@miranda0808/maya-codex 0.1.0 → 0.1.2

package/payload/tools/meta/meta-fetch.ps1

@@ -1,324 +1,405 @@
-param(
-  [Parameter(Mandatory = $true)]
-  [ValidateSet('accounts', 'campaigns', 'adsets', 'ads', 'audiences')]
-  [string]$Resource,
-
-  [Parameter(Mandatory = $true)]
-  [string]$Action,
-
-  [string]$AccountId,
-  [string]$Id,
-  [string]$AdsetId,
-  [string]$DatePreset = 'last_30d',
-  [switch]$DryRun
-)
-
-$ErrorActionPreference = 'Stop'
-
-$allowedActions = @{
-  accounts = @('list')
-  campaigns = @('list', 'insights')
-  adsets = @('list')
-  ads = @('list')
-  audiences = @('list')
-}
-
-if (-not $allowedActions.ContainsKey($Resource) -or $Action -notin $allowedActions[$Resource]) {
-  throw "Unsupported operation '$Resource $Action'. Allowed read-only operations: accounts list, campaigns list|insights, adsets list, ads list, audiences list."
-}
-
-if (-not $env:META_ACCESS_TOKEN) {
-  throw 'META_ACCESS_TOKEN environment variable is required.'
-}
-
-$effectiveAccountId = if ($AccountId) { $AccountId } else { $env:META_AD_ACCOUNT_ID }
-
-switch ("$Resource/$Action") {
-  'campaigns/list' {
-    if (-not $effectiveAccountId) { throw 'META_AD_ACCOUNT_ID or -AccountId is required for campaigns list.' }
-  }
-  'campaigns/insights' {
-    if (-not $Id) { throw '-Id is required for campaigns insights.' }
-  }
-  'adsets/list' {
-    if (-not $effectiveAccountId) { throw 'META_AD_ACCOUNT_ID or -AccountId is required for adsets list.' }
-  }
-  'ads/list' {
-    if (-not $AdsetId) { throw '-AdsetId is required for ads list.' }
-  }
-  'audiences/list' {
-    if (-not $effectiveAccountId) { throw 'META_AD_ACCOUNT_ID or -AccountId is required for audiences list.' }
-  }
-}
-
-function Get-SafeAccountAlias([string]$Value) {
-  if (-not $Value) { return 'none' }
-  $trimmed = $Value.Trim()
-  if ($trimmed.Length -le 4) { return "acct-$trimmed" }
-  return "acct-***$($trimmed.Substring($trimmed.Length - 4))"
-}
-
-function Sanitize-Data($InputObject) {
-  if ($null -eq $InputObject) { return $null }
-
-  if ($InputObject -is [System.Collections.IDictionary]) {
-    $result = [ordered]@{}
-    foreach ($key in $InputObject.Keys) {
-      $keyText = [string]$key
-      $value = $InputObject[$key]
-      if ($keyText -match '(?i)authorization|access_token|token|secret|password|api[_-]?key') {
-        $result[$keyText] = '***'
-      } else {
-        $result[$keyText] = Sanitize-Data $value
-      }
-    }
-    return $result
-  }
-
-  if ($InputObject -is [pscustomobject]) {
-    $result = [ordered]@{}
-    foreach ($property in $InputObject.PSObject.Properties) {
-      $name = [string]$property.Name
-      $value = $property.Value
-      if ($name -match '(?i)authorization|access_token|token|secret|password|api[_-]?key') {
-        $result[$name] = '***'
-      } else {
-        $result[$name] = Sanitize-Data $value
-      }
-    }
-    return $result
-  }
-
-  if ($InputObject -is [System.Collections.IEnumerable] -and -not ($InputObject -is [string])) {
-    $items = @()
-    foreach ($item in $InputObject) {
-      $items += ,(Sanitize-Data $item)
-    }
-    return $items
-  }
-
-  if ($InputObject -is [string] -and $InputObject -eq $env:META_ACCESS_TOKEN) {
-    return '***'
-  }
-
-  return $InputObject
-}
-
-function Get-JsonKey($Object) {
-  return (($Object | ConvertTo-Json -Depth 20 -Compress) -replace '\s+', '')
-}
-
-function Get-RequestPolicy([string]$ResourceName, [string]$ActionName, [string]$Preset) {
-  if ($ResourceName -eq 'campaigns' -and $ActionName -eq 'insights') {
-    $safeClosedPresets = @('yesterday')
-    if ($Preset -notin $safeClosedPresets) {
-      return [ordered]@{
-        cache_bypass = $true
-        coverage_type = 'intraday'
-        is_complete = $false
-        ttl_minutes = 0
-      }
-    }
-
-    return [ordered]@{
-      cache_bypass = $false
-      coverage_type = 'complete_day'
-      is_complete = $true
-      ttl_minutes = 360
-    }
-  }
-
-  return [ordered]@{
-    cache_bypass = $false
-    coverage_type = 'complete_snapshot'
-    is_complete = $true
-    ttl_minutes = 15
-  }
-}
-
-$repoRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot)
-$cliPath = Join-Path $repoRoot 'tools\clis\meta-ads.js'
-$cacheRoot = Join-Path $repoRoot 'outputs\meta-cache'
-
-if (-not (Test-Path $cliPath)) {
-  throw "Vendored CLI not found at $cliPath"
-}
-
-$normalizedParams = [ordered]@{
-  resource = $Resource
-  action = $Action
-  account_id = if ($effectiveAccountId) { Get-SafeAccountAlias $effectiveAccountId } else { $null }
-  id = if ($Id) { $Id } else { '' }
-  adset_id = if ($AdsetId) { Get-SafeAccountAlias $AdsetId } else { $null }
-  date_preset = if ($Resource -eq 'campaigns' -and $Action -eq 'insights') { $DatePreset } else { $null }
-}
-$requestKey = Get-JsonKey $normalizedParams
-$policy = Get-RequestPolicy -ResourceName $Resource -ActionName $Action -Preset $DatePreset
-
-function Find-FreshCacheEntry {
-  param(
-    [string]$CacheDirectory,
-    [string]$WantedKey
-  )
-
-  if (-not (Test-Path $CacheDirectory)) {
-    return $null
-  }
-
-  $now = Get-Date
-  foreach ($file in Get-ChildItem $CacheDirectory -Filter '*.json' -File -ErrorAction SilentlyContinue) {
-    try {
-      $doc = Get-Content $file.FullName -Raw | ConvertFrom-Json
-    }
-    catch {
-      continue
-    }
-
-    if (-not $doc.normalized_params) {
-      continue
-    }
-
-    $docKey = Get-JsonKey (Sanitize-Data $doc.normalized_params)
-    if ($docKey -ne $WantedKey) {
-      continue
-    }
-
-    if (-not $doc.expires_at) {
-      continue
-    }
-
-    try {
-      $expiresAt = [datetimeoffset]::Parse([string]$doc.expires_at)
-    }
-    catch {
-      continue
-    }
-
-    if ($expiresAt -le [datetimeoffset]$now) {
-      continue
-    }
-
-    return [ordered]@{
-      file = $file.FullName
-      document = $doc
-    }
-  }
-
-  return $null
-}
-
-function Invoke-MetaCli {
-  param([switch]$UseDryRun)
-
-  $cliArgs = @($cliPath, $Resource, $Action)
-  if ($effectiveAccountId -and $Resource -in @('campaigns', 'adsets', 'audiences')) {
-    $cliArgs += @('--account-id', $effectiveAccountId)
-  }
-  if ($Id) {
-    $cliArgs += @('--id', $Id)
-  }
-  if ($AdsetId) {
-    $cliArgs += @('--adset-id', $AdsetId)
-  }
-  if ($Resource -eq 'campaigns' -and $Action -eq 'insights' -and $DatePreset) {
-    $cliArgs += @('--date-preset', $DatePreset)
-  }
-  if ($UseDryRun) {
-    $cliArgs += '--dry-run'
-  }
-
-  $rawOutput = & node @cliArgs 2>&1
-  $exitCode = $LASTEXITCODE
-  $textOutput = ($rawOutput | Out-String).Trim()
-
-  if ($exitCode -ne 0) {
-    $safeError = $textOutput -replace [regex]::Escape($env:META_ACCESS_TOKEN), '***'
-    throw "meta-ads.js failed: $safeError"
-  }
-
-  try {
-    return $textOutput | ConvertFrom-Json
-  }
-  catch {
-    throw "meta-ads.js returned non-JSON output: $textOutput"
-  }
-}
-
-function Build-Result {
-  param(
-    [string]$CacheStatus,
-    [string]$CoverageType,
-    [bool]$IsComplete,
-    [object]$Payload,
-    [string]$AsOf,
-    [string]$ExpiresAt,
-    [string]$CachePath
-  )
-
-  $result = [ordered]@{
-    source = 'meta-ads'
-    dry_run = [bool]$DryRun
-    cache_status = $CacheStatus
-    safe_account_alias = Get-SafeAccountAlias $effectiveAccountId
-    as_of = $AsOf
-    expires_at = $ExpiresAt
-    coverage_type = $CoverageType
-    is_complete = $IsComplete
-    normalized_params = $normalizedParams
-    payload = $Payload
-    forbidden_fields = @('authorization', 'access_token', 'token', 'secret', 'password', 'api_key')
-  }
-
-  if ($CachePath) {
-    $result['cache_path'] = $CachePath
-  }
-
-  return $result
-}
-
-$cacheEntry = $null
-if (-not $policy.cache_bypass) {
-  $cacheEntry = Find-FreshCacheEntry -CacheDirectory $cacheRoot -WantedKey $requestKey
-}
-
-if ($cacheEntry) {
-  $doc = $cacheEntry.document
-  $payload = Sanitize-Data $doc.payload
-  $result = Build-Result -CacheStatus 'hit' -CoverageType ([string]$doc.coverage_type) -IsComplete ([bool]$doc.is_complete) -Payload $payload -AsOf ([string]$doc.as_of) -ExpiresAt ([string]$doc.expires_at) -CachePath $cacheEntry.file
-  ($result | ConvertTo-Json -Depth 20)
-  exit 0
-}
-
-$livePayload = Sanitize-Data (Invoke-MetaCli -UseDryRun:$DryRun)
-$cacheStatus = if ($policy.cache_bypass) { 'bypass' } else { 'miss' }
-$asOf = (Get-Date).ToString('o')
-$expiresAt = if ($policy.ttl_minutes -gt 0) { (Get-Date).AddMinutes($policy.ttl_minutes).ToString('o') } else { $null }
-$cachePath = $null
-
-if (-not $DryRun -and -not $policy.cache_bypass) {
-  New-Item -ItemType Directory -Force -Path $cacheRoot | Out-Null
-  $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
-  $fileName = "meta-$Resource-$Action-$stamp.json"
-  $cachePath = Join-Path $cacheRoot $fileName
-
-  $cacheDocument = [ordered]@{
-    schema_version = 1
-    source = 'meta-ads'
-    cache_status = $cacheStatus
-    safe_account_alias = Get-SafeAccountAlias $effectiveAccountId
-    as_of = $asOf
-    fetched_at = $asOf
-    expires_at = $expiresAt
-    coverage_type = $policy.coverage_type
-    is_complete = $policy.is_complete
-    date_range = if ($Resource -eq 'campaigns' -and $Action -eq 'insights') { @{ date_preset = $DatePreset } } else { $null }
-    normalized_params = $normalizedParams
-    forbidden_fields = @('authorization', 'access_token', 'token', 'secret', 'password', 'api_key')
-    payload = $livePayload
-  }
-
-  ($cacheDocument | ConvertTo-Json -Depth 20) | Set-Content $cachePath
-}
-
-$result = Build-Result -CacheStatus $cacheStatus -CoverageType $policy.coverage_type -IsComplete $policy.is_complete -Payload $livePayload -AsOf $asOf -ExpiresAt $expiresAt -CachePath $cachePath
+param(
+  [Parameter(Mandatory = $true)]
+  [ValidateSet('accounts', 'campaigns', 'adsets', 'ads', 'audiences')]
+  [string]$Resource,
+
+  [Parameter(Mandatory = $true)]
+  [string]$Action,
+
+  [string]$AccountId,
+  [string]$Id,
+  [string]$AdsetId,
+  [string]$DatePreset = 'last_30d',
+  [switch]$DryRun
+)
+
+$ErrorActionPreference = 'Stop'
+
+$allowedActions = @{
+  accounts = @('list')
+  campaigns = @('list', 'insights')
+  adsets = @('list')
+  ads = @('list')
+  audiences = @('list')
+}
+
+if (-not $allowedActions.ContainsKey($Resource) -or $Action -notin $allowedActions[$Resource]) {
+  throw "Unsupported operation '$Resource $Action'. Allowed read-only operations: accounts list, campaigns list|insights, adsets list, ads list, audiences list."
+}
+
+function Read-EnvFile([string]$Path) {
+  $values = [ordered]@{}
+
+  if (-not (Test-Path $Path)) {
+    return $values
+  }
+
+  $content = Get-Content $Path -Raw
+  $normalized = $content -replace "`r`n?", "`n"
+
+  foreach ($line in ($normalized -split "`n")) {
+    $trimmed = $line.Trim()
+    if (-not $trimmed -or $trimmed.StartsWith('#')) {
+      continue
+    }
+
+    $separatorIndex = $trimmed.IndexOf('=')
+    if ($separatorIndex -lt 1) {
+      continue
+    }
+
+    $key = $trimmed.Substring(0, $separatorIndex).Trim()
+    $value = $trimmed.Substring($separatorIndex + 1).Trim()
+
+    if (($value.StartsWith('"') -and $value.EndsWith('"')) -or ($value.StartsWith("'") -and $value.EndsWith("'"))) {
+      $value = $value.Substring(1, $value.Length - 2)
+    }
+
+    $values[$key] = $value
+  }
+
+  return $values
+}
+
+function Resolve-MetaEnv([string]$WorkspaceRoot) {
+  $metaKeys = @('META_ACCESS_TOKEN', 'META_AD_ACCOUNT_ID')
+  $mergedValues = [ordered]@{}
+
+  foreach ($envPath in @((Join-Path $WorkspaceRoot '.env'), (Join-Path $WorkspaceRoot '.env.local'))) {
+    $fileValues = Read-EnvFile $envPath
+    foreach ($metaKey in $metaKeys) {
+      if ($fileValues.Contains($metaKey)) {
+        $mergedValues[$metaKey] = [string]$fileValues[$metaKey]
+      }
+    }
+  }
+
+  return [ordered]@{
+    access_token = if (-not [string]::IsNullOrWhiteSpace($env:META_ACCESS_TOKEN)) {
+      $env:META_ACCESS_TOKEN
+    } elseif ($mergedValues.Contains('META_ACCESS_TOKEN')) {
+      [string]$mergedValues['META_ACCESS_TOKEN']
+    } else {
+      $null
+    }
+    ad_account_id = if (-not [string]::IsNullOrWhiteSpace($env:META_AD_ACCOUNT_ID)) {
+      $env:META_AD_ACCOUNT_ID
+    } elseif ($mergedValues.Contains('META_AD_ACCOUNT_ID')) {
+      [string]$mergedValues['META_AD_ACCOUNT_ID']
+    } else {
+      $null
+    }
+  }
+}
+
+$repoRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot)
+$metaConfig = Resolve-MetaEnv -WorkspaceRoot $repoRoot
+$metaAccessToken = [string]$metaConfig.access_token
+$defaultMetaAccountId = [string]$metaConfig.ad_account_id
+
+if (-not $metaAccessToken) {
+  throw 'META_ACCESS_TOKEN environment variable is required.'
+}
+
+$effectiveAccountId = if ($AccountId) { $AccountId } else { $defaultMetaAccountId }
+
+switch ("$Resource/$Action") {
+  'campaigns/list' {
+    if (-not $effectiveAccountId) { throw 'META_AD_ACCOUNT_ID or -AccountId is required for campaigns list.' }
+  }
+  'campaigns/insights' {
+    if (-not $Id) { throw '-Id is required for campaigns insights.' }
+  }
+  'adsets/list' {
+    if (-not $effectiveAccountId) { throw 'META_AD_ACCOUNT_ID or -AccountId is required for adsets list.' }
+  }
+  'ads/list' {
+    if (-not $AdsetId) { throw '-AdsetId is required for ads list.' }
+  }
+  'audiences/list' {
+    if (-not $effectiveAccountId) { throw 'META_AD_ACCOUNT_ID or -AccountId is required for audiences list.' }
+  }
+}
+
+function Get-SafeAccountAlias([string]$Value) {
+  if (-not $Value) { return 'none' }
+  $trimmed = $Value.Trim()
+  if ($trimmed.Length -le 4) { return "acct-$trimmed" }
+  return "acct-***$($trimmed.Substring($trimmed.Length - 4))"
+}
+
+function Sanitize-Data($InputObject) {
+  if ($null -eq $InputObject) { return $null }
+
+  if ($InputObject -is [System.Collections.IDictionary]) {
+    $result = [ordered]@{}
+    foreach ($key in $InputObject.Keys) {
+      $keyText = [string]$key
+      $value = $InputObject[$key]
+      if ($keyText -match '(?i)authorization|access_token|token|secret|password|api[_-]?key') {
+        $result[$keyText] = '***'
+      } else {
+        $result[$keyText] = Sanitize-Data $value
+      }
+    }
+    return $result
+  }
+
+  if ($InputObject -is [pscustomobject]) {
+    $result = [ordered]@{}
+    foreach ($property in $InputObject.PSObject.Properties) {
+      $name = [string]$property.Name
+      $value = $property.Value
+      if ($name -match '(?i)authorization|access_token|token|secret|password|api[_-]?key') {
+        $result[$name] = '***'
+      } else {
+        $result[$name] = Sanitize-Data $value
+      }
+    }
+    return $result
+  }
+
+  if ($InputObject -is [System.Collections.IEnumerable] -and -not ($InputObject -is [string])) {
+    $items = @()
+    foreach ($item in $InputObject) {
+      $items += ,(Sanitize-Data $item)
+    }
+    return $items
+  }
+
+  if ($InputObject -is [string] -and $InputObject -eq $metaAccessToken) {
+    return '***'
+  }
+
+  return $InputObject
+}
+
+function Get-JsonKey($Object) {
+  return (($Object | ConvertTo-Json -Depth 20 -Compress) -replace '\s+', '')
+}
+
+function Get-RequestPolicy([string]$ResourceName, [string]$ActionName, [string]$Preset) {
+  if ($ResourceName -eq 'campaigns' -and $ActionName -eq 'insights') {
+    $safeClosedPresets = @('yesterday')
+    if ($Preset -notin $safeClosedPresets) {
+      return [ordered]@{
+        cache_bypass = $true
+        coverage_type = 'intraday'
+        is_complete = $false
+        ttl_minutes = 0
+      }
+    }
+
+    return [ordered]@{
+      cache_bypass = $false
+      coverage_type = 'complete_day'
+      is_complete = $true
+      ttl_minutes = 360
+    }
+  }
+
+  return [ordered]@{
+    cache_bypass = $false
+    coverage_type = 'complete_snapshot'
+    is_complete = $true
+    ttl_minutes = 15
+  }
+}
+
+$cliPath = Join-Path $repoRoot 'tools\clis\meta-ads.js'
+$cacheRoot = Join-Path $repoRoot 'outputs\meta-cache'
+
+if (-not (Test-Path $cliPath)) {
+  throw "Vendored CLI not found at $cliPath"
+}
+
+$normalizedParams = [ordered]@{
+  resource = $Resource
+  action = $Action
+  account_id = if ($effectiveAccountId) { Get-SafeAccountAlias $effectiveAccountId } else { $null }
+  id = if ($Id) { $Id } else { '' }
+  adset_id = if ($AdsetId) { Get-SafeAccountAlias $AdsetId } else { $null }
+  date_preset = if ($Resource -eq 'campaigns' -and $Action -eq 'insights') { $DatePreset } else { $null }
+}
+$requestKey = Get-JsonKey $normalizedParams
+$policy = Get-RequestPolicy -ResourceName $Resource -ActionName $Action -Preset $DatePreset
+
+function Find-FreshCacheEntry {
+  param(
+    [string]$CacheDirectory,
+    [string]$WantedKey
+  )
+
+  if (-not (Test-Path $CacheDirectory)) {
+    return $null
+  }
+
+  $now = Get-Date
+  foreach ($file in Get-ChildItem $CacheDirectory -Filter '*.json' -File -ErrorAction SilentlyContinue) {
+    try {
+      $doc = Get-Content $file.FullName -Raw | ConvertFrom-Json
+    }
+    catch {
+      continue
+    }
+
+    if (-not $doc.normalized_params) {
+      continue
+    }
+
+    $docKey = Get-JsonKey (Sanitize-Data $doc.normalized_params)
+    if ($docKey -ne $WantedKey) {
+      continue
+    }
+
+    if (-not $doc.expires_at) {
+      continue
+    }
+
+    try {
+      $expiresAt = [datetimeoffset]::Parse([string]$doc.expires_at)
+    }
+    catch {
+      continue
+    }
+
+    if ($expiresAt -le [datetimeoffset]$now) {
+      continue
+    }
+
+    return [ordered]@{
+      file = $file.FullName
+      document = $doc
+    }
+  }
+
+  return $null
+}
+
+function Invoke-MetaCli {
+  param([switch]$UseDryRun)
+
+  $cliArgs = @($cliPath, $Resource, $Action)
+  if ($effectiveAccountId -and $Resource -in @('campaigns', 'adsets', 'audiences')) {
+    $cliArgs += @('--account-id', $effectiveAccountId)
+  }
+  if ($Id) {
+    $cliArgs += @('--id', $Id)
+  }
+  if ($AdsetId) {
+    $cliArgs += @('--adset-id', $AdsetId)
+  }
+  if ($Resource -eq 'campaigns' -and $Action -eq 'insights' -and $DatePreset) {
+    $cliArgs += @('--date-preset', $DatePreset)
+  }
+  if ($UseDryRun) {
+    $cliArgs += '--dry-run'
+  }
+
+  $previousToken = [Environment]::GetEnvironmentVariable('META_ACCESS_TOKEN', 'Process')
+  $previousAccount = [Environment]::GetEnvironmentVariable('META_AD_ACCOUNT_ID', 'Process')
+
+  try {
+    [Environment]::SetEnvironmentVariable('META_ACCESS_TOKEN', $metaAccessToken, 'Process')
+    [Environment]::SetEnvironmentVariable('META_AD_ACCOUNT_ID', $defaultMetaAccountId, 'Process')
+
+    $rawOutput = & node @cliArgs 2>&1
+    $exitCode = $LASTEXITCODE
+    $textOutput = ($rawOutput | Out-String).Trim()
+
+    if ($exitCode -ne 0) {
+      $safeError = $textOutput -replace [regex]::Escape($metaAccessToken), '***'
+      throw "meta-ads.js failed: $safeError"
+    }
+
+    try {
+      return $textOutput | ConvertFrom-Json
+    }
+    catch {
+      throw "meta-ads.js returned non-JSON output: $textOutput"
+    }
+  }
+  finally {
+    [Environment]::SetEnvironmentVariable('META_ACCESS_TOKEN', $previousToken, 'Process')
+    [Environment]::SetEnvironmentVariable('META_AD_ACCOUNT_ID', $previousAccount, 'Process')
+  }
+}
+
+function Build-Result {
+  param(
+    [string]$CacheStatus,
+    [string]$CoverageType,
+    [bool]$IsComplete,
+    [object]$Payload,
+    [string]$AsOf,
+    [string]$ExpiresAt,
+    [string]$CachePath
+  )
+
+  $result = [ordered]@{
+    source = 'meta-ads'
+    dry_run = [bool]$DryRun
+    cache_status = $CacheStatus
+    safe_account_alias = Get-SafeAccountAlias $effectiveAccountId
+    as_of = $AsOf
+    expires_at = $ExpiresAt
+    coverage_type = $CoverageType
+    is_complete = $IsComplete
+    normalized_params = $normalizedParams
+    payload = $Payload
+    forbidden_fields = @('authorization', 'access_token', 'token', 'secret', 'password', 'api_key')
+  }
+
+  if ($CachePath) {
+    $result['cache_path'] = $CachePath
+  }
+
+  return $result
+}
+
+$cacheEntry = $null
+if (-not $policy.cache_bypass) {
+  $cacheEntry = Find-FreshCacheEntry -CacheDirectory $cacheRoot -WantedKey $requestKey
+}
+
+if ($cacheEntry) {
+  $doc = $cacheEntry.document
+  $payload = Sanitize-Data $doc.payload
+  $result = Build-Result -CacheStatus 'hit' -CoverageType ([string]$doc.coverage_type) -IsComplete ([bool]$doc.is_complete) -Payload $payload -AsOf ([string]$doc.as_of) -ExpiresAt ([string]$doc.expires_at) -CachePath $cacheEntry.file
+  ($result | ConvertTo-Json -Depth 20)
+  exit 0
+}
+
+$livePayload = Sanitize-Data (Invoke-MetaCli -UseDryRun:$DryRun)
+$cacheStatus = if ($policy.cache_bypass) { 'bypass' } else { 'miss' }
+$asOf = (Get-Date).ToString('o')
+$expiresAt = if ($policy.ttl_minutes -gt 0) { (Get-Date).AddMinutes($policy.ttl_minutes).ToString('o') } else { $null }
+$cachePath = $null
+
+if (-not $DryRun -and -not $policy.cache_bypass) {
+  New-Item -ItemType Directory -Force -Path $cacheRoot | Out-Null
+  $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
+  $fileName = "meta-$Resource-$Action-$stamp.json"
+  $cachePath = Join-Path $cacheRoot $fileName
+
+  $cacheDocument = [ordered]@{
+    schema_version = 1
+    source = 'meta-ads'
+    cache_status = $cacheStatus
+    safe_account_alias = Get-SafeAccountAlias $effectiveAccountId
+    as_of = $asOf
+    fetched_at = $asOf
+    expires_at = $expiresAt
+    coverage_type = $policy.coverage_type
+    is_complete = $policy.is_complete
+    date_range = if ($Resource -eq 'campaigns' -and $Action -eq 'insights') { @{ date_preset = $DatePreset } } else { $null }
+    normalized_params = $normalizedParams
+    forbidden_fields = @('authorization', 'access_token', 'token', 'secret', 'password', 'api_key')
+    payload = $livePayload
+  }
+
+  ($cacheDocument | ConvertTo-Json -Depth 20) | Set-Content $cachePath
+}
+
+$result = Build-Result -CacheStatus $cacheStatus -CoverageType $policy.coverage_type -IsComplete $policy.is_complete -Payload $livePayload -AsOf $asOf -ExpiresAt $expiresAt -CachePath $cachePath
 ($result | ConvertTo-Json -Depth 20)