barbacane
mcp
Pass
Health Pass
- License — License: AGPL-3.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 23 GitHub stars
Code Pass
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
- Permissions — No dangerous permissions requested
Purpose
This tool is a spec-driven API gateway built in Rust. It uses your OpenAPI or AsyncAPI specifications as the single source of truth to automatically handle API routing, validation, and authentication.
Security Assessment
Overall Risk: Low. The codebase is written in Rust, which provides excellent memory safety and protects against many common vulnerabilities. A light scan of 12 files found no dangerous patterns, hardcoded secrets, or requests for risky permissions. As an API gateway, it inherently handles network requests and routes external web traffic, but it is explicitly designed with security in mind. It features TLS via Rustls for encrypted connections and restricts gateway extensions to sandboxed WebAssembly (WASM) plugins. This sandboxing ensures that third-party extensions cannot crash or compromise the core system.
Quality Assessment
The project demonstrates strong health and high engineering quality. It is actively maintained, with repository activity as recent as today. The repository is well-documented, highly transparent, and claims a massive test suite spanning unit, integration, plugin, and end-to-end tests (over 1,500 tests passing). It is licensed under AGPL-3.0, a strong copyleft license. While this is perfectly fine for internal infrastructure use, developers should be aware that AGPL requires anyone offering the tool as a network service to also open-source their modifications. The project has a modest community following with 23 GitHub stars, indicating it is in the early adoption phase.
Verdict
Safe to use, though organizations should ensure the AGPL-3.0 copyleft license aligns with their infrastructure and distribution strategies.
This tool is a spec-driven API gateway built in Rust. It uses your OpenAPI or AsyncAPI specifications as the single source of truth to automatically handle API routing, validation, and authentication.
Security Assessment
Overall Risk: Low. The codebase is written in Rust, which provides excellent memory safety and protects against many common vulnerabilities. A light scan of 12 files found no dangerous patterns, hardcoded secrets, or requests for risky permissions. As an API gateway, it inherently handles network requests and routes external web traffic, but it is explicitly designed with security in mind. It features TLS via Rustls for encrypted connections and restricts gateway extensions to sandboxed WebAssembly (WASM) plugins. This sandboxing ensures that third-party extensions cannot crash or compromise the core system.
Quality Assessment
The project demonstrates strong health and high engineering quality. It is actively maintained, with repository activity as recent as today. The repository is well-documented, highly transparent, and claims a massive test suite spanning unit, integration, plugin, and end-to-end tests (over 1,500 tests passing). It is licensed under AGPL-3.0, a strong copyleft license. While this is perfectly fine for internal infrastructure use, developers should be aware that AGPL requires anyone offering the tool as a network service to also open-source their modifications. The project has a modest community following with 23 GitHub stars, indicating it is in the early adoption phase.
Verdict
Safe to use, though organizations should ensure the AGPL-3.0 copyleft license aligns with their infrastructure and distribution strategies.
Barbacane API an AI Gateway mono repo
README.md
Barbacane
Your spec is your gateway.
Barbacane is a spec-driven API gateway built in Rust. Point it at an OpenAPI or AsyncAPI spec and it becomes your gateway — routing, validation, authentication, and all. No proprietary config language, no drift between your spec and your infrastructure.
- Spec as config — Your OpenAPI 3.x or AsyncAPI 3.x specification is the single source of truth. No separate gateway DSL to maintain.
- Fast and predictable — Built on Rust, Tokio, and Hyper. No garbage collector, no latency surprises.
- Secure by default — Memory-safe runtime, TLS via Rustls, sandboxed WASM plugins, secrets never baked into artifacts.
- Edge-ready — Stateless data plane instances designed to run close to your users, with a separate control plane handling compilation and distribution.
- Extensible — Write plugins in any language that compiles to WebAssembly. They run in a sandbox, so a buggy plugin can't take down the gateway.
- Observable — Prometheus metrics, structured JSON logging, and distributed tracing with W3C Trace Context and OTLP export.
Quick Start
# Clone and build
git clone https://github.com/barbacane-dev/barbacane.git
cd barbacane
cargo build --release
# Compile your OpenAPI spec
./target/release/barbacane compile --spec api.yaml --manifest barbacane.yaml --output api.bca
# Run the gateway
./target/release/barbacane serve --artifact api.bca --listen 0.0.0.0:8080
Documentation
Full documentation is available at docs.barbacane.dev.
- Getting Started — First steps with Barbacane
- Spec Configuration — Configure routing and middleware
- Middlewares — Authentication, rate limiting, caching
- Dispatchers — Route requests to backends
- Control Plane — REST API for spec and artifact management
- Web UI — Web-based management interface
- Plugin Development — Build custom WASM plugins
- Development Guide — Setup and contribute
Playground
Try Barbacane locally with the full-featured playground — now in its own repo:
git clone https://github.com/barbacane-dev/playground
cd playground
docker-compose up -d
# Gateway: http://localhost:8080
# Grafana: http://localhost:3000 (admin/admin)
# Control Plane: http://localhost:3001
The playground includes a Train Travel API demo with WireMock backend, full observability stack (Prometheus, Loki, Tempo, Grafana), and the control plane UI. See barbacane-dev/playground for details.
Official Plugins
| Plugin | Type | Description |
|---|---|---|
http-upstream |
Dispatcher | Reverse proxy to HTTP/HTTPS backends |
mock |
Dispatcher | Return static responses |
lambda |
Dispatcher | Invoke AWS Lambda functions |
kafka |
Dispatcher | Publish messages to Kafka |
nats |
Dispatcher | Publish messages to NATS |
s3 |
Dispatcher | Proxy requests to AWS S3 / S3-compatible storage with SigV4 signing |
ai-proxy |
Dispatcher | Unified LLM routing to OpenAI, Anthropic, and Ollama with provider fallback |
ws-upstream |
Dispatcher | WebSocket transparent proxy with full middleware chain on upgrade |
fire-and-forget |
Dispatcher | Forward request to upstream and return immediate static response |
jwt-auth |
Middleware | JWT token validation |
apikey-auth |
Middleware | API key authentication |
basic-auth |
Middleware | HTTP Basic authentication (RFC 7617) |
oauth2-auth |
Middleware | OAuth2 token introspection |
oidc-auth |
Middleware | OpenID Connect (OIDC) authentication |
acl |
Middleware | Consumer-based access control lists |
opa-authz |
Middleware | Open Policy Agent authorization |
cel |
Middleware | Inline CEL expression policy evaluation |
rate-limit |
Middleware | Sliding window rate limiting |
cache |
Middleware | Response caching |
cors |
Middleware | CORS header management |
correlation-id |
Middleware | Request correlation ID propagation |
request-size-limit |
Middleware | Request body size limits |
ip-restriction |
Middleware | IP allowlist/blocklist |
bot-detection |
Middleware | Block bots by User-Agent pattern |
redirect |
Middleware | URL redirections (301/302/307/308) with path matching |
request-transformer |
Middleware | Modify headers, query params, path, and body before upstream |
response-transformer |
Middleware | Modify status code, headers, and body before client |
observability |
Middleware | SLO monitoring and detailed logging |
http-log |
Middleware | Send request/response logs to HTTP endpoint |
Performance
Benchmark results on Apple M4 (MacBook Air 16GB):
Routing & Validation
| Operation | Latency |
|---|---|
| Route lookup (1000 routes) | ~83 ns |
| Request validation (full) | ~1.2 µs |
| Body validation (JSON) | ~458 ns |
| Router build (500 routes) | ~130 µs |
WASM Plugin Runtime
| Operation | Latency |
|---|---|
| Module compilation | ~210 µs |
| Instance creation | ~17 µs |
| Middleware chain (1 plugin) | ~261 µs |
| Middleware chain (3 plugins) | ~941 µs |
| Middleware chain (5 plugins) | ~1.32 ms |
| Memory write (1 KB) | ~14 ns |
| Memory write (100 KB) | ~1.4 µs |
Serialization
| Operation | Latency |
|---|---|
| Request (minimal) | ~118 ns |
| Request (full, 1 KB body) | ~921 ns |
| Response (1 KB body) | ~417 ns |
Spec Compilation
| Operation | Latency |
|---|---|
| Compile 10 operations | ~550 µs |
| Compile 50 operations | ~2.17 ms |
| Compile 100 operations | ~3.72 ms |
Run your own benchmarks:
cargo bench --workspace
Project Status
Barbacane is under active development. See ROADMAP.md for the roadmap and CHANGELOG.md for release history.
Contributing
Contributions are welcome! Please read CONTRIBUTING.md for guidelines.
License
Dual-licensed under AGPLv3 and a commercial license. See LICENSING.md for details.
Trademark
Barbacane is a trademark. The software is open source; the brand is not. See TRADEMARKS.md for usage guidelines.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found