feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

1 files changed, 0 insertions, 89 deletions

diff --git a/vendor/rustls/src/lock.rs b/vendor/rustls/src/lock.rs
deleted file mode 100644
index b632b2c5..00000000
--- a/vendor/rustls/src/lock.rs
+++ /dev/null
@@ -1,89 +0,0 @@
-#[cfg(not(feature = "std"))]
-pub use no_std_lock::*;
-#[cfg(feature = "std")]
-pub use std_lock::*;
-
-#[cfg(feature = "std")]
-mod std_lock {
-    use std::sync::Mutex as StdMutex;
-    pub use std::sync::MutexGuard;
-
-    /// A wrapper around [`std::sync::Mutex`].
-    #[derive(Debug)]
-    pub struct Mutex<T> {
-        inner: StdMutex<T>,
-    }
-
-    impl<T> Mutex<T> {
-        /// Creates a new mutex in an unlocked state ready for use.
-        pub fn new(data: T) -> Self {
-            Self {
-                inner: StdMutex::new(data),
-            }
-        }
-
-        /// Acquires the mutex, blocking the current thread until it is able to do so.
-        ///
-        /// This will return `None` in the case the mutex is poisoned.
-        #[inline]
-        pub fn lock(&self) -> Option<MutexGuard<'_, T>> {
-            self.inner.lock().ok()
-        }
-    }
-}
-
-#[cfg(not(feature = "std"))]
-mod no_std_lock {
-    use alloc::boxed::Box;
-    use core::fmt::Debug;
-    use core::ops::DerefMut;
-
-    use crate::sync::Arc;
-
-    /// A no-std compatible wrapper around [`Lock`].
-    #[derive(Debug)]
-    pub struct Mutex<T> {
-        inner: Arc<dyn Lock<T>>,
-    }
-
-    impl<T: Send + 'static> Mutex<T> {
-        /// Creates a new mutex in an unlocked state ready for use.
-        pub fn new<M>(val: T) -> Self
-        where
-            M: MakeMutex,
-            T: Send + 'static,
-        {
-            Self {
-                inner: M::make_mutex(val),
-            }
-        }
-
-        /// Acquires the mutex, blocking the current thread until it is able to do so.
-        ///
-        /// This will return `None` in the case the mutex is poisoned.
-        #[inline]
-        pub fn lock(&self) -> Option<MutexGuard<'_, T>> {
-            self.inner.lock().ok()
-        }
-    }
-
-    /// A lock protecting shared data.
-    pub trait Lock<T>: Debug + Send + Sync {
-        /// Acquire the lock.
-        fn lock(&self) -> Result<MutexGuard<'_, T>, Poisoned>;
-    }
-
-    /// A lock builder.
-    pub trait MakeMutex {
-        /// Create a new mutex.
-        fn make_mutex<T>(value: T) -> Arc<dyn Lock<T>>
-        where
-            T: Send + 'static;
-    }
-
-    /// A no-std compatible mutex guard.
-    pub type MutexGuard<'a, T> = Box<dyn DerefMut<Target = T> + 'a>;
-
-    /// A marker type used to indicate `Lock::lock` failed due to a poisoned lock.
-    pub struct Poisoned;
-}