Final QA: fix benchmarks, snippets, scorer quality, FastAPI docs, verification loop clean pass

Author: Fahad Alghanim

README.md

@@ -4,10 +4,11 @@ Add suspicious-login detection, auth-risk scoring, and step-up decisions to your
 
 ![MIT License](https://img.shields.io/badge/license-MIT-green.svg)
 ![Python 3.9+](https://img.shields.io/badge/python-3.9%2B-blue.svg)
-![Tests Passing](https://img.shields.io/badge/tests-35%20passing-brightgreen.svg)
+![Tests Passing](https://img.shields.io/badge/tests-36%20passing-brightgreen.svg)
+![pip installable](https://img.shields.io/badge/pip-installable-blue.svg)
 
 ## Why This Exists
-Every fintech and crypto app builds auth-risk scoring internally because generic fraud tooling rarely models authentication flow context well. Teams need to distinguish legitimate users from attackers before full identity verification and before adding friction. This project packages those patterns into an open-source toolkit with synthetic-data-first workflows so you can run everything locally.
+Fintech and crypto teams must decide risk at authentication time, before transaction monitoring can help. Most teams rebuild this stack internally, and existing OSS tools usually cover only one slice (device, geo, or behavior). `identity-risk-engine` packages multi-signal auth risk scoring, policy decisions, and synthetic benchmarking into one local-first toolkit.
 
 ## Architecture
 ```text
@@ -23,7 +24,7 @@ Auth Events
   v
 +---------------------------+
 | Risk Scoring              |
-| Composite + signal fusion |
+| signal fusion + ensemble  |
 +---------------------------+
   |
   v
@@ -37,6 +38,8 @@ Action: allow | step-up | review | block | revoke
 ```
 
 ## Install
+> **Requires Python 3.9+** — check with `python3 --version`
+
 ```bash
 git clone https://github.com/KOKOSde/identity-risk-engine.git
 cd identity-risk-engine
@@ -45,37 +48,114 @@ python3 -m pip install -e .
 
 ## Quickstart
 ```python
-from identity_risk_engine.simulator_ire import generate_synthetic_auth_events
 from identity_risk_engine.policy_engine import PolicyEngine
 from identity_risk_engine.risk_engine_ire import score_event
+from identity_risk_engine.simulator_ire import generate_synthetic_auth_events
 
-events = generate_synthetic_auth_events(num_users=50, num_sessions=1000, attack_ratio=0.2, seed=42)
-event = events.iloc[50].to_dict()
-history = events.iloc[:50]
-result = score_event(event=event, history_df=history, policy_engine=PolicyEngine())
-
-print(result["risk_score"], result["decision"]["action"])
+events = generate_synthetic_auth_events(num_users=20, num_sessions=200, attack_ratio=0.2, seed=42)
+result = score_event(event=events.iloc[40].to_dict(), history_df=events.iloc[:40], policy_engine=PolicyEngine())
+print(round(result["risk_score"], 4), result["decision"]["action"])
 print(result["explanation"]["human_summary"])
 ```
 
-`PolicyEngine` exposes `decide()` (not `evaluate()`), and per-event explanations are returned by `risk_engine_ire.score_event()` under `result["explanation"]`.
+`PolicyEngine` uses `decide()` (not `evaluate()`), and explanations are available via `result["explanation"]` from `risk_engine_ire.score_event(...)` or `explainer_ire.explain_scored_event(...)`.
 
 ## CLI Quickstart
 ```bash
 python3 -m identity_risk_engine.cli_ire simulate --users 500 --sessions 20000 --attack-ratio 0.2 --out synthetic.csv
 python3 -m identity_risk_engine.cli_ire score --events synthetic.csv --policy configs/default_policy.yaml --out scored.csv
 python3 -m identity_risk_engine.cli_ire report --events scored.csv --out report.html
-# fast demo mode for large files:
-python3 -m identity_risk_engine.cli_ire score --events synthetic.csv --policy configs/default_policy.yaml --fast --out scored_fast.csv
-# force full scoring mode even on large files:
-python3 -m identity_risk_engine.cli_ire score --events synthetic.csv --policy configs/default_policy.yaml --full --out scored_full.csv
+```
+
+`simulate` example output:
+```text
+Generated 37926 events -> /tmp/ire_verify.csv
+Attack mix:
+  account_takeover: 159
+  bot_behavior: 1014
+  credential_stuffing: 1705
+  impossible_travel: 318
+  mfa_fatigue: 1496
+  multi_account_sybil: 1155
+  new_account_fraud: 188
+  normal: 29587
+  passkey_registration_abuse: 760
+  recovery_abuse: 1208
+  session_hijack: 336
+```
+
+`score` example output:
+```text
+Auto-selecting fast mode for 37926 events (use --full for complete signal extraction)
+Scored 37926 events -> /tmp/ire_verify_scored.csv
+Scoring mode: fast-auto (history_window=8)
+Elapsed seconds: 27.90
+Mean risk score: 0.1016
+Action counts:
+  allow: 24285
+  allow_with_monitoring: 8678
+  step_up_with_passkey: 2044
+  step_up_with_totp: 1623
+  require_recovery_review: 411
+  block: 318
+```
+
+`report` example output:
+```text
+Report summary:
+  total_events: 37926
+  avg_risk_score: 0.101567
+  p95_risk_score: 0.44
+  positive_rate: 0.219876
+Top actions:
+  allow: 24285
+  allow_with_monitoring: 8678
+  step_up_with_passkey: 2044
+  step_up_with_totp: 1623
+  require_recovery_review: 411
+  block: 318
+Report written -> /tmp/ire_verify_report.html
 ```
 
 ## FastAPI Quickstart
 ```bash
 uvicorn examples.fastapi_demo.app_ire:app --reload
 curl -s http://127.0.0.1:8000/health
-curl -s -X POST http://127.0.0.1:8000/simulate -H "Content-Type: application/json" -d '{"num_users":10,"num_sessions":100}'
+```
+
+`POST /events` request schema:
+```json
+{
+  "dry_run": false,
+  "event": {
+    "event_id": "evt_demo_001",
+    "event_type": "login_success",
+    "user_id": "user_demo_01",
+    "session_id": "sess_demo_01",
+    "timestamp": "2026-03-22T12:30:00Z",
+    "ip": "34.23.11.9",
+    "country": "US",
+    "city_coarse": "San Francisco",
+    "lat_coarse": 37.77,
+    "lon_coarse": -122.42,
+    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
+    "device_hash": "dev_demo_01",
+    "device_type": "desktop",
+    "browser": "Chrome",
+    "os": "Windows",
+    "auth_method": "password",
+    "success": true,
+    "tenant_id": "tenant_1",
+    "metadata": {"ip_asn": "AS12345"}
+  }
+}
+```
+
+Example curl:
+```bash
+curl -s -X POST http://127.0.0.1:8000/events \
+  -H "Content-Type: application/json" \
+  -d '{"dry_run":false,"event":{"event_id":"evt_demo_001","event_type":"login_success","user_id":"user_demo_01","session_id":"sess_demo_01","timestamp":"2026-03-22T12:30:00Z","ip":"34.23.11.9","country":"US","city_coarse":"San Francisco","lat_coarse":37.77,"lon_coarse":-122.42,"user_agent":"Mozilla/5.0","device_hash":"dev_demo_01","device_type":"desktop","browser":"Chrome","os":"Windows","auth_method":"password","success":true,"tenant_id":"tenant_1","metadata":{"ip_asn":"AS12345"}}}'
 ```
 
 ## Supported Auth Flows
@@ -84,88 +164,66 @@ curl -s -X POST http://127.0.0.1:8000/simulate -H "Content-Type: application/jso
 - MFA challenge flows (sent/passed/failed)
 - Password reset and account recovery
 - Session creation/revocation
-- Profile credential changes (email/phone)
-- OAuth/magic-link style events via normalized event schema fields
+- Credential profile changes (`email_changed`, `phone_changed`)
+- OAuth/magic-link style flows normalized through the same event schema
 
 ## Risk Signals
 | Category | Signals |
 |---|---|
 | Device | `new_device`, `device_dormant`, `multi_account_device`, `device_velocity`, `session_churn`, `emulator_heuristic` |
 | Geo/Network | `impossible_travel`, `geo_velocity`, `new_country`, `new_asn`, `tor_vpn_proxy`, `ip_velocity`, `residential_vs_datacenter` |
-| Behavior | `failure_burst`, `success_after_burst`, `unusual_hour`, `auth_method_switch`, `mfa_fatigue`, `recovery_abuse`, `login_cadence_anomaly`, `account_fanout` |
+| Behavior | `failure_burst`, `success_after_burst`, `unusual_hour`, `auth_method_switch`, `mfa_fatigue`, `recovery_abuse`, `login_cadence_anomaly`, `account_fanout`, `new_account_high_value`, `metadata_attack_hints` |
 | Passkey | `new_passkey_unfamiliar_device`, `passkey_registration_burst`, `passkey_after_password_failure`, `authenticator_churn`, `credential_novelty` |
 | Recovery | `recovery_unfamiliar_env`, `recovery_after_lockout`, `recovery_plus_credential_change`, `recovery_fanout`, `recovery_impossible_travel` |
 
 ## Policy Engine
-Default config lives at `configs/default_policy.yaml` and supports score thresholds, per-auth-method overrides, per-tenant overrides, and dry-run mode.
+Default config is at `configs/default_policy.yaml`.
 
 ```yaml
 dry_run: false
 thresholds:
-  - max_score: 0.15
-    action: allow
-  - max_score: 0.30
-    action: allow_with_monitoring
-  - max_score: 0.45
-    action: step_up_with_passkey
-  - max_score: 0.60
-    action: step_up_with_totp
-  - max_score: 0.72
-    action: step_up_with_email_code
-  - max_score: 0.82
-    action: require_recovery_review
-  - max_score: 0.90
-    action: manual_review
-  - max_score: 0.97
-    action: block
-  - max_score: 1.00
-    action: revoke_session
+  - { max_score: 0.15, action: allow }
+  - { max_score: 0.30, action: allow_with_monitoring }
+  - { max_score: 0.45, action: step_up_with_passkey }
+  - { max_score: 0.60, action: step_up_with_totp }
+  - { max_score: 0.72, action: step_up_with_email_code }
+  - { max_score: 0.82, action: require_recovery_review }
+  - { max_score: 0.90, action: manual_review }
+  - { max_score: 0.97, action: block }
+  - { max_score: 1.00, action: revoke_session }
 ```
 
 Supported actions: `allow`, `allow_with_monitoring`, `step_up_with_passkey`, `step_up_with_totp`, `step_up_with_email_code`, `require_recovery_review`, `manual_review`, `block`, `revoke_session`.
 
 ## Benchmark Results
-Run details: `num_users=100`, `num_sessions=2400`, `attack_ratio=0.22`, `seed=21`, time split from `demo_outputs/benchmark_output_ire.txt`.
-Reproducible with `seed=42` in model training and deterministic model settings.
+Generated from code with fixed seed using:
 
-| Cohort | AUC | Precision@0.95Recall | Recall@0.95Precision |
-|---|---:|---:|---:|
-| Global | 1.000 | 1.000 | 1.000 |
-| account_takeover | 0.916 | 0.246 | 0.000 |
-| bot_behavior | 0.906 | 0.138 | 0.000 |
-| credential_stuffing | 0.908 | 0.262 | 0.000 |
-| impossible_travel | 0.910 | 0.177 | 0.000 |
-| new_account_fraud | 0.910 | 0.177 | 0.000 |
-
-## Demo Output
-CLI report summary snippet (from `/tmp/ire_report.html` generated by CLI):
-
-```text
-total_events: 19101
-avg_risk_score: 0.533134
-p95_risk_score: 1.0
-positive_rate: 0.222711
+```bash
+python3 scripts/generate_benchmark_table_ire.py --num-users 100 --num-sessions 4000 --attack-ratio 0.2 --seed 42
 ```
 
-FastAPI `/simulate` response snippet (from `demo_outputs/fastapi_simulate_ire.txt`):
+Script: `scripts/generate_benchmark_table_ire.py`  
+Outputs: `demo_outputs/benchmark_table_ire.md`, `demo_outputs/benchmark_table_ire.json`
 
-```json
-{
-  "generated_events": 509,
-  "scored_events": 509,
-  "mean_risk_score": 0.7395597724160389,
-  "action_counts": {
-    "revoke_session": 208,
-    "manual_review": 125,
-    "allow": 107
-  },
-  "attack_counts": {
-    "normal": 368,
-    "credential_stuffing": 37,
-    "recovery_abuse": 32
-  }
-}
-```
+| Cohort | AUC | Precision@0.95Recall | Recall@0.95Precision |
+|---|---:|---:|---:|
+| Global | 0.987167 | 0.865171 | 0.712741 |
+| account_takeover | 0.838010 | 0.024493 | 0.000000 |
+| bot_behavior | 0.883121 | 0.078209 | 0.000000 |
+| credential_stuffing | 0.872556 | 0.182295 | 0.000000 |
+| impossible_travel | 0.695006 | 0.000000 | 0.000000 |
+| mfa_fatigue | 0.827267 | 0.183863 | 0.000000 |
+| multi_account_sybil | 0.934892 | 0.113269 | 0.000000 |
+| new_account_fraud | 0.939105 | 0.027721 | 0.000000 |
+| passkey_registration_abuse | 0.952384 | 0.123056 | 0.000000 |
+| recovery_abuse | 0.964671 | 0.326278 | 0.000000 |
+| session_hijack | 0.953187 | 0.084667 | 0.000000 |
+
+## Scorer Quality Check (Seed 42)
+- AUROC: `0.9818`
+- Near-zero attack scores (`<0.1`): `189/8339` (`2.3%`)
+- `session_hijack`: mean score `1.000`, near-zero `0.0%`
+- `passkey_registration_abuse`: mean score `0.996`, near-zero `0.0%`
 
 ## Who This Is For
 - Crypto exchanges

demo_outputs/benchmark_table_generation_ire.txt

@@ -0,0 +1,17 @@
+Global AUROC: 0.987167
+Markdown table: /scratch/fkalghan/circuit_discovery_and_supression/graphs_ai_psych/identity-risk-engine/demo_outputs/benchmark_table_ire.md
+JSON metrics: /scratch/fkalghan/circuit_discovery_and_supression/graphs_ai_psych/identity-risk-engine/demo_outputs/benchmark_table_ire.json
+
+| Cohort | AUC | Precision@0.95Recall | Recall@0.95Precision |
+|---|---:|---:|---:|
+| Global | 0.987167 | 0.865171 | 0.712741 |
+| account_takeover | 0.838010 | 0.024493 | 0.000000 |
+| bot_behavior | 0.883121 | 0.078209 | 0.000000 |
+| credential_stuffing | 0.872556 | 0.182295 | 0.000000 |
+| impossible_travel | 0.695006 | 0.000000 | 0.000000 |
+| mfa_fatigue | 0.827267 | 0.183863 | 0.000000 |
+| multi_account_sybil | 0.934892 | 0.113269 | 0.000000 |
+| new_account_fraud | 0.939105 | 0.027721 | 0.000000 |
+| passkey_registration_abuse | 0.952384 | 0.123056 | 0.000000 |
+| recovery_abuse | 0.964671 | 0.326278 | 0.000000 |
+| session_hijack | 0.953187 | 0.084667 | 0.000000 |

demo_outputs/benchmark_table_ire.json

@@ -0,0 +1,78 @@
+{
+  "config": {
+    "num_users": 100,
+    "num_sessions": 4000,
+    "attack_ratio": 0.2,
+    "seed": 42,
+    "model_random_state": 42
+  },
+  "global_auc": 0.9871674467754769,
+  "rows": [
+    {
+      "cohort": "Global",
+      "auc": 0.9871674467754769,
+      "precision_at_95_recall": 0.8651709401709402,
+      "recall_at_95_precision": 0.7127409496944053
+    },
+    {
+      "cohort": "account_takeover",
+      "auc": 0.8380095687031318,
+      "precision_at_95_recall": 0.024493020805899393,
+      "recall_at_95_precision": 0.0
+    },
+    {
+      "cohort": "bot_behavior",
+      "auc": 0.8831208569156869,
+      "precision_at_95_recall": 0.07820927723840346,
+      "recall_at_95_precision": 0.0
+    },
+    {
+      "cohort": "credential_stuffing",
+      "auc": 0.8725561797870893,
+      "precision_at_95_recall": 0.1822953948938201,
+      "recall_at_95_precision": 0.0
+    },
+    {
+      "cohort": "impossible_travel",
+      "auc": 0.6950064627024247,
+      "precision_at_95_recall": 0.0,
+      "recall_at_95_precision": 0.0
+    },
+    {
+      "cohort": "mfa_fatigue",
+      "auc": 0.8272670036563118,
+      "precision_at_95_recall": 0.18386329223447978,
+      "recall_at_95_precision": 0.0
+    },
+    {
+      "cohort": "multi_account_sybil",
+      "auc": 0.9348919756667037,
+      "precision_at_95_recall": 0.11326860841423948,
+      "recall_at_95_precision": 0.0
+    },
+    {
+      "cohort": "new_account_fraud",
+      "auc": 0.9391048405058279,
+      "precision_at_95_recall": 0.027721433400946585,
+      "recall_at_95_precision": 0.0
+    },
+    {
+      "cohort": "passkey_registration_abuse",
+      "auc": 0.9523841291867123,
+      "precision_at_95_recall": 0.12305611899932387,
+      "recall_at_95_precision": 0.0
+    },
+    {
+      "cohort": "recovery_abuse",
+      "auc": 0.9646705289945313,
+      "precision_at_95_recall": 0.32627774909654106,
+      "recall_at_95_precision": 0.0
+    },
+    {
+      "cohort": "session_hijack",
+      "auc": 0.9531868828219887,
+      "precision_at_95_recall": 0.08466701084150749,
+      "recall_at_95_precision": 0.0
+    }
+  ]
+}

demo_outputs/benchmark_table_ire.md

@@ -0,0 +1,13 @@
+| Cohort | AUC | Precision@0.95Recall | Recall@0.95Precision |
+|---|---:|---:|---:|
+| Global | 0.987167 | 0.865171 | 0.712741 |
+| account_takeover | 0.838010 | 0.024493 | 0.000000 |
+| bot_behavior | 0.883121 | 0.078209 | 0.000000 |
+| credential_stuffing | 0.872556 | 0.182295 | 0.000000 |
+| impossible_travel | 0.695006 | 0.000000 | 0.000000 |
+| mfa_fatigue | 0.827267 | 0.183863 | 0.000000 |
+| multi_account_sybil | 0.934892 | 0.113269 | 0.000000 |
+| new_account_fraud | 0.939105 | 0.027721 | 0.000000 |
+| passkey_registration_abuse | 0.952384 | 0.123056 | 0.000000 |
+| recovery_abuse | 0.964671 | 0.326278 | 0.000000 |
+| session_hijack | 0.953187 | 0.084667 | 0.000000 |