fix(gateway): clear stale PID file from crashed gateway on startup (closes #13655)

[RhythrosaLabs]

Summary

Closes #13655

After a gateway process is killed with SIGKILL (or dies from OOM, systemd stop-timeout, etc.) the handler never fires and is left on disk containing the dead process's PID. On the next startup this stale file causes an unrecoverable restart loop.

Root Cause

The call chain on startup was:

get_running_pid()
  → os.kill(dead_pid, 0)          # ProcessLookupError — process is gone
  → _cleanup_invalid_pid_path()
      → remove_pid_file()          # BUG: checks file_pid != os.getpid()
                                   #      dead_pid ≠ new_pid → does nothing
  → returns None

write_pid_file()                   # O_CREAT | O_EXCL
  → FileExistsError                # stale file still present
  → 'PID file race lost. Exiting.'

remove_pid_file() intentionally guards against removing a file belonging to another live process (the --replace handoff race), but after a crash the guarded process is dead — the guard is wrong here.

Fix

In _cleanup_invalid_pid_path(), replace the call to remove_pid_file() with a direct force-unlink (pid_path.unlink(missing_ok=True)). By the time this helper is called we have already confirmed the recorded PID is dead or invalid, so skipping the ownership guard is correct.

The concurrent-write race (--replace with two competing starters) is unaffected: both processes see the stale file, both unlink it (idempotent), then their write_pid_file() O_CREAT|O_EXCL calls race as intended — exactly one wins.

Changes

File	Change
gateway/status.py	_cleanup_invalid_pid_path(): direct unlink() instead of remove_pid_file()
tests/gateway/test_status.py	Two new regression tests covering the crash→restart scenario

Regression Tests Added

All 29 existing tests in tests/gateway/test_status.py continue to pass.

Before / After

Checklist

• Bug confirmed reproduced in the field by two independent users (Bug: Stale gateway.pid causes gateway restart loop after crash/SIGKILL #13655)
• Root cause identified with full call-chain analysis
• Minimal, targeted fix (9 lines changed in production code)
• Regression tests covering exact failure sequence
• All existing tests pass
• No behaviour change for the normal --replace race path

[alt-glitch]

Likely duplicate of #13658 — both fix stale PID file cleanup on gateway startup after hard crash. Also overlaps with #9703. Recommend consolidating.

[alt-glitch]

Likely duplicate of #13658 — both fix stale PID file cleanup on gateway startup after hard crash. Also overlaps with #9703. Recommend consolidating.

[teknium1]

Thanks for the well-researched PR and clear root cause analysis — the call chain diagram and the explanation of why remove_pid_file()'s ownership guard is wrong in the crash scenario are exactly right.

This is an automated hermes-sweeper review. The fix has already landed on main via a consolidated salvage:

• Commit 402d048e (fix(gateway): also unlink stale PID + lock files on cleanup, 2026-04-22) applies the identical change to _cleanup_invalid_pid_path() in gateway/status.py — replacing remove_pid_file() with a direct pid_path.unlink(missing_ok=True) plus sibling gateway.lock cleanup.
• Regression test coverage for the dead-foreign-PID scenario was included in the same commit (tests/gateway/test_status.py).
• As noted by @alt-glitch, this overlaps with fix: force-clean stale PID file on gateway startup #13658 and fix(gateway): clear stale pid file before service start #9703; the fix was consolidated via PR fix(gateway): recover stale pid and planned restart state #14179.

Closing as implemented. Your analysis directly informed the fix — appreciate the contribution!