extract palisade — shared trust-boundary primitives #3277

Merged

mfreeman451 merged 2 commits from carverauto/extract-palisade into staging 2026-05-12 17:49:15 +00:00

Conversation 0 Commits 2 Files changed 15 +1424

mfreeman451 commented 2026-05-12 15:56:10 +00:00

Owner

Copy link

Summary

Extracts shared trust-boundary primitives into a new
`elixir/palisade/` sub-project, plus wires the CI quality gate
and a publish-on-tag workflow.

What lands

`elixir/palisade/` — new sub-project

Apache-2.0 licensed. Houses the modules that CRM and
ServiceRadar previously kept as drifting verbatim copies:

• `Palisade.NetworkAddressPolicy` — IPv4/IPv6 CIDR rejection
  (loopback, link-local, ULA, private). DNS-resolution-aware
  (defeats DNS rebinding).
• `Palisade.OutboundURLPolicy` — HTTPS-only + public-host
  validator.
• `Palisade.OutboundFetch` — HTTP fetch helper binding to the
  resolved IP, with TLS hostname verification + Host: header
  on the original hostname.

36 ExUnit cases ported (with module renames) from the previous
`serviceradar_core/lib/serviceradar/policies/` test surface +
the `web-ng`'s `outbound_fetch.ex` test.

CI

• `.forgejo/workflows/elixir-quality.yml` — palisade joins the
  existing matrix-driven Elixir Quality gate (format / compile
  / test / credo on every PR + push).
• `.forgejo/workflows/palisade-publish.yml` — new workflow on
  `palisade-v*` tag pushes. Verifies tag matches `@version`,
  runs the quality gate, then `mix hex.publish package --repo
  carverauto --yes` against https://hex.carverauto.dev.
  Requires `HEX_API_KEY` secret on the runner.

Consumer model

• ServiceRadar's own Elixir apps (web-ng, serviceradar_core,
  etc.) will consume via `{:palisade, path: "../palisade"}` —
  same sibling-path pattern already used for serviceradar_srql,
  connection, elixir_uuid.
• External consumers (CRM is the first) consume via the
  public CarverAutomation hex registry:
  `{:palisade, "~> 0.1", repo: "carverauto"}` after
  `mix hex.repo add carverauto https://hex.carverauto.dev`.

Out of scope (separate tracks)

• Future palisade versions porting the OIDC client + ConfigCache
  • SAML primitives from `web-ng/lib/.../auth/`.
• ServiceRadar's own apps swapping their local copies in
  `serviceradar_core/lib/serviceradar/policies/` and
  `web-ng/lib/.../auth/{outbound_fetch,outbound_url_policy}.ex`
  for the new package. Filed as a follow-up issue.

Test plan

• palisade `mix format / compile --warnings-as-errors / test`
  under the matrix gate (will run on this PR).
• palisade-publish.yml syntactically valid (lints in the
  workflow editor).
• hex.carverauto.dev: bring registry online + set
  HEX_API_KEY secret (in-flight in a separate session).
• Once the registry is up: cut `palisade-v0.1.0` tag, watch
  publish workflow, verify CRM PR #179's
  `{:palisade, "~> 0.1", repo: "carverauto"}` resolves.

## Summary Extracts shared trust-boundary primitives into a new \`elixir/palisade/\` sub-project, plus wires the CI quality gate and a publish-on-tag workflow. ## What lands ### \`elixir/palisade/\` — new sub-project Apache-2.0 licensed. Houses the modules that CRM and ServiceRadar previously kept as drifting verbatim copies: - \`Palisade.NetworkAddressPolicy\` — IPv4/IPv6 CIDR rejection (loopback, link-local, ULA, private). DNS-resolution-aware (defeats DNS rebinding). - \`Palisade.OutboundURLPolicy\` — HTTPS-only + public-host validator. - \`Palisade.OutboundFetch\` — HTTP fetch helper binding to the resolved IP, with TLS hostname verification + Host: header on the original hostname. 36 ExUnit cases ported (with module renames) from the previous \`serviceradar_core/lib/serviceradar/policies/\` test surface + the \`web-ng\`'s \`outbound_fetch.ex\` test. ### CI - \`.forgejo/workflows/elixir-quality.yml\` — palisade joins the existing matrix-driven Elixir Quality gate (format / compile / test / credo on every PR + push). - \`.forgejo/workflows/palisade-publish.yml\` — new workflow on \`palisade-v*\` tag pushes. Verifies tag matches \`@version\`, runs the quality gate, then \`mix hex.publish package --repo carverauto --yes\` against https://hex.carverauto.dev. Requires \`HEX_API_KEY\` secret on the runner. ## Consumer model - **ServiceRadar's own Elixir apps** (web-ng, serviceradar_core, etc.) will consume via \`{:palisade, path: \"../palisade\"}\` — same sibling-path pattern already used for serviceradar_srql, connection, elixir_uuid. - **External consumers** (CRM is the first) consume via the public CarverAutomation hex registry: \`{:palisade, \"~> 0.1\", repo: \"carverauto\"}\` after \`mix hex.repo add carverauto https://hex.carverauto.dev\`. ## Out of scope (separate tracks) - Future palisade versions porting the OIDC client + ConfigCache + SAML primitives from \`web-ng/lib/.../auth/\`. - ServiceRadar's own apps swapping their local copies in \`serviceradar_core/lib/serviceradar/policies/\` and \`web-ng/lib/.../auth/{outbound_fetch,outbound_url_policy}.ex\` for the new package. Filed as a follow-up issue. ## Test plan - [x] palisade \`mix format / compile --warnings-as-errors / test\` under the matrix gate (will run on this PR). - [x] palisade-publish.yml syntactically valid (lints in the workflow editor). - [ ] hex.carverauto.dev: bring registry online + set HEX_API_KEY secret (in-flight in a separate session). - [ ] Once the registry is up: cut \`palisade-v0.1.0\` tag, watch publish workflow, verify CRM PR #179's \`{:palisade, "~> 0.1", repo: "carverauto"}\` resolves.

mfreeman451 added 130 commits 2026-05-12 15:56:10 +00:00

spec: start agent-routed remote access integration 3797cab806

agent: add remote access session manager scaffold ff2d9bfea3

spec: clarify teleport dependency license gate 20c8951968

spec: expand remote access to teleport parity 811048eafc

spec: add teleport license gate inventory 6b11fb7d8e

agent: route proxmox console through remote access manager 8554799ede

spec: close remote access design checklist 840b832b2f

agent: add clean-room remote access ssh pty f02c2d145d

agent: decode remote access ssh open frames 7380f2dbdc

agent: route ssh sessions over console frame tunnel 45e529ae57

agent: wire remote access ssh credentials file 8614f8ef83

edge: add generic remote access broker bee8aa3546

remote-access: reject generic agent-local ssh secrets 3af43a45f3

remote-access: support ssh user certificates 74d9472e95

remote-access: add ssh ca signing primitive 738e88bf11

remote-access: add ssh certificate policy boundary d754048672

remote-access: accept ssh certificate credential mode e3cedf9bef

remote-access: add ssh certificate issuer boundary 2286122d58

remote-access: include ssh username in certificate envelope 6bd91a8471

remote-access: merge ssh certificate envelopes 72138dfc4d

remote-access: bind ssh certs to agent scope 1529b03a10

remote-access: add ssh ca signer command ec543c3572

remote-access: add ssh ca command signer 08bd8b4a58

remote-access: map idp claims to ssh principals 3a0dbd4f15

remote-access: add ssh session credential grant fe02af42dd

remote-access: allow configured ssh ca signer 00401f0641

remote-access: add user-present ssh grants dffda8296c

remote-access: include targets in ssh grants 557327bf5e

remote-access: verify ssh certificate grant scoping 0981453a1b

remote-access: require session agent frame ownership 20d77b4404

remote-access: guard console channel ticket echoes e8a5fca8e6

remote-access: issue ssh certs from sso identity 69cc88fe8c

remote-access: prove ssh ca with openssh eeaebb0634

remote-access: audit ssh certificate issuance 039e91dd6c

remote-access: audit generic session broker cd91f29321

remote-access: add sso certificate grant 07a273feb7

remote-access: bind ssh open payload scope 56a81f91cb

remote-access: bind agent metadata in console wrapper 030e459949

remote-access: prove agent ssh certificate adapter eabb4d072f

remote-access: validate ssh certificate key binding 1d879c179f

remote-access: add generic session resource 9ef2531770

remote-access: bind broker lifecycle to sessions 3b836f6d3c

remote-access: add generic session api 0a6644a594

remote-access: add generic stream endpoint cdb04fd7df

remote-access: extract generic terminal renderer e26fb2aa34

remote-access: require approval for brokered sessions bdafe9a82c

remote-access: add browser ssh credential UI 25a155cc47

remote-access: add recording manifests 8794bb796f

remote-access: add enhanced recording gate 0ffd9a8a34

remote-access: gate enhanced recording capability efb223f4c1

remote-access: add protocol adapter registry 3a370aea3e

remote-access: test enhanced recording fail closed 37b684df72

remote-access: wire oidc ssh cert attach f368875d32

remote-access: add demo ssh smoke f0aa03835b

remote-access: add authentik ssh cert smoke 401fd998d3

remote-access: add linux enhanced recording fallback c49c1e098e

remote-access: propose ebpf enhanced recording 3f88e2d6f7

remote-access: plan shared agent ebpf runtime 682b1c309c

remote-access: document ebpf dependency review 4a2d97a940

remote-access: require shared ebpf runtime 4c4a1df618

remote-access: define ebpf runtime ownership 232f6cdfae

remote-access: define ebpf session scoping 76c91d954b

remote-access: record teleport bpf provenance 5bc0db170d

remote-access: document ebpf ops profile b374083c0a

remote-access: complete ebpf runtime review 6e782f0ba1

remote-access: sequence ebpf implementation 9876470426

remote-access: add shared ebpf runtime shell 4d7ea15889

remote-access: add ebpf probe generation workflow 7843a8ffdb

remote-access: add generic ebpf collection loader c54ee72df8

remote-access: add ebpf command event normalization 1345ef678a

remote-access: add ebpf file event normalization d83c3c7b16

remote-access: add ebpf network event normalization b54868fb7e

remote-access: add ebpf loss accounting 29e9dc6894

remote-access: stop enhanced recording on session cancellation 32657be795

helm: add explicit agent ebpf profile fa5180a085

remote-access: gate bpf capability on runtime self-test 2ef3cb90cb

remote-access: cover bpf fallback policy gates 1f9e278c39

remote-access: harden enhanced event redaction 76828abe14

remote-access: require managed boundary for ssh bpf 47a67b74a0

remote-access: add ebpf validation smoke checks b3779ce016

remote-access: mark ebpf linux validation complete 2e90af28e6

remote-access: align ssh certificate custody audit c5714e320c

remote-access: bind ssh certificates to session target 48c0fecf16

remote-access: make ssh host key policy explicit c2fc05576e

remote-access: add ssh known hosts verification 7001675ef0

remote-access: persist ssh known hosts by default 554a31f60a

remote-access: clarify browser key digest label 051e79f3cb

remote-access: gate remembered browser keys e0116b6fa4

remote-access: expose ssh certificate mode in console 3794e3c417

remote-access: isolate remembered keys to user-present mode 87b54e9a53

remote-access: strip client ssh policy metadata 61b77494e2

remote-access: add trusted ssh cert policy config 90ee640eb4

remote-access: wire ssh ca signer runtime config 41fb63f88e

remote-access: require ssh cert principal policy bcb86be3da

remote-access: gate ssh host key skip verify 6777065947

remote-access: require approval verification 0d23e0d866

remote-access: bind custody modes to protocol c86bea84f5

remote-access: gate browser target overrides 3455597dae

remote-access: restrict public api to ssh 5fde24811b

remote-access: gate ssh target port overrides 7d1d85d407

remote-access: reject browser route selection 537d4d03f2

remote-access: strip credential metadata at api 0e9008dec5

remote-access: validate ssh target port override 4ff0200612

remote-access: validate terminal dimensions 8e0397d1fa

remote-access: reject browser recording policy 483378f962

remote-access: reject browser credential rules 52890bb6b7

remote-access: bound stream terminal dimensions f9afd391a3

remote-access: validate attach credential envelope 735a4461d5

remote-access: bound stream data frames 5c83a02c60

remote-access: bound proxmox stream frames c7d74af050

remote-access: validate agent frame bounds 35a5a768dc

remote-access: bound agent open and output frames bd89be07f1

remote-access: bound ssh adapter inputs 37a38dab4d

remote-access: bound proxmox ssh config e5234563a4

remote-access: bound ssh certificate issuance 616d56695c

remote-access: bound ssh principal mapping 26d2301b19

Merge remote-tracking branch 'origin/staging' into codex/teleport-agent-routed-remote-access ... a332ed7b97

# Conflicts:
#	elixir/web-ng/assets/component/index.js
#	elixir/web-ng/assets/js/hooks/index.js
#	elixir/web-ng/lib/serviceradar_web_ng_web/components/react_components.ex
#	elixir/web-ng/lib/serviceradar_web_ng_web/live/device_live/show.ex
#	elixir/web-ng/test/phoenix/channels/proxmox_console_stream_handler_test.exs
#	go/pkg/agent/control_stream.go
#	go/pkg/agent/push_loop.go
#	openspec/changes/add-secure-agent-routed-remote-access/design.md
#	openspec/changes/add-secure-agent-routed-remote-access/proposal.md
#	openspec/changes/add-secure-agent-routed-remote-access/specs/agent-connectivity/spec.md
#	openspec/changes/add-secure-agent-routed-remote-access/specs/edge-architecture/spec.md
#	openspec/changes/add-secure-agent-routed-remote-access/tasks.md

remote-access: harden teleport license scans 962e0e40a7

remote-access: remove agent-local console credentials 99fa5793a4

remote-access: require session-owned broker frames a5204684e8

remote-access: require registered agent frame ownership cf07d1dc8c

remote-access: keep ssh grants in memory db8e7e7c65

remote-access: require brokered grants for central custody a4f6966fc9

remote-access: keep central custody policy owned 7b4657a9a0

spec: track teleport parity hardening d01e15fdd1

remote-access: require trusted brokered credential rules 55e51a751c

remote-access: resolve scoped central grants 8f405441f4

remote-access: share ssh host key policy 78903fe186

build: fix local darwin bazel tests 8e6fbbf020

extract palisade — shared trust-boundary primitives for Elixir ... 5c810564af

New `elixir/palisade/` sub-project housing the boundary-defense
modules that CRM and ServiceRadar previously kept as drifting
verbatim copies:

  Palisade.NetworkAddressPolicy
  Palisade.OutboundURLPolicy
  Palisade.OutboundFetch

Apache-2.0 licensed. ServiceRadar-internal consumers (web-ng,
serviceradar_core, etc.) consume via the standard sibling-path
dep:

    {:palisade, path: "../palisade"}

External consumers (CRM, and anyone else who wants the modules)
pull from the public CarverAutomation hex registry at
https://hex.carverauto.dev. Add the registry once per machine /
CI runner:

    mix hex.repo add carverauto https://hex.carverauto.dev

then declare the dep:

    {:palisade, "~> 0.1", repo: "carverauto"}

CI

  .forgejo/workflows/elixir-quality.yml — palisade joins the
    existing matrix-driven Elixir Quality gate (format / compile
    / test / credo on every PR + push).

  .forgejo/workflows/palisade-publish.yml — new workflow that
    fires on `palisade-vX.Y.Z` tag pushes:
      1. Verifies the tag version matches mix.exs @version
      2. Runs the full quality gate one more time
      3. `mix hex.publish package --repo carverauto --yes`
    Requires HEX_API_KEY secret on the runner with publish scope
    against hex.carverauto.dev.

Versioning

  Tag from repo root: `git tag palisade-v0.x.y && git push --tags`.
  Bump consumers' `~> 0.x` pin to pick up the new release.

Tests

  36 ExUnit cases ported (with module renames) from the previous
  serviceradar/policies test surface + the web-ng outbound_fetch
  test. Covers scheme rejection (https-only, case-insensitive),
  IPv4 + IPv6 private/loopback/link-local blocks, hostname
  blocks (localhost, *.local, case-insensitive), public IPv4
  acceptance, URL rewriting to resolved IP with original-host
  SNI / Host: header, IPv6 inet6 transport flag, conservative
  req_opts.

Out of scope (next palisade versions, tracked separately)

  - Palisade.OIDC.Client — discovery + JWKS + ID-token verify
    with proper nonce / iss / aud / exp validation.
  - Palisade.OIDC.ConfigCache — ETS-backed cache for OIDC
    discovery + JWKS payloads.
  - Palisade.SAML.{CertTrust, AssertionValidator, XML} — SAML
    primitives.
  - ServiceRadar consumers swapping their local copies in
    serviceradar_core/lib/serviceradar/policies/ and
    web-ng/lib/.../auth/{outbound_fetch,outbound_url_policy}.ex
    for the new package. Filed as a follow-up issue.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

mfreeman451 referenced this pull request 2026-05-12 15:56:58 +00:00

Swap ServiceRadar's local policy copies for the palisade package #3278

mfreeman451 added 1 commit 2026-05-12 17:41:15 +00:00

chore(palisade): publish to hex.pm instead of mini_repo ... 51f42c2a3b

Palisade is Apache-2.0 OSS — hex.pm is the canonical Elixir
registry. mini_repo's API isn't hex.pm-compatible
(POST /api/repos/:repo/publish vs hex_core's
POST /api/repos/:repo/packages/:name/releases), so vanilla
`mix hex.publish` doesn't work with it. Going to public hex.pm
eliminates the registry-side complexity for an OSS package.

The mini_repo at hex.carverauto.dev stays useful for any
future actually-internal packages; it just isn't the right
home for palisade.

palisade v0.1.0 is live at
https://hex.pm/packages/palisade/0.1.0.

Changes
  .forgejo/workflows/palisade-publish.yml — target hex.pm
    instead of hex.carverauto.dev. Env var name follows the
    hex convention (HEX_API_KEY); generate the publish key on
    hex.pm and set as a Forgejo secret. Drops the carverauto-
    specific `--organization` / api_url plumbing.
  elixir/palisade/README.md — drop the private-registry
    framing; reference hex.pm + the standard install pattern.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

mfreeman451 force-pushed carverauto/extract-palisade from 51f42c2a3b to f9fb3c25ab 2026-05-12 17:48:58 +00:00 Compare

mfreeman451 merged commit cbe9c56efb into staging 2026-05-12 17:49:15 +00:00

mfreeman451 referenced this pull request from a commit 2026-05-12 17:49:17 +00:00

Merge pull request 'extract palisade — shared trust-boundary primitives' (#3277) from carverauto/extract-palisade into staging

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

1week

  

2weeks

  

Failed compliance check

  

IP cameras

  

NATS

NATS JetStream

  

Possible security concern

  

Review effort 1/5

  

Review effort 2/5

  

Review effort 3/5

  

Review effort 4/5

  

Review effort 5/5

  

UI

  

aardvark

  

accessibility

  

amd64

  

api

  

arm64

  

auth

  

back-end

  

bgp

  

blog

  

bug

Something isn't working

  

build

  

checkers

  

ci-cd

continuous integration-continuous deployments

  

cleanup

  

cnpg

cloud-native postgres

  

codex

  

core

core service

  

dependencies

Pull requests that update a dependency file

  

device-management

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

dusk

  

ebpf

  

enhancement

New feature or request

  

eta 1d

  

eta 1hr

  

eta 3d

  

eta 3hr

  

feature

  

fieldsurvey

  

github_actions

Pull requests that update GitHub Actions code

  

go

Pull requests that update Go code

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

javascript

Pull requests that update Javascript code

  

k8s

  

log-collector

  

mapper

  

mtr

multi traceroute

  

needs-triage

  

netflow

  

network-sweep

  

observability

  

oracle

Oracle Linux related issues

  

otel

opentelemetry logs, traces, metrics

  

plug-in

  

proton

timeplus proton streaming database

  

python

  

question

Further information is requested

  

reddit

  

redhat

  

research

  

rperf

  

rperf-checker

  

rust

Pull requests that update rust code

  

sdk

  

security

  

serviceradar-agent

  

serviceradar-agent-gateway

  

serviceradar-web

  

serviceradar-web-ng

  

siem

  

snmp

  

sysmon

  

topology

  

ubiquiti

  

wasm

  

wontfix

This will not be worked on

  

zen-engine

No labels

1week

2weeks

Failed compliance check

IP cameras

NATS

Possible security concern

Review effort 1/5

Review effort 2/5

Review effort 3/5

Review effort 4/5

Review effort 5/5

UI

aardvark

accessibility

amd64

api

arm64

auth

back-end

bgp

blog

bug

build

checkers

ci-cd

cleanup

cnpg

codex

core

dependencies

device-management

documentation

duplicate

dusk

ebpf

enhancement

eta 1d

eta 1hr

eta 3d

eta 3hr

feature

fieldsurvey

github_actions

go

good first issue

help wanted

invalid

javascript

k8s

log-collector

mapper

mtr

needs-triage

netflow

network-sweep

observability

oracle

otel

plug-in

proton

python

question

reddit

redhat

research

rperf

rperf-checker

rust

sdk

security

serviceradar-agent

serviceradar-agent-gateway

serviceradar-web

serviceradar-web-ng

siem

snmp

sysmon

topology

ubiquiti

wasm

wontfix

zen-engine

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

carverauto/serviceradar!3277

No description provided.