
chore(deps): uv: bump cedarpy from 4.8.0 to 4.8.2 in /agent in the all-python group across 1 directory #156

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/agent/all-python-6586283f03

Conversation


@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps the all-python group with 1 update in the /agent directory: cedarpy.

Updates cedarpy from 4.8.0 to 4.8.2

Release notes

Sourced from cedarpy's releases.

cedarpy v4.8.2

v4.8.2 ships three improvements:

  • Correctness: invalid schemas now surface as Decision.NoDecision (or validation_passed=False) with a diagnostic, instead of being silently discarded while is_authorized returned a real Allow/Deny based on no schema (#65 - thanks @rupivbluegreen!).
  • Ergonomics: @id("...") annotations on a policy now surface as the human-readable id in AuthzResult.diagnostics.reasons and ValidationError.policy_id, making diagnostics easier to read in logs and tooling (#74, #75 - thanks @rupivbluegreen for the original feature proposal and work in #66 that started us down this path!).
  • Release process robustness:
    • make release now actually builds and tests the release-mode wheel that would ship — the target previously produced an unoptimized dev-profile wheel and ran tests against whatever was installed in the venv, neither of which exercised the artifact. PyPI artifacts were unaffected; this only fixed locally-built wheels.
    • Benchmarks now run in release mode against a synthesized median-of-5 v4.8.0 baseline (make benchmark-compare), and a committed cross-state history (make benchmark-history → tests/benchmark/results/HISTORY.md) records performance across cedar-py development states. Together these make performance regressions easier to detect than the previous debug-mode single-run captures (#69, #71, #72).

Cedar Policy engine version is unchanged (still v4.8.2).

Added

  • Behavior change. @id("...") annotations on a policy now surface as the human-readable id in AuthzResult.diagnostics.reasons and ValidationError.policy_id, instead of the auto-generated policy0/policy1/... id. Annotations are inert in Cedar evaluation per the Cedar docs; this is a labeling step on the response surface, not a rename of the underlying PolicyId. An @id with an empty value — either @id("") or value-less @id (which per the Cedar docs is equivalent to @id("")) — falls back to the parser-generated id, since an empty display id is unhelpful for logs and lookups (#29, #74, #75 — thanks @rupivbluegreen for the original feature proposal and prototype in #66).

Changed

  • Behavior change. is_authorized / is_authorized_batch now return Decision.NoDecision with a diagnostic when given an invalid schema, instead of silently discarding the schema and returning a real Allow / Deny. The same path applies in validate_policies (#65 — thanks @rupivbluegreen).

Fixed

  • make release now builds and tests a release-mode wheel. The target previously ran maturin build (which defaults to the dev/debug profile) and then ran pytest against whatever cedarpy was currently installed in the venv — neither half tested the wheel that would ship. PyPI artifacts were unaffected (CI already passed --release); this fixes locally-built wheels.

Performance

| Benchmark | v4.8.0 median (μs) | v4.8.2 median (μs) | Δ |
|---|---|---|---|
| test_complex_policy | 281 | 279 | -0.6% |
| test_batch_complex_policy | 1278 | 1249 | -2.3% |
| test_batch_simple_policy | 396 | 404 | +2.1% |
| test_medium_policy | (within noise) | (within noise) | <3% |

Per-benchmark history across cedar-py development states lives in tests/benchmark/results/HISTORY.md.

Full Changelog: k9securityio/cedar-py@v4.8.1...v4.8.2

cedarpy v4.8.1 is a dependency update release. There are no functional or API changes. The Cedar Policy engine version is unchanged (still v4.8.2).

Security

Build / supply chain

  • Removed stale rustix = "~0.37.25" pin; rustix is now governed by the transitive dep graph (PR #43)
  • Added Dependabot cooldown on version updates — 7 days for minor/patch bumps, 14 for majors — to reduce exposure to newly-published compromised releases (PR #44, PR #45)
  • Switched PyPI publish from long-lived API token to Trusted Publishing (OIDC) with a protected pypi-release deployment environment (PR #59)

Verified integrity

... (truncated)

Changelog

Sourced from cedarpy's changelog.

[4.8.2] - 2026-05-12

Added

  • Behavior change. @id("...") annotations on a policy now surface as the human-readable id in AuthzResult.diagnostics.reasons and ValidationError.policy_id, instead of the auto-generated policy0/policy1/... id. Annotations are inert in Cedar evaluation per the Cedar docs; this is a labeling step on the response surface, not a rename of the underlying PolicyId. An @id with an empty value — either @id("") or value-less @id (which per the Cedar docs is equivalent to @id("")) — falls back to the parser-generated id, since an empty display id is unhelpful for logs and lookups (#29, #74, #75)

Changed

  • Behavior change. is_authorized / is_authorized_batch now return Decision.NoDecision with a diagnostic when given an invalid schema, instead of silently discarding the schema and returning a real Allow / Deny. The same path applies in validate_policies (#65)

Fixed

  • make release now builds and tests a release-mode wheel. The target previously ran maturin build (which defaults to the dev/debug profile) and then ran pytest against whatever cedarpy was currently installed in the venv — neither half tested the wheel that would ship. PyPI artifacts were unaffected (CI already passed --release); this fixes locally-built wheels.

[4.8.1] - 2026-04-22

Dependency update release. No functional or API changes — Cedar Policy engine version is unchanged (still v4.8.2).

Security

Changed

  • Removed the stale rustix = "~0.37.25" pin; rustix is now governed by the transitive dep graph (#43)

Build & supply chain

  • Switched PyPI publishing from a long-lived API token to PyPI Trusted Publishing (OIDC), with a protected pypi-release deployment environment requiring maintainer approval. All wheels and the sdist for this release ship with SLSA build-provenance attestations (#59)
  • Added a Dependabot cooldown policy (7 days for minor/patch bumps, 14 for majors) to reduce exposure to newly-published compromised releases (#44, #45)
  • Disabled Dependabot version-update PRs; security-update PRs remain active (#60)

Commits
  • 2353045 Merge pull request #76 from k9securityio/release/4.8.2
  • 0bbed30 release: bump version to 4.8.2
  • bb48fc5 chore(benchmark): record PR #75 Path B state data
  • 24823b4 chore(benchmark): declare PR #75 Path B state in history
  • 51704ef fix: 'make release' now builds and tests a release-mode wheel
  • a11872e docs: clarify @id annotation entry in [Unreleased] changelog
  • 963e3e6 docs: mark #74 task implementation steps complete
  • faf92a4 Merge pull request #75 from k9securityio/feat/id-annotations-via-post-process
  • bf30f70 feat: fall back to parser id when @id annotation value is empty
  • 57053a4 docs: record @id annotation implementation results in task file
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels May 19, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 19, 2026 22:00
@scottschreckengaust

@dependabot rebase

Bumps the all-python group with 1 update in the /agent directory: [cedarpy](https://github.com/k9securityio/cedar-py).


Updates `cedarpy` from 4.8.0 to 4.8.2
- [Release notes](https://github.com/k9securityio/cedar-py/releases)
- [Changelog](https://github.com/k9securityio/cedar-py/blob/main/CHANGELOG.md)
- [Commits](k9securityio/cedar-py@v4.8.0...v4.8.2)

---
updated-dependencies:
- dependency-name: cedarpy
  dependency-version: 4.8.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-python
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/agent/all-python-6586283f03 branch from d0a20e1 to b86bc03 Compare May 19, 2026 22:35
Comment thread agent/pyproject.toml
# commit. See docs/design/CEDAR_HITL_GATES.md §15.6 (decision #23) and
# the parity-contract banner in mise.toml.
"cedarpy==4.8.0", #https://github.com/k9securityio/cedar-py — EXACT pin (no ^/~), parity with @cedar-policy/cedar-wasm@4.10.0
"cedarpy==4.8.2", #https://github.com/k9securityio/cedar-py — EXACT pin (no ^/~), parity with @cedar-policy/cedar-wasm@4.10.0
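Review bot: the trailing comment on the changed line still asserts parity with @cedar-policy/cedar-wasm@4.10.0, but nothing in this diff or the PR description shows that the parity was re-checked for 4.8.2. The release notes quoted above state the Cedar Policy engine version is unchanged across this bump, which is the fact that would justify keeping the comment as-is, so record that outcome in the PR (or point at the check from decision #23 in docs/design/CEDAR_HITL_GATES.md §15.6) so the pin comment does not silently drift from the verified state.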

Was this parity verified?

@scottschreckengaust

#168
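A check a reviewer could run to answer the parity question raised in the thread above, added here as example code (not part of this PR or the cedar-py project): it reads the cedarpy pin and its "parity with ..." comment from pyproject.toml and compares them with the @cedar-policy/cedar-wasm pin in a package.json. The package.json location, the comment format and the sample inputs are assumptions; the check only establishes that both pins are exact and agree on the declared version, not that the two engine versions are actually equivalent.

```python
import json
import re

# Constructed excerpt of agent/pyproject.toml, following the pin comment style in the PR diff.
PYPROJECT = '''
[project]
dependencies = [
    "cedarpy==4.8.2", # https://github.com/k9securityio/cedar-py EXACT pin (no ^/~), parity with @cedar-policy/cedar-wasm@4.10.0
]
'''

# Constructed package.json for the TypeScript side of the contract (path and content are assumptions).
PACKAGE_JSON = '{"dependencies": {"@cedar-policy/cedar-wasm": "4.10.0"}}'

PIN_RE = re.compile(r'"cedarpy(?P<op>==|~=|>=|<=|!=|>|<)(?P<ver>[^"]+)"')
PARITY_RE = re.compile(r"parity with @cedar-policy/cedar-wasm@(?P<ver>\S+)")
EXACT_SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")  # rejects ^, ~, ranges and x-wildcards


def check_parity(pyproject_text: str, package_json_text: str) -> list[str]:
    """Return findings; an empty list means both pins are exact and agree on the declared version."""
    findings: list[str] = []
    pin = PIN_RE.search(pyproject_text)
    if pin is None:
        return ["cedarpy dependency not found in pyproject.toml"]
    if pin.group("op") != "==":
        findings.append(f"cedarpy is not an exact pin: {pin.group('op')}{pin.group('ver')}")
    parity = PARITY_RE.search(pyproject_text)
    if parity is None:
        findings.append("no 'parity with @cedar-policy/cedar-wasm@X' comment on the cedarpy pin")
        return findings
    declared = parity.group("ver")
    spec = json.loads(package_json_text).get("dependencies", {}).get("@cedar-policy/cedar-wasm")
    if spec is None:
        findings.append("@cedar-policy/cedar-wasm missing from package.json dependencies")
    elif not EXACT_SEMVER_RE.match(spec):
        findings.append(f"cedar-wasm is not an exact pin: {spec}")
    elif spec != declared:
        findings.append(f"parity drift: pyproject declares cedar-wasm {declared}, package.json pins {spec}")
    return findings


if __name__ == "__main__":
    problems = check_parity(PYPROJECT, PACKAGE_JSON)
    print("parity contract OK" if not problems else "\n".join(problems))
```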


dependabot Bot commented on behalf of github May 22, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/uv/agent/all-python-6586283f03 branch May 22, 2026 19:43