feat(python-sdk): support omitting username/password from basic auth when configured in IR

[Swimburger]

Description

Split from #14378 (one PR per generator).

Adds conditional support for omitting username or password from basic auth in the Python SDK generator. When usernameOmit or passwordOmit flags are set in the IR's BasicAuthScheme, the flagged field is completely removed from the end-user SDK API (constructor parameters, type hints, getters). Internally, the omitted field is treated as an empty string when encoding the Authorization: Basic header (e.g., password: omit: true → header encodes username:). Default behavior (both required) is preserved when no omit flags are set.

Changes Made

• client_wrapper_generator.py:
  • _get_constructor_info(): Conditionally skips adding constructor parameters for omitted fields entirely (not just making them nullable). Uses getattr(basic_auth_scheme, "username_omit", None) defensively since the Python IR SDK may not expose these fields in type stubs.
  • _get_write_get_headers_body(): Omitted fields use "" directly via AST.Expression('""') instead of reading from options. Only non-omitted fields get null-checked. Per-field conditions (not coarse either_omitted).
• versions.yml: New 5.2.2 entry
• New basic-auth-pw-omitted test fixture: Fern definition with password: omit: true, plus full seed output for seed/python-sdk/basic-auth-pw-omitted/

Testing

• Seed snapshot generated for basic-auth-pw-omitted fixture
• Existing seed fixtures unchanged (no regressions)
• Ruff formatting passes

⚠️ Human Review Checklist

1. Verify generated output: Inspect seed/python-sdk/basic-auth-pw-omitted/src/seed/client.py — confirm the constructor has no password parameter and _get_auth_headers uses "" for the password in httpx.BasicAuth().
2. getattr defensive access: getattr(basic_auth_scheme, "username_omit", None) is used instead of direct attribute access. If the Python IR SDK (v65) already defines these fields, direct access would be cleaner.
3. Per-field removal: Each field's omit flag is checked independently. When only passwordOmit: true, only the password is removed — username remains required. Verify this matches the generated seed output.
4. Both-omitted edge case: When both fields are omitted and auth is non-mandatory, the header is skipped entirely (pass). When auth is mandatory, it still sets the header with BasicAuth("", ""). Verify this asymmetry is acceptable.
5. Pre-existing test CI failure: The test check fails with an IR deserialization error (singleBaseUrl vs multipleBaseUrls) — this is a pre-existing issue in the Python generator's test suite unrelated to this PR.

Updates since last revision

• Fixture renamed: basic-auth-optional → basic-auth-pw-omitted to accurately reflect what the fixture tests (password omission, not generic optionality)
• Terminology fix: Changelog entry updated to use "omit" language instead of "optional" — fields are removed from the SDK API, not made nullable
• Breaking semantic change: Fields with omit: true are now completely removed from the SDK API (constructor params, type hints, getters), not just made optional/nullable. This matches the IR doc comment: "the field will be omitted from the SDK."
• Replaced coarse either_omitted flag with per-field username_omitted/password_omitted checks
• Omitted fields now use AST.Expression('""') directly instead of or "" fallback on nullable params
• Regenerated seed output to reflect complete field removal
• Version bumped to 5.2.2; merged with main to pick up latest changes

Link to Devin session: https://app.devin.ai/sessions/0786b963284f4799acb409d5373cde0a
Requested by: @Swimburger

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[graphite-app]

When auth is mandatory and either_omitted is True, the code unconditionally sets the Authorization header even when both credentials are None. This conflicts with the stated behavior that "When neither is provided, the Authorization header is omitted entirely."

If both get_username() and get_password() return None, the generated code will still encode an Authorization header as ":" (empty username and password), which may cause authentication failures.

The fix should add a conditional check similar to the non-mandatory branch:

username_val = self.get_username()
password_val = self.get_password()
if username_val is not None or password_val is not None:
    headers["Authorization"] = httpx.BasicAuth(username_val or "", password_val or "")._auth_header

Suggested change

	writer.write(f'headers["{ClientWrapperGenerator.AUTHORIZATION_HEADER}"] = ')
	if either_omitted:
	writer.write_node(
	AST.ClassInstantiation(
	class_=httpx.HttpX.BASIC_AUTH,
	args=[
	AST.Expression(f"{username_var}"),
	AST.Expression(f"{password_var}"),
	AST.Expression(f'self.{names.get_username_getter_name(basic_auth_scheme)}() or ""'),
	AST.Expression(f'self.{names.get_password_getter_name(basic_auth_scheme)}() or ""'),
	],
	)
	)
	username_val = AST.Expression(f'self.{names.get_username_getter_name(basic_auth_scheme)}()')
	password_val = AST.Expression(f'self.{names.get_password_getter_name(basic_auth_scheme)}()')
	writer.write("username_val = ")
	writer.write_node(username_val)
	writer.write_newline_if_last_line_not()
	writer.write("password_val = ")
	writer.write_node(password_val)
	writer.write_newline_if_last_line_not()
	writer.write("if username_val is not None or password_val is not None:")
	with writer.indent():
	writer.write(f'headers["{ClientWrapperGenerator.AUTHORIZATION_HEADER}"] = ')
	writer.write_node(
	AST.ClassInstantiation(
	class_=httpx.HttpX.BASIC_AUTH,
	args=[
	AST.Expression('username_val or ""'),
	AST.Expression('password_val or ""'),
	],
	)
	)

Spotted by Graphite



Is this helpful? React 👍 or 👎 to let us know.

[devin-ai-integration]

This was already addressed in the "complete field removal" update (commit af66447). The current code:

• Non-mandatory path: Only creates variables/conditions for non-omitted fields. Omitted fields use AST.Expression('""') directly — no or "" fallbacks.
• Mandatory path: Omitted fields use '""' directly, non-omitted fields call the getter.
• Constructor: Omitted fields are completely removed from constructor params, not just made optional.

The diff this comment references is from a previous revision.

[devin-ai-integration]

Devin Review found 1 potential issue.

View 4 additional findings in Devin Review.

[devin-ai-integration]

🔴 as unknown as Record<string, unknown> violates CLAUDE.md rule and relies on fragile data smuggling

CLAUDE.md explicitly prohibits as unknown as X type assertions: "Never use as any or as unknown as X. These are escape hatches that bypass the type system entirely. If the types don't line up, fix the types."

Beyond the rule violation, this pattern exists because usernameOmit/passwordOmit are smuggled as extra properties on a DynamicSnippets.BasicAuth object (which only defines username and password per packages/ir-sdk/src/sdk/api/resources/dynamic/resources/auth/types/BasicAuth.ts:5-8). The converter at packages/cli/generation/ir-generator/src/dynamic-snippets/DynamicSnippetsConverter.ts:736-749 attaches these as ad-hoc properties, relying on JavaScript spread to propagate them. If the dynamic snippet IR passes through any schema-based serialization/deserialization boundary (as is typical when IR is passed to generators via JSON), these undeclared fields may be silently stripped, causing !!authRecord.usernameOmit to always evaluate to false and the feature to silently not work. The proper fix is to extend the DynamicSnippets.BasicAuth type in the IR definition to include the new fields.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

This is a known limitation. The FernIr.dynamic.BasicAuth type comes from @fern-fern/ir-sdk (the published IR SDK package), which doesn't have typed usernameOmit/passwordOmit fields yet. The fields exist in the IR schema (packages/ir-sdk/src/sdk/api/resources/auth/types/BasicAuthScheme.ts) but the dynamic IR types haven't been updated to include them. Updating the IR types is out of scope for this PR per maintainer instruction ("Fix the non-IR changes"). The cast is necessary until the published IR SDK is updated.