chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in
ci-pipeline-cleanup Phase 4, commit 0f205a8) surfaced 111 files
with accumulated gofmt drift across cmd/, internal/, and deploy/test/.

Each file's diff is gofmt-standard: whitespace adjustments, intra-
group import sorting (alphabetical by import path within blank-line-
separated groups), and struct-tag column alignment. No semantic
changes — verified via 'git diff --ignore-all-space' which shows only
the line-position deltas from import reordering.

The gate stays in place after this commit. Going forward it catches
gofmt drift at PR time.

cmd/agent/agent_test.go

@@ -692,10 +692,10 @@ func TestMakeRequest_InvalidURL(t *testing.T) {
 // TestCertKeyInfo tests extraction of key algorithm and size from certificates.
 func TestCertKeyInfo(t *testing.T) {
 	tests := []struct {
-		name         string
-		genKey       func() interface{}
-		expectedAlg  string
-		minBitSize   int
+		name        string
+		genKey      func() interface{}
+		expectedAlg string
+		minBitSize  int
 	}{
 		{
 			name: "ECDSA P-256",
@@ -1503,9 +1503,9 @@ func TestValidateHTTPSScheme(t *testing.T) {
 			wantErrSub: "plaintext http://",
 		},
 		{
-			name:       "bare host missing scheme falls through to unsupported",
-			serverURL:  "localhost:8443",
-			wantErr:    true,
+			name:      "bare host missing scheme falls through to unsupported",
+			serverURL: "localhost:8443",
+			wantErr:   true,
 			// url.Parse treats "localhost:8443" as scheme=localhost,
 			// opaque=8443 — exercises the default arm (unsupported scheme)
 			// rather than the empty-scheme arm. Both are fail-closed, which

cmd/agent/main.go

@@ -34,16 +34,16 @@ import (
 	"github.com/shankar0123/certctl/internal/connector/target/apache"
 	"github.com/shankar0123/certctl/internal/connector/target/caddy"
 	"github.com/shankar0123/certctl/internal/connector/target/envoy"
-	pf "github.com/shankar0123/certctl/internal/connector/target/postfix"
-	sshconn "github.com/shankar0123/certctl/internal/connector/target/ssh"
 	"github.com/shankar0123/certctl/internal/connector/target/f5"
-	jks "github.com/shankar0123/certctl/internal/connector/target/javakeystore"
-	k8s "github.com/shankar0123/certctl/internal/connector/target/k8ssecret"
-	wcs "github.com/shankar0123/certctl/internal/connector/target/wincertstore"
 	"github.com/shankar0123/certctl/internal/connector/target/haproxy"
 	"github.com/shankar0123/certctl/internal/connector/target/iis"
+	jks "github.com/shankar0123/certctl/internal/connector/target/javakeystore"
+	k8s "github.com/shankar0123/certctl/internal/connector/target/k8ssecret"
 	"github.com/shankar0123/certctl/internal/connector/target/nginx"
+	pf "github.com/shankar0123/certctl/internal/connector/target/postfix"
+	sshconn "github.com/shankar0123/certctl/internal/connector/target/ssh"
 	"github.com/shankar0123/certctl/internal/connector/target/traefik"
+	wcs "github.com/shankar0123/certctl/internal/connector/target/wincertstore"
 )
 
 // AgentConfig represents the agent-side configuration.
@@ -80,10 +80,10 @@ type Agent struct {
 	client *http.Client
 
 	// Configuration
-	heartbeatInterval     time.Duration
-	pollInterval          time.Duration
-	discoveryInterval     time.Duration
-	consecutiveFailures   int
+	heartbeatInterval   time.Duration
+	pollInterval        time.Duration
+	discoveryInterval   time.Duration
+	consecutiveFailures int
 
 	// I-004: terminal retirement signal. retiredSignal is closed exactly once
 	// (guarded by retiredOnce) when either sendHeartbeat or pollForWork

cmd/agent/verify.go

@@ -75,8 +75,8 @@ func verifyDeployment(
 		// calls, issuer connector communication, or any operation that trusts the
 		// certificate. The verification result compares SHA-256 fingerprints only.
 		// See TICKET-016 for full security audit rationale.
-		InsecureSkipVerify: true, //nolint:gosec // verification probe; documented above + docs/tls.md L-001 table
-		ServerName:        targetHost, // For SNI
+		InsecureSkipVerify: true,       //nolint:gosec // verification probe; documented above + docs/tls.md L-001 table
+		ServerName:         targetHost, // For SNI
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to %s: %w", address, err)
@@ -161,11 +161,11 @@ func (a *Agent) reportVerificationResult(
 
 	// Build the request payload
 	payload := map[string]interface{}{
-		"target_id":             targetID,
-		"expected_fingerprint":  result.ExpectedFingerprint,
-		"actual_fingerprint":    result.ActualFingerprint,
-		"verified":              result.Verified,
-		"error":                 result.Error,
+		"target_id":            targetID,
+		"expected_fingerprint": result.ExpectedFingerprint,
+		"actual_fingerprint":   result.ActualFingerprint,
+		"verified":             result.Verified,
+		"error":                result.Error,
 	}
 
 	body, err := json.Marshal(payload)
@@ -247,7 +247,7 @@ func (a *Agent) verifyAndReportDeployment(
 ) {
 	// Perform verification with configured timeout and delay
 	result, err := verifyDeployment(ctx, targetHost, targetPort, certPEM,
-		2*time.Second, // delay before probing
+		2*time.Second,  // delay before probing
 		10*time.Second, // timeout for TLS connection
 		a.logger)
 
@@ -261,7 +261,7 @@ func (a *Agent) verifyAndReportDeployment(
 		}
 		// Probe failure: report error but continue
 		result = &VerificationResult{
-			Error: err.Error(),
+			Error:      err.Error(),
 			VerifiedAt: time.Now().UTC(),
 		}
 	}

cmd/agent/verify_test.go

@@ -114,9 +114,9 @@ func TestExtractTargetHostAndPort_InvalidJSON(t *testing.T) {
 
 func TestExtractTargetHostAndPort_AlternativeFieldNames(t *testing.T) {
 	tests := []struct {
-		name      string
-		config    map[string]interface{}
-		expected  string
+		name     string
+		config   map[string]interface{}
+		expected string
 	}{
 		{"host", map[string]interface{}{"host": "host1.com"}, "host1.com"},
 		{"hostname", map[string]interface{}{"hostname": "host2.com"}, "host2.com"},