Fix trust scores showing static value by persisting policy violation events (#171)

* Initial plan

* Add PolicyViolationEvent persistence for accurate trust score calculation

- Created PolicyViolationEvent entity to persist policy violation events
- Created PolicyViolationEventType enum for violation event types
- Created PolicyViolationEventRepository for data access
- Created PolicyViolationEventService for managing violation events
- Modified ZeroTrustAccessTokenService to record violations on approve/deny
- Modified TrustEvaluationService to use persistent incident counts
- Added comprehensive tests for PolicyViolationEventService

Co-authored-by: phrocker <[email protected]>

* Address code review feedback: use constructor injection

- Convert field injection to constructor injection in ZeroTrustAccessTokenService
- Convert field injection to constructor injection in TrustEvaluationService
- All tests pass

Co-authored-by: phrocker <[email protected]>

* Add Flyway migration V39 for policy_violation_events table

Creates policy_violation_events table with columns matching the
PolicyViolationEvent JPA entity and appropriate indexes for
efficient querying by entity_id, timestamp, and approval status.

Co-authored-by: phrocker <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: phrocker <[email protected]>

Author: Copilot

analytics/src/main/java/io/sentrius/agent/analysis/agents/trust/TrustEvaluationService.java

@@ -12,6 +12,7 @@
 import io.sentrius.sso.core.services.ATPLPolicyService;
 import io.sentrius.sso.core.services.UserService;
 import io.sentrius.sso.core.services.trust.AgentTrustScoreService;
+import io.sentrius.sso.core.services.trust.PolicyViolationEventService;
 import io.sentrius.sso.core.trust.*;
 import io.sentrius.sso.provenance.ProvenanceEvent;
 import lombok.extern.slf4j.Slf4j;
@@ -37,32 +38,33 @@ public class TrustEvaluationService {
     private final AgentTrustScoreService trustScoreService;
     private final ATPLPolicyService atplPolicyService;
     private final UserService userService;
-    
-    @Autowired(required = false)
-    private LLMGuidedSchedulerService llmScheduler;
+    private final LLMGuidedSchedulerService llmScheduler;
+    private final io.sentrius.sso.core.services.feedback.RLHFFeedbackService rlhfFeedbackService;
+    private final PolicyViolationEventService policyViolationEventService;
 
     private final Map<String, List<ProvenanceEvent>> provenanceCache = new ConcurrentHashMap<>();
     private final Map<String, Integer> incidentTracker = new ConcurrentHashMap<>();
 
-    // Optional RLHF service - may not be available in all contexts
-    private final io.sentrius.sso.core.services.feedback.RLHFFeedbackService rlhfFeedbackService;
-    
+    @Autowired
     public TrustEvaluationService(
             AgentHeartbeatRepository heartbeatRepository,
             AgentCommunicationRepository communicationRepository,
             SessionLogRepository sessionLogRepository,
             AgentTrustScoreService trustScoreService,
             ATPLPolicyService atplPolicyService,
             UserService userService,
-            @org.springframework.beans.factory.annotation.Autowired(required = false) 
-            io.sentrius.sso.core.services.feedback.RLHFFeedbackService rlhfFeedbackService) {
+            @Autowired(required = false) LLMGuidedSchedulerService llmScheduler,
+            @Autowired(required = false) io.sentrius.sso.core.services.feedback.RLHFFeedbackService rlhfFeedbackService,
+            @Autowired(required = false) PolicyViolationEventService policyViolationEventService) {
         this.heartbeatRepository = heartbeatRepository;
         this.communicationRepository = communicationRepository;
         this.sessionLogRepository = sessionLogRepository;
         this.trustScoreService = trustScoreService;
         this.atplPolicyService = atplPolicyService;
         this.userService = userService;
+        this.llmScheduler = llmScheduler;
         this.rlhfFeedbackService = rlhfFeedbackService;
+        this.policyViolationEventService = policyViolationEventService;
     }
 
     @Scheduled(fixedRate = 300000, initialDelay = 60000)
@@ -193,7 +195,7 @@ private AgentContext buildHumanUserContext(String userId, String username) {
         List<SessionLog> userSessions = sessionLogRepository.findByUsername(username);
 
         int priorRuns = calculatePriorSessions(userSessions);
-        int incidentCount = incidentTracker.getOrDefault(userId, 0);
+        int incidentCount = getIncidentCount(userId);
 
         // Human users are verified through Keycloak authentication
         List<ProvenanceEvent> events = provenanceCache.getOrDefault(userId, Collections.emptyList());
@@ -236,7 +238,7 @@ private Set<String> extractUserTags(String username) {
     private AgentContext buildAgentContext(String agentId, String agentName) {
         Optional<AgentHeartbeat> heartbeatOpt = heartbeatRepository.findByAgentId(agentId);
         int priorRuns = calculatePriorRuns(agentId);
-        int incidentCount = incidentTracker.getOrDefault(agentId, 0);
+        int incidentCount = getIncidentCount(agentId);
 
         boolean enclaveVerified = heartbeatOpt
             .map(hb -> hb.getStatus() != null && hb.getStatus().contains("verified"))
@@ -263,6 +265,19 @@ private AgentContext buildAgentContext(String agentId, String agentName) {
             .build();
     }
 
+    /**
+     * Get the incident count for an entity from the persistent store if available,
+     * otherwise fall back to the in-memory tracker.
+     */
+    private int getIncidentCount(String entityId) {
+        // First try to get from persistent store (policy violation events)
+        if (policyViolationEventService != null) {
+            return policyViolationEventService.getIncidentCount(entityId);
+        }
+        // Fall back to in-memory tracker
+        return incidentTracker.getOrDefault(entityId, 0);
+    }
+    
     private int calculatePriorRuns(String agentId) {
         LocalDateTime thirtyDaysAgo = LocalDateTime.now().minusDays(30);
         return (int) heartbeatRepository.findAll().stream()
@@ -317,14 +332,56 @@ public void cacheProvenanceEvent(ProvenanceEvent event) {
         }
     }
 
+    /**
+     * Record an incident for an entity. This is now primarily for legacy/manual incident tracking.
+     * For policy violations, use the PolicyViolationEventService directly.
+     */
     public void recordIncident(String agentId) {
         incidentTracker.merge(agentId, 1, Integer::sum);
-        log.warn("Incident recorded for agent: {}. Total incidents: {}", 
+        log.warn("Incident recorded for agent: {}. Total in-memory incidents: {}", 
             agentId, incidentTracker.get(agentId));
     }
 
+    /**
+     * Record a policy violation incident that will affect trust scores.
+     * This persists the violation to the database for accurate trust score calculation.
+     */
+    public void recordPolicyViolation(String entityId, String entityName, String endpoint, boolean approved, String approverId) {
+        if (policyViolationEventService != null) {
+            if (approved) {
+                policyViolationEventService.recordZtatApproval(
+                    entityId, entityName, endpoint, null, approverId, null,
+                    "Policy violation recorded via TrustEvaluationService"
+                );
+            } else {
+                policyViolationEventService.recordZtatDenial(
+                    entityId, entityName, endpoint, null, approverId, null,
+                    "Policy violation recorded via TrustEvaluationService"
+                );
+            }
+            log.info("Policy violation recorded for entity {}: endpoint={}, approved={}", 
+                entityId, endpoint, approved);
+        } else {
+            // Fall back to in-memory tracking if persistent service is not available
+            if (!approved) {
+                recordIncident(entityId);
+            }
+        }
+    }
+    
+    /**
+     * Clear incidents for an entity. Note: this only clears the in-memory tracker.
+     * Persistent policy violations cannot be cleared (they are part of the audit trail).
+     */
     public void clearIncidents(String agentId) {
         incidentTracker.put(agentId, 0);
-        log.info("Incidents cleared for agent: {}", agentId);
+        log.info("In-memory incidents cleared for agent: {}", agentId);
+    }
+    
+    /**
+     * Get the total incident count for an entity (from both persistent and in-memory stores).
+     */
+    public int getTotalIncidentCount(String entityId) {
+        return getIncidentCount(entityId);
     }
 }

api/src/main/resources/db/migration/V39__create_policy_violation_events.sql

@@ -0,0 +1,25 @@
+-- Create policy_violation_events table for tracking policy violation events
+-- These events are used to calculate behavior scores in trust evaluations
+CREATE TABLE IF NOT EXISTS policy_violation_events (
+    id BIGSERIAL PRIMARY KEY,
+    entity_id VARCHAR(255) NOT NULL,
+    entity_name VARCHAR(255),
+    event_type VARCHAR(50) NOT NULL,
+    approved BOOLEAN NOT NULL,
+    endpoint VARCHAR(1024),
+    policy_id VARCHAR(255),
+    approver_id VARCHAR(255),
+    ztat_request_id BIGINT,
+    description TEXT,
+    timestamp TIMESTAMP NOT NULL
+);
+
+-- Create indexes for better query performance
+CREATE INDEX IF NOT EXISTS idx_pv_entity_id_timestamp 
+    ON policy_violation_events(entity_id, timestamp DESC);
+CREATE INDEX IF NOT EXISTS idx_pv_timestamp 
+    ON policy_violation_events(timestamp DESC);
+CREATE INDEX IF NOT EXISTS idx_pv_entity_id 
+    ON policy_violation_events(entity_id);
+CREATE INDEX IF NOT EXISTS idx_pv_approved 
+    ON policy_violation_events(approved);

dataplane/src/main/java/io/sentrius/sso/core/model/trust/PolicyViolationEvent.java

@@ -0,0 +1,95 @@
+package io.sentrius.sso.core.model.trust;
+
+import java.time.LocalDateTime;
+import jakarta.persistence.*;
+import lombok.*;
+
+/**
+ * Records policy violation events when an agent/user tries to access an endpoint
+ * outside their policy, and the resulting approval/denial decision.
+ * These events are used to calculate behavior scores in trust evaluations.
+ */
+@Entity
+@Table(name = "policy_violation_events", indexes = {
+    @Index(name = "idx_pv_entity_id_timestamp", columnList = "entity_id,timestamp"),
+    @Index(name = "idx_pv_timestamp", columnList = "timestamp")
+})
+@Getter
+@Setter
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class PolicyViolationEvent {
+    
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+    
+    /**
+     * The ID of the entity (agent or user) that attempted the policy violation
+     */
+    @Column(name = "entity_id", nullable = false)
+    private String entityId;
+    
+    /**
+     * The name of the entity
+     */
+    @Column(name = "entity_name")
+    private String entityName;
+    
+    /**
+     * The type of violation event
+     */
+    @Enumerated(EnumType.STRING)
+    @Column(name = "event_type", nullable = false, length = 50)
+    private PolicyViolationEventType eventType;
+    
+    /**
+     * Whether the violation was approved by a supervisor
+     */
+    @Column(name = "approved", nullable = false)
+    private Boolean approved;
+    
+    /**
+     * The endpoint that was accessed outside the policy
+     */
+    @Column(name = "endpoint")
+    private String endpoint;
+    
+    /**
+     * The policy ID that was violated
+     */
+    @Column(name = "policy_id")
+    private String policyId;
+    
+    /**
+     * The ID of the user who approved/denied the violation
+     */
+    @Column(name = "approver_id")
+    private String approverId;
+    
+    /**
+     * The ZTAT request ID associated with this event
+     */
+    @Column(name = "ztat_request_id")
+    private Long ztatRequestId;
+    
+    /**
+     * Description or notes about the violation
+     */
+    @Column(name = "description", columnDefinition = "TEXT")
+    private String description;
+    
+    /**
+     * When this event occurred
+     */
+    @Column(name = "timestamp", nullable = false)
+    private LocalDateTime timestamp;
+    
+    @PrePersist
+    protected void onCreate() {
+        if (timestamp == null) {
+            timestamp = LocalDateTime.now();
+        }
+    }
+}

dataplane/src/main/java/io/sentrius/sso/core/model/trust/PolicyViolationEventType.java

@@ -0,0 +1,36 @@
+package io.sentrius.sso.core.model.trust;
+
+/**
+ * Types of policy violation events that can be recorded.
+ */
+public enum PolicyViolationEventType {
+    /**
+     * Agent/user accessed an endpoint outside their policy and was approved
+     */
+    OUT_OF_POLICY_ACCESS_APPROVED,
+    
+    /**
+     * Agent/user accessed an endpoint outside their policy and was denied
+     */
+    OUT_OF_POLICY_ACCESS_DENIED,
+    
+    /**
+     * A ZTAT (Zero Trust Access Token) request was approved
+     */
+    ZTAT_REQUEST_APPROVED,
+    
+    /**
+     * A ZTAT request was denied
+     */
+    ZTAT_REQUEST_DENIED,
+    
+    /**
+     * An OPS JIT request was approved
+     */
+    OPS_JIT_APPROVED,
+    
+    /**
+     * An OPS JIT request was denied
+     */
+    OPS_JIT_DENIED
+}

dataplane/src/main/java/io/sentrius/sso/core/repository/trust/PolicyViolationEventRepository.java

@@ -0,0 +1,59 @@
+package io.sentrius.sso.core.repository.trust;
+
+import io.sentrius.sso.core.model.trust.PolicyViolationEvent;
+import io.sentrius.sso.core.model.trust.PolicyViolationEventType;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+import java.time.LocalDateTime;
+import java.util.List;
+
+@Repository
+public interface PolicyViolationEventRepository extends JpaRepository<PolicyViolationEvent, Long> {
+    
+    /**
+     * Find all policy violation events for an entity ordered by timestamp descending
+     */
+    List<PolicyViolationEvent> findByEntityIdOrderByTimestampDesc(String entityId);
+    
+    /**
+     * Find policy violation events for an entity within a time range
+     */
+    List<PolicyViolationEvent> findByEntityIdAndTimestampBetweenOrderByTimestampDesc(
+        String entityId, LocalDateTime start, LocalDateTime end);
+    
+    /**
+     * Count denied violations (incidents) for an entity since a given time
+     */
+    @Query("SELECT COUNT(e) FROM PolicyViolationEvent e WHERE e.entityId = :entityId " +
+           "AND e.approved = false AND e.timestamp >= :since")
+    long countDeniedViolations(@Param("entityId") String entityId, @Param("since") LocalDateTime since);
+    
+    /**
+     * Count approved violations for an entity since a given time
+     */
+    @Query("SELECT COUNT(e) FROM PolicyViolationEvent e WHERE e.entityId = :entityId " +
+           "AND e.approved = true AND e.timestamp >= :since")
+    long countApprovedViolations(@Param("entityId") String entityId, @Param("since") LocalDateTime since);
+    
+    /**
+     * Count all violations (both approved and denied) for an entity since a given time
+     */
+    @Query("SELECT COUNT(e) FROM PolicyViolationEvent e WHERE e.entityId = :entityId " +
+           "AND e.timestamp >= :since")
+    long countAllViolations(@Param("entityId") String entityId, @Param("since") LocalDateTime since);
+    
+    /**
+     * Find violations by event type for an entity
+     */
+    List<PolicyViolationEvent> findByEntityIdAndEventTypeOrderByTimestampDesc(
+        String entityId, PolicyViolationEventType eventType);
+    
+    /**
+     * Find recent violations across all entities
+     */
+    @Query("SELECT e FROM PolicyViolationEvent e WHERE e.timestamp >= :since ORDER BY e.timestamp DESC")
+    List<PolicyViolationEvent> findRecentViolations(@Param("since") LocalDateTime since);
+}