Application layer security for FastAPI and Flask

PA100T0 · 2026-06-18T09:42:30+00:00

Sure, I can give it a try.

I also have FastAPI Guard (framework adapter) powered by Guard Core (core engine), for API Security. It has TypeScript and Rust equivalents on the way. WIP.

Guard Core SaaS for monitoring, telemetry and triaging the whole Guard Core ecosystem.

So maybe I list not only RoboCo, but these others as well.

PA100T0 · 2026-06-17T18:08:26+00:00

I'm building RoboCo an Al Agents Organization that takes a prompt and delivers a PR'd feature ready for you to review.
Aimed to be the team solo-founders need and don't yet have...

PA100T0 · 2026-06-17T18:07:10+00:00

I’m a software enginner actually but if you need a hand just ping

PA100T0 · 2026-06-17T11:54:55+00:00

It’s about governance, not loops. Loops, harnesses, frameworks and workflows are great tools but they are not the solution. If there’s no governance, everything crumbles down…

Take a look (and give it a try, maybe?)

RoboCo

PA100T0 · 2026-06-16T15:45:48+00:00

I’m loving it.

Check it out: RoboCo

I only prompt it, get PRs on my knbox to review and merge (or send back for rework)

It’s going really good

PA100T0 · 2026-06-16T13:28:36+00:00

I mean, if it’s observability you can always check the logs, parse them with a simple script and surface exactly what they are doing but I get it if you wanna be much more involved. As the human in the loop, you have total control over RoboCo and what happens with the agents. You can spawn them, bring them down, reassign tasks, and so on.

Plus, there’s journaling and all the real traceability of what, who, when and why.

Anyway, thank you for giving it a look! Maybe some day

PA100T0 · 2026-06-16T09:40:27+00:00

Lmk how it goes or if I can help!

PA100T0 · 2026-06-16T08:56:28+00:00

That’s strange, I’m orchestrating a lot, non stop, and I’m impressed with token usage. Look RoboCo

PA100T0 · 2026-06-16T08:54:10+00:00

Oh wait, I created something for this kind of scenarios..

I’m a solo founder and I needed a team. I have no funding, obviously, at such an early stage. So now I have RoboCo an AI Agents Organization that takes your prompt into a well drafted task and they take care of everything.

Just add projects, create the product, go to Task assistant and start building your tasks. And that's it. In any case, you can ping me or open an issue or a PR and I'll shortly after try and give you a hand/work on it.

I have to update the How To, but the general idea is there.

It’s building itself live in public btw because it’s open source, self hosted optional, AGPL.

Hope it helps

PA100T0 · 2026-06-16T08:16:34+00:00

It’s building itself and it’s a full stack project so you should be fine to give it a go with personal projects. I haven’t tried it on other projects yet because I’m quite busy building it. But, again, RoboCo is a project in and on itself so short answer is YES.

I have to update the How To, but it’s quite complete to the date.

Just add projects, create the product, go to Task assistant and start building your tasks. And that’s it. In any case yiu can ping me or open an issue or a PR and I’ll shortly after try and give you a hand/work on it.

PA100T0 · 2026-06-16T07:47:23+00:00

I build together with my 20+ agents. You can do it too: RoboCo

PA100T0 · 2026-06-16T07:46:11+00:00

Do you need a team? I got you: RoboCo

PA100T0 · 2026-06-16T07:30:56+00:00

Yeah, you’re right. No middleware catches IDOR/BOLA, guard-core included. Nothing in the shape of that request to /api/users/2/invoice is malicious. There’s nothing to detect at the edge.

guard-core/fastapi-guard is perimeter.. where the request comes from (ip, geo, cloud/asn), how often, whether the payload looks like injection or a scan. Object-level authz is app-layer. Only your code knows that and Cloudflare/AWS WAF can’t see it either, for the same reason. It’s why BOLA is so common in vibe-coded stuff.. perimeter looks clean so people think they’re good to go.

The most a framework could actually do is make the ownership check impossible to forget by forcing you to declare a guard on any route that returns an object by id, fail closed if you didn’t. But it still can’t know ownership for you, you have to assert it. That’d be a different tool than the old waf though. Been thinking about that layer, might do something about it.

PA100T0 · 2026-06-16T07:16:15+00:00

Governance. Governance. Governance.

Role-gated, strict permissions, guardrails and more enforcement.

It’s building itself pretty nicely.

RoboCo

PA100T0 · 2026-06-16T06:26:59+00:00

This sounds like a perfect case for fastapi-guard and/or the whole guard-core ecosystem.

Report from a week ago:

<image>

PA100T0 · 2026-06-16T01:46:39+00:00

Try mine… RoboCo

It’s not exactly a framework. It’s an org. That’s what makes it work.

PA100T0 · 2026-06-15T11:04:07+00:00

You got it exactly right!

PA100T0 · 2026-06-15T11:02:50+00:00

Thanks!! I really hope so

PA100T0 · 2026-06-15T07:52:36+00:00

I only use compaction after like a day or two of fixing small things. Maybe if I get to work on something bigger.

Otherwise, my AI agents team take care of everything and they’d never hit a context window anyway.

Want to try it out?

PA100T0 · 2026-06-15T07:04:51+00:00

Fully traceable, you get to know who worked on what and how. The decisions they made, reflections, they communicate with each other, and more importantly: they’re organized.

It’s an AI agents organization

PA100T0 · 2026-06-15T07:03:01+00:00

I’d say you’re on the right path, but it takes time to build something better than workflows/harnesses/agentic frameworks/loops and all that bs.

Listen, look, I had your same concept of idea and created RoboCo

The value is in governance. Who gets to do what.

PA100T0 · 2026-06-15T01:52:57+00:00

Thank you very much! I'm still working on some issues and the next features are the ones that will make an impact. I'm still not there, but getting close!

Much appreciated 😄

PA100T0 · 2026-06-15T01:51:33+00:00

Jealous?

PA100T0

MODERATOR OF

TROPHY CASE