@haskal Spotted the bug!
In get_cmd in the server:
crypto_lock first encrypts, putting the ciphertext into chan->data.exec_cmd, and then MACs the ciphertext. But exec_cmd is shared memory; you can exploit a race condition! If you (the client) modify exec_cmd after encryption but before the MAC gets computed, you'll get a good MAC of your modified ciphertext.
ChaCha is a stream cipher, so you can do
exec_cmd ^= (old_plaintext ^ "echo 'fuck drm'")
This was super fun! Thank you! :)
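The ordering bug the reply describes, modelled as a runnable toy (an added example, not the server's or the original poster's code): a SHA-256 counter-mode keystream stands in for ChaCha, HMAC-SHA256 for the MAC, and a `bytearray` plays the role of the shared `exec_cmd` buffer. The names `crypto_lock_vulnerable`, `crypto_lock_fixed`, `verify_and_open` and the constructed keys and commands are assumptions for illustration. It shows why encrypting in place into shared memory and then MACing that memory authenticates whatever the other side wrote in between, and why snapshotting into private memory before encrypt-and-MAC closes the window.

```python
"""Toy model of the crypto_lock race: encrypt into shared memory, then MAC it.

Added example, not the original server's code. SHA-256 counter mode stands in
for ChaCha (every stream cipher has the same XOR malleability) and HMAC-SHA256
for the MAC. The "shared memory" is a bytearray that both the server routine
and a simulated client write to.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream of SHA-256(key || nonce || counter) blocks (toy, not ChaCha)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; for a stream cipher both are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def mac(mac_key: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def crypto_lock_vulnerable(key, mac_key, nonce, shared: bytearray, race=None):
    """Encrypt in place into the shared buffer, THEN MAC the shared buffer.

    `race` models a client write that lands between the two steps (TOCTOU)."""
    shared[:] = stream_xor(key, nonce, bytes(shared))  # ciphertext now sits in shared memory
    if race is not None:
        race(shared)                                    # window: the client mutates exec_cmd here
    return bytes(shared), mac(mac_key, bytes(shared))   # MAC covers whatever is there now


def crypto_lock_fixed(key, mac_key, nonce, shared: bytearray, race=None):
    """Read shared memory once into a private copy; encrypt and MAC only that copy."""
    private = bytes(shared)                             # single snapshot of the shared buffer
    ciphertext = stream_xor(key, nonce, private)
    tag = mac(mac_key, ciphertext)
    shared[:] = ciphertext                              # publish for the reader, as the original does
    if race is not None:
        race(shared)                                    # a late client write cannot change what was MACed
    return ciphertext, tag                              # send the private values, not the shared buffer


def verify_and_open(key, mac_key, nonce, ciphertext, tag):
    """Receiver side: constant-time tag check, then decrypt. Returns None on a bad tag."""
    if not hmac.compare_digest(mac(mac_key, ciphertext), tag):
        return None
    return stream_xor(key, nonce, ciphertext)


def demo():
    # Constructed values; the two commands have equal length so a plain XOR flip suffices.
    key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * 12
    original, injected = b"uptime", b"whoami"

    def flip(shared: bytearray):
        # Client that knows its own submitted plaintext retargets the ciphertext with
        # ct ^= old ^ new, because ct = pt ^ keystream.
        for i, (o, n) in enumerate(zip(original, injected)):
            shared[i] ^= o ^ n

    # Vulnerable ordering: the MAC authenticates the flipped ciphertext, so it decrypts to `injected`.
    shared = bytearray(original)
    ct, tag = crypto_lock_vulnerable(key, mac_key, nonce, shared, race=flip)
    vulnerable_pt = verify_and_open(key, mac_key, nonce, ct, tag)

    # Fixed ordering: the tag covers the private copy. The private copy decrypts to `original`;
    # the shared buffer, flipped after the fact, no longer matches the tag.
    shared = bytearray(original)
    ct, tag = crypto_lock_fixed(key, mac_key, nonce, shared, race=flip)
    fixed_pt = verify_and_open(key, mac_key, nonce, ct, tag)
    tampered_pt = verify_and_open(key, mac_key, nonce, bytes(shared), tag)

    return {
        "vulnerable_plaintext": vulnerable_pt,
        "fixed_plaintext": fixed_pt,
        "fixed_tampered_plaintext": tampered_pt,
    }


if __name__ == "__main__":
    print(demo())
```

The defensive rule the toy illustrates: never encrypt-and-authenticate data in memory another principal can write to; copy it into memory only you control, do the whole encrypt-then-MAC on that copy, and transmit the copy rather than re-reading the shared buffer.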