mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-25 00:51:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: guard against None tirith path in security scanner

Browse source 
When _resolve_tirith_path() returns None (e.g. install failed on
unsupported platform or all resolution paths exhausted), the function
passed None directly to subprocess.run(), causing a TypeError instead
of respecting the fail_open config.

Add a None check before the subprocess call that allows or blocks
according to the configured fail_open policy, matching the existing
error handling behavior for OSError and TimeoutExpired.
This commit is contained in:
MikeFac 2026-04-07 17:07:37 +10:00 committed by Teknium
parent 4f4fd21149
commit 78e213710c
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
tools/tirith_security.py
View file

@ -631,6 +631,12 @@ def check_command_security(command: str) -> dict:
timeout = cfg["tirith_timeout"]
fail_open = cfg["tirith_fail_open"]
if tirith_path is None:
logger.warning("tirith path resolved to None; scanning disabled")
if fail_open:
return {"action": "allow", "findings": [], "summary": "tirith path unavailable"}
return {"action": "block", "findings": [], "summary": "tirith path unavailable (fail-closed)"}
try:
result = subprocess.run(
[tirith_path, "check", "--json", "--non-interactive",