Update Rust crate cedar-policy-core to v4.8.1

[hash-worker]

This PR contains the following updates:

Package	Type	Update	Change
cedar-policy-core (source)	workspace.dependencies	minor	4.5.1 -> 4.8.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cedar-policy/cedar (cedar-policy-core)

v4.8.1

Compare Source

Release 4.8.1, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals. (#​1964)

v4.8.0

Compare Source

Release 4.8.0, available on crates.io

Added

• Added TpeResponse::residual_policies and TpeResponse::nontrivial_residual_policies to get residual policies under experimental feature tpe. (#​1906)
• Added PartialEntity::new and PartialEntities::from_partial_entities to programmatically construct PartialEntity and PartialEntities under feature tpe. (#​1916)

Changed

• For the tpe experimental feature, PartialEntities::from_concrete now requires a Schema and will validate the entities,
  ensuring that a PartialEntities object always meets the preconditions required for type aware partial evaluation. (#​1903)
• Evaluate has operation when the LHS record is projectable during partial evaluation. (#​1912)
• Deprecated schema parsing errors ActionAttributesContainEmptySet, UnsupportedActionAttribute, ActionAttrEval, and ExprEscapeUsed.
  These errors are never returned, so it is safe to delete any associated error handling code. (#​1929)
• Made policy validation for in, ==, and hasTag slightly more permissive to match the formally verified Lean model. (#​1931)
• Increase partial evaluation precision for if-then-else, or, and expressions (#​1940)

Fixed

• Removed incorrect dependency of feature partial-eval of feature tpe. (#​1898)
• Fixed incomplete policy ID renaming by PolicySet::merge. Updated policy IDs were correctly reflected when getting a
  policy with PolicySet::policy and PolicySet::template, but Policy::id, Template::id, and Policy::template_id
  continued to return the original id.
• Fixed issue where SchemaFragment::to_cedarschema could return a string that is not a valid Cedar schema.

v4.7.1

Compare Source

Release 4.7.1, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals. (#​1966)

v4.7.0

Compare Source

Release 4.7.0, available on crates.io

Cedar Language Version: 4.4

Added

• Added Schema::actions_for_principal_and_resource to list actions which apply to a particular principal and resource type.
• For the tpe experimental feature, added PolicySet::query_actions to list the actions which might be authorized given partial request with an unknown action.
• For the tpe experimental feature, added PartialEntities::empty to conveniently construct an empty partial entity set.

v4.6.2

Compare Source

Release 4.6.2, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals.

v4.6.1

Compare Source

Release 4.6.1, available on crates.io

Fixed

• Fixed doc.rs build (#​1878)

v4.6.0

Compare Source

Release 4.6.0, available on crates.io

Added

• Added deep_eq to the Entity and Entities structs to allow comparing these objects for structural equality. (#​1723)
• Added stateful_is_authorized, preparse_policy_set and preparse_schema to support stateful evaluation using a cached policy set and schema, in the ffi module. (#​1831, fixing #​1829)
• Added has_non_scope_constraint for Policy and Template, returning true if the policy or template has a when or unless condition. (#​1852)
• Implemented variadic ipaddr.isInRange that returns true if the target ipaddr is in range for any of the arguments as described in RFC 99, under the experimental flag variadic-is-in-range. (#​1775)
• Implemented type-aware partial evaluation as described in RFC 95, under the
  experimental flag tpe. (#​1575)
• Implemented batched evaluation, also under the experimental flag tpe. Batched evaluation allows for permission queries against large databases of entities. (#​1812)

Changed

• Bumped MSRV to 1.85 (#​1683)

v4.5.2

Compare Source

Release 4.5.2, available on crates.io

Fixed

• Fixed parsing of small negative decimal literals.

---

Configuration

📅 Schedule: Branch creation - "before 4am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.84%. Comparing base (3813458) to head (c3f87ad).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7998      +/-   ##
==========================================
- Coverage   57.84%   57.84%   -0.01%     
==========================================
  Files        1167     1167              
  Lines      109264   109264              
  Branches     4976     4976              
==========================================
- Hits        63209    63207       -2     
- Misses      45309    45311       +2     
  Partials      746      746              

Flag	Coverage Δ
local.claude-hooks	0.00% <ø> (ø)
local.harpc-client	51.24% <ø> (ø)
rust.antsi	0.00% <ø> (ø)
rust.error-stack	90.88% <ø> (ø)
rust.harpc-codec	84.70% <ø> (ø)
rust.harpc-net	96.14% <ø> (-0.04%)	⬇️
rust.harpc-tower	66.80% <ø> (ø)
rust.harpc-types	0.00% <ø> (ø)
rust.harpc-wire-protocol	92.23% <ø> (ø)
rust.hash-codec	72.76% <ø> (ø)
rust.hash-graph-temporal-versioning	47.95% <ø> (ø)
rust.hashql-core	82.46% <ø> (ø)
rust.hashql-diagnostics	72.43% <ø> (ø)
rust.hashql-syntax-jexpr	94.04% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
petrinaut	Ready	Preview	Nov 27, 2025 9:17am

[deepsource-io]

Here's the code health analysis summary for commits d549b46..ea9c8f2. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
JavaScript	✅ Success		View Check ↗
Secrets	✅ Success		View Check ↗
SQL	✅ Success		View Check ↗
Rust	✅ Success		View Check ↗
Shell	✅ Success		View Check ↗
Docker	✅ Success		View Check ↗
Test coverage	❌ Failure	🚩 1 error	View Check ↗

Code Coverage Report

Metric	Aggregate	Javascript	Rust
Branch Coverage	66.9% (up 37.4% from main)	33% (up 29% from main)	73% (up 1.1% from main)
Composite Coverage	82.5% (up 26.7% from main)	46.2% (up 38.7% from main)	84.1% (up 19.5% from main)
Line Coverage	82.9% (up 26% from main)	47.6% (up 39.3% from main)	84.4% (up 19.9% from main)

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.