v2.21.0 (Feature — terminal SDK + CLI, and an audit-verify semantics fix)
Adds first-class terminal clients for the CertMate API and fixes a monitoring false-alarm in the audit-verify endpoint.
Terminal clients (new)
certmate-sdk and certmate-cli, in-repo under clients/, layered so the CLI is built on the SDK (never the reverse) and packaged so pip install certmate-sdk stays light (httpx only — no server, no certbot). The SDK (from certmate import Client) wraps the same /api/... surface the MCP server drives; the CLI (certmate cert create/ls/info/renew/reissue/rm, dns, backup, deploy run, audit verify, health) renders tables and adds two things the terminal lacked: --wait on create (polls the async job with a spinner) and a client-side --dry-run (validate the domain and preflight the DNS provider, issue nothing). A Swagger contract test keeps the SDK's endpoints in lockstep with the API.
Audit trail
GET /api/audit/verify no longer reports a brand-new instance as broken. An instance that has audited nothing yet has no chain file; that returned 409 (identical to a tamper), so a monitoring probe false-alarmed on a fresh deploy. It now returns 200 with state='absent' when nothing has ever been audited, and keeps 409 for a genuine break — including a chain file that was deleted after a signed checkpoint attested it existed.
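A monitoring probe that follows the new semantics, as an added example (not CertMate or SDK code). It assumes state is a top-level field of a JSON response body and that any other 200 response means the chain verified; the outcome names, the caller-supplied headers, and the paging policy in should_page are this example's own.

```python
import json
import urllib.error
import urllib.request

# Monitoring outcomes (names chosen for this example, not defined by CertMate).
OK, FRESH, BROKEN, UNKNOWN = "ok", "fresh", "broken", "unknown"


def classify(status, body):
    """Map an audit-verify HTTP status and raw body to a monitoring outcome."""
    if status == 409:
        return BROKEN      # genuine break, including a chain file deleted after a checkpoint
    if status != 200:
        return UNKNOWN     # auth failure, 5xx, proxy error: not evidence of tampering
    try:
        state = json.loads(body).get("state")
    except (ValueError, AttributeError):
        return UNKNOWN     # a 200 with an unparseable body is not a pass
    # Assumption: a 200 whose state is not 'absent' means the chain verified.
    return FRESH if state == "absent" else OK


def should_page(previous, current):
    """Example paging policy: True when a human should look at the audit trail."""
    if current == BROKEN:
        return True
    # This example's own rule: an instance that verified on the last probe
    # should not regress to "nothing has ever been audited".
    return current == FRESH and previous == OK


def probe(base_url, headers=None, timeout=10):
    """Call GET /api/audit/verify and classify the answer."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/audit/verify",
                                 headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # urllib raises on 409; the exception still carries status and body.
        return classify(err.code, err.read())
    except (urllib.error.URLError, OSError):
        return UNKNOWN     # unreachable instance is an availability problem


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real instance.
    for status, body in [(200, b'{"state": "absent"}'), (409, b"{}"), (502, b"")]:
        print(status, classify(status, body))
```

Keep UNKNOWN on a separate availability alert so an outage or expired credential is never reported as a tampered audit chain.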