@a8techads/cli 0.2.0 → 0.4.0

package/dist/a8techads.js

@@ -2646,6 +2646,9 @@ async function login(opts = {}) {
   if (opts.tenantId) {
     authorizeUrl.searchParams.set("tenant_id", opts.tenantId);
   }
+  if (opts.forceLogin) {
+    authorizeUrl.searchParams.set("prompt", "login");
+  }
   const code = await waitForAuthorizationCode(authorizeUrl.toString(), state);
   console.log("Exchanging authorization code for tokens...");
   const tokenResponse = await fetch(tokenEndpoint, {
@@ -3083,11 +3086,12 @@ Examples:
 Browser mode (default): Opens browser for OAuth 2.1 Authorization Code + PKCE.
 Client credentials mode: Non-interactive auth using --client-id and --client-secret.
 
-Requires: network access to auth server.`).option("-p, --profile <name>", "Profile name (browser mode only)", "default").option("--api-url <url>", "API base URL (default: https://api.a8.tech)").option("--auth-url <url>", "Auth server URL (default: https://auth.a8.tech)").option("--client-id <id>", "OAuth client ID (enables client_credentials flow)").option("--client-secret <secret>", "OAuth client secret (requires --client-id)").addHelpText("after", `
+Requires: network access to auth server.`).option("-p, --profile <name>", "Profile name (browser mode only)", "default").option("--api-url <url>", "API base URL (default: https://api.a8.tech)").option("--auth-url <url>", "Auth server URL (default: https://auth.a8.tech)").option("--client-id <id>", "OAuth client ID (enables client_credentials flow)").option("--client-secret <secret>", "OAuth client secret (requires --client-id)").option("--force-login", "Force login prompt even if browser session exists (use to switch users)").addHelpText("after", `
 Examples:
   $ a8techads auth login                               # Interactive browser login
   $ a8techads auth login -p staging --api-url https://api.staging.a8.tech
   $ a8techads auth login --client-id svc-001 --client-secret s3cret
+  $ a8techads auth login -p owner --force-login        # Switch to different user
 
 Note: Client credentials tokens cannot be refreshed. The CLI will prompt
       for re-authentication when the token expires.`).action(async (opts) => {
@@ -3107,7 +3111,8 @@ Note: Client credentials tokens cannot be refreshed. The CLI will prompt
         await login({
           profile: opts.profile,
           apiUrl: opts.apiUrl,
-          authUrl: opts.authUrl
+          authUrl: opts.authUrl,
+          forceLogin: opts.forceLogin
         });
       }
     } catch (err) {
@@ -3195,6 +3200,52 @@ function createProfileCommand() {
   return profile;
 }
 
+// src/utils/http.ts
+async function apiRequest(opts) {
+  await refreshTokenIfNeeded();
+  const creds = loadCredentials();
+  const profile = getCurrentProfile(creds);
+  if (!profile) {
+    throw new Error('No active profile. Run "a8techads auth login" to authenticate.');
+  }
+  const ctx = loadContext();
+  const context = getCurrentContext(ctx);
+  validateTenantMatch(profile.access_token, context?.tenant_id ?? null);
+  const headers = {
+    Authorization: `Bearer ${profile.access_token}`,
+    "Content-Type": "application/json",
+    ...opts.headers
+  };
+  if (context?.current_capability) {
+    headers["X-Effective-Capability"] = context.current_capability;
+  }
+  if (context?.impersonation) {
+    headers["X-Impersonate-Tenant"] = context.impersonation.target_tenant_id;
+    if (context.impersonation.effective_capability) {
+      headers["X-Impersonate-Capability"] = context.impersonation.effective_capability;
+    }
+  }
+  const url = `${profile.api_url}${opts.path}`;
+  return fetch(url, {
+    method: opts.method ?? "GET",
+    headers,
+    body: opts.body ? JSON.stringify(opts.body) : undefined
+  });
+}
+function validateTenantMatch(accessToken, contextTenantId) {
+  const claims = decodeJwt(accessToken);
+  if (!claims)
+    return;
+  const authClaims = getAuthClaims(claims);
+  const tokenTenantId = authClaims?.tenant_id ?? null;
+  if (!contextTenantId || !tokenTenantId)
+    return;
+  if (contextTenantId !== tokenTenantId) {
+    throw new Error(`Token tenant mismatch. Context tenant: ${contextTenantId}, token tenant: ${tokenTenantId}.
+` + `Run 'a8techads context set-tenant ${contextTenantId}' to re-authenticate.`);
+  }
+}
+
 // src/commands/context.ts
 function createContextCommand() {
   const context = new Command("context").description("Workspace context — tenant, capability, and app selection").addHelpText("after", `
@@ -3237,6 +3288,16 @@ Examples:
     }
     console.log(`App:          ${profileCtx?.app ?? "none"}`);
     console.log(`Capability:   ${profileCtx?.current_capability ?? "null (platform)"}`);
+    if (profileCtx?.impersonation) {
+      const imp = profileCtx.impersonation;
+      console.log(`
+--- Managed Access Session ---`);
+      console.log(`Target:       ${imp.target_tenant_name} (${imp.target_tenant_id})`);
+      console.log(`Capability:   ${imp.effective_capability}`);
+      console.log(`Role:         ${imp.effective_role}`);
+      console.log(`Grant:        ${imp.managed_grant_id ?? "none"}`);
+      console.log(`Started:      ${imp.started_at}`);
+    }
   });
   context.command("set-tenant").description(`Switch to a different tenant. Triggers re-authentication if the
 tenant differs from the current token tenant.
@@ -3371,6 +3432,74 @@ Shortcuts:
     console.log("Capability: PUBLISHER");
     console.log("App: ssp");
   });
+  context.command("assume-role").description(`Start a managed access session as a platform operator.
+
+Requires: platform_owner or platform_admin role.`).option("--tenant <id>", "Target tenant ID (required)").option("--capability <cap>", "Effective capability: ADVERTISER or PUBLISHER").addHelpText("after", `
+Examples:
+  $ a8techads context assume-role --tenant 00000000-... --capability ADVERTISER
+  $ a8techads context assume-role --tenant <id>`).action(async (opts) => {
+    if (!opts.tenant) {
+      console.error("Error: --tenant is required.");
+      console.error('Run "a8techads context assume-role --help" for usage.');
+      process.exit(1);
+    }
+    try {
+      const body = { target_tenant_id: opts.tenant };
+      if (opts.capability)
+        body.target_capability = opts.capability;
+      const resp = await apiRequest({
+        method: "POST",
+        path: "/api/v1/console/impersonation/start",
+        body
+      });
+      if (!resp.ok) {
+        const err = await resp.json().catch(() => ({ error: resp.statusText }));
+        console.error(`Error: ${err.error || resp.statusText}`);
+        process.exit(1);
+      }
+      const data = await resp.json();
+      const targetTenant = data.target_tenant || {};
+      const ctx = loadContext();
+      const impersonation = {
+        target_tenant_id: opts.tenant,
+        target_tenant_name: targetTenant.company_name || "Unknown",
+        effective_capability: data.effective_capability || opts.capability || "",
+        effective_role: data.effective_role || "",
+        managed_grant_id: data.managed_grant_id || null,
+        started_at: new Date().toISOString()
+      };
+      setCurrentContext(ctx, { impersonation });
+      saveContext(ctx);
+      console.log("Managed access session started.");
+      console.log(`Target:      ${impersonation.target_tenant_name} (${opts.tenant})`);
+      console.log(`Capability:  ${impersonation.effective_capability}`);
+      console.log(`Grant:       ${impersonation.managed_grant_id || "auto-created"}`);
+    } catch (err) {
+      console.error(`Failed: ${err.message}`);
+      process.exit(1);
+    }
+  });
+  context.command("end-session").description(`End the current managed access session.
+
+Requires: an active managed access session.`).addHelpText("after", `
+Examples:
+  $ a8techads context end-session`).action(async () => {
+    const ctx = loadContext();
+    const profileCtx = getCurrentContext(ctx);
+    if (!profileCtx?.impersonation) {
+      console.log("No active managed access session.");
+      return;
+    }
+    try {
+      await apiRequest({
+        method: "POST",
+        path: "/api/v1/console/impersonation/end"
+      });
+    } catch {}
+    setCurrentContext(ctx, { impersonation: null });
+    saveContext(ctx);
+    console.log("Managed access session ended.");
+  });
   return context;
 }
 function deriveAppFromTenant(tenant) {
@@ -3387,46 +3516,6 @@ function deriveAuthUrl(tokenEndpoint) {
   return url.origin;
 }
 
-// src/utils/http.ts
-async function apiRequest(opts) {
-  await refreshTokenIfNeeded();
-  const creds = loadCredentials();
-  const profile = getCurrentProfile(creds);
-  if (!profile) {
-    throw new Error('No active profile. Run "a8techads auth login" to authenticate.');
-  }
-  const ctx = loadContext();
-  const context = getCurrentContext(ctx);
-  validateTenantMatch(profile.access_token, context?.tenant_id ?? null);
-  const headers = {
-    Authorization: `Bearer ${profile.access_token}`,
-    "Content-Type": "application/json",
-    ...opts.headers
-  };
-  if (context?.current_capability) {
-    headers["X-Effective-Capability"] = context.current_capability;
-  }
-  const url = `${profile.api_url}${opts.path}`;
-  return fetch(url, {
-    method: opts.method ?? "GET",
-    headers,
-    body: opts.body ? JSON.stringify(opts.body) : undefined
-  });
-}
-function validateTenantMatch(accessToken, contextTenantId) {
-  const claims = decodeJwt(accessToken);
-  if (!claims)
-    return;
-  const authClaims = getAuthClaims(claims);
-  const tokenTenantId = authClaims?.tenant_id ?? null;
-  if (!contextTenantId || !tokenTenantId)
-    return;
-  if (contextTenantId !== tokenTenantId) {
-    throw new Error(`Token tenant mismatch. Context tenant: ${contextTenantId}, token tenant: ${tokenTenantId}.
-` + `Run 'a8techads context set-tenant ${contextTenantId}' to re-authenticate.`);
-  }
-}
-
 // src/utils/api-prefix.ts
 function getApiPrefix() {
   const ctx = loadContext();
@@ -3514,8 +3603,204 @@ function addFormatOption(cmd) {
   return cmd.option("-f, --format <format>", "Output format: table, json, csv (default: table)", "table");
 }
 
-// src/commands/campaigns.ts
+// src/commands/audiences.ts
 var COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 25 },
+  { key: "type", header: "TYPE", width: 15 },
+  { key: "status", header: "STATUS", width: 10 },
+  { key: "estimatedSize", header: "SIZE", width: 10, format: (v) => v != null ? Number(v).toLocaleString() : "-" }
+];
+function createAudiencesCommand() {
+  const cmd = new Command("audiences").description(`Audience management (DSP)
+
+Phase 1: UPLOADED_LIST only.
+
+Requires: ADVERTISER capability.`).addHelpText("after", `
+Examples:
+  $ a8techads audiences list
+  $ a8techads audiences get <id>
+  $ a8techads audiences create --name "High-Value Customers" --type UPLOADED_LIST
+  $ a8techads audiences upload <id> --file users.csv --identifier-type EMAIL_HASH
+  $ a8techads audiences activate <id>
+  $ a8techads audiences pause <id>`);
+  addFormatOption(cmd.command("list").description("List audiences.").option("--type <type>", "Filter by type (UPLOADED_LIST)").option("--status <status>", "Filter by status (DRAFT, READY, ACTIVE, PAUSED, etc.)").option("--limit <n>", "Max results", "20")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit });
+    if (opts.type)
+      params.set("type", opts.type);
+    if (opts.status)
+      params.set("status", opts.status);
+    const resp = await apiRequest({ path: `${dspPrefix()}/audiences?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((a) => ({
+      id: a.id,
+      name: a.name,
+      type: a.type,
+      status: a.status,
+      estimatedSize: a.estimatedSize ?? a.estimated_size
+    }));
+    printData(rows, COLUMNS, opts.format);
+  });
+  addFormatOption(cmd.command("get").description("Get audience details by ID.").argument("<id>", "Audience ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/audiences/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  cmd.command("create").description(`Create a new audience.
+
+Phase 1 only supports type UPLOADED_LIST.`).option("--name <name>", "Audience name (required)").option("--type <type>", "Audience type: UPLOADED_LIST or RETARGETING", "UPLOADED_LIST").option("--description <desc>", "Description").option("--ttl <days>", "Membership TTL in days (default: 90)", "90").option("--goal-id <id>", "Conversion goal ID (required for RETARGETING type)").option("--from-json <file>", "Create from JSON file").addHelpText("after", `
+Examples:
+  $ a8techads audiences create --name "High-Value Customers"
+  $ a8techads audiences create --name "Retarget Pool" --ttl 30
+  $ a8techads audiences create --from-json audience.json`).action(async (opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync3 } = await import("fs");
+      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
+    } else {
+      if (!opts.name) {
+        console.error('Error: --name is required. Run "a8techads audiences create --help".');
+        process.exit(1);
+      }
+      if (opts.type === "RETARGETING" && !opts.goalId) {
+        console.error("Error: --goal-id is required for RETARGETING type.");
+        process.exit(1);
+      }
+      body = {
+        name: opts.name,
+        type: opts.type,
+        membershipTtlDays: Number(opts.ttl)
+      };
+      if (opts.description)
+        body.description = opts.description;
+      if (opts.goalId) {
+        body.rules = { source: "conversion_goal", goal_id: opts.goalId, action: "positive", recency_days: 30 };
+      }
+    }
+    const resp = await apiRequest({ method: "POST", path: `${dspPrefix()}/audiences`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Audience created: ${json.data?.id ?? json.id}`);
+  });
+  cmd.command("update").description("Update an audience.").argument("<id>", "Audience ID").option("--name <name>", "New name").option("--description <desc>", "New description").option("--ttl <days>", "New membership TTL in days").action(async (id, opts) => {
+    const body = {};
+    if (opts.name)
+      body.name = opts.name;
+    if (opts.description)
+      body.description = opts.description;
+    if (opts.ttl)
+      body.membershipTtlDays = Number(opts.ttl);
+    const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/audiences/${id}`, body });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Audience ${id} updated.`);
+  });
+  cmd.command("delete").description("Delete an audience.").argument("<id>", "Audience ID").option("--yes", "Skip confirmation").action(async (id, opts) => {
+    if (!opts.yes) {
+      console.error("Add --yes to confirm deletion.");
+      process.exit(1);
+    }
+    const resp = await apiRequest({ method: "DELETE", path: `${dspPrefix()}/audiences/${id}` });
+    if (!resp.ok && resp.status !== 204) {
+      console.error(`Error: ${resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Audience ${id} deleted.`);
+  });
+  cmd.command("activate").description("Activate an audience (must be READY or PAUSED).").argument("<id>", "Audience ID").action(async (id) => {
+    const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/audiences/${id}/activate` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Audience ${id} activated.`);
+  });
+  cmd.command("pause").description("Pause an active audience.").argument("<id>", "Audience ID").action(async (id) => {
+    const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/audiences/${id}/pause` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Audience ${id} paused.`);
+  });
+  cmd.command("archive").description("Archive an audience.").argument("<id>", "Audience ID").action(async (id) => {
+    const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/audiences/${id}/archive` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Audience ${id} archived.`);
+  });
+  cmd.command("upload").description(`Upload user identifiers to populate audience membership.
+
+Reads a file with one identifier per line (email hash, device ID, etc.)
+and uploads to the audience membership store.`).argument("<id>", "Audience ID").option("--file <path>", "File path (one identifier per line, or JSON array)").option("--identifier-type <type>", "Identifier type: EMAIL_HASH or DEVICE_ID", "EMAIL_HASH").addHelpText("after", `
+Examples:
+  $ a8techads audiences upload <id> --file users.txt --identifier-type EMAIL_HASH
+  $ a8techads audiences upload <id> --file devices.txt --identifier-type DEVICE_ID
+
+File format (one per line):
+  a1b2c3d4e5f6...
+  f6e5d4c3b2a1...`).action(async (id, opts) => {
+    if (!opts.file) {
+      console.error("Error: --file is required.");
+      process.exit(1);
+    }
+    const { readFileSync: readFileSync3 } = await import("fs");
+    let identifiers;
+    try {
+      const content = readFileSync3(opts.file, "utf-8").trim();
+      try {
+        identifiers = JSON.parse(content);
+        if (!Array.isArray(identifiers))
+          throw new Error("not array");
+      } catch {
+        identifiers = content.split(`
+`).map((l) => l.trim()).filter((l) => l.length > 0);
+      }
+    } catch (err) {
+      console.error(`Error reading file: ${err.message}`);
+      process.exit(1);
+    }
+    if (identifiers.length === 0) {
+      console.error("Error: file contains no identifiers.");
+      process.exit(1);
+    }
+    console.log(`Uploading ${identifiers.length} identifiers...`);
+    const body = {
+      identifiers,
+      identifierType: opts.identifierType
+    };
+    const resp = await apiRequest({ method: "POST", path: `${dspPrefix()}/audiences/${id}/upload`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Upload complete. Status: ${json.data?.status ?? json.status}, Members: ${json.data?.uploadedCount ?? json.uploadedCount ?? "?"}`);
+  });
+  return cmd;
+}
+
+// src/commands/campaigns.ts
+var COLUMNS2 = [
   { key: "id", header: "ID", width: 36 },
   { key: "name", header: "NAME", width: 30 },
   { key: "status", header: "STATUS", width: 12 },
@@ -3549,7 +3834,7 @@ Examples:
       budget: c.budget ?? c.dailyBudget,
       spent: c.stats?.spend ?? c.spent
     }));
-    printData(rows, COLUMNS, opts.format);
+    printData(rows, COLUMNS2, opts.format);
   });
   addFormatOption(cmd.command("get").description("Get campaign details by ID.").argument("<id>", "Campaign ID")).action(async (id, opts) => {
     const resp = await apiRequest({ path: `${dspPrefix()}/campaigns/${id}` });
@@ -3661,7 +3946,7 @@ Examples:
 }
 
 // src/commands/variations.ts
-var COLUMNS2 = [
+var COLUMNS3 = [
   { key: "id", header: "ID", width: 36 },
   { key: "name", header: "NAME", width: 25 },
   { key: "type", header: "TYPE", width: 10 },
@@ -3692,7 +3977,7 @@ Examples:
       status: v.status,
       campaignId: v.campaignId ?? v.campaign_id
     }));
-    printData(rows, COLUMNS2, opts.format);
+    printData(rows, COLUMNS3, opts.format);
   });
   addFormatOption(cmd.command("get").description("Get variation details.").argument("<id>", "Variation ID")).action(async (id, opts) => {
     const resp = await apiRequest({ path: `${dspPrefix()}/variations/${id}` });
@@ -3757,7 +4042,7 @@ Examples:
 }
 
 // src/commands/sites.ts
-var COLUMNS3 = [
+var COLUMNS4 = [
   { key: "id", header: "ID", width: 36 },
   { key: "name", header: "NAME", width: 25 },
   { key: "domain", header: "DOMAIN", width: 25 },
@@ -3790,7 +4075,7 @@ Examples:
       status: s.status,
       zoneCount: s.zoneCount ?? s.zone_count ?? "-"
     }));
-    printData(rows, COLUMNS3, opts.format);
+    printData(rows, COLUMNS4, opts.format);
   });
   addFormatOption(cmd.command("get").description("Get site details by ID.").argument("<id>", "Site ID")).action(async (id, opts) => {
     const resp = await apiRequest({ path: `${sspPrefix()}/sites/${id}` });
@@ -3876,7 +4161,7 @@ Examples:
 }
 
 // src/commands/zones.ts
-var COLUMNS4 = [
+var COLUMNS5 = [
   { key: "id", header: "ID", width: 36 },
   { key: "name", header: "NAME", width: 25 },
   { key: "format", header: "FORMAT", width: 18 },
@@ -3908,7 +4193,7 @@ Examples:
       format: z.adFormat ?? z.ad_format ?? "-",
       status: z.status
     }));
-    printData(rows, COLUMNS4, opts.format);
+    printData(rows, COLUMNS5, opts.format);
   });
   addFormatOption(cmd.command("get").description("Get zone details by ID.").argument("<id>", "Zone ID")).action(async (id, opts) => {
     const resp = await apiRequest({ path: `${sspPrefix()}/zones/${id}` });
@@ -4209,7 +4494,7 @@ function usersPrefix() {
   }
   return app === "ssp" ? "/api/v1/ssp" : "/api/v1/dsp";
 }
-var COLUMNS5 = [
+var COLUMNS6 = [
   { key: "id", header: "ID", width: 36 },
   { key: "email", header: "EMAIL", width: 30 },
   { key: "name", header: "NAME", width: 20 },
@@ -4240,7 +4525,7 @@ Examples:
       role: u.role,
       status: u.status
     }));
-    printData(rows, COLUMNS5, opts.format);
+    printData(rows, COLUMNS6, opts.format);
   });
   addFormatOption(cmd.command("get").description("Get team member details.").argument("<id>", "User ID")).action(async (id, opts) => {
     const resp = await apiRequest({ path: `${usersPrefix()}/users/${id}` });
@@ -4319,6 +4604,117 @@ Examples:
   return cmd;
 }
 
+// src/commands/admin.ts
+function createAdminCommand() {
+  const cmd = new Command("admin").description(`Platform administration (Console)
+
+Requires: platform_owner or platform_admin role.`).addHelpText("after", `
+Examples:
+  $ a8techads admin tenants list
+  $ a8techads admin tenants get <id>
+  $ a8techads admin audit-logs
+  $ a8techads admin system health`);
+  const tenants = cmd.command("tenants").description("Tenant management");
+  addFormatOption(tenants.command("list").description("List all tenants.")).action(async (opts) => {
+    const resp = await apiRequest({ path: "/api/v1/console/tenants" });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((t) => ({
+      id: t.id,
+      name: t.companyName ?? t.company_name,
+      type: t.tenantType ?? t.tenant_type,
+      status: t.status
+    }));
+    const columns = [
+      { key: "id", header: "ID", width: 36 },
+      { key: "name", header: "NAME", width: 25 },
+      { key: "type", header: "TYPE", width: 12 },
+      { key: "status", header: "STATUS", width: 10 }
+    ];
+    printData(rows, columns, opts.format);
+  });
+  addFormatOption(tenants.command("get").description("Get tenant details.").argument("<id>", "Tenant ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `/api/v1/console/tenants/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  const members = tenants.command("members").description("Tenant member management");
+  addFormatOption(members.command("list").description("List tenant members.").option("--tenant <id>", "Tenant ID (required)")).action(async (opts) => {
+    if (!opts.tenant) {
+      console.error("Error: --tenant is required.");
+      process.exit(1);
+    }
+    const resp = await apiRequest({ path: `/api/v1/console/tenants/${opts.tenant}/members` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((m) => ({
+      id: m.userId ?? m.user_id ?? m.id,
+      email: m.email,
+      role: m.role,
+      status: m.status
+    }));
+    printData(rows, [
+      { key: "id", header: "USER ID", width: 36 },
+      { key: "email", header: "EMAIL", width: 30 },
+      { key: "role", header: "ROLE", width: 20 }
+    ], opts.format);
+  });
+  addFormatOption(cmd.command("audit-logs").description("View audit logs.").option("--tenant <id>", "Filter by tenant").option("--limit <n>", "Max results", "20")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit });
+    if (opts.tenant)
+      params.set("tenant_id", opts.tenant);
+    const resp = await apiRequest({ path: `/api/v1/console/audit-logs?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((l) => ({
+      action: l.action,
+      target: l.targetType ?? l.target_type,
+      targetId: l.targetId ?? l.target_id,
+      user: l.adminUserId ?? l.admin_user_id,
+      time: l.createdAt ?? l.created_at
+    }));
+    printData(rows, [
+      { key: "action", header: "ACTION", width: 25 },
+      { key: "target", header: "TARGET", width: 12 },
+      { key: "targetId", header: "TARGET ID", width: 36 },
+      { key: "time", header: "TIME", width: 22 }
+    ], opts.format);
+  });
+  const system = cmd.command("system").description("System operations");
+  addFormatOption(system.command("health").description("System health check.")).action(async (opts) => {
+    const resp = await apiRequest({ path: "/api/v1/console/system/health" });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  system.command("cache-clear").description("Clear system cache.").action(async () => {
+    const resp = await apiRequest({ method: "POST", path: "/api/v1/console/system/cache/clear" });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log("Cache cleared.");
+  });
+  return cmd;
+}
+
 // src/commands/settings.ts
 function settingsPrefix() {
   const ctx = loadContext();
@@ -4450,11 +4846,12 @@ Examples:
 
 // src/index.ts
 function createProgram() {
-  const program2 = new Command().name("a8techads").description("A8TechAds CLI — programmatic ad platform management").version("0.2.0").addHelpText("after", `
+  const program2 = new Command().name("a8techads").description("A8TechAds CLI — programmatic ad platform management").version("0.4.0").addHelpText("after", `
 Command Groups:
   auth          Authentication (login, logout, token, status)
   profile       Multi-profile management
   context       Workspace context (tenant, capability, app)
+  audiences     Audience management (DSP)
   campaigns     Campaign management (DSP)
   variations    Ad variation management (DSP)
   sites         Site management (SSP)
@@ -4474,6 +4871,7 @@ Getting Started:
   program2.addCommand(createAuthCommand());
   program2.addCommand(createProfileCommand());
   program2.addCommand(createContextCommand());
+  program2.addCommand(createAudiencesCommand());
   program2.addCommand(createCampaignsCommand());
   program2.addCommand(createVariationsCommand());
   program2.addCommand(createSitesCommand());
@@ -4483,6 +4881,7 @@ Getting Started:
   program2.addCommand(createUsersCommand());
   program2.addCommand(createSettingsCommand());
   program2.addCommand(createInvoicesCommand());
+  program2.addCommand(createAdminCommand());
   return program2;
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@a8techads/cli",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "description": "A8TechAds CLI — programmatic ad platform management",
   "type": "module",
   "bin": {