Cerbos PDP v0.50.0: Stricter CEL, more predictable scope plans, and faster evaluation

Published by Alex Olivier on December 22, 2025

The Cerbos PDP v0.50.0 release brings a set of important changes to policy semantics, scope handling, and evaluation performance. This version tightens CEL identifier rules, aligns query plan behavior with actual decisions across scopes, and introduces optimizations that reduce compute usage and speed up policy evaluation. As always, the full changelog is available in the repository.

Before upgrading in production, we strongly recommend validating your policies and workloads in a staging environment due to the breaking changes outlined below.

Stricter CEL identifier rules

In v0.50.0, the PDP enforces more precise CEL semantics around how constants, globals, and variables are accessed. Previously, it was possible to treat these top-level identifiers as map-like containers using index syntax (e.g., V["foo"]). This undocumented pattern is no longer supported.

Now, all access must use dot notation (V.foo), and names must be valid CEL identifiers. Identifiers that do not match the allowed pattern or that collide with reserved keywords will cause policy compilation to fail.

This change eliminates ambiguity in CEL expressions and improves predictability at compile time, but may require edits to existing policies that rely on index lookups.
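To find policies that need editing before the upgrade, the following added example (not part of the Cerbos code base or the original post) scans policy text for index-style access and proposes the dot form where the name allows it. It assumes the identifier pattern and reserved words from the CEL language definition, since the post does not spell out the exact pattern the PDP enforces, and it covers the long container names and the C and G aliases alongside V; `audit_policy` and the sample policy are constructed for illustration.

```python
import re

# Assumption: identifier grammar and reserved words as given in the CEL language
# definition; the post does not state the exact pattern the PDP enforces.
CEL_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
CEL_RESERVED = {
    "false", "in", "null", "true", "as", "break", "const", "continue", "else",
    "for", "function", "if", "import", "let", "loop", "package", "namespace",
    "return", "var", "void", "while",
}
# Top-level containers (and short aliases) indexed with a string literal.
# The lookbehind skips nested fields such as R.attr.V["x"].
INDEX_ACCESS = re.compile(
    r"(?<![\w.])(V|C|G|variables|constants|globals)\[\s*([\"'])(.*?)\2\s*\]"
)

def audit_policy(text):
    """Return (line_no, expression, dot_form_or_None) per index-style access."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in INDEX_ACCESS.finditer(line):
            container, name = m.group(1), m.group(3)
            if CEL_IDENT.match(name) and name not in CEL_RESERVED:
                fix = f"{container}.{name}"   # mechanical rewrite is safe
            else:
                fix = None                    # the name itself must be renamed
            findings.append((line_no, m.group(0), fix))
    return findings

# Constructed sample policy fragment (not taken from a real deployment).
SAMPLE_POLICY = """\
variables:
  local:
    is_owner: R.attr.owner == P.id
    flagged: V["is_owner"] && C['max-items'] > 0
rules:
  - condition:
      match:
        expr: G["in"] || V.is_owner
"""

if __name__ == "__main__":
    for line_no, expr, fix in audit_policy(SAMPLE_POLICY):
        print(f"line {line_no}: {expr} -> {fix or 'rename required'}")
```

A finding with no suggested dot form means the constant, global or variable has to be renamed at its definition as well as at every use.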

Default scopes and scope consistency

This release introduces the ability to configure a default scope via the PDP’s configuration (engine.DefaultScope). When set, any CheckResources or PlanResources request that omits a scope will automatically inherit the configured default.

In addition, we’ve improved how scoped query plans are generated: the planner now considers rules from parent scopes, making its output consistent with the check API’s actual evaluation logic. If your policies use hierarchical scopes, you may see slight differences in the plans you get back as a result.

Together, these changes make scoped authorization more intuitive and aligned with runtime behavior.

Major performance and usability improvements

Performance optimizations

Under-the-hood improvements to the rule engine significantly reduce CPU and memory usage during evaluation. Across a wide range of workloads, this makes decisions faster and lowers the compute cost of running Cerbos PDP at scale.

InspectPolicies support

You can now use the InspectPolicies API, improving introspection and easing debugging in environments that rely on these stores.

Dot alias for empty scope

When you configure a default scope, you can now use the literal . in check and plan requests as an alias for an empty (root) scope. This makes certain caller workflows more ergonomic and explicit.

Bug fixes

This release also includes targeted fixes to the query planner:

  • Role policy restrictions now isolate correctly in the planner, addressing a regression affecting principals with multiple roles.
  • Conditions across scope boundaries are now properly unioned when evaluating ancestor and descendant rules, rather than short-circuiting early.

Be aware that the change to how conditions are merged across scopes can alter query plans if you rely on legacy planner behavior.

For full details, see the changelog.


What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.