Palisade

Trust-boundary defense primitives for Elixir web apps.

Apache-2.0 licensed. Originally extracted from CarverAutomation's CRM + ServiceRadar codebases, which kept drifting verbatim copies of the same SSRF / OIDC / SAML hardening modules. Palisade is the canonical home.

Scope

Palisade currently provides:

• Palisade.NetworkAddressPolicy — rejects loopback, link-local, and private-CIDR network addresses (IPv4 + IPv6). DNS-resolution aware (defeats DNS rebinding).
• Palisade.OutboundURLPolicy — HTTPS-only, public-host URL validator. Used wherever app code follows an admin-supplied URL (SAML IdP metadata, OIDC discovery, webhook callbacks).
• Palisade.OutboundFetch — HTTP fetch helper that binds requests to the resolved IP OutboundURLPolicy approved. TLS hostname verification + the Host: header stay tied to the original hostname.

Planned for next versions:

• Palisade.OIDC.Client — OIDC discovery + JWKS + ID-token verify with proper nonce / iss / aud / exp validation.
• Palisade.OIDC.ConfigCache — ETS-backed cache for OIDC discovery + JWKS payloads.
• Palisade.SAML.CertTrust / Palisade.SAML.AssertionValidator / Palisade.SAML.XML — SAML primitives.

Installation

Add palisade to your list of dependencies in mix.exs:

def deps do
  [
    {:palisade, "~> 0.1"}
  ]
end

Where the source lives

Palisade's source lives inside ServiceRadar's monorepo at elixir/palisade/. ServiceRadar's other Elixir apps consume it via the standard sibling-path dep:

# in e.g. elixir/serviceradar_core/mix.exs
{:palisade, path: "../palisade"}

External consumers pull from hex.pm.

Versioning + publishing

Tag-based. From the ServiceRadar repo root:

git tag palisade-v0.x.y
git push --tags

ServiceRadar CI watches for palisade-v* tags and runs mix hex.publish package --yes from elixir/palisade/. The publish step needs HEX_API_KEY set as a CI secret with publish scope on hex.pm.

Why not Bazel?

Palisade is a small single-language Elixir library. Consumers call mix compile on it directly when they pull it in as a hex dep — Bazel never enters the picture. CI runs mix format / compile / test / credo and is done.

Development

cd elixir/palisade
mix deps.get
mix test
mix credo --strict
mix format --check-formatted