overlord-cli 4.23.0 → 5.1.0

package/README.md

@@ -25,6 +25,14 @@ overlord help
 The CLI exposes the same command set under both names.
 `ovld auth login` opens a browser when possible and also prints a verification URL/code so login can be completed from another machine over SSH.
 
+Desktop-installed wrappers default `OVERLORD_URL` to `https://www.ovld.ai` unless you override it explicitly.
+For local dev against the web app on port 3000, export the override before running auth or protocol commands:
+
+```bash
+export OVERLORD_URL=http://localhost:3000
+ovld auth login
+```
+
 Common commands:
 
 ```bash

package/bin/_cli/auth.mjs

@@ -144,6 +144,17 @@ function snippet(value, max = 180) {
   return normalized.length <= max ? normalized : `${normalized.slice(0, max)}...`;
 }
 
+function describeNetworkError(error, context) {
+  const cause = error?.cause;
+  const details = [cause?.code, cause?.message].filter(Boolean).join(': ');
+  if (details) {
+    return new Error(`${context}: ${details}`);
+  }
+
+  const message = error instanceof Error ? error.message : String(error);
+  return new Error(`${context}: ${message}`);
+}
+
 async function readJsonOrThrow(res, context, baseUrl) {
   const contentType = res.headers.get('content-type') ?? '';
   const bodyText = await res.text();
@@ -165,9 +176,14 @@ async function readJsonOrThrow(res, context, baseUrl) {
 }
 
 async function fetchAuthConfig(platformUrl, localSecret) {
-  const res = await fetch(`${platformUrl}/api/auth/config`, {
-    headers: buildAuthHeaders('', localSecret)
-  });
+  let res;
+  try {
+    res = await fetch(`${platformUrl}/api/auth/config`, {
+      headers: buildAuthHeaders('', localSecret)
+    });
+  } catch (error) {
+    throw describeNetworkError(error, `Failed to fetch auth config from ${platformUrl}`);
+  }
   if (!res.ok) {
     throw new Error(
       `Failed to fetch auth config (${res.status}). Check that Overlord is running at ${platformUrl}.`
@@ -181,10 +197,18 @@ async function fetchAuthConfig(platformUrl, localSecret) {
 }
 
 async function requestDeviceAuthorization(platformUrl, localSecret) {
-  const res = await fetch(`${platformUrl}/api/auth/device/request`, {
-    method: 'POST',
-    headers: buildAuthHeaders('', localSecret)
-  });
+  let res;
+  try {
+    res = await fetch(`${platformUrl}/api/auth/device/request`, {
+      method: 'POST',
+      headers: buildAuthHeaders('', localSecret)
+    });
+  } catch (error) {
+    throw describeNetworkError(
+      error,
+      `Device authorization request failed for ${platformUrl}`
+    );
+  }
 
   if (!res.ok) {
     const text = await res.text();
@@ -195,14 +219,22 @@ async function requestDeviceAuthorization(platformUrl, localSecret) {
 }
 
 async function pollDeviceAuthorization(platformUrl, deviceCode, localSecret) {
-  const res = await fetch(`${platformUrl}/api/auth/device/poll`, {
-    method: 'POST',
-    headers: {
-      ...buildAuthHeaders('', localSecret),
-      'Content-Type': 'application/json'
-    },
-    body: JSON.stringify({ device_code: deviceCode })
-  });
+  let res;
+  try {
+    res = await fetch(`${platformUrl}/api/auth/device/poll`, {
+      method: 'POST',
+      headers: {
+        ...buildAuthHeaders('', localSecret),
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({ device_code: deviceCode })
+    });
+  } catch (error) {
+    throw describeNetworkError(
+      error,
+      `Device authorization poll failed for ${platformUrl}`
+    );
+  }
 
   const body = await readJsonOrThrow(res, 'Device authorization poll', platformUrl);
 
@@ -220,17 +252,25 @@ function sleep(ms) {
 }
 
 async function exchangeCodeForSupabaseTokens(supabaseUrl, clientId, code, codeVerifier, redirectUri) {
-  const res = await fetch(`${supabaseUrl}/auth/v1/oauth/token`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    body: new URLSearchParams({
-      grant_type: 'authorization_code',
-      code,
-      client_id: clientId,
-      redirect_uri: redirectUri,
-      code_verifier: codeVerifier
-    })
-  });
+  let res;
+  try {
+    res = await fetch(`${supabaseUrl}/auth/v1/oauth/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        grant_type: 'authorization_code',
+        code,
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        code_verifier: codeVerifier
+      })
+    });
+  } catch (error) {
+    throw describeNetworkError(
+      error,
+      `Token exchange failed for ${new URL(supabaseUrl).host}`
+    );
+  }
 
   if (!res.ok) {
     const text = await res.text();
@@ -474,8 +514,8 @@ async function promptForOrganization(organizations, preselectedId = null) {
 // Public auth commands
 // ---------------------------------------------------------------------------
 
-export function resolveLoginPlatformUrl(runtime = null) {
-  return process.env.OVERLORD_URL ?? runtime?.platform_url ?? getDefaultOverlordUrl();
+export function resolveLoginPlatformUrl(runtime = null, storedPlatformUrl = null) {
+  return process.env.OVERLORD_URL ?? storedPlatformUrl ?? runtime?.platform_url ?? getDefaultOverlordUrl();
 }
 
 function parseOrganizationFlag(args) {
@@ -491,7 +531,8 @@ function parseOrganizationFlag(args) {
 
 export async function authLogin(args = []) {
   const preselectedOrganizationId = parseOrganizationFlag(args);
-  const platformUrl = resolveLoginPlatformUrl();
+  const storedCredentials = loadCredentials();
+  const platformUrl = resolveLoginPlatformUrl(null, storedCredentials?.platform_url ?? null);
   const runtime = loadRuntime(platformUrl);
   const localSecret = runtime?.local_secret ?? process.env.OVERLORD_LOCAL_SECRET ?? '';
 
@@ -556,10 +597,13 @@ async function printVerboseAuthStatus() {
     console.log(`  Error: ${status.error}`);
   }
   console.log(`  Local secret: ${status.hasLocalSecret ? 'yes' : 'no'}`);
-  console.log(`  credentials.json: ${status.credentialsFileExists ? 'present' : 'missing'}`);
-  console.log(
-    `  electron-credentials.json: ${status.electronCredentialsFileExists ? 'present' : 'missing'}`
-  );
+  console.log(`  credentials.cli.json: ${status.credentialsFileExists ? 'present' : 'missing'}`);
+  if (status.legacyCredentialsFileExists) {
+    console.log(`  credentials.json (legacy): present`);
+  }
+  if (status.electronCredentialsFileExists) {
+    console.log(`  electron-credentials.json (legacy): present`);
+  }
 }
 
 export async function authStatus(args = []) {

package/bin/_cli/credentials.mjs

@@ -8,8 +8,10 @@ import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 
 const CREDENTIALS_DIR = path.join(os.homedir(), '.ovld');
-const CREDENTIALS_FILE = path.join(CREDENTIALS_DIR, 'credentials.json');
-const ELECTRON_CREDENTIALS_FILE = path.join(CREDENTIALS_DIR, 'electron-credentials.json');
+const CLI_CREDENTIALS_FILE = path.join(CREDENTIALS_DIR, 'credentials.cli.json');
+const LEGACY_CREDENTIALS_FILE = path.join(CREDENTIALS_DIR, 'credentials.json');
+const LEGACY_ELECTRON_CREDENTIALS_FILE = path.join(CREDENTIALS_DIR, 'electron-credentials.json');
+const LEGACY_MIGRATION_MARKER = path.join(CREDENTIALS_DIR, '.cli-migrated');
 const RUNTIME_FILE_PATTERN = /^runtime\..+\.json$/;
 const HOSTED_OVERLORD_URL = 'https://www.ovld.ai';
 const LOCAL_DEV_OVERLORD_URL = 'http://localhost:3000';
@@ -114,18 +116,39 @@ function normalizeCredentialsForSave(data) {
   };
 }
 
-/** @returns {Credentials | null} */
-export function loadCredentials() {
-  const cliCredentials = parseStoredCredentialsData(readJsonFile(CREDENTIALS_FILE), {
+function migrateLegacyCredentials() {
+  if (fileExists(LEGACY_MIGRATION_MARKER)) return null;
+
+  const legacyShared = parseStoredCredentialsData(readJsonFile(LEGACY_CREDENTIALS_FILE), {
+    requireAuthData: true
+  });
+  const legacyElectron = parseStoredCredentialsData(readJsonFile(LEGACY_ELECTRON_CREDENTIALS_FILE), {
     requireAuthData: true
   });
-  const electronCredentials = parseStoredCredentialsData(readJsonFile(ELECTRON_CREDENTIALS_FILE), {
+
+  const source = legacyShared ?? legacyElectron;
+  if (!source) return null;
+
+  try {
+    writeJsonFileAtomic(CLI_CREDENTIALS_FILE, { ...source, updated_at: new Date().toISOString() });
+    ensureCredentialsDir();
+    fs.writeFileSync(LEGACY_MIGRATION_MARKER, new Date().toISOString(), { mode: 0o600 });
+  } catch {
+    // Best-effort migration
+  }
+
+  return source;
+}
+
+/** @returns {Credentials | null} */
+export function loadCredentials() {
+  const cliCredentials = parseStoredCredentialsData(readJsonFile(CLI_CREDENTIALS_FILE), {
     requireAuthData: true
   });
 
   if (cliCredentials?.refresh_token) return cliCredentials;
-  if (electronCredentials?.refresh_token) return electronCredentials;
-  return cliCredentials ?? electronCredentials;
+
+  return migrateLegacyCredentials();
 }
 
 /** @param {Credentials} data */
@@ -135,45 +158,36 @@ export function saveCredentials(data) {
     throw new Error('Cannot save empty Overlord credentials.');
   }
 
-  const sharedCredentials = { ...credentials, updated_at: new Date().toISOString() };
-  writeJsonFileAtomic(CREDENTIALS_FILE, sharedCredentials);
-
-  const existingElectronCredentials = readJsonFile(ELECTRON_CREDENTIALS_FILE);
-  if (existingElectronCredentials && typeof existingElectronCredentials === 'object') {
-    const electronPayload = { ...existingElectronCredentials };
-    electronPayload.updated_at = sharedCredentials.updated_at;
-    if (credentials.platform_url) electronPayload.platform_url = credentials.platform_url;
-    if (credentials.access_token_expires_at) {
-      electronPayload.access_token_expires_at = credentials.access_token_expires_at;
-    }
-    if (credentials.organization_id) electronPayload.organization_id = credentials.organization_id;
-    if (credentials.user_email) electronPayload.user_email = credentials.user_email;
-    delete electronPayload.supabase_refresh_token;
-    writeJsonFileAtomic(ELECTRON_CREDENTIALS_FILE, electronPayload);
-  }
+  writeJsonFileAtomic(CLI_CREDENTIALS_FILE, { ...credentials, updated_at: new Date().toISOString() });
 }
 
 export function clearCredentials() {
-  for (const filePath of [CREDENTIALS_FILE, ELECTRON_CREDENTIALS_FILE]) {
-    try {
-      fs.unlinkSync(filePath);
-    } catch {
-      // Already gone
-    }
+  try {
+    fs.unlinkSync(CLI_CREDENTIALS_FILE);
+  } catch {
+    // Already gone
   }
 }
 
 function getCredentialFileSource() {
-  const cliCredentials = parseStoredCredentialsData(readJsonFile(CREDENTIALS_FILE), {
-    requireAuthData: true
-  });
-  const electronCredentials = parseStoredCredentialsData(readJsonFile(ELECTRON_CREDENTIALS_FILE), {
+  const cliCredentials = parseStoredCredentialsData(readJsonFile(CLI_CREDENTIALS_FILE), {
     requireAuthData: true
   });
-  if (cliCredentials?.refresh_token) return 'credentials.json';
-  if (electronCredentials?.refresh_token) return 'electron-credentials.json';
-  if (cliCredentials) return 'credentials.json';
-  if (electronCredentials) return 'electron-credentials.json';
+  if (cliCredentials?.refresh_token) return 'credentials.cli.json';
+
+  if (fileExists(LEGACY_CREDENTIALS_FILE)) {
+    const legacyShared = parseStoredCredentialsData(readJsonFile(LEGACY_CREDENTIALS_FILE), {
+      requireAuthData: true
+    });
+    if (legacyShared?.refresh_token) return 'credentials.json (legacy)';
+  }
+
+  if (fileExists(LEGACY_ELECTRON_CREDENTIALS_FILE)) {
+    const legacyElectron = parseStoredCredentialsData(readJsonFile(LEGACY_ELECTRON_CREDENTIALS_FILE), {
+      requireAuthData: true
+    });
+    if (legacyElectron?.refresh_token) return 'electron-credentials.json (legacy)';
+  }
 
   return 'none';
 }
@@ -340,13 +354,29 @@ function isAccessTokenFresh(credentials) {
   return expiresAt - Date.now() > 60_000;
 }
 
+function describeNetworkError(error, context) {
+  const cause = error?.cause;
+  const details = [cause?.code, cause?.message].filter(Boolean).join(': ');
+  if (details) {
+    return new Error(`${context}: ${details}`);
+  }
+
+  const message = error instanceof Error ? error.message : String(error);
+  return new Error(`${context}: ${message}`);
+}
+
 const authConfigCache = new Map();
 
 async function fetchAuthConfig(platformUrl, localSecret) {
   if (authConfigCache.has(platformUrl)) return authConfigCache.get(platformUrl);
-  const res = await fetch(`${platformUrl}/api/auth/config`, {
-    headers: buildAuthHeaders('', localSecret)
-  });
+  let res;
+  try {
+    res = await fetch(`${platformUrl}/api/auth/config`, {
+      headers: buildAuthHeaders('', localSecret)
+    });
+  } catch (error) {
+    throw describeNetworkError(error, `Failed to fetch auth config from ${platformUrl}`);
+  }
   if (!res.ok) {
     throw new Error(`Failed to fetch auth config (${res.status}).`);
   }
@@ -364,15 +394,23 @@ async function refreshOAuthAccessToken(platformUrl, refreshToken, localSecret) {
     throw new Error('OAuth is not configured for Overlord CLI auth.');
   }
 
-  const res = await fetch(`${supabaseUrl}/auth/v1/oauth/token`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    body: new URLSearchParams({
-      grant_type: 'refresh_token',
-      refresh_token: refreshToken,
-      client_id: clientId
-    })
-  });
+  let res;
+  try {
+    res = await fetch(`${supabaseUrl}/auth/v1/oauth/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+        client_id: clientId
+      })
+    });
+  } catch (error) {
+    throw describeNetworkError(
+      error,
+      `OAuth token refresh failed for ${new URL(supabaseUrl).host}`
+    );
+  }
 
   if (!res.ok) {
     const text = await res.text().catch(() => '');
@@ -504,9 +542,9 @@ export async function resolveAuth() {
         };
         saveCredentials(nextCredentials);
       } catch (refreshError) {
-        if (!creds.access_token) throw refreshError;
-        // Transient refresh failure — keep the existing access token and let the server
-        // reject it if it's truly expired/revoked.
+        throw new Error(
+          `Stored Overlord session expired and refresh failed. ${refreshError instanceof Error ? refreshError.message : String(refreshError)} Run \`ovld auth login\` again.`
+        );
       }
     }
 
@@ -570,7 +608,7 @@ export async function getAuthStatus() {
   }
 
   return {
-    isLoggedIn: tokenSource !== 'fallback',
+    isLoggedIn: tokenSource !== 'fallback' && !error,
     platformUrl: resolved.platformUrl,
     platformUrlSource,
     tokenPresent: tokenSource !== 'fallback',
@@ -579,8 +617,9 @@ export async function getAuthStatus() {
     organizationId: resolved.organizationId ?? null,
     authMode: resolved.authMode,
     error,
-    credentialsFileExists: fileExists(CREDENTIALS_FILE),
-    electronCredentialsFileExists: fileExists(ELECTRON_CREDENTIALS_FILE)
+    credentialsFileExists: fileExists(CLI_CREDENTIALS_FILE),
+    legacyCredentialsFileExists: fileExists(LEGACY_CREDENTIALS_FILE),
+    electronCredentialsFileExists: fileExists(LEGACY_ELECTRON_CREDENTIALS_FILE)
   };
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "overlord-cli",
-  "version": "4.23.0",
+  "version": "5.1.0",
   "description": "Overlord CLI — launch AI agents on tickets from anywhere",
   "type": "module",
   "bin": {