v0.25.0

New Commands

strut <stack> init-secrets (#119)

Generate a populated .env file from .env.template with auto-generated secrets. Detects placeholder values, respects generation hints in comments, and preserves existing values on re-run.

strut <host> provision (#120)

One-time host bootstrap via convention-based provision scripts. SCPs and executes scripts/provision-<host>.sh on the remote, marks host as provisioned.

strut <host> cert:renew / cert:status (#121)

Tailscale HTTPS cert lifecycle management. Renews certs, fixes ownership for Caddy, reloads the service. cert:status shows expiry dates with warnings.

First-run hooks (#122)

New hooks/first_run.sh lifecycle hook that runs once on first deploy. Creates a .strut-initialized marker to prevent re-running. Use cases: Synapse generate, DB migrations, admin user creation.

strut gateway (#123)

Caddy system-service management (deploy/status/reload/validate). Convention: stacks/gateway/Caddyfile.<host>. Validates config on remote before reload, auto-rollback on failure.

Fixes

• Fixed SC2119/SC2120 shellcheck warnings in topology.sh
• Fixed plugin test collision with core ship command

Testing

78 new tests across the 5 features. All passing with clean shellcheck.