Idempotency key is sent in both header and JSON body

[saxon134]

'TasksResource.create builds the JSON body from all keyword params and separately uses params.get("idempotency_key") for the Idempotency-Key header. Because _payload includes every non-None param, calling client.tasks.create(..., idempotency_key="idem") sends {"idempotency_key":"idem"} in the request body as well as the header. The same pattern exists for video creation. Strip SDK-only header params before building the JSON payload.

File: src/globalrouter/_resources.py

Line: 385

Severity: medium

Summary: idempotency key leaked into create payloads

[saxon134]

Coding Loop Plan

Refined Issue

Supplying idempotency_key to create requests currently sends it as both the Idempotency-Key HTTP header and an idempotency_key JSON body field. It should be sent only as the header.

Implementation Plan

Implementation Plan

Keep the change limited to request construction for create endpoints that currently pass headers=_idempotency_header(params.get("idempotency_key")) while also building the JSON body from the same params. Add regression coverage proving the header is preserved and idempotency_key is absent from the serialized body. Avoid unrelated request payload refactors.

Development Tasks

1. Add idempotency body regression coverage
   Add or update tests in tests/test_client.py so mocked handlers for videos.create and tasks.create assert two things when idempotency_key is provided: the HTTP Idempotency-Key header is present with the expected value, and json.loads(request.content) does not contain the idempotency_key field. Include coverage for the existing sync paths at minimum; add async coverage too if it fits naturally with existing async tests.
   Files: tests/test_client.py
   Tests: python -m pytest tests/test_client.py -k idempotency

2. Remove idempotency_key from JSON bodies
   Update src/globalrouter/_resources.py so VideosResource.create, VideosResource.create_async, TasksResource.create, and TasksResource.create_async still derive the Idempotency-Key header from the provided idempotency_key, but do not include that key in the JSON body created from keyword params. Keep behavior for other payload fields unchanged and avoid touching unrelated endpoints.
   Files: src/globalrouter/_resources.py, tests/test_client.py
   Tests: python -m pytest tests/test_client.py -k idempotency, python -m pytest