fix: harden hook session key routing defaults

src/config/types.hooks.ts

@@ -117,6 +117,21 @@ export type HooksConfig = {
   enabled?: boolean;
   path?: string;
   token?: string;
+  /**
+   * Default session key used for hook agent runs when no request/mapping session key is used.
+   * If omitted, OpenClaw generates `hook:<uuid>` per request.
+   */
+  defaultSessionKey?: string;
+  /**
+   * Allow `sessionKey` from external `/hooks/agent` request payloads.
+   * Default: false.
+   */
+  allowRequestSessionKey?: boolean;
+  /**
+   * Optional allowlist for explicit session keys (request + mapping). Example: ["hook:"].
+   * Empty/omitted means no prefix restriction.
+   */
+  allowedSessionKeyPrefixes?: string[];
   /**
    * Restrict explicit hook `agentId` routing to these agent ids.
    * Omit or include `*` to allow any agent. Set `[]` to deny all explicit `agentId` routing.

src/config/zod-schema.ts

@@ -302,6 +302,9 @@ export const OpenClawSchema = z
         enabled: z.boolean().optional(),
         path: z.string().optional(),
         token: z.string().optional(),
+        defaultSessionKey: z.string().optional(),
+        allowRequestSessionKey: z.boolean().optional(),
+        allowedSessionKeyPrefixes: z.array(z.string()).optional(),
         allowedAgentIds: z.array(z.string()).optional(),
         maxBodyBytes: z.number().int().positive().optional(),
         presets: z.array(z.string()).optional(),