fix: harden numeric conversions for gosec#74

Merged

shamaton merged 3 commits into main from fix/issue65 on May 19, 2026
Conversation

@shamaton
Owner

Fix #65

Summary

  • Add checked numeric conversion helpers for gosec G115/G103 findings
  • Return ErrValueOutOfRange instead of silently overflowing integer decodes
  • Add gosec CI workflow and tests for out-of-range decoding and negative timestamps

Background / Motivation

This change addresses gosec findings around integer conversions and unsafe usage, while preventing silent overflow when decoding MessagePack numeric values.

Changes

  • Add internal/common/decodingutil for checked int/uint conversions
  • Apply range-checked conversions across regular and stream decoders for scalars, slices, maps, and interfaces
  • Refactor byte writing to use encoding/binary and shared buffer helpers
  • Remove unsafe usage from string encoding
  • Encode negative timestamps with timestamp96 format correctly

Test Plan

  • go test ./...
  • Added tests cover:
    • Out-of-range integer decode returning ErrValueOutOfRange
    • int decoding rejecting float NaN, Inf, and out-of-range values
    • Negative timestamp encode/decode behavior
    • Equivalent regular and stream decode paths
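The range-checked conversions the PR describes, as an added example that is not the project's own internal/common/decodingutil code: the generic helpers and this copy of the ErrValueOutOfRange sentinel are assumptions, written to show the checks a decoder needs so that a MessagePack integer or float that does not fit its Go target fails instead of wrapping (the gosec G115 pattern).

```go
package main

import (
	"errors"
	"math"
)

// ErrValueOutOfRange is the sentinel named in the PR; this copy is an assumption.
var ErrValueOutOfRange = errors.New("msgpack: decoded value out of range for target type")
type Signed interface{ ~int | ~int8 | ~int16 | ~int32 | ~int64 }
type Unsigned interface{ ~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64 }

// Int64ToSigned narrows v to T; T(v) alone wraps silently (gosec G115), the round trip back to int64 exposes the truncation.
func Int64ToSigned[T Signed](v int64) (T, error) {
	if t := T(v); int64(t) == v {
		return t, nil
	}
	return 0, ErrValueOutOfRange
}

// Uint64ToSigned rules out u > MaxInt64 first: uint64(int64(u)) == u even when int64(u) went negative, so the round trip alone would miss it.
func Uint64ToSigned[T Signed](u uint64) (T, error) {
	if u > math.MaxInt64 {
		return 0, ErrValueOutOfRange
	}
	return Int64ToSigned[T](int64(u))
}

// Uint64ToUnsigned narrows u to T with the same round-trip check.
func Uint64ToUnsigned[T Unsigned](u uint64) (T, error) {
	if t := T(u); uint64(t) == u {
		return t, nil
	}
	return 0, ErrValueOutOfRange
}

// Int64ToUnsigned rejects negatives before narrowing.
func Int64ToUnsigned[T Unsigned](v int64) (T, error) {
	if v < 0 {
		return 0, ErrValueOutOfRange
	}
	return Uint64ToUnsigned[T](uint64(v))
}

// Float64ToInt64 rejects NaN, ±Inf and values outside [-2^63, 2^63), where Go's int64(f) is implementation-defined; fractions truncate toward zero.
func Float64ToInt64(f float64) (int64, error) {
	if math.IsNaN(f) || math.IsInf(f, 0) || f < -9223372036854775808.0 || f >= 9223372036854775808.0 {
		return 0, ErrValueOutOfRange
	}
	return int64(f), nil
}
```

Because the error is a sentinel, callers can distinguish a malformed-but-in-range value from one that simply does not fit the requested Go type and report the target type in their own error message.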

@shamaton shamaton self-assigned this May 19, 2026
@shamaton shamaton added the type: bug Confirmed or likely defect label May 19, 2026

codecov Bot commented May 19, 2026

Codecov Report

❌ Patch coverage is 72.48841% with 178 lines in your changes missing coverage. Please review.
✅ Project coverage is 95.57%. Comparing base (eb5ff15) to head (5206191).
⚠️ Report is 2 commits behind head on main.

Files with missing lines                 Patch %   Lines
internal/decoding/map.go                 50.00%    24 missing and 24 partials
internal/stream/decoding/map.go          50.00%    24 missing and 24 partials
internal/common/decodingutil/range.go    78.44%    14 missing and 11 partials
internal/decoding/slice.go               50.00%    8 missing and 8 partials
internal/stream/decoding/slice.go        50.00%    8 missing and 8 partials
internal/decoding/interface.go           50.00%    6 missing and 6 partials
internal/decoding/uint.go                75.00%    5 missing
ext/encode.go                            92.00%    2 missing
internal/common/buffer.go                95.12%    2 missing
internal/decoding/int.go                 88.88%    1 missing and 1 partial
... and 1 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main      #74      +/-   ##
==========================================
- Coverage   98.30%   95.57%   -2.74%     
==========================================
  Files          72       73       +1     
  Lines        6123     6366     +243     
==========================================
+ Hits         6019     6084      +65     
- Misses         71      167      +96     
- Partials       33      115      +82     


@shamaton shamaton merged commit f389408 into main May 19, 2026
32 checks passed
@shamaton shamaton deleted the fix/issue65 branch May 19, 2026 13:51
@github-actions github-actions Bot mentioned this pull request May 19, 2026
Linked issue closed by this pull request: Address gosec G115/G103 findings