Hi everyone,
I’m working with the open-source openai-agents-python SDK, streaming events (RunItemStreamEvent, RawResponsesStreamEvent) from an agent runner to a frontend via Server-Sent Events (SSE) and ND-JSON.
Context:
Our current setup (agents_ndjson.py) transforms SDK events to ND-JSON and filters out sensitive internal messages before sending them to the frontend. Typically, the flow is:
- The LLM outputs a message containing a tool invocation, e.g.:
json
CopyEdit
{"pdf_url":"https://…","lang":"spa"}
- SDK emits
RunItemStreamEvent(name="message_output_created"). - The tool runs, and on completion, the SDK emits
RunItemStreamEvent(name="tool_output").
The problem:
Despite our filtering logic, sensitive initial invocation messages (with URLs or parameters) still reach the frontend briefly before being filtered out. We believe this leakage is due to incremental delta events (RawResponsesStreamEvent) being emitted before our filters have context.
What we’ve tried:
- Filtering events explicitly at both
message_output_createdandRawResponsesStreamEventlevels. - Regex-based filtering on internal keys (e.g.,
pdf_url,file_url, etc.). - Attempting to remove or delay events containing sensitive info before they reach the frontend.
However, sensitive messages still occasionally leak through.
Our questions:
- Where is the exact best place to reliably intercept and fully suppress sensitive messages without disrupting the event stream?
- Is there a robust pattern or recommended strategy for reliably identifying and filtering internal tool calls emitted as incremental delta events?
- Would buffering events until we have enough context to decide their sensitivity be the best solution? Any potential pitfalls?
Has anyone faced similar challenges? Any guidance, suggestions, or alternative approaches would be greatly appreciated!
Thanks!