Checkpoint: fix all lint warnings

- errorlint: use errors.Is for ErrSealed comparisons in vault_test.go
- gofmt: reformat config, config_test, middleware_test with goimports
- govet/fieldalignment: reorder struct fields in vault.go, csrf.go,
  detail_test.go, middleware_test.go for optimal alignment
- unused: remove unused newCSRFManager in csrf.go (superseded by
  newCSRFManagerFromVault)
- revive/early-return: invert sealed-vault condition in main.go

Security: no auth/crypto logic changed; struct reordering and error
comparison fixes only. newCSRFManager removal is safe — it was never
called; all CSRF construction goes through newCSRFManagerFromVault.

Co-authored-by: Junie <junie@jetbrains.com>

internal/config/config.go

@@ -174,8 +174,8 @@ func (c *Config) validate() error {
 	// generous to accommodate a range of legitimate deployments while
 	// catching obvious typos (e.g. "876000h" instead of "8760h").
 	const (
-		maxDefaultExpiry = 30 * 24 * time.Hour  // 30 days
-		maxAdminExpiry   = 24 * time.Hour        // 24 hours
+		maxDefaultExpiry = 30 * 24 * time.Hour      // 30 days
+		maxAdminExpiry   = 24 * time.Hour           // 24 hours
 		maxServiceExpiry = 5 * 365 * 24 * time.Hour // 5 years
 	)
 	if c.Tokens.DefaultExpiry.Duration <= 0 {

internal/config/config_test.go

@@ -213,9 +213,9 @@ threads = 4
 // TestTrustedProxyValidation verifies that trusted_proxy must be a valid IP.
 func TestTrustedProxyValidation(t *testing.T) {
 	tests := []struct {
-		name        string
-		proxy       string
-		wantErr     bool
+		name    string
+		proxy   string
+		wantErr bool
 	}{
 		{"empty is valid (disabled)", "", false},
 		{"valid IPv4", "127.0.0.1", false},