Checkpoint: fix all lint warnings

- errorlint: use errors.Is for ErrSealed comparisons in vault_test.go
- gofmt: reformat config, config_test, middleware_test with goimports
- govet/fieldalignment: reorder struct fields in vault.go, csrf.go,
  detail_test.go, middleware_test.go for optimal alignment
- unused: remove unused newCSRFManager in csrf.go (superseded by
  newCSRFManagerFromVault)
- revive/early-return: invert sealed-vault condition in main.go

Security: no auth/crypto logic changed; struct reordering and error
comparison fixes only. newCSRFManager removal is safe — it was never
called; all CSRF construction goes through newCSRFManagerFromVault.

Co-authored-by: Junie <junie@jetbrains.com>
2026-03-15 16:40:11 -07:00
parent 9657f18784
commit cb661bb8f5
12 changed files with 708 additions and 41 deletions


@@ -24,10 +24,10 @@ var ErrSealed = errors.New("vault is sealed")
// Vault holds the server's cryptographic key material behind a mutex.
// All three servers (REST, UI, gRPC) share a single Vault by pointer.
type Vault struct {
mu sync.RWMutex
masterKey []byte
privKey ed25519.PrivateKey
pubKey ed25519.PublicKey
mu sync.RWMutex
sealed bool
}
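Review bot: Nothing in the `Vault` struct states which fields `mu` protects, and since this reorder moves `mu` relative to the key fields for alignment, its position can no longer be read as a hint. For a type that holds the master key and the Ed25519 private key and is shared by pointer across three servers, the lock coverage should be written down on the field, for example `mu sync.RWMutex // guards masterKey, privKey, pubKey, sealed`. The accessors are not visible in this hunk, so confirm the field list against the code that actually takes the lock.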


@@ -3,6 +3,7 @@ package vault
import (
"crypto/ed25519"
"crypto/rand"
"errors"
"sync"
"testing"
)
@@ -25,13 +26,13 @@ func TestNewSealed(t *testing.T) {
if !v.IsSealed() {
t.Fatal("NewSealed() should be sealed")
}
if _, err := v.MasterKey(); err != ErrSealed {
if _, err := v.MasterKey(); !errors.Is(err, ErrSealed) {
t.Fatalf("MasterKey() error = %v, want ErrSealed", err)
}
if _, err := v.PrivKey(); err != ErrSealed {
if _, err := v.PrivKey(); !errors.Is(err, ErrSealed) {
t.Fatalf("PrivKey() error = %v, want ErrSealed", err)
}
if _, err := v.PubKey(); err != ErrSealed {
if _, err := v.PubKey(); !errors.Is(err, ErrSealed) {
t.Fatalf("PubKey() error = %v, want ErrSealed", err)
}
}
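Review bot: The three sealed-vault checks in TestNewSealed discard the returned key with `_`, so the test would still pass if an accessor returned ErrSealed together with key material. Since the security property of a sealed vault is that no key bytes leave it, assert the value as well, e.g. `if k, err := v.MasterKey(); !errors.Is(err, ErrSealed) || len(k) != 0 {`, and do the same for `PrivKey()` and `PubKey()`. This assumes the accessors return the slice types of the corresponding struct fields, which the hunk does not show. The start of TestNewSealed lies outside this hunk.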