fix(gateway): wire launchd_restart to drain-aware SIGUSR1 path (#27745)

[briandevans]

What does this PR do?

hermes gateway restart on macOS (launchd) bypassed its own SIGUSR1 drain handler when invoked from a fresh shell — operator-requested restarts went straight to SIGTERM and killed in-flight agent runs. launchd_restart (hermes_cli/gateway.py:3021) gated its only SIGUSR1 call on _request_gateway_self_restart, which is itself guarded by _is_pid_ancestor_of_current_process. That ancestor guard is correct for the in-process self-restart case (gateway/run.py handlers asking their own gateway ancestor to restart) but returns False whenever the calling CLI process is a sibling under launchd — which is exactly the fresh-shell case. The fallback was terminate_pid(pid, force=False) (SIGTERM, no drain wait). This PR switches launchd_restart to the unconditional drain-aware helper _graceful_restart_via_sigusr1(...), matching what systemd_restart (line 2585) and the macOS hermes update flow already use. On successful drain, runs launchctl kickstart (without -k) to bypass launchd's throttle while preserving the drained in-flight runs.

Related Issue

Fixes #27745

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 🔒 Security fix
• 📝 Documentation update
• ✅ Tests (adding or improving test coverage)
• ♻️ Refactor (no behavior change)
• 🎯 New skill (bundled or hub)

Changes Made

• hermes_cli/gateway.py — launchd_restart now calls _graceful_restart_via_sigusr1(pid, drain_timeout + 5) unconditionally (same budget as systemd_restart). On success, launchctl kickstart without -k bypasses throttle but preserves drained runs. On failure, the original SIGTERM + kickstart -k fallback is kept intact.
• tests/hermes_cli/test_gateway_service.py — new test_launchd_restart_drains_then_kickstarts_without_force (mocks a non-ancestor PID, verifies SIGUSR1 fires and unforced launchctl kickstart follows), and rewrote test_launchd_restart_falls_back_to_sigterm_when_drain_fails to mock the drain failing and verify the SIGTERM + kickstart -k path is preserved.

How to Test

1. uv run --with pytest --with pytest-xdist --with pytest-asyncio python3 -m pytest tests/hermes_cli/test_gateway_service.py -v -k launchd — 13 passed.
2. Regression guard: before the fix, _request_gateway_self_restart was mocked to False in the drain test, proving the SIGTERM path. After the fix that mock is unreachable; the new test exercises the SIGUSR1 path explicitly and asserts no SIGTERM call.

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run focused tests for the touched code and all pass
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform: macOS 15.x (launchd is the affected platform)

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
• I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Sibling Audit

Sibling cleanup: the legacy _request_gateway_self_restart helper is now unused outside its own definition. Happy to drop it (and the underlying _is_pid_ancestor_of_current_process) in this PR or a follow-up if preferred.

Related

• Complements macOS: launchd_restart() returns early after SIGUSR1, leaving gateway permanently dead #11932 / PR fix(gateway): kickstart launchd after SIGUSR1 self-restart on macOS #24993 (in-process SIGUSR1 self-restart path, post-SIGUSR1 kickstart). macOS launchd: hermes gateway restart never invokes _graceful_restart_via_sigusr1, always takes non-drain SIGTERM path from fresh shells #27745 is the upstream gap — the SIGUSR1 path never fired today for fresh-shell invocations.
• Same shape as hermes gateway restart: CLI deadline equals gateway drain budget, false-fires 'still running after 60s' warning and force-kills mid-cleanup #25966 (drain timeout race on the SIGTERM fallback path).

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates launchd_restart() to prefer a drain-aware SIGUSR1 restart path (with an immediate unforced launchctl kickstart) and adjusts tests to cover the new drain-first behavior and SIGTERM fallback.

Changes:

• Replace the launchd “self-restart request” path with _graceful_restart_via_sigusr1(...) drain behavior.
• On successful drain, run launchctl kickstart (without -k) to avoid killing in-flight work.
• Update/rename gateway service tests to validate the new drain/kickstart flow and fallback behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
tests/hermes_cli/test_gateway_service.py	Updates tests to validate SIGUSR1 drain + unforced kickstart, and fallback-to-SIGTERM when drain fails.
hermes_cli/gateway.py	Changes launchd restart logic to use SIGUSR1 drain path and unforced kickstart to respawn immediately.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[briandevans]

Closing to focus the queue on security/file-safety work where civilian merges are landing. Happy to reopen if maintainers want this picked up.