ICAN-Deploy: Identity-Stable Canary Deployment for Safety-Critical Embodied Agents

📅 2026-05-27
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the challenge of repeated re-certification in traditional canary deployments for safety-critical embodied intelligent agents, which arises from changes to the system’s cryptographic identity. The authors propose ICAN-Deploy, a middleware that decouples immutable capability names—hashed to serve as stable identities—from mutable capability versions, thereby preserving identity hashes throughout the canary window and enabling, for the first time, identity-stable canary deployment. The approach integrates a state machine design, a runtime governance layer, AST-based static analysis, closed-form proofs, and TLA+ model checking to guarantee safety and correctness. Empirical validation on a Franka Panda robotic arm in MuJoCo across 100 deployments demonstrates zero identity drift, with entry latency falling within a 95% BCa confidence interval of [1.52, 2.01] milliseconds.
📝 Abstract
Canary deployment routes a fraction of traffic to a new software version, monitors metrics, and rolls back on regression. Mainstream controllers (Argo Rollouts, Spinnaker, Flagger) change the deployed system's cryptographic identity during the canary window. The drift is harmless for stateless microservices but breaks the claim that "the agent you certified is still the agent you have" for safety-critical embodied agents, forcing re-certification per canary. We present ICAN-Deploy (Identity-stable CANary Deployment), a middleware construction whose state machine holds the identity hash invariant across the canary window by separating capability names (frozen, hashed) from capability versions (mutable runtime state). We implement ICAN-Deploy inside a runtime governance layer for LLM-driven robots and verify invariance by closed-form proof, AST lint, and TLA+ model checking, then corroborate over N=100 real canary cycles on a Franka Panda arm in MuJoCo (zero drift; entry latency 95% BCa CI [1.52, 2.01] ms). A feature-flagged strawman that folds versions into the hashed manifest is falsified on the same workload: its identity drifts. A system certified once at identity-creation time can then ship arbitrary capability evolution under that same certification, within the version-and-name envelope.
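The abstract's core mechanism is that the identity hash covers only the frozen capability names, while versions live in mutable runtime state outside the hash. The following Python model is an added illustration of that separation, not code from the paper or from ICAN-Deploy itself: the capability names (grasp, move_to, release), the four-state canary machine, the JSON canonicalisation and the SHA-256 choice are all assumptions made here to keep the example self-contained. It runs 100 constructed canary cycles and records the identity at every state transition for both the name-only hash and the strawman that folds versions into the hashed manifest.

```python
"""Model of identity-stable canary deployment (added example, not the paper's code)."""
import hashlib
import json
import random
from dataclasses import dataclass, field


def identity_hash(capability_names) -> str:
    """Identity covers only the frozen capability names (sorted, canonical JSON).
    Assumed construction: the paper does not specify its hash or canonical form."""
    canon = json.dumps(sorted(capability_names), separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def manifest_hash(names, versions) -> str:
    """Strawman: versions folded into the hashed manifest, so any promotion changes it."""
    manifest = {n: versions[n] for n in sorted(names)}
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


@dataclass
class IdentityStableCanary:
    names: frozenset                  # frozen at identity-creation time
    versions: dict                    # mutable runtime state, outside the identity
    state: str = "STABLE"             # STABLE -> CANARY -> PROMOTED | ROLLED_BACK -> STABLE
    canary: tuple = None              # (capability, new_version, traffic_fraction)
    identity: str = field(init=False)

    def __post_init__(self):
        self.identity = identity_hash(self.names)

    def start(self, name, new_version, fraction):
        if self.state != "STABLE":
            raise RuntimeError(f"cannot start a canary from state {self.state}")
        if name not in self.names:
            # A new *name* would be a new identity and needs re-certification: refuse.
            raise ValueError(f"capability {name!r} is not in the certified name set")
        self.canary = (name, new_version, fraction)
        self.state = "CANARY"

    def route(self, rng):
        """Choose which version serves one request during the canary window."""
        name, new_version, fraction = self.canary
        return new_version if rng.random() < fraction else self.versions[name]

    def promote(self):
        name, new_version, _ = self.canary
        self.versions[name] = new_version   # only runtime state changes
        self.canary, self.state = None, "PROMOTED"

    def rollback(self):
        self.canary, self.state = None, "ROLLED_BACK"

    def reset(self):
        self.state = "STABLE"


def run_cycles(n_cycles=100, seed=0):
    """Run n canary cycles with simulated metric checks.
    Returns (distinct name-only identities, distinct strawman manifest hashes) observed."""
    rng = random.Random(seed)
    names = frozenset({"grasp", "move_to", "release"})      # constructed capability set
    ctrl = IdentityStableCanary(names, {n: "1.0" for n in names})
    ican_seen, strawman_seen = set(), set()

    def observe():
        ican_seen.add(identity_hash(ctrl.names))
        strawman_seen.add(manifest_hash(ctrl.names, ctrl.versions))

    observe()
    for i in range(n_cycles):
        cap = rng.choice(sorted(names))
        ctrl.start(cap, f"1.{i + 1}", fraction=0.1)
        observe()
        served = [ctrl.route(rng) for _ in range(20)]        # canary window traffic
        regressed = rng.random() < 0.3                       # simulated metric regression
        ctrl.rollback() if regressed else ctrl.promote()
        observe()
        ctrl.reset()
        assert ctrl.identity in ican_seen and served          # identity never re-derived
    return ican_seen, strawman_seen


if __name__ == "__main__":
    ican, straw = run_cycles()
    print(f"name-only identities seen: {len(ican)}, strawman hashes seen: {len(straw)}")
```

The check a certifier cares about is the size of the first set: across every transition of every cycle the name-only identity stays a single value, while the strawman's manifest hash takes a new value on each promotion. The `start` guard is the other half of the envelope the abstract describes: evolving a version is free, but introducing a capability name that was not in the certified set is refused rather than silently hashed into a new identity.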
Problem

Research questions and friction points this paper is trying to address.

canary deployment
identity stability
safety-critical systems
embodied agents
certification
Innovation

Methods, ideas, or system contributions that make the work stand out.

identity-stable deployment
canary deployment
embodied agents
capability versioning
runtime governance