chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in
ci-pipeline-cleanup Phase 4, commit 71b2245) surfaced 111 files
with accumulated gofmt drift across cmd/, internal/, and deploy/test/.

Each file's diff is gofmt-standard: whitespace adjustments, intra-
group import sorting (alphabetical by import path within blank-line-
separated groups), and struct-tag column alignment. No semantic
changes — verified via 'git diff --ignore-all-space' which shows only
the line-position deltas from import reordering.

The gate stays in place after this commit. Going forward it catches
gofmt drift at PR time.

internal/connector/target/envoy/envoy.go

@@ -19,11 +19,11 @@ import (
 // to a directory that Envoy watches via its SDS (Secret Discovery Service)
 // file-based configuration or static filename references in the bootstrap config.
 type Config struct {
-	CertDir       string `json:"cert_dir"`        // Directory where Envoy watches for cert files (required)
-	CertFilename  string `json:"cert_filename"`   // Filename for certificate (default: cert.pem)
-	KeyFilename   string `json:"key_filename"`    // Filename for private key (default: key.pem)
-	ChainFilename string `json:"chain_filename"`  // Optional filename for chain (if set, chain written separately)
-	SDSConfig     bool   `json:"sds_config"`      // If true, write an SDS discovery JSON file for file-based SDS
+	CertDir       string `json:"cert_dir"`       // Directory where Envoy watches for cert files (required)
+	CertFilename  string `json:"cert_filename"`  // Filename for certificate (default: cert.pem)
+	KeyFilename   string `json:"key_filename"`   // Filename for private key (default: key.pem)
+	ChainFilename string `json:"chain_filename"` // Optional filename for chain (if set, chain written separately)
+	SDSConfig     bool   `json:"sds_config"`     // If true, write an SDS discovery JSON file for file-based SDS
 }
 
 // SDSResource represents an Envoy SDS tls_certificate resource for file-based SDS.
@@ -34,9 +34,9 @@ type SDSResource struct {
 
 // SDSTLSCertificate represents a single SDS tls_certificate entry.
 type SDSTLSCertificate struct {
-	Type            string         `json:"@type"`
-	Name            string         `json:"name"`
-	TLSCertificate  TLSCertificate `json:"tls_certificate"`
+	Type           string         `json:"@type"`
+	Name           string         `json:"name"`
+	TLSCertificate TLSCertificate `json:"tls_certificate"`
 }
 
 // TLSCertificate contains the file paths for cert and key in Envoy's SDS format.

internal/connector/target/f5/f5.go

@@ -457,13 +457,13 @@ func (c *Connector) DeployCertificate(ctx context.Context, request target.Deploy
 		Message:       "Certificate uploaded and SSL profile updated via iControl REST",
 		DeployedAt:    time.Now(),
 		Metadata: map[string]string{
-			"host":             c.config.Host,
-			"partition":        c.config.Partition,
-			"ssl_profile":      c.config.SSLProfile,
-			"cert_object_name": certName,
-			"key_object_name":  keyName,
+			"host":              c.config.Host,
+			"partition":         c.config.Partition,
+			"ssl_profile":       c.config.SSLProfile,
+			"cert_object_name":  certName,
+			"key_object_name":   keyName,
 			"chain_object_name": chainName,
-			"duration_ms":      fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
+			"duration_ms":       fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
 		},
 	}, nil
 }
@@ -561,12 +561,12 @@ func (c *Connector) ValidateDeployment(ctx context.Context, request target.Valid
 		Message:       fmt.Sprintf("SSL profile %q has cert %q configured", c.config.SSLProfile, profile.Cert),
 		ValidatedAt:   time.Now(),
 		Metadata: map[string]string{
-			"host":        c.config.Host,
-			"ssl_profile": c.config.SSLProfile,
-			"current_cert": profile.Cert,
-			"current_key":  profile.Key,
+			"host":          c.config.Host,
+			"ssl_profile":   c.config.SSLProfile,
+			"current_cert":  profile.Cert,
+			"current_key":   profile.Key,
 			"current_chain": profile.Chain,
-			"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
+			"duration_ms":   fmt.Sprintf("%d", validationDuration.Milliseconds()),
 		},
 	}, nil
 }

internal/connector/target/f5/f5_test.go

@@ -25,14 +25,14 @@ type mockF5Client struct {
 	calls []mockCall
 
 	// Configurable responses per method
-	authenticateErr     error
-	authenticateCount   int // tracks number of Authenticate calls
-	uploadFileErr       error
-	uploadFileErrOn     string // only error when filename contains this substring
-	installCertErr      error
-	installCertErrOn    string
-	installKeyErr       error
-	createTransactionID string
+	authenticateErr      error
+	authenticateCount    int // tracks number of Authenticate calls
+	uploadFileErr        error
+	uploadFileErrOn      string // only error when filename contains this substring
+	installCertErr       error
+	installCertErrOn     string
+	installKeyErr        error
+	createTransactionID  string
 	createTransactionErr error
 	commitTransactionErr error
 	updateSSLProfileErr  error

internal/connector/target/iis/winrm.go

@@ -59,9 +59,9 @@ func newWinRMExecutor(cfg *WinRMConfig) (*winrmExecutor, error) {
 		port,
 		cfg.UseHTTPS,
 		cfg.Insecure,
-		nil,  // CA cert
-		nil,  // Client cert
-		nil,  // Client key
+		nil, // CA cert
+		nil, // Client cert
+		nil, // Client key
 		timeout,
 	)
 

internal/connector/target/javakeystore/javakeystore.go

@@ -263,10 +263,10 @@ func (c *Connector) DeployCertificate(ctx context.Context, request target.Deploy
 		Message:       fmt.Sprintf("Certificate imported to %s (alias: %s, thumbprint: %s)", c.config.KeystorePath, c.config.Alias, thumbprint),
 		DeployedAt:    time.Now(),
 		Metadata: map[string]string{
-			"thumbprint":     thumbprint,
-			"alias":          c.config.Alias,
-			"keystore_type":  c.config.KeystoreType,
-			"keystore_path":  c.config.KeystorePath,
+			"thumbprint":    thumbprint,
+			"alias":         c.config.Alias,
+			"keystore_type": c.config.KeystoreType,
+			"keystore_path": c.config.KeystorePath,
 		},
 	}, nil
 }

internal/connector/target/javakeystore/javakeystore_test.go

@@ -240,7 +240,7 @@ func TestDeployCertificate_Success(t *testing.T) {
 
 	mock := &mockExecutor{
 		responses: []mockResponse{
-			{Output: "", Err: nil},                    // keytool -delete (alias may not exist)
+			{Output: "", Err: nil},                         // keytool -delete (alias may not exist)
 			{Output: "Import command completed", Err: nil}, // keytool -importkeystore
 		},
 	}
@@ -355,8 +355,8 @@ func TestDeployCertificate_WithReload(t *testing.T) {
 	mock := &mockExecutor{
 		responses: []mockResponse{
 			// No existing keystore → delete skipped → import is call 0, reload is call 1
-			{Output: "Imported", Err: nil},   // import
-			{Output: "restarted", Err: nil},  // reload
+			{Output: "Imported", Err: nil},  // import
+			{Output: "restarted", Err: nil}, // reload
 		},
 	}
 	c := NewWithExecutor(&Config{
@@ -391,8 +391,8 @@ func TestDeployCertificate_ReloadFailed_NonFatal(t *testing.T) {
 
 	mock := &mockExecutor{
 		responses: []mockResponse{
-			{Output: "", Err: nil},                        // delete
-			{Output: "Imported", Err: nil},                // import
+			{Output: "", Err: nil},                                   // delete
+			{Output: "Imported", Err: nil},                           // import
 			{Output: "Failed to restart", Err: fmt.Errorf("exit 1")}, // reload fails
 		},
 	}

internal/connector/target/k8ssecret/k8ssecret.go

@@ -21,9 +21,9 @@ import (
 // Supports in-cluster auth by default (ServiceAccount token auto-mounted) or
 // out-of-cluster auth via kubeconfig file.
 type Config struct {
-	Namespace      string            `json:"namespace"`                // Required. Kubernetes namespace.
-	SecretName     string            `json:"secret_name"`              // Required. Name of the kubernetes.io/tls Secret.
-	Labels         map[string]string `json:"labels,omitempty"`         // Optional. Additional labels to add to the Secret.
+	Namespace      string            `json:"namespace"`                 // Required. Kubernetes namespace.
+	SecretName     string            `json:"secret_name"`               // Required. Name of the kubernetes.io/tls Secret.
+	Labels         map[string]string `json:"labels,omitempty"`          // Optional. Additional labels to add to the Secret.
 	KubeconfigPath string            `json:"kubeconfig_path,omitempty"` // Optional. Path to kubeconfig for out-of-cluster auth.
 }
 

internal/connector/target/k8ssecret/k8ssecret_test.go

@@ -93,7 +93,7 @@ func (m *mockK8sClient) DeleteSecret(ctx context.Context, namespace, name string
 
 func TestValidateConfig_Success_MinimalConfig(t *testing.T) {
 	cfg := map[string]interface{}{
-		"namespace":  "default",
+		"namespace":   "default",
 		"secret_name": "my-cert",
 	}
 
@@ -644,4 +644,3 @@ func contains(s, substr string) bool {
 	}
 	return false
 }
-

internal/connector/target/ssh/ssh.go

@@ -411,9 +411,9 @@ func (c *realSSHClient) Connect(ctx context.Context) error {
 	}
 
 	sshConfig := &ssh.ClientConfig{
-		User:            c.config.User,
-		Auth:            authMethods,
-		Timeout:         time.Duration(c.config.Timeout) * time.Second,
+		User:    c.config.User,
+		Auth:    authMethods,
+		Timeout: time.Duration(c.config.Timeout) * time.Second,
 		// InsecureIgnoreHostKey is used intentionally: certctl deploys to known
 		// infrastructure (the operator explicitly configures each target host).
 		// This is the same security rationale as network scanner's InsecureSkipVerify

internal/connector/target/ssh/ssh_server_fixture_test.go

@@ -42,15 +42,15 @@ type fakeSSHServer struct {
 	user     string
 	password string
 
-	wg       sync.WaitGroup
-	mu       sync.Mutex
-	closed   bool
+	wg     sync.WaitGroup
+	mu     sync.Mutex
+	closed bool
 
 	// Optional behaviour toggles for failure-mode tests.
-	rejectAuth      bool   // reject all auth attempts (auth failure path)
-	dropOnHandshake bool   // close conn before SSH NewServerConn returns (handshake failure)
-	failExec        bool   // exec sessions return non-zero exit (Execute error path)
-	failSFTP        bool   // refuse sftp subsystem (SFTP failure path)
+	rejectAuth      bool // reject all auth attempts (auth failure path)
+	dropOnHandshake bool // close conn before SSH NewServerConn returns (handshake failure)
+	failExec        bool // exec sessions return non-zero exit (Execute error path)
+	failSFTP        bool // refuse sftp subsystem (SFTP failure path)
 }
 
 // startFakeSSHServer binds a fresh server on a random local port and returns

internal/connector/target/wincertstore/wincertstore.go

@@ -310,4 +310,3 @@ func (c *Connector) ValidateDeployment(ctx context.Context, request target.Valid
 
 // Ensure Connector implements target.Connector.
 var _ target.Connector = (*Connector)(nil)
-

internal/connector/target/wincertstore/wincertstore_test.go

@@ -26,10 +26,10 @@ func testLogger() *slog.Logger {
 
 // mockExecutor records PowerShell scripts and returns configurable responses.
 type mockExecutor struct {
-	scripts    []string
-	responses  []string
-	errors     []error
-	callIndex  int
+	scripts   []string
+	responses []string
+	errors    []error
+	callIndex int
 }
 
 func (m *mockExecutor) Execute(ctx context.Context, script string) (string, error) {