feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

1 files changed, 25 insertions, 0 deletions

diff --git a/vendor/github.com/google/yamlfmt/Dockerfile b/vendor/github.com/google/yamlfmt/Dockerfile
new file mode 100644
index 00000000..a5dbd810
--- /dev/null
+++ b/vendor/github.com/google/yamlfmt/Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:alpine AS build
+RUN apk add --no-cache git make
+WORKDIR /build
+COPY . .
+ENV CGO_ENABLED=0
+RUN make build
+
+FROM alpine:latest
+COPY --from=build /build/dist/yamlfmt /bin/yamlfmt
+WORKDIR /project
+ENTRYPOINT ["/bin/yamlfmt"]