fix(cmdutil): honor DisableAuthCheck under repo-override parents

EnableRepoOverride's hook shadows the root auth gate, then re-runs the nearest ancestor hook to restore it. That re-run passed the ancestor as the command, so the gate judged the wrong node and ignored a leaf's DisableAuthCheck. Pass the invoked leaf instead, as cobra does for every persistent hook.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: BagToad

pkg/cmdutil/repo_override.go

@@ -9,11 +9,25 @@ import (
 	"github.com/spf13/cobra"
 )
 
-func executeParentHooks(cmd *cobra.Command, args []string) error {
-	for cmd.HasParent() {
-		cmd = cmd.Parent()
-		if cmd.PersistentPreRunE != nil {
-			return cmd.PersistentPreRunE(cmd, args)
+// executeParentHook re-runs the nearest ancestor's persistent pre-run hook,
+// which the hook installed by EnableRepoOverride would otherwise shadow. By
+// default cobra runs only the nearest PersistentPreRunE found walking up from
+// the invoked command, so without this the nearest ancestor hook, such as the
+// root auth gate, would never run for a repo-override command.
+//
+// That ancestor hook receives the invoked leaf cmd, not the ancestor, matching
+// how cobra passes the leaf to every persistent hook:
+// https://github.com/spf13/cobra/blob/v1.10.2/command.go#L984-L986
+//
+// cobra's EnableTraverseRunHooks global is the native equivalent and runs the
+// whole root-to-leaf chain for us, but it is global. Enabling it would change
+// pre-run behavior for every command: double-running the parents that issue
+// develop and EnableRepoOverride re-run by hand, and un-suppressing the root
+// gate that agent-task and skills intentionally shadow.
+func executeParentHook(overrideCmd, cmd *cobra.Command, args []string) error {
+	for p := overrideCmd.Parent(); p != nil; p = p.Parent() {
+		if p.PersistentPreRunE != nil {
+			return p.PersistentPreRunE(cmd, args)
 		}
 	}
 	return nil
@@ -47,8 +61,9 @@ func EnableRepoOverride(cmd *cobra.Command, f *Factory) {
 		return results, cobra.ShellCompDirectiveNoFileComp
 	})
 
+	overrideCmd := cmd
 	cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
-		if err := executeParentHooks(cmd, args); err != nil {
+		if err := executeParentHook(overrideCmd, cmd, args); err != nil {
 			return err
 		}
 		repoOverride, _ := cmd.Flags().GetString("repo")

pkg/cmdutil/repo_override_test.go

@@ -0,0 +1,70 @@
+package cmdutil
+
+import (
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/require"
+)
+
+// Test_EnableRepoOverride_authCheckIntegration is an integration test for the
+// coupling between repo override and the root auth gate, wired through cobra's
+// persistent pre-run hooks. EnableRepoOverride replaces a command's
+// PersistentPreRunE, so cobra no longer reaches the root auth gate on its own;
+// the override hook re-runs the ancestor hooks itself. That re-run must evaluate
+// the command the user actually invoked, the same way cobra hands the target
+// command to parent hooks:
+// https://github.com/spf13/cobra/blob/v1.10.2/command.go#L984-L986
+// This pins that a leaf's DisableAuthCheck is honored under a repo-override
+// parent.
+func Test_EnableRepoOverride_authCheckIntegration(t *testing.T) {
+	tests := []struct {
+		name            string
+		disableAuthLeaf bool
+		wantAuthChecked bool
+	}{
+		{
+			name:            "leaf opts out, honored under repo-override parent",
+			disableAuthLeaf: true,
+			wantAuthChecked: false,
+		},
+		{
+			name:            "leaf does not opt out, auth still checked",
+			disableAuthLeaf: false,
+			wantAuthChecked: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var gotAuthChecked, ranLeaf bool
+
+			// Stand in for the real root auth gate: it judges whatever command
+			// it is handed, so it must receive the invoked leaf command.
+			root := &cobra.Command{Use: "root"}
+			root.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
+				gotAuthChecked = IsAuthCheckEnabled(cmd)
+				return nil
+			}
+
+			parent := &cobra.Command{Use: "parent"}
+			EnableRepoOverride(parent, &Factory{})
+			root.AddCommand(parent)
+
+			leaf := &cobra.Command{
+				Use:  "leaf",
+				RunE: func(cmd *cobra.Command, args []string) error { ranLeaf = true; return nil },
+			}
+			if tt.disableAuthLeaf {
+				DisableAuthCheck(leaf)
+			}
+			parent.AddCommand(leaf)
+
+			root.SetArgs([]string{"parent", "leaf"})
+			require.NoError(t, root.Execute())
+
+			require.True(t, ranLeaf, "leaf command should have executed")
+			require.Equal(t, tt.wantAuthChecked, gotAuthChecked)
+		})
+	}
+}