Swarm QA (Beta)

Swarm QA is a multi-agent scanning system that deploys specialized AI agents to probe your web application for security, accessibility, and reliability issues — all in parallel.

Swarm QA Dashboard

How It Works

Instead of a single AI agent, Swarm QA launches a coordinated team of agents, each with a specific mission profile. All agents operate simultaneously against your target URL and report findings back to a central dashboard.

Agent Types

Link Patrol

Crawls the application and checks every link for:

Broken links (404, 500 errors).
Redirect chains.
External links pointing to unreachable domains.

HTTP Guard

Inspects HTTP responses for security and correctness:

Missing security headers (CSP, HSTS, X-Frame-Options).
Mixed content warnings (HTTP resources on HTTPS pages).
Cookie configuration issues (SameSite, Secure, HttpOnly).

Runs automated accessibility checks against WCAG and BFSG standards:

Missing alt text, ARIA labels, and landmark regions.
Color contrast violations.
Keyboard navigation issues.

Smoke Flow

Executes rapid functional checks:

Page load verification across all discovered routes.
Console error detection.
Critical rendering failures (blank pages, JavaScript exceptions).

Perf Sentinel

Measures Core Web Vitals and resource performance:

LCP (Largest Contentful Paint) — flags pages exceeding 2.5s.
CLS (Cumulative Layout Shift) — detects visual instability above 0.1.
TTFB (Time to First Byte) — identifies slow server responses.
Large resource detection — images > 500KB, JS/CSS bundles > 300KB.
Total page load time tracking with thresholds.

SEO Recon

Audits search engine optimization across all discovered pages:

Meta tags — title (length 30-60 chars), description (120-160 chars).
Open Graph — og:title, og:description, og:image for social sharing.
Canonical URLs — prevents duplicate content in search engines.
H1 structure — exactly one H1 per page.
robots.txt & sitemap.xml — existence checks.
Structured data — JSON-LD detection.
Duplicate titles — flags identical titles across pages.
Image alt text — counts images without alt attributes.
lang attribute — ensures HTML lang is set.

Form Fuzzer

Tests form validation and security with automated fuzzing:

Empty submit — tries submitting forms with empty required fields.
XSS probes — checks if <script> payloads are reflected in the DOM.
SQL injection — tests common SQL injection patterns.
Overflow — sends 5000+ character strings to uncapped fields.
Edge cases — negative numbers, unicode, special characters.
Error feedback — checks if visible error messages appear on invalid input.
Accessible errors — verifies error messages use ARIA attributes.

API Health

Discovers and tests API endpoints automatically:

Endpoint discovery — intercepts XHR/fetch requests during page load to find API endpoints.
Well-known paths — probes /health, /api/status, /api/health, /graphql.
Status checks — flags non-2xx responses (5xx = high severity, 4xx = medium).
Response time — reports endpoints slower than 2000ms.
Unreachable endpoints — detects connection failures and timeouts.

Presets

Swarm QA ships with predefined mission presets for common scenarios:

Preset	Agents	Time	Pages	Depth	Use Case
Quick Smoke	Link Patrol, Smoke Flow	60s	5	1	CI pipelines, fast health checks
Standard Scan	6 agents (excl. Form Fuzzer)	180s	20	2	Sprint QA, regular checks
Deep Audit	All 8 agents	420s	50	3	Release candidates, thorough audits

In Expert Mode, all parameters (agents, time, pages, screenshots, AI tokens, crawl depth) can be configured manually.

Findings & Criticality

Each agent produces structured findings with classification:

Severity: Critical, High, Medium, Low, Info.
Action Category: Fix-now, Review, Monitor, Ignore/expected.
Scope: First-party (your app) vs. Third-party (external resources).
Location: URL and element where the issue was found.
Evidence: Screenshot, HTTP response, or console log.

Findings are automatically sorted by priority: first-party fix-now issues appear first.

AI Enrichment

When an AI provider is connected, Swarm QA enriches each finding with:

Root Cause Hypothesis — Technical explanation of why the issue occurs.
Business Impact — How the issue affects users.
Suggested Next Action — Actionable fix recommendation.

Tabs

The Swarm QA page is organized into four tabs:

Live

The real-time scan interface. Configure your target URL, choose a preset or use expert mode, and watch findings stream in as agents discover them. Shows agent status, pages visited, and guardrail skip counts.

History

A chronological list of all past scan runs with:

Score badges (0-100) with color coding (green/yellow/red).
Trend arrows showing score improvement or degradation.
Finding counts and fix-now tallies.
Expandable detail view with full findings table per run.
Average score across all runs.

Findings

Aggregated findings across all recent runs, deduplicated and grouped:

Recurring indicator shows how many runs a finding appeared in (e.g., 3/5 runs).
Filter by severity and scope (first-party / third-party).
"Analyze with AI" button sends all aggregated findings to the AI for a comprehensive analysis including:
- Executive summary.
- Critical issues requiring immediate attention.
- Recurring patterns (regression risk).
- Quality trends across runs.
- Prioritized recommended actions.

Schedule

Configure automated background scans:

Interval: Every 30 min, 1h, 4h, 12h, or 24h.
Preset: Choose which scan preset to use for scheduled runs.
Target URL: The URL to scan on each interval.
Enable/disable toggle — schedule persists across app restarts.
Scheduled runs execute silently in the background while the app is open.
Results appear in the History tab.

Note: For 24/7 monitoring without the app running, use the CLI Runner via TeamCity or cron.

Webhook Notifications

Get notified when scheduled scans find issues. Configure webhooks in the Schedule tab:

Platforms: Slack, Microsoft Teams, Discord, or Generic JSON.
Score threshold: Notify when the score drops below a configurable value (default: 70).
Fix-now alerts: Always notify when critical fix-now findings are detected.
Test button: Send a test notification with sample data to verify your webhook URL works.

Webhook payloads include the run score, finding counts, top issues, and assessment — formatted natively for each platform (Slack blocks, Teams adaptive cards, Discord embeds).

Run Comparison

Compare any two runs side by side to identify regressions and improvements:

Select two runs from the History tab and click Compare Runs.
Delta overview: Score change, new issues, resolved issues, unchanged findings.
Fingerprint-based diff: Findings are matched by title + type + severity to detect true new/resolved issues.
Collapsible sections: New, resolved, and unchanged findings grouped and sorted by severity.

Visual Regression

Detect visual changes between runs with pixel-level screenshot comparison:

Automatically compares screenshots from the current run against the most recent previous run for the same target URL.
Uses pixelmatch for accurate pixel-level diffing with a configurable threshold (0.1% default).
Side-by-side view: Baseline, current, and diff images displayed in a three-column layout.
Diff-only view: Focused view highlighting only the changed pixels.
Handles different viewport sizes by cropping to the smaller dimensions.
Visual diffs are cached in {runDir}/visual-diffs/ for later review.

PDF Export

Generate professional PDF reports for sharing and archival:

Single run reports: Export any run from the History tab as a detailed PDF including score badge, summary cards, and full findings table.
Aggregate reports: Export a multi-run overview PDF from the Findings tab, optionally including the AI analysis.
Reports are generated using Electron's native printToPDF — no external dependencies.
A4-optimized layout with professional styling, color-coded severity badges, and score visualization.

Authentication

Swarm QA supports scanning protected pages with configurable authentication:

Login URL, username/password selectors, and submit button selector.
Credentials are stored securely per project.
Success indicator to verify login worked before agents start.

CLI Runner

A headless command-line scanner is available in xyva-runtime for CI/CD integration:

bash

# Standard scan
npm run swarm:run -- --target https://your-app.com

# Quick smoke for CI
npm run swarm:quick -- --target https://your-app.com

# Deep audit with JSON output
npm run swarm:deep -- --target https://your-app.com --json

# Save results to disk
npm run swarm:run -- --target https://your-app.com --out ./results

The CLI scanner:

Crawls same-origin pages up to the configured depth.
Checks HTTP status codes, response times, and external links.
Calculates a score using the same algorithm as the UI.
Exits with code 1 if score < 50 or fix-now issues are found.
Outputs human-readable colored text or --json for machine consumption.

Advanced Deployment Options

Swarm QA is part of the paid core product. Scheduled scans, webhooks, and Ops Portal workflows remain available as private deployment options on request. The opsPortal feature flag controls visibility for those setups.

Limitations (Beta)

Agents do not share session state (each agent starts with a fresh browser context).
Scheduled runs require the app to be open — use the CLI runner for always-on monitoring.
The CLI runner uses lightweight HTTP checks rather than full Playwright browser automation.

Swarm QA (Beta) ​

How It Works ​

Agent Types ​

Link Patrol ​

HTTP Guard ​

A11y Scout ​

Smoke Flow ​

Perf Sentinel ​

SEO Recon ​

Form Fuzzer ​

API Health ​

Presets ​

Findings & Criticality ​

AI Enrichment ​

Tabs ​

Live ​

History ​

Findings ​

Schedule ​

Webhook Notifications ​

Run Comparison ​

Visual Regression ​

PDF Export ​

Authentication ​

CLI Runner ​

Advanced Deployment Options ​

Limitations (Beta) ​