EvidaLux Tools Validation Report

Every run of our 64 audit tools — behaviour lock, agreement with external references, and real-site oracles. Methodology over marketing — bad numbers publish too.
Generated: 2026-07-19T03:01:05.785186+00:00

Section 1 — Cross-Tool Agreement

Diff against industry-reference tools on the same 10-site cohort. cohort: 2026-05-cohort1
21 of 22 plugins measured · cohort coverage 91% · median agreement 1.00
PEND rows mean the reference-tool integration is queued. Each integration may use a different per-site match metric (see plugin.metric). Median agreement is taken across implemented rows only, and each row's agreement is over the sites that could be measured — read it next to coverage, not alone. A row whose coverage is at or below 50% cannot be GREEN (band_capped_by_coverage).
PluginReference toolBandAgreementAgreed / ComparedComparison metric
accessibility.axePa11y (htmlcs runner)GREEN1.0010 / 10hierarchical WCAG agreement (Pa11y htmlcs vs plugin axe-core): T1 filtered-SC Jaccard ≥0.50 · T2 violation-presence boolean · T3 noise tolerance (one side empty ≤ engine noise floor 2). WCAG 4.1.1 (deprecated in 2.2) excluded from both sides.
compliance.iab_tcfhttpx + lxml + Set-Cookie scanGREEN1.008 / 8
2 of 10 sites unmeasured
boolean TCF-surface agreement (independent vantage: Set-Cookie inspection for euconsent-v2 + raw-text JS-marker scan + lxml DOM parse — plugin uses BeautifulSoup + script-body scan only; empty/empty = both agree page has no IAB CMP)
compliance.iab_tcf_verifiedPlaywright + iab-tcf (TC-string decode)GREEN1.008 / 8
2 of 10 sites unmeasured
cmp_id agreement (independent Playwright probe + iab-tcf library decode of tcString vs plugin's JS-callback cmpId; divergence = CMP misconfiguration. Empty/empty = both unable to probe — common when playwright is missing from env)
quality.api_testschemathesis (OpenAPI / Swagger spec loader)GREEN1.006 / 6
4 of 10 sites unmeasured
discovered-endpoint set-Jaccard ≥0.40 with mutual-empty match + |union| ≤2 small-set noise floor. Reference = schemathesis OpenAPI 2.0 / 3.x loader, probing 13 common spec locations (/openapi.json, /swagger.json, /v3/api-docs, /api-docs, /api/openapi.json, ...); spec content-sniffed (must contain `openapi`/`swagger` token) so HTML catch-alls don't false-positive. Plugin = quality.api_test's `_discover_endpoints` discovery sub-component called DIRECTLY (bypassing the registry runner) so the 50-request rate-limit burst probe doesn't fire — the cross-tool is comparing the discovery surface, and firing the burst against 10 cohort sites daily would add ~500 net-new requests/day of noise without signal. Paths normalised both sides: {param} placeholders + concrete digit / UUID / long-hex segments → {}, lowercased, trailing slash stripped — so spec-driven enumeration and convention-probe heuristics meet at the static-prefix shape. 0.40 threshold (vs 0.50 elsewhere) reflects fundamental engine heterogeneity (spec enumeration vs convention probing); most cohort sites hit mutual-empty match (no public OpenAPI spec AND no responding conventional /api* path).
quality.lighthouse_perfGoogle PageSpeed Insights APIGREEN1.009 / 9
1 of 10 sites unmeasured
accessibility delta ≤10 vs PSI v5 (strict, DOM-static — the environment-stable axis); performance + best-practices deltas ≤45 each (sanity cap — Lighthouse FAQ documents these categories as throttle/network-divergent between PSI's GCE upstream + production Chromium and our local subprocess; agreement metric reports per-category deltas in detail for transparency rather than averaging the strict a11y delta into the noisy perf/bp deltas)
quality.owasp_zap_scannuclei cve+exposure+misconfig templatesGREEN1.008 / 8
2 of 10 sites unmeasured
HIGH/CRITICAL presence boolean (nuclei cve+exposure+misconfig templates vs plugin's ZAP spider+active-scan alerts; mirror of vulnerability_nuclei↔ZAP — set-Jaccard on rule IDs is undefined across two engines with disjoint namespaces; agreement = both surface at least one HIGH/CRITICAL OR both are clean of HIGH/CRITICAL)
quality.responsive_testGoogle PageSpeed Insights API (Lighthouse mobile-friendly audits subset)GREEN0.909 / 103-axis responsive feature-vector agreement ≥2/3 (overflow / small_text / tap_targets). Reference = PSI Lighthouse mobile-strategy audits — content-width (overflow), font-size (small_text), tap-targets — scoring an axis as 'issue' when audit score is non-null AND < 0.9 (mirrors meta_tags charitable projection). Plugin = Playwright Chromium 3-viewport probe (mobile 375×812 / tablet 768×1024 / desktop 1440×900) projected to overflow / small_text axes; tap_targets has no plugin equivalent (always False on plugin side) so it's surfaced for transparency but ≥2/3 threshold means the 2 instrumented axes carry the agreement signal. Plugin runtime_error (Chromium / playwright missing in env) → site _skip with PEND, same env-graceful treatment as iab_tcf_verified.
quality.vulnerability_nucleiOWASP ZAP REST API (baseline + passive)GREEN1.0010 / 10HIGH/CRITICAL presence boolean (OWASP ZAP spider + passive-scan alerts vs nuclei cve/exposure/misconfig/tech templates; engines and rule sets differ, so cross-tool set-Jaccard is undefined — agreement = both surface at least one HIGH/CRITICAL OR both are clean of HIGH/CRITICAL)
search.lighthouse_seoGoogle PageSpeed Insights APIGREEN1.009 / 9
1 of 10 sites unmeasured
seo score within ±10 of PSI v5 (mobile+desktop avg)
security.exposed_filesnuclei http/exposures/{files,configs} templatesGREEN1.0010 / 10leaked-path set-Jaccard ≥0.50 (nuclei http/exposures/{files,configs} templates vs plugin's custom path-prober + content-sniffer; both emit a set of leaked URL paths per origin; empty/empty = both agree origin has no exposures)
security.headersMozilla Observatory v2 (MDN)GREEN1.008 / 8
2 of 10 sites unmeasured
letter grade within one band of Mozilla Observatory v2 (#685). Adjudicated against Observatory + hand curl: the two scales weight headers differently — chiefly a missing CSP, which Mozilla penalises to F where we land at D — so this compares relative posture, not an absolute grade, and a two-band gap is a real methodology difference, not a plugin bug. Sites that answer our fetch with a 4xx/5xx anti-bot wall (their real posture is behind the wall) are dropped, not scored.
security.tls_deepSSL Labs APIGREEN1.009 / 9
1 of 10 sites unmeasured
A-F grade-band agreement within ±1 letter (Qualys SSL Labs API v3 vs plugin's score-deduction grader; engines disagree on HSTS-preload + OCSP-stapling weightings the plugin's v1.0 doesn't probe, so exact-grade equality would over-penalize — the broad health bucket is the defensible signal)
seo.broken_linkslinkchecker (W3C)GREEN0.909 / 10in-domain set-Jaccard ≥0.50 OR union ≤2 small-set noise floor (linkchecker --recursion-level=1 --check-extern; external broken findings counted in transparency but excluded from agreement; small-set floor recognises that heterogeneous crawlers — linkchecker BFS vs our SharedFetcher — legitimately diverge on the single-broken-URL case from JS-injection, sitemap-only references, or anti-bot 403/200 flips)
seo.canonical_auditlxml + httpx canonical-chain followerGREEN1.0010 / 104-axis canonical classification agreement ≥3/4 (canonical_present / self_canonical / cross_host / chain_two_hop). Reference = vanilla httpx + lxml clean-room reimplementation of the plugin's chain-follow logic. Independent fetcher (no SharedFetcher etag/cache layer) and parser (lxml vs BeautifulSoup4). Plan §3.2 nominally maps this to Lighthouse SEO subset, but PSI's canonical audit doesn't follow chains — would silently drop the plugin's distinguishing checks; this row's purpose is to cross-tool exactly those.
seo.freshnesshttpx + lxml independent sitemap lastmod walkerYELLOW0.898 / 9
1 of 10 sites unmeasured
stale_ratio agreement within ±0.20 (httpx + lxml independent sitemap.xml lastmod walker vs plugin's combined sitemap + JSON-LD + HTTP Last-Modified scan; same 540-day stale cut-off, 50-URL cap; clean-room ref intentionally skips secondary signals so any plugin regression in sitemap parsing surfaces in the agreement number)
seo.hreflang_validatorlangcodes (BCP 47) + lxmlGREEN1.008 / 8
2 of 10 sites unmeasured
set-equality on invalid hreflang codes (langcodes/BCP 47 vs plugin regex; same page parsed independently via lxml vs BeautifulSoup; empty/empty = no hreflang or all codes pass)
seo.meta_tagsGoogle PageSpeed Insights API (Lighthouse SEO audits subset)YELLOW0.707 / 106-axis meta-tag feature-vector agreement ≥5/6 (title / description / viewport / canonical / is-crawlable / html-has-lang). Reference = PSI Lighthouse SEO audits (charitable OR across mobile+desktop strategies); plugin = BeautifulSoup raw-HTML parse. H1-count + Open Graph completeness excluded — no Lighthouse equivalent (kept in plugin output for customer reports). Lighthouse renders real Chromium with JS, so SPA-injected meta tags surface as divergence — the cross-tool's most valuable signal in this row.
seo.robots_txt_auditGoogle robotstxt parserGREEN0.909 / 10boolean homepage indexability agreement (Protego vs plugin verdict on User-agent: *; empty/empty = both report no readable robots.txt)
seo.sitemaphttpx + lxml inline-XSD sitemap.org 0.9 validatorGREEN0.909 / 10sitemap presence boolean parity + URL count delta ≤ max(10% of larger, 2 small-set noise floor). Reference = vanilla httpx + lxml with inline sitemap.org 0.9 XSD (urlset + sitemapindex schemas embedded clean-room, not fetched). Independent fetcher (no SharedFetcher), independent XSD-validation pipeline (plugin only well-formedness-checks). Both sides mirror plugin discovery (robots.txt Sitemap: directives → /sitemap.xml fallback, cap 5 docs) and count top-level <loc> only — no recursion into sitemap-index children — so URL counts are apples-to-apples; ref XSD-valid count surfaced in per-site detail for schema-conformance transparency.
seo.structured_datavalidator.schema.orgPENDIntegration queued
tech.dns_healthdig +dnssec + Google DNS-over-HTTPSGREEN1.0010 / 107-axis DNS posture feature-vector agreement ≥6/7 (AAAA / NS≥2 / SPF / DMARC-present / DMARC-strong / CAA / DNSSEC). Reference = OR of dig (BIND binary, system resolver) and Google DoH (independent resolver via HTTPS); plugin = dnspython. DKIM excluded — selector probing is informational only (selectors are private, miss ≠ absence).
tech.stack_detectionpython-Wappalyzer (open-source fingerprint engine)GREEN0.909 / 10set-Jaccard ≥0.30 within the plugin-detectable tech universe (python-Wappalyzer 2,000+ fingerprints filtered to the ~40 techs our PATTERNS table claims to fingerprint, so detector-coverage gaps — databases, OSes, build tools — don't count as plugin failures; name aliases normalised; small-set floor when filtered union ≤2; full Wappalyzer detections surfaced in ours_only_outside_universe / ref_only_outside_universe for transparency)

Section 2 — Real-World Correctness

Plugin findings on random real sites (US/Europe/Turkey/Arab/South America) scored against a real-browser + HTTP ground truth. Unreachable sites are INCONCLUSIVE (never gate); a gate failure is a false positive/negative on a reachable site.
RegionWhenVerdictReachableInconclusiveFPFN
arab, europe, south_america, turkey, us2026-07-19 02:37 UTCFAIL881210
arab, europe, south_america, turkey, us2026-07-18 20:31 UTCPASS851500
arab, europe, south_america, turkey, us2026-07-18 19:22 UTCFAIL841650
arab, europe, south_america, turkey, us2026-07-18 18:18 UTCPASS18700
arab, europe, south_america, turkey, us2026-07-18 18:00 UTCFAIL20530
arab, europe, south_america, turkey, us2026-07-18 16:09 UTCFAIL205441
arab, europe, south_america, turkey, us2026-07-04 06:08 UTCFAIL20511
arab, europe, south_america, turkey, us2026-07-03 06:20 UTCFAIL19611

Latest run — 2026-07-19 02:37 UTC

PluginConfirmedFPFNInconclusive
accessibility.eaa_mapping000174
compliance.accessibility_statement770099
compliance.age_verification00088
compliance.ai_disclosure00088
compliance.child_consent00088
compliance.cookie_consent000198
compliance.cross_border_transfer000176
compliance.dark_pattern8800176
compliance.data_subject_request80080
compliance.dpo_contact00088
compliance.eu_representative00088
compliance.geo_consistency000176
compliance.iab_tcf00088
compliance.iab_tcf_verified60082
compliance.legal_disclosure8500179
compliance.odr_link88000
compliance.pay_or_consent_wall00088
compliance.pricing_indication000176
compliance.privacy_policy_content3700120
compliance.purchase_disclosure000176
compliance.required_pages2800072
quality.api_test000225
security.exposed_files1650011
security.headers62700306
security.tls_deep2561090
seo.broken_links330035
seo.canonical_audit52005
seo.duplicate_content00089
seo.freshness350027
seo.hreflang_validator76007
seo.meta_tags163000
seo.robots_txt_audit17001
seo.sitemap86005
seo.structured_data820010
tech.dns_health35200176
tech.stack_detection00088

Wrong findings — latest run (gate)

  • false_positive security.tls_deep/tls.no_https — https://www.isbank.com.tr/ — TLS handshake succeeded independently

Past reports

Legend — column meanings

Cross-Tool Agreement

Plugin
The audit tool we are validating (e.g. seo.lighthouse_seo).
Reference tool
The industry-standard tool whose findings we compare against on the same site (e.g. PageSpeed Insights, Pa11y, W3C linkchecker, Mozilla Observatory).
Band
Bucketed from the agreement score:
GREEN agreement ≥ 0.90.
YELLOW agreement ≥ 0.70.
RED below 0.70.
Agreement
How much our plugin and the reference tool produce the same verdict, on the same site, on the same 10-site cohort (0.00–1.00). High = strong industry consensus that we are seeing the same thing.
Agreed / Compared
On each of the 10 cohort sites, did our plugin and the reference tool give the same verdict? The left number is how many sites we agreed on; the right is how many sites we could actually compare (if either tool fails on a site — timeout, blocked, 5xx — that site does not count).
Comparison metric
Short description of how the agreement number is computed for this pair (e.g. "in-domain Jaccard", "score delta ≤ 5"). The metric is plugin-specific because each reference tool exposes its findings differently.