ICAN-Deploy is introduced as a middleware solution to maintain cryptographic identity during canary deployments of embodied agents, addressing the issue of re-certification requirements caused by identity drift in standard canary controllers. It achieves this by decoupling capability names (hashed) from capability versions (mutable), ensuring the agent's identity remains constant throughout the canary window. The approach is formally verified and empirically validated with a Franka Panda arm in MuJoCo, demonstrating zero identity drift and low entry latency.
Decoupling capability names from versions lets you continuously deploy new robot skills without re-certifying the robot's core identity.
Canary deployment routes a fraction of traffic to a new software version, monitors metrics, and rolls back on regression. Mainstream controllers (Argo Rollouts, Spinnaker, Flagger) change the deployed system's cryptographic identity during the canary window. The drift is harmless for stateless microservices but breaks the claim that "the agent you certified is still the agent you have" for safety-critical embodied agents, forcing re-certification per canary. We present ICAN-Deploy (Identity-stable CANary Deployment), a middleware construction whose state machine holds the identity hash invariant across the canary window by separating capability names (frozen, hashed) from capability versions (mutable runtime state). We implement ICAN-Deploy inside a runtime governance layer for LLM-driven robots and verify invariance by closed-form proof, AST lint, and TLA+ model-checking, then corroborate over N=100 real canary cycles on a Franka Panda arm in MuJoCo (zero drift; entry latency 95% BCa CI [1.52, 2.01] ms). A feature-flagged strawman that folds versions into the manifest falsifies on the same workload. A system certified once at identity-creation time can then ship arbitrary capability evolution under that same certification, within the version-and-name envelope.
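The name/version split described in the abstract, as an added sketch that is not the ICAN-Deploy implementation: the identity hash covers only the frozen capability names, while a strawman hash that folds versions into the manifest drifts during the same canary cycle. The class and function names, the SHA-256 choice, and the sample capabilities are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

def _sha256(obj):
    # Assumption: SHA-256 over canonical JSON; the page does not name the hash.
    return hashlib.sha256(json.dumps(obj, separators=(",", ":")).encode()).hexdigest()

def identity_hash(names):
    """Identity covers capability names only (frozen at certification)."""
    return _sha256(sorted(names))

def strawman_hash(versions):
    """Strawman: name->version pairs folded into the hashed manifest."""
    return _sha256(sorted(versions.items()))

@dataclass
class CanaryAgent:
    names: frozenset                            # hashed, never mutated
    stable: dict                                # name -> serving version
    canary: dict = field(default_factory=dict)  # name -> version on trial

    def enter(self, name, version):
        if name not in self.names:  # a new name would change the identity
            raise KeyError(f"{name!r} is outside the certified name set")
        self.canary[name] = version

    def promote(self, name):
        self.stable[name] = self.canary.pop(name)

    def rollback(self, name):
        self.canary.pop(name)

def run_cycle(agent, name, version, healthy):
    """Run one canary cycle; return both hashes before, during and after."""
    ids, straw = [], []
    def snap():
        ids.append(identity_hash(agent.names))
        straw.append(strawman_hash({**agent.stable, **agent.canary}))
    snap()
    agent.enter(name, version)
    snap()
    (agent.promote if healthy else agent.rollback)(name)
    snap()
    return ids, straw

def new_agent():  # constructed sample capabilities and versions
    return CanaryAgent(frozenset({"grasp", "move_to"}), {"grasp": "1.0.0", "move_to": "2.3.1"})
```

Calling `run_cycle(new_agent(), "grasp", "1.1.0", healthy=True)` returns three identical identity hashes and a strawman hash that changes on canary entry; a version can only be staged for a name already in the certified set.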