kb: expand authorized lab coverage and intel automation

scripts/intel/pr.py

@@ -0,0 +1,98 @@
+from __future__ import annotations
+
+import os
+import re
+from datetime import datetime
+from typing import Optional
+
+import requests
+
+from intel.config import GENERATED_DIR, ROOT
+from intel.utils import read_json, run
+
+
+PR_PATHS = [
+    "README.md",
+    "05-defense/secure-code",
+    "07-framework-security",
+    "08-threat-intel",
+    "requirements-intel.txt",
+    "scripts/intel",
+]
+
+
+def create_branch_name() -> str:
+    return "codex/intel-" + datetime.now().strftime("%Y%m%d-%H%M")
+
+
+def _parse_origin() -> Optional[dict]:
+    result = run(["git", "-C", str(ROOT), "remote", "get-url", "origin"], check=False)
+    if result.returncode != 0:
+        return None
+    url = result.stdout.strip()
+    match = re.match(r"https://([^/]+)/([^/]+)/([^/.]+)(?:\.git)?", url)
+    if not match:
+        return None
+    return {"host": match.group(1), "owner": match.group(2), "repo": match.group(3), "url": url}
+
+
+def _changed_paths() -> list[str]:
+    status = run(["git", "-C", str(ROOT), "status", "--short", "--", *PR_PATHS], check=False)
+    lines = [line.rstrip() for line in status.stdout.splitlines() if line.strip()]
+    return lines
+
+
+def open_pr(base_branch: str = "main", dry_run: bool = False) -> str:
+    origin = _parse_origin()
+    if not origin:
+        raise RuntimeError("Unable to parse origin remote URL")
+
+    changed = _changed_paths()
+    if not changed:
+        return "No intel-related changes to submit"
+
+    branch = create_branch_name()
+    if dry_run:
+        preview = "\n".join(f"- {line}" for line in changed[:40])
+        return f"Dry run only; would create branch {branch} with these paths:\n{preview}"
+
+    run(["git", "-C", str(ROOT), "checkout", "-b", branch])
+    run(["git", "-C", str(ROOT), "add", "--", *PR_PATHS])
+    run(["git", "-C", str(ROOT), "commit", "-m", f"intel: automated advisory ingest {branch}"])
+    run(["git", "-C", str(ROOT), "push", "-u", "origin", branch])
+
+    token = os.environ.get("GITEA_TOKEN")
+    if not token:
+        return f"Pushed branch {branch}, but GITEA_TOKEN is not set; PR not created"
+
+    summary = read_json(GENERATED_DIR / "run-summary.json", default={}) or {}
+    body_lines = [
+        "Automated advisory ingest update.",
+        "",
+        f"- New advisories: {summary.get('new_count', 0)}",
+        f"- Updated advisories: {summary.get('updated_count', 0)}",
+        f"- Triage count: {summary.get('triage_count', 0)}",
+        f"- Failure count: {len(summary.get('failures', []))}",
+    ]
+    if summary.get("systems_touched"):
+        body_lines.append(f"- Systems touched: {', '.join(summary['systems_touched'])}")
+    if summary.get("failures"):
+        body_lines.extend(["", "Failed source adapters:"])
+        for failure in summary["failures"]:
+            body_lines.append(f"- {failure}")
+
+    payload = {
+        "title": f"Intel ingest {branch}",
+        "head": branch,
+        "base": base_branch,
+        "body": "\n".join(body_lines),
+    }
+    response = requests.post(
+        f"https://{origin['host']}/api/v1/repos/{origin['owner']}/{origin['repo']}/pulls",
+        headers={"Authorization": f"token {token}", "Content-Type": "application/json"},
+        json=payload,
+        timeout=30,
+    )
+    response.raise_for_status()
+    pr_url = response.json().get("html_url") or response.json().get("url")
+    return f"Created PR: {pr_url}"