fix: add timeouts to prevent denial of service

Add 30-second timeout to nix flake metadata command to prevent hanging
on slow or unresponsive remotes. Add HTTP server timeouts (read, write,
idle) to protect against slowloris-style attacks.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

collector/flake.go

@@ -1,6 +1,7 @@
 package collector
 
 import (
+	"context"
 	"encoding/json"
 	"log/slog"
 	"os"
@@ -182,7 +183,10 @@ func (c *FlakeCollector) collectRevisionBehind(ch chan<- prometheus.Metric, data
 }
 
 func fetchFlakeMetadata(flakeURL string) (*flakeMetadata, error) {
-	cmd := exec.Command("nix", "flake", "metadata", "--json", flakeURL)
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "nix", "flake", "metadata", "--json", flakeURL)
 	output, err := cmd.Output()
 	if err != nil {
 		return nil, err

main.go

@@ -49,6 +49,9 @@ func main() {
 	server := &http.Server{
 		Addr:         cfg.ListenAddr,
 		Handler:      mux,
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
+		IdleTimeout:  60 * time.Second,
 	}
 
 	// Handle shutdown gracefully