feat: harden private Pro distribution

[rafaelscosta]

Summary

• bump @aiox-squads/core to 5.1.16 and remove bundled pro/ from the public package files
• invert validate:publish so public core fails if pro/ enters npm pack output
• move Pro setup/update to authenticated license-server signed artifact acquisition
• install verified artifacts into target node_modules/@aiox-squads/pro with --no-save for existing status/update compatibility
• update aiox-pro wrapper, docs, story, and evidence for PRO-13.5
• point pro submodule at SynkraAI/aiox-pro#13 commit for @aiox-squads/pro@0.4.1

Validation

• npm run validate:publish
• npm run typecheck
• npm run lint (passes with 82 pre-existing warnings)
• npm test -- --runInBand tests/pro-wizard.test.js tests/installer/pro-setup-auth.test.js tests/installer/pro-scaffolder.test.js tests/cli/validate-publish.test.js tests/pro/pro-updater.test.js tests/pro-recover.test.js
• npx jest --runInBand tests/license/license-api.test.js --testPathIgnorePatterns='node_modules'
• npm --prefix pro ci --ignore-scripts --no-audit --no-fund
• npm --prefix pro run validate:publish-surface
• full smoke matrix saved in outputs/qa/2026-05-pro-13-5-smoke.json: core 5.1.16, Pro 0.4.1, invalid user blocked, update idempotent

Operational evidence

• uploaded private artifact @aiox-squads/pro@0.4.1 to Supabase Storage
• updated production PRO_ARTIFACT_MANIFEST_JSON to include 0.4.0 and 0.4.1
• redeployed aios-license-server production: dpl_83E1Nk88UWVwM5aFhgp7xerkan2i

Dependency

• Depends on SynkraAI/aiox-pro#13 being merged/preserved before core release.

Release order

1. Merge/publish @aiox-squads/pro@0.4.1
2. Merge/publish @aiox-squads/core@5.1.16
3. Smoke npm install + Pro install/update again
4. Only then set @aiox-squads/pro visibility to private

Summary by CodeRabbit

• New Features

  • Pro setup/update now uses an authenticated installer wizard, supports legacy -k/--key, and can install signed Pro artifacts from license-server URLs with integrity checks.

• Documentation

  • Added private Pro distribution guidance, developer workflow updates, publish validation criteria, story & troubleshooting docs.

• Refactor

  • Pro content excluded from public publishes; CLI delegates Pro install/setup to the core installer/wrapper.

• Chores

  • Publish validation tightened; package version and manifests bumped.

• Tests

  • Updated/added tests for publish gate, artifact acquisition/install, CLI key flag, and wizard flows.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
aiox-core	Ready	Preview, Comment	May 8, 2026 9:46pm

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR implements PRO-13.5: removes Pro assets from public core tarballs, enforces a public-only tarball boundary via npm-pack validation, refactors pro setup/update to use the installer wizard (supporting license-server signed-artifact acquisition with SHA256/size verification), converts aiox-pro into a thin delegating wrapper, updates manifests/docs/tests, and records QA evidence.

Changes

Pro-13.5 Distribution Hardening

Layer / File(s)	Summary
Public Tarball Surface Hardening package.json, bin/utils/validate-publish.js, tests/cli/validate-publish.test.js, outputs/qa/*	Remove pro/ entries from publish files; validate npm pack --dry-run --json output to block pro/ paths and enforce minimum file count; update tests and QA outputs.
Core CLI: pro command changes .aiox-core/cli/commands/pro/index.js	Add loadProSetupWizard(); detect installed Pro via manifest/version/package files; call proSetup.runProWizard() for setup/update (supporting refreshArtifact and --key/-k); update update-check/dry-run outputs.
aiox-pro thin wrapper packages/aiox-pro-cli/bin/aiox-pro.js	Resolve and delegate to core aiox binary; run Pro wizard for install/setup with optional --key/-k; remove local install/detection guards and update help/examples.
Installer: artifact acquisition & helpers packages/installer/src/wizard/pro-setup.js	Add artifact constants and helpers; InlineLicenseClient.getProArtifactUrl(); download .tgz, verify size+sha256, extract and npm-install into temp and target; expose helpers via _testing.
Pro source resolution & orchestration packages/installer/src/wizard/pro-setup.js	Multi-path stepInstallScaffold: explicit proSourceDir, refresh artifact, bundle/submodule/npm resolution, or license-result→artifact acquisition; move license cache persistence into step 2; prefer resolved proSourceDir for scaffolding and clean up temps.
Auth & activation extensions packages/installer/src/wizard/pro-setup.js	Normalize activation payload/response shapes; switch legacy endpoint to /api/v1/license/activate and include aioxCoreVersion/aiosCoreVersion; include accessToken, machineId, aioxCoreVersion in activation results; support artifact requests.
Scaffolder, imports & i18n packages/installer/src/pro/pro-scaffolder.js, packages/installer/src/wizard/i18n.js	Use local installer import for ensureProjectNodeModulesLink, refresh proPackageNotFound i18n messages, and ensure temp artifact cleanup.
Tests: publish, auth, license paths, wizard tests/cli/validate-publish.test.js, tests/installer/pro-setup-auth.test.js, tests/license/license-api.test.js, tests/pro-wizard.test.js, tests/pro-recover.test.js	Update publish-validation tests, add artifact-URL contract tests, change license API tests to /api/v1/license/..., add wizard artifact-source fallback coverage and CLI -k alias test, and update fixtures.
Documentation & story docs/PUBLISHING.md, docs/guides/workflows/pro-developer-workflow.md, docs/stories/epic-pro-13/...	Add PRO-13.5 publishing procedure and developer workflow describing license-server artifact channel, signed URL verification, customer setup/update, CI publish rules, and acceptance criteria.
Manifests, version bump & QA outputs .aiox-core/install-manifest.yaml, pro (submodule), package.json, outputs/qa/*	Bump core version to 5.1.16; update manifest entry/hash and CLI file hashes; advance pro submodule pointer; add QA artifact/smoke metadata JSON outputs.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• SynkraAI/aiox-core#648: Overlaps on pro submodule pointer and publish/test changes.
• SynkraAI/aiox-core#637: Overlapping installer/wizard and CLI test changes.
• SynkraAI/aiox-core#649: Related publish-safety tooling edits (validate-publish).

Suggested labels

area: pro, area: core, area: devops

Suggested reviewers

• Pedrovaleriolopez
• oalanicolas

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: harden private Pro distribution' accurately captures the main objective: hardening the private distribution mechanism for the Pro package through license-server-signed artifacts and core package boundary enforcement.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/pro-13-5-private-pro-distribution

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📊 Coverage Report

Coverage report not available

📈 Full coverage report available in Codecov

---

Generated by PR Automation (Story 6.1)

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

bin/utils/validate-publish.js (1)

51-67: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Normalize legacy npm notice lines to extract file paths correctly.

The fallback parser doesn't account for the size column in legacy npm pack output. Lines like npm notice 1.2kB pro/license/license-api.js are currently parsed to 1.2kB pro/license/license-api.js, which fails the PRO_PATH_PATTERN check (starts with size, not pro/). This allows premium files to pass the validation gate.

The codebase already contains a correct pattern in scripts/validate-package-completeness.js that properly extracts the path after the size: line.match(/npm notice\s+[\d.]+[kMG]?B?\s+(.+)/). Apply the same approach here.

Suggested fix

   return packOutput
     .split('\n')
     .filter(
       (line) =>
         line.includes('npm notice') &&
         !line.includes('Tarball') &&
         !line.includes('name:') &&
         !line.includes('version:') &&
         !line.includes('filename:') &&
         !line.includes('package size:') &&
         !line.includes('unpacked size:') &&
         !line.includes('shasum:') &&
         !line.includes('integrity:') &&
         !line.includes('total files:'),
     )
-    .map((line) => line.replace(/^.*npm notice\s+/, '').trim())
+    .map((line) => {
+      const match = line.match(/npm notice\s+[\d.]+[kMG]?B?\s+(.+)/);
+      return match ? match[1].trim() : '';
+    })
     .filter(Boolean);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bin/utils/validate-publish.js` around lines 51 - 67, The parser that builds
the npm notice lines from packOutput should normalize legacy lines that include
a size column before the path; update the mapping logic in
bin/utils/validate-publish.js (the packOutput -> .split(...).map(...) pipeline)
to first attempt extracting the path with the same regex used in
scripts/validate-package-completeness.js (e.g. match for npm notice + optional
size and capture the remainder), falling back to the existing replace(/^.*npm
notice\s+/, '') if no size is present, so that downstream checks (like
PRO_PATH_PATTERN) receive the actual file path rather than a leading size token.

packages/aiox-pro-cli/bin/aiox-pro.js (1)

150-176: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

install/setup/wizard drops the -k short key flag.

The wrapper only reads --key, so npx aiox-pro install -k <KEY> won’t pass the key and may unexpectedly fall back to interactive prompts.

💡 Suggested fix

-function getArgValue(flag) {
-  const idx = args.indexOf(flag);
-  if (idx !== -1 && idx + 1 < args.length) {
-    return args[idx + 1];
-  }
+function getArgValue(...flags) {
+  for (const flag of flags) {
+    const idx = args.indexOf(flag);
+    if (idx !== -1 && idx + 1 < args.length) {
+      return args[idx + 1];
+    }
+  }
   return null;
 }
@@
 function installPro() {
-  runProWizard(getArgValue('--key'));
+  runProWizard(getArgValue('--key', '-k'));
 }
@@
   case 'setup':
   case 'wizard': {
     // Run the Pro Installation Wizard with license gate
-    const wizardKey = getArgValue('--key');
+    const wizardKey = getArgValue('--key', '-k');
     runProWizard(wizardKey);
     break;
   }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/aiox-pro-cli/bin/aiox-pro.js` around lines 150 - 176, The
install/setup/wizard handlers only read the long flag '--key' so short flag '-k'
is ignored; update call sites to accept both forms (use getArgValue('-k') ||
getArgValue('--key')) when retrieving the key (e.g., in installPro() and where
wizardKey is set before runProWizard), or extend getArgValue to accept aliases
so runProWizard receives the provided '-k' value; ensure you reference
installPro, runProWizard, and getArgValue when making the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/guides/workflows/pro-developer-workflow.md`:
- Line 221: In the table row containing the text "npm artifact for maintainers,
customer access through license-server signed URL" update the compound modifier
by hyphenating it to "license-server-signed URL" so the cell reads "npm artifact
for maintainers, customer access through license-server-signed URL"; locate the
exact string in the table line that currently starts with "**aiox-pro** | With
aiox-core cloned" and replace the unhyphenated phrase accordingly.

In `@outputs/qa/2026-05-pro-13-5-npm-access-pro-status.json`:
- Around line 1-3: The QA artifact currently shows "@aiox-squads/pro" as
"public" (pre-hardening) and lacks post-hardening evidence; run the final
release step that sets the package visibility to private for the package
"@aiox-squads/pro", verify the npm registry (or org) reports visibility
"private", and add a new QA artifact file (e.g.,
2026-05-pro-13-5-npm-access-pro-status-final.json) containing
{"@aiox-squads/pro": "private"} to the PR to confirm the post-step state.

In `@outputs/qa/2026-05-pro-13-5-npm-view-core.json`:
- Around line 1-7: The pre-publish snapshot shows dist-tags.latest is 5.1.15
instead of the expected 5.1.16; update or add a post-publish snapshot that
verifies dist-tags.latest becomes "5.1.16" and also add a check that the packed
tarball (the package produced during validate:publish) does not contain the
"pro/" directory; locate the snapshot generation logic (the test or script that
produces qa/2026-05-pro-13-5-npm-view-core.json) and modify it to run after
publish, assert dist-tags.latest === "5.1.16", and assert the tarball contents
exclude "pro/" so the validate:publish hardening has complete evidence.

In `@outputs/qa/2026-05-pro-13-5-npm-view-pro.json`:
- Around line 1-6: The snapshot shows "version": "0.4.0" and "dist-tags.latest":
"0.4.0" for `@aiox-squads/pro` but was taken before the 0.4.1 publish; update the
snapshot capture so it runs after the package is published (while still public)
and re-record the JSON to reflect "version": "0.4.1" and "dist-tags.latest":
"0.4.1" (i.e., re-run the npm view step and replace the current snapshot object
containing the "version" and "dist-tags.latest" keys).

In `@packages/installer/src/wizard/pro-setup.js`:
- Around line 839-845: The code currently installs the pro package and persists
the local license cache before calling scaffoldProContent, which leaves
activated cache and node_modules/@aiox-squads/pro behind on scaffold failure;
change the flow so that cache persistence happens only after scaffoldProContent
succeeds, and on any scaffoldProContent error roll back the just-installed
package and temporary extraction (use installedProSourceDir/targetDir to remove
the installed package or call the inverse uninstall helper if available, and
clean extractedProSourceDir), keeping test hook support
(module.exports._testing.installProArtifactIntoTarget/targetInstaller) intact;
apply the same change to the other similar installation blocks in the file.
- Around line 700-724: The downloadArtifactFile function currently calls
fetch(artifactUrl) without an abort signal which can hang; add an
AbortController with a timeout (e.g., configurable constant or parameter) and
pass controller.signal to fetch, start a setTimeout that calls
controller.abort() after the timeout, and clear the timeout on success or error;
ensure you catch the abort error and rethrow a clear timeout-specific Error
before continuing with the existing response checks and writing the file so
downloadArtifactFile fails promptly on network hangs.

---

Outside diff comments:
In `@bin/utils/validate-publish.js`:
- Around line 51-67: The parser that builds the npm notice lines from packOutput
should normalize legacy lines that include a size column before the path; update
the mapping logic in bin/utils/validate-publish.js (the packOutput ->
.split(...).map(...) pipeline) to first attempt extracting the path with the
same regex used in scripts/validate-package-completeness.js (e.g. match for npm
notice + optional size and capture the remainder), falling back to the existing
replace(/^.*npm notice\s+/, '') if no size is present, so that downstream checks
(like PRO_PATH_PATTERN) receive the actual file path rather than a leading size
token.

In `@packages/aiox-pro-cli/bin/aiox-pro.js`:
- Around line 150-176: The install/setup/wizard handlers only read the long flag
'--key' so short flag '-k' is ignored; update call sites to accept both forms
(use getArgValue('-k') || getArgValue('--key')) when retrieving the key (e.g.,
in installPro() and where wizardKey is set before runProWizard), or extend
getArgValue to accept aliases so runProWizard receives the provided '-k' value;
ensure you reference installPro, runProWizard, and getArgValue when making the
change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 12b511c7-4d98-4152-8632-c6b48d6eafb2

📥 Commits

Reviewing files that changed from the base of the PR and between 6863749 and 3c09159.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (24)

• .aiox-core/cli/commands/pro/index.js
• .aiox-core/install-manifest.yaml
• bin/utils/validate-publish.js
• docs/PUBLISHING.md
• docs/guides/workflows/pro-developer-workflow.md
• docs/stories/epic-pro-13/STORY-PRO-13.5-PRIVATE-PRO-DISTRIBUTION-HARDENING.md
• outputs/qa/2026-05-pro-13-5-core-pack-dry-run.json
• outputs/qa/2026-05-pro-13-5-npm-access-core-status.json
• outputs/qa/2026-05-pro-13-5-npm-access-pro-status.json
• outputs/qa/2026-05-pro-13-5-npm-view-core.json
• outputs/qa/2026-05-pro-13-5-npm-view-pro.json
• outputs/qa/2026-05-pro-13-5-pro-artifact-0.4.1.json
• outputs/qa/2026-05-pro-13-5-smoke.json
• outputs/qa/2026-05-pro-13-5-vercel-manifest-0.4.1.json
• package.json
• packages/aiox-pro-cli/bin/aiox-pro.js
• packages/installer/src/pro/pro-scaffolder.js
• packages/installer/src/wizard/i18n.js
• packages/installer/src/wizard/pro-setup.js
• pro
• tests/cli/validate-publish.test.js
• tests/installer/pro-setup-auth.test.js
• tests/license/license-api.test.js
• tests/pro-wizard.test.js

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Missing post-hardening QA evidence for @aiox-squads/pro private access.

This artifact shows @aiox-squads/pro as "public", which is the pre-hardening state. The PR's release order lists setting visibility to private as the final step (step 4), but no corresponding QA artifact confirming the private state was applied is included. Without that post-step evidence, the core hardening objective of this PR is unverified in the QA record.

Consider adding a 2026-05-pro-13-5-npm-access-pro-status-final.json (or equivalent) after executing step 4, confirming "private".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@outputs/qa/2026-05-pro-13-5-npm-access-pro-status.json` around lines 1 - 3,
The QA artifact currently shows "@aiox-squads/pro" as "public" (pre-hardening)
and lacks post-hardening evidence; run the final release step that sets the
package visibility to private for the package "@aiox-squads/pro", verify the npm
registry (or org) reports visibility "private", and add a new QA artifact file
(e.g., 2026-05-pro-13-5-npm-access-pro-status-final.json) containing
{"@aiox-squads/pro": "private"} to the PR to confirm the post-step state.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Pre-publish baseline snapshot — dist-tags.latest is 5.1.15, not 5.1.16.

This captures state before publishing the version introduced in this PR. A post-publish snapshot confirming 5.1.16 became latest (and that the packed tarball excludes pro/) would complete the evidence chain for the validate:publish hardening.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@outputs/qa/2026-05-pro-13-5-npm-view-core.json` around lines 1 - 7, The
pre-publish snapshot shows dist-tags.latest is 5.1.15 instead of the expected
5.1.16; update or add a post-publish snapshot that verifies dist-tags.latest
becomes "5.1.16" and also add a check that the packed tarball (the package
produced during validate:publish) does not contain the "pro/" directory; locate
the snapshot generation logic (the test or script that produces
qa/2026-05-pro-13-5-npm-view-core.json) and modify it to run after publish,
assert dist-tags.latest === "5.1.16", and assert the tarball contents exclude
"pro/" so the validate:publish hardening has complete evidence.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Pre-publish snapshot — dist-tags.latest is 0.4.0, not 0.4.1.

This was captured before publishing @aiox-squads/pro@0.4.1. Since @aiox-squads/pro will eventually be set to private (step 4), npm view won't be usable post-release to confirm. Consider capturing this snapshot post-publish (while still public) to close the audit loop.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@outputs/qa/2026-05-pro-13-5-npm-view-pro.json` around lines 1 - 6, The
snapshot shows "version": "0.4.0" and "dist-tags.latest": "0.4.0" for
`@aiox-squads/pro` but was taken before the 0.4.1 publish; update the snapshot
capture so it runs after the package is published (while still public) and
re-record the JSON to reflect "version": "0.4.1" and "dist-tags.latest": "0.4.1"
(i.e., re-run the npm view step and replace the current snapshot object
containing the "version" and "dist-tags.latest" keys).

[coderabbitai]

🧹 Nitpick comments (2)

tests/pro-recover.test.js (1)

224-230: ⚡ Quick win

Optional: deduplicate repeated readFileSync across all three tests in the describe block.

All three tests in the CLI alias reset-password describe block (lines 203–230) perform the same readFileSync + path.join call inline. Hoisting it to a beforeAll / shared let would reduce duplication and make the tests cheaper to maintain if the path ever changes.

♻️ Proposed refactor

 describe('CLI alias reset-password', () => {
+  let cliSource;
+
+  beforeAll(() => {
+    const fs = require('fs');
+    const path = require('path');
+    cliSource = fs.readFileSync(
+      path.join(__dirname, '../packages/aiox-pro-cli/bin/aiox-pro.js'),
+      'utf-8',
+    );
+  });
+
   test('aiox-pro.js switch handles reset-password same as recover', () => {
-    const cliSource = require('fs').readFileSync(
-      require('path').join(__dirname, '../packages/aiox-pro-cli/bin/aiox-pro.js'),
-      'utf-8',
-    );
     expect(cliSource).toContain("case 'recover':");
     expect(cliSource).toContain("case 'reset-password':");
     expect(cliSource).toContain('reset-password');
   });

   test('showHelp includes reset-password as alias for recover', () => {
-    const cliSource = require('fs').readFileSync(
-      require('path').join(__dirname, '../packages/aiox-pro-cli/bin/aiox-pro.js'),
-      'utf-8',
-    );
     expect(cliSource).toMatch(/reset-password\s+.*alias/i);
   });

   test('install and wizard accept short -k key flag', () => {
-    const cliSource = require('fs').readFileSync(
-      require('path').join(__dirname, '../packages/aiox-pro-cli/bin/aiox-pro.js'),
-      'utf-8',
-    );
     expect(cliSource).toContain("getArgValue('--key', '-k')");
   });
 });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/pro-recover.test.js` around lines 224 - 230, The three tests in the
"CLI alias reset-password" block repeat the same fs.readFileSync + path.join
call to load the CLI source; extract that into a shared variable (e.g., let
cliSource) and populate it in a beforeAll hook so each test (including the test
'install and wizard accept short -k key flag') reuses the loaded string; update
references in the tests to use cliSource and remove the duplicate readFileSync
calls (look for occurrences of readFileSync/path.join in the tests and the test
name 'install and wizard accept short -k key flag' to locate them).

tests/cli/validate-publish.test.js (1)

112-116: ⚡ Quick win

Refactor to avoid shell parsing, but handle stderr capture properly (Line 112).

Using execSync with shell string redirection (2>&1) introduces unnecessary shell parsing. However, the proposed change requires adjustment: execFileSync by default doesn't capture stderr. Since the script outputs to both console.log and console.error, preserve both streams using the stdio option.

Suggested fix:

-const { execSync } = require('child_process');
+const { execFileSync } = require('child_process');

@@
-      const result = execSync(`node "${SCRIPT_PATH}" 2>&1`, {
+      const result = execFileSync(process.execPath, [SCRIPT_PATH], {
         encoding: 'utf8',
         cwd: path.join(__dirname, '..', '..'),
         timeout: 330000,
+        stdio: ['pipe', 'pipe', 'pipe'],
       });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/cli/validate-publish.test.js` around lines 112 - 116, Replace the
shell-invoking execSync call with execFileSync to avoid shell parsing: call
execFileSync('node', [SCRIPT_PATH], ...) instead of execSync(`node
"${SCRIPT_PATH}" 2>&1`, ...), and ensure you capture both stdout and stderr by
setting stdio to pipe (e.g., stdio: ['pipe','pipe','pipe']) and keep
encoding:'utf8', cwd and timeout as before so console.log and console.error
output are both returned; update the test in tests/cli/validate-publish.test.js
to use execFileSync and those options.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@tests/cli/validate-publish.test.js`:
- Around line 112-116: Replace the shell-invoking execSync call with
execFileSync to avoid shell parsing: call execFileSync('node', [SCRIPT_PATH],
...) instead of execSync(`node "${SCRIPT_PATH}" 2>&1`, ...), and ensure you
capture both stdout and stderr by setting stdio to pipe (e.g., stdio:
['pipe','pipe','pipe']) and keep encoding:'utf8', cwd and timeout as before so
console.log and console.error output are both returned; update the test in
tests/cli/validate-publish.test.js to use execFileSync and those options.

In `@tests/pro-recover.test.js`:
- Around line 224-230: The three tests in the "CLI alias reset-password" block
repeat the same fs.readFileSync + path.join call to load the CLI source; extract
that into a shared variable (e.g., let cliSource) and populate it in a beforeAll
hook so each test (including the test 'install and wizard accept short -k key
flag') reuses the loaded string; update references in the tests to use cliSource
and remove the duplicate readFileSync calls (look for occurrences of
readFileSync/path.join in the tests and the test name 'install and wizard accept
short -k key flag' to locate them).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bbb0dd97-082f-4d3e-b2eb-7d6dff1ed773

📥 Commits

Reviewing files that changed from the base of the PR and between d9116b5 and d64bf1d.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (9)

• .aiox-core/install-manifest.yaml
• bin/utils/validate-publish.js
• docs/guides/workflows/pro-developer-workflow.md
• docs/stories/epic-pro-13/STORY-PRO-13.5-PRIVATE-PRO-DISTRIBUTION-HARDENING.md
• package.json
• packages/aiox-pro-cli/bin/aiox-pro.js
• packages/installer/src/wizard/pro-setup.js
• tests/cli/validate-publish.test.js
• tests/pro-recover.test.js

✅ Files skipped from review due to trivial changes (3)

• docs/guides/workflows/pro-developer-workflow.md
• .aiox-core/install-manifest.yaml
• docs/stories/epic-pro-13/STORY-PRO-13.5-PRIVATE-PRO-DISTRIBUTION-HARDENING.md

🚧 Files skipped from review as they are similar to previous changes (4)

• package.json
• packages/aiox-pro-cli/bin/aiox-pro.js
• bin/utils/validate-publish.js
• packages/installer/src/wizard/pro-setup.js

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.aiox-core/data/entity-registry.yaml (1)

8858-8869: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restore ai-providers and memory-query to dependencies array.

The subagent-dispatcher.js module imports both ai-providers (line 18) and memory-query (line 28) at runtime, but line 8858 declares dependencies: []. This metadata inconsistency will degrade dependency-aware tooling and impact analysis.

Proposed fix

-      dependencies: []
+      dependencies:
+        - ai-providers
+        - memory-query

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.aiox-core/data/entity-registry.yaml around lines 8858 - 8869, Update the
YAML entry so the declared runtime dependencies match the imports used by
subagent-dispatcher.js: add "ai-providers" and "memory-query" back into the
dependencies array (they already appear in plannedDeps) so dependency-aware
tooling sees them; reference the existing plannedDeps list and ensure
dependencies: includes ai-providers and memory-query and keep plannedDeps
unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.aiox-core/data/entity-registry.yaml:
- Around line 8858-8869: Update the YAML entry so the declared runtime
dependencies match the imports used by subagent-dispatcher.js: add
"ai-providers" and "memory-query" back into the dependencies array (they already
appear in plannedDeps) so dependency-aware tooling sees them; reference the
existing plannedDeps list and ensure dependencies: includes ai-providers and
memory-query and keep plannedDeps unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c72da2fe-ad8b-4ef2-b747-1091fa56cc38

📥 Commits

Reviewing files that changed from the base of the PR and between d64bf1d and e2c9f2c.

📒 Files selected for processing (2)

• .aiox-core/data/entity-registry.yaml
• .aiox-core/install-manifest.yaml

✅ Files skipped from review due to trivial changes (1)

• .aiox-core/install-manifest.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pro`:
- Line 1: The CI failure is caused by the pro submodule pointer change which
removed/relocated tests so `jest --roots pro/` finds “No tests found”; either
pin the submodule to the commit that contains the expected test layout (restore
the commit SHA that previously contained the test files) or update the
CI/workflow Jest roots to the new layout (adjust the jest roots in the workflow
step that runs `jest --roots pro/` or update pro/package.json/jest.config.js to
include the new test directories), and keep the submodule checkout recursive at
this pinned commit so CI checks out the correct tree.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1837e27b-cb7a-454b-84cb-f7e3440fd144

📥 Commits

Reviewing files that changed from the base of the PR and between e2c9f2c and 0d53fdf.

📒 Files selected for processing (3)

• .aiox-core/data/entity-registry.yaml
• .aiox-core/install-manifest.yaml
• pro

✅ Files skipped from review due to trivial changes (1)

• .aiox-core/install-manifest.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .aiox-core/data/entity-registry.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Submodule bump is breaking Pro integration test discovery in CI

This pointer update is associated with a blocking CI failure (jest --roots pro/ → “No tests found”). Please ensure the pinned commit includes the expected test layout or adjust the workflow/Jest roots to match the new Pro repo structure (and keep submodule checkout recursive at this commit).

🧰 Tools

🪛 GitHub Actions: Pro Integration / 0_Pro Integration Tests.txt

[error] 1-1: jest --roots pro/ --no-coverage --verbose failed: No tests found, exiting with code 1. Use --passWithNoTests to exit with code 0.

🪛 GitHub Actions: Pro Integration / Pro Integration Tests

[error] 1-1: Jest unit test step failed: No tests found. Command: npx jest --roots pro/ --no-coverage --verbose (exiting with code 1; Run with --passWithNoTests to exit with code 0).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pro` at line 1, The CI failure is caused by the pro submodule pointer change
which removed/relocated tests so `jest --roots pro/` finds “No tests found”;
either pin the submodule to the commit that contains the expected test layout
(restore the commit SHA that previously contained the test files) or update the
CI/workflow Jest roots to the new layout (adjust the jest roots in the workflow
step that runs `jest --roots pro/` or update pro/package.json/jest.config.js to
include the new test directories), and keep the submodule checkout recursive at
this pinned commit so CI checks out the correct tree.

Dismissed as stale: current head 0d53fdf has Pro Integration Tests passing, including the submodule checkout/test discovery path. No code change required.

[rafaelscosta]

Ready for CODEOWNER review. Current head 0d53fdf has all required checks green: Jest Node 18/20/22/24/25, Pro Integration, Pro Machine ID Stability on macOS/Ubuntu/Windows, Install Manifest Validation, Installer Smoke, Brownfield Install, ESLint, TypeScript, Security Audit, CodeRabbit. aiox-pro PR #13 was merged first and the submodule points to merged main commit 5d125ec. Earlier stale CodeRabbit changes-requested reviews were dismissed with evidence after current-head checks passed.

[rafaelscosta]

Update: @aiox-squads/pro@0.4.1 is now published on npm as the transitional public release. Verification: npm view reports version/latest 0.4.1; npm access status is still public; temp install smoke passed and loaded license/license-api.js. I am intentionally not switching @aiox-squads/pro to private yet because core 5.1.16 has not been merged/published; making the package private before the new signed-artifact-capable core release could break legacy/current install paths. Final step after core merge + publish + smoke: npm access set status=private @aiox-squads/pro and verify access status.