
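v2026.2.12 Security Upgrade Rollout Checklist (including hooks/sessionKey changes)

Resolve webhook/session routing anomalies or security regressions after upgrading: first align the configuration with the release notes, then run regression verification and a staged (canary) rollout.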

GITHUB | Discovered 2026-02-13 | Author steipete
Prerequisites
  • You can access staging and production OpenClaw gateways with rollback capability.
  • Current hooks/session routing config is versioned before upgrade.
Steps
  1. Read v2026.2.12 release notes and extract breaking changes related to `POST /hooks/agent` and `sessionKey` behavior.
  2. In staging, set `hooks.defaultSessionKey` + `hooks.allowedSessionKeyPrefixes` for fixed hook routing; only enable `hooks.allowRequestSessionKey: true` if you intentionally keep legacy behavior.
  3. Run smoke tests for webhook auth, browser/web tool untrusted-content flow, and gateway restart drain behavior.
  4. After staging passes, deploy to production in a low-traffic window and monitor auth-failure / 429 / blocked-fetch logs.
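
A pre-deploy check for step 2, as an added example that is not part of the original tip or the OpenClaw project: it audits the three hooks keys named above before the staging gateway is restarted. The JSON layout, value types, sample values, and the names `audit_hooks`, `load_and_audit` and `legacy_intended` are assumptions made for illustration.

```python
import json

# Constructed staging fragment. Key names come from the tip; the JSON layout
# and value types (string, list of strings, boolean) are assumptions.
SAMPLE_CONFIG = """
{"hooks": {"defaultSessionKey": "hook:ingress",
           "allowedSessionKeyPrefixes": ["hook:"],
           "allowRequestSessionKey": false}}
"""


def audit_hooks(config, legacy_intended=False):
    """Return findings for the hooks section; an empty list means aligned."""
    hooks = config.get("hooks") or {}
    findings = []

    default_key = hooks.get("defaultSessionKey")
    if not isinstance(default_key, str) or not default_key.strip():
        findings.append("hooks.defaultSessionKey is not set")
        default_key = None

    prefixes = hooks.get("allowedSessionKeyPrefixes")
    if not isinstance(prefixes, list) or not prefixes or not all(
        isinstance(p, str) and p for p in prefixes
    ):
        findings.append("hooks.allowedSessionKeyPrefixes is missing, empty or malformed")
        prefixes = []

    # Assumption: the fixed default key should itself match an allowed prefix.
    if default_key and prefixes and not any(default_key.startswith(p) for p in prefixes):
        findings.append("hooks.defaultSessionKey matches no allowed prefix")

    # Assumption: an absent allowRequestSessionKey is treated as off.
    allow_request = hooks.get("allowRequestSessionKey", False)
    if not isinstance(allow_request, bool):
        findings.append("hooks.allowRequestSessionKey is not a boolean")
    elif allow_request and not legacy_intended:
        findings.append("hooks.allowRequestSessionKey is true without a documented legacy need")
    return findings


def load_and_audit(text, legacy_intended=False):
    """Parse a JSON config string and audit its hooks section."""
    return audit_hooks(json.loads(text), legacy_intended)


if __name__ == "__main__":
    for finding in load_and_audit(SAMPLE_CONFIG) or ["hooks routing config aligned"]:
        print(finding)
```

Pass `legacy_intended=True` only for integrations that have a documented, phased migration off request-level `sessionKey`.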
Commands
openclaw gateway status
openclaw logs --local-time
openclaw gateway restart
Verify

Hook requests route to the expected fixed session, security checks pass, and no unexpected session-key override appears after the upgrade.

Caveats
  • If external integrations still rely on request-level `sessionKey`, migration should be phased and documented before hardening.
  • Release-note security items still need environment-specific validation in your own topology (needs verification).
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
