In libp2p, a signed peer record is more than just an address list. It is a cryptographically certified statement: "I am peer X, I live at these addresses, and here is my signature to prove it." The certified address book exists precisely so nodes can trust addresses they receive without re-verifying them every time. Without it, the DHT and GossipSub have to fall back to uncertified paths, and every restart breaks continuity.

The persistent peerstore has been saving and loading addresses, protocols, and metadata correctly since libp2p#946. But signed peer records (Envelopes) were being silently lost on every restart. The write path called serialize_record_state, which stored only a State.VALID byte marker and discarded the envelope and sequence number entirely. The read path called deserialize_record_state, which returned a dummy PeerRecordState constructed from a 32-byte zero key. Every peer whose record had been consumed and stored would come back as a ghost on restart: present in the map, but with no actual data.

The fix is two lines per peerstore. The serialize_envelope and deserialize_envelope functions already exist in the same serialization module and handle the full envelope round-trip correctly — the local peer record already uses them. The peer record load and save paths now use the same approach: serialize the envelope directly, and on restore reconstruct the PeerRecordState from the envelope and its embedded sequence number.

Four tests cover the new behavior: SQLite-backed peer record persistence for the sync and async implementations, a control case confirming the memory backend does not persist records across restarts, and a seq-ordering test verifying that after a restart, the peerstore still correctly rejects older records that arrive with a lower sequence number. All existing tests pass.