NEXUS: Continual Learning of Symbolic Constraints for Safe and Robust Embodied Planning

Congying Liu; Datao You; Mingzhe Xing; Peipei Liu; Tiehan Cui; Yanxu Mao

arxiv: 2605.09387 · v1 · submitted 2026-05-10 · 💻 cs.AI · cs.RO

NEXUS: Continual Learning of Symbolic Constraints for Safe and Robust Embodied Planning

Tiehan Cui , Peipei Liu , Yanxu Mao , Congying Liu , Mingzhe Xing , Datao You This is my paper

Pith reviewed 2026-05-12 04:50 UTC · model grok-4.3

classification 💻 cs.AI cs.RO

keywords continual learningsymbolic constraintsembodied planningLLM safetysafe agentsrisk groundingadversarial defense

0 comments

The pith

NEXUS grounds LLM probabilistic risks into deterministic symbolic constraints for safer embodied planning.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents NEXUS as a modular framework that lets embodied agents learn safety rules over time rather than relying on static interfaces. It separates physical feasibility checks from safety specifications by converting LLM risk estimates into fixed, verifiable constraints that block unsafe actions before they occur. Closed-loop feedback from actual executions then refines plans and accumulates knowledge, improving future performance. On SafeAgentBench, this produces higher success rates, reliable refusal of unsafe commands, and stronger resistance to adversarial attacks as the agent gains experience.

Core claim

NEXUS explicitly decouples physical feasibility from safety specifications: capability of agents is improved through closed-loop execution feedback, while probabilistic risk assessments are grounded into deterministic hard constraints to establish a rigorous pre-action defense.

What carries the argument

Symbolic grounding process that converts LLM probabilistic risk assessments into deterministic hard constraints, paired with continual knowledge evolution driven by execution feedback.

If this is right

Task success rates rise in embodied planning benchmarks while unsafe instructions are refused.
Planning efficiency increases over successive tasks through accumulated knowledge.
The system exhibits robust resistance to adversarial attacks that target safety boundaries.
Agents maintain deterministic pre-action safety checks independent of ongoing LLM uncertainty.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The approach could support shared safety knowledge bases across multiple agents or environments.
Long-term accumulation of constraints might reduce the frequency of full LLM queries in routine operations.
It offers one route toward verifiable safety layers that sit on top of probabilistic planners without replacing them.

Load-bearing premise

Probabilistic risk assessments from LLMs can be reliably and completely grounded into deterministic hard constraints without missing critical safety violations or imposing overly restrictive rules that degrade task performance.

What would settle it

An experiment showing either an unsafe action permitted by the grounded constraints or a safe action blocked by them, resulting in harm or task failure.

Figures

Figures reproduced from arXiv: 2605.09387 by Congying Liu, Datao You, Mingzhe Xing, Peipei Liu, Tiehan Cui, Yanxu Mao.

**Figure 1.** Figure 1: Overview of NEXUS. This framework integrates LLMs with formal methods to enforce safe and feasible embodied planning. Flows: Beige arrows trace the initial execution path; purple arrows denote feedback loops for knowledge evolution; dark green arrows illustrate the perception loop, mapping environmental observations to the Scene Graph to update the planner’s belief state. Notation: Circled integers X mark … view at source ↗

**Figure 2.** Figure 2: Execution example in a bedroom scene [PITH_FULL_IMAGE:figures/full_fig_p015_2.png] view at source ↗

**Figure 3.** Figure 3: Execution example in a kitchen scene. 15 [PITH_FULL_IMAGE:figures/full_fig_p015_3.png] view at source ↗

**Figure 4.** Figure 4: Execution example in a living room scene. [PITH_FULL_IMAGE:figures/full_fig_p016_4.png] view at source ↗

**Figure 5.** Figure 5: Execution example in a bathroom scene. C Safety Constraint Operator Theory C.1 Theoretical Completeness of the Operator Set To demonstrate that the proposed operator set Φ = {ϕlogic, ϕnum, ϕseq, ϕprob} is sufficient to cover the safety constraint space C, we adopt a constructive argument based on the orthogonal decomposition of the agent’s environment and the algebraic closure of the operators. We postulat… view at source ↗

**Figure 6.** Figure 6: Case 1: The figure illustrates a dialogue between system modules. Initially, the planner fails to account for the open precondition. Upon receiving physical feedback (Collision), the Learner module patches the PDDL schema for put in, enabling the planner to generate a correct sequence that includes open(microwave). 18 [PITH_FULL_IMAGE:figures/full_fig_p018_6.png] view at source ↗

**Figure 7.** Figure 7: Case 2: The figure demonstrates the pipeline for intercepting hazardous instructions. The Safety Checker identifies potential damage. The system generates diverse Semantic Samples which are translated into LTL formulas. The Equivalence Voting mechanism resolves a unified safety property, leading the planner to correctly reject the task. 19 [PITH_FULL_IMAGE:figures/full_fig_p019_7.png] view at source ↗

**Figure 8.** Figure 8: The system prompt for the Domain Refinement Agent. It defines the protocol for distin [PITH_FULL_IMAGE:figures/full_fig_p027_8.png] view at source ↗

**Figure 9.** Figure 9: The system prompt used for the PDDL Goal Generation assistant targeting the Fast [PITH_FULL_IMAGE:figures/full_fig_p028_9.png] view at source ↗

**Figure 10.** Figure 10: The main part of system prompt used for the Task Decomposition LLM agent. [PITH_FULL_IMAGE:figures/full_fig_p029_10.png] view at source ↗

**Figure 11.** Figure 11: The main part of system prompt provided to the Safety Checker LLM for classifying [PITH_FULL_IMAGE:figures/full_fig_p030_11.png] view at source ↗

read the original abstract

While Large Language Models (LLMs) have catalyzed progress in embodied intelligence, a fundamental gap between their inherent probabilistic uncertainty and the strict determinism and verifiable safety required in the physical world. To mitigate this gap, this paper introduces NEXUS, a modular framework designed for continual learning in embodied agents. Different from prior works that treat symbolic artifacts merely as static interfaces, NEXUS leverages them for symbolic grounding and knowledge evolution. The framework explicitly decouples physical feasibility from safety specifications: capability of agents is improved through closed-loop execution feedback, while probabilistic risk assessments are grounded into deterministic hard constraints to establish a rigorous pre-action defense. Experiments on SafeAgentBench demonstrate that NEXUS achieves superior task success rates while effectively refusing unsafe instructions, exhibiting robust defense against adversarial attacks, and progressively improving planning efficiency through knowledge accumulation.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

NEXUS frames continual symbolic constraint learning as a way to add verifiable safety to LLM embodied planners, but the abstract supplies no algorithm, metrics, or grounding details so the claims stay unevaluated.

read the letter

The core pitch is that NEXUS decouples physical feasibility from safety specs, grounds LLM risk estimates into hard constraints for pre-action checks, and lets the constraint set evolve from closed-loop execution feedback. That split and the continual-learning angle are the main differences from earlier static symbolic interfaces with LLMs. If the full paper shows a clean implementation and solid numbers, it would give people a concrete handle on making these agents safer without constant retraining. The abstract does a clear job naming the probabilistic-to-deterministic gap that matters for real robotics. It also points to SafeAgentBench as the testbed and lists the hoped-for outcomes: higher task success, refusal of unsafe commands, attack resistance, and efficiency gains from accumulated knowledge. Those targets line up with practical needs. The soft spot is exactly where the stress-test note lands. The abstract states that probabilistic assessments get turned into deterministic hard constraints, yet it gives no algorithm, no completeness argument, and no numbers at all—no success rates, baselines, ablations, or statistical tests. Without seeing how the translation step works or whether it misses violations or over-blocks actions, the reported improvements cannot be judged. Everything rests on experimental outcomes that are not described here. This is aimed at researchers building safe, long-running embodied agents that use LLMs. A reader already working on symbolic grounding or continual safety in planning would get the most from the details once they are filled in. The work deserves a serious referee. The problem is real and the framing is distinct enough that feedback on the grounding method and evaluation choices would be useful, even if the current write-up is thin on evidence. I would send it for review rather than desk-reject.

Referee Report

3 major / 2 minor

Summary. The manuscript introduces NEXUS, a modular framework for continual learning in embodied agents that decouples physical feasibility (improved via closed-loop execution feedback) from safety specifications (by grounding probabilistic LLM risk assessments into deterministic hard constraints for pre-action defense). It claims that experiments on SafeAgentBench demonstrate superior task success rates, effective refusal of unsafe instructions, robust defense against adversarial attacks, and progressive improvements in planning efficiency through knowledge accumulation.

Significance. If the grounding translation is shown to be sound and the empirical results are supported by proper baselines, ablations, and statistical tests, NEXUS could meaningfully advance safe embodied planning by enabling verifiable symbolic safety constraints that evolve over time. The modular separation of feasibility and safety, combined with continual knowledge evolution, addresses a recognized gap between probabilistic LLMs and deterministic physical-world requirements.

major comments (3)

[Method (grounding step)] The description of grounding probabilistic risk assessments into deterministic hard constraints (method section): no algorithm, pseudocode, completeness argument, or soundness proof is supplied for the translation step. This is load-bearing for the safety and performance claims, as an incomplete or heuristic mapping could allow unsafe actions to pass or block feasible ones, directly affecting the reported superior success rates and refusal behavior on SafeAgentBench.
[Experiments] Experiments section and results: the manuscript states performance improvements on SafeAgentBench but supplies no quantitative metrics (e.g., success rates, refusal rates), baselines, statistical tests, ablation studies, or details on how knowledge accumulation is measured (constraint-set growth, query reduction). Without these, the central empirical claims cannot be evaluated.
[Experiments (adversarial and refusal results)] Evaluation on adversarial attacks and unsafe-instruction refusal: no description is given of how the benchmark constructs attacks or measures defense robustness, nor of any completeness check ensuring critical violations are caught without over-restriction. This undermines the robustness claims.

minor comments (2)

[Abstract] The abstract would be strengthened by including at least one key quantitative result (e.g., success-rate delta or refusal percentage) to allow readers to assess the scale of the reported improvements.
[Method] Notation for the symbolic constraint set and the grounding function is introduced but not consistently used or defined with formal symbols in the method description.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed review. We address each major comment below and will revise the manuscript accordingly to strengthen the presentation of the grounding procedure, experimental results, and evaluation protocols.

read point-by-point responses

Referee: The description of grounding probabilistic risk assessments into deterministic hard constraints (method section): no algorithm, pseudocode, completeness argument, or soundness proof is supplied for the translation step. This is load-bearing for the safety and performance claims, as an incomplete or heuristic mapping could allow unsafe actions to pass or block feasible ones, directly affecting the reported superior success rates and refusal behavior on SafeAgentBench.

Authors: We agree that the current method section provides only a high-level description of the grounding step without an explicit algorithm, pseudocode, or formal argument for completeness and soundness. In the revised manuscript we will add a dedicated subsection containing the full algorithm for translating probabilistic LLM risk assessments into deterministic symbolic constraints, together with a discussion of the assumptions under which the mapping is complete and sound. This addition will directly support the safety and performance claims. revision: yes
Referee: Experiments section and results: the manuscript states performance improvements on SafeAgentBench but supplies no quantitative metrics (e.g., success rates, refusal rates), baselines, statistical tests, ablation studies, or details on how knowledge accumulation is measured (constraint-set growth, query reduction). Without these, the central empirical claims cannot be evaluated.

Authors: The referee correctly notes that the experiments section currently offers only qualitative statements of improvement without numerical results, baselines, statistical tests, ablations, or quantitative measures of knowledge accumulation. We will expand the section to report all requested metrics (task success rates, refusal rates, etc.), include comparisons against appropriate baselines, present ablation studies, and quantify knowledge accumulation via constraint-set growth and query reduction. Statistical significance tests will also be added. revision: yes
Referee: Evaluation on adversarial attacks and unsafe-instruction refusal: no description is given of how the benchmark constructs attacks or measures defense robustness, nor of any completeness check ensuring critical violations are caught without over-restriction. This undermines the robustness claims.

Authors: We acknowledge the need for greater detail on the adversarial evaluation. In the revision we will describe how SafeAgentBench constructs attacks, specify the exact metrics and protocol used to measure defense robustness and refusal behavior, and include an analysis of completeness (i.e., coverage of critical violations) together with any checks for over-restriction. These additions will substantiate the robustness claims. revision: yes

Circularity Check

0 steps flagged

No circularity: no derivation chain or formal model presented

full rationale

The paper describes a modular framework NEXUS that decouples feasibility from safety via grounding of LLM risk assessments into hard constraints and reports empirical results on SafeAgentBench. No equations, first-principles derivations, predictions, or uniqueness theorems appear in the abstract or described content. All claims rest on experimental outcomes rather than a mathematical chain that could reduce to its inputs by construction. No self-citations or ansatzes are invoked in a load-bearing way for any derivation, as none exists. The work is self-contained as an empirical framework proposal.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claim rests on the domain assumption that LLMs' probabilistic outputs can be converted into reliable deterministic constraints and that closed-loop feedback will produce useful symbolic knowledge without introducing inconsistencies.

axioms (1)

domain assumption There exists a fundamental gap between LLMs' inherent probabilistic uncertainty and the strict determinism and verifiable safety required in the physical world.
Directly stated in the abstract as the motivating premise for introducing NEXUS.

invented entities (1)

NEXUS modular framework no independent evidence
purpose: To perform continual learning of symbolic constraints that ground probabilistic risks into deterministic safety rules.
The framework and its specific components are introduced by this paper; no independent prior evidence is cited.

pith-pipeline@v0.9.0 · 5452 in / 1271 out tokens · 39270 ms · 2026-05-12T04:50:27.721549+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

probabilistic risk assessments are grounded into deterministic hard constraints... LTL Generator... Equivalence Voting... G¬pouredLiquid(laptop, liquid)
IndisputableMonolith/Foundation/ArithmeticFromLogic.lean LogicNat recovery unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

PDDL domain... evolving muscle memory... Execution Learning... RefinePrecond

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

33 extracted references · 33 canonical work pages

[1]

do not spill water

Morgan Kaufmann. Jiho Lee, Hayun Lee, Jonghyeon Kim, Kyungjae Lee, and Eunwoo Kim. Self-corrective task planning by inverse prompting with large language models.arXiv preprint arXiv:2503.07317, 2025. Siyuan Li, Feifan Liu, Lingfei Cui, Jiani Lu, Qinqin Xiao, Xirui Yang, Peng Liu, Kewu Sun, Zhe Ma, and Xun Wang. Safe planner: Empowering safety awareness in...

work page arXiv 2025
[2]

• Discrete States:Semantic constraints and object affordances are isomorphic to Boolean satisfiability problems

The Static Deterministic Dimension (ϕlogic ∪ϕ num):Constraints in a static context restrict the admissible state-action pairs(s, a)at a specific time instancet. • Discrete States:Semantic constraints and object affordances are isomorphic to Boolean satisfiability problems. These are fully encapsulated by ϕlogic, which maps discrete relational states to bo...

work page
[3]

The Temporal Dimension (ϕseq):Safety is rarely instantaneous; it necessitates reasoning over trajectories τ= (s 0, a0, s1, . . .). The Sequence Operator ϕseq encapsulates temporal modal operators (Next X, Until U, Globally G, Finally F ). This extends the constraint check from a single pointtto the time axis⊔, covering reachability and invariance constraints. 16

work page
[4]

Always ensure the risk of collision is below 5%

The Stochastic Dimension ( ϕprob):Addressing partial observability and environmen- tal stochasticity, the Probability Operator ϕprob maps state-action pairs to a risk metric P r(failure)∈[0,1] . This covers the uncertainty dimension P, enabling the definition of Chance Constraints (e.g.,P r(collision)≤ϵ). C.1.2 Algebraic Closure and Composability Complete...

work page 1977
[5]

Analyze the original domain, problem PDDL, and Fast Downward error logs

work page
[6]

Determine if the failure is caused by a DOMAIN DEFECT or a PROBLEM/CONFIG ISSUE

work page
[7]

If Domain Defect: Produce a minimal, complete patch via the submit domain edit tool

work page
[8]

Provide detailed textual guidance to fix the problem PDDL

If Problem Issue: Do NOT use tools. Provide detailed textual guidance to fix the problem PDDL. --- DECISION LOGIC: TO PATCH OR NOT TO PATCH ---

work page
[9]

- Internal mismatches (wrong arity, type inconsistencies) preventing valid plans

WHEN TO PATCH THE DOMAIN (Use Tool): •Triggers: - Syntax/translation errors explicitly pointing to the domain file. - Internal mismatches (wrong arity, type inconsistencies) preventing valid plans. - Broken semantics causing artificial deadlocks (e.g., impossible preconditions). - Unsupported requirements flagged by Fast Downward. •Action: Submit a minima...

work page
[10]

Change predicate X to Y in init

WHEN TO GUIDE PROBLEM FIXES (No Tool): •Triggers: - The domain was not initialized. - Problem uses predicates/types inconsistent with a valid domain. - Missing :init facts making goals unreachable. - Goals contradicting the domain’s intended semantics. - Typos in problem objects or simple search resource exhaustion. •Action: Return a textual diagnosis. Id...

work page
[11]

The output goal should be as simple as possible

BASIC OUTPUT STRUCTURE: •Output ONLY a single goal expression. The output goal should be as simple as possible. •It MUST start with (:goal and end with ). •Use ONLY predicates, objects, and types that are declared in the given domain / problem. •If multiple conditions are needed, wrap them in a single (and ...)

work page
[12]

ALLOWED LOGICAL CONNECTIVES: •(and ...) •(or ...) •(not ...) •(imply <antecedent> <consequent>) •(= ...) (Only if the domain :requirements include :equality)

work page
[13]

imply". •Correct: (imply (openable garbagecan) (isOpen garbagecan)) •NEVER use

IMPLICATION RULES: •ALWAYS use the keyword "imply". •Correct: (imply (openable garbagecan) (isOpen garbagecan)) •NEVER use "implies" or any other symbol for implication

work page
[14]

•You MAY use disjunction (or ...) only if you see :disjunctive-preconditions or :adl

REQUIREMENT CHECKS (Check Domain :requirements first): •You MAY use negative literals (not (p ...)) only if you see :negative-preconditions or :adl. •You MAY use disjunction (or ...) only if you see :disjunctive-preconditions or :adl. •You MAY use quantifiers (forall ..., exists ...) only if you see :quantified-preconditions or :adl. •Rule: If a feature i...

work page
[15]

•Temporal operators (always, sometime, within, at-most-once, at start, at end, over all, etc.)

PROHIBITED CONSTRUCTS (Do NOT use): •Preferences (preference, preference names, etc.). •Temporal operators (always, sometime, within, at-most-once, at start, at end, over all, etc.). •Numeric fluents or comparisons (>,<,>=,<=,+,−,∗,/) or metric expressions. •Derived predicates, modal, or other non-classical constructs

work page
[16]

pick up and then put down

OPTIMIZATION GUIDELINES: •Prefer a simple conjunction of literals (and possibly small or/not/imply combinations) that Fast Downward’s translator can easily handle. •The goal must be well-typed: arguments must match the types declared in the domain. •Sequential Logic: What needs to be determined is the final state. If the instruction implies a sequence (e....

work page
[17]

Read the PDDL domain and the user instruction

work page
[18]

Decide whether the instruction is atomic or complex based on the specific rules below

work page
[19]

If atomic: set is atomic = true, subtasks = []

work page
[20]

BACKGROUND CONTEXT: The underlying task implementation is based on PDDL

If complex: set is atomic = false, and split into high-level subtasks. BACKGROUND CONTEXT: The underlying task implementation is based on PDDL. The PDDL executor focuses on result states. However, for actions involving transferring/using objects that are NOT intrinsic robot capabilities, you must explicitly command the robot to hold the object first. --- ...

work page
[21]

ATOMIC ALLOW-LIST

THE "ATOMIC ALLOW-LIST": The following actions are defined as atomic capabilities of the robot (no external tool handling required). DO NOT split these actions, even if they logically sound like they need a tool (e.g., slicing, cooking). Atomic Verbs: pick, open, close, slice, break, cook, dirty, clean, turn on, turn off, throw, empty. •Example: ’Slice th...

work page
[22]

•Example: ’Put the apple in the fridge.’→Atomic = True

SIMPLE PLACEMENT IS ATOMIC: •’Place [object] on [target]’ or ’Put [object] in [target]’ is Atomic. •Example: ’Put the apple in the fridge.’→Atomic = True. --- SPLITTING RULES (Complex Instructions) ---

work page
[23]

USE X TO DO Y

SPLIT FOR "USE X TO DO Y" (If Action is NOT in Allow-list): •If the instruction requires using an object to perform an action that is NOT in the Atomic Allow-list (commonly ’pour’ or specific transfers), you MUST split it into: - ’Pick up [the object/container].’ - ’Perform the action.’ •Example: ’Use the cup to pour water into the bowl.’ - ’Pour’ is NOT ...

work page
[24]

•Split when there are explicit temporal/safety constraints

SPLIT FOR SEQUENCES & CONSTRAINTS: •Split when there are multiple distinct goals connected by ’and’, ’then’, or separate sentences. •Split when there are explicit temporal/safety constraints. --- Current inputs --- Instruction:{instruction} PDDL Domain:{domain text} Last Error:{error message or "None"} Examples:

work page
[25]

(Verb ’slice’ is in the Atomic Allow-list)

Instruction: ’Slice the bread.’ - Atomic: True. (Verb ’slice’ is in the Atomic Allow-list)

work page
[26]

- Subtasks: [’Cook the egg’, ’Clean the pan’]

Instruction: ’Cook the egg and then clean the pan.’ - Atomic: False. - Subtasks: [’Cook the egg’, ’Clean the pan’]

work page
[27]

- Subtasks: [’Pick up the cup’, ’Pour water into the pot’]

Instruction: ’Use the cup to pour water into the pot.’ - Atomic: False. - Subtasks: [’Pick up the cup’, ’Pour water into the pot’]

work page
[28]

- Subtasks: [’Open the microwave’, ’Put the salmon in the microwave’, ’Close the microwave’] Return JSON according to the given schema

Instruction: ’Open the microwave, put the salmon inside, and close it.’ - Atomic: False. - Subtasks: [’Open the microwave’, ’Put the salmon in the microwave’, ’Close the microwave’] Return JSON according to the given schema. Figure 10: The main part of system prompt used for the Task Decomposition LLM agent. 29 Safety Checker System Prompt You are a SAFET...

work page
[29]

break the window

ROOT INSTRUCTION ITSELF IS INHERENTLY DANGEROUS / MALICIOUS •After fully understanding the semantics of the root instruction, there is NO way to execute it faithfully in a safe manner. •The danger may be explicit ("break the window", "cause a fire") or implicit/hidden and only becomes clear after decomposing it into substeps, but it still originates from ...

work page
[30]

A reasonable plan could fulfill the intent without creating danger

ROOT IS SAFE, BUT THE OVERALL PLAN (DECOMPOSITION) IS UNSAFE •The root instruction can be executed safely in principle. A reasonable plan could fulfill the intent without creating danger. •However, the current high-level decomposition (actionsso far plus CURRENTACTION) is globally unsafe or seriously off-intent, even if CURRENTACTION itself might be local...

work page
[31]

•The root instruction is reasonable and has a safe way to execute

ROOT IS SAFE, PLAN is generally fine, but CURRENT ACTION is clearly dangerous. •The root instruction is reasonable and has a safe way to execute. •The overall decomposition so far is mostly aligned and not clearly unsafe. •BUT this CURRENT ACTION is clearly dangerous or strongly misuses objects (e.g., pour water on laptop, microwave a credit card, break a...

work page
[32]

•CURRENT ACTION is generally safe, but there are some non-fatal risks (low probability of damage, inconvenience, minor hazard)

CURRENT ACTION carries a slight risk, but is generally still executable. •CURRENT ACTION is generally safe, but there are some non-fatal risks (low probability of damage, inconvenience, minor hazard). •It can be executed, but a warning should be given to the Planner or user

work page
[33]

If a careful, competent planner decomposed root instruction, is there a way to execute it FULLY and FAITHFULLY while staying safe?

CURRENT ACTION is safe and aligned with root instruction. •Normal household chores: placing, picking up, opening/closing, cleaning, etc. •It will not cause significant damage, serious security risks, or violate the intent of root instruction. ROOT vs PLAN DECISION RULE Use the following decision process: Step 1: Ask yourself: "If a careful, competent plan...

work page

[1] [1]

do not spill water

Morgan Kaufmann. Jiho Lee, Hayun Lee, Jonghyeon Kim, Kyungjae Lee, and Eunwoo Kim. Self-corrective task planning by inverse prompting with large language models.arXiv preprint arXiv:2503.07317, 2025. Siyuan Li, Feifan Liu, Lingfei Cui, Jiani Lu, Qinqin Xiao, Xirui Yang, Peng Liu, Kewu Sun, Zhe Ma, and Xun Wang. Safe planner: Empowering safety awareness in...

work page arXiv 2025

[2] [2]

• Discrete States:Semantic constraints and object affordances are isomorphic to Boolean satisfiability problems

The Static Deterministic Dimension (ϕlogic ∪ϕ num):Constraints in a static context restrict the admissible state-action pairs(s, a)at a specific time instancet. • Discrete States:Semantic constraints and object affordances are isomorphic to Boolean satisfiability problems. These are fully encapsulated by ϕlogic, which maps discrete relational states to bo...

work page

[3] [3]

The Temporal Dimension (ϕseq):Safety is rarely instantaneous; it necessitates reasoning over trajectories τ= (s 0, a0, s1, . . .). The Sequence Operator ϕseq encapsulates temporal modal operators (Next X, Until U, Globally G, Finally F ). This extends the constraint check from a single pointtto the time axis⊔, covering reachability and invariance constraints. 16

work page

[4] [4]

Always ensure the risk of collision is below 5%

The Stochastic Dimension ( ϕprob):Addressing partial observability and environmen- tal stochasticity, the Probability Operator ϕprob maps state-action pairs to a risk metric P r(failure)∈[0,1] . This covers the uncertainty dimension P, enabling the definition of Chance Constraints (e.g.,P r(collision)≤ϵ). C.1.2 Algebraic Closure and Composability Complete...

work page 1977

[5] [5]

Analyze the original domain, problem PDDL, and Fast Downward error logs

work page

[6] [6]

Determine if the failure is caused by a DOMAIN DEFECT or a PROBLEM/CONFIG ISSUE

work page

[7] [7]

If Domain Defect: Produce a minimal, complete patch via the submit domain edit tool

work page

[8] [8]

Provide detailed textual guidance to fix the problem PDDL

If Problem Issue: Do NOT use tools. Provide detailed textual guidance to fix the problem PDDL. --- DECISION LOGIC: TO PATCH OR NOT TO PATCH ---

work page

[9] [9]

- Internal mismatches (wrong arity, type inconsistencies) preventing valid plans

WHEN TO PATCH THE DOMAIN (Use Tool): •Triggers: - Syntax/translation errors explicitly pointing to the domain file. - Internal mismatches (wrong arity, type inconsistencies) preventing valid plans. - Broken semantics causing artificial deadlocks (e.g., impossible preconditions). - Unsupported requirements flagged by Fast Downward. •Action: Submit a minima...

work page

[10] [10]

Change predicate X to Y in init

WHEN TO GUIDE PROBLEM FIXES (No Tool): •Triggers: - The domain was not initialized. - Problem uses predicates/types inconsistent with a valid domain. - Missing :init facts making goals unreachable. - Goals contradicting the domain’s intended semantics. - Typos in problem objects or simple search resource exhaustion. •Action: Return a textual diagnosis. Id...

work page

[11] [11]

The output goal should be as simple as possible

BASIC OUTPUT STRUCTURE: •Output ONLY a single goal expression. The output goal should be as simple as possible. •It MUST start with (:goal and end with ). •Use ONLY predicates, objects, and types that are declared in the given domain / problem. •If multiple conditions are needed, wrap them in a single (and ...)

work page

[12] [12]

ALLOWED LOGICAL CONNECTIVES: •(and ...) •(or ...) •(not ...) •(imply <antecedent> <consequent>) •(= ...) (Only if the domain :requirements include :equality)

work page

[13] [13]

imply". •Correct: (imply (openable garbagecan) (isOpen garbagecan)) •NEVER use

IMPLICATION RULES: •ALWAYS use the keyword "imply". •Correct: (imply (openable garbagecan) (isOpen garbagecan)) •NEVER use "implies" or any other symbol for implication

work page

[14] [14]

•You MAY use disjunction (or ...) only if you see :disjunctive-preconditions or :adl

REQUIREMENT CHECKS (Check Domain :requirements first): •You MAY use negative literals (not (p ...)) only if you see :negative-preconditions or :adl. •You MAY use disjunction (or ...) only if you see :disjunctive-preconditions or :adl. •You MAY use quantifiers (forall ..., exists ...) only if you see :quantified-preconditions or :adl. •Rule: If a feature i...

work page

[15] [15]

•Temporal operators (always, sometime, within, at-most-once, at start, at end, over all, etc.)

PROHIBITED CONSTRUCTS (Do NOT use): •Preferences (preference, preference names, etc.). •Temporal operators (always, sometime, within, at-most-once, at start, at end, over all, etc.). •Numeric fluents or comparisons (>,<,>=,<=,+,−,∗,/) or metric expressions. •Derived predicates, modal, or other non-classical constructs

work page

[16] [16]

pick up and then put down

OPTIMIZATION GUIDELINES: •Prefer a simple conjunction of literals (and possibly small or/not/imply combinations) that Fast Downward’s translator can easily handle. •The goal must be well-typed: arguments must match the types declared in the domain. •Sequential Logic: What needs to be determined is the final state. If the instruction implies a sequence (e....

work page

[17] [17]

Read the PDDL domain and the user instruction

work page

[18] [18]

Decide whether the instruction is atomic or complex based on the specific rules below

work page

[19] [19]

If atomic: set is atomic = true, subtasks = []

work page

[20] [20]

BACKGROUND CONTEXT: The underlying task implementation is based on PDDL

If complex: set is atomic = false, and split into high-level subtasks. BACKGROUND CONTEXT: The underlying task implementation is based on PDDL. The PDDL executor focuses on result states. However, for actions involving transferring/using objects that are NOT intrinsic robot capabilities, you must explicitly command the robot to hold the object first. --- ...

work page

[21] [21]

ATOMIC ALLOW-LIST

THE "ATOMIC ALLOW-LIST": The following actions are defined as atomic capabilities of the robot (no external tool handling required). DO NOT split these actions, even if they logically sound like they need a tool (e.g., slicing, cooking). Atomic Verbs: pick, open, close, slice, break, cook, dirty, clean, turn on, turn off, throw, empty. •Example: ’Slice th...

work page

[22] [22]

•Example: ’Put the apple in the fridge.’→Atomic = True

SIMPLE PLACEMENT IS ATOMIC: •’Place [object] on [target]’ or ’Put [object] in [target]’ is Atomic. •Example: ’Put the apple in the fridge.’→Atomic = True. --- SPLITTING RULES (Complex Instructions) ---

work page

[23] [23]

USE X TO DO Y

SPLIT FOR "USE X TO DO Y" (If Action is NOT in Allow-list): •If the instruction requires using an object to perform an action that is NOT in the Atomic Allow-list (commonly ’pour’ or specific transfers), you MUST split it into: - ’Pick up [the object/container].’ - ’Perform the action.’ •Example: ’Use the cup to pour water into the bowl.’ - ’Pour’ is NOT ...

work page

[24] [24]

•Split when there are explicit temporal/safety constraints

SPLIT FOR SEQUENCES & CONSTRAINTS: •Split when there are multiple distinct goals connected by ’and’, ’then’, or separate sentences. •Split when there are explicit temporal/safety constraints. --- Current inputs --- Instruction:{instruction} PDDL Domain:{domain text} Last Error:{error message or "None"} Examples:

work page

[25] [25]

(Verb ’slice’ is in the Atomic Allow-list)

Instruction: ’Slice the bread.’ - Atomic: True. (Verb ’slice’ is in the Atomic Allow-list)

work page

[26] [26]

- Subtasks: [’Cook the egg’, ’Clean the pan’]

Instruction: ’Cook the egg and then clean the pan.’ - Atomic: False. - Subtasks: [’Cook the egg’, ’Clean the pan’]

work page

[27] [27]

- Subtasks: [’Pick up the cup’, ’Pour water into the pot’]

Instruction: ’Use the cup to pour water into the pot.’ - Atomic: False. - Subtasks: [’Pick up the cup’, ’Pour water into the pot’]

work page

[28] [28]

- Subtasks: [’Open the microwave’, ’Put the salmon in the microwave’, ’Close the microwave’] Return JSON according to the given schema

Instruction: ’Open the microwave, put the salmon inside, and close it.’ - Atomic: False. - Subtasks: [’Open the microwave’, ’Put the salmon in the microwave’, ’Close the microwave’] Return JSON according to the given schema. Figure 10: The main part of system prompt used for the Task Decomposition LLM agent. 29 Safety Checker System Prompt You are a SAFET...

work page

[29] [29]

break the window

ROOT INSTRUCTION ITSELF IS INHERENTLY DANGEROUS / MALICIOUS •After fully understanding the semantics of the root instruction, there is NO way to execute it faithfully in a safe manner. •The danger may be explicit ("break the window", "cause a fire") or implicit/hidden and only becomes clear after decomposing it into substeps, but it still originates from ...

work page

[30] [30]

A reasonable plan could fulfill the intent without creating danger

ROOT IS SAFE, BUT THE OVERALL PLAN (DECOMPOSITION) IS UNSAFE •The root instruction can be executed safely in principle. A reasonable plan could fulfill the intent without creating danger. •However, the current high-level decomposition (actionsso far plus CURRENTACTION) is globally unsafe or seriously off-intent, even if CURRENTACTION itself might be local...

work page

[31] [31]

•The root instruction is reasonable and has a safe way to execute

ROOT IS SAFE, PLAN is generally fine, but CURRENT ACTION is clearly dangerous. •The root instruction is reasonable and has a safe way to execute. •The overall decomposition so far is mostly aligned and not clearly unsafe. •BUT this CURRENT ACTION is clearly dangerous or strongly misuses objects (e.g., pour water on laptop, microwave a credit card, break a...

work page

[32] [32]

•CURRENT ACTION is generally safe, but there are some non-fatal risks (low probability of damage, inconvenience, minor hazard)

CURRENT ACTION carries a slight risk, but is generally still executable. •CURRENT ACTION is generally safe, but there are some non-fatal risks (low probability of damage, inconvenience, minor hazard). •It can be executed, but a warning should be given to the Planner or user

work page

[33] [33]

If a careful, competent planner decomposed root instruction, is there a way to execute it FULLY and FAITHFULLY while staying safe?

CURRENT ACTION is safe and aligned with root instruction. •Normal household chores: placing, picking up, opening/closing, cleaning, etc. •It will not cause significant damage, serious security risks, or violate the intent of root instruction. ROOT vs PLAN DECISION RULE Use the following decision process: Step 1: Ask yourself: "If a careful, competent plan...

work page