The latest articles on DEV Community by Daniel Garza (@daniel_garza_netrunsystems). https://dev.to/daniel_garza_netrunsystems https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3665828%2F41d0f178-fc30-48c5-9f94-2883b13544f5.png https://dev.to/daniel_garza_netrunsystems en Daniel Garza Wed, 17 Dec 2025 00:20:45 +0000 https://dev.to/daniel_garza_netrunsystems/building-10-python-packages-for-enterprise-fastapi-apps-what-i-learned-4hbb https://dev.to/daniel_garza_netrunsystems/building-10-python-packages-for-enterprise-fastapi-apps-what-i-learned-4hbb <p>After a year of building enterprise platforms, I kept solving the same problems:</p> <ul> <li>How do I handle JWT auth with RBAC that actually scales?</li> <li>Why does every project need its own logging configuration?</li> <li>How do I manage secrets across Azure Key Vault and local dev?</li> <li>What's the cleanest way to handle database connection pooling?</li> </ul> <p>So I extracted the patterns into 10 reusable packages and open sourced them.</p> <h2> The Netrun Service Library </h2> <p>All packages are MIT licensed and available on PyPI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>netrun-auth netrun-logging netrun-config </code></pre> </div> <h3> The Foundation Layer </h3> <p><strong>netrun-logging</strong> - Structured logging that doesn't suck</p> <p>Built on Structlog for ~2.9x performance improvement over stdlib. The killer feature? Automatic redaction of sensitive fields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">netrun_logging</span> <span class="kn">import</span> <span class="n">get_logger</span> <span class="n">logger</span> <span class="o">=</span> <span class="nf">get_logger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="c1"># This automatically redacts the password field </span><span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">user_login</span><span class="sh">"</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="sh">"</span><span class="s">daniel</span><span class="sh">"</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="sh">"</span><span class="s">secret123</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Logged as "password": "[REDACTED]" </span> <span class="n">ip_address</span><span class="o">=</span><span class="sh">"</span><span class="s">192.168.1.1</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p><strong>netrun-errors</strong> - Exception hierarchy that maps to HTTP</p> <p>Instead of catching generic exceptions, use typed errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">netrun_errors</span> <span class="kn">import</span> <span class="n">NotFoundError</span><span class="p">,</span> <span class="n">ValidationError</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/users/{user_id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_user</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">get_user</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">NotFoundError</span><span class="p">(</span><span class="sh">"</span><span class="s">User</span><span class="sh">"</span><span class="p">,</span> <span class="n">user_id</span><span class="p">)</span> <span class="c1"># Returns 404 </span> <span class="k">return</span> <span class="n">user</span> </code></pre> </div> <h3> The Auth Layer </h3> <p><strong>netrun-auth</strong> - JWT + RBAC + Multi-tenant isolation</p> <p>This was the hardest one to get right. Uses Casbin for policy-based access control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">netrun_auth</span> <span class="kn">import</span> <span class="n">JWTAuthenticator</span><span class="p">,</span> <span class="n">require_permission</span> <span class="n">auth</span> <span class="o">=</span> <span class="nc">JWTAuthenticator</span><span class="p">(</span> <span class="n">secret_key</span><span class="o">=</span><span class="sh">"</span><span class="s">your-secret</span><span class="sh">"</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span> <span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/admin/users</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@require_permission</span><span class="p">(</span><span class="sh">"</span><span class="s">users:read</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">list_users</span><span class="p">(</span><span class="n">user</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">get_current_user</span><span class="p">)):</span> <span class="c1"># Only users with users:read permission can access </span> <span class="k">return</span> <span class="k">await</span> <span class="nf">get_users</span><span class="p">()</span> </code></pre> </div> <p>The multi-tenant isolation ensures users can only access their own tenant's data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@require_tenant_access</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_tenant_data</span><span class="p">(</span><span class="n">tenant_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">get_current_user</span><span class="p">)):</span> <span class="c1"># Automatically validates user.tenant_id == tenant_id </span> <span class="k">return</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">get_tenant_data</span><span class="p">(</span><span class="n">tenant_id</span><span class="p">)</span> </code></pre> </div> <h3> The Config Layer </h3> <p><strong>netrun-config</strong> - Azure Key Vault with local fallback</p> <p>Works in production with Key Vault and locally with .env files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">netrun_config</span> <span class="kn">import</span> <span class="n">AzureKeyVaultConfig</span> <span class="n">config</span> <span class="o">=</span> <span class="nc">AzureKeyVaultConfig</span><span class="p">(</span> <span class="n">vault_url</span><span class="o">=</span><span class="sh">"</span><span class="s">https://my-vault.vault.azure.net</span><span class="sh">"</span><span class="p">,</span> <span class="n">cache_ttl</span><span class="o">=</span><span class="mi">300</span> <span class="c1"># Cache secrets for 5 minutes </span><span class="p">)</span> <span class="c1"># In production: fetches from Key Vault # Locally: falls back to environment variables </span><span class="n">db_password</span> <span class="o">=</span> <span class="k">await</span> <span class="n">config</span><span class="p">.</span><span class="nf">get_secret</span><span class="p">(</span><span class="sh">"</span><span class="s">database-password</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> The LLM Layer </h3> <p><strong>netrun-llm</strong> - Multi-provider orchestration</p> <p>This one was fun. Abstracts away the differences between LLM providers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">netrun_llm</span> <span class="kn">import</span> <span class="n">LLMOrchestrator</span> <span class="n">llm</span> <span class="o">=</span> <span class="nc">LLMOrchestrator</span><span class="p">(</span> <span class="n">providers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">azure-openai</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ollama</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">claude</span><span class="sh">"</span><span class="p">],</span> <span class="n">fallback_enabled</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="c1"># Automatically fails over if primary provider is down </span><span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">llm</span><span class="p">.</span><span class="nf">complete</span><span class="p">(</span> <span class="n">prompt</span><span class="o">=</span><span class="sh">"</span><span class="s">Summarize this document</span><span class="sh">"</span><span class="p">,</span> <span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gpt-4</span><span class="sh">"</span><span class="p">,</span> <span class="n">fallback_model</span><span class="o">=</span><span class="sh">"</span><span class="s">llama2</span><span class="sh">"</span> <span class="c1"># Use Ollama if Azure is down </span><span class="p">)</span> </code></pre> </div> <h3> The Data Layer </h3> <p><strong>netrun-db-pool</strong> - Async SQLAlchemy that handles connection storms</p> <p>Connection pooling with automatic health checks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">netrun_db_pool</span> <span class="kn">import</span> <span class="n">DatabasePool</span> <span class="n">pool</span> <span class="o">=</span> <span class="nc">DatabasePool</span><span class="p">(</span> <span class="n">url</span><span class="o">=</span><span class="sh">"</span><span class="s">postgresql+asyncpg://...</span><span class="sh">"</span><span class="p">,</span> <span class="n">pool_size</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="n">max_overflow</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">health_check_interval</span><span class="o">=</span><span class="mi">30</span> <span class="p">)</span> <span class="k">async</span> <span class="k">with</span> <span class="n">pool</span><span class="p">.</span><span class="nf">session</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">query</span><span class="p">)</span> </code></pre> </div> <h2> The Design Philosophy </h2> <h3> Soft Dependencies </h3> <p>Every package works standalone. But when you install multiple packages, they<br> automatically integrate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>netrun-auth + netrun-logging = Auth events automatically logged netrun-config + netrun-logging = Secret access audited netrun-db-pool + netrun-errors = Connection errors typed </code></pre> </div> <p>This is achieved through runtime detection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">try</span><span class="p">:</span> <span class="kn">from</span> <span class="n">netrun_logging</span> <span class="kn">import</span> <span class="n">get_logger</span> <span class="n">logger</span> <span class="o">=</span> <span class="nf">get_logger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">except</span> <span class="nb">ImportError</span><span class="p">:</span> <span class="kn">import</span> <span class="n">logging</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> </code></pre> </div> <h3> Zero Config Defaults </h3> <p>Every package has sensible defaults. You don't need to configure anything to<br> get started:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">netrun_auth</span> <span class="kn">import</span> <span class="n">JWTAuthenticator</span> <span class="c1"># Works with defaults </span><span class="n">auth</span> <span class="o">=</span> <span class="nc">JWTAuthenticator</span><span class="p">()</span> <span class="c1"># Or customize everything </span><span class="n">auth</span> <span class="o">=</span> <span class="nc">JWTAuthenticator</span><span class="p">(</span> <span class="n">secret_key</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">RS256</span><span class="sh">"</span><span class="p">,</span> <span class="n">issuer</span><span class="o">=</span><span class="sh">"</span><span class="s">my-app</span><span class="sh">"</span><span class="p">,</span> <span class="n">audience</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">api</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">web</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> </code></pre> </div> <h3> Testing First </h3> <p><strong>netrun-pytest-fixtures</strong> provides unified test fixtures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># conftest.py </span><span class="n">pytest_plugins</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">netrun_pytest_fixtures</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Your tests automatically get: # - mock_auth: Pre-configured auth bypass # - mock_db: In-memory SQLite # - mock_config: Environment-based config # - mock_llm: Deterministic LLM responses </span></code></pre> </div> <h2> What's Next </h2> <p>I'm actively maintaining these packages. Current priorities:</p> <ol> <li>Better documentation (it's in the READMEs but needs a proper docs site)</li> <li>More LLM providers (Anthropic Claude API, Google Gemini)</li> <li>OpenTelemetry tracing across all packages</li> </ol> <h2> Try It Out </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>netrun-auth netrun-logging netrun-config </code></pre> </div> <ul> <li> <strong>GitHub</strong>: <a href="https://github.com/netrun-systems/netrun-oss" rel="noopener noreferrer">https://github.com/netrun-systems/netrun-oss</a> </li> <li> <strong>PyPI</strong>: <a href="https://pypi.org/search/?q=netrun" rel="noopener noreferrer">https://pypi.org/search/?q=netrun</a> </li> </ul> <p>MIT licensed. Issues and PRs welcome.</p> <p><em>What patterns do you use for cross-cutting concerns in your FastAPI apps? I'd love to hear what I'm missing.</em></p> python fastapi opensource azure