Sync without us in the middle

Canon alignment

Identity payloads should not need to live in our database as ciphertext forever. P2P-capable clients negotiate E2E channels for vault bundles; the server coordinates ICE/SDP signaling, not plaintext secrets.

Where relay paths remain for legacy clients, @canon-deviation and progressive honesty apply—name the mode, test downgrade resistance, ship the P2P path without a flag day.

WebRTC DataChannel

Encrypted vault bytes move peer-to-peer. STUN/TURN may assist NAT traversal; TURN sees encrypted frames if your crypto story is correct—verify with threat-model review, not assumptions.

Migration without big-bang

p2p_capable (or equivalent) lets new clients prefer P2P while old clients keep relay—no forced cutover that strands users on unsupported OS versions.

Revocation honesty

Push notifications + signed catch-up on reconnect handle stolen offline devices within the limits of practical systems today. We say what ships; we roadmap stronger distributed revocation where Canon pushes us—progressive honesty again.

Pair with

• Multi-device ECDH + QR — pairing and relay staging.
• Sovereignty spine — narrative thread across Passport, P2P, Guardian.

---

Guardian + P2P share signaling patterns; see guardian recovery plan for shard delivery.