feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

1 files changed, 0 insertions, 25 deletions

diff --git a/vendor/hyper-rustls/examples/openssl.cnf b/vendor/hyper-rustls/examples/openssl.cnf
deleted file mode 100644
index cda95b5a..00000000
--- a/vendor/hyper-rustls/examples/openssl.cnf
+++ /dev/null
@@ -1,25 +0,0 @@
-
-[ v3_end ]
-basicConstraints = critical,CA:false
-keyUsage = nonRepudiation, digitalSignature
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
-subjectAltName = @alt_names
-
-[ v3_client ]
-basicConstraints = critical,CA:false
-keyUsage = nonRepudiation, digitalSignature
-extendedKeyUsage = critical, clientAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
-
-[ v3_inter ]
-subjectKeyIdentifier = hash
-extendedKeyUsage = critical, serverAuth, clientAuth
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
-
-[ alt_names ]
-DNS.1 = testserver.com
-DNS.2 = second.testserver.com
-DNS.3 = localhost