@ppcassist/amazon-ads-mcp 1.0.7 → 1.1.0

package/README.md

@@ -1,28 +1,80 @@
 # @ppcassist/amazon-ads-mcp
 
-Local MCP proxy for the Amazon Ads API. Sits between Claude Desktop and Amazon's official Advertising MCP server, handling OAuth authentication and token refresh automatically.
+Local MCP proxy for the Amazon Ads API. Sits between Claude Desktop and Amazon's official Advertising MCP server, handling OAuth authentication and access-token refresh automatically.
 
 ## How it works
 
 1. On startup, exchanges your refresh token for an access token via Amazon OAuth
-2. Auto-refreshes the token every 50 minutes
+2. Auto-refreshes the token every 50 minutes (plus an on-the-fly retry if Amazon returns 401)
 3. Proxies all MCP requests from Claude Desktop to the Amazon Ads MCP server
-4. Injects required authentication headers on every request
+4. Injects the required authentication headers on every request
 5. Streams SSE responses back to Claude without buffering
 
-## Prerequisites
+## Quick start
 
-You need Amazon Ads API credentials:
+```
+npx @ppcassist/amazon-ads-mcp setup
+```
+
+The setup command handles the OAuth flow end-to-end, asks whether you want **flexible mode** (operate across all your marketplaces) or **pinned mode** (lock to one marketplace), fetches your advertiser accounts, and writes the Claude Desktop config for you.
+
+Restart Claude Desktop after setup completes.
+
+## Operating modes
+
+The proxy supports the two account-context modes defined by Amazon's MCP server.
+
+### Flexible mode (default)
+
+No scope is pinned in the config. Claude picks the account and marketplace at runtime, per question. Best if you manage multiple marketplaces or multiple accounts.
+
+Config written by `setup`:
+
+```json
+{
+  "CLIENT_ID": "amzn1.application-oa2-client...",
+  "CLIENT_SECRET": "...",
+  "REFRESH_TOKEN": "Atzr|...",
+  "REGION": "EU"
+}
+```
+
+### Pinned mode
+
+One marketplace profile is locked in. Every tool call is scoped to that profile. Simpler mental model if you only manage one marketplace.
+
+Config written by `setup`:
 
-- **CLIENT_ID** - Your Amazon Ads API client ID (Login with Amazon)
-- **CLIENT_SECRET** - Your Amazon Ads API client secret
-- **REFRESH_TOKEN** - OAuth refresh token for your Amazon Ads account
-- **PROFILE_ID** - Your Amazon Advertising profile ID
-- **REGION** - One of `EU`, `NA`, or `FE`
+```json
+{
+  "CLIENT_ID": "amzn1.application-oa2-client...",
+  "CLIENT_SECRET": "...",
+  "REFRESH_TOKEN": "Atzr|...",
+  "PROFILE_ID": "1234567890",
+  "ACCOUNT_ID": "amzn1.ads-account.g.xxxxxxxxx",
+  "REGION": "EU"
+}
+```
+
+## Environment variables
 
-## Setup with Claude Desktop
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `CLIENT_ID` | yes | Your Amazon LWA application client id |
+| `CLIENT_SECRET` | yes | Your Amazon LWA application client secret |
+| `REFRESH_TOKEN` | yes | OAuth refresh token for an Amazon Ads user |
+| `REGION` | yes | `NA`, `EU`, or `FE` |
+| `PROFILE_ID` | optional | Amazon Advertising profile id — sent as `Amazon-Advertising-API-Scope` |
+| `ACCOUNT_ID` | optional | Global advertiser account id — sent as `Amazon-Ads-AccountID` (needed for the reporting tools) |
+| `MANAGER_ACCOUNT_ID` | optional | Sent as `Amazon-Ads-Manager-AccountID` |
 
-Add to your Claude Desktop configuration (`claude_desktop_config.json`):
+If **any** of `PROFILE_ID` / `ACCOUNT_ID` / `MANAGER_ACCOUNT_ID` is set, the proxy operates in **fixed account context** (sending `Amazon-Ads-AI-Account-Selection-Mode: FIXED`). If none are set, the proxy operates in **dynamic account context**, and Claude passes account identifiers per tool call.
+
+> **Note**: the Amazon reporting tools require `Amazon-Ads-AccountID` to be present. In pinned mode, `setup` writes both `PROFILE_ID` and `ACCOUNT_ID` for you so both campaign tools and reporting tools work out of the box.
+
+## Manual configuration
+
+If you prefer to edit your Claude Desktop config by hand:
 
 ```json
 {
@@ -34,7 +86,6 @@ Add to your Claude Desktop configuration (`claude_desktop_config.json`):
         "CLIENT_ID": "amzn1.application-oa2-client.xxxxx",
         "CLIENT_SECRET": "your-client-secret",
         "REFRESH_TOKEN": "Atzr|your-refresh-token",
-        "PROFILE_ID": "your-profile-id",
         "REGION": "EU"
       }
     }
@@ -42,26 +93,49 @@ Add to your Claude Desktop configuration (`claude_desktop_config.json`):
 }
 ```
 
+Add `PROFILE_ID` / `ACCOUNT_ID` / `MANAGER_ACCOUNT_ID` to `env` to pin a scope.
+
 ## Supported regions
 
-| Region | Endpoint |
-|--------|----------|
+| Region | Amazon Ads MCP endpoint |
+|--------|-------------------------|
 | NA | `https://advertising-ai.amazon.com/mcp` |
 | EU | `https://advertising-ai-eu.amazon.com/mcp` |
 | FE | `https://advertising-ai-fe.amazon.com/mcp` |
 
+Amazon's endpoints are region-scoped — use the one that matches your marketplaces.
+
 ## How it proxies
 
-All MCP JSON-RPC messages (`initialize`, `tools/list`, `tools/call`, etc.) are forwarded to Amazon's MCP server with these headers injected:
+All MCP JSON-RPC messages (`initialize`, `tools/list`, `tools/call`, …) are forwarded to Amazon's MCP server with these headers injected:
 
 - `Authorization: Bearer <access_token>`
 - `Amazon-Ads-ClientId: <CLIENT_ID>`
-- `Amazon-Advertising-API-Scope: <PROFILE_ID>`
-- `Amazon-Ads-AI-Account-Selection-Mode: FIXED`
 - `Accept: application/json, text/event-stream`
+- `Amazon-Advertising-API-Scope: <PROFILE_ID>` *(if set)*
+- `Amazon-Ads-AccountID: <ACCOUNT_ID>` *(if set)*
+- `Amazon-Ads-Manager-AccountID: <MANAGER_ACCOUNT_ID>` *(if set)*
+- `Amazon-Ads-AI-Account-Selection-Mode: FIXED` *(if any scope header is set)*
 
 Responses (including SSE streams) are forwarded back to Claude as-is.
 
+## Troubleshooting
+
+**"The provided account identifier header is not supported for this tool"**
+The tool you called requires a different scope header than what you have configured. The most common case is calling a reporting tool with only `PROFILE_ID` set. Add `ACCOUNT_ID` to your config, or re-run `setup` and pick pinned mode (which writes both).
+
+**"400 Bad Request — redirect URI not whitelisted"**
+During `setup`, Amazon rejected the OAuth callback URL. In your LWA Security Profile → Web Settings → Allowed Return URLs, add:
+
+```
+http://localhost:8080/callback
+http://localhost:8081/callback
+http://localhost:8082/callback
+```
+
+**Token refresh failed after the 50-minute timer**
+The proxy will retry once on a 401 before giving up. If it persists, check that your refresh token hasn't been revoked and that your LWA app still has the `advertising::campaign_management` scope granted.
+
 ## License
 
 MIT

package/index.js

@@ -24,9 +24,15 @@ if (process.argv[2] === "setup") {
     const clientId = requireEnv("CLIENT_ID");
     const clientSecret = requireEnv("CLIENT_SECRET");
     const refreshToken = requireEnv("REFRESH_TOKEN");
-    const profileId = requireEnv("PROFILE_ID");
     const region = requireEnv("REGION");
 
+    // All scope identifiers are optional. Any combination is valid.
+    //   - None set  -> Dynamic Account Context mode (Claude picks per call)
+    //   - One+ set  -> Fixed Account Context mode (headers pin the scope)
+    const profileId = process.env.PROFILE_ID || null;
+    const accountId = process.env.ACCOUNT_ID || null;
+    const managerAccountId = process.env.MANAGER_ACCOUNT_ID || null;
+
     const tokenManager = new TokenManager({ clientId, clientSecret, refreshToken });
     try {
       await tokenManager.init();
@@ -35,9 +41,17 @@ if (process.argv[2] === "setup") {
       process.exit(1);
     }
 
-    const proxy = new McpProxy({ tokenManager, clientId, profileId, region });
+    const proxy = new McpProxy({
+      tokenManager,
+      clientId,
+      region,
+      profileId,
+      accountId,
+      managerAccountId,
+    });
 
-    log(`Started (region=${region})`);
+    const mode = proxy.hasFixedScope() ? "FIXED" : "DYNAMIC";
+    log(`Started (region=${region}, mode=${mode})`);
 
     let buffer = "";
 

package/lib/proxy.js

@@ -6,11 +6,19 @@ const ENDPOINTS = {
   FE: "https://advertising-ai-fe.amazon.com/mcp",
 };
 
+const REQUEST_TIMEOUT_MS = 30 * 1000;
+
 class McpProxy {
-  constructor({ tokenManager, clientId, profileId, region }) {
+  constructor({ tokenManager, clientId, region, profileId, accountId, managerAccountId }) {
     this.tokenManager = tokenManager;
     this.clientId = clientId;
-    this.profileId = profileId;
+    // All three scope identifiers are optional. Any combination is valid.
+    // If NONE are set, the proxy runs in Amazon's Dynamic Account Context mode
+    // (the MCP server expects account identifiers to be passed in the request
+    // body by the LLM per tool call, and the FIXED header is omitted).
+    this.profileId = profileId || null;
+    this.accountId = accountId || null;
+    this.managerAccountId = managerAccountId || null;
 
     const endpoint = ENDPOINTS[region.toUpperCase()];
     if (!endpoint) {
@@ -19,6 +27,10 @@ class McpProxy {
     this.endpoint = new URL(endpoint);
   }
 
+  hasFixedScope() {
+    return Boolean(this.profileId || this.accountId || this.managerAccountId);
+  }
+
   async forward(jsonRpcRequest, _isRetry) {
     const result = await this._doRequest(jsonRpcRequest);
 
@@ -32,23 +44,47 @@ class McpProxy {
     return result;
   }
 
+  _buildHeaders(bodyLength) {
+    const token = this.tokenManager.getToken();
+
+    const headers = {
+      "Content-Type": "application/json",
+      "Content-Length": bodyLength,
+      Authorization: `Bearer ${token}`,
+      "Amazon-Ads-ClientId": this.clientId,
+      Accept: "application/json, text/event-stream",
+    };
+
+    // Inject only scope headers that are actually configured.
+    // Amazon's doc: "not all three account identifier headers need to be
+    // included, but at least one is required" when FIXED mode is used.
+    if (this.profileId) {
+      headers["Amazon-Advertising-API-Scope"] = this.profileId;
+    }
+    if (this.accountId) {
+      headers["Amazon-Ads-AccountID"] = this.accountId;
+    }
+    if (this.managerAccountId) {
+      headers["Amazon-Ads-Manager-AccountID"] = this.managerAccountId;
+    }
+    // FIXED mode is signaled only when at least one scope identifier is set.
+    // Omitting this header puts the server in Dynamic Account Context mode,
+    // where the LLM is expected to pass account identifiers in each tool call.
+    if (this.hasFixedScope()) {
+      headers["Amazon-Ads-AI-Account-Selection-Mode"] = "FIXED";
+    }
+
+    return headers;
+  }
+
   _doRequest(jsonRpcRequest) {
     const body = JSON.stringify(jsonRpcRequest);
-    const token = this.tokenManager.getToken();
 
     const options = {
       hostname: this.endpoint.hostname,
       path: this.endpoint.pathname,
       method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Content-Length": Buffer.byteLength(body),
-        Authorization: `Bearer ${token}`,
-        "Amazon-Ads-ClientId": this.clientId,
-        "Amazon-Advertising-API-Scope": this.profileId,
-        "Amazon-Ads-AI-Account-Selection-Mode": "FIXED",
-        Accept: "application/json, text/event-stream",
-      },
+      headers: this._buildHeaders(Buffer.byteLength(body)),
     };
 
     return new Promise((resolve, reject) => {
@@ -57,7 +93,7 @@ class McpProxy {
         const isSSE = contentType.includes("text/event-stream");
 
         if (isSSE) {
-          resolve({ type: "stream", stream: res });
+          resolve({ type: "stream", stream: res, statusCode: res.statusCode });
         } else {
           let chunks = [];
           res.on("data", (chunk) => chunks.push(chunk));
@@ -72,6 +108,9 @@ class McpProxy {
         }
       });
 
+      req.setTimeout(REQUEST_TIMEOUT_MS, () => {
+        req.destroy(new Error(`Upstream request timed out after ${REQUEST_TIMEOUT_MS}ms`));
+      });
       req.on("error", reject);
       req.write(body);
       req.end();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ppcassist/amazon-ads-mcp",
-  "version": "1.0.7",
-  "description": "Local MCP proxy for Amazon Ads API - authenticates and forwards requests to Amazon's official MCP server",
+  "version": "1.1.0",
+  "description": "Local MCP proxy for Amazon Ads API — handles OAuth refresh, supports flexible (dynamic) and pinned (fixed) account modes",
   "main": "index.js",
   "bin": {
     "amazon-ads-mcp": "./index.js"

package/setup.js

@@ -11,7 +11,14 @@ const CALLBACK_PATH = "/callback";
 
 const OAUTH_AUTHORIZE_URL = "https://www.amazon.com/ap/oa";
 const OAUTH_TOKEN_URL = "https://api.amazon.com/auth/o2/token";
-const PROFILES_URL = "https://advertising-api-eu.amazon.com/v2/profiles";
+
+// Per-region endpoints for Amazon Ads API. The setup probes all three to
+// discover which region(s) this LWA app has access to.
+const REGION_HOSTS = {
+  NA: "advertising-api.amazon.com",
+  EU: "advertising-api-eu.amazon.com",
+  FE: "advertising-api-fe.amazon.com",
+};
 
 const TIMEOUT_MS = 2 * 60 * 1000; // 2 minutes
 
@@ -88,61 +95,29 @@ function openBrowser(url) {
   });
 }
 
-function httpPost(urlStr, body, headers) {
+function httpRequest({ hostname, path: reqPath, method, headers, body }) {
   return new Promise((resolve, reject) => {
-    const url = new URL(urlStr);
     const options = {
-      hostname: url.hostname,
-      path: url.pathname,
-      method: "POST",
+      hostname,
+      path: reqPath,
+      method,
       headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        "Content-Length": Buffer.byteLength(body),
+        ...(body ? { "Content-Length": Buffer.byteLength(body) } : {}),
         ...headers,
       },
     };
-
     const req = https.request(options, (res) => {
       let chunks = [];
       res.on("data", (c) => chunks.push(c));
       res.on("end", () => {
         const raw = Buffer.concat(chunks).toString();
-        try {
-          resolve(JSON.parse(raw));
-        } catch {
-          reject(new Error(`Invalid JSON from ${urlStr}: ${raw.slice(0, 200)}`));
-        }
-      });
-    });
-    req.on("error", reject);
-    req.write(body);
-    req.end();
-  });
-}
-
-function httpGet(urlStr, headers) {
-  return new Promise((resolve, reject) => {
-    const url = new URL(urlStr);
-    const options = {
-      hostname: url.hostname,
-      path: url.pathname + url.search,
-      method: "GET",
-      headers,
-    };
-
-    const req = https.request(options, (res) => {
-      let chunks = [];
-      res.on("data", (c) => chunks.push(c));
-      res.on("end", () => {
-        const raw = Buffer.concat(chunks).toString();
-        try {
-          resolve(JSON.parse(raw));
-        } catch {
-          reject(new Error(`Invalid JSON from ${urlStr}: ${raw.slice(0, 200)}`));
-        }
+        let parsed = null;
+        try { parsed = raw ? JSON.parse(raw) : null; } catch { /* keep raw */ }
+        resolve({ statusCode: res.statusCode, raw, json: parsed });
       });
     });
     req.on("error", reject);
+    if (body) req.write(body);
     req.end();
   });
 }
@@ -157,19 +132,7 @@ function getConfigPath() {
   return path.join(os.homedir(), ".config", "Claude", "claude_desktop_config.json");
 }
 
-function detectRegion(profiles) {
-  const euCountries = ["UK", "GB", "DE", "FR", "IT", "ES", "NL", "SE", "PL", "BE", "TR", "AE", "SA", "EG", "IN"];
-  const feCountries = ["JP", "AU", "SG"];
-
-  for (const p of profiles) {
-    const cc = (p.countryCode || "").toUpperCase();
-    if (euCountries.includes(cc)) return "EU";
-    if (feCountries.includes(cc)) return "FE";
-  }
-  return "NA";
-}
-
-// ─── Start local server and wait for callback ───
+// ─── OAuth callback server ───
 
 function startCallbackServer(port) {
   return new Promise((resolve, reject) => {
@@ -233,6 +196,80 @@ function startCallbackServer(port) {
   });
 }
 
+// ─── Amazon Ads API calls ───
+
+async function exchangeCodeForTokens({ code, clientId, clientSecret, redirectUri }) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    redirect_uri: redirectUri,
+    client_id: clientId,
+    client_secret: clientSecret,
+  }).toString();
+
+  const res = await httpRequest({
+    hostname: "api.amazon.com",
+    path: "/auth/o2/token",
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body,
+  });
+
+  if (res.json?.error) {
+    throw new Error(`Amazon OAuth error: ${res.json.error} — ${res.json.error_description || ""}`);
+  }
+  if (!res.json?.access_token) {
+    throw new Error(`Unexpected token response: ${res.raw.slice(0, 200)}`);
+  }
+  return res.json;
+}
+
+/**
+ * Fetch all advertiser accounts accessible to this LWA application, across
+ * every Amazon Ads region the app has access to (NA / EU / FE).
+ *
+ * Uses Amazon Ads API v3 POST /adsAccounts/list. Returns a flat array of
+ * { accountName, adsAccountId, region, alternateIds[] } objects. Probes all
+ * three regions so users with multi-region accounts see everything.
+ */
+async function fetchAccountsAllRegions({ accessToken, clientId }) {
+  const all = [];
+
+  for (const [region, hostname] of Object.entries(REGION_HOSTS)) {
+    try {
+      const body = JSON.stringify({ maxResults: 100 });
+      const res = await httpRequest({
+        hostname,
+        path: "/adsAccounts/list",
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Amazon-Advertising-API-ClientId": clientId,
+          "Content-Type": "application/vnd.listaccountsresource.v1+json",
+          Accept: "application/vnd.listaccountsresource.v1+json",
+        },
+        body,
+      });
+
+      if (res.statusCode === 200 && Array.isArray(res.json?.adsAccounts)) {
+        for (const a of res.json.adsAccounts) {
+          all.push({
+            accountName: a.accountName || "(unnamed)",
+            adsAccountId: a.adsAccountId,
+            region,
+            alternateIds: Array.isArray(a.alternateIds) ? a.alternateIds : [],
+          });
+        }
+      }
+      // Non-200 responses are usually "not authorized in this region" — silent skip.
+    } catch {
+      // Network error per region is not fatal — other regions may still work.
+    }
+  }
+
+  return all;
+}
+
 // ─── Main ───
 
 async function main() {
@@ -240,7 +277,7 @@ async function main() {
   print("\u{1F680} Amazon Ads MCP Setup");
   print("\u2500".repeat(35));
 
-  // Ask for credentials
+  // ── Step 1: Credentials ──
   const clientId = await ask("\u2192 Enter your Amazon Ads Client ID: ");
   if (!clientId) {
     print("\n\u274C Client ID is required.");
@@ -255,8 +292,8 @@ async function main() {
 
   print("");
 
-  // Find an available port and start callback server
-  let result = null;
+  // ── Step 2: OAuth code flow via localhost callback ──
+  let oauthResult = null;
 
   for (let port = 8080; port <= 8082; port++) {
     const redirectUri = `${REDIRECT_URI_BASE}:${port}${CALLBACK_PATH}`;
@@ -267,11 +304,8 @@ async function main() {
       `&redirect_uri=${encodeURIComponent(redirectUri)}`;
 
     const promise = startCallbackServer(port);
-
-    // Give server a moment to bind or fail
     await new Promise((r) => setTimeout(r, 150));
 
-    // Quick check — if port was in use, promise resolves to null immediately
     const quick = await Promise.race([
       promise,
       new Promise((r) => setTimeout(() => r("waiting"), 300)),
@@ -282,129 +316,171 @@ async function main() {
       continue;
     }
 
-    // Server is listening — open browser
     print(`\u2192 Opening Amazon authorization in your browser...`);
     openBrowser(authUrl);
     print(`\u2192 Waiting for authorization... (press Ctrl+C to cancel)`);
 
-    result = quick === "waiting" ? await promise : quick;
+    oauthResult = quick === "waiting" ? await promise : quick;
     break;
   }
 
-  if (!result) {
+  if (!oauthResult) {
     print("\n\u274C Could not find an available port (tried 8080-8082). Please free one and try again.");
     process.exit(1);
   }
 
   print("\u2705 Authorization received");
 
-  // Exchange code for tokens using the actual port that was bound
-  const redirectUri = `${REDIRECT_URI_BASE}:${result.port}${CALLBACK_PATH}`;
-  const tokenBody = new URLSearchParams({
-    grant_type: "authorization_code",
-    code: result.code,
-    redirect_uri: redirectUri,
-    client_id: clientId,
-    client_secret: clientSecret,
-  }).toString();
-
-  let tokenData;
+  // ── Step 3: Exchange code for tokens ──
+  const redirectUri = `${REDIRECT_URI_BASE}:${oauthResult.port}${CALLBACK_PATH}`;
+  let tokens;
   try {
-    tokenData = await httpPost(OAUTH_TOKEN_URL, tokenBody);
+    tokens = await exchangeCodeForTokens({
+      code: oauthResult.code,
+      clientId,
+      clientSecret,
+      redirectUri,
+    });
   } catch (err) {
-    print(`\n\u274C Token exchange failed: ${err.message}`);
+    print(`\n\u274C ${err.message}`);
     process.exit(1);
   }
 
-  if (tokenData.error) {
-    print(`\n\u274C Amazon OAuth error: ${tokenData.error} - ${tokenData.error_description || ""}`);
-    process.exit(1);
-  }
+  const { access_token, refresh_token } = tokens;
 
-  const { access_token, refresh_token } = tokenData;
+  // ── Step 4: Fetch advertiser accounts across all regions ──
+  print("\u2192 Fetching your Amazon Ads accounts...");
 
-  // Fetch advertiser profiles
-  print("\u2192 Fetching your Amazon Ads profiles...");
+  const accounts = await fetchAccountsAllRegions({
+    accessToken: access_token,
+    clientId,
+  });
 
-  let profiles;
-  try {
-    profiles = await httpGet(PROFILES_URL, {
-      Authorization: `Bearer ${access_token}`,
-      "Amazon-Advertising-API-ClientId": clientId,
-    });
-  } catch (err) {
-    print(`\n\u274C Failed to fetch profiles: ${err.message}`);
+  if (accounts.length === 0) {
+    print("\n\u274C No advertiser accounts found for this LWA application.");
+    print("   Make sure your app has Amazon Ads API access approved.");
     process.exit(1);
   }
 
-  if (!Array.isArray(profiles) || profiles.length === 0) {
-    print("\n\u274C No advertising profiles found on this account.");
-    process.exit(1);
-  }
+  print(`\u2192 Found ${accounts.length} advertiser account(s)`);
+  print("");
+
+  // ── Step 5: Ask the user which mode they want ──
+  print("\u{1F4CD} Account scope — two ways to run the MCP:");
+  print("");
+  print("   1. \u{1F517} Flexible mode (recommended if you manage multiple marketplaces)");
+  print("      Claude picks the marketplace per question at runtime.");
+  print("      Works across every account + marketplace your LWA app can access.");
+  print("");
+  print("   2. \u{1F4CD} Pinned mode (recommended if you only manage one marketplace)");
+  print("      One marketplace is locked in. Simpler, no per-question selection.");
+  print("");
 
-  // Select profile
-  let selectedProfile;
+  const modeAnswer = await ask("\u2192 Choose mode [1 = flexible (default), 2 = pinned]: ");
+  const mode = modeAnswer === "2" ? "pinned" : "flexible";
 
-  if (profiles.length === 1) {
-    selectedProfile = profiles[0];
-    print(`\u2192 Found 1 profile: ${selectedProfile.accountInfo?.name || "Account"} (${selectedProfile.profileId})`);
+  let config = {
+    CLIENT_ID: clientId,
+    CLIENT_SECRET: clientSecret,
+    REFRESH_TOKEN: refresh_token,
+  };
+
+  let displayLabel;
+  let chosenRegion;
+
+  if (mode === "flexible") {
+    // In flexible/dynamic mode, we do NOT pin any scope — the proxy will omit
+    // the FIXED header, and Claude will pass account identifiers per call.
+    // We still need to pick a REGION for the MCP endpoint URL. Use the region
+    // that hosts the most accounts for this user (arbitrary sensible default).
+    const regionCounts = accounts.reduce((acc, a) => {
+      acc[a.region] = (acc[a.region] || 0) + 1;
+      return acc;
+    }, {});
+    chosenRegion = Object.entries(regionCounts).sort((a, b) => b[1] - a[1])[0][0];
+    displayLabel = `Flexible mode — all accounts (${accounts.length}) across ${Object.keys(regionCounts).join(", ")}`;
   } else {
-    print(`\u2192 Found ${profiles.length} profiles:`);
-    profiles.forEach((p, i) => {
-      const name = p.accountInfo?.name || `Profile ${p.profileId}`;
-      const cc = p.countryCode || "";
-      print(`   ${i + 1}. ${name} ${cc ? `(${cc})` : ""} \u2014 profile_id: ${p.profileId}`);
+    // Pinned mode: user picks an account, then one of its marketplace profiles.
+    const sorted = [...accounts].sort((a, b) => a.accountName.localeCompare(b.accountName));
+    print("");
+    print("\u2192 Select an account to pin:");
+    sorted.forEach((a, i) => {
+      const marketplaces = [...new Set(a.alternateIds.map((x) => x.countryCode))].join(", ");
+      print(`   ${i + 1}. ${a.accountName}  \u2014  ${marketplaces || a.region}`);
     });
 
-    const answer = await ask(`\u2192 Select a profile [1-${profiles.length}]: `);
-    const idx = parseInt(answer, 10) - 1;
-
-    if (isNaN(idx) || idx < 0 || idx >= profiles.length) {
+    const accIdx = parseInt(await ask(`\u2192 Select account [1-${sorted.length}]: `), 10) - 1;
+    if (isNaN(accIdx) || accIdx < 0 || accIdx >= sorted.length) {
       print("\n\u274C Invalid selection.");
       process.exit(1);
     }
+    const selectedAccount = sorted[accIdx];
 
-    selectedProfile = profiles[idx];
+    // Pick a marketplace within that account (always, so query_campaign works)
+    const profiles = selectedAccount.alternateIds.filter((x) => x.profileId);
+    if (profiles.length === 0) {
+      print("\n\u274C Selected account has no advertising profiles.");
+      process.exit(1);
+    }
+
+    let selectedProfile;
+    if (profiles.length === 1) {
+      selectedProfile = profiles[0];
+      print(`\u2192 Only one marketplace available: ${selectedProfile.countryCode}`);
+    } else {
+      print("");
+      print(`\u2192 Select a marketplace within ${selectedAccount.accountName}:`);
+      profiles.forEach((p, i) => {
+        print(`   ${i + 1}. ${p.countryCode}  \u2014  profile ${p.profileId}`);
+      });
+      const pIdx = parseInt(await ask(`\u2192 Select marketplace [1-${profiles.length}]: `), 10) - 1;
+      if (isNaN(pIdx) || pIdx < 0 || pIdx >= profiles.length) {
+        print("\n\u274C Invalid selection.");
+        process.exit(1);
+      }
+      selectedProfile = profiles[pIdx];
+    }
+
+    config.PROFILE_ID = String(selectedProfile.profileId);
+    config.ACCOUNT_ID = selectedAccount.adsAccountId;
+    chosenRegion = selectedAccount.region;
+    displayLabel = `${selectedAccount.accountName} — ${selectedProfile.countryCode}`;
   }
 
-  const profileName = selectedProfile.accountInfo?.name || "Amazon Ads";
-  const profileId = String(selectedProfile.profileId);
-  const region = detectRegion([selectedProfile]);
+  config.REGION = chosenRegion;
 
-  print(`\u2705 Profile selected: ${profileName} (${region})`);
+  print("");
+  print(`\u2705 Mode: ${mode === "flexible" ? "Flexible" : "Pinned"}`);
+  print(`   ${displayLabel}`);
+  print(`   Region: ${chosenRegion}`);
 
-  // Write Claude Desktop config
+  // ── Step 6: Write Claude Desktop config ──
   const configPath = getConfigPath();
   const configDir = path.dirname(configPath);
 
-  let config = {};
+  let existingConfig = {};
   if (fs.existsSync(configPath)) {
     try {
-      config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+      existingConfig = JSON.parse(fs.readFileSync(configPath, "utf8"));
     } catch {
       print(`  Warning: existing config was invalid JSON, creating fresh.`);
     }
   }
 
-  if (!config.mcpServers) {
-    config.mcpServers = {};
+  if (!existingConfig.mcpServers) {
+    existingConfig.mcpServers = {};
   }
 
-  config.mcpServers["amazon-ads"] = {
+  existingConfig.mcpServers["amazon-ads"] = {
     command: "npx",
     args: ["-y", "@ppcassist/amazon-ads-mcp"],
-    env: {
-      CLIENT_ID: clientId,
-      CLIENT_SECRET: clientSecret,
-      REFRESH_TOKEN: refresh_token,
-      PROFILE_ID: profileId,
-      REGION: region,
-    },
+    env: config,
   };
 
   fs.mkdirSync(configDir, { recursive: true });
-  fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+  fs.writeFileSync(configPath, JSON.stringify(existingConfig, null, 2) + "\n");
 
+  print("");
   print(`\u2705 Claude Desktop config updated`);
   print(`   ${configPath}`);
   print("\u2500".repeat(35));