Fix DEFAULT_ANCHOR: use post-rotation network key (ab2b72...)

The anchor rotated its network key on 2026-04-22 22:57 UTC during the
v0.6.1 upgrade (keeping the old key as its posting identity). The
DEFAULT_ANCHOR constant was never updated, so every v0.6.1 and v0.6.2
client has been pinning the old cert identity when connecting, producing
a TLS "UnknownIssuer" handshake error.

Symptom: fresh clients can't bootstrap; existing installs drop when the
anchor's old connection times out and can't re-handshake.

Verified: rebuilt CLI with the new constant successfully connects to
the anchor, completes the initial exchange, registers as a mesh peer,
and runs a pull sync.

Note: `DEFAULT_ANCHOR_POSTING_ID` in lib.rs still holds the OLD key
(17af14...) — that's correct, it's the anchor's posting identity used
to verify signed announcements, distinct from the network key used for
QUIC cert verification.

crates/core/src/node.rs

@@ -19,7 +19,17 @@ use crate::types::{
 };
 
 /// Built-in default anchor — always available as a bootstrap fallback.
-const DEFAULT_ANCHOR: &str = "17af141956ae0b50dc1cb9248cadf5fca371ea2d8531ac9add3c03caffc61441@itsgoin.net:4433";
+/// Bootstrap anchor connect string. The NodeId here is the anchor's CURRENT
+/// network identity (used for QUIC handshake / cert verification). It was
+/// rotated from `17af14...` to `ab2b72...` by v0.6.1's upgrade path on the
+/// anchor host at 2026-04-22 22:57 UTC. The old key became the anchor's
+/// posting identity (see `DEFAULT_ANCHOR_POSTING_ID` in lib.rs) and is
+/// used to verify signed announcements; it is NOT used for connection
+/// verification.
+///
+/// Clients compiled against the pre-rotation value fail the TLS handshake
+/// with "UnknownIssuer" because they pin the wrong cert identity.
+const DEFAULT_ANCHOR: &str = "ab2b7258ef0b75b2c6ee8bf6595232055f6199d584d3c0fc10b15a1ed549aa13@itsgoin.net:4433";
 
 /// A distsoc node: ties together identity, storage, and networking
 pub struct Node {