Documented the vortex-unblock shipment (8 gaps closed across config, core, docker, system, and a new git provider). New page language/interpolation.md covers ${...} string interpolation: grammar, scalar coercion, \${ escape, the honesty guard still applying through templates. New page providers/git.md covers the git_repo kind: branch / tag / SHA dispatch, recreate-on-url-change, commit_sha drift, depth handling. Extended providers/system.md with system_secret_file (whole-file secret kind, sha256-only state, stricter default mode 0400, secret ref directly in content). Extended providers/docker.md with docker_image (build-on-host producer kind, DOCKER_BUILDKIT=1, image_id in state) and four new docker_container attrs: depends_on (planner topo sort + cycle / unknown-ref detection), healthcheck (map lowered to --health-* flags + post-apply readiness wait up to 60s), memory / memory_swap (passthrough to docker run), and list-form command (argv-style with shell-escaping). Updated providers/ssh.md for the new ssh_exec.env map (sorted, shell-quoted, supports secret refs). Updated cli.md for the new global --env-file flag with auto-./.env load (12-factor: process env wins, first-set wins among files) and the new stratum status subcommand (per-host uptime + free + df + docker stats table). Updated architecture.md with planner-side validators (port-conflict, depends_on topo sort), the normalize_for_plan / SECRET_CONTENT_TO_SHA plaintext-leak fix, plan-level redact_plan walk (drops marker-vs-plaintext spurious drift), the post-apply readiness wait, and rewrote the delete-ordering section for forward-topo with reverse-iteration fallback. Refreshed introduction.md "what works" (now four providers; ${...} interpolation, --env-file, status, git_repo, docker_image, system_secret_file, depends_on, healthcheck, planner validators all listed).
Extended tutorials/inject-secret-into-container.md with the connection-string-via-${...} pattern and the whole-file-secret-via-system_secret_file pattern. SUMMARY.md adds language/interpolation.md and providers/git.md.
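The depends_on planner validators and the delete-ordering rule named in the entry above (topological sort with cycle and unknown-ref detection; deletion as the reverse of the forward topo order) are easiest to see in code. The block below is an added illustration written for this page, not code from the stratum crates; the resource names (api, db, traefik), the `PlanError` variants and the helper `graph` constructor are assumptions, as is the choice of a depth-first three-colour walk.

```rust
use std::collections::BTreeMap;

/// Outcome of validating a depends_on graph before planning (illustrative type,
/// not stratum's own error enum).
#[derive(Debug, PartialEq)]
pub enum PlanError {
    /// `from` lists a depends_on target that no loaded config declares.
    UnknownRef { from: String, to: String },
    /// Dependency chain that returns to its start, e.g. ["a", "b", "a"].
    Cycle(Vec<String>),
}

#[derive(Clone, Copy, PartialEq)]
enum Mark {
    Unvisited,
    InProgress,
    Done,
}

/// Forward topological order: every resource appears after everything it depends_on.
/// Keys are resource names; values are the names in that resource's depends_on list.
pub fn create_order(graph: &BTreeMap<String, Vec<String>>) -> Result<Vec<String>, PlanError> {
    // Validator 1: every depends_on target must exist before we try to order anything.
    for (from, targets) in graph {
        for to in targets {
            if !graph.contains_key(to) {
                return Err(PlanError::UnknownRef { from: from.clone(), to: to.clone() });
            }
        }
    }
    // Validator 2: DFS with three-colour marking rejects cycles and emits the order.
    let mut marks: BTreeMap<&str, Mark> =
        graph.keys().map(|k| (k.as_str(), Mark::Unvisited)).collect();
    let mut path: Vec<&str> = Vec::new();
    let mut order: Vec<String> = Vec::new();
    for name in graph.keys() {
        visit(name, graph, &mut marks, &mut path, &mut order)?;
    }
    Ok(order)
}

fn visit<'a>(
    node: &'a str,
    graph: &'a BTreeMap<String, Vec<String>>,
    marks: &mut BTreeMap<&'a str, Mark>,
    path: &mut Vec<&'a str>,
    order: &mut Vec<String>,
) -> Result<(), PlanError> {
    match marks[node] {
        Mark::Done => return Ok(()),
        Mark::InProgress => {
            // Node is already on the current DFS path: report the loop from its
            // first occurrence back to itself.
            let start = path.iter().position(|n| *n == node).expect("node is on path");
            let mut cycle: Vec<String> = path[start..].iter().map(|n| n.to_string()).collect();
            cycle.push(node.to_string());
            return Err(PlanError::Cycle(cycle));
        }
        Mark::Unvisited => {}
    }
    marks.insert(node, Mark::InProgress);
    path.push(node);
    for dep in &graph[node] {
        visit(dep, graph, marks, path, order)?;
    }
    path.pop();
    marks.insert(node, Mark::Done);
    order.push(node.to_string());
    Ok(())
}

/// Delete order is the reverse of the forward topo order: dependents are removed first.
pub fn delete_order(graph: &BTreeMap<String, Vec<String>>) -> Result<Vec<String>, PlanError> {
    let mut order = create_order(graph)?;
    order.reverse();
    Ok(order)
}

/// Test helper: build a graph from declared nodes and (dependent, dependency) edges.
pub fn graph(nodes: &[&str], edges: &[(&str, &str)]) -> BTreeMap<String, Vec<String>> {
    let mut g: BTreeMap<String, Vec<String>> =
        nodes.iter().map(|n| (n.to_string(), Vec::new())).collect();
    for (from, to) in edges {
        g.entry(from.to_string()).or_default().push(to.to_string());
    }
    g
}

fn main() {
    // Constructed sample: api depends_on db and traefik, which stand alone.
    let g = graph(&["api", "db", "traefik"], &[("api", "db"), ("api", "traefik")]);
    println!("create: {:?}", create_order(&g));
    println!("delete: {:?}", delete_order(&g));
    println!("cycle:  {:?}", create_order(&graph(&["a", "b"], &[("a", "b"), ("b", "a")])));
    println!("unknown: {:?}", create_order(&graph(&["api", "db"], &[("api", "cache")])));
}
```

The unknown-ref check runs before the walk so a dangling name is reported as such rather than surfacing as an indexing panic mid-sort, and the cycle report carries the whole loop so the error message can name every resource involved.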
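The --env-file precedence rule in the same entry (process env wins, first-set wins among files) is the kind of thing that is easy to get backwards, so here is an added example of that merge, again written for this page rather than taken from stratum. The line grammar (KEY=VALUE, '#' comments, optional export prefix and quotes), the order in which explicit --env-file paths and ./.env are consulted, and the sample file contents are all assumptions.

```rust
use std::collections::BTreeMap;

/// Parse one dotenv-style file into (key, value) pairs in file order.
/// Assumed grammar, not necessarily stratum's: KEY=VALUE per line, blank lines and
/// '#' comments skipped, optional "export " prefix, optional matching quotes on the value.
pub fn parse_env_file(text: &str) -> Vec<(String, String)> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| {
            let l = l.strip_prefix("export ").unwrap_or(l);
            let (k, v) = l.split_once('=')?;
            let v = v.trim();
            let unquoted = v
                .strip_prefix('"')
                .and_then(|s| s.strip_suffix('"'))
                .or_else(|| v.strip_prefix('\'').and_then(|s| s.strip_suffix('\'')))
                .unwrap_or(v);
            Some((k.trim().to_string(), unquoted.to_string()))
        })
        .collect()
}

/// 12-factor merge: the process environment always wins; files are consulted in the
/// order given, and the first file (and first line within a file) that sets a key wins.
/// Caller decides the file order; the assumption here is explicit --env-file paths
/// first, then the auto-loaded ./.env.
pub fn merge_env(
    process_env: &BTreeMap<String, String>,
    files: &[&str],
) -> BTreeMap<String, String> {
    let mut merged = process_env.clone();
    for file in files {
        for (k, v) in parse_env_file(file) {
            merged.entry(k).or_insert(v); // existing entry wins, never overwritten
        }
    }
    merged
}

fn main() {
    // Constructed sample inputs: a process env, one explicit --env-file, one ./.env.
    let mut proc_env = BTreeMap::new();
    proc_env.insert("DB_PASSWORD".to_string(), "from-process".to_string());
    let explicit = "# explicit --env-file\nDB_PASSWORD=from-file\nexport API_TOKEN=\"tok-1\"\n";
    let dotenv = "API_TOKEN=tok-2\nREGION='fra1'\nREGION=nyc1\n";
    for (k, v) in merge_env(&proc_env, &[explicit, dotenv]) {
        println!("{k}={v}");
    }
}
```

Because the merge never overwrites, a secret exported in the shell cannot be silently replaced by a value committed in a .env file, which is the property the 12-factor ordering is meant to guarantee.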
Documented four shipped features. Added language/secrets.md (full reference for secret blocks: sources, refs, redaction map, marker shape, sensitive/short-value rules, the honesty guard, --allow-unresolved-secrets). Added language/multi-config.md (one-state-per-droplet rule, cross-file refs, duplicate hard errors, pointer to state merge). Added tutorials/inject-secret-into-container.md (env-var-on-docker_container pattern with rotation; inline code blocks, since the listings infra is not yet present). Rewrote the destruction-guard section in cli.md around the 165.22.246.185 brick incident, updated the error template to include loaded configs + state path. Added state merge to cli.md. Added --allow-unresolved-secrets to plan flag table. Documented docker_container.pull = false in providers/docker.md with the locally-built-image use case. Documented system_dir empty-dir mode (no source_dir) in providers/system.md and made source_dir optional in the attribute table; updated language/types.md to match. Added secret as a top-level block in language/overview.md and added secret as a ref root in language/references.md. Updated tutorials/book-serve.md to teach one-state-per-droplet via multiple -c flags, not one-state-per-config. Refreshed introduction.md "what works" with all four features. Fixed traefik:v3.1 -> traefik:v2.11 in architecture.md state-file example and added a secret-marker subsection.
Documented system_dir kind (tar+gz upload, manifest sha tracking, delete_extra, 200-file read cap) under providers/system.md. Added source_dir semantics to language/types.md. Added tutorials/book-serve.md walking through examples/book-serve.strat as the canonical "second app behind Traefik" pattern, including the one-state-file-per-config rule. Documented apply --allow-destroy and the destruction-guard rationale on cli.md; updated the bootstrap teardown step to use it. Refreshed introduction "what works" with system_dir and the destroy guard.
Scope pivot to ansible-replacement: coolify provider deleted, app-deployment work moved to sibling project deployd. --live flag dropped (apply -y now executes). New system provider documented (system_package, system_service, system_file, system_ufw_rule). Drift detection shipped (stratum plan --refresh, post-apply self-check, Observed/Drift types, one-sided diff_observed). content_file attribute on system_file documented under language reference. Replaced tutorials/slice-1-hello.md with tutorials/bootstrap-droplet.md. Architecture page got a drift section and a delete-ordering note.
Backfilled the book from current source: introduction, language reference (overview / hosts / resources / references / types), provider pages (coolify / ssh / docker), CLI reference, architecture, and the Slice 1 tutorial. Doc agent did the writing; source under crates/ is the source of truth.