Idempotency key is sent in request body

[saxon134]

VideosResource.create() and TasksResource.create() derive the Idempotency-Key header from params.get("idempotency_key") but also pass the same params mapping unchanged into _payload(), so calls like tasks.create(type="x", idempotency_key="idem") include idempotency_key in the JSON body as well as the header. Filter header-only params before building the sync and async create payloads.

File: src/globalrouter/_resources.py

Line: 335

Severity: medium

Summary: idempotency key leaked into create payloads

[saxon134]

Coding Loop Plan

Refined Issue

Bug: when callers pass idempotency_key, the SDK should send it only as the Idempotency-Key request header, not as an idempotency_key field in the JSON request body.

Implementation Plan

Add focused regression tests for video and task creation covering the existing idempotency behavior: the Idempotency-Key header is set and idempotency_key is absent from the JSON body. Cover the duplicated sync and async create paths, and include the public request mapping form as well as keyword parameters so _payload(request, params) cannot leak idempotency_key from either source.

Update only VideosResource.create, VideosResource.create_async, TasksResource.create, and TasksResource.create_async so idempotency_key is extracted before payload construction, used only to build the idempotency header, and removed from the JSON body regardless of whether it was supplied via request or keyword parameters. Preserve existing public method signatures, preserve current None handling, and avoid changing unrelated resources or payload behavior.

Development Tasks

1. Add regression tests for idempotency header-only behavior
   Extend tests/test_client.py so mocked handlers assert that calls using idempotency_key still include the Idempotency-Key header but the parsed JSON body does not contain idempotency_key. Cover the existing sync videos.create(...) path and add/adjust coverage for sync tasks.create(...) with an idempotency key, since both resources currently route this value to headers.
   Files: tests/test_client.py
   Tests: python -m pytest tests/test_client.py -q

2. Exclude idempotency_key from request JSON bodies
   Update src/globalrouter/_resources.py so VideosResource.create, VideosResource.create_async, TasksResource.create, and TasksResource.create_async pass idempotency_key to _idempotency_header(...) but omit it from json_body. Prefer a small local helper or narrowly scoped copy/pop so other parameters and request mapping behavior remain unchanged. Preserve existing behavior when idempotency_key is omitted.
   Files: src/globalrouter/_resources.py
   Tests: python -m pytest tests/test_client.py -q