feat(net): remove Boar bootstrap nodes and replace with operator peers

Replace all Boar bootstrap node entries with curated DNS-backed operator
peers to complete the bootstrap infrastructure decommission. This is the
final phase — Staked nodes were removed in v2.5.1.

Peer list changes:
- Mainnet: 2 Boar entries replaced with 5 operator peers at keep-nodes.io
- Testnet: 1 Boar entry replaced with 2 operator peers at test.keep-nodes.io
- All entries use /dns4/ format for IP change resilience

Security — AllowList decoupling:
- Pass firewall.EmptyAllowList instead of extracting embedded peer keys
- All peers (including embedded operators) now pass IsRecognized() staking
  checks with no firewall bypass
- Remove dead ExtractPeersPublicKeys function and its tests

Deprecations and renames:
- Deprecate --network.bootstrap flag with runtime warning
- Rename connected_bootstrap_count metric to connected_wellknown_peers_count

Documentation:
- Add operator migration guide covering Boar address removal,
  --network.peers override behavior, and monitoring updates

Author: lrsaturnino

cmd/flags.go

@@ -206,7 +206,7 @@ func initNetworkFlags(cmd *cobra.Command, cfg *config.Config) {
 		&cfg.LibP2P.Bootstrap,
 		"network.bootstrap",
 		false,
-		"Run the client in bootstrap mode.",
+		"[DEPRECATED] Run the client in bootstrap mode. This flag is deprecated and will be removed in a future release.",
 	)
 
 	cmd.Flags().StringSliceVar(

cmd/start.go

@@ -188,6 +188,9 @@ func start(cmd *cobra.Command) error {
 }
 
 func isBootstrap() bool {
+	if clientConfig.LibP2P.Bootstrap {
+		logger.Warnf("--network.bootstrap is deprecated and will be removed in a future release")
+	}
 	return clientConfig.LibP2P.Bootstrap
 }
 
@@ -197,19 +200,9 @@ func initializeNetwork(
 	operatorPrivateKey *operator.PrivateKey,
 	blockCounter chain.BlockCounter,
 ) (net.Provider, error) {
-	bootstrapPeersPublicKeys, err := libp2p.ExtractPeersPublicKeys(
-		clientConfig.LibP2P.Peers,
-	)
-	if err != nil {
-		return nil, fmt.Errorf(
-			"error extracting bootstrap peers public keys: [%v]",
-			err,
-		)
-	}
-
 	firewall := firewall.AnyApplicationPolicy(
 		applications,
-		firewall.NewAllowList(bootstrapPeersPublicKeys),
+		firewall.EmptyAllowList,
 	)
 
 	netProvider, err := libp2p.Connect(
@@ -244,7 +237,7 @@ func initializeClientInfo(
 		config.ClientInfo.NetworkMetricsTick,
 	)
 
-	registry.ObserveConnectedBootstrapCount(
+	registry.ObserveConnectedWellknownPeersCount(
 		netProvider,
 		config.LibP2P.Peers,
 		config.ClientInfo.NetworkMetricsTick,

cmd/start_test.go

@@ -0,0 +1,59 @@
+package cmd
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/keep-network/keep-core/config"
+	"github.com/spf13/cobra"
+)
+
+func TestNetworkBootstrapFlagDescription_ContainsDeprecationNotice(t *testing.T) {
+	cmd := &cobra.Command{Use: "test"}
+	cfg := &config.Config{}
+
+	initNetworkFlags(cmd, cfg)
+
+	flag := cmd.Flags().Lookup("network.bootstrap")
+	if flag == nil {
+		t.Fatal("expected network.bootstrap flag to be registered")
+	}
+
+	usageLower := strings.ToLower(flag.Usage)
+	if !strings.Contains(usageLower, "deprecated") {
+		t.Errorf(
+			"expected flag description to contain deprecation notice, got: %q",
+			flag.Usage,
+		)
+	}
+}
+
+func TestIsBootstrap(t *testing.T) {
+	tests := map[string]struct {
+		bootstrapValue bool
+		expected       bool
+	}{
+		"returns true when bootstrap flag is set": {
+			bootstrapValue: true,
+			expected:       true,
+		},
+		"returns false when bootstrap flag is not set": {
+			bootstrapValue: false,
+			expected:       false,
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			originalBootstrap := clientConfig.LibP2P.Bootstrap
+			defer func() { clientConfig.LibP2P.Bootstrap = originalBootstrap }()
+
+			clientConfig.LibP2P.Bootstrap = tc.bootstrapValue
+
+			got := isBootstrap()
+			if got != tc.expected {
+				t.Errorf("expected isBootstrap() to return %v, got %v", tc.expected, got)
+			}
+		})
+	}
+}

config/_peers/mainnet

@@ -1,2 +1,5 @@
-/dns4/bst-a01.tbtc.boar.network/tcp/5001/ipfs/16Uiu2HAmAmCrLuUmnBgpavU8y8JBUN6jWAQ93JwydZy3ABRyY6wU
-/dns4/bst-b01.tbtc.boar.network/tcp/5001/ipfs/16Uiu2HAm4w5HdJQxBnadGRepaiGfWVvtMzhdAGZVcrf9i71mv69V
+/dns4/keep-operator-1.keep-nodes.io/tcp/3919/ipfs/16Uiu2HAmVUxCz2YjBpGaGirVLx6RGtHbPg5rygEWMPoUFE4bHTkr
+/dns4/keep-operator-2.keep-nodes.io/tcp/3919/ipfs/16Uiu2HAm8bLqTcGMDFaNPGPC6gxStKCnJr2DaVsMbce1ZEyaKo9S
+/dns4/keep-operator-3.keep-nodes.io/tcp/3919/ipfs/16Uiu2HAmQLCwPnNmFMDQkc5hLfapGKtXPvFJQKB3rUFYa1wjVnfi
+/dns4/keep-operator-4.keep-nodes.io/tcp/3919/ipfs/16Uiu2HAmTv4atEFadTVPz7BWhE3gRFMeJ5Kk4LQfgN2V8ViWYFRx
+/dns4/keep-operator-5.keep-nodes.io/tcp/3919/ipfs/16Uiu2HAmPwQuywYq9qFRn8gLCtiKaDZwg2u3JQhWia7RYHRdfk1r

config/_peers/testnet

@@ -1 +1,2 @@
-/dns4/bst-a01.test.keep.boar.network/tcp/6001/ipfs/16Uiu2HAmSLDSahiKyTbCNNu8wJmZAsiKF7wuYJ8mogY8ZuAG1jhu
+/dns4/keep-operator-1.test.keep-nodes.io/tcp/3920/ipfs/16Uiu2HAmDrk2Bh4VNPUJfKRHTE2CvH9xfKzN4KFnmRJbGLkJFDqL
+/dns4/keep-operator-2.test.keep-nodes.io/tcp/3920/ipfs/16Uiu2HAm3ex8rGzwFpWYbRreRUiX9JEYCKxp7KDMzB8RZ6fQWnMa

config/peers_test.go

@@ -18,13 +18,17 @@ func TestResolvePeers(t *testing.T) {
 		"mainnet network": {
 			network: network.Mainnet,
 			expectedPeers: []string{
-				"/dns4/bst-a01.tbtc.boar.network/tcp/5001/ipfs/16Uiu2HAmAmCrLuUmnBgpavU8y8JBUN6jWAQ93JwydZy3ABRyY6wU",
-				"/dns4/bst-b01.tbtc.boar.network/tcp/5001/ipfs/16Uiu2HAm4w5HdJQxBnadGRepaiGfWVvtMzhdAGZVcrf9i71mv69V",
+				"/dns4/keep-operator-1.keep-nodes.io/tcp/3919/ipfs/16Uiu2HAmVUxCz2YjBpGaGirVLx6RGtHbPg5rygEWMPoUFE4bHTkr",
+				"/dns4/keep-operator-2.keep-nodes.io/tcp/3919/ipfs/16Uiu2HAm8bLqTcGMDFaNPGPC6gxStKCnJr2DaVsMbce1ZEyaKo9S",
+				"/dns4/keep-operator-3.keep-nodes.io/tcp/3919/ipfs/16Uiu2HAmQLCwPnNmFMDQkc5hLfapGKtXPvFJQKB3rUFYa1wjVnfi",
+				"/dns4/keep-operator-4.keep-nodes.io/tcp/3919/ipfs/16Uiu2HAmTv4atEFadTVPz7BWhE3gRFMeJ5Kk4LQfgN2V8ViWYFRx",
+				"/dns4/keep-operator-5.keep-nodes.io/tcp/3919/ipfs/16Uiu2HAmPwQuywYq9qFRn8gLCtiKaDZwg2u3JQhWia7RYHRdfk1r",
 			}},
 		"sepolia network": {
 			network: network.Testnet,
 			expectedPeers: []string{
-				"/dns4/bst-a01.test.keep.boar.network/tcp/6001/ipfs/16Uiu2HAmSLDSahiKyTbCNNu8wJmZAsiKF7wuYJ8mogY8ZuAG1jhu",
+				"/dns4/keep-operator-1.test.keep-nodes.io/tcp/3920/ipfs/16Uiu2HAmDrk2Bh4VNPUJfKRHTE2CvH9xfKzN4KFnmRJbGLkJFDqL",
+				"/dns4/keep-operator-2.test.keep-nodes.io/tcp/3920/ipfs/16Uiu2HAm3ex8rGzwFpWYbRreRUiX9JEYCKxp7KDMzB8RZ6fQWnMa",
 			},
 		},
 		"developer network": {

docs/network-peer-migration-guide.md

@@ -0,0 +1,218 @@
+# Network Peer Migration Guide
+
+## Quick Action
+
+**If you have NOT manually configured `--network.peers` or `[LibP2P].Peers`**,
+no action is needed. Your node uses embedded defaults that are updated
+automatically with each client release.
+
+**If you HAVE manually configured peers**, check your configuration for any
+address containing `boar.network` or `staked.cloud` and remove it. The
+recommended fix is to remove the `--network.peers` / `[LibP2P].Peers` setting
+entirely so your node uses the new built-in defaults. See
+[Required Action](#required-action-remove-hardcoded-boar-addresses) below.
+
+> **Warning**: If you do nothing and your custom peer list contains only Boar
+> addresses, your node will lose network connectivity when Boar infrastructure
+> is decommissioned.
+
+---
+
+## Summary of Changes
+
+The keep-client embedded peer list has been updated to replace Boar bootstrap
+node addresses with curated operator-run peers.
+
+The following changes are included in this release:
+
+- **Boar bootstrap addresses removed** from embedded peer lists (mainnet and
+  testnet). The Boar infrastructure (`bst-*.boar.network`) is being
+  decommissioned.
+- **New curated operator peers** are now embedded as defaults, hosted at
+  `keep-nodes.io` (mainnet) and `test.keep-nodes.io` (testnet).
+- **Firewall validation strengthened**: all peers are now validated through
+  on-chain staking checks. Previously, embedded peer public keys bypassed
+  staking validation via a firewall allow-list.
+- **`--network.bootstrap` flag deprecated**: the flag still functions but will
+  be removed in a future release.
+- **Metric renamed**: `connected_bootstrap_count` has been renamed to
+  `connected_wellknown_peers_count`.
+
+Most operators do not need to take any action. If you have manually configured
+`--network.peers` or `[LibP2P].Peers` in your configuration, read the next
+section carefully.
+
+---
+
+## Required Action: Remove Hardcoded Boar Addresses
+
+**If your node is configured with `--network.peers` (CLI flag) or
+`[LibP2P].Peers` (configuration file), you must review and update your
+configuration before Boar infrastructure is decommissioned.** Failure to act
+will result in your node being unable to discover peers on the network.
+
+### How to Check if You Are Affected
+
+1. **Check your startup command** for the `--network.peers` flag:
+   ```
+   --network.peers=/dns4/bst-a01.tbtc.boar.network/tcp/3919/ipfs/16Uiu2HAm...
+   ```
+
+2. **Check your configuration file** (TOML, YAML, or JSON) for a `Peers`
+   entry under the `[LibP2P]` section:
+   ```toml
+   [LibP2P]
+     Peers = [
+       "/dns4/bst-a01.tbtc.boar.network/tcp/3919/ipfs/16Uiu2HAm...",
+       "/dns4/bst-b01.tbtc.boar.network/tcp/3919/ipfs/16Uiu2HAm..."
+     ]
+   ```
+
+3. **If neither is set**, you are using the embedded defaults and no action is
+   needed. The new operator peers are included automatically.
+
+### Boar Addresses to Remove
+
+Remove any peer address whose hostname contains `boar.network` or
+`staked.cloud`. The specific Boar hostnames being decommissioned are:
+
+| Network | Hostname |
+|---------|----------|
+| Mainnet | `bst-a01.tbtc.boar.network` |
+| Mainnet | `bst-b01.tbtc.boar.network` |
+| Testnet | `bst-a01.test.keep.boar.network` |
+
+The peer ID suffix (the `/ipfs/16Uiu2HAm...` portion) varies, but the hostname
+is the identifying part. Any multiaddress containing one of the hostnames above
+must be removed.
+
+### What to Do
+
+**Option A (recommended):** Remove `--network.peers` / `[LibP2P].Peers`
+entirely. Your node will then use the new embedded defaults, which are
+maintained and updated with each client release.
+
+Before:
+```toml
+[LibP2P]
+  Peers = [
+    "/dns4/bst-a01.tbtc.boar.network/tcp/3919/ipfs/16Uiu2HAm...",
+    "/dns4/bst-b01.tbtc.boar.network/tcp/3919/ipfs/16Uiu2HAm..."
+  ]
+```
+
+After:
+```toml
+[LibP2P]
+  # Peers removed -- the client now uses built-in operator peer defaults.
+```
+
+Or, if using the CLI flag, simply remove `--network.peers` from your startup
+command.
+
+**Option B:** Replace the Boar addresses with currently active operator peer
+addresses. Only use this option if you have a specific reason to maintain a
+custom peer list.
+
+### Why This Matters
+
+When you set `--network.peers` (or `[LibP2P].Peers` in your configuration
+file), the client uses your list exclusively and ignores the built-in defaults.
+
+Internally, the `resolvePeers()` function in `config/peers.go` checks whether
+`LibP2P.Peers` is already populated. If it is, the function returns immediately
+without loading the embedded peer list. This means manually configured peers
+completely override the defaults -- there is no merging.
+
+If your custom peer list contains only Boar addresses, your node will be unable
+to discover any peers once Boar infrastructure is decommissioned.
+
+---
+
+## Bootstrap Flag Deprecation
+
+The `--network.bootstrap=true` flag is deprecated and will be removed in a
+future release.
+
+Historically, this flag marked a node as a bootstrap/relay node, which enabled
+special behaviors such as adjusted dissemination timing and self-dial skipping.
+As the network has matured, dedicated bootstrap mode is no longer necessary for
+standard peer discovery.
+
+The flag still functions and the node will log a deprecation warning when it is
+used. Operators currently running with `--network.bootstrap=true` should plan
+to stop using it. If you need to adjust dissemination timing directly, use the
+`--network.disseminationTime` flag instead.
+
+---
+
+## Metric Rename
+
+The `connected_bootstrap_count` metric has been renamed to
+`connected_wellknown_peers_count`.
+
+The metric semantics are unchanged -- it tracks the number of currently
+connected well-known peers that are embedded in the client. Only the name has
+changed to more accurately reflect that these peers are curated operator nodes
+rather than traditional bootstrap nodes.
+
+If you have Grafana dashboards, Prometheus alerts, or other monitoring that
+references the old metric name, update your queries:
+
+| Before | After |
+|--------|-------|
+| `connected_bootstrap_count` | `connected_wellknown_peers_count` |
+
+The metric is exposed on the Client Info HTTP endpoint (port 9601 by default).
+
+---
+
+## Technical Background
+
+This section provides additional context for operators who want to understand
+the underlying mechanisms.
+
+### Embedded Peer Resolution
+
+The keep-client binary embeds a default peer list at compile time using Go's
+`embed` package. The peer addresses are stored in the `config/_peers/` directory
+with separate files for each network (mainnet, testnet).
+
+When the client starts, `resolvePeers()` in `config/peers.go` runs the
+following logic:
+
+1. If `LibP2P.Peers` is already populated (via `--network.peers` flag or
+   configuration file), return immediately without changes.
+2. If the network type is `developer` or `unknown`, log a warning and return
+   (no embedded defaults for these networks).
+3. Otherwise, read the embedded peer list for the current network and set
+   `LibP2P.Peers` to those values.
+
+This design means that manually configured peers always take precedence over
+embedded defaults. There is no merging of the two lists.
+
+### Firewall Allow-List Change
+
+Previously, the public keys of embedded peers were added to a firewall
+allow-list, which allowed them to bypass the `IsRecognized()` on-chain staking
+validation. This was a convenience for bootstrap infrastructure but weakened
+the security model.
+
+With this release, the allow-list is no longer populated with embedded peer
+keys. All peers -- including the embedded operator peers -- must pass staking
+validation through the on-chain contracts. This ensures that only properly
+staked operators can participate in the network.
+
+### Network Discovery Flow
+
+The overall peer discovery architecture follows this path:
+
+1. **Embedded peers** provide initial connectivity (the addresses in
+   `config/_peers/<network>`).
+2. **libp2p connections** are established to these well-known peers.
+3. **DHT discovery** uses these initial connections to find additional peers
+   across the network.
+4. **Full mesh connectivity** is established as more peers are discovered.
+
+Removing Boar addresses from the embedded list and replacing them with active
+operator peers ensures that step 1 connects to reliable, staked infrastructure.