diff --git a/AUDIT.md b/AUDIT.md
index 21fbdc5..6f5242d 100644
--- a/AUDIT.md
+++ b/AUDIT.md
@@ -1,11 +1,11 @@
# Cycles Protocol v0.1.25 — Events Server Implementation Audit
-**Date:** 2026-04-26 (v0.1.25.12 — dependency hygiene: Spring Boot 3.5.13 → 3.5.14 (patch with security fixes incl. constant-time comparison for remote DevTools secret, hostname verification, `RandomValuePropertySource` SecureRandom); Jedis 5.2.0 → 6.2.0 (major; binary compatibility for `SetParams` restored in 6.1.0; our usage `JedisPool`/`Jedis`/`SetParams`/`ScanParams`/`ScanResult`/`JedisConnectionException` is unaffected, all 199 tests pass); GHA `aquasecurity/trivy-action` 0.35.0 → 0.36.0 and `dependabot/fetch-metadata` v2 → v3; **drop `10.1.54` override** since Spring Boot 3.5.14's BOM now manages 10.1.54 — same effective Tomcat, simpler pom. No code changes; `WebhookTransport` hardcoded version fallback synced to 0.1.25.12.), 2026-04-23 (v0.1.25.11 — admin-spec v0.1.25.33 alignment, dispatcher half: emit `webhook.disabled` Event on auto-disable. When `DeliveryHandler.incrementConsecutiveFailures` crosses `disable_after_failures`, the dispatcher now writes an Event directly to the shared Redis store alongside the existing `DISABLED` status flip and `cycles_subscription_auto_disabled_total` metric. `EventRepository.save` mirrors the admin-side Lua script (`event:` with TTL + ZADD on `events:` and `events:_all` + optional SADD on `events:correlation:`); `EventType.WEBHOOK_DISABLED` and `EventCategory.WEBHOOK` enum values added (additive, no wire break). `correlation_id = webhook_auto_disable::`; payload conforms to `EventDataWebhookLifecycle` with `disable_reason="consecutive_failures_exceeded_threshold"`; `actor.type=system`, `source=cycles-events`; `trace_id` copied from the triggering Delivery when present. Emit is best-effort (Redis write failure is logged at WARN but does not revert the status flip). 
The operator-initiated webhook lifecycle emits — `webhook.created/updated/paused/resumed/deleted` — remain the responsibility of `cycles-server-admin` v0.1.25.39; this patch closes only the auto-disable gap the spec names as the dispatcher's exclusive emission point.), 2026-04-19 (v0.1.25.10 — supply-chain CVE fix; Spring Boot 3.5.11 → 3.5.13 + `10.1.54` pin closes 4 HIGH/CRITICAL CVEs on `tomcat-embed-core`: CVE-2026-29145 CRITICAL, CVE-2026-29129 HIGH (SB 3.5.13 transitive 10.1.53), CVE-2026-34483 HIGH, CVE-2026-34487 HIGH (10.1.54 pin). No code changes; all 195 tests pass.),
+**Date:** 2026-05-25 (v0.1.25.13 — Apache Tomcat CVE patch: re-introduce `10.1.55` override to fix 3 CRITICAL + 3 HIGH + 1 LOW CVEs landed in trivy DB between 2026-05-11 and 2026-05-24 against `tomcat-embed-core 10.1.54` (SB 3.5.14's managed version). CVEs: CVE-2026-43515 / -43512 / -41293 (CRITICAL), -43513 / -42498 / -41284 (HIGH), -43514 (LOW). All in `tomcat-embed-core` 10.1.0-M1..10.1.54 range; all fixed in 10.1.55. Property-override only — no code change, no spec change, no wire change. Same pin shape as the v0.1.25.10 10.1.54 override (dropped at v0.1.25.12 when SB 3.5.14 caught up). Remove once SB ships 10.1.55+ as managed.), 2026-04-26 (v0.1.25.12 — dependency hygiene: Spring Boot 3.5.13 → 3.5.14 (patch with security fixes incl. constant-time comparison for remote DevTools secret, hostname verification, `RandomValuePropertySource` SecureRandom); Jedis 5.2.0 → 6.2.0 (major; binary compatibility for `SetParams` restored in 6.1.0; our usage `JedisPool`/`Jedis`/`SetParams`/`ScanParams`/`ScanResult`/`JedisConnectionException` is unaffected, all 199 tests pass); GHA `aquasecurity/trivy-action` 0.35.0 → 0.36.0 and `dependabot/fetch-metadata` v2 → v3; **drop `10.1.54` override** since Spring Boot 3.5.14's BOM now manages 10.1.54 — same effective Tomcat, simpler pom. No code changes; `WebhookTransport` hardcoded version fallback synced to 0.1.25.12.), 2026-04-23 (v0.1.25.11 — admin-spec v0.1.25.33 alignment, dispatcher half: emit `webhook.disabled` Event on auto-disable. When `DeliveryHandler.incrementConsecutiveFailures` crosses `disable_after_failures`, the dispatcher now writes an Event directly to the shared Redis store alongside the existing `DISABLED` status flip and `cycles_subscription_auto_disabled_total` metric. 
`EventRepository.save` mirrors the admin-side Lua script (`event:` with TTL + ZADD on `events:` and `events:_all` + optional SADD on `events:correlation:`); `EventType.WEBHOOK_DISABLED` and `EventCategory.WEBHOOK` enum values added (additive, no wire break). `correlation_id = webhook_auto_disable::`; payload conforms to `EventDataWebhookLifecycle` with `disable_reason="consecutive_failures_exceeded_threshold"`; `actor.type=system`, `source=cycles-events`; `trace_id` copied from the triggering Delivery when present. Emit is best-effort (Redis write failure is logged at WARN but does not revert the status flip). The operator-initiated webhook lifecycle emits — `webhook.created/updated/paused/resumed/deleted` — remain the responsibility of `cycles-server-admin` v0.1.25.39; this patch closes only the auto-disable gap the spec names as the dispatcher's exclusive emission point.), 2026-04-19 (v0.1.25.10 — supply-chain CVE fix; Spring Boot 3.5.11 → 3.5.13 + `10.1.54` pin closes 4 HIGH/CRITICAL CVEs on `tomcat-embed-core`: CVE-2026-29145 CRITICAL, CVE-2026-29129 HIGH (SB 3.5.13 transitive 10.1.53), CVE-2026-34483 HIGH, CVE-2026-34487 HIGH (10.1.54 pin). No code changes; all 195 tests pass.),
2026-04-18 (v0.1.25.8 — admin-spec v0.1.25.28 alignment: extend correlation/tracing onto `WebhookDelivery`. Add three optional fields to `Delivery` model (`trace_id`, `trace_flags`, `traceparent_inbound_valid`); `TraceContext.buildTraceparent` now accepts a `trace_flags` byte so outbound `traceparent` preserves inbound sampling decisions when `traceparent_inbound_valid=true`; `Transport.deliver` gains a `Delivery` parameter so the transport can read the sampling hints. Proactive `trace_id` stamping: `DeliveryHandler` copies `Event.trace_id` onto the persisted `Delivery` record when admin hasn't set one, filling the gap while `cycles-server-admin` catches up to spec v0.1.25.28 (no overwrite if admin has already stamped).), 2026-04-18 (v0.1.25.7 — admin-spec v0.1.25.27 alignment: three-tier correlation/tracing. Add `Event.trace_id` (optional, `^[0-9a-f]{32}$`); new `TraceContext` helper resolves-or-mints trace-id and builds W3C `traceparent` v00 with fresh span-id per delivery; WebhookTransport emits `X-Cycles-Trace-Id` + `traceparent` on every outbound POST and forwards `X-Request-Id` when event carries `request_id`; EventPayloadValidator gains non-fatal `trace_id_shape` rule. 
Documents negative findings for spec v0.1.25.19–.26 (admin-plane-only changes that do not affect the dispatcher).), 2026-04-16 (v0.1.25.6 — admin-spec v0.1.25.18 alignment: add `BUDGET_RESET_SPENT`; add `cycles_webhook_*` Micrometer counters + latency timer mirroring `cycles-server` v0.1.25.10; add non-fatal `EventPayloadValidator` mirroring `cycles-server-admin` v0.1.25.12; parity refactor adopting dotted metric names, `tags(...)` helper, tenant-tag toggle, `UNKNOWN` sentinel; add `CHANGELOG.md` + `OPERATIONS.md` for doc parity), 2026-04-08 (v0.1.25.5 — force HTTP/1.1 outbound transport to fix h2c body drop, #16), 2026-04-07 (v0.1.25.4 — partial subscription update to avoid overwriting admin config), 2026-04-03 (v0.1.25.3 — Prometheus registry dependency; typed `DeliveryStatus`/`WebhookStatus` enums), 2026-04-01 (v0.1.25.1 initial implementation — dispatch loop, delivery handler, retry scheduler, AES-256-GCM secret encryption, TTL-based retention, E2E integration test).
**Spec:** `cycles-governance-admin-v0.1.25.yaml` (OpenAPI 3.1.0, v0.1.25.34) — authoritative source at `cycles-protocol` repo; served from `cycles-server-admin`. v0.1.25.33 introduced the `webhook.*` lifecycle EventTypes and `EventDataWebhookLifecycle` schema; v0.1.25.34 added the `webhook` value to `EventCategory`. This service implements only the dispatcher-emission half (auto-disable → `webhook.disabled`); the operator-plane emits live in `cycles-server-admin` v0.1.25.39.
-**Service:** Spring Boot 3.5.14 / Java 21 / Jedis 6.2.0 / Micrometer Prometheus registry. Redis-driven webhook dispatcher (no inbound API surface of its own).
+**Service:** Spring Boot 3.5.14 / Java 21 / Jedis 6.2.0 / Micrometer Prometheus registry. Redis-driven webhook dispatcher (no inbound API surface of its own). · tomcat-embed-core 10.1.55 pin (SB 3.5.14 still manages 10.1.54; pin re-introduced 2026-05-25 for Apache Tomcat CVE-2026-43512 / -43513 / -43514 / -43515 / -42498 / -41284 / -41293)
**Downstream docs:**
- [`CHANGELOG.md`](CHANGELOG.md) — release notes for consumers (Keep-a-Changelog format)
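Review bot: the new v0.1.25.13 `**Date:**` entry repeats the full CVE identifier list that the `**Service:**` line in the same hunk also carries, and the `**Date:**` field is now one unbroken paragraph covering five releases; keep the CVE identifiers in one place (the `**Service:**` line, which is where the pin is described) and point the per-release narrative at `CHANGELOG.md`, which this hunk's trailing context already links. The "Remove once SB ships 10.1.55+ as managed" reminder should also say how that is tracked, since the earlier `10.1.54` override was only dropped at v0.1.25.12 after someone noticed the BOM had caught up; a dependabot or Trivy check that fails when the managed Tomcat reaches the pinned version would make the removal mechanical rather than memory-dependent.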
diff --git a/pom.xml b/pom.xml
index 19ce881..1a3ed43 100644
--- a/pom.xml
+++ b/pom.xml
@@ -18,10 +18,23 @@
Event delivery service for the Cycles ecosystem
- 0.1.25.12
+ 0.1.25.13
21
7.5.0
1.20.4
+
+ 10.1.55
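Review bot: bumping the project version to `0.1.25.13` with "no code change" leaves the `WebhookTransport` hardcoded version fallback at `0.1.25.12` (the AUDIT.md hunk above records that it was hand-synced at the previous release), so whatever the transport reports from that fallback will lag the pom whenever build-info is unavailable; either sync it in this change or derive it from build-info so it cannot drift again. The property name for the `10.1.55` override is stripped from the rendered hunk; confirm it is the Spring Boot BOM's `tomcat.version` property (the key the starter parent honours for `tomcat-embed-core`) and add an XML comment beside it naming the CVE batch and the removal condition, so the pin is self-documenting when the BOM catches up.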