Add evidence creation API with flexible linking capabilities (#55)

* Initial plan

* Implement Evidence API controller with comprehensive testing

Co-authored-by: maxneuvians <867334+maxneuvians@users.noreply.github.com>

* Refactor evidence linking logic to Composer module and add comprehensive tests

Co-authored-by: maxneuvians <867334+maxneuvians@users.noreply.github.com>

* Implement NIST control-based evidence linking functionality

Co-authored-by: maxneuvians <867334+maxneuvians@users.noreply.github.com>

* Add comprehensive NIST control unit tests for evidence linking

Co-authored-by: maxneuvians <867334+maxneuvians@users.noreply.github.com>

* Fix get_in/3 undefined function error by using get_in/2 with default operator

Co-authored-by: maxneuvians <867334+maxneuvians@users.noreply.github.com>

* Fix database insert error handling in evidence linking functions

Co-authored-by: maxneuvians <867334+maxneuvians@users.noreply.github.com>

* Fix evidence associations not included in JSON response and resolve unused variable warnings

Co-authored-by: maxneuvians <867334+maxneuvians@users.noreply.github.com>

* fix: fmt

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: maxneuvians <867334+maxneuvians@users.noreply.github.com>
Co-authored-by: Max Neuvians <max@neuvians.net>

Author: Copilot

valentine/lib/valentine/composer.ex

@@ -1863,4 +1863,207 @@ defmodule Valentine.Composer do
   def change_evidence(%Evidence{} = evidence, attrs \\ %{}) do
     Evidence.changeset(evidence, attrs)
   end
+
+  @doc """
+  Creates evidence with automatic linking based on provided parameters.
+
+  This function handles the creation of evidence and its automatic linking to 
+  assumptions, threats, and mitigations based on the provided linking strategy.
+
+  ## Parameters
+    - evidence_attrs: Evidence attributes for creation
+    - linking_opts: Map containing linking options:
+      - assumption_id: Direct link to assumption
+      - threat_id: Direct link to threat  
+      - mitigation_id: Direct link to mitigation
+      - use_ai: Boolean flag for AI-based linking (stubbed)
+
+  ## Returns
+    {:ok, evidence_with_associations} | {:error, changeset}
+
+  ## Examples
+
+      iex> create_evidence_with_linking(%{name: "Test", evidence_type: :json_data, content: %{}}, %{assumption_id: "uuid"})
+      {:ok, %Evidence{}}
+
+  """
+  def create_evidence_with_linking(evidence_attrs, linking_opts \\ %{}) do
+    case create_evidence(evidence_attrs) do
+      {:ok, evidence} ->
+        # This would be called by the API controller for centralized linking logic
+        linked_evidence = apply_evidence_linking(evidence, linking_opts)
+
+        evidence_with_associations =
+          Repo.preload(linked_evidence, [:assumptions, :threats, :mitigations])
+
+        {:ok, evidence_with_associations}
+
+      {:error, changeset} ->
+        {:error, changeset}
+    end
+  end
+
+  @doc """
+  Applies linking logic to evidence based on provided options.
+
+  ## Parameters
+    - evidence: The evidence to link
+    - linking_opts: Map containing linking strategy options
+
+  ## Returns
+    The evidence (linking is done via side effects to join tables)
+  """
+  def apply_evidence_linking(evidence, linking_opts) do
+    # Direct ID linking takes precedence
+    if has_direct_linking_ids?(linking_opts) do
+      apply_direct_evidence_linking(evidence, linking_opts)
+    else
+      # NIST control-based linking when evidence has nist_controls
+      apply_nist_control_evidence_linking(evidence, linking_opts)
+    end
+  end
+
+  defp has_direct_linking_ids?(linking_opts) do
+    Map.get(linking_opts, :assumption_id) ||
+      Map.get(linking_opts, :threat_id) ||
+      Map.get(linking_opts, :mitigation_id)
+  end
+
+  defp apply_direct_evidence_linking(evidence, linking_opts) do
+    if assumption_id = Map.get(linking_opts, :assumption_id) do
+      link_evidence_to_assumption_by_id(evidence, assumption_id)
+    end
+
+    if threat_id = Map.get(linking_opts, :threat_id) do
+      link_evidence_to_threat_by_id(evidence, threat_id)
+    end
+
+    if mitigation_id = Map.get(linking_opts, :mitigation_id) do
+      link_evidence_to_mitigation_by_id(evidence, mitigation_id)
+    end
+
+    evidence
+  end
+
+  defp link_evidence_to_assumption_by_id(evidence, assumption_id) do
+    try do
+      assumption = get_assumption!(assumption_id)
+
+      if assumption.workspace_id == evidence.workspace_id do
+        case %EvidenceAssumption{evidence_id: evidence.id, assumption_id: assumption.id}
+             |> Repo.insert() do
+          {:ok, _} -> :ok
+          # Ignore duplicates or constraint errors
+          {:error, _} -> :ok
+        end
+      end
+    rescue
+      Ecto.NoResultsError -> :ok
+    end
+  end
+
+  defp link_evidence_to_threat_by_id(evidence, threat_id) do
+    try do
+      threat = get_threat!(threat_id)
+
+      if threat.workspace_id == evidence.workspace_id do
+        case %EvidenceThreat{evidence_id: evidence.id, threat_id: threat.id}
+             |> Repo.insert() do
+          {:ok, _} -> :ok
+          # Ignore duplicates or constraint errors
+          {:error, _} -> :ok
+        end
+      end
+    rescue
+      Ecto.NoResultsError -> :ok
+    end
+  end
+
+  defp apply_nist_control_evidence_linking(evidence, _linking_opts) do
+    # Only proceed if evidence has NIST controls defined
+    if evidence.nist_controls && length(evidence.nist_controls) > 0 do
+      link_evidence_by_nist_controls(evidence)
+    end
+
+    evidence
+  end
+
+  defp link_evidence_by_nist_controls(evidence) do
+    workspace_id = evidence.workspace_id
+    nist_controls = evidence.nist_controls
+
+    # Find assumptions with overlapping NIST controls in tags
+    assumptions = find_assumptions_by_nist_tags(workspace_id, nist_controls)
+
+    Enum.each(assumptions, fn assumption ->
+      case %EvidenceAssumption{evidence_id: evidence.id, assumption_id: assumption.id}
+           |> Repo.insert() do
+        {:ok, _} -> :ok
+        # Ignore duplicates or constraint errors
+        {:error, _} -> :ok
+      end
+    end)
+
+    # Find threats with overlapping NIST controls in tags  
+    threats = find_threats_by_nist_tags(workspace_id, nist_controls)
+
+    Enum.each(threats, fn threat ->
+      case %EvidenceThreat{evidence_id: evidence.id, threat_id: threat.id}
+           |> Repo.insert() do
+        {:ok, _} -> :ok
+        # Ignore duplicates or constraint errors
+        {:error, _} -> :ok
+      end
+    end)
+
+    # Find mitigations with overlapping NIST controls in tags
+    mitigations = find_mitigations_by_nist_tags(workspace_id, nist_controls)
+
+    Enum.each(mitigations, fn mitigation ->
+      case %EvidenceMitigation{evidence_id: evidence.id, mitigation_id: mitigation.id}
+           |> Repo.insert() do
+        {:ok, _} -> :ok
+        # Ignore duplicates or constraint errors
+        {:error, _} -> :ok
+      end
+    end)
+  end
+
+  defp find_assumptions_by_nist_tags(workspace_id, nist_controls) do
+    from(a in Assumption,
+      where: a.workspace_id == ^workspace_id and fragment("? && ?", a.tags, ^nist_controls)
+    )
+    |> Repo.all()
+  end
+
+  defp find_threats_by_nist_tags(workspace_id, nist_controls) do
+    from(t in Threat,
+      where: t.workspace_id == ^workspace_id and fragment("? && ?", t.tags, ^nist_controls)
+    )
+    |> Repo.all()
+  end
+
+  defp find_mitigations_by_nist_tags(workspace_id, nist_controls) do
+    from(m in Mitigation,
+      where: m.workspace_id == ^workspace_id and fragment("? && ?", m.tags, ^nist_controls)
+    )
+    |> Repo.all()
+  end
+
+  defp link_evidence_to_mitigation_by_id(evidence, mitigation_id) do
+    try do
+      mitigation = get_mitigation!(mitigation_id)
+
+      if mitigation.workspace_id == evidence.workspace_id do
+        case %EvidenceMitigation{evidence_id: evidence.id, mitigation_id: mitigation.id}
+             |> Repo.insert() do
+          {:ok, _} -> :ok
+          # Ignore duplicates or constraint errors
+          {:error, _} -> :ok
+        end
+      end
+    rescue
+      Ecto.NoResultsError -> :ok
+    end
+  end
 end

valentine/lib/valentine/composer/evidence.ex

@@ -16,7 +16,10 @@ defmodule Valentine.Composer.Evidence do
              :content,
              :blob_store_url,
              :nist_controls,
-             :tags
+             :tags,
+             :assumptions,
+             :threats,
+             :mitigations
            ]}
 
   schema "evidence" do

valentine/lib/valentine_web/controllers/api/evidence_controller.ex

@@ -0,0 +1,44 @@
+defmodule ValentineWeb.Api.EvidenceController do
+  use ValentineWeb, :controller
+
+  alias Valentine.Composer
+
+  def create(conn, %{"evidence" => evidence_params} = params) do
+    api_key = conn.assigns[:api_key]
+    workspace_id = api_key.workspace_id
+
+    # Extract linking parameters
+    linking_opts = %{
+      assumption_id: get_in(params, ["linking", "assumption_id"]),
+      threat_id: get_in(params, ["linking", "threat_id"]),
+      mitigation_id: get_in(params, ["linking", "mitigation_id"]),
+      use_ai: get_in(params, ["linking", "use_ai"]) || false
+    }
+
+    # Add workspace_id to evidence params
+    evidence_attrs = Map.put(evidence_params, "workspace_id", workspace_id)
+
+    case Composer.create_evidence_with_linking(evidence_attrs, linking_opts) do
+      {:ok, evidence_with_associations} ->
+        conn
+        |> put_status(:created)
+        |> json(%{
+          evidence: evidence_with_associations,
+          message: "Evidence created successfully"
+        })
+
+      {:error, changeset} ->
+        conn
+        |> put_status(:unprocessable_entity)
+        |> json(%{errors: format_changeset_errors(changeset)})
+    end
+  end
+
+  defp format_changeset_errors(changeset) do
+    Ecto.Changeset.traverse_errors(changeset, fn {msg, opts} ->
+      Regex.replace(~r"%{(\w+)}", msg, fn _, key ->
+        opts |> Keyword.get(String.to_existing_atom(key), key) |> to_string()
+      end)
+    end)
+  end
+end

valentine/lib/valentine_web/router.ex

@@ -38,6 +38,7 @@ defmodule ValentineWeb.Router do
     pipe_through :api
 
     get "/workspace", WorkspaceController, :index
+    post "/evidence", EvidenceController, :create
   end
 
   scope "/auth", ValentineWeb do