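Hook session routing upgrade: migrate to defaultSessionKey + prefix allowlist
For setups on 2026.2.12 or later, where `POST /hooks/agent` rejects request-level sessionKey overrides by default. Prerequisite: inbound Webhook/Hooks are in use. Steps: audit existing hook payloads → configure `hooks.defaultSessionKey` and `hooks.allowedSessionKeyPrefixes` → enable `hooks.allowRequestSessionKey: true` only temporarily during the compatibility window → run regression tests. Key config: defaultSessionKey. Verify: illegitimate overrides are rejected and legitimate fixed routing works. Risk: legacy integrations will fail because of the breaking change.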
Source: GitHub · Discovered 2026-02-15 · Author: steipete
Prerequisites
- Gateway is upgraded to 2026.2.12+ and hook endpoints are enabled.
- You can patch config and restart gateway safely.
Steps
- Inventory all webhook producers and identify payloads that still pass request-level sessionKey.
- Set `hooks.defaultSessionKey` and `hooks.allowedSessionKeyPrefixes: ['hook:']` to enforce fixed routing.
- Keep `hooks.allowRequestSessionKey` disabled by default; enable only for short migration windows.
- Run positive/negative webhook tests and verify audit logs for blocked overrides.
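The inventory and the expected positive/negative test outcomes from the steps above, as an added example (not code from the original tip or from the gateway). It models the routing policy as this page describes it; the policy values, the `producer` field, the captured payloads and the order of the rejection checks are assumptions.

```python
import json

# Key names come from the page; the values are constructed samples.
POLICY = {
    "defaultSessionKey": "hook:ingress",
    "allowedSessionKeyPrefixes": ["hook:"],
    "allowRequestSessionKey": False,
}

# Constructed capture of hook request bodies, one JSON object per line.
CAPTURED = """\
{"producer": "ci", "message": "build done"}
{"producer": "crm", "message": "new lead", "sessionKey": "hook:crm"}
{"producer": "legacy-bot", "message": "ping", "sessionKey": "main"}
"""

def classify(payload, policy):
    """Assumed model of the policy described above, not the gateway's code."""
    key = payload.get("sessionKey")
    if key is None:
        # No override requested: fixed routing to the default session.
        return ("route", policy["defaultSessionKey"])
    prefixes = policy["allowedSessionKeyPrefixes"]
    if not isinstance(key, str) or not any(key.startswith(p) for p in prefixes):
        return ("reject", "prefix not in allowlist")
    if not policy["allowRequestSessionKey"]:
        return ("reject", "request-level sessionKey disabled")
    return ("route", key)

def audit(lines, policy):
    """Return (producer, outcome_now, outcome_in_migration_window) per payload."""
    window = dict(policy, allowRequestSessionKey=True)
    report = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        payload = json.loads(line)
        report.append((payload.get("producer", "?"),
                       classify(payload, policy),
                       classify(payload, window)))
    return report

if __name__ == "__main__":
    for producer, now, window in audit(CAPTURED, POLICY):
        print(f"{producer:12} default={now} window={window}")
```

Producers whose outcome is `reject` under the default policy are the ones to migrate; those still rejected in the window column will not be rescued by `hooks.allowRequestSessionKey`.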
Commands
- `openclaw gateway status`
- `openclaw gateway restart`
Verify
Requests route to expected fixed sessions; override attempts fail closed.
Caveats
- Legacy integrations may appear 'silently broken' until payload producers are migrated.
- If you must keep legacy behavior, bound it with strict prefix allowlists and a sunset date (needs verification).
Source attribution
This tip is aggregated from community/public sources and preserved with attribution.