feat: add Hugging Face fetch timeout flag

[rupayon123]

Adds a --timeout flag for remote Hugging Face fetches. The default stays at 10 seconds, and the value is passed through the metadata, config, index, shard header, and HEAD requests.

I also added CLI coverage for the default/custom timeout values, invalid values, and the remote analysis path passing the timeout into the Hugging Face parser.

I couldn't run the test suite from this environment, so please treat the tests as unverified locally.

Closes #27

Summary by CodeRabbit

Release Notes

• New Features

  • Added --timeout CLI option to configure timeout duration for remote Hugging Face model fetches. Timeout defaults to 10.0 seconds and must be a positive value.

• Tests

  • Added comprehensive test coverage for the new --timeout option, including validation of default values, positive float acceptance, and rejection of invalid values.

[coderabbitai]

Walkthrough

Adds a --timeout CLI option (default 10.0, validated as a positive float) to the modelinfo CLI. The value is threaded through analyze_model into fetch_huggingface_repo, which propagates it to _make_request and _fetch_safetensors_header, replacing all hardcoded 10-second timeouts in urllib calls. Tests cover argument parsing and end-to-end forwarding.

Changes

--timeout flag for remote Hugging Face fetches

Layer / File(s)	Summary
CLI argument, validation, and analyze_model wiring src/modelinfo/cli.py	Adds _positive_float validator, registers --timeout (default 10.0) in parse_args, extends analyze_model signature with timeout: float = 10.0, passes it to fetch_huggingface_repo, and wires args.timeout into both single-model and multi-model call sites in main().
Timeout propagation through huggingface.py network calls src/modelinfo/parsers/huggingface.py	Adds timeout parameter to _make_request (forwarded to urlopen), _fetch_safetensors_header (including the 416-retry path), and all request sites in fetch_huggingface_repo: API metadata, config.json, sharded index, per-shard header closures, and single-file HEAD + header fetch.
CLI parsing and forwarding tests tests/test_cli.py	Adds four --timeout parse tests (default, float, zero-rejection, negative-rejection) and one integration test that monkeypatches fetch_huggingface_repo to assert the timeout value is correctly forwarded by analyze_model.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: add Hugging Face fetch timeout flag' clearly and concisely summarizes the main change: adding a timeout flag for Hugging Face fetches.
Description check	✅ Passed	The PR description covers the core changes and includes test coverage notes, but lacks explicit sections matching the repository template (Summary, Motivation & Context structured as separate sections, Type of Change checkbox).
Linked Issues check	✅ Passed	The PR successfully implements all coding requirements from issue #27: adds --timeout flag to CLI, threads it through analyze_model to fetch_huggingface_repo, and replaces hardcoded timeout with the parameter.
Out of Scope Changes check	✅ Passed	All changes in CLI, parser, and tests are directly related to implementing the --timeout flag feature specified in issue #27; no out-of-scope modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[aikido-pr-checks]

Potential user input in HTTP request may allow SSRF attack - medium severity
If an attacker can control the URL input leading into this HTTP request, the attack might be able to perform an SSRF attack. This kind of attack is even more dangerous if the application returns the response of the request to the user. It could allow them to retrieve information from higher privileged services within the network (such as the metadata service, which is commonly available in cloud services, and could allow them to retrieve credentials).

Show fix

Remediation: If possible, only allow requests to allowlisting domains. If not, consult the article linked above to learn about other mitigating techniques such as disabling redirects, blocking private IPs and making sure private services have internal authentication. If you return data coming from the request to the user, validate the data before returning it to make sure you don't return random data.

_{Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[aikido-pr-checks]

_positive_float allows NaN because fvalue <= 0 is false for NaN, so invalid --timeout nan passes parsing and can break request timeout handling.

Details

✨ AI Reasoning
​The new timeout validator is meant to enforce a strictly positive value, but it only checks whether the parsed float is less than or equal to zero. A NaN value bypasses that condition because NaN is neither <= 0 nor > 0. That means an invalid timeout can pass argument parsing and propagate into request logic, where timeout handling may raise runtime errors. This is a control-flow validation bug in the new logic.

🔧 How do I fix it?
Trace execution paths carefully. Ensure precondition checks happen before using values, validate ranges before checking impossible conditions, and don't check for states that the code has already ruled out.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/modelinfo/cli.py`:
- Around line 44-48: The _positive_float function in src/modelinfo/cli.py
currently accepts non-finite values like nan and inf, which can cause issues
downstream. Add a check after converting the string to float using
math.isfinite() to validate that the value is finite, and raise
argparse.ArgumentTypeError with an appropriate message if it is not (for
example, "timeout must be a finite number"). This validation should occur
alongside the existing check for positive values to ensure all invalid timeout
values are rejected during argument parsing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: f2f3d51d-d292-418f-9b0a-bd62151f8f38

📥 Commits

Reviewing files that changed from the base of the PR and between 99a7a5f and bd6ce16.

📒 Files selected for processing (3)

• src/modelinfo/cli.py
• src/modelinfo/parsers/huggingface.py
• tests/test_cli.py

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Reject non-finite timeout values in CLI validation.

_positive_float currently allows nan/inf, which can escape argument validation and fail later in networking code.

Suggested fix

 def _positive_float(value: str) -> float:
     fvalue = float(value)
-    if fvalue <= 0:
-        raise argparse.ArgumentTypeError("timeout must be greater than 0")
+    if fvalue <= 0 or fvalue != fvalue or fvalue == float("inf"):
+        raise argparse.ArgumentTypeError(
+            "timeout must be a finite number greater than 0"
+        )
     return fvalue

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/modelinfo/cli.py` around lines 44 - 48, The _positive_float function in
src/modelinfo/cli.py currently accepts non-finite values like nan and inf, which
can cause issues downstream. Add a check after converting the string to float
using math.isfinite() to validate that the value is finite, and raise
argparse.ArgumentTypeError with an appropriate message if it is not (for
example, "timeout must be a finite number"). This validation should occur
alongside the existing check for positive values to ensure all invalid timeout
values are rejected during argument parsing.