overlord-cli 4.17.0 → 4.19.0

package/bin/_cli/attach.mjs

@@ -58,11 +58,11 @@ function statusColor(status) {
 
 // ─── API ──────────────────────────────────────────────────────────────────────
 
-async function searchTickets(platformUrl, agentToken, localSecret, query) {
+async function searchTickets(platformUrl, bearerToken, localSecret, organizationId, query) {
   const res = await fetch(`${platformUrl}/api/protocol/search-tickets`, {
     method: 'POST',
     headers: {
-      ...buildAuthHeaders(agentToken, localSecret),
+      ...buildAuthHeaders(bearerToken, localSecret, organizationId),
       'Content-Type': 'application/json'
     },
     body: JSON.stringify({
@@ -287,7 +287,7 @@ function runInteractivePrompt({ label, items = [], search, prefix = '' }) {
 export async function runAttachCommand(args) {
   const [ticketIdArg, agentArg] = args;
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
 
   // ── Phase 1: Ticket selection ──────────────────────────────────────────────
 
@@ -301,7 +301,8 @@ export async function runAttachCommand(args) {
 
     const selectedTicket = await runInteractivePrompt({
       label: 'Search tickets',
-      search: nextQuery => searchTickets(platformUrl, agentToken, localSecret, nextQuery)
+      search: nextQuery =>
+        searchTickets(platformUrl, bearerToken, localSecret, organizationId, nextQuery)
     });
 
     if (!selectedTicket) {

package/bin/_cli/auth.mjs

@@ -240,23 +240,6 @@ async function exchangeCodeForSupabaseTokens(supabaseUrl, clientId, code, codeVe
   return readJsonOrThrow(res, 'Token exchange', supabaseUrl);
 }
 
-async function exchangeForAgentToken(platformUrl, supabaseAccessToken, localSecret) {
-  const res = await fetch(`${platformUrl}/api/auth/token`, {
-    method: 'POST',
-    headers: {
-      ...buildAuthHeaders('', localSecret),
-      Authorization: `Bearer ${supabaseAccessToken}`
-    }
-  });
-
-  if (!res.ok) {
-    const text = await res.text();
-    throw new Error(`Agent token exchange failed (${res.status}): ${snippet(text)}`);
-  }
-
-  return readJsonOrThrow(res, 'Agent token exchange', platformUrl);
-}
-
 function openBrowser(url) {
   try {
     const platform = process.platform;
@@ -331,6 +314,8 @@ export async function authLoginViaDeviceFlow(
       logger.log('\n');
       return {
         access_token: result.access_token,
+        access_token_expires_at: result.access_token_expires_at ?? null,
+        refresh_token: result.refresh_token,
         platform_url: result.platform_url ?? platformUrl
       };
     }
@@ -403,19 +388,88 @@ export async function authLoginViaOAuthLoopback(platformUrl, localSecret) {
     redirectUri
   );
 
-  // 8. Exchange Supabase access token → Overlord agent_token
-  const agentTokenData = await exchangeForAgentToken(
-    resolvedPlatformUrl,
-    supabaseTokens.access_token,
-    localSecret
-  );
-
   return {
-    access_token: agentTokenData.access_token,
-    platform_url: agentTokenData.platform_url ?? resolvedPlatformUrl
+    access_token: supabaseTokens.access_token,
+    access_token_expires_at:
+      typeof supabaseTokens.expires_in === 'number' && supabaseTokens.expires_in > 0
+        ? new Date(Date.now() + supabaseTokens.expires_in * 1000).toISOString()
+        : null,
+    refresh_token: supabaseTokens.refresh_token,
+    platform_url: resolvedPlatformUrl
   };
 }
 
+async function fetchOrganizations(platformUrl, accessToken, localSecret) {
+  const res = await fetch(`${platformUrl}/api/auth/organizations`, {
+    headers: {
+      ...buildAuthHeaders('', localSecret),
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+
+  if (!res.ok) {
+    const text = await res.text().catch(() => '');
+    throw new Error(`Failed to load organizations (${res.status}): ${snippet(text)}`);
+  }
+
+  const data = await readJsonOrThrow(res, 'Organizations', platformUrl);
+  return Array.isArray(data.organizations) ? data.organizations : [];
+}
+
+async function promptForOrganization(organizations, preselectedId = null) {
+  if (!organizations.length) {
+    throw new Error('No organizations found. Please complete onboarding first.');
+  }
+
+  if (preselectedId !== null) {
+    const match = organizations.find(org => org.id === preselectedId);
+    if (!match) {
+      throw new Error(
+        `Organization ${preselectedId} is not available to this account. ` +
+          `Available: ${organizations.map(o => o.id).join(', ')}`
+      );
+    }
+    return match;
+  }
+
+  if (organizations.length === 1) {
+    return organizations[0];
+  }
+
+  if (!process.stdin.isTTY) {
+    throw new Error(
+      'Multiple organizations available but stdin is not a TTY. ' +
+        'Pass --organization-id <id> to select non-interactively.'
+    );
+  }
+
+  const rl = (await import('node:readline')).createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+
+  try {
+    for (;;) {
+      console.log('\nOrganizations');
+      organizations.forEach((organization, index) => {
+        console.log(`  ${index + 1}. ${organization.name} (${organization.id})`);
+      });
+
+      const answer = await new Promise(resolve => {
+        rl.question('\nSelect an organization by number: ', resolve);
+      });
+      const selected = Number.parseInt(String(answer).trim(), 10);
+      if (Number.isFinite(selected) && selected >= 1 && selected <= organizations.length) {
+        return organizations[selected - 1];
+      }
+
+      console.log(`Enter a number between 1 and ${organizations.length}.`);
+    }
+  } finally {
+    rl.close();
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Public auth commands
 // ---------------------------------------------------------------------------
@@ -424,7 +478,19 @@ export function resolveLoginPlatformUrl(runtime = null) {
   return process.env.OVERLORD_URL ?? runtime?.platform_url ?? getDefaultOverlordUrl();
 }
 
-export async function authLogin() {
+function parseOrganizationFlag(args) {
+  const index = args.findIndex(arg => arg === '--organization-id' || arg.startsWith('--organization-id='));
+  if (index === -1) return null;
+  const raw = args[index].includes('=') ? args[index].split('=')[1] : args[index + 1];
+  const parsed = Number.parseInt(String(raw ?? ''), 10);
+  if (!Number.isFinite(parsed)) {
+    throw new Error('--organization-id must be a numeric id');
+  }
+  return parsed;
+}
+
+export async function authLogin(args = []) {
+  const preselectedOrganizationId = parseOrganizationFlag(args);
   const platformUrl = resolveLoginPlatformUrl();
   const runtime = loadRuntime(platformUrl);
   const localSecret = runtime?.local_secret ?? process.env.OVERLORD_LOCAL_SECRET ?? '';
@@ -454,16 +520,27 @@ export async function authLogin() {
     }
   }
 
+  const resolvedPlatformUrl = credentials.platform_url ?? platformUrl;
+  const organizations = await fetchOrganizations(
+    resolvedPlatformUrl,
+    credentials.access_token,
+    localSecret
+  );
+  const selectedOrganization = await promptForOrganization(organizations, preselectedOrganizationId);
+
   saveCredentials({
     access_token: credentials.access_token,
-    platform_url: credentials.platform_url ?? platformUrl
+    access_token_expires_at: credentials.access_token_expires_at ?? undefined,
+    refresh_token: credentials.refresh_token,
+    organization_id: selectedOrganization.id,
+    platform_url: resolvedPlatformUrl
   });
 
   console.log('Logged in successfully!');
 }
 
-function printVerboseAuthStatus() {
-  const status = getAuthStatus();
+async function printVerboseAuthStatus() {
+  const status = await getAuthStatus();
   if (!status.isLoggedIn) {
     console.log('Not logged in. Run: ovld auth login');
   } else {
@@ -473,6 +550,11 @@ function printVerboseAuthStatus() {
   console.log(`  Platform source: ${status.platformUrlSource}`);
   console.log(`  Token source: ${status.tokenSource}`);
   console.log(`  Token present: ${status.tokenPresent ? 'yes' : 'no'}`);
+  console.log(`  Auth mode: ${status.authMode}`);
+  console.log(`  Organization ID: ${status.organizationId ?? 'none'}`);
+  if (status.error) {
+    console.log(`  Error: ${status.error}`);
+  }
   console.log(`  Local secret: ${status.hasLocalSecret ? 'yes' : 'no'}`);
   console.log(`  credentials.json: ${status.credentialsFileExists ? 'present' : 'missing'}`);
   console.log(
@@ -480,9 +562,9 @@ function printVerboseAuthStatus() {
   );
 }
 
-export function authStatus(args = []) {
+export async function authStatus(args = []) {
   if (args.includes('--verbose') || args.includes('-v')) {
-    printVerboseAuthStatus();
+    await printVerboseAuthStatus();
     return;
   }
 
@@ -510,7 +592,7 @@ export function authRepair() {
   } else {
     console.log(`Credentials not repaired: ${result.reason}`);
   }
-  printVerboseAuthStatus();
+  void printVerboseAuthStatus();
 }
 
 export async function runAuthCommand(subcommand, args = []) {
@@ -527,12 +609,12 @@ Subcommands:
   }
 
   if (subcommand === 'login') {
-    await authLogin();
+    await authLogin(args);
     return;
   }
 
   if (subcommand === 'status') {
-    authStatus(args);
+    await authStatus(args);
     return;
   }
 

package/bin/_cli/credentials.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-/* global process, URL */
+/* global Buffer, fetch, process, URL, URLSearchParams */
 
 import fs from 'node:fs';
 import os from 'node:os';
@@ -16,7 +16,15 @@ const LOCAL_DEV_OVERLORD_URL = 'http://localhost:3000';
 const LOCAL_SECRET_HEADER = 'X-Overlord-Local-Secret';
 
 /**
- * @typedef {{ access_token: string, platform_url: string, user_email?: string }} Credentials
+ * @typedef {{
+ *   access_token?: string,
+ *   access_token_expires_at?: string,
+ *   refresh_token?: string,
+ *   organization_id?: number | null,
+ *   platform_url: string,
+ *   user_email?: string,
+ *   legacy_agent_token?: string
+ * }} Credentials
  */
 
 function ensureCredentialsDir() {
@@ -53,44 +61,74 @@ function writeJsonFileAtomic(filePath, data) {
   fs.chmodSync(filePath, 0o600);
 }
 
-function parseStoredCredentialsData(parsed, { requireAccessToken = false } = {}) {
+function parseStoredCredentialsData(parsed, { requireAuthData = false } = {}) {
   if (!parsed || typeof parsed !== 'object') return null;
 
-  const accessToken = normalizeAgentToken(parsed.access_token);
   const platformUrl = typeof parsed.platform_url === 'string' ? parsed.platform_url.trim() : '';
-  if (requireAccessToken && !accessToken) return null;
-  if (!accessToken && !platformUrl) return null;
+  const refreshToken =
+    typeof parsed.refresh_token === 'string'
+      ? parsed.refresh_token.trim()
+      : typeof parsed.supabase_refresh_token === 'string'
+        ? parsed.supabase_refresh_token.trim()
+        : '';
+  const accessToken = typeof parsed.access_token === 'string' ? parsed.access_token.trim() : '';
+  const accessTokenExpiresAt =
+    typeof parsed.access_token_expires_at === 'string'
+      ? parsed.access_token_expires_at.trim()
+      : '';
+  const organizationId =
+    typeof parsed.organization_id === 'number' && Number.isFinite(parsed.organization_id)
+      ? parsed.organization_id
+      : null;
+  const legacyAgentToken = accessToken && !refreshToken ? accessToken : '';
+
+  if (!platformUrl) return null;
+  if (requireAuthData && !refreshToken && !legacyAgentToken) return null;
 
   return {
-    access_token: accessToken,
     platform_url: platformUrl,
+    ...(refreshToken ? { refresh_token: refreshToken } : {}),
+    ...(accessToken ? { access_token: accessToken } : {}),
+    ...(accessTokenExpiresAt ? { access_token_expires_at: accessTokenExpiresAt } : {}),
+    ...(organizationId ? { organization_id: organizationId } : {}),
     ...(typeof parsed.user_email === 'string' && parsed.user_email.trim()
       ? { user_email: parsed.user_email.trim() }
-      : {})
+      : {}),
+    ...(legacyAgentToken ? { legacy_agent_token: legacyAgentToken } : {})
   };
 }
 
 function normalizeCredentialsForSave(data) {
-  const parsed = parseStoredCredentialsData(data, { requireAccessToken: true });
+  const parsed = parseStoredCredentialsData(data, { requireAuthData: true });
   if (!parsed) return null;
 
   const platformUrl = normalizePlatformUrl(parsed.platform_url);
   if (!platformUrl) return null;
 
   return {
-    ...parsed,
-    platform_url: platformUrl
+    platform_url: platformUrl,
+    ...(parsed.refresh_token ? { refresh_token: parsed.refresh_token } : {}),
+    ...(parsed.access_token ? { access_token: parsed.access_token } : {}),
+    ...(parsed.access_token_expires_at
+      ? { access_token_expires_at: parsed.access_token_expires_at }
+      : {}),
+    ...(parsed.organization_id ? { organization_id: parsed.organization_id } : {}),
+    ...(parsed.user_email ? { user_email: parsed.user_email } : {})
   };
 }
 
 /** @returns {Credentials | null} */
 export function loadCredentials() {
-  return (
-    parseStoredCredentialsData(readJsonFile(ELECTRON_CREDENTIALS_FILE), {
-      requireAccessToken: true
-    }) ??
-    parseStoredCredentialsData(readJsonFile(CREDENTIALS_FILE))
-  );
+  const cliCredentials = parseStoredCredentialsData(readJsonFile(CREDENTIALS_FILE), {
+    requireAuthData: true
+  });
+  const electronCredentials = parseStoredCredentialsData(readJsonFile(ELECTRON_CREDENTIALS_FILE), {
+    requireAuthData: true
+  });
+
+  if (cliCredentials?.refresh_token) return cliCredentials;
+  if (electronCredentials?.refresh_token) return electronCredentials;
+  return cliCredentials ?? electronCredentials;
 }
 
 /** @param {Credentials} data */
@@ -100,16 +138,23 @@ export function saveCredentials(data) {
     throw new Error('Cannot save empty Overlord credentials.');
   }
 
-  writeJsonFileAtomic(CREDENTIALS_FILE, credentials);
+  const sharedCredentials = { ...credentials, updated_at: new Date().toISOString() };
+  writeJsonFileAtomic(CREDENTIALS_FILE, sharedCredentials);
 
-  // `electron-credentials.json` is now the shared desktop/CLI credential record.
-  // Preserve Electron-only encrypted fields when CLI login refreshes the agent token.
   const existingElectronCredentials = readJsonFile(ELECTRON_CREDENTIALS_FILE);
-  const electronPayload =
-    existingElectronCredentials && typeof existingElectronCredentials === 'object'
-      ? { ...existingElectronCredentials, ...credentials }
-      : credentials;
-  writeJsonFileAtomic(ELECTRON_CREDENTIALS_FILE, electronPayload);
+  if (existingElectronCredentials && typeof existingElectronCredentials === 'object') {
+    const electronPayload = { ...existingElectronCredentials };
+    electronPayload.updated_at = sharedCredentials.updated_at;
+    if (credentials.platform_url) electronPayload.platform_url = credentials.platform_url;
+    if (credentials.access_token_expires_at) {
+      electronPayload.access_token_expires_at = credentials.access_token_expires_at;
+    }
+    if (credentials.organization_id) electronPayload.organization_id = credentials.organization_id;
+    if (credentials.user_email) electronPayload.user_email = credentials.user_email;
+    delete electronPayload.legacy_agent_token;
+    delete electronPayload.supabase_refresh_token;
+    writeJsonFileAtomic(ELECTRON_CREDENTIALS_FILE, electronPayload);
+  }
 }
 
 export function clearCredentials() {
@@ -123,13 +168,16 @@ export function clearCredentials() {
 }
 
 function getCredentialFileSource() {
+  const cliCredentials = parseStoredCredentialsData(readJsonFile(CREDENTIALS_FILE), {
+    requireAuthData: true
+  });
   const electronCredentials = parseStoredCredentialsData(readJsonFile(ELECTRON_CREDENTIALS_FILE), {
-    requireAccessToken: true
+    requireAuthData: true
   });
-  if (electronCredentials) return 'electron-credentials.json';
-
-  const cliCredentials = parseStoredCredentialsData(readJsonFile(CREDENTIALS_FILE));
+  if (cliCredentials?.refresh_token) return 'credentials.json';
+  if (electronCredentials?.refresh_token) return 'electron-credentials.json';
   if (cliCredentials) return 'credentials.json';
+  if (electronCredentials) return 'electron-credentials.json';
 
   return 'none';
 }
@@ -261,6 +309,88 @@ function isRunningPid(pid) {
   }
 }
 
+function decodeJwtExpiry(accessToken) {
+  try {
+    const payload = JSON.parse(Buffer.from(accessToken.split('.')[1] ?? '', 'base64url').toString('utf8'));
+    return typeof payload.exp === 'number' ? payload.exp : null;
+  } catch {
+    return null;
+  }
+}
+
+function computeAccessTokenExpiry(data) {
+  const expiresIn = Number.parseInt(String(data?.expires_in ?? ''), 10);
+  if (Number.isFinite(expiresIn) && expiresIn > 0) {
+    return new Date(Date.now() + expiresIn * 1000).toISOString();
+  }
+
+  const jwtExp = typeof data?.access_token === 'string' ? decodeJwtExpiry(data.access_token) : null;
+  return jwtExp ? new Date(jwtExp * 1000).toISOString() : null;
+}
+
+function resolveAccessTokenExpiry(credentials) {
+  if (!credentials?.access_token) return null;
+  if (credentials.access_token_expires_at) {
+    const parsed = Date.parse(credentials.access_token_expires_at);
+    if (Number.isFinite(parsed)) return parsed;
+  }
+  const jwtExp = decodeJwtExpiry(credentials.access_token);
+  return jwtExp ? jwtExp * 1000 : null;
+}
+
+function isAccessTokenFresh(credentials) {
+  const expiresAt = resolveAccessTokenExpiry(credentials);
+  if (expiresAt === null) return false;
+  return expiresAt - Date.now() > 60_000;
+}
+
+const authConfigCache = new Map();
+
+async function fetchAuthConfig(platformUrl, localSecret) {
+  if (authConfigCache.has(platformUrl)) return authConfigCache.get(platformUrl);
+  const res = await fetch(`${platformUrl}/api/auth/config`, {
+    headers: buildAuthHeaders('', localSecret)
+  });
+  if (!res.ok) {
+    throw new Error(`Failed to fetch auth config (${res.status}).`);
+  }
+  const data = await res.json();
+  authConfigCache.set(platformUrl, data);
+  return data;
+}
+
+async function refreshOAuthAccessToken(platformUrl, refreshToken, localSecret) {
+  const config = await fetchAuthConfig(platformUrl, localSecret);
+  const clientId = config.cli_client_id ?? config.electron_client_id;
+  const supabaseUrl = config.supabase_url;
+
+  if (!supabaseUrl || !clientId) {
+    throw new Error('OAuth is not configured for Overlord CLI auth.');
+  }
+
+  const res = await fetch(`${supabaseUrl}/auth/v1/oauth/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      grant_type: 'refresh_token',
+      refresh_token: refreshToken,
+      client_id: clientId
+    })
+  });
+
+  if (!res.ok) {
+    const text = await res.text().catch(() => '');
+    throw new Error(`OAuth token refresh failed (${res.status}): ${text}`);
+  }
+
+  const data = await res.json();
+  return {
+    access_token: data.access_token,
+    refresh_token: data.refresh_token,
+    access_token_expires_at: computeAccessTokenExpiry(data)
+  };
+}
+
 /** @returns {{ platform_url?: string, local_secret?: string } | null} */
 export function loadRuntime(targetUrl) {
   if (targetUrl) {
@@ -284,9 +414,10 @@ export function loadRuntime(targetUrl) {
 /**
  * @param {string} token
  * @param {string} [localSecret]
+ * @param {number | null | undefined} [organizationId]
  * @returns {Record<string, string>}
  */
-export function buildAuthHeaders(token, localSecret) {
+export function buildAuthHeaders(token, localSecret, organizationId) {
   const headers = {};
 
   if (token) {
@@ -297,6 +428,10 @@ export function buildAuthHeaders(token, localSecret) {
     headers[LOCAL_SECRET_HEADER] = localSecret;
   }
 
+  if (organizationId && Number.isFinite(organizationId)) {
+    headers['x-organization-id'] = String(organizationId);
+  }
+
   return headers;
 }
 
@@ -310,23 +445,17 @@ function isLocalDevCli() {
 }
 
 /**
- * Resolve the overlord URL and agent token from credentials file or env vars.
- * @returns {{ platformUrl: string, agentToken: string }}
+ * Resolve the Overlord auth session from env vars or shared credentials.
+ * Refreshes OAuth access tokens when possible.
  */
-export function resolveAuth() {
+export async function resolveAuth() {
   const creds = loadCredentials();
   const overlordUrlFromEnv = normalizePlatformUrl(process.env.OVERLORD_URL);
   const overlordUrlFromCreds = normalizeStoredPlatformUrl(creds?.platform_url);
 
-  const runtime = overlordUrlFromEnv && isLocalhostUrl(overlordUrlFromEnv)
-    ? loadRuntime(overlordUrlFromEnv)
-    : null;
+  const platformUrl = overlordUrlFromEnv ?? overlordUrlFromCreds ?? getDefaultOverlordUrl();
+  const runtime = isLocalhostUrl(platformUrl) ? loadRuntime(platformUrl) : null;
   const runtimeOverlordUrl = runtime?.platform_url;
-
-  const platformUrl =
-    overlordUrlFromEnv ??
-    overlordUrlFromCreds ??
-    getDefaultOverlordUrl();
   const localSecret =
     runtime &&
     runtime.local_secret &&
@@ -336,25 +465,111 @@ export function resolveAuth() {
       ? runtime.local_secret
       : '';
 
+  const envAgentToken = normalizeAgentToken(process.env.AGENT_TOKEN);
+  if (envAgentToken) {
+    return {
+      platformUrl,
+      bearerToken: envAgentToken,
+      localSecret,
+      organizationId:
+        typeof process.env.OVERLORD_ORGANIZATION_ID === 'string'
+          ? Number.parseInt(process.env.OVERLORD_ORGANIZATION_ID, 10)
+          : null,
+      authMode: 'legacy_agent_token'
+    };
+  }
+
+  if (!creds) {
+    return {
+      platformUrl,
+      bearerToken: 'overlord-local-dev-token',
+      localSecret,
+      organizationId: null,
+      authMode: 'local_fallback'
+    };
+  }
+
+  if (creds.refresh_token) {
+    let nextCredentials = creds;
+    if (!isAccessTokenFresh(creds)) {
+      try {
+        const refreshed = await refreshOAuthAccessToken(platformUrl, creds.refresh_token, localSecret);
+        nextCredentials = {
+          ...creds,
+          access_token: refreshed.access_token,
+          access_token_expires_at: refreshed.access_token_expires_at,
+          refresh_token: refreshed.refresh_token || creds.refresh_token
+        };
+        saveCredentials(nextCredentials);
+      } catch (refreshError) {
+        if (!creds.access_token) throw refreshError;
+        // Transient refresh failure — keep the existing access token and let the server
+        // reject it if it's truly expired/revoked.
+      }
+    }
+
+    if (!Number.isFinite(nextCredentials.organization_id)) {
+      throw new Error('Overlord login is missing an organization selection. Run `ovld auth login` again.');
+    }
+
+    if (!nextCredentials.access_token) {
+      throw new Error('No OAuth access token is available. Run `ovld auth login` again.');
+    }
+
+    return {
+      platformUrl,
+      bearerToken: nextCredentials.access_token,
+      localSecret,
+      organizationId: nextCredentials.organization_id,
+      authMode: 'oauth'
+    };
+  }
+
+  if (creds.legacy_agent_token) {
+    return {
+      platformUrl,
+      bearerToken: creds.legacy_agent_token,
+      localSecret,
+      organizationId: creds.organization_id ?? null,
+      authMode: 'legacy_agent_token'
+    };
+  }
+
   return {
     platformUrl,
-    agentToken:
-      normalizeAgentToken(process.env.AGENT_TOKEN) ||
-      normalizeAgentToken(creds?.access_token) ||
-      'overlord-local-dev-token',
-    localSecret
+    bearerToken: 'overlord-local-dev-token',
+    localSecret,
+    organizationId: null,
+    authMode: 'local_fallback'
   };
 }
 
-export function getAuthStatus() {
+export async function getAuthStatus() {
   const creds = loadCredentials();
-  const resolved = resolveAuth();
+  let resolved;
+  let error = null;
+  try {
+    resolved = await resolveAuth();
+  } catch (resolveError) {
+    error = resolveError instanceof Error ? resolveError.message : String(resolveError);
+    resolved = {
+      platformUrl:
+        normalizePlatformUrl(process.env.OVERLORD_URL) ??
+        normalizeStoredPlatformUrl(creds?.platform_url) ??
+        getDefaultOverlordUrl(),
+      localSecret: '',
+      organizationId: creds?.organization_id ?? null,
+      authMode: 'error'
+    };
+  }
 
   let tokenSource = 'fallback';
   if (normalizeAgentToken(process.env.AGENT_TOKEN)) {
     tokenSource = 'AGENT_TOKEN';
-  } else if (normalizeAgentToken(creds?.access_token)) {
+  } else if (creds?.refresh_token) {
     tokenSource = getCredentialFileSource();
+  } else if (creds?.legacy_agent_token) {
+    tokenSource = `${getCredentialFileSource()} (legacy)`;
   }
 
   let platformUrlSource = 'default';
@@ -371,6 +586,9 @@ export function getAuthStatus() {
     tokenPresent: tokenSource !== 'fallback',
     tokenSource,
     hasLocalSecret: Boolean(resolved.localSecret),
+    organizationId: resolved.organizationId ?? null,
+    authMode: resolved.authMode,
+    error,
     credentialsFileExists: fileExists(CREDENTIALS_FILE),
     electronCredentialsFileExists: fileExists(ELECTRON_CREDENTIALS_FILE)
   };
@@ -378,12 +596,12 @@ export function getAuthStatus() {
 
 export function repairCredentials() {
   const creds = loadCredentials();
-  if (!creds || !normalizeAgentToken(creds.access_token)) {
+  if (!creds) {
     ensureCredentialsDir();
     return {
       repaired: false,
-      reason: 'No valid stored credentials with an access token were found.',
-      status: getAuthStatus()
+      reason: 'No valid stored credentials were found.',
+      status: null
     };
   }
 
@@ -391,7 +609,7 @@ export function repairCredentials() {
 
   return {
     repaired: true,
-    status: getAuthStatus()
+    status: null
   };
 }
 

package/bin/_cli/launcher.mjs

@@ -43,7 +43,7 @@ function getInstructionMode(agent) {
   return 'legacy';
 }
 
-async function fetchContext(platformUrl, agentToken, localSecret, ticketId, agent) {
+async function fetchContext(platformUrl, bearerToken, localSecret, organizationId, ticketId, agent) {
   const params = new URLSearchParams({
     context: 'cli',
     agent,
@@ -51,7 +51,7 @@ async function fetchContext(platformUrl, agentToken, localSecret, ticketId, agen
   });
   const url = `${platformUrl}/api/protocol/context/${ticketId}?${params.toString()}`;
   const response = await fetch(url, {
-    headers: buildAuthHeaders(agentToken, localSecret)
+    headers: buildAuthHeaders(bearerToken, localSecret, organizationId)
   });
 
   if (!response.ok) {
@@ -116,8 +116,15 @@ async function runAgent(agent, mode = 'run') {
     process.exit(1);
   }
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
-  const context = await fetchContext(platformUrl, agentToken, localSecret, ticketId, agent);
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
+  const context = await fetchContext(
+    platformUrl,
+    bearerToken,
+    localSecret,
+    organizationId,
+    ticketId,
+    agent
+  );
 
   const childEnv = { ...process.env, AGENT_IDENTIFIER: agentIdentifierMap[agent] };
 
@@ -199,8 +206,15 @@ async function printContext() {
     process.exit(1);
   }
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
-  const context = await fetchContext(platformUrl, agentToken, localSecret, ticketId);
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
+  const context = await fetchContext(
+    platformUrl,
+    bearerToken,
+    localSecret,
+    organizationId,
+    ticketId,
+    'claude'
+  );
   process.stdout.write(context);
 }
 

package/bin/_cli/new-ticket.mjs

@@ -131,9 +131,9 @@ async function promptForSelection({ items, label, prompt, renderItem }) {
   }
 }
 
-async function fetchProjects(platformUrl, agentToken, localSecret) {
+async function fetchProjects(platformUrl, bearerToken, localSecret, organizationId) {
   const res = await fetch(`${platformUrl}/api/protocol/projects`, {
-    headers: buildAuthHeaders(agentToken, localSecret)
+    headers: buildAuthHeaders(bearerToken, localSecret, organizationId)
   });
 
   const data = await res.json().catch(() => ({}));
@@ -146,11 +146,11 @@ async function fetchProjects(platformUrl, agentToken, localSecret) {
   return Array.isArray(data.projects) ? sortProjects(data.projects) : [];
 }
 
-async function createTicket(platformUrl, agentToken, localSecret, body) {
+async function createTicket(platformUrl, bearerToken, localSecret, organizationId, body) {
   const res = await fetch(`${platformUrl}/api/protocol/tickets`, {
     method: 'POST',
     headers: {
-      ...buildAuthHeaders(agentToken, localSecret),
+      ...buildAuthHeaders(bearerToken, localSecret, organizationId),
       'Content-Type': 'application/json'
     },
     body: JSON.stringify(body)
@@ -224,8 +224,8 @@ async function runTicketCreationFlow(args, { commandName, launchAgent }) {
   const objective = String(flags.objective ?? positionals.join(' ')).trim();
   ensureObjective(commandName, objective);
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
-  const projects = await fetchProjects(platformUrl, agentToken, localSecret);
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
+  const projects = await fetchProjects(platformUrl, bearerToken, localSecret, organizationId);
 
   if (!projects.length) {
     throw new Error('No projects available. Create a project first.');
@@ -253,7 +253,7 @@ async function runTicketCreationFlow(args, { commandName, launchAgent }) {
   const modelIdentifier = resolveTicketCreationModelIdentifier(flags);
   const ticketDelegate = resolveTicketCreationDelegate(flags, selectedAgent, modelIdentifier);
 
-  const ticket = await createTicket(platformUrl, agentToken, localSecret, {
+  const ticket = await createTicket(platformUrl, bearerToken, localSecret, organizationId, {
     objective,
     title: String(flags.title ?? ''),
     acceptanceCriteria: String(flags['acceptance-criteria'] ?? ''),

package/bin/_cli/protocol.mjs

@@ -91,7 +91,15 @@ function resolveProtocolMetadata(flags = {}, base = {}) {
  */
 const DEFAULT_TIMEOUT_MS = 30000;
 
-async function apiPost(platformUrl, token, localSecret, path, body, timeoutMs = DEFAULT_TIMEOUT_MS) {
+async function apiPost(
+  platformUrl,
+  token,
+  localSecret,
+  organizationId,
+  path,
+  body,
+  timeoutMs = DEFAULT_TIMEOUT_MS
+) {
   const requestUrl = `${platformUrl}${path}`;
   const requestStart = Date.now();
   let res;
@@ -99,7 +107,7 @@ async function apiPost(platformUrl, token, localSecret, path, body, timeoutMs =
     res = await fetch(requestUrl, {
       method: 'POST',
       headers: {
-        ...buildAuthHeaders(token, localSecret),
+        ...buildAuthHeaders(token, localSecret, organizationId),
         'Content-Type': 'application/json'
       },
       body: JSON.stringify(body),
@@ -150,8 +158,8 @@ async function apiPost(platformUrl, token, localSecret, path, body, timeoutMs =
   if (res.status === 401) {
     throw new Error(
       `Authentication failed (401): ${data.error ?? 'Invalid or missing token.'}\n` +
-      `IMPORTANT: Stop all work immediately. Your agent token is invalid, expired, or revoked.\n` +
-      `The user should open Overlord Settings → Agent Tokens and retrieve an updated token for this project.\n` +
+      `IMPORTANT: Stop all work immediately. Your Overlord auth session is invalid, expired, or missing required scope.\n` +
+      `The user should sign in again with Overlord Desktop or \`ovld auth login\`.\n` +
       `Ask the user if they would like to proceed without submitting updates to Overlord.`
     );
   }
@@ -474,7 +482,7 @@ function resolveExternalSessionId(flags) {
 async function protocolAttach(args) {
   const flags = parseFlags(args);
   const ticketId = requireFlag(flags, 'ticket-id', 'TICKET_ID');
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const externalSessionId = resolveExternalSessionId(flags);
@@ -489,8 +497,9 @@ async function protocolAttach(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/attach',
     body,
     timeoutMs
@@ -519,7 +528,7 @@ async function protocolUpdate(args) {
     ? readTextFile(String(flags['summary-file']), '--summary-file')
     : requireFlag(flags, 'summary', undefined);
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
   const changeRationales = await resolveChangeRationales(flags);
   const externalSessionId = resolveExternalSessionId(flags);
@@ -545,8 +554,9 @@ async function protocolUpdate(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/update',
     body,
     timeoutMs
@@ -571,7 +581,7 @@ async function protocolRecordChangeRationales(args) {
     );
   }
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const body = {
@@ -588,8 +598,9 @@ async function protocolRecordChangeRationales(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/change-rationales',
     body,
     timeoutMs
@@ -610,7 +621,7 @@ async function protocolAsk(args) {
     ? readTextFile(String(flags['question-file']), '--question-file')
     : requireFlag(flags, 'question', undefined);
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const body = {
@@ -621,7 +632,15 @@ async function protocolAsk(args) {
     ...(flags['payload-json'] ? { payload: parseJsonFlag('--payload-json', flags['payload-json']) } : {})
   };
 
-  const data = await apiPost(platformUrl, agentToken, localSecret, '/api/protocol/ask', body, timeoutMs);
+  const data = await apiPost(
+    platformUrl,
+    bearerToken,
+    localSecret,
+    organizationId,
+    '/api/protocol/ask',
+    body,
+    timeoutMs
+  );
   console.log(JSON.stringify(data, null, 2));
 }
 
@@ -636,13 +655,14 @@ async function protocolPermissionRequest(args) {
     ? await readJsonFileOrStdin(String(flags['payload-file']), '--payload-file')
     : {};
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     `/api/protocol/permission-request?ticketId=${encodeURIComponent(ticketId)}`,
     payload,
     timeoutMs
@@ -660,7 +680,7 @@ async function protocolReadContext(args) {
   if (!sessionKey) throw new Error('--session-key is required (or set SESSION_KEY)');
   if (!ticketId) throw new Error('--ticket-id is required (or set TICKET_ID)');
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const body = {
@@ -672,8 +692,9 @@ async function protocolReadContext(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/read-context',
     body,
     timeoutMs
@@ -703,7 +724,7 @@ async function protocolWriteContext(args) {
     value = String(flags.value);
   }
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const body = {
@@ -716,8 +737,9 @@ async function protocolWriteContext(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/write-context',
     body,
     timeoutMs
@@ -742,7 +764,7 @@ async function protocolDeliver(args) {
       ? readTextFile(String(flags['summary-file']), '--summary-file')
       : requireFlag(flags, 'summary', undefined));
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   let artifacts = deliverPayload?.artifacts ?? [];
@@ -775,8 +797,9 @@ async function protocolDeliver(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/deliver',
     body,
     timeoutMs
@@ -795,7 +818,7 @@ async function protocolArtifactPrepareUpload(args) {
   if (!ticketId) throw new Error('--ticket-id is required (or set TICKET_ID)');
   const fileName = requireFlag(flags, 'file-name', undefined);
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const body = {
@@ -811,8 +834,9 @@ async function protocolArtifactPrepareUpload(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/artifacts/prepare-upload',
     body,
     timeoutMs
@@ -828,7 +852,7 @@ async function protocolArtifactFinalizeUpload(args) {
   const storagePath = requireFlag(flags, 'storage-path', undefined);
   const label = requireFlag(flags, 'label', undefined);
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const body = {
@@ -844,8 +868,9 @@ async function protocolArtifactFinalizeUpload(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/artifacts/finalize-upload',
     body,
     timeoutMs
@@ -862,7 +887,7 @@ async function protocolArtifactGetDownloadUrl(args) {
     throw new Error('--artifact-id or --storage-path is required');
   }
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const body = {
@@ -875,8 +900,9 @@ async function protocolArtifactGetDownloadUrl(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/artifacts/get-download-url',
     body,
     timeoutMs
@@ -900,13 +926,14 @@ async function protocolArtifactUploadFile(args) {
   const fileStats = await stat(filePath);
   const fileBytes = await readFile(filePath);
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const prepared = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/artifacts/prepare-upload',
     {
       sessionKey,
@@ -931,8 +958,9 @@ async function protocolArtifactUploadFile(args) {
 
   const finalized = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/artifacts/finalize-upload',
     {
       sessionKey,
@@ -956,15 +984,16 @@ async function protocolArtifactUploadFile(args) {
 
 async function protocolDiscoverProject(args) {
   const flags = parseFlags(args);
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const workingDirectory = String(flags['working-directory'] ?? process.cwd());
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/discover-project',
     { workingDirectory },
     timeoutMs
@@ -983,7 +1012,7 @@ async function protocolDiscoverProject(args) {
 async function protocolConnect(args) {
   const flags = parseFlags(args);
   const ticketId = requireFlag(flags, 'ticket-id', 'TICKET_ID');
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const body = {
@@ -995,8 +1024,9 @@ async function protocolConnect(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/connect',
     body,
     timeoutMs
@@ -1017,15 +1047,16 @@ async function protocolConnect(args) {
 async function protocolLoadContext(args) {
   const flags = parseFlags(args);
   const ticketId = requireFlag(flags, 'ticket-id', 'TICKET_ID');
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
 
   const body = { ticketId };
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/load-context',
     body,
     timeoutMs
@@ -1040,7 +1071,7 @@ async function protocolLoadContext(args) {
 async function protocolSpawn(args) {
   const flags = parseFlags(args);
   const objective = requireFlag(flags, 'objective', undefined);
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
   const agentIdentifier = resolveProtocolAgentIdentifier(flags);
   const modelIdentifier = resolveProtocolModelIdentifier(flags);
@@ -1072,8 +1103,9 @@ async function protocolSpawn(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/spawn',
     body,
     timeoutMs
@@ -1099,7 +1131,7 @@ async function protocolCreateTicket(args) {
   const flags = parseFlags(args);
   const { sessionKey, ticketId } = resolveSessionFlags(flags);
   const objective = requireFlag(flags, 'objective', undefined);
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
   const timeoutMs = resolveTimeout(flags);
   const agentIdentifier = resolveProtocolAgentIdentifier(flags);
   const modelIdentifier = resolveProtocolModelIdentifier(flags);
@@ -1122,8 +1154,9 @@ async function protocolCreateTicket(args) {
 
     const data = await apiPost(
       platformUrl,
-      agentToken,
+      bearerToken,
       localSecret,
+      organizationId,
       '/api/protocol/create-ticket',
       body,
       timeoutMs
@@ -1159,8 +1192,9 @@ async function protocolCreateTicket(args) {
 
   const data = await apiPost(
     platformUrl,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     '/api/protocol/tickets',
     standaloneBody,
     timeoutMs
@@ -1173,7 +1207,7 @@ async function protocolCreateTicket(args) {
 // ---------------------------------------------------------------------------
 
 async function protocolAuthStatus() {
-  const status = getAuthStatus();
+  const status = await getAuthStatus();
 
   console.log(
     JSON.stringify(
@@ -1185,6 +1219,9 @@ async function protocolAuthStatus() {
           platformUrlSource: status.platformUrlSource,
           tokenSource: status.tokenSource,
           tokenPresent: status.tokenPresent,
+          organizationId: status.organizationId,
+          authMode: status.authMode,
+          error: status.error,
           hasLocalSecret: status.hasLocalSecret,
           credentialsFileExists: status.credentialsFileExists,
           electronCredentialsFileExists: status.electronCredentialsFileExists
@@ -1243,7 +1280,7 @@ Subcommands:
 Environment fallback:
   --session-key <- SESSION_KEY
   --ticket-id   <- TICKET_ID
-  auth/host     <- OVERLORD_URL, AGENT_TOKEN, or shared credentials from ovld auth/Desktop login
+  auth/host     <- OVERLORD_URL, optional legacy AGENT_TOKEN, or shared OAuth credentials from ovld auth/Desktop login
   --timeout     <- OVERLORD_TIMEOUT
 
 Common flags:

package/bin/_cli/ticket.mjs

@@ -15,11 +15,11 @@ export async function ticketContext(ticketId) {
     process.exit(1);
   }
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
 
   const url = `${platformUrl}/api/protocol/context/${ticketId}`;
   const res = await fetch(url, {
-    headers: buildAuthHeaders(agentToken, localSecret)
+    headers: buildAuthHeaders(bearerToken, localSecret, organizationId)
   });
 
   if (!res.ok) {

package/bin/_cli/tickets.mjs

@@ -33,11 +33,11 @@ function parseFlags(args, knownFlags) {
   return result;
 }
 
-async function apiPost(url, token, localSecret, body) {
+async function apiPost(url, token, localSecret, organizationId, body) {
   const res = await fetch(url, {
     method: 'POST',
     headers: {
-      ...buildAuthHeaders(token, localSecret),
+      ...buildAuthHeaders(token, localSecret, organizationId),
       'Content-Type': 'application/json'
     },
     body: JSON.stringify(body)
@@ -59,7 +59,7 @@ export async function ticketsCreate(args) {
 export async function ticketsList(args) {
   const flags = parseFlags(args, ['status', 'include-completed']);
 
-  const { platformUrl, agentToken, localSecret } = resolveAuth();
+  const { platformUrl, bearerToken, localSecret, organizationId } = await resolveAuth();
 
   const body = {
     includeCompleted: flags['include-completed'] !== false,
@@ -68,8 +68,9 @@ export async function ticketsList(args) {
 
   const data = await apiPost(
     `${platformUrl}/api/protocol/list-tickets`,
-    agentToken,
+    bearerToken,
     localSecret,
+    organizationId,
     body
   );
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "overlord-cli",
-  "version": "4.17.0",
+  "version": "4.19.0",
   "description": "Overlord CLI — launch AI agents on tickets from anywhere",
   "type": "module",
   "bin": {