Fix isAuthExempt (#49)

<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Restricts auth exemption to root and certain top-level commands (not
subcommands) and adds tests for isAuthExempt.
> 
> - **Auth Handling**:
> - Update `isAuthExempt` to exempt only the root and specific top-level
commands (`login`, `logout`, `auth`, `help`, `completion`, `create`),
not their subcommands.
> - **Tests**:
> - Add `cmd/root_test.go` with unit tests validating exemption for
root/top-level and requiring auth for subcommands (e.g., `browser-pools
create`, `browsers create`, `profiles create`, `list`, `deploy`,
`invoke`).
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
3adf913. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: Sayan-

cmd/root.go

@@ -71,19 +71,25 @@ func getKernelClient(cmd *cobra.Command) kernel.Client {
 	return util.GetKernelClient(cmd)
 }
 
-// isAuthExempt returns true if the command or any of its parents should skip auth.
+// isAuthExempt returns true if the command should skip auth.
 func isAuthExempt(cmd *cobra.Command) bool {
-	// bare root command does not need auth
+	// Root command doesn't need auth
 	if cmd == rootCmd {
 		return true
 	}
-	for c := cmd; c != nil; c = c.Parent() {
-		switch c.Name() {
-		case "login", "logout", "auth", "help", "completion",
-			"create":
-			return true
-		}
+
+	// Walk up to find the top-level command (direct child of rootCmd)
+	topLevel := cmd
+	for topLevel.Parent() != nil && topLevel.Parent() != rootCmd {
+		topLevel = topLevel.Parent()
+	}
+
+	// Check if the top-level command is in the exempt list
+	switch topLevel.Name() {
+	case "login", "logout", "auth", "help", "completion", "create":
+		return true
 	}
+
 	return false
 }
 

cmd/root_test.go

@@ -0,0 +1,79 @@
+package cmd
+
+import (
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsAuthExempt(t *testing.T) {
+	tests := []struct {
+		name     string
+		cmd      *cobra.Command
+		expected bool
+	}{
+		{
+			name:     "root command is exempt",
+			cmd:      rootCmd,
+			expected: true,
+		},
+		{
+			name:     "login command is exempt",
+			cmd:      loginCmd,
+			expected: true,
+		},
+		{
+			name:     "logout command is exempt",
+			cmd:      logoutCmd,
+			expected: true,
+		},
+		{
+			name:     "top-level create command is exempt",
+			cmd:      createCmd,
+			expected: true,
+		},
+		{
+			name:     "browser-pools create subcommand requires auth",
+			cmd:      browserPoolsCreateCmd,
+			expected: false,
+		},
+		{
+			name:     "browsers create subcommand requires auth",
+			cmd:      browsersCreateCmd,
+			expected: false,
+		},
+		{
+			name:     "profiles create subcommand requires auth",
+			cmd:      profilesCreateCmd,
+			expected: false,
+		},
+		{
+			name:     "browser-pools list requires auth",
+			cmd:      browserPoolsListCmd,
+			expected: false,
+		},
+		{
+			name:     "browsers list requires auth",
+			cmd:      browsersListCmd,
+			expected: false,
+		},
+		{
+			name:     "deploy command requires auth",
+			cmd:      deployCmd,
+			expected: false,
+		},
+		{
+			name:     "invoke command requires auth",
+			cmd:      invokeCmd,
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := isAuthExempt(tt.cmd)
+			assert.Equal(t, tt.expected, result, "isAuthExempt(%s) = %v, want %v", tt.cmd.Name(), result, tt.expected)
+		})
+	}
+}