feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

1 files changed, 37 insertions, 0 deletions

diff --git a/pkg/authz/server.go b/pkg/authz/server.go
new file mode 100644
index 00000000..0c680a65
--- /dev/null
+++ b/pkg/authz/server.go
@@ -0,0 +1,37 @@
+package authz
+
+import (
+	"context"
+
+	authzed "github.com/authzed/authzed-go/v1"
+	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	xcontext "github.com/xlgmokha/x/pkg/context"
+	"github.com/xlgmokha/x/pkg/log"
+	"github.com/xlgmokha/x/pkg/x"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/reflection"
+)
+
+var Connection xcontext.Key[*authzed.Client] = xcontext.Key[*authzed.Client]("authzed_client")
+
+type Server struct {
+	*grpc.Server
+}
+
+func New(ctx context.Context, options ...grpc.ServerOption) *Server {
+	logger := log.From(ctx)
+
+	server := grpc.NewServer(x.Prepend(
+		options,
+		grpc.UnaryInterceptor(pls.LogGRPC(logger)),
+		grpc.StreamInterceptor(pls.LogGRPCStream(logger)),
+	)...)
+
+	auth.RegisterAuthorizationServer(server, NewCheckService(Connection.From(ctx)))
+	reflection.Register(server)
+
+	return &Server{
+		Server: server,
+	}
+}