From 3406ee09d964bfb9792ff0804821b158381ae9b0 Mon Sep 17 00:00:00 2001 From: Nicolas Dreno Date: Thu, 23 Apr 2026 00:20:47 +0200 Subject: [PATCH 1/8] feat(homepage): reposition around MCP / AI gateway wedge Lead the homepage with the MCP + AI gateway story. Spec-first becomes the "how" in the second fold, not the primary pitch. - Hero: "Turn any OpenAPI spec into an MCP tool server" - Update title tag, default meta description, and badge (MCP native) - Primary CTA now jumps to the new MCP quickstart section - New "Your OpenAPI becomes an MCP server" section with an OAS example showing root-level enable plus per-operation opt-out, three short explainers on tool discovery, middleware pass-through, and opt-out - New "AI governance, built in" section with four cards: prompt guard, token limits, cost tracking, response guard - Feature grid header reframed to "One gateway for your APIs and your agents"; MCP card promoted from position 15 to position 1 Technical copy verified against docs.barbacane.dev/guide/mcp.html: opt-out semantics, JSON-RPC 2.0 endpoint at /__barbacane/mcp, tool name from operationId, input/output schemas merged from parameters and responses, full middleware pipeline on tool calls. Note: AI governance claims depend on gateway PR #67 landing. This branch should not be deployed to production until #67 is merged and released. --- src/layouts/Layout.astro | 2 +- src/pages/index.astro | 206 ++++++++++++++++++++++++++++++++++----- 2 files changed, 184 insertions(+), 24 deletions(-) diff --git a/src/layouts/Layout.astro b/src/layouts/Layout.astro index 0d464e0..64d03bc 100644 --- a/src/layouts/Layout.astro +++ b/src/layouts/Layout.astro @@ -15,7 +15,7 @@ interface Props { const { title, - description = "Barbacane - The spec-driven API gateway built in Rust. Your OpenAPI and AsyncAPI specs become your gateway configuration.", + description = "Barbacane is the open-source AI gateway that turns any OpenAPI spec into an MCP tool server, with built-in prompt guarding, token limits, cost tracking, and response guarding. Rust-native and spec-first.", type = 'website', article, ogImage: customOgImage, diff --git a/src/pages/index.astro b/src/pages/index.astro index b56581a..8375ebd 100644 --- a/src/pages/index.astro +++ b/src/pages/index.astro @@ -2,7 +2,7 @@ import Layout from '../layouts/Layout.astro'; --- - +
@@ -10,22 +10,24 @@ import Layout from '../layouts/Layout.astro';
- Open Source · AGPLv3 + Open source · MCP native · AGPLv3

- Your spec is your - gateway + Turn any OpenAPI spec into an + MCP tool server

- Stop maintaining two sources of truth. Barbacane uses your OpenAPI and AsyncAPI - specifications as the single source of truth for routing, validation, authentication, authorization, and event bridging. + Barbacane is the open-source AI gateway for Model Context Protocol. + Expose your existing APIs to AI agents as typed, governed, auditable tools. + Prompt guarding, token limits, cost tracking, and response guarding are built in. + One Rust-native artifact, spec-first.

- - Get Started + + See it in action @@ -41,6 +43,163 @@ import Layout from '../layouts/Layout.astro';
+ +
+
+
+
+

+ Your OpenAPI becomes an MCP server +

+

+ Enable MCP once at the spec root and your existing API is agent-callable. + Authentication, rate limits, validation, and audit logging all apply to tool + calls, because they are just HTTP requests in disguise. +

+
+ +
+
+ 
# Enable MCP for the whole API
+x-barbacane-mcp:
+  enabled: true
+  server_name: Orders API
+  server_version: 1.0.0
+
+paths:
+  /orders/{id}:
+    get:
+      operationId: getOrder
+      summary: Fetch an order by id
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: id
+          in: path
+          required: true
+          schema: { type: string }
+      responses:
+        '200':
+          description: Order
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Order'
+
+  /admin/orders/purge:
+    delete:
+      operationId: purgeOrders
+      summary: Purge archived orders
+      # Hide this one from agents
+      x-barbacane-mcp:
+        enabled: false
+
+ +
+
+

Agents discover your tools

+

+ Barbacane exposes a JSON-RPC 2.0 MCP endpoint at + /__barbacane/mcp. Each operation becomes a + typed tool, with the name taken from operationId, + the description from summary, and input and + output schemas merged from your parameters, body, and responses. +

+
+
+

Calls run through your middleware

+

+ Tool calls are HTTP requests. They pass through authentication, authorization, + rate limits, validation, transformations, and observability like any other + request. No shadow stack, no drift. +

+
+
+

Opt out what agents should not see

+

+ By default every operation is a tool. Add + x-barbacane-mcp: { enabled: false } + to any operation you want to hide, such as admin endpoints or destructive + actions. +

+
+
+
+
+
+
+ + +
+
+
+
+

+ AI governance, built in +

+

+ Four middlewares compose like any other Barbacane plugin. Named profiles, + CEL expressions, fail-closed on misconfiguration. +

+
+ +
+
+
+ + + +
+

Prompt guard

+

+ PII redaction, regex allow and deny lists, shape constraints on inbound prompts. + Shift-left validation at lint time. +

+
+ +
+
+ + + +
+

Token limits

+

+ Token-based sliding windows per consumer, per operation, per tenant. + Stop runaway agents before they cost you money. +

+
+ +
+
+ + + +
+

Cost tracking

+

+ Per-operation spend observability as Prometheus metrics. Budget alerts and + cost attribution across tenants and agents. +

+
+ +
+
+ + + +
+

Response guard

+

+ Output scrubbing, schema re-validation, and policy checks before responses + reach the agent. Fail closed on misconfiguration. +

+
+
+
+
+
+
@@ -134,14 +293,28 @@ import Layout from '../layouts/Layout.astro';

- Everything you need in an API gateway + One gateway for your APIs and your agents

- Built in Rust for speed and safety. Extended with WebAssembly for flexibility. + AI-native features on top of a production-grade, spec-first gateway. + Rust for speed and safety, WebAssembly plugins for extensibility.

+
+
+ + + +
+

MCP server for AI agents

+

+ Expose your API operations as AI-callable tools via the Model Context Protocol. + AI agents discover and call endpoints through JSON-RPC 2.0, one extension to enable. +

+
+
@@ -324,19 +497,6 @@ import Layout from '../layouts/Layout.astro';

-
-
- - - -
-

MCP Server for AI Agents

-

- Expose your API operations as AI-callable tools via the Model Context Protocol. - AI agents discover and call endpoints through JSON-RPC 2.0 — one extension to enable. -

-
-
From 958aeb51b11df480ad54b7d0de48983047406f84 Mon Sep 17 00:00:00 2001 From: Nicolas Dreno Date: Thu, 23 Apr 2026 12:02:55 +0200 Subject: [PATCH 2/8] feat(site): audience-oriented nav, /mcp and /platform landing pages, AI cards in the homepage feature grid Reframe the site IA around the two buyer personas the strategic audit identifies and bring the homepage feature grid in line with the new AI-gateway positioning. New landing pages: - /mcp/ - For AI teams. Hero, MCP category explainer, four-step quickstart (add extension, vacuum lint, barbacane compile, serve), how it works, AI governance highlights, persona use cases, FAQ, CTA. Technical copy verified against docs.barbacane.dev/guide/mcp.html and /guide/vacuum.html. - /platform/ - For platform teams. Hero, two-sources-of-truth problem, three-step how-it-works, platform-oriented feature grid (9 cards), persona use cases (internal developer platforms, API governance at scale, legacy gateway modernization), FAQ, CTA. Nav (desktop + mobile + footer): - "AI teams" -> /mcp/ - "Platform teams" -> /platform/ - "Docs" promoted from right-side CTA button to a primary nav item - "Blog", "Pricing" dropdown, "GitHub" unchanged - Removed: anchor-only "Features" and "Use Cases" items that jumped to homepage sections and broke when viewed from other pages - Right-side actions narrowed to theme toggle plus a single "Get started" CTA - Footer tagline and Product column updated to the new positioning Homepage feature grid: - "29 WASM Plugins" renamed to "Every plugin you need" so the copy stays accurate as the plugin suite grows - Four weaker cards replaced with AI governance cards, keeping the grid balanced at 18: - Edge Ready -> AI prompt guard - S3 Storage Proxy -> AI token limits - Bot Detection -> AI cost tracking - Remote Plugin Loading -> AI response guard Same PR #67 coupling as the earlier homepage repositioning: the AI governance cards claim features from gateway PR #67, which is still open. Do not deploy this branch to production before that PR merges. --- src/layouts/Layout.astro | 22 +- src/pages/index.astro | 39 ++-- src/pages/mcp.astro | 491 +++++++++++++++++++++++++++++++++++++++ src/pages/platform.astro | 443 +++++++++++++++++++++++++++++++++++ 4 files changed, 966 insertions(+), 29 deletions(-) create mode 100644 src/pages/mcp.astro create mode 100644 src/pages/platform.astro diff --git a/src/layouts/Layout.astro b/src/layouts/Layout.astro index 64d03bc..fa04937 100644 --- a/src/layouts/Layout.astro +++ b/src/layouts/Layout.astro @@ -134,8 +134,9 @@ const structuredData = type === 'article' && article @@ -422,13 +423,13 @@ paths:
- +
-

Edge Ready

+

AI prompt guard

- Service planes are lightweight compiled artifacts. Deploy anywhere — - cloud, on-prem, edge locations, or embedded devices. + PII redaction, regex allow and deny lists, and schema constraints on inbound + prompts. Shift-left validation at lint time, fail-closed in production.

@@ -461,13 +462,13 @@ paths:
- +
-

S3 Storage Proxy

+

AI token limits

- Proxy requests to AWS S3 or S3-compatible storage (MinIO, RustFS, Ceph) with - SigV4 signing. Single-bucket CDN or multi-bucket routing. + Token-based sliding windows per consumer, per operation, per tenant. Stop + runaway agents before they cost you money.

@@ -487,13 +488,13 @@ paths:
- +
-

Bot Detection

+

AI cost tracking

- Block scrapers and unwanted bots by User-Agent pattern matching. - Allow/deny lists with configurable responses. + Per-operation LLM spend as Prometheus metrics. Budget alerts and cost + attribution across tenants, teams, and agents.

@@ -526,13 +527,13 @@ paths:
- +
-

Remote Plugin Loading

+

AI response guard

- Load plugins from HTTPS URLs at compile time with optional SHA-256 integrity verification. - Local cache with checksum-based invalidation for fast rebuilds. + Output scrubbing, schema re-validation, and policy checks before responses + reach the agent. Fail closed on misconfiguration.

diff --git a/src/pages/mcp.astro b/src/pages/mcp.astro new file mode 100644 index 0000000..03f89f3 --- /dev/null +++ b/src/pages/mcp.astro @@ -0,0 +1,491 @@ +--- +import Layout from '../layouts/Layout.astro'; +--- + + + +
+
+
+
+
+ + MCP native · Open source · AGPLv3 +
+ +

+ The open-source + MCP gateway +

+ +

+ Make your existing APIs agent-callable in five minutes. Barbacane compiles your + OpenAPI spec into a Rust-native MCP tool server, with authentication, rate limits, + validation, and AI governance in the same middleware chain your HTTP clients + already use. +

+ +
+ + Try in 5 minutes + + + + + + + + + View on GitHub + +
+
+
+
+ + +
+
+
+

What is an MCP gateway?

+

+ Model Context Protocol (MCP) is the open standard for exposing tools to AI agents. + Most teams adopting MCP quickly hit the same problem: every internal API becomes a + separate tool server, each with its own auth story, its own observability story, + its own blast-radius story. A gap between what your agent can do and what your + platform team can approve. +

+

+ An MCP gateway fixes that. It sits in front of your existing APIs, translates + agent tool calls into HTTP requests, and applies the middleware chain every + request already uses: authentication, authorization, rate limits, validation, + transformations, observability. One artifact, one blast radius, one audit trail. +

+

+ Barbacane is the open-source MCP gateway built for that job. Rust-native, + spec-first, AGPLv3. +

+
+
+
+ + +
+
+
+
+

+ From OpenAPI to MCP in 5 minutes +

+

+ Four steps. No rewrite, no parallel tool server, no shadow stack. +

+
+ +
+
+
+
+ 1 +
+
+

Add MCP to your spec

+

+ Enable at the document root. Every operation with an + operationId and a + summary becomes a tool. Opt out of + admin or destructive operations per-path with + enabled: false. +

+
+ 
x-barbacane-mcp:
+  enabled: true
+  server_name: Orders API
+  server_version: 1.0.0
+
+
+
+
+ +
+
+
+ 2 +
+
+

Lint the spec, shift-left

+

+ Run the Barbacane vacuum ruleset + in your editor, a pre-commit hook, or CI. It catches missing + operationIds, security + misconfiguration, and MCP gaps before the compiler ever sees the spec. +

+
+ 
vacuum lint \
+  -f .barbacane/rulesets/functions \
+  api.yaml
+
+
+
+
+ +
+
+
+ 3 +
+
+

Compile the artifact

+

+ The compiler synthesises tool schemas from your parameters and responses + and produces a single deployable binary. It also emits warnings + (E1060, E1061) + if an MCP-exposed operation is missing an + operationId or description, as a second + line of defence after the lint. +

+
+ 
barbacane compile \
+  --spec api.yaml \
+  --manifest barbacane.yaml \
+  --output api.bca
+
+
+
+
+ +
+
+
+ 4 +
+
+

Serve and connect your agent

+

+ Point any MCP-compatible agent at the JSON-RPC endpoint. Tool calls pass + through the same authentication, rate-limit, and validation middleware as + any HTTP request. +

+
+ 
barbacane serve --artifact api.bca
+
+# Agent connects to:
+# POST http://localhost:8080/__barbacane/mcp
+
+
+
+
+
+ +
+ + Read the full MCP guide + +
+
+
+
+ + +
+
+
+
+

How it works

+

+ The MCP server is not a separate runtime. It is a thin translation layer in + front of the request pipeline your HTTP clients already trust. +

+
+ +
+
+
+ 1 +
+

Shift-left lint

+

+ The vacuum ruleset + runs in your editor, pre-commit hook, or CI, before + barbacane compile ever sees the spec. + Missing operationIds, missing descriptions, + and security misconfigurations fail the lint, not production. +

+
+ +
+
+ 2 +
+

Schema synthesis

+

+ Input schema is merged from path, query, and body parameters. Output schema + comes from your 200 response. Agents see typed tools with no extra work on + your side. +

+
+ +
+
+ 3 +
+

JSON-RPC 2.0 endpoint

+

+ Agents call POST /__barbacane/mcp with + standard MCP methods: tools/list, + tools/call, and session lifecycle. +

+
+ +
+
+ 4 +
+

Middleware pass-through

+

+ Tool calls route through the same auth, rate-limit, validation, + transformation, and observability chain as any HTTP request. The + Authorization header is forwarded; audit + logs capture every call. +

+
+
+
+
+
+ + +
+
+
+
+

AI governance, built in

+

+ Four middlewares compose like any other Barbacane plugin. Named profiles, + CEL expressions, fail-closed on misconfiguration. +

+
+ +
+
+
+ + + +
+

Prompt guard

+

+ PII redaction, regex allow and deny lists, shape constraints on inbound + prompts. Shift-left validation at lint time. +

+
+ +
+
+ + + +
+

Token limits

+

+ Token-based sliding windows per consumer, per operation, per tenant. + Stop runaway agents before they cost you money. +

+
+ +
+
+ + + +
+

Cost tracking

+

+ Per-operation spend observability as Prometheus metrics. Budget alerts and + cost attribution across tenants and agents. +

+
+ +
+
+ + + +
+

Response guard

+

+ Output scrubbing, schema re-validation, and policy checks before responses + reach the agent. Fail closed on misconfiguration. +

+
+
+
+
+
+ + +
+
+
+
+

Built for these teams

+
+ +
+
+

Platform teams

+

+ Give every product team one-line MCP access to internal APIs, without each + one shipping and operating its own MCP server. +

+
    +
  • + + Central tool catalog per tenant +
    • +
  • + + Consistent auth and rate limits +
    • +
  • + + One audit trail for tool calls +
    • +
+
+ +
+

AI product builders

+

+ Ship agents that can safely call your production APIs. Auth enforced, rate + limits applied, tokens capped, cost tracked per agent and tenant. +

+
    +
  • + + Typed tool schemas from OpenAPI +
    • +
  • + + Per-operation opt-out for admin routes +
    • +
  • + + AI governance middlewares +
    • +
+
+ +
+

Regulated-industry CIOs

+

+ MCP your security, audit, and compliance teams can approve. Single gateway, + clear blast radius, fail-closed defaults, FIPS 140-3 option. +

+
    +
  • + + AGPLv3, no vendor lock-in +
    • +
  • + + Self-hostable on-prem or air-gapped +
    • +
  • + + Artifact provenance and drift detection +
    • +
+
+
+
+
+
+ + +
+
+
+

Frequently asked

+ +
+
+

Do I need to rewrite my APIs?

+

+ No. Barbacane sits in front of your existing HTTP services. Tool calls are + translated into the same HTTP requests your clients already make, no + separate tool server to build or operate. +

+
+ +
+

How is this different from an AI gateway?

+

+ Outbound AI gateways (Portkey, LiteLLM, Cloudflare AI Gateway) sit between + your agent and an LLM provider. Barbacane is an inbound AI gateway: it sits + between an agent and your APIs, exposing them as MCP tools. You can + run both side by side; they solve different problems. +

+
+ +
+

Which MCP transport is supported?

+

+ JSON-RPC 2.0 over HTTP POST on + /__barbacane/mcp. Session termination via + DELETE on the same path. No SSE dependency. +

+
+ +
+

Can I hide admin endpoints from agents?

+

+ Yes. Add x-barbacane-mcp: { enabled: false } + to any operation you want to exclude. Everything else stays a normal HTTP + endpoint. +

+
+ +
+

Does authentication pass through?

+

+ Yes. The Authorization header from the MCP + request is forwarded into the internal dispatch, where your + jwt-auth, apikey-auth, + or OAuth2 middleware validates it like any other request. +

+
+
+
+
+
+ + +
+
+
+
+

+ Ready to make your APIs agent-callable? +

+

+ Read the docs, star the repo, or bring Barbacane into an internal platform + pilot. +

+ +
+ + Read the docs + + + View on GitHub + +
+
+
+
+
+ diff --git a/src/pages/platform.astro b/src/pages/platform.astro new file mode 100644 index 0000000..e53c9e7 --- /dev/null +++ b/src/pages/platform.astro @@ -0,0 +1,443 @@ +--- +import Layout from '../layouts/Layout.astro'; +--- + + + +
+
+
+
+
+ + Spec-first · Open source · AGPLv3 +
+ +

+ The spec-first API gateway for + platform teams +

+ +

+ Your OpenAPI spec is your gateway configuration. Authentication, authorization, + rate limits, validation, and transformations compile from the same file your API + is documented in. No drift, no reconciliation work, no silent security gaps. +

+ +
+ + See how it works + + + + + + + + + View on GitHub + +
+
+
+
+ + +
+
+
+

Two sources of truth, one problem

+

+ Most platform teams maintain an OpenAPI spec (what the API is supposed to do) and + a gateway config (what the API actually does at the edge). The two drift apart + the day they are both written, and stay drifted. +

+

+ Every drift is either wasted time reconciling, a bug shipping to production, or a + silent policy gap waiting to become a security incident. At a certain size, the + reconciliation is the platform team's day job. +

+

+ Barbacane has one source: the spec. Auth, rate limits, validation, + transformations, and routing all compile from it. Drift is impossible because + there is only one place to change anything. +

+
+
+
+ + +
+
+
+
+

+ One spec, one compile, zero drift +

+

+ Three steps, fully reproducible, all in your version control. +

+
+ +
+
+
+ 1 +
+

Write your spec

+

+ OpenAPI or AsyncAPI, annotated with + x-barbacane-* extensions for auth, rate + limits, routing, and policy. One file per service. +

+
+ +
+
+ 2 +
+

Compile the artifact

+

+ barbacane compile validates, resolves + references, and packages your spec into one deployable binary. Invalid specs + never reach production. +

+
+ +
+
+ 3 +
+

Deploy and serve

+

+ Push the artifact to a data plane. Hot-reload, zero-downtime deploys, and + drift detection. Data planes keep serving even if the control plane is + offline. +

+
+
+
+
+
+ + +
+
+
+
+

Everything platform teams need

+

+ Compiled from the spec, enforced at the edge. No extra config files, no shadow + policies. +

+
+ +
+
+
+ + + +
+

Request validation

+

+ Automatic JSON Schema validation for bodies, parameters, and headers, with + full $ref resolution. Invalid requests + never reach your upstreams. +

+
+ +
+
+ + + +
+

Authentication

+

+ Five built-in auth plugins: JWT, OIDC, OAuth2, API Key, Basic. Configured + directly in your OpenAPI security schemes. +

+
+ +
+
+ + + +
+

Authorization

+

+ Policy-driven access control with inline CEL expressions, Open Policy Agent + integration, and consumer-based ACLs. Zero-trust at the gateway. +

+
+ +
+
+ + + +
+

Rust performance

+

+ Sub-microsecond routing and validation. Built on Tokio and Hyper. Memory + safety without a garbage collector. +

+
+ +
+
+ + + +
+

Every plugin you need

+

+ Built-in WebAssembly plugins for auth, security, traffic control, + transformations, and observability. Sandboxed execution means a faulty + plugin cannot crash the gateway; write your own when the built-ins do not + cover your case. +

+
+ +
+
+ + + +
+

Observability

+

+ Prometheus metrics, OpenTelemetry traces, structured logging. Full visibility + into every request with no extra instrumentation on your upstreams. +

+
+ +
+
+ + + +
+

Control and data plane split

+

+ Autonomous data planes that keep serving traffic even if the control plane is + offline. Push deployments, hot-reload, drift detection, provenance in every + artifact. +

+
+ +
+
+ + + +
+

Request transformation

+

+ Declarative transformations on headers, query params, paths, and JSON bodies + before requests reach your upstreams. Variable interpolation with capture + groups. +

+
+ +
+
+ + + +
+

FIPS 140-3 ready

+

+ Built on rustls with AWS-LC, a NIST-certified FIPS 140-3 cryptographic + module. Enable FIPS mode with a single feature flag. No OpenSSL dependency. +

+
+
+ +
+ See the full feature list +
+
+
+
+ + +
+
+
+
+

Built for these teams

+
+ +
+
+

Internal developer platforms

+

+ Product teams write OpenAPI specs. The platform does the rest: auth, rate + limits, validation, observability. Self-service without the governance + compromises. +

+
    +
  • + + Spec-first publishing workflow +
    • +
  • + + Centralized policy, distributed ownership +
    • +
  • + + One audit trail across services +
    • +
+
+ +
+

API governance at scale

+

+ Express and enforce consistent auth, rate limits, and security policies + across hundreds of services. Changes ship by PR, not by ticket. +

+
    +
  • + + Shift-left lint with vacuum rulesets +
    • +
  • + + Fail-closed defaults on misconfiguration +
    • +
  • + + Artifact provenance and drift detection +
    • +
+
+ +
+

Legacy gateway modernization

+

+ Migrating from Kong, Apigee, or Tyk? The + strangler fig pattern + works naturally. Add Barbacane in front, migrate routes one by one, retire + the legacy stack when you are ready. +

+
    +
  • + + Incremental migration path +
    • +
  • + + No vendor lock-in, AGPLv3 +
    • +
  • + + On-prem, cloud, edge, or air-gapped +
    • +
+
+
+
+
+
+ + +
+
+
+

Frequently asked

+ +
+
+

How is this different from Kong, Apigee, or Tyk?

+

+ Those gateways ship with their own config DSL. Your OpenAPI spec is a + parallel document you have to keep in sync with the gateway. Barbacane + inverts that: the spec is the config. There is no second source of + truth to drift from. +

+
+ +
+

Does it work with my existing OpenAPI specs?

+

+ Yes. Add x-barbacane-* extensions where you + need gateway behaviour. Existing fields (security schemes, parameters, + responses) are already interpreted. Specs stay portable to other tools. +

+
+ +
+

Can I add custom logic?

+

+ Yes, via WebAssembly plugins. Barbacane ships a full suite of official + plugins and lets you write your own in any WASM-compiling language. Plugins + are sandboxed, so a faulty plugin cannot crash the gateway. +

+
+ +
+

How does it deploy?

+

+ A compiled artifact is a single binary. Run it anywhere: Kubernetes, bare + metal, on-prem VMs, edge locations, air-gapped environments. The control + plane and data planes are independent, so data planes keep serving even if + the control plane is offline. +

+
+ +
+

AGPLv3. Can I use it commercially?

+

+ Yes. Small teams and non-profits get a free commercial license. Larger + organisations can buy a paid commercial license. Either way, every feature is + open source, no gated enterprise tier. + See pricing for + details. +

+
+ +
+

Does it support event-driven systems?

+

+ Yes. Barbacane reads AsyncAPI specs and bridges HTTP to Kafka, NATS, or AWS + Lambda. The same spec-first, compile-safe workflow applies. +

+
+
+
+
+
+ + +
+
+
+
+

+ Ready to cut your gateway drift to zero? +

+

+ Read the docs, star the repo, or bring Barbacane into a platform pilot. +

+ +
+ + Read the docs + + + View on GitHub + +
+
+
+
+
+ From cd75c9f4735c75bc104f06d9506497a952645587 Mon Sep 17 00:00:00 2001 From: Nicolas Dreno Date: Thu, 23 Apr 2026 12:07:56 +0200 Subject: [PATCH 3/8] fix(blog): expand index subtitle to cover MCP and AI topics The blog subtitle and meta description still framed the content as API-gateway-only. Existing posts already lean in that direction, but the next wave of articles (canonical "What is an MCP gateway", comparison pieces, AI governance explainers) is MCP and AI focused, so the blog index should set that expectation up front. --- src/pages/blog/index.astro | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/pages/blog/index.astro b/src/pages/blog/index.astro index bebffa2..bfcb436 100644 --- a/src/pages/blog/index.astro +++ b/src/pages/blog/index.astro @@ -21,7 +21,7 @@ function formatDate(date: Date): string {
@@ -30,7 +30,8 @@ function formatDate(date: Date): string { Blog

- Articles about API gateways, spec-driven development, and building with Rust and WASM. + Articles on MCP gateways, AI governance, API gateways, spec-driven development, + and building with Rust and WASM.

From 63c048a3f7a9f99186a9f1566fac2e7a7b81b34c Mon Sep 17 00:00:00 2001 From: Nicolas Dreno Date: Thu, 23 Apr 2026 14:18:46 +0200 Subject: [PATCH 4/8] feat(site): Option A - unify /mcp and the outbound AI story under /ai Second-pass pass on the website to reflect what Barbacane actually does. After verifying against docs.barbacane.dev/guide/dispatchers.html#ai-proxy, adr/0024-ai-gateway-plugin.md, and PRs #67 / #69, it was clear the previous positioning underclaimed by roughly half: Barbacane is a full AI gateway in BOTH directions (outbound ai-proxy to OpenAI / Anthropic / Ollama, and inbound MCP from agents to your APIs), plus a spec-first API gateway. Changes: - New /ai/ landing page covering both directions. Hero, "two directions" overview, dedicated outbound section (ai-proxy with fallback + policy routing), dedicated inbound section (MCP, distilled from the old /mcp page), AI governance middleware cards, "one gateway not three" positioning argument, use cases across three personas, FAQ, CTA. - Old /mcp/ page removed. A redirect from /mcp/ to /ai/ is configured in astro.config.mjs, which Astro emits as a proper meta-refresh page with canonical link for SEO. Existing blog-article /mcp/ links continue to work via the redirect. - Homepage hero reworded to lead with "One AI gateway, both directions" instead of the narrower MCP-only framing. Primary CTA now jumps to /ai/. Badge updated from "MCP native" to "AI gateway". - Homepage gains a new "Your app calls LLMs through one dispatcher" section showing the ai-proxy config (OpenAI primary, Anthropic + Ollama fallback), sitting alongside the existing "Your OpenAPI becomes an MCP server" section. Together they tell the both-directions story above the fold. - Layout.astro default description, footer tagline, and nav URL updated for the new positioning. "AI teams" nav entry now points to /ai/. Technical copy verified against the three sources above. Template interpolation in the ai-proxy YAML examples is HTML-entity-escaped (${'{'}...{'}'} -> ${...}) to avoid Astro interpreting it as JSX. Same PR #67 coupling as before: the four AI governance middleware cards depend on PR #67 landing. --- astro.config.mjs | 3 + src/layouts/Layout.astro | 12 +- src/pages/ai.astro | 596 +++++++++++++++++++++++++++++++++++++++ src/pages/index.astro | 100 ++++++- src/pages/mcp.astro | 491 -------------------------------- 5 files changed, 693 insertions(+), 509 deletions(-) create mode 100644 src/pages/ai.astro delete mode 100644 src/pages/mcp.astro diff --git a/astro.config.mjs b/astro.config.mjs index 2592aa5..d677740 100644 --- a/astro.config.mjs +++ b/astro.config.mjs @@ -6,6 +6,9 @@ export default defineConfig({ integrations: [tailwind(), sitemap()], site: 'https://barbacane.dev', trailingSlash: 'always', + redirects: { + '/mcp/': '/ai/', + }, markdown: { shikiConfig: { themes: { diff --git a/src/layouts/Layout.astro b/src/layouts/Layout.astro index fa04937..e327dc9 100644 --- a/src/layouts/Layout.astro +++ b/src/layouts/Layout.astro @@ -15,7 +15,7 @@ interface Props { const { title, - description = "Barbacane is the open-source AI gateway that turns any OpenAPI spec into an MCP tool server, with built-in prompt guarding, token limits, cost tracking, and response guarding. Rust-native and spec-first.", + description = "Barbacane is the open-source AI gateway, both directions. Route LLM calls through OpenAI, Anthropic, or Ollama outbound. Expose your APIs to AI agents as typed MCP tools inbound. Rust-native, spec-first, composed from dispatchers and middlewares.", type = 'website', article, ogImage: customOgImage, @@ -134,7 +134,7 @@ const structuredData = type === 'article' && article
From 5ecda7c205646853c90d0be9ea8f7c854aa6928e Mon Sep 17 00:00:00 2001 From: Nicolas Dreno Date: Thu, 23 Apr 2026 14:45:16 +0200 Subject: [PATCH 7/8] fix(site): Shiki syntax highlighting on /ai and homepage; blog trailing slashes Two small but visible issues: 1. Syntax highlighting. The OpenAPI YAML examples on /ai/ and the homepage were hand-rolled 
 blocks with no highlighting.
   Swapped them for Astro's  component (backed by Shiki), passing
   dual themes ({ light: github-light, dark: github-dark }) so the
   highlighting follows the site's theme toggle. Matches the rendering
   of YAML snippets in blog posts. As a side benefit, the YAML lives in
   frontmatter constants now, so the template-literal $ escaping is
   handled by the JS template string instead of HTML entities.

2. Trailing-slash 404s on blog links. astro.config.mjs sets
   trailingSlash: 'always', but /src/pages/blog/index.astro emitted
   hrefs like /blog/compliance-by-construction-part-1 without the final
   slash, producing the "404: Not found - Your site is configured with
   trailingSlash set to always" page. Both occurrences (title link and
   "Read more" link) now include the trailing slash.
---
 src/pages/ai.astro         | 145 ++++++++++++++++++++-----------------
 src/pages/blog/index.astro |   4 +-
 src/pages/index.astro      | 119 ++++++++++++++++--------------
 3 files changed, 143 insertions(+), 125 deletions(-)

diff --git a/src/pages/ai.astro b/src/pages/ai.astro
index cab8dd8..b4468f1 100644
--- a/src/pages/ai.astro
+++ b/src/pages/ai.astro
@@ -1,5 +1,78 @@
 ---
+import { Code } from 'astro:components';
 import Layout from '../layouts/Layout.astro';
+
+const outboundYaml = `paths:
+  /v1/chat/completions:
+    post:
+      operationId: chatCompletion
+      summary: Route LLM chat completion requests
+      x-barbacane-dispatch:
+        name: ai-proxy
+        config:
+          provider: openai
+          model: gpt-4o
+          api_key: "\${OPENAI_API_KEY}"
+          timeout: 120
+
+          # Tried in order on 5xx / timeout
+          fallback:
+            - provider: anthropic
+              model: claude-sonnet-4-20250514
+              api_key: "\${ANTHROPIC_API_KEY}"
+            - provider: ollama
+              model: llama3
+              base_url: http://ollama:11434
+
+          # Named targets for policy-driven routing
+          targets:
+            local:
+              provider: ollama
+              model: mistral
+              base_url: http://ollama:11434
+            premium:
+              provider: anthropic
+              model: claude-opus-4-6
+              api_key: "\${ANTHROPIC_API_KEY}"
+          default_target: local
+`;
+
+const inboundYaml = `# Enable MCP for the whole API
+x-barbacane-mcp:
+  enabled: true
+  server_name: Orders API
+  server_version: 1.0.0
+
+paths:
+  /orders/{id}:
+    get:
+      operationId: getOrder
+      summary: Fetch an order by id
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: id
+          in: path
+          required: true
+          schema: { type: string }
+      responses:
+        '200':
+          description: Order
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Order'
+
+  /admin/orders/purge:
+    delete:
+      operationId: purgeOrders
+      summary: Purge archived orders
+      # Hide this one from agents
+      x-barbacane-mcp:
+        enabled: false
+`;
+
+const codeThemes = { light: 'github-light', dark: 'github-dark' };
 ---
 
 
 
         

-          

-            
paths:
-  /v1/chat/completions:
-    post:
-      operationId: chatCompletion
-      summary: Route LLM chat completion requests
-      x-barbacane-dispatch:
-        name: ai-proxy
-        config:
-          provider: openai
-          model: gpt-4o
-          api_key: "${OPENAI_API_KEY}"
-          timeout: 120
-
-          # Tried in order on 5xx / timeout
-          fallback:
-            - provider: anthropic
-              model: claude-sonnet-4-20250514
-              api_key: "${ANTHROPIC_API_KEY}"
-            - provider: ollama
-              model: llama3
-              base_url: http://ollama:11434
-
-          # Named targets for policy-driven routing
-          targets:
-            local:
-              provider: ollama
-              model: mistral
-              base_url: http://ollama:11434
-            premium:
-              provider: anthropic
-              model: claude-opus-4-6
-              api_key: "${ANTHROPIC_API_KEY}"
-          default_target: local

+          

+            
           

 
           

@@ -218,40 +259,8 @@ import Layout from '../layouts/Layout.astro';
         

 
         

-          

-            
# Enable MCP for the whole API
-x-barbacane-mcp:
-  enabled: true
-  server_name: Orders API
-  server_version: 1.0.0
-
-paths:
-  /orders/{id}:
-    get:
-      operationId: getOrder
-      summary: Fetch an order by id
-      security:
-        - bearerAuth: []
-      parameters:
-        - name: id
-          in: path
-          required: true
-          schema: { type: string }
-      responses:
-        '200':
-          description: Order
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/Order'
-
-  /admin/orders/purge:
-    delete:
-      operationId: purgeOrders
-      summary: Purge archived orders
-      # Hide this one from agents
-      x-barbacane-mcp:
-        enabled: false

+          

+            
           

 
           

diff --git a/src/pages/blog/index.astro b/src/pages/blog/index.astro
index bfcb436..62f1bec 100644
--- a/src/pages/blog/index.astro
+++ b/src/pages/blog/index.astro
@@ -43,7 +43,7 @@ function formatDate(date: Date): string {
                 {formatDate(post.data.publishDate)}
               
               

-                
+                
                   {post.data.title}
                 
               

@@ -62,7 +62,7 @@ function formatDate(date: Date): string {
                 

               )}
               
                 Read more
diff --git a/src/pages/index.astro b/src/pages/index.astro
index b981154..eebbede 100644
--- a/src/pages/index.astro
+++ b/src/pages/index.astro
@@ -1,5 +1,65 @@
 ---
+import { Code } from 'astro:components';
 import Layout from '../layouts/Layout.astro';
+
+const mcpYaml = `# Enable MCP for the whole API
+x-barbacane-mcp:
+  enabled: true
+  server_name: Orders API
+  server_version: 1.0.0
+
+paths:
+  /orders/{id}:
+    get:
+      operationId: getOrder
+      summary: Fetch an order by id
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: id
+          in: path
+          required: true
+          schema: { type: string }
+      responses:
+        '200':
+          description: Order
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Order'
+
+  /admin/orders/purge:
+    delete:
+      operationId: purgeOrders
+      summary: Purge archived orders
+      # Hide this one from agents
+      x-barbacane-mcp:
+        enabled: false
+`;
+
+const aiProxyYaml = `paths:
+  /v1/chat/completions:
+    post:
+      operationId: chatCompletion
+      summary: Route LLM chat completion
+      x-barbacane-dispatch:
+        name: ai-proxy
+        config:
+          provider: openai
+          model: gpt-4o
+          api_key: "\${OPENAI_API_KEY}"
+
+          # Tried in order on 5xx / timeout
+          fallback:
+            - provider: anthropic
+              model: claude-sonnet-4-20250514
+              api_key: "\${ANTHROPIC_API_KEY}"
+            - provider: ollama
+              model: llama3
+              base_url: http://ollama:11434
+`;
+
+const codeThemes = { light: 'github-light', dark: 'github-dark' };
 ---
 
 
@@ -59,40 +119,8 @@ import Layout from '../layouts/Layout.astro';
         

 
         

-          

-            
# Enable MCP for the whole API
-x-barbacane-mcp:
-  enabled: true
-  server_name: Orders API
-  server_version: 1.0.0
-
-paths:
-  /orders/{id}:
-    get:
-      operationId: getOrder
-      summary: Fetch an order by id
-      security:
-        - bearerAuth: []
-      parameters:
-        - name: id
-          in: path
-          required: true
-          schema: { type: string }
-      responses:
-        '200':
-          description: Order
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/Order'
-
-  /admin/orders/purge:
-    delete:
-      operationId: purgeOrders
-      summary: Purge archived orders
-      # Hide this one from agents
-      x-barbacane-mcp:
-        enabled: false

+          

+            
           

 
           

@@ -145,27 +173,8 @@ paths:
         

 
         

-          

-            
paths:
-  /v1/chat/completions:
-    post:
-      operationId: chatCompletion
-      summary: Route LLM chat completion
-      x-barbacane-dispatch:
-        name: ai-proxy
-        config:
-          provider: openai
-          model: gpt-4o
-          api_key: "${OPENAI_API_KEY}"
-
-          # Tried in order on 5xx / timeout
-          fallback:
-            - provider: anthropic
-              model: claude-sonnet-4-20250514
-              api_key: "${ANTHROPIC_API_KEY}"
-            - provider: ollama
-              model: llama3
-              base_url: http://ollama:11434

+          

+            
           

 
           


From 5e93eec08318e523948af739a59a84dfb1c22758 Mon Sep 17 00:00:00 2001
From: Nicolas Dreno 
Date: Thu, 23 Apr 2026 14:51:57 +0200
Subject: [PATCH 8/8] fix(blog): add trailing slash to shared postUrl for
 Twitter/LinkedIn links

The canonical postUrl used for Twitter and LinkedIn share buttons was
emitted as https://barbacane.dev/blog/ without the trailing slash.
With trailingSlash: 'always', someone clicking a shared link lands on a
404. Fixed to include the trailing slash.

All other /blog/ references audited (nav, footer, platform link,
ai page link, back-to-blog link, inter-article markdown links) already
use trailing slashes.
---
 src/pages/blog/[slug].astro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pages/blog/[slug].astro b/src/pages/blog/[slug].astro
index 8a8e54c..d8702a1 100644
--- a/src/pages/blog/[slug].astro
+++ b/src/pages/blog/[slug].astro
@@ -25,7 +25,7 @@ function formatDate(date: Date): string {
 }
 
 const readingTime = Math.ceil((post.body?.split(/\s+/).length ?? 0) / 200);
-const postUrl = `https://barbacane.dev/blog/${post.id}`;
+const postUrl = `https://barbacane.dev/blog/${post.id}/`;
 ---