Ginny Thomas’ Post

𝗦𝘁𝗼𝗽 𝗯𝘂𝗶𝗹𝗱𝗶𝗻𝗴 𝗲𝘃𝗲𝗿𝘆 𝗯𝗮𝗰𝗸𝗲𝗻𝗱 𝘁𝗵𝗲 𝘀𝗮𝗺𝗲 𝘄𝗮𝘆. FastAPI isn't just "another Python framework." It's a deliberate choice — and knowing when to reach for it matters more than knowing how to use it. 𝗣𝗶𝗰𝗸 𝗙𝗮𝘀𝘁𝗔𝗣𝗜 𝘄𝗵𝗲𝗻:  • You're building ML/AI-powered APIs and your team already lives in Python  • You need async performance without the boilerplate of Go or Java  • Auto-generated docs (Swagger/OpenAPI) aren't a nice-to-have — they're a requirement  • You want type safety that actually catches bugs before production 𝗦𝘁𝗶𝗰𝗸 𝘄𝗶𝘁𝗵 𝘁𝗿𝗮𝗱𝗶𝘁𝗶𝗼𝗻𝗮𝗹 𝗯𝗮𝗰𝗸𝗲𝗻𝗱𝘀 (𝗦𝗽𝗿𝗶𝗻𝗴, 𝗗𝗷𝗮𝗻𝗴𝗼, 𝗘𝘅𝗽𝗿𝗲𝘀𝘀, .𝗡𝗘𝗧) 𝘄𝗵𝗲𝗻:  • Your org already has deep expertise and infra around them  • You need battle-tested ORM support and a massive plugin ecosystem  • You're building monoliths where convention-over-configuration saves months 𝗧𝗵𝗲 𝗿𝗲𝗮𝗹 𝗮𝗻𝘀𝘄𝗲𝗿? 𝗜𝘁'𝘀 𝗻𝗲𝘃𝗲𝗿 𝗮𝗯𝗼𝘂𝘁 𝘁𝗵𝗲 𝗳𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸. 𝗜𝘁'𝘀 𝗮𝗯𝗼𝘂𝘁 𝘁𝗵𝗲 𝗽𝗿𝗼𝗯𝗹𝗲𝗺. FastAPI shines where speed-to-deploy, async I/O, and Python-native ML pipelines intersect. Forcing it into a legacy enterprise CRUD app is like using a scalpel to chop wood. Choose your tools like an engineer, not a fan. Thoughts? When did FastAPI click (or not click) for you? #FastAPI #Python #BackendDevelopment #SoftwareEngineering #WebDevelopment #APIDevelopment #TechCommunity #Programming #MLOps #SystemDesign

One instruction file doesn't scale. The moment your codebase has a Python service and a TypeScript frontend and a Go worker, a single CLAUDE.md becomes either too generic to be useful or too bloated to trust. Scoped context solves this the way filesystems already do — by nesting. Org-level rules wrap user-level rules wrap project-level rules wrap directory-level rules. The agent reads whichever scope it's working inside, the same way a developer picks up conventions walking into a new folder. Example: the org says "never commit .env files." The project says "use Zod for validation." The ./src/api/ directory says "return JSON, validate schema." The agent sees all three, cleanly composed. The trade-off is discoverability. When rules live in four places, it's harder to answer "what does the agent actually see right now?" Good tooling here isn't optional — it's the whole pattern. Treat context as a tree, not a file. How are you organizing rules across a multi-language codebase? #AI #AgenticAI #SoftwareArchitecture #DeveloperTools #Clausey

𝗧𝗵𝗲 𝗔𝗻𝘁𝗵𝗿𝗼𝗽𝗶𝗰 𝘀𝗼𝘂𝗿𝗰𝗲 𝗰𝗼𝗱𝗲 𝗹𝗲𝗮𝗸 is a sobering reminder for those of us building in the LLM space. Your most sophisticated safety guardrails are useless if your CI/CD pipeline fails. Anthropic accidentally bundled a massive debugging file into a Claude Code update. This single mistake exposed 512,000 lines of proprietary code to the public. Within minutes, the leak went viral. A researcher spotted the file, and the news reached over 21 million people before the team could even react. From a technical and implementation perspective, the drama is less interesting than the precedents being set here: - 𝗧𝗵𝗲 𝗜𝗿𝗼𝗻𝘆 𝗼𝗳 𝗨𝗻𝗱𝗲𝗿𝗰𝗼𝘃𝗲𝗿 𝗠𝗼𝗱𝗲: Anthropic built a feature called Undercover Mode specifically to stop Claude from leaking secrets. Yet, a simple packaging error bypassed the very security it was meant to protect. - 𝗧𝗵𝗲 𝗗𝗠𝗖𝗔 𝗟𝗼𝗼𝗽𝗵𝗼𝗹𝗲: When the original repo was taken down, a developer reportedly used AI to rewrite the entire codebase in Python and Rust and named it "𝗖𝗹𝗮𝘄 𝗖𝗼𝗱𝗲". The Python repository hit 50,000 stars almost overnight; it currently sits at 118k stars and 101k forks. This raises a massive question: is an AI-translated rewrite a "new creative work" or a derivative one? - 𝗕𝘂𝗶𝗹𝗱 𝗔𝗿𝘁𝗶𝗳𝗮𝗰𝘁 𝗔𝘂𝗱𝗶𝘁𝗶𝗻𝗴: This wasn't a sophisticated hack, but a production build that accidentally included debugging maps. It serves as a clear signal that when we move at "AI speed", our automated auditing of build packages must be as rigorous as our model alignment. It is easy to look at a giant like Anthropic and wonder how they missed this. However, many teams are one misconfigured config file away from a similar disaster. We must start treating deployment hygiene as a core security function rather than an afterthought. Original thread: https://lnkd.in/gq4aVnyF The Python rewrite repo: https://lnkd.in/gzNCbbgh

OpenAI Codex SDK The Gist: Released April 22, 2026, this SDK turns the Codex engineering agent into an embeddable engine. Developers can now programmatically control AI agents to automate high-level engineering tasks like fixing CI/CD builds or conducting code reviews. Key Highlights: - Native Libraries: Launched with official support for TypeScript and Python, allowing you to build Codex directly into your internal tools. - Core Primitives: Introduced Threads (persistent context), Turns (specific tasks), and Runs (execution) to manage complex, multi-step coding workflows. - CI/CD Integration: Designed to live inside your pipeline to automatically diagnose failures and suggest patches before humans get involved. - Open Protocols: Uses a JSON-RPC 2.0 "App Server" protocol, making it easy to connect the AI to private APIs and local development environments. The Bottom Line: This is the "API for Software Engineering." It moves AI from a side-chat window into the core infrastructure of how software is built and maintained. https://lnkd.in/gWQGRndX

The Great 24-Hour Extraction: How Anthropic’s "Source Map" Slip Changed the Game ( yes its April fools day but this story is real🙂) Yesterday, a simple human error in a build script did what competitors have been trying to do for a year: It revealed the "Special Sauce" of Claude Code. The Leak: A 59.8 MB Javascript source map was bundled into version 2.1.88 of @anthropic-ai/claude-code. This wasn't just minified code; it was a roadmap to ~1,900 TypeScript files covering everything from "Self-Healing Memory" to "Agent Swarm" logic.  The "Clean Room" Counter-Move: What’s most impressive isn't the leak itself, but the speed of the reimplementation. • Sigrid Jin (@realsigridjin) used OpenAI’s Codex (via the oh-my-codex orchestrator) to perform a systematic rewrite.  • By porting the logic to Python, they’ve created a "legal buffer"—a clean-room implementation that replicates the behavior and architecture (the "claw-code" repo) without infringing on the specific TypeScript copyright.  • As of this morning, the project has already surpassed 50,000 stars on GitHub, making it the fastest-growing repo in history. The Engineering Takeaway: We are officially in the era of Instant Legacy. If your competitive advantage is "hidden code," you don't have a competitive advantage. The only thing that stays proprietary in 2026 is your compute and your live data. The logic? That belongs to the agents now. Anthropic tried to sell a "Security Review" tool, but their own packaging script was the ultimate security failure. The community didn't just look at the code—they ingested it.  Is this the end of "Closed Source" developer tools, or just a really expensive lesson in .npmignore? The "Claw-Code" Python Port: Repository and Discussion 👉 GitHub - instructkr/claw-code: The fastest repo in history to surpass 50K stars ⭐, reaching the milestone in just 2 hours after publication. https://lnkd.in/dSV3VjCC #claudecode

I used to think async def = concurrency. Turns out it's a promise I have to keep. Here's what clicked for me about FastAPI performance 👇 First, the mental model I had wrong: I thought async def meant "spread 40 requests across 40 threads and run them in parallel." Nope. Async doesn't use threads at all. The event loop runs everything on one thread and rapidly switches between requests at every await point. The actual waiting (DB, network) happens outside Python , so thousands of requests can be "in-flight" on a single thread. ❌ Wrong: 40 requests → 40 threads in parallel  ✅ Right: 40 requests → 1 thread juggling them at every await Now the trap I almost fell into: If your endpoint has a blocking call (like requests.get() or a sync DB query), using async def is actually worse than plain def. 🔹 Plain def: FastAPI offloads to a threadpool (~40 threads). Slow requests run on separate threads. Event loop stays free. Free concurrency. ✅ 🔹 async def with blocking code inside: No await to pause at → the one thread freezes → entire event loop dies. Every other request waits. ❌ My decision guide now: 🔸 No I/O? → def  🔸 I/O with async libraries (httpx, asyncpg)? → async def + await  🔸 I/O but only blocking libraries (requests, psycopg2)? → def  🔸 Heavy CPU work? → neither. Use multiple workers or a task queue. The golden rule: async def is a promise to the event loop that you'll only do non-blocking work. If you can't keep that promise, don't make it. The trap: devs see "async = fast" and slap async def everywhere. But async without real await, is just a slower version of sync. Write async only when you can actually be async. 😀 #Python #FastAPI #WebDevelopment #BackendEngineering

Microsoft Agent Framework (MAF) v1.0 has been released. This is the production-ready release: stable APIs, and a commitment to long-term support. Whether you’re building a single assistant or orchestrating a fleet of specialized agents, Agent Framework 1.0 gives you enterprise-grade multi-agent orchestration, multi-provider model support, and cross-runtime interoperability via A2A and MCP. https://lnkd.in/e7VP2eWG #MAF #AI #AIAgents #Python #DoNet

Quite often Agent needs to have some logic, like data processing, orchestration of multiple tool calls, or conditional logic. Common approach would be either make Agent to do this or have some Sandbox and then have some scripting in it. First one would waste tokens, second one requires sandboxing and wastes CPU resources. To solve this, here is Bashkit, in-process Bash with in-memory file system. Basically your Agent can have full execution engine runnig scripts in microseconds, in the same process as your app. Implemented in rust, with Python and TypeScript bindings and integrations in probably any popular AI Agents framework, like LangChain Agents, LangChain Deep Agents, Vercel AI, Pydantic AI. Couple of use cases: 1. "code mode" - idea when API surface is exposed via CLI tools inside Bash, and so Agent can call hundreds or thousands tools via single tool (or + seconds tool for discovery) 2. Tool Results token optimization - where instead feeding whole tool result to context, it post processed via bash script (grep, awk, jq) 3. Tool call orchestration - simple cases when your agent need to go via paginated API calls, easy to do with simple loop in bash 4. Math - yeh, agents not always good at math. Bash is okay: `a=1;b=-3;c=2;echo "scale=5;d=$b*$b-4*$a*$c;(-($b)+sqrt(d))/(2*$a);(-($b)-sqrt(d))/(2*$a)" | bc -l` Enjoy )

Five AI agent frameworks shipped the same vulnerability class in a single week: Paperclip, Flowise, Gemini CLI, OpenClaude, and Evolver. Different teams, different languages, identical root cause: agent-supplied strings flowing into subprocess calls without being treated as user-controlled data. Then the MCP SDK STDIO injection (CVE-2026-30623, CVE-2026-22252) extended the same pattern to foundational protocol infrastructure across Python, TypeScript, Java, and Rust simultaneously.                                                                                                                                              When the same mistake appears in five independent codebases the same week, the diagnosis is not collective carelessness; it is a shared mental model that has not yet integrated adversarial threat assumptions. This is the buffer overflow era for agentic systems.                                                                                                                                                      For CISOs, the question to put in front of every agent platform vendor: are agent-produced outputs isolated from system execution contexts at the API level, or is the trust model still treating agent inputs as operator configuration?                                                                                                                                              Full analysis: https://lnkd.in/e5ZpgDjz                                                                                                                                            #cybersecurity #AISecurity #AgenticAI #MCP #AppSec #Cyber #Analysis

🚀 FastAPI vs REST API — What’s the Difference? Many developers confuse FastAPI with REST API, but they are not the same thing 👇 🔹 REST API (Architectural Style) REST (Representational State Transfer) is a design pattern for building APIs. It defines how clients and servers communicate over HTTP using methods like GET, POST, PUT, DELETE. ✔️ Language-agnostic ✔️ Widely adopted standard ✔️ Focuses on structure & principles 🔹 FastAPI (Framework) FastAPI is a modern Python framework used to build APIs, often following REST principles. ✔️ Built with Python 🐍 ✔️ High performance (comparable to Node.js & Go) ✔️ Automatic API docs (Swagger UI) ✔️ Async support out of the box ✔️ Data validation using Pydantic ⚖️ Key Difference 👉 REST is how you design APIs 👉 FastAPI is a tool to implement APIs 💡 In Simple Terms: You can build a REST API using FastAPI, Django, Express, or any framework — FastAPI is just one of the fastest and most developer-friendly options today. 🔥 When to Choose FastAPI? - Building high-performance APIs - Working with Python ecosystem - Need auto docs & validation - Creating AI/ML backend services 📌 Final Thought: REST gives you the blueprint 🏗️ FastAPI helps you build it faster ⚡ #FastAPI #RESTAPI #Python #WebDevelopment #BackendDevelopment #API #SoftwareEngineering #Coding #Developers #Tech