huggingface: add bucket scanning

[julien-c]

HF recently shipped storage buckets (Xet-backed object storage)

• new --bucket <namespace/name> flag, plus --include-buckets / --ignore-buckets / --skip-all-buckets; --org / --user scans pick up buckets automatically
• buckets aren't git repos, so this is a separate scan path modeled on the S3 source: list via the tree API, download, chunk through handlers.HandleFile

Tested against a real public bucket (results identical to trufflehog filesystem on the same file), and a planted canary AWS key comes back as a verified finding with correct bucket metadata.

cc @dxa4481

---

Note

Medium Risk
New external HF API and file download path with token auth; follows existing S3-style patterns but increases network surface and scan scope for org/user runs.

Overview
Adds Hugging Face storage bucket support to the huggingface source so TruffleHog can scan object storage alongside models, datasets, and spaces.

CLI and config: New --bucket, --include-buckets, --ignore-buckets, and --skip-all-buckets flags (plus proto/engine wiring). Org/user scans enumerate buckets automatically unless skipped. Validation now accepts bucket as a scan target.

Scan behavior: Buckets are not git repos. The source lists files via the HF tree API (with Link pagination), downloads each file through a dedicated client (no whole-request timeout on body reads), skips files over 250MB, and chunks content via handlers.HandleFile with HuggingFace bucket metadata—similar to the S3 source path.

API client: GetBucket, ListBucketsByAuthor, ListBucketFiles, and DownloadBucketFile with path-segment escaping for resolve URLs.

Docs (README, man page) and minor comment fixes on ScanHuggingface are updated.

^{Reviewed by Cursor Bugbot for commit 5a76b32. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

All committers have signed the CLA.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{Reviewed by Cursor Bugbot for commit e4f90eb. Configure here.}

[unsmith]

Looks solid to me, left a couple of small non-blocking comments.

[unsmith]

Just noting that this new function doesn't have any unit tests.

[unsmith]

This isn't something specific to this PR, but the pattern here of moving to the next key on error means that prior errors silently skip downstream checks that might be ok. If it's valid to (for example) check buckets if spaces happens to fail, then this could be broken up into separate checks that don't cancel each other.

[unsmith]

Same thing here re: continue

[amanfcp]

Approving to unblock. Clean extension that mirrors the existing huggingface patterns well: the download-timeout handling is correct and tested, path escaping is tested, error aggregation is thread-safe, and docs/man are updated.

A few non-blocking follow-ups:

1. Guard the BucketID slash-split (bucket.go:154-155). strings.Split(bucket.BucketID, "/")[1] panics if the API returns an id without a /, and it runs synchronously in enumerate(), so it crashes the whole scan. Use SplitN + a length check. Mirrors pre-existing cacheRepoInfo, but worth fixing for the new code.

2. Unit-test parseNextLink. Hand-rolled RFC 5988 parser; the naive Split(header, ",") mis-parses a next URL whose cursor contains a comma. A small table test is cheap insurance.