From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Tue, 15 Jul 2025 16:37:08 -0600
Subject: feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.

Key changes:

- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
---
 vendor/security-framework-sys/src/code_signing.rs | 96 -----------------------
 1 file changed, 96 deletions(-)
 delete mode 100644 vendor/security-framework-sys/src/code_signing.rs

(limited to 'vendor/security-framework-sys/src/code_signing.rs')

diff --git a/vendor/security-framework-sys/src/code_signing.rs b/vendor/security-framework-sys/src/code_signing.rs
deleted file mode 100644
index bd4abc76..00000000
--- a/vendor/security-framework-sys/src/code_signing.rs
+++ /dev/null
@@ -1,96 +0,0 @@
-use core_foundation_sys::base::CFTypeID;
-use core_foundation_sys::base::OSStatus;
-use core_foundation_sys::dictionary::CFDictionaryRef;
-use core_foundation_sys::string::CFStringRef;
-use core_foundation_sys::url::CFURLRef;
-
-pub enum OpaqueSecRequirementRef {}
-pub type SecRequirementRef = *mut OpaqueSecRequirementRef;
-
-pub enum OpaqueSecCodeRef {}
-pub type SecCodeRef = *mut OpaqueSecCodeRef;
-
-pub enum OpaqueSecStaticCodeRef {}
-pub type SecStaticCodeRef = *mut OpaqueSecStaticCodeRef;
-
-pub type SecCSFlags = u32;
-pub const kSecCSCheckAllArchitectures: SecCSFlags = 1 << 0;
-pub const kSecCSDoNotValidateExecutable: SecCSFlags = 1 << 1;
-pub const kSecCSDoNotValidateResources: SecCSFlags = 1 << 2;
-pub const kSecCSBasicValidateOnly: SecCSFlags =
-    kSecCSDoNotValidateExecutable | kSecCSDoNotValidateResources;
-pub const kSecCSCheckNestedCode: SecCSFlags = 1 << 3;
-pub const kSecCSStrictValidate: SecCSFlags = 1 << 4;
-pub const kSecCSFullReport: SecCSFlags = 1 << 5;
-pub const kSecCSCheckGatekeeperArchitectures: SecCSFlags = (1 << 6) | kSecCSCheckAllArchitectures;
-pub const kSecCSRestrictSymlinks: SecCSFlags = 1 << 7;
-pub const kSecCSRestrictToAppLike: SecCSFlags = 1 << 8;
-pub const kSecCSRestrictSidebandData: SecCSFlags = 1 << 9;
-pub const kSecCSUseSoftwareSigningCert: SecCSFlags = 1 << 10;
-pub const kSecCSValidatePEH: SecCSFlags = 1 << 11;
-pub const kSecCSSingleThreaded: SecCSFlags = 1 << 12;
-// 13 - 15 are unused
-// This is only available in macOS 11.3:
-// pub const kSecCSAllowNetworkAccess: SecCSFlags = 1 << 16;
-// 17 - 25 are unused
-pub const kSecCSQuickCheck: SecCSFlags = 1 << 26;
-pub const kSecCSCheckTrustedAnchors: SecCSFlags = 1 << 27;
-pub const kSecCSReportProgress: SecCSFlags = 1 << 28;
-pub const kSecCSNoNetworkAccess: SecCSFlags = 1 << 29;
-pub const kSecCSEnforceRevocationChecks: SecCSFlags = 1 << 30;
-pub const kSecCSConsiderExpiration: SecCSFlags = 1 << 31;
-
-extern "C" {
-    pub static kSecGuestAttributeArchitecture: CFStringRef;
-    pub static kSecGuestAttributeAudit: CFStringRef;
-    pub static kSecGuestAttributeCanonical: CFStringRef;
-    pub static kSecGuestAttributeDynamicCode: CFStringRef;
-    pub static kSecGuestAttributeDynamicCodeInfoPlist: CFStringRef;
-    pub static kSecGuestAttributeHash: CFStringRef;
-    pub static kSecGuestAttributeMachPort: CFStringRef;
-    pub static kSecGuestAttributePid: CFStringRef;
-    pub static kSecGuestAttributeSubarchitecture: CFStringRef;
-
-    pub fn SecCodeGetTypeID() -> CFTypeID;
-    pub fn SecStaticCodeGetTypeID() -> CFTypeID;
-    pub fn SecRequirementGetTypeID() -> CFTypeID;
-
-    pub fn SecCodeCheckValidity(
-        code: SecCodeRef,
-        flags: SecCSFlags,
-        requirement: SecRequirementRef,
-    ) -> OSStatus;
-
-    pub fn SecCodeCopyGuestWithAttributes(
-        host: SecCodeRef,
-        attrs: CFDictionaryRef,
-        flags: SecCSFlags,
-        guest: *mut SecCodeRef,
-    ) -> OSStatus;
-
-    pub fn SecCodeCopyPath(
-        code: SecStaticCodeRef,
-        flags: SecCSFlags,
-        path: *mut CFURLRef,
-    ) -> OSStatus;
-
-    pub fn SecCodeCopySelf(flags: SecCSFlags, out: *mut SecCodeRef) -> OSStatus;
-
-    pub fn SecRequirementCreateWithString(
-        text: CFStringRef,
-        flags: SecCSFlags,
-        requirement: *mut SecRequirementRef,
-    ) -> OSStatus;
-
-    pub fn SecStaticCodeCheckValidity(
-        code: SecStaticCodeRef,
-        flags: SecCSFlags,
-        requirement: SecRequirementRef,
-    ) -> OSStatus;
-
-    pub fn SecStaticCodeCreateWithPath(
-        path: CFURLRef,
-        flags: SecCSFlags,
-        code: *mut SecStaticCodeRef,
-    ) -> OSStatus;
-}
-- 
cgit v1.2.3