fix: accept civitai.red as an allowed CivitAI host

[bigcat88]

Fixes #435

Summary

• civitai.red is an official Civitai domain — the NSFW-inclusive front door that shares accounts, database, and REST API with civitai.com (per Civitai's April 2026 announcement, Two Front Doors).
• check_civitai_url() hardcoded a civitai.com-only host allowlist, so the configured CivitAI API token was never attached to civitai.red downloads and gated content failed with 401.
• Lifted the allowed hosts to a single CIVITAI_ALLOWED_HOSTS constant in constants.py and rewired the host check to use it for both exact-match and subdomain-suffix checks. Adding a future Civitai TLD is now a one-line change. Anti-spoofing semantics are preserved (evilcivitai.red, civitai.red.evil.com, etc. still rejected).

The hardcoded https://civitai.com/api/v1/... REST API URLs are intentionally left alone — Civitai's announcement states "the REST API continues to live on civitai.com and will also be accessible through civitai.red", so civitai.red users' tokens resolve correctly through the civitai.com API.

Test plan

• Added 7 tests mirroring the existing civitai.com coverage on civitai.red: web URL, /api/download/models/..., /api/v1/model-versions/..., www. subdomain, plus anti-spoof rejections for evilcivitai.red and civitai.red.evil.com.
• Manual 29-case regression matrix (including civitai.com.evil.red, civitaired.com, uppercase hosts, deep subdomains) — all expected outcomes.
• pytest tests/comfy_cli/ — 674 passed, 6 skipped, no regressions.
• ruff check . and ruff format --check . — clean.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0fa24bd3-f10e-4faa-94dc-6d0e3520a9cd

📥 Commits

Reviewing files that changed from the base of the PR and between fd6a468 and 9d832a1.

📒 Files selected for processing (3)

• comfy_cli/command/models/models.py
• comfy_cli/constants.py
• tests/comfy_cli/command/models/test_models.py

---

📝 Walkthrough

Walkthrough

Extends Civitai URL validation to accept configured hostnames (adds civitai.red alongside civitai.com) by introducing CIVITAI_ALLOWED_HOSTS and using computed subdomain suffixes in check_civitai_url. Tests added for valid and spoofed civitai.red patterns. A tiny rhyme: new hosts got their say, now red works day and ray.

Changes

Cohort / File(s)	Summary
Configuration comfy_cli/constants.py	Adds CIVITAI_ALLOWED_HOSTS tuple listing permitted Civitai hostnames: civitai.com, civitai.red.
URL Validation comfy_cli/command/models/models.py	Modifies check_civitai_url to validate parsed hostnames against CIVITAI_ALLOWED_HOSTS and uses a derived _CIVITAI_SUBDOMAIN_SUFFIXES tuple for subdomain suffix matching; preserves existing return shape and downstream parsing.
Test Coverage tests/comfy_cli/command/models/test_models.py	Adds tests ensuring civitai.red and www.civitai.red are accepted for page and API endpoints, and that lookalike/spoofed hosts (evilcivitai.red, civitai.red.evil.com) are rejected.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The pull request directly addresses issue #435 by introducing CIVITAI_ALLOWED_HOSTS constant and updating check_civitai_url to recognize civitai.red, ensuring API tokens are properly attached to civitai.red requests.
Out of Scope Changes check	✅ Passed	All changes are scoped to the linked issue: constant definition, URL validation logic, and comprehensive tests for civitai.red support.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/civitai-red-allowed-host

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch fix/civitai-red-allowed-host

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main     #436      +/-   ##
==========================================
+ Coverage   78.01%   78.02%   +0.01%     
==========================================
  Files          35       35              
  Lines        4317     4319       +2     
==========================================
+ Hits         3368     3370       +2     
  Misses        949      949              

Files with missing lines	Coverage Δ
comfy_cli/command/models/models.py	72.91% <100.00%> (+0.11%)	⬆️
comfy_cli/constants.py	100.00% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.