feat(intel): wire GreyNoise, AbuseIPDB, Feodo Tracker + ThreatFox

Four concrete IntelProvider impls — three per-IP queries plus one bulk
feed:

* GreyNoiseProvider — community endpoint, optional API key for higher
  rate limit. 404 = unknown (cache the absence so we don't re-query).
* AbuseIPDBProvider — score threshold mapping (>=75 malicious, >=25
  suspicious, else benign). Self-disables with a clear error when no
  API key is configured rather than burning quota.
* FeodoProvider — fetches the bulk botnet C2 IP feed once per refresh
  window and answers every lookup from an in-memory set. Listed = C2.
* ThreatFoxProvider — POST /api/v1/ search_ioc query, optional Auth-Key
  header. Match in data[] = malicious; no_result = absence-not-benign.

Every provider routes through decnet.net.http.stealth_client so the
egress UA never leaks 'DECNET'.

tests/intel/test_abuseipdb.py

@@ -0,0 +1,109 @@
+"""Unit tests for the AbuseIPDB provider."""
+from __future__ import annotations
+
+import json
+
+import httpx
+import pytest
+
+from decnet.intel.abuseipdb import AbuseIPDBProvider, _score_to_verdict
+
+
+def _install_transport(handler) -> list[httpx.Request]:
+    captured: list[httpx.Request] = []
+
+    async def _wrapped(request: httpx.Request) -> httpx.Response:
+        captured.append(request)
+        return await handler(request)
+
+    transport = httpx.MockTransport(_wrapped)
+    from decnet.intel import abuseipdb as mod
+
+    def _factory():
+        return httpx.AsyncClient(
+            transport=transport,
+            headers={"User-Agent": "curl/7.88.1"},
+        )
+
+    mod.stealth_client = _factory  # type: ignore[assignment]
+    return captured
+
+
+def test_score_thresholds():
+    assert _score_to_verdict(0) == "benign"
+    assert _score_to_verdict(24) == "benign"
+    assert _score_to_verdict(25) == "suspicious"
+    assert _score_to_verdict(74) == "suspicious"
+    assert _score_to_verdict(75) == "malicious"
+    assert _score_to_verdict(100) == "malicious"
+
+
+@pytest.mark.anyio
+async def test_missing_api_key_returns_error_no_egress(monkeypatch):
+    monkeypatch.delenv("DECNET_ABUSEIPDB_API_KEY", raising=False)
+    captured = _install_transport(
+        lambda r: (_ for _ in ()).throw(AssertionError("must not egress"))
+    )
+    provider = AbuseIPDBProvider()
+    result = await provider.lookup("1.2.3.4")
+    assert result.error == "DECNET_ABUSEIPDB_API_KEY not configured"
+    assert result.column_updates == {}
+    assert captured == []  # no request made
+
+
+@pytest.mark.anyio
+async def test_high_score_maps_to_malicious(monkeypatch):
+    monkeypatch.setenv("DECNET_ABUSEIPDB_API_KEY", "k3y")
+
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(
+            200,
+            json={"data": {
+                "ipAddress": "1.2.3.4",
+                "abuseConfidenceScore": 92,
+                "totalReports": 41,
+                "countryCode": "RU",
+            }},
+        )
+
+    captured = _install_transport(handler)
+    provider = AbuseIPDBProvider()
+    result = await provider.lookup("1.2.3.4")
+    assert result.verdict == "malicious"
+    assert result.column_updates["abuseipdb_score"] == 92
+    raw = json.loads(result.column_updates["abuseipdb_raw"])
+    assert raw["countryCode"] == "RU"
+    # Key header sent, query params correct.
+    req = captured[0]
+    assert req.headers["key"] == "k3y"
+    assert "ipAddress=1.2.3.4" in str(req.url)
+
+
+@pytest.mark.anyio
+async def test_low_score_maps_to_benign(monkeypatch):
+    monkeypatch.setenv("DECNET_ABUSEIPDB_API_KEY", "k3y")
+
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(
+            200, json={"data": {"abuseConfidenceScore": 0}},
+        )
+
+    _install_transport(handler)
+    provider = AbuseIPDBProvider()
+    result = await provider.lookup("8.8.8.8")
+    assert result.verdict == "benign"
+    assert result.column_updates["abuseipdb_score"] == 0
+
+
+@pytest.mark.anyio
+async def test_429_returns_error(monkeypatch):
+    monkeypatch.setenv("DECNET_ABUSEIPDB_API_KEY", "k3y")
+
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(429)
+
+    _install_transport(handler)
+    provider = AbuseIPDBProvider()
+    result = await provider.lookup("1.1.1.1")
+    assert result.error == "HTTP 429"
+    assert result.column_updates == {}

tests/intel/test_feodo.py

@@ -0,0 +1,99 @@
+"""Unit tests for the abuse.ch Feodo Tracker provider.
+
+Bulk-feed semantics: one HTTP fetch loads the in-memory set, all
+subsequent ``lookup`` calls hit memory. We assert:
+
+* a fresh provider triggers exactly one refresh, then answers from cache
+* a listed IP returns verdict='malicious' with the upstream record
+* an unlisted IP returns verdict=None (absence ≠ benign)
+* a feed fetch failure is reported as an error, not silently swallowed
+"""
+from __future__ import annotations
+
+import json
+
+import httpx
+import pytest
+
+from decnet.intel.feodo import FeodoProvider
+
+
+def _install_transport(handler) -> list[httpx.Request]:
+    captured: list[httpx.Request] = []
+
+    async def _wrapped(request: httpx.Request) -> httpx.Response:
+        captured.append(request)
+        return await handler(request)
+
+    transport = httpx.MockTransport(_wrapped)
+    from decnet.intel import feodo as mod
+
+    def _factory(*, timeout: float = 20.0):
+        return httpx.AsyncClient(
+            transport=transport,
+            headers={"User-Agent": "curl/7.88.1"},
+            timeout=timeout,
+        )
+
+    mod.stealth_client = _factory  # type: ignore[assignment]
+    return captured
+
+
+_FEED = [
+    {"ip_address": "9.9.9.9", "port": 443, "malware": "TrickBot"},
+    {"ip_address": "10.10.10.10", "port": 80, "malware": "Emotet"},
+]
+
+
+@pytest.mark.anyio
+async def test_listed_ip_yields_malicious_verdict():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(200, json=_FEED)
+
+    captured = _install_transport(handler)
+    provider = FeodoProvider(refresh_interval_s=999.0)
+
+    result = await provider.lookup("9.9.9.9")
+    assert result.verdict == "malicious"
+    assert result.column_updates["feodo_listed"] is True
+    raw = json.loads(result.column_updates["feodo_raw"])
+    assert raw["malware"] == "TrickBot"
+    assert len(captured) == 1
+
+
+@pytest.mark.anyio
+async def test_subsequent_lookups_dont_refetch():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(200, json=_FEED)
+
+    captured = _install_transport(handler)
+    provider = FeodoProvider(refresh_interval_s=999.0)
+
+    await provider.lookup("9.9.9.9")
+    await provider.lookup("10.10.10.10")
+    await provider.lookup("not-listed.example")
+    assert len(captured) == 1  # one refresh, three answers
+
+
+@pytest.mark.anyio
+async def test_unlisted_ip_returns_no_verdict():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(200, json=_FEED)
+
+    _install_transport(handler)
+    provider = FeodoProvider(refresh_interval_s=999.0)
+    result = await provider.lookup("1.2.3.4")
+    assert result.verdict is None
+    assert result.column_updates["feodo_listed"] is False
+
+
+@pytest.mark.anyio
+async def test_feed_failure_reports_error():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(503)
+
+    _install_transport(handler)
+    provider = FeodoProvider(refresh_interval_s=999.0)
+    result = await provider.lookup("1.2.3.4")
+    assert result.error == "HTTP 503"
+    assert result.column_updates == {}

tests/intel/test_greynoise.py

@@ -0,0 +1,136 @@
+"""Unit tests for the GreyNoise Community provider.
+
+Mocks httpx via ``MockTransport`` and asserts:
+
+* request URL + headers (API key when present, none when absent)
+* malicious / benign / suspicious classification → verdict mapping
+* 404 → verdict='unknown' with no error (cache the absence)
+* non-200/404 → error populated, no column writes
+* network exception → error populated
+* the row never advertises DECNET in the egress UA
+"""
+from __future__ import annotations
+
+import json
+
+import httpx
+import pytest
+
+from decnet.intel.greynoise import GreyNoiseProvider
+
+
+def _install_transport(provider: GreyNoiseProvider, handler) -> list[httpx.Request]:
+    """Patch ``stealth_client`` so it returns a client wired to ``handler``."""
+    captured: list[httpx.Request] = []
+
+    async def _wrapped(request: httpx.Request) -> httpx.Response:
+        captured.append(request)
+        return await handler(request)
+
+    transport = httpx.MockTransport(_wrapped)
+
+    from decnet.intel import greynoise as gn_mod
+
+    def _factory():
+        return httpx.AsyncClient(
+            transport=transport,
+            headers={"User-Agent": "curl/7.88.1"},
+        )
+
+    gn_mod.stealth_client = _factory  # type: ignore[assignment]
+    return captured
+
+
+@pytest.mark.anyio
+async def test_malicious_classification_maps_to_verdict():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(
+            200,
+            json={
+                "ip": "1.2.3.4",
+                "noise": True,
+                "classification": "malicious",
+                "name": "Mirai-like",
+            },
+        )
+
+    provider = GreyNoiseProvider()
+    captured = _install_transport(provider, handler)
+
+    result = await provider.lookup("1.2.3.4")
+    assert result.error is None
+    assert result.verdict == "malicious"
+    assert result.column_updates["greynoise_classification"] == "malicious"
+    raw = json.loads(result.column_updates["greynoise_raw"])
+    assert raw["name"] == "Mirai-like"
+    assert "1.2.3.4" in str(captured[0].url)
+    # No DECNET label leaks in the UA.
+    assert "decnet" not in captured[0].headers["user-agent"].lower()
+
+
+@pytest.mark.anyio
+async def test_api_key_is_sent_when_configured(monkeypatch):
+    monkeypatch.setenv("DECNET_GREYNOISE_API_KEY", "k3y-abc")
+
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(200, json={"classification": "benign"})
+
+    provider = GreyNoiseProvider()
+    captured = _install_transport(provider, handler)
+
+    await provider.lookup("8.8.8.8")
+    assert captured[0].headers.get("key") == "k3y-abc"
+
+
+@pytest.mark.anyio
+async def test_no_api_key_means_no_header(monkeypatch):
+    monkeypatch.delenv("DECNET_GREYNOISE_API_KEY", raising=False)
+
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(200, json={"classification": "benign"})
+
+    provider = GreyNoiseProvider()
+    captured = _install_transport(provider, handler)
+
+    await provider.lookup("8.8.8.8")
+    assert "key" not in captured[0].headers
+
+
+@pytest.mark.anyio
+async def test_404_caches_unknown_without_error():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(404, json={"message": "IP not observed"})
+
+    provider = GreyNoiseProvider()
+    _install_transport(provider, handler)
+
+    result = await provider.lookup("10.0.0.5")
+    assert result.error is None
+    assert result.verdict == "unknown"
+    assert result.column_updates["greynoise_classification"] == "unknown"
+
+
+@pytest.mark.anyio
+async def test_429_returns_error_no_writes():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(429)
+
+    provider = GreyNoiseProvider()
+    _install_transport(provider, handler)
+
+    result = await provider.lookup("1.1.1.1")
+    assert result.error == "HTTP 429"
+    assert result.column_updates == {}
+
+
+@pytest.mark.anyio
+async def test_network_failure_becomes_error():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        raise httpx.ConnectError("upstream unreachable")
+
+    provider = GreyNoiseProvider()
+    _install_transport(provider, handler)
+
+    result = await provider.lookup("1.1.1.1")
+    assert result.error and result.error.startswith("network:")
+    assert result.column_updates == {}

tests/intel/test_threatfox.py

@@ -0,0 +1,111 @@
+"""Unit tests for the abuse.ch ThreatFox provider."""
+from __future__ import annotations
+
+import json
+
+import httpx
+import pytest
+
+from decnet.intel.threatfox import ThreatFoxProvider
+
+
+def _install_transport(handler) -> list[httpx.Request]:
+    captured: list[httpx.Request] = []
+
+    async def _wrapped(request: httpx.Request) -> httpx.Response:
+        captured.append(request)
+        return await handler(request)
+
+    transport = httpx.MockTransport(_wrapped)
+    from decnet.intel import threatfox as mod
+
+    def _factory():
+        return httpx.AsyncClient(
+            transport=transport,
+            headers={"User-Agent": "curl/7.88.1"},
+        )
+
+    mod.stealth_client = _factory  # type: ignore[assignment]
+    return captured
+
+
+@pytest.mark.anyio
+async def test_match_returns_malicious(monkeypatch):
+    monkeypatch.delenv("DECNET_THREATFOX_API_KEY", raising=False)
+
+    async def handler(request: httpx.Request) -> httpx.Response:
+        body = json.loads(request.content.decode())
+        assert body == {"query": "search_ioc", "search_term": "1.2.3.4"}
+        return httpx.Response(
+            200,
+            json={
+                "query_status": "ok",
+                "data": [
+                    {
+                        "ioc": "1.2.3.4",
+                        "ioc_type": "ip:port",
+                        "malware": "Cobalt Strike",
+                        "confidence_level": 80,
+                    }
+                ],
+            },
+        )
+
+    captured = _install_transport(handler)
+    provider = ThreatFoxProvider()
+    result = await provider.lookup("1.2.3.4")
+    assert result.verdict == "malicious"
+    assert result.column_updates["threatfox_listed"] is True
+    raw = json.loads(result.column_updates["threatfox_raw"])
+    assert raw[0]["malware"] == "Cobalt Strike"
+    # No Auth-Key when none configured.
+    assert "auth-key" not in {h.lower() for h in captured[0].headers}
+
+
+@pytest.mark.anyio
+async def test_auth_key_sent_when_configured(monkeypatch):
+    monkeypatch.setenv("DECNET_THREATFOX_API_KEY", "tfx-key")
+
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(200, json={"query_status": "no_result"})
+
+    captured = _install_transport(handler)
+    provider = ThreatFoxProvider()
+    await provider.lookup("8.8.8.8")
+    assert captured[0].headers["auth-key"] == "tfx-key"
+
+
+@pytest.mark.anyio
+async def test_no_result_caches_unlisted():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(200, json={"query_status": "no_result"})
+
+    _install_transport(handler)
+    provider = ThreatFoxProvider()
+    result = await provider.lookup("8.8.8.8")
+    assert result.verdict is None
+    assert result.column_updates["threatfox_listed"] is False
+    assert result.error is None
+
+
+@pytest.mark.anyio
+async def test_unexpected_status_is_error():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(200, json={"query_status": "illegal_search"})
+
+    _install_transport(handler)
+    provider = ThreatFoxProvider()
+    result = await provider.lookup("oops")
+    assert result.error and "illegal_search" in result.error
+    assert result.column_updates == {}
+
+
+@pytest.mark.anyio
+async def test_http_error_surfaces():
+    async def handler(request: httpx.Request) -> httpx.Response:
+        return httpx.Response(502)
+
+    _install_transport(handler)
+    provider = ThreatFoxProvider()
+    result = await provider.lookup("1.1.1.1")
+    assert result.error == "HTTP 502"