Bump jsonwebtoken from 9.3.1 to 10.3.0

Symbiont OSS Sync · Symbiont OSS Sync · commit 15cadaafd352 · 2026-02-11T15:02:13.000-08:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/channel-adapter/Cargo.toml b/crates/channel-adapter/Cargo.toml
@@ -6,6 +6,7 @@ authors = ["Jascha Wanger / ThirdKey.ai"]
 description = "Chat channel adapters for the Symbi platform — Slack, Teams, Mattermost"
 license = "MIT"
 repository = "https://github.com/thirdkeyai/symbiont"
+readme = "README.md"
 keywords = ["chat", "slack", "adapter", "symbiont", "agents"]
 
 [dependencies]
@@ -29,7 +30,7 @@ tower = { version = "0.4", optional = true }
 tower-http = { version = "0.5", features = ["cors", "trace"], optional = true }
 serde_urlencoded = { version = "0.7", optional = true }
 base64 = { version = "0.22", optional = true }
-jsonwebtoken = { version = "9", optional = true }
+jsonwebtoken = { version = "10", optional = true }
 
 [dev-dependencies]
 tokio-test = "0.4"
diff --git a/crates/channel-adapter/README.md b/crates/channel-adapter/README.md
@@ -0,0 +1,63 @@
+# symbi-channel-adapter
+
+[![crates.io](https://img.shields.io/crates/v/symbi-channel-adapter.svg)](https://crates.io/crates/symbi-channel-adapter)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+Chat channel adapters for the [Symbi](https://crates.io/crates/symbi) platform — bidirectional Slack, Teams, and Mattermost integration for AI agents.
+
+## Overview
+
+`symbi-channel-adapter` provides a `ChannelAdapter` trait and platform-specific implementations that let users invoke Symbi agents directly from chat platforms and receive policy-enforced, audit-logged responses.
+
+## Features
+
+| Feature | Default | Platform |
+|---------|---------|----------|
+| `slack` | Yes | Slack Events API, slash commands, Socket Mode |
+| `teams` | No | Microsoft Teams Bot Framework, OAuth2 |
+| `mattermost` | No | Mattermost outgoing webhooks, REST API |
+| `enterprise-hooks` | No | Policy, DLP, and crypto audit hooks |
+
+## Usage
+
+```rust
+use symbi_channel_adapter::{ChannelAdapterManager, ChannelConfig, SlackConfig};
+
+let config = ChannelConfig {
+    platform: SlackConfig {
+        bot_token: std::env::var("SLACK_BOT_TOKEN").unwrap(),
+        app_token: std::env::var("SLACK_APP_TOKEN").unwrap(),
+        signing_secret: std::env::var("SLACK_SIGNING_SECRET").unwrap(),
+        ..Default::default()
+    }.into(),
+    ..Default::default()
+};
+
+let manager = ChannelAdapterManager::new(config);
+```
+
+### Enabling additional platforms
+
+```toml
+[dependencies]
+symbi-channel-adapter = { version = "0.1", features = ["slack", "teams", "mattermost"] }
+```
+
+## Architecture
+
+The crate is built around a few core abstractions:
+
+- **`ChannelAdapter`** — trait for sending/receiving messages on a chat platform
+- **`InboundHandler`** — trait for processing incoming messages and slash commands
+- **`ChannelAdapterManager`** — orchestrates multiple adapters with health checks and lifecycle management
+- **`AgentInvoker`** — trait bridging chat messages to Symbi agent execution
+
+Each platform adapter handles authentication, signature verification, and message formatting specific to its platform.
+
+## Part of Symbiont
+
+This crate is part of the [Symbiont](https://github.com/thirdkeyai/symbiont) workspace. For the full agent framework, see the [`symbi`](https://crates.io/crates/symbi) crate.
+
+## License
+
+MIT
diff --git a/crates/channel-adapter/src/adapters/teams/auth.rs b/crates/channel-adapter/src/adapters/teams/auth.rs
@@ -70,14 +70,23 @@ pub async fn validate_bot_framework_token(
 ) -> Result<BotFrameworkClaims, ChannelAdapterError> {
     if skip_jwks_verification {
         // Dev mode: decode without signature verification, just validate claims
-        let mut validation = Validation::default();
-        validation.insecure_disable_signature_validation();
-        validation.set_audience(&[client_id]);
-        validation.set_issuer(&[BOT_FRAMEWORK_ISSUER]);
-
         let token_data =
-            decode::<BotFrameworkClaims>(token, &DecodingKey::from_secret(b""), &validation)
-                .map_err(|e| ChannelAdapterError::Auth(format!("JWT validation failed: {}", e)))?;
+            jsonwebtoken::dangerous::insecure_decode::<BotFrameworkClaims>(token)
+                .map_err(|e| ChannelAdapterError::Auth(format!("JWT decode failed: {}", e)))?;
+
+        let claims = &token_data.claims;
+        if claims.iss != BOT_FRAMEWORK_ISSUER {
+            return Err(ChannelAdapterError::Auth(format!(
+                "Invalid issuer: {}",
+                claims.iss
+            )));
+        }
+        if claims.aud != client_id {
+            return Err(ChannelAdapterError::Auth(format!(
+                "Invalid audience: {}",
+                claims.aud
+            )));
+        }
 
         return Ok(token_data.claims);
     }
