
#23763: Hooks: require session key prefixes for request override

by bmendonca3 open 2026-02-22 17:27
gateway size: XS trusted-contributor
## Summary

- fail closed when `hooks.allowRequestSessionKey=true` but `hooks.allowedSessionKeyPrefixes` is unset/empty
- preserve existing prefix/default-session validation logic
- add tests for new startup validation and explicit allow path

## Testing

- pnpm lint
- pnpm vitest run src/gateway/hooks.test.ts

### Greptile Summary

Adds startup validation to fail closed when request session key override is enabled but allowed session key prefixes are unset or empty. This prevents a security misconfiguration where external hook requests could provide arbitrary session keys without prefix restrictions. The change preserves all existing validation logic for prefix matching and default session keys.

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk
- The change adds critical security validation with comprehensive test coverage, follows the repository's existing patterns, and has no breaking changes to correct configurations
- No files require special attention

Last reviewed commit: eda343b
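The fail-closed check described in this PR, sketched as an added TypeScript example (not the project's code). Only the two `hooks.*` key names come from the PR text; the function names, the `defaultSessionKey` field and its value, and the behavior when the override is disabled are assumptions.

```typescript
// Added illustration, not the project's implementation. Only the key names
// allowRequestSessionKey / allowedSessionKeyPrefixes come from the PR text.
interface HooksConfig {
  allowRequestSessionKey?: boolean;
  allowedSessionKeyPrefixes?: string[];
  defaultSessionKey?: string; // assumed field name
}

interface ResolvedHooksPolicy {
  allowRequestSessionKey: boolean;
  allowedSessionKeyPrefixes: string[];
  defaultSessionKey: string;
}

// Startup: refuse to boot when the override is on without a prefix allowlist.
function resolveHooksPolicy(cfg: HooksConfig): ResolvedHooksPolicy {
  // Drop blank entries: an empty prefix would match every key via startsWith.
  const prefixes = (cfg.allowedSessionKeyPrefixes ?? [])
    .map((p) => p.trim())
    .filter((p) => p.length > 0);
  const allowOverride = cfg.allowRequestSessionKey === true;
  if (allowOverride && prefixes.length === 0) {
    throw new Error(
      "hooks.allowRequestSessionKey=true requires non-empty hooks.allowedSessionKeyPrefixes",
    );
  }
  return {
    allowRequestSessionKey: allowOverride,
    allowedSessionKeyPrefixes: prefixes,
    defaultSessionKey: cfg.defaultSessionKey ?? "hook:default", // constructed value
  };
}

// Request time: a caller-supplied key is honored only under an allowed prefix.
function resolveSessionKey(policy: ResolvedHooksPolicy, requested?: string): string {
  if (requested === undefined || requested === "") return policy.defaultSessionKey;
  if (!policy.allowRequestSessionKey) {
    throw new Error("request session key override is disabled");
  }
  const key: string = requested;
  if (!policy.allowedSessionKeyPrefixes.some((p) => key.startsWith(p))) {
    throw new Error("session key does not match an allowed prefix");
  }
  return key;
}
```

Filtering blank entries before the length check matters: a list such as `[""]` is non-empty but would otherwise allow every session key.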
