fix: --timeout NaN causes immediate request abort #77

Open
dmchaledev wants to merge 1 commit into main from claude/nice-mendel-ttjp98

@dmchaledev

Contributor

Bug

When --timeout is passed a non-numeric value (e.g. security-headers https://example.com --timeout abc), parseInt('abc', 10) returns NaN. Because NaN is not nullish, the ?? fallback in fetch.ts doesn't kick in:

const timeoutMs = options?.timeoutMs ?? 10000;  // NaN ?? 10000 → NaN
setTimeout(() => controller.abort(), NaN);       // NaN coerces to 0 → fires immediately

setTimeout coerces NaN to 0, so the AbortController fires before the request even leaves the event loop. Every fetch silently times out immediately — the CLI exits with Error: … on every URL, with no hint that the timeout value is the problem.

Fix

src/cli.ts — validate the parsed timeout value and exit with a clear error message before attempting any fetch:

if (timeoutRaw !== undefined && (isNaN(timeoutRaw) || timeoutRaw <= 0)) {
  console.error('Error: --timeout must be a positive integer (milliseconds), e.g. --timeout 5000');
  process.exit(1);
}

src/fetch.ts — harden the public API so that even direct callers passing NaN/Infinity/0 through FetchOptions get the 10 s default rather than a broken timer:

const timeoutMs = (options?.timeoutMs != null && Number.isFinite(options.timeoutMs) && options.timeoutMs > 0)
  ? options.timeoutMs
  : 10000;

Test plan

  • security-headers https://example.com --timeout abc → prints Error: --timeout must be a positive integer… and exits 1
  • security-headers https://example.com --timeout -1 → same error
  • security-headers https://example.com --timeout 5000 → works as before
  • security-headers https://example.com (no timeout flag) → works as before, uses 10 s default

🤖 Generated with Claude Code

https://claude.ai/code/session_011hppUsheemA66AhrzS5kDT


…st abort

When `--timeout abc` is passed, parseInt returns NaN. Since NaN is not
nullish, `NaN ?? 10000` stays NaN, and setTimeout(abort, NaN) fires
immediately in JS (NaN coerces to 0), aborting every request.

cli.ts: validate the parsed value and exit(1) with a clear message.
fetch.ts: treat any non-finite or non-positive timeoutMs as the default
10000 ms so the public API is safe even when called directly with bad input.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011hppUsheemA66AhrzS5kDT
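
An added example (not code from this pull request or the project), in TypeScript: it contrasts the `??` fallback described above with the hardened check, and goes one step beyond the PR by parsing the flag strictly, since `parseInt` also accepts inputs such as `5000abc` and `1e3`. The function names, `TimeoutOptions` and `DEFAULT_TIMEOUT_MS` are hypothetical, and the input list is constructed.

```typescript
// Added illustration; all names here are hypothetical, not the project's API.
const DEFAULT_TIMEOUT_MS = 10000;

interface TimeoutOptions {
  timeoutMs?: number;
}

// Behaviour before the fix: ?? replaces only null/undefined, so NaN survives.
function resolveTimeoutNullish(options?: TimeoutOptions): number {
  return options?.timeoutMs ?? DEFAULT_TIMEOUT_MS;
}

// Behaviour after the fix: non-finite or non-positive values get the default.
function resolveTimeoutHardened(options?: TimeoutOptions): number {
  const t = options?.timeoutMs;
  return t != null && Number.isFinite(t) && t > 0 ? t : DEFAULT_TIMEOUT_MS;
}

type FlagResult =
  | { ok: true; value: number | undefined }
  | { ok: false; error: string };

// Strict flag parsing (an assumption beyond the PR): plain decimal digits only,
// so "5000abc" and "1e3" are rejected instead of being truncated by parseInt.
function parseTimeoutFlag(raw: string | undefined): FlagResult {
  if (raw === undefined) return { ok: true, value: undefined };
  const error = '--timeout must be a positive integer (milliseconds)';
  if (!/^[0-9]+$/.test(raw)) return { ok: false, error };
  const value = Number(raw);
  if (!Number.isSafeInteger(value) || value <= 0) return { ok: false, error };
  return { ok: true, value };
}

// Constructed sample inputs, compared across the three approaches.
const constructedInputs: string[] = ['abc', '-1', '0', '5000', '5000abc', '1e3'];
for (const raw of constructedInputs) {
  const parsed = parseInt(raw, 10);
  console.log(raw, {
    parseInt: parsed,
    nullish: resolveTimeoutNullish({ timeoutMs: parsed }),
    hardened: resolveTimeoutHardened({ timeoutMs: parsed }),
    strictOk: parseTimeoutFlag(raw).ok,
  });
}
```

The hardened resolver silently substitutes the default, so a caller who needs to know that the value was rejected should validate at the boundary, as the CLI check does.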