chore(fmt): gofmt cleanup on files touched by audit-2026-05-11 fix bundle

Whitespace alignment drift surfaced by gofmt -l after merging 7 fix branches.
Pure formatting, no semantic change. Pre-existing master drift in
internal/auth/oidc/{domain/types.go, integration_keycloak_rotate_test.go,
test_discovery.go} left untouched — that's separate tech debt.

cmd/server/main.go

@@ -457,7 +457,7 @@ func main() {
 			Secure:   true,
 		},
 	).WithBCLReplayConsumer(bclReplayRepo, bclMaxAge). // HIGH-3 jti consumed-set.
-														WithPermissionChecker(authCheckerAdapter)      // MED-2 auth.session.list.all gate.
+								WithPermissionChecker(authCheckerAdapter) // MED-2 auth.session.list.all gate.
 
 	// =========================================================================
 	// Auth Bundle 2 Phase 7 — OIDC first-admin bootstrap hook.
@@ -1344,17 +1344,17 @@ func main() {
 				// Lazy build — re-read cfg.Auth.* values on every call so
 				// post-startup re-evaluation reflects any (future) mutation.
 				return map[string]string{
-					"CERTCTL_AUTH_TYPE":                  string(cfg.Auth.Type),
-					"CERTCTL_SESSION_SAMESITE":           cfg.Auth.Session.SameSite,
-					"CERTCTL_OIDC_BCL_MAX_AGE_SECONDS":   strconv.Itoa(cfg.Auth.OIDCBCLMaxAgeSeconds),
-					"CERTCTL_OIDC_PRELOGIN_REQUIRE_UA":   strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireUA),
-					"CERTCTL_OIDC_PRELOGIN_REQUIRE_IP":   strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireIP),
-					"CERTCTL_BREAKGLASS_ENABLED":         strconv.FormatBool(cfg.Auth.Breakglass.Enabled),
+					"CERTCTL_AUTH_TYPE":                    string(cfg.Auth.Type),
+					"CERTCTL_SESSION_SAMESITE":             cfg.Auth.Session.SameSite,
+					"CERTCTL_OIDC_BCL_MAX_AGE_SECONDS":     strconv.Itoa(cfg.Auth.OIDCBCLMaxAgeSeconds),
+					"CERTCTL_OIDC_PRELOGIN_REQUIRE_UA":     strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireUA),
+					"CERTCTL_OIDC_PRELOGIN_REQUIRE_IP":     strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireIP),
+					"CERTCTL_BREAKGLASS_ENABLED":           strconv.FormatBool(cfg.Auth.Breakglass.Enabled),
 					"CERTCTL_BREAKGLASS_LOCKOUT_THRESHOLD": strconv.Itoa(cfg.Auth.Breakglass.LockoutThreshold),
-					"CERTCTL_DEMO_MODE_ACK":              strconv.FormatBool(cfg.Auth.DemoModeAck),
-					"CERTCTL_TRUSTED_PROXIES_COUNT":      strconv.Itoa(len(cfg.Auth.TrustedProxies)),
-					"CERTCTL_BOOTSTRAP_TOKEN_SET":        strconv.FormatBool(cfg.Auth.BootstrapToken != ""),
-					"CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID": cfg.Auth.BootstrapOIDCProviderID,
+					"CERTCTL_DEMO_MODE_ACK":                strconv.FormatBool(cfg.Auth.DemoModeAck),
+					"CERTCTL_TRUSTED_PROXIES_COUNT":        strconv.Itoa(len(cfg.Auth.TrustedProxies)),
+					"CERTCTL_BOOTSTRAP_TOKEN_SET":          strconv.FormatBool(cfg.Auth.BootstrapToken != ""),
+					"CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID":   cfg.Auth.BootstrapOIDCProviderID,
 					"CERTCTL_BOOTSTRAP_ADMIN_GROUPS_COUNT": strconv.Itoa(len(cfg.Auth.BootstrapAdminGroups)),
 				}
 			},

internal/api/handler/audit.go

@@ -284,5 +284,3 @@ func (h AuditHandler) ExportAudit(w http.ResponseWriter, r *http.Request) {
 			"actor_id", actorID, "rows", len(events), "err", err)
 	}
 }
-
-

internal/auth/protocol_endpoints.go

@@ -40,7 +40,7 @@ import "strings"
 var ProtocolEndpointPrefixes = []string{
 	"/acme",
 	"/scep",
-	"/scep-mtls",            // SCEP + mTLS sibling route (Phase 6.5)
+	"/scep-mtls", // SCEP + mTLS sibling route (Phase 6.5)
 	"/.well-known/est",
 	"/.well-known/est-mtls", // EST + mTLS sibling route (EST hardening Phase 2)
 	"/.well-known/pki/ocsp",

internal/config/config_test.go

@@ -530,7 +530,7 @@ func TestIsLoopbackAddr(t *testing.T) {
 		{"10.0.0.1", false},
 		{"192.168.1.1", false},
 		{"203.0.113.42", false},
-		{"example.com", false},          // hostname → fail closed
+		{"example.com", false}, // hostname → fail closed
 		{"my-cert-server.internal", false},
 		// Defensive: host:port form should still classify the host part.
 		{"127.0.0.1:8443", true},