fix(cedar): align cedarpy and cedar-wasm to Cedar Rust 4.8.2 (#168)

[Kalindi-Dev]

Summary

Align both Cedar policy engine bindings to the same underlying Rust core (4.8.2) so the agent-side (cedarpy) and Lambda-side (@cedar-policy/cedar-wasm) engines have true parity instead of the prior tested-compatible skew.

• cedarpy 4.8.0 → 4.8.4 (still wraps Rust 4.8.2)
• @cedar-policy/cedar-wasm 4.10.0 → 4.8.2
• Updated CEDAR_WASM_VERSION drift-guard constant in cdk/src/constructs/cedar-wasm-layer.ts
• Updated parity banner comment in mise.toml to match new pins
• Added Dependabot ignore rules for both packages so future bumps must be coordinated through a dedicated PR

Closes #168.

Why 4.8.2 (not 4.10.0)

No cedarpy release wraps Cedar Rust 4.9+. The latest cedarpy (4.8.4) still pins cedar-policy = "4.8.2". Until k9securityio publishes a cedarpy wrapping a newer core, 4.8.2 is the only version both bindings can share.

API surface check

cdk/src/handlers/shared/cedar-policy.ts only uses policySetTextToParts, policyToJson, and isAuthorized — all stable in 4.8.2. No 4.9/4.10-specific calls.

agent/src/policy.py reads result.diagnostics.reasons (lines 1133–1134). Note 4.8.0 → 4.8.4 is not a flat patch sequence: 4.8.2 silently changed reasons to surface @id("…") annotation values instead of parser-generated policy0-style IDs, which would have broken our usage. 4.8.3 reverted that and 4.8.4 keeps the revert, so effective behavior matches 4.8.0.

Test plan

• agent/tests/test_cedar_parity.py — 6/6 passed (cedarpy 4.8.4 vs golden fixtures)
• cdk/test/handlers/shared/cedar-parity.test.ts — 6/6 passed (cedar-wasm 4.8.2 vs golden fixtures)
• mise //cdk:test — 1808/1808 passed, 101/101 suites
• mise //agent:quality — 819/819 passed, lint + type-check clean, coverage 72.48% ≥ 72%
• Both lockfiles regenerated (agent/uv.lock, yarn.lock)
• Verified parity fixtures did not need refreshing (same Rust core ⇒ identical decisions)

Follow-ups

• PR chore(deps): uv: bump cedarpy from 4.8.0 to 4.8.2 in /agent in the all-python group across 1 directory #156 (Dependabot's isolated cedarpy bump) should be closed by a maintainer after this merges.
• PRs chore(deps): uv: bump the all-python group across 1 directory with 9 updates #244 and chore(deps): npm: bump the all-npm group across 5 directories with 30 updates #224 will both have merge conflicts after this lands and should be closed (not merged) — the new Dependabot ignore rules prevent this class of PR going forward.

Notes

Documentation under docs/design/CEDAR_HITL_GATES.md still references the prior cedarpy==4.8.0 ↔ cedar-wasm==4.10.0 skew narrative. That's intentionally left for a follow-up doc PR — this PR keeps the change set narrow to manifests, lockfiles, the version constant, the parity banner, and Dependabot config so the diff is reviewable as a focused parity-alignment change.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@bb7876a). Learn more about missing BASE report.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #271   +/-   ##
=======================================
  Coverage        ?   86.09%           
=======================================
  Files           ?      167           
  Lines           ?    39535           
  Branches        ?     3923           
=======================================
  Hits            ?    34036           
  Misses          ?     5499           
  Partials        ?        0           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[scottschreckengaust]

No blocker:

1. Minor version bump opportunity: could use cedarpy==4.8.4 instead of 4.8.3 for the latest patch. Same Cedar core, just newer Python-side fixes. This is optional — both achieve parity.
2. Conflicting Dependabot PRs: Once this merges, PRs chore(deps): uv: bump the all-python group across 1 directory with 9 updates #244 and chore(deps): npm: bump the all-npm group across 5 directories with 30 updates #224 will both have merge conflicts (they each bump one side independently). They should be closed (not merged) since this Dependabot ignore rules prevent this class of PR going forward.
3. PR chore(deps): uv: bump cedarpy from 4.8.0 to 4.8.2 in /agent in the all-python group across 1 directory #156: Also superseded — close after this merges (already called out in PR body).
4. Doc follow-up: body notes that docs/design/CEDAR_HITL_GATES.md still references the old skew narrative (cedarpy==4.8.0 ↔ cedar-wasm==4.10.0). That's intentionally deferred to a separate doc PR.

[Kalindi-Dev]

Bumped to cedarpy==4.8.4 in 3515c75. Verified it still wraps Cedar Rust 4.8.2, so engine parity is preserved.

One thing worth calling out: 4.8.0 → 4.8.4 is not a flat patch sequence — 4.8.2 silently changed AuthzResult.diagnostics.reasons to surface @id("…") annotation values instead of parser-generated policy0-style IDs, which would have broken our usage at agent/src/policy.py:1133-1134. 4.8.3 reverted that, and 4.8.4 keeps the revert. So the effective behavior of reasons is identical to 4.8.0 from our code's perspective.

Re-ran the same test plan: parity 6/6 + 6/6, mise //cdk:test 1808/1808, mise //agent:quality 819/819.

[isadeks]

Approve after one fix: mise.toml:8-9 parity banner still says cedarpy==4.8.0 / cedar-wasm@4.10.0 — update to match the new pins so the banner future bumpers are pointed at isn't lying.
Also: PR description says cedarpy 4.8.3 but the diff pins 4.8.4

[isadeks]

lgtm

[scottschreckengaust]

LGTM