- Modified step_git_pull() to fetch tags from main branch and checkout the latest tag
- Added fallback to main branch if no tags are found
- Changed default branch parameter from "release" to "main"
- Removed redundant git pull from step_update_app()
- Updated success message to indicate tag checkout
- Added rewrite_allowed_ips() to replace 0.0.0.0/0 with VPN CIDR in WireGuard configs
- Modified step_wireguard_provision() to rewrite AllowedIPs before deploying config
- Removed TODO comment about VPN blocking local network access
- Added gen-secure-msd-sig.sh to sign boot.img with private key using rpi-eeprom-digest
- Added rpi-boot-secure.sh to load signed secure-boot mass storage gadget via rpiboot
- Updated .gitignore to exclude usbboot/ directory
- Updated README with secure boot CM4 unlock instructions
- Added step_set_eth1_mac() to generate and configure random locally administered MAC addresses
- Made --name argument optional and conditional based on selected provisioning steps
- Updated documentation to include MAC configuration in production deployment checklist
