(* Goal verification framework - Actions *) \ \This theory sets up the concepts of agents, actions, transitions and traces. We extend the language for mental state formulas with enabledness of actions. We provide its syntax, semantics and a sound proof system.\ theory Gvf_Actions imports Gvf_Mental_States begin section \Actions\ \ \The identifier for basic actions is a natural number.\ type_synonym Bcap = nat \ \Agent capability is a basic capability, adopt or drop (the latter two are built into GOAL).\ datatype cap = basic Bcap | adopt (cget: \\<^sub>L) | drop (cget: \\<^sub>L) \ \Auxiliary function.\ fun is_drop :: \cap \ bool\ where \is_drop (drop _) = True\ | \is_drop _ = False\ \ \Type for conditional action that is a pair: a condition on the mental state and a basic action.\ type_synonym cond_act = \\\<^sub>M \ cap\ \ \Atoms are extended with enabled for basic/conditional actions.\ datatype Atoms\<^sub>E = Bl \\<^sub>L | Gl \\<^sub>L | enabled_basic cap | enabled_cond cond_act \ \The simple type theory makes it less delicate to extend types, so we redefine the belief and goal operators while adding two new options: one for basic and one for conditional actions.\ \ \The type for mental state formulas concerning enabledness.\ type_synonym \\<^sub>E = \Atoms\<^sub>E \\<^sub>P\ \ \Introducing some notation.\ syntax "_G" :: \\\<^sub>L \ \\<^sub>E\ (\G _\ 55) "_B" :: \\\<^sub>L \ \\<^sub>E\ (\B _\ 55) "_enabled_basic" :: \Atoms\<^sub>E \ \\<^sub>E\ (\enabledb _\ 55) "_enabled_cond" :: \Atoms\<^sub>E \ \\<^sub>E\ (\enabled _\ 55) "_cond_act" :: \\\<^sub>M \ cap \ \\<^sub>M \ cap\ (\_ \ do _\) translations "enabledb c" \ "(Gvf_Logic.Atom (Atoms\<^sub>E.enabled_basic c))" "enabled c" \ "(Gvf_Logic.Atom (Atoms\<^sub>E.enabled_cond c))" "\ \ do a" \ "(\, a)" section \Semantics of GOAL\ \ \The type for the function \ that gives the agent's belief update capabilities.\ type_synonym bel_upd_t = \Bcap \ mental_state \ \\<^sub>L set option\ \ \We replace notion of undefined (from paper) with an optional value, i.e. \ a \ = None means that basic action a is not defined for \. We further assume that the goal base (entire mental state) is added to the input.\ \ \The mental state transformer gives the agent's mental state update capabilities.\ fun mental_state_transformer :: \bel_upd_t \ cap \ mental_state \ mental_state option\ (\\*\) where \ \If \ a \ is defined, update the goal base accordingly.\ \\* \ (basic n) (\, \) = (case \ n (\, \) of Some \' \ Some (\', \ - {\ \ \. \' \\<^sub>L \}) | _ \ None)\ | \ \Remove the goals that entail \.\ \\* \ (drop \) (\, \) = Some (\, \ - {\ \ \. {\} \\<^sub>L \})\ | \ \Add the goal \ if it is consistent and not entailed by the belief base.\ \\* \ (adopt \) (\, \) = (if \ {} \\<^sub>L \<^bold>\ \ \ \ \ \\<^sub>L \ then Some (\, \ \ {\}) else None)\ \ \We fix to a single agent and assume a given belief update function, a set of conditional actions and an initial state.\ locale single_agent = fixes \ :: bel_upd_t and \ :: \cond_act set\ and M\<^sub>0 :: mental_state assumes \ \Non-empty set of conditional actions and initial state is a mental state.\ is_agent: \\ \ {} \ \ M\<^sub>0\ and \ \\ preserves consistency.\ \_consistent: \(\\. (\, basic a) \ \) \ \ \ \\<^sub>L \\<^sub>L \ \ a (\, \) \ None \ \ the (\ a (\, \)) \\<^sub>L \\<^sub>L\ and \ \\ only for defined actions.\ \_in_domain: \\ a (\, \) \ None \ (\\. (\, basic a) \ \)\ \ \Working in the context of single_agent, means that we can base definitions, proofs etc. around fixed variables for which a number of assumptions apply. For a specific agent, we need to prove that the assumptions apply for the given input variables. By doing so, we get immediate access to everything defined within the single_agent context.\ context single_agent begin \ \Basic capabilities derived from the set of conditional actions.\ definition Cap :: \Bcap set\ where \Cap \ { a. \\. (\, (basic a)) \ \ }\ \ \We assume that a basic capability is represented by at least one conditional action.\ \ \Define mental state transformer local to the agent.\ abbreviation \\ a M \ \* \ a M\ \ \Examples.\ lemma assumes \\ n ({P}, {Q}) = Some {P, Q}\ shows \\ (basic n) ({P}, {Q}) = Some ({P, Q}, {})\ using assms by simp lemma \\ (drop \\<^sub>L) ({}, {P, Q}) = Some ({}, {})\ by simp lemma assumes \\ {} \\<^sub>L \<^bold>\ Q\ and \\ {} \\<^sub>L Q\ shows \\ (adopt Q) ({}, {P}) = Some ({}, {P, Q})\ proof - have \\ (adopt Q) ({}, {P}) = Some ({}, {P} \ {Q})\ using assms by simp then show ?thesis by auto qed \ \The mental state transformer is only defined for actions of \.\ lemma \_some_in_\: assumes \\ (basic n) M \ None\ shows \\\. (\, basic n) \ \\ proof (cases M) case (Pair \ \) with assms obtain \' \' where someM: \\ (basic n) (\, \) = Some (\', \')\ by auto then have \\ n (\, \) = Some \'\ proof (cases \\ n (\, \)\) case None then have \\ (basic n) (\, \) = None\ by simp with someM show ?thesis by simp next case (Some \'') moreover have \fst (the (\ (basic n) (\, \))) = \''\ using Some by simp moreover have \fst (the (\ (basic n) (\, \))) = \'\ using someM by simp ultimately show ?thesis by simp qed with \_in_domain show ?thesis by blast qed \ \The mental state transformer is only defined for basic capabilities of Cap.\ lemma \_some_Cap: assumes \\ (basic a) M \ None\ shows \a \ Cap\ using assms \_some_in_\ Cap_def by auto \ \Mental state transformer preserves properties of mental states (when \ preserves consistency).\ lemma \_preserves_mst: \\ (\, \) \ \ c (\, \) \ None \ \ (the (\ c (\, \)))\ proof (induct c) case basic: (basic a) then obtain \' where \': \\ a (\, \) = Some \'\ by fastforce have \\ (\', \ - {\ \ \. \' \\<^sub>L \})\ (is \\ (\', ?\')\) proof - have \\ \' \\<^sub>L \\<^sub>L\ proof - from basic(1) have \\ \ \\<^sub>L \\<^sub>L\ unfolding is_mental_state_def by simp moreover have \\\. (\, basic a) \ \\ using \_some_in_\ basic.prems(2) by blast ultimately have \\ the (\ a (\, \)) \\<^sub>L \\<^sub>L\ using \' \_consistent basic(2) by blast with \' show ?thesis by simp qed moreover from basic(1) have \\\\?\'. \ \ \\<^sub>L \ \ \ {} \\<^sub>L \<^bold>\ \\ unfolding is_mental_state_def by simp ultimately show ?thesis unfolding is_mental_state_def by simp qed with \' show ?case by simp next case adopt: (adopt \) with mental_state_transformer.simps(3) have mst_goal: \\ {} \\<^sub>L \<^bold>\ \ \ \ \ \\<^sub>L \\ by metis with adopt(1) have \\ (\, \ \ {\})\ unfolding is_mental_state_def by simp with mst_goal show ?case by simp next case (drop \) then have \\ (\, \ - {\ \ \. {\} \\<^sub>L \})\ unfolding is_mental_state_def by simp then show ?case by simp qed section \Traces\ \ \Transition relation between states due to an action.\ definition transition :: \mental_state \ cond_act \ mental_state \ bool\ (\_ \_ _\) where \M \b M' \ let (\, a) = b in b \ \ \ M \\<^sub>M \ \ \ a M = Some M'\ \ \If b is a conditional action, and the condition true in M, then there is possible transition between M and M' where M' is the result of applying \ for a to M.\ \ \Chain of transitions (computation steps) gives the computation relation.\ inductive computation :: \mental_state \ mental_state \ bool\ (\_ \* _\) where \ \The base step from the initial mental state.\ basis: \M\<^sub>0 \b M' \ M\<^sub>0 \* M'\ | \ \Inductive step from an existing computation given a transition.\ step: \M \* M' \ M' \b M'' \ M \* M''\ \ \Example\ lemma \M\<^sub>0 \a M\<^sub>1 \ M\<^sub>1 \b M\<^sub>2 \ M\<^sub>0 \* M\<^sub>2\ using basis step by blast \ \Traces are infinite structures.\ codatatype trace = Trace mental_state \cond_act \ trace\ \ \trace := mental state, conditional action, trace\ \ \Example.\ value \Trace M\<^sub>0 (a, (Trace M\<^sub>1 (b, (Trace M\<^sub>2 X))))\ \ \Retrieve the nth conditional action of the trace.\ fun act_nth :: \trace \ nat \ cond_act\ where \act_nth (Trace _ (b, _)) 0 = b\ | \act_nth (Trace _ (_, S)) n = act_nth S (n-1)\ \ \Example.\ lemma \b = act_nth (Trace M\<^sub>0 (a, (Trace M\<^sub>1 (b, (Trace M\<^sub>2 X))))) 1\ by simp \ \Retrieve the nth mental state of the trace.\ fun st_nth :: \trace \ nat \ mental_state\ where \st_nth (Trace M (_, _)) 0 = M\ | \st_nth (Trace _ (_, S)) n = st_nth S (n-1)\ \ \Example.\ lemma \M\<^sub>1 = st_nth (Trace M\<^sub>0 (a, (Trace M\<^sub>1 (b, (Trace M\<^sub>2 X))))) 1\ by simp \ \if (\, a) is the ith conditional action of trace s, then the first value of (act_nth s i) is \. This is intuitively easy to see, but pattern matching using equality can be problematic.\ lemma fst_act_nth: \(\, a) = act_nth s i \ fst (act_nth s i) = \\ by (metis fstI) \ \The same as above but for the second value.\ lemma snd_act_nth: \(\, a) = act_nth s i \ snd (act_nth s i) = a\ by (metis sndI) \ \The definition of a trace (not every element of the datatype trace qualifies).\ definition is_trace :: \trace \ bool\ where \is_trace s \ \i. (let (M, M', (\, a)) = (st_nth s i, st_nth s (i+1), act_nth s i) in (\, a) \ \ \ ((M \(\, a) M') \ \ a M = None \ M = M'))\ \ \For all i there is a transition between M_i and M_(i+1) due to an action, or the action is not enabled and the successor state (M_(i+1)) is equal to the current (M_i).\ \ \The nth conditional action of a trace is in \.\ lemma trace_in_\: assumes \is_trace s\ shows \\i. (act_nth s i) \ \\ proof fix i let ?M = \st_nth s i\ and ?M' = \st_nth s (i+1)\ from assms(1) have \let (\, a) = (act_nth s i) in (\, a) \ \ \ ((?M \(\, a) ?M') \ \ a ?M = None \ ?M = ?M')\ unfolding is_trace_def by simp then have \let (\, a) = (act_nth s i) in (\, a) \ \\ by auto then show \(act_nth s i) \ \\ by simp qed \ \If there is no transition between a state and its successor in a trace, they must be equal.\ lemma not_transition_eq: assumes \is_trace s\ shows \\((st_nth s i) \(act_nth s i) (st_nth s (i+1))) \ (st_nth s i) = (st_nth s (i+1))\ (is \\(?M \?b ?M') \ ?M = ?M'\) proof assume \\(?M \?b ?M')\ moreover from assms have \let (\, a) = act_nth s i in (\, a) \ \ \ ((?M \(\, a) ?M') \ \ a ?M = None \ ?M = ?M')\ unfolding is_trace_def by simp ultimately have \let (\, a) = act_nth s i in (\, a) \ \ \ \ a ?M = None \ ?M = ?M'\ by auto then show \?M = ?M'\ by auto qed \ \A fair trace ensures that there always is a future point where an actions is scheduled.\ definition fair_trace :: \trace \ bool\ where \fair_trace s \ \ b \ \ . \i . \ j > i. act_nth s j = b\ \ \An agent is defined as the set of fair traces starting from the initial state.\ definition Agent :: \trace set\ where \Agent \ {s . is_trace s \ fair_trace s \ st_nth s 0 = M\<^sub>0}\ \ \If the mental state transformer is defined for a state in the trace, then it gives the successor state.\ lemma \_suc_state: assumes \s \ Agent\ and \(\, a) = act_nth s i\ and \\ a (st_nth s i) \ None\ shows \st_nth s (i+1) = the (\ a (st_nth s i))\ (is \?M' = the (\ a ?M)\) proof - from assms(1) have \is_trace s\ unfolding Agent_def by simp then have \let (M, M', (\, a)) = (?M, ?M', act_nth s i) in (\, a) \ \ \ ((M \(\, a) M') \ \ a M = None \ M = M')\ unfolding is_trace_def by simp with assms(2) have \(?M \(\, a) ?M') \ \ a ?M = None \ ?M = ?M'\ by auto with assms(3) have \?M \(\, a) ?M'\ by auto then show ?thesis unfolding transition_def by simp qed \ \All states in trace comply to mental state definition.\ lemma is_mst_trace: assumes \s \ Agent\ shows \\ (st_nth s n)\ proof (induct n) case 0 with assms show ?case using is_agent unfolding Agent_def by simp next case (Suc n) let ?M = \st_nth s n\ and ?M' = \st_nth s (Suc n)\ and ?b = \act_nth s n\ have trace_n: \(?M \?b ?M') \ \ (snd ?b) ?M = None \ ?M = ?M'\ proof - from assms(1) have \is_trace s\ unfolding Agent_def by simp then have \let (\, a) = ?b in (\, a) \ \ \ ((?M \(\, a) ?M') \ \ a ?M = None \ ?M = ?M')\ unfolding is_trace_def by simp then show ?thesis by auto qed then show ?case proof (cases \\ (snd ?b) ?M = None\) case True with Suc trace_n show ?thesis unfolding transition_def by auto next case False with \_preserves_mst have \\ (the (\ (snd ?b) ?M))\ using Suc by (cases ?M) simp with \_suc_state trace_n show ?thesis using assms False unfolding Agent_def by (metis (no_types, lifting) Suc_eq_plus1 prod.collapse) qed qed section \Derivability\ \ \Auxiliary function that converts mental state formulas to the type including enabledness.\ fun to_\\<^sub>E :: \\\<^sub>M \ \\<^sub>E\ (\_\<^sup>E\) where \(Atom (Atoms\<^sub>M.Bl \))\<^sup>E = Atom (Bl \)\ | \(Atom (Atoms\<^sub>M.Gl \))\<^sup>E = Atom (Gl \)\ | \(\<^bold>\ \)\<^sup>E = \<^bold>\ (\\<^sup>E)\ | \(\\<^sub>1 \<^bold>\ \\<^sub>2)\<^sup>E = (\\<^sub>1\<^sup>E) \<^bold>\ (\\<^sub>2\<^sup>E)\ | \(\\<^sub>1 \<^bold>\ \\<^sub>2)\<^sup>E = (\\<^sub>1\<^sup>E) \<^bold>\ (\\<^sub>2\<^sup>E)\ | \(\\<^sub>1 \<^bold>\ \\<^sub>2)\<^sup>E = (\\<^sub>1\<^sup>E) \<^bold>\ (\\<^sub>2\<^sup>E)\ \ \Truth of enabledness (semantics).\ fun semantics\<^sub>E' :: \mental_state \ Atoms\<^sub>E \ bool\ where \ \Semantics of B and G are the same as for mental state formulas without enabled.\ \semantics\<^sub>E' M (Bl \) = semantics\<^sub>M' M (Atoms\<^sub>M.Bl \)\ | \semantics\<^sub>E' M (Gl \) = semantics\<^sub>M' M (Atoms\<^sub>M.Gl \)\ | \ \a is defined for the action and \ a is defined for M.\ \semantics\<^sub>E' M (enabled_basic a) = (\ a M \ None)\ | \ \Conditional action b is enabled if there exists a transition from M to M' using b for some M'.\ \semantics\<^sub>E' M (enabled_cond b) = (\M'. (M \b M'))\ \ \Semantics of atoms with enabled can be seen as an interpretation given a mental state.\ abbreviation semantics\<^sub>E :: \mental_state \ \\<^sub>E \ bool\ (infix \\\<^sub>E\ 50) where \M \\<^sub>E \ \ semantics\<^sub>P (semantics\<^sub>E' M) \\ \ \Example.\ lemma \(M\<^sub>0 \b M\<^sub>1) \ M\<^sub>0 \\<^sub>E enabled b\ proof - assume \M\<^sub>0 \b M\<^sub>1\ then have \\M'. (M\<^sub>0 \b M')\ by blast then show \M\<^sub>0 \\<^sub>E enabled b\ by simp qed \ \Proof system.\ inductive provable\<^sub>E :: \\\<^sub>E \ bool\ (\\\<^sub>E _\ 40) where \ \Derive classical tautologies.\ R1: \\\<^sub>P \ \ \\<^sub>E \\ | \ \Properties of beliefs and goals. Imported from proof system for mental state formulas.\ R\<^sub>M: \\\<^sub>M \ \ \\<^sub>E (\\<^sup>E)\ | \ \Properties of enabled.\ E1: \\\<^sub>P \ \ \\<^sub>E (enabledb a) \ (\ \ do a) \ \ \ \\<^sub>E (enabled (\ \ do a))\ | E2: \\\<^sub>E (enabledb (drop \))\ | R3: \\ \\<^sub>P \<^bold>\ \ \ \\<^sub>E (\<^bold>\ ((B \)\<^sup>E) \<^bold>\ (enabledb (adopt \)))\ | R4: \\\<^sub>P (\<^bold>\ \) \ \\<^sub>E (\<^bold>\ (enabledb (adopt \)))\ | R5: \\M. \ a M \ None \ \\<^sub>E (enabledb (basic a))\ section \Soundness\ \ \The soundness theorem.\ theorem soundness\<^sub>E: assumes \\ M\ shows \\\<^sub>E \ \ M \\<^sub>E \\ proof (induct rule: provable\<^sub>E.induct) case (R1 \) with soundness\<^sub>P show ?case by fastforce next case (R\<^sub>M \) with soundness\<^sub>M have \M \\<^sub>M \\ using \\ M\ by simp moreover have \M \\<^sub>M \ = (M \\<^sub>E (\\<^sup>E))\ proof (induct \) case (Atom x) then show ?case by (cases x) simp_all qed auto ultimately show ?case by simp next case (E1 \ a) with soundness\<^sub>P have \M \\<^sub>M \\ by fastforce then show ?case proof (cases a) case (basic n) with E1.hyps(3) obtain M' where \\ a M = Some M'\ by auto with \M \\<^sub>M \\ have \M \(\ \ do a) M'\ using E1(4) unfolding transition_def by simp then have \\M'. (M \(\ \ do a) M')\ by blast then show ?thesis by simp next case (adopt \) with E1.hyps(3) obtain M' where \\ a M = Some M'\ by auto with \M \\<^sub>M \\ have \M \(\ \ do a) M'\ using E1(4) unfolding transition_def by simp then have \\M'. (M \(\ \ do a) M')\ by blast then show ?thesis by simp next case (drop \) with E1.hyps(3) obtain M' where \\ a M = Some M'\ by auto with \M \\<^sub>M \\ have \M \(\ \ do a) M'\ using E1(4) unfolding transition_def by simp then have \\M'. (M \(\ \ do a) M')\ by blast then show ?thesis by simp qed next case (E2 \) have \\ (drop \) M \ None\ using mental_state_transformer.simps(2) by (cases M) simp then show ?case by simp next case (R3 \) then show ?case by simp next case (R4 \) with soundness\<^sub>L have \\M. \ (adopt \) M = None\ by fastforce then have \\ (adopt \) M = None\ by blast then show ?case by simp next case (R5 a) have \\\ \. (\, \) \\<^sub>E Atom (enabled_basic (basic a))\ proof fix \ show \\\. (\, \) \\<^sub>E Atom (enabled_basic (basic a))\ proof fix \ from \\M. \ a M \ None\ have \\ a (\, \) \ None\ \a \ Cap\ using \_in_domain unfolding Cap_def by simp_all then show \(\, \) \\<^sub>E Atom (enabled_basic (basic a))\ by auto qed qed then have \\M. M \\<^sub>E Atom (enabled_basic (basic a))\ by simp then show ?case by blast qed \ \The semantics of a converted formula is equal to the original.\ lemma transfer_semantics\<^sub>M: \M \\<^sub>M \ \ M \\<^sub>E (\\<^sup>E)\ proof (induct \) case (Atom x) show ?case by (cases x) simp_all qed simp_all end end