
#23765: Gateway hooks: enforce JSON content type and strict payload keys

by bmendonca3 · open · 2026-02-22 17:29

Labels: gateway, size: S, trusted-contributor
## Summary

- enforce `Content-Type: application/json` for hooks ingress POST requests
- reject unknown top-level keys for `/hooks/wake` and `/hooks/agent` payloads (fail-closed schema behavior)
- keep existing body size limits in place and covered by tests

## Testing

- pnpm lint
- pnpm vitest run src/gateway/server-http.hooks-request-timeout.test.ts

### Greptile Summary

This PR hardens the gateway hooks ingress by adding two validation layers before payload processing:

- **Content-Type enforcement**: Returns HTTP 415 if the `Content-Type` header is not `application/json` (or a `+json` subtype), checked before body parsing to avoid unnecessary work.
- **Strict payload key validation**: Rejects requests to `/hooks/wake` and `/hooks/agent` that contain unrecognized top-level keys, implementing fail-closed schema behavior. Allowed keys are defined as static `Set` constants that match the fields processed by `normalizeWakePayload` and `normalizeAgentPayload`.

The validation correctly applies only to the two built-in hook endpoints and does not affect mapped hooks (which accept arbitrary external payloads). Tests cover all new rejection paths.

### Confidence Score: 5/5

- This PR is safe to merge — it adds input validation that strictly narrows accepted requests without altering existing valid behavior.
- The changes are straightforward input validation additions. The allowed key sets are verified to match the fields processed by the existing normalize functions. Content-type checking uses correct HTTP semantics (415 status). No existing behavior is altered for valid requests. Tests cover all new rejection paths. No security concerns — the changes actually improve security posture.
- No files require special attention.

Last reviewed commit: 08ca08a
