Permissions

Who can manage a guild

COMMS asks Discord for your guild list (/users/@me/guilds) on sign-in and re-checks every five minutes. A guild appears in your dashboard if and only if Discord itself reports ADMINISTRATOR (0x8) or MANAGE_GUILD (0x20) for you on that guild.

There are three places this rule is enforced:

  1. The UI filters out guilds you cannot manage.
  2. The dashboard BFF rejects any API call referencing a guild that is not on your admin list — even if you crafted the request by hand.
  3. The broadcast service verifies the same claim a second time when it receives the request, against a signed JWT issued by the dashboard. Belt and suspenders.
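The permission-bit rule and the server-side rejection in step 2, as an added example (not COMMS code). The function and class names, the fail-closed handling of malformed entries, and the sample guild data are assumptions made for illustration.

```python
import time

ADMINISTRATOR = 0x8    # bit values as stated on this page
MANAGE_GUILD = 0x20
SNAPSHOT_TTL = 300     # seconds: the five-minute re-check interval

def manageable_guild_ids(guilds):
    """Ids of guilds whose permission bits include ADMINISTRATOR or MANAGE_GUILD."""
    allowed = set()
    for g in guilds:
        raw = g.get("permissions") if isinstance(g, dict) else None
        gid = g.get("id") if isinstance(g, dict) else None
        # Discord sends the bitfield as a decimal string. Anything else
        # (missing, null, negative, non-numeric) fails closed.
        if not (isinstance(raw, str) and raw.isascii() and raw.isdigit()):
            continue
        if not isinstance(gid, str):
            continue
        if int(raw) & (ADMINISTRATOR | MANAGE_GUILD):
            allowed.add(gid)
    return allowed

class GuildSnapshot:
    """Hypothetical cached admin list for one user (not the COMMS implementation)."""

    def __init__(self, guilds, fetched_at):
        self.allowed = manageable_guild_ids(guilds)
        self.fetched_at = fetched_at

    def authorize(self, guild_id, now=None):
        """Server-side check: True only for a fresh snapshot that lists guild_id."""
        now = time.time() if now is None else now
        if now - self.fetched_at > SNAPSHOT_TTL:
            return False  # stale: re-fetch from Discord before deciding
        return guild_id in self.allowed

# Constructed sample shaped like a /users/@me/guilds response (ids are made up).
SAMPLE_GUILDS = [
    {"id": "1001", "name": "admin-here", "permissions": "8"},
    {"id": "1002", "name": "manager-here", "permissions": "1099511627808"},
    {"id": "1003", "name": "member-only", "permissions": "3072"},
    {"id": "1004", "name": "null-perms", "permissions": None},
    {"id": "1005", "name": "negative", "permissions": "-1"},
]
```

The negative entry matters in Python because `-1 & 0x28` is nonzero, so an unvalidated `int()` would grant access.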

What we store

  • Your Discord ID, username, and avatar.
  • An access token + refresh token, used solely to refresh your guild list.
  • A 5-minute cached snapshot of your guild list with permission bits.
  • An audit row each time you act (activate a session, edit a node, invite a bot).

What we never store

  • Message content. We never request the MESSAGE_CONTENT scope or intent.
  • Voice traffic. Audio is relayed through the broadcast service in real time and never persisted.
  • Your email. We don't request the email scope.