diff --git a/src/agent/loop_.rs b/src/agent/loop_.rs
index 21aa8a2ba..3d0a8b051 100644
--- a/src/agent/loop_.rs
+++ b/src/agent/loop_.rs
@@ -1527,7 +1527,14 @@ fn parse_tool_calls(response: &str) -> (String, Vec<ParsedToolCall>) {
 
             // Try to parse the inner content as JSON arguments
             let json_values = extract_json_values(inner);
-            if !json_values.is_empty() {
+            if json_values.is_empty() {
+                // Log a warning if we found a tool block but couldn't parse arguments
+                tracing::warn!(
+                    tool_name = %tool_name,
+                    inner = %inner.chars().take(100).collect::<String>(),
+                    "Found ```tool <name> block but could not parse JSON arguments"
+                );
+            } else {
                 for value in json_values {
                     let arguments = if value.is_object() {
                         value
@@ -1540,13 +1547,6 @@ fn parse_tool_calls(response: &str) -> (String, Vec<ParsedToolCall>) {
                         tool_call_id: None,
                     });
                 }
-            } else {
-                // Log a warning if we found a tool block but couldn't parse arguments
-                tracing::warn!(
-                    tool_name = %tool_name,
-                    inner = %inner.chars().take(100).collect::<String>(),
-                    "Found ```tool <name> block but could not parse JSON arguments"
-                );
             }
             last_end = full_match.end();
         }
diff --git a/src/gateway/api.rs b/src/gateway/api.rs
index 5d4146b5f..8feff99a8 100644
--- a/src/gateway/api.rs
+++ b/src/gateway/api.rs
@@ -544,6 +544,7 @@ fn mask_vec_secrets(values: &mut [String]) {
     }
 }
 
+#[allow(clippy::ref_option)]
 fn restore_optional_secret(value: &mut Option<String>, current: &Option<String>) {
     if value.as_deref().is_some_and(is_masked_secret) {
         *value = current.clone();
@@ -703,7 +704,7 @@ fn restore_masked_sensitive_fields(
         restore_required_secret(&mut incoming_tunnel.auth_token, &current_tunnel.auth_token);
     }
 
-    for (name, agent) in incoming.agents.iter_mut() {
+    for (name, agent) in &mut incoming.agents {
         if let Some(current_agent) = current.agents.get(name) {
             restore_optional_secret(&mut agent.api_key, &current_agent.api_key);
         }
diff --git a/src/gateway/mod.rs b/src/gateway/mod.rs
index c4f7823d1..26506e6d1 100644
--- a/src/gateway/mod.rs
+++ b/src/gateway/mod.rs
@@ -35,7 +35,6 @@ use axum::{
     Router,
 };
 use parking_lot::Mutex;
-use serde::Deserialize;
 use std::collections::HashMap;
 use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;
diff --git a/src/onboard/wizard.rs b/src/onboard/wizard.rs
index ea65598c8..69a882550 100644
--- a/src/onboard/wizard.rs
+++ b/src/onboard/wizard.rs
@@ -4,9 +4,8 @@ use crate::config::schema::{
 };
 use crate::config::{
     AutonomyConfig, BrowserConfig, ChannelsConfig, ComposioConfig, Config, DiscordConfig,
-    FeishuConfig, HeartbeatConfig, IMessageConfig, LarkConfig, MatrixConfig, MemoryConfig,
-    ObservabilityConfig, RuntimeConfig, SecretsConfig, SlackConfig, StorageConfig, TelegramConfig,
-    WebhookConfig,
+    HeartbeatConfig, IMessageConfig, LarkConfig, MatrixConfig, MemoryConfig, ObservabilityConfig,
+    RuntimeConfig, SecretsConfig, SlackConfig, StorageConfig, TelegramConfig, WebhookConfig,
 };
 use crate::hardware::{self, HardwareConfig};
 use crate::memory::{
@@ -22,7 +21,7 @@ use console::style;
 use dialoguer::{Confirm, Input, Select};
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
-use std::collections::{BTreeMap, BTreeSet};
+use std::collections::BTreeMap;
 use std::io::IsTerminal;
 use std::path::{Path, PathBuf};
 use std::time::Duration;
@@ -1173,8 +1172,7 @@ fn models_endpoint_for_provider(provider_name: &str) -> Option<&'static str> {
         "glm-cn" | "bigmodel" => Some("https://open.bigmodel.cn/api/paas/v4/models"),
         "zai-cn" | "z.ai-cn" => Some("https://open.bigmodel.cn/api/coding/paas/v4/models"),
         _ => match canonical_provider_name(provider_name) {
-            "openai-codex" => Some("https://api.openai.com/v1/models"),
-            "openai" => Some("https://api.openai.com/v1/models"),
+            "openai-codex" | "openai" => Some("https://api.openai.com/v1/models"),
             "venice" => Some("https://api.venice.ai/api/v1/models"),
             "groq" => Some("https://api.groq.com/openai/v1/models"),
             "mistral" => Some("https://api.mistral.ai/v1/models"),
@@ -2854,8 +2852,7 @@ fn provider_env_var(name: &str) -> &'static str {
     match canonical_provider_name(name) {
         "openrouter" => "OPENROUTER_API_KEY",
         "anthropic" => "ANTHROPIC_API_KEY",
-        "openai-codex" => "OPENAI_API_KEY",
-        "openai" => "OPENAI_API_KEY",
+        "openai-codex" | "openai" => "OPENAI_API_KEY",
         "ollama" => "OLLAMA_API_KEY",
         "llamacpp" => "LLAMACPP_API_KEY",
         "sglang" => "SGLANG_API_KEY",
diff --git a/src/providers/compatible.rs b/src/providers/compatible.rs
index 202f129f7..056f7cfce 100644
--- a/src/providers/compatible.rs
+++ b/src/providers/compatible.rs
@@ -19,6 +19,7 @@ use serde::{Deserialize, Serialize};
 /// A provider that speaks the OpenAI-compatible chat completions API.
 /// Used by: Venice, Vercel AI Gateway, Cloudflare AI Gateway, Moonshot,
 /// Synthetic, `OpenCode` Zen, `Z.AI`, `GLM`, `MiniMax`, Bedrock, Qianfan, Groq, Mistral, `xAI`, etc.
+#[allow(clippy::struct_excessive_bools)]
 pub struct OpenAiCompatibleProvider {
     pub(crate) name: String,
     pub(crate) base_url: String,
diff --git a/src/providers/gemini.rs b/src/providers/gemini.rs
index b4a030517..31ab5becc 100644
--- a/src/providers/gemini.rs
+++ b/src/providers/gemini.rs
@@ -1375,8 +1375,8 @@ mod tests {
     fn oauth_refresh_form_omits_client_credentials_when_missing() {
         let form = build_oauth_refresh_form("refresh-token", None, None);
         let map: std::collections::HashMap<_, _> = form.into_iter().collect();
-        assert!(map.get("client_id").is_none());
-        assert!(map.get("client_secret").is_none());
+        assert!(!map.contains_key("client_id"));
+        assert!(!map.contains_key("client_secret"));
     }
 
     #[test]
@@ -1802,7 +1802,7 @@ mod tests {
         let creds: GeminiCliOAuthCreds = serde_json::from_str(json).unwrap();
         assert_eq!(creds.access_token.as_deref(), Some("ya29.test-token"));
         assert_eq!(creds.refresh_token.as_deref(), Some("1//test-refresh"));
-        assert_eq!(creds.expiry_date, Some(4102444800000));
+        assert_eq!(creds.expiry_date, Some(4_102_444_800_000));
         assert!(creds.expiry.is_none());
     }
 
@@ -1821,7 +1821,7 @@ mod tests {
         assert_eq!(creds.id_token.as_deref(), Some("header.payload.sig"));
         assert_eq!(creds.client_id.as_deref(), Some("test-client-id"));
         assert_eq!(creds.client_secret.as_deref(), Some("test-client-secret"));
-        assert_eq!(creds.expiry_date, Some(4102444800000));
+        assert_eq!(creds.expiry_date, Some(4_102_444_800_000));
     }
 
     #[test]
diff --git a/src/security/prompt_guard.rs b/src/security/prompt_guard.rs
index 56c29a7af..ac5bbaf0d 100644
--- a/src/security/prompt_guard.rs
+++ b/src/security/prompt_guard.rs
@@ -114,7 +114,9 @@ impl PromptGuard {
         // Normalize score to 0.0-1.0 range (max possible is 6.0, one per category)
         let normalized_score = (total_score / 6.0).min(1.0);
 
-        if !detected_patterns.is_empty() {
+        if detected_patterns.is_empty() {
+            GuardResult::Safe
+        } else {
             match self.action {
                 GuardAction::Block if max_score > self.sensitivity => {
                     GuardResult::Blocked(format!(
@@ -125,8 +127,6 @@ impl PromptGuard {
                 }
                 _ => GuardResult::Suspicious(detected_patterns, normalized_score),
             }
-        } else {
-            GuardResult::Safe
         }
     }