[FEATURE] Expose input messages to BeforeInvocationEvent hook

[Unshure]

Overview

To implement standalone input-side guardrails (for e.g. PII, toxic content, prompt attack prevention), we'd like to place a Hook as early as possible in the invocation. In particular, we want to make sure it runs (and has the opportunity to redact the user's input message) before the message gets added to memory by e.g. AgentCoreMemorySessionManager, which hooks on MessageAddedEvent.

However, the current BeforeInvocationEvent hook only receives a reference to the agent and has no visibility of the incoming messages because they haven't been added to agent.messages yet.

---

Implementation Requirements

Based on clarification discussion and repository analysis:

Technical Approach

1. Extend BeforeInvocationEvent to include messages

Modify src/strands/hooks/events.py:

• Add a messages attribute to BeforeInvocationEvent dataclass
• Use None as default value for backward compatibility
• Make messages writable to allow hooks to modify messages in-place for redaction
• Type: Messages | None (where Messages = list[Message])

@dataclass
class BeforeInvocationEvent(HookEvent):
    """Event triggered at the beginning of a new agent request.
    
    Attributes:
        messages: The input messages for this invocation. Can be modified by hooks
            to redact or transform content before processing. May be None for
            backward compatibility or when invoked from deprecated methods.
    """
    messages: Messages | None = None

    def _can_write(self, name: str) -> bool:
        return name == "messages"

2. Update _run_loop() to pass messages

Modify src/strands/agent/agent.py in the _run_loop() method:

• Pass the messages parameter when invoking BeforeInvocationEvent
• The event should be raised before messages are appended to agent.messages

# Current (line ~647):
await self.hooks.invoke_callbacks_async(BeforeInvocationEvent(agent=self))

# Updated:
await self.hooks.invoke_callbacks_async(BeforeInvocationEvent(agent=self, messages=messages))

3. Do NOT modify structured_output_async()

This method is deprecated and should not be updated. The messages attribute will remain None when BeforeInvocationEvent is invoked from this deprecated code path.

Error Handling

• If a guardrail hook raises an exception in BeforeInvocationEvent, AfterInvocationEvent should still be triggered (maintaining the paired event guarantee)
• Hooks can raise exceptions to abort the entire agent invocation (useful when redaction leaves nothing useful)

Files to Modify

File	Changes
src/strands/hooks/events.py	Add messages attribute to BeforeInvocationEvent, implement _can_write()
src/strands/agent/agent.py	Pass messages to BeforeInvocationEvent in _run_loop()
tests/strands/agent/hooks/test_events.py	Add tests for new messages attribute and writability
tests/strands/agent/test_agent_hooks.py	Update existing tests to verify messages are passed correctly
docs/HOOKS.md	Document the new messages attribute and its use for input guardrails

Acceptance Criteria

• BeforeInvocationEvent has a messages attribute with None default
• messages attribute is writable (hooks can modify in-place)
• _run_loop() passes messages to BeforeInvocationEvent
• Existing hooks that don't use messages continue to work (backward compatibility)
• AfterInvocationEvent fires even if BeforeInvocationEvent hook raises an exception
• Unit tests cover the new functionality
• docs/HOOKS.md is updated with guidance on input guardrails

Example Usage

from strands import Agent
from strands.hooks import BeforeInvocationEvent, HookProvider, HookRegistry

class InputGuardrailHook(HookProvider):
    def register_hooks(self, registry: HookRegistry) -> None:
        registry.add_callback(BeforeInvocationEvent, self.check_input)
    
    async def check_input(self, event: BeforeInvocationEvent) -> None:
        if event.messages is None:
            return
        
        for message in event.messages:
            if contains_pii(message["content"]):
                # Option 1: Redact in-place
                message["content"] = redact_pii(message["content"])
                
                # Option 2: Abort invocation
                # raise ValueError("PII detected in input")

agent = Agent(hooks=[InputGuardrailHook()])
agent("Process this message")  # Guardrail runs before message is added to memory

---

Original Problem Statement

Today the next-earliest workaround is for an input guardrail to hook on to MessageAddedEvent instead (since this'll get called as soon as the agent initializes its messages list, before BeforeModelCallEvent)... But this is not ideal because MessageAdded is a typical place for session/memory managers (like AgentCoreMemorySessionManager) to hook - so relies on users to connect their guardrail and memory hooks in the right sequence to avoid leakage of sensitive/malicious input into memory. It should work, but is easy to mis-configure without realizing.

Related Issues

• [FEATURE] Add ability to bypass LLM invocation and provide custom responses in hooks strands-agents/sdk-python#758 (guardrail hook aborting invocation)

[Unshure]

/strands

[github-actions]

Repository Analysis & Clarifying Questions

I've analyzed the repository structure and the current implementation of the hooks system. Here's my understanding and some clarifying questions:

Repository Context

• Framework: Strands Agents Python SDK
• Hooks System: Located in src/strands/hooks/ with events defined in events.py
• Key Files to Modify:
  • src/strands/hooks/events.py - Add messages attribute to BeforeInvocationEvent
  • src/strands/agent/agent.py - Update when/how BeforeInvocationEvent is invoked
  • Tests in tests/strands/agent/hooks/test_events.py and tests/strands/agent/test_agent_hooks.py
  • Documentation in docs/HOOKS.md

Current Implementation Flow

1. _run_loop() (line 647): BeforeInvocationEvent is raised, but messages aren't appended to agent.messages until line 653
2. structured_output_async() (line 465): BeforeInvocationEvent is raised before temp_messages is constructed at line 473

Clarifying Questions

1. Messages Writability

Should the messages attribute on BeforeInvocationEvent be writable to allow hooks to modify messages in-place for redaction?

Looking at the existing pattern with BeforeToolCallEvent, some properties like selected_tool and tool_use are writable. Would you expect similar behavior for messages?

# Example: Would hooks be expected to do this?
def input_guardrail_hook(event: BeforeInvocationEvent):
    for message in event.messages:
        message["content"] = redact_pii(message["content"])

2. structured_output_async() Handling

I noticed structured_output_async() is marked as deprecated (line 458). Should changes still be made to this method for consistency, or should the focus be solely on the non-deprecated code paths (__call__, stream_async)?

The issue mentions moving BeforeInvocationEvent invocation to after temp_messages is set up - should this still be implemented given the deprecation?

3. Backward Compatibility

Adding messages as a new attribute to BeforeInvocationEvent - should this be:

• Required parameter: Would be a breaking change for any code that constructs this event directly
• Optional parameter with None default: Backward compatible, but hooks would need to handle None case

Given this is a public API, what's the preference for maintaining backward compatibility?

4. Edge Case: Error Handling

If a guardrail hook raises an exception in BeforeInvocationEvent (e.g., to abort the invocation as mentioned in the issue), should AfterInvocationEvent still be triggered? The current pattern seems to guarantee paired events even on exceptions.

[Unshure]

/strands

1. yes
2. This should not be added to structured_output_async()
3. None default for backwards compatibility
4. Yes

[github-actions]

Task Refinement Complete

I've updated the issue description with comprehensive implementation requirements based on the clarifications provided.

Summary of Implementation Scope

What will be implemented:

• Add messages attribute to BeforeInvocationEvent (writable, with None default)
• Update _run_loop() to pass messages to the event
• Maintain backward compatibility for existing hooks
• Ensure AfterInvocationEvent fires even if BeforeInvocationEvent hook raises

What will NOT be implemented:

• Changes to structured_output_async() (deprecated method)

Files to Modify

1. src/strands/hooks/events.py
2. src/strands/agent/agent.py
3. tests/strands/agent/hooks/test_events.py
4. tests/strands/agent/test_agent_hooks.py
5. docs/HOOKS.md

Estimated Effort

Small to medium task - implementable by a single developer in approximately 3-5 days.

---

This issue is now ready for implementation.

[Unshure]

/strands implement