diff --git a/tofu/oci/main.tf b/tofu/oci/main.tf
index 2de3a5f..03432b3 100644
--- a/tofu/oci/main.tf
+++ b/tofu/oci/main.tf
@@ -190,13 +190,13 @@ resource "oci_core_instance" "ampere_instance" {
     # user_data: Talos MachineConfig for omni_ready mode (null = omit for Ubuntu)
     var.omni_ready ? { user_data = base64encode(local._ampere_user_data) } : {},
     # ssh_authorized_keys: Ubuntu cloud-init only (Talos ignores this)
-    !var.omni_ready && var.ssh_public_key != null ? { ssh_authorized_keys = var.ssh_public_key } : {},
+    ! var.omni_ready && var.ssh_public_key != null ? { ssh_authorized_keys = var.ssh_public_key } : {},
   )
 
   lifecycle {
     ignore_changes = [
       source_details[0].source_id, # Ignore image updates after initial deploy
-      metadata,                    # Ignore SSH key / user_data drift on imported instances
+      metadata,
     ]
   }
 }
@@ -229,7 +229,7 @@ resource "oci_core_instance" "micro_instance" {
   lifecycle {
     ignore_changes = [
       source_details[0].source_id,
-      metadata, # Ignore SSH key drift on imported instances
+      metadata,
     ]
   }
 }
diff --git a/tofu/oci/validation.tf b/tofu/oci/validation.tf
index e4a96e0..067b5fa 100644
--- a/tofu/oci/validation.tf
+++ b/tofu/oci/validation.tf
@@ -79,28 +79,28 @@ check "micro_min_boot_vol" {
 
 check "omni_ready_requires_talos_image" {
   assert {
-    condition     = !var.omni_ready || var.talos_image_ocid != null
+    condition     = ! var.omni_ready || var.talos_image_ocid != null
     error_message = "omni_ready = true requires talos_image_ocid. Import the Talos+Tailscale Image Factory image and set talos_image_ocid."
   }
 }
 
 check "omni_ready_requires_endpoint" {
   assert {
-    condition     = !var.omni_ready || var.omni_endpoint != null
+    condition     = ! var.omni_ready || var.omni_endpoint != null
     error_message = "omni_ready = true requires omni_endpoint (e.g. omni.wind-bearded.ts.net:8090)."
   }
 }
 
 check "omni_ready_requires_join_token" {
   assert {
-    condition     = !var.omni_ready || var.omni_join_token != null
+    condition     = ! var.omni_ready || var.omni_join_token != null
     error_message = "omni_ready = true requires omni_join_token. Get from: omnictl get connections -o yaml | grep joinToken."
   }
 }
 
 check "omni_ready_requires_tailscale_key" {
   assert {
-    condition     = !var.omni_ready || var.tailscale_auth_key != null
+    condition     = ! var.omni_ready || var.tailscale_auth_key != null
     error_message = "omni_ready = true requires tailscale_auth_key with tag:oci applied."
   }
 }