docs: update for v1.5.0 public registration feature

PROJECT.md

@@ -119,7 +119,7 @@ A self-hosted pastebin API that:
 
 ## Current Status
 
-**Version:** 1.4.0
+**Version:** 1.5.0
 
 ```
 ┌─────────────────────────────────┬────────────────────────────────────────────┐
@@ -149,6 +149,8 @@ A self-hosted pastebin API that:
 │ CI/CD pipeline                  │ Complete
 │ Scheduled cleanup               │ Complete
 │ CLI paste listing/search        │ Complete
-│ Test suite                      │ 205 tests passing
+│ Public certificate registration │ Complete
+│ CLI register command            │ Complete
+│ Test suite                      │ 216 tests passing
 └─────────────────────────────────┴────────────────────────────────────────────┘
 ```

ROADMAP.md

@@ -2,7 +2,7 @@
 
 ## Current State
 
-FlaskPaste v1.4.0 is deployed with comprehensive security hardening and abuse prevention.
+FlaskPaste v1.5.0 is deployed with comprehensive security hardening and abuse prevention.
 
 **Implemented:**
 - Full REST API (CRUD operations)
@@ -26,7 +26,9 @@ FlaskPaste v1.4.0 is deployed with comprehensive security hardening and abuse pr
 - Security tooling (ruff, bandit, mypy, pip-audit)
 - CI/CD pipeline with lint, security, and test jobs
 - CLI with list, search, update, export commands
-- Comprehensive test suite (205 tests)
+- Public certificate registration (PoW-protected)
+- CLI register command for certificate enrollment
+- Comprehensive test suite (216 tests)
 
 ## Phase 1: Hardening (Complete)
 
@@ -97,9 +99,12 @@ Integrated certificate authority for mTLS:
 - `POST /pki/ca` - Generate CA (first-run bootstrap)
 - `GET /pki/status` - CA status and fingerprint
 - `GET /pki/ca.crt` - Download CA certificate
-- `POST /pki/issue` - Issue client certificate
+- `POST /pki/issue` - Issue client certificate (admin)
 - `POST /pki/revoke/<serial>` - Revoke certificate
+- `GET /register/challenge` - Get PoW challenge for registration
+- `POST /register` - Public certificate registration (PoW-protected)
 - CLI: `fpaste pki status`, `fpaste pki issue`, `fpaste pki revoke`
+- CLI: `fpaste register` - Self-service certificate enrollment
 
 ## Phase 4: Ecosystem (In Progress)
 
@@ -130,8 +135,10 @@ Standalone Python CLI with encryption, PKI, and paste management:
 - `fpaste update <id>` - Update paste content/metadata
 - `fpaste export -o dir/` - Export all pastes to directory
 - `fpaste pki status` - Show PKI status
-- `fpaste pki issue -n "name"` - Request client certificate
+- `fpaste pki issue -n "name"` - Request client certificate (admin)
 - `fpaste pki revoke <serial>` - Revoke certificate
+- `fpaste register` - Self-service certificate registration
+- `fpaste register --configure` - Register and auto-configure client
 - Automatic retry on PoW failure (max 5 attempts)
 - Config file for server URL and cert fingerprint
 - Downloadable via `curl https://server/client > fpaste`
@@ -170,6 +177,7 @@ These features will not be implemented:
 | 2024-12    | Scheduled cleanup (in-process)     | No external cron needed
 | 2024-12    | CLI encrypt-by-default             | Security-first design
 | 2024-12    | CLI retry on PoW failure           | Graceful handling of stale tokens
+| 2024-12    | Public cert registration           | Self-service onboarding with PoW protection
 
 ## Review Schedule
 

TASKLIST.md

@@ -37,6 +37,8 @@ Prioritized, actionable tasks. Each task is small and completable in one session
 
 | Date       | Task
 |------------|--------------------------------------------------------------
+| 2024-12    | Add public certificate registration endpoint
+| 2024-12    | Add CLI register command
 | 2024-12    | Implement anti-flood (dynamic PoW difficulty)
 | 2024-12    | Implement IP-based rate limiting
 | 2024-12    | Add scheduled cleanup (pastes, hashes, rate limits)