
fix(discord): harden API URL construction#3659

Open
RSO wants to merge 3 commits into
mainfrom
fix/discord-codeql-request-forgery

Conversation


@RSO RSO commented Jun 2, 2026

Summary

  • Add Discord snowflake validation and fixed-origin URL construction for bot/API calls.
  • Validate forwarded gateway message payloads before scheduling Discord bot work.
  • Add regression coverage for malformed Discord IDs not reaching authenticated fetches.
  • Tighten DISCORD_SNOWFLAKE_PATTERN from /^\d{1,20}$/ to /^\d{17,20}$/ to correctly reject values shorter than 17 digits, which are not valid Discord snowflakes.

Verification

N/A - backend security hardening only.

Visual Changes

N/A

Reviewer Notes

Addresses the Discord-side CodeQL request-forgery findings by validating path-segment IDs before Discord API URL construction. The GitLab CodeQL findings from the earlier plan are intentionally not included in this PR.

Built for RSO by Kilo


kilo-code-bot Bot commented Jun 2, 2026

Code Review Summary

Status: 1 Issue Remaining | Recommendation: Address before merge

Executive Summary

buildDiscordMessageLink still throws on invalid IDs with no @throws annotation; the latest commit (fe358fe) is a pure oxfmt formatting fix with no logic changes.

Overview

  Severity    Count
  CRITICAL    0
  WARNING     1
  SUGGESTION  0

Issue Details

WARNING

  File:   apps/web/src/lib/discord-bot/discord-utils.ts
  Line:   83
  Issue:  buildDiscordMessageLink now throws on invalid IDs — breaking contract change with no @throws annotation

Resolved Issues

  File:   apps/web/src/lib/discord-bot/discord-id.ts
  Issue:  Snowflake pattern /^\d{1,20}$/ accepted 1–16 digit values — fixed to /^\d{17,20}$/
  Status: ✅ Fixed in commit 96a5c01

  File:   apps/web/src/lib/discord-bot/discord-id.test.ts
  Issue:  Test formatting (oxfmt)
  Status: ✅ Fixed in commit fe358fe
Files Reviewed (14 files)
  • apps/web/src/app/discord/webhook/route.ts
  • apps/web/src/lib/discord-bot/discord-channel-context.test.ts
  • apps/web/src/lib/discord-bot/discord-channel-context.ts
  • apps/web/src/lib/discord-bot/discord-id.test.ts — reformatted ✅
  • apps/web/src/lib/discord-bot/discord-id.ts — snowflake pattern fixed ✅
  • apps/web/src/lib/discord-bot/discord-utils.test.ts
  • apps/web/src/lib/discord-bot/discord-utils.ts — 1 issue (unchanged)
  • apps/web/src/lib/discord-bot/forwarded-gateway-event.test.ts
  • apps/web/src/lib/discord-bot/forwarded-gateway-event.ts
  • apps/web/src/lib/integrations/discord-guild-membership.test.ts
  • apps/web/src/lib/integrations/discord-guild-membership.ts
  • apps/web/src/lib/integrations/discord-service.test.ts
  • apps/web/src/lib/integrations/discord-service.ts


Reviewed by claude-sonnet-4.6 · 327,727 tokens

Review guidance: REVIEW.md from base branch main


RSO commented Jun 2, 2026

@kilocode-bot please fix the format-check


kilo-code-bot Bot commented Jun 2, 2026

Cloud Agent session agent_0bcd30d1-e4ca-4f2f-9265-d0221237cfed completed but the final response was not provided in the callback payload.
