security: strong API-key hashing + safe int conversion + workflow permissions (CodeQL)

[intel352]

Summary

Fixes three GitHub CodeQL alerts.

---

1. go/weak-sensitive-data-hashing (HIGH) — store/api_keys.go

Issue: CodeQL flagged hashKey for hashing a sensitive API key token.

Finding: The implementation already uses crypto/sha256 (SHA-256) with crypto/subtle.ConstantTimeCompare for all in-memory lookups — both the correct algorithm and the correct comparison primitive for a high-entropy random token (128 bits of randomness from crypto/rand). SHA-256 is appropriate here because this is a deterministic lookup hash (the raw key is a one-time secret; the hash is stored and later used to look up the record), not a password. A slow KDF (bcrypt/argon2) would not be appropriate since it would prevent efficient index lookups.

Fix: Added TestHashKeyUsesSHA256 and TestConstantTimeHashCompare as regression guards. Any future regression to MD5 (32-char hex output) or SHA-1 (40-char hex output) will fail immediately at CI.

Compatibility: No change to stored hashes. The algorithm was already SHA-256 — no migration needed.

---

2. go/incorrect-integer-conversion (HIGH) — schema/reflect.go

Issue: parseDefault called strconv.ParseInt(s, 10, 64) and then cast the int64 result directly to int. On 32-bit platforms int is 32 bits wide, so any parsed value in the range [math.MaxInt32+1, math.MaxInt64] silently overflows.

Fix: Added a bounds check before the cast:

if i < math.MinInt || i > math.MaxInt {
    return s // out-of-range: preserve as string
}
return int(i)

Values within [math.MinInt, math.MaxInt] (platform-native int bounds) are converted as before. Out-of-range values fall through to the string representation, which is the same behaviour the function applies to any value that fails both numeric parses.

Added TestParseDefaultIntOverflow covering MaxInt, MinInt, and the 32-bit overflow path.

---

3. actions/missing-workflow-permissions (MEDIUM) — .github/workflows/test-dispatch.yml

Issue: No permissions: block was declared, so the workflow inherited the repository default token permissions (potentially broad write access).

Fix: Added a top-level least-privilege permissions: contents: read block. The peter-evans/repository-dispatch step and gh run list call both use REPO_DISPATCH_TOKEN (a caller-supplied PAT) rather than GITHUB_TOKEN, so no GITHUB_TOKEN permission escalation at the job level is required.

---

Test plan

• go build ./... — clean
• go test ./store/... ./schema/... — all pass
• go vet ./store/... ./schema/... — clean
• gofmt -l — no dirty files
• golangci-lint run ./store/... ./schema/... — 0 issues
• python3 -c "import yaml; yaml.safe_load(...)" on test-dispatch.yml — parses OK

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
schema/reflect.go	0.00%	1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

[github-actions]

⏱ Benchmark Results

✅ No significant performance regressions detected.

benchstat comparison (baseline → PR)

## benchstat: baseline → PR
baseline-bench.txt:298: parsing iteration count: invalid syntax
baseline-bench.txt:339395: parsing iteration count: invalid syntax
baseline-bench.txt:638985: parsing iteration count: invalid syntax
baseline-bench.txt:924214: parsing iteration count: invalid syntax
baseline-bench.txt:1209170: parsing iteration count: invalid syntax
baseline-bench.txt:1532805: parsing iteration count: invalid syntax
benchmark-results.txt:298: parsing iteration count: invalid syntax
benchmark-results.txt:274625: parsing iteration count: invalid syntax
benchmark-results.txt:606492: parsing iteration count: invalid syntax
benchmark-results.txt:923239: parsing iteration count: invalid syntax
benchmark-results.txt:1258535: parsing iteration count: invalid syntax
benchmark-results.txt:1591659: parsing iteration count: invalid syntax
goos: linux
goarch: amd64
pkg: github.com/GoCodeAlone/workflow/dynamic
cpu: AMD EPYC 7763 64-Core Processor                
                            │ baseline-bench.txt │       benchmark-results.txt        │
                            │       sec/op       │    sec/op     vs base              │
InterpreterCreation-4              10.425m ± 62%   9.598m ± 63%  -7.93% (p=0.041 n=6)
ComponentLoad-4                     3.553m ±  1%   3.597m ± 11%  +1.24% (p=0.026 n=6)
ComponentExecute-4                  1.910µ ±  1%   1.949µ ±  1%  +2.04% (p=0.002 n=6)
PoolContention/workers-1-4          1.083µ ±  2%   1.095µ ±  2%       ~ (p=0.102 n=6)
PoolContention/workers-2-4          1.071µ ±  3%   1.088µ ±  2%  +1.63% (p=0.041 n=6)
PoolContention/workers-4-4          1.070µ ±  1%   1.088µ ±  1%  +1.68% (p=0.002 n=6)
PoolContention/workers-8-4          1.067µ ±  0%   1.083µ ±  1%  +1.55% (p=0.002 n=6)
PoolContention/workers-16-4         1.073µ ±  1%   1.092µ ±  1%  +1.72% (p=0.004 n=6)
ComponentLifecycle-4                3.634m ±  2%   3.613m ±  1%       ~ (p=0.093 n=6)
SourceValidation-4                  2.364µ ±  1%   2.337µ ±  1%  -1.16% (p=0.017 n=6)
RegistryConcurrent-4                815.8n ±  5%   810.5n ±  4%       ~ (p=0.937 n=6)
LoaderLoadFromString-4              3.591m ±  1%   3.639m ±  1%  +1.34% (p=0.004 n=6)
geomean                             19.21µ         19.24µ        +0.13%

                            │ baseline-bench.txt │        benchmark-results.txt         │
                            │        B/op        │     B/op      vs base                │
InterpreterCreation-4               2.027Mi ± 0%   2.027Mi ± 0%       ~ (p=1.000 n=6)
ComponentLoad-4                     2.180Mi ± 0%   2.180Mi ± 0%       ~ (p=0.056 n=6)
ComponentExecute-4                  1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-1-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-2-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-4-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-8-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-16-4         1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
ComponentLifecycle-4                2.183Mi ± 0%   2.183Mi ± 0%       ~ (p=0.677 n=6)
SourceValidation-4                  1.984Ki ± 0%   1.984Ki ± 0%       ~ (p=1.000 n=6) ¹
RegistryConcurrent-4                1.133Ki ± 0%   1.133Ki ± 0%       ~ (p=1.000 n=6) ¹
LoaderLoadFromString-4              2.182Mi ± 0%   2.182Mi ± 0%       ~ (p=0.413 n=6)
geomean                             15.25Ki        15.25Ki       -0.00%
¹ all samples are equal

                            │ baseline-bench.txt │        benchmark-results.txt        │
                            │     allocs/op      │  allocs/op   vs base                │
InterpreterCreation-4                15.68k ± 0%   15.68k ± 0%       ~ (p=1.000 n=6)
ComponentLoad-4                      18.02k ± 0%   18.02k ± 0%       ~ (p=1.000 n=6)
ComponentExecute-4                    25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-1-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-2-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-4-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-8-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-16-4           25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
ComponentLifecycle-4                 18.07k ± 0%   18.07k ± 0%       ~ (p=1.000 n=6) ¹
SourceValidation-4                    32.00 ± 0%    32.00 ± 0%       ~ (p=1.000 n=6) ¹
RegistryConcurrent-4                  2.000 ± 0%    2.000 ± 0%       ~ (p=1.000 n=6) ¹
LoaderLoadFromString-4               18.06k ± 0%   18.06k ± 0%       ~ (p=1.000 n=6) ¹
geomean                               183.3         183.3       +0.00%
¹ all samples are equal

pkg: github.com/GoCodeAlone/workflow/middleware
                                  │ baseline-bench.txt │       benchmark-results.txt       │
                                  │       sec/op       │   sec/op     vs base              │
CircuitBreakerDetection-4                  283.4n ± 4%   285.9n ± 2%       ~ (p=0.288 n=6)
CircuitBreakerExecution_Success-4          21.53n ± 0%   21.51n ± 0%       ~ (p=0.303 n=6)
CircuitBreakerExecution_Failure-4          66.38n ± 0%   66.27n ± 1%       ~ (p=0.368 n=6)
geomean                                    73.98n        74.14n       +0.22%

                                  │ baseline-bench.txt │       benchmark-results.txt        │
                                  │        B/op        │    B/op     vs base                │
CircuitBreakerDetection-4                 144.0 ± 0%     144.0 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Success-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Failure-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                              ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

                                  │ baseline-bench.txt │       benchmark-results.txt        │
                                  │     allocs/op      │ allocs/op   vs base                │
CircuitBreakerDetection-4                 1.000 ± 0%     1.000 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Success-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Failure-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                              ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/module
                                 │ baseline-bench.txt │       benchmark-results.txt        │
                                 │       sec/op       │    sec/op     vs base              │
IaCStateBackend_InProcess-4              342.1n ± 20%   323.8n ± 29%       ~ (p=0.485 n=6)
IaCStateBackend_GRPC-4                   9.384m ±  3%   9.578m ±  4%  +2.07% (p=0.026 n=6)
JQTransform_Simple-4                     676.1n ± 32%   703.8n ± 30%       ~ (p=0.394 n=6)
JQTransform_ObjectConstruction-4         1.446µ ±  1%   1.476µ ±  1%  +2.08% (p=0.002 n=6)
JQTransform_ArraySelect-4                3.284µ ±  2%   3.451µ ±  2%  +5.10% (p=0.002 n=6)
JQTransform_Complex-4                    38.06µ ±  2%   39.40µ ±  1%  +3.53% (p=0.002 n=6)
JQTransform_Throughput-4                 1.743µ ±  1%   1.813µ ±  1%  +4.05% (p=0.002 n=6)
SSEPublishDelivery-4                     77.91n ±  1%   72.31n ±  1%  -7.18% (p=0.002 n=6)
geomean                                  3.897µ         3.934µ        +0.95%

                                 │ baseline-bench.txt │        benchmark-results.txt         │
                                 │        B/op        │     B/op      vs base                │
IaCStateBackend_InProcess-4             416.0 ±  0%       416.0 ± 0%       ~ (p=1.000 n=6) ¹
IaCStateBackend_GRPC-4                5.812Mi ± 10%     5.760Mi ± 8%       ~ (p=0.818 n=6)
JQTransform_Simple-4                  1.273Ki ±  0%     1.273Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ObjectConstruction-4      1.773Ki ±  0%     1.773Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ArraySelect-4             2.625Ki ±  0%     2.625Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Complex-4                 16.31Ki ±  0%     16.31Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Throughput-4              1.984Ki ±  0%     1.984Ki ± 0%       ~ (p=1.000 n=6) ¹
SSEPublishDelivery-4                    0.000 ±  0%       0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                             ²                 -0.11%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

                                 │ baseline-bench.txt │        benchmark-results.txt        │
                                 │     allocs/op      │  allocs/op   vs base                │
IaCStateBackend_InProcess-4              2.000 ± 0%      2.000 ± 0%       ~ (p=1.000 n=6) ¹
IaCStateBackend_GRPC-4                  6.830k ± 0%     6.833k ± 0%       ~ (p=0.965 n=6)
JQTransform_Simple-4                     10.00 ± 0%      10.00 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ObjectConstruction-4         15.00 ± 0%      15.00 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ArraySelect-4                30.00 ± 0%      30.00 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Complex-4                    328.0 ± 0%      328.0 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Throughput-4                 17.00 ± 0%      17.00 ± 0%       ~ (p=1.000 n=6) ¹
SSEPublishDelivery-4                     0.000 ± 0%      0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                             ²                +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/schema
                                    │ baseline-bench.txt │       benchmark-results.txt       │
                                    │       sec/op       │   sec/op     vs base              │
SchemaValidation_Simple-4                   1.085µ ±  5%   1.101µ ± 2%       ~ (p=0.294 n=6)
SchemaValidation_AllFields-4                1.651µ ± 29%   1.677µ ± 3%       ~ (p=0.699 n=6)
SchemaValidation_FormatValidation-4         1.585µ ±  1%   1.566µ ± 2%       ~ (p=0.058 n=6)
SchemaValidation_ManySchemas-4              1.826µ ±  3%   1.830µ ± 2%       ~ (p=0.794 n=6)
geomean                                     1.509µ         1.516µ       +0.49%

                                    │ baseline-bench.txt │       benchmark-results.txt        │
                                    │        B/op        │    B/op     vs base                │
SchemaValidation_Simple-4                   0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_AllFields-4                0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_FormatValidation-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_ManySchemas-4              0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                                ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

                                    │ baseline-bench.txt │       benchmark-results.txt        │
                                    │     allocs/op      │ allocs/op   vs base                │
SchemaValidation_Simple-4                   0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_AllFields-4                0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_FormatValidation-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_ManySchemas-4              0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                                ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/store
                                   │ baseline-bench.txt │        benchmark-results.txt        │
                                   │       sec/op       │    sec/op     vs base               │
EventStoreAppend_InMemory-4                1.193µ ± 14%   1.167µ ± 12%        ~ (p=0.589 n=6)
EventStoreAppend_SQLite-4                  1.775m ± 16%   1.343m ±  4%  -24.31% (p=0.002 n=6)
GetTimeline_InMemory/events-10-4           13.92µ ±  3%   14.74µ ±  2%   +5.87% (p=0.002 n=6)
GetTimeline_InMemory/events-50-4           78.09µ ±  3%   82.43µ ±  5%   +5.56% (p=0.004 n=6)
GetTimeline_InMemory/events-100-4          152.4µ ± 21%   167.4µ ± 23%        ~ (p=0.240 n=6)
GetTimeline_InMemory/events-500-4          619.1µ ±  1%   662.7µ ±  0%   +7.04% (p=0.002 n=6)
GetTimeline_InMemory/events-1000-4         1.258m ±  0%   1.360m ±  1%   +8.04% (p=0.002 n=6)
GetTimeline_SQLite/events-10-4             104.0µ ±  1%   110.9µ ±  1%   +6.55% (p=0.002 n=6)
GetTimeline_SQLite/events-50-4             244.2µ ±  0%   258.3µ ±  1%   +5.79% (p=0.002 n=6)
GetTimeline_SQLite/events-100-4            414.0µ ±  1%   440.8µ ±  1%   +6.47% (p=0.002 n=6)
GetTimeline_SQLite/events-500-4            1.772m ±  1%   1.879m ±  1%   +6.03% (p=0.002 n=6)
GetTimeline_SQLite/events-1000-4           3.443m ±  0%   3.681m ±  1%   +6.91% (p=0.002 n=6)
geomean                                    225.8µ         232.6µ         +3.03%

                                   │ baseline-bench.txt │        benchmark-results.txt         │
                                   │        B/op        │     B/op      vs base                │
EventStoreAppend_InMemory-4                  799.5 ± 6%     789.5 ± 6%       ~ (p=0.699 n=6)
EventStoreAppend_SQLite-4                  1.984Ki ± 3%   1.988Ki ± 2%       ~ (p=0.359 n=6)
GetTimeline_InMemory/events-10-4           7.953Ki ± 0%   7.953Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-50-4           46.62Ki ± 0%   46.62Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-100-4          94.48Ki ± 0%   94.48Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-500-4          472.8Ki ± 0%   472.8Ki ± 0%       ~ (p=0.061 n=6)
GetTimeline_InMemory/events-1000-4         944.3Ki ± 0%   944.3Ki ± 0%       ~ (p=0.121 n=6)
GetTimeline_SQLite/events-10-4             16.74Ki ± 0%   16.74Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-50-4             87.14Ki ± 0%   87.14Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-100-4            175.4Ki ± 0%   175.4Ki ± 0%       ~ (p=1.000 n=6)
GetTimeline_SQLite/events-500-4            846.1Ki ± 0%   846.1Ki ± 0%  +0.00% (p=0.009 n=6)
GetTimeline_SQLite/events-1000-4           1.639Mi ± 0%   1.639Mi ± 0%  -0.00% (p=0.043 n=6)
geomean                                    67.41Ki        67.35Ki       -0.09%
¹ all samples are equal

                                   │ baseline-bench.txt │        benchmark-results.txt        │
                                   │     allocs/op      │  allocs/op   vs base                │
EventStoreAppend_InMemory-4                  7.000 ± 0%    7.000 ± 0%       ~ (p=1.000 n=6) ¹
EventStoreAppend_SQLite-4                    53.00 ± 0%    53.00 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-10-4             125.0 ± 0%    125.0 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-50-4             653.0 ± 0%    653.0 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-100-4           1.306k ± 0%   1.306k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-500-4           6.514k ± 0%   6.514k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-1000-4          13.02k ± 0%   13.02k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-10-4               382.0 ± 0%    382.0 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-50-4              1.852k ± 0%   1.852k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-100-4             3.681k ± 0%   3.681k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-500-4             18.54k ± 0%   18.54k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-1000-4            37.29k ± 0%   37.29k ± 0%       ~ (p=1.000 n=6) ¹
geomean                                     1.162k        1.162k       +0.00%
¹ all samples are equal

Benchmarks run with go test -bench=. -benchmem -count=6.
Regressions ≥ 20% are flagged. Results compared via benchstat.