Remove nanoTDF documentation (#173)

Remove all nanoTDF references from public documentation and code samples
as the feature is being made proprietary.

## Changes
- Removed KAS NanoTDF rewrap section and diagram from Key Access
documentation
- Deleted NanoTDF code samples (Java collection examples, TDF encryption
example)
- Removed NanoTDF feature matrix entries and constraints in base key
documentation
- Updated OpenAPI spec descriptions to remove nanoTDF-specific language
- Updated build configuration to stop generating nanoTDF specification
pages

## Note
OpenAPI specs in `/specs` are vendored from upstream. Local
modifications will be overwritten when running `npm run
update-vendored-yaml`. The upstream opentdf/platform repository should
be updated separately.

Author: strantalis

code_samples/java/decrypt-collection-example.mdx

@@ -58,7 +58,6 @@ Feature matrix for the different SDK versions.
 |                            |          |          |            |
 | **Encrypt/Decrypt**[^103]  | Stable   | Stable   | Stable     |
 | - ZTDF[^110]               | Stable   | Stable   | Stable     |
-| - NanoTDF[^111]            | Stable   | Stable   | Stable     |
 | - ABAC[^112]               | Stable   | Stable   | Stable     |
 | - Key Access Grants[^140]  | Stable   | Stable   | Stable     |
 |                            |          |          |            |
@@ -71,7 +70,6 @@ Feature matrix for the different SDK versions.
 [^103]: Encrypt is the ability to encrypt data.
 [^105]: Service APIs are APIs that are provided by the library to interact with the service.
 [^110]: Support for the [Zero Trust Data Format](https://github.com/opentdf/spec/tree/main/schema/tdf) utilizing JSON manifests and assertation.
-[^111]: Support for the [Nano Trusted Data Format](https://github.com/opentdf/spec/tree/main/schema/nanotdf).
 [^112]: ABAC is Attribute Based Access Control.
 [^113]: Dissem is Dissemination List (i.e., email lists).
 [^120]: Authorization APIs for managing authorization policies.

code_samples/java/encrypt-collection-example.mdx

@@ -77,60 +77,3 @@ At this point, the client is ready to make the rewrap request. The following is
     ```
 
 6. If the policy is valid and untampered, KAS calls the [Authorization Service](./authorization) to confirm whether the entity is allowed access to the TDF. If authorized, KAS rewraps the symmetric key with the client's public key and returns the newly wrapped key for the client to use in decrypting the TDF.
-
-### NanoTDF
-
-<img src="/img/kas_nano_flow.svg" alt="KAS NanoTDF Rewrap"/>
-
-NanoTDF leverages the same KAS Rewrap Endpoint but the request body differs slightly from a TDF Rewrap call. 
-
-1. The client extracts the NanoTDF [Header](/spec/schema/nanotdf#331-header) and from that Header extracts the KAS URL.
-
-2. The client generates an ephemeral asymmetric key pair, used to wrap the shared secret originally generated on NanoTDF creation.
-
-3. Because NanoTDF doesn't have the concept of a Key Access Object the client builds one. The Key Access Object is then used to help build a `RequestBody`: 
-
-  ```json title="Key Access"
-   {
-    "header": "<nanotdf header>",
-    "type": "remote",
-    "url": "https://kas.opentdf.io",
-    "protocol": "kas"
-    }
-  ```
-
-  ```json title="Request Body"
-    {
-      "requestBody": {
-        "algorithm": "ec:secp256r1",
-        "keyAccess": "<key access>",
-        "clientPublicKey": "<client public key>"
-      }
-    }
-  ```
-
-4. With this `RequestBody`, the client creates a Signed Request Token, which is a JWT signed with the client's DPoP public key or Ephemeral Key Pair
-
-    :::note
-    "Demonstration of Proof of Possession" is currently optional due to inconsistencies across identity providers.
-    :::
-
-    ```json title="Body of JWT"
-    {
-      "requestBody": "<RequestBody>"
-    }
-    ```
-
-  At this point, the client is ready to make the rewrap request. The following is an example request body. 
-
-    ```json title="Signed Request Token"
-    {
-      "signedRequestToken": "<The JWT>"
-    }
-    ```
-
-1. KAS extracts the encrypted policy in the NanoTDF [Header](/spec/schema/nanotdf#331-header) and verifies the policy binding. 
-  - If ECDSA Binding is enabled KAS will verify the use ECDSA to verify the signature otherwise it defaults to comparing the `GMAC`
-
-2. If the policy is valid and untampered, KAS calls the [Authorization Service](./authorization) to confirm whether the entity is allowed access to the NanoTDF. If authorized, KAS generates a new shared key with the clients ephemeral public key and uses `AES-GCM` to encrypt the shared secret used to encrypt the NanoTDF payload.
-

code_samples/tdf/encryption_nanotdf.mdx

@@ -23,8 +23,6 @@ When using the [kas-registry proto](https://github.com/opentdf/platform/blob/522
    1. The passed in kas information list
    2. The key algorithm
 2. If a base key is not present, the SDK will fallback to using the passed in kas information list and key algorithm.
-3. If the base key is not of type ECC, it **cannot** be used with NanoTDF.
-   1. If the registered base key is not of type ECC, the SDK will fallback to using the passed in kas url and key type.
 
 :::note
 In upcoming versions of the SDK, post v0.5.0, the SDK will prefer to error when no base key is set; instead of falling back.

docs/appendix/matrix.mdx

@@ -544,20 +544,14 @@ Now that we have a few basic resources in place we can show you how to control a
 
 ### Encrypt Data Without Attributes
 
-Within the `otdfctl` CLI there is basic functionality to interact with `zTDF` and `nanoTDF`.
+Within the `otdfctl` CLI there is basic functionality to interact with `zTDF`.
 
 #### Example zTDF encryption
 
 ```shell
 echo 'my first encrypted tdf' | otdfctl encrypt --profile platform-otdf-local -o example.tdf --tdf-type tdf3
 ```
 
-#### Example nanoTDF encryption
-
-```shell
-echo 'my first encrypted nano tdf' | otdfctl encrypt --profile platform-otdf-local -o example.nano.tdf --tdf-type nano
-```
-
 ### Decrypt Data Without Attributes
 
 Because we didn't add any attributes to the data we encrypted, we should be able to decrypt the data without any issues.
@@ -571,21 +565,12 @@ otdfctl decrypt --profile platform-otdf-local --tdf-type tdf3 example.tdf
 my first encrypted tdf
 ```
 
-```shell
-otdfctl decrypt --profile platform-otdf-local --tdf-type nano example.nano.tdf
-```
-
-```shell
-# Output
-my first encrypted nano tdf
-```
-
 ### Encrypt Data With Attributes
 
 In this example we will encrypt the data with the attribute `https://opentdf.io/attr/role/value/guest`. First cleanup any existing tdf files from before.
 
 ```shell
-rm example.tdf example.nano.tdf
+rm example.tdf
 ```
 
 #### Example zTDF encryption with attributes
@@ -594,12 +579,6 @@ rm example.tdf example.nano.tdf
 echo 'my first encrypted tdf' | otdfctl encrypt --profile platform-otdf-local -o example.tdf --tdf-type tdf3 --attr https://opentdf.io/attr/role/value/guest
 ```
 
-#### Example nanoTDF encryption with attributes
-
-```shell
-echo 'my first encrypted nano tdf' | otdfctl encrypt --profile platform-otdf-local -o example.nano.tdf --tdf-type nano --attr https://opentdf.io/attr/role/value/guest
-```
-
 ### Decrypt Data With Attributes
 
 In this first example we will try to decrypt the data but it will fail because we shouldn't be assigned the entitlement of `https://opentdf.io/attr/role/value/guest` at this point.
@@ -616,17 +595,6 @@ ERROR    Failed to decrypt file: reader.WriteTo failed: doPayloadKeyUnwrap split
             rpc error: code = PermissionDenied desc = forbidden
 ```
 
-#### Example nanoTDF failed decryption
-
-```shell
-otdfctl decrypt --profile platform-otdf-local --tdf-type nano example.nano.tdf
-```
-
-```shell
-ERROR    Failed to decrypt file: readSeeker.Seek failed: error making request to kas: error making rewrap request: rpc error: code = PermissionDenied desc = request error
-            rpc error: code = PermissionDenied desc = forbidden
-```
-
 What we have to do now is assign the entitlement of `https://opentdf.io/attr/role/value/guest` to the entity by creating a new subject mapping for the condition set we created earlier.
 
 #### Create a new subject mapping
@@ -665,17 +633,6 @@ otdfctl decrypt --profile platform-otdf-local --tdf-type tdf3 example.tdf
 my first encrypted tdf
 ```
 
-#### Example nanoTDF successful decryption
-
-```shell
-otdfctl decrypt --profile platform-otdf-local --tdf-type nano example.nano.tdf
-```
-
-```shell
-# Output
-my first encrypted nano tdf
-```
-
 ## Takeaways and Next Steps
 
 In this document you have learned how to create a namespace, attribute, subject mapping, and encrypt/decrypt data with the **OpenTDF Platform**.