mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:01:36 +00:00
ci-pipeline-cleanup Phase 3: staticcheck hard-fail (SA1019 sites verified closed)
Bundle: ci-pipeline-cleanup, Phase 3 / frozen decision 0.7.
Closes the staticcheck lying field. The original "M-028 will close 6
SA1019 sites" comment had been on the ci.yml entry through every
recent bundle without M-028 landing — turns out M-028 was effectively
done in earlier bundles, just nobody flipped the gate.
Source-grep verification at HEAD c48a82c4:
middleware.NewAuth: zero production callers
$ grep -rE 'middleware\.NewAuth\b' cmd/ internal/ --include='*.go' | grep -v 'NewAuthWithNamedKeys'
(empty)
All 5 call sites in cmd/server/{main,main_test}.go use
NewAuthWithNamedKeys.
csr.Attributes: 2 sites, both with inline //lint:ignore SA1019
$ grep -rnE '\bcsr\.Attributes\b' --include='*.go' . | grep -v _test
internal/api/handler/scep.go:467 + :601
Both have load-bearing rationale: RFC 2985 challengePassword (OID
1.2.840.113549.1.9.7) is a SEPARATE CSR attribute from the
requestedExtensions one csr.Extensions replaces — there is no
non-deprecated stdlib API for it.
elliptic.Marshal: 1 site in bundle9_coverage_test.go, suppressed
$ grep -rnE '^[^/]*elliptic\.Marshal\(' --include='*.go' .
bundle9_coverage_test.go:344
Deliberate byte-equivalence regression oracle for the M-028
ECDH migration. //lint:ignore SA1019 in place.
Removed:
continue-on-error: true
Operator pre-commit: 'staticcheck ./...' must return zero hits.
If staticcheck DOES find something the source-grep missed, CI will
fail and we triage — but the grep evidence is comprehensive.
ci.yml line count unchanged (one line removed, longer comment added).
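The two csr.Attributes sites stay because crypto/x509 offers no non-deprecated accessor for the RFC 2985 challengePassword attribute. As an added example that is not certctl code and not what this commit does, the Go program below reads that attribute (OID 1.2.840.113549.1.9.7) straight from the raw CSR DER with encoding/asn1, the route that needs no SA1019 suppression; ChallengePassword is a hypothetical helper, the struct layouts are assumptions mirroring RFC 2986, and SampleCSR is a hand-built unsigned placeholder, not a real client CSR.

```go
package main

import (
	"encoding/asn1"
	"errors"
)

var oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7} // RFC 2985
// PKCS#10 Attribute: OID plus SET OF values, kept raw: the value syntax depends on the OID (extensionRequest values are SEQUENCEs).
type pkcs10Attribute struct {
	Type   asn1.ObjectIdentifier
	Values asn1.RawValue
}
// CSR per RFC 2986; attributes come through the same tag:0 slice crypto/x509 uses internally.
type certificationRequest struct {
	Info struct {
		Version    int
		Subject    asn1.RawValue
		PublicKey  asn1.RawValue
		Attributes []pkcs10Attribute `asn1:"tag:0"`
	}
	SigAlg    asn1.RawValue
	Signature asn1.BitString
}

// ChallengePassword returns the challengePassword carried by a DER CSR ("" if absent).
// Feed it x509.CertificateRequest.Raw only after CheckSignature has succeeded.
func ChallengePassword(csrDER []byte) (string, error) {
	var req certificationRequest
	if rest, err := asn1.Unmarshal(csrDER, &req); err != nil || len(rest) != 0 {
		return "", errors.New("malformed CSR")
	}
	for _, a := range req.Info.Attributes {
		if a.Type.Equal(oidChallengePassword) {
			var pw string // one DirectoryString: RFC 2985 marks the attribute SINGLE VALUE
			if rest, err := asn1.Unmarshal(a.Values.Bytes, &pw); err != nil || len(rest) != 0 {
				return "", errors.New("challengePassword is not a single DirectoryString")
			}
			return pw, nil
		}
	}
	return "", nil
}
// SampleCSR is a constructed, unsigned 41-byte CSR (version 0, empty SEQUENCE placeholders for
// subject, key and algorithm, empty signature) whose only attribute is challengePassword "secret".
var SampleCSR = []byte{
	0x30, 0x27, 0x30, 0x20, 0x02, 0x01, 0x00, 0x30, 0x00, 0x30, 0x00, 0xA0, 0x17, 0x30, 0x15,
	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x07, 0x31, 0x08, 0x13, 0x06,
	's', 'e', 'c', 'r', 'e', 't', 0x30, 0x00, 0x03, 0x01, 0x00,
}
```

In a SCEP handler the call would sit after csr.CheckSignature(), and a multi-valued or non-string attribute should reject the request rather than be ignored.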
@@ -68,14 +68,16 @@ jobs:
# rules live in staticcheck.conf with documented justifications;
# adding a new entry requires an explicit security review.
#
# SOFT gate (continue-on-error: true) until M-028 closes the 6
# remaining SA1019 deprecated-API sites:
# - cmd/server/main_test.go × 3: middleware.NewAuth → NewAuthWithNamedKeys
# - internal/api/handler/scep.go: csr.Attributes → Extensions
# - internal/connector/issuer/local/local.go: elliptic.Marshal → crypto/ecdh
# When M-028 ships, flip continue-on-error to false to make this
# a hard gate. Until then, the step still annotates findings on PRs.
continue-on-error: true
# ci-pipeline-cleanup Phase 3 / frozen decision 0.7: HARD gate.
# M-028 SA1019 sites verified closed at HEAD 1de61e91:
# - middleware.NewAuth: zero callers (all migrated to
# NewAuthWithNamedKeys in cmd/server/{main,main_test}.go)
# - csr.Attributes (internal/api/handler/scep.go × 2): inline
# //lint:ignore SA1019 with load-bearing rationale (RFC 2985
# challengePassword has no non-deprecated stdlib API)
# - elliptic.Marshal: only in bundle9_coverage_test.go × 1 as
# deliberate byte-equivalence regression oracle, suppressed
# with //lint:ignore SA1019
run: staticcheck ./...
- name: Race Detection
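Review bot: the verification HEAD in the new comment block does not match the commit message: the comment says the SA1019 sites were "verified closed at HEAD 1de61e91", while the commit message above gives the source-grep verification as HEAD c48a82c4. Since this comment is the only in-tree record of why the gate is hard, make the two agree, or cite the commit that flipped the gate rather than a HEAD that will move, so a future reader can re-run the three greps against the right tree. The removal of `continue-on-error: true` itself reads correctly, and the Race Detection step below is untouched.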