From e0d686beaf73ed36f22b3964c521a108f448c3bd Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Fri, 13 Mar 2026 21:02:44 +0000
Subject: [PATCH 1/8] fix: harden parser panic paths

Co-authored-by: EvalOpsBot <EvalOpsBot@users.noreply.github.com>
---
 src/core/diff_parser.rs                | 28 ++++++++++++---
 src/parsing/llm_response.rs            | 50 +++++++++++++++++++++-----
 src/plugins/builtin/secret_scanner.rs  |  4 ++-
 src/review/verification/parser/text.rs | 14 ++------
 4 files changed, 71 insertions(+), 25 deletions(-)

diff --git a/src/core/diff_parser.rs b/src/core/diff_parser.rs
index 24329b8..0671a2b 100644
--- a/src/core/diff_parser.rs
+++ b/src/core/diff_parser.rs
@@ -450,15 +450,35 @@ impl DiffParser {
             .captures(header)
             .ok_or_else(|| anyhow::anyhow!("Invalid hunk header: {}", header))?;
 
-        let old_start = caps.get(1).unwrap().as_str().parse()?;
-        let old_lines = caps.get(2).map_or(1, |m| m.as_str().parse().unwrap_or(1));
-        let new_start = caps.get(3).unwrap().as_str().parse()?;
-        let new_lines = caps.get(4).map_or(1, |m| m.as_str().parse().unwrap_or(1));
+        let old_start = parse_required_capture(&caps, 1, header)?;
+        let old_lines = parse_optional_capture(&caps, 2).unwrap_or(1);
+        let new_start = parse_required_capture(&caps, 3, header)?;
+        let new_lines = parse_optional_capture(&caps, 4).unwrap_or(1);
 
         Ok((old_start, old_lines, new_start, new_lines))
     }
 }
 
+fn parse_required_capture(
+    captures: &regex::Captures<'_>,
+    group: usize,
+    header: &str,
+) -> Result<usize> {
+    captures
+        .get(group)
+        .ok_or_else(|| anyhow::anyhow!("Missing hunk header capture group {}: {}", group, header))?
+        .as_str()
+        .parse()
+        .map_err(Into::into)
+}
+
+fn parse_optional_capture(captures: &regex::Captures<'_>, group: usize) -> Option<usize> {
+    captures
+        .get(group)
+        .and_then(|value| value.as_str().parse::<usize>().ok())
+        .filter(|value| *value > 0)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
diff --git a/src/parsing/llm_response.rs b/src/parsing/llm_response.rs
index 024064a..a132656 100644
--- a/src/parsing/llm_response.rs
+++ b/src/parsing/llm_response.rs
@@ -122,9 +122,14 @@ fn parse_primary(content: &str, file_path: &Path) -> Result<Vec<core::comment::R
         }
 
         if let Some(caps) = LINE_PATTERN.captures(line) {
-            let line_number: usize = caps.get(1).unwrap().as_str().parse()?;
+            let Some(line_number) = capture_usize(&caps, 1)? else {
+                continue;
+            };
             let metadata = caps.get(2).map(|value| value.as_str()).unwrap_or("");
-            let comment_text = caps.get(3).unwrap().as_str().trim();
+            let Some(comment_text) = capture_text(&caps, 3) else {
+                continue;
+            };
+            let comment_text = comment_text.trim();
             let (inline_rule_id, comment_text) = extract_rule_id_from_text(comment_text);
             let metadata_rule_id = extract_rule_id_from_metadata(metadata);
             let rule_id = inline_rule_id.or(metadata_rule_id);
@@ -184,8 +189,11 @@ fn parse_numbered_list(content: &str, file_path: &Path) -> Vec<core::comment::Ra
     let mut comments = Vec::new();
     for line in content.lines() {
         if let Some(caps) = NUMBERED_PATTERN.captures(line) {
-            if let Ok(line_number) = caps.get(1).unwrap().as_str().parse::<usize>() {
-                let text = caps.get(2).unwrap().as_str().trim().to_string();
+            if let Some(line_number) = capture_usize_lossy(&caps, 1) {
+                let Some(text) = capture_text(&caps, 2) else {
+                    continue;
+                };
+                let text = text.trim().to_string();
                 comments.push(make_raw_comment(file_path, line_number, text));
             }
         }
@@ -205,8 +213,11 @@ fn parse_markdown_bullets(content: &str, file_path: &Path) -> Vec<core::comment:
     let mut comments = Vec::new();
     for line in content.lines() {
         if let Some(caps) = BULLET_PATTERN.captures(line) {
-            if let Ok(line_number) = caps.get(1).unwrap().as_str().parse::<usize>() {
-                let text = caps.get(2).unwrap().as_str().trim().to_string();
+            if let Some(line_number) = capture_usize_lossy(&caps, 1) {
+                let Some(text) = capture_text(&caps, 2) else {
+                    continue;
+                };
+                let text = text.trim().to_string();
                 comments.push(make_raw_comment(file_path, line_number, text));
             }
         }
@@ -226,8 +237,11 @@ fn parse_file_line_format(content: &str, file_path: &Path) -> Vec<core::comment:
     let mut comments = Vec::new();
     for line in content.lines() {
         if let Some(caps) = FILE_LINE_PATTERN.captures(line) {
-            if let Ok(line_number) = caps.get(1).unwrap().as_str().parse::<usize>() {
-                let text = caps.get(2).unwrap().as_str().trim().to_string();
+            if let Some(line_number) = capture_usize_lossy(&caps, 1) {
+                let Some(text) = capture_text(&caps, 2) else {
+                    continue;
+                };
+                let text = text.trim().to_string();
                 comments.push(make_raw_comment(file_path, line_number, text));
             }
         }
@@ -267,7 +281,10 @@ fn extract_json_from_code_block(content: &str) -> Option<String> {
         Lazy::new(|| Regex::new(r"(?s)```(?:json)?\s*\n(.*?)```").unwrap());
 
     for caps in CODE_BLOCK.captures_iter(content) {
-        let block = caps.get(1).unwrap().as_str().trim();
+        let Some(block) = capture_text(&caps, 1) else {
+            continue;
+        };
+        let block = block.trim();
         if block.starts_with('[') || block.starts_with('{') {
             return Some(block.to_string());
         }
@@ -580,6 +597,21 @@ fn make_raw_comment(
     }
 }
 
+fn capture_text<'a>(captures: &'a regex::Captures<'_>, group: usize) -> Option<&'a str> {
+    captures.get(group).map(|value| value.as_str())
+}
+
+fn capture_usize(captures: &regex::Captures<'_>, group: usize) -> Result<Option<usize>> {
+    capture_text(captures, group)
+        .map(|value| value.parse::<usize>())
+        .transpose()
+        .map_err(Into::into)
+}
+
+fn capture_usize_lossy(captures: &regex::Captures<'_>, group: usize) -> Option<usize> {
+    capture_text(captures, group).and_then(|value| value.parse::<usize>().ok())
+}
+
 /// Build a unified-diff-style string from original and suggested code.
 fn build_suggestion_diff(original: &str, suggested: &str) -> String {
     let mut diff = String::new();
diff --git a/src/plugins/builtin/secret_scanner.rs b/src/plugins/builtin/secret_scanner.rs
index f4ad344..47c3778 100644
--- a/src/plugins/builtin/secret_scanner.rs
+++ b/src/plugins/builtin/secret_scanner.rs
@@ -560,7 +560,9 @@ impl SecretScanner {
             let re: &Regex = pattern.regex;
             for caps in re.captures_iter(line) {
                 // Use the first capture group if it exists, otherwise the full match
-                let matched = caps.get(1).unwrap_or_else(|| caps.get(0).unwrap());
+                let Some(matched) = caps.get(1).or_else(|| caps.get(0)) else {
+                    continue;
+                };
                 let value = matched.as_str();
 
                 // False positive checks
diff --git a/src/review/verification/parser/text.rs b/src/review/verification/parser/text.rs
index d34d548..f307a3a 100644
--- a/src/review/verification/parser/text.rs
+++ b/src/review/verification/parser/text.rs
@@ -22,19 +22,11 @@ fn parse_finding_line(line: &str, comments: &[Comment]) -> Option<VerificationRe
         return None;
     }
 
-    let accurate = capture_bool(&captures, 3)
-        .expect("capture group 3 (accurate) must exist after regex match");
-    let score = capture_u8(&captures, 2)
-        .expect("capture group 2 (score) must exist after regex match")
-        .min(10);
+    let accurate = capture_bool(&captures, 3)?;
+    let score = capture_u8(&captures, 2)?.min(10);
     let line_correct = capture_bool(&captures, 4).unwrap_or(accurate);
     let suggestion_sound = capture_bool(&captures, 5).unwrap_or(true);
-    let reason = captures
-        .get(6)
-        .expect("capture group 6 (reason) must exist after regex match")
-        .as_str()
-        .trim()
-        .to_string();
+    let reason = captures.get(6)?.as_str().trim().to_string();
 
     Some(VerificationResult {
         comment_id: comments[index - 1].id.clone(),

From 15262ee70157c856891a393916ff10f159780c82 Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Fri, 13 Mar 2026 21:03:01 +0000
Subject: [PATCH 2/8] refactor: group config domains and trim path modules

Co-authored-by: EvalOpsBot <EvalOpsBot@users.noreply.github.com>
---
 src/commands/eval/command.rs                  |   4 +-
 src/commands/eval/command/batch.rs            |   2 +-
 src/commands/{git.rs => git/mod.rs}           |   2 -
 src/commands/misc/lsp_check.rs                |   8 -
 src/commands/misc/lsp_check/mod.rs            |   5 +
 src/commands/{misc.rs => misc/mod.rs}         |   4 -
 .../review/{command.rs => command/mod.rs}     |   3 -
 src/commands/{review.rs => review/mod.rs}     |   2 -
 src/commands/smart_review.rs                  |   6 -
 src/commands/smart_review/mod.rs              |   4 +
 src/config.rs                                 | 305 ++++++++++--------
 .../pipeline/execution/dispatcher/context.rs  |   6 +-
 .../pipeline/execution/dispatcher/run.rs      |   2 +-
 .../pipeline/postprocess/verification.rs      |   8 +-
 src/review/pipeline/services/adapter_init.rs  |   4 +-
 src/server/api.rs                             |  13 +-
 src/server/github.rs                          |  21 +-
 17 files changed, 220 insertions(+), 179 deletions(-)
 rename src/commands/{git.rs => git/mod.rs} (84%)
 delete mode 100644 src/commands/misc/lsp_check.rs
 create mode 100644 src/commands/misc/lsp_check/mod.rs
 rename src/commands/{misc.rs => misc/mod.rs} (63%)
 rename src/commands/review/{command.rs => command/mod.rs} (59%)
 rename src/commands/{review.rs => review/mod.rs} (69%)
 delete mode 100644 src/commands/smart_review.rs
 create mode 100644 src/commands/smart_review/mod.rs

diff --git a/src/commands/eval/command.rs b/src/commands/eval/command.rs
index 511c604..413172c 100644
--- a/src/commands/eval/command.rs
+++ b/src/commands/eval/command.rs
@@ -24,7 +24,7 @@ pub async fn eval_command(
     output_path: Option<PathBuf>,
     options: EvalRunOptions,
 ) -> Result<()> {
-    config.verification_fail_open = true;
+    config.verification.fail_open = true;
     if options.repeat > 1 || !options.matrix_models.is_empty() {
         return run_eval_batch(config, &fixtures_dir, output_path.as_deref(), &options).await;
     }
@@ -87,7 +87,7 @@ fn build_eval_run_metadata(
             fixture_name_filters: options.fixture_name_filters.clone(),
             max_fixtures: options.max_fixtures,
         },
-        verification_fail_open: config.verification_fail_open,
+        verification_fail_open: config.verification.fail_open,
         trend_file: options
             .trend_file
             .as_ref()
diff --git a/src/commands/eval/command/batch.rs b/src/commands/eval/command/batch.rs
index f900846..90333ee 100644
--- a/src/commands/eval/command/batch.rs
+++ b/src/commands/eval/command/batch.rs
@@ -38,7 +38,7 @@ pub(super) async fn run_eval_batch(
     output_path: Option<&Path>,
     options: &EvalRunOptions,
 ) -> Result<()> {
-    config.verification_fail_open = true;
+    config.verification.fail_open = true;
     let prepared_options = prepare_eval_options(options)?;
     let models = matrix_models(&config, options);
     let repeat_total = options.repeat.max(1);
diff --git a/src/commands/git.rs b/src/commands/git/mod.rs
similarity index 84%
rename from src/commands/git.rs
rename to src/commands/git/mod.rs
index 88ade18..dee6f62 100644
--- a/src/commands/git.rs
+++ b/src/commands/git/mod.rs
@@ -1,8 +1,6 @@
 use clap::Subcommand;
 
-#[path = "git/command.rs"]
 mod command;
-#[path = "git/suggest.rs"]
 mod suggest;
 
 #[derive(Subcommand)]
diff --git a/src/commands/misc/lsp_check.rs b/src/commands/misc/lsp_check.rs
deleted file mode 100644
index 8d3fbad..0000000
--- a/src/commands/misc/lsp_check.rs
+++ /dev/null
@@ -1,8 +0,0 @@
-#[path = "lsp_check/command.rs"]
-mod command;
-#[path = "lsp_check/extensions.rs"]
-mod extensions;
-#[path = "lsp_check/languages.rs"]
-mod languages;
-
-pub use command::lsp_check_command;
diff --git a/src/commands/misc/lsp_check/mod.rs b/src/commands/misc/lsp_check/mod.rs
new file mode 100644
index 0000000..3cb9b67
--- /dev/null
+++ b/src/commands/misc/lsp_check/mod.rs
@@ -0,0 +1,5 @@
+mod command;
+mod extensions;
+mod languages;
+
+pub use command::lsp_check_command;
diff --git a/src/commands/misc.rs b/src/commands/misc/mod.rs
similarity index 63%
rename from src/commands/misc.rs
rename to src/commands/misc/mod.rs
index b91d1c2..84909f6 100644
--- a/src/commands/misc.rs
+++ b/src/commands/misc/mod.rs
@@ -1,10 +1,6 @@
-#[path = "misc/changelog.rs"]
 mod changelog;
-#[path = "misc/discussion.rs"]
 mod discussion;
-#[path = "misc/feedback.rs"]
 mod feedback;
-#[path = "misc/lsp_check.rs"]
 mod lsp_check;
 
 pub use changelog::changelog_command;
diff --git a/src/commands/review/command.rs b/src/commands/review/command/mod.rs
similarity index 59%
rename from src/commands/review/command.rs
rename to src/commands/review/command/mod.rs
index 1751f22..c6cc88b 100644
--- a/src/commands/review/command.rs
+++ b/src/commands/review/command/mod.rs
@@ -1,8 +1,5 @@
-#[path = "command/check.rs"]
 mod check;
-#[path = "command/compare.rs"]
 mod compare;
-#[path = "command/review.rs"]
 mod review;
 
 pub use check::check_command;
diff --git a/src/commands/review.rs b/src/commands/review/mod.rs
similarity index 69%
rename from src/commands/review.rs
rename to src/commands/review/mod.rs
index 8537d09..362ce30 100644
--- a/src/commands/review.rs
+++ b/src/commands/review/mod.rs
@@ -1,6 +1,4 @@
-#[path = "review/command.rs"]
 mod command;
-#[path = "review/input.rs"]
 mod input;
 
 pub use command::{check_command, compare_command, review_command};
diff --git a/src/commands/smart_review.rs b/src/commands/smart_review.rs
deleted file mode 100644
index c4182f9..0000000
--- a/src/commands/smart_review.rs
+++ /dev/null
@@ -1,6 +0,0 @@
-#[path = "smart_review/command.rs"]
-mod command;
-#[path = "smart_review/summary.rs"]
-mod summary;
-
-pub use command::smart_review_command;
diff --git a/src/commands/smart_review/mod.rs b/src/commands/smart_review/mod.rs
new file mode 100644
index 0000000..2e9b25c
--- /dev/null
+++ b/src/commands/smart_review/mod.rs
@@ -0,0 +1,4 @@
+mod command;
+mod summary;
+
+pub use command::smart_review_command;
diff --git a/src/config.rs b/src/config.rs
index 892b37a..a2f56f3 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -45,6 +45,137 @@ impl Default for ProviderConfig {
     }
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize, Default)]
+pub struct VaultConfig {
+    /// HashiCorp Vault server address (e.g., https://vault.example.com:8200).
+    #[serde(default, rename = "vault_addr")]
+    pub addr: Option<String>,
+
+    /// Vault authentication token.
+    #[serde(default, rename = "vault_token")]
+    pub token: Option<String>,
+
+    /// Secret path in Vault (e.g., "diffscope" or "ci/diffscope").
+    #[serde(default, rename = "vault_path")]
+    pub path: Option<String>,
+
+    /// Key within the Vault secret to extract as the API key (default: "api_key").
+    #[serde(default, rename = "vault_key")]
+    pub key: Option<String>,
+
+    /// Vault KV engine mount point (default: "secret").
+    #[serde(default, rename = "vault_mount")]
+    pub mount: Option<String>,
+
+    /// Vault Enterprise namespace.
+    #[serde(default, rename = "vault_namespace")]
+    pub namespace: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, Default)]
+pub struct GitHubConfig {
+    #[serde(default, rename = "github_token")]
+    pub token: Option<String>,
+
+    /// GitHub App ID (from app settings page).
+    #[serde(default, rename = "github_app_id")]
+    pub app_id: Option<u64>,
+
+    /// GitHub App OAuth client ID (for device flow auth).
+    #[serde(default, rename = "github_client_id")]
+    pub client_id: Option<String>,
+
+    /// GitHub App OAuth client secret.
+    #[serde(default, rename = "github_client_secret")]
+    pub client_secret: Option<String>,
+
+    /// GitHub App private key (PEM content).
+    #[serde(default, rename = "github_private_key")]
+    pub private_key: Option<String>,
+
+    /// Webhook secret for verifying GitHub webhook signatures.
+    #[serde(default, rename = "github_webhook_secret")]
+    pub webhook_secret: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AgentConfig {
+    /// Enable agent loop for iterative tool-calling review (default false).
+    #[serde(default, rename = "agent_review")]
+    pub enabled: bool,
+
+    /// Maximum number of LLM round-trips in agent mode (default 10).
+    #[serde(
+        default = "default_agent_max_iterations",
+        rename = "agent_max_iterations"
+    )]
+    pub max_iterations: usize,
+
+    /// Optional total token budget for agent loop.
+    #[serde(default, rename = "agent_max_total_tokens")]
+    pub max_total_tokens: Option<usize>,
+
+    /// Which agent tools are enabled. None = all tools enabled.
+    #[serde(default, rename = "agent_tools_enabled")]
+    pub tools_enabled: Option<Vec<String>>,
+}
+
+impl Default for AgentConfig {
+    fn default() -> Self {
+        Self {
+            enabled: false,
+            max_iterations: default_agent_max_iterations(),
+            max_total_tokens: None,
+            tools_enabled: None,
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct VerificationConfig {
+    /// Whether to run the verification pass on review comments (default true).
+    #[serde(default = "default_true", rename = "verification_pass")]
+    pub enabled: bool,
+
+    /// Which model role to use for the verification pass (default Weak).
+    #[serde(
+        default = "default_verification_model_role",
+        rename = "verification_model_role"
+    )]
+    pub model_role: ModelRole,
+
+    /// Minimum verification score to keep a comment (0-10, default 5).
+    #[serde(
+        default = "default_verification_min_score",
+        rename = "verification_min_score"
+    )]
+    pub min_score: u8,
+
+    /// Maximum number of comments to send through verification (default 20).
+    #[serde(
+        default = "default_verification_max_comments",
+        rename = "verification_max_comments"
+    )]
+    pub max_comments: usize,
+
+    /// When true, keep original comments if the verification pass fails or
+    /// returns an unparseable response (default false).
+    #[serde(default = "default_false", rename = "verification_fail_open")]
+    pub fail_open: bool,
+}
+
+impl Default for VerificationConfig {
+    fn default() -> Self {
+        Self {
+            enabled: true,
+            model_role: default_verification_model_role(),
+            min_score: default_verification_min_score(),
+            max_comments: default_verification_max_comments(),
+            fail_open: false,
+        }
+    }
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Config {
     #[serde(default = "default_model")]
@@ -195,29 +326,8 @@ pub struct Config {
     #[serde(default = "default_feedback_suppression_margin")]
     pub feedback_suppression_margin: usize,
 
-    /// HashiCorp Vault server address (e.g., https://vault.example.com:8200).
-    #[serde(default)]
-    pub vault_addr: Option<String>,
-
-    /// Vault authentication token.
-    #[serde(default)]
-    pub vault_token: Option<String>,
-
-    /// Secret path in Vault (e.g., "diffscope" or "ci/diffscope").
-    #[serde(default)]
-    pub vault_path: Option<String>,
-
-    /// Key within the Vault secret to extract as the API key (default: "api_key").
-    #[serde(default)]
-    pub vault_key: Option<String>,
-
-    /// Vault KV engine mount point (default: "secret").
-    #[serde(default)]
-    pub vault_mount: Option<String>,
-
-    /// Vault Enterprise namespace.
-    #[serde(default)]
-    pub vault_namespace: Option<String>,
+    #[serde(default, flatten)]
+    pub vault: VaultConfig,
 
     #[serde(default)]
     pub plugins: PluginConfig,
@@ -246,70 +356,19 @@ pub struct Config {
     #[serde(default)]
     pub providers: HashMap<String, ProviderConfig>,
 
-    #[serde(default)]
-    pub github_token: Option<String>,
-
-    /// GitHub App ID (from app settings page).
-    #[serde(default)]
-    pub github_app_id: Option<u64>,
-
-    /// GitHub App OAuth client ID (for device flow auth).
-    #[serde(default)]
-    pub github_client_id: Option<String>,
-
-    /// GitHub App OAuth client secret.
-    #[serde(default)]
-    pub github_client_secret: Option<String>,
-
-    /// GitHub App private key (PEM content).
-    #[serde(default)]
-    pub github_private_key: Option<String>,
-
-    /// Webhook secret for verifying GitHub webhook signatures.
-    #[serde(default)]
-    pub github_webhook_secret: Option<String>,
+    #[serde(default, flatten)]
+    pub github: GitHubConfig,
 
     /// When true, run separate specialized LLM passes for security, correctness,
     /// and style instead of a single monolithic review prompt.
     #[serde(default = "default_false")]
     pub multi_pass_specialized: bool,
 
-    /// Enable agent loop for iterative tool-calling review (default false).
-    #[serde(default)]
-    pub agent_review: bool,
-
-    /// Maximum number of LLM round-trips in agent mode (default 10).
-    #[serde(default = "default_agent_max_iterations")]
-    pub agent_max_iterations: usize,
-
-    /// Optional total token budget for agent loop.
-    #[serde(default)]
-    pub agent_max_total_tokens: Option<usize>,
+    #[serde(default, flatten)]
+    pub agent: AgentConfig,
 
-    /// Which agent tools are enabled. None = all tools enabled.
-    #[serde(default)]
-    pub agent_tools_enabled: Option<Vec<String>>,
-
-    /// Whether to run the verification pass on review comments (default true).
-    #[serde(default = "default_true")]
-    pub verification_pass: bool,
-
-    /// Which model role to use for the verification pass (default Weak).
-    #[serde(default = "default_verification_model_role")]
-    pub verification_model_role: ModelRole,
-
-    /// Minimum verification score to keep a comment (0-10, default 5).
-    #[serde(default = "default_verification_min_score")]
-    pub verification_min_score: u8,
-
-    /// Maximum number of comments to send through verification (default 20).
-    #[serde(default = "default_verification_max_comments")]
-    pub verification_max_comments: usize,
-
-    /// When true, keep original comments if the verification pass fails or
-    /// returns an unparseable response (default false).
-    #[serde(default = "default_false")]
-    pub verification_fail_open: bool,
+    #[serde(default, flatten)]
+    pub verification: VerificationConfig,
 
     /// Enable enhanced feedback loop with per-category/file-pattern tracking
     /// and feedback-adjusted confidence scores (default false).
@@ -481,12 +540,7 @@ impl Default for Config {
             include_fix_suggestions: true,
             feedback_suppression_threshold: default_feedback_suppression_threshold(),
             feedback_suppression_margin: default_feedback_suppression_margin(),
-            vault_addr: None,
-            vault_token: None,
-            vault_path: None,
-            vault_key: None,
-            vault_mount: None,
-            vault_namespace: None,
+            vault: VaultConfig::default(),
             plugins: PluginConfig::default(),
             exclude_patterns: default_exclude_patterns(),
             paths: HashMap::new(),
@@ -496,22 +550,10 @@ impl Default for Config {
             max_active_rules: default_max_active_rules(),
             rule_priority: Vec::new(),
             providers: HashMap::new(),
-            github_token: None,
-            github_app_id: None,
-            github_client_id: None,
-            github_client_secret: None,
-            github_private_key: None,
-            github_webhook_secret: None,
+            github: GitHubConfig::default(),
             multi_pass_specialized: false,
-            agent_review: false,
-            agent_max_iterations: default_agent_max_iterations(),
-            agent_max_total_tokens: None,
-            agent_tools_enabled: None,
-            verification_pass: true,
-            verification_model_role: default_verification_model_role(),
-            verification_min_score: default_verification_min_score(),
-            verification_max_comments: default_verification_max_comments(),
-            verification_fail_open: false,
+            agent: AgentConfig::default(),
+            verification: VerificationConfig::default(),
             enhanced_feedback: false,
             feedback_min_observations: default_feedback_min_observations(),
             semantic_rag: false,
@@ -638,25 +680,25 @@ impl Config {
             self.output_language = Some(v);
         }
         if let Some(v) = cli.vault_addr {
-            self.vault_addr = Some(v);
+            self.vault.addr = Some(v);
         }
         if let Some(v) = cli.vault_path {
-            self.vault_path = Some(v);
+            self.vault.path = Some(v);
         }
         if let Some(v) = cli.vault_key {
-            self.vault_key = Some(v);
+            self.vault.key = Some(v);
         }
         if cli.agent_review {
-            self.agent_review = true;
+            self.agent.enabled = true;
         }
         if let Some(v) = cli.agent_max_iterations {
-            self.agent_max_iterations = v;
+            self.agent.max_iterations = v;
         }
         if let Some(v) = cli.agent_max_total_tokens {
-            self.agent_max_total_tokens = Some(v);
+            self.agent.max_total_tokens = Some(v);
         }
         if let Some(v) = cli.verification_pass {
-            self.verification_pass = v;
+            self.verification.enabled = v;
         }
     }
 
@@ -675,13 +717,13 @@ impl Config {
         }
 
         // Env var fallbacks for GitHub integration
-        if self.github_token.is_none() {
-            self.github_token = std::env::var("GITHUB_TOKEN")
+        if self.github.token.is_none() {
+            self.github.token = std::env::var("GITHUB_TOKEN")
                 .ok()
                 .filter(|s| !s.trim().is_empty());
         }
-        if self.github_webhook_secret.is_none() {
-            self.github_webhook_secret = std::env::var("DIFFSCOPE_WEBHOOK_SECRET")
+        if self.github.webhook_secret.is_none() {
+            self.github.webhook_secret = std::env::var("DIFFSCOPE_WEBHOOK_SECRET")
                 .ok()
                 .filter(|s| !s.trim().is_empty());
         }
@@ -987,7 +1029,10 @@ impl Config {
         for (pattern, config) in &self.paths {
             if self.path_matches(&file_path_str, pattern) {
                 // Keep the most specific match (longest pattern)
-                if best_match.is_none() || pattern.len() > best_match.unwrap().0.len() {
+                if best_match
+                    .as_ref()
+                    .is_none_or(|(best_pattern, _)| pattern.len() > best_pattern.len())
+                {
                     best_match = Some((pattern, config));
                 }
             }
@@ -1162,12 +1207,12 @@ impl Config {
         }
 
         let vault_config = crate::vault::try_build_vault_config(
-            self.vault_addr.as_deref(),
-            self.vault_token.as_deref(),
-            self.vault_path.as_deref(),
-            self.vault_key.as_deref(),
-            self.vault_mount.as_deref(),
-            self.vault_namespace.as_deref(),
+            self.vault.addr.as_deref(),
+            self.vault.token.as_deref(),
+            self.vault.path.as_deref(),
+            self.vault.key.as_deref(),
+            self.vault.mount.as_deref(),
+            self.vault.namespace.as_deref(),
         );
 
         if let Some(vc) = vault_config {
@@ -1992,7 +2037,7 @@ temperature: 0.3
     fn test_agent_tools_enabled_default_is_none() {
         let config = Config::default();
         assert!(
-            config.agent_tools_enabled.is_none(),
+            config.agent.tools_enabled.is_none(),
             "Default should be None (all tools enabled)"
         );
     }
@@ -2011,7 +2056,10 @@ temperature: 0.3
     #[test]
     fn test_agent_tools_enabled_serialize_some() {
         let config = Config {
-            agent_tools_enabled: Some(vec!["read_file".to_string(), "search_code".to_string()]),
+            agent: AgentConfig {
+                tools_enabled: Some(vec!["read_file".to_string(), "search_code".to_string()]),
+                ..AgentConfig::default()
+            },
             ..Config::default()
         };
         let yaml = serde_yaml::to_string(&config).unwrap();
@@ -2028,7 +2076,7 @@ model: claude-opus-4-6
 temperature: 0.3
 "#;
         let config: Config = serde_yaml::from_str(yaml).unwrap();
-        assert!(config.agent_tools_enabled.is_none());
+        assert!(config.agent.tools_enabled.is_none());
     }
 
     #[test]
@@ -2041,7 +2089,7 @@ agent_tools_enabled:
   - list_files
 "#;
         let config: Config = serde_yaml::from_str(yaml).unwrap();
-        let tools = config.agent_tools_enabled.unwrap();
+        let tools = config.agent.tools_enabled.unwrap();
         assert_eq!(tools.len(), 3);
         assert_eq!(tools[0], "read_file");
         assert_eq!(tools[1], "search_code");
@@ -2055,7 +2103,7 @@ model: claude-opus-4-6
 agent_tools_enabled: []
 "#;
         let config: Config = serde_yaml::from_str(yaml).unwrap();
-        let tools = config.agent_tools_enabled.unwrap();
+        let tools = config.agent.tools_enabled.unwrap();
         assert!(
             tools.is_empty(),
             "Empty list should deserialize as Some([])"
@@ -2065,12 +2113,15 @@ agent_tools_enabled: []
     #[test]
     fn test_agent_tools_enabled_round_trip() {
         let original = Config {
-            agent_tools_enabled: Some(vec!["read_file".to_string(), "search_code".to_string()]),
+            agent: AgentConfig {
+                tools_enabled: Some(vec!["read_file".to_string(), "search_code".to_string()]),
+                ..AgentConfig::default()
+            },
             ..Config::default()
         };
         let yaml = serde_yaml::to_string(&original).unwrap();
         let restored: Config = serde_yaml::from_str(&yaml).unwrap();
-        assert_eq!(original.agent_tools_enabled, restored.agent_tools_enabled);
+        assert_eq!(original.agent.tools_enabled, restored.agent.tools_enabled);
     }
 
     #[test]
@@ -2078,6 +2129,6 @@ agent_tools_enabled: []
         let original = Config::default();
         let yaml = serde_yaml::to_string(&original).unwrap();
         let restored: Config = serde_yaml::from_str(&yaml).unwrap();
-        assert_eq!(original.agent_tools_enabled, restored.agent_tools_enabled);
+        assert_eq!(original.agent.tools_enabled, restored.agent.tools_enabled);
     }
 }
diff --git a/src/review/pipeline/execution/dispatcher/context.rs b/src/review/pipeline/execution/dispatcher/context.rs
index bd9bc36..d95c157 100644
--- a/src/review/pipeline/execution/dispatcher/context.rs
+++ b/src/review/pipeline/execution/dispatcher/context.rs
@@ -18,15 +18,15 @@ pub(super) fn build_agent_loop_config(
     context: &ReviewExecutionContext<'_>,
 ) -> core::agent_loop::AgentLoopConfig {
     core::agent_loop::AgentLoopConfig {
-        max_iterations: context.services.config.agent_max_iterations,
-        max_total_tokens: context.services.config.agent_max_total_tokens,
+        max_iterations: context.services.config.agent.max_iterations,
+        max_total_tokens: context.services.config.agent.max_total_tokens,
     }
 }
 
 pub(super) fn build_agent_tool_context(
     context: &ReviewExecutionContext<'_>,
 ) -> Option<Arc<core::agent_tools::ReviewToolContext>> {
-    if !(context.services.config.agent_review && context.services.adapter.supports_tools()) {
+    if !(context.services.config.agent.enabled && context.services.adapter.supports_tools()) {
         return None;
     }
 
diff --git a/src/review/pipeline/execution/dispatcher/run.rs b/src/review/pipeline/execution/dispatcher/run.rs
index c8b1026..3ad54ec 100644
--- a/src/review/pipeline/execution/dispatcher/run.rs
+++ b/src/review/pipeline/execution/dispatcher/run.rs
@@ -18,7 +18,7 @@ pub(in super::super) async fn dispatch_jobs(
 
     let agent_tool_ctx = build_agent_tool_context(context);
     let agent_loop_config = build_agent_loop_config(context);
-    let agent_tools_filter = context.services.config.agent_tools_enabled.clone();
+    let agent_tools_filter = context.services.config.agent.tools_enabled.clone();
 
     futures::stream::iter(jobs)
         .map(|job| {
diff --git a/src/review/pipeline/postprocess/verification.rs b/src/review/pipeline/postprocess/verification.rs
index b698629..7f7427e 100644
--- a/src/review/pipeline/postprocess/verification.rs
+++ b/src/review/pipeline/postprocess/verification.rs
@@ -19,9 +19,9 @@ pub(super) async fn apply_verification_pass(
     let (analyzer_comments, llm_comments): (Vec<_>, Vec<_>) =
         comments.into_iter().partition(is_analyzer_comment);
 
-    let (verified_llm_comments, warnings) = if services.config.verification_pass
+    let (verified_llm_comments, warnings) = if services.config.verification.enabled
         && !llm_comments.is_empty()
-        && llm_comments.len() <= services.config.verification_max_comments
+        && llm_comments.len() <= services.config.verification.max_comments
     {
         let comment_count_before = llm_comments.len();
         let summary = super::super::super::verification::verify_comments(
@@ -30,8 +30,8 @@ pub(super) async fn apply_verification_pass(
             &session.source_files,
             &session.verification_context,
             services.verification_adapter.as_ref(),
-            services.config.verification_min_score,
-            services.config.verification_fail_open,
+            services.config.verification.min_score,
+            services.config.verification.fail_open,
         )
         .await;
 
diff --git a/src/review/pipeline/services/adapter_init.rs b/src/review/pipeline/services/adapter_init.rs
index 02189c1..078fac6 100644
--- a/src/review/pipeline/services/adapter_init.rs
+++ b/src/review/pipeline/services/adapter_init.rs
@@ -32,11 +32,11 @@ fn build_verification_adapter(
     model_config: &ModelConfig,
     adapter: &Arc<dyn adapters::llm::LLMAdapter>,
 ) -> Result<Arc<dyn adapters::llm::LLMAdapter>> {
-    let verification_config = config.to_model_config_for_role(config.verification_model_role);
+    let verification_config = config.to_model_config_for_role(config.verification.model_role);
     if verification_config.model_name != model_config.model_name {
         info!(
             "Using '{}' model '{}' for verification pass",
-            format!("{:?}", config.verification_model_role).to_lowercase(),
+            format!("{:?}", config.verification.model_role).to_lowercase(),
             verification_config.model_name
         );
         Ok(Arc::from(adapters::llm::create_adapter(
diff --git a/src/server/api.rs b/src/server/api.rs
index 227669b..426a7cd 100644
--- a/src/server/api.rs
+++ b/src/server/api.rs
@@ -1210,7 +1210,7 @@ pub struct GhStatusResponse {
 
 pub async fn get_gh_status(State(state): State<Arc<AppState>>) -> Json<GhStatusResponse> {
     let config = state.config.read().await;
-    let token = match config.github_token.as_deref() {
+    let token = match config.github.token.as_deref() {
         Some(t) if !t.is_empty() => t.to_string(),
         _ => {
             return Json(GhStatusResponse {
@@ -1313,7 +1313,8 @@ pub async fn get_gh_repos(
 ) -> Result<Json<Vec<GhRepo>>, (StatusCode, String)> {
     let config = state.config.read().await;
     let token = config
-        .github_token
+        .github
+        .token
         .as_deref()
         .filter(|t| !t.is_empty())
         .ok_or_else(|| {
@@ -1568,7 +1569,8 @@ pub async fn get_gh_prs(
 
     let config = state.config.read().await;
     let token = config
-        .github_token
+        .github
+        .token
         .as_deref()
         .filter(|t| !t.is_empty())
         .ok_or_else(|| {
@@ -1723,7 +1725,8 @@ pub async fn start_pr_review(
 
     let config = state.config.read().await;
     let token = config
-        .github_token
+        .github
+        .token
         .as_deref()
         .filter(|t| !t.is_empty())
         .ok_or_else(|| {
@@ -1817,7 +1820,7 @@ async fn run_pr_review_task(
 
     let config = state.config.read().await.clone();
     let repo_path = state.repo_path.clone();
-    let github_token = config.github_token.clone();
+    let github_token = config.github.token.clone();
     let model = config.model.clone();
     let provider = config.adapter.clone();
     let base_url = config.base_url.clone();
diff --git a/src/server/github.rs b/src/server/github.rs
index 238e5a1..e8a5b7b 100644
--- a/src/server/github.rs
+++ b/src/server/github.rs
@@ -35,7 +35,8 @@ pub async fn start_device_flow(
 ) -> Result<Json<DeviceFlowResponse>, (StatusCode, String)> {
     let config = state.config.read().await;
     let client_id = config
-        .github_client_id
+        .github
+        .client_id
         .as_deref()
         .filter(|s| !s.is_empty())
         .ok_or_else(|| {
@@ -110,7 +111,8 @@ pub async fn poll_device_flow(
 ) -> Result<Json<PollDeviceFlowResponse>, (StatusCode, String)> {
     let config = state.config.read().await;
     let client_id = config
-        .github_client_id
+        .github
+        .client_id
         .as_deref()
         .filter(|s| !s.is_empty())
         .ok_or_else(|| {
@@ -192,7 +194,7 @@ pub async fn poll_device_flow(
     // Store the token in config
     {
         let mut config = state.config.write().await;
-        config.github_token = Some(access_token);
+        config.github.token = Some(access_token);
     }
     AppState::save_config_async(&state);
 
@@ -210,7 +212,7 @@ pub async fn poll_device_flow(
 pub async fn disconnect_github(State(state): State<Arc<AppState>>) -> Json<serde_json::Value> {
     {
         let mut config = state.config.write().await;
-        config.github_token = None;
+        config.github.token = None;
     }
     AppState::save_config_async(&state);
     info!("GitHub disconnected");
@@ -229,7 +231,8 @@ pub struct WebhookStatusResponse {
 pub async fn get_webhook_status(State(state): State<Arc<AppState>>) -> Json<WebhookStatusResponse> {
     let config = state.config.read().await;
     let configured = config
-        .github_webhook_secret
+        .github
+        .webhook_secret
         .as_ref()
         .is_some_and(|s| !s.is_empty());
     Json(WebhookStatusResponse {
@@ -248,7 +251,7 @@ pub async fn handle_webhook(
     let config = state.config.read().await;
 
     // Verify signature if webhook secret is configured
-    if let Some(ref secret) = config.github_webhook_secret {
+    if let Some(ref secret) = config.github.webhook_secret {
         if !secret.is_empty() {
             let signature = headers
                 .get("x-hub-signature-256")
@@ -272,9 +275,9 @@ pub async fn handle_webhook(
 
     tracing::Span::current().record("event_type", event_type);
 
-    let token = config.github_token.clone();
-    let github_app_id = config.github_app_id;
-    let private_key = config.github_private_key.clone();
+    let token = config.github.token.clone();
+    let github_app_id = config.github.app_id;
+    let private_key = config.github.private_key.clone();
     drop(config);
 
     info!(event = %event_type, "Received GitHub webhook");

From 82d6417622ffa08acb38392026d65fb98d2c0d1f Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Fri, 13 Mar 2026 21:03:23 +0000
Subject: [PATCH 3/8] fix: align release metadata with tagged version

Co-authored-by: EvalOpsBot <EvalOpsBot@users.noreply.github.com>
---
 .github/workflows/release.yml | 33 +++++++++++++++++++++++++++++++++
 Cargo.lock                    |  2 +-
 Cargo.toml                    |  2 +-
 charts/diffscope/Chart.yaml   |  2 +-
 4 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7e2d4da..14f2405 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,6 +26,39 @@ jobs:
       - name: Extract version
         id: get_version
         run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
+
+      - name: Verify release metadata matches tag
+        env:
+          TAG_NAME: ${{ steps.get_version.outputs.VERSION }}
+        run: |
+          set -euo pipefail
+          expected_version="${TAG_NAME#v}"
+          cargo_version="$(python - <<'PY'
+import tomllib
+from pathlib import Path
+
+print(tomllib.loads(Path("Cargo.toml").read_text())["package"]["version"])
+PY
+)"
+          chart_app_version="$(python - <<'PY'
+import re
+from pathlib import Path
+
+content = Path("charts/diffscope/Chart.yaml").read_text()
+match = re.search(r'^appVersion:\s*"?(.*?)"?\s*$', content, re.MULTILINE)
+if not match:
+    raise SystemExit("charts/diffscope/Chart.yaml is missing appVersion")
+print(match.group(1))
+PY
+)"
+          test "$cargo_version" = "$expected_version" || {
+            echo "Cargo.toml version ($cargo_version) does not match tag ($expected_version)"
+            exit 1
+          }
+          test "$chart_app_version" = "$expected_version" || {
+            echo "Chart appVersion ($chart_app_version) does not match tag ($expected_version)"
+            exit 1
+          }
         
       - name: Create Release
         id: create_release
diff --git a/Cargo.lock b/Cargo.lock
index bd61b85..2fa1d1d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -543,7 +543,7 @@ dependencies = [
 
 [[package]]
 name = "diffscope"
-version = "0.5.3"
+version = "0.5.26"
 dependencies = [
  "anyhow",
  "async-trait",
diff --git a/Cargo.toml b/Cargo.toml
index 08e84c7..802abdd 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "diffscope"
-version = "0.5.3"
+version = "0.5.26"
 edition = "2021"
 authors = ["Jonathan Haas <jonathan@haas.holdings>"]
 description = "A composable code review engine with smart analysis, confidence scoring, and professional reporting"
diff --git a/charts/diffscope/Chart.yaml b/charts/diffscope/Chart.yaml
index 6abd2c4..66017e0 100644
--- a/charts/diffscope/Chart.yaml
+++ b/charts/diffscope/Chart.yaml
@@ -3,7 +3,7 @@ name: diffscope
 description: AI-powered code review engine with smart analysis and professional reporting
 type: application
 version: 0.1.0
-appVersion: "0.5.3"
+appVersion: "0.5.26"
 home: https://github.com/evalops/diffscope
 sources:
   - https://github.com/evalops/diffscope

From fcc9ecfa513f96fb2d619e2f84d43962cb63144c Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Fri, 13 Mar 2026 21:07:39 +0000
Subject: [PATCH 4/8] build: pin jsonwebtoken for Rust 1.83

Co-authored-by: EvalOpsBot <EvalOpsBot@users.noreply.github.com>
---
 Cargo.lock | 7 +++----
 Cargo.toml | 2 +-
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 2fa1d1d..c3ec865 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1352,17 +1352,16 @@ dependencies = [
 
 [[package]]
 name = "jsonwebtoken"
-version = "10.3.0"
+version = "9.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0529410abe238729a60b108898784df8984c87f6054c9c4fcacc47e4803c1ce1"
+checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde"
 dependencies = [
  "base64",
- "getrandom 0.2.16",
  "js-sys",
  "pem",
+ "ring",
  "serde",
  "serde_json",
- "signature",
  "simple_asn1",
 ]
 
diff --git a/Cargo.toml b/Cargo.toml
index 802abdd..91067c4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -39,7 +39,7 @@ uuid = { version = "1", features = ["v4"] }
 mime_guess = "2"
 hmac = "0.12"
 sha2 = "0.10"
-jsonwebtoken = "10"
+jsonwebtoken = "9.3"
 base64 = "0.22"
 futures = "0.3"
 opentelemetry = { version = "0.27", features = ["trace"], optional = true }

From 147407736a1d24067618b1a3b49c7287333ce02e Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Fri, 13 Mar 2026 21:10:17 +0000
Subject: [PATCH 5/8] build: pin Rust toolchain for current deps

Co-authored-by: EvalOpsBot <EvalOpsBot@users.noreply.github.com>
---
 Cargo.lock          | 7 ++++---
 Cargo.toml          | 2 +-
 rust-toolchain.toml | 3 +++
 3 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 rust-toolchain.toml

diff --git a/Cargo.lock b/Cargo.lock
index c3ec865..2fa1d1d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1352,16 +1352,17 @@ dependencies = [
 
 [[package]]
 name = "jsonwebtoken"
-version = "9.3.1"
+version = "10.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde"
+checksum = "0529410abe238729a60b108898784df8984c87f6054c9c4fcacc47e4803c1ce1"
 dependencies = [
  "base64",
+ "getrandom 0.2.16",
  "js-sys",
  "pem",
- "ring",
  "serde",
  "serde_json",
+ "signature",
  "simple_asn1",
 ]
 
diff --git a/Cargo.toml b/Cargo.toml
index 91067c4..802abdd 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -39,7 +39,7 @@ uuid = { version = "1", features = ["v4"] }
 mime_guess = "2"
 hmac = "0.12"
 sha2 = "0.10"
-jsonwebtoken = "9.3"
+jsonwebtoken = "10"
 base64 = "0.22"
 futures = "0.3"
 opentelemetry = { version = "0.27", features = ["trace"], optional = true }
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
new file mode 100644
index 0000000..b475f2f
--- /dev/null
+++ b/rust-toolchain.toml
@@ -0,0 +1,3 @@
+[toolchain]
+channel = "1.85.0"
+components = ["rustfmt", "clippy"]

From 6e3b794f83e39f22706c89b42d23496954b4fbf6 Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Fri, 13 Mar 2026 21:11:34 +0000
Subject: [PATCH 6/8] build: raise pinned Rust toolchain to 1.88

Co-authored-by: EvalOpsBot <EvalOpsBot@users.noreply.github.com>
---
 rust-toolchain.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rust-toolchain.toml b/rust-toolchain.toml
index b475f2f..7855e6d 100644
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,3 +1,3 @@
 [toolchain]
-channel = "1.85.0"
+channel = "1.88.0"
 components = ["rustfmt", "clippy"]

From 904fa04c24cc94c7632483cd3c6a74b9ea238069 Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Fri, 13 Mar 2026 21:58:36 +0000
Subject: [PATCH 7/8] Preserve zero hunk line counts

---
 src/core/diff_parser.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/core/diff_parser.rs b/src/core/diff_parser.rs
index 0671a2b..cf341ee 100644
--- a/src/core/diff_parser.rs
+++ b/src/core/diff_parser.rs
@@ -476,7 +476,6 @@ fn parse_optional_capture(captures: &regex::Captures<'_>, group: usize) -> Optio
     captures
         .get(group)
         .and_then(|value| value.as_str().parse::<usize>().ok())
-        .filter(|value| *value > 0)
 }
 
 #[cfg(test)]
@@ -557,6 +556,8 @@ index 83db48f..0000000\n\
         assert_eq!(diffs.len(), 1);
         assert!(diffs[0].is_deleted);
         assert!(!diffs[0].is_new);
+        assert_eq!(diffs[0].hunks[0].old_lines, 1);
+        assert_eq!(diffs[0].hunks[0].new_lines, 0);
     }
 
     #[test]
@@ -574,6 +575,8 @@ index 0000000..f735c20\n\
         assert_eq!(diffs.len(), 1);
         assert!(diffs[0].is_new);
         assert!(!diffs[0].is_deleted);
+        assert_eq!(diffs[0].hunks[0].old_lines, 0);
+        assert_eq!(diffs[0].hunks[0].new_lines, 1);
     }
 
     #[test]

From d20cd0d056ae4d9456256e72a261ecedd2f63147 Mon Sep 17 00:00:00 2001
From: Jonathan Haas <jonathan@haas.holdings>
Date: Sat, 14 Mar 2026 10:33:13 -0700
Subject: [PATCH 8/8] fix(ci): release.yml YAML parse + clippy
 uninlined_format_args

- release: use python3 -c one-liners for version check (avoid heredoc that actionlint parses as YAML)
- Apply clippy uninlined_format_args fixes across codebase for lint job

Made-with: Cursor
---
 .github/workflows/release.yml                 |  20 +---
 src/adapters/anthropic.rs                     |   9 +-
 src/adapters/ollama.rs                        |  20 ++--
 src/adapters/openai.rs                        |   9 +-
 src/commands/doctor/command/display/config.rs |   7 +-
 .../doctor/command/display/endpoint.rs        |   4 +-
 .../doctor/command/display/inference.rs       |  16 +--
 src/commands/doctor/command/probe.rs          |   6 +-
 src/commands/doctor/command/recommend.rs      |   2 +-
 src/commands/doctor/command/run/command.rs    |   2 +-
 .../doctor/endpoint/inference/request.rs      |   4 +-
 src/commands/doctor/system/output.rs          |   9 +-
 src/commands/doctor/system/probes.rs          |   4 +-
 src/commands/eval/command/batch.rs            |  11 +-
 src/commands/eval/command/fixtures.rs         |   2 +-
 src/commands/eval/pattern/describe.rs         |  22 ++--
 src/commands/eval/report/output.rs            |  28 ++---
 src/commands/eval/runner/execute/repro.rs     |  12 +-
 src/commands/eval/runner/execute/result.rs    |   6 +-
 .../eval/thresholds/evaluation/minimums.rs    |   6 +-
 src/commands/feedback_eval/input.rs           |   2 +-
 src/commands/git/suggest/commit.rs            |   2 +-
 src/commands/git/suggest/pr_title.rs          |   4 +-
 src/commands/misc/changelog/output.rs         |   2 +-
 src/commands/misc/discussion/prompt.rs        |   4 +-
 src/commands/misc/lsp_check/command.rs        |   6 +-
 src/commands/misc/lsp_check/extensions.rs     |   2 +-
 src/commands/misc/lsp_check/languages.rs      |   2 +-
 src/commands/pr/comments/body.rs              |   2 +-
 src/commands/pr/comments/summary.rs           |   2 +-
 src/commands/smart_review/command.rs          |   2 +-
 src/config.rs                                 |   3 +-
 src/core/agent_loop.rs                        |  11 +-
 src/core/agent_tools.rs                       |  61 ++++------
 src/core/changelog.rs                         |  10 +-
 src/core/code_summary.rs                      |  22 ++--
 src/core/comment/identity.rs                  |   2 +-
 src/core/comment/suggestions.rs               |   2 +-
 src/core/comment/summary.rs                   |   3 +-
 src/core/commit_prompt.rs                     |  10 +-
 src/core/composable_pipeline.rs               |   2 +-
 src/core/context.rs                           |  14 +--
 src/core/context_provenance.rs                |  11 +-
 src/core/convention_learner.rs                |  10 +-
 src/core/enhanced_review.rs                   |   2 +-
 src/core/eval_benchmarks.rs                   |   7 +-
 src/core/function_chunker.rs                  |   6 +-
 src/core/git_history.rs                       |  10 +-
 src/core/interactive.rs                       |  26 ++---
 src/core/multi_pass.rs                        |   8 +-
 src/core/offline.rs                           |   5 +-
 src/core/pr_summary.rs                        |  13 +--
 src/core/prompt.rs                            |   4 +-
 src/core/semantic.rs                          |   2 +-
 src/core/semantic/embedding.rs                |   2 +-
 src/core/semantic/persistence.rs              |   2 +-
 src/core/smart_review_prompt.rs               |   2 +-
 src/core/symbol_graph.rs                      |   3 +-
 src/core/symbol_index.rs                      |  20 ++--
 src/main.rs                                   |   2 +-
 src/output/format.rs                          |  41 ++++---
 src/parsing/llm_response.rs                   |   6 +-
 src/parsing/smart_response.rs                 |   6 +-
 src/plugins/builtin/duplicate_filter.rs       |   2 +-
 src/plugins/builtin/eslint.rs                 |  11 +-
 src/plugins/builtin/secret_scanner.rs         |  13 +--
 src/plugins/builtin/supply_chain.rs           |  57 +++------
 src/review/compression.rs                     |  38 ++----
 src/review/compression/summary.rs             |   4 +-
 src/review/context_helpers/ranking.rs         |   4 +-
 src/review/feedback.rs                        |  18 +--
 src/review/feedback/store.rs                  |   2 +-
 src/review/filters/confidence.rs              |   2 +-
 src/review/filters/vague.rs                   |   2 +-
 .../pipeline/context/related/callers.rs       |   2 +-
 .../pipeline/context/related/test_files.rs    |  27 ++---
 src/review/pipeline/guidance/sections.rs      |   9 +-
 src/review/pipeline/postprocess/dedup.rs      |   2 +-
 src/review/pipeline/repo_support/diff.rs      |   4 +-
 src/review/pipeline/services/adapter_init.rs  |   2 +-
 src/review/pipeline/session/build.rs          |   2 +-
 src/review/rule_helpers/reporting/files.rs    |   2 +-
 src/review/rule_helpers/reporting/summary.rs  |   2 +-
 src/review/rule_helpers/runtime/context.rs    |   6 +-
 src/review/verification/prompt/render.rs      |   6 +-
 src/review/verification/tests.rs              |   2 +-
 src/server/api.rs                             |  80 ++++++-------
 src/server/github.rs                          | 108 ++++++++----------
 src/server/mod.rs                             |   6 +-
 src/server/storage_json.rs                    |  20 ++--
 src/vault.rs                                  |  20 ++--
 91 files changed, 418 insertions(+), 592 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 14f2405..5c3e3f4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,24 +33,8 @@ jobs:
         run: |
           set -euo pipefail
           expected_version="${TAG_NAME#v}"
-          cargo_version="$(python - <<'PY'
-import tomllib
-from pathlib import Path
-
-print(tomllib.loads(Path("Cargo.toml").read_text())["package"]["version"])
-PY
-)"
-          chart_app_version="$(python - <<'PY'
-import re
-from pathlib import Path
-
-content = Path("charts/diffscope/Chart.yaml").read_text()
-match = re.search(r'^appVersion:\s*"?(.*?)"?\s*$', content, re.MULTILINE)
-if not match:
-    raise SystemExit("charts/diffscope/Chart.yaml is missing appVersion")
-print(match.group(1))
-PY
-)"
+          cargo_version="$(python3 -c "import tomllib; from pathlib import Path; print(tomllib.loads(Path('Cargo.toml').read_text())['package']['version'])")"
+          chart_app_version="$(python3 -c "import re; from pathlib import Path; c=Path('charts/diffscope/Chart.yaml').read_text(); m=re.search(r'^appVersion:\s*\"?(.*?)\"?\s*\$', c, re.MULTILINE); (exit('Chart.yaml missing appVersion') if not m else print(m.group(1)))")"
           test "$cargo_version" = "$expected_version" || {
             echo "Cargo.toml version ($cargo_version) does not match tag ($expected_version)"
             exit 1
diff --git a/src/adapters/anthropic.rs b/src/adapters/anthropic.rs
index b7cdfaf..7884f35 100644
--- a/src/adapters/anthropic.rs
+++ b/src/adapters/anthropic.rs
@@ -407,8 +407,7 @@ mod tests {
         let err_msg = format!("{:#}", result.unwrap_err());
         assert!(
             err_msg.contains("401") || err_msg.contains("Unauthorized"),
-            "Error should mention 401 or Unauthorized, got: {}",
-            err_msg
+            "Error should mention 401 or Unauthorized, got: {err_msg}"
         );
         mock.assert_async().await;
     }
@@ -502,8 +501,7 @@ mod tests {
         let err = result.unwrap_err().to_string();
         assert!(
             err.contains("Unsupported content type"),
-            "Error should mention unsupported type, got: {}",
-            err
+            "Error should mention unsupported type, got: {err}"
         );
     }
 
@@ -534,8 +532,7 @@ mod tests {
         let err = result.unwrap_err().to_string();
         assert!(
             err.contains("empty content"),
-            "Error should mention empty content: {}",
-            err
+            "Error should mention empty content: {err}"
         );
     }
 
diff --git a/src/adapters/ollama.rs b/src/adapters/ollama.rs
index f66da52..d38d0c4 100644
--- a/src/adapters/ollama.rs
+++ b/src/adapters/ollama.rs
@@ -211,11 +211,10 @@ mod tests {
     fn chat_response_body(content: &str, model: &str, done: bool) -> String {
         format!(
             r#"{{
-                "message": {{"role": "assistant", "content": "{}"}},
-                "model": "{}",
-                "done": {}
-            }}"#,
-            content, model, done
+                "message": {{"role": "assistant", "content": "{content}"}},
+                "model": "{model}",
+                "done": {done}
+            }}"#
         )
     }
 
@@ -227,13 +226,12 @@ mod tests {
     ) -> String {
         format!(
             r#"{{
-                "message": {{"role": "assistant", "content": "{}"}},
-                "model": "{}",
+                "message": {{"role": "assistant", "content": "{content}"}},
+                "model": "{model}",
                 "done": true,
-                "prompt_eval_count": {},
-                "eval_count": {}
-            }}"#,
-            content, model, prompt_eval, eval
+                "prompt_eval_count": {prompt_eval},
+                "eval_count": {eval}
+            }}"#
         )
     }
 
diff --git a/src/adapters/openai.rs b/src/adapters/openai.rs
index 979defd..9d74c94 100644
--- a/src/adapters/openai.rs
+++ b/src/adapters/openai.rs
@@ -771,8 +771,7 @@ mod tests {
         let err_msg = format!("{:#}", result.unwrap_err());
         assert!(
             err_msg.contains("401") || err_msg.contains("Unauthorized"),
-            "Error should mention 401 or Unauthorized, got: {}",
-            err_msg
+            "Error should mention 401 or Unauthorized, got: {err_msg}"
         );
         mock.assert_async().await;
     }
@@ -814,8 +813,7 @@ mod tests {
         let err_msg = format!("{:#}", result.unwrap_err());
         assert!(
             err_msg.contains("429") || err_msg.contains("Rate limited"),
-            "Error should mention rate limiting, got: {}",
-            err_msg
+            "Error should mention rate limiting, got: {err_msg}"
         );
         mock.assert_async().await;
     }
@@ -866,8 +864,7 @@ mod tests {
         let err = result.unwrap_err().to_string();
         assert!(
             err.contains("empty choices"),
-            "Error should mention empty choices: {}",
-            err
+            "Error should mention empty choices: {err}"
         );
     }
 
diff --git a/src/commands/doctor/command/display/config.rs b/src/commands/doctor/command/display/config.rs
index bfe7a98..c4583a2 100644
--- a/src/commands/doctor/command/display/config.rs
+++ b/src/commands/doctor/command/display/config.rs
@@ -27,17 +27,14 @@ pub(in super::super) fn print_configuration(config: &Config) {
         }
     );
     if let Some(cw) = config.context_window {
-        println!("  Context:  {} tokens", cw);
+        println!("  Context:  {cw} tokens");
     }
     println!();
 }
 
 pub(in super::super) fn print_unreachable(base_url: &str) -> Result<()> {
     println!("UNREACHABLE");
-    println!(
-        "\nCannot reach {}. Make sure your LLM server is running.",
-        base_url
-    );
+    println!("\nCannot reach {base_url}. Make sure your LLM server is running.");
     println!("\nQuick start:");
     println!("  Ollama:    ollama serve");
     println!("  vLLM:      vllm serve <model>");
diff --git a/src/commands/doctor/command/display/endpoint.rs b/src/commands/doctor/command/display/endpoint.rs
index 962088e..2bef90e 100644
--- a/src/commands/doctor/command/display/endpoint.rs
+++ b/src/commands/doctor/command/display/endpoint.rs
@@ -1,7 +1,7 @@
 use crate::core::offline::LocalModel;
 
 pub(in super::super) fn print_endpoint_models(endpoint_type: &str, models: &[LocalModel]) {
-    println!("\nEndpoint type: {}", endpoint_type);
+    println!("\nEndpoint type: {endpoint_type}");
     println!("\nAvailable models ({}):", models.len());
     if models.is_empty() {
         println!("  (none found)");
@@ -25,7 +25,7 @@ fn format_model_size_info(model: &LocalModel) -> String {
         + &model
             .quantization
             .as_ref()
-            .map(|quantization| format!(", {}", quantization))
+            .map(|quantization| format!(", {quantization}"))
             .unwrap_or_default()
         + ")"
 }
diff --git a/src/commands/doctor/command/display/inference.rs b/src/commands/doctor/command/display/inference.rs
index 83a0137..0e7dbd4 100644
--- a/src/commands/doctor/command/display/inference.rs
+++ b/src/commands/doctor/command/display/inference.rs
@@ -9,13 +9,10 @@ pub(in super::super) fn print_recommended_model_summary(
     readiness: &ReadinessCheck,
 ) {
     println!("\nRecommended for code review: {}", recommended.name);
-    println!("  Estimated RAM: ~{}MB", estimated_ram_mb);
+    println!("  Estimated RAM: ~{estimated_ram_mb}MB");
 
     if let Some(ctx_size) = detected_context_window {
-        println!(
-            "  Context window: {} tokens (detected from model)",
-            ctx_size
-        );
+        println!("  Context window: {ctx_size} tokens (detected from model)");
     }
 
     if readiness.ready {
@@ -23,7 +20,7 @@ pub(in super::super) fn print_recommended_model_summary(
     } else {
         println!("\nStatus: NOT READY");
         for warning in &readiness.warnings {
-            println!("  Warning: {}", warning);
+            println!("  Warning: {warning}");
         }
     }
 }
@@ -41,14 +38,11 @@ pub(in super::super) fn print_inference_success(elapsed: Duration, tokens_per_se
 
 pub(in super::super) fn print_inference_failure(error: &impl std::fmt::Display) {
     println!("FAILED");
-    println!("  Error: {}", error);
+    println!("  Error: {error}");
     println!("  The model may still be loading. Try again in a moment.");
 }
 
 pub(in super::super) fn print_usage(base_url: &str, model_flag: &str) {
     println!("\nUsage:");
-    println!(
-        "  git diff | diffscope review --base-url {} --model {}",
-        base_url, model_flag
-    );
+    println!("  git diff | diffscope review --base-url {base_url} --model {model_flag}");
 }
diff --git a/src/commands/doctor/command/probe.rs b/src/commands/doctor/command/probe.rs
index a0106c8..30f1e0b 100644
--- a/src/commands/doctor/command/probe.rs
+++ b/src/commands/doctor/command/probe.rs
@@ -18,7 +18,7 @@ impl EndpointProbe {
 
     pub(super) fn model_flag(&self, model_name: &str) -> String {
         if self.is_ollama() {
-            format!("ollama:{}", model_name)
+            format!("ollama:{model_name}")
         } else {
             model_name.to_string()
         }
@@ -49,7 +49,7 @@ pub(super) async fn probe_endpoint(
 }
 
 async fn probe_ollama_endpoint(client: &Client, base_url: &str) -> Result<Option<Vec<LocalModel>>> {
-    let url = format!("{}/api/tags", base_url);
+    let url = format!("{base_url}/api/tags");
     let response = match client.get(&url).send().await {
         Ok(response) => response,
         Err(_) => return Ok(None),
@@ -65,7 +65,7 @@ async fn probe_ollama_endpoint(client: &Client, base_url: &str) -> Result<Option
 }
 
 async fn probe_openai_endpoint(client: &Client, base_url: &str) -> Result<Option<Vec<LocalModel>>> {
-    let url = format!("{}/v1/models", base_url);
+    let url = format!("{base_url}/v1/models");
     let response = match client.get(&url).send().await {
         Ok(response) => response,
         Err(_) => return Ok(None),
diff --git a/src/commands/doctor/command/recommend.rs b/src/commands/doctor/command/recommend.rs
index c615165..a7566c7 100644
--- a/src/commands/doctor/command/recommend.rs
+++ b/src/commands/doctor/command/recommend.rs
@@ -53,7 +53,7 @@ pub(super) async fn inspect_recommended_model(
         &readiness,
     );
 
-    print!("\nTesting model {}... ", recommended_name);
+    print!("\nTesting model {recommended_name}... ");
     let test_client = Client::builder().timeout(Duration::from_secs(10)).build()?;
     let started_at = Instant::now();
     match test_model_inference(
diff --git a/src/commands/doctor/command/run/command.rs b/src/commands/doctor/command/run/command.rs
index 0273b9e..63c3226 100644
--- a/src/commands/doctor/command/run/command.rs
+++ b/src/commands/doctor/command/run/command.rs
@@ -14,7 +14,7 @@ pub async fn doctor_command(config: Config) -> Result<()> {
 
     let base_url = configured_base_url(&config);
 
-    print!("Checking endpoint {}... ", base_url);
+    print!("Checking endpoint {base_url}... ");
     let Some(endpoint) = discover_endpoint(&base_url).await? else {
         return print_unreachable(&base_url);
     };
diff --git a/src/commands/doctor/endpoint/inference/request.rs b/src/commands/doctor/endpoint/inference/request.rs
index dd02036..d9086a9 100644
--- a/src/commands/doctor/endpoint/inference/request.rs
+++ b/src/commands/doctor/endpoint/inference/request.rs
@@ -32,7 +32,7 @@ fn build_probe_messages() -> Value {
 
 fn build_ollama_request(base_url: &str, model_name: &str, messages: Value) -> InferenceRequest {
     InferenceRequest {
-        url: format!("{}/api/chat", base_url),
+        url: format!("{base_url}/api/chat"),
         body: json!({
             "model": model_name,
             "messages": messages,
@@ -44,7 +44,7 @@ fn build_ollama_request(base_url: &str, model_name: &str, messages: Value) -> In
 
 fn build_openai_request(base_url: &str, model_name: &str, messages: Value) -> InferenceRequest {
     InferenceRequest {
-        url: format!("{}/v1/chat/completions", base_url),
+        url: format!("{base_url}/v1/chat/completions"),
         body: json!({
             "model": model_name,
             "messages": messages,
diff --git a/src/commands/doctor/system/output.rs b/src/commands/doctor/system/output.rs
index 6a16636..7ae089b 100644
--- a/src/commands/doctor/system/output.rs
+++ b/src/commands/doctor/system/output.rs
@@ -3,22 +3,19 @@ pub(super) fn print_system_resources_header() {
 }
 
 pub(super) fn print_total_ram(total_ram_gb: f64) {
-    println!("  Total RAM: {:.1} GB", total_ram_gb);
+    println!("  Total RAM: {total_ram_gb:.1} GB");
 }
 
 pub(super) fn print_gpu_lines(gpu_lines: &[String]) {
     for line in gpu_lines {
-        println!("  GPU: {}", line);
+        println!("  GPU: {line}");
     }
 }
 
 pub(super) fn print_apple_chip(chip: &str) {
     #[cfg(target_os = "macos")]
     {
-        println!(
-            "  Chip: {} (unified memory, GPU acceleration available)",
-            chip
-        );
+        println!("  Chip: {chip} (unified memory, GPU acceleration available)");
     }
 
     #[cfg(not(target_os = "macos"))]
diff --git a/src/commands/doctor/system/probes.rs b/src/commands/doctor/system/probes.rs
index 80dbcbc..1c8abd6 100644
--- a/src/commands/doctor/system/probes.rs
+++ b/src/commands/doctor/system/probes.rs
@@ -109,8 +109,8 @@ mod tests {
         #[cfg(any(target_os = "macos", target_os = "linux"))]
         {
             let gb = ram.unwrap();
-            assert!(gb > 0.5, "RAM should be at least 0.5 GB, got {}", gb);
-            assert!(gb < 4096.0, "RAM should be under 4 TB, got {}", gb);
+            assert!(gb > 0.5, "RAM should be at least 0.5 GB, got {gb}");
+            assert!(gb < 4096.0, "RAM should be under 4 TB, got {gb}");
         }
 
         let _ = ram;
diff --git a/src/commands/eval/command/batch.rs b/src/commands/eval/command/batch.rs
index 9812b3d..5a860c7 100644
--- a/src/commands/eval/command/batch.rs
+++ b/src/commands/eval/command/batch.rs
@@ -108,7 +108,7 @@ pub(super) async fn run_eval_batch(
                     .label
                     .clone()
                     .unwrap_or_else(|| report.run.model.clone());
-                format!("{}: {}", label, message)
+                format!("{label}: {message}")
             })
         })
         .collect::<Vec<_>>();
@@ -151,12 +151,9 @@ fn build_run_label(
 ) -> String {
     let prefix = base_label.unwrap_or("eval");
     match (multi_model, repeating) {
-        (true, true) => format!(
-            "{} [{} repeat {}/{}]",
-            prefix, model, repeat_index, repeat_total
-        ),
-        (true, false) => format!("{} [{}]", prefix, model),
-        (false, true) => format!("{} [repeat {}/{}]", prefix, repeat_index, repeat_total),
+        (true, true) => format!("{prefix} [{model} repeat {repeat_index}/{repeat_total}]"),
+        (true, false) => format!("{prefix} [{model}]"),
+        (false, true) => format!("{prefix} [repeat {repeat_index}/{repeat_total}]"),
         (false, false) => prefix.to_string(),
     }
 }
diff --git a/src/commands/eval/command/fixtures.rs b/src/commands/eval/command/fixtures.rs
index 838cd39..a7990c7 100644
--- a/src/commands/eval/command/fixtures.rs
+++ b/src/commands/eval/command/fixtures.rs
@@ -171,7 +171,7 @@ mod tests {
         language: Option<&str>,
     ) -> LoadedEvalFixture {
         LoadedEvalFixture {
-            fixture_path: PathBuf::from(format!("{}.yml", name)),
+            fixture_path: PathBuf::from(format!("{name}.yml")),
             fixture: EvalFixture {
                 name: Some(name.to_string()),
                 diff: Some("diff --git a/a b/b".to_string()),
diff --git a/src/commands/eval/pattern/describe.rs b/src/commands/eval/pattern/describe.rs
index 724cec5..a1e6c6f 100644
--- a/src/commands/eval/pattern/describe.rs
+++ b/src/commands/eval/pattern/describe.rs
@@ -6,16 +6,16 @@ impl EvalPattern {
         if let Some(file) = &self.file {
             let file = file.trim();
             if !file.is_empty() {
-                parts.push(format!("file={}", file));
+                parts.push(format!("file={file}"));
             }
         }
         if let Some(line) = self.line {
-            parts.push(format!("line={}", line));
+            parts.push(format!("line={line}"));
         }
         if let Some(contains) = &self.contains {
             let contains = contains.trim();
             if !contains.is_empty() {
-                parts.push(format!("contains='{}'", contains));
+                parts.push(format!("contains='{contains}'"));
             }
         }
         let contains_any: Vec<&str> = self
@@ -30,19 +30,19 @@ impl EvalPattern {
         }
         if let Some(pattern) = self.matches_regex.as_deref().map(str::trim) {
             if !pattern.is_empty() {
-                parts.push(format!("matches_regex='{}'", pattern));
+                parts.push(format!("matches_regex='{pattern}'"));
             }
         }
         if let Some(severity) = &self.severity {
             let severity = severity.trim();
             if !severity.is_empty() {
-                parts.push(format!("severity={}", severity));
+                parts.push(format!("severity={severity}"));
             }
         }
         if let Some(category) = &self.category {
             let category = category.trim();
             if !category.is_empty() {
-                parts.push(format!("category={}", category));
+                parts.push(format!("category={category}"));
             }
         }
         let tags_any: Vec<&str> = self
@@ -56,24 +56,24 @@ impl EvalPattern {
             parts.push(format!("tags_any={}", tags_any.join("|")));
         }
         if let Some(min_confidence) = self.confidence_at_least {
-            parts.push(format!("confidence>={:.2}", min_confidence));
+            parts.push(format!("confidence>={min_confidence:.2}"));
         }
         if let Some(max_confidence) = self.confidence_at_most {
-            parts.push(format!("confidence<={:.2}", max_confidence));
+            parts.push(format!("confidence<={max_confidence:.2}"));
         }
         if let Some(fix_effort) = &self.fix_effort {
             let fix_effort = fix_effort.trim();
             if !fix_effort.is_empty() {
-                parts.push(format!("fix_effort={}", fix_effort));
+                parts.push(format!("fix_effort={fix_effort}"));
             }
         }
         if let Some(rule_id) = &self.rule_id {
             let rule_id = rule_id.trim();
             if !rule_id.is_empty() {
                 if self.require_rule_id {
-                    parts.push(format!("rule_id={} (required)", rule_id));
+                    parts.push(format!("rule_id={rule_id} (required)"));
                 } else {
-                    parts.push(format!("rule_id={} (label)", rule_id));
+                    parts.push(format!("rule_id={rule_id} (label)"));
                 }
             }
         }
diff --git a/src/commands/eval/report/output.rs b/src/commands/eval/report/output.rs
index f6bbc33..3768c06 100644
--- a/src/commands/eval/report/output.rs
+++ b/src/commands/eval/report/output.rs
@@ -13,7 +13,7 @@ pub(in super::super) fn print_eval_report(report: &EvalReport) {
             report.run.fixtures_discovered
         );
         if let Some(label) = report.run.label.as_deref() {
-            println!("Run label: {}", label);
+            println!("Run label: {label}");
         }
         if !report.run.started_at.is_empty() {
             println!("Started at: {}", report.run.started_at);
@@ -36,18 +36,18 @@ pub(in super::super) fn print_eval_report(report: &EvalReport) {
             );
         }
         if let Some(consensus_mode) = report.run.verification_consensus_mode.as_deref() {
-            println!("Verification consensus: {}", consensus_mode);
+            println!("Verification consensus: {consensus_mode}");
         }
         if let Some(trend_file) = report.run.trend_file.as_deref() {
-            println!("Trend file: {}", trend_file);
+            println!("Trend file: {trend_file}");
         }
         if let Some(artifact_dir) = report.run.artifact_dir.as_deref() {
-            println!("Artifact dir: {}", artifact_dir);
+            println!("Artifact dir: {artifact_dir}");
         }
         if let (Some(repeat_index), Some(repeat_total)) =
             (report.run.repeat_index, report.run.repeat_total)
         {
-            println!("Repeat: {}/{}", repeat_index, repeat_total);
+            println!("Repeat: {repeat_index}/{repeat_total}");
         }
         if report.run.reproduction_validation {
             println!("Reproduction validation: enabled");
@@ -76,7 +76,7 @@ pub(in super::super) fn print_eval_report(report: &EvalReport) {
                 result.required_total
             );
             for failure in &result.failures {
-                println!("  - {}", failure);
+                println!("  - {failure}");
             }
         }
         if let Some(rule_summary) = result.rule_summary {
@@ -90,20 +90,20 @@ pub(in super::super) fn print_eval_report(report: &EvalReport) {
         if let Some(metadata) = result.metadata.as_ref() {
             let mut labels = Vec::new();
             if let Some(category) = metadata.category.as_deref() {
-                labels.push(format!("category={}", category));
+                labels.push(format!("category={category}"));
             }
             if let Some(language) = metadata.language.as_deref() {
-                labels.push(format!("language={}", language));
+                labels.push(format!("language={language}"));
             }
             if let Some(source) = metadata.source.as_deref() {
-                labels.push(format!("source={}", source));
+                labels.push(format!("source={source}"));
             }
             if !labels.is_empty() {
                 println!("  metadata: {}", labels.join(", "));
             }
         }
         for warning in &result.warnings {
-            println!("  warning: {}", warning);
+            println!("  warning: {warning}");
         }
         if let Some(verification_report) = result.verification_report.as_ref() {
             println!(
@@ -138,7 +138,7 @@ pub(in super::super) fn print_eval_report(report: &EvalReport) {
             );
         }
         if let Some(artifact_path) = result.artifact_path.as_deref() {
-            println!("  artifact: {}", artifact_path);
+            println!("  artifact: {artifact_path}");
         }
     }
 
@@ -191,7 +191,7 @@ pub(in super::super) fn print_eval_report(report: &EvalReport) {
                 println!("  suite-thresholds: passed");
             } else {
                 for failure in &suite.threshold_failures {
-                    println!("  suite-threshold-failure: {}", failure);
+                    println!("  suite-threshold-failure: {failure}");
                 }
             }
         }
@@ -296,11 +296,11 @@ pub(in super::super) fn print_eval_report(report: &EvalReport) {
     }
 
     for warning in &report.warnings {
-        println!("Warning: {}", warning);
+        println!("Warning: {warning}");
     }
 
     for failure in &report.threshold_failures {
-        println!("Threshold failure: {}", failure);
+        println!("Threshold failure: {failure}");
     }
 }
 
diff --git a/src/commands/eval/runner/execute/repro.rs b/src/commands/eval/runner/execute/repro.rs
index 6a5e774..318301d 100644
--- a/src/commands/eval/runner/execute/repro.rs
+++ b/src/commands/eval/runner/execute/repro.rs
@@ -363,12 +363,12 @@ async fn gather_reproduction_evidence(
     {
         Ok((output, log)) => {
             if output.starts_with("Error:") {
-                warnings.push(format!("read_file returned '{}'", output));
+                warnings.push(format!("read_file returned '{output}'"));
             }
-            evidence_sections.push(format!("read_file\n{}", output));
+            evidence_sections.push(format!("read_file\n{output}"));
             tool_logs.push(log);
         }
-        Err(error) => warnings.push(format!("read_file failed: {}", error)),
+        Err(error) => warnings.push(format!("read_file failed: {error}")),
     }
 
     if include_git_tools {
@@ -385,12 +385,12 @@ async fn gather_reproduction_evidence(
         {
             Ok((output, log)) => {
                 if output.starts_with("Error:") {
-                    warnings.push(format!("get_blame returned '{}'", output));
+                    warnings.push(format!("get_blame returned '{output}'"));
                 }
-                evidence_sections.push(format!("get_blame\n{}", output));
+                evidence_sections.push(format!("get_blame\n{output}"));
                 tool_logs.push(log);
             }
-            Err(error) => warnings.push(format!("get_blame failed: {}", error)),
+            Err(error) => warnings.push(format!("get_blame failed: {error}")),
         }
     }
 
diff --git a/src/commands/eval/runner/execute/result.rs b/src/commands/eval/runner/execute/result.rs
index 5072615..891bdbd 100644
--- a/src/commands/eval/runner/execute/result.rs
+++ b/src/commands/eval/runner/execute/result.rs
@@ -15,16 +15,14 @@ pub(super) fn append_total_comment_failures(
     if let Some(min_total) = expectations.min_total {
         if total_comments < min_total {
             failures.push(format!(
-                "Expected at least {} comments, got {}",
-                min_total, total_comments
+                "Expected at least {min_total} comments, got {total_comments}"
             ));
         }
     }
     if let Some(max_total) = expectations.max_total {
         if total_comments > max_total {
             failures.push(format!(
-                "Expected at most {} comments, got {}",
-                max_total, total_comments
+                "Expected at most {max_total} comments, got {total_comments}"
             ));
         }
     }
diff --git a/src/commands/eval/thresholds/evaluation/minimums.rs b/src/commands/eval/thresholds/evaluation/minimums.rs
index 5b4e1a0..6e106cb 100644
--- a/src/commands/eval/thresholds/evaluation/minimums.rs
+++ b/src/commands/eval/thresholds/evaluation/minimums.rs
@@ -14,8 +14,7 @@ pub(super) fn check_minimum_thresholds(
         let threshold = threshold.clamp(0.0, 1.0);
         if current_micro_f1 < threshold {
             failures.push(format!(
-                "micro-F1 {:.3} is below minimum {:.3}",
-                current_micro_f1, threshold
+                "micro-F1 {current_micro_f1:.3} is below minimum {threshold:.3}"
             ));
         }
     }
@@ -24,8 +23,7 @@ pub(super) fn check_minimum_thresholds(
         let threshold = threshold.clamp(0.0, 1.0);
         if current_macro_f1 < threshold {
             failures.push(format!(
-                "macro-F1 {:.3} is below minimum {:.3}",
-                current_macro_f1, threshold
+                "macro-F1 {current_macro_f1:.3} is below minimum {threshold:.3}"
             ));
         }
     }
diff --git a/src/commands/feedback_eval/input.rs b/src/commands/feedback_eval/input.rs
index e54e459..5feae2d 100644
--- a/src/commands/feedback_eval/input.rs
+++ b/src/commands/feedback_eval/input.rs
@@ -25,7 +25,7 @@ mod tests {
         severity: Severity,
     ) -> core::Comment {
         core::Comment {
-            id: format!("{}-{}", content, confidence),
+            id: format!("{content}-{confidence}"),
             file_path: PathBuf::from("src/lib.rs"),
             line_number: 12,
             content: content.to_string(),
diff --git a/src/commands/git/suggest/commit.rs b/src/commands/git/suggest/commit.rs
index 6548c76..0957550 100644
--- a/src/commands/git/suggest/commit.rs
+++ b/src/commands/git/suggest/commit.rs
@@ -20,7 +20,7 @@ pub(in super::super) async fn suggest_commit_message(config: config::Config) ->
     let commit_message = core::CommitPromptBuilder::extract_commit_message(&response);
 
     println!("\nSuggested commit message:");
-    println!("{}", commit_message);
+    println!("{commit_message}");
 
     if commit_message.len() > 72 {
         println!(
diff --git a/src/commands/git/suggest/pr_title.rs b/src/commands/git/suggest/pr_title.rs
index dcae375..907e406 100644
--- a/src/commands/git/suggest/pr_title.rs
+++ b/src/commands/git/suggest/pr_title.rs
@@ -14,7 +14,7 @@ pub(in super::super) async fn suggest_pr_title(config: config::Config) -> Result
     let diff_content = git.get_branch_diff(&base_branch)?;
 
     if diff_content.is_empty() {
-        println!("No changes found compared to {} branch.", base_branch);
+        println!("No changes found compared to {base_branch} branch.");
         return Ok(());
     }
 
@@ -24,7 +24,7 @@ pub(in super::super) async fn suggest_pr_title(config: config::Config) -> Result
     let title = extract_title_from_response(&response);
 
     println!("\nSuggested PR title:");
-    println!("{}", title);
+    println!("{title}");
 
     if title.len() > 65 {
         println!(
diff --git a/src/commands/misc/changelog/output.rs b/src/commands/misc/changelog/output.rs
index 98c7c5a..4a589ec 100644
--- a/src/commands/misc/changelog/output.rs
+++ b/src/commands/misc/changelog/output.rs
@@ -7,7 +7,7 @@ pub(super) async fn emit_changelog_output(output_path: Option<&Path>, output: &s
         tokio::fs::write(path, output).await?;
         info!("Changelog written to file");
     } else {
-        println!("{}", output);
+        println!("{output}");
     }
 
     Ok(())
diff --git a/src/commands/misc/discussion/prompt.rs b/src/commands/misc/discussion/prompt.rs
index af08066..22e1ff5 100644
--- a/src/commands/misc/discussion/prompt.rs
+++ b/src/commands/misc/discussion/prompt.rs
@@ -29,7 +29,7 @@ pub(super) async fn answer_discussion_question(
         comment.content
     ));
     if let Some(suggestion) = &comment.suggestion {
-        prompt.push_str(&format!("- suggested fix: {}\n", suggestion));
+        prompt.push_str(&format!("- suggested fix: {suggestion}\n"));
     }
 
     if !history.trim().is_empty() {
@@ -37,7 +37,7 @@ pub(super) async fn answer_discussion_question(
         prompt.push_str(&history);
     }
 
-    prompt.push_str(&format!("\nNew question:\n{}\n", question));
+    prompt.push_str(&format!("\nNew question:\n{question}\n"));
 
     let request = adapters::llm::LLMRequest {
         system_prompt: "You are an expert reviewer assisting with follow-up questions on a specific code review comment. Answer directly, cite tradeoffs, and suggest concrete next steps. If the comment appears weak, say so and explain why.".to_string(),
diff --git a/src/commands/misc/lsp_check/command.rs b/src/commands/misc/lsp_check/command.rs
index 9207a73..a584184 100644
--- a/src/commands/misc/lsp_check/command.rs
+++ b/src/commands/misc/lsp_check/command.rs
@@ -44,16 +44,16 @@ pub async fn lsp_check_command(path: PathBuf, config: config::Config) -> Result<
     };
 
     if let Some(command) = &configured_command {
-        println!("configured LSP command: {}", command);
+        println!("configured LSP command: {command}");
     }
     if let Some(command) = &detected_command {
-        println!("detected LSP command: {}", command);
+        println!("detected LSP command: {command}");
     }
 
     let effective_command = configured_command.or(detected_command);
     if let Some(command) = &effective_command {
         let available = core::SymbolIndex::lsp_command_available(command);
-        println!("effective LSP command: {}", command);
+        println!("effective LSP command: {command}");
         println!(
             "command available: {}",
             if available { "yes" } else { "no" }
diff --git a/src/commands/misc/lsp_check/extensions.rs b/src/commands/misc/lsp_check/extensions.rs
index db067e4..888bb04 100644
--- a/src/commands/misc/lsp_check/extensions.rs
+++ b/src/commands/misc/lsp_check/extensions.rs
@@ -18,7 +18,7 @@ pub(super) fn audit_extension_counts(
     let top_extensions = extension_list
         .iter()
         .take(10)
-        .map(|(ext, count)| format!("{}({})", ext, count))
+        .map(|(ext, count)| format!("{ext}({count})"))
         .collect();
 
     let mut unmapped = extension_counts
diff --git a/src/commands/misc/lsp_check/languages.rs b/src/commands/misc/lsp_check/languages.rs
index 95663cd..c16aa7e 100644
--- a/src/commands/misc/lsp_check/languages.rs
+++ b/src/commands/misc/lsp_check/languages.rs
@@ -15,7 +15,7 @@ pub(super) fn audit_language_map(
         let ext = ext.trim().to_ascii_lowercase();
         let language = language.trim().to_string();
         if ext.is_empty() || language.is_empty() {
-            invalid_entries.push(format!("{}:{}", ext, language));
+            invalid_entries.push(format!("{ext}:{language}"));
             continue;
         }
         normalized.insert(ext, language);
diff --git a/src/commands/pr/comments/body.rs b/src/commands/pr/comments/body.rs
index 0340c7a..7eba966 100644
--- a/src/commands/pr/comments/body.rs
+++ b/src/commands/pr/comments/body.rs
@@ -6,7 +6,7 @@ pub(super) fn build_github_comment_body(comment: &core::Comment) -> String {
         comment.severity, comment.category, comment.content
     );
     if let Some(rule_id) = &comment.rule_id {
-        body.push_str(&format!("\n\n**Rule:** `{}`", rule_id));
+        body.push_str(&format!("\n\n**Rule:** `{rule_id}`"));
     }
     if let Some(suggestion) = &comment.suggestion {
         body.push_str("\n\n**Suggested fix:** ");
diff --git a/src/commands/pr/comments/summary.rs b/src/commands/pr/comments/summary.rs
index eff4a2c..0d57e9c 100644
--- a/src/commands/pr/comments/summary.rs
+++ b/src/commands/pr/comments/summary.rs
@@ -23,7 +23,7 @@ pub(super) fn upsert_pr_summary_comment(
 ) -> Result<()> {
     const SUMMARY_MARKER: &str = "<!-- diffscope:summary -->";
     let summary_body = review::build_pr_summary_comment_body(comments, rule_priority);
-    let full_body = format!("{}\n\n{}", SUMMARY_MARKER, summary_body);
+    let full_body = format!("{SUMMARY_MARKER}\n\n{summary_body}");
 
     let comments_endpoint = format!(
         "repos/{}/issues/{}/comments?per_page=100",
diff --git a/src/commands/smart_review/command.rs b/src/commands/smart_review/command.rs
index d7506a1..9917c4c 100644
--- a/src/commands/smart_review/command.rs
+++ b/src/commands/smart_review/command.rs
@@ -49,7 +49,7 @@ pub async fn smart_review_command(
     if let Some(path) = output_path {
         tokio::fs::write(path, output).await?;
     } else {
-        println!("{}", output);
+        println!("{output}");
     }
 
     Ok(())
diff --git a/src/config.rs b/src/config.rs
index 959d10c..b151d06 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -2079,8 +2079,7 @@ temperature: 0.3
         let model = default_model();
         assert!(
             model.contains("opus"),
-            "Default model should be Opus (frontier), got: {}",
-            model
+            "Default model should be Opus (frontier), got: {model}"
         );
     }
 
diff --git a/src/core/agent_loop.rs b/src/core/agent_loop.rs
index 43b5b78..b586abe 100644
--- a/src/core/agent_loop.rs
+++ b/src/core/agent_loop.rs
@@ -227,13 +227,13 @@ pub async fn run_agent_loop(
                     },
                     Err(e) => ContentBlock::ToolResult {
                         tool_use_id: call_id.clone(),
-                        content: format!("Error: {}", e),
+                        content: format!("Error: {e}"),
                         is_error: true,
                     },
                 },
                 None => ContentBlock::ToolResult {
                     tool_use_id: call_id.clone(),
-                    content: format!("Error: unknown tool '{}'", call_name),
+                    content: format!("Error: unknown tool '{call_name}'"),
                     is_error: true,
                 },
             };
@@ -548,7 +548,7 @@ mod tests {
         for i in 0..5 {
             responses.push(ChatResponse {
                 content: vec![ContentBlock::ToolUse {
-                    id: format!("call_{}", i),
+                    id: format!("call_{i}"),
                     name: "read_file".to_string(),
                     input: serde_json::json!({"file_path": "test.rs"}),
                 }],
@@ -1224,8 +1224,7 @@ mod tests {
         assert_eq!(tokens, 40, "total_tokens should be 15 + 25 = 40");
         assert!(
             reason.contains("EndTurn"),
-            "reason should contain EndTurn, got: {}",
-            reason
+            "reason should contain EndTurn, got: {reason}"
         );
     }
 
@@ -1726,7 +1725,7 @@ mod tests {
         for i in 0..3 {
             responses.push(ChatResponse {
                 content: vec![ContentBlock::ToolUse {
-                    id: format!("c{}", i),
+                    id: format!("c{i}"),
                     name: "read_file".to_string(),
                     input: serde_json::json!({}),
                 }],
diff --git a/src/core/agent_tools.rs b/src/core/agent_tools.rs
index 6df152b..8f379f8 100644
--- a/src/core/agent_tools.rs
+++ b/src/core/agent_tools.rs
@@ -186,7 +186,7 @@ impl ReviewTool for ReadFileTool {
 
         let full_path = self.ctx.repo_path.join(file_path);
         if !full_path.exists() {
-            return Ok(format!("Error: file not found: {}", file_path));
+            return Ok(format!("Error: file not found: {file_path}"));
         }
 
         // Prevent path traversal
@@ -205,7 +205,7 @@ impl ReviewTool for ReadFileTool {
         for (i, line) in lines.iter().enumerate() {
             let line_num = i + 1;
             if line_num >= start && line_num <= end {
-                output.push_str(&format!("{:>4} | {}\n", line_num, line));
+                output.push_str(&format!("{line_num:>4} | {line}\n"));
             }
         }
 
@@ -338,7 +338,7 @@ impl ReviewTool for LookupSymbolTool {
                 }
                 Ok(truncate_output(output))
             }
-            None => Ok(format!("Symbol '{}' not found in index.", symbol_name)),
+            None => Ok(format!("Symbol '{symbol_name}' not found in index.")),
         }
     }
 }
@@ -468,7 +468,7 @@ impl ReviewTool for GetFileHistoryTool {
                 info.is_high_churn(),
                 info.is_bug_prone()
             )),
-            None => Ok(format!("No history found for '{}'.", file_path)),
+            None => Ok(format!("No history found for '{file_path}'.")),
         }
     }
 }
@@ -533,8 +533,7 @@ impl ReviewTool for GetDefinitionsTool {
 
         if chunks.is_empty() {
             return Ok(format!(
-                "No definitions found for {:?} in context of '{}'.",
-                symbols, file_path
+                "No definitions found for {symbols:?} in context of '{file_path}'."
             ));
         }
 
@@ -598,7 +597,7 @@ impl ReviewTool for GitBlameTool {
 
         let full_path = self.ctx.repo_path.join(file_path);
         if !full_path.exists() {
-            return Ok(format!("Error: file not found: {}", file_path));
+            return Ok(format!("Error: file not found: {file_path}"));
         }
 
         // Prevent path traversal
@@ -637,7 +636,7 @@ impl ReviewTool for GitBlameTool {
                 Some(&mut blame_options),
             ) {
                 Ok(b) => b,
-                Err(e) => return Ok(format!("Error: could not blame file: {}", e)),
+                Err(e) => return Ok(format!("Error: could not blame file: {e}")),
             };
 
             let mut commit_message_cache: HashMap<git2::Oid, String> = HashMap::new();
@@ -669,8 +668,7 @@ impl ReviewTool for GitBlameTool {
                         .clone();
 
                     output.push_str(&format!(
-                        "L{}: {} ({}) [{}] {}\n",
-                        line_num, author, date, short_hash, message
+                        "L{line_num}: {author} ({date}) [{short_hash}] {message}\n"
                     ));
                 }
             }
@@ -872,8 +870,7 @@ mod tests {
         if let Ok(msg) = result {
             assert!(
                 msg.contains("not allowed") || msg.contains("not found"),
-                "Got: {}",
-                msg
+                "Got: {msg}"
             );
         }
     }
@@ -918,8 +915,7 @@ mod tests {
             .unwrap();
         assert!(
             result.contains("println"),
-            "Should find println in results: {}",
-            result
+            "Should find println in results: {result}"
         );
     }
 
@@ -942,8 +938,7 @@ mod tests {
             .unwrap();
         assert!(
             result.contains("No matches"),
-            "Should indicate no matches: {}",
-            result
+            "Should indicate no matches: {result}"
         );
     }
 
@@ -991,8 +986,7 @@ mod tests {
             .unwrap();
         assert!(
             result.contains("No history"),
-            "Should indicate no history: {}",
-            result
+            "Should indicate no history: {result}"
         );
     }
 
@@ -1026,8 +1020,7 @@ mod tests {
             .unwrap();
         assert!(
             result.contains("No related"),
-            "Should indicate no related symbols: {}",
-            result
+            "Should indicate no related symbols: {result}"
         );
     }
 
@@ -1067,7 +1060,7 @@ mod tests {
         let names: Vec<&str> = info.iter().map(|t| t.name.as_str()).collect();
         let mut seen = std::collections::HashSet::new();
         for name in &names {
-            assert!(seen.insert(*name), "duplicate tool name: {}", name);
+            assert!(seen.insert(*name), "duplicate tool name: {name}");
         }
     }
 
@@ -1240,7 +1233,7 @@ mod tests {
             .execute(json!({"file_path": "nonexistent.rs"}))
             .await
             .unwrap();
-        assert!(result.contains("not found"), "Got: {}", result);
+        assert!(result.contains("not found"), "Got: {result}");
     }
 
     #[tokio::test]
@@ -1260,8 +1253,7 @@ mod tests {
         if let Ok(msg) = result {
             assert!(
                 msg.contains("not allowed") || msg.contains("not found"),
-                "Got: {}",
-                msg
+                "Got: {msg}"
             );
         }
     }
@@ -1313,18 +1305,15 @@ mod tests {
             .unwrap();
         assert!(
             result.contains("Test User"),
-            "Should contain author name: {}",
-            result
+            "Should contain author name: {result}"
         );
         assert!(
             result.contains("initial commit"),
-            "Should contain commit message: {}",
-            result
+            "Should contain commit message: {result}"
         );
         assert!(
             result.contains("L1:"),
-            "Should contain line numbers: {}",
-            result
+            "Should contain line numbers: {result}"
         );
     }
 
@@ -1350,16 +1339,14 @@ mod tests {
             .unwrap();
         assert!(
             !result.contains("L1:"),
-            "Should not contain line 1: {}",
-            result
+            "Should not contain line 1: {result}"
         );
-        assert!(result.contains("L2:"), "Should contain line 2: {}", result);
-        assert!(result.contains("L3:"), "Should contain line 3: {}", result);
-        assert!(result.contains("L4:"), "Should contain line 4: {}", result);
+        assert!(result.contains("L2:"), "Should contain line 2: {result}");
+        assert!(result.contains("L3:"), "Should contain line 3: {result}");
+        assert!(result.contains("L4:"), "Should contain line 4: {result}");
         assert!(
             !result.contains("L5:"),
-            "Should not contain line 5: {}",
-            result
+            "Should not contain line 5: {result}"
         );
     }
 
diff --git a/src/core/changelog.rs b/src/core/changelog.rs
index dc4c878..8d8ab6f 100644
--- a/src/core/changelog.rs
+++ b/src/core/changelog.rs
@@ -281,7 +281,7 @@ impl ChangelogGenerator {
         let mut output = String::new();
 
         // Header
-        output.push_str(&format!("# Release Notes - v{}\n\n", version));
+        output.push_str(&format!("# Release Notes - v{version}\n\n"));
         output.push_str(&format!(
             "📅 **Release Date**: {}\n\n",
             Local::now().format("%Y-%m-%d")
@@ -300,10 +300,10 @@ impl ChangelogGenerator {
 
         output.push_str("## 📊 Summary\n\n");
         output.push_str(&format!("- 🎯 **Total Changes**: {}\n", entries.len()));
-        output.push_str(&format!("- ✨ **New Features**: {}\n", features));
-        output.push_str(&format!("- 🐛 **Bug Fixes**: {}\n", fixes));
+        output.push_str(&format!("- ✨ **New Features**: {features}\n"));
+        output.push_str(&format!("- 🐛 **Bug Fixes**: {fixes}\n"));
         if breaking > 0 {
-            output.push_str(&format!("- ⚠️  **Breaking Changes**: {}\n", breaking));
+            output.push_str(&format!("- ⚠️  **Breaking Changes**: {breaking}\n"));
         }
         output.push('\n');
 
@@ -358,7 +358,7 @@ impl ChangelogGenerator {
         output.push_str("## 👥 Contributors\n\n");
         output.push_str("Thank you to all contributors:\n\n");
         for (author, count) in contributors.iter().take(10) {
-            output.push_str(&format!("- {} ({} commits)\n", author, count));
+            output.push_str(&format!("- {author} ({count} commits)\n"));
         }
 
         output
diff --git a/src/core/code_summary.rs b/src/core/code_summary.rs
index e15b8fa..a2e8eda 100644
--- a/src/core/code_summary.rs
+++ b/src/core/code_summary.rs
@@ -109,7 +109,7 @@ pub fn summarize_code_heuristic(
     let mut summary_parts = Vec::new();
 
     // Symbol kind and name
-    summary_parts.push(format!("{} `{}`", kind, symbol_name));
+    summary_parts.push(format!("{kind} `{symbol_name}`"));
 
     // Parameters
     if !params.is_empty() {
@@ -118,7 +118,7 @@ pub fn summarize_code_heuristic(
 
     // Return type
     if let Some(ret) = &returns {
-        summary_parts.push(format!("returns {}", ret));
+        summary_parts.push(format!("returns {ret}"));
     }
 
     // Docstring
@@ -140,9 +140,9 @@ pub fn summarize_code_heuristic(
 
     // Complexity
     if complexity > 5 {
-        summary_parts.push(format!("complexity: high ({})", complexity));
+        summary_parts.push(format!("complexity: high ({complexity})"));
     } else if complexity > 2 {
-        summary_parts.push(format!("complexity: medium ({})", complexity));
+        summary_parts.push(format!("complexity: medium ({complexity})"));
     }
 
     let summary = summary_parts.join(". ");
@@ -170,10 +170,7 @@ pub fn build_embedding_text(symbol_name: &str, summary: &str, code: &str) -> Str
     } else {
         code
     };
-    format!(
-        "Symbol: {}\nSummary: {}\nCode:\n{}",
-        symbol_name, summary, code_truncated
-    )
+    format!("Symbol: {symbol_name}\nSummary: {summary}\nCode:\n{code_truncated}")
 }
 
 /// Batch-summarize all symbols in a file.
@@ -743,17 +740,12 @@ mod tests {
         let code = "pub fn process(items: Vec<String>, callback: fn(u32) -> bool) -> Result<()> {";
         let params = extract_parameters(code, "rs");
         // [^)]* stops at the `)` inside fn(u32), truncating the callback param's type
-        assert!(
-            !params.is_empty(),
-            "Should extract params, got: {:?}",
-            params
-        );
+        assert!(!params.is_empty(), "Should extract params, got: {params:?}");
         // callback param should have its full type including -> bool
         let callback_param = params.iter().find(|p| p.contains("callback"));
         assert!(
             callback_param.is_some(),
-            "Should find callback param, got: {:?}",
-            params
+            "Should find callback param, got: {params:?}"
         );
         let cb = callback_param.unwrap();
         assert!(
diff --git a/src/core/comment/identity.rs b/src/core/comment/identity.rs
index b3734d4..e1f29f3 100644
--- a/src/core/comment/identity.rs
+++ b/src/core/comment/identity.rs
@@ -6,7 +6,7 @@ pub fn compute_comment_id(file_path: &Path, content: &str, category: &Category)
     let normalized = normalize_content(content);
     let key = format!("{}|{}|{}", file_path.display(), category, normalized);
     let hash = fnv1a64(key.as_bytes());
-    format!("cmt_{:016x}", hash)
+    format!("cmt_{hash:016x}")
 }
 
 fn fnv1a64(bytes: &[u8]) -> u64 {
diff --git a/src/core/comment/suggestions.rs b/src/core/comment/suggestions.rs
index c155566..456b8e5 100644
--- a/src/core/comment/suggestions.rs
+++ b/src/core/comment/suggestions.rs
@@ -12,7 +12,7 @@ pub(super) fn generate_code_suggestion(raw: &RawComment) -> Option<CodeSuggestio
                 original_code: "// Original code would be extracted from context".to_string(),
                 suggested_code: suggestion.clone(),
                 explanation: "Improved implementation following best practices".to_string(),
-                diff: format!("- original\n+ {}", suggestion),
+                diff: format!("- original\n+ {suggestion}"),
             });
         }
     }
diff --git a/src/core/comment/summary.rs b/src/core/comment/summary.rs
index ee3eeec..c7f2580 100644
--- a/src/core/comment/summary.rs
+++ b/src/core/comment/summary.rs
@@ -69,8 +69,7 @@ fn generate_recommendations(comments: &[Comment]) -> Vec<String> {
 
     if security_count > 0 {
         recommendations.push(format!(
-            "Address {} security issue(s) immediately",
-            security_count
+            "Address {security_count} security issue(s) immediately"
         ));
     }
     if performance_count > 2 {
diff --git a/src/core/commit_prompt.rs b/src/core/commit_prompt.rs
index 100ef7b..11f3cec 100644
--- a/src/core/commit_prompt.rs
+++ b/src/core/commit_prompt.rs
@@ -47,7 +47,7 @@ Commit: docs: update installation instructions for v2.0
 </examples>
 
 <diff>
-{}
+{diff}
 </diff>
 
 <instructions>
@@ -57,8 +57,7 @@ Commit: docs: update installation instructions for v2.0
    - What is the primary purpose of these changes?
 
 2. Then provide your commit message in <commit> tags.
-</instructions>"#,
-            diff
+</instructions>"#
         );
 
         (system_prompt.to_string(), user_prompt)
@@ -124,13 +123,12 @@ Title: Optimize database queries for 3x faster loading
 </examples>
 
 <diff>
-{}
+{diff}
 </diff>
 
 <instructions>
 Analyze the changes and provide a PR title in <title> tags.
-</instructions>"#,
-            diff
+</instructions>"#
         );
 
         (system_prompt.to_string(), user_prompt)
diff --git a/src/core/composable_pipeline.rs b/src/core/composable_pipeline.rs
index 322fe07..5fac27d 100644
--- a/src/core/composable_pipeline.rs
+++ b/src/core/composable_pipeline.rs
@@ -360,7 +360,7 @@ mod tests {
 
     fn make_comment(file: &str, line: usize, content: &str, confidence: f32) -> Comment {
         Comment {
-            id: format!("cmt_{}_{}", file, line),
+            id: format!("cmt_{file}_{line}"),
             file_path: PathBuf::from(file),
             line_number: line,
             content: content.to_string(),
diff --git a/src/core/context.rs b/src/core/context.rs
index 51fbc07..a4d3edd 100644
--- a/src/core/context.rs
+++ b/src/core/context.rs
@@ -209,13 +209,13 @@ impl ContextFetcher {
                     // Look for function/class/interface definitions
                     for (line_num, line) in lines.iter().enumerate() {
                         let trimmed = line.trim();
-                        if trimmed.contains(&format!("function {}", symbol))
-                            || trimmed.contains(&format!("class {}", symbol))
-                            || trimmed.contains(&format!("interface {}", symbol))
-                            || trimmed.contains(&format!("fn {}", symbol))
-                            || trimmed.contains(&format!("struct {}", symbol))
-                            || trimmed.contains(&format!("enum {}", symbol))
-                            || trimmed.contains(&format!("impl {}", symbol))
+                        if trimmed.contains(&format!("function {symbol}"))
+                            || trimmed.contains(&format!("class {symbol}"))
+                            || trimmed.contains(&format!("interface {symbol}"))
+                            || trimmed.contains(&format!("fn {symbol}"))
+                            || trimmed.contains(&format!("struct {symbol}"))
+                            || trimmed.contains(&format!("enum {symbol}"))
+                            || trimmed.contains(&format!("impl {symbol}"))
                         {
                             // Extract a few lines around the definition for context
                             let start_line = line_num.saturating_sub(2);
diff --git a/src/core/context_provenance.rs b/src/core/context_provenance.rs
index d0548f3..16a3cd0 100644
--- a/src/core/context_provenance.rs
+++ b/src/core/context_provenance.rs
@@ -105,25 +105,22 @@ impl ContextProvenance {
     fn label(&self) -> String {
         match self {
             Self::ActiveReviewRules => "active review rules".to_string(),
-            Self::Analyzer { name } => format!("{} analyzer", name),
+            Self::Analyzer { name } => format!("{name} analyzer"),
             Self::CustomContextNotes => "custom context notes".to_string(),
             Self::DependencyGraphNeighborhood => "dependency graph neighborhood".to_string(),
             Self::PathSpecificFocusAreas => "path-specific focus areas".to_string(),
             Self::PatternRepositoryContext { source } => {
-                format!("pattern repository: {}", source)
+                format!("pattern repository: {source}")
             }
             Self::PatternRepositorySource { source } => {
-                format!("pattern repository source: {}", source)
+                format!("pattern repository source: {source}")
             }
             Self::RelatedTestFile => "related test file".to_string(),
             Self::ReverseDependencySummary => "reverse dependency summary".to_string(),
             Self::SemanticRetrieval {
                 similarity,
                 symbol_name,
-            } => format!(
-                "semantic retrieval (similarity={:.2}, symbol={})",
-                similarity, symbol_name
-            ),
+            } => format!("semantic retrieval (similarity={similarity:.2}, symbol={symbol_name})"),
             Self::SymbolGraphPath {
                 relation_path,
                 hops,
diff --git a/src/core/convention_learner.rs b/src/core/convention_learner.rs
index c19d351..a8064cf 100644
--- a/src/core/convention_learner.rs
+++ b/src/core/convention_learner.rs
@@ -221,8 +221,7 @@ impl ConventionStore {
 
             if !boost.is_empty() {
                 guidance.push_str(&format!(
-                    "\nHigh-value {} patterns (team accepts these):\n",
-                    category
+                    "\nHigh-value {category} patterns (team accepts these):\n"
                 ));
                 for p in boost.iter().take(5) {
                     guidance.push_str(&format!(
@@ -234,8 +233,7 @@ impl ConventionStore {
 
             if !suppress.is_empty() {
                 guidance.push_str(&format!(
-                    "\nLow-value {} patterns (team rejects these):\n",
-                    category
+                    "\nLow-value {category} patterns (team rejects these):\n"
                 ));
                 for p in suppress.iter().take(5) {
                     guidance.push_str(&format!(
@@ -406,7 +404,7 @@ mod tests {
         }
 
         let score = store.score_comment("null check missing for user input", "Bug");
-        assert!(score > 0.0, "Expected positive score, got {}", score);
+        assert!(score > 0.0, "Expected positive score, got {score}");
     }
 
     #[test]
@@ -431,7 +429,7 @@ mod tests {
         );
 
         let score = store.score_comment("Consider adding more comments", "Style");
-        assert!(score < 0.0, "Expected negative score, got {}", score);
+        assert!(score < 0.0, "Expected negative score, got {score}");
     }
 
     #[test]
diff --git a/src/core/enhanced_review.rs b/src/core/enhanced_review.rs
index 53e2e78..38f0791 100644
--- a/src/core/enhanced_review.rs
+++ b/src/core/enhanced_review.rs
@@ -145,7 +145,7 @@ fn exercise_symbol_graph(graph: &mut SymbolGraph, diffs: &[UnifiedDiff]) {
     ];
     for kind in kinds {
         let node = SymbolNode {
-            name: format!("_enhanced_{:?}", kind),
+            name: format!("_enhanced_{kind:?}"),
             file_path: PathBuf::from("_enhanced_.rs"),
             line_range: (1, 1),
             kind,
diff --git a/src/core/eval_benchmarks.rs b/src/core/eval_benchmarks.rs
index eabc281..5d961e8 100644
--- a/src/core/eval_benchmarks.rs
+++ b/src/core/eval_benchmarks.rs
@@ -394,10 +394,10 @@ pub fn compare_results(
         ));
     }
     if precision_delta > max_regression {
-        improvements.push(format!("Precision improved by {:.3}", precision_delta));
+        improvements.push(format!("Precision improved by {precision_delta:.3}"));
     }
     if recall_delta > max_regression {
-        improvements.push(format!("Recall improved by {:.3}", recall_delta));
+        improvements.push(format!("Recall improved by {recall_delta:.3}"));
     }
 
     ComparisonResult {
@@ -1024,8 +1024,7 @@ mod tests {
         let (pass, failures) = evaluate_against_thresholds(&result, &thresholds);
         assert!(
             pass,
-            "FPR should be ~0.048 (FP/(FP+TN)), not 0.091 (FP/(FP+TP)): {:?}",
-            failures
+            "FPR should be ~0.048 (FP/(FP+TN)), not 0.091 (FP/(FP+TP)): {failures:?}"
         );
     }
 
diff --git a/src/core/function_chunker.rs b/src/core/function_chunker.rs
index fb9db45..71a2b53 100644
--- a/src/core/function_chunker.rs
+++ b/src/core/function_chunker.rs
@@ -823,8 +823,7 @@ fn next_func() {
         assert_eq!(
             boundaries.len(),
             2,
-            "Should find both functions: {:?}",
-            boundaries
+            "Should find both functions: {boundaries:?}"
         );
         // render() should end at the } on line 5 (before next_func)
         assert!(
@@ -850,8 +849,7 @@ fn next_func() {
         assert_eq!(
             boundaries.len(),
             2,
-            "Should find both methods: {:?}",
-            boundaries
+            "Should find both methods: {boundaries:?}"
         );
         assert_eq!(boundaries[0].name, "handle_request");
         assert_eq!(boundaries[1].name, "process");
diff --git a/src/core/git_history.rs b/src/core/git_history.rs
index 1e93fc4..1733e21 100644
--- a/src/core/git_history.rs
+++ b/src/core/git_history.rs
@@ -405,7 +405,7 @@ mod tests {
             age_days: None,
         };
         let score = info.risk_score();
-        assert!(score > 0.5, "Expected high risk, got {}", score);
+        assert!(score > 0.5, "Expected high risk, got {score}");
     }
 
     #[test]
@@ -421,7 +421,7 @@ mod tests {
             age_days: None,
         };
         let score = info.risk_score();
-        assert!(score < 0.3, "Expected low risk, got {}", score);
+        assert!(score < 0.3, "Expected low risk, got {score}");
     }
 
     #[test]
@@ -466,7 +466,7 @@ mod tests {
         // Add more commits to hot.rs
         for i in 0..20 {
             analyzer.ingest_log(vec![make_entry(
-                &format!("commit_{}", i),
+                &format!("commit_{i}"),
                 "alice",
                 "Fix another bug",
                 vec![("src/hot.rs", 10, 5)],
@@ -490,7 +490,7 @@ mod tests {
         for i in 0..10 {
             let msg = if i % 2 == 0 { "Fix bug" } else { "Add feature" };
             analyzer.ingest_log(vec![make_entry(
-                &format!("c{}", i),
+                &format!("c{i}"),
                 "alice",
                 msg,
                 vec![("buggy.rs", 5, 3)],
@@ -507,7 +507,7 @@ mod tests {
         let mut analyzer = GitHistoryAnalyzer::new();
         for i in 0..15 {
             analyzer.ingest_log(vec![make_entry(
-                &format!("c{}", i),
+                &format!("c{i}"),
                 "alice",
                 "Fix issue",
                 vec![("src/risky.rs", 20, 10)],
diff --git a/src/core/interactive.rs b/src/core/interactive.rs
index a40e9cf..42713b1 100644
--- a/src/core/interactive.rs
+++ b/src/core/interactive.rs
@@ -75,13 +75,10 @@ impl InteractiveCommand {
     ) -> Result<String> {
         if let Some(diff) = diff_content {
             let prompt = if self.args.is_empty() {
-                format!("Review the following code changes:\n\n{}", diff)
+                format!("Review the following code changes:\n\n{diff}")
             } else {
                 let focus = self.args.join(" ");
-                format!(
-                    "Review the following code changes with focus on {}:\n\n{}",
-                    focus, diff
-                )
+                format!("Review the following code changes with focus on {focus}:\n\n{diff}")
             };
 
             let request = LLMRequest {
@@ -108,7 +105,7 @@ impl InteractiveCommand {
             )
         } else {
             let patterns = self.args.join(", ");
-            Ok(format!("✅ Will ignore: {}\n\nAdd these patterns to your .diffscope.yml for permanent configuration.", patterns))
+            Ok(format!("✅ Will ignore: {patterns}\n\nAdd these patterns to your .diffscope.yml for permanent configuration."))
         }
     }
 
@@ -122,17 +119,14 @@ impl InteractiveCommand {
         } else {
             // Try to find specific line or section
             let target = self.args.join(" ");
-            format!(
-                "Explain the following in the context of the code changes: {}",
-                target
-            )
+            format!("Explain the following in the context of the code changes: {target}")
         };
 
         let request = LLMRequest {
             system_prompt:
                 "You are a helpful code explainer. Provide clear, educational explanations."
                     .to_string(),
-            user_prompt: format!("Explain this code or change:\n\n{}", context),
+            user_prompt: format!("Explain this code or change:\n\n{context}"),
             temperature: Some(0.5),
             max_tokens: Some(800),
             response_schema: None,
@@ -155,19 +149,19 @@ impl InteractiveCommand {
         let (system_prompt, user_prompt) = match target {
             "tests" => (
                 "You are a test generation expert. Generate comprehensive tests.",
-                format!("Generate unit tests for the following context: {}", context),
+                format!("Generate unit tests for the following context: {context}"),
             ),
             "docs" => (
                 "You are a documentation expert. Generate clear, comprehensive documentation.",
-                format!("Generate documentation for: {}", context),
+                format!("Generate documentation for: {context}"),
             ),
             "types" => (
                 "You are a TypeScript/type system expert. Generate proper type definitions.",
-                format!("Generate type definitions for: {}", context),
+                format!("Generate type definitions for: {context}"),
             ),
             _ => (
                 "You are a helpful code generator.",
-                format!("Generate {} for: {}", target, context),
+                format!("Generate {target} for: {context}"),
             ),
         };
 
@@ -270,7 +264,7 @@ impl InteractiveProcessor {
     pub fn add_ignore_pattern(&mut self, pattern: &str) {
         if pattern.contains('*') {
             let escaped = regex::escape(pattern).replace(r"\*", ".*");
-            let regex_pattern = format!("^{}$", escaped);
+            let regex_pattern = format!("^{escaped}$");
             if let Ok(re) = Regex::new(&regex_pattern) {
                 self.glob_regexes.push(re);
             }
diff --git a/src/core/multi_pass.rs b/src/core/multi_pass.rs
index 739adf9..af5e412 100644
--- a/src/core/multi_pass.rs
+++ b/src/core/multi_pass.rs
@@ -109,7 +109,7 @@ impl MultiPassReview {
 
         guidance.push_str("\nRisk factors identified:\n");
         for reason in &hotspot.reasons {
-            guidance.push_str(&format!("- {}\n", reason));
+            guidance.push_str(&format!("- {reason}\n"));
         }
 
         guidance.push_str(&format!(
@@ -220,10 +220,10 @@ fn analyze_file_risk(diff: &UnifiedDiff) -> HotspotResult {
 
     if total_changes > 100 {
         risk_score += 0.2;
-        reasons.push(format!("Large change volume ({} lines)", total_changes));
+        reasons.push(format!("Large change volume ({total_changes} lines)"));
     } else if total_changes > 50 {
         risk_score += 0.1;
-        reasons.push(format!("Moderate change volume ({} lines)", total_changes));
+        reasons.push(format!("Moderate change volume ({total_changes} lines)"));
     }
 
     // Content risk patterns
@@ -352,7 +352,7 @@ mod tests {
 
     fn make_comment(file: &str, line: usize, content: &str) -> Comment {
         Comment {
-            id: format!("cmt_{}", line),
+            id: format!("cmt_{line}"),
             file_path: PathBuf::from(file),
             line_number: line,
             content: content.to_string(),
diff --git a/src/core/offline.rs b/src/core/offline.rs
index c0e8143..7efcd00 100644
--- a/src/core/offline.rs
+++ b/src/core/offline.rs
@@ -162,7 +162,7 @@ impl OfflineModelManager {
     pub fn is_model_available(&self, model_name: &str) -> bool {
         self.models
             .iter()
-            .any(|m| m.name == model_name || m.name.starts_with(&format!("{}:", model_name)))
+            .any(|m| m.name == model_name || m.name.starts_with(&format!("{model_name}:")))
     }
 
     /// Get recommended model for code review based on available models.
@@ -770,8 +770,7 @@ mod tests {
             errors
                 .iter()
                 .any(|e| e.contains("URL") || e.contains("url")),
-            "Should flag invalid URL format, got: {:?}",
-            errors
+            "Should flag invalid URL format, got: {errors:?}"
         );
     }
 
diff --git a/src/core/pr_summary.rs b/src/core/pr_summary.rs
index 223bdd2..1e9b3b6 100644
--- a/src/core/pr_summary.rs
+++ b/src/core/pr_summary.rs
@@ -167,7 +167,7 @@ impl PRSummaryGenerator {
         if !commits.is_empty() {
             prompt.push_str("## Recent Commits\n");
             for commit in commits.iter().take(5) {
-                prompt.push_str(&format!("- {}\n", commit));
+                prompt.push_str(&format!("- {commit}\n"));
             }
             prompt.push('\n');
         }
@@ -189,7 +189,7 @@ impl PRSummaryGenerator {
                 .filter(|c| matches!(c.change_type, crate::core::diff_parser::ChangeType::Removed))
                 .count();
 
-            prompt.push_str(&format!("- {} (+{}, -{})\n", path, added, removed));
+            prompt.push_str(&format!("- {path} (+{added}, -{removed})\n"));
         }
 
         prompt.push_str("\n## Instructions\n");
@@ -243,10 +243,7 @@ impl PRSummaryGenerator {
             } else {
                 "modified"
             };
-            prompt.push_str(&format!(
-                "- {} ({}; +{}, -{})\n",
-                path, status, added, removed
-            ));
+            prompt.push_str(&format!("- {path} ({status}; +{added}, -{removed})\n"));
         }
 
         prompt
@@ -396,7 +393,7 @@ impl PRSummary {
         if !self.key_changes.is_empty() {
             output.push_str("## 🎯 Key Changes\n\n");
             for change in &self.key_changes {
-                output.push_str(&format!("- {}\n", change));
+                output.push_str(&format!("- {change}\n"));
             }
             output.push('\n');
         }
@@ -433,7 +430,7 @@ impl PRSummary {
         // Breaking changes
         if let Some(breaking) = &self.breaking_changes {
             output.push_str("## ⚠️ Breaking Changes\n\n");
-            output.push_str(&format!("{}\n\n", breaking));
+            output.push_str(&format!("{breaking}\n\n"));
         }
 
         // Testing notes
diff --git a/src/core/prompt.rs b/src/core/prompt.rs
index d93406d..3d87663 100644
--- a/src/core/prompt.rs
+++ b/src/core/prompt.rs
@@ -446,11 +446,11 @@ impl PromptBuilder {
                 chunk.file_path.display(),
                 chunk
                     .line_range
-                    .map(|(s, e)| format!(":{}-{}", s, e))
+                    .map(|(s, e)| format!(":{s}-{e}"))
                     .unwrap_or_default(),
                 chunk
                     .provenance_label()
-                    .map(|value| format!(" | {}", value))
+                    .map(|value| format!(" | {value}"))
                     .unwrap_or_default(),
                 chunk.content
             );
diff --git a/src/core/semantic.rs b/src/core/semantic.rs
index 1e65abb..5fa57b0 100644
--- a/src/core/semantic.rs
+++ b/src/core/semantic.rs
@@ -530,7 +530,7 @@ fn normalize_relative_path(path: PathBuf) -> PathBuf {
 
 fn hash_text(content: &str) -> String {
     let digest = Sha256::digest(content.as_bytes());
-    format!("{:x}", digest)
+    format!("{digest:x}")
 }
 
 fn is_code_file(path: &Path) -> bool {
diff --git a/src/core/semantic/embedding.rs b/src/core/semantic/embedding.rs
index 99711bf..8fbe886 100644
--- a/src/core/semantic/embedding.rs
+++ b/src/core/semantic/embedding.rs
@@ -41,7 +41,7 @@ pub async fn embed_texts_with_fallback(
 }
 
 pub fn build_feedback_embedding_text(content: &str, category: &str) -> String {
-    format!("Category: {}\nComment: {}", category, content)
+    format!("Category: {category}\nComment: {content}")
 }
 
 pub(super) fn local_hash_embedding(text: &str) -> Vec<f32> {
diff --git a/src/core/semantic/persistence.rs b/src/core/semantic/persistence.rs
index 90e47d4..fb7565e 100644
--- a/src/core/semantic/persistence.rs
+++ b/src/core/semantic/persistence.rs
@@ -18,7 +18,7 @@ pub fn default_semantic_feedback_path(feedback_path: &Path) -> PathBuf {
         .file_stem()
         .and_then(|value| value.to_str())
         .unwrap_or("diffscope.feedback");
-    parent.join(format!("{}.semantic.json", stem))
+    parent.join(format!("{stem}.semantic.json"))
 }
 
 pub fn load_semantic_index(path: &Path) -> SemanticIndex {
diff --git a/src/core/smart_review_prompt.rs b/src/core/smart_review_prompt.rs
index aa131eb..f634cd2 100644
--- a/src/core/smart_review_prompt.rs
+++ b/src/core/smart_review_prompt.rs
@@ -122,7 +122,7 @@ TAGS: [comma-separated relevant tags]
                     chunk.context_type,
                     chunk
                         .provenance_label()
-                        .map(|value| format!(" | {}", value))
+                        .map(|value| format!(" | {value}"))
                         .unwrap_or_default()
                 );
                 let block = format!(
diff --git a/src/core/symbol_graph.rs b/src/core/symbol_graph.rs
index a17264e..8fda140 100644
--- a/src/core/symbol_graph.rs
+++ b/src/core/symbol_graph.rs
@@ -717,8 +717,7 @@ impl Authenticator for AdminAuth {
         let names: HashSet<&str> = related.iter().map(|r| r.name.as_str()).collect();
         assert!(
             names.contains("Role") || names.contains("Authenticator"),
-            "Expected colocated symbols, got: {:?}",
-            names
+            "Expected colocated symbols, got: {names:?}"
         );
     }
 
diff --git a/src/core/symbol_index.rs b/src/core/symbol_index.rs
index 0f4d713..3007d89 100644
--- a/src/core/symbol_index.rs
+++ b/src/core/symbol_index.rs
@@ -597,7 +597,7 @@ fn program_exists_in_dir(dir: &Path, program: &str) -> bool {
             if ext.is_empty() {
                 continue;
             }
-            let candidate = dir.join(format!("{}{}", program, ext));
+            let candidate = dir.join(format!("{program}{ext}"));
             if candidate.is_file() {
                 return true;
             }
@@ -749,8 +749,8 @@ fn extract_dependency_candidates(repo_root: &Path, relative: &Path, line: &str)
         if let Some(module) = captures.get(1) {
             let module_name = module.as_str();
             let candidates = [
-                format!("./{}.rs", module_name),
-                format!("./{}/mod.rs", module_name),
+                format!("./{module_name}.rs"),
+                format!("./{module_name}/mod.rs"),
             ];
             for candidate in candidates {
                 for resolved in resolve_relative_dependency(repo_root, relative, &candidate) {
@@ -764,8 +764,8 @@ fn extract_dependency_candidates(repo_root: &Path, relative: &Path, line: &str)
         if let Some(module_path) = captures.get(1) {
             let normalized = module_path.as_str().replace('.', "/");
             let candidates = [
-                format!("./{}.py", normalized),
-                format!("./{}/__init__.py", normalized),
+                format!("./{normalized}.py"),
+                format!("./{normalized}/__init__.py"),
             ];
             for candidate in candidates {
                 for resolved in resolve_relative_dependency(repo_root, relative, &candidate) {
@@ -1138,7 +1138,7 @@ fn path_to_uri(path: &Path) -> Result<String> {
         .map(url_encode)
         .collect::<Vec<_>>()
         .join("/");
-    Ok(format!("file://{}", encoded))
+    Ok(format!("file://{encoded}"))
 }
 
 fn url_encode(segment: &str) -> String {
@@ -1152,7 +1152,7 @@ fn url_encode(segment: &str) -> String {
         {
             out.push(byte as char);
         } else {
-            out.push_str(&format!("%{:02X}", byte));
+            out.push_str(&format!("%{byte:02X}"));
         }
     }
     out
@@ -1176,8 +1176,7 @@ mod tests {
         let encoded = url_encode("€");
         assert_eq!(
             encoded, "%E2%82%AC",
-            "Multi-byte UTF-8 chars must be percent-encoded per byte, got: {}",
-            encoded
+            "Multi-byte UTF-8 chars must be percent-encoded per byte, got: {encoded}"
         );
     }
 
@@ -1188,8 +1187,7 @@ mod tests {
         let encoded = url_encode("café");
         assert_eq!(
             encoded, "caf%C3%A9",
-            "Two-byte UTF-8 chars must be percent-encoded per byte, got: {}",
-            encoded
+            "Two-byte UTF-8 chars must be percent-encoded per byte, got: {encoded}"
         );
     }
 
diff --git a/src/main.rs b/src/main.rs
index 16f7cca..5ff9ff6 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -604,7 +604,7 @@ async fn main() -> Result<()> {
 
     // Resolve API key from Vault if configured and api_key is not already set
     if let Err(e) = config.resolve_vault_api_key().await {
-        eprintln!("Warning: Failed to fetch API key from Vault: {:#}", e);
+        eprintln!("Warning: Failed to fetch API key from Vault: {e:#}");
     }
 
     match cli.command {
diff --git a/src/output/format.rs b/src/output/format.rs
index cba8c4c..03df8c7 100644
--- a/src/output/format.rs
+++ b/src/output/format.rs
@@ -26,7 +26,7 @@ pub async fn output_comments(
     if let Some(path) = output_path {
         tokio::fs::write(path, output).await?;
     } else {
-        println!("{}", output);
+        println!("{output}");
     }
 
     Ok(())
@@ -43,10 +43,10 @@ pub fn format_as_patch(comments: &[core::Comment]) -> String {
             comment.content
         ));
         if let Some(rule_id) = &comment.rule_id {
-            output.push_str(&format!("# Rule: {}\n", rule_id));
+            output.push_str(&format!("# Rule: {rule_id}\n"));
         }
         if let Some(suggestion) = &comment.suggestion {
-            output.push_str(&format!("# Suggestion: {}\n", suggestion));
+            output.push_str(&format!("# Suggestion: {suggestion}\n"));
         }
         if let Some(code_suggestion) = &comment.code_suggestion {
             output.push_str(&format!("# Code fix:\n{}\n", code_suggestion.diff));
@@ -95,7 +95,7 @@ pub fn format_as_markdown(comments: &[core::Comment], rule_priority: &[String])
             "Suggestion" => "💡",
             _ => "⚪",
         };
-        output.push_str(&format!("{} **{}:** {}\n", emoji, severity, count));
+        output.push_str(&format!("{emoji} **{severity}:** {count}\n"));
     }
     output.push('\n');
 
@@ -128,7 +128,7 @@ pub fn format_as_markdown(comments: &[core::Comment], rule_priority: &[String])
             "Architecture" => "🏗️",
             _ => "💭",
         };
-        output.push_str(&format!("{} **{}:** {}\n", emoji, category, count));
+        output.push_str(&format!("{emoji} **{category}:** {count}\n"));
     }
     output.push('\n');
 
@@ -150,7 +150,7 @@ pub fn format_as_markdown(comments: &[core::Comment], rule_priority: &[String])
     if !summary.recommendations.is_empty() {
         output.push_str("### Recommendations\n\n");
         for rec in &summary.recommendations {
-            output.push_str(&format!("- {}\n", rec));
+            output.push_str(&format!("- {rec}\n"));
         }
         output.push('\n');
     }
@@ -193,14 +193,14 @@ pub fn format_as_markdown(comments: &[core::Comment], rule_priority: &[String])
                 comment.confidence * 100.0
             ));
             if let Some(rule_id) = &comment.rule_id {
-                output.push_str(&format!("**Rule:** `{}`\n", rule_id));
+                output.push_str(&format!("**Rule:** `{rule_id}`\n"));
             }
-            output.push_str(&format!("**Fix Effort:** {}\n\n", effort_badge));
+            output.push_str(&format!("**Fix Effort:** {effort_badge}\n\n"));
 
             output.push_str(&format!("{}\n\n", comment.content));
 
             if let Some(suggestion) = &comment.suggestion {
-                output.push_str(&format!("💡 **Suggestion:** {}\n\n", suggestion));
+                output.push_str(&format!("💡 **Suggestion:** {suggestion}\n\n"));
             }
 
             if let Some(code_suggestion) = &comment.code_suggestion {
@@ -215,7 +215,7 @@ pub fn format_as_markdown(comments: &[core::Comment], rule_priority: &[String])
                     if i > 0 {
                         output.push_str(", ");
                     }
-                    output.push_str(&format!("`{}`", tag));
+                    output.push_str(&format!("`{tag}`"));
                 }
                 output.push_str("\n\n");
             }
@@ -283,7 +283,7 @@ pub fn format_smart_review_output(
     let severities = ["Error", "Warning", "Info", "Suggestion"];
     for severity in severities {
         let sev_count = summary.by_severity.get(severity).unwrap_or(&0);
-        output.push_str(&format!("| {} | {} |\n", severity, sev_count));
+        output.push_str(&format!("| {severity} | {sev_count} |\n"));
     }
     output.push('\n');
 
@@ -303,7 +303,7 @@ pub fn format_smart_review_output(
     ];
     for category in categories {
         let cat_count = summary.by_category.get(category).unwrap_or(&0);
-        output.push_str(&format!("| {} | {} |\n", category, cat_count));
+        output.push_str(&format!("| {category} | {cat_count} |\n"));
     }
     output.push('\n');
 
@@ -428,18 +428,18 @@ pub fn format_detailed_comment(comment: &core::Comment) -> String {
             if i > 0 {
                 output.push_str(", ");
             }
-            output.push_str(&format!("`{}`", tag));
+            output.push_str(&format!("`{tag}`"));
         }
         output.push_str("\n\n");
     }
     if let Some(rule_id) = &comment.rule_id {
-        output.push_str(&format!("**Rule:** `{}`\n\n", rule_id));
+        output.push_str(&format!("**Rule:** `{rule_id}`\n\n"));
     }
 
     output.push_str(&format!("{}\n\n", comment.content));
 
     if let Some(suggestion) = &comment.suggestion {
-        output.push_str(&format!("**💡 Recommended Fix:**\n{}\n\n", suggestion));
+        output.push_str(&format!("**💡 Recommended Fix:**\n{suggestion}\n\n"));
     }
 
     if let Some(code_suggestion) = &comment.code_suggestion {
@@ -467,14 +467,14 @@ pub fn format_pr_summary_section(summary: &core::pr_summary::PRSummary) -> Strin
     if !summary.key_changes.is_empty() {
         output.push_str("### Key Changes\n\n");
         for change in &summary.key_changes {
-            output.push_str(&format!("- {}\n", change));
+            output.push_str(&format!("- {change}\n"));
         }
         output.push('\n');
     }
 
     if let Some(breaking) = &summary.breaking_changes {
         output.push_str("### Breaking Changes\n\n");
-        output.push_str(&format!("{}\n\n", breaking));
+        output.push_str(&format!("{breaking}\n\n"));
     }
 
     if !summary.testing_notes.is_empty() {
@@ -921,7 +921,7 @@ mod tests {
     fn test_walkthrough_not_truncated_at_exactly_max() {
         let diffs: Vec<core::UnifiedDiff> = (0..50)
             .map(|i| core::UnifiedDiff {
-                file_path: PathBuf::from(format!("file{}.rs", i)),
+                file_path: PathBuf::from(format!("file{i}.rs")),
                 old_content: None,
                 new_content: None,
                 is_new: false,
@@ -951,9 +951,8 @@ mod tests {
         // All 50 files should be present
         for i in 0..50 {
             assert!(
-                output.contains(&format!("file{}.rs", i)),
-                "Missing file{}.rs in walkthrough",
-                i
+                output.contains(&format!("file{i}.rs")),
+                "Missing file{i}.rs in walkthrough"
             );
         }
     }
diff --git a/src/parsing/llm_response.rs b/src/parsing/llm_response.rs
index a132656..d22f093 100644
--- a/src/parsing/llm_response.rs
+++ b/src/parsing/llm_response.rs
@@ -469,7 +469,7 @@ fn json_issue_text(item: &serde_json::Value) -> String {
         .filter(|value| !value.is_empty());
 
     match impact {
-        Some(impact) if !issue.contains(impact) => format!("{} Impact: {}", issue, impact),
+        Some(impact) if !issue.contains(impact) => format!("{issue} Impact: {impact}"),
         _ => issue,
     }
 }
@@ -616,10 +616,10 @@ fn capture_usize_lossy(captures: &regex::Captures<'_>, group: usize) -> Option<u
 fn build_suggestion_diff(original: &str, suggested: &str) -> String {
     let mut diff = String::new();
     for line in original.lines() {
-        diff.push_str(&format!("- {}\n", line));
+        diff.push_str(&format!("- {line}\n"));
     }
     for line in suggested.lines() {
-        diff.push_str(&format!("+ {}\n", line));
+        diff.push_str(&format!("+ {line}\n"));
     }
     // Remove trailing newline for consistency
     if diff.ends_with('\n') {
diff --git a/src/parsing/smart_response.rs b/src/parsing/smart_response.rs
index f36d3c1..b80b316 100644
--- a/src/parsing/smart_response.rs
+++ b/src/parsing/smart_response.rs
@@ -436,8 +436,7 @@ TAGS: auth, security
         let conf = parse_smart_confidence("0.85").unwrap();
         assert!(
             (conf - 0.85).abs() < 0.001,
-            "0.85 should be treated as 85% confidence, got {}",
-            conf
+            "0.85 should be treated as 85% confidence, got {conf}"
         );
     }
 
@@ -446,8 +445,7 @@ TAGS: auth, security
         let conf = parse_smart_confidence("0.5").unwrap();
         assert!(
             (conf - 0.5).abs() < 0.001,
-            "0.5 should be treated as 50% confidence, got {}",
-            conf
+            "0.5 should be treated as 50% confidence, got {conf}"
         );
     }
 }
diff --git a/src/plugins/builtin/duplicate_filter.rs b/src/plugins/builtin/duplicate_filter.rs
index b7aca1c..03828f6 100644
--- a/src/plugins/builtin/duplicate_filter.rs
+++ b/src/plugins/builtin/duplicate_filter.rs
@@ -42,7 +42,7 @@ mod tests {
 
     fn make_comment(file: &str, line: usize, content: &str) -> Comment {
         Comment {
-            id: format!("c-{}-{}", file, line),
+            id: format!("c-{file}-{line}"),
             file_path: PathBuf::from(file),
             line_number: line,
             content: content.to_string(),
diff --git a/src/plugins/builtin/eslint.rs b/src/plugins/builtin/eslint.rs
index 00e1336..21e35be 100644
--- a/src/plugins/builtin/eslint.rs
+++ b/src/plugins/builtin/eslint.rs
@@ -209,12 +209,11 @@ mod tests {
     async fn test_eslint_skips_non_js_files() {
         let analyzer = EslintAnalyzer::new();
         for ext in &[".rs", ".py", ".go", ".java", ".rb", ".css", ".html"] {
-            let diff = make_diff(&format!("file{}", ext));
+            let diff = make_diff(&format!("file{ext}"));
             let result = analyzer.run(&diff, "/tmp").await.unwrap();
             assert!(
                 result.context_chunks.is_empty() && result.findings.is_empty(),
-                "Should skip {}",
-                ext
+                "Should skip {ext}"
             );
         }
     }
@@ -225,16 +224,14 @@ mod tests {
         for ext in &[".js", ".ts", ".jsx", ".tsx"] {
             assert!(
                 JS_EXTENSIONS.contains(ext),
-                "JS_EXTENSIONS should contain {}",
-                ext
+                "JS_EXTENSIONS should contain {ext}"
             );
         }
         // And rejects non-JS extensions
         for ext in &[".rs", ".py", ".go"] {
             assert!(
                 !JS_EXTENSIONS.contains(ext),
-                "JS_EXTENSIONS should not contain {}",
-                ext
+                "JS_EXTENSIONS should not contain {ext}"
             );
         }
     }
diff --git a/src/plugins/builtin/secret_scanner.rs b/src/plugins/builtin/secret_scanner.rs
index 47c3778..f60a617 100644
--- a/src/plugins/builtin/secret_scanner.rs
+++ b/src/plugins/builtin/secret_scanner.rs
@@ -509,8 +509,8 @@ impl AllowlistEntry {
 }
 
 fn secret_fingerprint(rule_id: &str, secret: &str) -> String {
-    let digest = Sha256::digest(format!("{}:{}", rule_id, secret).as_bytes());
-    format!("{:x}", digest)
+    let digest = Sha256::digest(format!("{rule_id}:{secret}").as_bytes());
+    format!("{digest:x}")
 }
 
 fn provider_name(rule_id: &str) -> &'static str {
@@ -889,10 +889,7 @@ mod tests {
     fn test_redacts_all_detected_secrets_on_same_line() {
         let github_token = fake_token("ghp_", 'A', 40);
         let slack_webhook = "https://hooks.slack.com/services/TAAAAAAAAA/BAAAAAAAAA/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
-        let line = format!(
-            "GITHUB_TOKEN={} SLACK_WEBHOOK={}",
-            github_token, slack_webhook
-        );
+        let line = format!("GITHUB_TOKEN={github_token} SLACK_WEBHOOK={slack_webhook}");
 
         let findings = SecretScanner::scan_line(&line, 1);
         assert!(findings.len() >= 2, "Should detect both secrets");
@@ -997,7 +994,7 @@ mod tests {
         .unwrap();
         let diff = make_diff_with_lines(
             "config.env",
-            vec![(&format!("TOKEN={}", github_pat), ChangeType::Added)],
+            vec![(&format!("TOKEN={github_pat}"), ChangeType::Added)],
         );
 
         let scanner = SecretScanner::new();
@@ -1018,7 +1015,7 @@ mod tests {
             "BAAAAAAAAA",
             "a".repeat(45)
         );
-        let line = format!("WEBHOOK={}", webhook);
+        let line = format!("WEBHOOK={webhook}");
         let findings = SecretScanner::scan_line(&line, 1);
         assert!(!findings.is_empty(), "Should detect Slack webhook URL");
     }
diff --git a/src/plugins/builtin/supply_chain.rs b/src/plugins/builtin/supply_chain.rs
index a49833e..1ad28ee 100644
--- a/src/plugins/builtin/supply_chain.rs
+++ b/src/plugins/builtin/supply_chain.rs
@@ -167,7 +167,7 @@ impl SupplyChainAnalyzer {
                         findings.push(SupplyChainFinding {
                             rule_id: "sec.supply-chain.non-registry-source",
                             severity: "warning",
-                            description: format!("Git-sourced dependency: {}", trimmed),
+                            description: format!("Git-sourced dependency: {trimmed}"),
                             line_number: line_num,
                         });
                     }
@@ -184,8 +184,7 @@ impl SupplyChainAnalyzer {
                 rule_id: "sec.supply-chain.non-registry-source",
                 severity: "warning",
                 description: format!(
-                    "Git dependency bypasses crates.io checksums — pin to specific rev: {}",
-                    line
+                    "Git dependency bypasses crates.io checksums — pin to specific rev: {line}"
                 ),
                 line_number: line_num,
             });
@@ -194,10 +193,7 @@ impl SupplyChainAnalyzer {
             findings.push(SupplyChainFinding {
                 rule_id: "sec.supply-chain.non-registry-source",
                 severity: "info",
-                description: format!(
-                    "Path dependency (verify this is a workspace member): {}",
-                    line
-                ),
+                description: format!("Path dependency (verify this is a workspace member): {line}"),
                 line_number: line_num,
             });
         }
@@ -205,7 +201,7 @@ impl SupplyChainAnalyzer {
             findings.push(SupplyChainFinding {
                 rule_id: "sec.supply-chain.unpinned-version",
                 severity: "warning",
-                description: format!("Wildcard version allows arbitrary major bumps: {}", line),
+                description: format!("Wildcard version allows arbitrary major bumps: {line}"),
                 line_number: line_num,
             });
         }
@@ -214,8 +210,7 @@ impl SupplyChainAnalyzer {
                 rule_id: "sec.supply-chain.override-directive",
                 severity: "warning",
                 description: format!(
-                    "[patch]/[replace] section can silently redirect dependencies: {}",
-                    line
+                    "[patch]/[replace] section can silently redirect dependencies: {line}"
                 ),
                 line_number: line_num,
             });
@@ -228,8 +223,7 @@ impl SupplyChainAnalyzer {
                 rule_id: "sec.supply-chain.install-scripts",
                 severity: "warning",
                 description: format!(
-                    "Install script detected — executes during npm install: {}",
-                    line
+                    "Install script detected — executes during npm install: {line}"
                 ),
                 line_number: line_num,
             });
@@ -238,7 +232,7 @@ impl SupplyChainAnalyzer {
             findings.push(SupplyChainFinding {
                 rule_id: "sec.supply-chain.non-registry-source",
                 severity: "warning",
-                description: format!("Non-registry dependency source: {}", line),
+                description: format!("Non-registry dependency source: {line}"),
                 line_number: line_num,
             });
         }
@@ -246,10 +240,7 @@ impl SupplyChainAnalyzer {
             findings.push(SupplyChainFinding {
                 rule_id: "sec.supply-chain.unpinned-version",
                 severity: "warning",
-                description: format!(
-                    "Wildcard/latest version — pin to specific version: {}",
-                    line
-                ),
+                description: format!("Wildcard/latest version — pin to specific version: {line}"),
                 line_number: line_num,
             });
         }
@@ -257,10 +248,7 @@ impl SupplyChainAnalyzer {
             findings.push(SupplyChainFinding {
                 rule_id: "sec.supply-chain.override-directive",
                 severity: "info",
-                description: format!(
-                    "Resolution/override section can redirect packages: {}",
-                    line
-                ),
+                description: format!("Resolution/override section can redirect packages: {line}"),
                 line_number: line_num,
             });
         }
@@ -271,10 +259,7 @@ impl SupplyChainAnalyzer {
             findings.push(SupplyChainFinding {
                 rule_id: "sec.supply-chain.non-registry-source",
                 severity: "warning",
-                description: format!(
-                    "Extra/custom index URL — dependency confusion risk: {}",
-                    line
-                ),
+                description: format!("Extra/custom index URL — dependency confusion risk: {line}"),
                 line_number: line_num,
             });
         }
@@ -282,7 +267,7 @@ impl SupplyChainAnalyzer {
             findings.push(SupplyChainFinding {
                 rule_id: "sec.supply-chain.non-registry-source",
                 severity: "warning",
-                description: format!("Git-sourced Python dependency: {}", line),
+                description: format!("Git-sourced Python dependency: {line}"),
                 line_number: line_num,
             });
         }
@@ -290,7 +275,7 @@ impl SupplyChainAnalyzer {
             findings.push(SupplyChainFinding {
                 rule_id: "sec.supply-chain.unpinned-version",
                 severity: "info",
-                description: format!("Unpinned or loosely pinned dependency: {}", line),
+                description: format!("Unpinned or loosely pinned dependency: {line}"),
                 line_number: line_num,
             });
         }
@@ -302,8 +287,7 @@ impl SupplyChainAnalyzer {
                 rule_id: "sec.supply-chain.override-directive",
                 severity: "warning",
                 description: format!(
-                    "Go replace directive — redirects module resolution, risky in production: {}",
-                    line
+                    "Go replace directive — redirects module resolution, risky in production: {line}"
                 ),
                 line_number: line_num,
             });
@@ -318,8 +302,7 @@ impl SupplyChainAnalyzer {
                     rule_id: "sec.supply-chain.ci-injection",
                     severity: "warning",
                     description: format!(
-                        "Action not pinned to full SHA — mutable tag can be hijacked: {}",
-                        line
+                        "Action not pinned to full SHA — mutable tag can be hijacked: {line}"
                     ),
                     line_number: line_num,
                 });
@@ -330,8 +313,7 @@ impl SupplyChainAnalyzer {
                 rule_id: "sec.supply-chain.ci-injection",
                 severity: "error",
                 description: format!(
-                    "Script injection via github.event context — attacker-controlled PR title/body/branch: {}",
-                    line
+                    "Script injection via github.event context — attacker-controlled PR title/body/branch: {line}"
                 ),
                 line_number: line_num,
             });
@@ -341,8 +323,7 @@ impl SupplyChainAnalyzer {
                 rule_id: "sec.supply-chain.ci-injection",
                 severity: "warning",
                 description: format!(
-                    "pull_request_target trigger — if it checks out PR code, it executes untrusted code with write permissions: {}",
-                    line
+                    "pull_request_target trigger — if it checks out PR code, it executes untrusted code with write permissions: {line}"
                 ),
                 line_number: line_num,
             });
@@ -360,8 +341,7 @@ impl SupplyChainAnalyzer {
                 rule_id: "sec.supply-chain.lockfile-tampering",
                 severity: "error",
                 description: format!(
-                    "HTTP (not HTTPS) registry URL in lockfile — MITM risk: {}",
-                    line
+                    "HTTP (not HTTPS) registry URL in lockfile — MITM risk: {line}"
                 ),
                 line_number: line_num,
             });
@@ -374,8 +354,7 @@ impl SupplyChainAnalyzer {
                     rule_id: "sec.supply-chain.lockfile-tampering",
                     severity: "warning",
                     description: format!(
-                        "Non-standard registry URL in lockfile — verify this is intentional: {}",
-                        line
+                        "Non-standard registry URL in lockfile — verify this is intentional: {line}"
                     ),
                     line_number: line_num,
                 });
diff --git a/src/review/compression.rs b/src/review/compression.rs
index e3f6e48..708991a 100644
--- a/src/review/compression.rs
+++ b/src/review/compression.rs
@@ -104,8 +104,8 @@ mod tests {
         let diff = make_simple_diff("file.rs", 400);
         let tokens = estimate_diff_tokens(&diff);
         // Should be approximately 100 + overhead
-        assert!(tokens >= 80, "tokens={} too low", tokens);
-        assert!(tokens <= 200, "tokens={} too high", tokens);
+        assert!(tokens >= 80, "tokens={tokens} too low");
+        assert!(tokens <= 200, "tokens={tokens} too high");
     }
 
     // --- is_deletion_only_hunk ---
@@ -296,7 +296,7 @@ mod tests {
     #[test]
     fn test_multicall_respects_max_calls() {
         let diffs: Vec<_> = (0..10)
-            .map(|i| make_simple_diff(&format!("file{}.rs", i), 2000))
+            .map(|i| make_simple_diff(&format!("file{i}.rs"), 2000))
             .collect();
         let single_tokens = estimate_diff_tokens(&diffs[0]);
         let result = compress_diffs(&diffs, single_tokens + 10, 3);
@@ -317,7 +317,7 @@ mod tests {
     #[test]
     fn test_all_indices_accounted_for() {
         let diffs: Vec<_> = (0..5)
-            .map(|i| make_simple_diff(&format!("f{}.rs", i), 1000))
+            .map(|i| make_simple_diff(&format!("f{i}.rs"), 1000))
             .collect();
         let single_tokens = estimate_diff_tokens(&diffs[0]);
         let result = compress_diffs(&diffs, single_tokens * 2, 3);
@@ -337,7 +337,7 @@ mod tests {
     #[test]
     fn test_batch_indices_sorted() {
         let diffs: Vec<_> = (0..5)
-            .map(|i| make_simple_diff(&format!("f{}.rs", i), 1000))
+            .map(|i| make_simple_diff(&format!("f{i}.rs"), 1000))
             .collect();
         let result = compress_diffs(&diffs, 500, 5);
         for batch in &result.batches {
@@ -383,18 +383,8 @@ mod tests {
         let t_small = estimate_diff_tokens(&small);
         let t_medium = estimate_diff_tokens(&medium);
         let t_large = estimate_diff_tokens(&large);
-        assert!(
-            t_small < t_medium,
-            "small={} >= medium={}",
-            t_small,
-            t_medium
-        );
-        assert!(
-            t_medium < t_large,
-            "medium={} >= large={}",
-            t_medium,
-            t_large
-        );
+        assert!(t_small < t_medium, "small={t_small} >= medium={t_medium}");
+        assert!(t_medium < t_large, "medium={t_medium} >= large={t_large}");
     }
 
     #[test]
@@ -412,9 +402,7 @@ mod tests {
         let clipped_tokens = estimate_diff_tokens(&clipped);
         assert!(
             clipped_tokens < original_tokens,
-            "Clipped ({}) should be smaller than original ({})",
-            clipped_tokens,
-            original_tokens
+            "Clipped ({clipped_tokens}) should be smaller than original ({original_tokens})"
         );
     }
 
@@ -506,15 +494,14 @@ mod tests {
         assert_eq!(
             result.skipped_indices.len(),
             2,
-            "Both deletion-only diffs should be skipped, got {:?}",
-            result
+            "Both deletion-only diffs should be skipped, got {result:?}"
         );
     }
 
     #[test]
     fn test_no_duplicate_indices_across_batches() {
         let diffs: Vec<_> = (0..8)
-            .map(|i| make_simple_diff(&format!("f{}.rs", i), 2000))
+            .map(|i| make_simple_diff(&format!("f{i}.rs"), 2000))
             .collect();
         let single_tokens = estimate_diff_tokens(&diffs[0]);
         let result = compress_diffs(&diffs, single_tokens * 2, 4);
@@ -522,14 +509,13 @@ mod tests {
         let mut seen = std::collections::HashSet::new();
         for batch in &result.batches {
             for &idx in &batch.diff_indices {
-                assert!(seen.insert(idx), "Duplicate index {} across batches", idx);
+                assert!(seen.insert(idx), "Duplicate index {idx} across batches");
             }
         }
         for &idx in &result.skipped_indices {
             assert!(
                 seen.insert(idx),
-                "Index {} appears in both batches and skipped",
-                idx
+                "Index {idx} appears in both batches and skipped"
             );
         }
     }
diff --git a/src/review/compression/summary.rs b/src/review/compression/summary.rs
index 5a32396..a4fda90 100644
--- a/src/review/compression/summary.rs
+++ b/src/review/compression/summary.rs
@@ -25,7 +25,7 @@ pub fn build_skipped_summary(diffs: &[UnifiedDiff], skipped_indices: &[usize]) -
     if !deleted.is_empty() {
         summary.push_str("Deleted files (not reviewed):\n");
         for file in &deleted {
-            summary.push_str(&format!("  - {}\n", file));
+            summary.push_str(&format!("  - {file}\n"));
         }
     }
     if !modified.is_empty() {
@@ -34,7 +34,7 @@ pub fn build_skipped_summary(diffs: &[UnifiedDiff], skipped_indices: &[usize]) -
         }
         summary.push_str("Additional modified files (not reviewed due to context budget):\n");
         for file in &modified {
-            summary.push_str(&format!("  - {}\n", file));
+            summary.push_str(&format!("  - {file}\n"));
         }
     }
     summary
diff --git a/src/review/context_helpers/ranking.rs b/src/review/context_helpers/ranking.rs
index 7965d85..dea7183 100644
--- a/src/review/context_helpers/ranking.rs
+++ b/src/review/context_helpers/ranking.rs
@@ -82,7 +82,7 @@ mod tests {
         };
         let chunks: Vec<core::LLMContextChunk> = (0..5)
             .map(|i| core::LLMContextChunk {
-                content: format!("chunk {}", i),
+                content: format!("chunk {i}"),
                 context_type: core::ContextType::Documentation,
                 file_path: PathBuf::from("test.rs"),
                 line_range: None,
@@ -106,7 +106,7 @@ mod tests {
         };
         let chunks: Vec<core::LLMContextChunk> = (0..5)
             .map(|i| core::LLMContextChunk {
-                content: format!("chunk {} with some content here", i),
+                content: format!("chunk {i} with some content here"),
                 context_type: core::ContextType::Documentation,
                 file_path: PathBuf::from("test.rs"),
                 line_range: None,
diff --git a/src/review/feedback.rs b/src/review/feedback.rs
index d6de0b9..ea0f1d3 100644
--- a/src/review/feedback.rs
+++ b/src/review/feedback.rs
@@ -199,13 +199,11 @@ mod tests {
         let context = generate_feedback_context(&store);
         assert!(
             context.contains("Security"),
-            "Should mention Security: {}",
-            context
+            "Should mention Security: {context}"
         );
         assert!(
             context.contains("thorough"),
-            "Should advise thoroughness: {}",
-            context
+            "Should advise thoroughness: {context}"
         );
     }
 
@@ -219,15 +217,10 @@ mod tests {
             store.record_feedback("Style", None, false);
         }
         let context = generate_feedback_context(&store);
-        assert!(
-            context.contains("Style"),
-            "Should mention Style: {}",
-            context
-        );
+        assert!(context.contains("Style"), "Should mention Style: {context}");
         assert!(
             context.contains("rejected"),
-            "Should note rejection: {}",
-            context
+            "Should note rejection: {context}"
         );
     }
 
@@ -243,8 +236,7 @@ mod tests {
         let context = generate_feedback_context(&store);
         assert!(
             context.contains("*.test.ts"),
-            "Should mention file pattern: {}",
-            context
+            "Should mention file pattern: {context}"
         );
     }
 }
diff --git a/src/review/feedback/store.rs b/src/review/feedback/store.rs
index c6d8215..29ead8b 100644
--- a/src/review/feedback/store.rs
+++ b/src/review/feedback/store.rs
@@ -88,7 +88,7 @@ impl FeedbackStore {
             let fp_stats = self.by_file_pattern.entry(pattern.clone()).or_default();
             update_pattern_stats(fp_stats, accepted);
 
-            let composite = format!("{}|{}", category, pattern);
+            let composite = format!("{category}|{pattern}");
             let comp_stats = self.by_category_file_pattern.entry(composite).or_default();
             update_pattern_stats(comp_stats, accepted);
         }
diff --git a/src/review/filters/confidence.rs b/src/review/filters/confidence.rs
index 45cb458..8138d9a 100644
--- a/src/review/filters/confidence.rs
+++ b/src/review/filters/confidence.rs
@@ -63,7 +63,7 @@ fn lookup_feedback_confidence_stats<'a>(
     file_patterns
         .iter()
         .find_map(|pattern| {
-            let key = format!("{}|{}", category, pattern);
+            let key = format!("{category}|{pattern}");
             feedback.by_category_file_pattern.get(&key)
         })
         .or_else(|| {
diff --git a/src/review/filters/vague.rs b/src/review/filters/vague.rs
index 52cdd85..f01d7de 100644
--- a/src/review/filters/vague.rs
+++ b/src/review/filters/vague.rs
@@ -36,7 +36,7 @@ pub fn is_vague_comment_text(text: &str) -> bool {
     let lower = trimmed.to_ascii_lowercase();
     if VAGUE_COMMENT_PREFIXES
         .iter()
-        .any(|prefix| lower == *prefix || lower.starts_with(&format!("{} ", prefix)))
+        .any(|prefix| lower == *prefix || lower.starts_with(&format!("{prefix} ")))
     {
         return true;
     }
diff --git a/src/review/pipeline/context/related/callers.rs b/src/review/pipeline/context/related/callers.rs
index 130c571..95a00c2 100644
--- a/src/review/pipeline/context/related/callers.rs
+++ b/src/review/pipeline/context/related/callers.rs
@@ -42,7 +42,7 @@ mod tests {
     #[test]
     fn test_utf8_safe_truncation() {
         let prefix = "a".repeat(1999);
-        let value = format!("{}€rest", prefix);
+        let value = format!("{prefix}€rest");
         assert!(value.len() > 2000);
 
         let truncated = truncate_summary(&value);
diff --git a/src/review/pipeline/context/related/test_files.rs b/src/review/pipeline/context/related/test_files.rs
index 4718c03..3fd1b88 100644
--- a/src/review/pipeline/context/related/test_files.rs
+++ b/src/review/pipeline/context/related/test_files.rs
@@ -22,11 +22,8 @@ fn build_test_chunk(test_path: &Path, repo_path: &Path) -> Option<core::LLMConte
     }
 
     Some(
-        core::LLMContextChunk::reference(
-            relative.to_path_buf(),
-            format!("[Test file]\n{}", snippet),
-        )
-        .with_provenance(core::ContextProvenance::RelatedTestFile),
+        core::LLMContextChunk::reference(relative.to_path_buf(), format!("[Test file]\n{snippet}"))
+            .with_provenance(core::ContextProvenance::RelatedTestFile),
     )
 }
 
@@ -39,26 +36,18 @@ fn find_test_files(file_path: &Path, repo_path: &Path) -> Vec<PathBuf> {
     let parent = file_path.parent().unwrap_or(Path::new(""));
 
     vec![
-        repo_path
-            .join(parent)
-            .join(format!("test_{}.{}", stem, ext)),
-        repo_path
-            .join(parent)
-            .join(format!("{}_test.{}", stem, ext)),
-        repo_path
-            .join(parent)
-            .join(format!("{}.test.{}", stem, ext)),
-        repo_path
-            .join(parent)
-            .join(format!("{}.spec.{}", stem, ext)),
+        repo_path.join(parent).join(format!("test_{stem}.{ext}")),
+        repo_path.join(parent).join(format!("{stem}_test.{ext}")),
+        repo_path.join(parent).join(format!("{stem}.test.{ext}")),
+        repo_path.join(parent).join(format!("{stem}.spec.{ext}")),
         repo_path
             .join(parent)
             .join("tests")
-            .join(format!("{}.{}", stem, ext)),
+            .join(format!("{stem}.{ext}")),
         repo_path
             .join(parent)
             .join("__tests__")
-            .join(format!("{}.{}", stem, ext)),
+            .join(format!("{stem}.{ext}")),
     ]
     .into_iter()
     .filter(|path| path.is_file())
diff --git a/src/review/pipeline/guidance/sections.rs b/src/review/pipeline/guidance/sections.rs
index 1ce1d15..903b2a8 100644
--- a/src/review/pipeline/guidance/sections.rs
+++ b/src/review/pipeline/guidance/sections.rs
@@ -54,7 +54,7 @@ fn review_profile_section(config: &config::Config) -> Option<String> {
         _ => None,
     }?;
 
-    Some(format!("Review profile ({}): {}", profile, guidance))
+    Some(format!("Review profile ({profile}): {guidance}"))
 }
 
 fn global_instructions_section(config: &config::Config) -> Option<String> {
@@ -62,7 +62,7 @@ fn global_instructions_section(config: &config::Config) -> Option<String> {
     if instructions.is_empty() {
         None
     } else {
-        Some(format!("Global review instructions:\n{}", instructions))
+        Some(format!("Global review instructions:\n{instructions}"))
     }
 }
 
@@ -71,7 +71,7 @@ fn path_instructions_section(path_config: Option<&config::PathConfig>) -> Option
     if instructions.is_empty() {
         None
     } else {
-        Some(format!("Path-specific instructions:\n{}", instructions))
+        Some(format!("Path-specific instructions:\n{instructions}"))
     }
 }
 
@@ -81,8 +81,7 @@ fn output_language_section(config: &config::Config) -> Option<String> {
         None
     } else {
         Some(format!(
-            "Write all review comments and suggestions in {}.",
-            lang
+            "Write all review comments and suggestions in {lang}."
         ))
     }
 }
diff --git a/src/review/pipeline/postprocess/dedup.rs b/src/review/pipeline/postprocess/dedup.rs
index 817456c..26048d7 100644
--- a/src/review/pipeline/postprocess/dedup.rs
+++ b/src/review/pipeline/postprocess/dedup.rs
@@ -40,7 +40,7 @@ mod tests {
 
     fn make_comment(file: &str, line: usize, content: &str, tag: &str) -> core::Comment {
         core::Comment {
-            id: format!("cmt_{}", line),
+            id: format!("cmt_{line}"),
             file_path: PathBuf::from(file),
             line_number: line,
             content: content.to_string(),
diff --git a/src/review/pipeline/repo_support/diff.rs b/src/review/pipeline/repo_support/diff.rs
index 655d669..73810c2 100644
--- a/src/review/pipeline/repo_support/diff.rs
+++ b/src/review/pipeline/repo_support/diff.rs
@@ -13,7 +13,7 @@ pub(in super::super) fn chunk_diff_for_context(
         let section = if chunks.is_empty() && current_chunk.is_empty() {
             section.to_string()
         } else {
-            format!("diff --git {}", section)
+            format!("diff --git {section}")
         };
 
         if current_chunk.len() + section.len() > max_chars && !current_chunk.is_empty() {
@@ -72,7 +72,7 @@ mod tests {
         let file_a = "diff --git a/a.rs b/a.rs\n+alpha\n";
         let file_b = "\ndiff --git a/b.rs b/b.rs\n+beta\n";
         let file_c = "\ndiff --git a/c.rs b/c.rs\n+gamma\n";
-        let diff = format!("{}{}{}", file_a, file_b, file_c);
+        let diff = format!("{file_a}{file_b}{file_c}");
         let chunks = chunk_diff_for_context(&diff, 50);
         let rejoined = chunks.join("");
         assert!(rejoined.contains("+alpha"));
diff --git a/src/review/pipeline/services/adapter_init.rs b/src/review/pipeline/services/adapter_init.rs
index f2ad66f..c25ea96 100644
--- a/src/review/pipeline/services/adapter_init.rs
+++ b/src/review/pipeline/services/adapter_init.rs
@@ -47,7 +47,7 @@ fn build_verification_adapters(
         if verification_config.model_name != model_config.model_name {
             info!(
                 "Using '{}' model '{}' for verification pass",
-                format!("{:?}", role).to_lowercase(),
+                format!("{role:?}").to_lowercase(),
                 verification_config.model_name
             );
             verification_adapters.push(Arc::from(adapters::llm::create_adapter(
diff --git a/src/review/pipeline/session/build.rs b/src/review/pipeline/session/build.rs
index af2f4b9..8fd353c 100644
--- a/src/review/pipeline/session/build.rs
+++ b/src/review/pipeline/session/build.rs
@@ -113,7 +113,7 @@ fn detect_auto_instructions(services: &PipelineServices) -> Option<String> {
         Some(
             detected
                 .iter()
-                .map(|(name, content)| format!("# From {}\n{}", name, content))
+                .map(|(name, content)| format!("# From {name}\n{content}"))
                 .collect::<Vec<_>>()
                 .join("\n\n"),
         )
diff --git a/src/review/rule_helpers/reporting/files.rs b/src/review/rule_helpers/reporting/files.rs
index c6bab5e..411df79 100644
--- a/src/review/rule_helpers/reporting/files.rs
+++ b/src/review/rule_helpers/reporting/files.rs
@@ -57,7 +57,7 @@ pub fn format_top_findings_by_file(
             let rule = comment
                 .rule_id
                 .as_deref()
-                .map(|rule_id| format!(" rule:{}", rule_id))
+                .map(|rule_id| format!(" rule:{rule_id}"))
                 .unwrap_or_default();
             out.push_str(&format!(
                 "  - `L{}` [{:?}{}] {}\n",
diff --git a/src/review/rule_helpers/reporting/summary.rs b/src/review/rule_helpers/reporting/summary.rs
index d6a4f7f..a2f2b37 100644
--- a/src/review/rule_helpers/reporting/summary.rs
+++ b/src/review/rule_helpers/reporting/summary.rs
@@ -26,7 +26,7 @@ pub fn build_pr_summary_comment_body(
     body.push_str("\n### Severity Breakdown\n");
     for severity in ["Error", "Warning", "Info", "Suggestion"] {
         let count = summary.by_severity.get(severity).copied().unwrap_or(0);
-        body.push_str(&format!("- {}: {}\n", severity, count));
+        body.push_str(&format!("- {severity}: {count}\n"));
     }
 
     let rule_hits = summarize_rule_hits(comments, 8, rule_priority);
diff --git a/src/review/rule_helpers/runtime/context.rs b/src/review/rule_helpers/runtime/context.rs
index ddc2355..68dc140 100644
--- a/src/review/rule_helpers/runtime/context.rs
+++ b/src/review/rule_helpers/runtime/context.rs
@@ -40,13 +40,13 @@ fn format_rule_context_line(rule: &core::ReviewRule) -> String {
 fn rule_context_attributes(rule: &core::ReviewRule) -> Vec<String> {
     let mut attrs = Vec::new();
     if let Some(scope) = &rule.scope {
-        attrs.push(format!("scope={}", scope));
+        attrs.push(format!("scope={scope}"));
     }
     if let Some(severity) = &rule.severity {
-        attrs.push(format!("severity={}", severity));
+        attrs.push(format!("severity={severity}"));
     }
     if let Some(category) = &rule.category {
-        attrs.push(format!("category={}", category));
+        attrs.push(format!("category={category}"));
     }
     if !rule.tags.is_empty() {
         attrs.push(format!("tags={}", rule.tags.join("|")));
diff --git a/src/review/verification/prompt/render.rs b/src/review/verification/prompt/render.rs
index 7f777ea..0d31369 100644
--- a/src/review/verification/prompt/render.rs
+++ b/src/review/verification/prompt/render.rs
@@ -22,7 +22,7 @@ pub(super) fn render_comment_section(
     );
 
     if let Some(suggestion) = comment.suggestion.as_ref() {
-        section.push_str(&format!("- Suggestion: {}\n", suggestion));
+        section.push_str(&format!("- Suggestion: {suggestion}\n"));
     }
 
     if let Some(diff) = diff {
@@ -56,7 +56,7 @@ fn append_code_block(section: &mut String, label: &str, language: &str, content:
     }
 
     section.push_str(label);
-    section.push_str(&format!("```{}\n", language));
+    section.push_str(&format!("```{language}\n"));
     section.push_str(content);
     section.push_str("\n```\n");
 }
@@ -68,7 +68,7 @@ fn format_context_chunk_for_verification(chunk: &LLMContextChunk) -> String {
         chunk.file_path.display(),
         chunk
             .line_range
-            .map(|(start, end)| format!(":{}-{}", start, end))
+            .map(|(start, end)| format!(":{start}-{end}"))
             .unwrap_or_default()
     );
 
diff --git a/src/review/verification/tests.rs b/src/review/verification/tests.rs
index 7f54ca6..c418a26 100644
--- a/src/review/verification/tests.rs
+++ b/src/review/verification/tests.rs
@@ -104,7 +104,7 @@ fn build_prompt_for_tests_with_context(
                 "let query = format!(\"SELECT * FROM users WHERE id = {}\", user_id);".to_string()
             }
             20 => "let user = maybe_user.unwrap();".to_string(),
-            _ => format!("// line {}", line),
+            _ => format!("// line {line}"),
         })
         .collect::<Vec<_>>()
         .join("\n");
diff --git a/src/server/api.rs b/src/server/api.rs
index 55447f7..fbe31fc 100644
--- a/src/server/api.rs
+++ b/src/server/api.rs
@@ -347,7 +347,7 @@ async fn run_review_task(
     let diff_content = match diff_result {
         Ok(diff) => diff,
         Err(e) => {
-            let err_msg = format!("Failed to get diff: {}", e);
+            let err_msg = format!("Failed to get diff: {e}");
             let event = ReviewEventBuilder::new(&review_id, "review.failed", &diff_source, &model)
                 .provider(provider.as_deref())
                 .base_url(base_url.as_deref())
@@ -479,7 +479,7 @@ async fn run_review_task(
             }
         }
         Ok(Err(e)) => {
-            let err_msg = format!("Review failed: {}", e);
+            let err_msg = format!("Review failed: {e}");
             let event = ReviewEventBuilder::new(&review_id, "review.failed", &diff_source, &model)
                 .provider(provider.as_deref())
                 .base_url(base_url.as_deref())
@@ -542,7 +542,7 @@ fn get_diff_from_git(
         "branch" => {
             let base_branch = base.unwrap_or("main");
             Command::new("git")
-                .args(["diff", &format!("{}...HEAD", base_branch)])
+                .args(["diff", &format!("{base_branch}...HEAD")])
                 .current_dir(repo_path)
                 .output()?
         }
@@ -783,7 +783,7 @@ pub async fn get_doctor(State(state): State<Arc<AppState>>) -> Json<serde_json::
     };
 
     // Check Ollama
-    let ollama_url = format!("{}/api/tags", base_url);
+    let ollama_url = format!("{base_url}/api/tags");
     if let Ok(resp) = client.get(&ollama_url).send().await {
         if resp.status().is_success() {
             result["endpoint_reachable"] = serde_json::json!(true);
@@ -818,7 +818,7 @@ pub async fn get_doctor(State(state): State<Arc<AppState>>) -> Json<serde_json::
 
     // Check OpenAI-compatible
     if !result["endpoint_reachable"].as_bool().unwrap_or(false) {
-        let openai_url = format!("{}/v1/models", base_url);
+        let openai_url = format!("{base_url}/v1/models");
         if let Ok(resp) = client.get(&openai_url).send().await {
             if resp.status().is_success() {
                 result["endpoint_reachable"] = serde_json::json!(true);
@@ -857,7 +857,7 @@ pub async fn update_config(
     }
 
     let new_config: crate::config::Config = serde_json::from_value(current)
-        .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid config: {}", e)))?;
+        .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid config: {e}")))?;
 
     *config = new_config;
     config.normalize();
@@ -930,7 +930,7 @@ pub async fn test_provider(Json(request): Json<TestProviderRequest>) -> Json<Tes
         Err(e) => {
             return Json(TestProviderResponse {
                 ok: false,
-                message: format!("Failed to create HTTP client: {}", e),
+                message: format!("Failed to create HTTP client: {e}"),
                 models: Vec::new(),
             });
         }
@@ -969,7 +969,7 @@ pub async fn test_provider(Json(request): Json<TestProviderRequest>) -> Json<Tes
                 }),
                 Err(e) => Json(TestProviderResponse {
                     ok: false,
-                    message: format!("Failed to connect to Ollama at {}: {}", url, e),
+                    message: format!("Failed to connect to Ollama at {url}: {e}"),
                     models: Vec::new(),
                 }),
             }
@@ -992,7 +992,7 @@ pub async fn test_provider(Json(request): Json<TestProviderRequest>) -> Json<Tes
             }
             let req = client
                 .get(&url)
-                .header("Authorization", format!("Bearer {}", api_key));
+                .header("Authorization", format!("Bearer {api_key}"));
             match req.send().await {
                 Ok(resp) if resp.status().is_success() => {
                     let mut models = Vec::new();
@@ -1021,7 +1021,7 @@ pub async fn test_provider(Json(request): Json<TestProviderRequest>) -> Json<Tes
                     let msg = if status.as_u16() == 401 {
                         "Authentication failed. Check your API key.".to_string()
                     } else {
-                        format!("{} returned status {}: {}", provider, status, body)
+                        format!("{provider} returned status {status}: {body}")
                     };
                     Json(TestProviderResponse {
                         ok: false,
@@ -1031,7 +1031,7 @@ pub async fn test_provider(Json(request): Json<TestProviderRequest>) -> Json<Tes
                 }
                 Err(e) => Json(TestProviderResponse {
                     ok: false,
-                    message: format!("Failed to connect to {}: {}", provider, e),
+                    message: format!("Failed to connect to {provider}: {e}"),
                     models: Vec::new(),
                 }),
             }
@@ -1076,7 +1076,7 @@ pub async fn test_provider(Json(request): Json<TestProviderRequest>) -> Json<Tes
                     let msg = if status.as_u16() == 401 {
                         "Authentication failed. Check your API key.".to_string()
                     } else {
-                        format!("Anthropic returned status {}: {}", status, body_text)
+                        format!("Anthropic returned status {status}: {body_text}")
                     };
                     Json(TestProviderResponse {
                         ok: false,
@@ -1086,7 +1086,7 @@ pub async fn test_provider(Json(request): Json<TestProviderRequest>) -> Json<Tes
                 }
                 Err(e) => Json(TestProviderResponse {
                     ok: false,
-                    message: format!("Failed to connect to Anthropic: {}", e),
+                    message: format!("Failed to connect to Anthropic: {e}"),
                     models: Vec::new(),
                 }),
             }
@@ -1120,11 +1120,11 @@ async fn github_api_get(
 ) -> Result<reqwest::Response, String> {
     let resp = client
         .get(url)
-        .header("Authorization", format!("Bearer {}", token))
+        .header("Authorization", format!("Bearer {token}"))
         .header("Accept", "application/vnd.github+json")
         .send()
         .await
-        .map_err(|e| format!("GitHub API error: {}", e))?;
+        .map_err(|e| format!("GitHub API error: {e}"))?;
 
     log_rate_limit(&resp);
 
@@ -1148,12 +1148,12 @@ async fn github_api_post(
 ) -> Result<reqwest::Response, String> {
     let resp = client
         .post(url)
-        .header("Authorization", format!("Bearer {}", token))
+        .header("Authorization", format!("Bearer {token}"))
         .header("Accept", "application/vnd.github+json")
         .json(body)
         .send()
         .await
-        .map_err(|e| format!("GitHub API error: {}", e))?;
+        .map_err(|e| format!("GitHub API error: {e}"))?;
 
     log_rate_limit(&resp);
     Ok(resp)
@@ -1167,24 +1167,24 @@ async fn github_api_get_diff(
 ) -> Result<String, String> {
     let resp = client
         .get(url)
-        .header("Authorization", format!("Bearer {}", token))
+        .header("Authorization", format!("Bearer {token}"))
         .header("Accept", "application/vnd.github.v3.diff")
         .send()
         .await
-        .map_err(|e| format!("GitHub API error: {}", e))?;
+        .map_err(|e| format!("GitHub API error: {e}"))?;
 
     log_rate_limit(&resp);
 
     if !resp.status().is_success() {
         let status = resp.status();
         let body = resp.text().await.unwrap_or_default();
-        return Err(format!("GitHub API returned {}: {}", status, body));
+        return Err(format!("GitHub API returned {status}: {body}"));
     }
 
     let text = resp
         .text()
         .await
-        .map_err(|e| format!("Failed to read diff response: {}", e))?;
+        .map_err(|e| format!("Failed to read diff response: {e}"))?;
 
     // Enforce diff size limit
     if text.len() > MAX_DIFF_SIZE {
@@ -1355,14 +1355,14 @@ pub async fn get_gh_repos(
             let body = resp.text().await.unwrap_or_default();
             return Err((
                 StatusCode::BAD_GATEWAY,
-                format!("GitHub API returned {}: {}", status, body),
+                format!("GitHub API returned {status}: {body}"),
             ));
         }
 
         let body: serde_json::Value = resp.json().await.map_err(|e| {
             (
                 StatusCode::BAD_GATEWAY,
-                format!("Failed to parse response: {}", e),
+                format!("Failed to parse response: {e}"),
             )
         })?;
 
@@ -1413,8 +1413,7 @@ pub async fn get_gh_repos(
         Ok(Json(repos))
     } else {
         let url = format!(
-            "https://api.github.com/user/repos?sort=updated&per_page={}&page={}",
-            per_page, page,
+            "https://api.github.com/user/repos?sort=updated&per_page={per_page}&page={page}",
         );
 
         let resp = github_api_get(&state.http_client, &token, &url)
@@ -1426,14 +1425,14 @@ pub async fn get_gh_repos(
             let body = resp.text().await.unwrap_or_default();
             return Err((
                 StatusCode::BAD_GATEWAY,
-                format!("GitHub API returned {}: {}", status, body),
+                format!("GitHub API returned {status}: {body}"),
             ));
         }
 
         let items: Vec<serde_json::Value> = resp.json().await.map_err(|e| {
             (
                 StatusCode::BAD_GATEWAY,
-                format!("Failed to parse response: {}", e),
+                format!("Failed to parse response: {e}"),
             )
         })?;
 
@@ -1508,7 +1507,7 @@ async fn get_github_username(client: &reqwest::Client, token: &str) -> Result<St
     let body: serde_json::Value = resp
         .json()
         .await
-        .map_err(|e| format!("Failed to parse user response: {}", e))?;
+        .map_err(|e| format!("Failed to parse user response: {e}"))?;
     body.get("login")
         .and_then(|v| v.as_str())
         .map(|s| s.to_string())
@@ -1603,14 +1602,14 @@ pub async fn get_gh_prs(
         let body = resp.text().await.unwrap_or_default();
         return Err((
             StatusCode::BAD_GATEWAY,
-            format!("GitHub API returned {}: {}", status, body),
+            format!("GitHub API returned {status}: {body}"),
         ));
     }
 
     let items: Vec<serde_json::Value> = resp.json().await.map_err(|e| {
         (
             StatusCode::BAD_GATEWAY,
-            format!("Failed to parse response: {}", e),
+            format!("Failed to parse response: {e}"),
         )
     })?;
 
@@ -1815,7 +1814,7 @@ async fn run_pr_review_task(
     };
 
     let task_start = std::time::Instant::now();
-    let diff_source = format!("pr:{}#{}", repo, pr_number);
+    let diff_source = format!("pr:{repo}#{pr_number}");
     AppState::mark_running(&state, &review_id).await;
 
     let config = state.config.read().await.clone();
@@ -1942,7 +1941,7 @@ async fn run_pr_review_task(
             }
         }
         Ok(Err(e)) => {
-            let err_msg = format!("Review failed: {}", e);
+            let err_msg = format!("Review failed: {e}");
             let event = ReviewEventBuilder::new(&review_id, "review.failed", &diff_source, &model)
                 .provider(provider.as_deref())
                 .base_url(base_url.as_deref())
@@ -2075,17 +2074,17 @@ pub(super) async fn post_pr_review_comments(
     summary: Option<&crate::core::comment::ReviewSummary>,
 ) -> Result<(), String> {
     // Fetch PR head SHA (required for inline comments)
-    let pr_url = format!("https://api.github.com/repos/{}/pulls/{}", repo, pr_number,);
+    let pr_url = format!("https://api.github.com/repos/{repo}/pulls/{pr_number}",);
     let pr_resp = github_api_get(client, token, &pr_url).await?;
     if !pr_resp.status().is_success() {
         let status = pr_resp.status();
         let body = pr_resp.text().await.unwrap_or_default();
-        return Err(format!("Failed to get PR info {}: {}", status, body));
+        return Err(format!("Failed to get PR info {status}: {body}"));
     }
     let pr_data: serde_json::Value = pr_resp
         .json()
         .await
-        .map_err(|e| format!("Failed to parse PR response: {}", e))?;
+        .map_err(|e| format!("Failed to parse PR response: {e}"))?;
     let commit_id = pr_data
         .get("head")
         .and_then(|h| h.get("sha"))
@@ -2113,7 +2112,7 @@ pub(super) async fn post_pr_review_comments(
         comment_body.push_str(&format!("\n\n{}", c.content));
 
         if let Some(ref suggestion) = c.suggestion {
-            comment_body.push_str(&format!("\n\n> **Suggestion:** {}", suggestion));
+            comment_body.push_str(&format!("\n\n> **Suggestion:** {suggestion}"));
         }
         // Calculate the line span for multi-line suggestions.
         // GitHub requires `start_line` + `line` when a suggestion covers multiple lines.
@@ -2171,7 +2170,7 @@ pub(super) async fn post_pr_review_comments(
         if !s.recommendations.is_empty() {
             review_body_text.push_str("**Recommendations:**\n");
             for rec in &s.recommendations {
-                review_body_text.push_str(&format!("- {}\n", rec));
+                review_body_text.push_str(&format!("- {rec}\n"));
             }
             review_body_text.push('\n');
         }
@@ -2202,10 +2201,7 @@ pub(super) async fn post_pr_review_comments(
         "comments": inline_comments,
     });
 
-    let url = format!(
-        "https://api.github.com/repos/{}/pulls/{}/reviews",
-        repo, pr_number,
-    );
+    let url = format!("https://api.github.com/repos/{repo}/pulls/{pr_number}/reviews",);
 
     let resp = github_api_post(client, token, &url, &review_payload).await?;
 
@@ -2215,7 +2211,7 @@ pub(super) async fn post_pr_review_comments(
     } else {
         let status = resp.status();
         let body = resp.text().await.unwrap_or_default();
-        Err(format!("GitHub API returned {}: {}", status, body))
+        Err(format!("GitHub API returned {status}: {body}"))
     }
 }
 
diff --git a/src/server/github.rs b/src/server/github.rs
index e8a5b7b..98cb258 100644
--- a/src/server/github.rs
+++ b/src/server/github.rs
@@ -58,7 +58,7 @@ pub async fn start_device_flow(
         .map_err(|e| {
             (
                 StatusCode::BAD_GATEWAY,
-                format!("GitHub request failed: {}", e),
+                format!("GitHub request failed: {e}"),
             )
         })?;
 
@@ -67,14 +67,14 @@ pub async fn start_device_flow(
         let body = resp.text().await.unwrap_or_default();
         return Err((
             StatusCode::BAD_GATEWAY,
-            format!("GitHub returned {}: {}", status, body),
+            format!("GitHub returned {status}: {body}"),
         ));
     }
 
     let body: serde_json::Value = resp.json().await.map_err(|e| {
         (
             StatusCode::BAD_GATEWAY,
-            format!("Failed to parse response: {}", e),
+            format!("Failed to parse response: {e}"),
         )
     })?;
 
@@ -138,14 +138,14 @@ pub async fn poll_device_flow(
         .map_err(|e| {
             (
                 StatusCode::BAD_GATEWAY,
-                format!("GitHub request failed: {}", e),
+                format!("GitHub request failed: {e}"),
             )
         })?;
 
     let body: serde_json::Value = resp.json().await.map_err(|e| {
         (
             StatusCode::BAD_GATEWAY,
-            format!("Failed to parse response: {}", e),
+            format!("Failed to parse response: {e}"),
         )
     })?;
 
@@ -174,7 +174,7 @@ pub async fn poll_device_flow(
     let user_resp = state
         .http_client
         .get("https://api.github.com/user")
-        .header("Authorization", format!("Bearer {}", access_token))
+        .header("Authorization", format!("Bearer {access_token}"))
         .header("Accept", "application/vnd.github+json")
         .header("User-Agent", "DiffScope")
         .send()
@@ -182,7 +182,7 @@ pub async fn poll_device_flow(
         .map_err(|e| {
             (
                 StatusCode::BAD_GATEWAY,
-                format!("Failed to fetch user: {}", e),
+                format!("Failed to fetch user: {e}"),
             )
         })?;
 
@@ -285,7 +285,7 @@ pub async fn handle_webhook(
     match event_type {
         "pull_request" => {
             let payload: serde_json::Value = serde_json::from_str(&body)
-                .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid JSON: {}", e)))?;
+                .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid JSON: {e}")))?;
 
             let action = payload["action"].as_str().unwrap_or("");
 
@@ -337,7 +337,7 @@ pub async fn handle_webhook(
                 // Determine whether to fetch an incremental diff or the full PR diff.
                 // For "synchronize" events, if we have a previously reviewed SHA,
                 // fetch only the commits since that SHA via the compare API.
-                let pr_key = format!("{}#{}", repo, pr_number);
+                let pr_key = format!("{repo}#{pr_number}");
                 let last_reviewed_sha = if action == "synchronize" {
                     AppState::get_last_reviewed_sha(&state, &pr_key).await
                 } else {
@@ -354,13 +354,12 @@ pub async fn handle_webhook(
                         "Fetching incremental diff (push-by-push)"
                     );
                     let compare_url = format!(
-                        "https://api.github.com/repos/{}/compare/{}...{}",
-                        repo, base_sha, head_sha,
+                        "https://api.github.com/repos/{repo}/compare/{base_sha}...{head_sha}",
                     );
                     let compare_resp = state
                         .http_client
                         .get(&compare_url)
-                        .header("Authorization", format!("Bearer {}", auth_token))
+                        .header("Authorization", format!("Bearer {auth_token}"))
                         .header("Accept", "application/vnd.github.v3.diff")
                         .header("User-Agent", "DiffScope")
                         .send()
@@ -368,7 +367,7 @@ pub async fn handle_webhook(
                         .map_err(|e| {
                             (
                                 StatusCode::BAD_GATEWAY,
-                                format!("Failed to fetch incremental diff: {}", e),
+                                format!("Failed to fetch incremental diff: {e}"),
                             )
                         })?;
 
@@ -416,7 +415,7 @@ pub async fn handle_webhook(
                 };
 
                 let review_id = uuid::Uuid::new_v4().to_string();
-                let diff_source = format!("pr:{}#{}", repo, pr_number);
+                let diff_source = format!("pr:{repo}#{pr_number}");
 
                 let session = ReviewSession {
                     id: review_id.clone(),
@@ -470,7 +469,7 @@ pub async fn handle_webhook(
         }
         "issue_comment" => {
             let payload: serde_json::Value = serde_json::from_str(&body)
-                .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid JSON: {}", e)))?;
+                .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid JSON: {e}")))?;
 
             let action = payload["action"].as_str().unwrap_or("");
             let comment_body = payload["comment"]["body"].as_str().unwrap_or("");
@@ -506,9 +505,9 @@ pub async fn handle_webhook(
                             match crate::adapters::llm::create_adapter(&model_config) {
                                 Ok(adapter) => match cmd.execute(adapter.as_ref(), None).await {
                                     Ok(result) => result,
-                                    Err(e) => format!("Command failed: {}", e),
+                                    Err(e) => format!("Command failed: {e}"),
                                 },
-                                Err(e) => format!("Failed to create adapter: {}", e),
+                                Err(e) => format!("Failed to create adapter: {e}"),
                             }
                         }
                     };
@@ -516,13 +515,12 @@ pub async fn handle_webhook(
                     // Post response comment if we have a token
                     if let Some(ref auth) = token {
                         let comment_url = format!(
-                            "https://api.github.com/repos/{}/issues/{}/comments",
-                            repo, issue_number
+                            "https://api.github.com/repos/{repo}/issues/{issue_number}/comments"
                         );
                         let _ = state
                             .http_client
                             .post(&comment_url)
-                            .header("Authorization", format!("Bearer {}", auth))
+                            .header("Authorization", format!("Bearer {auth}"))
                             .header("User-Agent", "DiffScope")
                             .json(&serde_json::json!({ "body": response_body }))
                             .send()
@@ -553,7 +551,7 @@ fn verify_webhook_signature(secret: &str, body: &str, signature: &str) -> Result
         .ok_or_else(|| "Invalid signature format".to_string())?;
 
     let mut mac = Hmac::<Sha256>::new_from_slice(secret.as_bytes())
-        .map_err(|e| format!("HMAC init failed: {}", e))?;
+        .map_err(|e| format!("HMAC init failed: {e}"))?;
     mac.update(body.as_bytes());
 
     let expected = hex::encode(mac.finalize().into_bytes());
@@ -575,11 +573,7 @@ fn verify_webhook_signature(secret: &str, body: &str, signature: &str) -> Result
 /// Hex-encode bytes (avoids adding hex crate).
 mod hex {
     pub fn encode(bytes: impl AsRef<[u8]>) -> String {
-        bytes
-            .as_ref()
-            .iter()
-            .map(|b| format!("{:02x}", b))
-            .collect()
+        bytes.as_ref().iter().map(|b| format!("{b:02x}")).collect()
     }
 }
 
@@ -598,7 +592,7 @@ fn create_app_jwt(app_id: u64, private_key_pem: &str) -> Result<String, String>
 
     let now = std::time::SystemTime::now()
         .duration_since(std::time::UNIX_EPOCH)
-        .map_err(|e| format!("Time error: {}", e))?
+        .map_err(|e| format!("Time error: {e}"))?
         .as_secs();
 
     let claims = Claims {
@@ -608,10 +602,10 @@ fn create_app_jwt(app_id: u64, private_key_pem: &str) -> Result<String, String>
     };
 
     let key = EncodingKey::from_rsa_pem(private_key_pem.as_bytes())
-        .map_err(|e| format!("Invalid private key: {}", e))?;
+        .map_err(|e| format!("Invalid private key: {e}"))?;
 
     encode(&Header::new(Algorithm::RS256), &claims, &key)
-        .map_err(|e| format!("JWT encoding failed: {}", e))
+        .map_err(|e| format!("JWT encoding failed: {e}"))
 }
 
 /// Get an installation access token for a specific installation.
@@ -623,30 +617,27 @@ async fn get_installation_token(
 ) -> Result<String, String> {
     let jwt = create_app_jwt(app_id, private_key_pem)?;
 
-    let url = format!(
-        "https://api.github.com/app/installations/{}/access_tokens",
-        installation_id,
-    );
+    let url = format!("https://api.github.com/app/installations/{installation_id}/access_tokens",);
 
     let resp = client
         .post(&url)
-        .header("Authorization", format!("Bearer {}", jwt))
+        .header("Authorization", format!("Bearer {jwt}"))
         .header("Accept", "application/vnd.github+json")
         .header("User-Agent", "DiffScope")
         .send()
         .await
-        .map_err(|e| format!("Installation token request failed: {}", e))?;
+        .map_err(|e| format!("Installation token request failed: {e}"))?;
 
     if !resp.status().is_success() {
         let status = resp.status();
         let body = resp.text().await.unwrap_or_default();
-        return Err(format!("GitHub returned {}: {}", status, body));
+        return Err(format!("GitHub returned {status}: {body}"));
     }
 
     let body: serde_json::Value = resp
         .json()
         .await
-        .map_err(|e| format!("Failed to parse token response: {}", e))?;
+        .map_err(|e| format!("Failed to parse token response: {e}"))?;
 
     body["token"]
         .as_str()
@@ -715,7 +706,7 @@ async fn create_check_run(
                 summary
                     .recommendations
                     .iter()
-                    .map(|r| format!("- {}", r))
+                    .map(|r| format!("- {r}"))
                     .collect::<Vec<_>>()
                     .join("\n")
             )
@@ -734,17 +725,17 @@ async fn create_check_run(
         },
     });
 
-    let url = format!("https://api.github.com/repos/{}/check-runs", repo);
+    let url = format!("https://api.github.com/repos/{repo}/check-runs");
 
     let resp = client
         .post(&url)
-        .header("Authorization", format!("Bearer {}", token))
+        .header("Authorization", format!("Bearer {token}"))
         .header("Accept", "application/vnd.github+json")
         .header("User-Agent", "DiffScope")
         .json(&check_run)
         .send()
         .await
-        .map_err(|e| format!("Check run request failed: {}", e))?;
+        .map_err(|e| format!("Check run request failed: {e}"))?;
 
     if resp.status().is_success() {
         info!(repo = %repo, sha = %head_sha, conclusion = %conclusion, "Created check run");
@@ -753,7 +744,7 @@ async fn create_check_run(
         let status = resp.status();
         let body = resp.text().await.unwrap_or_default();
         warn!(repo = %repo, status = %status, "Failed to create check run: {}", body);
-        Err(format!("GitHub returned {}: {}", status, body))
+        Err(format!("GitHub returned {status}: {body}"))
     }
 }
 
@@ -767,10 +758,7 @@ async fn post_pr_summary_comment(
     pr_number: u32,
     summary_markdown: &str,
 ) -> Result<(), String> {
-    let url = format!(
-        "https://api.github.com/repos/{}/issues/{}/comments",
-        repo, pr_number,
-    );
+    let url = format!("https://api.github.com/repos/{repo}/issues/{pr_number}/comments",);
 
     let body = serde_json::json!({
         "body": summary_markdown,
@@ -778,13 +766,13 @@ async fn post_pr_summary_comment(
 
     let resp = client
         .post(&url)
-        .header("Authorization", format!("Bearer {}", token))
+        .header("Authorization", format!("Bearer {token}"))
         .header("Accept", "application/vnd.github+json")
         .header("User-Agent", "DiffScope")
         .json(&body)
         .send()
         .await
-        .map_err(|e| format!("Failed to post PR summary comment: {}", e))?;
+        .map_err(|e| format!("Failed to post PR summary comment: {e}"))?;
 
     if resp.status().is_success() {
         info!(repo = %repo, pr = pr_number, "Posted PR summary comment");
@@ -792,7 +780,7 @@ async fn post_pr_summary_comment(
     } else {
         let status = resp.status();
         let body = resp.text().await.unwrap_or_default();
-        Err(format!("GitHub returned {}: {}", status, body))
+        Err(format!("GitHub returned {status}: {body}"))
     }
 }
 
@@ -817,11 +805,11 @@ async fn fetch_full_pr_diff(
     repo: &str,
     pr_number: u32,
 ) -> Result<String, (StatusCode, String)> {
-    let diff_url = format!("https://api.github.com/repos/{}/pulls/{}", repo, pr_number);
+    let diff_url = format!("https://api.github.com/repos/{repo}/pulls/{pr_number}");
     let diff_resp = state
         .http_client
         .get(&diff_url)
-        .header("Authorization", format!("Bearer {}", auth_token))
+        .header("Authorization", format!("Bearer {auth_token}"))
         .header("Accept", "application/vnd.github.v3.diff")
         .header("User-Agent", "DiffScope")
         .send()
@@ -829,7 +817,7 @@ async fn fetch_full_pr_diff(
         .map_err(|e| {
             (
                 StatusCode::BAD_GATEWAY,
-                format!("Failed to fetch diff: {}", e),
+                format!("Failed to fetch diff: {e}"),
             )
         })?;
 
@@ -838,14 +826,14 @@ async fn fetch_full_pr_diff(
         let body = diff_resp.text().await.unwrap_or_default();
         return Err((
             StatusCode::BAD_GATEWAY,
-            format!("GitHub returned {}: {}", status, body),
+            format!("GitHub returned {status}: {body}"),
         ));
     }
 
     diff_resp.text().await.map_err(|e| {
         (
             StatusCode::BAD_GATEWAY,
-            format!("Failed to read diff body: {}", e),
+            format!("Failed to read diff body: {e}"),
         )
     })
 }
@@ -879,7 +867,7 @@ async fn run_webhook_review(state: Arc<AppState>, params: WebhookReviewParams) {
     };
 
     let task_start = std::time::Instant::now();
-    let diff_source = format!("pr:{}#{}", repo, pr_number);
+    let diff_source = format!("pr:{repo}#{pr_number}");
 
     AppState::mark_running(&state, &review_id).await;
 
@@ -915,7 +903,7 @@ async fn run_webhook_review(state: Arc<AppState>, params: WebhookReviewParams) {
         )
         .await;
         // Record the reviewed SHA for future incremental reviews
-        let pr_key = format!("{}#{}", repo, pr_number);
+        let pr_key = format!("{repo}#{pr_number}");
         AppState::record_reviewed_sha(&state, &pr_key, &head_sha).await;
         AppState::save_reviews_async(&state);
         return;
@@ -1034,7 +1022,7 @@ async fn run_webhook_review(state: Arc<AppState>, params: WebhookReviewParams) {
                 .await;
 
             // Record the reviewed SHA for future incremental reviews
-            let pr_key = format!("{}#{}", repo, pr_number);
+            let pr_key = format!("{repo}#{pr_number}");
             AppState::record_reviewed_sha(&state, &pr_key, &head_sha).await;
             if is_incremental {
                 info!(
@@ -1073,7 +1061,7 @@ async fn run_webhook_review(state: Arc<AppState>, params: WebhookReviewParams) {
             }
         }
         Ok(Err(e)) => {
-            let err_msg = format!("Review failed: {}", e);
+            let err_msg = format!("Review failed: {e}");
             warn!(review_id = %review_id, error = %err_msg, "Webhook review failed");
             let event = ReviewEventBuilder::new(&review_id, "review.failed", &diff_source, &model)
                 .provider(provider.as_deref())
@@ -1136,7 +1124,7 @@ mod tests {
         let mut mac = Hmac::<Sha256>::new_from_slice(secret.as_bytes()).unwrap();
         mac.update(body.as_bytes());
         let expected = hex::encode(mac.finalize().into_bytes());
-        let signature = format!("sha256={}", expected);
+        let signature = format!("sha256={expected}");
 
         assert!(verify_webhook_signature(secret, body, &signature).is_ok());
     }
@@ -1176,7 +1164,7 @@ mod tests {
         let mut mac = Hmac::<Sha256>::new_from_slice(secret.as_bytes()).unwrap();
         mac.update(body.as_bytes());
         let expected = hex::encode(mac.finalize().into_bytes());
-        let signature = format!("sha256={}", expected);
+        let signature = format!("sha256={expected}");
 
         assert!(verify_webhook_signature(secret, body, &signature).is_ok());
     }
diff --git a/src/server/mod.rs b/src/server/mod.rs
index 8c8bebf..4fe0eb3 100644
--- a/src/server/mod.rs
+++ b/src/server/mod.rs
@@ -69,8 +69,8 @@ pub async fn start_server(config: Config, host: &str, port: u16) -> anyhow::Resu
     let state = Arc::new(state::AppState::new(config).await?);
 
     let origin_strings = [
-        format!("http://localhost:{}", port),
-        format!("http://127.0.0.1:{}", port),
+        format!("http://localhost:{port}"),
+        format!("http://127.0.0.1:{port}"),
         "http://localhost:5173".to_string(),
     ];
     let allowed_origins: Vec<axum::http::HeaderValue> = origin_strings
@@ -126,7 +126,7 @@ pub async fn start_server(config: Config, host: &str, port: u16) -> anyhow::Resu
         .fallback(serve_embedded)
         .layer(cors);
 
-    let addr: SocketAddr = format!("{}:{}", host, port).parse()?;
+    let addr: SocketAddr = format!("{host}:{port}").parse()?;
     info!("DiffScope server running at http://{}", addr);
     info!("Press Ctrl+C to stop");
 
diff --git a/src/server/storage_json.rs b/src/server/storage_json.rs
index c314559..a8eb8f7 100644
--- a/src/server/storage_json.rs
+++ b/src/server/storage_json.rs
@@ -141,7 +141,7 @@ impl StorageBackend for JsonStorageBackend {
                 let status_ok = filters
                     .status
                     .as_ref()
-                    .is_none_or(|f| e.event_type.eq_ignore_ascii_case(&format!("review.{}", f)));
+                    .is_none_or(|f| e.event_type.eq_ignore_ascii_case(&format!("review.{f}")));
                 // Time filters: if a time bound is specified, events without a
                 // timestamp are excluded (they cannot satisfy the constraint).
                 let time_from_ok = filters
@@ -528,7 +528,7 @@ mod tests {
 
         let base = now_ts();
         for i in 0..5 {
-            let session = make_session(&format!("r{}", i), base + i as i64, ReviewStatus::Complete);
+            let session = make_session(&format!("r{i}"), base + i as i64, ReviewStatus::Complete);
             backend.save_review(&session).await.unwrap();
         }
 
@@ -546,7 +546,7 @@ mod tests {
 
         let base = now_ts();
         for i in 0..5 {
-            let session = make_session(&format!("r{}", i), base + i as i64, ReviewStatus::Complete);
+            let session = make_session(&format!("r{i}"), base + i as i64, ReviewStatus::Complete);
             backend.save_review(&session).await.unwrap();
         }
 
@@ -563,7 +563,7 @@ mod tests {
 
         let base = now_ts();
         for i in 0..5 {
-            let session = make_session(&format!("r{}", i), base + i as i64, ReviewStatus::Complete);
+            let session = make_session(&format!("r{i}"), base + i as i64, ReviewStatus::Complete);
             backend.save_review(&session).await.unwrap();
         }
 
@@ -667,7 +667,7 @@ mod tests {
         for i in 0..5 {
             backend
                 .save_review(&make_session(
-                    &format!("r{}", i),
+                    &format!("r{i}"),
                     now + i as i64,
                     ReviewStatus::Complete,
                 ))
@@ -885,7 +885,7 @@ mod tests {
         for i in 0..5 {
             backend
                 .save_review(&make_session_with_event(
-                    &format!("r{}", i),
+                    &format!("r{i}"),
                     now + i as i64,
                     ReviewStatus::Complete,
                     "review.completed",
@@ -1041,7 +1041,7 @@ mod tests {
         for i in 0..10 {
             backend
                 .save_review(&make_session_with_event(
-                    &format!("r{}", i),
+                    &format!("r{i}"),
                     now + i as i64,
                     ReviewStatus::Complete,
                     "review.completed",
@@ -1307,7 +1307,7 @@ mod tests {
             let b = backend.clone();
             let handle = tokio::spawn(async move {
                 let session = make_session(
-                    &format!("conc-{}", i),
+                    &format!("conc-{i}"),
                     base + i as i64,
                     ReviewStatus::Complete,
                 );
@@ -1626,7 +1626,7 @@ mod tests {
         for i in 0..3 {
             backend
                 .save_review(&make_session(
-                    &format!("r{}", i),
+                    &format!("r{i}"),
                     now - 100000 + i as i64, // old enough to expire
                     ReviewStatus::Complete,
                 ))
@@ -1659,7 +1659,7 @@ mod tests {
         for i in 0..10 {
             backend
                 .save_review(&make_session_with_event(
-                    &format!("r{}", i),
+                    &format!("r{i}"),
                     now + i as i64,
                     ReviewStatus::Complete,
                     "review.completed",
diff --git a/src/vault.rs b/src/vault.rs
index 35f792b..8b881cd 100644
--- a/src/vault.rs
+++ b/src/vault.rs
@@ -237,8 +237,7 @@ mod tests {
         let err = format!("{:#}", result.unwrap_err());
         assert!(
             err.contains("connect") || err.contains("Vault"),
-            "Error should mention connection failure: {}",
-            err
+            "Error should mention connection failure: {err}"
         );
     }
 
@@ -264,8 +263,8 @@ mod tests {
         let result = fetch_secret(&config).await;
         assert!(result.is_err());
         let err = format!("{:#}", result.unwrap_err());
-        assert!(err.contains("404"), "Should contain 404: {}", err);
-        assert!(err.contains("not found"), "Should contain hint: {}", err);
+        assert!(err.contains("404"), "Should contain 404: {err}");
+        assert!(err.contains("not found"), "Should contain hint: {err}");
         mock.assert_async().await;
     }
 
@@ -291,11 +290,10 @@ mod tests {
         let result = fetch_secret(&config).await;
         assert!(result.is_err());
         let err = format!("{:#}", result.unwrap_err());
-        assert!(err.contains("403"), "Should contain 403: {}", err);
+        assert!(err.contains("403"), "Should contain 403: {err}");
         assert!(
             err.contains("read access"),
-            "Should contain token hint: {}",
-            err
+            "Should contain token hint: {err}"
         );
         mock.assert_async().await;
     }
@@ -334,7 +332,7 @@ mod tests {
         };
 
         let result = fetch_secret(&config).await;
-        assert!(result.is_ok(), "Expected success: {:?}", result);
+        assert!(result.is_ok(), "Expected success: {result:?}");
         assert_eq!(result.unwrap(), "sk-secret-from-vault");
         mock.assert_async().await;
     }
@@ -408,14 +406,12 @@ mod tests {
         let err = format!("{:#}", result.unwrap_err());
         assert!(
             err.contains("api_key") && err.contains("not found"),
-            "Should list the missing key: {}",
-            err
+            "Should list the missing key: {err}"
         );
         // Should list available keys
         assert!(
             err.contains("password") || err.contains("token"),
-            "Should list available keys: {}",
-            err
+            "Should list available keys: {err}"
         );
     }