feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

3 files changed, 0 insertions, 132 deletions

diff --git a/vendor/rustix/src/backend/linux_raw/system/mod.rs b/vendor/rustix/src/backend/linux_raw/system/mod.rs
deleted file mode 100644
index 1e0181a9..00000000
--- a/vendor/rustix/src/backend/linux_raw/system/mod.rs
+++ /dev/null
@@ -1,2 +0,0 @@
-pub(crate) mod syscalls;
-pub(crate) mod types;
diff --git a/vendor/rustix/src/backend/linux_raw/system/syscalls.rs b/vendor/rustix/src/backend/linux_raw/system/syscalls.rs
deleted file mode 100644
index bbee2680..00000000
--- a/vendor/rustix/src/backend/linux_raw/system/syscalls.rs
+++ /dev/null
@@ -1,91 +0,0 @@
-//! linux_raw syscalls supporting `rustix::system`.
-//!
-//! # Safety
-//!
-//! See the `rustix::backend` module documentation for details.
-#![allow(unsafe_code, clippy::undocumented_unsafe_blocks)]
-
-use super::types::RawUname;
-use crate::backend::c;
-use crate::backend::conv::{c_int, ret, ret_infallible, slice};
-use crate::fd::BorrowedFd;
-use crate::ffi::CStr;
-use crate::io;
-use crate::system::{RebootCommand, Sysinfo};
-use core::mem::MaybeUninit;
-
-#[inline]
-pub(crate) fn uname() -> RawUname {
-    let mut uname = MaybeUninit::<RawUname>::uninit();
-    unsafe {
-        ret_infallible(syscall!(__NR_uname, &mut uname));
-        uname.assume_init()
-    }
-}
-
-#[inline]
-pub(crate) fn sysinfo() -> Sysinfo {
-    let mut info = MaybeUninit::<Sysinfo>::uninit();
-    unsafe {
-        ret_infallible(syscall!(__NR_sysinfo, &mut info));
-        info.assume_init()
-    }
-}
-
-#[inline]
-pub(crate) fn sethostname(name: &[u8]) -> io::Result<()> {
-    let (ptr, len) = slice(name);
-    unsafe { ret(syscall_readonly!(__NR_sethostname, ptr, len)) }
-}
-
-#[inline]
-pub(crate) fn setdomainname(name: &[u8]) -> io::Result<()> {
-    let (ptr, len) = slice(name);
-    unsafe { ret(syscall_readonly!(__NR_setdomainname, ptr, len)) }
-}
-
-#[inline]
-pub(crate) fn reboot(cmd: RebootCommand) -> io::Result<()> {
-    unsafe {
-        ret(syscall_readonly!(
-            __NR_reboot,
-            c_int(c::LINUX_REBOOT_MAGIC1),
-            c_int(c::LINUX_REBOOT_MAGIC2),
-            c_int(cmd as i32)
-        ))
-    }
-}
-
-#[inline]
-pub(crate) fn init_module(image: &[u8], param_values: &CStr) -> io::Result<()> {
-    let (image, len) = slice(image);
-    unsafe {
-        ret(syscall_readonly!(
-            __NR_init_module,
-            image,
-            len,
-            param_values
-        ))
-    }
-}
-
-#[inline]
-pub(crate) fn finit_module(
-    fd: BorrowedFd<'_>,
-    param_values: &CStr,
-    flags: c::c_int,
-) -> io::Result<()> {
-    unsafe {
-        ret(syscall_readonly!(
-            __NR_finit_module,
-            fd,
-            param_values,
-            c_int(flags)
-        ))
-    }
-}
-
-#[inline]
-pub(crate) fn delete_module(name: &CStr, flags: c::c_int) -> io::Result<()> {
-    unsafe { ret(syscall_readonly!(__NR_delete_module, name, c_int(flags))) }
-}
diff --git a/vendor/rustix/src/backend/linux_raw/system/types.rs b/vendor/rustix/src/backend/linux_raw/system/types.rs
deleted file mode 100644
index 92cc5278..00000000
--- a/vendor/rustix/src/backend/linux_raw/system/types.rs
+++ /dev/null
@@ -1,39 +0,0 @@
-use crate::ffi;
-use core::mem::size_of;
-
-/// `sysinfo`
-#[non_exhaustive]
-#[repr(C)]
-pub struct Sysinfo {
-    /// Seconds since boot
-    pub uptime: ffi::c_long,
-    /// 1, 5, and 15 minute load averages
-    pub loads: [ffi::c_ulong; 3],
-    /// Total usable main memory size
-    pub totalram: ffi::c_ulong,
-    /// Available memory size
-    pub freeram: ffi::c_ulong,
-    /// Amount of shared memory
-    pub sharedram: ffi::c_ulong,
-    /// Memory used by buffers
-    pub bufferram: ffi::c_ulong,
-    /// Total swap space size
-    pub totalswap: ffi::c_ulong,
-    /// Swap space still available
-    pub freeswap: ffi::c_ulong,
-    /// Number of current processes
-    pub procs: ffi::c_ushort,
-
-    pub(crate) pad: ffi::c_ushort,
-
-    /// Total high memory size
-    pub totalhigh: ffi::c_ulong,
-    /// Available high memory size
-    pub freehigh: ffi::c_ulong,
-    /// Memory unit size in bytes
-    pub mem_unit: ffi::c_uint,
-
-    pub(crate) f: [u8; 20 - 2 * size_of::<ffi::c_long>() - size_of::<ffi::c_int>()],
-}
-
-pub(crate) type RawUname = linux_raw_sys::system::new_utsname;