Cerbos PDP v0.48: OpenID AuthZEN support, improved query plans, faster bundle loading

The v0.48 release of Cerbos PDP introduces first-class support for the AuthZEN Authorization API, a more capable Git upload flow for Hub stores, and a set of under-the-hood improvements that make policy distribution and evaluation faster and more predictable. It also includes several targeted fixes that remove edge-case inconsistencies discovered by users integrating Cerbos into large multi-tenant deployments. As always, the full changelog is available in the repository.

AuthZEN Authorization API 1.0

The PDP now implements the endpoints defined in version 1.0 of the AuthZEN Authorization API. This includes the metadata endpoint and the evaluation endpoints required for AuthZEN-compatible clients. Cerbos maps AuthZEN requests to the native evaluation model while preserving response semantics, making it possible to adopt Cerbos in environments standardising on AuthZEN without changing existing client code.

See the API reference for the supported request shapes and mapping details.

Support for the new bundle format

When running with a Hub storage driver, the PDP can now consume bundles generated using a new, more efficient format. The updated layout is closer to the internal data structures used by the engine, which reduces load times and improves memory use in large installations.

Simplified plan generation for all operations

The planner now recognises when a collection is a known value and simplifies collection.all(t, <expr>) into a logical AND of <expr> evaluated for each element. This applies to lists and maps, and works for both one-variable and two-variable lambda operations. The result is a more compact and deterministic query plan, especially for policies that rely heavily on set membership filters.

Detect diff parameters for hubctl upload-git

The hubctl upload-git command now automatically determines the last git reference recorded in the remote store and uploads only the files that have changed since that revision. If a store has no git metadata yet, its contents are replaced using the files from the current HEAD.

As part of this work, the from and to parameters have been replaced with explicit flags. Any automation depending on the positional argument format will need to be updated. The new cerbos-store-action GitHub Action relies on this updated behaviour to provide consistent, idempotent policy sync from GitHub repositories to Hub stores.