Problem
The default local hostname across the stack is `webprotege-local.edu`. `.edu` is a real, accredited-institution TLD registered through EDUCAUSE, not a safe-for-local namespace. Using it here is:
- Non-standard — RFC 2606 reserves `.test`, `.example`, `.invalid`, `.localhost` for exactly this use case. `.edu` isn't in that list.
- A latent DNS-hijack surface — if anyone in the network chain ever routes `.edu` queries externally, or if `webprotege-local.edu` is ever registered as a real subdomain, requests could leak.
- Slightly misleading — it reads as if it's a real Stanford/EDUCAUSE subdomain.
There's also an internal inconsistency surfaced during the 2.x migration: the user-facing `SERVER_HOST` in some developers' `.env` was `webprotege.local`, while the defaults shipped in the realm JSON, the gateway's `application.yaml`, and (previously) docker-compose.yml were `webprotege-local.edu`. The mismatch caused a real bug (the gateway crashed because Keycloak's discovery doc returned the .edu issuer while the gateway was configured for `webprotege.local`).
Suggested fix
Standardize on `webprotege.test` (RFC 2606 reserved, collision-safe, reads clearly as local-dev).
Touch points:
Existing developers would need to update their `/etc/hosts` (swap the line) and either update their `.env` or rely on the new default. No runtime migration beyond that — the new realm/client URIs get applied by the existing entrypoint patch script when `SERVER_HOST` changes.
Alternative
`webprotege.localhost` — on many systems (macOS, Linux with systemd-resolved) `*.localhost` auto-resolves to 127.0.0.1 so no `/etc/hosts` entry is needed. But support isn't universal, so `.test` is the safer baseline.
Problem
The default local hostname across the stack is `webprotege-local.edu`. `.edu` is a real, accredited-institution TLD registered through EDUCAUSE, not a safe-for-local namespace. Using it here is:
There's also an internal inconsistency surfaced during the 2.x migration: the user-facing `SERVER_HOST` in some developers' `.env` was `webprotege.local`, while the defaults shipped in the realm JSON, the gateway's `application.yaml`, and (previously) docker-compose.yml were `webprotege-local.edu`. The mismatch caused a real bug (the gateway crashed because Keycloak's discovery doc returned the .edu issuer while the gateway was configured for `webprotege.local`).
Suggested fix
Standardize on `webprotege.test` (RFC 2606 reserved, collision-safe, reads clearly as local-dev).
Touch points:
Existing developers would need to update their `/etc/hosts` (swap the line) and either update their `.env` or rely on the new default. No runtime migration beyond that — the new realm/client URIs get applied by the existing entrypoint patch script when `SERVER_HOST` changes.
Alternative
`webprotege.localhost` — on many systems (macOS, Linux with systemd-resolved) `*.localhost` auto-resolves to 127.0.0.1 so no `/etc/hosts` entry is needed. But support isn't universal, so `.test` is the safer baseline.