feat: Phase 6 - Automated intel scanning (T-021, T-022)

- Add intel_service.py: RSS feed scanner for threat intelligence
  Searches CISA, NIST NVD, SANS ISC, BleepingComputer, The Hacker News,
  Krebs on Security for mentions of MITRE technique IDs and names
- New intel items stored in intel_items table with URL deduplication
- Techniques with new intel flagged with review_required=True
- Add POST /system/run-intel-scan endpoint (admin only)
- Register weekly intel scan job in APScheduler (every 7 days)
- Audit log records each scan execution with summary stats
- Update README with new endpoint and project structure

backend/app/routers/system.py

@@ -1,7 +1,7 @@
 """System-level endpoints (admin only).
 
 Provides manual triggers for background operations such as the MITRE
-ATT&CK synchronisation, and scheduler health introspection.
+ATT&CK synchronisation, intel scanning, and scheduler health introspection.
 """
 
 from fastapi import APIRouter, Depends
@@ -11,6 +11,7 @@ from app.database import get_db
 from app.dependencies.auth import require_role
 from app.models.user import User
 from app.services.mitre_sync_service import sync_mitre
+from app.services.intel_service import scan_intel
 from app.jobs.mitre_sync_job import scheduler
 
 router = APIRouter(prefix="/system", tags=["system"])
@@ -36,6 +37,25 @@ def trigger_mitre_sync(
     }
 
 
+@router.post("/run-intel-scan")
+def trigger_intel_scan(
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role("admin")),
+):
+    """Manually trigger a threat-intelligence scan.
+
+    **Requires** the ``admin`` role.
+
+    Returns a JSON object with the scan summary including the count of
+    new intel items found.
+    """
+    summary = scan_intel(db)
+    return {
+        "message": "Intel scan completed",
+        "new_items": summary["new_items"],
+    }
+
+
 @router.get("/scheduler-status")
 def scheduler_status(
     current_user: User = Depends(require_role("admin")),