tirith: repeated WARNING spam on every terminal command when binary is not installed (Windows)

[jerrydong1988]

Description

On Windows, the tirith security binary is not installed by default. However, security.tirith_enabled defaults to true, so every terminal command triggers a spawn attempt → OSError → WARNING log. With tirith_fail_open: true (the default), commands are still allowed, but the log is flooded:

WARNING tools.tirith_security: tirith spawn failed: [WinError 2] The system cannot find the file specified.

This repeats for every single terminal command, making it difficult to spot real warnings/errors in the log.

Environment

• Windows 11
• Hermes via pip install (no Rust toolchain for tirith)
• No tirith binary in PATH or installed separately

Expected Behavior

Either:

1. Auto-detect the absence of tirith on startup and set tirith_enabled = false (or log once, not per-command), OR
2. Suppress the per-command warning when tirith is persistently unavailable (cache the failure result), OR
3. Default tirith_enabled to false on Windows (or add Windows-specific skip logic in _initialize_dev)

Actual Behavior

Every terminal command logs a WARNING. On a session with 20+ terminal calls, the log has 20+ identical tirith warnings.

Root Cause

In tools/tirith_security.py:648-653:

except OSError as exc:
    logger.warning("tirith spawn failed: %s", exc)
    if fail_open:
        return {"action": "allow", ...}
    return {"action": "block", ...}

The spawn attempt happens unconditionally regardless of platform. Once the binary is found to be missing, the result should be cached so subsequent calls don't retry and re-log.

Workaround

Set tirith_enabled: false in config.yaml to disable tirith entirely on Windows.

[reefmind]

Closing as resolved by merged PR(s): #26618, #26718.

[teknium1]

This looks resolved on current main by the merged tirith Windows fixes. This is an automated hermes-sweeper review.

Evidence:

• tools/tirith_security.py:712 now skips tirith entirely on unsupported platforms before resolving or spawning the binary, so Windows no longer attempts tirith on every terminal command.
• tools/tirith_security.py:619 also makes startup/ensure logic silent on unsupported platforms: no PATH probe, no download thread, no failure marker.
• The remaining spawn-failure fallback uses warn-once dedupe via _warn_once() at tools/tirith_security.py:113 and the OSError handler at tools/tirith_security.py:740.
• Regression coverage at tests/tools/test_tirith_security.py:1199 verifies repeated [WinError 2]-style failures log exactly one tirith spawn failed warning across repeated checks while preserving fail-open allow behavior.
• The docs now state the intended Windows behavior at website/docs/user-guide/security.md:560: tirith is silently skipped on platforms without a prebuilt binary, while pattern-matching guards still run.
• The relevant commits are 4aec25bc4411edb4563292cadbd02c365c846286 and c5dc9700ebc8b890e349c0cc3e978d133395909b (#26718), matching the prior comment that linked fix(windows): stop spamming cwd-missing + tirith-spawn warnings on every terminal call #26618/fix(windows): silence tirith-unavailable CLI banner on platforms with no tirith build #26718.