Update Rust crate cedar-policy-core to v4.10.0

[hash-worker]

This PR contains the following updates:

Package	Type	Update	Change
cedar-policy-core (source)	workspace.dependencies	minor	4.5.1 → 4.10.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cedar-policy/cedar (cedar-policy-core)

v4.10.0

Compare Source

Release 4.10.0, available on crates.io

Added

• Extended has operator in JSON policies, maintaining backwards-compatible desugaring of extended has in Cedar policies to json (#​1889).

Changed

• Explicit failure when using experimental features tolerant-ast and protobuf together: serialization of policies with error in action constraint fails (#​2248, #​2247).

Fixed

• Decoding entities with parents and indirect ancestors in protobuf (#​2240).

Full Changelog: cedar-policy/cedar@v4.9.1...v4.10.0

v4.9.1

Compare Source

Release 4.9.1, available on crates.io

Changed

• Minor optimizations to decimal parsing (#​2156) and constructing constant identifiers (#​1880).

Full Changelog: cedar-policy/cedar@v4.9.0...v4.9.1

v4.9.0

Compare Source

Release 4.9.0, available on crates.io

Added

• Entity::attrs() and Entity::tags() to iterate over all attributes/tags of an Entity (#​2084)
• to_json_value() methods on Entities, Context, and EntityUid (matching the existing one on Entity) (#​2085)
• From or TryFrom impls for converting public types into their corresponding FFI versions in
  the ffi module (new impls on ffi::EntityUid, ffi::Context, ffi::Entities, ffi::Policy,
  ffi::Template, and ffi::StaticPolicySet) (#​2085)
• schema_to_json_with_resolved_types() function, which takes in a Cedar schema and returns a json schema without any instances of EntityOrCommon; they're all either Entity or CommonType (#​2058)
• More derives (PartialEq, Clone, etc) for a number of types in the ffi module (#​2083)
• TPE: Simplify <residual> && false to false and <residual> || true to true when <residual> is error-free. (#​2091)

Fixed

• Policy formatting for record literals and index-style attribute access. (#​2117, fixing #​959 and #​1005)

v4.8.2

Compare Source

Release 4.8.2, available on crates.io

Changed

• Deprecated entity-manifest experimental feature. Consumers of these functions should migrate to the tpe feature and use PolicySet::is_authorized_batch. (#​1945)

Fixed

• Fixed authorization and other error messages to correctly display all diagnostic information. (#​1944)

v4.8.1

Compare Source

Release 4.8.1, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals. (#​1964)

v4.8.0

Compare Source

Release 4.8.0, available on crates.io

Added

• Added TpeResponse::residual_policies and TpeResponse::nontrivial_residual_policies to get residual policies under experimental feature tpe. (#​1906)
• Added PartialEntity::new and PartialEntities::from_partial_entities to programmatically construct PartialEntity and PartialEntities under feature tpe. (#​1916)

Changed

• For the tpe experimental feature, PartialEntities::from_concrete now requires a Schema and will validate the entities,
  ensuring that a PartialEntities object always meets the preconditions required for type aware partial evaluation. (#​1903)
• Evaluate has operation when the LHS record is projectable during partial evaluation. (#​1912)
• Deprecated schema parsing errors ActionAttributesContainEmptySet, UnsupportedActionAttribute, ActionAttrEval, and ExprEscapeUsed.
  These errors are never returned, so it is safe to delete any associated error handling code. (#​1929)
• Made policy validation for in, ==, and hasTag slightly more permissive to match the formally verified Lean model. (#​1931)
• Increase partial evaluation precision for if-then-else, or, and expressions (#​1940)

Fixed

• Removed incorrect dependency of feature partial-eval of feature tpe. (#​1898)
• Fixed incomplete policy ID renaming by PolicySet::merge. Updated policy IDs were correctly reflected when getting a
  policy with PolicySet::policy and PolicySet::template, but Policy::id, Template::id, and Policy::template_id
  continued to return the original id.
• Fixed issue where SchemaFragment::to_cedarschema could return a string that is not a valid Cedar schema.

v4.7.1

Compare Source

Release 4.7.1, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals. (#​1966)

v4.7.0

Compare Source

Release 4.7.0, available on crates.io

Cedar Language Version: 4.4

Added

• Added Schema::actions_for_principal_and_resource to list actions which apply to a particular principal and resource type.
• For the tpe experimental feature, added PolicySet::query_actions to list the actions which might be authorized given partial request with an unknown action.
• For the tpe experimental feature, added PartialEntities::empty to conveniently construct an empty partial entity set.

v4.6.2

Compare Source

Release 4.6.2, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals.

v4.6.1

Compare Source

Release 4.6.1, available on crates.io

Fixed

• Fixed doc.rs build (#​1878)

v4.6.0

Compare Source

Release 4.6.0, available on crates.io

Added

• Added deep_eq to the Entity and Entities structs to allow comparing these objects for structural equality. (#​1723)
• Added stateful_is_authorized, preparse_policy_set and preparse_schema to support stateful evaluation using a cached policy set and schema, in the ffi module. (#​1831, fixing #​1829)
• Added has_non_scope_constraint for Policy and Template, returning true if the policy or template has a when or unless condition. (#​1852)
• Implemented variadic ipaddr.isInRange that returns true if the target ipaddr is in range for any of the arguments as described in RFC 99, under the experimental flag variadic-is-in-range. (#​1775)
• Implemented type-aware partial evaluation as described in RFC 95, under the
  experimental flag tpe. (#​1575)
• Implemented batched evaluation, also under the experimental flag tpe. Batched evaluation allows for permission queries against large databases of entities. (#​1812)

Changed

• Bumped MSRV to 1.85 (#​1683)

v4.5.2

Compare Source

Release 4.5.2, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 4am every weekday,every weekend"
• Automerge
  • "before 4am every weekday,every weekend"

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.32%. Comparing base (a18ae88) to head (f74d179).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7998   +/-   ##
=======================================
  Coverage   62.31%   62.32%           
=======================================
  Files        1354     1354           
  Lines      137003   137003           
  Branches     5792     5792           
=======================================
+ Hits        85372    85384   +12     
+ Misses      50725    50715   -10     
+ Partials      906      904    -2     

Flag	Coverage Δ
local.claude-hooks	0.00% <ø> (ø)
local.harpc-client	51.24% <ø> (ø)
rust.antsi	0.00% <ø> (ø)
rust.error-stack	90.87% <ø> (ø)
rust.harpc-codec	84.70% <ø> (ø)
rust.harpc-net	96.38% <ø> (+0.19%)	⬆️
rust.harpc-tower	67.03% <ø> (ø)
rust.harpc-types	0.00% <ø> (ø)
rust.harpc-wire-protocol	92.23% <ø> (ø)
rust.hash-codec	72.76% <ø> (ø)
rust.hash-graph-temporal-versioning	47.95% <ø> (ø)
rust.hashql-core	82.44% <ø> (ø)
rust.hashql-diagnostics	72.43% <ø> (ø)
rust.hashql-syntax-jexpr	94.06% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ds-theme	Ready	Preview, Comment	May 12, 2026 5:05pm
hash	Error		May 12, 2026 5:05pm
hashdotdesign	Ready	Preview, Comment	May 12, 2026 5:05pm
hashdotdesign-tokens	Ready	Preview, Comment	May 12, 2026 5:05pm
petrinaut	Ready	Preview	May 12, 2026 5:05pm

[deepsource-io]

Here's the code health analysis summary for commits d549b46..ea9c8f2. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
JavaScript	✅ Success		View Check ↗
Secrets	✅ Success		View Check ↗
SQL	✅ Success		View Check ↗
Rust	✅ Success		View Check ↗
Shell	✅ Success		View Check ↗
Docker	✅ Success		View Check ↗
Test coverage	❌ Failure	🚩 1 error	View Check ↗

Code Coverage Report

Metric	Aggregate	Javascript	Rust
Branch Coverage	66.9% (up 37.4% from main)	33% (up 29% from main)	73% (up 1.1% from main)
Composite Coverage	82.5% (up 26.7% from main)	46.2% (up 38.7% from main)	84.1% (up 19.5% from main)
Line Coverage	82.9% (up 26% from main)	47.6% (up 39.3% from main)	84.4% (up 19.9% from main)

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[cursor]

PR Summary

Medium Risk
Updates the cedar-policy-core dependency (used for policy evaluation/authorization) and refreshes lockfile transitive dependencies, which could subtly change authorization behavior or platform builds.

Overview
Bumps cedar-policy-core from 4.5.1 to 4.10.0 via Cargo.lock, pulling in new transitive crates (notably linked-hash-map, linked_hash_set, and rustc-literal-escaper) and updating nonempty.

The lockfile also reshuffles several Windows-related and build dependencies (multiple windows-sys versions, getrandom, and itertools for prost-*), which may affect cross-platform compilation and dependency resolution.

^{Reviewed by Cursor Bugbot for commit f74d179. Bugbot is set up for automated code reviews on this repo. Configure here.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 56 untouched benchmarks
⏩ 24 skipped benchmarks¹

---

_{Comparing deps/rs/cedar-policy-rust-crates (f74d179) with main (9219cf3)}

Footnotes

1. 24 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩