chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in ci-pipeline-cleanup Phase 4, commit 71b2245) surfaced 111 files with accumulated gofmt drift across cmd/, internal/, and deploy/test/. Each file's diff is gofmt-standard: whitespace adjustments, intra- group import sorting (alphabetical by import path within blank-line- separated groups), and struct-tag column alignment. No semantic changes — verified via 'git diff --ignore-all-space' which shows only the line-position deltas from import reordering. The gate stays in place after this commit. Going forward it catches gofmt drift at PR time.
2026-06-10 21:28:52 +00:00 · 2026-04-30 22:33:57 +00:00
parent 251db46f26
commit 482c7e8047
111 changed files with 761 additions and 770 deletions
@@ -4,14 +4,14 @@ import "testing"

 func TestCertificateStatus_Constants(t *testing.T) {
 	tests := map[string]CertificateStatus{
-		"Pending":             CertificateStatusPending,
-		"Active":              CertificateStatusActive,
-		"Expiring":            CertificateStatusExpiring,
-		"Expired":             CertificateStatusExpired,
-		"RenewalInProgress":   CertificateStatusRenewalInProgress,
-		"Failed":              CertificateStatusFailed,
-		"Revoked":             CertificateStatusRevoked,
-		"Archived":            CertificateStatusArchived,
+		"Pending":           CertificateStatusPending,
+		"Active":            CertificateStatusActive,
+		"Expiring":          CertificateStatusExpiring,
+		"Expired":           CertificateStatusExpired,
+		"RenewalInProgress": CertificateStatusRenewalInProgress,
+		"Failed":            CertificateStatusFailed,
+		"Revoked":           CertificateStatusRevoked,
+		"Archived":          CertificateStatusArchived,
 	}
 	for expected, got := range tests {
 		if string(got) != expected {
@@ -11,7 +11,7 @@ type Issuer struct {
 	Name            string          `json:"name"`
 	Type            IssuerType      `json:"type"`
 	Config          json.RawMessage `json:"config"`
-	EncryptedConfig []byte          `json:"-"`                         // AES-GCM encrypted full config (never exposed via API)
+	EncryptedConfig []byte          `json:"-"` // AES-GCM encrypted full config (never exposed via API)
 	Enabled         bool            `json:"enabled"`
 	LastTestedAt    *time.Time      `json:"last_tested_at,omitempty"`
 	TestStatus      string          `json:"test_status,omitempty"`
@@ -27,13 +27,13 @@ type DeploymentTarget struct {
 	Type            TargetType      `json:"type"`
 	AgentID         string          `json:"agent_id"`
 	Config          json.RawMessage `json:"config"`
-	EncryptedConfig []byte          `json:"-"`                         // AES-GCM encrypted full config (never exposed via API)
+	EncryptedConfig []byte          `json:"-"` // AES-GCM encrypted full config (never exposed via API)
 	Enabled         bool            `json:"enabled"`
 	LastTestedAt    *time.Time      `json:"last_tested_at,omitempty"`
 	TestStatus      string          `json:"test_status,omitempty"`
 	Source          string          `json:"source,omitempty"`
-	RetiredAt       *time.Time      `json:"retired_at,omitempty"`      // I-004: soft-retirement timestamp (nil = active)
-	RetiredReason   *string         `json:"retired_reason,omitempty"`  // I-004: reason captured at cascade retirement
+	RetiredAt       *time.Time      `json:"retired_at,omitempty"`     // I-004: soft-retirement timestamp (nil = active)
+	RetiredReason   *string         `json:"retired_reason,omitempty"` // I-004: reason captured at cascade retirement
 	CreatedAt       time.Time       `json:"created_at"`
 	UpdatedAt       time.Time       `json:"updated_at"`
 }
@@ -65,11 +65,11 @@ type Agent struct {
 	// docs/architecture.md ER diagram (which documents DB shape, not API
 	// shape) and coverage-gap-audit-2026-04-24-v5/unified-audit.md
 	// cat-s5-apikey_leak for the full closure rationale.
-	APIKeyHash      string      `json:"-"`
-	OS              string      `json:"os"`
-	Architecture    string      `json:"architecture"`
-	IPAddress       string      `json:"ip_address"`
-	Version         string      `json:"version"`
+	APIKeyHash   string `json:"-"`
+	OS           string `json:"os"`
+	Architecture string `json:"architecture"`
+	IPAddress    string `json:"ip_address"`
+	Version      string `json:"version"`
 	// I-004: soft-retirement fields. An agent with RetiredAt != nil is the
 	// canonical "retired" state. The Status column remains as before (Online
 	// / Offline / Degraded) and is preserved at retirement time as the
@@ -115,9 +115,9 @@ func (a *Agent) IsRetired() bool { return a != nil && a.RetiredAt != nil }
 // any non-zero count blocks a default retire with HTTP 409 and requires an
 // explicit ?force=true&reason=... escape hatch from the operator.
 type AgentDependencyCounts struct {
-	ActiveTargets     int `json:"active_targets"`     // deployment_targets.agent_id=id AND retired_at IS NULL
+	ActiveTargets      int `json:"active_targets"`      // deployment_targets.agent_id=id AND retired_at IS NULL
 	ActiveCertificates int `json:"active_certificates"` // certificates currently deployed via one of this agent's active targets
-	PendingJobs       int `json:"pending_jobs"`       // jobs.agent_id=id AND status IN (Pending, AwaitingCSR, AwaitingApproval, Running)
+	PendingJobs        int `json:"pending_jobs"`        // jobs.agent_id=id AND status IN (Pending, AwaitingCSR, AwaitingApproval, Running)
 }

 // HasDependencies reports whether any preflight counter is non-zero.
@@ -180,14 +180,14 @@ const (
 type IssuerType string

 const (
-	IssuerTypeACME      IssuerType = "ACME"
-	IssuerTypeGenericCA IssuerType = "GenericCA"
-	IssuerTypeStepCA    IssuerType = "StepCA"
-	IssuerTypeOpenSSL   IssuerType = "OpenSSL"
-	IssuerTypeVault     IssuerType = "VaultPKI"
-	IssuerTypeDigiCert  IssuerType = "DigiCert"
-	IssuerTypeSectigo   IssuerType = "Sectigo"
-	IssuerTypeGoogleCAS IssuerType = "GoogleCAS"
+	IssuerTypeACME       IssuerType = "ACME"
+	IssuerTypeGenericCA  IssuerType = "GenericCA"
+	IssuerTypeStepCA     IssuerType = "StepCA"
+	IssuerTypeOpenSSL    IssuerType = "OpenSSL"
+	IssuerTypeVault      IssuerType = "VaultPKI"
+	IssuerTypeDigiCert   IssuerType = "DigiCert"
+	IssuerTypeSectigo    IssuerType = "Sectigo"
+	IssuerTypeGoogleCAS  IssuerType = "GoogleCAS"
 	IssuerTypeAWSACMPCA  IssuerType = "AWSACMPCA"
 	IssuerTypeEntrust    IssuerType = "Entrust"
 	IssuerTypeGlobalSign IssuerType = "GlobalSign"
@@ -198,16 +198,16 @@ const (
 type TargetType string

 const (
-	TargetTypeNGINX    TargetType = "NGINX"
-	TargetTypeApache   TargetType = "Apache"
-	TargetTypeHAProxy  TargetType = "HAProxy"
-	TargetTypeF5       TargetType = "F5"
-	TargetTypeIIS      TargetType = "IIS"
-	TargetTypeTraefik  TargetType = "Traefik"
-	TargetTypeCaddy    TargetType = "Caddy"
-	TargetTypeEnvoy    TargetType = "Envoy"
-	TargetTypePostfix  TargetType = "Postfix"
-	TargetTypeDovecot  TargetType = "Dovecot"
+	TargetTypeNGINX             TargetType = "NGINX"
+	TargetTypeApache            TargetType = "Apache"
+	TargetTypeHAProxy           TargetType = "HAProxy"
+	TargetTypeF5                TargetType = "F5"
+	TargetTypeIIS               TargetType = "IIS"
+	TargetTypeTraefik           TargetType = "Traefik"
+	TargetTypeCaddy             TargetType = "Caddy"
+	TargetTypeEnvoy             TargetType = "Envoy"
+	TargetTypePostfix           TargetType = "Postfix"
+	TargetTypeDovecot           TargetType = "Dovecot"
 	TargetTypeSSH               TargetType = "SSH"
 	TargetTypeWinCertStore      TargetType = "WinCertStore"
 	TargetTypeJavaKeystore      TargetType = "JavaKeystore"
@@ -24,34 +24,34 @@ func IsValidHealthStatus(s string) bool {

 // EndpointHealthCheck represents a monitored TLS endpoint.
 type EndpointHealthCheck struct {
-	ID                  string        `json:"id"`
-	Endpoint            string        `json:"endpoint"`
-	CertificateID       *string       `json:"certificate_id,omitempty"`
-	NetworkScanTargetID *string       `json:"network_scan_target_id,omitempty"`
-	ExpectedFingerprint string        `json:"expected_fingerprint"`
-	ObservedFingerprint string        `json:"observed_fingerprint"`
-	Status              HealthStatus  `json:"status"`
-	ConsecutiveFailures int           `json:"consecutive_failures"`
-	ResponseTimeMs      int           `json:"response_time_ms"`
-	TLSVersion          string        `json:"tls_version"`
-	CipherSuite         string        `json:"cipher_suite"`
-	CertSubject         string        `json:"cert_subject"`
-	CertIssuer          string        `json:"cert_issuer"`
-	CertExpiry          *time.Time    `json:"cert_expiry,omitempty"`
-	LastCheckedAt       *time.Time    `json:"last_checked_at,omitempty"`
-	LastSuccessAt       *time.Time    `json:"last_success_at,omitempty"`
-	LastFailureAt       *time.Time    `json:"last_failure_at,omitempty"`
-	LastTransitionAt    *time.Time    `json:"last_transition_at,omitempty"`
-	FailureReason       string        `json:"failure_reason"`
-	DegradedThreshold   int           `json:"degraded_threshold"`
-	DownThreshold       int           `json:"down_threshold"`
-	CheckIntervalSecs   int           `json:"check_interval_seconds"`
-	Enabled             bool          `json:"enabled"`
-	Acknowledged        bool          `json:"acknowledged"`
-	AcknowledgedBy      string        `json:"acknowledged_by,omitempty"`
-	AcknowledgedAt      *time.Time    `json:"acknowledged_at,omitempty"`
-	CreatedAt           time.Time     `json:"created_at"`
-	UpdatedAt           time.Time     `json:"updated_at"`
+	ID                  string       `json:"id"`
+	Endpoint            string       `json:"endpoint"`
+	CertificateID       *string      `json:"certificate_id,omitempty"`
+	NetworkScanTargetID *string      `json:"network_scan_target_id,omitempty"`
+	ExpectedFingerprint string       `json:"expected_fingerprint"`
+	ObservedFingerprint string       `json:"observed_fingerprint"`
+	Status              HealthStatus `json:"status"`
+	ConsecutiveFailures int          `json:"consecutive_failures"`
+	ResponseTimeMs      int          `json:"response_time_ms"`
+	TLSVersion          string       `json:"tls_version"`
+	CipherSuite         string       `json:"cipher_suite"`
+	CertSubject         string       `json:"cert_subject"`
+	CertIssuer          string       `json:"cert_issuer"`
+	CertExpiry          *time.Time   `json:"cert_expiry,omitempty"`
+	LastCheckedAt       *time.Time   `json:"last_checked_at,omitempty"`
+	LastSuccessAt       *time.Time   `json:"last_success_at,omitempty"`
+	LastFailureAt       *time.Time   `json:"last_failure_at,omitempty"`
+	LastTransitionAt    *time.Time   `json:"last_transition_at,omitempty"`
+	FailureReason       string       `json:"failure_reason"`
+	DegradedThreshold   int          `json:"degraded_threshold"`
+	DownThreshold       int          `json:"down_threshold"`
+	CheckIntervalSecs   int          `json:"check_interval_seconds"`
+	Enabled             bool         `json:"enabled"`
+	Acknowledged        bool         `json:"acknowledged"`
+	AcknowledgedBy      string       `json:"acknowledged_by,omitempty"`
+	AcknowledgedAt      *time.Time   `json:"acknowledged_at,omitempty"`
+	CreatedAt           time.Time    `json:"created_at"`
+	UpdatedAt           time.Time    `json:"updated_at"`
 }

 // TransitionStatus computes the new health status based on the probe result.
@@ -89,13 +89,13 @@ func (h *EndpointHealthCheck) TransitionStatus(probeSuccess bool, observedFinger

 // HealthHistoryEntry represents a single probe record.
 type HealthHistoryEntry struct {
-	ID            string    `json:"id"`
-	HealthCheckID string    `json:"health_check_id"`
-	Status        string    `json:"status"`
-	ResponseTimeMs int      `json:"response_time_ms"`
-	Fingerprint   string    `json:"fingerprint"`
-	FailureReason string    `json:"failure_reason"`
-	CheckedAt     time.Time `json:"checked_at"`
+	ID             string    `json:"id"`
+	HealthCheckID  string    `json:"health_check_id"`
+	Status         string    `json:"status"`
+	ResponseTimeMs int       `json:"response_time_ms"`
+	Fingerprint    string    `json:"fingerprint"`
+	FailureReason  string    `json:"failure_reason"`
+	CheckedAt      time.Time `json:"checked_at"`
 }

 // HealthCheckSummary contains aggregate counts by status.
@@ -7,23 +7,23 @@ import (

 // Job represents a unit of work in the certificate control plane.
 type Job struct {
-	ID                  string             `json:"id"`
-	Type                JobType            `json:"type"`
-	CertificateID       string             `json:"certificate_id"`
-	TargetID            *string            `json:"target_id,omitempty"`
-	AgentID             *string            `json:"agent_id,omitempty"`
-	Status              JobStatus          `json:"status"`
-	Attempts            int                `json:"attempts"`
-	MaxAttempts         int                `json:"max_attempts"`
-	LastError           *string            `json:"last_error,omitempty"`
-	ScheduledAt         time.Time          `json:"scheduled_at"`
-	StartedAt           *time.Time         `json:"started_at,omitempty"`
-	CompletedAt         *time.Time         `json:"completed_at,omitempty"`
-	CreatedAt           time.Time          `json:"created_at"`
-	VerificationStatus  VerificationStatus `json:"verification_status"`
-	VerifiedAt          *time.Time         `json:"verified_at,omitempty"`
-	VerificationError   *string            `json:"verification_error,omitempty"`
-	VerificationFp      *string            `json:"verification_fingerprint,omitempty"`
+	ID                 string             `json:"id"`
+	Type               JobType            `json:"type"`
+	CertificateID      string             `json:"certificate_id"`
+	TargetID           *string            `json:"target_id,omitempty"`
+	AgentID            *string            `json:"agent_id,omitempty"`
+	Status             JobStatus          `json:"status"`
+	Attempts           int                `json:"attempts"`
+	MaxAttempts        int                `json:"max_attempts"`
+	LastError          *string            `json:"last_error,omitempty"`
+	ScheduledAt        time.Time          `json:"scheduled_at"`
+	StartedAt          *time.Time         `json:"started_at,omitempty"`
+	CompletedAt        *time.Time         `json:"completed_at,omitempty"`
+	CreatedAt          time.Time          `json:"created_at"`
+	VerificationStatus VerificationStatus `json:"verification_status"`
+	VerifiedAt         *time.Time         `json:"verified_at,omitempty"`
+	VerificationError  *string            `json:"verification_error,omitempty"`
+	VerificationFp     *string            `json:"verification_fingerprint,omitempty"`
 }

 // JobType represents the classification of work to be performed.
@@ -104,15 +104,15 @@ func TestNotificationEvent_RetryFields(t *testing.T) {
 	next := time.Now().Add(2 * time.Minute)
 	lastErr := "connection refused"
 	event := &NotificationEvent{
-		ID:           "notif-retry-001",
-		Type:         NotificationTypeExpirationWarning,
-		Channel:      NotificationChannelWebhook,
-		Recipient:    "https://hooks.example.com/certs",
-		Message:      "retry me",
-		Status:       string(NotificationStatusFailed),
-		RetryCount:   3,
-		NextRetryAt:  &next,
-		LastError:    &lastErr,
+		ID:          "notif-retry-001",
+		Type:        NotificationTypeExpirationWarning,
+		Channel:     NotificationChannelWebhook,
+		Recipient:   "https://hooks.example.com/certs",
+		Message:     "retry me",
+		Status:      string(NotificationStatusFailed),
+		RetryCount:  3,
+		NextRetryAt: &next,
+		LastError:   &lastErr,
 	}

 	if event.RetryCount != 3 {
@@ -12,10 +12,10 @@ import "time"
 type OCSPResponseCacheEntry struct {
 	IssuerID         string    `json:"issuer_id"`
 	SerialHex        string    `json:"serial_hex"`
-	ResponseDER      []byte    `json:"-"` // raw DER, omitted from admin JSON to keep responses lean
-	CertStatus       string    `json:"cert_status"`                  // "good" | "revoked" | "unknown"
-	RevocationReason int       `json:"revocation_reason,omitempty"`  // only set when CertStatus == "revoked"
-	RevokedAt        time.Time `json:"revoked_at,omitempty"`         // only set when CertStatus == "revoked"
+	ResponseDER      []byte    `json:"-"`                           // raw DER, omitted from admin JSON to keep responses lean
+	CertStatus       string    `json:"cert_status"`                 // "good" | "revoked" | "unknown"
+	RevocationReason int       `json:"revocation_reason,omitempty"` // only set when CertStatus == "revoked"
+	RevokedAt        time.Time `json:"revoked_at,omitempty"`        // only set when CertStatus == "revoked"
 	ThisUpdate       time.Time `json:"this_update"`
 	NextUpdate       time.Time `json:"next_update"`
 	GeneratedAt      time.Time `json:"generated_at"`
@@ -21,12 +21,12 @@ type PolicyRule struct {
 type PolicyType string

 const (
-	PolicyTypeAllowedIssuers       PolicyType = "AllowedIssuers"
-	PolicyTypeAllowedDomains       PolicyType = "AllowedDomains"
-	PolicyTypeRequiredMetadata     PolicyType = "RequiredMetadata"
-	PolicyTypeAllowedEnvironments  PolicyType = "AllowedEnvironments"
-	PolicyTypeRenewalLeadTime      PolicyType = "RenewalLeadTime"
-	PolicyTypeCertificateLifetime  PolicyType = "CertificateLifetime"
+	PolicyTypeAllowedIssuers      PolicyType = "AllowedIssuers"
+	PolicyTypeAllowedDomains      PolicyType = "AllowedDomains"
+	PolicyTypeRequiredMetadata    PolicyType = "RequiredMetadata"
+	PolicyTypeAllowedEnvironments PolicyType = "AllowedEnvironments"
+	PolicyTypeRenewalLeadTime     PolicyType = "RenewalLeadTime"
+	PolicyTypeCertificateLifetime PolicyType = "CertificateLifetime"
 )

 // PolicyViolation records an instance of a certificate violating a policy rule.