fix(policy): use access: full for gateway.discord.gg in default sandbox policy #1004

Open
deepujain wants to merge 1 commit into NVIDIA:main from deepujain:fix/979-discord-gateway-access-full

@deepujain deepujain commented Mar 26, 2026

Summary

The default sandbox policy in openclaw-sandbox.yaml still uses protocol: rest for gateway.discord.gg, which causes the OpenShell proxy to apply L7 HTTP inspection to WebSocket connections. Discord detects the TLS intercept and never sends the HELLO packet, causing 30-second connection timeouts (#979).

The fix already existed in presets/discord.yaml (added to address #409), but the same change was never applied to the base sandbox policy. This PR closes the gap.

Changes

  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml — replace protocol: rest block for gateway.discord.gg with access: full (CONNECT tunnel) and add the explanatory comment from the preset so the intent is clear to future readers

Why access: full matters here

protocol: rest tells the proxy to terminate TLS and inspect HTTP. For a WebSocket upgrade this activates Layer-7 inspection, which Discord recognises as a MITM and refuses to HELLO. access: full issues a raw CONNECT tunnel, bypassing HTTP-level inspection entirely -- the same approach that curl uses and that already works.

Testing

npm test passes (542/542). Policy-only change; no build step needed.

Fixes #979

Signed-off-by: Deepak Jain [email protected]

Summary by CodeRabbit

  • Chores
    • Updated network access policy configuration for Discord services to enhance connectivity and endpoint handling.
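
An added example, not part of the PR or the project's code: because access: full removes method and path enforcement for a host, a small audit can keep tunnelled endpoints on a reviewed allowlist and flag WebSocket hosts still under protocol: rest. The endpoint layout (host, port, protocol, rules, access), the allowlist and the sample policies are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy shape (not the project's real schema): each endpoint has
# host/port and either protocol: rest (+ rules) or access: full.
# Reviewed allowlist of hosts that may bypass L7 inspection (constructed).
APPROVED_TUNNELS = {("gateway.discord.gg", 443)}
# Hosts known to carry WebSocket traffic (constructed).
WEBSOCKET_HOSTS = {"gateway.discord.gg"}

@dataclass(frozen=True)
class Finding:
    severity: str
    host: str
    reason: str

def audit_endpoints(endpoints):
    """Return findings for endpoints whose inspection mode needs review."""
    findings = []
    for ep in endpoints:
        host = ep["host"].lower().rstrip(".")
        port = int(ep.get("port", 443))
        access, protocol = ep.get("access"), ep.get("protocol")
        if access == "full" and protocol:
            findings.append(Finding("error", host, "access: full and protocol both set"))
        elif access == "full":
            if "*" in host:
                findings.append(Finding("error", host, "wildcard host tunnelled uninspected"))
            elif (host, port) not in APPROVED_TUNNELS:
                findings.append(Finding("warn", host, "tunnel not on approved list"))
        elif protocol == "rest":
            if host in WEBSOCKET_HOSTS:
                findings.append(Finding("error", host, "WebSocket host under protocol: rest"))
            elif not ep.get("rules"):
                findings.append(Finding("warn", host, "protocol: rest without allow rules"))
        else:
            findings.append(Finding("error", host, "no access or protocol set"))
    return findings

# Constructed sample policies: the gateway entry before and after the change.
REST_RULES = [{"method": "GET", "path": "/**"}]
BEFORE = [{"host": "gateway.discord.gg", "port": 443, "protocol": "rest", "rules": REST_RULES}]
AFTER = [{"host": "gateway.discord.gg", "port": 443, "access": "full"}]

if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_endpoints(policy))
```
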

…ox policy

The discord entry in openclaw-sandbox.yaml used protocol: rest for
gateway.discord.gg, which causes the OpenShell proxy to apply L7 HTTP
inspection to WebSocket connections. Discord detects the TLS intercept
and never sends the HELLO packet, causing 30s connection timeouts.

The presets/discord.yaml already carried the correct fix (access: full,
CONNECT tunnel) with an explanatory comment referencing NVIDIA#409, but the
default sandbox policy was not updated to match.

Align openclaw-sandbox.yaml with the preset: replace the protocol: rest
block for gateway.discord.gg with access: full and add the same
explanatory comment so the intent is clear.

Fixes NVIDIA#979

Signed-off-by: Deepak Jain <[email protected]>

coderabbitai bot commented Mar 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 5c269c1 and f4297b1.

📒 Files selected for processing (1)
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml

📝 Walkthrough

A network policy endpoint for Discord's gateway in the sandbox configuration was modified to change from HTTP REST with TLS termination and explicit method rules to a tunnel-style full access model, affecting only the specified endpoint configuration.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Discord Network Policy Configuration: nemoclaw-blueprint/policies/openclaw-sandbox.yaml | Modified gateway.discord.gg:443 endpoint from REST/TLS-terminated enforcement with explicit GET/POST allow rules to full tunnel-style access model (access: full), removing protocol-specific constraints. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop, hop! A tunnel now flows where REST did go,
Discord's gateway opens wide, the sandbox aglow,
From strict enforcement to full access granted true,
Network policies evolve—what the tunnel can do! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the primary change: updating the Discord gateway policy from HTTP REST inspection to full access mode to fix a TLS interception issue. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Development

Successfully merging this pull request may close these issues.

Discord WebSocket gateway stalls (no HELLO within 30000ms) when routed through OpenShell proxy
