fix(cedar): align cedarpy and cedar-wasm to Cedar Rust 4.8.2 (aws-samples#168) (aws-samples#271)

* fix(cedar): align cedarpy and cedar-wasm to Cedar Rust 4.8.2 (aws-samples#168)

Bump cedarpy 4.8.0->4.8.3 and downgrade @cedar-policy/cedar-wasm
4.10.0->4.8.2 so both bindings wrap the same Rust core, giving true
engine parity instead of the prior tested-compatible skew. Update the
CEDAR_WASM_VERSION drift-guard constant in cedar-wasm-layer.ts to
match. Add Dependabot ignore rules for both packages so future bumps
must be coordinated.

Verified: contracts/cedar-parity fixtures pass on both engines (12/12),
full CDK suite passes (1808/1808), full agent suite passes (819/819).

Closes aws-samples#168

* fix(cedar): bump cedarpy 4.8.3 -> 4.8.4 per review

Same Cedar Rust core (4.8.2), so engine parity is preserved. 4.8.4 picks
up Python-side patches:
  - 4.8.1: pytest/wheel/time/keccak CVE patches in dev/transitive deps
  - 4.8.4: release-mode benchmark gating (build-only, no runtime impact)

Verified our diagnostics.reasons usage (agent/src/policy.py:1133-1134)
still surfaces parser-generated policy IDs — the 4.8.2 silent change
was reverted in 4.8.3 and that revert is preserved in 4.8.4.

Re-ran the full test plan: parity 6/6 + 6/6, CDK 1808/1808, agent 819/819.

* fix(cedar): update mise.toml parity banner to match new pins

The banner is read by future contributors when bumping either binding;
keeping it pointed at the old skew (cedarpy==4.8.0 / cedar-wasm@4.10.0)
would mislead them after this PR lands.

  - agent: cedarpy==4.8.0   -> 4.8.4
  - cdk:   cedar-wasm@4.10.0 -> 4.8.2

---------

Co-authored-by: bgagent <bgagent@noreply.github.com>

Author: Kalindi-Dev

.github/dependabot.yml

@@ -44,6 +44,14 @@ updates:
     groups:
       all-python:
         patterns: ["*"]
+    ignore:
+      # Cedar engine parity — bump in lockstep with @cedar-policy/cedar-wasm via a
+      # dedicated coordinated PR. See docs/design/CEDAR_HITL_GATES.md §15.6 (decision #23).
+      - dependency-name: "cedarpy"
+        update-types:
+          - "version-update:semver-major"
+          - "version-update:semver-minor"
+          - "version-update:semver-patch"
 
   - package-ecosystem: "npm"
     directories:
@@ -59,3 +67,11 @@ updates:
     groups:
       all-npm:
         patterns: ["*"]
+    ignore:
+      # Cedar engine parity — bump in lockstep with cedarpy via a dedicated
+      # coordinated PR. See docs/design/CEDAR_HITL_GATES.md §15.6 (decision #23).
+      - dependency-name: "@cedar-policy/cedar-wasm"
+        update-types:
+          - "version-update:semver-major"
+          - "version-update:semver-minor"
+          - "version-update:semver-patch"

agent/pyproject.toml

@@ -33,7 +33,7 @@ dependencies = [
     # in cdk/package.json AND refresh the parity fixtures, in the same
     # commit. See docs/design/CEDAR_HITL_GATES.md §15.6 (decision #23) and
     # the parity-contract banner in mise.toml.
-    "cedarpy==4.8.0", #https://github.com/k9securityio/cedar-py — EXACT pin (no ^/~), parity with @cedar-policy/cedar-wasm@4.10.0
+    "cedarpy==4.8.4", #https://github.com/k9securityio/cedar-py — EXACT pin (no ^/~), parity with @cedar-policy/cedar-wasm@4.8.2 (both Cedar Rust 4.8.2)
 ]
 
 [tool.uv]

agent/uv.lock

@@ -4,6 +4,6 @@
   "private": true,
   "description": "Lambda layer bundling @cedar-policy/cedar-wasm for Cedar HITL policy handlers. Pinned version must match cdk/package.json.",
   "dependencies": {
-    "@cedar-policy/cedar-wasm": "4.10.0"
+    "@cedar-policy/cedar-wasm": "4.8.2"
   }
 }

cdk/layers/cedar-wasm/package.json

@@ -28,7 +28,7 @@
     "@aws-sdk/s3-presigned-post": "^3.1021.0",
     "@aws-sdk/s3-request-presigner": "^3.1021.0",
     "@aws/durable-execution-sdk-js": "^1.1.0",
-    "@cedar-policy/cedar-wasm": "4.10.0",
+    "@cedar-policy/cedar-wasm": "4.8.2",
     "aws-cdk-lib": "^2.257.0",
     "cdk-nag": "^2.38.2",
     "constructs": "^10.3.0",

cdk/package.json

@@ -34,7 +34,7 @@ import { Construct } from 'constructs';
  * lets the tests assert we ship the right version without duplicating
  * the number across files.
  */
-export const CEDAR_WASM_VERSION = '4.10.0';
+export const CEDAR_WASM_VERSION = '4.8.2';
 
 /**
  * Minimum memory the Lambda attaching this layer should be configured

cdk/src/constructs/cedar-wasm-layer.ts

@@ -5,8 +5,8 @@
 # decision #23): both engines are pinned EXACTLY (no ^/~) and must move
 # together. Golden-file parity fixtures under contracts/cedar-parity/ fail
 # CI if the engines diverge on any (policy, input) pair.
-#   - agent:   cedarpy==4.8.0                 (agent/pyproject.toml)
-#   - cdk:     @cedar-policy/cedar-wasm@4.10.0 (cdk/package.json)
+#   - agent:   cedarpy==4.8.4                 (agent/pyproject.toml)
+#   - cdk:     @cedar-policy/cedar-wasm@4.8.2  (cdk/package.json)
 min_version = "2026.2.6"
 
 experimental_monorepo_root = true