diff --git a/crates/punktfunk-host/src/mgmt_token.rs b/crates/punktfunk-host/src/mgmt_token.rs
index 05c09ff..0fa4c1e 100644
--- a/crates/punktfunk-host/src/mgmt_token.rs
+++ b/crates/punktfunk-host/src/mgmt_token.rs
@@ -36,7 +36,8 @@ pub fn load_or_generate() -> Result<String> {
     let token = hex::encode(buf);
     let dir = crate::gamestream::config_dir();
     // Owner-private dir (0700 Unix / DACL-locked Windows) so the token can't leak via the config path.
-    crate::gamestream::create_private_dir(&dir).with_context(|| format!("create {}", dir.display()))?;
+    crate::gamestream::create_private_dir(&dir)
+        .with_context(|| format!("create {}", dir.display()))?;
     write_token(&path, &token)?;
     tracing::info!(path = %path.display(), "generated and persisted management API token (owner-only)");
     Ok(token)
diff --git a/crates/punktfunk-host/src/vdisplay/linux/gamescope.rs b/crates/punktfunk-host/src/vdisplay/linux/gamescope.rs
index b9d00b8..515b6b4 100644
--- a/crates/punktfunk-host/src/vdisplay/linux/gamescope.rs
+++ b/crates/punktfunk-host/src/vdisplay/linux/gamescope.rs
@@ -806,7 +806,9 @@ fn spawn(w: u32, h: u32, hz: u32, cmd: Option<&str>) -> Result<Child> {
         .filter(|s| !s.trim().is_empty())
         // Read the env fallback under the shared env lock so it can't race a concurrent session's
         // `set_var` of the same key (security-review 2026-06-28 #7).
-        .or_else(|| crate::vdisplay::with_env_lock(|| std::env::var("PUNKTFUNK_GAMESCOPE_APP").ok()))
+        .or_else(|| {
+            crate::vdisplay::with_env_lock(|| std::env::var("PUNKTFUNK_GAMESCOPE_APP").ok())
+        })
         .filter(|s| !s.trim().is_empty())
         .unwrap_or_else(|| "sleep infinity".to_string());
     let relay = ei_socket_file();