When cwmp.auth is not set, GenieACS defaults to AUTH(username, password). The values for username and password get pulled from InternetGatewayDevice.ManagementServer.ConnectionRequestUsername and InternetGatewayDevice.ManagementServer.ConnectionRequestPasword. So if you are not setting those values for the device, then no authentication will be able to take place. And this is confirmed by when you hard code in the username and password everything work. But for all of this to work, you have to use the default inform script which sets the connection request username and password params.
// Device ID as username
const username = declare("DeviceID.ID", {value: 1}).value[0]
// Password will be fixed for a given device because Math.random() is seeded with device ID by default.
const password = Math.trunc(Math.random() * Number.MAX_SAFE_INTEGER).toString(36);
declare("InternetGatewayDevice.ManagementServer.ConnectionRequestUsername", {value: 1}, {value: username});
declare("InternetGatewayDevice.ManagementServer.ConnectionRequestPassword", {value: 1}, {value: password});
declare("Device.ManagementServer.ConnectionRequestUsername", {value: 1}, {value: username});
declare("Device.ManagementServer.ConnectionRequestPassword", {value: 1}, {value: password});
If you aren’t happy with GenieACS, you should look at Calix Cloud. Calix would love to have your money. But for the amount of money you pay Calix per device, you could hire a full time engineer to work on your ACS infrastructure/write scripts/etc.