Problem
NodeConfig.URL is documented as "Must be publicly reachable on the internet — never localhost or private addresses" (convex-peer/src/main/java/convex/node/NodeConfig.java:40). The code does not enforce this — NodeServer.publishNodeInfo (convex-peer/src/main/java/convex/node/NodeServer.java:254) publishes whatever string the operator configured into the signed [:p2p :nodes] entry.
A misconfigured node silently pollutes the P2P registry with unreachable URLs (localhost, RFC1918 addresses, malformed URIs). Peers waste reconnect attempts against them; signed entries age out via LWW but take a while to clear.
Scope note
Fix must be a local validation — we cannot (and should not) reach out over the network to verify reachability from the node's own code. Pre-publication checks we can do locally:
- Parse the URI. Reject if malformed or missing scheme/host/port.
- Reject
localhost, 127.0.0.0/8, ::1.
- Reject RFC1918 ranges:
10/8, 172.16/12, 192.168/16, 169.254/16 link-local, fc00::/7 ULA.
- Reject
0.0.0.0 / ::.
- Optional opt-out flag for dev networks where private addresses are intentional (
allowPrivateURL: true in NodeConfig).
Fail at launch() time with a clear error message if URL is set but invalid, rather than silently not publishing or publishing bad data.
Out of scope
Active reachability probing from an external vantage point — that belongs to a monitoring / bootstrap peer, not to the node publishing itself.
Problem
NodeConfig.URLis documented as "Must be publicly reachable on the internet — never localhost or private addresses" (convex-peer/src/main/java/convex/node/NodeConfig.java:40). The code does not enforce this —NodeServer.publishNodeInfo(convex-peer/src/main/java/convex/node/NodeServer.java:254) publishes whatever string the operator configured into the signed[:p2p :nodes]entry.A misconfigured node silently pollutes the P2P registry with unreachable URLs (localhost, RFC1918 addresses, malformed URIs). Peers waste reconnect attempts against them; signed entries age out via LWW but take a while to clear.
Scope note
Fix must be a local validation — we cannot (and should not) reach out over the network to verify reachability from the node's own code. Pre-publication checks we can do locally:
localhost,127.0.0.0/8,::1.10/8,172.16/12,192.168/16,169.254/16link-local,fc00::/7ULA.0.0.0.0/::.allowPrivateURL: truein NodeConfig).Fail at
launch()time with a clear error message ifURLis set but invalid, rather than silently not publishing or publishing bad data.Out of scope
Active reachability probing from an external vantage point — that belongs to a monitoring / bootstrap peer, not to the node publishing itself.