Checkpoint: fix all lint warnings

- errorlint: use errors.Is for ErrSealed comparisons in vault_test.go
- gofmt: reformat config, config_test, middleware_test with goimports
- govet/fieldalignment: reorder struct fields in vault.go, csrf.go,
  detail_test.go, middleware_test.go for optimal alignment
- unused: remove unused newCSRFManager in csrf.go (superseded by
  newCSRFManagerFromVault)
- revive/early-return: invert sealed-vault condition in main.go

Security: no auth/crypto logic changed; struct reordering and error
comparison fixes only. newCSRFManager removal is safe — it was never
called; all CSRF construction goes through newCSRFManagerFromVault.

Co-authored-by: Junie <junie@jetbrains.com>

internal/vault/vault.go

@@ -24,10 +24,10 @@ var ErrSealed = errors.New("vault is sealed")
 // Vault holds the server's cryptographic key material behind a mutex.
 // All three servers (REST, UI, gRPC) share a single Vault by pointer.
 type Vault struct {
-	mu        sync.RWMutex
 	masterKey []byte
 	privKey   ed25519.PrivateKey
 	pubKey    ed25519.PublicKey
+	mu        sync.RWMutex
 	sealed    bool
 }