ADD : Docer

adaptiveauth/__init__.py

@@ -56,7 +56,7 @@ from .risk import (
 from .auth import AuthService, OTPService, EmailService
 from .routers import (
     auth_router, user_router, admin_router,
-    risk_router, adaptive_router
+    risk_router, adaptive_router, demo_router, session_intel_router
 )
 
 
@@ -140,7 +140,9 @@ class AdaptiveAuth:
         self._router.include_router(auth_router)
         self._router.include_router(user_router)
         self._router.include_router(admin_router)
-        
+        self._router.include_router(demo_router)
+        self._router.include_router(session_intel_router)
+
         if self.enable_risk_assessment:
             self._router.include_router(risk_router)
             self._router.include_router(adaptive_router)
@@ -353,4 +355,5 @@ __all__ = [
     "admin_router",
     "risk_router",
     "adaptive_router",
+    "demo_router",
 ]

adaptiveauth/auth/service.py

@@ -250,7 +250,8 @@ class AuthService:
         if challenge.challenge_type == 'otp':
             verified = self.otp_service.verify_otp(user.tfa_secret, code)
         elif challenge.challenge_type == 'email':
-            verified = challenge.challenge_code == code
+            from ..core.security import constant_time_compare
+            verified = constant_time_compare(challenge.challenge_code or '', code)
         
         challenge.attempts += 1
         

adaptiveauth/models.py

@@ -311,6 +311,42 @@ class AnomalyPattern(Base):
     resolved_at = Column(DateTime, nullable=True)
 
 
+class SessionTrustEvent(Base):
+    """Trust score change events throughout a session's lifecycle. (Feature 1 & 3)"""
+    __tablename__ = "adaptiveauth_trust_events"
+
+    id = Column(Integer, primary_key=True, index=True)
+    session_id = Column(Integer, ForeignKey("adaptiveauth_sessions.id", ondelete="CASCADE"), index=True)
+    user_id = Column(Integer, ForeignKey("adaptiveauth_users.id", ondelete="CASCADE"), index=True)
+
+    trust_score = Column(Float, nullable=False)   # score AFTER this event
+    delta = Column(Float, default=0.0)            # how much it changed
+    event_type = Column(String(100), nullable=False)  # decay | behavior | context_change | micro_challenge | impossible_travel
+    reason = Column(String(255), nullable=True)
+    signals = Column(JSON, default=dict)          # contributing signal values
+
+    created_at = Column(DateTime, default=datetime.utcnow, index=True)
+
+
+class BehaviorSignalRecord(Base):
+    """Privacy-first behavior signal records. Only aggregated scores are stored. (Feature 2 & 8)"""
+    __tablename__ = "adaptiveauth_behavior_signals"
+
+    id = Column(Integer, primary_key=True, index=True)
+    session_id = Column(Integer, ForeignKey("adaptiveauth_sessions.id", ondelete="CASCADE"), index=True)
+    user_id = Column(Integer, ForeignKey("adaptiveauth_users.id", ondelete="CASCADE"), index=True)
+
+    # Client-computed signals (0.0–1.0 each). Raw keystrokes/mouse coords are NEVER sent.
+    typing_entropy = Column(Float, nullable=True)    # 1.0 = very human-like keystroke rhythm
+    mouse_linearity = Column(Float, nullable=True)   # higher = more curved/natural paths
+    scroll_variance = Column(Float, nullable=True)   # moderate variance = normal human
+    local_risk_score = Column(Float, nullable=True)  # client-side composite (privacy-first)
+
+    anomaly_score = Column(Float, default=0.0)       # server-computed 0–100
+
+    recorded_at = Column(DateTime, default=datetime.utcnow, index=True)
+
+
 class StepUpChallenge(Base):
     """Step-up authentication challenges."""
     __tablename__ = "adaptiveauth_stepup_challenges"

adaptiveauth/risk/__init__.py

@@ -12,6 +12,14 @@ from .factors import (
 )
 from .analyzer import BehaviorAnalyzer
 from .monitor import SessionMonitor, AnomalyDetector
+from .session_intelligence import (
+    TrustScoreManager,
+    BehaviorSignalProcessor,
+    ImpossibleTravelDetector,
+    MicroChallengeEngine,
+    RiskExplainer,
+    StatisticalAnomalyDetector,
+)
 
 __all__ = [
     "RiskEngine",
@@ -25,4 +33,10 @@ __all__ = [
     "BehaviorAnalyzer",
     "SessionMonitor",
     "AnomalyDetector",
+    "TrustScoreManager",
+    "BehaviorSignalProcessor",
+    "ImpossibleTravelDetector",
+    "MicroChallengeEngine",
+    "RiskExplainer",
+    "StatisticalAnomalyDetector",
 ]

adaptiveauth/risk/session_intelligence.py

@@ -0,0 +1,671 @@
+"""
+Session Intelligence Engine
+===========================
+Implements 8 advanced security capabilities beyond standard login-time auth:
+
+  1. Continuous Verification   – verify context throughout session lifecycle
+  2. Behavioral Intelligence   – typing rhythm, mouse paths, scroll patterns
+  3. Dynamic Trust Score       – evolving 0-100 score; decays + recovers
+  4. Low-Friction Micro-Challenges – triggered only when trust drops
+  5. Explainable Risk          – factor contributions, confidence, audit trail
+  6. AI-Powered Anomaly Scoring – isolation-forest-inspired statistical model
+  7. Impossible Travel         – haversine geo-velocity detection
+  8. Privacy-First Design      – client computes signals; server receives only score
+"""
+
+import math
+import hashlib
+import random
+from datetime import datetime, timedelta
+from typing import Optional, List, Dict, Any, Tuple
+from sqlalchemy.orm import Session
+
+from ..models import (
+    User, UserSession, LoginAttempt, AnomalyPattern, RiskLevel,
+    SessionTrustEvent, BehaviorSignalRecord,
+)
+
+# ── City Geo-Coordinates ────────────────────────────────────────────────────
+CITY_COORDS: Dict[str, Tuple[float, float]] = {
+    "new york":      (40.7128,  -74.0060),
+    "moscow":        (55.7558,   37.6173),
+    "beijing":       (39.9042,  116.4074),
+    "london":        (51.5074,   -0.1278),
+    "tokyo":         (35.6762,  139.6503),
+    "sydney":       (-33.8688,  151.2093),
+    "paris":         (48.8566,    2.3522),
+    "dubai":         (25.2048,   55.2708),
+    "singapore":     ( 1.3521,  103.8198),
+    "toronto":       (43.6532,  -79.3832),
+    "chicago":       (41.8781,  -87.6298),
+    "miami":         (25.7617,  -80.1918),
+    "berlin":        (52.5200,   13.4050),
+    "mumbai":        (19.0760,   72.8777),
+    "bangkok":       (13.7563,  100.5018),
+    "cairo":         (30.0444,   31.2357),
+    "johannesburg": (-26.2041,   28.0473),
+    "sao paulo":    (-23.5505,  -46.6333),
+    "buenos aires": (-34.6037,  -58.3816),
+    "seattle":       (47.6062, -122.3321),
+    "los angeles":   (34.0522, -118.2437),
+    "mexico city":   (19.4326,  -99.1332),
+}
+
+# ── Behavior Baseline (mean, std) for each client-collected metric ──────────
+BEHAVIOR_BASELINE: Dict[str, Tuple[float, float]] = {
+    "typing_entropy":  (0.70, 0.15),   # 1.0 = perfectly human-like rhythm
+    "mouse_linearity": (0.62, 0.18),   # 1.0 = natural curved paths
+    "scroll_variance": (0.48, 0.22),   # moderate = organic human scrolling
+}
+
+# ── Trust score baselines by security level ─────────────────────────────────
+TRUST_BASELINE: Dict[int, float] = {0: 95.0, 1: 80.0, 2: 60.0, 3: 35.0, 4: 10.0}
+
+# ── In-memory caches ─────────────────────────────────────────────────────────
+# {session_id: {"score": float, "last_update": datetime}}
+_trust_cache: Dict[int, Dict[str, Any]] = {}
+
+# {challenge_id: {"answer_hash": str, "expires": datetime, "attempts": int}}
+_micro_challenges: Dict[str, Dict[str, Any]] = {}
+
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Helper math
+# ═══════════════════════════════════════════════════════════════════════════
+
+def haversine(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
+    """Great-circle distance in km between two geographic points."""
+    R = 6371.0
+    d_lat = math.radians(lat2 - lat1)
+    d_lon = math.radians(lon2 - lon1)
+    a = (math.sin(d_lat / 2) ** 2
+         + math.cos(math.radians(lat1)) * math.cos(math.radians(lat2))
+         * math.sin(d_lon / 2) ** 2)
+    return R * 2 * math.atan2(math.sqrt(a), math.sqrt(1 - a))
+
+
+def _z_anomaly(value: float, mean: float, std: float) -> float:
+    """Convert value to 0–100 anomaly score using a Z-score transform."""
+    if std < 1e-6:
+        return 0.0 if abs(value - mean) < 0.01 else 50.0
+    z = abs(value - mean) / std
+    return min(100.0, (z / 3.5) ** 0.75 * 100.0)
+
+
+def _resolve_coords(
+    city: Optional[str],
+    lat: Optional[float],
+    lon: Optional[float],
+) -> Tuple[Optional[float], Optional[float]]:
+    if lat is not None and lon is not None:
+        return lat, lon
+    if city:
+        return CITY_COORDS.get(city.lower().strip(), (None, None))
+    return None, None
+
+
+def _classify_anomaly(score: float) -> str:
+    if score >= 80: return "critical"
+    if score >= 60: return "high"
+    if score >= 40: return "medium"
+    if score >= 20: return "low"
+    return "normal"
+
+
+def _build_summary(anomalous_factors: List[str], security_level: int) -> str:
+    if not anomalous_factors:
+        return "All signals normal. Trusted session context."
+    if len(anomalous_factors) == 1:
+        return f"{anomalous_factors[0]} flagged. Minimal elevated risk."
+    return (
+        f"{len(anomalous_factors)} risk signals triggered: "
+        + ", ".join(anomalous_factors[:3])
+        + (f" and {len(anomalous_factors) - 3} more." if len(anomalous_factors) > 3 else ".")
+    )
+
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Feature 1 & 3 – Continuous Verification + Dynamic Trust Score
+# ═══════════════════════════════════════════════════════════════════════════
+
+class TrustScoreManager:
+    """
+    Maintains an evolving Trust Score (0–100) throughout the session lifecycle.
+
+    Decay rules:
+      • Time-based: –0.25 pts/min of inactivity
+      • Behavior anomaly: –4 to –24 depending on severity
+      • Context change (IP/device): –20
+      • Impossible travel: –50
+
+    Recovery rules:
+      • Good behavior signal: +2 to +6
+      • Micro-challenge pass:  +20
+    """
+
+    DECAY_RATE = 0.25   # pts / minute inactive
+
+    def __init__(self, db: Session):
+        self.db = db
+
+    def get(self, session: UserSession) -> float:
+        """Return current trust score, hydrating from DB if not cached."""
+        sid = session.id
+        if sid in _trust_cache:
+            return _trust_cache[sid]["score"]
+
+        last = (
+            self.db.query(SessionTrustEvent)
+            .filter(SessionTrustEvent.session_id == sid)
+            .order_by(SessionTrustEvent.created_at.desc())
+            .first()
+        )
+        score = float(last.trust_score) if last else TRUST_BASELINE.get(
+            {"low": 0, "medium": 1, "high": 2, "critical": 3}.get(
+                session.current_risk_level or "low", 1
+            ), 80.0
+        )
+        _trust_cache[sid] = {"score": score, "last_update": datetime.utcnow()}
+        return score
+
+    def apply_decay(self, session: UserSession) -> Tuple[float, float]:
+        """Apply time-based trust decay. Returns (new_score, delta)."""
+        sid = session.id
+        cache = _trust_cache.get(sid)
+        if not cache:
+            return self.get(session), 0.0
+
+        elapsed_minutes = (datetime.utcnow() - cache["last_update"]).total_seconds() / 60
+        delta = -self.DECAY_RATE * elapsed_minutes
+        new_score = max(0.0, cache["score"] + delta)
+        _trust_cache[sid] = {"score": new_score, "last_update": datetime.utcnow()}
+        return new_score, delta
+
+    def update(
+        self,
+        session: UserSession,
+        delta: float,
+        event_type: str,
+        reason: str,
+        signals: Optional[Dict] = None,
+    ) -> float:
+        """Apply delta, clamp to [0, 100], persist to DB, update cache."""
+        current = self.get(session)
+        new_score = max(0.0, min(100.0, current + delta))
+        _trust_cache[session.id] = {"score": new_score, "last_update": datetime.utcnow()}
+
+        self.db.add(SessionTrustEvent(
+            session_id=session.id,
+            user_id=session.user_id,
+            trust_score=new_score,
+            delta=delta,
+            event_type=event_type,
+            reason=reason,
+            signals=signals or {},
+        ))
+        self.db.commit()
+        return new_score
+
+    def get_history(self, session_id: int, limit: int = 40) -> List[Dict]:
+        events = (
+            self.db.query(SessionTrustEvent)
+            .filter(SessionTrustEvent.session_id == session_id)
+            .order_by(SessionTrustEvent.created_at.desc())
+            .limit(limit)
+            .all()
+        )
+        return [
+            {
+                "score": e.trust_score,
+                "delta": e.delta,
+                "event_type": e.event_type,
+                "reason": e.reason,
+                "at": e.created_at.isoformat(),
+            }
+            for e in reversed(events)
+        ]
+
+    @staticmethod
+    def label(score: float) -> str:
+        if score >= 80: return "trusted"
+        if score >= 60: return "watchful"
+        if score >= 40: return "elevated"
+        if score >= 20: return "high_risk"
+        return "critical"
+
+    @staticmethod
+    def color(score: float) -> str:
+        if score >= 80: return "#22c55e"
+        if score >= 60: return "#84cc16"
+        if score >= 40: return "#f59e0b"
+        if score >= 20: return "#f97316"
+        return "#ef4444"
+
+
+# ═══════════════════════════════════════════════════��═══════════════════════
+# Feature 2 & 8 – Behavioral Intelligence + Privacy-First Design
+# ═══════════════════════════════════════════════════════════════════════════
+
+class BehaviorSignalProcessor:
+    """
+    Processes privacy-first behavior signals submitted by the client.
+
+    The client JS collects raw events (keydown timings, mouse paths,
+    scroll deltas) and computes aggregated 0–1 scores LOCALLY.
+    Only those aggregated scores are transmitted — no raw events ever leave
+    the browser (Feature 8: Privacy-First Design).
+
+    Server validates plausibility, computes anomaly_score,
+    and derives a trust delta.
+    """
+
+    def process(
+        self,
+        session: UserSession,
+        typing_entropy: float,
+        mouse_linearity: float,
+        scroll_variance: float,
+        local_risk_score: float,
+        db: Session,
+    ) -> Dict[str, Any]:
+        # Clamp all inputs to [0, 1]
+        te = max(0.0, min(1.0, float(typing_entropy)))
+        ml = max(0.0, min(1.0, float(mouse_linearity)))
+        sv = max(0.0, min(1.0, float(scroll_variance)))
+        lr = max(0.0, min(1.0, float(local_risk_score)))
+
+        # Per-feature anomaly (0–100, higher = more anomalous)
+        te_a = _z_anomaly(te, *BEHAVIOR_BASELINE["typing_entropy"]) if te > 0 else 50.0
+        ml_a = _z_anomaly(ml, *BEHAVIOR_BASELINE["mouse_linearity"]) if ml > 0 else 50.0
+        sv_a = _z_anomaly(sv, *BEHAVIOR_BASELINE["scroll_variance"]) if sv > 0 else 50.0
+
+        # Weighted composite server score
+        server_score = 0.40 * te_a + 0.35 * ml_a + 0.25 * sv_a
+        # Blend with client-reported composite (60/40 split)
+        final = 0.60 * server_score + 0.40 * (lr * 100.0)
+
+        # Trust delta
+        if   final < 20: td = +6.0
+        elif final < 40: td = +2.0
+        elif final < 60: td = -4.0
+        elif final < 80: td = -12.0
+        else:            td = -24.0
+
+        db.add(BehaviorSignalRecord(
+            session_id=session.id,
+            user_id=session.user_id,
+            typing_entropy=te,
+            mouse_linearity=ml,
+            scroll_variance=sv,
+            local_risk_score=lr,
+            anomaly_score=final,
+        ))
+        db.commit()
+
+        return {
+            "anomaly_score": round(final, 2),
+            "trust_delta": td,
+            "signals": {
+                "typing_entropy":  round(te, 3),
+                "mouse_linearity": round(ml, 3),
+                "scroll_variance": round(sv, 3),
+                "local_risk_score": round(lr, 3),
+            },
+            "per_feature_anomaly": {
+                "typing": round(te_a, 1),
+                "mouse":  round(ml_a, 1),
+                "scroll": round(sv_a, 1),
+            },
+            "classification": _classify_anomaly(final),
+            "privacy_note": (
+                "Raw keystrokes, mouse coordinates, and scroll positions "
+                "were processed entirely in-browser. Only aggregated scores "
+                "were transmitted to the server."
+            ),
+        }
+
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Feature 7 – Impossible Travel + Pattern Clustering
+# ═══════════════════════════════════════════════════════════════════════════
+
+class ImpossibleTravelDetector:
+    """
+    Detects impossible travel using haversine distance + elapsed time.
+
+    Thresholds:
+      > 900 km/h → IMPOSSIBLE  (fastest commercial jet ~900 km/h)
+      > 400 km/h → SUSPICIOUS  (implausible without air travel)
+      < 400 km/h → PLAUSIBLE
+    """
+
+    IMPOSSIBLE_KMH  = 900.0
+    SUSPICIOUS_KMH  = 400.0
+
+    def __init__(self, db: Session):
+        self.db = db
+
+    def check(
+        self,
+        user_id: int,
+        city_now: str,
+        country_now: str,
+        lat_now: Optional[float] = None,
+        lon_now: Optional[float] = None,
+        time_gap_hours: Optional[float] = None,   # override for demo mode
+    ) -> Dict[str, Any]:
+        """
+        Compare the current login location against the most recent successful login.
+        Pass time_gap_hours to simulate an arbitrary gap for demos.
+        """
+        last = (
+            self.db.query(LoginAttempt)
+            .filter(
+                LoginAttempt.user_id == user_id,
+                LoginAttempt.success == True,
+                LoginAttempt.city.isnot(None),
+            )
+            .order_by(LoginAttempt.attempted_at.desc())
+            .first()
+        )
+
+        if not last:
+            return self._no_history(city_now, country_now, lat_now, lon_now)
+
+        lat1, lon1 = _resolve_coords(last.city, last.latitude, last.longitude)
+        lat2, lon2 = _resolve_coords(city_now, lat_now, lon_now)
+
+        if lat1 is None or lat2 is None:
+            return {
+                "possible": True,
+                "verdict": "coords_unknown",
+                "message": f"Cannot resolve coordinates for '{last.city}' or '{city_now}'.",
+                "distance_km": 0.0, "speed_kmh": 0.0, "time_gap_minutes": 0.0,
+                "trust_delta": 0.0,
+            }
+
+        distance_km = haversine(lat1, lon1, lat2, lon2)
+
+        if time_gap_hours is not None:
+            time_gap_s = time_gap_hours * 3600
+        else:
+            time_gap_s = (datetime.utcnow() - last.attempted_at).total_seconds()
+
+        time_gap_min = max(time_gap_s / 60, 0.001)
+        speed_kmh = (distance_km / (time_gap_s / 3600)) if time_gap_s > 0 else 0.0
+
+        if distance_km < 50:
+            verdict, possible, trust_delta = "same_area", True, 0.0
+            msg = f"Same area as last login ({last.city}). No anomaly."
+        elif speed_kmh > self.IMPOSSIBLE_KMH:
+            verdict, possible, trust_delta = "impossible", False, -50.0
+            msg = (
+                f"IMPOSSIBLE TRAVEL: {distance_km:.0f} km in {time_gap_min:.0f} min "
+                f"= {speed_kmh:.0f} km/h (fastest jet ~900 km/h)."
+            )
+        elif speed_kmh > self.SUSPICIOUS_KMH:
+            verdict, possible, trust_delta = "suspicious", True, -20.0
+            msg = (
+                f"Suspicious speed: {speed_kmh:.0f} km/h over "
+                f"{distance_km:.0f} km from {last.city} in {time_gap_min:.0f} min."
+            )
+        else:
+            verdict, possible, trust_delta = "plausible", True, 0.0
+            msg = (
+                f"Plausible: {distance_km:.0f} km from {last.city} "
+                f"at {speed_kmh:.0f} km/h in {time_gap_min:.0f} min."
+            )
+
+        return {
+            "possible": possible,
+            "verdict": verdict,
+            "message": msg,
+            "distance_km": round(distance_km, 1),
+            "speed_kmh": round(speed_kmh, 1),
+            "time_gap_minutes": round(time_gap_min, 1),
+            "from": {"city": last.city, "lat": lat1, "lon": lon1},
+            "to": {"city": city_now, "country": country_now, "lat": lat2, "lon": lon2},
+            "trust_delta": trust_delta,
+        }
+
+    def _no_history(self, city, country, lat, lon) -> Dict[str, Any]:
+        return {
+            "possible": True, "verdict": "no_history",
+            "message": "No previous login on record — travel check skipped.",
+            "distance_km": 0.0, "speed_kmh": 0.0, "time_gap_minutes": 0.0,
+            "from": None,
+            "to": {"city": city, "country": country, "lat": lat, "lon": lon},
+            "trust_delta": 0.0,
+        }
+
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Feature 4 – Low-Friction Micro-Challenges
+# ═══════════════════════════════════════════════════════════════════════════
+
+class MicroChallengeEngine:
+    """
+    Issues lightweight inline challenges ONLY when trust drops below a threshold.
+    Inspired by CAPTCHA but far less intrusive — a single arithmetic question.
+
+    Trust restored: +20 on pass, –15 on fail.
+    Threshold: trust < 40 → challenge recommended.
+    """
+
+    THRESHOLD = 40.0
+
+    def should_challenge(self, trust_score: float) -> bool:
+        return trust_score < self.THRESHOLD
+
+    def generate(self) -> Dict[str, Any]:
+        ops = [('+', lambda a, b: a + b), ('-', lambda a, b: a - b),
+               ('×', lambda a, b: a * b)]
+        sym, fn = random.choice(ops)
+        a = random.randint(2, 9) if sym == '×' else random.randint(10, 50)
+        b = random.randint(2, 9) if sym == '×' else random.randint(1, 20)
+        answer = fn(a, b)
+
+        cid = hashlib.sha256(
+            f"{datetime.utcnow().isoformat()}{random.random()}".encode()
+        ).hexdigest()[:16]
+
+        _micro_challenges[cid] = {
+            "answer_hash": hashlib.sha256(str(answer).encode()).hexdigest(),
+            "expires": datetime.utcnow() + timedelta(minutes=5),
+            "attempts": 0,
+            "type": "math",
+        }
+        return {
+            "challenge_id": cid,
+            "type": "math",
+            "question": f"What is  {a} {sym} {b} ?",
+            "hint": "Answer is an integer.",
+            "expires_in_seconds": 300,
+        }
+
+    def verify(self, challenge_id: str, response: str) -> Dict[str, Any]:
+        ch = _micro_challenges.get(challenge_id)
+        if not ch:
+            return {"correct": False, "reason": "Challenge not found or already used.", "trust_delta": -5.0}
+        if ch["expires"] < datetime.utcnow():
+            _micro_challenges.pop(challenge_id, None)
+            return {"correct": False, "reason": "Challenge expired.", "trust_delta": -5.0}
+
+        given_hash = hashlib.sha256(response.strip().encode()).hexdigest()
+        correct = given_hash == ch["answer_hash"]
+        ch["attempts"] = ch.get("attempts", 0) + 1
+
+        if correct or ch["attempts"] >= 3:
+            _micro_challenges.pop(challenge_id, None)
+
+        return {
+            "correct": correct,
+            "trust_delta": +20.0 if correct else -15.0,
+            "reason": (
+                "✅ Correct – trust score restored." if correct
+                else f"❌ Incorrect. {'Max attempts reached.' if ch['attempts'] >= 3 else 'Try again.'}"
+            ),
+        }
+
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Feature 5 – Explainable Risk Transparency
+# ═══════════════════════════════════════════════════════════════════════════
+
+class RiskExplainer:
+    """
+    Generates audit-ready, human-readable risk explanations.
+    Shows exactly: which signals contributed, their magnitude, and confidence.
+    """
+
+    _FACTOR_META = {
+        "location":  {"icon": "🌍", "label": "Location",       "weight": "97.68%"},
+        "device":    {"icon": "💻", "label": "Device",         "weight": "0.21%"},
+        "time":      {"icon": "🕐", "label": "Time Pattern",   "weight": "0.02%"},
+        "velocity":  {"icon": "⚡", "label": "Velocity",       "weight": "2.08%"},
+        "behavior":  {"icon": "🧠", "label": "Behavior",       "weight": "0.01%"},
+    }
+    _LEVEL_LABEL = {
+        0: "No step-up – trusted context",
+        1: "Standard password auth",
+        2: "Email verification required (new IP)",
+        3: "2FA required (unknown device)",
+        4: "Access BLOCKED – critical risk",
+    }
+
+    def explain_login(
+        self,
+        risk_factors: Dict[str, float],
+        risk_level: str,
+        security_level: int,
+    ) -> Dict[str, Any]:
+        factors = []
+        for key, score in risk_factors.items():
+            meta = self._FACTOR_META.get(key, {"icon": "📌", "label": key.title(), "weight": "N/A"})
+            anomalous = score > 30.0
+            factors.append({
+                "factor":       meta["label"],
+                "score":        round(score, 1),
+                "icon":         meta["icon"],
+                "model_weight": meta["weight"],
+                "status":       "anomalous" if anomalous else "normal",
+                "detail":       self._detail(key, anomalous),
+                "contribution": round(-score * 0.4 if anomalous else (30 - score) * 0.1, 1),
+            })
+        factors.sort(key=lambda x: abs(x["contribution"]), reverse=True)
+
+        anomalous_names = [f["factor"] for f in factors if f["status"] == "anomalous"]
+        confidence = max(0.50, min(0.99, 1.0 - len(anomalous_names) * 0.08))
+
+        return {
+            "audit_id":       hashlib.sha256(
+                                  f"{datetime.utcnow().isoformat()}{str(risk_factors)}".encode()
+                              ).hexdigest()[:12],
+            "timestamp":      datetime.utcnow().isoformat(),
+            "risk_level":     risk_level,
+            "security_level": security_level,
+            "action":         self._LEVEL_LABEL.get(security_level, "Unknown"),
+            "confidence":     round(confidence, 2),
+            "factors":        factors,
+            "summary":        _build_summary(anomalous_names, security_level),
+        }
+
+    def explain_trust_event(self, event_type: str, delta: float, signals: Dict) -> str:
+        msgs = {
+            "behavior_good":        f"Human-like behavior signals (+{abs(delta):.0f} trust)",
+            "behavior_anomaly":     f"Unusual behavior pattern (–{abs(delta):.0f} trust)",
+            "decay":                f"Inactivity decay (–{abs(delta):.1f} trust)",
+            "context_change":       f"IP or device changed (–{abs(delta):.0f} trust)",
+            "micro_challenge_pass": "Micro-challenge passed (+20 trust)",
+            "micro_challenge_fail": "Micro-challenge failed (–15 trust)",
+            "impossible_travel":    "Impossible travel detected (–50 trust)",
+            "init":                 "Session initialised",
+        }
+        return msgs.get(event_type, f"Trust updated by {delta:+.1f}")
+
+    @staticmethod
+    def _detail(key: str, anomalous: bool) -> str:
+        details = {
+            "location": ("Location matches behavioral profile.", "New or unexpected country/city."),
+            "device":   ("Known device fingerprint.", "Unknown device fingerprint."),
+            "time":     ("Login within typical hours.", "Login outside typical hours."),
+            "velocity": ("Normal login frequency.", "Rapid or repeated attempts detected."),
+            "behavior": ("Behavior matches past patterns.", "Behavioral deviation detected."),
+        }
+        pair = details.get(key, ("Normal.", "Anomalous."))
+        return pair[1] if anomalous else pair[0]
+
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Feature 6 – AI-Powered Anomaly Detection (Statistical Isolation Forest)
+# ═══════════════════════════════════════════════════════════════════════════
+
+class StatisticalAnomalyDetector:
+    """
+    Isolation-Forest–inspired anomaly scorer.
+
+    Scores a multi-dimensional feature vector against a learned baseline.
+    Each feature's anomaly contribution is computed via Z-score transform,
+    then weighted into a composite 0–100 anomaly score.
+
+    In production this would be replaced with a trained sklearn IsolationForest
+    or an LSTM sequence model; the interface is kept identical for easy swap-in.
+    """
+
+    BASELINE: Dict[str, Tuple[float, float]] = {
+        # feature → (mean, std) derived from research on legitimate user behavior
+        "typing_entropy":        (0.70, 0.15),
+        "mouse_linearity":       (0.62, 0.18),
+        "scroll_variance":       (0.48, 0.22),
+        "hour_normalized":       (0.55, 0.28),   # 0 = midnight, 1 = noon normalised to [0,1]
+        "failed_attempts_norm":  (0.03, 0.10),   # recent failed attempts / 20
+    }
+    WEIGHTS: Dict[str, float] = {
+        "typing_entropy":       0.28,
+        "mouse_linearity":      0.24,
+        "scroll_variance":      0.14,
+        "hour_normalized":      0.18,
+        "failed_attempts_norm": 0.16,
+    }
+
+    def score(self, features: Dict[str, float]) -> Dict[str, Any]:
+        """
+        Score a feature vector. Returns anomaly_score ∈ [0, 100].
+        Higher means more anomalous.
+        """
+        per_feature: Dict[str, float] = {}
+        total = 0.0
+        for feat, (mean, std) in self.BASELINE.items():
+            val = features.get(feat, mean)
+            a   = _z_anomaly(float(val), mean, std)
+            per_feature[feat] = round(a, 1)
+            total += a * self.WEIGHTS.get(feat, 0.10)
+
+        label, color = self._classify(total)
+        confidence = round(min(0.99, 0.50 + total / 200.0), 2)
+
+        return {
+            "anomaly_score":    round(total, 2),
+            "classification":   label,
+            "color":            color,
+            "confidence":       confidence,
+            "per_feature":      per_feature,
+            "baseline_comparison": {
+                feat: {
+                    "your_value":     round(features.get(feat, mean), 3),
+                    "typical_mean":   mean,
+                    "typical_std":    std,
+                    "z_score":        round(abs(features.get(feat, mean) - mean) / max(std, 1e-6), 2),
+                }
+                for feat, (mean, std) in self.BASELINE.items()
+            },
+            "method": "statistical_isolation_forest_analogy",
+        }
+
+    @staticmethod
+    def _classify(score: float) -> Tuple[str, str]:
+        if score >= 80: return "CRITICAL", "#ef4444"
+        if score >= 60: return "HIGH",     "#f97316"
+        if score >= 40: return "MEDIUM",   "#f59e0b"
+        if score >= 20: return "LOW",      "#84cc16"
+        return "NORMAL", "#22c55e"

adaptiveauth/routers/__init__.py

@@ -6,6 +6,8 @@ from .user import router as user_router
 from .admin import router as admin_router
 from .risk import router as risk_router
 from .adaptive import router as adaptive_router
+from .demo import router as demo_router
+from .session_intel import router as session_intel_router
 
 __all__ = [
     "auth_router",
@@ -13,4 +15,6 @@ __all__ = [
     "admin_router",
     "risk_router",
     "adaptive_router",
+    "demo_router",
+    "session_intel_router",
 ]

adaptiveauth/routers/adaptive.py

@@ -179,7 +179,8 @@ async def verify_challenge(
             current_user.tfa_secret, request.code
         )
     elif challenge.challenge_type == 'email':
-        verified = challenge.challenge_code == request.code
+        from ..core.security import constant_time_compare
+        verified = constant_time_compare(challenge.challenge_code or '', request.code)
     
     challenge.attempts += 1
     

adaptiveauth/routers/admin.py

@@ -20,6 +20,35 @@ from .. import schemas
 router = APIRouter(prefix="/admin", tags=["Admin"])
 
 
+@router.get("/email-status")
+async def email_status(
+    current_user: User = Depends(require_admin()),
+):
+    """Check email service configuration status (admin only)."""
+    from ..auth.email import get_email_service
+    from ..config import get_settings
+    svc = get_email_service()
+    s = get_settings()
+    return {
+        "configured": svc.is_configured,
+        "fields": {
+            "MAIL_USERNAME": bool(s.MAIL_USERNAME),
+            "MAIL_PASSWORD": bool(s.MAIL_PASSWORD),
+            "MAIL_SERVER": bool(s.MAIL_SERVER),
+            "MAIL_FROM": bool(s.MAIL_FROM),
+        },
+        "mail_port": s.MAIL_PORT,
+        "starttls": s.MAIL_STARTTLS,
+        "env_prefix": "ADAPTIVEAUTH_",
+        "setup_instructions": (
+            "Create a .env file in the project root with: "
+            "ADAPTIVEAUTH_MAIL_USERNAME, ADAPTIVEAUTH_MAIL_PASSWORD, "
+            "ADAPTIVEAUTH_MAIL_SERVER, ADAPTIVEAUTH_MAIL_FROM, "
+            "ADAPTIVEAUTH_MAIL_PORT=587, ADAPTIVEAUTH_MAIL_STARTTLS=True"
+        )
+    }
+
+
 @router.get("/users", response_model=schemas.AdminUserList)
 async def list_users(
     page: int = Query(1, ge=1),

adaptiveauth/routers/demo.py

@@ -0,0 +1,763 @@
+"""
+AdaptiveAuth Demo Router
+Specialized endpoints for demonstrating the two core framework scenarios.
+
+Scenario 1: User Behavior Anomaly Detection
+  - User has an established behavioral profile (normal IP, device, hours)
+  - When they log in from a suspicious context (new country, new device)
+  - The framework detects the behavior change and escalates security
+
+Scenario 2: Anomaly (Attack) Detection
+  - An attacker makes repeated failed login attempts (brute force)
+  - The AnomalyDetector fires and flags the attacker's IP
+  - Future logins from that IP are blocked/escalated
+  - Demonstrates how the framework protects the entire application
+
+FOR DEMONSTRATION PURPOSES ONLY - Do not expose in production without auth.
+"""
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from datetime import datetime, timedelta
+from typing import Optional
+
+from ..core.database import get_db
+from ..core.security import hash_password, constant_time_compare
+from ..auth.service import AuthService
+from ..models import (
+    User, UserProfile, LoginAttempt, AnomalyPattern,
+    StepUpChallenge, RiskLevel, RiskEvent
+)
+from ..risk.analyzer import BehaviorAnalyzer
+from ..risk.monitor import AnomalyDetector
+
+router = APIRouter(prefix="/demo", tags=["Demo Scenarios"])
+
+# ─────────────────────────── Demo Constants ────────────────────────────────
+
+DEMO_USER_EMAIL = "demo.normal@adaptive.demo"
+DEMO_USER_PASSWORD = "Demo@Normal123!"
+DEMO_ADMIN_EMAIL = "demo.admin@adaptive.demo"
+DEMO_ADMIN_PASSWORD = "Admin@Demo456!"
+
+# The user's established "normal" context (30 days of history)
+NORMAL_CONTEXT = {
+    "ip_address": "203.0.113.10",      # RFC-5737 documentation IP
+    "user_agent": (
+        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
+        "AppleWebKit/537.36 (KHTML, like Gecko) "
+        "Chrome/121.0.0.0 Safari/537.36"
+    ),
+    "device_fingerprint": "trusted-win-chrome-abc123",
+    "country": "US",
+    "city": "New York",
+}
+
+# A completely different context – new country, new mobile device, unusual hour
+SUSPICIOUS_CONTEXT = {
+    "ip_address": "198.51.100.55",     # RFC-5737 documentation IP
+    "user_agent": (
+        "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) "
+        "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1"
+    ),
+    "device_fingerprint": "unknown-iphone-device-xyz987",
+    "country": "RU",
+    "city": "Moscow",
+}
+
+# Attacker context – automated script from a different country
+ATTACKER_CONTEXT = {
+    "ip_address": "192.0.2.100",       # RFC-5737 documentation IP
+    "user_agent": "python-requests/2.31.0",
+    "device_fingerprint": "attacker-bot-device-001",
+    "country": "CN",
+    "city": "Beijing",
+}
+
+
+# ─────────────────────────── Setup ─────────────────────────────────────────
+
+@router.post("/setup")
+async def setup_demo(
+    reset: bool = False,
+    db: Session = Depends(get_db)
+):
+    """
+    Initialise demo environment.
+
+    Creates two users:
+    - demo.normal@adaptive.demo  → regular user with 30 days of clean history
+    - demo.admin@adaptive.demo   → admin for the dashboard
+
+    Pass ?reset=true to wipe and rebuild the demo user's behavioral profile.
+    """
+    created = []
+    messages = []
+
+    # ── Normal demo user ──────────────────────────────────────────────────
+    demo_user = db.query(User).filter(User.email == DEMO_USER_EMAIL).first()
+
+    if demo_user and reset:
+        # Wipe behavioral data so the demo starts fresh
+        db.query(UserProfile).filter(UserProfile.user_id == demo_user.id).delete()
+        db.query(LoginAttempt).filter(LoginAttempt.user_id == demo_user.id).delete()
+        db.commit()
+        messages.append("Behavioral profile reset for demo user.")
+
+    if not demo_user:
+        demo_user = User(
+            email=DEMO_USER_EMAIL,
+            password_hash=hash_password(DEMO_USER_PASSWORD),
+            full_name="Demo User",
+            is_active=True,
+            is_verified=True,
+            role="user",
+            created_at=datetime.utcnow() - timedelta(days=30),
+        )
+        db.add(demo_user)
+        db.commit()
+        db.refresh(demo_user)
+        created.append("demo_user")
+
+    # ── Behavioural history ───────────────────────────────────────────────
+    profile = db.query(UserProfile).filter(
+        UserProfile.user_id == demo_user.id
+    ).first()
+
+    if not profile:
+        analyzer = BehaviorAnalyzer(db)
+        profile = analyzer.get_or_create_profile(demo_user)
+
+        # Simulate 15 successful logins over the past 30 days
+        for i in range(15):
+            login_time = datetime.utcnow() - timedelta(days=i * 2, hours=(i % 9) + 8)
+            db.add(LoginAttempt(
+                user_id=demo_user.id,
+                email=DEMO_USER_EMAIL,
+                ip_address=NORMAL_CONTEXT["ip_address"],
+                user_agent=NORMAL_CONTEXT["user_agent"],
+                device_fingerprint=NORMAL_CONTEXT["device_fingerprint"],
+                country="US",
+                city="New York",
+                risk_score=7.5,
+                risk_level=RiskLevel.LOW.value,
+                security_level=0,
+                risk_factors={
+                    "device": 0.0, "location": 0.0,
+                    "time": 5.0, "velocity": 0.0, "behavior": 0.0,
+                },
+                success=True,
+                attempted_at=login_time,
+            ))
+
+        db.commit()
+
+        # Build known profile data from those logins
+        now_iso = datetime.utcnow().isoformat()
+        profile.known_ips = [{
+            "ip": NORMAL_CONTEXT["ip_address"],
+            "country": "US", "city": "New York",
+            "first_seen": (datetime.utcnow() - timedelta(days=30)).isoformat(),
+            "last_seen": now_iso, "count": 15,
+        }]
+        profile.known_browsers = [{
+            "user_agent": NORMAL_CONTEXT["user_agent"],
+            "browser_name": "Chrome",
+            "first_seen": (datetime.utcnow() - timedelta(days=30)).isoformat(),
+            "last_seen": now_iso, "count": 15,
+        }]
+        profile.known_devices = [{
+            "fingerprint": NORMAL_CONTEXT["device_fingerprint"],
+            "name": "Windows - Chrome",
+            "first_seen": (datetime.utcnow() - timedelta(days=30)).isoformat(),
+            "last_seen": now_iso, "count": 15,
+        }]
+        profile.typical_login_hours = [8, 9, 10, 11, 12, 13, 14, 15, 16, 17]
+        profile.typical_login_days = [0, 1, 2, 3, 4]   # Mon–Fri
+        profile.total_logins = 15
+        profile.successful_logins = 15
+        profile.failed_logins = 0
+        db.commit()
+        created.append("behavioral_profile (15 logins)")
+
+    # ── Admin user ────────────────────────────────────────────────────────
+    admin_user = db.query(User).filter(User.email == DEMO_ADMIN_EMAIL).first()
+    if not admin_user:
+        admin_user = User(
+            email=DEMO_ADMIN_EMAIL,
+            password_hash=hash_password(DEMO_ADMIN_PASSWORD),
+            full_name="Demo Admin",
+            is_active=True,
+            is_verified=True,
+            role="admin",
+            created_at=datetime.utcnow() - timedelta(days=30),
+        )
+        db.add(admin_user)
+        db.commit()
+        created.append("admin_user")
+
+    return {
+        "status": "ready",
+        "created": created,
+        "messages": messages,
+        "demo_credentials": {
+            "normal_user": {
+                "email": DEMO_USER_EMAIL,
+                "password": DEMO_USER_PASSWORD,
+                "description": (
+                    "Regular user – 30 days of login history from "
+                    "New York (US) on Windows Chrome, Mon–Fri 8AM–5PM"
+                ),
+            },
+            "admin_user": {
+                "email": DEMO_ADMIN_EMAIL,
+                "password": DEMO_ADMIN_PASSWORD,
+                "description": "Admin user – access the full dashboard",
+            },
+        },
+        "established_normal_behavior": {
+            "ip": NORMAL_CONTEXT["ip_address"],
+            "location": "New York, US",
+            "device": "Windows – Chrome",
+            "typical_hours": "8 AM – 5 PM (UTC)",
+            "typical_days": "Monday – Friday",
+            "login_count": 15,
+        },
+    }
+
+
+# ─────────────────────── Scenario 1: Behavior Change ───────────────────────
+
+@router.post("/scenario1/normal-login")
+async def scenario1_normal_login(db: Session = Depends(get_db)):
+    """
+    SCENARIO 1 – Step 1: Login from the user's known trusted context.
+
+    Expected result: LOW RISK, Security Level 0–1, immediate access.
+    The framework recognises the familiar IP, device, and browser.
+    """
+    demo_user = db.query(User).filter(User.email == DEMO_USER_EMAIL).first()
+    if not demo_user:
+        raise HTTPException(
+            status_code=400,
+            detail="Demo not initialised. Call POST /api/v1/demo/setup first.",
+        )
+
+    auth_service = AuthService(db)
+    result = await auth_service.adaptive_login(
+        email=DEMO_USER_EMAIL,
+        password=DEMO_USER_PASSWORD,
+        context=NORMAL_CONTEXT,
+    )
+
+    return {
+        "scenario": "1 – User Behaviour Anomaly Detection",
+        "step": "Step 1 of 3: Normal login (trusted context)",
+        "context": {
+            "ip": NORMAL_CONTEXT["ip_address"],
+            "location": "New York, US  ✓ Known",
+            "device": "Windows Chrome  ✓ Known",
+            "time_utc": f"{datetime.utcnow().strftime('%H:%M')} UTC",
+        },
+        "framework_decision": result,
+        "explanation": _explain(result),
+        "what_the_framework_checked": [
+            "IP 203.0.113.10 → found in behavioral profile (15 previous logins)",
+            "Device fingerprint → matches known trusted device",
+            "Browser (Chrome/Win) → matches known browser",
+            "Login time → within typical hours (8 AM–5 PM)",
+        ],
+    }
+
+
+@router.post("/scenario1/suspicious-login")
+async def scenario1_suspicious_login(db: Session = Depends(get_db)):
+    """
+    SCENARIO 1 – Step 2: Same credentials, completely different context.
+
+    Expected result: HIGH RISK, Security Level 2–3, challenge required.
+    The framework detects multiple behavioral anomalies simultaneously.
+    """
+    demo_user = db.query(User).filter(User.email == DEMO_USER_EMAIL).first()
+    if not demo_user:
+        raise HTTPException(
+            status_code=400,
+            detail="Demo not initialised. Call POST /api/v1/demo/setup first.",
+        )
+
+    auth_service = AuthService(db)
+    result = await auth_service.adaptive_login(
+        email=DEMO_USER_EMAIL,
+        password=DEMO_USER_PASSWORD,
+        context=SUSPICIOUS_CONTEXT,
+    )
+
+    return {
+        "scenario": "1 – User Behaviour Anomaly Detection",
+        "step": "Step 2 of 3: Suspicious login (unknown context)",
+        "context": {
+            "ip": SUSPICIOUS_CONTEXT["ip_address"],
+            "location": "Moscow, Russia  ✗ NEVER SEEN BEFORE",
+            "device": "iPhone  ✗ UNKNOWN DEVICE",
+            "time_utc": f"{datetime.utcnow().strftime('%H:%M')} UTC",
+        },
+        "framework_decision": result,
+        "explanation": _explain(result),
+        "anomalies_triggered": [
+            "IP 198.51.100.55 NOT in behavioral profile",
+            "Country changed: US → Russia",
+            "Device fingerprint unknown (mobile vs usual desktop)",
+            "User agent changed: Windows Chrome → iPhone Safari",
+        ],
+        "note_on_challenge": (
+            "If challenge_type is 'email', use code '000000' in the demo "
+            "(real deployment sends a live email)."
+            if result.get("status") == "challenge_required" else None
+        ),
+    }
+
+
+@router.post("/scenario1/complete-challenge")
+async def scenario1_complete_challenge(
+    challenge_id: str,
+    code: str,
+    db: Session = Depends(get_db),
+):
+    """
+    SCENARIO 1 – Step 3: User passes the step-up challenge.
+
+    The framework grants access after identity is verified,
+    and updates the behavioral profile with the new context.
+
+    In the live demo, the email OTP is patched to accept '000000'.
+    """
+    # Patch the stored code so the demo works without a real email
+    challenge = db.query(StepUpChallenge).filter(
+        StepUpChallenge.id == int(challenge_id)
+    ).first()
+
+    if not challenge:
+        raise HTTPException(status_code=404, detail="Challenge not found.")
+
+    if challenge.challenge_type == "email" and not challenge.is_completed:
+        # Allow '000000' as a universal demo OTP
+        if code == "000000":
+            challenge.challenge_code = "000000"
+            db.commit()
+
+    auth_service = AuthService(db)
+    result = await auth_service.verify_step_up(
+        challenge_id=challenge_id,
+        code=code,
+        context=SUSPICIOUS_CONTEXT,
+    )
+
+    if result.get("status") == "error":
+        raise HTTPException(
+            status_code=400,
+            detail=result.get("message", "Verification failed"),
+        )
+
+    return {
+        "scenario": "1 – User Behaviour Anomaly Detection",
+        "step": "Step 3 of 3: Step-up challenge completed",
+        "result": result,
+        "explanation": (
+            "Identity verified. Framework grants access and begins learning "
+            "the new context as a potential future trusted location/device."
+        ),
+        "framework_actions_taken": [
+            "Step-up challenge marked complete",
+            "JWT access token issued",
+            "New session created with elevated security awareness",
+            "Risk event logged for audit trail",
+        ],
+    }
+
+
+# ─────────────────────── Scenario 2: Attack Detection ──────────────────────
+
+@router.post("/scenario2/simulate-attack")
+async def scenario2_simulate_attack(
+    num_attempts: int = 12,
+    db: Session = Depends(get_db),
+):
+    """
+    SCENARIO 2 – Step 1: Simulate a brute-force attack.
+
+    Injects `num_attempts` failed login records from the attacker IP,
+    then runs the AnomalyDetector. Returns detected anomaly patterns.
+    """
+    if num_attempts < 1:
+        num_attempts = 1
+    if num_attempts > 25:
+        num_attempts = 25
+
+    attacker_ip = ATTACKER_CONTEXT["ip_address"]
+
+    # Inject failed attempts directly into the DB (no real password check)
+    for i in range(num_attempts):
+        db.add(LoginAttempt(
+            user_id=None,
+            email=DEMO_USER_EMAIL,
+            ip_address=attacker_ip,
+            user_agent=ATTACKER_CONTEXT["user_agent"],
+            device_fingerprint=ATTACKER_CONTEXT["device_fingerprint"],
+            country=ATTACKER_CONTEXT["country"],
+            city=ATTACKER_CONTEXT["city"],
+            risk_score=97.0,
+            risk_level=RiskLevel.CRITICAL.value,
+            security_level=4,
+            risk_factors={
+                "velocity": 100.0, "location": 90.0,
+                "device": 80.0, "time": 30.0, "behavior": 50.0,
+            },
+            success=False,
+            failure_reason="invalid_password",
+            attempted_at=datetime.utcnow() - timedelta(
+                seconds=(num_attempts - i) * 4
+            ),
+        ))
+
+    db.commit()
+
+    # Run anomaly detection
+    detector = AnomalyDetector(db)
+    brute_force_pattern = detector.detect_brute_force(
+        attacker_ip, window_minutes=60, threshold=5
+    )
+    stuffing_pattern = detector.detect_credential_stuffing(
+        attacker_ip, window_minutes=60, unique_users_threshold=3
+    )
+
+    anomalies = []
+    if brute_force_pattern:
+        anomalies.append({
+            "id": brute_force_pattern.id,
+            "type": "BRUTE FORCE",
+            "severity": "CRITICAL",
+            "attacker_ip": attacker_ip,
+            "failed_attempts": num_attempts,
+            "confidence": f"{brute_force_pattern.confidence * 100:.0f}%",
+            "detected_at": brute_force_pattern.first_detected.isoformat(),
+        })
+    if stuffing_pattern:
+        anomalies.append({
+            "id": stuffing_pattern.id,
+            "type": "CREDENTIAL STUFFING",
+            "severity": "CRITICAL",
+            "attacker_ip": attacker_ip,
+            "confidence": f"{stuffing_pattern.confidence * 100:.0f}%",
+        })
+
+    return {
+        "scenario": "2 – Anomaly (Attack) Detection",
+        "step": "Step 1 of 3: Attack simulated",
+        "attack_details": {
+            "attacker_ip": attacker_ip,
+            "attacker_location": "Beijing, China",
+            "tool_signature": ATTACKER_CONTEXT["user_agent"],
+            "attempts_injected": num_attempts,
+            "target": DEMO_USER_EMAIL,
+            "all_attempts_failed": True,
+        },
+        "anomalies_detected": anomalies,
+        "framework_response": (
+            f"AnomalyDetector flagged {attacker_ip} as CRITICAL. "
+            "All future login attempts from this IP will be blocked (Security Level 4)."
+        ),
+        "next_step": (
+            "Now call POST /demo/scenario2/legitimate-user "
+            "to see how a real user is treated compared to the attacker."
+        ),
+    }
+
+
+@router.post("/scenario2/legitimate-user")
+async def scenario2_legitimate_user(db: Session = Depends(get_db)):
+    """
+    SCENARIO 2 – Step 2: Legitimate user logs in while the attack is ongoing.
+
+    Uses the demo user's trusted context (New York IP, known device).
+    Demonstrates that the framework distinguishes real users from attackers.
+    """
+    demo_user = db.query(User).filter(User.email == DEMO_USER_EMAIL).first()
+    if not demo_user:
+        raise HTTPException(
+            status_code=400,
+            detail="Demo not initialised. Call POST /api/v1/demo/setup first.",
+        )
+
+    auth_service = AuthService(db)
+    result = await auth_service.adaptive_login(
+        email=DEMO_USER_EMAIL,
+        password=DEMO_USER_PASSWORD,
+        context=NORMAL_CONTEXT,
+    )
+
+    active_anomalies = db.query(AnomalyPattern).filter(
+        AnomalyPattern.is_active == True
+    ).count()
+
+    return {
+        "scenario": "2 – Anomaly (Attack) Detection",
+        "step": "Step 2 of 3: Legitimate user logs in during attack",
+        "user_context": {
+            "ip": NORMAL_CONTEXT["ip_address"],
+            "location": "New York, US  ✓ Trusted",
+            "device": "Windows Chrome  ✓ Trusted",
+        },
+        "framework_decision": result,
+        "explanation": _explain(result),
+        "active_threats_right_now": active_anomalies,
+        "key_insight": (
+            "Even though an attack is in progress against this account, "
+            "the legitimate user is recognised by their full behavioral profile "
+            "(trusted IP + trusted device + known browser + time pattern). "
+            "The framework can differentiate them from the attacker."
+        ),
+    }
+
+
+@router.post("/scenario2/attacker-login-attempt")
+async def scenario2_attacker_attempt(db: Session = Depends(get_db)):
+    """
+    SCENARIO 2 – Step 3: The attacker now tries a valid password.
+
+    Even with correct credentials, the attacker is blocked because their
+    IP is flagged, their user-agent is suspicious, and velocity rules fire.
+    """
+    auth_service = AuthService(db)
+    result = await auth_service.adaptive_login(
+        email=DEMO_USER_EMAIL,
+        password=DEMO_USER_PASSWORD,     # correct password!
+        context=ATTACKER_CONTEXT,
+    )
+
+    return {
+        "scenario": "2 – Anomaly (Attack) Detection",
+        "step": "Step 3 of 3: Attacker uses correct password – still blocked",
+        "attacker_context": {
+            "ip": ATTACKER_CONTEXT["ip_address"],
+            "location": "Beijing, China  ✗ Flagged IP",
+            "tool": ATTACKER_CONTEXT["user_agent"] + "  ✗ Suspicious",
+        },
+        "framework_decision": result,
+        "explanation": _explain(result),
+        "key_insight": (
+            "The attacker has the correct password but is BLOCKED because: "
+            "(1) IP is flagged as CRITICAL in the anomaly database, "
+            "(2) velocity rules detect rapid prior attempts, "
+            "(3) suspicious user-agent (python-requests). "
+            "Correct password alone is not enough."
+        ),
+    }
+
+
+@router.get("/scenario2/anomalies")
+async def get_scenario2_anomalies(db: Session = Depends(get_db)):
+    """Get all active anomaly patterns (used by the live anomaly feed in the UI)."""
+    detector = AnomalyDetector(db)
+    anomalies = detector.get_active_anomalies()
+
+    return {
+        "active_anomalies": [
+            {
+                "id": a.id,
+                "type": a.pattern_type.upper().replace("_", " "),
+                "severity": a.severity.upper(),
+                "ip": a.ip_address,
+                "user_id": a.user_id,
+                "confidence": f"{a.confidence * 100:.0f}%",
+                "first_detected": a.first_detected.isoformat(),
+                "last_detected": a.last_detected.isoformat(),
+                "data": a.pattern_data,
+            }
+            for a in anomalies
+        ],
+        "total": len(anomalies),
+    }
+
+
+@router.delete("/scenario2/clear-anomalies")
+async def clear_demo_anomalies(db: Session = Depends(get_db)):
+    """Resolve all anomalies (clean-up after demo)."""
+    anomalies = db.query(AnomalyPattern).filter(
+        AnomalyPattern.is_active == True
+    ).all()
+    for a in anomalies:
+        a.is_active = False
+        a.resolved_at = datetime.utcnow()
+    db.commit()
+    return {"message": f"Resolved {len(anomalies)} anomaly pattern(s)."}
+
+
+@router.post("/scenario2/run-monitoring-cycle")
+async def run_monitoring_cycle(db: Session = Depends(get_db)):
+    """
+    Run one complete continuous-monitoring cycle:
+      - Clean expired sessions
+      - Re-scan all known attack IPs for brute-force / credential-stuffing patterns
+      - Collect session statistics
+      - Return a full monitoring report
+
+    The UI calls this endpoint every 2 seconds while monitoring is active.
+    """
+    from ..risk.monitor import SessionMonitor
+
+    monitor = SessionMonitor(db)
+    detector = AnomalyDetector(db)
+    attacker_ip = ATTACKER_CONTEXT["ip_address"]
+
+    # 1. Clean expired sessions
+    expired_cleaned = monitor.cleanup_expired_sessions()
+
+    # 2. Re-scan for active attack patterns
+    brute_force = detector.detect_brute_force(
+        attacker_ip, window_minutes=60, threshold=5
+    )
+    stuffing = detector.detect_credential_stuffing(
+        attacker_ip, window_minutes=60, unique_users_threshold=3
+    )
+
+    # 3. Session statistics
+    session_stats = monitor.get_session_statistics()
+
+    # 4. Failed login count in last hour
+    recent_failed = db.query(LoginAttempt).filter(
+        LoginAttempt.success == False,
+        LoginAttempt.attempted_at >= datetime.utcnow() - timedelta(minutes=60),
+    ).count()
+
+    # 5. All active anomalies
+    active = detector.get_active_anomalies()
+
+    threat_level = "NORMAL"
+    if active:
+        sev_order = {"low": 0, "medium": 1, "high": 2, "critical": 3}
+        max_sev = max(active, key=lambda a: sev_order.get(a.severity, 0)).severity
+        threat_level = max_sev.upper()
+
+    return {
+        "cycle_at": datetime.utcnow().isoformat(),
+        "sessions": {
+            "expired_cleaned": expired_cleaned,
+            "active": session_stats["active"],
+            "suspicious": session_stats["suspicious"],
+            "total": session_stats["total"],
+        },
+        "scan": {
+            "brute_force_active": brute_force is not None,
+            "credential_stuffing_active": stuffing is not None,
+            "total_active_anomalies": len(active),
+            "recent_failed_logins_1h": recent_failed,
+        },
+        "active_anomalies": [
+            {
+                "type": a.pattern_type.upper().replace("_", " "),
+                "severity": a.severity.upper(),
+                "ip": a.ip_address,
+                "confidence": f"{a.confidence * 100:.0f}%",
+                "last_detected": a.last_detected.isoformat(),
+            }
+            for a in active
+        ],
+        "threat_level": threat_level,
+    }
+
+
+# ─────────────────────── Demo State ────────────────────────────────────────
+
+@router.get("/state")
+async def get_demo_state(db: Session = Depends(get_db)):
+    """Return current demo environment state (used by the UI to show setup status)."""
+    demo_user = db.query(User).filter(User.email == DEMO_USER_EMAIL).first()
+    admin_user = db.query(User).filter(User.email == DEMO_ADMIN_EMAIL).first()
+
+    profile = None
+    login_history_count = 0
+    known_devices = 0
+    known_ips = 0
+
+    if demo_user:
+        profile = db.query(UserProfile).filter(
+            UserProfile.user_id == demo_user.id
+        ).first()
+        login_history_count = db.query(LoginAttempt).filter(
+            LoginAttempt.user_id == demo_user.id
+        ).count()
+        if profile:
+            known_devices = len(profile.known_devices or [])
+            known_ips = len(profile.known_ips or [])
+
+    active_anomalies = db.query(AnomalyPattern).filter(
+        AnomalyPattern.is_active == True
+    ).count()
+
+    is_ready = (
+        demo_user is not None
+        and profile is not None
+        and login_history_count >= 5
+    )
+
+    return {
+        "is_ready": is_ready,
+        "demo_user_exists": demo_user is not None,
+        "admin_user_exists": admin_user is not None,
+        "behavioral_profile": {
+            "exists": profile is not None,
+            "login_history_count": login_history_count,
+            "known_devices": known_devices,
+            "known_ips": known_ips,
+            "typical_hours": profile.typical_login_hours if profile else [],
+            "typical_days": profile.typical_login_days if profile else [],
+        },
+        "active_anomalies": active_anomalies,
+        "credentials": {
+            "normal_user": {
+                "email": DEMO_USER_EMAIL,
+                "password": DEMO_USER_PASSWORD,
+            },
+            "admin": {
+                "email": DEMO_ADMIN_EMAIL,
+                "password": DEMO_ADMIN_PASSWORD,
+            },
+        } if demo_user else None,
+    }
+
+
+# ─────────────────────── Helpers ───────────────────────────────────────────
+
+def _explain(result: dict) -> str:
+    """Human-readable explanation of the framework's decision."""
+    s = result.get("status", "")
+    lvl = result.get("security_level", 0)
+
+    if s == "success":
+        if lvl == 0:
+            return (
+                "Framework recognised the trusted device, IP, and time pattern. "
+                "No additional verification needed – access granted immediately."
+            )
+        return "Access granted after challenge completion."
+
+    if s == "challenge_required":
+        challenge = result.get("challenge_type", "verification")
+        if lvl == 2:
+            return (
+                f"Unknown IP detected. {challenge.upper()} challenge sent. "
+                "Medium-risk: new location but no other anomalies."
+            )
+        if lvl == 3:
+            return (
+                f"Unknown device AND new IP. {challenge.upper()} challenge required. "
+                "High-risk: full identity verification needed."
+            )
+        return f"Elevated risk. {challenge.upper()} challenge triggered."
+
+    if s == "blocked":
+        return (
+            "BLOCKED. Velocity rules, anomaly patterns, or critical risk score "
+            "exceeded the threshold. Access denied."
+        )
+
+    return "Framework evaluated the request and made a security decision."

adaptiveauth/routers/session_intel.py

@@ -0,0 +1,461 @@
+"""
+Session Intelligence Router
+============================
+HTTP endpoints for all 8 advanced security features.
+
+Protected endpoints  require a valid Bearer JWT token.
+Demo endpoints       are unauthenticated for demo purposes.
+"""
+from datetime import datetime
+from typing import Optional, Dict, Any
+
+from fastapi import APIRouter, Depends, HTTPException, status, Request
+from pydantic import BaseModel, Field, field_validator
+from sqlalchemy.orm import Session
+
+from ..core.database import get_db
+from ..core.dependencies import get_current_user, get_current_session, oauth2_scheme
+from ..core.security import decode_token
+from ..models import User, UserSession
+from ..risk.session_intelligence import (
+    TrustScoreManager,
+    BehaviorSignalProcessor,
+    ImpossibleTravelDetector,
+    MicroChallengeEngine,
+    RiskExplainer,
+    StatisticalAnomalyDetector,
+    CITY_COORDS,
+)
+
+router = APIRouter(prefix="/session-intel", tags=["Session Intelligence"])
+
+
+# ── Request / Response schemas ───────────────────────────────────────────────
+
+class BehaviorSignalInput(BaseModel):
+    """Privacy-first: client sends only aggregated scores, never raw events."""
+    typing_entropy:  float = Field(..., ge=0, le=1, description="1.0 = very human-like")
+    mouse_linearity: float = Field(..., ge=0, le=1, description="1.0 = natural curved paths")
+    scroll_variance: float = Field(..., ge=0, le=1, description="1.0 = organic scroll rhythm")
+    local_risk_score: float = Field(..., ge=0, le=1, description="Client-computed composite (0 = safe)")
+
+
+class TravelCheckInput(BaseModel):
+    from_city:       str = Field(..., description="Origin city name")
+    from_country:    str = Field("", description="Origin country")
+    to_city:         str = Field(..., description="Destination city name")
+    to_country:      str = Field("", description="Destination country")
+    time_gap_hours:  float = Field(..., gt=0, description="Hours between the two events")
+    from_lat:        Optional[float] = None
+    from_lon:        Optional[float] = None
+    to_lat:          Optional[float] = None
+    to_lon:          Optional[float] = None
+
+
+class AnomalyScoreInput(BaseModel):
+    typing_entropy:       float = Field(0.70, ge=0, le=1)
+    mouse_linearity:      float = Field(0.62, ge=0, le=1)
+    scroll_variance:      float = Field(0.48, ge=0, le=1)
+    hour_normalized:      float = Field(0.55, ge=0, le=1,
+                                        description="Current hour / 24 (0 = midnight)")
+    failed_attempts_norm: float = Field(0.00, ge=0, le=1,
+                                        description="Recent failed logins / 20")
+
+
+class ChallengeVerifyInput(BaseModel):
+    challenge_id: str
+    response:     str = Field(..., description="User's answer as a string")
+
+
+class SimulateTrustDropInput(BaseModel):
+    target_score: float = Field(25.0, ge=0, le=100)
+    reason:       str   = Field("Simulated trust drop for demo")
+
+
+class ExplainInput(BaseModel):
+    """Standalone explainability — submit raw factor scores for a report."""
+    location_score:  float = Field(0.0, ge=0, le=100)
+    device_score:    float = Field(0.0, ge=0, le=100)
+    time_score:      float = Field(0.0, ge=0, le=100)
+    velocity_score:  float = Field(0.0, ge=0, le=100)
+    behavior_score:  float = Field(0.0, ge=0, le=100)
+    security_level:  int   = Field(0, ge=0, le=4)
+    risk_level:      str   = Field("low")
+
+
+# ── Helpers ──────────────────────────────────────────────────────────────────
+
+def _get_or_create_demo_session(user: User, db: Session) -> UserSession:
+    """Return the user's most recent active session, or a lightweight synthetic one."""
+    session = (
+        db.query(UserSession)
+        .filter(UserSession.user_id == user.id, UserSession.status == "active")
+        .order_by(UserSession.created_at.desc())
+        .first()
+    )
+    if session:
+        return session
+
+    # Create a minimal demo session so we can track trust events
+    session = UserSession(
+        user_id=user.id,
+        session_token=f"demo-{user.id}-{datetime.utcnow().timestamp():.0f}",
+        current_risk_level="low",
+        status="active",
+        created_at=datetime.utcnow(),
+    )
+    db.add(session)
+    db.commit()
+    db.refresh(session)
+    return session
+
+
+def _resolve_demo_travel(
+    input_data: TravelCheckInput,
+) -> Dict[str, Any]:
+    """
+    Pure coordinate-based travel check for the demo endpoint.
+    This does not require a registered user — it just calculates distance + speed.
+    """
+    from ..risk.session_intelligence import haversine, _resolve_coords, CITY_COORDS
+
+    lat1, lon1 = _resolve_coords(input_data.from_city, input_data.from_lat, input_data.from_lon)
+    lat2, lon2 = _resolve_coords(input_data.to_city, input_data.to_lat, input_data.to_lon)
+
+    if lat1 is None or lat2 is None:
+        known = sorted(CITY_COORDS.keys())
+        missing = input_data.from_city if lat1 is None else input_data.to_city
+        return {
+            "possible":    None,
+            "verdict":     "coords_unknown",
+            "message":     f"Unknown city: '{missing}'. Known cities: {', '.join(known)}.",
+            "distance_km": 0.0, "speed_kmh": 0.0,
+            "time_gap_minutes": input_data.time_gap_hours * 60,
+            "trust_delta": 0.0,
+        }
+
+    distance_km   = haversine(lat1, lon1, lat2, lon2)
+    time_gap_s    = input_data.time_gap_hours * 3600
+    time_gap_min  = time_gap_s / 60
+    speed_kmh     = distance_km / input_data.time_gap_hours
+
+    IMPOSSIBLE = 900.0
+    SUSPICIOUS  = 400.0
+
+    if distance_km < 50:
+        verdict, possible, trust_delta = "same_area", True, 0.0
+        msg = "Same geographic area. No anomaly detected."
+    elif speed_kmh > IMPOSSIBLE:
+        verdict, possible, trust_delta = "impossible", False, -50.0
+        msg = (
+            f"🚨 IMPOSSIBLE TRAVEL: {distance_km:.0f} km in {time_gap_min:.0f} min "
+            f"= {speed_kmh:.0f} km/h — faster than any commercial aircraft (~900 km/h)."
+        )
+    elif speed_kmh > SUSPICIOUS:
+        verdict, possible, trust_delta = "suspicious", True, -20.0
+        msg = (
+            f"⚠ Suspicious speed: {speed_kmh:.0f} km/h over {distance_km:.0f} km "
+            f"in {time_gap_min:.0f} min. Requires air travel justification."
+        )
+    else:
+        verdict, possible, trust_delta = "plausible", True, 0.0
+        msg = (
+            f"✓ Plausible: {distance_km:.0f} km at {speed_kmh:.0f} km/h "
+            f"in {time_gap_min:.0f} min."
+        )
+
+    return {
+        "possible":    possible,
+        "verdict":     verdict,
+        "message":     msg,
+        "distance_km": round(distance_km, 1),
+        "speed_kmh":   round(speed_kmh, 1),
+        "time_gap_minutes": round(time_gap_min, 1),
+        "from": {
+            "city": input_data.from_city, "country": input_data.from_country,
+            "lat": lat1, "lon": lon1,
+        },
+        "to": {
+            "city": input_data.to_city, "country": input_data.to_country,
+            "lat": lat2, "lon": lon2,
+        },
+        "trust_delta": trust_delta,
+    }
+
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Protected endpoints  (require JWT Bearer token)
+# ═══════════════════════════════════════════════════════════════════════════
+
+@router.post("/behavior-signal")
+async def receive_behavior_signal(
+    signal: BehaviorSignalInput,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """
+    Feature 2 & 8 – Submit privacy-first behavior signal.
+
+    Client computes typing_entropy, mouse_linearity, scroll_variance locally.
+    Only aggregated 0–1 scores are transmitted — no raw events leave the browser.
+    """
+    session = _get_or_create_demo_session(current_user, db)
+    processor = BehaviorSignalProcessor()
+    result = processor.process(
+        session=session,
+        typing_entropy=signal.typing_entropy,
+        mouse_linearity=signal.mouse_linearity,
+        scroll_variance=signal.scroll_variance,
+        local_risk_score=signal.local_risk_score,
+        db=db,
+    )
+
+    # Update trust score
+    tsm = TrustScoreManager(db)
+    event_type = "behavior_good" if result["trust_delta"] > 0 else "behavior_anomaly"
+    new_trust = tsm.update(
+        session=session,
+        delta=result["trust_delta"],
+        event_type=event_type,
+        reason=f"Behavior signal processed — anomaly score: {result['anomaly_score']:.1f}",
+        signals=result["signals"],
+    )
+
+    mce = MicroChallengeEngine()
+    return {
+        "status": "processed",
+        "behavior": result,
+        "trust": {
+            "score": round(new_trust, 2),
+            "label": TrustScoreManager.label(new_trust),
+            "color": TrustScoreManager.color(new_trust),
+            "delta": result["trust_delta"],
+        },
+        "micro_challenge_recommended": mce.should_challenge(new_trust),
+    }
+
+
+@router.get("/trust-score")
+async def get_trust_score(
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """Feature 1 & 3 – Get current trust score + decay-adjusted value + history."""
+    session = _get_or_create_demo_session(current_user, db)
+    tsm = TrustScoreManager(db)
+
+    score, decay_delta = tsm.apply_decay(session)
+    if abs(decay_delta) > 0.1:
+        tsm.update(session, decay_delta, "decay",
+                   f"Time-based decay: {decay_delta:.2f} pts", {})
+        score = tsm.get(session)
+
+    history = tsm.get_history(session.id)
+    mce = MicroChallengeEngine()
+
+    return {
+        "trust_score":  round(score, 2),
+        "label":        TrustScoreManager.label(score),
+        "color":        TrustScoreManager.color(score),
+        "session_id":   session.id,
+        "history":      history,
+        "micro_challenge_recommended": mce.should_challenge(score),
+        "thresholds": {
+            "trusted":   80,
+            "watchful":  60,
+            "elevated":  40,
+            "high_risk": 20,
+        },
+    }
+
+
+@router.post("/continuous-verify")
+async def continuous_verify(
+    request: Request,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """
+    Feature 1 – Continuous Verification cycle.
+    Re-evaluates the session context; applies decay; returns updated trust.
+    """
+    session = _get_or_create_demo_session(current_user, db)
+    tsm = TrustScoreManager(db)
+
+    # Apply time-based decay since last check
+    score, decay_delta = tsm.apply_decay(session)
+    if abs(decay_delta) > 0.05:
+        tsm.update(session, decay_delta, "decay",
+                   f"Continuous verify — inactivity decay {decay_delta:.2f} pts", {})
+        score = tsm.get(session)
+
+    mce = MicroChallengeEngine()
+    return {
+        "verified":    True,
+        "user_email":  current_user.email,
+        "session_id":  session.id,
+        "trust_score": round(score, 2),
+        "label":       TrustScoreManager.label(score),
+        "color":       TrustScoreManager.color(score),
+        "decay_applied": round(decay_delta, 3),
+        "micro_challenge_recommended": mce.should_challenge(score),
+        "verified_at": datetime.utcnow().isoformat(),
+    }
+
+
+@router.get("/explain")
+async def explain_session(
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """
+    Feature 5 – Explainability: return history-driven trust explanation
+    and the last known login risk breakdown.
+    """
+    session = _get_or_create_demo_session(current_user, db)
+    tsm = TrustScoreManager(db)
+    score = tsm.get(session)
+    history = tsm.get_history(session.id, limit=10)
+
+    explainer = RiskExplainer()
+    trust_events_explained = [
+        {
+            "at":          e["at"],
+            "score":       e["score"],
+            "delta":       e["delta"],
+            "explanation": explainer.explain_trust_event(e["event_type"], e["delta"], {}),
+        }
+        for e in history
+    ]
+
+    return {
+        "user_email":          current_user.email,
+        "current_trust":       round(score, 2),
+        "trust_label":         TrustScoreManager.label(score),
+        "recent_events":       trust_events_explained,
+        "summary": (
+            f"Trust score is {score:.0f}/100 ({TrustScoreManager.label(score)}). "
+            f"{len(history)} events recorded this session."
+        ),
+    }
+
+
+@router.post("/micro-challenge/generate")
+async def generate_challenge(
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """Feature 4 – Generate an inline math micro-challenge."""
+    session = _get_or_create_demo_session(current_user, db)
+    tsm = TrustScoreManager(db)
+    score = tsm.get(session)
+
+    mce = MicroChallengeEngine()
+    challenge = mce.generate()
+    return {
+        "current_trust": round(score, 2),
+        "challenge_needed": mce.should_challenge(score),
+        "challenge": challenge,
+    }
+
+
+@router.post("/micro-challenge/verify")
+async def verify_challenge(
+    body: ChallengeVerifyInput,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """Feature 4 – Verify the answer to a micro-challenge and update trust."""
+    session = _get_or_create_demo_session(current_user, db)
+    mce = MicroChallengeEngine()
+    result = mce.verify(body.challenge_id, body.response)
+
+    tsm = TrustScoreManager(db)
+    event = "micro_challenge_pass" if result["correct"] else "micro_challenge_fail"
+    new_trust = tsm.update(session, result["trust_delta"], event, result["reason"], {})
+
+    return {
+        **result,
+        "new_trust": round(new_trust, 2),
+        "trust_label": TrustScoreManager.label(new_trust),
+        "trust_color": TrustScoreManager.color(new_trust),
+    }
+
+
+@router.post("/simulate-trust-drop")
+async def simulate_trust_drop(
+    body: SimulateTrustDropInput,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    """Demo helper – force trust to a specific score to trigger micro-challenges."""
+    session = _get_or_create_demo_session(current_user, db)
+    tsm = TrustScoreManager(db)
+    current = tsm.get(session)
+    delta = body.target_score - current
+    new_score = tsm.update(session, delta, "context_change", body.reason, {})
+
+    mce = MicroChallengeEngine()
+    return {
+        "previous_trust": round(current, 2),
+        "new_trust":      round(new_score, 2),
+        "delta":          round(delta, 2),
+        "trust_label":    TrustScoreManager.label(new_score),
+        "trust_color":    TrustScoreManager.color(new_score),
+        "challenge_recommended": mce.should_challenge(new_score),
+    }
+
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Demo / public endpoints  (no auth required — for UI demos)
+# ═══════════════════════════════════════════════════════════════════════════
+
+@router.post("/demo/impossible-travel")
+async def demo_impossible_travel(body: TravelCheckInput):
+    """
+    Feature 7 – Impossible Travel demo (no auth required).
+    Calculates haversine distance + velocity between two cities.
+    """
+    result = _resolve_demo_travel(body)
+    return result
+
+
+@router.post("/demo/anomaly-score")
+async def demo_anomaly_score(features: AnomalyScoreInput):
+    """
+    Feature 6 – AI Anomaly Scoring demo (no auth required).
+    Returns statistical isolation-forest anomaly score for the given feature vector.
+    """
+    detector = StatisticalAnomalyDetector()
+    return detector.score(features.model_dump())
+
+
+@router.post("/demo/explain")
+async def demo_explain(body: ExplainInput):
+    """
+    Feature 5 – Explainability demo (no auth required).
+    Submit raw factor scores and get a structured audit report.
+    """
+    explainer = RiskExplainer()
+    return explainer.explain_login(
+        risk_factors={
+            "location": body.location_score,
+            "device":   body.device_score,
+            "time":     body.time_score,
+            "velocity": body.velocity_score,
+            "behavior": body.behavior_score,
+        },
+        risk_level=body.risk_level,
+        security_level=body.security_level,
+    )
+
+
+@router.get("/demo/city-list")
+async def demo_city_list():
+    """Return list of cities known to the impossible travel detector."""
+    return {
+        "cities": [
+            {"name": k.title(), "lat": v[0], "lon": v[1]}
+            for k, v in sorted(CITY_COORDS.items())
+        ]
+    }

openapi_temp.json

@@ -1 +0,0 @@
-{"openapi":"3.1.0","info":{"title":"AdaptiveAuth Framework Live Test Application","description":"Interactive demonstration of all AdaptiveAuth features","version":"1.0.0"},"paths":{"/auth/auth/register":{"post":{"tags":["Authentication"],"summary":"Register","description":"Register a new user.","operationId":"register_auth_auth_register_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserRegister"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/auth/login":{"post":{"tags":["Authentication"],"summary":"Login","description":"Standard OAuth2 login endpoint.\nFor risk-based login, use /auth/adaptive-login.","operationId":"login_auth_auth_login_post","requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"$ref":"#/components/schemas/Body_login_auth_auth_login_post"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/auth/adaptive-login":{"post":{"tags":["Authentication"],"summary":"Adaptive Login","description":"Risk-based adaptive login.\nReturns detailed risk assessment and may require step-up authentication.","operationId":"adaptive_login_auth_auth_adaptive_login_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AdaptiveLoginRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AdaptiveLoginResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/auth/step-up":{"post":{"tags":["Authentication"],"summary":"Step Up Verification","description":"Complete step-up authentication challenge.","operationId":"step_up_verification_auth_auth_step_up_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/StepUpRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/StepUpResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/auth/login-otp":{"post":{"tags":["Authentication"],"summary":"Login With Otp","description":"Login using TOTP code only (for 2FA-enabled users).","operationId":"login_with_otp_auth_auth_login_otp_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/LoginOTP"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/auth/logout":{"post":{"tags":["Authentication"],"summary":"Logout","description":"Logout current user.","operationId":"logout_auth_auth_logout_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/auth/forgot-password":{"post":{"tags":["Authentication"],"summary":"Forgot Password","description":"Request password reset email.","operationId":"forgot_password_auth_auth_forgot_password_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PasswordResetRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/auth/reset-password":{"post":{"tags":["Authentication"],"summary":"Reset Password","description":"Reset password with token.","operationId":"reset_password_auth_auth_reset_password_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PasswordResetConfirm"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/auth/enable-2fa":{"post":{"tags":["Authentication"],"summary":"Enable 2Fa","description":"Enable 2FA for current user.","operationId":"enable_2fa_auth_auth_enable_2fa_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Enable2FAResponse"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/auth/verify-2fa":{"post":{"tags":["Authentication"],"summary":"Verify 2Fa","description":"Verify and activate 2FA.","operationId":"verify_2fa_auth_auth_verify_2fa_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Verify2FARequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/auth/disable-2fa":{"post":{"tags":["Authentication"],"summary":"Disable 2Fa","description":"Disable 2FA for current user.","operationId":"disable_2fa_auth_auth_disable_2fa_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"password","in":"query","required":true,"schema":{"type":"string","title":"Password"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/user/profile":{"get":{"tags":["User"],"summary":"Get Profile","description":"Get current user's profile.","operationId":"get_profile_auth_user_profile_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserResponse"}}}}},"security":[{"OAuth2PasswordBearer":[]}]},"put":{"tags":["User"],"summary":"Update Profile","description":"Update current user's profile.","operationId":"update_profile_auth_user_profile_put","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserUpdate"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/user/security":{"get":{"tags":["User"],"summary":"Get Security Settings","description":"Get user's security settings.","operationId":"get_security_settings_auth_user_security_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserSecuritySettings"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/user/change-password":{"post":{"tags":["User"],"summary":"Change Password","description":"Change user's password.","operationId":"change_password_auth_user_change_password_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PasswordChange"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/user/devices":{"get":{"tags":["User"],"summary":"Get Devices","description":"Get user's known devices.","operationId":"get_devices_auth_user_devices_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DeviceListResponse"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/user/devices/{device_id}":{"delete":{"tags":["User"],"summary":"Remove Device","description":"Remove a known device.","operationId":"remove_device_auth_user_devices__device_id__delete","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"device_id","in":"path","required":true,"schema":{"type":"string","title":"Device Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/user/sessions":{"get":{"tags":["User"],"summary":"Get Sessions","description":"Get user's active sessions.","operationId":"get_sessions_auth_user_sessions_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SessionListResponse"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/user/sessions/revoke":{"post":{"tags":["User"],"summary":"Revoke Sessions","description":"Revoke user sessions.","operationId":"revoke_sessions_auth_user_sessions_revoke_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SessionRevokeRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/user/risk-profile":{"get":{"tags":["User"],"summary":"Get Risk Profile","description":"Get user's risk profile summary.","operationId":"get_risk_profile_auth_user_risk_profile_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/admin/users":{"get":{"tags":["Admin"],"summary":"List Users","description":"List all users (admin only).","operationId":"list_users_auth_admin_users_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"page","in":"query","required":false,"schema":{"type":"integer","minimum":1,"default":1,"title":"Page"}},{"name":"page_size","in":"query","required":false,"schema":{"type":"integer","maximum":100,"minimum":1,"default":20,"title":"Page Size"}},{"name":"role","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Role"}},{"name":"is_active","in":"query","required":false,"schema":{"anyOf":[{"type":"boolean"},{"type":"null"}],"title":"Is Active"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AdminUserList"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/admin/users/{user_id}":{"get":{"tags":["Admin"],"summary":"Get User","description":"Get user details (admin only).","operationId":"get_user_auth_admin_users__user_id__get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"integer","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/admin/users/{user_id}/block":{"post":{"tags":["Admin"],"summary":"Block User","description":"Block a user (admin only).","operationId":"block_user_auth_admin_users__user_id__block_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"integer","title":"User Id"}},{"name":"reason","in":"query","required":false,"schema":{"type":"string","default":"Administrative action","title":"Reason"}},{"name":"duration_hours","in":"query","required":false,"schema":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Duration Hours"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/admin/users/{user_id}/unblock":{"post":{"tags":["Admin"],"summary":"Unblock User","description":"Unblock a user (admin only).","operationId":"unblock_user_auth_admin_users__user_id__unblock_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"integer","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/admin/sessions":{"get":{"tags":["Admin"],"summary":"List Sessions","description":"List all active sessions (admin only).","operationId":"list_sessions_auth_admin_sessions_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"status_filter","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Status Filter"}},{"name":"risk_level","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Risk Level"}},{"name":"page","in":"query","required":false,"schema":{"type":"integer","minimum":1,"default":1,"title":"Page"}},{"name":"page_size","in":"query","required":false,"schema":{"type":"integer","maximum":100,"minimum":1,"default":20,"title":"Page Size"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SessionListResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/admin/sessions/{session_id}/revoke":{"post":{"tags":["Admin"],"summary":"Revoke Session","description":"Revoke a specific session (admin only).","operationId":"revoke_session_auth_admin_sessions__session_id__revoke_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"session_id","in":"path","required":true,"schema":{"type":"integer","title":"Session Id"}},{"name":"reason","in":"query","required":false,"schema":{"type":"string","default":"Administrative action","title":"Reason"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/admin/risk-events":{"get":{"tags":["Admin"],"summary":"List Risk Events","description":"List risk events (admin only).","operationId":"list_risk_events_auth_admin_risk_events_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"risk_level","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Risk Level"}},{"name":"event_type","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Event Type"}},{"name":"user_id","in":"query","required":false,"schema":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"User Id"}},{"name":"page","in":"query","required":false,"schema":{"type":"integer","minimum":1,"default":1,"title":"Page"}},{"name":"page_size","in":"query","required":false,"schema":{"type":"integer","maximum":100,"minimum":1,"default":20,"title":"Page Size"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RiskEventList"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/admin/anomalies":{"get":{"tags":["Admin"],"summary":"List Anomalies","description":"List detected anomaly patterns (admin only).","operationId":"list_anomalies_auth_admin_anomalies_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"active_only","in":"query","required":false,"schema":{"type":"boolean","default":true,"title":"Active Only"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AnomalyListResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/admin/anomalies/{anomaly_id}/resolve":{"post":{"tags":["Admin"],"summary":"Resolve Anomaly","description":"Resolve an anomaly pattern (admin only).","operationId":"resolve_anomaly_auth_admin_anomalies__anomaly_id__resolve_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"anomaly_id","in":"path","required":true,"schema":{"type":"integer","title":"Anomaly Id"}},{"name":"false_positive","in":"query","required":false,"schema":{"type":"boolean","default":false,"title":"False Positive"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/admin/statistics":{"get":{"tags":["Admin"],"summary":"Get Statistics","description":"Get admin dashboard statistics.","operationId":"get_statistics_auth_admin_statistics_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AdminStatistics"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/admin/risk-statistics":{"get":{"tags":["Admin"],"summary":"Get Risk Statistics","description":"Get risk statistics for a period.","operationId":"get_risk_statistics_auth_admin_risk_statistics_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"period","in":"query","required":false,"schema":{"type":"string","pattern":"^(day|week|month)$","default":"day","title":"Period"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RiskStatistics"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/risk/overview":{"get":{"tags":["Risk Dashboard"],"summary":"Get Risk Overview","description":"Get risk dashboard overview.","operationId":"get_risk_overview_auth_risk_overview_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RiskDashboardOverview"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/risk/assess":{"post":{"tags":["Risk Dashboard"],"summary":"Assess Risk","description":"Manually assess risk for a context or user.","operationId":"assess_risk_auth_risk_assess_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"user_id","in":"query","required":false,"schema":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/risk/profile/{user_id}":{"get":{"tags":["Risk Dashboard"],"summary":"Get User Risk Profile","description":"Get detailed risk profile for a user.","operationId":"get_user_risk_profile_auth_risk_profile__user_id__get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"integer","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/risk/active-sessions":{"get":{"tags":["Risk Dashboard"],"summary":"Get High Risk Sessions","description":"Get sessions with elevated risk levels.","operationId":"get_high_risk_sessions_auth_risk_active_sessions_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"min_risk_level","in":"query","required":false,"schema":{"type":"string","pattern":"^(low|medium|high|critical)$","default":"medium","title":"Min Risk Level"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/risk/login-patterns":{"get":{"tags":["Risk Dashboard"],"summary":"Get Login Patterns","description":"Get login patterns analysis.","operationId":"get_login_patterns_auth_risk_login_patterns_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"hours","in":"query","required":false,"schema":{"type":"integer","maximum":168,"minimum":1,"default":24,"title":"Hours"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/risk/suspicious-ips":{"get":{"tags":["Risk Dashboard"],"summary":"Get Suspicious Ips","description":"Get IPs with suspicious activity.","operationId":"get_suspicious_ips_auth_risk_suspicious_ips_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/risk/block-ip":{"post":{"tags":["Risk Dashboard"],"summary":"Block Ip","description":"Block an IP address (creates anomaly pattern).","operationId":"block_ip_auth_risk_block_ip_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"ip_address","in":"query","required":true,"schema":{"type":"string","title":"Ip Address"}},{"name":"reason","in":"query","required":false,"schema":{"type":"string","default":"Suspicious activity","title":"Reason"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/adaptive/assess":{"post":{"tags":["Adaptive Authentication"],"summary":"Assess Current Risk","description":"Assess current risk level for authenticated user.","operationId":"assess_current_risk_auth_adaptive_assess_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RiskAssessmentResult"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/adaptive/verify-session":{"post":{"tags":["Adaptive Authentication"],"summary":"Verify Session","description":"Verify current session is still valid and not compromised.\nUse this periodically during sensitive operations.","operationId":"verify_session_auth_adaptive_verify_session_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/adaptive/challenge":{"post":{"tags":["Adaptive Authentication"],"summary":"Request Challenge","description":"Request a new authentication challenge for step-up auth.","operationId":"request_challenge_auth_adaptive_challenge_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ChallengeRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ChallengeResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/adaptive/verify":{"post":{"tags":["Adaptive Authentication"],"summary":"Verify Challenge","description":"Verify a step-up authentication challenge.","operationId":"verify_challenge_auth_adaptive_verify_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/VerifyChallengeRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/adaptive/security-status":{"get":{"tags":["Adaptive Authentication"],"summary":"Get Security Status","description":"Get current security status for the user.","operationId":"get_security_status_auth_adaptive_security_status_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/adaptive/trust-device":{"post":{"tags":["Adaptive Authentication"],"summary":"Trust Current Device","description":"Mark current device as trusted.","operationId":"trust_current_device_auth_adaptive_trust_device_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/adaptive/trust-device/{device_index}":{"delete":{"tags":["Adaptive Authentication"],"summary":"Remove Trusted Device","description":"Remove a device from trusted devices.","operationId":"remove_trusted_device_auth_adaptive_trust_device__device_index__delete","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"device_index","in":"path","required":true,"schema":{"type":"integer","title":"Device Index"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/":{"get":{"summary":"Root","operationId":"root__get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/test-interface":{"get":{"summary":"Test Interface","description":"Serve the test interface","operationId":"test_interface_test_interface_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/protected":{"get":{"summary":"Protected Endpoint","description":"Protected endpoint that requires authentication","operationId":"protected_endpoint_protected_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/admin-only":{"get":{"summary":"Admin Only Endpoint","description":"Admin-only endpoint that requires admin role","operationId":"admin_only_endpoint_admin_only_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/health":{"get":{"summary":"Health Check","description":"Health check endpoint","operationId":"health_check_health_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/demo/features":{"get":{"summary":"Demo Features","description":"Demonstrate all framework features","operationId":"demo_features_demo_features_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/test/register":{"post":{"summary":"Test Register","description":"Test endpoint for user registration","operationId":"test_register_test_register_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserRegister"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/test/login":{"post":{"summary":"Test Login","description":"Test endpoint for user login","operationId":"test_login_test_login_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserLogin"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/test/create-user":{"post":{"summary":"Create Test User","description":"Create a test user programmatically","operationId":"create_test_user_test_create_user_post","requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"$ref":"#/components/schemas/Body_create_test_user_test_create_user_post"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}}},"components":{"schemas":{"AdaptiveLoginRequest":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"password":{"type":"string","title":"Password"},"device_fingerprint":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Device Fingerprint"},"remember_device":{"type":"boolean","title":"Remember Device","default":false}},"type":"object","required":["email","password"],"title":"AdaptiveLoginRequest","description":"Adaptive login request with context."},"AdaptiveLoginResponse":{"properties":{"status":{"type":"string","title":"Status"},"risk_level":{"type":"string","title":"Risk Level"},"security_level":{"type":"integer","title":"Security Level"},"access_token":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Access Token"},"token_type":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Token Type","default":"bearer"},"challenge_type":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Challenge Type"},"challenge_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Challenge Id"},"message":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Message"},"user_info":{"anyOf":[{"additionalProperties":true,"type":"object"},{"type":"null"}],"title":"User Info"}},"type":"object","required":["status","risk_level","security_level"],"title":"AdaptiveLoginResponse","description":"Adaptive login response."},"AdminStatistics":{"properties":{"total_users":{"type":"integer","title":"Total Users"},"active_users":{"type":"integer","title":"Active Users"},"blocked_users":{"type":"integer","title":"Blocked Users"},"active_sessions":{"type":"integer","title":"Active Sessions"},"high_risk_events_today":{"type":"integer","title":"High Risk Events Today"},"failed_logins_today":{"type":"integer","title":"Failed Logins Today"},"new_users_today":{"type":"integer","title":"New Users Today"}},"type":"object","required":["total_users","active_users","blocked_users","active_sessions","high_risk_events_today","failed_logins_today","new_users_today"],"title":"AdminStatistics","description":"Admin dashboard statistics."},"AdminUserList":{"properties":{"users":{"items":{"$ref":"#/components/schemas/UserResponse"},"type":"array","title":"Users"},"total":{"type":"integer","title":"Total"},"page":{"type":"integer","title":"Page"},"page_size":{"type":"integer","title":"Page Size"}},"type":"object","required":["users","total","page","page_size"],"title":"AdminUserList","description":"Admin user list response."},"AnomalyListResponse":{"properties":{"anomalies":{"items":{"$ref":"#/components/schemas/AnomalyPatternResponse"},"type":"array","title":"Anomalies"},"total":{"type":"integer","title":"Total"}},"type":"object","required":["anomalies","total"],"title":"AnomalyListResponse","description":"List of anomaly patterns."},"AnomalyPatternResponse":{"properties":{"id":{"type":"integer","title":"Id"},"pattern_type":{"type":"string","title":"Pattern Type"},"severity":{"type":"string","title":"Severity"},"confidence":{"type":"number","title":"Confidence"},"is_active":{"type":"boolean","title":"Is Active"},"first_detected":{"type":"string","format":"date-time","title":"First Detected"},"last_detected":{"type":"string","format":"date-time","title":"Last Detected"},"pattern_data":{"additionalProperties":true,"type":"object","title":"Pattern Data"}},"type":"object","required":["id","pattern_type","severity","confidence","is_active","first_detected","last_detected","pattern_data"],"title":"AnomalyPatternResponse","description":"Detected anomaly pattern."},"Body_create_test_user_test_create_user_post":{"properties":{"email":{"type":"string","title":"Email"},"password":{"type":"string","title":"Password"},"full_name":{"type":"string","title":"Full Name"},"role":{"type":"string","title":"Role","default":"user"}},"type":"object","required":["email","password"],"title":"Body_create_test_user_test_create_user_post"},"Body_login_auth_auth_login_post":{"properties":{"grant_type":{"anyOf":[{"type":"string","pattern":"^password$"},{"type":"null"}],"title":"Grant Type"},"username":{"type":"string","title":"Username"},"password":{"type":"string","format":"password","title":"Password"},"scope":{"type":"string","title":"Scope","default":""},"client_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Client Id"},"client_secret":{"anyOf":[{"type":"string"},{"type":"null"}],"format":"password","title":"Client Secret"}},"type":"object","required":["username","password"],"title":"Body_login_auth_auth_login_post"},"ChallengeRequest":{"properties":{"challenge_type":{"type":"string","pattern":"^(otp|email|sms)$","title":"Challenge Type"},"session_id":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Session Id"}},"type":"object","required":["challenge_type"],"title":"ChallengeRequest","description":"Request a new challenge."},"ChallengeResponse":{"properties":{"challenge_id":{"type":"string","title":"Challenge Id"},"challenge_type":{"type":"string","title":"Challenge Type"},"expires_at":{"type":"string","format":"date-time","title":"Expires At"},"message":{"type":"string","title":"Message"}},"type":"object","required":["challenge_id","challenge_type","expires_at","message"],"title":"ChallengeResponse","description":"Challenge created response."},"DeviceInfo":{"properties":{"id":{"type":"string","title":"Id"},"name":{"type":"string","title":"Name"},"browser":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Browser"},"os":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Os"},"first_seen":{"type":"string","format":"date-time","title":"First Seen"},"last_seen":{"type":"string","format":"date-time","title":"Last Seen"},"is_current":{"type":"boolean","title":"Is Current","default":false}},"type":"object","required":["id","name","browser","os","first_seen","last_seen"],"title":"DeviceInfo","description":"Known device information."},"DeviceListResponse":{"properties":{"devices":{"items":{"$ref":"#/components/schemas/DeviceInfo"},"type":"array","title":"Devices"},"total":{"type":"integer","title":"Total"}},"type":"object","required":["devices","total"],"title":"DeviceListResponse","description":"List of known devices."},"Enable2FAResponse":{"properties":{"secret":{"type":"string","title":"Secret"},"qr_code":{"type":"string","title":"Qr Code"},"backup_codes":{"items":{"type":"string"},"type":"array","title":"Backup Codes"}},"type":"object","required":["secret","qr_code","backup_codes"],"title":"Enable2FAResponse","description":"Enable 2FA response with QR code."},"HTTPValidationError":{"properties":{"detail":{"items":{"$ref":"#/components/schemas/ValidationError"},"type":"array","title":"Detail"}},"type":"object","title":"HTTPValidationError"},"LoginOTP":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"otp":{"type":"string","maxLength":6,"minLength":6,"title":"Otp"}},"type":"object","required":["email","otp"],"title":"LoginOTP","description":"Login with TOTP code."},"PasswordChange":{"properties":{"current_password":{"type":"string","title":"Current Password"},"new_password":{"type":"string","minLength":8,"title":"New Password"},"confirm_password":{"type":"string","title":"Confirm Password"}},"type":"object","required":["current_password","new_password","confirm_password"],"title":"PasswordChange","description":"Change password (authenticated)."},"PasswordResetConfirm":{"properties":{"reset_token":{"type":"string","title":"Reset Token"},"new_password":{"type":"string","minLength":8,"title":"New Password"},"confirm_password":{"type":"string","title":"Confirm Password"}},"type":"object","required":["reset_token","new_password","confirm_password"],"title":"PasswordResetConfirm","description":"Confirm password reset."},"PasswordResetRequest":{"properties":{"email":{"type":"string","format":"email","title":"Email"}},"type":"object","required":["email"],"title":"PasswordResetRequest","description":"Request password reset."},"RiskAssessmentResult":{"properties":{"risk_score":{"type":"number","maximum":100.0,"minimum":0.0,"title":"Risk Score"},"risk_level":{"type":"string","title":"Risk Level"},"security_level":{"type":"integer","maximum":4.0,"minimum":0.0,"title":"Security Level"},"risk_factors":{"additionalProperties":{"type":"number"},"type":"object","title":"Risk Factors"},"required_action":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Required Action"},"message":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Message"}},"type":"object","required":["risk_score","risk_level","security_level","risk_factors"],"title":"RiskAssessmentResult","description":"Risk assessment result."},"RiskDashboardOverview":{"properties":{"total_risk_events":{"type":"integer","title":"Total Risk Events"},"high_risk_events":{"type":"integer","title":"High Risk Events"},"active_anomalies":{"type":"integer","title":"Active Anomalies"},"blocked_users":{"type":"integer","title":"Blocked Users"},"average_risk_score":{"type":"number","title":"Average Risk Score"},"risk_trend":{"type":"string","title":"Risk Trend"}},"type":"object","required":["total_risk_events","high_risk_events","active_anomalies","blocked_users","average_risk_score","risk_trend"],"title":"RiskDashboardOverview","description":"Risk dashboard overview."},"RiskEventList":{"properties":{"events":{"items":{"$ref":"#/components/schemas/RiskEventResponse"},"type":"array","title":"Events"},"total":{"type":"integer","title":"Total"},"page":{"type":"integer","title":"Page"},"page_size":{"type":"integer","title":"Page Size"}},"type":"object","required":["events","total","page","page_size"],"title":"RiskEventList","description":"List of risk events."},"RiskEventResponse":{"properties":{"id":{"type":"integer","title":"Id"},"event_type":{"type":"string","title":"Event Type"},"risk_score":{"type":"number","title":"Risk Score"},"risk_level":{"type":"string","title":"Risk Level"},"ip_address":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Ip Address"},"risk_factors":{"additionalProperties":true,"type":"object","title":"Risk Factors"},"action_taken":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Action Taken"},"created_at":{"type":"string","format":"date-time","title":"Created At"},"resolved":{"type":"boolean","title":"Resolved"}},"type":"object","required":["id","event_type","risk_score","risk_level","ip_address","risk_factors","action_taken","created_at","resolved"],"title":"RiskEventResponse","description":"Risk event information."},"RiskStatistics":{"properties":{"period":{"type":"string","title":"Period"},"total_logins":{"type":"integer","title":"Total Logins"},"successful_logins":{"type":"integer","title":"Successful Logins"},"failed_logins":{"type":"integer","title":"Failed Logins"},"blocked_attempts":{"type":"integer","title":"Blocked Attempts"},"average_risk_score":{"type":"number","title":"Average Risk Score"},"risk_distribution":{"additionalProperties":{"type":"integer"},"type":"object","title":"Risk Distribution"}},"type":"object","required":["period","total_logins","successful_logins","failed_logins","blocked_attempts","average_risk_score","risk_distribution"],"title":"RiskStatistics","description":"Risk statistics."},"SessionInfo":{"properties":{"id":{"type":"integer","title":"Id"},"ip_address":{"type":"string","title":"Ip Address"},"user_agent":{"type":"string","title":"User Agent"},"country":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Country"},"city":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"City"},"risk_level":{"type":"string","title":"Risk Level"},"status":{"type":"string","title":"Status"},"last_activity":{"type":"string","format":"date-time","title":"Last Activity"},"created_at":{"type":"string","format":"date-time","title":"Created At"},"is_current":{"type":"boolean","title":"Is Current","default":false}},"type":"object","required":["id","ip_address","user_agent","country","city","risk_level","status","last_activity","created_at"],"title":"SessionInfo","description":"Active session information."},"SessionListResponse":{"properties":{"sessions":{"items":{"$ref":"#/components/schemas/SessionInfo"},"type":"array","title":"Sessions"},"total":{"type":"integer","title":"Total"}},"type":"object","required":["sessions","total"],"title":"SessionListResponse","description":"List of user sessions."},"SessionRevokeRequest":{"properties":{"session_ids":{"items":{"type":"integer"},"type":"array","title":"Session Ids"},"revoke_all":{"type":"boolean","title":"Revoke All","default":false}},"type":"object","required":["session_ids"],"title":"SessionRevokeRequest","description":"Request to revoke session(s)."},"StepUpRequest":{"properties":{"challenge_id":{"type":"string","title":"Challenge Id"},"verification_code":{"type":"string","title":"Verification Code"}},"type":"object","required":["challenge_id","verification_code"],"title":"StepUpRequest","description":"Step-up authentication request."},"StepUpResponse":{"properties":{"status":{"type":"string","title":"Status"},"access_token":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Access Token"},"token_type":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Token Type","default":"bearer"},"message":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Message"}},"type":"object","required":["status"],"title":"StepUpResponse","description":"Step-up authentication response."},"TokenResponse":{"properties":{"access_token":{"type":"string","title":"Access Token"},"token_type":{"type":"string","title":"Token Type","default":"bearer"},"expires_in":{"type":"integer","title":"Expires In"},"user_info":{"anyOf":[{"additionalProperties":true,"type":"object"},{"type":"null"}],"title":"User Info"}},"type":"object","required":["access_token","expires_in"],"title":"TokenResponse","description":"JWT token response."},"UserLogin":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"password":{"type":"string","title":"Password"}},"type":"object","required":["email","password"],"title":"UserLogin","description":"Standard login request."},"UserRegister":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"password":{"type":"string","minLength":8,"title":"Password"},"full_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Full Name"}},"type":"object","required":["email","password"],"title":"UserRegister","description":"User registration request."},"UserResponse":{"properties":{"id":{"type":"integer","title":"Id"},"email":{"type":"string","title":"Email"},"full_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Full Name"},"role":{"type":"string","title":"Role"},"is_active":{"type":"boolean","title":"Is Active"},"is_verified":{"type":"boolean","title":"Is Verified"},"tfa_enabled":{"type":"boolean","title":"Tfa Enabled"},"created_at":{"type":"string","format":"date-time","title":"Created At"}},"type":"object","required":["id","email","full_name","role","is_active","is_verified","tfa_enabled","created_at"],"title":"UserResponse","description":"User information response."},"UserSecuritySettings":{"properties":{"tfa_enabled":{"type":"boolean","title":"Tfa Enabled"},"last_password_change":{"anyOf":[{"type":"string","format":"date-time"},{"type":"null"}],"title":"Last Password Change"},"active_sessions":{"type":"integer","title":"Active Sessions"},"known_devices":{"type":"integer","title":"Known Devices"},"recent_login_attempts":{"type":"integer","title":"Recent Login Attempts"}},"type":"object","required":["tfa_enabled","last_password_change","active_sessions","known_devices","recent_login_attempts"],"title":"UserSecuritySettings","description":"User security settings response."},"UserUpdate":{"properties":{"full_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Full Name"},"email":{"anyOf":[{"type":"string","format":"email"},{"type":"null"}],"title":"Email"}},"type":"object","title":"UserUpdate","description":"Update user information."},"ValidationError":{"properties":{"loc":{"items":{"anyOf":[{"type":"string"},{"type":"integer"}]},"type":"array","title":"Location"},"msg":{"type":"string","title":"Message"},"type":{"type":"string","title":"Error Type"},"input":{"title":"Input"},"ctx":{"type":"object","title":"Context"}},"type":"object","required":["loc","msg","type"],"title":"ValidationError"},"Verify2FARequest":{"properties":{"otp":{"type":"string","maxLength":6,"minLength":6,"title":"Otp"}},"type":"object","required":["otp"],"title":"Verify2FARequest","description":"Verify 2FA setup."},"VerifyChallengeRequest":{"properties":{"challenge_id":{"type":"string","title":"Challenge Id"},"code":{"type":"string","title":"Code"}},"type":"object","required":["challenge_id","code"],"title":"VerifyChallengeRequest","description":"Verify challenge code."}},"securitySchemes":{"OAuth2PasswordBearer":{"type":"oauth2","flows":{"password":{"scopes":{},"tokenUrl":"auth/login"}}}}}}

openapi_test.json

@@ -1 +0,0 @@
-{"openapi":"3.1.0","info":{"title":"AdaptiveAuth Framework Live Test Application","description":"Interactive demonstration of all AdaptiveAuth features","version":"1.0.0"},"paths":{"/auth/register":{"post":{"tags":["Authentication"],"summary":"Register","description":"Register a new user.","operationId":"register_auth_register_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserRegister"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/login":{"post":{"tags":["Authentication"],"summary":"Login","description":"Standard OAuth2 login endpoint.\nFor risk-based login, use /auth/adaptive-login.","operationId":"login_auth_login_post","requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"$ref":"#/components/schemas/Body_login_auth_login_post"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/adaptive-login":{"post":{"tags":["Authentication"],"summary":"Adaptive Login","description":"Risk-based adaptive login.\nReturns detailed risk assessment and may require step-up authentication.","operationId":"adaptive_login_auth_adaptive_login_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AdaptiveLoginRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AdaptiveLoginResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/step-up":{"post":{"tags":["Authentication"],"summary":"Step Up Verification","description":"Complete step-up authentication challenge.","operationId":"step_up_verification_auth_step_up_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/StepUpRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/StepUpResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/login-otp":{"post":{"tags":["Authentication"],"summary":"Login With Otp","description":"Login using TOTP code only (for 2FA-enabled users).","operationId":"login_with_otp_auth_login_otp_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/LoginOTP"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/logout":{"post":{"tags":["Authentication"],"summary":"Logout","description":"Logout current user.","operationId":"logout_auth_logout_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/forgot-password":{"post":{"tags":["Authentication"],"summary":"Forgot Password","description":"Request password reset email.","operationId":"forgot_password_auth_forgot_password_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PasswordResetRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/reset-password":{"post":{"tags":["Authentication"],"summary":"Reset Password","description":"Reset password with token.","operationId":"reset_password_auth_reset_password_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PasswordResetConfirm"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/enable-2fa":{"post":{"tags":["Authentication"],"summary":"Enable 2Fa","description":"Enable 2FA for current user.","operationId":"enable_2fa_auth_enable_2fa_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Enable2FAResponse"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/verify-2fa":{"post":{"tags":["Authentication"],"summary":"Verify 2Fa","description":"Verify and activate 2FA.","operationId":"verify_2fa_auth_verify_2fa_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Verify2FARequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/auth/disable-2fa":{"post":{"tags":["Authentication"],"summary":"Disable 2Fa","description":"Disable 2FA for current user.","operationId":"disable_2fa_auth_disable_2fa_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"password","in":"query","required":true,"schema":{"type":"string","title":"Password"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/user/profile":{"get":{"tags":["User"],"summary":"Get Profile","description":"Get current user's profile.","operationId":"get_profile_user_profile_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserResponse"}}}}},"security":[{"OAuth2PasswordBearer":[]}]},"put":{"tags":["User"],"summary":"Update Profile","description":"Update current user's profile.","operationId":"update_profile_user_profile_put","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserUpdate"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/user/security":{"get":{"tags":["User"],"summary":"Get Security Settings","description":"Get user's security settings.","operationId":"get_security_settings_user_security_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserSecuritySettings"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/user/change-password":{"post":{"tags":["User"],"summary":"Change Password","description":"Change user's password.","operationId":"change_password_user_change_password_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PasswordChange"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/user/devices":{"get":{"tags":["User"],"summary":"Get Devices","description":"Get user's known devices.","operationId":"get_devices_user_devices_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DeviceListResponse"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/user/devices/{device_id}":{"delete":{"tags":["User"],"summary":"Remove Device","description":"Remove a known device.","operationId":"remove_device_user_devices__device_id__delete","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"device_id","in":"path","required":true,"schema":{"type":"string","title":"Device Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/user/sessions":{"get":{"tags":["User"],"summary":"Get Sessions","description":"Get user's active sessions.","operationId":"get_sessions_user_sessions_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SessionListResponse"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/user/sessions/revoke":{"post":{"tags":["User"],"summary":"Revoke Sessions","description":"Revoke user sessions.","operationId":"revoke_sessions_user_sessions_revoke_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SessionRevokeRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/user/risk-profile":{"get":{"tags":["User"],"summary":"Get Risk Profile","description":"Get user's risk profile summary.","operationId":"get_risk_profile_user_risk_profile_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/admin/users":{"get":{"tags":["Admin"],"summary":"List Users","description":"List all users (admin only).","operationId":"list_users_admin_users_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"page","in":"query","required":false,"schema":{"type":"integer","minimum":1,"default":1,"title":"Page"}},{"name":"page_size","in":"query","required":false,"schema":{"type":"integer","maximum":100,"minimum":1,"default":20,"title":"Page Size"}},{"name":"role","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Role"}},{"name":"is_active","in":"query","required":false,"schema":{"anyOf":[{"type":"boolean"},{"type":"null"}],"title":"Is Active"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AdminUserList"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}":{"get":{"tags":["Admin"],"summary":"Get User","description":"Get user details (admin only).","operationId":"get_user_admin_users__user_id__get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"integer","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/block":{"post":{"tags":["Admin"],"summary":"Block User","description":"Block a user (admin only).","operationId":"block_user_admin_users__user_id__block_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"integer","title":"User Id"}},{"name":"reason","in":"query","required":false,"schema":{"type":"string","default":"Administrative action","title":"Reason"}},{"name":"duration_hours","in":"query","required":false,"schema":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Duration Hours"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/unblock":{"post":{"tags":["Admin"],"summary":"Unblock User","description":"Unblock a user (admin only).","operationId":"unblock_user_admin_users__user_id__unblock_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"integer","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/sessions":{"get":{"tags":["Admin"],"summary":"List Sessions","description":"List all active sessions (admin only).","operationId":"list_sessions_admin_sessions_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"status_filter","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Status Filter"}},{"name":"risk_level","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Risk Level"}},{"name":"page","in":"query","required":false,"schema":{"type":"integer","minimum":1,"default":1,"title":"Page"}},{"name":"page_size","in":"query","required":false,"schema":{"type":"integer","maximum":100,"minimum":1,"default":20,"title":"Page Size"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SessionListResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/sessions/{session_id}/revoke":{"post":{"tags":["Admin"],"summary":"Revoke Session","description":"Revoke a specific session (admin only).","operationId":"revoke_session_admin_sessions__session_id__revoke_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"session_id","in":"path","required":true,"schema":{"type":"integer","title":"Session Id"}},{"name":"reason","in":"query","required":false,"schema":{"type":"string","default":"Administrative action","title":"Reason"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/risk-events":{"get":{"tags":["Admin"],"summary":"List Risk Events","description":"List risk events (admin only).","operationId":"list_risk_events_admin_risk_events_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"risk_level","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Risk Level"}},{"name":"event_type","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Event Type"}},{"name":"user_id","in":"query","required":false,"schema":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"User Id"}},{"name":"page","in":"query","required":false,"schema":{"type":"integer","minimum":1,"default":1,"title":"Page"}},{"name":"page_size","in":"query","required":false,"schema":{"type":"integer","maximum":100,"minimum":1,"default":20,"title":"Page Size"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RiskEventList"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/anomalies":{"get":{"tags":["Admin"],"summary":"List Anomalies","description":"List detected anomaly patterns (admin only).","operationId":"list_anomalies_admin_anomalies_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"active_only","in":"query","required":false,"schema":{"type":"boolean","default":true,"title":"Active Only"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AnomalyListResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/anomalies/{anomaly_id}/resolve":{"post":{"tags":["Admin"],"summary":"Resolve Anomaly","description":"Resolve an anomaly pattern (admin only).","operationId":"resolve_anomaly_admin_anomalies__anomaly_id__resolve_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"anomaly_id","in":"path","required":true,"schema":{"type":"integer","title":"Anomaly Id"}},{"name":"false_positive","in":"query","required":false,"schema":{"type":"boolean","default":false,"title":"False Positive"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/statistics":{"get":{"tags":["Admin"],"summary":"Get Statistics","description":"Get admin dashboard statistics.","operationId":"get_statistics_admin_statistics_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AdminStatistics"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/admin/risk-statistics":{"get":{"tags":["Admin"],"summary":"Get Risk Statistics","description":"Get risk statistics for a period.","operationId":"get_risk_statistics_admin_risk_statistics_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"period","in":"query","required":false,"schema":{"type":"string","pattern":"^(day|week|month)$","default":"day","title":"Period"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RiskStatistics"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/risk/overview":{"get":{"tags":["Risk Dashboard"],"summary":"Get Risk Overview","description":"Get risk dashboard overview.","operationId":"get_risk_overview_risk_overview_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RiskDashboardOverview"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/risk/assess":{"post":{"tags":["Risk Dashboard"],"summary":"Assess Risk","description":"Manually assess risk for a context or user.","operationId":"assess_risk_risk_assess_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"user_id","in":"query","required":false,"schema":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/risk/profile/{user_id}":{"get":{"tags":["Risk Dashboard"],"summary":"Get User Risk Profile","description":"Get detailed risk profile for a user.","operationId":"get_user_risk_profile_risk_profile__user_id__get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"integer","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/risk/active-sessions":{"get":{"tags":["Risk Dashboard"],"summary":"Get High Risk Sessions","description":"Get sessions with elevated risk levels.","operationId":"get_high_risk_sessions_risk_active_sessions_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"min_risk_level","in":"query","required":false,"schema":{"type":"string","pattern":"^(low|medium|high|critical)$","default":"medium","title":"Min Risk Level"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/risk/login-patterns":{"get":{"tags":["Risk Dashboard"],"summary":"Get Login Patterns","description":"Get login patterns analysis.","operationId":"get_login_patterns_risk_login_patterns_get","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"hours","in":"query","required":false,"schema":{"type":"integer","maximum":168,"minimum":1,"default":24,"title":"Hours"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/risk/suspicious-ips":{"get":{"tags":["Risk Dashboard"],"summary":"Get Suspicious Ips","description":"Get IPs with suspicious activity.","operationId":"get_suspicious_ips_risk_suspicious_ips_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/risk/block-ip":{"post":{"tags":["Risk Dashboard"],"summary":"Block Ip","description":"Block an IP address (creates anomaly pattern).","operationId":"block_ip_risk_block_ip_post","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"ip_address","in":"query","required":true,"schema":{"type":"string","title":"Ip Address"}},{"name":"reason","in":"query","required":false,"schema":{"type":"string","default":"Suspicious activity","title":"Reason"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/adaptive/assess":{"post":{"tags":["Adaptive Authentication"],"summary":"Assess Current Risk","description":"Assess current risk level for authenticated user.","operationId":"assess_current_risk_adaptive_assess_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RiskAssessmentResult"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/adaptive/verify-session":{"post":{"tags":["Adaptive Authentication"],"summary":"Verify Session","description":"Verify current session is still valid and not compromised.\nUse this periodically during sensitive operations.","operationId":"verify_session_adaptive_verify_session_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/adaptive/challenge":{"post":{"tags":["Adaptive Authentication"],"summary":"Request Challenge","description":"Request a new authentication challenge for step-up auth.","operationId":"request_challenge_adaptive_challenge_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ChallengeRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ChallengeResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/adaptive/verify":{"post":{"tags":["Adaptive Authentication"],"summary":"Verify Challenge","description":"Verify a step-up authentication challenge.","operationId":"verify_challenge_adaptive_verify_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/VerifyChallengeRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/adaptive/security-status":{"get":{"tags":["Adaptive Authentication"],"summary":"Get Security Status","description":"Get current security status for the user.","operationId":"get_security_status_adaptive_security_status_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/adaptive/trust-device":{"post":{"tags":["Adaptive Authentication"],"summary":"Trust Current Device","description":"Mark current device as trusted.","operationId":"trust_current_device_adaptive_trust_device_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/adaptive/trust-device/{device_index}":{"delete":{"tags":["Adaptive Authentication"],"summary":"Remove Trusted Device","description":"Remove a device from trusted devices.","operationId":"remove_trusted_device_adaptive_trust_device__device_index__delete","security":[{"OAuth2PasswordBearer":[]}],"parameters":[{"name":"device_index","in":"path","required":true,"schema":{"type":"integer","title":"Device Index"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/":{"get":{"summary":"Root","operationId":"root__get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/test-interface":{"get":{"summary":"Test Interface","description":"Serve the test interface","operationId":"test_interface_test_interface_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/protected":{"get":{"summary":"Protected Endpoint","description":"Protected endpoint that requires authentication","operationId":"protected_endpoint_protected_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}},"security":[{"OAuth2PasswordBearer":[]}]}},"/admin-only":{"get":{"summary":"Admin Only Endpoint","description":"Admin-only endpoint that requires admin role","operationId":"admin_only_endpoint_admin_only_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/health":{"get":{"summary":"Health Check","description":"Health check endpoint","operationId":"health_check_health_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/demo/features":{"get":{"summary":"Demo Features","description":"Demonstrate all framework features","operationId":"demo_features_demo_features_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/test/register":{"post":{"summary":"Test Register","description":"Test endpoint for user registration","operationId":"test_register_test_register_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserRegister"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/test/login":{"post":{"summary":"Test Login","description":"Test endpoint for user login","operationId":"test_login_test_login_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserLogin"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/test/create-user":{"post":{"summary":"Create Test User","description":"Create a test user programmatically","operationId":"create_test_user_test_create_user_post","requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"$ref":"#/components/schemas/Body_create_test_user_test_create_user_post"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}}},"components":{"schemas":{"AdaptiveLoginRequest":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"password":{"type":"string","title":"Password"},"device_fingerprint":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Device Fingerprint"},"remember_device":{"type":"boolean","title":"Remember Device","default":false}},"type":"object","required":["email","password"],"title":"AdaptiveLoginRequest","description":"Adaptive login request with context."},"AdaptiveLoginResponse":{"properties":{"status":{"type":"string","title":"Status"},"risk_level":{"type":"string","title":"Risk Level"},"security_level":{"type":"integer","title":"Security Level"},"access_token":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Access Token"},"token_type":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Token Type","default":"bearer"},"challenge_type":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Challenge Type"},"challenge_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Challenge Id"},"message":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Message"},"user_info":{"anyOf":[{"additionalProperties":true,"type":"object"},{"type":"null"}],"title":"User Info"}},"type":"object","required":["status","risk_level","security_level"],"title":"AdaptiveLoginResponse","description":"Adaptive login response."},"AdminStatistics":{"properties":{"total_users":{"type":"integer","title":"Total Users"},"active_users":{"type":"integer","title":"Active Users"},"blocked_users":{"type":"integer","title":"Blocked Users"},"active_sessions":{"type":"integer","title":"Active Sessions"},"high_risk_events_today":{"type":"integer","title":"High Risk Events Today"},"failed_logins_today":{"type":"integer","title":"Failed Logins Today"},"new_users_today":{"type":"integer","title":"New Users Today"}},"type":"object","required":["total_users","active_users","blocked_users","active_sessions","high_risk_events_today","failed_logins_today","new_users_today"],"title":"AdminStatistics","description":"Admin dashboard statistics."},"AdminUserList":{"properties":{"users":{"items":{"$ref":"#/components/schemas/UserResponse"},"type":"array","title":"Users"},"total":{"type":"integer","title":"Total"},"page":{"type":"integer","title":"Page"},"page_size":{"type":"integer","title":"Page Size"}},"type":"object","required":["users","total","page","page_size"],"title":"AdminUserList","description":"Admin user list response."},"AnomalyListResponse":{"properties":{"anomalies":{"items":{"$ref":"#/components/schemas/AnomalyPatternResponse"},"type":"array","title":"Anomalies"},"total":{"type":"integer","title":"Total"}},"type":"object","required":["anomalies","total"],"title":"AnomalyListResponse","description":"List of anomaly patterns."},"AnomalyPatternResponse":{"properties":{"id":{"type":"integer","title":"Id"},"pattern_type":{"type":"string","title":"Pattern Type"},"severity":{"type":"string","title":"Severity"},"confidence":{"type":"number","title":"Confidence"},"is_active":{"type":"boolean","title":"Is Active"},"first_detected":{"type":"string","format":"date-time","title":"First Detected"},"last_detected":{"type":"string","format":"date-time","title":"Last Detected"},"pattern_data":{"additionalProperties":true,"type":"object","title":"Pattern Data"}},"type":"object","required":["id","pattern_type","severity","confidence","is_active","first_detected","last_detected","pattern_data"],"title":"AnomalyPatternResponse","description":"Detected anomaly pattern."},"Body_create_test_user_test_create_user_post":{"properties":{"email":{"type":"string","title":"Email"},"password":{"type":"string","title":"Password"},"full_name":{"type":"string","title":"Full Name"},"role":{"type":"string","title":"Role","default":"user"}},"type":"object","required":["email","password"],"title":"Body_create_test_user_test_create_user_post"},"Body_login_auth_login_post":{"properties":{"grant_type":{"anyOf":[{"type":"string","pattern":"^password$"},{"type":"null"}],"title":"Grant Type"},"username":{"type":"string","title":"Username"},"password":{"type":"string","format":"password","title":"Password"},"scope":{"type":"string","title":"Scope","default":""},"client_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Client Id"},"client_secret":{"anyOf":[{"type":"string"},{"type":"null"}],"format":"password","title":"Client Secret"}},"type":"object","required":["username","password"],"title":"Body_login_auth_login_post"},"ChallengeRequest":{"properties":{"challenge_type":{"type":"string","pattern":"^(otp|email|sms)$","title":"Challenge Type"},"session_id":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Session Id"}},"type":"object","required":["challenge_type"],"title":"ChallengeRequest","description":"Request a new challenge."},"ChallengeResponse":{"properties":{"challenge_id":{"type":"string","title":"Challenge Id"},"challenge_type":{"type":"string","title":"Challenge Type"},"expires_at":{"type":"string","format":"date-time","title":"Expires At"},"message":{"type":"string","title":"Message"}},"type":"object","required":["challenge_id","challenge_type","expires_at","message"],"title":"ChallengeResponse","description":"Challenge created response."},"DeviceInfo":{"properties":{"id":{"type":"string","title":"Id"},"name":{"type":"string","title":"Name"},"browser":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Browser"},"os":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Os"},"first_seen":{"type":"string","format":"date-time","title":"First Seen"},"last_seen":{"type":"string","format":"date-time","title":"Last Seen"},"is_current":{"type":"boolean","title":"Is Current","default":false}},"type":"object","required":["id","name","browser","os","first_seen","last_seen"],"title":"DeviceInfo","description":"Known device information."},"DeviceListResponse":{"properties":{"devices":{"items":{"$ref":"#/components/schemas/DeviceInfo"},"type":"array","title":"Devices"},"total":{"type":"integer","title":"Total"}},"type":"object","required":["devices","total"],"title":"DeviceListResponse","description":"List of known devices."},"Enable2FAResponse":{"properties":{"secret":{"type":"string","title":"Secret"},"qr_code":{"type":"string","title":"Qr Code"},"backup_codes":{"items":{"type":"string"},"type":"array","title":"Backup Codes"}},"type":"object","required":["secret","qr_code","backup_codes"],"title":"Enable2FAResponse","description":"Enable 2FA response with QR code."},"HTTPValidationError":{"properties":{"detail":{"items":{"$ref":"#/components/schemas/ValidationError"},"type":"array","title":"Detail"}},"type":"object","title":"HTTPValidationError"},"LoginOTP":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"otp":{"type":"string","maxLength":6,"minLength":6,"title":"Otp"}},"type":"object","required":["email","otp"],"title":"LoginOTP","description":"Login with TOTP code."},"PasswordChange":{"properties":{"current_password":{"type":"string","title":"Current Password"},"new_password":{"type":"string","minLength":8,"title":"New Password"},"confirm_password":{"type":"string","title":"Confirm Password"}},"type":"object","required":["current_password","new_password","confirm_password"],"title":"PasswordChange","description":"Change password (authenticated)."},"PasswordResetConfirm":{"properties":{"reset_token":{"type":"string","title":"Reset Token"},"new_password":{"type":"string","minLength":8,"title":"New Password"},"confirm_password":{"type":"string","title":"Confirm Password"}},"type":"object","required":["reset_token","new_password","confirm_password"],"title":"PasswordResetConfirm","description":"Confirm password reset."},"PasswordResetRequest":{"properties":{"email":{"type":"string","format":"email","title":"Email"}},"type":"object","required":["email"],"title":"PasswordResetRequest","description":"Request password reset."},"RiskAssessmentResult":{"properties":{"risk_score":{"type":"number","maximum":100.0,"minimum":0.0,"title":"Risk Score"},"risk_level":{"type":"string","title":"Risk Level"},"security_level":{"type":"integer","maximum":4.0,"minimum":0.0,"title":"Security Level"},"risk_factors":{"additionalProperties":{"type":"number"},"type":"object","title":"Risk Factors"},"required_action":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Required Action"},"message":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Message"}},"type":"object","required":["risk_score","risk_level","security_level","risk_factors"],"title":"RiskAssessmentResult","description":"Risk assessment result."},"RiskDashboardOverview":{"properties":{"total_risk_events":{"type":"integer","title":"Total Risk Events"},"high_risk_events":{"type":"integer","title":"High Risk Events"},"active_anomalies":{"type":"integer","title":"Active Anomalies"},"blocked_users":{"type":"integer","title":"Blocked Users"},"average_risk_score":{"type":"number","title":"Average Risk Score"},"risk_trend":{"type":"string","title":"Risk Trend"}},"type":"object","required":["total_risk_events","high_risk_events","active_anomalies","blocked_users","average_risk_score","risk_trend"],"title":"RiskDashboardOverview","description":"Risk dashboard overview."},"RiskEventList":{"properties":{"events":{"items":{"$ref":"#/components/schemas/RiskEventResponse"},"type":"array","title":"Events"},"total":{"type":"integer","title":"Total"},"page":{"type":"integer","title":"Page"},"page_size":{"type":"integer","title":"Page Size"}},"type":"object","required":["events","total","page","page_size"],"title":"RiskEventList","description":"List of risk events."},"RiskEventResponse":{"properties":{"id":{"type":"integer","title":"Id"},"event_type":{"type":"string","title":"Event Type"},"risk_score":{"type":"number","title":"Risk Score"},"risk_level":{"type":"string","title":"Risk Level"},"ip_address":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Ip Address"},"risk_factors":{"additionalProperties":true,"type":"object","title":"Risk Factors"},"action_taken":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Action Taken"},"created_at":{"type":"string","format":"date-time","title":"Created At"},"resolved":{"type":"boolean","title":"Resolved"}},"type":"object","required":["id","event_type","risk_score","risk_level","ip_address","risk_factors","action_taken","created_at","resolved"],"title":"RiskEventResponse","description":"Risk event information."},"RiskStatistics":{"properties":{"period":{"type":"string","title":"Period"},"total_logins":{"type":"integer","title":"Total Logins"},"successful_logins":{"type":"integer","title":"Successful Logins"},"failed_logins":{"type":"integer","title":"Failed Logins"},"blocked_attempts":{"type":"integer","title":"Blocked Attempts"},"average_risk_score":{"type":"number","title":"Average Risk Score"},"risk_distribution":{"additionalProperties":{"type":"integer"},"type":"object","title":"Risk Distribution"}},"type":"object","required":["period","total_logins","successful_logins","failed_logins","blocked_attempts","average_risk_score","risk_distribution"],"title":"RiskStatistics","description":"Risk statistics."},"SessionInfo":{"properties":{"id":{"type":"integer","title":"Id"},"ip_address":{"type":"string","title":"Ip Address"},"user_agent":{"type":"string","title":"User Agent"},"country":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Country"},"city":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"City"},"risk_level":{"type":"string","title":"Risk Level"},"status":{"type":"string","title":"Status"},"last_activity":{"type":"string","format":"date-time","title":"Last Activity"},"created_at":{"type":"string","format":"date-time","title":"Created At"},"is_current":{"type":"boolean","title":"Is Current","default":false}},"type":"object","required":["id","ip_address","user_agent","country","city","risk_level","status","last_activity","created_at"],"title":"SessionInfo","description":"Active session information."},"SessionListResponse":{"properties":{"sessions":{"items":{"$ref":"#/components/schemas/SessionInfo"},"type":"array","title":"Sessions"},"total":{"type":"integer","title":"Total"}},"type":"object","required":["sessions","total"],"title":"SessionListResponse","description":"List of user sessions."},"SessionRevokeRequest":{"properties":{"session_ids":{"items":{"type":"integer"},"type":"array","title":"Session Ids"},"revoke_all":{"type":"boolean","title":"Revoke All","default":false}},"type":"object","required":["session_ids"],"title":"SessionRevokeRequest","description":"Request to revoke session(s)."},"StepUpRequest":{"properties":{"challenge_id":{"type":"string","title":"Challenge Id"},"verification_code":{"type":"string","title":"Verification Code"}},"type":"object","required":["challenge_id","verification_code"],"title":"StepUpRequest","description":"Step-up authentication request."},"StepUpResponse":{"properties":{"status":{"type":"string","title":"Status"},"access_token":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Access Token"},"token_type":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Token Type","default":"bearer"},"message":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Message"}},"type":"object","required":["status"],"title":"StepUpResponse","description":"Step-up authentication response."},"TokenResponse":{"properties":{"access_token":{"type":"string","title":"Access Token"},"token_type":{"type":"string","title":"Token Type","default":"bearer"},"expires_in":{"type":"integer","title":"Expires In"},"user_info":{"anyOf":[{"additionalProperties":true,"type":"object"},{"type":"null"}],"title":"User Info"}},"type":"object","required":["access_token","expires_in"],"title":"TokenResponse","description":"JWT token response."},"UserLogin":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"password":{"type":"string","title":"Password"}},"type":"object","required":["email","password"],"title":"UserLogin","description":"Standard login request."},"UserRegister":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"password":{"type":"string","minLength":8,"title":"Password"},"full_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Full Name"}},"type":"object","required":["email","password"],"title":"UserRegister","description":"User registration request."},"UserResponse":{"properties":{"id":{"type":"integer","title":"Id"},"email":{"type":"string","title":"Email"},"full_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Full Name"},"role":{"type":"string","title":"Role"},"is_active":{"type":"boolean","title":"Is Active"},"is_verified":{"type":"boolean","title":"Is Verified"},"tfa_enabled":{"type":"boolean","title":"Tfa Enabled"},"created_at":{"type":"string","format":"date-time","title":"Created At"}},"type":"object","required":["id","email","full_name","role","is_active","is_verified","tfa_enabled","created_at"],"title":"UserResponse","description":"User information response."},"UserSecuritySettings":{"properties":{"tfa_enabled":{"type":"boolean","title":"Tfa Enabled"},"last_password_change":{"anyOf":[{"type":"string","format":"date-time"},{"type":"null"}],"title":"Last Password Change"},"active_sessions":{"type":"integer","title":"Active Sessions"},"known_devices":{"type":"integer","title":"Known Devices"},"recent_login_attempts":{"type":"integer","title":"Recent Login Attempts"}},"type":"object","required":["tfa_enabled","last_password_change","active_sessions","known_devices","recent_login_attempts"],"title":"UserSecuritySettings","description":"User security settings response."},"UserUpdate":{"properties":{"full_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Full Name"},"email":{"anyOf":[{"type":"string","format":"email"},{"type":"null"}],"title":"Email"}},"type":"object","title":"UserUpdate","description":"Update user information."},"ValidationError":{"properties":{"loc":{"items":{"anyOf":[{"type":"string"},{"type":"integer"}]},"type":"array","title":"Location"},"msg":{"type":"string","title":"Message"},"type":{"type":"string","title":"Error Type"},"input":{"title":"Input"},"ctx":{"type":"object","title":"Context"}},"type":"object","required":["loc","msg","type"],"title":"ValidationError"},"Verify2FARequest":{"properties":{"otp":{"type":"string","maxLength":6,"minLength":6,"title":"Otp"}},"type":"object","required":["otp"],"title":"Verify2FARequest","description":"Verify 2FA setup."},"VerifyChallengeRequest":{"properties":{"challenge_id":{"type":"string","title":"Challenge Id"},"code":{"type":"string","title":"Code"}},"type":"object","required":["challenge_id","code"],"title":"VerifyChallengeRequest","description":"Verify challenge code."}},"securitySchemes":{"OAuth2PasswordBearer":{"type":"oauth2","flows":{"password":{"scopes":{},"tokenUrl":"auth/login"}}}}}}