From a9814d701dc6eda5c881179712ed268c07eab717 Mon Sep 17 00:00:00 2001
From: Elina Onchul
Date: Wed, 15 Apr 2026 11:48:22 +0200
Subject: [PATCH 1/6] feat: add accessibility scanner workflow
---
 .github/workflows/a11y-scan.yaml | 133 +++++++++++++++++++++++++++++++
 1 file changed, 133 insertions(+)
 create mode 100644 .github/workflows/a11y-scan.yaml
diff --git a/.github/workflows/a11y-scan.yaml b/.github/workflows/a11y-scan.yaml
new file mode 100644
index 000000000..0dd72b1cb
--- /dev/null
+++ b/.github/workflows/a11y-scan.yaml
@@ -0,0 +1,133 @@
+name: Accessibility Scanner
+
+on:
+ workflow_dispatch:
+ # TODO: remove push trigger before merging — workflow_dispatch only works from the default branch
+ push:
+ branches:
+ - a11y-scanner-setup
+
+jobs:
+ accessibility_scanner:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: read
+ env:
+ AUTH_INITIAL_ADMIN_USERNAME: admin@example.com
+ AUTH_INITIAL_ADMIN_PASSWORD: secret
+ steps:
+ - name: Create Docker network
+ run: docker network create a11y-network
+
+ - name: Start database
+ run: |
+ docker run -d \
+ --network a11y-network \
+ --name postgres \
+ -e POSTGRES_USER=admin \
+ -e POSTGRES_PASSWORD=secret \
+ -e POSTGRES_DB=cccc \
+ pgvector/pgvector:pg16
+
+ - name: Wait for database
+ run: |
+ db_ready=false
+ for i in $(seq 1 30); do
+ if docker exec postgres pg_isready -U admin -d cccc; then
+ echo "Database is ready"
+ db_ready=true
+ break
+ fi
+ echo "Waiting for database... ($i/30)"
+ sleep 1
+ done
+
+ if [ "$db_ready" != "true" ]; then
+ echo "Database did not become ready in time"
+ exit 1
+ fi
+
+ - name: Start backend
+ run: |
+ docker run -d \
+ --network a11y-network \
+ --name backend \
+ -e BASE_URL="http://localhost:3080" \
+ -e DB_URL="postgres://admin:secret@postgres:5432/cccc" \
+ -e C4_DB_RETRY_DELAY="6000" \
+ -e NODE_ENV="development" \
+ -e AUTH_ENABLE_PASSWORD="true" \
+ -e AUTH_INITIAL_ADMIN_USERNAME="${{ env.AUTH_INITIAL_ADMIN_USERNAME }}" \
+ -e AUTH_INITIAL_ADMIN_PASSWORD="${{ env.AUTH_INITIAL_ADMIN_PASSWORD }}" \
+ -e SESSION_SECRET="a11y-scanner-session-secret" \
+ ghcr.io/codecentric/c4-genai-suite/backend:latest
+
+ - name: Start frontend
+ run: |
+ docker run -d \
+ --network a11y-network \
+ --name frontend \
+ ghcr.io/codecentric/c4-genai-suite/frontend:latest
+
+ - name: Start gateway proxy
+ run: |
+ docker run -d \
+ -p 3080:3080 \
+ --network a11y-network \
+ --name gateway \
+ -e FRONTEND_PORT=3080 \
+ -e PORT=3080 \
+ -e BACKEND_PORT=3000 \
+ ghcr.io/codecentric/c4-genai-suite/dev-helper/caddy-gateway-proxy:latest
+
+ - name: Wait for application
+ run: |
+ app_ready=false
+ for i in $(seq 1 60); do
+ if curl -sf http://localhost:3080/api/health > /dev/null 2>&1; then
+ echo "Application is ready!"
+ app_ready=true
+ break
+ fi
+ echo "Waiting for application... ($i/60)"
+ sleep 2
+ done
+
+ if [ "$app_ready" != "true" ]; then
+ echo "Application did not become ready in time"
+ exit 1
+ fi
+
+ - uses: github/accessibility-scanner@v2
+ with:
+ urls: |
+ http://localhost:3080
+ http://localhost:3080/chat
+ http://localhost:3080/admin/dashboard
+ http://localhost:3080/admin/theme
+ http://localhost:3080/admin/files
+ http://localhost:3080/admin/users
+ http://localhost:3080/admin/user-groups
+ http://localhost:3080/admin/audit-log
+ repository: ${{ github.repository }}
+ token: ${{ secrets.GH_TOKEN_A11Y }}
+ cache_key: cached_results-c4-local.json
+ login_url: http://localhost:3080 # Optional: URL of the login page if authentication is required
+ username: ${{ env.AUTH_INITIAL_ADMIN_USERNAME }} # Optional: Username for authentication
+ password: ${{ env.AUTH_INITIAL_ADMIN_PASSWORD }} # Optional: Password for authentication (use secrets!)
+ open_grouped_issues: true # Optional: Set to true to open an issue grouping individual issues per violation
+ # auth_context: # Optional: Stringified JSON object for complex authentication
+ # skip_copilot_assignment: false # Optional: Set to true to skip assigning issues to GitHub Copilot (or if you don't have GitHub Copilot)
+ # include_screenshots: false # Optional: Set to true to capture screenshots and include links to them in filed issues
+ # reduced_motion: no-preference # Optional: Playwright reduced motion configuration option
+ # color_scheme: light # Optional: Playwright color scheme configuration option
+ # scans: '["axe","reflow-scan"]' # Optional: An array of scans (or plugins) to be performed. If not provided, only Axe will be performed.
+
+ - name: Get backend logs
+ if: ${{ !cancelled() }}
+ run: docker logs backend
+
+ - name: Get gateway logs
+ if: ${{ !cancelled() }}
+ run: docker logs gateway
From 428aff1333df04583b51328e32ed3986587967f1 Mon Sep 17 00:00:00 2001
From: Elina Onchul
Date: Wed, 15 Apr 2026 16:51:12 +0200
Subject: [PATCH 2/6] chore: add screenshots to a11y issues found by scanner
---
 .github/workflows/a11y-scan.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/a11y-scan.yaml b/.github/workflows/a11y-scan.yaml
index 0dd72b1cb..c2b3da86b 100644
--- a/.github/workflows/a11y-scan.yaml
+++ b/.github/workflows/a11y-scan.yaml
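Review bot: The `uses: github/accessibility-scanner@v2` step receives `secrets.GH_TOKEN_A11Y` but names the action by a movable tag, so the token is handed to whatever commit that tag points at when the job runs; pin it to a reviewed commit, `uses: github/accessibility-scanner@<full-commit-sha> # v2` (placeholder, not a real SHA). The `:latest` tags on the three `ghcr.io/codecentric/c4-genai-suite` images likewise leave the scanned build unversioned, so a filed issue cannot be tied to a specific image; a release tag or digest would fix that. In "Start backend" the `${{ env.… }}` expressions are pasted into the script text before the shell parses it; the job-level `env` already exports both values, so `-e AUTH_INITIAL_ADMIN_USERNAME \` and `-e AUTH_INITIAL_ADMIN_PASSWORD \` (docker then takes the value from the runner environment) keep the template out of the shell. The scope of `GH_TOKEN_A11Y` is not visible in the workflow; presumably it only needs to file issues, so confirm it is a fine-grained token limited to this repository.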
@@ -113,13 +113,13 @@ jobs:
 repository: ${{ github.repository }}
 token: ${{ secrets.GH_TOKEN_A11Y }}
 cache_key: cached_results-c4-local.json
- login_url: http://localhost:3080 # Optional: URL of the login page if authentication is required
+ login_url: http://localhost:3080/login # Optional: URL of the login page if authentication is required
 username: ${{ env.AUTH_INITIAL_ADMIN_USERNAME }} # Optional: Username for authentication
 password: ${{ env.AUTH_INITIAL_ADMIN_PASSWORD }} # Optional: Password for authentication (use secrets!)
 open_grouped_issues: true # Optional: Set to true to open an issue grouping individual issues per violation
+ skip_copilot_assignment: true # Optional: Set to true to skip assigning issues to GitHub Copilot (or if you don't have GitHub Copilot)
+ include_screenshots: true # Optional: Set to true to capture screenshots and include links to them in filed issues
 # auth_context: # Optional: Stringified JSON object for complex authentication
- # skip_copilot_assignment: false # Optional: Set to true to skip assigning issues to GitHub Copilot (or if you don't have GitHub Copilot)
- # include_screenshots: false # Optional: Set to true to capture screenshots and include links to them in filed issues
 # reduced_motion: no-preference # Optional: Playwright reduced motion configuration option
 # color_scheme: light # Optional: Playwright color scheme configuration option
 # scans: '["axe","reflow-scan"]' # Optional: An array of scans (or plugins) to be performed. If not provided, only Axe will be performed.
From e683c06b9c20bf72f9ce1cd3049457e858f57fd1 Mon Sep 17 00:00:00 2001
From: Elina Onchul
Date: Thu, 16 Apr 2026 08:19:25 +0200
Subject: [PATCH 3/6] fix: add labels to login form inputs
---
 frontend/src/pages/login/LoginPage.tsx | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/frontend/src/pages/login/LoginPage.tsx b/frontend/src/pages/login/LoginPage.tsx
index e3651c3b5..0b052191f 100644
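Review bot: `include_screenshots: true` has the scanner capture pages while it is logged in with the initial admin account, and per the option's own comment links to those captures go into filed issues; the `urls` list of this step (outside the hunk, in the first patch) includes `/admin/users` and `/admin/audit-log`. With the throwaway database this job starts that is only seed data, but the file does not say so, and a later edit pointing `urls` at a shared instance would put real user and audit data into issues. I would add a comment above the option, `# screenshots are taken as admin: scan only the ephemeral stack started by this job`. The "(use secrets!)" remark on the unchanged `password` line also contradicts the plain `env` value it sits next to; something like `# throwaway CI credential, never reuse outside this job` would state the intent.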
--- a/frontend/src/pages/login/LoginPage.tsx +++ b/frontend/src/pages/login/LoginPage.tsx @@ -122,11 +122,22 @@ function LoginForm() { )}
- +
- +