📖 Narrative

🔀 Sequence

🗂 Phase Breakdown

SessionMigration

ProcessSessionMigration StatusActive ReconnectingOutbound/Inbound + IsTransportOnlyReconnect pending Phases1-MigrationInitiation · 2-MigrationDelivery · 3-TransportReconnect · 4-Recovery OrchestratorsPresenceDomainOrchestrator · DirectConnectionDomainOrchestrator · RcsDomainOrchestrator · PmsDomainOrchestrator · ConnectionBlueprintOrchestrator SubprocessesNone — calls into PeerSessionEstablishment transport paths but does NOT invoke the handshake sub-sequence Called byStandalone — triggered by OnConnectivityChanged on the migrating device Cross-refPeerSessionEstablishment · InitiateSessionHandshakeAsync and ConfirmHandshakeAsync are explicitly NOT part of this process

Overview

What it is: Session migration is the process by which two devices maintain their encrypted conversation when one of them changes networks — moving from WiFi to mobile data, switching towers, or changing IP address. The session key is still valid; only the transport path needs to change.

Who's involved: Two trusted peers with an established Ready session. One peer (the migrator) detects the network change. The other peer (the recipient) receives an inbound signal that the migrator has moved.

What success looks like: Both devices are back to SessionStatus.Ready with the same session key and the same PeerSecret they had before the migration. No new handshake has run. No secret has been rotated. Messages queued during the transition deliver automatically.

What failure looks like: Migration pings fail on all paths within the migration window. The session evicts on both sides. Full re-establishment is required — see PeerSessionEstablishment Phase 3b-SessionRecovery. This is recoverable but involves a full handshake and new secret generation.

Why this process exists separately from session establishment

When a peer changes networks, the instinct is to treat it like a new connection — tear down the old session, build a new one, run the full handshake. That is the wrong approach and it is the root cause of the most persistent bugs in this system.

The session key was derived from the relationship key (RK) and committed on both sides. It has not been invalidated. The PeerSecret was committed during the last successful handshake and both sides hold the same value. Running a new handshake generates a new PeerSecret — and if two handshakes run concurrently (which happens when both sides independently try to reconnect), each side commits the result of whichever one arrived last. Those results differ. The secrets diverge. Every subsequent ping from the diverged side fails PeerSecret resolution. The connection is permanently broken until restart.

Critical constraint

InitiateSessionHandshakeAsync and ConfirmHandshakeAsync are not part of this process. Any code path that calls them during migration is a bug. These methods are annotated with PeerSessionEstablishment only — never with SessionMigration.

The asymmetry problem

P2P without a server means the two devices are always in different states during a network transition. This asymmetry must be represented explicitly in the state model — shared states that mean different things depending on which side you are on are the source of guard logic failures.

The migrating device (outbound) knows its network has changed. It knows its key is still valid. It is firing migration pings to find a new transport path to the peer. It should not attempt a new handshake — it is waiting for the peer to acknowledge its new address.

The receiving device (inbound) receives a migration ping from a peer it already has a session with. It knows the peer has moved networks. Its key is still valid. It needs to reach the peer at their new address. It also should not run a handshake — the session is already established.

Proposed new PeerStatus values

ReconnectingOutbound — migrating device state. Blocks PresenceConnect from firing. No new handshake from this state.

ReconnectingInbound — receiving device state. Allows ConnectPeerAsync through even when SessionStatus==Ready. IsTransportOnlyReconnect=true passed to DC — skips InitiateSessionHandshakeAsync.

User Journey

Judas (moves WiFi → mobile) Lilo (stays on WiFi) ──────────────────────────────────────────────────────────────── Judas's phone switches to mobile data. App detects network change silently. Status may briefly show "Reconnecting..." Judas sends migration pings to Lilo ────────────────────────────────────────── Lilo receives migration signal. Status shows "Reconnecting..." briefly. She pings Judas at new address. ──────── Judas receives Lilo's ping. Both sides: status returns to green. Held messages deliver automatically. ───────────────────────────────────────── Judas is back. Messages flow. ────────────────────────────────────────────────────────────────

Participants

Role	Orchestrator	What they do in this process
Migration decision maker	`PresenceDomainOrchestrator`	Detects network change via DC event, sets session to Degraded, fires migration pings, receives inbound migration signal and responds with transport-only reconnect
Transport executor	`DirectConnectionDomainOrchestrator`	Sends migration pings across all transport candidates, handles inbound pings, re-registers session at new endpoint, respects `IsTransportOnlyReconnect` flag to skip handshake
Relay delivery	`RcsDomainOrchestrator`	Delivers migration ping via RCS queue when direct paths fail; polls for inbound relay-queued pings on heartbeat
Endpoint exchange	`PmsDomainOrchestrator`	Facilitates encrypted endpoint hint exchange via PMS rendezvous channel when direct paths fail and both sides need to learn each other's current network address
Candidate ordering	`ConnectionBlueprintOrchestrator`	Recompiled on migration signal with peer's new endpoint prioritised; provides candidate sequence for transport reconnect

🔁 View step cards in Processes →

Full Sequence Diagram

Both direct and relay paths shown. Proposed state values marked with *.

sequenceDiagram participant J as Judas (migrating) participant R as Relay Server participant L as Lilo (receiving) note over J,L: ── PHASE 1: Migration Initiation ───────────────────────────── note over J: OnConnectivityChanged fires.
SessionStatus → Degraded.
PeerStatus → ReconnectingOutbound* J->>J: FireMigrationPingAsync — sort sessions by recency note over J,L: ── PHASE 2: Migration Delivery (parallel attempts) ──────────── J->>L: PingFrame via TCP LAN (Ps=LastSuccessfulSecret) note over J: TCP LAN timeout → try TCP WAN J->>L: PingFrame via TCP WAN (Ps=LastSuccessfulSecret) note over J: TCP WAN timeout → try UDP punch J->>L: PingFrame via UDP (Ps=LastSuccessfulSecret) note over J: UDP timeout → RCS relay fallback J->>R: RcsDeliver(Lilo.RcsId, PingFrame encrypted) note over R: Relay queues encrypted blob only.
Never decrypts. Never reads content. R-->>L: PingFrame on next heartbeat poll note over J,L: ── PHASE 3: Transport Reconnect ────────────────────────────── note over L: HandleInboundPingAsync.
isNewSession=false — existing session found.
NO PeerSecret rotation. NO handshake.
Fires PeerConnectionStateChanged(IsMigrationPing=true). note over L: PeerStatus → ReconnectingInbound*
ClearMigrationHold. InvalidateBlueprint.
ConnectPeerAsync(IsTransportOnlyReconnect=true*) L->>J: PingFrame to Judas new address (Ps=PeerSecret_a2f34ad5) note over J: Session re-registered at new endpoint.
IsTransportOnlyReconnect=true → skip InitiateSessionHandshakeAsync. J->>L: PingReply note over J,L: ── If direct fails: PMS endpoint exchange ───────────────────── J->>R: PMS Init + SendMessage(mobile endpoint, encrypted) R-->>L: PMS GetMessages → Judas mobile endpoint L->>R: PMS SendMessage(Lilo endpoint, encrypted) R-->>J: PMS GetMessages → Lilo endpoint note over R: PMS = temporary rendezvous only.
Encrypted endpoint hints.
No message content stored. J->>L: Direct ping to Lilo endpoint L->>J: PingReply note over J,L: ── PHASE 4: Recovery ───────────────────────────────────────── note over J: PeerStatus → Online.
SessionStatus → Ready.
PeerSecret UNCHANGED (a2f34ad5).
No handshake ran. note over L: PeerStatus → Online.
SessionStatus → Ready.
PeerSecret UNCHANGED (a2f34ad5).
Queue flush — held messages deliver.

Phase Breakdown

Phase 1 — Migration Initiation ReconnectingOutbound* ▶

What's happening: The migrating device detects a network change. It marks all active sessions as SessionStatus.Degraded — the key is still valid, but the transport path is lost. It fires migration pings to each peer sorted by recency.

Why Degraded, not None: Degraded means "key confirmed this boot, contact temporarily lost." This keeps the existing session key in place so the migration path can reuse it. If sessions were evicted to None, the full handshake path would run — leading to secret divergence.

Proposed

PeerStatus → ReconnectingOutbound. Distinct from Connecting (cold start) — must not trigger PresenceConnect, and DC must not run InitiateSessionHandshakeAsync from this state.

Steps: OnConnectivityChanged → OnNetworkChanged → FireMigrationPingAsync per peer (sorted by _lastActiveAt)

Phase 2 — Migration Delivery TCP · UDP · RCS · PMS ▶

What's happening: The migrating device attempts every available transport in sequence with a time budget. Each attempt carries LastSuccessfulSecret (not PeerSecret) in the Ps field.

Why LastSuccessfulSecret

PeerSecret is the proposed next secret — it may have been committed on one side but not yet confirmed on the other. LastSuccessfulSecret is the last value that completed a full ShareStatus(Ready) exchange. It is guaranteed to be findable in the receiving device's AB as either PeerSecret or LastSuccessfulSecret.

Relay roles:

RCS queued delivery — migrating device pushes encrypted ping blob to relay. Peer receives it on next heartbeat poll. Relay never decrypts.
PMS endpoint exchange — both sides post their current network address to a temporary relay channel, then connect directly. Relay sees only encrypted blobs.

Steps: TCP LAN → TCP WAN → UDP punch → TryRcsFallbackAsync → PMS Init/SendMessage/GetMessages

Phase 3 — Transport Reconnect ReconnectingInbound* · IsTransportOnlyReconnect* ▶

What's happening: The receiving device has received the migration ping. It calls ConnectPeerAsync with IsTransportOnlyReconnect=true — this tells DC to find a transport path to the peer's new address but skip InitiateSessionHandshakeAsync. The session key is still valid. No new secret is needed.

Why IsTransportOnlyReconnect is load-bearing

Without this flag, TryDirectEndpointsAsync calls InitiateSessionHandshakeAsync after a successful ping — it has no way to know whether this is a cold start (handshake needed) or migration reconnect (handshake wrong). The flag is the explicit signal. When true, DC re-establishes transport and promotes the session directly to Ready without the handshake sequence.

Proposed

PeerStatus → ReconnectingInbound. Distinct from Connecting so that: (1) the Ready-guard in ConnectPeerAsync that blocks stale cycling can correctly allow migration through, and (2) retry loops don't misinterpret it as needing a full connection attempt.

Steps: HandleInboundPingAsync (isNewSession=false, no rotation) → PeerConnectionStateChanged(IsMigrationPing=true) → ClearMigrationHold → InvalidateBlueprint → ConnectPeerAsync(IsTransportOnlyReconnect=true) → TryDirectEndpointsAsync (skip handshake)

Phase 4 — Recovery PeerSecret unchanged ▶

What's happening: Transport re-established. Both sides confirm the session is live via PingReply. Both transition back to PeerStatus.Online and SessionStatus.Ready. Messages held during migration flush automatically.

What is explicitly NOT happening

InitiateSessionHandshakeAsync does not run. ConfirmHandshakeAsync does not run. ShareStatus(sessionStatus=Ready) is not exchanged for handshake purposes. PeerSecret and LastSuccessfulSecret are identical to their pre-migration values on both sides.

Steps: HandleInboundPingReply (sticky-Ready guard, no Confirmed regression) → NotifyPeerSessionReady → queue flush

Key Design Decisions

Why session key and PeerSecret are preserved across migration

The session key is derived from the relationship key (RK) and session ID — both stable across network changes. Running a new handshake when the key is still valid risks race conditions and is the root cause of the secret divergence bug. The rule: the session key changes only when the session is evicted (None) or when MaxSessionAgeHours forces rotation.

Why LastSuccessfulSecret is used in migration pings, not PeerSecret

PeerSecret may be a value committed on one side but not yet confirmed on the other. LastSuccessfulSecret completed a full ShareStatus(Ready) exchange — it is guaranteed to be findable in the receiving device's AB.

Why IsTransportOnlyReconnect must be a payload flag, not inferred from state

DC's TryDirectEndpointsAsync cannot infer from session state alone whether a handshake is needed after a successful ping. A ping succeeding at SessionStatus==Confirmed is ambiguous — cold start or migration reconnect. The flag makes intent explicit through the async call chain.

Why ReconnectingOutbound and ReconnectingInbound are separate PeerStatus values

The two roles have different guard requirements. ReconnectingOutbound must block PresenceConnect from firing. ReconnectingInbound must allow ConnectPeerAsync through even when SessionStatus==Ready. Using a single state or reusing Degraded means guard logic cannot differentiate and one invariant will be violated.

SyncActions Used

SyncAction	Phase	Role in this process
`Heartbeat`	2-MigrationDelivery	RCS heartbeat delivers queued migration ping to receiving device
`RcsDeliver`	2-MigrationDelivery	Relay-queued delivery of migration ping when direct paths fail
`RcsPollMessages`	2-MigrationDelivery	Receiving device polls relay queue and finds migration ping
`Init`	2-MigrationDelivery	Opens PMS rendezvous channel for endpoint exchange
`SendMessage`	2-MigrationDelivery	Posts encrypted endpoint hint to PMS channel
`GetMessages`	2-MigrationDelivery	Retrieves peer's endpoint hint from PMS channel
`PresenceConnect`	3-TransportReconnect	Receiving device's transport-only reconnect attempt (`IsTransportOnlyReconnect=true`)

Policy Keys That Affect This Process

Policy Key	Effect
`KeepaliveSoftFailCount`	Failures before SoftFail — determines how quickly Lilo detects Judas changed networks
`KeepaliveHardFailCount`	Failures before session evicts — defines outer migration window boundary
`MigrationWaitSeconds`	How long DC holds session in SoftFail while migration pings are in flight
`Blueprint_TimeoutMs_Lan`	LAN ping timeout during migration delivery
`Blueprint_TimeoutMs_Wan`	WAN ping timeout during migration delivery
`Blueprint_TimeoutMs_Punch`	UDP punch timeout during migration delivery
`PmsPollAttempts`	Poll attempts for PMS endpoint exchange
`PmsPollIntervalMs`	Interval between PMS polls

Edge Cases and Failure Modes

Scenario	What happens	Recovery
All migration paths fail	Falls through to `TryReestablishSessionAsync`	PeerSessionEstablishment Phase 3b — full handshake, new secret
Session evicts before migration completes	Hard-fail threshold reached. PeerStatus→Offline.	PeerSessionEstablishment Phase 3b from both sides
Both devices change networks simultaneously	Both exhaust MigrationWait independently	Both fall to full re-establishment independently. Safe.
Concurrent handshakes triggered (current bug)	Two PresenceConnect cycles run. Each side commits different secrets. PeerSecret diverges.	Requires restart. Fixed by `IsTransportOnlyReconnect` + `ReconnectingOutbound/Inbound` guards.
PeerSecret resolution fails on migration ping	Receiving device cannot find `LastSuccessfulSecret` — rotated past two generations	Falls to IP-match, then re-establishment
Both devices in ReconnectingInbound simultaneously	Both call `ConnectPeerAsync(IsTransportOnlyReconnect=true)`	Safe — same session key. First successful ping exchange wins.

Test Plan Anchors

Phase	Happy path	Edge cases
1-MigrationInitiation	OnNetworkChanged fires, SessionStatus→Degraded, FireMigrationPingAsync per peer sorted by recency	No active sessions — silent return; Multiple sessions — sorted correctly
2-MigrationDelivery	Migration ping delivered via TCP LAN within budget	TCP fails → WAN → UDP → RCS relay; Relay unreachable → migration fails
2-MigrationDelivery (relay)	RCS relay queues ping, receiving device polls and receives on next heartbeat	PMS endpoint exchange for cross-network direct
3-TransportReconnect	ConnectPeerAsync(IsTransportOnlyReconnect=true) fires, ping succeeds, no handshake runs, PeerSecret unchanged	ReconnectingInbound guard allows through when SessionStatus==Ready
4-Recovery	Both sides Ready, PeerSecret identical to pre-migration value	Queue flush with parked items; No duplicate handshake on sticky-Ready guard

Open Questions

#	Question	Status
OQ-1	Should `MigrationWaitSeconds` be blueprint-driven per peer? Hot-tier peers may warrant a longer wait.	Deferred — Blueprint Phase 4
OQ-2	Should the receiving device send a `ShareStatus` when it receives a migration ping, to confirm acknowledgement? Currently PingReply serves this implicitly.	Open
OQ-3	When both devices change networks simultaneously and both fall to full re-establishment, which side becomes handshake initiator? Currently deterministic (lower userId).	Open — currently correct by design

🔁 View step cards in Processes → 📖 All Workflows →