OK, here's the deal. There's a Whole Lotta (TM) CGIs that use REMOTE_USER which the web server is supposed to set if the user sent the apppropriate HTTP authentication headers and the .htaccess (or whatever - in our case the .cred database) matches. Specifically, that's how roundup works. No, I'm not in the mood to integrate Roundup with Twisted, thanks for asking. So, any idea how to get web.twcgi to properly set REMOTE_USER based on a parent's .guard? I'm drawing a blank here... (perhaps a .guard should stamp the Request object as it is passing it through...)