Record project continuation changes

docs/architecture/VPN_IP_TUNNEL_SERVICE_TARGET.md

@@ -131,6 +131,43 @@ Data Plane
 
 The backend/control plane must not become a production VPN packet relay.
 
+## Universal Packet Dataplane Principle
+
+The VPN service carries IP packets. It must not classify the product as a web
+proxy, an RDP helper, or an HTTP-only accelerator. HTTP, DNS, RDP, SSH, VNC,
+messengers, audio calls, file transfer, application sync, and future mobile or
+desktop traffic are all just packets flowing through the same tunnel contract.
+
+Implementation rules:
+
+- packet forwarding must not branch on application protocol for correctness
+- performance work must optimize the shared packet path, not a specific site or
+  port
+- batching, backpressure, retries, and route failover are dataplane mechanics
+  and must apply to all traffic
+- diagnostics may summarize protocol/ports for operators, but diagnostics must
+  not decide whether traffic is allowed to flow
+- a transient transport error must not permanently downgrade the tunnel to a
+  per-packet request mode
+- the control plane chooses entry, exit, route, lease, and policy; packet flow
+  should use the fastest available fabric path
+
+The temporary backend HTTP packet relay is a lab compatibility path. The
+production target is:
+
+```text
+client device
+  -> selected entry node
+  -> fabric route / alternate route set
+  -> selected exit node
+  -> target private network or Internet gateway
+```
+
+When the cluster grows, route choice must consider latency, loss, queue depth,
+node health, role eligibility, lease freshness, and regional/network locality.
+If a node or link degrades, the fabric should switch to an alternate route
+without requiring the client to understand mesh topology.
+
 ## Control Plane Responsibilities
 
 The control plane owns: