chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in ci-pipeline-cleanup Phase 4, commit 0f205a8) surfaced 111 files with accumulated gofmt drift across cmd/, internal/, and deploy/test/. Each file's diff is gofmt-standard: whitespace adjustments, intra- group import sorting (alphabetical by import path within blank-line- separated groups), and struct-tag column alignment. No semantic changes — verified via 'git diff --ignore-all-space' which shows only the line-position deltas from import reordering. The gate stays in place after this commit. Going forward it catches gofmt drift at PR time.
2026-06-07 15:01:32 +00:00 · 2026-04-30 22:33:57 +00:00
parent e2298c8222
commit 7cb453a336
111 changed files with 761 additions and 770 deletions
@@ -20,10 +20,10 @@ import (

 // mockSMClient is a mock implementation of SMClient for testing.
 type mockSMClient struct {
-	secrets          map[string]string            // secret name -> secret value
-	secretMetadata   map[string]SecretMetadata    // secret name -> metadata
-	listError        error
-	getErrors        map[string]error // secret name -> error
+	secrets        map[string]string         // secret name -> secret value
+	secretMetadata map[string]SecretMetadata // secret name -> metadata
+	listError      error
+	getErrors      map[string]error // secret name -> error
 }

 func newMockSMClient() *mockSMClient {
@@ -369,4 +369,3 @@ func TestSource_Discover_AgentIDAndSourcePath(t *testing.T) {
 		t.Errorf("expected source path 'aws-sm://eu-west-1/my-secret', got %s", report.Certificates[0].SourcePath)
 	}
 }
-
@@ -69,10 +69,10 @@ type certificateListResponse struct {
 	Value []struct {
 		ID         string `json:"id"`
 		Attributes struct {
-			Enabled int64  `json:"enabled"`
-			Created int64  `json:"created"`
-			Updated int64  `json:"updated"`
-			Exp     int64  `json:"exp"`
+			Enabled int64 `json:"enabled"`
+			Created int64 `json:"created"`
+			Updated int64 `json:"updated"`
+			Exp     int64 `json:"exp"`
 		} `json:"attributes,omitempty"`
 		Tags map[string]string `json:"tags,omitempty"`
 	} `json:"value"`
@@ -84,10 +84,10 @@ type certificateBundle struct {
 	ID         string `json:"id"`
 	CER        string `json:"cer"`
 	Attributes struct {
-		Enabled int64  `json:"enabled"`
-		Created int64  `json:"created"`
-		Updated int64  `json:"updated"`
-		Exp     int64  `json:"exp"`
+		Enabled int64 `json:"enabled"`
+		Created int64 `json:"created"`
+		Updated int64 `json:"updated"`
+		Exp     int64 `json:"exp"`
 	} `json:"attributes,omitempty"`
 }

@@ -170,10 +170,10 @@ func (s *Source) Discover(ctx context.Context) (*domain.DiscoveryReport, error)
 	s.logger.Info("starting Azure Key Vault discovery", "vault_url", s.config.VaultURL)

 	report := &domain.DiscoveryReport{
-		AgentID:     "cloud-azure-kv",
-		Directories: []string{fmt.Sprintf("azure-kv://%s/", s.config.VaultURL)},
+		AgentID:      "cloud-azure-kv",
+		Directories:  []string{fmt.Sprintf("azure-kv://%s/", s.config.VaultURL)},
 		Certificates: []domain.DiscoveredCertEntry{},
-		Errors:      []string{},
+		Errors:       []string{},
 	}

 	startTime := time.Now()
@@ -82,7 +82,7 @@ func generateTestCertificate(cn string, expire time.Duration) (*x509.Certificate
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageServerAuth,
 		},
-		DNSNames:    []string{"example.com", "*.example.com"},
+		DNSNames:       []string{"example.com", "*.example.com"},
 		EmailAddresses: []string{"test@example.com"},
 	}

@@ -798,9 +798,9 @@ func TestValidateConfig_DNSPersistIssuerDomainRequired(t *testing.T) {

 	c := New(nil, testLogger())
 	cfg, _ := json.Marshal(map[string]string{
-		"directory_url":     srv.URL,
-		"email":             "test@example.com",
-		"challenge_type":    "dns-persist-01",
+		"directory_url":      srv.URL,
+		"email":              "test@example.com",
+		"challenge_type":     "dns-persist-01",
 		"dns_present_script": "/tmp/script.sh",
 		// Missing dns_persist_issuer_domain
 	})
@@ -870,9 +870,9 @@ func TestValidateConfig_DNS01WithPresentScript(t *testing.T) {

 	c := New(nil, testLogger())
 	cfg, _ := json.Marshal(map[string]string{
-		"directory_url":     srv.URL,
-		"email":             "test@example.com",
-		"challenge_type":    "dns-01",
+		"directory_url":      srv.URL,
+		"email":              "test@example.com",
+		"challenge_type":     "dns-01",
 		"dns_present_script": "/bin/sh",
 		"dns_cleanup_script": "/bin/sh",
 	})
@@ -897,10 +897,10 @@ func TestValidateConfig_DNSPersist01WithAllFields(t *testing.T) {

 	c := New(nil, testLogger())
 	cfg, _ := json.Marshal(map[string]string{
-		"directory_url":           srv.URL,
-		"email":                   "test@example.com",
-		"challenge_type":          "dns-persist-01",
-		"dns_present_script":      "/bin/sh",
+		"directory_url":             srv.URL,
+		"email":                     "test@example.com",
+		"challenge_type":            "dns-persist-01",
+		"dns_present_script":        "/bin/sh",
 		"dns_persist_issuer_domain": "letsencrypt.org",
 	})

@@ -74,8 +74,8 @@ func TestGetRenewalInfo_NotFound(t *testing.T) {
 		if r.URL.Path == "/directory" && r.Method == http.MethodGet {
 			w.Header().Set("Content-Type", "application/json")
 			json.NewEncoder(w).Encode(map[string]string{
-				"newOrder":    "/acme/new-order",
-				"newAccount":  "/acme/new-account",
+				"newOrder":   "/acme/new-order",
+				"newAccount": "/acme/new-account",
 			})
 			return
 		}
@@ -115,8 +115,8 @@ func TestGetRenewalInfo_ServerError(t *testing.T) {
 		if r.URL.Path == "/directory" && r.Method == http.MethodGet {
 			w.Header().Set("Content-Type", "application/json")
 			json.NewEncoder(w).Encode(map[string]string{
-				"newOrder":    "/acme/new-order",
-				"newAccount":  "/acme/new-account",
+				"newOrder":   "/acme/new-order",
+				"newAccount": "/acme/new-account",
 			})
 			return
 		}
@@ -106,7 +106,7 @@ type pebbleMockServer struct {
 	idSeq    int64
 	// Behavior toggles for failure-mode tests.
 	failNewAccount   bool
-	rateLimitedOrder int32 // atomic counter; non-zero ⇒ first N orders return 429
+	rateLimitedOrder int32  // atomic counter; non-zero ⇒ first N orders return 429
 	finalizeReturns  string // "" (default), "processing-stuck", "invalid"
 	authzPending     bool   // when true, new authzs start as "pending" and only flip to "valid" after the challenge endpoint is POSTed
 	challengeType    string // when set, the per-authz challenge type emitted (default "http-01")
@@ -990,12 +990,12 @@ func TestPebbleMock_ContextCancel_DuringIssuance(t *testing.T) {
 // ─────────────────────────────────────────────────────────────────────────────

 type mockDNSSolver struct {
-	mu              sync.Mutex
-	presented       map[string]string // domain → keyAuth (or recordValue)
-	cleanedUp       map[string]bool
-	presentErr      error
-	cleanErr        error
-	presentDelay    time.Duration
+	mu           sync.Mutex
+	presented    map[string]string // domain → keyAuth (or recordValue)
+	cleanedUp    map[string]bool
+	presentErr   error
+	cleanErr     error
+	presentDelay time.Duration
 }

 func newMockDNSSolver() *mockDNSSolver {
@@ -249,4 +249,3 @@ func signJWS(key *ecdsa.PrivateKey, kid, nonce, targetURL string, payload []byte

 	return json.Marshal(jws)
 }
-
@@ -105,9 +105,9 @@ type GetCertificateOutput struct {

 // RevokeCertificateInput represents the request to revoke a certificate.
 type RevokeCertificateInput struct {
-	CAArn               string
-	CertificateSerial   string
-	RevocationReason    string
+	CAArn             string
+	CertificateSerial string
+	RevocationReason  string
 }

 // GetCACertificateInput represents the request to retrieve the CA certificate.
@@ -395,14 +395,14 @@ func mapRevocationReason(reason *string) string {
 	}

 	reasonMap := map[string]string{
-		"unspecified":           "UNSPECIFIED",
-		"keyCompromise":         "KEY_COMPROMISE",
-		"caCompromise":          "CERTIFICATE_AUTHORITY_COMPROMISE",
-		"affiliationChanged":    "AFFILIATION_CHANGED",
-		"superseded":            "SUPERSEDED",
-		"cessationOfOperation":  "CESSATION_OF_OPERATION",
-		"certificateHold":       "CERTIFICATE_HOLD",
-		"privilegeWithdrawn":    "PRIVILEGE_WITHDRAWN",
+		"unspecified":          "UNSPECIFIED",
+		"keyCompromise":        "KEY_COMPROMISE",
+		"caCompromise":         "CERTIFICATE_AUTHORITY_COMPROMISE",
+		"affiliationChanged":   "AFFILIATION_CHANGED",
+		"superseded":           "SUPERSEDED",
+		"cessationOfOperation": "CESSATION_OF_OPERATION",
+		"certificateHold":      "CERTIFICATE_HOLD",
+		"privilegeWithdrawn":   "PRIVILEGE_WITHDRAWN",
 	}

 	if mapped, ok := reasonMap[*reason]; ok {
@@ -22,15 +22,15 @@ import (

 // mockACMPCAClient implements the ACMPCAClient interface for testing.
 type mockACMPCAClient struct {
-	issueCertificateErr    error
-	getCertificateErr      error
-	revokeCertificateErr   error
-	getCACertificateErr    error
-	issuedCertPEM          string
-	issuedChainPEM         string
-	caCertPEM              string
-	caCertChainPEM         string
-	lastIssueCertificateInput *awsacmpca.IssueCertificateInput
+	issueCertificateErr        error
+	getCertificateErr          error
+	revokeCertificateErr       error
+	getCACertificateErr        error
+	issuedCertPEM              string
+	issuedChainPEM             string
+	caCertPEM                  string
+	caCertChainPEM             string
+	lastIssueCertificateInput  *awsacmpca.IssueCertificateInput
 	lastRevokeCertificateInput *awsacmpca.RevokeCertificateInput
 }

@@ -90,9 +90,9 @@ func New(config *Config, logger *slog.Logger) *Connector {

 // orderRequest is the JSON body for DigiCert certificate order submission.
 type orderRequest struct {
-	Certificate   orderCert   `json:"certificate"`
-	Organization  orderOrg    `json:"organization"`
-	ValidityYears int         `json:"validity_years"`
+	Certificate   orderCert `json:"certificate"`
+	Organization  orderOrg  `json:"organization"`
+	ValidityYears int       `json:"validity_years"`
 }

 type orderCert struct {
@@ -162,7 +162,7 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
 	csrBase64 := base64.StdEncoding.EncodeToString(csrBlock.Bytes)

 	enrollReq := map[string]interface{}{
-		"certificate_request":      csrBase64,
+		"certificate_request":        csrBase64,
 		"certificate_authority_name": c.config.CAName,
 	}

@@ -175,7 +175,7 @@ func TestEJBCAConnector(t *testing.T) {
 				w.Header().Set("Content-Type", "application/json")

 				respData := map[string]interface{}{
-					"certificate":      base64.StdEncoding.EncodeToString(certBlock.Bytes),
+					"certificate":       base64.StdEncoding.EncodeToString(certBlock.Bytes),
 					"certificate_chain": []string{base64.StdEncoding.EncodeToString(chainBlock.Bytes)},
 					"serial_number":     "123456",
 				}
@@ -242,7 +242,7 @@ func TestEJBCAConnector(t *testing.T) {
 				w.WriteHeader(http.StatusOK)
 				w.Header().Set("Content-Type", "application/json")
 				respData := map[string]interface{}{
-					"certificate":      base64.StdEncoding.EncodeToString(certBlock.Bytes),
+					"certificate":       base64.StdEncoding.EncodeToString(certBlock.Bytes),
 					"certificate_chain": []string{},
 					"serial_number":     "789012",
 				}
@@ -314,7 +314,7 @@ func TestEJBCAConnector(t *testing.T) {
 				w.WriteHeader(http.StatusOK)
 				w.Header().Set("Content-Type", "application/json")
 				respData := map[string]interface{}{
-					"certificate":      base64.StdEncoding.EncodeToString(certBlock.Bytes),
+					"certificate":       base64.StdEncoding.EncodeToString(certBlock.Bytes),
 					"certificate_chain": []string{},
 					"serial_number":     "123456",
 				}
@@ -356,7 +356,7 @@ func TestEJBCAConnector(t *testing.T) {
 				w.WriteHeader(http.StatusOK)
 				w.Header().Set("Content-Type", "application/json")
 				respData := map[string]interface{}{
-					"certificate":      base64.StdEncoding.EncodeToString(certBlock.Bytes),
+					"certificate":       base64.StdEncoding.EncodeToString(certBlock.Bytes),
 					"certificate_chain": []string{},
 					"serial_number":     "654321",
 				}
@@ -89,9 +89,9 @@ func NewWithHTTPClient(config *Config, logger *slog.Logger, client *http.Client)

 // enrollmentRequest is the JSON body for Entrust enrollment submission.
 type enrollmentRequest struct {
-	CSR                 string `json:"csr"`
-	ProfileId           string `json:"profileId,omitempty"`
-	SubjectAltNames     []san  `json:"subjectAltNames,omitempty"`
+	CSR                  string `json:"csr"`
+	ProfileId            string `json:"profileId,omitempty"`
+	SubjectAltNames      []san  `json:"subjectAltNames,omitempty"`
 	CertificateAuthority string `json:"certificateAuthority,omitempty"`
 }

@@ -107,9 +107,9 @@ func NewWithHTTPClient(config *Config, logger *slog.Logger, client *http.Client)

 // certificateRequest is the JSON body for GlobalSign certificate order submission.
 type certificateRequest struct {
-	CSR      string            `json:"csr"`
+	CSR       string           `json:"csr"`
 	SubjectDN subjectDNRequest `json:"subject_dn"`
-	SAN      sanRequest        `json:"san,omitempty"`
+	SAN       sanRequest       `json:"san,omitempty"`
 }

 type subjectDNRequest struct {
@@ -93,10 +93,10 @@ type Connector struct {
 	httpClient *http.Client

 	// OAuth2 token caching
-	mu          sync.Mutex
-	tokenCache  *cachedToken
-	saKey       *serviceAccountKey
-	rsaKey      *rsa.PrivateKey
+	mu         sync.Mutex
+	tokenCache *cachedToken
+	saKey      *serviceAccountKey
+	rsaKey     *rsa.PrivateKey
 }

 // New creates a new Google CAS connector with the given configuration and logger.
@@ -479,9 +479,9 @@ func (c *Connector) parseCertificate(certPEM []byte) (*x509.Certificate, string,
 // Format: [{"serial": "...", "revoked_at": "...", "reason_code": ...}, ...]
 func (c *Connector) marshalRevokedSerials(revokedCerts []issuer.RevokedCertEntry) ([]byte, error) {
 	type RevokedEntry struct {
-		Serial      string `json:"serial"`
-		RevokedAt   string `json:"revoked_at"`
-		ReasonCode  int    `json:"reason_code"`
+		Serial     string `json:"serial"`
+		RevokedAt  string `json:"revoked_at"`
+		ReasonCode int    `json:"reason_code"`
 	}

 	entries := make([]RevokedEntry, len(revokedCerts))
@@ -643,7 +643,7 @@ func generateTestCSR(cn string) (*x509.CertificateRequest, string, error) {
 	}

 	csrTemplate := x509.CertificateRequest{
-		Subject: subject,
+		Subject:  subject,
 		DNSNames: []string{cn, "www." + cn},
 	}

@@ -168,9 +168,9 @@ type signRequest struct {

 // signResponse is the JSON response from the step-ca /sign endpoint.
 type signResponse struct {
-	ServerPEM certificateChain `json:"serverPEM,omitempty"`
-	CaPEM     certificateChain `json:"caPEM,omitempty"`
-	CertChainPEM []certBlock  `json:"certChainPEM,omitempty"`
+	ServerPEM    certificateChain `json:"serverPEM,omitempty"`
+	CaPEM        certificateChain `json:"caPEM,omitempty"`
+	CertChainPEM []certBlock      `json:"certChainPEM,omitempty"`
 }

 type certificateChain struct {
@@ -380,14 +380,14 @@ func (c *Connector) generateProvisionerToken(subject string, sans []string) (str

 	// step-ca expects: aud = <ca-url>/1.0/sign (the sign endpoint audience)
 	claims := map[string]interface{}{
-		"sub":  subject,
-		"iss":  c.config.ProvisionerName,
-		"aud":  c.config.CAURL + "/1.0/sign",
-		"nbf":  now.Unix(),
-		"iat":  now.Unix(),
-		"exp":  now.Add(5 * time.Minute).Unix(),
-		"jti":  generateJTI(),
-		"sha":  kid, // step-ca uses this to look up the provisioner by key fingerprint
+		"sub": subject,
+		"iss": c.config.ProvisionerName,
+		"aud": c.config.CAURL + "/1.0/sign",
+		"nbf": now.Unix(),
+		"iat": now.Unix(),
+		"exp": now.Add(5 * time.Minute).Unix(),
+		"jti": generateJTI(),
+		"sha": kid, // step-ca uses this to look up the provisioner by key fingerprint
 	}

 	if len(sans) > 0 {
@@ -1574,9 +1574,9 @@ func TestLoadProvisionerKey_FileNotReadable(t *testing.T) {

 	// Test with a provisioner key path that can't be read
 	config := stepca.Config{
-		CAURL:              srv.URL,
-		ProvisionerName:    "test-provisioner",
-		ProvisionerKeyPath: "/root/.ssh/no_such_key", // Permission denied or doesn't exist
+		CAURL:               srv.URL,
+		ProvisionerName:     "test-provisioner",
+		ProvisionerKeyPath:  "/root/.ssh/no_such_key", // Permission denied or doesn't exist
 		ProvisionerPassword: "password",
 	}

@@ -1770,4 +1770,3 @@ func TestIntegration_FullLifecycle(t *testing.T) {
 		t.Errorf("Expected status 'completed', got '%s'", status.Status)
 	}
 }
-
@@ -86,9 +86,9 @@ func New(config *Config, logger *slog.Logger) *Connector {

 // vaultResponse is the standard Vault API response wrapper.
 type vaultResponse struct {
-	Data    json.RawMessage `json:"data"`
-	Errors  []string        `json:"errors,omitempty"`
-	Warnings []string       `json:"warnings,omitempty"`
+	Data     json.RawMessage `json:"data"`
+	Errors   []string        `json:"errors,omitempty"`
+	Warnings []string        `json:"warnings,omitempty"`
 }

 // signData holds the data returned from the /sign endpoint.
@@ -88,11 +88,11 @@ func TestEmail_ValidateConfig_MissingPort(t *testing.T) {

 func TestEmail_ValidateConfig_MissingFromAddress(t *testing.T) {
 	cfg := &Config{
-		SMTPHost:   "smtp.example.com",
-		SMTPPort:   587,
-		Username:   "user",
-		Password:   "pass",
-		UseTLS:     true,
+		SMTPHost: "smtp.example.com",
+		SMTPPort: 587,
+		Username: "user",
+		Password: "pass",
+		UseTLS:   true,
 	}

 	rawConfig, _ := json.Marshal(cfg)
@@ -19,11 +19,11 @@ import (
 // to a directory that Envoy watches via its SDS (Secret Discovery Service)
 // file-based configuration or static filename references in the bootstrap config.
 type Config struct {
-	CertDir       string `json:"cert_dir"`        // Directory where Envoy watches for cert files (required)
-	CertFilename  string `json:"cert_filename"`   // Filename for certificate (default: cert.pem)
-	KeyFilename   string `json:"key_filename"`    // Filename for private key (default: key.pem)
-	ChainFilename string `json:"chain_filename"`  // Optional filename for chain (if set, chain written separately)
-	SDSConfig     bool   `json:"sds_config"`      // If true, write an SDS discovery JSON file for file-based SDS
+	CertDir       string `json:"cert_dir"`       // Directory where Envoy watches for cert files (required)
+	CertFilename  string `json:"cert_filename"`  // Filename for certificate (default: cert.pem)
+	KeyFilename   string `json:"key_filename"`   // Filename for private key (default: key.pem)
+	ChainFilename string `json:"chain_filename"` // Optional filename for chain (if set, chain written separately)
+	SDSConfig     bool   `json:"sds_config"`     // If true, write an SDS discovery JSON file for file-based SDS
 }

 // SDSResource represents an Envoy SDS tls_certificate resource for file-based SDS.
@@ -34,9 +34,9 @@ type SDSResource struct {

 // SDSTLSCertificate represents a single SDS tls_certificate entry.
 type SDSTLSCertificate struct {
-	Type            string         `json:"@type"`
-	Name            string         `json:"name"`
-	TLSCertificate  TLSCertificate `json:"tls_certificate"`
+	Type           string         `json:"@type"`
+	Name           string         `json:"name"`
+	TLSCertificate TLSCertificate `json:"tls_certificate"`
 }

 // TLSCertificate contains the file paths for cert and key in Envoy's SDS format.
@@ -457,13 +457,13 @@ func (c *Connector) DeployCertificate(ctx context.Context, request target.Deploy
 		Message:       "Certificate uploaded and SSL profile updated via iControl REST",
 		DeployedAt:    time.Now(),
 		Metadata: map[string]string{
-			"host":             c.config.Host,
-			"partition":        c.config.Partition,
-			"ssl_profile":      c.config.SSLProfile,
-			"cert_object_name": certName,
-			"key_object_name":  keyName,
+			"host":              c.config.Host,
+			"partition":         c.config.Partition,
+			"ssl_profile":       c.config.SSLProfile,
+			"cert_object_name":  certName,
+			"key_object_name":   keyName,
 			"chain_object_name": chainName,
-			"duration_ms":      fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
+			"duration_ms":       fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
 		},
 	}, nil
 }
@@ -561,12 +561,12 @@ func (c *Connector) ValidateDeployment(ctx context.Context, request target.Valid
 		Message:       fmt.Sprintf("SSL profile %q has cert %q configured", c.config.SSLProfile, profile.Cert),
 		ValidatedAt:   time.Now(),
 		Metadata: map[string]string{
-			"host":        c.config.Host,
-			"ssl_profile": c.config.SSLProfile,
-			"current_cert": profile.Cert,
-			"current_key":  profile.Key,
+			"host":          c.config.Host,
+			"ssl_profile":   c.config.SSLProfile,
+			"current_cert":  profile.Cert,
+			"current_key":   profile.Key,
 			"current_chain": profile.Chain,
-			"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
+			"duration_ms":   fmt.Sprintf("%d", validationDuration.Milliseconds()),
 		},
 	}, nil
 }
@@ -25,14 +25,14 @@ type mockF5Client struct {
 	calls []mockCall

 	// Configurable responses per method
-	authenticateErr     error
-	authenticateCount   int // tracks number of Authenticate calls
-	uploadFileErr       error
-	uploadFileErrOn     string // only error when filename contains this substring
-	installCertErr      error
-	installCertErrOn    string
-	installKeyErr       error
-	createTransactionID string
+	authenticateErr      error
+	authenticateCount    int // tracks number of Authenticate calls
+	uploadFileErr        error
+	uploadFileErrOn      string // only error when filename contains this substring
+	installCertErr       error
+	installCertErrOn     string
+	installKeyErr        error
+	createTransactionID  string
 	createTransactionErr error
 	commitTransactionErr error
 	updateSSLProfileErr  error
@@ -59,9 +59,9 @@ func newWinRMExecutor(cfg *WinRMConfig) (*winrmExecutor, error) {
 		port,
 		cfg.UseHTTPS,
 		cfg.Insecure,
-		nil,  // CA cert
-		nil,  // Client cert
-		nil,  // Client key
+		nil, // CA cert
+		nil, // Client cert
+		nil, // Client key
 		timeout,
 	)

@@ -263,10 +263,10 @@ func (c *Connector) DeployCertificate(ctx context.Context, request target.Deploy
 		Message:       fmt.Sprintf("Certificate imported to %s (alias: %s, thumbprint: %s)", c.config.KeystorePath, c.config.Alias, thumbprint),
 		DeployedAt:    time.Now(),
 		Metadata: map[string]string{
-			"thumbprint":     thumbprint,
-			"alias":          c.config.Alias,
-			"keystore_type":  c.config.KeystoreType,
-			"keystore_path":  c.config.KeystorePath,
+			"thumbprint":    thumbprint,
+			"alias":         c.config.Alias,
+			"keystore_type": c.config.KeystoreType,
+			"keystore_path": c.config.KeystorePath,
 		},
 	}, nil
 }
@@ -240,7 +240,7 @@ func TestDeployCertificate_Success(t *testing.T) {

 	mock := &mockExecutor{
 		responses: []mockResponse{
-			{Output: "", Err: nil},                    // keytool -delete (alias may not exist)
+			{Output: "", Err: nil},                         // keytool -delete (alias may not exist)
 			{Output: "Import command completed", Err: nil}, // keytool -importkeystore
 		},
 	}
@@ -355,8 +355,8 @@ func TestDeployCertificate_WithReload(t *testing.T) {
 	mock := &mockExecutor{
 		responses: []mockResponse{
 			// No existing keystore → delete skipped → import is call 0, reload is call 1
-			{Output: "Imported", Err: nil},   // import
-			{Output: "restarted", Err: nil},  // reload
+			{Output: "Imported", Err: nil},  // import
+			{Output: "restarted", Err: nil}, // reload
 		},
 	}
 	c := NewWithExecutor(&Config{
@@ -391,8 +391,8 @@ func TestDeployCertificate_ReloadFailed_NonFatal(t *testing.T) {

 	mock := &mockExecutor{
 		responses: []mockResponse{
-			{Output: "", Err: nil},                        // delete
-			{Output: "Imported", Err: nil},                // import
+			{Output: "", Err: nil},                                   // delete
+			{Output: "Imported", Err: nil},                           // import
 			{Output: "Failed to restart", Err: fmt.Errorf("exit 1")}, // reload fails
 		},
 	}
@@ -21,9 +21,9 @@ import (
 // Supports in-cluster auth by default (ServiceAccount token auto-mounted) or
 // out-of-cluster auth via kubeconfig file.
 type Config struct {
-	Namespace      string            `json:"namespace"`                // Required. Kubernetes namespace.
-	SecretName     string            `json:"secret_name"`              // Required. Name of the kubernetes.io/tls Secret.
-	Labels         map[string]string `json:"labels,omitempty"`         // Optional. Additional labels to add to the Secret.
+	Namespace      string            `json:"namespace"`                 // Required. Kubernetes namespace.
+	SecretName     string            `json:"secret_name"`               // Required. Name of the kubernetes.io/tls Secret.
+	Labels         map[string]string `json:"labels,omitempty"`          // Optional. Additional labels to add to the Secret.
 	KubeconfigPath string            `json:"kubeconfig_path,omitempty"` // Optional. Path to kubeconfig for out-of-cluster auth.
 }

@@ -93,7 +93,7 @@ func (m *mockK8sClient) DeleteSecret(ctx context.Context, namespace, name string

 func TestValidateConfig_Success_MinimalConfig(t *testing.T) {
 	cfg := map[string]interface{}{
-		"namespace":  "default",
+		"namespace":   "default",
 		"secret_name": "my-cert",
 	}

@@ -644,4 +644,3 @@ func contains(s, substr string) bool {
 	}
 	return false
 }
-
@@ -411,9 +411,9 @@ func (c *realSSHClient) Connect(ctx context.Context) error {
 	}

 	sshConfig := &ssh.ClientConfig{
-		User:            c.config.User,
-		Auth:            authMethods,
-		Timeout:         time.Duration(c.config.Timeout) * time.Second,
+		User:    c.config.User,
+		Auth:    authMethods,
+		Timeout: time.Duration(c.config.Timeout) * time.Second,
 		// InsecureIgnoreHostKey is used intentionally: certctl deploys to known
 		// infrastructure (the operator explicitly configures each target host).
 		// This is the same security rationale as network scanner's InsecureSkipVerify
@@ -42,15 +42,15 @@ type fakeSSHServer struct {
 	user     string
 	password string

-	wg       sync.WaitGroup
-	mu       sync.Mutex
-	closed   bool
+	wg     sync.WaitGroup
+	mu     sync.Mutex
+	closed bool

 	// Optional behaviour toggles for failure-mode tests.
-	rejectAuth      bool   // reject all auth attempts (auth failure path)
-	dropOnHandshake bool   // close conn before SSH NewServerConn returns (handshake failure)
-	failExec        bool   // exec sessions return non-zero exit (Execute error path)
-	failSFTP        bool   // refuse sftp subsystem (SFTP failure path)
+	rejectAuth      bool // reject all auth attempts (auth failure path)
+	dropOnHandshake bool // close conn before SSH NewServerConn returns (handshake failure)
+	failExec        bool // exec sessions return non-zero exit (Execute error path)
+	failSFTP        bool // refuse sftp subsystem (SFTP failure path)
 }

 // startFakeSSHServer binds a fresh server on a random local port and returns
@@ -310,4 +310,3 @@ func (c *Connector) ValidateDeployment(ctx context.Context, request target.Valid

 // Ensure Connector implements target.Connector.
 var _ target.Connector = (*Connector)(nil)
-
@@ -26,10 +26,10 @@ func testLogger() *slog.Logger {

 // mockExecutor records PowerShell scripts and returns configurable responses.
 type mockExecutor struct {
-	scripts    []string
-	responses  []string
-	errors     []error
-	callIndex  int
+	scripts   []string
+	responses []string
+	errors    []error
+	callIndex int
 }

 func (m *mockExecutor) Execute(ctx context.Context, script string) (string, error) {