refactor(adminui): tidy cert-audit review nits (fallthrough comment + single PkiStoreRoot read)

src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Certificates.razor

@@ -127,7 +127,7 @@ else
     private void LoadAll()
     {
         DisposeRows();
-        var pkiRoot = Config.GetValue<string?>("OpcUa:PkiStoreRoot") ?? "pki";
+        var pkiRoot = CertManager.PkiRoot; // Single source: manager already resolved OpcUa:PkiStoreRoot (default "pki").
         _rows = new()
         {
             LoadStore("Own", StoreKind.Own, Path.Combine(pkiRoot, "own", "certs")),
@@ -200,8 +200,14 @@ else
             {
                 StoreKind.Trusted  => CertManager.Delete("trusted", p.Thumbprint, actor),
                 StoreKind.Rejected => CertManager.Delete("rejected", p.Thumbprint, actor),
+                // Unreachable defensive guard — action buttons only render for Trusted/Rejected stores
+                // + the 3 literal verbs (Trust/Untrust/Delete); this arm never executes, so it
+                // intentionally does not route through CertificateStoreManager/audit.
                 _                  => CertActionResult.Fail($"cannot delete from {p.Kind}"),
             },
+            // Unreachable defensive guard — action buttons only render for Trusted/Rejected stores
+            // + the 3 literal verbs (Trust/Untrust/Delete); this arm never executes, so it
+            // intentionally does not route through CertificateStoreManager/audit.
             _ => CertActionResult.Fail("unknown action"),
         };
         _statusError = !result.Success;