diff --git a/AUDIT.md b/AUDIT.md
index ac0d3bb..8056652 100644
--- a/AUDIT.md
+++ b/AUDIT.md
@@ -1,6 +1,7 @@
# Cycles Protocol v0.1.25 — Server Implementation Audit
-**Date:** 2026-04-26 (v0.1.25.18 — dependency hygiene matching `cycles-server-events` v0.1.25.12: bump `spring-boot-starter-parent` 3.5.13 → 3.5.14 (patch with upstream security hardening — constant-time comparison for remote DevTools secret, `RandomValuePropertySource` SecureRandom, hostname verification applied consistently for Cassandra/RabbitMQ SSL, plus symlink-handling fixes); **drop `10.1.54` override** since Spring Boot 3.5.14's BOM now manages 10.1.54 directly (verified against `spring-boot-dependencies-3.5.14.pom`); commons-lang3 3.18.0 override retained — Spring Boot 3.5.14's BOM still manages 3.17.0. **Jedis 7.4.1 → 6.2.0** to align all three services on the same Redis client major (events at 6.2.0 since v0.1.25.12, admin at 6.2.0 in v0.1.25.41); all call sites use stable APIs (`Jedis`, `JedisPool`, `Pipeline`, `Response`, `ScanParams`, `ScanResult`, `JedisNoScriptException`) — no 7.x-only API usage. No code changes; all 152 tests pass.),
+**Date:** 2026-05-21 (v0.1.25.19 — supply-chain CVE patch; re-pin `tomcat.version=10.1.55` in `cycles-protocol-service/pom.xml` to close 7 new CVEs flagged by Trivy against `tomcat-embed-core 10.1.54` (CRITICAL: CVE-2026-43512, CVE-2026-43515, CVE-2026-41293; HIGH: CVE-2026-43513, CVE-2026-42498, CVE-2026-41284; LOW: CVE-2026-43514 — all fixed in 10.1.55 / 11.0.22). Mirrors the v0.1.25.16 pattern; the override was dropped in v0.1.25.18 when SB 3.5.14's BOM caught up to 10.1.54, now re-added one patch higher because Trivy DB updates between 2026-05-11 (last green main run) and 2026-05-21 surfaced a new wave on the same artifact. Removable once Spring Boot ships with 10.1.55+ as its managed version. `commons-lang3.version=3.18.0` retained (CVE-2025-48924 still unfixed in SB 3.5.14's managed 3.17.0). No production code or test changes; all 537 protocol-service tests pass.),
+2026-04-26 (v0.1.25.18 — dependency hygiene matching `cycles-server-events` v0.1.25.12: bump `spring-boot-starter-parent` 3.5.13 → 3.5.14 (patch with upstream security hardening — constant-time comparison for remote DevTools secret, `RandomValuePropertySource` SecureRandom, hostname verification applied consistently for Cassandra/RabbitMQ SSL, plus symlink-handling fixes); **drop `10.1.54` override** since Spring Boot 3.5.14's BOM now manages 10.1.54 directly (verified against `spring-boot-dependencies-3.5.14.pom`); commons-lang3 3.18.0 override retained — Spring Boot 3.5.14's BOM still manages 3.17.0. **Jedis 7.4.1 → 6.2.0** to align all three services on the same Redis client major (events at 6.2.0 since v0.1.25.12, admin at 6.2.0 in v0.1.25.41); all call sites use stable APIs (`Jedis`, `JedisPool`, `Pipeline`, `Response`, `ScanParams`, `ScanResult`, `JedisNoScriptException`) — no 7.x-only API usage. No code changes; all 152 tests pass.),
2026-04-19 (v0.1.25.17 — supply-chain CVE fix follow-up; pin `commons-lang3.version=3.18.0` to close CVE-2025-48924 (Trivy HIGH) on the `commons-lang3-3.17.0` jar that ships in the fat-jar image via `swagger-core-jakarta` (OpenAPI UI). Spring Boot 3.5.13's BOM manages commons-lang3 at 3.17.0 — override is removable once Spring Boot ships a managed version of 3.18.0+. All 152 tests pass),
2026-04-19 (v0.1.25.16 — supply-chain CVE fix; bump `spring-boot-starter-parent` 3.5.11 → 3.5.13 and pin `tomcat.version=10.1.54` to close 5 HIGH/CRITICAL CVEs flagged by the new PR-time Trivy scan — CVE-2026-22732 CRITICAL on `spring-security-web` (fixed 6.5.9, pulled in transitively by 3.5.13), CVE-2026-29129 HIGH + CVE-2026-29145 CRITICAL on `tomcat-embed-core` (fixed 10.1.53, transitive), CVE-2026-34483 HIGH + CVE-2026-34487 HIGH on `tomcat-embed-core` (fixed 10.1.54, explicit property override since Spring Boot 3.5.14 with 10.1.54+ as managed version hasn't shipped yet); no code changes, all 152 tests pass),
2026-04-18 (v0.1.25.15 — runtime audit-log retention TTL fix; `AuditRepository` now writes `audit:log:{id}` keys with `EX ttl` via the same Lua shape admin uses, configurable via `audit.retention.days` (default 400d), daily `@Scheduled` sweep prunes stale ZSET index pointers; closes a gap where runtime-written rows persisted indefinitely and did not participate in admin's authenticated-tier retention),
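Review bot: the new v0.1.25.19 entry says the `tomcat.version=10.1.55` override is "Removable once Spring Boot ships with 10.1.55+ as its managed version", but unlike the v0.1.25.18 entry (which records "verified against `spring-boot-dependencies-3.5.14.pom`") it names no check for when that happens; state the same verification step as the removal condition so the override is dropped deliberately rather than forgotten, given the previous override was removed and then had to be re-added one patch higher. Also, the `**Date:**` field now carries five releases' worth of narrative in one comma-separated paragraph; since CHANGELOG.md holds the same detail per release, keeping only the latest entry here and pointing at the changelog would make the audit header readable again.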
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8981a28..0b2b9cd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,38 @@ changes to request/response bodies or Lua-script semantics would require a
minor bump. "Internal signature changes" (e.g. Java method parameters) are
called out but are not breaking to API clients.
+## [0.1.25.19] — 2026-05-21
+
+Supply-chain CVE patch. No code, API, or Lua-script changes — pom-only.
+
+### Fixed (security)
+
+- Re-pin `tomcat.version=10.1.55` in `cycles-protocol-service/pom.xml`
+ to close seven CVEs flagged by Trivy against
+ `org.apache.tomcat.embed:tomcat-embed-core 10.1.54` (the version
+ Spring Boot 3.5.14's BOM manages today):
+ - **CVE-2026-43512 (CRITICAL)** — fixed in 10.1.55 / 11.0.22.
+ - **CVE-2026-43515 (CRITICAL)** — fixed in 10.1.55 / 11.0.22.
+ - **CVE-2026-41293 (CRITICAL)** — fixed in 10.1.55 / 11.0.22.
+ - **CVE-2026-43513 (HIGH)** — fixed in 10.1.55 / 11.0.22.
+ - **CVE-2026-42498 (HIGH)** — fixed in 10.1.55 / 11.0.22.
+ - **CVE-2026-41284 (HIGH)** — fixed in 10.1.55 / 11.0.22.
+ - **CVE-2026-43514 (LOW)** — fixed in 10.1.55 / 11.0.22.
+- The v0.1.25.16 override (`tomcat.version=10.1.54`) was removed in
+ v0.1.25.18 once Spring Boot 3.5.14's BOM caught up. This re-adds the
+ same pattern one patch higher. Removable again once Spring Boot
+ ships with 10.1.55+ as its managed version.
+
+### Retained
+
+- `commons-lang3.version=3.18.0` override stays (CVE-2025-48924 still
+ unfixed in Spring Boot 3.5.14's BOM-managed 3.17.0).
+
+### Notes
+
+- No production-code or test changes. All 537 protocol-service tests
+ pass (374 data + 163 api). Wire format unchanged from v0.1.25.18.
+
## [0.1.25.18] — 2026-04-26
Dependency hygiene aligning all three Cycles services (events / server /
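Review bot: the seven CVE bullets under "Fixed (security)" each state only "fixed in 10.1.55 / 11.0.22" with no affected component, severity rationale, or advisory link, so a reader cannot tell whether the service was actually exposed (e.g. which connector or feature each finding touches); one short phrase per CVE, or a link to the Tomcat security page for 10.1.55, would make the entry auditable. Separately, the "Notes" line reports "All 537 protocol-service tests pass (374 data + 163 api)" while the v0.1.25.18 entry and the AUDIT.md hunk in this same change report "all 152 tests pass" with "No production-code or test changes"; add a sentence explaining that the counting basis changed (whole service versus a single module, or similar) so the jump is not read as a discrepancy.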
diff --git a/cycles-protocol-service/pom.xml b/cycles-protocol-service/pom.xml
index cffacd8..895d272 100644
--- a/cycles-protocol-service/pom.xml
+++ b/cycles-protocol-service/pom.xml
@@ -18,7 +18,7 @@
cycles-protocol-service-api
- 0.1.25.18
+ 0.1.25.19
21
21
21
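Review bot: the version bump 0.1.25.18 → 0.1.25.19 sits directly under `cycles-protocol-service-api`; if the api module or any sibling module has its own `<version>` or parent reference, confirm it is bumped in this same change, since CHANGELOG.md describes this as one v0.1.25.19 release and the AUDIT entry counts "537 protocol-service tests (374 data + 163 api)" across both.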
@@ -27,6 +27,17 @@
the image transitively via swagger-core-jakarta (OpenAPI UI).
Remove once Spring Boot ships with 3.18.0+ as its managed version. -->
3.18.0
+
+ 10.1.55
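Review bot: the new `10.1.55` property is added without a comment, whereas the commons-lang3 override just above it documents why it exists and when to remove it ("Remove once Spring Boot ships with 3.18.0+ as its managed version"); add the same form of comment naming the Trivy finding or CVE list and the removal condition (Spring Boot managing 10.1.55+), because the previous tomcat override was dropped in v0.1.25.18 by a dependency-hygiene pass and this change exists to re-add it. Also confirm that overriding `tomcat.version` moves every `tomcat-embed-*` artifact the BOM manages (core, el, websocket) together, so the image does not ship a mixed 10.1.54/10.1.55 set.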