Adding tool input and output guardrails

Author: steven10a

docs/guardrails.md

@@ -152,3 +152,83 @@ async def main():
 2. This is the guardrail's output type.
 3. This is the guardrail function that receives the agent's output, and returns the result.
 4. This is the actual agent that defines the workflow.
+
+## Tool guardrails
+
+Tool guardrails provide fine-grained control over individual tool calls, allowing you to validate inputs and outputs at the tool level. This is particularly useful for:
+
+- Blocking sensitive data in tool arguments
+- Preventing unauthorized access to certain tools
+- Sanitizing tool outputs before they're returned
+- Implementing custom validation logic for specific tools
+
+There are two types of tool guardrails:
+
+1. **Tool input guardrails** run before a tool is executed, validating the tool call arguments
+2. **Tool output guardrails** run after a tool is executed, validating the tool's output
+
+### Tool input guardrails
+
+Tool input guardrails run in 3 steps:
+
+1. First, the guardrail receives the tool call data including arguments, context, and agent information
+2. Next, the guardrail function runs to produce a [`ToolGuardrailFunctionOutput`][agents.tool_guardrails.ToolGuardrailFunctionOutput]
+3. Finally, we check if [`.tripwire_triggered`][agents.tool_guardrails.ToolGuardrailFunctionOutput.tripwire_triggered] is true. If true, a [`ToolInputGuardrailTripwireTriggered`][agents.exceptions.ToolInputGuardrailTripwireTriggered] exception is raised
+
+### Tool output guardrails
+
+Tool output guardrails run in 3 steps:
+
+1. First, the guardrail receives the tool call data plus the tool's output
+2. Next, the guardrail function runs to produce a [`ToolGuardrailFunctionOutput`][agents.tool_guardrails.ToolGuardrailFunctionOutput]
+3. Finally, we check if [`.tripwire_triggered`][agents.tool_guardrails.ToolGuardrailFunctionOutput.tripwire_triggered] is true. If true, a [`ToolOutputGuardrailTripwireTriggered`][agents.exceptions.ToolOutputGuardrailTripwireTriggered] exception is raised
+
+### Implementing tool guardrails
+
+You can create tool guardrails using the `@tool_input_guardrail` and `@tool_output_guardrail` decorators:
+
+```python
+from agents import (
+    ToolGuardrailFunctionOutput,
+    ToolInputGuardrailData,
+    ToolOutputGuardrailData,
+    tool_input_guardrail,
+    tool_output_guardrail,
+)
+
+@tool_input_guardrail
+def block_sensitive_words(data: ToolInputGuardrailData) -> ToolGuardrailFunctionOutput:
+    """Block tool calls that contain sensitive words in arguments."""
+    # Check arguments for sensitive content
+    if "password" in data.tool_call.arguments.lower():
+        return ToolGuardrailFunctionOutput(
+            tripwire_triggered=True,
+            model_message="🚨 Tool call blocked: contains sensitive word",
+            output_info={"blocked_word": "password"},
+        )
+    return ToolGuardrailFunctionOutput(tripwire_triggered=False, output_info="Input validated")
+
+@tool_output_guardrail
+def block_sensitive_output(data: ToolOutputGuardrailData) -> ToolGuardrailFunctionOutput:
+    """Block tool outputs that contain sensitive data."""
+    if "ssn" in str(data.output).lower():
+        return ToolGuardrailFunctionOutput(
+            tripwire_triggered=True,
+            model_message="🚨 Tool output blocked: contains sensitive data",
+            output_info={"blocked_pattern": "SSN"},
+        )
+    return ToolGuardrailFunctionOutput(tripwire_triggered=False, output_info="Output validated")
+
+# Apply guardrails to tools
+my_tool.tool_input_guardrails = [block_sensitive_words]
+my_tool.tool_output_guardrails = [block_sensitive_output]
+```
+
+For a complete working example, see [tool_guardrails.py](https://github.com/openai/openai-agents-python/blob/main/examples/basic/tool_guardrails.py).
+
+### Key differences from agent guardrails
+
+- **Scope**: Tool guardrails operate on individual tool calls, while agent guardrails operate on the entire agent input/output
+- **Timing**: Tool guardrails run immediately before/after tool execution, while agent guardrails run at the beginning/end of agent execution
+- **Data access**: Tool guardrails have access to the specific tool call arguments and outputs, plus the tool context
+- **Application**: Tool guardrails are applied directly to function tools via the `tool_input_guardrails` and `tool_output_guardrails` attributes

docs/ref/tool_guardrails.md

@@ -0,0 +1,3 @@
+# `Tool Guardrails`
+
+::: agents.tool_guardrails

examples/basic/tool_guardrails.py

@@ -0,0 +1,145 @@
+import asyncio
+import json
+
+from agents import (
+    Agent,
+    Runner,
+    ToolGuardrailFunctionOutput,
+    ToolInputGuardrailData,
+    ToolInputGuardrailTripwireTriggered,
+    ToolOutputGuardrailData,
+    ToolOutputGuardrailTripwireTriggered,
+    function_tool,
+    tool_input_guardrail,
+    tool_output_guardrail,
+)
+
+
+@function_tool
+def send_email(to: str, subject: str, body: str) -> str:
+    """Send an email to the specified recipient."""
+    return f"Email sent to {to} with subject '{subject}'"
+
+
+@function_tool
+def get_user_data(user_id: str) -> dict[str, str]:
+    """Get user data by ID."""
+    # Simulate returning sensitive data
+    return {
+        "user_id": user_id,
+        "name": "John Doe",
+        "email": "[email protected]",
+        "ssn": "123-45-6789",  # Sensitive data that should be blocked!
+        "phone": "555-1234",
+    }
+
+
+@tool_input_guardrail
+def block_sensitive_words(data: ToolInputGuardrailData) -> ToolGuardrailFunctionOutput:
+    """Block tool calls that contain sensitive words in arguments."""
+    try:
+        args = json.loads(data.tool_call.arguments)
+    except json.JSONDecodeError:
+        return ToolGuardrailFunctionOutput(
+            tripwire_triggered=False, output_info="Invalid JSON arguments"
+        )
+
+    # Check for suspicious content
+    sensitive_words = [
+        "password",
+        "hack",
+        "exploit",
+        "malware",
+        "orange",
+    ]  # to mock sensitive words
+    for key, value in args.items():
+        value_str = str(value).lower()
+        for word in sensitive_words:
+            if word in value_str:
+                return ToolGuardrailFunctionOutput(
+                    tripwire_triggered=True,
+                    model_message=f"🚨 Tool call blocked: contains '{word}'",
+                    output_info={"blocked_word": word, "argument": key},
+                )
+
+    return ToolGuardrailFunctionOutput(tripwire_triggered=False, output_info="Input validated")
+
+
+@tool_output_guardrail
+def block_sensitive_output(data: ToolOutputGuardrailData) -> ToolGuardrailFunctionOutput:
+    """Block tool outputs that contain sensitive data."""
+    output_str = str(data.output).lower()
+
+    # Check for sensitive data patterns
+    if "ssn" in output_str or "123-45-6789" in output_str:
+        return ToolGuardrailFunctionOutput(
+            tripwire_triggered=True,
+            model_message="🚨 Tool output blocked: contains sensitive data",
+            output_info={"blocked_pattern": "SSN", "tool": data.tool_call.name},
+        )
+
+    return ToolGuardrailFunctionOutput(tripwire_triggered=False, output_info="Output validated")
+
+
+# Apply guardrails to tools
+send_email.tool_input_guardrails = [block_sensitive_words]
+get_user_data.tool_output_guardrails = [block_sensitive_output]
+
+agent = Agent(
+    name="Secure Assistant",
+    instructions="You are a helpful assistant with access to email and user data tools.",
+    tools=[send_email, get_user_data],
+)
+
+
+async def main():
+    print("=== Tool Guardrails Example ===\n")
+
+    # Example 1: Normal operation - should work fine
+    print("1. Normal email sending:")
+    try:
+        result = await Runner.run(agent, "Send a welcome email to [email protected]")
+        print(f"✅ Success: {result.final_output}\n")
+    except Exception as e:
+        print(f"❌ Error: {e}\n")
+
+    # Example 2: Input guardrail triggers - should block suspicious content
+    print("2. Attempting to send email with suspicious content:")
+    try:
+        result = await Runner.run(
+            agent, "Send an email to [email protected] with the subject: orange"
+        )
+        print(f"✅ Success: {result.final_output}\n")
+    except ToolInputGuardrailTripwireTriggered as e:
+        print(f"🚨 Input guardrail triggered: {e.output.model_message}")
+        print(f"   Details: {e.output.output_info}\n")
+
+    # Example 3: Output guardrail triggers - should block sensitive data
+    print("3. Attempting to get user data (contains SSN):")
+    try:
+        result = await Runner.run(agent, "Get the data for user ID user123")
+        print(f"✅ Success: {result.final_output}\n")
+    except ToolOutputGuardrailTripwireTriggered as e:
+        print(f"🚨 Output guardrail triggered: {e.output.model_message}")
+        print(f"   Details: {e.output.output_info}\n")
+
+
+if __name__ == "__main__":
+    asyncio.run(main())
+
+"""
+Example output:
+
+=== Tool Guardrails Example ===
+
+1. Normal email sending:
+✅ Success: I've sent a welcome email to [email protected] with an appropriate subject and greeting message.
+
+2. Attempting to send email with suspicious content:
+🚨 Input guardrail triggered: 🚨 Tool call blocked: contains 'orange'
+   Details: {'blocked_word': 'orange', 'argument': 'subject'}
+
+3. Attempting to get user data (contains SSN):
+🚨 Output guardrail triggered: 🚨 Tool output blocked: contains sensitive data
+   Details: {'blocked_pattern': 'SSN', 'tool': 'get_user_data'}
+"""

examples/basic/tools.py

@@ -18,6 +18,7 @@ def get_weather(city: Annotated[str, "The city to get the weather for"]) -> Weat
     print("[debug] get_weather called")
     return Weather(city=city, temperature_range="14-20C", conditions="Sunny with wind.")
 
+
 agent = Agent(
     name="Hello world",
     instructions="You are a helpful agent.",

mkdocs.yml

@@ -101,6 +101,7 @@ plugins:
                     - ref/usage.md
                     - ref/exceptions.md
                     - ref/guardrail.md
+                    - ref/tool_guardrails.md
                     - ref/model_settings.md
                     - ref/agent_output.md
                     - ref/function_schema.md

src/agents/__init__.py

@@ -21,6 +21,8 @@
     ModelBehaviorError,
     OutputGuardrailTripwireTriggered,
     RunErrorDetails,
+    ToolInputGuardrailTripwireTriggered,
+    ToolOutputGuardrailTripwireTriggered,
     UserError,
 )
 from .guardrail import (
@@ -83,6 +85,15 @@
     default_tool_error_function,
     function_tool,
 )
+from .tool_guardrails import (
+    ToolGuardrailFunctionOutput,
+    ToolInputGuardrail,
+    ToolInputGuardrailData,
+    ToolOutputGuardrail,
+    ToolOutputGuardrailData,
+    tool_input_guardrail,
+    tool_output_guardrail,
+)
 from .tracing import (
     AgentSpanData,
     CustomSpanData,
@@ -191,6 +202,8 @@ def enable_verbose_stdout_logging():
     "AgentsException",
     "InputGuardrailTripwireTriggered",
     "OutputGuardrailTripwireTriggered",
+    "ToolInputGuardrailTripwireTriggered",
+    "ToolOutputGuardrailTripwireTriggered",
     "DynamicPromptFunction",
     "GenerateDynamicPromptData",
     "Prompt",
@@ -204,6 +217,13 @@ def enable_verbose_stdout_logging():
     "GuardrailFunctionOutput",
     "input_guardrail",
     "output_guardrail",
+    "ToolInputGuardrail",
+    "ToolOutputGuardrail",
+    "ToolGuardrailFunctionOutput",
+    "ToolInputGuardrailData",
+    "ToolOutputGuardrailData",
+    "tool_input_guardrail",
+    "tool_output_guardrail",
     "handoff",
     "Handoff",
     "HandoffInputData",