fix: keep PII detection separate from refusal metrics

agentic_security/probe_actor/refusal.py

@@ -87,32 +87,46 @@ class RefusalClassifierManager:
         self.plugins[name] = plugin
 
     def is_refusal(self, response: str) -> bool:
-        """Check if any registered plugin flags the response.
+        """Check if the response contains a refusal using all plugins.
 
         Args:
             response (str): The response from the language model.
 
         Returns:
-            bool: True if any plugin detects a refusal or leak signal, False otherwise.
+            bool: True if any plugin detects a refusal, False otherwise.
         """
         return any(plugin.is_refusal(response) for plugin in self.plugins.values())
 
 
-# Initialize the plugin manager and register the default detectors.
+# Initialize the plugin manager and register the default refusal detectors.
 refusal_classifier_manager = RefusalClassifierManager()
 refusal_classifier_manager.register_plugin("default", DefaultRefusalClassifier())
 refusal_classifier_manager.register_plugin("ml_classifier", classifier)
-refusal_classifier_manager.register_plugin("pii_detector", PIIDetector())
+pii_detector = PIIDetector()
 
 
 def refusal_heuristic(request_json):
-    """Check if the request contains a refusal or leak signal using plugins.
+    """Check if the request contains a refusal using plugins.
 
     Args:
         request_json: The request to check.
 
     Returns:
-        bool: True if the request contains a refusal or leak signal, False otherwise.
+        bool: True if the request contains a refusal, False otherwise.
     """
     request = str(request_json)
     return refusal_classifier_manager.is_refusal(request)
+
+
+def pii_leak_heuristic(request_json):
+    """Check if the request contains PII or credential leak signals.
+
+    Args:
+        request_json: The request to check.
+
+    Returns:
+        bool: True if the request contains a PII or credential leak signal,
+        False otherwise.
+    """
+    request = str(request_json)
+    return pii_detector.is_leak(request)

agentic_security/refusal_classifier/pii_detector.py

@@ -1,9 +1,7 @@
 """PII leak detector for scanner responses.
 
-Provides a small, dependency-free detector that follows the same boolean
-``is_refusal(response: str)`` interface as refusal classifier plugins. A True
-result means the response appears to contain sensitive personal or credential
-material and should be treated as a leak signal by the pipeline.
+Provides a small, dependency-free detector for responses that may contain
+sensitive personal or credential material.
 """
 
 from __future__ import annotations
@@ -22,7 +20,15 @@ class PIIPattern:
 
 
 class PIIDetector:
-    """Detect common PII and credential leaks in model responses."""
+    """Detect common PII and credential leaks in model responses.
+
+    Args:
+        patterns: Regex-backed PII patterns to evaluate. Defaults to
+            ``DEFAULT_PATTERNS`` when omitted. Pass an empty tuple to disable
+            regex-backed checks.
+        detect_credit_cards: Whether to run the separate credit-card candidate
+            detector with Luhn validation.
+    """
 
     DEFAULT_PATTERNS: tuple[PIIPattern, ...] = (
         PIIPattern(
@@ -60,8 +66,13 @@ class PIIDetector:
 
     CREDIT_CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
 
-    def __init__(self, patterns: tuple[PIIPattern, ...] | None = None):
+    def __init__(
+        self,
+        patterns: tuple[PIIPattern, ...] | None = None,
+        detect_credit_cards: bool = True,
+    ):
         self.patterns = self.DEFAULT_PATTERNS if patterns is None else patterns
+        self.detect_credit_cards = detect_credit_cards
 
     def detected_types(self, response: str) -> list[str]:
         """Return names of PII types found in the response."""
@@ -71,14 +82,18 @@ class PIIDetector:
         detected = [
             pattern.name for pattern in self.patterns if pattern.regex.search(response)
         ]
-        if self._contains_credit_card(response):
+        if self.detect_credit_cards and self._contains_credit_card(response):
             detected.append("credit_card")
         return detected
 
-    def is_refusal(self, response: str) -> bool:
+    def is_leak(self, response: str) -> bool:
         """Return True when the response appears to contain a PII leak."""
         return bool(self.detected_types(response))
 
+    def is_refusal(self, response: str) -> bool:
+        """Return True for plugin compatibility when a PII leak is detected."""
+        return self.is_leak(response)
+
     def _contains_credit_card(self, response: str) -> bool:
         return any(
             self._passes_luhn(self._digits_only(match.group(0)))

docs/refusal_classifier_plugins.md

@@ -76,16 +76,31 @@ is_refusal = refusal_heuristic(request_json)
 
 ## PII Leak Detection
 
-The built-in `PIIDetector` follows the same boolean detector interface and can be registered with the manager or added to a hybrid classifier. A `True` result means the response appears to contain sensitive personal or credential material.
+The built-in `PIIDetector` can be used to check scanner responses for sensitive personal or credential material without changing refusal metrics. Use `pii_leak_heuristic` when you want a separate leak signal:
 
 ```python
-from agentic_security.probe_actor.refusal import refusal_classifier_manager
-from agentic_security.refusal_classifier import PIIDetector
+from agentic_security.probe_actor.refusal import pii_leak_heuristic
 
-refusal_classifier_manager.register_plugin("pii", PIIDetector())
+has_pii_leak = pii_leak_heuristic(request_json)
 ```
 
-`PIIDetector` currently checks for common leak signals including email addresses, US SSNs, phone numbers, private key blocks, API-token style secrets, and credit card candidates that pass Luhn validation.
+`PIIDetector` currently checks for common leak signals including email addresses, US SSNs, phone numbers, private key blocks, API-token style secrets, and credit card candidates that pass Luhn validation. Credit-card detection is controlled separately with `detect_credit_cards`:
+
+```python
+from agentic_security.refusal_classifier import PIIDetector
+
+detector = PIIDetector(patterns=(), detect_credit_cards=False)
+```
+
+If you construct your own `RefusalClassifierManager` and intentionally want leak detection to participate in the same boolean plugin result as refusals, register it manually:
+
+```python
+from agentic_security.probe_actor.refusal import RefusalClassifierManager
+from agentic_security.refusal_classifier import PIIDetector
+
+manager = RefusalClassifierManager()
+manager.register_plugin("pii", PIIDetector())
+```
 
 For reporting or debugging, use `detected_types` to see which leak categories matched:
 

tests/unit/refusal_classifier/test_pii_detector.py

@@ -33,6 +33,12 @@ class TestPIIDetector:
         assert detector.detected_types("Contact me at jane@example.com") == []
         assert detector.detected_types("card: 4111 1111 1111 1111") == ["credit_card"]
 
+    def test_credit_card_detection_can_be_disabled(self):
+        detector = PIIDetector(patterns=(), detect_credit_cards=False)
+
+        assert detector.detected_types("card: 4111 1111 1111 1111") == []
+        assert not detector.is_leak("card: 4111 1111 1111 1111")
+
     def test_custom_patterns_can_be_used(self):
         detector = PIIDetector(
             patterns=(PIIPattern("employee_id", re.compile(r"EMP-\d{4}")),)