feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

1 files changed, 0 insertions, 96 deletions

diff --git a/vendor/nonempty/src/nonzero.rs b/vendor/nonempty/src/nonzero.rs
deleted file mode 100644
index 4d611022..00000000
--- a/vendor/nonempty/src/nonzero.rs
+++ /dev/null
@@ -1,96 +0,0 @@
-#[cfg(feature = "arbitrary")]
-use arbitrary::Arbitrary;
-use std::num::NonZeroUsize;
-
-/// A non-empty list which statically guarantees certain operations
-/// cannot return zero, using [`std::num::NonZeroUsize`].
-///
-/// *Experimental*
-///
-#[repr(transparent)]
-#[cfg_attr(feature = "arbitrary", derive(Arbitrary))]
-#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
-pub struct NonEmpty<T>(super::NonEmpty<T>);
-
-impl<T> NonEmpty<T> {
-    /// Get the length of the list.
-    pub fn len(&self) -> NonZeroUsize {
-        unsafe { NonZeroUsize::new_unchecked(self.0.tail.len() + 1) }
-    }
-
-    /// Get the capacity of the list.
-    pub fn capacity(&self) -> NonZeroUsize {
-        unsafe { NonZeroUsize::new_unchecked(self.0.tail.capacity() + 1) }
-    }
-
-    /// Truncate the list to a certain size.
-    pub fn truncate(&mut self, len: NonZeroUsize) {
-        self.tail.truncate(usize::from(len) - 1);
-    }
-}
-
-impl<T> From<super::NonEmpty<T>> for NonEmpty<T> {
-    fn from(other: super::NonEmpty<T>) -> NonEmpty<T> {
-        NonEmpty(other)
-    }
-}
-
-impl<T> std::ops::Deref for NonEmpty<T> {
-    type Target = super::NonEmpty<T>;
-
-    fn deref(&self) -> &Self::Target {
-        &self.0
-    }
-}
-
-impl<T> std::ops::DerefMut for NonEmpty<T> {
-    fn deref_mut(&mut self) -> &mut Self::Target {
-        &mut self.0
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use crate::nonzero;
-    use crate::NonEmpty;
-
-    use std::convert::TryInto;
-
-    #[test]
-    fn test_nonzero() {
-        let nonempty: nonzero::NonEmpty<_> = NonEmpty::from((0, vec![1, 2, 3])).into();
-
-        assert_eq!(nonempty.len(), 4.try_into().unwrap());
-        assert_eq!(nonempty.capacity(), 4.try_into().unwrap());
-    }
-
-    #[cfg(feature = "arbitrary")]
-    mod arbitrary {
-        use crate::nonzero;
-        use arbitrary::{Arbitrary, Unstructured};
-
-        use std::convert::TryInto;
-
-        #[test]
-        fn test_nonzero_arbitrary_empty_tail() -> arbitrary::Result<()> {
-            let mut u = Unstructured::new(&[1, 2, 3, 4]);
-            let nonempty: nonzero::NonEmpty<_> = nonzero::NonEmpty::<i32>::arbitrary(&mut u)?;
-
-            assert_eq!(nonempty.len(), 1.try_into().unwrap());
-            assert_eq!(nonempty.capacity(), 1.try_into().unwrap());
-
-            Ok(())
-        }
-
-        #[test]
-        fn test_nonzero_arbitrary_with_tail() -> arbitrary::Result<()> {
-            let mut u = Unstructured::new(&[1, 2, 3, 4, 5, 6, 7, 8]);
-            let nonempty: nonzero::NonEmpty<_> = nonzero::NonEmpty::<i32>::arbitrary(&mut u)?;
-
-            assert_eq!(nonempty.len(), 2.try_into().unwrap());
-            assert_eq!(nonempty.capacity(), 5.try_into().unwrap());
-
-            Ok(())
-        }
-    }
-}