overlord-cli 5.5.0 → 5.7.0

package/bin/_cli/auth.mjs

@@ -660,6 +660,9 @@ export async function runAuthCommand(subcommand, args = []) {
 
 Subcommands:
   login    Authorize the CLI via browser (works locally or over SSH)
+             --organization-id <id>   Pre-select organization non-interactively
+                                      (required when stdin is not a TTY and
+                                      multiple organizations are available)
   status   Show current login status (use --verbose for redacted diagnostics)
   repair   Mirror and chmod shared Desktop/CLI credentials when possible
   logout   Remove stored credentials

package/bin/_cli/credentials.mjs

@@ -553,13 +553,16 @@ export async function resolveAuth() {
         'OVERLORD_ACCESS_TOKEN requires OVERLORD_ORGANIZATION_ID so protocol requests stay scoped.'
       );
     }
-    return {
-      platformUrl,
-      bearerToken: envAccessToken,
-      localSecret,
-      organizationId: envOrganizationId,
-      authMode: 'oauth_env'
-    };
+
+    if (isEnvAccessTokenUsable(envAccessToken)) {
+      return {
+        platformUrl,
+        bearerToken: envAccessToken,
+        localSecret,
+        organizationId: envOrganizationId,
+        authMode: 'oauth_env'
+      };
+    }
   }
 
   if (!creds) {
@@ -636,8 +639,9 @@ export async function getAuthStatus() {
     };
   }
 
+  const envAccessToken = normalizeAccessToken(process.env.OVERLORD_ACCESS_TOKEN);
   let tokenSource = 'fallback';
-  if (normalizeAccessToken(process.env.OVERLORD_ACCESS_TOKEN)) {
+  if (envAccessToken && isEnvAccessTokenUsable(envAccessToken)) {
     tokenSource = 'OVERLORD_ACCESS_TOKEN';
   } else if (creds?.refresh_token) {
     tokenSource = getCredentialFileSource();
@@ -690,6 +694,11 @@ function normalizeAccessToken(value) {
   return value.trim();
 }
 
+function isEnvAccessTokenUsable(accessToken) {
+  const expiresAt = decodeJwtExpiry(accessToken);
+  return expiresAt === null || expiresAt * 1000 - Date.now() > 60_000;
+}
+
 function normalizePlatformUrl(value) {
   if (typeof value !== 'string') return undefined;
   const trimmed = value.trim();

package/bin/_cli/protocol.mjs

@@ -163,8 +163,9 @@ async function apiPost(
     throw new Error(
       `Authentication failed (401): ${data.error ?? 'Invalid or missing token.'}\n` +
       `IMPORTANT: Stop all work immediately. Your Overlord auth session is invalid, expired, or missing required scope.\n` +
-      `The user should try \`ovld auth repair\` first, then sign in again with Overlord Desktop or \`ovld auth login\` if needed.\n` +
-      `Ask the user if they would like to proceed without submitting updates to Overlord.`
+      `First run \`ovld auth repair\` yourself.\n` +
+      `If repair does not fix it, ask the user to sign in again with Overlord Desktop or \`ovld auth login\` if needed.\n` +
+      `Then ask whether they would like to proceed without submitting updates to Overlord.`
     );
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "overlord-cli",
-  "version": "5.5.0",
+  "version": "5.7.0",
   "description": "Overlord CLI — launch AI agents on tickets from anywhere",
   "type": "module",
   "bin": {

package/plugins/claude/skills/overlord-ticket/SKILL.md

@@ -153,7 +153,9 @@ ovld protocol artifact-download-url --session-key <sessionKey> --ticket-id $TICK
 - The `summary` in deliver is what the PM reads first, so write it as a narrative, not a command list.
 - Use `write-context` for facts a future agent session should know.
 - If `ovld` reports `OVERLORD_URL` is unreachable, request permission escalation or network access before retrying.
+- If a protocol or MCP call fails with auth/session errors, run `ovld auth repair` yourself before asking the user to log in again or proceed without Overlord updates.
+- If you must run `ovld auth login`, always include `--organization-id <id>` — use the organization ID from the ticket prompt context to select the organization non-interactively and avoid a blocking TTY prompt.
 - Do not add or commit changes unless the user explicitly asks you to commit.
 - Delivery is the concluding step. After delivering, stop unless the user follows up or the ticket is reopened.
 
-<!-- version: 0.2.3 -->
+<!-- version: 0.2.5 -->

package/plugins/cursor/skills/overlord-ticket/SKILL.md

@@ -42,7 +42,8 @@ When in doubt, ask yourself: *can this be done entirely inside a terminal or bro
 - Use `ovld protocol` commands, the plugin commands, and the MCP tool instead of ad hoc scripts.
 - Do not invent protocol subcommands. Use `ovld protocol help` when unsure.
 - If `ovld` reports `OVERLORD_URL` is unreachable, request permission escalation or network access before retrying.
+- If a protocol or MCP call fails with auth/session errors, run `ovld auth repair` yourself before asking the user to log in again or proceed without Overlord updates.
 - Include at least one progress update before delivering.
 - When creating follow-up tickets, always set `--execution-target` explicitly using the `agent`/`human` rule above.
 
-<!-- version: 0.2.3 -->
+<!-- version: 0.2.4 -->

package/plugins/overlord/skills/overlord-ticket/SKILL.md

@@ -138,5 +138,6 @@ When in doubt, ask yourself: *can this be done entirely inside a terminal or bro
 - Do not create or rely on a local Codex `AGENTS.md` bundle for Overlord.
 - If `ovld` reports `OVERLORD_URL` is unreachable, request permission escalation or network access before retrying.
 - When the ticket was launched by Overlord, the ticket prompt remains authoritative for the specific task objective and ticket-level constraints.
+- If a protocol or MCP call fails with auth/session errors, run `ovld auth repair` yourself before asking the user to log in again or proceed without Overlord updates.
 
-<!-- version: 0.2.3 -->
+<!-- version: 0.2.4 -->