feat(models): add guardrails configuration and redaction support to Bedrock provider

[Unshure]

Summary

This PR implements proper handling of modelRedactContentEvent in the Agent SDK, enabling guardrail-based content redaction for both user input and assistant output.

Why This Change Is Needed

When Bedrock Guardrails detect content that should be blocked (either inappropriate user input or harmful assistant output), they emit modelRedactContentEvent events with redaction messages. The SDK needs to:

1. Capture these events during streaming
2. Replace blocked content with the redaction messages
3. Maintain consistency in the message history

Public API Changes

StreamAggregatedResult Interface (model.ts)

The result returned by streamAggregated now includes an optional redactionMessage:

interface StreamAggregatedResult {
  message: Message
  stopReason: StopReason
  metadata?: ModelMetadataEvent
  redactionMessage?: string  // For user input redaction
}

ModelStopData Interface (events.ts)

The AfterModelCallEvent now includes redaction info:

interface ModelStopData {
  readonly message: Message
  readonly stopReason: StopReason
  readonly redactionMessage?: string  // For user input redaction
}

Architecture

Separation of Concerns

1. Model Layer (streamAggregated):

   • Handles modelRedactContentEvent events
   • Directly redacts assistant output by updating the message content
   • Returns redactionMessage for agent to handle user input redaction

2. Agent Layer (_stream):

   • Receives redactionMessage from model via invokeModel
   • Handles user message redaction using _redactLastMessage helper
   • Exposes redactionMessage via AfterModelCallEvent.stopData

Implementation Details

• _redactLastMessage: Redacts the last message in the conversation history (preserves role)
• Assistant output redaction is handled directly by the model
• User input redaction info is passed to agent via redactionMessage

Testing

• Tests verify redactionMessage is returned correctly for user input redaction
• Tests verify assistant message is redacted directly by model
• Tests verify model does NOT modify user messages (agent handles this)

Resolves #564

[github-actions]

Assessment: Request Changes

This PR adds a well-structured guardrails configuration API for Bedrock with good test coverage and documentation. The implementation follows existing patterns and handles both streaming and non-streaming modes correctly.

Review Summary

• Missing Exports: The new public types (ModelRedactContentEvent, ModelRedactContentEventData, GuardrailConfig) need to be exported from src/index.ts for customers to properly type-check redaction events and configure guardrails.

• API Design: The API follows a clean pattern with sensible defaults (redactInput: true, redactOutput: false). The PR description includes good documentation of use cases and API signatures.

Nice work on the comprehensive test coverage! 🎉

[Unshure]

/strands how does this pull request update the agent.messages array? If a user message, or assistant message, is redacted, the message in the messages array should be updated as well with the new content. This can likely be done in the model.ts file, where if a redact event is encountered, it can overwrite the return value from the model.

[github-actions]

I've implemented the message redaction support in streamAggregated as requested.

Changes Made

src/models/model.ts

• Added import for ModelRedactContentEvent
• Updated _convert_to_class_event to handle the new event type
• Added redaction handling in streamAggregated:
  • User redaction: When redactUserContentMessage is present, finds and replaces the last user message in the messages array with a new Message containing the redaction text
  • Assistant redaction: When redactAssistantContentMessage is present, clears contentBlocks, adds the redaction message, and recreates stoppedMessage with the redacted content

src/models/__tests__/model.test.ts

Added 4 new tests:

• Redacts last user message when redactUserContentMessage is present
• Redacts assistant content when redactAssistantContentMessage is present
• Redacts both user and assistant content when both are present
• Finds and redacts only the last user message in multi-turn conversation

All 1033 tests pass.

[Unshure]

/strands Im liking this better, but can you update the AggregatedStreamResult to include the redact content, and update the agent class to overwrite the latest message with this redacted content if its present?

[Unshure]

Can you add redactContent to AfterModelCallEvent?

[github-actions]

Done - added redactionMessage to ModelStopData interface and updated AfterModelCallEvent to include it in stopData.

[Unshure]

nit: Can this still just be result.value?

[github-actions]

Done - simplified to return result.value.

[Unshure]

Can you update this so that it just redacts the last message, not the last user message?

[github-actions]

Done - renamed to _redactLastMessage and simplified to redact the last message regardless of role.

[Unshure]

This can just be redactionMessage. We will only ever return this value if the redactUserContentMessage is set. If redactAssistantContentMessage event is returned from the underlying model, then we just update the message of the StreamAggregatedResult so there is no need to redact.

[github-actions]

Done - simplified to just redactionMessage. Assistant redaction is now handled directly in the model by updating the message content.

[Unshure]

/strands