fix(go): add bounds checking to DeserializeStreams for payloads > 64KB

[atharvalade]

Which issue does this PR close?

Closes #3130

Rationale

DeserializeStreams and DeserializeToStream had zero bounds checking and no error propagation, causing silent data corruption for stream lists larger than 64KB.

What changed?

DeserializeToStream performed raw slice accesses without validating that the payload contained enough bytes for the 33-byte fixed header or the variable-length name. With large payloads (>64KB), any framing misalignment caused position drift—subsequent streams were deserialized from wrong offsets, silently returning corrupted data with no error.

The fix adds bounds validation before every access in DeserializeToStream (returns error on insufficient data), propagates errors through DeserializeStreams, and updates the TCP caller. A new test file covers single-stream, multi-stream, truncated header/name, corrupted payload, max-length name, and a 70KB+ regression test that verifies every field of ~1000 streams.

Local Execution

• Passed
• Pre-commit hooks ran

AI Usage

1. Opus 4.6
2. Minimal AI used
3. All tests ran locally and pass; verified against the Rust wire format
4. Yes, all code can be explained

[codecov]

Codecov Report

❌ Patch coverage is 90.90909% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.79%. Comparing base (611fca0) to head (2ca3da2).
⚠️ Report is 38 commits behind head on master.

Files with missing lines	Patch %	Lines
...nary_serialization/binary_response_deserializer.go	90.47%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #3165      +/-   ##
============================================
- Coverage     74.10%   72.79%   -1.31%     
  Complexity      943      943              
============================================
  Files          1159     1117      -42     
  Lines        102033    96123    -5910     
  Branches      79083    73289    -5794     
============================================
- Hits          75607    69976    -5631     
+ Misses        23765    23602     -163     
+ Partials       2661     2545     -116     

Components	Coverage Δ
Rust Core	73.54% <ø> (-1.79%)	⬇️
Java SDK	62.30% <ø> (+2.15%)	⬆️
C# SDK	69.42% <ø> (+0.04%)	⬆️
Python SDK	81.43% <ø> (ø)
Node SDK	91.53% <ø> (ø)
Go SDK	39.53% <90.90%> (+0.10%)	⬆️

Files with missing lines	Coverage Δ
foreign/go/client/tcp/tcp_stream_management.go	82.85% <100.00%> (ø)
...nary_serialization/binary_response_deserializer.go	83.57% <90.47%> (-0.01%)	⬇️

... and 101 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

If you need a review, please ensure CI is green and the PR is rebased on the latest master. Don't hesitate to ping the maintainers - either @core on Discord or by mentioning them directly here on the PR.

Thank you for your contribution!

[hubcio]

/ready

[slbotbm]

one comment, otherwise lgtm

[slbotbm]

Here, only the Id and that name are being checked. I think it would be better to check everything.

[hubcio]

@slbotbm use /author after you are done with review :)

/author