config: make server.host and rateLimit.trustForwardedFor required

Two remaining hidden defaults flagged by the explicit-over-implicit
principle:

- `server.host` was defaulted to `'0.0.0.0'`. That's a security choice
  (every interface vs loopback-only), not a universal default. Operators
  should declare it.
- `rateLimit.trustForwardedFor` was defaulted to `false`. Behind a
  reverse proxy this is the difference between per-client and per-proxy
  rate limiting — wrong answer either way is operationally surprising.

Both are now required. Updated all four example configs, inline test
YAMLs (schema/parser/validate test fixtures), the server.md reference,
and the "applies defaults" test (which no longer asserts host defaulting
since there's no default to assert).

Author: andreogle

CLAUDE.md

@@ -53,8 +53,8 @@ Key conventions:
 - In config YAML, the `settings` section goes immediately after `version`, before `apis`.
 - Runtime config is `config.yaml` + `.env` in the working directory (gitignored).
 - **Explicit over implicit**: config fields should be required with no defaults, unless a default is genuinely universal
-  (e.g. `method: GET`). Only truly optional behavior (like `rateLimit`, `cors`) uses optional fields. When adding new
-  schema fields, default to required.
+  (e.g. `method: GET`). Only truly optional behavior (like `cors`, `cache`) uses optional fields. When adding new schema
+  fields, default to required.
 
 ## Architecture
 
@@ -68,15 +68,16 @@ HTTP service.
 Routes:
 
 - `POST /endpoints/{endpointId}` — call an endpoint with parameters in the request body
-- `GET /health` — health check with version and airnode address
+- `GET /requests/{requestId}` — poll an async request's status (mode: `async` endpoints)
+- `GET /health` — status and airnode address (no version exposed)
 
 ### Request processing pipeline
 
 The pipeline runs per-request in `src/pipeline.ts`:
 
 1. **Resolve endpoint** → look up endpoint by ID in the endpoint map
 2. **Plugin: onHttpRequest** → plugins can reject requests early
-3. **Authenticate** → verify client credentials (free access or API key via `X-Api-Key` header)
+3. **Authenticate** → verify client credentials (`free`, `apiKey` via `X-Api-Key`, or `x402` payment proof)
 4. **Validate parameters** → check that all required parameters are present
 5. **Check cache** → return cached response if TTL has not expired
 6. **Plugin: onBeforeApiCall** → plugins can modify parameters
@@ -94,14 +95,19 @@ The pipeline runs per-request in `src/pipeline.ts`:
 
 Version `'1.0'`. Top-level sections: `version`, `server`, `settings`, `apis`.
 
-- `server` contains `port`, `host` (default `'0.0.0.0'`), `cors` (optional), `rateLimit` (optional).
-- `settings` contains `timeout` (default 10s), `proof` (`'none'` or `{ type: 'reclaim', gatewayUrl }` for TLS proofs),
-  `fhe` (`'none'` or `{ network, rpcUrl, verifier, apiKey? }` for FHE encryption), `plugins`.
+- `server` contains `port`, `host` (default `'0.0.0.0'`), `cors` (optional), `rateLimit` (**required**, with `window`,
+  `max`, and an `x402` sub-block of `{window, max}`).
+- `settings` contains `timeout` (default 10s), `maxConcurrentApiCalls` (**required**), `proof` (`'none'` or
+  `{ type: 'reclaim', gatewayUrl }` for TLS proofs), `fhe` (`'none'` or `{ network, rpcUrl, verifier, apiKey? }` for FHE
+  encryption), `plugins`.
 - `apis[].url` is the upstream API base URL. Upstream credentials go in `apis[].headers`.
 - `apis[].auth` is client-facing: `{ type: 'free' }`, `{ type: 'apiKey', keys: [...] }`, or `{ type: 'x402', ... }`.
-- Endpoints use `encoding: { type, path, times? }` instead of `reservedParameters`. Encoding is optional — endpoints
-  without it return raw JSON with a signature over the JSON hash. Endpoints can also set `encrypt: { type, contract }`
-  (requires `settings.fhe` and an integer `encoding`) to FHE-encrypt the encoded value before signing.
+- Endpoints use `encoding: { type, path, times? }`. When `encoding` is set, `type` and `path` are required — each may be
+  a concrete value or the literal `'*'` (which delegates that field to the matching reserved request param: `_type`,
+  `_path`, `_times`). `times` is optional and only valid on numeric types. Without an `encoding` block the response is
+  raw JSON with a signature over the JSON hash; reserved params can't synthesize encoding from nothing. Endpoints can
+  also set `encrypt: { type, contract }` (requires `settings.fhe` and a concretely pinned integer `encoding`) to
+  FHE-encrypt the encoded value before signing.
 - Auth and cache config inherit from API level; endpoint-level overrides take precedence.
 
 ### Plugin hooks

README.md

@@ -56,7 +56,8 @@ curl -X POST http://localhost:3000/endpoints/{endpointId} \
 - **Sign any API response** with your key — turn untrusted data into a verifiable attestation
 - **Serve data to smart contracts** — ABI-encoded responses ready for on-chain submission
 - **Monetize access** — API keys or pay-per-request via x402
-- **Control encoding at request time** — clients pass `_type`, `_path`, `_times` to choose what to extract
+- **Opt-in requester-controlled encoding** — endpoints that mark fields as `'*'` let clients supply
+  `_type`/`_path`/`_times` per request
 - **Extend with plugins** — hooks at every pipeline stage for custom logic
 
 ## Routes
@@ -65,7 +66,7 @@ curl -X POST http://localhost:3000/endpoints/{endpointId} \
 | ------ | ------------------------- | -------------------------------- |
 | `POST` | `/endpoints/{endpointId}` | Call an endpoint with parameters |
 | `GET`  | `/requests/{requestId}`   | Poll an async request for status |
-| `GET`  | `/health`                 | Version and airnode address      |
+| `GET`  | `/health`                 | Status and airnode address       |
 
 ## Configuration
 
@@ -76,8 +77,15 @@ version: '1.0'
 
 server:
   port: 3000
+  rateLimit:
+    window: 60000
+    max: 100
+    x402:
+      window: 60000
+      max: 30
 
 settings:
+  maxConcurrentApiCalls: 50
   proof: none
 
 apis:

book/docs/config/index.md

@@ -12,7 +12,7 @@ Airnode is configured with a single YAML file. JSON is also accepted. The file h
 | ----------------------------------- | ------------------------------------------------------- |
 | `version`                           | Must be `'1.0'`. Used for schema validation.            |
 | [`server`](/docs/config/server)     | HTTP server port, host, CORS, and rate limiting.        |
-| [`settings`](/docs/config/settings) | Global timeout, proof mode, and plugin configuration.   |
+| [`settings`](/docs/config/settings) | Timeout, upstream concurrency, proof, FHE, and plugins. |
 | [`apis`](/docs/config/apis)         | Upstream API definitions with endpoints and parameters. |
 
 ## Minimal config
@@ -25,8 +25,12 @@ server:
   rateLimit:
     window: 60000
     max: 100
+    x402:
+      window: 60000
+      max: 30
 
 settings:
+  maxConcurrentApiCalls: 50
   proof: none
 
 apis:
@@ -54,9 +58,13 @@ server:
   rateLimit:
     window: 60000
     max: 100
+    x402:
+      window: 60000
+      max: 30
 
 settings:
   timeout: 15000
+  maxConcurrentApiCalls: 50
   proof: none # or: { type: reclaim, gatewayUrl: 'http://localhost:5177/v1/prove' }
   plugins:
     - source: ../../plugins/heartbeat.ts

book/docs/config/server.md

@@ -10,43 +10,46 @@ The `server` section configures the HTTP server that receives client requests.
 ```yaml
 server:
   port: 3000
-  host: '0.0.0.0' # default
+  host: '0.0.0.0'
   cors:
     origins: ['*'] # default
   rateLimit:
     window: 60000 # ms
     max: 100 # requests per window per IP
+    trustForwardedFor: false
     x402:
       window: 60000 # ms
       max: 30 # x402 verification attempts per window per IP
 ```
 
 ## Fields
 
-| Field                         | Type       | Required | Default     | Description                                                                                                                |
-| ----------------------------- | ---------- | -------- | ----------- | -------------------------------------------------------------------------------------------------------------------------- |
-| `port`                        | `number`   | Yes      | --          | TCP port the server listens on.                                                                                            |
-| `host`                        | `string`   | No       | `'0.0.0.0'` | Bind address. Use `127.0.0.1` to restrict to localhost.                                                                    |
-| `cors`                        | `object`   | No       | --          | CORS configuration. When omitted, `Access-Control-Allow-Origin: *` is used.                                                |
-| `cors.origins`                | `string[]` | No       | `['*']`     | Allow-list of origins. The request's `Origin` is reflected back only if it matches an entry.                               |
-| `rateLimit`                   | `object`   | **Yes**  | --          | Per-IP rate limiting (required). Set `max` very high to effectively disable it.                                            |
-| `rateLimit.window`            | `number`   | Yes      | --          | Time window in milliseconds.                                                                                               |
-| `rateLimit.max`               | `number`   | Yes      | --          | Maximum requests per IP within the window.                                                                                 |
-| `rateLimit.trustForwardedFor` | `boolean`  | No       | `false`     | Use the first `X-Forwarded-For` entry as the client IP. Only enable behind a trusted reverse proxy.                        |
-| `rateLimit.x402`              | `object`   | **Yes**  | --          | Stricter per-IP bucket on x402 verification attempts (each one fires several chain-RPC reads). Shares `trustForwardedFor`. |
-| `rateLimit.x402.window`       | `number`   | Yes      | --          | Time window in milliseconds.                                                                                               |
-| `rateLimit.x402.max`          | `number`   | Yes      | --          | Maximum x402 verification attempts per IP within the window.                                                               |
+| Field                         | Type       | Required | Default | Description                                                                                                                |
+| ----------------------------- | ---------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------- |
+| `port`                        | `number`   | **Yes**  | --      | TCP port the server listens on.                                                                                            |
+| `host`                        | `string`   | **Yes**  | --      | Bind address. `'0.0.0.0'` binds every interface; `'127.0.0.1'` restricts to localhost.                                     |
+| `cors`                        | `object`   | No       | --      | CORS configuration. When omitted, `Access-Control-Allow-Origin: *` is used.                                                |
+| `cors.origins`                | `string[]` | No       | `['*']` | Allow-list of origins. The request's `Origin` is reflected back only if it matches an entry.                               |
+| `rateLimit`                   | `object`   | **Yes**  | --      | Per-IP rate limiting. Set `max` very high to effectively disable it.                                                       |
+| `rateLimit.window`            | `number`   | **Yes**  | --      | Time window in milliseconds.                                                                                               |
+| `rateLimit.max`               | `number`   | **Yes**  | --      | Maximum requests per IP within the window.                                                                                 |
+| `rateLimit.trustForwardedFor` | `boolean`  | **Yes**  | --      | Use the first `X-Forwarded-For` entry as the client IP. Set `true` only behind a trusted reverse proxy; otherwise `false`. |
+| `rateLimit.x402`              | `object`   | **Yes**  | --      | Stricter per-IP bucket on x402 verification attempts (each one fires several chain-RPC reads). Shares `trustForwardedFor`. |
+| `rateLimit.x402.window`       | `number`   | **Yes**  | --      | Time window in milliseconds.                                                                                               |
+| `rateLimit.x402.max`          | `number`   | **Yes**  | --      | Maximum x402 verification attempts per IP within the window.                                                               |
 
 ## Minimal
 
-`port` and `rateLimit` (including the `x402` sub-block) are required:
+`port`, `host`, and `rateLimit` (including `trustForwardedFor` and the `x402` sub-block) are required:
 
 ```yaml
 server:
   port: 3000
+  host: '0.0.0.0'
   rateLimit:
     window: 60000
     max: 100
+    trustForwardedFor: false
     x402:
       window: 60000
       max: 30
@@ -63,9 +66,11 @@ resetting at fixed intervals.
 ```yaml
 server:
   port: 3000
+  host: '0.0.0.0'
   rateLimit:
     window: 60000 # 60 seconds
     max: 100 # 100 requests per 60s per IP
+    trustForwardedFor: false
     x402:
       window: 60000
       max: 30 # 30 x402 verification attempts per 60s per IP
@@ -75,10 +80,11 @@ When a client exceeds the limit, the server returns `429 Too Many Requests`.
 
 The rate limiter tracks up to 10,000 unique IPs. When this limit is reached, the oldest entries are evicted.
 
-By default the client IP is the socket peer. If Airnode runs behind a reverse proxy that is the proxy's address, so
-every client would share one bucket — set `rateLimit.trustForwardedFor: true` to use the first `X-Forwarded-For` entry
-instead. Only enable this when a trusted proxy controls that header; a client-supplied `X-Forwarded-For` is otherwise
-trivially spoofable.
+The client IP defaults to the socket peer when `trustForwardedFor` is `false`. If Airnode runs behind a reverse proxy
+the peer is the proxy itself, so every client would share one bucket — set `trustForwardedFor: true` to use the first
+`X-Forwarded-For` entry instead. Only enable this when a trusted proxy controls that header; a client-supplied
+`X-Forwarded-For` is otherwise trivially spoofable, which would let any client bypass the rate limit by picking a fresh
+IP per request.
 
 ### x402 verification bucket
 

book/docs/introduction.md

@@ -122,8 +122,12 @@ server:
   rateLimit:
     window: 60000
     max: 100
+    x402:
+      window: 60000
+      max: 30
 
 settings:
+  maxConcurrentApiCalls: 50
   proof: none
 
 apis:

book/docs/operators/index.md

@@ -37,8 +37,12 @@ server:
   rateLimit:
     window: 60000
     max: 100
+    x402:
+      window: 60000
+      max: 30
 
 settings:
+  maxConcurrentApiCalls: 50
   proof: none
 
 apis:

examples/configs/complete/config.yaml

@@ -9,6 +9,7 @@ server:
   rateLimit:
     window: 60000
     max: 100
+    trustForwardedFor: false
     x402:
       window: 60000
       max: 30

examples/configs/fhe-encrypt/config.yaml

@@ -2,9 +2,11 @@ version: '1.0'
 
 server:
   port: 3000
+  host: '0.0.0.0'
   rateLimit:
     window: 60000
     max: 100
+    trustForwardedFor: false
     x402:
       window: 60000
       max: 30

examples/configs/minimal/config.yaml

@@ -2,9 +2,11 @@ version: '1.0'
 
 server:
   port: 3000
+  host: '0.0.0.0'
   rateLimit:
     window: 60000
     max: 100
+    trustForwardedFor: false
     x402:
       window: 60000
       max: 30

examples/configs/reclaim-proof/config.yaml

@@ -2,9 +2,11 @@ version: '1.0'
 
 server:
   port: 3000
+  host: '0.0.0.0'
   rateLimit:
     window: 60000
     max: 100
+    trustForwardedFor: false
     x402:
       window: 60000
       max: 30