fix(lint): use explicit safe type conversions for gosec

Use separate variables with explicit else branches to make type
conversions safe and satisfy gosec integer overflow checks.

cmd/audit-service/audit_service_fx.go

@@ -277,12 +277,15 @@ func (s *auditServerImpl) Query(ctx context.Context, req *auditv1.QueryRequest)
 	}
 
 	total := len(protoEntries)
+	var totalInt32 int32
 	if total > math.MaxInt32 {
-		total = math.MaxInt32
+		totalInt32 = math.MaxInt32
+	} else {
+		totalInt32 = int32(total)
 	}
 	return &auditv1.QueryResponse{
 		Entries: protoEntries,
-		Total:   int32(total),
+		Total:   totalInt32,
 	}, nil
 }
 

cmd/identity-service/identity_service_fx.go

@@ -77,7 +77,13 @@ func verifyPassword(password, hash string) (bool, error) {
 	if hashLen < 0 || hashLen > math.MaxUint32 {
 		return false, fmt.Errorf("invalid hash length: %d", hashLen)
 	}
-	actualHash := argon2.IDKey([]byte(password), salt, 3, 64*1024, 4, uint32(hashLen))
+	var hashLenUint32 uint32
+	if hashLen > math.MaxUint32 {
+		hashLenUint32 = math.MaxUint32
+	} else {
+		hashLenUint32 = uint32(hashLen)
+	}
+	actualHash := argon2.IDKey([]byte(password), salt, 3, 64*1024, 4, hashLenUint32)
 	return subtle.ConstantTimeCompare(expectedHash, actualHash) == 1, nil
 }