feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

3 files changed, 0 insertions, 173 deletions

diff --git a/vendor/rustix/src/backend/libc/system/mod.rs b/vendor/rustix/src/backend/libc/system/mod.rs
deleted file mode 100644
index bff7fd56..00000000
--- a/vendor/rustix/src/backend/libc/system/mod.rs
+++ /dev/null
@@ -1,3 +0,0 @@
-#[cfg(not(windows))]
-pub(crate) mod syscalls;
-pub(crate) mod types;
diff --git a/vendor/rustix/src/backend/libc/system/syscalls.rs b/vendor/rustix/src/backend/libc/system/syscalls.rs
deleted file mode 100644
index 0e8a7b36..00000000
--- a/vendor/rustix/src/backend/libc/system/syscalls.rs
+++ /dev/null
@@ -1,162 +0,0 @@
-//! libc syscalls supporting `rustix::process`.
-
-use super::types::RawUname;
-use crate::backend::c;
-#[cfg(not(target_os = "wasi"))]
-use crate::backend::conv::ret_infallible;
-#[cfg(target_os = "linux")]
-use crate::system::RebootCommand;
-use core::mem::MaybeUninit;
-#[cfg(linux_kernel)]
-use {
-    crate::backend::conv::c_str, crate::fd::BorrowedFd, crate::ffi::CStr, crate::system::Sysinfo,
-};
-#[cfg(not(any(
-    target_os = "emscripten",
-    target_os = "espidf",
-    target_os = "redox",
-    target_os = "vita",
-    target_os = "wasi"
-)))]
-use {crate::backend::conv::ret, crate::io};
-
-#[cfg(not(target_os = "wasi"))]
-#[inline]
-pub(crate) fn uname() -> RawUname {
-    let mut uname = MaybeUninit::<RawUname>::uninit();
-    unsafe {
-        let r = c::uname(uname.as_mut_ptr());
-
-        // On POSIX, `uname` is documented to return non-negative on success
-        // instead of the usual 0, though some specific systems do document
-        // that they always use zero allowing us to skip this check.
-        #[cfg(not(any(apple, freebsdlike, linux_like, target_os = "netbsd")))]
-        let r = core::cmp::min(r, 0);
-
-        ret_infallible(r);
-        uname.assume_init()
-    }
-}
-
-#[cfg(linux_kernel)]
-pub(crate) fn sysinfo() -> Sysinfo {
-    let mut info = MaybeUninit::<Sysinfo>::uninit();
-    unsafe {
-        ret_infallible(c::sysinfo(info.as_mut_ptr()));
-        info.assume_init()
-    }
-}
-
-#[cfg(not(any(
-    target_os = "emscripten",
-    target_os = "espidf",
-    target_os = "horizon",
-    target_os = "redox",
-    target_os = "vita",
-    target_os = "wasi"
-)))]
-pub(crate) fn sethostname(name: &[u8]) -> io::Result<()> {
-    unsafe {
-        ret(c::sethostname(
-            name.as_ptr().cast(),
-            name.len().try_into().map_err(|_| io::Errno::INVAL)?,
-        ))
-    }
-}
-
-#[cfg(not(any(
-    target_os = "android",
-    target_os = "cygwin",
-    target_os = "emscripten",
-    target_os = "espidf",
-    target_os = "illumos",
-    target_os = "haiku",
-    target_os = "horizon",
-    target_os = "redox",
-    target_os = "solaris",
-    target_os = "vita",
-    target_os = "wasi",
-)))]
-pub(crate) fn setdomainname(name: &[u8]) -> io::Result<()> {
-    unsafe {
-        ret(c::setdomainname(
-            name.as_ptr().cast(),
-            name.len().try_into().map_err(|_| io::Errno::INVAL)?,
-        ))
-    }
-}
-
-// <https://github.com/rust-lang/libc/pull/4212>
-#[cfg(target_os = "android")]
-pub(crate) fn setdomainname(name: &[u8]) -> io::Result<()> {
-    syscall! {
-        fn setdomainname(
-            name: *const c::c_char,
-            len: c::size_t
-        ) via SYS_setdomainname -> c::c_int
-    }
-
-    unsafe {
-        ret(setdomainname(
-            name.as_ptr().cast(),
-            name.len().try_into().map_err(|_| io::Errno::INVAL)?,
-        ))
-    }
-}
-
-#[cfg(target_os = "linux")]
-pub(crate) fn reboot(cmd: RebootCommand) -> io::Result<()> {
-    unsafe { ret(c::reboot(cmd as i32)) }
-}
-
-#[cfg(linux_kernel)]
-#[inline]
-pub(crate) fn init_module(image: &[u8], param_values: &CStr) -> io::Result<()> {
-    syscall! {
-        fn init_module(
-            module_image: *const c::c_void,
-            len: c::c_ulong,
-            param_values: *const c::c_char
-        ) via SYS_init_module -> c::c_int
-    }
-
-    unsafe {
-        ret(init_module(
-            image.as_ptr().cast(),
-            image.len() as _,
-            c_str(param_values),
-        ))
-    }
-}
-
-#[cfg(linux_kernel)]
-#[inline]
-pub(crate) fn finit_module(
-    fd: BorrowedFd<'_>,
-    param_values: &CStr,
-    flags: c::c_int,
-) -> io::Result<()> {
-    use crate::fd::AsRawFd as _;
-
-    syscall! {
-        fn finit_module(
-            fd: c::c_int,
-            param_values: *const c::c_char,
-            flags: c::c_int
-        ) via SYS_finit_module -> c::c_int
-    }
-
-    unsafe { ret(finit_module(fd.as_raw_fd(), c_str(param_values), flags)) }
-}
-
-#[cfg(linux_kernel)]
-#[inline]
-pub(crate) fn delete_module(name: &CStr, flags: c::c_int) -> io::Result<()> {
-    syscall! {
-        fn delete_module(
-            name: *const c::c_char,
-            flags: c::c_int
-        ) via SYS_delete_module -> c::c_int
-    }
-    unsafe { ret(delete_module(c_str(name), flags)) }
-}
diff --git a/vendor/rustix/src/backend/libc/system/types.rs b/vendor/rustix/src/backend/libc/system/types.rs
deleted file mode 100644
index 731e89be..00000000
--- a/vendor/rustix/src/backend/libc/system/types.rs
+++ /dev/null
@@ -1,8 +0,0 @@
-use crate::backend::c;
-
-/// `sysinfo`
-#[cfg(linux_kernel)]
-pub type Sysinfo = c::sysinfo;
-
-#[cfg(not(target_os = "wasi"))]
-pub(crate) type RawUname = c::utsname;