Live in-browser test runner at /tests

[brianmhunt]

Summary

New `/tests` page ships a live, in-browser Mocha runner for the TKO spec suite. Visit the URL in any real browser and watch every spec execute against real TKO + real DOM. 2708 pass / 0 fail / 42 pending (pre-existing `it.skip`s) across 145 spec files in ~10s.

Two modes:

• source (default) — iframe-per-spec, isolated module graph per spec. Runs the current in-tree TKO.
• build (`?suite=build&pkg=knockout|reference&ver=X`) — loads a published `@tko/build.` version from jsdelivr and runs only the version-portable `builds//spec/` bundle. Lets anyone verify a published version without cloning.

"Tests" pill added to the top nav next to "Playground".

Architecture

• Bundler (`tko.io/scripts/bundle-tests.mjs`) — emits three outputs:

  • `public/tests/build-bundle.js` — IIFE for build mode.
  • `public/tests/source/setup.js` — IIFE with inlined ko + `browser-setup.js`. Loaded via `<script>` in `tests-frame.html` so globals are ready before any spec module evaluates.
  • `public/tests/source/.js` — one ESM chunk per spec file (`packages//spec/**/.ts` + `builds//spec/**/.{js,ts}`), code-split via esbuild for dedup.
  • `public/tests/source/manifest.json` — lists each spec's slug, file path, and `needsFocus` flag (grep-based).

• Iframe harness (`public/tests-frame.html`) — classic script loads mocha, `mocha.setup('bdd')`, `setup.js` (globals + ko), then dynamic-imports the per-spec ESM chunk. Mocha runner events post back to parent via `postMessage`.

• Parent page (`src/pages/tests.astro`) — TKO-written view model (`ko.observable`, `pureComputed`, `data-bind`; dogfood), receives `postMessage` events, renders reactive suite tree + chips + progress bar.

• Split queue for concurrency:

  • Phase 1: 140 non-focus specs run in parallel (pool=4) in a hidden offscreen host.
  • Phase 2: 5 focus-requiring specs (flagged at bundle time by grepping spec source for `hasfocus`, `.focus(`, `focusin`, `focusout`, `activeElement`) run serially in the visible `#workarea` so each holds sole system focus. Chromium only grants `contentWindow.focus()` system focus to one iframe at a time.

Notable gotchas shipped with fixes

• esbuild chunk ordering reorders ESM imports. Earlier attempts put ko + browser-setup as imports in each per-spec wrapper; the code-splitter hoisted the spec's chunk above the ko + setup chunks. Fix: move ko + setup into a dedicated IIFE loaded by `<script>` tag, outside the module graph entirely.

• Chromium gates `contentWindow.focus()` system focus on iframe layout. Off-screen / 1×1 / opacity:0 iframes never pass `document.hasFocus() === true` inside; `focusin` / `focusout` events never fire. Fix: visible `#workarea` region at the bottom of the page renders the focus-requiring iframe full-size with real layout.

• Scoped Astro CSS doesn't apply to dynamically-created iframes. Switched iframe styles to inline `style.cssText` rather than `className`.

• Specs referenced `ko.*` at module top. ESM imports hoist; wrapper's `globalThis.ko = ko` top-level statement ran after the spec. Fix: classic `<script src="/lib/ko.js">` in the frame loads a knockout IIFE synchronously before any module.

• Dev-mode class-identity collisions. Wrapper's imports hit `packages//src/index.ts` via explicit esbuild `alias`; a `distToSrcPlugin` rewrites `../dist` imports (used pervasively in source specs) to `../src` so one module graph wins.

• Spec hygiene fixes that surfaced as the isolation improved: `restoreAfter(options, 'bindingGlobals')` in `packages/utils.parser/spec/identifierBehaviors.ts`, `restoreAfter(options, 'filters'/'bindingProviderInstance')` in `packages/builder/spec/builderBehaviors.ts`, whitespace-tolerant assertions in `packages/binding.if/spec/elseBehaviors.ts` and `packages/binding.component/spec/componentBindingBehaviors.ts`.

UI

• Header chips: ✓ pass · ✖ fail · ○ pending · done/total · elapsed.
• Progress bar ticks as specs complete.
• Suite tree grouped by spec file; failed suites auto-expand with per-test stack trace.
• Visible `#workarea` at the bottom shows the current focus spec running live.
• `?pool=N` for non-focus parallelism; `?grep=` for filter.

Test plan

• Merge, confirm `deploy-docs.yml` deploys `/tests`, `/tests-frame.html`, `/tests/source/*`.
• Visit `https://tko.io/tests\` — expect 2708 pass / 0 fail / 42 pending / ~10s.
• Visit `https://tko.io/tests?suite=build&pkg=knockout\` — expect ~956 pass / 3 fail against latest.
• Nav "Tests" pill clickable.

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added a Tests page and header link to run and inspect tests in "source" and "build" modes with per‑spec reporting and live progress.

• Bug Fixes

  • Made many test assertions resilient to extra whitespace and ensured test state is reset between specs.
  • Improved iframe focus handling so focus‑dependent tests run reliably.

• Tests

  • Bundled and served in‑browser test artifacts with per‑spec iframes, parallel/serial execution, and detailed pass/fail reporting.

• Chores

  • Updated site build to bundle tests and ignored generated test output.

[coderabbitai]

Warning

Rate limit exceeded

@brianmhunt has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 41 minutes and 45 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 41 minutes and 45 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b1ec5cb6-dc71-4f1b-9a16-47bdebb9503a

📥 Commits

Reviewing files that changed from the base of the PR and between c5bd8d7 and a7b0a5f.

📒 Files selected for processing (2)

• AGENTS.md
• plans/browser-test-runner.md

📝 Walkthrough

Walkthrough

Adds an in-browser Mocha test ecosystem: a browser test setup module that exposes test globals and patches focus/it semantics, per-spec iframe harness and bundling tooling, a /tests UI to run source/build suites, and small spec fixes to improve isolation and whitespace resilience.

Changes

Cohort / File(s)	Summary
Browser test runtime & helpers builds/knockout/helpers/browser-setup.js	New browser Mocha init: assigns chai/expect/sinon to globalThis, forces isHappyDom false, merges punctuation filters into shared options, patches HTMLElement.prototype.focus/blur inside iframes, restores sinon afterEach, sets ko.options.jsxCleanBatchSize=0 in a top-level before, and wraps it/it.only to support Vitest-style 1-arg tests.
Iframe harness tko.io/public/tests-frame.html	New per-spec iframe page that synchronously loads /tests/source/setup.js, dynamically imports a spec by ?spec=<slug>, runs Mocha, renders results, and posts lifecycle events (start, pass, fail, pending, end, import-error) to the parent.
Test bundle generator tko.io/scripts/bundle-tests.mjs	New build script: discovers specs, writes per-spec ESM wrappers and manifest.json (slug, file, suite, needsFocus), detects focus-needing specs, and emits three esbuild outputs (build-bundle, setup IIFE, per-spec ESM chunks) with a dist→src rewrite plugin.
Test runner UI tko.io/src/pages/tests.astro	New /tests page: source/build modes, fetches manifest or npm versions, loads Mocha and selected build bundle, runs specs (parallel offscreen for non-focus, serial visible for focus-required), aggregates stats, and updates suite/test UI via postMessage events.
Site integration tko.io/package.json, tko.io/src/components/Header.astro, tko.io/.gitignore	Runs bundle-tests.mjs in prebuild, adds "Tests" link to header, and ignores public/tests/.
Spec hygiene & assertions packages/binding.component/spec/componentBindingBehaviors.ts, packages/binding.if/spec/elseBehaviors.ts, packages/builder/spec/builderBehaviors.ts, packages/utils.parser/spec/identifierBehaviors.ts, packages/binding.foreach/spec/eachBehavior.ts	Test adjustments: normalize innerText whitespace comparisons, replace long timeouts with next-frame waits, and add restoreAfter(...) calls to revert shared @tko/utils mutations to avoid cross-test pollution.
Misc tko.io/public/tests-frame.html (added file)	Adds the HTML harness page used by the UI and bundle runner. (Note: file also listed in Iframe harness cohort.)

Sequence Diagrams

sequenceDiagram
    actor User
    participant TestPage as tko.io /tests Page
    participant Manifest as /tests/source/manifest.json
    participant Iframe as Spec Iframe
    participant Parent as Parent Window

    User->>TestPage: Load /tests?suite=source
    TestPage->>Manifest: Fetch manifest.json
    Manifest-->>TestPage: Return specs with needsFocus flag

    rect rgba(200,150,100,0.5)
    Note over TestPage,Iframe: Phase 1 — Parallel offscreen (no focus)
    loop for each non-focus spec
        TestPage->>Iframe: Create tiny offscreen iframe (spec=slug)
        Iframe->>Iframe: Load /tests/source/setup.js and browser-setup
        Iframe->>Iframe: import /tests/source/{slug}.js
        Iframe->>Iframe: Run Mocha tests
        Iframe-->>Parent: postMessage(pass/fail/pending/end)
        Parent->>TestPage: Aggregate results
    end
    end

    rect rgba(150,200,100,0.5)
    Note over TestPage,Iframe: Phase 2 — Serial visible (focus required)
    loop for each focus-requiring spec
        TestPage->>Iframe: Create visible iframe, focus it (spec=slug)
        Iframe->>Iframe: Load setup + spec, run Mocha with focus events patched
        Iframe-->>Parent: postMessage(pass/fail/pending/end)
        Parent->>TestPage: Update UI & stats
    end
    end

    TestPage->>User: Display final aggregated results

Loading

sequenceDiagram
    actor User
    participant TestPage as tko.io /tests Page
    participant NPM as npm Registry
    participant CDN as jsDelivr
    participant Mocha as Mocha (browser)

    User->>TestPage: Load /tests?suite=build
    TestPage->>NPM: Fetch `@tko/build.<pkg>` versions
    NPM-->>TestPage: Return versions
    TestPage->>CDN: Load Mocha and selected `@tko/build` bundle
    CDN-->>TestPage: Scripts loaded
    TestPage->>TestPage: Load /tests/build-bundle.js
    TestPage->>Mocha: mocha.run()
    loop each spec in bundle
        Mocha->>Mocha: Execute test
        Mocha-->>TestPage: Emit runner events (pass/fail/pending/end)
        TestPage->>User: Update aggregated stats
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Fix intermittent happy-dom teardown race in JSX clean queue #337 — Related change to set ko.options.jsxCleanBatchSize = 0 in tests (same option targeted).
• Chai update / Karma-Tree-Shaking #285 — Related migration for providing Chai/Sinon to browser tests (ESM/global provisioning).
• Replace Karma with Vitest, add Bun support #303 — Overlaps in-browser test setup and helper shims (vitest/mocha setup convergence).

Poem

🐰 I hopped in frames where tiny specs reside,

I patched focus, set globals, and opened wide,
Bundles, manifests, messages on the run—
Tests marched through iframes till the job was done.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly summarizes the primary change: a new live in-browser test runner accessible at the /tests route with real-time Mocha test execution.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/browser-test-runner

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 585c32828e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve suite=build when submitting build form

When the page is opened in build mode (/tests?suite=build), submitting the form drops the suite query param because this branch only writes it when suite !== 'build'. On reload, Page() defaults to source if suite is absent, so clicking Run immediately exits build mode and ignores the selected build/version settings. This breaks the primary build-mode interaction loop.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Keep build-mode bundle independent of local build imports

This loop inlines every build spec into build-bundle.js, including builds/reference specs that import local modules (.. and ../dist/browser.min). Because those imports are bundled from the checkout, /tests?suite=build&pkg=...&ver=... is no longer testing only the selected CDN artifact; part of the run executes local build code, which can mask or misattribute published-version regressions.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

Adds a new in-browser Mocha runner to the tko.io docs site at /tests, including a bundling pipeline and harness pages so the TKO spec suite can be executed directly in a real browser (either against in-tree source or against a published build via jsDelivr).

Changes:

• Add /tests parent page UI (TKO-driven) plus tests-frame.html iframe harness to execute specs and aggregate results.
• Add tko.io/scripts/bundle-tests.mjs and wire it into tko.io prebuild to generate public/tests/* bundles + a manifest.
• Add browser-specific spec setup + a few spec hygiene fixes (state restoration, whitespace normalization) uncovered by the runner.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
tko.io/src/pages/tests.astro	New /tests page UI + orchestrator for build/source modes and iframe scheduling.
tko.io/src/components/Header.astro	Adds “Tests” link to site header nav.
tko.io/scripts/bundle-tests.mjs	New bundler script producing build/source bundles and a manifest for the runner.
tko.io/public/tests-frame.html	New per-spec iframe harness loading mocha + setup + the spec chunk and posting results to parent.
tko.io/package.json	Extends prebuild to generate the /tests bundles.
tko.io/.gitignore	Ignores generated public/tests/ output.
packages/utils.parser/spec/identifierBehaviors.ts	Restores mutated options to prevent cross-spec state leakage in the new runner.
packages/builder/spec/builderBehaviors.ts	Restores shared options fields to prevent cross-spec state leakage in the new runner.
packages/binding.if/spec/elseBehaviors.ts	Makes innerText assertions whitespace-tolerant in real browsers.
packages/binding.component/spec/componentBindingBehaviors.ts	Makes innerText assertions whitespace-tolerant in real browsers.
builds/knockout/helpers/browser-setup.js	Adds browser-mode test setup (globals, focus polyfill, sinon cleanup, ctx-style it shim).

[Copilot]

grep is compiled via new RegExp(page.grep().trim(), 'i') without guarding against invalid patterns. An invalid regex (e.g. () will throw and abort source-mode execution. Wrap the RegExp construction in try/catch and surface a friendly validation error (or treat the input as a literal substring match when invalid).

Suggested change

	const rx = new RegExp(page.grep().trim(), 'i')
	specs = specs.filter(s => rx.test(s.file) || rx.test(s.slug))
	const grep = page.grep().trim()
	try {
	const rx = new RegExp(grep, 'i')
	specs = specs.filter(s => rx.test(s.file) || rx.test(s.slug))
	} catch (e) {
	const literal = grep.toLowerCase()
	specs = specs.filter(s =>
	s.file.toLowerCase().includes(literal) || s.slug.toLowerCase().includes(literal)
	)
	}

[Copilot]

The message event handler accepts data from any origin/source and trusts e.data fields. Since iframes use postMessage(..., '*'), another window/frame could spoof results or prematurely end a spec by posting a matching {slug,type} message. Please restrict handling to e.origin === location.origin and e.source belonging to one of the runner iframes (track iframe.contentWindow per slug), and consider using a non-wildcard targetOrigin for postMessage.

[Copilot]

Header comment disagrees with runtime behavior: it says build mode is the default and source mode is opt-in, but the code defaults suite to 'source' and the PR description also states source is default. Please update the comment (and the URL params block) to match the actual defaults to avoid confusion.

[Copilot]

.suite-head is a clickable <div> with no keyboard affordances (no role/tabindex/keydown handling). This makes the suite expand/collapse inaccessible to keyboard and assistive tech users. Prefer a <button> for the header (or add role="button", tabindex="0", and Enter/Space key handling).

Suggested change

	<div class="suite-head" data-bind="click: toggle">
	<span class="name" data-bind="text: file"></span>
	<span class="meta" data-bind="text: pass() + ' / ' + total()"></span>
	</div>
	<button type="button" class="suite-head" data-bind="click: toggle, attr: { 'aria-expanded': open }">
	<span class="name" data-bind="text: file"></span>
	<span class="meta" data-bind="text: pass() + ' / ' + total()"></span>
	</button>

[Copilot]

The CSS class .iframe-hidden is defined but never applied; hidden iframes are currently styled via iframe.style.cssText in runOne(). Consider removing the unused class (or switching runOne() to apply it) to keep the page CSS aligned with the implementation.

Suggested change

	/* Spec iframes need full viewport-sized layout for Chromium
	to grant `iframe.contentWindow.focus()` true system focus.
	Tiny (1×1 or 0×0) or off-viewport (left:-10000px) iframes
	get denied — `document.hasFocus()` inside stays false,
	`focusin`/`focusout` events never fire, 34 hasfocus tests
	fail. Full-viewport iframe with `opacity:0` +
	`pointer-events:none` + `z-index:-1` gives the iframe the
	layout area Chromium needs while remaining invisible and
	non-interactive to the user. Pool=1 means at most one
	such iframe is live at a time, so nothing stacks on top
	of the page chrome. */
	.iframe-hidden {
	position: fixed;
	inset: 0;
	width: 100vw;
	height: 100vh;
	border: 0;
	opacity: 0;
	pointer-events: none;
	z-index: -1;
	}

[Copilot]

The block comment says the per-spec wrapper imports knockout + browser-setup + the spec, but the current architecture loads /tests/source/setup.js via a classic <script> tag and the wrapper only imports the spec module. Please update this comment to reflect the current setup so future changes don't rely on outdated assumptions.

Suggested change

	the key of a spec module under /tests/source/. The spec's
	wrapper imports the knockout build, browser-setup, and the
	the key of a spec module under /tests/source/. This iframe
	first loads `/tests/source/setup.js` via a classic `<script>`
	tag, then the inline module script imports only the selected

[Copilot]

bundle-tests.mjs relies on glob from node:fs/promises. The repo doesn't pin a Node version for the docs build workflow (deploy-docs.yml doesn't run setup-node), so this can break depending on the runner's preinstalled Node version. Consider using a dependency with a stable API (e.g. fast-glob/tinyglobby) or run this script under Bun and use Bun.Glob, so the runtime is pinned by .tool-versions.

[Copilot]

In build mode, pkg and ver come straight from location.search and are interpolated into a jsDelivr script URL. As-is, a crafted query string could cause this page to load and execute an arbitrary third-party script. Please validate/allowlist pkg (knockout|reference) and constrain ver (e.g., latest or a semver-like value) before constructing koUrl, falling back to safe defaults on invalid input.

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@builds/knockout/helpers/browser-setup.js`:
- Around line 1-173: Run the Biome formatter on this JavaScript module and
commit the resulting changes so lint-and-typecheck no longer reports formatting
diffs; specifically, format the file that defines globals like
sharedOptions.filters, HE.__tkoFocusPatched, the before() hook adjusting
ko.options.jsxCleanBatchSize, and the it-wrapping logic (wrap/origIt/wrappedIt),
then stage and commit the formatted file so the CI lint step passes.

In `@tko.io/public/tests-frame.html`:
- Around line 71-82: Replace all uses of parent.postMessage(..., '*') in the
test harness with a same-origin targetOrigin (e.g. window.location.origin) so
messages are only delivered to the embedding /tests page; update every call site
referenced in this diff — the runner.on('pass', ...), runner.on('fail', ...),
runner.on('pending', ...), runner.on('end', ...), the initial
parent.postMessage({ type: 'start', ... }), and the catch block
parent.postMessage({ type: 'import-error', ... }) — to pass the same-origin
string instead of '*'.

In `@tko.io/src/pages/tests.astro`:
- Around line 473-493: The message handler registered with
window.addEventListener('message', ...) trusts any postMessage payload; tighten
it by validating the event origin and source before processing: check
event.origin (and optionally event.source === expectedIframe.contentWindow or
verify a known allowed origins list) and only proceed when the origin/source
match; then perform the existing logic that looks up specs (specs.find(...)),
computes key, calls page.ensureSuite(key), updates suite.running(...) and calls
page.recordTest(...). Apply the same validation in the other matching listener
block that handles messages on lines 538-543 so only messages from the intended
iframe are accepted.
- Line 325: The inline parseInt can produce NaN (e.g. ?pool=abc) and Math.max(1,
NaN) yields NaN, so replace the expression used to set self.pool with a
safe-parse + clamp: read qs.get('pool'), parseInt into a local variable (p), if
p is NaN default to a sensible DEFAULT_POOL (e.g. 4), then clamp to a MAX_POOL
(e.g. 16) using Math.min/Math.max before assigning to self.pool; update any
usage that relies on self.pool (e.g. the worker creation logic referenced around
the code that creates workers at line creating zero workers) to use this
validated value. Ensure you reference the symbols qs.get, parseInt, and
self.pool when making the change.
- Around line 371-378: The onSubmit handler currently omits the suite query when
self.suite() === 'build', which drops suite=build on submit; update the onSubmit
function (the self.onSubmit block) to always include the suite parameter (e.g.,
call next.set('suite', self.suite()) unconditionally) so the current suite
selection (including 'build') is preserved when setting location.search.
- Around line 464-466: Wrap the RegExp construction in a try/catch so malformed
grep values from page.grep() don't throw and abort the runner: attempt const rx
= new RegExp(page.grep().trim(), 'i') inside a try block, and in the catch set
specs to [] (or otherwise filter nothing) and record the failure (e.g.,
console.error or push an error to the page/test runner) so the runner continues
and reports a useful error; keep the existing specs = specs.filter(s =>
rx.test(s.file) || rx.test(s.slug)) logic unchanged when the RegExp succeeds.
- Line 545: The safety timeout currently calls safetyTimer = setTimeout(finish,
30000) which lets a hung iframe silently complete; change the timeout handler to
record the timeout as a failure for the current spec/iframe before finishing —
e.g., replace the direct finish call with a small wrapper that logs or pushes a
failure (use the existing finish, recordFailure or testResults append logic and
the current spec/iframe identifier used in this file) and then calls finish(),
and ensure safetyTimer still clears appropriately; reference symbols:
safetyTimer, finish, and the current spec/iframe identifier used in this file.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1727307e-879e-4452-9138-ccc51ba0d644

📥 Commits

Reviewing files that changed from the base of the PR and between 5657f94 and 585c328.

📒 Files selected for processing (11)

• builds/knockout/helpers/browser-setup.js
• packages/binding.component/spec/componentBindingBehaviors.ts
• packages/binding.if/spec/elseBehaviors.ts
• packages/builder/spec/builderBehaviors.ts
• packages/utils.parser/spec/identifierBehaviors.ts
• tko.io/.gitignore
• tko.io/package.json
• tko.io/public/tests-frame.html
• tko.io/scripts/bundle-tests.mjs
• tko.io/src/components/Header.astro
• tko.io/src/pages/tests.astro

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Constrain postMessage to the same origin.

The harness is intended to report only to the same-origin /tests page, so avoid broadcasting test titles, failures, and stacks to any embedding parent.

🔒 Proposed tightening

+          const post = message => parent.postMessage(message, location.origin)
           const runner = mocha.run()
-          runner.on('pass', t => parent.postMessage({ type: 'pass', slug, title: t.fullTitle(), duration: t.duration }, '*'))
-          runner.on('fail', (t, err) => parent.postMessage({
+          runner.on('pass', t => post({ type: 'pass', slug, title: t.fullTitle(), duration: t.duration }))
+          runner.on('fail', (t, err) => post({
             type: 'fail', slug, title: t.fullTitle(), duration: t.duration,
             err: (err?.message || String(err)),
             stack: err?.stack
-          }, '*'))
-          runner.on('pending', t => parent.postMessage({ type: 'pending', slug, title: t.fullTitle() }, '*'))
-          runner.on('end', () => parent.postMessage({ type: 'end', slug, stats: runner.stats }, '*'))
-          parent.postMessage({ type: 'start', slug, total: runner.total }, '*')
+          }))
+          runner.on('pending', t => post({ type: 'pending', slug, title: t.fullTitle() }))
+          runner.on('end', () => post({ type: 'end', slug, stats: runner.stats }))
+          post({ type: 'start', slug, total: runner.total })
         } catch (err) {
           document.getElementById('err').textContent = 'import failed: ' + (err?.message || err)
-          parent.postMessage({ type: 'import-error', slug, err: err?.message || String(err) }, '*')
+          parent.postMessage({ type: 'import-error', slug, err: err?.message || String(err) }, location.origin)
         }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	runner.on('pass', t => parent.postMessage({ type: 'pass', slug, title: t.fullTitle(), duration: t.duration }, '*'))
	runner.on('fail', (t, err) => parent.postMessage({
	type: 'fail', slug, title: t.fullTitle(), duration: t.duration,
	err: (err?.message || String(err)),
	stack: err?.stack
	}, '*'))
	runner.on('pending', t => parent.postMessage({ type: 'pending', slug, title: t.fullTitle() }, '*'))
	runner.on('end', () => parent.postMessage({ type: 'end', slug, stats: runner.stats }, '*'))
	parent.postMessage({ type: 'start', slug, total: runner.total }, '*')
	} catch (err) {
	document.getElementById('err').textContent = 'import failed: ' + (err?.message || err)
	parent.postMessage({ type: 'import-error', slug, err: err?.message || String(err) }, '*')
	const runner = mocha.run()
	const post = message => parent.postMessage(message, location.origin)
	runner.on('pass', t => post({ type: 'pass', slug, title: t.fullTitle(), duration: t.duration }))
	runner.on('fail', (t, err) => post({
	type: 'fail', slug, title: t.fullTitle(), duration: t.duration,
	err: (err?.message || String(err)),
	stack: err?.stack
	}))
	runner.on('pending', t => post({ type: 'pending', slug, title: t.fullTitle() }))
	runner.on('end', () => post({ type: 'end', slug, stats: runner.stats }))
	post({ type: 'start', slug, total: runner.total })
	} catch (err) {
	document.getElementById('err').textContent = 'import failed: ' + (err?.message || err)
	parent.postMessage({ type: 'import-error', slug, err: err?.message || String(err) }, location.origin)
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tko.io/public/tests-frame.html` around lines 71 - 82, Replace all uses of
parent.postMessage(..., '*') in the test harness with a same-origin targetOrigin
(e.g. window.location.origin) so messages are only delivered to the embedding
/tests page; update every call site referenced in this diff — the
runner.on('pass', ...), runner.on('fail', ...), runner.on('pending', ...),
runner.on('end', ...), the initial parent.postMessage({ type: 'start', ... }),
and the catch block parent.postMessage({ type: 'import-error', ... }) — to pass
the same-origin string instead of '*'.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (2)

tko.io/src/pages/tests.astro (2)

327-327: ⚠️ Potential issue | 🟠 Major

Clamp and default the iframe pool size.

parseInt can return NaN, and Math.max(1, NaN) remains NaN; then the hidden queue creates zero workers. Very large values can also spawn excessive iframe concurrency.

🐛 Proposed fix

-        self.pool    = Math.max(1, parseInt(qs.get('pool') || '4', 10))
+        const requestedPool = parseInt(qs.get('pool') || '4', 10)
+        self.pool = Number.isFinite(requestedPool)
+          ? Math.min(16, Math.max(1, requestedPool))
+          : 4

#!/bin/bash
# Demonstrate why invalid pool input currently collapses worker creation.
node - <<'NODE'
for (const raw of ['abc', '0', '4', '1000000']) {
  const pool = Math.max(1, parseInt(raw || '4', 10))
  console.log({ raw, pool, workerCount: Array.from({ length: pool }).length })
}
NODE

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tko.io/src/pages/tests.astro` at line 327, The self.pool initialization using
Math.max(1, parseInt(qs.get('pool') || '4', 10)) can produce NaN or unboundedly
large values; update the setter in tests.astro (the line that assigns self.pool)
to first parse with Number.parseInt or parseInt, then if Number.isNaN(result)
fall back to a default (e.g. 4), and finally clamp the value between a minimum
of 1 and a reasonable maximum (e.g. 64) before assigning to self.pool so invalid
or extreme qs inputs can't create zero or excessive iframe workers.

---

570-570: ⚠️ Potential issue | 🟠 Major

Record iframe timeouts as failures.

The timeout currently removes the iframe silently, so a hung spec can disappear and the run can finish without explaining which file timed out.

🐛 Proposed fix

-            safetyTimer = setTimeout(finish, 30000)
+            safetyTimer = setTimeout(() => {
+              const key = spec.file || spec.slug
+              page.stats.total(Math.max(page.stats.total(), page.stats.done() + 1))
+              page.recordTest(key, 'fail', '(iframe timeout)', 30000, 'No end/import-error event after 30000ms')
+              page.ensureSuite(key).running(false)
+              finish()
+            }, 30000)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tko.io/src/pages/tests.astro` at line 570, The timeout currently just calls
finish silently; change the safetyTimer callback so that instead of silently
removing the iframe it records a failure and provides context: invoke finish
with an explicit timeout/failure error (including the spec/file identifier or
URL) so the run records which iframe timed out, and ensure the same logic still
clears/destroys the iframe afterwards; update the setTimeout call (safetyTimer =
setTimeout(...)) to call finish with an Error or failure result rather than a
silent completion and preserve existing iframe cleanup.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tko.io/scripts/bundle-tests.mjs`:
- Around line 193-198: Update the RELATIVE_IMPORT pattern used in
bundle-tests.mjs so it matches all relative-import forms (e.g., "from './...'",
bare static "import '../...'", "export '../...'", dynamic "import('./...')", and
require('./...')) rather than only "from" clauses; modify the RELATIVE_IMPORT
constant to a single regex that recognizes the keywords "from", "import" (both
bare and call-form), "export", and "require" when followed by a quote containing
./ or ../, keeping the rest of the logic that reads specs (allSpecs -> specs)
unchanged and leaving the surrounding loop and fs.readFile calls intact.

In `@tko.io/src/pages/tests.astro`:
- Around line 511-513: The import-error branch doesn't increment the overall
test count before recording a failure, so update the handler for m.type ===
'import-error' to increment the total (the same counter updated on 'start'
events) before calling page.recordTest; specifically, ensure you increment the
same stats.total variable (or the function that updates totals) prior to
invoking recordTest(key, 'fail', '(iframe import error)', 0, m.err) so
totals/progress remain consistent.
- Line 450: Build-mode currently passes raw page.grep() into window.mocha.grep()
which can throw for invalid regexes; change the call to mirror source-mode
behavior by trimming the grep text, then attempt to construct/use a RegExp for
grep inside a try/catch (using page.grep() and window.mocha.grep), and on
exception fall back to a substring match handler (e.g., a function that checks
indexOf on the test fullTitle) so invalid patterns don't throw — reference the
page.grep() call and window.mocha.grep usage and align with the fallback logic
used around lines 470–480 in source mode.

---

Duplicate comments:
In `@tko.io/src/pages/tests.astro`:
- Line 327: The self.pool initialization using Math.max(1,
parseInt(qs.get('pool') || '4', 10)) can produce NaN or unboundedly large
values; update the setter in tests.astro (the line that assigns self.pool) to
first parse with Number.parseInt or parseInt, then if Number.isNaN(result) fall
back to a default (e.g. 4), and finally clamp the value between a minimum of 1
and a reasonable maximum (e.g. 64) before assigning to self.pool so invalid or
extreme qs inputs can't create zero or excessive iframe workers.
- Line 570: The timeout currently just calls finish silently; change the
safetyTimer callback so that instead of silently removing the iframe it records
a failure and provides context: invoke finish with an explicit timeout/failure
error (including the spec/file identifier or URL) so the run records which
iframe timed out, and ensure the same logic still clears/destroys the iframe
afterwards; update the setTimeout call (safetyTimer = setTimeout(...)) to call
finish with an Error or failure result rather than a silent completion and
preserve existing iframe cleanup.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 15ea1627-9327-45a9-b056-8c8030151643

📥 Commits

Reviewing files that changed from the base of the PR and between 585c328 and 0b5648d.

📒 Files selected for processing (5)

• builds/knockout/helpers/browser-setup.js
• packages/binding.component/spec/componentBindingBehaviors.ts
• tko.io/public/tests-frame.html
• tko.io/scripts/bundle-tests.mjs
• tko.io/src/pages/tests.astro

🚧 Files skipped from review as they are similar to previous changes (3)

• packages/binding.component/spec/componentBindingBehaviors.ts
• tko.io/public/tests-frame.html
• builds/knockout/helpers/browser-setup.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Show build specs with relative imports that the current regex misses.
python3 - <<'PY'
from pathlib import Path
import re

current = re.compile(r"from\s+['\"]\.\.?/")
patterns = [
    re.compile(r"^\s*import\s+['\"]\.\.?/", re.M),
    re.compile(r"^\s*import\s+.*?\s+from\s+['\"]\.\.?/", re.M),
    re.compile(r"^\s*export\s+.*?\s+from\s+['\"]\.\.?/", re.M),
    re.compile(r"\bimport\s*\(\s*['\"]\.\.?/"),
    re.compile(r"\brequire\s*\(\s*['\"]\.\.?/"),
]

for base in (Path("builds/knockout/spec"), Path("builds/reference/spec")):
    if not base.exists():
        continue
    for path in sorted([*base.rglob("*.js"), *base.rglob("*.ts")]):
        text = path.read_text(encoding="utf8")
        if any(p.search(text) for p in patterns) and not current.search(text):
            print(path)
PY

Repository: knockout/tko

Length of output: 93

---

🏁 Script executed:

cat -n builds/reference/spec/iifeBehavior.js | head -50

Repository: knockout/tko

Length of output: 489

---

🏁 Script executed:

# Check what patterns iifeBehavior.js actually uses
rg -n "(?:import|require|export)" builds/reference/spec/iifeBehavior.js | head -20

Repository: knockout/tko

Length of output: 218

---

🏁 Script executed:

# Validate the proposed regex pattern works correctly
python3 - <<'PY'
import re

# Current regex
current = re.compile(r"from\s+['\"]\.\.?/")

# Proposed regex from the fix
proposed = re.compile(
    r"(?:^\s*import\s+['\"]\.\.?\/|^\s*import\s+.*?\s+from\s+['\"]\.\.?\/|^\s*export\s+.*?\s+from\s+['\"]\.\.?\/|\bimport\s*\(\s*['\"]\.\.?\/|\brequire\s*\(\s*['\"]\.\.?\/)",
    re.M
)

# Test cases
test_cases = [
    "from '../helper'",  # Should match both
    "import '../helper'",  # Should match proposed, not current
    "import { x } from '../helper'",  # Should match both
    "export { x } from '../helper'",  # Should match proposed, not current
    "await import('../helper')",  # Should match proposed, not current
    "require('../helper')",  # Should match proposed, not current
    "import('./helper')",  # Should match proposed, not current
    "from './helper'",  # Should match both
]

for test in test_cases:
    c_match = "✓" if current.search(test) else "✗"
    p_match = "✓" if proposed.search(test) else "✗"
    print(f"{c_match} current | {p_match} proposed: {test}")
PY

Repository: knockout/tko

Length of output: 425

---

Fix regex to catch all relative import patterns without breaking existing matches.

The issue is real: builds/reference/spec/iifeBehavior.js uses import '../dist/browser.min' (line 4), a bare import statement that the current regex misses. However, the proposed regex introduces a critical regression—it stops matching from imports entirely.

Test results show:

• Current regex ✓ matches from '../...' and from './...'
• Proposed regex ✗ misses both patterns

The fix needs to preserve the original from pattern and add the missing import forms:

- const RELATIVE_IMPORT = /from\s+['"]\.\.?\//
+ const RELATIVE_IMPORT = /(?:from\s+['"]\.\.?\/|^(?:import|export)\s+['"]\.\.?\/|import\s*\(\s*['"]\.\.?\/|require\s*\(\s*['"]\.\.?\/)/m

This catches: from '...', bare import '../...', export '../...', dynamic import(), and require() without dropping existing functionality.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tko.io/scripts/bundle-tests.mjs` around lines 193 - 198, Update the
RELATIVE_IMPORT pattern used in bundle-tests.mjs so it matches all
relative-import forms (e.g., "from './...'", bare static "import '../...'",
"export '../...'", dynamic "import('./...')", and require('./...')) rather than
only "from" clauses; modify the RELATIVE_IMPORT constant to a single regex that
recognizes the keywords "from", "import" (both bare and call-form), "export",
and "require" when followed by a quote containing ./ or ../, keeping the rest of
the logic that reads specs (allSpecs -> specs) unchanged and leaving the
surrounding loop and fs.readFile calls intact.

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tko.io/src/pages/tests.astro`:
- Around line 456-459: The workarea section remains visible outside "source"
mode; update the same mode check that hides the `#mocha` reporter to also hide the
focus workarea by setting document.getElementById('workarea-section').hidden
based on page.suite() (e.g., hidden = page.suite() !== 'source'), keeping the
existing `#workarea` mounting behavior intact; locate the code around the existing
document.getElementById('mocha') line and add the analogous hide logic for
'workarea-section'.
- Around line 4-12: The header comment currently declares "Build mode (default)"
and refers to "?suite=source" as opt-in, but elsewhere the page actually
defaults to source; update the documentation so the "Two modes:" block matches
the implementation by changing the "Build mode (default)" text to indicate that
Source mode is the default and Build is opt-in (or vice‑versa to match runtime),
and adjust the example URL token reference (change "?suite=source" to the
correct opt‑in token, e.g. "?suite=build", or explicitly state which query value
triggers the non‑default mode) — search for the strings "Two modes:", "Build
mode (default)", "?suite=source", and "tests/source/manifest.json" to locate and
edit the mismatched descriptions.
- Around line 595-623: The per-frame message handler can miss messages because
liveFrames.add(...) is only called in the iframe 'load' handler; move the
registration earlier by adding the iframe's contentWindow to liveFrames as soon
as the iframe is created (or register a placeholder/temporary id) and register
the window.message listener (onMsg) before appending the iframe, then keep the
existing cleanup in finish (which deletes from liveFrames and removes the onMsg
listener) so frames are tracked immediately and still cleaned up when finish()
runs; update the code that currently calls liveFrames.add(...) inside the
iframe.addEventListener('load', ...) block accordingly.
- Around line 497-502: The catch block passes a predicate function to
window.mocha.grep which expects a RegExp; instead escape the user-provided
buildGrep into a literal case-insensitive RegExp and pass that to
window.mocha.grep. Specifically, in the catch for window.mocha.grep(new
RegExp(buildGrep, 'i')), build a safe escaped pattern from buildGrep (e.g.,
replace special regex chars) or otherwise create a RegExp using the escaped
string and call window.mocha.grep(escapedRegex) so grep receives a RegExp rather
than a function; refer to window.mocha.grep and the buildGrep/needle handling in
the current block when making the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9ec06355-5fb7-4399-a8f4-82c530dc0e7b

📥 Commits

Reviewing files that changed from the base of the PR and between 0b5648d and c5bd8d7.

📒 Files selected for processing (4)

• builds/knockout/helpers/browser-setup.js
• packages/binding.foreach/spec/eachBehavior.ts
• tko.io/scripts/bundle-tests.mjs
• tko.io/src/pages/tests.astro

✅ Files skipped from review due to trivial changes (1)

• tko.io/scripts/bundle-tests.mjs

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Update the mode documentation to match the actual default.

Lines 6 and 11 still describe build mode as default/source as opt-in, but Line 20 and Line 356 default to source. This can mislead anyone using the URL contract.

📝 Proposed fix

-//   Build mode (default)
+//   Build mode (URL opt-in: `?suite=build`)
@@
-//   Source mode (URL opt-in: `?suite=source`)
+//   Source mode (default)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Two modes:
	//
	// Build mode (default)
	// Load a published `@tko/build.*` from jsdelivr and run
	// `tests/build-bundle.js`. Single Mocha run against the
	// built artifact. Version-portable.
	//
	// Source mode (URL opt-in: `?suite=source`)
	// Spawn one iframe per spec file in `tests/source/manifest.json`.
	// Two modes:
	//
	// Build mode (URL opt-in: `?suite=build`)
	// Load a published `@tko/build.*` from jsdelivr and run
	// `tests/build-bundle.js`. Single Mocha run against the
	// built artifact. Version-portable.
	//
	// Source mode (default)
	// Spawn one iframe per spec file in `tests/source/manifest.json`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tko.io/src/pages/tests.astro` around lines 4 - 12, The header comment
currently declares "Build mode (default)" and refers to "?suite=source" as
opt-in, but elsewhere the page actually defaults to source; update the
documentation so the "Two modes:" block matches the implementation by changing
the "Build mode (default)" text to indicate that Source mode is the default and
Build is opt-in (or vice‑versa to match runtime), and adjust the example URL
token reference (change "?suite=source" to the correct opt‑in token, e.g.
"?suite=build", or explicitly state which query value triggers the non‑default
mode) — search for the strings "Two modes:", "Build mode (default)",
"?suite=source", and "tests/source/manifest.json" to locate and edit the
mismatched descriptions.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Hide the focus workarea outside source mode.

In build mode, the #workarea-section is rendered but never used or removed, leaving the “Focus-requiring specs” panel stuck on screen over the Mocha reporter.

🛠️ Proposed fix

       // Show/hide the out-of-tree mocha host based on mode.
       // (The `#workarea` always exists; iframes mount into it.)
       document.getElementById('mocha').hidden = page.suite() !== 'build'
+      document.getElementById('workarea-section').hidden = page.suite() !== 'source'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tko.io/src/pages/tests.astro` around lines 456 - 459, The workarea section
remains visible outside "source" mode; update the same mode check that hides the
`#mocha` reporter to also hide the focus workarea by setting
document.getElementById('workarea-section').hidden based on page.suite() (e.g.,
hidden = page.suite() !== 'source'), keeping the existing `#workarea` mounting
behavior intact; locate the code around the existing
document.getElementById('mocha') line and add the analogous hide logic for
'workarea-section'.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify Mocha 10 browser grep matcher expectations.
curl -fsSL https://cdn.jsdelivr.net/npm/mocha@10/mocha.js \
  | rg -n -A8 -B8 "grep\\.test|Mocha\\.prototype\\.grep|grep: function"

Repository: knockout/tko

Length of output: 2368

---

🏁 Script executed:

cat -n tko.io/src/pages/tests.astro | sed -n '490,510p'

Repository: knockout/tko

Length of output: 1101

---

🏁 Script executed:

# Verify the regex escape pattern is the standard approach for literal RegExp construction
web_search_result=$(curl -s "https://www.regular-expressions.info/escape.html" | grep -i "escape" | head -5)
python3 << 'EOF'
import re

# Test the escape pattern from the proposed fix
pattern = r"[.*+?^${}()|[\]\\]"
test_string = r"\$&"
buildGrep = "test.suite[invalid](pattern)"

# Apply the escape
escaped = buildGrep.replace(pattern, test_string)
print(f"Original: {buildGrep}")
print(f"Escaped: {escaped}")

# Verify it can be used in RegExp
try:
    regex = re.compile(escaped, re.IGNORECASE)
    print(f"RegExp creation: SUCCESS")
    print(f"Test match for original string: {regex.search(buildGrep) is not None}")
except Exception as e:
    print(f"RegExp creation: FAILED - {e}")

# Standard regex escape characters that should be escaped in a literal pattern
special_chars = r".*+?^${}()|[]\"
print(f"\nSpecial regex chars needing escape: {special_chars}")
EOF

Repository: knockout/tko

Length of output: 204

---

🏁 Script executed:

python3 << 'EOF'
# Test the escape pattern from the proposed fix
buildGrep = "test.suite[invalid](pattern)"

# Apply the escape using Python equivalent of JS pattern
# JS: /[.*+?^${}()|[\]\\]/g with replacement \\$&
escaped = buildGrep.replace(r'[.*+?^${}()|[\]\\]', r'\\$&')
print(f"Original: {buildGrep}")
print(f"Escaped pattern attempt: {escaped}")

# Better: use standard regex escape approach
import re
escaped_correct = re.escape(buildGrep)
print(f"\nUsing re.escape(): {escaped_correct}")

# Verify both can create valid RegExp
try:
    # Test 1: manual escape (proposed fix pattern)
    pattern1 = buildGrep.replace(r'[.*+?^${}()|[\]\\]', r'\\$&')
    regex1 = re.compile(pattern1, re.IGNORECASE)
    print(f"Manual escape RegExp: SUCCESS")
except Exception as e:
    print(f"Manual escape RegExp: FAILED - {e}")

try:
    # Test 2: re.escape (standard approach)
    regex2 = re.compile(re.escape(buildGrep), re.IGNORECASE)
    print(f"re.escape() RegExp: SUCCESS")
except Exception as e:
    print(f"re.escape() RegExp: FAILED - {e}")

# Show the special chars that need escaping in JavaScript regex
print("\nSpecial regex characters that must be escaped:")
special = ".*+?^${}()|[]\\".split()
print(f"Characters: {', '.join([c for c in '.*+?^${}()|[]\\\\'])}")
EOF

Repository: knockout/tko

Length of output: 290

---

🏁 Script executed:

python3 << 'EOF'
import re

buildGrep = "test.suite[invalid](pattern)"

# Test the escape pattern from the proposed fix
# This is the JavaScript approach: /[.*+?^${}()|[\]\\]/g
escaped = buildGrep
for char in r'.*+?^${}()|[]\\":
    escaped = escaped.replace(char, '\\' + char)

print(f"Original: {buildGrep}")
print(f"Escaped (manual): {escaped}")

# Test with Python's re.escape for comparison
escaped_py = re.escape(buildGrep)
print(f"Escaped (re.escape): {escaped_py}")

# Verify both work as literal patterns
try:
    regex1 = re.compile(escaped, re.IGNORECASE)
    print(f"Manual escape RegExp: SUCCESS")
    print(f"  Matches original string: {regex1.search(buildGrep) is not None}")
except Exception as e:
    print(f"Manual escape RegExp: FAILED - {e}")

try:
    regex2 = re.compile(escaped_py, re.IGNORECASE)
    print(f"re.escape() RegExp: SUCCESS")
    print(f"  Matches original string: {regex2.search(buildGrep) is not None}")
except Exception as e:
    print(f"re.escape() RegExp: FAILED - {e}")

print("\nSpecial regex characters that must be escaped:")
special_chars = r'.*+?^${}()|[]\'
print(f"Characters: {special_chars}")
EOF

Repository: knockout/tko

Length of output: 196

---

🏁 Script executed:

python3 << 'EOF'
import re

# Test the proposed escape pattern
buildGrep = "test.suite[invalid](pattern)"

# JavaScript pattern: /[.*+?^${}()|[\]\\]/g with replacement \\$&
# This is equivalent to escaping these characters: . * + ? ^ $ { } ( ) | [ ] \
special_chars = '.^$*+?{}[]|()\\'
escaped = buildGrep

for char in special_chars:
    escaped = escaped.replace(char, '\\' + char)

print("Original pattern:", buildGrep)
print("Escaped pattern:", escaped)

# Test it works as a RegExp
try:
    regex = re.compile(escaped, re.IGNORECASE)
    print("RegExp creation: SUCCESS")
    print("Matches original string:", regex.search(buildGrep) is not None)
except Exception as e:
    print("RegExp creation: FAILED -", e)

# Compare with Python's standard approach
escaped_py = re.escape(buildGrep)
print("\nPython re.escape() result:", escaped_py)
print("Are they equivalent:", escaped == escaped_py)
EOF

Repository: knockout/tko

Length of output: 303

---

🏁 Script executed:

python3 << 'EOF'
import re

buildGrep = "test.suite[invalid](pattern)"

# The escape pattern works - it just needs to match literally
special_chars = '.^$*+?{}[]|()\\'
escaped = buildGrep
for char in special_chars:
    escaped = escaped.replace(char, '\\' + char)

print("Original:", buildGrep)
print("Escaped regex pattern:", escaped)

# When we use this escaped pattern in a regex, it matches the literal string
regex = re.compile(escaped, re.IGNORECASE)

# The regex pattern itself contains backslashes, but when matched against the original string:
print("\nMatching test:")
print("regex.search(original string):", regex.search(buildGrep))

# This is the expected behavior - the backslashes in the pattern escape the special chars
# So the regex matches literal . [ ] ( ) etc in the input

# Now test with a simpler case to show it works
simple = "test.js"
escaped_simple = simple.replace('.', r'\.')
regex_simple = re.compile(escaped_simple)
print("\nSimple test - match 'test.js':", bool(regex_simple.search("test.js")))
print("Should NOT match 'testXjs':", bool(regex_simple.search("testXjs")))
EOF

Repository: knockout/tko

Length of output: 279

---

Pass a literal RegExp to mocha.grep() instead of a function predicate.

Mocha's browser grep() method expects a RegExp with a .test() method. The current catch block passes a predicate function, which will fail at runtime when Mocha tries to call .test() on it. Escape the invalid pattern into a literal case-insensitive RegExp instead.

Proposed fix

         if (buildGrep) {
           try {
             window.mocha.grep(new RegExp(buildGrep, 'i'))
           } catch {
-            const needle = buildGrep.toLowerCase()
-            window.mocha.grep(t => (t.fullTitle?.() || t.title || '').toLowerCase().includes(needle))
+            const escaped = buildGrep.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+            window.mocha.grep(new RegExp(escaped, 'i'))
           }
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tko.io/src/pages/tests.astro` around lines 497 - 502, The catch block passes
a predicate function to window.mocha.grep which expects a RegExp; instead escape
the user-provided buildGrep into a literal case-insensitive RegExp and pass that
to window.mocha.grep. Specifically, in the catch for window.mocha.grep(new
RegExp(buildGrep, 'i')), build a safe escaped pattern from buildGrep (e.g.,
replace special regex chars) or otherwise create a RegExp using the escaped
string and call window.mocha.grep(escapedRegex) so grep receives a RegExp rather
than a function; refer to window.mocha.grep and the buildGrep/needle handling in
the current block when making the change.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Register live iframes before they can post results.

liveFrames.add(...) currently runs from the iframe load event, but the child can post start/test/end messages while its module script is running before the parent load handler fires. The global aggregator then drops those messages at Line 547, while the per-frame listener can still finish the spec, producing silently missing results.

🐛 Proposed fix

             iframe.addEventListener('load', () => {
-              if (iframe.contentWindow) liveFrames.add(iframe.contentWindow)
               if (grantFocus) {
                 try {
                   iframe.focus()
                   iframe.contentWindow?.focus()
                 } catch {}
@@
             }
             window.addEventListener('message', onMsg)
             host.appendChild(iframe)
+            if (iframe.contentWindow) liveFrames.add(iframe.contentWindow)
             safetyTimer = setTimeout(() => {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tko.io/src/pages/tests.astro` around lines 595 - 623, The per-frame message
handler can miss messages because liveFrames.add(...) is only called in the
iframe 'load' handler; move the registration earlier by adding the iframe's
contentWindow to liveFrames as soon as the iframe is created (or register a
placeholder/temporary id) and register the window.message listener (onMsg)
before appending the iframe, then keep the existing cleanup in finish (which
deletes from liveFrames and removes the onMsg listener) so frames are tracked
immediately and still cleaned up when finish() runs; update the code that
currently calls liveFrames.add(...) inside the iframe.addEventListener('load',
...) block accordingly.