The Code We Kept Rewriting
SSRF guards, risk scoring, jurisdiction lookups, DNS reads. The same logic was already in production across several projects, written fresh each time and tuned to each one. Maintaining five copies stopped making sense, so I pulled each into a single open source package.
There is a certain kind of code you write more than once. Not because you forgot you wrote it, but because last time it lived inside another project, wired to that project assumptions, and lifting it out felt slower than typing it again. An outbound URL that has to be checked before you fetch it. A signup that has to be scored before you trust it. A country that has to resolve to a stable code before a tax line can be drawn. A DNS record that has to be read from the authority, not a cache. I have written each of these several times.
Every copy worked. Each one shipped, went to production, and did its job in the project it was born in. The trouble was never the code. The trouble was that there were five of it.
Five copies, five maintenance surfaces
A bug fixed in one copy never found its way to the other four. A hardening in one project sat next to the same code, unhardened, in the next. Each copy drifted, because each was edited only when that one project needed it. For a helper you can shrug this off. For security-sensitive logic it is a slow leak.
When the Symfony IPv6 transition-form SSRF bypass was disclosed, I did not have one guard to patch. I had a handful of slightly different guards, each in its own repo, each with its own idea of what counted as a private address. That is the moment the math flips. Maintaining several copies of code that has to be correct costs more than extracting it once and depending on the extract everywhere.
Extraction is not copy-paste
I am not lifting the old code verbatim. I am giving it a second pass, with Claude alongside, to reshape logic that was written years ago under a deadline into something that reads like a library instead of a project detail. Some of it got tightened. Some of it got extended. All of it moved behind a contract you can bind, mock or replace, and every package resolves deny-by-default, so an unknown input is refused rather than guessed at.
The upside of that reshaping is code that finally fits a package. The honest downside is that reshaped code is not the same code that has been quietly running in production for years. It has new seams. Which is the whole reason these are early releases and not a 2.0.
What came out
The DNS toolkit was the one I was most tired of rewriting. Domain-ownership verification only means something if you read the token from the zone own authoritative nameservers, not from a recursive resolver whose cache can be stale. So the core speaks the wire protocol over raw sockets, with a DNSSEC chain validator and an intoDNS-style diagnostics engine on top, and zero runtime dependencies.
The Laravel integration wraps that engine into a facade, Artisan commands and validation rules, so an ownership check or an MX-record rule is one composer require away.
The SSRF guard is the one the Symfony CVE lit a fire under. It resolves a host once, pins the connection to that exact IP so a rebind cannot smuggle the request elsewhere, refuses redirects, and blocks the IPv6 transition forms that the disclosure was about. It is honest about its own limits: an application-layer guard is defense in depth, and a network egress allow-list is still the real fix.
The risk scorer is the anti-abuse logic every signup form kept needing. It weights independent signals into a score and maps that score to a graduated outcome, allow, flag, challenge, step-up or reject, with the reasons behind every decision. It ships in monitor mode so you calibrate against real traffic before it ever blocks anyone.
And the geography reference is the quiet primitive underneath the other two: countries, subdivisions and currencies bound to stable ISO codes, carrying the tax-relevant facts that billing and tax engines need. It exists so nothing downstream ever fuzzy-matches a country name.
Expect rough edges
Because the code was reshaped on the way out, not copied verbatim, the first releases may have bugs or gaps the original battle-tested copies did not. That is the trade for code that fits a package. If you hit something, please open an issue or a PR on the relevant repo. That feedback is exactly what turns an early release into a stable one.
What's next
More of these are landing as separate open source packages over the coming days, each one an old piece of logic given a second pass on the way out. Identity was the biggest of them, and it gets its own post.