chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in
ci-pipeline-cleanup Phase 4, commit 0f205a8) surfaced 111 files
with accumulated gofmt drift across cmd/, internal/, and deploy/test/.

Each file's diff is gofmt-standard: whitespace adjustments, intra-
group import sorting (alphabetical by import path within blank-line-
separated groups), and struct-tag column alignment. No semantic
changes — verified via 'git diff --ignore-all-space' which shows only
the line-position deltas from import reordering.

The gate stays in place after this commit. Going forward it catches
gofmt drift at PR time.

internal/api/handler/adversarial_path_test.go

@@ -56,8 +56,8 @@ func adversarialPathInputs() []struct {
 		{"null_byte_trailing", "mc-001\x00"},
 		{"null_byte_embedded", "mc-\x00-001"},
 		{"long_id_10k", strings.Repeat("A", 10000)},
-		{"unicode_homoglyph_hyphen", "mc\u2010001"},          // U+2010 HYPHEN
-		{"unicode_homoglyph_fullwidth", "mc\uFF0D001"},       // U+FF0D FULLWIDTH HYPHEN-MINUS
+		{"unicode_homoglyph_hyphen", "mc\u2010001"},    // U+2010 HYPHEN
+		{"unicode_homoglyph_fullwidth", "mc\uFF0D001"}, // U+FF0D FULLWIDTH HYPHEN-MINUS
 		{"control_char_newline", "mc-001\n"},
 		{"control_char_tab", "mc\t001"},
 		{"control_char_bell", "mc\x07001"},

internal/api/handler/agent_groups.go

@@ -1,10 +1,10 @@
 package handler
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
-	"errors"
 	"context"
 	"encoding/json"
+	"errors"
+	"github.com/shankar0123/certctl/internal/repository"
 	"net/http"
 	"strconv"
 	"strings"

internal/api/handler/agent_handler_test.go

@@ -28,8 +28,8 @@ type MockAgentService struct {
 	// I-004: soft-retirement hooks. Tests that don't set these receive nil
 	// results and nil errors, which mirrors the safest default (no-op) for
 	// unrelated suites that mock only the legacy surface.
-	RetireAgentFn        func(agentID, actor string, force bool, reason string) (*service.AgentRetirementResult, error)
-	ListRetiredAgentsFn  func(page, perPage int) ([]domain.Agent, int64, error)
+	RetireAgentFn       func(agentID, actor string, force bool, reason string) (*service.AgentRetirementResult, error)
+	ListRetiredAgentsFn func(page, perPage int) ([]domain.Agent, int64, error)
 }
 
 func (m *MockAgentService) ListAgents(_ context.Context, page, perPage int) ([]domain.Agent, int64, error) {

internal/api/handler/agent_retire_handler_test.go

@@ -56,10 +56,10 @@ func TestRetireAgentHandler_Success_200(t *testing.T) {
 	}
 
 	var body struct {
-		RetiredAt      time.Time                     `json:"retired_at"`
-		AlreadyRetired bool                          `json:"already_retired"`
-		Cascade        bool                          `json:"cascade"`
-		Counts         domain.AgentDependencyCounts  `json:"counts"`
+		RetiredAt      time.Time                    `json:"retired_at"`
+		AlreadyRetired bool                         `json:"already_retired"`
+		Cascade        bool                         `json:"cascade"`
+		Counts         domain.AgentDependencyCounts `json:"counts"`
 	}
 	if err := json.NewDecoder(w.Body).Decode(&body); err != nil {
 		t.Fatalf("decode 200 body: %v", err)
@@ -273,10 +273,10 @@ func TestRetireAgentHandler_ForceCascade_200(t *testing.T) {
 	}
 
 	var body struct {
-		RetiredAt      time.Time                     `json:"retired_at"`
-		AlreadyRetired bool                          `json:"already_retired"`
-		Cascade        bool                          `json:"cascade"`
-		Counts         domain.AgentDependencyCounts  `json:"counts"`
+		RetiredAt      time.Time                    `json:"retired_at"`
+		AlreadyRetired bool                         `json:"already_retired"`
+		Cascade        bool                         `json:"cascade"`
+		Counts         domain.AgentDependencyCounts `json:"counts"`
 	}
 	if err := json.NewDecoder(w.Body).Decode(&body); err != nil {
 		t.Fatalf("decode force-cascade 200 body: %v", err)

internal/api/handler/agents.go

@@ -1,10 +1,10 @@
 package handler
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"encoding/json"
 	"errors"
+	"github.com/shankar0123/certctl/internal/repository"
 	"log/slog"
 	"net/http"
 	"strconv"

internal/api/handler/audit_handler_test.go

@@ -9,14 +9,14 @@ import (
 	"testing"
 	"time"
 
-	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/api/middleware"
+	"github.com/shankar0123/certctl/internal/domain"
 )
 
 // mockAuditService implements AuditService for testing.
 type mockAuditService struct {
-	listFunc  func(page, perPage int) ([]domain.AuditEvent, int64, error)
-	getFunc   func(id string) (*domain.AuditEvent, error)
+	listFunc func(page, perPage int) ([]domain.AuditEvent, int64, error)
+	getFunc  func(id string) (*domain.AuditEvent, error)
 }
 
 func (m *mockAuditService) ListAuditEvents(_ context.Context, page, perPage int) ([]domain.AuditEvent, int64, error) {

internal/api/handler/bulk_partial_failure_test.go

@@ -86,10 +86,10 @@ func TestBulkRenew_PartialFailure_ReportsBoth(t *testing.T) {
 	svc := &mockBulkRenewalService{
 		BulkRenewFn: func(ctx context.Context, criteria domain.BulkRenewalCriteria, actor string) (*domain.BulkRenewalResult, error) {
 			return &domain.BulkRenewalResult{
-				TotalMatched: 3,
+				TotalMatched:  3,
 				TotalEnqueued: 2,
-				TotalSkipped: 0,
-				TotalFailed:  1,
+				TotalSkipped:  0,
+				TotalFailed:   1,
 				Errors: []domain.BulkOperationError{
 					{CertificateID: "mc-failed", Error: "renewal job enqueue failed: db timeout"},
 				},

internal/api/handler/est_handler_test.go

@@ -98,12 +98,12 @@ func generateTestCertPEM(t *testing.T) string {
 		t.Fatalf("failed to generate key: %v", err)
 	}
 	template := &x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject:      pkix.Name{CommonName: "Test CA"},
-		NotBefore:    time.Now().Add(-1 * time.Hour),
-		NotAfter:     time.Now().Add(24 * time.Hour),
-		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
-		IsCA:         true,
+		SerialNumber:          big.NewInt(1),
+		Subject:               pkix.Name{CommonName: "Test CA"},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		IsCA:                  true,
 		BasicConstraintsValid: true,
 	}
 	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)

internal/api/handler/export.go

@@ -1,11 +1,11 @@
 package handler
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
-	"errors"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"github.com/shankar0123/certctl/internal/repository"
 	"log/slog"
 	"net/http"
 	"strings"

internal/api/handler/health_check.go

@@ -59,12 +59,12 @@ func (h *HealthCheckHandler) ListHealthChecks(w http.ResponseWriter, r *http.Req
 	}
 
 	filter := &repository.HealthCheckFilter{
-		Status:               status,
-		CertificateID:        certificateID,
-		NetworkScanTargetID:  networkScanTargetID,
-		Enabled:              enabledFilter,
-		Page:                 page,
-		PerPage:              perPage,
+		Status:              status,
+		CertificateID:       certificateID,
+		NetworkScanTargetID: networkScanTargetID,
+		Enabled:             enabledFilter,
+		Page:                page,
+		PerPage:             perPage,
 	}
 
 	checks, total, err := h.service.List(r.Context(), filter)

internal/api/handler/issuers.go

@@ -1,10 +1,10 @@
 package handler
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
-	"errors"
 	"context"
 	"encoding/json"
+	"errors"
+	"github.com/shankar0123/certctl/internal/repository"
 	"log/slog"
 	"net/http"
 	"strconv"

internal/api/handler/jobs.go

@@ -1,10 +1,10 @@
 package handler
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"encoding/json"
 	"errors"
+	"github.com/shankar0123/certctl/internal/repository"
 	"io"
 	"net/http"
 	"strconv"

internal/api/handler/notifications.go

@@ -1,9 +1,9 @@
 package handler
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
-	"errors"
 	"context"
+	"errors"
+	"github.com/shankar0123/certctl/internal/repository"
 	"net/http"
 	"strconv"
 	"strings"

internal/api/handler/owners.go

@@ -1,10 +1,10 @@
 package handler
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
-	"errors"
 	"context"
 	"encoding/json"
+	"errors"
+	"github.com/shankar0123/certctl/internal/repository"
 	"net/http"
 	"strconv"
 	"strings"

internal/api/handler/profile_handler_test.go

@@ -237,9 +237,9 @@ func TestCreateProfile_Success(t *testing.T) {
 	}
 
 	body := map[string]interface{}{
-		"name":          "New Profile",
+		"name":            "New Profile",
 		"max_ttl_seconds": 86400,
-		"allowed_ekus":  []string{"serverAuth"},
+		"allowed_ekus":    []string{"serverAuth"},
 	}
 	bodyBytes, _ := json.Marshal(body)
 
@@ -331,7 +331,7 @@ func TestUpdateProfile_Success(t *testing.T) {
 	}
 
 	body := map[string]interface{}{
-		"name":          "Updated Profile",
+		"name":            "Updated Profile",
 		"max_ttl_seconds": 172800,
 	}
 	bodyBytes, _ := json.Marshal(body)

internal/api/handler/profiles.go

@@ -1,10 +1,10 @@
 package handler
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
-	"errors"
 	"context"
 	"encoding/json"
+	"errors"
+	"github.com/shankar0123/certctl/internal/repository"
 	"net/http"
 	"strconv"
 	"strings"

internal/api/handler/renewal_policy.go

@@ -1,10 +1,10 @@
 package handler
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"encoding/json"
 	"errors"
+	"github.com/shankar0123/certctl/internal/repository"
 	"net/http"
 	"strconv"
 	"strings"

internal/api/handler/renewal_policy_handler_test.go

@@ -26,11 +26,11 @@ import (
 
 // MockRenewalPolicyService is a mock implementation of RenewalPolicyService.
 type MockRenewalPolicyService struct {
-	ListRenewalPoliciesFn  func(page, perPage int) ([]domain.RenewalPolicy, int64, error)
-	GetRenewalPolicyFn     func(id string) (*domain.RenewalPolicy, error)
-	CreateRenewalPolicyFn  func(rp domain.RenewalPolicy) (*domain.RenewalPolicy, error)
-	UpdateRenewalPolicyFn  func(id string, rp domain.RenewalPolicy) (*domain.RenewalPolicy, error)
-	DeleteRenewalPolicyFn  func(id string) error
+	ListRenewalPoliciesFn func(page, perPage int) ([]domain.RenewalPolicy, int64, error)
+	GetRenewalPolicyFn    func(id string) (*domain.RenewalPolicy, error)
+	CreateRenewalPolicyFn func(rp domain.RenewalPolicy) (*domain.RenewalPolicy, error)
+	UpdateRenewalPolicyFn func(id string, rp domain.RenewalPolicy) (*domain.RenewalPolicy, error)
+	DeleteRenewalPolicyFn func(id string) error
 }
 
 func (m *MockRenewalPolicyService) ListRenewalPolicies(_ context.Context, page, perPage int) ([]domain.RenewalPolicy, int64, error) {
@@ -199,11 +199,11 @@ func TestCreateRenewalPolicy_Success(t *testing.T) {
 	}
 
 	body := map[string]interface{}{
-		"name":                  "New Policy",
-		"renewal_window_days":   30,
-		"max_retries":           3,
+		"name":                   "New Policy",
+		"renewal_window_days":    30,
+		"max_retries":            3,
 		"retry_interval_seconds": 3600,
-		"auto_renew":            true,
+		"auto_renew":             true,
 	}
 	bodyBytes, _ := json.Marshal(body)
 
@@ -221,8 +221,8 @@ func TestCreateRenewalPolicy_Success(t *testing.T) {
 
 func TestCreateRenewalPolicy_MissingName(t *testing.T) {
 	body := map[string]interface{}{
-		"renewal_window_days":   30,
-		"max_retries":           3,
+		"renewal_window_days":    30,
+		"max_retries":            3,
 		"retry_interval_seconds": 3600,
 	}
 	bodyBytes, _ := json.Marshal(body)
@@ -261,9 +261,9 @@ func TestCreateRenewalPolicy_DuplicateName(t *testing.T) {
 	}
 
 	body := map[string]interface{}{
-		"name":                  "Duplicate",
-		"renewal_window_days":   30,
-		"max_retries":           3,
+		"name":                   "Duplicate",
+		"renewal_window_days":    30,
+		"max_retries":            3,
 		"retry_interval_seconds": 3600,
 	}
 	bodyBytes, _ := json.Marshal(body)
@@ -308,11 +308,11 @@ func TestUpdateRenewalPolicy_Success(t *testing.T) {
 	}
 
 	body := map[string]interface{}{
-		"name":                  "Updated Policy",
-		"renewal_window_days":   45,
-		"max_retries":           5,
+		"name":                   "Updated Policy",
+		"renewal_window_days":    45,
+		"max_retries":            5,
 		"retry_interval_seconds": 1800,
-		"auto_renew":            true,
+		"auto_renew":             true,
 	}
 	bodyBytes, _ := json.Marshal(body)
 
@@ -336,9 +336,9 @@ func TestUpdateRenewalPolicy_NotFound(t *testing.T) {
 	}
 
 	body := map[string]interface{}{
-		"name":                  "Updated",
-		"renewal_window_days":   30,
-		"max_retries":           3,
+		"name":                   "Updated",
+		"renewal_window_days":    30,
+		"max_retries":            3,
 		"retry_interval_seconds": 3600,
 	}
 	bodyBytes, _ := json.Marshal(body)

internal/api/handler/response_test.go

@@ -346,8 +346,8 @@ func TestCursorPagedResponse_EmptyNextCursor(t *testing.T) {
 
 func TestFilterFields_SingleObject(t *testing.T) {
 	data := map[string]interface{}{
-		"id":    "cert-123",
-		"name":  "My Cert",
+		"id":     "cert-123",
+		"name":   "My Cert",
 		"expiry": "2025-01-01",
 		"status": "active",
 	}
@@ -379,8 +379,8 @@ func TestFilterFields_SingleObject(t *testing.T) {
 func TestFilterFields_EmptyFields(t *testing.T) {
 	// Empty fields list should return data unchanged
 	data := map[string]interface{}{
-		"id":    "cert-123",
-		"name":  "My Cert",
+		"id":   "cert-123",
+		"name": "My Cert",
 	}
 
 	result := filterFields(data, []string{})
@@ -398,8 +398,8 @@ func TestFilterFields_EmptyFields(t *testing.T) {
 
 func TestFilterFields_NoMatchingFields(t *testing.T) {
 	data := map[string]interface{}{
-		"id":    "cert-123",
-		"name":  "My Cert",
+		"id":   "cert-123",
+		"name": "My Cert",
 	}
 
 	result := filterFields(data, []string{"nonexistent", "also-not-there"})

internal/api/handler/validation_test.go

@@ -333,7 +333,7 @@ func TestValidateCSRPEM_InvalidInputs(t *testing.T) {
 // TestValidatePolicyType_ValidTypes tests valid policy types.
 func TestValidatePolicyType_ValidTypes(t *testing.T) {
 	validTypes := []struct {
-		name string
+		name  string
 		ptype interface{}
 	}{
 		{

internal/api/handler/verification.go

@@ -97,8 +97,8 @@ func (h VerificationHandler) VerifyDeployment(w http.ResponseWriter, r *http.Req
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
 	json.NewEncoder(w).Encode(map[string]interface{}{
-		"job_id":   jobID,
-		"verified": req.Verified,
+		"job_id":      jobID,
+		"verified":    req.Verified,
 		"verified_at": result.VerifiedAt,
 	})
 }