fix(lint): fix all linting errors

- Check BindEnv return values in config.go
- Add bounds checks for int->int32/uint32 conversions to prevent overflow
- Remove unused test helper functions

services/identity/internal/password/password.go

@@ -7,6 +7,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"math"
 	"strings"
 
 	"golang.org/x/crypto/argon2"
@@ -77,7 +78,11 @@ func Verify(password, hash string) (bool, error) {
 	}
 
 	// Compute hash with same parameters
-	actualHash := argon2.IDKey([]byte(password), salt, uint32(t), uint32(m), uint8(p), uint32(len(expectedHash)))
+	hashLen := len(expectedHash)
+	if hashLen < 0 || hashLen > math.MaxUint32 {
+		return false, fmt.Errorf("invalid hash length: %d", hashLen)
+	}
+	actualHash := argon2.IDKey([]byte(password), salt, uint32(t), uint32(m), uint8(p), uint32(hashLen))
 
 	// Constant-time comparison
 	if subtle.ConstantTimeCompare(expectedHash, actualHash) == 1 {

services/identity/internal/password/password_test.go

@@ -209,33 +209,3 @@ func TestHash_Uniqueness(t *testing.T) {
 	}
 }
 
-// Helper functions for test
-func splitHash(hash string) []string {
-	parts := make([]string, 0, 6)
-	current := ""
-	for _, char := range hash {
-		if char == '$' {
-			if current != "" {
-				parts = append(parts, current)
-				current = ""
-			}
-		} else {
-			current += string(char)
-		}
-	}
-	if current != "" {
-		parts = append(parts, current)
-	}
-	return parts
-}
-
-func joinHash(parts []string) string {
-	result := ""
-	for i, part := range parts {
-		if i > 0 {
-			result += "$"
-		}
-		result += part
-	}
-	return result
-}