authormo khan <mo@mokhan.ca>2025-07-15 16:37:08 -0600
committermo khan <mo@mokhan.ca>2025-07-17 16:30:22 -0600
commit45df4d0d9b577fecee798d672695fe24ff57fb1b (patch)
tree1b99bf645035b58e0d6db08c7a83521f41f7a75b /Makefile
parentf94f79608393d4ab127db63cc41668445ef6b243 (diff)
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar-inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'Makefile')
-rw-r--r--Makefile61
1 files changed, 9 insertions, 52 deletions
diff --git a/Makefile b/Makefile
index 6f08a38d..a6795d1c 100644
--- a/Makefile
+++ b/Makefile
@@ -14,52 +14,32 @@ else
ZED_CMD = zed --endpoint "$(SPICEDB_ENDPOINT)" --token "$(SPICEDB_TOKEN)" --insecure
endif
-.PHONY: build check test run clean fmt lint doc vendor
+.PHONY: build test run clean tidy
.PHONY: build-image run-image
-.PHONY: health-check list-services
-.PHONY: staging-entities production-entities
setup:
mise install
mise exec go -- go install github.com/xlgmokha/minit@latest
- mise exec rust -- rustup component add clippy rustfmt rust-analyzer
- mise exec rust -- cargo install --locked cedar-policy-cli
-$(AUTHZD_BIN): $(shell find src -name "*.rs" 2>/dev/null) Cargo.toml
- @cargo build --bin authzd --offline
- @cp target/debug/authzd bin/authzd
+$(AUTHZD_BIN): $(shell find src -name "*.go" 2>/dev/null) go.sum
+ @go build -o $(AUTHZD_BIN) ./cmd/authzd/main.go
-# Cargo targets
build: $(AUTHZD_BIN)
-check:
- @cargo check
-
test:
- @cargo test
+ @go test ./...
run: build
@minit
clean:
@rm -f $(AUTHZD_BIN)
- @cargo clean
-
-fmt:
- @cargo fmt
- @for policy in etc/authzd/*.cedar; do cedar format --policies $$policy --write; done
-
-lint:
- @cargo clippy
- @for policy in etc/authzd/*.cedar; do cedar check-parse --policies $$policy; done
- @for policy in etc/authzd/*.cedar; do cedar format --policies $$policy --check; done
- @./bin/envoy --mode validate -c ./etc/envoy/envoy.yaml || echo "Envoy not available, skipping validation"
-doc:
- @cargo doc --open
-
-vendor:
- @cargo vendor
+tidy:
+ @go get -u ./...
+ @go mod tidy
+ @go mod vendor
+ @go tool yamlfmt -exclude vendor .
# Docker targets
build-image:
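Review bot: The new `$(AUTHZD_BIN)` rule's prerequisites (`$(shell find src -name "*.go" 2>/dev/null)` and `go.sum`) do not cover what the recipe compiles: it builds `./cmd/authzd/main.go`, so edits under `cmd/` or to `go.mod` never trigger a rebuild, and naming a single file instead of the package directory excludes any sibling `.go` files in `cmd/authzd`. Suggest `$(AUTHZD_BIN): $(shell find src cmd -name "*.go" 2>/dev/null) go.mod go.sum` with the recipe `@go build -o $(AUTHZD_BIN) ./cmd/authzd`. Separately, the new `tidy` target runs `go get -u ./...` before `go mod tidy`, so every invocation moves all module versions to their latest releases instead of reproducing the committed `go.sum`; keeping `tidy` to `go mod tidy` and `go mod vendor`, and moving the upgrade into its own explicitly invoked target, keeps the lockfile stable and makes dependency bumps reviewable as a separate change. The `ifeq`/`else`/`endif` block whose `else` branch opens the hunk begins outside it.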
@@ -68,29 +48,6 @@ build-image:
run-image: build-image
@docker run --rm -p 20000:20000 --init -it $(IMAGE_TAG)
-# HTTP and gRPC testing targets
-health-check:
- @grpcurl -plaintext localhost:20000 grpc.health.v1.Health/Check
-
-list-services:
- @grpcurl -plaintext localhost:20000 list
-
-# entities targets
-check-gitlab-token:
- @if [ -z "$$GITLAB_TOKEN" ]; then \
- echo "Error: GITLAB_TOKEN environment variable is required"; \
- echo "Set it with: export GITLAB_TOKEN=your_token"; \
- exit 1; \
- fi
-
-staging-entities: $(AUTHZD_BIN) check-gitlab-token
- @$(AUTHZD_BIN) generate --host https://staging.gitlab.com --project authorization/sparkle/team --output etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
-
-production-entities: $(AUTHZD_BIN) check-gitlab-token
- @$(AUTHZD_BIN) generate --project gitlab-org/gitlab --output etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json
- @$(AUTHZD_BIN) generate --project gitlab-org/software-supply-chain-security/authorization/authzd --output etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json
- @$(AUTHZD_BIN) generate --project gitlab-org/software-supply-chain-security/authorization/sparkled --output etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json
-
# spice targets
# Usage: make run-spicedb-setup SPICEDB_ENDPOINT=localhost:20000
# make run-spicedb-setup SPICEDB_ENDPOINT=authzd.staging.runway.gitlab.net:443