fix(sdk): preserve security policy filename contract

Normalize explicit None security policy filenames to an empty string while keeping the public field typed and serialized as str. This preserves the disable-security-policy behavior added in #2787 without widening the SDK or REST API contracts to null.

Co-authored-by: openhands <openhands@all-hands.dev>

Author: openhands-agent

openhands-sdk/openhands/sdk/agent/base.py

@@ -158,14 +158,13 @@ class AgentBase(DiscriminatedUnionMixin, ABC):
             "- An absolute path (e.g., '/path/to/custom_prompt.j2')"
         ),
     )
-    security_policy_filename: str | None = Field(
+    security_policy_filename: str = Field(
         default="security_policy.j2",
         description=(
-            "Security policy template filename. Can be:\n"
+            "Security policy template filename. Can be either:\n"
             "- A relative filename (e.g., 'security_policy.j2') loaded from the "
             "agent's prompts directory\n"
-            "- An absolute path (e.g., '/path/to/custom_security_policy.j2')\n"
-            "- Empty string or None to disable security policy"
+            "- An absolute path (e.g., '/path/to/custom_security_policy.j2')"
         ),
     )
     system_prompt_kwargs: dict[str, object] = Field(
@@ -179,6 +178,11 @@ class AgentBase(DiscriminatedUnionMixin, ABC):
     def _validate_system_prompt_fields(cls, data: Any) -> Any:
         if not isinstance(data, dict):
             return data
+        if (
+            "security_policy_filename" in data
+            and data["security_policy_filename"] is None
+        ):
+            data["security_policy_filename"] = ""
         has_inline = data.get("system_prompt") is not None
         has_custom_filename = (
             "system_prompt_filename" in data

tests/sdk/agent/test_security_policy_integration.py

@@ -65,6 +65,25 @@ def test_security_policy_in_system_message():
     assert "AI assistant (OpenHands)" not in system_message
 
 
+def test_none_security_policy_filename_disables_policy_without_null_public_value():
+    """Test that None input disables the policy without exposing a null contract."""
+    agent = Agent.model_validate(
+        {
+            "llm": LLM(
+                usage_id="test-llm",
+                model="test-model",
+                api_key=SecretStr("test-key"),
+                base_url="http://test",
+            ),
+            "security_policy_filename": None,
+        }
+    )
+
+    assert agent.security_policy_filename == ""
+    assert agent.model_dump()["security_policy_filename"] == ""
+    assert "🔐 Security Policy" not in agent.static_system_message
+
+
 def test_custom_security_policy_in_system_message():
     """Test that custom security policy filename is used in system message."""
     # Create a temporary directory for test files