Harden HTTP surface: explicit idleTimeout, drop /health version, scrub log URLs

- server.ts: set Bun.serve `idleTimeout` explicitly, derived from the upstream
  + proof timeouts (so a request waiting on a slow upstream isn't killed
  mid-flight) and capped at 255s — bounds connections that just sit there.
- /health no longer returns `version` — don't volunteer build info on an
  unauthenticated endpoint. It returns `{ status, airnode }`; the airnode
  address is operationally useful and public anyway. (`airnode --version` for
  the build.)
- logger.ts: strip the query string from any URL in a log line / error message
  / stack (`https://…?api_key=…` → `https://…?[redacted]`). Upstream creds are
  normally in headers, but some APIs — and the fetch errors they produce — put
  them in the query string; keep them out of logs and aggregators.
- Tests + docs updated for the /health shape; logger redaction unit-tested.

(The TLS-proof gateway timeout stays at 30s — zkTLS attestations are
genuinely slow; the right fix for "30s blocking" is a non-blocking proof,
which is a separate change.)

Author: andreogle

book/docs/concepts/architecture.md

@@ -15,7 +15,7 @@ starts, loads the config, and serves requests.
 | ------ | ------------------------- | ---------------------------------------------------- |
 | `POST` | `/endpoints/{endpointId}` | Call an endpoint with parameters in the request body |
 | `GET`  | `/requests/{requestId}`   | Poll an async request for its result                 |
-| `GET`  | `/health`                 | Health check returning version and airnode address   |
+| `GET`  | `/health`                 | Health check (status + airnode address)              |
 
 CORS preflight (`OPTIONS`) is handled automatically. Rate limiting uses a token bucket per client IP, configured via
 `server.rateLimit`.

book/docs/consumers/http-client.md

@@ -208,5 +208,9 @@ uniqueness key.
 curl http://airnode.example.com/health
 ```
 
-Returns the airnode address and version. Use this to verify the server is running and to discover the airnode address
-for signature verification.
+```json
+{ "status": "ok", "airnode": "0x..." }
+```
+
+Use this to verify the server is running and to discover the airnode address for signature verification. (No version
+field — build info isn't exposed on this endpoint.)

book/docs/introduction.md

@@ -181,15 +181,14 @@ curl http://localhost:3000/health
 ```json
 {
   "status": "ok",
-  "version": "2.0.0-alpha.0",
   "airnode": "0x..."
 }
 ```
 
 ## Routes
 
-| Method | Path                      | Description                                   |
-| ------ | ------------------------- | --------------------------------------------- |
-| `POST` | `/endpoints/{endpointId}` | Call an endpoint with parameters              |
-| `GET`  | `/requests/{requestId}`   | Poll an async request for its result          |
-| `GET`  | `/health`                 | Health check with version and airnode address |
+| Method | Path                      | Description                             |
+| ------ | ------------------------- | --------------------------------------- |
+| `POST` | `/endpoints/{endpointId}` | Call an endpoint with parameters        |
+| `GET`  | `/requests/{requestId}`   | Poll an async request for its result    |
+| `GET`  | `/health`                 | Health check (status + airnode address) |

book/docs/operators/deployment.md

@@ -151,7 +151,7 @@ The `AIRNODE_PRIVATE_KEY` controls the airnode's on-chain identity and signs all
 
 ## Health checks
 
-The `/health` endpoint returns the node's status, version, and airnode address:
+The `/health` endpoint returns the node's status and airnode address:
 
 ```bash
 curl http://localhost:3000/health
@@ -160,9 +160,9 @@ curl http://localhost:3000/health
 ```json
 {
   "status": "ok",
-  "version": "2.0.0-alpha.0",
   "airnode": "0x..."
 }
 ```
 
-Use this for Docker `HEALTHCHECK`, load balancer probes, or uptime monitoring.
+Use this for Docker `HEALTHCHECK`, load balancer probes, or uptime monitoring. (To check the binary version, run
+`airnode --version` — the version is deliberately not exposed on `/health`.)

book/docs/operators/index.md

@@ -92,7 +92,6 @@ Expected response:
 ```json
 {
   "status": "ok",
-  "version": "2.0.0-alpha.0",
   "airnode": "0x..."
 }
 ```

integration/scenarios/s20-health.test.ts

@@ -1,5 +1,4 @@
 import { afterAll, beforeAll, describe, expect, test } from 'bun:test';
-import { VERSION } from '../../src/version';
 import { AIRNODE_ADDRESS, createTestServer } from '../helpers';
 import type { TestContext } from '../helpers';
 
@@ -14,14 +13,12 @@ afterAll(() => {
 });
 
 describe('S20 — Health endpoint', () => {
-  test('returns status, version, and airnode address', async () => {
+  test('returns status and the airnode address (no version field)', async () => {
     const response = await fetch(`${ctx.baseUrl}/health`);
-    const body = (await response.json()) as { status: string; version: string; airnode: string };
+    const body = (await response.json()) as Record<string, unknown>;
 
     expect(response.status).toBe(200);
-    expect(body.status).toBe('ok');
-    expect(body.version).toBe(VERSION);
-    expect(body.airnode).toBe(AIRNODE_ADDRESS);
+    expect(body).toEqual({ status: 'ok', airnode: AIRNODE_ADDRESS });
   });
 
   test('returns 404 for unknown routes', async () => {

src/logger.test.ts

@@ -237,3 +237,27 @@ describe('runWithContext', () => {
     expect(result).toBe('async result');
   });
 });
+
+describe('secret redaction', () => {
+  test('strips a URL query string from a log message', () => {
+    logger.error('API call failed: https://api.example.com/v3/price?x_cg_pro_api_key=SUPERSECRET&vs=usd');
+    const output = lastCall(errorMock);
+    expect(output).toContain('https://api.example.com/v3/price?[redacted]');
+    expect(output).not.toContain('SUPERSECRET');
+    expect(output).not.toContain('x_cg_pro_api_key');
+  });
+
+  test('leaves a URL without a query string alone', () => {
+    logger.info('GET https://api.example.com/health 200 3ms');
+    expect(lastCall(infoMock)).toContain('https://api.example.com/health 200 3ms');
+  });
+
+  test('redacts the query string in an Error message and stack (json format)', () => {
+    configureLogger('json');
+    logger.error('upstream unreachable', new Error('connect failed: https://api.example.com/p?token=LEAK'));
+    const entry = JSON.parse(lastCall(errorMock)) as { error: { message: string; stack: string } };
+    expect(entry.error.message).toBe('connect failed: https://api.example.com/p?[redacted]');
+    expect(entry.error.message).not.toContain('LEAK');
+    expect(entry.error.stack).not.toContain('LEAK');
+  });
+});

src/logger.ts

@@ -26,6 +26,15 @@ export function getContext(): LogContext | undefined {
 
 const MIN_MESSAGE_WIDTH = 80;
 
+// Strip the query string from any URL in a log line. Upstream API credentials are
+// usually passed in headers, but some APIs (and the resulting fetch error
+// messages) put them in `?api_key=…`; this keeps them out of logs / aggregators.
+const URL_WITH_QUERY = /(\bhttps?:\/\/[^\s?#"'`<>]*)\?[^\s#"'`<>]*/gi;
+
+function redactSecrets(text: string): string {
+  return text.replaceAll(URL_WITH_QUERY, '$1?[redacted]');
+}
+
 function formatText(level: LogLevel, message: string, context: LogContext | undefined): string {
   const timestamp = new Date().toISOString();
   const paddedMessage = message.padEnd(MIN_MESSAGE_WIDTH);
@@ -40,14 +49,23 @@ function formatJson(level: LogLevel, message: string, context: LogContext | unde
     level,
     message,
     ...(context ? { requestId: context.requestId } : {}),
-    ...(error ? { error: { name: error.name, message: error.message, stack: error.stack } } : {}),
+    ...(error
+      ? {
+          error: {
+            name: error.name,
+            message: redactSecrets(error.message),
+            stack: error.stack ? redactSecrets(error.stack) : undefined,
+          },
+        }
+      : {}),
   };
 
   return JSON.stringify(entry);
 }
 
-function formatEntry(level: LogLevel, message: string, error?: Error): string {
+function formatEntry(level: LogLevel, rawMessage: string, error?: Error): string {
   const context = logStore.getStore();
+  const message = redactSecrets(rawMessage);
 
   if (logFormat === 'json') {
     return formatJson(level, message, context, error);
@@ -58,7 +76,7 @@ function formatEntry(level: LogLevel, message: string, error?: Error): string {
     return base;
   }
 
-  return `${base}\n${error.stack}`;
+  return `${base}\n${redactSecrets(error.stack)}`;
 }
 
 export const logger = {

src/server.test.ts

@@ -7,7 +7,6 @@ import { createServer } from './server';
 import type { ServerDependencies, ServerHandle } from './server';
 import { createAirnodeAccount } from './sign';
 import type { Config } from './types';
-import { VERSION } from './version';
 
 const TEST_PRIVATE_KEY: Hex = '0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80';
 const TEST_AIRNODE: Hex = '0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266';
@@ -61,18 +60,16 @@ describe('createServer', () => {
     void server?.stop();
   });
 
-  test('health endpoint returns status, version, airnode', async () => {
+  test('health endpoint returns status and airnode (no version)', async () => {
     const deps = makeDeps();
     server = createServer(deps);
     baseUrl = `http://127.0.0.1:${String(server.port)}`;
 
     const response = await fetch(`${baseUrl}/health`);
-    const body = (await response.json()) as { status: string; version: string; airnode: string };
+    const body = (await response.json()) as Record<string, unknown>;
 
     expect(response.status).toBe(200);
-    expect(body.status).toBe('ok');
-    expect(body.version).toBe(VERSION);
-    expect(body.airnode).toBe(TEST_AIRNODE);
+    expect(body).toEqual({ status: 'ok', airnode: TEST_AIRNODE });
   });
 
   test('POST to /endpoints/{id} calls handleRequest', async () => {

src/server.ts

@@ -10,7 +10,6 @@ import type { PluginRegistry } from './plugins';
 import { checkRateLimit } from './rate-limit';
 import type { TokenBucket } from './rate-limit';
 import type { Config } from './types';
-import { VERSION } from './version';
 
 // =============================================================================
 // Types
@@ -194,7 +193,10 @@ function createServer(deps: ServerDependencies): ServerHandle {
     }
 
     if (url.pathname === '/health' && request.method === 'GET') {
-      return jsonResponse({ status: 'ok', version: VERSION, airnode: deps.airnode }, 200, cors);
+      // Deliberately no version field — don't volunteer build info on an
+      // unauthenticated endpoint. The airnode address (the actual identity) is
+      // useful for "is this the airnode I expect?" and is public anyway.
+      return jsonResponse({ status: 'ok', airnode: deps.airnode }, 200, cors);
     }
 
     // Async request polling
@@ -244,9 +246,17 @@ function createServer(deps: ServerDependencies): ServerHandle {
     return errorResponse('Not Found', 404, cors);
   }
 
+  // Connection idle timeout (seconds, Bun caps it at 255). Set it explicitly,
+  // and high enough that a legitimate request waiting on a slow upstream + TLS
+  // proof isn't killed mid-flight, while still bounding connections that just
+  // sit there. Worst-case wait ≈ upstream timeout + proof timeout + overhead.
+  const proofTimeoutMs = deps.settings.proof === 'none' ? 0 : deps.settings.proof.timeout;
+  const idleTimeout = Math.min(255, Math.ceil((deps.settings.timeout + proofTimeoutMs) / 1000) + 20);
+
   const server = Bun.serve({
     port: deps.config.server.port,
     hostname: deps.config.server.host,
+    idleTimeout,
     fetch: async (request: Request, bunServer): Promise<Response> => {
       const start = Date.now();
       const url = new URL(request.url);