Add serializer to response wrapper

[matez0]

Note:
From python 3.8, the _unwrap method could be replaced with using functools.singledispatchmethod.

Implements #144

[matez0]

Updated the author's and committer's email address.

[matez0]

While the README states that "Requires Python > 3.6", the build was run for Python 3.6 as well.
Since the walrus operator only introduced in Python 3.8, I still should not have used it.
The commit avoiding to use walrus operator could be squashed (fixed up) with the commit adding the serializer.
Should I do it?

[matez0]

Rename decorator and argument name for more readability.

[matez0]

Rebased onto the top of main.

[matez0]

Rebased on the top of main.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[matez0]

Rebased on the top of main.

[david-ruiz-cko]

Thanks for this @matez0 — clean implementation, thorough tests (the circular-reference handling with JSON Pointer–style $ref is a nice touch). Two suggestions before merge, both about the attribute-walking strategy in _unwrap_object:

1. dir(data) invokes property getters and walks inherited attributes

https://github.com/checkout/checkout-sdk-python/blob/2573f14/checkout_sdk/checkout_response.py#L57-L65

return {
key: cls._unwrap(getattr(data, key), paths_by_id, path + [key])
for key in dir(data)
if not key.startswith('__')
and not cls._is_function(getattr(data, key))
}

A few concerns with dir():

Property getters fire on serialization. If a consumer subclasses ResponseWrapper (or wraps an object) with a @Property that hits a DB, raises, or has side effects, .dict() will trigger it — and getattr runs twice here (once in the filter, once in the value), so the side effect happens twice.
Inherited / class-level attributes are included. dir() returns everything visible on the class, not just the instance.

Performance. Two getattr calls per attribute.
Could we use vars(data) (i.e. data.dict) instead? It walks instance attributes only, never invokes descriptors, and only requires a single getattr/dict lookup per key.

Heads-up that this is a behavior change: test_serialize_object declares ObjAttr attributes as class variables, which vars(instance) won't see. If we want to keep that test passing as-is, we'd need to either (a) move them to init, or (b) merge type(data).dict in for non-ResponseWrapper instances.

2. Single-underscore attributes leak through the filter

The filter is not key.startswith('__'), so conventional Python privates (_internal_state, _cached_token, etc.) are serialized. The SDK doesn't currently use _-prefixed sensitive fields, but it's a sharp edge for future code or downstream subclasses.

Two options:

• (a) tighten the filter — single underscores are conventionally private
  if not key.startswith('_')

Or if there's a reason to include them:

• (b) keep the current behavior, document it
  def dict(self):
  """
  Serializes the instance to a dictionary recursively.
  ...
  Note: attributes prefixed with a single underscore are included in the output.
  If you store sensitive data on _-prefixed attributes, filter the result before logging or persisting.
  """

Aside

Worth a one-liner in the docstring that responses may contain payment-sensitive fields (PAN, CVV tokens, OAuth tokens) and that callers should treat .dict() output the same as the underlying response — i.e. don't log/persist without redaction. Not a code issue, just an ergonomics nudge so .dict() doesn't make accidental logging too easy.

Tests are great either way — really appreciate the circular-reference coverage.