From 78e213710ca484362216070f1d75c16f074ab374 Mon Sep 17 00:00:00 2001
From: MikeFac
Date: Tue, 7 Apr 2026 17:07:37 +1000
Subject: [PATCH] fix: guard against None tirith path in security scanner

When _resolve_tirith_path() returns None (e.g. install failed on unsupported platform or all resolution paths exhausted), the function passed None directly to subprocess.run(), causing a TypeError instead of respecting the fail_open config. Add a None check before the subprocess call that allows or blocks according to the configured fail_open policy, matching the existing error handling behavior for OSError and TimeoutExpired.
---
 tools/tirith_security.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/tirith_security.py b/tools/tirith_security.py
index 85281e27d..2d0ebf497 100644
--- a/tools/tirith_security.py
+++ b/tools/tirith_security.py
@@ -631,6 +631,12 @@ def check_command_security(command: str) -> dict:
 timeout = cfg["tirith_timeout"]
 fail_open = cfg["tirith_fail_open"]
 
+ if tirith_path is None:
+ logger.warning("tirith path resolved to None; scanning disabled")
+ if fail_open:
+ return {"action": "allow", "findings": [], "summary": "tirith path unavailable"}
+ return {"action": "block", "findings": [], "summary": "tirith path unavailable (fail-closed)"}
+
 try:
 result = subprocess.run(
 [tirith_path, "check", "--json", "--non-interactive",
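Review bot: The warning in the new `if tirith_path is None:` branch reads "scanning disabled" on both outcomes, so the log does not show whether the command was let through unscanned or blocked. Logging the decision would make fail-open passes visible to whoever monitors this scanner, for example `logger.warning("tirith path unavailable; %s (fail_open=%s)", "allowing command unscanned" if fail_open else "blocking command", fail_open)`. The fail-open return also carries `"findings": []`, which differs from a clean scan only in `summary`; callers are not visible in this hunk, so it is worth confirming that none of them treat an empty findings list as "scanned and clean". The assignment of `tirith_path` and the rest of `check_command_security` lie outside the hunk.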