Defensive by construction. Audited by default.
Velora's safety posture is not a checklist — it is the structure of the system. Every command is signed, every frame is journaled, every mode change is reviewable, and the worst case the platform can produce is a deterministic, replayable BRAKE.
Every decision is grammatical.
Velora speaks in reason codes. They are emitted by the engine that fired, carried verbatim through every layer above, and rendered to the operator. There is no opaque escalation.
- cruiselane_centre
- behaviorfollow.car.id3
- behaviorvru.person.id5
- behaviorvru.bicycle.id7
- interactionhigh.car.id3
- interactioncritical.car.id3
- ruletraffic_light.RED|conf=0.88
- rulestop_sign.near
- ruletraffic_light.YELLOW
- negotiationYIELD.tti=2.1s
- arbitrationDEADLOCK_BREAK
- safetycollision_flag
- safetylane_emergency
- safetyhand_brake
- planavoid.shift=+0.30
The doctrine in five lines.
Fail-safe by default
The default state when context is lost is a yield, not a guess. Silence is treated as an unsafe input.
Never trust a single sensor
Decisions ride on tracked, predicted, and rule-confirmed signals — not on a single-frame detection.
Always log critical decisions
Every escalation, every safety gate, every override fires a reason code into the ring journal.
Prioritise human override
The operator is a first-class citizen of the state plane. Their input is logged as another sealed slice.
Simulation before deployment
Every behaviour change must clear the canonical scenario suite before it can ship to a vehicle.
Sealed Console Entry
Enter the operator phrase to derive the session key.