fix(data): handle SSL certificate verification failures in dataset download #3510

Open
Lidang-Jiang wants to merge 1 commit into open-edge-platform:main from Lidang-Jiang:fix/ssl-verification

@Lidang-Jiang
Contributor

Summary

Fixes #3477. Also addresses #3492 (same root cause on Windows).

When downloading datasets behind a corporate proxy that performs TLS interception, urlretrieve throws a bare SSLCertVerificationError with no guidance. This PR adds:

  1. Actionable error message — catches SSLCertVerificationError and re-raises as RuntimeError with three resolution options (CA trust store, SSL_CERT_FILE, ANOMALIB_NO_VERIFY_SSL).
  2. _ssl_context() context manager — when ANOMALIB_NO_VERIFY_SSL=1 is set, temporarily disables SSL verification for the download block only, restoring the original context on exit.

Changed files

| File | Change |
| --- | --- |
| src/anomalib/data/utils/download.py | Add _ssl_context(), catch SSLCertVerificationError with guidance, minor cleanup (startswith tuple) |
| tests/unit/data/utils/test_download.py | New — 7 unit tests for SSL context behavior and error handling |

Before (upstream main) — raw SSL traceback with no guidance

```
Traceback (most recent call last):
...
File ".../urllib/request.py", line 1344, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate
(_ssl.c:1000)>
```

User has no idea how to fix this.

After (this PR) — actionable RuntimeError

```
RuntimeError: SSL certificate verification failed while downloading MVTecAD:
('[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed',)
If you are behind a corporate proxy, you can either:

  1. Add the proxy CA certificate to your system trust store, or
  2. Set the SSL_CERT_FILE environment variable to point to your CA bundle, or
  3. Set ANOMALIB_NO_VERIFY_SSL=1 to skip verification (not recommended).
```

After (this PR) — ANOMALIB_NO_VERIFY_SSL=1 bypass works

```python
>>> import os; os.environ['ANOMALIB_NO_VERIFY_SSL'] = '1'
>>> from anomalib.data.utils.download import _ssl_context
>>> import ssl
>>> original = ssl._create_default_https_context
>>> with _ssl_context():
...     print(f'Disabled: {ssl._create_default_https_context is ssl._create_unverified_context}')
...
WARNING: SSL certificate verification is disabled via ANOMALIB_NO_VERIFY_SSL.
Disabled: True
>>> print(f'Restored: {ssl._create_default_https_context is original}')
Restored: True
```

Unit tests

```
tests/unit/data/utils/test_download.py::TestSSLContext::test_default_does_not_change_ssl PASSED
tests/unit/data/utils/test_download.py::TestSSLContext::test_no_verify_disables_ssl PASSED
tests/unit/data/utils/test_download.py::TestSSLContext::test_no_verify_true_string PASSED
tests/unit/data/utils/test_download.py::TestSSLContext::test_no_verify_false_keeps_ssl PASSED
tests/unit/data/utils/test_download.py::TestSSLContext::test_context_restores_on_exception PASSED
tests/unit/data/utils/test_download.py::TestDownloadSSLError::test_ssl_error_gives_actionable_message PASSED
tests/unit/data/utils/test_download.py::TestDownloadSSLError::test_invalid_scheme_raises PASSED
======================== 7 passed in 0.03s =========================
```

Test plan

  • 7 unit tests cover default behavior, env var activation (1/true/false), context restoration on exception, actionable error message, and invalid URL scheme
  • ruff check / ruff format / mypy / bandit all pass
  • All pre-commit hooks pass

…wnload

Users behind corporate proxies that perform TLS interception see
SSLCertVerificationError when anomalib tries to download datasets.
The raw urllib traceback gives no guidance on how to resolve it.

Changes:
- Catch SSLCertVerificationError and re-raise with an actionable message
  listing three resolution options (CA trust store, SSL_CERT_FILE,
  ANOMALIB_NO_VERIFY_SSL).
- Add _ssl_context() context manager that temporarily disables SSL
  verification when ANOMALIB_NO_VERIFY_SSL=1, restoring it on exit.
- Add unit tests for both the context manager and the error path.

Closes open-edge-platform#3477

Signed-off-by: Lidang-Jiang <lidangjiang@gmail.com>
@ashwinvaidya17
Contributor

@AlexanderBarabanov what do you think is the security implication of this? Personally I feel people should install the right certificates in their system for SSL to work. My concern is that we might be introducing an unsafe download option that might compromise any downstream library.

@AlexanderBarabanov
Contributor

@ashwinvaidya17 Yes, I agree.
If code cannot use certificates from common places (e.g., OS cert store, SSL_CERT_FILE or REQUESTS_CA_BUNDLE env variables), it should guide users on how to properly install certs and use them.

Also, I propose to double-check submitted issues, as in #3477 (Ubuntu + Python package), based on provided logs, it was possible to download pretrained weights from Hugging Face Hub:

```
INFO     Initializing Patchcore model.                                                                              anomalib_module.py:131
2026-03-27 00:35:22,557 - timm.models._builder - INFO - Loading pretrained weights from Hugging Face hub (timm/wide_resnet50_2.racm_in1k)
[03/27/26 00:35:22] INFO     Loading pretrained weights from Hugging Face hub (timm/wide_resnet50_2.racm_in1k)                                 _builder.py:217
2026-03-27 00:35:22,916 - httpx - INFO - HTTP Request: HEAD https://huggingface.co/timm/wide_resnet50_2.racm_in1k/resolve/main/model.safetensors "HTTP/1.1 302 Found"
                    INFO     HTTP Request: HEAD https://huggingface.co/timm/wide_resnet50_2.racm_in1k/resolve/main/model.safetensors "HTTP/1.1 _client.py:1025
                             302 Found"
```

and there was an issue with mvtecad dataset.

In #3492 (Windows + Windows App) - download from HF was unsuccessful.
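
Added example, not part of the pull request or of anomalib's code: it contrasts the process-wide swap of `ssl._create_default_https_context` shown in the PR description with a verifying `SSLContext` handed only to the download call. The names `patched_global_no_verify`, `blast_radius`, `verified_context` and `download`, the HTTPS-only check, and honoring `REQUESTS_CA_BUNDLE` in urllib code are assumptions of this example.

```python
import contextlib
import os
import shutil
import ssl
import urllib.request


@contextlib.contextmanager
def patched_global_no_verify():
    """Pattern from the PR description: swap the process-wide HTTPS context factory."""
    original = ssl._create_default_https_context
    ssl._create_default_https_context = ssl._create_unverified_context
    try:
        yield
    finally:
        ssl._create_default_https_context = original


def blast_radius():
    """verify_mode seen by any other urllib caller in the process, during and after."""
    with patched_global_no_verify():
        during = ssl._create_default_https_context().verify_mode
    after = ssl._create_default_https_context().verify_mode
    return during, after


def verified_context(extra_ca_vars=("REQUESTS_CA_BUNDLE",)):
    """Verifying context: OS store and SSL_CERT_FILE (read by OpenSSL) plus extra bundles."""
    ctx = ssl.create_default_context()
    for var in extra_ca_vars:  # assumption of this example: also honor these variables
        path = os.environ.get(var)
        if path:
            ctx.load_verify_locations(cafile=path)  # raises on a missing or invalid file
    return ctx


def download(url, dest, ctx):
    """urlretrieve() has no context parameter; urlopen() does, so nothing global changes."""
    if not url.startswith("https://"):  # this example's choice: HTTPS only
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    with urllib.request.urlopen(url, context=ctx) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)


if __name__ == "__main__":
    print(blast_radius())
    print(verified_context().verify_mode)
```

While the global factory is swapped, every HTTPS request made through urllib anywhere in the process (other threads, other libraries) is unverified, not only the dataset download.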

Development

Successfully merging this pull request may close these issues.

[Bug]: SSL certificate verification failure during 'anomalib train' on Ubuntu