility checks (semantic structure, keyboard/focus, ARIA only when needed, contrast/non-colour cues; WCAG 2.1 AA or higher) +- [ ] Completed accessibility checks (semantic structure, keyboard/focus, ARIA only when needed, contrast/non-colour cues; WCAG 2.2 AA) - [ ] Completed security checks (validation/sanitisation, context-specific escaping, nonce/capability checks where relevant, and OWASP risk review) - [ ] Linked issues - [ ] Provided screenshots or video (for UI changes) 
From 6d21aa3f80d2cd46d361f4edc02d1ebdff0044e6 Mon Sep 17 00:00:00 2001 From: Ash Shaw Date: Wed, 20 May 2026 19:26:01 +0200 Subject: [PATCH 06/11] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Ash Shaw --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index fbcb61cd..f78021f0 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -141,7 +141,7 @@ Include: - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised From 7fdd46a0c5cdffbb899fb864c2dfadcfc6bf1c9b Mon Sep 17 00:00:00 2001 From: Ash Shaw Date: Wed, 20 May 2026 19:26:15 +0200 Subject: [PATCH 07/11] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Ash Shaw --- .github/PULL_REQUEST_TEMPLATE/pr_refactor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md b/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md index 7bfc8b9d..5efb702c 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md 
@@ -97,7 +97,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised From 947cdcb46bdbc42bf56d892c43a6b0457db11052 Mon Sep 17 00:00:00 2001 From: Ash Shaw Date: Wed, 20 May 2026 19:26:28 +0200 Subject: [PATCH 08/11] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Ash Shaw --- .github/PULL_REQUEST_TEMPLATE/pr_docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_docs.md b/.github/PULL_REQUEST_TEMPLATE/pr_docs.md index 0ea35d86..4adaf5b9 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_docs.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_docs.md @@ -85,7 +85,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised From 706c31725d49759c9cf2aa0c8a34c0841e884ad1 Mon Sep 17 00:00:00 2001 From: Ash Shaw Date: Wed, 20 May 2026 19:26:39 +0200 Subject: [PATCH 09/11] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> 
Signed-off-by: Ash Shaw --- .github/PULL_REQUEST_TEMPLATE/pr_feature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_feature.md b/.github/PULL_REQUEST_TEMPLATE/pr_feature.md index 24ba1915..9bf39ec2 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_feature.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_feature.md @@ -68,7 +68,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised From 0291e9666b490b4fe8c22decdc67e95fabafee0b Mon Sep 17 00:00:00 2001 From: Ash Shaw Date: Wed, 20 May 2026 19:26:51 +0200 Subject: [PATCH 10/11] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Ash Shaw --- .github/PULL_REQUEST_TEMPLATE/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/PULL_REQUEST_TEMPLATE/README.md b/.github/PULL_REQUEST_TEMPLATE/README.md index 93cbb1c6..641ba7ca 100644 --- a/.github/PULL_REQUEST_TEMPLATE/README.md +++ b/.github/PULL_REQUEST_TEMPLATE/README.md 
@@ -65,7 +65,7 @@ These templates integrate with: 1. **Template Selection**: Choose the template that best matches your PR type 2. **Required Fields**: Complete all required sections in the template 3. **Branch Naming**: Follow the [branching strategy](../docs/BRANCHING_STRATEGY.md) for automatic detection -4. **A11y & Security**: Complete the WCAG 2.1 AA+ and OWASP-aligned checklist items before review +4. **A11y & Security**: Complete the WCAG 2.2 AA and OWASP-aligned checklist items before review 5. **Automation**: Let the system handle labeling and assignment - avoid manual changes ## ⚠️ Important Notes From c7380b1815416fbbdaf72591e12ab368c3c96ac1 Mon Sep 17 00:00:00 2001 From: Ash Shaw Date: Wed, 20 May 2026 19:27:05 +0200 Subject: [PATCH 11/11] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Ash Shaw --- .github/PULL_REQUEST_TEMPLATE/pr_hotfix.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md b/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md index e7b4b421..2c214466 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md @@ -75,7 +75,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised
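Review bot: In PATCH 02 every one of the ten template hunks replaces `- [ ] Security/perf impact reviewed where relevant` with a security-only checklist, so the performance review item is dropped from all templates at once. Keep a `- [ ] Performance impact reviewed where relevant` item next to the new security block (or name performance in its heading) so widening the security check does not silently narrow the review.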
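Review bot: The same twelve-line accessibility/security block is pasted verbatim into ten files in PATCH 02, and PATCHES 04-11 then have to edit each copy separately to change one version string, which is exactly the drift that copying invites. Consider keeping the block in one place (the README or pull-requests.instructions.md) and linking to it from the templates, or at minimum add a comment in each template stating that the block is mirrored and must be changed everywhere.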
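Review bot: After PATCHES 04-11 the accessibility baseline is stated three different ways across the repository: pr_release.md, pr_refactor.md, pr_docs.md, pr_hotfix.md, pull_request_template.md, PR_CREATION_PROCESS.md and README.md now read `WCAG 2.2 AA`; pr_feature.md (PATCH 09) reads `WCAG 2.2 AA or higher`; and pr_bug.md, pr_chore.md, pr_ci.md, pr_dep_update.md and the `Accessibility baseline` bullet added to pull-requests.instructions.md in PATCH 02 still read `WCAG 2.1 AA or higher`. Pick one wording and apply it to every file in a single commit.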
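Review bot: PATCHES 04-11 all carry the identical subject `Potential fix for pull request finding` and each changes a single line, so the history does not say what the finding was; the diffs show it is the WCAG 2.1 to 2.2 version change. Squash them into one commit whose message names the finding and the resulting baseline.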
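Review bot: The security.md hunk in PATCH 03 deletes `- [ ] Follow least privilege for permissions and tokens` from the checklist with no replacement; the added items (input validation, output escaping, nonce/capability checks) do not cover token scope or permission minimisation, so restore that line. The same hunk also removes the `[Security Guidelines](.github/instructions/security.md)` resource; if that file still exists, keep it alongside the new baseline link rather than replacing it. The new `#6-pr-review--lifecycle` fragment matches the `## 6. PR Review & Lifecycle` heading visible in the PATCH 02 hunk, so that link is fine.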
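Review bot: Both testing.md hunks in PATCH 03 repoint the guideline link from `.github/instructions/bats-tests-and-runner-scripts.md` (a repo-root path that could not resolve from a nested saved-reply file) to `../../instructions/quality-assurance.instructions.md`. The relative form is correct for this location; confirm the target file exists and consider a markdown link check in CI so the saved replies do not go stale again.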