fix(discord): harden API URL construction

[RSO]

Summary

• Add Discord snowflake validation and fixed-origin URL construction for bot/API calls.
• Validate forwarded gateway message payloads before scheduling Discord bot work.
• Add regression coverage for malformed Discord IDs not reaching authenticated fetches.
• Tighten DISCORD_SNOWFLAKE_PATTERN from /^\d{1,20}$/ to /^\d{17,20}$/ to correctly reject values shorter than 17 digits, which are not valid Discord snowflakes.

Verification

N/A - backend security hardening only.

Visual Changes

N/A

Reviewer Notes

Addresses the Discord-side CodeQL request-forgery findings by validating path-segment IDs before Discord API URL construction. The GitLab CodeQL findings from the earlier plan are intentionally not included in this PR.

Built for RSO by Kilo

[kilo-code-bot]

Code Review Summary

Status: 1 Issue Remaining | Recommendation: Address before merge

Executive Summary

buildDiscordMessageLink still throws on invalid IDs with no @throws annotation; the latest commit (4cb506c) is a test fix — it corrects the guild snowflake used in rejects malformed message link IDs from '1' (invalid) to '111111111111111111' (valid 18-digit snowflake), which is a correct and necessary fix.

Overview

Severity	Count
CRITICAL	0
WARNING	1
SUGGESTION	0

Issue Details (click to expand)

WARNING

File	Line	Issue
apps/web/src/lib/discord-bot/discord-utils.ts	83	buildDiscordMessageLink throws on invalid IDs — breaking contract change with no @throws annotation

Resolved Issues

File	Issue	Status
apps/web/src/lib/discord-bot/discord-id.ts	Snowflake pattern /^\d{1,20}$/ accepted 1–16 digit values — fixed to /^\d{17,20}$/	✅ Fixed in commit 96a5c01
apps/web/src/lib/discord-bot/discord-id.test.ts	Test formatting (oxfmt)	✅ Fixed in commit fe358fe
apps/web/src/lib/discord-bot/discord-utils.test.ts	Test used '1' (invalid snowflake) as guildId, causing wrong validation error path	✅ Fixed in commit 4cb506c

Files Reviewed (14 files)

• apps/web/src/app/discord/webhook/route.ts
• apps/web/src/lib/discord-bot/discord-channel-context.test.ts
• apps/web/src/lib/discord-bot/discord-channel-context.ts
• apps/web/src/lib/discord-bot/discord-id.test.ts — reformatted ✅
• apps/web/src/lib/discord-bot/discord-id.ts — snowflake pattern fixed ✅
• apps/web/src/lib/discord-bot/discord-utils.test.ts — test guildId fixed ✅
• apps/web/src/lib/discord-bot/discord-utils.ts — 1 issue (unchanged)
• apps/web/src/lib/discord-bot/forwarded-gateway-event.test.ts
• apps/web/src/lib/discord-bot/forwarded-gateway-event.ts
• apps/web/src/lib/integrations/discord-guild-membership.test.ts
• apps/web/src/lib/integrations/discord-guild-membership.ts
• apps/web/src/lib/integrations/discord-service.test.ts
• apps/web/src/lib/integrations/discord-service.ts

Fix these issues in Kilo Cloud

---

_{Reviewed by claude-sonnet-4.6 · 350,673 tokens}

_{Review guidance: REVIEW.md from base branch main}

[RSO]

@kilocode-bot please fix the format-check

[kilo-code-bot]

Cloud Agent session agent_0bcd30d1-e4ca-4f2f-9265-d0221237cfed completed but the final response was not provided in the callback payload.

[RSO]

@kilocode-bot fix the tests, when you try to push, use --no-verify

[kilo-code-bot]

The Cloud Agent has fixed the failing test and pushed the changes. Here's a summary:

Root cause: The test rejects malformed message link IDs used '1' as a guildId, which is only 1 digit. Since the snowflake pattern was tightened to /^\d{17,20}$/ in this PR, it now correctly rejects '1' — but with "Invalid Discord guild ID", not the expected "Invalid Discord channel ID".

Fix: Updated the test's guildId from '1' to '111111111111111111' (a valid 18-digit snowflake), so validation flows through to the malformed channelId '2/../3' and throws the expected error.

This is consistent with the security hardening intent of the PR — the tests now accurately reflect the tightened validation logic.