Avoid expensive cookie truthiness checks

[Sean-Kenneth-Doherty]

Summary

Fixes #783 by avoiding expensive cookie truthiness checks in the request cookie merge path.

• avoids truth-testing arbitrary per-request cookie inputs before merging
• makes Cookies.__bool__ use the CookieJar internal cookie store when available instead of iterating through deepvalues
• keeps an iterator fallback for custom jars without the stdlib _cookies store
• adds regression coverage for the fast path, fallback path, and client/request cookie merging

Root Cause

CookieJar.__iter__ walks the nested cookie store via http.cookiejar.deepvalues. Both BaseClient._merge_cookies() and request construction can hit cookie truthiness checks on hot paths, so checking for cookie presence should avoid that traversal when the jar exposes its internal store.

Validation

• uv run --frozen python -m pytest -q tests/httpx2/models/test_cookies.py::test_cookies_bool_does_not_iterate_cookie_jar tests/httpx2/models/test_cookies.py::test_cookies_bool_iterates_custom_cookie_jar_without_cookie_store tests/httpx2/client/test_cookies.py::test_set_per_request_cookie_merges_with_client_cookies
• uv run --frozen python -m pytest -q tests/httpx2/models/test_cookies.py tests/httpx2/client/test_cookies.py
• scripts/check
• uv run --frozen python -m pytest -q tests/httpx2 (1422 passed, 1 skipped)
• python -m compileall -q src/httpx2/httpx2/_client.py src/httpx2/httpx2/_models.py tests/httpx2/client/test_cookies.py tests/httpx2/models/test_cookies.py
• git diff --check origin/main...HEAD && git diff --check

Upstream CI is also green for Python 3.10 through 3.14, the check job, and security analysis.

Microbenchmark on this branch, 1,000 cookies and 200,000 truthiness checks:

• old truthiness loop: 1.020991s, 5.105 us/op
• new truthiness: 0.303790s, 1.519 us/op
• speedup: 3.36x

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[Sean-Kenneth-Doherty]

Local validation on updated head cb1bf24:

• uv run pytest tests/httpx2/models/test_cookies.py tests/httpx2/client/test_cookies.py -q -> 17 passed
• scripts/check -> passed (uv lock --check, ruff format check, mypy, ruff check, unasync check)
• scripts/test -> 1645 passed, 1 skipped, coverage remained 100%
• git diff --check origin/main -- src/httpx2/httpx2/_client.py src/httpx2/httpx2/_models.py tests/httpx2/client/test_cookies.py tests/httpx2/models/test_cookies.py && git diff --check -> clean

I also replaced the custom-jar fallback test with a real CookieJar subclass that lacks _cookies, and made the merged cookie-header assertion order-insensitive. The new GitHub Actions run is still in progress after the branch update.

[Sean-Kenneth-Doherty]

Follow-up coverage fix is on cb1bf24.

Local validation under Python 3.11:

• UV_PYTHON=3.11 uv run pytest tests/httpx2/models/test_cookies.py tests/httpx2/client/test_cookies.py -> 17 passed
• UV_PYTHON=3.11 scripts/test -> check gates passed; 1645 passed, 1 skipped; coverage report 100%
• UV_PYTHON=3.11 uv run ruff format --check --diff tests/httpx2/models/test_cookies.py tests/httpx2/client/test_cookies.py src/httpx2/httpx2/_client.py src/httpx2/httpx2/_models.py -> passed
• UV_PYTHON=3.11 uv run ruff check tests/httpx2/models/test_cookies.py tests/httpx2/client/test_cookies.py src/httpx2/httpx2/_client.py src/httpx2/httpx2/_models.py -> passed
• git diff --check -> clean

Hosted checks are now green for Python 3.10, 3.11, 3.12, 3.13, 3.14, check, and zizmor.