feat: add CVE tooltip on hover in Reporting Page

- Add GET /api/cves/:cveId/tooltip backend endpoint with description truncation
- Create CveTooltip portal component with caching, severity badges, and viewport-aware positioning
- Integrate tooltip into ReportingPage with 300ms hover delay on CVE badge spans

backend/server.js

@@ -348,6 +348,29 @@ app.get('/api/cves/:cveId/vendors', requireAuth(db), (req, res) => {
     });
 });
 
+// Get tooltip data for a specific CVE (authenticated users)
+app.get('/api/cves/:cveId/tooltip', requireAuth(db), (req, res) => {
+    const { cveId } = req.params;
+
+    if (!CVE_ID_PATTERN.test(cveId)) {
+        return res.status(400).json({ error: 'Invalid CVE ID format.' });
+    }
+
+    db.get('SELECT cve_id, description, severity FROM cves WHERE cve_id = ? LIMIT 1', [cveId], (err, row) => {
+        if (err) {
+            console.error('Error fetching CVE tooltip:', err);
+            return res.status(500).json({ error: 'Internal server error.' });
+        }
+        if (!row) {
+            return res.json({ exists: false });
+        }
+        let description = row.description || '';
+        if (description.length > 300) {
+            description = description.substring(0, 300) + '\u2026';
+        }
+        res.json({ exists: true, cve_id: row.cve_id, description, severity: row.severity });
+    });
+});
 
 // Compliance export — reads from cve_document_status view
 app.get('/api/cves/compliance', requireAuth(db), (req, res) => {