Backport bug fixes to 2.4.x

CONTRIBUTING.md

@@ -4,23 +4,20 @@ Cedar is a community project that is built and maintained by people just like **
 
 ## First Things First
 
-1. **When in doubt, open an issue** - For almost any type of contribution, the first step is opening an issue. Even if you think you already know what the solution is, writing down a description of the problem you're trying to solve will help everyone get context when they review your pull request. If it's truly a trivial change (e.g. spelling error), you can skip this step — but as the subject says, when in doubt, [open an issue](https://github.com/cedar-policy/cedar/issues). DO NOT open an issue for security-related issues. See SECURITY.md.
+1. **When in doubt, open an issue** - For almost any type of contribution, the first step is opening an issue. Even if you think you already know what the solution is, writing down a description of the problem you're trying to solve will help everyone get context when they review your pull request. If it's truly a trivial change (e.g. spelling error), you can skip this step — but as the subject says, when in doubt, [open an issue](https://github.com/cedar-policy/cedar/issues). DO NOT open an issue for security-related issues. See [SECURITY](SECURITY.md).
 2. **Only submit your own work**  (or work you have sufficient rights to submit) - Please make sure that any code or documentation you submit is your work or you have the rights to submit. We respect the intellectual property rights of others.
 
 ## Ways to Contribute
 
-
-
 ### Bug Reports
 
 A bug is when software behaves in a way that you didn't expect and the developer didn't intend. To help us understand what's going on, we first want to make sure you're working from the latest version. Please make sure you're testing against the latest version.
 
 Once you've confirmed that the bug still exists in the latest version, you'll want to check to make sure it's not something we already know about on the [open issues GitHub page](https://github.com/cedar-policy/cedar/issues).
 
+If you've upgraded to the latest version and you can't find it in our open issues list, then you'll need to tell us how to reproduce it. To make the behavior as clear as possible, please provide your policies, entities, request, and CLI commands.
 
-If you've upgraded to the latest version and you can't find it in our open issues list, then you'll need to tell us how to reproduce it. To make the behavior as clear as possible, please provided your policies, entities, request, and CLI commands. 
-
-Provide as much information as you can. You may think that the problem lies with your query, when actually it depends on how your data is indexed. The easier it is for us to recreate your problem, the faster it is likely to be fixed. Please try to include as much information as you can. Details like these are incredibly useful:
+The easier it is for us to recreate your problem, the faster it is likely to be fixed. Please try to include as much information as you can. Details like these are incredibly useful:
 
 * A reproducible test case or series of steps
 * The version of our code being used
@@ -31,36 +28,23 @@ Provide as much information as you can. You may think that the problem lies with
 
 If you've thought of a way that Cedar could be better, we want to hear about it. We track feature requests using GitHub, so please feel free to open an issue which describes the feature you would like to see, why you need it, and how it should work.
 
-
 ### Documentation Changes
 
-If you would like to contribute to the documentation, please do so in the [documentation](https://github.com/cedar-policy/cedar-docs) repo. 
-
+If you would like to contribute to the documentation hosted on docs.cedarpolicy.com, please do so in the [documentation](https://github.com/cedar-policy/cedar-docs) repo.
 
 ### Contributing Code
 
 As with other types of contributions, the first step is to [**open an issue on GitHub**](https://github.com/cedar-policy/cedar/issues). Opening an issue before you make changes makes sure that someone else isn't already working on that particular problem. It also lets us all work together to find the right approach before you spend a bunch of time on a PR. So again, when in doubt, open an issue.
 
-Additionally, here are a few guidelines to help you decide whether a particular feature should be included in Cedar.
-
-**Is your feature important to most users of Cedar?**
-
-If you believe that a feature is going to fulfill a need for most users of Cedar, then it belongs in Cedar. However, we don't want every feature built into the core server. If the feature requires additional permissions or brings in extra dependencies it should instead be included as a module in core.
-
-**Is your feature a common dependency across multiple plugins?**
-
-Does this feature contain functionality that cuts across multiple plugins? If so, this most likely belongs in Cedar as a core module or plugin.
-
+If you would like to propose a change to the Cedar language, or suggest a substantial new feature, please [follow the RFC process](https://github.com/cedar-policy/rfcs).
 
 ## Changelog
 
-Cedar maintains version specific changelog by enforcing a change to the ongoing [CHANGELOG](CHANGELOG.md) file adhering to the [Keep A Changelog](https://keepachangelog.com/en/1.0.0/) format. The purpose of the changelog is for the contributors and maintainers to incrementally build the release notes throughout the development process to avoid a painful and error-prone process of attempting to compile the release notes at release time. On each release the "unreleased" entries of the changelog are moved to the appropriate release notes document in the `./release-notes` folder. Also, incrementally building the changelog provides a concise, human-readable list of significant features that have been added to the unreleased version under development.
-
+Cedar maintains changelogs for the public-facing crates [cedar-policy](./cedar-policy/CHANGELOG.md) and [cedar-policy-cli](./cedar-policy-cli/CHANGELOG.md), which adhere to the [Keep A Changelog](https://keepachangelog.com/en/1.0.0/) format. The purpose of the changelog is for the contributors and maintainers to incrementally build release notes throughout the development process to avoid the painful and error-prone process of attempting to compile the release notes at release time. On each release the "unreleased" entries of the changelog are moved under the appropriate header. Also, incrementally building the changelog provides a concise, human-readable list of significant features that have been added to the unreleased version under development.
 
-### Which changes require a CHANGELOG entry?
-
-Changelogs are intended for operators/administrators, developers integrating with libraries and APIs, and end-users interacting with Cedar Dashboards and/or the REST API (collectively referred to as "user"). In short, any change that a user of Cedar might want to be aware of should be included in the changelog. The changelog is *not* intended to replace the git commit log that developers of Cedar itself rely upon. The following are some examples of changes that should be in the changelog:
+### Which changes require a changelog entry?
 
+Changelogs are intended for developers integrating with libraries and APIs, and end-users interacting with Cedar policies (collectively referred to as "user"). In short, any change that a user of Cedar might want to be aware of should be included in the changelog. The changelog is *not* intended to replace the git commit log that developers of Cedar itself rely upon. The following are some examples of changes that should be in the changelog:
 
 * A newly added feature
 * A fix for a user-facing bug
@@ -69,40 +53,22 @@ Changelogs are intended for operators/administrators, developers integrating wit
 
 The following are some examples where a changelog entry is not necessary:
 
-
 * Adding, modifying, or fixing tests
 * An incremental PR for a larger feature (such features should include *one* changelog entry for the feature)
 * Documentation changes or code refactoring
 * Build-related changes
 
-Any PR that does not include a changelog entry will result in a failure of the validation workflow in GitHub. If the contributor and maintainers agree that no changelog entry is required, then the `skip-changelog` label can be applied to the PR which will result in the workflow passing.
-
-
-### How to add my changes to [CHANGELOG](CHANGELOG.md)?
-
-Adding in the change is two step process:
-
-1. Add your changes to the corresponding section within the CHANGELOG file with dummy pull request information, publish the PR
-2. Update the entry for your change in [`CHANGELOG.md`](CHANGELOG.md) and make sure that you reference the pull request there.
-
-### Where should I put my CHANGELOG entry?
-
-The changelog on the `main` branch will contain sections for the *next major* and *next minor* releases. Your entry should go into the section it is intended to be released in. In practice, most changes to `main` will be backported to the next minor release so most entries will likely be in that section.
-
-The following examples assume the *next major* release on main is 3.0, then *next minor* release is 2.5, and the *current* release is 2.4.
-
+### Where should I put my changelog entry?
 
-* **Add a new feature to release in next minor:** Add a changelog entry to `[Unreleased 2.x]` on main, then backport to 2.x (including the changelog entry).
-* **Introduce a breaking API change to release in next major:** Add a changelog entry to `[Unreleased 3.0]` on main, do not backport.
-* **Upgrade a dependency to fix a CVE:** Add a changelog entry to `[Unreleased 2.x]` on main, then backport to 2.x (including the changelog entry), then backport to 2.4 and ensure the changelog entry is added to `[Unreleased 2.4.2]`.
+For a PR to the `main` branch, add your entry under the "Unreleased" section. For a PR to one of the `release/X.Y.Z` branches, add your entry under the appropriate version header. Once a version is released on crates.io, make sure to update the changelog on `main` to include the new release.
 
 ## Review Process
 
-We deeply appreciate everyone who takes the time to make a contribution. We will review all contributions as quickly as possible. As a reminder, [opening an issue]() discussing your change before you make it is the best way to smooth the PR process. This will prevent a rejection because someone else is already working on the problem, or because the solution is incompatible with the architectural direction.
+We deeply appreciate everyone who takes the time to make a contribution. We will review all contributions as quickly as possible. As a reminder, [opening an issue](https://github.com/cedar-policy/cedar/issues) discussing your change before you make it is the best way to smooth the PR process. This will prevent a rejection because someone else is already working on the problem, or because the solution is incompatible with the architectural direction.
 
 During the PR process, expect that there will be some back-and-forth. Please try to respond to comments in a timely fashion, and if you don't wish to continue with the PR, let us know. If a PR takes too many iterations for its complexity or size, we may reject it. Additionally, if you stop responding we may close the PR as abandoned. In either case, if you feel this was done in error, please add a comment on the PR.
 
-If we accept the PR, a [maintainer](MAINTAINERS.md) will merge your change and usually take care of backporting it to appropriate branches ourselves.
+If we accept the PR, a maintainer will merge your change and usually take care of backporting it to appropriate branches ourselves.
 
 If we reject the PR, we will close the pull request with a comment explaining why. This decision isn't always final: if you feel we have misunderstood your intended change or otherwise think that we should reconsider then please continue the conversation with a comment on the PR and we'll do our best to address any further points you raise.
 
@@ -123,17 +89,17 @@ To send us a pull request, please:
 
 GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and [creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
 
-## Finding contributions to work on
+## Finding Ways to Contribute
 
-Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.
+Looking at the existing issues is a great way to find something to contribute on. Looking at any issues labeled as 'help-wanted' or 'good-first-issue' is a great place to start.
 
 ## Code of Conduct
 
 This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact [[email protected]](mailto:[email protected]) with any additional questions or comments.
 
-## Security issue notifications
+## Security Issues
 
-If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
+If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. See [SECURITY](SECURITY.md).
 
 ## Licensing
 

README.md

@@ -11,22 +11,31 @@ This repository contains source code of the Rust crates that implement the [Ceda
 Cedar is a language for writing and enforcing authorization policies in your applications. Using Cedar, you can write policies that specify your applications' fine-grained permissions. Your applications then authorize access requests by calling Cedar's authorization engine. Because Cedar policies are separate from application code, they can be independently authored, updated, analyzed, and audited. You can use Cedar's validator to check that Cedar policies are consistent with a declared schema which defines your application's authorization model.
 
 Cedar is:
+
 ### Expressive
+
 Cedar is a simple yet expressive language that is purpose-built to support authorization use cases for common authorization models such as RBAC and ABAC.
+
 ### Performant
+
 Cedar is fast and scalable. The policy structure is designed to be indexed for quick retrieval and to support fast and scalable real-time evaluation, with bounded latency.
+
 ### Analyzable
+
 Cedar is designed for analysis using Automated Reasoning. This enables analyzer tools capable of optimizing your policies and proving that your security model is what you believe it is.
 
 ## Using Cedar
-Cedar can be used in your application by depending on the `cedar-policy` crate.
 
-Just add `cedar-policy` as a dependency in your `Cargo.toml`:
+Cedar can be used in your application by depending on the [`cedar-policy` crate](https://crates.io/crates/cedar-policy).
+
+Just add `cedar-policy` as a dependency in your `Cargo.toml`. For example:
+
 ```toml
 [dependencies]
-cedar-policy = "2.0"
+cedar-policy = "2.4"
 ```
-## Crates in this workspace
+
+## Crates in This Workspace
 
 * [cedar-policy](./cedar-policy) : Main crate for using Cedar to authorize access requests in your applications, and validate Cedar policies against a schema
 * [cedar-policy-cli](./cedar-policy-cli) : Crate containing a simple command-line interface (CLI) for interacting with Cedar
@@ -37,19 +46,22 @@ cedar-policy = "2.0"
 
 ## Quick Start
 
-Let's put the policy in policy.cedar and the entities in entities.json:
+Let's put the policy in `policy.cedar` and the entities in `entities.json`.
 
-policy.cedar
-```
+`policy.cedar`:
+
+```cedar
 permit (
   principal == User::"alice",
   action == Action::"view",
   resource in Album::"jane_vacation"
 );
 ```
+
 This policy specifies that `alice` is allowed to view the photos in the `"jane_vacation"` album.
 
-entities.json
+`entities.json`:
+
 ```json
 [
     {
@@ -65,10 +77,12 @@ entities.json
 ]
 
 ```
+
 Cedar represents principals, resources, and actions as entities. An entity has a type (e.g., `User`) and an id (e.g., `alice`). They can also have attributes (e.g., `User::"alice"`'s `age` attribute is the integer `18`).
 
-Now, let's test our policy with the CLI
-```rust
+Now, let's test our policy with the CLI:
+
+```sh
  cargo run authorize \
     --policies policy.cedar \
     --entities entities.json \
@@ -78,18 +92,20 @@ Now, let's test our policy with the CLI
 ```
 
 CLI output:
+
 ```
 ALLOW
 ```
-It is allowed because `VacationPhoto94.jpg` belongs to `Album::"jane_vacation"`, and `alice` can view photos in `Album::"jane_vacation"`.
 
-If you'd like to see more details on what can be expressed as Cedar policies, see the [documentation](https://docs.cedarpolicy.com/what-is-cedar.html).
+This request is allowed because `VacationPhoto94.jpg` belongs to `Album::"jane_vacation"`, and `alice` can view photos in `Album::"jane_vacation"`.
+
+If you'd like to see more details on what can be expressed as Cedar policies, see the [documentation](https://docs.cedarpolicy.com).
 
 Examples of how to use Cedar in an application are contained in the repository [cedar-examples](https://github.com/cedar-policy/cedar-examples). [TinyTodo](https://github.com/cedar-policy/cedar-examples/tree/main/tinytodo) is a simple task list management app whose users' requests, sent as HTTP messages, are authorized by Cedar. It shows how you can integrate Cedar into your own Rust program.
 
 ## Documentation
 
-General documentation for Cedar is available at [docs.cedarpolicy.com](https://docs.cedarpolicy.com), with docs source code in the [cedar-policy/cedar-docs](https://github.com/cedar-policy/cedar-docs/) repository.
+General documentation for Cedar is available at [docs.cedarpolicy.com](https://docs.cedarpolicy.com), with source code in the [cedar-policy/cedar-docs](https://github.com/cedar-policy/cedar-docs/) repository.
 
 Generated documentation for the latest version of the Rust crates can be accessed
 [on docs.rs](https://docs.rs/cedar-policy).
@@ -98,28 +114,28 @@ Generated documentation for the latest version of the Rust crates can be accesse
 
 To build, simply run `cargo build` (or `cargo build --release`).
 
-## What's new / Changelog
+## What's New
 
 We maintain changelogs for our public-facing crates: [cedar-policy](./cedar-policy/CHANGELOG.md) and [cedar-policy-cli](./cedar-policy-cli/CHANGELOG.md).
 For a list of the current and past releases, see [crates.io](https://crates.io/crates/cedar-policy) or [Releases](https://github.com/cedar-policy/cedar/releases).
 
 ## Backward Compatibility Considerations
 
-Cedar is written in Rust and you will typically depend on Cedar via Cargo. Cargo makes sane choices for the majority of project, but your needs may differ. If you don't want automatic updates to Cedar replace
+Cedar is written in Rust and you will typically depend on Cedar via Cargo. Cargo makes sane choices for the majority of projects, but your needs may differ. If you don't want automatic updates to Cedar, then you can pin to a specific version in your `Cargo.toml`. For example:
 
-```
+```toml
 [dependencies]
-cedar-policy = "2.3.3"
+cedar-policy = "=2.4.2"
 ```
 
-with
+Note that this is different from:
 
-```
+```toml
 [dependencies]
-cedar-policy = "=2.3.3"
+cedar-policy = "2.4.2"
 ```
 
-in your `Cargo.toml` file.
+Which expresses that 2.4.2 is the minimum version of Cedar you accept, and you implicitly accept anything newer that is semver-compatible. See <https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html>.
 
 ## Security