Breadth
8 categories: visual, usability, performance, reliability, security, accessibility, content, SEO
Foundation test · runs on every audit 1 credit/page
Page Analysis.
A vision-capable LLM (Claude / GPT-4o / Gemini 2.x) audits a full-page screenshot together with the rendered HTML, captured console messages, and a network-traffic summary. Returns a numerically scored list of issues across eight categories — the baseline every other test type builds on.
What it does analyzePage()
Playwright loads the URL in headless Chromium (stealth-patched: real Chrome 126 UA, navigator.webdriver patched, no jank fingerprints). After DOMContentLoaded plus a 10s networkidle ceiling, the runner captures a full-page JPEG, the post-render HTML, the console stream (capped at 2,000 chars per message), and a network summary (URLs, methods, statuses — never headers or bodies). All of that goes to the configured LLM with a structured prompt. The model returns strict JSON: a 0–100 score, an array of issues, and a one-line summary. Each issue has a category, severity, confidence (1–10), priority (1–10), affected selector, and a suggested fix.
What it finds
Concrete examples from a real run:
- Visual: "Hero CTA button overlaps the navigation bar at viewport widths between 1100–1280px" — overflow, truncation, contrast clashes, misaligned columns
- Usability: "Primary signup button labelled 'Continue' is below the fold on a 1366px viewport; visitors don't see it without scrolling" — hidden CTAs, dark patterns, dead-end flows
- Performance: "Hero image is 4.2 MB unoptimized PNG; LCP delayed by ~1.8s on a 3G connection" — render-blocking scripts, oversized payloads, slow third-party calls
- Reliability: "Uncaught TypeError in
analytics.js:142on every pageview — telemetry is silently failing" — console errors, failed network calls, broken images - Security: "Page served over HTTPS but loads
http://cdn.example.com/widget.js— browsers will block this as mixed content" — mixed content, exposed tokens, missing CSP/HSTS - Accessibility: "Login form's password field has no associated
<label>— screen readers will announce it as 'edit text, blank'" — quick a11y wins (full audit is the WCAG test) - Content: "Footer still says '© 2023 Acme Corp'" — stale copy, placeholder text, broken external links, missing legal pages
- SEO & meta: "Page has two
<h1>tags and no<meta name=description>— Google will likely truncate the snippet" — canonical issues, missing Open Graph, duplicate headings
Coverage
Depth
Vision LLM sees the rendered pixels + the DOM + the network behaviour together — catches things pure-static analyzers miss
Viewport
Desktop (1366×900). Mobile + tablet captured in the responsive phase that follows
Throughput
~45–90s per page, including capture and LLM call
- Static observation — doesn't click through multi-step flows (that's Test Flows and Exploratory)
- No keyboard-navigation traversal — WCAG covers that with a dedicated in-browser audit
- No real-device performance profiling — payload sizes and timing only, not CPU/memory traces
- No mobile-specific bug surfacing here — the responsive phase runs separately at 768×1024 and 390×844
- Won't catch issues that only appear post-login or behind interactive state (use the
authoption to authenticate, or define a Custom Test)
Sample finding
// One entry from report.analysis.issues[] { "category": "reliability", "severity": "high", "title": "Uncaught TypeError in analytics.js:142", "description": "Pageviews trigger 'Cannot read properties of undefined (reading \\'session\\')'.\nTelemetry is silently failing on every visit — A/B test data + funnel attribution\nis incomplete from this date forward.", "selector": null, "confidence": 9, "priority": 8, "interestingness": 7, "evidence": ["console.log: TypeError @ analytics.js:142"], "prompt_to_fix_this_issue": "Open analytics.js around line 142.\nThe code reads `window.user.session.id` — `window.user` is undefined for\nsigned-out visitors. Add a null-check, or initialise window.user early." }