feat: Phase 6 - Automated intel scanning (T-021, T-022)

- Add intel_service.py: RSS feed scanner for threat intelligence
  Searches CISA, NIST NVD, SANS ISC, BleepingComputer, The Hacker News,
  Krebs on Security for mentions of MITRE technique IDs and names
- New intel items stored in intel_items table with URL deduplication
- Techniques with new intel flagged with review_required=True
- Add POST /system/run-intel-scan endpoint (admin only)
- Register weekly intel scan job in APScheduler (every 7 days)
- Audit log records each scan execution with summary stats
- Update README with new endpoint and project structure
2026-02-06 15:48:57 +01:00
parent abdb23be33
commit 52d230628d
4 changed files with 329 additions and 13 deletions


@@ -125,6 +125,7 @@ Once the backend is running, access the interactive API documentation at:
| Method | Route | Auth | Description |
|--------|-------|------|-------------|
| POST | `/api/v1/system/sync-mitre` | Admin | Manually trigger MITRE ATT&CK sync |
| POST | `/api/v1/system/run-intel-scan` | Admin | Manually trigger threat-intel RSS scan |
| GET | `/api/v1/system/scheduler-status` | Admin | Background scheduler health & job list |
### Metrics
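Review bot: the new table row documents only the manual trigger, while the commit message says the same scan is also registered as a weekly APScheduler job and dedupes new items by URL; the Description column (or the text around the table) should say so, so an admin knows a manual run is safe to repeat and does not replace the scheduled one, e.g. `Manually trigger threat-intel RSS scan (also runs weekly; new items deduplicated by URL)`. Since each run is written to the audit log per the commit message, a pointer to where that record can be found would also help whoever reviews admin-triggered scans.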
@@ -177,11 +178,12 @@ Aegis/
│ ├── dependencies/ # FastAPI dependencies (DI)
│ │ └── auth.py # get_current_user, require_role, require_any_role
│ ├── jobs/ # Background scheduled jobs
│ │ └── mitre_sync_job.py # APScheduler job: sync MITRE every 24h
│ │ └── mitre_sync_job.py # APScheduler: MITRE sync (24h) + Intel scan (7d)
│ └── services/ # Business logic services
│ ├── audit_service.py
│ ├── status_service.py # Recalculate technique status from tests
── mitre_sync_service.py # MITRE ATT&CK sync via TAXII / GitHub
── mitre_sync_service.py # MITRE ATT&CK sync via TAXII / GitHub
│ └── intel_service.py # Automated intel scan via RSS feeds
└── frontend/ # React frontend (coming soon)
```
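Review bot: the updated tree describes `mitre_sync_job.py` as holding both the MITRE sync (24h) and the intel scan (7d), so the module name no longer matches its contents; either register the weekly job from a separate `intel_scan_job.py` next to `intel_service.py`, or rename the module to something neutral such as `scheduled_jobs.py` and adjust the comment to match. The comment on `intel_service.py` (`Automated intel scan via RSS feeds`) could also list the feeds named in the commit message, as the `mitre_sync_service.py` comment does for TAXII / GitHub, so readers of the README can see which external hosts the backend fetches from on a schedule.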