Checkpoint: fix all lint warnings

- errorlint: use errors.Is for ErrSealed comparisons in vault_test.go
- gofmt: reformat config, config_test, middleware_test with goimports
- govet/fieldalignment: reorder struct fields in vault.go, csrf.go,
  detail_test.go, middleware_test.go for optimal alignment
- unused: remove unused newCSRFManager in csrf.go (superseded by
  newCSRFManagerFromVault)
- revive/early-return: invert sealed-vault condition in main.go

Security: no auth/crypto logic changed; struct reordering and error
comparison fixes only. newCSRFManager removal is safe — it was never
called; all CSRF construction goes through newCSRFManagerFromVault.

Co-authored-by: Junie <junie@jetbrains.com>

cmd/mciassrv/main.go

@@ -87,17 +87,16 @@ func run(configPath string, logger *slog.Logger) error {
 	masterKey, mkErr := loadMasterKey(cfg, database)
 	if mkErr != nil {
 		// Check if we can start sealed (passphrase mode, empty env var).
-		if cfg.MasterKey.KeyFile == "" && os.Getenv(cfg.MasterKey.PassphraseEnv) == "" {
-			// Verify that this is not a first run — the signing key must already exist.
-			enc, nonce, scErr := database.ReadServerConfig()
-			if scErr != nil || enc == nil || nonce == nil {
-				return fmt.Errorf("first run requires passphrase: %w", mkErr)
-			}
-			v = vault.NewSealed()
-			logger.Info("vault starting in sealed state")
-		} else {
+		if cfg.MasterKey.KeyFile != "" || os.Getenv(cfg.MasterKey.PassphraseEnv) != "" {
 			return fmt.Errorf("load master key: %w", mkErr)
 		}
+		// Verify that this is not a first run — the signing key must already exist.
+		enc, nonce, scErr := database.ReadServerConfig()
+		if scErr != nil || enc == nil || nonce == nil {
+			return fmt.Errorf("first run requires passphrase: %w", mkErr)
+		}
+		v = vault.NewSealed()
+		logger.Info("vault starting in sealed state")
 	} else {
 		// Load or generate the Ed25519 signing key.
 		// Security: The private signing key is stored AES-256-GCM encrypted in the