v1.5.3 — Security: pin Bosch cloud CA (CWE-295)

@mosandlt mosandlt released this 11 Jun 05:28
· 6 commits to main since this release

v1.5.3 — Security patch (CWE-295)

Advisory: GHSA-6qh5-x5m5-vj6v

The shared requests session used for OAuth and all Bosch cloud API calls now verifies TLS against the bundled Bosch private CA plus the system root store, instead of accepting any certificate. This closes an adjacent-network man-in-the-middle attack that could capture your Bosch OAuth tokens and bearer credentials.

  • New cloud_ssl.py pins the Bosch CA (system roots stay trusted for the Let's Encrypt login host).
  • cli_bridge.py defensively enforces verification on the cloud session, so the MCP server is protected regardless of the installed CLI version.
  • Local camera endpoints are unchanged (trust-on-first-use certificate pinning, recorded at first connect).
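The following is an added illustration of the pattern this release describes, not code from the project: a requests session whose TLS context trusts the system roots (for the public login host) plus one private CA, with a fail-closed check for a configured-but-missing CA file and a defensive "put verification back" step in the spirit of the cli_bridge.py change. The CA bundle path, the `PinnedAdapter` class and the function names are assumptions made for the example.

```python
"""Added example (not the project's code): pin a private CA on top of the
system root store for a requests session, and refuse to run unverified.

Assumptions: the private CA bundle path is hypothetical, and the helper
names below are invented for illustration.
"""
import os
import ssl

try:
    import requests
    from requests.adapters import HTTPAdapter
except ImportError:  # keep the SSL-context part runnable without requests
    requests = None
    HTTPAdapter = object

# Hypothetical location of the vendor's private CA bundle (assumption).
PRIVATE_CA_BUNDLE = "/etc/example/bosch-cloud-ca.pem"


def build_cloud_ssl_context(private_ca_path=None):
    """Return an SSLContext that trusts system roots plus an optional private CA.

    System roots are still needed for public hosts (a Let's Encrypt-issued
    login host, for example); the private CA is layered on top for the
    vendor's own API endpoints. A configured path that does not exist raises
    instead of silently shrinking the trust store to system roots only.
    """
    # create_default_context(): system roots loaded, CERT_REQUIRED, hostname check on.
    ctx = ssl.create_default_context()
    if private_ca_path is not None:
        if not os.path.isfile(private_ca_path):
            raise FileNotFoundError(f"private CA bundle not found: {private_ca_path}")
        ctx.load_verify_locations(cafile=private_ca_path)
    # Restate the two settings that matter so a later caller cannot have
    # downgraded them on a shared context by accident.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class PinnedAdapter(HTTPAdapter):
    """HTTPAdapter that hands urllib3 our pre-built, pinned SSLContext."""

    def __init__(self, ssl_context, **kwargs):
        self._ssl_context = ssl_context
        super().__init__(**kwargs)

    def init_poolmanager(self, *args, **kwargs):
        # urllib3's PoolManager accepts ssl_context as a pool keyword.
        kwargs["ssl_context"] = self._ssl_context
        return super().init_poolmanager(*args, **kwargs)


def make_cloud_session(private_ca_path=None):
    """Session for the cloud API: every https:// call goes through the pinned context."""
    if requests is None:
        raise RuntimeError("requests is not installed")
    session = requests.Session()
    session.mount("https://", PinnedAdapter(build_cloud_ssl_context(private_ca_path)))
    return session


def enforce_verification(session, ca_bundle_path):
    """Defensive re-enable, mirroring the intent of the cli_bridge.py change.

    If whatever created the session switched verification off (verify=False
    or None), restore it with the CA bundle. Works on any object exposing a
    `verify` attribute, as requests.Session does. Returns the final setting.
    """
    if session.verify is False or session.verify is None:
        session.verify = ca_bundle_path
    return session.verify


if __name__ == "__main__":
    ctx = build_cloud_ssl_context()  # system roots only; no private CA file here
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
    if requests is not None:
        s = make_cloud_session()
        s.verify = False                       # the weak setting this release removes
        print("restored verify ->", enforce_verification(s, PRIVATE_CA_BUNDLE))
```

The adapter route is what lets one session trust both stores without writing a merged PEM file; the simpler alternative, `session.verify = "<merged bundle path>"`, replaces the default store entirely, so a public-CA login host would then fail unless that bundle also carries the public roots. `enforce_verification` is deliberately dumb: it only ever turns verification on, never off.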

Update recommended. Reported by EQSTLab.