fix: preserve http_auth in _safe_deepcopy_config for OpenSearch (#3580)

[utkarsh240799]

Description

_safe_deepcopy_config() used broad substring matching to sanitize sensitive fields during telemetry config cloning. The token "auth" matched http_auth, and "connection_class" was listed explicitly — both are runtime objects required by OpenSearch's AWS SigV4 authentication (AWSV4SignerAuth, RequestsHttpConnection). When deepcopy fails for these non-serializable objects, the fallback path nullified them, causing AuthorizationException(403, '') errors.

Root cause

sensitive_tokens = ("auth", "credential", "password", "token", "secret", "key", "connection_class")
for field_name in list(clone_dict.keys()):
    if any(token in field_name.lower() for token in sensitive_tokens):
        clone_dict[field_name] = None  # ← nullifies http_auth, connection_class

Fix

Replaced the broad substring sanitizer with a 3-layer field matching system:

1. Allowlist (_RUNTIME_FIELDS) — runtime objects like http_auth, auth, connection_class, ssl_context are always preserved (highest priority)
2. Exact deny (_SENSITIVE_FIELDS_EXACT) — 19 known secret field names (api_key, password, secret_key, auth_client_secret, etc.)
3. Suffix deny (_SENSITIVE_SUFFIXES) — catches patterns like db_password, client_secret, oauth_token

Also fixed model_dump(mode="json") → model_dump() to preserve actual Python objects instead of relying on a PydanticSerializationError fallback to the __dict__ path.

Removed a dead _safe_deepcopy_config call in the sync Memory.__init__ whose result was immediately overwritten.

Fixes #3580

Type of change

• Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

Unit tests (106 total, all passing)

New test file tests/memory/test_safe_deepcopy_config.py — 94 tests covering:

• _is_sensitive_field() allowlist, exact deny, suffix deny, case insensitivity, edge cases
• Over-matching prevention: primary_key, partition_key, monkey, keyboard, tokenizer, authenticate, credentials_path are correctly NOT redacted
• Real-world field names from 20+ vector store configs (OpenSearch, Weaviate, Databricks, Pinecone, Qdrant, Vertex AI, Azure, AWS, etc.)
• _safe_deepcopy_config() integration with plain classes, Pydantic BaseModel, and dataclasses
• End-to-end: real Pydantic model with mock AWSV4SignerAuth verifying result.http_auth is auth (actual object identity preserved)

Updated tests/vector_stores/test_opensearch.py — flipped assertions from is None to is not None for http_auth, auth, connection_class while keeping credentials is None

Manual verification

Reproduced the exact scenario from #3580 using real OpenSearchConfig with mock AWSV4SignerAuth (thread lock, raises on __deepcopy__). Verified both sync and async telemetry flows preserve auth objects end-to-end.

=== AFTER _safe_deepcopy_config ===
  http_auth:        PRESERVED (actual auth object)
  connection_class: PRESERVED (actual class reference)
  password:         REDACTED (None)
  api_key:          REDACTED (None)
  collection_name:  MUTABLE (can be overridden for telemetry)

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

Maintainer Checklist

• closes Bug: _safe_deepcopy_config removes http_auth from OpenSearch configs #3580
• Made sure Checks passed

[kartik-mem0]

all of the changes lgtm!