Chore(deps): Update kube-cel requirement from 0.7.0 to 0.8.0 #2017

Merged: clux merged 1 commit into main from dependabot/cargo/kube-cel-0.8.0 on Jun 22, 2026

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Contributor

Updates the requirements on kube-cel to permit the latest version.

Release notes

Sourced from kube-cel's releases.

v0.8.0

Apiserver fidelity for schema defaults (#9). The apiserver applies defaults during admission before evaluating CEL; plain validate now does the same, so a CR that omits a defaulted field is validated as the apiserver sees it.

Breaking

  • Plain validation now applies schema defaults before evaluating rules. Validator::{validate, validate_with_context, validate_compiled, validate_compiled_with_context} and the free validate / validate_compiled all default first. The function signatures are unchanged, but runtime verdicts can change: a CR omitting a defaulted field may flip. This closes a divergence in both directions, the dangerous one being fail-open — e.g. a rule !has(self.x) with a defaulted x and an object omitting x previously ACCEPTed an input the apiserver REJECTs (verified live against kind via just parity). Under cargo 0.x caret rules this behavior change is breaking, hence 0.8.0.
    • Migration: usually none — the new behavior matches the apiserver, so most callers become more correct for free. There is no longer a no-defaulting fast path; if you were calling validate_with_defaults for fidelity, plain validate now suffices.

Fixed

  • apply_defaults now recurses into additionalProperties (map values), not just properties and array items. A default inside a nested map value was previously skipped, leaving validate_with_defaults itself fail-open on that shape (live-confirmed: apiserver REJECT, kube-cel ACCEPT). Defaults at the schema root under additionalProperties remain moot — the apiserver rejects that shape at registration ("must not be used at the root").
  • Apiserver-fidelity sweep (161 cases across all 13 extension libraries + the validation engine, measured live against kind) closed three divergences:
    • string.format() %e now emits Go-style scientific notation (1.50e+03: signed exponent, zero-padded to ≥2 digits) instead of Rust's 1.50e3. fail-open before (kube-cel accepted a .format() equality the apiserver rejects).
    • string.format() %s on a map now renders {"a":1} (no space after the colon), matching cel-go's fmt.Sprintf("%s:%s", …). fail-open before.
    • string.lastIndexOf(sub, i) now treats i as the inclusive last start index of a match (cel-go semantics) — a match may extend past i. Previously i was an exclusive end bound, so 'abcabc'.lastIndexOf('abc', 3) returned 0 instead of 3. fail-open before.
    • format: byte string fields now bind as CEL bytes (base64-decoded, as the apiserver does), so size()/indexing operate on the decoded bytes. Was fail-closed (kube-cel kept the encoded string and over-rejected).

Added

  • CompiledSchema carries a default field, so the compiled validation path (validate_compiled*) applies defaults identically to the schema path.
  • Parity coverage for defaults: defaults_parity_* cases in tests/apiserver_parity.rs assert plain validate matches the apiserver across properties, array items, nested structs, additionalProperties map values, and required + default interaction.

Changed

  • just clippy now lints --all-targets (tests, examples, benches), not just the library.
Changelog

Sourced from kube-cel's changelog.

[0.8.0] - 2026-06-19

Commits
  • 4468cb8 fix: apiserver fidelity for format()/lastIndexOf/byte binding + sweep harness
  • f48f218 feat!: plain validate() applies schema defaults (apiserver fidelity), 0.8.0
  • cd72970 fix: additionalProperties map keys are not field-name escaped, 0.7.1
  • See full diff in compare view

Updates the requirements on [kube-cel](https://github.com/kube-rs/kube-cel) to permit the latest version.
- [Release notes](https://github.com/kube-rs/kube-cel/releases)
- [Changelog](https://github.com/kube-rs/kube-cel/blob/main/CHANGELOG.md)
- [Commits](kube-rs/kube-cel@v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: kube-cel
  dependency-version: 0.8.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
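
Two of the string-function divergences listed in the release notes above, reproduced as an added stand-alone Rust example (not kube-cel's implementation). All function names are hypothetical, and input is assumed to be ASCII because the sketch indexes bytes where CEL indexes code points.

```rust
// Added illustration; std-only, not kube-cel's code. Assumes ASCII input.

/// Go-style `%e`: explicit exponent sign, exponent zero-padded to >= 2 digits.
fn go_style_exp(value: f64, precision: usize) -> String {
    let rust = format!("{:.*e}", precision, value); // Rust style, e.g. "1.50e3"
    match rust.split_once('e') {
        Some((mantissa, exp)) => {
            let exp: i32 = exp.parse().expect("exponent is a decimal integer");
            let sign = if exp < 0 { '-' } else { '+' };
            format!("{}e{}{:02}", mantissa, sign, exp.abs())
        }
        None => rust, // "inf" and "NaN" carry no exponent
    }
}

/// Highest position <= `last_start` at which `sub` begins in `s`.
fn rfind_from(s: &[u8], sub: &[u8], last_start: usize) -> Option<usize> {
    (0..=last_start).rev().find(|&p| s[p..].starts_with(sub))
}

/// cel-go reading: `i` is the inclusive last START index; the match may extend past `i`.
fn last_index_of_inclusive(s: &str, sub: &str, i: usize) -> Option<usize> {
    let max_start = s.len().checked_sub(sub.len())?;
    rfind_from(s.as_bytes(), sub.as_bytes(), i.min(max_start))
}

/// Reading the notes describe as the old behaviour: `i` is an exclusive END bound.
fn last_index_of_exclusive_end(s: &str, sub: &str, i: usize) -> Option<usize> {
    let max_start = i.min(s.len()).checked_sub(sub.len())?;
    rfind_from(s.as_bytes(), sub.as_bytes(), max_start)
}

fn main() {
    println!("%.2e of 1500: {}", go_style_exp(1500.0, 2));
    println!("inclusive start: {:?}", last_index_of_inclusive("abcabc", "abc", 3));
    println!("exclusive end:   {:?}", last_index_of_exclusive_end("abcabc", "abc", 3));
}
```

A validation rule comparing against either result gives a different verdict under the two readings, which is why such gaps matter for any client-side pre-check that is expected to agree with the apiserver.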
@dependabot dependabot Bot added the dependencies upgrades to dependencies label Jun 22, 2026
@clux clux added this to the 5.0.0 milestone Jun 22, 2026
@clux clux added the changelog-change changelog change category for prs label Jun 22, 2026
@clux clux removed this from the 5.0.0 milestone Jun 22, 2026
@clux clux removed the changelog-change changelog change category for prs label Jun 22, 2026
clux commented Jun 22, 2026

Member

Given this is a fix for a new feature that's 1w old, maybe it's better to release this as a fix rather than wait for 5.0 on our end?

doxxx93 commented Jun 22, 2026

Member

yeah.. Agreed, ship it in the 4.x line as a fix rather than holding for 5.0?

The signatures are unchanged, so this isn't an API break on our re-exported surface. It's purely a runtime behavior change, and in the fail-open direction (we were accepting inputs the apiserver rejects), which is exactly what we don't want sitting unfixed for a whole major cycle. I bumped it locally and the existing cel/schema + derive tests all pass, so nothing flips on our side.
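
The fail-open flip discussed in this thread, modelled as an added std-only Rust sketch (not kube-cel's or kube's code or API): a rule `!has(self.tier)` sits on each value of a map whose value schema defaults `tier`. The `Value` and `Schema` types, the `accepts` helper and the `pools`/`tier` names are constructed for illustration, and array items are left out to keep it short.

```rust
// Added illustration: std-only toy model, not kube-cel's code or API.
use std::collections::BTreeMap;

#[derive(Clone, Debug)]
enum Value { Str(String), Obj(BTreeMap<String, Value>) }

#[derive(Default)]
struct Schema {
    default: Option<Value>,
    properties: BTreeMap<String, Schema>,
    additional_properties: Option<Box<Schema>>, // schema applied to map values
}

/// Fill omitted defaulted fields, recursing into properties and into map values.
fn apply_defaults(schema: &Schema, value: &mut Value) {
    let Value::Obj(map) = value else { return }; // scalars have nothing to fill in
    for (name, sub) in &schema.properties {
        if let Some(d) = &sub.default { map.entry(name.clone()).or_insert_with(|| d.clone()); }
        if let Some(child) = map.get_mut(name) { apply_defaults(sub, child); }
    }
    if let Some(ap) = &schema.additional_properties {
        for (key, child) in map.iter_mut() {
            if !schema.properties.contains_key(key) { apply_defaults(ap, child); }
        }
    }
}

/// Verdict on the constructed CR `{pools: {a: {}}}`, with the rule `!has(self.tier)`
/// evaluated on every map value, with or without defaulting first.
fn accepts(default_first: bool) -> bool {
    let tier = Schema { default: Some(Value::Str("standard".into())), ..Schema::default() };
    let pool = Schema { properties: BTreeMap::from([("tier".to_string(), tier)]), ..Schema::default() };
    let pools = Schema { additional_properties: Some(Box::new(pool)), ..Schema::default() };
    let root = Schema { properties: BTreeMap::from([("pools".to_string(), pools)]), ..Schema::default() };
    let obj = |kv: Vec<(&str, Value)>| Value::Obj(kv.into_iter().map(|(k, v)| (k.to_string(), v)).collect());
    let mut cr = obj(vec![("pools", obj(vec![("a", obj(vec![]))]))]);
    if default_first { apply_defaults(&root, &mut cr); }
    let Value::Obj(top) = &cr else { return false };
    let Some(Value::Obj(pools)) = top.get("pools") else { return false };
    pools.values().all(|p| !matches!(p, Value::Obj(m) if m.contains_key("tier")))
}

fn main() {
    println!("rules only:     accept = {}", accepts(false));
    println!("defaults first: accept = {}", accepts(true));
}
```

Skipping the `additional_properties` branch reproduces the nested-map gap the release notes describe: the default is never materialised, so the rule passes on an object the defaulting path rejects.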

@clux clux added the changelog-fix changelog fix category for prs label Jun 22, 2026
@clux clux added this to the 4.1.0 milestone Jun 22, 2026
@clux clux merged commit a795e7e into main Jun 22, 2026
18 checks passed
@clux clux deleted the dependabot/cargo/kube-cel-0.8.0 branch June 22, 2026 07:22