security: fix CodeQL warnings for integer overflow and workflow permissions

- handlers_tower.go: add bounds checks before int-to-int16 and int-to-uint16
  conversions to prevent overflow/wraparound (CodeQL #7, #8)
- go-improved.yml, go.yml: add top-level `permissions: contents: read` to
  restrict workflow token scope (CodeQL #15, #16, #17)

.github/workflows/go-improved.yml

@@ -20,6 +20,9 @@ on:
       - main
       - develop
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test