aiox-core 5.0.7 → 5.0.8

package/pro/license/license-cache.js

@@ -21,6 +21,7 @@ const fs = require('fs');
 const path = require('path');
 const {
   generateMachineId,
+  generateMachineIdLegacy,
   generateSalt,
   deriveCacheKey,
   encrypt,
@@ -44,6 +45,9 @@ const CONFIG = {
 
   // Cache version for migration support
   CACHE_VERSION: 1,
+
+  // Legacy cache fallback window for hostname/CPU/MAC machine IDs.
+  LEGACY_MACHINE_ID_FALLBACK_DAYS: 90,
 };
 
 /**
@@ -168,6 +172,112 @@ function writeLicenseCache(data, baseDir) {
   }
 }
 
+/**
+ * Build the canonical HMAC payload for encrypted cache content.
+ *
+ * @param {object} cacheFile - Parsed encrypted cache file
+ * @returns {string} JSON payload used for HMAC verification
+ */
+function buildHmacData(cacheFile) {
+  return JSON.stringify({
+    ciphertext: cacheFile.encrypted,
+    iv: cacheFile.iv,
+    tag: cacheFile.tag,
+  });
+}
+
+/**
+ * Validate encrypted cache file structure.
+ *
+ * @param {object} cacheFile - Parsed encrypted cache file
+ * @returns {boolean} true when required fields exist
+ */
+function hasValidCacheStructure(cacheFile) {
+  return Boolean(
+    cacheFile
+      && cacheFile.encrypted
+      && cacheFile.iv
+      && cacheFile.tag
+      && cacheFile.hmac
+      && cacheFile.salt,
+  );
+}
+
+/**
+ * Try to decrypt a cache file with a specific machine ID.
+ *
+ * @param {object} cacheFile - Parsed encrypted cache file
+ * @param {string} machineId - Machine ID candidate for key derivation
+ * @returns {object|null} Decrypted cache data or null
+ */
+function decryptCacheWithMachineId(cacheFile, machineId) {
+  try {
+    const salt = Buffer.from(cacheFile.salt, 'hex');
+    const key = deriveCacheKey(machineId, salt);
+    const hmacData = buildHmacData(cacheFile);
+
+    if (!verifyHMAC(hmacData, key, cacheFile.hmac)) {
+      return null;
+    }
+
+    const decrypted = decrypt(
+      {
+        ciphertext: cacheFile.encrypted,
+        iv: cacheFile.iv,
+        tag: cacheFile.tag,
+      },
+      key,
+    );
+
+    if (decrypted.machineId !== machineId) {
+      return null;
+    }
+
+    return decrypted;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check whether a legacy machine-ID cache is still inside its migration window.
+ *
+ * @param {object} cache - Decrypted legacy cache data
+ * @returns {boolean} true if fallback may still be used
+ */
+function isLegacyFallbackAllowed(cache) {
+  if (!cache || !cache.activatedAt) {
+    return false;
+  }
+
+  const activatedAt = new Date(cache.activatedAt);
+  const activatedAtMs = activatedAt.getTime();
+
+  if (!Number.isFinite(activatedAtMs)) {
+    return false;
+  }
+
+  const fallbackMs = CONFIG.LEGACY_MACHINE_ID_FALLBACK_DAYS * 24 * 60 * 60 * 1000;
+  return Date.now() - activatedAtMs <= fallbackMs;
+}
+
+/**
+ * Re-encrypt a legacy cache with the new native machine-ID key.
+ *
+ * @param {object} cache - Decrypted legacy cache data
+ * @param {string} [baseDir] - Optional base directory override
+ * @returns {{ success: boolean, error?: string }} Migration result
+ */
+function migrateCacheKey(cache, baseDir) {
+  const result = writeLicenseCache(cache, baseDir);
+
+  if (result.success) {
+    console.info('[aiox-pro] Cache migrated to new machine_id format');
+  }
+
+  return result;
+}
+
 /**
  * Read and verify license cache from disk.
  *
@@ -195,42 +305,34 @@ function readLicenseCache(baseDir) {
     const cacheFile = JSON.parse(fileContent);
 
     // Validate structure
-    if (!cacheFile.encrypted || !cacheFile.iv || !cacheFile.tag || !cacheFile.hmac || !cacheFile.salt) {
+    if (!hasValidCacheStructure(cacheFile)) {
       return null;
     }
 
-    // Derive key from current machine
-    const machineId = generateMachineId();
-    const salt = Buffer.from(cacheFile.salt, 'hex');
-    const key = deriveCacheKey(machineId, salt);
-
-    // Verify HMAC integrity
-    const hmacData = JSON.stringify({
-      ciphertext: cacheFile.encrypted,
-      iv: cacheFile.iv,
-      tag: cacheFile.tag,
-    });
-
-    if (!verifyHMAC(hmacData, key, cacheFile.hmac)) {
-      // HMAC mismatch: cache is tampered or from different machine
-      return null;
+    // First try the legacy key so existing caches can migrate in place.
+    const legacyMachineId = generateMachineIdLegacy();
+    const legacyCache = decryptCacheWithMachineId(cacheFile, legacyMachineId);
+
+    if (legacyCache) {
+      if (!isLegacyFallbackAllowed(legacyCache)) {
+        return null;
+      }
+
+      const migrationResult = migrateCacheKey(legacyCache, baseDir);
+      if (migrationResult.success) {
+        return {
+          ...legacyCache,
+          machineId: generateMachineId(),
+          version: CONFIG.CACHE_VERSION,
+        };
+      }
+
+      return legacyCache;
     }
 
-    // Decrypt
-    const encryptedData = {
-      ciphertext: cacheFile.encrypted,
-      iv: cacheFile.iv,
-      tag: cacheFile.tag,
-    };
-
-    const decrypted = decrypt(encryptedData, key);
-
-    // Verify machine ID matches (defense in depth)
-    if (decrypted.machineId !== machineId) {
-      return null;
-    }
-
-    return decrypted;
+    // Then try the new native machine-ID key for migrated and fresh caches.
+    const machineId = generateMachineId();
+    return decryptCacheWithMachineId(cacheFile, machineId);
   } catch {
     // Any error (parse, decrypt, etc.) means cache is invalid
     return null;
@@ -519,5 +621,7 @@ module.exports = {
   getAioxDir,
 
   // Exported for testing
+  migrateCacheKey,
+  isLegacyFallbackAllowed,
   _CONFIG: CONFIG,
 };

package/pro/license/license-crypto.js

@@ -16,6 +16,7 @@
 
 const crypto = require('crypto');
 const os = require('os');
+const { machineIdSync } = require('node-machine-id');
 
 /**
  * Configuration constants for cryptographic operations.
@@ -40,14 +41,32 @@ const CONFIG = {
 };
 
 /**
- * Generate a deterministic machine identifier.
+ * Namespace the raw OS UUID before hashing so this format cannot collide with
+ * legacy hostname/CPU/MAC fingerprints that happen to produce the same text.
+ */
+const MACHINE_ID_HASH_PREFIX = 'aiox-pro-native-machine-id:v1:';
+
+let cachedMachineId = null;
+
+/**
+ * Hash machine identity material without exposing the raw OS UUID.
+ *
+ * @param {string} value - Raw machine identity material
+ * @returns {string} SHA-256 hex digest
+ */
+function hashMachineId(value) {
+  return crypto.createHash('sha256').update(value).digest('hex');
+}
+
+/**
+ * Generate the legacy deterministic machine identifier.
  *
  * Combines hostname + CPU model + first MAC address to create
  * a unique but reproducible identifier for this machine.
  *
  * @returns {string} SHA-256 hash of machine fingerprint components
  */
-function generateMachineId() {
+function generateMachineIdLegacy() {
   const components = [];
 
   // Hostname
@@ -77,7 +96,42 @@ function generateMachineId() {
 
   // Create deterministic hash
   const fingerprint = components.join('|');
-  return crypto.createHash('sha256').update(fingerprint).digest('hex');
+  return hashMachineId(fingerprint);
+}
+
+/**
+ * Generate a stable deterministic machine identifier.
+ *
+ * Uses the OS native machine UUID instead of network-interface metadata so the
+ * result survives Wi-Fi MAC rotation, VPN changes, and interface ordering.
+ *
+ * @returns {string} SHA-256 hash of native machine UUID
+ */
+function generateMachineId() {
+  if (cachedMachineId) {
+    return cachedMachineId;
+  }
+
+  try {
+    const nativeMachineId = machineIdSync(true);
+
+    if (!nativeMachineId || typeof nativeMachineId !== 'string') {
+      throw new Error('Native machine id unavailable');
+    }
+
+    cachedMachineId = hashMachineId(`${MACHINE_ID_HASH_PREFIX}${nativeMachineId}`);
+    return cachedMachineId;
+  } catch {
+    cachedMachineId = generateMachineIdLegacy();
+    return cachedMachineId;
+  }
+}
+
+/**
+ * Reset cached machine ID. Intended for tests that mock the machine-id provider.
+ */
+function _resetMachineIdCacheForTests() {
+  cachedMachineId = null;
 }
 
 /**
@@ -299,5 +353,7 @@ module.exports = {
   validateKeyFormat,
 
   // Exported for testing
+  generateMachineIdLegacy,
+  _resetMachineIdCacheForTests,
   _CONFIG: CONFIG,
 };

package/pro/package.json

@@ -1,16 +1,17 @@
 {
-  "name": "@aiox-fullstack/pro",
-  "version": "0.3.0",
+  "name": "@aiox-squads/pro",
+  "version": "0.4.0",
   "description": "AIOX Pro: Premium features for AIOX Framework",
   "private": false,
   "dependencies": {
-    "yaml": "^2.8.2"
+    "node-machine-id": "^1.1.12",
+    "yaml": "^2.8.4"
   },
   "scripts": {
     "validate:publish-surface": "node scripts/validate-publish-surface.js"
   },
   "peerDependencies": {
-    "aiox-core": ">=5.0.0"
+    "aiox-core": ">=5.0.8"
   },
   "engines": {
     "node": ">=18"

package/pro/squads/README.md

@@ -4,25 +4,25 @@ Pre-built agent squads installed during `npx aiox-core install` after Pro licens
 
 ## Available Squads
 
-| Squad | Agents | Description |
-|-------|--------|-------------|
-| **aiox-sop** | 6 | SOP factory, audit, extraction, and machine-readable operational playbooks |
-| **brand** | 16 | Naming, identity, positioning, narrative, and brand activation systems |
-| **claude-code-mastery** | 8 | Claude Code setup, hooks, MCP, swarm orchestration, and integration guardrails |
-| **data** | 7 | Data intelligence, analytics, segmentation, and measurement workflows |
-| **db-sage** | 1 | PostgreSQL and Supabase architecture, migrations, RLS, and query optimization |
-| **squad-creator-pro** | 6 | Meta-squad for creating AI agent squads based on real elite minds |
-| **design** | 8 | Design System squad — tokens, components, accessibility, DesignOps |
-| **etl-ops** | 3 | Extraction and transformation pipelines for local and remote content sources |
-| **hormozi** | 16 | Offers, leads, ads, pricing, retention, and growth systems inspired by Hormozi |
-| **spy** | 3 | Competitive intelligence, viral content analysis, and benchmark workflows |
-| **squad-creator** | 1 | Core squad creation, evolution, validation, and ecosystem orchestration |
-| **storytelling** | 13 | Narrative systems, pitches, storytelling frameworks, and brand communication |
+| Squad                   | Agents | Description                                                                    |
+| ----------------------- | ------ | ------------------------------------------------------------------------------ |
+| **aiox-sop**            | 6      | SOP factory, audit, extraction, and machine-readable operational playbooks     |
+| **brand**               | 16     | Naming, identity, positioning, narrative, and brand activation systems         |
+| **claude-code-mastery** | 8      | Claude Code setup, hooks, MCP, swarm orchestration, and integration guardrails |
+| **data**                | 7      | Data intelligence, analytics, segmentation, and measurement workflows          |
+| **db-sage**             | 1      | PostgreSQL and Supabase architecture, migrations, RLS, and query optimization  |
+| **squad-creator-pro**   | 6      | Meta-squad for creating AI agent squads based on real elite minds              |
+| **design**              | 8      | Design System squad — tokens, components, accessibility, DesignOps             |
+| **etl-ops**             | 3      | Extraction and transformation pipelines for local and remote content sources   |
+| **hormozi**             | 16     | Offers, leads, ads, pricing, retention, and growth systems inspired by Hormozi |
+| **spy**                 | 3      | Competitive intelligence, viral content analysis, and benchmark workflows      |
+| **squad-creator**       | 1      | Core squad creation, evolution, validation, and ecosystem orchestration        |
+| **storytelling**        | 13     | Narrative systems, pitches, storytelling frameworks, and brand communication   |
 
 ## How It Works
 
 1. User runs `npx aiox-core install` and activates Pro license
-2. `@aiox-fullstack/pro` npm package is installed
+2. `@aiox-squads/pro` npm package is installed
 3. Scaffolder copies all squads from this directory into the user's project `squads/`
 4. Agent commands are auto-installed into active IDEs (Claude Code, Codex, Gemini, Cursor)
 5. CI validates package and README coverage before the sync PR to `aiox-core`
@@ -39,4 +39,4 @@ Pre-built agent squads installed during `npx aiox-core install` after Pro licens
 
 - `npm run validate:publish-surface` fails if a top-level squad is missing from `package.json` or this README
 - `.github/workflows/sync-aiox-core.yml` opens or updates the `aiox-core` PR that advances the `pro` submodule
-- Durante a transição do npm, o `aiox-core` ainda aceita o fallback legado `@aios-fullstack/pro` em ambientes já instalados
+- Durante a transição do npm, o `aiox-core` permanece como pacote core canônico; novos fluxos Pro devem usar `aiox-core` + `@aiox-squads/pro`

package/pro/squads/index.js

@@ -5,7 +5,7 @@
  * This pattern should be followed by all pro modules.
  *
  * Usage:
- *   const { PremiumSquads } = require('@aiox-fullstack/pro/squads');
+ *   const { PremiumSquads } = require('@aiox-squads/pro/squads');
  *
  *   // The module will throw ProFeatureError if not licensed
  *   const squads = new PremiumSquads();

package/scripts/e2e/installed-skills-smoke.js

@@ -0,0 +1,264 @@
+#!/usr/bin/env node
+
+'use strict';
+
+/**
+ * Installed Project Skills E2E Smoke
+ *
+ * Packs the local aiox-core package, installs it into a temporary brownfield
+ * project, runs the installed CLI, and validates that skills are materialized
+ * and activatable from the installed project rather than from the source repo.
+ */
+
+const { spawnSync } = require('child_process');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const repoRoot = path.resolve(__dirname, '..', '..');
+const { getSkillId } = require(path.join(
+  repoRoot,
+  '.aiox-core',
+  'infrastructure',
+  'scripts',
+  'codex-skills-sync',
+  'index',
+));
+const verbose = process.env.AIOX_E2E_VERBOSE === '1';
+const keepTemp = process.env.AIOX_E2E_KEEP_TEMP === '1';
+const agentSet = (process.env.AIOX_E2E_AGENT_SET || 'dev,qa,aiox-master')
+  .split(',')
+  .map((agent) => agent.trim())
+  .filter(Boolean);
+
+const packDir = fs.mkdtempSync(path.join(os.tmpdir(), 'aiox-pack-'));
+const tempRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'aiox-installed-skills-'));
+const projectRoot = path.join(tempRoot, 'project');
+const requiredCorePackages = ['fast-glob', 'fs-extra', 'js-yaml', 'semver', 'ajv', 'tar', 'chalk'];
+
+function log(message) {
+  console.log(`[installed-skills-e2e] ${message}`);
+}
+
+function fail(message, details = '') {
+  const suffix = details ? `\n${details}` : '';
+  throw new Error(`${message}${suffix}`);
+}
+
+function run(command, args, options = {}) {
+  const cwd = options.cwd || repoRoot;
+  const env = { ...process.env, ...(options.env || {}) };
+  const label = `${command} ${args.join(' ')}`;
+
+  if (verbose) {
+    log(`$ ${label} (cwd=${cwd})`);
+  }
+
+  const result = spawnSync(command, args, {
+    cwd,
+    env,
+    encoding: 'utf8',
+    timeout: options.timeout || 120000,
+    maxBuffer: 1024 * 1024 * 20,
+  });
+
+  if (result.error) {
+    fail(`Command failed to start: ${label}`, result.error.message);
+  }
+
+  if (verbose && result.stdout) process.stdout.write(result.stdout);
+  if (verbose && result.stderr) process.stderr.write(result.stderr);
+
+  if (result.status !== 0) {
+    fail(
+      `Command failed (${result.status}): ${label}`,
+      [
+        result.stdout && `STDOUT:\n${result.stdout}`,
+        result.stderr && `STDERR:\n${result.stderr}`,
+      ].filter(Boolean).join('\n\n'),
+    );
+  }
+
+  return result.stdout || '';
+}
+
+function assertPathExists(relativePath, type = 'any') {
+  const absolutePath = path.join(projectRoot, relativePath);
+  if (!fs.existsSync(absolutePath)) {
+    fail(`Missing expected installed path: ${relativePath}`);
+  }
+
+  const stat = fs.statSync(absolutePath);
+  if (type === 'file' && !stat.isFile()) {
+    fail(`Expected file but found non-file: ${relativePath}`);
+  }
+  if (type === 'dir' && !stat.isDirectory()) {
+    fail(`Expected directory but found non-directory: ${relativePath}`);
+  }
+
+  return absolutePath;
+}
+
+function assertAbsolutePathExists(absolutePath, type = 'any') {
+  if (!fs.existsSync(absolutePath)) {
+    fail(`Missing expected path: ${absolutePath}`);
+  }
+
+  const stat = fs.statSync(absolutePath);
+  if (type === 'file' && !stat.isFile()) {
+    fail(`Expected file but found non-file: ${absolutePath}`);
+  }
+  if (type === 'dir' && !stat.isDirectory()) {
+    fail(`Expected directory but found non-directory: ${absolutePath}`);
+  }
+
+  return absolutePath;
+}
+
+function assertNoSourceRepoLeak(relativePath) {
+  const absolutePath = assertPathExists(relativePath, 'file');
+  const content = fs.readFileSync(absolutePath, 'utf8');
+
+  if (content.includes(repoRoot)) {
+    fail(`Installed artifact leaks source repo path: ${relativePath}`);
+  }
+
+  return content;
+}
+
+function assertContains(content, expected, relativePath) {
+  if (!content.includes(expected)) {
+    fail(`Expected ${relativePath} to contain: ${expected}`);
+  }
+}
+
+function parseDoctorJson(output) {
+  try {
+    return JSON.parse(output);
+  } catch {
+    fail('Doctor --json did not return parseable JSON', output);
+  }
+}
+
+function cleanup() {
+  if (keepTemp) {
+    log(`Keeping temp root: ${tempRoot}`);
+    log(`Keeping pack dir: ${packDir}`);
+    return;
+  }
+
+  fs.rmSync(tempRoot, { recursive: true, force: true });
+  fs.rmSync(packDir, { recursive: true, force: true });
+}
+
+async function main() {
+  log(`Repo root: ${repoRoot}`);
+  log(`Temp project: ${projectRoot}`);
+
+  fs.mkdirSync(projectRoot, { recursive: true });
+
+  log('Packing local aiox-core package');
+  run('npm', ['pack', '--pack-destination', packDir], { cwd: repoRoot, timeout: 180000 });
+  const tarballs = fs.readdirSync(packDir).filter((entry) => entry.endsWith('.tgz'));
+  if (tarballs.length !== 1) {
+    fail(`Expected exactly one packed tarball, found ${tarballs.length}`, tarballs.join('\n'));
+  }
+  const tarballPath = path.join(packDir, tarballs[0]);
+
+  log('Creating brownfield test project');
+  run('npm', ['init', '-y'], { cwd: projectRoot });
+
+  log('Installing packed aiox-core tarball');
+  run('npm', ['install', tarballPath], { cwd: projectRoot, timeout: 180000 });
+
+  const cliPath = path.join(projectRoot, 'node_modules', 'aiox-core', 'bin', 'aiox.js');
+  const packagedCoreDir = path.join(projectRoot, 'node_modules', 'aiox-core', '.aiox-core');
+  assertPathExists(path.join('node_modules', 'aiox-core', 'bin', 'aiox.js'), 'file');
+
+  log('Validating packaged .aiox-core dependencies');
+  assertAbsolutePathExists(path.join(packagedCoreDir, 'package.json'), 'file');
+  run('npm', ['install', '--production', '--ignore-scripts'], {
+    cwd: packagedCoreDir,
+    timeout: 180000,
+  });
+  for (const packageName of requiredCorePackages) {
+    assertAbsolutePathExists(path.join(packagedCoreDir, 'node_modules', packageName), 'dir');
+  }
+
+  log('Running installed aiox install in CI mode');
+  run('node', [cliPath, 'install', '--ci', '--yes', '--ide', 'claude-code'], {
+    cwd: projectRoot,
+    timeout: 240000,
+    env: {
+      CI: '1',
+      AIOX_INSTALL_FORCE: '1',
+      AIOX_INSTALL_QUIET: '1',
+    },
+  });
+
+  log('Validating installed skill and agent artifacts');
+  assertPathExists('.aiox-core', 'dir');
+  assertPathExists('.aiox-core/development/agents', 'dir');
+  assertPathExists('.claude/skills/AIOX/agents', 'dir');
+  assertPathExists('.codex/agents', 'dir');
+  assertPathExists('.codex/skills', 'dir');
+
+  for (const agent of agentSet) {
+    const claudeSkill = `.claude/skills/AIOX/agents/${agent}/SKILL.md`;
+    const codexAgent = `.codex/agents/${agent}.md`;
+    const codexSkillId = getSkillId(agent);
+    const codexSkill = `.codex/skills/${codexSkillId}/SKILL.md`;
+    const sourceAgent = `.aiox-core/development/agents/${agent}.md`;
+
+    assertPathExists(sourceAgent, 'file');
+
+    const claudeSkillContent = assertNoSourceRepoLeak(claudeSkill);
+    assertContains(claudeSkillContent, 'activation_type: pipeline', claudeSkill);
+    assertContains(claudeSkillContent, `Source: .aiox-core/development/agents/${agent}.md`, claudeSkill);
+
+    const codexAgentContent = assertNoSourceRepoLeak(codexAgent);
+    assertContains(codexAgentContent, `id: ${agent}`, codexAgent);
+
+    const codexSkillContent = assertNoSourceRepoLeak(codexSkill);
+    assertContains(codexSkillContent, `name: ${codexSkillId}`, codexSkill);
+    assertContains(codexSkillContent, `.aiox-core/development/agents/${agent}.md`, codexSkill);
+  }
+
+  log(`Activating installed agents: ${agentSet.join(', ')}`);
+  const greetingScript = path.join(projectRoot, '.aiox-core', 'development', 'scripts', 'generate-greeting.js');
+  assertPathExists('.aiox-core/development/scripts/generate-greeting.js', 'file');
+
+  for (const agent of agentSet) {
+    const greeting = run('node', [greetingScript, agent], { cwd: projectRoot, timeout: 30000 });
+    if (!/Agent .*ready|Agent .*loaded|ready/i.test(greeting)) {
+      fail(`Activation smoke did not produce a ready signal for ${agent}`, greeting);
+    }
+    if (!/Available Commands|\*help/.test(greeting)) {
+      fail(`Activation smoke did not expose commands/help for ${agent}`, greeting);
+    }
+  }
+
+  log('Running installed doctor --json');
+  const doctorOutput = run('node', [cliPath, 'doctor', '--json'], {
+    cwd: projectRoot,
+    timeout: 120000,
+  });
+  const doctor = parseDoctorJson(doctorOutput);
+  if (!doctor.summary || doctor.summary.fail > 0) {
+    fail('Installed doctor reported FAIL results', JSON.stringify(doctor, null, 2));
+  }
+
+  log(`PASS: installed project skills E2E completed for ${agentSet.length} agents`);
+}
+
+main()
+  .catch((error) => {
+    console.error(`\n[installed-skills-e2e] FAIL: ${error.message}`);
+    if (!keepTemp) {
+      console.error('[installed-skills-e2e] Re-run with AIOX_E2E_KEEP_TEMP=1 to preserve temp files.');
+    } else {
+      console.error(`[installed-skills-e2e] Temp root preserved: ${tempRoot}`);
+    }
+    process.exitCode = 1;
+  })
+  .finally(cleanup);

package/scripts/package-synapse.js

@@ -217,19 +217,19 @@ cp hook/synapse-engine.cjs <your-project>/.claude/hooks/
 
 Add to \`.claude/settings.local.json\`:
 
-\`\`\`json
+~~~json
 {
   "hooks": {
     "UserPromptSubmit": [
       {
         "type": "command",
-        "command": "node \"$CLAUDE_PROJECT_DIR/.claude/hooks/synapse-engine.cjs\"",
+        "command": "node \\"$CLAUDE_PROJECT_DIR/.claude/hooks/synapse-engine.cjs\\"",
         "timeout": 10
       }
     ]
   }
 }
-\`\`\`
+~~~
 
 ### 4. Copy Runtime Domains