bamboo-server 2026.4.27

HTTP server and API layer for the Bamboo agent framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118

use crate::{
    app_state::{AppState, ConfigUpdateEffects},
    error::AppError,
};
use actix_web::{web, HttpResponse};

use super::types::ProxyAuthPayload;

/// Sets proxy authentication credentials
///
/// # HTTP Route
/// `POST /bamboo/proxy-auth`
///
/// # Request Body
/// ```json
/// {
///   "username": "user",
///   "password": "pass"
/// }
/// ```
///
/// # Response Format
/// ```json
/// {
///   "success": true
/// }
/// ```
///
/// # Response Status
/// - `200 OK`: Proxy auth saved and provider reloaded
/// - `500 Internal Server Error`: Failed to save or reload
///
/// # Security
/// Credentials are encrypted before storage in config.json.
///
/// # Example
/// ```bash
/// curl -X POST http://localhost:3000/bamboo/proxy-auth \
///   -H "Content-Type: application/json" \
///   -d '{"username": "user", "password": "pass"}'
/// ```
pub async fn set_proxy_auth(
    app_state: web::Data<AppState>,
    payload: web::Json<ProxyAuthPayload>,
) -> Result<HttpResponse, AppError> {
    let auth = payload.into_inner().into_proxy_auth();

    app_state
        .update_config(
            move |config| {
                config.proxy_auth = auth;
                config.refresh_proxy_auth_encrypted().map_err(|e| {
                    AppError::InternalError(anyhow::anyhow!(
                        "Failed to encrypt proxy auth before save: {e}"
                    ))
                })?;
                Ok(())
            },
            ConfigUpdateEffects {
                // Best-effort: setup flows often set proxy auth before provider config is complete.
                // Persisting should not fail just because provider init can't happen yet.
                reload_provider: false,
                // Proxy auth can affect SSE-based MCP servers too.
                reconcile_mcp: true,
            },
        )
        .await?;

    if let Err(e) = app_state.reload_provider().await {
        tracing::warn!("Proxy auth updated but provider reload failed: {}", e);
    }

    Ok(HttpResponse::Ok().json(serde_json::json!({ "success": true })))
}

/// Gets proxy authentication status
///
/// # HTTP Route
/// `GET /bamboo/proxy-auth/status`
///
/// # Response Format
/// ```json
/// {
///   "configured": true,
///   "username": "myuser"
/// }
/// ```
///
/// # Response Status
/// - `200 OK`: Status retrieved successfully
///
/// # Note
/// Password is never returned, only whether auth is configured and the username.
///
/// # Example
/// ```bash
/// curl http://localhost:3000/bamboo/proxy-auth/status
/// ```
pub async fn get_proxy_auth_status(
    app_state: web::Data<AppState>,
) -> Result<HttpResponse, AppError> {
    // Defensive: ensure in-memory proxy_auth is hydrated from encrypted fields.
    // Some call paths update config via JSON patching and may only carry encrypted values.
    let mut config = app_state.config.write().await;
    config.hydrate_proxy_auth_from_encrypted();

    if let Some(auth) = config.proxy_auth.as_ref() {
        return Ok(HttpResponse::Ok().json(serde_json::json!({
            "configured": true,
            "username": auth.username,
        })));
    }

    Ok(HttpResponse::Ok().json(serde_json::json!({
        "configured": false,
        "username": serde_json::Value::Null
    })))
}