pith. sign in

arxiv: 2606.27231 · v1 · pith:54QU4VXUnew · submitted 2026-06-25 · 🪐 quant-ph · physics.ins-det

A hardware-safety-gated system for LLM-written native ARTIQ control code on a trapped-ion platform

Duanyang Wang , Lu Qi , Yuanheng Xie , Norbert M. Linke , Kenneth R. Brown This is my paper

Pith reviewed 2026-06-26 04:15 UTC · model grok-4.3

classification 🪐 quant-ph physics.ins-det
keywords LLM agentstrapped ionsARTIQhardware safetyexperimental controlauthorization tokensquantum computingautonomous experiments
0
0 comments X

The pith

An LLM agent develops its own ARTIQ control scripts for trapped-ion hardware when every operation is blocked until an authorization token is issued by simulation or human review.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that an LLM can be placed inside the control loop of a trapped-ion experiment without allowing unchecked code to reach the hardware. The agent interacts with the ARTIQ stack through a server that supplies tools, but no tool call executes unless it carries a token tied exactly to its content. Tokens are granted automatically when an isolated simulator verifies that every operation stays inside preset device limits, or manually for sensitive steps. Demonstrations include the agent building a full calibration sequence on a calcium ion crystal and, with limited guidance, stabilizing a magnetic field across instruments. The same interface works on a separate ytterbium platform, and adversarial tests map where the token check can still be challenged.

Core claim

By routing all agent actions through a Model Context Protocol server and requiring every hardware-directed tool call to carry a content-specific authorization token, the system creates a formal boundary between the LLM's decisions and physical execution. Tokens are produced either by running the proposed script in dax.sim and confirming compliance with per-device bounds or by direct human approval. Inside this boundary the agent generates and iterates on its own experimental code rather than invoking only pre-written functions, as shown by autonomous calibration of a co-trapped Ca+/CaOH+ crystal and partial closure of a magnetic-field loop on the same apparatus plus successful porting to an

What carries the argument

The content-bound authorization token, issued either automatically by isolated dax.sim simulation against preset bounds or manually by an operator, which must accompany every tool call before it can reach the ARTIQ hardware.

If this is right

  • The agent can autonomously construct and run a complete calibration stack for a co-trapped calcium ion crystal without pre-built routines.
  • With targeted human input on problem framing, the agent can close a cross-instrument magnetic-field stabilization loop.
  • The same tool interface and token gate operate without modification on an independent ytterbium ion platform.
  • Systematic tests with adversarial scripts identify the precise locations where the token authorization can still be challenged.
  • The agent's remaining need for human guidance stems from difficulty recognizing when an experimental problem requires re-framing rather than from gaps in domain knowledge.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same token-plus-simulation gate could be applied to other control frameworks beyond ARTIQ on different quantum hardware platforms.
  • Adding explicit checks for metacognitive steps, such as detecting when a calibration sequence is not converging, might reduce the frequency of required human interventions.
  • Extending the simulator to include interactions between multiple devices could tighten the safety boundary for more complex experiments.

Load-bearing premise

The isolated hardware simulator can correctly detect and block every operation that would exceed safe device limits without missing any damaging actions.

What would settle it

An adversarial script that reaches and executes on the real hardware despite violating a preset device bound, thereby showing that the token mechanism failed to intercept it.

Figures

Figures reproduced from arXiv: 2606.27231 by Duanyang Wang, Kenneth R. Brown, Lu Qi, Norbert M. Linke, Yuanheng Xie.

Figure 1
Figure 1. Figure 1: FIG. 1. Overview of the closed-loop control path. The human operator supplies a high-level goal and approves only sensitive [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: FIG. 2. Sideband thermometry at the endpoint of the agent-built cooling chain. Shelving probability against detuning from the [PITH_FULL_IMAGE:figures/full_fig_p006_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: FIG. 3. Carrier Rabi flopping on the 729 transition (left), measured by the agent’s probe sequence after cooling. Shelving [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: FIG. 4. Carrier Ramsey coherence of the optical qubit in the co-trapped crystal under the four combinations of compensation [PITH_FULL_IMAGE:figures/full_fig_p009_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: FIG. 5. Outcome of the adversarial campaign. (a) The 1932 generated scripts, classified by the filter’s response. The control set [PITH_FULL_IMAGE:figures/full_fig_p010_5.png] view at source ↗
read the original abstract

Large-language-model (LLM) agents can write and run experimental control code. This allows laboratory work to be conducted autonomously. However, this autonomy raises a safety problem that prior work has not addressed. Unchecked code can damage the apparatus, and there is no formal, per-operation boundary between human authorization/supervision, and agent decisions. We present a control system that places an LLM agent in the loop of a trapped-ion experiment while enforcing such a boundary. The agent controls the existing Advanced Real-Time Infrastructure for Quantum physics (ARTIQ) stack through tools provided by a Model Context Protocol (MCP) server. No tool call reaches the hardware unless it carries an authorization token bound to its exact contents. Tokens are issued in one of two ways: automatically, by running the agent's proposed script in an isolated hardware simulation (dax.sim) and checking every operation against preset per-device bounds, or manually by a human operator for sensitive actions. Within this boundary the agent develops its own experiments, rather than only calling pre-built routines. We deploy the system on a co-trapped $^{40}$Ca$^{+}$/$^{40}$CaOH$^{+}$ crystal, where the agent autonomously builds a full calibration stack and, with targeted operator guidance, closes a cross-instrument magnetic-field-stabilization loop. On a separate, independent $^{171}$Yb$^{+}$ platform, we confirm interface-level portability. We systematically test token-authorization mechanism with adversarial scripts that attempt to bypass it, mapping the precise boundary of its protection and prioritizing where to strengthen it next. Analyzing where the agent still requires human guidance, we find that its limits lie in metacognitive control, namely recognizing when a problem must be re-framed, rather than in domain knowledge.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript presents a control architecture integrating an LLM agent with the ARTIQ stack via an MCP server for trapped-ion experiments. No tool call reaches hardware without a content-bound authorization token; tokens are issued automatically after the agent's script runs in dax.sim and passes per-device bounds checks, or manually for sensitive actions. The system is deployed on a co-trapped 40Ca+/40CaOH+ crystal where the agent builds a calibration stack and (with guidance) closes a magnetic-field stabilization loop, with interface portability confirmed on an independent 171Yb+ platform. Adversarial scripts are used to test the token mechanism and map its protection boundary; the agent's remaining limits are identified as metacognitive rather than domain-knowledge gaps.

Significance. If the simulation-based gating is reliable, the work supplies a concrete, per-operation safety boundary for LLM-driven autonomous experimentation that prior systems lacked. The explicit token mechanism, dual-platform deployment, and systematic adversarial testing constitute practical contributions to safe lab automation in quantum control. The distinction drawn between domain knowledge and metacognitive control is a useful diagnostic for future agent design.

major comments (2)
  1. [token-authorization mechanism and dax.sim description (abstract and deployment sections)] The central safety claim—that no unsafe operation reaches hardware—rests on dax.sim constituting a sound over-approximation of the physical apparatus. The manuscript should state which effects are modeled in dax.sim and discuss potential gaps (laser-power fluctuations, trap-electrode charging, unmodeled CaOH+ reaction pathways) that could allow a damaging script to receive an automatic token. Because the described adversarial tests occur inside the same simulator, they cannot detect this class of incompleteness.
  2. [deployment on Ca+/CaOH+ and Yb+ platforms] The deployments are presented only descriptively. No quantitative metrics (success rate of autonomous calibration sequences, number of manual interventions required, wall-clock time, or comparison against human baselines) are supplied, leaving the practical utility of the agent-in-the-loop claim only qualitatively supported.
minor comments (2)
  1. [title and abstract] The phrase 'native ARTIQ control code' is used in the title and abstract but is not defined until later; an early clarification would help readers unfamiliar with ARTIQ.
  2. [figures] Figure captions and axis labels for any timing or token-flow diagrams should be checked for consistency with the text description of the MCP server.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. Below we respond point-by-point to the major comments, indicating where the manuscript will be revised.

read point-by-point responses

  1. Referee: [token-authorization mechanism and dax.sim description (abstract and deployment sections)] The central safety claim—that no unsafe operation reaches hardware—rests on dax.sim constituting a sound over-approximation of the physical apparatus. The manuscript should state which effects are modeled in dax.sim and discuss potential gaps (laser-power fluctuations, trap-electrode charging, unmodeled CaOH+ reaction pathways) that could allow a damaging script to receive an automatic token. Because the described adversarial tests occur inside the same simulator, they cannot detect this class of incompleteness.

    Authors: We agree that the safety claim would be strengthened by an explicit account of dax.sim's modeling assumptions. In revision we will insert a new subsection describing the effects currently modeled (ion motion under laser forces and basic pulse timing as implemented in the ARTIQ layer) and will list the cited gaps (laser-power fluctuations, trap-electrode charging, unmodeled CaOH+ reaction pathways) as acknowledged limitations that could in principle permit an unsafe script to obtain an automatic token. We will also clarify that the adversarial tests validate only the token logic inside the simulator and do not address simulator-to-hardware fidelity; this limitation will be stated and flagged for future work. revision: yes

  2. Referee: [deployment on Ca+/CaOH+ and Yb+ platforms] The deployments are presented only descriptively. No quantitative metrics (success rate of autonomous calibration sequences, number of manual interventions required, wall-clock time, or comparison against human baselines) are supplied, leaving the practical utility of the agent-in-the-loop claim only qualitatively supported.

    Authors: The primary contribution is the safety architecture rather than agent performance benchmarking. Nevertheless, we will revise the deployment sections to report the concrete counts of autonomous calibration steps versus those requiring manual guidance that were observed in the Ca+/CaOH+ runs, and we will add a brief statement on the Yb+ portability test. Systematic success rates, wall-clock times, and human-baseline comparisons were not recorded in the original experiments; these cannot be supplied without new data collection and will therefore be noted as a limitation of the present study. revision: partial

Circularity Check

0 steps flagged

No circularity; systems paper with no derivations or self-referential predictions

full rationale

The manuscript is a description of an implemented control system (LLM agent + MCP tools + dax.sim gating + ARTIQ). It contains no equations, fitted parameters, predictions of quantities from other quantities, or uniqueness theorems. All claims are grounded in code, hardware deployment, and adversarial testing rather than any derivation chain. The dax.sim safety boundary is an engineering assumption whose soundness is external to the paper; it is not derived from or equivalent to the paper's own outputs. No self-citation load-bearing steps appear in the load-bearing claims.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claim depends on the accuracy of the dax.sim simulator for automatic approvals and the un-bypassable nature of the token mechanism; both are domain assumptions without independent evidence supplied in the abstract.

axioms (1)
  • domain assumption dax.sim simulation accurately represents all hardware operations for the purpose of bound checking.
    Required for automatic token issuance without human intervention for every safe command.
invented entities (1)
  • Content-bound authorization token issued by MCP server no independent evidence
    purpose: To enforce a formal per-operation boundary between LLM agent decisions and hardware execution.
    New architectural component introduced to solve the safety problem.

pith-pipeline@v0.9.1-grok · 5867 in / 1249 out tokens · 62542 ms · 2026-06-26T04:15:34.544531+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

41 extracted references · 7 linked inside Pith

  1. [1]

    Develop a Doppler cool- ing experiment for the 40Ca+/40CaOH+ ion chain

    Doppler cool- ing “Develop a Doppler cool- ing experiment for the 40Ca+/40CaOH+ ion chain.” 397 nm alignment; power vs. AOM attenuation; beam position at ion None at this stage

  2. [2]

    Use the 729 nm laser to scan the quadrupole transi- tion spectrum

    729 nm spec- troscopy “Use the 729 nm laser to scan the quadrupole transi- tion spectrum.” 729 nm alignment; polar- ization;B-field; axial sec- ular frequencies; carrier AOM setpoint≈152 MHz; Ω/2π≈100 kHz None

  3. [3]

    Use the 729 nm laser to cool the ion’s axial motion

    Sideband cool- ing “Use the 729 nm laser to cool the ion’s axial motion.” Inherited from stages 1 and 2 Data-quality direc- tives (shot count,χ 2 criterion); request for shorter sequence

  4. [4]

    Develop Rabi flopping on the carrier atXMHz

    Rabi flopping“Develop Rabi flopping on the carrier atXMHz.” Calibrated carrier fre- quency from stage 2 None

  5. [5]

    Build a Ramsey fringe measurement

    Ramsey inter- ferometry “Build a Ramsey fringe measurement.” Inherited from stages 1–3 None C. Control-stack integration test on a second platform To demonstrate that our control interface and safety architecture are fundamentally decoupled from our pri- mary laboratory’s specific hardware configuration, we perform an interface-level validation on an inde...

    1932

  6. [6]

    Seifrid, R

    M. Seifrid, R. Pollice, A. Aguilar-Granda, Z. Mor- gan Chan, K. Hotta, C. T. Ser, J. Vestfrid, T. C. Wu, and A. Aspuru-Guzik, Acc. Chem. Res.55, 2454 (2022)

    2022

  7. [7]

    Abolhasani and E

    M. Abolhasani and E. Kumacheva, Nat. Synth.2, 483 (2023)

    2023

  8. [8]

    Riesebos, B

    L. Riesebos, B. Bondurant, J. Whitlow, J. Kim, M. Kuzyk, T. Chen, S. Phiri, Y. Wang, C. Fang, A. Van Horn, J. Kim, and K. R. Brown, in2022 IEEE Int. Conf. on Quantum Computing and Engineer- ing (QCE)(IEEE, 2022) pp. 545–555

    2022

  9. [9]

    Kasprowicz, P

    G. Kasprowicz, P. Kulik, M. Gaska, T. Przywozki, K. Pozniak, J. Jarosinski, J. W. Britton, T. Harty, C. Balance, W. Zhang, D. Nadlinger, D. Slichter, D. All- cock, S. Bourdeauducq, and R. J¨ ordens, inOSA Quan- tum 2.0 Conf.(Optica Publishing Group, 2020) p. QTu8B.14

    2020

  10. [10]

    Zhang, H

    Z. Zhang, H. Que, J. Chang, X. Zhang, H. Wei, and T. Zhu, Safe-sdl: Establishing safety boundaries and control mechanisms for ai-driven self-driving laboratories (2026), 2602.15061

    arXiv 2026

  11. [11]

    H. Moon, D. T. Lennon, J. Kirkpatrick, N. M. van Es- broeck, L. C. Camenzind, L. Yu, F. Vigneau, D. M. Zumb¨ uhl, G. A. D. Briggs, M. A. Osborne, D. Sejdi- novic, E. A. Laird, and N. Ares, Nat. Commun.11, 4161 (2020)

    2020

  12. [12]

    Nguyen, S

    V. Nguyen, S. B. Orbell, D. T. Lennon, H. Moon, F. Vi- gneau, L. C. Camenzind, L. Yu, D. M. Zumb¨ uhl, G. A. D. Briggs, M. A. Osborne, D. Sejdinovic, and N. Ares, npj Quantum Inf.7, 100 (2021)

    2021

  13. [13]

    Schuff, M

    J. Schuff, M. J. Carballido, M. Kotzagiannidis, J. C. Calvo, M. Caselli, J. Rawling, D. L. Craig, B. van Straaten, B. Severin, F. Fedele, S. Svab, P. Cheva- lier Kwon, R. S. Eggli, T. Patlatiuk, N. Korda, D. Zumb¨ uhl, and N. Ares, Nat. Electron.9, 304 (2026)

    2026

  14. [14]

    J. P. Zwolak and J. M. Taylor, Rev. Mod. Phys.95, 011006 (2023)

    2023

  15. [15]

    Kelly, P

    J. Kelly, P. O’Malley, M. Neeley, H. Neven, and J. M. Martinis, Physical qubit calibration on a directed acyclic graph (2018), 1803.03226

    Pith/arXiv arXiv 2018

  16. [16]

    Wittler, F

    N. Wittler, F. Roy, K. Pack, M. Werninghaus, A. S. Roy, D. J. Egger, S. Filipp, F. K. Wilhelm, and S. Machnes, Phys. Rev. Appl.15, 034080 (2021). 15

    2021

  17. [17]

    M. Y. Niu, S. Boixo, V. N. Smelyanskiy, and H. Neven, npj Quantum Inf.5, 33 (2019)

    2019

  18. [18]

    Y. Baum, M. Amico, S. Howell, M. Hush, M. Liuzzi, P. Mundada, T. Merkh, A. R. R. Carvalho, and M. J. Biercuk, PRX Quantum2, 040324 (2021)

    2021

  19. [19]

    Gerster, F

    L. Gerster, F. Mart´ ınez-Garc´ ıa, P. Hrmo, M. W. van Mourik, B. Wilhelm, D. Vodola, M. M¨ uller, R. Blatt, P. Schindler, and T. Monz, PRX Quantum3, 020350 (2022)

    2022

  20. [20]

    D. A. Boiko, R. MacKnight, B. Kline, and G. Gomes, Nature624, 570 (2023)

    2023

  21. [21]

    M Bran, S

    A. M Bran, S. Cox, O. Schilter, C. Baldassari, A. D. White, and P. Schwaller, Nat. Mach. Intell.6, 525 (2024)

    2024

  22. [22]

    C. Lu, C. Lu, R. T. Lange, J. Foerster, J. Clune, and D. Ha, The ai scientist: Towards fully automated open- ended scientific discovery (2024), 2408.06292

    Pith/arXiv arXiv 2024

  23. [23]

    Gottweis, W.-H

    J. Gottweis, W.-H. Weng, A. Daryin, T. Tu, A. Palepu, P. Sirkovic, A. Myaskovsky, F. Weissenberger, K. Rong, R. Tanno, K. Saab, D. Popovici, J. Blum, F. Zhang, K. Chou, A. Hassidim, B. Gokturk, A. Vahdat, P. Kohli, Y. Matias, A. Carroll, K. Kulkarni, N. Tomasev, Y. Guan, V. Dhillon, E. D. Vaishnav, B. Lee, T. R. D. Costa, J. R. Penad´ es, G. Peltz, Y. Xu,...

    Pith/arXiv arXiv 2025

  24. [24]

    S. Cao, Z. Zhang, M. Alghadeer, S. D. Fasciati, M. Piscitelli, M. Bakr, P. Leek, and A. Aspuru-Guzik, Patterns6, 101372 (2025)

    2025

  25. [25]

    S. Li, J. M. Miller, P. J. Lee, G. Andersson, C. R. Con- ner, Y. J. Joshi, B. Karimi, A. M. King, H. L. Malc, H. Mishra, H. Qiao, M. Ryu, X. Wu, S. Xing, H. Yan, J. Shi, and A. N. Cleland, Large language model-assisted superconducting qubit experiments (2026), 2603.08801

    arXiv 2026

  26. [26]

    A. S. Rao, B. van Straaten, V. John, C. X. Yu, S. D. Oosterhout, L. Stehouwer, G. Scappucci, M. D. Stew- art, Jr, M. Veldhorst, F. Borsoi, and J. P. Zwolak, To- wards autonomous time-calibration of large quantum-dot devices: Detection, real-time feedback, and noise spec- troscopy (2025), 2512.24894

    arXiv 2025

  27. [27]

    S. Cao, Z. Zhang, A. Agarwal, G. Bratrud, N. R. Beysen- gulov, D. C. Cole, A. G´ omez Frieiro, E. O. Glen, H. Hsu, G. Huang, R. Jow, G. Shaji, T. Lubowe, L. Zhu, L. Man- tilla Calder´ on, N. Pancotti, J. Pendleton, B. Severin, C. E. Staub, S. Sussman, A. Veps¨ al¨ ainen, N. R. Vora, Y. Xu, V. Bernales, D. Bowring, E. Kyoseva, I. Rung- ger, G. Semeghini, S...

    Pith/arXiv arXiv 2026

  28. [28]

    S. X. Leong, C. E. Griesbach, R. Zhang, K. Darvish, Y. Zhao, A. Mandal, Y. Zou, H. Hao, V. Bernales, and A. Aspuru-Guzik, Nat. Rev. Chem.9, 707 (2025)

    2025

  29. [29]

    X. Tang, Q. Jin, K. Zhu, T. Yuan, Y. Zhang, W. Zhou, M. Qu, Y. Zhao, J. Tang, Z. Zhang, A. Cohan, D. Green- baum, Z. Lu, and M. Gerstein, Nat. Commun.16, 8317 (2025)

    2025

  30. [30]

    Lazaros, A

    K.-P. Lazaros, A. Vrahatis, and S. Kotsiantis, Entropy 28, 377 (2026)

    2026

  31. [31]

    Anthropic, Model context protocol specification (2025), version 2025-06-18

    2025

  32. [32]

    Schick, J

    T. Schick, J. Dwivedi-Yu, R. Dess` ı, R. Raileanu, M. Lomeli, L. Zettlemoyer, N. Cancedda, and T. Scialom, Toolformer: Language models can teach themselves to use tools (2023), 2302.04761

    Pith/arXiv arXiv 2023

  33. [33]

    S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. Narasimhan, and Y. Cao, React: Synergizing reasoning and acting in language models (2023), 2210.03629

    Pith/arXiv arXiv 2023

  34. [34]

    S. G. Patil, T. Zhang, X. Wang, and J. E. Gonzalez, Gorilla: Large language model connected with massive apis (2024), 2305.15334

    Pith/arXiv arXiv 2024

  35. [35]

    Z. Xi, W. Chen, X. Guo, W. He, Y. Ding, B. Hong, M. Zhang, J. Wang, S. Jin, E. Zhou, R. Zheng, X. Fan, X. Wang, L. Xiong, Y. Zhou, W. Wang, C. Jiang, Y. Zou, X. Liu, Z. Yin, S. Dou, R. Weng, W. Cheng, Q. Zhang, W. Qin, Y. Zheng, X. Qiu, X. Huang, and T. Gui, Sci. China Inf. Sci.68, 121101 (2025)

    2025

  36. [36]

    L. Qi, E. C. Reed, and K. R. Brown, Phys. Rev. A108, 013108 (2023)

    2023

  37. [37]

    E. C. Reed, L. Qi, and K. R. Brown, Phys. Rev. A110, 013123 (2024)

    2024

  38. [38]

    L. Qi, E. C. Reed, B. Yu, and K. R. Brown, Experi- mental evidence for dipole-phonon quantum logic in a trapped calcium monoxide and calcium ion chain (2024), 2411.07137

    arXiv 2024

  39. [39]

    R. T. Birge, Phys. Rev.40, 207 (1932)

    1932

  40. [40]

    Navaset al.(Particle Data Group), Phys

    S. Navaset al.(Particle Data Group), Phys. Rev. D110, 030001 (2024)

    2024

  41. [41]

    D’Agostini, On a curious bias arising when the p χ2/ν scaling prescription is first applied to a sub-sample of the individual results (2020), 2001.07562

    G. D’Agostini, On a curious bias arising when the p χ2/ν scaling prescription is first applied to a sub-sample of the individual results (2020), 2001.07562

    arXiv 2020