From 138c4179e078736ae4b8da729fdf7b7fc5e3b1de Mon Sep 17 00:00:00 2001
From: "claude[bot]" <claude[bot]@users.noreply.github.com>
Date: Wed, 22 Apr 2026 12:30:10 +0000
Subject: [PATCH] fix(hooks): verify tmux socket exists before trusting TMUX
 env var
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

block-dev-server.js allowed dev server commands when process.env.TMUX
was set. However, TMUX is just an environment variable — any parent
process can set it without actually running inside tmux, which would
bypass the guard.

TMUX is set by tmux to the socket path (format: socket,pid,session).
We now verify the socket file exists with fs.existsSync() on the
first comma-delimited segment, confirming a real tmux server is
running rather than trusting the variable alone.

Co-Authored-By: Claude Code <noreply@anthropic.com>
---
 hooks/scripts/block-dev-server.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hooks/scripts/block-dev-server.js b/hooks/scripts/block-dev-server.js
index 8e77492..a3404b7 100644
--- a/hooks/scripts/block-dev-server.js
+++ b/hooks/scripts/block-dev-server.js
@@ -1,3 +1,5 @@
+const fs = require("fs");
+
 const input = JSON.parse(process.argv[2] || "{}");
 const command = (input.command || "").toLowerCase();
 
@@ -24,7 +26,8 @@ if (!isDevServer) {
   process.exit(0);
 }
 
-const inTmux = !!process.env.TMUX;
+const tmuxVal = process.env.TMUX || "";
+const inTmux = tmuxVal !== "" && fs.existsSync(tmuxVal.split(",")[0]);
 const inScreen = !!process.env.STY;
 
 if (!inTmux && !inScreen) {