feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

1 files changed, 0 insertions, 160 deletions

diff --git a/vendor/hyper/src/common/io/rewind.rs b/vendor/hyper/src/common/io/rewind.rs
deleted file mode 100644
index c2556f01..00000000
--- a/vendor/hyper/src/common/io/rewind.rs
+++ /dev/null
@@ -1,160 +0,0 @@
-use std::pin::Pin;
-use std::task::{Context, Poll};
-use std::{cmp, io};
-
-use bytes::{Buf, Bytes};
-
-use crate::rt::{Read, ReadBufCursor, Write};
-
-/// Combine a buffer with an IO, rewinding reads to use the buffer.
-#[derive(Debug)]
-pub(crate) struct Rewind<T> {
-    pre: Option<Bytes>,
-    inner: T,
-}
-
-impl<T> Rewind<T> {
-    #[cfg(test)]
-    pub(crate) fn new(io: T) -> Self {
-        Rewind {
-            pre: None,
-            inner: io,
-        }
-    }
-
-    pub(crate) fn new_buffered(io: T, buf: Bytes) -> Self {
-        Rewind {
-            pre: Some(buf),
-            inner: io,
-        }
-    }
-
-    #[cfg(test)]
-    pub(crate) fn rewind(&mut self, bs: Bytes) {
-        debug_assert!(self.pre.is_none());
-        self.pre = Some(bs);
-    }
-
-    pub(crate) fn into_inner(self) -> (T, Bytes) {
-        (self.inner, self.pre.unwrap_or_default())
-    }
-
-    // pub(crate) fn get_mut(&mut self) -> &mut T {
-    //     &mut self.inner
-    // }
-}
-
-impl<T> Read for Rewind<T>
-where
-    T: Read + Unpin,
-{
-    fn poll_read(
-        mut self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-        mut buf: ReadBufCursor<'_>,
-    ) -> Poll<io::Result<()>> {
-        if let Some(mut prefix) = self.pre.take() {
-            // If there are no remaining bytes, let the bytes get dropped.
-            if !prefix.is_empty() {
-                let copy_len = cmp::min(prefix.len(), buf.remaining());
-                // TODO: There should be a way to do following two lines cleaner...
-                buf.put_slice(&prefix[..copy_len]);
-                prefix.advance(copy_len);
-                // Put back what's left
-                if !prefix.is_empty() {
-                    self.pre = Some(prefix);
-                }
-
-                return Poll::Ready(Ok(()));
-            }
-        }
-        Pin::new(&mut self.inner).poll_read(cx, buf)
-    }
-}
-
-impl<T> Write for Rewind<T>
-where
-    T: Write + Unpin,
-{
-    fn poll_write(
-        mut self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-        buf: &[u8],
-    ) -> Poll<io::Result<usize>> {
-        Pin::new(&mut self.inner).poll_write(cx, buf)
-    }
-
-    fn poll_write_vectored(
-        mut self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-        bufs: &[io::IoSlice<'_>],
-    ) -> Poll<io::Result<usize>> {
-        Pin::new(&mut self.inner).poll_write_vectored(cx, bufs)
-    }
-
-    fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
-        Pin::new(&mut self.inner).poll_flush(cx)
-    }
-
-    fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
-        Pin::new(&mut self.inner).poll_shutdown(cx)
-    }
-
-    fn is_write_vectored(&self) -> bool {
-        self.inner.is_write_vectored()
-    }
-}
-
-#[cfg(all(
-    any(feature = "client", feature = "server"),
-    any(feature = "http1", feature = "http2"),
-))]
-#[cfg(test)]
-mod tests {
-    use super::super::Compat;
-    use super::Rewind;
-    use bytes::Bytes;
-    use tokio::io::AsyncReadExt;
-
-    #[cfg(not(miri))]
-    #[tokio::test]
-    async fn partial_rewind() {
-        let underlying = [104, 101, 108, 108, 111];
-
-        let mock = tokio_test::io::Builder::new().read(&underlying).build();
-
-        let mut stream = Compat::new(Rewind::new(Compat::new(mock)));
-
-        // Read off some bytes, ensure we filled o1
-        let mut buf = [0; 2];
-        stream.read_exact(&mut buf).await.expect("read1");
-
-        // Rewind the stream so that it is as if we never read in the first place.
-        stream.0.rewind(Bytes::copy_from_slice(&buf[..]));
-
-        let mut buf = [0; 5];
-        stream.read_exact(&mut buf).await.expect("read1");
-
-        // At this point we should have read everything that was in the MockStream
-        assert_eq!(&buf, &underlying);
-    }
-
-    #[cfg(not(miri))]
-    #[tokio::test]
-    async fn full_rewind() {
-        let underlying = [104, 101, 108, 108, 111];
-
-        let mock = tokio_test::io::Builder::new().read(&underlying).build();
-
-        let mut stream = Compat::new(Rewind::new(Compat::new(mock)));
-
-        let mut buf = [0; 5];
-        stream.read_exact(&mut buf).await.expect("read1");
-
-        // Rewind the stream so that it is as if we never read in the first place.
-        stream.0.rewind(Bytes::copy_from_slice(&buf[..]));
-
-        let mut buf = [0; 5];
-        stream.read_exact(&mut buf).await.expect("read1");
-    }
-}