aiox-core 5.0.7 → 5.0.8

package/.aiox-core/development/agents/devops.md

@@ -120,7 +120,7 @@ persona:
 
     quality_gates:
       mandatory_checks:
-        - coderabbit --prompt-only --base main (must have 0 CRITICAL issues)
+        - coderabbit --prompt-only --base ${DEFAULT_BRANCH:-main} (must have 0 CRITICAL issues)
         - npm run lint (must PASS)
         - npm test (must PASS)
         - npm run typecheck (must PASS)
@@ -175,6 +175,38 @@ commands:
     visibility: [full, quick, key]
     args: '{issue_number}'
     description: 'Investigate and resolve a GitHub issue end-to-end'
+  - name: pro-access-grant
+    visibility: [full, quick, key]
+    args: '{email} {password} [--reset-password] [--skip-guided-validation]'
+    description: 'Grant or restore AIOX Pro access with API validation and optional guided installer validation'
+  - name: pro-check-access
+    visibility: [full, quick, key]
+    args: '{email}'
+    description: 'Check AIOX Pro buyer entitlement and account existence via check-email'
+  - name: pro-request-reset
+    visibility: [full, quick, key]
+    args: '{email}'
+    description: 'Trigger the password reset email flow for an AIOX Pro account'
+  - name: pro-resend-verification
+    visibility: [full, quick, key]
+    args: '{email}'
+    description: 'Resend the AIOX Pro email verification link'
+  - name: pro-reset-password
+    visibility: [full, quick, key]
+    args: '{email} {new_password}'
+    description: 'Reset an AIOX Pro password administratively and validate login'
+  - name: pro-validate-login
+    visibility: [full, quick, key]
+    args: '{email} {password}'
+    description: 'Validate AIOX Pro login and return auth health signals'
+  - name: pro-verify-status
+    visibility: [full, quick, key]
+    args: '{access_token}'
+    description: 'Check AIOX Pro email verification status for an access token'
+  - name: pro-activate
+    visibility: [full, quick, key]
+    args: '{access_token} [machine_id] [version]'
+    description: 'Call activate-pro directly to validate or restore AIOX Pro activation'
   - name: init-project-status
     visibility: [full]
     description: 'Initialize dynamic project status tracking (Story 6.1.2.4)'
@@ -272,6 +304,14 @@ dependencies:
     # GitHub Issues Management
     - triage-github-issues.md
     - resolve-github-issue.md
+    - devops-pro-access-grant.md
+    - devops-pro-check-access.md
+    - devops-pro-request-reset.md
+    - devops-pro-resend-verification.md
+    - devops-pro-reset-password.md
+    - devops-pro-validate-login.md
+    - devops-pro-verify-status.md
+    - devops-pro-activate.md
     # Worktree Management (Story 1.3-1.4)
     - create-worktree.md
     - list-worktrees.md
@@ -324,7 +364,7 @@ dependencies:
       LOW: Optional improvements, note in comments
     commands:
       pre_push_uncommitted: "wsl bash -c 'cd ${PROJECT_ROOT} && ~/.local/bin/coderabbit --prompt-only -t uncommitted'"
-      pre_pr_against_main: "wsl bash -c 'cd ${PROJECT_ROOT} && ~/.local/bin/coderabbit --prompt-only --base main'"
+      pre_pr_against_main: "wsl bash -c 'cd ${PROJECT_ROOT} && ~/.local/bin/coderabbit --prompt-only --base ${DEFAULT_BRANCH:-main}'"
       pre_commit_committed: "wsl bash -c 'cd ${PROJECT_ROOT} && ~/.local/bin/coderabbit --prompt-only -t committed'"
     execution_guidelines: |
       CRITICAL: CodeRabbit CLI is installed in WSL, not Windows.
@@ -461,6 +501,14 @@ autoClaude:
 
 - `*triage-issues` - Analyze and prioritize open issues
 - `*resolve-issue {number}` - Investigate and resolve an issue end-to-end
+- `*pro-access-grant {email} {password}` - Grant or restore AIOX Pro access
+- `*pro-check-access {email}` - Check buyer + account state
+- `*pro-request-reset {email}` - Send reset email
+- `*pro-resend-verification {email}` - Resend verification email
+- `*pro-reset-password {email} {new_password}` - Reset password administratively
+- `*pro-validate-login {email} {password}` - Validate login and token issue
+- `*pro-verify-status {access_token}` - Check verification status
+- `*pro-activate {access_token}` - Validate or restore activation
 
 **Quality & Push:**
 
@@ -506,6 +554,8 @@ Type `*help` to see all commands.
 - Release management and versioning
 - Repository cleanup
 - Environment health diagnostics (`*health-check`)
+- AIOX Pro access grant and recovery (`*pro-access-grant`)
+- AIOX Pro point actions (`*pro-check-access`, `*pro-request-reset`, `*pro-resend-verification`, `*pro-reset-password`, `*pro-validate-login`, `*pro-verify-status`, `*pro-activate`)
 
 ### Prerequisites
 

package/.aiox-core/development/agents/po.md

@@ -269,7 +269,7 @@ Type `*help` to see all commands.
 
 ## Handoff Protocol
 
-> Reference: [Command Authority Matrix](../../docs/architecture/command-authority-matrix.md)
+> Reference: [Command Authority Matrix](/docs/architecture/command-authority-matrix.md)
 
 **Commands I delegate:**
 

package/.aiox-core/development/agents/qa.md

@@ -259,12 +259,6 @@ dependencies:
       severity_filter:
         - CRITICAL
         - HIGH
-      behavior:
-        CRITICAL: auto_fix # Auto-fix (3 attempts max)
-        HIGH: auto_fix # Auto-fix (3 attempts max)
-        MEDIUM: document_as_debt # Create tech debt issue
-        LOW: ignore # Note in review, no action
-
     severity_handling:
       CRITICAL: Block story completion, must fix immediately
       HIGH: Report in QA gate, recommend fix before merge
@@ -278,7 +272,7 @@ dependencies:
       max_iterations = 3
 
       WHILE iteration < max_iterations:
-        1. Run: wsl bash -c 'cd /mnt/c/.../aiox-core && ~/.local/bin/coderabbit --prompt-only -t committed --base main'
+        1. Run: wsl bash -c 'cd ${PROJECT_ROOT} && ~/.local/bin/coderabbit --prompt-only -t committed --base ${DEFAULT_BRANCH:-main}'
         2. Parse output for all severity levels
 
         critical_issues = filter(output, severity == "CRITICAL")
@@ -292,8 +286,8 @@ dependencies:
           - BREAK (ready to approve)
 
         IF CRITICAL or HIGH issues found:
-          - Attempt auto-fix for each CRITICAL issue
-          - Attempt auto-fix for each HIGH issue
+          - Request a fix for each CRITICAL issue
+          - Request a fix for each HIGH issue
           - iteration++
           - CONTINUE loop
 
@@ -305,7 +299,7 @@ dependencies:
 
     commands:
       qa_pre_review_uncommitted: "wsl bash -c 'cd ${PROJECT_ROOT} && ~/.local/bin/coderabbit --prompt-only -t uncommitted'"
-      qa_story_review_committed: "wsl bash -c 'cd ${PROJECT_ROOT} && ~/.local/bin/coderabbit --prompt-only -t committed --base main'"
+      qa_story_review_committed: "wsl bash -c 'cd ${PROJECT_ROOT} && ~/.local/bin/coderabbit --prompt-only -t committed --base ${DEFAULT_BRANCH:-main}'"
     execution_guidelines: |
       CRITICAL: CodeRabbit CLI is installed in WSL, not Windows.
 
@@ -316,7 +310,7 @@ dependencies:
 
       **Timeout:** 30 minutes (1800000ms) - Full review may take longer
 
-      **Self-Healing:** Max 3 iterations for CRITICAL and HIGH issues
+      **Self-Healing:** Max 3 advisory request iterations for CRITICAL and HIGH issues
 
       **Error Handling:**
       - If "coderabbit: command not found" → verify wsl_config.installation_path

package/.aiox-core/development/agents/sm.md

@@ -224,14 +224,14 @@ Type `*help` to see all commands.
 
 ## Handoff Protocol
 
-> Reference: [Command Authority Matrix](../../docs/architecture/command-authority-matrix.md)
+> Reference: [Command Authority Matrix](/docs/architecture/command-authority-matrix.md)
 
 **Commands I delegate:**
 
 | Request | Delegate To | Command |
 |---------|-------------|---------|
-| Push to remote | @devops | `*push` |
-| Create PR | @devops | `*create-pr` |
+| Push to remote | @github-devops | `*push` |
+| Create PR | @github-devops | `*create-pr` |
 | Course correction | @aiox-master | `*correct-course` |
 
 **Commands I receive from:**

package/.aiox-core/development/agents/ux-design-expert.md

@@ -294,7 +294,7 @@ workflow:
         output: 'tokens.yaml, design system structure, migration plan'
 
       phase_4_build:
-        commands: ['*build {atom}', '*compose {molecule}', '*extend {variant}']
+        commands: ['*build {component}', '*compose {molecule}', '*extend {component}']
         output: 'Production-ready components (TypeScript, tests, docs)'
 
       phase_5_quality:

package/.aiox-core/development/scripts/unified-activation-pipeline.js

@@ -209,7 +209,7 @@ class UnifiedActivationPipeline {
     const metrics = { loaders: {} };
 
     // --- Tier 1: Critical (AgentConfig) ---
-    const tier1Budget = LOADER_TIERS.critical.timeout;
+    const tier1Budget = this._resolveLoaderTimeout('critical', LOADER_TIERS.critical.timeout);
     const agentComplete = await this._profileLoader('agentConfig', metrics, tier1Budget, () => {
       const loader = new AgentConfigLoader(agentId);
       return loader.loadComplete(coreConfig);
@@ -231,7 +231,7 @@ class UnifiedActivationPipeline {
     }
 
     // --- Tier 2: High (PermissionMode + GitConfig) — parallel ---
-    const tier2Budget = LOADER_TIERS.high.timeout;
+    const tier2Budget = this._resolveLoaderTimeout('high', LOADER_TIERS.high.timeout);
     const elapsedAfterT1 = Date.now() - pipelineStart;
     const tier2Remaining = Math.max(tier2Budget - elapsedAfterT1, 20);
 
@@ -277,7 +277,7 @@ class UnifiedActivationPipeline {
     }
 
     // --- Tier 3: Best-effort (SessionContext + ProjectStatus) — parallel ---
-    const tier3Budget = LOADER_TIERS.bestEffort.timeout;
+    const tier3Budget = this._resolveLoaderTimeout('bestEffort', LOADER_TIERS.bestEffort.timeout);
     const elapsedAfterT2 = Date.now() - pipelineStart;
     const tier3Remaining = Math.max(tier3Budget - elapsedAfterT2, 20);
 
@@ -467,6 +467,32 @@ class UnifiedActivationPipeline {
     return DEFAULT_PIPELINE_TIMEOUT_MS;
   }
 
+  /**
+   * Resolve per-tier loader timeout.
+   *
+   * Intended mainly for constrained CI/test environments where cold filesystem
+   * reads can exceed the production performance budget without indicating a
+   * functional activation failure.
+   *
+   * @private
+   * @param {'critical'|'high'|'bestEffort'} tierName
+   * @param {number} defaultTimeout
+   * @returns {number}
+   */
+  _resolveLoaderTimeout(tierName, defaultTimeout) {
+    const envKey = `AIOX_LOADER_TIMEOUT_${tierName.replace(/([A-Z])/g, '_$1').toUpperCase()}`;
+    const envTimeout = process.env[envKey];
+
+    if (envTimeout) {
+      const parsed = parseInt(envTimeout, 10);
+      if (!isNaN(parsed) && parsed > 0) {
+        return parsed;
+      }
+    }
+
+    return defaultTimeout;
+  }
+
   /**
    * Build agent definition from loaded config data.
    * @private

package/.aiox-core/development/tasks/dev-develop-story.md

@@ -370,7 +370,7 @@ const {
    - All tasks complete
    - All tests pass
    - Execute story-dod-checklist
-   - Set status: "Ready for Review"
+   - Set status: "InReview" (see Status Transitions section)
    - **Generate decision log**:
      ```javascript
      const logPath = await completeDecisionLogging(storyId, 'completed');
@@ -416,7 +416,7 @@ const {
    - All tests pass
    - Execute story-dod-checklist
    - Present completion summary to user
-   - Set status: "Ready for Review"
+   - Set status: "InReview" (see Status Transitions section)
 
 **User Prompts**: 5-10 (balanced for control and speed)
 
@@ -467,7 +467,7 @@ const {
    - All tests pass
    - Execute story-dod-checklist
    - Present execution summary vs. plan
-   - Set status: "Ready for Review"
+   - Set status: "InReview" (see Status Transitions section)
 
 **User Prompts**: All upfront (questionnaire phase), then 0 during execution
 
@@ -501,7 +501,7 @@ const {
 - Completion Notes List
 - File List
 - Change Log (add entry on completion)
-- Status (set to "Ready for Review" when complete)
+- Status (set to "InReview" when complete — see Status Transitions section)
 
 **DO NOT modify**: Story, Acceptance Criteria, Dev Notes, Testing sections
 
@@ -514,7 +514,7 @@ const {
 - Missing configuration
 - Failing regression tests
 
-### Ready for Review Criteria (All Modes)
+### InReview Criteria (All Modes)
 
 - Code matches all requirements
 - All validations pass
@@ -530,7 +530,7 @@ const {
 5. File List is complete
 6. **Execute CodeRabbit Self-Healing Loop** (see below)
 7. Execute `.aiox-core/product/checklists/story-dod-checklist.md`
-8. Set story status: "Ready for Review"
+8. Set story status: "InReview" (see Status Transitions section)
 9. HALT (do not proceed further)
 
 ---
@@ -915,10 +915,49 @@ Found 5 technical decisions needed.
 - **Educational Value**: Interactive mode explanations help developers learn framework patterns
 - **Scope Drift Prevention**: Pre-flight mode eliminates mid-development ambiguity
 
+## Status Transitions (MANDATORY — All Modes)
+
+**Reference:** `.claude/rules/story-lifecycle.md` — @dev owns Ready → InProgress and InProgress → InReview transitions.
+
+**These steps MUST be executed at the specified points, regardless of execution mode.**
+
+**Change Log format:** Use `{date: YYYY-MM-DD}` and `{version: MAJOR.MINOR.PATCH}`. Version MUST follow semantic bump rules: major for breaking changes, minor for features, patch for fixes/process updates. HALT if either value cannot be resolved deterministically.
+
+### On Development Start (before first task):
+
+0. **Pre-check (blocking):**
+   - If current Status is `**InProgress**`, skip to first uncompleted task (resume scenario — no status change needed).
+   - If current Status is not `**Ready**` and not `**InProgress**`, HALT and log: "Cannot start development: expected Ready or InProgress, found {current status}."
+   - If Change Log section is missing, HALT and request user to restore template structure.
+1. **Update story Status field:** change `**Ready**` to `**InProgress**` (skip if already InProgress)
+2. **Add Change Log entry:**
+   ```text
+   | {date: YYYY-MM-DD} | {version: MAJOR.MINOR.PATCH} | Development started ({mode} mode) — Status: Ready → InProgress | @dev |
+   ```
+3. **Log:** "🚀 Story status updated: Ready → InProgress"
+
+### On Development Complete (after DOD checklist, before HALT):
+
+0. **Pre-check (blocking):**
+   - If current Status is not `**InProgress**`, HALT and log: "Cannot mark for review: expected InProgress, found {current status}."
+   - If Change Log section is missing, HALT and request user to restore template structure.
+1. **Update story Status field:** change `**InProgress**` to `**InReview**`
+2. **Add Change Log entry:**
+   ```text
+   | {date: YYYY-MM-DD} | {version: MAJOR.MINOR.PATCH} | Development complete — Status: InProgress → InReview | @dev |
+   ```
+3. **Log:** "✅ Story status updated: InProgress → InReview"
+
+### Rationale
+
+Status transitions defined in `story-lifecycle.md` are advisory (contextual rules). These steps make them imperative (procedural), ensuring agents always execute the transitions as part of the workflow rather than relying on contextual rule awareness.
+
+---
+
 ## Handoff
 next_agent: @qa
 next_command: *review {story-id}
-condition: Story status is Ready for Review
+condition: Story status is InReview (updated in Status Transitions above)
 alternatives:
   - agent: @qa, command: *gate {story-id}, condition: Quick gate decision needed
   - agent: @dev, command: *apply-qa-fixes, condition: Self-identified issues during dev

package/.aiox-core/development/tasks/devops-pro-access-grant.md

@@ -0,0 +1,93 @@
+# Task: DevOps Pro Access Grant
+
+> **Version:** 1.0.0
+> **Created:** 2026-04-20
+> **Type:** SUPPORT-OPS
+> **Agent:** `@devops`
+
+## Purpose
+
+Grant, restore, or validate AIOX Pro access for a customer using the live license server, Supabase Auth, and guided installer validation.
+
+## Inputs
+
+Required:
+
+- `target_email`
+- `target_password`
+
+Optional:
+
+- `reset_password` (`true|false`, default: `false`)
+- `run_guided_validation` (`true|false`, default: `true` after code changes, `false` for pure entitlement-only support)
+- `source` (default: `manual_support`)
+
+## Source Of Truth
+
+- `docs/guides/pro/access-grant-ops-playbook.md`
+- `docs/aiox-workflows/pro-access-grant-workflow.md`
+
+## Execution Order
+
+1. Run `POST /api/v1/auth/check-email` for `target_email`.
+2. If buyer is missing, upsert `public.buyers` with `source=manual_support` and `is_active=true`.
+3. If account is missing, create or update the Supabase Auth user with `target_password` and confirmed email.
+4. If buyer validation is unstable or stale, upsert `public.buyer_validations` with `is_valid=true` for the target `user_id`.
+5. Validate `login`.
+6. Validate `verify-status`.
+7. Validate `activate-pro`.
+8. If `run_guided_validation=true`, validate:
+   - source checkout installer path
+   - packaged tarball installer path
+9. Attach evidence and close the support request.
+
+## Mandatory Checks
+
+- `check-email` must end with `isBuyer=true` and `hasAccount=true`
+- `login` must return `accessToken`
+- `verify-status` must return `emailVerified=true`
+- `activate-pro` must return success
+
+## Guided Validation Checklist
+
+- installer path from source checkout passes
+- installer path from packed `.tgz` passes
+- final report says all checks passed
+- generated project contains `.claude/skills`
+- generated project contains `.claude/commands`
+- generated project contains `.codex/skills`
+
+## Failure Branches
+
+### Buyer missing after grant
+
+- confirm lowercase email in `public.buyers`
+- confirm `is_active=true`
+- seed `public.buyer_validations`
+
+### `activate-pro` returns invalid input for token
+
+- caller is outdated
+- resend using `{ accessToken }` in JSON body
+
+### Email not verified
+
+- confirm the Auth user email manually
+- rerun `verify-status`
+
+### Installer validation misses Claude or Codex assets
+
+- rebuild using the updated package
+- rerun source and tarball validation
+
+## Evidence Pack
+
+Capture:
+
+- `check-email` response
+- `login` status
+- `verify-status` response
+- `activate-pro` status
+- guided install result
+
+Do not store full `accessToken` or full `licenseKey` in tickets, handoffs, or chat.

package/.aiox-core/development/tasks/devops-pro-activate.md

@@ -0,0 +1,42 @@
+# Task: DevOps Pro Activate
+
+> **Version:** 1.0.0
+> **Created:** 2026-04-20
+> **Type:** SUPPORT-OPS
+> **Agent:** `@devops`
+
+## Purpose
+
+Call the live `activate-pro` endpoint directly to validate or restore AIOX Pro activation for a session.
+
+## Inputs
+
+- `access_token`
+- `machine_id` (optional, default: `ops-validation-machine`)
+- `version` (optional, default: current installer version)
+
+## Endpoint
+
+- `POST https://aiox-license-server.vercel.app/api/v1/auth/activate-pro`
+
+## Execution
+
+1. Build the request body with:
+   - `accessToken`
+   - `machineId`
+   - `version`
+   - `aioxCoreVersion`
+2. Call `activate-pro`.
+3. Report:
+   - HTTP status
+   - `activated`
+   - whether activation was new or restored
+4. Never paste the full `licenseKey` into logs or tickets.
+
+## Pass Criteria
+
+- `201` on first activation or `200` on idempotent restore
+
+## Source Of Truth
+
+- `docs/guides/pro/access-grant-ops-playbook.md`

package/.aiox-core/development/tasks/devops-pro-check-access.md

@@ -0,0 +1,34 @@
+# Task: DevOps Pro Check Access
+
+> **Version:** 1.0.0
+> **Created:** 2026-04-20
+> **Type:** SUPPORT-OPS
+> **Agent:** `@devops`
+
+## Purpose
+
+Check whether an email already has AIOX Pro buyer entitlement and whether an auth account exists.
+
+## Input
+
+- `target_email`
+
+## Endpoint
+
+- `POST https://aiox-license-server.vercel.app/api/v1/auth/check-email`
+
+## Execution
+
+1. Call `check-email` with the target email.
+2. Report `isBuyer`, `hasAccount`, and normalized `email`.
+3. If `isBuyer=false`, recommend `*pro-access-grant`.
+4. If `isBuyer=true` and `hasAccount=false`, recommend account creation or `*pro-access-grant`.
+
+## Pass Criteria
+
+- request returns `200`
+- response clearly identifies buyer/account state
+
+## Source Of Truth
+
+- `docs/guides/pro/access-grant-ops-playbook.md`

package/.aiox-core/development/tasks/devops-pro-request-reset.md

@@ -0,0 +1,34 @@
+# Task: DevOps Pro Request Reset
+
+> **Version:** 1.0.0
+> **Created:** 2026-04-20
+> **Type:** SUPPORT-OPS
+> **Agent:** `@devops`
+
+## Purpose
+
+Trigger the user-facing password reset email flow for an AIOX Pro account.
+
+## Input
+
+- `target_email`
+
+## Endpoint
+
+- `POST https://aiox-license-server.vercel.app/api/v1/auth/request-reset`
+
+## Execution
+
+1. Call `request-reset` with the target email.
+2. Report the HTTP status.
+3. Treat the generic success message as expected anti-enumeration behavior.
+4. If the endpoint returns `429`, report the rate limit window.
+
+## Pass Criteria
+
+- request returns `200` with the generic message
+- or a clear `429` with retry guidance
+
+## Source Of Truth
+
+- `docs/guides/pro/access-grant-ops-playbook.md`

package/.aiox-core/development/tasks/devops-pro-resend-verification.md

@@ -0,0 +1,32 @@
+# Task: DevOps Pro Resend Verification
+
+> **Version:** 1.0.0
+> **Created:** 2026-04-20
+> **Type:** SUPPORT-OPS
+> **Agent:** `@devops`
+
+## Purpose
+
+Resend the email verification link for an AIOX Pro user account.
+
+## Input
+
+- `target_email`
+
+## Endpoint
+
+- `POST https://aiox-license-server.vercel.app/api/v1/auth/resend-verification`
+
+## Execution
+
+1. Call `resend-verification` with the target email.
+2. Report status and generic delivery message.
+3. If `429`, report resend rate limit and retry guidance.
+
+## Pass Criteria
+
+- endpoint returns success-style response without leaking account existence
+
+## Source Of Truth
+
+- `docs/guides/pro/access-grant-ops-playbook.md`

package/.aiox-core/development/tasks/devops-pro-reset-password.md

@@ -0,0 +1,36 @@
+# Task: DevOps Pro Reset Password
+
+> **Version:** 1.0.0
+> **Created:** 2026-04-20
+> **Type:** SUPPORT-OPS
+> **Agent:** `@devops`
+
+## Purpose
+
+Reset an AIOX Pro password administratively, then validate login with the new password.
+
+## Inputs
+
+- `target_email`
+- `new_password`
+
+## Execution
+
+1. Ensure the auth user exists for the target email.
+2. Update the password in Supabase Auth.
+3. Ensure the email remains confirmed.
+4. Validate the new password with `login`.
+
+## Pass Criteria
+
+- auth user password updated successfully
+- `POST /api/v1/auth/login` returns `200` and `accessToken`
+
+## Recommended Follow-Up
+
+- if the request was really a recovery flow for the user, also offer `*pro-request-reset {email}`
+
+## Source Of Truth
+
+- `docs/guides/pro/access-grant-ops-playbook.md`
+- `.aiox-core/development/tasks/devops-pro-access-grant.md`

package/.aiox-core/development/tasks/devops-pro-validate-login.md

@@ -0,0 +1,36 @@
+# Task: DevOps Pro Validate Login
+
+> **Version:** 1.0.0
+> **Created:** 2026-04-20
+> **Type:** SUPPORT-OPS
+> **Agent:** `@devops`
+
+## Purpose
+
+Validate whether AIOX Pro login works for a given email and password pair.
+
+## Inputs
+
+- `target_email`
+- `target_password`
+
+## Endpoint
+
+- `POST https://aiox-license-server.vercel.app/api/v1/auth/login`
+
+## Execution
+
+1. Call `login` with the provided credentials.
+2. Report:
+   - HTTP status
+   - whether `accessToken` was issued
+   - whether `emailVerified=true`
+3. Do not expose the raw access token in logs or handoffs.
+
+## Pass Criteria
+
+- `200` response with `accessToken`
+
+## Source Of Truth
+
+- `docs/guides/pro/access-grant-ops-playbook.md`