@adcp/sdk 8.1.0-beta.13 → 8.1.0-beta.14

package/dist/lib/server/decisioning/runtime/from-platform.js

@@ -55,10 +55,13 @@ exports.createAdcpServerFromPlatform = createAdcpServerFromPlatform;
 exports._resetMergeSeamDedupe = _resetMergeSeamDedupe;
 exports.getAllAdcpMigrations = getAllAdcpMigrations;
 const node_crypto_1 = require("node:crypto");
+const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
 const create_adcp_server_1 = require("../../create-adcp-server");
 const account_1 = require("../account");
+const buyer_agent_1 = require("../buyer-agent");
 const async_outcome_1 = require("../async-outcome");
 const proposal_1 = require("../proposal");
+const capability_rollups_1 = require("../../../utils/capability-rollups");
 const errors_1 = require("../../errors");
 const validate_platform_1 = require("./validate-platform");
 const validate_specialisms_1 = require("../validate-specialisms");
@@ -92,9 +95,9 @@ const comply_controller_1 = require("../../../testing/comply-controller");
 const seed_merge_1 = require("../../../testing/seed-merge");
 const adcp_server_1 = require("../../adcp-server");
 const account_mode_1 = require("../../account-mode");
-const test_controller_1 = require("../../test-controller");
 const observed_modes_1 = require("./observed-modes");
 const normalize_errors_1 = require("../../normalize-errors");
+const redact_1 = require("../../redact");
 /**
  * Apply `normalizeErrors` to a sync_creatives row's optional `errors`
  * field. Adopters often return errors as bare strings, native Error
@@ -343,7 +346,15 @@ function createAdcpServerFromPlatform(platform, opts) {
     const at = platform.capabilities.audience_targeting;
     const ct = platform.capabilities.conversion_tracking;
     const cs = platform.capabilities.content_standards;
-    const som = platform.capabilities.supported_optimization_metrics;
+    const explicitSom = platform.capabilities.supported_optimization_metrics;
+    const derivedSom = explicitSom == null && platform.capabilities.productCatalog != null
+        ? (0, capability_rollups_1.rollupOptimizationMetricsFromProducts)(platform.capabilities.productCatalog)
+        : undefined;
+    const somCandidate = explicitSom ?? derivedSom;
+    // Empty arrays are an explicit "no seller-level rollup to advertise" signal,
+    // not a malformed capability. Omit the wire field so buyers do not see an
+    // empty support list as a positive 3.1 metric-optimization declaration.
+    const som = somCandidate != null && somCandidate.length > 0 ? somCandidate : undefined;
     const fc = platform.capabilities.frequency_capping;
     const hasSalesPlatform = platform.sales != null || platform.proposalManager != null;
     const supportsProposals = platform.capabilities.supportsProposals ??
@@ -373,6 +384,14 @@ function createAdcpServerFromPlatform(platform, opts) {
             },
         }),
     };
+    if (process.env.NODE_ENV !== 'production') {
+        if (explicitSom != null && explicitSom.length > 0) {
+            fwLogger.info(`[adcp/decisioning] using explicit media_buy.supported_optimization_metrics override (${explicitSom.length} metric${explicitSom.length === 1 ? '' : 's'}).`);
+        }
+        else if (derivedSom != null) {
+            fwLogger.info(`[adcp/decisioning] derived media_buy.supported_optimization_metrics from productCatalog (${derivedSom.length} metric${derivedSom.length === 1 ? '' : 's'}).`);
+        }
+    }
     // Brand-protocol capability projection. Adopters who declare
     // `capabilities.brand` get the block projected via `overrides.brand`.
     // When `BrandRightsPlatform` is supplied, `rights: true` is auto-
@@ -587,7 +606,7 @@ function createAdcpServerFromPlatform(platform, opts) {
                 // the `{ account_id }` arm is refused. Closes adcp-client#1364
                 // (implicit) and adcp-client#1468 (derived).
                 refuseInlineAccountIdWhenForbidden(platform.accounts.resolution, ref);
-                const account = await platform.accounts.resolve(ref, toResolveCtx(ctx, ctx.toolName));
+                const account = await platform.accounts.resolve(ref, toResolveCtx(ctx, ctx.toolName, ctx.input));
                 resolved = account != null;
                 resolvedAccountId = account?.id;
                 return account;
@@ -629,7 +648,7 @@ function createAdcpServerFromPlatform(platform, opts) {
             let resolved = false;
             let resolvedAccountId;
             try {
-                const account = await platform.accounts.resolve(undefined, toResolveCtx(ctx, ctx.toolName));
+                const account = await platform.accounts.resolve(undefined, toResolveCtx(ctx, ctx.toolName, ctx.input));
                 resolved = account != null;
                 resolvedAccountId = account?.id;
                 return account;
@@ -688,6 +707,83 @@ function createAdcpServerFromPlatform(platform, opts) {
         })(),
     };
     const server = (0, create_adcp_server_1.createAdcpServer)(config);
+    const mcp = (0, adcp_server_1.getSdkServer)(server);
+    const resolveComplyBuyerAgent = async (extra, input) => {
+        if (platform.agentRegistry === undefined)
+            return undefined;
+        try {
+            const inboundCredential = extra?.authInfo?.extra?.credential;
+            const credential = extra?.authInfo?.credential ?? inboundCredential;
+            const resolved = await platform.agentRegistry.resolve({
+                ...(credential !== undefined && { credential }),
+                ...(extra?.authInfo?.extra !== undefined && { extra: extra.authInfo.extra }),
+                ...(input !== undefined && { input }),
+            });
+            if (resolved == null)
+                return undefined;
+            if (!Object.isFrozen(resolved)) {
+                if (resolved.billing_capabilities instanceof Set) {
+                    Object.freeze(resolved.billing_capabilities);
+                }
+                Object.freeze(resolved);
+            }
+            return resolved;
+        }
+        catch (err) {
+            fwLogger.warn?.('Buyer-agent registry resolution failed during comply controller visibility check', {
+                error: (0, redact_1.redactCredentialPatterns)(err instanceof Error ? err.message : String(err)),
+            });
+            return undefined;
+        }
+    };
+    const resolveComplyControllerVisible = async (extra, toolName, input) => {
+        const agent = await resolveComplyBuyerAgent(extra, input);
+        let principalAccount = null;
+        try {
+            principalAccount = await platform.accounts.resolve(undefined, toResolveCtx({
+                ...(extra?.authInfo !== undefined && { authInfo: extra.authInfo }),
+                ...(agent !== undefined && { agent }),
+            }, toolName, input));
+        }
+        catch {
+            principalAccount = null;
+        }
+        (0, observed_modes_1.recordResolvedAccountMode)(principalAccount);
+        if ((0, account_mode_1.isSandboxOrMockAccount)(principalAccount))
+            return true;
+        if (process.env.ADCP_SANDBOX === '1') {
+            if ((0, observed_modes_1.hasObservedLiveMode)()) {
+                throw new Error('comply_test_controller: ADCP_SANDBOX=1 is set but this process has resolved at least one ' +
+                    'live-mode account from platform.accounts.resolve. Remove ADCP_SANDBOX from your prod ' +
+                    'environment; gate the controller via mode: "sandbox" on resolved sandbox accounts instead. ' +
+                    'See docs/proposals/lifecycle-state-and-sandbox-authority.md.');
+            }
+            return true;
+        }
+        return false;
+    };
+    if (mcp != null && hasComplianceTestingProjection) {
+        const wrappedCapabilities = (0, adcp_server_1.wrapRegisteredToolHandler)(mcp, 'get_adcp_capabilities', async (orig, args, extra) => {
+            const response = await orig(args, extra);
+            if (await resolveComplyControllerVisible(extra, 'get_adcp_capabilities', args)) {
+                return response;
+            }
+            if (response == null || typeof response !== 'object')
+                return response;
+            const structured = response.structuredContent;
+            if (structured == null || typeof structured !== 'object')
+                return response;
+            if (!Object.hasOwn(structured, 'compliance_testing'))
+                return response;
+            const nextStructured = { ...structured };
+            delete nextStructured['compliance_testing'];
+            return { ...response, structuredContent: nextStructured };
+        });
+        if (!wrappedCapabilities) {
+            throw new Error('createAdcpServerFromPlatform: failed to wrap get_adcp_capabilities for comply_test_controller visibility. ' +
+                'The MCP SDK registered-tool internals may have changed.');
+        }
+    }
     // Wire `comply_test_controller` if the adopter supplied adapters.
     // `createComplyController` builds the tool definition + handler + raw
     // dispatch. The framework registers the tool itself (bypassing
@@ -772,25 +868,23 @@ function createAdcpServerFromPlatform(platform, opts) {
         // `account.sandbox === true` on the wire. The resolver is the only
         // thing that names the account's mode; the gate refuses dispatch when
         // mode is `live` (or the resolver fails to produce an account, modulo
-        // the env / context fallbacks below).
+        // the narrow fallbacks below).
         //
         // Fallback paths (deprecated):
-        //   - `context.sandbox === true` admits when no account resolved. Useful
-        //     during the migration window for adopters whose wire shape carries
-        //     sandbox routing in `context` but whose resolver isn't yet returning
-        //     `mode: 'sandbox'`.
-        //   - `process.env.ADCP_SANDBOX === '1'` admits unconditionally — the
-        //     historical pattern. KEPT for back-compat so existing test platforms
-        //     don't break on upgrade. Fails closed if the same process has ever
-        //     resolved an explicit `mode: 'live'` account from the resolver: that
-        //     pairing is a misconfiguration (env var should be unset on prod) and
-        //     leaving it open re-exposes the live principal we just gated against.
+        //   - `account.sandbox === true` admits only for unresolved target-account
+        //     refs after a sandbox/mock principal has already passed the discovery
+        //     visibility gate. A buyer wire claim never overrides a resolved live
+        //     account and is never used for principal visibility.
+        //   - `process.env.ADCP_SANDBOX === '1'` admits the principal visibility
+        //     check and target dispatch for legacy conformance deployments. It
+        //     fails closed if the same process has ever resolved an explicit
+        //     `mode: 'live'` account from the resolver: that pairing is a
+        //     misconfiguration (env var should be unset on prod) and leaving it
+        //     open re-exposes the live principal we just gated against.
         //
-        // `list_scenarios` is exempt — it's the discovery probe used by buyer
-        // tooling to distinguish "controller wired but locked" from "controller
-        // missing entirely". Read-only and reveals nothing beyond which scenarios
-        // the adopter advertised in capabilities.
-        const mcp = (0, adcp_server_1.getSdkServer)(server);
+        // `list_scenarios` is exempt from the target-account gate once the
+        // principal can see the controller. Read-only and reveals nothing beyond
+        // which scenarios the adopter advertised in capabilities.
         if (mcp == null) {
             // Non-MCP server — fall back to the controller's own registration so
             // adopters wiring a custom transport keep the v5 behavior. The gate is
@@ -832,6 +926,9 @@ function createAdcpServerFromPlatform(platform, opts) {
                 description: controller.toolDefinition.description,
                 inputSchema: gatedInputSchema,
             }, (async (input, extra) => {
+                if (!(await resolveComplyControllerVisible(extra, 'comply_test_controller', input))) {
+                    throw new types_js_1.McpError(types_js_1.ErrorCode.MethodNotFound, 'Method not found');
+                }
                 // Probe exempt — capability discovery, no state mutation.
                 if (input.scenario === 'list_scenarios') {
                     return controller.handle(input);
@@ -843,10 +940,11 @@ function createAdcpServerFromPlatform(platform, opts) {
                 const accountRef = refFromTop ?? refFromContext;
                 let resolvedAccount = null;
                 try {
-                    resolvedAccount = await platform.accounts.resolve(accountRef, {
+                    const agent = await resolveComplyBuyerAgent(extra, input);
+                    resolvedAccount = await platform.accounts.resolve(accountRef, toResolveCtx({
                         ...(extra?.authInfo !== undefined && { authInfo: extra.authInfo }),
-                        toolName: 'comply_test_controller',
-                    });
+                        ...(agent !== undefined && { agent }),
+                    }, 'comply_test_controller', input));
                 }
                 catch {
                     // Resolver failures fall through to the wire-ref / env fallbacks.
@@ -879,10 +977,10 @@ function createAdcpServerFromPlatform(platform, opts) {
                 }
                 const allowed = accountIsSandbox || (resolvedAccount == null && refSandbox) || envSandbox;
                 if (!allowed) {
-                    // Echo the request's context (and ext, if present) onto the
-                    // refusal so callers can correlate. The comply_controller_mode_gate
-                    // storyboard (adcp#4028) asserts `context.correlation_id` is
-                    // returned unchanged on the FORBIDDEN response.
+                    // Refuse with the standard AdCP permission code once the
+                    // sandbox/mock principal can see the controller but the target
+                    // account is live or unresolved. Live principals never reach
+                    // this branch: they get MCP method-not-found above.
                     //
                     // `context` and `ext` are open-object on the request schema, so a
                     // hostile caller could stuff arbitrarily large payloads. Self-
@@ -905,18 +1003,65 @@ function createAdcpServerFromPlatform(platform, opts) {
                     };
                     const requestContext = safeEcho(input.context);
                     const requestExt = safeEcho(input.ext);
-                    return (0, test_controller_1.toMcpResponse)({
-                        status: 'failed',
-                        success: false,
-                        error: 'FORBIDDEN',
-                        error_detail: 'comply_test_controller requires a sandbox or mock account; ' +
-                            'resolved account is in live mode (or no account resolved).',
-                        ...(requestContext !== undefined && { context: requestContext }),
-                        ...(requestExt !== undefined && { ext: requestExt }),
+                    const response = (0, errors_1.adcpError)('PERMISSION_DENIED', {
+                        message: 'comply_test_controller requires a sandbox or mock target account; ' +
+                            'resolved target account is live or unresolved.',
+                        recovery: 'terminal',
+                        details: {
+                            scope: 'sandbox-gate',
+                            tool: 'comply_test_controller',
+                            reason: 'sandbox-or-mock-required',
+                        },
                     });
+                    if (requestContext !== undefined || requestExt !== undefined) {
+                        const structured = response.structuredContent;
+                        if (requestContext !== undefined)
+                            structured['context'] = requestContext;
+                        if (requestExt !== undefined)
+                            structured['ext'] = requestExt;
+                        response.content = [{ type: 'text', text: JSON.stringify(structured) }];
+                    }
+                    return response;
                 }
                 return controller.handle(input);
             }));
+            const wrappedToolsCall = (0, adcp_server_1.wrapSdkRequestHandler)(mcp, 'tools/call', async (orig, req, extra) => {
+                const params = (req.params ?? {});
+                if (params.name === 'comply_test_controller') {
+                    const input = params.arguments != null && typeof params.arguments === 'object'
+                        ? params.arguments
+                        : undefined;
+                    if (!(await resolveComplyControllerVisible(extra, 'comply_test_controller', input))) {
+                        throw new types_js_1.McpError(types_js_1.ErrorCode.MethodNotFound, 'Method not found');
+                    }
+                }
+                return orig(req, extra);
+            });
+            if (!wrappedToolsCall) {
+                throw new Error('createAdcpServerFromPlatform: failed to wrap MCP tools/call for comply_test_controller visibility. ' +
+                    'The MCP SDK request-handler internals may have changed.');
+            }
+            const wrappedToolsList = (0, adcp_server_1.wrapSdkRequestHandler)(mcp, 'tools/list', async (orig, req, extra) => {
+                const response = await orig(req, extra);
+                const input = req.params != null && typeof req.params === 'object'
+                    ? req.params
+                    : undefined;
+                if (await resolveComplyControllerVisible(extra, undefined, input))
+                    return response;
+                if (response == null || typeof response !== 'object')
+                    return response;
+                const tools = response.tools;
+                if (!Array.isArray(tools))
+                    return response;
+                return {
+                    ...response,
+                    tools: tools.filter(tool => tool?.name !== 'comply_test_controller'),
+                };
+            });
+            if (!wrappedToolsList) {
+                throw new Error('createAdcpServerFromPlatform: failed to wrap MCP tools/list for comply_test_controller visibility. ' +
+                    'The MCP SDK request-handler internals may have changed.');
+            }
         }
     }
     return Object.assign(server, {
@@ -1034,6 +1179,7 @@ function buildTasksGetTool(platform, taskRegistry, agentRegistry, logger) {
                     const resolved = await agentRegistry.resolve({
                         ...(extra?.authInfo?.credential !== undefined && { credential: extra.authInfo.credential }),
                         ...(extra?.authInfo?.extra !== undefined && { extra: extra.authInfo.extra }),
+                        input: args,
                     });
                     if (resolved != null) {
                         // Mirror the dispatcher's freeze contract: lock the resolved
@@ -1365,6 +1511,19 @@ function buildDefaultTaskRegistry() {
     }
     return (0, task_registry_1.createInMemoryTaskRegistry)();
 }
+function cloneAccountForRequest(account) {
+    try {
+        return structuredClone(account);
+    }
+    catch (cause) {
+        const publicError = new async_outcome_1.AdcpError('CONFIGURATION_ERROR', {
+            message: 'Resolved account is not safely cloneable for request-local auth refresh.',
+            recovery: 'terminal',
+        });
+        publicError.cause = cause;
+        throw publicError;
+    }
+}
 /** Auth codes that signal "credentials missing, refresh and retry once." */
 const REFRESHABLE_AUTH_CODES = new Set(['AUTH_REQUIRED', 'AUTH_MISSING']);
 /**
@@ -1372,16 +1531,16 @@ const REFRESHABLE_AUTH_CODES = new Set(['AUTH_REQUIRED', 'AUTH_MISSING']);
  * auth codes (`AUTH_REQUIRED` on 3.0.x sellers, `AUTH_MISSING` on 3.1+).
  * Without a refresh fn (or no `refresh` at all) this passes the call
  * through. With one, catches the refreshable code, calls `refresh.fn`,
- * mutates `account.authInfo.token` (and `expiresAt` if returned), and
- * retries the inner call exactly once.
+ * mutates or creates `account.authInfo` (including `expiresAt` when
+ * returned), and retries the inner call exactly once.
  *
  * `AUTH_INVALID` is intentionally NOT refreshed — it's terminal by
  * spec (credentials presented and rejected); refreshing creates the
  * SSO retry-storm pattern adcp#3730 split the code to prevent.
  *
  * Failure modes:
- *   - Refresh hook throws → re-throw `AUTH_REQUIRED` with `recovery: 'correctable'`
- *     so the buyer re-links via their UI.
+ *   - Refresh hook throws → re-throw legacy-compatible `AUTH_REQUIRED` with
+ *     `recovery: 'correctable'` so the buyer re-links via their UI.
  *   - Retried call throws a refreshable auth code again → bubble out
  *     (don't refresh a second time).
  */
@@ -1399,29 +1558,30 @@ async function runWithTokenRefresh(fn, refresh) {
         try {
             refreshed = await refresh.fn(refresh.account, 'auth_required');
         }
-        catch {
+        catch (cause) {
             // Refresh-fn exception text is intentionally NOT echoed on the wire
             // — upstream identity-provider error messages routinely embed
             // refresh-token prefixes, internal hostnames, OAuth provider error
             // codes, and stack-trace fragments. Adopters log details server-
             // side; the buyer gets a fixed message + correctable recovery
             // signaling they need to re-authorize.
-            throw new async_outcome_1.AdcpError('AUTH_REQUIRED', {
+            const publicError = new async_outcome_1.AdcpError('AUTH_REQUIRED', {
                 message: 'Token refresh failed; re-authentication required',
                 recovery: 'correctable',
             });
+            publicError.cause = cause;
+            throw publicError;
         }
-        // `authInfo` became optional in #1286. Token refresh only fires after an
-        // AUTH_REQUIRED throw — meaning an upstream call attempted to use a
-        // token, which means `authInfo` was populated before the throw.
-        // Defensive guard: if for some reason it isn't, the refreshed token
-        // still flows on the next request rather than crashing here.
-        if (refresh.account.authInfo) {
-            refresh.account.authInfo.token = refreshed.token;
-            if (refreshed.expiresAt !== undefined) {
-                refresh.account.authInfo.expiresAt = refreshed.expiresAt;
-            }
+        // `authInfo` became optional in #1286. A 3.1-native AUTH_MISSING can mean
+        // the upstream request had no usable credential at all, so attach the
+        // freshly minted OAuth-style token even when the resolver omitted
+        // account.authInfo.
+        const authInfo = refresh.account.authInfo ?? { kind: 'oauth' };
+        authInfo.token = refreshed.token;
+        if (refreshed.expiresAt !== undefined) {
+            authInfo.expiresAt = refreshed.expiresAt;
         }
+        refresh.account.authInfo = authInfo;
         return fn();
     }
 }
@@ -1430,9 +1590,9 @@ async function runWithTokenRefresh(fn, refresh) {
  * throws → wire `adcp_error` envelope; other thrown errors bubble to the
  * framework's `SERVICE_UNAVAILABLE` mapping.
  *
- * When `refresh` is provided and the call throws `AUTH_REQUIRED`, the
+ * When `refresh` is provided and the call throws a refreshable auth code, the
  * framework calls `refresh.fn(refresh.account, 'auth_required')`, updates
- * `account.authInfo.token`, and retries the platform method once.
+ * `account.authInfo`, and retries the platform method once.
  */
 async function projectSync(fn, mapResult, refresh) {
     try {
@@ -1871,7 +2031,7 @@ function makeCtxFor(ctxMetadataStore) {
 function toResolveCtx(ctx, toolName, input) {
     return {
         ...(ctx.authInfo !== undefined && { authInfo: ctx.authInfo }),
-        toolName,
+        ...(toolName !== undefined && { toolName }),
         ...(ctx.agent != null && { agent: ctx.agent }),
         ...(input != null && { input }),
     };
@@ -3050,7 +3210,7 @@ function buildSignalsHandlers(platform, ctxFor, ctxMetadataStore, logger) {
     };
 }
 /**
- * Adapt `SponsoredIntelligencePlatform` (v6 protocol-keyed shape) onto the v5
+ * Adapt `SponsoredIntelligencePlatform` (v6 platform-specialism shape) onto the v5
  * `SponsoredIntelligenceHandlers` handler-bag the dispatcher consumes.
  *
  * Auto-store on `initiateSession`: stash a session record keyed by
@@ -3332,6 +3492,136 @@ function buildGovernanceHandlers(platform, ctxFor) {
     }
     return handlers;
 }
+const BILLING_VALUES = ['operator', 'agent', 'advertiser'];
+function isBillingParty(value) {
+    return typeof value === 'string' && BILLING_VALUES.includes(value);
+}
+function isPaymentTerms(value) {
+    return typeof value === 'string';
+}
+function supportedBillingsFor(platform) {
+    const configured = platform.capabilities.supportedBillings;
+    return configured?.length ? configured : ['agent'];
+}
+function entryBrandOperator(entry) {
+    if (entry.brand !== undefined && typeof entry.operator === 'string') {
+        return { brand: entry.brand, operator: entry.operator };
+    }
+    const account = entry.account;
+    if (account !== undefined &&
+        'brand' in account &&
+        account.brand !== undefined &&
+        'operator' in account &&
+        typeof account.operator === 'string') {
+        return { brand: account.brand, operator: account.operator };
+    }
+    return undefined;
+}
+function entryHasAccountId(entry) {
+    if ((0, account_1.refAccountId)(entry) !== undefined)
+        return true;
+    return entry.account !== undefined && (0, account_1.refAccountId)(entry.account) !== undefined;
+}
+function failedSyncAccountRow(entry, error) {
+    const key = entryBrandOperator(entry);
+    if (key === undefined) {
+        throw new async_outcome_1.AdcpError(error.code, {
+            message: error.message,
+            recovery: error.recovery,
+            ...(error.field !== undefined && { field: error.field }),
+            ...(error.suggestion !== undefined && { suggestion: error.suggestion }),
+            ...(error.retry_after !== undefined && { retry_after: error.retry_after }),
+            ...(error.details !== undefined && { details: error.details }),
+        });
+    }
+    return {
+        brand: key.brand,
+        operator: key.operator,
+        action: 'failed',
+        status: 'rejected',
+        errors: [error],
+    };
+}
+function buildBillingNotSupportedError(opts) {
+    return new async_outcome_1.AdcpError('BILLING_NOT_SUPPORTED', {
+        message: `Billing value "${opts.requestedBilling}" is not supported for this account sync request.`,
+        recovery: 'correctable',
+        field: 'accounts[].billing',
+        ...(opts.exposeCapabilityScope && opts.supportedBillings !== undefined
+            ? { details: { scope: 'capability', supported_billing: [...opts.supportedBillings] } }
+            : {}),
+    }).toStructuredError();
+}
+function buildBillingNotPermittedError(agent, requestedBilling) {
+    const fallback = (0, buyer_agent_1.suggestBilling)(agent.billing_capabilities, requestedBilling);
+    return new async_outcome_1.AdcpError('BILLING_NOT_PERMITTED_FOR_AGENT', {
+        message: `Billing value "${requestedBilling}" is not permitted for this buyer agent.`,
+        recovery: 'correctable',
+        field: 'accounts[].billing',
+        details: {
+            rejected_billing: requestedBilling,
+            ...(fallback !== undefined && { suggested_billing: fallback }),
+        },
+    }).toStructuredError();
+}
+function enforceSyncAccountsCommercialPolicy(platform, params, resolveCtx) {
+    const entries = (params.accounts ?? []);
+    const supportedBillings = supportedBillingsFor(platform);
+    const supportedPaymentTerms = platform.capabilities.supportedPaymentTerms;
+    const failedRows = new Map();
+    const acceptedEntries = [];
+    entries.forEach((entry, index) => {
+        const hasBillableFields = entry.billing !== undefined || entry.payment_terms !== undefined || entry.billing_entity !== undefined;
+        if (hasBillableFields && entryBrandOperator(entry) === undefined && !entryHasAccountId(entry)) {
+            throw new async_outcome_1.AdcpError('BRAND_REQUIRED', {
+                message: 'Billable account sync entries require a brand reference or account_id.',
+                recovery: 'correctable',
+                field: `accounts[${index}].brand`,
+            });
+        }
+        let failure;
+        if (isBillingParty(entry.billing)) {
+            if (!supportedBillings.includes(entry.billing)) {
+                failure = buildBillingNotSupportedError({
+                    requestedBilling: entry.billing,
+                    supportedBillings,
+                    exposeCapabilityScope: true,
+                });
+            }
+            else if (platform.agentRegistry !== undefined && resolveCtx.agent === undefined) {
+                failure = buildBillingNotSupportedError({
+                    requestedBilling: entry.billing,
+                    exposeCapabilityScope: false,
+                });
+            }
+            else if (resolveCtx.agent !== undefined && !resolveCtx.agent.billing_capabilities.has(entry.billing)) {
+                failure = buildBillingNotPermittedError(resolveCtx.agent, entry.billing);
+            }
+        }
+        if (failure === undefined &&
+            supportedPaymentTerms !== undefined &&
+            supportedPaymentTerms.length > 0 &&
+            isPaymentTerms(entry.payment_terms) &&
+            !supportedPaymentTerms.includes(entry.payment_terms)) {
+            failure = new async_outcome_1.AdcpError('PAYMENT_TERMS_NOT_SUPPORTED', {
+                message: `Payment terms "${entry.payment_terms}" are not supported for this account sync request.`,
+                recovery: 'correctable',
+                field: `accounts[${index}].payment_terms`,
+            }).toStructuredError();
+        }
+        if (failure !== undefined) {
+            failedRows.set(index, failedSyncAccountRow(entry, failure));
+        }
+        else {
+            acceptedEntries.push(entry);
+        }
+    });
+    return {
+        acceptedEntries,
+        acceptedParams: { ...params, accounts: acceptedEntries },
+        failedRows,
+    };
+}
 function buildAccountHandlers(platform, ctxFor) {
     const accounts = platform.accounts;
     // Only emit framework-derived handlers for methods the platform actually
@@ -3347,9 +3637,30 @@ function buildAccountHandlers(platform, ctxFor) {
     const handlers = {};
     if (accounts.upsert) {
         handlers.syncAccounts = async (params, ctx) => {
-            const refs = (params.accounts ?? []);
             const resolveCtx = toResolveCtx(ctx, 'sync_accounts', params);
-            return projectSync(() => accounts.upsert(refs, resolveCtx), rows => ({ accounts: rows.map(account_1.toWireSyncAccountRow) }));
+            const policy = enforceSyncAccountsCommercialPolicy(platform, params, resolveCtx);
+            const dispatchCtx = policy.failedRows.size === 0 ? resolveCtx : toResolveCtx(ctx, 'sync_accounts', policy.acceptedParams);
+            return projectSync(() => policy.acceptedEntries.length > 0
+                ? accounts.upsert(policy.acceptedEntries, dispatchCtx)
+                : Promise.resolve([]), rows => {
+                if (policy.failedRows.size === 0) {
+                    return { accounts: rows.map(account_1.toWireSyncAccountRow) };
+                }
+                const combined = [];
+                let acceptedIndex = 0;
+                const originalCount = (params.accounts ?? []).length;
+                for (let index = 0; index < originalCount; index += 1) {
+                    const failed = policy.failedRows.get(index);
+                    if (failed !== undefined) {
+                        combined.push(failed);
+                    }
+                    else {
+                        combined.push(rows[acceptedIndex]);
+                        acceptedIndex += 1;
+                    }
+                }
+                return { accounts: combined.map(account_1.toWireSyncAccountRow) };
+            });
         };
     }
     if (accounts.syncGovernance) {
@@ -3394,8 +3705,12 @@ function buildAccountHandlers(platform, ctxFor) {
                     recovery: 'terminal',
                 });
             }
-            const toolCtx = { ...resolveCtx, account: resolved };
-            return projectSync(() => accounts.getAccountFinancials(params, toolCtx), r => r, accounts.refreshToken ? { account: resolved, fn: accounts.refreshToken.bind(accounts) } : undefined);
+            // Request-local clone: refreshToken mutates account.authInfo before the
+            // retry. Never write refreshed credentials onto a resolver-owned object;
+            // adopters sometimes cache Account rows between requests.
+            const account = cloneAccountForRequest(resolved);
+            const toolCtx = { ...resolveCtx, account };
+            return projectSync(() => accounts.getAccountFinancials(params, toolCtx), r => r, accounts.refreshToken ? { account, fn: accounts.refreshToken.bind(accounts) } : undefined);
         };
     }
     return handlers;