feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

1 files changed, 0 insertions, 174 deletions

diff --git a/vendor/security-framework/src/import_export.rs b/vendor/security-framework/src/import_export.rs
deleted file mode 100644
index 378a2d5b..00000000
--- a/vendor/security-framework/src/import_export.rs
+++ /dev/null
@@ -1,174 +0,0 @@
-//! Security Framework type import/export support.
-
-use core_foundation::array::CFArray;
-use core_foundation::base::{CFType, TCFType};
-use core_foundation::data::CFData;
-use core_foundation::dictionary::CFDictionary;
-use core_foundation::string::CFString;
-use security_framework_sys::import_export::*;
-use std::ptr;
-
-use crate::base::Result;
-use crate::certificate::SecCertificate;
-use crate::cvt;
-use crate::identity::SecIdentity;
-#[cfg(target_os = "macos")]
-use crate::os::macos::access::SecAccess;
-#[cfg(target_os = "macos")]
-use crate::os::macos::keychain::SecKeychain;
-use crate::trust::SecTrust;
-
-/// Information about an imported identity.
-pub struct ImportedIdentity {
-    /// The label of the identity.
-    pub label: Option<String>,
-    /// The ID of the identity. Typically the SHA-1 hash of the public key.
-    pub key_id: Option<Vec<u8>>,
-    /// A `SecTrust` object set up to validate this identity.
-    pub trust: Option<SecTrust>,
-    /// A certificate chain validating this identity.
-    pub cert_chain: Option<Vec<SecCertificate>>,
-    /// The identity itself.
-    pub identity: Option<SecIdentity>,
-    _p: (),
-}
-
-/// A builder type to import an identity from PKCS#12 formatted data.
-#[derive(Default)]
-pub struct Pkcs12ImportOptions {
-    passphrase: Option<CFString>,
-    #[cfg(target_os = "macos")]
-    keychain: Option<SecKeychain>,
-    #[cfg(target_os = "macos")]
-    access: Option<SecAccess>,
-}
-
-#[cfg(target_os = "macos")]
-impl crate::Pkcs12ImportOptionsInternals for Pkcs12ImportOptions {
-    #[inline(always)]
-    fn keychain(&mut self, keychain: SecKeychain) -> &mut Self {
-        self.keychain = Some(keychain);
-        self
-    }
-
-    #[inline(always)]
-    fn access(&mut self, access: SecAccess) -> &mut Self {
-        self.access = Some(access);
-        self
-    }
-}
-
-impl Pkcs12ImportOptions {
-    /// Creates a new builder with default options.
-    #[inline(always)]
-    #[must_use]
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    /// Specifies the passphrase to be used to decrypt the data.
-    ///
-    /// This must be specified, as unencrypted PKCS#12 data is not supported.
-    #[inline]
-    pub fn passphrase(&mut self, passphrase: &str) -> &mut Self {
-        self.passphrase = Some(CFString::new(passphrase));
-        self
-    }
-
-    /// Imports identities from PKCS#12 encoded data.
-    pub fn import(&self, pkcs12_data: &[u8]) -> Result<Vec<ImportedIdentity>> {
-        unsafe {
-            let pkcs12_data = CFData::from_buffer(pkcs12_data);
-
-            let mut options = vec![];
-
-            if let Some(ref passphrase) = self.passphrase {
-                options.push((
-                    CFString::wrap_under_get_rule(kSecImportExportPassphrase),
-                    passphrase.as_CFType(),
-                ));
-            }
-
-            self.import_setup(&mut options);
-
-            let options = CFDictionary::from_CFType_pairs(&options);
-
-            let mut raw_items = ptr::null();
-            cvt(SecPKCS12Import(
-                pkcs12_data.as_concrete_TypeRef(),
-                options.as_concrete_TypeRef(),
-                &mut raw_items,
-            ))?;
-            let raw_items = CFArray::<CFDictionary<CFString, *const _>>::wrap_under_create_rule(raw_items);
-
-            let mut items = vec![];
-
-            for raw_item in &raw_items {
-                let label = raw_item
-                    .find(kSecImportItemLabel)
-                    .map(|label| CFString::wrap_under_get_rule((*label).cast()).to_string());
-                let key_id = raw_item
-                    .find(kSecImportItemKeyID)
-                    .map(|key_id| CFData::wrap_under_get_rule((*key_id).cast()).to_vec());
-                let trust = raw_item
-                    .find(kSecImportItemTrust)
-                    .map(|trust| SecTrust::wrap_under_get_rule(*trust as *mut _));
-                let cert_chain = raw_item.find(kSecImportItemCertChain.cast()).map(
-                    |cert_chain| {
-                        CFArray::<SecCertificate>::wrap_under_get_rule((*cert_chain).cast())
-                            .iter()
-                            .map(|c| c.clone())
-                            .collect()
-                    },
-                );
-                let identity = raw_item
-                    .find(kSecImportItemIdentity)
-                    .map(|identity| SecIdentity::wrap_under_get_rule(*identity as *mut _));
-
-                items.push(ImportedIdentity {
-                    label,
-                    key_id,
-                    trust,
-                    cert_chain,
-                    identity,
-                    _p: (),
-                });
-            }
-
-            Ok(items)
-        }
-    }
-
-    #[cfg(target_os = "macos")]
-    fn import_setup(&self, options: &mut Vec<(CFString, CFType)>) {
-        unsafe {
-            if let Some(ref keychain) = self.keychain {
-                options.push((
-                    CFString::wrap_under_get_rule(kSecImportExportKeychain),
-                    keychain.as_CFType(),
-                ));
-            }
-
-            if let Some(ref access) = self.access {
-                options.push((
-                    CFString::wrap_under_get_rule(kSecImportExportAccess),
-                    access.as_CFType(),
-                ));
-            }
-        }
-    }
-
-    #[cfg(not(target_os = "macos"))]
-    fn import_setup(&self, _: &mut Vec<(CFString, CFType)>) {}
-}
-
-#[cfg(test)]
-mod test {
-    use super::*;
-
-    #[test]
-    fn missing_passphrase() {
-        let data = include_bytes!("../test/server.p12");
-        assert!(Pkcs12ImportOptions::new().import(data).is_err());
-    }
-}