Add trust evaluation and scoring system for agents and users with ATPL integration (#75)

* Initial plan

* Add trust evaluation backend infrastructure

- Created AgentTrustScoreHistory entity for storing trust scores
- Created AgentTrustScoreHistoryRepository for data access
- Created AgentTrustScoreService for managing trust scores
- Created TrustEvaluationService in analytics agent for scheduled evaluations
- Created TrustScoreApiController for REST API endpoints
- Created TrustScoreViewController for UI rendering
- Made TrustScoreCalculator public for analytics module access
- All builds and tests passing

Co-authored-by: phrocker <1781585+phrocker@users.noreply.github.com>

* Add trust scores UI pages and navigation

- Created trust_scores.html for viewing all agent trust scores
- Created agent_trust_score.html for detailed agent trust score history
- Added navigation link to sidebar for Trust Scores page
- Created unit tests for AgentTrustScoreService
- All tests passing, full build successful

Co-authored-by: phrocker <1781585+phrocker@users.noreply.github.com>

* Enhanced behavior evaluation and added comprehensive documentation

- Improved AgentContext.evaluateBehavior() with granular scoring based on prior runs and incidents
- Added TRUST_EVALUATION.md with complete system documentation
- Documented architecture, API endpoints, configuration, and usage examples
- Included troubleshooting guide and future enhancement ideas
- All builds passing

Co-authored-by: phrocker <1781585+phrocker@users.noreply.github.com>

* Extend trust evaluation to include human users

- Modified TrustEvaluationService to evaluate both agents and human users
- Added SessionLogRepository to track human user session activity
- Created buildHumanUserContext() to evaluate users based on session history
- Renamed evaluateAllAgents() to evaluateAllAgentsAndUsers()
- Added evaluateEntity() method that handles both USER and NON_PERSON_ENTITY types
- Updated UI labels from "Agent Trust Scores" to "Trust Scores - Agents & Users"
- Updated documentation to reflect support for human users
- Human users are evaluated based on session activity (prior sessions vs prior runs)
- All builds and tests passing

Co-authored-by: phrocker <1781585+phrocker@users.noreply.github.com>

* Add database migration for agent_trust_score_history table

- Created V34__create_agent_trust_score_history.sql Flyway migration
- Defines table schema with all required columns (id, agent_id, trust_score, component scores, etc.)
- Creates indexes for optimal query performance on agent_id, timestamp, and evaluation_result
- Fixes PostgreSQL error: "relation agent_trust_score_history does not exist"
- Migration will run automatically on application startup

Co-authored-by: phrocker <1781585+phrocker@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: phrocker <1781585+phrocker@users.noreply.github.com>

Author: Copilot

analytics/src/main/java/io/sentrius/agent/analysis/agents/trust/TrustEvaluationService.java

@@ -0,0 +1,289 @@
+package io.sentrius.agent.analysis.agents.trust;
+
+import io.sentrius.sso.core.model.AgentHeartbeat;
+import io.sentrius.sso.core.model.sessions.SessionLog;
+import io.sentrius.sso.core.model.trust.AgentTrustScoreHistory;
+import io.sentrius.sso.core.model.users.User;
+import io.sentrius.sso.core.model.security.enums.IdentityType;
+import io.sentrius.sso.core.repository.AgentCommunicationRepository;
+import io.sentrius.sso.core.repository.AgentHeartbeatRepository;
+import io.sentrius.sso.core.repository.SessionLogRepository;
+import io.sentrius.sso.core.services.ATPLPolicyService;
+import io.sentrius.sso.core.services.UserService;
+import io.sentrius.sso.core.services.trust.AgentTrustScoreService;
+import io.sentrius.sso.core.trust.*;
+import io.sentrius.sso.provenance.ProvenanceEvent;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.scheduling.annotation.Scheduled;
+import org.springframework.stereotype.Service;
+
+import java.sql.Timestamp;
+import java.time.LocalDateTime;
+import java.util.*;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.stream.Collectors;
+
+@Service
+@Slf4j
+@ConditionalOnProperty(name = "sentrius.trust.evaluation.enabled", havingValue = "true", matchIfMissing = true)
+public class TrustEvaluationService {
+    
+    private final AgentHeartbeatRepository heartbeatRepository;
+    private final AgentCommunicationRepository communicationRepository;
+    private final SessionLogRepository sessionLogRepository;
+    private final AgentTrustScoreService trustScoreService;
+    private final ATPLPolicyService atplPolicyService;
+    private final UserService userService;
+    
+    private final Map<String, List<ProvenanceEvent>> provenanceCache = new ConcurrentHashMap<>();
+    private final Map<String, Integer> incidentTracker = new ConcurrentHashMap<>();
+    
+    public TrustEvaluationService(
+            AgentHeartbeatRepository heartbeatRepository,
+            AgentCommunicationRepository communicationRepository,
+            SessionLogRepository sessionLogRepository,
+            AgentTrustScoreService trustScoreService,
+            ATPLPolicyService atplPolicyService,
+            UserService userService) {
+        this.heartbeatRepository = heartbeatRepository;
+        this.communicationRepository = communicationRepository;
+        this.sessionLogRepository = sessionLogRepository;
+        this.trustScoreService = trustScoreService;
+        this.atplPolicyService = atplPolicyService;
+        this.userService = userService;
+    }
+    
+    @Scheduled(fixedRate = 300000, initialDelay = 60000)
+    public void evaluateAllAgentsAndUsers() {
+        log.info("Starting scheduled trust evaluation for all agents and users");
+        
+        // Evaluate agents (NON_PERSON_ENTITY)
+        List<AgentHeartbeat> activeAgents = heartbeatRepository.findAll().stream()
+            .filter(hb -> hb.getLastHeartbeat() != null && 
+                         hb.getLastHeartbeat().isAfter(LocalDateTime.now().minusMinutes(30)))
+            .collect(Collectors.toList());
+        
+        log.info("Found {} active agents to evaluate", activeAgents.size());
+        
+        for (AgentHeartbeat heartbeat : activeAgents) {
+            try {
+                evaluateEntity(heartbeat.getAgentId(), heartbeat.getAgentName(), IdentityType.NON_PERSON_ENTITY);
+            } catch (Exception e) {
+                log.error("Error evaluating agent {}: {}", heartbeat.getAgentId(), e.getMessage(), e);
+            }
+        }
+        
+        // Evaluate human users (USER)
+        List<User> humanUsers = userService.getAllUsers("USER").stream()
+            .map(dto -> userService.getUserByUserid(dto.getId().toString()))
+            .filter(Objects::nonNull)
+            .collect(Collectors.toList());
+        
+        log.info("Found {} human users to evaluate", humanUsers.size());
+        
+        for (User user : humanUsers) {
+            try {
+                evaluateEntity(user.getUserId(), user.getUsername(), IdentityType.USER);
+            } catch (Exception e) {
+                log.error("Error evaluating user {}: {}", user.getUserId(), e.getMessage(), e);
+            }
+        }
+    }
+    
+    /**
+     * Evaluate trust score for a specific entity (agent or user).
+     * @deprecated Use evaluateEntity instead
+     */
+    @Deprecated
+    public AgentTrustScoreHistory evaluateAgent(String agentId, String agentName) {
+        return evaluateEntity(agentId, agentName, IdentityType.NON_PERSON_ENTITY);
+    }
+    
+    public AgentTrustScoreHistory evaluateEntity(String entityId, String entityName, IdentityType identityType) {
+        log.debug("Evaluating trust score for entity: {} ({}) type: {}", entityName, entityId, identityType);
+        
+        User user = userService.getUserByUserid(entityId);
+        if (user == null) {
+            log.warn("No user found for entity ID: {}", entityId);
+            return null;
+        }
+        
+        Optional<ATPLPolicy> policyOpt = atplPolicyService.getPolicy(user);
+        if (policyOpt.isEmpty()) {
+            log.debug("No ATPL policy found for entity: {}", entityId);
+            return null;
+        }
+        
+        ATPLPolicy policy = policyOpt.get();
+        AgentContext context = buildEntityContext(entityId, entityName, identityType);
+        
+        TrustScoreCalculator calculator = new TrustScoreCalculator();
+        int trustScore = calculator.calculate(context, policy);
+        
+        TrustScoreResult result = determineResult(trustScore, policy.getTrustScore());
+        
+        AgentTrustScoreHistory history = AgentTrustScoreHistory.builder()
+            .agentId(entityId)
+            .agentName(entityName)
+            .trustScore(trustScore)
+            .identityScore(context.evaluateIdentity())
+            .provenanceScore(context.evaluateProvenance())
+            .runtimeScore(context.evaluateRuntime())
+            .behaviorScore(context.evaluateBehavior())
+            .evaluationResult(result.name())
+            .policyId(policy.getPolicyId())
+            .timestamp(LocalDateTime.now())
+            .priorRuns(context.getPriorRuns())
+            .incidentCount(context.getIncidentCount())
+            .enclaveVerified(context.isEnclaveVerified())
+            .evaluationNotes(generateEvaluationNotes(context, trustScore, result, identityType))
+            .build();
+        
+        AgentTrustScoreHistory saved = trustScoreService.recordTrustScore(history);
+        log.info("Trust score evaluated for {} {}: score={}, result={}", 
+            identityType == IdentityType.USER ? "user" : "agent", entityName, trustScore, result);
+        
+        return saved;
+    }
+    
+    private AgentContext buildEntityContext(String entityId, String entityName, IdentityType identityType) {
+        if (identityType == IdentityType.USER) {
+            return buildHumanUserContext(entityId, entityName);
+        } else {
+            return buildAgentContext(entityId, entityName);
+        }
+    }
+    
+    private AgentContext buildHumanUserContext(String userId, String username) {
+        // For human users, we track sessions instead of heartbeats
+        List<SessionLog> userSessions = sessionLogRepository.findByUsername(username);
+        
+        int priorRuns = calculatePriorSessions(userSessions);
+        int incidentCount = incidentTracker.getOrDefault(userId, 0);
+        
+        // Human users are verified through Keycloak authentication
+        List<ProvenanceEvent> events = provenanceCache.getOrDefault(userId, Collections.emptyList());
+        String identityIssuer = "keycloak"; // Always verified for authenticated users
+        
+        // Enclave verification doesn't apply to human users, but we can consider
+        // if they're accessing from a secure/verified location
+        boolean enclaveVerified = false; // Could be enhanced with IP/location verification
+        
+        return AgentContext.builder()
+            .agentId(userId)
+            .tags(extractUserTags(username))
+            .identityIssuer(identityIssuer)
+            .enclaveVerified(enclaveVerified)
+            .priorRuns(priorRuns)
+            .incidentCount(incidentCount)
+            .build();
+    }
+    
+    private int calculatePriorSessions(List<SessionLog> sessions) {
+        // Count sessions in the last 30 days
+        LocalDateTime thirtyDaysAgo = LocalDateTime.now().minusDays(30);
+        Timestamp thirtyDaysAgoTimestamp = Timestamp.valueOf(thirtyDaysAgo);
+        
+        return (int) sessions.stream()
+            .filter(session -> session.getSessionTm() != null && 
+                             session.getSessionTm().after(thirtyDaysAgoTimestamp))
+            .count();
+    }
+    
+    private Set<String> extractUserTags(String username) {
+        Set<String> tags = new HashSet<>();
+        if (username != null) {
+            tags.add("human-user");
+            // Could add role-based tags here if needed
+        }
+        return tags;
+    }
+    
+    private AgentContext buildAgentContext(String agentId, String agentName) {
+        Optional<AgentHeartbeat> heartbeatOpt = heartbeatRepository.findByAgentId(agentId);
+        int priorRuns = calculatePriorRuns(agentId);
+        int incidentCount = incidentTracker.getOrDefault(agentId, 0);
+        
+        boolean enclaveVerified = heartbeatOpt
+            .map(hb -> hb.getStatus() != null && hb.getStatus().contains("verified"))
+            .orElse(false);
+        
+        List<ProvenanceEvent> events = provenanceCache.getOrDefault(agentId, Collections.emptyList());
+        String identityIssuer = events.isEmpty() ? null : "keycloak";
+        
+        return AgentContext.builder()
+            .agentId(agentId)
+            .tags(extractTags(agentName))
+            .identityIssuer(identityIssuer)
+            .enclaveVerified(enclaveVerified)
+            .priorRuns(priorRuns)
+            .incidentCount(incidentCount)
+            .build();
+    }
+    
+    private int calculatePriorRuns(String agentId) {
+        LocalDateTime thirtyDaysAgo = LocalDateTime.now().minusDays(30);
+        return (int) heartbeatRepository.findAll().stream()
+            .filter(hb -> hb.getAgentId().equals(agentId))
+            .filter(hb -> hb.getLastHeartbeat() != null && hb.getLastHeartbeat().isAfter(thirtyDaysAgo))
+            .count();
+    }
+    
+    private Set<String> extractTags(String agentName) {
+        Set<String> tags = new HashSet<>();
+        if (agentName != null) {
+            if (agentName.contains("analytics")) tags.add("analytics");
+            if (agentName.contains("ai")) tags.add("ai");
+            if (agentName.contains("chat")) tags.add("chat");
+            if (agentName.contains("monitor")) tags.add("monitor");
+        }
+        return tags;
+    }
+    
+    private TrustScoreResult determineResult(int trustScore, TrustScore config) {
+        if (trustScore >= config.getMinimum()) {
+            return TrustScoreResult.SUCCESS;
+        } else if (trustScore >= config.getMarginalThreshold()) {
+            return TrustScoreResult.MARGINAL;
+        } else {
+            return TrustScoreResult.FAILURE;
+        }
+    }
+    
+    private String generateEvaluationNotes(AgentContext context, int score, TrustScoreResult result, IdentityType identityType) {
+        StringBuilder notes = new StringBuilder();
+        notes.append("Trust evaluation completed for ");
+        notes.append(identityType == IdentityType.USER ? "human user" : "agent");
+        notes.append(". ");
+        notes.append("Identity: ").append(context.getIdentityIssuer() != null ? "verified" : "unverified").append(". ");
+        if (identityType != IdentityType.USER) {
+            notes.append("Enclave: ").append(context.isEnclaveVerified() ? "verified" : "not verified").append(". ");
+        }
+        notes.append("Prior ").append(identityType == IdentityType.USER ? "sessions" : "runs").append(": ").append(context.getPriorRuns()).append(". ");
+        notes.append("Incidents: ").append(context.getIncidentCount()).append(".");
+        return notes.toString();
+    }
+    
+    public void cacheProvenanceEvent(ProvenanceEvent event) {
+        if (event.getActor() != null) {
+            provenanceCache.computeIfAbsent(event.getActor(), k -> new ArrayList<>()).add(event);
+            
+            List<ProvenanceEvent> events = provenanceCache.get(event.getActor());
+            if (events.size() > 100) {
+                events.remove(0);
+            }
+        }
+    }
+    
+    public void recordIncident(String agentId) {
+        incidentTracker.merge(agentId, 1, Integer::sum);
+        log.warn("Incident recorded for agent: {}. Total incidents: {}", 
+            agentId, incidentTracker.get(agentId));
+    }
+    
+    public void clearIncidents(String agentId) {
+        incidentTracker.put(agentId, 0);
+        log.info("Incidents cleared for agent: {}", agentId);
+    }
+}