diff --git a/packages/common/chirp-workflow/core/src/ctx/workflow.rs b/packages/common/chirp-workflow/core/src/ctx/workflow.rs
index 5d8e813521..b98a57c8ed 100644
--- a/packages/common/chirp-workflow/core/src/ctx/workflow.rs
+++ b/packages/common/chirp-workflow/core/src/ctx/workflow.rs
@@ -517,7 +517,9 @@ impl WorkflowCtx {
 
 					let duration = (u64::try_from(wake_deadline_ts)?)
 						.saturating_sub(u64::try_from(rivet_util::timestamp::now())?);
-					tokio::time::sleep(Duration::from_millis(duration)).await;
+					tokio::time::sleep(Duration::from_millis(duration))
+						.instrument(tracing::info_span!("backoff_sleep"))
+						.await;
 				}
 
 				match self
diff --git a/packages/edge/infra/client/manager/src/actor/setup.rs b/packages/edge/infra/client/manager/src/actor/setup.rs
index 99bd1e889e..21e557f1ac 100644
--- a/packages/edge/infra/client/manager/src/actor/setup.rs
+++ b/packages/edge/infra/client/manager/src/actor/setup.rs
@@ -522,7 +522,7 @@ impl Actor {
 		let cmd_out = Command::new("ip")
 			.arg("netns")
 			.arg("add")
-			.arg(self.actor_id.to_string())
+			.arg(netns_path.file_name().context("bad netns path")?)
 			.output()
 			.await?;
 		ensure!(
@@ -750,7 +750,7 @@ impl Actor {
 							match Command::new("cnitool")
 								.arg("del")
 								.arg(&ctx.config().cni.network_name())
-								.arg(netns_path)
+								.arg(&netns_path)
 								.env("CNI_PATH", &ctx.config().cni.bin_path())
 								.env("NETCONFPATH", &ctx.config().cni.config_path())
 								.env("CNI_IFNAME", &ctx.config().cni.network_interface)
@@ -789,33 +789,42 @@ impl Actor {
 						}
 					}
 
-					// Clean up network
-					match Command::new("ip")
-						.arg("netns")
-						.arg("del")
-						.arg(self.actor_id.to_string())
-						.output()
-						.await
-					{
-						Result::Ok(cmd_out) => {
-							if !cmd_out.status.success() {
+					if let Some(netns_name) = netns_path.file_name() {
+						// Clean up network
+						match Command::new("ip")
+							.arg("netns")
+							.arg("del")
+							.arg(netns_name)
+							.output()
+							.await
+						{
+							Result::Ok(cmd_out) => {
+								if !cmd_out.status.success() {
+									tracing::error!(
+										actor_id=?self.actor_id,
+										generation=?self.generation,
+										stdout=%std::str::from_utf8(&cmd_out.stdout).unwrap_or("<failed to parse stdout>"),
+										stderr=%std::str::from_utf8(&cmd_out.stderr).unwrap_or("<failed to parse stderr>"),
+										"failed `ip netns` command",
+									);
+								}
+							}
+							Err(err) => {
 								tracing::error!(
 									actor_id=?self.actor_id,
 									generation=?self.generation,
-									stdout=%std::str::from_utf8(&cmd_out.stdout).unwrap_or("<failed to parse stdout>"),
-									stderr=%std::str::from_utf8(&cmd_out.stderr).unwrap_or("<failed to parse stderr>"),
-									"failed `ip netns` command",
+									?err,
+									"failed to run `ip` command",
 								);
 							}
 						}
-						Err(err) => {
-							tracing::error!(
-								actor_id=?self.actor_id,
-								generation=?self.generation,
-								?err,
-								"failed to run `ip` command",
-							);
-						}
+					} else {
+						tracing::error!(
+							actor_id=?self.actor_id,
+							generation=?self.generation,
+							?netns_path,
+							"invalid netns path",
+						);
 					}
 				}
 			}
diff --git a/packages/edge/infra/guard/core/src/proxy_service.rs b/packages/edge/infra/guard/core/src/proxy_service.rs
index e6bb5328e8..2a1ca88e6a 100644
--- a/packages/edge/infra/guard/core/src/proxy_service.rs
+++ b/packages/edge/infra/guard/core/src/proxy_service.rs
@@ -276,7 +276,7 @@ impl ProxyState {
 		}
 	}
 
-	#[tracing::instrument(skip_all)]
+	#[tracing::instrument(skip(self))]
 	async fn resolve_route(
 		&self,
 		hostname: &str,
diff --git a/packages/edge/infra/guard/core/src/server.rs b/packages/edge/infra/guard/core/src/server.rs
index 03b8d05eda..0dffaecb9b 100644
--- a/packages/edge/infra/guard/core/src/server.rs
+++ b/packages/edge/infra/guard/core/src/server.rs
@@ -125,12 +125,15 @@ pub async fn run_server(
 		let conn = server.serve_connection_with_upgrades(io, service);
 		let conn = graceful.watch(conn.into_owned());
 
-		tokio::spawn(async move {
-			if let Err(err) = conn.await {
-				error!("{} connection error: {}", port_type_str, err);
+		tokio::spawn(
+			async move {
+				if let Err(err) = conn.await {
+					error!("{} connection error: {}", port_type_str, err);
+				}
+				info!("{} connection dropped: {}", port_type_str, remote_addr);
 			}
-			info!("{} connection dropped: {}", port_type_str, remote_addr);
-		}.instrument(tracing::info_span!("process_connection_task")));
+			.instrument(tracing::info_span!(parent: None, "process_connection_task")),
+		);
 	}
 
 	// Accept connections until we receive a shutdown signal
@@ -176,7 +179,11 @@ pub async fn run_server(
 
 									// Accept TLS connection in a separate task to avoid ownership issues
 									tokio::spawn(async move {
-										match acceptor_clone.accept(tcp_stream).await {
+										match acceptor_clone
+											.accept(tcp_stream)
+											.instrument(tracing::info_span!("accept"))
+											.await
+										{
 											Ok(tls_stream) => {
 												info!("TLS handshake successful for {}", remote_addr);
 
@@ -206,7 +213,7 @@ pub async fn run_server(
 												error!("TLS handshake failed for {}: {}", remote_addr, e);
 											}
 										}
-									}.instrument(tracing::info_span!("process_tls_connection_task")));
+									}.instrument(tracing::info_span!(parent: None, "process_tls_connection_task")));
 								} else {
 									// Fallback to non-TLS handling (useful for testing)
 									// In production, this would not secure the connection