diff --git a/nemoclaw-blueprint/policies/presets/discord.yaml b/nemoclaw-blueprint/policies/presets/discord.yaml
index 8ffd1bc63..42a0dd8dd 100644
--- a/nemoclaw-blueprint/policies/presets/discord.yaml
+++ b/nemoclaw-blueprint/policies/presets/discord.yaml
@@ -19,7 +19,10 @@ network_policies:
           - allow: { method: POST, path: "/**" }
           - allow: { method: PUT, path: "/**" }
           - allow: { method: PATCH, path: "/**" }
-          - allow: { method: DELETE, path: "/**" }
+          # DELETE only on message and reaction endpoints — not all paths
+          # Reaction DELETE requires an extra path segment: /reactions/{emoji}/@me or /{user_id}
+          - allow: { method: DELETE, path: "/api/v*/channels/*/messages/*" }
+          - allow: { method: DELETE, path: "/api/v*/channels/*/messages/*/reactions/*/*" }
       # WebSocket gateway — must use access: full (CONNECT tunnel) instead
       # of protocol: rest. The proxy's HTTP idle timeout (~2 min) kills
       # long-lived WebSocket connections; a CONNECT tunnel avoids
diff --git a/nemoclaw-blueprint/policies/presets/huggingface.yaml b/nemoclaw-blueprint/policies/presets/huggingface.yaml
index 6462e238b..ef9a7b724 100644
--- a/nemoclaw-blueprint/policies/presets/huggingface.yaml
+++ b/nemoclaw-blueprint/policies/presets/huggingface.yaml
@@ -24,7 +24,7 @@ network_policies:
         tls: terminate
         rules:
           - allow: { method: GET, path: "/**" }
-      - host: api-inference.huggingface.co
+      - host: router.huggingface.co
         port: 443
         protocol: rest
         enforcement: enforce