feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.

5 files changed, 0 insertions, 485 deletions

diff --git a/vendor/sync_wrapper/.cargo-checksum.json b/vendor/sync_wrapper/.cargo-checksum.json
deleted file mode 100644
index ec10656c..00000000
--- a/vendor/sync_wrapper/.cargo-checksum.json
+++ /dev/null
@@ -1 +0,0 @@
-{"files":{"Cargo.toml":"d6523f082d2ac59ffcdb22683a13b5804543141be28764e7d7a30063000767f9","LICENSE":"0d542e0c8804e39aa7f37eb00da5a762149dc682d7829451287e11b938e94594","README.md":"61e995daa67a37597f76b78ca3c61916a42a66034f01e9473ee7b7753029ca3a","src/lib.rs":"81898bdb0429273524efb125b8b5d3b0fc0fea0e134946b366f043708dc07b83"},"package":"0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"}
\ No newline at end of file
diff --git a/vendor/sync_wrapper/Cargo.toml b/vendor/sync_wrapper/Cargo.toml
deleted file mode 100644
index dd5368a0..00000000
--- a/vendor/sync_wrapper/Cargo.toml
+++ /dev/null
@@ -1,41 +0,0 @@
-# THIS FILE IS AUTOMATICALLY GENERATED BY CARGO
-#
-# When uploading crates to the registry Cargo will automatically
-# "normalize" Cargo.toml files for maximal compatibility
-# with all versions of Cargo and also rewrite `path` dependencies
-# to registry (e.g., crates.io) dependencies.
-#
-# If you are reading this file be aware that the original Cargo.toml
-# will likely look very different (and much more reasonable).
-# See Cargo.toml.orig for the original contents.
-
-[package]
-edition = "2021"
-name = "sync_wrapper"
-version = "1.0.2"
-authors = ["Actyx AG <developer@actyx.io>"]
-description = "A tool for enlisting the compiler's help in proving the absence of concurrency"
-homepage = "https://docs.rs/sync_wrapper"
-documentation = "https://docs.rs/sync_wrapper"
-readme = "README.md"
-keywords = ["concurrency"]
-categories = ["concurrency"]
-license = "Apache-2.0"
-repository = "https://github.com/Actyx/sync_wrapper"
-
-[package.metadata.docs.rs]
-all-features = true
-
-[dependencies.futures-core]
-version = "0.3"
-optional = true
-default-features = false
-
-[dev-dependencies.futures]
-version = "0.3"
-
-[dev-dependencies.pin-project-lite]
-version = "0.2.7"
-
-[features]
-futures = ["futures-core"]
diff --git a/vendor/sync_wrapper/LICENSE b/vendor/sync_wrapper/LICENSE
deleted file mode 100644
index f433b1a5..00000000
--- a/vendor/sync_wrapper/LICENSE
+++ /dev/null
@@ -1,177 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
diff --git a/vendor/sync_wrapper/README.md b/vendor/sync_wrapper/README.md
deleted file mode 100644
index 20261c93..00000000
--- a/vendor/sync_wrapper/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-[![Latest Version](https://img.shields.io/crates/v/sync_wrapper.svg)](https://crates.io/crates/sync_wrapper)
-[![Rust Documentation](https://docs.rs/sync_wrapper/badge.svg)](https://docs.rs/sync_wrapper)
-
-# SyncWrapper
-
-A mutual exclusion primitive that relies on static type information only.
-
-This library is inspired by [this discussion](https://internals.rust-lang.org/t/what-shall-sync-mean-across-an-await/12020/2).
diff --git a/vendor/sync_wrapper/src/lib.rs b/vendor/sync_wrapper/src/lib.rs
deleted file mode 100644
index a508e2ff..00000000
--- a/vendor/sync_wrapper/src/lib.rs
+++ /dev/null
@@ -1,258 +0,0 @@
-/*
- * Copyright 2020 Actyx AG
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-//! A mutual exclusion primitive that relies on static type information only
-//!
-//! This library is inspired by [this discussion](https://internals.rust-lang.org/t/what-shall-sync-mean-across-an-await/12020/2).
-#![doc(html_logo_url = "https://developer.actyx.com/img/logo.svg")]
-#![doc(html_favicon_url = "https://developer.actyx.com/img/favicon.ico")]
-#![no_std]
-
-use core::{
-    fmt::{self, Debug, Formatter},
-    pin::Pin,
-    future::Future,
-    task::{Context, Poll},
-};
-
-/// A mutual exclusion primitive that relies on static type information only
-///
-/// In some cases synchronization can be proven statically: whenever you hold an exclusive `&mut`
-/// reference, the Rust type system ensures that no other part of the program can hold another
-/// reference to the data. Therefore it is safe to access it even if the current thread obtained
-/// this reference via a channel. Whenever this is the case, the overhead of allocating and locking
-/// a [`Mutex`] can be avoided by using this static version.
-///
-/// One example where this is often applicable is [`Future`], which requires an exclusive reference
-/// for its [`poll`] method: While a given `Future` implementation may not be safe to access by
-/// multiple threads concurrently, the executor can only run the `Future` on one thread at any
-/// given time, making it [`Sync`] in practice as long as the implementation is `Send`. You can
-/// therefore use the static mutex to prove that your data structure is `Sync` even though it
-/// contains such a `Future`.
-///
-/// # Example
-///
-/// ```
-/// use sync_wrapper::SyncWrapper;
-/// use std::future::Future;
-///
-/// struct MyThing {
-///     future: SyncWrapper<Box<dyn Future<Output = String> + Send>>,
-/// }
-///
-/// impl MyThing {
-///     // all accesses to `self.future` now require an exclusive reference or ownership
-/// }
-///
-/// fn assert_sync<T: Sync>() {}
-///
-/// assert_sync::<MyThing>();
-/// ```
-///
-/// [`Mutex`]: https://doc.rust-lang.org/std/sync/struct.Mutex.html
-/// [`Future`]: https://doc.rust-lang.org/std/future/trait.Future.html
-/// [`poll`]: https://doc.rust-lang.org/std/future/trait.Future.html#method.poll
-/// [`Sync`]: https://doc.rust-lang.org/std/marker/trait.Sync.html
-#[repr(transparent)]
-pub struct SyncWrapper<T>(T);
-
-impl<T> SyncWrapper<T> {
-    /// Creates a new static mutex containing the given value.
-    ///
-    /// # Examples
-    ///
-    /// ```
-    /// use sync_wrapper::SyncWrapper;
-    ///
-    /// let mutex = SyncWrapper::new(42);
-    /// ```
-    pub const fn new(value: T) -> Self {
-        Self(value)
-    }
-
-    /// Acquires a reference to the protected value.
-    ///
-    /// This is safe because it requires an exclusive reference to the mutex. Therefore this method
-    /// neither panics nor does it return an error. This is in contrast to [`Mutex::get_mut`] which
-    /// returns an error if another thread panicked while holding the lock. It is not recommended
-    /// to send an exclusive reference to a potentially damaged value to another thread for further
-    /// processing.
-    ///
-    /// [`Mutex::get_mut`]: https://doc.rust-lang.org/std/sync/struct.Mutex.html#method.get_mut
-    ///
-    /// # Examples
-    ///
-    /// ```
-    /// use sync_wrapper::SyncWrapper;
-    ///
-    /// let mut mutex = SyncWrapper::new(42);
-    /// let value = mutex.get_mut();
-    /// *value = 0;
-    /// assert_eq!(*mutex.get_mut(), 0);
-    /// ```
-    pub fn get_mut(&mut self) -> &mut T {
-        &mut self.0
-    }
-
-    /// Acquires a pinned reference to the protected value.
-    ///
-    /// See [`Self::get_mut`] for why this method is safe.
-    ///
-    /// # Examples
-    ///
-    /// ```
-    /// use std::future::Future;
-    /// use std::pin::Pin;
-    /// use std::task::{Context, Poll};
-    ///
-    /// use pin_project_lite::pin_project;
-    /// use sync_wrapper::SyncWrapper;
-    ///
-    /// pin_project! {
-    ///     struct FutureWrapper<F> {
-    ///         #[pin]
-    ///         inner: SyncWrapper<F>,
-    ///     }
-    /// }
-    ///
-    /// impl<F: Future> Future for FutureWrapper<F> {
-    ///     type Output = F::Output;
-    ///
-    ///     fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
-    ///         self.project().inner.get_pin_mut().poll(cx)
-    ///     }
-    /// }
-    /// ```
-    pub fn get_pin_mut(self: Pin<&mut Self>) -> Pin<&mut T> {
-        unsafe { Pin::map_unchecked_mut(self, |this| &mut this.0) }
-    }
-
-    /// Consumes this mutex, returning the underlying data.
-    ///
-    /// This is safe because it requires ownership of the mutex, therefore this method will neither
-    /// panic nor does it return an error. This is in contrast to [`Mutex::into_inner`] which
-    /// returns an error if another thread panicked while holding the lock. It is not recommended
-    /// to send an exclusive reference to a potentially damaged value to another thread for further
-    /// processing.
-    ///
-    /// [`Mutex::into_inner`]: https://doc.rust-lang.org/std/sync/struct.Mutex.html#method.into_inner
-    ///
-    /// # Examples
-    ///
-    /// ```
-    /// use sync_wrapper::SyncWrapper;
-    ///
-    /// let mut mutex = SyncWrapper::new(42);
-    /// assert_eq!(mutex.into_inner(), 42);
-    /// ```
-    pub fn into_inner(self) -> T {
-        self.0
-    }
-}
-
-// this is safe because the only operations permitted on this data structure require exclusive
-// access or ownership
-unsafe impl<T> Sync for SyncWrapper<T> {}
-
-impl<T> Debug for SyncWrapper<T> {
-    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
-        f.pad("SyncWrapper")
-    }
-}
-
-impl<T: Default> Default for SyncWrapper<T> {
-    fn default() -> Self {
-        Self::new(T::default())
-    }
-}
-
-impl<T> From<T> for SyncWrapper<T> {
-    fn from(value: T) -> Self {
-        Self::new(value)
-    }
-}
-
-/// `Future` which is `Sync`.
-///
-/// # Examples
-///
-/// ```
-/// use sync_wrapper::{SyncWrapper, SyncFuture};
-///
-/// let fut = async { 1 };
-/// let fut = SyncFuture::new(fut);
-/// ```
-pub struct SyncFuture<F> {
-    inner: SyncWrapper<F>
-}
-impl <F: Future> SyncFuture<F> {
-    pub fn new(inner: F) -> Self {
-        Self { inner: SyncWrapper::new(inner) }
-    }
-    pub fn into_inner(self) -> F {
-        self.inner.into_inner()
-    }
-}
-impl <F: Future> Future for SyncFuture<F> {
-    type Output = F::Output;
-    fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
-        let inner = unsafe { self.map_unchecked_mut(|x| x.inner.get_mut()) };
-        inner.poll(cx)
-    }
-}
-impl<T> Debug for SyncFuture<T> {
-    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
-        f.pad("SyncFuture")
-    }
-}
-
-/// `Stream` which is `Sync`.
-///
-/// # Examples
-///
-/// ```
-/// use sync_wrapper::SyncStream;
-/// use futures::stream;
-///
-/// let st = stream::iter(vec![1]);
-/// let st = SyncStream::new(st);
-/// ```
-#[cfg(feature = "futures")]
-pub struct SyncStream<S> {
-    inner: SyncWrapper<S>
-}
-#[cfg(feature = "futures")]
-impl <S: futures_core::Stream> SyncStream<S> {
-    pub fn new(inner: S) -> Self {
-        Self { inner: SyncWrapper::new(inner) }
-    }
-    pub fn into_inner(self) -> S {
-        self.inner.into_inner()
-    }
-}
-#[cfg(feature = "futures")]
-impl <S: futures_core::Stream> futures_core::Stream for SyncStream<S> {
-    type Item = S::Item;
-    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Self::Item>> {
-        let inner = unsafe { self.map_unchecked_mut(|x| x.inner.get_mut()) };
-        inner.poll_next(cx)
-    }
-}
-#[cfg(feature = "futures")]
-impl<T> Debug for SyncStream<T> {
-    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
-        f.pad("SyncStream")
-    }
-}