path: root/vendor/nonempty/flake.nix
authormo khan <mo@mokhan.ca>2025-07-15 16:37:08 -0600
committermo khan <mo@mokhan.ca>2025-07-17 16:30:22 -0600
commit45df4d0d9b577fecee798d672695fe24ff57fb1b (patch)
tree1b99bf645035b58e0d6db08c7a83521f41f7a75b /vendor/nonempty/flake.nix
parentf94f79608393d4ab127db63cc41668445ef6b243 (diff)
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar-inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to a SpiceDB schema.
Diffstat (limited to 'vendor/nonempty/flake.nix')
-rw-r--r--vendor/nonempty/flake.nix148
1 files changed, 0 insertions, 148 deletions
diff --git a/vendor/nonempty/flake.nix b/vendor/nonempty/flake.nix
deleted file mode 100644
index 2b7b68f8..00000000
--- a/vendor/nonempty/flake.nix
+++ /dev/null
@@ -1,148 +0,0 @@
-{
- description = "Build a cargo project";
-
- inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/release-23.11";
-
- crane = {
- url = "github:ipetkov/crane";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
- fenix = {
- url = "github:nix-community/fenix";
- inputs.nixpkgs.follows = "nixpkgs";
- inputs.rust-analyzer-src.follows = "";
- };
-
- flake-utils.url = "github:numtide/flake-utils";
-
- advisory-db = {
- url = "github:rustsec/advisory-db";
- flake = false;
- };
- };
-
- outputs = {
- self,
- nixpkgs,
- crane,
- fenix,
- flake-utils,
- advisory-db,
- ...
- }:
- flake-utils.lib.eachDefaultSystem (system: let
- pname = "nonempty";
- pkgs = nixpkgs.legacyPackages.${system};
-
- inherit (pkgs) lib;
-
- craneLib = crane.lib.${system};
- src = craneLib.cleanCargoSource (craneLib.path ./.);
-
- # Common arguments can be set here to avoid repeating them later
- commonArgs = {
- inherit src;
- strictDeps = true;
-
- buildInputs =
- [
- # Add additional build inputs here
- ]
- ++ lib.optionals pkgs.stdenv.isDarwin [
- # Additional darwin specific inputs can be set here
- pkgs.libiconv
- ];
- };
-
- craneLibLLvmTools =
- craneLib.overrideToolchain
- (fenix.packages.${system}.complete.withComponents [
- "cargo"
- "llvm-tools"
- "rustc"
- ]);
-
- # Build *just* the cargo dependencies, so we can reuse
- # all of that work (e.g. via cachix) when running in CI
- cargoArtifacts = craneLib.buildDepsOnly commonArgs;
-
- # Build the actual crate itself, reusing the dependency
- # artifacts from above.
- nonempty = craneLib.buildPackage (commonArgs
- // {
- inherit cargoArtifacts;
- doCheck = false;
- });
- in {
- # Formatter
- formatter = pkgs.alejandra;
-
- checks = {
- # Build the crate as part of `nix flake check` for convenience
- inherit nonempty;
-
- # Run clippy (and deny all warnings) on the crate source,
- # again, resuing the dependency artifacts from above.
- #
- # Note that this is done as a separate derivation so that
- # we can block the CI if there are issues here, but not
- # prevent downstream consumers from building our crate by itself.
- nonempty-clippy = craneLib.cargoClippy (commonArgs
- // {
- inherit cargoArtifacts;
- cargoClippyExtraArgs = "--all-targets -- --deny warnings";
- });
-
- nonempty-doc = craneLib.cargoDoc (commonArgs
- // {
- inherit cargoArtifacts;
- });
-
- # Check formatting
- nonempty-fmt = craneLib.cargoFmt {
- inherit src;
- };
-
- # Audit dependencies
- nonempty-audit = craneLib.cargoAudit {
- inherit src advisory-db;
- };
-
- # Audit licenses
- nonempty-deny = craneLib.cargoDeny {
- inherit src;
- };
-
- # Run tests with cargo-nextest
- nonempty-nextest = craneLib.cargoNextest (commonArgs
- // {
- inherit cargoArtifacts;
- partitions = 1;
- partitionType = "count";
- });
- };
-
- packages =
- {
- default = nonempty;
- }
- // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
- nonempty-llvm-coverage = craneLibLLvmTools.cargoLlvmCov (commonArgs
- // {
- inherit cargoArtifacts;
- });
- };
-
- devShells.default = craneLib.devShell {
- # Extra inputs can be added here; cargo and rustc are provided by default.
- packages = [
- pkgs.cargo-watch
- pkgs.cargo-nextest
- pkgs.ripgrep
- pkgs.rust-analyzer
- ];
- };
- });
-}