Graceful shutdown drain, per-request access log, CI workflow, and coverage

Operational hardening:
- server.ts: ServerHandle.stop() now returns a Promise and resolves once
  in-flight requests have drained (server.stop(false)); start.ts awaits it on
  SIGINT/SIGTERM before tearing down the cache/async store. The fetch handler
  is wrapped to emit one access-log line per request ("METHOD path status Nms")
  at info level.
- .github/workflows/ci.yml: frozen install + prettier + eslint + tsc + bun
  test, a `bun pm scan` dependency-audit job, and the Foundry contract tests
  (there was previously only a docs-deploy workflow).

Coverage:
- server.test.ts: GET /requests/{id} polling route (pending / complete /
  failed / unknown / bad-format), 413/415 request-body rejections, stop()
  resolves → src/server.ts now 100%.
- pipeline.test.ts: fetchProofIfEnabled — proof attached on gateway success,
  proof omitted (non-fatal) on gateway failure, gateway skipped when the
  endpoint has no responseMatches.
- src/cli/commands/{address,generate-mnemonic,start}.test.ts: spawn-based
  smoke tests (previously only config and identity had CLI tests).

Author: andreogle

.github/workflows/ci.yml

@@ -0,0 +1,39 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  node:
+    name: Lint, typecheck, test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - run: bun install --frozen-lockfile
+      - run: bun run lint:prettier
+      - run: bun run lint:eslint
+      - run: bunx tsc --noEmit
+      - run: bun test
+
+  audit:
+    name: Dependency audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - run: bun install --frozen-lockfile
+      - run: bun pm scan
+
+  contracts:
+    name: Foundry tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - uses: foundry-rs/foundry-toolchain@v1
+      - run: forge test -vvv
+        working-directory: contracts

book/docs/concepts/architecture.md

@@ -32,10 +32,10 @@ giving plugins the ability to observe, filter, or modify data at each stage.
    `X-Api-Key` header, or x402 payment proof (an `X-Payment-Proof` header attesting a confirmed on-chain payment). An
    unpaid x402 request gets `402` with the payment parameters.
 4. **Validate parameters** -- check that all required parameters (those without `fixed` or `default` values) are present
-   in the request body. (Async-mode endpoints stop here and return `202` + a `pollUrl`; the rest of the pipeline runs
-   in the background.)
-5. **Check cache** -- if the endpoint has cache config, return a cached response when the TTL has not expired
-   (sync mode only).
+   in the request body. (Async-mode endpoints stop here and return `202` + a `pollUrl`; the rest of the pipeline runs in
+   the background.)
+5. **Check cache** -- if the endpoint has cache config, return a cached response when the TTL has not expired (sync mode
+   only).
 6. **Plugin: onBeforeApiCall** -- plugins can modify request parameters before the upstream call.
 7. **Call API** -- make the HTTP request to the upstream API via `src/api/call.ts`. Method, path, headers, query
    parameters, and body are assembled from the endpoint config and client parameters.

book/docs/config/settings.md

@@ -79,7 +79,8 @@ requested. Endpoints without `responseMatches` skip proof generation even when p
 ## `fhe`
 
 Configures FHE encryption of encoded responses. When set to an object, any endpoint with an
-[`encrypt`](/docs/config/apis#encryption-fhe) block has its ABI-encoded value replaced with an FHE ciphertext before signing.
+[`encrypt`](/docs/config/apis#encryption-fhe) block has its ABI-encoded value replaced with an FHE ciphertext before
+signing.
 
 ### No FHE (default)
 

book/docs/introduction.md

@@ -68,17 +68,20 @@ Client ──POST──▶ Airnode ──HTTP──▶ Upstream API
 4. If the endpoint has encoding configured, Airnode ABI-encodes the response. Otherwise, the raw JSON is returned.
 5. If the endpoint has `encrypt` configured, the encoded value is replaced with an FHE ciphertext.
 6. Airnode signs the result with the operator's private key.
-7. If TLS proofs are enabled, Airnode requests an attestation of the upstream call (non-fatal — a failure just omits the proof).
+7. If TLS proofs are enabled, Airnode requests an attestation of the upstream call (non-fatal — a failure just omits the
+   proof).
 8. The signed response is returned to the client.
 
-Endpoints can also run in `async` mode (returns `202` with a `pollUrl`; the result is fetched later from `GET /requests/{requestId}`) or `stream` mode (the signed result is wrapped in a single Server-Sent Events frame). See [Request and Response](/docs/concepts/request-response).
+Endpoints can also run in `async` mode (returns `202` with a `pollUrl`; the result is fetched later from
+`GET /requests/{requestId}`) or `stream` mode (the signed result is wrapped in a single Server-Sent Events frame). See
+[Request and Response](/docs/concepts/request-response).
 
 ## Endpoint IDs
 
-Endpoint IDs are deterministic hashes of the API specification -- the URL, path, method, non-secret parameters,
-encoding configuration, and encryption configuration. The ID binds the airnode's signature to the exact API spec the
-operator committed to, so a consumer hard-coding an endpoint ID locks in the upstream URL, parameters, and encoding
-rules. Any change to the spec produces a different ID, which on-chain consumers can detect immediately.
+Endpoint IDs are deterministic hashes of the API specification -- the URL, path, method, non-secret parameters, encoding
+configuration, and encryption configuration. The ID binds the airnode's signature to the exact API spec the operator
+committed to, so a consumer hard-coding an endpoint ID locks in the upstream URL, parameters, and encoding rules. Any
+change to the spec produces a different ID, which on-chain consumers can detect immediately.
 
 ```
 endpointId = keccak256(url | path | method | sorted parameters | encoding spec | encrypt spec)

book/docs/operators/deployment.md

@@ -115,7 +115,7 @@ docker compose up -d
 | Variable              | Required | Description                                                                        |
 | --------------------- | -------- | ---------------------------------------------------------------------------------- |
 | `AIRNODE_MNEMONIC`    | Yes\*    | BIP-39 mnemonic. Signs all responses. Takes precedence over `AIRNODE_PRIVATE_KEY`. |
-| `AIRNODE_PRIVATE_KEY` | Yes\*    | Hex-encoded private key (with `0x` prefix). Signs all responses.                    |
+| `AIRNODE_PRIVATE_KEY` | Yes\*    | Hex-encoded private key (with `0x` prefix). Signs all responses.                   |
 | `LOG_FORMAT`          | No       | `text` (default) or `json`.                                                        |
 | `LOG_LEVEL`           | No       | `debug`, `info` (default), `warn`, or `error`.                                     |
 

book/docs/operators/index.md

@@ -99,12 +99,12 @@ Expected response:
 
 ## Environment variables
 
-| Variable              | Required | Description                                                                          |
-| --------------------- | -------- | ------------------------------------------------------------------------------------ |
-| `AIRNODE_MNEMONIC`    | Yes\*    | BIP-39 mnemonic. Signs all responses. Takes precedence over `AIRNODE_PRIVATE_KEY`.   |
-| `AIRNODE_PRIVATE_KEY` | Yes\*    | Hex-encoded private key (with `0x` prefix). Signs all responses.                      |
-| `LOG_FORMAT`          | No       | `text` (default) or `json`.                                                          |
-| `LOG_LEVEL`           | No       | `debug`, `info` (default), `warn`, or `error`.                                       |
+| Variable              | Required | Description                                                                        |
+| --------------------- | -------- | ---------------------------------------------------------------------------------- |
+| `AIRNODE_MNEMONIC`    | Yes\*    | BIP-39 mnemonic. Signs all responses. Takes precedence over `AIRNODE_PRIVATE_KEY`. |
+| `AIRNODE_PRIVATE_KEY` | Yes\*    | Hex-encoded private key (with `0x` prefix). Signs all responses.                   |
+| `LOG_FORMAT`          | No       | `text` (default) or `json`.                                                        |
+| `LOG_LEVEL`           | No       | `debug`, `info` (default), `warn`, or `error`.                                     |
 
 \* Exactly one of `AIRNODE_MNEMONIC` or `AIRNODE_PRIVATE_KEY` is required.
 

book/docs/plugins.md

@@ -12,18 +12,18 @@ alter encoded data, and observe events -- all without modifying the core node.
 
 Six hooks fire at specific points in the pipeline:
 
-| Hook              | Type        | Can modify               | When it fires                          |
-| ----------------- | ----------- | ------------------------ | -------------------------------------- |
-| `onHttpRequest`   | Mutation    | Reject the request       | After endpoint resolution, before auth |
-| `onBeforeApiCall` | Mutation    | Request parameters       | Before the upstream API call           |
-| `onAfterApiCall`  | Mutation    | Response data and status | After the upstream API responds        |
+| Hook              | Type        | Can modify                  | When it fires                                               |
+| ----------------- | ----------- | --------------------------- | ----------------------------------------------------------- |
+| `onHttpRequest`   | Mutation    | Reject the request          | After endpoint resolution, before auth                      |
+| `onBeforeApiCall` | Mutation    | Request parameters          | Before the upstream API call                                |
+| `onAfterApiCall`  | Mutation    | Response data and status    | After the upstream API responds                             |
 | `onBeforeSign`    | Mutation    | The data about to be signed | After encoding (and FHE encryption, if any), before signing |
-| `onResponseSent`  | Observation | Nothing (read-only)      | After the signed response is sent      |
-| `onError`         | Observation | Nothing (read-only)      | When an error occurs at any stage      |
+| `onResponseSent`  | Observation | Nothing (read-only)         | After the signed response is sent                           |
+| `onError`         | Observation | Nothing (read-only)         | When an error occurs at any stage                           |
 
-For an `encrypt`-configured endpoint, `onBeforeSign` sees the FHE ciphertext (`abi.encode(bytes32 handle, bytes proof)`),
-not the plaintext-encoded value. Every hook context also includes a `requestId` (a per-request hex id), in addition to
-the fields shown below.
+For an `encrypt`-configured endpoint, `onBeforeSign` sees the FHE ciphertext
+(`abi.encode(bytes32 handle, bytes proof)`), not the plaintext-encoded value. Every hook context also includes a
+`requestId` (a per-request hex id), in addition to the fields shown below.
 
 **Mutation hooks** can change the pipeline. If a mutation hook fails or times out, the request is **dropped** rather
 than processed without the plugin's intervention. This prevents data leaks if the plugin exists for security purposes.

book/docs/troubleshooting.md

@@ -150,7 +150,8 @@ the API changed its response format, a nested field was renamed, or the path use
 **Check the logs.** Airnode logs every request with its endpoint ID, response status, and processing time. Set
 `LOG_LEVEL=debug` for detailed pipeline output including upstream request/response details.
 
-**Verify the config.** Run `airnode config validate -c config.yaml` to check your config against the schema before starting the server.
+**Verify the config.** Run `airnode config validate -c config.yaml` to check your config against the schema before
+starting the server.
 
 **Test the upstream API directly.** Use curl to call the upstream API with the same parameters the airnode would use.
 This isolates whether the issue is in the airnode or the upstream.

integration/helpers.ts

@@ -84,7 +84,7 @@ async function createTestServer(options: TestServerOptions = {}): Promise<TestCo
     endpointMap,
     baseUrl: `http://127.0.0.1:${String(server.port)}`,
     stop: () => {
-      server.stop();
+      void server.stop();
       cache.stop();
       asyncStore.stop();
     },

src/cli/commands/address.test.ts

@@ -0,0 +1,57 @@
+import { describe, expect, test } from 'bun:test';
+
+// =============================================================================
+// CLI `address` command — spawn-based smoke tests
+//
+// The address-derivation logic is unit-tested in src/sign.test.ts
+// (`accountFromEnv`); these cover the CLI wiring: key/mnemonic in, address out,
+// clear error + exit 1 when the key material is missing or malformed.
+// =============================================================================
+
+// The anvil account #0 — its private key and mnemonic both derive this address.
+const TEST_PRIVATE_KEY = '0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80';
+const TEST_MNEMONIC = 'test test test test test test test test test test test junk';
+const TEST_ADDRESS = '0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266';
+
+async function runAddress(
+  env: Record<string, string | undefined>
+): Promise<{ exitCode: number; stdout: string; stderr: string }> {
+  const { AIRNODE_PRIVATE_KEY: _k, AIRNODE_MNEMONIC: _m, ...base } = process.env;
+  const proc = Bun.spawn(['bun', '--env-file', '/dev/null', 'src/cli/index.ts', 'address'], {
+    env: { ...base, ...env },
+    stdout: 'pipe',
+    stderr: 'pipe',
+  });
+  const [exitCode, stdout, stderr] = await Promise.all([
+    proc.exited,
+    new Response(proc.stdout).text(),
+    new Response(proc.stderr).text(),
+  ]);
+  return { exitCode, stdout, stderr };
+}
+
+describe('address CLI', () => {
+  test('derives the address from AIRNODE_PRIVATE_KEY', async () => {
+    const { exitCode, stdout } = await runAddress({ AIRNODE_PRIVATE_KEY: TEST_PRIVATE_KEY });
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain(TEST_ADDRESS);
+  });
+
+  test('derives the address from AIRNODE_MNEMONIC', async () => {
+    const { exitCode, stdout } = await runAddress({ AIRNODE_MNEMONIC: TEST_MNEMONIC });
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain(TEST_ADDRESS);
+  });
+
+  test('exits 1 with a clear error when neither variable is set', async () => {
+    const { exitCode, stderr } = await runAddress({});
+    expect(exitCode).toBe(1);
+    expect(stderr).toContain('AIRNODE_PRIVATE_KEY or AIRNODE_MNEMONIC environment variable is required');
+  });
+
+  test('exits 1 with a clear error on a malformed private key', async () => {
+    const { exitCode, stderr } = await runAddress({ AIRNODE_PRIVATE_KEY: '0xnothex' });
+    expect(exitCode).toBe(1);
+    expect(stderr).toContain('AIRNODE_PRIVATE_KEY must be a 0x-prefixed 32-byte hex string');
+  });
+});