chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in
ci-pipeline-cleanup Phase 4, commit 71b2245) surfaced 111 files
with accumulated gofmt drift across cmd/, internal/, and deploy/test/.

Each file's diff is gofmt-standard: whitespace adjustments, intra-
group import sorting (alphabetical by import path within blank-line-
separated groups), and struct-tag column alignment. No semantic
changes — verified via 'git diff --ignore-all-space' which shows only
the line-position deltas from import reordering.

The gate stays in place after this commit. Going forward it catches
gofmt drift at PR time.

internal/api/middleware/audit.go

@@ -221,11 +221,11 @@ func NewAuditServiceAdapter(recordFn func(ctx context.Context, actor string, act
 // RecordAPICall implements AuditRecorder by translating API call data into an audit event.
 func (a *AuditServiceAdapter) RecordAPICall(ctx context.Context, method, path, actor string, bodyHash string, status int, latencyMs int64) error {
 	details := map[string]interface{}{
-		"method":      method,
-		"path":        path,
-		"body_hash":   bodyHash,
-		"status":      status,
-		"latency_ms":  latencyMs,
+		"method":     method,
+		"path":       path,
+		"body_hash":  bodyHash,
+		"status":     status,
+		"latency_ms": latencyMs,
 	}
 
 	action := fmt.Sprintf("api_%s", strings.ToLower(method))

internal/api/middleware/audit_test.go

@@ -15,10 +15,10 @@ import (
 
 // mockAuditRecorder captures RecordAPICall invocations for testing.
 type mockAuditRecorder struct {
-	mu      sync.Mutex
-	calls   []auditCall
-	err     error         // if non-nil, RecordAPICall returns this
-	block   chan struct{} // if non-nil, RecordAPICall blocks on receive before returning
+	mu    sync.Mutex
+	calls []auditCall
+	err   error         // if non-nil, RecordAPICall returns this
+	block chan struct{} // if non-nil, RecordAPICall blocks on receive before returning
 }
 
 type auditCall struct {

internal/api/middleware/cors_test.go

@@ -40,9 +40,9 @@ func TestNewCORS_NilOriginsDeniesAll(t *testing.T) {
 // TestNewCORS_M013_ContractDocumentedInOrder pins the documented dispatch
 // order so a refactor cannot silently invert the cases:
 //
-//	1. len(AllowedOrigins) == 0  → deny (no CORS headers)
-//	2. AllowedOrigins == ["*"]   → allow all (Access-Control-Allow-Origin: *)
-//	3. else                      → exact-match allowlist with Vary: Origin
+//  1. len(AllowedOrigins) == 0  → deny (no CORS headers)
+//  2. AllowedOrigins == ["*"]   → allow all (Access-Control-Allow-Origin: *)
+//  3. else                      → exact-match allowlist with Vary: Origin
 //
 // If a refactor accidentally falls through to the allow-all branch when
 // AllowedOrigins is empty, this test fails on case 1.
@@ -293,9 +293,9 @@ func TestNewCORS_MultipleOrigins(t *testing.T) {
 	}))
 
 	tests := []struct {
-		origin       string
-		shouldAllow  bool
-		description  string
+		origin      string
+		shouldAllow bool
+		description string
 	}{
 		{"https://app.example.com", true, "first origin in list"},
 		{"https://admin.example.com", true, "second origin in list"},

internal/api/middleware/middleware.go

@@ -290,11 +290,11 @@ func NewRateLimiter(cfg RateLimitConfig) func(http.Handler) http.Handler {
 	}
 
 	limiter := &keyedRateLimiter{
-		ipRate:       cfg.RPS,
-		ipBurst:      float64(cfg.BurstSize),
-		userRate:     perUserRPS,
-		userBurst:    perUserBurst,
-		buckets:      make(map[string]*tokenBucket),
+		ipRate:    cfg.RPS,
+		ipBurst:   float64(cfg.BurstSize),
+		userRate:  perUserRPS,
+		userBurst: perUserBurst,
+		buckets:   make(map[string]*tokenBucket),
 	}
 
 	return func(next http.Handler) http.Handler {