fix: address gemini-code-assist 3rd review on PR #1

Type precision:
- schema.Item.source_kind is now Literal["rss", "github"] instead of
  bare str, matching the comment and actual usage.

Robustness:
- report.render now escapes both `[` and `]` in titles (previously only
  `]`), so titles like "[CVE-2026-xxx]" cannot collide with markdown
  link parsing.
- normalize.normalize: narrow the two bare `except Exception` blocks
  to `(OSError, json.JSONDecodeError)` so genuine bugs surface instead
  of being swallowed.
- collect_github._get: narrow the fallback `except Exception` to
  `(URLError, TimeoutError, json.JSONDecodeError)` (HTTPError is still
  caught separately above).

Reproducibility:
- requirements.txt and requirements-dev.txt now pin exact versions
  with `==`. Dependabot continues to PR upgrades, but a fresh checkout
  + `pip install -r ...` now resolves to a known-good set.

Config / docs:
- tracks/iam/config/sources.yaml: drop `spiffe/spiffe` (verified via
  GitHub API: repo exists but has zero releases — it's the specs
  tree, not a release surface).
- README.md: remove the duplicate 3-bullet "CI" section that the new
  CI table superseded.

Regenerated today's seed reports under tracks/*/reports/ so they
match the new formatter output (extra `\[` escape would only matter
on titles containing `[`, but regen keeps the committed sample byte-
identical to what CI would produce now).

Author: kanywst

README.md

@@ -45,12 +45,6 @@ tracks/<name>/
 web/                               # Astro 6 + Tailwind v4 + recharts (React island)
 ```
 
-## CI
-
-- Daily at 06:00 UTC: `make update` for every track in parallel; raw / normalized / scored / daily.md get committed.
-- Monday at 08:00 UTC: `make weekly` generates the weekly digest.
-- Push to `main`: `web/` is rebuilt and deployed to Pages.
-
 ## Local
 
 ```bash

requirements-dev.txt

@@ -1,5 +1,5 @@
-pytest>=8.3.0
-pytest-cov>=6.0.0
-ruff>=0.8.0
-pip-audit>=2.7.0
-pip-licenses>=5.0.0
+pytest==9.0.3
+pytest-cov==7.1.0
+ruff==0.15.13
+pip-audit==2.10.0
+pip-licenses==5.5.5

requirements.txt

@@ -1,2 +1,2 @@
-feedparser>=6.0.11
-PyYAML>=6.0.2
+feedparser==6.0.12
+PyYAML==6.0.3

scripts/awsdd/collect_github.py

@@ -5,7 +5,7 @@
 import json
 import os
 from datetime import UTC, datetime
-from urllib.error import HTTPError
+from urllib.error import HTTPError, URLError
 from urllib.request import Request, urlopen
 
 from .config import load_sources, track_dir
@@ -38,7 +38,7 @@ def _get(path: str) -> list[dict]:
     except HTTPError as e:
         print(f"[collect_github] {path}: HTTP {e.code}")
         return []
-    except Exception as e:
+    except (URLError, TimeoutError, json.JSONDecodeError) as e:
         print(f"[collect_github] {path}: error {e}")
         return []
 

scripts/awsdd/normalize.py

@@ -15,7 +15,7 @@ def normalize(track: str) -> None:
         try:
             for it in json.loads(out.read_text()):
                 by_id[it["id"]] = it
-        except Exception as e:
+        except (OSError, json.JSONDecodeError) as e:
             print(f"[normalize] existing normalized.json unreadable: {e}")
 
     if raw_dir.exists():
@@ -29,7 +29,7 @@ def normalize(track: str) -> None:
                             prev.get("fetched_at", it["fetched_at"]), it["fetched_at"]
                         )
                     by_id[it["id"]] = it
-            except Exception as e:
+            except (OSError, json.JSONDecodeError) as e:
                 print(f"[normalize] {path.name}: {e}")
 
     items = sorted(by_id.values(), key=lambda x: x.get("published_at", ""), reverse=True)

scripts/awsdd/report.py

@@ -72,7 +72,9 @@ def render(track: str, mode: str) -> None:
             lines.append(f"## {kind.upper()}")
             lines.append("")
             for it in g:
-                title = (it.get("title") or "(untitled)").replace("]", r"\]")
+                # escape both brackets so titles like "[CVE-...] thing" don't
+                # collide with markdown link parsing
+                title = (it.get("title") or "(untitled)").replace("[", r"\[").replace("]", r"\]")
                 url = it.get("url", "")
                 src = it.get("source", "")
                 pub = (it.get("published_at") or "")[:10]

scripts/awsdd/schema.py

@@ -1,15 +1,17 @@
 from __future__ import annotations
 
 from dataclasses import asdict, dataclass, field
-from typing import Any
+from typing import Any, Literal
+
+SourceKind = Literal["rss", "github"]
 
 
 @dataclass
 class Item:
     id: str
     track: str
     source: str  # e.g. "rss:aws-security-blog"
-    source_kind: str  # "rss" | "github"
+    source_kind: SourceKind
     url: str
     title: str
     summary: str

tracks/iam/config/sources.yaml

@@ -47,4 +47,4 @@ github:
   - repo: kubernetes-sigs/aws-iam-authenticator
   - repo: aws/rolesanywhere-credential-helper
   - repo: spiffe/spire
-  - repo: spiffe/spiffe
+  # spiffe/spiffe is the specs repo with no GitHub releases; drop until it has any.