we rely on this separation for our agents. the llm outputs a declarative json plan that gets validated against security policies before the runtime executes any side effects. catching a bad command during validation is way cheaper than rolling back a container.