@a8techads/cli 0.4.0 → 0.4.2

package/dist/a8techads.js

@@ -5,35 +5,21 @@ var __getProtoOf = Object.getPrototypeOf;
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-function __accessProp(key) {
-  return this[key];
-}
-var __toESMCache_node;
-var __toESMCache_esm;
 var __toESM = (mod, isNodeMode, target) => {
-  var canCache = mod != null && typeof mod === "object";
-  if (canCache) {
-    var cache = isNodeMode ? __toESMCache_node ??= new WeakMap : __toESMCache_esm ??= new WeakMap;
-    var cached = cache.get(mod);
-    if (cached)
-      return cached;
-  }
   target = mod != null ? __create(__getProtoOf(mod)) : {};
   const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
   for (let key of __getOwnPropNames(mod))
     if (!__hasOwnProp.call(to, key))
       __defProp(to, key, {
-        get: __accessProp.bind(mod, key),
+        get: () => mod[key],
         enumerable: true
       });
-  if (canCache)
-    cache.set(mod, to);
   return to;
 };
 var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
-// node_modules/commander/lib/error.js
+// ../../node_modules/.pnpm/commander@13.1.0/node_modules/commander/lib/error.js
 var require_error = __commonJS((exports) => {
   class CommanderError extends Error {
     constructor(exitCode, code, message) {
@@ -57,7 +43,7 @@ var require_error = __commonJS((exports) => {
   exports.InvalidArgumentError = InvalidArgumentError;
 });
 
-// node_modules/commander/lib/argument.js
+// ../../node_modules/.pnpm/commander@13.1.0/node_modules/commander/lib/argument.js
 var require_argument = __commonJS((exports) => {
   var { InvalidArgumentError } = require_error();
 
@@ -136,7 +122,7 @@ var require_argument = __commonJS((exports) => {
   exports.humanReadableArgName = humanReadableArgName;
 });
 
-// node_modules/commander/lib/help.js
+// ../../node_modules/.pnpm/commander@13.1.0/node_modules/commander/lib/help.js
 var require_help = __commonJS((exports) => {
   var { humanReadableArgName } = require_argument();
 
@@ -486,7 +472,7 @@ ${itemIndentStr}`);
   exports.stripColor = stripColor;
 });
 
-// node_modules/commander/lib/option.js
+// ../../node_modules/.pnpm/commander@13.1.0/node_modules/commander/lib/option.js
 var require_option = __commonJS((exports) => {
   var { InvalidArgumentError } = require_error();
 
@@ -664,7 +650,7 @@ var require_option = __commonJS((exports) => {
   exports.DualOptions = DualOptions;
 });
 
-// node_modules/commander/lib/suggestSimilar.js
+// ../../node_modules/.pnpm/commander@13.1.0/node_modules/commander/lib/suggestSimilar.js
 var require_suggestSimilar = __commonJS((exports) => {
   var maxDistance = 3;
   function editDistance(a, b) {
@@ -737,7 +723,7 @@ var require_suggestSimilar = __commonJS((exports) => {
   exports.suggestSimilar = suggestSimilar;
 });
 
-// node_modules/commander/lib/command.js
+// ../../node_modules/.pnpm/commander@13.1.0/node_modules/commander/lib/command.js
 var require_command = __commonJS((exports) => {
   var EventEmitter = __require("node:events").EventEmitter;
   var childProcess = __require("node:child_process");
@@ -2047,7 +2033,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
   exports.useColor = useColor;
 });
 
-// node_modules/commander/index.js
+// ../../node_modules/.pnpm/commander@13.1.0/node_modules/commander/index.js
 var require_commander = __commonJS((exports) => {
   var { Argument } = require_argument();
   var { Command } = require_command();
@@ -2067,7 +2053,7 @@ var require_commander = __commonJS((exports) => {
   exports.InvalidOptionArgumentError = InvalidArgumentError;
 });
 
-// node_modules/commander/esm.mjs
+// ../../node_modules/.pnpm/commander@13.1.0/node_modules/commander/esm.mjs
 var import__ = __toESM(require_commander(), 1);
 var {
   program,
@@ -2087,7 +2073,7 @@ var {
 import { createServer } from "http";
 import { exec } from "child_process";
 
-// node_modules/oauth4webapi/build/index.js
+// ../../node_modules/.pnpm/oauth4webapi@3.8.5/node_modules/oauth4webapi/build/index.js
 var USER_AGENT;
 if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
   const NAME = "oauth4webapi";
@@ -2628,6 +2614,18 @@ async function login(opts = {}) {
   const authUrl = opts.authUrl ?? DEFAULT_AUTH_URL;
   const tokenEndpoint = `${authUrl}/.ory/hydra/oauth2/token`;
   const authorizationEndpoint = `${authUrl}/.ory/hydra/oauth2/auth`;
+  if (opts.forceLogin) {
+    const existingCreds = loadCredentials();
+    if (existingCreds.profiles[profileName]) {
+      delete existingCreds.profiles[profileName];
+      saveCredentials(existingCreds);
+    }
+    const existingCtx = loadContext();
+    if (existingCtx.profiles[profileName]) {
+      delete existingCtx.profiles[profileName];
+      saveContext(existingCtx);
+    }
+  }
   const codeVerifier = generateRandomCodeVerifier();
   const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
   const state = generateRandomState();
@@ -2831,7 +2829,9 @@ async function loginClientCredentials(opts) {
   const apiUrl = opts.apiUrl ?? DEFAULT_API_URL2;
   const authUrl = opts.authUrl ?? DEFAULT_AUTH_URL2;
   const tokenEndpoint = `${authUrl}/.ory/hydra/oauth2/token`;
-  console.log("Authenticating with client credentials...");
+  if (!opts.silent) {
+    console.log("Authenticating with client credentials...");
+  }
   const resp = await fetch(tokenEndpoint, {
     method: "POST",
     headers: { "Content-Type": "application/x-www-form-urlencoded" },
@@ -2849,7 +2849,7 @@ async function loginClientCredentials(opts) {
   const tokens = await resp.json();
   const claims = decodeJwt(tokens.access_token);
   const authClaims = claims ? getAuthClaims(claims) : null;
-  const profileName = `client:${opts.clientId}`;
+  const profileName = opts.profile ?? `client:${opts.clientId}`;
   const tenants = await fetchTenantsForClient(apiUrl, tokens.access_token);
   const expiresAt = new Date(Date.now() + tokens.expires_in * 1000).toISOString();
   const profileCreds = {
@@ -2881,19 +2881,21 @@ async function loginClientCredentials(opts) {
   ctx.current_profile = profileName;
   ctx.profiles[profileName] = profileCtx;
   saveContext(ctx);
-  console.log(`
+  if (!opts.silent) {
+    console.log(`
 Authenticated as ${profileName}`);
-  console.log(`Profile: ${profileName}`);
-  if (tenant) {
-    console.log(`Tenant: ${tenant.tenant_name} (${tenant.tenant_id})`);
-  }
-  console.log(`App: ${app}`);
-  if (capability) {
-    console.log(`Capability: ${capability}`);
-  }
-  console.log(`Token expires: ${expiresAt}`);
-  console.log(`
+    console.log(`Profile: ${profileName}`);
+    if (tenant) {
+      console.log(`Tenant: ${tenant.tenant_name} (${tenant.tenant_id})`);
+    }
+    console.log(`App: ${app}`);
+    if (capability) {
+      console.log(`Capability: ${capability}`);
+    }
+    console.log(`Token expires: ${expiresAt}`);
+    console.log(`
 Note: Client credentials tokens cannot be refreshed. Re-authenticate on expiry.`);
+  }
 }
 function deriveApp2(tenant) {
   if (!tenant)
@@ -2958,16 +2960,124 @@ function logout(profileName) {
   console.log(`Logged out from profile "${name}".`);
 }
 
+// src/store/oauth-client.ts
+import { join as join3 } from "path";
+import { homedir as homedir3 } from "os";
+import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, chmodSync as chmodSync3 } from "fs";
+var CONFIG_DIR3 = join3(homedir3(), ".alpineads");
+var OAUTH_CLIENT_PATH = join3(CONFIG_DIR3, "oauth-client.json");
+var DEFAULT_API_URL3 = "https://api.a8.tech";
+var DEFAULT_AUTH_URL3 = "https://auth.a8.tech";
+function ensureDir3() {
+  if (!existsSync3(CONFIG_DIR3)) {
+    mkdirSync3(CONFIG_DIR3, { recursive: true, mode: 448 });
+  }
+}
+function defaultClientProfile(clientId) {
+  return `client:${clientId}`;
+}
+function loadOAuthClientConfig(profileName) {
+  const fromEnv = loadOAuthClientConfigFromEnv(profileName);
+  if (fromEnv)
+    return fromEnv;
+  const file = loadOAuthClientConfigFile();
+  if (!file)
+    return null;
+  const selectedProfile = profileName ?? file.current_profile;
+  const selected = file.profiles[selectedProfile];
+  if (!selected)
+    return null;
+  return {
+    profile: selectedProfile,
+    ...selected
+  };
+}
+function loadOAuthClientConfigFile() {
+  if (!existsSync3(OAUTH_CLIENT_PATH))
+    return null;
+  const raw = JSON.parse(readFileSync3(OAUTH_CLIENT_PATH, "utf-8"));
+  if ("profiles" in raw)
+    return raw;
+  return {
+    version: 1,
+    current_profile: raw.profile,
+    profiles: {
+      [raw.profile]: {
+        client_id: raw.client_id,
+        client_secret: raw.client_secret,
+        api_url: raw.api_url,
+        auth_url: raw.auth_url
+      }
+    }
+  };
+}
+function saveOAuthClientConfig(input) {
+  const profile = input.profile ?? defaultClientProfile(input.clientId);
+  const file = loadOAuthClientConfigFile() ?? {
+    version: 1,
+    current_profile: profile,
+    profiles: {}
+  };
+  file.current_profile = profile;
+  file.profiles[profile] = {
+    client_id: input.clientId,
+    client_secret: input.clientSecret,
+    api_url: input.apiUrl ?? DEFAULT_API_URL3,
+    auth_url: input.authUrl ?? DEFAULT_AUTH_URL3
+  };
+  ensureDir3();
+  writeFileSync3(OAUTH_CLIENT_PATH, JSON.stringify(file, null, 2), {
+    mode: 384
+  });
+  chmodSync3(OAUTH_CLIENT_PATH, 384);
+  return {
+    profile,
+    ...file.profiles[profile]
+  };
+}
+function getConfiguredOAuthClientProfiles() {
+  const envConfig = loadOAuthClientConfigFromEnv();
+  const file = loadOAuthClientConfigFile();
+  return Array.from(new Set([
+    ...file ? Object.keys(file.profiles) : [],
+    ...envConfig ? [envConfig.profile] : []
+  ]));
+}
+function hasConfiguredOAuthClientProfile(profileName) {
+  return loadOAuthClientConfig(profileName) !== null;
+}
+function loadOAuthClientConfigFromEnv(profileName) {
+  const clientId = process.env.A8TECHADS_CLIENT_ID ?? process.env.A8TECHADS_OAUTH_CLIENT_ID;
+  const clientSecret = process.env.A8TECHADS_CLIENT_SECRET ?? process.env.A8TECHADS_OAUTH_CLIENT_SECRET;
+  if (!clientId || !clientSecret)
+    return null;
+  const profile = process.env.A8TECHADS_PROFILE ?? process.env.A8TECHADS_OAUTH_PROFILE ?? defaultClientProfile(clientId);
+  if (profileName && profileName !== profile)
+    return null;
+  return {
+    profile,
+    client_id: clientId,
+    client_secret: clientSecret,
+    api_url: process.env.A8TECHADS_API_URL ?? DEFAULT_API_URL3,
+    auth_url: process.env.A8TECHADS_AUTH_URL ?? DEFAULT_AUTH_URL3
+  };
+}
+
 // src/auth/refresh.ts
 async function refreshTokenIfNeeded(profileName) {
   const creds = loadCredentials();
+  const effectiveProfileName = profileName ?? creds.current_profile;
   const profile = profileName ? getProfile(creds, profileName) : getCurrentProfile(creds);
-  if (!profile)
-    return false;
+  if (!profile) {
+    return await loginFromConfiguredOAuthClient(effectiveProfileName);
+  }
   const claims = decodeJwt(profile.access_token);
   if (!claims || !isTokenExpired(claims))
     return false;
   if (!profile.refresh_token) {
+    const refreshed = await loginFromConfiguredOAuthClient(effectiveProfileName, profile.client_id);
+    if (refreshed)
+      return true;
     throw new Error('Token expired and no refresh token available. Run "a8techads auth login" to re-authenticate.');
   }
   const response = await fetch(profile.token_endpoint, {
@@ -2981,6 +3091,12 @@ async function refreshTokenIfNeeded(profileName) {
   });
   if (!response.ok) {
     const text = await response.text();
+    const refreshedClaims = decodeJwt(profile.access_token);
+    const expiresAtMs = profile.expires_at ? Date.parse(profile.expires_at) : NaN;
+    const tokenStillUsable = refreshedClaims && !isTokenExpired(refreshedClaims) || !Number.isNaN(expiresAtMs) && expiresAtMs - Date.now() > 30000;
+    if (tokenStillUsable) {
+      return false;
+    }
     throw new Error(`Token refresh failed (${response.status}): ${text}
 Run "a8techads auth login" to re-authenticate.`);
   }
@@ -2994,16 +3110,31 @@ Run "a8techads auth login" to re-authenticate.`);
   saveCredentials(creds);
   return true;
 }
+async function loginFromConfiguredOAuthClient(profileName, expectedClientId) {
+  const config = loadOAuthClientConfig(profileName);
+  if (!config)
+    return false;
+  if (expectedClientId && expectedClientId !== config.client_id)
+    return false;
+  await loginClientCredentials({
+    clientId: config.client_id,
+    clientSecret: config.client_secret,
+    apiUrl: config.api_url,
+    authUrl: config.auth_url,
+    profile: config.profile,
+    silent: true
+  });
+  return true;
+}
 
 // src/auth/token.ts
 async function outputToken(profileName) {
-  const creds = loadCredentials();
-  const name = profileName ?? creds.current_profile;
-  await refreshTokenIfNeeded(name);
+  await refreshTokenIfNeeded(profileName);
   const freshCreds = loadCredentials();
-  const profile = getProfile(freshCreds, name);
+  const freshName = profileName ?? freshCreds.current_profile;
+  const profile = getProfile(freshCreds, freshName);
   if (!profile) {
-    console.error(`No credentials for profile "${name}". Run "a8techads auth login --profile ${name}" first.`);
+    console.error(`No credentials for profile "${freshName}". Run "a8techads auth login --profile ${freshName}" first.`);
     process.exit(1);
   }
   process.stdout.write(profile.access_token);
@@ -3018,8 +3149,16 @@ function showAuthStatus(profileNameOverride) {
   const profileCtx = ctx.profiles[profileName] ?? null;
   console.log(`Profile:     ${profileName}`);
   if (!profile) {
-    console.log("Auth mode:   none");
-    console.log('Token:       not authenticated (run "a8techads auth login")');
+    const clientConfig = loadOAuthClientConfig(profileName);
+    if (clientConfig) {
+      console.log("Auth mode:   client_credentials (configured)");
+      console.log(`Client ID:   ${clientConfig.client_id}`);
+      console.log("Token:       not cached (will be obtained on next command)");
+      console.log(`API URL:     ${clientConfig.api_url}`);
+    } else {
+      console.log("Auth mode:   none");
+      console.log('Token:       not authenticated (run "a8techads auth login")');
+    }
     return;
   }
   const isClientCreds = profileName.startsWith("client:");
@@ -3078,6 +3217,7 @@ function createAuthCommand() {
 Examples:
   $ a8techads auth login                           # Browser OAuth + PKCE
   $ a8techads auth login --client-id X --client-secret Y  # Client credentials
+  $ a8techads auth configure-client --client-id X --client-secret Y  # Save non-interactive client
   $ a8techads auth status                          # Show current auth state
   $ a8techads auth token                           # Print access token for scripting
   $ a8techads auth logout                          # Clear stored tokens`);
@@ -3086,10 +3226,10 @@ Examples:
 Browser mode (default): Opens browser for OAuth 2.1 Authorization Code + PKCE.
 Client credentials mode: Non-interactive auth using --client-id and --client-secret.
 
-Requires: network access to auth server.`).option("-p, --profile <name>", "Profile name (browser mode only)", "default").option("--api-url <url>", "API base URL (default: https://api.a8.tech)").option("--auth-url <url>", "Auth server URL (default: https://auth.a8.tech)").option("--client-id <id>", "OAuth client ID (enables client_credentials flow)").option("--client-secret <secret>", "OAuth client secret (requires --client-id)").option("--force-login", "Force login prompt even if browser session exists (use to switch users)").addHelpText("after", `
+Requires: network access to auth server.`).option("-p, --profile <name>", "Profile name (browser default: default; client default: client:<client-id>)").option("--api-url <url>", "API base URL (default: https://api.a8.tech)").option("--auth-url <url>", "Auth server URL (default: https://auth.a8.tech)").option("--client-id <id>", "OAuth client ID (enables client_credentials flow)").option("--client-secret <secret>", "OAuth client secret (requires --client-id)").option("--force-login", "Force login prompt even if browser session exists (use to switch users)").addHelpText("after", `
 Examples:
   $ a8techads auth login                               # Interactive browser login
-  $ a8techads auth login -p staging --api-url https://api.staging.a8.tech
+  $ a8techads auth login -p pilot --api-url https://api.a8.tech
   $ a8techads auth login --client-id svc-001 --client-secret s3cret
   $ a8techads auth login -p owner --force-login        # Switch to different user
 
@@ -3101,7 +3241,8 @@ Note: Client credentials tokens cannot be refreshed. The CLI will prompt
           clientId: opts.clientId,
           clientSecret: opts.clientSecret,
           apiUrl: opts.apiUrl,
-          authUrl: opts.authUrl
+          authUrl: opts.authUrl,
+          profile: opts.profile
         });
       } else if (opts.clientId || opts.clientSecret) {
         console.error("Error: Both --client-id and --client-secret are required for client credentials flow.");
@@ -3109,7 +3250,7 @@ Note: Client credentials tokens cannot be refreshed. The CLI will prompt
         process.exit(1);
       } else {
         await login({
-          profile: opts.profile,
+          profile: opts.profile ?? "default",
           apiUrl: opts.apiUrl,
           authUrl: opts.authUrl,
           forceLogin: opts.forceLogin
@@ -3121,12 +3262,41 @@ Note: Client credentials tokens cannot be refreshed. The CLI will prompt
       process.exit(1);
     }
   });
+  auth.command("configure-client").description(`Save OAuth client credentials for non-interactive CLI use.
+
+After configuration, normal CLI commands can obtain and renew access tokens via client_credentials without running auth login.`).requiredOption("--client-id <id>", "OAuth client ID").requiredOption("--client-secret <secret>", "OAuth client secret").option("-p, --profile <name>", "Profile name (default: client:<client-id>)").option("--api-url <url>", "API base URL (default: https://api.a8.tech)").option("--auth-url <url>", "Auth server URL (default: https://auth.a8.tech)").addHelpText("after", `
+Examples:
+  $ a8techads auth configure-client --client-id svc-001 --client-secret s3cret
+  $ a8techads campaigns list
+
+Environment-only alternative:
+  $ export A8TECHADS_CLIENT_ID=svc-001
+  $ export A8TECHADS_CLIENT_SECRET=s3cret
+  $ a8techads campaigns list`).action((opts) => {
+    const config = saveOAuthClientConfig({
+      clientId: opts.clientId,
+      clientSecret: opts.clientSecret,
+      apiUrl: opts.apiUrl,
+      authUrl: opts.authUrl,
+      profile: opts.profile
+    });
+    const creds = loadCredentials();
+    creds.current_profile = config.profile;
+    saveCredentials(creds);
+    const ctx = loadContext();
+    ctx.current_profile = config.profile;
+    saveContext(ctx);
+    console.log("OAuth client configured for non-interactive CLI use.");
+    console.log(`Profile: ${config.profile}`);
+    console.log(`API URL: ${config.api_url}`);
+    console.log("The client secret is stored in ~/.alpineads/oauth-client.json with mode 600.");
+  });
   auth.command("logout").description(`Clear stored tokens for a profile.
 
 Requires: an existing profile.`).option("-p, --profile <name>", "Profile name (default: current profile)").addHelpText("after", `
 Examples:
   $ a8techads auth logout                # Logout current profile
-  $ a8techads auth logout -p staging     # Logout specific profile`).action((opts) => {
+  $ a8techads auth logout -p pilot       # Logout specific profile`).action((opts) => {
     logout(opts.profile);
   });
   auth.command("token").description(`Output current access token to stdout.
@@ -3137,7 +3307,7 @@ cannot be refreshed — re-authenticate if expired.
 Requires: an active profile with valid credentials.`).option("-p, --profile <name>", "Profile name (default: current profile)").addHelpText("after", `
 Examples:
   $ a8techads auth token                 # Print token for current profile
-  $ a8techads auth token -p staging      # Print token for specific profile
+  $ a8techads auth token -p pilot        # Print token for specific profile
   $ curl -H "Authorization: Bearer $(a8techads auth token)" https://api.a8.tech/api/v1/dsp/me`).action(async (opts) => {
     try {
       await outputToken(opts.profile);
@@ -3164,20 +3334,31 @@ function createProfileCommand() {
   const profile = new Command("profile").description("Profile management");
   profile.command("list").description("List all profiles").action(() => {
     const creds = loadCredentials();
-    const profiles = Object.keys(creds.profiles);
+    const clientProfiles = getConfiguredOAuthClientProfiles();
+    const profiles = Array.from(new Set([
+      ...Object.keys(creds.profiles),
+      ...clientProfiles
+    ]));
     if (profiles.length === 0) {
-      console.log('No profiles. Run "a8techads auth login" to create one.');
+      console.log('No profiles. Run "a8techads auth login" or "a8techads auth configure-client" to create one.');
       return;
     }
     console.log(`Profiles:
 `);
     for (const name of profiles) {
       const p = creds.profiles[name];
+      const clientConfig = loadOAuthClientConfig(name);
       const marker = name === creds.current_profile ? " (active)" : "";
       console.log(`  ${name}${marker}`);
-      console.log(`    Email: ${p.email}`);
-      console.log(`    API:   ${p.api_url}`);
-      if (p.tenants.length > 0) {
+      if (p) {
+        console.log(`    Email: ${p.email}`);
+        console.log(`    API:   ${p.api_url}`);
+      } else if (clientConfig) {
+        console.log(`    Auth:  client_credentials (configured)`);
+        console.log(`    Client ID: ${clientConfig.client_id}`);
+        console.log(`    API:   ${clientConfig.api_url}`);
+      }
+      if (p?.tenants.length > 0) {
         console.log(`    Tenants: ${p.tenants.map((t) => `${t.tenant_name} (${t.tenant_id})`).join(", ")}`);
       }
       console.log();
@@ -3185,7 +3366,8 @@ function createProfileCommand() {
   });
   profile.command("use").description("Switch active profile").argument("<name>", "Profile name to switch to").action((name) => {
     const creds = loadCredentials();
-    if (!creds.profiles[name]) {
+    const clientConfigExists = hasConfiguredOAuthClientProfile(name);
+    if (!creds.profiles[name] && !clientConfigExists) {
       console.error(`Profile "${name}" not found. Run "a8techads profile list" to see available profiles.`);
       process.exit(1);
     }
@@ -3195,13 +3377,21 @@ function createProfileCommand() {
     ctx.current_profile = name;
     saveContext(ctx);
     const p = creds.profiles[name];
-    console.log(`Switched to profile "${name}" (${p.email})`);
+    if (p) {
+      console.log(`Switched to profile "${name}" (${p.email})`);
+    } else {
+      console.log(`Switched to profile "${name}" (client_credentials configured)`);
+    }
   });
   return profile;
 }
 
 // src/utils/http.ts
 async function apiRequest(opts) {
+  const request = await buildAuthenticatedRequest(opts);
+  return fetch(request.url, request.init);
+}
+async function buildAuthenticatedRequest(opts) {
   await refreshTokenIfNeeded();
   const creds = loadCredentials();
   const profile = getCurrentProfile(creds);
@@ -3216,21 +3406,23 @@ async function apiRequest(opts) {
     "Content-Type": "application/json",
     ...opts.headers
   };
-  if (context?.current_capability) {
-    headers["X-Effective-Capability"] = context.current_capability;
-  }
   if (context?.impersonation) {
     headers["X-Impersonate-Tenant"] = context.impersonation.target_tenant_id;
     if (context.impersonation.effective_capability) {
       headers["X-Impersonate-Capability"] = context.impersonation.effective_capability;
     }
+  } else if (context?.current_capability) {
+    headers["X-Effective-Capability"] = context.current_capability;
   }
-  const url = `${profile.api_url}${opts.path}`;
-  return fetch(url, {
-    method: opts.method ?? "GET",
-    headers,
-    body: opts.body ? JSON.stringify(opts.body) : undefined
-  });
+  const url = `${opts.baseUrl ?? profile.api_url}${opts.path}`;
+  return {
+    url,
+    init: {
+      method: opts.method ?? "GET",
+      headers,
+      body: opts.body ? JSON.stringify(opts.body) : undefined
+    }
+  };
 }
 function validateTenantMatch(accessToken, contextTenantId) {
   const claims = decodeJwt(accessToken);
@@ -3538,6 +3730,9 @@ function dspPrefix() {
 function sspPrefix() {
   return "/api/v1/ssp";
 }
+function consolePrefix() {
+  return "/api/v1/console";
+}
 
 // src/utils/output.ts
 function printData(data, columns, format = "table") {
@@ -3646,25 +3841,28 @@ Examples:
     printData(rows, COLUMNS, opts.format);
   });
   addFormatOption(cmd.command("get").description("Get audience details by ID.").argument("<id>", "Audience ID")).action(async (id, opts) => {
-    const resp = await apiRequest({ path: `${dspPrefix()}/audiences/${id}` });
-    const json = await resp.json();
-    if (!resp.ok) {
-      console.error(`Error: ${json.error ?? resp.statusText}`);
-      process.exit(1);
-    }
-    printDetail(json.data ?? json, opts.format);
+    const audience = await fetchAudience(id);
+    printDetail(audience, opts.format);
   });
-  cmd.command("create").description(`Create a new audience.
-
-Phase 1 only supports type UPLOADED_LIST.`).option("--name <name>", "Audience name (required)").option("--type <type>", "Audience type: UPLOADED_LIST or RETARGETING", "UPLOADED_LIST").option("--description <desc>", "Description").option("--ttl <days>", "Membership TTL in days (default: 90)", "90").option("--goal-id <id>", "Conversion goal ID (required for RETARGETING type)").option("--from-json <file>", "Create from JSON file").addHelpText("after", `
+  addFormatOption(cmd.command("size").description("Show the current estimated audience size.").argument("<id>", "Audience ID")).action(async (id, opts) => {
+    const audience = await fetchAudience(id);
+    const detail = {
+      id: audience.id,
+      name: audience.name,
+      status: audience.status,
+      estimatedSize: audience.estimatedSize ?? audience.estimated_size ?? null
+    };
+    printDetail(detail, opts.format);
+  });
+  cmd.command("create").description("Create a new audience.").option("--name <name>", "Audience name (required)").option("--type <type>", "Audience type: UPLOADED_LIST, RETARGETING, or LOOKALIKE", "UPLOADED_LIST").option("--description <desc>", "Description").option("--ttl <days>", "Membership TTL in days (default: 90)", "90").option("--goal-id <id>", "Conversion goal ID (required for RETARGETING type)").option("--seed <id>", "Seed audience ID (required for LOOKALIKE type)").option("--ratio <n>", "Expansion ratio for LOOKALIKE (default: 0.05)", "0.05").option("--from-json <file>", "Create from JSON file").addHelpText("after", `
 Examples:
   $ a8techads audiences create --name "High-Value Customers"
-  $ a8techads audiences create --name "Retarget Pool" --ttl 30
-  $ a8techads audiences create --from-json audience.json`).action(async (opts) => {
+  $ a8techads audiences create --name "Retarget Pool" --type RETARGETING --goal-id <id>
+  $ a8techads audiences create --name "Similar Users" --type LOOKALIKE --seed <id> --ratio 0.05`).action(async (opts) => {
     let body;
     if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
+      const { readFileSync: readFileSync4 } = await import("fs");
+      body = JSON.parse(readFileSync4(opts.fromJson, "utf-8"));
     } else {
       if (!opts.name) {
         console.error('Error: --name is required. Run "a8techads audiences create --help".');
@@ -3674,6 +3872,10 @@ Examples:
         console.error("Error: --goal-id is required for RETARGETING type.");
         process.exit(1);
       }
+      if (opts.type === "LOOKALIKE" && !opts.seed) {
+        console.error("Error: --seed is required for LOOKALIKE type.");
+        process.exit(1);
+      }
       body = {
         name: opts.name,
         type: opts.type,
@@ -3684,6 +3886,9 @@ Examples:
       if (opts.goalId) {
         body.rules = { source: "conversion_goal", goal_id: opts.goalId, action: "positive", recency_days: 30 };
       }
+      if (opts.seed) {
+        body.rules = { seed_audience_id: opts.seed, expansion_ratio: Number(opts.ratio) };
+      }
     }
     const resp = await apiRequest({ method: "POST", path: `${dspPrefix()}/audiences`, body });
     const json = await resp.json();
@@ -3763,10 +3968,10 @@ File format (one per line):
       console.error("Error: --file is required.");
       process.exit(1);
     }
-    const { readFileSync: readFileSync3 } = await import("fs");
+    const { readFileSync: readFileSync4 } = await import("fs");
     let identifiers;
     try {
-      const content = readFileSync3(opts.file, "utf-8").trim();
+      const content = readFileSync4(opts.file, "utf-8").trim();
       try {
         identifiers = JSON.parse(content);
         if (!Array.isArray(identifiers))
@@ -3796,17 +4001,130 @@ File format (one per line):
     }
     console.log(`Upload complete. Status: ${json.data?.status ?? json.status}, Members: ${json.data?.uploadedCount ?? json.uploadedCount ?? "?"}`);
   });
+  cmd.command("wait-ready").description("Poll audience status until it becomes READY, ACTIVE, or ERROR.").argument("<id>", "Audience ID").option("--timeout <seconds>", "Timeout in seconds", "120").option("--interval <seconds>", "Polling interval in seconds", "3").action(async (id, opts) => {
+    const timeoutMs = Number(opts.timeout) * 1000;
+    const intervalMs = Number(opts.interval) * 1000;
+    const started = Date.now();
+    while (true) {
+      const audience = await fetchAudience(id);
+      const status = audience.status;
+      const size = audience.estimatedSize ?? audience.estimated_size ?? null;
+      console.log(`Status: ${status}${size != null ? ` | Size: ${Number(size).toLocaleString()}` : ""}`);
+      if (status === "READY" || status === "ACTIVE") {
+        console.log(`Audience ${id} is ready.`);
+        return;
+      }
+      if (status === "ERROR" || status === "ARCHIVED") {
+        console.error(`Audience ${id} reached terminal status: ${status}`);
+        process.exit(1);
+      }
+      if (Date.now() - started >= timeoutMs) {
+        console.error(`Timed out waiting for audience ${id}.`);
+        process.exit(1);
+      }
+      await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    }
+  });
   return cmd;
 }
+async function fetchAudience(id) {
+  const resp = await apiRequest({ path: `${dspPrefix()}/audiences/${id}` });
+  const json = await resp.json();
+  if (!resp.ok) {
+    console.error(`Error: ${json.error ?? resp.statusText}`);
+    process.exit(1);
+  }
+  return json.data ?? json;
+}
 
 // src/commands/campaigns.ts
 var COLUMNS2 = [
   { key: "id", header: "ID", width: 36 },
   { key: "name", header: "NAME", width: 30 },
   { key: "status", header: "STATUS", width: 12 },
+  { key: "supplyProductCount", header: "SUPPLY", width: 8 },
   { key: "budget", header: "BUDGET", width: 10, format: (v) => v != null ? `$${Number(v).toFixed(2)}` : "-" },
   { key: "spent", header: "SPENT", width: 10, format: (v) => v != null ? `$${Number(v).toFixed(2)}` : "-" }
 ];
+function formatScalar(value) {
+  if (value === undefined || value === null)
+    return null;
+  if (Array.isArray(value))
+    return value.length > 0 ? value.join(",") : null;
+  if (typeof value === "object")
+    return JSON.stringify(value);
+  return value;
+}
+function formatSupplyProducts(value) {
+  if (!Array.isArray(value))
+    return null;
+  const names = value.map((item) => {
+    if (item && typeof item === "object" && "name" in item)
+      return String(item.name);
+    return null;
+  }).filter(Boolean);
+  return names.length > 0 ? names.join(", ") : null;
+}
+function printSectionedCampaignDetail(campaign) {
+  const sections = [
+    {
+      title: "Scope",
+      entries: {
+        id: campaign.id,
+        name: campaign.name,
+        status: campaign.status,
+        campaignMode: campaign.campaignMode,
+        categories: formatScalar(campaign.categories),
+        adFormat: campaign.adFormat,
+        adSize: formatScalar(campaign.adSize),
+        zoneTypes: formatScalar(campaign.zoneTypes)
+      }
+    },
+    {
+      title: "Budget And Pricing",
+      entries: {
+        dailyBudget: campaign.dailyBudget,
+        totalBudget: campaign.totalBudget,
+        pricingModel: campaign.pricingModel,
+        priceSettings: formatScalar(campaign.priceSettings)
+      }
+    },
+    {
+      title: "Supply Binding",
+      entries: {
+        supplyProductIds: formatScalar(campaign.supplyProductIds),
+        supplyProductCount: campaign.supplyProductCount ?? (Array.isArray(campaign.supplyProductIds) ? campaign.supplyProductIds.length : 0),
+        supplyProducts: formatSupplyProducts(campaign.supplyProducts),
+        sspPartnerIds: formatScalar(campaign.sspPartnerIds),
+        sourceMasking: formatScalar(campaign.sourceMasking)
+      }
+    },
+    {
+      title: "Delivery",
+      entries: {
+        startDate: campaign.startDate,
+        endDate: campaign.endDate,
+        timezone: campaign.timezone,
+        frequencyCap: formatScalar(campaign.frequencyCap),
+        targeting: formatScalar(campaign.targeting)
+      }
+    },
+    {
+      title: "Meta",
+      entries: {
+        createdAt: campaign.createdAt,
+        updatedAt: campaign.updatedAt,
+        version: campaign.version
+      }
+    }
+  ];
+  for (const [index, section] of sections.entries()) {
+    console.log(section.title);
+    printDetail(section.entries, "table");
+    if (index < sections.length - 1)
+      console.log("");
+  }
+}
 function createCampaignsCommand() {
   const cmd = new Command("campaigns").description(`Campaign management (DSP)
 
@@ -3815,6 +4133,7 @@ Examples:
   $ a8techads campaigns list
   $ a8techads campaigns get <id>
   $ a8techads campaigns create --name "Summer Sale" --budget 500
+  $ a8techads campaigns update <id> --max-bid 6
   $ a8techads campaigns pause <id>`);
   addFormatOption(cmd.command("list").description("List campaigns with optional filters.").option("--status <status>", "Filter by status (draft, active, paused, etc.)").option("--limit <n>", "Max results", "20")).action(async (opts) => {
     const params = new URLSearchParams;
@@ -3831,6 +4150,7 @@ Examples:
       id: c.id,
       name: c.name,
       status: c.status,
+      supplyProductCount: c.supplyProductCount ?? (Array.isArray(c.supplyProductIds) ? c.supplyProductIds.length : 0),
       budget: c.budget ?? c.dailyBudget,
       spent: c.stats?.spend ?? c.spent
     }));
@@ -3843,7 +4163,12 @@ Examples:
       console.error(`Error: ${json.error ?? resp.statusText}`);
       process.exit(1);
     }
-    printDetail(json.data ?? json, opts.format);
+    const data = json.data ?? json;
+    if (opts.format !== "json") {
+      printSectionedCampaignDetail(data);
+      return;
+    }
+    printDetail(data, opts.format);
   });
   addFormatOption(cmd.command("stats").description("Get campaign performance statistics.").argument("<id>", "Campaign ID").option("--from <date>", "Start date (YYYY-MM-DD)").option("--to <date>", "End date (YYYY-MM-DD)")).action(async (id, opts) => {
     const params = new URLSearchParams;
@@ -3861,14 +4186,15 @@ Examples:
   });
   cmd.command("create").description(`Create a new campaign.
 
-Requires: ADVERTISER capability, advertiser_admin or advertiser_member role.`).option("--name <name>", "Campaign name (required)").option("--budget <amount>", "Daily budget in dollars").option("--from-json <file>", "Create from JSON file").addHelpText("after", `
+Requires: ADVERTISER capability, advertiser_admin or advertiser_member role.`).option("--name <name>", "Campaign name (required)").option("--budget <amount>", "Daily budget in dollars").option("--max-bid <amount>", "Maximum bid ceiling to store in priceSettings.maxBid").option("--supply-products <ids>", "Comma-separated supply product bindings").option("--preferred-supply <ids>", "Deprecated alias for --supply-products").option("--from-json <file>", "Create from JSON file").addHelpText("after", `
 Examples:
   $ a8techads campaigns create --name "Summer Sale" --budget 500
+  $ a8techads campaigns create --name "Pilot Supply Binding" --budget 500 --supply-products <supply-product-id>
   $ a8techads campaigns create --from-json campaign.json`).action(async (opts) => {
     let body;
     if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
+      const { readFileSync: readFileSync4 } = await import("fs");
+      body = JSON.parse(readFileSync4(opts.fromJson, "utf-8"));
     } else {
       if (!opts.name) {
         console.error('Error: --name is required. Run "a8techads campaigns create --help".');
@@ -3877,6 +4203,11 @@ Examples:
       body = { name: opts.name };
       if (opts.budget)
         body.dailyBudget = Number(opts.budget);
+      if (opts.maxBid)
+        body.priceSettings = { maxBid: Number(opts.maxBid) };
+      const supplyProducts = opts.supplyProducts ?? opts.preferredSupply;
+      if (supplyProducts)
+        body.supplyProductIds = parseCsvList(supplyProducts);
     }
     const resp = await apiRequest({ method: "POST", path: `${dspPrefix()}/campaigns`, body });
     const json = await resp.json();
@@ -3886,17 +4217,52 @@ Examples:
     }
     console.log(`Campaign created: ${json.data?.id ?? json.id}`);
   });
-  cmd.command("update").description("Update an existing campaign.").argument("<id>", "Campaign ID").option("--name <name>", "New name").option("--budget <amount>", "New daily budget").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
+  cmd.command("update").description("Update an existing campaign.").argument("<id>", "Campaign ID").option("--name <name>", "New name").option("--budget <amount>", "New daily budget").option("--max-bid <amount>", "Set priceSettings.maxBid without overwriting existing price settings").option("--clear-max-bid", "Remove priceSettings.maxBid without overwriting other price settings").option("--supply-products <ids>", "Comma-separated supply product bindings").option("--preferred-supply <ids>", "Deprecated alias for --supply-products").option("--clear-supply-products", "Remove all supply product bindings").option("--clear-preferred-supply", "Deprecated alias for --clear-supply-products").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
     let body;
     if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
+      const { readFileSync: readFileSync4 } = await import("fs");
+      body = JSON.parse(readFileSync4(opts.fromJson, "utf-8"));
     } else {
       body = {};
       if (opts.name)
         body.name = opts.name;
       if (opts.budget)
         body.dailyBudget = Number(opts.budget);
+      if (opts.maxBid && opts.clearMaxBid) {
+        console.error("Error: use either --max-bid or --clear-max-bid, not both.");
+        process.exit(1);
+      }
+      const supplyProducts = opts.supplyProducts ?? opts.preferredSupply;
+      const clearSupplyProducts = opts.clearSupplyProducts || opts.clearPreferredSupply;
+      if (supplyProducts && clearSupplyProducts) {
+        console.error("Error: use either --supply-products or --clear-supply-products, not both.");
+        process.exit(1);
+      }
+      const updatesSupplyBindings = Boolean(supplyProducts || clearSupplyProducts);
+      if (updatesSupplyBindings) {
+        const campaign = await fetchCampaign(id);
+        if (String(campaign.status || "").toUpperCase() === "ACTIVE") {
+          console.error("Error: active campaigns cannot change supply product bindings via update.");
+          console.error(`Next steps:`);
+          console.error(`  a8techads campaigns pause ${id}`);
+          console.error(`  a8techads campaigns update ${id} ${supplyProducts ? `--supply-products ${supplyProducts}` : "--clear-supply-products"}`);
+          console.error(`  a8techads campaigns resume ${id}`);
+          process.exit(1);
+        }
+      }
+      if (opts.maxBid || opts.clearMaxBid) {
+        const campaign = await fetchCampaign(id);
+        const priceSettings = normalizePriceSettings(campaign.priceSettings);
+        if (opts.maxBid)
+          priceSettings.maxBid = Number(opts.maxBid);
+        if (opts.clearMaxBid)
+          delete priceSettings.maxBid;
+        body.priceSettings = priceSettings;
+      }
+      if (supplyProducts)
+        body.supplyProductIds = parseCsvList(supplyProducts);
+      if (clearSupplyProducts)
+        body.supplyProductIds = [];
     }
     const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/campaigns/${id}`, body });
     if (!resp.ok) {
@@ -3942,8 +4308,181 @@ Examples:
     }
     console.log(`Campaign duplicated. New ID: ${json.data?.id ?? json.id}`);
   });
+  const targetingCmd = new Command("targeting").description("Show or update campaign targeting without editing full JSON.").addHelpText("after", `
+Examples:
+  $ a8techads campaigns targeting show <campaign-id>
+  $ a8techads campaigns targeting set-geo <campaign-id> --countries US,CA --mode target
+  $ a8techads campaigns targeting add-audience <campaign-id> --audience <id> --mode include
+  $ a8techads campaigns targeting set-day-parting <campaign-id> --timezone UTC --from-json schedule.json`);
+  addFormatOption(targetingCmd.command("show").description("Show campaign targeting, audience include/exclude, and day parting.").argument("<id>", "Campaign ID")).action(async (id, opts) => {
+    const campaign = await fetchCampaign(id);
+    const detail = {
+      campaignId: campaign.id,
+      campaignName: campaign.name,
+      targeting: campaign.targeting ?? {},
+      timezone: campaign.timezone ?? "UTC",
+      dayParting: campaign.dayParting ?? null
+    };
+    printDetail(detail, opts.format);
+  });
+  targetingCmd.command("set-geo").description("Replace campaign geo countries and mode.").argument("<id>", "Campaign ID").requiredOption("--countries <codes>", "Comma-separated country codes, e.g. US,CA").option("--mode <mode>", "target or block", "target").action(async (id, opts) => {
+    const campaign = await fetchCampaign(id);
+    const targeting = normalizeTargeting(campaign.targeting);
+    const countries = parseCsvList(opts.countries);
+    const mode = opts.mode === "block" ? "block" : "target";
+    targeting.geo = {
+      ...targeting.geo ?? {},
+      countries,
+      mode,
+      countriesMode: mode
+    };
+    await patchCampaign(id, { targeting });
+    console.log(`Campaign ${id} geo targeting updated.`);
+  });
+  targetingCmd.command("add-audience").description("Add an audience to include or exclude targeting.").argument("<id>", "Campaign ID").requiredOption("--audience <audience-id>", "Audience ID").requiredOption("--mode <mode>", "include or exclude").action(async (id, opts) => {
+    const mode = normalizeAudienceMode(opts.mode);
+    const campaign = await fetchCampaign(id);
+    const targeting = normalizeTargeting(campaign.targeting);
+    const audiences = normalizeAudiences(targeting.audiences);
+    const list = new Set(mode === "include" ? audiences.include : audiences.exclude);
+    list.add(opts.audience);
+    targeting.audiences = {
+      ...audiences,
+      [mode]: Array.from(list)
+    };
+    await patchCampaign(id, { targeting });
+    console.log(`Campaign ${id} audience ${opts.audience} added to ${mode}.`);
+  });
+  targetingCmd.command("remove-audience").description("Remove an audience from include or exclude targeting.").argument("<id>", "Campaign ID").requiredOption("--audience <audience-id>", "Audience ID").requiredOption("--mode <mode>", "include or exclude").action(async (id, opts) => {
+    const mode = normalizeAudienceMode(opts.mode);
+    const campaign = await fetchCampaign(id);
+    const targeting = normalizeTargeting(campaign.targeting);
+    const audiences = normalizeAudiences(targeting.audiences);
+    targeting.audiences = {
+      ...audiences,
+      [mode]: (mode === "include" ? audiences.include : audiences.exclude).filter((audId) => audId !== opts.audience)
+    };
+    await patchCampaign(id, { targeting });
+    console.log(`Campaign ${id} audience ${opts.audience} removed from ${mode}.`);
+  });
+  targetingCmd.command("set-day-parting").description("Set or disable day parting schedule.").argument("<id>", "Campaign ID").option("--timezone <tz>", "Timezone (default: keep existing or UTC)").option("--from-json <file>", "Schedule JSON file").option("--disable", "Disable day parting").action(async (id, opts) => {
+    if (!opts.disable && !opts.fromJson) {
+      console.error("Error: provide --from-json <file> or --disable.");
+      process.exit(1);
+    }
+    const campaign = await fetchCampaign(id);
+    let dayParting;
+    if (opts.disable) {
+      dayParting = null;
+    } else {
+      const { readFileSync: readFileSync4 } = await import("fs");
+      dayParting = JSON.parse(readFileSync4(opts.fromJson, "utf-8"));
+    }
+    await patchCampaign(id, {
+      dayParting,
+      timezone: opts.timezone ?? campaign.timezone ?? "UTC"
+    });
+    console.log(`Campaign ${id} day parting updated.`);
+  });
+  for (const [resourceName, field] of [
+    ["domain", "domains"],
+    ["keyword", "keywords"],
+    ["ip-range", "ipRanges"]
+  ]) {
+    targetingCmd.command(`add-${resourceName}`).description(`Add a ${resourceName} to targeting list.`).argument("<id>", "Campaign ID").requiredOption(`--${resourceName} <value>`, `Value to add`).option("--mode <mode>", "target or block (default: keep current or target)", "target").action(async (id, opts) => {
+      const campaign = await fetchCampaign(id);
+      const targeting = normalizeTargeting(campaign.targeting);
+      const existing = normalizeListTargeting(targeting[field]);
+      const value = String(opts[camelizeOption(resourceName)]).trim();
+      if (!value) {
+        console.error(`Error: --${resourceName} is required.`);
+        process.exit(1);
+      }
+      const list = new Set(existing.list);
+      list.add(value);
+      targeting[field] = {
+        mode: opts.mode === "block" ? "block" : existing.mode,
+        list: Array.from(list)
+      };
+      await patchCampaign(id, { targeting });
+      console.log(`Campaign ${id} ${resourceName} added.`);
+    });
+    targetingCmd.command(`remove-${resourceName}`).description(`Remove a ${resourceName} from targeting list.`).argument("<id>", "Campaign ID").requiredOption(`--${resourceName} <value>`, `Value to remove`).action(async (id, opts) => {
+      const campaign = await fetchCampaign(id);
+      const targeting = normalizeTargeting(campaign.targeting);
+      const existing = normalizeListTargeting(targeting[field]);
+      const value = String(opts[camelizeOption(resourceName)]).trim();
+      targeting[field] = {
+        ...existing,
+        list: existing.list.filter((item) => item !== value)
+      };
+      await patchCampaign(id, { targeting });
+      console.log(`Campaign ${id} ${resourceName} removed.`);
+    });
+    targetingCmd.command(`set-${resourceName}-mode`).description(`Set ${resourceName} targeting mode.`).argument("<id>", "Campaign ID").requiredOption("--mode <mode>", "target or block").action(async (id, opts) => {
+      const campaign = await fetchCampaign(id);
+      const targeting = normalizeTargeting(campaign.targeting);
+      const existing = normalizeListTargeting(targeting[field]);
+      targeting[field] = {
+        ...existing,
+        mode: opts.mode === "block" ? "block" : "target"
+      };
+      await patchCampaign(id, { targeting });
+      console.log(`Campaign ${id} ${resourceName} mode updated.`);
+    });
+  }
+  cmd.addCommand(targetingCmd);
   return cmd;
 }
+async function fetchCampaign(id) {
+  const resp = await apiRequest({ path: `${dspPrefix()}/campaigns/${id}` });
+  const json = await resp.json();
+  if (!resp.ok) {
+    console.error(`Error: ${json.error ?? resp.statusText}`);
+    process.exit(1);
+  }
+  return json.data ?? json;
+}
+async function patchCampaign(id, body) {
+  const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/campaigns/${id}`, body });
+  const json = await resp.json().catch(() => ({}));
+  if (!resp.ok) {
+    console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+    process.exit(1);
+  }
+}
+function parseCsvList(value) {
+  return value.split(",").map((item) => item.trim()).filter(Boolean);
+}
+function normalizeAudienceMode(value) {
+  const normalized = String(value).toLowerCase();
+  if (normalized !== "include" && normalized !== "exclude") {
+    console.error("Error: --mode must be include or exclude.");
+    process.exit(1);
+  }
+  return normalized;
+}
+function normalizeTargeting(targeting) {
+  return targeting && typeof targeting === "object" ? { ...targeting } : {};
+}
+function normalizeAudiences(audiences) {
+  return {
+    include: Array.isArray(audiences?.include) ? audiences.include : [],
+    exclude: Array.isArray(audiences?.exclude) ? audiences.exclude : []
+  };
+}
+function normalizeListTargeting(value) {
+  return {
+    mode: value?.mode === "block" ? "block" : "target",
+    list: Array.isArray(value?.list) ? value.list : []
+  };
+}
+function normalizePriceSettings(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? { ...value } : {};
+}
+function camelizeOption(value) {
+  return value.replace(/-([a-z])/g, (_, char) => char.toUpperCase());
+}
 
 // src/commands/variations.ts
 var COLUMNS3 = [
@@ -3991,8 +4530,8 @@ Examples:
   cmd.command("create").description("Create a new ad variation.").option("--campaign <id>", "Campaign ID (required)").option("--name <name>", "Variation name (required)").option("--from-json <file>", "Create from JSON file").action(async (opts) => {
     let body;
     if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
+      const { readFileSync: readFileSync4 } = await import("fs");
+      body = JSON.parse(readFileSync4(opts.fromJson, "utf-8"));
     } else {
       if (!opts.campaign || !opts.name) {
         console.error("Error: --campaign and --name are required.");
@@ -4011,8 +4550,8 @@ Examples:
   cmd.command("update").description("Update a variation.").argument("<id>", "Variation ID").option("--name <name>", "New name").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
     let body;
     if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
+      const { readFileSync: readFileSync4 } = await import("fs");
+      body = JSON.parse(readFileSync4(opts.fromJson, "utf-8"));
     } else {
       body = {};
       if (opts.name)
@@ -4038,47 +4577,144 @@ Examples:
     }
     console.log(`Variation ${id} deleted.`);
   });
+  cmd.command("submit").description("Submit a variation for approval.").argument("<id>", "Variation ID").action(async (id) => {
+    const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/variations/${id}/submit` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Variation ${id} submitted.`);
+  });
+  cmd.command("pause").description("Pause an active variation.").argument("<id>", "Variation ID").action(async (id) => {
+    const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/variations/${id}/pause` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Variation ${id} paused.`);
+  });
+  cmd.command("resume").description("Resume a paused variation.").argument("<id>", "Variation ID").action(async (id) => {
+    const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/variations/${id}/resume` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Variation ${id} resumed.`);
+  });
+  cmd.command("archive").description("Archive a variation.").argument("<id>", "Variation ID").action(async (id) => {
+    const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/variations/${id}/archive` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Variation ${id} archived.`);
+  });
   return cmd;
 }
 
-// src/commands/sites.ts
+// src/commands/media-assets.ts
+import { basename, extname } from "node:path";
+import { readFileSync as readFileSync4 } from "node:fs";
 var COLUMNS4 = [
   { key: "id", header: "ID", width: 36 },
-  { key: "name", header: "NAME", width: 25 },
-  { key: "domain", header: "DOMAIN", width: 25 },
-  { key: "status", header: "STATUS", width: 12 },
-  { key: "zoneCount", header: "ZONES", width: 6 }
+  { key: "name", header: "NAME", width: 24 },
+  { key: "type", header: "TYPE", width: 10 },
+  { key: "status", header: "STATUS", width: 10 },
+  { key: "adFormat", header: "FORMAT", width: 12 },
+  { key: "mimeType", header: "MIME", width: 20 }
 ];
-function createSitesCommand() {
-  const cmd = new Command("sites").description(`Site management (SSP)
+function inferMimeType(filePath) {
+  switch (extname(filePath).toLowerCase()) {
+    case ".png":
+      return "image/png";
+    case ".jpg":
+    case ".jpeg":
+      return "image/jpeg";
+    case ".gif":
+      return "image/gif";
+    case ".webp":
+      return "image/webp";
+    case ".svg":
+      return "image/svg+xml";
+    case ".mp4":
+      return "video/mp4";
+    case ".mov":
+      return "video/quicktime";
+    case ".html":
+      return "text/html";
+    case ".txt":
+      return "text/plain";
+    default:
+      return "application/octet-stream";
+  }
+}
+function normalizeAsset(asset) {
+  return {
+    id: asset.id,
+    name: asset.name,
+    type: asset.type,
+    status: asset.status,
+    adFormat: asset.adFormat ?? asset.ad_format,
+    mimeType: asset.mimeType ?? asset.mime_type
+  };
+}
+function createMediaAssetsCommand() {
+  const cmd = new Command("media-assets").description(`Media library management (DSP)
 
-Requires: PUBLISHER capability.`).addHelpText("after", `
+Requires: ADVERTISER capability.`).addHelpText("after", `
 Examples:
-  $ a8techads sites list
-  $ a8techads sites get <id>
-  $ a8techads sites create --name "My Blog" --domain blog.example.com`);
-  addFormatOption(cmd.command("list").description("List publisher sites.").option("--status <status>", "Filter by status").option("--limit <n>", "Max results", "20")).action(async (opts) => {
+  $ a8techads media-assets list
+  $ a8techads media-assets get <id>
+  $ a8techads media-assets upload --file ./banner.png --ad-format BANNER
+  $ a8techads media-assets pause <id>`);
+  addFormatOption(cmd.command("list").description("List media assets.").option("--status <status>", "Filter by status").option("--type <type>", "Filter by type").option("--ad-format <format>", "Filter by ad format").option("--search <text>", "Search by name").option("--limit <n>", "Max results", "20").option("--offset <n>", "Offset", "0")).action(async (opts) => {
     const params = new URLSearchParams;
+    params.set("limit", opts.limit);
+    params.set("offset", opts.offset);
     if (opts.status)
       params.set("status", opts.status);
+    if (opts.type)
+      params.set("type", opts.type);
+    if (opts.adFormat)
+      params.set("adFormat", opts.adFormat);
+    if (opts.search)
+      params.set("search", opts.search);
+    const resp = await apiRequest({ path: `${dspPrefix()}/media-assets?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map(normalizeAsset);
+    printData(rows, COLUMNS4, opts.format);
+  });
+  addFormatOption(cmd.command("active").description("List active media assets.").option("--ad-format <format>", "Filter by ad format").option("--width <n>", "Required width").option("--height <n>", "Required height").option("--limit <n>", "Max results", "20").option("--offset <n>", "Offset", "0")).action(async (opts) => {
+    const params = new URLSearchParams;
     params.set("limit", opts.limit);
-    const resp = await apiRequest({ path: `${sspPrefix()}/sites?${params}` });
+    params.set("offset", opts.offset);
+    if (opts.adFormat)
+      params.set("adFormat", opts.adFormat);
+    if (opts.width)
+      params.set("width", opts.width);
+    if (opts.height)
+      params.set("height", opts.height);
+    const resp = await apiRequest({
+      path: `${dspPrefix()}/media-assets/active?${params}`
+    });
     const json = await resp.json();
     if (!resp.ok) {
       console.error(`Error: ${json.error ?? resp.statusText}`);
       process.exit(1);
     }
-    const rows = (json.data ?? json).map((s) => ({
-      id: s.id,
-      name: s.name,
-      domain: s.domain,
-      status: s.status,
-      zoneCount: s.zoneCount ?? s.zone_count ?? "-"
-    }));
+    const rows = (json.data ?? json).map(normalizeAsset);
     printData(rows, COLUMNS4, opts.format);
   });
-  addFormatOption(cmd.command("get").description("Get site details by ID.").argument("<id>", "Site ID")).action(async (id, opts) => {
-    const resp = await apiRequest({ path: `${sspPrefix()}/sites/${id}` });
+  addFormatOption(cmd.command("get").description("Get media asset details.").argument("<id>", "Media asset ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/media-assets/${id}` });
     const json = await resp.json();
     if (!resp.ok) {
       console.error(`Error: ${json.error ?? resp.statusText}`);
@@ -4086,37 +4722,274 @@ Examples:
     }
     printDetail(json.data ?? json, opts.format);
   });
-  cmd.command("create").description("Create a new site.").option("--name <name>", "Site name (required)").option("--domain <domain>", "Site domain (required)").option("--type <type>", "Site type: WEB, APP, CTV", "WEB").option("--from-json <file>", "Create from JSON file").action(async (opts) => {
-    let body;
-    if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
-    } else {
-      if (!opts.name || !opts.domain) {
-        console.error("Error: --name and --domain are required.");
-        process.exit(1);
-      }
-      body = { name: opts.name, domain: opts.domain, type: opts.type };
-    }
-    const resp = await apiRequest({ method: "POST", path: `${sspPrefix()}/sites`, body });
+  addFormatOption(cmd.command("size-limits").description("Get media asset size limits.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/media-assets/size-limits` });
     const json = await resp.json();
     if (!resp.ok) {
       console.error(`Error: ${json.error ?? resp.statusText}`);
       process.exit(1);
     }
-    console.log(`Site created: ${json.data?.id ?? json.id}`);
+    printDetail(json.data ?? json, opts.format);
   });
-  cmd.command("update").description("Update a site.").argument("<id>", "Site ID").option("--name <name>", "New name").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
-    let body;
-    if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
-    } else {
-      body = {};
-      if (opts.name)
-        body.name = opts.name;
-    }
-    const resp = await apiRequest({ method: "PATCH", path: `${sspPrefix()}/sites/${id}`, body });
+  cmd.command("upload").description("Upload a media asset file.").requiredOption("--file <path>", "Path to local file").option("--name <name>", "Override asset name").option("--ad-format <format>", "Ad format, e.g. BANNER, NATIVE, VIDEO").action(async (opts) => {
+    const filePath = opts.file;
+    const fileName = basename(filePath);
+    const request = await buildAuthenticatedRequest({
+      method: "POST",
+      path: `${dspPrefix()}/media-assets/upload`,
+      headers: {}
+    });
+    const headers = new Headers(request.init.headers);
+    headers.delete("Content-Type");
+    const body = new FormData;
+    const fileBytes = readFileSync4(filePath);
+    body.append("file", new Blob([fileBytes], { type: inferMimeType(filePath) }), fileName);
+    if (opts.name)
+      body.append("name", opts.name);
+    if (opts.adFormat)
+      body.append("adFormat", opts.adFormat);
+    const resp = await fetch(request.url, {
+      ...request.init,
+      headers,
+      body
+    });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const asset = json.data ?? json;
+    console.log(`Media asset uploaded: ${asset.id}`);
+    if (asset.name)
+      console.log(`  Name: ${asset.name}`);
+    if (asset.cdnUrl ?? asset.cdn_url) {
+      console.log(`  CDN URL: ${asset.cdnUrl ?? asset.cdn_url}`);
+    }
+  });
+  cmd.command("update").description("Update media asset metadata.").argument("<id>", "Media asset ID").option("--name <name>", "New name").option("--description <text>", "New description").option("--product-category <value>", "Product category").option("--target-audience <value>", "Target audience").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
+    let body = {};
+    if (opts.fromJson) {
+      body = JSON.parse(readFileSync4(opts.fromJson, "utf-8"));
+    } else {
+      if (opts.name)
+        body.name = opts.name;
+      if (opts.description)
+        body.description = opts.description;
+      if (opts.productCategory)
+        body.productCategory = opts.productCategory;
+      if (opts.targetAudience)
+        body.targetAudience = opts.targetAudience;
+    }
+    const resp = await apiRequest({
+      method: "PATCH",
+      path: `${dspPrefix()}/media-assets/${id}`,
+      body
+    });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Media asset ${id} updated.`);
+  });
+  cmd.command("delete").description("Delete a media asset.").argument("<id>", "Media asset ID").option("--yes", "Skip confirmation").action(async (id, opts) => {
+    if (!opts.yes) {
+      console.error("Add --yes to confirm deletion.");
+      process.exit(1);
+    }
+    const resp = await apiRequest({
+      method: "DELETE",
+      path: `${dspPrefix()}/media-assets/${id}`
+    });
+    if (!resp.ok && resp.status !== 204) {
+      const json = await resp.json();
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Media asset ${id} deleted.`);
+  });
+  for (const action of ["pause", "resume", "archive", "unarchive"]) {
+    cmd.command(action).description(`${action.charAt(0).toUpperCase() + action.slice(1)} a media asset.`).argument("<id>", "Media asset ID").action(async (id) => {
+      const resp = await apiRequest({
+        method: "PATCH",
+        path: `${dspPrefix()}/media-assets/${id}/${action}`,
+        body: {}
+      });
+      const json = await resp.json();
+      if (!resp.ok) {
+        console.error(`Error: ${json.error ?? resp.statusText}`);
+        process.exit(1);
+      }
+      console.log(`Media asset ${id} ${action}d.`);
+    });
+  }
+  return cmd;
+}
+
+// src/commands/landing-pages.ts
+var GROUP_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 28 },
+  { key: "status", header: "STATUS", width: 10 },
+  { key: "distributionAlgorithm", header: "DISTRIBUTION", width: 14 },
+  { key: "pagesCount", header: "PAGES", width: 8 }
+];
+var PAGE_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 24 },
+  { key: "status", header: "STATUS", width: 10 },
+  { key: "weight", header: "WEIGHT", width: 8 },
+  { key: "url", header: "URL", width: 60 }
+];
+function createLandingPagesCommand() {
+  const cmd = new Command("landing-pages").description(`Landing page groups and pages (DSP)
+
+Requires: ADVERTISER capability.`).addHelpText("after", `
+Examples:
+  $ a8techads landing-pages list
+  $ a8techads landing-pages active
+  $ a8techads landing-pages get <group-id>
+  $ a8techads landing-pages pages <group-id>`);
+  addFormatOption(cmd.command("list").description("List landing page groups.").option("--status <status>", "Filter by status").option("--limit <n>", "Max results", "50")).action(async (opts) => {
+    const params = new URLSearchParams;
+    if (opts.status)
+      params.set("status", opts.status);
+    params.set("limit", opts.limit);
+    const resp = await apiRequest({ path: `${dspPrefix()}/landing-page-groups?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((g) => ({
+      id: g.id,
+      name: g.name,
+      status: g.status,
+      distributionAlgorithm: g.distributionAlgorithm ?? g.distribution_algorithm,
+      pagesCount: g.pagesCount ?? g.pages_count ?? 0
+    }));
+    printData(rows, GROUP_COLUMNS, opts.format);
+  });
+  addFormatOption(cmd.command("active").description("List active landing page groups.")).action(async (_arg, opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/landing-page-groups/active` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((g) => ({
+      id: g.id,
+      name: g.name,
+      status: g.status,
+      distributionAlgorithm: g.distributionAlgorithm ?? g.distribution_algorithm,
+      pagesCount: g.pagesCount ?? g.pages_count ?? 0
+    }));
+    printData(rows, GROUP_COLUMNS, opts.format);
+  });
+  addFormatOption(cmd.command("get").description("Get landing page group details.").argument("<id>", "Landing page group ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/landing-page-groups/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  addFormatOption(cmd.command("pages").description("List landing pages in a landing page group.").argument("<group-id>", "Landing page group ID")).action(async (groupId, opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/landing-page-groups/${groupId}/pages` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((page) => ({
+      id: page.id,
+      name: page.name,
+      status: page.status,
+      weight: page.weight,
+      url: page.url
+    }));
+    printData(rows, PAGE_COLUMNS, opts.format);
+  });
+  return cmd;
+}
+
+// src/commands/sites.ts
+var COLUMNS5 = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 25 },
+  { key: "domain", header: "DOMAIN", width: 25 },
+  { key: "status", header: "STATUS", width: 12 },
+  { key: "zoneCount", header: "ZONES", width: 6 }
+];
+function createSitesCommand() {
+  const cmd = new Command("sites").description(`Site management (SSP)
+
+Requires: PUBLISHER capability.`).addHelpText("after", `
+Examples:
+  $ a8techads sites list
+  $ a8techads sites get <id>
+  $ a8techads sites create --name "My Blog" --domain blog.example.com`);
+  addFormatOption(cmd.command("list").description("List publisher sites.").option("--status <status>", "Filter by status").option("--limit <n>", "Max results", "20")).action(async (opts) => {
+    const params = new URLSearchParams;
+    if (opts.status)
+      params.set("status", opts.status);
+    params.set("limit", opts.limit);
+    const resp = await apiRequest({ path: `${sspPrefix()}/sites?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((s) => ({
+      id: s.id,
+      name: s.name,
+      domain: s.domain,
+      status: s.status,
+      zoneCount: s.zoneCount ?? s.zone_count ?? "-"
+    }));
+    printData(rows, COLUMNS5, opts.format);
+  });
+  addFormatOption(cmd.command("get").description("Get site details by ID.").argument("<id>", "Site ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${sspPrefix()}/sites/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  cmd.command("create").description("Create a new site.").option("--name <name>", "Site name (required)").option("--domain <domain>", "Site domain (required)").option("--type <type>", "Site type: WEB, APP, CTV", "WEB").option("--from-json <file>", "Create from JSON file").action(async (opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync5 } = await import("fs");
+      body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
+    } else {
+      if (!opts.name || !opts.domain) {
+        console.error("Error: --name and --domain are required.");
+        process.exit(1);
+      }
+      body = { name: opts.name, domain: opts.domain, type: opts.type };
+    }
+    const resp = await apiRequest({ method: "POST", path: `${sspPrefix()}/sites`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Site created: ${json.data?.id ?? json.id}`);
+  });
+  cmd.command("update").description("Update a site.").argument("<id>", "Site ID").option("--name <name>", "New name").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync5 } = await import("fs");
+      body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
+    } else {
+      body = {};
+      if (opts.name)
+        body.name = opts.name;
+    }
+    const resp = await apiRequest({ method: "PATCH", path: `${sspPrefix()}/sites/${id}`, body });
     if (!resp.ok) {
       const j = await resp.json();
       console.error(`Error: ${j.error ?? resp.statusText}`);
@@ -4161,7 +5034,7 @@ Examples:
 }
 
 // src/commands/zones.ts
-var COLUMNS5 = [
+var COLUMNS6 = [
   { key: "id", header: "ID", width: 36 },
   { key: "name", header: "NAME", width: 25 },
   { key: "format", header: "FORMAT", width: 18 },
@@ -4193,7 +5066,7 @@ Examples:
       format: z.adFormat ?? z.ad_format ?? "-",
       status: z.status
     }));
-    printData(rows, COLUMNS5, opts.format);
+    printData(rows, COLUMNS6, opts.format);
   });
   addFormatOption(cmd.command("get").description("Get zone details by ID.").argument("<id>", "Zone ID")).action(async (id, opts) => {
     const resp = await apiRequest({ path: `${sspPrefix()}/zones/${id}` });
@@ -4207,8 +5080,8 @@ Examples:
   cmd.command("create").description("Create a new ad zone.").option("--site <id>", "Site ID (required)").option("--name <name>", "Zone name (required)").option("--format <format>", "Ad format (e.g., banner_300x250)").option("--from-json <file>", "Create from JSON file").action(async (opts) => {
     let body;
     if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
+      const { readFileSync: readFileSync5 } = await import("fs");
+      body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
     } else {
       if (!opts.site || !opts.name) {
         console.error("Error: --site and --name are required.");
@@ -4229,8 +5102,8 @@ Examples:
   cmd.command("update").description("Update a zone.").argument("<id>", "Zone ID").option("--name <name>", "New name").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
     let body;
     if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
+      const { readFileSync: readFileSync5 } = await import("fs");
+      body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
     } else {
       body = {};
       if (opts.name)
@@ -4279,11 +5152,12 @@ Examples:
   $ a8techads reports templates`);
   addFormatOption(cmd.command("query").description(`Execute an ad-hoc analytics query.
 
-Requires: authenticated profile with DSP or SSP capability.`).option("--metrics <list>", "Comma-separated metrics (e.g., spend,impressions,clicks,ctr)", "impressions,clicks,spend").option("--dimensions <list>", "Comma-separated dimensions (e.g., date,campaign,geo)", "date").option("--from <date>", "Start date (YYYY-MM-DD)").option("--to <date>", "End date (YYYY-MM-DD)").option("--limit <n>", "Max rows", "100").addHelpText("after", `
+Requires: authenticated profile with DSP or SSP capability.`).option("--metrics <list>", "Comma-separated metrics (e.g., spend,impressions,clicks,ctr)", "impressions,clicks,spend").option("--dimensions <list>", "Comma-separated dimensions (e.g., date,campaign,geo,goal,goal_id,goal_order)", "date").option("--from <date>", "Start date (YYYY-MM-DD)").option("--to <date>", "End date (YYYY-MM-DD)").option("--limit <n>", "Max rows", "100").addHelpText("after", `
 Examples:
   $ a8techads reports query --metrics spend,impressions --dimensions date --from 2026-03-01 --to 2026-03-20
   $ a8techads reports query --metrics revenue --dimensions publisher --format json
-  $ a8techads reports query --dimensions geo --limit 10`)).action(async (opts) => {
+  $ a8techads reports query --dimensions geo --limit 10
+  $ a8techads reports query --dimensions goal,date --metrics conversions,spend,cpa --from 2026-03-01`)).action(async (opts) => {
     const body = {
       metrics: opts.metrics.split(","),
       dimensions: opts.dimensions.split(","),
@@ -4299,19 +5173,20 @@ Examples:
       console.error(`Error: ${json.error ?? resp.statusText}`);
       process.exit(1);
     }
-    const rows = json.data?.rows ?? json.rows ?? [];
+    const data = json.data ?? json;
+    const rows = data.rows ?? data.results ?? json.rows ?? json.results ?? [];
     if (rows.length === 0) {
       console.log("No results.");
       return;
     }
     if (opts.format === "json") {
-      console.log(JSON.stringify(json.data ?? json, null, 2));
+      console.log(JSON.stringify(data, null, 2));
       return;
     }
     const keys = Object.keys(rows[0]);
     const columns = keys.map((k) => ({ key: k, header: k.toUpperCase(), width: Math.max(k.length, 12) }));
     printData(rows, columns, opts.format);
-    const summary = json.data?.summary ?? json.summary;
+    const summary = data.summary ?? data.totals ?? json.summary ?? json.totals;
     if (summary && opts.format === "table") {
       console.log(`
 Summary:`);
@@ -4327,7 +5202,9 @@ Summary:`);
       console.error(`Error: ${json.error ?? resp.statusText}`);
       process.exit(1);
     }
-    const rows = (json.data ?? json).map((r) => ({ id: r.id, name: r.name, createdAt: r.createdAt ?? r.created_at }));
+    const data = json.data ?? json;
+    const reports = data.reports ?? json.reports ?? data;
+    const rows = (Array.isArray(reports) ? reports : []).map((r) => ({ id: r.id, name: r.name, createdAt: r.createdAt ?? r.created_at }));
     printData(rows, [
       { key: "id", header: "ID", width: 36 },
       { key: "name", header: "NAME", width: 30 },
@@ -4350,7 +5227,9 @@ Summary:`);
       console.error(`Error: ${json.error ?? resp.statusText}`);
       process.exit(1);
     }
-    const rows = (json.data ?? json).map((t) => ({ id: t.id, name: t.name, description: t.description }));
+    const data = json.data ?? json;
+    const templates = data.templates ?? json.templates ?? data;
+    const rows = (Array.isArray(templates) ? templates : []).map((t) => ({ id: t.id, name: t.name, description: t.description }));
     printData(rows, [
       { key: "id", header: "ID", width: 20 },
       { key: "name", header: "NAME", width: 25 },
@@ -4360,8 +5239,8 @@ Summary:`);
   cmd.command("create").description("Create a saved report.").option("--name <name>", "Report name (required)").option("--from-json <file>", "Create from JSON file").action(async (opts) => {
     let body;
     if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
+      const { readFileSync: readFileSync5 } = await import("fs");
+      body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
     } else {
       if (!opts.name) {
         console.error("Error: --name is required.");
@@ -4463,8 +5342,8 @@ Examples:
   cmd.command("settings-update").description("Update billing settings.").option("--auto-recharge <bool>", "Enable/disable auto-recharge (true/false)").option("--from-json <file>", "Update from JSON file").action(async (opts) => {
     let body;
     if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
+      const { readFileSync: readFileSync5 } = await import("fs");
+      body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
     } else {
       body = {};
       if (opts.autoRecharge !== undefined)
@@ -4478,6 +5357,60 @@ Examples:
     }
     console.log("Billing settings updated.");
   });
+  addFormatOption(cmd.command("payment-methods").description("List saved payment methods.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/payments/stripe/payment-methods` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const columns = [
+      { key: "id", header: "ID", width: 30 },
+      { key: "type", header: "TYPE", width: 10 },
+      { key: "last4", header: "LAST4", width: 6 },
+      { key: "brand", header: "BRAND", width: 12 },
+      { key: "expires", header: "EXPIRES", width: 10 }
+    ];
+    const rows = (json.data ?? json).map((pm) => ({
+      id: pm.id,
+      type: pm.type,
+      last4: pm.last4 ?? pm.card?.last4,
+      brand: pm.brand ?? pm.card?.brand,
+      expires: pm.expires ?? (pm.card ? `${pm.card.exp_month}/${pm.card.exp_year}` : "-")
+    }));
+    printData(rows, columns, opts.format);
+  });
+  cmd.command("usdt-deposit").description("Initiate a USDT deposit.").option("--amount <dollars>", "Deposit amount in dollars (required)").option("--network <network>", "Blockchain network", "TRC20").option("--yes", "Skip confirmation prompt").action(async (opts) => {
+    if (!opts.amount) {
+      console.error("Error: --amount is required.");
+      process.exit(1);
+    }
+    const amount = Number(opts.amount);
+    if (isNaN(amount) || amount <= 0) {
+      console.error("Error: Amount must be a positive number.");
+      process.exit(1);
+    }
+    if (!opts.yes) {
+      const rl = await import("readline");
+      const iface = rl.createInterface({ input: process.stdin, output: process.stdout });
+      const answer = await new Promise((resolve) => iface.question(`Initiate USDT deposit of $${amount.toFixed(2)}? (y/N) `, resolve));
+      iface.close();
+      if (answer.toLowerCase() !== "y") {
+        console.log("Cancelled.");
+        process.exit(0);
+      }
+    }
+    const resp = await apiRequest({ method: "POST", path: `${dspPrefix()}/payments/usdt/checkout`, body: { amount, network: opts.network } });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`USDT deposit of $${amount.toFixed(2)} initiated.`);
+    if (json.data?.paymentUrl || json.paymentUrl) {
+      console.log(`Payment URL: ${json.data?.paymentUrl ?? json.paymentUrl}`);
+    }
+  });
   return cmd;
 }
 
@@ -4494,7 +5427,7 @@ function usersPrefix() {
   }
   return app === "ssp" ? "/api/v1/ssp" : "/api/v1/dsp";
 }
-var COLUMNS6 = [
+var COLUMNS7 = [
   { key: "id", header: "ID", width: 36 },
   { key: "email", header: "EMAIL", width: 30 },
   { key: "name", header: "NAME", width: 20 },
@@ -4525,7 +5458,7 @@ Examples:
       role: u.role,
       status: u.status
     }));
-    printData(rows, COLUMNS6, opts.format);
+    printData(rows, COLUMNS7, opts.format);
   });
   addFormatOption(cmd.command("get").description("Get team member details.").argument("<id>", "User ID")).action(async (id, opts) => {
     const resp = await apiRequest({ path: `${usersPrefix()}/users/${id}` });
@@ -4605,6 +5538,40 @@ Examples:
 }
 
 // src/commands/admin.ts
+function parseDurationMs(input) {
+  const trimmed = input.trim();
+  const match = /^(\d+)\s*(ms|s|m|h|d)?$/i.exec(trimmed);
+  if (!match)
+    return 60 * 60 * 1000;
+  const value = parseInt(match[1], 10);
+  const unit = (match[2] || "s").toLowerCase();
+  switch (unit) {
+    case "ms":
+      return value;
+    case "s":
+      return value * 1000;
+    case "m":
+      return value * 60 * 1000;
+    case "h":
+      return value * 60 * 60 * 1000;
+    case "d":
+      return value * 24 * 60 * 60 * 1000;
+    default:
+      return value * 1000;
+  }
+}
+async function confirmAction(message, yes) {
+  if (yes)
+    return;
+  const rl = await import("readline");
+  const iface = rl.createInterface({ input: process.stdin, output: process.stdout });
+  const answer = await new Promise((resolve) => iface.question(`${message} (y/N) `, resolve));
+  iface.close();
+  if (answer.toLowerCase() !== "y") {
+    console.log("Cancelled.");
+    process.exit(0);
+  }
+}
 function createAdminCommand() {
   const cmd = new Command("admin").description(`Platform administration (Console)
 
@@ -4612,6 +5579,8 @@ Requires: platform_owner or platform_admin role.`).addHelpText("after", `
 Examples:
   $ a8techads admin tenants list
   $ a8techads admin tenants get <id>
+  $ a8techads admin campaign-reviews pending
+  $ a8techads admin campaign-reviews approve-all <campaign-id> --yes
   $ a8techads admin audit-logs
   $ a8techads admin system health`);
   const tenants = cmd.command("tenants").description("Tenant management");
@@ -4645,6 +5614,108 @@ Examples:
     }
     printDetail(json.data ?? json, opts.format);
   });
+  tenants.command("create").description("Create a new tenant with admin user.").option("--name <name>", "Company name (required)").option("--email <email>", "Admin email (required)").option("--admin-name <name>", "Admin user name").option("--capabilities <caps>", "Comma-separated capabilities: ADVERTISER,PUBLISHER", "ADVERTISER").addHelpText("after", `
+Examples:
+  $ a8techads admin tenants create --name "Acme Corp" --email admin@acme.com
+  $ a8techads admin tenants create --name "MediaCo" --email admin@media.co --capabilities ADVERTISER,PUBLISHER`).action(async (opts) => {
+    if (!opts.name) {
+      console.error("Error: --name is required.");
+      process.exit(1);
+    }
+    if (!opts.email) {
+      console.error("Error: --email is required.");
+      process.exit(1);
+    }
+    const capabilities = opts.capabilities.split(",").map((c) => c.trim().toUpperCase());
+    const body = {
+      tenant: {
+        companyName: opts.name,
+        capabilities
+      },
+      admin: {
+        email: opts.email,
+        name: opts.adminName ?? undefined
+      }
+    };
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/tenants`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const data = json.data ?? json;
+    const tenant = data.tenant ?? data;
+    console.log(`Tenant created: ${tenant.id}`);
+    if (tenant.companyName)
+      console.log(`  Name: ${tenant.companyName}`);
+    if (tenant.status)
+      console.log(`  Status: ${tenant.status}`);
+    if (data.admin) {
+      console.log(`  Admin: ${data.admin.email} (userId: ${data.admin.userId})`);
+    }
+  });
+  tenants.command("update").description("Update a tenant.").argument("<id>", "Tenant ID").option("--name <name>", "New company name").option("--status <status>", "New status: ACTIVE, SUSPENDED, TESTING").action(async (id, opts) => {
+    const body = {};
+    if (opts.name)
+      body.companyName = opts.name;
+    if (opts.status)
+      body.status = opts.status.toUpperCase();
+    if (Object.keys(body).length === 0) {
+      console.error("Error: at least one of --name or --status is required.");
+      process.exit(1);
+    }
+    const resp = await apiRequest({ method: "PATCH", path: `${consolePrefix()}/tenants/${id}`, body });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Tenant ${id} updated.`);
+  });
+  tenants.command("suspend").description("Suspend a tenant (set status to SUSPENDED).").argument("<id>", "Tenant ID").action(async (id) => {
+    const resp = await apiRequest({
+      method: "PATCH",
+      path: `${consolePrefix()}/tenants/${id}`,
+      body: { status: "SUSPENDED" }
+    });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Tenant ${id} suspended.`);
+  });
+  tenants.command("activate").description("Activate a tenant (set status to ACTIVE).").argument("<id>", "Tenant ID").action(async (id) => {
+    const resp = await apiRequest({
+      method: "PATCH",
+      path: `${consolePrefix()}/tenants/${id}`,
+      body: { status: "ACTIVE" }
+    });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Tenant ${id} activated.`);
+  });
+  tenants.command("delete").description("Delete a tenant, its members, and associated data.").argument("<id>", "Tenant ID").option("--yes", "Skip confirmation", false).action(async (id, opts) => {
+    await confirmAction(`Delete tenant ${id}? This removes the organization, its members, and associated data.`, opts.yes);
+    const resp = await apiRequest({
+      method: "DELETE",
+      path: `${consolePrefix()}/tenants/${id}`
+    });
+    const json = await resp.json().catch(() => null);
+    if (!resp.ok) {
+      console.error(`Error: ${json?.error ?? json?.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const data = json?.data ?? json ?? {};
+    console.log(`Tenant ${id} deleted.`);
+    if (data.deletedUserCount !== undefined)
+      console.log(`  Deleted users: ${data.deletedUserCount}`);
+    if (data.removedMembershipCount !== undefined)
+      console.log(`  Removed memberships: ${data.removedMembershipCount}`);
+  });
   const members = tenants.command("members").description("Tenant member management");
   addFormatOption(members.command("list").description("List tenant members.").option("--tenant <id>", "Tenant ID (required)")).action(async (opts) => {
     if (!opts.tenant) {
@@ -4693,18 +5764,114 @@ Examples:
       { key: "time", header: "TIME", width: 22 }
     ], opts.format);
   });
-  const system = cmd.command("system").description("System operations");
-  addFormatOption(system.command("health").description("System health check.")).action(async (opts) => {
-    const resp = await apiRequest({ path: "/api/v1/console/system/health" });
+  const campaignReviews = cmd.command("campaign-reviews").description("Campaign review operations (Console).").addHelpText("after", `
+Examples:
+  $ a8techads admin campaign-reviews pending
+  $ a8techads admin campaign-reviews show <campaign-id>
+  $ a8techads admin campaign-reviews approve-all <campaign-id> --yes
+  $ a8techads admin campaign-reviews decline <campaign-id> --reason-code policy --feedback "Needs changes" --yes`);
+  const reviewColumns = [
+    { key: "id", header: "ID", width: 36 },
+    { key: "name", header: "NAME", width: 28 },
+    { key: "status", header: "STATUS", width: 12 },
+    { key: "tenantName", header: "TENANT", width: 24 },
+    { key: "adFormat", header: "FORMAT", width: 12 },
+    { key: "pendingVariations", header: "PENDING", width: 8 },
+    { key: "totalVariations", header: "TOTAL", width: 8 }
+  ];
+  function normalizeReviewCampaign(campaign) {
+    return {
+      id: campaign.id ?? campaign.campaignId,
+      name: campaign.name,
+      status: campaign.status ?? campaign.reviewStatus,
+      tenantName: campaign.tenantName ?? campaign.tenant?.companyName ?? campaign.tenant?.company_name,
+      adFormat: campaign.adFormat ?? campaign.ad_format,
+      pendingVariations: campaign.pendingVariations ?? campaign.pending_variations,
+      totalVariations: campaign.totalVariations ?? campaign.total_variations,
+      submittedAt: campaign.submittedAt ?? campaign.submitted_at
+    };
+  }
+  addFormatOption(campaignReviews.command("pending").description("List campaigns pending review.").option("--limit <n>", "Max results", "20").option("--offset <n>", "Offset", "0")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit, offset: opts.offset });
+    const resp = await apiRequest({ path: `${consolePrefix()}/campaigns/pending?${params}` });
     const json = await resp.json();
     if (!resp.ok) {
-      console.error(`Error: ${json.error ?? resp.statusText}`);
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
       process.exit(1);
     }
-    printDetail(json.data ?? json, opts.format);
+    const rows = (json.data ?? json).map(normalizeReviewCampaign);
+    printData(rows, reviewColumns, opts.format);
   });
-  system.command("cache-clear").description("Clear system cache.").action(async () => {
-    const resp = await apiRequest({ method: "POST", path: "/api/v1/console/system/cache/clear" });
+  addFormatOption(campaignReviews.command("show").description("Show campaign review details, including variations.").argument("<id>", "Campaign ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${consolePrefix()}/campaigns/${id}/review` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const data = json.data ?? json;
+    if (opts.format === "json") {
+      printDetail(data, "json");
+      return;
+    }
+    const summary = normalizeReviewCampaign(data);
+    printDetail(summary, "table");
+    const variations = Array.isArray(data.variations) ? data.variations : [];
+    if (variations.length > 0) {
+      console.log(`
+Variations`);
+      printData(variations.map((variation) => ({
+        id: variation.id,
+        name: variation.name,
+        type: variation.type,
+        status: variation.reviewStatus ?? variation.status,
+        mediaAsset: variation.mediaAsset?.name ?? variation.media_asset?.name
+      })), [
+        { key: "id", header: "ID", width: 36 },
+        { key: "name", header: "NAME", width: 28 },
+        { key: "type", header: "TYPE", width: 12 },
+        { key: "status", header: "STATUS", width: 12 },
+        { key: "mediaAsset", header: "MEDIA", width: 24 }
+      ], "table");
+    }
+  });
+  addFormatOption(campaignReviews.command("approve-all").description("Approve all pending variations and activate the campaign atomically.").argument("<id>", "Campaign ID").option("--yes", "Skip confirmation", false)).action(async (id, opts) => {
+    await confirmAction(`Approve all pending variations and activate campaign ${id}?`, opts.yes);
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/campaigns/${id}/approve-all` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  addFormatOption(campaignReviews.command("decline").description("Decline all pending variations for a campaign atomically.").argument("<id>", "Campaign ID").option("--feedback <text>", "Review feedback").option("--reason-code <code>", "Review reason code").option("--yes", "Skip confirmation", false)).action(async (id, opts) => {
+    await confirmAction(`Decline campaign ${id}?`, opts.yes);
+    const body = {};
+    if (opts.feedback)
+      body.feedback = opts.feedback;
+    if (opts.reasonCode)
+      body.reasonCode = opts.reasonCode;
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/campaigns/${id}/decline`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  const system = cmd.command("system").description("System operations");
+  addFormatOption(system.command("health").description("System health check.")).action(async (opts) => {
+    const resp = await apiRequest({ path: "/api/v1/console/system/health" });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  system.command("cache-clear").description("Clear system cache.").action(async () => {
+    const resp = await apiRequest({ method: "POST", path: "/api/v1/console/system/cache/clear" });
     if (!resp.ok) {
       const j = await resp.json();
       console.error(`Error: ${j.error ?? resp.statusText}`);
@@ -4712,33 +5879,10 @@ Examples:
     }
     console.log("Cache cleared.");
   });
-  return cmd;
-}
-
-// src/commands/settings.ts
-function settingsPrefix() {
-  const ctx = loadContext();
-  const context = getCurrentContext(ctx);
-  const app = context?.app ?? "dsp";
-  if (app === "console") {
-    console.error("Error: Settings commands are not available in Console mode.");
-    console.error('Switch to DSP or SSP context: "a8techads context dsp" or "a8techads context ssp"');
-    process.exit(1);
-  }
-  return app === "ssp" ? "/api/v1/ssp" : "/api/v1/dsp";
-}
-function createSettingsCommand() {
-  const cmd = new Command("settings").description(`Tenant settings (DSP / SSP only)
-
-Requires: ADVERTISER or PUBLISHER capability.
-Not available in Console mode.`).addHelpText("after", `
-Examples:
-  $ a8techads settings show
-  $ a8techads settings update --from-json settings.json
-  $ a8techads settings profile
-  $ a8techads settings profile-update --company-name "New Name"`);
-  addFormatOption(cmd.command("show").description("Show current tenant settings.")).action(async (opts) => {
-    const resp = await apiRequest({ path: `${settingsPrefix()}/settings` });
+  const biddingGate = system.command("bidding-gate").description("Manage bidder runtime gate without redeploy.");
+  addFormatOption(biddingGate.command("show").description("Show bidder runtime gate state.").option("--partner-code <code>", "Show gate state for one supply partner code")).action(async (opts) => {
+    const path = opts.partnerCode ? `/api/v1/console/system/bidding-gate/${encodeURIComponent(String(opts.partnerCode))}` : "/api/v1/console/system/bidding-gate";
+    const resp = await apiRequest({ path });
     const json = await resp.json();
     if (!resp.ok) {
       console.error(`Error: ${json.error ?? resp.statusText}`);
@@ -4746,8 +5890,139 @@ Examples:
     }
     printDetail(json.data ?? json, opts.format);
   });
-  addFormatOption(cmd.command("profile").description("Show tenant profile (contact/business info).")).action(async (opts) => {
-    const resp = await apiRequest({ path: `${settingsPrefix()}/settings/profile` });
+  biddingGate.command("set").description("Set bidder runtime gate mode.").argument("<mode>", "active | observe_only").option("--partner-code <code>", "Set gate mode for one supply partner code").option("--yes", "Skip confirmation", false).addHelpText("after", `
+Examples:
+  $ a8techads admin system bidding-gate show
+  $ a8techads admin system bidding-gate set observe_only --yes
+  $ a8techads admin system bidding-gate set active --yes
+  $ a8techads admin system bidding-gate set observe_only --partner-code PROPELLERADS --yes`).action(async (mode, opts) => {
+    const normalizedMode = String(mode).trim();
+    if (!["active", "observe_only"].includes(normalizedMode)) {
+      console.error("Error: mode must be one of: active, observe_only");
+      process.exit(1);
+    }
+    const partnerCode = opts.partnerCode ? String(opts.partnerCode).trim() : "";
+    await confirmAction(partnerCode ? `Set bidder runtime gate for ${partnerCode} to ${normalizedMode}?` : `Set bidder runtime gate to ${normalizedMode}?`, opts.yes);
+    const resp = await apiRequest({
+      method: "PUT",
+      path: partnerCode ? `/api/v1/console/system/bidding-gate/${encodeURIComponent(partnerCode)}` : "/api/v1/console/system/bidding-gate",
+      body: { mode: normalizedMode }
+    });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json);
+  });
+  const debug = biddingGate.command("debug").description("Phase 4 per-request pacer debug funnel.");
+  debug.command("arm").description("Arm N debug slot(s) for a partner. Each consumed slot routes one request via the pacer path.").requiredOption("--partner <code>", "Partner code (e.g. HILLTOPADS)").option("--count <n>", "Number of slots to arm", "1").option("--region <region>", "sin | dfw | all", "dfw").addHelpText("after", `
+Examples:
+  $ a8techads admin system bidding-gate debug arm --partner HILLTOPADS
+  $ a8techads admin system bidding-gate debug arm --partner HILLTOPADS --count 10
+  $ a8techads admin system bidding-gate debug arm --partner HILLTOPADS --region sin --count 1`).action(async (opts) => {
+    const body = {
+      partner_code: String(opts.partner).trim(),
+      count: parseInt(String(opts.count), 10),
+      region: String(opts.region).trim()
+    };
+    const resp = await apiRequest({ method: "POST", path: "/api/v1/console/system/bidding-gate/debug/arm", body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json);
+  });
+  debug.command("disarm").description("Disarm debug slots. --all wipes every armed partner across regions.").option("--partner <code>", "Partner code to disarm").option("--region <region>", "sin | dfw | all", "all").option("--all", "Disarm every armed partner across all regions", false).action(async (opts) => {
+    if (!opts.all && !opts.partner) {
+      console.error("Error: provide --partner <code> or --all");
+      process.exit(1);
+    }
+    const body = opts.all ? { all: true } : { partner_code: String(opts.partner).trim(), region: String(opts.region).trim() };
+    const resp = await apiRequest({ method: "POST", path: "/api/v1/console/system/bidding-gate/debug/disarm", body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json);
+  });
+  debug.command("show").description("Show armed counters and cumulative tallies for a partner across regions.").requiredOption("--partner <code>", "Partner code").option("--region <region>", "sin | dfw | all", "all").action(async (opts) => {
+    const params = new URLSearchParams({
+      partner_code: String(opts.partner).trim(),
+      region: String(opts.region).trim()
+    });
+    const resp = await apiRequest({ path: `/api/v1/console/system/bidding-gate/debug/show?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json);
+  });
+  debug.command("tail").description("Tail captured fallback entries for a partner. Each entry is one request that came back as non-2xx-non-204 from the bidder.").requiredOption("--partner <code>", "Partner code").option("--region <region>", "sin | dfw", "dfw").option("--since <duration>", "How far back to read (e.g. 5m, 1h)", "1h").option("--max <n>", "Cap on entries returned", "100").action(async (opts) => {
+    const sinceMs = Date.now() - parseDurationMs(String(opts.since));
+    const params = new URLSearchParams({
+      partner_code: String(opts.partner).trim(),
+      region: String(opts.region).trim(),
+      since_ms: String(sinceMs),
+      max_count: String(opts.max)
+    });
+    const resp = await apiRequest({ path: `/api/v1/console/system/bidding-gate/debug/tail?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json);
+  });
+  debug.command("prune").description("Trim captured fallback stream entries older than --max-age.").requiredOption("--partner <code>", "Partner code").option("--region <region>", "sin | dfw | all", "all").option("--max-age <duration>", "Drop entries older than this", "24h").action(async (opts) => {
+    const cutoffMs = Date.now() - parseDurationMs(String(opts.maxAge));
+    const body = {
+      partner_code: String(opts.partner).trim(),
+      region: String(opts.region).trim(),
+      cutoff_ms: cutoffMs
+    };
+    const resp = await apiRequest({ method: "POST", path: "/api/v1/console/system/bidding-gate/debug/prune", body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json);
+  });
+  debug.command("preflight").description("Dependency preflight: control-plane reachable, runtime Redis healthy, BILLING_CONFIRM stream alive. Touches no real billing.").action(async () => {
+    const resp = await apiRequest({ path: "/api/v1/console/system/bidding-gate/debug/preflight" });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json);
+  });
+  const tracking = cmd.command("tracking-identities").description("User identity graph stats");
+  tracking.command("stats").description("Show tracking identity statistics.").action(async () => {
+    const resp = await apiRequest({ path: "/api/v1/console/tracking-identities/stats" });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const data = json.data ?? json;
+    console.log(`Tracking Identity Stats:`);
+    console.log(`  Total Identities: ${(data.total_identities ?? 0).toLocaleString()}`);
+    console.log(`  Active (30d):     ${(data.active_30d ?? 0).toLocaleString()}`);
+    console.log(`  Active (7d):      ${(data.active_7d ?? 0).toLocaleString()}`);
+    console.log(`  Active (1d):      ${(data.active_1d ?? 0).toLocaleString()}`);
+    if (data.earliest_seen)
+      console.log(`  Earliest Seen:    ${data.earliest_seen}`);
+    if (data.latest_seen)
+      console.log(`  Latest Seen:      ${data.latest_seen}`);
+  });
+  const finance = cmd.command("finance").description("Financial overview and audit");
+  addFormatOption(finance.command("summary").description("Financial summary.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${consolePrefix()}/billing-ops/summary` });
     const json = await resp.json();
     if (!resp.ok) {
       console.error(`Error: ${json.error ?? resp.statusText}`);
@@ -4755,85 +6030,236 @@ Examples:
     }
     printDetail(json.data ?? json, opts.format);
   });
-  cmd.command("update").description(`Update tenant settings.
-
-Requires: admin role.`).option("--from-json <file>", "Update from JSON file").action(async (opts) => {
-    if (!opts.fromJson) {
-      console.error("Error: --from-json is required for settings update.");
+  finance.command("finalize-daily").description("Run daily billing finalization for a date.").option("--date <yyyy-mm-dd>", "Date to finalize (default: today UTC)").option("--yes", "Skip confirmation", false).action(async (opts) => {
+    const targetDate = opts.date || new Date().toISOString().slice(0, 10);
+    await confirmAction(`Run daily billing finalization for ${targetDate}?`, opts.yes);
+    const body = {};
+    if (opts.date)
+      body.date = opts.date;
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/billing-ops/finalize-daily`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
       process.exit(1);
     }
-    const { readFileSync: readFileSync3 } = await import("fs");
-    const body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
-    const resp = await apiRequest({ method: "PATCH", path: `${settingsPrefix()}/settings`, body });
+    const data = json.data ?? json;
+    console.log(`Daily billing finalized for ${data.date ?? targetDate}.`);
+  });
+  addFormatOption(finance.command("events").description("List billing events.").option("--limit <n>", "Max results", "20").option("--aggregate-type <type>", "Filter by aggregate type").option("--event-type <type>", "Filter by event type")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit });
+    if (opts.aggregateType)
+      params.set("aggregate_type", opts.aggregateType);
+    if (opts.eventType)
+      params.set("event_type", opts.eventType);
+    const resp = await apiRequest({ path: `${consolePrefix()}/billing-ops/events?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const payload = json.data ?? json;
+    const rows = (payload.events ?? payload).map((e) => ({
+      id: e.id,
+      eventType: e.eventType ?? e.event_type,
+      aggregateType: e.aggregateType ?? e.aggregate_type,
+      createdAt: e.createdAt ?? e.created_at
+    }));
+    printData(rows, [
+      { key: "id", header: "ID", width: 36 },
+      { key: "eventType", header: "EVENT_TYPE", width: 25 },
+      { key: "aggregateType", header: "AGGREGATE_TYPE", width: 20 },
+      { key: "createdAt", header: "CREATED_AT", width: 22 }
+    ], opts.format);
+  });
+  addFormatOption(finance.command("operations").description("List billing operations.").option("--limit <n>", "Max results", "20").option("--type <type>", "Filter by operation type").option("--status <status>", "Filter by status")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit });
+    if (opts.type)
+      params.set("type", opts.type);
+    if (opts.status)
+      params.set("status", opts.status);
+    const resp = await apiRequest({ path: `${consolePrefix()}/billing-ops/operations?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const payload = json.data ?? json;
+    const rows = (payload.operations ?? payload).map((o) => ({
+      id: o.id,
+      type: o.type,
+      target: o.target ?? o.targetId ?? o.target_id,
+      amount: o.amount,
+      status: o.status,
+      createdAt: o.createdAt ?? o.created_at
+    }));
+    printData(rows, [
+      { key: "id", header: "ID", width: 36 },
+      { key: "type", header: "TYPE", width: 18 },
+      { key: "target", header: "TARGET", width: 20 },
+      { key: "amount", header: "AMOUNT", width: 12 },
+      { key: "status", header: "STATUS", width: 12 },
+      { key: "createdAt", header: "CREATED_AT", width: 22 }
+    ], opts.format);
+  });
+  const invoices = cmd.command("invoices").description("Invoice management");
+  addFormatOption(invoices.command("list").description("List invoices.").option("--limit <n>", "Max results", "20").option("--status <status>", "Filter by status").option("--tenant-type <type>", "Filter by tenant type")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit });
+    if (opts.status)
+      params.set("status", opts.status);
+    if (opts.tenantType)
+      params.set("tenantType", opts.tenantType);
+    const resp = await apiRequest({ path: `${consolePrefix()}/billing-ops/invoices?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const payload = json.data ?? json;
+    const invoiceRows = Array.isArray(payload) ? payload : payload.invoices ?? [];
+    const rows = invoiceRows.map((i) => ({
+      invoiceNumber: i.invoiceNumber ?? i.invoice_number ?? i.id,
+      tenant: i.tenantName ?? i.tenant_name ?? i.tenantId ?? i.tenant_id,
+      amount: i.amount ?? i.totalAmount ?? i.total_amount,
+      status: i.status,
+      dueDate: i.dueDate ?? i.due_date
+    }));
+    printData(rows, [
+      { key: "invoiceNumber", header: "INVOICE#", width: 20 },
+      { key: "tenant", header: "TENANT", width: 25 },
+      { key: "amount", header: "AMOUNT", width: 12 },
+      { key: "status", header: "STATUS", width: 12 },
+      { key: "dueDate", header: "DUE_DATE", width: 16 }
+    ], opts.format);
+  });
+  addFormatOption(invoices.command("preview").description("Preview unbilled invoices for current period.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${consolePrefix()}/billing-ops/invoices/preview?tenantType=advertiser` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const data = json.data ?? json;
+    if (data.summary) {
+      console.log(`
+Period: ${data.summary.period}  |  Accounts: ${data.summary.accountCount}  |  Estimated Total Due: $${data.summary.totalAmount?.toFixed(2)}  |  As of: ${data.summary.asOfDate}
+`);
+    }
+    const rows = (data.previews ?? []).map((p) => ({
+      tenant: p.tenantName,
+      adSpend: p.adSpend,
+      platformFee: p.platformFee,
+      totalDue: p.totalDue,
+      days: p.daysWithData,
+      impressions: p.impressions
+    }));
+    printData(rows, [
+      { key: "tenant", header: "TENANT", width: 25 },
+      { key: "adSpend", header: "AD_SPEND", width: 12, format: (v) => `$${Number(v).toFixed(2)}` },
+      { key: "platformFee", header: "PLATFORM_FEE", width: 14, format: (v) => `$${Number(v).toFixed(2)}` },
+      { key: "totalDue", header: "TOTAL_DUE", width: 12, format: (v) => `$${Number(v).toFixed(2)}` },
+      { key: "days", header: "DAYS", width: 6 },
+      { key: "impressions", header: "IMPRESSIONS", width: 12 }
+    ], opts.format);
+  });
+  addFormatOption(invoices.command("get").description("Get invoice details.").argument("<id>", "Invoice ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${consolePrefix()}/billing-ops/invoices/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  invoices.command("issue").description("Issue an invoice.").argument("<id>", "Invoice ID").option("--yes", "Skip confirmation", false).action(async (id, opts) => {
+    await confirmAction(`Issue invoice ${id}?`, opts.yes);
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/billing-ops/invoices/${id}/issue` });
     if (!resp.ok) {
       const j = await resp.json();
       console.error(`Error: ${j.error ?? resp.statusText}`);
       process.exit(1);
     }
-    console.log("Settings updated.");
+    console.log(`Invoice ${id} issued.`);
   });
-  cmd.command("profile-update").description("Update tenant profile.").option("--company-name <name>", "Company name").option("--from-json <file>", "Update from JSON file").action(async (opts) => {
-    let body;
-    if (opts.fromJson) {
-      const { readFileSync: readFileSync3 } = await import("fs");
-      body = JSON.parse(readFileSync3(opts.fromJson, "utf-8"));
-    } else {
-      body = {};
-      if (opts.companyName)
-        body.companyName = opts.companyName;
+  invoices.command("void").description("Void an invoice.").argument("<id>", "Invoice ID").option("--yes", "Skip confirmation", false).action(async (id, opts) => {
+    await confirmAction(`Void invoice ${id}?`, opts.yes);
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/billing-ops/invoices/${id}/void` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
     }
-    const resp = await apiRequest({ method: "PATCH", path: `${settingsPrefix()}/settings/profile`, body });
+    console.log(`Invoice ${id} voided.`);
+  });
+  invoices.command("mark-paid").description("Mark an invoice as paid.").argument("<id>", "Invoice ID").option("--yes", "Skip confirmation", false).action(async (id, opts) => {
+    await confirmAction(`Mark invoice ${id} as paid?`, opts.yes);
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/billing-ops/invoices/${id}/mark-paid` });
     if (!resp.ok) {
       const j = await resp.json();
       console.error(`Error: ${j.error ?? resp.statusText}`);
       process.exit(1);
     }
-    console.log("Profile updated.");
+    console.log(`Invoice ${id} marked as paid.`);
   });
-  return cmd;
-}
-
-// src/commands/invoices.ts
-function createInvoicesCommand() {
-  const cmd = new Command("invoices").description(`Invoice management (DSP)
-
-Requires: ADVERTISER capability.`).addHelpText("after", `
-Examples:
-  $ a8techads invoices list
-  $ a8techads invoices get <id>
-  $ a8techads invoices spending`);
-  addFormatOption(cmd.command("list").description("List invoices.")).action(async (opts) => {
-    const resp = await apiRequest({ path: `${dspPrefix()}/invoices` });
+  const statements = cmd.command("statements").description("Publisher statement management");
+  addFormatOption(statements.command("list").description("List publisher statements.").option("--limit <n>", "Max results", "20").option("--status <status>", "Filter by status")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit, tenantType: "publisher" });
+    if (opts.status)
+      params.set("status", opts.status);
+    const resp = await apiRequest({ path: `${consolePrefix()}/billing-ops/invoices?${params}` });
     const json = await resp.json();
     if (!resp.ok) {
       console.error(`Error: ${json.error ?? resp.statusText}`);
       process.exit(1);
     }
-    const columns = [
-      { key: "id", header: "ID", width: 36 },
-      { key: "period", header: "PERIOD", width: 20 },
-      { key: "amount", header: "AMOUNT", width: 12, format: (v) => v != null ? `$${Number(v).toFixed(2)}` : "-" },
-      { key: "status", header: "STATUS", width: 12 }
-    ];
-    const rows = (json.data ?? json).map((i) => ({
-      id: i.id,
-      period: i.period ?? i.billingPeriod,
-      amount: i.amount ?? i.totalAmount,
-      status: i.status
+    const payload = json.data ?? json;
+    const invoiceRows = Array.isArray(payload) ? payload : payload.invoices ?? [];
+    const rows = invoiceRows.map((i) => ({
+      invoiceNumber: i.invoiceNumber ?? i.invoice_number ?? i.id,
+      tenant: i.tenantName ?? i.tenant_name ?? i.tenantId ?? i.tenant_id,
+      amount: i.amount ?? i.totalAmount ?? i.total_amount,
+      status: i.status,
+      dueDate: i.dueDate ?? i.due_date
     }));
-    printData(rows, columns, opts.format);
+    printData(rows, [
+      { key: "invoiceNumber", header: "INVOICE#", width: 20 },
+      { key: "tenant", header: "TENANT", width: 25 },
+      { key: "amount", header: "AMOUNT", width: 12 },
+      { key: "status", header: "STATUS", width: 12 },
+      { key: "dueDate", header: "DUE_DATE", width: 16 }
+    ], opts.format);
   });
-  addFormatOption(cmd.command("get").description("Get invoice details.").argument("<id>", "Invoice ID")).action(async (id, opts) => {
-    const resp = await apiRequest({ path: `${dspPrefix()}/invoices/${id}` });
+  addFormatOption(statements.command("preview").description("Preview unbilled statements for current period.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${consolePrefix()}/billing-ops/invoices/preview?tenantType=publisher` });
     const json = await resp.json();
     if (!resp.ok) {
       console.error(`Error: ${json.error ?? resp.statusText}`);
       process.exit(1);
     }
-    printDetail(json.data ?? json, opts.format);
+    const data = json.data ?? json;
+    if (data.summary) {
+      console.log(`
+Period: ${data.summary.period}  |  Accounts: ${data.summary.accountCount}  |  Estimated Net Payable: $${data.summary.totalAmount?.toFixed(2)}  |  As of: ${data.summary.asOfDate}
+`);
+    }
+    const rows = (data.previews ?? []).map((p) => ({
+      tenant: p.tenantName,
+      grossRevenue: p.grossRevenue,
+      commission: p.platformCommission,
+      netPayable: p.netPayable,
+      days: p.daysWithData,
+      impressions: p.impressions
+    }));
+    printData(rows, [
+      { key: "tenant", header: "TENANT", width: 25 },
+      { key: "grossRevenue", header: "GROSS_REV", width: 12, format: (v) => `$${Number(v).toFixed(2)}` },
+      { key: "commission", header: "COMMISSION", width: 12, format: (v) => `$${Number(v).toFixed(2)}` },
+      { key: "netPayable", header: "NET_PAY", width: 12, format: (v) => `$${Number(v).toFixed(2)}` },
+      { key: "days", header: "DAYS", width: 6 },
+      { key: "impressions", header: "IMPRESSIONS", width: 12 }
+    ], opts.format);
   });
-  addFormatOption(cmd.command("spending").description("Show current period spending summary.")).action(async (opts) => {
-    const resp = await apiRequest({ path: `${dspPrefix()}/invoices/spending` });
+  addFormatOption(statements.command("get").description("Get statement details.").argument("<id>", "Statement ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${consolePrefix()}/billing-ops/invoices/${id}` });
     const json = await resp.json();
     if (!resp.ok) {
       console.error(`Error: ${json.error ?? resp.statusText}`);
@@ -4841,12 +6267,2216 @@ Examples:
     }
     printDetail(json.data ?? json, opts.format);
   });
+  const payoutsAdmin = cmd.command("payouts").description("Payout operations");
+  addFormatOption(payoutsAdmin.command("list").description("List payouts.").option("--limit <n>", "Max results", "20").option("--status <status>", "Filter by status")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit });
+    if (opts.status)
+      params.set("status", opts.status);
+    const resp = await apiRequest({ path: `${consolePrefix()}/payout-ops/payouts?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((p) => ({
+      id: p.id,
+      publisher: p.publisherName ?? p.publisher_name ?? p.tenantId ?? p.tenant_id,
+      amount: p.amount,
+      status: p.status,
+      requestedAt: p.requestedAt ?? p.requested_at ?? p.createdAt ?? p.created_at
+    }));
+    printData(rows, [
+      { key: "id", header: "ID", width: 36 },
+      { key: "publisher", header: "PUBLISHER", width: 25 },
+      { key: "amount", header: "AMOUNT", width: 12 },
+      { key: "status", header: "STATUS", width: 12 },
+      { key: "requestedAt", header: "REQUESTED_AT", width: 22 }
+    ], opts.format);
+  });
+  payoutsAdmin.command("approve").description("Approve a payout.").argument("<id>", "Payout ID").option("--yes", "Skip confirmation", false).action(async (id, opts) => {
+    await confirmAction(`Approve payout ${id}?`, opts.yes);
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/payout-ops/payouts/${id}/approve` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Payout ${id} approved.`);
+  });
+  payoutsAdmin.command("reject").description("Reject a payout.").argument("<id>", "Payout ID").option("--yes", "Skip confirmation", false).option("--reason <reason>", "Rejection reason").action(async (id, opts) => {
+    await confirmAction(`Reject payout ${id}?`, opts.yes);
+    const body = {};
+    if (opts.reason)
+      body.reason = opts.reason;
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/payout-ops/payouts/${id}/reject`, body });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Payout ${id} rejected.`);
+  });
+  payoutsAdmin.command("process").description("Process a payout.").argument("<id>", "Payout ID").option("--yes", "Skip confirmation", false).action(async (id, opts) => {
+    await confirmAction(`Process payout ${id}?`, opts.yes);
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/payout-ops/payouts/${id}/process` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Payout ${id} processed.`);
+  });
+  payoutsAdmin.command("manual-create").description("Manually create a payout.").option("--tenant-id <id>", "Publisher tenant ID (required)").option("--amount <amount>", "Payout amount (required)").option("--reason <reason>", "Reason for manual payout").option("--wallet <wallet>", "Wallet address").option("--network <network>", "Payment network").option("--yes", "Skip confirmation", false).action(async (opts) => {
+    if (!opts.tenantId) {
+      console.error("Error: --tenant-id is required.");
+      process.exit(1);
+    }
+    if (!opts.amount) {
+      console.error("Error: --amount is required.");
+      process.exit(1);
+    }
+    await confirmAction(`Create manual payout of ${opts.amount} for tenant ${opts.tenantId}?`, opts.yes);
+    const body = { tenantId: opts.tenantId, amount: opts.amount };
+    if (opts.reason)
+      body.reason = opts.reason;
+    if (opts.wallet)
+      body.wallet = opts.wallet;
+    if (opts.network)
+      body.network = opts.network;
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/billing-ops/manual-payout`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Manual payout created: ${(json.data ?? json).id ?? "OK"}`);
+  });
+  const deposits = cmd.command("deposits").description("Deposit operations");
+  addFormatOption(deposits.command("list").description("List deposits.").option("--limit <n>", "Max results", "20").option("--status <status>", "Filter by status")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit });
+    if (opts.status)
+      params.set("status", opts.status);
+    const resp = await apiRequest({ path: `${consolePrefix()}/payments-ops/deposits?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const transactions = json.data?.transactions ?? json.transactions ?? json.data ?? json;
+    const items = Array.isArray(transactions) ? transactions : [];
+    const rows = items.map((d) => ({
+      id: d.id,
+      advertiser: d.advertiser?.name ?? d.advertiserName ?? d.advertiser_name ?? d.tenantId ?? d.tenant_id,
+      amount: d.amount,
+      status: d.status,
+      date: d.createdAt ?? d.created_at ?? d.date
+    }));
+    printData(rows, [
+      { key: "id", header: "ID", width: 36 },
+      { key: "advertiser", header: "ADVERTISER", width: 25 },
+      { key: "amount", header: "AMOUNT", width: 12 },
+      { key: "status", header: "STATUS", width: 12 },
+      { key: "date", header: "DATE", width: 22 }
+    ], opts.format);
+  });
+  deposits.command("confirm").description("Confirm a deposit.").argument("<id>", "Deposit ID").option("--yes", "Skip confirmation", false).action(async (id, opts) => {
+    await confirmAction(`Confirm deposit ${id}?`, opts.yes);
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/payments-ops/deposits/${id}/confirm` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Deposit ${id} confirmed.`);
+  });
+  deposits.command("manual-create").description("Manually create a deposit.").option("--tenant-id <id>", "Advertiser tenant ID (required)").option("--amount <amount>", "Deposit amount (required)").option("--reason <reason>", "Reason for manual deposit").option("--reference <ref>", "External reference").option("--notes <notes>", "Additional notes").option("--yes", "Skip confirmation", false).action(async (opts) => {
+    if (!opts.tenantId) {
+      console.error("Error: --tenant-id is required.");
+      process.exit(1);
+    }
+    if (!opts.amount) {
+      console.error("Error: --amount is required.");
+      process.exit(1);
+    }
+    await confirmAction(`Create manual deposit of ${opts.amount} for tenant ${opts.tenantId}?`, opts.yes);
+    const body = { tenantId: opts.tenantId, amount: opts.amount };
+    if (opts.reason)
+      body.reason = opts.reason;
+    if (opts.reference)
+      body.reference = opts.reference;
+    if (opts.notes)
+      body.notes = opts.notes;
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/billing-ops/manual-deposit`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Manual deposit created: ${(json.data ?? json).id ?? "OK"}`);
+  });
+  const refunds = cmd.command("refunds").description("Refund operations");
+  addFormatOption(refunds.command("list").description("List refunds.").option("--limit <n>", "Max results", "20").option("--status <status>", "Filter by status")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit });
+    if (opts.status)
+      params.set("status", opts.status);
+    const resp = await apiRequest({ path: `${consolePrefix()}/payments-ops/refunds?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((r) => ({
+      id: r.id,
+      advertiser: r.advertiserName ?? r.advertiser_name ?? r.accountId ?? r.account_id,
+      amount: r.amount,
+      reason: r.reason,
+      status: r.status
+    }));
+    printData(rows, [
+      { key: "id", header: "ID", width: 36 },
+      { key: "advertiser", header: "ADVERTISER", width: 25 },
+      { key: "amount", header: "AMOUNT", width: 12 },
+      { key: "reason", header: "REASON", width: 20 },
+      { key: "status", header: "STATUS", width: 12 }
+    ], opts.format);
+  });
+  addFormatOption(refunds.command("get").description("Get refund details.").argument("<id>", "Refund ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${consolePrefix()}/payments-ops/refunds/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  refunds.command("create").description("Create a refund.").option("--account-id <id>", "Account ID (required)").option("--amount <amount>", "Refund amount (required)").option("--reason <reason>", "Refund reason").option("--yes", "Skip confirmation", false).action(async (opts) => {
+    if (!opts.accountId) {
+      console.error("Error: --account-id is required.");
+      process.exit(1);
+    }
+    if (!opts.amount) {
+      console.error("Error: --amount is required.");
+      process.exit(1);
+    }
+    await confirmAction(`Create refund of ${opts.amount} for account ${opts.accountId}?`, opts.yes);
+    const body = { accountId: opts.accountId, amount: opts.amount };
+    if (opts.reason)
+      body.reason = opts.reason;
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/payments-ops/refunds`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Refund created: ${(json.data ?? json).id ?? "OK"}`);
+  });
+  refunds.command("approve").description("Approve a refund.").argument("<id>", "Refund ID").option("--yes", "Skip confirmation", false).action(async (id, opts) => {
+    await confirmAction(`Approve refund ${id}?`, opts.yes);
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/payments-ops/refunds/${id}/approve` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Refund ${id} approved.`);
+  });
+  refunds.command("reject").description("Reject a refund.").argument("<id>", "Refund ID").option("--yes", "Skip confirmation", false).option("--reason <reason>", "Rejection reason").action(async (id, opts) => {
+    await confirmAction(`Reject refund ${id}?`, opts.yes);
+    const body = {};
+    if (opts.reason)
+      body.reason = opts.reason;
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/payments-ops/refunds/${id}/reject`, body });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Refund ${id} rejected.`);
+  });
+  refunds.command("process").description("Process an approved refund.").argument("<id>", "Refund ID").option("--yes", "Skip confirmation", false).action(async (id, opts) => {
+    await confirmAction(`Process refund ${id}?`, opts.yes);
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/payments-ops/refunds/${id}/process` });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Refund ${id} processed.`);
+  });
+  const balances = cmd.command("balances").description("Account balance management");
+  addFormatOption(balances.command("list").description("List account balances.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${consolePrefix()}/billing-ops/balances` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  balances.command("adjust").description("Adjust an account balance.").option("--tenant-id <id>", "Tenant ID (required)").option("--amount <amount>", "Adjustment amount (required)").option("--reason <reason>", "Reason for adjustment").option("--account-type <type>", "Account type", "advertiser").option("--yes", "Skip confirmation", false).action(async (opts) => {
+    if (!opts.tenantId) {
+      console.error("Error: --tenant-id is required.");
+      process.exit(1);
+    }
+    if (!opts.amount) {
+      console.error("Error: --amount is required.");
+      process.exit(1);
+    }
+    await confirmAction(`Adjust balance by ${opts.amount} for tenant ${opts.tenantId} (${opts.accountType})?`, opts.yes);
+    const body = { tenantId: opts.tenantId, amount: opts.amount, accountType: opts.accountType };
+    if (opts.reason)
+      body.reason = opts.reason;
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/billing-ops/adjust`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Balance adjusted for tenant ${opts.tenantId}.`);
+  });
+  const lease = cmd.command("lease").description("Pacer lease operator commands (v3)");
+  lease.command("flush").description("Flush chunks/outbox/dedupe for a single campaign.").requiredOption("--campaign <cid>", "Campaign ID to flush").option("--region <region>", 'Region to scope (omit or "all" for every region)', "all").option("--dry-run", "Preview keys without deleting (default true)", false).option("--execute", "Actually delete; otherwise dry-run is forced", false).option("--yes", "Skip confirmation when --execute is given", false).addHelpText("after", `
+Examples:
+  $ a8techads admin lease flush --campaign cid-1
+  $ a8techads admin lease flush --campaign cid-1 --region sin
+  $ a8techads admin lease flush --campaign cid-1 --execute --yes`).action(async (opts) => {
+    const dryRun = !opts.execute;
+    if (!dryRun)
+      await confirmAction(`Flush leases for ${opts.campaign} in ${opts.region}?`, opts.yes);
+    const resp = await apiRequest({
+      method: "POST",
+      path: "/internal/pacer/ops/flush-campaign",
+      body: { campaign_id: opts.campaign, region: opts.region, dry_run: dryRun }
+    });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(dryRun ? "[DRY RUN]" : "[APPLIED]");
+    printDetail(json);
+  });
+  lease.command("flush-all").description("Flush all chunks for a region (bounded by active-set discovery).").requiredOption("--region <region>", 'Region to scope ("all" prohibited)').option("--shard-count <n>", "Pacer shard count (default 8)", "8").option("--execute", "Actually delete; otherwise dry-run is forced", false).option("--yes", "Skip confirmation when --execute is given", false).action(async (opts) => {
+    if (opts.region === "all") {
+      console.error("--region all is prohibited for flush-all; use flush per campaign");
+      process.exit(1);
+    }
+    const dryRun = !opts.execute;
+    if (!dryRun)
+      await confirmAction(`Flush ALL leases in region ${opts.region}?`, opts.yes);
+    const resp = await apiRequest({
+      method: "POST",
+      path: "/internal/pacer/ops/flush-region",
+      body: { region: opts.region, shard_count: parseInt(opts.shardCount, 10), dry_run: dryRun }
+    });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(dryRun ? "[DRY RUN]" : "[APPLIED]");
+    printDetail(json);
+  });
+  lease.command("reset-daily").description("Reset the pacer-side daily_spent projection.").option("--shard-count <n>", "Pacer shard count (default 8)", "8").option("--execute", "Actually delete; otherwise dry-run is forced", false).option("--yes", "Skip confirmation when --execute is given", false).action(async (opts) => {
+    const dryRun = !opts.execute;
+    if (!dryRun)
+      await confirmAction("Reset daily_spent projection across all active campaigns?", opts.yes);
+    const resp = await apiRequest({
+      method: "POST",
+      path: "/internal/pacer/ops/reset-daily",
+      body: { shard_count: parseInt(opts.shardCount, 10), dry_run: dryRun }
+    });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(dryRun ? "[DRY RUN]" : "[APPLIED]");
+    printDetail(json);
+  });
+  return cmd;
+}
+
+// src/commands/external-ssp.ts
+var COLUMNS8 = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 25 },
+  { key: "code", header: "CODE", width: 15 },
+  { key: "status", header: "STATUS", width: 12 },
+  { key: "routingMode", header: "ROUTING", width: 12 },
+  { key: "allowedRegions", header: "ALLOWED", width: 18, format: (v) => Array.isArray(v) ? v.join(", ") : "-" },
+  { key: "formats", header: "FORMATS", width: 25, format: (v) => Array.isArray(v) ? v.join(", ") : "-" }
+];
+function parseCsvList2(value) {
+  if (!value)
+    return;
+  const items = value.split(",").map((item) => item.trim()).filter(Boolean);
+  return items.length > 0 ? items : undefined;
+}
+function createExternalSspCommand() {
+  const cmd = new Command("external-ssp").description(`External SSP Partner management (Console)
+
+Requires: platform_owner or platform_admin role.`).addHelpText("after", `
+Examples:
+  $ a8techads external-ssp list
+  $ a8techads external-ssp get <id>
+  $ a8techads external-ssp create --name "OpenX" --code OPENX --formats BANNER,VIDEO
+  $ a8techads external-ssp update <id> --adm-mode plain_url
+  $ a8techads external-ssp activate <id>
+  $ a8techads external-ssp pause <id>`);
+  addFormatOption(cmd.command("list").description("List all external SSP partners.").option("--status <status>", "Filter by status (TESTING, ACTIVE, SUSPENDED)").option("--limit <n>", "Max results", "20")).action(async (opts) => {
+    const params = new URLSearchParams;
+    if (opts.status)
+      params.set("status", opts.status);
+    params.set("limit", opts.limit);
+    const resp = await apiRequest({ path: `${consolePrefix()}/ssp-partners?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((p) => ({
+      id: p.id,
+      name: p.name,
+      code: p.code,
+      status: p.status,
+      routingMode: p.routingMode ?? p.routing_mode ?? "global",
+      allowedRegions: p.allowedRegions ?? p.allowed_regions ?? [],
+      formats: p.supportedFormats ?? p.supported_formats ?? []
+    }));
+    printData(rows, COLUMNS8, opts.format);
+  });
+  addFormatOption(cmd.command("get").description("Get external SSP partner details (includes API key).").argument("<id>", "Partner ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${consolePrefix()}/ssp-partners/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  cmd.command("create").description("Create a new external SSP partner.").option("--name <name>", "Partner name (required)").option("--code <code>", "Partner code (auto-generated from name if omitted)").option("--formats <formats>", "Supported formats, comma-separated (default: BANNER,VIDEO,NATIVE)").option("--region <region>", "Fallback region (legacy compatibility field)").option("--routing-mode <mode>", "Routing mode (global or pinned)").option("--allowed-regions <regions>", "Allowed regions, comma-separated").option("--preferred-regions <regions>", "Preferred regions, comma-separated").option("--adm-mode <mode>", "ADM response mode (markup or plain_url)").addHelpText("after", `
+Examples:
+  $ a8techads external-ssp create --name "OpenX"
+  $ a8techads external-ssp create --name "AppLovin" --code APPLOVIN --formats BANNER,VIDEO
+  $ a8techads external-ssp create --name "PropellerAds" --code PROPELLERADS --formats BANNER,VIDEO,NATIVE,DIRECT_LINK --routing-mode global --allowed-regions sin,dfw --adm-mode plain_url`).action(async (opts) => {
+    if (!opts.name) {
+      console.error('Error: --name is required. Run "a8techads external-ssp create --help".');
+      process.exit(1);
+    }
+    const body = { name: opts.name };
+    if (opts.code)
+      body.code = opts.code;
+    if (opts.formats)
+      body.supportedFormats = parseCsvList2(opts.formats);
+    if (opts.region)
+      body.region = opts.region;
+    if (opts.routingMode)
+      body.routingMode = opts.routingMode;
+    if (opts.allowedRegions)
+      body.allowedRegions = parseCsvList2(opts.allowedRegions);
+    if (opts.preferredRegions)
+      body.preferredRegions = parseCsvList2(opts.preferredRegions);
+    if (opts.admMode)
+      body.responseTransform = { admMode: opts.admMode };
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/ssp-partners`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const data = json.data ?? json;
+    console.log(`Partner created: ${data.id}`);
+    if (data.code)
+      console.log(`  Code: ${data.code}`);
+    if (data.apiKey)
+      console.log(`  API Key: ${data.apiKey}`);
+    if (data.apiSecret)
+      console.log(`  API Secret: ${data.apiSecret}`);
+  });
+  cmd.command("update").description("Update an external SSP partner.").argument("<id>", "Partner ID").option("--name <name>", "New partner name").option("--formats <formats>", "Supported formats, comma-separated").option("--region <region>", "Fallback region (legacy compatibility field)").option("--routing-mode <mode>", "Routing mode (global or pinned)").option("--allowed-regions <regions>", "Allowed regions, comma-separated").option("--preferred-regions <regions>", "Preferred regions, comma-separated").option("--adm-mode <mode>", "ADM response mode (markup or plain_url)").action(async (id, opts) => {
+    const body = {};
+    if (opts.name)
+      body.name = opts.name;
+    if (opts.formats)
+      body.supportedFormats = parseCsvList2(opts.formats);
+    if (opts.region)
+      body.region = opts.region;
+    if (opts.routingMode)
+      body.routingMode = opts.routingMode;
+    if (opts.allowedRegions)
+      body.allowedRegions = parseCsvList2(opts.allowedRegions);
+    if (opts.preferredRegions)
+      body.preferredRegions = parseCsvList2(opts.preferredRegions);
+    if (opts.admMode)
+      body.responseTransform = { admMode: opts.admMode };
+    const resp = await apiRequest({ method: "PATCH", path: `${consolePrefix()}/ssp-partners/${id}`, body });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Partner ${id} updated.`);
+  });
+  cmd.command("regenerate-key").description("Regenerate API credentials for an external SSP partner.").argument("<id>", "Partner ID").action(async (id) => {
+    const resp = await apiRequest({
+      method: "POST",
+      path: `${consolePrefix()}/ssp-partners/${id}/regenerate-key`
+    });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const data = json.data ?? json;
+    const credentials = data.credentials ?? data;
+    console.log(`Partner ${id} credentials regenerated.`);
+    if (credentials.apiKey)
+      console.log(`  API Key: ${credentials.apiKey}`);
+    if (credentials.apiSecret)
+      console.log(`  API Secret: ${credentials.apiSecret}`);
+  });
+  cmd.command("delete").description("Delete an external SSP partner.").argument("<id>", "Partner ID").option("--yes", "Skip confirmation").action(async (id, opts) => {
+    if (!opts.yes) {
+      console.error("Add --yes to confirm deletion.");
+      process.exit(1);
+    }
+    const resp = await apiRequest({ method: "DELETE", path: `${consolePrefix()}/ssp-partners/${id}` });
+    if (!resp.ok && resp.status !== 204) {
+      console.error(`Error: ${resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Partner ${id} deleted.`);
+  });
+  cmd.command("activate").description("Activate an external SSP partner (TESTING/SUSPENDED → ACTIVE).").argument("<id>", "Partner ID").action(async (id) => {
+    const resp = await apiRequest({
+      method: "PATCH",
+      path: `${consolePrefix()}/ssp-partners/${id}/status`,
+      body: { status: "ACTIVE" }
+    });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Partner ${id} activated.`);
+  });
+  cmd.command("pause").description("Pause an external SSP partner (ACTIVE → SUSPENDED).").argument("<id>", "Partner ID").action(async (id) => {
+    const resp = await apiRequest({
+      method: "PATCH",
+      path: `${consolePrefix()}/ssp-partners/${id}/status`,
+      body: { status: "SUSPENDED" }
+    });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Partner ${id} paused.`);
+  });
+  return cmd;
+}
+
+// src/commands/settings.ts
+function settingsPrefix() {
+  const ctx = loadContext();
+  const context = getCurrentContext(ctx);
+  const app = context?.app ?? "dsp";
+  if (app === "console") {
+    console.error("Error: Settings commands are not available in Console mode.");
+    console.error('Switch to DSP or SSP context: "a8techads context dsp" or "a8techads context ssp"');
+    process.exit(1);
+  }
+  return app === "ssp" ? "/api/v1/ssp" : "/api/v1/dsp";
+}
+function createSettingsCommand() {
+  const cmd = new Command("settings").description(`Tenant settings (DSP / SSP only)
+
+Requires: ADVERTISER or PUBLISHER capability.
+Not available in Console mode.`).addHelpText("after", `
+Examples:
+  $ a8techads settings show
+  $ a8techads settings update --from-json settings.json
+  $ a8techads settings profile
+  $ a8techads settings profile-update --company-name "New Name"`);
+  addFormatOption(cmd.command("show").description("Show current tenant settings.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${settingsPrefix()}/settings` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  addFormatOption(cmd.command("profile").description("Show tenant profile (contact/business info).")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${settingsPrefix()}/settings/profile` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  cmd.command("update").description(`Update tenant settings.
+
+Requires: admin role.`).option("--from-json <file>", "Update from JSON file").action(async (opts) => {
+    if (!opts.fromJson) {
+      console.error("Error: --from-json is required for settings update.");
+      process.exit(1);
+    }
+    const { readFileSync: readFileSync5 } = await import("fs");
+    const body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
+    const resp = await apiRequest({ method: "PATCH", path: `${settingsPrefix()}/settings`, body });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log("Settings updated.");
+  });
+  cmd.command("profile-update").description("Update tenant profile.").option("--company-name <name>", "Company name").option("--from-json <file>", "Update from JSON file").action(async (opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync5 } = await import("fs");
+      body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
+    } else {
+      body = {};
+      if (opts.companyName)
+        body.companyName = opts.companyName;
+    }
+    const resp = await apiRequest({ method: "PATCH", path: `${settingsPrefix()}/settings/profile`, body });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log("Profile updated.");
+  });
+  return cmd;
+}
+
+// src/commands/invoices.ts
+function createInvoicesCommand() {
+  const cmd = new Command("invoices").description(`Invoice management (DSP)
+
+Requires: ADVERTISER capability.`).addHelpText("after", `
+Examples:
+  $ a8techads invoices list
+  $ a8techads invoices get <id>
+  $ a8techads invoices spending`);
+  addFormatOption(cmd.command("list").description("List invoices.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/invoices` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const columns = [
+      { key: "id", header: "ID", width: 36 },
+      { key: "period", header: "PERIOD", width: 20 },
+      { key: "amount", header: "AMOUNT", width: 12, format: (v) => v != null ? `$${Number(v).toFixed(2)}` : "-" },
+      { key: "status", header: "STATUS", width: 12 }
+    ];
+    const rows = (json.data ?? json).map((i) => ({
+      id: i.id,
+      period: i.period ?? i.billingPeriod,
+      amount: i.amount ?? i.totalAmount,
+      status: i.status
+    }));
+    printData(rows, columns, opts.format);
+  });
+  addFormatOption(cmd.command("get").description("Get invoice details.").argument("<id>", "Invoice ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/invoices/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  addFormatOption(cmd.command("spending").description("Show current period spending summary.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/invoices/spending` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  return cmd;
+}
+
+// src/commands/conversion-goals.ts
+var COLUMNS9 = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 24 },
+  { key: "goalOrder", header: "G#", width: 4 },
+  { key: "conversionType", header: "TYPE", width: 20 },
+  { key: "valueType", header: "VALUE", width: 10 },
+  { key: "status", header: "STATUS", width: 10 }
+];
+function createConversionGoalsCommand() {
+  const cmd = new Command("conversion-goals").description(`Conversion goal management (DSP)
+
+Requires: ADVERTISER capability.`).addHelpText("after", `
+Examples:
+  $ a8techads conversion-goals list
+  $ a8techads conversion-goals get <id>
+  $ a8techads conversion-goals create --name "Purchase" --conversion-type PURCHASE_CC --goal-order 1
+  $ a8techads conversion-goals pause <id>`);
+  addFormatOption(cmd.command("list").description("List conversion goals.").option("--status <status>", "Filter by status (ACTIVE, PAUSED, ARCHIVED)").option("--limit <n>", "Max results", "20")).action(async (opts) => {
+    const params = new URLSearchParams;
+    if (opts.status)
+      params.set("status", opts.status);
+    params.set("limit", opts.limit);
+    const resp = await apiRequest({ path: `${dspPrefix()}/conversion-goals?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((g) => ({
+      id: g.id,
+      name: g.name,
+      goalOrder: `G${g.goalOrder ?? g.goal_order}`,
+      conversionType: g.conversionType ?? g.conversion_type,
+      valueType: g.valueType ?? g.value_type,
+      status: g.status
+    }));
+    printData(rows, COLUMNS9, opts.format);
+  });
+  addFormatOption(cmd.command("get").description("Get conversion goal details.").argument("<id>", "Goal ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/conversion-goals/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  cmd.command("create").description(`Create a conversion goal.
+
+Conversion types: APP_INSTALL, LEAD_SOI, LEAD_DOI, PURCHASE_CC, PURCHASE_COD,
+  PURCHASE_CARRIER, SUBSCRIPTION_CC, SUBSCRIPTION_CARRIER, WEBSITE_INTERACTION, MULTIPLE, OTHER`).option("--name <name>", "Goal name (required)").option("--conversion-type <type>", "Conversion type (required)").option("--goal-order <n>", "Priority 1-10, maps to G1-G10 (required)").option("--value-type <type>", "NO_VALUE, FIXED, or DYNAMIC", "NO_VALUE").option("--fixed-value <amount>", "Fixed value per conversion (when value-type is FIXED)").option("--count-type <type>", "ONE per user or EVERY conversion", "EVERY").option("--window <hours>", "Attribution window in hours", "720").option("--description <text>", "Goal description").option("--from-json <file>", "Create from JSON file").action(async (opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync5 } = await import("fs");
+      body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
+    } else {
+      if (!opts.name) {
+        console.error("Error: --name is required");
+        process.exit(1);
+      }
+      if (!opts.conversionType) {
+        console.error("Error: --conversion-type is required");
+        process.exit(1);
+      }
+      if (!opts.goalOrder) {
+        console.error("Error: --goal-order is required (1-10)");
+        process.exit(1);
+      }
+      body = {
+        name: opts.name,
+        conversionType: opts.conversionType,
+        goalOrder: Number(opts.goalOrder),
+        valueType: opts.valueType,
+        countType: opts.countType,
+        conversionWindowHours: Number(opts.window)
+      };
+      if (opts.fixedValue)
+        body.fixedValue = Number(opts.fixedValue);
+      if (opts.description)
+        body.description = opts.description;
+    }
+    const resp = await apiRequest({ method: "POST", path: `${dspPrefix()}/conversion-goals`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const goal = json.data ?? json;
+    console.log(`Conversion goal created: ${goal.id}`);
+    console.log(`  Goal ID: ${goal.goalId ?? goal.goal_id}`);
+    console.log(`  Postback URL: ${goal.postbackUrl ?? goal.postback_url ?? "(see get)"}`);
+  });
+  cmd.command("update").description("Update a conversion goal.").argument("<id>", "Goal ID").option("--name <name>", "New name").option("--description <text>", "New description").option("--value-type <type>", "NO_VALUE, FIXED, or DYNAMIC").option("--fixed-value <amount>", "Fixed value").option("--count-type <type>", "ONE or EVERY").option("--window <hours>", "Attribution window").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync5 } = await import("fs");
+      body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
+    } else {
+      body = {};
+      if (opts.name)
+        body.name = opts.name;
+      if (opts.description)
+        body.description = opts.description;
+      if (opts.valueType)
+        body.valueType = opts.valueType;
+      if (opts.fixedValue)
+        body.fixedValue = Number(opts.fixedValue);
+      if (opts.countType)
+        body.countType = opts.countType;
+      if (opts.window)
+        body.conversionWindowHours = Number(opts.window);
+    }
+    const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/conversion-goals/${id}`, body });
+    if (!resp.ok) {
+      const j = await resp.json();
+      console.error(`Error: ${j.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Conversion goal ${id} updated.`);
+  });
+  cmd.command("delete").description("Delete a conversion goal.").argument("<id>", "Goal ID").option("--yes", "Skip confirmation").action(async (id, opts) => {
+    if (!opts.yes) {
+      console.error("Add --yes to confirm deletion.");
+      process.exit(1);
+    }
+    const resp = await apiRequest({ method: "DELETE", path: `${dspPrefix()}/conversion-goals/${id}` });
+    if (!resp.ok && resp.status !== 204) {
+      console.error(`Error: ${resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Conversion goal ${id} deleted.`);
+  });
+  for (const action of ["pause", "activate", "archive"]) {
+    cmd.command(action).description(`${action.charAt(0).toUpperCase() + action.slice(1)} a conversion goal.`).argument("<id>", "Goal ID").action(async (id) => {
+      const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/conversion-goals/${id}/${action}` });
+      if (!resp.ok) {
+        const j = await resp.json();
+        console.error(`Error: ${j.error ?? resp.statusText}`);
+        process.exit(1);
+      }
+      console.log(`Conversion goal ${id} ${action}d.`);
+    });
+  }
+  cmd.command("regenerate-secret").description("Regenerate secret key and postback URL.").argument("<id>", "Goal ID").action(async (id) => {
+    const resp = await apiRequest({ method: "POST", path: `${dspPrefix()}/conversion-goals/${id}/regenerate-secret` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const goal = json.data ?? json;
+    console.log(`Secret regenerated for goal ${id}`);
+    console.log(`  New postback URL: ${goal.postbackUrl ?? goal.postback_url}`);
+  });
+  return cmd;
+}
+
+// src/commands/algorithms.ts
+var COLUMNS10 = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 28 },
+  { key: "goal", header: "GOAL", width: 8 },
+  { key: "conversionGoalId", header: "CONV_GOAL", width: 36 },
+  { key: "status", header: "STATUS", width: 10 },
+  { key: "campaignCount", header: "CAMPAIGNS", width: 10 }
+];
+function createAlgorithmsCommand() {
+  const cmd = new Command("algorithms").description(`Bidder algorithm management (DSP)
+
+Requires: ADVERTISER capability.`).addHelpText("after", `
+Examples:
+  $ a8techads algorithms list
+  $ a8techads algorithms get <id>
+  $ a8techads algorithms create --name "CPA Base" --optimization-goal CPA --target-value 5
+  $ a8techads algorithms update <id> --conversion-goal-id <goal-id>
+  $ a8techads algorithms pause <id>`);
+  addFormatOption(cmd.command("list").description("List bidder algorithms.").option("--status <status>", "Filter by status (ACTIVE, PAUSED, ARCHIVED)").option("--limit <n>", "Max results", "20")).action(async (opts) => {
+    const params = new URLSearchParams;
+    if (opts.status)
+      params.set("status", opts.status);
+    params.set("limit", opts.limit);
+    const resp = await apiRequest({ path: `${dspPrefix()}/bidder-algorithms?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const rows = (json.data ?? json).map((algo) => ({
+      id: algo.id,
+      name: algo.name,
+      goal: algo.optimizationGoal,
+      conversionGoalId: algo.conversionGoalId,
+      status: algo.status,
+      campaignCount: algo.campaignCount ?? 0
+    }));
+    printData(rows, COLUMNS10, opts.format);
+  });
+  addFormatOption(cmd.command("get").description("Get bidder algorithm details.").argument("<id>", "Algorithm ID")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${dspPrefix()}/bidder-algorithms/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  cmd.command("create").description("Create a bidder algorithm.").option("--name <name>", "Algorithm name (required)").option("--description <text>", "Description").option("--optimization-goal <goal>", "CPA, ROAS, CTR, or CVR").option("--target-value <number>", "Target value").option("--conversion-goal-id <id>", "Conversion goal ID").option("--from-json <file>", "Create from JSON file").action(async (opts) => {
+    const body = await buildAlgorithmBody(opts, true);
+    const resp = await apiRequest({ method: "POST", path: `${dspPrefix()}/bidder-algorithms`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Algorithm created: ${json.data?.id ?? json.id}`);
+  });
+  cmd.command("update").description("Update a bidder algorithm.").argument("<id>", "Algorithm ID").option("--name <name>", "Algorithm name").option("--description <text>", "Description").option("--optimization-goal <goal>", "CPA, ROAS, CTR, or CVR").option("--target-value <number>", "Target value").option("--conversion-goal-id <id>", "Conversion goal ID").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
+    const body = await buildAlgorithmBody(opts, false);
+    const resp = await apiRequest({ method: "PATCH", path: `${dspPrefix()}/bidder-algorithms/${id}`, body });
+    const json = await resp.json().catch(() => ({}));
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Algorithm ${id} updated.`);
+  });
+  cmd.command("archive").description("Archive a bidder algorithm by setting status to ARCHIVED.").argument("<id>", "Algorithm ID").option("--yes", "Skip confirmation").action(async (id, opts) => {
+    if (!opts.yes) {
+      console.error("Add --yes to confirm archiving.");
+      process.exit(1);
+    }
+    const resp = await apiRequest({
+      method: "PATCH",
+      path: `${dspPrefix()}/bidder-algorithms/${id}`,
+      body: { status: "ARCHIVED" }
+    });
+    const json = await resp.json().catch(() => ({}));
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Algorithm ${id} archived.`);
+  });
+  for (const action of ["pause", "activate"]) {
+    cmd.command(action).description(`${action.charAt(0).toUpperCase() + action.slice(1)} a bidder algorithm.`).argument("<id>", "Algorithm ID").action(async (id) => {
+      const resp = await apiRequest({
+        method: "PATCH",
+        path: `${dspPrefix()}/bidder-algorithms/${id}/${action}`
+      });
+      const json = await resp.json().catch(() => ({}));
+      if (!resp.ok) {
+        console.error(`Error: ${json.error ?? json.errors ?? resp.statusText}`);
+        process.exit(1);
+      }
+      console.log(`Algorithm ${id} ${action}d.`);
+    });
+  }
+  return cmd;
+}
+async function buildAlgorithmBody(opts, creating) {
+  if (opts.fromJson) {
+    const { readFileSync: readFileSync5 } = await import("fs");
+    return JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
+  }
+  const body = {};
+  if (opts.name)
+    body.name = opts.name;
+  if (opts.description)
+    body.description = opts.description;
+  if (opts.optimizationGoal)
+    body.optimizationGoal = String(opts.optimizationGoal).toUpperCase();
+  if (opts.targetValue !== undefined)
+    body.targetValue = Number(opts.targetValue);
+  if (opts.conversionGoalId)
+    body.conversionGoalId = opts.conversionGoalId;
+  if (creating) {
+    if (!body.name) {
+      console.error("Error: --name is required.");
+      process.exit(1);
+    }
+    if (!body.optimizationGoal) {
+      console.error("Error: --optimization-goal is required.");
+      process.exit(1);
+    }
+    if (body.targetValue === undefined) {
+      console.error("Error: --target-value is required.");
+      process.exit(1);
+    }
+  }
+  return body;
+}
+
+// src/commands/payouts.ts
+function createPayoutsCommand() {
+  const cmd = new Command("payouts").description(`Payout management (SSP)
+
+Requires: PUBLISHER capability.`).addHelpText("after", `
+Examples:
+  $ a8techads payouts balance
+  $ a8techads payouts account
+  $ a8techads payouts list --limit 10
+  $ a8techads payouts request --amount 50 --method usdt --yes`);
+  addFormatOption(cmd.command("balance").description("Show current payout balance.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${sspPrefix()}/payouts/balance` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  addFormatOption(cmd.command("account").description("Show payout account details.")).action(async (opts) => {
+    const resp = await apiRequest({ path: `${sspPrefix()}/payouts/account` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  addFormatOption(cmd.command("list").description("List payout history.").option("--limit <n>", "Max results", "20").option("--status <status>", "Filter by status")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit });
+    if (opts.status)
+      params.set("status", opts.status);
+    const resp = await apiRequest({ path: `${sspPrefix()}/payouts/list?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const columns = [
+      { key: "id", header: "ID", width: 36 },
+      { key: "amount", header: "AMOUNT", width: 12, format: (v) => v != null ? `$${Number(v).toFixed(2)}` : "-" },
+      { key: "status", header: "STATUS", width: 14 },
+      { key: "method", header: "METHOD", width: 10 },
+      { key: "requestedAt", header: "REQUESTED_AT", width: 20 }
+    ];
+    const rows = (json.data ?? json).map((t) => ({
+      id: t.id,
+      amount: t.amount,
+      status: t.status,
+      method: t.method,
+      requestedAt: t.requestedAt ?? t.requested_at
+    }));
+    printData(rows, columns, opts.format);
+  });
+  cmd.command("request").description("Request a payout.").option("--amount <dollars>", "Payout amount in dollars (required)").option("--method <method>", "Payout method", "usdt").option("--wallet <address>", "Wallet address").option("--network <network>", "Network for crypto payouts", "TRC20").option("--yes", "Skip confirmation prompt").action(async (opts) => {
+    if (!opts.amount) {
+      console.error("Error: --amount is required.");
+      process.exit(1);
+    }
+    const amount = Number(opts.amount);
+    if (isNaN(amount) || amount <= 0) {
+      console.error("Error: Amount must be a positive number.");
+      process.exit(1);
+    }
+    if (!opts.yes) {
+      const rl = await import("readline");
+      const iface = rl.createInterface({ input: process.stdin, output: process.stdout });
+      const answer = await new Promise((resolve) => iface.question(`Request payout of $${amount.toFixed(2)}? (y/N) `, resolve));
+      iface.close();
+      if (answer.toLowerCase() !== "y") {
+        console.log("Cancelled.");
+        process.exit(0);
+      }
+    }
+    let resp;
+    if (opts.method === "usdt") {
+      const body = { amount, walletAddress: opts.wallet, network: opts.network };
+      resp = await apiRequest({ method: "POST", path: `${sspPrefix()}/payments/usdt/payout`, body });
+    } else {
+      resp = await apiRequest({ method: "POST", path: `${sspPrefix()}/payouts/request`, body: { amount } });
+    }
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(`Payout of $${amount.toFixed(2)} requested successfully.`);
+  });
+  return cmd;
+}
+
+// src/commands/statements.ts
+function createStatementsCommand() {
+  const cmd = new Command("statements").description(`Statement management (SSP)
+
+Requires: PUBLISHER capability.`).addHelpText("after", `
+Examples:
+  $ a8techads statements list
+  $ a8techads statements get <id>`);
+  addFormatOption(cmd.command("list").description("List statements.").option("--limit <n>", "Max results", "20")).action(async (opts) => {
+    const params = new URLSearchParams({ limit: opts.limit });
+    const resp = await apiRequest({ path: `${sspPrefix()}/statements?${params}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    const columns = [
+      { key: "id", header: "ID", width: 36 },
+      { key: "number", header: "NUMBER", width: 14 },
+      { key: "period", header: "PERIOD", width: 16 },
+      { key: "amount", header: "AMOUNT", width: 12, format: (v) => v != null ? `$${Number(v).toFixed(2)}` : "-" },
+      { key: "status", header: "STATUS", width: 12 }
+    ];
+    const rows = (json.data ?? json).map((t) => ({
+      id: t.id,
+      number: t.number,
+      period: t.period,
+      amount: t.amount,
+      status: t.status
+    }));
+    printData(rows, columns, opts.format);
+  });
+  addFormatOption(cmd.command("get <id>").description("Show statement details.")).action(async (id, opts) => {
+    const resp = await apiRequest({ path: `${sspPrefix()}/statements/${id}` });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json.data ?? json, opts.format);
+  });
+  return cmd;
+}
+
+// src/commands/simulator.ts
+import { readFileSync as readFileSync5 } from "fs";
+async function confirmAction2(message, yes) {
+  if (yes)
+    return;
+  const rl = await import("readline");
+  const iface = rl.createInterface({ input: process.stdin, output: process.stdout });
+  const answer = await new Promise((resolve) => iface.question(`${message} (y/N) `, resolve));
+  iface.close();
+  if (answer.toLowerCase() !== "y") {
+    console.log("Cancelled.");
+    process.exit(0);
+  }
+}
+function createSimulatorCommand() {
+  const cmd = new Command("simulator").description(`Simulator control and inspection
+
+Used for replay and traffic verification workflows.`).addHelpText("after", `
+Examples:
+  $ a8techads simulator status
+  $ a8techads simulator start
+  $ a8techads simulator stop --yes
+  $ a8techads simulator reset --yes
+  $ a8techads simulator config show
+  $ a8techads simulator config update --from-json ./simulator-config.json`);
+  addFormatOption(cmd.command("status").description("Show simulator runtime status and counters.")).action(async (opts) => {
+    const resp = await simulatorRequest("GET", "/api/v1/simulator/status");
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json, opts.format);
+  });
+  cmd.command("start").description("Start the simulator.").option("--from-json <file>", "Optional JSON file used as start config override").action(async (opts) => {
+    let body = undefined;
+    if (opts.fromJson) {
+      body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
+    }
+    const resp = await simulatorRequest("POST", "/api/v1/simulator/start", body);
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(json.message ?? "Simulator started.");
+  });
+  cmd.command("stop").description("Stop the simulator.").option("--yes", "Skip confirmation prompt").action(async (opts) => {
+    await confirmAction2("Stop simulator?", opts.yes);
+    const resp = await simulatorRequest("POST", "/api/v1/simulator/stop");
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(json.message ?? "Simulator stopped.");
+  });
+  cmd.command("reset").description("Reset simulator counters and stats.").option("--yes", "Skip confirmation prompt").action(async (opts) => {
+    await confirmAction2("Reset simulator stats?", opts.yes);
+    const resp = await simulatorRequest("POST", "/api/v1/simulator/reset");
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log(json.message ?? "Simulator stats reset.");
+  });
+  const config = cmd.command("config").description("Simulator config management");
+  addFormatOption(config.command("show").description("Show current simulator config.")).action(async (opts) => {
+    const resp = await simulatorRequest("GET", "/api/v1/simulator/config");
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    printDetail(json, opts.format);
+  });
+  config.command("update").description("Update simulator config from a JSON file.").requiredOption("--from-json <file>", "JSON file path").action(async (opts) => {
+    const body = JSON.parse(readFileSync5(opts.fromJson, "utf-8"));
+    const resp = await simulatorRequest("POST", "/api/v1/simulator/config", body);
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${json.error ?? resp.statusText}`);
+      process.exit(1);
+    }
+    console.log("Simulator config updated.");
+    if (json.config) {
+      printDetail(json.config, "table");
+    }
+  });
+  return cmd;
+}
+async function simulatorRequest(method, path, body) {
+  const creds = loadCredentials();
+  const profile = getCurrentProfile(creds);
+  if (!profile) {
+    throw new Error('No active profile. Run "a8techads auth login" to authenticate.');
+  }
+  const baseUrl = toConsoleApiBase(profile.api_url);
+  const request = await buildAuthenticatedRequest({ method, path, body, baseUrl });
+  return fetch(request.url, request.init);
+}
+function toConsoleApiBase(apiUrl) {
+  const url = new URL(apiUrl);
+  if (url.hostname.startsWith("api.")) {
+    url.hostname = url.hostname.replace(/^api\./, "console.");
+  }
+  return url.origin;
+}
+
+// src/commands/supply-ops.ts
+function formatRegion(value) {
+  if (Array.isArray(value))
+    return value.join(",");
+  if (value === null || value === undefined)
+    return "-";
+  return String(value);
+}
+function formatScalar2(value) {
+  if (value === undefined)
+    return null;
+  if (Array.isArray(value))
+    return value.length > 0 ? value.join(",") : null;
+  if (value === null)
+    return null;
+  if (typeof value === "object")
+    return JSON.stringify(value);
+  return value;
+}
+function formatLeaseDetail(row) {
+  return {
+    sectionScope: "scope",
+    id: row.id,
+    leaseType: row.leaseType,
+    scopeId: row.scopeId,
+    scopeName: row.scopeName,
+    supplyProductId: row.supplyProductId,
+    supplyProductName: row.supplyProductName,
+    supplyContractId: row.supplyContractId,
+    supplyContractName: row.supplyContractName,
+    region: formatScalar2(row.region),
+    status: row.status,
+    sectionContractTruth: "contract_truth",
+    contractType: row.contractType,
+    commitmentMetric: row.commitmentMetric,
+    commitmentValue: row.commitmentValue,
+    commitmentWindow: row.commitmentWindow,
+    remainingCommitmentValue: row.remainingCommitmentValue,
+    sectionOperatorIntent: "operator_intent",
+    policyMode: row.policyMode,
+    operatorPriority: row.operatorPriority,
+    allowed: row.allowed,
+    sectionRuntimeState: "runtime_state",
+    effectivePriority: row.effectivePriority ?? row.priority,
+    bidAggressivenessCap: row.bidAggressivenessCap,
+    bidAggressivenessEnabled: row.bidAggressivenessEnabled,
+    executionControlMetric: row.executionControlMetric,
+    executionQuota: row.executionQuota,
+    remainingExecutionCapacity: row.remainingExecutionCapacity,
+    windowSeconds: row.windowSeconds,
+    expiresAt: row.expiresAt,
+    sectionMeta: "meta",
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt
+  };
+}
+function printSectionedLeaseDetail(row) {
+  const sections = [
+    {
+      title: "Scope",
+      entries: {
+        id: row.id,
+        leaseType: row.leaseType,
+        scopeId: row.scopeId,
+        scopeName: row.scopeName,
+        supplyProductId: row.supplyProductId,
+        supplyProductName: row.supplyProductName,
+        supplyContractId: row.supplyContractId,
+        supplyContractName: row.supplyContractName,
+        region: formatScalar2(row.region),
+        status: row.status
+      }
+    },
+    {
+      title: "Contract Truth",
+      entries: {
+        contractType: row.contractType,
+        commitmentMetric: row.commitmentMetric,
+        commitmentValue: row.commitmentValue,
+        commitmentWindow: row.commitmentWindow,
+        remainingCommitmentValue: row.remainingCommitmentValue
+      }
+    },
+    {
+      title: "Operator Intent",
+      entries: {
+        policyMode: row.policyMode,
+        operatorPriority: row.operatorPriority,
+        allowed: row.allowed
+      }
+    },
+    {
+      title: "Runtime State",
+      entries: {
+        effectivePriority: row.effectivePriority ?? row.priority,
+        bidAggressivenessCap: row.bidAggressivenessCap,
+        bidAggressivenessEnabled: row.bidAggressivenessEnabled,
+        executionControlMetric: row.executionControlMetric,
+        executionQuota: row.executionQuota,
+        remainingExecutionCapacity: row.remainingExecutionCapacity,
+        windowSeconds: row.windowSeconds,
+        expiresAt: row.expiresAt
+      }
+    },
+    {
+      title: "Meta",
+      entries: {
+        createdAt: row.createdAt,
+        updatedAt: row.updatedAt
+      }
+    }
+  ];
+  for (const [index, section] of sections.entries()) {
+    console.log(section.title);
+    printDetail(section.entries, "table");
+    if (index < sections.length - 1)
+      console.log("");
+  }
+}
+function formatContractDetail(row) {
+  return {
+    sectionScope: "scope",
+    id: row.id,
+    name: row.name,
+    supplierTenantId: row.supplierTenantId,
+    supplierName: row.supplierName,
+    supplyProductId: row.supplyProductId,
+    supplyProductName: row.supplyProductName,
+    region: formatScalar2(row.region),
+    status: row.status,
+    sectionContractTruth: "contract_truth",
+    contractType: row.contractType,
+    windowType: row.windowType,
+    commitmentMetric: row.commitmentMetric,
+    commitmentValue: row.commitmentValue,
+    commitmentWindow: row.commitmentWindow,
+    matchRules: formatScalar2(row.matchRules),
+    sectionRouting: "routing",
+    priority: row.priority,
+    qpsCap: row.qpsCap,
+    targetFillRate: row.targetFillRate,
+    currency: row.currency,
+    startDate: row.startDate,
+    endDate: row.endDate,
+    sectionMeta: "meta",
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt
+  };
+}
+function printSectionedContractDetail(row) {
+  const sections = [
+    {
+      title: "Scope",
+      entries: {
+        id: row.id,
+        name: row.name,
+        supplierTenantId: row.supplierTenantId,
+        supplierName: row.supplierName,
+        supplyProductId: row.supplyProductId,
+        supplyProductName: row.supplyProductName,
+        region: formatScalar2(row.region),
+        status: row.status
+      }
+    },
+    {
+      title: "Contract Truth",
+      entries: {
+        contractType: row.contractType,
+        windowType: row.windowType,
+        commitmentMetric: row.commitmentMetric,
+        commitmentValue: row.commitmentValue,
+        commitmentWindow: row.commitmentWindow,
+        matchRules: formatScalar2(row.matchRules)
+      }
+    },
+    {
+      title: "Routing",
+      entries: {
+        priority: row.priority,
+        qpsCap: row.qpsCap,
+        targetFillRate: row.targetFillRate,
+        currency: row.currency,
+        startDate: row.startDate,
+        endDate: row.endDate
+      }
+    },
+    {
+      title: "Meta",
+      entries: {
+        createdAt: row.createdAt,
+        updatedAt: row.updatedAt
+      }
+    }
+  ];
+  for (const [index, section] of sections.entries()) {
+    console.log(section.title);
+    printDetail(section.entries, "table");
+    if (index < sections.length - 1)
+      console.log("");
+  }
+}
+function formatProductDetail(row) {
+  return {
+    sectionScope: "scope",
+    id: row.id,
+    tenantId: row.tenantId,
+    name: row.name,
+    region: formatScalar2(row.region),
+    status: row.status,
+    sectionPackaging: "packaging",
+    description: row.description,
+    qualityTier: row.qualityTier,
+    contractCount: row.contractCount,
+    sectionMeta: "meta",
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt
+  };
+}
+function printSectionedProductDetail(row) {
+  const sections = [
+    {
+      title: "Scope",
+      entries: {
+        id: row.id,
+        tenantId: row.tenantId,
+        name: row.name,
+        region: formatScalar2(row.region),
+        status: row.status
+      }
+    },
+    {
+      title: "Packaging",
+      entries: {
+        description: row.description,
+        qualityTier: row.qualityTier,
+        contractCount: row.contractCount
+      }
+    },
+    {
+      title: "Meta",
+      entries: {
+        createdAt: row.createdAt,
+        updatedAt: row.updatedAt
+      }
+    }
+  ];
+  for (const [index, section] of sections.entries()) {
+    console.log(section.title);
+    printDetail(section.entries, "table");
+    if (index < sections.length - 1)
+      console.log("");
+  }
+}
+function printSectionedSummary(kind, summary) {
+  if (kind === "products") {
+    const sections2 = [
+      {
+        title: "Packaging Layer",
+        entries: {
+          total: summary.total,
+          totalContracts: summary.totalContracts,
+          regions: formatScalar2(summary.regions)
+        }
+      },
+      {
+        title: "Status",
+        entries: {
+          statuses: formatScalar2(summary.statuses)
+        }
+      }
+    ];
+    for (const [index, section] of sections2.entries()) {
+      console.log(section.title);
+      printDetail(section.entries, "table");
+      if (index < sections2.length - 1)
+        console.log("");
+    }
+    return;
+  }
+  if (kind === "contracts") {
+    const sections2 = [
+      {
+        title: "Contract Truth",
+        entries: {
+          total: summary.total,
+          supplierCount: summary.supplierCount,
+          suppliers: formatScalar2(summary.suppliers),
+          regions: formatScalar2(summary.regions)
+        }
+      },
+      {
+        title: "Status",
+        entries: {
+          statuses: formatScalar2(summary.statuses)
+        }
+      }
+    ];
+    for (const [index, section] of sections2.entries()) {
+      console.log(section.title);
+      printDetail(section.entries, "table");
+      if (index < sections2.length - 1)
+        console.log("");
+    }
+    return;
+  }
+  const sections = [
+    {
+      title: "Operator Intent",
+      entries: {
+        total: summary.total,
+        averageOperatorPriority: summary.averageOperatorPriority,
+        regions: formatScalar2(summary.regions)
+      }
+    },
+    {
+      title: "Runtime State",
+      entries: {
+        totalQuota: summary.totalQuota,
+        totalRemaining: summary.totalRemaining,
+        averageEffectivePriority: summary.averageEffectivePriority,
+        utilizationRatio: summary.utilizationRatio
+      }
+    },
+    {
+      title: "Status",
+      entries: {
+        statuses: formatScalar2(summary.statuses)
+      }
+    }
+  ];
+  for (const [index, section] of sections.entries()) {
+    console.log(section.title);
+    printDetail(section.entries, "table");
+    if (index < sections.length - 1)
+      console.log("");
+  }
+}
+var PRODUCT_FULL_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 28 },
+  { key: "region", header: "REGION", width: 14, format: formatRegion },
+  { key: "qualityTier", header: "QUALITY", width: 10 },
+  { key: "status", header: "STATUS", width: 16 },
+  { key: "contractCount", header: "CONTRACTS", width: 10 }
+];
+var PRODUCT_PACKAGING_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 28 },
+  { key: "qualityTier", header: "QUALITY", width: 10 },
+  { key: "status", header: "STATUS", width: 16 },
+  { key: "contractCount", header: "CONTRACTS", width: 10 }
+];
+var PRODUCT_COVERAGE_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 28 },
+  { key: "region", header: "REGION", width: 14, format: formatRegion },
+  { key: "status", header: "STATUS", width: 16 },
+  { key: "contractCount", header: "CONTRACTS", width: 10 }
+];
+function productColumnsForView(view) {
+  switch ((view ?? "packaging").toLowerCase()) {
+    case "coverage":
+      return PRODUCT_COVERAGE_COLUMNS;
+    case "full":
+      return PRODUCT_FULL_COLUMNS;
+    case "packaging":
+    default:
+      return PRODUCT_PACKAGING_COLUMNS;
+  }
+}
+var CONTRACT_FULL_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 28 },
+  { key: "supplierName", header: "SUPPLIER", width: 22 },
+  { key: "supplyProductName", header: "TRAFFIC PACKAGE", width: 28 },
+  { key: "region", header: "REGION", width: 14, format: formatRegion },
+  { key: "contractType", header: "TYPE", width: 14 },
+  { key: "commitmentMetric", header: "METRIC", width: 12 },
+  { key: "commitmentValue", header: "COMMITMENT", width: 14 },
+  { key: "priority", header: "ROUTING PRI", width: 12 },
+  { key: "status", header: "STATUS", width: 12 }
+];
+var CONTRACT_TRUTH_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 28 },
+  { key: "supplierName", header: "SUPPLIER", width: 22 },
+  { key: "supplyProductName", header: "TRAFFIC PACKAGE", width: 28 },
+  { key: "contractType", header: "TYPE", width: 14 },
+  { key: "commitmentMetric", header: "METRIC", width: 12 },
+  { key: "commitmentValue", header: "COMMITMENT", width: 14 },
+  { key: "commitmentWindow", header: "WINDOW", width: 12 },
+  { key: "status", header: "STATUS", width: 12 }
+];
+var CONTRACT_ROUTING_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "name", header: "NAME", width: 28 },
+  { key: "region", header: "REGION", width: 14, format: formatRegion },
+  { key: "contractType", header: "TYPE", width: 14 },
+  { key: "priority", header: "ROUTING PRI", width: 12 },
+  { key: "qpsCap", header: "QPS CAP", width: 10 },
+  { key: "targetFillRate", header: "FILL TARGET", width: 12 },
+  { key: "status", header: "STATUS", width: 12 }
+];
+function contractColumnsForView(view) {
+  switch ((view ?? "truth").toLowerCase()) {
+    case "routing":
+      return CONTRACT_ROUTING_COLUMNS;
+    case "full":
+      return CONTRACT_FULL_COLUMNS;
+    case "truth":
+    default:
+      return CONTRACT_TRUTH_COLUMNS;
+  }
+}
+var LEASE_FULL_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "scopeName", header: "SCOPE", width: 28 },
+  { key: "leaseType", header: "LEASE TYPE", width: 14 },
+  { key: "region", header: "REGION", width: 14, format: formatRegion },
+  { key: "policyMode", header: "POLICY MODE", width: 16 },
+  { key: "operatorPriority", header: "OPERATOR", width: 10 },
+  { key: "effectivePriority", header: "EFFECTIVE", width: 10 },
+  { key: "status", header: "STATUS", width: 16 },
+  { key: "executionQuota", header: "RUNTIME QUOTA", width: 14 },
+  { key: "remainingExecutionCapacity", header: "RUNTIME REM", width: 12 }
+];
+var LEASE_RUNTIME_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "scopeName", header: "SCOPE", width: 28 },
+  { key: "region", header: "REGION", width: 14, format: formatRegion },
+  { key: "status", header: "STATUS", width: 16 },
+  { key: "effectivePriority", header: "EFFECTIVE", width: 10 },
+  { key: "executionControlMetric", header: "METRIC", width: 12 },
+  { key: "executionQuota", header: "RUNTIME QUOTA", width: 14 },
+  { key: "remainingExecutionCapacity", header: "RUNTIME REM", width: 12 }
+];
+var LEASE_OPERATOR_COLUMNS = [
+  { key: "id", header: "ID", width: 36 },
+  { key: "scopeName", header: "SCOPE", width: 28 },
+  { key: "leaseType", header: "LEASE TYPE", width: 14 },
+  { key: "region", header: "REGION", width: 14, format: formatRegion },
+  { key: "status", header: "STATUS", width: 16 },
+  { key: "policyMode", header: "POLICY MODE", width: 16 },
+  { key: "operatorPriority", header: "OPERATOR", width: 10 },
+  { key: "allowed", header: "ALLOWED", width: 8 }
+];
+function leaseColumnsForView(view) {
+  switch ((view ?? "runtime").toLowerCase()) {
+    case "operator":
+      return LEASE_OPERATOR_COLUMNS;
+    case "full":
+      return LEASE_FULL_COLUMNS;
+    case "runtime":
+    default:
+      return LEASE_RUNTIME_COLUMNS;
+  }
+}
+async function listResource(path, opts, columns) {
+  const rows = await fetchResource(path, opts);
+  printData(rows, columns, opts.format);
+}
+async function fetchResource(path, opts) {
+  const params = new URLSearchParams;
+  params.set("limit", opts.limit ?? "20");
+  if (opts.offset)
+    params.set("offset", opts.offset);
+  const resp = await apiRequest({ path: `${path}?${params.toString()}` });
+  const json = await resp.json();
+  if (!resp.ok) {
+    const errorValue = json.error ?? json.errors ?? resp.statusText;
+    console.error(`Error: ${typeof errorValue === "string" ? errorValue : JSON.stringify(errorValue)}`);
+    process.exit(1);
+  }
+  return applyFilters(json.data ?? [], opts);
+}
+function applyFilters(rows, opts) {
+  return rows.filter((row) => {
+    if (opts.id && row.id !== opts.id)
+      return false;
+    if (opts.region) {
+      const regions = Array.isArray(row.region) ? row.region.map((region) => String(region).toLowerCase()) : [String(row.region ?? "").toLowerCase()];
+      if (!regions.includes(opts.region.toLowerCase()))
+        return false;
+    }
+    if (opts.status && String(row.status ?? "").toLowerCase() !== opts.status.toLowerCase())
+      return false;
+    if (opts.type) {
+      const candidate = String(row.leaseType ?? row.contractType ?? "").toLowerCase();
+      if (candidate !== opts.type.toLowerCase())
+        return false;
+    }
+    if (opts.supplier) {
+      const supplier = String(row.supplierName ?? "").toLowerCase();
+      if (!supplier.includes(opts.supplier.toLowerCase()))
+        return false;
+    }
+    if (opts.name) {
+      const name = String(row.name ?? row.scopeName ?? "").toLowerCase();
+      if (!name.includes(opts.name.toLowerCase()))
+        return false;
+    }
+    return true;
+  });
+}
+function summarizeRows(rows, kind) {
+  const statuses = Object.create(null);
+  const regions = new Set;
+  for (const row of rows) {
+    const status = String(row.status ?? "UNKNOWN");
+    statuses[status] = (statuses[status] ?? 0) + 1;
+    const regionValues = Array.isArray(row.region) ? row.region : [row.region];
+    for (const region of regionValues) {
+      const text = String(region ?? "");
+      if (text)
+        regions.add(text);
+    }
+  }
+  if (kind === "leases") {
+    const totalQuota = rows.reduce((sum, row) => sum + Number(row.executionQuota ?? 0), 0);
+    const totalRemaining = rows.reduce((sum, row) => sum + Number(row.remainingExecutionCapacity ?? 0), 0);
+    const averageOperatorPriority = rows.length > 0 ? Number((rows.reduce((sum, row) => sum + Number(row.operatorPriority ?? 0), 0) / rows.length).toFixed(2)) : 0;
+    const averageEffectivePriority = rows.length > 0 ? Number((rows.reduce((sum, row) => sum + Number(row.effectivePriority ?? row.priority ?? 0), 0) / rows.length).toFixed(2)) : 0;
+    return {
+      total: rows.length,
+      regions: Array.from(regions),
+      statuses,
+      totalQuota,
+      totalRemaining,
+      averageOperatorPriority,
+      averageEffectivePriority,
+      utilizationRatio: totalQuota > 0 ? Number(((totalQuota - totalRemaining) / totalQuota).toFixed(4)) : 0
+    };
+  }
+  if (kind === "contracts") {
+    const suppliers = new Set(rows.map((row) => String(row.supplierName ?? "")).filter(Boolean));
+    return {
+      total: rows.length,
+      regions: Array.from(regions),
+      statuses,
+      supplierCount: suppliers.size,
+      suppliers: Array.from(suppliers)
+    };
+  }
+  return {
+    total: rows.length,
+    regions: Array.from(regions),
+    statuses,
+    totalContracts: rows.reduce((sum, row) => sum + Number(row.contractCount ?? 0), 0)
+  };
+}
+async function getResource(path, opts) {
+  const id = opts.id;
+  const resp = await apiRequest({ path: `${path}/${id}` });
+  const json = await resp.json();
+  if (!resp.ok) {
+    const errorValue = json.error ?? json.errors ?? resp.statusText;
+    console.error(`Error: ${typeof errorValue === "string" ? errorValue : JSON.stringify(errorValue)}`);
+    process.exit(1);
+  }
+  const data = json.data ?? {};
+  if (path.endsWith("/supply-products") && opts.format !== "json") {
+    printSectionedProductDetail(formatProductDetail(data));
+    return;
+  }
+  if (path.endsWith("/supply-contracts") && opts.format !== "json") {
+    printSectionedContractDetail(formatContractDetail(data));
+    return;
+  }
+  if (path.endsWith("/allocation-leases") && opts.format !== "json") {
+    printSectionedLeaseDetail(formatLeaseDetail(data));
+    return;
+  }
+  printDetail(data, opts.format);
+}
+async function summarizeResource(path, opts, kind) {
+  const rows = await fetchResource(path, { ...opts, limit: opts.limit ?? "200" });
+  const summary = summarizeRows(rows, kind);
+  if (opts.format !== "json") {
+    printSectionedSummary(kind, summary);
+    return;
+  }
+  printDetail(summary, opts.format);
+}
+function createSupplyOpsCommand() {
+  const cmd = new Command("supply-ops").description(`Supply operations (Console)
+
+Aligned to Product -> Contract -> Allocation Lease -> Runtime execution.`).addHelpText("after", `
+Examples:
+  $ a8techads supply-ops products list
+  $ a8techads supply-ops products summary
+  $ a8techads supply-ops products get <id>
+  $ a8techads supply-ops contracts list --limit 50
+  $ a8techads supply-ops leases list --format json
+  $ a8techads supply-ops leases update <id> --operator-priority 70 --policy-mode delivery_first`);
+  const products = cmd.command("products").description("Traffic package views");
+  addFormatOption(products.command("list").description("List traffic packages.").option("--limit <n>", "Max results", "20").option("--region <region>", "Filter by region").option("--status <status>", "Filter by status").option("--view <view>", "packaging, coverage, full", "packaging").option("--name <name>", "Filter by name contains")).action(async (opts) => {
+    await listResource(`${consolePrefix()}/supply-products`, opts, productColumnsForView(opts.view));
+  });
+  addFormatOption(products.command("get").description("Get one traffic package by id.").argument("<id>", "Traffic package ID")).action(async (id, opts) => {
+    await getResource(`${consolePrefix()}/supply-products`, { ...opts, id });
+  });
+  addFormatOption(products.command("summary").description("Summarize traffic packages.").option("--limit <n>", "Max results to scan", "200").option("--region <region>", "Filter by region").option("--status <status>", "Filter by status")).action(async (opts) => {
+    await summarizeResource(`${consolePrefix()}/supply-products`, opts, "products");
+  });
+  products.command("create").description("Create a traffic package (product packaging layer).").requiredOption("--name <name>", "Traffic package name").requiredOption("--region <regions>", "Serving regions, comma-separated").option("--description <text>", "Description").option("--quality-tier <tier>", "PREMIUM, STANDARD, REMNANT", "STANDARD").option("--source-masking-mode <mode>", "OPAQUE, REGION_ONLY, PRODUCT_ONLY", "REGION_ONLY").option("--status <status>", "DRAFT, ACTIVE, PAUSED, ARCHIVED", "DRAFT").option("--from-json <file>", "Create from JSON file").action(async (opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync6 } = await import("fs");
+      body = JSON.parse(readFileSync6(opts.fromJson, "utf-8"));
+    } else {
+      body = {
+        name: opts.name,
+        region: String(opts.region).split(",").map((item) => item.trim()).filter(Boolean),
+        description: opts.description,
+        qualityTier: opts.qualityTier,
+        sourceMaskingMode: opts.sourceMaskingMode,
+        status: opts.status
+      };
+    }
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/supply-products`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${JSON.stringify(json.error ?? json.errors ?? resp.statusText)}`);
+      process.exit(1);
+    }
+    console.log(`Traffic package created: ${json.data?.id ?? json.id}`);
+  });
+  products.command("update").description("Update a traffic package.").argument("<id>", "Traffic package ID").option("--name <name>", "Traffic package name").option("--region <regions>", "Serving regions, comma-separated").option("--description <text>", "Description").option("--quality-tier <tier>", "PREMIUM, STANDARD, REMNANT").option("--source-masking-mode <mode>", "OPAQUE, REGION_ONLY, PRODUCT_ONLY").option("--status <status>", "DRAFT, ACTIVE, PAUSED, ARCHIVED").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync6 } = await import("fs");
+      body = JSON.parse(readFileSync6(opts.fromJson, "utf-8"));
+    } else {
+      body = {
+        ...opts.name ? { name: opts.name } : {},
+        ...opts.region ? { region: String(opts.region).split(",").map((item) => item.trim()).filter(Boolean) } : {},
+        ...opts.description ? { description: opts.description } : {},
+        ...opts.qualityTier ? { qualityTier: opts.qualityTier } : {},
+        ...opts.sourceMaskingMode ? { sourceMaskingMode: opts.sourceMaskingMode } : {},
+        ...opts.status ? { status: opts.status } : {}
+      };
+    }
+    const resp = await apiRequest({ method: "PATCH", path: `${consolePrefix()}/supply-products/${id}`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${JSON.stringify(json.error ?? json.errors ?? resp.statusText)}`);
+      process.exit(1);
+    }
+    console.log(`Traffic package ${id} updated.`);
+  });
+  products.command("delete").description("Delete a traffic package.").argument("<id>", "Traffic package ID").option("--yes", "Skip confirmation").action(async (id, opts) => {
+    if (!opts.yes) {
+      console.error("Add --yes to confirm deletion.");
+      process.exit(1);
+    }
+    const resp = await apiRequest({ method: "DELETE", path: `${consolePrefix()}/supply-products/${id}` });
+    if (!resp.ok && resp.status !== 204) {
+      const json = await resp.json();
+      console.error(`Error: ${JSON.stringify(json.error ?? json.errors ?? resp.statusText)}`);
+      process.exit(1);
+    }
+    console.log(`Traffic package ${id} deleted.`);
+  });
+  const contracts = cmd.command("contracts").description("Supply contract views");
+  addFormatOption(contracts.command("list").description("List supply contracts.").option("--limit <n>", "Max results", "20").option("--region <region>", "Filter by region").option("--status <status>", "Filter by status").option("--supplier <name>", "Filter by supplier name contains").option("--type <type>", "Filter by contract type").option("--view <view>", "truth, routing, full", "truth").option("--name <name>", "Filter by name contains")).action(async (opts) => {
+    await listResource(`${consolePrefix()}/supply-contracts`, opts, contractColumnsForView(opts.view));
+  });
+  addFormatOption(contracts.command("get").description("Get one supply contract by id.").argument("<id>", "Supply contract ID")).action(async (id, opts) => {
+    await getResource(`${consolePrefix()}/supply-contracts`, { ...opts, id });
+  });
+  addFormatOption(contracts.command("summary").description("Summarize supply contracts.").option("--limit <n>", "Max results to scan", "200").option("--region <region>", "Filter by region").option("--status <status>", "Filter by status").option("--supplier <name>", "Filter by supplier name contains").option("--type <type>", "Filter by contract type")).action(async (opts) => {
+    await summarizeResource(`${consolePrefix()}/supply-contracts`, opts, "contracts");
+  });
+  contracts.command("create").description("Create a supply contract.").requiredOption("--name <name>", "Contract name").requiredOption("--region <regions>", "Serving regions, comma-separated").requiredOption("--supplier-tenant-id <id>", "Supplier tenant ID").requiredOption("--supply-product-id <id>", "Traffic package ID").option("--description <text>", "Description").option("--contract-type <type>", "GUARANTEED, PREFERRED_DEAL, PRIVATE_MARKETPLACE, OPEN_AUCTION", "OPEN_AUCTION").option("--source-masking-mode <mode>", "OPAQUE, REGION_ONLY, PRODUCT_ONLY", "OPAQUE").option("--priority <n>", "Contract-level routing priority", "0").option("--match-rules <json>", 'Request match rules JSON, e.g. [{"fieldPath":"ext.alpineads.route_key","operator":"eq","value":"hilltopads-open"}]').option("--qps-cap <n>", "QPS cap").option("--target-fill-rate <n>", "Target fill rate, decimal string").option("--currency <code>", "Currency", "USD").option("--start-date <iso>", "ISO UTC datetime").option("--end-date <iso>", "ISO UTC datetime").option("--status <status>", "DRAFT, ACTIVE, PAUSED, ARCHIVED", "DRAFT").option("--from-json <file>", "Create from JSON file").action(async (opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync6 } = await import("fs");
+      body = JSON.parse(readFileSync6(opts.fromJson, "utf-8"));
+    } else {
+      body = {
+        name: opts.name,
+        region: String(opts.region).split(",").map((item) => item.trim()).filter(Boolean),
+        supplierTenantId: opts.supplierTenantId,
+        supplyProductId: opts.supplyProductId,
+        description: opts.description,
+        contractType: opts.contractType,
+        sourceMaskingMode: opts.sourceMaskingMode,
+        priority: Number(opts.priority),
+        ...opts.matchRules ? { matchRules: JSON.parse(opts.matchRules) } : {},
+        ...opts.qpsCap ? { qpsCap: Number(opts.qpsCap) } : {},
+        ...opts.targetFillRate ? { targetFillRate: opts.targetFillRate } : {},
+        currency: opts.currency,
+        ...opts.startDate ? { startDate: opts.startDate } : {},
+        ...opts.endDate ? { endDate: opts.endDate } : {},
+        status: opts.status
+      };
+    }
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/supply-contracts`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${JSON.stringify(json.error ?? json.errors ?? resp.statusText)}`);
+      process.exit(1);
+    }
+    console.log(`Supply contract created: ${json.data?.id ?? json.id}`);
+  });
+  contracts.command("update").description("Update a supply contract.").argument("<id>", "Supply contract ID").option("--name <name>", "Contract name").option("--region <regions>", "Serving regions, comma-separated").option("--description <text>", "Description").option("--contract-type <type>", "GUARANTEED, PREFERRED_DEAL, PRIVATE_MARKETPLACE, OPEN_AUCTION").option("--source-masking-mode <mode>", "OPAQUE, REGION_ONLY, PRODUCT_ONLY").option("--priority <n>", "Contract-level routing priority").option("--match-rules <json>", "Request match rules JSON").option("--qps-cap <n>", "QPS cap").option("--target-fill-rate <n>", "Target fill rate, decimal string").option("--currency <code>", "Currency").option("--start-date <iso>", "ISO UTC datetime").option("--end-date <iso>", "ISO UTC datetime").option("--status <status>", "DRAFT, ACTIVE, PAUSED, ARCHIVED").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync6 } = await import("fs");
+      body = JSON.parse(readFileSync6(opts.fromJson, "utf-8"));
+    } else {
+      body = {
+        ...opts.name ? { name: opts.name } : {},
+        ...opts.region ? { region: String(opts.region).split(",").map((item) => item.trim()).filter(Boolean) } : {},
+        ...opts.description ? { description: opts.description } : {},
+        ...opts.contractType ? { contractType: opts.contractType } : {},
+        ...opts.sourceMaskingMode ? { sourceMaskingMode: opts.sourceMaskingMode } : {},
+        ...opts.priority ? { priority: Number(opts.priority) } : {},
+        ...opts.matchRules ? { matchRules: JSON.parse(opts.matchRules) } : {},
+        ...opts.qpsCap ? { qpsCap: Number(opts.qpsCap) } : {},
+        ...opts.targetFillRate ? { targetFillRate: opts.targetFillRate } : {},
+        ...opts.currency ? { currency: opts.currency } : {},
+        ...opts.startDate ? { startDate: opts.startDate } : {},
+        ...opts.endDate ? { endDate: opts.endDate } : {},
+        ...opts.status ? { status: opts.status } : {}
+      };
+    }
+    const resp = await apiRequest({ method: "PATCH", path: `${consolePrefix()}/supply-contracts/${id}`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${JSON.stringify(json.error ?? json.errors ?? resp.statusText)}`);
+      process.exit(1);
+    }
+    console.log(`Supply contract ${id} updated.`);
+  });
+  contracts.command("delete").description("Delete a supply contract.").argument("<id>", "Supply contract ID").option("--yes", "Skip confirmation").action(async (id, opts) => {
+    if (!opts.yes) {
+      console.error("Add --yes to confirm deletion.");
+      process.exit(1);
+    }
+    const resp = await apiRequest({ method: "DELETE", path: `${consolePrefix()}/supply-contracts/${id}` });
+    if (!resp.ok && resp.status !== 204) {
+      const json = await resp.json();
+      console.error(`Error: ${JSON.stringify(json.error ?? json.errors ?? resp.statusText)}`);
+      process.exit(1);
+    }
+    console.log(`Supply contract ${id} deleted.`);
+  });
+  const leases = cmd.command("leases").description("Allocation lease views (operator intent + runtime-derived state)");
+  addFormatOption(leases.command("list").description("List allocation leases with operator intent and runtime-derived state.").option("--limit <n>", "Max results", "20").option("--region <region>", "Filter by region").option("--status <status>", "Filter by status").option("--type <type>", "Filter by lease type").option("--view <view>", "runtime, operator, full", "runtime").option("--name <name>", "Filter by scope name contains")).action(async (opts) => {
+    await listResource(`${consolePrefix()}/allocation-leases`, opts, leaseColumnsForView(opts.view));
+  });
+  addFormatOption(leases.command("get").description("Get one allocation lease by id.").argument("<id>", "Allocation lease ID")).action(async (id, opts) => {
+    await getResource(`${consolePrefix()}/allocation-leases`, { ...opts, id });
+  });
+  addFormatOption(leases.command("summary").description("Summarize allocation leases.").option("--limit <n>", "Max results to scan", "200").option("--region <region>", "Filter by region").option("--status <status>", "Filter by status").option("--type <type>", "Filter by lease type")).action(async (opts) => {
+    await summarizeResource(`${consolePrefix()}/allocation-leases`, opts, "leases");
+  });
+  leases.command("create").description("Create an allocation lease. CLI only accepts operator intent; runtime quota is allocator-derived.").requiredOption("--supply-contract-id <id>", "Supply contract ID").requiredOption("--region <regions>", "Serving regions, comma-separated").option("--allowed <bool>", "true or false", "true").option("--status <status>", "DRAFT, ACTIVE, PAUSED, EXHAUSTED, ARCHIVED", "DRAFT").option("--policy-mode <mode>", "BALANCED, PRIORITY_FIRST, DELIVERY_FIRST, SPEND_CONSERVATIVE").option("--operator-priority <n>", "Operator priority (0-100)", "50").option("--execution-quota <n>", "Optional runtime quota override for emergency/debug use").option("--window-seconds <n>", "Optional lease window seconds override").option("--expires-at <iso>", "Optional lease expiry override").option("--from-json <file>", "Create from JSON file").action(async (opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync6 } = await import("fs");
+      body = JSON.parse(readFileSync6(opts.fromJson, "utf-8"));
+    } else {
+      body = {
+        supplyContractId: opts.supplyContractId,
+        region: String(opts.region).split(",").map((item) => item.trim()).filter(Boolean),
+        allowed: opts.allowed === "true",
+        status: opts.status,
+        ...opts.policyMode ? { policyMode: opts.policyMode } : {},
+        ...opts.executionQuota ? { executionQuota: Number(opts.executionQuota) } : {},
+        operatorPriority: Number(opts.operatorPriority),
+        ...opts.windowSeconds ? { windowSeconds: Number(opts.windowSeconds) } : {},
+        ...opts.expiresAt ? { expiresAt: opts.expiresAt } : {}
+      };
+    }
+    const resp = await apiRequest({ method: "POST", path: `${consolePrefix()}/allocation-leases`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${JSON.stringify(json.error ?? json.errors ?? resp.statusText)}`);
+      process.exit(1);
+    }
+    console.log(`Allocation lease created: ${json.data?.id ?? json.id}`);
+  });
+  leases.command("update").description("Update an allocation lease. Prefer operator intent fields; runtime fields are override-only.").argument("<id>", "Allocation lease ID").option("--region <regions>", "Serving regions, comma-separated").option("--allowed <bool>", "true or false").option("--status <status>", "DRAFT, ACTIVE, PAUSED, EXHAUSTED, ARCHIVED").option("--policy-mode <mode>", "BALANCED, PRIORITY_FIRST, DELIVERY_FIRST, SPEND_CONSERVATIVE").option("--operator-priority <n>", "Operator priority (0-100)").option("--execution-quota <n>", "Optional runtime quota override for emergency/debug use").option("--window-seconds <n>", "Optional lease window seconds override").option("--expires-at <iso>", "Optional lease expiry override").option("--from-json <file>", "Update from JSON file").action(async (id, opts) => {
+    let body;
+    if (opts.fromJson) {
+      const { readFileSync: readFileSync6 } = await import("fs");
+      body = JSON.parse(readFileSync6(opts.fromJson, "utf-8"));
+    } else {
+      body = {
+        ...opts.region ? { region: String(opts.region).split(",").map((item) => item.trim()).filter(Boolean) } : {},
+        ...opts.allowed ? { allowed: opts.allowed === "true" } : {},
+        ...opts.status ? { status: opts.status } : {},
+        ...opts.policyMode ? { policyMode: opts.policyMode } : {},
+        ...opts.executionQuota ? { executionQuota: Number(opts.executionQuota) } : {},
+        ...opts.operatorPriority ? { operatorPriority: Number(opts.operatorPriority) } : {},
+        ...opts.windowSeconds ? { windowSeconds: Number(opts.windowSeconds) } : {},
+        ...opts.expiresAt ? { expiresAt: opts.expiresAt } : {}
+      };
+    }
+    const resp = await apiRequest({ method: "PATCH", path: `${consolePrefix()}/allocation-leases/${id}`, body });
+    const json = await resp.json();
+    if (!resp.ok) {
+      console.error(`Error: ${JSON.stringify(json.error ?? json.errors ?? resp.statusText)}`);
+      process.exit(1);
+    }
+    console.log(`Allocation lease ${id} updated.`);
+  });
+  leases.command("delete").description("Delete an allocation lease.").argument("<id>", "Allocation lease ID").option("--yes", "Skip confirmation").action(async (id, opts) => {
+    if (!opts.yes) {
+      console.error("Add --yes to confirm deletion.");
+      process.exit(1);
+    }
+    const resp = await apiRequest({ method: "DELETE", path: `${consolePrefix()}/allocation-leases/${id}` });
+    if (!resp.ok && resp.status !== 204) {
+      const json = await resp.json();
+      console.error(`Error: ${JSON.stringify(json.error ?? json.errors ?? resp.statusText)}`);
+      process.exit(1);
+    }
+    console.log(`Allocation lease ${id} deleted.`);
+  });
+  return cmd;
+}
+
+// src/commands/validate.ts
+function unwrapData(json) {
+  if (json && typeof json === "object" && "data" in json) {
+    return json.data;
+  }
+  return json;
+}
+function getPath(value, path) {
+  return path.reduce((current, key) => {
+    if (!current || typeof current !== "object")
+      return;
+    return current[key];
+  }, value);
+}
+function describe(value) {
+  if (value === null)
+    return "null";
+  if (value === undefined)
+    return "missing";
+  if (typeof value === "string")
+    return value;
+  if (typeof value === "number" || typeof value === "boolean")
+    return String(value);
+  return JSON.stringify(value);
+}
+function addRow(rows, check, status, detail) {
+  rows.push({ check, status, detail });
+}
+function maybeSuspiciousZero(value) {
+  return typeof value === "number" && value === 0;
+}
+async function fetchJson(path) {
+  const resp = await apiRequest({ path });
+  const json = await resp.json().catch(() => null);
+  if (!resp.ok) {
+    const message = json && typeof json === "object" && "error" in json ? describe(json.error) : resp.statusText;
+    throw new Error(`${path} failed: ${message}`);
+  }
+  return json;
+}
+async function requestJson(method, path, body) {
+  const resp = await apiRequest({ method, path, body });
+  const json = await resp.json().catch(() => null);
+  return { status: resp.status, ok: resp.ok, json };
+}
+function summarizeError(json) {
+  const body = json ?? {};
+  if (body.error)
+    return describe(body.error);
+  if (body.errors)
+    return describe(body.errors);
+  return "no error body";
+}
+function parseCsv(value) {
+  return value.split(",").map((part) => part.trim()).filter(Boolean);
+}
+async function runDataHonestyChecks() {
+  const rows = [];
+  const [summaryRaw, financeRaw, billingRaw, systemHealthRaw, systemQueuesRaw] = await Promise.all([
+    fetchJson("/api/v1/console/summary"),
+    fetchJson("/api/v1/console/billing-ops/overview"),
+    fetchJson("/api/v1/console/billing-ops/summary"),
+    fetchJson("/api/v1/console/system/health"),
+    fetchJson("/api/v1/console/system/queues")
+  ]);
+  const summary = unwrapData(summaryRaw);
+  const finance = unwrapData(financeRaw);
+  const billing = unwrapData(billingRaw);
+  const systemHealth = unwrapData(systemHealthRaw);
+  const systemQueues = unwrapData(systemQueuesRaw);
+  const pending = getPath(finance, ["pending"]);
+  const depositsCount = pending?.depositsCount;
+  const depositsAmount = pending?.depositsAmount;
+  if (depositsCount === null && depositsAmount === null) {
+    addRow(rows, "finance.pendingDeposits", "pass", "pending deposits disclosed as unavailable");
+  } else if (maybeSuspiciousZero(depositsCount) && maybeSuspiciousZero(depositsAmount)) {
+    addRow(rows, "finance.pendingDeposits", "fail", "still returning 0 / 0.0 placeholder values");
+  } else {
+    addRow(rows, "finance.pendingDeposits", "warn", `returned count=${describe(depositsCount)} amount=${describe(depositsAmount)}`);
+  }
+  const overdue = getPath(billing, ["receivables", "overdue"]);
+  if (overdue === null) {
+    addRow(rows, "billing.receivables.overdue", "pass", "overdue disclosed as unavailable");
+  } else {
+    addRow(rows, "billing.receivables.overdue", "warn", `returned ${describe(overdue)}`);
+  }
+  const pendingPayouts = getPath(systemHealth, ["stats", "pendingPayouts"]);
+  if (pendingPayouts === null) {
+    addRow(rows, "system.pendingPayouts", "pass", "pending payouts disclosed as unavailable");
+  } else if (pendingPayouts === undefined) {
+    addRow(rows, "system.pendingPayouts", "warn", "system/health does not currently expose stats.pendingPayouts");
+  } else {
+    addRow(rows, "system.pendingPayouts", "warn", `returned ${describe(pendingPayouts)}`);
+  }
+  const advertiserChange = getPath(summary, ["platformHealth", "advertiserChange"]);
+  const publisherChange = getPath(summary, ["platformHealth", "publisherChange"]);
+  const clicksChange = getPath(summary, ["changes", "clicks"]);
+  addRow(rows, "summary.platformHealth.advertiserChange", advertiserChange === null ? "pass" : "warn", describe(advertiserChange));
+  addRow(rows, "summary.platformHealth.publisherChange", publisherChange === null ? "pass" : "warn", describe(publisherChange));
+  addRow(rows, "summary.changes.clicks", clicksChange === null ? "pass" : "warn", describe(clicksChange));
+  const queueRows = Array.isArray(systemQueues) ? systemQueues : [];
+  const fallbackQueue = queueRows.find((row) => {
+    if (!row || typeof row !== "object")
+      return false;
+    return row.available === false;
+  });
+  if (!fallbackQueue) {
+    addRow(rows, "system.queues.unavailableFallback", "warn", "no unavailable queue row found");
+  } else {
+    const hasNilMetrics = ["pending", "processing", "completed", "failed", "avgProcessingTime"].every((key) => fallbackQueue[key] === null);
+    addRow(rows, "system.queues.unavailableFallback", hasNilMetrics ? "pass" : "warn", hasNilMetrics ? "queue fallback row marks metrics unavailable" : `queue row=${JSON.stringify(fallbackQueue)}`);
+  }
+  return rows;
+}
+function createValidateCommand() {
+  const cmd = new Command("validate").description("Deploy and integration validation helpers").addHelpText("after", `
+Examples:
+  $ a8techads validate health
+  $ a8techads validate data-honesty
+  $ a8techads validate data-honesty --format json`);
+  cmd.command("health").description("Public API health check.").option("--base-url <url>", "Base API URL", "https://api.a8.tech").action(async (opts) => {
+    const url = new URL("/health", opts.baseUrl).toString();
+    const resp = await fetch(url);
+    if (!resp.ok) {
+      console.error(`Health check failed: ${url} -> ${resp.status}`);
+      process.exit(1);
+    }
+    console.log(`OK ${url} -> ${resp.status}`);
+  });
+  addFormatOption(cmd.command("data-honesty").description("Check post-deploy nullable/disclosure behavior for Console data honesty changes.")).action(async (opts) => {
+    const rows = await runDataHonestyChecks();
+    const columns = [
+      { key: "check", header: "CHECK", width: 38 },
+      { key: "status", header: "STATUS", width: 8 },
+      { key: "detail", header: "DETAIL", width: 80 }
+    ];
+    printData(rows, columns, opts.format);
+    if (rows.some((row) => row.status === "fail")) {
+      process.exit(1);
+    }
+  });
+  addFormatOption(cmd.command("tenant-boundary").description("Assert that current tenant context cannot access known foreign resources.").requiredOption("--campaign <id>", "Campaign ID that must not be visible from current tenant context").option("--supply-product <id>", "Active DSP-visible supply product ID to verify shared catalog access").option("--tenant <id>", "Tenant ID that current user does not belong to; used for tenant switch rejection check")).action(async (opts) => {
+    const rows = [];
+    const campaignId = String(opts.campaign);
+    const campaignShow = await requestJson("GET", `/api/v1/dsp/campaigns/${campaignId}`);
+    addRow(rows, "campaign.show.foreign", campaignShow.status === 404 ? "pass" : "fail", `expected 404, got ${campaignShow.status}${campaignShow.ok ? "" : ` (${summarizeError(campaignShow.json)})`}`);
+    const campaignUpdate = await requestJson("PATCH", `/api/v1/dsp/campaigns/${campaignId}`, {
+      name: `cross-tenant-check-${Date.now()}`
+    });
+    addRow(rows, "campaign.update.foreign", campaignUpdate.status === 404 ? "pass" : "fail", `expected 404, got ${campaignUpdate.status}${campaignUpdate.ok ? "" : ` (${summarizeError(campaignUpdate.json)})`}`);
+    const campaignDelete = await requestJson("DELETE", `/api/v1/dsp/campaigns/${campaignId}`);
+    addRow(rows, "campaign.delete.foreign", campaignDelete.status === 404 ? "pass" : "fail", `expected 404, got ${campaignDelete.status}${campaignDelete.ok ? "" : ` (${summarizeError(campaignDelete.json)})`}`);
+    if (opts.supplyProduct) {
+      const supplyProductId = String(opts.supplyProduct);
+      const supplyProductShow = await requestJson("GET", `/api/v1/dsp/supply-products/${supplyProductId}`);
+      addRow(rows, "supplyProduct.sharedCatalog", supplyProductShow.status === 200 ? "pass" : "warn", supplyProductShow.status === 200 ? "active supply product is visible through DSP shared catalog" : `expected shared catalog access, got ${supplyProductShow.status}${supplyProductShow.ok ? "" : ` (${summarizeError(supplyProductShow.json)})`}`);
+    }
+    if (opts.tenant) {
+      const tenantId = String(opts.tenant);
+      const tenantSwitch = await requestJson("POST", "/api/v1/me/switch-tenant", { tenant_id: tenantId });
+      addRow(rows, "tenantSwitch.foreignTenant", tenantSwitch.status === 403 ? "pass" : "fail", `expected 403, got ${tenantSwitch.status}${tenantSwitch.ok ? "" : ` (${summarizeError(tenantSwitch.json)})`}`);
+    }
+    const columns = [
+      { key: "check", header: "CHECK", width: 32 },
+      { key: "status", header: "STATUS", width: 8 },
+      { key: "detail", header: "DETAIL", width: 80 }
+    ];
+    printData(rows, columns, opts.format);
+    if (rows.some((row) => row.status === "fail")) {
+      process.exit(1);
+    }
+  });
+  addFormatOption(cmd.command("campaign-binding-flow").description("Run pause -> update supply binding -> resume against a real DSP campaign.").argument("<campaign-id>", "Campaign ID to mutate during the validation flow").requiredOption("--supply-products <ids>", "Comma-separated supply product IDs to apply while paused").option("--yes", "Allow live mutation of campaign state", false)).action(async (campaignId, opts) => {
+    if (!opts.yes) {
+      console.error("Error: this command mutates live campaign state. Re-run with --yes.");
+      process.exit(1);
+    }
+    const rows = [];
+    const supplyProductIds = parseCsv(String(opts.supplyProducts));
+    const pauseResp = await requestJson("PATCH", `/api/v1/dsp/campaigns/${campaignId}/status`, { status: "paused" });
+    addRow(rows, "campaign.pause", pauseResp.ok ? "pass" : "fail", pauseResp.ok ? "pause request accepted" : `status ${pauseResp.status} (${summarizeError(pauseResp.json)})`);
+    const updateResp = await requestJson("PATCH", `/api/v1/dsp/campaigns/${campaignId}`, { supplyProductIds });
+    addRow(rows, "campaign.updateSupplyBinding", updateResp.ok ? "pass" : "fail", updateResp.ok ? `updated supplyProductIds=${supplyProductIds.join(",")}` : `status ${updateResp.status} (${summarizeError(updateResp.json)})`);
+    const resumeResp = await requestJson("PATCH", `/api/v1/dsp/campaigns/${campaignId}/status`, { status: "active" });
+    addRow(rows, "campaign.resume", resumeResp.ok ? "pass" : "fail", resumeResp.ok ? "resume request accepted" : `status ${resumeResp.status} (${summarizeError(resumeResp.json)})`);
+    const verifyResp = await requestJson("GET", `/api/v1/dsp/campaigns/${campaignId}`);
+    const verify = unwrapData(verifyResp.json);
+    const actualStatus = getPath(verify, ["status"]);
+    const actualSupplyProducts = getPath(verify, ["supplyProductIds"]);
+    const supplyBindingMatches = Array.isArray(actualSupplyProducts) && actualSupplyProducts.length === supplyProductIds.length && supplyProductIds.every((id) => actualSupplyProducts.includes(id));
+    addRow(rows, "campaign.verifyStatus", String(actualStatus).toUpperCase() === "ACTIVE" ? "pass" : "fail", `status=${describe(actualStatus)}`);
+    addRow(rows, "campaign.verifySupplyBinding", supplyBindingMatches ? "pass" : "fail", `supplyProductIds=${describe(actualSupplyProducts)}`);
+    const columns = [
+      { key: "check", header: "CHECK", width: 32 },
+      { key: "status", header: "STATUS", width: 8 },
+      { key: "detail", header: "DETAIL", width: 80 }
+    ];
+    printData(rows, columns, opts.format);
+    if (rows.some((row) => row.status === "fail")) {
+      process.exit(1);
+    }
+  });
   return cmd;
 }
 
 // src/index.ts
 function createProgram() {
-  const program2 = new Command().name("a8techads").description("A8TechAds CLI — programmatic ad platform management").version("0.4.0").addHelpText("after", `
+  const program2 = new Command().name("a8techads").description("A8TechAds CLI — programmatic ad platform management").version("0.4.1").addHelpText("after", `
 Command Groups:
   auth          Authentication (login, logout, token, status)
   profile       Multi-profile management
@@ -4854,13 +8484,23 @@ Command Groups:
   audiences     Audience management (DSP)
   campaigns     Campaign management (DSP)
   variations    Ad variation management (DSP)
+  landing-pages  Landing page groups and pages (DSP)
+  conversion-goals  Conversion goal management (DSP)
+  media-assets  Media library management (DSP)
+  algorithms    Bidder algorithm management (DSP)
   sites         Site management (SSP)
   zones         Ad zone management (SSP)
   reports       Analytics and reporting
   billing       Billing and payments (DSP)
   invoices      Invoice management (DSP)
+  payouts       Payout management (SSP)
+  statements    Statement management (SSP)
+  simulator     Simulator control and replay support
   users         Team member management
   settings      Tenant settings
+  admin         Platform administration (Console)
+  external-ssp  External SSP partner management (Console)
+  supply-ops    Internal supply operations views (Console)
 
 Getting Started:
   $ a8techads auth login                    # Authenticate
@@ -4874,14 +8514,24 @@ Getting Started:
   program2.addCommand(createAudiencesCommand());
   program2.addCommand(createCampaignsCommand());
   program2.addCommand(createVariationsCommand());
+  program2.addCommand(createMediaAssetsCommand());
+  program2.addCommand(createLandingPagesCommand());
+  program2.addCommand(createConversionGoalsCommand());
+  program2.addCommand(createAlgorithmsCommand());
   program2.addCommand(createSitesCommand());
   program2.addCommand(createZonesCommand());
   program2.addCommand(createReportsCommand());
   program2.addCommand(createBillingCommand());
+  program2.addCommand(createPayoutsCommand());
+  program2.addCommand(createStatementsCommand());
+  program2.addCommand(createSimulatorCommand());
   program2.addCommand(createUsersCommand());
   program2.addCommand(createSettingsCommand());
   program2.addCommand(createInvoicesCommand());
   program2.addCommand(createAdminCommand());
+  program2.addCommand(createExternalSspCommand());
+  program2.addCommand(createSupplyOpsCommand());
+  program2.addCommand(createValidateCommand());
   return program2;
 }