Skip to main content

On the robot

The robot is a passive sensing + decision node. It never uploads media. 
Livox MID-360 (LiDAR) ┐
RealSense D435 (depth) ┼─► perception ─► moment detection ─► one event per moment
Robot IMU / odometry   ┘                     │
                          chest screen ◄──────┘ serve ad / house ad
A moment is counted only when it’s genuinely worth counting: a real adult faced the screen, close enough and long enough, while the robot was steady. Everything else is telemetry, not a billable moment.

The gated install

No source ships to the robot. The installer fetches a signed, ABI-matched, compiled artifact gated by your fleet key: 
robot (install.sh)            Kovio control plane           storage
   │ detect runtime ABI            │                           │
   │── activate (fleet key) ──────►│ validate key              │
   │                               │ match wheel, sign URL ───►│
   │◄── signed URL + sha256 ───────│                           │
   │── download + verify sha256 ───────────────────────────►   │
   │── install + start service                                 │
If the key is invalid/revoked or the runtime is unsupported, nothing is installed.

Revocation

The running SDK checks in with Kovio on a short interval. If the key or robot is revoked, the SDK stops on its own within one interval — a leaked copy is inert without a live key.
Security posture, stated plainly: this raises the cost of copying and makes a leaked artifact useless without a live, revocable key. It is not represented as making on-device code secret — the operator has root on their own robot.