diff --git a/tools/approval.py b/tools/approval.py
index b49e444a4e..68a53a01c1 100644
--- a/tools/approval.py
+++ b/tools/approval.py
@@ -342,7 +342,8 @@ def load_permanent_allowlist() -> set:
         if patterns:
             load_permanent(patterns)
         return patterns
-    except Exception:
+    except Exception as e:
+        logger.warning("Failed to load permanent allowlist: %s", e)
         return set()
 
 
@@ -384,7 +385,8 @@ def prompt_dangerous_approval(command: str, description: str,
         try:
             return approval_callback(command, description,
                                      allow_permanent=allow_permanent)
-        except Exception:
+        except Exception as e:
+            logger.error("Approval callback failed: %s", e, exc_info=True)
             return "deny"
 
     os.environ["HERMES_SPINNER_PAUSE"] = "1"
@@ -466,7 +468,8 @@ def _get_approval_config() -> dict:
         from hermes_cli.config import load_config
         config = load_config()
         return config.get("approvals", {}) or {}
-    except Exception:
+    except Exception as e:
+        logger.warning("Failed to load approval config: %s", e)
         return {}
 
 
diff --git a/tools/mcp_oauth.py b/tools/mcp_oauth.py
index c4d7726769..6b0ef12f20 100644
--- a/tools/mcp_oauth.py
+++ b/tools/mcp_oauth.py
@@ -198,8 +198,8 @@ class HermesTokenStorage:
             return None
         try:
             return OAuthToken.model_validate(data)
-        except Exception:
-            logger.warning("Corrupt tokens at %s -- ignoring", self._tokens_path())
+        except (ValueError, TypeError, KeyError) as exc:
+            logger.warning("Corrupt tokens at %s -- ignoring: %s", self._tokens_path(), exc)
             return None
 
     async def set_tokens(self, tokens: "OAuthToken") -> None:
@@ -214,8 +214,8 @@ class HermesTokenStorage:
             return None
         try:
             return OAuthClientInformationFull.model_validate(data)
-        except Exception:
-            logger.warning("Corrupt client info at %s -- ignoring", self._client_info_path())
+        except (ValueError, TypeError, KeyError) as exc:
+            logger.warning("Corrupt client info at %s -- ignoring: %s", self._client_info_path(), exc)
             return None
 
     async def set_client_info(self, client_info: "OAuthClientInformationFull") -> None:
@@ -343,13 +343,14 @@ async def _wait_for_callback() -> tuple[str, str | None]:
     timeout = 300.0
     poll_interval = 0.5
     elapsed = 0.0
-    while elapsed < timeout:
-        if result["auth_code"] is not None or result["error"] is not None:
-            break
-        await asyncio.sleep(poll_interval)
-        elapsed += poll_interval
-
-    server.server_close()
+    try:
+        while elapsed < timeout:
+            if result["auth_code"] is not None or result["error"] is not None:
+                break
+            await asyncio.sleep(poll_interval)
+            elapsed += poll_interval
+    finally:
+        server.server_close()
 
     if result["error"]:
         raise RuntimeError(f"OAuth authorization failed: {result['error']}")