chore: Release v3.0.0-beta.3

Security:
- JWT algorithm confusion attack prevention (fail-closed validation)
- Key-type/algorithm compatibility checks for JWKS
- HTTPS enforcement for JWKS URLs
- Removed Default impl for JwtConfig

Added:
- WorkerError wrapper for worker::Error → ToolError conversion
- WorkerResultExt trait with .into_tool_result() method

Documentation:
- OAuth protection guide with 3 authentication patterns
- Worker error integration examples
- Security checklist for production deployments

Author: nicholasjpaterno

CHANGELOG.md

@@ -7,6 +7,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [3.0.0-beta.3] - 2026-01-22
+
+### Security
+
+#### JWT Algorithm Confusion Attack Prevention (`turbomcp-wasm`)
+- **Fail-Closed Algorithm Validation** - Empty algorithm lists now return an error instead of bypassing validation
+- **Key-Type/Algorithm Compatibility** - RSA keys can only be used with RS* algorithms, EC keys with ES* algorithms
+- **Removed `Default` for `JwtConfig`** - Prevents accidental creation of insecure configurations
+- **HTTPS Enforcement for JWKS** - JWKS URLs must use HTTPS (localhost exempt for development)
+- Added `allow_insecure_http()` for development/testing only
+- Added comprehensive security tests for algorithm confusion and HTTPS validation
+
+### Added
+
+#### Worker Error Integration (`turbomcp-wasm`)
+- **`WorkerError` newtype wrapper** - Enables `worker::Error` to `ToolError` conversion via `.map_err(WorkerError)`
+- **`WorkerResultExt` trait** - Ergonomic `.into_tool_result()` method for `worker::Result<T>`
+- Both approaches enable full `?` operator support with Cloudflare Workers APIs (KV, Durable Objects, R2, D1, etc.)
+
+### Documentation
+
+#### OAuth and Authentication (`turbomcp-wasm`)
+- **Comprehensive OAuth Protection Guide** - Three authentication patterns documented:
+  1. Cloudflare Access (recommended for production)
+  2. Custom JWT Validation (for self-hosted OAuth/OIDC)
+  3. Bearer Token (development only, with security warnings)
+- **Worker Error Integration Examples** - Usage examples for `WorkerError` and `WorkerResultExt`
+- **Security Checklist** - Production deployment checklist for authentication
+
 ## [3.0.0-beta.2] - 2026-01-20
 
 ### Documentation

Cargo.toml

@@ -184,7 +184,7 @@ testcontainers = "0.25.0"
 doc-comment = "0.3"
 
 # Workspace dependencies are defined below
-# Internal crate dependencies - v3.0.0-beta.2
+# Internal crate dependencies - v3.0.0-beta.3
 #
 # NOTE on `default-features = false`:
 # - turbomcp-core: Has `default = ["std"]` - needed for no_std/WASM builds
@@ -194,32 +194,32 @@ doc-comment = "0.3"
 #
 # All other crates either have empty defaults (removed vestigial `default-features = false`)
 # or useful defaults that should be enabled by default.
-turbomcp = { version = "3.0.0-beta.2", path = "crates/turbomcp" }
+turbomcp = { version = "3.0.0-beta.3", path = "crates/turbomcp" }
 # v3.0: turbomcp-types is THE source of truth for all MCP types
-turbomcp-types = { version = "3.0.0-beta.2", path = "crates/turbomcp-types" }
+turbomcp-types = { version = "3.0.0-beta.3", path = "crates/turbomcp-types" }
 # v3.0: turbomcp-core re-extracted as no_std foundation layer
-turbomcp-core = { version = "3.0.0-beta.2", path = "crates/turbomcp-core", default-features = false }
+turbomcp-core = { version = "3.0.0-beta.3", path = "crates/turbomcp-core", default-features = false }
 # v3.0: turbomcp-transport-traits lean transport traits crate
-turbomcp-transport-traits = { version = "3.0.0-beta.2", path = "crates/turbomcp-transport-traits" }
+turbomcp-transport-traits = { version = "3.0.0-beta.3", path = "crates/turbomcp-transport-traits" }
 # v3.0: Individual transport crates (extracted from monolithic turbomcp-transport)
-turbomcp-stdio = { version = "3.0.0-beta.2", path = "crates/turbomcp-stdio" }
-turbomcp-http = { version = "3.0.0-beta.2", path = "crates/turbomcp-http" }
-turbomcp-websocket = { version = "3.0.0-beta.2", path = "crates/turbomcp-websocket" }
-turbomcp-tcp = { version = "3.0.0-beta.2", path = "crates/turbomcp-tcp" }
-turbomcp-unix = { version = "3.0.0-beta.2", path = "crates/turbomcp-unix" }
-turbomcp-protocol = { version = "3.0.0-beta.2", path = "crates/turbomcp-protocol" }
-turbomcp-transport = { version = "3.0.0-beta.2", path = "crates/turbomcp-transport", default-features = false }
-turbomcp-client = { version = "3.0.0-beta.2", path = "crates/turbomcp-client" }
-turbomcp-server = { version = "3.0.0-beta.2", path = "crates/turbomcp-server" }
-turbomcp-macros = { version = "3.0.0-beta.2", path = "crates/turbomcp-macros" }
-turbomcp-cli = { version = "3.0.0-beta.2", path = "crates/turbomcp-cli" }
+turbomcp-stdio = { version = "3.0.0-beta.3", path = "crates/turbomcp-stdio" }
+turbomcp-http = { version = "3.0.0-beta.3", path = "crates/turbomcp-http" }
+turbomcp-websocket = { version = "3.0.0-beta.3", path = "crates/turbomcp-websocket" }
+turbomcp-tcp = { version = "3.0.0-beta.3", path = "crates/turbomcp-tcp" }
+turbomcp-unix = { version = "3.0.0-beta.3", path = "crates/turbomcp-unix" }
+turbomcp-protocol = { version = "3.0.0-beta.3", path = "crates/turbomcp-protocol" }
+turbomcp-transport = { version = "3.0.0-beta.3", path = "crates/turbomcp-transport", default-features = false }
+turbomcp-client = { version = "3.0.0-beta.3", path = "crates/turbomcp-client" }
+turbomcp-server = { version = "3.0.0-beta.3", path = "crates/turbomcp-server" }
+turbomcp-macros = { version = "3.0.0-beta.3", path = "crates/turbomcp-macros" }
+turbomcp-cli = { version = "3.0.0-beta.3", path = "crates/turbomcp-cli" }
 # v3.0: OpenTelemetry integration and observability
-turbomcp-telemetry = { version = "3.0.0-beta.2", path = "crates/turbomcp-telemetry" }
-turbomcp-dpop = { version = "3.0.0-beta.2", path = "crates/turbomcp-dpop" }
+turbomcp-telemetry = { version = "3.0.0-beta.3", path = "crates/turbomcp-telemetry" }
+turbomcp-dpop = { version = "3.0.0-beta.3", path = "crates/turbomcp-dpop" }
 # v3.0: Wire format codec abstraction (no_std compatible)
-turbomcp-wire = { version = "3.0.0-beta.2", path = "crates/turbomcp-wire", default-features = false }
+turbomcp-wire = { version = "3.0.0-beta.3", path = "crates/turbomcp-wire", default-features = false }
 # v3.0: WASM server proc macros
-turbomcp-wasm-macros = { version = "3.0.0-beta.2", path = "crates/turbomcp-wasm-macros" }
+turbomcp-wasm-macros = { version = "3.0.0-beta.3", path = "crates/turbomcp-wasm-macros" }
 
 [profile.dev]
 opt-level = 1

crates/turbomcp-auth/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "turbomcp-auth"
 
-version = "3.0.0-beta.2"
+version = "3.0.0-beta.3"
 
 edition = "2024"
 authors = ["Nicholas Paterno <nick@epistates.com>"]
@@ -71,10 +71,10 @@ dashmap = { version = "6.1.0", optional = true }  # Concurrent HashMap for cachi
 
 # Internal dependencies
 
-turbomcp-protocol = { version = "3.0.0-beta.2", path = "../turbomcp-protocol" }
+turbomcp-protocol = { version = "3.0.0-beta.3", path = "../turbomcp-protocol" }
 
 # Optional: DPoP support
-turbomcp-dpop = { version = "3.0.0-beta.2", path = "../turbomcp-dpop", optional = true }
+turbomcp-dpop = { version = "3.0.0-beta.3", path = "../turbomcp-dpop", optional = true }
 
 # Optional: DPoP support
 

crates/turbomcp-cli/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "turbomcp-cli"
 
-version = "3.0.0-beta.2"
+version = "3.0.0-beta.3"
 
 edition = "2024"
 authors = ["Nicholas Paterno <nick@epistates.com>"]
@@ -17,9 +17,9 @@ rust-version = "1.89.0"
 [dependencies]
 # Core TurboMCP
 
-turbomcp-client = { path = "../turbomcp-client", version = "3.0.0-beta.2" }
-turbomcp-transport = { path = "../turbomcp-transport", version = "3.0.0-beta.2" }
-turbomcp-protocol = { path = "../turbomcp-protocol", version = "3.0.0-beta.2" }
+turbomcp-client = { path = "../turbomcp-client", version = "3.0.0-beta.3" }
+turbomcp-transport = { path = "../turbomcp-transport", version = "3.0.0-beta.3" }
+turbomcp-protocol = { path = "../turbomcp-protocol", version = "3.0.0-beta.3" }
 
 # CLI framework
 clap = { workspace = true, features = ["derive", "env", "string"] }

crates/turbomcp-client/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "turbomcp-client"
 
-version = "3.0.0-beta.2"
+version = "3.0.0-beta.3"
 
 edition = "2024"
 authors = ["Nicholas Paterno <nick@epistates.com>"]

crates/turbomcp-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "turbomcp-core"
-version = "3.0.0-beta.2"
+version = "3.0.0-beta.3"
 edition = "2024"
 authors = ["Nicholas Paterno <nick@epistates.com>"]
 description = "Core MCP types and primitives - no_std compatible for WASM targets"
@@ -14,7 +14,7 @@ rust-version = "1.89.0"
 
 [dependencies]
 # Types (single source of truth)
-turbomcp-types = { version = "3.0.0-beta.2", path = "../turbomcp-types" }
+turbomcp-types = { version = "3.0.0-beta.3", path = "../turbomcp-types" }
 
 # Serialization (no_std compatible with alloc)
 serde = { version = "1.0", default-features = false, features = ["derive", "alloc"] }

crates/turbomcp-dpop/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "turbomcp-dpop"
 
-version = "3.0.0-beta.2"
+version = "3.0.0-beta.3"
 
 edition = "2024"
 authors = ["Nicholas Paterno <nick@epistates.com>"]

crates/turbomcp-grpc/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "turbomcp-grpc"
-version = "3.0.0-beta.2"
+version = "3.0.0-beta.3"
 edition = "2024"
 authors = ["Nicholas Paterno <nick@epistates.com>"]
 description = "gRPC transport for TurboMCP - high-performance MCP over HTTP/2"
@@ -29,9 +29,9 @@ tokio-stream = { version = "0.1", features = ["net"] }
 futures = "0.3"
 
 # Internal dependencies
-turbomcp-core = { version = "3.0.0-beta.2", path = "../turbomcp-core", default-features = false, features = ["std"] }
-turbomcp-protocol = { version = "3.0.0-beta.2", path = "../turbomcp-protocol", default-features = false }
-turbomcp-transport-traits = { version = "3.0.0-beta.2", path = "../turbomcp-transport-traits", default-features = false }
+turbomcp-core = { version = "3.0.0-beta.3", path = "../turbomcp-core", default-features = false, features = ["std"] }
+turbomcp-protocol = { version = "3.0.0-beta.3", path = "../turbomcp-protocol", default-features = false }
+turbomcp-transport-traits = { version = "3.0.0-beta.3", path = "../turbomcp-transport-traits", default-features = false }
 
 # Tower integration
 tower = { workspace = true }

crates/turbomcp-http/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "turbomcp-http"
-version = "3.0.0-beta.2"
+version = "3.0.0-beta.3"
 edition = "2024"
 authors = ["Nicholas Paterno <nick@epistates.com>"]
 description = "HTTP/SSE transport implementation for MCP (Model Context Protocol) - Client transport"

crates/turbomcp-macros/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "turbomcp-macros"
-version = "3.0.0-beta.2"
+version = "3.0.0-beta.3"
 edition = "2024"
 description = "Procedural macros for ergonomic MCP tool and resource registration"
 license = "MIT"
@@ -32,8 +32,8 @@ schemars = { version = "1.0" }
 axum = { workspace = true, optional = true }
 tokio = { workspace = true, optional = true }
 
-turbomcp-protocol = { version = "3.0.0-beta.2", path = "../turbomcp-protocol" }
-turbomcp-transport = { version = "3.0.0-beta.2", path = "../turbomcp-transport", optional = true }
+turbomcp-protocol = { version = "3.0.0-beta.3", path = "../turbomcp-protocol" }
+turbomcp-transport = { version = "3.0.0-beta.3", path = "../turbomcp-transport", optional = true }
 
 [dev-dependencies]
 async-trait = "0.1"