Merged
4 changes: 2 additions & 2 deletions AUDIT.md
@@ -1,11 +1,11 @@
# Cycles Protocol v0.1.25 — Events Server Implementation Audit

**Date:** 2026-04-26 (v0.1.25.12 — dependency hygiene: Spring Boot 3.5.13 → 3.5.14 (patch with security fixes incl. constant-time comparison for remote DevTools secret, hostname verification, `RandomValuePropertySource` SecureRandom); Jedis 5.2.0 → 6.2.0 (major; binary compatibility for `SetParams` restored in 6.1.0; our usage `JedisPool`/`Jedis`/`SetParams`/`ScanParams`/`ScanResult`/`JedisConnectionException` is unaffected, all 199 tests pass); GHA `aquasecurity/trivy-action` 0.35.0 → 0.36.0 and `dependabot/fetch-metadata` v2 → v3; **drop `<tomcat.version>10.1.54</tomcat.version>` override** since Spring Boot 3.5.14's BOM now manages 10.1.54 — same effective Tomcat, simpler pom. No code changes; `WebhookTransport` hardcoded version fallback synced to 0.1.25.12.), 2026-04-23 (v0.1.25.11 — admin-spec v0.1.25.33 alignment, dispatcher half: emit `webhook.disabled` Event on auto-disable. When `DeliveryHandler.incrementConsecutiveFailures` crosses `disable_after_failures`, the dispatcher now writes an Event directly to the shared Redis store alongside the existing `DISABLED` status flip and `cycles_subscription_auto_disabled_total` metric. `EventRepository.save` mirrors the admin-side Lua script (`event:<id>` with TTL + ZADD on `events:<tenantId>` and `events:_all` + optional SADD on `events:correlation:<cid>`); `EventType.WEBHOOK_DISABLED` and `EventCategory.WEBHOOK` enum values added (additive, no wire break). `correlation_id = webhook_auto_disable:<subscription_id>:<delivery_id>`; payload conforms to `EventDataWebhookLifecycle` with `disable_reason="consecutive_failures_exceeded_threshold"`; `actor.type=system`, `source=cycles-events`; `trace_id` copied from the triggering Delivery when present. Emit is best-effort (Redis write failure is logged at WARN but does not revert the status flip). 
The operator-initiated webhook lifecycle emits — `webhook.created/updated/paused/resumed/deleted` — remain the responsibility of `cycles-server-admin` v0.1.25.39; this patch closes only the auto-disable gap the spec names as the dispatcher's exclusive emission point.), 2026-04-19 (v0.1.25.10 — supply-chain CVE fix; Spring Boot 3.5.11 → 3.5.13 + `<tomcat.version>10.1.54</tomcat.version>` pin closes 4 HIGH/CRITICAL CVEs on `tomcat-embed-core`: CVE-2026-29145 CRITICAL, CVE-2026-29129 HIGH (SB 3.5.13 transitive 10.1.53), CVE-2026-34483 HIGH, CVE-2026-34487 HIGH (10.1.54 pin). No code changes; all 195 tests pass.),
**Date:** 2026-05-25 (v0.1.25.13 — Apache Tomcat CVE patch: re-introduce `<tomcat.version>10.1.55</tomcat.version>` override to fix 3 CRITICAL + 3 HIGH + 1 LOW CVEs landed in trivy DB between 2026-05-11 and 2026-05-24 against `tomcat-embed-core 10.1.54` (SB 3.5.14's managed version). CVEs: CVE-2026-43515 / -43512 / -41293 (CRITICAL), -43513 / -42498 / -41284 (HIGH), -43514 (LOW). All in `tomcat-embed-core` 10.1.0-M1..10.1.54 range; all fixed in 10.1.55. Property-override only — no code change, no spec change, no wire change. Same pin shape as the v0.1.25.10 10.1.54 override (dropped at v0.1.25.12 when SB 3.5.14 caught up). Remove once SB ships 10.1.55+ as managed.), 2026-04-26 (v0.1.25.12 — dependency hygiene: Spring Boot 3.5.13 → 3.5.14 (patch with security fixes incl. constant-time comparison for remote DevTools secret, hostname verification, `RandomValuePropertySource` SecureRandom); Jedis 5.2.0 → 6.2.0 (major; binary compatibility for `SetParams` restored in 6.1.0; our usage `JedisPool`/`Jedis`/`SetParams`/`ScanParams`/`ScanResult`/`JedisConnectionException` is unaffected, all 199 tests pass); GHA `aquasecurity/trivy-action` 0.35.0 → 0.36.0 and `dependabot/fetch-metadata` v2 → v3; **drop `<tomcat.version>10.1.54</tomcat.version>` override** since Spring Boot 3.5.14's BOM now manages 10.1.54 — same effective Tomcat, simpler pom. No code changes; `WebhookTransport` hardcoded version fallback synced to 0.1.25.12.), 2026-04-23 (v0.1.25.11 — admin-spec v0.1.25.33 alignment, dispatcher half: emit `webhook.disabled` Event on auto-disable. When `DeliveryHandler.incrementConsecutiveFailures` crosses `disable_after_failures`, the dispatcher now writes an Event directly to the shared Redis store alongside the existing `DISABLED` status flip and `cycles_subscription_auto_disabled_total` metric. 
`EventRepository.save` mirrors the admin-side Lua script (`event:<id>` with TTL + ZADD on `events:<tenantId>` and `events:_all` + optional SADD on `events:correlation:<cid>`); `EventType.WEBHOOK_DISABLED` and `EventCategory.WEBHOOK` enum values added (additive, no wire break). `correlation_id = webhook_auto_disable:<subscription_id>:<delivery_id>`; payload conforms to `EventDataWebhookLifecycle` with `disable_reason="consecutive_failures_exceeded_threshold"`; `actor.type=system`, `source=cycles-events`; `trace_id` copied from the triggering Delivery when present. Emit is best-effort (Redis write failure is logged at WARN but does not revert the status flip). The operator-initiated webhook lifecycle emits — `webhook.created/updated/paused/resumed/deleted` — remain the responsibility of `cycles-server-admin` v0.1.25.39; this patch closes only the auto-disable gap the spec names as the dispatcher's exclusive emission point.), 2026-04-19 (v0.1.25.10 — supply-chain CVE fix; Spring Boot 3.5.11 → 3.5.13 + `<tomcat.version>10.1.54</tomcat.version>` pin closes 4 HIGH/CRITICAL CVEs on `tomcat-embed-core`: CVE-2026-29145 CRITICAL, CVE-2026-29129 HIGH (SB 3.5.13 transitive 10.1.53), CVE-2026-34483 HIGH, CVE-2026-34487 HIGH (10.1.54 pin). No code changes; all 195 tests pass.),
2026-04-18 (v0.1.25.8 — admin-spec v0.1.25.28 alignment: extend correlation/tracing onto `WebhookDelivery`. Add three optional fields to `Delivery` model (`trace_id`, `trace_flags`, `traceparent_inbound_valid`); `TraceContext.buildTraceparent` now accepts a `trace_flags` byte so outbound `traceparent` preserves inbound sampling decisions when `traceparent_inbound_valid=true`; `Transport.deliver` gains a `Delivery` parameter so the transport can read the sampling hints. Proactive `trace_id` stamping: `DeliveryHandler` copies `Event.trace_id` onto the persisted `Delivery` record when admin hasn't set one, filling the gap while `cycles-server-admin` catches up to spec v0.1.25.28 (no overwrite if admin has already stamped).), 2026-04-18 (v0.1.25.7 — admin-spec v0.1.25.27 alignment: three-tier correlation/tracing. Add `Event.trace_id` (optional, `^[0-9a-f]{32}$`); new `TraceContext` helper resolves-or-mints trace-id and builds W3C `traceparent` v00 with fresh span-id per delivery; WebhookTransport emits `X-Cycles-Trace-Id` + `traceparent` on every outbound POST and forwards `X-Request-Id` when event carries `request_id`; EventPayloadValidator gains non-fatal `trace_id_shape` rule. 
Documents negative findings for spec v0.1.25.19–.26 (admin-plane-only changes that do not affect the dispatcher).), 2026-04-16 (v0.1.25.6 — admin-spec v0.1.25.18 alignment: add `BUDGET_RESET_SPENT`; add `cycles_webhook_*` Micrometer counters + latency timer mirroring `cycles-server` v0.1.25.10; add non-fatal `EventPayloadValidator` mirroring `cycles-server-admin` v0.1.25.12; parity refactor adopting dotted metric names, `tags(...)` helper, tenant-tag toggle, `UNKNOWN` sentinel; add `CHANGELOG.md` + `OPERATIONS.md` for doc parity), 2026-04-08 (v0.1.25.5 — force HTTP/1.1 outbound transport to fix h2c body drop, #16), 2026-04-07 (v0.1.25.4 — partial subscription update to avoid overwriting admin config), 2026-04-03 (v0.1.25.3 — Prometheus registry dependency; typed `DeliveryStatus`/`WebhookStatus` enums), 2026-04-01 (v0.1.25.1 initial implementation — dispatch loop, delivery handler, retry scheduler, AES-256-GCM secret encryption, TTL-based retention, E2E integration test).

**Spec:** `cycles-governance-admin-v0.1.25.yaml` (OpenAPI 3.1.0, v0.1.25.34) — authoritative source at `cycles-protocol` repo; served from `cycles-server-admin`. v0.1.25.33 introduced the `webhook.*` lifecycle EventTypes and `EventDataWebhookLifecycle` schema; v0.1.25.34 added the `webhook` value to `EventCategory`. This service implements only the dispatcher-emission half (auto-disable → `webhook.disabled`); the operator-plane emits live in `cycles-server-admin` v0.1.25.39.

**Service:** Spring Boot 3.5.14 / Java 21 / Jedis 6.2.0 / Micrometer Prometheus registry. Redis-driven webhook dispatcher (no inbound API surface of its own).
**Service:** Spring Boot 3.5.14 / Java 21 / Jedis 6.2.0 / Micrometer Prometheus registry. Redis-driven webhook dispatcher (no inbound API surface of its own). · tomcat-embed-core 10.1.55 pin (SB 3.5.14 still manages 10.1.54; pin re-introduced 2026-05-25 for Apache Tomcat CVE-2026-43512 / -43513 / -43514 / -43515 / -42498 / -41284 / -41293)

**Downstream docs:**
- [`CHANGELOG.md`](CHANGELOG.md) — release notes for consumers (Keep-a-Changelog format)
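Review bot: The rewritten **Service:** line still reads `Jedis 6.2.0`, but `pom.xml` in this same change carries `<jedis.version>7.5.0</jedis.version>` as unchanged context, so the audit header misstates the client version the build actually resolves. Since this line is being edited anyway, correct it to match the pom, or state why the two differ. Separately, the new 2026-05-25 entry is prepended to a single **Date:** paragraph that now carries every release back to v0.1.25.1; that per-release detail already has a home in `CHANGELOG.md`, and keeping only the latest entry in this header would make the CVE list much easier to audit against the pom comment.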
15 changes: 14 additions & 1 deletion pom.xml
Expand Up @@ -18,10 +18,23 @@
<description>Event delivery service for the Cycles ecosystem</description>

<properties>
<revision>0.1.25.12</revision>
<revision>0.1.25.13</revision>
<java.version>21</java.version>
<jedis.version>7.5.0</jedis.version>
<testcontainers.version>1.20.4</testcontainers.version>
<!-- Override Spring Boot 3.5.14's managed tomcat-embed-core 10.1.54 to
pick up the fix in 10.1.55 for 3 CRITICAL + 3 HIGH + 1 LOW Apache
Tomcat CVEs (all in the 10.1.0-M1..10.1.54 range; fixed in 10.1.55):
CVE-2026-43515 CRITICAL — Improper Authorization (method constraints)
CVE-2026-43512 CRITICAL — Authentication Bypass (digest auth)
CVE-2026-41293 CRITICAL — Improper Input Validation
CVE-2026-43513 HIGH — Case-sensitivity in LockOutRealm
CVE-2026-42498 HIGH — HTTP Auth header leak in WebSocket
CVE-2026-41284 HIGH — Resource allocation DoS
CVE-2026-43514 LOW — Observable timing in AJP secret compare
Same pin shape as v0.1.25.10's 10.1.54 override (dropped at v0.1.25.12
when SB 3.5.14's BOM caught up). Remove once SB ships with 10.1.55+. -->
<tomcat.version>10.1.55</tomcat.version>
</properties>

<dependencies>
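Review bot: The `<tomcat.version>10.1.55</tomcat.version>` override depends on someone remembering the comment's "Remove once SB ships with 10.1.55+"; as a plain property override it keeps winning over the BOM, so a later Spring Boot upgrade that manages a newer Tomcat would be silently held back at 10.1.55. Suggest referencing a tracking issue in the comment, or adding a build-time check that fails when the pinned version is lower than the BOM-managed one. Also, `<revision>` moves to 0.1.25.13 while AUDIT.md describes this release as having no code change and records that the `WebhookTransport` hardcoded version fallback was synced to 0.1.25.12; please confirm whether that fallback should follow the revision.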