fix: use CONNECT tunnel for WebSocket endpoints in Discord/Slack presets

nemoclaw-blueprint/policies/presets/discord.yaml

@@ -17,15 +17,25 @@ network_policies:
         rules:
           - allow: { method: GET, path: "/**" }
           - allow: { method: POST, path: "/**" }
+          - allow: { method: PUT, path: "/**" }
+          - allow: { method: PATCH, path: "/**" }
+          - allow: { method: DELETE, path: "/**" }
+      # WebSocket gateway — must use access: full (CONNECT tunnel) instead
+      # of protocol: rest. The proxy's HTTP idle timeout (~2 min) kills
+      # long-lived WebSocket connections; a CONNECT tunnel avoids
+      # HTTP-level timeouts entirely. See #409.
       - host: gateway.discord.gg
+        port: 443
+        access: full
+      - host: cdn.discordapp.com
         port: 443
         protocol: rest
         enforcement: enforce
         tls: terminate
         rules:
           - allow: { method: GET, path: "/**" }
-          - allow: { method: POST, path: "/**" }
-      - host: cdn.discordapp.com
+      # Media/attachment access (read-only, proxied through Discord CDN)
+      - host: media.discordapp.net
         port: 443
         protocol: rest
         enforcement: enforce

nemoclaw-blueprint/policies/presets/slack.yaml

@@ -3,7 +3,7 @@
 
 preset:
   name: slack
-  description: "Slack API and webhooks access"
+  description: "Slack API, Socket Mode, and webhooks access"
 
 network_policies:
   slack:
@@ -33,5 +33,13 @@ network_policies:
         rules:
           - allow: { method: GET, path: "/**" }
           - allow: { method: POST, path: "/**" }
+      # Socket Mode WebSocket — requires CONNECT tunnel to avoid
+      # HTTP idle timeout killing the persistent connection. See #409.
+      - host: wss-primary.slack.com
+        port: 443
+        access: full
+      - host: wss-backup.slack.com
+        port: 443
+        access: full
     binaries:
       - { path: /usr/local/bin/node }