RCAN Protocol Specification

Version 1.0.0 | Draft

1. Robot URI (RURI)

Every robot has a globally unique RURI:

rcan://<registry>/<manufacturer>/<model>/<device-id>[:<port>][/<capability>]

Examples

rcan://continuon.cloud/continuon/companion-v1/d3a4b5c6-7890-1234-5678-abcdef012345
rcan://continuon.cloud/continuon/companion-v1/d3a4b5c6/arm
rcan://local.rcan/discovered/192.168.1.42:8080
rcan://my-server.lan/acme/bot-x1/a1b2c3d4:9000/teleop

Components

Component	Description	Required
`registry`	Root registry domain (e.g., `continuon.cloud`, `local.rcan`)	Yes
`manufacturer`	Manufacturer namespace	Yes
`model`	Robot model identifier	Yes
`device-id`	UUID or short-form (8 hex chars)	Yes
`port`	Communication port (default: 8080)	No
`capability`	Specific endpoint (e.g., `/arm`, `/vision`)	No

Validation Regex

^rcan://([a-z0-9][a-z0-9.-]*[a-z0-9])/([a-z0-9][a-z0-9-]*[a-z0-9])/([a-z0-9][a-z0-9-]*[a-z0-9])/([0-9a-f]{8}(?:-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})?)(?::(\d{1,5}))?(/[a-z][a-z0-9/-]*)?$

2. Role-Based Access Control

RCAN defines a five-level role hierarchy:

Role	Level	Key Permissions
CREATOR	5	Full hardware/software control, OTA push, safety override
OWNER	4	Configuration, skill installation, user management
LEASEE	3	Time-bound operational control, cannot change ownership
USER	2	Operational control within allowed modes
GUEST	1	Limited interaction, chat, read-only status

Rule: Higher roles inherit all permissions of lower roles.

3. Message Format

All RCAN messages use a common envelope:

message RCANMessage {
  string version = 1;           // "1.0.0"
  string message_id = 2;        // UUID
  string source_ruri = 3;       // Sender RURI
  string target_ruri = 4;       // Recipient RURI (or "broadcast")
  string auth_token = 5;        // JWT session token
  MessageType type = 6;
  bytes payload = 7;            // Type-specific payload
  int64 timestamp_ms = 8;
  int32 ttl_ms = 9;             // Time-to-live (0 = no expiry)
  Priority priority = 10;
  
  enum MessageType {
    DISCOVER = 1;
    STATUS = 2;
    COMMAND = 3;
    STREAM = 4;
    EVENT = 5;
    HANDOFF = 6;
    ACK = 7;
    ERROR = 8;
  }
  
  enum Priority {
    LOW = 1;
    NORMAL = 2;
    HIGH = 3;
    SAFETY = 4;  // Always processed first
  }
}

4. Discovery (mDNS)

For LAN discovery without cloud connectivity:

_rcan._tcp.local.

TXT Records

ruri=rcan://continuon.cloud/continuon/companion-v1/d3a4b5c6
model=companion-v1
caps=arm,vision,chat,teleop
roles=owner,user,guest
version=1.0.0
name=Living Room Companion
status=idle

5. Authentication

RCAN uses JWT tokens for session management:

{
  "sub": "550e8400-e29b-41d4-a716-446655440000",
  "iss": "continuon.cloud",
  "aud": "rcan://continuon.cloud/continuon/companion-v1/*",
  "role": "owner",
  "scope": ["control", "config", "training"],
  "fleet": ["d3a4b5c6", "a1b2c3d4"],
  "exp": 1735689600,
  "iat": 1735603200
}

6. Safety Invariants

These are protocol requirements, not suggestions:

Local safety always wins. No remote command can bypass on-device safety checks.
Graceful degradation. Network loss triggers safe-stop, not undefined behavior.
Audit trail. All commands logged with user, timestamp, and outcome.
Rate limiting. Commands throttled per role (Guest: 10/min, User: 100/min, etc.).
Timeout enforcement. Control sessions expire; explicit renewal required.

7. Federation

RCAN is federated like email, not centralized like a platform:

rcan://continuon.cloud/... — Managed service
rcan://my-local-server.lan/... — Self-hosted
rcan://robotics-co-op.org/... — Community run

The Right to Redirect: An Owner (Level 4) can always change the robot's upstream registry.

Local Supremacy: Even if the cloud registry deletes your ID, local discovery (_rcan._tcp.local) always works.

→ Next: Conformance Tests