diff --git a/simulations/mixnet/run_lioness_sim.sh b/simulations/mixnet/run_lioness_sim.sh
new file mode 100755
index 000000000..68ef2f29c
--- /dev/null
+++ b/simulations/mixnet/run_lioness_sim.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+# Headless mixnet simulation driver for the LIONESS payload-encryption branch.
+# Starts 5 mix nodes + 2 chat clients in background, sends a test message
+# from alice → bob through the mixnet, captures cover-traffic metrics, tears down.
+
+set -u
+cd "$(dirname "$0")"
+
+# --- cleanup helper ---------------------------------------------------
+cleanup() {
+  echo "[cleanup] killing wakunode2 + chat2mix processes..."
+  pkill -f 'wakunode2 --config-file' 2>/dev/null
+  pkill -f 'chat2mix --cluster-id=2' 2>/dev/null
+  sleep 1
+}
+trap cleanup EXIT
+
+# --- start mix nodes --------------------------------------------------
+echo "[sim] starting bootstrap mix node..."
+./run_mix_node.sh > mix_node.log 2>&1 &
+sleep 6
+
+for i in 1 2 3 4; do
+  echo "[sim] starting mix node $i..."
+  ./run_mix_node$i.sh > mix_node$i.log 2>&1 &
+  sleep 2
+done
+
+echo "[sim] waiting 15s for nodes to peer..."
+sleep 15
+
+echo "[sim] checking node setup completion..."
+for f in mix_node.log mix_node1.log mix_node2.log mix_node3.log mix_node4.log; do
+  if grep -q "Node setup complete" "$f"; then
+    echo "  [ok] $f"
+  else
+    echo "  [WARN] $f missing 'Node setup complete'"
+  fi
+done
+
+# --- baseline metrics -------------------------------------------------
+echo ""
+echo "[sim] === baseline cover-traffic metrics (t0) ==="
+./check_cover_traffic.sh > metrics_t0.log 2>&1
+cat metrics_t0.log
+
+# --- chat clients -----------------------------------------------------
+echo ""
+echo "[sim] launching chat clients..."
+
+# alice: nickname → wait → send message → wait → /exit
+( echo "alice"
+  sleep 20
+  echo "Hello from Alice via LIONESS!"
+  sleep 25
+  echo "/exit"
+) | ./run_chat_mix.sh > chat_alice.log 2>&1 &
+
+# bob: nickname → wait → /exit (just listening)
+( echo "bob"
+  sleep 50
+  echo "/exit"
+) | ./run_chat_mix1.sh > chat_bob.log 2>&1 &
+
+echo "[sim] waiting 60s for message round-trip through mixnet..."
+sleep 60
+
+# --- verify message receipt ------------------------------------------
+echo ""
+echo "[sim] === message delivery check ==="
+if grep -q "Hello from Alice via LIONESS" chat_bob.log; then
+  echo "[PASS] Bob received Alice's message"
+  grep "Hello from Alice" chat_bob.log
+else
+  echo "[FAIL] Bob did not receive Alice's message"
+  echo "--- last 20 lines of chat_bob.log ---"
+  tail -20 chat_bob.log
+fi
+
+# --- final metrics ----------------------------------------------------
+echo ""
+echo "[sim] === post-traffic cover-traffic metrics (t1) ==="
+./check_cover_traffic.sh > metrics_t1.log 2>&1
+cat metrics_t1.log
+
+echo ""
+echo "[sim] done. Logs: mix_node*.log, chat_alice.log, chat_bob.log, metrics_t{0,1}.log"
diff --git a/vendor/nim-libp2p b/vendor/nim-libp2p
index d2675d122..c51850284 160000
--- a/vendor/nim-libp2p
+++ b/vendor/nim-libp2p
@@ -1 +1 @@
-Subproject commit d2675d122c5ec6f21a9620f9360e5fd29de75404
+Subproject commit c518502842f34a542a9d70ed0766d0efc9d694b4
diff --git a/waku/discovery/waku_kademlia.nim b/waku/discovery/waku_kademlia.nim
index 77de264f2..fd5dfc1ac 100644
--- a/waku/discovery/waku_kademlia.nim
+++ b/waku/discovery/waku_kademlia.nim
@@ -68,11 +68,9 @@ proc new*(
   # initial self-signed peer record published to the DHT
   if params.advertiseMix:
     if params.mixPubKey.isSome():
-      let alreadyAdvertising = kademlia.startAdvertising(
+      kademlia.startAdvertising(
         ServiceInfo(id: MixProtocolID, data: @(params.mixPubKey.get()))
       )
-      if alreadyAdvertising:
-        warn "mix service was already being advertised"
       debug "extended kademlia advertising mix service",
         keyHex = byteutils.toHex(params.mixPubKey.get()),
         bootstrapNodes = params.bootstrapNodes.len
@@ -162,17 +160,18 @@ proc lookupMixPeers*(
     return err("cannot lookup mix peers: kademlia not mounted")
 
   let mixService = ServiceInfo(id: MixProtocolID, data: @[])
-  var records: seq[ExtendedPeerRecord]
-  try:
-    records = await wk.protocol.lookup(mixService)
-  except CatchableError:
-    return err("mix peer lookup failed: " & getCurrentExceptionMsg())
+  let advertisements =
+    try:
+      (await wk.protocol.lookup(mixService)).valueOr:
+        return err("mix peer lookup failed: " & error)
+    except CatchableError:
+      return err("mix peer lookup failed: " & getCurrentExceptionMsg())
 
-  debug "mix peer lookup returned records", numRecords = records.len
+  debug "mix peer lookup returned records", numRecords = advertisements.len
 
   var added = 0
-  for record in records:
-    let peerOpt = remotePeerInfoFrom(record)
+  for ad in advertisements:
+    let peerOpt = remotePeerInfoFrom(ad.data)
     if peerOpt.isNone():
       continue
 
@@ -202,7 +201,7 @@ proc runDiscoveryLoop(
 
       var records: seq[ExtendedPeerRecord]
       try:
-        records = await wk.protocol.randomRecords()
+        records = await wk.protocol.lookupRandom()
       except CatchableError as e:
         warn "extended kademlia discovery failed", error = e.msg
         await sleepAsync(interval)
diff --git a/waku/factory/builder.nim b/waku/factory/builder.nim
index 87b0db492..a690a2174 100644
--- a/waku/factory/builder.nim
+++ b/waku/factory/builder.nim
@@ -189,7 +189,7 @@ proc build*(builder: WakuNodeBuilder): Result[WakuNode, string] =
       wsAddress = builder.netConfig.get().wsHostAddress,
       transportFlags = {ServerFlags.ReuseAddr, ServerFlags.TcpNoDelay},
       rng = rng,
-      maxConnections = builder.switchMaxConnections.get(builders.MaxConnections),
+      maxConnections = builder.switchMaxConnections.get(MaxConnections),
       wssEnabled = builder.netConfig.get().wssEnabled,
       secureKeyPath = builder.switchSslSecureKey.get(""),
       secureCertPath = builder.switchSslSecureCert.get(""),
@@ -209,7 +209,7 @@ proc build*(builder: WakuNodeBuilder): Result[WakuNode, string] =
     maxServicePeers = some(builder.maxServicePeers),
     colocationLimit = builder.colocationLimit,
     shardedPeerManagement = builder.shardAware,
-    maxConnections = builder.switchMaxConnections.get(builders.MaxConnections),
+    maxConnections = builder.switchMaxConnections.get(MaxConnections),
   )
 
   var node: WakuNode
diff --git a/waku/node/peer_manager/peer_manager.nim b/waku/node/peer_manager/peer_manager.nim
index 15958a5a2..a01886ff5 100644
--- a/waku/node/peer_manager/peer_manager.nim
+++ b/waku/node/peer_manager/peer_manager.nim
@@ -24,6 +24,7 @@ import
     common/utils/parse_size_units,
     common/broker/broker_context,
     node/health_monitor/online_monitor,
+    node/waku_switch,
   ],
   ./peer_store/peer_storage,
   ./waku_peer_store
diff --git a/waku/node/waku_switch.nim b/waku/node/waku_switch.nim
index d1af77662..fd564aa14 100644
--- a/waku/node/waku_switch.nim
+++ b/waku/node/waku_switch.nim
@@ -17,6 +17,9 @@ import
 
 # override nim-libp2p default value (which is also 1)
 const MaxConnectionsPerPeer* = 1
+# nim-libp2p#2329 made libp2p's MaxConnections const private
+# (renamed to DefaultMaxConnections); redeclare here to keep waku's cap explicit.
+const MaxConnections* = 50
 
 proc withWsTransport*(b: SwitchBuilder): SwitchBuilder =
   b.withTransport(