fix(gateway): don't dead-end setup wizard when only system-scope unit is installed

[teknium1]

Summary

The setup wizard no longer drops users at a bare shell prompt when a system-scope systemd unit exists and the user isn't root.

Root cause: _require_root_for_system_service called sys.exit(1). The wizard's except Exception guards don't catch SystemExit (it's a BaseException), so the whole process died mid-setup. Users who had previously run sudo hermes setup (or equivalent) hit this every time they later ran hermes setup as a regular user — no explanation, just a shell prompt.

Changes

• hermes_cli/gateway.py
  • New SystemScopeRequiresRootError(RuntimeError) with a clean __str__ so format strings render the message (not the (msg, action) tuple).
  • _require_root_for_system_service raises instead of sys.exit.
  • gateway_command catches the new error and exits 1 — preserves the direct hermes gateway start --system CLI path unchanged.
  • New _system_scope_wizard_would_need_root() pre-check and _print_system_scope_remediation() helper.
  • 3 wizard prompt sites in gateway_setup() now check the guard first and fall back to the remediation printer in a defensive except SystemScopeRequiresRootError branch.
• hermes_cli/setup.py
  • Same treatment for the 2 wizard prompt sites in setup_gateway(), plus the post-install "Start the service now?" sub-branch.
• tests/hermes_cli/test_gateway_service.py
  • 12 new tests across 4 classes covering: exception contract, pre-check matrix, remediation output per action, and the direct-CLI exit-1 path.

Validation

	Before	After
hermes setup wizard as non-root with system unit present	sys.exit(1) → shell prompt	Prints actionable remediation, wizard continues
hermes gateway start --system as non-root	exit 1 + "requires root"	exit 1 + "requires root" (unchanged)
hermes setup as root	unchanged	unchanged

Test results: scripts/run_tests.sh tests/hermes_cli/test_gateway_service.py tests/hermes_cli/test_gateway.py tests/hermes_cli/test_setup.py tests/hermes_cli/test_setup_reconfigure.py tests/hermes_cli/test_setup_noninteractive.py — 186/186 passing, 12 new.

E2E (non-root + /etc/systemd/system/hermes-gateway.service present) now prints:

⚠ Gateway is installed as a system-wide service — start requires root.
    Options:
      1. Start it this time:
           sudo systemctl start hermes-gateway
      2. Switch to a per-user service (recommended for personal use):
           sudo hermes gateway uninstall --system
           hermes gateway install
           hermes gateway start

Reported by a user whose terminal dropped to a bare shell after answering Y to "Start the gateway service?" with only a System gateway start requires root. Re-run with sudo. line above it.

[github-actions]

🚨 CRITICAL Supply Chain Risk Detected

This PR contains a pattern that has been used in real supply chain attacks. A maintainer must review the flagged code carefully before merging.

🚨 CRITICAL: Install-hook file added or modified

These files can execute code during package installation or interpreter startup.

Files:

hermes_cli/setup.py

---

Scanner only fires on high-signal indicators: .pth files, base64+exec/eval combos, subprocess with encoded commands, or install-hook files. Low-signal warnings were removed intentionally — if you're seeing this comment, the finding is worth inspecting.

[github-actions]

🔎 Lint report: hermes/hermes-46b86ac0 vs origin/main

ruff

Total: 0 on HEAD, 0 on base (➖ 0)

🆕 New issues: none

✅ Fixed issues: none

Unchanged: 0 pre-existing issues carried over.

ty (type checker)

Total: 7441 on HEAD, 7441 on base (➖ 0)

🆕 New issues: none

✅ Fixed issues: none

Unchanged: 3911 pre-existing issues carried over.

Diagnostics are surfaced as warnings — this check never fails the build.