feat: Add configurable security policy filename to AgentBase

openhands-agent · openhands-agent · commit cfc6c9f48c8d · 2025-09-22T16:42:58.000Z
- Add security_policy_filename field to AgentBase with default 'security_policy.j2'
- Update system_prompt.j2 template to use configurable security policy filename
- Update system_message property to pass security_policy_filename to template
- Add comprehensive tests for configurable security policy functionality
- Maintain backward compatibility with existing security policy behavior
- Add custom_security_policy.j2 template for testing purposes

Co-authored-by: openhands &lt;openhands@all-hands.dev&gt;
diff --git a/openhands/sdk/agent/base.py b/openhands/sdk/agent/base.py
@@ -109,6 +109,12 @@ class AgentBase(DiscriminatedUnionMixin, ABC):
         description="Optional kwargs to pass to the system prompt Jinja2 template.",
         examples=[{"cli_mode": True}],
     )
+    security_policy_filename: str = Field(
+        default="security_policy.j2",
+        description=(
+            "Filename of the security policy template to include in system prompt."
+        ),
+    )
     security_analyzer: analyzer.SecurityAnalyzerBase | None = Field(
         default=None,
         description="Optional security analyzer to evaluate action risks.",
@@ -156,6 +162,9 @@ def system_message(self) -> str:
         if hasattr(self, "cli_mode"):
             template_kwargs["cli_mode"] = getattr(self, "cli_mode")
 
+        # Add security_policy_filename to template kwargs
+        template_kwargs["security_policy_filename"] = self.security_policy_filename
+
         system_message = render_template(
             prompt_dir=self.prompt_dir,
             template_name=self.system_prompt_filename,
diff --git a/openhands/sdk/agent/prompts/custom_security_policy.j2 b/openhands/sdk/agent/prompts/custom_security_policy.j2
@@ -0,0 +1,12 @@
+# 🔒 Custom Security Policy
+
+## Custom Security Rules
+
+- This is a custom security policy template
+- Used for testing configurable security policy functionality
+- Contains different content than the default policy
+
+## Custom Guidelines
+
+- Follow custom security guidelines
+- Test that custom templates are properly loaded
diff --git a/openhands/sdk/agent/prompts/system_prompt.j2 b/openhands/sdk/agent/prompts/system_prompt.j2
@@ -62,7 +62,7 @@ Your primary role is to assist users by executing commands, modifying code, and
 </PROBLEM_SOLVING_WORKFLOW>
 
 <SECURITY>
-{% include 'security_policy.j2' %}
+{% include security_policy_filename %}
 </SECURITY>
 
 <SECURITY_RISK_ASSESSMENT>
diff --git a/tests/sdk/agent/test_security_policy_integration.py b/tests/sdk/agent/test_security_policy_integration.py
@@ -69,3 +69,70 @@ def test_security_policy_template_rendering():
     # Verify it's properly formatted (no extra whitespace at start/end)
     assert not security_policy.startswith(" ")
     assert not security_policy.endswith(" ")
+
+
+def test_configurable_security_policy_filename():
+    """Test that security policy filename can be configured."""
+    # Create agent with custom security policy filename
+    agent = Agent(
+        llm=LLM(
+            model="test-model", api_key=SecretStr("test-key"), base_url="http://test"
+        ),
+        security_policy_filename="custom_security_policy.j2",
+    )
+
+    # Get the system message
+    system_message = agent.system_message
+
+    # Verify that the custom security policy content is included
+    assert "🔒 Custom Security Policy" in system_message
+    assert "Custom Security Rules" in system_message
+    assert "This is a custom security policy template" in system_message
+    assert "Custom Guidelines" in system_message
+
+    # Verify that the default security policy content is NOT included
+    assert "🔐 Security Policy" not in system_message
+    assert "OK to do without Explicit User Consent" not in system_message
+
+
+def test_default_security_policy_filename():
+    """Test that default security policy filename works correctly."""
+    # Create agent with default security policy filename
+    agent = Agent(
+        llm=LLM(
+            model="test-model", api_key=SecretStr("test-key"), base_url="http://test"
+        )
+    )
+
+    # Verify the default filename is set correctly
+    assert agent.security_policy_filename == "security_policy.j2"
+
+    # Get the system message
+    system_message = agent.system_message
+
+    # Verify that the default security policy content is included
+    assert "🔐 Security Policy" in system_message
+    assert "OK to do without Explicit User Consent" in system_message
+
+
+def test_security_policy_filename_field_access():
+    """Test that security_policy_filename field can be accessed and modified."""
+    # Create agent with custom security policy filename
+    agent = Agent(
+        llm=LLM(
+            model="test-model", api_key=SecretStr("test-key"), base_url="http://test"
+        ),
+        security_policy_filename="custom_security_policy.j2",
+    )
+
+    # Verify the field is accessible
+    assert agent.security_policy_filename == "custom_security_policy.j2"
+
+    # Test model_copy with different security policy filename
+    agent_copy = agent.model_copy(
+        update={"security_policy_filename": "security_policy.j2"}
+    )
+    assert agent_copy.security_policy_filename == "security_policy.j2"
+    assert (
+        agent.security_policy_filename == "custom_security_policy.j2"
+    )  # Original unchanged
