{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:BLJKZC7VXITEIB4CCHRAZLRJ2D","short_pith_number":"pith:BLJKZC7V","canonical_record":{"source":{"id":"2605.14290","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T02:48:57Z","cross_cats_sorted":["cs.AI","cs.CL","cs.SE"],"title_canon_sha256":"ca4debe7f05ce0be949c1538d13a1f17a7695bb450c059ea2057b72093894b19","abstract_canon_sha256":"aa080c96474c2c77bc98109b6e72ab2a8c429ad8f35e58432cff3b5f39144891"},"schema_version":"1.0"},"canonical_sha256":"0ad2ac8bf5ba2644078211e20cae29d0f98df4def5ea37c34b749bf1c57f3dcd","source":{"kind":"arxiv","id":"2605.14290","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.14290","created_at":"2026-05-17T23:39:10Z"},{"alias_kind":"arxiv_version","alias_value":"2605.14290v1","created_at":"2026-05-17T23:39:10Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.14290","created_at":"2026-05-17T23:39:10Z"},{"alias_kind":"pith_short_12","alias_value":"BLJKZC7VXITE","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"BLJKZC7VXITEIB4C","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"BLJKZC7V","created_at":"2026-05-18T12:33:37Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:BLJKZC7VXITEIB4CCHRAZLRJ2D","target":"record","payload":{"canonical_record":{"source":{"id":"2605.14290","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T02:48:57Z","cross_cats_sorted":["cs.AI","cs.CL","cs.SE"],"title_canon_sha256":"ca4debe7f05ce0be949c1538d13a1f17a7695bb450c059ea2057b72093894b19","abstract_canon_sha256":"aa080c96474c2c77bc98109b6e72ab2a8c429ad8f35e58432cff3b5f39144891"},"schema_version":"1.0"},"canonical_sha256":"0ad2ac8bf5ba2644078211e20cae29d0f98df4def5ea37c34b749bf1c57f3dcd","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:39:10.205937Z","signature_b64":"eG2xOND0k5xvvUeBlzKrD2Jj3M10bosipv0Wwd/VqUDlNdzuNu1O+d0a5simlJDR71H/vHhWS6ynBv51O343CQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"0ad2ac8bf5ba2644078211e20cae29d0f98df4def5ea37c34b749bf1c57f3dcd","last_reissued_at":"2026-05-17T23:39:10.205401Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:39:10.205401Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2605.14290","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:39:10Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"QhvFWJo95kJkU9jiz+hEmrvDLlChRiU3YsSZkAfBB3Ou+zDBKS1nwCTRs7u1JXmL07IDvv6saeKVMSQMDEqEAw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-25T14:23:54.411866Z"},"content_sha256":"4b11d610a59bac1eefbcddf26a1d804fe11ed9b51e90713b694a95aa79bc0e10","schema_version":"1.0","event_id":"sha256:4b11d610a59bac1eefbcddf26a1d804fe11ed9b51e90713b694a95aa79bc0e10"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:BLJKZC7VXITEIB4CCHRAZLRJ2D","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Web Agents Should Adopt the Plan-Then-Execute Paradigm","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Web agents should commit to a task-specific program before observing runtime web content.","cross_cats":["cs.AI","cs.CL","cs.SE"],"primary_cat":"cs.CR","authors_text":"Annabella Chow, David Wagner, Jinhao Zhu, Julien Piet, Muxi Lyu, Raluca Ada Popa, Sylvie Venuto, Yiwei Hou","submitted_at":"2026-05-14T02:48:57Z","abstract_excerpt":"ReAct has become the default architecture across LLM agents, and many existing web agents follow this paradigm. We argue that it is the wrong default for web agents. Instead, web agents should default to plan-then-execute: commit to a task-specific program before observing runtime web content, then execute it. The reason is that web content mixes inputs from many parties. An e-commerce product page may combine a seller's listing, customer reviews and sponsored advertisements. Under ReAct, all of this content flows into the model when deciding on the next action, creating a direct path for prom"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"web agents should default to plan-then-execute: commit to a task-specific program before observing runtime web content, then execute it. The reason is that web content mixes inputs from many parties.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That web tasks do not require reactivity by default and that tools can be made to map cleanly to semantic actions with effects known before execution.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Web agents should default to planning a complete task program before observing live web content to reduce prompt injection exposure, since WebArena tasks are compatible and 80% need no runtime LLM calls.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Web agents should commit to a task-specific program before observing runtime web content.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"2e1de3d351976701c0ce516ffa0f6711fc85587a3a7b85700692965330c713a0"},"source":{"id":"2605.14290","kind":"arxiv","version":1},"verdict":{"id":"407d6aac-b371-462b-98f5-00a81a1847fa","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T02:39:54.993875Z","strongest_claim":"web agents should default to plan-then-execute: commit to a task-specific program before observing runtime web content, then execute it. The reason is that web content mixes inputs from many parties.","one_line_summary":"Web agents should default to planning a complete task program before observing live web content to reduce prompt injection exposure, since WebArena tasks are compatible and 80% need no runtime LLM calls.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That web tasks do not require reactivity by default and that tools can be made to map cleanly to semantic actions with effects known before execution.","pith_extraction_headline":"Web agents should commit to a task-specific program before observing runtime web content."},"references":{"count":41,"sample":[{"doi":"","year":2025,"title":"IPIGuard: A novel tool dependency graph-based defense against indirect prompt injection in LLM agents.arXiv preprint arXiv:2508.15310, 2025","work_id":"e52e49b8-5458-4d9f-b54f-6183b61c74df","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2026,"title":"Claude code auto mode: a safer way to skip permissions","work_id":"edc119d2-0d1b-4450-a675-fd0641ca522b","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2025,"title":"Design Patterns for Securing LLM Agents against Prompt Injections","work_id":"70848d7e-8598-47ff-8b1a-58f3b3bd25a0","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"StruQ: Defending Against Prompt Injection with Structured Queries","work_id":"5e57b942-26b0-4859-8393-c0fa2c2ad65b","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"SecAlign: Defending Against Prompt Injection with Preference Optimization","work_id":"ee1040df-3911-42c9-b921-8e69093f4f74","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":41,"snapshot_sha256":"ea687b204a572be1702be6d1e8c6371bb8c65e93f6459ed8146dd6a075442bc7","internal_anchors":12},"formal_canon":{"evidence_count":2,"snapshot_sha256":"734bbdf4a4fba6269a0346f0157455b44fec8d244388656b05e953464f88e33a"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"407d6aac-b371-462b-98f5-00a81a1847fa"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:39:10Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"BCetRf17Fb72xyLiFxUnS5B4YyG5B1ppZhRbS5JEfsshXwguodCQcddUIlcu2Dqx7u7mRSF1wm2Fa8SLcOnUBg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-25T14:23:54.412726Z"},"content_sha256":"2b402d3837eaaac9a8938fffa8e7c9a818c67432de90155ffd00b4ba503e33a4","schema_version":"1.0","event_id":"sha256:2b402d3837eaaac9a8938fffa8e7c9a818c67432de90155ffd00b4ba503e33a4"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/BLJKZC7VXITEIB4CCHRAZLRJ2D/bundle.json","state_url":"https://pith.science/pith/BLJKZC7VXITEIB4CCHRAZLRJ2D/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/BLJKZC7VXITEIB4CCHRAZLRJ2D/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-25T14:23:54Z","links":{"resolver":"https://pith.science/pith/BLJKZC7VXITEIB4CCHRAZLRJ2D","bundle":"https://pith.science/pith/BLJKZC7VXITEIB4CCHRAZLRJ2D/bundle.json","state":"https://pith.science/pith/BLJKZC7VXITEIB4CCHRAZLRJ2D/state.json","well_known_bundle":"https://pith.science/.well-known/pith/BLJKZC7VXITEIB4CCHRAZLRJ2D/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:BLJKZC7VXITEIB4CCHRAZLRJ2D","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"aa080c96474c2c77bc98109b6e72ab2a8c429ad8f35e58432cff3b5f39144891","cross_cats_sorted":["cs.AI","cs.CL","cs.SE"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T02:48:57Z","title_canon_sha256":"ca4debe7f05ce0be949c1538d13a1f17a7695bb450c059ea2057b72093894b19"},"schema_version":"1.0","source":{"id":"2605.14290","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.14290","created_at":"2026-05-17T23:39:10Z"},{"alias_kind":"arxiv_version","alias_value":"2605.14290v1","created_at":"2026-05-17T23:39:10Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.14290","created_at":"2026-05-17T23:39:10Z"},{"alias_kind":"pith_short_12","alias_value":"BLJKZC7VXITE","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"BLJKZC7VXITEIB4C","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"BLJKZC7V","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:2b402d3837eaaac9a8938fffa8e7c9a818c67432de90155ffd00b4ba503e33a4","target":"graph","created_at":"2026-05-17T23:39:10Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"web agents should default to plan-then-execute: commit to a task-specific program before observing runtime web content, then execute it. The reason is that web content mixes inputs from many parties."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That web tasks do not require reactivity by default and that tools can be made to map cleanly to semantic actions with effects known before execution."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Web agents should default to planning a complete task program before observing live web content to reduce prompt injection exposure, since WebArena tasks are compatible and 80% need no runtime LLM calls."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"Web agents should commit to a task-specific program before observing runtime web content."}],"snapshot_sha256":"2e1de3d351976701c0ce516ffa0f6711fc85587a3a7b85700692965330c713a0"},"formal_canon":{"evidence_count":2,"snapshot_sha256":"734bbdf4a4fba6269a0346f0157455b44fec8d244388656b05e953464f88e33a"},"paper":{"abstract_excerpt":"ReAct has become the default architecture across LLM agents, and many existing web agents follow this paradigm. We argue that it is the wrong default for web agents. Instead, web agents should default to plan-then-execute: commit to a task-specific program before observing runtime web content, then execute it. The reason is that web content mixes inputs from many parties. An e-commerce product page may combine a seller's listing, customer reviews and sponsored advertisements. Under ReAct, all of this content flows into the model when deciding on the next action, creating a direct path for prom","authors_text":"Annabella Chow, David Wagner, Jinhao Zhu, Julien Piet, Muxi Lyu, Raluca Ada Popa, Sylvie Venuto, Yiwei Hou","cross_cats":["cs.AI","cs.CL","cs.SE"],"headline":"Web agents should commit to a task-specific program before observing runtime web content.","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T02:48:57Z","title":"Web Agents Should Adopt the Plan-Then-Execute Paradigm"},"references":{"count":41,"internal_anchors":12,"resolved_work":41,"sample":[{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":1,"title":"IPIGuard: A novel tool dependency graph-based defense against indirect prompt injection in LLM agents.arXiv preprint arXiv:2508.15310, 2025","work_id":"e52e49b8-5458-4d9f-b54f-6183b61c74df","year":2025},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":2,"title":"Claude code auto mode: a safer way to skip permissions","work_id":"edc119d2-0d1b-4450-a675-fd0641ca522b","year":2026},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":3,"title":"Design Patterns for Securing LLM Agents against Prompt Injections","work_id":"70848d7e-8598-47ff-8b1a-58f3b3bd25a0","year":2025},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":4,"title":"StruQ: Defending Against Prompt Injection with Structured Queries","work_id":"5e57b942-26b0-4859-8393-c0fa2c2ad65b","year":2024},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":"SecAlign: Defending Against Prompt Injection with Preference Optimization","work_id":"ee1040df-3911-42c9-b921-8e69093f4f74","year":2024}],"snapshot_sha256":"ea687b204a572be1702be6d1e8c6371bb8c65e93f6459ed8146dd6a075442bc7"},"source":{"id":"2605.14290","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-15T02:39:54.993875Z","id":"407d6aac-b371-462b-98f5-00a81a1847fa","model_set":{"reader":"grok-4.3"},"one_line_summary":"Web agents should default to planning a complete task program before observing live web content to reduce prompt injection exposure, since WebArena tasks are compatible and 80% need no runtime LLM calls.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"Web agents should commit to a task-specific program before observing runtime web content.","strongest_claim":"web agents should default to plan-then-execute: commit to a task-specific program before observing runtime web content, then execute it. The reason is that web content mixes inputs from many parties.","weakest_assumption":"That web tasks do not require reactivity by default and that tools can be made to map cleanly to semantic actions with effects known before execution."}},"verdict_id":"407d6aac-b371-462b-98f5-00a81a1847fa"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:4b11d610a59bac1eefbcddf26a1d804fe11ed9b51e90713b694a95aa79bc0e10","target":"record","created_at":"2026-05-17T23:39:10Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"aa080c96474c2c77bc98109b6e72ab2a8c429ad8f35e58432cff3b5f39144891","cross_cats_sorted":["cs.AI","cs.CL","cs.SE"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T02:48:57Z","title_canon_sha256":"ca4debe7f05ce0be949c1538d13a1f17a7695bb450c059ea2057b72093894b19"},"schema_version":"1.0","source":{"id":"2605.14290","kind":"arxiv","version":1}},"canonical_sha256":"0ad2ac8bf5ba2644078211e20cae29d0f98df4def5ea37c34b749bf1c57f3dcd","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"0ad2ac8bf5ba2644078211e20cae29d0f98df4def5ea37c34b749bf1c57f3dcd","first_computed_at":"2026-05-17T23:39:10.205401Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:39:10.205401Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"eG2xOND0k5xvvUeBlzKrD2Jj3M10bosipv0Wwd/VqUDlNdzuNu1O+d0a5simlJDR71H/vHhWS6ynBv51O343CQ==","signature_status":"signed_v1","signed_at":"2026-05-17T23:39:10.205937Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.14290","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:4b11d610a59bac1eefbcddf26a1d804fe11ed9b51e90713b694a95aa79bc0e10","sha256:2b402d3837eaaac9a8938fffa8e7c9a818c67432de90155ffd00b4ba503e33a4"],"state_sha256":"aa9c0019a09b8ef215dafa723d03cf6cf9bfb88106cef6782bcd3f7fa9e71cd8"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"Pv9hQ4tQXmSsHgIhNJApuN2k6zSDdEQxEW0OxHVnooIlio2K8A0Z63SCsRsQ9CQoqX5swXDoel2U1XH41980CA==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-25T14:23:54.417687Z","bundle_sha256":"c553d075407b162e659c6c5fbf460e6c552f92b3ad6fb6e873364c4220da5aa8"}}