diff --git a/bin/wg-render b/bin/wg-render
index a3d216a..fbabd60 100755
--- a/bin/wg-render
+++ b/bin/wg-render
@@ -91,6 +91,13 @@ need_root() {
 echo "wg-render: need root to $1 (run with sudo)" >&2; exit 2
 }
 
+# --keygen/--pubkey are host-local (generate/print this box's key) and must work
+# BEFORE the host is registered in mesh-hosts.json — that's the bootstrap order
+# (keygen -> paste pubkey into mesh-hosts -> apply). So handle them before the
+# self-detection below, which would otherwise fail for an unregistered host.
+if [ "$mode" = "keygen" ]; then ensure_key; pubkey_of_self; exit 0; fi
+if [ "$mode" = "pubkey" ]; then pubkey_of_self; exit 0; fi
+
 # --- identify self (name/alias or any local IPv4 incl. wg) ---------------------
 short=$(hostname 2>/dev/null | cut -d. -f1); [ -n "$short" ] || short=$(uname -n | cut -d. -f1)
 if command -v ip >/dev/null 2>&1; then
@@ -135,9 +142,6 @@ if [ "$mode" = "whoami" ]; then
 "$self" "${self_seg:-}" "$role" "$seg_hub" "${seg_ep:-?}"
 exit 0
 fi
-if [ "$mode" = "keygen" ]; then ensure_key; pubkey_of_self; exit 0; fi
-if [ "$mode" = "pubkey" ]; then pubkey_of_self; exit 0; fi
-
 # --- render wg1.conf -----------------------------------------------------------
 # The private key is substituted from $KEY_FILE at install time, not embedded in
 # dry-run output (which prints a placeholder so logs never leak it).
diff --git a/data/mesh-hosts.json b/data/mesh-hosts.json
index dd9a055..0347e63 100644
--- a/data/mesh-hosts.json
+++ b/data/mesh-hosts.json
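Review bot: The relocated `keygen` and `pubkey` branches in the first hunk of bin/wg-render end in an unconditional `exit 0`, so a failure inside `ensure_key` or `pubkey_of_self` still reports success unless `set -e` is active elsewhere in the script, which this hunk does not show. In the bootstrap order the new comment describes, the printed key is pasted into mesh-hosts.json, so an empty or stale key with a zero exit status is easy to miss. I would propagate the status instead: `if [ "$mode" = "keygen" ]; then ensure_key && pubkey_of_self; exit $?; fi` and `if [ "$mode" = "pubkey" ]; then pubkey_of_self; exit $?; fi`. Because these branches now run earlier, it is also worth confirming that both helpers and the key-file path they use are defined above this point; their definitions are outside the hunk.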
@@ -175,6 +175,24 @@
 "public": "143.244.223.5",
 "mac": null,
 "identity": null
+ },
+ {
+ "name": "artifacts",
+ "aliases": [
+ "com.uvlava.quinn.artifacts"
+ ],
+ "class": "cloud",
+ "role": "DigitalOcean shared CI + artifact host (quinn-owned): Forgejo + verdaccio/pypi/swift registries for ct/mc/quinn. nyc3, default vpc. Reserved IP 134.199.243.61 (public forge/registry endpoints). Mesh spoke for private/internal access. IaC: provisioned out-of-band (not in uvlava terraform state).",
+ "os": "linux",
+ "ssh_user": "root",
+ "ssh_identity": "~/.ssh/id_ed25519_1984",
+ "segment": "nyc3",
+ "wg_pubkey": "IJ/nH04KmRSbSoeYSEV1zlHPu1/KbXl4cS1sOj70TU4=",
+ "wg": "10.9.0.8",
+ "lan": null,
+ "public": "134.199.243.61",
+ "mac": null,
+ "identity": null
 }
 ],
 "services": {
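Review bot: The new `artifacts` entry sets `"ssh_user": "root"` on a host that the same entry describes as carrying the public forge and registry endpoints, so whatever consumes this inventory would log in directly as root on the machine that serves packages to ct/mc/quinn. If the tooling allows it, a dedicated account with narrowly scoped sudo would limit what a leaked `~/.ssh/id_ed25519_1984` key exposes, for example `"ssh_user": "<admin-user>"` (placeholder). The role text also says the host is provisioned outside Terraform state, so its firewall and sshd settings cannot be reviewed from this repository; recording where that configuration lives would help. Whether other entries already use root is not visible in this hunk.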