fix(security): classify hook sessions case-insensitively

src/security/external-content.test.ts

@@ -246,6 +246,12 @@ describe("external-content security", () => {
       expect(isExternalHookSession("hook:custom:456")).toBe(true);
     });
 
+    it("identifies mixed-case hook prefixes", () => {
+      expect(isExternalHookSession("HOOK:gmail:msg-123")).toBe(true);
+      expect(isExternalHookSession("Hook:custom:456")).toBe(true);
+      expect(isExternalHookSession("  HOOK:webhook:123  ")).toBe(true);
+    });
+
     it("rejects non-hook sessions", () => {
       expect(isExternalHookSession("cron:daily-task")).toBe(false);
       expect(isExternalHookSession("agent:main")).toBe(false);
@@ -266,6 +272,12 @@ describe("external-content security", () => {
       expect(getHookType("hook:custom:456")).toBe("webhook");
     });
 
+    it("returns hook type for mixed-case hook prefixes", () => {
+      expect(getHookType("HOOK:gmail:msg-123")).toBe("email");
+      expect(getHookType("  HOOK:webhook:123  ")).toBe("webhook");
+      expect(getHookType("Hook:custom:456")).toBe("webhook");
+    });
+
     it("returns unknown for non-hook sessions", () => {
       expect(getHookType("cron:daily")).toBe("unknown");
     });