diff --git a/src/maestro/helpers.rs b/src/maestro/helpers.rs
index 257f6ba..fa23e8f 100644
--- a/src/maestro/helpers.rs
+++ b/src/maestro/helpers.rs
@@ -38,10 +38,7 @@ fn format_maestro_line(message: impl AsRef<str>, colors_enabled: bool) -> String
 pub(crate) fn print_maestro_line(message: impl AsRef<str>) {
     eprintln!(
         "{}",
-        format_maestro_line(
-            message,
-            MAESTRO_COLORS_ENABLED.load(Ordering::Relaxed)
-        )
+        format_maestro_line(message, MAESTRO_COLORS_ENABLED.load(Ordering::Relaxed))
     );
 }
 
diff --git a/src/protocol/tests/tls_security_tests.rs b/src/protocol/tests/tls_security_tests.rs
index b821fc6..f8b1b2b 100644
--- a/src/protocol/tests/tls_security_tests.rs
+++ b/src/protocol/tests/tls_security_tests.rs
@@ -1702,7 +1702,8 @@ fn select_server_hello_cipher_suite_falls_back_to_offered_tls13_suite() {
 
 #[test]
 fn select_server_hello_cipher_suite_keeps_preferred_for_malformed_clienthello() {
-    let mut ch = build_client_hello_with_ciphers_and_exts(&[[0x13, 0x03]], Vec::new(), "example.com");
+    let mut ch =
+        build_client_hello_with_ciphers_and_exts(&[[0x13, 0x03]], Vec::new(), "example.com");
     ch.truncate(12);
     assert_eq!(
         select_server_hello_cipher_suite(&ch, [0x13, 0x01]),
diff --git a/src/proxy/handshake.rs b/src/proxy/handshake.rs
index b9342c3..a765575 100644
--- a/src/proxy/handshake.rs
+++ b/src/proxy/handshake.rs
@@ -1525,8 +1525,7 @@ where
             config.censorship.tls_new_session_tickets,
         )
     } else {
-        let selected_cipher_suite =
-            tls::select_server_hello_cipher_suite(handshake, [0x13, 0x01]);
+        let selected_cipher_suite = tls::select_server_hello_cipher_suite(handshake, [0x13, 0x01]);
         tls::build_server_hello_with_cipher(
             &validated_secret,
             &validation_digest,
diff --git a/src/proxy/middle_relay/idle.rs b/src/proxy/middle_relay/idle.rs
index d8b2f21..0e8ff12 100644
--- a/src/proxy/middle_relay/idle.rs
+++ b/src/proxy/middle_relay/idle.rs
@@ -98,7 +98,8 @@ pub(super) fn maybe_evict_idle_candidate_on_pressure_in(
     }
     *seen_pressure_seq = latest_pressure_seq;
 
-    if latest_pressure_seq == registry.pressure_consumed_seq.load(Ordering::Relaxed) {
+    let consumed_pressure_seq = registry.pressure_consumed_seq.load(Ordering::Relaxed);
+    if latest_pressure_seq == consumed_pressure_seq {
         return false;
     }
 
@@ -106,9 +107,13 @@ pub(super) fn maybe_evict_idle_candidate_on_pressure_in(
         let mut ordered = registry.ordered.lock();
         loop {
             let Some((mark_order_seq, candidate_conn_id)) = ordered.iter().next().copied() else {
-                registry
-                    .pressure_consumed_seq
-                    .store(latest_pressure_seq, Ordering::Relaxed);
+                // Empty queues consume the event so later candidates cannot replay stale pressure.
+                let _ = registry.pressure_consumed_seq.compare_exchange(
+                    consumed_pressure_seq,
+                    latest_pressure_seq,
+                    Ordering::Relaxed,
+                    Ordering::Relaxed,
+                );
                 return false;
             };
             let Some(candidate_meta) = registry.by_conn_id.get(&candidate_conn_id) else {
@@ -138,15 +143,27 @@ pub(super) fn maybe_evict_idle_candidate_on_pressure_in(
         return false;
     }
 
+    // Claim the global pressure budget before removal; otherwise racing sessions
+    // can observe the next FIFO item and spend the same event more than once.
+    if registry
+        .pressure_consumed_seq
+        .compare_exchange(
+            consumed_pressure_seq,
+            latest_pressure_seq,
+            Ordering::Relaxed,
+            Ordering::Relaxed,
+        )
+        .is_err()
+    {
+        return false;
+    }
+
     if let Some((_, meta)) = registry.by_conn_id.remove(&conn_id) {
         registry
             .ordered
             .lock()
             .remove(&(meta.mark_order_seq, conn_id));
     }
-    registry
-        .pressure_consumed_seq
-        .store(latest_pressure_seq, Ordering::Relaxed);
     stats.increment_relay_pressure_evict_total();
     true
 }
diff --git a/src/tls_front/emulator.rs b/src/tls_front/emulator.rs
index 98f0cb9..5bf307c 100644
--- a/src/tls_front/emulator.rs
+++ b/src/tls_front/emulator.rs
@@ -226,10 +226,7 @@ fn replay_profiled_server_hello_extension(
     }
 }
 
-fn build_profiled_server_hello_extensions(
-    cached: &CachedTlsData,
-    rng: &SecureRandom,
-) -> Vec<u8> {
+fn build_profiled_server_hello_extensions(cached: &CachedTlsData, rng: &SecureRandom) -> Vec<u8> {
     let capacity = cached
         .server_hello_template
         .extensions
@@ -612,7 +609,10 @@ mod tests {
             0,
         );
 
-        assert_eq!(server_hello_extension_types(&response), vec![0x002b, 0x0033]);
+        assert_eq!(
+            server_hello_extension_types(&response),
+            vec![0x002b, 0x0033]
+        );
     }
 
     #[test]