Release v1.9.0 — Sprint sécurité MCP (C1-C10) · jmrGrav/hugo-mcp

Sprint Sécurité MCP — 10 chantiers complétés

Chantier	Description
C1	slowapi rate limiting — 60 req/min per IP (`X-Real-IP`)
C2	Multi-token auth — `tokens.json` + `token_mgr.py` CLI (add/revoke/list/migrate)
C3	structlog JSON audit events — machine-readable `write_op` + `timing` logs
C4	Pydantic v2 input models — `CreatePageArgs`/`UpdatePageArgs` with field constraints
C5	bcrypt cost-12 for all stored tokens
C6	TLS NUC↔VM — EC P-256 self-signed cert, uvicorn SSL, proxy cert verification
C7	`requirements.lock` with SHA-256 hashes (`pip-compile --generate-hashes`)
C8	FastAPI docs disabled, generic exception handler (no traceback leak), nginx `proxy_hide_header`
C9	nginx enforcement: POST-only + `application/json` on `/mcp`; OWASP CRS ModSec active
C10	`backup.sh` — GPG-encrypted DR backup with 30-day retention

token_mgr.py — Token lifecycle management CLI
backup.sh — DR backup script
requirements.lock — Hashed dependency lockfile
docs/backlogs/upload-asset-tool-2026-05-09.md — Future upload_asset tool spec