Add http_request and http_response hooks for LLM provider HTTP interception

[kim0]

Adds HTTP-level hooks that allow intercepting requests to LLM providers for logging, adding custom headers, authentication injection, and request cancellation.

New Hook Events

http_request

Fires before each HTTP request to an LLM provider. Handlers receive:

• provider, modelId, url, method
• headers (sensitive headers redacted)
• body (string bodies only)

Handlers can return:

• { headers: {...} } to add/override headers
• { cancel: true } to abort the request

http_response

Fires after each HTTP response. Handlers receive:

• provider, modelId, status, headers, durationMs

Example Hook

// .pi/hooks/http-logger.ts
import type { HookAPI } from "@mariozechner/pi-coding-agent";

export default function(pi: HookAPI) {
  pi.on("http_request", async (event) => {
    console.log(`→ ${event.method} ${event.url}`);
    return { headers: { "X-Custom-Header": "value" } };
  });
  
  pi.on("http_response", async (event) => {
    console.log(`← ${event.status} (${event.durationMs}ms)`);
  });
}

Implementation

• packages/ai: Added fetch option to StreamOptions, threaded through all provider functions
• packages/agent: Added createFetch factory option to AgentOptions and AgentLoopConfig
• packages/coding-agent: Hook event types, HookRunner methods, fetch wrapper factory in SDK

Provider Support

Provider	HTTP Hooks Support
anthropic	✅
openai, github-copilot, xai, groq, cerebras, openrouter, zai, mistral	✅
google-gemini-cli, google-antigravity	✅
google	❌ (SDK limitation)

The @google/genai SDK does not expose custom fetch in its public API. Users needing HTTP hooks with Google models should use google-gemini-cli provider.

Security

Sensitive headers are automatically redacted in hook events:

• Explicit: authorization, x-api-key, api-key, x-goog-api-key, anthropic-api-key, proxy-authorization, cookie, set-cookie
• Heuristic: any header containing auth, token, key, secret, or cookie

Tests

Added 36 tests covering:

• Hook event emission and handler behavior
• Header injection, cancellation, redaction, normalization
• Request object input, non-string bodies, network errors

[badlogic]

Lovely, I planned on adding this, did an exploration, and also ran into the Google provider issue. I think it's fine to have it even if the Google provider doesn't support it. I'm finishing the session-tree refactor today, so this will have to be rebased. See #316

[kim0]

@badlogic This has been rebased, thx!

[kim0]

@badlogic ready for main

[badlogic]

Sorry, had to finish the session-tree branch. Will give it a looksy asap.

[kim0]

@badlogic rebased http_hooks onto latest main and resolved the conflicts by porting the hook-based HTTP interception to the new extensions API.

[kim0]

@badlogic Please take a look before it conflicts again :)