feat(hooks): expose input messages to BeforeInvocationEvent #9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Unshure
reviewed
Jan 13, 2026
docs/HOOKS.md
Outdated
Comment on lines
25
to
70
|
|
||
| ## Input Guardrails with BeforeInvocationEvent | ||
|
|
||
| The `BeforeInvocationEvent` provides access to input messages through its `messages` attribute, enabling hooks to implement input-side guardrails that run before messages are added to the agent's conversation history. | ||
|
|
||
| ### Use Cases | ||
|
|
||
| - **PII Detection/Redaction**: Scan and redact sensitive information before processing | ||
| - **Content Moderation**: Filter toxic or inappropriate content | ||
| - **Prompt Attack Prevention**: Detect and block malicious prompt injection attempts | ||
|
|
||
| ### Example: Input Redaction Hook | ||
|
|
||
| ```python | ||
| from strands import Agent | ||
| from strands.hooks import BeforeInvocationEvent, HookProvider, HookRegistry | ||
|
|
||
| class InputGuardrailHook(HookProvider): | ||
| def register_hooks(self, registry: HookRegistry) -> None: | ||
| registry.add_callback(BeforeInvocationEvent, self.check_input) | ||
|
|
||
| async def check_input(self, event: BeforeInvocationEvent) -> None: | ||
| if event.messages is None: | ||
| return | ||
|
|
||
| for message in event.messages: | ||
| if message.get("role") == "user": | ||
| content = message.get("content", []) | ||
| for block in content: | ||
| if "text" in block: | ||
| # Option 1: Redact in-place | ||
| block["text"] = redact_pii(block["text"]) | ||
|
|
||
| # Option 2: Abort invocation by raising an exception | ||
| # if contains_malicious_content(block["text"]): | ||
| # raise ValueError("Malicious content detected") | ||
|
|
||
| agent = Agent(hooks=[InputGuardrailHook()]) | ||
| agent("Process this message") # Guardrail runs before message is added to memory | ||
| ``` | ||
|
|
||
| ### Key Behaviors | ||
|
|
||
| - `messages` defaults to `None` for backward compatibility (e.g., when invoked from deprecated methods) | ||
| - `messages` is writable, allowing hooks to modify content in-place | ||
| - The `AfterInvocationEvent` is always triggered even if a hook raises an exception, maintaining the paired event guarantee |
Owner
There was a problem hiding this comment.
Remove this. Its too specific for this document.
Author
There was a problem hiding this comment.
Done - removed the Input Guardrails section from HOOKS.md.
src/strands/hooks/events.py
Outdated
Comment on lines
42
to
47
| The messages attribute provides access to the input messages for this invocation, | ||
| allowing hooks to inspect or modify message content before processing. This is | ||
| particularly useful for implementing input guardrails (e.g., PII detection, | ||
| content moderation, prompt attack prevention) that need to run before messages | ||
| are added to the agent's conversation history. | ||
Owner
There was a problem hiding this comment.
Remove this. the purpose of messages should be covered in the Attributes.
Author
There was a problem hiding this comment.
Done - removed the detailed guardrails description from the docstring.
src/strands/hooks/events.py
Outdated
Comment on lines
55
to
56
| to redact or transform content before processing. May be None for | ||
| backward compatibility or when invoked from deprecated methods. |
Owner
There was a problem hiding this comment.
Suggested change
| to redact or transform content before processing. May be None for | |
| backward compatibility or when invoked from deprecated methods. | |
| to redact or transform content before processing. |
Author
There was a problem hiding this comment.
Done - removed the backward compatibility note from the attribute description.
Comment on lines
180
to
184
| def test_before_invocation_event_messages_set_on_init(agent, sample_messages): | ||
| """Test that BeforeInvocationEvent.messages can be set on initialization.""" | ||
| event = BeforeInvocationEvent(agent=agent, messages=sample_messages) | ||
| assert event.messages is sample_messages | ||
| assert event.messages == [{"role": "user", "content": [{"text": "Hello, agent!"}]}] |
Owner
There was a problem hiding this comment.
Remove this since its a no-op test.
Author
There was a problem hiding this comment.
Done - removed the no-op test.
Owner
|
/strands |
Add messages attribute to BeforeInvocationEvent to enable input-side guardrails for PII detection, content moderation, and prompt attack prevention. Hooks can now inspect and modify messages before they are added to the agent's conversation history. - Add writable messages attribute to BeforeInvocationEvent (None default) - Pass messages parameter from _run_loop() to BeforeInvocationEvent - Add unit tests for new messages attribute and writability - Add integration tests for message modification use case - Update docs/HOOKS.md with input guardrails documentation Resolves #8
- Remove detailed Input Guardrails section from docs/HOOKS.md - Simplify BeforeInvocationEvent docstring per review - Remove backward compatibility note from messages attribute - Remove no-op test for messages initialization
Unshure
force-pushed
the
agent-tasks/8
branch
from
d244c27 to
128730b
Compare
Unshure
had a problem deploying
to
manual-approval
GitHub Actions
Failure
Unshure
reviewed
Jan 14, 2026
Comment on lines
244
to
246
| # Verify BeforeInvocationEvent includes messages | ||
| before_event_2 = next(events) | ||
| assert isinstance(before_event_2, BeforeInvocationEvent) |
Owner
There was a problem hiding this comment.
Any reason this can't be something like:
assert next(events) == BeforeInvocationEvent(agent=agent, messages=agent.messages[0:1])
That would be a lot more concise & readable
Author
There was a problem hiding this comment.
Good point! Updated to use the concise equality comparison pattern.
Owner
|
/strands |
Use concise equality comparison for BeforeInvocationEvent assertions instead of verbose instance checks and property assertions.
Unshure
had a problem deploying
to
manual-approval
GitHub Actions
Failure
Unshure
had a problem deploying
to
manual-approval
GitHub Actions
Failure
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
Hook providers implementing input-side guardrails (PII detection, content moderation, prompt attack prevention) need access to input messages before they are added to the agent's conversation history. The
BeforeInvocationEventpreviously only provided a reference to the agent with no visibility into incoming messages, forcing guardrail implementations to hook onMessageAddedEventinstead—which runs after messages are already in memory and creates ordering dependencies with session/memory managers.Resolves #8
Public API Changes
BeforeInvocationEventnow includes a writablemessagesattribute:The
messagesattribute defaults toNonefor backward compatibility with deprecated code paths.Use Cases