Update Rust crate cedar-policy-core to v4.9.1

[hash-worker]

This PR contains the following updates:

Package	Type	Update	Change
cedar-policy-core (source)	workspace.dependencies	minor	4.5.1 -> 4.9.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cedar-policy/cedar (cedar-policy-core)

v4.9.1

Compare Source

Release 4.9.1, available on crates.io

Changed

• Minor optimizations to decimal parsing (#​2156) and constructing constant identifiers (#​1880).

Full Changelog: cedar-policy/cedar@v4.9.0...v4.9.1

v4.9.0

Compare Source

Release 4.9.0, available on crates.io

Added

• Entity::attrs() and Entity::tags() to iterate over all attributes/tags of an Entity (#​2084)
• to_json_value() methods on Entities, Context, and EntityUid (matching the existing one on Entity) (#​2085)
• From or TryFrom impls for converting public types into their corresponding FFI versions in
  the ffi module (new impls on ffi::EntityUid, ffi::Context, ffi::Entities, ffi::Policy,
  ffi::Template, and ffi::StaticPolicySet) (#​2085)
• schema_to_json_with_resolved_types() function, which takes in a Cedar schema and returns a json schema without any instances of EntityOrCommon; they're all either Entity or CommonType (#​2058)
• More derives (PartialEq, Clone, etc) for a number of types in the ffi module (#​2083)
• TPE: Simplify <residual> && false to false and <residual> || true to true when <residual> is error-free. (#​2091)

Fixed

• Policy formatting for record literals and index-style attribute access. (#​2117, fixing #​959 and #​1005)

v4.8.2

Compare Source

Release 4.8.2, available on crates.io

Changed

• Deprecated entity-manifest experimental feature. Consumers of these functions should migrate to the tpe feature and use PolicySet::is_authorized_batch. (#​1945)

Fixed

• Fixed authorization and other error messages to correctly display all diagnostic information. (#​1944)

v4.8.1

Compare Source

Release 4.8.1, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals. (#​1964)

v4.8.0

Compare Source

Release 4.8.0, available on crates.io

Added

• Added TpeResponse::residual_policies and TpeResponse::nontrivial_residual_policies to get residual policies under experimental feature tpe. (#​1906)
• Added PartialEntity::new and PartialEntities::from_partial_entities to programmatically construct PartialEntity and PartialEntities under feature tpe. (#​1916)

Changed

• For the tpe experimental feature, PartialEntities::from_concrete now requires a Schema and will validate the entities,
  ensuring that a PartialEntities object always meets the preconditions required for type aware partial evaluation. (#​1903)
• Evaluate has operation when the LHS record is projectable during partial evaluation. (#​1912)
• Deprecated schema parsing errors ActionAttributesContainEmptySet, UnsupportedActionAttribute, ActionAttrEval, and ExprEscapeUsed.
  These errors are never returned, so it is safe to delete any associated error handling code. (#​1929)
• Made policy validation for in, ==, and hasTag slightly more permissive to match the formally verified Lean model. (#​1931)
• Increase partial evaluation precision for if-then-else, or, and expressions (#​1940)

Fixed

• Removed incorrect dependency of feature partial-eval of feature tpe. (#​1898)
• Fixed incomplete policy ID renaming by PolicySet::merge. Updated policy IDs were correctly reflected when getting a
  policy with PolicySet::policy and PolicySet::template, but Policy::id, Template::id, and Policy::template_id
  continued to return the original id.
• Fixed issue where SchemaFragment::to_cedarschema could return a string that is not a valid Cedar schema.

v4.7.1

Compare Source

Release 4.7.1, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals. (#​1966)

v4.7.0

Compare Source

Release 4.7.0, available on crates.io

Cedar Language Version: 4.4

Added

• Added Schema::actions_for_principal_and_resource to list actions which apply to a particular principal and resource type.
• For the tpe experimental feature, added PolicySet::query_actions to list the actions which might be authorized given partial request with an unknown action.
• For the tpe experimental feature, added PartialEntities::empty to conveniently construct an empty partial entity set.

v4.6.2

Compare Source

Release 4.6.2, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals.

v4.6.1

Compare Source

Release 4.6.1, available on crates.io

Fixed

• Fixed doc.rs build (#​1878)

v4.6.0

Compare Source

Release 4.6.0, available on crates.io

Added

• Added deep_eq to the Entity and Entities structs to allow comparing these objects for structural equality. (#​1723)
• Added stateful_is_authorized, preparse_policy_set and preparse_schema to support stateful evaluation using a cached policy set and schema, in the ffi module. (#​1831, fixing #​1829)
• Added has_non_scope_constraint for Policy and Template, returning true if the policy or template has a when or unless condition. (#​1852)
• Implemented variadic ipaddr.isInRange that returns true if the target ipaddr is in range for any of the arguments as described in RFC 99, under the experimental flag variadic-is-in-range. (#​1775)
• Implemented type-aware partial evaluation as described in RFC 95, under the
  experimental flag tpe. (#​1575)
• Implemented batched evaluation, also under the experimental flag tpe. Batched evaluation allows for permission queries against large databases of entities. (#​1812)

Changed

• Bumped MSRV to 1.85 (#​1683)

v4.5.2

Compare Source

Release 4.5.2, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals.

---

Configuration

📅 Schedule: Branch creation - "before 4am every weekday,every weekend" (UTC), Automerge - "before 4am every weekday,every weekend" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.68%. Comparing base (da576c7) to head (5788b6d).
⚠️ Report is 31 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7998   +/-   ##
=======================================
  Coverage   62.68%   62.68%           
=======================================
  Files        1312     1312           
  Lines      133798   133798           
  Branches     5511     5511           
=======================================
+ Hits        83870    83872    +2     
+ Misses      49013    49011    -2     
  Partials      915      915           

Flag	Coverage Δ
local.claude-hooks	0.00% <ø> (ø)
local.harpc-client	51.24% <ø> (ø)
rust.antsi	0.00% <ø> (ø)
rust.error-stack	90.88% <ø> (ø)
rust.harpc-codec	84.70% <ø> (ø)
rust.harpc-net	96.19% <ø> (+0.03%)	⬆️
rust.harpc-tower	66.80% <ø> (ø)
rust.harpc-types	0.00% <ø> (ø)
rust.harpc-wire-protocol	92.23% <ø> (ø)
rust.hash-codec	72.76% <ø> (ø)
rust.hash-graph-temporal-versioning	47.95% <ø> (ø)
rust.hashql-core	82.29% <ø> (ø)
rust.hashql-diagnostics	72.43% <ø> (ø)
rust.hashql-syntax-jexpr	94.05% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ds-theme	Ready	Preview, Comment	Mar 12, 2026 10:29am
hash	Error		Mar 12, 2026 10:29am
hashdotdesign	Ready	Preview, Comment	Mar 12, 2026 10:29am
hashdotdesign-tokens	Ready	Preview, Comment	Mar 12, 2026 10:29am
petrinaut	Ready	Preview	Mar 12, 2026 10:29am

[deepsource-io]

Here's the code health analysis summary for commits d549b46..ea9c8f2. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
JavaScript	✅ Success		View Check ↗
Secrets	✅ Success		View Check ↗
SQL	✅ Success		View Check ↗
Rust	✅ Success		View Check ↗
Shell	✅ Success		View Check ↗
Docker	✅ Success		View Check ↗
Test coverage	❌ Failure	🚩 1 error	View Check ↗

Code Coverage Report

Metric	Aggregate	Javascript	Rust
Branch Coverage	66.9% (up 37.4% from main)	33% (up 29% from main)	73% (up 1.1% from main)
Composite Coverage	82.5% (up 26.7% from main)	46.2% (up 38.7% from main)	84.1% (up 19.5% from main)
Line Coverage	82.9% (up 26% from main)	47.6% (up 39.3% from main)	84.4% (up 19.9% from main)

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[cursor]

PR Summary

Medium Risk
Updates the Cedar policy evaluation dependency used by hash-graph-authorization, which can subtly change authorization parsing/evaluation behavior. Most changes are dependency resolution/lockfile churn, but they affect a security-adjacent component.

Overview
Updates the locked cedar-policy-core crate from 4.5.1 to 4.9.1, pulling in new transitive crates (notably linked-hash-map, linked_hash_set, and rustc-literal-escaper) and updating related versions like nonempty.

Regenerates Cargo.lock, resulting in several downstream resolution shifts (e.g., some crates now depending on older windows-sys variants, data-encoding-macro-internal switching to syn v1, and prost-* using itertools v0.10.5).

^{Written by Cursor Bugbot for commit 5788b6d. This will update automatically on new commits. Configure here.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 56 untouched benchmarks
⏩ 24 skipped benchmarks¹

---

_{Comparing deps/rs/cedar-policy-rust-crates (5788b6d) with main (da576c7)}

Footnotes

1. 24 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩