Filtrum-Safety: LLM-Agnostic RAG for Reducing Legal Hallucinations in Civil-Law Contexts

Uriel Ismael Guadalupe Ramirez Andrade, Peña Martínez Diego David, Cadena Alfaro Tadeo

Filtrum-Safety is an LLM-agnostic RAG tool that helps reduce legal hallucinations and jurisdictional confusion in civil-law contexts. The system lets users upload multiple legal documents, converts them into chunks and embeddings, retrieves the most relevant fragments through cosine similarity, and exports a traceable Markdown file that can be used as context in any LLM. In preliminary tests with Mexican legal documents, Filtrum-Safety improved document grounding, verifiability, and jurisdictional control compared with direct LLM prompting.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Filtrum-Safety se ocupa de un riesgo especialmente delicado en el uso de modelos de lenguaje para tareas jurídicas: la generación de respuestas legales con apariencia de certeza, pero sin soporte normativo verificable. Este riesgo es particularmente sensible en sistemas de tradición civilista, como los latinoamericanos, donde el razonamiento jurídico depende de códigos, leyes escritas, jurisprudencia, reglas de competencia y jurisdicción aplicable. En ese contexto, el valor del proyecto está en reducir la dependencia de la memoria interna del modelo y ofrecer una capa de apoyo basada en documentos recuperados, fuentes trazables y contexto verificable.

Un mérito importante del trabajo es su prudencia: no presenta la herramienta como una solución que elimina las alucinaciones, sino como un mecanismo para reducir su superficie al separar la recuperación documental de la generación de texto y mantener la supervisión humana como necesaria. Esa delimitación es clave, porque el aporte más sólido del proyecto no está en sustituir el criterio profesional, sino en hacer más verificable, auditable y controlable el uso de IA en razonamientos legales.

También conviene situar el aporte frente a lo que ya existe. El uso de RAG para anclar respuestas en documentos recuperados no es nuevo, y el RAG legal ya es un campo activo. La contribución distintiva de Filtrum-Safety parece estar más en su aplicación a sistemas jurídicos de tradición civilista en español, en la portabilidad del Markdown trazable y en la separación entre recuperación y generación, que en el método técnico por sí solo.

La ejecución todavía necesita fortalecerse. La arquitectura es clara y el enfoque es útil, pero la validación se apoya esencialmente en un único caso evaluado con la matriz del propio equipo, sin permitir inferencia estadística, algo que el mismo trabajo reconoce. El chequeo complementario con varios modelos es ilustrativo, pero también cualitativo. Una versión más robusta debería probar el sistema con más casos y en condiciones adversas: corpus incompletos, fuentes desactualizadas, normas derogadas o modificadas, documentos de distintas jurisdicciones y fragmentos semánticamente relevantes pero jurídicamente insuficientes.

Desde la perspectiva de gobernanza, rendición de cuentas, auditoría y supervisión humana, el proyecto podría fortalecerse explicando con mayor detalle cómo se controla el ciclo de vida del conocimiento jurídico que alimenta la herramienta. En un sistema basado en recuperación documental, la seguridad no depende solo de que el modelo cite fragmentos, sino de que exista claridad sobre quién selecciona y valida los documentos, cómo se verifica su vigencia y jurisdicción, cómo se gestionan normas derogadas o modificadas, qué registro queda de las fuentes utilizadas, qué límites de uso se establecen y cómo se protege la información sensible.

En últimas, la trazabilidad documental mejora la verificabilidad, pero no reemplaza la gobernanza del corpus, la auditoría del proceso, la supervisión humana ni la responsabilidad profesional del abogado o funcionario que interpreta y utiliza la salida del sistema.

Clear engagement with a real gap in the field. The threat model, an LLM confidently mixing Common Law categories into a civil-law answer or citing authorities that don't exist, is well chosen, and the supplemental check across Claude, Gemini, and DeepSeek is a genuine strength, since it shows the retrieval layer changes model behavior across three different interfaces rather than just the one the team built around.

One area I think you can take this further is positioning against the closest prior work. Lima already proposes multilayer embeddings for legal text and LegalGraphRAG already does structured retrieval for legal reasoning, so what does Filtrum-Safety add beyond model-agnostic Markdown export? A single sentence naming that explicitly would change how the contribution reads.

There's also a deeper issue worth resolving, and it goes beyond a typo. The paper states the prototype used jina-embeddings-v2-base-es for its Spanish orientation, but the repository's EmbeddingConfig instantiates AllMiniLmL6V2QuantizedEmbeddingModel instead. The paper also describes chunking that "respects legal boundaries such as articles, subsections, or sections," but ChunkingService.java splits purely by sentence boundary and character count, with no legal-structure detection at all. These two are confirmed directly against the code in the repository.

On top of that, the video walkthrough states a 55% similarity threshold, which matches the default in application.yml, while the paper and its own Figure 4 state 0.65; this third point is based on the paper's own text rather than a direct code check, so it's worth the team double-checking which value the demo actually ran with.

None of these look intentional, but together they mean at least two, and possibly three, methodological claims in the paper don't match what the code actually does, which puts the 427-chunk count and the headline 10/10 score on uncertain footing.

The evaluation itself also rests on a single self-graded case, and the most useful next step is small: the team already collected three more model outputs in the supplemental check, so scoring those with the same matrix would turn one data point into four. The title also promises civil-law contexts broadly while the corpus is entirely Mexican; narrowing it would match what was actually tested.

Overall, a working prototype with a useful cross-model check, built by a team that clearly understands the problem they're trying to solve. Before the quantitative results can carry much weight, though, it would help to align the paper's description with the current state of the code, particularly around the embedding model, the chunking approach, and the similarity threshold used in the demo.

The instinct here is right: civil-law users get LLMs that invent citations and smuggle in Common Law categories, and forcing the answer to start from documents the user actually uploaded is a sane way to shrink that surface. The build is real, the Markdown export is genuinely useful (LLM-agnostic, and it sidesteps free-tier upload caps), and the cross-model check is the best thing in the paper. DeepSeek saying "this context isn't enough" is exactly the behavior you want, and it's real signal. One thing you underplay: your strongest asset is the regional angle you treat in passing. You've got a specific, underserved jurisdiction (Mexican civil law, a real amparo query, federal-versus-Jalisco sources), and that's exactly where English-built legal AI fails Latam users, but the paper reaches for "any document-intensive domain, health, education, engineering" instead of planting a flag there.

Lead with the civil-law Global South stake, don't bury it under multidomain ambition. Where this has to grow is evidence, because right now it's one query, one corpus, scored by a five-criterion matrix you built and then handed your own tool a 10/10 on, and a perfect score for your own system on your own rubric on a single case reads as a demo with numbers, not proof. You say n=1 yourself. Three moves fix it: run 20-30 queries with a blind scorer who doesn't know which output came from Filtrum, measure the retrieval itself (are the pulled chunks actually the right articles, precision and recall on those 427) since that's the part safety rests on, and add a real failure case where retrieval misses or the LLM ignores the context, because a tool that only shows its wins is hard to trust. The idea deserves that test, and the build is far enough along to run it. Tighten the evidence, lean into the Latam stake, and this is something a law school clinic in Mexico could actually pick up.

Cite this work

@misc {

title={

(HckPrj) Filtrum-Safety: LLM-Agnostic RAG for Reducing Legal Hallucinations in Civil-Law Contexts

},

author={

Uriel Ismael Guadalupe Ramirez Andrade, Peña Martínez Diego David, Cadena Alfaro Tadeo

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.