refactor(intel): migrate AttackerIntel JSON-string columns to native SQLAlchemy JSON

Five list columns (greynoise_tags, abuseipdb_categories, threatfox_threat_types, threatfox_ioc_types, threatfox_malware_families) and four dict columns (*_raw) are now Column(JSON) with list/dict type annotations and default_factory=list/dict. Providers return native Python objects; the application-layer json.dumps/json.loads round-trip and _decode_json_list helpers are gone. to_intel_event_payload() reads columns directly. Also caps pytest xdist at -n 4 and excludes tests/api from norecursedirs to prevent schemathesis workers from OOM-killing the dev loop.
2026-05-10 09:17:15 -04:00
parent de3634d739
commit 9a7b03700c
16 changed files with 90 additions and 193 deletions
--- a/decnet/intel/threatfox.py
+++ b/decnet/intel/threatfox.py
@@ -12,7 +12,6 @@ caps requests/min — the provider works either way.
 """
 from __future__ import annotations

-import json
 import os
 from datetime import datetime, timezone
 from typing import Optional
@@ -71,10 +70,10 @@ class ThreatFoxProvider(IntelProvider):
                verdict=None,  # absence is not a benign signal
                column_updates={
                    "threatfox_listed": False,
-                    "threatfox_threat_types": "[]",
-                    "threatfox_ioc_types": "[]",
-                    "threatfox_malware_families": "[]",
-                    "threatfox_raw": "{}",
+                    "threatfox_threat_types": [],
+                    "threatfox_ioc_types": [],
+                    "threatfox_malware_families": [],
+                    "threatfox_raw": {},
                    "threatfox_queried_at": datetime.now(timezone.utc),
                },
            )
@@ -113,10 +112,10 @@ class ThreatFoxProvider(IntelProvider):
            verdict="malicious" if listed else None,
            column_updates={
                "threatfox_listed": listed,
-                "threatfox_threat_types": json.dumps(sorted(threat_types)),
-                "threatfox_ioc_types": json.dumps(sorted(ioc_types)),
-                "threatfox_malware_families": json.dumps(sorted(families)),
-                "threatfox_raw": json.dumps(data),
+                "threatfox_threat_types": sorted(threat_types),
+                "threatfox_ioc_types": sorted(ioc_types),
+                "threatfox_malware_families": sorted(families),
+                "threatfox_raw": data,
                "threatfox_queried_at": datetime.now(timezone.utc),
            },
        )