Commit 5d28f14

Kalindi-Dev and bgagent authored
fix(cedar): align cedarpy and cedar-wasm to Cedar Rust 4.8.2 (aws-samples#168) (aws-samples#271)
* fix(cedar): align cedarpy and cedar-wasm to Cedar Rust 4.8.2 (aws-samples#168)

  Bump cedarpy 4.8.0->4.8.3 and downgrade @cedar-policy/cedar-wasm 4.10.0->4.8.2 so both bindings wrap the same Rust core, giving true engine parity instead of the prior tested-compatible skew. Update the CEDAR_WASM_VERSION drift-guard constant in cedar-wasm-layer.ts to match. Add Dependabot ignore rules for both packages so future bumps must be coordinated.

  Verified: contracts/cedar-parity fixtures pass on both engines (12/12), full CDK suite passes (1808/1808), full agent suite passes (819/819).

  Closes aws-samples#168

* fix(cedar): bump cedarpy 4.8.3 -> 4.8.4 per review

  Same Cedar Rust core (4.8.2), so engine parity is preserved. 4.8.4 picks up Python-side patches:
  - 4.8.1: pytest/wheel/time/keccak CVE patches in dev/transitive deps
  - 4.8.4: release-mode benchmark gating (build-only, no runtime impact)

  Verified our diagnostics.reasons usage (agent/src/policy.py:1133-1134) still surfaces parser-generated policy IDs — the 4.8.2 silent change was reverted in 4.8.3 and that revert is preserved in 4.8.4.

  Re-ran the full test plan: parity 6/6 + 6/6, CDK 1808/1808, agent 819/819.

* fix(cedar): update mise.toml parity banner to match new pins

  The banner is read by future contributors when bumping either binding; keeping it pointed at the old skew (cedarpy==4.8.0 / cedar-wasm@4.10.0) would mislead them after this PR lands.
  - agent: cedarpy==4.8.0 -> 4.8.4
  - cdk: cedar-wasm@4.10.0 -> 4.8.2

---------

Co-authored-by: bgagent <bgagent@noreply.github.com>
1 parent bb7876a commit 5d28f14

8 files changed

Lines changed: 43 additions & 27 deletions

.github/dependabot.yml

Lines changed: 16 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -44,6 +44,14 @@ updates:
4444
groups:
4545
all-python:
4646
patterns: ["*"]
47+
ignore:
48+
# Cedar engine parity — bump in lockstep with @cedar-policy/cedar-wasm via a
49+
# dedicated coordinated PR. See docs/design/CEDAR_HITL_GATES.md §15.6 (decision #23).
50+
- dependency-name: "cedarpy"
51+
update-types:
52+
- "version-update:semver-major"
53+
- "version-update:semver-minor"
54+
- "version-update:semver-patch"
4755

4856
- package-ecosystem: "npm"
4957
directories:
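Review bot: in the new `ignore` entry for `cedarpy`, listing semver-major, semver-minor and semver-patch together suppresses every version-update PR for the package, so once this lands nothing in this config prompts a bump when upstream ships a fix. Suggest extending the comment to say who watches cedar-py releases and what triggers the coordinated PR, and confirming that Dependabot security alerts for `cedarpy` still reach the team with this rule in place.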
@@ -59,3 +67,11 @@ updates:
5967
groups:
6068
all-npm:
6169
patterns: ["*"]
70+
ignore:
71+
# Cedar engine parity — bump in lockstep with cedarpy via a dedicated
72+
# coordinated PR. See docs/design/CEDAR_HITL_GATES.md §15.6 (decision #23).
73+
- dependency-name: "@cedar-policy/cedar-wasm"
74+
update-types:
75+
- "version-update:semver-major"
76+
- "version-update:semver-minor"
77+
- "version-update:semver-patch"
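Review bot: the `@cedar-policy/cedar-wasm` ignore rule only applies to the manifests covered by this npm entry's `directories:` list, and this commit pins the package in both cdk/package.json and cdk/layers/cedar-wasm/package.json. Please confirm both directories fall under this entry; if the layer directory is handled by a different `updates` entry, that entry needs the same `ignore` block or it can still be bumped on its own.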

agent/pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -33,7 +33,7 @@ dependencies = [
3333
# in cdk/package.json AND refresh the parity fixtures, in the same
3434
# commit. See docs/design/CEDAR_HITL_GATES.md §15.6 (decision #23) and
3535
# the parity-contract banner in mise.toml.
36-
"cedarpy==4.8.0", #https://github.com/k9securityio/cedar-py — EXACT pin (no ^/~), parity with @cedar-policy/cedar-wasm@4.10.0
36+
"cedarpy==4.8.4", #https://github.com/k9securityio/cedar-py — EXACT pin (no ^/~), parity with @cedar-policy/cedar-wasm@4.8.2 (both Cedar Rust 4.8.2)
3737
]
3838

3939
[tool.uv]
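Review bot: on the new `"cedarpy==4.8.4"` line, the binding version no longer equals the cedar-wasm version, so the parity claim rests on the trailing "(both Cedar Rust 4.8.2)" remark alone. Suggest the comment also say where the cedarpy-to-Cedar-Rust version mapping can be checked, so the next bump verifies the embedded core version instead of matching package numbers by eye.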

agent/uv.lock

Lines changed: 17 additions & 17 deletions
Some generated files are not rendered by default.

cdk/layers/cedar-wasm/package.json

Lines changed: 1 addition & 1 deletion
@@ -4,6 +4,6 @@
44
"private": true,
55
"description": "Lambda layer bundling @cedar-policy/cedar-wasm for Cedar HITL policy handlers. Pinned version must match cdk/package.json.",
66
"dependencies": {
7-
"@cedar-policy/cedar-wasm": "4.10.0"
7+
"@cedar-policy/cedar-wasm": "4.8.2"
88
}
99
}

cdk/package.json

Lines changed: 1 addition & 1 deletion
@@ -28,7 +28,7 @@
2828
"@aws-sdk/s3-presigned-post": "^3.1021.0",
2929
"@aws-sdk/s3-request-presigner": "^3.1021.0",
3030
"@aws/durable-execution-sdk-js": "^1.1.0",
31-
"@cedar-policy/cedar-wasm": "4.10.0",
31+
"@cedar-policy/cedar-wasm": "4.8.2",
3232
"aws-cdk-lib": "^2.257.0",
3333
"cdk-nag": "^2.38.2",
3434
"constructs": "^10.3.0",
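Review bot: the change from `"4.10.0"` to `"4.8.2"` on the `@cedar-policy/cedar-wasm` line is a downgrade across two minor releases, which can drop fixes and behaviour the CDK handlers have been running with. Please note in the PR whether any fix shipped between 4.8.2 and 4.10.0 matters for the policies in use, and whether any handler code depends on API surface added after 4.8.2; passing parity fixtures show the two engines agree with each other, not that nothing was lost relative to 4.10.0.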

cdk/src/constructs/cedar-wasm-layer.ts

Lines changed: 1 addition & 1 deletion
@@ -34,7 +34,7 @@ import { Construct } from 'constructs';
3434
* lets the tests assert we ship the right version without duplicating
3535
* the number across files.
3636
*/
37-
export const CEDAR_WASM_VERSION = '4.10.0';
37+
export const CEDAR_WASM_VERSION = '4.8.2';
3838

3939
/**
4040
* Minimum memory the Lambda attaching this layer should be configured
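Review bot: the doc comment above `CEDAR_WASM_VERSION` says the constant lets tests assert the shipped version "without duplicating the number across files", yet this commit edits the same literal here and in two package.json files. Suggest the test read the version from cdk/package.json and cdk/layers/cedar-wasm/package.json and compare both against the constant, and update the comment to name the places that must move together.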

mise.toml

Lines changed: 2 additions & 2 deletions
@@ -5,8 +5,8 @@
55
# decision #23): both engines are pinned EXACTLY (no ^/~) and must move
66
# together. Golden-file parity fixtures under contracts/cedar-parity/ fail
77
# CI if the engines diverge on any (policy, input) pair.
8-
# - agent: cedarpy==4.8.0 (agent/pyproject.toml)
9-
# - cdk: @cedar-policy/cedar-wasm@4.10.0 (cdk/package.json)
8+
# - agent: cedarpy==4.8.4 (agent/pyproject.toml)
9+
# - cdk: @cedar-policy/cedar-wasm@4.8.2 (cdk/package.json)
1010
min_version = "2026.2.6"
1111

1212
experimental_monorepo_root = true
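Review bot: the updated banner lines show `cedarpy==4.8.4` next to `@cedar-policy/cedar-wasm@4.8.2` with nothing explaining why two different numbers count as parity. Suggest adding the shared core version to the banner, for example "(both Cedar Rust 4.8.2)" as agent/pyproject.toml does, and listing cdk/layers/cedar-wasm/package.json alongside cdk/package.json since that file carries the same pin.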

yarn.lock

Lines changed: 4 additions & 4 deletions
Some generated files are not rendered by default.
