feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

1 files changed, 89 insertions, 0 deletions

diff --git a/vendor/github.com/rs/zerolog/syslog.go b/vendor/github.com/rs/zerolog/syslog.go
new file mode 100644
index 00000000..a2b7285d
--- /dev/null
+++ b/vendor/github.com/rs/zerolog/syslog.go
@@ -0,0 +1,89 @@
+// +build !windows
+// +build !binary_log
+
+package zerolog
+
+import (
+	"io"
+)
+
+// See http://cee.mitre.org/language/1.0-beta1/clt.html#syslog
+// or https://www.rsyslog.com/json-elasticsearch/
+const ceePrefix = "@cee:"
+
+// SyslogWriter is an interface matching a syslog.Writer struct.
+type SyslogWriter interface {
+	io.Writer
+	Debug(m string) error
+	Info(m string) error
+	Warning(m string) error
+	Err(m string) error
+	Emerg(m string) error
+	Crit(m string) error
+}
+
+type syslogWriter struct {
+	w      SyslogWriter
+	prefix string
+}
+
+// SyslogLevelWriter wraps a SyslogWriter and call the right syslog level
+// method matching the zerolog level.
+func SyslogLevelWriter(w SyslogWriter) LevelWriter {
+	return syslogWriter{w, ""}
+}
+
+// SyslogCEEWriter wraps a SyslogWriter with a SyslogLevelWriter that adds a
+// MITRE CEE prefix for JSON syslog entries, compatible with rsyslog 
+// and syslog-ng JSON logging support. 
+// See https://www.rsyslog.com/json-elasticsearch/
+func SyslogCEEWriter(w SyslogWriter) LevelWriter {
+	return syslogWriter{w, ceePrefix}
+}
+
+func (sw syslogWriter) Write(p []byte) (n int, err error) {
+	var pn int
+	if sw.prefix != "" {
+		pn, err = sw.w.Write([]byte(sw.prefix))
+		if err != nil {
+			return pn, err
+		}
+	}
+	n, err = sw.w.Write(p)
+	return pn + n, err
+}
+
+// WriteLevel implements LevelWriter interface.
+func (sw syslogWriter) WriteLevel(level Level, p []byte) (n int, err error) {
+	switch level {
+	case TraceLevel:
+	case DebugLevel:
+		err = sw.w.Debug(sw.prefix + string(p))
+	case InfoLevel:
+		err = sw.w.Info(sw.prefix + string(p))
+	case WarnLevel:
+		err = sw.w.Warning(sw.prefix + string(p))
+	case ErrorLevel:
+		err = sw.w.Err(sw.prefix + string(p))
+	case FatalLevel:
+		err = sw.w.Emerg(sw.prefix + string(p))
+	case PanicLevel:
+		err = sw.w.Crit(sw.prefix + string(p))
+	case NoLevel:
+		err = sw.w.Info(sw.prefix + string(p))
+	default:
+		panic("invalid level")
+	}
+	// Any CEE prefix is not part of the message, so we don't include its length
+	n = len(p)
+	return
+}
+
+// Call the underlying writer's Close method if it is an io.Closer. Otherwise
+// does nothing.
+func (sw syslogWriter) Close() error {
+	if c, ok := sw.w.(io.Closer); ok {
+		return c.Close()
+	}
+	return nil
+}