chore(fmt): gofmt cleanup on three pre-bundle drift files surfaced by v2.1.0 release-gate Phase 1

Phase 1 (make verify) of cowork/v2.1.0-release-gate.md surfaced three
files with pre-existing gofmt drift that pre-dated the 2026-05-11 fix
bundle work:

  internal/auth/oidc/domain/types.go
  internal/auth/oidc/integration_keycloak_rotate_test.go
  internal/auth/oidc/test_discovery.go

The 2026-05-11 Fix 08 fmt-cleanup commit (b3e3a8d) fixed four files
that the merge introduced; these three were noted as pre-existing
master drift and intentionally left untouched at the time. The
v2.1.0 release-gate spec's Phase 1 requires zero gofmt output from
'go fmt ./...' (Makefile::verify form), so the drift must close
before tagging.

Pure whitespace alignment, no semantic change.

internal/auth/oidc/domain/types.go

@@ -33,20 +33,20 @@ import (
 // the field is non-empty + carries the v2 magic byte; actual
 // encryption / decryption happens in the service layer.
 type OIDCProvider struct {
-	ID                    string    `json:"id"` // prefix `op-`
-	TenantID              string    `json:"tenant_id"`
-	Name                  string    `json:"name"`
-	IssuerURL             string    `json:"issuer_url"`
-	ClientID              string    `json:"client_id"`
-	ClientSecretEncrypted []byte    `json:"-"` // v2 blob; never JSON-encoded
-	RedirectURI           string    `json:"redirect_uri"`
-	GroupsClaimPath       string    `json:"groups_claim_path"`
-	GroupsClaimFormat     string    `json:"groups_claim_format"`
-	FetchUserinfo         bool      `json:"fetch_userinfo"`
-	Scopes                []string  `json:"scopes"`
-	AllowedEmailDomains   []string  `json:"allowed_email_domains"`
-	IATWindowSeconds      int       `json:"iat_window_seconds"`
-	JWKSCacheTTLSeconds   int       `json:"jwks_cache_ttl_seconds"`
+	ID                    string   `json:"id"` // prefix `op-`
+	TenantID              string   `json:"tenant_id"`
+	Name                  string   `json:"name"`
+	IssuerURL             string   `json:"issuer_url"`
+	ClientID              string   `json:"client_id"`
+	ClientSecretEncrypted []byte   `json:"-"` // v2 blob; never JSON-encoded
+	RedirectURI           string   `json:"redirect_uri"`
+	GroupsClaimPath       string   `json:"groups_claim_path"`
+	GroupsClaimFormat     string   `json:"groups_claim_format"`
+	FetchUserinfo         bool     `json:"fetch_userinfo"`
+	Scopes                []string `json:"scopes"`
+	AllowedEmailDomains   []string `json:"allowed_email_domains"`
+	IATWindowSeconds      int      `json:"iat_window_seconds"`
+	JWKSCacheTTLSeconds   int      `json:"jwks_cache_ttl_seconds"`
 	// Enabled gates whether the provider is offered on the LoginPage and
 	// accepted at HandleAuthRequest. Audit 2026-05-10 MED-9 closure:
 	// pre-fix the only way to take a provider offline was DELETE (which

internal/auth/oidc/integration_keycloak_rotate_test.go

@@ -46,10 +46,10 @@ import (
 //  2. Rotate the realm's RSA key via the Keycloak admin API.
 //  3. Run a fresh /auth/oidc/login → /auth/oidc/callback flow.
 //     - Keycloak signs the new ID token under the new (higher-priority)
-//       key.
+//     key.
 //     - certctl's verifier holds the pre-rotate JWKS in cache.
 //     - The verify trips kid-not-in-cache → MED-6 auto-refresh fires →
-//       second verify succeeds.
+//     second verify succeeds.
 //  4. Assert the callback succeeded without the test having called
 //     RefreshKeys (which would mask the MED-6 path).
 //

internal/auth/oidc/test_discovery.go

@@ -21,16 +21,16 @@ import (
 // (e.g. discovery OK but alg-downgrade tripped) returns
 // DiscoverySucceeded=true + a non-empty Errors slice.
 type TestDiscoveryResult struct {
-	DiscoverySucceeded  bool     `json:"discovery_succeeded"`
-	JWKSReachable       bool     `json:"jwks_reachable"`
-	SupportedAlgValues  []string `json:"supported_alg_values"`
-	IssParamSupported   bool     `json:"iss_param_supported"`
-	IssuerEcho          string   `json:"issuer_echo,omitempty"` // the iss value the IdP advertised
-	AuthorizationURL    string   `json:"authorization_url,omitempty"`
-	TokenURL            string   `json:"token_url,omitempty"`
-	JWKSURI             string   `json:"jwks_uri,omitempty"`
-	UserInfoEndpoint    string   `json:"userinfo_endpoint,omitempty"`
-	Errors              []string `json:"errors,omitempty"`
+	DiscoverySucceeded bool     `json:"discovery_succeeded"`
+	JWKSReachable      bool     `json:"jwks_reachable"`
+	SupportedAlgValues []string `json:"supported_alg_values"`
+	IssParamSupported  bool     `json:"iss_param_supported"`
+	IssuerEcho         string   `json:"issuer_echo,omitempty"` // the iss value the IdP advertised
+	AuthorizationURL   string   `json:"authorization_url,omitempty"`
+	TokenURL           string   `json:"token_url,omitempty"`
+	JWKSURI            string   `json:"jwks_uri,omitempty"`
+	UserInfoEndpoint   string   `json:"userinfo_endpoint,omitempty"`
+	Errors             []string `json:"errors,omitempty"`
 }
 
 // TestDiscovery runs the read-only subset of getOrLoad against a