
fix(cedar): align cedarpy and cedar-wasm to Cedar Rust 4.8.2 (#168) #271

Open
Kalindi-Dev wants to merge 4 commits into aws-samples:main from Kalindi-Dev:fix/168-align-cedar-engines

Conversation

@Kalindi-Dev

Summary

Align both Cedar policy engine bindings to the same underlying Rust core (4.8.2) so the agent-side (cedarpy) and Lambda-side (@cedar-policy/cedar-wasm) engines have true parity instead of the prior tested-compatible skew.

  • cedarpy 4.8.0 → 4.8.3 (still wraps Rust 4.8.2)
  • @cedar-policy/cedar-wasm 4.10.0 → 4.8.2
  • Updated CEDAR_WASM_VERSION drift-guard constant in cdk/src/constructs/cedar-wasm-layer.ts
  • Added Dependabot ignore rules for both packages so future bumps must be coordinated through a dedicated PR

Closes #168.

Why 4.8.2 (not 4.10.0)

No cedarpy release wraps Cedar Rust 4.9+. The latest cedarpy (4.8.3, 2026-05-14) still pins cedar-policy = "4.8.2". Until k9securityio publishes a cedarpy wrapping a newer core, 4.8.2 is the only version both bindings can share.

API surface check

cdk/src/handlers/shared/cedar-policy.ts only uses policySetTextToParts, policyToJson, and isAuthorized — all stable in 4.8.2. No 4.9/4.10-specific calls.

Test plan

  • agent/tests/test_cedar_parity.py — 6/6 passed (cedarpy 4.8.3 vs golden fixtures)
  • cdk/test/handlers/shared/cedar-parity.test.ts — 6/6 passed (cedar-wasm 4.8.2 vs golden fixtures)
  • mise //cdk:test — 1808/1808 passed, 101/101 suites
  • mise //agent:quality — 819/819 passed, lint + type-check clean, coverage 72.48% ≥ 72%
  • Both lockfiles regenerated (agent/uv.lock, yarn.lock)
  • Verified parity fixtures did not need refreshing (same Rust core ⇒ identical decisions)

Follow-ups

Notes

Documentation under docs/design/CEDAR_HITL_GATES.md still references the prior cedarpy==4.8.0 / cedar-wasm==4.10.0 skew narrative. That's intentionally left for a follow-up doc PR — this PR keeps the change set narrow to manifests, lockfiles, the version constant, and Dependabot config so the diff is reviewable as a focused parity-alignment change.
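A CI-side drift check in the spirit of the CEDAR_WASM_VERSION constant and the Dependabot ignore rules, as an added example (not the repository's own tooling): it reads the cedarpy pin, the cedar-wasm pin and the layer constant from constructed manifest excerpts, maps each binding to the Cedar Rust core it wraps, and fails when the cores differ or the constant is stale. The binding-to-core table is an assumption maintained by hand; its cedarpy 4.8.x and cedar-wasm 4.8.2 entries are the ones the PR states, and cedar-wasm 4.10.0 wrapping core 4.10.0 is assumed.

```python
"""Engine-parity drift guard for the two Cedar bindings.

Added example, not the project's own tooling. Assumptions (not stated in the PR):
manifest excerpts are handed in as strings, and the binding-version -> Cedar-core
table CORE_BY_BINDING is maintained by hand and extended only in a coordinated
bump PR.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Optional

CEDARPY = "cedarpy"
CEDAR_WASM = "@cedar-policy/cedar-wasm"

# (binding package, binding version) -> Cedar Rust core it wraps.
CORE_BY_BINDING = {
    (CEDARPY, "4.8.0"): "4.8.2",
    (CEDARPY, "4.8.3"): "4.8.2",
    (CEDARPY, "4.8.4"): "4.8.2",
    (CEDAR_WASM, "4.8.2"): "4.8.2",
    (CEDAR_WASM, "4.10.0"): "4.10.0",  # assumed: cedar-wasm version == crate version
}

_EXACT = r"[0-9]+(?:\.[0-9]+){2}"


def pin_from_pyproject(text: str, package: str = CEDARPY) -> str:
    """Return the == pin for `package` from a pyproject.toml excerpt; loose specs are rejected."""
    m = re.search(rf'"{re.escape(package)}==({_EXACT})"', text)
    if not m:
        raise ValueError(f"{package} is not pinned with == in pyproject.toml")
    return m.group(1)


def pin_from_package_json(text: str, package: str = CEDAR_WASM) -> str:
    """Return the exact pin for `package` from package.json; ^/~ ranges are rejected."""
    spec = json.loads(text).get("dependencies", {}).get(package)
    if spec is None or not re.fullmatch(_EXACT, spec):
        raise ValueError(f"{package} must be an exact pin in package.json, got {spec!r}")
    return spec


def pin_from_layer_constant(text: str, name: str = "CEDAR_WASM_VERSION") -> str:
    """Return the string assigned to the drift-guard constant in the CDK layer source."""
    m = re.search(rf'\b{name}\s*=\s*"({_EXACT})"', text)
    if not m:
        raise ValueError(f"{name} constant not found")
    return m.group(1)


def core_of(package: str, version: str) -> str:
    """Look up the Cedar core; an unknown binding version is a hard failure, not a guess."""
    try:
        return CORE_BY_BINDING[(package, version)]
    except KeyError:
        raise ValueError(
            f"{package} {version} is not in CORE_BY_BINDING; add it in a coordinated bump PR"
        ) from None


@dataclass(frozen=True)
class ParityReport:
    cedarpy: str
    cedar_wasm: str
    layer_constant: str
    core: Optional[str]          # shared Cedar Rust core, or None when the engines skew
    problems: tuple[str, ...]

    @property
    def ok(self) -> bool:
        return not self.problems


def check_parity(pyproject: str, package_json: str, layer_ts: str) -> ParityReport:
    """Fail if the two bindings wrap different Cedar cores or the layer constant is stale."""
    py = pin_from_pyproject(pyproject)
    wasm = pin_from_package_json(package_json)
    const = pin_from_layer_constant(layer_ts)
    problems = []
    if const != wasm:
        problems.append(f"CEDAR_WASM_VERSION={const} but package.json pins cedar-wasm {wasm}")
    py_core, wasm_core = core_of(CEDARPY, py), core_of(CEDAR_WASM, wasm)
    if py_core != wasm_core:
        problems.append(f"cedarpy {py} wraps Cedar {py_core}, cedar-wasm {wasm} wraps Cedar {wasm_core}")
    return ParityReport(py, wasm, const, py_core if py_core == wasm_core else None, tuple(problems))


# Constructed manifest excerpts (not the repository's files).
PYPROJECT_ALIGNED = '[project]\ndependencies = ["cedarpy==4.8.4"]\n'
PACKAGE_JSON_ALIGNED = '{"dependencies": {"@cedar-policy/cedar-wasm": "4.8.2"}}'
LAYER_TS_ALIGNED = 'export const CEDAR_WASM_VERSION = "4.8.2";\n'
PACKAGE_JSON_SKEWED = '{"dependencies": {"@cedar-policy/cedar-wasm": "4.10.0"}}'
LAYER_TS_SKEWED = 'export const CEDAR_WASM_VERSION = "4.10.0";\n'

if __name__ == "__main__":
    for label, pj, ts in [("aligned", PACKAGE_JSON_ALIGNED, LAYER_TS_ALIGNED),
                          ("skewed", PACKAGE_JSON_SKEWED, LAYER_TS_SKEWED)]:
        report = check_parity(PYPROJECT_ALIGNED, pj, ts)
        print(label, "OK" if report.ok else "DRIFT", report.core, *report.problems, sep="\n  ")
```

Running the module prints an OK report for the aligned pins and a DRIFT report for the pre-PR skew. Because `core_of` refuses unknown versions instead of assuming they match, a Dependabot-style bump of either side fails the check until someone records the new core in the table, which is the coordination the ignore rules are meant to force.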

…ples#168)

Bump cedarpy 4.8.0->4.8.3 and downgrade @cedar-policy/cedar-wasm
4.10.0->4.8.2 so both bindings wrap the same Rust core, giving true
engine parity instead of the prior tested-compatible skew. Update the
CEDAR_WASM_VERSION drift-guard constant in cedar-wasm-layer.ts to
match. Add Dependabot ignore rules for both packages so future bumps
must be coordinated.

Verified: contracts/cedar-parity fixtures pass on both engines (12/12),
full CDK suite passes (1808/1808), full agent suite passes (819/819).

Closes aws-samples#168
@Kalindi-Dev Kalindi-Dev requested a review from a team as a code owner June 5, 2026 19:27
@codecov-commenter

codecov-commenter commented Jun 5, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@bb7876a). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #271   +/-   ##
=======================================
  Coverage        ?   85.98%           
=======================================
  Files           ?      167           
  Lines           ?    39535           
  Branches        ?     3923           
=======================================
  Hits            ?    33993           
  Misses          ?     5542           
  Partials        ?        0           


@scottschreckengaust
Contributor

scottschreckengaust commented Jun 5, 2026

No blocker:

  1. Minor version bump opportunity: could use cedarpy==4.8.4 instead of 4.8.3 for the latest patch. Same Cedar core, just newer Python-side fixes. This is optional — both achieve parity.
  2. Conflicting Dependabot PRs: Once this merges, PRs chore(deps): uv: bump the all-python group across 1 directory with 9 updates #244 and chore(deps): npm: bump the all-npm group across 5 directories with 30 updates #224 will both have merge conflicts (they each bump one side independently). They should be closed (not merged), since the Dependabot ignore rules prevent this class of PR going forward.
  3. PR chore(deps): uv: bump cedarpy from 4.8.0 to 4.8.2 in /agent in the all-python group across 1 directory #156: Also superseded — close after this merges (already called out in PR body).
  4. Doc follow-up: body notes that docs/design/CEDAR_HITL_GATES.md still references the old skew narrative (cedarpy==4.8.0 ↔ cedar-wasm==4.10.0). That's intentionally deferred to a separate doc PR.

@scottschreckengaust scottschreckengaust self-assigned this Jun 5, 2026
Same Cedar Rust core (4.8.2), so engine parity is preserved. 4.8.4 picks
up Python-side patches:
  - 4.8.1: pytest/wheel/time/keccak CVE patches in dev/transitive deps
  - 4.8.4: release-mode benchmark gating (build-only, no runtime impact)

Verified our diagnostics.reasons usage (agent/src/policy.py:1133-1134)
still surfaces parser-generated policy IDs — the 4.8.2 silent change
was reverted in 4.8.3 and that revert is preserved in 4.8.4.

Re-ran the full test plan: parity 6/6 + 6/6, CDK 1808/1808, agent 819/819.
@Kalindi-Dev
Author

Bumped to cedarpy==4.8.4 in 3515c75. Verified it still wraps Cedar Rust 4.8.2, so engine parity is preserved.

One thing worth calling out: 4.8.0 → 4.8.4 is not a flat patch sequence — 4.8.2 silently changed AuthzResult.diagnostics.reasons to surface @id("…") annotation values instead of parser-generated policy0-style IDs, which would have broken our usage at agent/src/policy.py:1133-1134. 4.8.3 reverted that, and 4.8.4 keeps the revert. So the effective behavior of reasons is identical to 4.8.0 from our code's perspective.

Re-ran the same test plan: parity 6/6 + 6/6, mise //cdk:test 1808/1808, mise //agent:quality 819/819.
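The diagnostics.reasons change described in the comment above (positional policy0-style IDs in one release, @id("…") annotation values in another) is the kind of difference a consumer can absorb by normalizing both forms to one stable ID before comparing. The following is an added example, not agent/src/policy.py or any cedarpy code: it scans a constructed policy set for @id annotations, assumes parser-generated IDs are policy0, policy1, ... in source order, and maps whatever the engine returns to the annotation ID where one exists.

```python
"""Engine-independent Cedar policy IDs for diagnostics.reasons.

Added example, not agent/src/policy.py. Assumptions (not stated in the thread):
parser-generated IDs are policy0, policy1, ... in source order of the policy set,
and the alternative form an engine may return is the value of a policy's @id("...")
annotation. The policy text below is constructed for the example.
"""
import re
from typing import Dict, FrozenSet, Iterable

# One token at a time, scanning left to right: a string literal (skipped, so "permit"
# inside a when-clause string is not mistaken for a policy), an annotation, a policy
# effect keyword, or a line comment (skipped).
_TOKEN = re.compile(
    r'"(?:[^"\\]|\\.)*"'
    r'|@(?P<ann>[A-Za-z_]\w*)\s*\(\s*"(?P<val>(?:[^"\\]|\\.)*)"\s*\)'
    r'|\b(?P<effect>permit|forbid)\b'
    r'|//[^\n]*'
)


def stable_policy_ids(policy_set: str) -> Dict[str, str]:
    """Map each parser-generated ID to its @id annotation, or to itself when unannotated."""
    ids: Dict[str, str] = {}
    pending: Dict[str, str] = {}   # annotations seen since the last policy
    index = 0
    for tok in _TOKEN.finditer(policy_set):
        if tok.group("ann"):
            pending[tok.group("ann")] = tok.group("val")
        elif tok.group("effect"):
            generated = f"policy{index}"
            ids[generated] = pending.get("id", generated)
            pending, index = {}, index + 1
        # string literal or comment: nothing to do
    return ids


def normalize_reasons(reasons: Iterable[str], ids: Dict[str, str]) -> FrozenSet[str]:
    """Return stable IDs whether the engine reported policyN or @id values."""
    known = set(ids.values())
    out = set()
    for r in reasons:
        if r in ids:
            out.add(ids[r])
        elif r in known:
            out.add(r)
        else:
            raise KeyError(f"reason {r!r} is not a policy in this policy set")
    return frozenset(out)


POLICY_SET = '''
// constructed sample policy set (not the project's policies)
@id("allow-read-own-docs")
permit(principal, action == Action::"read", resource)
when { resource.owner == principal };

forbid(principal, action, resource)
when { context.mode == "permit-all" };   // string contains "permit" on purpose

@id("hitl-gate")
permit(principal, action == Action::"deploy", resource)
when { context.approved == true };
'''

if __name__ == "__main__":
    ids = stable_policy_ids(POLICY_SET)
    print(ids)
    # The same decision as reported by a policyN-style engine and by an
    # @id-style engine normalizes to the same set.
    print(normalize_reasons(["policy2"], ids), normalize_reasons(["hitl-gate"], ids))
```

A consumer that compares normalized sets rather than raw reason strings keeps working across the 4.8.2 and 4.8.3 behaviours; an unannotated policy still normalizes to its positional ID, and a reason naming no policy in the set raises instead of being silently dropped.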

@Kalindi-Dev Kalindi-Dev enabled auto-merge June 8, 2026 15:02
@isadeks
Contributor

isadeks commented Jun 8, 2026

Approve after one fix: mise.toml:8-9 parity banner still says cedarpy==4.8.0 / cedar-wasm@4.10.0 — update it to match the new pins so the banner that future bumpers are pointed at isn't lying.
Also: the PR description says cedarpy 4.8.3, but the diff pins 4.8.4.

Development

Successfully merging this pull request may close these issues.

fix(cedar): align cedarpy and cedar-wasm to same Rust core (4.8.2)
