overlord-cli 4.19.0 → 4.21.0

package/bin/_cli/credentials.mjs

@@ -22,8 +22,7 @@ const LOCAL_SECRET_HEADER = 'X-Overlord-Local-Secret';
  *   refresh_token?: string,
  *   organization_id?: number | null,
  *   platform_url: string,
- *   user_email?: string,
- *   legacy_agent_token?: string
+ *   user_email?: string
  * }} Credentials
  */
 
@@ -80,10 +79,9 @@ function parseStoredCredentialsData(parsed, { requireAuthData = false } = {}) {
     typeof parsed.organization_id === 'number' && Number.isFinite(parsed.organization_id)
       ? parsed.organization_id
       : null;
-  const legacyAgentToken = accessToken && !refreshToken ? accessToken : '';
 
   if (!platformUrl) return null;
-  if (requireAuthData && !refreshToken && !legacyAgentToken) return null;
+  if (requireAuthData && !refreshToken) return null;
 
   return {
     platform_url: platformUrl,
@@ -93,8 +91,7 @@ function parseStoredCredentialsData(parsed, { requireAuthData = false } = {}) {
     ...(organizationId ? { organization_id: organizationId } : {}),
     ...(typeof parsed.user_email === 'string' && parsed.user_email.trim()
       ? { user_email: parsed.user_email.trim() }
-      : {}),
-    ...(legacyAgentToken ? { legacy_agent_token: legacyAgentToken } : {})
+      : {})
   };
 }
 
@@ -151,7 +148,6 @@ export function saveCredentials(data) {
     }
     if (credentials.organization_id) electronPayload.organization_id = credentials.organization_id;
     if (credentials.user_email) electronPayload.user_email = credentials.user_email;
-    delete electronPayload.legacy_agent_token;
     delete electronPayload.supabase_refresh_token;
     writeJsonFileAtomic(ELECTRON_CREDENTIALS_FILE, electronPayload);
   }
@@ -465,17 +461,23 @@ export async function resolveAuth() {
       ? runtime.local_secret
       : '';
 
-  const envAgentToken = normalizeAgentToken(process.env.AGENT_TOKEN);
-  if (envAgentToken) {
+  const envAccessToken = normalizeAccessToken(process.env.OVERLORD_ACCESS_TOKEN);
+  if (envAccessToken) {
+    const envOrganizationId =
+      typeof process.env.OVERLORD_ORGANIZATION_ID === 'string'
+        ? Number.parseInt(process.env.OVERLORD_ORGANIZATION_ID, 10)
+        : null;
+    if (!Number.isFinite(envOrganizationId)) {
+      throw new Error(
+        'OVERLORD_ACCESS_TOKEN requires OVERLORD_ORGANIZATION_ID so protocol requests stay scoped.'
+      );
+    }
     return {
       platformUrl,
-      bearerToken: envAgentToken,
+      bearerToken: envAccessToken,
       localSecret,
-      organizationId:
-        typeof process.env.OVERLORD_ORGANIZATION_ID === 'string'
-          ? Number.parseInt(process.env.OVERLORD_ORGANIZATION_ID, 10)
-          : null,
-      authMode: 'legacy_agent_token'
+      organizationId: envOrganizationId,
+      authMode: 'oauth_env'
     };
   }
 
@@ -525,16 +527,6 @@ export async function resolveAuth() {
     };
   }
 
-  if (creds.legacy_agent_token) {
-    return {
-      platformUrl,
-      bearerToken: creds.legacy_agent_token,
-      localSecret,
-      organizationId: creds.organization_id ?? null,
-      authMode: 'legacy_agent_token'
-    };
-  }
-
   return {
     platformUrl,
     bearerToken: 'overlord-local-dev-token',
@@ -564,12 +556,10 @@ export async function getAuthStatus() {
   }
 
   let tokenSource = 'fallback';
-  if (normalizeAgentToken(process.env.AGENT_TOKEN)) {
-    tokenSource = 'AGENT_TOKEN';
+  if (normalizeAccessToken(process.env.OVERLORD_ACCESS_TOKEN)) {
+    tokenSource = 'OVERLORD_ACCESS_TOKEN';
   } else if (creds?.refresh_token) {
     tokenSource = getCredentialFileSource();
-  } else if (creds?.legacy_agent_token) {
-    tokenSource = `${getCredentialFileSource()} (legacy)`;
   }
 
   let platformUrlSource = 'default';
@@ -613,7 +603,7 @@ export function repairCredentials() {
   };
 }
 
-function normalizeAgentToken(value) {
+function normalizeAccessToken(value) {
   if (typeof value !== 'string') return '';
   return value.trim();
 }

package/bin/_cli/launcher.mjs

@@ -173,8 +173,31 @@ async function runAgent(agent, mode = 'run') {
       } else {
         execFileSync('opencode', ['--prompt', context], { stdio: 'inherit', env: childEnv });
       }
-    } else {
-      execFileSync('gemini', [context], { stdio: 'inherit', env: childEnv });
+    } else if (agent === 'gemini') {
+      // Write context to a temp file. Passing inline content as a positional arg
+      // causes Gemini's @-reference parser to lstat(cwd + content) when it encounters
+      // @ symbols in the markdown (e.g. "@@ -10,6 +10,14 @@" in JSON hunk examples),
+      // producing an ENAMETOOLONG crash. Using @file keeps the path short.
+      const tag = `overlord-${ticketId.slice(-8)}-${Date.now()}`;
+      const contextFile = path.join(os.tmpdir(), `${tag}-ctx.md`);
+      fs.writeFileSync(contextFile, context, 'utf-8');
+      setTimeout(() => { try { fs.unlinkSync(contextFile); } catch { /* already gone */ } }, 30 * 60_000).unref();
+
+      if (mode === 'resume') {
+        const geminiSessionId = process.env.GEMINI_SESSION_ID?.trim();
+        const resumeTarget = geminiSessionId ?? 'latest';
+        execFileSync(
+          'gemini',
+          ['--resume', resumeTarget, '--include-directories', os.tmpdir(), `@${contextFile}`],
+          { stdio: 'inherit', env: childEnv }
+        );
+      } else {
+        execFileSync(
+          'gemini',
+          ['--include-directories', os.tmpdir(), `@${contextFile}`],
+          { stdio: 'inherit', env: childEnv }
+        );
+      }
     }
   } catch (error) {
     const isResume = mode === 'resume';

package/bin/_cli/protocol.mjs

@@ -1280,7 +1280,7 @@ Subcommands:
 Environment fallback:
   --session-key <- SESSION_KEY
   --ticket-id   <- TICKET_ID
-  auth/host     <- OVERLORD_URL, optional legacy AGENT_TOKEN, or shared OAuth credentials from ovld auth/Desktop login
+  auth/host     <- OVERLORD_URL, optional OVERLORD_ACCESS_TOKEN + OVERLORD_ORGANIZATION_ID, or shared OAuth credentials from ovld auth/Desktop login
   --timeout     <- OVERLORD_TIMEOUT
 
 Common flags:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "overlord-cli",
-  "version": "4.19.0",
+  "version": "4.21.0",
   "description": "Overlord CLI — launch AI agents on tickets from anywhere",
   "type": "module",
   "bin": {

package/plugins/claude/README.md

@@ -7,7 +7,7 @@ Claude Code plugin that exposes the Overlord local ticket workflow to any Claude
 - `skills/overlord-ticket/SKILL.md` — durable attach → update → ask → deliver workflow.
 - `commands/{connect,load,create,spawn}.md` — slash commands for session routing and ticket creation.
 - `hooks/hooks.json` + `scripts/permission-hook.sh` — PermissionRequest notifier that calls `ovld protocol permission-request`.
-- `userConfig` for legacy `overlord_url` and `agent_token` installs. Current installs should authenticate with `ovld auth login` or Overlord Desktop; env vars remain optional overrides for remote shells, CI, and explicit token injection.
+- `userConfig` for `overlord_url`. Current installs should authenticate with `ovld auth login` or Overlord Desktop; env vars remain optional overrides for remote shells, CI, and explicit OAuth token injection.
 
 ## Requirements
 
@@ -29,7 +29,7 @@ claude plugin marketplace add cooperativ/overlord-marketplace
 claude plugin install overlord@cooperativ
 ```
 
-Older plugin versions prompted for `overlord_url` and `agent_token` at install time. The current hook goes through `ovld protocol`, so the CLI resolves auth from env vars or the shared `~/.ovld` credentials written by CLI/Desktop login.
+Older plugin versions prompted for `overlord_url` and a legacy token at install time. The current hook goes through `ovld protocol`, so the CLI resolves auth from env vars or the shared `~/.ovld` credentials written by CLI/Desktop login.
 
 ## Namespaced components
 

package/plugins/claude/scripts/permission-hook.sh

@@ -2,12 +2,12 @@
 # Overlord PermissionRequest notification hook (plugin-managed).
 #
 # Prefers plugin userConfig values (CLAUDE_PLUGIN_OPTION_*) when set, and falls
-# back to the raw OVERLORD_URL / AGENT_TOKEN env vars Overlord-launched shells
-# already export. Silently no-ops if we can't authenticate — the hook must
+# back to the raw OVERLORD_URL / OVERLORD_ACCESS_TOKEN env vars Overlord-launched
+# shells already export. Silently no-ops if we can't authenticate — the hook must
 # never block the user or leak errors into the Claude session.
 BODY=$(cat -)
 OVERLORD_BASE_URL="${CLAUDE_PLUGIN_OPTION_OVERLORD_URL:-$OVERLORD_URL}"
-OVERLORD_TOKEN="${CLAUDE_PLUGIN_OPTION_AGENT_TOKEN:-$AGENT_TOKEN}"
+OVERLORD_TOKEN="${CLAUDE_PLUGIN_OPTION_OVERLORD_ACCESS_TOKEN:-$OVERLORD_ACCESS_TOKEN}"
 if [ -n "$OVERLORD_BASE_URL" ] && [ -n "$OVERLORD_TOKEN" ] && [ -n "$TICKET_ID" ]; then
   curl -sf -m 5 \
     -X POST "$OVERLORD_BASE_URL/api/protocol/permission-request?ticketId=$TICKET_ID" \

package/plugins/overlord/README.md

@@ -14,7 +14,7 @@ personal marketplace entry at `~/.agents/plugins/marketplace.json`.
 ## Requirements
 
 - Install the Overlord CLI so `ovld` is available on `PATH`.
-- Authenticate with `ovld auth login` or Overlord Desktop. `OVERLORD_URL` and `AGENT_TOKEN` are optional overrides, mainly for remote shells, CI, or explicit token injection.
+- Authenticate with `ovld auth login` or Overlord Desktop. `OVERLORD_URL` can be used to point the CLI at a non-default host.
 - Optionally set `OVLD_BIN` if the CLI lives at a non-standard path.
 
 ## Tool coverage