From b616544e0b8c9de223beab4cdc5bf9d92b3ce875 Mon Sep 17 00:00:00 2001
From: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>
Date: Thu, 19 Mar 2026 20:08:17 +0000
Subject: [PATCH 1/2] fix: use CONNECT tunnel for WebSocket endpoints in Discord/Slack presets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The egress proxy's HTTP idle timeout (~2 min) kills long-lived WebSocket connections when endpoints are configured with protocol:rest + tls:terminate. Switch WebSocket endpoints to access:full (CONNECT tunnel) which bypasses HTTP-level timeouts entirely.
Discord:
- gateway.discord.gg → access:full (WebSocket gateway)
- Add PUT/PATCH/DELETE methods for discord.com (message editing, reactions)
- Add media.discordapp.net for attachment access
Slack:
- Add wss-primary.slack.com and wss-backup.slack.com → access:full (Socket Mode WebSocket endpoints)
Partially addresses #409 — the policy-level fix enables WebSocket connections to survive. The hardcoded 2-min timeout in openshell-sandbox still affects any protocol:rest endpoints with long-lived connections.
Related: #361 (WhatsApp Web, same root cause)
---
.../policies/presets/discord.yaml | 21 +++++++++++++++----
.../policies/presets/slack.yaml | 10 ++++++++-
2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/nemoclaw-blueprint/policies/presets/discord.yaml b/nemoclaw-blueprint/policies/presets/discord.yaml
index e1b09aaf82..1864b67e68 100644
--- a/nemoclaw-blueprint/policies/presets/discord.yaml
+++ b/nemoclaw-blueprint/policies/presets/discord.yaml
@@ -17,20 +17,33 @@ network_policies:
 rules:
 - allow: { method: GET, path: "/**" }
 - allow: { method: POST, path: "/**" }
+ - allow: { method: PUT, path: "/**" }
+ - allow: { method: PATCH, path: "/**" }
+ - allow: { method: DELETE, path: "/**" }
+ # WebSocket gateway — must use access:full (CONNECT tunnel) instead
+ # of protocol:rest. The proxy's HTTP idle timeout (~2 min) kills
+ # long-lived WebSocket connections; a CONNECT tunnel avoids
+ # HTTP-level timeouts entirely. See #409.
 - host: gateway.discord.gg
+ port: 443
+ access: full
+ - host: cdn.discordapp.com
 port: 443
 protocol: rest
 enforcement: enforce
 tls: terminate
 rules:
 - allow: { method: GET, path: "/**" }
- - allow: { method: POST, path: "/**" }
- - host: cdn.discordapp.com
+<<<<<<< HEAD
+ binaries:
+ - { path: /usr/local/bin/node }
+=======
+ # Media/attachment uploads use a separate domain
+ - host: media.discordapp.net
 port: 443
 protocol: rest
 enforcement: enforce
 tls: terminate
 rules:
 - allow: { method: GET, path: "/**" }
- binaries:
- - { path: /usr/local/bin/node }
+>>>>>>> b926698 (fix: use CONNECT tunnel for WebSocket endpoints in Discord/Slack presets)
diff --git a/nemoclaw-blueprint/policies/presets/slack.yaml b/nemoclaw-blueprint/policies/presets/slack.yaml
index 866ad34a15..e2a7c4706b 100644
--- a/nemoclaw-blueprint/policies/presets/slack.yaml
+++ b/nemoclaw-blueprint/policies/presets/slack.yaml
@@ -3,7 +3,7 @@ preset:
 name: slack
- description: "Slack API and webhooks access"
+ description: "Slack API, Socket Mode, and webhooks access"
 network_policies:
 slack:
@@ -33,5 +33,13 @@ network_policies:
 rules:
 - allow: { method: GET, path: "/**" }
 - allow: { method: POST, path: "/**" }
+ # Socket Mode WebSocket — requires CONNECT tunnel to avoid
+ # HTTP idle timeout killing the persistent connection. See #409.
+ - host: wss-primary.slack.com
+ port: 443
+ access: full
+ - host: wss-backup.slack.com
+ port: 443
+ access: full
 binaries:
 - { path: /usr/local/bin/node }
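Review bot: The three new allow rules grant PUT, PATCH and DELETE on `path: "/**"` for discord.com, which is much broader than the "message editing, reactions" the commit message gives as the reason — with a wildcard path, DELETE and PUT reach every REST resource the bot token is authorised for (channels, roles, bans), not just messages. Scoping the new methods to the message/reaction endpoints the change is actually for, e.g. `- allow: { method: PATCH, path: "/api/v*/channels/*/messages/**" }` with matching PUT/DELETE rules, keeps the preset least-privilege; the exact glob syntax this policy engine accepts should be confirmed. Switching `gateway.discord.gg` to `access: full` also drops the `tls: terminate`/`rules` enforcement that the other entries keep, so the added comment should state that trade-off, not only the timeout motivation: `# access: full is an opaque CONNECT tunnel — no TLS termination and no method/path enforcement for this host.` Finally, this hunk commits `<<<<<<< HEAD`/`=======`/`>>>>>>>` markers, leaving discord.yaml unparseable at this revision; patch 2/2 removes them, but the two should be squashed so no commit in the series ships a broken preset.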
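Review bot: `wss-primary.slack.com` and `wss-backup.slack.com` are added with `access: full` and none of the `enforcement`/`tls`/`rules` keys the REST entries above carry, so for these two hosts the proxy no longer sees inside the connection at all; the inline comment explains why the tunnel is needed but not what is given up. I would extend it to `# access: full is a raw CONNECT tunnel: no TLS termination and no method/path enforcement for these hosts (Socket Mode needs the persistent WebSocket).` If the policy engine grows a per-host idle/keepalive override for `protocol: rest` entries, that would be the narrower fix; the commit message says the 2-minute timeout is hardcoded in openshell-sandbox, so presumably that option does not exist yet. The `slack` mapping these entries belong to starts above the hunk.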
From 8ee9ec0091bcbd73ad71dee6ee6440d9e1fd3278 Mon Sep 17 00:00:00 2001
From: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>
Date: Thu, 19 Mar 2026 20:13:02 +0000
Subject: [PATCH 2/2] fix: correct comment wording for media endpoint and YAML formatting
---
nemoclaw-blueprint/policies/presets/discord.yaml | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/nemoclaw-blueprint/policies/presets/discord.yaml b/nemoclaw-blueprint/policies/presets/discord.yaml
index 1864b67e68..8ffd1bc63c 100644
--- a/nemoclaw-blueprint/policies/presets/discord.yaml
+++ b/nemoclaw-blueprint/policies/presets/discord.yaml
@@ -20,8 +20,8 @@ network_policies:
 - allow: { method: PUT, path: "/**" }
 - allow: { method: PATCH, path: "/**" }
 - allow: { method: DELETE, path: "/**" }
- # WebSocket gateway — must use access:full (CONNECT tunnel) instead
- # of protocol:rest. The proxy's HTTP idle timeout (~2 min) kills
+ # WebSocket gateway — must use access: full (CONNECT tunnel) instead
+ # of protocol: rest. The proxy's HTTP idle timeout (~2 min) kills
 # long-lived WebSocket connections; a CONNECT tunnel avoids
 # HTTP-level timeouts entirely. See #409.
 - host: gateway.discord.gg
@@ -34,11 +34,7 @@ network_policies:
 tls: terminate
 rules:
 - allow: { method: GET, path: "/**" }
-<<<<<<< HEAD
- binaries:
- - { path: /usr/local/bin/node }
-=======
- # Media/attachment uploads use a separate domain
+ # Media/attachment access (read-only, proxied through Discord CDN)
 - host: media.discordapp.net
 port: 443
 protocol: rest
@@ -46,4 +42,5 @@ network_policies:
 tls: terminate
 rules:
 - allow: { method: GET, path: "/**" }
->>>>>>> b926698 (fix: use CONNECT tunnel for WebSocket endpoints in Discord/Slack presets)
+ binaries:
+ - { path: /usr/local/bin/node }
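Review bot: The replacement comment `# Media/attachment access (read-only, proxied through Discord CDN)` asserts a delivery path ("proxied through Discord CDN") that nothing in the policy establishes; the rule itself only grants GET on `media.discordapp.net`, so the comment should describe the grant rather than the service's internals, e.g. `# Attachment/media downloads — GET only (uploads, if any, go via the discord.com entry above)`. Because this commit exists mainly to strip the `<<<<<<< HEAD`/`=======`/`>>>>>>>` markers that patch 1/2 committed, it should be squashed into 1/2 so that no revision in the series carries an unparseable discord.yaml. The final hunk's move of `binaries:` to the end of the block looks correct; the enclosing `network_policies:` mapping starts above these hunks.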