From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 15 Jul 2025 16:37:08 -0600 Subject: feat: migrate from Cedar to SpiceDB authorization system This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
---
vendor/security-framework-sys/src/item.rs | 93 -------------------------------
1 file changed, 93 deletions(-)
delete mode 100644 vendor/security-framework-sys/src/item.rs
(limited to 'vendor/security-framework-sys/src/item.rs')
diff --git a/vendor/security-framework-sys/src/item.rs b/vendor/security-framework-sys/src/item.rs
deleted file mode 100644
index 5427bc99..00000000
--- a/vendor/security-framework-sys/src/item.rs
+++ /dev/null
@@ -1,93 +0,0 @@
-use core_foundation_sys::string::CFStringRef;
-
-extern "C" {
- pub static kSecClass: CFStringRef;
- pub static kSecClassInternetPassword: CFStringRef;
- pub static kSecClassGenericPassword: CFStringRef;
- pub static kSecClassCertificate: CFStringRef;
- pub static kSecClassKey: CFStringRef;
- pub static kSecClassIdentity: CFStringRef;
-
- pub static kSecMatchLimit: CFStringRef;
- pub static kSecMatchLimitAll: CFStringRef;
-
- pub static kSecMatchTrustedOnly: CFStringRef;
- pub static kSecMatchCaseInsensitive: CFStringRef;
- #[cfg(target_os = "macos")]
- pub static kSecMatchSubjectWholeString: CFStringRef;
-
- pub static kSecReturnData: CFStringRef;
- pub static kSecReturnAttributes: CFStringRef;
- pub static kSecReturnRef: CFStringRef;
- pub static kSecReturnPersistentRef: CFStringRef;
-
- pub static kSecMatchSearchList: CFStringRef;
-
- pub static kSecAttrApplicationLabel: CFStringRef;
- pub static kSecAttrKeyType: CFStringRef;
- pub static kSecAttrLabel: CFStringRef;
- pub static kSecAttrIsPermanent: CFStringRef;
- pub static kSecAttrPublicKeyHash: CFStringRef;
- pub static kSecAttrSerialNumber: CFStringRef;
- pub static kSecPrivateKeyAttrs: CFStringRef;
- pub static kSecPublicKeyAttrs: CFStringRef;
-
- pub static kSecAttrKeyClass: CFStringRef;
- pub static kSecAttrKeyClassPublic: CFStringRef;
- pub static kSecAttrKeyClassPrivate: CFStringRef;
- pub static kSecAttrKeyClassSymmetric: CFStringRef;
-
- pub static kSecUseKeychain: CFStringRef;
- #[cfg(any(feature = "OSX_10_15", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))]
- pub static kSecUseDataProtectionKeychain: CFStringRef;
- #[cfg(any(feature = "OSX_10_12", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))]
- pub static kSecAttrTokenID: CFStringRef;
- #[cfg(any(feature = "OSX_10_12", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))]
- pub static kSecAttrTokenIDSecureEnclave: CFStringRef;
- #[cfg(any(feature = "OSX_10_13", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))]
- pub static kSecUseAuthenticationContext: CFStringRef;
- #[cfg(any(feature = "OSX_10_13", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))]
- pub static kSecAttrSynchronizable: CFStringRef;
-
- pub static kSecAttrKeySizeInBits: CFStringRef;
-
- pub static kSecAttrKeyTypeECSECPrimeRandom: CFStringRef;
- pub static kSecAttrKeyTypeRSA: CFStringRef;
- #[cfg(target_os = "macos")]
- pub static kSecAttrKeyTypeDSA: CFStringRef;
- #[cfg(target_os = "macos")]
- pub static kSecAttrKeyTypeAES: CFStringRef;
- #[cfg(target_os = "macos")]
- pub static kSecAttrKeyTypeDES: CFStringRef;
- #[cfg(target_os = "macos")]
- pub static kSecAttrKeyType3DES: CFStringRef;
- #[cfg(target_os = "macos")]
- pub static kSecAttrKeyTypeRC4: CFStringRef;
- #[cfg(target_os = "macos")]
- pub static kSecAttrKeyTypeRC2: CFStringRef;
- #[cfg(target_os = "macos")]
- pub static kSecAttrKeyTypeCAST: CFStringRef;
- pub static kSecAttrKeyTypeEC: CFStringRef;
-
- pub static kSecAttrAccessGroup: CFStringRef;
- pub static kSecAttrAccessGroupToken: CFStringRef;
-
- #[cfg(any(feature = "OSX_10_12", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))]
- pub static kSecKeyKeyExchangeParameterRequestedSize: CFStringRef;
- #[cfg(any(feature = "OSX_10_12", target_os = "ios", target_os = "tvos", target_os = "watchos", target_os = "visionos"))]
- pub static kSecKeyKeyExchangeParameterSharedInfo: CFStringRef;
-
- pub static kSecAttrAuthenticationType: CFStringRef;
- pub static kSecAttrComment: CFStringRef;
- pub static kSecAttrDescription: CFStringRef;
- pub static kSecAttrPath: CFStringRef;
- pub static kSecAttrPort: CFStringRef;
- pub static kSecAttrProtocol: CFStringRef;
- pub static kSecAttrSecurityDomain: CFStringRef;
- pub static kSecAttrServer: CFStringRef;
- pub static kSecAttrService: CFStringRef;
- pub static kSecAttrAccessControl: CFStringRef;
- pub static kSecAttrAccount: CFStringRef;
- pub static kSecValueData: CFStringRef;
- pub static kSecValueRef: CFStringRef;
-}
--
cgit v1.2.3