feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

1 files changed, 0 insertions, 123 deletions

diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs
deleted file mode 100644
index 3db0ec9e..00000000
--- a/tests/authorization/check_service_test.rs
+++ /dev/null
@@ -1,123 +0,0 @@
-#[cfg(test)]
-mod tests {
-    use crate::support::factory_bot::*;
-    use authzd::CheckService;
-    use envoy_types::ext_authz::v3::pb::Authorization;
-    use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest;
-    use std::sync::Arc;
-
-    fn subject() -> CheckService {
-        CheckService::new(Arc::new(build_cedar_authorizer(
-            cedar_policy::Entities::empty(),
-        )))
-    }
-
-    #[tokio::test]
-    async fn test_no_headers() {
-        let request = tonic::Request::new(build_request(|_http| {}));
-
-        let response = subject().check(request).await;
-        assert!(response.is_ok());
-
-        let check_response = response.unwrap().into_inner();
-        assert!(check_response.status.is_some());
-
-        let status = check_response.status.unwrap();
-        assert_eq!(
-            tonic::Code::from_i32(status.code),
-            tonic::Code::Unauthenticated
-        );
-    }
-
-    #[tokio::test]
-    async fn test_static_assets() {
-        let routes = vec![
-            ("GET", "/app.js", tonic::Code::Ok),
-            ("GET", "/application.js", tonic::Code::Ok),
-            ("GET", "/favicon.ico", tonic::Code::Ok),
-            ("GET", "/favicon.png", tonic::Code::Ok),
-            ("GET", "/image.jpg", tonic::Code::Ok),
-            ("GET", "/assets/image.jpg", tonic::Code::Ok),
-            ("GET", "/assets/style.css", tonic::Code::Ok),
-            ("GET", "/assets/application.js", tonic::Code::Ok),
-            ("GET", "/htmx.js", tonic::Code::Ok),
-            ("GET", "/index.html", tonic::Code::Ok),
-            ("GET", "/logo.png", tonic::Code::Ok),
-            ("GET", "/pico.min.css", tonic::Code::Ok),
-            ("GET", "/vue.global.js", tonic::Code::Ok),
-        ];
-
-        for (method, path, expected_status_code) in &routes {
-            let request = tonic::Request::new(build_request(|item: &mut HttpRequest| {
-                item.method = method.to_string();
-                item.path = path.to_string();
-                item.host = "localhost:3000".to_string();
-                item.headers = build_headers(vec![
-                    (String::from(":path"), item.path.to_string()),
-                    (String::from(":method"), item.method.to_string()),
-                    (String::from(":authority"), item.host.to_string()),
-                ]);
-            }));
-
-            let response = subject().check(request).await;
-            assert!(response.is_ok());
-
-            let check_response = response.unwrap().into_inner();
-            assert!(check_response.status.is_some());
-
-            let status = check_response.status.unwrap();
-            assert_eq!(tonic::Code::from_i32(status.code), *expected_status_code);
-        }
-    }
-
-    #[tokio::test]
-    async fn test_public_sparkle_endpoints() {
-        let hosts = vec![
-            "localhost:10000",
-            "sparkle.runway.gitlab.net",
-            "sparkle.staging.runway.gitlab.net",
-        ];
-
-        let routes = vec![
-            ("GET", "/", tonic::Code::Ok),
-            ("GET", "/callback", tonic::Code::Ok),
-            ("GET", "/dashboard/nav", tonic::Code::Ok),
-            ("GET", "/health", tonic::Code::Ok),
-            ("GET", "/signout", tonic::Code::Ok),
-            ("GET", "/sparkles", tonic::Code::Ok),
-            ("POST", "/sparkles/restore", tonic::Code::Ok),
-            ("GET", "/dashboard", tonic::Code::Unauthenticated),
-            ("POST", "/sparkles", tonic::Code::Unauthenticated),
-        ];
-
-        for host in hosts {
-            for (method, path, expected_status_code) in &routes {
-                let request = tonic::Request::new(build_request(|item: &mut HttpRequest| {
-                    item.method = method.to_string();
-                    item.path = path.to_string();
-                    item.host = host.to_string();
-                    item.headers = build_headers(vec![
-                        (String::from(":path"), path.to_string()),
-                        (String::from(":method"), method.to_string()),
-                        (String::from(":authority"), host.to_string()),
-                    ]);
-                }));
-
-                let response = subject().check(request).await;
-                assert!(response.is_ok());
-
-                let check_response = response.unwrap().into_inner();
-                assert!(check_response.status.is_some());
-
-                let status = check_response.status.unwrap();
-                assert_eq!(
-                    tonic::Code::from_i32(status.code),
-                    *expected_status_code,
-                    "{} {}",
-                    method,
-                    path
-                );
-            }
-        }
-    }
-}