fix(windows): capture is not a no-window boundary; route flashing spawns through chokepoint (#53829)

Follow-up to #53791 addressing review feedback: the footgun checker treated
capture_output=/stdout=/stderr=/check_output as proof a subprocess can't pop a
Windows console. That invariant is false — stream redirection controls where a
child's output goes, not whether a console is allocated. From a console-less
parent (Desktop/Electron, pythonw.exe, detached gateway/cron) a console-subsystem
child still flashes a window even when fully captured.

- check-windows-footguns.py: capture/redirect/check_output is no longer a blanket
  safe-pass. Added _WINDOWS_FLASHING_PROGRAMS (git/gh/npm/node/python/uv/ffmpeg/
  docker/powershell/…); calls to those are flagged even when captured. Non-flashing
  programs keep the capture exemption (no 271-site noise). _subprocess_compat.run/
  popen calls are inherently safe (wrapper injects CREATE_NO_WINDOW).
- Routed the 35 genuine flashing git/gh/npm/uv/ffmpeg/docker spawns through the
  _subprocess_compat.run/popen chokepoint (Brooklyn's wrapper from #53810) — the
  durable fix, not per-site annotations. cmd.exe /c start stays # ok (intentional).
- Updated tests + CONTRIBUTING.md rule #17 to the corrected invariant.
This commit is contained in:
Teknium 2026-06-27 14:49:41 -07:00 committed by GitHub
parent 3ac96d3308
commit 2ecca1e7d3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 191 additions and 76 deletions

View file

@ -59,6 +59,7 @@ import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Any, Optional
from hermes_cli import _subprocess_compat
logger = logging.getLogger("hermes.coding_context")
@ -648,7 +649,7 @@ def _enabled_mcp_servers(config: Optional[dict[str, Any]]) -> list[str]:
def _git(cwd: Path, *args: str) -> str:
try:
out = subprocess.run(
out = _subprocess_compat.run(
["git", "-C", str(cwd), *args],
capture_output=True,
text=True,