Every candidate action passes through the validation envelope before execution. Confidence is composed from sensor reliability, scene quality, memory consistency, and policy fit. Below threshold, no action leaves the runtime.
Confidence is a weighted sum: sensor reliability Cs, memory consistency Cm, temporal stability Ct, human policy fit Ch. Action emits only when Cv ≥ τ. Below threshold, the runtime yields a no-op + diagnostic.
Live per-stream confidence — calibration, occlusion, exposure.
Are the cited objects/events actually in the Scene Contract? No hallucinated entities.
Persistence checks — did the evidence hold over the window?
Compared to recent history — anomaly or routine?
Configured rules — restricted actions, allowed zones, escalation gates.
Constrained vocabulary, schema-enforced output, no free-form action text.
Reversibility, audit log, replay envelope archived per decision.
Every decision keeps its full envelope — scene + reasoning + confidence + policy. Reviewable in dashboards.
Reasoning produces candidates. Validation decides whether they leave the runtime.