
fix(policy): remove DELETE method from Discord preset#1486

Closed
dknos wants to merge 2 commits into NVIDIA:main from dknos:fix/discord-policy-delete-1433



@dknos dknos commented Apr 5, 2026

Summary

  • Removes DELETE method from Discord policy preset
  • Discord bots use GET/POST/PUT/PATCH for standard operations; DELETE is rarely needed and expands attack surface

Test plan

  • Verify Discord bot operations (send message, read channels, add reactions) still work without DELETE
  • Confirm no standard bot SDK calls require DELETE

Fixes #1433

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Disabled HTTP DELETE requests for the Discord integration endpoint; GET, POST, PUT and PATCH remain allowed. This changes the endpoint's behavior to reject delete operations while preserving other request types.
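
The effect of this change on request matching, as an added example that is not part of the PR or of the NemoClaw code base. The rule fields (`host`, `port`, `path`, `methods`), the default-deny matching semantics and the sample request paths are assumptions constructed for illustration, not the project's schema.

```python
from fnmatch import fnmatchcase

# Constructed rules modelling the preset before and after this PR.
# Field names are assumptions for this example, not NemoClaw's schema.
BEFORE = [{"host": "discord.com", "port": 443, "path": "/**",
           "methods": ["GET", "POST", "PUT", "PATCH", "DELETE"]}]
AFTER = [{"host": "discord.com", "port": 443, "path": "/**",
          "methods": ["GET", "POST", "PUT", "PATCH"]}]

# Methods this lint treats as destructive when paired with a catch-all path.
DESTRUCTIVE = {"DELETE"}


def is_allowed(rules, host, port, method, path):
    """Default-deny: a request passes only if one rule matches all four fields."""
    for rule in rules:
        # "/**" is treated as "any path under /"; fnmatch's "*" also crosses "/".
        pattern = rule["path"].replace("**", "*")
        if (rule["host"] == host and rule["port"] == port
                and method.upper() in rule["methods"]
                and fnmatchcase(path, pattern)):
            return True
    return False


def lint(rules):
    """Return (host, port, methods) for rules that allow a destructive
    method on a catch-all path, the pattern this PR removes."""
    findings = []
    for rule in rules:
        risky = DESTRUCTIVE.intersection(m.upper() for m in rule["methods"])
        if risky and rule["path"].endswith("**"):
            findings.append((rule["host"], rule["port"], sorted(risky)))
    return findings


if __name__ == "__main__":
    # Constructed sample request: deleting a message in a channel.
    req = ("discord.com", 443, "DELETE", "/api/v10/channels/1/messages/2")
    print("before:", is_allowed(BEFORE, *req), lint(BEFORE))
    print("after: ", is_allowed(AFTER, *req), lint(AFTER))
```

A check like `lint` can run in CI over every preset so that a destructive method on a wildcard path has to be added deliberately rather than shipped as a default.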


coderabbitai bot commented Apr 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8d39a0a1-9932-405a-a5ea-3af824d2c94a

📥 Commits

Reviewing files that changed from the base of the PR and between 6cea193 and 73ce4e8.

📒 Files selected for processing (1)
  • nemoclaw-blueprint/policies/presets/discord.yaml
💤 Files with no reviewable changes (1)
  • nemoclaw-blueprint/policies/presets/discord.yaml

Walkthrough

The Discord preset removed the HTTP DELETE method from the discord.com:443 network policy rule that matched all paths; other HTTP methods and unrelated rules were unchanged.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Discord Policy Security Fix: nemoclaw-blueprint/policies/presets/discord.yaml | Removed DELETE from the allowed HTTP methods for the discord.com:443 rule that applied to /**, narrowing permitted REST methods for that endpoint. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nibble rules with careful paws,
DELETE hops off the policy clause,
Paths stay safe, no channels swept,
Only needed calls are kept,
A tidy hop, a quiet cause 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'fix(policy): remove DELETE method from Discord preset' accurately and concisely describes the main change in the pull request. |
| Linked Issues check | ✅ Passed | The pull request removes the DELETE HTTP method from the Discord policy preset, directly addressing the primary objective of issue #1433 to remove DELETE from the default Discord preset. |
| Out of Scope Changes check | ✅ Passed | The pull request modifies only the Discord policy preset file to remove the DELETE method, with no out-of-scope changes introduced beyond the stated objective. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@wscurran wscurran added the security, priority: high, Integration: Discord, fix, and enhancement: policy labels Apr 6, 2026

wscurran commented Apr 6, 2026

✨ Thanks for submitting this fix, which proposes a way to remove the DELETE method from the Discord policy preset to improve security by reducing unnecessary permissions.


Possibly related open issues:

@dknos dknos force-pushed the fix/discord-policy-delete-1433 branch from 05bee19 to 6cea193 Compare April 8, 2026 06:02
Discord bots rarely need DELETE access. Removing it reduces the
attack surface for sandbox agents interacting with Discord APIs.

Fixes NVIDIA#1433

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Signed-off-by: dknos <rneebo@gmail.com>
@dknos dknos force-pushed the fix/discord-policy-delete-1433 branch from 6cea193 to 73ce4e8 Compare April 8, 2026 06:32

cv commented Apr 9, 2026

#1433 closed

@cv cv closed this Apr 9, 2026

Development

Successfully merging this pull request may close these issues.

Discord Preset Allows DELETE Method on All Paths — Overly Permissive Default - IssueFinder - SN 11
