fix(cli): handle security: [] correctly in v3 OpenAPI importer (#11474)

tstanmay13 · web-flow · commit 7302b2e97a6d · 2026-01-11T14:54:58.000-05:00
handle  correctly in OpenAPI v3 importer
diff --git a/packages/cli/api-importers/openapi-to-ir/src/3.1/paths/operations/OperationConverter.ts b/packages/cli/api-importers/openapi-to-ir/src/3.1/paths/operations/OperationConverter.ts
@@ -196,10 +196,7 @@ export class OperationConverter extends AbstractOperationConverter {
             ),
             sdkRequest: undefined,
             errors,
-            auth:
-                this.operation.security != null ||
-                this.context.spec.security != null ||
-                this.shouldApplyDefaultAuthOverrides(),
+            auth: this.computeEndpointAuth(),
             security:
                 this.operation.security ?? this.context.spec.security ?? this.getDefaultSecurityFromAuthOverrides(),
             availability: this.context.getAvailability({
@@ -463,6 +460,21 @@ export class OperationConverter extends AbstractOperationConverter {
         return convertedResponseBody;
     }
 
+    private computeEndpointAuth(): boolean {
+        if (this.operation.security != null && this.operation.security.length === 0) {
+            return false;
+        }
+
+        if (this.operation.security != null && this.operation.security.length > 0) {
+            return true;
+        }
+
+        return (
+            (this.context.spec.security != null && this.context.spec.security.length > 0) ||
+            this.shouldApplyDefaultAuthOverrides()
+        );
+    }
+
     /**
      * Converts security scheme IDs to HTTP headers
      * @param securitySchemeIds - List of security scheme IDs
@@ -474,7 +486,8 @@ export class OperationConverter extends AbstractOperationConverter {
         }
 
         const hasGlobalSecurity = this.context.spec.security != null && this.context.spec.security.length > 0;
-        const hasEndpointSecurity = this.operation.security != null;
+        // Check for non-empty endpoint security (empty array means explicit no-auth, not "has security")
+        const hasEndpointSecurity = this.operation.security != null && this.operation.security.length > 0;
 
         // If there's already security defined (global or endpoint), don't apply defaults
         return !(hasGlobalSecurity || hasEndpointSecurity);
diff --git a/packages/cli/api-importers/v3-importer-tests/src/__test__/__snapshots__/v3-sdks/security-explicit-none.json b/packages/cli/api-importers/v3-importer-tests/src/__test__/__snapshots__/v3-sdks/security-explicit-none.json
@@ -258,7 +258,7 @@
           "queryParameters": [],
           "headers": [],
           "errors": [],
-          "auth": true,
+          "auth": false,
           "security": [],
           "userSpecifiedExamples": [],
           "autogeneratedExamples": [
diff --git a/packages/cli/cli/versions.yml b/packages/cli/cli/versions.yml
@@ -1,4 +1,11 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 3.37.4
+  changelogEntry:
+    - summary: |
+        Fix `security: []` handling in OpenAPI importer to correctly mark endpoints as not requiring authentication.
+      type: fix
+  createdAt: "2026-01-10"
+  irVersion: 62
 
 - version: 3.37.3
   changelogEntry:
