mozilla-it
diff --git a/‎CODE_OF_CONDUCT.md‎
Lines changed: 15 additions & 0 deletions b/‎CODE_OF_CONDUCT.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 21 additions & 0 deletions b/‎README.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎src/rir_updater/arin/client.py‎
Lines changed: 37 additions & 20 deletions b/‎src/rir_updater/arin/client.py‎
Lines changed: 37 additions & 20 deletions
diff --git a/‎src/rir_updater/main.py‎
Lines changed: 115 additions & 65 deletions b/‎src/rir_updater/main.py‎
Lines changed: 115 additions & 65 deletions
@@ -0,0 +1,15 @@
+# Community Participation Guidelines
+
+This repository is governed by Mozilla's code of conduct and etiquette guidelines.
+For more details, please read the
+[Mozilla Community Participation Guidelines](https://www.mozilla.org/about/governance/policies/participation/).
+
+## How to Report
+For more information on how to report violations of the Community Participation Guidelines, please read our '[How to Report](https://www.mozilla.org/about/governance/policies/participation/reporting/)' page.
+
+<!--
+## Project Specific Etiquette
+
+In some cases, there will be additional project etiquette i.e.: (https://bugzilla.mozilla.org/page.cgi?id=etiquette.html).
+Please update for your project.
+-->
@@ -81,6 +81,27 @@ radb:
 
 `roas` is optional. If omitted, only route objects are synced. ROA sync only manages prefixes explicitly listed — other ROAs in the account are left untouched.
 
+### Deleting route objects
+
+Set `delete: true` on any route entry to remove it from the registry instead of syncing it:
+
+```yaml
+routes:
+  - prefix: "192.0.2.0/24"
+    origin: "AS12345"
+    delete: true
+```
+
+### Automatic RADb mirroring
+
+When a `radb` section is present in the config, every RIPE and ARIN route change (create, update, or delete) is automatically mirrored to RADb. You do not need to list the same prefix in the `radb.routes` section — duplicates are skipped automatically.
+
+Routes listed exclusively under `radb.routes` (with no corresponding RIPE/ARIN entry) are still synced to RADb directly.
+
+### Attribute preservation
+
+On update, only fields managed by this tool (`route`/`route6`, `origin`, `mnt-by`, `source`, `changed`, and optionally `descr`) are modified. All other attributes already present in the registry object (e.g. `remarks`, `admin-c`, `tech-c`) are preserved.
+
 ## Credentials
 
 Secrets are fetched from 1Password via the `op` CLI. The `credentials` block in the config file specifies the 1Password reference for each secret:
 
@@ -132,42 +132,63 @@ def list_roas(self) -> list[ROA]:
             )
         return result
 
-    def _route_exists(self, route: RouteObject) -> bool:
+    def _get_existing_route(self, route: RouteObject) -> str | None:
         resp = self._http.get(self._route_url(route), params=self._params())
-        return resp.status_code == 200
+        if resp.status_code == 404:
+            return None
+        _raise_for_status(resp, f"fetch arin route {route.prefix}")
+        return resp.text
+
+    def _merge_route_body(self, existing_xml: str, route: RouteObject) -> str:
+        """Build a PUT body by updating managed fields while preserving the rest."""
+        root = ET.fromstring(existing_xml)
+        managed_tags = {
+            "orgHandle": self._org_handle,
+            "originAS": route.origin.upper(),
+            "prefix": route.prefix,
+            "source": "ARIN",
+        }
+        for child in root:
+            tag = child.tag.split("}")[-1] if "}" in child.tag else child.tag
+            if tag in managed_tags:
+                child.text = managed_tags[tag]
+            elif tag == "description":
+                for item in list(child):
+                    child.remove(item)
+                for i, text in enumerate((route.description or "").splitlines()):
+                    line_el = SubElement(child, f"{{{CORE_NS}}}line")
+                    line_el.set("number", str(i))
+                    line_el.text = text
+        return ET.tostring(root, encoding="unicode")
 
     def delete_route(self, route: RouteObject) -> str:
-        """Delete a route object. Returns 'deleted', 'not-found', or 'dry-run'."""
-        obj_type = "route6" if ":" in route.prefix else "route"
-        asn = route.origin.upper()
+        """Delete a route object. Returns 'deleted', 'not-found', or 'dry-run-delete'."""  # noqa: E501
         if self._dry_run:
-            print(f"[dry-run] would delete arin {obj_type} {route.prefix} {asn}")
-            return "dry-run"
+            return "dry-run-delete"
         url = self._route_url(route)
         resp = self._http.delete(url, params=self._params())
         if resp.status_code == 404:
             return "not-found"
+        asn = route.origin.upper()
         _raise_for_status(resp, f"delete arin route {route.prefix} {asn}")
         return "deleted"
 
     def sync_route(self, route: RouteObject) -> str:
-        """Sync a route object. Returns 'created', 'updated', or 'dry-run'."""
-        exists = self._route_exists(route)
-        obj_type = "route6" if ":" in route.prefix else "route"
-        asn = route.origin.upper()
+        """Sync a route object. Returns 'created', 'updated', or a dry-run variant."""
+        existing = self._get_existing_route(route)
 
         if self._dry_run:
-            action = "update" if exists else "create"
-            print(f"[dry-run] would {action} arin {obj_type} {route.prefix} {asn}")
-            return "dry-run"
+            return "dry-run-update" if existing is not None else "dry-run-create"
 
-        body = self._route_body(route)
         url = self._route_url(route)
-        if exists:
+        asn = route.origin.upper()
+        if existing is not None:
+            body = self._merge_route_body(existing, route)
             resp = self._http.put(url, params=self._params(), content=body)
             _raise_for_status(resp, f"update arin route {route.prefix} {asn}")
             return "updated"
         else:
+            body = self._route_body(route)
             # Unlike RIPE, ARIN POST uses the key URL (not the collection URL).
             resp = self._http.post(url, params=self._params(), content=body)
             _raise_for_status(resp, f"create arin route {route.prefix} {asn}")
@@ -268,10 +289,6 @@ def sync_roas(self, roas: list[ROA]) -> dict[str, int]:
         to_delete_handles = [current_managed[k] for k in to_delete_keys]
 
         if self._dry_run:
-            for prefix, asn, max_len in to_add:
-                print(f"[dry-run] would add arin ROA {prefix} {asn} max={max_len}")
-            for prefix, asn, max_len in to_delete_keys:
-                print(f"[dry-run] would delete arin ROA {prefix} {asn} max={max_len}")
             return {"added": len(to_add), "deleted": len(to_delete_keys)}
 
         if not to_add and not to_delete_handles:
 
@@ -16,6 +16,7 @@
 from rir_updater.exceptions import ApiError, CredentialError, RirUpdaterError
 from rir_updater.radb.client import RadbClient
 from rir_updater.ripe.client import RipeClient
+from rir_updater.summary import Summary
 
 
 def main():
@@ -91,76 +92,125 @@ def should_run(name: str) -> bool:
         _setup_arin_ote(config.arin, creds, args.commit)
         return
 
-    if config.ripe and should_run("ripe"):
-        creds = config.ripe.credentials
-        use_test_env = not args.production
-        # The test DB may have a separate account (RIPE test accounts are distinct
-        # from production). Fall back to production credentials if not configured.
-        if use_test_env and creds.test_db_username and creds.test_db_password:
-            db_auth = get_ripe_db_auth(creds.test_db_username, creds.test_db_password)
-        else:
-            db_auth = get_ripe_db_auth(creds.db_username, creds.db_password)
-        with RipeClient(
-            db_auth=db_auth,
-            rpki_key=get_ripe_rpki_key(creds.rpki_api_key),
-            maintainer=config.ripe.maintainer,
-            dry_run=not args.commit,
-            use_test_env=use_test_env,
-        ) as client:
-            if args.setup_test:
-                client.setup_test_env(config.ripe.routes, config.ripe.sso_emails)
-                return
-
-            for route in config.ripe.routes:
-                result = client.sync_route(route)
-                print(f"{result}: ripe route {route.prefix} {route.origin}")
-
-            if config.ripe.roas:
-                counts = client.sync_roas(config.ripe.roas)
-                added, deleted = counts["added"], counts["deleted"]
-                print(f"RIPE ROAs: {added} added, {deleted} deleted")
-
-    if config.arin and should_run("arin"):
-        creds = config.arin.credentials
-        use_test_env = not args.production
-        if use_test_env and creds.test_api_key:
-            arin_api_key = get_arin_api_key(creds.test_api_key)
-        else:
-            arin_api_key = get_arin_api_key(creds.api_key)
-        with ArinClient(
-            org_handle=config.arin.org_handle,
-            api_key=arin_api_key,
-            dry_run=not args.commit,
-            use_test_env=use_test_env,
-        ) as client:
-            for route in config.arin.routes:
-                if route.delete:
-                    result = client.delete_route(route)
-                else:
-                    result = client.sync_route(route)
-                print(f"{result}: arin route {route.prefix} {route.origin}")
-
-            if config.arin.roas:
-                counts = client.sync_roas(config.arin.roas)
-                added, deleted = counts["added"], counts["deleted"]
-                print(f"ARIN ROAs: {added} added, {deleted} deleted")
-
-    if config.radb and should_run("radb"):
-        creds = config.radb.credentials
-        portal_username, portal_password = get_radb_portal_auth(
-            creds.portal_username, creds.portal_password
+    summary = Summary(dry_run=not args.commit)
+    mirrored_prefixes: set[str] = set()
+
+    # Build RadbClient upfront — used for both explicit RADb routes and
+    # automatic mirroring of every RIPE/ARIN route change.
+    radb_client = None
+    if config.radb:
+        radb_creds = config.radb.credentials
+        radb_portal_u, radb_portal_p = get_radb_portal_auth(
+            radb_creds.portal_username, radb_creds.portal_password
         )
-        with RadbClient(
+        radb_client = RadbClient(
             maintainer=config.radb.maintainer,
-            portal_username=portal_username,
-            portal_password=portal_password,
-            mntner_password=get_radb_mntner_password(creds.mntner_password),
+            portal_username=radb_portal_u,
+            portal_password=radb_portal_p,
+            mntner_password=get_radb_mntner_password(radb_creds.mntner_password),
             contact_email=config.radb.contact_email,
             dry_run=not args.commit,
-        ) as client:
+        )
+
+    try:
+        if config.ripe and should_run("ripe"):
+            label = "RIPE (production)" if args.production else "RIPE (test)"
+            creds = config.ripe.credentials
+            use_test_env = not args.production
+            # The test DB may have a separate account (RIPE test accounts are
+            # distinct from production). Fall back to production creds if not set.
+            if use_test_env and creds.test_db_username and creds.test_db_password:
+                db_auth = get_ripe_db_auth(
+                    creds.test_db_username, creds.test_db_password
+                )
+            else:
+                db_auth = get_ripe_db_auth(creds.db_username, creds.db_password)
+            with RipeClient(
+                db_auth=db_auth,
+                rpki_key=get_ripe_rpki_key(creds.rpki_api_key),
+                maintainer=config.ripe.maintainer,
+                dry_run=not args.commit,
+                use_test_env=use_test_env,
+            ) as client:
+                if args.setup_test:
+                    client.setup_test_env(config.ripe.routes, config.ripe.sso_emails)
+                    return
+
+                summary.start_registry(label)
+                for route in config.ripe.routes:
+                    if route.delete:
+                        result = client.delete_route(route)
+                    else:
+                        result = client.sync_route(route)
+                    summary.record_route(label, result, route.prefix, route.origin)
+                    if radb_client:
+                        radb_result = (
+                            radb_client.delete_route(route)
+                            if route.delete
+                            else radb_client.sync_route(route)
+                        )
+                        summary.record_route(
+                            "RADb", radb_result, route.prefix, route.origin
+                        )
+                        mirrored_prefixes.add(route.prefix)
+
+                if config.ripe.roas:
+                    counts = client.sync_roas(config.ripe.roas)
+                    summary.record_roas(label, counts["added"], counts["deleted"])
+
+        if config.arin and should_run("arin"):
+            label = "ARIN (production)" if args.production else "ARIN (OTE)"
+            creds = config.arin.credentials
+            use_test_env = not args.production
+            if use_test_env and creds.test_api_key:
+                arin_api_key = get_arin_api_key(creds.test_api_key)
+            else:
+                arin_api_key = get_arin_api_key(creds.api_key)
+            with ArinClient(
+                org_handle=config.arin.org_handle,
+                api_key=arin_api_key,
+                dry_run=not args.commit,
+                use_test_env=use_test_env,
+            ) as client:
+                summary.start_registry(label)
+                for route in config.arin.routes:
+                    if route.delete:
+                        result = client.delete_route(route)
+                    else:
+                        result = client.sync_route(route)
+                    summary.record_route(label, result, route.prefix, route.origin)
+                    if radb_client:
+                        radb_result = (
+                            radb_client.delete_route(route)
+                            if route.delete
+                            else radb_client.sync_route(route)
+                        )
+                        summary.record_route(
+                            "RADb", radb_result, route.prefix, route.origin
+                        )
+                        mirrored_prefixes.add(route.prefix)
+
+                if config.arin.roas:
+                    counts = client.sync_roas(config.arin.roas)
+                    summary.record_roas(label, counts["added"], counts["deleted"])
+
+        if radb_client and should_run("radb"):
+            summary.start_registry("RADb")
             for route in config.radb.routes:
-                result = client.sync_route(route)
-                print(f"{result}: radb route {route.prefix} {route.origin}")
+                if route.prefix in mirrored_prefixes:
+                    continue  # already synced via mirroring
+                result = (
+                    radb_client.delete_route(route)
+                    if route.delete
+                    else radb_client.sync_route(route)
+                )
+                summary.record_route("RADb", result, route.prefix, route.origin)
+
+    finally:
+        if radb_client:
+            radb_client.close()
+
+    summary.print_jira()
 
 
 def _setup_arin_ote(arin_config, creds, commit: bool) -> None: