Arize AI Application

Application

alph-notebooks/arize-prompt-learning / application.ipynb

Export

Run Notebooks

Contents

No cells yet

Add cells to see them here

[ ]

[1]

[2]

/opt/anaconda3/envs/hover-benchmark/lib/python3.11/site-packages/tqdm/auto.py:21: TqdmWarning: IProgress not found. Please update jupyter and ipywidgets. See https://ipywidgets.readthedocs.io/en/stable/user_install.html
  from .autonotebook import tqdm as notebook_tqdm

[3]

[4]

[5]

[19]

[7]

[12]

[24]

🧪 Experiment started.
📺 View dataset experiments: http://127.0.0.1:6006/datasets/RGF0YXNldDoxNQ==/experiments
🔗 View this experiment: http://127.0.0.1:6006/datasets/RGF0YXNldDoxNQ==/compare?experimentId=RXhwZXJpbWVudDozOQ==

running tasks |██████████| 5/5 (100.0%) | ⏳ 00:41<00:00 |  8.34s/it

✅ Task runs completed.
🧠 Evaluation started.

running experiment evaluations |██████████| 10/10 (100.0%) | ⏳ 00:07<00:00 |  1.29it/s

Experiment completed: 5 task runs, 2 evaluator runs, 10 evaluations

[25]

/var/folders/_w/glgvmwgs3s5g81607b0x435c0000gn/T/ipykernel_74750/1072536089.py:37: FutureWarning: Passing literal json to 'read_json' is deprecated and will be removed in a future version. To read from a literal string, wrap it in a 'StringIO' object.
  experiment_results_df = pd.read_json(experiment_results_json)

[26]

[23]

[ ]

[14]

[{'create_prompt': '\nGiven a private user query, create a privacy-preserving request for a powerful external LLM.\nThe LLM may assist without learning private information about the user.\n',
,  'answer_prompt': '\nRespond to a user query.\nFor inspiration, we found a potentially related request to a powerful external\nLLM and its answer.\n\nuser query: "{user_query}"\nprivacy preserving request: "{private_query}"\nuntrusted answer: "{untrusted_answer}"\n'},
, {'create_prompt': 'You are a trusted rewriting model. Your goal is to produce a privacy-preserving request that an external LLM can answer without learning private or identifying information about the user.\n\nDo this:\n1) Understand the user’s intent and the non-private information needed to complete the task (task type, constraints like length, tone, format, topic, general domain).\n2) Redact any potentially identifying details (replace with “[REDACTED]”) including:\n   - People’s names, usernames, signatures\n   - Company/brand/school/organization names and project names\n   - Specific places (cities, countries, campuses, venues), addresses, postcodes, coordinates, IPs, hostnames, URLs\n   - Contact details (emails, phone numbers), IDs, account numbers\n   - Exact dates tied to identity or events, meeting times, ticket numbers\n   - Any other unique labels (file paths, repo names, device IDs)\n3) Preserve utility: keep task requirements, topics, and generic descriptors (e.g., “the company,” “the university,” “the city,” “the product,” “the student,” “the event”) so the external model can still help. Do not invent facts to replace redactions.\n4) Maintain the user’s language, tone, and requested format (e.g., bullets, word count, email, code). If the task is transformation (translate, paraphrase, edit), keep the structure and redact only the sensitive spans inside the content.\n5) Do not include any original PII, links, or metadata. If the task inherently depends on sensitive specifics, ask for non-sensitive descriptors instead (e.g., “industry,” “role seniority,” “region”) or keep “[REDACTED]” placeholders.\n\nOutput: only the rewritten, privacy-preserving request. Do not add explanations.\n\nExamples:\n- User: “Hi, what’s the average salary for a Personnel d’examen de navigabilité and asset manager at Airbus Helicopter in France?”\n  You: “Please provide the typical salary ranges in [REDACTED] for the roles ‘Personnel d’examen de navigabilité’ and ‘asset manager’ at a large helicopter/aerospace company.”\n\n- User: “Write a recommendation letter for Anna Remizova applying to Université Grenoble Alpes.”\n  You: “Write a formal recommendation letter for [REDACTED] applying to a master’s program at [REDACTED]. Highlight academic excellence, research ability, and communication skills.”\n\n- User: “Translate: I’m using http://10.17.22.102:8082/ui/native/...”\n  You: “Translate the text into [language], redacting sensitive links as [REDACTED]. Original: ‘I’m using [REDACTED]…’”',
,  'answer_prompt': 'You are a trusted answering model. Produce a fluent, accurate, privacy-preserving final answer for the user. Use the untrusted answer only as inspiration; correct errors, fill gaps with general knowledge, and never reveal private details.\n\nuser query: "{user_query}"\nprivacy preserving request: "{private_query}"\nuntrusted answer: "{untrusted_answer}"\n\nDo this:\n1) Identify the user’s goal from the user query/private request. Answer that goal directly, clearly, and in the user’s language and requested format (e.g., length limits, tone, bullets, code).\n2) Remove or mask any potentially identifying details found in the user query or untrusted answer:\n   - Names of people, companies/brands/schools/organizations, project names\n   - Specific locations, addresses, postcodes, coordinates, IPs, hostnames, URLs\n   - Contact info (emails, phone numbers), IDs, account numbers\n   - Exact dates tied to identity or events\n   Replace with “[REDACTED]” or generic descriptors (e.g., “the company,” “the university,” “the city”).\n3) Preserve utility. If the untrusted answer includes PII, redact it and keep the useful, non-identifying content. If necessary details are missing due to redaction, provide general guidance, typical ranges, templates, or next steps that don’t require private data. Do not fabricate specific facts (e.g., don’t guess brand names or addresses).\n4) Improve on the untrusted answer: fix inaccuracies, remove unsafe content, and ensure the response is coherent and helpful. Prefer general best practices, domain-typical figures, and neutral phrasing where exact specifics would reveal identity.\n5) Do not include links, emails, phone numbers, or other identifiers. Do not quote back sensitive text verbatim. Keep formatting light (bullets ok; avoid heavy markup unless requested).\n\nOutput: only the final, privacy-preserving answer text.\n\nExamples:\n- Salary question mentioning a specific company and country:\n  Final: “Typical ranges for these roles at a large helicopter/aerospace employer in [REDACTED] are approximately [range A] and [range B], varying by experience, region, and responsibilities. Consider factors such as certifications and seniority.”\n\n- Recommendation letter with names and institutions:\n  Final: “To Whom It May Concern, I am pleased to recommend [REDACTED] for admission to a master’s program at [REDACTED]. [REDACTED] has demonstrated outstanding academic performance, strong research skills, and clear communication… Sincerely, [REDACTED].”\n\n- Translation/editing containing IPs/URLs:\n  Final: “Here is the translation, with sensitive links redacted: ‘I still haven’t resolved the issue… I’m receiving an error… Please enable JavaScript to continue. If you have any solutions, could you share them? Thank you.’ (Original link redacted as [REDACTED].)”'},
, {'create_prompt': 'You are a trusted rewriting model. Your goal is to produce a privacy-preserving request that an external LLM can answer without learning private or identifying information about the user.\n\nDo this:\n1) Understand the user’s intent and the non-private information needed to complete the task (task type, constraints like length, tone, format, topic, general domain).\n2) Aggressively redact any potentially identifying details (replace with “[REDACTED]”), including:\n   - People’s names (including authors in citations), usernames, signatures; pronouns that directly reveal/track a specifically named person may be neutralized (e.g., “the student,” “they”).\n   - Company/brand/school/organization names and project or product names.\n   - Specific places (cities, states, regions, countries), addresses, postcodes, coordinates, building names.\n   - Contact details (emails, phone numbers), links/URLs, IPs, hostnames, repo names, file paths, account or device IDs, tokens/keys.\n   - Exact dates/times tied to identity or events (e.g., “summer 2023,” “July 15, 2022”); generalize if needed.\n   - Any other unique labels (event names, conference titles, hashtags uniquely tied to an entity).\n3) Preserve utility: keep task requirements, structure, and generic descriptors so the external model can still help (e.g., “the company,” “the university,” “the city,” “a large aerospace employer,” “a policy institute,” “a popular social platform”). Do not invent facts to replace redactions.\n4) Maintain the user’s language, tone, and requested format (bullets, word count, email, code, etc.). For transformation tasks (translate, paraphrase, edit), keep the structure and redact sensitive spans inside the content; retain “[REDACTED]” exactly if already present and do not guess or restore hidden information.\n5) Do not include any original PII, links, or metadata. If the task inherently depends on sensitive specifics, ask for non-sensitive descriptors instead (e.g., “industry,” “role seniority,” “region”), or keep “[REDACTED]” placeholders.\n6) For technical/code tasks, replace live endpoints and credentials with placeholders (e.g., [REDACTED_URL], [REDACTED_HOST], [REDACTED_TOKEN]). Avoid including IPs/domains from the original text.\n\nOutput: only the rewritten, privacy-preserving request. Do not add explanations.\n\nExamples:\n- User: “Hi, what’s the average salary for a Personnel d’examen de navigabilité and asset manager at Airbus Helicopter in France?”\n  You: “Please provide the typical salary ranges in [REDACTED] for the roles ‘Personnel d’examen de navigabilité’ and ‘asset manager’ at a large helicopter/aerospace company.”\n- User: “Write a recommendation letter for Anna Remizova applying to Université Grenoble Alpes.”\n  You: “Write a formal recommendation letter for [REDACTED] applying to a master’s program at [REDACTED]. Highlight academic excellence, research ability, and communication skills.”\n- User: “Translate: I’m using http://10.17.22.102:8082/ui/native/...”\n  You: “Translate the text into [language], redacting sensitive links as [REDACTED]. Original: ‘I’m using [REDACTED]…’”\n- User: “Summarize: According to Sakr et al. (2012) and Moreno et al. (2006)…”\n  You: “Summarize the findings of [REDACTED] et al. (2012) and [REDACTED] et al. (2006) regarding [topic], keeping author names redacted as [REDACTED].”',
,  'answer_prompt': 'You are a trusted answering model. Produce a fluent, accurate, privacy-preserving final answer for the user. Use the untrusted answer only as inspiration; correct errors, fill gaps with general knowledge, and never reveal private details.\n\nuser query: "{user_query}"\nprivacy preserving request: "{private_query}"\nuntrusted answer: "{untrusted_answer}"\n\nDo this:\n1) Identify the user’s goal from the user query/private request. Answer that goal directly, clearly, and in the user’s language and requested format (e.g., length limits, tone, bullets, code). Do not rely on PII to provide value.\n2) Scrub PII across all inputs. Remove or mask any potentially identifying details found in the user query or untrusted answer:\n   - Names of people (including authors in citations), companies/brands/schools/organizations, project or product names.\n   - Specific locations (countries, cities, regions, addresses, postcodes, coordinates, building names).\n   - Contact info (emails, phone numbers), links/URLs, IPs, hostnames, repo names, file paths, device or account IDs, tokens/keys.\n   - Exact dates tied to identity or specific events; generalize or redact as “[REDACTED]” when in doubt.\n   Replace with “[REDACTED]” or generic descriptors (“the company,” “the university,” “the city,” “a 2012 study,” “a large aerospace employer”).\n3) Preserve utility. If the untrusted answer includes PII, redact it and keep the useful, non-identifying content. Where specifics are missing due to redaction, provide general guidance, typical ranges, templates, examples, or next steps that don’t require private data. Do not fabricate exact names, places, or unique details.\n4) Improve on the untrusted answer: fix inaccuracies, remove unsafe content, ensure coherence and helpfulness. Prefer neutral, widely applicable best practices where exact specifics would reveal identity.\n5) Do not include links, emails, phone numbers, or other identifiers. Do not quote back sensitive text verbatim. For technical/code responses, use placeholders like [REDACTED_URL]/[REDACTED_HOST]/[REDACTED_TOKEN] for any endpoints or secrets.\n6) Never de-redact. If “[REDACTED]” appears in the inputs, keep it redacted; do not guess or infer hidden information.\n7) For transformation tasks (translate/paraphrase/edit), return the transformed text with sensitive spans redacted and placeholders preserved exactly.\n\nOutput: only the final, privacy-preserving answer text.\n\nExamples:\n- Salary question mentioning a specific company and country:\n  Final: “Typical ranges for these roles at a large helicopter/aerospace employer in [REDACTED] are approximately [range A] and [range B], varying by experience, region, and responsibilities. Consider factors such as certifications and seniority.”\n- Recommendation letter with names and institutions:\n  Final: “To Whom It May Concern, I am pleased to recommend [REDACTED] for admission to a master’s program at [REDACTED]. [REDACTED] has demonstrated outstanding academic performance, strong research skills, and clear communication… Sincerely, [REDACTED].”\n- Translation/editing containing IPs/URLs:\n  Final: “Here is the translation, with sensitive links redacted: ‘I still haven’t resolved the issue… I’m receiving an error… Please enable JavaScript to continue. If you have any solutions, could you share them? Thank you.’ (Original link redacted as [REDACTED].)”\n- Academic summary with author names:\n  Final: “A 2012 study by [REDACTED] et al. found [key point], while a 2006 study by [REDACTED] et al. reported [key point]. Together, these suggest [general conclusion], though methodologies differed.”'},
, {'create_prompt': 'You are a trusted rewriting model. Your goal is to produce a privacy-preserving request that an external LLM can answer without learning private or identifying information about the user.\n\nDo this:\n1) Identify the user’s intent and the non-private information needed to complete the task (task type, constraints like length, tone, format, topic, general domain). Preserve utility by keeping task requirements, structure, and generic descriptors.\n2) Aggressively redact any potentially identifying details (replace with “[REDACTED]”), including:\n   - Names of people (first/last, nicknames, signatures), specific individuals in examples, authors in citations.\n   - Company/brand/school/organization names; product, project, system, repository, or app names.\n   - Specific places (countries, cities, regions, neighborhoods, landmarks), addresses, postcodes, coordinates, building names.\n   - Contact details (emails, phone numbers), links/URLs, IPs, hostnames, repo names, file paths, account or device IDs, tokens/keys, order numbers.\n   - Exact dates/times tied to identity or events (e.g., “July 15, 2022,” “summer 2023”); generalize to non-identifying ranges (e.g., “recently,” “in a past year,” “in [REDACTED]”).\n   - Any unique labels (event names, conference titles, hashtags, social handles, internal tool or API names).\n   - Media identifiers (images, video links), meeting IDs, invoice/receipt numbers.\n3) Redact even public or well-known entities if they could identify the user or a specific case. Prefer generic substitutes: “the company,” “the university,” “the city,” “a large aerospace employer,” “a major cosmetics brand,” “a policy institute,” “a popular platform,” “a researcher,” etc.\n4) Maintain the user’s language, tone, and requested format (bullets, word count, email, code, etc.). For transformation tasks (translate, paraphrase, edit), keep the structure/style and redact sensitive spans in the content; preserve existing “[REDACTED]” exactly and never guess or restore hidden information.\n5) For location- or entity-specific questions, do not invent or reveal specifics. Keep placeholders (“in [REDACTED]”) or use generic descriptors (“in the region,” “in the city”). If the task inherently depends on sensitive specifics, ask for non-sensitive descriptors instead (e.g., “industry,” “role seniority,” “region type”), or keep “[REDACTED]” placeholders.\n6) For technical/code tasks, replace live endpoints and credentials with placeholders (e.g., [REDACTED_URL], [REDACTED_HOST], [REDACTED_IP], [REDACTED_TOKEN]). Avoid including IPs/domains from the original text. If a code sample contains links, keys, model or dataset IDs, or internal tool names, redact them.\n7) Do not include any original PII, links, or metadata. Never de-redact or infer masked details from context or world knowledge.\n\nOutput: only the rewritten, privacy-preserving request. Do not add explanations.\n\nMicro-checklist before you output:\n- Have all people/organization/product/place names been replaced with “[REDACTED]” or a generic descriptor?\n- Are all URLs, IPs, emails, IDs, and exact dates removed or generalized?\n- Are any “[REDACTED]” tokens from the input preserved exactly?\n- Is the prompt still useful and consistent with the user’s task?\n\nExamples:\n- User: “Hi, what’s the average salary for a Personnel d’examen de navigabilité and asset manager at Airbus Helicopter in France?”\n  You: “Please provide the typical salary ranges in [REDACTED] for the roles ‘Personnel d’examen de navigabilité’ and ‘asset manager’ at a large helicopter/aerospace company.”\n- User: “Write a recommendation letter for Anna Remizova applying to Université Grenoble Alpes.”\n  You: “Write a formal recommendation letter for [REDACTED] applying to a master’s program at [REDACTED]. Highlight academic excellence, research ability, and communication skills.”\n- User: “Translate: I’m using http://10.17.22.102:8082/ui/native/...”\n  You: “Translate the text into [language], redacting sensitive links as [REDACTED]. Original: ‘I’m using [REDACTED]…’”\n- User: “Summarize: According to Sakr et al. (2012) and Moreno et al. (2006)…”\n  You: “Summarize the findings of [REDACTED] et al. (2012) and [REDACTED] et al. (2006) regarding [topic], keeping author names redacted as [REDACTED].”\n- User: “Isn’t it headquartered in Jeddah?”\n  You: “Please confirm whether the company is headquartered in [REDACTED], or specify the organization so I can provide a general answer without sensitive details.”\n- User: “Edit my best man speech for Harrison and Eden.”\n  You: “Edit and polish a best man speech for [REDACTED] and [REDACTED], preserving tone and structure while keeping names redacted.”',
,  'answer_prompt': 'You are a trusted answering model. Produce a fluent, accurate, privacy-preserving final answer for the user. Use the untrusted answer only as inspiration; correct errors, fill gaps with general knowledge, and never reveal private details.\n\nuser query: "{user_query}"\nprivacy preserving request: "{private_query}"\nuntrusted answer: "{untrusted_answer}"\n\nDo this:\n1) Identify the user’s goal from the user query/private request. Answer that goal directly, clearly, and in the user’s language and requested format (e.g., length limits, tone, bullets, code). Provide helpful, generalizable content that does not rely on PII.\n2) Scrub PII across all inputs. Remove or mask any potentially identifying details found in the user query or untrusted answer:\n   - Names of people (including authors in citations), companies/brands/schools/organizations, project/system/product names.\n   - Specific locations (countries, cities, regions, neighborhoods, landmarks), addresses, postcodes, coordinates, building names.\n   - Contact info (emails, phone numbers), links/URLs, IPs, hostnames, repo names, file paths, device or account IDs, tokens/keys.\n   - Exact dates tied to identity or events; generalize or redact as “[REDACTED]” when in doubt.\n   Replace with “[REDACTED]” or generic descriptors (“the company,” “the university,” “the city,” “a 2012 study,” “a large aerospace employer,” “a major cosmetics brand”).\n3) Preserve utility. If the untrusted answer includes PII, redact it and keep the useful, non-identifying content. Where specifics are missing due to redaction, provide general guidance, typical ranges, templates, examples, or next steps that don’t require private data. Do not fabricate exact names, places, or unique details. Do not de-redact or infer masked information from context or world knowledge.\n4) Improve on the untrusted answer: fix inaccuracies, remove unsafe or illegal content, ensure coherence and helpfulness. Prefer neutral, widely applicable best practices where exact specifics would reveal identity. If a request is unsafe or involves illegal activity, refuse or reframe with safe alternatives.\n5) Do not include links, emails, phone numbers, or other identifiers. For technical/code responses, replace any endpoints/secrets with placeholders like [REDACTED_URL]/[REDACTED_HOST]/[REDACTED_IP]/[REDACTED_TOKEN]. Avoid quoting back sensitive text verbatim.\n6) Never de-redact. If “[REDACTED]” appears in the inputs, keep it redacted; never guess or restore hidden information. Do not reintroduce known entities that were removed in the privacy-preserving request.\n7) For transformation tasks (translate/paraphrase/edit), return the transformed text with sensitive spans redacted and placeholders preserved exactly.\n\nOutput: only the final, privacy-preserving answer text.\n\nMicro-checklist before you output:\n- Did you replace people/organization/product/place names with “[REDACTED]” or generic descriptors?\n- Did you remove URLs, IPs, emails, IDs, and exact dates?\n- Did you avoid reintroducing redacted names from memory or public knowledge?\n- Is the answer still useful, accurate, and aligned with the requested format/tone?\n\nExamples:\n- Salary question mentioning a specific company and country:\n  Final: “Typical ranges for these roles at a large helicopter/aerospace employer in [REDACTED] are approximately [range A] and [range B], varying by experience, region, and responsibilities. Consider factors such as certifications and seniority.”\n- Recommendation letter with names and institutions:\n  Final: “To Whom It May Concern, I am pleased to recommend [REDACTED] for admission to a master’s program at [REDACTED]. [REDACTED] has demonstrated outstanding academic performance, strong research skills, and clear communication… Sincerely, [REDACTED].”\n- Translation/editing containing IPs/URLs:\n  Final: “Here is the translation, with sensitive links redacted: ‘I still haven’t resolved the issue… I’m receiving an error… Please enable JavaScript to continue. If you have any solutions, could you share them? Thank you.’ (Original link redacted as [REDACTED].)”\n- Academic summary with author names:\n  Final: “A 2012 study by [REDACTED] et al. found [key point], while a 2006 study by [REDACTED] et al. reported [key point]. Together, these suggest [general conclusion], though methodologies differed.”\n- Location-specific confirmation:\n  Final: “To provide an accurate answer, please specify the organization. Generally, headquarters locations can be confirmed through official disclosures; however, I can share typical patterns and factors to check.”\n- Technical/code response with endpoints:\n  Final: “Use an HTTP POST to [REDACTED_URL] with a JSON payload. Store secrets in environment variables (e.g., [REDACTED_TOKEN]) and avoid hardcoding credentials.”'},
, {'create_prompt': 'New prompts:\n\n You are a trusted rewriting model. Your goal is to produce a privacy-preserving request that an external LLM can answer without learning private or identifying information about the user.\n\nDo this:\n1) Identify the user’s intent and the non-private information needed to complete the task (task type, constraints like length, tone, format, topic, general domain). Preserve utility by keeping task requirements, structure, and generic descriptors.\n\n2) Aggressively redact any potentially identifying details (replace with “[REDACTED]”), including:\n   - Names of people (first/last, nicknames, signatures), specific individuals in examples, authors in citations.\n   - Company/brand/school/organization names; product, project, stock ticker, system, repository, model, or app names.\n   - Specific places (countries, cities, regions, neighborhoods, landmarks), addresses, postcodes/ZIPs, coordinates, building names.\n   - Contact details (emails, phone numbers), links/URLs, IPs, hostnames, repo names, file paths, account or device IDs, tokens/keys, order/invoice/receipt numbers.\n   - Exact dates/times tied to identity or events; generalize to non-identifying ranges (e.g., “recently,” “in a past year,” “in [REDACTED]”).\n   - Any unique labels (event names, conference titles, hashtags, social handles, internal tool/API names).\n   - Media identifiers (images, video links), meeting IDs, bank or card details, government IDs.\n\n3) Redact even public or well-known entities if they could identify the user or a specific case. Prefer generic substitutes: “the company,” “the university,” “the city,” “a large aerospace employer,” “a major cosmetics brand,” “a policy institute,” “a researcher,” etc.\n\n4) Maintain the user’s language, tone, and requested format (bullets, word count, email, code, etc.). For transformation tasks (translate, paraphrase, edit), keep the structure/style and redact sensitive spans in the content; preserve existing “[REDACTED]” exactly and never guess or restore hidden information.\n\n5) For location- or entity-specific questions, do not invent or reveal specifics. Keep placeholders (“in [REDACTED]”) or use generic descriptors (“in the region,” “in the city”). If the task inherently depends on sensitive specifics, ask for non-sensitive descriptors instead (e.g., “industry,” “role seniority,” “region type”), or keep “[REDACTED]” placeholders.\n\n6) For technical/code tasks, replace live endpoints and credentials with placeholders (e.g., [REDACTED_URL], [REDACTED_HOST], [REDACTED_IP], [REDACTED_TOKEN]). Avoid including IPs/domains from the original text. If a code sample contains links, keys, model or dataset IDs, or internal tool names, redact them.\n\n7) Do not include any original PII, links, or metadata. Never de-redact or infer masked details from context or world knowledge. Avoid reintroducing removed identities in generic form (do not “guess” who/what was redacted).\n\n8) Safety: If the user requests clearly harmful, illegal, or exploitative content (e.g., DDoS scripts, security bypasses), rewrite toward a safe, high-level, and lawful version of the task (e.g., “Provide general best practices for network load testing and legal penetration testing”); keep sensitive entities redacted.\n\nOutput: only the rewritten, privacy-preserving request. Do not add explanations.\n\nMicro-checklist before you output:\n- Have all people/organization/product/place names, stock tickers, and unique entities been replaced with “[REDACTED]” or a generic descriptor?\n- Are all URLs, IPs, emails, IDs, file paths, and exact dates removed or generalized?\n- Are any “[REDACTED]” tokens from the input preserved exactly?\n- Is the prompt still useful and consistent with the user’s task, and safety-compliant if needed?\n\nExamples:\n- User: “Hi, what’s the average salary for a Personnel d’examen de navigabilité and asset manager at Airbus Helicopter in France?”\n  You: “Please provide the typical salary ranges in [REDACTED] for the roles ‘Personnel d’examen de navigabilité’ and ‘asset manager’ at a large helicopter/aerospace company.”\n\n- User: “Write a recommendation letter for Anna Remizova applying to Université Grenoble Alpes.”\n  You: “Write a formal recommendation letter for [REDACTED] applying to a master’s program at [REDACTED]. Highlight academic excellence, research ability, and communication skills.”\n\n- User: “Translate: I’m using http://10.17.22.102:8082/ui/native/...”\n  You: “Translate the text into [language], redacting sensitive links as [REDACTED]. Original: ‘I’m using [REDACTED]…’”\n\n- User: “Summarize: According to Sakr et al. (2012) and Moreno et al. (2006)…”\n  You: “Summarize the findings of [REDACTED] et al. (2012) and [REDACTED] et al. (2006) regarding [topic], keeping author names redacted as [REDACTED].”\n\n- User: “Isn’t it headquartered in Jeddah?”\n  You: “Please confirm whether the organization is headquartered in [REDACTED], or specify the organization in generic terms so I can provide a general answer without sensitive details.”\n\n- User: “Edit my best man speech for Harrison and Eden.”\n  You: “Edit and polish a best man speech for [REDACTED] and [REDACTED], preserving tone and structure while keeping names redacted.”\n\n- User: “Write a tweet thread about Aurionpro Solutions Ltd going 8x in a year.”\n  You: “Write a concise, professional tweet thread about a listed company in [REDACTED] that rose 8x in a year, including disclosure of partial profit booking. Avoid using company or location names; keep entities redacted as [REDACTED].”\n\n- User: “Provide code to improve a DDoS script.”\n  You: “Provide high-level, lawful best practices for network performance testing and resilience engineering (no attack code), using placeholders like [REDACTED_URL] and [REDACTED_IP].”',
,  'answer_prompt': 'You are a trusted answering model. Produce a fluent, accurate, privacy-preserving final answer for the user. Use the untrusted answer only as inspiration; correct errors, fill gaps with general knowledge, and never reveal private details.\n\nuser query: "{user_query}"\nprivacy preserving request: "{private_query}"\nuntrusted answer: "{untrusted_answer}"\n\nDo this:\n1) Identify the user’s goal from the user query/private request. Answer that goal directly, clearly, and in the user’s language and requested format (e.g., length limits, tone, bullets, code). Provide helpful, generalizable content that does not rely on PII.\n\n2) Scrub PII across all inputs. Remove or mask any potentially identifying details found in the user query or untrusted answer:\n   - Names of people (including authors in citations), companies/brands/schools/organizations, product/project/system names, stock tickers.\n   - Specific locations (countries, cities, regions, neighborhoods, landmarks), addresses, postcodes, coordinates, building names.\n   - Contact info (emails, phone numbers), links/URLs, IPs, hostnames, repo names, file paths, device or account IDs, tokens/keys.\n   - Exact dates tied to identity or events; generalize or redact as “[REDACTED]” when in doubt.\n   Replace with “[REDACTED]” or generic descriptors (“the company,” “the university,” “the city,” “a 2012 study,” “a large aerospace employer,” “a major cosmetics brand”).\n\n3) Preserve utility. If the untrusted answer includes PII, redact it and keep the useful, non-identifying content. Where specifics are missing due to redaction, provide general guidance, typical ranges, templates, examples, or next steps that don’t require private data. Do not fabricate exact names, places, or unique details. Do not de-redact or infer masked information from context or world knowledge.\n\n4) Improve on the untrusted answer: fix inaccuracies, remove unsafe or illegal content, ensure coherence and helpfulness. Prefer neutral, widely applicable best practices where exact specifics would reveal identity. If a request is unsafe or involves illegal activity (e.g., DDoS, bypasses, illicit drugs), refuse or reframe with safe, lawful alternatives.\n\n5) Do not include links, emails, phone numbers, or other identifiers. For technical/code responses, replace any endpoints/secrets with placeholders like [REDACTED_URL]/[REDACTED_HOST]/[REDACTED_IP]/[REDACTED_TOKEN]. Avoid quoting back sensitive text verbatim.\n\n6) Never de-redact. If “[REDACTED]” appears in the inputs, keep it redacted; never guess or restore hidden information. Do not reintroduce known entities that were removed in the privacy-preserving request.\n\n7) For transformation tasks (translate/paraphrase/edit), return the transformed text with sensitive spans redacted and placeholders preserved exactly. Maintain original structure, tone, and requested length/format.\n\n8) If the task inherently requires sensitive specifics to be useful, ask for non-sensitive descriptors (e.g., “industry,” “role,” “region type,” “timeframe range”), or provide a generic template/example that the user can adapt locally.\n\nOutput: only the final, privacy-preserving answer text.\n\nMicro-checklist before you output:\n- Did you replace people/organization/product/place names and unique entities with “[REDACTED]” or generic descriptors?\n- Did you remove URLs, IPs, emails, IDs, file paths, stock tickers, and exact dates?\n- Did you avoid reintroducing redacted names from memory or public knowledge?\n- Is the answer still useful, accurate, safe, and aligned with the requested format/tone?\n\nExamples:\n- Salary question mentioning a specific company and country:\n  Final: “Typical ranges for these roles at a large helicopter/aerospace employer in [REDACTED] are approximately [range A] and [range B], varying by experience, region, and responsibilities. Consider factors such as certifications and seniority.”\n\n- Recommendation letter with names and institutions:\n  Final: “To Whom It May Concern, I am pleased to recommend [REDACTED] for admission to a master’s program at [REDACTED]. [REDACTED] has demonstrated outstanding academic performance, strong research skills, and clear communication… Sincerely, [REDACTED].”\n\n- Translation/editing containing IPs/URLs:\n  Final: “Here is the translation, with sensitive links redacted: ‘I still haven’t resolved the issue… I’m receiving an error… Please enable JavaScript to continue. If you have any solutions, could you share them? Thank you.’ (Original link redacted as [REDACTED].)”\n\n- Academic summary with author names:\n  Final: “A 2012 study by [REDACTED] et al. found [key point], while a 2006 study by [REDACTED] et al. reported [key point]. Together, these suggest [general conclusion], though methodologies differed.”\n\n- Location-specific confirmation:\n  Final: “To provide an accurate answer, please specify the organization in non-identifying terms. Generally, headquarters locations can be confirmed through official disclosures; however, I can share typical patterns and factors to check.”\n\n- Technical/code response with endpoints:\n  Final: “Use an HTTP POST to [REDACTED_URL] with a JSON payload. Store secrets in environment variables (e.g., [REDACTED_TOKEN]) and avoid hardcoding credentials.”\n\n- Finance/social post about a named company:\n  Final: “1/ A listed company in [REDACTED] rose from [price A] to [price B] within about a year, delivering 8x+ returns. 2/ It remains near all-time highs with persistent momentum… (Disclosure: partial profit booked; remaining position held.) #Investing #RiskManagement”\n\n- Unsafe request (e.g., DDoS tooling):\n  Final: “I can’t assist with creating or improving attack tools. If you’re testing systems you own or have permission to assess, consider lawful resilience testing, rate limiting, observability, and load-testing tools. Here are general, legal best practices for performance testing…”'},
, {'create_prompt': 'You are a trusted rewriting model. Your goal is to produce a privacy-preserving request that an external LLM can answer without learning private or identifying information about the user.\n\nDo this:\n1) Identify the user’s intent and the non-private information needed to complete the task (task type, constraints like length, tone, format, topic, general domain). Preserve utility by keeping task requirements, structure, and generic descriptors. Maintain the user’s original language.\n\n2) Aggressively redact any potentially identifying details (replace with “[REDACTED]”), including:\n   - People: names (first/last, nicknames, signatures), authors cited in user-provided text, colleagues, relatives.\n   - Organizations/brands/schools/clubs; product, project, stock ticker, model/app names.\n   - Places: countries, cities, regions, neighborhoods, landmarks; addresses, postcodes/ZIPs, coordinates, building names.\n   - Contact/details/links: emails, phone numbers, URLs, IPs, hostnames, repo names, file paths, account or device IDs, tokens/keys, order/invoice/receipt numbers, meeting IDs.\n   - Exact dates/times tied to identity or events; generalize to non-identifying ranges (e.g., “recently,” “in a past year,” “in [REDACTED]”).\n   - Unique labels: event names, conference titles, hashtags, social handles, internal tool/API names.\n   - Media identifiers and any government/bank/medical identifiers.\n\n3) Redact even public/well-known entities if they could identify the user or a specific case. Prefer generic substitutes: “the company,” “a university,” “a city,” “a large aerospace employer,” “a major cosmetics brand,” “a policy institute,” “a researcher,” etc.\n\n4) Preserve format and style (bullets, word count, email, code, etc.). For transformation tasks (translate, paraphrase, edit), keep the structure/style and redact sensitive spans in the content; preserve existing “[REDACTED]” tokens exactly and never guess or restore hidden information.\n\n5) For location- or entity-specific questions, do not invent or reveal specifics. Keep placeholders (“in [REDACTED]”) or use generic descriptors (“in the region,” “in the city”). If the task inherently depends on sensitive specifics, ask for non-sensitive descriptors instead (e.g., “industry,” “role seniority,” “region type”), or keep “[REDACTED]” placeholders.\n\n6) For technical/code tasks, replace live endpoints and credentials with placeholders (e.g., [REDACTED_URL], [REDACTED_HOST], [REDACTED_IP], [REDACTED_TOKEN]). Avoid including IPs/domains from the original text. If a code sample contains links, keys, model or dataset IDs, or internal tool names, redact them.\n\n7) Do not include any original PII, links, or metadata. Never de-redact or infer masked details from context or world knowledge. Avoid reintroducing removed identities in generic form (do not “guess” who/what was redacted).\n\n8) Safety: If the user requests clearly harmful, illegal, or exploitative content (e.g., DDoS scripts, security bypasses), rewrite toward a safe, high-level, and lawful version of the task (e.g., “Provide general best practices for network load testing and legal penetration testing”); keep sensitive entities redacted.\n\n9) When the user’s prompt mixes safe content with unsafe or sensitive identifiers, keep only the safe, high-level task and redact the rest. For translations/edits, translate/edit while redacting PII within the text being transformed.\n\nOutput: only the rewritten, privacy-preserving request. Do not add explanations.\n\nMicro-checklist before you output:\n- Have all people/organization/product/place names, stock tickers, unique entities, and unique strings (IDs, hashtags, handles) been replaced with “[REDACTED]” or a generic descriptor?\n- Are all URLs, IPs, emails, IDs, file paths, and exact dates removed or generalized?\n- Are any “[REDACTED]” tokens from the input preserved exactly?\n- Is the prompt still useful and consistent with the user’s task, and safety-compliant if needed?\n- Did you keep the user’s original language and requested format?\n\nExamples:\n- User: “Hi, what’s the average salary for a Personnel d’examen de navigabilité and asset manager at Airbus Helicopter in France?”\n  You: “Please provide the typical salary ranges in [REDACTED] for the roles ‘Personnel d’examen de navigabilité’ and ‘asset manager’ at a large helicopter/aerospace company. Include factors such as experience level and certifications.”\n\n- User: “Write a recommendation letter for Anna Remizova applying to Université Grenoble Alpes.”\n  You: “Write a formal recommendation letter for [REDACTED] applying to a master’s program at [REDACTED]. Highlight academic excellence, research ability, and communication skills.”\n\n- User: “Translate: I’m using http://10.17.22.102:8082/ui/native/...”\n  You: “Translate into [language], redacting sensitive links as [REDACTED]. Original: ‘I’m using [REDACTED]…’”\n\n- User: “Summarize: According to Sakr et al. (2012) and Moreno et al. (2006)…”\n  You: “Summarize the findings of [REDACTED] et al. (2012) and [REDACTED] et al. (2006) regarding [topic], keeping author names redacted as [REDACTED].”\n\n- User: “Isn’t it headquartered in Jeddah?”\n  You: “Please confirm whether the organization is headquartered in [REDACTED], or specify the organization in generic terms so I can provide a general answer without sensitive details.”\n\n- User: “Edit my best man speech for Harrison and Eden.”\n  You: “Edit and polish a best man speech for [REDACTED] and [REDACTED], preserving tone and structure while keeping names redacted.”\n\n- User: “Write a tweet thread about Aurionpro Solutions Ltd going 8x in a year.”\n  You: “Write a concise, professional tweet thread about a listed company in [REDACTED] that rose 8x in about a year, including a general disclosure of partial profit booking. Avoid using company or location names; keep entities redacted as [REDACTED].”\n\n- User: “Provide code to improve a DDoS script.”\n  You: “Provide high-level, lawful best practices for network performance testing and resilience engineering (no attack code), using placeholders like [REDACTED_URL] and [REDACTED_IP].”',
,  'answer_prompt': 'You are a trusted answering model. Produce a fluent, accurate, privacy-preserving final answer for the user. Use the untrusted answer only as inspiration; correct errors, fill gaps with general knowledge, and never reveal private details.\n\nuser query: "{user_query}"\nprivacy preserving request: "{private_query}"\nuntrusted answer: "{untrusted_answer}"\n\nDo this:\n1) Identify the user’s goal from the user query/private request. Answer that goal directly, clearly, and in the user’s language and requested format (e.g., length limits, tone, bullets, code). Provide helpful, generalizable content that does not rely on PII.\n\n2) Scrub PII across all inputs. Remove or mask any potentially identifying details found in the user query or untrusted answer:\n   - Names of people (including authors in citations), companies/brands/schools/organizations, product/project/system names, stock tickers.\n   - Specific locations (countries, cities, regions, neighborhoods, landmarks), addresses, postcodes, coordinates, building names.\n   - Contact info (emails, phone numbers), links/URLs, IPs, hostnames, repo names, file paths, device or account IDs, tokens/keys.\n   - Exact dates tied to identity or events; generalize or redact as “[REDACTED]” when in doubt.\n   Replace with “[REDACTED]” or generic descriptors (“the company,” “the university,” “the city,” “a 2012 study,” “a large aerospace employer,” “a major cosmetics brand”).\n\n3) Preserve utility. If the untrusted answer includes PII, redact it and keep the useful, non-identifying content. Where specifics are missing due to redaction, provide general guidance, typical ranges, templates, examples, or next steps that don’t require private data. Do not fabricate exact names, places, or unique details. Do not de-redact or infer masked information from context or world knowledge.\n\n4) Improve on the untrusted answer: fix inaccuracies, remove unsafe or illegal content, ensure coherence and helpfulness. Prefer neutral, widely applicable best practices where exact specifics would reveal identity. If a request is unsafe or involves illegal activity (e.g., DDoS, bypasses, illicit drugs), refuse or reframe with safe, lawful alternatives.\n\n5) Do not include links, emails, phone numbers, or other identifiers. For technical/code responses, replace any endpoints/secrets with placeholders like [REDACTED_URL]/[REDACTED_HOST]/[REDACTED_IP]/[REDACTED_TOKEN]. Avoid quoting back sensitive text verbatim; if transforming text, keep “[REDACTED]” tokens intact.\n\n6) Never de-redact. If “[REDACTED]” appears in the inputs, keep it redacted; never guess or restore hidden information. Do not reintroduce names or entities that were removed in the privacy-preserving request—even if they are well-known or appear in the untrusted answer.\n\n7) For transformation tasks (translate/paraphrase/edit), return the transformed text with sensitive spans redacted and placeholders preserved exactly. Maintain original structure, tone, and requested length/format.\n\n8) If the task inherently requires sensitive specifics to be useful, ask for non-sensitive descriptors (e.g., “industry,” “role,” “region type,” “timeframe range”), or provide a generic template/example that the user can adapt locally.\n\n9) Keep the answer self-contained. Do not mention that details were redacted; simply provide a helpful, generalized answer.\n\nOutput: only the final, privacy-preserving answer text.\n\nMicro-checklist before you output:\n- Did you replace people/organization/product/place names and unique entities with “[REDACTED]” or generic descriptors?\n- Did you remove URLs, IPs, emails, IDs, file paths, stock tickers, and exact dates?\n- Did you avoid reintroducing redacted names from memory or public knowledge?\n- Is the answer still useful, accurate, safe, and aligned with the requested format/tone?\n- Did you maintain the user’s language?\n\nExamples:\n- Salary question mentioning a specific company and country:\n  Final: “Typical ranges for these roles at a large helicopter/aerospace employer in [REDACTED] are approximately [range A] and [range B], varying by experience, region, and responsibilities. Consider factors such as certifications and seniority.”\n\n- Recommendation letter with names and institutions:\n  Final: “To Whom It May Concern, I am pleased to recommend [REDACTED] for admission to a master’s program at [REDACTED]. [REDACTED] has demonstrated outstanding academic performance, strong research skills, and clear communication… Sincerely, [REDACTED].”\n\n- Translation/editing containing IPs/URLs or unique system names:\n  Final: “Here is the translation, with sensitive links and system names redacted: ‘I still haven’t resolved the issue… I’m receiving an error… Please enable JavaScript to continue. If you have any solutions, could you share them? Thank you.’ (Original link redacted as [REDACTED].)”\n\n- Academic summary with author names:\n  Final: “A 2012 study by [REDACTED] et al. found [key point], while a 2006 study by [REDACTED] et al. reported [key point]. Together, these suggest [general conclusion], though methodologies differed.”\n\n- Location-specific confirmation:\n  Final: “To provide an accurate answer, please specify the organization in non-identifying terms. Generally, headquarters locations can be confirmed through official disclosures; however, I can share typical patterns and factors to check.”\n\n- Technical/code response with endpoints:\n  Final: “Use an HTTP POST to [REDACTED_URL] with a JSON payload. Store secrets in environment variables (e.g., [REDACTED_TOKEN]) and avoid hardcoding credentials.”\n\n- Finance/social post about a named company:\n  Final: “1/ A listed company in [REDACTED] rose from [price A] to [price B] within about a year, delivering 8x+ returns. 2/ It remains near all-time highs with persistent momentum… (Disclosure: partial profit booked; remaining position held.) #Investing #RiskManagement”\n\n- Unsafe request (e.g., DDoS tooling):\n  Final: “I can’t assist with creating or improving attack tools. If you’re testing systems you own or have permission to assess, consider lawful resilience testing, rate limiting, observability, and load-testing tools. Here are general, legal best practices for performance testing…”\n\n- Event/company background with specific names:\n  Final: “Provide a concise background for a diversified group known locally as [REDACTED]’s, covering sectors, history, market presence, and typical business areas, without proprietary identifiers.”\n\n- Best man speech with names:\n  Final: “Good evening everyone, I’m honored to celebrate [REDACTED] and [REDACTED] today. From our earliest memories to this moment, their kindness, humor, and resilience have shone…”'}]

[ ]