diff --git a/src/wp-includes/css-api/class-wp-css-builder.php b/src/wp-includes/css-api/class-wp-css-builder.php
new file mode 100644
index 0000000000000..56ae7a5ba009a
--- /dev/null
+++ b/src/wp-includes/css-api/class-wp-css-builder.php
@@ -0,0 +1,241 @@
+<?php
+
+abstract class WP_CSS_Builder {
+	/**
+	 * Create a CSS ident token from a plain PHP string value.
+	 *
+	 * Characters not valid in CSS identifiers are hex-escaped. This uses
+	 * the same safety escaping as {@see WP_CSS_Builder::string()} for HTML
+	 * and CSS-sensitive characters, plus escaping of whitespace and other
+	 * characters not permitted in idents.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#escaping
+	 * @see https://www.w3.org/TR/css-syntax-3/#would-start-an-identifier
+	 *
+	 * @param string $value Decoded string value to encode as a CSS ident.
+	 * @return string CSS ident token text.
+	 */
+	public static function ident( string $value ): string {
+		$value  = wp_scrub_utf8( $value );
+		$result = '';
+		$length = strlen( $value );
+
+		for ( $i = 0; $i < $length; $i++ ) {
+			$byte = ord( $value[ $i ] );
+
+			// NULL → U+FFFD REPLACEMENT CHARACTER.
+			if ( 0x00 === $byte ) {
+				$result .= "\u{FFFD}";
+				continue;
+			}
+
+			// Non-ASCII bytes (≥ 0x80): valid in idents, pass through.
+			if ( $byte >= 0x80 ) {
+				$result .= $value[ $i ];
+				continue;
+			}
+
+			// ASCII letters and underscore: always valid in idents.
+			if (
+				( $byte >= 0x41 && $byte <= 0x5A ) || // A-Z
+				( $byte >= 0x61 && $byte <= 0x7A ) || // a-z
+				0x5F === $byte                         // _
+			) {
+				$result .= $value[ $i ];
+				continue;
+			}
+
+			// Hyphen: valid in idents, but check for hyphen-digit at start.
+			if ( 0x2D === $byte ) {
+				// Hyphen at position 0 followed by a digit at position 1: escape the digit.
+				if ( 0 === $i && $i + 1 < $length && ord( $value[ $i + 1 ] ) >= 0x30 && ord( $value[ $i + 1 ] ) <= 0x39 ) {
+					$result .= '-';
+					++$i;
+					$result .= sprintf( '\\%X ', ord( $value[ $i ] ) );
+					continue;
+				}
+				$result .= '-';
+				continue;
+			}
+
+			// Digits: valid except at position 0.
+			if ( $byte >= 0x30 && $byte <= 0x39 ) {
+				if ( 0 === $i ) {
+					$result .= sprintf( '\\%X ', $byte );
+				} else {
+					$result .= $value[ $i ];
+				}
+				continue;
+			}
+
+			// Everything else: hex-escape.
+			$result .= sprintf( '\\%X ', $byte );
+		}
+
+		return $result;
+	}
+
+	/**
+	 * Create a quoted CSS string from a plain PHP string value.
+	 *
+	 * Example:
+	 *     $value = 'CSS & a "<style>" tag\'s strings';
+	 *     $css_string = WP_CSS_Builder::string( $value );
+	 *     echo "<style>*::before { content: {$css_string}; }</style>";
+	 *
+	 * CSS strings are quoted many characters that are problematic in HTML
+	 * or may be complicated for rudimentary CSS or HTML processors to handle
+	 * are encoded using Unicode escape sequences.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#escaping
+	 */
+	public static function string( string $value ): string {
+		$value   = wp_scrub_utf8( $value );
+		$escaped = strtr(
+			$value,
+			array(
+				// Escape existing backslashes to prevent unintentional escapes in result.
+				'\\'   => '\\5C ',
+
+				// Pre-processing replaces NULLs and some newlines. Replace and escape as necessary.
+				"\0"   => "\u{FFFD}",
+
+				// Normalize and replace newlines. https://www.w3.org/TR/css-syntax-3/#input-preprocessing
+				"\r\n" => '\\A ',
+				"\r"   => '\\A ',
+				"\f"   => '\\A ',
+
+				// Newlines must be escaped in CSS strings.
+				"\n"   => '\\A ',
+
+				// Arbitrary characters for Unicode escaping:
+
+				// HTML syntax may be problematic.
+				'<'    => '\\3C ',
+				'>'    => '\\3E ',
+				'&'    => '\\26 ',
+
+				// CSS syntax may be problematic.
+				','    => '\\2C ',
+				';'    => '\\3B ',
+				'{'    => '\\7B ',
+				'}'    => '\\7D ',
+				'"'    => '\\22 ',
+				"'"    => '\\27 ',
+			)
+		);
+		return "\"{$escaped}\"";
+	}
+
+	public static function normalize_and_escape_css( string $css ): string {
+		$css = wp_scrub_utf8( $css );
+		$processor = WP_CSS_Token_Processor::create( $css );
+		if ( null === $processor ) {
+			return '';
+		}
+
+		$normalized_css = '';
+
+		while ( $processor->next_token() ) {
+			switch ( $processor->get_token_type() ) {
+
+				// Basic punctuation:
+				case WP_CSS_Token_Processor::TOKEN_SEMICOLON: $normalized_css .= ';'; break;
+				case WP_CSS_Token_Processor::TOKEN_COMMA: $normalized_css .= ','; break;
+				case WP_CSS_Token_Processor::TOKEN_WHITESPACE: $normalized_css .= ' '; break;
+				case WP_CSS_Token_Processor::TOKEN_COLON: $normalized_css .= ':'; break;
+
+				// Paired punctuation:
+				case WP_CSS_Token_Processor::TOKEN_LEFT_BRACE: $normalized_css .= '{'; break;
+				case WP_CSS_Token_Processor::TOKEN_RIGHT_BRACE: $normalized_css .= '}'; break;
+				case WP_CSS_Token_Processor::TOKEN_LEFT_PAREN: $normalized_css .= '('; break;
+				case WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN: $normalized_css .= ')'; break;
+				case WP_CSS_Token_Processor::TOKEN_LEFT_BRACKET: $normalized_css .= '['; break;
+				case WP_CSS_Token_Processor::TOKEN_RIGHT_BRACKET: $normalized_css .= ']'; break;
+
+				// "@" + ident
+				case WP_CSS_Token_Processor::TOKEN_AT_KEYWORD:
+					$normalized_css .= '@' . self::ident( $processor->get_token_value() );
+					break;
+
+				// ident + "("
+				case WP_CSS_Token_Processor::TOKEN_FUNCTION:
+					$normalized_css .= self::ident( $processor->get_token_value() ) . '(';
+					break;
+
+				/*
+				 * Hash tokens are not idents but their value can be escaped as such.
+				 *
+				 *     ‖→ "#" →─┐   ┌──────────────────────────────┐   ┌─→‖
+				 *              ├─→─┤ a-z A-Z 0-9 _ - or non-ASCII ├─→─┤
+				 *              │   └──────────────────────────────┘   │
+				 *              │   ┌──────────────────────────────┐   │
+				 *              ├─→─┤            escape            ├─→─┤
+				 *              │   └──────────────────────────────┘   │
+				 *              └──────────────────←───────────────────┘
+				 */
+				case WP_CSS_Token_Processor::TOKEN_HASH:
+					$normalized_css .= '#' . self::ident( $processor->get_token_value() );
+					break;
+
+				case WP_CSS_Token_Processor::TOKEN_DIMENSION:
+					$normalized_css .= $processor->get_token_value() . $processor->get_token_unit();
+					break;
+
+				case WP_CSS_Token_Processor::TOKEN_PERCENTAGE:
+					$normalized_css .= "%{$processor->get_token_value()}";
+					break;
+
+				case WP_CSS_Token_Processor::TOKEN_NUMBER:
+					$normalized_css .= $processor->get_token_value();
+					break;
+
+				case WP_CSS_Token_Processor::TOKEN_DELIM:
+					$normalized_css .= $processor->get_token_value();
+					break;
+
+				case WP_CSS_Token_Processor::TOKEN_IDENT:
+					$normalized_css .= self::ident( $processor->get_token_value() );
+					break;
+
+				case WP_CSS_Token_Processor::TOKEN_STRING:
+					var_dump( $processor->get_token_value() );
+					$normalized_css .= self::string( $processor->get_token_value() );
+					break;
+
+				// Keep or strip comments?
+				case WP_CSS_Token_Processor::TOKEN_COMMENT:
+					$normalized_css .= substr( $css, $processor->get_token_start(), $processor->get_token_length() );
+					break;
+
+				/**
+				 * A <bad-string-token> is an open string that reaches a newline.
+				 *
+				 * @see https://www.w3.org/TR/css-syntax-3/#consume-string-token
+				 *
+				 * @see https://www.w3.org/TR/css-syntax-3/#preserved-tokens
+				 * > Note: The tokens <}-token>s, <)-token>s, <]-token>, <bad-string-token>, and <bad-url-token> are always parse errors, but they are preserved in the token stream by this specification to allow other specs, such as Media Queries, to define more fine-grained error-handling than just dropping an entire declaration or block.
+				 */
+				case WP_CSS_Token_Processor::TOKEN_BAD_STRING:
+					$normalized_css .= substr( $css, $processor->get_token_start(), $processor->get_token_length() ) . "\n";
+					break;
+
+				case WP_CSS_Token_Processor::TOKEN_URL:
+				case WP_CSS_Token_Processor::TOKEN_BAD_URL:
+				case WP_CSS_Token_Processor::TOKEN_CDC:
+				case WP_CSS_Token_Processor::TOKEN_CDO:
+				default:
+					throw new Error( 'unhandled token type ' . $processor->get_token_type() . ' with value ' . var_export( $processor->get_token_value(), true ) );
+			}
+		}
+
+		return strtr(
+			$normalized_css,
+			array(
+				' ' => '␠',
+				"\t" => "␉\t",
+				"\n" => "␊\n",
+			)
+		);
+	}
+}
diff --git a/src/wp-includes/css-api/class-wp-css-token-processor.php b/src/wp-includes/css-api/class-wp-css-token-processor.php
new file mode 100644
index 0000000000000..f61775fdf6228
--- /dev/null
+++ b/src/wp-includes/css-api/class-wp-css-token-processor.php
@@ -0,0 +1,1845 @@
+<?php
+
+/**
+ * Tokenizes CSS according to the CSS Syntax Level 3 specification.
+ *
+ * This class follows the algorithm in https://www.w3.org/TR/css-syntax-3/ and
+ * exposes a pull-based API so callers can stream over large stylesheets without
+ * allocating every token up front. Each call to next_token() advances the cursor
+ * and fills in metadata (type, value, raw slice, byte offsets) that you can read
+ * through the getter methods.
+ *
+ * ## Design choices
+ *
+ * ### On-the-fly normalization
+ *
+ * The CSS Spec requires the following normalization step:
+ *
+ * > Replace any U+000D CARRIAGE RETURN (CR) code points, U+000C FORM FEED (FF)
+ * > code points, or pairs of U+000D CARRIAGE RETURN (CR) followed by U+000A LINE
+ * > FEED (LF) in input by a single U+000A LINE FEED (LF) code point.
+ * > Replace any U+0000 NULL or surrogate code points in input with U+FFFD REPLACEMENT
+ * > CHARACTER (�).
+ *
+ * This processor delays normalization as much as possible. That keeps the raw byte
+ * positions intact for accurate rewrites while still letting consumers ask for a
+ * normalized token when they need one.
+ *
+ * ### No EOF token
+ *
+ * The EOF token is a CSS parsing concept, not CSS tokenization concept. Therefore,
+ * this processor does not produce it.
+ *
+ * ### UTF-8 handling
+ *
+ * Only UTF-8 strings are supported. Invalid sequences are replaced with U+FFFD (�)
+ * using the maximal subpart approach described in
+ * https://www.unicode.org/versions/Unicode9.0.0/ch03.pdf, section 3.9 Best Practices
+ * for Using U+FFFD.
+ *
+ * ## Usage
+ *
+ * Basic iteration:
+ *
+ *     $css = 'width: 10px;';
+ *     $processor = WP_CSS_Token_Processor::create( $css );
+ *     while ( $processor->next_token() ) {
+ *         echo $processor->get_normalized_token();
+ *     }
+ *     // Outputs:
+ *     // width: 10px;
+ *
+ * Rewriting a URL while keeping the rest of the stylesheet intact:
+ *
+ *     $css = 'background: url(old.jpg) center / cover;';
+ *     $processor = WP_CSS_Token_Processor::create( $css );
+ *     while ( $processor->next_token() ) {
+ *         if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+ *             $processor->set_value( 'uploads/new.jpg' );
+ *         }
+ *     }
+ *     $result = $processor->get_updated_css();
+ *     // background: url(uploads/new.jpg) center / cover;
+ *
+ * Gathering diagnostics with byte offsets:
+ *
+ *     $css = "color: red;\ncolor: re\nd;";
+ *     $processor = WP_CSS_Token_Processor::create( $css );
+ *     $bad_strings = array();
+ *     while ( $processor->next_token() ) {
+ *         if ( WP_CSS_Token_Processor::TOKEN_BAD_STRING === $processor->get_token_type() ) {
+ *             $bad_strings[] = array(
+ *                 'start'  => $processor->get_token_start(),
+ *                 'length' => $processor->get_token_length(),
+ *                 'value'  => $processor->get_unnormalized_token(),
+ *             );
+ *         }
+ *     }
+ *
+ * @see https://www.w3.org/TR/css-syntax-3/#tokenization
+ */
+class WP_CSS_Token_Processor {
+	/**
+	 * Token type constants matching the CSS Syntax Level 3 specification.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#tokenization
+	 */
+	public const TOKEN_WHITESPACE = 'whitespace-token';
+	public const TOKEN_COMMENT    = 'comment';
+	public const TOKEN_STRING     = 'string-token';
+
+	/**
+	 * BAD-STRING tokens occur when a string contains an unescaped newline.
+	 *
+	 * Valid strings: "hello", 'world', "line1\Aline2" (escaped newline)
+	 * Invalid (produces bad-string): "hello
+	 *                                 world"  (literal newline breaks the string)
+	 *
+	 * The processor stops at the newline and produces a bad-string token for error recovery.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#typedef-bad-string-token
+	 */
+	public const TOKEN_BAD_STRING    = 'bad-string-token';
+	public const TOKEN_HASH          = 'hash-token';
+	public const HASH_TOKEN_ID       = 'id';
+	public const HASH_TOKEN_UNRESTRICTED = 'unrestricted';
+	public const TOKEN_DELIM         = 'delim-token';
+	public const TOKEN_NUMBER        = 'number-token';
+	public const TOKEN_PERCENTAGE    = 'percentage-token';
+	public const TOKEN_DIMENSION     = 'dimension-token';
+	public const TOKEN_AT_KEYWORD    = 'at-keyword-token';
+	public const TOKEN_COLON         = 'colon-token';
+	public const TOKEN_SEMICOLON     = 'semicolon-token';
+	public const TOKEN_COMMA         = 'comma-token';
+	public const TOKEN_LEFT_PAREN    = '(-token';
+	public const TOKEN_RIGHT_PAREN   = ')-token';
+	public const TOKEN_LEFT_BRACKET  = '[-token';
+	public const TOKEN_RIGHT_BRACKET = ']-token';
+	public const TOKEN_LEFT_BRACE    = '{-token';
+	public const TOKEN_RIGHT_BRACE   = '}-token';
+	public const TOKEN_FUNCTION      = 'function-token';
+
+	/**
+	 * URL tokens represent unquoted URLs in url() notation.
+	 *
+	 * For example, `url(image.jpg)` is a URL token.
+	 *
+	 * Quoted URLs like `url( "https://example.com" )` are handled as a function
+	 * token, _not_ a URL token.
+	 *
+	 * Bad URL tokens are created when invalid characters are encountered in
+	 * a URL token.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#typedef-url-token
+	 */
+	public const TOKEN_URL = 'url-token';
+
+	/**
+	 * BAD-URL tokens occur when a URL contains invalid characters.
+	 *
+	 * Invalid characters: quotes ("), apostrophes ('), parentheses (()
+	 * Example invalid: url(image(.jpg) or url(image".jpg)
+	 *
+	 * When detected, the processor consumes everything up to ) or EOF.
+	 * This prevents the bad URL from breaking subsequent tokens.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#typedef-bad-url-token
+	 */
+	public const TOKEN_BAD_URL = 'bad-url-token';
+
+	/**
+	 * Identifier tokens, such as `color`, `margin-top`, `red`,
+	 * `inherit`, `--my-var`, `\x-escaped`, `über` (Unicode), etc.
+	 *
+	 * There are restrictions on the codepoints that start or are contained in
+	 * an identifier, and identifiers may contain escape sequences.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#typedef-ident-token
+	 */
+	public const TOKEN_IDENT = 'ident-token';
+
+	/**
+	 * CDC (Comment Delimiter Close) token: -->
+	 *
+	 * Legacy token from when CSS was embedded in HTML <style> tags
+	 * and needed to be hidden from old browsers using HTML comments:
+	 *
+	 *   <style>
+	 *   <!--
+	 *   body { color: red; }
+	 *   -->
+	 *   </style>
+	 *
+	 * Modern CSS no longer needs these, but they're preserved for compatibility.
+	 * In stylesheets, they're typically treated like whitespace.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#typedef-CDC-token
+	 */
+	public const TOKEN_CDC = 'CDC-token';
+
+	/**
+	 * CDO (Comment Delimiter Open) token: <!--
+	 *
+	 * Legacy token from when CSS was embedded in HTML <style> tags.
+	 * See TOKEN_CDC for full explanation of HTML comment compatibility.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#typedef-CDO-token
+	 */
+	public const TOKEN_CDO = 'CDO-token';
+
+	/**
+	 * @var string
+	 */
+	private $css;
+
+	/**
+	 * @var int
+	 */
+	private $length = 0;
+
+	/**
+	 * @var int
+	 */
+	private $at = 0;
+
+	/**
+	 * The type of the current token. One of the self::TOKEN_* constants.
+	 *
+	 * @var string|null
+	 * @phpstan-var self::TOKEN_*|null
+	 */
+	private $token_type = null;
+
+	/**
+	 * The type flag for the current token, if it has one.
+	 *
+	 * Hash tokens have either the "id" or "unrestricted" type flag.
+	 *
+	 * @var string|null
+	 */
+	private $token_type_flag = null;
+
+	/**
+	 * The byte offset at which the current token starts.
+	 *
+	 * Example:
+	 *
+	 * background-image: url(https://example.com/image.jpg);
+	 *                   ^ token_starts_at
+	 *
+	 * @var int|null
+	 */
+	private $token_starts_at = null;
+
+	/**
+	 * The byte length of the current token.
+	 *
+	 * Example:
+	 *
+	 * background-image: url(https://example.com/image.jpg);
+	 *                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+	 *                             token_length
+	 *
+	 * @var int|null
+	 */
+	private $token_length = null;
+
+	/**
+	 * The byte offset at which the value of the current token starts.
+	 *
+	 * It is used for STRING and URL tokens. For example:
+	 *
+	 * background-image: url(https://example.com/image.jpg);
+	 *                       ^ token_value_starts_at
+	 *
+	 * @var int|null
+	 */
+	private $token_value_starts_at = null;
+
+	/**
+	 * The byte offset at which the value of the current token starts.
+	 *
+	 * It is relevant for STRING and URL tokens. For example:
+	 *
+	 * background-image: url(https://example.com/image.jpg);
+	 *                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+	 *                             token_value_length
+	 *
+	 * @var int|null
+	 */
+	private $token_value_length = null;
+
+	/**
+	 * The string value of the current token.
+	 *
+	 * For numbers, this is a float.
+	 * For identifiers/functions/strings/URLs with escapes, this is a decoded string.
+	 * Otherwise, it's null and the value is computed from token indices.
+	 *
+	 * @var string|float|null
+	 */
+	private $token_value = null;
+
+	/**
+	 * The unit of the current token, e.g. "px", "em", "deg", etc.
+	 *
+	 * @var string|null
+	 */
+	private $token_unit = null;
+
+	/**
+	 * Lexical replacements to apply to input CSS document.
+	 *
+	 * Tracks modifications to be applied to the CSS, such as changing URL values.
+	 * Each entry is an associative array with 'start', 'length', and 'text' keys.
+	 *
+	 * @var array[]
+	 */
+	private $lexical_updates = array();
+
+	/**
+	 * Constructor for the CSS processor.
+	 *
+	 * Do not instantiate directly. Use WP_CSS_Token_Processor::create() instead.
+	 *
+	 * @param string $css         CSS source to tokenize.
+	 */
+	private function __construct( string $css ) {
+		$this->css    = $css;
+		$this->length = strlen( $css );
+	}
+
+	/**
+	 * Creates a CSS processor for the given CSS string.
+	 *
+	 * Use this method to create a CSS processor instance.
+	 *
+	 * ## Current Support
+	 *
+	 * - The only supported document encoding is `UTF-8`, which is the default value.
+	 *
+	 * @param string $css      CSS source to tokenize.
+	 * @param string $encoding Text encoding of the document; must be default of 'UTF-8'.
+	 * @return static|null The created processor if successful, otherwise null.
+	 */
+	public static function create( string $css, string $encoding = 'UTF-8' ) {
+		if ( 'UTF-8' !== $encoding ) {
+			return null;
+		}
+
+		return new static( $css );
+	}
+
+	/**
+	 * Moves to the next token in the CSS stream.
+	 *
+	 * Implements the main tokenization loop, consuming the next token from the input stream.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#consume-token
+	 *
+	 * @return bool Whether a token was found.
+	 */
+	public function next_token(): bool {
+		$this->after_token();
+
+		// Bale out once we reach the end.
+		if ( $this->at >= $this->length ) {
+			return false;
+		}
+
+		/*
+		 * CSS comments. They are not preserved as tokens in the specification, but we
+		 * still track them.
+		 *
+		 * @see https://www.w3.org/TR/css-syntax-3/#consume-comment
+		 */
+		if (
+			$this->at + 1 < $this->length &&
+			'/' === $this->css[ $this->at ] &&
+			'*' === $this->css[ $this->at + 1 ]
+		) {
+			$this->token_type            = self::TOKEN_COMMENT;
+			$this->token_starts_at       = $this->at;
+			$this->token_value_starts_at = $this->at;
+
+			$end                      = strpos( $this->css, '*/', $this->at + 2 );
+			$this->at                 = false !== $end ? $end + 2 : $this->length;
+			$this->token_length       = $this->at - $this->token_starts_at;
+			$this->token_value_length = $this->token_length - 4;
+			return true;
+		}
+
+		/*
+		 * Whitespace tokens.
+		 *
+		 * We consider U+000A LINE FEED, U+0009 CHARACTER TABULATION, and U+0020 SPACE bytes covered by the spec.
+		 * In addition, we also capture U+000D CARRIAGE RETURN and U+000C FORM FEED that are normally converted to
+		 * U+000A LINE FEED during the preprocessing phase.
+		 *
+		 * @see https://www.w3.org/TR/css-syntax-3/#newline
+		 * @see https://www.w3.org/TR/css-syntax-3/#whitespace
+		 */
+		$whitespace_length = strspn( $this->css, "\t\n\f\r ", $this->at );
+		if ( $whitespace_length > 0 ) {
+			$this->token_type      = self::TOKEN_WHITESPACE;
+			$this->token_length    = $whitespace_length;
+			$this->token_starts_at = $this->at;
+			$this->at             += $whitespace_length;
+			return true;
+		}
+
+		/*
+		 * String tokens with either " or ' as delimiters.
+		 *
+		 * @see https://www.w3.org/TR/css-syntax-3/#consume-string-token
+		 */
+		if ( '"' === $this->css[ $this->at ] || "'" === $this->css[ $this->at ] ) {
+			return $this->consume_string();
+		}
+
+		$char                  = $this->css[ $this->at ];
+		$this->token_starts_at = $this->at;
+
+		/*
+		 * U+0023 NUMBER SIGN (#)
+		 *
+		 * A hash token is created when # is followed by an ident code point or valid escape.
+		 * This is commonly used for hex colors (#fff) or ID selectors (#header).
+		 *
+		 * @see https://www.w3.org/TR/css-syntax-3/#consume-token
+		 */
+		if ( '#' === $char ) {
+			if ( $this->at + 1 < $this->length ) {
+				if (
+					$this->consume_ident_codepoint( $this->at + 1 ) > 0 ||
+					// The next two input code points are a valid escape.
+					$this->is_valid_escape( $this->at + 1 )
+				) {
+					// Create a <hash-token>.
+					++$this->at;
+
+					// > If the next 3 input code points would start an ident sequence,
+					// > set the <hash-token>'s type flag to "id".
+					$this->token_type_flag = $this->check_if_3_code_points_start_an_ident_sequence( $this->at )
+						? self::HASH_TOKEN_ID
+						: self::HASH_TOKEN_UNRESTRICTED;
+
+					// Consume an ident sequence, and set the <hash-token>'s value to the returned string.
+					$this->consume_ident_sequence();
+					$this->token_type   = self::TOKEN_HASH;
+					$this->token_length = $this->at - $this->token_starts_at;
+					return true;
+				}
+			}
+			// Otherwise, return a <delim-token> with its value set to the current input code point.
+			++$this->at;
+			$this->token_type   = self::TOKEN_DELIM;
+			$this->token_length = 1;
+			return true;
+		}
+
+		/*
+		 * Simple single-byte tokens
+		 *
+		 * These characters form their own tokens when encountered.
+		 * Note: ( tokens here are not function tokens - those are handled
+		 * in consume_ident_like() when ( follows an identifier.
+		 *
+		 * @see https://www.w3.org/TR/css-syntax-3/#tokenization
+		 */
+		$simple = array(
+			'(' => self::TOKEN_LEFT_PAREN,
+			')' => self::TOKEN_RIGHT_PAREN,
+			',' => self::TOKEN_COMMA,
+			':' => self::TOKEN_COLON,
+			';' => self::TOKEN_SEMICOLON,
+			'[' => self::TOKEN_LEFT_BRACKET,
+			']' => self::TOKEN_RIGHT_BRACKET,
+			'{' => self::TOKEN_LEFT_BRACE,
+			'}' => self::TOKEN_RIGHT_BRACE,
+		);
+		if ( isset( $simple[ $char ] ) ) {
+			++$this->at;
+			$this->token_type   = $simple[ $char ];
+			$this->token_length = 1;
+			return true;
+		}
+
+		/*
+		 * U+0040 COMMERCIAL AT (@)
+		 *
+		 * An at-keyword is @ followed by an identifier, used for at-rules like
+		 * @media, @import, @keyframes, etc.
+		 *
+		 * @see https://www.w3.org/TR/css-syntax-3/#consume-token
+		 */
+		if ( '@' === $char ) {
+			++$this->at;
+			// If the next 3 input code points after the @ would start an ident sequence,
+			// consume an ident sequence, create an <at-keyword-token> with its value set to the returned value,
+			// and return it.
+			if ( $this->check_if_3_code_points_start_an_ident_sequence( $this->at ) ) {
+				$this->consume_ident_sequence();
+				$this->token_type   = self::TOKEN_AT_KEYWORD;
+				$this->token_length = $this->at - $this->token_starts_at;
+				return true;
+			} else {
+				// Otherwise, return a <delim-token> with its value set to the current input code point.
+				$this->token_type   = self::TOKEN_DELIM;
+				$this->token_length = 1;
+				return true;
+			}
+		}
+
+		/*
+		 * Numbers start with digits, the plus sign, minus sign, and decimal point.
+		 *
+		 * @see https://www.w3.org/TR/css-syntax-3/#starts-with-a-number
+		 */
+		if ( $this->would_next_3_code_points_start_a_number() ) {
+			return $this->consume_numeric();
+		}
+
+		/*
+		 * U+002D HYPHEN-MINUS (-)
+		 */
+		if ( '-' === $char ) {
+			// This case is covered above:
+			// > If the input stream starts with a number.
+
+			/*
+			 * If followed by another hyphen and >, this is a CDC token (-->)
+			 *
+			 * Comment Delimiter Close - legacy HTML comment syntax in CSS.
+			 *
+			 * @see https://www.w3.org/TR/css-syntax-3/#CDC-token-diagram
+			 */
+			if (
+				$this->at + 2 < $this->length &&
+				'-' === $this->css[ $this->at + 1 ] &&
+				'>' === $this->css[ $this->at + 2 ]
+			) {
+				// Consume them and return a <CDC-token>.
+				$this->at          += 3;
+				$this->token_type   = self::TOKEN_CDC;
+				$this->token_length = 3;
+				return true;
+			}
+
+			// Otherwise, if the input stream starts with an ident sequence,
+			// reconsume the current input code point, consume an ident-like
+			// token, and return it.
+			if ( $this->check_if_3_code_points_start_an_ident_sequence( $this->at ) ) {
+				return $this->consume_ident_like();
+			}
+
+			// Otherwise, return a <delim-token> with its value set to the current input code point.
+			++$this->at;
+			$this->token_type   = self::TOKEN_DELIM;
+			$this->token_length = 1;
+			return true;
+		}
+
+		/*
+		 * U+003C LESS-THAN SIGN (<)
+		 * If followed by !--, this is a CDO token (<!--)
+		 *
+		 * Comment Delimiter Open - legacy HTML comment syntax in CSS.
+		 *
+		 * @see https://www.w3.org/TR/css-syntax-3/#CDO-token-diagram
+		 */
+		if ( '<' === $char && $this->at + 3 < $this->length &&
+			'!' === $this->css[ $this->at + 1 ] &&
+			'-' === $this->css[ $this->at + 2 ] &&
+			'-' === $this->css[ $this->at + 3 ] ) {
+			// Consume them and return a <CDO-token>.
+			$this->at          += 4;
+			$this->token_type   = self::TOKEN_CDO;
+			$this->token_length = 4;
+			return true;
+		}
+
+		/*
+		 * Ident-start code point
+		 *
+		 * If the input stream starts with an ident sequence, reconsume the current
+		 * input code point, consume an ident-like token, and return it.
+		 *
+		 * Could be an identifier, function, or url() token.
+		 *
+		 * @see https://www.w3.org/TR/css-syntax-3/#consume-ident-like-token
+		 */
+		if ( $this->check_if_3_code_points_start_an_ident_sequence( $this->at ) ) {
+			return $this->consume_ident_like();
+		}
+
+		/*
+		 * Delim token (delimiter)
+		 *
+		 * Any code point that doesn't match above rules becomes a delim token.
+		 * Handle multi-byte UTF-8 characters properly.
+		 *
+		 * @see https://www.w3.org/TR/css-syntax-3/#delim-token-diagram
+		 */
+		if ( ord( $char ) >= 0x80 ) {
+			$new_at         = $this->at;
+			$invalid_length = 0;
+			if ( 1 !== _wp_scan_utf8( $this->css, $new_at, $invalid_length, null, 1 ) ) {
+				/**
+				 * Trouble ahead!
+				 * Bytes at $at are not a valid UTF-8 sequence.
+				 *
+				 * We'll move forward by $invalid_length bytes and continue processing.
+				 * Later on, during the string decoding, we'll replace the invalid bytes with U+FFFD
+				 * via maximal subpart”replacement.
+				 */
+				$matched_bytes = $invalid_length;
+			} else {
+				$matched_bytes = $new_at - $this->at;
+			}
+
+			$this->at          += $matched_bytes;
+			$this->token_type   = self::TOKEN_DELIM;
+			$this->token_length = $matched_bytes;
+			return true;
+		}
+
+		// Single ASCII delim.
+		++$this->at;
+		$this->token_type   = self::TOKEN_DELIM;
+		$this->token_length = 1;
+		return true;
+	}
+
+	/**
+	 * Gets the current token type.
+	 *
+	 * @return string|null
+	 * @phpstan-return self::TOKEN_*|null
+	 */
+	public function get_token_type(): ?string {
+		return $this->token_type;
+	}
+
+	/**
+	 * Gets the current token's type flag, if it has one.
+	 *
+	 * Hash tokens expose the CSS Syntax hash-token type flag. Other token
+	 * flags are not currently tracked and return null.
+	 *
+	 * @return string|null
+	 */
+	public function get_token_type_flag(): ?string {
+		return $this->token_type_flag;
+	}
+
+	/**
+	 * Gets the normalized token text from the CSS source.
+	 *
+	 * Returns the token with CSS normalization and escape decoding applied:
+	 * - CSS escapes decoded (e.g., \6c → l, \2f → /, \A → newline)
+	 * - \r\n, \r, \f → \n
+	 * - \x00 → U+FFFD (�)
+	 *
+	 * This is different from get_token_value() which returns the semantic value
+	 * (e.g., for strings: content without quotes; for numbers: numeric value).
+	 *
+	 * @return string|null
+	 */
+	public function get_normalized_token(): ?string {
+		if ( null === $this->token_starts_at || null === $this->token_length ) {
+			return null;
+		}
+
+		return $this->decode_range(
+			$this->token_starts_at,
+			$this->token_length,
+			self::TOKEN_STRING === $this->token_type
+		);
+	}
+
+	/**
+	 * Gets the raw, unnormalized token text from the CSS source.
+	 *
+	 * Returns the exact bytes from the source without any normalization.
+	 * This preserves original line endings (\r\n, \r, \f) and null bytes.
+	 *
+	 * @return string|null
+	 */
+	public function get_unnormalized_token(): ?string {
+		if ( null === $this->token_starts_at || null === $this->token_length ) {
+			return null;
+		}
+		return substr( $this->css, $this->token_starts_at, $this->token_length );
+	}
+
+	/**
+	 * Gets the current token value as a normalized and decoded string. This is
+	 * a slight divergence from the CSS Syntax Level 3 spec, where all the numberic
+	 * values are parsed as numbers. This processor is only concerned with their
+	 * textual representation.
+	 *
+	 * Returns the semantic value of the token per CSS Syntax Level 3 spec:
+	 *
+	 * - For delimiters: the single code point
+	 * - For numbers/percentages: the string representation of the number
+	 * - For dimensions: the string representation of the number (use get_token_unit() for the unit)
+	 * - For identifiers/functions/hash/at-keywords: the decoded identifier string
+	 * - For strings/URLs: the decoded string value
+	 * - For other tokens: null
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#token-value
+	 * @return string|null
+	 */
+	public function get_token_value() {
+		if ( null === $this->token_value ) {
+			if ( null === $this->token_starts_at || null === $this->token_length ) {
+				return null;
+			}
+
+			switch ( $this->token_type ) {
+				case self::TOKEN_HASH:
+					// Hash value starts after the # character.
+					$this->token_value = $this->decode_range( $this->token_starts_at + 1, $this->token_length - 1 );
+					break;
+
+				case self::TOKEN_AT_KEYWORD:
+					// At-keyword value starts after the @ character.
+					$this->token_value = $this->decode_range( $this->token_starts_at + 1, $this->token_length - 1 );
+					break;
+
+				case self::TOKEN_FUNCTION:
+					// Function name is everything except the final (.
+					$this->token_value = $this->decode_range( $this->token_starts_at, $this->token_length - 1 );
+					break;
+
+				case self::TOKEN_IDENT:
+					// Identifier is the entire token.
+					$this->token_value = $this->decode_range( $this->token_starts_at, $this->token_length );
+					break;
+
+				case self::TOKEN_BAD_STRING:
+					$this->token_value = null;
+					break;
+
+				case self::TOKEN_STRING:
+					if ( null !== $this->token_value_starts_at && null !== $this->token_value_length ) {
+						$this->token_value = $this->decode_range(
+							$this->token_value_starts_at,
+							$this->token_value_length,
+							true
+						);
+					} else {
+						$this->token_value = null;
+					}
+					break;
+
+				case self::TOKEN_URL:
+					// Decode and cache the URL value.
+					if ( null !== $this->token_value_starts_at && null !== $this->token_value_length ) {
+						$this->token_value = $this->decode_range(
+							$this->token_value_starts_at,
+							$this->token_value_length
+						);
+					} else {
+						$this->token_value = null;
+					}
+					break;
+
+				case self::TOKEN_DELIM:
+					// Delim value is the single code point.
+					$this->token_value = $this->decode_range( $this->token_starts_at, $this->token_length );
+					break;
+
+				case self::TOKEN_NUMBER:
+					// Return the string representation of the number (not parsed to float).
+					$this->token_value = substr( $this->css, $this->token_starts_at, $this->token_length );
+					break;
+
+				case self::TOKEN_PERCENTAGE:
+					// Return the string representation of the number (without the %).
+					$this->token_value = substr( $this->css, $this->token_starts_at, $this->token_length - 1 );
+					break;
+
+				case self::TOKEN_DIMENSION:
+					// Return the string representation of the number (without the unit).
+					$this->token_value = substr( $this->get_normalized_token(), 0, -strlen( $this->token_unit ) );
+					break;
+
+				default:
+					$this->token_value = null;
+					break;
+			}
+		}
+
+		return $this->token_value;
+	}
+
+	/**
+	 * Determines whether the current token is a data URI.
+	 *
+	 * Only meaningful for URL and STRING tokens. Returns false for all other token types.
+	 *
+	 * @return bool Whether the current token value starts with "data:" (case-insensitive).
+	 */
+	public function is_data_uri(): bool {
+		if ( null === $this->token_value_starts_at || null === $this->token_value_length ) {
+			return false;
+		}
+
+		if ( $this->token_value_length < 5 ) {
+			return false;
+		}
+
+		$offset = $this->token_value_starts_at;
+		return (
+			( 'd' === $this->css[ $offset ] || 'D' === $this->css[ $offset ] ) &&
+			( 'a' === $this->css[ $offset + 1 ] || 'A' === $this->css[ $offset + 1 ] ) &&
+			( 't' === $this->css[ $offset + 2 ] || 'T' === $this->css[ $offset + 2 ] ) &&
+			( 'a' === $this->css[ $offset + 3 ] || 'A' === $this->css[ $offset + 3 ] ) &&
+			':' === $this->css[ $offset + 4 ]
+		);
+	}
+
+	/**
+	 * Gets the token start at.
+	 *
+	 * @return int|null
+	 */
+	public function get_token_start(): ?int {
+		return $this->token_starts_at;
+	}
+
+	/**
+	 * Gets the token length.
+	 *
+	 * @return int|null
+	 */
+	public function get_token_length(): ?int {
+		return $this->token_length;
+	}
+
+	/**
+	 * Gets the unit for dimension tokens.
+	 *
+	 * @return string|null
+	 */
+	public function get_token_unit(): ?string {
+		return $this->token_unit;
+	}
+
+	/**
+	 * Gets the byte at where the token value starts (for STRING and URL tokens).
+	 *
+	 * @return int|null
+	 */
+	public function get_token_value_start(): ?int {
+		return $this->token_value_starts_at;
+	}
+
+	/**
+	 * Gets the byte length of the token value (for STRING and URL tokens).
+	 *
+	 * @return int|null
+	 */
+	public function get_token_value_length(): ?int {
+		return $this->token_value_length;
+	}
+
+	/**
+	 * Sets the value of the current URL token.
+	 *
+	 * This method allows modifying the URL value in url() tokens. The new value
+	 * will be properly escaped according to CSS URL syntax rules.
+	 *
+	 * Currently only URL tokens are supported. Attempting to set the value on
+	 * other token types will return false.
+	 *
+	 * Example:
+	 *
+	 *     $css = 'background: url(old.jpg);';
+	 *     $processor = WP_CSS_Token_Processor::create( $css );
+	 *     while ( $processor->next_token() ) {
+	 *         if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+	 *             $processor->set_token_value( 'new.jpg' );
+	 *         }
+	 *     }
+	 *     echo $processor->get_updated_css();
+	 *     // Outputs: background: url(new.jpg);
+	 *
+	 * @param string $new_value The new URL value (should not include url() wrapper).
+	 * @return bool Whether the value was successfully updated.
+	 */
+	public function set_token_value( string $new_value ): bool {
+		// Only URL and string tokens are currently supported.
+		switch ( $this->token_type ) {
+			case self::TOKEN_URL:
+				$this->lexical_updates[] = array(
+					'start'  => $this->token_value_starts_at,
+					'length' => $this->token_value_length,
+					'text'   => WP_CSS_Builder::string( $new_value ),
+				);
+				return true;
+			case self::TOKEN_STRING:
+				$this->lexical_updates[] = array(
+					'start'  => $this->token_starts_at,
+					'length' => $this->token_length,
+					'text'   => WP_CSS_Builder::string( $new_value ),
+				);
+				return true;
+			default:
+				return false;
+		}
+	}
+
+	/**
+	 * Returns the CSS with all modifications applied.
+	 *
+	 * This method applies all queued lexical updates and returns the modified CSS.
+	 * If no modifications were made, returns the original CSS.
+	 *
+	 * Example:
+	 *
+	 *     $css = 'background: url(old.jpg);';
+	 *     $processor = WP_CSS_Token_Processor::create( $css );
+	 *     while ( $processor->next_token() ) {
+	 *         if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+	 *             $processor->set_token_value( 'new.jpg' );
+	 *         }
+	 *     }
+	 *     echo $processor->get_updated_css();
+	 *     // Outputs: background: url(new.jpg);
+	 *
+	 * @return string The modified CSS.
+	 */
+	public function get_updated_css(): string {
+		if ( empty( $this->lexical_updates ) ) {
+			return $this->css;
+		}
+
+		// Sort updates by start position in ascending order.
+		usort(
+			$this->lexical_updates,
+			function ( $a, $b ) {
+				return $a['start'] - $b['start'];
+			}
+		);
+
+		// Build the output by concatenating original CSS fragments with replacements.
+		$bytes_already_copied = 0;
+		$output               = '';
+
+		foreach ( $this->lexical_updates as $update ) {
+			$output              .= substr( $this->css, $bytes_already_copied, $update['start'] - $bytes_already_copied );
+			$output              .= $update['text'];
+			$bytes_already_copied = $update['start'] + $update['length'];
+		}
+
+		// Copy remaining CSS after last update.
+		$output .= substr( $this->css, $bytes_already_copied );
+
+		return $output;
+	}
+
+	/**
+	 * Clears token state between tokens.
+	 */
+	private function after_token(): void {
+		$this->token_type            = null;
+		$this->token_type_flag       = null;
+		$this->token_starts_at       = null;
+		$this->token_length          = null;
+		$this->token_value           = null;
+		$this->token_unit            = null;
+		$this->token_value_starts_at = null;
+		$this->token_value_length    = null;
+	}
+
+	/**
+	 * Consumes a string token.
+	 *
+	 * Strings are quoted with either " or ' and can contain escape sequences.
+	 * Newlines inside strings (without escaping) make the string invalid.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#consume-string-token
+	 *
+	 * @return bool
+	 */
+	private function consume_string(): bool {
+		// Initially create a <string-token> with its value set to the empty string.
+		$this->token_starts_at = $this->at;
+		$ending_char           = $this->css[ $this->at ];
+
+		// Skip past the opening quote.
+		++$this->at;
+		$value_starts_at = $this->at;
+
+		// Characters that need special handling: the ending quote, newlines, backslashes.
+		$special_chars = "'" === $ending_char ? "'\n\f\r\\" : "\"\n\f\r\\";
+
+		while ( $this->at < $this->length ) {
+			// Consume normal characters until we hit a special character.
+			$normal_len = strcspn( $this->css, $special_chars, $this->at );
+			if ( $normal_len > 0 ) {
+				$this->at += $normal_len;
+			}
+
+			if ( $this->at >= $this->length ) {
+				break; // EOF.
+			}
+
+			$char = $this->css[ $this->at ];
+			switch ( $char ) {
+				case $ending_char:
+					// Ending quote.
+					// Return the <string-token>.
+					++$this->at;
+					$this->token_type            = self::TOKEN_STRING;
+					$this->token_length          = $this->at - $this->token_starts_at;
+					$this->token_value_starts_at = $value_starts_at;
+					$this->token_value_length    = $this->at - $value_starts_at - 1;
+					return true;
+
+				case "\n":
+				case "\f":
+				case "\r":
+					/*
+					 * Newline.
+					 *
+					 * This is a parse error. Reconsume the current input code point,
+					 * create a <bad-string-token>, and return it.
+					 *
+					 * Unescaped newlines are not allowed in strings. To include a newline,
+					 * it must be escaped as \A or the string must end and a new one begin.
+					 *
+					 * @see https://www.w3.org/TR/css-syntax-3/#consume-string-token
+					 */
+					$this->token_type            = self::TOKEN_BAD_STRING;
+					$this->token_length          = $this->at - $this->token_starts_at;
+					$this->token_value_starts_at = $value_starts_at;
+					$this->token_value_length    = $this->at - $value_starts_at;
+					return true;
+
+				case '\\':
+					// U+005C REVERSE SOLIDUS (\)
+					// If the next input code point is EOF, do nothing.
+					++$this->at;
+					if ( $this->at >= $this->length ) {
+						// Backslash-EOF: do nothing, just consume the backslash.
+						continue 2;
+					}
+
+					// Otherwise, if the next input code point is a newline, consume it.
+					$next = $this->css[ $this->at ];
+					if ( "\n" === $next || "\f" === $next ) {
+						++$this->at;
+						continue 2;
+					} elseif ( "\r" === $next ) {
+						++$this->at;
+						// Handle \r\n as a single newline.
+						if ( $this->at < $this->length && "\n" === $this->css[ $this->at ] ) {
+							++$this->at;
+						}
+						continue 2;
+					}
+
+					// Otherwise, (the stream starts with a valid escape) consume an escaped
+					// code point (just to advance position, don't store the result).
+					$this->decode_escape_at( $this->at, $matched_bytes );
+					$this->at += $matched_bytes;
+					continue 2;
+
+				default:
+					_doing_it_wrong( __METHOD__, 'Unexpected character in string: ' . $char, '1.0.0' );
+					break;
+			}
+		}
+
+		// EOF
+		// This is a parse error. Return the <string-token>.
+		$this->token_type            = self::TOKEN_STRING;
+		$this->token_length          = $this->at - $this->token_starts_at;
+		$this->token_value_starts_at = $value_starts_at;
+		$this->token_value_length    = $this->at - $value_starts_at;
+		return true;
+	}
+
+	/**
+	 * Consumes a numeric token (number, percentage, dimension).
+	 *
+	 * Numbers can be integers or decimals, with optional sign and exponent.
+	 * They can be followed by % (percentage) or an identifier (dimension).
+	 *
+	 * @TODO: Keep track of the "type" flag ("integer" or "number").
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#consume-numeric-token
+	 * @see https://www.w3.org/TR/css-syntax-3/#consume-number
+	 *
+	 * @return bool
+	 */
+	private function consume_numeric(): bool {
+		// Consume a number and let number be the result.
+
+		// If the next input code point is U+002B PLUS SIGN (+) or U+002D HYPHEN-MINUS (-),
+		// consume it and append it to repr.
+		if ( '+' === $this->css[ $this->at ] || '-' === $this->css[ $this->at ] ) {
+			++$this->at;
+		}
+
+		// While the next input code point is a digit, consume it and append it to repr.
+		$digits = strspn( $this->css, '0123456789', $this->at );
+		if ( $digits > 0 ) {
+			$this->at += $digits;
+		}
+
+		// If the next 2 input code points are U+002E FULL STOP (.) followed by a digit, then.
+		if (
+			$this->at + 1 < $this->length &&
+			'.' === $this->css[ $this->at ] &&
+			$this->css[ $this->at + 1 ] >= '0' &&
+			$this->css[ $this->at + 1 ] <= '9'
+		) {
+			// Consume them.
+			++$this->at;
+			// While the next input code point is a digit, consume it and append it to repr.
+			$digits = strspn( $this->css, '0123456789', $this->at );
+			if ( $digits > 0 ) {
+				$this->at += $digits;
+			}
+		}
+
+		// If the next 2 or 3 input code points are U+0045 LATIN CAPITAL LETTER E (E)
+		// or U+0065 LATIN SMALL LETTER E (e), optionally followed by U+002D HYPHEN-MINUS (-)
+		// or U+002B PLUS SIGN (+), followed by a digit, then.
+		if ( $this->at < $this->length ) {
+			$e = $this->css[ $this->at ];
+			if ( 'e' === $e || 'E' === $e ) {
+				$save_pos = $this->at;
+				++$this->at;
+				$has_exp = false;
+
+				if ( $this->at < $this->length ) {
+					$next = $this->css[ $this->at ];
+					if ( ( '+' === $next || '-' === $next ) && $this->at + 1 < $this->length &&
+						$this->css[ $this->at + 1 ] >= '0' && $this->css[ $this->at + 1 ] <= '9' ) {
+						// Consume them.
+						++$this->at;
+						$has_exp = true;
+					} elseif ( $next >= '0' && $next <= '9' ) {
+						$has_exp = true;
+					}
+				}
+
+				if ( $has_exp ) {
+					// While the next input code point is a digit, consume it and append it to repr.
+					$digits = strspn( $this->css, '0123456789', $this->at );
+					if ( $digits > 0 ) {
+						$this->at += $digits;
+					}
+				} else {
+					$this->at = $save_pos;
+				}
+			}
+		}
+
+		/**
+		 * This is the end of spec section 4.3.12. Consume a number.
+		 * We still have some work to do as specified in section 4.3.3. Consume a numeric token:
+		 * https://www.w3.org/TR/css-syntax-3/#consume-numeric-token
+		 */
+
+		// If the next 3 input code points would start an ident sequence, then.
+		if ( $this->check_if_3_code_points_start_an_ident_sequence( $this->at ) ) {
+			// Create a <dimension-token> with the same value and type flag as number,
+			// and a unit set initially to the empty string.
+			// Consume an ident sequence. Set the <dimension-token>'s unit to the returned value.
+			$unit_starts_at = $this->at;
+			$this->consume_ident_sequence();
+			$this->token_unit   = $this->decode_range( $unit_starts_at, $this->at - $unit_starts_at );
+			$this->token_type   = self::TOKEN_DIMENSION;
+			$this->token_length = $this->at - $this->token_starts_at;
+			return true;
+		}
+
+		// Otherwise, if the next input code point is U+0025 PERCENTAGE SIGN (%), consume it.
+		// Create a <percentage-token> with the same value as number, and return it.
+		if ( $this->at < $this->length && '%' === $this->css[ $this->at ] ) {
+			++$this->at;
+			$this->token_type   = self::TOKEN_PERCENTAGE;
+			$this->token_length = $this->at - $this->token_starts_at;
+			return true;
+		}
+
+		// Otherwise, create a <number-token> with the same value and type flag as number, and return it.
+		$this->token_type   = self::TOKEN_NUMBER;
+		$this->token_length = $this->at - $this->token_starts_at;
+		return true;
+	}
+
+	/**
+	 * Consumes an ident-like token (function, url, ident).
+	 *
+	 * After consuming an identifier, checks if it's followed by '(' to determine
+	 * if it's a function or url() token, otherwise it's a plain identifier.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#consume-ident-like-token
+	 *
+	 * @return bool
+	 */
+	private function consume_ident_like(): bool {
+		// Consume an ident sequence, and let string be the result.
+		$ident_start = $this->at;
+		$decoded     = $this->consume_ident_sequence();
+		$string      = $decoded ?? $this->decode_range( $ident_start, $this->at - $ident_start );
+
+		// If string's value is an ASCII case-insensitive match for "url",
+		// and the next input code point is U+0028 LEFT PARENTHESIS (().
+		if ( 0 === strcasecmp( $string, 'url' ) && $this->at < $this->length && '(' === $this->css[ $this->at ] ) {
+			// Consume it.
+			++$this->at;
+
+			// While the next two input code points are whitespace, consume the next input code point.
+			$ws_len = strspn( $this->css, "\t\n\f\r ", $this->at );
+
+			// If the next one or two input code points are U+0022 QUOTATION MARK ("),
+			// U+0027 APOSTROPHE ('), or whitespace followed by U+0022 QUOTATION MARK (")
+			// or U+0027 APOSTROPHE (').
+			if ( $this->at + $ws_len < $this->length ) {
+				$next = $this->css[ $this->at + $ws_len ];
+				if ( '"' === $next || "'" === $next ) {
+					// then create a <function-token> with its value set to string and return it.
+					if ( null !== $decoded ) {
+						$this->token_value = $decoded;
+					}
+					$this->token_type   = self::TOKEN_FUNCTION;
+					$this->token_length = $this->at - $this->token_starts_at;
+					return true;
+				}
+			}
+
+			// Otherwise, consume a url token, and return it.
+			$this->at += $ws_len;
+			return $this->consume_url();
+		}
+
+		// Otherwise, if the next input code point is U+0028 LEFT PARENTHESIS (().
+		if ( $this->at < $this->length && '(' === $this->css[ $this->at ] ) {
+			// Consume it.
+			++$this->at;
+			// Create a <function-token> with its value set to string and return it.
+			if ( null !== $decoded ) {
+				$this->token_value = $decoded;
+			}
+			$this->token_type   = self::TOKEN_FUNCTION;
+			$this->token_length = $this->at - $this->token_starts_at;
+			return true;
+		}
+
+		// Otherwise, create an <ident-token> with its value set to string and return it.
+		if ( null !== $decoded ) {
+			$this->token_value = $decoded;
+		}
+		$this->token_type   = self::TOKEN_IDENT;
+		$this->token_length = $this->at - $this->token_starts_at;
+		return true;
+	}
+
+	/**
+	 * Consumes a url token.
+	 *
+	 * URL tokens can contain unquoted URLs with escape sequences but not quotes,
+	 * parentheses, or certain control characters. Invalid characters create a
+	 * bad-url token.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#consume-url-token
+	 *
+	 * @return bool
+	 */
+	private function consume_url(): bool {
+		// Initially create a <url-token> with its value set to the empty string.
+		// Consume as much whitespace as possible.
+		$this->at += strspn( $this->css, "\t\n\f\r ", $this->at );
+
+		$value_starts_at = $this->at;
+
+		// Repeatedly consume the next input code point from the stream.
+		while ( $this->at < $this->length ) {
+			// U+0029 RIGHT PARENTHESIS ())
+			// Return the <url-token>.
+			if ( ')' === $this->css[ $this->at ] ) {
+				++$this->at;
+				$this->token_type            = self::TOKEN_URL;
+				$this->token_length          = $this->at - $this->token_starts_at;
+				$this->token_value_starts_at = $value_starts_at;
+				$this->token_value_length    = $this->at - $value_starts_at - 1;
+				return true;
+			}
+
+			// whitespace
+			// Consume as much whitespace as possible. If the next input code point is
+			// U+0029 RIGHT PARENTHESIS ()) or EOF, consume it and return the <url-token>
+			// (if EOF was encountered, this is a parse error); otherwise, consume the
+			// remnants of a bad url, create a <bad-url-token>, and return it.
+			$ws_len = strspn( $this->css, "\t\n\f\r ", $this->at );
+			if ( $ws_len > 0 ) {
+				$value_ends_at = $this->at;
+				$this->at     += $ws_len;
+				// Accept either ) or EOF after whitespace.
+				if ( $this->at >= $this->length ) {
+					// EOF is a parse error, but we return the <url-token> anyway.
+					$this->token_type            = self::TOKEN_URL;
+					$this->token_length          = $this->at - $this->token_starts_at;
+					$this->token_value_starts_at = $value_starts_at;
+					$this->token_value_length    = $value_ends_at - $value_starts_at;
+					return true;
+				}
+
+				if ( ')' === $this->css[ $this->at ] ) {
+					// Skip the closing parenthesis and return the <url-token>.
+					++$this->at;
+					$this->token_type            = self::TOKEN_URL;
+					$this->token_length          = $this->at - $this->token_starts_at;
+					$this->token_value_starts_at = $value_starts_at;
+					$this->token_value_length    = $value_ends_at - $value_starts_at;
+					return true;
+				}
+
+				return $this->consume_remnants_of_bad_url();
+			}
+
+			// These codepoints trigger a parse error.
+			$byte = ord( $this->css[ $this->at ] );
+			if (
+				'"' === $this->css[ $this->at ] ||
+				"'" === $this->css[ $this->at ] ||
+				'(' === $this->css[ $this->at ] ||
+
+				// Non-printable code point.
+				$byte <= 0x08 ||
+
+				// Line Tabulation.
+				0x0B === $byte ||
+
+				// Control characters.
+				( $byte >= 0x000E && $byte <= 0x001F ) ||
+
+				// Delete.
+				0x7F === $byte
+			) {
+				// Consume the remnants of a bad url,
+				// create a <bad-url-token>, and return it.
+				return $this->consume_remnants_of_bad_url();
+			}
+
+			// U+005C REVERSE SOLIDUS (\)
+			// If the stream starts with a valid escape, consume an escaped code point.
+			if ( '\\' === $this->css[ $this->at ] ) {
+				if ( $this->is_valid_escape( $this->at ) ) {
+					++$this->at;
+					$this->decode_escape_at( $this->at, $matched_bytes );
+					$this->at += $matched_bytes;
+					continue;
+				}
+				// Otherwise, this is a parse error. Consume the remnants of a bad url,
+				// create a <bad-url-token>, and return it.
+				return $this->consume_remnants_of_bad_url();
+			}
+
+			$at             = $this->at;
+			$invalid_length = 0;
+			if ( 1 !== _wp_scan_utf8( $this->css, $at, $invalid_length, null, 1 ) ) {
+				/**
+				 * Trouble ahead!
+				 * Bytes at $at are not a valid UTF-8 sequence.
+				 *
+				 * We'll move forward by $invalid_length bytes and continue processing.
+				 * Later on, during the string decoding, we'll replace the invalid bytes with U+FFFD
+				 * via maximal subpart”replacement.
+				 */
+				$this->at += $invalid_length;
+			} else {
+				$this->at = $at;
+			}
+		}
+
+		// EOF
+		// This is a parse error. Return the <url-token>.
+		$this->token_type            = self::TOKEN_URL;
+		$this->token_length          = $this->at - $this->token_starts_at;
+		$this->token_value_starts_at = $value_starts_at;
+		$this->token_value_length    = $this->at - $value_starts_at;
+		return true;
+	}
+
+	/**
+	 * Finishes a bad url token by consuming remnants.
+	 *
+	 * When an invalid character is encountered in a URL, we must consume
+	 * the remainder of the URL up to the closing ) or EOF.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#consume-remnants-of-bad-url
+	 *
+	 * @return bool
+	 */
+	private function consume_remnants_of_bad_url(): bool {
+		while ( $this->at < $this->length ) {
+			$this->at += strcspn( $this->css, ')\\', $this->at );
+
+			if ( $this->at >= $this->length ) {
+				break;
+			}
+
+			if ( '\\' === $this->css[ $this->at ] ) {
+				++$this->at;
+				if ( $this->is_valid_escape( $this->at - 1 ) ) {
+					$this->decode_escape_at( $this->at, $matched_bytes );
+					$this->at += $matched_bytes;
+					continue;
+				}
+			} elseif ( ')' === $this->css[ $this->at ] ) {
+				++$this->at;
+				break;
+			}
+		}
+
+		$this->token_type   = self::TOKEN_BAD_URL;
+		$this->token_length = $this->at - $this->token_starts_at;
+		return true;
+	}
+
+	/**
+	 * Consumes an identifier sequence.
+	 *
+	 * Identifiers can contain letters, digits, hyphens, underscores, non-ASCII
+	 * characters, and escape sequences. Null bytes are replaced with U+FFFD.
+	 *
+	 * Returns the decoded identifier string if escapes were encountered,
+	 * or null if no decoding was needed (can use raw substring).
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#consume-name
+	 */
+	private function consume_ident_sequence() {
+		while ( $this->at < $this->length ) {
+			$codepoint_bytes = $this->consume_ident_codepoint( $this->at );
+			if ( $codepoint_bytes > 0 ) {
+				$this->at += $codepoint_bytes;
+				continue;
+			}
+
+			if ( $this->is_valid_escape( $this->at ) ) {
+				++$this->at;
+
+				$this->decode_escape_at( $this->at, $matched_bytes );
+				$this->at += $matched_bytes;
+				continue;
+			}
+
+			break;
+		}
+	}
+
+	/**
+	 * Ident-start code point
+	 *     A letter, a non-ASCII code point, or U+005F LOW LINE (_).
+	 *
+	 * Ident code point
+	 *     An ident-start code point, a digit, or U+002D HYPHEN-MINUS (-).
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#ident-start-code-point
+	 * @return int The number of bytes consumed.
+	 */
+	private function consume_ident_codepoint( $at ): int {
+		// ident code points.
+		if ( ( $this->css[ $at ] >= '0' && $this->css[ $at ] <= '9' ) ||
+			'-' === $this->css[ $at ] ) {
+			return 1;
+		}
+
+		return $this->consume_ident_start_codepoint( $at );
+	}
+
+
+	/**
+	 * Ident-start code point
+	 *     A letter, a non-ASCII code point, or U+005F LOW LINE (_).
+	 *
+	 * Ident code point
+	 *     An ident-start code point, a digit, or U+002D HYPHEN-MINUS (-).
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#ident-start-code-point
+	 * @return int The number of bytes consumed.
+	 */
+	private function consume_ident_start_codepoint( $at ): int {
+		if ( $at >= $this->length ) {
+			return 0;
+		}
+
+		// ASCII codepoints.
+		if ( ( $this->css[ $at ] >= 'A' && $this->css[ $at ] <= 'Z' ) ||
+			( $this->css[ $at ] >= 'a' && $this->css[ $at ] <= 'z' ) ||
+			'_' === $this->css[ $at ] ) {
+			return 1;
+		}
+
+		// Special case for null bytes – they are replaced with U+FFFD during preprocessing.
+		if ( "\x00" === $this->css[ $at ] ) {
+			return 1;
+		}
+
+		$new_at         = $at;
+		$invalid_length = 0;
+		if ( 1 !== _wp_scan_utf8( $this->css, $new_at, $invalid_length, null, 1 ) ) {
+			/**
+			 * Trouble ahead!
+			 * Bytes at $at are not a valid UTF-8 sequence.
+			 *
+			 * We'll move forward by $invalid_length bytes and continue processing.
+			 * Later on, during the string decoding, we'll replace the invalid bytes with U+FFFD
+			 * via maximal subpart”replacement.
+			 */
+			return $invalid_length;
+		}
+
+		$codepoint_byte_length = $new_at - $at;
+		$codepoint             = self::utf8_ord( substr( $this->css, $at, $codepoint_byte_length ) );
+		if ( null !== $codepoint && $codepoint >= 0x80 ) {
+			return $codepoint_byte_length;
+		}
+		return 0;
+	}
+
+	/**
+	 * Decodes and normalizes ident-like or string CSS values from a byte range.
+	 *
+	 * @param int  $start          Start byte offset.
+	 * @param int  $length         Length of the substring to decode.
+	 * @param bool $string_escapes Optional, default false. When true, apply additional escape
+	 *                             rules that apply only to string tokens.
+	 * @return string Decoded and normalized string.
+	 */
+	private function decode_range( int $start, int $length, bool $string_escapes = false ): string {
+		// Fast path: check if any processing is needed.
+		$slice         = wp_scrub_utf8( substr( $this->css, $start, $length ) );
+		$special_chars = "\\\r\f\x00";
+		if ( false === strpbrk( $slice, $special_chars ) ) {
+			// No special chars - return raw substring (almost zero allocations).
+			return $slice;
+		}
+
+		// Slow path: build decoded string (one allocation).
+		$decoded = '';
+		$at      = $start;
+		$end     = $start + $length;
+
+		while ( $at < $end ) {
+			// Find next special character.
+			$normal_len = strcspn( $this->css, $special_chars, $at );
+			if ( $normal_len > 0 ) {
+				// Clamp to not exceed the end boundary.
+				$normal_len = min( $normal_len, $end - $at );
+				$decoded   .= wp_scrub_utf8( substr( $this->css, $at, $normal_len ) );
+				$at        += $normal_len;
+			}
+
+			if ( $at >= $end ) {
+				break;
+			}
+
+			$char = $this->css[ $at ];
+
+			// Handle escapes (if enabled).
+			if ( '\\' === $char ) {
+				if ( $string_escapes ) {
+					if ( $at + 1 >= $end ) {
+						// Backslash-EOF: consume the backslash and stop.
+						++$at;
+						continue;
+					}
+
+					$next = $this->css[ $at + 1 ];
+					if ( "\n" === $next || "\f" === $next ) {
+						// Backslash followed by LF or FF is a string line continuation.
+						$at += 2;
+						continue;
+					}
+
+					if ( "\r" === $next ) {
+						// Backslash followed by CR or CRLF is a string line continuation.
+						$at += 2;
+						if ( $at < $end && "\n" === $this->css[ $at ] ) {
+							++$at;
+						}
+						continue;
+					}
+				}
+
+				if ( $this->is_valid_escape( $at ) ) {
+					++$at;
+					$decoded .= $this->decode_escape_at( $at, $bytes_consumed );
+					$at      += $bytes_consumed;
+					continue;
+				}
+				// Invalid escape - consume the backslash and keep going.
+				$decoded .= '\\';
+				++$at;
+				continue;
+			}
+
+			// CSS normalization: \r\n, \r, and \f all become \n.
+			if ( "\r" === $char ) {
+				$decoded .= "\n";
+				++$at;
+				// Handle \r\n as single newline.
+				if ( $at < $end && "\n" === $this->css[ $at ] ) {
+					++$at;
+				}
+				continue;
+			}
+
+			if ( "\f" === $char ) {
+				$decoded .= "\n";
+				++$at;
+				continue;
+			}
+
+			// Null bytes become U+FFFD.
+			if ( "\x00" === $char ) {
+				$decoded .= "\u{FFFD}";
+				++$at;
+				continue;
+			}
+		}
+
+		return $decoded;
+	}
+
+	/**
+	 * Decodes an escape sequence starting at the given offset without
+	 * modifying $this->at.
+	 *
+	 * Escape sequences are backslash followed by 1-6 hex digits (with optional
+	 * trailing whitespace) or any other character. Invalid code points are
+	 * replaced with U+FFFD.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#consume-escaped-code-point
+	 *
+	 * @param int $offset Byte offset (should point to the character after the backslash).
+	 * @param int &$bytes_consumed Output parameter: number of bytes consumed.
+	 * @return string The decoded character(s).
+	 */
+	private function decode_escape_at( int $offset, &$bytes_consumed ): string {
+		// This method assumes the U+005C REVERSE SOLIDUS (\) has already been consumed
+		// and the next input code point has already been verified to be part of a valid
+		// escape sequence.
+		$at = $offset;
+
+		// EOF.
+		if ( $at >= $this->length ) {
+			// This is a parse error. Return U+FFFD REPLACEMENT CHARACTER (�).
+			$bytes_consumed = 0;
+			return "\u{FFFD}";
+		}
+
+		// Hex digits.
+		$hex_len = strspn( $this->css, '0123456789ABCDEFabcdef', $at );
+		if ( $hex_len > 0 ) {
+			// Consume up to 6 hex digits.
+			$hex_len = min( $hex_len, 6 );
+			$hex     = substr( $this->css, $at, $hex_len );
+			$at     += $hex_len;
+
+			// If the next input code point is whitespace, consume it as well.
+			if ( $at < $this->length ) {
+				$next = $this->css[ $at ];
+				if ( "\t" === $next || "\n" === $next || "\f" === $next || ' ' === $next ) {
+					++$at;
+				} elseif ( "\r" === $next ) {
+					++$at;
+					// Handle \r\n as a single whitespace – the preprocessing phase would replace \r\n with \n.
+					if ( $at < $this->length && "\n" === $this->css[ $at ] ) {
+						++$at;
+					}
+				}
+			}
+
+			$bytes_consumed = $at - $offset;
+			$code_point     = hexdec( $hex );
+			if (
+				$code_point <= 0 ||
+				( $code_point >= 0xD800 && $code_point <= 0xDFFF ) ||
+				$code_point > 0x10FFFF
+			) {
+				return "\u{FFFD}";
+			}
+
+			// Convert the hex digits to a UTF-8 string.
+			return WP_HTML_Decoder::code_point_to_utf8_bytes( $code_point );
+		}
+
+		// Anything else.
+		// Return the current input code point.
+		// Null bytes are replaced with U+FFFD during preprocessing.
+		if ( "\x00" === $this->css[ $at ] ) {
+			$bytes_consumed = 1;
+			return "\u{FFFD}";
+		}
+
+		$new_at         = $at;
+		$invalid_length = 0;
+		if ( 1 !== _wp_scan_utf8( $this->css, $new_at, $invalid_length, null, 1 ) ) {
+			// Consume the invalid subpart and return U+FFFD.
+			$bytes_consumed = $invalid_length;
+			return "\u{FFFD}";
+		}
+
+		$bytes_consumed = $new_at - $at;
+		return substr( $this->css, $at, $bytes_consumed );
+	}
+
+	/**
+	 * Checks if current position starts a valid escape sequence.
+	 *
+	 * A valid escape is a backslash not followed by a newline or EOF.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#starts-with-a-valid-escape
+	 *
+	 * @param int $offset Byte offset.
+	 * @return bool
+	 */
+	private function is_valid_escape( int $offset ): bool {
+		// If the first code point is not U+005C REVERSE SOLIDUS (\), return false.
+		if ( $offset >= $this->length || '\\' !== $this->css[ $offset ] ) {
+			return false;
+		}
+		// Otherwise, if the second code point is a newline, return false.
+		if ( $offset + 1 >= $this->length ) {
+			// Second code point is EOF - this is a valid escape per spec (weird!)
+			// Are we sure we're interpreting the spec correctly?
+			return true;
+		}
+
+		// Otherwise, if the second code point is not a newline, return true.
+		return (
+			"\n" !== $this->css[ $offset + 1 ] &&
+
+			// Form feed is normalized to newline during preprocessing.
+			"\f" !== $this->css[ $offset + 1 ] &&
+
+			// Carriage return is normalized to newline during preprocessing.
+			"\r" !== $this->css[ $offset + 1 ]
+
+			// We don't need to check for \r\n separately here. The \r check alone covers
+			// that scenario.
+		);
+	}
+
+	/**
+	 * Checks if the next 3 code points would start a number.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#starts-with-a-number
+	 *
+	 * @return bool
+	 */
+	private function would_next_3_code_points_start_a_number(): bool {
+		if ( $this->at >= $this->length ) {
+			return false;
+		}
+
+		// Look at the first code point.
+
+		// U+002B PLUS SIGN (+) or U+002D HYPHEN-MINUS (-).
+		if ( '+' === $this->css[ $this->at ] || '-' === $this->css[ $this->at ] ) {
+			if ( $this->at + 1 >= $this->length ) {
+				return false;
+			}
+			// If the second code point is a digit, return true.
+			if ( $this->css[ $this->at + 1 ] >= '0' && $this->css[ $this->at + 1 ] <= '9' ) {
+				return true;
+			}
+			// Otherwise, the second code point must be a full stop (.) and the third code point must be a digit.
+			if ( '.' === $this->css[ $this->at + 1 ] && $this->at + 2 < $this->length ) {
+				return $this->css[ $this->at + 2 ] >= '0' && $this->css[ $this->at + 2 ] <= '9';
+			}
+
+			// Otherwise, return false.
+			return false;
+		}
+
+		// U+002E FULL STOP (.).
+		if ( '.' === $this->css[ $this->at ] ) {
+			if ( $this->at + 1 >= $this->length ) {
+				return false;
+			}
+			return $this->css[ $this->at + 1 ] >= '0' && $this->css[ $this->at + 1 ] <= '9';
+		}
+
+		// Digit.
+		if ( $this->css[ $this->at ] >= '0' && $this->css[ $this->at ] <= '9' ) {
+			return true;
+		}
+
+		// Anything else – return false.
+		return false;
+	}
+
+	/**
+	 * Checks if three code points would start an identifier sequence.
+	 *
+	 * This implements the CSS spec's "Check if three code points would start an ident sequence"
+	 * algorithm, which checks the code point at $offset and the following two code points.
+	 *
+	 * NOTE: "Three code points" means three Unicode code points, not three bytes.
+	 * Multi-byte UTF-8 sequences count as single code points.
+	 *
+	 * @see https://www.w3.org/TR/css-syntax-3/#would-start-an-identifier
+	 *
+	 * @param int $offset Byte offset of the first code point to check.
+	 * @return bool
+	 */
+	private function check_if_3_code_points_start_an_ident_sequence( int $offset ): bool {
+		if ( $offset >= $this->length ) {
+			return false;
+		}
+
+		if ( '-' === $this->css[ $offset ] ) {
+			// If the second code point is a U+002D HYPHEN-MINUS (-), return true.
+			// e.g. --custom-property.
+			if ( $offset + 1 < $this->length && '-' === $this->css[ $offset + 1 ] ) {
+				return true;
+			}
+			// Otherwise, check if the second code point is an ident-START code point or valid escape.
+			// Note: After a hyphen, only ident-START code points are valid, NOT digits or hyphens.
+			++$offset;
+		}
+
+		return $this->consume_ident_start_codepoint( $offset ) > 0 || $this->is_valid_escape( $offset );
+	}
+
+	/**
+	 * Convert a UTF-8 byte sequence to its Unicode codepoint.
+	 *
+	 * @param  string $character  UTF-8 encoded byte sequence representing a single Unicode character.
+	 *
+	 * @return int Unicode codepoint.
+	 */
+	private static function utf8_ord( string $character ): int {
+		// Convert the byte sequence to its binary representation.
+		$bytes = unpack( 'C*', $character );
+
+		// Initialize the codepoint.
+		$codepoint = 0;
+
+		// Calculate the codepoint based on the number of bytes.
+		if ( 1 === count( $bytes ) ) {
+			$codepoint = $bytes[1];
+		} elseif ( 2 === count( $bytes ) ) {
+			$codepoint = ( ( $bytes[1] & 0x1F ) << 6 ) | ( $bytes[2] & 0x3F );
+		} elseif ( 3 === count( $bytes ) ) {
+			$codepoint = ( ( $bytes[1] & 0x0F ) << 12 ) | ( ( $bytes[2] & 0x3F ) << 6 ) | ( $bytes[3] & 0x3F );
+		} elseif ( 4 === count( $bytes ) ) {
+			$codepoint = ( ( $bytes[1] & 0x07 ) << 18 ) | ( ( $bytes[2] & 0x3F ) << 12 ) | ( ( $bytes[3] & 0x3F ) << 6 ) | ( $bytes[4] & 0x3F );
+		}
+
+		return $codepoint;
+	}
+}
diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php
index 56ea0f705c2b8..1419e623a8246 100644
--- a/src/wp-includes/html-api/class-wp-html-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-processor.php
@@ -658,6 +658,57 @@ public function get_unsupported_exception() {
 		return $this->unsupported_exception;
 	}
 
+	/**
+	 * Progress through a document pausing on tags matching the provided CSS selector string.
+	 *
+	 * Example:
+	 *
+	 *     $processor = WP_HTML_Processor::create_fragment(
+	 *         '<meta charset="utf-8"><title>Example</title><meta property="og:type" content="website"><meta property="og:description" content="An example.">'
+	 *     );
+	 *     while ( $processor->select( 'meta[property^="og:" i]' ) ) {
+	 *         // Loop is entered twice.
+	 *         var_dump(
+	 *             $processor->get_tag(),                   // string(4) "META"
+	 *             $processor->get_attribute( 'property' ), // string(7) "og:type" / string(14) "og:description"
+	 *             $processor->get_attribute( 'content' ),  // string(7) "website" / string(11) "An example."
+	 *         );
+	 *     }
+	 *
+	 * @since {WP_VERSION}
+	 *
+	 * @param string $selector_string Selector string.
+	 * @return bool Whether a selection was found.
+	 */
+	public function select( $selector_string ): bool {
+		static $previous_selector_string = null;
+		static $previous_selector        = null;
+
+		$selector = $selector_string === $previous_selector_string
+			? $previous_selector
+			: WP_CSS_Complex_Selector_List::from_selectors( $selector_string );
+
+		$previous_selector        = $selector;
+		$previous_selector_string = $selector_string;
+
+		if ( null === $selector ) {
+			_doing_it_wrong(
+				__METHOD__,
+				sprintf( 'Received unsupported or invalid selector "%s".', $selector_string ),
+				'{WP_VERSION}'
+			);
+			return false;
+		}
+
+		while ( $this->next_tag() ) {
+			if ( $selector->matches( $this ) ) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
 	/**
 	 * Finds the next tag matching the $query.
 	 *
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 501a623afb10b..9e0b22eb15bc3 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -537,6 +537,10 @@ class WP_HTML_Tag_Processor {
 	 */
 	protected $compat_mode = self::NO_QUIRKS_MODE;
 
+	public function is_quirks_mode() {
+		return self::QUIRKS_MODE === $this->compat_mode;
+	}
+
 	/**
 	 * Indicates whether the parser is inside foreign content,
 	 * e.g. inside an SVG or MathML element.
@@ -864,6 +868,57 @@ public function change_parsing_namespace( string $new_namespace ): bool {
 		return true;
 	}
 
+	/**
+	 * Progress through a document pausing on tags matching the provided CSS selector string.
+	 *
+	 * Example:
+	 *
+	 *     $processor = new WP_HTML_Tag_Processor(
+	 *         '<meta charset="utf-8"><title>Example</title><meta property="og:type" content="website"><meta property="og:description" content="An example.">'
+	 *     );
+	 *     while ( $processor->select( 'meta[property^="og:" i]' ) ) {
+	 *         // Loop is entered twice.
+	 *         var_dump(
+	 *             $processor->get_tag(),                   // string(4) "META"
+	 *             $processor->get_attribute( 'property' ), // string(7) "og:type" / string(14) "og:description"
+	 *             $processor->get_attribute( 'content' ),  // string(7) "website" / string(11) "An example."
+	 *         );
+	 *     }
+	 *
+	 * @since {WP_VERSION}
+	 *
+	 * @param string $selector_string Selector string.
+	 * @return bool Whether a selection was found.
+	 */
+	public function select( $selector_string ): bool {
+		static $previous_selector_string = null;
+		static $previous_selector        = null;
+
+		$selector = $selector_string === $previous_selector_string
+			? $previous_selector
+			: WP_CSS_Compound_Selector_List::from_selectors( $selector_string );
+
+		$previous_selector        = $selector;
+		$previous_selector_string = $selector_string;
+
+		if ( null === $selector ) {
+			_doing_it_wrong(
+				__METHOD__,
+				sprintf( 'Received unsupported or invalid selector "%s".', $selector_string ),
+				'{WP_VERSION}'
+			);
+			return false;
+		}
+
+		while ( $this->next_tag() ) {
+			if ( $selector->matches( $this ) ) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
 	/**
 	 * Finds the next tag matching the $query.
 	 *
diff --git a/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php
new file mode 100644
index 0000000000000..197a9a2cdabb3
--- /dev/null
+++ b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php
@@ -0,0 +1,444 @@
+<?php
+/**
+ * HTML API: WP_CSS_Attribute_Selector class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since {WP_VERSION}
+ */
+
+/**
+ * CSS attribute selector.
+ *
+ * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}.
+ *
+ * @since {WP_VERSION}
+ *
+ * @access private
+ */
+final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser_Matcher {
+	const WHITESPACE_CHARACTERS = " \t\r\n\f";
+
+	/**
+	 * The attribute value is matched exactly.
+	 *
+	 * @example
+	 *
+	 *     [attr=val]
+	 */
+	const MATCH_EXACT = 'exact';
+
+	/**
+	 * The attribute value matches any value in a whitespace separated list of words exactly.
+	 *
+	 * @example
+	 *
+	 *     [attr~=value]
+	 */
+	const MATCH_ONE_OF_EXACT = 'one-of';
+
+	/**
+	 * The attribute value is matched exactly or matches the beginning of the attribute
+	 * immediately followed by a hyphen.
+	 *
+	 * @example
+	 *
+	 *     [attr|=value]
+	 */
+	const MATCH_EXACT_OR_HYPHEN_SUFFIXED = 'exact-or-hyphen-suffixed';
+
+	/**
+	 * The attribute value matches the start of the attribute.
+	 *
+	 * @example
+	 *
+	 *     [attr^=value]
+	 */
+	const MATCH_PREFIXED_BY = 'prefixed';
+
+	/**
+	 * The attribute value matches the end of the attribute.
+	 *
+	 * @example
+	 *
+	 *     [attr$=value]
+	 */
+	const MATCH_SUFFIXED_BY = 'suffixed';
+
+	/**
+	 * The attribute value is contained in the attribute.
+	 *
+	 * @example
+	 *
+	 *     [attr*=value]
+	 */
+	const MATCH_CONTAINS = 'contains';
+
+	/**
+	 * Modifier for case sensitive matching.
+	 *
+	 * @example
+	 *
+	 *     [attr=value s]
+	 */
+	const MODIFIER_CASE_SENSITIVE = 'case-sensitive';
+
+	/**
+	 * Modifier for case insensitive matching.
+	 *
+	 * @example
+	 *
+	 *     [attr=value i]
+	 */
+	const MODIFIER_CASE_INSENSITIVE = 'case-insensitive';
+
+	/**
+	 * The attributes whose values HTML defines as ASCII case-insensitive
+	 * for attribute selectors on an HTML element, when the selector has no
+	 * `i`/`s` modifier. An explicit `s` modifier forces case-sensitive
+	 * matching even for these attributes; elements in other namespaces
+	 * (SVG, MathML) are unaffected.
+	 *
+	 * The names are stored as array keys for constant-time lookup.
+	 *
+	 * @see https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors
+	 */
+	const HTML_CASE_INSENSITIVE_ATTRIBUTE_VALUES = array(
+		'accept'         => true,
+		'accept-charset' => true,
+		'align'          => true,
+		'alink'          => true,
+		'axis'           => true,
+		'bgcolor'        => true,
+		'charset'        => true,
+		'checked'        => true,
+		'clear'          => true,
+		'codetype'       => true,
+		'color'          => true,
+		'compact'        => true,
+		'declare'        => true,
+		'defer'          => true,
+		'dir'            => true,
+		'direction'      => true,
+		'disabled'       => true,
+		'enctype'        => true,
+		'face'           => true,
+		'frame'          => true,
+		'hreflang'       => true,
+		'http-equiv'     => true,
+		'lang'           => true,
+		'language'       => true,
+		'link'           => true,
+		'media'          => true,
+		'method'         => true,
+		'multiple'       => true,
+		'nohref'         => true,
+		'noresize'       => true,
+		'noshade'        => true,
+		'nowrap'         => true,
+		'readonly'       => true,
+		'rel'            => true,
+		'rev'            => true,
+		'rules'          => true,
+		'scope'          => true,
+		'scrolling'      => true,
+		'selected'       => true,
+		'shape'          => true,
+		'target'         => true,
+		'text'           => true,
+		'type'           => true,
+		'valign'         => true,
+		'valuetype'      => true,
+		'vlink'          => true,
+	);
+
+	/**
+	 * The name of the attribute to match.
+	 *
+	 * @var string
+	 */
+	public $name;
+
+	/**
+	 * The attribute matcher.
+	 *
+	 * Allowed string values are the class constants:
+	 *   - {@see WP_CSS_Attribute_Selector::MATCH_EXACT}
+	 *   - {@see WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT}
+	 *   - {@see WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_SUFFIXED}
+	 *   - {@see WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY}
+	 *   - {@see WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY}
+	 *   - {@see WP_CSS_Attribute_Selector::MATCH_CONTAINS}
+	 *
+	 * @var string|null
+	 */
+	public $matcher;
+
+	/**
+	 * The attribute value to match.
+	 *
+	 * @var string|null
+	 */
+	public $value;
+
+	/**
+	 * The attribute modifier.
+	 *
+	 * Allowed string values are the class constants:
+	 *   - {@see WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE}
+	 *   - {@see WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE}
+	 *
+	 * @var string|null
+	 */
+	public $modifier;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param string $name The attribute name.
+	 * @param string|null $matcher The attribute matcher.
+	 *        Must be one of the class MATCH_* constants or null.
+	 * @param string|null $value The attribute value to match.
+	 * @param string|null $modifier The attribute case modifier.
+	 *        Must be one of the class MODIFIER_* constants or null.
+	 */
+	private function __construct( string $name, ?string $matcher = null, ?string $value = null, ?string $modifier = null ) {
+		$this->name     = $name;
+		$this->matcher  = $matcher;
+		$this->value    = $value;
+		$this->modifier = $modifier;
+	}
+
+	/**
+	 * Determines if the processor's current position matches the selector.
+	 *
+	 * @param WP_HTML_Tag_Processor $processor The processor.
+	 * @return bool True if the processor's current position matches the selector.
+	 */
+	public function matches( WP_HTML_Tag_Processor $processor ): bool {
+		$attr_value = $processor->get_attribute( $this->name );
+		if ( null === $attr_value ) {
+			return false;
+		}
+
+		if ( null === $this->value ) {
+			return true;
+		}
+
+		/*
+		 * The substring matchers match nothing when the value is empty:
+		 *
+		 * > If "val" is the empty string then the selector does not represent anything.
+		 *
+		 * https://www.w3.org/TR/selectors-4/#attribute-substrings
+		 */
+		if (
+			'' === $this->value &&
+			(
+				self::MATCH_PREFIXED_BY === $this->matcher ||
+				self::MATCH_SUFFIXED_BY === $this->matcher ||
+				self::MATCH_CONTAINS === $this->matcher
+			)
+		) {
+			return false;
+		}
+
+		if ( true === $attr_value ) {
+			$attr_value = '';
+		}
+
+		/*
+		 * Without an explicit modifier, HTML defines some attributes' values
+		 * as ASCII case-insensitive on HTML elements. An explicit `s`
+		 * modifier forces case-sensitive matching even for those.
+		 */
+		$case_insensitive = self::MODIFIER_CASE_INSENSITIVE === $this->modifier || (
+			null === $this->modifier &&
+			'html' === $processor->get_namespace() &&
+			isset( self::HTML_CASE_INSENSITIVE_ATTRIBUTE_VALUES[ strtolower( $this->name ) ] )
+		);
+
+		switch ( $this->matcher ) {
+			case self::MATCH_EXACT:
+				return $case_insensitive
+					? 0 === strcasecmp( $attr_value, $this->value )
+					: $attr_value === $this->value;
+
+			case self::MATCH_ONE_OF_EXACT:
+				foreach ( $this->whitespace_delimited_list( $attr_value ) as $val ) {
+					if (
+						$case_insensitive
+							? 0 === strcasecmp( $val, $this->value )
+							: $val === $this->value
+					) {
+						return true;
+					}
+				}
+				return false;
+
+			case self::MATCH_EXACT_OR_HYPHEN_SUFFIXED:
+				$exact_length   = strlen( $this->value );
+				$matches_prefix = substr_compare( $attr_value, $this->value, 0, $exact_length, $case_insensitive );
+				return (
+					0 === $matches_prefix &&
+					( strlen( $attr_value ) === $exact_length || '-' === $attr_value[ $exact_length ] )
+				);
+
+			case self::MATCH_PREFIXED_BY:
+				return 0 === substr_compare( $attr_value, $this->value, 0, strlen( $this->value ), $case_insensitive );
+
+			case self::MATCH_SUFFIXED_BY:
+				return 0 === substr_compare( $attr_value, $this->value, -strlen( $this->value ), null, $case_insensitive );
+
+			case self::MATCH_CONTAINS:
+				return false !== (
+					$case_insensitive
+						? stripos( $attr_value, $this->value )
+						: strpos( $attr_value, $this->value )
+				);
+		}
+	}
+
+	/**
+	 * Splits a string into a list of whitespace delimited values.
+	 *
+	 * This is useful for the {@see WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT} matcher.
+	 *
+	 * @param string $input
+	 *
+	 * @return Generator<string> Yields each whitespace-delimited value from the input string.
+	 */
+	private function whitespace_delimited_list( string $input ): Generator {
+		// Start by skipping whitespace.
+		$offset = strspn( $input, self::WHITESPACE_CHARACTERS );
+
+		while ( $offset < strlen( $input ) ) {
+			// Find the byte length until the next boundary.
+			$length = strcspn( $input, self::WHITESPACE_CHARACTERS, $offset );
+			$value  = substr( $input, $offset, $length );
+
+			// Move past trailing whitespace.
+			$offset += $length + strspn( $input, self::WHITESPACE_CHARACTERS, $offset + $length );
+
+			yield $value;
+		}
+	}
+
+	/**
+	 * Parses CSS selector tokens to create a selector instance.
+	 *
+	 * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method.
+	 *
+	 * The end of input acts like a closing `]`: tokenization auto-closes
+	 * unterminated simple blocks (and unterminated strings) at EOF, so
+	 * `[att=val` is the same selector as `[att=val]`. Truncation inside the
+	 * selector grammar itself (e.g. `[` or `[att=`) is still invalid.
+	 *
+	 * https://www.w3.org/TR/css-syntax-3/#consume-simple-block
+	 *
+	 * @param WP_CSS_Selector_Token_Stream $tokens The selector token stream.
+	 * @return static|null The selector instance, or null if the parse was unsuccessful.
+	 */
+	public static function parse( WP_CSS_Selector_Token_Stream $tokens ) {
+		$bookmark = $tokens->bookmark();
+
+		if ( ! $tokens->consume( WP_CSS_Token_Processor::TOKEN_LEFT_BRACKET ) ) {
+			return null;
+		}
+
+		$tokens->consume_whitespace();
+		$attr_name = $tokens->consume_ident();
+		if ( null === $attr_name ) {
+			$tokens->seek( $bookmark );
+			return null;
+		}
+		$tokens->consume_whitespace();
+
+		if (
+			$tokens->consume( WP_CSS_Token_Processor::TOKEN_RIGHT_BRACKET ) ||
+			$tokens->is_eof()
+		) {
+			return new WP_CSS_Attribute_Selector( $attr_name );
+		}
+
+		if ( $tokens->consume_delim( '=' ) ) {
+			$attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT;
+		} else {
+			$matcher_token = $tokens->get_token_value();
+			$attr_matcher  = null;
+
+			if ( $tokens->consume( WP_CSS_Token_Processor::TOKEN_DELIM ) && $tokens->consume_delim( '=' ) ) {
+				switch ( $matcher_token ) {
+					case '~':
+						$attr_matcher = WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT;
+						break;
+					case '|':
+						$attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_SUFFIXED;
+						break;
+					case '^':
+						$attr_matcher = WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY;
+						break;
+					case '$':
+						$attr_matcher = WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY;
+						break;
+					case '*':
+						$attr_matcher = WP_CSS_Attribute_Selector::MATCH_CONTAINS;
+						break;
+					default:
+						$attr_matcher = null;
+						break;
+				}
+			}
+
+			if ( null === $attr_matcher ) {
+				$tokens->seek( $bookmark );
+				return null;
+			}
+		}
+
+		$tokens->consume_whitespace();
+		if ( $tokens->matches( WP_CSS_Token_Processor::TOKEN_STRING ) ) {
+			$attr_val = $tokens->get_token_value();
+			$tokens->consume( WP_CSS_Token_Processor::TOKEN_STRING );
+		} else {
+			$attr_val = $tokens->consume_ident();
+		}
+
+		if ( null === $attr_val ) {
+			$tokens->seek( $bookmark );
+			return null;
+		}
+
+		$tokens->consume_whitespace();
+
+		$attr_modifier = null;
+		if ( $tokens->matches( WP_CSS_Token_Processor::TOKEN_IDENT ) ) {
+			$modifier = $tokens->get_token_value();
+
+			switch ( strtolower( $modifier ) ) {
+				case 'i':
+					$attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE;
+					break;
+
+				case 's':
+					$attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE;
+					break;
+			}
+
+			if ( null !== $attr_modifier ) {
+				$tokens->consume( WP_CSS_Token_Processor::TOKEN_IDENT );
+				$tokens->consume_whitespace();
+			}
+		}
+
+		if (
+			$tokens->consume( WP_CSS_Token_Processor::TOKEN_RIGHT_BRACKET ) ||
+			$tokens->is_eof()
+		) {
+			return new self( $attr_name, $attr_matcher, $attr_val, $attr_modifier );
+		}
+
+		$tokens->seek( $bookmark );
+		return null;
+	}
+}
diff --git a/src/wp-includes/html-api/css/class-wp-css-class-selector.php b/src/wp-includes/html-api/css/class-wp-css-class-selector.php
new file mode 100644
index 0000000000000..5acf0133b91b0
--- /dev/null
+++ b/src/wp-includes/html-api/css/class-wp-css-class-selector.php
@@ -0,0 +1,69 @@
+<?php
+/**
+ * HTML API: WP_CSS_Class_Selector class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since {WP_VERSION}
+ */
+
+/**
+ * CSS class selector.
+ *
+ * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}.
+ *
+ * @since {WP_VERSION}
+ *
+ * @access private
+ */
+final class WP_CSS_Class_Selector extends WP_CSS_Selector_Parser_Matcher {
+	/**
+	 * The class name to match.
+	 *
+	 * @var string
+	 */
+	public $class_name;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param string $class_name The class name to match.
+	 */
+	private function __construct( string $class_name ) {
+		$this->class_name = $class_name;
+	}
+
+	/**
+	 * Determines if the processor's current position matches the selector.
+	 *
+	 * @param WP_HTML_Tag_Processor $processor The processor.
+	 * @return bool True if the processor's current position matches the selector.
+	 */
+	public function matches( WP_HTML_Tag_Processor $processor ): bool {
+		return (bool) $processor->has_class( $this->class_name );
+	}
+
+	/**
+	 * Parses CSS selector tokens to create a selector instance.
+	 *
+	 * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method.
+	 *
+	 * @param WP_CSS_Selector_Token_Stream $tokens The selector token stream.
+	 * @return static|null The selector instance, or null if the parse was unsuccessful.
+	 */
+	public static function parse( WP_CSS_Selector_Token_Stream $tokens ) {
+		$bookmark = $tokens->bookmark();
+
+		if ( ! $tokens->consume_delim( '.' ) ) {
+			return null;
+		}
+
+		$result = $tokens->consume_ident();
+		if ( null === $result ) {
+			$tokens->seek( $bookmark );
+			return null;
+		}
+
+		return new self( $result );
+	}
+}
diff --git a/src/wp-includes/html-api/css/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/css/class-wp-css-complex-selector-list.php
new file mode 100644
index 0000000000000..c4a36b1e780f6
--- /dev/null
+++ b/src/wp-includes/html-api/css/class-wp-css-complex-selector-list.php
@@ -0,0 +1,76 @@
+<?php
+/**
+ * HTML API: WP_CSS_Complex_Selector_List class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since {WP_VERSION}
+ */
+
+/**
+ * Core class used by the {@see WP_HTML_Processor} to parse and match CSS selectors.
+ *
+ * This class is designed for internal use by the HTML processor.
+ *
+ * For usage, see {@see WP_HTML_Processor::select()}.
+ *
+ * This class is instantiated via the {@see WP_CSS_Complex_Selector_List::from_selectors()} method.
+ * It takes a CSS selector string and returns an instance of itself or `null` if the selector
+ * is invalid or unsupported.
+ *
+ * A subset of the CSS selector grammar is supported. The grammar is defined in the CSS Syntax
+ * specification, which is available at {@link https://www.w3.org/TR/selectors/#grammar}.
+ *
+ * This class is roughly analogous to the <selector-list> in the grammar.
+ * See {@see WP_CSS_Compound_Selector_List} for more details on the grammar.
+ *
+ * This class supports the same selector syntax as {@see WP_CSS_Compound_Selector_List} as well as
+ * the following combinators:
+ *   - Descendant (`ancestor descendant`)
+ *   - Child (`parent > child`)
+ *
+ * Combinators may only be used with type selectors in the non-final position, for example:
+ *   - `div [type=input]` is valid because the `div` type selector appears in a non-final position.
+ *   - `[disabled] option` is NOT valid, because the `[disabled]` attribute selector appears
+ *     in a non-final position.
+ *
+ * These combinators are not supported:
+ *   - Next sibling (`former-sibling + next-sibling`)
+ *   - Subsequent sibling (`former-sibling ~ subsequent-sibling`)
+ *
+ * @since {WP_VERSION}
+ *
+ * @access private
+ */
+class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List {
+	/**
+	 * Parses CSS selector tokens to create a selector instance.
+	 *
+	 * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method.
+	 *
+	 * @param WP_CSS_Selector_Token_Stream $tokens The selector token stream.
+	 * @return static|null The selector instance, or null if the parse was unsuccessful.
+	 */
+	public static function parse( WP_CSS_Selector_Token_Stream $tokens ) {
+		$bookmark = $tokens->bookmark();
+		$selector = WP_CSS_Complex_Selector::parse( $tokens );
+		if ( null === $selector ) {
+			return null;
+		}
+		$tokens->consume_whitespace();
+
+		$selectors = array( $selector );
+		while ( $tokens->consume( WP_CSS_Token_Processor::TOKEN_COMMA ) ) {
+			$tokens->consume_whitespace();
+			$selector = WP_CSS_Complex_Selector::parse( $tokens );
+			if ( null === $selector ) {
+				$tokens->seek( $bookmark );
+				return null;
+			}
+			$selectors[] = $selector;
+			$tokens->consume_whitespace();
+		}
+
+		return new self( $selectors );
+	}
+}
diff --git a/src/wp-includes/html-api/css/class-wp-css-complex-selector.php b/src/wp-includes/html-api/css/class-wp-css-complex-selector.php
new file mode 100644
index 0000000000000..5b3e5ee1ecdbe
--- /dev/null
+++ b/src/wp-includes/html-api/css/class-wp-css-complex-selector.php
@@ -0,0 +1,253 @@
+<?php
+/**
+ * HTML API: WP_CSS_Complex_Selector class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since {WP_VERSION}
+ */
+
+/**
+ * CSS complex selector.
+ *
+ * This class is used to test for matching HTML tags in a {@see WP_HTML_Processor}.
+ *
+ * A complex selector is at least a single compound selector. There may be additional selectors
+ * with combinators.
+ *
+ * @since {WP_VERSION}
+ *
+ * @access private
+ */
+final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser_Matcher {
+	/**
+	 * Child combinator.
+	 */
+	const COMBINATOR_CHILD = '>';
+
+	/**
+	 * Descendant combinator.
+	 */
+	const COMBINATOR_DESCENDANT = ' ';
+
+	/**
+	 * Next sibling combinator.
+	 *
+	 * This combinator is not currently supported.
+	 */
+	const COMBINATOR_NEXT_SIBLING = '+';
+
+	/**
+	 * Subsequent sibling combinator.
+	 *
+	 * This combinator is not currently supported.
+	 */
+	const COMBINATOR_SUBSEQUENT_SIBLING = '~';
+
+	/**
+	 * The "self selector" is the last element in a complex selector, it corresponds to the
+	 * selected element.
+	 *
+	 * Example:
+	 *
+	 *                   $self_selector
+	 *                   ┏━━━━┻━━━━┓
+	 *     .heading h1 > el.selected
+	 *
+	 * @readonly
+	 * @var WP_CSS_Compound_Selector
+	 */
+	public $self_selector;
+
+	/**
+	 * The "context selectors" are zero or more elements that provide additional constraints for
+	 * the "self selector."
+	 *
+	 * These selectors are represented as 2-tuples where the element at index 0 is the selector and
+	 * the element at index 1 is the combinator string constant from this class,
+	 * e.g. `WP_CSS_Complex_Selector::COMBINATOR_CHILD`.
+	 *
+	 * In the example selector below, an element like `<strong class="selected">` matches iff:
+	 *   - it is a child of an `H1` element
+	 *   - that `H1` element is a descendant of a `SECTION` element.
+	 *
+	 * The `section` and `h1` parts of this selector and their combinators are the
+	 * "context selectors." Note that this terminology does not correspond to language in the
+	 * specification texts.
+	 *
+	 *     $context_selectors
+	 *     ┏━━━━━┻━━━━┓
+	 *     section h1 > strong.selected
+	 *
+	 * The example would have the following context selectors:
+	 *
+	 *     // Pseudo-code
+	 *     array(
+	 *       array( WP_CSS_Type_Selector( 'type'=>'h1' ), '>' ),
+	 *       array( WP_CSS_Type_Selector( 'type'=>'section' ), ' ' ),
+	 *     )
+	 *
+	 * Context selectors are ordered from right to left in the selector text. The selectors closest
+	 * to the target appear at the start of the `context_selectors` array.
+	 *
+	 * @readonly
+	 * @var array{WP_CSS_Type_Selector, string}[]|null
+	 */
+	public $context_selectors;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param WP_CSS_Compound_Selector $self_selector The selector in the final position.
+	 * @param array{WP_CSS_Type_Selector, string}[]|null $context_selectors The context selectors.
+	 */
+	private function __construct(
+		WP_CSS_Compound_Selector $self_selector,
+		?array $context_selectors
+	) {
+		$this->self_selector     = $self_selector;
+		$this->context_selectors = $context_selectors;
+	}
+
+	/**
+	 * Determines if the processor's current position matches the selector.
+	 *
+	 * @param WP_HTML_Processor $processor The processor.
+	 * @return bool True if the processor's current position matches the selector.
+	 */
+	public function matches( $processor ): bool {
+		// First selector must match this location.
+		if ( ! $this->self_selector->matches( $processor ) ) {
+			return false;
+		}
+
+		if ( null === $this->context_selectors || array() === $this->context_selectors ) {
+			return true;
+		}
+
+		$breadcrumbs = array_slice( array_reverse( $processor->get_breadcrumbs() ), 1 );
+		return $this->explore_matches( $this->context_selectors, $breadcrumbs );
+	}
+
+	/**
+	 * Checks for matches by recursively comparing context selectors with breadcrumbs.
+	 *
+	 * @param array{WP_CSS_Type_Selector, string}[] $selectors Selectors to match.
+	 * @param string[] $breadcrumbs Breadcrumbs.
+	 * @return bool True if a match is found, otherwise false.
+	 */
+	private function explore_matches( array $selectors, array $breadcrumbs ): bool {
+		if ( array() === $selectors ) {
+			return true;
+		}
+		if ( array() === $breadcrumbs ) {
+			return false;
+		}
+
+		$selector   = $selectors[0][0];
+		$combinator = $selectors[0][1];
+
+		switch ( $combinator ) {
+			case self::COMBINATOR_CHILD:
+				if ( $selector->matches_tag( $breadcrumbs[0] ) ) {
+					return $this->explore_matches( array_slice( $selectors, 1 ), array_slice( $breadcrumbs, 1 ) );
+				}
+				return false;
+
+			case self::COMBINATOR_DESCENDANT:
+				// Find _all_ the breadcrumbs that match and recurse from each of them.
+				for ( $i = 0; $i < count( $breadcrumbs ); $i++ ) {
+					if ( $selector->matches_tag( $breadcrumbs[ $i ] ) ) {
+						$next_breadcrumbs = array_slice( $breadcrumbs, $i + 1 );
+						if ( $this->explore_matches( array_slice( $selectors, 1 ), $next_breadcrumbs ) ) {
+							return true;
+						}
+					}
+				}
+				return false;
+
+			default:
+				_doing_it_wrong(
+					__METHOD__,
+					sprintf(
+						// translators: %s: A CSS selector combinator like ">" or "+".
+						__( 'Unsupported combinator "%s" found.' ),
+						$combinator
+					),
+					'{WP_VERSION}'
+				);
+				return false;
+		}
+	}
+
+	/**
+	 * Parses CSS selector tokens to create a selector instance.
+	 *
+	 * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method.
+	 *
+	 * @param WP_CSS_Selector_Token_Stream $tokens The selector token stream.
+	 * @return static|null The selector instance, or null if the parse was unsuccessful.
+	 */
+	public static function parse( WP_CSS_Selector_Token_Stream $tokens ) {
+		$bookmark      = $tokens->bookmark();
+		$self_selector = WP_CSS_Compound_Selector::parse( $tokens );
+		if ( null === $self_selector ) {
+			return null;
+		}
+		/** @var array{WP_CSS_Compound_Selector, string}[] */
+		$selectors = array();
+
+		$found_whitespace = $tokens->consume_whitespace();
+		while ( ! $tokens->is_eof() ) {
+			$combinator    = null;
+			$next_selector = null;
+
+			// Sibling (`+` and `~`) combinators are not supported at this time.
+			if (
+				$tokens->matches( WP_CSS_Token_Processor::TOKEN_DELIM, WP_CSS_Complex_Selector::COMBINATOR_NEXT_SIBLING ) ||
+				$tokens->matches( WP_CSS_Token_Processor::TOKEN_DELIM, WP_CSS_Complex_Selector::COMBINATOR_SUBSEQUENT_SIBLING )
+			) {
+				$tokens->seek( $bookmark );
+				return null;
+			} elseif ( $tokens->consume_delim( WP_CSS_Complex_Selector::COMBINATOR_CHILD ) ) {
+				$combinator = WP_CSS_Complex_Selector::COMBINATOR_CHILD;
+				$tokens->consume_whitespace();
+
+				// A combinator has been found, failure to find a selector here is a parse error.
+				$next_selector = WP_CSS_Compound_Selector::parse( $tokens );
+				if ( null === $next_selector ) {
+					$tokens->seek( $bookmark );
+					return null;
+				}
+			} elseif ( $found_whitespace ) {
+				/*
+				 * Whitespace is ambiguous, it could be a descendant combinator or
+				 * insignificant whitespace.
+				 */
+				$next_selector = WP_CSS_Compound_Selector::parse( $tokens );
+				if ( null !== $next_selector ) {
+					$combinator = WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT;
+				}
+			}
+
+			if ( null === $next_selector ) {
+				break;
+			}
+
+			// $self_selector will pass to a relative selector where only the type selector is allowed.
+			if ( null !== $self_selector->subclass_selectors || null === $self_selector->type_selector ) {
+				$tokens->seek( $bookmark );
+				return null;
+			}
+
+			/** @var array{WP_CSS_Type_Selector, string} */
+			$selector_pair = array( $self_selector->type_selector, $combinator );
+			$selectors[]   = $selector_pair;
+			$self_selector = $next_selector;
+
+			$found_whitespace = $tokens->consume_whitespace();
+		}
+
+		return new self( $self_selector, array_reverse( $selectors ) );
+	}
+}
diff --git a/src/wp-includes/html-api/css/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/css/class-wp-css-compound-selector-list.php
new file mode 100644
index 0000000000000..00b65ae7965e6
--- /dev/null
+++ b/src/wp-includes/html-api/css/class-wp-css-compound-selector-list.php
@@ -0,0 +1,193 @@
+<?php
+/**
+ * HTML API: WP_CSS_Compound_Selector_List class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since {WP_VERSION}
+ */
+
+/**
+ * Core class used by the {@see WP_HTML_Tag_Processor} to parse and match CSS selectors.
+ *
+ * This class is designed for internal use by the HTML Tag Processor.
+ *
+ * For usage, see {@see WP_HTML_Tag_Processor::select()}.
+ *
+ * This class is instantiated via the {@see WP_CSS_Compound_Selector_List::from_selectors()} method.
+ * It takes a CSS selector string and returns an instance of itself or `null` if the selector
+ * is invalid or unsupported.
+ *
+ * ### Text Encoding
+ *
+ * Selector strings are UTF-8 text. Ill-formed byte sequences in a selector string are
+ * replaced with U+FFFD REPLACEMENT CHARACTER (visually "�"), one per maximal subpart,
+ * before parsing — following the byte-decoding step CSS Syntax specifies for input
+ * byte streams (via the WHATWG Encoding Standard's UTF-8 decoder), not a browser's
+ * `querySelector`, which receives already-decoded strings and can never see ill-formed
+ * input. The replacement also triggers a `_doing_it_wrong()` notice, since a selector
+ * containing ill-formed bytes is almost always a developer error and, once replaced,
+ * matches only literal U+FFFD characters in the document.
+ *
+ * Note that the document side is byte-oriented and unscrubbed: the Tag Processor
+ * reports attribute values and class names with their raw bytes intact (see the
+ * "Text Encoding" section of {@see WP_HTML_Tag_Processor}). A selector containing
+ * ill-formed bytes therefore never matches those same raw bytes in a document.
+ * Selectors for non-UTF-8 ( but ASCII-compatible ) documents can only reliably match
+ * non-ASCII values by converting the selector and document to UTF-8 beforehand.
+ *
+ * @link https://www.w3.org/TR/css-syntax-3/#input-byte-stream
+ *
+ * A subset of the CSS selector grammar is supported. The grammar is defined in the CSS Syntax
+ * specification, which is available at {@link https://www.w3.org/TR/selectors/#grammar}.
+ *
+ * This class is analogous to <compound-selector-list> in the grammar. The supported grammar is:
+ *
+ *     <selector-list> = <complex-selector-list>
+ *     <complex-selector-list> = <complex-selector>#
+ *     <compound-selector-list> = <compound-selector>#
+ *     <complex-selector> = [ <type-selector> <combinator>? ]* <compound-selector>
+ *     <compound-selector> = [ <type-selector>? <subclass-selector>* ]!
+ *     <combinator> = '>' | [ '|' '|' ]
+ *     <type-selector> = <ident-token> | '*'
+ *     <subclass-selector> = <id-selector> | <class-selector> | <attribute-selector>
+ *     <id-selector> = <hash-token>
+ *     <class-selector> = '.' <ident-token>
+ *     <attribute-selector> = '[' <ident-token> ']' |
+ *                            '[' <ident-token> <attr-matcher> [ <string-token> | <ident-token> ] <attr-modifier>? ']'
+ *     <attr-matcher> = [ '~' | '|' | '^' | '$' | '*' ]? '='
+ *     <attr-modifier> = i | s
+ *
+ * @link https://www.w3.org/TR/selectors/#grammar Refer to the grammar for more details.
+ *
+ * This class of selectors does not support "complex" selectors. That is any selector with a
+ * combinator such as descendant (`.ancestor .descendant`) or child (`.parent > .child`).
+ * See {@see WP_CSS_Complex_Selector_List} for support of some combinators.
+ *
+ * Note that this grammar has been adapted and does not support the full CSS selector grammar.
+ * Supported selector syntax:
+ * - Type selectors (tag names, e.g. `div`)
+ * - Class selectors (e.g. `.class-name`)
+ * - ID selectors (e.g. `#unique-id`)
+ * - Attribute selectors (e.g. `[attribute-name]` or `[attribute-name="value"]`)
+ * - Comma-separated selector lists (e.g. `.selector-1, .selector-2`)
+ * - Compound selectors (e.g. `div.class-name#id[attr]`)
+ *
+ * Unsupported selector syntax:
+ * - Pseudo-element selectors (`::before`)
+ * - Pseudo-class selectors (`:hover` or `:nth-child(2)`)
+ * - Namespace prefixes (`svg|title` or `[xlink|href]`)
+ * - Combinators are not supported by this class (descendant, child, next sibling,
+ *   subsequent sibling). See {@see WP_CSS_Complex_Selector_List} for combinator support.
+ *
+ * Future ideas:
+ * - Namespace type selectors could be implemented with select namespaces in order to
+ *   select elements from a namespace, for example:
+ *   - `svg|*` to select all SVG elements
+ *   - `html|title` to select only HTML TITLE elements.
+ *
+ * @since {WP_VERSION}
+ *
+ * @access private
+ *
+ * @link https://www.w3.org/TR/css-syntax-3/
+ * @link https://www.w3.org/tr/selectors/
+ * @link https://www.w3.org/TR/selectors-api2/
+ * @link https://www.w3.org/TR/selectors-4/
+ */
+class WP_CSS_Compound_Selector_List extends WP_CSS_Selector_Parser_Matcher {
+	/**
+	 * Determines if the processor's current position matches the selector.
+	 *
+	 * @param WP_HTML_Tag_Processor $processor The processor.
+	 * @return bool True if the processor's current position matches the selector.
+	 */
+	public function matches( $processor ): bool {
+		if ( $processor->get_token_type() !== '#tag' ) {
+			return false;
+		}
+
+		foreach ( $this->selectors as $selector ) {
+			if ( $selector->matches( $processor ) ) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * Array of selectors.
+	 *
+	 * @var array
+	 */
+	private $selectors;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param array $selectors Array of selectors.
+	 */
+	protected function __construct( array $selectors ) {
+		$this->selectors = $selectors;
+	}
+
+	/**
+	 * Takes a CSS selector string and returns an instance of itself or `null` if the selector
+	 * string is invalid or unsupported.
+	 *
+	 * The selector string must be UTF-8: ill-formed byte sequences are replaced with
+	 * U+FFFD per maximal subpart before parsing and reported with `_doing_it_wrong()`.
+	 * See the "Text Encoding" section of the class documentation.
+	 *
+	 * @param string $input CSS selectors.
+	 * @return static|null
+	 */
+	public static function from_selectors( string $input ) {
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( $input, get_called_class() );
+		$tokens->consume_whitespace();
+
+		if ( $tokens->is_eof() ) {
+			return null;
+		}
+
+		$selectors = static::parse( $tokens );
+		$tokens->consume_whitespace();
+
+		if ( null === $selectors || ! $tokens->is_eof() ) {
+			return null;
+		}
+
+		return $selectors;
+	}
+
+	/**
+	 * Parses CSS selector tokens to create a selector instance.
+	 *
+	 * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method.
+	 *
+	 * @param WP_CSS_Selector_Token_Stream $tokens The selector token stream.
+	 * @return static|null The selector instance, or null if the parse was unsuccessful.
+	 */
+	public static function parse( WP_CSS_Selector_Token_Stream $tokens ) {
+		$bookmark = $tokens->bookmark();
+		$selector = WP_CSS_Compound_Selector::parse( $tokens );
+		if ( null === $selector ) {
+			return null;
+		}
+		$tokens->consume_whitespace();
+
+		$selectors = array( $selector );
+		while ( $tokens->consume( WP_CSS_Token_Processor::TOKEN_COMMA ) ) {
+			$tokens->consume_whitespace();
+			$selector = WP_CSS_Compound_Selector::parse( $tokens );
+			if ( null === $selector ) {
+				$tokens->seek( $bookmark );
+				return null;
+			}
+			$selectors[] = $selector;
+			$tokens->consume_whitespace();
+		}
+
+		return new self( $selectors );
+	}
+}
diff --git a/src/wp-includes/html-api/css/class-wp-css-compound-selector.php b/src/wp-includes/html-api/css/class-wp-css-compound-selector.php
new file mode 100644
index 0000000000000..9ec646f815747
--- /dev/null
+++ b/src/wp-includes/html-api/css/class-wp-css-compound-selector.php
@@ -0,0 +1,125 @@
+<?php
+/**
+ * HTML API: WP_CSS_Compound_Selector class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since {WP_VERSION}
+ */
+
+/**
+ * CSS compound selector.
+ *
+ * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}.
+ *
+ * A compound selector is a combination of:
+ *   - An optional type selector.
+ *   - Zero or more subclass selectors (ID, class, or attribute selectors).
+ *   - At least one of the above.
+ *
+ * @since {WP_VERSION}
+ *
+ * @access private
+ */
+final class WP_CSS_Compound_Selector extends WP_CSS_Selector_Parser_Matcher {
+	/**
+	 * The type selector.
+	 *
+	 * @var WP_CSS_Type_Selector|null
+	 */
+	public $type_selector;
+
+	/**
+	 * The subclass selectors.
+	 *
+	 * Subclass selectors are ID, class, or attribute selectors.
+	 *
+	 * @var (WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector)[]|null
+	 */
+	public $subclass_selectors;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param WP_CSS_Type_Selector|null $type_selector The type selector or null.
+	 * @param (WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector)[]|null $subclass_selectors
+	 *        The array of subclass selectors or null.
+	 */
+	private function __construct( ?WP_CSS_Type_Selector $type_selector, ?array $subclass_selectors ) {
+		$this->type_selector      = $type_selector;
+		$this->subclass_selectors = array() === $subclass_selectors ? null : $subclass_selectors;
+	}
+
+	/**
+	 * Determines if the processor's current position matches the selector.
+	 *
+	 * @param WP_HTML_Tag_Processor $processor The processor.
+	 * @return bool True if the processor's current position matches the selector.
+	 */
+	public function matches( WP_HTML_Tag_Processor $processor ): bool {
+		if ( $this->type_selector && ! $this->type_selector->matches( $processor ) ) {
+			return false;
+		}
+		if ( null !== $this->subclass_selectors ) {
+			foreach ( $this->subclass_selectors as $subclass_selector ) {
+				if ( ! $subclass_selector->matches( $processor ) ) {
+					return false;
+				}
+			}
+		}
+		return true;
+	}
+
+	/**
+	 * Parses CSS selector tokens to create a selector instance.
+	 *
+	 * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method.
+	 *
+	 * @param WP_CSS_Selector_Token_Stream $tokens The selector token stream.
+	 * @return static|null The selector instance, or null if the parse was unsuccessful.
+	 */
+	public static function parse( WP_CSS_Selector_Token_Stream $tokens ) {
+		$bookmark = $tokens->bookmark();
+
+		$type_selector = WP_CSS_Type_Selector::parse( $tokens );
+
+		$subclass_selectors            = array();
+		$last_parsed_subclass_selector = self::parse_subclass_selector( $tokens );
+		while ( null !== $last_parsed_subclass_selector ) {
+			$subclass_selectors[]          = $last_parsed_subclass_selector;
+			$last_parsed_subclass_selector = self::parse_subclass_selector( $tokens );
+		}
+
+		// There must be at least one selector.
+		if ( null === $type_selector && array() === $subclass_selectors ) {
+			$tokens->seek( $bookmark );
+			return null;
+		}
+
+		return new self( $type_selector, $subclass_selectors );
+	}
+
+	/**
+	 * Parses a subclass selector.
+	 *
+	 * > <subclass-selector> = <id-selector> | <class-selector> | <attribute-selector>
+	 *
+	 * @return WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector|null
+	 */
+	private static function parse_subclass_selector( WP_CSS_Selector_Token_Stream $tokens ) {
+		foreach (
+			array(
+				WP_CSS_Class_Selector::class,
+				WP_CSS_ID_Selector::class,
+				WP_CSS_Attribute_Selector::class,
+			) as $selector_class
+		) {
+			$selector = $selector_class::parse( $tokens );
+			if ( null !== $selector ) {
+				return $selector;
+			}
+		}
+
+		return null;
+	}
+}
diff --git a/src/wp-includes/html-api/css/class-wp-css-id-selector.php b/src/wp-includes/html-api/css/class-wp-css-id-selector.php
new file mode 100644
index 0000000000000..14e3fc66075c9
--- /dev/null
+++ b/src/wp-includes/html-api/css/class-wp-css-id-selector.php
@@ -0,0 +1,80 @@
+<?php
+/**
+ * HTML API: WP_CSS_ID_Selector class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since {WP_VERSION}
+ */
+
+/**
+ * CSS ID selector.
+ *
+ * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}.
+ *
+ * @since {WP_VERSION}
+ *
+ * @access private
+ */
+final class WP_CSS_ID_Selector extends WP_CSS_Selector_Parser_Matcher {
+	/**
+	 * The ID to match.
+	 *
+	 * @var string
+	 */
+	public $id;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param string $id The ID to match.
+	 */
+	private function __construct( string $id ) {
+		$this->id = $id;
+	}
+
+	/**
+	 * Determines if the processor's current position matches the selector.
+	 *
+	 * @param WP_HTML_Tag_Processor $processor The processor.
+	 * @return bool True if the processor's current position matches the selector.
+	 */
+	public function matches( WP_HTML_Tag_Processor $processor ): bool {
+		$id = $processor->get_attribute( 'id' );
+		if ( ! is_string( $id ) ) {
+			return false;
+		}
+
+		$case_insensitive = $processor->is_quirks_mode();
+
+		return $case_insensitive
+			? 0 === strcasecmp( $id, $this->id )
+			: $id === $this->id;
+	}
+
+	/**
+	 * Parses CSS selector tokens to create a selector instance.
+	 *
+	 * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method.
+	 *
+	 * @param WP_CSS_Selector_Token_Stream $tokens The selector token stream.
+	 * @return static|null The selector instance, or null if the parse was unsuccessful.
+	 */
+	public static function parse( WP_CSS_Selector_Token_Stream $tokens ) {
+		if (
+			! $tokens->matches( WP_CSS_Token_Processor::TOKEN_HASH ) ||
+			WP_CSS_Token_Processor::HASH_TOKEN_ID !== $tokens->get_token_type_flag()
+		) {
+			return null;
+		}
+
+		$id = $tokens->get_token_value();
+		if ( null === $id ) {
+			return null;
+		}
+
+		$tokens->consume( WP_CSS_Token_Processor::TOKEN_HASH );
+
+		return new self( $id );
+	}
+}
diff --git a/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php
new file mode 100644
index 0000000000000..200f3994f3cfb
--- /dev/null
+++ b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php
@@ -0,0 +1,33 @@
+<?php
+/**
+ * HTML API: WP_CSS_Selector_Parser_Matcher class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since 6.8.0
+ */
+
+/**
+ * Base class for all CSS Selector parser/matcher classes.
+ *
+ * @since 6.8.0
+ *
+ * @access private
+ */
+abstract class WP_CSS_Selector_Parser_Matcher {
+	/**
+	 * Determines if the processor's current position matches the selector.
+	 *
+	 * @param WP_HTML_Tag_Processor $processor The processor.
+	 * @return bool True if the processor's current position matches the selector.
+	 */
+	abstract public function matches( WP_HTML_Tag_Processor $processor ): bool;
+
+	/**
+	 * Parses CSS selector tokens to create a selector instance.
+	 *
+	 * @param WP_CSS_Selector_Token_Stream $tokens The selector token stream.
+	 * @return static|null The selector instance, or null if the parse was unsuccessful.
+	 */
+	abstract public static function parse( WP_CSS_Selector_Token_Stream $tokens );
+}
diff --git a/src/wp-includes/html-api/css/class-wp-css-selector-token-stream.php b/src/wp-includes/html-api/css/class-wp-css-selector-token-stream.php
new file mode 100644
index 0000000000000..d9f14c7b2bdb4
--- /dev/null
+++ b/src/wp-includes/html-api/css/class-wp-css-selector-token-stream.php
@@ -0,0 +1,239 @@
+<?php
+/**
+ * HTML API: WP_CSS_Selector_Token_Stream class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since {WP_VERSION}
+ */
+
+/**
+ * Token stream used by CSS selector parsers.
+ *
+ * This class is a thin grammar-facing wrapper around {@see WP_CSS_Token_Processor}.
+ * Selector classes consume these tokens instead of inspecting selector bytes.
+ *
+ * @since {WP_VERSION}
+ *
+ * @access private
+ */
+final class WP_CSS_Selector_Token_Stream {
+	/**
+	 * Selector input after UTF-8 byte-stream decoding.
+	 *
+	 * @var string
+	 */
+	private $input;
+
+	/**
+	 * Token metadata from WP_CSS_Token_Processor.
+	 *
+	 * @var array<int, array{type:string, value:string|null, type_flag:string|null, start:int, length:int}>
+	 */
+	private $tokens;
+
+	/**
+	 * Current token index.
+	 *
+	 * @var int
+	 */
+	private $index = 0;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param string $input Selector input after UTF-8 decoding.
+	 * @param array  $tokens Token metadata.
+	 */
+	private function __construct( string $input, array $tokens ) {
+		$this->input  = $input;
+		$this->tokens = $tokens;
+	}
+
+	/**
+	 * Creates a selector token stream.
+	 *
+	 * Selector strings are UTF-8 text. Ill-formed byte sequences are replaced
+	 * with U+FFFD before tokenization, matching CSS Syntax's byte-stream decode
+	 * step, and reported because they are usually developer mistakes.
+	 *
+	 * @param string $input CSS selector input.
+	 * @param string $called_class Parser class name used for incorrect-usage notices.
+	 * @return self
+	 */
+	public static function from_selectors( string $input, string $called_class ): self {
+		$scrubbed = wp_scrub_utf8( $input );
+		if ( $scrubbed !== $input ) {
+			_doing_it_wrong(
+				$called_class . '::from_selectors',
+				'Selector strings must be valid UTF-8: ill-formed byte sequences were replaced with U+FFFD (�), which is unlikely to match the intended elements.',
+				'{WP_VERSION}'
+			);
+			$input = $scrubbed;
+		}
+
+		$processor = WP_CSS_Token_Processor::create( $input );
+		$tokens    = array();
+
+		while ( $processor->next_token() ) {
+			/*
+			 * CSS comments are consumed during tokenization and do not become
+			 * parser tokens. The token processor exposes them for stylesheet
+			 * rewriting, but selector grammar should never see them.
+			 */
+			if ( WP_CSS_Token_Processor::TOKEN_COMMENT === $processor->get_token_type() ) {
+				continue;
+			}
+
+			$tokens[] = array(
+				'type'      => $processor->get_token_type(),
+				'value'     => $processor->get_token_value(),
+				'type_flag' => $processor->get_token_type_flag(),
+				'start'     => $processor->get_token_start(),
+				'length'    => $processor->get_token_length(),
+			);
+		}
+
+		return new self( $input, $tokens );
+	}
+
+	/**
+	 * Returns whether the stream is positioned at EOF.
+	 *
+	 * @return bool
+	 */
+	public function is_eof(): bool {
+		return $this->index >= count( $this->tokens );
+	}
+
+	/**
+	 * Returns a bookmark for the current stream position.
+	 *
+	 * @return int
+	 */
+	public function bookmark(): int {
+		return $this->index;
+	}
+
+	/**
+	 * Restores the stream to a previous bookmark.
+	 *
+	 * @param int $bookmark Bookmark returned by {@see WP_CSS_Selector_Token_Stream::bookmark()}.
+	 */
+	public function seek( int $bookmark ): void {
+		$this->index = $bookmark;
+	}
+
+	/**
+	 * Returns the current token type.
+	 *
+	 * @return string|null
+	 */
+	public function get_token_type(): ?string {
+		return $this->tokens[ $this->index ]['type'] ?? null;
+	}
+
+	/**
+	 * Returns the current token value.
+	 *
+	 * @return string|null
+	 */
+	public function get_token_value(): ?string {
+		return $this->tokens[ $this->index ]['value'] ?? null;
+	}
+
+	/**
+	 * Returns the current token type flag.
+	 *
+	 * @return string|null
+	 */
+	public function get_token_type_flag(): ?string {
+		return $this->tokens[ $this->index ]['type_flag'] ?? null;
+	}
+
+	/**
+	 * Checks whether the current token matches a type and optional value.
+	 *
+	 * @param string      $type Token type.
+	 * @param string|null $value Optional token value.
+	 * @return bool
+	 */
+	public function matches( string $type, ?string $value = null ): bool {
+		if ( $type !== $this->get_token_type() ) {
+			return false;
+		}
+
+		return null === $value || $value === $this->get_token_value();
+	}
+
+	/**
+	 * Consumes the current token when it matches a type and optional value.
+	 *
+	 * @param string      $type Token type.
+	 * @param string|null $value Optional token value.
+	 * @return bool Whether a matching token was consumed.
+	 */
+	public function consume( string $type, ?string $value = null ): bool {
+		if ( ! $this->matches( $type, $value ) ) {
+			return false;
+		}
+
+		++$this->index;
+		return true;
+	}
+
+	/**
+	 * Consumes a delimiter token with the given value.
+	 *
+	 * @param string $value Delimiter value.
+	 * @return bool Whether a matching delimiter was consumed.
+	 */
+	public function consume_delim( string $value ): bool {
+		return $this->consume( WP_CSS_Token_Processor::TOKEN_DELIM, $value );
+	}
+
+	/**
+	 * Consumes an ident token and returns its value.
+	 *
+	 * @return string|null Ident token value, or null if the current token is not an ident.
+	 */
+	public function consume_ident(): ?string {
+		if ( ! $this->matches( WP_CSS_Token_Processor::TOKEN_IDENT ) ) {
+			return null;
+		}
+
+		$value = $this->get_token_value();
+		++$this->index;
+		return $value;
+	}
+
+	/**
+	 * Consumes whitespace tokens.
+	 *
+	 * @return bool Whether any whitespace was consumed.
+	 */
+	public function consume_whitespace(): bool {
+		$advanced = false;
+
+		while ( $this->consume( WP_CSS_Token_Processor::TOKEN_WHITESPACE ) ) {
+			$advanced = true;
+		}
+
+		return $advanced;
+	}
+
+	/**
+	 * Returns the remaining original selector text from the current token.
+	 *
+	 * This is intended for parser tests and diagnostics, not selector grammar.
+	 *
+	 * @return string
+	 */
+	public function get_remaining_text(): string {
+		if ( $this->is_eof() ) {
+			return '';
+		}
+
+		return substr( $this->input, $this->tokens[ $this->index ]['start'] );
+	}
+}
diff --git a/src/wp-includes/html-api/css/class-wp-css-type-selector.php b/src/wp-includes/html-api/css/class-wp-css-type-selector.php
new file mode 100644
index 0000000000000..fcb92fd34bc25
--- /dev/null
+++ b/src/wp-includes/html-api/css/class-wp-css-type-selector.php
@@ -0,0 +1,83 @@
+<?php
+/**
+ * HTML API: WP_CSS_Type_Selector class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since {WP_VERSION}
+ */
+
+/**
+ * CSS type selector.
+ *
+ * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}.
+ *
+ * @since {WP_VERSION}
+ *
+ * @access private
+ */
+final class WP_CSS_Type_Selector extends WP_CSS_Selector_Parser_Matcher {
+	/**
+	 * The element type (tag name) to match or '*' to match any element.
+	 *
+	 * @var string
+	 */
+	public $type;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param string $type The element type (tag name) to match or '*' to match any element.
+	 */
+	private function __construct( string $type ) {
+		$this->type = $type;
+	}
+
+	/**
+	 * Determines if the processor's current position matches the selector.
+	 *
+	 * @param WP_HTML_Tag_Processor $processor The processor.
+	 * @return bool True if the processor's current position matches the selector.
+	 */
+	public function matches( WP_HTML_Tag_Processor $processor ): bool {
+		$tag_name = $processor->get_tag();
+		if ( null === $tag_name ) {
+			return false;
+		}
+		return $this->matches_tag( $tag_name );
+	}
+
+	/**
+	 * Checks whether the selector matches the provided tag name.
+	 *
+	 * @param string $tag_name
+	 * @return bool
+	 */
+	public function matches_tag( string $tag_name ): bool {
+		if ( '*' === $this->type ) {
+			return true;
+		}
+		return 0 === strcasecmp( $tag_name, $this->type );
+	}
+
+	/**
+	 * Parses CSS selector tokens to create a selector instance.
+	 *
+	 * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method.
+	 *
+	 * @param WP_CSS_Selector_Token_Stream $tokens The selector token stream.
+	 * @return static|null The selector instance, or null if the parse was unsuccessful.
+	 */
+	public static function parse( WP_CSS_Selector_Token_Stream $tokens ) {
+		if ( $tokens->consume_delim( '*' ) ) {
+			return new WP_CSS_Type_Selector( '*' );
+		}
+
+		$result = $tokens->consume_ident();
+		if ( null === $result ) {
+			return null;
+		}
+
+		return new self( $result );
+	}
+}
diff --git a/src/wp-settings.php b/src/wp-settings.php
index ef5c7784ee561..3f1dc456bf0cc 100644
--- a/src/wp-settings.php
+++ b/src/wp-settings.php
@@ -277,7 +277,19 @@
 require ABSPATH . WPINC . '/html-api/class-wp-html-stack-event.php';
 require ABSPATH . WPINC . '/html-api/class-wp-html-processor-state.php';
 require ABSPATH . WPINC . '/html-api/class-wp-html-processor.php';
+require ABSPATH . WPINC . '/css-api/class-wp-css-builder.php';
+require ABSPATH . WPINC . '/css-api/class-wp-css-token-processor.php';
 require ABSPATH . WPINC . '/class-wp-block-processor.php';
+require ABSPATH . WPINC . '/html-api/css/class-wp-css-selector-token-stream.php';
+require ABSPATH . WPINC . '/html-api/css/class-wp-css-selector-parser-matcher.php';
+require ABSPATH . WPINC . '/html-api/css/class-wp-css-attribute-selector.php';
+require ABSPATH . WPINC . '/html-api/css/class-wp-css-class-selector.php';
+require ABSPATH . WPINC . '/html-api/css/class-wp-css-id-selector.php';
+require ABSPATH . WPINC . '/html-api/css/class-wp-css-type-selector.php';
+require ABSPATH . WPINC . '/html-api/css/class-wp-css-compound-selector.php';
+require ABSPATH . WPINC . '/html-api/css/class-wp-css-complex-selector.php';
+require ABSPATH . WPINC . '/html-api/css/class-wp-css-compound-selector-list.php';
+require ABSPATH . WPINC . '/html-api/css/class-wp-css-complex-selector-list.php';
 require ABSPATH . WPINC . '/class-wp-http.php';
 require ABSPATH . WPINC . '/class-wp-http-streams.php';
 require ABSPATH . WPINC . '/class-wp-http-curl.php';
diff --git a/tests/phpunit/data/css-api/css-test-cases.json b/tests/phpunit/data/css-api/css-test-cases.json
new file mode 100644
index 0000000000000..542814a39be70
--- /dev/null
+++ b/tests/phpunit/data/css-api/css-test-cases.json
@@ -0,0 +1,4923 @@
+{
+	"tests/at-keyword/0001": {
+		"css": "@foo\n",
+		"tokens": [
+			{
+				"type": "at-keyword-token",
+				"raw": "@foo",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "@foo",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/at-keyword/0002": {
+		"css": "@--\n",
+		"tokens": [
+			{
+				"type": "at-keyword-token",
+				"raw": "@--",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "@--",
+				"value": "--"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/at-keyword/0003": {
+		"css": "@-1\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "@",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "@",
+				"value": "@"
+			},
+			{
+				"type": "number-token",
+				"raw": "-1",
+				"startIndex": 1,
+				"endIndex": 3,
+				"normalized": "-1",
+				"value": "-1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/at-keyword/0004": {
+		"css": "@--1\n",
+		"tokens": [
+			{
+				"type": "at-keyword-token",
+				"raw": "@--1",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "@--1",
+				"value": "--1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/at-keyword/0005": {
+		"css": "@\\@\n",
+		"tokens": [
+			{
+				"type": "at-keyword-token",
+				"raw": "@\\@",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "@@",
+				"value": "@"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/at-keyword/0006": {
+		"css": "@_\n",
+		"tokens": [
+			{
+				"type": "at-keyword-token",
+				"raw": "@_",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "@_",
+				"value": "_"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/at-keyword/0007": {
+		"css": "@\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "@",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "@",
+				"value": "@"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/at-keyword/0008": {
+		"css": "pvA3@\\\neBnP\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "pvA3",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "pvA3",
+				"value": "pvA3"
+			},
+			{
+				"type": "delim-token",
+				"raw": "@",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "@",
+				"value": "@"
+			},
+			{
+				"type": "delim-token",
+				"raw": "\\",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\\",
+				"value": "\\"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "eBnP",
+				"startIndex": 7,
+				"endIndex": 11,
+				"normalized": "eBnP",
+				"value": "eBnP"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/at-keyword/0009": {
+		"css": "@aa𐀀\n",
+		"tokens": [
+			{
+				"type": "at-keyword-token",
+				"raw": "@aa𐀀",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "@aa𐀀",
+				"value": "aa𐀀"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-string/0001": {
+		"css": "\"foo\n\"\n",
+		"tokens": [
+			{
+				"type": "bad-string-token",
+				"raw": "\"foo",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "\"foo",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "bad-string-token",
+				"raw": "\"",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\"",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-string/0002": {
+		"css": "\"foo\\\n\"\n",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"foo\\\n\"",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "\"foo\"",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-string/0003": {
+		"css": "\"foo\r\n\"\n",
+		"tokens": [
+			{
+				"type": "bad-string-token",
+				"raw": "\"foo",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "\"foo",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\r\n",
+				"startIndex": 4,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "bad-string-token",
+				"raw": "\"",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\"",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-string/0004": {
+		"css": "\"foo\\\r\n\"\n",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"foo\\\r\n\"",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "\"foo\"",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 8,
+				"endIndex": 9,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-string/0005": {
+		"css": "\"aa𐀀\n",
+		"tokens": [
+			{
+				"type": "bad-string-token",
+				"raw": "\"aa𐀀",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "\"aa𐀀",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-url/0001": {
+		"css": "url(\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url(\n",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "url(\n",
+				"value": ""
+			}
+		]
+	},
+	"tests/bad-url/0002": {
+		"css": "url( a\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url( a\n",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "url( a\n",
+				"value": "a"
+			}
+		]
+	},
+	"tests/bad-url/0003": {
+		"css": "url( a a\n",
+		"tokens": [
+			{
+				"type": "bad-url-token",
+				"raw": "url( a a\n",
+				"startIndex": 0,
+				"endIndex": 9,
+				"normalized": "url( a a\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-url/0004": {
+		"css": "url( a a)\n",
+		"tokens": [
+			{
+				"type": "bad-url-token",
+				"raw": "url( a a)",
+				"startIndex": 0,
+				"endIndex": 9,
+				"normalized": "url( a a)",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 9,
+				"endIndex": 10,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-url/0005": {
+		"css": "url( a a\\)\n",
+		"tokens": [
+			{
+				"type": "bad-url-token",
+				"raw": "url( a a\\)\n",
+				"startIndex": 0,
+				"endIndex": 11,
+				"normalized": "url( a a)\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-url/0006": {
+		"css": "url( \\\n",
+		"tokens": [
+			{
+				"type": "bad-url-token",
+				"raw": "url( \\\n",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "url( \\\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-url/0007": {
+		"css": "url(a'')\n",
+		"tokens": [
+			{
+				"type": "bad-url-token",
+				"raw": "url(a'')",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "url(a'')",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 8,
+				"endIndex": 9,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/bad-url/0008": {
+		"css": "url(a\")\n",
+		"tokens": [
+			{
+				"type": "bad-url-token",
+				"raw": "url(a\")",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "url(a\")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/colon/0001": {
+		"css": ":\n",
+		"tokens": [
+			{
+				"type": "colon-token",
+				"raw": ":",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": ":",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/comma/0001": {
+		"css": ",\n",
+		"tokens": [
+			{
+				"type": "comma-token",
+				"raw": ",",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": ",",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/comment/0001": {
+		"css": "/* a comment */\n",
+		"tokens": [
+			{
+				"type": "comment",
+				"raw": "/* a comment */",
+				"startIndex": 0,
+				"endIndex": 15,
+				"normalized": "/* a comment */",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 15,
+				"endIndex": 16,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/comment/0002": {
+		"css": "/* a comment ",
+		"tokens": [
+			{
+				"type": "comment",
+				"raw": "/* a comment ",
+				"startIndex": 0,
+				"endIndex": 13,
+				"normalized": "/* a comment ",
+				"value": null
+			}
+		]
+	},
+	"tests/comment/0003": {
+		"css": "a/**/b\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "a",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "a",
+				"value": "a"
+			},
+			{
+				"type": "comment",
+				"raw": "/**/",
+				"startIndex": 1,
+				"endIndex": 5,
+				"normalized": "/**/",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "b",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "b",
+				"value": "b"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/comment/0004": {
+		"css": "/*\\*/*/\n",
+		"tokens": [
+			{
+				"type": "comment",
+				"raw": "/*\\*/",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "/**/",
+				"value": null
+			},
+			{
+				"type": "delim-token",
+				"raw": "*",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "*",
+				"value": "*"
+			},
+			{
+				"type": "delim-token",
+				"raw": "/",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "/",
+				"value": "/"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/comment/0005": {
+		"css": "/* a comment *",
+		"tokens": [
+			{
+				"type": "comment",
+				"raw": "/* a comment *",
+				"startIndex": 0,
+				"endIndex": 14,
+				"normalized": "/* a comment *",
+				"value": null
+			}
+		]
+	},
+	"tests/comment/0006": {
+		"css": "/*a𐀀*/\n",
+		"tokens": [
+			{
+				"type": "comment",
+				"raw": "/*a𐀀*/",
+				"startIndex": 0,
+				"endIndex": 9,
+				"normalized": "/*a𐀀*/",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 9,
+				"endIndex": 10,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/digit/0001": {
+		"css": "0\n1\n2\n3\n4\n5\n6\n7\n8\n9\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "0",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "0",
+				"value": "0"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "number-token",
+				"raw": "1",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "1",
+				"value": "1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "number-token",
+				"raw": "2",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "2",
+				"value": "2"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "number-token",
+				"raw": "3",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "3",
+				"value": "3"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "number-token",
+				"raw": "4",
+				"startIndex": 8,
+				"endIndex": 9,
+				"normalized": "4",
+				"value": "4"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 9,
+				"endIndex": 10,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "number-token",
+				"raw": "5",
+				"startIndex": 10,
+				"endIndex": 11,
+				"normalized": "5",
+				"value": "5"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "number-token",
+				"raw": "6",
+				"startIndex": 12,
+				"endIndex": 13,
+				"normalized": "6",
+				"value": "6"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 13,
+				"endIndex": 14,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "number-token",
+				"raw": "7",
+				"startIndex": 14,
+				"endIndex": 15,
+				"normalized": "7",
+				"value": "7"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 15,
+				"endIndex": 16,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "number-token",
+				"raw": "8",
+				"startIndex": 16,
+				"endIndex": 17,
+				"normalized": "8",
+				"value": "8"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 17,
+				"endIndex": 18,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "number-token",
+				"raw": "9",
+				"startIndex": 18,
+				"endIndex": 19,
+				"normalized": "9",
+				"value": "9"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 19,
+				"endIndex": 20,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/dimension/0001": {
+		"css": "10px\n",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "10px",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "10px",
+				"value": "10",
+				"unit": "px"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/dimension/0002": {
+		"css": "10\\70 x\n",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "10\\70 x",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "10px",
+				"value": "10",
+				"unit": "px"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/dimension/0003": {
+		"css": "10--custom-px\n",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "10--custom-px",
+				"startIndex": 0,
+				"endIndex": 13,
+				"normalized": "10--custom-px",
+				"value": "10",
+				"unit": "--custom-px"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 13,
+				"endIndex": 14,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/dimension/0004": {
+		"css": "10e2px\n",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "10e2px",
+				"startIndex": 0,
+				"endIndex": 6,
+				"normalized": "10e2px",
+				"value": "10e2",
+				"unit": "px"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/dimension/0005": {
+		"css": "10E2PX\n",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "10E2PX",
+				"startIndex": 0,
+				"endIndex": 6,
+				"normalized": "10E2PX",
+				"value": "10E2",
+				"unit": "PX"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/dimension/0006": {
+		"css": "10\\0\n",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "10\\0\n",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "10�",
+				"value": "10",
+				"unit": "�"
+			}
+		]
+	},
+	"tests/dimension/0007": {
+		"css": "10a𐀀\n",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "10a𐀀",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "10a𐀀",
+				"value": "10",
+				"unit": "a𐀀"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/dimension/0008": {
+		"css": "10a\u0000",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "10a\u0000",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "10a�",
+				"value": "10",
+				"unit": "a�"
+			}
+		]
+	},
+	"tests/escaped-code-point/0001": {
+		"css": "\\",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "�",
+				"value": "�"
+			}
+		]
+	},
+	"tests/escaped-code-point/0002": {
+		"css": "\\0",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\0",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "�",
+				"value": "�"
+			}
+		]
+	},
+	"tests/escaped-code-point/0003": {
+		"css": "\\\\",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\\\",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "\\",
+				"value": "\\"
+			}
+		]
+	},
+	"tests/escaped-code-point/0004": {
+		"css": "\\0a b\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\0a b",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "\nb",
+				"value": "\nb"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/escaped-code-point/0005": {
+		"css": "\\0ab \n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\0ab ",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "«",
+				"value": "«"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/escaped-code-point/0006": {
+		"css": "\\0ab (foo)\n",
+		"tokens": [
+			{
+				"type": "function-token",
+				"raw": "\\0ab (",
+				"startIndex": 0,
+				"endIndex": 6,
+				"normalized": "«(",
+				"value": "«"
+			},
+			{
+				"type": "ident-token",
+				"raw": "foo",
+				"startIndex": 6,
+				"endIndex": 9,
+				"normalized": "foo",
+				"value": "foo"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 9,
+				"endIndex": 10,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 10,
+				"endIndex": 11,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/escaped-code-point/0007": {
+		"css": "\\0ab  (foo)\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\0ab ",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "«",
+				"value": "«"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": " ",
+				"value": null
+			},
+			{
+				"type": "(-token",
+				"raw": "(",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "(",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "foo",
+				"startIndex": 7,
+				"endIndex": 10,
+				"normalized": "foo",
+				"value": "foo"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 10,
+				"endIndex": 11,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/escaped-code-point/0008": {
+		"css": "\\0000ab\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\0000ab\n",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "«",
+				"value": "«"
+			}
+		]
+	},
+	"tests/escaped-code-point/0009": {
+		"css": "\\00000ab\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\00000ab",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "\nb",
+				"value": "\nb"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 8,
+				"endIndex": 9,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/escaped-code-point/0010": {
+		"css": "\\110000\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\110000\n",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "�",
+				"value": "�"
+			}
+		]
+	},
+	"tests/escaped-code-point/0011": {
+		"css": "\\00D800\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\00D800\n",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "�",
+				"value": "�"
+			}
+		]
+	},
+	"tests/escaped-code-point/0012": {
+		"css": "\\00DFFF\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\00DFFF\n",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "�",
+				"value": "�"
+			}
+		]
+	},
+	"tests/escaped-code-point/0013": {
+		"css": "\\\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "\\",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "\\",
+				"value": "\\"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/escaped-code-point/0014": {
+		"css": "\\\u0000\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\\u0000",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "�",
+				"value": "�"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/escaped-code-point/0015": {
+		"css": "\\\u0000\b\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\\u0000",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "�",
+				"value": "�"
+			},
+			{
+				"type": "delim-token",
+				"raw": "\b",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\b",
+				"value": "\b"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/escaped-code-point/0016": {
+		"css": "\"a\\12\r\nb\"",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"a\\12\r\nb\"",
+				"startIndex": 0,
+				"endIndex": 9,
+				"normalized": "\"a\u0012b\"",
+				"value": "a\u0012b"
+			}
+		]
+	},
+	"tests/full-stop/0001": {
+		"css": ".\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": ".",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": ".",
+				"value": "."
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/full-stop/0002": {
+		"css": ".a\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": ".",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": ".",
+				"value": "."
+			},
+			{
+				"type": "ident-token",
+				"raw": "a",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "a",
+				"value": "a"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/full-stop/0003": {
+		"css": ".1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": ".1",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": ".1",
+				"value": ".1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/fuzz/01a166c0-ca20-43a5-9ab0-0984e4a5362b": {
+		"css": "4waPtwEEGH\\\u0000jV3zM6hh6w30N0PC 7m8KM0HcWGOPw28Gt(r19",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "4waPtwEEGH\\\u0000jV3zM6hh6w30N0PC",
+				"startIndex": 0,
+				"endIndex": 28,
+				"normalized": "4waPtwEEGH�jV3zM6hh6w30N0PC",
+				"value": "4",
+				"unit": "waPtwEEGH�jV3zM6hh6w30N0PC"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 28,
+				"endIndex": 29,
+				"normalized": " ",
+				"value": null
+			},
+			{
+				"type": "dimension-token",
+				"raw": "7m8KM0HcWGOPw28Gt",
+				"startIndex": 29,
+				"endIndex": 46,
+				"normalized": "7m8KM0HcWGOPw28Gt",
+				"value": "7",
+				"unit": "m8KM0HcWGOPw28Gt"
+			},
+			{
+				"type": "(-token",
+				"raw": "(",
+				"startIndex": 46,
+				"endIndex": 47,
+				"normalized": "(",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "r19",
+				"startIndex": 47,
+				"endIndex": 50,
+				"normalized": "r19",
+				"value": "r19"
+			}
+		]
+	},
+	"tests/fuzz/2abe9406-c063-4e9a-85ac-b13660671553": {
+		"css": "ak]P0A}808G\"lQh{R5M!QyOWE}oC2{2K TIa9}zb2oXWREY]0aj5J\\\r\nBJ5CO-16W5H7noF 19䀹41H3e8Z9%tg[O5AHEY24xh'9\"\"c34Q\"iiC0e45Da5f\"F5X3\"o(",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "ak",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "ak",
+				"value": "ak"
+			},
+			{
+				"type": "]-token",
+				"raw": "]",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "]",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "P0A",
+				"startIndex": 3,
+				"endIndex": 6,
+				"normalized": "P0A",
+				"value": "P0A"
+			},
+			{
+				"type": "}-token",
+				"raw": "}",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "}",
+				"value": null
+			},
+			{
+				"type": "dimension-token",
+				"raw": "808G",
+				"startIndex": 7,
+				"endIndex": 11,
+				"normalized": "808G",
+				"value": "808",
+				"unit": "G"
+			},
+			{
+				"type": "string-token",
+				"raw": "\"lQh{R5M!QyOWE}oC2{2K TIa9}zb2oXWREY]0aj5J\\\r\nBJ5CO-16W5H7noF 19䀹41H3e8Z9%tg[O5AHEY24xh'9\"",
+				"startIndex": 11,
+				"endIndex": 102,
+				"normalized": "\"lQh{R5M!QyOWE}oC2{2K TIa9}zb2oXWREY]0aj5JBJ5CO-16W5H7noF 19䀹41H3e8Z9%tg[O5AHEY24xh'9\"",
+				"value": "lQh{R5M!QyOWE}oC2{2K TIa9}zb2oXWREY]0aj5JBJ5CO-16W5H7noF 19䀹41H3e8Z9%tg[O5AHEY24xh'9"
+			},
+			{
+				"type": "string-token",
+				"raw": "\"c34Q\"",
+				"startIndex": 102,
+				"endIndex": 108,
+				"normalized": "\"c34Q\"",
+				"value": "c34Q"
+			},
+			{
+				"type": "ident-token",
+				"raw": "iiC0e45Da5f",
+				"startIndex": 108,
+				"endIndex": 119,
+				"normalized": "iiC0e45Da5f",
+				"value": "iiC0e45Da5f"
+			},
+			{
+				"type": "string-token",
+				"raw": "\"F5X3\"",
+				"startIndex": 119,
+				"endIndex": 125,
+				"normalized": "\"F5X3\"",
+				"value": "F5X3"
+			},
+			{
+				"type": "function-token",
+				"raw": "o(",
+				"startIndex": 125,
+				"endIndex": 127,
+				"normalized": "o(",
+				"value": "o"
+			}
+		]
+	},
+	"tests/fuzz/4e630a47-507b-4b79-b00f-57f7dc1cc79d": {
+		"css": "\u000e7rSD6I5L1lglVRlL2X7BbEk\\3HCd\r94 \\\u0000skoW25d4%l64UUskN\"pHun\"!",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "\u000e",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "\u000e",
+				"value": "\u000e"
+			},
+			{
+				"type": "dimension-token",
+				"raw": "7rSD6I5L1lglVRlL2X7BbEk\\3HCd",
+				"startIndex": 1,
+				"endIndex": 29,
+				"normalized": "7rSD6I5L1lglVRlL2X7BbEk\u0003HCd",
+				"value": "7",
+				"unit": "rSD6I5L1lglVRlL2X7BbEk\u0003HCd"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\r",
+				"startIndex": 29,
+				"endIndex": 30,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "number-token",
+				"raw": "94",
+				"startIndex": 30,
+				"endIndex": 32,
+				"normalized": "94",
+				"value": "94"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 32,
+				"endIndex": 33,
+				"normalized": " ",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "\\\u0000skoW25d4",
+				"startIndex": 33,
+				"endIndex": 43,
+				"normalized": "�skoW25d4",
+				"value": "�skoW25d4"
+			},
+			{
+				"type": "delim-token",
+				"raw": "%",
+				"startIndex": 43,
+				"endIndex": 44,
+				"normalized": "%",
+				"value": "%"
+			},
+			{
+				"type": "ident-token",
+				"raw": "l64UUskN",
+				"startIndex": 44,
+				"endIndex": 52,
+				"normalized": "l64UUskN",
+				"value": "l64UUskN"
+			},
+			{
+				"type": "string-token",
+				"raw": "\"pHun\"",
+				"startIndex": 52,
+				"endIndex": 58,
+				"normalized": "\"pHun\"",
+				"value": "pHun"
+			},
+			{
+				"type": "delim-token",
+				"raw": "!",
+				"startIndex": 58,
+				"endIndex": 59,
+				"normalized": "!",
+				"value": "!"
+			}
+		]
+	},
+	"tests/fuzz/4f865903-e4dd-4a0b-83ed-e630cfa9dcca": {
+		"css": "gzO0{(p{DzQ7\u0000(a1;r1iN7w)",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "gzO0",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "gzO0",
+				"value": "gzO0"
+			},
+			{
+				"type": "{-token",
+				"raw": "{",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "{",
+				"value": null
+			},
+			{
+				"type": "(-token",
+				"raw": "(",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "(",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "p",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "p",
+				"value": "p"
+			},
+			{
+				"type": "{-token",
+				"raw": "{",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "{",
+				"value": null
+			},
+			{
+				"type": "function-token",
+				"raw": "DzQ7\u0000(",
+				"startIndex": 8,
+				"endIndex": 14,
+				"normalized": "DzQ7�(",
+				"value": "DzQ7�"
+			},
+			{
+				"type": "ident-token",
+				"raw": "a1",
+				"startIndex": 14,
+				"endIndex": 16,
+				"normalized": "a1",
+				"value": "a1"
+			},
+			{
+				"type": "semicolon-token",
+				"raw": ";",
+				"startIndex": 16,
+				"endIndex": 17,
+				"normalized": ";",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "r1iN7w",
+				"startIndex": 17,
+				"endIndex": 23,
+				"normalized": "r1iN7w",
+				"value": "r1iN7w"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 23,
+				"endIndex": 24,
+				"normalized": ")",
+				"value": null
+			}
+		]
+	},
+	"tests/fuzz/5181013c-60ab-483b-9c06-fb32c7e1e7e8": {
+		"css": "565'E{z\u0000U\u001fEG2}2Verb>nj3TVk3mu7wX1J\b.H\u000bi1Ga8f5 dserqydJ3\"xj398xy.W\" uHQbv7Bw1NtF;N3PwNY7Vx00BF o\"4CXzvP\"{594 6r}8QQKNQw135i1\\\r\nrey\thg7[5%rBK8RUC64Lu␌17O{E\\90873u}1O3vx4gHTC55Q9i4\"V3Vx4\"7r(34L]F\"ns2pPf\"V7b)EOBGH8rdC7\"\u000eVJ4OQ[ 9jtoMdINgS7o�206vo72kTcKkZR9wl30G'vK\ndhCEs3tValX ",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "565",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "565",
+				"value": "565"
+			},
+			{
+				"type": "string-token",
+				"raw": "'E{z\u0000U\u001fEG2}2Verb>nj3TVk3mu7wX1J\b.H\u000bi1Ga8f5 dserqydJ3\"xj398xy.W\" uHQbv7Bw1NtF;N3PwNY7Vx00BF o\"4CXzvP\"{594 6r}8QQKNQw135i1\\\r\nrey\thg7[5%rBK8RUC64Lu␌17O{E\\90873u}1O3vx4gHTC55Q9i4\"V3Vx4\"7r(34L]F\"ns2pPf\"V7b)EOBGH8rdC7\"\u000eVJ4OQ[ 9jtoMdINgS7o�206vo72kTcKkZR9wl30G'",
+				"startIndex": 3,
+				"endIndex": 263,
+				"normalized": "'E{z�U\u001fEG2}2Verb>nj3TVk3mu7wX1J\b.H\u000bi1Ga8f5 dserqydJ3\"xj398xy.W\" uHQbv7Bw1NtF;N3PwNY7Vx00BF o\"4CXzvP\"{594 6r}8QQKNQw135i1rey\thg7[5%rBK8RUC64Lu␌17O{E򐡳u}1O3vx4gHTC55Q9i4\"V3Vx4\"7r(34L]F\"ns2pPf\"V7b)EOBGH8rdC7\"\u000eVJ4OQ[ 9jtoMdINgS7o�206vo72kTcKkZR9wl30G'",
+				"value": "E{z�U\u001fEG2}2Verb>nj3TVk3mu7wX1J\b.H\u000bi1Ga8f5 dserqydJ3\"xj398xy.W\" uHQbv7Bw1NtF;N3PwNY7Vx00BF o\"4CXzvP\"{594 6r}8QQKNQw135i1rey\thg7[5%rBK8RUC64Lu␌17O{E򐡳u}1O3vx4gHTC55Q9i4\"V3Vx4\"7r(34L]F\"ns2pPf\"V7b)EOBGH8rdC7\"\u000eVJ4OQ[ 9jtoMdINgS7o�206vo72kTcKkZR9wl30G"
+			},
+			{
+				"type": "ident-token",
+				"raw": "vK",
+				"startIndex": 263,
+				"endIndex": 265,
+				"normalized": "vK",
+				"value": "vK"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 265,
+				"endIndex": 266,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "dhCEs3tValX",
+				"startIndex": 266,
+				"endIndex": 277,
+				"normalized": "dhCEs3tValX",
+				"value": "dhCEs3tValX"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 277,
+				"endIndex": 278,
+				"normalized": " ",
+				"value": null
+			}
+		]
+	},
+	"tests/fuzz/6d07fc79-586f-4efa-a0a2-37d4dd3beb09": {
+		"css": "FWUNqr7uv8300nz\b,8lU0j6B186kh \u00009 \u000eGZafxf2GIhL9%",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "FWUNqr7uv8300nz",
+				"startIndex": 0,
+				"endIndex": 15,
+				"normalized": "FWUNqr7uv8300nz",
+				"value": "FWUNqr7uv8300nz"
+			},
+			{
+				"type": "delim-token",
+				"raw": "\b",
+				"startIndex": 15,
+				"endIndex": 16,
+				"normalized": "\b",
+				"value": "\b"
+			},
+			{
+				"type": "comma-token",
+				"raw": ",",
+				"startIndex": 16,
+				"endIndex": 17,
+				"normalized": ",",
+				"value": null
+			},
+			{
+				"type": "dimension-token",
+				"raw": "8lU0j6B186kh",
+				"startIndex": 17,
+				"endIndex": 29,
+				"normalized": "8lU0j6B186kh",
+				"value": "8",
+				"unit": "lU0j6B186kh"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 29,
+				"endIndex": 30,
+				"normalized": " ",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "\u00009",
+				"startIndex": 30,
+				"endIndex": 32,
+				"normalized": "�9",
+				"value": "�9"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 32,
+				"endIndex": 33,
+				"normalized": " ",
+				"value": null
+			},
+			{
+				"type": "delim-token",
+				"raw": "\u000e",
+				"startIndex": 33,
+				"endIndex": 34,
+				"normalized": "\u000e",
+				"value": "\u000e"
+			},
+			{
+				"type": "ident-token",
+				"raw": "GZafxf2GIhL9",
+				"startIndex": 34,
+				"endIndex": 46,
+				"normalized": "GZafxf2GIhL9",
+				"value": "GZafxf2GIhL9"
+			},
+			{
+				"type": "delim-token",
+				"raw": "%",
+				"startIndex": 46,
+				"endIndex": 47,
+				"normalized": "%",
+				"value": "%"
+			}
+		]
+	},
+	"tests/fuzz/7f49c8fc-8292-4a3e-828b-b5d028a80d5f": {
+		"css": "FZ 0B120h5QUbNbmTD2K8mAD傿i+Yv9V0KS14Ng18ag'\\\r\n{X<E/9b}0nIa%eSz-vapw2GqeMsri#e1BQf3b\u001fPlEnFQg{ofB)L9b571J4!{mCN㐥a\\BgK48qgu9'jVRS䎟ROYRbe0m5508k,O0C\u001f",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "FZ",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "FZ",
+				"value": "FZ"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": " ",
+				"value": null
+			},
+			{
+				"type": "dimension-token",
+				"raw": "0B120h5QUbNbmTD2K8mAD傿i",
+				"startIndex": 3,
+				"endIndex": 28,
+				"normalized": "0B120h5QUbNbmTD2K8mAD傿i",
+				"value": "0",
+				"unit": "B120h5QUbNbmTD2K8mAD傿i"
+			},
+			{
+				"type": "delim-token",
+				"raw": "+",
+				"startIndex": 28,
+				"endIndex": 29,
+				"normalized": "+",
+				"value": "+"
+			},
+			{
+				"type": "ident-token",
+				"raw": "Yv9V0KS14Ng18ag",
+				"startIndex": 29,
+				"endIndex": 44,
+				"normalized": "Yv9V0KS14Ng18ag",
+				"value": "Yv9V0KS14Ng18ag"
+			},
+			{
+				"type": "string-token",
+				"raw": "'\\\r\n{X<E/9b}0nIa%eSz-vapw2GqeMsri#e1BQf3b\u001fPlEnFQg{ofB)L9b571J4!{mCN㐥a\\BgK48qgu9'",
+				"startIndex": 44,
+				"endIndex": 126,
+				"normalized": "'{X<E/9b}0nIa%eSz-vapw2GqeMsri#e1BQf3b\u001fPlEnFQg{ofB)L9b571J4!{mCN㐥a\u000bgK48qgu9'",
+				"value": "{X<E/9b}0nIa%eSz-vapw2GqeMsri#e1BQf3b\u001fPlEnFQg{ofB)L9b571J4!{mCN㐥a\u000bgK48qgu9"
+			},
+			{
+				"type": "ident-token",
+				"raw": "jVRS䎟ROYRbe0m5508k",
+				"startIndex": 126,
+				"endIndex": 146,
+				"normalized": "jVRS䎟ROYRbe0m5508k",
+				"value": "jVRS䎟ROYRbe0m5508k"
+			},
+			{
+				"type": "comma-token",
+				"raw": ",",
+				"startIndex": 146,
+				"endIndex": 147,
+				"normalized": ",",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "O0C",
+				"startIndex": 147,
+				"endIndex": 150,
+				"normalized": "O0C",
+				"value": "O0C"
+			},
+			{
+				"type": "delim-token",
+				"raw": "\u001f",
+				"startIndex": 150,
+				"endIndex": 151,
+				"normalized": "\u001f",
+				"value": "\u001f"
+			}
+		]
+	},
+	"tests/fuzz/864d7812-b82f-47c2-94e4-8402ba6ba94a": {
+		"css": "'TR(:\b5RN)_e3w<gD5iL1EO-3zZw ntX3@0<KP9}V0 3Q80{Tqp}7dkUykEm ks �(ZnXhqsp3)G4JKqbWAfx7sPRW\"zKg19p\"Gcoi22xb\"3h5WQan.I4EUmЕ1IBofxvJ73hTA2Em\bA97(qOU)1\u0000rV7P'5528LZ14)䓑gqcRX\"aiu� \"z3i74FJ3\u00004x8F-V5b1f(U\u000b bUc",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "'TR(:\b5RN)_e3w<gD5iL1EO-3zZw ntX3@0<KP9}V0 3Q80{Tqp}7dkUykEm ks �(ZnXhqsp3)G4JKqbWAfx7sPRW\"zKg19p\"Gcoi22xb\"3h5WQan.I4EUmЕ1IBofxvJ73hTA2Em\bA97(qOU)1\u0000rV7P'",
+				"startIndex": 0,
+				"endIndex": 156,
+				"normalized": "'TR(:\b5RN)_e3w<gD5iL1EO-3zZw ntX3@0<KP9}V0 3Q80{Tqp}7dkUykEm ks �(ZnXhqsp3)G4JKqbWAfx7sPRW\"zKg19p\"Gcoi22xb\"3h5WQan.I4EUmЕ1IBofxvJ73hTA2Em\bA97(qOU)1�rV7P'",
+				"value": "TR(:\b5RN)_e3w<gD5iL1EO-3zZw ntX3@0<KP9}V0 3Q80{Tqp}7dkUykEm ks �(ZnXhqsp3)G4JKqbWAfx7sPRW\"zKg19p\"Gcoi22xb\"3h5WQan.I4EUmЕ1IBofxvJ73hTA2Em\bA97(qOU)1�rV7P"
+			},
+			{
+				"type": "dimension-token",
+				"raw": "5528LZ14",
+				"startIndex": 156,
+				"endIndex": 164,
+				"normalized": "5528LZ14",
+				"value": "5528",
+				"unit": "LZ14"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 164,
+				"endIndex": 165,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "䓑gqcRX",
+				"startIndex": 165,
+				"endIndex": 173,
+				"normalized": "䓑gqcRX",
+				"value": "䓑gqcRX"
+			},
+			{
+				"type": "string-token",
+				"raw": "\"aiu� \"",
+				"startIndex": 173,
+				"endIndex": 182,
+				"normalized": "\"aiu� \"",
+				"value": "aiu� "
+			},
+			{
+				"type": "function-token",
+				"raw": "z3i74FJ3\u00004x8F-V5b1f(",
+				"startIndex": 182,
+				"endIndex": 202,
+				"normalized": "z3i74FJ3�4x8F-V5b1f(",
+				"value": "z3i74FJ3�4x8F-V5b1f"
+			},
+			{
+				"type": "ident-token",
+				"raw": "U",
+				"startIndex": 202,
+				"endIndex": 203,
+				"normalized": "U",
+				"value": "U"
+			},
+			{
+				"type": "delim-token",
+				"raw": "\u000b",
+				"startIndex": 203,
+				"endIndex": 204,
+				"normalized": "\u000b",
+				"value": "\u000b"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 204,
+				"endIndex": 205,
+				"normalized": " ",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "bUc",
+				"startIndex": 205,
+				"endIndex": 208,
+				"normalized": "bUc",
+				"value": "bUc"
+			}
+		]
+	},
+	"tests/fuzz/91de56d3-d1c7-41c9-93e2-4b0770e36e79": {
+		"css": "\tb6SUejoqAEDa\u000e9,kYO\\",
+		"tokens": [
+			{
+				"type": "whitespace-token",
+				"raw": "\t",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "\t",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "b6SUejoqAEDa",
+				"startIndex": 1,
+				"endIndex": 13,
+				"normalized": "b6SUejoqAEDa",
+				"value": "b6SUejoqAEDa"
+			},
+			{
+				"type": "delim-token",
+				"raw": "\u000e",
+				"startIndex": 13,
+				"endIndex": 14,
+				"normalized": "\u000e",
+				"value": "\u000e"
+			},
+			{
+				"type": "number-token",
+				"raw": "9",
+				"startIndex": 14,
+				"endIndex": 15,
+				"normalized": "9",
+				"value": "9"
+			},
+			{
+				"type": "comma-token",
+				"raw": ",",
+				"startIndex": 15,
+				"endIndex": 16,
+				"normalized": ",",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "kYO\\",
+				"startIndex": 16,
+				"endIndex": 20,
+				"normalized": "kYO�",
+				"value": "kYO�"
+			}
+		]
+	},
+	"tests/fuzz/b69ece36-057f-4450-9423-a1661787bce6": {
+		"css": "Iv1\u0000B}1E+X9oO\u001fN3G",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "Iv1\u0000B",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "Iv1�B",
+				"value": "Iv1�B"
+			},
+			{
+				"type": "}-token",
+				"raw": "}",
+				"startIndex": 8,
+				"endIndex": 9,
+				"normalized": "}",
+				"value": null
+			},
+			{
+				"type": "dimension-token",
+				"raw": "1E",
+				"startIndex": 9,
+				"endIndex": 11,
+				"normalized": "1E",
+				"value": "1",
+				"unit": "E"
+			},
+			{
+				"type": "delim-token",
+				"raw": "+",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": "+",
+				"value": "+"
+			},
+			{
+				"type": "ident-token",
+				"raw": "X9oO",
+				"startIndex": 12,
+				"endIndex": 16,
+				"normalized": "X9oO",
+				"value": "X9oO"
+			},
+			{
+				"type": "delim-token",
+				"raw": "\u001f",
+				"startIndex": 16,
+				"endIndex": 17,
+				"normalized": "\u001f",
+				"value": "\u001f"
+			},
+			{
+				"type": "ident-token",
+				"raw": "N3G",
+				"startIndex": 17,
+				"endIndex": 20,
+				"normalized": "N3G",
+				"value": "N3G"
+			}
+		]
+	},
+	"tests/fuzz/ccfaf86d-7471-465b-bbc8-5b65be03e9cf": {
+		"css": "H%7Zkc0P17 m2cqKMI5Cz34YPit.2.7,oP ",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "H",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "H",
+				"value": "H"
+			},
+			{
+				"type": "delim-token",
+				"raw": "%",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "%",
+				"value": "%"
+			},
+			{
+				"type": "dimension-token",
+				"raw": "7Zkc0P17",
+				"startIndex": 2,
+				"endIndex": 10,
+				"normalized": "7Zkc0P17",
+				"value": "7",
+				"unit": "Zkc0P17"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 10,
+				"endIndex": 11,
+				"normalized": " ",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "m2cqKMI5Cz34YPit",
+				"startIndex": 11,
+				"endIndex": 27,
+				"normalized": "m2cqKMI5Cz34YPit",
+				"value": "m2cqKMI5Cz34YPit"
+			},
+			{
+				"type": "number-token",
+				"raw": ".2",
+				"startIndex": 27,
+				"endIndex": 29,
+				"normalized": ".2",
+				"value": ".2"
+			},
+			{
+				"type": "number-token",
+				"raw": ".7",
+				"startIndex": 29,
+				"endIndex": 31,
+				"normalized": ".7",
+				"value": ".7"
+			},
+			{
+				"type": "comma-token",
+				"raw": ",",
+				"startIndex": 31,
+				"endIndex": 32,
+				"normalized": ",",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "oP",
+				"startIndex": 32,
+				"endIndex": 34,
+				"normalized": "oP",
+				"value": "oP"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 34,
+				"endIndex": 35,
+				"normalized": " ",
+				"value": null
+			}
+		]
+	},
+	"tests/fuzz/eb11f9d4-f8ef-4e11-88dc-2cbf7f56e537": {
+		"css": ">u)k2a76}y4\\6fb9ONI\\",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": ">",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": ">",
+				"value": ">"
+			},
+			{
+				"type": "ident-token",
+				"raw": "u",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "u",
+				"value": "u"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "k2a76",
+				"startIndex": 3,
+				"endIndex": 8,
+				"normalized": "k2a76",
+				"value": "k2a76"
+			},
+			{
+				"type": "}-token",
+				"raw": "}",
+				"startIndex": 8,
+				"endIndex": 9,
+				"normalized": "}",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "y4\\6fb9ONI\\",
+				"startIndex": 9,
+				"endIndex": 20,
+				"normalized": "y4澹ONI�",
+				"value": "y4澹ONI�"
+			}
+		]
+	},
+	"tests/hash/0001": {
+		"css": "#1\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#1",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "#1",
+				"value": "1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0002": {
+		"css": "#-2\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#-2",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "#-2",
+				"value": "-2"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0003": {
+		"css": "#--3\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#--3",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "#--3",
+				"value": "--3"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0004": {
+		"css": "#---4\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#---4",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "#---4",
+				"value": "---4"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0005": {
+		"css": "#a\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#a",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "#a",
+				"value": "a"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0006": {
+		"css": "#-b\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#-b",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "#-b",
+				"value": "-b"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0007": {
+		"css": "#--c\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#--c",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "#--c",
+				"value": "--c"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0008": {
+		"css": "#---d\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#---d",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "#---d",
+				"value": "---d"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0009": {
+		"css": "#_\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#_",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "#_",
+				"value": "_"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0010": {
+		"css": "#_1\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#_1",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "#_1",
+				"value": "_1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0011": {
+		"css": "#-\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#-",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "#-",
+				"value": "-"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0012": {
+		"css": "#+\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "#",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "#",
+				"value": "#"
+			},
+			{
+				"type": "delim-token",
+				"raw": "+",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "+",
+				"value": "+"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0013": {
+		"css": "##\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "#",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "#",
+				"value": "#"
+			},
+			{
+				"type": "delim-token",
+				"raw": "#",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "#",
+				"value": "#"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hash/0014": {
+		"css": "#",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "#",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "#",
+				"value": "#"
+			}
+		]
+	},
+	"tests/hash/0015": {
+		"css": "#aa𐀀\n",
+		"tokens": [
+			{
+				"type": "hash-token",
+				"raw": "#aa𐀀",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "#aa𐀀",
+				"value": "aa𐀀"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hyphen-minus/0001": {
+		"css": "-\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "-",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "-",
+				"value": "-"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hyphen-minus/0002": {
+		"css": "-1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "-1",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "-1",
+				"value": "-1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hyphen-minus/0003": {
+		"css": "-.1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "-.1",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "-.1",
+				"value": "-.1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hyphen-minus/0004": {
+		"css": "--1\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "--1",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "--1",
+				"value": "--1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hyphen-minus/0005": {
+		"css": "-0\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "-0",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "-0",
+				"value": "-0"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/hyphen-minus/0006": {
+		"css": "-->\n",
+		"tokens": [
+			{
+				"type": "CDC-token",
+				"raw": "-->",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "-->",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident/0001": {
+		"css": "foo\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "foo",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "foo",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident/0002": {
+		"css": "--\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "--",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "--",
+				"value": "--"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident/0003": {
+		"css": "--0\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "--0",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "--0",
+				"value": "--0"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident/0004": {
+		"css": "-\\\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "-",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "-",
+				"value": "-"
+			},
+			{
+				"type": "delim-token",
+				"raw": "\\",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\\",
+				"value": "\\"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident/0005": {
+		"css": "-\\ \n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "-\\ ",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "- ",
+				"value": "- "
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident/0006": {
+		"css": "--💅\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "--💅",
+				"startIndex": 0,
+				"endIndex": 6,
+				"normalized": "--💅",
+				"value": "--💅"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident/0007": {
+		"css": "-§\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "-§",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "-§",
+				"value": "-§"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident/0008": {
+		"css": "-×\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "-×",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "-×",
+				"value": "-×"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident/0009": {
+		"css": "--a𐀀\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "--a𐀀",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "--a𐀀",
+				"value": "--a𐀀"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident-like/0001": {
+		"css": "url(foo)\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url(foo)",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "url(foo)",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 8,
+				"endIndex": 9,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident-like/0002": {
+		"css": "\\75 Rl(foo)\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "\\75 Rl(foo)",
+				"startIndex": 0,
+				"endIndex": 11,
+				"normalized": "uRl(foo)",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident-like/0003": {
+		"css": "uR\\6c (foo)\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "uR\\6c (foo)",
+				"startIndex": 0,
+				"endIndex": 11,
+				"normalized": "uRl(foo)",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident-like/0004": {
+		"css": "url('foo')\n",
+		"tokens": [
+			{
+				"type": "function-token",
+				"raw": "url(",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "url(",
+				"value": "url"
+			},
+			{
+				"type": "string-token",
+				"raw": "'foo'",
+				"startIndex": 4,
+				"endIndex": 9,
+				"normalized": "'foo'",
+				"value": "foo"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 9,
+				"endIndex": 10,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 10,
+				"endIndex": 11,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident-like/0005": {
+		"css": "url( 'foo')\n",
+		"tokens": [
+			{
+				"type": "function-token",
+				"raw": "url(",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "url(",
+				"value": "url"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": " ",
+				"value": null
+			},
+			{
+				"type": "string-token",
+				"raw": "'foo'",
+				"startIndex": 5,
+				"endIndex": 10,
+				"normalized": "'foo'",
+				"value": "foo"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 10,
+				"endIndex": 11,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident-like/0006": {
+		"css": "url(  'foo')\n",
+		"tokens": [
+			{
+				"type": "function-token",
+				"raw": "url(",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "url(",
+				"value": "url"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "  ",
+				"startIndex": 4,
+				"endIndex": 6,
+				"normalized": "  ",
+				"value": null
+			},
+			{
+				"type": "string-token",
+				"raw": "'foo'",
+				"startIndex": 6,
+				"endIndex": 11,
+				"normalized": "'foo'",
+				"value": "foo"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 12,
+				"endIndex": 13,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident-like/0007": {
+		"css": "url(   'foo')\n",
+		"tokens": [
+			{
+				"type": "function-token",
+				"raw": "url(",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "url(",
+				"value": "url"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "   ",
+				"startIndex": 4,
+				"endIndex": 7,
+				"normalized": "   ",
+				"value": null
+			},
+			{
+				"type": "string-token",
+				"raw": "'foo'",
+				"startIndex": 7,
+				"endIndex": 12,
+				"normalized": "'foo'",
+				"value": "foo"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 12,
+				"endIndex": 13,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 13,
+				"endIndex": 14,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident-like/0008": {
+		"css": "not-url(   'foo')\n",
+		"tokens": [
+			{
+				"type": "function-token",
+				"raw": "not-url(",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "not-url(",
+				"value": "not-url"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "   ",
+				"startIndex": 8,
+				"endIndex": 11,
+				"normalized": "   ",
+				"value": null
+			},
+			{
+				"type": "string-token",
+				"raw": "'foo'",
+				"startIndex": 11,
+				"endIndex": 16,
+				"normalized": "'foo'",
+				"value": "foo"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 16,
+				"endIndex": 17,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 17,
+				"endIndex": 18,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/ident-like/0009": {
+		"css": "url(   foo)\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url(   foo)",
+				"startIndex": 0,
+				"endIndex": 11,
+				"normalized": "url(   foo)",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/left-curly-bracket/0001": {
+		"css": "{\n",
+		"tokens": [
+			{
+				"type": "{-token",
+				"raw": "{",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "{",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/left-parenthesis/0001": {
+		"css": "(\n",
+		"tokens": [
+			{
+				"type": "(-token",
+				"raw": "(",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "(",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/left-square-bracket/0001": {
+		"css": "[\n",
+		"tokens": [
+			{
+				"type": "[-token",
+				"raw": "[",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "[",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/less-than/0001": {
+		"css": "<\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "<",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "<",
+				"value": "<"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/less-than/0002": {
+		"css": "<!--\n",
+		"tokens": [
+			{
+				"type": "CDO-token",
+				"raw": "<!--",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "<!--",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/less-than/0003": {
+		"css": "<--\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "<",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "<",
+				"value": "<"
+			},
+			{
+				"type": "ident-token",
+				"raw": "--",
+				"startIndex": 1,
+				"endIndex": 3,
+				"normalized": "--",
+				"value": "--"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/less-than/0004": {
+		"css": "<!-\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "<",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "<",
+				"value": "<"
+			},
+			{
+				"type": "delim-token",
+				"raw": "!",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "!",
+				"value": "!"
+			},
+			{
+				"type": "delim-token",
+				"raw": "-",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "-",
+				"value": "-"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0001": {
+		"css": "10\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "10",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "10",
+				"value": "10"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0002": {
+		"css": "+10\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "+10",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "+10",
+				"value": "+10"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0003": {
+		"css": "-10\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "-10",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "-10",
+				"value": "-10"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0004": {
+		"css": "0\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "0",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "0",
+				"value": "0"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0005": {
+		"css": "+0\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "+0",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "+0",
+				"value": "+0"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0006": {
+		"css": "-0\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "-0",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "-0",
+				"value": "-0"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0007": {
+		"css": ".0\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": ".0",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": ".0",
+				"value": ".0"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0008": {
+		"css": ".1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": ".1",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": ".1",
+				"value": ".1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0009": {
+		"css": "+.1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "+.1",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "+.1",
+				"value": "+.1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0010": {
+		"css": "-.1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "-.1",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "-.1",
+				"value": "-.1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0011": {
+		"css": "1.1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "1.1",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "1.1",
+				"value": "1.1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0012": {
+		"css": "+1.1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "+1.1",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "+1.1",
+				"value": "+1.1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0013": {
+		"css": "-1.1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "-1.1",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "-1.1",
+				"value": "-1.1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0014": {
+		"css": "1.1e2\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "1.1e2",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "1.1e2",
+				"value": "1.1e2"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0015": {
+		"css": "+1.1e+2\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "+1.1e+2",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "+1.1e+2",
+				"value": "+1.1e+2"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0016": {
+		"css": "-1.1e-2\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "-1.1e-2",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "-1.1e-2",
+				"value": "-1.1e-2"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0017": {
+		"css": "-1.1e-22\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "-1.1e-22",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "-1.1e-22",
+				"value": "-1.1e-22"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 8,
+				"endIndex": 9,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0018": {
+		"css": "-1.1e-22e\n",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "-1.1e-22e",
+				"startIndex": 0,
+				"endIndex": 9,
+				"normalized": "-1.1e-22e",
+				"value": "-1.1e-22",
+				"unit": "e"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 9,
+				"endIndex": 10,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0019": {
+		"css": "1e+\n",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "1e",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "1e",
+				"value": "1",
+				"unit": "e"
+			},
+			{
+				"type": "delim-token",
+				"raw": "+",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "+",
+				"value": "+"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/number/0020": {
+		"css": ".2.7\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": ".2",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": ".2",
+				"value": ".2"
+			},
+			{
+				"type": "number-token",
+				"raw": ".7",
+				"startIndex": 2,
+				"endIndex": 4,
+				"normalized": ".7",
+				"value": ".7"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/numeric/0001": {
+		"css": "-123.753e-2\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "-123.753e-2",
+				"startIndex": 0,
+				"endIndex": 11,
+				"normalized": "-123.753e-2",
+				"value": "-123.753e-2"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/numeric/0002": {
+		"css": "-123.753e-2px\n",
+		"tokens": [
+			{
+				"type": "dimension-token",
+				"raw": "-123.753e-2px",
+				"startIndex": 0,
+				"endIndex": 13,
+				"normalized": "-123.753e-2px",
+				"value": "-123.753e-2",
+				"unit": "px"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 13,
+				"endIndex": 14,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/numeric/0003": {
+		"css": "-123.753e-2%\n",
+		"tokens": [
+			{
+				"type": "percentage-token",
+				"raw": "-123.753e-2%",
+				"startIndex": 0,
+				"endIndex": 12,
+				"normalized": "-123.753e-2%",
+				"value": "-123.753e-2"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 12,
+				"endIndex": 13,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/numeric/0004": {
+		"css": "1.2.3\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "1.2",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "1.2",
+				"value": "1.2"
+			},
+			{
+				"type": "number-token",
+				"raw": ".3",
+				"startIndex": 3,
+				"endIndex": 5,
+				"normalized": ".3",
+				"value": ".3"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/plus/0001": {
+		"css": "+\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "+",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "+",
+				"value": "+"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/plus/0002": {
+		"css": "+1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "+1",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "+1",
+				"value": "+1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/plus/0003": {
+		"css": "+.1\n",
+		"tokens": [
+			{
+				"type": "number-token",
+				"raw": "+.1",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "+.1",
+				"value": "+.1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/plus/0004": {
+		"css": "++1\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "+",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "+",
+				"value": "+"
+			},
+			{
+				"type": "number-token",
+				"raw": "+1",
+				"startIndex": 1,
+				"endIndex": 3,
+				"normalized": "+1",
+				"value": "+1"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/reverse-solidus/0001": {
+		"css": "\\\n",
+		"tokens": [
+			{
+				"type": "delim-token",
+				"raw": "\\",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "\\",
+				"value": "\\"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/reverse-solidus/0002": {
+		"css": "\\#\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\#",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "#",
+				"value": "#"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/reverse-solidus/0003": {
+		"css": "\\ \n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\ ",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": " ",
+				"value": " "
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 2,
+				"endIndex": 3,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/reverse-solidus/0004": {
+		"css": "\\61 b\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\61 b",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "ab",
+				"value": "ab"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/reverse-solidus/0005": {
+		"css": "\\",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "�",
+				"value": "�"
+			}
+		]
+	},
+	"tests/right-curly-bracket/0001": {
+		"css": "}\n",
+		"tokens": [
+			{
+				"type": "}-token",
+				"raw": "}",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "}",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/right-parenthesis/0001": {
+		"css": ")\n",
+		"tokens": [
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/right-square-bracket/0001": {
+		"css": "]\n",
+		"tokens": [
+			{
+				"type": "]-token",
+				"raw": "]",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "]",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/semi-colon/0001": {
+		"css": ";\n",
+		"tokens": [
+			{
+				"type": "semicolon-token",
+				"raw": ";",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": ";",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 1,
+				"endIndex": 2,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/string/0001": {
+		"css": "\"foo\"\n'foo'\n",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"foo\"",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "\"foo\"",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "string-token",
+				"raw": "'foo'",
+				"startIndex": 6,
+				"endIndex": 11,
+				"normalized": "'foo'",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 11,
+				"endIndex": 12,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/string/0002": {
+		"css": "\"foo",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"foo",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "\"foo",
+				"value": "foo"
+			}
+		]
+	},
+	"tests/string/0003": {
+		"css": "\"fo\no\"",
+		"tokens": [
+			{
+				"type": "bad-string-token",
+				"raw": "\"fo",
+				"startIndex": 0,
+				"endIndex": 3,
+				"normalized": "\"fo",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "o",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "o",
+				"value": "o"
+			},
+			{
+				"type": "string-token",
+				"raw": "\"",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\"",
+				"value": ""
+			}
+		]
+	},
+	"tests/string/0004": {
+		"css": "\"fo\\\no\"\n",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"fo\\\no\"",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "\"foo\"",
+				"value": "foo"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/string/0005": {
+		"css": "\"fo\\",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"fo\\",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "\"fo",
+				"value": "fo"
+			}
+		]
+	},
+	"tests/string/0006": {
+		"css": "\"esc\\61 ped\"\n",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"esc\\61 ped\"",
+				"startIndex": 0,
+				"endIndex": 12,
+				"normalized": "\"escaped\"",
+				"value": "escaped"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 12,
+				"endIndex": 13,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/string/0007": {
+		"css": "\"foo\\\"",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"foo\\\"",
+				"startIndex": 0,
+				"endIndex": 6,
+				"normalized": "\"foo\"",
+				"value": "foo\""
+			}
+		]
+	},
+	"tests/string/0008": {
+		"css": "\"'foo'\"\n'\"foo\"'\n",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"'foo'\"",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "\"'foo'\"",
+				"value": "'foo'"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "string-token",
+				"raw": "'\"foo\"'",
+				"startIndex": 8,
+				"endIndex": 15,
+				"normalized": "'\"foo\"'",
+				"value": "\"foo\""
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 15,
+				"endIndex": 16,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/string/0009": {
+		"css": "\"\\\"foo\\\"\"\n'\\'foo\\''\n",
+		"tokens": [
+			{
+				"type": "string-token",
+				"raw": "\"\\\"foo\\\"\"",
+				"startIndex": 0,
+				"endIndex": 9,
+				"normalized": "\"\"foo\"\"",
+				"value": "\"foo\""
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 9,
+				"endIndex": 10,
+				"normalized": "\n",
+				"value": null
+			},
+			{
+				"type": "string-token",
+				"raw": "'\\'foo\\''",
+				"startIndex": 10,
+				"endIndex": 19,
+				"normalized": "''foo''",
+				"value": "'foo'"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 19,
+				"endIndex": 20,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0001": {
+		"css": "url(\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url(\n",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "url(\n",
+				"value": ""
+			}
+		]
+	},
+	"tests/url/0002": {
+		"css": "url(a\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url(a\n",
+				"startIndex": 0,
+				"endIndex": 6,
+				"normalized": "url(a\n",
+				"value": "a"
+			}
+		]
+	},
+	"tests/url/0003": {
+		"css": "url( a\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url( a\n",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "url( a\n",
+				"value": "a"
+			}
+		]
+	},
+	"tests/url/0004": {
+		"css": "url()\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url()",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "url()",
+				"value": ""
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0005": {
+		"css": "url( )\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url( )",
+				"startIndex": 0,
+				"endIndex": 6,
+				"normalized": "url( )",
+				"value": ""
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0006": {
+		"css": "url( a)\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url( a)",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "url( a)",
+				"value": "a"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0007": {
+		"css": "url( a )\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url( a )",
+				"startIndex": 0,
+				"endIndex": 8,
+				"normalized": "url( a )",
+				"value": "a"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 8,
+				"endIndex": 9,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0008": {
+		"css": "url( \\) )\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url( \\) )",
+				"startIndex": 0,
+				"endIndex": 9,
+				"normalized": "url( ) )",
+				"value": ")"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 9,
+				"endIndex": 10,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0009": {
+		"css": "url(https://https:⁄⁄www.netmeister.org@https://www.netmeister.org/https:⁄⁄www.netmeister.org⁄?https://www.netmeister.org=https://www.netmeister.org;https://www.netmeister.org#https://www.netmeister.org)\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url(https://https:⁄⁄www.netmeister.org@https://www.netmeister.org/https:⁄⁄www.netmeister.org⁄?https://www.netmeister.org=https://www.netmeister.org;https://www.netmeister.org#https://www.netmeister.org)",
+				"startIndex": 0,
+				"endIndex": 212,
+				"normalized": "url(https://https:⁄⁄www.netmeister.org@https://www.netmeister.org/https:⁄⁄www.netmeister.org⁄?https://www.netmeister.org=https://www.netmeister.org;https://www.netmeister.org#https://www.netmeister.org)",
+				"value": "https://https:⁄⁄www.netmeister.org@https://www.netmeister.org/https:⁄⁄www.netmeister.org⁄?https://www.netmeister.org=https://www.netmeister.org;https://www.netmeister.org#https://www.netmeister.org"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 212,
+				"endIndex": 213,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0010": {
+		"css": "url(https://www.netmeister.org/%62%6C%6F%67/%75%72%6C%73%2E%68%74%6D%6C?!@#$%25=+_\\)\\(*&^#top)\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "url(https://www.netmeister.org/%62%6C%6F%67/%75%72%6C%73%2E%68%74%6D%6C?!@#$%25=+_\\)\\(*&^#top)",
+				"startIndex": 0,
+				"endIndex": 94,
+				"normalized": "url(https://www.netmeister.org/%62%6C%6F%67/%75%72%6C%73%2E%68%74%6D%6C?!@#$%25=+_)(*&^#top)",
+				"value": "https://www.netmeister.org/%62%6C%6F%67/%75%72%6C%73%2E%68%74%6D%6C?!@#$%25=+_)(*&^#top"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 94,
+				"endIndex": 95,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0011": {
+		"css": "Url(a)\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "Url(a)",
+				"startIndex": 0,
+				"endIndex": 6,
+				"normalized": "Url(a)",
+				"value": "a"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0012": {
+		"css": "uRl(a)\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "uRl(a)",
+				"startIndex": 0,
+				"endIndex": 6,
+				"normalized": "uRl(a)",
+				"value": "a"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0013": {
+		"css": "urL(a)\n",
+		"tokens": [
+			{
+				"type": "url-token",
+				"raw": "urL(a)",
+				"startIndex": 0,
+				"endIndex": 6,
+				"normalized": "urL(a)",
+				"value": "a"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0014": {
+		"css": "uri(a)\n",
+		"tokens": [
+			{
+				"type": "function-token",
+				"raw": "uri(",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "uri(",
+				"value": "uri"
+			},
+			{
+				"type": "ident-token",
+				"raw": "a",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "a",
+				"value": "a"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/url/0015": {
+		"css": "uul(a)\n",
+		"tokens": [
+			{
+				"type": "function-token",
+				"raw": "uul(",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "uul(",
+				"value": "uul"
+			},
+			{
+				"type": "ident-token",
+				"raw": "a",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "a",
+				"value": "a"
+			},
+			{
+				"type": ")-token",
+				"raw": ")",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": ")",
+				"value": null
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/whitespace/0001": {
+		"css": "\n",
+		"tokens": [
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/whitespace/0002": {
+		"css": " \n",
+		"tokens": [
+			{
+				"type": "whitespace-token",
+				"raw": " \n",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": " \n",
+				"value": null
+			}
+		]
+	},
+	"tests/whitespace/0003": {
+		"css": "a  b\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "a",
+				"startIndex": 0,
+				"endIndex": 1,
+				"normalized": "a",
+				"value": "a"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "  ",
+				"startIndex": 1,
+				"endIndex": 3,
+				"normalized": "  ",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "b",
+				"startIndex": 3,
+				"endIndex": 4,
+				"normalized": "b",
+				"value": "b"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/whitespace/0004": {
+		"css": "\\61 b\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\61 b",
+				"startIndex": 0,
+				"endIndex": 5,
+				"normalized": "ab",
+				"value": "ab"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/whitespace/0005": {
+		"css": "\\000061 b\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\000061 b",
+				"startIndex": 0,
+				"endIndex": 9,
+				"normalized": "ab",
+				"value": "ab"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 9,
+				"endIndex": 10,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/whitespace/0006": {
+		"css": "\\61  b\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "\\61 ",
+				"startIndex": 0,
+				"endIndex": 4,
+				"normalized": "a",
+				"value": "a"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": " ",
+				"startIndex": 4,
+				"endIndex": 5,
+				"normalized": " ",
+				"value": null
+			},
+			{
+				"type": "ident-token",
+				"raw": "b",
+				"startIndex": 5,
+				"endIndex": 6,
+				"normalized": "b",
+				"value": "b"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 6,
+				"endIndex": 7,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	},
+	"tests/whitespace/0007": {
+		"css": "\t\n",
+		"tokens": [
+			{
+				"type": "whitespace-token",
+				"raw": "\t\n",
+				"startIndex": 0,
+				"endIndex": 2,
+				"normalized": "\t\n",
+				"value": null
+			}
+		]
+	},
+	"tests/whitespace/0008": {
+		"css": "f\\ o\\\to\n",
+		"tokens": [
+			{
+				"type": "ident-token",
+				"raw": "f\\ o\\\to",
+				"startIndex": 0,
+				"endIndex": 7,
+				"normalized": "f o\to",
+				"value": "f o\to"
+			},
+			{
+				"type": "whitespace-token",
+				"raw": "\n",
+				"startIndex": 7,
+				"endIndex": 8,
+				"normalized": "\n",
+				"value": null
+			}
+		]
+	}
+}
diff --git a/tests/phpunit/tests/css-api/wpCssTokenProcessor.php b/tests/phpunit/tests/css-api/wpCssTokenProcessor.php
new file mode 100644
index 0000000000000..054c03dc9c094
--- /dev/null
+++ b/tests/phpunit/tests/css-api/wpCssTokenProcessor.php
@@ -0,0 +1,2558 @@
+<?php
+
+/**
+ * Comprehensive CSS processor tests based on the CSS Syntax Level 3 specification.
+ *
+ * @group css-api
+ */
+class Tests_CssApi_WpCssTokenProcessor extends WP_UnitTestCase {
+	/**
+	 * Tests that the processor produces the expected tokens for all test cases.
+	 *
+	 * @dataProvider corpus_provider
+	 */
+	public function test_processor_matches_spec( string $css, array $expected_tokens ): void {
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor );
+		$this->assertSame( $expected_tokens, $actual_tokens );
+	}
+
+	/**
+	 * Provides the test cases from the @rmenke/css-processor-test test corpus.
+	 *
+	 * @see https://github.com/romainmenke/css-processor-tests/
+	 * @return array
+	 */
+	public static function corpus_provider(): array {
+		return json_decode( file_get_contents( DIR_TESTDATA . '/css-api/css-test-cases.json' ), true );
+	}
+
+	/**
+	 * Collects all tokens from a CSS processor into an array.
+	 *
+	 * @param WP_CSS_Token_Processor $processor The CSS processor.
+	 * @return array Array of tokens with type, raw, startIndex, endIndex, structured.
+	 */
+	public static function collect_tokens( WP_CSS_Token_Processor $processor, $keys = null ): array {
+		$tokens = array();
+
+		while ( $processor->next_token() ) {
+			$type = $processor->get_token_type();
+
+			$byte_start = $processor->get_token_start();
+			$byte_end   = $byte_start + $processor->get_token_length();
+
+			$token = array(
+				'type'       => $type,
+				'raw'        => $processor->get_unnormalized_token(),
+				'startIndex' => $byte_start,
+				'endIndex'   => $byte_end,
+				'normalized' => $processor->get_normalized_token(),
+				'value'      => $processor->get_token_value(),
+			);
+			if ( null !== $processor->get_token_unit() ) {
+				$token['unit'] = $processor->get_token_unit();
+			}
+
+			if ( null !== $keys ) {
+				$token = array_intersect_key( $token, array_flip( $keys ) );
+			}
+
+			$tokens[] = $token;
+		}
+
+		return $tokens;
+	}
+
+	/**
+	 * A string-ending backslash followed by EOF is consumed without adding
+	 * anything to the string token value.
+	 *
+	 * @ticket 62653
+	 */
+	public function test_string_token_backslash_eof_does_not_decode_to_replacement_character(): void {
+		$processor = WP_CSS_Token_Processor::create( '"b\\' );
+
+		$this->assertTrue( $processor->next_token() );
+		$this->assertSame( WP_CSS_Token_Processor::TOKEN_STRING, $processor->get_token_type() );
+		$this->assertSame( 'b', $processor->get_token_value() );
+		$this->assertFalse( $processor->next_token() );
+	}
+
+	/**
+	 * A backslash followed by a newline inside a string consumes both code
+	 * points without adding anything to the string token value.
+	 *
+	 * @ticket 62653
+	 */
+	public function test_string_token_escaped_newline_does_not_appear_in_value(): void {
+		$processor = WP_CSS_Token_Processor::create( "\"a\\\nb\"" );
+
+		$this->assertTrue( $processor->next_token() );
+		$this->assertSame( WP_CSS_Token_Processor::TOKEN_STRING, $processor->get_token_type() );
+		$this->assertSame( 'ab', $processor->get_token_value() );
+		$this->assertFalse( $processor->next_token() );
+	}
+
+	/**
+	 * Bad string tokens have no associated value.
+	 *
+	 * @ticket 62653
+	 */
+	public function test_bad_string_token_value_is_null(): void {
+		$processor = WP_CSS_Token_Processor::create( "'str\ning'" );
+
+		$this->assertTrue( $processor->next_token() );
+		$this->assertSame( WP_CSS_Token_Processor::TOKEN_BAD_STRING, $processor->get_token_type() );
+		$this->assertNull( $processor->get_token_value() );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_hash_token_type_flag(): void {
+		$processor = WP_CSS_Token_Processor::create( '#id #1id .' );
+
+		$this->assertTrue( $processor->next_token() );
+		$this->assertSame( WP_CSS_Token_Processor::TOKEN_HASH, $processor->get_token_type() );
+		$this->assertSame( WP_CSS_Token_Processor::HASH_TOKEN_ID, $processor->get_token_type_flag() );
+
+		$this->assertTrue( $processor->next_token() );
+		$this->assertSame( WP_CSS_Token_Processor::TOKEN_WHITESPACE, $processor->get_token_type() );
+		$this->assertNull( $processor->get_token_type_flag() );
+
+		$this->assertTrue( $processor->next_token() );
+		$this->assertSame( WP_CSS_Token_Processor::TOKEN_HASH, $processor->get_token_type() );
+		$this->assertSame( WP_CSS_Token_Processor::HASH_TOKEN_UNRESTRICTED, $processor->get_token_type_flag() );
+
+		$this->assertTrue( $processor->next_token() );
+		$this->assertSame( WP_CSS_Token_Processor::TOKEN_WHITESPACE, $processor->get_token_type() );
+		$this->assertNull( $processor->get_token_type_flag() );
+
+		$this->assertTrue( $processor->next_token() );
+		$this->assertSame( WP_CSS_Token_Processor::TOKEN_DELIM, $processor->get_token_type() );
+		$this->assertNull( $processor->get_token_type_flag() );
+	}
+
+	/**
+	 * Tests handling of non-UTF-8 byte sequences in identifiers.
+	 *
+	 * Invalid UTF-8 sequences should be replaced with U+FFFD replacement characters
+	 * during tokenization, allowing the CSS to continue processing.
+	 */
+	public function test_non_utf8_sequences_in_identifiers(): void {
+		// Invalid UTF-8 sequence 0xC0 0x80 (overlong encoding).
+		$css = ".class\xF1name";
+
+		$expected = array(
+			// .class�name (0xF1 replaced with U+FFFD).
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'        => '.',
+				'normalized' => '.',
+				'value'      => '.',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => "class\xF1name",
+				'normalized' => 'class�name',
+				'value'      => 'class�name',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw', 'normalized', 'value', 'unit' ) );
+		$this->assertSame( $expected, $actual_tokens );
+	}
+
+	public function test_invalid_utf8_in_normal_segment_combined_with_escape(): void {
+		$css = ".test\xF1\\41name";
+
+		$expected = array(
+			array(
+				'type'  => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'   => '.',
+				'value' => '.',
+			),
+			array(
+				'type'  => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'   => "test\xF1\\41name",
+				'value' => "test\u{FFFD}Aname",
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw', 'value' ) );
+		$this->assertSame( $expected, $actual_tokens );
+	}
+
+	public function test_invalid_utf8_as_escaped_character(): void {
+		$css = ".a\\\xF1b";
+
+		$expected = array(
+			array(
+				'type'  => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'   => '.',
+				'value' => '.',
+			),
+			array(
+				'type'  => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'   => "a\\\xF1b",
+				'value' => "a\u{FFFD}b",
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw', 'value' ) );
+		$this->assertSame( $expected, $actual_tokens );
+	}
+
+	public function test_invalid_utf8_with_valid_prefix_in_identifiers(): void {
+		// Invalid 2-byte prefix is replaced with a single U+FFFD.
+		$css = ".test\xE2\x80name";
+
+		$expected = array(
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'        => '.',
+				'normalized' => '.',
+				'value'      => '.',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => "test\xE2\x80name",
+				'normalized' => 'test�name',
+				'value'      => 'test�name',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw', 'normalized', 'value' ) );
+		$this->assertSame( $expected, $actual_tokens );
+	}
+
+	public function test_invalid_utf8_with_two_single_byte_invalid_sequences(): void {
+		// Two distinct single byte invalid sequences are replaced with
+		// two separate U+FFFD replacement characters.
+		$css = ".test\xE2\xE2name";
+
+		$expected = array(
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'        => '.',
+				'normalized' => '.',
+				'value'      => '.',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => "test\xE2\xE2name",
+				'normalized' => 'test��name',
+				'value'      => 'test��name',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw', 'normalized', 'value' ) );
+		$this->assertSame( $expected, $actual_tokens );
+	}
+
+	/**
+	 * Legacy test to ensure basic tokenization still works.
+	 */
+	public function test_tokenize_labels_core_tokens(): void {
+		$css = <<<CSS
+@media screen and (min-width: 10px) {
+	background: url("/images/a.png");
+}
+CSS;
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_AT_KEYWORD,
+				'raw'  => '@media',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'screen',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'and',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_PAREN,
+				'raw'  => '(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'min-width',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '10px',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_BRACE,
+				'raw'  => '{',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => "\n\t",
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'background',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'url(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_STRING,
+				'raw'  => '"/images/a.png"',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => "\n",
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACE,
+				'raw'  => '}',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of complex selectors with pseudo-classes.
+	 */
+	public function test_complex_selector_with_pseudo_classes(): void {
+		$css = 'a:hover::before, div.class#id:not(.disabled)';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'a',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'hover',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'before',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'div',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '.',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'class',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_HASH,
+				'raw'  => '#id',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'not(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '.',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'disabled',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of CSS comments.
+	 */
+	public function test_css_comments(): void {
+		$css = '/* This is a comment */ .class { color: red; /* Another comment */ }';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMENT,
+				'raw'  => '/* This is a comment */',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '.',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'class',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_BRACE,
+				'raw'  => '{',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'color',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'red',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMENT,
+				'raw'  => '/* Another comment */',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACE,
+				'raw'  => '}',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of media queries.
+	 */
+	public function test_media_query(): void {
+		$css = '@media screen and (min-width: 768px) and (max-width: 1024px)';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_AT_KEYWORD,
+				'raw'  => '@media',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'screen',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'and',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_PAREN,
+				'raw'  => '(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'min-width',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '768px',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'and',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_PAREN,
+				'raw'  => '(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'max-width',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '1024px',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of keyframes animation.
+	 */
+	public function test_keyframes_animation(): void {
+		$css = '@keyframes slide-in { 0% { opacity: 0; } 100% { opacity: 1; } }';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_AT_KEYWORD,
+				'raw'  => '@keyframes',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'slide-in',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_BRACE,
+				'raw'  => '{',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_PERCENTAGE,
+				'raw'  => '0%',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_BRACE,
+				'raw'  => '{',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'opacity',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '0',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACE,
+				'raw'  => '}',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_PERCENTAGE,
+				'raw'  => '100%',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_BRACE,
+				'raw'  => '{',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'opacity',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '1',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACE,
+				'raw'  => '}',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACE,
+				'raw'  => '}',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of vendor-prefixed properties.
+	 */
+	public function test_vendor_prefixed_properties(): void {
+		$css = '-webkit-transform: rotate(45deg); -moz-border-radius: 5px;';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => '-webkit-transform',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'rotate(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '45deg',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => '-moz-border-radius',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '5px',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of attribute selectors.
+	 */
+	public function test_attribute_selectors(): void {
+		$css = 'input[type="text"][required], a[href^="https://"]';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'input',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_BRACKET,
+				'raw'  => '[',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'type',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '=',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_STRING,
+				'raw'  => '"text"',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACKET,
+				'raw'  => ']',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_BRACKET,
+				'raw'  => '[',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'required',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACKET,
+				'raw'  => ']',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'a',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_BRACKET,
+				'raw'  => '[',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'href',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '^',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '=',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_STRING,
+				'raw'  => '"https://"',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACKET,
+				'raw'  => ']',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of calc() function with complex expressions.
+	 */
+	public function test_calc_function(): void {
+		$css = 'width: calc(100% - 20px * 2 + 5em);';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'width',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'calc(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_PERCENTAGE,
+				'raw'  => '100%',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '-',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '20px',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '*',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '2',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '+',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '5em',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of RGB/RGBA color functions.
+	 */
+	public function test_color_functions(): void {
+		$css = 'color: rgb(255, 128, 0); background: rgba(0, 0, 0, 0.5);';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'color',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'rgb(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '255',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '128',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '0',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'background',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'rgba(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '0',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '0',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '0',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '0.5',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of CSS custom properties (variables).
+	 */
+	public function test_css_variables(): void {
+		$css = '--main-color: #ff0000; color: var(--main-color);';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => '--main-color',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_HASH,
+				'raw'  => '#ff0000',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'color',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'var(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => '--main-color',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of gradient functions.
+	 */
+	public function test_gradient_functions(): void {
+		$css = 'background: linear-gradient(to right, red 0%, blue 100%);';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'background',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'linear-gradient(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'to',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'right',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'red',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_PERCENTAGE,
+				'raw'  => '0%',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'blue',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_PERCENTAGE,
+				'raw'  => '100%',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of grid layout properties.
+	 */
+	public function test_grid_layout(): void {
+		$css = 'grid-template-columns: repeat(3, 1fr); gap: 10px 20px;';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'grid-template-columns',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'repeat(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_NUMBER,
+				'raw'  => '3',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '1fr',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'gap',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '10px',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '20px',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of URL functions with various formats.
+	 */
+	public function test_url_formats(): void {
+		$css = 'background: url("image.png"), url(\'font.woff\'), url(https://example.com/bg.jpg);';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'background',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'url(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_STRING,
+				'raw'  => '"image.png"',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'  => 'url(',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_STRING,
+				'raw'  => "'font.woff'",
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'  => ')',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_URL,
+				'raw'  => 'url(https://example.com/bg.jpg)',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of !important declarations.
+	 */
+	public function test_important_declarations(): void {
+		$css = 'color: red !important; margin: 0px !important;';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'color',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'red',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '!',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'important',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'margin',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'  => '0px',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '!',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'important',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of multiple selectors with combinators.
+	 */
+	public function test_complex_combinators(): void {
+		$css = 'div > p + span ~ a.link';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'div',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '>',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'p',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '+',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'span',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '~',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'a',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '.',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'link',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests tokenization of escaped characters in identifiers.
+	 */
+	public function test_escaped_identifiers(): void {
+		$css = '.class\\:name, #id\\@special { color: blue; }';
+
+		$expected = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '.',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'class\\:name',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COMMA,
+				'raw'  => ',',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_HASH,
+				'raw'  => '#id\\@special',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_LEFT_BRACE,
+				'raw'  => '{',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'color',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'  => ':',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'  => 'blue',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'  => ';',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'  => ' ',
+			),
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACE,
+				'raw'  => '}',
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$this->assertSame( $actual_tokens, $expected );
+	}
+
+	/**
+	 * Tests that get_normalized_token() applies CSS normalization.
+	 *
+	 * Uses a comprehensive CSS selector with rules that includes:
+	 * - CSS escapes in class names and IDs
+	 * - URLs with escape sequences
+	 * - String values with escapes and line endings
+	 * - Comments with various line ending characters
+	 * - Null bytes in identifiers
+	 * - Mixed line endings (\r\n, \r, \f) that need normalization
+	 */
+	public function test_get_normalized_token_applies_normalization(): void {
+		// Comprehensive CSS with normalization requirements.
+		$css = "/* Comment\r\nwith\flines */\r\n" .
+				".c\\6c ass.n\\61 me\r#id\\@value\r\n{\r\n" .
+				"\tbackground:\furl(path\\2f to\\2f image.png);\r\n" .
+				"\tcontent:\r\"text\\A string\";\r\n" .
+				'}';
+
+		$expected = array(
+			// Comment with \r\n and \f.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_COMMENT,
+				'raw'        => "/* Comment\r\nwith\flines */",
+				'normalized' => "/* Comment\nwith\nlines */",
+				'value'      => null,
+			),
+			// Whitespace with \r\n.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => "\r\n",
+				'normalized' => "\n",
+				'value'      => null,
+			),
+			// Class selector delimiter.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'        => '.',
+				'normalized' => '.',
+				'value'      => '.',
+			),
+			// Class name with escape (\6c = 'l'), space gets consumed by escape.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => 'c\\6c ass',
+				'normalized' => 'class', // Escapes decoded.
+				'value'      => 'class', // Decoded: \6c → l, space consumed.
+			),
+			// Delimiter.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'        => '.',
+				'normalized' => '.',
+				'value'      => '.',
+			),
+			// Identifier with escape (\61 = 'a'), space gets consumed.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => 'n\\61 me',
+				'normalized' => 'name', // Escapes decoded.
+				'value'      => 'name', // Decoded: \61 → a, space consumed.
+			),
+			// Whitespace with \r.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => "\r",
+				'normalized' => "\n",
+				'value'      => null,
+			),
+			// ID selector with escape.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_HASH,
+				'raw'        => '#id\\@value',
+				'normalized' => '#id@value', // Escapes decoded.
+				'value'      => 'id@value', // Decoded value.
+			),
+			// Whitespace with \r\n.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => "\r\n",
+				'normalized' => "\n",
+				'value'      => null,
+			),
+			// Opening brace.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_LEFT_BRACE,
+				'raw'        => '{',
+				'normalized' => '{',
+				'value'      => null,
+			),
+			// Whitespace with \r\n and tab (consumed together).
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => "\r\n\t",
+				'normalized' => "\n\t",
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => 'background',
+				'normalized' => 'background',
+				'value'      => 'background',
+			),
+			// Colon.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'        => ':',
+				'normalized' => ':',
+				'value'      => null,
+			),
+			// Whitespace with \f.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => "\f",
+				'normalized' => "\n",
+				'value'      => null,
+			),
+			// URL token with escapes (entire url(...) is one token).
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_URL,
+				'raw'        => 'url(path\\2f to\\2f image.png)',
+				'normalized' => 'url(path/to/image.png)', // Escapes decoded.
+				'value'      => 'path/to/image.png', // Decoded: \2f → /, spaces consumed.
+			),
+			// Semicolon.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			// Whitespace with \r\n and tab (consumed together).
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => "\r\n\t",
+				'normalized' => "\n\t",
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => 'content',
+				'normalized' => 'content',
+				'value'      => 'content',
+			),
+			// Colon.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'        => ':',
+				'normalized' => ':',
+				'value'      => null,
+			),
+			// Whitespace with \r.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => "\r",
+				'normalized' => "\n",
+				'value'      => null,
+			),
+			// String with escape (\A = newline, space consumed).
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_STRING,
+				'raw'        => '"text\\A string"',
+				'normalized' => "\"text\nstring\"", // Escapes decoded, quotes preserved.
+				'value'      => "text\nstring", // \A → \n, space consumed.
+			),
+			// Semicolon.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			// Whitespace with \r\n.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => "\r\n",
+				'normalized' => "\n",
+				'value'      => null,
+			),
+			// Closing brace.
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACE,
+				'raw'        => '}',
+				'normalized' => '}',
+				'value'      => null,
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw', 'normalized', 'value' ) );
+		$this->assertSame( $expected, $actual_tokens );
+	}
+
+	public function test_dimension_token_value(): void {
+		$css           = '10px;15em;20%;30pt;40pc;50vw;';
+		$expected      = array(
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'        => '10px',
+				'normalized' => '10px',
+				'value'      => '10',
+				'unit'       => 'px',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'        => '15em',
+				'normalized' => '15em',
+				'value'      => '15',
+				'unit'       => 'em',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_PERCENTAGE,
+				'raw'        => '20%',
+				'normalized' => '20%',
+				'value'      => '20',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'        => '30pt',
+				'normalized' => '30pt',
+				'value'      => '30',
+				'unit'       => 'pt',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'        => '40pc',
+				'normalized' => '40pc',
+				'value'      => '40',
+				'unit'       => 'pc',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'        => '50vw',
+				'normalized' => '50vw',
+				'value'      => '50',
+				'unit'       => 'vw',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+		);
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw', 'normalized', 'value', 'unit' ) );
+		$this->assertSame( $expected, $actual_tokens );
+	}
+
+	/**
+	 * Tests that create() validates encoding and only accepts UTF-8.
+	 */
+	public function test_create_validates_encoding(): void {
+		// UTF-8 encoding should work (default).
+		$processor = WP_CSS_Token_Processor::create( '.class { color: red; }' );
+		$this->assertInstanceOf( WP_CSS_Token_Processor::class, $processor );
+
+		// UTF-8 encoding should work (explicit).
+		$processor = WP_CSS_Token_Processor::create( '.class { color: red; }', 'UTF-8' );
+		$this->assertInstanceOf( WP_CSS_Token_Processor::class, $processor );
+
+		// Other encodings should return null.
+		$processor = WP_CSS_Token_Processor::create( '.class { color: red; }', 'ISO-8859-1' );
+		$this->assertNull( $processor );
+
+		$processor = WP_CSS_Token_Processor::create( '.class { color: red; }', 'Windows-1252' );
+		$this->assertNull( $processor );
+	}
+
+	/**
+	 * Tests escape sequences in unusual and edge-case positions.
+	 *
+	 * Covers:
+	 * - Multiple consecutive escapes
+	 * - Escapes in function names
+	 * - Escapes in at-keywords
+	 * - Escapes in dimension units
+	 * - Null byte escapes (\0)
+	 * - Escaped special characters (@, #, !, etc.)
+	 * - Escaped whitespace that gets consumed by the escape
+	 * - Unicode escapes for various characters
+	 */
+	public function test_escape_sequences_in_unusual_places() {
+		// Complex CSS with escapes in many unusual but valid positions
+		$css = '@\\6D edia ' . // @media with \6D (m) and space consumed
+				'\\73 creen ' . // screen with \73 (s) and space consumed
+				'{' .
+				' .\\63 l\\61 ss\\5F name ' . // .class_name with escapes and spaces consumed
+				"#\\69 d\\5C 0test\x00 " . // #id\0test with null byte escape (should be preserved)
+														// AND an actual null byte (should be replaced with a U+FFFD REPLACEMENT CHARACTER)
+				'{' .
+				' c\\6F lor: ' . // color: with \6F (o) and space consumed
+				'r\\65 d ' . // red with escape
+				'\\21 important;' . // !important with escaped !
+				' w\\69 dth: ' . // width:
+				'10\\70 x;' . // 10px (dimension with escaped unit)
+				' background: ' .
+				'\\75 rl(' . // url( with escaped u
+				'"p\\61 th\\2F img\\2E png"' . // "path/img.png" with escapes
+				');' .
+				' content: "\\5C \\5C ";' . // "\\ \\" - escaped backslashes
+				' font-family: \\22 Arial\\22 ;' . // "Arial" with escaped quotes
+				' }' .
+				'}';
+
+		$expected = array(
+			// @\6D edia -> @media
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_AT_KEYWORD,
+				'raw'        => '@\\6D edia',
+				'normalized' => '@media',
+				'value'      => 'media',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// \73 creen -> screen
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => '\\73 creen',
+				'normalized' => 'screen',
+				'value'      => 'screen',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_LEFT_BRACE,
+				'raw'        => '{',
+				'normalized' => '{',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// Delimiter .
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'        => '.',
+				'normalized' => '.',
+				'value'      => '.',
+			),
+			// \63 l\61 ss\5F name -> class_name
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => '\\63 l\\61 ss\\5F name',
+				'normalized' => 'class_name',
+				'value'      => 'class_name',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// #\69 d\5C 0test -> #id\0test (with encoded null byte)
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_HASH,
+				'raw'        => "#\\69 d\\5C 0test\x00",
+				'normalized' => "#id\\0test�",
+				// Ensure the value is normalized.
+				'value'      => "id\\0test�",
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_LEFT_BRACE,
+				'raw'        => '{',
+				'normalized' => '{',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// c\6F lor -> color
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => 'c\\6F lor',
+				'normalized' => 'color',
+				'value'      => 'color',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'        => ':',
+				'normalized' => ':',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// r\65 d -> red
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => 'r\\65 d',
+				'normalized' => 'red',
+				'value'      => 'red',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// \21 important -> !important (single identifier with escaped !)
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => '\\21 important',
+				'normalized' => '!important',
+				'value'      => '!important',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// w\69 dth -> width
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => 'w\\69 dth',
+				'normalized' => 'width',
+				'value'      => 'width',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'        => ':',
+				'normalized' => ':',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// 10\70 x -> 10px (dimension with escaped unit)
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_DIMENSION,
+				'raw'        => '10\\70 x',
+				'normalized' => '10px',
+				'value'      => '10',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => 'background',
+				'normalized' => 'background',
+				'value'      => 'background',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'        => ':',
+				'normalized' => ':',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// \75 rl( -> url( (escaped function name)
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_FUNCTION,
+				'raw'        => '\\75 rl(',
+				'normalized' => 'url(',
+				'value'      => 'url',
+			),
+			// String with escapes: "p\61 th\2F img\2E png"
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_STRING,
+				'raw'        => '"p\\61 th\\2F img\\2E png"',
+				'normalized' => '"path/img.png"',
+				'value'      => 'path/img.png',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_RIGHT_PAREN,
+				'raw'        => ')',
+				'normalized' => ')',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => 'content',
+				'normalized' => 'content',
+				'value'      => 'content',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'        => ':',
+				'normalized' => ':',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// String with escaped backslashes: "\5C \5C " -> "\\"
+			// Each \5C sequence (with trailing space consumed) becomes one backslash
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_STRING,
+				'raw'        => '"\\5C \\5C "',
+				'normalized' => '"\\\\"',
+				'value'      => '\\\\',  // Two backslashes total
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => 'font-family',
+				'normalized' => 'font-family',
+				'value'      => 'font-family',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_COLON,
+				'raw'        => ':',
+				'normalized' => ':',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			// \22 Arial\22 -> "Arial" (escaped quotes make it an ident)
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_IDENT,
+				'raw'        => '\\22 Arial\\22 ',
+				'normalized' => '"Arial"',
+				'value'      => '"Arial"',
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_SEMICOLON,
+				'raw'        => ';',
+				'normalized' => ';',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_WHITESPACE,
+				'raw'        => ' ',
+				'normalized' => ' ',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACE,
+				'raw'        => '}',
+				'normalized' => '}',
+				'value'      => null,
+			),
+			array(
+				'type'       => WP_CSS_Token_Processor::TOKEN_RIGHT_BRACE,
+				'raw'        => '}',
+				'normalized' => '}',
+				'value'      => null,
+			),
+		);
+
+		$processor     = WP_CSS_Token_Processor::create( $css );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw', 'normalized', 'value' ) );
+		$this->assertSame( $expected, $actual_tokens );
+	}
+
+	/**
+	 * Tests that set_token_value() only works on URL tokens.
+	 */
+	public function test_set_token_value_only_works_on_url_tokens(): void {
+		$css       = 'color: red; background: url(old.jpg);';
+		$processor = WP_CSS_Token_Processor::create( $css );
+
+		while ( $processor->next_token() ) {
+			$token_type = $processor->get_token_type();
+
+			if ( WP_CSS_Token_Processor::TOKEN_URL === $token_type ) {
+				// Should succeed on URL tokens.
+				$this->assertTrue( $processor->set_token_value( 'new.jpg' ) );
+			} else {
+				// Should fail on non-URL tokens.
+				$this->assertFalse( $processor->set_token_value( 'test' ) );
+			}
+		}
+
+		// Verify the update was applied.
+		$updated = $processor->get_updated_css();
+		$this->assertSame( 'color: red; background: url("new.jpg");', $updated );
+	}
+
+	/**
+	 * Tests that set_token_value() properly escapes special characters in quoted URLs.
+	 */
+	public function test_set_token_value_escapes_special_characters(): void {
+		$css       = 'background: url(old.jpg);';
+		$processor = WP_CSS_Token_Processor::create( $css );
+
+		while ( $processor->next_token() ) {
+			if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+				// URL with spaces, quotes, and parentheses.
+				$processor->set_token_value( 'path with spaces("special").jpg' );
+			}
+		}
+
+		$updated = $processor->get_updated_css();
+
+		$this->assertSame( 'background: url("path with spaces(\\22 special\\22 ).jpg");', $updated );
+	}
+
+	/**
+	 * Tests that set_token_value() preserves Unicode characters in quoted URLs.
+	 */
+	public function test_set_token_value_encodes_unicode(): void {
+		$css       = 'background: url(old.jpg);';
+		$processor = WP_CSS_Token_Processor::create( $css );
+
+		while ( $processor->next_token() ) {
+			if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+				// URL with Unicode characters: "测试.jpg" (Chinese characters).
+				$processor->set_token_value( '测试.jpg' );
+			}
+		}
+
+		$updated = $processor->get_updated_css();
+
+		$this->assertSame( 'background: url("测试.jpg");', $updated );
+	}
+
+	/**
+	 * Tests that set_token_value() preserves emoji in quoted URLs.
+	 */
+	public function test_set_token_value_handles_emoji(): void {
+		$css       = 'background: url(old.jpg);';
+		$processor = WP_CSS_Token_Processor::create( $css );
+
+		while ( $processor->next_token() ) {
+			if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+				// URL with emoji: "image😀.jpg".
+				$processor->set_token_value( 'image😀.jpg' );
+			}
+		}
+
+		$updated = $processor->get_updated_css();
+
+		$this->assertSame( 'background: url("image😀.jpg");', $updated );
+	}
+
+	/**
+	 * Tests that multiple URL values can be updated in the same CSS.
+	 */
+	public function test_set_token_value_multiple_urls(): void {
+		$css       = 'background: url(old1.jpg); border-image: url(old2.png);';
+		$processor = WP_CSS_Token_Processor::create( $css );
+
+		$url_count = 0;
+		while ( $processor->next_token() ) {
+			if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+				++$url_count;
+				if ( 1 === $url_count ) {
+					$processor->set_token_value( 'new1.jpg' );
+				} elseif ( 2 === $url_count ) {
+					$processor->set_token_value( 'new2.png' );
+				}
+			}
+		}
+
+		$updated = $processor->get_updated_css();
+
+		// Verify both URLs were updated.
+		$this->assertSame( 'background: url("new1.jpg"); border-image: url("new2.png");', $updated );
+	}
+
+	/**
+	 * Tests that newlines are properly escaped in quoted URLs.
+	 */
+	public function test_set_token_value_escapes_control_characters(): void {
+		$css       = 'background: url(old.jpg);';
+		$processor = WP_CSS_Token_Processor::create( $css );
+
+		while ( $processor->next_token() ) {
+			if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+				// URL with newlines and carriage returns.
+				$processor->set_token_value( "path\nwith\rnewlines\ftest.jpg" );
+			}
+		}
+
+		$updated = $processor->get_updated_css();
+
+		$this->assertSame( 'background: url("path\\A with\\A newlines\\A test.jpg");', $updated );
+	}
+
+	/**
+	 * Tests that backslashes are properly escaped in quoted URLs.
+	 */
+	public function test_set_token_value_escapes_backslashes(): void {
+		$css       = 'background: url(old.jpg);';
+		$processor = WP_CSS_Token_Processor::create( $css );
+
+		while ( $processor->next_token() ) {
+			if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+				$processor->set_token_value( 'path\\with\\backslashes.jpg' );
+			}
+		}
+
+		$updated = $processor->get_updated_css();
+
+		// Verify backslashes are escaped as \\.
+		$this->assertSame( 'background: url("path\\5C with\\5C backslashes.jpg");', $updated );
+	}
+
+	/**
+	 * Tests that get_updated_css() returns original CSS when no changes are made.
+	 */
+	public function test_get_updated_css_returns_original_when_unchanged(): void {
+		$css       = 'background: url(image.jpg); color: red;';
+		$processor = WP_CSS_Token_Processor::create( $css );
+
+		// Iterate through tokens without making changes.
+		while ( $processor->next_token() ) {
+			// Do nothing.
+		}
+
+		$updated = $processor->get_updated_css();
+
+		// Should return original CSS.
+		$this->assertSame( $css, $updated );
+	}
+
+	/**
+	 * Tests that safe ASCII characters are preserved in quoted URLs.
+	 */
+	public function test_set_token_value_preserves_safe_characters(): void {
+		$css       = 'background: url(old.jpg);';
+		$processor = WP_CSS_Token_Processor::create( $css );
+
+		while ( $processor->next_token() ) {
+			if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+				// URL with safe characters: letters, digits, hyphens, underscores, dots, slashes.
+				$processor->set_token_value( 'path/to/my-image_2024.jpg' );
+			}
+		}
+
+		$updated = $processor->get_updated_css();
+
+		// Verify safe characters are preserved as-is in quoted URL.
+		$this->assertSame( 'background: url("path/to/my-image_2024.jpg");', $updated );
+	}
+
+	/**
+	 * Tests that invalid UTF-8 sequences are replaced in quoted URLs.
+	 */
+	public function test_set_token_with_invalid_utf8_sequence(): void {
+		$css       = 'background: url(old.jpg);';
+		$processor = WP_CSS_Token_Processor::create( $css );
+
+		while ( $processor->next_token() ) {
+			if ( WP_CSS_Token_Processor::TOKEN_URL === $processor->get_token_type() ) {
+				$processor->set_token_value( "\xC0.jpg" );
+			}
+		}
+
+		$updated = $processor->get_updated_css();
+
+		$this->assertSame( 'background: url("�.jpg");', $updated );
+	}
+
+	/**
+	 * Test bounds check when consuming and ident start token.
+	 */
+	public function test_ident_start_codepoint_bounds_check(): void {
+		$processor       = WP_CSS_Token_Processor::create( '-' );
+		$actual_tokens   = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$expected_tokens = array(
+			array(
+				'type' => WP_CSS_Token_Processor::TOKEN_DELIM,
+				'raw'  => '-',
+			),
+		);
+		$this->assertSame( $expected_tokens, $actual_tokens );
+	}
+}
diff --git a/tests/phpunit/tests/html-api/wpCssAttributeSelector.php b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php
new file mode 100644
index 0000000000000..72b3cc86ffa58
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php
@@ -0,0 +1,133 @@
+<?php
+/**
+ * Unit tests covering WP_CSS_Attribute_Selector functionality.
+ *
+ * @package WordPress
+ *
+ * @subpackage HTML-API
+ *
+ * @since {WP_VERSION}
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_CSS_Attribute_Selector
+ */
+class Tests_HtmlApi_WpCssAttributeSelector extends WP_UnitTestCase {
+	/**
+	 * @ticket 62653
+	 *
+	 * @dataProvider data_attribute_selectors
+	 */
+	public function test_parse_attribute(
+		string $input,
+		?string $expected_name = null,
+		?string $expected_matcher = null,
+		?string $expected_value = null,
+		?string $expected_modifier = null,
+		?string $rest = null
+	) {
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( $input, WP_CSS_Attribute_Selector::class );
+		$result = WP_CSS_Attribute_Selector::parse( $tokens );
+		if ( null === $expected_name ) {
+			$this->assertNull( $result );
+		} else {
+			$this->assertNotNull( $result, "Failed to parse attribute selector: {$input}" );
+			$this->assertSame( $expected_name, $result->name );
+			$this->assertSame( $expected_matcher, $result->matcher );
+			$this->assertSame( $expected_value, $result->value );
+			$this->assertSame( $expected_modifier, $result->modifier );
+			$this->assertSame( $rest, $tokens->get_remaining_text() );
+		}
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_invalid_attribute_selector_restores_token_stream() {
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( '[a=', WP_CSS_Attribute_Selector::class );
+
+		$this->assertNull( WP_CSS_Attribute_Selector::parse( $tokens ) );
+		$this->assertSame( '[a=', $tokens->get_remaining_text() );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array
+	 */
+	public static function data_attribute_selectors(): array {
+		return array(
+			'[href]'                   => array( '[href]', 'href', null, null, null, '' ),
+			'[href] type'              => array( '[href] type', 'href', null, null, null, ' type' ),
+			'[href]#id'                => array( '[href]#id', 'href', null, null, null, '#id' ),
+			'[href].class'             => array( '[href].class', 'href', null, null, null, '.class' ),
+			'[href][href2]'            => array( '[href][href2]', 'href', null, null, null, '[href2]' ),
+			'[\n href\t\r]'            => array( "[\n href\t\r]", 'href', null, null, null, '' ),
+			'[href=foo]'               => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ),
+			'[a=b]'                    => array( '[a=b]', 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, 'b', null, '' ),
+			'[href \n =   bar   ]'     => array( "[href \n =   bar   ]", 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ),
+			'[href \n ^=   baz   ]'    => array( "[href \n ^=   baz   ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ),
+
+			'[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ),
+			'[match|=sensitive s]'     => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_SUFFIXED, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ),
+			'[att=val I]'              => array( '[att=val I]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ),
+			'[att=val S]'              => array( '[att=val S]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ),
+
+			'[match~="quoted[][]"]'    => array( '[match~="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT, 'quoted[][]', null, '' ),
+			"[match$='quoted!{}']"     => array( "[match$='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'quoted!{}', null, '' ),
+			"[match*='quoted's]"       => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_CONTAINS, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ),
+
+			'[escape-nl="foo\\nbar"]'  => array( "[escape-nl='foo\\\nbar']", 'escape-nl', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foobar', null, '' ),
+			'[escape-seq="\\31 23"]'   => array( "[escape-seq='\\31 23']", 'escape-seq', WP_CSS_Attribute_Selector::MATCH_EXACT, '123', null, '' ),
+
+			/*
+			 * The end of input closes an open attribute selector: tokenization
+			 * auto-closes unterminated simple blocks (and strings) at EOF.
+			 *
+			 * https://www.w3.org/TR/css-syntax-3/#consume-simple-block
+			 */
+			'EOF [foo'                 => array( '[foo', 'foo', null, null, null, '' ),
+			'EOF [ \n foo'             => array( "[ \n foo", 'foo', null, null, null, '' ),
+			'EOF [foo '                => array( '[foo ', 'foo', null, null, null, '' ),
+			'EOF [a=b'                 => array( '[a=b', 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, 'b', null, '' ),
+			'EOF [att=val '            => array( '[att=val ', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', null, '' ),
+			'EOF [a="b'                => array( '[a="b', 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, 'b', null, '' ),
+			"EOF [a='b"                => array( "[a='b", 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, 'b', null, '' ),
+			'EOF [a="b\\'              => array( '[a="b\\', 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, 'b', null, '' ),
+			'EOF [a=b\\'               => array( '[a=b\\', 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, "b\u{FFFD}", null, '' ),
+			'EOF [a^=b'                => array( '[a^=b', 'a', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'b', null, '' ),
+			'EOF [att=val i'           => array( '[att=val i', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ),
+			'EOF [att=val i '          => array( '[att=val i ', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ),
+			'EOF [att="val"s'          => array( '[att="val"s', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ),
+
+			// Invalid
+			'Invalid: (empty string)'  => array( '' ),
+			'Invalid: foo'             => array( 'foo' ),
+			'Invalid: ['               => array( '[' ),
+			'Invalid: [ '              => array( '[ ' ),
+			'Invalid: [a='             => array( '[a=' ),
+			'Invalid: [a= '            => array( '[a= ' ),
+			'Invalid: [a~'             => array( '[a~' ),
+			'Invalid: [a=b x'          => array( '[a=b x' ),
+			'Invalid: [a i'            => array( '[a i' ),
+			'Invalid: [#foo]'          => array( '[#foo]' ),
+			'Invalid: [*|*]'           => array( '[*|*]' ),
+			'Invalid: [ns|*]'          => array( '[ns|*]' ),
+			'Invalid: [* |att]'        => array( '[* |att]' ),
+			'Invalid: [*| att]'        => array( '[*| att]' ),
+			'Invalid: [att * =]'       => array( '[att * =]' ),
+			'Invalid: [att+=val]'      => array( '[att+=val]' ),
+			'Invalid: [a=]'            => array( '[a=]' ),
+			'Invalid: [a~=]'           => array( '[a~=]' ),
+			'Invalid: [a==b]'          => array( '[a==b]' ),
+			'Invalid: [a=1]'           => array( '[a=1]' ),
+			'Invalid: [a=1'            => array( '[a=1' ),
+			'Invalid: [att i]'         => array( '[att i]' ),
+			'Invalid: [att s]'         => array( '[att s]' ),
+			"Invalid: [att='val\\n']"  => array( "[att='val\n']" ),
+			"Invalid: [att='val\\n"    => array( "[att='val\n" ),
+			'Invalid: [att="val"ix'    => array( '[att="val"ix' ),
+			'Invalid: [att="val"ix '   => array( '[att="val"ix ' ),
+		);
+	}
+}
diff --git a/tests/phpunit/tests/html-api/wpCssClassSelector.php b/tests/phpunit/tests/html-api/wpCssClassSelector.php
new file mode 100644
index 0000000000000..ed254b2af4411
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpCssClassSelector.php
@@ -0,0 +1,50 @@
+<?php
+/**
+ * Unit tests covering WP_CSS_Class_Selector functionality.
+ *
+ * @package WordPress
+ *
+ * @subpackage HTML-API
+ *
+ * @since {WP_VERSION}
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_CSS_Class_Selector
+ */
+class Tests_HtmlApi_WpCssClassSelector extends WP_UnitTestCase {
+	/**
+	 * @ticket 62653
+	 *
+	 * @dataProvider data_class_selectors
+	 */
+	public function test_parse_class( string $input, ?string $expected = null, ?string $rest = null ) {
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( $input, WP_CSS_Class_Selector::class );
+		$result = WP_CSS_Class_Selector::parse( $tokens );
+		if ( null === $expected ) {
+			$this->assertNull( $result );
+		} else {
+			$this->assertSame( $expected, $result->class_name );
+			$this->assertSame( $rest, $tokens->get_remaining_text() );
+		}
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array
+	 */
+	public static function data_class_selectors(): array {
+		return array(
+			'valid ._-foo123'             => array( '._-foo123', '_-foo123', '' ),
+			'valid .foo.bar'              => array( '.foo.bar', 'foo', '.bar' ),
+			'escaped .\31 23'             => array( '.\\31 23', '123', '' ),
+			'with descendant .\31 23 div' => array( '.\\31 23 div', '123', ' div' ),
+			'escape at EOF .foo\\'        => array( '.foo\\', "foo\u{fffd}", '' ),
+
+			'not class foo'               => array( 'foo' ),
+			'not class #bar'              => array( '#bar' ),
+			'not valid .1foo'             => array( '.1foo' ),
+		);
+	}
+}
diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelector.php b/tests/phpunit/tests/html-api/wpCssComplexSelector.php
new file mode 100644
index 0000000000000..cb25de498e6c5
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpCssComplexSelector.php
@@ -0,0 +1,68 @@
+<?php
+/**
+ * Unit tests covering WP_CSS_Complex_Selector functionality.
+ *
+ * @package WordPress
+ *
+ * @subpackage HTML-API
+ *
+ * @since {WP_VERSION}
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_CSS_Complex_Selector
+ */
+class Tests_HtmlApi_WpCssComplexSelector extends WP_UnitTestCase {
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_complex_selector() {
+		$input  = 'el1 el2 > .child#bar[baz=quux] , rest';
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( $input, WP_CSS_Complex_Selector::class );
+
+		/** @var WP_CSS_Complex_Selector|null */
+		$sel = WP_CSS_Complex_Selector::parse( $tokens );
+
+		$this->assertSame( 2, count( $sel->context_selectors ) );
+
+		// Relative selectors should be reverse ordered.
+		$this->assertSame( 'el2', $sel->context_selectors[0][0]->type );
+		$this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->context_selectors[0][1] );
+
+		$this->assertSame( 'el1', $sel->context_selectors[1][0]->type );
+		$this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT, $sel->context_selectors[1][1] );
+
+		$this->assertSame( 3, count( $sel->self_selector->subclass_selectors ) );
+		$this->assertNull( $sel->self_selector->type_selector );
+		$this->assertSame( 'child', $sel->self_selector->subclass_selectors[0]->class_name );
+
+		$this->assertSame( ', rest', $tokens->get_remaining_text() );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_invalid_complex_selector() {
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( 'el.foo#bar[baz=quux] > , rest', WP_CSS_Complex_Selector::class );
+		$result = WP_CSS_Complex_Selector::parse( $tokens );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_invalid_complex_selector_nonfinal_subclass() {
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( 'el.foo#bar[baz=quux] > final, rest', WP_CSS_Complex_Selector::class );
+		$result = WP_CSS_Complex_Selector::parse( $tokens );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_empty_complex_selector() {
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( '', WP_CSS_Complex_Selector::class );
+		$result = WP_CSS_Complex_Selector::parse( $tokens );
+		$this->assertNull( $result );
+	}
+}
diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php
new file mode 100644
index 0000000000000..93a3746ea2d6e
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php
@@ -0,0 +1,89 @@
+<?php
+/**
+ * Unit tests covering WP_CSS_Complex_Selector_List functionality.
+ *
+ * @package WordPress
+ *
+ * @subpackage HTML-API
+ *
+ * @since {WP_VERSION}
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_CSS_Complex_Selector_List
+ */
+class Tests_HtmlApi_WpCssComplexSelectorList extends WP_UnitTestCase {
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_complex_selector_list() {
+		$input  = 'el1 el2 el.foo#bar[baz=quux], second > selector';
+		$result = WP_CSS_Complex_Selector_List::from_selectors( $input );
+		$this->assertNotNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_invalid_selector_list() {
+		$input  = 'el,,';
+		$result = WP_CSS_Complex_Selector_List::from_selectors( $input );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_invalid_selector_list2() {
+		$input  = 'el!';
+		$result = WP_CSS_Complex_Selector_List::from_selectors( $input );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 *
+	 * @dataProvider data_invalid_trailing_attribute_selectors
+	 */
+	public function test_parse_invalid_trailing_attribute_selector_rejects_whole_selector_list( string $selector ) {
+		$result = WP_CSS_Complex_Selector_List::from_selectors( $selector );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_empty_selector_list() {
+		$input  = " \t   \t\n\r\f";
+		$result = WP_CSS_Complex_Selector_List::from_selectors( $input );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * The invalid-UTF-8 scrub notice reports the called class: through this
+	 * class it must be named WP_CSS_Complex_Selector_List::from_selectors,
+	 * not the WP_CSS_Compound_Selector_List parent where from_selectors()
+	 * and the scrub are implemented. The fuzzer's notice model depends on
+	 * the per-class name.
+	 *
+	 * @expectedIncorrectUsage WP_CSS_Complex_Selector_List::from_selectors
+	 */
+	public function test_invalid_utf8_scrub_notice_reports_the_called_class() {
+		$result = WP_CSS_Complex_Selector_List::from_selectors( "el \xC2.child" );
+		$this->assertNotNull( $result, 'Selector with invalid UTF-8 should parse after scrubbing.' );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array<string, array{string}>
+	 */
+	public static function data_invalid_trailing_attribute_selectors(): array {
+		return array(
+			'missing attribute value before close' => array( 'ancestor .ok[a=]' ),
+			'missing attribute value at EOF'       => array( 'ancestor .ok[a=' ),
+			'unsupported matcher'                  => array( 'ancestor .ok[att+=val]' ),
+			'bad modifier remainder'               => array( 'ancestor .ok[att="val"ix]' ),
+		);
+	}
+}
diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelector.php b/tests/phpunit/tests/html-api/wpCssCompoundSelector.php
new file mode 100644
index 0000000000000..b9b862acfa8fa
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpCssCompoundSelector.php
@@ -0,0 +1,43 @@
+<?php
+/**
+ * Unit tests covering WP_CSS_Compound_Selector functionality.
+ *
+ * @package WordPress
+ *
+ * @subpackage HTML-API
+ *
+ * @since {WP_VERSION}
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_CSS_Compound_Selector
+ */
+class Tests_HtmlApi_WpCssCompoundSelector extends WP_UnitTestCase {
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_selector() {
+		$input  = 'el.foo#bar[baz=quux] > .child';
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( $input, WP_CSS_Compound_Selector::class );
+		$sel    = WP_CSS_Compound_Selector::parse( $tokens );
+
+		$this->assertSame( 'el', $sel->type_selector->type );
+		$this->assertSame( 3, count( $sel->subclass_selectors ) );
+		$this->assertSame( 'foo', $sel->subclass_selectors[0]->class_name, 'foo' );
+		$this->assertSame( 'bar', $sel->subclass_selectors[1]->id, 'bar' );
+		$this->assertSame( 'baz', $sel->subclass_selectors[2]->name, 'baz' );
+		$this->assertSame( WP_CSS_Attribute_Selector::MATCH_EXACT, $sel->subclass_selectors[2]->matcher );
+		$this->assertSame( 'quux', $sel->subclass_selectors[2]->value );
+		$this->assertSame( ' > .child', $tokens->get_remaining_text() );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_empty_selector() {
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( '', WP_CSS_Compound_Selector::class );
+		$result = WP_CSS_Compound_Selector::parse( $tokens );
+		$this->assertNull( $result );
+		$this->assertSame( '', $tokens->get_remaining_text() );
+	}
+}
diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php
new file mode 100644
index 0000000000000..256f69c28b624
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php
@@ -0,0 +1,167 @@
+<?php
+/**
+ * Unit tests covering WP_CSS_Compound_Selector_List functionality.
+ *
+ * @package WordPress
+ *
+ * @subpackage HTML-API
+ *
+ * @since {WP_VERSION}
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_CSS_Compound_Selector_List
+ */
+class Tests_HtmlApi_WpCssCompoundSelectorList extends WP_UnitTestCase {
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_selector_list() {
+		$input  = 'el1, el2, el.foo#bar[baz=quux]';
+		$result = WP_CSS_Compound_Selector_List::from_selectors( $input );
+		$this->assertNotNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_invalid_selector_list() {
+		$input  = 'el,,';
+		$result = WP_CSS_Compound_Selector_List::from_selectors( $input );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_invalid_selector_list2() {
+		$input  = 'el!';
+		$result = WP_CSS_Compound_Selector_List::from_selectors( $input );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 *
+	 * @dataProvider data_invalid_trailing_attribute_selectors
+	 */
+	public function test_parse_invalid_trailing_attribute_selector_rejects_whole_selector_list( string $selector ) {
+		$result = WP_CSS_Compound_Selector_List::from_selectors( $selector );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * An escaped whitespace code point at the end of input belongs to the
+	 * ident and must survive input normalization: `.foo\ ` is the valid
+	 * class `foo ` (with a space), not a backslash at the end of input.
+	 *
+	 * @ticket 62653
+	 */
+	public function test_parse_escaped_whitespace_at_end_of_input() {
+		$result = WP_CSS_Compound_Selector_List::from_selectors( '.foo\\ ' );
+		$this->assertNotNull( $result );
+	}
+
+	/**
+	 * A backslash before a newline is not a valid escape; at the end of
+	 * input it must not be mistaken for trimmable trailing whitespace.
+	 *
+	 * @ticket 62653
+	 */
+	public function test_parse_escape_before_newline_at_end_of_input_is_invalid() {
+		$result = WP_CSS_Compound_Selector_List::from_selectors( ".foo\\\n" );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_parse_empty_selector_list() {
+		$input  = " \t   \t\n\r\f";
+		$result = WP_CSS_Compound_Selector_List::from_selectors( $input );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * @ticket 62653
+	 */
+	public function test_unsupported_complex_selector() {
+		$input  = 'ancestor descendant';
+		$result = WP_CSS_Compound_Selector_List::from_selectors( $input );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * Selector strings are UTF-8 text: invalid byte sequences are replaced
+	 * with U+FFFD per maximal subpart (CSS Syntax §3.2 via the WHATWG
+	 * Encoding Standard) before parsing, so the selector parses rather than
+	 * being rejected. The replacement is almost certainly not what the
+	 * developer meant, so it also triggers `_doing_it_wrong()`.
+	 *
+	 * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors
+	 */
+	public function test_invalid_utf8_is_scrubbed_to_replacement_character_and_notifies() {
+		$result = WP_CSS_Compound_Selector_List::from_selectors( ".B\xFCcher" );
+		$this->assertNotNull( $result, 'Selector with invalid UTF-8 should parse after scrubbing.' );
+	}
+
+	/**
+	 * Valid UTF-8 — including a literal U+FFFD — must parse without any
+	 * incorrect-usage notice: scrubbing is the identity function on valid
+	 * input.
+	 */
+	public function test_valid_utf8_with_literal_replacement_character_is_not_notified() {
+		$result = WP_CSS_Compound_Selector_List::from_selectors( ".B\u{FFFD}cher" );
+		$this->assertNotNull( $result, 'Selector containing a literal U+FFFD should parse.' );
+	}
+
+	/**
+	 * The whole input is scrubbed uniformly, so a selector list with invalid
+	 * bytes in one of several selectors still parses as a list.
+	 *
+	 * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors
+	 */
+	public function test_invalid_utf8_in_selector_list_is_scrubbed() {
+		$result = WP_CSS_Compound_Selector_List::from_selectors( ".ok, .B\xE2\x8Ccher" );
+		$this->assertNotNull( $result, 'Selector list with invalid UTF-8 should parse after scrubbing.' );
+	}
+
+	/**
+	 * A selector consisting of nothing but an invalid byte parses: it scrubs
+	 * to U+FFFD, which is an ident-start code point and therefore a valid
+	 * type selector. Surprising, but it follows from the scrub running
+	 * before tokenization — the parser never sees the invalid byte.
+	 *
+	 * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors
+	 */
+	public function test_lone_invalid_byte_parses_as_replacement_character_type_selector() {
+		$result = WP_CSS_Compound_Selector_List::from_selectors( "\x80" );
+		$this->assertNotNull( $result, 'A lone invalid byte should parse as a U+FFFD type selector.' );
+	}
+
+	/**
+	 * The scrub notice reports the byte replacement, which happens before
+	 * parsing — it fires even when the scrubbed selector is then rejected
+	 * by the grammar.
+	 *
+	 * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors
+	 */
+	public function test_invalid_utf8_notice_fires_even_when_selector_is_rejected() {
+		$result = WP_CSS_Compound_Selector_List::from_selectors( "\x80 div" );
+		$this->assertNull( $result, 'Descendant combinators are unsupported by the compound list; the scrubbed selector should still be rejected.' );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array<string, array{string}>
+	 */
+	public static function data_invalid_trailing_attribute_selectors(): array {
+		return array(
+			'missing attribute value before close' => array( '.ok[a=]' ),
+			'missing attribute value at EOF'       => array( '.ok[a=' ),
+			'unsupported matcher'                  => array( '.ok[att+=val]' ),
+			'bad modifier remainder'               => array( '.ok[att="val"ix]' ),
+		);
+	}
+}
diff --git a/tests/phpunit/tests/html-api/wpCssIdSelector.php b/tests/phpunit/tests/html-api/wpCssIdSelector.php
new file mode 100644
index 0000000000000..6b8e262f2f843
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpCssIdSelector.php
@@ -0,0 +1,51 @@
+<?php
+/**
+ * Unit tests covering WP_CSS_ID_Selector functionality.
+ *
+ * @package WordPress
+ *
+ * @subpackage HTML-API
+ *
+ * @since {WP_VERSION}
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_CSS_ID_Selector
+ */
+class Tests_HtmlApi_WpCssIdSelector extends WP_UnitTestCase {
+	/**
+	 * @ticket 62653
+	 *
+	 * @dataProvider data_id_selectors
+	 */
+	public function test_parse_id( string $input, ?string $expected = null, ?string $rest = null ) {
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( $input, WP_CSS_ID_Selector::class );
+		$result = WP_CSS_ID_Selector::parse( $tokens );
+		if ( null === $expected ) {
+			$this->assertNull( $result );
+		} else {
+			$this->assertSame( $expected, $result->id );
+			$this->assertSame( $rest, $tokens->get_remaining_text() );
+		}
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array
+	 */
+	public static function data_id_selectors(): array {
+		return array(
+			'valid #_-foo123'             => array( '#_-foo123', '_-foo123', '' ),
+			'valid #foo#bar'              => array( '#foo#bar', 'foo', '#bar' ),
+			'escaped #\31 23'             => array( '#\\31 23', '123', '' ),
+			'with descendant #\31 23 div' => array( '#\\31 23 div', '123', ' div' ),
+			'escape at EOF #foo\\'        => array( '#foo\\', "foo\u{fffd}", '' ),
+
+			// Invalid
+			'not ID foo'                  => array( 'foo' ),
+			'not ID .bar'                 => array( '.bar' ),
+			'not valid #1foo'             => array( '#1foo' ),
+		);
+	}
+}
diff --git a/tests/phpunit/tests/html-api/wpCssTypeSelector.php b/tests/phpunit/tests/html-api/wpCssTypeSelector.php
new file mode 100644
index 0000000000000..917ab005b6980
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpCssTypeSelector.php
@@ -0,0 +1,52 @@
+<?php
+/**
+ * Unit tests covering WP_CSS_Type_Selector functionality.
+ *
+ * @package WordPress
+ *
+ * @subpackage HTML-API
+ *
+ * @since {WP_VERSION}
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_CSS_Type_Selector
+ */
+class Tests_HtmlApi_WpCssTypeSelector extends WP_UnitTestCase {
+	/**
+	 * @ticket 62653
+	 *
+	 * @dataProvider data_type_selectors
+	 */
+	public function test_parse_type( string $input, ?string $expected = null, ?string $rest = null ) {
+		$tokens = WP_CSS_Selector_Token_Stream::from_selectors( $input, WP_CSS_Type_Selector::class );
+		$result = WP_CSS_Type_Selector::parse( $tokens );
+		if ( null === $expected ) {
+			$this->assertNull( $result );
+		} else {
+			$this->assertSame( $expected, $result->type );
+			$this->assertSame( $rest, $tokens->get_remaining_text() );
+		}
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array
+	 */
+	public static function data_type_selectors(): array {
+		return array(
+			'any *'                   => array( '* .class', '*', ' .class' ),
+			'a'                       => array( 'a', 'a', '' ),
+			'div.class'               => array( 'div.class', 'div', '.class' ),
+			'custom-type#id'          => array( 'custom-type#id', 'custom-type', '#id' ),
+			'escape at EOF foo\\'     => array( 'foo\\', "foo\u{fffd}", '' ),
+
+			// Invalid
+			'Invalid: (empty string)' => array( '' ),
+			'Invalid: #id'            => array( '#id' ),
+			'Invalid: .class'         => array( '.class' ),
+			'Invalid: [attr]'         => array( '[attr]' ),
+		);
+	}
+}
diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php
new file mode 100644
index 0000000000000..fcb1acf3fa7d6
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php
@@ -0,0 +1,110 @@
+<?php
+/**
+ * Unit tests covering WP_HTML_Processor select functionality.
+ *
+ * Covers functionality related to CSS selectors and the {@see WP_HTML_Processor::select()}
+ * and {@see WP_HTML_Processor::select()} methods.
+ *
+ * @since {WP_VERSION}
+ *
+ * @group html-api
+ */
+class Tests_HtmlApi_WpHtmlProcessor_Select extends WP_UnitTestCase {
+	/**
+	 * @ticket 62653
+	 */
+	public function test_select_miss() {
+		$processor = WP_HTML_Processor::create_full_parser( '<span>' );
+		$this->assertFalse( $processor->select( 'div' ) );
+	}
+
+	/**
+	 * @ticket 62653
+	 *
+	 * @dataProvider data_selectors
+	 */
+	public function test_selects_all_matches( string $html, string $selector, int $match_count ) {
+		$processor = WP_HTML_Processor::create_full_parser( $html );
+		$count     = 0;
+		while ( $processor->select( $selector ) ) {
+			$breadcrumb_string = implode( ', ', $processor->get_breadcrumbs() );
+			$this->assertTrue(
+				$processor->get_attribute( 'match' ),
+				"Matched unexpected tag {$processor->get_tag()} @ {$breadcrumb_string}"
+			);
+			++$count;
+		}
+		$this->assertSame( $match_count, $count, 'Did not match expected number of tags.' );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array
+	 */
+	public static function data_selectors(): array {
+		return array(
+			'any'                            => array( '<html match><head match><meta match><body match><p match>', '*', 5 ),
+			'quirks mode ID'                 => array( '<p id="id" match><p id="ID" match>In quirks mode, ID matching is case-insensitive.', '#id', 2 ),
+			'quirks mode class'              => array( '<p class="c" match><p class="C" match>In quirks mode, class matching is case-insensitive.', '.c', 2 ),
+			'no-quirks mode ID'              => array( '<!DOCTYPE html><p id="id" match><p id="ID" match>In no-quirks mode, ID matching is case-sensitive.', '#id', 1 ),
+			'no-quirks mode class'           => array( '<!DOCTYPE html><p class="c" match><p class="C">In no-quirks mode, class matching is case-sensitive.', '.c', 1 ),
+			'any descendant'                 => array( '<section><p match><i match><em match><p match>', 'section *', 4 ),
+			'any child matches all children' => array( '<section><p match><i><em><p match>', 'section > *', 2 ),
+
+			'multiple complex selectors'     => array( '<section><div><p><span><i></i><p><i match>', 'section > div p > i', 1 ),
+
+			// Per Selectors-4, the substring matchers ^= $= *= match nothing when the value
+			// is empty. ~= also matches nothing: an empty string is never a list item.
+			'empty value ^= matches nothing' => array( '<i x=""><b x="abc">', '[x^=""]', 0 ),
+			'empty value $= matches nothing' => array( '<i x=""><b x="abc">', '[x$=""]', 0 ),
+			'empty value *= matches nothing' => array( '<i x=""><b x="abc">', '[x*=""]', 0 ),
+			'empty value ~= matches nothing' => array( '<i x=""><b x="abc">', '[x~=""]', 0 ),
+			'empty value ^= i matches nothing' => array( '<i x=""><b x="abc">', '[x^="" i]', 0 ),
+			'empty value = matches empty'    => array( '<i x="" match><b x="abc">', '[x=""]', 1 ),
+			'empty value |= matches empty or hyphen-prefixed' => array( '<i x="" match><s x="-foo" match><b x="abc">', '[x|=""]', 2 ),
+
+			/*
+			 * HTML's case-insensitive attribute value list applies to
+			 * "an HTML element in an HTML document": a foreign element with
+			 * the same attribute name keeps case-sensitive matching.
+			 * ( Chromium applies the list to foreign elements as well,
+			 * diverging from the HTML specification here. )
+			 *
+			 * https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors
+			 */
+			'HTML-namespace-only attribute case-insensitivity' => array( '<!DOCTYPE html><a type="text" match></a><svg><a type="text"></a></svg>', '[type=TEXT]', 1 ),
+		);
+	}
+
+	/**
+	 * @ticket 62653
+	 *
+	 * @expectedIncorrectUsage WP_HTML_Processor::select
+	 *
+	 * @dataProvider data_invalid_selectors
+	 */
+	public function test_invalid_selector( string $selector ) {
+		$processor = WP_HTML_Processor::create_fragment( 'irrelevant' );
+		$this->assertFalse( $processor->select( $selector ) );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array
+	 */
+	public static function data_invalid_selectors(): array {
+		return array(
+			'invalid selector'                        => array( '[invalid!selector]' ),
+
+			// The class selectors below are not allowed in non-final position.
+			'unsupported child selector'              => array( '.parent > .child' ),
+			'unsupported descendant selector'         => array( '.ancestor .descendant' ),
+
+			// Unsupported combinators
+			'unsupported next sibling selector'       => array( 'p + p' ),
+			'unsupported subsequent sibling selector' => array( 'p ~ p' ),
+		);
+	}
+}
diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php
new file mode 100644
index 0000000000000..96bb8e1b4457d
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php
@@ -0,0 +1,214 @@
+<?php
+/**
+ * Unit tests covering WP_HTML_Tag_Processor CSS selection functionality.
+ *
+ * Covers functionality related to CSS selectors and the {@see WP_HTML_Tag_Processor::select()} method.
+ *
+ * @since {WP_VERSION}
+ *
+ * @group html-api
+ */
+class Tests_HtmlApi_WpHtmlTagProcessor_Select extends WP_UnitTestCase {
+	/**
+	 * @ticket 62653
+	 */
+	public function test_select_miss() {
+		$processor = new WP_HTML_Tag_Processor( '<span>' );
+		$this->assertFalse( $processor->select( 'div' ) );
+	}
+
+	/**
+	 * @ticket 62653
+	 *
+	 * @dataProvider data_selectors
+	 */
+	public function test_select( string $html, string $selector, int $match_count ) {
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$count     = 0;
+		while ( $processor->select( $selector ) ) {
+			$this->assertTrue(
+				$processor->get_attribute( 'match' ),
+				"Matched unexpected tag {$processor->get_tag()}"
+			);
+			++$count;
+		}
+		$this->assertSame( $match_count, $count, 'Did not match expected number of tags.' );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array
+	 */
+	public static function data_selectors(): array {
+		return array(
+			'simple type'                         => array( '<div match><div match><span>', 'div', 2 ),
+			'any type'                            => array( '<div match><span match>', '*', 2 ),
+			'simple class'                        => array( '<div><div class="x" match><span><span class="x" match>', '.x', 2 ),
+			'simple id'                           => array( '<div><div id="x" match><span id="x" match>', '#x', 2 ),
+
+			'attribute presence'                  => array( '<div tta><div att match><span att="foo" match>', '[att]', 2 ),
+			'attribute empty string match'        => array( '<div tta><div att match><span match att=>', '[att=""]', 2 ),
+			'attribute value'                     => array( '<div att="v"><div att="val" match><p match att=val>', '[att=val]', 2 ),
+			'attribute quoted value'              => array( '<div att><div att="::" match><p att=\'::\' match>', '[att="::"]', 2 ),
+			'attribute case insensitive'          => array( '<div att="value"><div att="val" match><p match att=VaL>', '[att="VAL"i]', 2 ),
+			'attribute case sensitive mod'        => array( '<div att="VAL"><div att="val" match><p att=val match>', '[att="val"s]', 2 ),
+
+			'attribute one of'                    => array( '<div att="a B c"><div att="a b c" match><p att="b" match><p att="abc"><p att="abcdef b   " match>', '[att~="b"]', 3 ),
+			'attribute one of insensitive'        => array( '<div att="a c"><div att="a B c" match>', '[att~="b"i]', 1 ),
+			'attribute one of mod sensitive'      => array( '<div att="a B c"><div att="a b c" match>', '[att~="b"s]', 1 ),
+			'attribute one of whitespace cases'   => array( "<div att='     a'><div att='\na\ta   b   ' match>", '[att~="b"]', 1 ),
+
+			'attribute with-hyphen'               => array( '<p att="special_not"><p att="special" match><p att="special-great" match>', '[att|="special"]', 2 ),
+			'attribute with-hyphen insensitive'   => array( '<p att="special_not"><p att="SPECIAL" match><p att="SPECIAL-great" match>', '[att|="special" i]', 2 ),
+			'attribute with-hyphen sensitive mod' => array( '<p att="SPECIAL"><p att="special" match>', '[att|="special"s]', 1 ),
+
+			'attribute prefixed'                  => array( '<p att="notprefix"><p att="prefix" match><p att="perfect" match>', '[att^="p"]', 2 ),
+			'attribute prefixed insensitive'      => array( '<p att="notprefix"><p att="Prefix" match>', '[att^="p"i]', 1 ),
+			'attribute prefixed sensitive mod'    => array( '<p att="Prefix"><p att="prefix" match>', '[att^="p"s]', 1 ),
+
+			'attribute suffixed'                  => array( '<p att="suffix_"><p att="suffix" match><p att="brilliant…x" match>', '[att$="x"]', 2 ),
+			'attribute suffixed insensitive'      => array( '<p att="suffix_"><p att="suffiX" match>', '[att$="x"i]', 1 ),
+			'attribute suffixed sensitive mod'    => array( '<p att="suffiX"><p att="suffix" match>', '[att$="x"s]', 1 ),
+
+			'attribute contains'                  => array( '<p att="abcyz"><p att="abcxyz" match><p att="x" match>', '[att*="x"]', 2 ),
+			'attribute contains insensitive'      => array( '<p att="abcyz"><p att="abcXyz" match>', '[att*="x"i]', 1 ),
+			'attribute contains sensitive mod'    => array( '<p att="abcXyz"><p att="abcxyz" match>', '[att*="x"s]', 1 ),
+
+			/*
+			 * An escaped trailing whitespace code point is part of the ident,
+			 * not trailing whitespace: `.foo\ ` is the class `foo ` (with a
+			 * space). Class attribute values are whitespace-separated token
+			 * lists, so such a class can never match. It must NOT be confused
+			 * with a backslash at the end of input, which decodes to U+FFFD.
+			 */
+			'escaped space at end'                => array( "<div class=\"foo\u{FFFD}\"><div class=\"foo\"><div class=\"foo \">", '.foo\\ ', 0 ),
+			'escaped tab at end'                  => array( "<div class=\"foo\u{FFFD}\"><div class=\"foo\"><div class=\"foo\t\">", ".foo\\\t", 0 ),
+
+			/*
+			 * The end of input closes an open attribute selector ( and an
+			 * unterminated string ): tokenization auto-closes simple blocks
+			 * at EOF.
+			 */
+			'EOF-truncated attribute presence'    => array( '<div att match><span>', '[att', 1 ),
+			'EOF-truncated attribute value'       => array( '<div att=val match><div att=other>', '[att=val', 1 ),
+			'EOF-truncated quoted value'          => array( '<div att="a b" match><div att="a">', '[att="a b', 1 ),
+			'EOF-truncated with modifier'         => array( '<div att="VAL" match><div att=x>', '[att=val i', 1 ),
+
+			/*
+			 * HTML defines a set of attributes whose values must match ASCII
+			 * case-insensitively in selectors when no modifier is present.
+			 * An explicit `s` modifier still forces case-sensitive matching.
+			 * Attributes outside the list stay case-sensitive by default.
+			 *
+			 * https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors
+			 */
+			'HTML insensitive attribute ='        => array( '<input type="text" match><input type="TEXT" match><input type="other">', '[type=TEXT]', 2 ),
+			'HTML insensitive attribute ~='       => array( '<a rel="NoFollow external" match><a rel="me">', '[rel~=nofollow]', 1 ),
+			'HTML insensitive attribute ^='       => array( '<b media="SCREEN and x" match><b media="print">', '[media^=screen]', 1 ),
+			'HTML insensitive attribute |='       => array( '<b hreflang="EN-US" match><b hreflang="deu">', '[hreflang|=en]', 1 ),
+			'HTML insensitive attribute s mod'    => array( '<input type="text" match><input type="TEXT">', '[type=text s]', 1 ),
+			'HTML insensitive attribute i mod'    => array( '<input type="text" match><input type="TEXT" match>', '[type=text i]', 2 ),
+			'unlisted attribute stays sensitive'  => array( '<i data-type="text"><i data-type="TEXT" match>', '[data-type=TEXT]', 1 ),
+			'listed attribute name is matched case-insensitively in the list' => array( '<input type="text" match>', '[TYPE=TEXT]', 1 ),
+
+			'list'                                => array( '<div><p match><a match><span>', 'a, p, .class, #id, [att]', 2 ),
+			'compound'                            => array( '<div att><custom-el att="bar" fruit="APPLE BANANA" match>', 'custom-el[att="bar"][    fruit ~= "banana" i]', 1 ),
+		);
+	}
+
+	/**
+	 * @ticket 62653
+	 *
+	 * @expectedIncorrectUsage WP_HTML_Tag_Processor::select
+	 *
+	 * @dataProvider data_invalid_selectors
+	 */
+	public function test_invalid_selector( string $selector ) {
+		$processor = new WP_HTML_Tag_Processor( 'irrelevant' );
+		$this->assertFalse( $processor->select( $selector ) );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array
+	 */
+	public static function data_invalid_selectors(): array {
+		return array(
+			'complex descendant'              => array( 'div *' ),
+			'complex child'                   => array( 'div > *' ),
+			'invalid selector'                => array( '[invalid!selector]' ),
+
+			/*
+			 * A backslash before a newline at the end of input is not a valid
+			 * escape and is not trailing whitespace: the selector is invalid.
+			 * The CR and FF variants are normalized to a newline before
+			 * tokenizing.
+			 */
+			'escape before newline at end'    => array( ".foo\\\n" ),
+			'escape before CR at end'         => array( ".foo\\\r" ),
+			'escape before FF at end'         => array( ".foo\\\f" ),
+
+			/*
+			 * EOF auto-closes an open attribute selector block, but
+			 * grammar-level truncation is still invalid.
+			 */
+			'truncated matcher without value' => array( '[a=' ),
+			'truncated half matcher'          => array( '[a~' ),
+			'lone open bracket'               => array( '[' ),
+		);
+	}
+
+	/**
+	 * Selector strings are UTF-8 text: invalid byte sequences are replaced
+	 * with U+FFFD per maximal subpart before parsing. A selector containing
+	 * invalid bytes therefore matches a literal U+FFFD in the document, and
+	 * an identity escape of an invalid byte is equivalent to the same byte
+	 * unescaped — both are scrubbed before tokenization.
+	 *
+	 * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors
+	 */
+	public function test_select_scrubbed_selector_matches_replacement_character() {
+		$html = "<div class=\"a\u{FFFD}b\">";
+
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$this->assertTrue(
+			$processor->select( ".a\xC0b" ),
+			'Scrubbed selector should match the replacement character in the document.'
+		);
+
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$this->assertTrue(
+			$processor->select( ".a\\\xC0b" ),
+			'An identity escape of an invalid byte should be equivalent to the unescaped byte.'
+		);
+	}
+
+	/**
+	 * A selector containing invalid bytes can never match those same raw
+	 * bytes in a document: the selector side is scrubbed to U+FFFD while
+	 * the Tag Processor reports raw document bytes untouched.
+	 *
+	 * This pins a deliberate, documented divergence. If the HTML API value
+	 * getters (get_attribute(), class_list(), …) are ever changed to scrub
+	 * invalid UTF-8 in their return values, both sides become U+FFFD and
+	 * this case flips to a match — update this expectation in the same
+	 * change.
+	 *
+	 * The selector byte (0xC1) is unique within this file on purpose:
+	 * select() memoizes the most recently parsed selector string, so the
+	 * scrub notice only fires when this test's selector was not already
+	 * parsed by an earlier test. A unique selector string guarantees a
+	 * fresh parse regardless of test order.
+	 *
+	 * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors
+	 */
+	public function test_select_scrubbed_selector_does_not_match_raw_invalid_document_bytes() {
+		$processor = new WP_HTML_Tag_Processor( "<div class=\"a\xC1b\">" );
+		$this->assertFalse(
+			$processor->select( ".a\xC1b" ),
+			'Scrubbed selector should not match raw invalid bytes in the document.'
+		);
+	}
+}
diff --git a/tools/css-selector-fuzz/COVERAGE.md b/tools/css-selector-fuzz/COVERAGE.md
new file mode 100644
index 0000000000000..e7b715c0a8894
--- /dev/null
+++ b/tools/css-selector-fuzz/COVERAGE.md
@@ -0,0 +1,119 @@
+# CSS Selector Fuzzer — Coverage Report
+
+Line coverage of `src/wp-includes/html-api/css/` under the fuzzer, measured
+with phpdbg's opcode log over 3000 deterministic seeds:
+
+    phpdbg -qrr tools/css-selector-fuzz/coverage.php --seeds 3000 --list-uncovered
+
+| file | covered / executable | % |
+|---|---|---|
+| class-wp-css-attribute-selector.php       | 108 / 119 | 90.8% |
+| class-wp-css-class-selector.php           |  10 / 10  | 100%  |
+| class-wp-css-complex-selector-list.php    |  16 / 16  | 100%  |
+| class-wp-css-complex-selector.php         |  59 / 66  | 89.4% |
+| class-wp-css-compound-selector-list.php   |  27 / 28  | 96.4% |
+| class-wp-css-compound-selector.php        |  29 / 32  | 90.6% |
+| class-wp-css-id-selector.php              |  12 / 12  | 100%  |
+| class-wp-css-selector-parser-matcher.php  | 120 / 124 | 96.8% |
+| class-wp-css-type-selector.php            |  15 / 17  | 88.2% |
+| **TOTAL**                                 | **396 / 424** | **93.4%** |
+
+The 28 unreached lines are all accounted for below: twelve are a phpdbg
+measurement artifact (the code executes), twelve are defensive guards the
+public entry points cannot reach, two are the escape decoder's
+invalid-byte arm that the input scrub made unreachable through
+`from_selectors()`, and two are reachable lines this seed window happens
+to miss. Counting the artifact lines as covered, effective coverage is
+**408 / 424 = 96.2%**.
+
+(Executable-line totals grew from 408 to 424 with the case-insensitive
+attribute value list and the invalid-UTF-8 scrub changes.)
+
+## phpdbg `case`-label artifact (12 lines — code executes)
+
+phpdbg attributes a `switch` arm's execution to the body line, not the bare
+`case X:` label line. The fuzzer exercises every one of these arms (verified
+directly: the body line immediately after each label is covered, and the
+lexbor differential + self-check confirm the corresponding behavior). These
+are not real gaps:
+
+- `class-wp-css-attribute-selector.php`
+  - 378, 382, 386, 390, 394 — the `~= |= ^= $= *=` matcher operators.
+  - 419, 420, 425, 426 — the `i`/`I`/`s`/`S` case modifiers.
+- `class-wp-css-compound-selector.php`
+  - 120, 122, 124 — the `.` / `#` / `[` subclass-selector dispatch.
+
+## Defensive guards unreachable from the public API (12 lines)
+
+These are internal precondition checks that the calling code already
+guarantees, or branches for grammar the parser never emits:
+
+- `class-wp-css-attribute-selector.php:351` — `return null` when the first
+  byte is not `[`. `parse()` is only ever called by
+  `parse_subclass_selector()` *after* it has matched `[`, so the guard never
+  fires.
+- `class-wp-css-complex-selector.php:170–179` — the `_doing_it_wrong`
+  "unsupported combinator" arm in the match walker. The parser only ever
+  stores `' '` (descendant) or `'>'` (child) combinators, so the match-time
+  default arm is dead defensively.
+- `class-wp-css-compound-selector-list.php:107` — `return false` when the
+  processor is not on a `#tag` token. `select()` only invokes matching while
+  positioned on a tag; reachable only by calling `matches()` directly off a
+  non-tag token.
+- `class-wp-css-selector-parser-matcher.php:375` —
+  `next_two_are_valid_escape()` EOF guard; every caller either bound-checks
+  first or only calls it on a known backslash byte.
+- `class-wp-css-type-selector.php:45` — `return false` when `get_tag()` is
+  null during matching; matching only runs on resolved element tokens.
+- `class-wp-css-type-selector.php:75` — `parse()` EOF guard; the compound
+  parser checks `offset < strlen` before calling.
+
+## Un-normalized input only (2 lines — pinned by PHPUnit)
+
+- `class-wp-css-selector-parser-matcher.php:287–288` — the escape decoder's
+  invalid-byte arm (consume the maximal subpart `_wp_scan_utf8()` reported,
+  return one U+FFFD). The invalid-UTF-8 scrub in `normalize_selector_input()`
+  made this arm structurally unreachable through `from_selectors()` — the
+  fuzzer's only entry point — and it exists for direct `parse()` callers
+  with un-normalized input. The escape pins in
+  `tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php` exercise it
+  for every invalid-byte decode class under the U+2603 canary.
+
+## Reachable, but missed by this seed window (2 lines)
+
+Both lines are demonstrably reachable (witnesses verified directly under
+phpdbg) but sit behind enough generator coin flips that a fixed 3000-seed
+window may or may not sample them; earlier revisions of this report saw
+them flicker in and out across windows:
+
+- `class-wp-css-attribute-selector.php:345` — the `[x` minimum-length
+  guard; witness: `[` (also `.a[`, `a[`) at the end of input.
+- `class-wp-css-selector-parser-matcher.php:149` — `parse_string()`'s
+  break when plain string content runs to end of input; witness: `[a="b`
+  (the `eof-truncated` edge-escape kind reaches it only when its quote-drop
+  and no-backslash coins both land, ~1 expected case per 3000 seeds).
+
+## Notes on what raised coverage
+
+- The `edge-escape` bucket drives the U+FFFD escape-decoder branch
+  (`consume_escaped_codepoint` for NUL / surrogate / over-max codepoints)
+  and the `normalize_selector_input` NUL→U+FFFD and CR/CRLF/FF→LF paths,
+  which the structural generators cannot reach. Its `eof-escape` kind covers
+  the backslash-at-end-of-input → U+FFFD decode, and its `eof-truncated`
+  kind covers the EOF auto-close paths in the attribute parser, including
+  unterminated strings (with and without a trailing "do nothing" backslash,
+  which keeps the `parse_string` backslash-at-EOF arm exercised).
+- The `invalid-utf8` bucket and the `mutated` bucket's raw-byte splice
+  drive the `wp_scrub_utf8()` replacement branch and its
+  `_doing_it_wrong()` notice in `normalize_selector_input()`
+  deterministically (previously hit only organically — `chaos`
+  byte-slicing its multibyte `unicode` alphabet, `mutated` corrupting the
+  pools' few multibyte characters), and the splice makes the
+  unparseable-and-invalid-UTF-8 notice ordering in the worker hot.
+- A few `invalid`-bucket templates (`[a=`, `[a~`, `[a="b<LF>c`, `a.`) reach
+  attribute / string / class parse guards that random structural generation
+  rarely lands on. With them the per-file numbers above are stable
+  at the documented 3000-seed window (e.g. `class-wp-css-class-selector.php`
+  reaches 10/10 reliably rather than depending on whether a bare `.` happened
+  to be sampled) — apart from the two borderline-frequency lines listed
+  above.
diff --git a/tools/css-selector-fuzz/FINDINGS.md b/tools/css-selector-fuzz/FINDINGS.md
new file mode 100644
index 0000000000000..16ed2d734e79e
--- /dev/null
+++ b/tools/css-selector-fuzz/FINDINGS.md
@@ -0,0 +1,173 @@
+# CSS Selector Fuzzer — Findings
+
+Run: branch `html-css-fuzz` @ `5da3afedd0`, PHP 8.4.21. 5000 deterministic
+seeds, 0 crashes/timeouts. Three distinct, reproduced WordPress-core correctness
+bugs in the new HTML-API CSS selector support. Every selector below is valid,
+supported CSS that the API mis-handles **without** reporting lack of support.
+
+**Status: all three bugs are fixed on this branch** (commit prefix
+`CSS selector:` — Bug 1 `aed6cfb4aa`, Bug 2 `989e18da8a`, Bug 3 `0a87b20178`),
+each with PHPUnit regression tests that fail pre-fix. A post-fix 5000-seed run
+is clean (0 failures, 0 crashes). The repros below no longer trigger; they
+remain as regression anchors and Trac-ready minimal test cases.
+
+No new bugs surfaced beyond these three, and no fuzzer-side (oracle or
+generator) defect surfaced: with all three fixes applied a 5000-seed run is
+completely clean, and the lexbor differential (third independent oracle) agreed
+with the reference matcher on every compared no-quirks case (0 `lexbor-divergence`).
+Caveats on the strength of that agreement: roughly half of the `compared`
+cases (and ~62% of all match assertions across buckets) are vacuous `[] == []`;
+older lexbor builds with #368 exclude quirks-mode class/ID matching from the
+differential, though current harnesses include it when the startup probe reports
+reliable class/#id behavior in both no-quirks and quirks mode. See `README.md`
+for the full disclosure.
+
+Reproduce any case: `php tools/css-selector-fuzz/replay.php --selector '<sel>' [--html '<html>']`.
+Auto-minimize a failing seed: `php tools/css-selector-fuzz/minimize.php --seed <seed>`
+(faithful for seeds with a self-contained failure; seeds whose only recorded
+failure is generator-side — `ast-mismatch`, `parse-expectation` — are refused
+unless a related self-contained signature is opted into with `--signature`).
+
+---
+
+## Bug 1 — Identity escapes mis-decode after a multibyte character (mis-parse)
+
+**Invariant:** `ast-mismatch` (57 hits, the dominant signature).
+
+`WP_CSS_Selector_Parser_Matcher::consume_escaped_codepoint()` decodes a
+non-hex ("identity") escape with:
+
+```php
+$codepoint_char = mb_substr( $input, $offset, 1, 'UTF-8' );
+```
+
+`$offset` is a **byte** offset (threaded by reference through the whole
+selector-string parse), but `mb_substr()`'s 2nd argument is a **character**
+index. The two diverge by one per multibyte continuation byte seen earlier in
+the string, so an identity escape preceded by any multibyte content decodes the
+**wrong codepoint** (reads N characters too far right, N = preceding continuation bytes).
+
+Minimal reproduction (second selector's type should be `sup`):
+
+| selector | parsed context type |
+|---|---|
+| `#abc,\sup #x`  | `sup` ✅ |
+| `#Ü,\sup #x`    | `uup` ❌ |
+| `#ÜÜ,\sup #x`   | `pup` ❌ |
+| `#ÜÜÜ,\sup #x`  | `" up"` ❌ |
+
+Hex escapes (`\75 `) use byte-correct `substr` and are unaffected; only the
+non-hex identity-escape branch is wrong. Depending on what wrong codepoint is
+produced this also causes spurious parse failures (a valid selector returns
+`null`).
+
+**Fix (landed in `aed6cfb4aa`):** read the next codepoint from the byte
+offset: `mb_substr( substr( $input, $offset ), 0, 1, 'UTF-8' )`.
+
+---
+
+## Bug 2 — Empty-value `^=` `*=` `$=` match everything instead of nothing (mis-match)
+
+**Invariant:** `match-mismatch-html` / `match-mismatch-tag` (12 hits).
+
+Per Selectors-4, `[attr^=""]`, `[attr*=""]`, `[attr$=""]` match **nothing** (an
+empty operand never matches). `WP_CSS_Attribute_Selector::matches()` instead:
+
+- `^=`: `substr_compare($attr,'',0,0) === 0` → always 0 → matches any element with the attribute.
+- `*=`: `strpos($attr,'') === 0` (PHP) → matches any element with the attribute.
+- `$=`: matches elements whose attribute value is exactly `""`.
+
+`~=` is handled correctly (returns nothing for an empty/whitespace operand).
+
+Reproduction against `<i x="">…</i><b x="abc">…</b><u>…</u>`:
+
+| selector | WP matches | spec |
+|---|---|---|
+| `[x^=""]` | `I, B` | none |
+| `[x*=""]` | `I, B` | none |
+| `[x$=""]` | `I`    | none |
+| `[x~=""]` | none ✅ | none |
+
+**Fix (landed in `989e18da8a`):** in `matches()`, return `false` for `^= $= *=`
+when `'' === $this->value`, before the `substr_compare`/`strpos` calls. `~=`
+needs no guard — a whitespace-delimited list never yields an empty item — and
+a test pins that. (No `substr_compare` length edge exists here: `-strlen('')`
+is `0`, and PHP clamps out-of-range negative offsets rather than erroring.)
+
+---
+
+## Bug 3 — Off-by-one length guard rejects `[name=x]` at end of string (false reject)
+
+**Invariant:** `parse-expectation` (1 hit; valid selector → `null`).
+
+`WP_CSS_Attribute_Selector::parse()` guards "need at least `=x]` remaining":
+
+```php
+// need to match at least `=x]` at this point
+if ( $updated_offset + 3 >= strlen( $input ) ) {
+    return null;
+}
+```
+
+`>=` is off by one: it also rejects the exact-fit case where `=x]` **is** the
+remaining tail. This rejects a valid attribute selector that uses the exact-match
+`=` operator with a single-character **unquoted** value when its `]` is the last
+character of the selector string.
+
+| selector | result |
+|---|---|
+| `[a=b]`        | `null` ❌ |
+| `div.x[y=z]`   | `null` ❌ |
+| `[a=bb]`       | parsed ✅ (2-char value) |
+| `[a="b"]`      | parsed ✅ (quoted) |
+| `[a^=b]`       | parsed ✅ (2-char operator) |
+| `[a=b].c`      | parsed ✅ (trailing content) |
+
+**Fix (landed in `0a87b20178`):** change `>=` to `>` (need
+`strlen - $updated_offset >= 3`).
+
+---
+
+## Triage of the 5000-seed run (unpatched core)
+
+427 failures, every one attributable to one of the three bugs above. The
+signature → bug mapping (and why each is a WP finding, not a fuzzer defect):
+
+| signature | hits | bug | how it manifests |
+|---|---|---|---|
+| `metamorphic-ast` (5 variants) | 328 | Bug 1 | a re-rendered / escaped variant of a selector parses to a different AST because an identity escape after multibyte content mis-decodes |
+| `ast-mismatch` | 71 | Bug 1 | generated AST ≠ parsed AST, same root cause |
+| `path-expectation` | 1 | Bug 1 | a path-directed selector with a multibyte-then-identity-escape value (`Über90\ x`) mis-parses, so the element it was built from no longer matches |
+| `metamorphic-parse` (4 variants) | 9 | Bug 3 | a re-rendered variant ending in a single-char unquoted value at EOF is wrongly rejected |
+| `parse-expectation` (2 variants) | 7 | Bug 3 | the generated selector itself ends in `=x]` and is wrongly rejected (e.g. `[dir =a]`) |
+| `match-mismatch-html` | 7 | Bug 2 | empty-operand `^= *= $=` match elements the spec says they must not |
+| `match-mismatch-tag` | 4 | Bug 2 | same, via the tag processor |
+
+Zero `lexbor-divergence`, zero `model-desync`, zero crashes/timeouts. With all
+three fixes applied, the same 5000 seeds run with **0 failures** — confirming
+the fuzzer reports exactly these three bugs and nothing spurious.
+
+## Fuzzer status
+
+Implemented and validated:
+
+- Deterministic seeds, seed-based replay, self-check suite
+  (`php tools/css-selector-fuzz/tests/self-check.php` passes).
+- Seven-bucket selector generation including **path-directed** synthesis
+  (combinator positive-match rate ~68% vs ~14% before) and **edge-escape**
+  (U+FFFD escape decoder, input normalization).
+- Three independent match oracles: the spec-faithful `ReferenceMatcher`, the
+  AST round-trip, and a **lexbor differential** (liblexbor v3.0.0, no-quirks
+  documents, tree-equality gated). The three agree on every compared case.
+- **Metamorphic invariants** (oracle-free): meaning-preserving transforms keep
+  the match set; AST-preserving transforms keep the AST.
+- **Parser-derived oracle tree** (`TreeCapture`): the processor's own parse is
+  ground truth, so **wild / restructured HTML** and **`<body>` fragments** are
+  fuzzed, not only clean trees.
+- **Line coverage** measured (93.4%, see `COVERAGE.md` — the source of truth
+  for current numbers; 96.2% effective, remainder justified).
+- **Automatic minimizer** (`minimize.php`): delta-debugs selector and HTML to a
+  minimal reproducer preserving a chosen signature.
+
+See `README.md` for usage and `NEXT-STEPS.md` for the roadmap this work
+completed.
diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md
new file mode 100644
index 0000000000000..322d666ad1fe4
--- /dev/null
+++ b/tools/css-selector-fuzz/NEXT-STEPS.md
@@ -0,0 +1,363 @@
+# CSS Selector Fuzzer — Next Steps / Improvement Roadmap
+
+> **Status: all seven work items below are implemented and validated** (see
+> `README.md`, `COVERAGE.md`, `FINDINGS.md`). The acceptance bar is met:
+> coverage measured (93.4%; 96.2% effective — `COVERAGE.md` is the source
+> of truth for the current numbers, remainder justified);
+> three oracles agree on no-quirks supported cases with every divergence
+> triaged; metamorphic invariants passing; combinator positive-match rate
+> raised from 14.5% to ~68% (path-directed bucket); minimizer working; a clean
+> 5000-seed run with all signatures triaged to the three known bugs, all of
+> which still reproduce. The notes below are retained as the design rationale.
+>
+> **Core fixes landed:** the three FINDINGS.md bugs are fixed on this branch
+> (`CSS selector:` commits `aed6cfb4aa` / `989e18da8a` / `0a87b20178`), each
+> with PHPUnit regression tests. A post-fix 5000-seed run is clean.
+>
+> **Fuzzer-side follow-up hardening implemented (2026-06-12):**
+> `tests/self-check.php` now allowlists known core parse-bug signatures in its
+> fixed seed-window parse-expectation loop, while unknown mismatches still fail.
+> The safe and wild document generators now inject NUL into random class tokens
+> and expose the decoded U+FFFD token to class-selector generation, without
+> leaking raw class values into the generic attribute-value pool. The lexbor
+> differential includes quirks documents whenever the startup probe confirms
+> class/#id behavior in both no-quirks and quirks mode (local master-built
+> harness `3a2d595fe8c50e5076ac79c02b2ded79a777bb52` passes), and `runner.php`
+> reports per-bucket/per-target vacuous and non-vacuous match assertion rates
+> under `matchStats`.
+>
+> **Candidate finding 4 — FIXED:** per CSS Syntax 3 §4.3.8, `\` followed by
+> EOF is a valid escape (EOF is not a newline), and §4.3.7 says consuming it
+> returns U+FFFD — so `.foo\` parses as class `foo\u{FFFD}`. Verified against
+> lexbor (agrees: `.foo\` matches class `foo\u{FFFD}`; `\` parses as type
+> `\u{FFFD}`). Fixed on this branch (`CSS selector:` commit): EOF guard in
+> `consume_escaped_codepoint()` returns U+FFFD, `next_two_are_valid_escape()`
+> accepts a backslash as the final byte. Review of the fix surfaced a second
+> bug in the same family: `normalize_selector_input()` trimmed *trailing*
+> whitespace before tokenizing, so `.foo\ ` (escaped space — valid class
+> `foo `, matches nothing) and `.foo\<LF>` (invalid escape — must be
+> rejected) both collapsed to `.foo\` and matched class `foo\u{FFFD}` — a
+> wrong-match-set bug. Fixed by switching to `ltrim()`; the grammar consumes
+> insignificant trailing whitespace. Fuzzer updated to match: the lone `\`
+> invalid-bucket entry became `\<LF>` (still invalid), and `edge-escape`
+> gained an `eof-escape` kind covering `.name\` / `#name\` / `name\`.
+>
+> **Candidate finding 5 (recorded 2026-06-10, low severity, not fixed):**
+> the attribute-selector case modifier is matched byte-wise (`i`/`I`/`s`/`S`
+> literals), so an *escaped* modifier ident like `[a=b \69]` (tokenizes to
+> the ident `i`) is rejected. Per the Selectors-4 grammar `<attr-modifier> =
+> i | s` these are ident tokens, so escapes should arguably be accepted —
+> but browsers are themselves inconsistent (Chromium accepts `[a=b \69]`
+> and rejects `[a=b \73]`). Fail-safe refusal, not a mis-match; revisit only
+> if the matcher ever moves to token-level parsing.
+>
+> **EOF auto-close for attribute selectors — IMPLEMENTED (2026-06-10):**
+> per CSS Syntax 3 §5.4.8/§4.3.5, the end of input closes an unterminated
+> simple block (and an unterminated string), so `[att=val`, `[att`,
+> `[att="a b`, and `[att=val i` are valid selectors; grammar-level
+> truncations (`[`, `[a=`, `[a~`, `[a=b, div`) stay invalid. Verified
+> against Chromium form-by-form, including an exhaustive per-byte
+> truncation table in review. lexbor rejects all EOF-truncated forms
+> (drafted as `lexbor/UPSTREAM-ISSUES.md` issue 4); the differential is
+> unaffected because it compares canonical re-renders. Fuzzer gained an
+> `eof-truncated` edge-escape kind and the invalid corpus was reshuffled
+> along the new validity boundary; COVERAGE.md regenerated.
+>
+> **Invalid-UTF-8 input policy — IMPLEMENTED as scrub (2026-06-11):**
+> selector strings are UTF-8 text; `normalize_selector_input()` now decodes
+> the byte stream first via `wp_scrub_utf8()` (WP 6.9, maximal-subpart
+> U+FFFD replacement, matching the WHATWG decoder CSS Syntax §3.2 invokes),
+> and reports a `_doing_it_wrong()` (named `<class>::from_selectors`) when
+> the input changed. The `mb_substitute_character()` leak in
+> `consume_escaped_codepoint()` is gone structurally: the identity arm's
+> `mb_substr()` fallback is replaced by "consume the maximal subpart the
+> `_wp_scan_utf8()` scan already reported, return one U+FFFD" — reachable
+> only via direct `parse()` calls with un-normalized input, and consistent
+> with the scrub when it is. Decision history: reject (`wp_is_valid_utf8()`
+> → null) and raw passthrough were rejected after a three-persona
+> adversarial panel; scrub is the unique option stable under both the
+> current raw value getters and their likely scrubbed future. The U+2603
+> canary in `wpCssSelectorParserMatcher.php` set_up() is retained
+> permanently — its job inverted from documenting the leak to proving
+> setting-independence. Worker.php learned the notice contract (scrub
+> notice expected iff `!wp_is_valid_utf8(selector)`) and flushes the
+> `select()` parse caches before each notice-assertion window so the
+> once-per-parse notice is deterministic under case re-runs.
+> **Linked obligation:** the select-level pin
+> `test_select_scrubbed_selector_does_not_match_raw_invalid_document_bytes`
+> documents that scrubbed selectors cannot match raw invalid document
+> bytes; if the HTML API value getters (`get_attribute()`, `class_list()`,
+> …) are ever changed to scrub their return values, that case flips to a
+> match and the pin must be updated in the same change.
+> **Optional follow-up:** tightening the `parse()` prototype from public to
+> protected (the classes are `@access private`) would make un-normalized
+> input structurally impossible and let the defensive escape arm be
+> deleted.
+>
+> **HTML case-insensitive attribute value list — IMPLEMENTED (2026-06-10):**
+> per https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors
+> the values of ~46 listed attributes (`type`, `rel`, `lang`, `dir`,
+> `media`, ...) match ASCII case-insensitively on HTML elements when the
+> selector has no modifier; an explicit `s` still forces sensitivity, and
+> elements outside the html namespace are unaffected. Oracle notes from
+> verification:
+> - **lexbor does not implement the rule at all** (`[rel=nofollow]` does
+>   not match `rel="NOFOLLOW"`) — compensated in the differential the same
+>   way as lexbor #368 (lexbor is compared against the reference run with
+>   the list disabled); drafted as `lexbor/UPSTREAM-ISSUES.md` issue 5.
+> - The case-flip generator twist in `path_attr_feature` makes the folding
+>   load-bearing for `mustMatchFid` (mutation-tested: disabling the core
+>   branch fires 11 failures in 3000 seeds). Minor leftovers from review:
+>   the unused `expected_*_processor_matches` back-compat helpers in
+>   `ReferenceMatcher` silently default rows to the html namespace — fine
+>   today (the safe model generator emits no foreign content) but a trap
+>   for a future caller; and `s`-forces-sensitivity only gets differential
+>   coverage when sampled values happen to differ in case (pinned by unit
+>   tests instead).
+> - **Chromium applies the list to foreign elements too** (`[type=TEXT]`
+>   matches `<svg><a type="text">`), diverging from the HTML spec's "on an
+>   HTML element" scoping. WP follows the spec (html namespace only, via
+>   `get_namespace()`). The standalone Tag Processor has no namespace
+>   tracking and applies the list to every element — an inherent
+>   tag-processor approximation, same as its ancestor-blind matching.
+>
+> **Session decisions (2026-06-10, both since implemented — see the
+> IMPLEMENTED entries above):** EOF-truncated selectors (`div[a=b`) are
+> spec-conformant (CSS Syntax auto-closes open blocks at EOF) rather than
+> documented as an intentional rejection. HTML's default case-insensitive
+> attribute value list is implemented (no-modifier + html-namespace +
+> listed attribute; explicit `s` keeps forcing case-sensitivity).
+> Grammar-level truncations (`[`, `[a=`, `div >`, `div,`) stay invalid —
+> browsers reject those too. No Trac tickets for any of this.
+>
+> **O(1) identity-escape decode — IMPLEMENTED (2026-06-11, perf only):**
+> `consume_escaped_codepoint()`'s identity arm no longer copies the input
+> tail per escape (`mb_substr( substr( … ) )`); it sizes the code point in
+> place with `_wp_scan_utf8( $input, $at, $invalid_length, 4, 1 )`
+> (`compat-utf8.php`, WP 6.9). 200KB all-escape selector: 180 ms → 45 ms,
+> scaling now linear (47/90/180 ms at 200/400/800KB; previously ~4× per
+> doubling). Behavior is byte-identical by construction: escapes of
+> *invalid* UTF-8 still fall through to the literal old `mb_substr()` line
+> (re-verified ~74M differential cases, 0 mismatches, including non-default
+> `mb_substitute_character` settings), so the open invalid-UTF-8 policy
+> decision is untouched — and that fallback path remains quadratic for
+> selectors made of escaped invalid bytes (accepted; developer-supplied
+> input). Caution recorded in-code: `_wp_utf8_codepoint_span()` looks like
+> the natural helper but passes `max_bytes = null`, making its ASCII
+> fast-path O(tail) per call — quadratic again. Escape pin coverage grew to
+> 14 cases (2/3/4-byte chars incl. at-EOF, NUL, each invalid-byte class).
+> (Superseded the same day for invalid bytes: the `mb_substr()` fallback and
+> its quadratic tail were removed by the scrub implementation — see the
+> invalid-UTF-8 policy entry above.)
+>
+> **Fuzzer coverage for the scrub surface — IMPLEMENTED (2026-06-11):**
+> the deferred coverage work for the invalid-UTF-8 scrub landed in three
+> pieces. (1) A dedicated `invalid-utf8` generator bucket injects raw
+> ill-formed sequences into class/ID/attribute-name idents and quoted
+> string operands and carries the post-scrub AST; the per-class maximal-
+> subpart U+FFFD counts are pinned independently of `wp_scrub_utf8()`
+> (self-check additionally duplicates the class names and byte values, so
+> a deleted or drifted table entry fails instead of shrinking the
+> assertion). (2) A `mutated`-bucket splice kind inserts raw ill-formed
+> sequences at arbitrary byte offsets — no expectations, but it makes the
+> worker's invalid-UTF-8 rejection branch hot (scrub + two `select()`
+> notices), which no other bucket reached. (3) The explicit lexbor probe:
+> lexbor accepts raw invalid selector bytes and replaces them with U+FFFD,
+> but NOT per the WHATWG maximal-subpart rule — one U+FFFD per byte for
+> truncated sequences (`E2 8C` → 2, spec 1) and one per whole sequence for
+> UTF-8-encoded surrogate halves (`ED A0 80` → 1, spec 3) — drafted as
+> `lexbor/UPSTREAM-ISSUES.md` issue 6. The differential is unaffected and
+> stays live for the bucket: it feeds lexbor the canonical re-render of
+> the post-scrub AST (escaped, pure ASCII), the same mechanism that
+> sidesteps lexbor's other byte-level parsing bugs. Doc-side observation:
+> lexbor keeps raw invalid bytes in the DOM unchanged (same stance as the
+> Tag Processor), so raw doc bytes match nothing in either engine. The
+> handoff's optional metamorphic relation `parse(s) === parse(scrub(s))`
+> was skipped deliberately: it is near-tautological (it could only catch
+> a `from_selectors()` bypass, and no public path bypasses it).
+>
+> **Still open:** `gen_chaos()`'s whole-codepoint `unicode` branch is dead
+> code — it compares the alphabet *string* against the key `'unicode'` after
+> the value lookup already happened — so the unicode alphabet is byte-sliced
+> by the generic fallback instead. That slicing is what makes chaos emit
+> invalid UTF-8 organically (~15% of chaos cases), so making the branch live
+> is a behavior decision, not just a cleanup: it would remove chaos's organic
+> ill-formed-byte production, leaving the deliberate paths (`invalid-utf8`
+> bucket, `mutated` splice) plus `mutated`'s residual organic corruption of
+> pool multibyte characters (~2% of mutated cases even without the splice).
+
+Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch
+`html-css-fuzz` (trunk + merged `html-api/add-css-selector-parser`).
+PHP 8.4.21. The fuzzer and all fixes are committed on this branch
+(`CSS selector:` / `CSS selector fuzz:` prefixed commits). `/artifacts` is
+gitignored (runner output lives there).
+
+## Measured weaknesses driving this plan
+
+- Match oracle is a hand-reimplementation (`ReferenceMatcher`) by the same author
+  who could share a spec misreading with WP — no third opinion exists today.
+- Positive-match rate is low (measured): supported-compound 39.6% of parseable
+  cases match ≥1 element; supported-complex only **14.5%**; ~72% of all supported
+  cases match nothing. Most match assertions are vacuous `[] == []`.
+- The "structurally safe element set" restriction (needed so `model ==
+  parse-tree` holds) means combinator/breadcrumb matching is only ever tested on
+  clean trees — never on foster-parented / adoption-agency / foreign-content /
+  implied-end-tag restructured trees, which are the hard cases.
+- No metamorphic invariants (the cheapest oracle-free signal class) — absent.
+- Line coverage never measured. Some target branches are provably unreachable by
+  the current generator (e.g. `consume_escaped_codepoint`'s U+FFFD path for
+  null/surrogate/over-max codepoints; the `normalize_selector_input` NUL→U+FFFD
+  path).
+- No automatic minimizer (the sibling `html-api-fuzz` branch ships
+  `tools/html-api-fuzz/minimize.php` as a pattern to copy).
+- Match path only exercises `WP_HTML_Processor::create_full_parser`; fragment
+  contexts and varied quirks-mode triggers (only doctype presence is toggled)
+  are untested.
+
+## Work items, in priority order
+
+### 1. Metamorphic invariants (cheapest, highest signal-per-effort, no deps)
+
+Add oracle-free relations to `Worker::run_case` that must hold for any parseable
+supported selector over any document. For each, transform the selector, assert
+the match set (both processors) is unchanged — or for AST-level ones, assert the
+extracted AST is unchanged:
+
+- ASCII-case-fold a type-selector name → identical matches (type names are
+  case-insensitive).
+- Reorder subclass selectors within a compound (`div.a#b[c]` ≡ any permutation of
+  the subclass part) → identical matches and structurally-equivalent AST.
+- Escape an arbitrary ident codepoint that does not require escaping → identical
+  AST and matches (exercises the escape decoder against the no-op case).
+- Append a redundant universal (`sel` vs `sel:where`-free `*sel` where the type
+  slot is empty → `*` + subclasses) → identical matches.
+- Duplicate a selector-list branch (`a, a`) → identical matches.
+- Whitespace-insert around combinators and commas where insignificant → identical
+  matches.
+
+These need no external engine; they would have independently caught Bug 1.
+
+### 2. Path-directed generation (fix the 14.5% positive-match rate)
+
+Add a generation mode that GUARANTEES positive matches and meaningful negatives:
+
+- Pick a random element in the generated model tree.
+- Synthesize a selector that must match it: type from its tag, subclasses from a
+  subset of its real classes/id/attributes, and (for complex) a context chain
+  drawn from its real ancestor tags with `>`/descendant combinators matching the
+  actual nesting.
+- Emit the matching selector (assert it matches that element) AND near-miss
+  mutations (swap one ancestor combinator `>`↔descendant, drop/extend a class,
+  change one attribute operator) and assert the flip.
+
+This makes the combinator/breadcrumb walker actually exercised with real depth
+and real positive/negative boundaries instead of mostly-empty match sets. Keep
+the existing buckets; add this as a new bucket.
+
+### 3. lexbor differential oracle (the match-oracle correctness ceiling)
+
+Use lexbor as a THIRD, independent oracle — primarily to validate
+`ReferenceMatcher`, secondarily to unlock wilder HTML. Build cost is acceptable
+(confirmed by maintainer). Refs: https://lexbor.com/modules/selectors/ and the
+HTML module for selector matching.
+
+Design:
+
+- C harness linking liblexbor: read many `{html, selector}` cases from stdin
+  (one process, batched — invoked by the runner like the existing PHP worker
+  subprocess; isolate crashes). Parse HTML with `lxb_html_document_parse`, parse
+  the selector with the CSS/selectors module, run `lxb_selectors_find`, and via
+  the callback collect each matched element's unique `data-fid` attribute. Emit
+  one line of matched-fid sets per case. FFI to `liblexbor.so` is an acceptable
+  alternative but a standalone CLI isolates crashes better.
+- Mark every generated element with a unique `data-fid` (the generator already
+  does this).
+- **Tree-equality gate:** only run the differential on cases where WP's tree and
+  lexbor's tree agree (compare the fid→tag→breadcrumb sequence from each). This
+  isolates the SELECTOR layer from HTML tree-construction differences (which are
+  a different fuzzer's concern — see `html-api-fuzz`). Bonus: this gate lets you
+  fuzz ARBITRARY/wild HTML and keep any case where the two trees agree, which
+  relaxes the current "safe element set" restriction and reaches restructured
+  trees the present generator can't produce.
+- Three-way verdict: `reference ≠ lexbor` ⇒ fuzzer-oracle bug (fix the fuzzer);
+  `reference == lexbor ≠ WP` ⇒ high-confidence WP finding.
+
+**CRITICAL CAVEAT — quirks-mode / case-sensitivity:** lexbor has a known
+class/ID case-sensitivity bug — https://github.com/lexbor/lexbor/issues/368.
+WP folds class/ID names ASCII-case-insensitively in QUIRKS mode and
+case-sensitively in no-quirks (`WP_HTML_Tag_Processor::is_quirks_mode()`); type
+names are always case-insensitive. Do NOT trust lexbor on quirks-mode case
+behavior. Restrict the lexbor differential to **no-quirks documents** (emit
+`<!DOCTYPE html>`), and keep `ReferenceMatcher` as the authority for the
+quirks-mode path. Record the exact lexbor master commit used and note whether
+#368 is fixed in it. Re-evaluate enabling quirks comparison only after verifying
+lexbor's behavior against that issue.
+
+- Also surface (don't auto-fail) **attribute default case-insensitivity**:
+  Selectors-4/HTML define a set of attributes matched case-insensitively by
+  default; WP appears to implement only explicit `i`/`s` modifiers. lexbor may
+  implement the default set, producing divergence that is either a real WP
+  conformance gap or an intentional subset limitation — triage per case and
+  report.
+
+### 4. Parser-derived oracle tree (decouple "tree right" from "match right")
+
+Instead of asserting `model == parse-tree`, walk the processor ONCE to capture
+the ground-truth tree (fid → tag → breadcrumbs → attributes), then run both the
+reference matcher and the lexbor differential against arbitrary/wild HTML using
+that captured tree as truth for the selector layer. This is the structural
+change that makes #3's wild-HTML mode fully general and lets the generator reuse
+`html-api-fuzz`'s nasty-HTML generator. (`model-desync` becomes a separate,
+optional sanity check rather than a precondition.)
+
+### 5. Coverage measurement + reach the unreachable branches
+
+- Wire line/branch coverage (phpdbg is available: `phpdbg -qrr` with
+  coverage, or install pcov/xdebug) over the `src/wp-includes/html-api/css/`
+  classes; gate "done" on a coverage target and a written list of intentionally-
+  unreached lines.
+- Add a generator path emitting raw hex escapes for null / surrogate
+  (U+D800–U+DFFF) / over-max (> U+10FFFF) codepoints and assert they decode to
+  U+FFFD (currently unreachable — the renderer only escapes real codepoints).
+- Fuzz NUL bytes and CR/FF in the selector INPUT to exercise
+  `normalize_selector_input` (NUL→U+FFFD, CR/CRLF/FF→LF).
+
+### 6. Automatic minimizer
+
+Port the delta-debugging pattern from `tools/html-api-fuzz/minimize.php`: given a
+failing seed, shrink both the HTML and the selector (byte/structural deletes,
+keep-failing) to a minimal reproducer. Wire into `replay.php` or a new
+`minimize.php`. Bugs 1 and 3 were hand-minimized; automate it.
+
+### 7. Broaden match surface
+
+- Run the match oracle through `create_fragment` with varied fragment contexts,
+  not just `create_full_parser`.
+- Vary all quirks-mode triggers (not only doctype presence): no-doctype,
+  malformed doctype, `<!DOCTYPE html SYSTEM ...>`, limited-quirks doctypes.
+
+## Acceptance bar for "exacting standards"
+
+- Coverage measured and reported for the `css/` classes, with a justified list of
+  any unreached lines.
+- Three independent oracles agree on no-quirks supported cases (AST round-trip,
+  `ReferenceMatcher`, lexbor); divergences are triaged to either a WP finding or
+  a fuzzer-oracle fix — never left ambiguous.
+- Metamorphic invariants in place and passing.
+- Positive-match rate for combinator selectors materially raised (path-directed
+  generation): ~68% in that bucket vs ~14% before, so the combinator/breadcrumb
+  walker is genuinely exercised. (Aggregate across all buckets remains ~62%
+  vacuous `[] == []`, by design — the negative-oriented and parse-focused
+  buckets are intentionally mostly empty-set; see `README.md`.)
+- Minimizer produces minimal repros automatically.
+- A clean multi-thousand-seed run with all signatures triaged; `FINDINGS.md`
+  updated with any new bugs (each with a minimal repro and a one-line fix
+  direction), and confirmation that the three known bugs still reproduce.
+
+## Existing bugs to keep verifying (regression anchors)
+
+From `FINDINGS.md` — all three are fixed on this branch and pinned by PHPUnit
+tests; the minimal repros must now NOT trigger (a clean 5000-seed run confirms):
+1. Identity escape after multibyte mis-decodes: `#Ü,\sup #x` → type must be `sup`.
+2. Empty-value substring matchers: `[x^=""]`, `[x*=""]`, `[x$=""]` must match nothing.
+3. Off-by-one length guard: `[a=b]` (single-char unquoted value, exact `=`, at EOF) must parse.
diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md
new file mode 100644
index 0000000000000..6025b6e45a10f
--- /dev/null
+++ b/tools/css-selector-fuzz/README.md
@@ -0,0 +1,230 @@
+# CSS Selector Fuzzer
+
+Generative fuzzer for the HTML API CSS selector support:
+`WP_CSS_Compound_Selector_List`, `WP_CSS_Complex_Selector_List`, and the
+`select()` methods on `WP_HTML_Tag_Processor` and `WP_HTML_Processor`.
+
+Every case is fully deterministic from its integer seed: the same seed always
+produces the same document, the same selector, and the same verdict.
+
+## What a case does
+
+1. Generate a random HTML document — 70% from a structurally "safe" element
+   set with a known model tree (of these, ~20% are parsed as a `<body>`
+   fragment via `create_fragment` instead of a full document, exercising the
+   fragment `select()` path), 30% "wild" (misnested, implied-end-tag,
+   foreign-content, token soup with one of five doctypes spanning no-quirks,
+   quirks, and limited-quirks). `create_fragment` only accepts the `<body>`
+   context publicly, so that is the fragment context fuzzed.
+2. Capture the processor's own view of the document as the matching oracle's
+   ground truth (`TreeCapture`): a flat list of rows in visit order, each
+   carrying the element's tag, attributes, and ancestor tag list (context
+   selectors are type-only, so that is everything matching can observe).
+   For safe documents the capture must agree with the generated model
+   (`model-desync`) — that soundness check is what justifies trusting the
+   capture on wild documents. Wild documents that hit a construct the
+   processor bails on (foster parenting, complex adoption-agency runs) are
+   deterministically regenerated a bounded number of times.
+3. Generate a selector in one of nine buckets:
+   - `supported-compound` — must parse in both grammars; carries intended AST.
+   - `supported-complex` — uses `>`/descendant combinators; must parse only
+     in the complex grammar; carries intended AST.
+   - `path-directed` — synthesized from a real element of the generated tree
+     (type from its tag, subclasses from its actual classes/id/attributes,
+     context chain from its actual ancestors), guaranteed by construction to
+     match that element — or flipped into a near-miss (wrong type/class/attr
+     guarantees a non-match; loosening `>` to descendant must keep matching).
+     The guarantee is asserted against the reference matcher
+     (`path-expectation`). Within this bucket ~67% of match assertions are
+     non-vacuous (positive-match rate ~68% for combinator selectors, vs ~14%
+     in `supported-complex`). Across *all* buckets ~38% of match assertions
+     are non-vacuous: the negative-oriented buckets (`unsupported`,
+     `invalid`, much of `supported-*`) and `edge-escape` (which targets the
+     parse/escape-decode path, not matching) are intentionally mostly
+     empty-set, so the aggregate `[] == []` rate is ~62%. The point of
+     path-directed generation is that the *combinator/breadcrumb* walker —
+     the part most likely to harbor a matching bug — is now exercised with
+     real depth, not that every assertion is non-vacuous.
+     `runner.php` persists per-bucket/per-target match assertion counts and
+     vacuous/non-vacuous rates under `matchStats` in `state.json`, so this
+     distribution is reported on every run instead of relying on stale notes.
+   - `unsupported` — valid CSS the API intentionally rejects (pseudo-classes
+     and -elements, `+`/`~`/`||` combinators, namespaces, non-type context
+     selectors); must not parse.
+   - `invalid` — not valid CSS; must not parse.
+   - `invalid-utf8` — a small supported selector with a raw ill-formed UTF-8
+     byte sequence (lone continuation, truncated 2/3/4-byte, overlong,
+     surrogate half, beyond U+10FFFF) injected into a class/ID/attribute
+     ident or string operand; `from_selectors()` scrubs the input first, so
+     the case must parse and carries the post-scrub AST (one U+FFFD per
+     maximal subpart, with per-class subpart counts pinned independently of
+     `wp_scrub_utf8()`).
+   - `chaos` — arbitrary bytes; no parse expectation.
+   - `mutated` — a supported selector with random byte mutations, including
+     raw ill-formed UTF-8 splices at arbitrary byte offsets; no parse
+     expectation.
+   - `edge-escape` — selectors that exercise otherwise-unreachable parser
+     branches: hex escapes for NUL / surrogate / over-max codepoints (must
+     decode to U+FFFD) and raw NUL / CR / CRLF / FF bytes in the input (must
+     normalize during selector token-stream preprocessing); carries the intended AST.
+4. Check invariants:
+   - No PHP error/warning/exception from parsing or matching, ever.
+   - Parse result (instance vs `null`) matches the bucket's expectation.
+   - Anything the compound grammar parses, the complex grammar parses, and
+     both produce the same AST.
+   - Parsed AST equals the generated AST (escapes, strings, whitespace and
+     case randomization must not change meaning).
+   - For any selector that parses (including chaos/mutated), the `select()`
+     match set equals an independent spec-faithful reference matcher, on both
+     processors, including quirks-mode class/ID case-insensitivity.
+   - For any selector that does not parse, `select()` returns `false`,
+     `_doing_it_wrong` fires exactly once per call (also via the parse
+     cache), and the processor remains usable.
+   - The processor ends with no `get_last_error()`/unsupported state.
+   - Metamorphic relations (oracle-free, run on otherwise-clean cases whose
+     selector parsed): meaning-preserving transforms of the selector must
+     select exactly the same elements as the original, and AST-preserving
+     transforms must parse to exactly the transformed AST. Transforms:
+     re-render with fresh whitespace/quoting and aggressive no-op escapes,
+     ASCII-case-fold of type names, subclass reordering within a compound,
+     explicit `*` for an omitted type, and selector-list branch duplication.
+     Skipped for ASTs containing invalid UTF-8 (reachable only from
+     chaos/mutated inputs), which the renderer cannot round-trip.
+   - lexbor differential (third, independent oracle; requires the harness —
+     see below): on full-document cases whose selector parsed, a canonical
+     re-render of the verified AST is matched by liblexbor and compared,
+     as a multiset of fids, against the reference matcher. Quirks documents
+     participate only when the startup probe confirms lexbor's class/#id
+     folding behavior in both no-quirks and quirks mode. Gated on WP and
+     lexbor building the same element tree (fid/tag/ancestry), so it tests
+     the selector layer, not tree construction. Verdicts:
+     `lexbor-divergence` (lexbor ≠ reference) is a fuzzer-oracle problem;
+     `match-mismatch-html` with no accompanying divergence means reference
+     == lexbor ≠ WP — a high-confidence WP finding.
+   - Repeating a case yields a byte-identical result digest (determinism).
+     Note the digest covers the WP-under-test surface (selector, html,
+     parse-nullness, ASTs, failure invariants) but **not** the lexbor
+     oracle's own output, so it would not flag a flaky lexbor result that
+     never escalates to a `lexbor-divergence` failure.
+
+## lexbor harness
+
+Build with `sh tools/css-selector-fuzz/lexbor/build.sh` (clones and builds
+liblexbor from upstream `master`; the build script prints the exact commit).
+The worker auto-detects the binary at `tools/css-selector-fuzz/lexbor/harness`
+and reports per-batch tallies, persisted to `state.json` under `lexbor`:
+
+- `compared` — the differential ran and matched fid-multisets.
+- `tree-gated` — WP and lexbor built different trees; differential skipped.
+- `skipped-quirks` / `skipped-utf8` — quirks document while lexbor class/#id
+  case behavior is not trusted / non-UTF-8 AST.
+- `n/a` — the differential does not apply (unparseable selector, fragment, no
+  captured tree).
+- `unavailable` / `error` — the harness was missing or died. The runner prints
+  a loud warning if these appear after the harness had run, so a third oracle
+  that dies mid-run cannot hide behind a green run.
+
+Known lexbor issues compensated for when present:
+
+- [#368](https://github.com/lexbor/lexbor/issues/368):
+  class and `#id` selectors match ASCII case-insensitively even in
+  no-quirks documents (`[id=…]` attribute matching is correctly
+  case-sensitive). Detected by a startup probe; when present, lexbor is
+  compared against the reference matcher run with quirks-style class/ID
+  folding, and quirks-mode documents are excluded from the differential
+  entirely. The same startup probe also checks class and `#id` selectors in
+  quirks mode; only when all four probes pass is quirks-mode class/ID matching
+  included in the differential.
+- lexbor rejects uppercase `I`/`S` attribute-selector modifiers, and its
+  non-ASCII ident-codepoint table omits U+00B7 and U+00C0–U+00F6 (it
+  starts at U+00F8), rejecting e.g. `.Über` while accepting `.über`.
+  Both sidestepped by the canonical re-render (lowercase modifiers, all
+  non-ASCII hex-escaped); both are candidate upstream reports, not WP
+  findings.
+- `lxb_selectors_find` reports a node once per matching selector-list
+  branch; `LXB_SELECTORS_OPT_MATCH_FIRST` dedupes.
+- lexbor matches `[x~=""]` against whitespace-only attribute values
+  (e.g. `x=" "`); Selectors-4 and Chrome say an empty operand never
+  matches a list item, and WP agrees with them. Latent
+  `lexbor-divergence` noise source if the generator ever pairs `~=""`
+  with whitespace-valued attributes; candidate upstream report, not a
+  WP finding.
+
+## Known oracle limitations (document-side decoding)
+
+The match oracle's independence differs between class and attribute selectors:
+
+- **Class values are matched by two genuinely independent tokenizers.** WP's
+  `select('.x')` goes through `WP_HTML_Tag_Processor::class_list()`, which
+  splits on ASCII whitespace and folds NUL → U+FFFD per token;
+  `ReferenceMatcher::class_matches()` reimplements that independently (and is
+  pinned against `class_list()` on NUL/FF boundary inputs by `self-check.php`).
+  The safe and wild random document generators now inject NUL into class
+  tokens occasionally and expose the decoded U+FFFD token to class-selector
+  generation. Raw class attribute values are intentionally kept out of the
+  generic `attrValues` pool so attribute-selector generation does not inherit
+  class-list-only decoding semantics.
+- **Attribute values are matched through a single shared read.** Both WP's
+  attribute matcher and `ReferenceMatcher::attr_matches()` read the same
+  `get_attribute()` output, so a value-decoding bug there would be shared and
+  invisible regardless of input — a genuine shared-oracle limitation that no
+  generator change can close (it needs an independent attribute-value decoder,
+  which lexbor partly provides on no-quirks documents).
+
+## Usage
+
+Bounded fuzz run (process-isolated chunks, crash/hang attribution):
+
+    php tools/css-selector-fuzz/runner.php --max-seeds 1000 --duration-seconds 60
+
+Artifacts go to `artifacts/css-selector-fuzz/run-*/` and are intentionally
+small: `state.json` (counters, per-signature tallies) and `failures.ndjson`
+(one line per failure, with base64 selector + document for offline analysis).
+
+Replay a failure by seed:
+
+    php tools/css-selector-fuzz/replay.php --seed 42 --show-html
+    php tools/css-selector-fuzz/replay.php --seed 42 --json
+
+Probe a specific selector:
+
+    php tools/css-selector-fuzz/replay.php --selector 'section > div.cls' --html '<section><div class=cls></div></section>'
+
+Minimize a failing case to a small reproducer (delta-debugging; shrinks
+both the selector and the HTML while preserving a failure signature):
+
+    php tools/css-selector-fuzz/minimize.php --seed 1234
+    php tools/css-selector-fuzz/minimize.php --selector 'sel' --html '<…>' --signature match-mismatch
+
+The minimizer drives `Worker::run_pair`, which checks only **self-contained**
+invariants — those computable from the (selector, html) pair without the
+generator's intended AST: `match-mismatch-*`, `metamorphic-*`,
+`lexbor-divergence`, `parse-error`, `ast-shape`, `ast-cross-grammar`, and the
+rejection checks. The generator-side invariants `ast-mismatch`,
+`parse-expectation`, `path-expectation`, and `model-desync` are **not**
+self-contained and cannot be reproduced from the pair alone.
+
+So `--seed` faithfully minimizes only seeds whose failure is self-contained.
+The three known bugs each *also* surface a self-contained signature (Bug 1 →
+`metamorphic-ast`, Bug 2 → `match-mismatch-html`, Bug 3 → `metamorphic-parse`),
+but a seed whose recorded failure is *only* the generator-side form (e.g. a
+Bug-1 seed that recorded `ast-mismatch` before the metamorphic phase ran) is
+**refused by default** rather than silently retargeted — pass `--signature`
+to opt into minimizing a related self-contained signature, which is then
+clearly labelled as a retarget in the output.
+
+Run a batch in-process (no isolation, faster):
+
+    php tools/css-selector-fuzz/worker.php --start-seed 1 --count 500
+
+Measure line coverage of the `css/` classes (see `COVERAGE.md` for the
+current report and a justified list of unreached lines):
+
+    phpdbg -qrr tools/css-selector-fuzz/coverage.php --seeds 3000 --list-uncovered
+
+Options of note:
+
+- `runner.php --stop-on-failure` stops at the first failing chunk.
+- `worker.php --determinism-every N` re-runs every Nth seed twice (default 16).
+- `worker.php --max-failures N` stops a batch after N failures (default 200)
+  to bound artifact size.
diff --git a/tools/css-selector-fuzz/coverage.php b/tools/css-selector-fuzz/coverage.php
new file mode 100644
index 0000000000000..64c60a7d5e42c
--- /dev/null
+++ b/tools/css-selector-fuzz/coverage.php
@@ -0,0 +1,92 @@
+#!/usr/bin/env php
+<?php
+/**
+ * Line coverage of the html-api/css classes under fuzzing, via phpdbg.
+ *
+ * Usage:
+ *   phpdbg -qrr tools/css-selector-fuzz/coverage.php [--seeds N] [--list-uncovered]
+ *
+ * Runs N sequential fuzz cases in-process with the opcode log enabled and
+ * reports, per target file, executable vs covered line counts and
+ * (optionally) every uncovered line with its source.
+ */
+
+require_once __DIR__ . '/lib/autoload.php';
+
+use CssSelectorFuzz\Worker;
+use function CssSelectorFuzz\option_bool;
+use function CssSelectorFuzz\option_int;
+use function CssSelectorFuzz\parse_cli_options;
+use function CssSelectorFuzz\repo_root;
+
+if ( ! function_exists( 'phpdbg_start_oplog' ) ) {
+	fwrite( STDERR, "Run under phpdbg: phpdbg -qrr tools/css-selector-fuzz/coverage.php\n" );
+	exit( 1 );
+}
+
+$options        = parse_cli_options( $argv );
+$seeds          = option_int( $options, 'seeds', 2000 );
+$list_uncovered = option_bool( $options, 'list-uncovered', false );
+
+$target_dir = repo_root() . '/src/wp-includes/html-api/css';
+$targets    = glob( $target_dir . '/*.php' );
+
+\CssSelectorFuzz\Bootstrap::load();
+
+/*
+ * The oplog records every executed opcode, so it must be drained in chunks
+ * — only the per-file covered-line sets are kept.
+ */
+$oplog = array();
+$chunk = 25;
+for ( $start = 1; $start <= $seeds; $start += $chunk ) {
+	phpdbg_start_oplog();
+	$limit = min( $seeds, $start + $chunk - 1 );
+	for ( $seed = $start; $seed <= $limit; $seed++ ) {
+		Worker::run_case( $seed );
+	}
+	foreach ( phpdbg_end_oplog() as $file => $lines ) {
+		foreach ( $lines as $line => $hits ) {
+			$oplog[ $file ][ $line ] = true;
+		}
+	}
+}
+
+$executable = phpdbg_get_executable( array( 'files' => $targets ) );
+
+$total_exec    = 0;
+$total_covered = 0;
+
+foreach ( $targets as $file ) {
+	$exec_lines    = array_keys( $executable[ $file ] ?? array() );
+	$covered_lines = array_keys( $oplog[ $file ] ?? array() );
+	$covered_lines = array_intersect( $covered_lines, $exec_lines );
+	$uncovered     = array_diff( $exec_lines, $covered_lines );
+
+	$total_exec    += count( $exec_lines );
+	$total_covered += count( $covered_lines );
+
+	printf(
+		"%-55s %4d/%4d lines  %5.1f%%\n",
+		basename( $file ),
+		count( $covered_lines ),
+		count( $exec_lines ),
+		count( $exec_lines ) > 0 ? 100 * count( $covered_lines ) / count( $exec_lines ) : 100
+	);
+
+	if ( $list_uncovered && array() !== $uncovered ) {
+		$source = file( $file );
+		sort( $uncovered );
+		foreach ( $uncovered as $line ) {
+			printf( "    !%4d  %s\n", $line, rtrim( $source[ $line - 1 ] ?? '' ) );
+		}
+	}
+}
+
+printf(
+	"%-55s %4d/%4d lines  %5.1f%%\n",
+	'TOTAL',
+	$total_covered,
+	$total_exec,
+	$total_exec > 0 ? 100 * $total_covered / $total_exec : 100
+);
diff --git a/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md b/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md
new file mode 100644
index 0000000000000..40c2ccb80f97c
--- /dev/null
+++ b/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md
@@ -0,0 +1,278 @@
+# lexbor — draft upstream bug reports
+
+Six spec-conformance bugs in liblexbor's CSS selectors support, found while
+using lexbor as a differential oracle for the WordPress HTML-API CSS selector
+fuzzer (`tools/css-selector-fuzz/`). Issues 1–3 were re-verified directly
+against the harness on 2026-06-10; issues 4–5 surfaced during the WP
+conformance-fix session and were re-verified on 2026-06-11; issue 6 came out
+of the explicit invalid-byte probe for the WP scrub coverage work
+(2026-06-11).
+
+- **Default build target:** lexbor upstream `master`, built by
+  `tools/css-selector-fuzz/lexbor/build.sh`. Record the exact commit printed
+  by the build script when verifying any issue.
+- **Upstream repo:** https://github.com/lexbor/lexbor
+- **Already filed upstream — do NOT refile:**
+  [#368](https://github.com/lexbor/lexbor/issues/368) (class/`#id` selectors
+  match ASCII case-insensitively in no-quirks documents).
+
+## Instructions for the filing agent
+
+1. **Re-verify at current lexbor master first.** Any of these may already be
+   fixed. Run `build.sh` and re-run the repros below. Only file what still
+   reproduces, and say in the report which commit you tested.
+2. **Search for duplicates** before filing (suggested queries: `~=`,
+   `attr-modifier`, `case insensitive modifier`, `ident code point`,
+   `U+00B7`, `non-ascii`, `EOF`, `unclosed`, `simple block`,
+   `case-insensitive attribute`, `querySelector`). #368 shows the
+   maintainer's preferred repro style.
+3. **One issue per bug.** Reduce each to a self-contained C repro (sketch
+   below); maintainers should not need this repo's harness.
+4. Reproduction via this repo (fast path): build the harness
+   (`sh tools/css-selector-fuzz/lexbor/build.sh`), then feed it
+   `base64(html) TAB base64(selector)` lines on stdin. Response lines per
+   case: `R<TAB>tag<TAB>fid<TAB>ancestors` (tree rows), `M<TAB>fid` (match),
+   `X<TAB>reason` (selector parse error), terminated by `D`. See
+   `lib/LexborOracle.php` for a reference client and `harness.c` for the
+   exact lexbor API usage (`lxb_html_document_parse`,
+   `lxb_css_selectors_parse`, `lxb_selectors_find`).
+
+Minimal C repro skeleton (adapt per issue; `harness.c` is the full reference):
+
+```c
+/* cc repro.c -llexbor */
+#include <lexbor/html/html.h>
+#include <lexbor/css/css.h>
+#include <lexbor/selectors/selectors.h>
+
+static lxb_status_t cb(lxb_dom_node_t *n, lxb_css_selector_specificity_t s, void *ctx) {
+    (*(int *)ctx)++;
+    return LXB_STATUS_OK;
+}
+
+int main(void) {
+    const lxb_char_t html[] = "<!DOCTYPE html><i x=\" \"></i>";
+    const lxb_char_t sel[]  = "[x~=\"\"]";
+    int hits = 0;
+
+    lxb_html_document_t *doc = lxb_html_document_create();
+    lxb_html_document_parse(doc, html, sizeof(html) - 1);
+
+    lxb_css_parser_t *parser = lxb_css_parser_create();
+    lxb_css_parser_init(parser, NULL);
+    lxb_selectors_t *selectors = lxb_selectors_create();
+    lxb_selectors_init(selectors);
+
+    lxb_css_selector_list_t *list =
+        lxb_css_selectors_parse(parser, sel, sizeof(sel) - 1);
+    if (list == NULL) { printf("selector parse error\n"); return 1; }
+
+    lxb_selectors_find(selectors, lxb_dom_interface_node(doc),
+                       list, cb, &hits);
+    printf("matches: %d\n", hits); /* spec: 0 */
+    return 0;
+}
+```
+
+---
+
+## Issue 1 — `[x~=""]` matches whitespace-only attribute values
+
+Per Selectors Level 4, `[att~=val]` with an empty `val` never matches:
+
+> If "val" is the empty string, it will never represent anything.
+> — https://www.w3.org/TR/selectors-4/#attribute-representation (§6.1)
+
+lexbor instead matches elements whose attribute value consists only of
+whitespace, suggesting its list-splitting yields an empty token for
+whitespace-only values. Verified at v3.0.0 (`data-fid="a"` on the element):
+
+| document                  | selector  | lexbor    | spec / Chrome 149 |
+|---------------------------|-----------|-----------|-------------------|
+| `<i x=" ">` (space)       | `[x~=""]` | matches ❌ | no match          |
+| `<i x="&#9;">` (tab)      | `[x~=""]` | matches ❌ | no match          |
+| `<i x="">`                | `[x~=""]` | no match ✅ | no match          |
+| `<i x="a b">`             | `[x~=""]` | no match ✅ | no match          |
+| `<i x="a b">` (control)   | `[x~=a]`  | matches ✅ | matches           |
+
+Chrome 149 (`document.querySelectorAll`) returns no match for all `[x~=""]`
+rows (verified 2026-06-10 via Playwright during the WordPress fix review).
+
+## Issue 2 — uppercase `I`/`S` attribute-selector modifiers rejected
+
+Selectors Level 4 §6.3 defines the modifiers explicitly as case-insensitive:
+
+> ...adding the identifier `i` (or `I`) ... adding the identifier `s` (or `S`) ...
+> — https://www.w3.org/TR/selectors-4/#attribute-case
+
+lexbor parses the lowercase forms but reports a selector parse error for the
+uppercase forms. Verified at v3.0.0:
+
+| selector     | lexbor        | spec    |
+|--------------|---------------|---------|
+| `[x=abc i]`  | parses ✅      | parses  |
+| `[x=abc I]`  | parse error ❌ | parses  |
+| `[x=abc s]`  | parses ✅      | parses  |
+| `[x=abc S]`  | parse error ❌ | parses  |
+
+Note for browser comparison: Chrome 149 had not shipped the `s` modifier at
+all (throws SyntaxError), so compare `I` against Chrome and `S` against the
+spec text / Firefox.
+
+## Issue 3 — non-ASCII ident code points below U+00F8 rejected
+
+CSS Syntax Level 3 defines the non-ASCII ident code points to include
+U+00B7 and U+00C0–U+00D6 / U+00D8–U+00F6:
+
+> non-ASCII ident code point: U+00B7, U+00C0 to U+00D6, U+00D8 to U+00F6,
+> U+00F8 to U+037D, ...
+> — https://www.w3.org/TR/css-syntax-3/#non-ascii-ident-code-point
+
+lexbor's table appears to start at U+00F8: code points in the earlier ranges
+are rejected both in ident-start and non-start positions. Verified at v3.0.0
+(raw UTF-8 selectors; class attribute contains the same characters):
+
+| selector  | codepoint(s)        | lexbor        | spec    |
+|-----------|---------------------|---------------|---------|
+| `.über`   | U+00FC (≥ U+00F8)   | parses ✅      | parses  |
+| `.øx`     | U+00F8 (boundary)   | parses ✅      | parses  |
+| `.Über`   | U+00DC (U+00D8–F6)  | parse error ❌ | parses  |
+| `.a·b`    | U+00B7 (non-start)  | parse error ❌ | parses  |
+| `.÷x`     | U+00F7 (excluded)   | parse error ✅ | error   |
+
+The U+00F7 row is a control: the division sign is correctly NOT an ident code
+point, so lexbor's boundary is off by exactly the U+00B7 / U+00C0–U+00F6
+ranges. Workaround used by this fuzzer: hex-escape all non-ASCII (`\dc ber`
+parses fine), which is why this surfaces only with raw multibyte selectors.
+
+## Issue 4 — EOF does not auto-close an open attribute selector block
+
+Per CSS Syntax Level 3, tokenization auto-closes unterminated simple blocks
+at the end of input (a parse error, but the block is returned), and an
+unterminated string at EOF returns the string token:
+
+> \<EOF-token\>: This is a parse error. Return the block.
+> — https://www.w3.org/TR/css-syntax-3/#consume-simple-block (§5.4.8)
+
+> EOF: This is a parse error. Return the \<string-token\>.
+> — https://www.w3.org/TR/css-syntax-3/#consume-string-token (§4.3.5)
+
+So `[att=val` is the same selector as `[att=val]`, and `[att="a b` carries
+the string value `a b`. lexbor reports a selector parse error for every
+EOF-truncated attribute selector. Verified at v3.0.0 against
+`<div att="val">` / `<div att="a b">`:
+
+| selector        | lexbor        | spec / Chrome 149 |
+|-----------------|---------------|-------------------|
+| `[att]`         | parses ✅      | parses            |
+| `[att=val]`     | parses ✅      | parses            |
+| `[att`          | parse error ❌ | parses, matches   |
+| `[att=val`      | parse error ❌ | parses, matches   |
+| `[att="a b`     | parse error ❌ | parses, matches   |
+| `[att=val i`    | parse error ❌ | parses, matches   |
+| `div[att`       | parse error ❌ | parses, matches   |
+| `[att=`         | parse error ✅ | error (grammar)   |
+| `[att~`         | parse error ✅ | error (grammar)   |
+| `[`             | parse error ✅ | error (grammar)   |
+| `[att=val, div` | parse error ✅ | error (comma is inside the open block) |
+
+The last four rows are controls: truncation inside the selector *grammar*
+(matcher without value, lone bracket) is invalid even after auto-close, and
+lexbor correctly rejects those. Chrome 149 (`document.querySelectorAll`)
+accepts and rejects exactly per the table (verified 2026-06-10 via
+Playwright). Note lexbor's escape handling at EOF is fine — `.foo\` parses
+as class `foo\u{FFFD}` per §4.3.7 — the gap is specifically the simple-block
+auto-close.
+
+## Issue 5 — HTML's case-insensitive attribute value list not implemented
+
+HTML defines 46 attributes (`type`, `rel`, `lang`, `dir`, `media`,
+`hreflang`, `http-equiv`, ...) whose values must match ASCII
+case-insensitively in attribute selectors on an HTML element when the
+selector has no `i`/`s` modifier:
+
+> Attribute selectors on an HTML element in an HTML document must treat the
+> values of attributes with the following names as ASCII case-insensitive: …
+> — https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors
+
+lexbor matches all attribute values case-sensitively unless the selector
+carries an explicit `i`. Verified at v3.0.0 against
+`<a rel="NOFOLLOW">` (`e1`), `<a rel="nofollow">` (`e2`),
+`<i data-x="ABC">` (`e3`):
+
+| selector           | lexbor       | spec / Chrome 149 |
+|--------------------|--------------|-------------------|
+| `[rel=nofollow]`   | `e2` only ❌  | `e1` and `e2`     |
+| `[rel=NOFOLLOW]`   | `e1` only ❌  | `e1` and `e2`     |
+| `[rel=nofollow i]` | `e1`, `e2` ✅ | `e1` and `e2`     |
+| `[rel=nofollow s]` | `e2` only ✅  | `e2` only         |
+| `[data-x=abc]`     | no match ✅   | no match (unlisted attribute) |
+
+The last three rows are controls: explicit modifiers work, and attributes
+outside the list stay case-sensitive. Chrome 149 agrees with the spec column
+(verified 2026-06-10 via Playwright), with one scoping caveat the report
+should mention: the spec restricts the rule to elements in the HTML
+namespace, but Chrome also folds on SVG-namespace elements
+(`<svg><a type="text">` matches `[type=TEXT]`), so an implementation true
+to the spec letter would scope by element namespace. This may be framed as
+a feature request rather than a bug if lexbor considers document-language
+selector rules out of scope for its selectors module — but lexbor is an
+HTML engine and browsers uniformly implement the folding, so matching
+against HTML documents diverges from every browser without it.
+
+## Issue 6 — ill-formed UTF-8 in selectors is not decoded per the Encoding Standard
+
+CSS Syntax Level 3 decodes the input byte stream via the Encoding Standard
+before tokenizing:
+
+> To decode bytes, ... Otherwise, decode bytes with fallback encoding utf-8.
+> — https://www.w3.org/TR/css-syntax-3/#input-byte-stream (§3.2)
+
+The Encoding Standard's UTF-8 decoder replaces each **maximal subpart of an
+ill-formed subsequence** with a single U+FFFD (the boundaries follow the
+decoder's byte-range tables; see also Unicode §3.9 "U+FFFD Substitution of
+Maximal Subparts"):
+
+> https://encoding.spec.whatwg.org/#utf-8-decoder
+
+lexbor accepts raw ill-formed bytes in selectors (no parse error) and
+replaces them with U+FFFD, but with different boundaries: a truncated
+multi-byte sequence yields one U+FFFD **per byte** instead of one per
+maximal subpart, and a UTF-8-encoded surrogate half (`ED A0 80`–`ED BF
+BF`) is decoded permissively as a **single unit** yielding one U+FFFD
+instead of three. Verified at v3.0.0 by matching raw-byte class selectors
+against elements whose class attributes contain literal U+FFFD runs
+(`<div class="a�b">` = 1×U+FFFD ... `<div class="a����b">` = 4×U+FFFD;
+`�` below is U+FFFD, U+FFFD counts in parentheses):
+
+| selector bytes        | WHATWG decode  | lexbor         |
+|-----------------------|----------------|----------------|
+| `.a<E2 8C>b`          | `a�b` (1) ✅   | `a��b` (2) ❌   |
+| `.a<F0 9F 82>b`       | `a�b` (1) ✅   | `a���b` (3) ❌  |
+| `.a<ED A0 80>b`       | `a���b` (3) ✅ | `a�b` (1) ❌    |
+| `.a<ED B0 80>b`       | `a���b` (3) ✅ | `a�b` (1) ❌    |
+| `.a<80>b`             | `a�b` (1)      | `a�b` (1) ✅    |
+| `.a<C3>b`             | `a�b` (1)      | `a�b` (1) ✅    |
+| `.a<C0 80>b`          | `a��b` (2)     | `a��b` (2) ✅   |
+| `.a<E0 80 80>b`       | `a���b` (3)    | `a���b` (3) ✅  |
+| `.a<F4 90 80 80>b`    | `a����b` (4)   | `a����b` (4) ✅ |
+
+The agreeing rows are controls where per-byte replacement coincides with
+the maximal-subpart rule (lone continuation/lead bytes, overlongs whose
+subparts are all single bytes, beyond-U+10FFFF). The same behavior applies
+inside string tokens (`[x="p<80>q"]` matches `x="p�q"`). Two truncated
+sequences are exactly where the algorithms separate: `E2 8C` is **one**
+maximal subpart (E2 accepts two continuations and 8C is a valid first
+continuation), while `ED A0` is **not** a subpart at all (ED restricts its
+first continuation to 80–9F), so `ED A0 80` is three.
+
+Notes for the filing agent: browsers only exercise this decode through the
+stylesheet byte stream (JS `querySelectorAll` strings are already UTF-16),
+so compare against an external stylesheet with raw bytes, or against
+another Encoding Standard implementation (e.g. `TextDecoder('utf-8')`,
+whose output for the byte sequences above shows the maximal-subpart
+boundaries directly). Document-side context: lexbor stores raw ill-formed
+bytes from the HTML byte stream unchanged in the DOM (a raw `<80>` in a
+class attribute is matched by no selector, not even one with the same raw
+bytes), so the repro must put literal U+FFFD characters in the document
+and raw bytes only in the selector.
diff --git a/tools/css-selector-fuzz/lexbor/build.sh b/tools/css-selector-fuzz/lexbor/build.sh
new file mode 100644
index 0000000000000..a1471675bc815
--- /dev/null
+++ b/tools/css-selector-fuzz/lexbor/build.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# Builds the lexbor differential harness.
+#
+# Builds against upstream lexbor master. The exact commit is printed after
+# each build and recorded in the build cache.
+# Note: lexbor issue #368 ("Class/ID selectors are ASCII case-insensitive
+# even in no-quirks mode") is detected at startup and compensated for when
+# present (see LexborOracle.php).
+#
+# Usage:
+#   sh tools/css-selector-fuzz/lexbor/build.sh [lexbor-src-dir]
+#
+# Produces tools/css-selector-fuzz/lexbor/harness.
+
+set -e
+
+HERE="$(cd "$(dirname "$0")" && pwd)"
+SRC="${1:-/tmp/lexbor-src}"
+BRANCH="master"
+
+if [ ! -d "$SRC" ]; then
+    echo "Cloning lexbor into $SRC ..."
+    git clone https://github.com/lexbor/lexbor "$SRC"
+fi
+
+git -C "$SRC" fetch --quiet origin "$BRANCH"
+git -C "$SRC" checkout --quiet -B "$BRANCH" "origin/$BRANCH"
+REV="$(git -C "$SRC" rev-parse --verify HEAD)"
+STAMP="$SRC/build/.lexbor-rev"
+
+if [ ! -f "$SRC/build/liblexbor_static.a" ] || [ ! -f "$STAMP" ] || [ "$(cat "$STAMP")" != "$REV" ]; then
+    echo "Building liblexbor_static ($BRANCH $REV) ..."
+    mkdir -p "$SRC/build"
+    cd "$SRC/build"
+    cmake -DCMAKE_BUILD_TYPE=Release -DLEXBOR_BUILD_SHARED=OFF \
+          -DLEXBOR_BUILD_STATIC=ON -DLEXBOR_BUILD_TESTS=OFF \
+          -DLEXBOR_BUILD_EXAMPLES=OFF .. > /dev/null
+    make -j8 lexbor_static > /dev/null
+    printf '%s\n' "$REV" > "$STAMP"
+    cd "$HERE"
+fi
+
+cc -O2 -Wall -Wextra -o "$HERE/harness" "$HERE/harness.c" \
+   -I "$SRC/source" "$SRC/build/liblexbor_static.a"
+
+echo "Built $HERE/harness (lexbor $BRANCH $REV)"
diff --git a/tools/css-selector-fuzz/lexbor/harness.c b/tools/css-selector-fuzz/lexbor/harness.c
new file mode 100644
index 0000000000000..582c387a92f86
--- /dev/null
+++ b/tools/css-selector-fuzz/lexbor/harness.c
@@ -0,0 +1,290 @@
+/*
+ * lexbor differential harness for the CSS selector fuzzer.
+ *
+ * Reads one case per line from stdin:
+ *
+ *     base64(html) "\t" base64(selector) "\n"
+ *
+ * For each case, parses the HTML with lexbor, parses the selector with the
+ * lexbor CSS selectors module, runs lxb_selectors_find over the whole
+ * document, and emits:
+ *
+ *     R "\t" TAG "\t" FID "\t" ANC1,ANC2,...   one per element, document
+ *                                              pre-order; ancestors are
+ *                                              nearest-first uppercase tags
+ *     M "\t" FID                               one per match, in find order
+ *     X "\t" parse                             selector did not parse
+ *     X "\t" html                              html did not parse
+ *     D                                        end of case (then flush)
+ *
+ * FID is the element's data-fid attribute value, or "(missing-fid:TAG)"
+ * for elements without one (matching the fuzzer's placeholder convention).
+ * Tags are ASCII-uppercased.
+ *
+ * Build: see build.sh next to this file. The script builds upstream lexbor
+ * master and prints the exact commit used.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lexbor/html/html.h>
+#include <lexbor/css/css.h>
+#include <lexbor/selectors/selectors.h>
+
+#define MAX_DEPTH 512
+
+static unsigned char *
+b64_decode(const char *in, size_t in_len, size_t *out_len)
+{
+    static const signed char table[256] = {
+        ['A'] = 0,  ['B'] = 1,  ['C'] = 2,  ['D'] = 3,  ['E'] = 4,
+        ['F'] = 5,  ['G'] = 6,  ['H'] = 7,  ['I'] = 8,  ['J'] = 9,
+        ['K'] = 10, ['L'] = 11, ['M'] = 12, ['N'] = 13, ['O'] = 14,
+        ['P'] = 15, ['Q'] = 16, ['R'] = 17, ['S'] = 18, ['T'] = 19,
+        ['U'] = 20, ['V'] = 21, ['W'] = 22, ['X'] = 23, ['Y'] = 24,
+        ['Z'] = 25, ['a'] = 26, ['b'] = 27, ['c'] = 28, ['d'] = 29,
+        ['e'] = 30, ['f'] = 31, ['g'] = 32, ['h'] = 33, ['i'] = 34,
+        ['j'] = 35, ['k'] = 36, ['l'] = 37, ['m'] = 38, ['n'] = 39,
+        ['o'] = 40, ['p'] = 41, ['q'] = 42, ['r'] = 43, ['s'] = 44,
+        ['t'] = 45, ['u'] = 46, ['v'] = 47, ['w'] = 48, ['x'] = 49,
+        ['y'] = 50, ['z'] = 51, ['0'] = 52, ['1'] = 53, ['2'] = 54,
+        ['3'] = 55, ['4'] = 56, ['5'] = 57, ['6'] = 58, ['7'] = 59,
+        ['8'] = 60, ['9'] = 61, ['+'] = 62, ['/'] = 63,
+    };
+
+    unsigned char *out = malloc(in_len / 4 * 3 + 4);
+    size_t o = 0;
+    unsigned int acc = 0;
+    int bits = 0;
+
+    if (out == NULL) {
+        return NULL;
+    }
+
+    for (size_t i = 0; i < in_len; i++) {
+        unsigned char c = (unsigned char) in[i];
+        /*
+         * The PHP adapter always feeds well-formed base64_encode() output,
+         * but guard anyway: skip padding/whitespace, and actually skip any
+         * byte not in the alphabet ('A' legitimately maps to 0, so test the
+         * byte itself, not its table value). c is unsigned, so table[c] is
+         * always in bounds.
+         */
+        if (c == '=' || c == '\n' || c == '\r') {
+            continue;
+        }
+        if (c != 'A' && table[c] == 0) {
+            continue;
+        }
+        acc = (acc << 6) | (unsigned int) table[c];
+        bits += 6;
+        if (bits >= 8) {
+            bits -= 8;
+            out[o++] = (unsigned char) ((acc >> bits) & 0xFF);
+        }
+    }
+
+    *out_len = o;
+    return out;
+}
+
+static void
+put_upper(const lxb_char_t *name, size_t len)
+{
+    for (size_t i = 0; i < len; i++) {
+        unsigned char c = name[i];
+        if (c >= 'a' && c <= 'z') {
+            c = (unsigned char) (c - 'a' + 'A');
+        }
+        putchar(c);
+    }
+}
+
+/*
+ * Emit a data-fid value, replacing the framing bytes TAB / LF / CR with '?'.
+ * Generated documents only ever use fids like "w12" / "e3", so this never
+ * fires in practice; it guards the line-and-tab protocol against a fid that
+ * contains a control char (which would otherwise desync row/match parsing on
+ * the PHP side). LexborOracle applies the identical replacement when reading
+ * WP's own fids, so a sanitized fid still compares equal — the worst case is
+ * a benign tree-gated skip, never a false divergence.
+ */
+static void
+put_fid_value(const lxb_char_t *value, size_t value_len)
+{
+    for (size_t i = 0; i < value_len; i++) {
+        unsigned char c = value[i];
+        putchar((c == '\t' || c == '\n' || c == '\r') ? '?' : c);
+    }
+}
+
+static void
+put_fid(lxb_dom_node_t *node)
+{
+    lxb_dom_element_t *element = lxb_dom_interface_element(node);
+    size_t value_len = 0;
+    const lxb_char_t *value = lxb_dom_element_get_attribute(
+        element, (const lxb_char_t *) "data-fid", 8, &value_len);
+
+    if (value != NULL) {
+        put_fid_value(value, value_len);
+        return;
+    }
+
+    size_t name_len = 0;
+    const lxb_char_t *name = lxb_dom_element_qualified_name(element, &name_len);
+    fputs("(missing-fid:", stdout);
+    put_upper(name, name_len);
+    putchar(')');
+}
+
+struct walk_state {
+    const lxb_char_t *stack[MAX_DEPTH]; /* uppercase emitted on the fly */
+    size_t stack_len[MAX_DEPTH];
+    int depth;
+};
+
+static void
+walk(lxb_dom_node_t *node, struct walk_state *state)
+{
+    for (lxb_dom_node_t *child = node->first_child; child != NULL;
+         child = child->next) {
+        if (child->type != LXB_DOM_NODE_TYPE_ELEMENT) {
+            continue;
+        }
+
+        size_t name_len = 0;
+        const lxb_char_t *name = lxb_dom_element_qualified_name(
+            lxb_dom_interface_element(child), &name_len);
+
+        fputs("R\t", stdout);
+        put_upper(name, name_len);
+        putchar('\t');
+        put_fid(child);
+        putchar('\t');
+        for (int i = state->depth - 1; i >= 0; i--) {
+            put_upper(state->stack[i], state->stack_len[i]);
+            if (i > 0) {
+                putchar(',');
+            }
+        }
+        putchar('\n');
+
+        if (state->depth < MAX_DEPTH) {
+            state->stack[state->depth] = name;
+            state->stack_len[state->depth] = name_len;
+            state->depth++;
+            walk(child, state);
+            state->depth--;
+        }
+    }
+}
+
+static lxb_status_t
+find_callback(lxb_dom_node_t *node, lxb_css_selector_specificity_t spec,
+              void *ctx)
+{
+    (void) spec;
+    (void) ctx;
+    fputs("M\t", stdout);
+    put_fid(node);
+    putchar('\n');
+    return LXB_STATUS_OK;
+}
+
+int
+main(void)
+{
+    char *line = NULL;
+    size_t line_cap = 0;
+    ssize_t line_len;
+
+    while ((line_len = getline(&line, &line_cap, stdin)) > 0) {
+        char *tab = memchr(line, '\t', (size_t) line_len);
+        if (tab == NULL) {
+            fputs("X\tprotocol\nD\n", stdout);
+            fflush(stdout);
+            continue;
+        }
+
+        size_t html_len = 0;
+        size_t selector_len = 0;
+        unsigned char *html = b64_decode(line, (size_t) (tab - line), &html_len);
+        unsigned char *selector = b64_decode(
+            tab + 1, (size_t) (line + line_len - tab - 1), &selector_len);
+
+        if (html == NULL || selector == NULL) {
+            fputs("X\tprotocol\nD\n", stdout);
+            fflush(stdout);
+            free(html);
+            free(selector);
+            continue;
+        }
+
+        lxb_html_document_t *document = lxb_html_document_create();
+        if (lxb_html_document_parse(document, html, html_len)
+            != LXB_STATUS_OK) {
+            fputs("X\thtml\nD\n", stdout);
+            fflush(stdout);
+            lxb_html_document_destroy(document);
+            free(html);
+            free(selector);
+            continue;
+        }
+
+        struct walk_state state = { .depth = 0 };
+        walk(lxb_dom_interface_node(document), &state);
+
+        /*
+         * Parser and selectors engine are created per case:
+         * lxb_css_selector_list_destroy_memory() releases the parser's
+         * whole arena, so reuse across cases is unsafe.
+         */
+        lxb_css_parser_t *parser = lxb_css_parser_create();
+        lxb_selectors_t *selectors = lxb_selectors_create();
+        if (lxb_css_parser_init(parser, NULL) != LXB_STATUS_OK
+            || lxb_selectors_init(selectors) != LXB_STATUS_OK) {
+            fputs("X\tinit\nD\n", stdout);
+            fflush(stdout);
+            lxb_selectors_destroy(selectors, true);
+            lxb_css_parser_destroy(parser, true);
+            lxb_html_document_destroy(document);
+            free(html);
+            free(selector);
+            continue;
+        }
+
+        /* Report each node once even when several list branches match. */
+        lxb_selectors_opt_set(selectors, LXB_SELECTORS_OPT_MATCH_FIRST);
+
+        lxb_css_selector_list_t *list = lxb_css_selectors_parse(
+            parser, selector, selector_len);
+
+        if (parser->status != LXB_STATUS_OK || list == NULL) {
+            fputs("X\tparse\n", stdout);
+        }
+        else {
+            lxb_status_t status = lxb_selectors_find(
+                selectors, lxb_dom_interface_node(document), list,
+                find_callback, NULL);
+            if (status != LXB_STATUS_OK) {
+                fputs("X\tfind\n", stdout);
+            }
+            lxb_css_selector_list_destroy_memory(list);
+        }
+
+        fputs("D\n", stdout);
+        fflush(stdout);
+
+        lxb_selectors_destroy(selectors, true);
+        lxb_css_parser_destroy(parser, true);
+        lxb_html_document_destroy(document);
+        free(html);
+        free(selector);
+    }
+
+    free(line);
+    return EXIT_SUCCESS;
+}
diff --git a/tools/css-selector-fuzz/lib/AstExtractor.php b/tools/css-selector-fuzz/lib/AstExtractor.php
new file mode 100644
index 0000000000000..ed81beac30c3e
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/AstExtractor.php
@@ -0,0 +1,149 @@
+<?php
+namespace CssSelectorFuzz;
+
+/**
+ * Converts parsed WP_CSS_* selector objects into the canonical plain-array
+ * AST that SelectorGenerator produces and ReferenceMatcher consumes.
+ *
+ * Also performs structural sanity checks: any deviation from the documented
+ * object shape is reported as an invariant violation by throwing.
+ */
+class AstExtractor {
+
+	/** @param \WP_CSS_Complex_Selector_List $list */
+	public static function from_complex_list( $list ): array {
+		$out = array();
+		foreach ( self::get_private( $list, 'selectors', \WP_CSS_Compound_Selector_List::class ) as $selector ) {
+			if ( ! $selector instanceof \WP_CSS_Complex_Selector ) {
+				throw new \UnexpectedValueException( 'Complex selector list contains non-complex selector: ' . self::describe( $selector ) );
+			}
+			$out[] = self::from_complex( $selector );
+		}
+		return $out;
+	}
+
+	/**
+	 * Extracts from a compound selector list into the same canonical shape
+	 * ( complex selectors with empty context ) for direct comparison.
+	 *
+	 * @param \WP_CSS_Compound_Selector_List $list
+	 */
+	public static function from_compound_list( $list ): array {
+		$out = array();
+		foreach ( self::get_private( $list, 'selectors', \WP_CSS_Compound_Selector_List::class ) as $selector ) {
+			if ( ! $selector instanceof \WP_CSS_Compound_Selector ) {
+				throw new \UnexpectedValueException( 'Compound selector list contains non-compound selector: ' . self::describe( $selector ) );
+			}
+			$out[] = array(
+				'context' => array(),
+				'self'    => self::from_compound( $selector ),
+			);
+		}
+		return $out;
+	}
+
+	private static function from_complex( \WP_CSS_Complex_Selector $selector ): array {
+		$context = array();
+		foreach ( (array) $selector->context_selectors as $pair ) {
+			if ( ! is_array( $pair ) || 2 !== count( $pair ) ) {
+				throw new \UnexpectedValueException( 'Context selector pair has unexpected shape.' );
+			}
+			if ( ! $pair[0] instanceof \WP_CSS_Type_Selector ) {
+				throw new \UnexpectedValueException( 'Context selector is not a type selector: ' . self::describe( $pair[0] ) );
+			}
+			if ( ! in_array( $pair[1], array( ' ', '>' ), true ) ) {
+				throw new \UnexpectedValueException( 'Context selector uses unsupported combinator: ' . var_export( $pair[1], true ) );
+			}
+			$context[] = array( $pair[0]->type, $pair[1] );
+		}
+
+		return array(
+			'context' => $context,
+			'self'    => self::from_compound( $selector->self_selector ),
+		);
+	}
+
+	private static function from_compound( \WP_CSS_Compound_Selector $selector ): array {
+		$subs = null;
+		if ( null !== $selector->subclass_selectors ) {
+			if ( array() === $selector->subclass_selectors ) {
+				throw new \UnexpectedValueException( 'Compound selector has empty (non-null) subclass selector array.' );
+			}
+			$subs = array();
+			foreach ( $selector->subclass_selectors as $sub ) {
+				$subs[] = self::from_subclass( $sub );
+			}
+		}
+
+		if ( null === $selector->type_selector && null === $subs ) {
+			throw new \UnexpectedValueException( 'Compound selector has neither type nor subclass selectors.' );
+		}
+
+		return array(
+			'type' => null === $selector->type_selector ? null : $selector->type_selector->type,
+			'subs' => $subs,
+		);
+	}
+
+	private static function from_subclass( $sub ): array {
+		if ( $sub instanceof \WP_CSS_Class_Selector ) {
+			return array(
+				'kind' => 'class',
+				'name' => $sub->class_name,
+			);
+		}
+		if ( $sub instanceof \WP_CSS_ID_Selector ) {
+			return array(
+				'kind' => 'id',
+				'name' => $sub->id,
+			);
+		}
+		if ( $sub instanceof \WP_CSS_Attribute_Selector ) {
+			$valid_matchers = array(
+				null,
+				\WP_CSS_Attribute_Selector::MATCH_EXACT,
+				\WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT,
+				\WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_SUFFIXED,
+				\WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY,
+				\WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY,
+				\WP_CSS_Attribute_Selector::MATCH_CONTAINS,
+			);
+			if ( ! in_array( $sub->matcher, $valid_matchers, true ) ) {
+				throw new \UnexpectedValueException( 'Attribute selector has unknown matcher: ' . var_export( $sub->matcher, true ) );
+			}
+			$valid_modifiers = array(
+				null,
+				\WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE,
+				\WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE,
+			);
+			if ( ! in_array( $sub->modifier, $valid_modifiers, true ) ) {
+				throw new \UnexpectedValueException( 'Attribute selector has unknown modifier: ' . var_export( $sub->modifier, true ) );
+			}
+			if ( ( null === $sub->matcher ) !== ( null === $sub->value ) ) {
+				throw new \UnexpectedValueException( 'Attribute selector matcher/value nullness mismatch.' );
+			}
+			return array(
+				'kind'     => 'attr',
+				'name'     => $sub->name,
+				'matcher'  => $sub->matcher,
+				'value'    => $sub->value,
+				'modifier' => $sub->modifier,
+			);
+		}
+		throw new \UnexpectedValueException( 'Unknown subclass selector: ' . self::describe( $sub ) );
+	}
+
+	private static function get_private( $object, string $property, string $declaring_class ) {
+		$reflection = new \ReflectionProperty( $declaring_class, $property );
+		$reflection->setAccessible( true );
+		$value = $reflection->getValue( $object );
+		if ( ! is_array( $value ) ) {
+			throw new \UnexpectedValueException( "Property {$property} is not an array." );
+		}
+		return $value;
+	}
+
+	private static function describe( $value ): string {
+		return is_object( $value ) ? get_class( $value ) : gettype( $value );
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/Bootstrap.php b/tools/css-selector-fuzz/lib/Bootstrap.php
new file mode 100644
index 0000000000000..886ed602660f7
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/Bootstrap.php
@@ -0,0 +1,66 @@
+<?php
+namespace CssSelectorFuzz;
+
+class Bootstrap {
+	private static $loaded = false;
+
+	public static function load(): void {
+		if ( self::$loaded ) {
+			return;
+		}
+
+		require_once __DIR__ . '/wp-stubs.php';
+
+		$root  = repo_root();
+		$files = array(
+			'src/wp-includes/compat.php',
+			'src/wp-includes/compat-utf8.php',
+			'src/wp-includes/utf8.php',
+			'src/wp-includes/class-wp-token-map.php',
+			'src/wp-includes/html-api/html5-named-character-references.php',
+			'src/wp-includes/html-api/class-wp-html-attribute-token.php',
+			'src/wp-includes/html-api/class-wp-html-span.php',
+			'src/wp-includes/html-api/class-wp-html-doctype-info.php',
+			'src/wp-includes/html-api/class-wp-html-text-replacement.php',
+			'src/wp-includes/html-api/class-wp-html-decoder.php',
+			'src/wp-includes/html-api/class-wp-html-tag-processor.php',
+			'src/wp-includes/html-api/class-wp-html-unsupported-exception.php',
+			'src/wp-includes/html-api/class-wp-html-active-formatting-elements.php',
+			'src/wp-includes/html-api/class-wp-html-open-elements.php',
+			'src/wp-includes/html-api/class-wp-html-token.php',
+			'src/wp-includes/html-api/class-wp-html-stack-event.php',
+			'src/wp-includes/html-api/class-wp-html-processor-state.php',
+			'src/wp-includes/html-api/class-wp-html-processor.php',
+			'src/wp-includes/css-api/class-wp-css-builder.php',
+			'src/wp-includes/css-api/class-wp-css-token-processor.php',
+			'src/wp-includes/html-api/css/class-wp-css-selector-token-stream.php',
+			'src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php',
+			'src/wp-includes/html-api/css/class-wp-css-type-selector.php',
+			'src/wp-includes/html-api/css/class-wp-css-id-selector.php',
+			'src/wp-includes/html-api/css/class-wp-css-class-selector.php',
+			'src/wp-includes/html-api/css/class-wp-css-attribute-selector.php',
+			'src/wp-includes/html-api/css/class-wp-css-compound-selector.php',
+			'src/wp-includes/html-api/css/class-wp-css-compound-selector-list.php',
+			'src/wp-includes/html-api/css/class-wp-css-complex-selector.php',
+			'src/wp-includes/html-api/css/class-wp-css-complex-selector-list.php',
+		);
+
+		foreach ( $files as $file ) {
+			$path = $root . DIRECTORY_SEPARATOR . $file;
+			if ( is_file( $path ) ) {
+				require_once $path;
+			}
+		}
+
+		self::$loaded = true;
+	}
+
+	public static function reset_doing_it_wrong(): void {
+		$GLOBALS['css_selector_fuzz_doing_it_wrong'] = array();
+	}
+
+	/** @return array<int, array{function: string, message: string}> */
+	public static function doing_it_wrong_calls(): array {
+		return $GLOBALS['css_selector_fuzz_doing_it_wrong'];
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/DocumentGenerator.php b/tools/css-selector-fuzz/lib/DocumentGenerator.php
new file mode 100644
index 0000000000000..20da2825b6ed2
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/DocumentGenerator.php
@@ -0,0 +1,628 @@
+<?php
+namespace CssSelectorFuzz;
+
+/**
+ * Generates a random HTML document together with a model of its element tree.
+ *
+ * Elements are drawn exclusively from a "structurally safe" set: properly
+ * nested combinations of these tags parse verbatim (no auto-closing, no
+ * foster parenting, no adoption agency restructuring, no implied elements
+ * beyond the explicit html/head/body that are always rendered). This makes
+ * the model tree provably identical to the tree the HTML processor builds,
+ * so the model can serve as a matching oracle.
+ *
+ * Each element carries a unique `data-fid` attribute used to identify
+ * matches when comparing actual vs. expected selections.
+ */
+class DocumentGenerator {
+
+	const SAFE_TAGS = array(
+		'div',
+		'section',
+		'article',
+		'aside',
+		'nav',
+		'main',
+		'header',
+		'footer',
+		'figure',
+		'blockquote',
+		'address',
+		'span',
+		'em',
+		'strong',
+		'b',
+		'i',
+		'code',
+		'small',
+		'sub',
+		'sup',
+		'u',
+		's',
+		'q',
+		'abbr',
+		'cite',
+		'kbd',
+		'mark',
+		'samp',
+		'time',
+		'var',
+		'dfn',
+		'bdi',
+		'x-fuzz',
+		'fuzz-box',
+	);
+
+	const VOID_TAGS = array( 'br', 'hr', 'img', 'wbr', 'input', 'embed' );
+
+	const ATTR_NAMES = array(
+		'class',
+		'id',
+		'title',
+		'lang',
+		'dir',
+		'name',
+		'value',
+		'type',
+		'href',
+		'src',
+		'alt',
+		'rel',
+		'role',
+		'data-x',
+		'data-foo',
+		'data-test-value',
+		'data-Mixed-Case',
+		'aria-label',
+		'disabled',
+		'hidden',
+		'tabindex',
+	);
+
+	/** @var Prng */
+	private $prng;
+	private $fid_counter   = 0;
+	private $element_count = 0;
+	private $max_elements;
+	private $pools;
+
+	private function __construct( Prng $prng, int $max_elements ) {
+		$this->prng         = $prng;
+		$this->max_elements = $max_elements;
+		$this->pools        = array(
+			'tags'       => array(),
+			'classes'    => array(),
+			'ids'        => array(),
+			'attrNames'  => array(),
+			'attrValues' => array(),
+		);
+	}
+
+	/**
+	 * @return array{model: array, html: string, quirks: bool, pools: array}
+	 */
+	public static function generate( Prng $prng ): array {
+		$generator = new self( $prng, $prng->int( 8, 40 ) );
+		return $generator->build();
+	}
+
+	/**
+	 * Generates a `<body>`-context fragment: body-level content rendered
+	 * without the document wrapper, parsed via create_fragment. The model's
+	 * top-level elements carry the implicit BODY/HTML ancestors the fragment
+	 * parser reports in breadcrumbs.
+	 *
+	 * @return array{
+	 *     model: null,
+	 *     children: array,
+	 *     html: string,
+	 *     context: string,
+	 *     fragment: true,
+	 *     quirks: bool,
+	 *     pools: array,
+	 * }
+	 */
+	public static function generate_fragment( Prng $prng ): array {
+		$generator = new self( $prng, $prng->int( 6, 30 ) );
+		return $generator->build_fragment();
+	}
+
+	private function build_fragment(): array {
+		$children     = array();
+		$child_budget = $this->prng->int( 1, 6 );
+		for ( $i = 0; $i < $child_budget && $this->element_count < $this->max_elements; $i++ ) {
+			$children[] = $this->random_subtree( 0 );
+		}
+
+		$bits = array();
+		foreach ( $children as $child ) {
+			$bits[] = $this->render_element( $child );
+		}
+		$filler = array( '', 'text', ' more ', "\n  ", '&amp; x', 'café ✓', '<!-- c -->' );
+		$html   = '';
+		foreach ( $bits as $bit ) {
+			if ( $this->prng->chance( 35 ) ) {
+				$html .= $this->prng->choice( $filler );
+			}
+			$html .= $bit;
+		}
+
+		foreach ( $this->pools as $key => $values ) {
+			$this->pools[ $key ] = array_values( array_unique( $values ) );
+		}
+
+		return array(
+			'model'    => null,
+			'children' => $children,
+			'html'     => $html,
+			'context'  => '<body>',
+			'fragment' => true,
+			'quirks'   => false,
+			'pools'    => $this->pools,
+		);
+	}
+
+	/**
+	 * Rows ( TreeCapture shape ) for a `<body>`-context fragment: the
+	 * top-level children flattened with the implicit HTML/BODY ancestors the
+	 * fragment parser reports.
+	 */
+	public static function rows_from_fragment( array $children ): array {
+		$html_root = array( 'tag' => 'html', 'fid' => '(html)', 'attrs' => array(), 'children' => array() );
+		$body_root = array( 'tag' => 'body', 'fid' => '(body)', 'attrs' => array(), 'children' => $children );
+
+		$rows = array();
+		foreach ( $children as $child ) {
+			foreach ( self::flatten_with_ancestors( $child, array( $body_root, $html_root ) ) as $pair ) {
+				list( $element, $ancestors ) = $pair;
+
+				$attrs = array();
+				$seen  = array();
+				foreach ( $element['attrs'] as $attr ) {
+					$lower = ascii_strtolower( $attr[0] );
+					if ( isset( $seen[ $lower ] ) ) {
+						continue;
+					}
+					$seen[ $lower ] = true;
+					$attrs[]        = array( $lower, $attr[1] );
+				}
+
+				$ancestor_tags = array();
+				foreach ( $ancestors as $ancestor ) {
+					$ancestor_tags[] = strtoupper( ascii_strtolower( $ancestor['tag'] ) );
+				}
+
+				$rows[] = array(
+					'tag'          => strtoupper( ascii_strtolower( $element['tag'] ) ),
+					'fid'          => $element['fid'],
+					'attrs'        => $attrs,
+					'ancestorTags' => $ancestor_tags,
+				);
+			}
+		}
+		return $rows;
+	}
+
+	private function build(): array {
+		$has_doctype = $this->prng->chance( 85 );
+
+		$head_children = array();
+		if ( $this->prng->chance( 60 ) ) {
+			$head_children[] = $this->make_element( 'title', array(), array() );
+		}
+		if ( $this->prng->chance( 30 ) ) {
+			$head_children[] = $this->make_element( 'meta', $this->random_attrs(), array() );
+		}
+
+		$body_children = array();
+		$child_budget  = $this->prng->int( 1, 6 );
+		for ( $i = 0; $i < $child_budget && $this->element_count < $this->max_elements; $i++ ) {
+			$body_children[] = $this->random_subtree( 0 );
+		}
+
+		$head = $this->make_element( 'head', array(), $head_children );
+		$body = $this->make_element( 'body', $this->prng->chance( 30 ) ? $this->random_attrs() : array(), $body_children );
+		$html = $this->make_element( 'html', $this->prng->chance( 20 ) ? $this->random_attrs() : array(), array( $head, $body ) );
+
+		$rendered = ( $has_doctype ? '<!DOCTYPE html>' : '' ) . $this->render_element( $html );
+
+		foreach ( $this->pools as $key => $values ) {
+			$this->pools[ $key ] = array_values( array_unique( $values ) );
+		}
+
+		return array(
+			'model'  => $html,
+			'html'   => $rendered,
+			'quirks' => ! $has_doctype,
+			'pools'  => $this->pools,
+		);
+	}
+
+	private function random_subtree( int $depth ): array {
+		++$this->element_count;
+
+		if ( $depth >= 7 || $this->element_count >= $this->max_elements || $this->prng->chance( 25 ) ) {
+			// Leaf.
+			if ( $this->prng->chance( 25 ) ) {
+				return $this->make_element( $this->prng->choice( self::VOID_TAGS ), $this->random_attrs(), array(), true );
+			}
+			return $this->make_element( $this->prng->choice( self::SAFE_TAGS ), $this->random_attrs(), array() );
+		}
+
+		$children    = array();
+		$child_count = $this->prng->int( 1, 4 );
+		for ( $i = 0; $i < $child_count && $this->element_count < $this->max_elements; $i++ ) {
+			$children[] = $this->random_subtree( $depth + 1 );
+		}
+
+		return $this->make_element( $this->prng->choice( self::SAFE_TAGS ), $this->random_attrs(), $children );
+	}
+
+	private function make_element( string $tag, array $attrs, array $children, bool $is_void = false ): array {
+		$fid = 'e' . $this->fid_counter++;
+
+		$written_tag = $this->prng->chance( 15 ) ? $this->random_case( $tag ) : $tag;
+
+		$this->pools['tags'][] = $tag;
+
+		return array(
+			'tag'      => $written_tag,
+			'fid'      => $fid,
+			'attrs'    => $attrs,
+			'children' => $children,
+			'void'     => $is_void || in_array( strtolower( $tag ), array( 'meta', 'br', 'hr', 'img', 'wbr', 'input', 'embed' ), true ),
+		);
+	}
+
+	/** @return array<int, array{0: string, 1: string|true}> name/value pairs in source order. */
+	private function random_attrs(): array {
+		$attrs = array();
+		$count = $this->prng->weighted(
+			array(
+				0 => 15,
+				1 => 30,
+				2 => 30,
+				3 => 15,
+				4 => 10,
+			)
+		);
+
+		$used_names = array();
+		for ( $i = 0; $i < $count; $i++ ) {
+			$name = $this->prng->choice( self::ATTR_NAMES );
+
+			// Occasionally repeat an attribute name: the processor keeps the first.
+			$is_duplicate = isset( $used_names[ ascii_strtolower( $name ) ] );
+			if ( $is_duplicate && ! $this->prng->chance( 20 ) ) {
+				continue;
+			}
+			$used_names[ ascii_strtolower( $name ) ] = true;
+
+			if ( $this->prng->chance( 12 ) ) {
+				$name = $this->random_case( $name );
+			}
+
+			$lower = ascii_strtolower( $name );
+			if ( 'class' === $lower ) {
+				$value = $this->random_class_value();
+			} elseif ( 'id' === $lower ) {
+				$value = $this->prng->chance( 85 ) ? $this->random_id_value() : ( $this->prng->chance( 50 ) ? '' : true );
+			} elseif ( in_array( $lower, array( 'disabled', 'hidden' ), true ) ) {
+				$value = $this->prng->chance( 70 ) ? true : $this->prng->choice( array( '', 'disabled', 'true' ) );
+			} else {
+				$value = $this->prng->chance( 12 ) ? true : $this->random_attr_value();
+			}
+
+			$this->pools['attrNames'][] = ascii_strtolower( $name );
+			if ( is_string( $value ) && 'class' !== $lower ) {
+				$this->pools['attrValues'][] = $value;
+			}
+
+			$attrs[] = array( $name, $value );
+		}
+
+		return $attrs;
+	}
+
+	private function random_class_value(): string {
+		$count   = $this->prng->int( 1, 4 );
+		$classes = array();
+		for ( $i = 0; $i < $count; $i++ ) {
+			$class     = $this->random_word( true );
+			$raw_class = $this->maybe_inject_class_nul( $class );
+			$classes[] = $raw_class;
+			foreach ( self::class_tokens( $raw_class ) as $token ) {
+				$this->pools['classes'][] = $token;
+			}
+		}
+
+		$ws    = array( ' ', ' ', ' ', "\t", "\n", "\f", '  ' );
+		$value = $this->prng->chance( 20 ) ? $this->prng->choice( $ws ) : '';
+		foreach ( $classes as $i => $class ) {
+			if ( $i > 0 ) {
+				$value .= $this->prng->choice( $ws );
+			}
+			$value .= $class;
+		}
+		if ( $this->prng->chance( 20 ) ) {
+			$value .= $this->prng->choice( $ws );
+		}
+		return $value;
+	}
+
+	private function maybe_inject_class_nul( string $class ): string {
+		if ( '' === $class || ! $this->prng->chance( 12 ) ) {
+			return $class;
+		}
+
+		$points = utf8_codepoints( $class );
+		$at     = $this->prng->int( 0, count( $points ) );
+		$out    = '';
+		foreach ( $points as $i => $point ) {
+			if ( $i === $at ) {
+				$out .= "\0";
+			}
+			$out .= $point[0];
+		}
+		return $at === count( $points ) ? $out . "\0" : $out;
+	}
+
+	private function random_id_value(): string {
+		$id                   = $this->random_word( true );
+		$this->pools['ids'][] = $id;
+		return $id;
+	}
+
+	private function random_attr_value(): string {
+		$kind = $this->prng->weighted(
+			array(
+				'word'       => 35,
+				'words'      => 20,
+				'hyphenated' => 15,
+				'empty'      => 8,
+				'spicy'      => 12,
+				'unicode'    => 10,
+			)
+		);
+
+		switch ( $kind ) {
+			case 'word':
+				return $this->random_word( true );
+			case 'words':
+				$parts = array();
+				$n     = $this->prng->int( 2, 4 );
+				for ( $i = 0; $i < $n; $i++ ) {
+					$parts[] = $this->random_word( true );
+				}
+				return implode( $this->prng->choice( array( ' ', ' ', "\t", "\n" ) ), $parts );
+			case 'hyphenated':
+				return $this->random_word( false ) . '-' . $this->random_word( false );
+			case 'empty':
+				return '';
+			case 'spicy':
+				$spice = array( 'a"b', "a'b", 'a&b', 'a<b', 'a>b', 'a=b', 'a b c', '&amp;', '&quot;x', '100%', 'semi;colon', 'a,b' );
+				return $this->prng->choice( $spice );
+			case 'unicode':
+				$unicode = array( 'héllo', 'ÄÖÜ', '✓done', 'naïve', 'Ωmega', '\u{1F600}smile' );
+				$value   = $this->prng->choice( $unicode );
+				return str_replace( '\u{1F600}', "\u{1F600}", $value );
+		}
+		return 'fallback';
+	}
+
+	private function random_word( bool $allow_mixed_case ): string {
+		$stems = array( 'alpha', 'beta', 'gamma', 'delta', 'box', 'col', 'item', 'note', 'wide', 'main-item', 'x', 'a', '-lead', '--var', '_under', 'Über', 'mixedCase' );
+		$word  = $this->prng->choice( $stems );
+		if ( $this->prng->chance( 30 ) ) {
+			$word .= (string) $this->prng->int( 0, 99 );
+		}
+		if ( $allow_mixed_case && $this->prng->chance( 15 ) ) {
+			$word = $this->random_case( $word );
+		}
+		return $word;
+	}
+
+	private function random_case( string $input ): string {
+		$out = '';
+		for ( $i = 0; $i < strlen( $input ); $i++ ) {
+			$c    = $input[ $i ];
+			$out .= $this->prng->chance( 50 ) ? strtoupper( $c ) : strtolower( $c );
+		}
+		return $out;
+	}
+
+	/*
+	 * ---------
+	 * Rendering
+	 * ---------
+	 */
+
+	private function render_element( array $element ): string {
+		$out = '<' . $element['tag'];
+
+		$rendered_attrs = array( ' data-fid="' . $element['fid'] . '"' );
+		foreach ( $element['attrs'] as $attr ) {
+			$rendered_attrs[] = ' ' . $this->render_attr( $attr[0], $attr[1] );
+		}
+		$out .= implode( '', $rendered_attrs );
+
+		if ( $element['void'] ) {
+			$out .= $this->prng->chance( 25 ) ? ' />' : '>';
+			return $out;
+		}
+
+		$out .= '>';
+
+		$child_bits = array();
+		foreach ( $element['children'] as $child ) {
+			$child_bits[] = $this->render_element( $child );
+		}
+
+		/*
+		 * Sprinkle text and comments between children — but never directly
+		 * inside `html` or `head`, where character tokens would trigger
+		 * insertion-mode changes (early body creation, head popping) that
+		 * desynchronize the model from the parsed tree.
+		 */
+		$lower_tag       = strtolower( $element['tag'] );
+		$may_have_filler = ! in_array( $lower_tag, array( 'html', 'head' ), true );
+		$filler_options  = array(
+			'',
+			'text',
+			' more text ',
+			"\n  ",
+			'&amp; &lt;escaped&gt;',
+			'<!-- comment -->',
+			'café ✓',
+		);
+		$content         = '';
+		foreach ( $child_bits as $bit ) {
+			if ( $may_have_filler && $this->prng->chance( 40 ) ) {
+				$content .= $this->prng->choice( $filler_options );
+			}
+			$content .= $bit;
+		}
+		if ( $may_have_filler && $this->prng->chance( 40 ) ) {
+			$content .= $this->prng->choice( $filler_options );
+		}
+		if ( 'title' === $lower_tag ) {
+			// RAWTEXT: keep it plain.
+			$content = $this->prng->chance( 60 ) ? 'Fuzz Title' : '';
+		}
+
+		return $out . $content . '</' . $element['tag'] . '>';
+	}
+
+	/** @param string|true $value */
+	private function render_attr( string $name, $value ): string {
+		if ( true === $value ) {
+			return $name;
+		}
+
+		$style = $this->prng->weighted(
+			array(
+				'double'   => 60,
+				'single'   => 20,
+				'unquoted' => 20,
+			)
+		);
+
+		if ( 'unquoted' === $style && ( '' === $value || strlen( $value ) !== strspn( $value, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._:-' ) ) ) {
+			$style = 'double';
+		}
+
+		switch ( $style ) {
+			case 'unquoted':
+				return $name . '=' . $value;
+			case 'single':
+				return $name . "='" . str_replace( array( '&', "'", '<' ), array( '&amp;', '&#39;', '&lt;' ), $value ) . "'";
+			default:
+				return $name . '="' . str_replace( array( '&', '"', '<' ), array( '&amp;', '&quot;', '&lt;' ), $value ) . '"';
+		}
+	}
+
+	/*
+	 * ----------------
+	 * Model utilities
+	 * ----------------
+	 */
+
+	/** Pre-order (document order) list of elements. */
+	public static function flatten( array $element ): array {
+		$out = array( $element );
+		foreach ( $element['children'] as $child ) {
+			foreach ( self::flatten( $child ) as $descendant ) {
+				$out[] = $descendant;
+			}
+		}
+		return $out;
+	}
+
+	/**
+	 * Pre-order list of ( element, ancestors ) pairs where ancestors is the
+	 * chain from nearest ancestor to root — the same orientation as
+	 * WP_HTML_Processor::get_breadcrumbs() reversed past self.
+	 */
+	public static function flatten_with_ancestors( array $element, array $ancestors = array() ): array {
+		$out            = array( array( $element, $ancestors ) );
+		$next_ancestors = array_merge( array( $element ), $ancestors );
+		foreach ( $element['children'] as $child ) {
+			foreach ( self::flatten_with_ancestors( $child, $next_ancestors ) as $pair ) {
+				$out[] = $pair;
+			}
+		}
+		return $out;
+	}
+
+	/**
+	 * Flat element rows ( the TreeCapture row shape ) derived from a model:
+	 * pre-order, tags uppercased, attribute names lowercased with the first
+	 * of duplicates winning — directly comparable to a TreeCapture of the
+	 * rendered document.
+	 */
+	public static function rows_from_model( array $model ): array {
+		$rows = array();
+		foreach ( self::flatten_with_ancestors( $model ) as $pair ) {
+			list( $element, $ancestors ) = $pair;
+
+			$attrs = array();
+			$seen  = array();
+			foreach ( $element['attrs'] as $attr ) {
+				$lower = ascii_strtolower( $attr[0] );
+				if ( isset( $seen[ $lower ] ) ) {
+					continue;
+				}
+				$seen[ $lower ] = true;
+				$attrs[]        = array( $lower, $attr[1] );
+			}
+
+			$ancestor_tags = array();
+			foreach ( $ancestors as $ancestor ) {
+				$ancestor_tags[] = strtoupper( ascii_strtolower( $ancestor['tag'] ) );
+			}
+
+			$rows[] = array(
+				'tag'          => strtoupper( ascii_strtolower( $element['tag'] ) ),
+				'fid'          => $element['fid'],
+				'attrs'        => $attrs,
+				'ancestorTags' => $ancestor_tags,
+			);
+		}
+		return $rows;
+	}
+
+	/** First attribute value for a name, ASCII case-insensitive; null if absent. */
+	public static function get_attribute_value( array $element, string $name ) {
+		$comparable = ascii_strtolower( $name );
+		foreach ( $element['attrs'] as $attr ) {
+			if ( ascii_strtolower( $attr[0] ) === $comparable ) {
+				return $attr[1];
+			}
+		}
+		return null;
+	}
+
+	/**
+	 * Class tokens as seen by selector matching: ASCII whitespace separates
+	 * tokens, and NUL inside a token is exposed as U+FFFD by class_list().
+	 *
+	 * @return string[]
+	 */
+	public static function class_tokens( string $class_value ): array {
+		$tokens = array();
+		$length = strlen( $class_value );
+		$at     = 0;
+		$ws     = " \t\r\n\f";
+		while ( $at < $length ) {
+			$at += strspn( $class_value, $ws, $at );
+			if ( $at >= $length ) {
+				break;
+			}
+
+			$token_length = strcspn( $class_value, $ws, $at );
+			$tokens[]     = str_replace( "\0", "\u{FFFD}", substr( $class_value, $at, $token_length ) );
+			$at          += $token_length;
+		}
+		return $tokens;
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/LexborOracle.php b/tools/css-selector-fuzz/lib/LexborOracle.php
new file mode 100644
index 0000000000000..afb508ddc1278
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/LexborOracle.php
@@ -0,0 +1,215 @@
+<?php
+namespace CssSelectorFuzz;
+
+/**
+ * Adapter for the lexbor differential harness ( lexbor/harness.c ): a
+ * persistent child process fed one {html, selector} case per line, which
+ * answers with lexbor's element tree rows and match list.
+ *
+ * lexbor is the THIRD, independent matching opinion ( alongside the WP
+ * implementation under test and the fuzzer's ReferenceMatcher ). Verdicts:
+ *
+ *   reference != lexbor             => fuzzer-oracle problem ( investigate
+ *                                      the fuzzer, 'lexbor-divergence' ).
+ *   reference == lexbor != WP       => high-confidence WP finding ( the
+ *                                      regular match-mismatch-html failure
+ *                                      with no accompanying divergence ).
+ *
+ * Known bug compensated for: lexbor #368 — class and #id selectors match
+ * ASCII case-insensitively even in no-quirks mode ( attribute selectors
+ * like [id=x] are correctly case-sensitive ). Detected by probe at startup;
+ * when present, lexbor is compared against the reference matcher run with
+ * quirks-style class/ID folding. Quirks documents are compared only when
+ * the probe also confirms class and #id selectors fold in quirks mode.
+ */
+class LexborOracle {
+
+	const READ_TIMEOUT_SECONDS = 5;
+
+	/** @var resource|null */
+	private static $process = null;
+	/** @var array|null */
+	private static $pipes = null;
+	/** @var bool|null */
+	private static $available = null;
+	/** @var bool */
+	private static $issue368 = false;
+	/** @var bool */
+	private static $quirks_class_id_reliable = false;
+
+	public static function harness_path(): string {
+		return dirname( __DIR__ ) . '/lexbor/harness';
+	}
+
+	/** Whether the harness is built, starts, and answered the probes. */
+	public static function available(): bool {
+		if ( null !== self::$available ) {
+			return self::$available;
+		}
+
+		self::$available = false;
+		if ( ! is_executable( self::harness_path() ) || ! self::start() ) {
+			return false;
+		}
+
+		// Probe: sanity plus class/#id case-sensitivity behavior.
+		$sane = self::query( '<!DOCTYPE html><div class="a" data-fid="x"></div>', 'div.a' );
+		if ( null === $sane || array( 'x' ) !== $sane['matches'] ) {
+			self::stop();
+			return false;
+		}
+
+		$no_quirks_class = self::query( '<!DOCTYPE html><div class="a" data-fid="x"></div>', '.A' );
+		$no_quirks_id    = self::query( '<!DOCTYPE html><div id="a" data-fid="x"></div>', '#A' );
+		$quirks_class    = self::query( '<div class="a" data-fid="x"></div>', '.A' );
+		$quirks_id       = self::query( '<div id="a" data-fid="x"></div>', '#A' );
+		foreach ( array( $no_quirks_class, $no_quirks_id, $quirks_class, $quirks_id ) as $probe ) {
+			if ( null === $probe || null !== $probe['error'] ) {
+				self::stop();
+				return false;
+			}
+		}
+
+		self::$issue368 = array( 'x' ) === $no_quirks_class['matches']
+			|| array( 'x' ) === $no_quirks_id['matches'];
+		self::$quirks_class_id_reliable = ! self::$issue368
+			&& array() === $no_quirks_class['matches']
+			&& array() === $no_quirks_id['matches']
+			&& array( 'x' ) === $quirks_class['matches']
+			&& array( 'x' ) === $quirks_id['matches'];
+		self::$available = true;
+		return true;
+	}
+
+	/** Whether the built lexbor exhibits issue #368 ( class/ID case folding ). */
+	public static function has_issue_368(): bool {
+		return self::$issue368;
+	}
+
+	/** Whether lexbor can be trusted on quirks class/#id case folding. */
+	public static function quirks_class_id_reliable(): bool {
+		return self::$quirks_class_id_reliable;
+	}
+
+	/**
+	 * Runs one case through lexbor.
+	 *
+	 * @return array{
+	 *     rows: array<int, array{tag: string, fid: string, ancestorTags: string[]}>,
+	 *     matches: string[],
+	 *     error: string|null,
+	 * }|null Null when the harness is unavailable or misbehaved ( the
+	 *        harness is stopped; the caller should skip the differential ).
+	 */
+	public static function query( string $html, string $selector ): ?array {
+		if ( null === self::$process && ! self::start() ) {
+			return null;
+		}
+
+		$line    = base64_encode( $html ) . "\t" . base64_encode( $selector ) . "\n";
+		$written = fwrite( self::$pipes[0], $line );
+		fflush( self::$pipes[0] );
+		if ( strlen( $line ) !== $written ) {
+			self::stop();
+			self::$available = false;
+			return null;
+		}
+
+		$rows    = array();
+		$matches = array();
+		$error   = null;
+
+		while ( true ) {
+			$response = self::read_line();
+			if ( null === $response ) {
+				self::stop();
+				self::$available = false;
+				return null;
+			}
+			if ( 'D' === $response ) {
+				break;
+			}
+
+			$parts = explode( "\t", $response );
+			switch ( $parts[0] ) {
+				case 'R':
+					$rows[] = array(
+						'tag'          => $parts[1] ?? '',
+						'fid'          => $parts[2] ?? '',
+						'ancestorTags' => '' === ( $parts[3] ?? '' ) ? array() : explode( ',', $parts[3] ),
+					);
+					break;
+				case 'M':
+					$matches[] = $parts[1] ?? '';
+					break;
+				case 'X':
+					$error = $parts[1] ?? 'unknown';
+					break;
+			}
+		}
+
+		return array(
+			'rows'    => $rows,
+			'matches' => $matches,
+			'error'   => $error,
+		);
+	}
+
+	private static function start(): bool {
+		$descriptors = array(
+			0 => array( 'pipe', 'r' ),
+			1 => array( 'pipe', 'w' ),
+			2 => array( 'file', '/dev/null', 'w' ),
+		);
+
+		$process = proc_open( array( self::harness_path() ), $descriptors, $pipes );
+		if ( ! is_resource( $process ) ) {
+			return false;
+		}
+
+		self::$process = $process;
+		self::$pipes   = $pipes;
+		stream_set_blocking( $pipes[1], false );
+		return true;
+	}
+
+	private static function stop(): void {
+		if ( null === self::$process ) {
+			return;
+		}
+		@fclose( self::$pipes[0] );
+		@fclose( self::$pipes[1] );
+		@proc_terminate( self::$process, 9 );
+		@proc_close( self::$process );
+		self::$process = null;
+		self::$pipes   = null;
+	}
+
+	/** Reads one newline-terminated line with a timeout; null on failure. */
+	private static function read_line(): ?string {
+		$line     = '';
+		$deadline = microtime( true ) + self::READ_TIMEOUT_SECONDS;
+
+		while ( true ) {
+			$read   = array( self::$pipes[1] );
+			$write  = null;
+			$except = null;
+			$left   = $deadline - microtime( true );
+			if ( $left <= 0 ) {
+				return null;
+			}
+			$ready = stream_select( $read, $write, $except, 0, (int) ( $left * 1e6 ) );
+			if ( false === $ready || 0 === $ready ) {
+				return null;
+			}
+			$chunk = fgets( self::$pipes[1] );
+			if ( false === $chunk ) {
+				return null;
+			}
+			$line .= $chunk;
+			if ( str_ends_with( $line, "\n" ) ) {
+				return substr( $line, 0, -1 );
+			}
+		}
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/Metamorph.php b/tools/css-selector-fuzz/lib/Metamorph.php
new file mode 100644
index 0000000000000..159d8e8bedd52
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/Metamorph.php
@@ -0,0 +1,150 @@
+<?php
+namespace CssSelectorFuzz;
+
+/**
+ * Metamorphic transforms over the canonical selector AST.
+ *
+ * Each transform produces a variant selector that must select exactly the
+ * same elements as the original — no external oracle needed, the original's
+ * own match set is the expectation. AST-preserving transforms additionally
+ * assert that parsing the variant yields the transformed AST (so escape,
+ * whitespace, and case randomization cannot silently change meaning).
+ *
+ * Transforms:
+ *  - rerender:       same AST, fresh whitespace/quoting randomness with
+ *                    aggressive no-op ident escapes.
+ *  - typecase:       ASCII-random-case every type selector name (type
+ *                    matching is case-insensitive in HTML documents).
+ *  - subs-reorder:   rotate the subclass selectors of each compound with two
+ *                    or more (subclass order is commutative).
+ *  - universal:      write the omitted type selector as an explicit `*`.
+ *  - dup-branch:     append a duplicate of one selector-list branch
+ *                    (a, a ≡ a).
+ */
+class Metamorph {
+
+	/**
+	 * @param array $list_ast Canonical complex-list AST of the original.
+	 * @param Prng  $prng     Variant rendering randomness.
+	 * @return array<int, array{
+	 *     name: string,
+	 *     selector: string,
+	 *     ast: array,
+	 *     astMustMatch: bool,
+	 * }>
+	 */
+	public static function variants( array $list_ast, Prng $prng ): array {
+		/*
+		 * from_selectors() scrubs invalid UTF-8 to U+FFFD before parsing, so
+		 * parsed AST names are always valid UTF-8 and this guard should be
+		 * unreachable. It stays as defense in depth: the renderer can only
+		 * round-trip valid UTF-8 names, and a future AST source that skips
+		 * normalization would otherwise corrupt the variants silently.
+		 */
+		if ( ! ast_strings_are_utf8( $list_ast ) ) {
+			return array();
+		}
+
+		$out = array();
+
+		$out[] = array(
+			'name'         => 'rerender',
+			'selector'     => SelectorGenerator::render( $prng->fork( 'rerender' ), $list_ast, true ),
+			'ast'          => $list_ast,
+			'astMustMatch' => true,
+		);
+
+		$typecase = self::map_types(
+			$list_ast,
+			static function ( string $type ) use ( $prng ): string {
+				if ( '*' === $type ) {
+					return $type;
+				}
+				$out = '';
+				for ( $i = 0; $i < strlen( $type ); $i++ ) {
+					$c    = $type[ $i ];
+					$out .= $prng->chance( 50 ) ? strtoupper( $c ) : strtolower( $c );
+				}
+				return $out;
+			}
+		);
+		if ( $typecase !== $list_ast ) {
+			$out[] = array(
+				'name'         => 'typecase',
+				'selector'     => SelectorGenerator::render( $prng->fork( 'typecase' ), $typecase ),
+				'ast'          => $typecase,
+				'astMustMatch' => true,
+			);
+		}
+
+		$reordered = self::rotate_subs( $list_ast );
+		if ( $reordered !== $list_ast ) {
+			$out[] = array(
+				'name'         => 'subs-reorder',
+				'selector'     => SelectorGenerator::render( $prng->fork( 'subs-reorder' ), $reordered ),
+				'ast'          => $reordered,
+				'astMustMatch' => true,
+			);
+		}
+
+		$universal = self::explicit_universal( $list_ast );
+		if ( $universal !== $list_ast ) {
+			$out[] = array(
+				'name'         => 'universal',
+				'selector'     => SelectorGenerator::render( $prng->fork( 'universal' ), $universal ),
+				'ast'          => $universal,
+				'astMustMatch' => true,
+			);
+		}
+
+		$duplicated   = $list_ast;
+		$duplicated[] = $list_ast[ $prng->int( 0, count( $list_ast ) - 1 ) ];
+		$out[]        = array(
+			'name'         => 'dup-branch',
+			'selector'     => SelectorGenerator::render( $prng->fork( 'dup-branch' ), $duplicated ),
+			'ast'          => $duplicated,
+			'astMustMatch' => true,
+		);
+
+		return $out;
+	}
+
+	/** Applies $fn to every type-selector name: compound types and context types. */
+	private static function map_types( array $list_ast, callable $fn ): array {
+		foreach ( $list_ast as &$complex ) {
+			foreach ( $complex['context'] as &$pair ) {
+				$pair[0] = $fn( $pair[0] );
+			}
+			unset( $pair );
+			if ( null !== $complex['self']['type'] ) {
+				$complex['self']['type'] = $fn( $complex['self']['type'] );
+			}
+		}
+		unset( $complex );
+		return $list_ast;
+	}
+
+	/** Rotates the subclass list of every compound that has two or more. */
+	private static function rotate_subs( array $list_ast ): array {
+		foreach ( $list_ast as &$complex ) {
+			$subs = $complex['self']['subs'];
+			if ( is_array( $subs ) && count( $subs ) >= 2 ) {
+				$subs[]                  = array_shift( $subs );
+				$complex['self']['subs'] = $subs;
+			}
+		}
+		unset( $complex );
+		return $list_ast;
+	}
+
+	/** Writes an explicit `*` wherever a compound omitted its type selector. */
+	private static function explicit_universal( array $list_ast ): array {
+		foreach ( $list_ast as &$complex ) {
+			if ( null === $complex['self']['type'] && null !== $complex['self']['subs'] ) {
+				$complex['self']['type'] = '*';
+			}
+		}
+		unset( $complex );
+		return $list_ast;
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/Prng.php b/tools/css-selector-fuzz/lib/Prng.php
new file mode 100644
index 0000000000000..b8d8737304277
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/Prng.php
@@ -0,0 +1,65 @@
+<?php
+namespace CssSelectorFuzz;
+
+/**
+ * Deterministic PRNG: a sha256-keyed byte stream.
+ *
+ * The same ( seed, label ) always yields the same byte sequence regardless
+ * of platform, PHP version, or global RNG state.
+ */
+class Prng {
+	private $key;
+	private $counter = 0;
+	private $buffer  = '';
+
+	public function __construct( string $seed, string $label = '' ) {
+		$this->key = $seed . "\x1f" . $label;
+	}
+
+	/** Derives an independent child stream; consuming it does not affect this stream. */
+	public function fork( string $label ): Prng {
+		return new Prng( $this->key, $label . ':' . $this->uint32() );
+	}
+
+	public function bytes( int $length ): string {
+		while ( strlen( $this->buffer ) < $length ) {
+			$this->buffer .= hash( 'sha256', $this->key . ':' . $this->counter++, true );
+		}
+		$out          = substr( $this->buffer, 0, $length );
+		$this->buffer = substr( $this->buffer, $length );
+		return $out;
+	}
+
+	public function uint32(): int {
+		$parts = unpack( 'Nvalue', $this->bytes( 4 ) );
+		return (int) $parts['value'];
+	}
+
+	public function int( int $min, int $max ): int {
+		if ( $max <= $min ) {
+			return $min;
+		}
+		return $min + ( $this->uint32() % ( $max - $min + 1 ) );
+	}
+
+	public function chance( int $numerator, int $denominator = 100 ): bool {
+		return $this->int( 1, $denominator ) <= $numerator;
+	}
+
+	public function choice( array $values ) {
+		return $values[ $this->int( 0, count( $values ) - 1 ) ];
+	}
+
+	/** @param array<string|int, int> $weights value => weight */
+	public function weighted( array $weights ) {
+		$total = array_sum( $weights );
+		$pick  = $this->int( 1, max( 1, (int) $total ) );
+		foreach ( $weights as $value => $weight ) {
+			$pick -= $weight;
+			if ( $pick <= 0 ) {
+				return $value;
+			}
+		}
+		return array_key_first( $weights );
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/ReferenceMatcher.php b/tools/css-selector-fuzz/lib/ReferenceMatcher.php
new file mode 100644
index 0000000000000..ea422078e9893
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/ReferenceMatcher.php
@@ -0,0 +1,323 @@
+<?php
+namespace CssSelectorFuzz;
+
+/**
+ * Independent implementation of the supported CSS selector semantics.
+ *
+ * Operates on flat element "rows" in visit order — either derived from the
+ * generated document model or captured from the processor itself
+ * ( TreeCapture ). Each row carries the element's tag, attributes, and
+ * ( for the html processor view ) its nearest-first ancestor tag list,
+ * which is all the supported grammar can observe: context selectors are
+ * type-only.
+ *
+ * Semantics follow the CSS Selectors Level 4 specification:
+ *  - Tag names match ASCII case-insensitively (HTML documents).
+ *  - Attribute names match ASCII case-insensitively; the first of duplicate
+ *    attributes wins.
+ *  - Class and ID matching is exact, except in quirks mode where it is
+ *    ASCII case-insensitive.
+ *  - Attribute value matching is exact (byte-wise) unless the `i` modifier
+ *    requests ASCII case-insensitivity, or the attribute is in HTML's
+ *    case-insensitive list, the selector has no modifier, and the element
+ *    is in the html namespace (rows without a namespace field are html).
+ *  - For `^=`, `$=`, `*=` and `~=`, an empty (or for `~=`, whitespace-
+ *    containing) value matches nothing.
+ *
+ * Divergence between this matcher and the HTML API is a fuzzer finding.
+ */
+class ReferenceMatcher {
+
+	const WHITESPACE = " \t\r\n\f";
+
+	/**
+	 * HTML's case-insensitive attribute value list: with no `i`/`s`
+	 * modifier, these attributes' values match ASCII case-insensitively on
+	 * HTML elements. Independent copy — the matcher must not share a
+	 * possible misreading with the implementation under test.
+	 *
+	 * https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors
+	 */
+	const HTML_CASE_INSENSITIVE_ATTRIBUTES = array(
+		'accept'         => true,
+		'accept-charset' => true,
+		'align'          => true,
+		'alink'          => true,
+		'axis'           => true,
+		'bgcolor'        => true,
+		'charset'        => true,
+		'checked'        => true,
+		'clear'          => true,
+		'codetype'       => true,
+		'color'          => true,
+		'compact'        => true,
+		'declare'        => true,
+		'defer'          => true,
+		'dir'            => true,
+		'direction'      => true,
+		'disabled'       => true,
+		'enctype'        => true,
+		'face'           => true,
+		'frame'          => true,
+		'hreflang'       => true,
+		'http-equiv'     => true,
+		'lang'           => true,
+		'language'       => true,
+		'link'           => true,
+		'media'          => true,
+		'method'         => true,
+		'multiple'       => true,
+		'nohref'         => true,
+		'noresize'       => true,
+		'noshade'        => true,
+		'nowrap'         => true,
+		'readonly'       => true,
+		'rel'            => true,
+		'rev'            => true,
+		'rules'          => true,
+		'scope'          => true,
+		'scrolling'      => true,
+		'selected'       => true,
+		'shape'          => true,
+		'target'         => true,
+		'text'           => true,
+		'type'           => true,
+		'valign'         => true,
+		'valuetype'      => true,
+		'vlink'          => true,
+	);
+
+	/**
+	 * Expected match list for WP_HTML_Processor::select().
+	 *
+	 * @param array $list_ast     Canonical complex selector list AST.
+	 * @param array $rows         Element rows in visit order, with ancestorTags.
+	 * @param bool  $quirks       Whether the document parses in quirks mode.
+	 * @param bool  $html_attr_ci Whether HTML's case-insensitive attribute value
+	 *                            list applies. True models WP/browsers; false
+	 *                            models an engine without the rule ( lexbor ).
+	 * @return string[] data-fid values in visit order.
+	 */
+	public static function expected_html_matches_rows( array $list_ast, array $rows, bool $quirks, bool $html_attr_ci = true ): array {
+		$out = array();
+		foreach ( $rows as $row ) {
+			if ( self::list_matches_row( $list_ast, $row, $quirks, $html_attr_ci ) ) {
+				$out[] = $row['fid'];
+			}
+		}
+		return $out;
+	}
+
+	/**
+	 * Expected match list for WP_HTML_Tag_Processor::select() over the same
+	 * markup. The tag processor never enters quirks mode on its own and a
+	 * compound selector list never inspects ancestors.
+	 *
+	 * @param array $list_ast Canonical complex selector list AST ( contexts must be empty ).
+	 * @param array $rows     Tag-view element rows in token order.
+	 * @return string[] data-fid values in token order.
+	 */
+	public static function expected_tag_matches_rows( array $list_ast, array $rows ): array {
+		$out = array();
+		foreach ( $rows as $row ) {
+			$matched = false;
+			foreach ( $list_ast as $complex ) {
+				if ( self::compound_matches( $complex['self'], $row, false, true ) ) {
+					$matched = true;
+					break;
+				}
+			}
+			if ( $matched ) {
+				$out[] = $row['fid'];
+			}
+		}
+		return $out;
+	}
+
+	/** Back-compat: expected html-processor matches from a generated model. */
+	public static function expected_html_processor_matches( array $list_ast, array $model, bool $quirks ): array {
+		return self::expected_html_matches_rows( $list_ast, DocumentGenerator::rows_from_model( $model ), $quirks );
+	}
+
+	/** Back-compat: expected tag-processor matches from a generated model. */
+	public static function expected_tag_processor_matches( array $list_ast, array $model ): array {
+		return self::expected_tag_matches_rows( $list_ast, DocumentGenerator::rows_from_model( $model ) );
+	}
+
+	public static function list_matches_row( array $list_ast, array $row, bool $quirks, bool $html_attr_ci = true ): bool {
+		foreach ( $list_ast as $complex ) {
+			if (
+				self::compound_matches( $complex['self'], $row, $quirks, $html_attr_ci ) &&
+				self::explore_context( $complex['context'], $row['ancestorTags'] )
+			) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * @param array    $context       Right-to-left ( type, combinator ) pairs.
+	 * @param string[] $ancestor_tags Nearest-ancestor-first tag names.
+	 */
+	private static function explore_context( array $context, array $ancestor_tags ): bool {
+		if ( array() === $context ) {
+			return true;
+		}
+		if ( array() === $ancestor_tags ) {
+			return false;
+		}
+
+		list( $type, $combinator ) = $context[0];
+		$rest                      = array_slice( $context, 1 );
+
+		if ( '>' === $combinator ) {
+			return self::type_matches( $type, $ancestor_tags[0] )
+				&& self::explore_context( $rest, array_slice( $ancestor_tags, 1 ) );
+		}
+
+		// Descendant: try every matching ancestor.
+		$count = count( $ancestor_tags );
+		for ( $i = 0; $i < $count; $i++ ) {
+			if (
+				self::type_matches( $type, $ancestor_tags[ $i ] ) &&
+				self::explore_context( $rest, array_slice( $ancestor_tags, $i + 1 ) )
+			) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	public static function compound_matches( array $compound, array $row, bool $quirks, bool $html_attr_ci = true ): bool {
+		if ( null !== $compound['type'] && ! self::type_matches( $compound['type'], $row['tag'] ) ) {
+			return false;
+		}
+		foreach ( (array) $compound['subs'] as $sub ) {
+			if ( ! self::sub_matches( $sub, $row, $quirks, $html_attr_ci ) ) {
+				return false;
+			}
+		}
+		return true;
+	}
+
+	private static function type_matches( string $type, string $tag ): bool {
+		return '*' === $type || ascii_strtolower( $type ) === ascii_strtolower( $tag );
+	}
+
+	private static function sub_matches( array $sub, array $row, bool $quirks, bool $html_attr_ci ): bool {
+		switch ( $sub['kind'] ) {
+			case 'class':
+				return self::class_matches( $sub['name'], $row, $quirks );
+			case 'id':
+				return self::id_matches( $sub['name'], $row, $quirks );
+			case 'attr':
+				return self::attr_matches( $sub, $row, $html_attr_ci );
+		}
+		return false;
+	}
+
+	private static function class_matches( string $wanted, array $row, bool $quirks ): bool {
+		$class_value = DocumentGenerator::get_attribute_value( $row, 'class' );
+		if ( ! is_string( $class_value ) ) {
+			return false;
+		}
+
+		foreach ( DocumentGenerator::class_tokens( $class_value ) as $word ) {
+			if (
+				$quirks
+					? ascii_strtolower( $word ) === ascii_strtolower( $wanted )
+					: $word === $wanted
+			) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	private static function id_matches( string $wanted, array $row, bool $quirks ): bool {
+		$id = DocumentGenerator::get_attribute_value( $row, 'id' );
+		if ( ! is_string( $id ) ) {
+			return false;
+		}
+		return $quirks
+			? ascii_strtolower( $id ) === ascii_strtolower( $wanted )
+			: $id === $wanted;
+	}
+
+	private static function attr_matches( array $sub, array $row, bool $html_attr_ci ): bool {
+		$attr_value = DocumentGenerator::get_attribute_value( $row, $sub['name'] );
+		if ( null === $attr_value ) {
+			return false;
+		}
+		if ( null === $sub['matcher'] ) {
+			return true;
+		}
+		if ( true === $attr_value ) {
+			$attr_value = '';
+		}
+
+		$wanted           = (string) $sub['value'];
+		$case_insensitive = 'case-insensitive' === $sub['modifier'] || (
+			$html_attr_ci &&
+			null === $sub['modifier'] &&
+			'html' === ( $row['namespace'] ?? 'html' ) &&
+			isset( self::HTML_CASE_INSENSITIVE_ATTRIBUTES[ ascii_strtolower( $sub['name'] ) ] )
+		);
+		if ( $case_insensitive ) {
+			$attr_value = ascii_strtolower( $attr_value );
+			$wanted     = ascii_strtolower( $wanted );
+		}
+
+		switch ( $sub['matcher'] ) {
+			case 'exact':
+				return $attr_value === $wanted;
+
+			case 'one-of':
+				if ( '' === $wanted || strlen( $wanted ) !== strcspn( $wanted, self::WHITESPACE ) ) {
+					return false;
+				}
+				$length = strlen( $attr_value );
+				$at     = 0;
+				while ( $at < $length ) {
+					$at += strspn( $attr_value, self::WHITESPACE, $at );
+					if ( $at >= $length ) {
+						break;
+					}
+					$word_length = strcspn( $attr_value, self::WHITESPACE, $at );
+					if ( substr( $attr_value, $at, $word_length ) === $wanted ) {
+						return true;
+					}
+					$at += $word_length;
+				}
+				return false;
+
+			case 'exact-or-hyphen-suffixed':
+				if ( $attr_value === $wanted ) {
+					return true;
+				}
+				return 0 === strncmp( $attr_value, $wanted . '-', strlen( $wanted ) + 1 );
+
+			case 'prefixed':
+				if ( '' === $wanted ) {
+					return false;
+				}
+				return 0 === strncmp( $attr_value, $wanted, strlen( $wanted ) );
+
+			case 'suffixed':
+				if ( '' === $wanted ) {
+					return false;
+				}
+				return strlen( $attr_value ) >= strlen( $wanted )
+					&& substr( $attr_value, -strlen( $wanted ) ) === $wanted;
+
+			case 'contains':
+				if ( '' === $wanted ) {
+					return false;
+				}
+				return false !== strpos( $attr_value, $wanted );
+		}
+
+		return false;
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php
new file mode 100644
index 0000000000000..a41a3525878c2
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php
@@ -0,0 +1,1736 @@
+<?php
+namespace CssSelectorFuzz;
+
+/**
+ * Generates CSS selector strings in several buckets:
+ *
+ *  - supported-compound: within the grammar of WP_CSS_Compound_Selector_List.
+ *    Must parse in both list grammars. Carries the intended AST.
+ *  - supported-complex: uses descendant/child combinators with type-only
+ *    context selectors. Must parse as a complex list, must NOT parse as a
+ *    compound list. Carries the intended AST.
+ *  - unsupported: valid CSS that the parsers deliberately do not support
+ *    (pseudo-classes/elements, sibling/column combinators, namespaces,
+ *    non-type context selectors). Must not parse in either grammar.
+ *  - invalid: not valid CSS selectors at all. Must not parse.
+ *  - invalid-utf8: a supported compound with a raw ill-formed UTF-8 byte
+ *    sequence injected into an ident or string operand. from_selectors()
+ *    scrubs the input before parsing ( one U+FFFD per maximal subpart, CSS
+ *    Syntax §3.2 via the WHATWG decoder ), so the case carries the
+ *    post-scrub AST.
+ *  - chaos: arbitrary bytes. No parse expectation.
+ *  - mutated: a supported selector with random byte mutations. No parse
+ *    expectation.
+ *
+ * Whenever a generated selector carries an AST, the rendered string is
+ * randomized (whitespace, escapes, quoting styles) such that parsing it
+ * must yield exactly that AST.
+ */
+class SelectorGenerator {
+
+	const BUCKETS = array(
+		'supported-compound',
+		'supported-complex',
+		'path-directed',
+		'unsupported',
+		'invalid',
+		'invalid-utf8',
+		'chaos',
+		'mutated',
+		'edge-escape',
+	);
+
+	/**
+	 * Ill-formed UTF-8 byte classes and the number of U+FFFD replacements the
+	 * WHATWG UTF-8 decoder produces for each ( one per maximal subpart ).
+	 * The counts are pinned here as an independent expectation — computing
+	 * them with wp_scrub_utf8() would make the AST check a tautology.
+	 *
+	 * The counts assume the byte after the sequence is not a continuation
+	 * byte ( it could complete a truncated sequence ); the generator always
+	 * follows an injected sequence with ASCII or end of input.
+	 */
+	const INVALID_UTF8_CLASSES = array(
+		'lone-continuation' => array( "\x80", 1 ),
+		'truncated-2-byte'  => array( "\xC3", 1 ),
+		'truncated-3-byte'  => array( "\xE2\x8C", 1 ),
+		'truncated-4-byte'  => array( "\xF0\x9F\x82", 1 ),
+		'invalid-lead-f5'   => array( "\xF5", 1 ),
+		'invalid-lead-ff'   => array( "\xFF", 1 ),
+		'overlong-min'      => array( "\xC0\x80", 2 ),
+		'overlong-max'      => array( "\xC1\xBF", 2 ),
+		'surrogate-half'    => array( "\xED\xA0\x80", 3 ),
+		'beyond-max'        => array( "\xF4\x90\x80\x80", 4 ),
+	);
+
+	/** @var Prng */
+	private $prng;
+	/** @var array */
+	private $pools;
+	/** @var bool Escape ident codepoints aggressively when rendering. */
+	private $escape_boost = false;
+
+	private function __construct( Prng $prng, array $pools ) {
+		$this->prng  = $prng;
+		$this->pools = $pools;
+	}
+
+	/**
+	 * Renders a canonical complex-list AST to a selector string. Parsing the
+	 * result must yield exactly the given AST. With $escape_boost, idents are
+	 * escaped far more often (exercises the escape decoder on no-op escapes).
+	 */
+	public static function render( Prng $prng, array $list_ast, bool $escape_boost = false ): string {
+		$generator               = new self( $prng, array() );
+		$generator->escape_boost = $escape_boost;
+		return $generator->render_complex_list( $list_ast );
+	}
+
+	/**
+	 * Renders a canonical complex-list AST deterministically with minimal
+	 * escaping: single spaces around combinators, `, ` between branches,
+	 * double-quoted attribute values, lowercase `i`/`s` modifiers, and all
+	 * non-ASCII codepoints hex-escaped. Used to hand a semantically-identical
+	 * selector to external engines: lexbor rejects some byte-level forms WP
+	 * correctly accepts ( uppercase I/S attribute modifiers; raw non-ASCII
+	 * ident codepoints in U+00B7, U+00C0-U+00F6 — its non-ASCII ident table
+	 * starts at U+00F8 ). Escaping sidesteps codepoint classification.
+	 */
+	public static function render_canonical( array $list_ast ): string {
+		$branches = array();
+		foreach ( $list_ast as $complex ) {
+			$out = '';
+			foreach ( array_reverse( $complex['context'] ) as $pair ) {
+				list( $type, $combinator ) = $pair;
+				$out                      .= '*' === $type ? '*' : self::canonical_ident( $type );
+				$out                      .= '>' === $combinator ? ' > ' : ' ';
+			}
+
+			$compound = $complex['self'];
+			if ( null !== $compound['type'] ) {
+				$out .= '*' === $compound['type'] ? '*' : self::canonical_ident( $compound['type'] );
+			}
+			foreach ( (array) $compound['subs'] as $sub ) {
+				switch ( $sub['kind'] ) {
+					case 'class':
+						$out .= '.' . self::canonical_ident( $sub['name'] );
+						break;
+					case 'id':
+						$out .= '#' . self::canonical_ident( $sub['name'] );
+						break;
+					case 'attr':
+						$out .= '[' . self::canonical_ident( $sub['name'] );
+						if ( null !== $sub['matcher'] ) {
+							$matchers = array(
+								'exact'                    => '=',
+								'one-of'                   => '~=',
+								'exact-or-hyphen-suffixed' => '|=',
+								'prefixed'                 => '^=',
+								'suffixed'                 => '$=',
+								'contains'                 => '*=',
+							);
+							$out     .= $matchers[ $sub['matcher'] ] . self::canonical_string( (string) $sub['value'] );
+							if ( 'case-insensitive' === $sub['modifier'] ) {
+								$out .= ' i';
+							} elseif ( 'case-sensitive' === $sub['modifier'] ) {
+								$out .= ' s';
+							}
+						}
+						$out .= ']';
+						break;
+				}
+			}
+			$branches[] = $out;
+		}
+		return implode( ', ', $branches );
+	}
+
+	private static function canonical_ident( string $name ): string {
+		$points = utf8_codepoints( $name );
+		$count  = count( $points );
+		$out    = '';
+
+		foreach ( $points as $i => $point ) {
+			list( $char, $cp ) = $point;
+
+			$is_digit      = $cp >= 0x30 && $cp <= 0x39;
+			$is_ident_char = (
+				'-' === $char ||
+				'_' === $char ||
+				$is_digit ||
+				( $cp >= 0x41 && $cp <= 0x5A ) ||
+				( $cp >= 0x61 && $cp <= 0x7A )
+			);
+
+			$must_escape = ! $is_ident_char
+				|| ( 0 === $i && $is_digit )
+				|| ( 1 === $i && '-' === $points[0][0] && $is_digit )
+				|| ( 1 === $count && '-' === $char );
+
+			$out .= $must_escape ? '\\' . dechex( $cp ) . ' ' : $char;
+		}
+
+		return $out;
+	}
+
+	private static function canonical_string( string $value ): string {
+		$out = '"';
+		foreach ( utf8_codepoints( $value ) as $point ) {
+			list( $char, $cp ) = $point;
+			if ( '"' === $char || '\\' === $char || $cp < 0x20 || $cp > 0x7E ) {
+				$out .= '\\' . dechex( $cp ) . ' ';
+			} else {
+				$out .= $char;
+			}
+		}
+		return $out . '"';
+	}
+
+	/**
+	 * @param array      $pools Pools from DocumentGenerator ( tags, classes, ids, attrNames, attrValues ).
+	 * @param array|null $rows  Element rows ( TreeCapture shape ) with real
+	 *                          fids; enables the path-directed bucket.
+	 * @return array{
+	 *     bucket: string,
+	 *     selector: string,
+	 *     expectCompound: bool|null,
+	 *     expectComplex: bool|null,
+	 *     ast: array|null,
+	 *     mustMatchFid: string|null,
+	 *     mustNotMatchFid: string|null,
+	 * }
+	 */
+	public static function generate( Prng $prng, array $pools, ?array $rows = null, ?string $bucket = null ): array {
+		$generator = new self( $prng, $pools );
+
+		if ( null === $bucket ) {
+			$bucket = $prng->weighted(
+				null === $rows || array() === $rows
+					? array(
+						'supported-compound' => 28,
+						'supported-complex'  => 24,
+						'unsupported'        => 14,
+						'invalid'            => 11,
+						'invalid-utf8'       => 5,
+						'chaos'              => 8,
+						'mutated'            => 10,
+						'edge-escape'        => 5,
+					)
+					: array(
+						'supported-compound' => 23,
+						'supported-complex'  => 19,
+						'path-directed'      => 21,
+						'unsupported'        => 11,
+						'invalid'            => 9,
+						'invalid-utf8'       => 5,
+						'chaos'              => 6,
+						'mutated'            => 6,
+						'edge-escape'        => 5,
+					)
+			);
+		}
+
+		if ( 'path-directed' === $bucket && ( null === $rows || array() === $rows ) ) {
+			$bucket = 'supported-complex';
+		}
+
+		switch ( $bucket ) {
+			case 'supported-compound':
+				$ast = $generator->gen_complex_list( false );
+				return array(
+					'bucket'         => $bucket,
+					'selector'       => $generator->render_complex_list( $ast ),
+					'expectCompound' => true,
+					'expectComplex'  => true,
+					'ast'            => $ast,
+				);
+
+			case 'supported-complex':
+				$ast = $generator->gen_complex_list( true );
+				return array(
+					'bucket'         => $bucket,
+					'selector'       => $generator->render_complex_list( $ast ),
+					'expectCompound' => false,
+					'expectComplex'  => true,
+					'ast'            => $ast,
+				);
+
+			case 'path-directed':
+				return $generator->gen_path_directed( $rows );
+
+			case 'edge-escape':
+				return $generator->gen_edge_escape();
+
+			case 'invalid-utf8':
+				return $generator->gen_invalid_utf8();
+
+			case 'unsupported':
+				return array(
+					'bucket'         => $bucket,
+					'selector'       => $generator->gen_unsupported(),
+					'expectCompound' => false,
+					'expectComplex'  => false,
+					'ast'            => null,
+				);
+
+			case 'invalid':
+				return array(
+					'bucket'         => $bucket,
+					'selector'       => $generator->gen_invalid(),
+					'expectCompound' => false,
+					'expectComplex'  => false,
+					'ast'            => null,
+				);
+
+			case 'chaos':
+				return array(
+					'bucket'         => $bucket,
+					'selector'       => $generator->gen_chaos(),
+					'expectCompound' => null,
+					'expectComplex'  => null,
+					'ast'            => null,
+				);
+
+			case 'mutated':
+			default:
+				$ast      = $generator->gen_complex_list( $generator->prng->chance( 50 ) );
+				$rendered = $generator->render_complex_list( $ast );
+				return array(
+					'bucket'         => 'mutated',
+					'selector'       => $generator->mutate( $rendered ),
+					'expectCompound' => null,
+					'expectComplex'  => null,
+					'ast'            => null,
+				);
+		}
+	}
+
+	/*
+	 * --------------
+	 * AST generation
+	 * --------------
+	 *
+	 * Canonical AST shapes (matching what AstExtractor produces from
+	 * parsed WP_CSS_* objects):
+	 *
+	 *   list:     array of complex
+	 *   complex:  array( 'context' => array( array( type, combinator ) ... right-to-left ), 'self' => compound )
+	 *   compound: array( 'type' => string|null, 'subs' => array|null )
+	 *   sub:      array( 'kind' => 'class'|'id', 'name' => string )
+	 *           | array( 'kind' => 'attr', 'name' => string, 'matcher' => string|null,
+	 *                    'value' => string|null, 'modifier' => string|null )
+	 */
+
+	private function gen_complex_list( bool $require_combinator ): array {
+		$count = $this->prng->weighted(
+			array(
+				1 => 55,
+				2 => 30,
+				3 => 15,
+			)
+		);
+
+		$list                 = array();
+		$combinator_at        = $require_combinator ? $this->prng->int( 0, $count - 1 ) : -1;
+		for ( $i = 0; $i < $count; $i++ ) {
+			$wants_combinators = $i === $combinator_at || ( $require_combinator && $this->prng->chance( 30 ) );
+			$list[]            = $this->gen_complex( $require_combinator ? $wants_combinators : false );
+		}
+		return $list;
+	}
+
+	private function gen_complex( bool $with_combinators ): array {
+		$context = array();
+		if ( $with_combinators ) {
+			$context_count = $this->prng->int( 1, 3 );
+			for ( $i = 0; $i < $context_count; $i++ ) {
+				$context[] = array(
+					$this->gen_type_name( true ),
+					$this->prng->chance( 50 ) ? ' ' : '>',
+				);
+			}
+		}
+
+		return array(
+			'context' => $context,
+			'self'    => $this->gen_compound(),
+		);
+	}
+
+	private function gen_compound(): array {
+		$has_type  = $this->prng->chance( 65 );
+		$sub_count = $this->prng->weighted(
+			array(
+				0 => 30,
+				1 => 40,
+				2 => 20,
+				3 => 10,
+			)
+		);
+		if ( ! $has_type && 0 === $sub_count ) {
+			if ( $this->prng->chance( 50 ) ) {
+				$has_type = true;
+			} else {
+				$sub_count = 1;
+			}
+		}
+
+		$subs = array();
+		for ( $i = 0; $i < $sub_count; $i++ ) {
+			$subs[] = $this->gen_subclass();
+		}
+
+		return array(
+			'type' => $has_type ? $this->gen_type_name( false ) : null,
+			'subs' => array() === $subs ? null : $subs,
+		);
+	}
+
+	private function gen_type_name( bool $for_context ): string {
+		if ( $this->prng->chance( $for_context ? 25 : 12 ) ) {
+			return '*';
+		}
+		$pool = $this->pools['tags'] ?? array();
+		if ( array() !== $pool && $this->prng->chance( 70 ) ) {
+			$name = $this->prng->choice( $pool );
+			return $this->prng->chance( 25 ) ? $this->random_case( $name ) : $name;
+		}
+		return $this->prng->choice( array( 'video', 'table', 'x-absent', 'object', 'span' ) );
+	}
+
+	private function gen_subclass(): array {
+		$kind = $this->prng->weighted(
+			array(
+				'class' => 40,
+				'id'    => 25,
+				'attr'  => 35,
+			)
+		);
+
+		switch ( $kind ) {
+			case 'class':
+				return array(
+					'kind' => 'class',
+					'name' => $this->pick_name( 'classes' ),
+				);
+			case 'id':
+				return array(
+					'kind' => 'id',
+					'name' => $this->pick_name( 'ids' ),
+				);
+			default:
+				return $this->gen_attr_selector();
+		}
+	}
+
+	private function gen_attr_selector(): array {
+		$name = $this->pick_name( 'attrNames' );
+
+		$matcher = $this->prng->weighted(
+			array(
+				''                         => 25,
+				'exact'                    => 20,
+				'one-of'                   => 12,
+				'exact-or-hyphen-suffixed' => 11,
+				'prefixed'                 => 11,
+				'suffixed'                 => 11,
+				'contains'                 => 10,
+			)
+		);
+		$matcher = '' === $matcher ? null : $matcher;
+
+		if ( null === $matcher ) {
+			return array(
+				'kind'     => 'attr',
+				'name'     => $name,
+				'matcher'  => null,
+				'value'    => null,
+				'modifier' => null,
+			);
+		}
+
+		$modifier = $this->prng->weighted(
+			array(
+				''                 => 70,
+				'case-insensitive' => 18,
+				'case-sensitive'   => 12,
+			)
+		);
+
+		$value = $this->gen_attr_value();
+
+		/*
+		 * HTML's case-insensitive attribute value list: with no modifier,
+		 * the values of listed attributes ( type, rel, lang, dir, ... )
+		 * match ASCII case-insensitively on HTML elements. Sometimes flip
+		 * the case of the selector value for a listed attribute so the
+		 * differential exercises that rule rather than relying on sampled
+		 * values happening to differ in case.
+		 */
+		if (
+			'' === $modifier &&
+			isset( ReferenceMatcher::HTML_CASE_INSENSITIVE_ATTRIBUTES[ ascii_strtolower( $name ) ] ) &&
+			$this->prng->chance( 40 )
+		) {
+			$value = $this->prng->chance( 50 ) ? ascii_strtoupper( $value ) : str_shuffle_case( $value, $this->prng );
+		}
+
+		return array(
+			'kind'     => 'attr',
+			'name'     => $name,
+			'matcher'  => $matcher,
+			'value'    => $value,
+			'modifier' => '' === $modifier ? null : $modifier,
+		);
+	}
+
+	private function gen_attr_value(): string {
+		$pool = $this->pools['attrValues'] ?? array();
+
+		$kind = $this->prng->weighted(
+			array(
+				'pool'      => 35,
+				'pool-part' => 20,
+				'pool-case' => 10,
+				'empty'     => 10,
+				'word'      => 15,
+				'tricky'    => 10,
+			)
+		);
+
+		if ( in_array( $kind, array( 'pool', 'pool-part', 'pool-case' ), true ) && array() === $pool ) {
+			$kind = 'word';
+		}
+
+		switch ( $kind ) {
+			case 'pool':
+				return $this->prng->choice( $pool );
+
+			case 'pool-part':
+				$value = $this->prng->choice( $pool );
+				if ( '' === $value ) {
+					return '';
+				}
+				$points = utf8_codepoints( $value );
+				$total  = count( $points );
+				$start  = $this->prng->int( 0, max( 0, $total - 1 ) );
+				$length = $this->prng->int( 1, $total - $start );
+				$part   = '';
+				for ( $i = $start; $i < $start + $length; $i++ ) {
+					$part .= $points[ $i ][0];
+				}
+				return $part;
+
+			case 'pool-case':
+				return $this->random_case( $this->prng->choice( $pool ) );
+
+			case 'empty':
+				return '';
+
+			case 'word':
+				return $this->prng->choice( array( 'alpha', 'beta9', 'value', 'main-item', 'Z', 'i', 's', 'one two', 'x-y-z' ) );
+
+			case 'tricky':
+			default:
+				return $this->prng->choice(
+					array(
+						'a b',
+						" lead",
+						"trail ",
+						"tab\there",
+						"line\nbreak",
+						'quote"inside',
+						"apos'inside",
+						'back\\slash',
+						'-',
+						'--',
+						'0digit',
+						'ünïcode',
+					)
+				);
+		}
+	}
+
+	private function pick_name( string $pool_key ): string {
+		$pool = $this->pools[ $pool_key ] ?? array();
+		if ( array() !== $pool && $this->prng->chance( 65 ) ) {
+			$name = $this->prng->choice( $pool );
+			if ( '' !== $name && $this->prng->chance( 20 ) ) {
+				$name = $this->random_case( $name );
+			}
+			if ( '' !== $name ) {
+				return $name;
+			}
+		}
+		return $this->prng->choice(
+			array(
+				'absent',
+				'no-such-thing',
+				'x',
+				'-lead',
+				'--double',
+				'_under',
+				'Ünïcode',
+				'with space',
+				'9starts-with-digit',
+				'-9hyphen-digit',
+				'mixedCase',
+			)
+		);
+	}
+
+	/*
+	 * ---------------------------
+	 * Edge-case escapes and input
+	 * ---------------------------
+	 *
+	 * Targets parser branches the structural generators can't reach:
+	 *  - hex escapes whose codepoint is NUL / a surrogate / over-max, which
+	 *    the tokenizer must decode to U+FFFD;
+	 *  - raw NUL / CR / CRLF / FF bytes in the selector input, which
+	 *    the selector token stream preprocesses ( NUL→U+FFFD, the rest→LF ).
+	 *
+	 * These carry a known intended AST: the decoded ident is the U+FFFD
+	 * replacement character ( or, for input normalization, the same selector
+	 * with whitespace normalized ), so the AST round-trip still applies.
+	 */
+	private function gen_edge_escape(): array {
+		$kind = $this->prng->weighted(
+			array(
+				'fffd-ident'    => 35,
+				'eof-escape'    => 20,
+				'eof-truncated' => 15,
+				'nul-input'     => 15,
+				'ws-input'      => 15,
+			)
+		);
+
+		if ( 'eof-truncated' === $kind ) {
+			/*
+			 * The end of input auto-closes an unterminated attribute selector
+			 * block ( and an unterminated string inside it ): `[a=b` is the
+			 * same selector as `[a=b]`.
+			 *
+			 * https://www.w3.org/TR/css-syntax-3/#consume-simple-block
+			 */
+			$matcher  = $this->prng->choice( array( null, 'exact', 'one-of', 'exact-or-hyphen-suffixed', 'prefixed', 'suffixed', 'contains' ) );
+			$value    = null === $matcher ? null : $this->prng->choice( array( 'v' . $this->prng->int( 0, 99 ), 'a b', '', 'x,y', "caf\u{E9}" ) );
+			$modifier = null !== $matcher && $this->prng->chance( 30 )
+				? $this->prng->choice( array( 'case-insensitive', 'case-sensitive' ) )
+				: null;
+			$compound = array(
+				'type' => $this->prng->chance( 50 ) ? 'div' : null,
+				'subs' => array(
+					array(
+						'kind'     => 'attr',
+						'name'     => 'a' . $this->prng->int( 0, 99 ),
+						'matcher'  => $matcher,
+						'value'    => $value,
+						'modifier' => $modifier,
+					),
+				),
+			);
+
+			// The attribute selector is the final rendered unit, so the render always ends with ']'.
+			$rendered  = $this->render_compound( $compound );
+			$truncated = substr( $rendered, 0, -1 );
+
+			// Sometimes also drop a closing string quote: EOF terminates the string, then closes the block.
+			$last_byte = substr( $truncated, -1 );
+			if ( ( '"' === $last_byte || "'" === $last_byte ) && $this->prng->chance( 50 ) ) {
+				$truncated = substr( $truncated, 0, -1 );
+
+				// A backslash at the end of an unterminated string "does nothing": the value is unchanged.
+				if ( $this->prng->chance( 40 ) ) {
+					$truncated .= '\\';
+				}
+			}
+
+			return array(
+				'bucket'         => 'edge-escape',
+				'selector'       => $truncated,
+				'expectCompound' => true,
+				'expectComplex'  => true,
+				'ast'            => array(
+					array(
+						'context' => array(),
+						'self'    => $compound,
+					),
+				),
+			);
+		}
+
+		if ( 'eof-escape' === $kind ) {
+			/*
+			 * A backslash at the end of input is a valid escape ( EOF is not
+			 * a newline ) and decodes to U+FFFD, in ident context only:
+			 * `.foo\` is the class `foo\u{FFFD}`.
+			 *
+			 * https://www.w3.org/TR/css-syntax-3/#consume-escaped-code-point
+			 */
+			$name = $this->prng->chance( 30 ) ? '' : 'a' . $this->prng->int( 0, 99 );
+			list( $selector, $self ) = $this->prng->choice(
+				array(
+					array(
+						'.' . $name . '\\',
+						array(
+							'type' => null,
+							'subs' => array( array( 'kind' => 'class', 'name' => $name . "\u{FFFD}" ) ),
+						),
+					),
+					array(
+						'#' . $name . '\\',
+						array(
+							'type' => null,
+							'subs' => array( array( 'kind' => 'id', 'name' => $name . "\u{FFFD}" ) ),
+						),
+					),
+					array(
+						$name . '\\',
+						array(
+							'type' => $name . "\u{FFFD}",
+							'subs' => null,
+						),
+					),
+				)
+			);
+			return array(
+				'bucket'         => 'edge-escape',
+				'selector'       => $selector,
+				'expectCompound' => true,
+				'expectComplex'  => true,
+				'ast'            => array(
+					array(
+						'context' => array(),
+						'self'    => $self,
+					),
+				),
+			);
+		}
+
+		if ( 'fffd-ident' === $kind ) {
+			// A class selector whose name is a single U+FFFD, produced by a
+			// hex escape for an out-of-range codepoint.
+			$hex = $this->prng->choice(
+				array(
+					'0',
+					'00',
+					'000000',
+					dechex( $this->prng->int( 0xD800, 0xDFFF ) ),       // surrogate
+					dechex( $this->prng->int( 0x110000, 0xFFFFFF ) ),   // over-max
+				)
+			);
+			if ( $this->prng->chance( 40 ) ) {
+				$hex = strtoupper( $hex );
+			}
+			$selector = '.\\' . $hex . ' ';
+			$ast      = array(
+				array(
+					'context' => array(),
+					'self'    => array(
+						'type' => null,
+						'subs' => array( array( 'kind' => 'class', 'name' => "\u{FFFD}" ) ),
+					),
+				),
+			);
+			return array(
+				'bucket'         => 'edge-escape',
+				'selector'       => $selector,
+				'expectCompound' => true,
+				'expectComplex'  => true,
+				'ast'            => $ast,
+			);
+		}
+
+		/*
+		 * Raw control bytes in the selector input. A small fixed compound
+		 * keeps the case focused on selector input preprocessing and avoids
+		 * entangling with unrelated attribute-selector edge cases.
+		 */
+		$compound = array(
+			'type' => $this->prng->chance( 50 ) ? 'span' : null,
+			'subs' => array(
+				array( 'kind' => 'class', 'name' => 'foo' ),
+				array( 'kind' => 'id', 'name' => 'bar' ),
+			),
+		);
+		if ( null === $compound['type'] && $this->prng->chance( 50 ) ) {
+			array_pop( $compound['subs'] );
+		}
+		$rendered = $this->render_compound( $compound );
+
+		if ( 'nul-input' === $kind ) {
+			// A NUL between a class dot's selectors becomes part of an ident
+			// only in limited spots; simplest reliable case: a class whose
+			// name contains a NUL ( → U+FFFD ).
+			$ast = array(
+				array(
+					'context' => array(),
+					'self'    => array(
+						'type' => null,
+						'subs' => array( array( 'kind' => 'class', 'name' => "a\u{FFFD}b" ) ),
+					),
+				),
+			);
+			return array(
+				'bucket'         => 'edge-escape',
+				'selector'       => ".a\0b",
+				'expectCompound' => true,
+				'expectComplex'  => true,
+				'ast'            => $ast,
+			);
+		}
+
+		// ws-input: wrap/insert CR, CRLF, FF as insignificant whitespace.
+		$lead  = $this->prng->choice( array( "\r", "\f", "\r\n", "\r\r", "\f\f" ) );
+		$trail = $this->prng->choice( array( "\r", "\f", "\r\n", '' ) );
+		return array(
+			'bucket'         => 'edge-escape',
+			'selector'       => $lead . $rendered . $trail,
+			'expectCompound' => true,
+			'expectComplex'  => true,
+			'ast'            => array(
+				array(
+					'context' => array(),
+					'self'    => $compound,
+				),
+			),
+		);
+	}
+
+	/*
+	 * -----------------------
+	 * Invalid-UTF-8 injection
+	 * -----------------------
+	 *
+	 * Raw ill-formed UTF-8 byte sequences in the selector input, mirroring
+	 * the nul-input pattern: a small fixed simple selector keeps the case
+	 * focused on the selector token stream scrub. Each maximal subpart
+	 * of the injected sequence decodes to one U+FFFD ( per-class counts
+	 * pinned in INVALID_UTF8_CLASSES ), and U+FFFD is a valid ident
+	 * codepoint — including in start position — so the scrubbed selector
+	 * must parse and the post-scrub AST is known by construction.
+	 */
+	private function gen_invalid_utf8(): array {
+		list( $bytes, $subparts ) = $this->prng->choice( array_values( self::INVALID_UTF8_CLASSES ) );
+
+		$position = $this->prng->choice( array( 'lead', 'mid', 'trail', 'whole' ) );
+		$prefix   = in_array( $position, array( 'lead', 'whole' ), true ) ? '' : 'a' . $this->prng->int( 0, 9 );
+		$suffix   = in_array( $position, array( 'trail', 'whole' ), true ) ? '' : 'z' . $this->prng->int( 0, 9 );
+		$raw      = $prefix . $bytes . $suffix;
+		$decoded  = $prefix . str_repeat( "\u{FFFD}", $subparts ) . $suffix;
+
+		switch ( $this->prng->choice( array( 'class', 'id', 'attr-name', 'attr-value' ) ) ) {
+			case 'class':
+				$rendered = '.' . $raw;
+				$sub      = array(
+					'kind' => 'class',
+					'name' => $decoded,
+				);
+				break;
+
+			case 'id':
+				$rendered = '#' . $raw;
+				$sub      = array(
+					'kind' => 'id',
+					'name' => $decoded,
+				);
+				break;
+
+			case 'attr-name':
+				$rendered = '[' . $raw . ']';
+				$sub      = array(
+					'kind'     => 'attr',
+					'name'     => $decoded,
+					'matcher'  => null,
+					'value'    => null,
+					'modifier' => null,
+				);
+				break;
+
+			case 'attr-value':
+			default:
+				$name     = 'a' . $this->prng->int( 0, 99 );
+				$quote    = $this->prng->chance( 50 ) ? '"' : "'";
+				$rendered = '[' . $name . '=' . $quote . $raw . $quote . ']';
+				$sub      = array(
+					'kind'     => 'attr',
+					'name'     => $name,
+					'matcher'  => 'exact',
+					'value'    => $decoded,
+					'modifier' => null,
+				);
+				break;
+		}
+
+		$type = $this->prng->chance( 40 ) ? 'span' : null;
+
+		return array(
+			'bucket'         => 'invalid-utf8',
+			'selector'       => ( null === $type ? '' : $type ) . $rendered,
+			'expectCompound' => true,
+			'expectComplex'  => true,
+			'ast'            => array(
+				array(
+					'context' => array(),
+					'self'    => array(
+						'type' => $type,
+						'subs' => array( $sub ),
+					),
+				),
+			),
+		);
+	}
+
+	/*
+	 * ------------------------
+	 * Path-directed generation
+	 * ------------------------
+	 *
+	 * Synthesizes a selector from a real element of the model tree so that
+	 * the selector is guaranteed (by construction) to match that element:
+	 * the type comes from its tag, subclasses from its actual classes / id /
+	 * attributes, and the context chain from its actual ancestor tags with
+	 * combinators consistent with the real nesting. Optionally one feature
+	 * is then flipped into a "near-miss" that is guaranteed NOT to match
+	 * the element ( or, for combinator loosening, still guaranteed to ).
+	 */
+
+	private function gen_path_directed( array $rows ): array {
+		// Bias toward elements deep enough for a meaningful context chain.
+		$deep = array();
+		foreach ( $rows as $row ) {
+			if ( count( $row['ancestorTags'] ) >= 2 ) {
+				$deep[] = $row;
+			}
+		}
+		$element = array() !== $deep && $this->prng->chance( 75 )
+			? $this->prng->choice( $deep )
+			: $this->prng->choice( $rows );
+
+		$compound = $this->path_compound_for( $element );
+		$context  = array() !== $element['ancestorTags'] && $this->prng->chance( 75 )
+			? $this->path_context_for( $element['ancestorTags'] )
+			: array();
+
+		$list = array(
+			array(
+				'context' => $context,
+				'self'    => $compound,
+			),
+		);
+
+		$must_match     = $element['fid'];
+		$must_not_match = null;
+
+		if ( $this->prng->chance( 40 ) ) {
+			list( $list, $must_match, $must_not_match ) = $this->path_near_miss( $list, $element );
+		} elseif ( $this->prng->chance( 20 ) ) {
+			// Extra unrelated branch: a list union can only add matches.
+			$list[] = $this->gen_complex( $this->prng->chance( 30 ) );
+		}
+
+		$has_context = false;
+		foreach ( $list as $complex ) {
+			if ( array() !== $complex['context'] ) {
+				$has_context = true;
+				break;
+			}
+		}
+
+		return array(
+			'bucket'          => 'path-directed',
+			'selector'        => $this->render_complex_list( $list ),
+			'expectCompound'  => ! $has_context,
+			'expectComplex'   => true,
+			'ast'             => $list,
+			'mustMatchFid'    => $must_match,
+			'mustNotMatchFid' => $must_not_match,
+		);
+	}
+
+	/** A compound selector built only from features the element row really has. */
+	private function path_compound_for( array $element ): array {
+		$tag = ascii_strtolower( $element['tag'] );
+
+		$features = array();
+
+		$class_value = DocumentGenerator::get_attribute_value( $element, 'class' );
+		if ( is_string( $class_value ) ) {
+			foreach ( DocumentGenerator::class_tokens( $class_value ) as $word ) {
+				$features[] = array( 'kind' => 'class', 'name' => $word );
+			}
+		}
+
+		$id_value = DocumentGenerator::get_attribute_value( $element, 'id' );
+		if ( is_string( $id_value ) && '' !== $id_value ) {
+			$features[] = array( 'kind' => 'id', 'name' => $id_value );
+		}
+
+		$seen_attrs = array();
+		foreach ( $element['attrs'] as $attr ) {
+			$lower = ascii_strtolower( $attr[0] );
+			if ( isset( $seen_attrs[ $lower ] ) ) {
+				continue;
+			}
+			$seen_attrs[ $lower ] = true;
+			if ( 'class' === $lower && is_string( $attr[1] ) && false !== strpos( $attr[1], "\0" ) ) {
+				continue;
+			}
+			$features[]           = $this->path_attr_feature( $lower, $attr[1], 'html' === ( $element['namespace'] ?? 'html' ) );
+		}
+
+		$subs      = array();
+		$available = count( $features );
+		if ( $available > 0 ) {
+			$want = min( $available, $this->prng->weighted( array( 0 => 25, 1 => 40, 2 => 25, 3 => 10 ) ) );
+			for ( $i = 0; $i < $want; $i++ ) {
+				$at     = $this->prng->int( 0, count( $features ) - 1 );
+				$subs[] = $features[ $at ];
+				array_splice( $features, $at, 1 );
+			}
+		}
+
+		$type = null;
+		if ( array() === $subs || $this->prng->chance( 70 ) ) {
+			$type = $this->prng->chance( 12 ) ? '*' : ( $this->prng->chance( 30 ) ? $this->random_case( $tag ) : $tag );
+		}
+
+		return array(
+			'type' => $type,
+			'subs' => array() === $subs ? null : $subs,
+		);
+	}
+
+	/** An attribute selector that the (name, value) pair satisfies. */
+	private function path_attr_feature( string $name, $value, bool $is_html_namespace = true ): array {
+		$presence = array(
+			'kind'     => 'attr',
+			'name'     => $this->prng->chance( 15 ) ? $this->random_case( $name ) : $name,
+			'matcher'  => null,
+			'value'    => null,
+			'modifier' => null,
+		);
+
+		if ( true === $value ) {
+			// A boolean attribute has the empty string as its value.
+			$value = '';
+		}
+		if ( ! is_string( $value ) || $this->prng->chance( 30 ) ) {
+			return $presence;
+		}
+
+		$points = utf8_codepoints( $value );
+		$total  = count( $points );
+
+		$candidates = array( array( 'exact', $value ) );
+
+		foreach ( preg_split( '/[ \t\n\f\r]+/', $value, -1, PREG_SPLIT_NO_EMPTY ) as $word ) {
+			$candidates[] = array( 'one-of', $word );
+			break;
+		}
+
+		$hyphen_at = strpos( $value, '-' );
+		$candidates[] = array( 'exact-or-hyphen-suffixed', false === $hyphen_at ? $value : substr( $value, 0, $hyphen_at ) );
+
+		if ( $total > 0 ) {
+			$slice = static function ( array $points, int $start, int $length ): string {
+				$out = '';
+				for ( $i = $start; $i < $start + $length; $i++ ) {
+					$out .= $points[ $i ][0];
+				}
+				return $out;
+			};
+
+			$candidates[] = array( 'prefixed', $slice( $points, 0, $this->prng->int( 1, $total ) ) );
+			$length       = $this->prng->int( 1, $total );
+			$candidates[] = array( 'suffixed', $slice( $points, $total - $length, $length ) );
+			$start        = $this->prng->int( 0, $total - 1 );
+			$candidates[] = array( 'contains', $slice( $points, $start, $this->prng->int( 1, $total - $start ) ) );
+		}
+
+		list( $matcher, $operand ) = $this->prng->choice( $candidates );
+
+		/*
+		 * `|=` with an operand cut at a hyphen only matches when the operand
+		 * is non-empty and actually a value prefix; an operand equal to the
+		 * value always matches. Guard the degenerate empty-operand cases.
+		 */
+		if ( 'exact-or-hyphen-suffixed' === $matcher && '' === $operand && '' !== $value ) {
+			$matcher = 'exact';
+			$operand = $value;
+		}
+		if ( in_array( $matcher, array( 'one-of', 'prefixed', 'suffixed', 'contains' ), true ) && '' === $operand ) {
+			return $presence;
+		}
+
+		$modifier = null;
+		if ( $this->prng->chance( 25 ) ) {
+			if ( $this->prng->chance( 60 ) ) {
+				$modifier = 'case-insensitive';
+				$operand  = $this->random_case( $operand );
+			} else {
+				$modifier = 'case-sensitive';
+			}
+		} elseif (
+			$is_html_namespace &&
+			isset( ReferenceMatcher::HTML_CASE_INSENSITIVE_ATTRIBUTES[ $name ] ) &&
+			$this->prng->chance( 50 )
+		) {
+			/*
+			 * HTML's case-insensitive attribute value list: with no modifier
+			 * the flipped operand still satisfies the (name, value) pair on
+			 * an html-namespace element, which makes the folding rule
+			 * load-bearing for the mustMatchFid invariant — name and value
+			 * here come from the same real element, unlike the independent
+			 * pools in gen_attr_selector.
+			 */
+			$operand = $this->random_case( $operand );
+		}
+
+		return array(
+			'kind'     => 'attr',
+			'name'     => $presence['name'],
+			'matcher'  => $matcher,
+			'value'    => $operand,
+			'modifier' => $modifier,
+		);
+	}
+
+	/**
+	 * A context chain ( right-to-left ( type, combinator ) pairs ) drawn from
+	 * the element's real ancestors so the chain is satisfied by construction:
+	 * `>` is only used for the immediately-next ancestor, descendant
+	 * combinators may skip generations.
+	 *
+	 * @param string[] $ancestor_tags Nearest-first ancestor tag names.
+	 */
+	private function path_context_for( array $ancestor_tags ): array {
+		$chain = array();
+		$pos   = 0;
+		$count = count( $ancestor_tags );
+
+		while ( $pos < $count && ( array() === $chain || $this->prng->chance( 45 ) ) ) {
+			$jump = $this->prng->chance( 65 ) ? 0 : $this->prng->int( 0, $count - 1 - $pos );
+			$at   = $pos + $jump;
+
+			$combinator = ( 0 === $jump && $this->prng->chance( 55 ) ) ? '>' : ' ';
+			$tag        = ascii_strtolower( $ancestor_tags[ $at ] );
+			$type       = $this->prng->chance( 12 )
+				? '*'
+				: ( $this->prng->chance( 25 ) ? $this->random_case( $tag ) : $tag );
+
+			$chain[] = array( $type, $combinator );
+			$pos     = $at + 1;
+		}
+
+		return $chain;
+	}
+
+	/**
+	 * Flips one feature of the guaranteed-match selector. Most flips
+	 * guarantee the element no longer matches; loosening a `>` to a
+	 * descendant combinator must keep it matching.
+	 *
+	 * @return array{0: array, 1: string|null, 2: string|null} list, mustMatchFid, mustNotMatchFid.
+	 */
+	private function path_near_miss( array $list, array $element ): array {
+		$complex  = $list[0];
+		$compound = $complex['self'];
+		$fid      = $element['fid'];
+
+		$flips = array( 'wrong-class', 'wrong-attr' );
+		if ( null !== $compound['type'] && '*' !== $compound['type'] ) {
+			$flips[] = 'wrong-type';
+		}
+		foreach ( $complex['context'] as $pair ) {
+			if ( '>' === $pair[1] ) {
+				$flips[] = 'loosen-combinator';
+			}
+			$flips[] = 'tighten-combinator';
+			break;
+		}
+
+		switch ( $this->prng->choice( $flips ) ) {
+			case 'wrong-type':
+				$tag = ascii_strtolower( $element['tag'] );
+				do {
+					$other = $this->prng->choice( DocumentGenerator::SAFE_TAGS );
+				} while ( $other === $tag );
+				$complex['self']['type'] = $this->prng->chance( 25 ) ? $this->random_case( $other ) : $other;
+				return array( array( $complex ), null, $fid );
+
+			case 'wrong-attr':
+				$subs   = (array) $complex['self']['subs'];
+				$subs[] = array(
+					'kind'     => 'attr',
+					'name'     => 'zz-no-such-attr',
+					'matcher'  => null,
+					'value'    => null,
+					'modifier' => null,
+				);
+				$complex['self']['subs'] = $subs;
+				return array( array( $complex ), null, $fid );
+
+			case 'loosen-combinator':
+				// Replacing every `>` with a descendant combinator can only
+				// widen the context; the element must still match.
+				foreach ( $complex['context'] as &$pair ) {
+					$pair[1] = ' ';
+				}
+				unset( $pair );
+				$list[0] = $complex;
+				return array( $list, $fid, null );
+
+			case 'tighten-combinator':
+				// May or may not still match; no membership expectation.
+				$at = $this->prng->int( 0, count( $complex['context'] ) - 1 );
+				$complex['context'][ $at ][1] = '>';
+				$list[0]                      = $complex;
+				return array( $list, null, null );
+
+			case 'wrong-class':
+			default:
+				$subs   = (array) $complex['self']['subs'];
+				$subs[] = array(
+					'kind' => 'class',
+					'name' => 'zz-no-such-class',
+				);
+				$complex['self']['subs'] = $subs;
+				return array( array( $complex ), null, $fid );
+		}
+	}
+
+	/*
+	 * ---------
+	 * Rendering
+	 * ---------
+	 */
+
+	private function render_complex_list( array $list ): string {
+		$bits = array();
+		foreach ( $list as $complex ) {
+			$bits[] = $this->render_complex( $complex );
+		}
+
+		$out = $this->maybe_ws( 25 );
+		foreach ( $bits as $i => $bit ) {
+			if ( $i > 0 ) {
+				$out .= $this->maybe_ws( 40 ) . ',' . $this->maybe_ws( 60 );
+			}
+			$out .= $bit;
+		}
+		return $out . $this->maybe_ws( 25 );
+	}
+
+	private function render_complex( array $complex ): string {
+		$out = '';
+		// Context selectors are stored right-to-left; render left-to-right.
+		$reversed = array_reverse( $complex['context'] );
+		foreach ( $reversed as $pair ) {
+			list( $type, $combinator ) = $pair;
+			$out .= '*' === $type ? '*' : $this->render_ident( $type );
+			if ( '>' === $combinator ) {
+				$out .= $this->maybe_ws( 50 ) . '>' . $this->maybe_ws( 50 );
+			} else {
+				$out .= $this->ws();
+			}
+		}
+		return $out . $this->render_compound( $complex['self'] );
+	}
+
+	private function render_compound( array $compound ): string {
+		$out = '';
+		if ( null !== $compound['type'] ) {
+			$out .= '*' === $compound['type'] ? '*' : $this->render_ident( $compound['type'] );
+		}
+		foreach ( (array) $compound['subs'] as $sub ) {
+			switch ( $sub['kind'] ) {
+				case 'class':
+					$out .= '.' . $this->render_ident( $sub['name'] );
+					break;
+				case 'id':
+					$out .= '#' . $this->render_ident( $sub['name'] );
+					break;
+				case 'attr':
+					$out .= $this->render_attr_selector( $sub );
+					break;
+			}
+		}
+		return $out;
+	}
+
+	private function render_attr_selector( array $sub ): string {
+		$out = '[' . $this->maybe_ws( 20 ) . $this->render_ident( $sub['name'] ) . $this->maybe_ws( 20 );
+
+		if ( null === $sub['matcher'] ) {
+			return $out . ']';
+		}
+
+		$matcher_strings = array(
+			'exact'                    => '=',
+			'one-of'                   => '~=',
+			'exact-or-hyphen-suffixed' => '|=',
+			'prefixed'                 => '^=',
+			'suffixed'                 => '$=',
+			'contains'                 => '*=',
+		);
+		$out            .= $matcher_strings[ $sub['matcher'] ] . $this->maybe_ws( 25 );
+
+		$value          = $sub['value'];
+		$value_as_ident = '' !== $value && $this->can_render_as_ident( $value ) && $this->prng->chance( 45 );
+		if ( $value_as_ident ) {
+			$out .= $this->render_ident( $value );
+		} else {
+			$out .= $this->render_string( $value );
+		}
+
+		if ( null !== $sub['modifier'] ) {
+			// After an ident value, whitespace is mandatory before the modifier.
+			$out .= $value_as_ident ? $this->ws() : $this->maybe_ws( 60 );
+
+			if ( 'case-insensitive' === $sub['modifier'] ) {
+				$out .= $this->prng->chance( 70 ) ? 'i' : 'I';
+			} else {
+				$out .= $this->prng->chance( 70 ) ? 's' : 'S';
+			}
+		}
+
+		return $out . $this->maybe_ws( 25 ) . ']';
+	}
+
+	/**
+	 * Whether a value contains only codepoints this renderer is willing to
+	 * put in an ident token (everything can be escaped, but a value ending
+	 * in whitespace as an ident is fragile to read — strings handle those).
+	 */
+	private function can_render_as_ident( string $value ): bool {
+		return '' !== $value;
+	}
+
+	/**
+	 * Renders a name as a CSS ident token, escaping wherever required and
+	 * sometimes where merely allowed. Parsing the result must yield $name.
+	 */
+	private function render_ident( string $name ): string {
+		$points = utf8_codepoints( $name );
+		$count  = count( $points );
+		$out    = '';
+
+		foreach ( $points as $i => $point ) {
+			list( $char, $cp ) = $point;
+
+			$is_digit      = $cp >= 0x30 && $cp <= 0x39;
+			$is_ident_char = (
+				'-' === $char ||
+				'_' === $char ||
+				$is_digit ||
+				( $cp >= 0x41 && $cp <= 0x5A ) ||
+				( $cp >= 0x61 && $cp <= 0x7A ) ||
+				$cp > 0x7F
+			);
+
+			$must_escape = ! $is_ident_char
+				|| ( 0 === $i && $is_digit )
+				|| ( 1 === $i && '-' === $points[0][0] && $is_digit )
+				|| ( 1 === $count && '-' === $char );
+
+			if ( $must_escape || $this->prng->chance( $this->escape_boost ? 50 : 8 ) ) {
+				$out .= $this->render_escape( $char, $cp );
+			} else {
+				$out .= $char;
+			}
+		}
+
+		return $out;
+	}
+
+	/**
+	 * Renders one codepoint as a CSS escape sequence that decodes back to it.
+	 */
+	private function render_escape( string $char, int $cp ): string {
+		$is_hex_digit = ( $cp >= 0x30 && $cp <= 0x39 )
+			|| ( $cp >= 0x41 && $cp <= 0x46 )
+			|| ( $cp >= 0x61 && $cp <= 0x66 );
+		$is_newline_like = "\n" === $char || "\r" === $char || "\f" === $char;
+
+		/*
+		 * Identity escapes are only safe for single-byte chars that are not
+		 * hex digits (they would start a hex escape) and not newlines
+		 * (backslash-newline is not a valid escape).
+		 */
+		$identity_ok = ! $is_hex_digit && ! $is_newline_like && $cp >= 0x20;
+
+		if ( $identity_ok && $this->prng->chance( 35 ) ) {
+			return '\\' . $char;
+		}
+
+		$hex = dechex( $cp );
+		if ( $this->prng->chance( 25 ) && strlen( $hex ) < 6 ) {
+			$hex = str_pad( $hex, $this->prng->int( strlen( $hex ), 6 ), '0', STR_PAD_LEFT );
+		}
+		if ( $this->prng->chance( 30 ) ) {
+			$hex = strtoupper( $hex );
+		}
+
+		// The trailing space is always emitted; it is consumed by the escape.
+		return '\\' . $hex . ' ';
+	}
+
+	/**
+	 * Renders a value as a CSS string token. Parsing must yield $value.
+	 */
+	private function render_string( string $value ): string {
+		$quote  = $this->prng->chance( 60 ) ? '"' : "'";
+		$out    = $quote;
+		$points = utf8_codepoints( $value );
+
+		foreach ( $points as $point ) {
+			list( $char, $cp ) = $point;
+
+			if ( "\n" === $char || "\r" === $char || "\f" === $char ) {
+				// Literal newlines end (break) the string; always hex-escape.
+				$out .= '\\' . dechex( $cp ) . ' ';
+				continue;
+			}
+			if ( $char === $quote || '\\' === $char ) {
+				$out .= $this->prng->chance( 60 ) ? '\\' . $char : '\\' . dechex( $cp ) . ' ';
+				continue;
+			}
+			if ( $this->prng->chance( 5 ) ) {
+				$out .= $this->render_escape( $char, $cp );
+				continue;
+			}
+			$out .= $char;
+		}
+
+		// Rarely add a backslash-newline line continuation (decodes to nothing).
+		if ( $this->prng->chance( 4 ) ) {
+			$out .= "\\\n";
+		}
+
+		return $out . $quote;
+	}
+
+	private function ws(): string {
+		$options = array( ' ', ' ', ' ', "\t", "\n", "\f", "\r", '  ', " \t " );
+		return $this->prng->choice( $options );
+	}
+
+	private function maybe_ws( int $percent ): string {
+		return $this->prng->chance( $percent ) ? $this->ws() : '';
+	}
+
+	private function random_case( string $input ): string {
+		$out = '';
+		for ( $i = 0; $i < strlen( $input ); $i++ ) {
+			$c    = $input[ $i ];
+			$out .= $this->prng->chance( 50 ) ? strtoupper( $c ) : strtolower( $c );
+		}
+		return $out;
+	}
+
+	/*
+	 * -------------------
+	 * Unsupported selectors
+	 * -------------------
+	 */
+
+	private function gen_unsupported(): string {
+		$kind = $this->prng->weighted(
+			array(
+				'pseudo-class'       => 25,
+				'pseudo-element'     => 15,
+				'sibling-combinator' => 20,
+				'column-combinator'  => 8,
+				'namespace-type'     => 12,
+				'namespace-attr'     => 8,
+				'non-type-context'   => 12,
+			)
+		);
+
+		switch ( $kind ) {
+			case 'pseudo-class':
+				$pseudo = $this->prng->choice(
+					array(
+						':hover',
+						':focus',
+						':first-child',
+						':last-child',
+						':nth-child(2n+1)',
+						':nth-of-type(3)',
+						':not(.excluded)',
+						':is(div, span)',
+						':where(*)',
+						':root',
+						':empty',
+						':checked',
+						':lang(en)',
+						':has(> img)',
+					)
+				);
+				return $this->render_compound( $this->gen_compound() ) . $pseudo;
+
+			case 'pseudo-element':
+				$pseudo = $this->prng->choice( array( '::before', '::after', '::first-line', '::first-letter', '::marker', '::placeholder' ) );
+				return $this->render_compound( $this->gen_compound() ) . $pseudo;
+
+			case 'sibling-combinator':
+				$combinator = $this->prng->choice( array( '+', '~' ) );
+				return $this->render_compound( $this->gen_compound() )
+					. $this->maybe_ws( 60 ) . $combinator . $this->maybe_ws( 60 )
+					. $this->render_compound( $this->gen_compound() );
+
+			case 'column-combinator':
+				return $this->gen_type_name( true )
+					. $this->maybe_ws( 50 ) . '||' . $this->maybe_ws( 50 )
+					. $this->gen_type_name( true );
+
+			case 'namespace-type':
+				$ns = $this->prng->choice( array( 'svg', 'html', '*', '' ) );
+				return $ns . '|' . $this->prng->choice( array( 'title', 'a', 'circle', 'div' ) );
+
+			case 'namespace-attr':
+				// `[ns|name]` — must not be confused with the `|=` matcher,
+				// so the char after `|` must not be `=`.
+				$ns = $this->prng->choice( array( 'xlink', 'svg', 'xml' ) );
+				return '[' . $ns . '|href]';
+
+			case 'non-type-context':
+			default:
+				// A context selector that is not a bare type selector.
+				$context = $this->prng->choice( array( '.ctx', '#ctx', '[ctx]', 'div.ctx', 'div#ctx', 'div[ctx]', '*.ctx' ) );
+				$joiner  = $this->prng->chance( 50 )
+					? $this->ws()
+					: $this->maybe_ws( 50 ) . '>' . $this->maybe_ws( 50 );
+				return $context . $joiner . $this->render_compound( $this->gen_compound() );
+		}
+	}
+
+	/*
+	 * -----------------
+	 * Invalid selectors
+	 * -----------------
+	 */
+
+	private function gen_invalid(): string {
+		$kind = $this->prng->weighted(
+			array(
+				'template'         => 45,
+				'trailing-garbage' => 25,
+				'leading-garbage'  => 15,
+				'comma-trouble'    => 15,
+			)
+		);
+
+		switch ( $kind ) {
+			case 'template':
+				return $this->prng->choice(
+					array(
+						'',
+						'   ',
+						"\t\n\f ",
+						'.',
+						'a.',
+						'#',
+						'[',
+						']',
+						'[]',
+						'[ ]',
+						'.5x',
+						'#5',
+						'. x',
+						'..a',
+						'.#a',
+						/*
+						 * EOF auto-closes an open attribute selector block
+						 * ( '[a', '[a=b', '[a="b]', '[a=b i' are valid ), but
+						 * grammar-level truncation is still invalid.
+						 */
+						'[a=',
+						'[a= ',
+						'[a~',
+						'[a^',
+						'[a=]',
+						'[=b]',
+						'[a==b]',
+						'[a~b]',
+						'[a!=b]',
+						"[a=\"b\nc\"]",
+						"[a=\"b\nc",
+						'[a=b x]',
+						'[a=b x',
+						'[a=b ix]',
+						'[a=b ix',
+						'[a=b i x',
+						'[5=b]',
+						'[5=b',
+						'a >',
+						'> a',
+						'a > > b',
+						'a >> b',
+						'>',
+						'-',
+						// A lone '\' is a valid escape at EOF ( type selector U+FFFD );
+						// '\' before a newline is not a valid escape.
+						"\\\n",
+						"a\\\nb",
+						'a/**/b',
+						'!important',
+						'@media screen',
+						'{}',
+						';',
+						'a;b',
+						'a{color:red}',
+						'()',
+						'a()',
+						'*5',
+						'%',
+						'a%',
+					)
+				);
+
+			case 'trailing-garbage':
+				$garbage = $this->prng->choice( array( ':', '(', ')', '{', '}', ';', '!', '@', '%', '/', '=', '|', '^', '$' ) );
+				return $this->render_compound( $this->gen_compound() ) . $garbage;
+
+			case 'leading-garbage':
+				$garbage = $this->prng->choice( array( '%', ';', ')', '}', '=', '~', '+', '/', ',' ) );
+				return $garbage . $this->render_compound( $this->gen_compound() );
+
+			case 'comma-trouble':
+			default:
+				$compound = $this->render_compound( $this->gen_compound() );
+				return $this->prng->choice(
+					array(
+						$compound . ',',
+						',' . $compound,
+						$compound . ',,' . $compound,
+						$compound . ', ,' . $compound,
+						$compound . ' , ',
+					)
+				);
+		}
+	}
+
+	/*
+	 * -----
+	 * Chaos
+	 * -----
+	 */
+
+	private function gen_chaos(): string {
+		$alphabets = array(
+			'css'     => '.#[]=~|^$*>+,:()"\'\\ \t\n-_',
+			'ident'   => 'abcXYZ019-_',
+			'mixed'   => '.#[]=~|^$*>+,:()"\'\\ abcXYZ019-_iIsS',
+			'unicode' => '✓Ωé🙂',
+		);
+
+		$alphabet = $alphabets[ $this->prng->weighted(
+			array(
+				'css'     => 25,
+				'ident'   => 15,
+				'mixed'   => 45,
+				'unicode' => 15,
+			)
+		) ];
+
+		if ( 'unicode' === $alphabet ) {
+			$points = utf8_codepoints( $alphabet . '.#[]= aZ9' );
+			$length = $this->prng->int( 0, 24 );
+			$out    = '';
+			for ( $i = 0; $i < $length; $i++ ) {
+				$out .= $this->prng->choice( $points )[0];
+			}
+			return $out;
+		}
+
+		$length = $this->prng->int( 0, 40 );
+		$out    = '';
+		for ( $i = 0; $i < $length; $i++ ) {
+			$out .= $alphabet[ $this->prng->int( 0, strlen( $alphabet ) - 1 ) ];
+		}
+		return $out;
+	}
+
+	/*
+	 * --------
+	 * Mutation
+	 * --------
+	 */
+
+	private function mutate( string $selector ): string {
+		$mutation_count = $this->prng->int( 1, 4 );
+		$alphabet       = '.#[]=~|^$*>+,:()"\'\\ \t\niIsSabcXYZ019-_';
+
+		for ( $m = 0; $m < $mutation_count; $m++ ) {
+			$length = strlen( $selector );
+			$kind   = $this->prng->weighted(
+				array(
+					'insert'       => 30,
+					'delete'       => 25,
+					'replace'      => 25,
+					'duplicate'    => 10,
+					'case-flip'    => 10,
+					'invalid-utf8' => 12,
+				)
+			);
+
+			switch ( $kind ) {
+				case 'insert':
+					$at       = $this->prng->int( 0, $length );
+					$char     = $alphabet[ $this->prng->int( 0, strlen( $alphabet ) - 1 ) ];
+					$selector = substr( $selector, 0, $at ) . $char . substr( $selector, $at );
+					break;
+
+				case 'delete':
+					if ( $length > 0 ) {
+						$at       = $this->prng->int( 0, $length - 1 );
+						$selector = substr( $selector, 0, $at ) . substr( $selector, $at + 1 );
+					}
+					break;
+
+				case 'replace':
+					if ( $length > 0 ) {
+						$at       = $this->prng->int( 0, $length - 1 );
+						$char     = $alphabet[ $this->prng->int( 0, strlen( $alphabet ) - 1 ) ];
+						$selector = substr( $selector, 0, $at ) . $char . substr( $selector, $at + 1 );
+					}
+					break;
+
+				case 'duplicate':
+					if ( $length > 0 ) {
+						$start    = $this->prng->int( 0, $length - 1 );
+						$span     = $this->prng->int( 1, min( 6, $length - $start ) );
+						$selector = substr( $selector, 0, $start + $span )
+							. substr( $selector, $start, $span )
+							. substr( $selector, $start + $span );
+					}
+					break;
+
+				case 'case-flip':
+					if ( $length > 0 ) {
+						$at   = $this->prng->int( 0, $length - 1 );
+						$char = $selector[ $at ];
+						$flip = ctype_lower( $char ) ? strtoupper( $char ) : strtolower( $char );
+						$selector = substr( $selector, 0, $at ) . $flip . substr( $selector, $at + 1 );
+					}
+					break;
+
+				case 'invalid-utf8':
+					// Splice a raw ill-formed sequence at an arbitrary byte
+					// offset — possibly splitting an existing multibyte
+					// character or landing before a continuation byte that
+					// completes a truncated lead. No expectations here; these
+					// exercise crash / scrub-notice / differential paths.
+					$bytes    = $this->prng->choice( array_column( self::INVALID_UTF8_CLASSES, 0 ) );
+					$at       = $this->prng->int( 0, $length );
+					$selector = substr( $selector, 0, $at ) . $bytes . substr( $selector, $at );
+					break;
+			}
+		}
+
+		return $selector;
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/TreeCapture.php b/tools/css-selector-fuzz/lib/TreeCapture.php
new file mode 100644
index 0000000000000..2350db024c8ad
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/TreeCapture.php
@@ -0,0 +1,145 @@
+<?php
+namespace CssSelectorFuzz;
+
+/**
+ * Captures the processor's own view of a document as the matching oracle's
+ * ground truth, so arbitrary (restructured, foster-parented, misnested)
+ * HTML can be fuzzed without a hand-built model.
+ *
+ * The capture is a flat list of rows in VISIT order — the order next_tag()
+ * (and therefore select()) encounters elements, which for restructured
+ * content is token order, not final-DOM document order. Context selectors
+ * in the supported grammar are type-only, so per element the matcher needs
+ * only the tag, the attributes, and the ancestor tag list — exactly what
+ * get_breadcrumbs() provides at each visit. Virtual (implied) elements are
+ * visited too and captured with a placeholder fid.
+ *
+ * Row shape:
+ *   html row: array( tag: string, fid: string, attrs: array<[name, value]>,
+ *                    ancestorTags: string[] nearest-first )
+ *   tag row:  same without ancestorTags.
+ */
+class TreeCapture {
+
+	const CAPTURE_ITERATION_LIMIT = 20000;
+
+	/**
+	 * Captures the processor's view of a document or a fragment.
+	 *
+	 * @param string      $html    The markup ( full document or fragment ).
+	 * @param string|null $context When set, parse as a fragment in this
+	 *                             context ( e.g. '<body>' ); the tag
+	 *                             processor has no fragment mode, so tagRows
+	 *                             is null in that case.
+	 * @return array{
+	 *     htmlRows: array|null,
+	 *     tagRows: array|null,
+	 *     quirks: bool,
+	 *     error: string|null,
+	 * }
+	 */
+	public static function capture( string $html, ?string $context = null ): array {
+		$out = array(
+			'htmlRows' => null,
+			'tagRows'  => null,
+			'quirks'   => false,
+			'error'    => null,
+		);
+
+		$processor = null === $context
+			? \WP_HTML_Processor::create_full_parser( $html )
+			: \WP_HTML_Processor::create_fragment( $html, $context );
+		if ( null === $processor ) {
+			$out['error'] = 'fragment-context-unsupported';
+			return $out;
+		}
+		$rows       = array();
+		$iterations = 0;
+		while ( $processor->next_tag() ) {
+			if ( ++$iterations > self::CAPTURE_ITERATION_LIMIT ) {
+				$out['error'] = 'html-capture-iteration-limit';
+				return $out;
+			}
+			$breadcrumbs = $processor->get_breadcrumbs();
+			array_pop( $breadcrumbs );
+			$rows[] = array(
+				'tag'          => (string) $processor->get_tag(),
+				'fid'          => self::fid_of( $processor ),
+				'attrs'        => self::attrs_of( $processor ),
+				'ancestorTags' => array_reverse( $breadcrumbs ),
+				'namespace'    => $processor->get_namespace(),
+			);
+		}
+
+		if ( null !== $processor->get_last_error() ) {
+			$out['error'] = 'html-processor-error: ' . $processor->get_last_error();
+			return $out;
+		}
+		if ( null !== $processor->get_unsupported_exception() ) {
+			$out['error'] = 'html-processor-unsupported: ' . $processor->get_unsupported_exception()->getMessage();
+			return $out;
+		}
+
+		$out['htmlRows'] = $rows;
+		$out['quirks']   = $processor->is_quirks_mode();
+
+		// The tag processor has no fragment mode; a fragment case exercises
+		// the html processor's select() only.
+		if ( null !== $context ) {
+			return $out;
+		}
+
+		$tag_processor = new \WP_HTML_Tag_Processor( $html );
+		$tag_rows      = array();
+		$iterations    = 0;
+		while ( $tag_processor->next_tag() ) {
+			if ( ++$iterations > self::CAPTURE_ITERATION_LIMIT ) {
+				$out['error'] = 'tag-capture-iteration-limit';
+				return $out;
+			}
+			$tag_rows[] = array(
+				'tag'   => (string) $tag_processor->get_tag(),
+				'fid'   => self::fid_of( $tag_processor ),
+				'attrs' => self::attrs_of( $tag_processor ),
+			);
+		}
+		$out['tagRows'] = $tag_rows;
+
+		return $out;
+	}
+
+	/** The element's data-fid, or the same placeholder collect_matches() uses. */
+	private static function fid_of( $processor ): string {
+		$fid = $processor->get_attribute( 'data-fid' );
+		return is_string( $fid ) ? self::sanitize_fid( $fid ) : '(missing-fid:' . $processor->get_tag() . ')';
+	}
+
+	/**
+	 * Replaces the lexbor protocol framing bytes ( TAB / LF / CR ) in a fid
+	 * with '?'. Generated fids never contain these, but the lexbor harness
+	 * applies the same replacement, so matching this here keeps the two trees
+	 * comparable even for a hypothetical control-char fid ( the worst case is
+	 * a benign tree-gated skip, never a false divergence ).
+	 */
+	public static function sanitize_fid( string $fid ): string {
+		return strtr( $fid, "\t\n\r", '???' );
+	}
+
+	/**
+	 * All attributes as ( lowercase name, decoded value ) pairs, excluding
+	 * data-fid ( stored separately, mirroring the generated model's shape ).
+	 *
+	 * @return array<int, array{0: string, 1: string|true}>
+	 */
+	private static function attrs_of( $processor ): array {
+		$attrs = array();
+		foreach ( (array) $processor->get_attribute_names_with_prefix( '' ) as $name ) {
+			if ( 'data-fid' === $name ) {
+				continue;
+			}
+			$value   = $processor->get_attribute( $name );
+			$attrs[] = array( $name, true === $value ? true : (string) $value );
+		}
+		return $attrs;
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/WildDocumentGenerator.php b/tools/css-selector-fuzz/lib/WildDocumentGenerator.php
new file mode 100644
index 0000000000000..3cd7dada17cc6
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/WildDocumentGenerator.php
@@ -0,0 +1,381 @@
+<?php
+namespace CssSelectorFuzz;
+
+/**
+ * Generates structurally adventurous ("wild") HTML: misnested formatting
+ * elements (simple adoption-agency runs), implied end tags and implied
+ * table sections, stray and unclosed tags, foreign content, and varied
+ * doctypes. No model tree is built — TreeCapture takes the processor's own
+ * parse as ground truth for the selector layer.
+ *
+ * WP_HTML_Processor bails (ERROR_UNSUPPORTED) on several constructs —
+ * foster parenting, non-whitespace text in table context, complex
+ * adoption-agency loops, FORM end tags over open elements — so inside an
+ * open table context only table-structure tags and whitespace are emitted,
+ * and FORM is excluded. Residual bails still occur (and are skipped by the
+ * worker); this keeps them rare instead of dominant.
+ *
+ * Every emitted start tag carries a unique data-fid. Implied (virtual)
+ * elements and adoption-agency clones surface in the capture as placeholder
+ * or duplicated fids; the match comparison is list-based in visit order, so
+ * neither breaks the oracle.
+ */
+class WildDocumentGenerator {
+
+	const TAGS = array(
+		'div',
+		'p',
+		'span',
+		'a',
+		'b',
+		'i',
+		'em',
+		'strong',
+		'u',
+		's',
+		'code',
+		'small',
+		'table',
+		'caption',
+		'thead',
+		'tbody',
+		'tfoot',
+		'tr',
+		'td',
+		'th',
+		'ul',
+		'ol',
+		'li',
+		'dl',
+		'dt',
+		'dd',
+		'h1',
+		'h2',
+		'h3',
+		'blockquote',
+		'figure',
+		'figcaption',
+		'header',
+		'footer',
+		'section',
+		'article',
+		'nav',
+		'aside',
+		'main',
+		'address',
+		'button',
+		'select',
+		'option',
+		'optgroup',
+		'label',
+		'fieldset',
+		'legend',
+		'details',
+		'summary',
+		'svg',
+		'math',
+		'x-wild',
+	);
+
+	const VOID_TAGS = array( 'br', 'hr', 'img', 'input', 'wbr', 'col', 'source', 'area' );
+
+	const DOCTYPES = array(
+		'none'          => '',
+		'html'          => '<!DOCTYPE html>',
+		'legacy-compat' => '<!DOCTYPE html SYSTEM "about:legacy-compat">',
+		'quirky'        => '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">',
+		'limited'       => '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">',
+	);
+
+	/** @var Prng */
+	private $prng;
+	private $fid_counter = 0;
+	private $pools;
+
+	private function __construct( Prng $prng ) {
+		$this->prng  = $prng;
+		$this->pools = array(
+			'tags'       => array( 'html', 'head', 'body' ),
+			'classes'    => array(),
+			'ids'        => array(),
+			'attrNames'  => array(),
+			'attrValues' => array(),
+		);
+	}
+
+	/**
+	 * @return array{model: null, html: string, pools: array, wild: true, doctype: string}
+	 */
+	public static function generate( Prng $prng ): array {
+		$generator = new self( $prng );
+		return $generator->build();
+	}
+
+	private function build(): array {
+		$doctype_kind = $this->prng->weighted(
+			array(
+				'none'          => 25,
+				'html'          => 45,
+				'legacy-compat' => 10,
+				'quirky'        => 12,
+				'limited'       => 8,
+			)
+		);
+
+		$out = self::DOCTYPES[ $doctype_kind ];
+
+		if ( $this->prng->chance( 15 ) ) {
+			$out .= '<html' . $this->render_attrs( $this->random_attrs() ) . '>';
+		}
+		if ( $this->prng->chance( 10 ) ) {
+			$out .= '<body' . $this->render_attrs( $this->random_attrs() ) . '>';
+		}
+
+		$max_elements = $this->prng->int( 4, 35 );
+		$token_budget = $this->prng->int( 8, 70 );
+		$open         = array();
+
+		for ( $i = 0; $i < $token_budget; $i++ ) {
+			$in_table = $this->in_table_context( $open );
+
+			$kind = $this->prng->weighted(
+				array(
+					'start'   => 42,
+					'void'    => $in_table ? 0 : 8,
+					'end'     => 24,
+					'text'    => 16,
+					'comment' => 5,
+					'stray'   => $in_table ? 0 : 5,
+				)
+			);
+
+			switch ( $kind ) {
+				case 'start':
+					if ( $this->fid_counter >= $max_elements ) {
+						break;
+					}
+					$tag                    = $in_table
+						? $this->prng->choice( array( 'caption', 'colgroup', 'thead', 'tbody', 'tfoot', 'tr', 'tr', 'td', 'td', 'th' ) )
+						: $this->prng->choice( self::TAGS );
+					if ( 'a' === $tag && in_array( 'a', $open, true ) ) {
+						// A nested <a> immediately runs the adoption agency.
+						$tag = 'span';
+					}
+					$this->pools['tags'][]  = $tag;
+					$out                   .= '<' . $this->maybe_case( $tag )
+						. ' data-fid="w' . $this->fid_counter++ . '"'
+						. $this->render_attrs( $this->random_attrs() ) . '>';
+					$open[]                 = $tag;
+					break;
+
+				case 'void':
+					if ( $this->fid_counter >= $max_elements ) {
+						break;
+					}
+					$tag                   = $this->prng->choice( self::VOID_TAGS );
+					$this->pools['tags'][] = $tag;
+					$out                  .= '<' . $this->maybe_case( $tag )
+						. ' data-fid="w' . $this->fid_counter++ . '"'
+						. $this->render_attrs( $this->random_attrs() )
+						. ( $this->prng->chance( 25 ) ? ' />' : '>' );
+					break;
+
+				case 'end':
+					if ( array() === $open ) {
+						break;
+					}
+					$pick = $this->prng->weighted(
+						array(
+							'top'    => 60,
+							'random' => 40,
+						)
+					);
+					if ( 'top' === $pick ) {
+						$tag = array_pop( $open );
+					} else {
+						/*
+						 * Close a non-top open element: misnesting. Never
+						 * across a formatting element — the processor only
+						 * supports the trivial adoption-agency cases and
+						 * bails on the rest ( "any other end tag" /
+						 * "common ancestor" / reconstruction-with-rewind ).
+						 */
+						$formatting = array( 'a', 'b', 'i', 'em', 'strong', 'u', 's', 'code', 'small' );
+						$lowest     = count( $open ) - 1;
+						while ( $lowest > 0 && ! in_array( $open[ $lowest ], $formatting, true ) ) {
+							$lowest--;
+						}
+						if ( in_array( $open[ $lowest ], $formatting, true ) ) {
+							$lowest++;
+						}
+						if ( $lowest > count( $open ) - 1 ) {
+							$tag = array_pop( $open );
+						} else {
+							$at  = $this->prng->int( $lowest, count( $open ) - 1 );
+							$tag = $open[ $at ];
+							array_splice( $open, $at, 1 );
+						}
+					}
+					$out .= '</' . $this->maybe_case( $tag ) . '>';
+					break;
+
+				case 'text':
+					// Non-whitespace text in table context is unsupported
+					// (pending-table-character-tokens), keep it whitespace.
+					$out .= $in_table
+						? "\n  "
+						: $this->prng->choice(
+							array(
+								'text',
+								' wild text ',
+								"\n",
+								'&amp; &lt;x&gt;',
+								'café ✓',
+								'a < b',
+							)
+						);
+					break;
+
+				case 'comment':
+					$out .= '<!-- wild -->';
+					break;
+
+				case 'stray':
+					// An end tag for something that is not open.
+					// No formatting tags here: a stray formatting end tag
+					// runs the adoption agency's unsupported branches.
+					$out .= '</' . $this->prng->choice( array( 'div', 'p', 'table', 'tr', 'li', 'span', 'x-wild' ) ) . '>';
+					break;
+			}
+		}
+
+		// Leave roughly half of the still-open elements unclosed.
+		foreach ( array_reverse( $open ) as $tag ) {
+			if ( $this->prng->chance( 50 ) ) {
+				$out .= '</' . $this->maybe_case( $tag ) . '>';
+			}
+		}
+
+		foreach ( $this->pools as $key => $values ) {
+			$this->pools[ $key ] = array_values( array_unique( $values ) );
+		}
+
+		return array(
+			'model'   => null,
+			'html'    => $out,
+			'pools'   => $this->pools,
+			'wild'    => true,
+			'doctype' => $doctype_kind,
+		);
+	}
+
+	/**
+	 * Whether the insertion point is in table context outside any cell or
+	 * caption — where arbitrary content would foster-parent (unsupported).
+	 */
+	private function in_table_context( array $open ): bool {
+		for ( $i = count( $open ) - 1; $i >= 0; $i-- ) {
+			$tag = $open[ $i ];
+			if ( in_array( $tag, array( 'td', 'th', 'caption' ), true ) ) {
+				return false;
+			}
+			if ( in_array( $tag, array( 'table', 'thead', 'tbody', 'tfoot', 'tr', 'colgroup' ), true ) ) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	/** @return array<int, array{0: string, 1: string|true}> */
+	private function random_attrs(): array {
+		$attrs = array();
+		$count = $this->prng->weighted( array( 0 => 30, 1 => 35, 2 => 25, 3 => 10 ) );
+
+		for ( $i = 0; $i < $count; $i++ ) {
+			$name = $this->prng->choice( DocumentGenerator::ATTR_NAMES );
+
+			$lower = ascii_strtolower( $name );
+			if ( 'class' === $lower ) {
+				$words = array();
+				$n     = $this->prng->int( 1, 3 );
+				for ( $j = 0; $j < $n; $j++ ) {
+					$word    = $this->maybe_inject_class_nul( $this->random_word() );
+					$words[] = $word;
+					foreach ( DocumentGenerator::class_tokens( $word ) as $token ) {
+						$this->pools['classes'][] = $token;
+					}
+				}
+				$value = implode( ' ', $words );
+			} elseif ( 'id' === $lower ) {
+				$value                = $this->random_word();
+				$this->pools['ids'][] = $value;
+			} elseif ( $this->prng->chance( 15 ) ) {
+				$value = true;
+			} else {
+				$value = $this->random_word();
+				if ( $this->prng->chance( 20 ) ) {
+					$value .= ' ' . $this->random_word();
+				}
+			}
+
+			$this->pools['attrNames'][] = $lower;
+			if ( is_string( $value ) && 'class' !== $lower ) {
+				$this->pools['attrValues'][] = $value;
+			}
+			$attrs[] = array( $name, $value );
+		}
+
+		return $attrs;
+	}
+
+	private function maybe_inject_class_nul( string $class ): string {
+		if ( '' === $class || ! $this->prng->chance( 12 ) ) {
+			return $class;
+		}
+
+		$points = utf8_codepoints( $class );
+		$at     = $this->prng->int( 0, count( $points ) );
+		$out    = '';
+		foreach ( $points as $i => $point ) {
+			if ( $i === $at ) {
+				$out .= "\0";
+			}
+			$out .= $point[0];
+		}
+		return $at === count( $points ) ? $out . "\0" : $out;
+	}
+
+	private function render_attrs( array $attrs ): string {
+		$out = '';
+		foreach ( $attrs as $attr ) {
+			list( $name, $value ) = $attr;
+			if ( true === $value ) {
+				$out .= ' ' . $name;
+				continue;
+			}
+			$out .= ' ' . $name . '="' . str_replace( array( '&', '"', '<' ), array( '&amp;', '&quot;', '&lt;' ), $value ) . '"';
+		}
+		return $out;
+	}
+
+	private function random_word(): string {
+		$stems = array( 'wild', 'soup', 'alpha', 'beta', 'item', 'note', 'x', 'mixedCase', 'Über', 'main-thing', '--var', '_u' );
+		$word  = $this->prng->choice( $stems );
+		if ( $this->prng->chance( 30 ) ) {
+			$word .= (string) $this->prng->int( 0, 99 );
+		}
+		return $word;
+	}
+
+	private function maybe_case( string $tag ): string {
+		if ( ! $this->prng->chance( 15 ) ) {
+			return $tag;
+		}
+		$out = '';
+		for ( $i = 0; $i < strlen( $tag ); $i++ ) {
+			$c    = $tag[ $i ];
+			$out .= $this->prng->chance( 50 ) ? strtoupper( $c ) : strtolower( $c );
+		}
+		return $out;
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php
new file mode 100644
index 0000000000000..f701d87974657
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/Worker.php
@@ -0,0 +1,1308 @@
+<?php
+namespace CssSelectorFuzz;
+
+/**
+ * Executes fuzz cases and checks invariants.
+ *
+ * Invariants checked per case:
+ *
+ *  - model-desync:            the parsed document disagrees with the generated
+ *                             model ( oracle soundness check ).
+ *  - parse-error:             from_selectors() raised an error/exception.
+ *  - parse-expectation:       parse success/failure does not match the
+ *                             generated bucket's expectation.
+ *  - compound-implies-complex: a selector parsed in the compound grammar but
+ *                             not in the complex grammar ( a superset ).
+ *  - parse-determinism:       parsing the same input twice gave different results.
+ *  - ast-shape:               parsed selector objects violate documented shape.
+ *  - ast-mismatch:            parsed AST differs from the intended generated AST.
+ *  - ast-cross-grammar:       compound-list and complex-list ASTs disagree.
+ *  - match-error:             select()/matches() raised an error/exception.
+ *  - match-mismatch-html:     WP_HTML_Processor::select() match set differs
+ *                             from the reference matcher.
+ *  - match-mismatch-tag:      WP_HTML_Tag_Processor::select() match set
+ *                             differs from the reference matcher.
+ *  - doing-it-wrong-unexpected: the _doing_it_wrong calls during matching did
+ *                             not equal the expected set ( exactly one scrub
+ *                             notice for an invalid-UTF-8 selector, none
+ *                             otherwise ).
+ *  - doing-it-wrong-missing:  the _doing_it_wrong calls for an unparseable
+ *                             selector did not equal the expected set ( one
+ *                             select() notice per call, plus one leading
+ *                             scrub notice when the selector is invalid
+ *                             UTF-8 ).
+ *  - select-on-null:          select() returned true for an unparseable selector.
+ *  - processor-error:         the processor entered an error/unsupported state.
+ *  - case-determinism:        running the full case twice gave different digests.
+ *  - metamorphic-parse:       a meaning-preserving transform of a parseable
+ *                             selector no longer parses.
+ *  - metamorphic-ast:         an AST-preserving transform parsed to a
+ *                             different AST.
+ *  - metamorphic-mismatch:    a meaning-preserving transform selected a
+ *                             different element set than the original.
+ *  - metamorphic-error:       parsing/matching a transformed selector raised.
+ *  - path-expectation:        a path-directed selector's guaranteed
+ *                             (non-)membership does not hold in the reference
+ *                             matcher ( generator/oracle defect ).
+ */
+class Worker {
+
+	const SELECT_ITERATION_LIMIT = 10000;
+
+	/** Metamorphic PRNG draws tried per pair in run_pair (minimizer). */
+	const PAIR_METAMORPH_DRAWS = 12;
+
+	/**
+	 * Runs a single fuzz case.
+	 *
+	 * @return array{
+	 *     seed: int,
+	 *     bucket: string,
+	 *     digest: string,
+	 *     failures: array,
+	 *     selector: string,
+	 *     html: string,
+	 *     lexbor: string,
+	 *     matchStats: array,
+	 * }
+	 */
+	public static function run_case( int $seed ): array {
+		Bootstrap::load();
+
+		$prng        = new Prng( (string) $seed, 'css-selector-fuzz-case' );
+		$is_wild     = $prng->chance( 30 );
+		$is_fragment = ! $is_wild && $prng->chance( 20 );
+
+		$failures = array();
+		$record   = static function ( string $invariant, array $detail ) use ( &$failures ) {
+			$failures[] = array(
+				'invariant' => $invariant,
+				'detail'    => $detail,
+			);
+		};
+		$match_stats = array();
+
+		/*
+		 * The processor's own parse is the matching oracle's ground truth.
+		 * For safe (model-built) documents the model must agree with the
+		 * capture — that soundness check is what lets the capture be trusted
+		 * on wild documents, where no model exists.
+		 *
+		 * Wild documents that hit one of the processor's unsupported
+		 * constructs (it bails on foster parenting, complex adoption-agency
+		 * runs, …) are deterministically regenerated a bounded number of
+		 * times so nearly every wild case carries a usable ground truth.
+		 */
+		$document      = null;
+		$capture       = null;
+		$capture_error = null;
+		$attempts      = $is_wild ? 8 : 1;
+		for ( $attempt = 0; $attempt < $attempts; $attempt++ ) {
+			if ( $is_wild ) {
+				$document = WildDocumentGenerator::generate( $prng->fork( "wild-document:{$attempt}" ) );
+			} elseif ( $is_fragment ) {
+				$document = DocumentGenerator::generate_fragment( $prng->fork( 'fragment' ) );
+			} else {
+				$document = DocumentGenerator::generate( $prng->fork( 'document' ) );
+			}
+
+			$context = ( $document['fragment'] ?? false ) ? $document['context'] : null;
+			list( $capture, $capture_error ) = self::guard(
+				static function () use ( $document, $context ) {
+					return TreeCapture::capture( $document['html'], $context );
+				}
+			);
+
+			if ( null === $capture_error && null === $capture['error'] ) {
+				break;
+			}
+		}
+
+		$rows     = null;
+		$tag_rows = null;
+		$quirks   = false;
+
+		if ( null !== $capture_error ) {
+			$record( 'model-desync', array( 'phase' => 'capture', 'error' => self::describe_throwable( $capture_error ) ) );
+		} elseif ( null !== $capture['error'] ) {
+			if ( ! $is_wild ) {
+				$record( 'model-desync', array( 'phase' => 'capture', 'error' => $capture['error'] ) );
+			}
+			// Wild markup the processor cannot fully visit is skipped:
+			// parsing invariants still run, matching has no ground truth.
+		} else {
+			$rows     = $capture['htmlRows'];
+			$tag_rows = $capture['tagRows'];
+			$quirks   = $capture['quirks'];
+
+			if ( $is_fragment ) {
+				self::check_fragment_capture_against_model( $document, $capture, $record );
+			} elseif ( ! $is_wild ) {
+				self::check_capture_against_model( $document, $capture, $record );
+			}
+		}
+
+		$path_rows = null;
+		if ( null !== $rows ) {
+			$path_rows = array();
+			foreach ( $rows as $row ) {
+				if ( 0 !== strpos( $row['fid'], '(missing-fid:' ) ) {
+					$path_rows[] = $row;
+				}
+			}
+		}
+
+		$selector = SelectorGenerator::generate( $prng->fork( 'selector' ), $document['pools'], $path_rows );
+
+		$selector_string = $selector['selector'];
+
+		// --- Parse phase -------------------------------------------------
+
+		list( $compound_list, $compound_error ) = self::guard(
+			static function () use ( $selector_string ) {
+				return \WP_CSS_Compound_Selector_List::from_selectors( $selector_string );
+			}
+		);
+		list( $complex_list, $complex_error )   = self::guard(
+			static function () use ( $selector_string ) {
+				return \WP_CSS_Complex_Selector_List::from_selectors( $selector_string );
+			}
+		);
+
+		if ( null !== $compound_error ) {
+			$record( 'parse-error', array( 'grammar' => 'compound', 'error' => self::describe_throwable( $compound_error ) ) );
+		}
+		if ( null !== $complex_error ) {
+			$record( 'parse-error', array( 'grammar' => 'complex', 'error' => self::describe_throwable( $complex_error ) ) );
+		}
+
+		if ( null === $compound_error && null !== $selector['expectCompound'] && $selector['expectCompound'] !== ( null !== $compound_list ) ) {
+			$record(
+				'parse-expectation',
+				array(
+					'grammar'  => 'compound',
+					'expected' => $selector['expectCompound'] ? 'parse' : 'null',
+					'actual'   => null !== $compound_list ? 'parse' : 'null',
+				)
+			);
+		}
+		if ( null === $complex_error && null !== $selector['expectComplex'] && $selector['expectComplex'] !== ( null !== $complex_list ) ) {
+			$record(
+				'parse-expectation',
+				array(
+					'grammar'  => 'complex',
+					'expected' => $selector['expectComplex'] ? 'parse' : 'null',
+					'actual'   => null !== $complex_list ? 'parse' : 'null',
+				)
+			);
+		}
+
+		if ( null !== $compound_list && null === $complex_list && null === $complex_error ) {
+			$record( 'compound-implies-complex', array() );
+		}
+
+		// Parse determinism: a second parse must agree with the first.
+		list( $compound_again, ) = self::guard(
+			static function () use ( $selector_string ) {
+				return \WP_CSS_Compound_Selector_List::from_selectors( $selector_string );
+			}
+		);
+		list( $complex_again, )  = self::guard(
+			static function () use ( $selector_string ) {
+				return \WP_CSS_Complex_Selector_List::from_selectors( $selector_string );
+			}
+		);
+		if ( ( null === $compound_list ) !== ( null === $compound_again ) || ( null === $complex_list ) !== ( null === $complex_again ) ) {
+			$record( 'parse-determinism', array( 'note' => 'null-ness changed between identical parses' ) );
+		}
+
+		// --- AST extraction ----------------------------------------------
+
+		$compound_ast = null;
+		$complex_ast  = null;
+
+		if ( null !== $compound_list ) {
+			list( $compound_ast, $shape_error ) = self::guard(
+				static function () use ( $compound_list ) {
+					return AstExtractor::from_compound_list( $compound_list );
+				}
+			);
+			if ( null !== $shape_error ) {
+				$record( 'ast-shape', array( 'grammar' => 'compound', 'error' => self::describe_throwable( $shape_error ) ) );
+			}
+		}
+		if ( null !== $complex_list ) {
+			list( $complex_ast, $shape_error ) = self::guard(
+				static function () use ( $complex_list ) {
+					return AstExtractor::from_complex_list( $complex_list );
+				}
+			);
+			if ( null !== $shape_error ) {
+				$record( 'ast-shape', array( 'grammar' => 'complex', 'error' => self::describe_throwable( $shape_error ) ) );
+			}
+		}
+
+		if ( null !== $compound_ast && null !== $complex_ast && $compound_ast !== $complex_ast ) {
+			$record(
+				'ast-cross-grammar',
+				array(
+					'compoundAst' => $compound_ast,
+					'complexAst'  => $complex_ast,
+				)
+			);
+		}
+
+		if ( null !== $selector['ast'] && null !== $complex_ast && $selector['ast'] !== $complex_ast ) {
+			$record(
+				'ast-mismatch',
+				array(
+					'generatedAst' => $selector['ast'],
+					'parsedAst'    => $complex_ast,
+				)
+			);
+		}
+
+		// --- Match phase ---------------------------------------------------
+
+		$html_matches = null;
+		// 'n/a' = the lexbor differential does not apply to this case
+		// ( unparseable selector, fragment, no captured tree ). Distinct from
+		// 'unavailable', which check_lexbor_differential reports only when the
+		// harness itself is missing or died — so a silently-dropped third
+		// oracle shows up in the per-batch tally instead of hiding in 'off'.
+		$lexbor_state = 'n/a';
+		if ( null !== $complex_ast && null !== $rows ) {
+			$expected = ReferenceMatcher::expected_html_matches_rows( $complex_ast, $rows, $quirks );
+
+			/*
+			 * Path-directed selectors are guaranteed by construction to match
+			 * ( or, for near-misses, not to match ) a specific element. The
+			 * reference matcher disagreeing means the generator or the
+			 * reference matcher itself is wrong — a fuzzer-side defect.
+			 */
+			$must_match     = $selector['mustMatchFid'] ?? null;
+			$must_not_match = $selector['mustNotMatchFid'] ?? null;
+			if ( null !== $must_match && ! in_array( $must_match, $expected, true ) ) {
+				$record(
+					'path-expectation',
+					array(
+						'expectation' => 'must-match',
+						'fid'         => $must_match,
+						'expected'    => $expected,
+					)
+				);
+			}
+			if ( null !== $must_not_match && in_array( $must_not_match, $expected, true ) ) {
+				$record(
+					'path-expectation',
+					array(
+						'expectation' => 'must-not-match',
+						'fid'         => $must_not_match,
+						'expected'    => $expected,
+					)
+				);
+			}
+
+			$html_matches = self::check_select_matches( 'html', $selector_string, $document, $expected, $record );
+			if ( null !== $html_matches ) {
+				self::note_match_assertion( $match_stats, 'html', $expected, $html_matches );
+			}
+
+			// lexbor parses full documents only; fragments skip it.
+			if ( ! ( $document['fragment'] ?? false ) ) {
+				$lexbor_state = self::check_lexbor_differential( $complex_ast, $selector_string, $document, $rows, $quirks, $expected, $record );
+			}
+		} elseif ( null === $complex_list && null === $complex_error ) {
+			self::check_select_rejection( 'html', $selector_string, $document, $record );
+		}
+
+		if ( null !== $compound_ast && null !== $tag_rows ) {
+			$expected = ReferenceMatcher::expected_tag_matches_rows( $compound_ast, $tag_rows );
+			$tag_matches = self::check_select_matches( 'tag', $selector_string, $document, $expected, $record );
+			if ( null !== $tag_matches ) {
+				self::note_match_assertion( $match_stats, 'tag', $expected, $tag_matches );
+			}
+		} elseif ( null === $compound_list && null === $compound_error ) {
+			self::check_select_rejection( 'tag', $selector_string, $document, $record );
+		}
+
+		// --- Metamorphic phase ----------------------------------------------
+		// Oracle-free relations: meaning-preserving transforms of the selector
+		// must select exactly the same elements. Run only on otherwise-clean
+		// cases so a single root cause does not multiply into noise.
+
+		if ( null !== $complex_ast && null !== $html_matches && array() === $failures ) {
+			self::check_metamorphic( $complex_ast, $html_matches, $document, $prng->fork( 'metamorph' ), $record );
+		}
+
+		$digest = sha1(
+			json_encode_safe(
+				array(
+					$selector_string,
+					$document['html'],
+					null !== $compound_list,
+					null !== $complex_list,
+					$compound_ast,
+					$complex_ast,
+					array_map(
+						static function ( $failure ) {
+							return $failure['invariant'];
+						},
+						$failures
+					),
+				)
+			)
+		);
+
+		$signatures = array();
+		foreach ( $failures as $failure ) {
+			$signatures[] = self::signature( $failure );
+		}
+
+		return array(
+			'seed'       => $seed,
+			'bucket'     => $selector['bucket'],
+			'digest'     => $digest,
+			'failures'   => $failures,
+			'signatures' => array_values( array_unique( $signatures ) ),
+			'selector'   => $selector_string,
+			'html'       => $document['html'],
+			'lexbor'     => $lexbor_state,
+			'matchStats' => $match_stats,
+		);
+	}
+
+	/**
+	 * Runs the SELF-CONTAINED invariants on an explicit ( selector, html )
+	 * pair — no generated model, intended AST, or parse expectation. This is
+	 * what the minimizer drives: every checked property is computable from
+	 * the pair alone ( WP select() vs the reference matcher over WP's own
+	 * parsed AST and the captured tree; metamorphic relations; the lexbor
+	 * differential; parse/shape/cross-grammar invariants; rejection
+	 * bookkeeping for unparseable selectors ).
+	 *
+	 * Bug 1 surfaces here as metamorphic-ast, Bug 2 as match-mismatch-*,
+	 * Bug 3 as metamorphic-parse — so all three known bugs are minimizable
+	 * without the generator.
+	 *
+	 * @return array{
+	 *     failures: array,
+	 *     signatures: string[],
+	 * }
+	 */
+	public static function run_pair( string $selector_string, string $html, ?string $target = null ): array {
+		Bootstrap::load();
+
+		$failures = array();
+		$record   = static function ( string $invariant, array $detail ) use ( &$failures ) {
+			$failures[] = array(
+				'invariant' => $invariant,
+				'detail'    => $detail,
+			);
+		};
+
+		// When the minimizer fixes a target signature, the metamorphic loop
+		// ( the only expensive, multi-draw stage ) is only worth running if
+		// the target is itself a metamorphic signature.
+		$target_invariant     = null === $target ? null : substr( strrchr( $target, ':' ), 1 );
+		$target_is_metamorph  = null !== $target_invariant && 0 === strpos( $target_invariant, 'metamorphic' );
+		$has_target_signature = static function () use ( &$failures, $target ) {
+			if ( null === $target ) {
+				return false;
+			}
+			foreach ( $failures as $failure ) {
+				if ( self::signature( $failure ) === $target ) {
+					return true;
+				}
+			}
+			return false;
+		};
+
+		list( $capture, $capture_error ) = self::guard(
+			static function () use ( $html ) {
+				return TreeCapture::capture( $html );
+			}
+		);
+
+		$rows     = null;
+		$tag_rows = null;
+		$quirks   = false;
+		if ( null === $capture_error && null === $capture['error'] ) {
+			$rows     = $capture['htmlRows'];
+			$tag_rows = $capture['tagRows'];
+			$quirks   = $capture['quirks'];
+		}
+
+		$document = array( 'html' => $html );
+
+		list( $compound_list, $compound_error ) = self::guard(
+			static function () use ( $selector_string ) {
+				return \WP_CSS_Compound_Selector_List::from_selectors( $selector_string );
+			}
+		);
+		list( $complex_list, $complex_error )   = self::guard(
+			static function () use ( $selector_string ) {
+				return \WP_CSS_Complex_Selector_List::from_selectors( $selector_string );
+			}
+		);
+
+		if ( null !== $compound_error ) {
+			$record( 'parse-error', array( 'grammar' => 'compound', 'error' => self::describe_throwable( $compound_error ) ) );
+		}
+		if ( null !== $complex_error ) {
+			$record( 'parse-error', array( 'grammar' => 'complex', 'error' => self::describe_throwable( $complex_error ) ) );
+		}
+		if ( null !== $compound_list && null === $complex_list && null === $complex_error ) {
+			$record( 'compound-implies-complex', array() );
+		}
+
+		$compound_ast = null;
+		$complex_ast  = null;
+		if ( null !== $compound_list ) {
+			list( $compound_ast, $shape_error ) = self::guard(
+				static function () use ( $compound_list ) {
+					return AstExtractor::from_compound_list( $compound_list );
+				}
+			);
+			if ( null !== $shape_error ) {
+				$record( 'ast-shape', array( 'grammar' => 'compound', 'error' => self::describe_throwable( $shape_error ) ) );
+			}
+		}
+		if ( null !== $complex_list ) {
+			list( $complex_ast, $shape_error ) = self::guard(
+				static function () use ( $complex_list ) {
+					return AstExtractor::from_complex_list( $complex_list );
+				}
+			);
+			if ( null !== $shape_error ) {
+				$record( 'ast-shape', array( 'grammar' => 'complex', 'error' => self::describe_throwable( $shape_error ) ) );
+			}
+		}
+		if ( null !== $compound_ast && null !== $complex_ast && $compound_ast !== $complex_ast ) {
+			$record( 'ast-cross-grammar', array( 'compoundAst' => $compound_ast, 'complexAst' => $complex_ast ) );
+		}
+
+		$html_matches = null;
+		if ( null !== $complex_ast && null !== $rows ) {
+			$expected     = ReferenceMatcher::expected_html_matches_rows( $complex_ast, $rows, $quirks );
+			$html_matches = self::check_select_matches( 'html', $selector_string, $document, $expected, $record );
+			self::check_lexbor_differential( $complex_ast, $selector_string, $document, $rows, $quirks, $expected, $record );
+		} elseif ( null === $complex_list && null === $complex_error && null !== $rows ) {
+			self::check_select_rejection( 'html', $selector_string, $document, $record );
+		}
+
+		if ( null !== $compound_ast && null !== $tag_rows ) {
+			$expected = ReferenceMatcher::expected_tag_matches_rows( $compound_ast, $tag_rows );
+			self::check_select_matches( 'tag', $selector_string, $document, $expected, $record );
+		} elseif ( null === $compound_list && null === $compound_error && null !== $tag_rows ) {
+			self::check_select_rejection( 'tag', $selector_string, $document, $record );
+		}
+
+		$run_metamorph = ( null === $target || $target_is_metamorph )
+			&& null !== $complex_ast && null !== $html_matches && array() === $failures;
+		if ( $run_metamorph ) {
+			/*
+			 * Metamorphic transforms randomize escapes / case / order, so a
+			 * transform-sensitive bug ( e.g. Bug 1 and Bug 3 ) only fires for
+			 * some PRNG draws. run_case sees one draw; here several fixed
+			 * draws are tried so minimization can reliably preserve such a
+			 * signature regardless of which draw first exposed it. With a
+			 * target fixed, stop at the first draw that reproduces it.
+			 */
+			for ( $i = 0; $i < self::PAIR_METAMORPH_DRAWS && array() === $failures; $i++ ) {
+				// A FIXED draw seed ( not derived from the pair ) keeps the
+				// test monotonic under shrinking: the same coin-flips apply to
+				// whatever AST survives, so a smaller selector that still has
+				// the bug reproduces the same transform signature.
+				$metamorph_prng = new Prng( 'css-selector-fuzz-minimize', "metamorph:{$i}" );
+				self::check_metamorphic( $complex_ast, $html_matches, $document, $metamorph_prng, $record );
+				if ( $has_target_signature() ) {
+					break;
+				}
+			}
+		}
+
+		$signatures = array();
+		foreach ( $failures as $failure ) {
+			$signatures[] = self::signature( $failure );
+		}
+
+		return array(
+			'failures'   => $failures,
+			'signatures' => array_values( array_unique( $signatures ) ),
+		);
+	}
+
+	/**
+	 * Fragment analogue of check_capture_against_model: the `<body>`-context
+	 * fragment capture must equal the model rows built from the body-level
+	 * children ( with the implicit HTML/BODY ancestors ).
+	 */
+	private static function check_fragment_capture_against_model( array $document, array $capture, callable $record ): void {
+		$model_rows = DocumentGenerator::rows_from_fragment( $document['children'] );
+
+		$normalize = static function ( array $rows ): array {
+			$out = array();
+			foreach ( $rows as $row ) {
+				$attrs = array();
+				foreach ( $row['attrs'] as $attr ) {
+					$attrs[ $attr[0] ] = $attr[1];
+				}
+				ksort( $attrs );
+				$out[] = array(
+					'tag'          => $row['tag'],
+					'fid'          => $row['fid'],
+					'attrs'        => $attrs,
+					'ancestorTags' => $row['ancestorTags'],
+				);
+			}
+			return $out;
+		};
+
+		$expected = $normalize( $model_rows );
+		$actual   = $normalize( $capture['htmlRows'] );
+		if ( $expected !== $actual ) {
+			$record(
+				'model-desync',
+				array(
+					'processor' => 'fragment',
+					'expected'  => $expected,
+					'actual'    => $actual,
+				)
+			);
+		}
+	}
+
+	/**
+	 * Verifies that the processor's captured view of a safe (model-built)
+	 * document agrees with the generated model — this guards the oracle
+	 * itself against renderer/model drift, and is what justifies trusting
+	 * the capture on wild documents.
+	 */
+	private static function check_capture_against_model( array $document, array $capture, callable $record ): void {
+		$model_rows = DocumentGenerator::rows_from_model( $document['model'] );
+
+		$normalize = static function ( array $rows, bool $with_ancestors ): array {
+			$out = array();
+			foreach ( $rows as $row ) {
+				$attrs = array();
+				foreach ( $row['attrs'] as $attr ) {
+					$attrs[ $attr[0] ] = $attr[1];
+				}
+				ksort( $attrs );
+				$normalized = array(
+					'tag'   => $row['tag'],
+					'fid'   => $row['fid'],
+					'attrs' => $attrs,
+				);
+				if ( $with_ancestors ) {
+					$normalized['ancestorTags'] = $row['ancestorTags'];
+				}
+				$out[] = $normalized;
+			}
+			return $out;
+		};
+
+		$expected = $normalize( $model_rows, true );
+		$actual   = $normalize( $capture['htmlRows'], true );
+		if ( $expected !== $actual ) {
+			$record(
+				'model-desync',
+				array(
+					'processor' => 'html',
+					'expected'  => $expected,
+					'actual'    => $actual,
+				)
+			);
+		}
+
+		$expected_tags = $normalize( $model_rows, false );
+		$actual_tags   = $normalize( $capture['tagRows'], false );
+		if ( $expected_tags !== $actual_tags ) {
+			$record(
+				'model-desync',
+				array(
+					'processor' => 'tag',
+					'expected'  => $expected_tags,
+					'actual'    => $actual_tags,
+				)
+			);
+		}
+
+		if ( $document['quirks'] !== $capture['quirks'] ) {
+			$record(
+				'model-desync',
+				array(
+					'processor' => 'quirks',
+					'expected'  => $document['quirks'],
+					'actual'    => $capture['quirks'],
+				)
+			);
+		}
+	}
+
+	/**
+	 * Runs a select() loop over the document, collecting matched data-fids.
+	 *
+	 * @param string $target   'html' or 'tag'.
+	 * @param array  $document The case document ( may request fragment mode ).
+	 * @return array{0: string[]|null, 1: \Throwable|null}
+	 */
+	private static function collect_matches( string $target, string $selector_string, array $document ): array {
+		$html    = $document['html'];
+		$context = ( $document['fragment'] ?? false ) ? $document['context'] : null;
+		return self::guard(
+			static function () use ( $target, $selector_string, $html, $context ) {
+				if ( 'tag' === $target ) {
+					$processor = new \WP_HTML_Tag_Processor( $html );
+				} elseif ( null !== $context ) {
+					$processor = \WP_HTML_Processor::create_fragment( $html, $context );
+				} else {
+					$processor = \WP_HTML_Processor::create_full_parser( $html );
+				}
+
+				$matches    = array();
+				$iterations = 0;
+				while ( $processor->select( $selector_string ) ) {
+					$fid       = $processor->get_attribute( 'data-fid' );
+					// Sanitize identically to TreeCapture/lexbor so a fid with
+					// a control char can never produce a false divergence on
+					// the match path ( unreachable today: fids are integers ).
+					$matches[] = is_string( $fid ) ? TreeCapture::sanitize_fid( $fid ) : '(missing-fid:' . $processor->get_tag() . ')';
+					if ( ++$iterations > self::SELECT_ITERATION_LIMIT ) {
+						throw new \RuntimeException( 'select() did not terminate within the iteration limit.' );
+					}
+				}
+
+				if ( $processor instanceof \WP_HTML_Processor ) {
+					if ( null !== $processor->get_last_error() ) {
+						throw new \RuntimeException( 'Processor error state: ' . $processor->get_last_error() );
+					}
+					if ( null !== $processor->get_unsupported_exception() ) {
+						throw new \RuntimeException( 'Processor unsupported state: ' . $processor->get_unsupported_exception()->getMessage() );
+					}
+				}
+
+				return $matches;
+			}
+		);
+	}
+
+	/**
+	 * Flushes the select() parse caches.
+	 *
+	 * Both select() implementations memoize the most recently parsed selector
+	 * string in a function-static cache, so whether a select() call re-parses
+	 * — and therefore whether parse-time notices ( the invalid-UTF-8 scrub
+	 * notice from from_selectors() ) fire — depends on what the worker
+	 * happened to parse before. Parsing a sentinel selector first makes the
+	 * next select() call for the case selector deterministic: it always
+	 * re-parses, so exactly one parse happens inside each notice-assertion
+	 * window regardless of worker history or case re-runs.
+	 */
+	private static function flush_select_parse_caches(): void {
+		( new \WP_HTML_Tag_Processor( '' ) )->select( '#-fuzz-cache-flush-' );
+		\WP_HTML_Processor::create_full_parser( '' )->select( '#-fuzz-cache-flush-' );
+	}
+
+	/**
+	 * The _doing_it_wrong() name under which from_selectors() reports that an
+	 * invalid-UTF-8 selector string was scrubbed to U+FFFD before parsing.
+	 *
+	 * @param string $target 'html' or 'tag'.
+	 */
+	private static function scrub_notice_name( string $target ): string {
+		return ( 'tag' === $target ? 'WP_CSS_Compound_Selector_List' : 'WP_CSS_Complex_Selector_List' ) . '::from_selectors';
+	}
+
+	/**
+	 * Runs a select() loop on a parseable selector and compares the match set
+	 * against the reference matcher.
+	 *
+	 * @param string $target 'html' or 'tag'.
+	 * @return string[]|null The actual match set, or null when matching failed.
+	 */
+	private static function check_select_matches( string $target, string $selector_string, array $document, array $expected, callable $record ): ?array {
+		self::flush_select_parse_caches();
+		Bootstrap::reset_doing_it_wrong();
+
+		list( $actual, $error ) = self::collect_matches( $target, $selector_string, $document );
+
+		if ( null !== $error ) {
+			$record(
+				'match-error',
+				array(
+					'target' => $target,
+					'error'  => self::describe_throwable( $error ),
+				)
+			);
+			return null;
+		}
+
+		/*
+		 * A selector string containing invalid UTF-8 is scrubbed to U+FFFD by
+		 * from_selectors(), which reports the replacement with exactly one
+		 * notice on the (single, cache-flushed) parse. Anything else is
+		 * unexpected for a selector that parses.
+		 */
+		$expected_calls = \wp_is_valid_utf8( $selector_string )
+			? array()
+			: array(
+				array(
+					'function' => self::scrub_notice_name( $target ),
+				),
+			);
+
+		$doing_it_wrong = Bootstrap::doing_it_wrong_calls();
+		if ( ! self::notices_match( $expected_calls, $doing_it_wrong ) ) {
+			$record(
+				'doing-it-wrong-unexpected',
+				array(
+					'target'        => $target,
+					'expectedCalls' => $expected_calls,
+					'calls'         => $doing_it_wrong,
+				)
+			);
+		}
+
+		if ( $actual !== $expected ) {
+			$record(
+				'match-mismatch-' . $target,
+				array(
+					'expected' => $expected,
+					'actual'   => $actual,
+				)
+			);
+		}
+
+		return $actual;
+	}
+
+	private static function note_match_assertion( array &$match_stats, string $target, array $expected, array $actual ): void {
+		if ( ! isset( $match_stats[ $target ] ) ) {
+			$match_stats[ $target ] = array(
+				'assertions' => 0,
+				'nonVacuous' => 0,
+			);
+		}
+
+		++$match_stats[ $target ]['assertions'];
+		if ( array() !== $expected || array() !== $actual ) {
+			++$match_stats[ $target ]['nonVacuous'];
+		}
+	}
+
+	private static function finalize_match_stats( array $match_stats ): array {
+		foreach ( $match_stats as $bucket => $targets ) {
+			foreach ( $targets as $target => $counts ) {
+				$assertions  = (int) ( $counts['assertions'] ?? 0 );
+				$non_vacuous = (int) ( $counts['nonVacuous'] ?? 0 );
+				$vacuous     = max( 0, $assertions - $non_vacuous );
+
+				$match_stats[ $bucket ][ $target ]['vacuous']         = $vacuous;
+				$match_stats[ $bucket ][ $target ]['nonVacuousRate'] = $assertions > 0 ? round( $non_vacuous / $assertions, 4 ) : 0.0;
+				$match_stats[ $bucket ][ $target ]['vacuousRate']    = $assertions > 0 ? round( $vacuous / $assertions, 4 ) : 0.0;
+			}
+		}
+		return $match_stats;
+	}
+
+	/**
+	 * Runs the lexbor differential — the THIRD, independent matching opinion.
+	 *
+	 * Quirks-mode documents are excluded unless the startup probe confirms
+	 * lexbor has reliable class/#id case folding in both no-quirks and quirks
+	 * mode. The comparison only runs when lexbor built the same element tree
+	 * as WP ( fid/tag/ancestry multiset ), so it tests the selector layer,
+	 * not tree construction.
+	 *
+	 * Verdict triage:
+	 *  - 'lexbor-divergence'   lexbor != reference: a fuzzer-oracle problem
+	 *                          ( or an un-compensated lexbor bug ) — never a
+	 *                          WP verdict on its own.
+	 *  - 'lexbor-parse-reject' lexbor refused a selector WP accepted.
+	 *  - match-mismatch-html with NO lexbor-divergence on the same case
+	 *                          means reference == lexbor != WP: a
+	 *                          high-confidence WP finding.
+	 *
+	 * @return string Tally state:
+	 *   unavailable|skipped-quirks|skipped-utf8|error|tree-gated|compared.
+	 */
+	private static function check_lexbor_differential( array $complex_ast, string $selector_string, array $document, array $rows, bool $quirks, array $expected, callable $record ): string {
+		if ( ! LexborOracle::available() ) {
+			return 'unavailable';
+		}
+		if ( $quirks && ! LexborOracle::quirks_class_id_reliable() ) {
+			return 'skipped-quirks';
+		}
+
+		/*
+		 * lexbor receives a canonical re-render of the (already verified)
+		 * AST rather than the original byte form: the differential targets
+		 * matching semantics, while byte-level parsing (escapes, whitespace,
+		 * modifier case — lexbor e.g. rejects uppercase I/S modifiers) is
+		 * covered by the AST round-trip and metamorphic invariants. ASTs
+		 * containing invalid UTF-8 cannot be re-rendered; since
+		 * from_selectors() scrubs input to U+FFFD before parsing, none should
+		 * exist and this skip is defensive ( a nonzero skipped-utf8 tally
+		 * indicates a normalization bypass ).
+		 */
+		if ( ! ast_strings_are_utf8( $complex_ast ) ) {
+			return 'skipped-utf8';
+		}
+		$canonical = SelectorGenerator::render_canonical( $complex_ast );
+
+		$lex = LexborOracle::query( $document['html'], $canonical );
+		if ( null === $lex ) {
+			return 'error';
+		}
+
+		if ( 'parse' === $lex['error'] ) {
+			$record(
+				'lexbor-parse-reject',
+				array(
+					'note'      => 'lexbor rejected the canonical form of a selector the WP parser accepted',
+					'canonical' => printable_bytes( $canonical ),
+				)
+			);
+			return 'compared';
+		}
+		if ( null !== $lex['error'] ) {
+			return 'error';
+		}
+
+		if ( ! self::trees_agree( $rows, $lex['rows'] ) ) {
+			return 'tree-gated';
+		}
+
+		/*
+		 * Two known lexbor deviations are compensated for so the rest of the
+		 * semantics still get differential coverage; WP itself is still held
+		 * to the strict expectation:
+		 *
+		 *  - lexbor #368: class/#id match ASCII case-insensitively even in
+		 *    no-quirks documents. Compare lexbor against the reference run
+		 *    with quirks-style class/ID folding.
+		 *  - lexbor does not implement HTML's case-insensitive attribute
+		 *    value list ( [rel=NOFOLLOW] does not match rel="nofollow" ),
+		 *    where browsers and WP do. Compare lexbor against the reference
+		 *    run with that list disabled.
+		 */
+		$expected_for_lexbor = ReferenceMatcher::expected_html_matches_rows(
+			$complex_ast,
+			$rows,
+			LexborOracle::has_issue_368() ? true : $quirks,
+			false
+		);
+
+		// lexbor reports in document order, WP/reference in visit order —
+		// compare as multisets.
+		$lex_matches = $lex['matches'];
+		sort( $lex_matches );
+		sort( $expected_for_lexbor );
+
+		if ( $lex_matches !== $expected_for_lexbor ) {
+			$record(
+				'lexbor-divergence',
+				array(
+					'reference' => $expected_for_lexbor,
+					'lexbor'    => $lex_matches,
+					'issue368'  => LexborOracle::has_issue_368(),
+				)
+			);
+		}
+
+		return 'compared';
+	}
+
+	/** Multiset equality of ( tag, fid, ancestry ) between WP and lexbor rows. */
+	private static function trees_agree( array $wp_rows, array $lexbor_rows ): bool {
+		$serialize = static function ( array $rows ): array {
+			$out = array();
+			foreach ( $rows as $row ) {
+				$out[] = $row['tag'] . '|' . $row['fid'] . '|' . implode( ',', $row['ancestorTags'] );
+			}
+			sort( $out );
+			return $out;
+		};
+
+		return $serialize( $wp_rows ) === $serialize( $lexbor_rows );
+	}
+
+	/**
+	 * Checks the metamorphic relations: each meaning-preserving transform of
+	 * the parsed selector must parse, must (for AST-preserving transforms)
+	 * parse to exactly the transformed AST, and must select exactly the same
+	 * elements the original selector selected.
+	 *
+	 * @param array    $complex_ast  Canonical AST of the original selector.
+	 * @param string[] $html_matches The original's WP_HTML_Processor match set.
+	 */
+	private static function check_metamorphic( array $complex_ast, array $html_matches, array $document, Prng $prng, callable $record ): void {
+		foreach ( Metamorph::variants( $complex_ast, $prng ) as $variant ) {
+			$transform        = $variant['name'];
+			$variant_selector = $variant['selector'];
+
+			list( $variant_list, $parse_error ) = self::guard(
+				static function () use ( $variant_selector ) {
+					return \WP_CSS_Complex_Selector_List::from_selectors( $variant_selector );
+				}
+			);
+
+			if ( null !== $parse_error ) {
+				$record(
+					'metamorphic-error',
+					array(
+						'transform' => $transform,
+						'selector'  => printable_bytes( $variant_selector ),
+						'error'     => self::describe_throwable( $parse_error ),
+					)
+				);
+				continue;
+			}
+
+			if ( null === $variant_list ) {
+				$record(
+					'metamorphic-parse',
+					array(
+						'transform' => $transform,
+						'selector'  => printable_bytes( $variant_selector ),
+					)
+				);
+				continue;
+			}
+
+			if ( $variant['astMustMatch'] ) {
+				list( $variant_ast, $shape_error ) = self::guard(
+					static function () use ( $variant_list ) {
+						return AstExtractor::from_complex_list( $variant_list );
+					}
+				);
+				if ( null !== $shape_error ) {
+					$record(
+						'metamorphic-error',
+						array(
+							'transform' => $transform,
+							'selector'  => printable_bytes( $variant_selector ),
+							'error'     => self::describe_throwable( $shape_error ),
+						)
+					);
+					continue;
+				}
+				if ( $variant_ast !== $variant['ast'] ) {
+					$record(
+						'metamorphic-ast',
+						array(
+							'transform'   => $transform,
+							'selector'    => printable_bytes( $variant_selector ),
+							'expectedAst' => $variant['ast'],
+							'parsedAst'   => $variant_ast,
+						)
+					);
+					continue;
+				}
+			}
+
+			Bootstrap::reset_doing_it_wrong();
+			list( $variant_matches, $match_error ) = self::collect_matches( 'html', $variant_selector, $document );
+
+			if ( null !== $match_error ) {
+				$record(
+					'metamorphic-error',
+					array(
+						'transform' => $transform,
+						'selector'  => printable_bytes( $variant_selector ),
+						'error'     => self::describe_throwable( $match_error ),
+					)
+				);
+				continue;
+			}
+
+			if ( $variant_matches !== $html_matches ) {
+				$record(
+					'metamorphic-mismatch',
+					array(
+						'transform' => $transform,
+						'selector'  => printable_bytes( $variant_selector ),
+						'expected'  => $html_matches,
+						'actual'    => $variant_matches,
+					)
+				);
+			}
+		}
+	}
+
+	/**
+	 * For unparseable selectors: select() must return false, leave the
+	 * processor usable, and report misuse exactly once per call.
+	 */
+	private static function check_select_rejection( string $target, string $selector_string, array $document, callable $record ): void {
+		self::flush_select_parse_caches();
+		Bootstrap::reset_doing_it_wrong();
+
+		$context = ( $document['fragment'] ?? false ) ? $document['context'] : null;
+		list( $results, $error ) = self::guard(
+			static function () use ( $target, $selector_string, $document, $context ) {
+				if ( 'tag' === $target ) {
+					$processor = new \WP_HTML_Tag_Processor( $document['html'] );
+				} elseif ( null !== $context ) {
+					$processor = \WP_HTML_Processor::create_fragment( $document['html'], $context );
+				} else {
+					$processor = \WP_HTML_Processor::create_full_parser( $document['html'] );
+				}
+
+				// Two calls: the second exercises the parse cache.
+				return array( $processor->select( $selector_string ), $processor->select( $selector_string ) );
+			}
+		);
+
+		if ( null !== $error ) {
+			$record(
+				'match-error',
+				array(
+					'target'   => $target,
+					'rejected' => true,
+					'error'    => self::describe_throwable( $error ),
+				)
+			);
+			return;
+		}
+
+		if ( array( false, false ) !== $results ) {
+			$record(
+				'select-on-null',
+				array(
+					'target'  => $target,
+					'results' => $results,
+				)
+			);
+		}
+
+		/*
+		 * Two select() calls report the unparseable selector once each; the
+		 * parse cache only skips re-parsing, never the per-call notice. An
+		 * invalid-UTF-8 selector additionally reports the U+FFFD scrub once,
+		 * on the first call ( the only one that parses after the flush ).
+		 */
+		$select_notice_name = ( 'tag' === $target ? 'WP_HTML_Tag_Processor' : 'WP_HTML_Processor' ) . '::select';
+		$expected_calls     = array(
+			array( 'function' => $select_notice_name ),
+			array( 'function' => $select_notice_name ),
+		);
+		if ( ! \wp_is_valid_utf8( $selector_string ) ) {
+			array_unshift( $expected_calls, array( 'function' => self::scrub_notice_name( $target ) ) );
+		}
+
+		$doing_it_wrong = Bootstrap::doing_it_wrong_calls();
+		if ( ! self::notices_match( $expected_calls, $doing_it_wrong ) ) {
+			$record(
+				'doing-it-wrong-missing',
+				array(
+					'target'        => $target,
+					'expectedCalls' => $expected_calls,
+					'calls'         => $doing_it_wrong,
+				)
+			);
+		}
+	}
+
+	/**
+	 * Compares recorded _doing_it_wrong() calls against expectations: same
+	 * count, in order, matching on every key the expectation specifies
+	 * ( recorded calls also carry 'message', which expectations omit ).
+	 *
+	 * @param array[] $expected_calls Expected calls, each a subset of record keys.
+	 * @param array[] $actual_calls   Recorded calls.
+	 */
+	private static function notices_match( array $expected_calls, array $actual_calls ): bool {
+		if ( count( $expected_calls ) !== count( $actual_calls ) ) {
+			return false;
+		}
+		foreach ( $expected_calls as $i => $expected_call ) {
+			foreach ( $expected_call as $key => $value ) {
+				if ( ( $actual_calls[ $i ][ $key ] ?? null ) !== $value ) {
+					return false;
+				}
+			}
+		}
+		return true;
+	}
+
+	/*
+	 * -------------
+	 * Batch running
+	 * -------------
+	 */
+
+	/**
+	 * Runs a batch of sequential seeds.
+	 *
+	 * @return array Summary.
+	 */
+	public static function run_batch( array $options ): array {
+		Bootstrap::load();
+
+		$start_seed        = option_int( $options, 'start-seed', 1 );
+		$count             = option_int( $options, 'count', 100 );
+		$failures_out      = option_string( $options, 'failures-out', null );
+		$progress_file     = option_string( $options, 'progress-file', null );
+		$determinism_every = option_int( $options, 'determinism-every', 16 );
+		$max_failures      = option_int( $options, 'max-failures', 200 );
+
+		$started_at  = microtime( true );
+		$failures    = 0;
+		$buckets     = array();
+		$signatures  = array();
+		$lexbor      = array();
+		$match_stats = array();
+		$last_seed   = null;
+		$stop_reason = 'completed';
+
+		for ( $seed = $start_seed; $seed < $start_seed + $count; $seed++ ) {
+			if ( $max_failures > 0 && $failures >= $max_failures ) {
+				$stop_reason = 'max-failures';
+				break;
+			}
+			if ( null !== $progress_file ) {
+				file_put_contents( $progress_file, (string) $seed );
+			}
+
+			$result = self::run_case( $seed );
+
+			if ( $determinism_every > 0 && 0 === $seed % $determinism_every ) {
+				$repeat = self::run_case( $seed );
+				if ( $repeat['digest'] !== $result['digest'] ) {
+					$result['failures'][] = array(
+						'invariant' => 'case-determinism',
+						'detail'    => array(
+							'firstDigest'  => $result['digest'],
+							'secondDigest' => $repeat['digest'],
+						),
+					);
+				}
+			}
+
+			$buckets[ $result['bucket'] ] = ( $buckets[ $result['bucket'] ] ?? 0 ) + 1;
+			$lexbor[ $result['lexbor'] ]  = ( $lexbor[ $result['lexbor'] ] ?? 0 ) + 1;
+			$last_seed                    = $seed;
+			foreach ( $result['matchStats'] as $target => $stats ) {
+				if ( ! isset( $match_stats[ $result['bucket'] ][ $target ] ) ) {
+					$match_stats[ $result['bucket'] ][ $target ] = array(
+						'assertions' => 0,
+						'nonVacuous' => 0,
+					);
+				}
+				$match_stats[ $result['bucket'] ][ $target ]['assertions'] += $stats['assertions'];
+				$match_stats[ $result['bucket'] ][ $target ]['nonVacuous'] += $stats['nonVacuous'];
+			}
+
+			foreach ( $result['failures'] as $failure ) {
+				++$failures;
+				$signature                = self::signature( $failure );
+				$signatures[ $signature ] = ( $signatures[ $signature ] ?? 0 ) + 1;
+
+				$entry = array(
+					'kind'            => 'css-selector-fuzz-failure',
+					'seed'            => $result['seed'],
+					'bucket'          => $result['bucket'],
+					'invariant'       => $failure['invariant'],
+					'signature'       => $signature,
+					'selector'        => printable_bytes( $result['selector'] ),
+					'selectorBase64'  => base64_encode( $result['selector'] ),
+					'htmlBase64'      => base64_encode( $result['html'] ),
+					'detail'          => $failure['detail'],
+				);
+				if ( null !== $failures_out ) {
+					append_ndjson( $failures_out, $entry );
+				} else {
+					fwrite( STDERR, json_encode_safe( $entry ) . "\n" );
+				}
+			}
+		}
+
+		return array(
+			'kind'        => 'css-selector-fuzz-batch-summary',
+			'startSeed'   => $start_seed,
+			'count'       => $count,
+			'lastSeed'    => $last_seed,
+			'failures'    => $failures,
+			'buckets'     => $buckets,
+			'signatures'  => $signatures,
+			'lexbor'      => $lexbor,
+			'matchStats'  => self::finalize_match_stats( $match_stats ),
+			'stopReason'  => $stop_reason,
+			'durationMs'  => (int) round( 1000 * ( microtime( true ) - $started_at ) ),
+		);
+	}
+
+	/** Stable identity for de-duplicating equivalent failures. */
+	private static function signature( array $failure ): string {
+		$parts = array( $failure['invariant'] );
+		if ( isset( $failure['detail']['grammar'] ) ) {
+			$parts[] = $failure['detail']['grammar'];
+		}
+		if ( isset( $failure['detail']['target'] ) ) {
+			$parts[] = $failure['detail']['target'];
+		}
+		if ( isset( $failure['detail']['transform'] ) ) {
+			$parts[] = $failure['detail']['transform'];
+		}
+		if ( isset( $failure['detail']['error']['class'] ) ) {
+			$parts[] = $failure['detail']['error']['class'];
+			$parts[] = preg_replace( '/[0-9]+/', 'N', (string) ( $failure['detail']['error']['message'] ?? '' ) );
+		}
+		return substr( sha1( implode( '|', $parts ) ), 0, 12 ) . ':' . $failure['invariant'];
+	}
+
+	/*
+	 * -------
+	 * Helpers
+	 * -------
+	 */
+
+	/**
+	 * Calls $fn with PHP warnings/notices converted to exceptions.
+	 *
+	 * @return array{0: mixed, 1: \Throwable|null}
+	 */
+	private static function guard( callable $fn ): array {
+		set_error_handler(
+			static function ( $severity, $message, $file, $line ) {
+				if ( E_DEPRECATED === $severity || E_USER_DEPRECATED === $severity ) {
+					return true;
+				}
+				throw new \ErrorException( $message, 0, $severity, $file, $line );
+			}
+		);
+		try {
+			return array( $fn(), null );
+		} catch ( \Throwable $e ) {
+			return array( null, $e );
+		} finally {
+			restore_error_handler();
+		}
+	}
+
+	public static function describe_throwable( \Throwable $e ): array {
+		$root = repo_root() . DIRECTORY_SEPARATOR;
+		return array(
+			'class'   => get_class( $e ),
+			'message' => $e->getMessage(),
+			'at'      => str_replace( $root, '', $e->getFile() ) . ':' . $e->getLine(),
+			'trace'   => array_slice(
+				array_map(
+					static function ( $frame ) use ( $root ) {
+						$location = isset( $frame['file'] )
+							? str_replace( $root, '', $frame['file'] ) . ':' . ( $frame['line'] ?? '?' )
+							: '[internal]';
+						$callable = ( $frame['class'] ?? '' ) . ( $frame['type'] ?? '' ) . ( $frame['function'] ?? '' );
+						return $location . ' ' . $callable;
+					},
+					$e->getTrace()
+				),
+				0,
+				6
+			),
+		);
+	}
+}
diff --git a/tools/css-selector-fuzz/lib/autoload.php b/tools/css-selector-fuzz/lib/autoload.php
new file mode 100644
index 0000000000000..6ebdcbc75d6c3
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/autoload.php
@@ -0,0 +1,13 @@
+<?php
+require_once __DIR__ . '/util.php';
+require_once __DIR__ . '/Prng.php';
+require_once __DIR__ . '/Bootstrap.php';
+require_once __DIR__ . '/DocumentGenerator.php';
+require_once __DIR__ . '/WildDocumentGenerator.php';
+require_once __DIR__ . '/TreeCapture.php';
+require_once __DIR__ . '/SelectorGenerator.php';
+require_once __DIR__ . '/AstExtractor.php';
+require_once __DIR__ . '/ReferenceMatcher.php';
+require_once __DIR__ . '/Metamorph.php';
+require_once __DIR__ . '/LexborOracle.php';
+require_once __DIR__ . '/Worker.php';
diff --git a/tools/css-selector-fuzz/lib/util.php b/tools/css-selector-fuzz/lib/util.php
new file mode 100644
index 0000000000000..d70d5cff9bae1
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/util.php
@@ -0,0 +1,189 @@
+<?php
+namespace CssSelectorFuzz;
+
+function repo_root(): string {
+	return dirname( __DIR__, 3 );
+}
+
+function parse_cli_options( array $argv ): array {
+	$options = array( '_' => array() );
+	$count   = count( $argv );
+	for ( $i = 1; $i < $count; $i++ ) {
+		$arg = $argv[ $i ];
+		if ( 0 === strpos( $arg, '--' ) ) {
+			$name = substr( $arg, 2 );
+			if ( false !== strpos( $name, '=' ) ) {
+				list( $name, $value ) = explode( '=', $name, 2 );
+				$options[ $name ]     = $value;
+			} elseif ( $i + 1 < $count && 0 !== strpos( $argv[ $i + 1 ], '--' ) ) {
+				$options[ $name ] = $argv[ ++$i ];
+			} else {
+				$options[ $name ] = true;
+			}
+		} else {
+			$options['_'][] = $arg;
+		}
+	}
+	return $options;
+}
+
+function option_string( array $options, string $name, ?string $default = null ): ?string {
+	if ( ! array_key_exists( $name, $options ) || true === $options[ $name ] ) {
+		return $default;
+	}
+	return (string) $options[ $name ];
+}
+
+function option_int( array $options, string $name, int $default ): int {
+	$value = option_string( $options, $name, null );
+	return null === $value ? $default : (int) $value;
+}
+
+function option_float( array $options, string $name, float $default ): float {
+	$value = option_string( $options, $name, null );
+	return null === $value ? $default : (float) $value;
+}
+
+function option_bool( array $options, string $name, bool $default ): bool {
+	if ( ! array_key_exists( $name, $options ) ) {
+		return $default;
+	}
+	$value = $options[ $name ];
+	if ( true === $value ) {
+		return true;
+	}
+	return in_array( strtolower( (string) $value ), array( '1', 'true', 'yes', 'on' ), true );
+}
+
+function ensure_dir( string $dir ): void {
+	if ( ! is_dir( $dir ) && ! mkdir( $dir, 0777, true ) && ! is_dir( $dir ) ) {
+		throw new \RuntimeException( "Could not create directory: {$dir}" );
+	}
+}
+
+function json_encode_safe( $value ): string {
+	$encoded = json_encode( $value, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE );
+	if ( false === $encoded ) {
+		$encoded = json_encode( array( 'jsonError' => json_last_error_msg() ) );
+	}
+	return $encoded;
+}
+
+function write_json_file( string $path, $value ): void {
+	file_put_contents( $path, json_encode_safe( $value ) . "\n" );
+}
+
+function read_json_file( string $path ): ?array {
+	if ( ! is_file( $path ) ) {
+		return null;
+	}
+	$decoded = json_decode( (string) file_get_contents( $path ), true );
+	return is_array( $decoded ) ? $decoded : null;
+}
+
+function append_ndjson( string $path, array $value ): void {
+	file_put_contents( $path, json_encode_safe( $value ) . "\n", FILE_APPEND | LOCK_EX );
+}
+
+function timestamp(): string {
+	return gmdate( 'Ymd-His' );
+}
+
+/**
+ * Renders bytes for human inspection: printable ASCII passes through,
+ * everything else becomes \xHH.
+ */
+function printable_bytes( string $bytes, int $max_length = 4096 ): string {
+	$out       = '';
+	$truncated = strlen( $bytes ) > $max_length;
+	$bytes     = substr( $bytes, 0, $max_length );
+	for ( $i = 0; $i < strlen( $bytes ); $i++ ) {
+		$c = $bytes[ $i ];
+		$o = ord( $c );
+		if ( $o >= 0x20 && $o <= 0x7E ) {
+			$out .= '\\' === $c ? '\\\\' : $c;
+		} else {
+			$out .= sprintf( '\\x%02X', $o );
+		}
+	}
+	return $out . ( $truncated ? '…(truncated)' : '' );
+}
+
+function git_metadata(): array {
+	$head   = trim( (string) shell_exec( 'git -C ' . escapeshellarg( repo_root() ) . ' rev-parse HEAD 2>/dev/null' ) );
+	$branch = trim( (string) shell_exec( 'git -C ' . escapeshellarg( repo_root() ) . ' rev-parse --abbrev-ref HEAD 2>/dev/null' ) );
+	return array(
+		'head'   => '' !== $head ? $head : null,
+		'branch' => '' !== $branch ? $branch : null,
+	);
+}
+
+/** Whether every string anywhere in a nested array is valid UTF-8. */
+function ast_strings_are_utf8( $node ): bool {
+	if ( is_string( $node ) ) {
+		return (bool) preg_match( '//u', $node );
+	}
+	if ( is_array( $node ) ) {
+		foreach ( $node as $child ) {
+			if ( ! ast_strings_are_utf8( $child ) ) {
+				return false;
+			}
+		}
+	}
+	return true;
+}
+
+function ascii_strtolower( string $input ): string {
+	return strtr( $input, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz' );
+}
+
+function ascii_strtoupper( string $input ): string {
+	return strtr( $input, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' );
+}
+
+/** Flips the case of each ASCII letter independently with 50% probability. */
+function str_shuffle_case( string $input, Prng $prng ): string {
+	$out = '';
+	for ( $i = 0; $i < strlen( $input ); $i++ ) {
+		$byte = $input[ $i ];
+		if ( $prng->chance( 50 ) ) {
+			$byte = ctype_lower( $byte ) ? ascii_strtoupper( $byte ) : ascii_strtolower( $byte );
+		}
+		$out .= $byte;
+	}
+	return $out;
+}
+
+/**
+ * Splits a valid UTF-8 string into codepoints.
+ *
+ * @return array<int, array{0: string, 1: int}> Pairs of ( utf8 bytes, codepoint value ).
+ */
+function utf8_codepoints( string $input ): array {
+	$out = array();
+	$len = strlen( $input );
+	$i   = 0;
+	while ( $i < $len ) {
+		$byte = ord( $input[ $i ] );
+		if ( $byte < 0x80 ) {
+			$size = 1;
+			$cp   = $byte;
+		} elseif ( 0xC0 === ( $byte & 0xE0 ) ) {
+			$size = 2;
+			$cp   = $byte & 0x1F;
+		} elseif ( 0xE0 === ( $byte & 0xF0 ) ) {
+			$size = 3;
+			$cp   = $byte & 0x0F;
+		} else {
+			$size = 4;
+			$cp   = $byte & 0x07;
+		}
+		$size = min( $size, $len - $i );
+		for ( $j = 1; $j < $size; $j++ ) {
+			$cp = ( $cp << 6 ) | ( ord( $input[ $i + $j ] ) & 0x3F );
+		}
+		$out[] = array( substr( $input, $i, $size ), $cp );
+		$i    += $size;
+	}
+	return $out;
+}
diff --git a/tools/css-selector-fuzz/lib/wp-stubs.php b/tools/css-selector-fuzz/lib/wp-stubs.php
new file mode 100644
index 0000000000000..ec9b154ee58d6
--- /dev/null
+++ b/tools/css-selector-fuzz/lib/wp-stubs.php
@@ -0,0 +1,62 @@
+<?php
+/**
+ * Minimal WordPress function stubs so the HTML API can run standalone.
+ *
+ * `_doing_it_wrong` calls are recorded so the fuzzer can assert exactly
+ * when the selector API reports unsupported/invalid input.
+ */
+
+$GLOBALS['css_selector_fuzz_doing_it_wrong'] = array();
+
+if ( ! function_exists( '__' ) ) {
+	function __( $text, $domain = 'default' ) {
+		return $text;
+	}
+}
+
+if ( ! function_exists( '_doing_it_wrong' ) ) {
+	function _doing_it_wrong( $function_name, $message, $version ) {
+		$GLOBALS['css_selector_fuzz_doing_it_wrong'][] = array(
+			'function' => (string) $function_name,
+			'message'  => (string) $message,
+		);
+	}
+}
+
+if ( ! function_exists( '_deprecated_argument' ) ) {
+	function _deprecated_argument( $function_name, $version, $message = '' ) {
+	}
+}
+
+if ( ! function_exists( 'wp_trigger_error' ) ) {
+	function wp_trigger_error( $function_name, $message, $error_level = E_USER_NOTICE ) {
+		$GLOBALS['css_selector_fuzz_doing_it_wrong'][] = array(
+			'function' => (string) $function_name,
+			'message'  => (string) $message,
+		);
+	}
+}
+
+if ( ! function_exists( 'wp_kses_uri_attributes' ) ) {
+	function wp_kses_uri_attributes() {
+		return array(
+			'action',
+			'archive',
+			'background',
+			'cite',
+			'classid',
+			'codebase',
+			'data',
+			'formaction',
+			'href',
+			'icon',
+			'longdesc',
+			'manifest',
+			'poster',
+			'profile',
+			'src',
+			'usemap',
+			'xmlns',
+		);
+	}
+}
diff --git a/tools/css-selector-fuzz/minimize.php b/tools/css-selector-fuzz/minimize.php
new file mode 100644
index 0000000000000..c7fe1f1cb3dda
--- /dev/null
+++ b/tools/css-selector-fuzz/minimize.php
@@ -0,0 +1,268 @@
+#!/usr/bin/env php
+<?php
+/**
+ * Delta-debugging minimizer for CSS-selector fuzz failures.
+ *
+ * Given a failing case — by seed, or by explicit selector/html — shrinks
+ * BOTH the selector string and the HTML document to a minimal pair that
+ * still reproduces a chosen failure signature, then prints the reproducer.
+ *
+ * The minimizer drives Worker::run_pair, which checks only self-contained
+ * invariants (computable from the pair alone), so it needs no generator
+ * intent. --seed faithfully minimizes only seeds whose failure is
+ * self-contained; the generator-side invariants (ast-mismatch,
+ * parse-expectation, path-expectation, model-desync) are invisible to
+ * run_pair, so a seed whose failure is only those is refused by default
+ * (each of the three known bugs DOES also surface a self-contained
+ * signature — Bug 1 -> metamorphic-ast, Bug 2 -> match-mismatch-html,
+ * Bug 3 -> metamorphic-parse — reachable via --signature).
+ *
+ * Usage:
+ *   php tools/css-selector-fuzz/minimize.php --seed 1234 [--signature SUBSTR]
+ *   php tools/css-selector-fuzz/minimize.php --selector 'sel' --html '<…>' [--signature SUBSTR]
+ *
+ * Options:
+ *   --signature SUBSTR  Target a signature whose id or invariant contains
+ *                       SUBSTR. For --seed, also the way to opt into a
+ *                       related self-contained signature when the seed's own
+ *                       failure is generator-side (printed as a retarget).
+ *   --max-attempts N    Cap test evaluations (default 4000).
+ *   --json              Emit the reproducer as JSON.
+ */
+
+require_once __DIR__ . '/lib/autoload.php';
+
+use CssSelectorFuzz\Worker;
+use function CssSelectorFuzz\json_encode_safe;
+use function CssSelectorFuzz\option_bool;
+use function CssSelectorFuzz\option_int;
+use function CssSelectorFuzz\option_string;
+use function CssSelectorFuzz\parse_cli_options;
+use function CssSelectorFuzz\printable_bytes;
+
+$options      = parse_cli_options( $argv );
+$max_attempts = option_int( $options, 'max-attempts', 20000 );
+$sig_filter   = option_string( $options, 'signature', null );
+
+/*
+ * In --seed mode, the seed's OWN failures ( from run_case ) are the source
+ * of truth. The minimizer can only preserve "self-contained" signatures
+ * ( those run_pair re-checks without the generator's intended AST ); the
+ * generator-side ones ( ast-mismatch, parse-expectation, path-expectation,
+ * model-desync ) are invisible to run_pair. Targeting must therefore be
+ * restricted to the intersection of the seed's failures and run_pair's
+ * view — otherwise the minimizer could silently retarget to an unrelated
+ * incidental signature and report a false "reproduced".
+ */
+$seed            = option_int( $options, 'seed', -1 );
+$seed_signatures = null;
+if ( $seed >= 0 ) {
+	$case            = Worker::run_case( $seed );
+	$selector        = $case['selector'];
+	$html            = $case['html'];
+	$seed_signatures = $case['signatures'];
+	if ( array() === $seed_signatures ) {
+		fwrite( STDERR, "Seed {$seed} produced no failure; nothing to minimize.\n" );
+		exit( 1 );
+	}
+} else {
+	$selector = option_string( $options, 'selector', null );
+	$html     = option_string( $options, 'html', null );
+	if ( null === $selector || null === $html ) {
+		fwrite( STDERR, "Provide --seed N, or both --selector and --html.\n" );
+		exit( 1 );
+	}
+}
+
+/** Signatures produced by a pair ( $target lets run_pair short-circuit ). */
+$signatures_of = static function ( string $selector, string $html, ?string $target = null ): array {
+	return Worker::run_pair( $selector, $html, $target )['signatures'];
+};
+
+$baseline = $signatures_of( $selector, $html );
+if ( array() === $baseline ) {
+	fwrite( STDERR, "The starting pair does not reproduce any self-contained failure.\n" );
+	if ( null !== $seed_signatures ) {
+		fwrite( STDERR, 'Seed failure(s): ' . implode( ', ', $seed_signatures ) . "\n" );
+		fwrite( STDERR, "These are generator-side signatures the minimizer cannot reproduce from the\n" );
+		fwrite( STDERR, "pair alone. Minimize a seed whose failure is self-contained, or pass\n" );
+		fwrite( STDERR, "--selector/--html directly.\n" );
+	}
+	fwrite( STDERR, 'selector: ' . printable_bytes( $selector ) . "\n" );
+	exit( 1 );
+}
+
+/*
+ * Candidate targets are matched at the INVARIANT level, not the exact
+ * signature hash: a signature embeds transform-specific detail ( e.g.
+ * metamorphic-parse via `rerender` vs via `dup-branch` ), and run_pair's
+ * fixed metamorphic draws may expose the same invariant through a
+ * different transform than run_case did. Same invariant == same bug class,
+ * so that is faithful. A DIFFERENT invariant ( e.g. the seed's generator-
+ * side ast-mismatch vs an incidental self-contained metamorphic-ast ) is a
+ * genuine retarget and must be opted into.
+ */
+$invariant_of = static function ( string $signature ): string {
+	$pos = strrpos( $signature, ':' );
+	return false === $pos ? $signature : substr( $signature, $pos + 1 );
+};
+
+$retargeted = false;
+if ( null === $seed_signatures ) {
+	$candidates = $baseline;
+} else {
+	$seed_invariants = array_map( $invariant_of, $seed_signatures );
+	$candidates      = array();
+	foreach ( $baseline as $signature ) {
+		if ( in_array( $invariant_of( $signature ), $seed_invariants, true ) ) {
+			$candidates[] = $signature;
+		}
+	}
+}
+
+if ( array() === $candidates ) {
+	// The seed's failures are all generator-side ( no self-contained
+	// invariant in common ); refuse to silently minimize an unrelated
+	// incidental signature.
+	fwrite( STDERR, "Seed {$seed}'s failures are not self-contained, so the minimizer cannot\n" );
+	fwrite( STDERR, "faithfully reproduce them.\n" );
+	fwrite( STDERR, 'Seed failure(s):       ' . implode( ', ', $seed_signatures ) . "\n" );
+	fwrite( STDERR, 'Self-contained nearby: ' . implode( ', ', $baseline ) . "\n" );
+	fwrite( STDERR, "Re-run with --signature <id> to minimize one of the nearby signatures\n" );
+	fwrite( STDERR, "explicitly ( understanding it is a related, not identical, failure ).\n" );
+	if ( null === $sig_filter ) {
+		exit( 1 );
+	}
+	// User explicitly opted into a nearby signature.
+	$candidates = $baseline;
+	$retargeted = true;
+}
+
+// Pick the target signature from the eligible candidates.
+$target = $candidates[0];
+if ( null !== $sig_filter ) {
+	foreach ( $candidates as $candidate ) {
+		if ( false !== strpos( $candidate, $sig_filter ) ) {
+			$target = $candidate;
+			break;
+		}
+	}
+}
+
+$attempts = 0;
+$reproduces = static function ( string $selector, string $html ) use ( $signatures_of, $target, &$attempts, $max_attempts ): bool {
+	if ( $attempts >= $max_attempts ) {
+		return false;
+	}
+	++$attempts;
+	return in_array( $target, $signatures_of( $selector, $html, $target ), true );
+};
+
+/**
+ * Delta-debugging shrink of one byte string: ddmin chunk removal followed
+ * by per-position single-byte simplification. $test( candidate ) decides
+ * whether a candidate still reproduces.
+ */
+$shrink = static function ( string $current, callable $test ) use ( &$attempts, $max_attempts ): string {
+	$chunks = 2;
+	while ( strlen( $current ) > 0 && $attempts < $max_attempts ) {
+		$length     = strlen( $current );
+		$chunk_size = (int) ceil( $length / $chunks );
+		$changed    = false;
+
+		for ( $offset = 0; $offset < $length && $attempts < $max_attempts; $offset += $chunk_size ) {
+			$candidate = substr( $current, 0, $offset ) . substr( $current, min( $length, $offset + $chunk_size ) );
+			if ( $candidate === $current ) {
+				continue;
+			}
+			if ( $test( $candidate ) ) {
+				$current = $candidate;
+				$chunks  = max( 2, $chunks - 1 );
+				$changed = true;
+				break;
+			}
+		}
+
+		if ( ! $changed ) {
+			if ( $chunks >= $length ) {
+				break;
+			}
+			$chunks = min( $length, $chunks * 2 );
+		}
+	}
+
+	// Per-byte canonicalization: replace each byte with a simpler stand-in.
+	$replacements = array( 'a', ' ', '' );
+	for ( $i = 0; $i < strlen( $current ) && $attempts < $max_attempts; $i++ ) {
+		foreach ( $replacements as $replacement ) {
+			$candidate = substr( $current, 0, $i ) . $replacement . substr( $current, $i + 1 );
+			if ( $candidate === $current ) {
+				continue;
+			}
+			if ( $test( $candidate ) ) {
+				$current = $candidate;
+				$i       = max( -1, $i - 2 );
+				break;
+			}
+		}
+	}
+
+	return $current;
+};
+
+// Alternate shrinking the HTML and the selector until neither moves.
+// HTML first: when the signature is selector-only (e.g. metamorphic-parse)
+// the document collapses cheaply before the costlier selector pass.
+$prev = null;
+while ( $attempts < $max_attempts && ( $selector . "\0" . $html ) !== $prev ) {
+	$prev = $selector . "\0" . $html;
+
+	$html = $shrink(
+		$html,
+		static function ( string $candidate ) use ( $reproduces, &$selector ): bool {
+			return $reproduces( $selector, $candidate );
+		}
+	);
+	$selector = $shrink(
+		$selector,
+		static function ( string $candidate ) use ( $reproduces, &$html ): bool {
+			return $reproduces( $candidate, $html );
+		}
+	);
+}
+
+$final = $signatures_of( $selector, $html );
+$ok    = in_array( $target, $final, true );
+
+if ( option_bool( $options, 'json', false ) ) {
+	echo json_encode_safe(
+		array(
+			'target'        => $target,
+			'retargeted'    => $retargeted,
+			'seedSignatures' => $seed_signatures,
+			'reproduced'    => $ok,
+			'attempts'      => $attempts,
+			'selector'      => printable_bytes( $selector ),
+			'selectorBytes' => strlen( $selector ),
+			'html'          => printable_bytes( $html ),
+			'htmlBytes'     => strlen( $html ),
+			'selectorBase64' => base64_encode( $selector ),
+			'htmlBase64'     => base64_encode( $html ),
+		)
+	) . "\n";
+	exit( $ok ? 0 : 2 );
+}
+
+echo "target:    {$target}\n";
+if ( $retargeted ) {
+	echo 'NOTE:      seed failure(s) ' . implode( ', ', $seed_signatures ) . " are generator-side;\n";
+	echo "           minimized the related self-contained signature above instead.\n";
+}
+echo 'reproduced: ' . ( $ok ? 'yes' : 'NO' ) . "\n";
+echo "attempts:  {$attempts}\n";
+echo 'selector:  ' . printable_bytes( $selector ) . ' (' . strlen( $selector ) . " bytes)\n";
+echo 'html:      ' . printable_bytes( $html ) . ' (' . strlen( $html ) . " bytes)\n";
+echo "\nreplay:\n";
+echo '  php tools/css-selector-fuzz/replay.php --selector ' . escapeshellarg( $selector )
+	. ' --html ' . escapeshellarg( $html ) . "\n";
+exit( $ok ? 0 : 2 );
diff --git a/tools/css-selector-fuzz/replay.php b/tools/css-selector-fuzz/replay.php
new file mode 100644
index 0000000000000..38ffb8a43678e
--- /dev/null
+++ b/tools/css-selector-fuzz/replay.php
@@ -0,0 +1,91 @@
+#!/usr/bin/env php
+<?php
+/**
+ * Replays a single fuzz case by seed, with a full human-readable dump.
+ *
+ * Generation is fully deterministic from the seed, so a seed from a
+ * failures.ndjson record is all that's needed to reproduce a case.
+ *
+ * Usage:
+ *   php tools/css-selector-fuzz/replay.php --seed 42 [--json] [--show-html]
+ *   php tools/css-selector-fuzz/replay.php --selector '.foo > bar' [--html '<div>…</div>']
+ */
+
+require_once __DIR__ . '/lib/autoload.php';
+
+use CssSelectorFuzz\Bootstrap;
+use CssSelectorFuzz\Worker;
+use function CssSelectorFuzz\json_encode_safe;
+use function CssSelectorFuzz\option_bool;
+use function CssSelectorFuzz\option_int;
+use function CssSelectorFuzz\option_string;
+use function CssSelectorFuzz\parse_cli_options;
+use function CssSelectorFuzz\printable_bytes;
+
+$options = parse_cli_options( $argv );
+
+$probe_selector = option_string( $options, 'selector', null );
+if ( null !== $probe_selector ) {
+	// Quick probe mode: parse a selector and report what the API does with it.
+	Bootstrap::load();
+
+	$compound = \WP_CSS_Compound_Selector_List::from_selectors( $probe_selector );
+	$complex  = \WP_CSS_Complex_Selector_List::from_selectors( $probe_selector );
+
+	$report = array(
+		'selector'      => printable_bytes( $probe_selector ),
+		'compoundList'  => null === $compound ? null : \CssSelectorFuzz\AstExtractor::from_compound_list( $compound ),
+		'complexList'   => null === $complex ? null : \CssSelectorFuzz\AstExtractor::from_complex_list( $complex ),
+	);
+
+	$html = option_string( $options, 'html', null );
+	if ( null !== $html && null !== $complex ) {
+		$processor = \WP_HTML_Processor::create_full_parser( $html );
+		$matches   = array();
+		while ( $processor->select( $probe_selector ) ) {
+			$matches[] = array(
+				'tag'         => $processor->get_tag(),
+				'breadcrumbs' => $processor->get_breadcrumbs(),
+			);
+		}
+		$report['htmlProcessorMatches'] = $matches;
+	}
+
+	echo json_encode_safe( $report ) . "\n";
+	exit( 0 );
+}
+
+$seed = option_int( $options, 'seed', -1 );
+if ( $seed < 0 ) {
+	echo "Usage: php tools/css-selector-fuzz/replay.php --seed N [--json] [--show-html]\n";
+	echo "       php tools/css-selector-fuzz/replay.php --selector 'div > .cls' [--html '<div>…</div>']\n";
+	exit( 1 );
+}
+
+$result = Worker::run_case( $seed );
+
+if ( option_bool( $options, 'json', false ) ) {
+	echo json_encode_safe( $result ) . "\n";
+	exit( array() === $result['failures'] ? 0 : 2 );
+}
+
+echo "seed:     {$result['seed']}\n";
+echo "bucket:   {$result['bucket']}\n";
+echo 'selector: ' . printable_bytes( $result['selector'] ) . "\n";
+echo "digest:   {$result['digest']}\n";
+
+if ( option_bool( $options, 'show-html', false ) ) {
+	echo "html:     " . printable_bytes( $result['html'] ) . "\n";
+}
+
+if ( array() === $result['failures'] ) {
+	echo "failures: none\n";
+	exit( 0 );
+}
+
+echo 'failures: ' . count( $result['failures'] ) . "\n";
+foreach ( $result['failures'] as $i => $failure ) {
+	echo "--- failure {$i}: {$failure['invariant']} ---\n";
+	echo json_encode_safe( $failure['detail'] ) . "\n";
+}
+exit( 2 );
diff --git a/tools/css-selector-fuzz/runner.php b/tools/css-selector-fuzz/runner.php
new file mode 100644
index 0000000000000..414eb167a660e
--- /dev/null
+++ b/tools/css-selector-fuzz/runner.php
@@ -0,0 +1,337 @@
+#!/usr/bin/env php
+<?php
+/**
+ * CSS selector fuzzer runner.
+ *
+ * Spawns worker processes over chunks of the seed space so that fatal
+ * errors and hangs in the target code are isolated and attributed to a
+ * specific seed.
+ *
+ * Usage:
+ *   php tools/css-selector-fuzz/runner.php \
+ *       [--start-seed N] [--max-seeds N] [--duration-seconds N] \
+ *       [--chunk-size N] [--timeout-ms N] [--output-dir DIR] \
+ *       [--stop-on-failure]
+ *
+ * Artifacts ( kept intentionally small ):
+ *   OUTPUT_DIR/state.json       — run state and counters
+ *   OUTPUT_DIR/failures.ndjson  — one line per invariant failure
+ */
+
+require_once __DIR__ . '/lib/autoload.php';
+
+use function CssSelectorFuzz\append_ndjson;
+use function CssSelectorFuzz\ensure_dir;
+use function CssSelectorFuzz\git_metadata;
+use function CssSelectorFuzz\json_encode_safe;
+use function CssSelectorFuzz\option_bool;
+use function CssSelectorFuzz\option_int;
+use function CssSelectorFuzz\option_string;
+use function CssSelectorFuzz\parse_cli_options;
+use function CssSelectorFuzz\repo_root;
+use function CssSelectorFuzz\timestamp;
+use function CssSelectorFuzz\write_json_file;
+
+/**
+ * Runs a PHP child process with a wall-clock timeout.
+ *
+ * @return array{code: int|null, timedOut: bool, stdout: string, stderr: string, durationMs: int}
+ */
+function css_selector_fuzz_run_php( array $args, int $timeout_ms ): array {
+	$command = array_merge(
+		array( PHP_BINARY, '-d', 'error_reporting=E_ALL', '-d', 'display_errors=stderr', '-d', 'memory_limit=256M' ),
+		$args
+	);
+
+	$descriptors = array(
+		0 => array( 'pipe', 'r' ),
+		1 => array( 'pipe', 'w' ),
+		2 => array( 'pipe', 'w' ),
+	);
+
+	$started = microtime( true );
+	$proc    = proc_open( $command, $descriptors, $pipes, repo_root() );
+	if ( ! is_resource( $proc ) ) {
+		return array(
+			'code'       => null,
+			'timedOut'   => false,
+			'stdout'     => '',
+			'stderr'     => 'proc_open failed',
+			'durationMs' => 0,
+		);
+	}
+
+	fclose( $pipes[0] );
+	stream_set_blocking( $pipes[1], false );
+	stream_set_blocking( $pipes[2], false );
+
+	$stdout    = '';
+	$stderr    = '';
+	$timed_out = false;
+	$deadline  = $started + $timeout_ms / 1000;
+
+	while ( true ) {
+		$status  = proc_get_status( $proc );
+		$stdout .= (string) stream_get_contents( $pipes[1] );
+		$stderr .= (string) stream_get_contents( $pipes[2] );
+
+		if ( ! $status['running'] ) {
+			$code = $status['exitcode'];
+			break;
+		}
+		if ( microtime( true ) > $deadline ) {
+			$timed_out = true;
+			proc_terminate( $proc, 9 );
+			$code = null;
+			break;
+		}
+		usleep( 10000 );
+	}
+
+	$stdout .= (string) stream_get_contents( $pipes[1] );
+	$stderr .= (string) stream_get_contents( $pipes[2] );
+	fclose( $pipes[1] );
+	fclose( $pipes[2] );
+	proc_close( $proc );
+
+	return array(
+		'code'       => $code,
+		'timedOut'   => $timed_out,
+		'stdout'     => $stdout,
+		'stderr'     => $stderr,
+		'durationMs' => (int) round( 1000 * ( microtime( true ) - $started ) ),
+	);
+}
+
+/** Extracts the batch summary from worker stdout, or null. */
+function css_selector_fuzz_worker_summary( string $stdout ): ?array {
+	foreach ( array_reverse( explode( "\n", trim( $stdout ) ) ) as $line ) {
+		$decoded = json_decode( $line, true );
+		if ( is_array( $decoded ) && 'css-selector-fuzz-batch-summary' === ( $decoded['kind'] ?? null ) ) {
+			return $decoded;
+		}
+	}
+	return null;
+}
+
+/** Merges per-bucket/per-target match assertion counts. */
+function css_selector_fuzz_merge_match_stats( array &$target, array $source ): void {
+	foreach ( $source as $bucket => $targets ) {
+		foreach ( $targets as $match_target => $stats ) {
+			if ( ! isset( $target[ $bucket ][ $match_target ] ) ) {
+				$target[ $bucket ][ $match_target ] = array(
+					'assertions' => 0,
+					'nonVacuous' => 0,
+				);
+			}
+			$target[ $bucket ][ $match_target ]['assertions'] += (int) ( $stats['assertions'] ?? 0 );
+			$target[ $bucket ][ $match_target ]['nonVacuous'] += (int) ( $stats['nonVacuous'] ?? 0 );
+		}
+	}
+}
+
+/** Adds derived rates after all count aggregation is finished. */
+function css_selector_fuzz_finalize_match_stats( array $stats ): array {
+	foreach ( $stats as $bucket => $targets ) {
+		foreach ( $targets as $match_target => $counts ) {
+			$assertions  = (int) ( $counts['assertions'] ?? 0 );
+			$non_vacuous = (int) ( $counts['nonVacuous'] ?? 0 );
+			$vacuous     = max( 0, $assertions - $non_vacuous );
+
+			$stats[ $bucket ][ $match_target ]['vacuous']         = $vacuous;
+			$stats[ $bucket ][ $match_target ]['nonVacuousRate'] = $assertions > 0 ? round( $non_vacuous / $assertions, 4 ) : 0.0;
+			$stats[ $bucket ][ $match_target ]['vacuousRate']    = $assertions > 0 ? round( $vacuous / $assertions, 4 ) : 0.0;
+		}
+	}
+	return $stats;
+}
+
+function css_selector_fuzz_write_state( string $state_path, array $state ): void {
+	$state['matchStats'] = css_selector_fuzz_finalize_match_stats( $state['matchStats'] ?? array() );
+	write_json_file( $state_path, $state );
+}
+
+function css_selector_fuzz_state_for_output( array $state ): array {
+	$state['matchStats'] = css_selector_fuzz_finalize_match_stats( $state['matchStats'] ?? array() );
+	return $state;
+}
+
+$options = parse_cli_options( $argv );
+if ( option_bool( $options, 'help', false ) || option_bool( $options, 'h', false ) ) {
+	echo "Usage: php tools/css-selector-fuzz/runner.php [--start-seed N] [--max-seeds N] [--duration-seconds N] [--chunk-size N] [--timeout-ms N] [--output-dir DIR] [--stop-on-failure]\n";
+	exit( 0 );
+}
+
+$start_seed       = option_int( $options, 'start-seed', 1 );
+$max_seeds        = option_int( $options, 'max-seeds', 1000 );
+$duration_seconds = option_int( $options, 'duration-seconds', 120 );
+$chunk_size       = max( 1, option_int( $options, 'chunk-size', 200 ) );
+$timeout_ms       = option_int( $options, 'timeout-ms', 0 );
+$stop_on_failure  = option_bool( $options, 'stop-on-failure', false );
+$output_dir       = option_string( $options, 'output-dir', repo_root() . '/artifacts/css-selector-fuzz/run-' . timestamp() );
+
+if ( $max_seeds < 1 ) {
+	fwrite( STDERR, "--max-seeds must be at least 1; refusing to run unbounded.\n" );
+	exit( 1 );
+}
+if ( 0 === $timeout_ms ) {
+	// Generous per-chunk budget: ~50ms per case plus startup.
+	$timeout_ms = $chunk_size * 50 + 10000;
+}
+
+ensure_dir( $output_dir );
+$failures_path = $output_dir . '/failures.ndjson';
+$state_path    = $output_dir . '/state.json';
+$worker_script = __DIR__ . '/worker.php';
+
+$state = array(
+	'kind'             => 'css-selector-fuzz-runner-state',
+	'startedAt'        => gmdate( 'c' ),
+	'updatedAt'        => gmdate( 'c' ),
+	'git'              => git_metadata(),
+	'phpVersion'       => PHP_VERSION,
+	'outputDir'        => $output_dir,
+	'startSeed'        => $start_seed,
+	'maxSeeds'         => $max_seeds,
+	'durationSeconds'  => $duration_seconds,
+	'chunkSize'        => $chunk_size,
+	'casesCompleted'   => 0,
+	'failures'         => 0,
+	'crashes'          => 0,
+	'buckets'          => array(),
+	'signatures'       => array(),
+	'lexbor'           => array(),
+	'matchStats'       => array(),
+	'nextSeed'         => $start_seed,
+	'stopReason'       => null,
+);
+css_selector_fuzz_write_state( $state_path, $state );
+
+$deadline = $duration_seconds > 0 ? microtime( true ) + $duration_seconds : null;
+$seed     = $start_seed;
+$end_seed = $start_seed + $max_seeds;
+
+while ( $seed < $end_seed ) {
+	if ( null !== $deadline && microtime( true ) > $deadline ) {
+		$state['stopReason'] = 'duration-elapsed';
+		break;
+	}
+
+	$count = min( $chunk_size, $end_seed - $seed );
+	$args  = array(
+		$worker_script,
+		'--start-seed',
+		(string) $seed,
+		'--count',
+		(string) $count,
+		'--failures-out',
+		$failures_path,
+		'--progress-file',
+		$output_dir . '/progress.txt',
+	);
+
+	$proc    = css_selector_fuzz_run_php( $args, $timeout_ms );
+	$summary = css_selector_fuzz_worker_summary( $proc['stdout'] );
+
+	if ( null === $summary ) {
+		/*
+		 * The worker crashed, hung, or died fatally. Re-run each seed of the
+		 * chunk in its own process to attribute the crash.
+		 */
+		fwrite( STDERR, "chunk seed={$seed} count={$count}: worker crashed/hung; isolating…\n" );
+		for ( $isolated = $seed; $isolated < $seed + $count; $isolated++ ) {
+			$single = css_selector_fuzz_run_php(
+				array(
+					$worker_script,
+					'--start-seed',
+					(string) $isolated,
+					'--count',
+					'1',
+					'--failures-out',
+					$failures_path,
+					'--determinism-every',
+					'0',
+				),
+				max( 5000, (int) ( $timeout_ms / $count ) + 5000 )
+			);
+			$single_summary = css_selector_fuzz_worker_summary( $single['stdout'] );
+			if ( null === $single_summary ) {
+				++$state['crashes'];
+				++$state['failures'];
+				append_ndjson(
+					$failures_path,
+					array(
+						'kind'       => 'css-selector-fuzz-failure',
+						'seed'       => $isolated,
+						'invariant'  => $single['timedOut'] ? 'worker-timeout' : 'worker-crash',
+						'signature'  => $single['timedOut'] ? 'worker-timeout' : 'worker-crash',
+						'exitCode'   => $single['code'],
+						'stderrTail' => substr( $single['stderr'], -2000 ),
+					)
+				);
+				$key                         = $single['timedOut'] ? 'worker-timeout' : 'worker-crash';
+				$state['signatures'][ $key ] = ( $state['signatures'][ $key ] ?? 0 ) + 1;
+			} else {
+				++$state['casesCompleted'];
+				$state['failures'] += $single_summary['failures'];
+				foreach ( $single_summary['buckets'] as $bucket => $bucket_count ) {
+					$state['buckets'][ $bucket ] = ( $state['buckets'][ $bucket ] ?? 0 ) + $bucket_count;
+				}
+				foreach ( $single_summary['signatures'] as $signature => $signature_count ) {
+					$state['signatures'][ $signature ] = ( $state['signatures'][ $signature ] ?? 0 ) + $signature_count;
+				}
+				foreach ( $single_summary['lexbor'] ?? array() as $lexbor_state => $lexbor_count ) {
+					$state['lexbor'][ $lexbor_state ] = ( $state['lexbor'][ $lexbor_state ] ?? 0 ) + $lexbor_count;
+				}
+				css_selector_fuzz_merge_match_stats( $state['matchStats'], $single_summary['matchStats'] ?? array() );
+			}
+		}
+	} else {
+		$state['casesCompleted'] += array_sum( $summary['buckets'] );
+		$state['failures']       += $summary['failures'];
+		foreach ( $summary['buckets'] as $bucket => $bucket_count ) {
+			$state['buckets'][ $bucket ] = ( $state['buckets'][ $bucket ] ?? 0 ) + $bucket_count;
+		}
+		foreach ( $summary['signatures'] as $signature => $signature_count ) {
+			$state['signatures'][ $signature ] = ( $state['signatures'][ $signature ] ?? 0 ) + $signature_count;
+		}
+		foreach ( $summary['lexbor'] ?? array() as $lexbor_state => $lexbor_count ) {
+			$state['lexbor'][ $lexbor_state ] = ( $state['lexbor'][ $lexbor_state ] ?? 0 ) + $lexbor_count;
+		}
+		css_selector_fuzz_merge_match_stats( $state['matchStats'], $summary['matchStats'] ?? array() );
+	}
+
+	$seed             += $count;
+	$state['nextSeed'] = $seed;
+	$state['updatedAt'] = gmdate( 'c' );
+	css_selector_fuzz_write_state( $state_path, $state );
+
+	if ( $stop_on_failure && $state['failures'] > 0 ) {
+		$state['stopReason'] = 'stop-on-failure';
+		break;
+	}
+}
+
+if ( null === $state['stopReason'] ) {
+	$state['stopReason'] = 'max-seeds';
+}
+$state['updatedAt'] = gmdate( 'c' );
+css_selector_fuzz_write_state( $state_path, $state );
+
+/*
+ * The lexbor differential is the third oracle. If it ever ran ( 'compared' )
+ * it was built and live; any 'unavailable' or 'error' tally then means it
+ * was missing for some cases or died mid-run, so part of the run had only
+ * two oracles. Surface that loudly rather than letting a green run hide it.
+ */
+$lexbor       = $state['lexbor'];
+$lexbor_ran   = ( $lexbor['compared'] ?? 0 ) > 0;
+$lexbor_lost  = ( $lexbor['unavailable'] ?? 0 ) + ( $lexbor['error'] ?? 0 );
+if ( $lexbor_ran && $lexbor_lost > 0 ) {
+	fwrite( STDERR, "WARNING: lexbor third oracle was unavailable/errored for {$lexbor_lost} case(s); those ran with two oracles.\n" );
+} elseif ( ! $lexbor_ran ) {
+	fwrite( STDERR, "NOTE: lexbor third oracle never ran (harness not built?); run `sh tools/css-selector-fuzz/lexbor/build.sh` for the differential.\n" );
+}
+
+echo json_encode_safe( css_selector_fuzz_state_for_output( $state ) ) . "\n";
+exit( 0 === $state['failures'] ? 0 : 2 );
diff --git a/tools/css-selector-fuzz/tests/self-check.php b/tools/css-selector-fuzz/tests/self-check.php
new file mode 100644
index 0000000000000..9664367f1e300
--- /dev/null
+++ b/tools/css-selector-fuzz/tests/self-check.php
@@ -0,0 +1,368 @@
+#!/usr/bin/env php
+<?php
+/**
+ * Fuzzer self-check: fast, deterministic assertions over the fuzzer's own
+ * machinery (PRNG determinism, generator expectations, oracle agreement on
+ * known cases). Run after changing the fuzzer:
+ *
+ *     php tools/css-selector-fuzz/tests/self-check.php
+ */
+
+require_once dirname( __DIR__ ) . '/lib/autoload.php';
+
+use CssSelectorFuzz\Bootstrap;
+use CssSelectorFuzz\DocumentGenerator;
+use CssSelectorFuzz\Prng;
+use CssSelectorFuzz\SelectorGenerator;
+use CssSelectorFuzz\WildDocumentGenerator;
+use CssSelectorFuzz\Worker;
+use function CssSelectorFuzz\utf8_codepoints;
+
+$failures = 0;
+
+function check( bool $condition, string $message ): void {
+	global $failures;
+	if ( $condition ) {
+		return;
+	}
+	++$failures;
+	fwrite( STDERR, "FAIL: {$message}\n" );
+}
+
+function known_core_parse_mismatch( string $selector, bool $expected, bool $actual ): ?string {
+	if ( $expected === $actual || ! $expected || $actual ) {
+		return null;
+	}
+
+	if ( ! wp_is_valid_utf8( $selector ) ) {
+		return 'invalid-utf8-input-scrub';
+	}
+	if ( str_ends_with( $selector, '\\' ) ) {
+		return 'backslash-at-eof-escape';
+	}
+	if ( substr_count( $selector, '[' ) > substr_count( $selector, ']' ) ) {
+		return 'eof-auto-closes-attribute-selector';
+	}
+	if ( preg_match( '/\\[[^\\]]*=\\s*[-_a-zA-Z0-9]\\]$/', $selector ) ) {
+		return 'single-char-unquoted-attribute-value-at-eof';
+	}
+	if ( has_identity_escape_after_multibyte( $selector ) ) {
+		return 'identity-escape-after-multibyte';
+	}
+
+	return null;
+}
+
+function has_identity_escape_after_multibyte( string $selector ): bool {
+	$seen_multibyte = false;
+	$length         = strlen( $selector );
+	for ( $i = 0; $i < $length; $i++ ) {
+		$byte = ord( $selector[ $i ] );
+		if ( $byte > 0x7F ) {
+			$seen_multibyte = true;
+			continue;
+		}
+		if ( ! $seen_multibyte || '\\' !== $selector[ $i ] || $i + 1 >= $length ) {
+			continue;
+		}
+
+		$next = $selector[ $i + 1 ];
+		if ( "\n" === $next || "\r" === $next || "\f" === $next || ctype_xdigit( $next ) ) {
+			continue;
+		}
+		return true;
+	}
+	return false;
+}
+
+Bootstrap::load();
+
+// --- Prng determinism and independence -------------------------------------
+
+$a = new Prng( '42', 'label' );
+$b = new Prng( '42', 'label' );
+check( $a->bytes( 64 ) === $b->bytes( 64 ), 'Identical seeds produce identical streams.' );
+
+$c = new Prng( '42', 'label' );
+$d = new Prng( '43', 'label' );
+check( $c->bytes( 64 ) !== $d->bytes( 64 ), 'Different seeds produce different streams.' );
+
+$e     = new Prng( '42', 'fork-test' );
+$f     = new Prng( '42', 'fork-test' );
+$fork1 = $e->fork( 'x' );
+$fork2 = $f->fork( 'x' );
+check( $fork1->bytes( 32 ) === $fork2->bytes( 32 ), 'Forked streams are deterministic.' );
+
+// --- utf8_codepoints --------------------------------------------------------
+
+$points = utf8_codepoints( "a\u{E9}\u{1F600}" );
+check( 3 === count( $points ), 'utf8_codepoints splits into 3 codepoints.' );
+check( 0x61 === $points[0][1] && 0xE9 === $points[1][1] && 0x1F600 === $points[2][1], 'utf8_codepoints decodes values.' );
+
+// --- Document generator: model matches parse for many seeds ---------------
+// ( Worker::run_case checks this per case as model-desync; here only a couple
+//   of seeds are sampled for a fast signal. )
+
+for ( $seed = 1; $seed <= 3; $seed++ ) {
+	$document = DocumentGenerator::generate( new Prng( (string) $seed, 'self-check-doc' ) );
+	check( is_string( $document['html'] ) && '' !== $document['html'], "Document {$seed} renders." );
+	check( str_contains( $document['html'], 'data-fid' ) || false !== strpos( $document['html'], 'data-fid' ), "Document {$seed} has fids." );
+}
+
+// --- Selector generator expectations over many seeds -----------------------
+
+$by_bucket = array();
+$allowed_parse_mismatches = array();
+for ( $seed = 1; $seed <= 400; $seed++ ) {
+	$prng     = new Prng( (string) $seed, 'self-check-selector' );
+	$document = DocumentGenerator::generate( $prng->fork( 'doc' ) );
+	$selector = SelectorGenerator::generate( $prng->fork( 'sel' ), $document['pools'] );
+
+	$by_bucket[ $selector['bucket'] ] = ( $by_bucket[ $selector['bucket'] ] ?? 0 ) + 1;
+
+	$compound = WP_CSS_Compound_Selector_List::from_selectors( $selector['selector'] );
+	$complex  = WP_CSS_Complex_Selector_List::from_selectors( $selector['selector'] );
+
+	if ( null !== $selector['expectCompound'] ) {
+		$expected = $selector['expectCompound'];
+		$actual   = null !== $compound;
+		$known    = known_core_parse_mismatch( $selector['selector'], $expected, $actual );
+		if ( null !== $known ) {
+			$allowed_parse_mismatches[ "compound:{$known}" ] = ( $allowed_parse_mismatches[ "compound:{$known}" ] ?? 0 ) + 1;
+		} else {
+			check(
+				$expected === $actual,
+				"Seed {$seed} ({$selector['bucket']}): compound parse expectation for: " . \CssSelectorFuzz\printable_bytes( $selector['selector'] )
+			);
+		}
+	}
+	if ( null !== $selector['expectComplex'] ) {
+		$expected = $selector['expectComplex'];
+		$actual   = null !== $complex;
+		$known    = known_core_parse_mismatch( $selector['selector'], $expected, $actual );
+		if ( null !== $known ) {
+			$allowed_parse_mismatches[ "complex:{$known}" ] = ( $allowed_parse_mismatches[ "complex:{$known}" ] ?? 0 ) + 1;
+		} else {
+			check(
+				$expected === $actual,
+				"Seed {$seed} ({$selector['bucket']}): complex parse expectation for: " . \CssSelectorFuzz\printable_bytes( $selector['selector'] )
+			);
+		}
+	}
+}
+
+check( count( $by_bucket ) >= 5, 'Bucket variety: saw ' . count( $by_bucket ) . ' buckets.' );
+if ( array() !== $allowed_parse_mismatches ) {
+	fwrite( STDERR, 'Allowed known core parse bug signatures: ' . \CssSelectorFuzz\json_encode_safe( $allowed_parse_mismatches ) . "\n" );
+}
+
+// --- Document generator: randomized class NUL injection --------------------
+
+$safe_class_nul = 0;
+for ( $seed = 1; $seed <= 200; $seed++ ) {
+	$document = DocumentGenerator::generate( new Prng( (string) $seed, 'self-check-class-nul-safe' ) );
+	if ( false !== strpos( $document['html'], "\0" ) ) {
+		++$safe_class_nul;
+		check( false === str_contains( implode( "\n", $document['pools']['attrValues'] ), "\0" ), "Safe document {$seed}: class NUL does not leak into attrValues pool." );
+		check( \CssSelectorFuzz\ast_strings_are_utf8( $document['pools']['classes'] ), "Safe document {$seed}: class pool strings stay valid UTF-8." );
+		check( in_array( true, array_map( static function ( string $class ): bool {
+			return false !== strpos( $class, "\u{FFFD}" );
+		}, $document['pools']['classes'] ), true ), "Safe document {$seed}: class pool contains decoded U+FFFD token." );
+	}
+}
+check( $safe_class_nul > 0, "Safe document generator emits randomized class NUL values ({$safe_class_nul} of 200)." );
+
+$wild_class_nul = 0;
+for ( $seed = 1; $seed <= 200; $seed++ ) {
+	$document = WildDocumentGenerator::generate( new Prng( (string) $seed, 'self-check-class-nul-wild' ) );
+	if ( false !== strpos( $document['html'], "\0" ) ) {
+		++$wild_class_nul;
+		check( false === str_contains( implode( "\n", $document['pools']['attrValues'] ), "\0" ), "Wild document {$seed}: class NUL does not leak into attrValues pool." );
+		check( \CssSelectorFuzz\ast_strings_are_utf8( $document['pools']['classes'] ), "Wild document {$seed}: class pool strings stay valid UTF-8." );
+		check( in_array( true, array_map( static function ( string $class ): bool {
+			return false !== strpos( $class, "\u{FFFD}" );
+		}, $document['pools']['classes'] ), true ), "Wild document {$seed}: class pool contains decoded U+FFFD token." );
+	}
+}
+check( $wild_class_nul > 0, "Wild document generator emits randomized class NUL values ({$wild_class_nul} of 200)." );
+
+// --- Invalid-UTF-8 bucket: post-scrub AST expectations by construction ------
+// from_selectors() replaces each maximal subpart of an ill-formed UTF-8
+// sequence with one U+FFFD before parsing ( CSS Syntax §3.2 via the WHATWG
+// decoder ). The bucket injects raw ill-formed sequences and carries the
+// post-scrub AST, with the per-class subpart counts hard-coded in the
+// generator — independent of wp_scrub_utf8(), so this loop is a real
+// differential between the generator's WHATWG expectations and the core
+// scrub + parse pipeline.
+
+$fffd_ast_counts = array();
+$injection_sites = array();
+$byte_classes    = array();
+
+// The class names AND byte values are duplicated here on purpose: tallying
+// from the generator's own table would silently shrink the assertion with a
+// deleted entry and self-validate on a drifted byte value.
+$expected_byte_classes = array(
+	'lone-continuation' => "\x80",
+	'truncated-2-byte'  => "\xC3",
+	'truncated-3-byte'  => "\xE2\x8C",
+	'truncated-4-byte'  => "\xF0\x9F\x82",
+	'invalid-lead-f5'   => "\xF5",
+	'invalid-lead-ff'   => "\xFF",
+	'overlong-min'      => "\xC0\x80",
+	'overlong-max'      => "\xC1\xBF",
+	'surrogate-half'    => "\xED\xA0\x80",
+	'beyond-max'        => "\xF4\x90\x80\x80",
+);
+
+$count_fffd = static function ( $node ) use ( &$count_fffd ): int {
+	if ( is_string( $node ) ) {
+		return substr_count( $node, "\u{FFFD}" );
+	}
+	$total = 0;
+	if ( is_array( $node ) ) {
+		foreach ( $node as $child ) {
+			$total += $count_fffd( $child );
+		}
+	}
+	return $total;
+};
+
+for ( $seed = 1; $seed <= 150; $seed++ ) {
+	$prng      = new Prng( (string) $seed, 'self-check-invalid-utf8' );
+	$document  = DocumentGenerator::generate( $prng->fork( 'doc' ) );
+	$case      = SelectorGenerator::generate( $prng->fork( 'sel' ), $document['pools'], null, 'invalid-utf8' );
+	$printable = \CssSelectorFuzz\printable_bytes( $case['selector'] );
+
+	check( 'invalid-utf8' === $case['bucket'], "Seed {$seed}: forced invalid-utf8 bucket, got {$case['bucket']}." );
+	check( ! wp_is_valid_utf8( $case['selector'] ), "Seed {$seed}: selector must contain invalid UTF-8: {$printable}" );
+	check( true === $case['expectCompound'] && true === $case['expectComplex'], "Seed {$seed}: invalid-utf8 cases must expect to parse in both grammars." );
+	check( is_array( $case['ast'] ) && \CssSelectorFuzz\ast_strings_are_utf8( $case['ast'] ), "Seed {$seed}: expected AST must be valid UTF-8." );
+
+	$compound = WP_CSS_Compound_Selector_List::from_selectors( $case['selector'] );
+	$complex  = WP_CSS_Complex_Selector_List::from_selectors( $case['selector'] );
+	check( null !== $compound, "Seed {$seed}: compound parse after scrub for: {$printable}" );
+	check( null !== $complex, "Seed {$seed}: complex parse after scrub for: {$printable}" );
+	if ( null === $complex || ! is_array( $case['ast'] ) ) {
+		continue;
+	}
+
+	$parsed_ast = \CssSelectorFuzz\AstExtractor::from_complex_list( $complex );
+	check( $case['ast'] === $parsed_ast, "Seed {$seed}: parsed AST equals maximal-subpart scrub expectation for: {$printable}" );
+
+	$fffd_ast_counts[ $count_fffd( $case['ast'] ) ] = true;
+	foreach ( (array) $case['ast'][0]['self']['subs'] as $sub ) {
+		$injection_sites[ 'attr' === $sub['kind'] && null !== $sub['matcher'] ? 'attr-value' : $sub['kind'] ] = true;
+	}
+	foreach ( $expected_byte_classes as $class_name => $class_bytes ) {
+		// Substring attribution is ambiguous only for lone-continuation,
+		// whose byte occurs inside three longer classes — good enough for
+		// an at-least-once variety tally.
+		if ( str_contains( $case['selector'], $class_bytes ) ) {
+			$byte_classes[ $class_name ] = true;
+		}
+	}
+}
+
+foreach ( array( 1, 2, 3, 4 ) as $expected_count ) {
+	check( isset( $fffd_ast_counts[ $expected_count ] ), "Invalid-utf8 variety: a {$expected_count}-subpart byte class was generated." );
+}
+foreach ( array( 'class', 'id', 'attr', 'attr-value' ) as $site ) {
+	check( isset( $injection_sites[ $site ] ), "Invalid-utf8 variety: injection site {$site} was generated." );
+}
+foreach ( array_keys( $expected_byte_classes ) as $class_name ) {
+	check( isset( $byte_classes[ $class_name ] ), "Invalid-utf8 variety: byte class {$class_name} was generated." );
+}
+
+// --- Mutated bucket: raw invalid-byte splicing -------------------------------
+// mutate() must be able to splice raw ill-formed UTF-8 into a selector at
+// arbitrary byte offsets; these cases carry no AST expectation and exercise
+// crash / scrub-notice / differential paths only. The marker bytes here can
+// appear in NO rendered selector (the pools' multibyte characters use other
+// lead bytes), so their presence proves the mutation operation fired.
+
+$mutated_with_invalid = 0;
+for ( $seed = 1; $seed <= 200; $seed++ ) {
+	$prng     = new Prng( (string) $seed, 'self-check-mutated-utf8' );
+	$document = DocumentGenerator::generate( $prng->fork( 'doc' ) );
+	$case     = SelectorGenerator::generate( $prng->fork( 'sel' ), $document['pools'], null, 'mutated' );
+	if ( false !== strpbrk( $case['selector'], "\xC0\xC1\xED\xF4\xF5\xFF" ) ) {
+		++$mutated_with_invalid;
+	}
+}
+check( $mutated_with_invalid >= 10, "Mutated bucket splices raw invalid bytes ({$mutated_with_invalid} of 200 seeds)." );
+
+// --- Known-answer matching cases -------------------------------------------
+
+$known_html = '<!DOCTYPE html><html data-fid="e0"><head data-fid="e1"></head><body data-fid="e2">'
+	. '<div data-fid="e3" class="a b"><span data-fid="e4" class="b" id="x" data-v="hello-world"></span></div>'
+	. '<section data-fid="e5"><div data-fid="e6"><em data-fid="e7" lang="en-US"></em></div></section>'
+	. '</body></html>';
+
+function select_fids( string $html, string $selector ): array {
+	$processor = WP_HTML_Processor::create_full_parser( $html );
+	$out       = array();
+	while ( $processor->select( $selector ) ) {
+		$out[] = $processor->get_attribute( 'data-fid' );
+	}
+	return $out;
+}
+
+check( array( 'e4' ) === select_fids( $known_html, '#x' ), 'Known: #x.' );
+check( array( 'e3', 'e4' ) === select_fids( $known_html, '.b' ), 'Known: .b.' );
+check( array( 'e4' ) === select_fids( $known_html, 'div > span.b' ), 'Known: div > span.b.' );
+check( array( 'e7' ) === select_fids( $known_html, 'section em' ), 'Known: section em.' );
+check( array() === select_fids( $known_html, 'section > em' ), 'Known: section > em matches nothing.' );
+check( array( 'e4' ) === select_fids( $known_html, '[data-v|="hello"]' ), 'Known: [data-v|=hello].' );
+check( array( 'e7' ) === select_fids( $known_html, '[lang^="en"]' ), 'Known: [lang^=en].' );
+
+// --- Class-value decode boundary (ReferenceMatcher vs WP class_list) --------
+// WP's class_list() folds NUL -> U+FFFD and treats FF as a separator; the
+// reference matcher reimplements tokenization independently. Pin both engines
+// against each other on these boundary inputs; randomized generator sampling
+// above verifies that the same NUL boundary is present in the hot path. Each
+// case also checks the reference matcher agrees with select() over a
+// TreeCapture of the same markup.
+
+function ref_fids( string $html, string $selector ): array {
+	$capture = \CssSelectorFuzz\TreeCapture::capture( $html );
+	$list    = WP_CSS_Complex_Selector_List::from_selectors( $selector );
+	if ( null !== $capture['error'] || null === $list ) {
+		return array( '(error)' );
+	}
+	$ast = \CssSelectorFuzz\AstExtractor::from_complex_list( $list );
+	return \CssSelectorFuzz\ReferenceMatcher::expected_html_matches_rows( $ast, $capture['htmlRows'], $capture['quirks'] );
+}
+
+$nul_html = "<!DOCTYPE html><i data-fid=\"n0\" class=\"foo\x00bar\"></i><b data-fid=\"n1\" class=\"x\x00\"></b>";
+$ff_html  = "<!DOCTYPE html><i data-fid=\"f0\" class=\"alpha\x0Cbeta\"></i>";
+
+$nul_cases = array(
+	array( "class NUL -> FFFD", $nul_html, ".foo\u{FFFD}bar", array( 'n0' ) ),
+	array( "class trailing NUL", $nul_html, ".x\u{FFFD}", array( 'n1' ) ),
+	array( "class raw NUL no-match", $nul_html, '.foobar', array() ),
+	array( "class FF separator (first)", $ff_html, '.alpha', array( 'f0' ) ),
+	array( "class FF separator (second)", $ff_html, '.beta', array( 'f0' ) ),
+);
+foreach ( $nul_cases as $case ) {
+	list( $label, $html, $selector, $expected ) = $case;
+	$wp  = select_fids( $html, $selector );
+	$ref = ref_fids( $html, $selector );
+	check( $expected === $wp, "Decode boundary ({$label}): select() == expected." );
+	check( $ref === $wp, "Decode boundary ({$label}): ReferenceMatcher == select()." );
+}
+
+// --- Worker end-to-end on a few seeds ---------------------------------------
+
+for ( $seed = 1; $seed <= 5; $seed++ ) {
+	$first  = Worker::run_case( $seed );
+	$second = Worker::run_case( $seed );
+	check( $first['digest'] === $second['digest'], "Seed {$seed}: case digest is deterministic." );
+}
+
+if ( 0 === $failures ) {
+	echo "self-check OK\n";
+	exit( 0 );
+}
+echo "self-check FAILED: {$failures} failure(s)\n";
+exit( 1 );
diff --git a/tools/css-selector-fuzz/worker.php b/tools/css-selector-fuzz/worker.php
new file mode 100644
index 0000000000000..bdcde442aa943
--- /dev/null
+++ b/tools/css-selector-fuzz/worker.php
@@ -0,0 +1,34 @@
+#!/usr/bin/env php
+<?php
+/**
+ * Runs a batch of fuzz cases in this process.
+ *
+ * Usage:
+ *   php tools/css-selector-fuzz/worker.php --start-seed 1 --count 500 \
+ *       [--failures-out FILE] [--progress-file FILE] \
+ *       [--determinism-every N] [--max-failures N]
+ *
+ * Prints a batch summary JSON line to stdout.
+ * Exit codes: 0 = clean, 2 = invariant failures found, 1 = fatal.
+ */
+
+require_once __DIR__ . '/lib/autoload.php';
+
+$options = \CssSelectorFuzz\parse_cli_options( $argv );
+
+try {
+	$summary = \CssSelectorFuzz\Worker::run_batch( $options );
+	echo \CssSelectorFuzz\json_encode_safe( $summary ) . "\n";
+	exit( 0 === $summary['failures'] ? 0 : 2 );
+} catch ( Throwable $e ) {
+	fwrite(
+		STDERR,
+		\CssSelectorFuzz\json_encode_safe(
+			array(
+				'kind'  => 'css-selector-fuzz-worker-fatal',
+				'error' => \CssSelectorFuzz\Worker::describe_throwable( $e ),
+			)
+		) . "\n"
+	);
+	exit( 1 );
+}