# Lecture 4: Software Engineering Applied to LLMs
* **Created by:** Eric Martinez
* **For:** Software Engineering 2
* **At:** University of Texas Rio-Grande Valley

## Quality and Performance Issues

* Applications depend on external APIs which has issues with flakiness and pricing, how do we avoid hitting APIs in testing?
* Responses may not be correct or accurate, how do we increase confidence in result?
* Responses may be biased or unethical or unwanted output, how do we stop this type of output?
* User requests could be unethical or unwanted input, how do we filter this type of input?


## Prototyping
* Develop prompt prototypes early when working with customers or stakeholders, it is fast and cheap to test that the idea will work.
* Test against realistic examples, early. Fail fast and iterate quickly.
* Make a plan for how you will source dynamic data. If there is no path, the project is dead in the water.

## Testing
* Unit test prompts using traditional methods to increase confidence.
* Unit test your prompts using LLMs to increase confidence.
* Write tests that handle API errors or bad output (malformed, incorrect, unethical).
* Use 'mocking' in integration tests to avoid unnecessary calls to APIs, flakiness, and unwanted charges.

## Handling Bad Output
* Develop 'retry' mechanisms when you get unwanted output.
* Develop specific prompts for different 'retry' conditions. Include the context, what went wrong, and what needs to be fixed.
* Consider adding logging to your app to keep track of how often your app gets bad output.

## Template Languages and Version Control
* Consider writing your prompt templates in dynamic template languages like ERB, Handlebars, etc.
* Keep prompt templates and prompts in version control in your app's repo.
* Write tests for handling template engine errors.

## Prompt Injection/Leakage
* User-facing prompts should be tested against prompt injection attacks
* Validate input at the UI and LLM level
* Consider using an LLM to check if an output is similar to the prompt
* Have mechanisms for anomaly detection and incident response

## Security
* **Do not:** store API keys in application code as strings, encrypted or not.
* **Do not:** store API keys in compiled binaries distributed to users.
* **Do not:** store API keys in metadeta files bundled with your application.
* **Do:** create an intermediate web app (or API) with authentication/authorization that delegates requests to LLMs at run-time for use in front-end applications
* **Do:** if your front-end application does not have user accounts, consider implementing guest or anonymous accounts and expiring or rotating keys
* **Do:** when allowing LLMs to use tools, consider designing systems to pass-through user ids to tools so that they tools operate at the same level of access as the end-user