# Product Requirements Document: ScamShield AI
## Agentic Honeypot System for Scam Detection & Intelligence Extraction
**Version:** 1.0
**Date:** January 26, 2026
**Owner:** Product & Architecture Team
**Target Competition:** India AI Impact Buildathon 2026 - Challenge 2
**Submission Deadline:** February 5, 2026
---
## EXECUTIVE SUMMARY
ScamShield AI is an autonomous AI-powered honeypot system designed to detect scam messages, actively engage scammers using believable personas, and extract actionable intelligence including bank accounts, UPI IDs, and phishing links. Built exclusively with free-tier technologies, the system targets 90%+ detection accuracy and multi-turn conversational engagement in English and Hindi.
**Target Outcome:** TOP 10 ranking from 40,000 participants through technical superiority and production-grade implementation.
---
## PROBLEM STATEMENT
### Market Context
- 500,000+ scam calls/messages daily in India (TRAI 2025)
- ₹60+ crore daily losses to fraud
- 47% of Indians affected by or know victims of scam fraud
- Predominant scams: UPI fraud, fake loans, police/bank impersonation
### Solution Gap
Existing solutions focus on passive detection. ScamShield AI introduces active engagement to extract intelligence while scammers remain unaware they're interacting with an AI system.
---
## PRODUCT VISION
**Mission:** Proactively combat digital fraud through autonomous AI agents that gather actionable intelligence from scammers.
**Core Differentiators:**
1. **Active Engagement:** Multi-turn conversations (up to 20 turns) vs. single-response detection
2. **Intelligence Extraction:** Structured extraction of UPI IDs, bank accounts, IFSC codes, phone numbers, phishing links
3. **Persona Simulation:** Dynamic, believable personas (elderly, eager victim, confused user)
4. **Bilingual:** Native English + Hindi support with Hinglish handling
5. **Cost-Effective:** 100% free-tier implementation
---
## TARGET USERS
**Primary:** Competition judges evaluating via Mock Scammer API integration
**Secondary (Future):**
- Financial institutions (banks, payment providers)
- Law enforcement agencies
- Consumer protection organizations
- Telecom operators
---
## PRODUCT REQUIREMENTS
### Phase 1: Text-Based Honeypot (Feb 5, 2026)
#### FR-1: Scam Detection
- **Requirement:** Classify incoming messages as scam/not-scam with confidence scores
- **Accuracy Target:** ≥90% on test dataset
- **Languages:** English, Hindi, Hinglish (code-mixed)
- **Confidence Threshold:** 0.7 (trigger engagement)
#### FR-2: Agentic Engagement
- **Requirement:** Conduct multi-turn conversations to extract intelligence
- **Turn Range:** 1-20 turns per conversation
- **Persona Types:** Elderly (60+), Eager Victim (middle-aged), Confused User (young)
- **Strategy:** Progressive engagement (interest → confusion → probing)
#### FR-3: Intelligence Extraction
- **Requirement:** Extract and validate financial/contact information
- **Target Types:**
  - UPI IDs (e.g., user@paytm)
  - Bank Account Numbers (9-18 digits)
  - IFSC Codes (11 characters, format: XXXX0XXXXXX)
  - Phone Numbers (Indian mobile: +91XXXXXXXXXX or 10-digit)
  - Phishing Links (http/https URLs)
- **Precision Target:** ≥85%
- **Recall Target:** ≥80%
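
The FR-3 formats overlap: a 10-digit mobile number also fits the 9-18 digit account pattern, and an email address looks like a UPI ID. The sketch below is an added example, not ScamShield's own extraction module; the `extract` function, the rule ordering, the 6-9 leading-digit check for mobiles, and the sample message are assumptions made for illustration.

```python
import re

# Formats come from FR-3; the disambiguation rules are assumptions of this example.
URL_RE = re.compile(r"https?://[^\s<>]+", re.I)
# UPI ID: name@handle. A handle followed by ".tld" is an email address, not a UPI ID.
UPI_RE = re.compile(r"\b[\w.\-]{2,}@[A-Za-z]{2,}(?![A-Za-z0-9]|\.[A-Za-z])")
# IFSC: 4 letters, a literal 0, then 6 alphanumerics (uppercase only here).
IFSC_RE = re.compile(r"\b[A-Z]{4}0[A-Z0-9]{6}\b")
# Assumption: Indian mobile numbers start with 6-9; the +91 prefix is optional.
PHONE_RE = re.compile(r"(?<!\d)(?:\+91[\s\-]?)?([6-9]\d{9})(?!\d)")
ACCT_RE = re.compile(r"(?<!\d)\d{9,18}(?!\d)")

# Order matters: earlier rules claim their characters first, so digits inside a
# URL or UPI ID are not re-reported as a phone number or account number.
RULES = [
    ("urls", URL_RE, lambda m: m.group(0).rstrip(".,);")),
    ("upi_ids", UPI_RE, lambda m: m.group(0).lower()),
    ("ifsc_codes", IFSC_RE, lambda m: m.group(0)),
    ("phones", PHONE_RE, lambda m: "+91" + m.group(1)),
    ("bank_accounts", ACCT_RE, lambda m: m.group(0)),
]

def extract(text):
    """Return de-duplicated indicators per type, one type per character span."""
    found = {kind: [] for kind, _, _ in RULES}
    claimed = []  # (start, end) spans already assigned to a type
    for kind, regex, normalise in RULES:
        for m in regex.finditer(text):
            start, end = m.span()
            if any(start < e and s < end for s, e in claimed):
                continue  # overlaps an indicator found by an earlier rule
            claimed.append((start, end))
            value = normalise(m)
            if value not in found[kind]:
                found[kind].append(value)
    return found

# Constructed sample message, not real scam data.
SAMPLE = (
    "Sir your KYC is pending. Send Rs 500 to 9876543210@ybl or ramesh.k@paytm. "
    "Account 123456789012 IFSC SBIN0001234. Call +91 9123456780 or mail "
    "help@gmail.com, details at http://kyc-update.example/verify?id=1234567890"
)

if __name__ == "__main__":
    for kind, values in extract(SAMPLE).items():
        print(kind, values)
```

Precision against the ≥85% target depends mostly on these overlap rules, so the validation dataset should include phone-based UPI IDs, emails, and numeric URL parameters.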
#### FR-4: API Integration
- **Requirement:** REST API endpoint for competition testing
- **Response Time:** <2 seconds per request
- **Format:** Structured JSON output
- **Session Management:** Stateful conversation tracking
#### FR-5: State Persistence
- **Requirement:** Maintain conversation context across turns
- **Storage:** PostgreSQL (logs), Redis (active sessions), ChromaDB (embeddings)
- **Session Expiry:** 1 hour for active sessions
### Phase 2: Audio Extension (Post-Competition)
- Whisper-based audio transcription
- Voice deepfake detection
- Phone call integration
---
## NON-FUNCTIONAL REQUIREMENTS
### Performance
- API Latency: <2s (p95), <1s (p50)
- Throughput: 100 requests/minute
- Concurrent Sessions: 50+
### Reliability
- Uptime: 99%+ during competition testing window
- Error Rate: <1%
- Graceful degradation on LLM rate limits
### Scalability
- Horizontal scaling via containerization
- Stateless API design (state in external stores)
- Database connection pooling
### Security
- No storage of real user PII
- Anonymization of extracted phone numbers
- Safe engagement (no provocation/threats)
- Data retention: 30 days max
### Compliance
- DPDP Act 2023 adherence
- Ethical AI guidelines (no harm principle)
- Transparent data handling
---
## SUCCESS METRICS
### Competition Metrics
1. **Detection Accuracy:** >90% (true positive rate)
2. **False Positive Rate:** <5%
3. **Engagement Quality:** >10 turns average
4. **Extraction Precision:** >85%
5. **Response Time:** <2s per request
6. **System Uptime:** 99%+ during testing
### Technical Metrics
- Code Coverage: >80%
- Documentation Completeness: 100%
- API Compliance: 100% (all endpoints functional)
- Error Handling: All edge cases covered
---
## CONSTRAINTS & ASSUMPTIONS
### Constraints
- **Cost:** $0 operational cost (free tier only)
- **Time:** 10 days to production deployment
- **Languages:** English + Hindi only (no Gujarati/Tamil/etc.)
- **Modality:** Text only in Phase 1
### Assumptions
- Competition provides functional Mock Scammer API
- Groq API maintains 30 req/min free tier
- Test dataset representative of real scam messages
- Judges evaluate on detection accuracy, engagement quality, extraction precision
---
## DEPENDENCIES
### External Services
- Groq Cloud API (LLM)
- Supabase (PostgreSQL)
- Redis Cloud (cache)
- Hugging Face (model downloads)
### Critical Risks
| Risk | Impact | Mitigation |
|------|--------|-----------|
| Groq rate limits | High | Retry logic, exponential backoff, request queueing |
| Model loading time | Medium | Load at startup, cache in memory |
| Database connectivity | High | Connection pooling, auto-reconnect, local fallback |
| Competition API changes | Medium | Flexible schema design, extensive pre-testing |
---
## OUT OF SCOPE (Phase 1)
- Audio/voice call handling (Phase 2)
- Real-time phone system integration
- Automated police reporting
- Gujarati or other regional languages
- Web scraping of phishing sites
- Blockchain/cryptocurrency scam detection (unless text-based)
---
## ACCEPTANCE CRITERIA
**Phase 1 Launch Readiness:**
1. ✅ API endpoint deployed and publicly accessible
2. ✅ Health check endpoint returns 200 OK
3. ✅ Detection accuracy ≥85% on 100+ test cases
4. ✅ Extraction precision ≥80% on validation dataset
5. ✅ Response time <2s for 95% of requests
6. ✅ Multi-turn engagement averages >8 turns
7. ✅ Hindi and English both functional
8. ✅ JSON output matches specified schema
9. ✅ Monitoring dashboard active
10. ✅ Documentation complete (API docs, deployment guide)
---
## ROADMAP
### Week 1 (Jan 26 - Feb 1): Core Development
- Days 1-2: Project setup, dependencies, database initialization
- Days 3-4: Detection module (IndicBERT, language detection)
- Days 5-6: Agentic module (LangGraph, Groq integration, personas)
- Day 7: Extraction module (spaCy NER, regex patterns)
### Week 2 (Feb 2 - Feb 5): Testing & Deployment
- Day 8: Integration and end-to-end testing
- Day 9: Unit/integration/load testing
- Day 10: Production deployment to Render/Railway
- Day 11: Final testing and competition submission
---
## APPENDIX
### Technology Stack
- **Detection:** IndicBERT (ai4bharat/indic-bert), langdetect
- **LLM:** Groq Llama 3.1 70B (free tier)
- **Orchestration:** LangGraph + LangChain
- **Extraction:** spaCy (en_core_web_sm), regex patterns
- **API:** FastAPI + Uvicorn + Pydantic
- **Storage:** PostgreSQL, Redis, ChromaDB (all local/free)
- **Deployment:** Docker, Render/Railway
### Key Performance Indicators
- Scam detection calls: target 1000+ during competition testing
- Average engagement turns: target 12
- Intelligence pieces extracted per conversation: target 2.5
- System uptime during judging window: 99.9%
---
**Document Status:** Approved for Implementation
**Next Steps:** Proceed to FRD.md for detailed functional specifications