Cerbos v0.48.0

The hubctl upload-git command is now able to determine the last git reference from the remote store and upload the files that changed since that revision. If the remote store doesn’t contain git information, it will be overwritten with the files from the current HEAD. As part of this change, the from and to parameters have been converted to explicit flags rather than positional arguments. The cerbos-store-action GitHub Action uses this updated command under the hood to sync changes from GitHub repositories to Cerbos Hub stores.

The Cerbos PDP now exposes API endpoints that are compatible with the AuthZEN authorization API specification. These include the PDP metadata endpoint as well as the access evaluation endpoints. See API documentation for more details about how AuthZEN requests are mapped to Cerbos requests.

When using the hub storage driver, the PDP is now able to consume bundles generated using a new format. This format is more efficient and closer to the final in-memory data structure used by the Cerbos engine.

In case a collection is a known value, then collection.all(t, <bodyExpr>) can be simplified as a logical AND of the body expr evaluated for each value of t in the collection. The collection can be either a map or a list. Both single- and two-var operations are supported.

Fixes a regression where resource kinds with special characters in their name were not correctly matched during policy evaluation.+

Fixes an issue where the query planner failed to correctly deal with expressions that make use of simple booleans as lambda expressions (e.g. R.attr.teams.all(t, false)).+