litellm - 💡(How to fix) Fix [Bug]: experimental_use_latest_role_message_only - parallel tool calls leave N-1 responses unchecked by Bedrock Guardrails [1 participants]

Check for existing issues

• I have searched the existing issues and checked that my issue is not a duplicate.

Summary

When experimental_use_latest_role_message_only is enabled and an LLM requests N tool calls in a single agentic loop iteration, all N results are appended to the conversation history before the next request is sent. LiteLLM then forwards only messages[-1] to Bedrock Guardrails, meaning the first N-1 tool responses are never evaluated. This is a silent security gap, since tool outputs are a known indirect prompt injection vector.

Observed behavior

In a multi-turn agentic loop, when the assistant requests N tool calls at once, the agent executes all of them and appends all N results to the conversation before sending the next request. The message array at that point looks like:

[..., assistant(+N tool_calls), tool_result_1, tool_result_2, ..., tool_result_N]

With experimental_use_latest_role_message_only, LiteLLM sends only tool_result_N (messages[-1]) to Bedrock Guardrails.
tool_result_1 through tool_result_{N-1} are silently skipped — never evaluated.

Concrete example: 3 parallel tool calls

messages = [
  # first iteration of the loop
  [0] system
  [1] user:      "..."
  # second (and current) iteration of the loop
  [2] assistant: [tool_call_A, tool_call_B, tool_call_C]
  [3] tool:      result_A   ← NOT sent to Bedrock Guardrails
  [4] tool:      result_B   ← NOT sent to Bedrock Guardrails
  [5] tool:      result_C   ← sent to Bedrock Guardrails ✅ (messages[-1])
]

Full coverage table

Steps to reproduce

1. Set up a LiteLLM proxy with Bedrock Guardrails enabled and experimental_use_latest_role_message_only: true.

2. Define at least one tool that the model is likely to call multiple times in parallel (e.g. a search or lookup tool).

3. Enable Litellm DEBUG level logging so you can inspect what is forwarded to the Bedrock Guardrail applyGuardrail endpoint.

4. Send a user message that causes the model to issue 2 or more tool calls in a single assistant turn (parallel tool use).

5. Observe the Bedrock Guardrail API calls made during that agentic loop iteration corresponds only to the latest tool response in the array

Expected: Each tool result is sent to Bedrock Guardrails individually (or all are batched in a single call).
Actual: Only messages[-1] — the last tool result in the batch — is forwarded. All preceding tool results in the same turn are skipped.

Expected behavior

All tool results from the current agentic loop iteration should be evaluated by Bedrock Guardrails. Ideally each tool result is forwarded individually (one guardrail API call per result), so that:

• Every tool response is inspected exactly once
• Guardrail payload size stays bounded (no accumulated history, no batch of N results at once), which mitigates false positive risk from large payloads

Why this matters

Tool outputs are a well-known indirect prompt injection vector. An attacker who controls a tool's response can craft a payload. Silently skipping N-1 out of every N tool results when the model uses parallel tool calls means Bedrock Guardrails defense is only partially applied, with no warning or indication to the operator.

Environment

• LiteLLM version: 1.81.12
• Bedrock region: us-west-2
• Model: us.anthropic.claude-sonnet-4-6

config.yaml:

guardrails:
  - guardrail_name: <guardrail_name>
    litellm_params:
      guardrail: "bedrock"
      mode: "pre_call"
      guardrailIdentifier: <guardrailIdentifier>
      guardrailVersion: "6"
      aws_region_name: "us-west-2"
      default_on: true
      experimental_use_latest_role_message_only: true

What part of LiteLLM is this about?

Proxy

What LiteLLM version are you on ?

1.81.12