JWT tokens without both 'iss' and 'aud' are no longer reported as active credentials

src/scanner/validation.rs

@@ -335,12 +335,6 @@ pub async fn run_secret_validation(
         ds.replace_matches(updated_arcs);
     }
 
-    // ── 5. Done ─────────────────────────────────────────────────────────────
-    println!(
-        "Validation complete – {} succeeded, {} failed",
-        success_count.load(Ordering::Relaxed),
-        fail_count.load(Ordering::Relaxed)
-    );
     Ok(())
 }
 

src/validation/jwt.rs

@@ -71,7 +71,11 @@ pub async fn validate_jwt(token: &str) -> Result<(bool, String)> {
 
     // ---------------------------------------------------------------------------
     let issuer = claims.iss.clone().unwrap_or_default();
+    let aud_strings = extract_aud_strings(&claims);
 
+    if issuer.trim().is_empty() && aud_strings.iter().all(|s| s.trim().is_empty()) {
+        return Ok((false, "JWT missing issuer and audience".to_string()));
+    }
     if let Some(iss) = claims.iss.clone() {
         // parse header now (kid, alg)
         let header = decode_header(token).map_err(|e| anyhow!("decode header: {e}"))?;