From b8fac592005c071b7054547049e99de8621cb0c5 Mon Sep 17 00:00:00 2001
From: shankar0123
Date: Mon, 11 May 2026 11:29:48 +0000
Subject: [PATCH] chore(fmt): gofmt cleanup on files touched by audit-2026-05-11 fix bundle
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Whitespace alignment drift surfaced by gofmt -l after merging 7 fix branches. Pure formatting, no semantic change. Pre-existing master drift in internal/auth/oidc/{domain/types.go, integration_keycloak_rotate_test.go, test_discovery.go} left untouched — that's separate tech debt.
---
 cmd/server/main.go | 22 +++++++++++----------
 internal/api/handler/audit.go | 2 --
 internal/auth/protocol_endpoints.go | 2 +-
 internal/config/config_test.go | 2 +-
 4 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/cmd/server/main.go b/cmd/server/main.go
index 94bbdfe..fc3f51b 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -457,7 +457,7 @@ func main() {
 Secure: true,
 },
 ).WithBCLReplayConsumer(bclReplayRepo, bclMaxAge). // HIGH-3 jti consumed-set.
- WithPermissionChecker(authCheckerAdapter) // MED-2 auth.session.list.all gate.
+ WithPermissionChecker(authCheckerAdapter) // MED-2 auth.session.list.all gate.
 // =========================================================================
 // Auth Bundle 2 Phase 7 — OIDC first-admin bootstrap hook.
@@ -1344,17 +1344,17 @@ func main() {
 // Lazy build — re-read cfg.Auth.* values on every call so
 // post-startup re-evaluation reflects any (future) mutation.
 return map[string]string{
- "CERTCTL_AUTH_TYPE": string(cfg.Auth.Type),
- "CERTCTL_SESSION_SAMESITE": cfg.Auth.Session.SameSite,
- "CERTCTL_OIDC_BCL_MAX_AGE_SECONDS": strconv.Itoa(cfg.Auth.OIDCBCLMaxAgeSeconds),
- "CERTCTL_OIDC_PRELOGIN_REQUIRE_UA": strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireUA),
- "CERTCTL_OIDC_PRELOGIN_REQUIRE_IP": strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireIP),
- "CERTCTL_BREAKGLASS_ENABLED": strconv.FormatBool(cfg.Auth.Breakglass.Enabled),
+ "CERTCTL_AUTH_TYPE": string(cfg.Auth.Type),
+ "CERTCTL_SESSION_SAMESITE": cfg.Auth.Session.SameSite,
+ "CERTCTL_OIDC_BCL_MAX_AGE_SECONDS": strconv.Itoa(cfg.Auth.OIDCBCLMaxAgeSeconds),
+ "CERTCTL_OIDC_PRELOGIN_REQUIRE_UA": strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireUA),
+ "CERTCTL_OIDC_PRELOGIN_REQUIRE_IP": strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireIP),
+ "CERTCTL_BREAKGLASS_ENABLED": strconv.FormatBool(cfg.Auth.Breakglass.Enabled),
 "CERTCTL_BREAKGLASS_LOCKOUT_THRESHOLD": strconv.Itoa(cfg.Auth.Breakglass.LockoutThreshold),
- "CERTCTL_DEMO_MODE_ACK": strconv.FormatBool(cfg.Auth.DemoModeAck),
- "CERTCTL_TRUSTED_PROXIES_COUNT": strconv.Itoa(len(cfg.Auth.TrustedProxies)),
- "CERTCTL_BOOTSTRAP_TOKEN_SET": strconv.FormatBool(cfg.Auth.BootstrapToken != ""),
- "CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID": cfg.Auth.BootstrapOIDCProviderID,
+ "CERTCTL_DEMO_MODE_ACK": strconv.FormatBool(cfg.Auth.DemoModeAck),
+ "CERTCTL_TRUSTED_PROXIES_COUNT": strconv.Itoa(len(cfg.Auth.TrustedProxies)),
+ "CERTCTL_BOOTSTRAP_TOKEN_SET": strconv.FormatBool(cfg.Auth.BootstrapToken != ""),
+ "CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID": cfg.Auth.BootstrapOIDCProviderID,
 "CERTCTL_BOOTSTRAP_ADMIN_GROUPS_COUNT": strconv.Itoa(len(cfg.Auth.BootstrapAdminGroups)),
 }
 },
diff --git a/internal/api/handler/audit.go b/internal/api/handler/audit.go
index 5ca03b3..84674b3 100644
--- a/internal/api/handler/audit.go
+++ b/internal/api/handler/audit.go
@@ -284,5 +284,3 @@ func (h AuditHandler) ExportAudit(w http.ResponseWriter, r *http.Request) {
 "actor_id", actorID, "rows", len(events), "err", err)
 }
 }
-
-
diff --git a/internal/auth/protocol_endpoints.go b/internal/auth/protocol_endpoints.go
index 0d7f460..4b4b2ae 100644
--- a/internal/auth/protocol_endpoints.go
+++ b/internal/auth/protocol_endpoints.go
@@ -40,7 +40,7 @@ import "strings"
 var ProtocolEndpointPrefixes = []string{
 "/acme",
 "/scep",
- "/scep-mtls", // SCEP + mTLS sibling route (Phase 6.5)
+ "/scep-mtls", // SCEP + mTLS sibling route (Phase 6.5)
 "/.well-known/est",
 "/.well-known/est-mtls", // EST + mTLS sibling route (EST hardening Phase 2)
 "/.well-known/pki/ocsp",
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 973ffca..34ee2a6 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -530,7 +530,7 @@ func TestIsLoopbackAddr(t *testing.T) {
 {"10.0.0.1", false},
 {"192.168.1.1", false},
 {"203.0.113.42", false},
- {"example.com", false}, // hostname → fail closed
+ {"example.com", false}, // hostname → fail closed
 {"my-cert-server.internal", false},
 // Defensive: host:port form should still classify the host part.
 {"127.0.0.1:8443", true},