chore: Bump version to 1.0.0-rc.1

Release candidate for V1.0.0 with complete IndieWeb support.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,78 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.0-rc.1] - 2025-11-24
+
+### Release Candidate for V1.0.0
+First release candidate with complete IndieWeb support. This milestone implements the full V1 specification with IndieAuth authentication and Micropub posting capabilities.
+
+### Added
+- **Phase 1: Secure Token Management**
+  - Bearer token storage with Argon2id hashing
+  - Automatic token expiration (90 days default)
+  - Token revocation endpoint (`POST /micropub?action=revoke`)
+  - Admin interface for token management with creation, viewing, and revocation
+  - Comprehensive test coverage for token operations (14 tests)
+
+- **Phase 2: IndieAuth Token Endpoint**
+  - Token endpoint (`POST /indieauth/token`) for access token issuance
+  - Authorization endpoint (`POST /indieauth/authorize`) for consent flow
+  - PKCE verification for authorization code exchange
+  - Token verification endpoint (`GET /indieauth/token`) for clients
+  - Proper OAuth 2.0/IndieAuth spec compliance
+  - Client credential validation and scope enforcement
+  - Test suite for token and authorization endpoints (13 tests)
+
+- **Phase 3: Micropub Endpoint**
+  - Micropub endpoint (`POST /micropub`) for creating posts
+  - Support for both JSON and form-encoded requests
+  - Bearer token authentication with scope validation
+  - Content validation and sanitization
+  - Post creation with automatic timestamps
+  - Location header with post URL in responses
+  - Comprehensive error handling with proper HTTP status codes
+  - Integration tests for complete authentication flow (11 tests)
+
+### Changed
+- Admin interface now includes token management section
+- Database schema extended with `tokens` table for secure token storage
+- Authentication system now supports both admin sessions and bearer tokens
+- Authorization flow integrated with existing IndieAuth authentication
+
+### Security
+- Bearer tokens hashed with Argon2id (same as passwords)
+- Tokens support automatic expiration
+- Scope validation enforces `create` permission for posting
+- PKCE prevents authorization code interception
+- Token verification validates both hash and expiration
+
+### Standards Compliance
+- IndieAuth specification (W3C) for authentication and authorization
+- Micropub specification (W3C) for posting interface
+- OAuth 2.0 bearer token authentication
+- Proper HTTP status codes and error responses
+- Location header for created resources
+
+### Testing
+- 77 total tests (all passing)
+- Complete coverage of token management, IndieAuth endpoints, and Micropub
+- Integration tests verify end-to-end flows
+- Error case coverage for validation and authentication failures
+
+### Documentation
+- Implementation reports for all three phases
+- Architecture reviews documenting design decisions
+- API contracts specified in docs/design/api-contracts.md
+- Test coverage documented in implementation reports
+
+### Related Standards
+- ADR-023: Micropub V1 Implementation Strategy
+- W3C IndieAuth Specification
+- W3C Micropub Specification
+
+### Notes
+This is a release candidate for testing. Stable 1.0.0 will be released after testing period and any necessary fixes.
+
 ## [0.9.5] - 2025-11-23
 
 ### Fixed

starpunk/__init__.py

@@ -153,5 +153,5 @@ def create_app(config=None):
 
 # Package version (Semantic Versioning 2.0.0)
 # See docs/standards/versioning-strategy.md for details
-__version__ = "0.9.5"
+__version__ = "1.0.0-rc.1"
-__version_info__ = (0, 9, 5)
+__version_info__ = (1, 0, 0, "rc", 1)