RFC: AWS Bedrock Guardrails Integration (ApplyGuardrail API)

[koushikkethamakka]

Summary

Add support for AWS Bedrock Guardrails via the ApplyGuardrail API to provide content filtering, PII detection, and prompt attack prevention across the OpenClaw data flow.

Motivation

Bedrock Guardrails provide enterprise-grade content safety features:

• Content filtering (hate, violence, sexual, misconduct, prompt attacks)
• PII detection and masking (names, emails, SSN, etc.)
• Denied topics (custom topic blocking)
• Word filters (custom blocklists)

Critically, the ApplyGuardrail API works independently of the model provider - you can use Bedrock guardrails even when using Anthropic direct API, OpenAI, or any other provider. This makes it a universal safety layer.

Proposed Architecture

Hook Points

Instead of just wrapping model inference, guardrails should be applied at multiple points in the data flow:

Hook	When	Purpose
input	User message received	Block prompt attacks, denied topics
output	Model response ready	Filter harmful content before delivery
memory.write	Before saving to memory files	Prevent PII/secrets from persisting
memory.read	After memory_search retrieval	Check retrieved context before use
tool.result	After tool execution	Catch sensitive data in file contents, exec output
web.search	After search results return	Filter injected prompts in results
web.fetch	After URL content fetched	Check external content before context

Data Flow

User Input
    ↓
[Guardrail: INPUT] ← prompt attack detection
    ↓
Memory Search
    ↓
[Guardrail: MEMORY_READ] ← PII check on retrieved context
    ↓
Web Search/Fetch
    ↓
[Guardrail: WEB_*] ← external content validation
    ↓
Tool Calls
    ↓
[Guardrail: TOOL_RESULT] ← sensitive data in outputs
    ↓
Model Inference
    ↓
[Guardrail: OUTPUT] ← content filtering
    ↓
Memory Write
    ↓
[Guardrail: MEMORY_WRITE] ← prevent PII persistence
    ↓
Response to User

Configuration

{
  guardrails: {
    bedrock: {
      enabled: true,
      guardrailId: "abc123def",
      guardrailVersion: "DRAFT", // or version number
      region: "us-east-1",
      
      // Enable/disable specific hooks
      hooks: {
        input: true,
        output: true,
        memoryWrite: true,
        memoryRead: false,  // might be noisy
        toolResult: true,
        webSearch: true,
        webFetch: true,
      },
      
      // Behavior when guardrail triggers
      onBlock: "reject",     // reject | warn | log
      onPiiDetected: "mask", // mask | reject | log
    }
  }
}

Implementation

New files:

• src/agents/bedrock-guardrails.ts - Core ApplyGuardrail wrapper
• src/agents/guardrails-hooks.ts - Hook registration and execution
• src/config/types.guardrails.ts - Config schema

Key functions:

async function applyGuardrail(params: {
  content: string;
  source: "INPUT" | "OUTPUT";
  guardrailId: string;
  guardrailVersion: string;
}): Promise<GuardrailResult>;

function registerGuardrailHook(
  hook: GuardrailHook,
  handler: GuardrailHandler
): void;

AWS Permissions Required

• bedrock:ApplyGuardrail

Uses existing AWS SDK auth chain (same as Bedrock inference).

Use Cases

1. Enterprise compliance - Prevent PII from leaking into logs/memory
2. Content safety - Block harmful outputs before delivery
3. Prompt injection defense - Check external content (web, RAG) for attacks
4. Audit logging - Track what guardrails caught

Open Questions

1. Should guardrail checks be async/non-blocking for low-priority hooks?
2. How to handle guardrail latency impact on response time?
3. Should we support multiple guardrail configurations for different hooks?
4. Integration with existing tool policy system?

References

• ApplyGuardrail API docs
• Bedrock Guardrails overview
• AWS SDK: @aws-sdk/client-bedrock-runtime (already installed)

---

Happy to implement this if the design direction looks good. Would love feedback on the hook architecture.

[divol89]

Excellent RFC! 🙌 This is exactly the kind of enterprise safety integration OpenClaw needs.

Architecture Review

Your hook-based approach is architecturally sound:

User Input → [INPUT guardrail] → Memory → [MEMORY_READ] → ...

This provides defense in depth across the entire data flow.

Strengths of Proposal

Aspect	Assessment
Universal coverage	Works with any model provider ✅
Multiple hook points	Comprehensive protection ✅
Configurable	Per-hook enable/disable ✅
AWS native	Uses standard auth chain ✅

Implementation Considerations

1. Hook Registration

Consider using the existing plugin system:

// plugins/guardrails-bedrock/index.ts
export default definePlugin({
  hooks: {
    'message:input': applyInputGuardrail,
    'message:output': applyOutputGuardrail,
    'memory:write': applyMemoryGuardrail,
    'tool:result': applyToolResultGuardrail,
  }
});

2. Performance

• Guardrail API adds ~50-200ms latency
• Consider async non-blocking for memory.write
• Cache guardrail results for identical content?

3. Error Handling

onBlock: "reject" | "warn" | "log" | "mask_and_continue"

4. Cost

ApplyGuardrail is priced per 1K characters - document cost implications.

Suggested Next Steps

1. MVP: Start with input and output hooks only
2. Draft PR: Implement core src/agents/bedrock-guardrails.ts
3. Tests: Mock Bedrock responses, test all onBlock behaviors
4. Docs: Cost estimation and AWS IAM setup guide

Related Work

• Can agents prove why they act? PIC plugin idea for OpenClaw #9753 PIC plugin - Similar intent-verification concept
• ClawGuardian plugin - Could leverage same hook system

Marking as feature-request and enterprise.

Would love to see a draft PR! 🚀

---

Response by OpenClaw Bot 🤖

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.