Opinionated Python web framework CLI — scaffolding, doctor, registry, and interactive dev playbooks.
Project description
Fabbro
An opinionated Python web framework for building custom, on-demand web software fast — and for making AI-generated code production-fit: secured by default, no hardcoded secrets, built around reusable modules.
fabbro create scaffolds a working project with a production-ready foundation —
authentication, an encrypted secret vault, a background worker queue, and an
external-API registry — plus a dev-only interactive playbook that walks you
through it.
Install
pip install fabbro
Requires Python 3.12+.
Quickstart
fabbro create myproject
cd myproject
fabbro secret gen # generate SECRET_KEY / FERNET_KEY into .env
fabbro create-admin # create the first admin user
fabbro doctor # run pre-flight checks
python3 _dev/serve.py # start the playbooks, then follow Getting Started
What you get
Fabbro turns AI-generated code into production-fit code. The two failure modes of AI-written web apps — secrets and settings hardcoded into logic, and security reinvented (badly) on every project — are designed out from the start:
- Nothing hardcoded. What AI usually bakes into code — passwords hashing
cost, cookie flags, token TTLs, rate limits, CSP, role policy — lives in
versioned YAML config, not in source. Change a limit, rotate a policy,
tighten a cookie: edit
config/, not your logic. - Security is reusable and already implemented. Rate limiting, secure
cookies, CSRF, CSP, HSTS, Argon2id — shipped once in
core/, imported and never rewritten. AI extends your app through config and extension points, not by re-authoring the security layer each time.
The scaffolded project ships with a reusable core/ you import but never edit:
| Area | What's in the box |
|---|---|
| Auth & sessions | Argon2id hashing with rehash · session rotation on login · CSRF on every mutation · CSP with per-request nonce · require_auth / require_role gating · role policy in auth.yaml |
| Rate limiting | Per-route limits by IP, email, and user — all declared in security.yaml (10 per minute on login, tighter on password reset, etc.) |
| Secure defaults | Cookie SameSite + secure, HSTS, permissions-policy, Argon2 tuning — every value in config, none in code |
| Secret vault | Provider credentials encrypted at rest (Fernet) · one canonical resolution cascade (vault → _FILE → env) — never in source |
| Background worker | SQLite-backed job queue · atomic claim under a WAL lock · heartbeat reaper for crashed jobs |
| API registry | Register providers by OpenAPI spec, autodiscovery, or manually · bind endpoints as stable service.verb aliases your modules call |
CLI
| Command | Purpose |
|---|---|
fabbro create <name> |
Scaffold a new project |
fabbro create-admin |
Create the first admin user |
fabbro doctor |
Run the project's pre-flight checks |
fabbro secret gen |
Generate base secrets into .env |
fabbro vault set·list·rm |
Manage provider API credentials |
fabbro registry … |
Inspect and drive the API registry |
Run any command with
--helpfor its full options.
Notes for 0.1.0
A 0.x release with a couple of deliberate, declared gaps — safe under the
intended single-tenant, trusted-input use, and scheduled to change as the
surface grows:
| Area | Current behavior |
|---|---|
| Registry autodiscovery | Outbound requests to a provider's base_url aren't yet validated against private/loopback ranges — use trusted base_url values. Full SSRF allowlist lands with the public-API surface. |
| Session fingerprinting | Sessions are bound to user-agent + IP, so a network or device change logs the user out. Intentional for now; its exact role is an open design decision. |
© Forjelo · Proprietary · Built for certified Fabbro developers.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file fabbro-0.1.0.tar.gz.
File metadata
- Download URL: fabbro-0.1.0.tar.gz
- Upload date:
- Size: 414.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7315f9d201e984ed9456602771fe3f2f59552a8271a39fdac67e84677733f070
|
|
| MD5 |
8dd8a2bc2c4a80bcbf99738ce3bdf960
|
|
| BLAKE2b-256 |
91f9205d49166238450e27158789ab5a5bd30fb2f7bc7f9f00c38b5b330c2755
|
File details
Details for the file fabbro-0.1.0-py3-none-any.whl.
File metadata
- Download URL: fabbro-0.1.0-py3-none-any.whl
- Upload date:
- Size: 445.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e993126dc61542965df92b878e40b7af3aec0d9a984230a9a2c27c0e4c47dc87
|
|
| MD5 |
e0f0bb63fad6806aca3555634980fe60
|
|
| BLAKE2b-256 |
e05ee18848e09e6401a2708bd52503fe22aec6fa6ff16a42d66f3446b449de17
|