Safety tiers¶

Dual-layer gating¶

1. FastMCP tag visibility: Tools are tagged with their tier. Only tags at or below the configured tier are enabled via mcp.enable(tags=..., only=True).

2. Safety middleware: A secondary middleware layer hides tools from listings and blocks execution with clear error messages if a tool above the tier is somehow invoked.

Tool tags¶

Every tool is tagged with exactly one safety tier:

• readonly readonly — Read-only operations that don’t modify tmux state

• mutating mutating — Operations that create, modify, or send input to tmux objects

• destructive destructive — Operations that destroy tmux objects (kill commands)

Fail-closed design¶

Tools without a recognized tier tag are denied by default. This prevents accidentally exposing new tools without explicit safety classification.

macOS TMUX_TMPDIR caveat¶

The self-kill guard resolves the target server’s socket path in three steps (_effective_socket_path in src/libtmux_mcp/_utils.py):

1. Use Server.socket_path if libtmux already has it.

2. Otherwise query the running server via display-message -p '#{socket_path}' — authoritative because tmux itself reports the path it is actually using, regardless of the MCP process environment. This closes the launchd-vs-interactive-shell gap on macOS where TMUX_TMPDIR commonly differs between contexts.

3. Fall back to reconstruction from TMUX_TMPDIR (or /tmp) + euid + socket name. Only reached when the target server is unreachable (not running), in which case no self-kill is possible anyway and _caller_is_on_server’s None-socket branch blocks conservatively.

The structural fix shipped in 0.1.x; setting TMUX_TMPDIR explicitly is no longer required for the guard to work, though it remains a useful diagnostic when investigating mismatched-path bug reports.

pipe_pane¶

pipe_pane mutating pipes a pane’s output to a shell command that the server runs. In practice this means the caller chooses an arbitrary path or pipeline on the server host. There is no allow-list. Assume it can create files anywhere the server process can write.

Mitigations:

• Run the server as an unprivileged user with a scoped home directory.

• Consider LIBTMUX_SAFETY=readonly for untrusted MCP clients.

• Audit log records (see below) capture the output_path argument so reviewers can spot unexpected destinations.

set_environment¶

set_environment mutating writes into tmux’s global, session, or window environment. Those values propagate into every shell tmux spawns afterwards. An agent that writes PATH, LD_PRELOAD, or AWS_* variables can influence every future command on that scope — including commands the user runs directly, not just commands the agent issues.

Mitigations:

• The audit log redacts the value argument to a {len, sha256_prefix} digest so log files don’t leak the secrets agents set, but operators should still treat the tool as high-privilege.

• If only a single command needs an env override, prefer having the agent invoke env VAR=value command via send_keys instead — the blast radius is one command, not every future child.

respawn_pane¶

respawn_pane mutating restarts a pane’s process while preserving the pane id and layout — exactly what an agent wants when a shell wedges. Default kill=True terminates the running process before relaunch. The pane_id and layout are preserved (the point of the tool), but any unsaved REPL state, ssh session, or in-flight job in that pane is lost. Repeated calls are not idempotent — each call kills a new process.

Unlike other mutating tools, the registration carries destructiveHint=True and idempotentHint=False (via the ANNOTATIONS_MUTATING_DESTRUCTIVE preset) so MCP clients see honest annotations even though the tier tag stays at mutating for default-profile recovery.

Mitigations:

• pane_id is required (no fallback to “first pane in session/window”). Agents that pass only session_name get an ExpectedToolError instead of an unintended kill — resolve via list_panes readonly first.

• Any shell argument is briefly visible in the OS process table and tmux’s pane_current_command metadata before the spawned shell takes over; the audit log redacts shell payloads (see below), but do not pass credentials directly even with redaction.

• The optional environment argument (dict[str, str]) maps to one tmux -e KEY=VALUE flag per item. The audit log redacts each value via a {len, sha256_prefix} digest while keeping the keys visible — env var names like DATABASE_URL are usually operator-debug-useful, but their values are the secret. The same OS-process-table caveat as shell applies: respawn-pane -e DB_PASSWORD=... may briefly appear in ps output before the spawned process inherits the env.

• The same self-pane guard that protects the destructive kill commands also refuses to respawn the pane running the MCP server.

send_keys / send_keys_batch / paste_text¶

These can execute anything the pane’s shell accepts. There is no payload validation. The audit log stores a digest of the content, not the content itself, so a secret typed via send_keys or send_keys_batch does not land in logs.