diff --git a/nemoclaw-blueprint/policies/presets/discord.yaml b/nemoclaw-blueprint/policies/presets/discord.yaml
index e1b09aaf82..8ffd1bc63c 100644
--- a/nemoclaw-blueprint/policies/presets/discord.yaml
+++ b/nemoclaw-blueprint/policies/presets/discord.yaml
@@ -17,15 +17,25 @@ network_policies:
 rules:
 - allow: { method: GET, path: "/**" }
 - allow: { method: POST, path: "/**" }
+ - allow: { method: PUT, path: "/**" }
+ - allow: { method: PATCH, path: "/**" }
+ - allow: { method: DELETE, path: "/**" }
+ # WebSocket gateway — must use access: full (CONNECT tunnel) instead
+ # of protocol: rest. The proxy's HTTP idle timeout (~2 min) kills
+ # long-lived WebSocket connections; a CONNECT tunnel avoids
+ # HTTP-level timeouts entirely. See #409.
 - host: gateway.discord.gg
+ port: 443
+ access: full
+ - host: cdn.discordapp.com
 port: 443
 protocol: rest
 enforcement: enforce
 tls: terminate
 rules:
 - allow: { method: GET, path: "/**" }
- - allow: { method: POST, path: "/**" }
- - host: cdn.discordapp.com
+ # Media/attachment access (read-only, proxied through Discord CDN)
+ - host: media.discordapp.net
 port: 443
 protocol: rest
 enforcement: enforce
diff --git a/nemoclaw-blueprint/policies/presets/slack.yaml b/nemoclaw-blueprint/policies/presets/slack.yaml
index 866ad34a15..e2a7c4706b 100644
--- a/nemoclaw-blueprint/policies/presets/slack.yaml
+++ b/nemoclaw-blueprint/policies/presets/slack.yaml
@@ -3,7 +3,7 @@
 
 preset:
 name: slack
- description: "Slack API and webhooks access"
+ description: "Slack API, Socket Mode, and webhooks access"
 
 network_policies:
 slack:
@@ -33,5 +33,13 @@ network_policies:
 rules:
 - allow: { method: GET, path: "/**" }
 - allow: { method: POST, path: "/**" }
+ # Socket Mode WebSocket — requires CONNECT tunnel to avoid
+ # HTTP idle timeout killing the persistent connection. See #409.
+ - host: wss-primary.slack.com
+ port: 443
+ access: full
+ - host: wss-backup.slack.com
+ port: 443
+ access: full
 binaries:
 - { path: /usr/local/bin/node }
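Review bot: In discord.yaml the `gateway.discord.gg` entry now carries only `port: 443` and `access: full`, so the `protocol: rest`, `enforcement: enforce`, `tls: terminate` and `rules` keys that constrained it before are gone and, as far as the hunk shows, nothing limits what is sent inside the tunnel once it is open. The added comment gives the idle-timeout reason but not that cost; I would extend it with `# access: full is an opaque CONNECT tunnel: this entry has no tls/rules keys, so method and path are not filtered for this host.` so the pattern is not copied to hosts that do not need a long-lived socket. The same applies to `wss-primary.slack.com` and `wss-backup.slack.com` in the last slack.yaml hunk. Separately, the new `PUT`/`PATCH`/`DELETE` rules reuse `path: "/**"`; the endpoint they belong to starts above the hunk, but if it is the bot API, a narrower path prefix for the mutating methods would keep the preset closer to least privilege.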