chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in
ci-pipeline-cleanup Phase 4, commit 71b2245) surfaced 111 files
with accumulated gofmt drift across cmd/, internal/, and deploy/test/.

Each file's diff is gofmt-standard: whitespace adjustments, intra-
group import sorting (alphabetical by import path within blank-line-
separated groups), and struct-tag column alignment. No semantic
changes — verified via 'git diff --ignore-all-space' which shows only
the line-position deltas from import reordering.

The gate stays in place after this commit. Going forward it catches
gofmt drift at PR time.

internal/connector/discovery/awssm/awssm_test.go

@@ -20,10 +20,10 @@ import (
 
 // mockSMClient is a mock implementation of SMClient for testing.
 type mockSMClient struct {
-	secrets          map[string]string            // secret name -> secret value
-	secretMetadata   map[string]SecretMetadata    // secret name -> metadata
-	listError        error
-	getErrors        map[string]error // secret name -> error
+	secrets        map[string]string         // secret name -> secret value
+	secretMetadata map[string]SecretMetadata // secret name -> metadata
+	listError      error
+	getErrors      map[string]error // secret name -> error
 }
 
 func newMockSMClient() *mockSMClient {
@@ -369,4 +369,3 @@ func TestSource_Discover_AgentIDAndSourcePath(t *testing.T) {
 		t.Errorf("expected source path 'aws-sm://eu-west-1/my-secret', got %s", report.Certificates[0].SourcePath)
 	}
 }
-

internal/connector/discovery/azurekv/azurekv.go

@@ -69,10 +69,10 @@ type certificateListResponse struct {
 	Value []struct {
 		ID         string `json:"id"`
 		Attributes struct {
-			Enabled int64  `json:"enabled"`
-			Created int64  `json:"created"`
-			Updated int64  `json:"updated"`
-			Exp     int64  `json:"exp"`
+			Enabled int64 `json:"enabled"`
+			Created int64 `json:"created"`
+			Updated int64 `json:"updated"`
+			Exp     int64 `json:"exp"`
 		} `json:"attributes,omitempty"`
 		Tags map[string]string `json:"tags,omitempty"`
 	} `json:"value"`
@@ -84,10 +84,10 @@ type certificateBundle struct {
 	ID         string `json:"id"`
 	CER        string `json:"cer"`
 	Attributes struct {
-		Enabled int64  `json:"enabled"`
-		Created int64  `json:"created"`
-		Updated int64  `json:"updated"`
-		Exp     int64  `json:"exp"`
+		Enabled int64 `json:"enabled"`
+		Created int64 `json:"created"`
+		Updated int64 `json:"updated"`
+		Exp     int64 `json:"exp"`
 	} `json:"attributes,omitempty"`
 }
 
@@ -170,10 +170,10 @@ func (s *Source) Discover(ctx context.Context) (*domain.DiscoveryReport, error)
 	s.logger.Info("starting Azure Key Vault discovery", "vault_url", s.config.VaultURL)
 
 	report := &domain.DiscoveryReport{
-		AgentID:     "cloud-azure-kv",
-		Directories: []string{fmt.Sprintf("azure-kv://%s/", s.config.VaultURL)},
+		AgentID:      "cloud-azure-kv",
+		Directories:  []string{fmt.Sprintf("azure-kv://%s/", s.config.VaultURL)},
 		Certificates: []domain.DiscoveredCertEntry{},
-		Errors:      []string{},
+		Errors:       []string{},
 	}
 
 	startTime := time.Now()

internal/connector/discovery/gcpsm/gcpsm_test.go

@@ -82,7 +82,7 @@ func generateTestCertificate(cn string, expire time.Duration) (*x509.Certificate
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageServerAuth,
 		},
-		DNSNames:    []string{"example.com", "*.example.com"},
+		DNSNames:       []string{"example.com", "*.example.com"},
 		EmailAddresses: []string{"test@example.com"},
 	}