Goal
Isolate the four *.tick() stages in the 60s watchdog so a raise in one (usage-limit parking, prompt routing, polite-message delivery, context auto-management) is logged and skipped rather than silently aborting the rest of the cycle.
Why it matters
cmd_limits_tick (limits_cli.py:104-107) calls usage_limit.tick(), prompt_router.tick(), inbox.tick(), session_context.tick() sequentially with NO inter-stage try/except, and the CLI dispatcher (__main__.py:12760 return args.func(args)) is also unwrapped — so a raise in the first stage (usage-limit, run first by design) propagates out, the process exits, launchd silently reruns next minute, and the inbox drain + context auto-clear never run that cycle. The failure is invisible (no crash visible, no alert). Contrast the scheduler loop (scheduler.py:1855+) which wraps each stage and backs off. CORRECTION to original framing: route_prompt (prompt_router.py:500-534) is already fully wrapped and cannot raise, and the inner sweep calls are largely defensive (_capture swallows tmux errors) — so the real, worth-fixing gap is the cross-stage isolation in cmd_limits_tick, not the per-pane loop bodies (those are mostly handled). The inbox/session_context docstrings already advertise 'Never raises,' showing the author's intent.
Proposed approach
Wrap each of the four *.tick() calls in cmd_limits_tick in its own try/except that logs to a jsonl event and continues to the next stage. (Per-pane try/except in the sweep loops is mostly redundant given existing swallow-and-continue patterns; add only where an unguarded parse/notify could realistically raise.)
Effort / risk
Effort S. Risk: very low (pure defensive wrapping).
Goal
Isolate the four
*.tick()stages in the 60s watchdog so a raise in one (usage-limit parking, prompt routing, polite-message delivery, context auto-management) is logged and skipped rather than silently aborting the rest of the cycle.Why it matters
cmd_limits_tick(limits_cli.py:104-107) callsusage_limit.tick(),prompt_router.tick(),inbox.tick(),session_context.tick()sequentially with NO inter-stage try/except, and the CLI dispatcher (__main__.py:12760return args.func(args)) is also unwrapped — so a raise in the first stage (usage-limit, run first by design) propagates out, the process exits, launchd silently reruns next minute, and the inbox drain + context auto-clear never run that cycle. The failure is invisible (no crash visible, no alert). Contrast the scheduler loop (scheduler.py:1855+) which wraps each stage and backs off. CORRECTION to original framing:route_prompt(prompt_router.py:500-534) is already fully wrapped and cannot raise, and the inner sweep calls are largely defensive (_captureswallows tmux errors) — so the real, worth-fixing gap is the cross-stage isolation incmd_limits_tick, not the per-pane loop bodies (those are mostly handled). Theinbox/session_contextdocstrings already advertise 'Never raises,' showing the author's intent.Proposed approach
Wrap each of the four
*.tick()calls incmd_limits_tickin its own try/except that logs to a jsonl event and continues to the next stage. (Per-pane try/except in the sweep loops is mostly redundant given existing swallow-and-continue patterns; add only where an unguarded parse/notify could realistically raise.)Effort / risk
Effort S. Risk: very low (pure defensive wrapping).