hashicorp · LeahMarieBush · Sep 17, 2025 · Sep 16, 2025 · Sep 16, 2025 · Sep 16, 2025
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
 # Add a Terraform label to changes under the related folders:
 #
 # Folder                      | Labels
@@ -92,4 +95,17 @@ WAF:
   - changed-files:
     - any-glob-to-any-file: [
         'content/well-architected-framework/**'
+      ]
+
+# Add 'Sentinel' label to changes under 'content/sentinel'
+#
+# Label           | Rule
+# --------------- | ------------------------------------------------------------
+# Sentinel        | Default; applies to all doc updates
+
+Sentinel:
+- any:
+  - changed-files:
+    - any-glob-to-any-file: [
+        'content/sentinel/**'
       ]
@@ -0,0 +1,314 @@
+---
+page_title: Sentinel Runtime Release Notes
+sidebar_title: Release Notes
+sidebar_current: docs-changelog
+description: >-
+  This are the public release notes for the Sentinel runtime. See this document
+  for the latest updates.
+layout: docs
+---
+
+# Sentinel Runtime Release Notes
+
+These are the release notes for the Sentinel runtime.
+
+Each version of the runtime is released with a corresponding version of
+[Sentinel CLI](/sentinel/commands). To download the CLI, see the [downloads
+page](/sentinel/downloads).
+
+Sentinel integrations and embedded runtimes may not always have the latest
+version installed, depending on the product's individual release cycle. For more
+information, contact the support team for your specific integration.
+
+<!-- BEGIN GENERATED CONTENT -->
+
+## 0.12.1 (Unreleased)
+
+## 0.12.0 (October 7, 2019)
+
+LANGUAGE CHANGES:
+
+- **New `case` statement**. This statement is a selection control mechanism to
+  conditionally execute a branch based on expression equality, allowing
+  simplification of complex conditional chains that may otherwise need to be
+  written with `else if`. See the [Case
+  Statements](https://docs.hashicorp.com/sentinel/language/spec#case-statements)
+  section of the Sentinel language specification for more details.
+
+IMPROVEMENTS:
+
+- `lang/semantic`: Added a semantic check to ensure usage of append is not using
+  a return value.
+
+BUG FIXES:
+
+- `runtime/eval`: Corrected an issue where calling a method on an import object
+  value that was the result of a method call on another import object value
+  would have erroneously tried to call an import of the name of the "parent"
+  import object value. Example: in `a = subject.new(); b = a.call(); c = b.call()`, `b.call()` would attempt to call a method named `call` on the root
+  namespace for an import named `a`. This has now been corrected so that
+  `b.call()` will now correctly call the `call` method for the respective object
+  namespace residing in the import named `subject`.
+- `imports`: Some standard imports may have been returning null for some unknown
+  keys in objects when they should have been returning undefined. This was due
+  to an SDK issue which was corrected in SDK version 0.3.2, which has now been
+  corrected.
+- `cmd/test`: `sentinel test` will now correctly fail a policy if it encounters
+  an error.
+- `cmd/test`: `sentinel test` will now correctly display errors and other output
+  that were missing due to a formatting issue.
+- `runtime/eval`: The `append` builtin now correctly returns undefined for all
+  calls, as called for by the Specification. Note that in most cases, the
+  semantic check outlined above will trigger an error if the return value is
+  used.
+
+## 0.11.0 (September 5, 2019)
+
+LANGUAGE CHANGES:
+
+- **New builtin function:** `range()`. This function existed in the spec in
+  earlier versions but was removed as it lacked an implementation. This has now
+  been implemented and re-added to the spec. See the
+  [Range](https://docs.hashicorp.com/sentinel/language/spec#range) section of
+  the Sentinel Specification for more details.
+- Lists are now comparable. Lists are equal if their corresponding elements are
+  comparable and equal.
+- Method calls on values returned by imports are now supported. See the
+  [Imports](https://docs.hashicorp.com/sentinel/language/spec#imports) section
+  of the Sentinel Specification for more details.
+
+FEATURES:
+
+- `imports/decimal`: This is a new import designed to do exact precision
+  mathematical calculations.
+- `runtime/eval`: Compound call expressions that refer to imports (example:
+  foo.bar().baz() when `foo` is a loaded import) will now function as expected.
+  Previously, this was only supported up to the first call (example:
+  `foo.bar()`).
+- `imports/time`: Timespaces returned by calls such as `time.now` are now
+  callable. Example: `t = time.now; t.after(some_previous_time)` will now
+  function.
+
+IMPROVEMENTS:
+
+- `runtime/eval`: The implementation of comparison of non-comparable types has
+  now changed. Rather than triggering a runtime error, non-comparable types will
+  now return false when attempting to compare.
+
+## 0.10.4 (August 15, 2019)
+
+BUG FIXES:
+
+- `runtime/encoding`: Fixed an issue with conversion of null values that could
+  lead to crashes in imports.
+
+## 0.10.3 (July 15, 2019)
+
+BUG FIXES:
+
+- `command/config`: Parsing a configuration file where malformed data is
+  encountered after apparently properly-formed data will now report an error. An
+  example would be a situation where misplaced braces would cause a JSON object
+  to only parse part of the configuration file.
+
+## 0.10.2 (June 25, 2019)
+
+BUG FIXES:
+
+- `lang/parser`: Corrected an issue where parsing certain compound binary
+  expressions where the negation predicate (`not`) was in use would cause the
+  negation to have no effect. Example: `foo else "bar" not in "baz"` would have
+  been parsed and evaluated as `foo else "bar" in "baz"`, effectively producing
+  the opposite result.
+
+## 0.10.1 (May 9, 2019)
+
+BUG FIXES:
+
+- `command/test`: `sentinel test` now displays policies without
+  tests as an unknown result with [no test files], instead of the somewhat
+  erroneous behavior of displaying it as a PASS. A full test run with a mixture
+  of passing tests and no tests still results in an overall successful result.
+
+## 0.10.0 (April 18, 2019)
+
+LANGUAGE CHANGES:
+
+- Mixed-number arithmetic operations are now allowed. Addition (`+`),
+  subtraction (`-`), multiplication (`*`), division (`/`), and remainder
+  operations (`%`) are no longer restricted to number values of the same
+  type, and can mix integer and floating point. The result of these operations
+  is always a floating-point number.
+- Remainder (modulo, `%`) operations are now allowed on floating-point numbers.
+
+BUG FIXES:
+
+- `lang/parser`: Fixed a bug that affected the use of `not` with `contains`,
+  `matches`, or `in` in a compound expression.
+- `runtime/eval`: Fixed error messages on evaluation errors with `contains` and
+  `in` to indicate that strings are an allowed type along with lists and maps.
+
+## 0.9.2 (March 15, 2019)
+
+This is a dependency update related to the changes mentioned in 0.9.1. No other
+changes have been made.
+
+## 0.9.1 (March 14, 2019)
+
+This is a patch release that is required to integrate with the latest versions
+of the [Sentinel SDK](https://github.com/hashicorp/sentinel-sdk). No other
+changes have been made.
+
+## 0.9.0 (January 28, 2019)
+
+FEATURES:
+
+- `imports/strings`: Added a `join` function to the `strings` import. This can
+  be used to join a list into a string with a specific separator.
+  Multi-dimensional lists and all Sentinel primitives are supported.
+
+## 0.8.1 (January 17, 2019)
+
+BUG FIXES:
+
+- `lang/eval`: Fixed a bug that prevents the effective use of `return`
+  statements in `for` loops.
+
+## 0.8.0 (January 14, 2019)
+
+FEATURES:
+
+- Mocks can now be represented by Sentinel code. This allows for the mocking of
+  functions and other complex data structures that cannot be represented in
+  JSON. For more information on using this feature via mocks, click
+  [here](https://docs.hashicorp.com/sentinel/commands/config#mocking-with-sentinel-code).
+
+IMPROVEMENTS:
+
+- Import validation has now been moved to the semantic checking phase. This
+  should result in better reporting of validation errors. In addition, import
+  validation will now enforce the use of an `as` identifier when an import path
+  is not a valid identifier on its own (example: `import "foo/bar"`).
+
+## 0.7.0 (December 12, 2018)
+
+BUG FIXES:
+
+- There have been changes to the runtime in how scope is handled over multiple
+  policy executions. Scope is now correctly unique per single policy execution,
+  and values set or builtins that are overridden in one policy will no longer
+  affect those values within another.
+
+## 0.6.0 (November 30, 2018)
+
+FEATURES:
+
+- `imports/runtime`: This new import allows for one to check various aspects of
+  the Sentinel runtime as it may be embedded in the simulator or a specific
+  implementation. For now, it allows the version to be checked.
+
+## 0.5.1 (November 28, 2018)
+
+IMPROVEMENTS:
+
+- `imports/time`: Added the `zone` and `zone_string` attributes to assist with
+  validation of a timespace's zone.
+- `command/fmt`: Added a new -check flag. This option does not commit changes,
+  but instead checks to see what files need formatting and outputs them on
+  stdout.
+
+BUG FIXES:
+
+- `command/test`: Ensure that passing test results are correctly output one per
+  line. Tests are also now run in a deterministic fashion based on
+  lexicographical (alphabetical) order.
+- `imports/time`: `month_name` and `weekday_name` will now show up correctly in
+  a returned timespace result.
+
+## 0.5.0 (November 5, 2018)
+
+IMPROVEMENTS:
+
+- `spec`: Selectors can now contain any reserved word (example: `rule`) or
+  keyword operator (example: `any`, `all`, `is`, `not`). This only works for the
+  _selector_ part of the expression (after the first period) - the first primary
+  expression (before the first period) still needs to be an identifier that does
+  not conflict with reserved words.
+
+BUG FIXES:
+
+- The simulator should now display import function call names correctly in
+  import errors.
+
+## 0.4.0 (October 1, 2018)
+
+FEATURES:
+
+- `builtin`: Added the `bool` built-in type conversion function. Booleans will
+  also now accepted as conversion into other values as well, with the full list
+  of behaviors available in the spec.
+
+## 0.3.2 (September 27, 2018)
+
+FEATURES:
+
+- `command/apply`: `sentinel apply` now prints out messages output by the
+  `print()` function when a trace is output on policy failure, or when a trace
+  is forced with `-trace`.
+- `imports/time`: Added the `month_name` and `weekday_name` keys to the
+  timespace, which return full-English names for the month and day of the week.
+
+BUG FIXES:
+
+- `command/fmt`: `sentinel fmt -` Will no longer print out the filter status
+  message on the output stream when `-write=false` Is not explicitly stated.
+  This brings the behavior of the command in line with the help text.
+- `runtime`: Index operations on the right-hand-side that have negative indexes
+  that go out of range (example: `length(list) * -1 - 1`) now correctly return
+  `undefined`. left-hand-side index assignments with a out-of-range negative
+  index still return runtime errors.
+
+## 0.3.1 (August 3, 2018)
+
+BUG FIXES:
+
+- `runtime`: Basic index assignment has been implemented as per the spec.
+- `runtime`: Index expressions for lists with negative indexes will no longer panic if the
+  list index is less than `length(list) * -1`.
+
+## 0.3.0 (July 20, 2018)
+
+FEATURES:
+
+- **New standard import: `types`.** This can be used to dynamicaly detect the
+  type of some value.
+
+## 0.2.0 (April 11, 2018)
+
+FEATURES:
+
+- **New standard import: `json`.** Marshal and unmarshal JSON documents and
+  access their contents as native Sentinel values.
+- **`break` and `continue`.** These are now both specified and implemented.
+  `break` allows loop exiting and `continue` allows immediate execution of the
+  next iteration.
+
+IMPROVEMENTS:
+
+- runtime: `print()` map values are now ordered alphabetically by keys.
+
+BUG FIXES:
+
+- command/test: If no `test` block exists, test behaves like it is asserting
+  `main: true`.
+- runtime: default maximum stack depth to 500
+- runtime: `print()` map values now appear like more typical maps.
+- runtime: division by zero is an error, not a crash
+- runtime: plugins that send map values with `null` values now decode properly
+  into native Sentinel values.
+
+## 0.1.0 (September 19, 2017)
+
+Initial release.
+
+<!-- END GENERATED CONTENT -->
@@ -0,0 +1,47 @@
+---
+page_title: 'Command: apply'
+sidebar_title: '<code>apply</code>'
+sidebar_current: docs-commands-apply
+description: >-
+  The `sentinel apply` command is used to execute a policy locally for
+  development purposes.
+layout: docs
+---
+
+# Command: `apply`
+
+The `sentinel apply` command is used to execute a policy locally for development
+purposes.
+
+## Usage
+
+Usage: `sentinel apply [options] POLICY`
+
+This command executes the policy file at the path specified by POLICY.
+
+Use the exit code of this command to determine the exact status of the policy
+evaluation. `0` is pass, `1` is fail, `2` is undefined (fail, but because the
+result was undefined), and `3` is a runtime error. Errors unrelated to the
+policy status itself are returned with an exit status of `9`.
+
+To control the behavior of the `apply` command, create a [configuration
+file](/sentinel/commands/config). With this, you can define available
+[import plugins](/sentinel/concepts/imports), mock data, and global values.
+This can help you simulate a policy embedded within an application.
+
+The command-line flags are all optional. The list of available flags are:
+
+- `-config=path` - Path to a configuration file specifying available imports,
+  mock data, globals, etc. The default is `sentinel.json`.
+
+- `-global key=value` - Set global values. This is the same as setting `global`
+  in the configuration file, and will override any of these respective values
+  set in the configuration. The value is either a string, or a JSON number,
+  array, or object. To force strings, use quotes.
+
+- `-param key=value` - Set parameters, the same as setting `param` in the
+  configuration file. Values are handled in the same way they are with the
+  `-global` flag.
+
+- `-trace` - Always show the execution trace. This shows intermediate
+  boolean expression values. This always shows for failed policies.