Update Rust crate cedar-policy-core to v4.11.0 #7998

Open
hash-worker[bot] wants to merge 1 commit into main from deps/rs/cedar-policy-rust-crates

@hash-worker hash-worker Bot commented Nov 3, 2025

Contributor

This PR contains the following updates:

| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
| cedar-policy-core (source) | workspace.dependencies | minor | 4.5.1 → 4.11.0 | 4.11.1 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

cedar-policy/cedar (cedar-policy-core)

v4.11.0

Compare Source

Release 4.11.0, available on crates.io

Added
  • Public syntax tree (pst) module for programmatic construction, inspection, and manipulation of Cedar policies. Accessible via to_pst() / try_into_pst() / from_pst() on Policy, Template, and PolicySet. try_into_pst() consumes the value to avoid cloning. TPE residual policies can be converted to PST for structured inspection of residual expressions. Third-party types used in PST fields (SmolStr, LinkedHashMap, NonEmpty) are re-exported from the pst module. (#​816, #​366)
  • The Type-aware partial evaluation (TPE) experimental feature now supports template-linked policies. This would previously return a SlotNotSupportedError error.
    This error variant is removed and replaced with UnlinkedSlotError, occurring only when a slot in a linked policy is not bound. (#2314)
Fixed
  • Improved Cedar schema parse help for two common syntax mistakes: forgetting appliesTo before an action block, and adding ; after a namespace declaration. (#​1043, #​1044)
  • FunctionArgumentValidation errors now include a help message describing the expected format for extension function arguments: decimal, ip, datetime, and duration. (#​834)
  • Serialization of residual policies with error() nodes does not fail, instead results in JSON with {"error": []}. (#​2202)
  • Fixed conversion from protobuf policy sets to public type for policy sets containing templates and template-linked policies. (#​2330)
  • Fixed deserialization from protobuf of entity and context attributes containing extension values. (#​2344)

v4.10.0

Compare Source

Release 4.10.0, available on crates.io

Added
  • Extended has operator in JSON policies, maintaining backwards-compatible desugaring of extended has in Cedar policies to json (#​1889).
Changed
  • Explicit failure when using experimental features tolerant-ast and protobuf together: serialization of policies with error in action constraint fails (#​2248, #​2247).
Fixed
  • Decoding entities with parents and indirect ancestors in protobuf (#​2240).

Full Changelog: cedar-policy/cedar@v4.9.1...v4.10.0

v4.9.1

Compare Source

Release 4.9.1, available on crates.io

Changed
  • Minor optimizations to decimal parsing (#​2156) and constructing constant identifiers (#​1880).

Full Changelog: cedar-policy/cedar@v4.9.0...v4.9.1

v4.9.0

Compare Source

Release 4.9.0, available on crates.io

Added
  • Entity::attrs() and Entity::tags() to iterate over all attributes/tags of an Entity (#​2084)
  • to_json_value() methods on Entities, Context, and EntityUid (matching the existing one on Entity) (#​2085)
  • From or TryFrom impls for converting public types into their corresponding FFI versions in
    the ffi module (new impls on ffi::EntityUid, ffi::Context, ffi::Entities, ffi::Policy,
    ffi::Template, and ffi::StaticPolicySet) (#​2085)
  • schema_to_json_with_resolved_types() function, which takes in a Cedar schema and returns a json schema without any instances of EntityOrCommon; they're all either Entity or CommonType (#​2058)
  • More derives (PartialEq, Clone, etc) for a number of types in the ffi module (#​2083)
  • TPE: Simplify <residual> && false to false and <residual> || true to true when <residual> is error-free. (#​2091)
Fixed

v4.8.2

Compare Source

Release 4.8.2, available on crates.io

Changed
  • Deprecated entity-manifest experimental feature. Consumers of these functions should migrate to the tpe feature and use PolicySet::is_authorized_batch. (#​1945)
Fixed
  • Fixed authorization and other error messages to correctly display all diagnostic information. (#​1944)

v4.8.1

Compare Source

Release 4.8.1, available on crates.io

Fixed
  • Fixed parsing of small negative decimal literals. (#​1964)

v4.8.0

Compare Source

Release 4.8.0, available on crates.io

Added
  • Added TpeResponse::residual_policies and TpeResponse::nontrivial_residual_policies to get residual policies under experimental feature tpe. (#​1906)
  • Added PartialEntity::new and PartialEntities::from_partial_entities to programmatically construct PartialEntity and PartialEntities under feature tpe. (#​1916)
Changed
  • For the tpe experimental feature, PartialEntities::from_concrete now requires a Schema and will validate the entities,
    ensuring that a PartialEntities object always meets the preconditions required for type aware partial evaluation. (#​1903)
  • Evaluate has operation when the LHS record is projectable during partial evaluation. (#​1912)
  • Deprecated schema parsing errors ActionAttributesContainEmptySet, UnsupportedActionAttribute, ActionAttrEval, and ExprEscapeUsed.
    These errors are never returned, so it is safe to delete any associated error handling code. (#​1929)
  • Made policy validation for in, ==, and hasTag slightly more permissive to match the formally verified Lean model. (#​1931)
  • Increase partial evaluation precision for if-then-else, or, and expressions (#​1940)
Fixed
  • Removed incorrect dependency of feature partial-eval of feature tpe. (#​1898)
  • Fixed incomplete policy ID renaming by PolicySet::merge. Updated policy IDs were correctly reflected when getting a
    policy with PolicySet::policy and PolicySet::template, but Policy::id, Template::id, and Policy::template_id
    continued to return the original id.
  • Fixed issue where SchemaFragment::to_cedarschema could return a string that is not a valid Cedar schema.

v4.7.1

Compare Source

Release 4.7.1, available on crates.io

Fixed
  • Fixed parsing of small negative decimal literals. (#​1966)

v4.7.0

Compare Source

Release 4.7.0, available on crates.io

Cedar Language Version: 4.4

Added
  • Added Schema::actions_for_principal_and_resource to list actions which apply to a particular principal and resource type.
  • For the tpe experimental feature, added PolicySet::query_actions to list the actions which might be authorized given partial request with an unknown action.
  • For the tpe experimental feature, added PartialEntities::empty to conveniently construct an empty partial entity set.

v4.6.2

Compare Source

Release 4.6.2, available on crates.io

Fixed
  • Fixed parsing of small negative decimal literals.

v4.6.1

Compare Source

Release 4.6.1, available on crates.io

Fixed

v4.6.0

Compare Source

Release 4.6.0, available on crates.io

Added
  • Added deep_eq to the Entity and Entities structs to allow comparing these objects for structural equality. (#​1723)
  • Added stateful_is_authorized, preparse_policy_set and preparse_schema to support stateful evaluation using a cached policy set and schema, in the ffi module. (#​1831, fixing #​1829)
  • Added has_non_scope_constraint for Policy and Template, returning true if the policy or template has a when or unless condition. (#​1852)
  • Implemented variadic ipaddr.isInRange that returns true if the target ipaddr is in range for any of the arguments as described in RFC 99, under the experimental flag variadic-is-in-range. (#​1775)
  • Implemented type-aware partial evaluation as described in RFC 95, under the
    experimental flag tpe. (#​1575)
  • Implemented batched evaluation, also under the experimental flag tpe. Batched evaluation allows for permission queries against large databases of entities. (#​1812)
Changed

v4.5.2

Compare Source

Release 4.5.2, available on crates.io

Fixed
  • Fixed parsing of small negative decimal literals.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 4am every weekday,every weekend"
  • Automerge
    • "before 4am every weekday,every weekend"

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@hash-worker hash-worker Bot enabled auto-merge November 3, 2025 08:49
@github-actions github-actions Bot added the area/deps Relates to third-party dependencies (area) label Nov 3, 2025
codecov Bot commented Nov 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.09%. Comparing base (9eab148) to head (55b4fad).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7998      +/-   ##
==========================================
- Coverage   59.09%   59.09%   -0.01%     
==========================================
  Files        1344     1344              
  Lines      129782   129782              
  Branches     5869     5869              
==========================================
- Hits        76699    76697       -2     
- Misses      52180    52182       +2     
  Partials      903      903              
| Flag | Coverage Δ | |
|---|---|---|
| local.claude-hooks | 0.00% <ø> (ø) | |
| local.harpc-client | 51.24% <ø> (ø) | |
| rust.antsi | 0.00% <ø> (ø) | |
| rust.error-stack | 90.87% <ø> (ø) | |
| rust.harpc-codec | 84.70% <ø> (ø) | |
| rust.harpc-net | 96.18% <ø> (-0.04%) | ⬇️ |
| rust.harpc-tower | 67.03% <ø> (ø) | |
| rust.harpc-types | 0.00% <ø> (ø) | |
| rust.harpc-wire-protocol | 92.23% <ø> (ø) | |
| rust.hash-codec | 72.76% <ø> (ø) | |
| rust.hashql-core | 79.28% <ø> (ø) | |
| rust.hashql-diagnostics | 72.53% <ø> (ø) | |
| rust.hashql-syntax-jexpr | 94.06% <ø> (ø) | |

Flags with carried forward coverage won't be shown. Click here to find out more.

vercel Bot commented Nov 13, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| ds-theme | Ready | Preview, Comment | Jun 1, 2026 7:11pm |
| hash | Error | | Jun 1, 2026 7:11pm |
| hashdotdesign | Ready | Preview, Comment | Jun 1, 2026 7:11pm |
| hashdotdesign-tokens | Ready | Preview, Comment | Jun 1, 2026 7:11pm |
| petrinaut | Ready | Preview | Jun 1, 2026 7:11pm |

deepsource-io Bot commented Nov 17, 2025

Here's the code health analysis summary for commits d549b46..ea9c8f2. View details on DeepSource ↗.

Analysis Summary

| Analyzer | Status | Summary | Link |
|---|---|---|---|
| JavaScript | ✅ Success | | View Check ↗ |
| Secrets | ✅ Success | | View Check ↗ |
| SQL | ✅ Success | | View Check ↗ |
| Rust | ✅ Success | | View Check ↗ |
| Shell | ✅ Success | | View Check ↗ |
| Docker | ✅ Success | | View Check ↗ |
| Test coverage | ❌ Failure | 🚩 1 error | View Check ↗ |

Code Coverage Report

| Metric | Aggregate | Javascript | Rust |
|---|---|---|---|
| Branch Coverage | 66.9% (up 37.4% from main) | 33% (up 29% from main) | 73% (up 1.1% from main) |
| Composite Coverage | 82.5% (up 26.7% from main) | 46.2% (up 38.7% from main) | 84.1% (up 19.5% from main) |
| Line Coverage | 82.9% (up 26% from main) | 47.6% (up 39.3% from main) | 84.4% (up 19.9% from main) |

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

cursor Bot commented Dec 19, 2025

PR Summary

High Risk
Minor-version jumps on the Cedar policy engine affect authorization parsing, validation, and evaluation for hash-graph-authorization, with only lockfile changes and no accompanying code or test updates in the PR.

Overview
Bumps the resolved cedar-policy-core crate from 4.5.1 to 4.11.0 via Cargo.lock only (Renovate dependency update). No application Rust changes appear in this diff.

The lockfile refresh pulls in Cedar’s newer transitive graph (e.g. linked-hash-map, rustc-literal-escaper, nonempty 0.12, serde_with 3.20) and adjusts several unrelated pinned versions (e.g. prost-* back to itertools 0.10.5, some windows-sys 0.48 edges). hash-graph-authorization continues to depend on cedar_policy_core for AST, entities, and policy validation—so authorization parsing, validation, and evaluation behavior may change across the 4.6–4.11 release line without any code edits here.

Worth a full cargo test / policy-validation pass after merge; confirm the root Cargo.toml workspace version matches 4.11.0 if it isn’t part of this commit.

Reviewed by Cursor Bugbot for commit 55b4fad. Bugbot is set up for automated code reviews on this repo. Configure here.

@hash-worker hash-worker Bot force-pushed the deps/rs/cedar-policy-rust-crates branch from 4df6fda to 0ab3731 Compare December 19, 2025 23:11
@hash-worker hash-worker Bot force-pushed the deps/rs/cedar-policy-rust-crates branch from 0ab3731 to ac5c8cc Compare December 27, 2025 16:46
@hash-worker hash-worker Bot force-pushed the deps/rs/cedar-policy-rust-crates branch from ac5c8cc to 3848feb Compare December 31, 2025 12:52
@hash-worker hash-worker Bot force-pushed the deps/rs/cedar-policy-rust-crates branch from 3848feb to 3c21588 Compare January 2, 2026 08:13
@hash-worker hash-worker Bot force-pushed the deps/rs/cedar-policy-rust-crates branch from 3c21588 to 2c8e809 Compare January 15, 2026 15:13
codspeed-hq Bot commented Jan 17, 2026

Merging this PR will not alter performance

✅ 56 untouched benchmarks
⏩ 24 skipped benchmarks [1]


Comparing deps/rs/cedar-policy-rust-crates (55b4fad) with main (9eab148)

Footnotes

  1. 24 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.
