docs(security): cite CVE-2026-45091 throughout the repo

MITRE has formally assigned CVE-2026-45091 to the JWS-payload
TOTP-secret leak that affected 0.1.0-alpha.{1,2,3} and was patched
in alpha.4. The advisory entry was previously cited as
'CVE-2026-XXXXX' or 'CVE was requested' — replaced with the
official identifier alongside the existing GHSA-x3r2-fj3r-g5mv
GitHub Security Advisory link.

Touched:
  - README.md: CVE badge added next to threat-model badge
  - THREAT_MODEL.md: section 6 (Token-payload exposure) now cites
    the CVE directly with NVD link
  - CHANGELOG.md: alpha.4 security banner cites CVE; 0.1.0
    summary expanded with the CVE link; new [Unreleased] entry
    documenting the assignment
  - java/sealed-env-core/.../SealedEnvSmokeTest.java: regression
    comment now anchors the test to the CVE id

Also reverts a stale-info edit from a previous commit that claimed
Node now writes 'KDF=argon2id' — Node still writes 'KDF=scrypt'
(the spec accepts both for cross-stack interop). The README diagram
and wire-format example now reflect reality.

Author: davidalmeidac

CHANGELOG.md

@@ -12,6 +12,17 @@ files written today will remain readable forever. See [SPEC.md](./SPEC.md).
 
 ## [Unreleased]
 
+### Security
+
+- **CVE-2026-45091 has been formally assigned** to the JWS-payload
+  TOTP-secret leak that affected `0.1.0-alpha.{1,2,3}` and was patched
+  in alpha.4 on 2026-05-07. The MITRE entry is now public at
+  [nvd.nist.gov/vuln/detail/CVE-2026-45091](https://nvd.nist.gov/vuln/detail/CVE-2026-45091).
+  No code change in this entry — references throughout the repository
+  (README, THREAT_MODEL, Java regression tests, CHANGELOG) updated to
+  cite the official identifier alongside the existing GitHub Security
+  Advisory ([GHSA-x3r2-fj3r-g5mv](https://github.com/davidalmeidac/sealed-env/security/advisories/GHSA-x3r2-fj3r-g5mv)).
+
 ---
 
 ## [0.1.0] — 2026-05-07
@@ -42,9 +53,10 @@ What 0.1.0 represents:
   Render, Railway, Heroku, Docker, Kubernetes, generic SSH) plus an
   OIDC-federation pattern for shops that want zero persistent
   master-key storage in CI.
-- A public threat model (T1-T13) and a track record of CVE response
-  (alpha.6 closed a JWS-payload TOTP-secret leak in under four hours
-  with cross-stack vectors and a migration playbook).
+- A public threat model (T1-T13) and a track record of CVE response.
+  alpha.6 closed [CVE-2026-45091](https://nvd.nist.gov/vuln/detail/CVE-2026-45091)
+  (JWS-payload TOTP-secret leak) in under four hours with cross-stack
+  vectors and a migration playbook.
 
 ### Added
 
@@ -383,12 +395,14 @@ and vice versa.
 
 ## [0.1.0-alpha.4] — 2026-05-07
 
-> **🚨 SECURITY: this release fixes a critical issue in `enterprise` mode.
-> Prior versions (alpha.1, alpha.2, alpha.3) embedded the operator's TOTP
-> secret in the JWS payload of every unseal token. JWS payload is base64-
-> encoded JSON, NOT encrypted — anyone observing a token (CI logs, container
-> env dumps, stack traces) could extract the secret and use it (with the
-> master key) to mint unseal tokens for FUTURE deploys indefinitely.**
+> **🚨 SECURITY: [CVE-2026-45091](https://nvd.nist.gov/vuln/detail/CVE-2026-45091)
+> ([GHSA-x3r2-fj3r-g5mv](https://github.com/davidalmeidac/sealed-env/security/advisories/GHSA-x3r2-fj3r-g5mv)).
+> This release fixes a critical issue in `enterprise` mode. Prior versions
+> (alpha.1, alpha.2, alpha.3) embedded the operator's TOTP secret in the JWS
+> payload of every unseal token. JWS payload is base64-encoded JSON, NOT
+> encrypted — anyone observing a token (CI logs, container env dumps, stack
+> traces) could extract the secret and use it (with the master key) to mint
+> unseal tokens for FUTURE deploys indefinitely.**
 >
 > **All `0.1.0-alpha.{1,2,3}` releases are deprecated on npm and Maven
 > Central. If you adopted enterprise mode in any of those versions:**

README.md

@@ -15,6 +15,7 @@ with optional TOTP-based unsealing for production deploys.
 [![Java CI](https://img.shields.io/github/actions/workflow/status/davidalmeidac/sealed-env/java-ci.yml?branch=main&style=flat-square&color=1a1612&labelColor=c4471f&label=java%20ci)](https://github.com/davidalmeidac/sealed-env/actions/workflows/java-ci.yml)
 [![License](https://img.shields.io/badge/license-MIT-1a1612?style=flat-square&labelColor=c4471f)](LICENSE)
 [![Threat model](https://img.shields.io/badge/threat--model-public-1a1612?style=flat-square&labelColor=c4471f)](THREAT_MODEL.md)
+[![CVE response](https://img.shields.io/badge/CVE--2026--45091-resolved%20%E2%9C%93-1a1612?style=flat-square&labelColor=c4471f)](https://nvd.nist.gov/vuln/detail/CVE-2026-45091)
 
 [Docs](docs/) · [Threat Model](THREAT_MODEL.md) · [File Format](SPEC.md) · [Security Policy](SECURITY.md) · [Landing](https://davidalmeidac.github.io/sealed-env/)
 
@@ -54,7 +55,7 @@ pipeline is fully compromised, attackers cannot decrypt without the operator's p
    │  ────────────           │         │  ────────────           │
    │  • CLI: sealed-env seal │         │  • SealedEnv core lib   │
    │  • npm: sealed-env      │         │  • Spring Boot starter  │
-   │  • writes KDF=argon2id  │         │  • writes KDF=argon2id  │
+   │  • writes KDF=scrypt    │         │  • writes KDF=argon2id  │
    └────────────┬────────────┘         └────────────┬────────────┘
                 │                                   │
                 │  both speak SEALED-ENV-V1         │
@@ -64,7 +65,7 @@ pipeline is fully compromised, attackers cannot decrypt without the operator's p
             │            .env.sealed                 │
             │  ───────────────────────────           │
             │  SEALED-ENV-V1 MODE=team               │
-            │  KDF=argon2id                          │
+            │  KDF=<scrypt|argon2id>                 │
             │  KDF-PARAMS=...   SALT=...             │
             │  NONCE=...        AAD-DIGEST=...       │
             │  HMAC=...         CREATED=2026-...     │

THREAT_MODEL.md

@@ -62,7 +62,7 @@
 - A single misconfig (Actuator exposed) defeats encryption-at-rest
 - Plaintext secrets must not survive boot
 
-### 6. Token-payload exposure (lesson from sealed-env's own CVE-2026-XXXXX)
+### 6. Token-payload exposure (lesson from sealed-env's own CVE-2026-45091)
 
 **What happened (to us, May 2026):**
 
@@ -76,7 +76,8 @@ the leaked secret allowed minting **future** unseal tokens indefinitely.
 The reviewer found it in 5 minutes by base32-encoding the bytes from
 `payload.totp_secret` and comparing to the operator's `.env.local` value.
 
-Affected versions are deprecated and a CVE was requested. See
+Affected versions are deprecated. Tracked as
+**[CVE-2026-45091](https://nvd.nist.gov/vuln/detail/CVE-2026-45091)** /
 [GHSA-x3r2-fj3r-g5mv](https://github.com/davidalmeidac/sealed-env/security/advisories/GHSA-x3r2-fj3r-g5mv).
 
 **What it teaches us (and what we now do):**

java/sealed-env-core/src/test/java/io/github/davidalmeidac/sealedenv/SealedEnvSmokeTest.java

@@ -154,9 +154,10 @@ void fullFlow() {
             String serialized = SealedEnv.seal(opts).serialized();
             assertThat(serialized).contains("\nEPOCH-COMMIT=");
             assertThat(serialized).contains("\nCHALLENGE-BIND=enabled\n");
-            // Hardening regression: the serialized file must NEVER carry
-            // the literal TOTP secret. Pre-alpha.4 files exposed it via
-            // `totp_secret` in the JWS payload of unseal tokens.
+            // Hardening regression for CVE-2026-45091: the serialized
+            // file must NEVER carry the literal TOTP secret. Pre-alpha.4
+            // files exposed it via `totp_secret` in the JWS payload of
+            // unseal tokens.
             assertThat(serialized).doesNotContain("TOTP-VERIFIER=");
 
             SealedFile file = SealedFileParser.parse(serialized);