# Regression & Fuzz Boundaries

> Maps the quality signals that make each project maintainable: tmux has shell regressions and fuzzers around command parsing, input, style, and formats; cmux has Swift unit and UI tests around sockets, browser panes, sessions, hooks, and app regressions.

- Repository: tmux/tmux-with-manaflow-ai-cmux
- GitHub: https://github.com/tmux/tmux
- Human wiki: https://grok-wiki.com/public/wiki/tmux-tmux-with-manaflow-ai-cmux-62db34dfaddc
- Complete Markdown: https://grok-wiki.com/public/wiki/tmux-tmux-with-manaflow-ai-cmux-62db34dfaddc/llms-full.txt

## Source Files

- `tmux-tmux:fuzz/input-fuzzer.c`
- `tmux-tmux:fuzz/cmd-parse-fuzzer.c`
- `tmux-tmux:regress/control-client-sanity.sh`
- `tmux-tmux:regress/input-keys.sh`
- `manaflow-ai-cmux:cmuxTests/TerminalControllerSocketSecurityTests.swift`
- `manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift`
- `manaflow-ai-cmux:cmuxTests/CLIGenericHookPersistenceTests.swift`
- `manaflow-ai-cmux:cmuxUITests/AutomationSocketUITests.swift`

---

<details>
<summary>Relevant source files</summary>
The following files were used as context for generating this wiki page:
- [tmux-tmux:fuzz/input-fuzzer.c](tmux-tmux/fuzz/input-fuzzer.c)
- [tmux-tmux:fuzz/cmd-parse-fuzzer.c](tmux-tmux/fuzz/cmd-parse-fuzzer.c)
- [tmux-tmux:fuzz/format-fuzzer.c](tmux-tmux/fuzz/format-fuzzer.c)
- [tmux-tmux:fuzz/style-fuzzer.c](tmux-tmux/fuzz/style-fuzzer.c)
- [tmux-tmux:Makefile.am](tmux-tmux/Makefile.am)
- [tmux-tmux:regress/control-client-sanity.sh](tmux-tmux/regress/control-client-sanity.sh)
- [tmux-tmux:regress/input-keys.sh](tmux-tmux/regress/input-keys.sh)
- [tmux-tmux:regress/format-strings.sh](tmux-tmux/regress/format-strings.sh)
- [tmux-tmux:regress/style-trim.sh](tmux-tmux/regress/style-trim.sh)
- [manaflow-ai-cmux:cmuxTests/TerminalControllerSocketSecurityTests.swift](manaflow-ai-cmux/cmuxTests/TerminalControllerSocketSecurityTests.swift)
- [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift](manaflow-ai-cmux/cmuxTests/BrowserPanelTests.swift)
- [manaflow-ai-cmux:cmuxTests/CLIGenericHookPersistenceTests.swift](manaflow-ai-cmux/cmuxTests/CLIGenericHookPersistenceTests.swift)
- [manaflow-ai-cmux:cmuxUITests/AutomationSocketUITests.swift](manaflow-ai-cmux/cmuxUITests/AutomationSocketUITests.swift)
- [manaflow-ai-cmux:cmux.xcodeproj/xcshareddata/xcschemes/cmux-ci.xcscheme](manaflow-ai-cmux/cmux.xcodeproj/xcshareddata/xcschemes/cmux-ci.xcscheme)
- [manaflow-ai-cmux:scripts/test-unit.sh](manaflow-ai-cmux/scripts/test-unit.sh)
</details>

# Regression & Fuzz Boundaries

This page compares how `tmux` and `cmux` keep risky behavior maintainable. `tmux` leans on small shell regressions plus fuzzers around parser-like surfaces: terminal input, command parsing, formats, and style strings. `cmux` leans on XCTest unit and UI coverage around app-facing state: sockets, browser panes, session restoration, hooks, and app regression behavior.

The useful contrast is not “which project has more tests.” It is where each project draws its quality boundary. `tmux` hardens compact C entry points and executable CLI behavior; `cmux` hardens macOS application contracts, socket control policy, UI lifecycle, and provider-neutral agent hook persistence.

## Boundary Map

| Project | Main quality signal | Boundary being protected | Why it fits |
|---|---|---|---|
| `tmux` | Shell regressions and libFuzzer binaries | CLI/server behavior, terminal input bytes, command parser, format and style parsers | Core behavior is mostly process, parser, and terminal-state driven. |
| `cmux` | Swift unit tests, UI tests, Xcode schemes, helper scripts | App socket modes, JSON-RPC command routing, browser/WebKit pane behavior, generic agent hook persistence | Core behavior crosses UI, app state, sockets, and external CLI agents. |

Sources: [tmux-tmux:Makefile.am:243-256](), [tmux-tmux:regress/control-client-sanity.sh:13-39](), [manaflow-ai-cmux:cmux.xcodeproj/xcshareddata/xcschemes/cmux-ci.xcscheme:13-27](), [manaflow-ai-cmux:scripts/test-unit.sh:6-21]()

```text
tmux quality boundary
  bytes / CLI commands
      -> parser or tmux server
      -> exact shell-visible output, layout, or no-crash invariant

cmux quality boundary
  app/UI/socket/hook event
      -> Swift controller, pane, workspace, or CLI hook
      -> XCTest assertion over policy, state, persistence, or UI socket behavior
```

## tmux: Fuzzers Guard Parser-Like Surfaces

The `tmux` fuzz boundary is deliberately narrow and direct. `Makefile.am` wires four fuzz targets when fuzzing is enabled: `input-fuzzer`, `cmd-parse-fuzzer`, `format-fuzzer`, and `style-fuzzer`. That list mirrors high-risk string/byte interpreters rather than broad end-to-end application flows.

Sources: [tmux-tmux:Makefile.am:243-256]()

### Terminal Input Bytes

`input-fuzzer.c` creates an 80x25 window and pane, attaches a bufferevent pair, feeds arbitrary input bytes into `input_parse_buffer`, drains the command queue, runs a nonblocking libevent loop, and asserts the window reference count returns to one. The invariant is less about a specific rendered result and more about “random terminal input should not corrupt lifecycle ownership or crash the parser path.”

Sources: [tmux-tmux:fuzz/input-fuzzer.c:23-63](), [tmux-tmux:fuzz/input-fuzzer.c:71-95]()

```c
/* tmux-tmux:fuzz/input-fuzzer.c */
if (size > FUZZER_MAXLEN)
    return 0;

w = window_create(PANE_WIDTH, PANE_HEIGHT, 0, 0);
wp = window_add_pane(w, NULL, 0, 0);
...
input_parse_buffer(wp, (u_char *)data, size);
while (cmdq_next(NULL) != 0)
    ;
...
assert(w->references == 1);
```

### Command Parsing

`cmd-parse-fuzzer.c` targets `cmd_parse_from_buffer` with quiet parsing. The file comment names the intended blast radius: yacc grammar and lexer, command lookup and validation, argument parsing, target resolution, and option lookup. The test frees successful command lists and parse errors, so the fuzzer also exercises cleanup paths for both accepted and rejected command buffers.

Sources: [tmux-tmux:fuzz/cmd-parse-fuzzer.c:17-26](), [tmux-tmux:fuzz/cmd-parse-fuzzer.c:35-59]()

### Formats And Styles

`format-fuzzer.c` null-terminates fuzz input, creates a `format_tree`, seeds realistic format variables such as `session_name`, `window_index`, `pane_id`, dimensions, and host, then calls `format_expand`. `style-fuzzer.c` similarly null-terminates input, initializes a style and grid cell, and calls `style_parse`. These are parser fuzzers with small fake worlds: enough context to enter real parsing logic, not enough to require a running tmux server.

Sources: [tmux-tmux:fuzz/format-fuzzer.c:17-24](), [tmux-tmux:fuzz/format-fuzzer.c:33-64](), [tmux-tmux:fuzz/style-fuzzer.c:17-23](), [tmux-tmux:fuzz/style-fuzzer.c:32-55]()

## tmux: Shell Regressions Encode Observable Contracts

The shell regression tests complement fuzzing by checking exact behavior that random input cannot define. `control-client-sanity.sh` launches tmux with a 200x200 server, drives a control client through pane/window mutations, then compares the final `pane_id` and `window_layout` output exactly. This protects the control-client/layout contract at the CLI boundary.

Sources: [tmux-tmux:regress/control-client-sanity.sh:13-39]()

`input-keys.sh` builds a raw `cat -tv` target and defines `assert_key`, which sends keys through tmux, captures pane output, and compares exact escape/control sequences. The table of assertions covers control keys, meta combinations, function keys, insert/delete, page keys, arrows, and keypad cases.

Sources: [tmux-tmux:regress/input-keys.sh:17-45](), [tmux-tmux:regress/input-keys.sh:47-80](), [tmux-tmux:regress/input-keys.sh:175-220]()

`format-strings.sh` checks user-visible `display-message -p` expansion behavior, including conditionals, escapes, comma handling, nested conditionals, and style fragments inside formats. `style-trim.sh` goes one step further by comparing both `display -p` values and captured terminal rendering after setting status formats with escaped style sequences.

Sources: [tmux-tmux:regress/format-strings.sh:11-24](), [tmux-tmux:regress/format-strings.sh:71-98](), [tmux-tmux:regress/format-strings.sh:139-157](), [tmux-tmux:regress/style-trim.sh:29-40](), [tmux-tmux:regress/style-trim.sh:42-88]()

## cmux: Swift Tests Guard Socket And App Policy

`cmux` uses Xcode test targets for both unit and UI tests: the CI scheme includes `cmuxTests.xctest` and `cmuxUITests.xctest`, while `scripts/test-unit.sh` runs the `cmux-unit` scheme through `xcodebuild`. This makes the regression boundary native to the macOS app/toolchain rather than a custom shell-only harness.

Sources: [manaflow-ai-cmux:cmux.xcodeproj/xcshareddata/xcschemes/cmux-ci.xcscheme:13-27](), [manaflow-ai-cmux:scripts/test-unit.sh:6-21]()

`TerminalControllerSocketSecurityTests.swift` covers several socket boundaries: filesystem permissions for different access modes, password-mode rejection of unauthenticated commands, focus-vs-non-focus command policy, JSON-RPC parameter validation, sensitive SSH configuration omission from remote status payloads, and remote PTY worker dispatch. The tests are written against `TerminalController.shared` and concrete socket paths, so they protect both policy and transport assumptions.

Sources: [manaflow-ai-cmux:cmuxTests/TerminalControllerSocketSecurityTests.swift:28-50](), [manaflow-ai-cmux:cmuxTests/TerminalControllerSocketSecurityTests.swift:52-75](), [manaflow-ai-cmux:cmuxTests/TerminalControllerSocketSecurityTests.swift:77-140](), [manaflow-ai-cmux:cmuxTests/TerminalControllerSocketSecurityTests.swift:143-176](), [manaflow-ai-cmux:cmuxTests/TerminalControllerSocketSecurityTests.swift:178-203](), [manaflow-ai-cmux:cmuxTests/TerminalControllerSocketSecurityTests.swift:205-241]()

`AutomationSocketUITests.swift` moves the same socket idea into launched-app behavior. It starts the app with mode-specific launch arguments and `CMUX_SOCKET_PATH`, verifies socket creation, deletion/recreation, disabled mode behavior, and uses a small Unix-domain socket client to send `ping` and expect `PONG`.

Sources: [manaflow-ai-cmux:cmuxUITests/AutomationSocketUITests.swift:20-35](), [manaflow-ai-cmux:cmuxUITests/AutomationSocketUITests.swift:37-59](), [manaflow-ai-cmux:cmuxUITests/AutomationSocketUITests.swift:61-81](), [manaflow-ai-cmux:cmuxUITests/AutomationSocketUITests.swift:106-119](), [manaflow-ai-cmux:cmuxUITests/AutomationSocketUITests.swift:184-242]()

## cmux: Browser And Pane Regressions Are Stateful

`BrowserPanelTests.swift` is broad because browser panes are stateful and AppKit/WebKit-heavy. The file includes tests for browser chrome colors, `showOpenFilePicker` bridge installation and cancellation, initial navigation preservation without rendering, profile isolation, address-bar focus requests, React grab/pasteback behavior, host view hit-testing, inspector resizing, portal lifecycle, and web view rehosting.

Sources: [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:56-88](), [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:91-211](), [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:214-228](), [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:270-364](), [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:365-557](), [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:557-890](), [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:2220-3226]()

This is a different regression shape from `tmux`. The target is not a parser accepting hostile bytes; it is a long-lived UI surface where regressions appear as stale navigation, wrong profile writes, stuck focus requests, lost pasteback targets, broken inspector dividers, or portal reparenting problems.

Sources: [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:272-317](), [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:319-364](), [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:375-532](), [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:1158-1350](), [manaflow-ai-cmux:cmuxTests/BrowserPanelTests.swift:2348-2507]()

## cmux: Hook Tests Preserve Provider-Neutral Session Restore

`CLIGenericHookPersistenceTests.swift` is the strongest BYOC/BYOK signal in the sampled tests. It defines generic hook scenarios across multiple agent names and executable locations. The expected persisted arguments keep portable launch configuration such as model, sandbox, permission, `--cwd`, or config-home paths, while initial prompts, resume identifiers, and secret API-key environment variables are excluded from the expected persisted environment.

Sources: [manaflow-ai-cmux:cmuxTests/CLIGenericHookPersistenceTests.swift:16-73](), [manaflow-ai-cmux:cmuxTests/CLIGenericHookPersistenceTests.swift:102-160](), [manaflow-ai-cmux:cmuxTests/CLIGenericHookPersistenceTests.swift:161-249]()

That boundary matters architecturally: the app can support different upstream agents without hard-coding a single model provider or assuming one hosted service. The regression contract is about safe, sanitized session restoration across command shapes and environment conventions.

Sources: [manaflow-ai-cmux:cmuxTests/CLIGenericHookPersistenceTests.swift:252-257](), [manaflow-ai-cmux:cmuxTests/CLIGenericHookPersistenceTests.swift:277-314](), [manaflow-ai-cmux:cmuxTests/CLIGenericHookPersistenceTests.swift:316-420]()

## Portable Lessons

| Lesson | From `tmux` | From `cmux` | Portable rule |
|---|---|---|---|
| Put fuzzers at grammar/byte boundaries | Input, command, format, and style fuzzers | Not the dominant pattern in sampled Swift tests | Fuzz compact interpreters where success is “no crash, no corrupted ownership.” |
| Put regressions at observable contracts | Exact layout, key, format, and render output | Exact socket responses, JSON-RPC errors, UI state | Use deterministic expected output where behavior is user-visible. |
| Keep fake worlds small | Fuzzers seed just enough options/window/format context | Unit tests build focused `TabManager`, `Workspace`, socket, or `BrowserPanel` state | Avoid full app boot unless the boundary requires it. |
| Stay provider-neutral | Not a central concern in sampled tmux tests | Generic hook persistence spans several agent command shapes and avoids persisting API keys | BYOC/BYOK support belongs in regression tests, not just design docs. |

Sources: [tmux-tmux:fuzz/cmd-parse-fuzzer.c:41-57](), [tmux-tmux:fuzz/format-fuzzer.c:49-61](), [tmux-tmux:regress/control-client-sanity.sh:34-39](), [manaflow-ai-cmux:cmuxTests/TerminalControllerSocketSecurityTests.swift:223-240](), [manaflow-ai-cmux:cmuxTests/CLIGenericHookPersistenceTests.swift:61-73](), [manaflow-ai-cmux:cmuxTests/CLIGenericHookPersistenceTests.swift:119-132]()

## Method Note

No `STRATEGY.md` or `docs/solutions/**` source was present in the prepared workspace, so this page uses repository code and test configuration as source of truth. The requested Compound Engineering profile was applied as portable page-shape guidance only; no installed local Compound Engineering skill source was executed or cited.

## Summary

`tmux` protects maintainability by separating random-input robustness from exact CLI regressions: fuzzers cover parser-like internals, while shell scripts pin observable server, key, format, and style behavior. `cmux` protects maintainability through Swift tests that encode application contracts around sockets, browser panes, session restore, hooks, and UI launch behavior. The shared pattern is boundary-first testing: choose the smallest harness that reaches the risky boundary, then assert the invariant that future maintainers must not break. Sources: [tmux-tmux:Makefile.am:243-256](), [tmux-tmux:regress/input-keys.sh:17-45](), [manaflow-ai-cmux:cmux.xcodeproj/xcshareddata/xcschemes/cmux-ci.xcscheme:13-27](), [manaflow-ai-cmux:cmuxUITests/AutomationSocketUITests.swift:37-59]()