fix: guardrail redact targets last user message, not trailing LTM context

[giulio-leone]

Issue

Closes #1639

Problem

When guardrail redaction is enabled (guardrail_redact_input=True) together with a long-term memory (LTM) session manager like AgentCoreMemorySessionManager, the redact logic incorrectly modifies the LTM context message instead of the user's input.

The LTM session manager appends an assistant message after the user turn:

messages[0]: {role: 'user',      content: [{text: 'Tell me something bad'}]}      ← should be redacted
messages[1]: {role: 'assistant', content: [{text: '<user_context>...</user_context>'}]}  ← was being redacted

The redact handler used self.messages[-1], which blindly picked the last message regardless of role.

Root Cause

In agent.py, the guardrail redaction code assumed self.messages[-1] is always the user's input:

self.messages[-1]['content'] = self._redact_user_content(
    self.messages[-1]['content'], ...
)

With LTM enabled, messages[-1] is the assistant's context message, not the user's input.

Solution

Replaced self.messages[-1] with a reverse search for the last message with role == 'user':

last_user_msg = next(
    (m for m in reversed(self.messages) if m['role'] == 'user'),
    None,
)

This matches the pattern already used by _find_last_user_text_message_index() in the Bedrock model for guardrail_latest_message wrapping.

Testing

• Added test_agent_redacts_user_message_not_ltm_context: Simulates the LTM scenario with a trailing assistant context message, verifies the user message is redacted and the LTM context is preserved
• All 8 guardrail-related tests pass
• All 113 agent tests pass

Changes

• src/strands/agent/agent.py: Changed guardrail redact handler to find last user-role message
• tests/strands/agent/test_agent.py: Added test for LTM + guardrail interaction

⚠️ This reopens #1884 which was accidentally closed due to fork deletion.

[codecov]

Codecov Report

❌ Patch coverage is 80.00000% with 1 line in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/strands/agent/agent.py	80.00%	0 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

[github-actions]

Issue: The new test test_agent_redacts_user_message_not_ltm_context accidentally absorbed the entire body of the existing test_agent_restored_from_session_management_with_correct_index function. The diff replaced the old def line but the old function's body (lines 1626-1648) now runs as dead code inside the new test.

You can verify this by running the test — it prints hello!world! which comes from the old test's MockedModelProvider and agent("Hello!") calls that are now orphaned code within your new test function.

Suggestion: The new test should end at line 1623 (after the LTM assertions). The old test_agent_restored_from_session_management_with_correct_index function definition needs to be preserved as a separate function. This likely happened because the PR branch was forked from a slightly different base. Please rebase onto main and ensure the new test is inserted before the existing test_agent_restored_from_session_management_with_correct_index, not replacing it.

[github-actions]

Issue: The assertions here are overly loose for a deterministic scenario. With the test setup (one user message + one assistant LTM message → agent("ignored") adds another user message → guardrail redacts the last user), you know exactly which message should be redacted and the exact final state of agent.messages.

Suggestion: Assert on the exact expected state rather than using >= 1 checks. For example:

# The last user message (the "ignored" input from agent()) should be redacted
last_user_msgs = [m for m in agent.messages if m["role"] == "user"]
assert last_user_msgs[-1]["content"] == [{"text": "BLOCKED!"}]

# The first user message ("Tell me something bad") should NOT be redacted
assert last_user_msgs[0]["content"] == [{"text": "Tell me something bad"}]

This makes the test clearer about what "last user message" means and catches regressions more precisely.

[github-actions]

Issue: Minor — response is assigned but unused, requiring a noqa suppression.

Suggestion: Simply call agent("ignored") without assigning to a variable, which eliminates the need for the noqa comment.

[github-actions]

Issue: The None guard silently drops the redaction when no user message is found. While this shouldn't happen in normal operation, silently ignoring a guardrail redaction could mask issues.

Suggestion: Consider adding a logger.warning in the else branch so unexpected scenarios are surfaced:

if last_user_msg is not None:
    ...
else:
    logger.warning("no user message found to redact | guardrail redaction skipped")

[github-actions]

Assessment: Request Changes

The core fix in agent.py is correct and well-motivated — replacing self.messages[-1] with a reverse search for the last user-role message is the right approach and aligns with existing patterns in the codebase. The PR description is thorough and clearly explains the problem and solution.

However, the test file has a critical issue that must be resolved before merge.

Review Details

• Critical — Test absorbs existing test: The new test_agent_redacts_user_message_not_ltm_context accidentally replaced the def line of the existing test_agent_restored_from_session_management_with_correct_index and absorbed its body as dead code. This deletes an existing test and runs unrelated assertions silently inside the new test. This is likely a rebase issue — please rebase onto the latest main and ensure the new test is inserted cleanly alongside the existing one.
• Testing: The test assertions could be more precise — using exact expected state rather than >= 1 checks would make the test more robust and readable.
• Observability: Consider logging a warning when no user message is found for redaction, rather than silently skipping.

The fix itself is clean and the approach is sound 👍