Author here. You're right. The project is still in beta - so we're still working on ironing out some of the kinks. The host key verification issue is being worked on today actually. I'm not sure what you mean by "bootstrapping the chain of trust with pre-verified credentials" though. If you want to open an issue on https://github.com/CypherpunkArmory/holepunch we'd love to get your feedback about how we can improve security prior to a general release.