This work addresses the challenge of safely upgrading capability modules in embodied agents while preserving policy constraints, execution assumptions, and recovery guarantees. It introduces a lifecycle-aware upgrade framework that treats managed capability evolution as a first-class systems problem. The approach enforces compatibility through four dimensions—interfaces, policies, behaviors, and recovery—and implements a comprehensive governance pipeline at runtime, including sandboxed evaluation, shadow deployment, gated activation, online monitoring, and rollback. Empirical results demonstrate that the method maintains a 67.4% task success rate across six upgrade cycles with zero unsafe activations (p = 0.003). Shadow deployment additionally captures 40% of performance regressions missed by sandboxing, and the rollback mechanism successfully recovers from capability drift in 79.8% of affected scenarios.

Embodied agents are increasingly expected to improve over time by updating their executable capabilities rather than rewriting the agent itself. Prior work has separately studied modular capability packaging, capability evolution, and runtime governance. However, a key systems problem remains underexplored: once an embodied capability module evolves into a new version, how can the hosting system deploy it safely without breaking policy constraints, execution assumptions, or recovery guarantees? We formulate governed capability evolution as a first-class systems problem for embodied agents. We propose a lifecycle-aware upgrade framework in which every new capability version is treated as a governed deployment candidate rather than an immediately executable replacement. The framework introduces four upgrade compatibility checks -- interface, policy, behavioral, and recovery -- and organizes them into a staged runtime pipeline comprising candidate validation, sandbox evaluation, shadow deployment, gated activation, online monitoring, and rollback. We evaluate over 6 rounds of capability upgrade with 15 random seeds. Naive upgrade achieves 72.9% task success but drives unsafe activation to 60% by the final round; governed upgrade retains comparable success (67.4%) while maintaining zero unsafe activations across all rounds (Wilcoxon p=0.003). Shadow deployment reveals 40% of regressions invisible to sandbox evaluation alone, and rollback succeeds in 79.8% of post-activation drift scenarios.