chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in
ci-pipeline-cleanup Phase 4, commit 71b2245) surfaced 111 files
with accumulated gofmt drift across cmd/, internal/, and deploy/test/.

Each file's diff is gofmt-standard: whitespace adjustments, intra-
group import sorting (alphabetical by import path within blank-line-
separated groups), and struct-tag column alignment. No semantic
changes — verified via 'git diff --ignore-all-space' which shows only
the line-position deltas from import reordering.

The gate stays in place after this commit. Going forward it catches
gofmt drift at PR time.

internal/domain/policy.go

@@ -21,12 +21,12 @@ type PolicyRule struct {
 type PolicyType string
 
 const (
-	PolicyTypeAllowedIssuers       PolicyType = "AllowedIssuers"
-	PolicyTypeAllowedDomains       PolicyType = "AllowedDomains"
-	PolicyTypeRequiredMetadata     PolicyType = "RequiredMetadata"
-	PolicyTypeAllowedEnvironments  PolicyType = "AllowedEnvironments"
-	PolicyTypeRenewalLeadTime      PolicyType = "RenewalLeadTime"
-	PolicyTypeCertificateLifetime  PolicyType = "CertificateLifetime"
+	PolicyTypeAllowedIssuers      PolicyType = "AllowedIssuers"
+	PolicyTypeAllowedDomains      PolicyType = "AllowedDomains"
+	PolicyTypeRequiredMetadata    PolicyType = "RequiredMetadata"
+	PolicyTypeAllowedEnvironments PolicyType = "AllowedEnvironments"
+	PolicyTypeRenewalLeadTime     PolicyType = "RenewalLeadTime"
+	PolicyTypeCertificateLifetime PolicyType = "CertificateLifetime"
 )
 
 // PolicyViolation records an instance of a certificate violating a policy rule.