Sweep: empty-provider-output fail-closed raises that still kill their callers (follow-up to #935)

[FidoCanCode]

Observed

After merging #937 (which fixed the _notify_thread_change call site), the same crash pattern surfaced from a different call site:

21:49:34 CRITICAL [-] uncaught exception in thread reorder-home
  File "/workspace/src/fido/tasks.py", line 578, in reorder_tasks
    _on_done()
  File "/workspace/src/fido/events.py", line 1534, in on_done
    rewrite_fn(...)
  File "/workspace/src/fido/events.py", line 1481, in _rewrite_pr_description
    _write_pr_description(...)
  File "/workspace/src/fido/worker.py", line 866, in _write_pr_description
    raise ValueError(
      "_write_pr_description: provider returned no <body> content for PR #934 (raw='')"
    )

Same root cause: the voice turn was preempted by an incoming webhook (result_len=0, cancelled=True), caller couldn't distinguish that from a real empty-Opus-reply, and raise ValueError killed the daemon thread.

What to audit

Every raise ValueError / RuntimeError inside an agent call path whose caller runs on a thread without surrounding try/except. Known instances so far:

• _notify_thread_change (events.py ~1378) — fixed in Don't treat preempted voice turn as Opus failure (fixes #935) #937
• _write_pr_description (worker.py ~866) — unfixed, hit 21:49

Probable cousins (worth checking):

• _rewrite_pr_description (events.py ~1481)
• PR-body composers that call agent.run_turn
• Reply generators (generate_ACT_reply, generate_DO_reply, etc.) if any raise on empty
• The generate_persona_status / generate_persona_emoji pair in gh_status.py (already raises ValueError in the code we read earlier — same shape, probably same bug; falls back to _FALLBACK_MESSAGES via the caller's except Exception, but that's hidden behind a broad catch)

Fix shape

Same as #937:

1. Pass retry_on_preempt=True to run_turn at each site.
2. On genuine empty-after-retries, fall back to a plain-text default (or skip + log, depending on call-site semantics — PR-description rewrite can legitimately no-op if the rewrite would have been a no-op anyway).
3. Update the corresponding raise ValueError sites to log + fallback, not raise, since the callers run on daemon threads without a top-level handler.

Alternative design consideration: a module-level safe_voice_turn helper that wraps run_turn with retry_on_preempt=True + empty-result → fallback + log. Every call site that currently raises on empty gets switched to use this helper. One place to fix, one place to audit.

Related

• reorder-home thread crashes uncaught when notify_thread_change Opus call returns empty #935 / Don't treat preempted voice turn as Opus failure (fixes #935) #937 — initial instance and fix
• Drain ClaudeSession stderr into the logger (progress on #921) #922 — stderr drain that made this class of crash observable in the first place
  EOF
  )

[FidoCanCode]

Diagnosis update — it's not preempt, it's unwrapped output

Fresh crash evidence from this afternoon on confusio:

ValueError: _write_pr_description: provider returned no <body> content for PR #285
(raw="\n\n*tail wag* Ready and waiting for the next task! The outbound dispatcher's
core pipeline is all wired up — outbox, fan-out, delivery, and webhook integration
are humming along with 779 tests passing.")

The raw is not empty. Opus returned a full Fido-voice response. It just ignored the <body>...</body> wrapper the prompt asked for and wrote the reply as prose.

So _write_pr_description isn't hitting the preempt-cancelled pattern _notify_thread_change was hitting (#935). It's hitting a prompt-format-compliance problem: when Opus decides to just talk instead of wrapping, the parser's strict <body> tag match fails and raises.

What actually needs to change

The retry_on_preempt=True + empty-fallback approach from PR #937 doesn't fit here — retry would get more unwrapped prose, and the "genuinely empty" branch wouldn't trigger because the raw isn't empty.

Two options:

1. Tighten the prompt so Opus reliably wraps in <body>. Explicit format spec at the end of the system prompt, maybe with a counter-example of what NOT to return. Still brittle — Opus will occasionally ignore format anyway.
2. Accept unwrapped output as the body. If the parser can't find <body> tags, treat the whole stripped response as the body content. Cheap, permissive, converts a crash into a slightly worse but still usable PR description.

Probably do both: tighten the prompt AND add the permissive fallback so prompt-regressions don't crash the worker.

Revised sweep

The earlier "audit every raise-on-empty-provider-output" premise still applies — but the failure modes are now:

• Empty + cancelled (preempt) — covered by retry_on_preempt=True, Don't treat preempted voice turn as Opus failure (fixes #935) #937 fixed _notify_thread_change.
• Empty + not cancelled (real provider failure) — plain-text fallback, Don't treat preempted voice turn as Opus failure (fixes #935) #937 also covers.
• Non-empty but wrong shape (prompt compliance) — needs permissive parser. Distinct bug class.

The third class is what crashed _write_pr_description twice today (this boot and the previous one). safe_voice_turn helper should cover all three; it needs a "parser" parameter so each caller can define what "shape the reply should be in" and what the permissive fallback is when Opus doesn't comply.

Retitling the issue mentally: "Empty-provider-output" was too narrow — the real bug class is "caller raises when provider output isn't the expected shape".

[FidoCanCode]

Picking up this issue! Time to sniff out those fail-closed raises that are still taking down their callers — follow-up fetch from #935. 🐕