chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in
ci-pipeline-cleanup Phase 4, commit 0f205a8) surfaced 111 files
with accumulated gofmt drift across cmd/, internal/, and deploy/test/.

Each file's diff is gofmt-standard: whitespace adjustments, intra-
group import sorting (alphabetical by import path within blank-line-
separated groups), and struct-tag column alignment. No semantic
changes — verified via 'git diff --ignore-all-space' which shows only
the line-position deltas from import reordering.

The gate stays in place after this commit. Going forward it catches
gofmt drift at PR time.

internal/repository/postgres/agent.go

@@ -1,10 +1,10 @@
 package postgres
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"database/sql"
 	"fmt"
+	"github.com/shankar0123/certctl/internal/repository"
 	"time"
 
 	"github.com/google/uuid"

internal/repository/postgres/agent_group.go

@@ -1,10 +1,10 @@
 package postgres
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"database/sql"
 	"fmt"
+	"github.com/shankar0123/certctl/internal/repository"
 	"time"
 
 	"github.com/shankar0123/certctl/internal/domain"

internal/repository/postgres/db_test.go

@@ -52,11 +52,11 @@ func TestWrapPingError_AuthFailureGuidance(t *testing.T) {
 
 	// Contract elements — the operator-facing string is what we ship.
 	wantSubstrings := []string{
-		"SQLSTATE 28P01",                       // operators grep on this
-		"POSTGRES_PASSWORD",                    // names the variable that traps
-		"first boot",                           // the mechanism in plain language
-		"down -v",                              // destructive remediation
-		"ALTER ROLE",                           // non-destructive remediation
+		"SQLSTATE 28P01",    // operators grep on this
+		"POSTGRES_PASSWORD", // names the variable that traps
+		"first boot",        // the mechanism in plain language
+		"down -v",           // destructive remediation
+		"ALTER ROLE",        // non-destructive remediation
 	}
 	for _, s := range wantSubstrings {
 		if !strings.Contains(got, s) {

internal/repository/postgres/health_check_test.go

@@ -235,8 +235,8 @@ func TestHealthCheckRepository_ListDueForCheck(t *testing.T) {
 	ctx := context.Background()
 
 	now := time.Now().UTC().Truncate(time.Microsecond)
-	pastDue := now.Add(-10 * time.Minute)   // > 300s ago, enabled → due
-	recent := now.Add(-30 * time.Second)    // < 300s ago, enabled → not due
+	pastDue := now.Add(-10 * time.Minute) // > 300s ago, enabled → due
+	recent := now.Add(-30 * time.Second)  // < 300s ago, enabled → not due
 
 	// (a) enabled + null last_checked_at — NULLS FIRST puts this first
 	a := newHealthCheck("hc-due-a", "a.example.com:443", domain.HealthStatusUnknown, true)

internal/repository/postgres/issuer.go

@@ -1,10 +1,10 @@
 package postgres
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"database/sql"
 	"fmt"
+	"github.com/shankar0123/certctl/internal/repository"
 
 	"github.com/google/uuid"
 	"github.com/shankar0123/certctl/internal/domain"

internal/repository/postgres/job.go

@@ -1,10 +1,10 @@
 package postgres
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"database/sql"
 	"fmt"
+	"github.com/shankar0123/certctl/internal/repository"
 	"time"
 
 	"github.com/google/uuid"

internal/repository/postgres/network_scan.go

@@ -1,10 +1,10 @@
 package postgres
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"database/sql"
 	"fmt"
+	"github.com/shankar0123/certctl/internal/repository"
 	"time"
 
 	"github.com/lib/pq"

internal/repository/postgres/owner.go

@@ -1,10 +1,10 @@
 package postgres
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"database/sql"
 	"fmt"
+	"github.com/shankar0123/certctl/internal/repository"
 
 	"github.com/google/uuid"
 	"github.com/shankar0123/certctl/internal/domain"

internal/repository/postgres/repo_test.go

@@ -319,7 +319,7 @@ func TestCertificateRepository_GetExpiringCertificates(t *testing.T) {
 			ID: tc.id, Name: tc.id, CommonName: tc.id + ".example.com",
 			SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
 			IssuerID: issuerID, RenewalPolicyID: policyID,
-			Status: domain.CertificateStatusActive,
+			Status:    domain.CertificateStatusActive,
 			ExpiresAt: tc.expires, Tags: map[string]string{},
 			CreatedAt: now, UpdatedAt: now,
 		}
@@ -780,7 +780,7 @@ func TestJobRepository_CRUD(t *testing.T) {
 		ID: "mc-job-test", Name: "job-test", CommonName: "job.example.com",
 		SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
 		IssuerID: issuerID, RenewalPolicyID: policyID,
-		Status: domain.CertificateStatusActive,
+		Status:    domain.CertificateStatusActive,
 		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
 		CreatedAt: now, UpdatedAt: now,
 	}
@@ -871,7 +871,7 @@ func TestRevocationRepository_CRUD(t *testing.T) {
 		ID: "mc-rev-test", Name: "rev-test", CommonName: "rev.example.com",
 		SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
 		IssuerID: issuerID, RenewalPolicyID: policyID,
-		Status: domain.CertificateStatusRevoked,
+		Status:    domain.CertificateStatusRevoked,
 		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
 		CreatedAt: now, UpdatedAt: now,
 	}
@@ -1250,12 +1250,12 @@ func TestProfileRepository_CRUD(t *testing.T) {
 			{Algorithm: "RSA", MinSize: 2048},
 			{Algorithm: "ECDSA", MinSize: 256},
 		},
-		MaxTTLSeconds:     86400,
-		AllowedEKUs:       []string{"serverAuth"},
-		AllowShortLived:   false,
-		Enabled:           true,
-		CreatedAt:         now,
-		UpdatedAt:         now,
+		MaxTTLSeconds:   86400,
+		AllowedEKUs:     []string{"serverAuth"},
+		AllowShortLived: false,
+		Enabled:         true,
+		CreatedAt:       now,
+		UpdatedAt:       now,
 	}
 
 	if err := repo.Create(ctx, profile); err != nil {
@@ -1306,7 +1306,7 @@ func TestNotificationRepository_CRUD(t *testing.T) {
 		ID: "mc-notif-test", Name: "notif-test", CommonName: "notif.example.com",
 		SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
 		IssuerID: issuerID, RenewalPolicyID: policyID,
-		Status: domain.CertificateStatusActive,
+		Status:    domain.CertificateStatusActive,
 		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
 		CreatedAt: now, UpdatedAt: now,
 	}
@@ -1432,7 +1432,7 @@ func TestDiscoveryRepository_DiscoveredCertCRUD(t *testing.T) {
 		ID: "mc-linked-cert", Name: "linked-cert", CommonName: "linked.example.com",
 		SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
 		IssuerID: issuerID, RenewalPolicyID: policyID,
-		Status: domain.CertificateStatusActive,
+		Status:    domain.CertificateStatusActive,
 		ExpiresAt: now.Add(90 * 24 * time.Hour), Tags: map[string]string{},
 		CreatedAt: now, UpdatedAt: now,
 	}
@@ -1447,7 +1447,7 @@ func TestDiscoveryRepository_DiscoveredCertCRUD(t *testing.T) {
 		NotBefore: &notBefore, NotAfter: &notAfter, KeyAlgorithm: "RSA", KeySize: 2048,
 		IsCA: false, PEMData: "---PEM---", SourcePath: "/etc/ssl/certs/disc.pem",
 		SourceFormat: "PEM", AgentID: "agent-dcert-test",
-		Status: domain.DiscoveryStatusUnmanaged,
+		Status:      domain.DiscoveryStatusUnmanaged,
 		FirstSeenAt: now, LastSeenAt: now, CreatedAt: now, UpdatedAt: now,
 	}
 
@@ -1577,8 +1577,8 @@ func TestNetworkScanRepository_CRUD(t *testing.T) {
 
 	target := &domain.NetworkScanTarget{
 		ID: "ns-test-1", Name: "Internal Network",
-		CIDRs: []string{"10.0.0.0/24", "192.168.1.0/24"},
-		Ports: []int64{443, 8443},
+		CIDRs:   []string{"10.0.0.0/24", "192.168.1.0/24"},
+		Ports:   []int64{443, 8443},
 		Enabled: true, ScanIntervalHours: 6, TimeoutMs: 5000,
 		CreatedAt: now, UpdatedAt: now,
 	}

internal/repository/postgres/revocation.go

@@ -1,10 +1,10 @@
 package postgres
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"database/sql"
 	"fmt"
+	"github.com/shankar0123/certctl/internal/repository"
 
 	"github.com/shankar0123/certctl/internal/domain"
 )

internal/repository/postgres/target.go

@@ -1,10 +1,10 @@
 package postgres
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"database/sql"
 	"fmt"
+	"github.com/shankar0123/certctl/internal/repository"
 
 	"github.com/google/uuid"
 	"github.com/shankar0123/certctl/internal/domain"

internal/repository/postgres/team.go

@@ -1,10 +1,10 @@
 package postgres
 
 import (
-	"github.com/shankar0123/certctl/internal/repository"
 	"context"
 	"database/sql"
 	"fmt"
+	"github.com/shankar0123/certctl/internal/repository"
 
 	"github.com/google/uuid"
 	"github.com/shankar0123/certctl/internal/domain"