fix(gateway): write clean-shutdown marker at start of stop() not end

[luinbytes]

Summary

Moves the .clean_shutdown marker write from the end of _stop_impl() to the very beginning, before any async work (draining, disconnecting, cleanup).

Problem

#8299 introduced the .clean_shutdown marker to prevent suspend_recently_active() from firing after graceful restarts. However, the marker was written near the end of stop(), after draining agents and disconnecting adapters. When the gateway runs as a systemd service with TimeoutStopSec=60, a long-running drain can push stop() past the timeout. systemd then sends SIGKILL, killing the process before the marker is written. The next startup sees no marker, assumes a crash, and suspends all recent sessions — causing unwanted auto-resets.

Fix

Write the marker at the top of _stop_impl(), immediately on entry. The marker is idempotent (touch), so a false-positive (marker written but process crashes mid-drain) only skips one crash-recovery suspension — which is harmless since the drain was already attempted.

Edge case considered

If the process receives SIGTERM, writes the marker, then genuinely crashes during drain — the next startup will skip suspend_recently_active(). This is acceptable because:

1. The drain was already initiated (agents were asked to stop)
2. The only risk is a "stuck" session, but systemd will restart the gateway anyway
3. The alternative (current behavior) is worse: losing ALL session context on every planned restart

Test plan

• Syntax check passes
• Diff is clean against upstream main
• No overlap with other open PRs (only touches gateway/run.py stop() method)
• Verify: hermes gateway restart preserves session after this change

[alt-glitch]

Likely duplicate of #11099 — Clean-shutdown marker written at end of stop() — if drain exceeds systemd TimeoutStopSec, SIGKILL prevents marker write, causing session context loss on restart. Fix moves marker write to start of _stop_impl(). Duplicate of #11099.