Changelog

Track version updates, shipped features, and release milestones for Accessibility Quality Gate.

v1.7.1

Latest
Added
  • Added image alt-text remediation for local FAL image findings, allowing editors to apply reviewed alternative text directly from the AQG image finding card.
  • Added decorative image handling in the image remediation workflow, allowing editors to mark image findings as decorative or informative when they have the required permission.
  • Added AI-assisted alt-text suggestions for Pro and Agency, with mandatory editor review before any suggested text can be applied.
  • Added site-specific encrypted OpenAI project key configuration for AI alt-text suggestions, with masked key display and support for the global AQG_OPENAI_API_KEY environment fallback.
  • Added connection verification for the current key, selected model, prompt version and AQG connection-test contract before AI suggestions can be used.
  • Added an explicit non-admin image-remediation capability via User TSConfig: options.a11y_quality_gate.allowImageRemediation = 1.
Changed
  • AI alt-text suggestions now use OpenAI Responses API requests with strict Structured Outputs, bounded server-derived context, store=false and the final aqg_alt_text_v3 prompt.
  • AI Settings now use a shared server-derived UI state for model selection, verification status, timestamps, safe error codes and action availability.
  • The selected OpenAI model is now site-specific and verification is valid only for the current key fingerprint, selected model, prompt version and connection-test contract.
  • FREE and PRO backend local page-scan handling now share an idempotent JavaScript initializer so “Scan this page” behaves consistently across backend module variants.
  • Settings navigation and AI Settings layouts were improved for narrow TYPO3 backend viewports, light mode, dark mode, keyboard focus and responsive wrapping.
  • Image remediation permission handling now combines the explicit AQG capability with TYPO3 page, record, table, field, workspace and language checks before any write operation.
Fixed
  • Fixed the PRO Page Detail “Scan this page” action so the enabled button triggers the local page-scan request instead of remaining inert.
  • Fixed AI Settings state rendering so non-2xx connection-test responses update the visible status, safe error code, timestamps and button states without relying on a page reload.
  • Fixed responsive overflow in the AQG Settings tab navigation on narrow backend viewports.
  • Fixed image-remediation write endpoints so non-admin users without the explicit AQG image-remediation capability receive permission_denied before any FAL reference or finding state is mutated.
  • Fixed permission-denied image-remediation requests so sys_file_reference values and finding metadata remain unchanged.
Security
  • Image-remediation write endpoints now require server-side authorization before changing FAL reference data or resolving findings.
  • Non-admin image remediation is denied by default unless explicitly enabled through User TSConfig.
  • OpenAI API keys remain encrypted at rest and are never displayed after saving.
  • OpenAI diagnostics expose only bounded technical status codes and do not expose API keys, authorization headers, image payloads or full provider responses.
  • AI suggestions are never applied automatically; editors must review and explicitly apply the suggested text.

v1.6.0

Added
  • Added the Accessibility Statement Draft Assistant with English and German preview, HTML, TXT and PDF exports, configurable statement details and clear automated-draft disclaimers.
  • Added PRO frontend scan history for site and single-page scans, including scan comparison, regression signals and recommended remediation plans.
  • Added a centralized rule metadata presentation layer with friendly titles, plain-language guidance, affected user groups, WCAG references, techniques, documentation links, recommended owner and fix type.
  • Added the conservative rendered.landmark_unique check for duplicate or missing accessible landmark names.
  • Added the rte.form_control_missing_label check for form controls without an accessible label in RTE content.
  • Added presentation and reporting support for the WCAG 2.2 target-size axe-core rule and expanded color-contrast remediation metadata.
  • Added German translations for the new editor guidance, reporting and statement workflows.
Changed
  • Improved Remote Overview and Remote Page Detail so recommendations, history and regression information are easier to understand and act on.
  • Improved rule presentation across backend views, CSV, PDF and report output with consistent metadata and remediation guidance.
  • Improved accessibility wording so automated findings are presented as workflow support rather than proof of legal or WCAG compliance.
  • Improved frontend scan history handling for site scans and single-page scans, including clearer separation of scan contexts.
  • Improved dark mode, responsive layout and readability across new 1.6.0 backend components.
Fixed
  • Fixed duplicate documentation links in Remote Page Detail while preserving complete metadata in overview, CSV and PDF outputs.
  • Fixed remote scan history and regression data loading for the currently selected site or page context.
  • Fixed several dark-mode contrast and layout issues in history, regression and remediation components.
  • Fixed remote scan persistence and presentation edge cases that could leave stale or incomplete result states.

v1.5.0

Added
  • Redesigned Frontend scan overview for PRO remote scans with an automated accessibility signal, priority fixes, affected pages, report support and export actions.
  • “What to fix first” recommendations based on impact, affected pages, WCAG mapping and remediation guidance.
  • Report and audit support blocks for remote scan results, including WCAG / BFSG / BITV reporting aid, manual review checklist and automated review disclaimers.
  • Additional automated signals for remote scans, including keyboard exploration, page structure and shared template/component signals.
  • Remediation summaries for remote scan results to group suggested work by editor/content, developer/template and design-related fixes.
  • Page-level “Start here” recommendations in Remote Page Detail.
  • Node-level remediation guidance for common frontend accessibility findings.
  • Color contrast remediation details for remote color-contrast findings, including current colors, actual/required ratio, candidate colors, preferred candidate and estimated contrast ratios.
  • Compact color candidate output to Remote Page Detail, CSV export and PDF export.
  • API contract feature metadata so the TYPO3 integration can detect available remote crawler capabilities.
  • CSV export columns for remote contrast remediation data.
Changed
  • Improved Remote Overview wording to consistently describe results as automated signals and reporting aids, not as compliance confirmation.
  • Improved Remote Overview export links so CSV and PDF exports use the currently displayed remote scan context.
  • Improved Remote Page Detail PDF generation for better server-side performance.
  • Remote Page Detail PDF now uses a compact export layout and omits heavy screenshots in favour of a placeholder when needed.
  • Improved PDF layout for remote report summaries, screenshots, candidate colors and remediation summaries.
  • Improved dark/auto mode support for TYPO3 14 backend themes, including data-theme="fresh" and data-color-scheme="auto".
  • Improved responsive layout and spacing in Remote Overview priority cards, report support sections and affected page tables.
  • Improved PRO capability resolution across site and language base URLs.
  • Improved PRO cache invalidation after licence re-validation.
  • Improved remote scan recovery and persistence for newer optional crawler fields while keeping backward compatibility with older scans.
Fixed
  • Fixed Remote Overview CSV/PDF exports falling back to an unrelated latest site scan instead of the currently displayed page scan.
  • Fixed empty or incomplete Remote Overview exports for page-scope remote scans.
  • Fixed Remote Page Detail handling of contrast detail data stored as either a list or a single object.
  • Fixed persistence of remote page remediation and recommendation data.
  • Fixed Remote Overview visibility when existing remote results are available but the PRO status cache is stale.
  • Fixed dark mode hover and focus states for report support summaries, manual review rows, reporting tables, toggle badges and affected page action links.
  • Fixed duplicated SCSS override layers in the Remote Overview styles.
  • Fixed “Last scan” label formatting in Remote Overview.
  • Fixed protected local issues so ignored or muted issues are not reopened or updated incorrectly during later upserts.
  • Fixed resolved issue recovery when a matching issue is found by source and rule but its fingerprint changed.
  • Fixed local issue lifecycle consistency for ignored issue expiry data.
Security
  • Hardened Settings permissions so licence keys, PRO configuration, remote scan access and quality gate administration settings can only be changed by administrators.
  • Hardened remote scan status, summary and cancel actions with local job ownership and site-context validation.
  • Hardened remote crawler response handling with job/site identity checks before persisting results.
  • Reduced debug data exposure in remote crawler error responses outside development/admin debug contexts.
  • Hardened remote scan access helpers for scanner token, HTTP Basic Auth and remote access test actions.

v1.4.1

Fixed
  • Fixed remote frontend scanner token not activating AQG debug markers on the TYPO3 frontend. Remote scans now correctly embed content-element markers and map issues to source records.
  • Fixed scanner token validation to accept site-specific ruleset tokens in addition to the default scanner token.
  • Cleaned up the TypoScript marker condition to read PSR-7 request attributes instead of performing redundant token validation.
  • Clarified scanner token help text and warning layout in Remote Scan Access settings.

v1.4.0

Added
  • TYPO3 14 compatibility while keeping TYPO3 13.4 LTS support.
  • TYPO3 14 compatible Scheduler task handling.
  • Improved PRO/Agency/Trial frontend scan support.
  • Trial status and scan limits.
Changed
  • AQG module placement for TYPO3 14.
  • Remote Overview deduplication and search.
  • Remote Page Detail and screenshot/report handling.
  • Toolbar and Page Module scan status.
  • Empty Remote Overview summary state.
Fixed
  • Scheduler task creation, editing and execution compatibility.
  • Settings save behavior.
  • Agency and Trial remote scan access.
  • Site-specific scanner token persistence.
  • Frontend scan submission compatibility with crawler validation.
  • Remote Overview PDF/CSV exports.
  • Screenshot embedding in PDF exports.
  • Dark mode contrast issues.
  • Completed scan messages.
  • Show PRO hints switch.
  • Quality Gate behavior on TYPO3 14.

v1.3.1

Fixed
  • Rendered scans no longer create accessibility issues when the fetched frontend response is a detected technical error page. The scan reports a warning instead.
  • Old rendered false positives with stored technical error snippets are automatically resolved on the next scan that detects an error page for the same page.
  • Overview pagination now correctly preserves local, remote and failed-remote list state, including language and search parameters.
  • Settings → Remote scan access now shows a PRO/Trial gate in FREE mode instead of the scanner token and crawler setup forms.
  • Rendered Frontend URLs in Page Detail technical details are now clickable links.
  • Language switcher in Overview and Page Detail now only offers languages that have an existing page translation.
  • Rendered page checks are now skipped for non-frontend page types while custom renderable page types remain eligible.
  • Reduced rendered-scan false positives for inert template content, hidden tracking iframes, SVG sprite containers, hidden helper controls and SVGs inside already-named links or buttons.
  • structured.header_level_is_h1 review noise is suppressed when a successful rendered scan confirms the final HTML contains exactly one <h1>.
  • Rule messages, hints and severity are refreshed for re-seen issues on rescan, so wording fixes apply without a manual delete-and-rescan.
  • Updated rte.link_new_window_no_warning wording to “new window or tab”.
Changed
  • Improved user-facing warnings for rendered fetch failures, private/local host blocking, oversized responses and unsupported page types.
  • Clarified Settings and Page Detail copy: local rendered checks inspect server-rendered HTML only and do not execute JavaScript, AJAX or lazy-loaded content.

v1.3.0

Added
  • Added rendered page check (FREE, no licence key required): fetches and analyzes the live rendered HTML of the current page, running a dedicated set of HTML-level accessibility rules alongside the existing TCA/RTE checks.
  • Added short-lived HMAC nonce authentication for rendered page checks so FREE users can run page scans without configuring a scanner token in Settings.
  • Added rendered HTML scanner, SSRF-hardened fetcher, URL resolver, analyzer, rule registry, issue factory and issue mapper.
  • Added source_type, frontend_url and css_selector metadata fields to local issues to track rendered issue origin and position.
  • Added rendered HTML issue mapping via data-aqg-content-uid / data-aqg-c-type frontend debug markers; issues outside a mapped marker fall back to the page record with a template/layout attribution hint.
  • Added 13 rendered HTML rules: missing image alt, empty links, empty buttons, empty headings, missing iframe title, missing form label, duplicate IDs, missing table header, empty table header, SVG missing accessible name, missing HTML lang, missing page title, missing main landmark.
  • Added custom TypoScript ExpressionLanguage condition aqgDebugMarkers(request) replacing the previously unsupported request.getAttribute() approach.
  • Added FE.cacheHash.excludedParameters registration in ext_localconf.php for all rendered check URL parameters (aqgDebug, aqgh, tx_aqg_rendered_check, _aqg_page, _aqg_lang, _aqg_nonce).
  • Added a ruleset setting to disable rendered page checks per project.
  • Added an explicit allowPrivateHosts development override for private/local frontend hosts; production default remains blocked for SSRF safety.
Changed
  • Rendered checks are intentionally HTML-only: no sitemap crawling, Playwright, axe-core, screenshots, JavaScript execution or scheduled scans.
  • Rendered checks run only during manual Scan this page page scans; site/subtree scans and scheduled tasks do not trigger rendered checks.
  • tx_aqg_rendered_check=1 requests now require either a valid short-lived HMAC nonce or a valid scanner token to render debug markers; backend-user login alone is not sufficient for rendered check requests.
  • Hardened rendered URL validation for same-host redirects with optional site port checks.
  • Tightened media transcript review hints so uploads document lists are not flagged by CType alone.
  • Extended aria-labelledby lookup helpers with content validation and reused them across RTE accessible-name checks.
  • Replaced remaining manual backend language parameter parsing in Overview and Page Detail controllers with the shared RequestParameterService.
Fixed
  • Fixed fingerprint backward compatibility so rendered issues include rendered and cssSelector in their hash while existing RTE and structured issues keep their previous fingerprint; ignored issues from earlier versions are not re-opened after upgrade.
  • Fixed CKEditor live validation for new and unsaved tt_content records by resolving pageUid from context and falling back to page-level content permissions when the record UID does not yet exist.
  • Fixed CKEditor live validation for escaped HTML fragments (image alt, document links) submitted as plain text in live validation requests.
  • Fixed CKEditor issue panel to show server-side live issues even when a matching editable DOM target cannot be found.
  • Fixed Settings module stylesheet loading so Remote scan access buttons use correct AQG/TYPO3 styling instead of browser defaults.
  • Fixed Copy token button in Remote scan access so the icon is preserved when the token is regenerated.

v1.2.0

Added
  • Batch ignore workflow in local Page Detail, including selectable issue cards, a sticky bulk action bar, required reason confirmation, group selection, and rule-based ignore shortcuts.
  • Temporary ignore expiry for single and batch ignores with 7, 30, 90 day and custom-date options.
  • Automatic reopening of expired ignored issues with audit metadata for reopened ignores.
  • Settings → Rules management for enabling and disabling individual accessibility rules per site/default ruleset.
  • Rule configuration filtering for local scans, CKEditor live validation, existing issue APIs, overview counts, and Quality Gate checks.
  • Remote scan access settings for HTTP Basic Authentication, excluded URL patterns, priority URLs, and cookie accept selectors.
  • Scanner token warning notice in the Overview remote scan section when hidden/draft page scanning is not configured.
  • Show-once scanner token handling in Settings → Remote scan access.
  • Local and remote scan progress blocks above the source tabs, including completed, cancelled, and running states.
  • Local content scan cancellation and remote scan cancellation UI handling.
  • Language-aware scan state handling for Overview, Page Detail, toolbar, and Page Module Indicator.
  • Page Module Indicator for accessibility status directly in the TYPO3 Page module.
  • Improved toolbar scan card/dropdown UI and mobile handling.
  • Reusable empty state for modules opened without page/site context.
  • Cookie consent selector support in crawler submit payloads.
Changed
  • Renamed local scan actions to match frontend scan wording: Scan this page and Scan site.
  • Improved Overview and Page Detail responsive behaviour, especially toolbar rows and horizontally scrollable tables on narrow screens.
  • Improved scan completion UX so local and frontend scans briefly show a green completed state before reloading results.
  • Changed scanner token settings so raw tokens are no longer rendered in the DOM or editable through TCA.
  • Changed HTTP Basic Auth testing to resolve the target URL from TYPO3 Site configuration instead of accepting arbitrary request URLs.
  • Changed remote single-page scan validation so submitted URLs must belong to the configured TYPO3 Site base or one of its language bases.
  • Changed remote crawler submit payload handling to include scanner token, HTTP auth, excluded patterns, priority URLs, cookie selectors, and language metadata where configured.
  • Changed Quality Gate checks and issue count queries to ignore disabled rules.
  • Changed scan language constraints so all-language scans (language_uid = -1) are considered when viewing a specific language.
  • Refactored repeated site/language resolving and URL generation into shared services.
  • Refactored language switcher, expiry picker, and other repeated UI pieces into shared partials where appropriate.
Fixed
  • Fixed root Overview showing “No scan on record” after all-language subtree scans.
  • Fixed Quality Gate blocking so blocked publish/unhide actions re-hide the page after DataHandler has completed.
  • Fixed local and remote scan progress not reliably refreshing the backend iframe after completion.
  • Fixed remote scan completion recovery so completed crawler jobs are persisted without requiring a manual “View issues” click.
  • Fixed frontend scan state leaking across languages in the Page module and toolbar.
  • Fixed secondary-language frontend scan buttons being disabled when a usable site/language URL can be resolved.
  • Fixed stale running scan states and improved local scan cancel handling.
  • Fixed duplicate escapeHtml() definition in backend JavaScript.
  • Fixed unsupported rte.heading_order fallback handling in CKEditor JavaScript.
  • Fixed SiteNotFoundException namespace usage and consolidated site resolving code.
  • Fixed scanner token notice placement and styling without affecting the language switcher.
  • Fixed mobile overview toolbar layout and table horizontal scrolling.
  • Fixed text columns in ext_tables.sql by removing unstable default values.
  • Fixed cookie accept selector fallback between site-specific and default rulesets.
Security
  • Hardened scanner token handling: raw tokens are shown only immediately after regeneration and are no longer rendered into normal settings HTML.
  • Hid scanner token storage from TCA forms by using passthrough configuration.
  • Added TYPO3 record/page permission checks to CKEditor issue APIs, local scan AJAX actions, remote scan submit actions, and Page Detail ignore workflows.
  • Added verification that ignored CKEditor issues belong to the requested content record.
  • Added site-base validation for single-page remote scan URLs to reduce SSRF/open-crawler risk.
  • Hardened HTTP Basic Auth testing by deriving the test target from TYPO3 Site configuration and blocking localhost/private/reserved targets.
  • Added explicit removal option for stored HTTP Basic Auth passwords.
  • Prevented crawler client exceptions from exposing raw response bodies in backend responses.
  • Kept crawler payload log sanitization for scanner tokens and HTTP auth passwords.

v1.1.0

Added
  • Licence validation and feature gating for FREE, Trial, PRO, and Agency plans
  • Trial licence support with time-limited access to PRO features
  • Remote crawler integration for frontend accessibility scans (PRO)
  • Remote scan overview with summary cards, top affected pages, and failed pages (PRO)
  • Remote page detail view for frontend accessibility results (PRO)
  • Remote CSV export for crawler results
  • PDF export for overview and page detail reports (PRO)
  • Screenshot preview in remote page detail
  • Screenshot embedding in remote PDF exports
  • Per-site quality gate configuration
  • Quality gate blocking mode for publish and unhide actions (PRO)
  • Multi-site support with per-site licence assignment (Agency)
  • Cookie consent handling in remote scans with fallback strategies for blocking banners
  • PRO upgrade hints in backend UI
  • Issue history for new and resolved remote issues between scans
Changed
  • Refactored PDF generation to use Fluid templates
  • Improved placement and consistency of export actions across overview and detail modules
  • Simplified remote CSV export columns by removing internal-only values
  • Improved remote detail workflow and export visibility in the backend UI
  • Updated remote report rendering and screenshot handling to avoid storing screenshots permanently in TYPO3 project files
Fixed
  • Fixed invalid docheader export button usage that caused LinkButton validation exceptions
  • Fixed export action rendering in local page detail
  • Fixed export action rendering in remote page detail
  • Fixed stylesheet loading for generated PDF reports
  • Fixed severity and status badge styling in local page PDF exports
  • Fixed quality gate success flash so it is not shown when a page has zero remaining issues
  • Added WCAG reference to the Duplicate ID rule hint
  • Removed an unused dependency from PublishHook
  • Cleaned remote export output to avoid exposing unusable internal screenshot identifiers in CSV files

v1.0.0 (Stable)

Added
  • CKEditor 5 accessibility highlighting
  • Backend overview and page detail modules
  • Ignore and unignore workflow
  • CLI scans
  • TYPO3 Scheduler integration
  • Changed-only scan mode
  • CSV export
  • TCA-based field discovery for tt_content
  • Settings module for enabled scan fields
  • Quality gate warning mode for publish and unhide actions
  • RTE and structured accessibility rules for common editor-facing issues

Stay Updated

Get notified when the next stable release ships and track upcoming release notes.