[codex] Validate form submitters

[samlaycock]

Summary

Fixes #69.

This updates encode(form, { submitter }) to validate the submitter before walking form controls, matching native FormData(form, submitter) behavior more closely.

Root Cause

submitter was only compared while handling submit buttons in the form element loop. That meant non-submit controls and submit buttons owned by a different form were never rejected up front, so encoding continued and returned normal entries.

Changes

• Reject non-submit controls passed as submitter with TypeError.
• Reject submit buttons not owned by the encoded form with a NotFoundError DOMException where available.
• Preserve valid submit button inclusion and assert it is emitted exactly once.
• Add a patch changeset.

Validation

• bun fmt
• bun lint:fix
• bun run test
• bun typecheck

[greptile-apps]

Greptile Summary

This PR adds upfront submitter validation to encode(form, { submitter }), bringing it in line with native FormData(form, submitter) behaviour. Previously, a non-submit control or a button owned by a different form would pass through silently; now both cases are rejected before the form element loop runs.

• Adds validateSubmitter() in src/encode.ts that throws TypeError for non-submit controls and a DOMException(\"NotFoundError\") (falling back to Error) for submit buttons not owned by the encoded form.
• Converts the affected tests to toEqual assertions (pinning entry order) and adds three new test cases covering each rejection path, including an instanceof DOMException / name === \"NotFoundError\" assertion for the ownership check.

Confidence Score: 5/5

Safe to merge — the new validation is a straightforward upfront guard with no changes to the encoding logic itself.

The implementation is correct: isSubmitButton already guarantees the element is an HTMLButtonElement or HTMLInputElement before the ownership check runs, error types match the spec, and the form-attribute edge case is handled correctly through element.form. No encoding paths were altered.

test/client.test.ts — the sentinel re-throw lives inside the same try block as the call under test.

Important Files Changed

Filename	Overview
src/encode.ts	Adds validateSubmitter() called upfront in encodeForm(); correctly throws TypeError for non-submit controls and DOMException("NotFoundError") for submit buttons not owned by the form.
test/client.test.ts	Adds tests for the three new rejection scenarios; "rejects submit buttons not owned by the form" uses a try/catch pattern with a sentinel re-throw that is caught by the same block, which can produce misleading assertion failures on regression.
.changeset/validate-form-submitter.md	Adds a patch changeset entry accurately describing the new submitter validation behaviour.

_{Reviews (2): Last reviewed commit: "test: assert cross-form submitter error" | Re-trigger Greptile}