ZedTokens: SpiceDBAuthorizer cleanup

[geropl]

Description

Follow-up for: #18893

This PR:

1. split the EnhancedLogContext as suggested here
2. Cleanup of the SpiceDbAuthorizer API/bindings as suggested here
3. Passes ZedTokens to readPermissions calls as well (turns out we are calling them more often then expected)

Summary generated by Copilot

🤖 Generated by Copilot at dcd42e3

Refactor the server component to use SpiceDB for authorization and simplify the log context module. Add TypeScript bindings and code generation for SpiceDB protobuf files.

Related Issue(s)

Fixes #

How to test

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

• 🏷️ Name - gpl-738-zedtokens-4
• 🔗 URL - gpl-738-zedtokens-4.preview.gitpod-dev.com/workspaces.
• 📚 Documentation - See our internal documentation for information on how to interact with your preview environment.
• 📦 Version - gpl-738-zedtokens-4-gha.18348
• 🗒️ Logs - GCP Logs Explorer

Build Options

Build

• /werft with-werft
  Run the build with werft instead of GHA
• leeway-no-cache
• /werft no-test
  Run Leeway with --dont-test

Publish

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer

• analytics=segment
• with-dedicated-emulation
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment / Integration Tests

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
• with-monitoring

/hold

[svenefftinge]

I would always expect a token on successful writes. Did you see cases where no writtenAt was returned?

[geropl]

The API gives no guarantee, so I decided to not assume things. 🤷

[svenefftinge]

I doubt it happens, but let's at least log a warning in those cases

[svenefftinge]

is that not an error case?

[geropl]

Yes, this is a technical error. But it would not break in a user-facing way - except we got a bunch of these, which we need to detect via metrics+alerts.

I think we need to decide (and document) how we see log levels being used, because I heart people (over time) argue for very different perspectives. 👍

[svenefftinge]

Probably similar case to the above. I think we should at least log an error

[svenefftinge]

I don't think there's a need for an interface

[geropl]

I did not touch the code here yet. Let's do the rollout first.

[svenefftinge]

none of these methods need to be async

[svenefftinge]

Also let's remove the unused arguments. We can introduce them when we need them

[geropl]

I'd rather go with the current version and get data. 🙂 Removal is very quick.

[svenefftinge]

I thought the reason for this PR is clean up?

[svenefftinge]

wouldn't it be enough to just pass in a single token and only set it if it is greater than the existing one?

[geropl]

We get a bunch of tokens in some cases. As mentioned above, happy to remove all of this once we decided the current implementation is sufficient.

[svenefftinge]

only because you want to update them per resource which we currently don't do/need

[svenefftinge]

nit: I would pass in the zedtoken and move this method to the authorizer. it seems unrelated to the caching aspect.

[geropl]

For this cache implementation: Yes. For others definitely not. Again, happy to remove/fold in if we don't need that stuff. 🤞

[svenefftinge]

Looks good!

(minus the comments regarding the token cache, which we can tackle in a follow up)

[geropl]

/unhold