diff --git a/bin/test b/bin/test
index 38bd4b2..a9f4510 100755
--- a/bin/test
+++ b/bin/test
@@ -26,11 +26,13 @@ case "$hub_who" in *"role=hub"*) : ;; *) echo "FAIL: citron not resolved as hub
 # Hub config must include a [Peer] block for its spoke(s).
 WG_RENDER_SELF=citron "$root/bin/wg-render" --dry-run 2>/dev/null | grep -q '^\[Peer\]' \
     || { echo "FAIL: citron hub render has no [Peer]" >&2; exit 1; }
-# Spoke config must point at the segment hub endpoint with a keepalive.
+# Spoke config must point at the segment hub endpoint with a keepalive. Derive
+# the expected endpoint from the data file (not hardcoded) so it can't drift.
+nyc3_ep=$(jq -r '.mesh.segments.nyc3.endpoint' "$root/data/mesh-hosts.json")
 spoke=$(WG_RENDER_SELF=lime "$root/bin/wg-render" --dry-run 2>/dev/null)
-case "$spoke" in *"Endpoint = 143.244.223.5:51820"*"PersistentKeepalive"*) : ;;
-    *) echo "FAIL: lime spoke render missing hub endpoint/keepalive" >&2; exit 1 ;; esac
-echo "ok: citron=hub peers spokes, lime=spoke -> citron"
+case "$spoke" in *"Endpoint = ${nyc3_ep}"*"PersistentKeepalive"*) : ;;
+    *) echo "FAIL: lime spoke render missing hub endpoint ${nyc3_ep}/keepalive" >&2; exit 1 ;; esac
+echo "ok: citron=hub peers spokes, lime=spoke -> citron ($nyc3_ep)"
 
 echo "==> wg-dns-sync segment listen"
 cit_listen=$(WG_DNS_SELF=citron "$root/bin/wg-dns-sync" --dry-run 2>/dev/null | sed -n 's/^listen-address=//p')