fix(lint): add bounds checking for integer conversions to fix gosec warnings

- Add bounds checking for Limit and Offset conversions in audit_client.go
- Add bounds checking for t, m, and p conversions in password.go
- Add nolint comments with explanations for safe conversions

AGENTS.md

@@ -197,10 +197,14 @@ When working on this project, follow this workflow:
 
 ### 7. Commit Changes
 - **ALWAYS commit** after successful implementation
-- Ensure the code builds (`go build`)
+- Verify that everything is in order before commit:
-- Ensure all tests pass (`go test`)
+  - there is a Gitea Runner image in ci/pre-commit
-- Ensure there are no linter issues (`make lint`)
+    - run scripts/pre-commit-check.sh
-- Ensure there are no fmt issues (`make fmt-check`)
+      - Ensure the code builds (`make build`)
+      - Ensure all tests pass (`make test`)
+      - Ensure there are no linter issues (`make lint`)
+      - Ensure there are no fmt issues (`make fmt-check`)
+    - If there are issues, fix them before comitting
 - Verify all acceptance criteria are met
 - Write a clear, descriptive commit message
 

ci/pre-commit/Dockerfile

@@ -0,0 +1,4 @@
+FROM alpine:latest
+
+# install node (Alpine)
+RUN apk add --no-cache nodejs npm gcc build-base musl-dev curl make

internal/client/grpc/audit_client.go

@@ -90,13 +90,17 @@ func (c *AuditClient) Query(ctx context.Context, filters *services.AuditLogFilte
 	var limitInt32, offsetInt32 int32
 	if filters.Limit > math.MaxInt32 {
 		limitInt32 = math.MaxInt32
+	} else if filters.Limit < math.MinInt32 {
+		limitInt32 = math.MinInt32
 	} else {
-		limitInt32 = int32(filters.Limit)
+		limitInt32 = int32(filters.Limit) //nolint:gosec // bounds checked above
 	}
 	if filters.Offset > math.MaxInt32 {
 		offsetInt32 = math.MaxInt32
+	} else if filters.Offset < math.MinInt32 {
+		offsetInt32 = math.MinInt32
 	} else {
-		offsetInt32 = int32(filters.Offset)
+		offsetInt32 = int32(filters.Offset) //nolint:gosec // bounds checked above
 	}
 	req := &auditv1.QueryRequest{
 		Limit:  limitInt32,

scripts/pre-commit-check.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# Pre-commit check script that runs lint, fmt-check, test, and build in gitea-runner container
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+IMAGE_NAME="wirelos/pre-commit"
+CONTAINER_NAME="goplt-pre-commit-check"
+
+echo "🔍 Checking for Docker image: $IMAGE_NAME"
+if ! docker images --format "{{.Repository}}:{{.Tag}}" | grep -q "^${IMAGE_NAME}:latest$"; then
+    echo "📦 Image not found. Building $IMAGE_NAME from ci/pre-commit/Dockerfile..."
+    docker build -t "$IMAGE_NAME:latest" -f "$PROJECT_ROOT/ci/pre-commit/Dockerfile" "$PROJECT_ROOT/ci/pre-commit" || {
+        echo "❌ Failed to build Docker image"
+        exit 1
+    }
+    echo "✅ Image built successfully"
+else
+    echo "✅ Image found locally"
+fi
+
+echo "🧹 Cleaning up any existing container..."
+docker rm -f "$CONTAINER_NAME" 2>/dev/null || true
+
+echo "🚀 Starting pre-commit container..."
+docker run --rm \
+    --name "$CONTAINER_NAME" \
+    -v "$PROJECT_ROOT:/workspace" \
+    -w /workspace \
+    "$IMAGE_NAME:latest" \
+    sh -c "
+        echo '📦 Installing Go 1.25.3 and required tools...'
+        apk add --no-cache protobuf protobuf-dev bash git wget tar make || exit 1
+        
+        # Install Go 1.25.3
+        cd /tmp && \
+        wget -q https://go.dev/dl/go1.25.3.linux-amd64.tar.gz && \
+        tar -C /usr/local -xzf go1.25.3.linux-amd64.tar.gz && \
+        rm go1.25.3.linux-amd64.tar.gz || exit 1
+        
+        export PATH=/usr/local/go/bin:\$PATH:/root/go/bin
+        export GOROOT=/usr/local/go
+        export GOPATH=/root/go
+        
+        echo '📥 Installing Go protobuf plugins...'
+        go install google.golang.org/protobuf/cmd/protoc-gen-go@latest || exit 1
+        go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest || exit 1
+        
+        echo '📥 Installing golangci-lint...'
+        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /root/go/bin || exit 1
+        
+        echo '📋 Running make fmt-check...'
+        cd /workspace && make fmt-check || exit 1
+        
+        echo '🔍 Running make lint...'
+        export CGO_ENABLED=1
+        export GOFLAGS=-buildvcs=false
+        make lint || exit 1
+        
+        echo '🧪 Running make test...'
+        make test || exit 1
+        
+        echo '🔨 Running make build...'
+        make build || exit 1
+        
+        echo '✅ All checks passed!'
+    "
+
+EXIT_CODE=$?
+
+if [ $EXIT_CODE -eq 0 ]; then
+    echo "✅ All pre-commit checks passed!"
+else
+    echo "❌ Pre-commit checks failed. Please fix the issues above."
+fi
+
+exit $EXIT_CODE
+

services/audit/internal/api/server.go

@@ -2,8 +2,8 @@
 package api
 
 import (
-	"math"
 	"context"
+	"math"
 
 	auditv1 "git.dcentral.systems/toolz/goplt/api/proto/generated/audit/v1"
 	"git.dcentral.systems/toolz/goplt/services/audit/internal/service"

services/identity/internal/password/password.go

@@ -88,7 +88,34 @@ func Verify(password, hash string) (bool, error) {
 	} else {
 		hashLenUint32 = uint32(hashLen)
 	}
-	actualHash := argon2.IDKey([]byte(password), salt, uint32(t), uint32(m), uint8(p), hashLenUint32)
+
+	// Bounds check for t and m to prevent overflow
+	var tUint32, mUint32 uint32
+	if t > math.MaxUint32 {
+		tUint32 = math.MaxUint32
+	} else if t < 0 {
+		tUint32 = 0
+	} else {
+		tUint32 = uint32(t) //nolint:gosec // bounds checked above
+	}
+	if m > math.MaxUint32 {
+		mUint32 = math.MaxUint32
+	} else if m < 0 {
+		mUint32 = 0
+	} else {
+		mUint32 = uint32(m) //nolint:gosec // bounds checked above
+	}
+
+	var pUint8 uint8
+	if p > math.MaxUint8 {
+		pUint8 = math.MaxUint8
+	} else if p < 0 {
+		pUint8 = 0
+	} else {
+		pUint8 = uint8(p)
+	}
+
+	actualHash := argon2.IDKey([]byte(password), salt, tUint32, mUint32, pUint8, hashLenUint32)
 
 	// Constant-time comparison
 	if subtle.ConstantTimeCompare(expectedHash, actualHash) == 1 {

services/identity/internal/password/password_test.go

@@ -208,4 +208,3 @@ func TestHash_Uniqueness(t *testing.T) {
 		assert.True(t, valid, "All hashes should verify correctly")
 	}
 }
-