hooks: default hooks.internal.enabled to true so bundled hooks load on fresh installs

Made-with: Cursor

src/security/audit-extra.sync.test.ts

@@ -23,9 +23,16 @@ describe("collectAttackSurfaceSummaryFindings", () => {
       expectedDetail: ["hooks.webhooks: enabled", "hooks.internal: enabled"],
     },
     {
-      name: "reports both hook systems as disabled when neither is configured",
+      name: "reports internal hooks as enabled by default and webhooks as disabled when neither is configured",
       cfg: {} satisfies OpenClawConfig,
-      expectedDetail: ["hooks.webhooks: disabled", "hooks.internal: disabled"],
+      expectedDetail: ["hooks.webhooks: disabled", "hooks.internal: enabled"],
+    },
+    {
+      name: "reports internal hooks as disabled when explicitly set to false",
+      cfg: {
+        hooks: { internal: { enabled: false } },
+      } satisfies OpenClawConfig,
+      expectedDetail: ["hooks.internal: disabled"],
     },
   ])("$name", ({ cfg, expectedDetail }) => {
     const [finding] = collectAttackSurfaceSummaryFindings(cfg);

src/security/audit-extra.sync.ts

@@ -526,7 +526,7 @@ export function collectAttackSurfaceSummaryFindings(cfg: OpenClawConfig): Securi
   const group = summarizeGroupPolicy(cfg);
   const elevated = cfg.tools?.elevated?.enabled !== false;
   const webhooksEnabled = cfg.hooks?.enabled === true;
-  const internalHooksEnabled = cfg.hooks?.internal?.enabled === true;
+  const internalHooksEnabled = cfg.hooks?.internal?.enabled !== false;
   const browserEnabled = cfg.browser?.enabled ?? true;
 
   const detail =