fix: add panic recovery to unprotected goroutines

Prevents observer/callback panics from crashing the entire process.
Matches existing recovery patterns used in other goroutine sites.

Adds defer/recover blocks to goroutines across 20 files:
- Root: reload_orchestrator, contract_verifier, application_observer
- Scheduler: dispatcher, shutdown waiter
- EventLogger: processing loop, startup emission, shutdown waiter
- HTTPServer: runServer
- ConfigWatcher: context listener, event loop
- EventBus: memory/NATS/Kinesis/Kafka/Redis/durable/custom workers,
  shutdown waiters, async handlers, event emission, observer notification
- Cache: memory cleanup goroutine
- ReverseProxy: health checker, dry-run requests, circuit breaker and
  direct proxy goroutines
- LetsEncrypt: certificate renewal goroutine

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: intel352

application_observer.go

@@ -134,6 +134,11 @@ func (app *ObservableApplication) NotifyObservers(ctx context.Context, event clo
 func (app *ObservableApplication) emitEvent(ctx context.Context, event cloudevents.Event) {
 	// Use a separate goroutine to avoid blocking application operations
 	go func() {
+		defer func() {
+			if r := recover(); r != nil {
+				app.logger.Error("panic recovered in application event emission", "error", r)
+			}
+		}()
 		if err := app.NotifyObservers(ctx, event); err != nil {
 			app.logger.Error("Failed to notify observers", "event", event.Type(), "error", err)
 		}

configwatcher/configwatcher.go

@@ -70,6 +70,11 @@ func (w *ConfigWatcher) Start(ctx context.Context) error {
 	w.wg.Add(1)
 	go func() {
 		defer w.wg.Done()
+		defer func() {
+			if r := recover(); r != nil {
+				w.logger.Error("panic recovered in config watcher context listener", "error", r)
+			}
+		}()
 		select {
 		case <-ctx.Done():
 			_ = w.stopWatching()
@@ -117,6 +122,11 @@ func (w *ConfigWatcher) stopWatching() error {
 
 func (w *ConfigWatcher) eventLoop() {
 	defer w.wg.Done()
+	defer func() {
+		if r := recover(); r != nil {
+			w.logger.Error("panic recovered in config watcher event loop", "error", r)
+		}
+	}()
 	var timer *time.Timer
 	changedPaths := make(map[string]struct{})
 	var mu sync.Mutex

contract_verifier.go

@@ -128,6 +128,11 @@ func (v *StandardContractVerifier) runReloadWithGuard(module Reloadable, label s
 	type result struct{ err error }
 	ch := make(chan result, 1)
 	go func() {
+		defer func() {
+			if r := recover(); r != nil {
+				ch <- result{err: fmt.Errorf("Reload panicked: %v", r)}
+			}
+		}()
 		ch <- result{err: module.Reload(ctx, nil)}
 	}()
 
@@ -170,6 +175,11 @@ func (v *StandardContractVerifier) VerifyHealthContract(provider HealthProvider)
 	}
 	ch := make(chan result, 1)
 	go func() {
+		defer func() {
+			if r := recover(); r != nil {
+				ch <- result{err: fmt.Errorf("HealthCheck panicked: %v", r)}
+			}
+		}()
 		reports, err := provider.HealthCheck(ctx)
 		ch <- result{reports, err}
 	}()

eventlogger/module.go

@@ -340,6 +340,13 @@ func (m *EventLoggerModule) Start(ctx context.Context) error {
 
 // emitStartupOperationalEvents performs the operational event emission without holding the Start mutex.
 func (m *EventLoggerModule) emitStartupOperationalEvents(ctx context.Context, sync bool, outputsLen, bufferLen int, targetConfigs []OutputTargetConfig) {
+	defer func() {
+		if r := recover(); r != nil {
+			if m.logger != nil {
+				m.logger.Error("panic recovered in event logger startup event emission", "error", r)
+			}
+		}
+	}()
 	// Protect field reads with RLock to avoid race with Stop() which writes m.started under Lock
 	m.mutex.RLock()
 	logger := m.logger
@@ -431,6 +438,13 @@ func (m *EventLoggerModule) Stop(ctx context.Context) error {
 	// Wait for processing with optional timeout
 	done := make(chan struct{})
 	go func() {
+		defer func() {
+			if r := recover(); r != nil {
+				if m.logger != nil {
+					m.logger.Error("panic recovered in event logger shutdown waiter", "error", r)
+				}
+			}
+		}()
 		m.wg.Wait()
 		close(done)
 	}()
@@ -759,6 +773,13 @@ func (m *EventLoggerModule) ObserverID() string {
 // processEvents processes events from both event channels.
 func (m *EventLoggerModule) processEvents(ctx context.Context) {
 	defer m.wg.Done()
+	defer func() {
+		if r := recover(); r != nil {
+			if m.logger != nil {
+				m.logger.Error("panic recovered in event logger processing loop", "error", r)
+			}
+		}
+	}()
 
 	flushTicker := time.NewTicker(m.config.FlushInterval)
 	defer flushTicker.Stop()

httpserver/module.go

@@ -285,6 +285,11 @@ func (m *HTTPServerModule) Start(ctx context.Context) error {
 
 // runServer starts the HTTP server with appropriate TLS configuration
 func (m *HTTPServerModule) runServer(ctx context.Context, addr string) {
+	defer func() {
+		if r := recover(); r != nil {
+			m.logger.Error("panic recovered in HTTP server", "error", r)
+		}
+	}()
 	m.logger.Info("Starting HTTP server", "address", addr)
 	var err error
 

modules/cache/memory.go

@@ -2,6 +2,7 @@ package cache
 
 import (
 	"context"
+	"log/slog"
 	"sync"
 	"time"
 
@@ -76,6 +77,11 @@ func (c *MemoryCache) Connect(ctx context.Context) error {
 	// Start cleanup goroutine with derived context
 	c.cleanupCtx, c.cancelFunc = context.WithCancel(ctx)
 	go func() {
+		defer func() {
+			if r := recover(); r != nil {
+				slog.Error("panic recovered in cache cleanup goroutine", "error", r)
+			}
+		}()
 		c.startCleanupTimer(c.cleanupCtx)
 	}()
 	return nil

modules/eventbus/custom_memory.go

@@ -427,6 +427,11 @@ func (c *CustomMemoryEventBus) matchesTopic(eventTopic, subscriptionTopic string
 
 // handleEvents processes events for a custom subscription
 func (c *CustomMemoryEventBus) handleEvents(sub *customMemorySubscription) {
+	defer func() {
+		if r := recover(); r != nil {
+			slog.Error("panic recovered in custom memory event handler", "error", r, "topic", sub.topic)
+		}
+	}()
 	for {
 		select {
 		case <-c.ctx.Done():
@@ -469,6 +474,11 @@ func (c *CustomMemoryEventBus) handleEvents(sub *customMemorySubscription) {
 
 // metricsCollector periodically logs metrics
 func (c *CustomMemoryEventBus) metricsCollector() {
+	defer func() {
+		if r := recover(); r != nil {
+			slog.Error("panic recovered in custom memory eventbus metrics collector", "error", r)
+		}
+	}()
 	ticker := time.NewTicker(c.config.MetricsInterval)
 	defer ticker.Stop()
 

modules/eventbus/durable_memory.go

@@ -235,6 +235,11 @@ func (d *DurableMemoryEventBus) Stop(ctx context.Context) error {
 
 	done := make(chan struct{})
 	go func() {
+		defer func() {
+			if r := recover(); r != nil {
+				slog.Error("panic recovered in durable memory eventbus shutdown waiter", "error", r)
+			}
+		}()
 		d.wg.Wait()
 		close(done)
 	}()

modules/eventbus/kafka.go

@@ -267,6 +267,11 @@ func (k *KafkaEventBus) Stop(ctx context.Context) error {
 	// Wait for all workers to finish
 	done := make(chan struct{})
 	go func() {
+		defer func() {
+			if r := recover(); r != nil {
+				slog.Error("panic recovered in Kafka eventbus shutdown waiter", "error", r)
+			}
+		}()
 		k.wg.Wait()
 		close(done)
 	}()
@@ -368,6 +373,11 @@ func (k *KafkaEventBus) subscribe(ctx context.Context, topic string, handler Eve
 
 // startConsumerGroup starts the Kafka consumer group
 func (k *KafkaEventBus) startConsumerGroup() {
+	defer func() {
+		if r := recover(); r != nil {
+			slog.Error("panic recovered in Kafka consumer group", "error", r)
+		}
+	}()
 	handler := &KafkaConsumerGroupHandler{
 		eventBus:      k,
 		subscriptions: make(map[string]*kafkaSubscription),
@@ -467,5 +477,10 @@ func (k *KafkaEventBus) processEvent(sub *kafkaSubscription, event Event) {
 
 // processEventAsync processes an event asynchronously
 func (k *KafkaEventBus) processEventAsync(sub *kafkaSubscription, event Event) {
+	defer func() {
+		if r := recover(); r != nil {
+			slog.Error("panic recovered in Kafka async event handler", "error", r, "topic", event.Type())
+		}
+	}()
 	k.processEvent(sub, event)
 }

modules/eventbus/kinesis.go

@@ -242,6 +242,11 @@ func (k *KinesisEventBus) Stop(ctx context.Context) error {
 	// Wait for all workers to finish
 	done := make(chan struct{})
 	go func() {
+		defer func() {
+			if r := recover(); r != nil {
+				slog.Error("panic recovered in Kinesis eventbus shutdown waiter", "error", r)
+			}
+		}()
 		k.wg.Wait()
 		close(done)
 	}()
@@ -402,6 +407,11 @@ func (k *KinesisEventBus) readShard(shardID string) {
 		delete(k.activeShards, shardID)
 		k.shardMutex.Unlock()
 	}()
+	defer func() {
+		if r := recover(); r != nil {
+			slog.Error("panic recovered in Kinesis shard reader", "error", r, "shard", shardID)
+		}
+	}()
 
 	// Get shard iterator
 	iterResp, err := k.client.GetShardIterator(k.ctx, &kinesis.GetShardIteratorInput{
@@ -608,5 +618,10 @@ func (k *KinesisEventBus) processEvent(sub *kinesisSubscription, event Event) {
 
 // processEventAsync processes an event asynchronously
 func (k *KinesisEventBus) processEventAsync(sub *kinesisSubscription, event Event) {
+	defer func() {
+		if r := recover(); r != nil {
+			slog.Error("panic recovered in Kinesis async event handler", "error", r, "topic", event.Type())
+		}
+	}()
 	k.processEvent(sub, event)
 }