feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

1 files changed, 0 insertions, 125 deletions

diff --git a/share/man/cedar/README.md b/share/man/cedar/README.md
deleted file mode 100644
index ec665d69..00000000
--- a/share/man/cedar/README.md
+++ /dev/null
@@ -1,125 +0,0 @@
-# Cedar Authorization Guide
-
-Cedar provides policy-based authorization using Amazon's Cedar policy
-language. This service handles request authorization through Envoy's
-`ext_authz` filter.
-
-## Architecture
-
-```
-+---------------------------------------------------------------------+
-|                     Client Request                                  |
-+---------------------------------------------------------------------+
-                          │
-                          V
-+---------------------------------------------------------------------+
-│                     Envoy Proxy (:20000)                            |
-│                                                                     |
-│  * JWT Filter extracts x-jwt-claim-sub header                       |
-│  * ext_authz sends CheckRequest to authzd                           |
-+---------------------------------------------------------------------+
-                          | ext_authz
-                          V
-              +---------------------+
-              |   authzd (:50052)   |
-              |                     |
-              | +-----------------+ |
-              | | Cedar Policies  | |
-              | | * Static Assets | |
-              | | * JWT Claims    | |
-              | | * Path Rules    | |
-              | +-----------------+ |
-              +---------------------+
-```
-
-## Authorization Flow
-
-```
-     Client                    Envoy                     authzd
-        |                       |                        |
-        | HTTP Request + JWT    |                        |
-        |---------------------->|                        |
-        |                       | Extract JWT claims     |
-        |                       | Add x-jwt-claim-sub    |
-        |                       |                        |
-        |                       | ext_authz CheckRequest |
-        |                       |----------------------->|
-        |                       |                        |
-        |                       |                        | Evaluate
-        |                       |                        | Cedar
-        |                       |                        | policies
-        |                       |      Allow/Deny        |
-        |                       |<-----------------------|
-        |                       |                        |
-        | Forward request       |                        |
-        | or 403 Forbidden      |                        |
-        |<----------------------|                        |
-```
-
-## Cedar Policies
-
-### Policy Structure
-
-Policies are stored in `etc/authzd/*.cedar` files using Cedar's policy language:
-
-```cedar
-permit (
-  principal == User::"1",
-  action == Action::"GET",
-  resource == Resource::"/sparkle/"
-)
-when
-{
-  context has host &&
-  context.host == "sparkle.staging.runway.gitlab.net" &&
-  principal has username
-};
-```
-
-## JWT Integration
-
-### JWT Header Extraction
-
-Envoy's JWT filter extracts claims and adds them as headers:
-
-- `x-jwt-claim-sub` - User ID (subject)
-
-## Policy Development
-
-### Adding New Policies
-
-1. Create or edit `.cedar` files in `etc/authzd/`
-2. Use Cedar policy syntax for rules
-3. Test with `make test`
-4. Validate with `make lint`
-
-### Policy Validation
-
-```bash
-# Check policy syntax
-cedar check-parse --policies etc/authzd/policy1.cedar
-
-# Format policies
-cedar format --policies etc/authzd/policy1.cedar --check
-```
-
-### Testing Policies
-
-```bash
-# Run Cedar authorization tests
-cargo test authorization::cedar_authorizer_test
-
-# Test specific scenarios
-cargo test test_sparkle_homepage
-```
-
-## Make Targets
-
-- `make test` - Run all tests including Cedar policy tests
-- `make lint` - Validate Cedar policy syntax and formatting
-
-## References
-
-- [Cedar Policy Language](https://docs.cedarpolicy.com/)
-- [Cedar Language Guide](https://docs.cedarpolicy.com/policies/syntax.html)
-- [Envoy JWT Authentication](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter)