fix: bound update-check HTTP request with Timeout and body limit

internal/update/update.go issued a GET against api.github.com through
a bare http.Client{} - no Timeout, no body cap, no
NewRequestWithContext cancellation. Two concrete problems:

  1. A slow or hijacked response would hang the binary on launch
     forever, because the call site uses context.Background() so
     the caller cannot cancel the request.
  2. A malicious or compromised api.github.com response could
     exhaust memory; io.ReadAll on resp.Body has no upper bound.

This change adds a 10s http.Client.Timeout, wraps the body read in
io.LimitReader with a 1 MiB cap, and adds two regression tests.

Touches:
  - internal/update/update.go
  - internal/update/update_test.go

Verification: go vet, staticcheck, gofumpt, go test -short all clean.

Author: Patel230

internal/update/update.go

@@ -8,8 +8,20 @@ import (
 	"net/http"
 	"runtime"
 	"strings"
+	"time"
 )
 
+// checkTimeout bounds the time a single update-check HTTP request can take.
+// The package's public entry point runs the request through context.Background
+// (so it cannot be cancelled by the caller), so without an http.Client
+// Timeout a slow or hijacked response could hang the binary on launch
+// forever. 10s is generous for a single GET against api.github.com.
+const checkTimeout = 10 * time.Second
+
+// maxResponseBytes caps the body read so a malicious or compromised
+// api.github.com response cannot exhaust memory.
+const maxResponseBytes = 1 << 20 // 1 MiB
+
 var updateURL = "https://api.github.com/repos/GrayCodeAI/hawk/releases/latest"
 
 func setUpdateURL(url string) {
@@ -26,14 +38,14 @@ type ReleaseInfo struct {
 
 // Check checks for available updates.
 func Check(currentVersion string) (*ReleaseInfo, error) {
-	req, err := http.NewRequestWithContext(context.Background(), "GET", updateURL, nil)
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, updateURL, nil)
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Set("Accept", "application/vnd.github.v3+json")
 	req.Header.Set("User-Agent", "hawk-cli")
 
-	client := &http.Client{}
+	client := &http.Client{Timeout: checkTimeout}
 	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
@@ -44,7 +56,7 @@ func Check(currentVersion string) (*ReleaseInfo, error) {
 		return nil, fmt.Errorf("update check failed: %s", resp.Status)
 	}
 
-	body, err := io.ReadAll(resp.Body)
+	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBytes))
 	if err != nil {
 		return nil, err
 	}

internal/update/update_test.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/GrayCodeAI/hawk/internal/testutil"
 )
@@ -154,6 +155,68 @@ func TestCheck(t *testing.T) {
 			t.Error("Check() should return error for unreachable server")
 		}
 	})
+
+	t.Run("slow server is bounded by client timeout", func(t *testing.T) {
+		// Server that takes longer than checkTimeout to start writing
+		// the response. The client.Timeout should abort the request
+		// well before the server would have responded.
+		server := testutil.NewLoopbackHTTPServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			time.Sleep(15 * time.Second)
+		}))
+		// server.Close() blocks on the still-active connection; kick
+		// the close off in a goroutine and bound the wait so the test
+		// finishes promptly once the assertion has run.
+		t.Cleanup(func() {
+			done := make(chan struct{})
+			go func() { server.Close(); close(done) }()
+			select {
+			case <-done:
+			case <-time.After(2 * time.Second):
+				// best-effort: the test has already passed; the
+				// runner's process cleanup will finish the job
+			}
+		})
+
+		origURL := updateURL
+		setUpdateURL(server.URL)
+		t.Cleanup(func() { setUpdateURL(origURL) })
+
+		start := time.Now()
+		_, err := Check("0.1.0")
+		elapsed := time.Since(start)
+		if err == nil {
+			t.Fatal("Check() should error when the server stalls")
+		}
+		// checkTimeout is 10s; allow a couple seconds of slack for
+		// goroutine scheduling on slow CI but require the timeout
+		// to have fired (the server sleeps 15s).
+		if elapsed > 12*time.Second {
+			t.Errorf("Check() took %v; expected to be bounded by checkTimeout (10s)", elapsed)
+		}
+	})
+
+	t.Run("oversize response is bounded", func(t *testing.T) {
+		// Server returns > 1 MiB; the LimitReader in Check caps the
+		// body read so JSON unmarshal of a normal release still
+		// succeeds (release fields are populated from the prefix).
+		server := testutil.NewLoopbackHTTPServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = w.Write([]byte(`{"tag_name":"v9.9.9","name":"x","body":"`))
+			pad := strings.Repeat("a", 2<<20)
+			_, _ = w.Write([]byte(pad))
+			_, _ = w.Write([]byte(`","html_url":"https://example"}`))
+		}))
+		defer server.Close()
+
+		origURL := updateURL
+		setUpdateURL(server.URL)
+		defer setUpdateURL(origURL)
+
+		// We don't care whether Check parses the truncated body — only
+		// that it returns *without* exhausting memory. The 1 MiB cap
+		// guarantees allocation stays bounded.
+		_, _ = Check("0.1.0")
+	})
 }
 
 func TestSummary(t *testing.T) {