fix(service-bus): enable jsonwebtoken aws_lc_rs crypto backend

TheNewAutonomy · TheNewAutonomy · commit 91db59be14fa · 2026-03-22T14:17:14.000Z
jsonwebtoken 10 requires rust_crypto or aws_lc_rs; tests were panicking
without it. Aligns JWT crypto with the rest of the aws-lc stack.

Made-with: Cursor
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/catalyst-service-bus/Cargo.toml b/crates/catalyst-service-bus/Cargo.toml
@@ -41,7 +41,8 @@ anyhow = "1.0"
 governor = "0.6"
 
 # Authentication
-jsonwebtoken = "10.3"
+# jsonwebtoken 10+ requires an explicit crypto backend (see CryptoProvider in crate docs).
+jsonwebtoken = { version = "10.3", features = ["aws_lc_rs"] }
 
 [dev-dependencies]
 tokio-test = "0.4"
diff --git a/docs/security-dependency-updates.md b/docs/security-dependency-updates.md
@@ -16,7 +16,7 @@ This note tracks **high-severity Dependabot-class** dependency work (crypto, P2P
 - **`wasmtime`:** **`15` → `24.0.x`** (`catalyst-runtime-svm`; addresses multiple RUSTSEC items on older JIT/runtime lines).
 - **`keccak`:** lockfile **`0.1.5` → `0.1.6`** (RUSTSEC-2026-0012 / yanked 0.1.5).
 - **`catalyst-service-bus`:** removed unused **`reqwest` 0.11** and dev-dependency **`wiremock`** (shrinks the graph; `rustls-pemfile` / `instant` warnings tied to those paths drop when unused).
-- **`jsonwebtoken`:** **`9.x` → `10.3`** (`catalyst-service-bus` auth; addresses Dependabot-class JWT issues on older lines).
+- **`jsonwebtoken`:** **`9.x` → `10.3`** with feature **`aws_lc_rs`** (`catalyst-service-bus` auth; v10 requires an explicit crypto backend — see crate `CryptoProvider` docs).
 
 ## Code changes
 
