PRACTICAL GUIDE / query rewriting evaluation for RAG

Evaluating Query Rewriting Before and After Retrieval

Evaluate RAG query rewrites with paired retrieval runs, intent checks, tenant-safe authorization filters, slice analysis, and evidence-based rollout gates.

By The Testing AcademyUpdated July 11, 20269 min read
All field guides
In this guide10 sections
  1. Define the Evaluation Unit Before Running Retrieval
  2. Build Cases Around Intent-Preserving Transformations
  3. Keep Tenant Authorization Outside the Rewrite
  4. Compare Retrieval Before Comparing Answers
  5. Score Intent Preservation With Layered Oracles
  6. Run Ablations That Isolate Policy Choices
  7. Inspect Slices and Conflict Cases
  8. Model the Failures You Expect in Production
  9. Operational Checklist
  10. Action Plan: Ship a Rewrite Policy With Evidence

What you will learn

  • Define the Evaluation Unit Before Running Retrieval
  • Build Cases Around Intent-Preserving Transformations
  • Keep Tenant Authorization Outside the Rewrite
  • Compare Retrieval Before Comparing Answers

Query rewriting is valuable only when it retrieves better evidence for the user's actual request. A smoother-looking query is not the objective. The test target is a policy that decides whether to keep the original, use one rewrite, issue several variants, or stop because the transformation changed meaning or security scope.

Evaluate that policy with paired runs. Hold the corpus, index, retriever settings, and trusted authorization context constant; vary only the query sent to retrieval. This makes gains attributable to rewriting and exposes regressions that an end-to-end answer score can conceal.

Define the Evaluation Unit Before Running Retrieval

Treat one unit as the original request, its trusted context, candidate rewrites, retrieval outputs, and relevance judgments. The LangChain retrieval overview separates retrievers from the surrounding RAG workflow and describes query enhancement as a hybrid RAG step. That boundary is useful for testing because it lets the team inspect retrieval before generation adds another source of variation.

Record user intent as constraints rather than as a reference sentence. A support query such as "Which retention rule applies to our EU workspace after renewal?" contains jurisdiction, tenant, lifecycle event, and requested policy type. A rewrite that preserves the topic but drops "our" or "after renewal" is not equivalent.

Animated field map

Paired Query Rewrite Evaluation

Original intent stays attached while rewrite candidates retrieve in parallel and earn a policy decision from paired evidence.

  1. 01 / original query

    Original Query

    Capture user wording, trusted tenant context, and protected intent constraints.

  2. 02 / rewrite candidates

    Rewrite Candidates

    Generate zero or more transformations with provenance and policy version.

  3. 03 / parallel retrieval

    Parallel Retrieval

    Run original and rewrites against one frozen index and authorization filter.

  4. 04 / paired scores

    Intent and Recall Scores

    Compare relevance gains, losses, constraint preservation, and forbidden hits.

  5. 05 / rewrite policy

    Rewrite Policy

    Keep, reject, combine, or fall back using slice-aware release rules.

Build Cases Around Intent-Preserving Transformations

Create cases from production-shaped queries, known retrieval misses, abbreviations, conversational follow-ups, multilingual wording, and underspecified requests. For each case, label facts that a valid rewrite may add, facts it must preserve, and assumptions it must not invent. Link every transformed query to its original family so variants do not inflate the apparent sample size.

Include a no-rewrite control. Without it, the experiment can select the least bad rewrite even when the original query performs better. Also include deliberately harmful candidates: changed dates, negated terms, broader entities, missing product names, and injected document identifiers. These mutants test whether the selector recognizes semantic damage.

A compact fixture can make those obligations reviewable:

JSON
{
  "caseId": "renewal-policy-014",
  "original": "Which retention rule applies to our EU workspace after renewal?",
  "mustPreserve": ["tenant", "EU", "after renewal", "retention rule"],
  "allowedExpansion": ["data retention", "contract renewal"],
  "forbiddenAssumptions": ["consumer account", "US region"],
  "relevantChunkIds": ["policy-eu-17", "renewal-terms-4"]
}

Keep Tenant Authorization Outside the Rewrite

Permission-aware RAG requires two independent inputs: semantic query text and a trusted authorization filter. Never ask a rewriter to reproduce tenant IDs, role scopes, ACLs, or allowed document sets in natural language. The application should derive those values from authenticated request context and pass the same filter to every retrieval branch.

Test with neighboring tenants that have confusingly similar documents. Give Tenant A and Tenant B near-duplicate policy titles, shared product vocabulary, and unique canary phrases. A rewrite succeeds only if it improves authorized retrieval without returning any chunk that fails the principal's access check. Also test stale ACL caches, removed group membership, missing tenant context, and a forged tenant name inside the user prompt.

Security assertions are vetoes. A candidate with excellent relevance and one unauthorized hit is not a net improvement. The failure is in retrieval scope even if the generator later ignores the leaked chunk.

Compare Retrieval Before Comparing Answers

Run the original and rewritten query over the same index snapshot with identical top-k, hybrid weights, reranker, filters, and timeout budget. Capture ranked chunk IDs, document versions, raw scores, filter decisions, and retrieval errors. If approximate search is used, repeat paired branches in an interleaved order so infrastructure drift does not consistently favor one side.

Measure judged recall, precision at the consumption depth, first relevant rank, forbidden-hit count, and evidence sufficiency. The Ragas metric catalog lists context precision, context recall, response relevancy, and faithfulness as separate concerns. Use that separation as a reminder that a better answer score does not identify where a rewrite helped.

Compare per-query deltas, not only aggregate means. Ten small wins must not silently offset one severe loss on a regulatory or cross-tenant slice. Preserve retrieval failures and empty results as first-class outcomes instead of converting them to zero-length context and losing the cause.

Score Intent Preservation With Layered Oracles

Use deterministic checks for explicit entities, dates, negation, locale, product, and requested output constraints. Use a narrowly calibrated semantic grader only for obligations that cannot be parsed reliably. Give the grader the original, rewrite, protected constraints, and a three-way output of preserved, changed, or uncertain; do not force uncertainty into a pass.

The selection function should reject first and rank second:

TypeScript
type RewriteEvidence = {
  intent: "preserved" | "changed" | "uncertain";
  forbiddenHits: number;
  relevantFound: number;
  relevantExpected: number;
};

export function eligible(candidate: RewriteEvidence): boolean {
  if (candidate.intent !== "preserved") return false;
  if (candidate.forbiddenHits !== 0) return false;
  return candidate.relevantFound > 0 && candidate.relevantExpected > 0;
}

Keep grader development examples separate from the evaluation set. Review false-preserved and false-changed decisions by slice, because the cost of accepting semantic drift differs from the cost of rejecting a harmless paraphrase.

Run Ablations That Isolate Policy Choices

Evaluate at least four branches: original only, unconditional single rewrite, original plus rewrite, and selector-controlled rewriting. If the production design uses decomposition or multi-query expansion, add those as separate branches. This reveals whether gains come from the transformation itself, extra retrieval budget, rank fusion, or the selector.

Match total retrieval budgets when comparing policies. A five-query expansion should not be credited solely for searching five times as many candidates unless that added cost is part of the intended tradeoff. Log latency and downstream context size, but avoid turning them into universal limits.

For an illustrative local gate, a team might require zero authorization violations, no confirmed intent changes in critical slices, and a positive paired recall delta whose uncertainty interval excludes its tolerated regression boundary. Those thresholds are examples to calibrate against business risk, not model facts.

Inspect Slices and Conflict Cases

Break results down by short versus conversational queries, follow-ups requiring chat context, explicit identifiers, locale, language, negation, time qualifiers, acronym density, tenant size, and document ACL shape. Query rewriting often helps one ambiguity class while harming already-specific requests, so one global enablement flag can be too coarse.

Create conflict cases where two plausible rewrites emphasize different interpretations. The correct policy may retrieve both branches and abstain from choosing, ask for clarification, or keep the original. Labeling only one rewrite as canonical punishes legitimate ambiguity handling and encourages premature certainty.

Inspect retrieval overlap as diagnostic evidence, not as a quality score. Low overlap can be beneficial when the original missed the right evidence; high overlap can still contain the wrong chunks. Human review should see the query pair, protected constraints, ranked evidence, and authorization decisions together.

Model the Failures You Expect in Production

The main failure classes are semantic drift, scope broadening, lost qualifiers, fabricated specificity, context leakage from conversation history, cross-tenant retrieval, rewrite loops, and budget exhaustion. Add infrastructure cases too: one branch times out, the index version changes mid-run, the reranker fails, or the authorization service returns an indeterminate decision.

Specify fallback behavior for every class. An unavailable rewrite service may fall back to original retrieval; a missing authorization context must fail closed; conflicting high-quality rewrites may trigger clarification. Do not let an exception path silently remove filters or switch to an unrestricted index.

Tradeoffs should remain visible. Multi-query retrieval may increase coverage and cost, while strict intent vetoes can reject useful expansions. A conservative selector may protect high-risk traffic but leave recall gains unrealized. Report each outcome rather than compressing safety, quality, and latency into one opaque score.

Operational Checklist

  • Freeze the corpus, index, retriever configuration, and authorization policy version.
  • Store original and rewritten queries under one family identifier.
  • Label protected constraints, permitted expansions, and forbidden assumptions.
  • Include original-only and no-rewrite controls.
  • Apply trusted tenant and ACL filters identically to every branch.
  • Capture ranked chunk IDs, document versions, filter verdicts, and errors.
  • Score retrieval and intent before running answer generation.
  • Treat unauthorized hits and confirmed intent changes as vetoes.
  • Compare paired deltas by risk and query slice.
  • Test timeout, stale policy, missing identity, and partial-branch failures.

Action Plan: Ship a Rewrite Policy With Evidence

Start with one failure-rich query family, such as acronym expansion or conversational follow-ups. Freeze a labeled corpus and build original-only, unconditional-rewrite, and selector-controlled branches. Add tenant twins and forged-scope prompts before tuning the selector, then review every intent change and forbidden hit.

Choose rollout rules from paired slice evidence. Enable rewriting first where it improves relevant retrieval without weakening constraints, preserve the original path as a measured fallback, and shadow uncertain slices until adjudication is stable. Promote the policy only when its trace explains which rewrite was used, which trusted filters were applied, and why the selected evidence was allowed.

// LIVE COURSE / THE TESTING ACADEMY

AI Tester Blueprint

Master GenAI, AI Agents, MCP, RAG, CrewAI. Build 23+ real AI projects.

From the instructor behind this guide.

AI testing roles are up 180% and pay 12-22 LPA. 12+ weeks / 65+ live hrs / Sat-Sun 8:30 AM IST.

Code PROMODE / 10% offJoin the batch

The Testing Academy editorial desk

Practical QA guidance built around test evidence, production tradeoffs, and interview-ready explanations.

Published July 11, 2026 / Reviewed July 11, 2026

PRIMARY REFERENCES

Verify the details at the source

QABattle guides are practical explanations. Product behavior, standards, and APIs can change, so use these primary references for the canonical details.

  1. 01
    Evaluation best practices

    OpenAI

    Official guidance for task-specific datasets, graders, evaluation design, and continuous iteration.

  2. 02
    Retrieval documentation

    LangChain

    Official retrieval pipeline concepts covering indexing, retrieval, and generation boundaries.

  3. 03
    Ragas metric reference

    Ragas

    Primary definitions for retrieval, groundedness, relevance, and agent evaluation metrics.

  4. 04
    AI Risk Management Framework

    NIST

    A primary risk framework for trustworthy AI measurement and governance.

FAQ / QUICK ANSWERS

Questions testers ask

Should a RAG query rewriter be evaluated with answer quality alone?

No. Score intent preservation and paired retrieval first, then evaluate the generated answer. Answer quality can hide a rewrite that retrieved the wrong evidence or crossed an authorization boundary.

How do authorization filters interact with rewritten queries?

Tenant, principal, role, and document-policy filters should come from trusted request context and remain outside model-written text. Apply the identical trusted filter to baseline and rewrite retrieval runs.

What is a useful paired experiment for query rewriting?

Run the original query and each rewrite against the same index snapshot, retrieval settings, authorization context, and relevance labels, then compare per-query gains and losses by slice.

Can a rewrite improve recall while still being unsafe?

Yes. It may retrieve more relevant-looking chunks by dropping a tenant qualifier, expanding into a restricted topic, or changing the requested time period. Security and intent checks must be vetoes, not averages.

When should the system skip rewriting?

Skip or fall back when the original query is already specific, the rewrite changes protected constraints, evidence for a benefit is weak, or the rewrite policy cannot preserve the trusted retrieval scope.