fix(desktop): recover chat after sleep/wake by revalidating the cached backend

[AlchemistChaos]

What & why

After the Mac sleeps and wakes, the desktop chat composer stays disabled on the "Starting Hermes…" placeholder and never recovers — only a full quit + reopen fixes it.

The renderer's reconnect loop is actually sound (it retries forever with backoff). The lockout is in the main process: startHermes() returns a cached connectionPromise with no liveness check, and that cache is only invalidated by the local backend child's 'exit'/'error' handlers. In remote / global-remote mode there is no child process (hermesProcess stays null), so the cached descriptor is never invalidated for the life of the main process — the renderer re-dials the same dead remote endpoint forever. A relaunch works only because it resets the module-level connectionPromise.

(The placeholder is a precise signal: "Starting Hermes…" shows only when the gateway is stuck in connecting, never reaching open — composer/index.tsx + chat/index.tsx disabled={!gatewayOpen}.)

A detailed write-up is included in the first commit: docs/bugs/desktop-sleep-wake-reconnect-stale-backend.md.

The fix — revalidate-on-reconnect

The renderer's backoff-paced attemptReconnect now calls getConnection(profile, { revalidate: true }). On a cache hit with that flag, startHermes() fast-probes the public /api/status (token-free fetchPublicJson, ~2.5s) and, if the backend is unreachable, tears the stale connection down via resetHermesConnection() and rebuilds — so the renderer's existing loop gets a fresh, reachable descriptor without an app restart. Recovery lands within a couple of backoff ticks (typically seconds; up to ~35s only if connect attempts hit their 15s timeout).

Guard rails (deliberate, to avoid regressions)

• Opt-in, backoff-paced only. revalidate is wired solely into use-gateway-boot's reconnect — not use-gateway-request, which fires on any transient request blip and could needlessly SIGTERM a healthy local child.
• Remote-only teardown. Only mode === 'remote' connections are rebuilt; local backends self-heal via the child 'exit' handler, so a probe miss there is treated as "WS not reattached yet", not "backend dead".
• 2 consecutive failures within one episode (time-windowed streak) before teardown, so a single captive-portal / VPN-re-establishing blip on wake doesn't trigger a respawn, and a stale miss from an earlier (since-recovered) episode can't pre-load the counter.
• Concurrency-safe. After the probe we re-check connectionPromise === cached with no intervening await (resetHermesConnection is synchronous). A peer rebuild is returned as-is; a cache nulled by a concurrent 'exit'/rejection falls through to a fresh build instead of returning null.
• Zero added latency on cold boot and steady state (both stay revalidate-off).
• The renderer dismisses the boot-progress overlay on the post-boot 'open' transition so an in-place rebuild can't leave the overlay stuck at ~94%.

The liveness/decision/episode logic is extracted into pure, unit-tested helpers in hardening.cjs (probeBackendAlive, shouldRebuildStaleConnection, isFreshRevalidateEpisode), since main.cjs can't be loaded headlessly.

How to test

Repro (before this change):

1. Run Hermes Desktop against a remote gateway (global-remote mode).
2. Open a chat; confirm the composer is enabled.
3. Sleep the Mac (or drop the network long enough to tear the remote WS down), then wake it later.
4. Observe the composer stuck disabled on "Starting Hermes…" indefinitely; quit + reopen restores it.

With this change: on wake, the composer recovers on its own within a couple of backoff ticks — no restart.

Edge cases to exercise: a transient WS drop where the remote is still alive (should reconnect with no rebuild/overlay, since the probe succeeds); a genuinely dead/moved remote (should rebuild + recover); a local-mode backend (a probe miss must never SIGTERM a healthy child).

Tests / platforms

• node --test electron/*.test.cjs (the test:desktop:platforms suite): 84/84 pass, including new pure-helper tests in hardening.test.cjs.
• Code reviewed and red-teamed; findings (streak-reset lifecycle, concurrency, null/rejected-cache handling) addressed.

Honest caveats: this was developed/verified on macOS. I was not able to run tsc -b / eslint in my environment (desktop node_modules not installed) — the TypeScript change is a backward-compatible optional-param widening on getConnection plus one matching call site, verified by auditing all call sites; please let CI confirm. I also could not run a live multi-OS Electron sleep/wake repro. Change is desktop/Electron (JS) only — no Python touched, so the pytest suite is unaffected.

Related

Surfaces in the recent global-remote / multi-profile work (e.g. #39921, #39993), where a remote primary backend is the common configuration.

🤖 Generated with Claude Code

[teknium1]

Merged via #41350 (commit cadb74a on main). Your diagnosis was spot-on — the remote backend has no child process, so the 'exit' handler that would clear the cached connectionPromise never fires, and the renderer re-dials the dead endpoint forever.

We reimplemented the fix on a smaller, more interpretable path (64 added lines vs 555): instead of a failure-streak counter + episode-window timestamps + an extracted helper module, the renderer's existing backoff reconnect loop just asks the main process to liveness-probe the cached remote and drop it if dead — the loop is already the retry mechanism, so it rides out transient post-wake blips on its own. Same recovery behavior.

Your authorship is preserved as a co-author on the fix commit. Thanks for the careful write-up and red-team — it made the simplification easy to verify.

[AlchemistChaos]

Thanks for merging it in! Will be careful next time around how complex the proposed fixes are.