ksef-client-ts 0.1.1 → 0.3.0

package/dist/index.js

@@ -31,6 +31,1951 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
+// src/config/environments.ts
+var Environment;
+var init_environments = __esm({
+  "src/config/environments.ts"() {
+    "use strict";
+    Environment = {
+      TEST: {
+        apiUrl: "https://api-test.ksef.mf.gov.pl",
+        qrUrl: "https://qr-test.ksef.mf.gov.pl",
+        lighthouseUrl: "https://api-latarnia-test.ksef.mf.gov.pl"
+      },
+      DEMO: {
+        apiUrl: "https://api-demo.ksef.mf.gov.pl",
+        qrUrl: "https://qr-demo.ksef.mf.gov.pl",
+        lighthouseUrl: ""
+      },
+      PROD: {
+        apiUrl: "https://api.ksef.mf.gov.pl",
+        qrUrl: "https://qr.ksef.mf.gov.pl",
+        lighthouseUrl: "https://api-latarnia.ksef.mf.gov.pl"
+      }
+    };
+  }
+});
+
+// src/config/options.ts
+function resolveOptions(options = {}) {
+  const env = options.environment ? Environment[options.environment] : Environment.TEST;
+  return {
+    baseUrl: options.baseUrl ?? env.apiUrl,
+    baseQrUrl: options.baseQrUrl ?? env.qrUrl,
+    lighthouseUrl: options.lighthouseUrl ?? env.lighthouseUrl,
+    apiVersion: options.apiVersion ?? DEFAULT_API_VERSION,
+    timeout: options.timeout ?? DEFAULT_TIMEOUT,
+    customHeaders: options.customHeaders ?? {},
+    environmentName: options.environment ?? (options.baseUrl ? void 0 : "TEST")
+  };
+}
+var DEFAULT_API_VERSION, DEFAULT_TIMEOUT;
+var init_options = __esm({
+  "src/config/options.ts"() {
+    "use strict";
+    init_environments();
+    DEFAULT_API_VERSION = "v2";
+    DEFAULT_TIMEOUT = 3e4;
+  }
+});
+
+// src/config/index.ts
+var init_config = __esm({
+  "src/config/index.ts"() {
+    "use strict";
+    init_environments();
+    init_options();
+  }
+});
+
+// src/errors/ksef-error.ts
+var KSeFError;
+var init_ksef_error = __esm({
+  "src/errors/ksef-error.ts"() {
+    "use strict";
+    KSeFError = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "KSeFError";
+      }
+    };
+  }
+});
+
+// src/errors/ksef-api-error.ts
+var KSeFApiError;
+var init_ksef_api_error = __esm({
+  "src/errors/ksef-api-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFApiError = class _KSeFApiError extends KSeFError {
+      statusCode;
+      errorResponse;
+      constructor(message, statusCode, errorResponse) {
+        super(message);
+        this.name = "KSeFApiError";
+        this.statusCode = statusCode;
+        this.errorResponse = errorResponse;
+      }
+      static fromResponse(statusCode, body) {
+        const details = body?.exception?.exceptionDetailList;
+        const message = details?.length ? details.map((d) => d.exceptionDescription ?? "").filter(Boolean).join("; ") || `KSeF API error: HTTP ${statusCode}` : `KSeF API error: HTTP ${statusCode}`;
+        return new _KSeFApiError(message, statusCode, body);
+      }
+    };
+  }
+});
+
+// src/errors/ksef-rate-limit-error.ts
+var KSeFRateLimitError;
+var init_ksef_rate_limit_error = __esm({
+  "src/errors/ksef-rate-limit-error.ts"() {
+    "use strict";
+    init_ksef_api_error();
+    KSeFRateLimitError = class _KSeFRateLimitError extends KSeFApiError {
+      retryAfterSeconds;
+      retryAfterDate;
+      recommendedDelay;
+      constructor(message, statusCode, errorResponse, retryAfterSeconds, retryAfterDate) {
+        super(message, statusCode, errorResponse);
+        this.name = "KSeFRateLimitError";
+        this.retryAfterSeconds = retryAfterSeconds;
+        this.retryAfterDate = retryAfterDate;
+        this.recommendedDelay = retryAfterSeconds ?? 60;
+      }
+      static fromRetryAfterHeader(statusCode, retryAfterHeader, body) {
+        let retryAfterSeconds;
+        let retryAfterDate;
+        if (retryAfterHeader) {
+          const seconds = Number(retryAfterHeader);
+          if (!Number.isNaN(seconds)) {
+            retryAfterSeconds = seconds;
+          } else {
+            const date = new Date(retryAfterHeader);
+            if (!Number.isNaN(date.getTime())) {
+              retryAfterDate = date;
+              retryAfterSeconds = Math.max(0, Math.ceil((date.getTime() - Date.now()) / 1e3));
+            }
+          }
+        }
+        const message = retryAfterSeconds != null ? `Rate limited. Retry after ${retryAfterSeconds}s` : "Rate limited by KSeF API";
+        return new _KSeFRateLimitError(message, statusCode, body, retryAfterSeconds, retryAfterDate);
+      }
+    };
+  }
+});
+
+// src/errors/ksef-unauthorized-error.ts
+var KSeFUnauthorizedError;
+var init_ksef_unauthorized_error = __esm({
+  "src/errors/ksef-unauthorized-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFUnauthorizedError = class extends KSeFError {
+      statusCode = 401;
+      detail;
+      traceId;
+      instance;
+      constructor(problemDetails) {
+        super(problemDetails.detail || "Unauthorized");
+        this.name = "KSeFUnauthorizedError";
+        this.detail = problemDetails.detail;
+        this.traceId = problemDetails.traceId;
+        this.instance = problemDetails.instance;
+      }
+    };
+  }
+});
+
+// src/errors/ksef-forbidden-error.ts
+var KSeFForbiddenError;
+var init_ksef_forbidden_error = __esm({
+  "src/errors/ksef-forbidden-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFForbiddenError = class extends KSeFError {
+      statusCode = 403;
+      detail;
+      reasonCode;
+      instance;
+      security;
+      traceId;
+      constructor(problemDetails) {
+        super(problemDetails.detail || "Forbidden");
+        this.name = "KSeFForbiddenError";
+        this.detail = problemDetails.detail;
+        this.reasonCode = problemDetails.reasonCode;
+        this.instance = problemDetails.instance;
+        this.security = problemDetails.security;
+        this.traceId = problemDetails.traceId;
+      }
+    };
+  }
+});
+
+// src/errors/ksef-auth-status-error.ts
+var KSeFAuthStatusError;
+var init_ksef_auth_status_error = __esm({
+  "src/errors/ksef-auth-status-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFAuthStatusError = class extends KSeFError {
+      referenceNumber;
+      statusDescription;
+      constructor(message, referenceNumber, statusDescription) {
+        super(message);
+        this.name = "KSeFAuthStatusError";
+        this.referenceNumber = referenceNumber;
+        this.statusDescription = statusDescription;
+      }
+    };
+  }
+});
+
+// src/errors/ksef-session-expired-error.ts
+var KSeFSessionExpiredError;
+var init_ksef_session_expired_error = __esm({
+  "src/errors/ksef-session-expired-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFSessionExpiredError = class extends KSeFError {
+      constructor(message = "KSeF session has expired") {
+        super(message);
+        this.name = "KSeFSessionExpiredError";
+      }
+    };
+  }
+});
+
+// src/errors/ksef-validation-error.ts
+var KSeFValidationError;
+var init_ksef_validation_error = __esm({
+  "src/errors/ksef-validation-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFValidationError = class _KSeFValidationError extends KSeFError {
+      details;
+      constructor(message, details = []) {
+        super(message);
+        this.name = "KSeFValidationError";
+        this.details = details;
+      }
+      static fromField(field, message) {
+        return new _KSeFValidationError(message, [{ field, message }]);
+      }
+      static fromMessages(messages) {
+        const details = messages.map((m) => ({ message: m }));
+        return new _KSeFValidationError(messages.join("; "), details);
+      }
+    };
+  }
+});
+
+// src/errors/index.ts
+var init_errors = __esm({
+  "src/errors/index.ts"() {
+    "use strict";
+    init_ksef_error();
+    init_ksef_api_error();
+    init_ksef_rate_limit_error();
+    init_ksef_unauthorized_error();
+    init_ksef_forbidden_error();
+    init_ksef_auth_status_error();
+    init_ksef_session_expired_error();
+    init_ksef_validation_error();
+  }
+});
+
+// src/http/route-builder.ts
+var RouteBuilder;
+var init_route_builder = __esm({
+  "src/http/route-builder.ts"() {
+    "use strict";
+    RouteBuilder = class {
+      apiVersion;
+      constructor(apiVersion) {
+        this.apiVersion = apiVersion;
+      }
+      build(endpoint, apiVersion) {
+        const version = apiVersion ?? this.apiVersion;
+        return `/${version}/${endpoint}`;
+      }
+    };
+  }
+});
+
+// src/http/rest-request.ts
+var RestRequest;
+var init_rest_request = __esm({
+  "src/http/rest-request.ts"() {
+    "use strict";
+    RestRequest = class _RestRequest {
+      method;
+      path;
+      _body;
+      _headers = {};
+      _query = [];
+      _presigned = false;
+      _skipAuthRetry = false;
+      constructor(method, path) {
+        this.method = method;
+        this.path = path;
+      }
+      static get(path) {
+        return new _RestRequest("GET", path);
+      }
+      static post(path) {
+        return new _RestRequest("POST", path);
+      }
+      static put(path) {
+        return new _RestRequest("PUT", path);
+      }
+      static delete(path) {
+        return new _RestRequest("DELETE", path);
+      }
+      body(data) {
+        this._body = data;
+        return this;
+      }
+      header(name, value) {
+        this._headers[name] = value;
+        return this;
+      }
+      headers(headers) {
+        Object.assign(this._headers, headers);
+        return this;
+      }
+      accessToken(token) {
+        this._headers["Authorization"] = `Bearer ${token}`;
+        return this;
+      }
+      query(key, value) {
+        this._query.push([key, value]);
+        return this;
+      }
+      presigned(flag = true) {
+        this._presigned = flag;
+        return this;
+      }
+      isPresigned() {
+        return this._presigned;
+      }
+      skipAuthRetry(flag = true) {
+        this._skipAuthRetry = flag;
+        return this;
+      }
+      isSkipAuthRetry() {
+        return this._skipAuthRetry;
+      }
+      getBody() {
+        return this._body;
+      }
+      getHeaders() {
+        return { ...this._headers };
+      }
+      getQuery() {
+        return [...this._query];
+      }
+    };
+  }
+});
+
+// src/http/transport.ts
+var defaultTransport;
+var init_transport = __esm({
+  "src/http/transport.ts"() {
+    "use strict";
+    defaultTransport = (url, init) => fetch(url, init);
+  }
+});
+
+// src/http/retry-policy.ts
+function defaultRetryPolicy() {
+  return {
+    maxRetries: 3,
+    baseDelayMs: 500,
+    maxDelayMs: 3e4,
+    retryableStatusCodes: [429, 500, 502, 503, 504],
+    retryNetworkErrors: true
+  };
+}
+function calculateBackoff(attempt, policy) {
+  const exponential = policy.baseDelayMs * Math.pow(2, attempt);
+  const jitter = Math.random() * policy.baseDelayMs;
+  return Math.min(exponential + jitter, policy.maxDelayMs);
+}
+function parseRetryAfter(header) {
+  if (!header) return null;
+  const seconds = Number(header);
+  if (!Number.isNaN(seconds)) {
+    return seconds * 1e3;
+  }
+  const date = new Date(header);
+  if (!Number.isNaN(date.getTime())) {
+    return Math.max(0, date.getTime() - Date.now());
+  }
+  return null;
+}
+function isRetryableError(error, policy) {
+  if (!policy.retryNetworkErrors) return false;
+  if (!(error instanceof Error)) return false;
+  if (error.name === "AbortError") return true;
+  const code = error.code;
+  if (code && RETRYABLE_ERROR_CODES.has(code)) return true;
+  return false;
+}
+function isRetryableStatus(status, policy) {
+  return policy.retryableStatusCodes.includes(status);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+var RETRYABLE_ERROR_CODES;
+var init_retry_policy = __esm({
+  "src/http/retry-policy.ts"() {
+    "use strict";
+    RETRYABLE_ERROR_CODES = /* @__PURE__ */ new Set([
+      "ECONNRESET",
+      "ECONNREFUSED",
+      "ETIMEDOUT",
+      "UND_ERR_CONNECT_TIMEOUT"
+    ]);
+  }
+});
+
+// src/http/presigned-url-policy.ts
+function defaultPresignedUrlPolicy() {
+  return {
+    allowedHosts: ["*.ksef.mf.gov.pl"],
+    requireHttps: true,
+    blockRedirectParams: true,
+    rejectPrivateIps: true
+  };
+}
+function validatePresignedUrl(url, policy) {
+  const parsed = new URL(url);
+  if (policy.requireHttps && parsed.protocol !== "https:") {
+    throw new KSeFValidationError(`Presigned URL must use HTTPS: ${url}`);
+  }
+  if (!matchesAllowedHost(parsed.hostname, policy.allowedHosts)) {
+    throw new KSeFValidationError(
+      `Presigned URL host '${parsed.hostname}' is not in the allowed hosts list`
+    );
+  }
+  if (policy.blockRedirectParams) {
+    checkRedirectParams(parsed, url);
+  }
+  if (policy.rejectPrivateIps) {
+    checkPrivateIp(parsed.hostname, url);
+  }
+}
+function matchesAllowedHost(hostname, allowedHosts) {
+  for (const pattern of allowedHosts) {
+    if (pattern.startsWith("*.")) {
+      const suffix = pattern.slice(1);
+      if (hostname.endsWith(suffix) && hostname.length > suffix.length) {
+        return true;
+      }
+    } else if (hostname === pattern) {
+      return true;
+    }
+  }
+  return false;
+}
+function checkRedirectParams(parsed, originalUrl) {
+  for (const [key] of parsed.searchParams) {
+    if (BLOCKED_PARAMS.includes(key.toLowerCase())) {
+      throw new KSeFValidationError(
+        `Presigned URL contains blocked redirect parameter '${key}': ${originalUrl}`
+      );
+    }
+  }
+}
+function checkPrivateIp(hostname, originalUrl) {
+  const host = hostname.startsWith("[") ? hostname.slice(1, -1) : hostname;
+  if (isPrivateIPv4(host) || isPrivateIPv6(host)) {
+    throw new KSeFValidationError(
+      `Presigned URL resolves to a private/reserved IP address '${hostname}': ${originalUrl}`
+    );
+  }
+}
+function isPrivateIPv4(ip) {
+  const parts = ip.split(".");
+  if (parts.length !== 4) return false;
+  const nums = parts.map(Number);
+  if (nums.some((n) => Number.isNaN(n))) return false;
+  const a = nums[0];
+  const b = nums[1];
+  if (a === 127) return true;
+  if (a === 10) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 169 && b === 254) return true;
+  return false;
+}
+function isPrivateIPv6(ip) {
+  const lower = ip.toLowerCase();
+  if (lower === "::1") return true;
+  if (lower.startsWith("fc") || lower.startsWith("fd")) return true;
+  if (lower.startsWith("fe8") || lower.startsWith("fe9") || lower.startsWith("fea") || lower.startsWith("feb")) return true;
+  return false;
+}
+var BLOCKED_PARAMS;
+var init_presigned_url_policy = __esm({
+  "src/http/presigned-url-policy.ts"() {
+    "use strict";
+    init_ksef_validation_error();
+    BLOCKED_PARAMS = ["redirect", "callback", "return_url", "next"];
+  }
+});
+
+// src/http/rest-client.ts
+import { consola } from "consola";
+var RestClient;
+var init_rest_client = __esm({
+  "src/http/rest-client.ts"() {
+    "use strict";
+    init_ksef_api_error();
+    init_ksef_rate_limit_error();
+    init_ksef_unauthorized_error();
+    init_ksef_forbidden_error();
+    init_route_builder();
+    init_transport();
+    init_retry_policy();
+    init_presigned_url_policy();
+    RestClient = class {
+      options;
+      routeBuilder;
+      transport;
+      retryPolicy;
+      rateLimitPolicy;
+      authManager;
+      presignedUrlPolicy;
+      constructor(options, config) {
+        this.options = options;
+        this.routeBuilder = new RouteBuilder(options.apiVersion);
+        this.transport = config?.transport ?? defaultTransport;
+        this.retryPolicy = config?.retryPolicy ?? defaultRetryPolicy();
+        this.rateLimitPolicy = config?.rateLimitPolicy ?? null;
+        this.authManager = config?.authManager;
+        this.presignedUrlPolicy = config?.presignedUrlPolicy;
+      }
+      async execute(request) {
+        const response = await this.sendRequest(request);
+        await this.ensureSuccess(response);
+        const body = await response.json();
+        return { body, headers: response.headers, statusCode: response.status };
+      }
+      async executeVoid(request) {
+        const response = await this.sendRequest(request);
+        await this.ensureSuccess(response);
+      }
+      async executeRaw(request) {
+        const response = await this.sendRequest(request);
+        await this.ensureSuccess(response);
+        const body = await response.arrayBuffer();
+        return { body, headers: response.headers, statusCode: response.status };
+      }
+      async sendRequest(request) {
+        const url = this.buildUrl(request);
+        if (request.isPresigned() && this.presignedUrlPolicy) {
+          validatePresignedUrl(url, this.presignedUrlPolicy);
+        }
+        if (this.rateLimitPolicy) {
+          await this.rateLimitPolicy.acquire(request.path);
+        }
+        let lastError;
+        for (let attempt = 0; attempt <= this.retryPolicy.maxRetries; attempt++) {
+          try {
+            const response = await this.doRequest(request, url);
+            if (response.status === 401 && this.authManager && attempt === 0 && !request.isSkipAuthRetry()) {
+              const newToken = await this.authManager.onUnauthorized();
+              if (newToken) {
+                consola.debug("Auth token refreshed, retrying request");
+                return this.doRequest(request, url, newToken);
+              }
+            }
+            if (isRetryableStatus(response.status, this.retryPolicy) && attempt < this.retryPolicy.maxRetries) {
+              const is429 = response.status === 429;
+              const retryAfterMs = is429 ? parseRetryAfter(response.headers.get("Retry-After")) : null;
+              const delayMs = retryAfterMs ?? calculateBackoff(attempt, this.retryPolicy);
+              consola.debug(`Retryable ${response.status}, attempt ${attempt + 1}/${this.retryPolicy.maxRetries}, waiting ${Math.round(delayMs)}ms`);
+              await sleep(delayMs);
+              if (is429 && this.rateLimitPolicy) {
+                await this.rateLimitPolicy.acquire(request.path);
+              }
+              continue;
+            }
+            return response;
+          } catch (error) {
+            lastError = error;
+            if (isRetryableError(error, this.retryPolicy) && attempt < this.retryPolicy.maxRetries) {
+              const delayMs = calculateBackoff(attempt, this.retryPolicy);
+              consola.debug(`Network error, attempt ${attempt + 1}/${this.retryPolicy.maxRetries}, waiting ${Math.round(delayMs)}ms`);
+              await sleep(delayMs);
+              continue;
+            }
+            throw error;
+          }
+        }
+        throw lastError;
+      }
+      async doRequest(request, url, overrideToken) {
+        const headers = {
+          ...this.options.customHeaders,
+          ...request.getHeaders()
+        };
+        if (!headers["Authorization"] && this.authManager) {
+          const token = overrideToken ?? this.authManager.getAccessToken();
+          if (token) {
+            headers["Authorization"] = `Bearer ${token}`;
+          }
+        }
+        const rawBody = request.getBody();
+        if (rawBody !== void 0 && !headers["Content-Type"]) {
+          headers["Content-Type"] = "application/json";
+        }
+        let body;
+        if (rawBody !== void 0) {
+          body = typeof rawBody === "string" ? rawBody : JSON.stringify(rawBody);
+        }
+        const start = performance.now();
+        const response = await this.transport(url, {
+          method: request.method,
+          headers,
+          body,
+          signal: AbortSignal.timeout(this.options.timeout)
+        });
+        const elapsed = Math.round(performance.now() - start);
+        consola.debug(`${request.method} ${url} \u2192 ${response.status} (${elapsed}ms)`);
+        return response;
+      }
+      buildUrl(request) {
+        const path = this.routeBuilder.build(request.path);
+        const base = this.options.baseUrl;
+        const url = new URL(`${base}${path}`);
+        const query = request.getQuery();
+        for (const [key, value] of query) {
+          url.searchParams.append(key, value);
+        }
+        return url.toString();
+      }
+      async ensureSuccess(response) {
+        if (response.ok) return;
+        const text = await response.text().catch(() => "");
+        const parseJson = () => {
+          try {
+            return JSON.parse(text);
+          } catch {
+            return void 0;
+          }
+        };
+        if (response.status === 429) {
+          const parsed = parseJson();
+          throw KSeFRateLimitError.fromRetryAfterHeader(
+            response.status,
+            response.headers.get("Retry-After"),
+            parsed
+          );
+        }
+        if (response.status === 401) {
+          const body = parseJson();
+          if (body?.detail) {
+            throw new KSeFUnauthorizedError(body);
+          }
+        }
+        if (response.status === 403) {
+          const body = parseJson();
+          if (body?.reasonCode) {
+            throw new KSeFForbiddenError(body);
+          }
+        }
+        throw KSeFApiError.fromResponse(response.status, parseJson());
+      }
+    };
+  }
+});
+
+// src/http/routes.ts
+var Routes;
+var init_routes = __esm({
+  "src/http/routes.ts"() {
+    "use strict";
+    Routes = {
+      TestData: {
+        createSubject: "testdata/subject",
+        removeSubject: "testdata/subject/remove",
+        createPerson: "testdata/person",
+        removePerson: "testdata/person/remove",
+        grantPerms: "testdata/permissions",
+        revokePerms: "testdata/permissions/revoke",
+        enableAttach: "testdata/attachment",
+        disableAttach: "testdata/attachment/revoke",
+        changeSessionLimitsInCurrentContext: "testdata/limits/context/session",
+        restoreDefaultSessionLimitsInCurrentContext: "testdata/limits/context/session",
+        changeCertificatesLimitInCurrentSubject: "testdata/limits/subject/certificate",
+        restoreDefaultCertificatesLimitInCurrentSubject: "testdata/limits/subject/certificate",
+        rateLimits: "testdata/rate-limits",
+        productionRateLimits: "testdata/rate-limits/production",
+        blockContext: "testdata/context/block",
+        unblockContext: "testdata/context/unblock"
+      },
+      Limits: {
+        currentContext: "limits/context",
+        currentSubject: "limits/subject",
+        rateLimits: "rate-limits"
+      },
+      ActiveSessions: {
+        session: "auth/sessions",
+        delete: (ref) => `auth/sessions/${ref}`,
+        currentSession: "auth/sessions/current"
+      },
+      Authorization: {
+        challenge: "auth/challenge",
+        xadesSignature: "auth/xades-signature",
+        ksefToken: "auth/ksef-token",
+        status: (ref) => `auth/${ref}`,
+        Token: {
+          redeem: "auth/token/redeem",
+          refresh: "auth/token/refresh"
+        }
+      },
+      Sessions: {
+        root: "sessions",
+        byReference: (ref) => `sessions/${ref}`,
+        invoices: (ref) => `sessions/${ref}/invoices`,
+        invoice: (ref, invoiceRef) => `sessions/${ref}/invoices/${invoiceRef}`,
+        failedInvoices: (ref) => `sessions/${ref}/invoices/failed`,
+        upoByKsefNumber: (ref, ksefNumber) => `sessions/${ref}/invoices/ksef/${ksefNumber}/upo`,
+        upoByInvoiceReference: (ref, invoiceRef) => `sessions/${ref}/invoices/${invoiceRef}/upo`,
+        upo: (ref, upoRef) => `sessions/${ref}/upo/${upoRef}`,
+        Online: {
+          open: "sessions/online",
+          invoices: (sessionRef) => `sessions/online/${sessionRef}/invoices`,
+          close: (sessionRef) => `sessions/online/${sessionRef}/close`
+        },
+        Batch: {
+          open: "sessions/batch",
+          close: (batchRef) => `sessions/batch/${batchRef}/close`
+        }
+      },
+      Invoices: {
+        byKsefNumber: (ksefNumber) => `invoices/ksef/${ksefNumber}`,
+        queryMetadata: "invoices/query/metadata",
+        exports: "invoices/exports",
+        exportByReference: (ref) => `invoices/exports/${ref}`
+      },
+      Permissions: {
+        Grants: {
+          persons: "permissions/persons/grants",
+          entities: "permissions/entities/grants",
+          authorizations: "permissions/authorizations/grants",
+          indirect: "permissions/indirect/grants",
+          subunits: "permissions/subunits/grants",
+          euEntities: "permissions/eu-entities/administration/grants",
+          euEntitiesRepresentatives: "permissions/eu-entities/grants"
+        },
+        Common: {
+          grantById: (id) => `permissions/common/grants/${id}`
+        },
+        Authorizations: {
+          grantById: (id) => `permissions/authorizations/grants/${id}`
+        },
+        Query: {
+          personalGrants: "permissions/query/personal/grants",
+          personsGrants: "permissions/query/persons/grants",
+          subunitsGrants: "permissions/query/subunits/grants",
+          entitiesRoles: "permissions/query/entities/roles",
+          entitiesGrants: "permissions/query/entities/grants",
+          subordinateEntitiesRoles: "permissions/query/subordinate-entities/roles",
+          authorizationsGrants: "permissions/query/authorizations/grants",
+          euEntitiesGrants: "permissions/query/eu-entities/grants"
+        },
+        Operations: {
+          byReference: (ref) => `permissions/operations/${ref}`
+        },
+        Attachments: {
+          status: "permissions/attachments/status"
+        }
+      },
+      Certificates: {
+        limits: "certificates/limits",
+        enrollmentData: "certificates/enrollments/data",
+        enrollments: "certificates/enrollments",
+        enrollmentStatus: (ref) => `certificates/enrollments/${ref}`,
+        retrieve: "certificates/retrieve",
+        revoke: (serialNumber) => `certificates/${serialNumber}/revoke`,
+        query: "certificates/query"
+      },
+      Tokens: {
+        root: "tokens",
+        byReference: (ref) => `tokens/${ref}`
+      },
+      Peppol: {
+        query: "peppol/query"
+      },
+      Security: {
+        publicKeyCertificates: "security/public-key-certificates"
+      },
+      Lighthouse: {
+        status: "status",
+        messages: "messages"
+      }
+    };
+  }
+});
+
+// src/http/rate-limit-policy.ts
+function defaultRateLimitPolicy() {
+  return new RateLimitPolicy({ globalRps: 10 });
+}
+var TokenBucket, RateLimitPolicy;
+var init_rate_limit_policy = __esm({
+  "src/http/rate-limit-policy.ts"() {
+    "use strict";
+    TokenBucket = class {
+      tokens;
+      maxTokens;
+      refillRate;
+      // tokens per ms
+      lastRefill;
+      constructor(rps) {
+        this.maxTokens = rps;
+        this.tokens = rps;
+        this.refillRate = rps / 1e3;
+        this.lastRefill = Date.now();
+      }
+      async acquire() {
+        this.refill();
+        if (this.tokens >= 1) {
+          this.tokens -= 1;
+          return;
+        }
+        const waitMs = Math.ceil((1 - this.tokens) / this.refillRate);
+        await new Promise((resolve) => setTimeout(resolve, waitMs));
+        this.refill();
+        this.tokens -= 1;
+      }
+      refill() {
+        const now = Date.now();
+        const elapsed = now - this.lastRefill;
+        this.tokens = Math.min(this.maxTokens, this.tokens + elapsed * this.refillRate);
+        this.lastRefill = now;
+      }
+    };
+    RateLimitPolicy = class {
+      globalBucket;
+      endpointBuckets = /* @__PURE__ */ new Map();
+      endpointLimits;
+      chain = Promise.resolve();
+      constructor(config) {
+        this.globalBucket = new TokenBucket(config.globalRps);
+        this.endpointLimits = config.endpointLimits ?? {};
+      }
+      async acquire(endpoint) {
+        return new Promise((resolve, reject) => {
+          this.chain = this.chain.then(() => this.doAcquire(endpoint)).then(resolve, reject);
+        });
+      }
+      async doAcquire(endpoint) {
+        await this.globalBucket.acquire();
+        const limit = this.endpointLimits[endpoint];
+        if (limit !== void 0) {
+          let bucket = this.endpointBuckets.get(endpoint);
+          if (!bucket) {
+            bucket = new TokenBucket(limit);
+            this.endpointBuckets.set(endpoint, bucket);
+          }
+          await bucket.acquire();
+        }
+      }
+    };
+  }
+});
+
+// src/http/auth-manager.ts
+var DefaultAuthManager;
+var init_auth_manager = __esm({
+  "src/http/auth-manager.ts"() {
+    "use strict";
+    DefaultAuthManager = class {
+      token;
+      refreshToken;
+      refreshFn;
+      refreshPromise = null;
+      constructor(refreshFn, initialToken) {
+        this.refreshFn = refreshFn;
+        this.token = initialToken;
+      }
+      getAccessToken() {
+        return this.token;
+      }
+      setAccessToken(token) {
+        this.token = token;
+      }
+      getRefreshToken() {
+        return this.refreshToken;
+      }
+      setRefreshToken(token) {
+        this.refreshToken = token;
+      }
+      async onUnauthorized() {
+        if (this.refreshPromise) return this.refreshPromise;
+        this.refreshPromise = this.refreshFn().then((newToken) => {
+          this.token = newToken ?? void 0;
+          return newToken;
+        }).finally(() => {
+          this.refreshPromise = null;
+        });
+        return this.refreshPromise;
+      }
+    };
+  }
+});
+
+// src/http/ksef-feature.ts
+var KSEF_FEATURE_HEADER, UpoVersion, ENFORCE_XADES_COMPLIANCE;
+var init_ksef_feature = __esm({
+  "src/http/ksef-feature.ts"() {
+    "use strict";
+    KSEF_FEATURE_HEADER = "X-KSeF-Feature";
+    UpoVersion = {
+      /** UPO v4-2 format (default before 2026-01-05). */
+      V4_2: "upo-v4-2",
+      /** UPO v4-3 format (default from 2026-01-05, adds InvoicingMode field). */
+      V4_3: "upo-v4-3"
+    };
+    ENFORCE_XADES_COMPLIANCE = "enforce-xades-compliance";
+  }
+});
+
+// src/services/auth.ts
+var AuthService;
+var init_auth = __esm({
+  "src/services/auth.ts"() {
+    "use strict";
+    init_ksef_feature();
+    init_rest_request();
+    init_routes();
+    AuthService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async getChallenge() {
+        const request = RestRequest.post(Routes.Authorization.challenge);
+        const response = await this.restClient.execute(request);
+        return response.body;
+      }
+      async submitXadesAuthRequest(signedXml, verifyCertificateChain = false, enforceXadesCompliance = false) {
+        const request = RestRequest.post(Routes.Authorization.xadesSignature).body(signedXml).header("Content-Type", "application/xml").query("verifyCertificateChain", String(verifyCertificateChain));
+        if (enforceXadesCompliance) {
+          request.header(KSEF_FEATURE_HEADER, ENFORCE_XADES_COMPLIANCE);
+        }
+        const response = await this.restClient.execute(request);
+        return response.body;
+      }
+      async submitKsefTokenAuthRequest(payload) {
+        const request = RestRequest.post(Routes.Authorization.ksefToken).body(payload);
+        const response = await this.restClient.execute(request);
+        return response.body;
+      }
+      async getAuthStatus(referenceNumber, authToken) {
+        const request = RestRequest.get(Routes.Authorization.status(referenceNumber)).accessToken(authToken);
+        const response = await this.restClient.execute(request);
+        return response.body;
+      }
+      async getAccessToken(authToken) {
+        const request = RestRequest.post(Routes.Authorization.Token.redeem).accessToken(authToken);
+        const response = await this.restClient.execute(request);
+        return response.body;
+      }
+      async refreshAccessToken(refreshToken) {
+        const request = RestRequest.post(Routes.Authorization.Token.refresh).accessToken(refreshToken).skipAuthRetry();
+        const response = await this.restClient.execute(request);
+        return response.body;
+      }
+    };
+  }
+});
+
+// src/services/active-sessions.ts
+var ActiveSessionsService;
+var init_active_sessions = __esm({
+  "src/services/active-sessions.ts"() {
+    "use strict";
+    init_rest_request();
+    init_routes();
+    ActiveSessionsService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async getActiveSessions(pageSize, continuationToken) {
+        const request = RestRequest.get(Routes.ActiveSessions.session);
+        if (pageSize !== void 0) request.query("pageSize", String(pageSize));
+        if (continuationToken !== void 0) request.header("x-continuation-token", continuationToken);
+        const response = await this.restClient.execute(request);
+        return response.body;
+      }
+      async revokeCurrentSession() {
+        const request = RestRequest.delete(Routes.ActiveSessions.currentSession);
+        await this.restClient.executeVoid(request);
+      }
+      async revokeSession(sessionRef) {
+        const request = RestRequest.delete(Routes.ActiveSessions.delete(sessionRef));
+        await this.restClient.executeVoid(request);
+      }
+    };
+  }
+});
+
+// src/services/online-session.ts
+var OnlineSessionService;
+var init_online_session = __esm({
+  "src/services/online-session.ts"() {
+    "use strict";
+    init_ksef_feature();
+    init_rest_request();
+    init_routes();
+    OnlineSessionService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async openSession(request, upoVersion) {
+        const req = RestRequest.post(Routes.Sessions.Online.open).body(request);
+        if (upoVersion) {
+          req.header(KSEF_FEATURE_HEADER, upoVersion);
+        }
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async sendInvoice(sessionRef, request) {
+        const req = RestRequest.post(Routes.Sessions.Online.invoices(sessionRef)).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async closeSession(sessionRef) {
+        const req = RestRequest.post(Routes.Sessions.Online.close(sessionRef));
+        await this.restClient.executeVoid(req);
+      }
+    };
+  }
+});
+
+// src/services/batch-session.ts
+var BatchSessionService;
+var init_batch_session = __esm({
+  "src/services/batch-session.ts"() {
+    "use strict";
+    init_ksef_feature();
+    init_rest_request();
+    init_routes();
+    BatchSessionService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async openSession(request, upoVersion) {
+        const req = RestRequest.post(Routes.Sessions.Batch.open).body(request);
+        if (upoVersion) {
+          req.header(KSEF_FEATURE_HEADER, upoVersion);
+        }
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async sendParts(openResponse, parts) {
+        const uploadRequests = openResponse.partUploadRequests;
+        const tasks = parts.map(async (part) => {
+          const uploadReq = uploadRequests.find(
+            (r) => r.ordinalNumber === part.ordinalNumber
+          );
+          if (!uploadReq) {
+            throw new Error(`No upload request found for part ${part.ordinalNumber}`);
+          }
+          const headers = {};
+          for (const [k, v] of Object.entries(uploadReq.headers)) {
+            if (v != null) headers[k] = v;
+          }
+          await fetch(uploadReq.url, {
+            method: uploadReq.method,
+            headers,
+            body: part.data
+          });
+        });
+        await Promise.all(tasks);
+      }
+      async closeSession(batchRef) {
+        const req = RestRequest.post(Routes.Sessions.Batch.close(batchRef));
+        await this.restClient.executeVoid(req);
+      }
+    };
+  }
+});
+
+// src/services/session-status.ts
+var SessionStatusService;
+var init_session_status = __esm({
+  "src/services/session-status.ts"() {
+    "use strict";
+    init_rest_request();
+    init_routes();
+    SessionStatusService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async getSessions(type, pageSize, continuationToken, filter) {
+        const req = RestRequest.get(Routes.Sessions.root);
+        req.query("sessionType", type);
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        if (continuationToken !== void 0) req.header("x-continuation-token", continuationToken);
+        if (filter) {
+          if (filter.referenceNumber) req.query("referenceNumber", filter.referenceNumber);
+          if (filter.dateCreatedFrom) req.query("dateCreatedFrom", filter.dateCreatedFrom);
+          if (filter.dateCreatedTo) req.query("dateCreatedTo", filter.dateCreatedTo);
+          if (filter.dateClosedFrom) req.query("dateClosedFrom", filter.dateClosedFrom);
+          if (filter.dateClosedTo) req.query("dateClosedTo", filter.dateClosedTo);
+          if (filter.dateModifiedFrom) req.query("dateModifiedFrom", filter.dateModifiedFrom);
+          if (filter.dateModifiedTo) req.query("dateModifiedTo", filter.dateModifiedTo);
+          if (filter.statuses) {
+            for (const status of filter.statuses) {
+              req.query("statuses", status);
+            }
+          }
+        }
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getSessionStatus(sessionRef) {
+        const req = RestRequest.get(Routes.Sessions.byReference(sessionRef));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getSessionInvoices(sessionRef, pageSize, continuationToken) {
+        const req = RestRequest.get(Routes.Sessions.invoices(sessionRef));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        if (continuationToken !== void 0) req.header("x-continuation-token", continuationToken);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getSessionInvoice(sessionRef, invoiceRef) {
+        const req = RestRequest.get(Routes.Sessions.invoice(sessionRef, invoiceRef));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getSessionFailedInvoices(sessionRef, pageSize, continuationToken) {
+        const req = RestRequest.get(Routes.Sessions.failedInvoices(sessionRef));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        if (continuationToken !== void 0) req.header("x-continuation-token", continuationToken);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getInvoiceUpoByKsefNumber(sessionRef, ksefNumber) {
+        const req = RestRequest.get(Routes.Sessions.upoByKsefNumber(sessionRef, ksefNumber));
+        const response = await this.restClient.executeRaw(req);
+        return {
+          upo: new TextDecoder().decode(response.body),
+          hash: response.headers.get("x-ms-meta-hash") ?? void 0
+        };
+      }
+      async getInvoiceUpoByReference(sessionRef, invoiceRef) {
+        const req = RestRequest.get(Routes.Sessions.upoByInvoiceReference(sessionRef, invoiceRef));
+        const response = await this.restClient.executeRaw(req);
+        return {
+          upo: new TextDecoder().decode(response.body),
+          hash: response.headers.get("x-ms-meta-hash") ?? void 0
+        };
+      }
+      async getSessionUpo(sessionRef, upoRef) {
+        const req = RestRequest.get(Routes.Sessions.upo(sessionRef, upoRef));
+        const response = await this.restClient.executeRaw(req);
+        return {
+          upo: new TextDecoder().decode(response.body),
+          hash: response.headers.get("x-ms-meta-hash") ?? void 0
+        };
+      }
+    };
+  }
+});
+
+// src/services/invoice-download.ts
+var InvoiceDownloadService;
+var init_invoice_download = __esm({
+  "src/services/invoice-download.ts"() {
+    "use strict";
+    init_rest_request();
+    init_routes();
+    InvoiceDownloadService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async getInvoice(ksefNumber) {
+        const req = RestRequest.get(Routes.Invoices.byKsefNumber(ksefNumber));
+        const response = await this.restClient.executeRaw(req);
+        return new TextDecoder().decode(response.body);
+      }
+      async queryInvoiceMetadata(filters, pageOffset, pageSize, sortOrder) {
+        const req = RestRequest.post(Routes.Invoices.queryMetadata).body(filters);
+        if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        if (sortOrder !== void 0) req.query("sortOrder", sortOrder);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async exportInvoices(request) {
+        const req = RestRequest.post(Routes.Invoices.exports).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getInvoiceExportStatus(ref) {
+        const req = RestRequest.get(Routes.Invoices.exportByReference(ref));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+    };
+  }
+});
+
+// src/services/permissions.ts
+var PermissionsService;
+var init_permissions = __esm({
+  "src/services/permissions.ts"() {
+    "use strict";
+    init_rest_request();
+    init_routes();
+    PermissionsService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      // Grant methods
+      async grantPersonPermissions(request) {
+        const req = RestRequest.post(Routes.Permissions.Grants.persons).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async grantEntityPermissions(request) {
+        const req = RestRequest.post(Routes.Permissions.Grants.entities).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async grantAuthorizationPermissions(request) {
+        const req = RestRequest.post(Routes.Permissions.Grants.authorizations).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async grantIndirectPermissions(request) {
+        const req = RestRequest.post(Routes.Permissions.Grants.indirect).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async grantSubunitPermissions(request) {
+        const req = RestRequest.post(Routes.Permissions.Grants.subunits).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async grantEuEntityAdminPermissions(request) {
+        const req = RestRequest.post(Routes.Permissions.Grants.euEntities).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      /** @deprecated Use grantEuEntityAdminPermissions instead */
+      async grantEuEntityPermissions(request) {
+        return this.grantEuEntityAdminPermissions(request);
+      }
+      async grantEuEntityRepresentativePermissions(request) {
+        const req = RestRequest.post(Routes.Permissions.Grants.euEntitiesRepresentatives).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      // Revoke methods
+      async revokeCommonGrant(grantId) {
+        const req = RestRequest.delete(Routes.Permissions.Common.grantById(grantId));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async revokeAuthorizationGrant(grantId) {
+        const req = RestRequest.delete(Routes.Permissions.Authorizations.grantById(grantId));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      // Search methods
+      async queryPersonalGrants(options, pageOffset, pageSize) {
+        const req = RestRequest.post(Routes.Permissions.Query.personalGrants).body(options ?? {});
+        if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async queryPersonsGrants(options, pageOffset, pageSize) {
+        const req = RestRequest.post(Routes.Permissions.Query.personsGrants).body(options);
+        if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async querySubunitsGrants(options, pageOffset, pageSize) {
+        const req = RestRequest.post(Routes.Permissions.Query.subunitsGrants).body(options ?? {});
+        if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async queryEntitiesRoles(options) {
+        const req = RestRequest.get(Routes.Permissions.Query.entitiesRoles);
+        if (options?.pageOffset !== void 0) req.query("pageOffset", String(options.pageOffset));
+        if (options?.pageSize !== void 0) req.query("pageSize", String(options.pageSize));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async queryEntitiesGrants(options, pageOffset, pageSize) {
+        const req = RestRequest.post(Routes.Permissions.Query.entitiesGrants).body(options ?? {});
+        if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async querySubordinateEntitiesRoles(options, pageOffset, pageSize) {
+        const req = RestRequest.post(Routes.Permissions.Query.subordinateEntitiesRoles).body(options ?? {});
+        if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async queryAuthorizationsGrants(options, pageOffset, pageSize) {
+        const req = RestRequest.post(Routes.Permissions.Query.authorizationsGrants).body(options);
+        if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async queryEuEntitiesGrants(options, pageOffset, pageSize) {
+        const req = RestRequest.post(Routes.Permissions.Query.euEntitiesGrants).body(options ?? {});
+        if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      // Operation status methods
+      async getOperationStatus(ref) {
+        const req = RestRequest.get(Routes.Permissions.Operations.byReference(ref));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getAttachmentStatus() {
+        const req = RestRequest.get(Routes.Permissions.Attachments.status);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+    };
+  }
+});
+
+// src/services/tokens.ts
+var TokenService;
+var init_tokens = __esm({
+  "src/services/tokens.ts"() {
+    "use strict";
+    init_rest_request();
+    init_routes();
+    TokenService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async generateToken(request) {
+        const req = RestRequest.post(Routes.Tokens.root).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async queryTokens(options) {
+        const req = RestRequest.get(Routes.Tokens.root);
+        if (options?.continuationToken !== void 0) req.header("x-continuation-token", options.continuationToken);
+        if (options?.pageSize !== void 0) req.query("pageSize", String(options.pageSize));
+        if (options?.status) {
+          for (const s of options.status) {
+            req.query("status", s);
+          }
+        }
+        if (options?.description !== void 0) req.query("description", options.description);
+        if (options?.authorIdentifier !== void 0) req.query("authorIdentifier", options.authorIdentifier);
+        if (options?.authorIdentifierType !== void 0) req.query("authorIdentifierType", options.authorIdentifierType);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getToken(ref) {
+        const req = RestRequest.get(Routes.Tokens.byReference(ref));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async revokeToken(ref) {
+        const req = RestRequest.delete(Routes.Tokens.byReference(ref));
+        await this.restClient.executeVoid(req);
+      }
+    };
+  }
+});
+
+// src/services/certificates.ts
+var CertificateApiService;
+var init_certificates = __esm({
+  "src/services/certificates.ts"() {
+    "use strict";
+    init_rest_request();
+    init_routes();
+    CertificateApiService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async getLimits() {
+        const req = RestRequest.get(Routes.Certificates.limits);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getEnrollmentData() {
+        const req = RestRequest.get(Routes.Certificates.enrollmentData);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async enroll(request) {
+        const req = RestRequest.post(Routes.Certificates.enrollments).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getEnrollmentStatus(ref) {
+        const req = RestRequest.get(Routes.Certificates.enrollmentStatus(ref));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async retrieve(request) {
+        const req = RestRequest.post(Routes.Certificates.retrieve).body(request);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async revoke(serialNumber, request) {
+        const req = RestRequest.post(Routes.Certificates.revoke(serialNumber)).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      async query(request, pageSize, pageOffset) {
+        const req = RestRequest.post(Routes.Certificates.query).body(request);
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+    };
+  }
+});
+
+// src/services/lighthouse.ts
+var LighthouseService;
+var init_lighthouse = __esm({
+  "src/services/lighthouse.ts"() {
+    "use strict";
+    init_errors();
+    LighthouseService = class {
+      lighthouseUrl;
+      timeout;
+      constructor(options) {
+        this.lighthouseUrl = options.lighthouseUrl;
+        this.timeout = options.timeout;
+      }
+      async fetchJson(path) {
+        if (!this.lighthouseUrl) {
+          throw new KSeFError(
+            "Lighthouse API is not available for the DEMO environment. Use TEST or PROD instead."
+          );
+        }
+        const response = await fetch(`${this.lighthouseUrl}${path}`, {
+          headers: { Accept: "application/json" },
+          signal: AbortSignal.timeout(this.timeout)
+        });
+        if (!response.ok) {
+          const body = await response.text();
+          throw new KSeFError(
+            `Lighthouse ${path} failed: HTTP ${response.status} \u2014 ${body}`
+          );
+        }
+        return await response.json();
+      }
+      async getStatus() {
+        return this.fetchJson("/status");
+      }
+      async getMessages() {
+        const data = await this.fetchJson("/messages");
+        return data.messages ?? [];
+      }
+    };
+  }
+});
+
+// src/services/limits.ts
+var LimitsService;
+var init_limits = __esm({
+  "src/services/limits.ts"() {
+    "use strict";
+    init_rest_request();
+    init_routes();
+    LimitsService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async getContextLimits() {
+        const req = RestRequest.get(Routes.Limits.currentContext);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getSubjectLimits() {
+        const req = RestRequest.get(Routes.Limits.currentSubject);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+      async getRateLimits() {
+        const req = RestRequest.get(Routes.Limits.rateLimits);
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+    };
+  }
+});
+
+// src/services/peppol.ts
+var PeppolService;
+var init_peppol = __esm({
+  "src/services/peppol.ts"() {
+    "use strict";
+    init_rest_request();
+    init_routes();
+    PeppolService = class {
+      restClient;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async queryProviders(pageOffset, pageSize) {
+        const req = RestRequest.get(Routes.Peppol.query);
+        if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
+        if (pageSize !== void 0) req.query("pageSize", String(pageSize));
+        const response = await this.restClient.execute(req);
+        return response.body;
+      }
+    };
+  }
+});
+
+// src/services/test-data.ts
+var TestDataService;
+var init_test_data = __esm({
+  "src/services/test-data.ts"() {
+    "use strict";
+    init_rest_request();
+    init_routes();
+    init_ksef_error();
+    TestDataService = class {
+      restClient;
+      environmentName;
+      constructor(restClient, environmentName) {
+        this.restClient = restClient;
+        this.environmentName = environmentName;
+      }
+      ensureTestEnvironment() {
+        if (this.environmentName && this.environmentName !== "TEST") {
+          throw new KSeFError(
+            `Test data APIs are only available on the TEST environment (current: ${this.environmentName})`
+          );
+        }
+      }
+      // Subject management
+      async createSubject(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.createSubject).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      async removeSubject(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.removeSubject).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      // Person management
+      async createPerson(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.createPerson).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      async removePerson(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.removePerson).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      // Permissions
+      async grantPermissions(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.grantPerms).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      async revokePermissions(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.revokePerms).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      // Attachment permissions
+      async enableAttachment(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.enableAttach).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      async disableAttachment(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.disableAttach).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      // Session limits
+      async changeSessionLimits(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.changeSessionLimitsInCurrentContext).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      async restoreDefaultSessionLimits() {
+        this.ensureTestEnvironment();
+        const req = RestRequest.delete(Routes.TestData.restoreDefaultSessionLimitsInCurrentContext);
+        await this.restClient.executeVoid(req);
+      }
+      // Certificate limits
+      async changeCertificatesLimit(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.changeCertificatesLimitInCurrentSubject).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      async restoreDefaultCertificatesLimit() {
+        this.ensureTestEnvironment();
+        const req = RestRequest.delete(Routes.TestData.restoreDefaultCertificatesLimitInCurrentSubject);
+        await this.restClient.executeVoid(req);
+      }
+      // Rate limits
+      async setRateLimits(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.rateLimits).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      async restoreDefaultRateLimits() {
+        this.ensureTestEnvironment();
+        const req = RestRequest.delete(Routes.TestData.rateLimits);
+        await this.restClient.executeVoid(req);
+      }
+      async setProductionRateLimits() {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.productionRateLimits);
+        await this.restClient.executeVoid(req);
+      }
+      // Context blocking
+      async blockContext(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.blockContext).body(request);
+        await this.restClient.executeVoid(req);
+      }
+      async unblockContext(request) {
+        this.ensureTestEnvironment();
+        const req = RestRequest.post(Routes.TestData.unblockContext).body(request);
+        await this.restClient.executeVoid(req);
+      }
+    };
+  }
+});
+
+// src/crypto/certificate-fetcher.ts
+var CertificateFetcher;
+var init_certificate_fetcher = __esm({
+  "src/crypto/certificate-fetcher.ts"() {
+    "use strict";
+    init_rest_request();
+    init_routes();
+    CertificateFetcher = class {
+      restClient;
+      symmetricKeyPem;
+      ksefTokenPem;
+      initialized = false;
+      constructor(restClient) {
+        this.restClient = restClient;
+      }
+      async init() {
+        if (this.initialized) return;
+        await this.fetchCertificates();
+      }
+      async refresh() {
+        this.initialized = false;
+        await this.fetchCertificates();
+      }
+      getSymmetricKeyEncryptionPem() {
+        if (!this.symmetricKeyPem) {
+          throw new Error("CertificateFetcher not initialized. Call init() first.");
+        }
+        return this.symmetricKeyPem;
+      }
+      getKsefTokenEncryptionPem() {
+        if (!this.ksefTokenPem) {
+          throw new Error("CertificateFetcher not initialized. Call init() first.");
+        }
+        return this.ksefTokenPem;
+      }
+      async fetchCertificates() {
+        const request = RestRequest.get(Routes.Security.publicKeyCertificates);
+        const response = await this.restClient.execute(request);
+        const certs = response.body;
+        if (!certs || certs.length === 0) {
+          throw new Error("No public key certificates returned from KSeF API.");
+        }
+        const symmetricCert = certs.find((c) => c.usage.includes("SymmetricKeyEncryption"));
+        if (!symmetricCert) {
+          throw new Error("No SymmetricKeyEncryption certificate found.");
+        }
+        this.symmetricKeyPem = this.derBase64ToPem(symmetricCert.certificate);
+        const tokenCerts = certs.filter((c) => c.usage.includes("KsefTokenEncryption")).sort((a, b) => a.validFrom.localeCompare(b.validFrom));
+        const tokenCert = tokenCerts[0];
+        if (!tokenCert) {
+          throw new Error("No KsefTokenEncryption certificate found.");
+        }
+        this.ksefTokenPem = this.derBase64ToPem(tokenCert.certificate);
+        this.initialized = true;
+      }
+      derBase64ToPem(base64Der) {
+        const lines = [];
+        for (let i = 0; i < base64Der.length; i += 64) {
+          lines.push(base64Der.substring(i, i + 64));
+        }
+        return `-----BEGIN CERTIFICATE-----
+${lines.join("\n")}
+-----END CERTIFICATE-----`;
+      }
+    };
+  }
+});
+
+// src/crypto/cryptography-service.ts
+import * as crypto2 from "crypto";
+import * as x509 from "@peculiar/x509";
+function setCryptoProvider() {
+  x509.cryptoProvider.set(crypto2.webcrypto);
+}
+function buildX500Name(fields) {
+  const parts = [];
+  if (fields.commonName) parts.push(`CN=${fields.commonName}`);
+  if (fields.givenName) parts.push(`2.5.4.42=${fields.givenName}`);
+  if (fields.surname) parts.push(`2.5.4.4=${fields.surname}`);
+  if (fields.serialNumber) parts.push(`2.5.4.5=${fields.serialNumber}`);
+  if (fields.organizationName) parts.push(`O=${fields.organizationName}`);
+  if (fields.organizationIdentifier) parts.push(`2.5.4.97=${fields.organizationIdentifier}`);
+  if (fields.uniqueIdentifier) parts.push(`2.5.4.45=${fields.uniqueIdentifier}`);
+  if (fields.countryCode) parts.push(`C=${fields.countryCode}`);
+  return parts.join(", ");
+}
+function pemEncode(der, label) {
+  const base64 = Buffer.from(der).toString("base64");
+  const lines = [];
+  for (let i = 0; i < base64.length; i += 64) {
+    lines.push(base64.substring(i, i + 64));
+  }
+  return `-----BEGIN ${label}-----
+${lines.join("\n")}
+-----END ${label}-----`;
+}
+var CryptographyService;
+var init_cryptography_service = __esm({
+  "src/crypto/cryptography-service.ts"() {
+    "use strict";
+    CryptographyService = class {
+      fetcher;
+      constructor(fetcher) {
+        this.fetcher = fetcher;
+      }
+      /** Initialise the underlying certificate fetcher. */
+      async init() {
+        await this.fetcher.init();
+      }
+      // ---------------------------------------------------------------------------
+      // AES-256-CBC
+      // ---------------------------------------------------------------------------
+      /** Encrypt with AES-256-CBC (PKCS7 padding is automatic in Node). */
+      encryptAES256(content, key, iv) {
+        const cipher = crypto2.createCipheriv("aes-256-cbc", key, iv);
+        return new Uint8Array(Buffer.concat([cipher.update(content), cipher.final()]));
+      }
+      /** Decrypt with AES-256-CBC. */
+      decryptAES256(content, key, iv) {
+        const decipher = crypto2.createDecipheriv("aes-256-cbc", key, iv);
+        return new Uint8Array(Buffer.concat([decipher.update(content), decipher.final()]));
+      }
+      // ---------------------------------------------------------------------------
+      // Encryption data (AES key + IV wrapped with RSA-OAEP)
+      // ---------------------------------------------------------------------------
+      /**
+       * Generate a random AES-256 key and IV, then wrap the key with the
+       * SymmetricKeyEncryption certificate's RSA public key (RSA-OAEP SHA-256).
+       */
+      getEncryptionData() {
+        const key = crypto2.randomBytes(32);
+        const iv = crypto2.randomBytes(16);
+        const certPem = this.fetcher.getSymmetricKeyEncryptionPem();
+        const encryptedKey = crypto2.publicEncrypt(
+          {
+            key: certPem,
+            oaepHash: "sha256",
+            padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
+          },
+          key
+        );
+        const encryptionInfo = {
+          encryptedSymmetricKey: encryptedKey.toString("base64"),
+          initializationVector: iv.toString("base64")
+        };
+        return {
+          cipherKey: new Uint8Array(key),
+          cipherIv: new Uint8Array(iv),
+          encryptionInfo
+        };
+      }
+      // ---------------------------------------------------------------------------
+      // KSeF token encryption
+      // ---------------------------------------------------------------------------
+      /**
+       * Encrypt a KSeF token for session authorisation.
+       *
+       * Token payload: `"<token>|<challengeTimestampMs>"`.
+       *
+       * The algorithm is chosen automatically based on the KsefTokenEncryption
+       * certificate's public key type:
+       *  - **RSA** — RSA-OAEP with SHA-256
+       *  - **EC**  — ECDH key-agreement (P-256) + AES-256-GCM
+       *
+       * The EC variant outputs bytes in the Java-compatible format:
+       * `[ephemeralSPKI | nonce(12) | ciphertext+tag]`.
+       */
+      encryptKsefToken(token, challengeTimestamp) {
+        const timestampMs = new Date(challengeTimestamp).getTime();
+        const plaintext = Buffer.from(`${token}|${timestampMs}`, "utf-8");
+        const certPem = this.fetcher.getKsefTokenEncryptionPem();
+        const cert = new crypto2.X509Certificate(certPem);
+        const publicKey = cert.publicKey;
+        if (publicKey.asymmetricKeyType === "rsa") {
+          return this.encryptRsaOaep(certPem, plaintext);
+        }
+        if (publicKey.asymmetricKeyType === "ec") {
+          return this.encryptEcdhAesGcm(publicKey, plaintext);
+        }
+        throw new Error(`Unsupported key algorithm: ${publicKey.asymmetricKeyType ?? "unknown"}`);
+      }
+      // ---------------------------------------------------------------------------
+      // File metadata
+      // ---------------------------------------------------------------------------
+      /** Compute SHA-256 hash (base64) and byte length. */
+      getFileMetadata(file) {
+        const hash = crypto2.createHash("sha256").update(file).digest("base64");
+        return { hashSHA: hash, fileSize: file.length };
+      }
+      // ---------------------------------------------------------------------------
+      // CSR generation
+      // ---------------------------------------------------------------------------
+      /** Generate an RSA-2048 CSR (PKCS#10, DER) and return it together with the private key PEM. */
+      async generateCsrRsa(fields) {
+        setCryptoProvider();
+        const algorithm = {
+          name: "RSASSA-PKCS1-v1_5",
+          hash: "SHA-256",
+          publicExponent: new Uint8Array([1, 0, 1]),
+          modulusLength: 2048
+        };
+        const keys = await crypto2.webcrypto.subtle.generateKey(
+          algorithm,
+          true,
+          ["sign", "verify"]
+        );
+        const csr = await x509.Pkcs10CertificateRequestGenerator.create({
+          name: buildX500Name(fields),
+          keys,
+          signingAlgorithm: algorithm
+        });
+        const csrDer = new Uint8Array(csr.rawData);
+        const pkcs8 = await crypto2.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+        const privateKeyPem = pemEncode(new Uint8Array(pkcs8), "PRIVATE KEY");
+        return { csrDer, privateKeyPem };
+      }
+      /** Generate an ECDSA P-256 CSR (PKCS#10, DER) and return it together with the private key PEM. */
+      async generateCsrEcdsa(fields) {
+        setCryptoProvider();
+        const algorithm = {
+          name: "ECDSA",
+          namedCurve: "P-256"
+        };
+        const keys = await crypto2.webcrypto.subtle.generateKey(
+          algorithm,
+          true,
+          ["sign", "verify"]
+        );
+        const csr = await x509.Pkcs10CertificateRequestGenerator.create({
+          name: buildX500Name(fields),
+          keys,
+          signingAlgorithm: { name: "ECDSA", hash: "SHA-256" }
+        });
+        const csrDer = new Uint8Array(csr.rawData);
+        const pkcs8 = await crypto2.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+        const privateKeyPem = pemEncode(new Uint8Array(pkcs8), "PRIVATE KEY");
+        return { csrDer, privateKeyPem };
+      }
+      // ---------------------------------------------------------------------------
+      // Key parsing
+      // ---------------------------------------------------------------------------
+      /** Parse a PEM-encoded private key into a Node.js KeyObject. */
+      parsePrivateKey(pem) {
+        return crypto2.createPrivateKey(pem);
+      }
+      // ---------------------------------------------------------------------------
+      // Private helpers
+      // ---------------------------------------------------------------------------
+      /** RSA-OAEP SHA-256 encryption. */
+      encryptRsaOaep(certPem, plaintext) {
+        return new Uint8Array(
+          crypto2.publicEncrypt(
+            {
+              key: certPem,
+              oaepHash: "sha256",
+              padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
+            },
+            plaintext
+          )
+        );
+      }
+      /**
+       * ECDH (P-256) + AES-256-GCM encryption.
+       *
+       * 1. Generate an ephemeral EC key pair on the same curve (P-256).
+       * 2. Derive a shared secret via ECDH with the receiver's public key.
+       * 3. Use the shared secret (32 bytes) as the AES-256-GCM key.
+       * 4. Encrypt with a random 12-byte nonce.
+       * 5. Output: `[ephemeralSPKI | nonce(12) | ciphertext+tag]`
+       *    (Java-compatible — GCM appends the 16-byte tag to the ciphertext).
+       */
+      encryptEcdhAesGcm(receiverPublicKey, plaintext) {
+        const { privateKey: ephPrivKey, publicKey: ephPubKey } = crypto2.generateKeyPairSync("ec", {
+          namedCurve: "prime256v1"
+        });
+        const sharedSecret = crypto2.diffieHellman({
+          privateKey: ephPrivKey,
+          publicKey: receiverPublicKey
+        });
+        const nonce = crypto2.randomBytes(12);
+        const cipher = crypto2.createCipheriv("aes-256-gcm", sharedSecret, nonce);
+        const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        const ephemeralSpki = ephPubKey.export({ type: "spki", format: "der" });
+        return new Uint8Array(Buffer.concat([ephemeralSpki, nonce, ciphertext, tag]));
+      }
+    };
+  }
+});
+
 // node_modules/@xmldom/xmldom/lib/conventions.js
 var require_conventions = __commonJS({
   "node_modules/@xmldom/xmldom/lib/conventions.js"(exports) {
@@ -4572,7 +6517,7 @@ var signature_service_exports = {};
 __export(signature_service_exports, {
   SignatureService: () => SignatureService
 });
-import * as crypto2 from "crypto";
+import * as crypto3 from "crypto";
 import { ExclusiveCanonicalization } from "xml-crypto";
 function extractDerFromPem(pem) {
   const base64 = pem.replace(/-----BEGIN [A-Z\s]+-----/g, "").replace(/-----END [A-Z\s]+-----/g, "").replace(/\s+/g, "");
@@ -4591,7 +6536,7 @@ function canonicalize(elem) {
 function computeRootDigest(doc) {
   const root = doc.documentElement;
   const canonical = canonicalize(root);
-  return crypto2.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
   const parser = new import_xmldom.DOMParser();
@@ -4601,7 +6546,7 @@ function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
     throw new Error("SignedProperties element not found in QualifyingProperties");
   }
   const canonical = canonicalize(signedProps);
-  return crypto2.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest) {
   return [
@@ -4632,12 +6577,12 @@ function computeSignatureValue(canonicalSignedInfo, privateKeyPem, isEc) {
   const data = Buffer.from(canonicalSignedInfo, "utf-8");
   let signature;
   if (isEc) {
-    signature = crypto2.sign("sha256", data, {
+    signature = crypto3.sign("sha256", data, {
       key: privateKeyPem,
       dsaEncoding: "ieee-p1363"
     });
   } else {
-    signature = crypto2.sign("sha256", data, privateKeyPem);
+    signature = crypto3.sign("sha256", data, privateKeyPem);
   }
   return signature.toString("base64");
 }
@@ -4737,11 +6682,11 @@ var init_signature_service = __esm({
         }
         const certDer = extractDerFromPem(certPem);
         const certBase64 = certDer.toString("base64");
-        const certDigest = crypto2.createHash("sha256").update(certDer).digest("base64");
-        const x5093 = new crypto2.X509Certificate(certPem);
+        const certDigest = crypto3.createHash("sha256").update(certDer).digest("base64");
+        const x5093 = new crypto3.X509Certificate(certPem);
         const issuerName = normalizeIssuerDn(x5093.issuer);
         const serialNumber = hexSerialToDecimal(x5093.serialNumber);
-        const privateKey = crypto2.createPrivateKey(privateKeyPem);
+        const privateKey = crypto3.createPrivateKey(privateKeyPem);
         const isEc = privateKey.asymmetricKeyType === "ec";
         const signatureAlgorithm = isEc ? ECDSA_SHA256_SIGNATURE : RSA_SHA256_SIGNATURE;
         const signingTime = new Date(Date.now() + CLOCK_SKEW_BUFFER_MS).toISOString();
@@ -4826,771 +6771,265 @@ var init_pkcs12_loader = __esm({
         if (!cert) {
           throw new Error("PKCS#12 certificate bag is empty.");
         }
-        if (!key) {
-          throw new Error("PKCS#12 key bag is empty.");
-        }
-        const certificatePem = pki.certificateToPem(cert);
-        let privateKeyPem;
-        try {
-          privateKeyPem = pki.privateKeyToPem(key);
-        } catch {
-          throw new Error(
-            "Failed to export private key from PKCS#12 to PEM. This can happen with EC keys. Use separate --cert and --key PEM files instead."
-          );
-        }
-        return { certificatePem, privateKeyPem };
-      }
-    };
-  }
-});
-
-// src/config/environments.ts
-var Environment = {
-  TEST: {
-    apiUrl: "https://api-test.ksef.mf.gov.pl",
-    qrUrl: "https://qr-test.ksef.mf.gov.pl",
-    lighthouseUrl: "https://api-latarnia-test.ksef.mf.gov.pl"
-  },
-  DEMO: {
-    apiUrl: "https://api-demo.ksef.mf.gov.pl",
-    qrUrl: "https://qr-demo.ksef.mf.gov.pl",
-    lighthouseUrl: ""
-  },
-  PROD: {
-    apiUrl: "https://api.ksef.mf.gov.pl",
-    qrUrl: "https://qr.ksef.mf.gov.pl",
-    lighthouseUrl: "https://api-latarnia.ksef.mf.gov.pl"
-  }
-};
-
-// src/config/options.ts
-var DEFAULT_API_VERSION = "v2";
-var DEFAULT_TIMEOUT = 3e4;
-function resolveOptions(options = {}) {
-  const env = options.environment ? Environment[options.environment] : Environment.TEST;
-  return {
-    baseUrl: options.baseUrl ?? env.apiUrl,
-    baseQrUrl: options.baseQrUrl ?? env.qrUrl,
-    lighthouseUrl: options.lighthouseUrl ?? env.lighthouseUrl,
-    apiVersion: options.apiVersion ?? DEFAULT_API_VERSION,
-    timeout: options.timeout ?? DEFAULT_TIMEOUT,
-    customHeaders: options.customHeaders ?? {}
-  };
-}
-
-// src/errors/ksef-error.ts
-var KSeFError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "KSeFError";
-  }
-};
-
-// src/errors/ksef-api-error.ts
-var KSeFApiError = class _KSeFApiError extends KSeFError {
-  statusCode;
-  errorResponse;
-  constructor(message, statusCode, errorResponse) {
-    super(message);
-    this.name = "KSeFApiError";
-    this.statusCode = statusCode;
-    this.errorResponse = errorResponse;
-  }
-  static fromResponse(statusCode, body) {
-    const details = body?.exception?.exceptionDetailList;
-    const message = details?.length ? details.map((d) => d.exceptionDescription ?? "").filter(Boolean).join("; ") || `KSeF API error: HTTP ${statusCode}` : `KSeF API error: HTTP ${statusCode}`;
-    return new _KSeFApiError(message, statusCode, body);
-  }
-};
-
-// src/errors/ksef-rate-limit-error.ts
-var KSeFRateLimitError = class _KSeFRateLimitError extends KSeFApiError {
-  retryAfterSeconds;
-  retryAfterDate;
-  recommendedDelay;
-  constructor(message, statusCode, errorResponse, retryAfterSeconds, retryAfterDate) {
-    super(message, statusCode, errorResponse);
-    this.name = "KSeFRateLimitError";
-    this.retryAfterSeconds = retryAfterSeconds;
-    this.retryAfterDate = retryAfterDate;
-    this.recommendedDelay = retryAfterSeconds ?? 60;
-  }
-  static fromRetryAfterHeader(statusCode, retryAfterHeader, body) {
-    let retryAfterSeconds;
-    let retryAfterDate;
-    if (retryAfterHeader) {
-      const seconds = Number(retryAfterHeader);
-      if (!Number.isNaN(seconds)) {
-        retryAfterSeconds = seconds;
-      } else {
-        const date = new Date(retryAfterHeader);
-        if (!Number.isNaN(date.getTime())) {
-          retryAfterDate = date;
-          retryAfterSeconds = Math.max(0, Math.ceil((date.getTime() - Date.now()) / 1e3));
-        }
-      }
-    }
-    const message = retryAfterSeconds != null ? `Rate limited. Retry after ${retryAfterSeconds}s` : "Rate limited by KSeF API";
-    return new _KSeFRateLimitError(message, statusCode, body, retryAfterSeconds, retryAfterDate);
-  }
-};
-
-// src/errors/ksef-unauthorized-error.ts
-var KSeFUnauthorizedError = class extends KSeFError {
-  statusCode = 401;
-  detail;
-  traceId;
-  instance;
-  constructor(problemDetails) {
-    super(problemDetails.detail || "Unauthorized");
-    this.name = "KSeFUnauthorizedError";
-    this.detail = problemDetails.detail;
-    this.traceId = problemDetails.traceId;
-    this.instance = problemDetails.instance;
-  }
-};
-
-// src/errors/ksef-forbidden-error.ts
-var KSeFForbiddenError = class extends KSeFError {
-  statusCode = 403;
-  detail;
-  reasonCode;
-  instance;
-  security;
-  traceId;
-  constructor(problemDetails) {
-    super(problemDetails.detail || "Forbidden");
-    this.name = "KSeFForbiddenError";
-    this.detail = problemDetails.detail;
-    this.reasonCode = problemDetails.reasonCode;
-    this.instance = problemDetails.instance;
-    this.security = problemDetails.security;
-    this.traceId = problemDetails.traceId;
-  }
-};
-
-// src/errors/ksef-auth-status-error.ts
-var KSeFAuthStatusError = class extends KSeFError {
-  referenceNumber;
-  statusDescription;
-  constructor(message, referenceNumber, statusDescription) {
-    super(message);
-    this.name = "KSeFAuthStatusError";
-    this.referenceNumber = referenceNumber;
-    this.statusDescription = statusDescription;
-  }
-};
-
-// src/errors/ksef-session-expired-error.ts
-var KSeFSessionExpiredError = class extends KSeFError {
-  constructor(message = "KSeF session has expired") {
-    super(message);
-    this.name = "KSeFSessionExpiredError";
-  }
-};
-
-// src/errors/ksef-validation-error.ts
-var KSeFValidationError = class _KSeFValidationError extends KSeFError {
-  details;
-  constructor(message, details = []) {
-    super(message);
-    this.name = "KSeFValidationError";
-    this.details = details;
-  }
-  static fromField(field, message) {
-    return new _KSeFValidationError(message, [{ field, message }]);
-  }
-  static fromMessages(messages) {
-    const details = messages.map((m) => ({ message: m }));
-    return new _KSeFValidationError(messages.join("; "), details);
-  }
-};
-
-// src/http/route-builder.ts
-var RouteBuilder = class {
-  apiVersion;
-  constructor(apiVersion) {
-    this.apiVersion = apiVersion;
-  }
-  build(endpoint, apiVersion) {
-    const version = apiVersion ?? this.apiVersion;
-    return `/${version}/${endpoint}`;
-  }
-};
-
-// src/http/rest-request.ts
-var RestRequest = class _RestRequest {
-  method;
-  path;
-  _body;
-  _headers = {};
-  _query = [];
-  _presigned = false;
-  _skipAuthRetry = false;
-  constructor(method, path) {
-    this.method = method;
-    this.path = path;
-  }
-  static get(path) {
-    return new _RestRequest("GET", path);
-  }
-  static post(path) {
-    return new _RestRequest("POST", path);
-  }
-  static put(path) {
-    return new _RestRequest("PUT", path);
-  }
-  static delete(path) {
-    return new _RestRequest("DELETE", path);
-  }
-  body(data) {
-    this._body = data;
-    return this;
-  }
-  header(name, value) {
-    this._headers[name] = value;
-    return this;
-  }
-  headers(headers) {
-    Object.assign(this._headers, headers);
-    return this;
-  }
-  accessToken(token) {
-    this._headers["Authorization"] = `Bearer ${token}`;
-    return this;
-  }
-  query(key, value) {
-    this._query.push([key, value]);
-    return this;
-  }
-  presigned(flag = true) {
-    this._presigned = flag;
-    return this;
-  }
-  isPresigned() {
-    return this._presigned;
-  }
-  skipAuthRetry(flag = true) {
-    this._skipAuthRetry = flag;
-    return this;
-  }
-  isSkipAuthRetry() {
-    return this._skipAuthRetry;
-  }
-  getBody() {
-    return this._body;
-  }
-  getHeaders() {
-    return { ...this._headers };
-  }
-  getQuery() {
-    return [...this._query];
-  }
-};
-
-// src/http/rest-client.ts
-import { consola } from "consola";
-
-// src/http/transport.ts
-var defaultTransport = (url, init) => fetch(url, init);
-
-// src/http/retry-policy.ts
-function defaultRetryPolicy() {
-  return {
-    maxRetries: 3,
-    baseDelayMs: 500,
-    maxDelayMs: 3e4,
-    retryableStatusCodes: [429, 500, 502, 503, 504],
-    retryNetworkErrors: true
-  };
-}
-function calculateBackoff(attempt, policy) {
-  const exponential = policy.baseDelayMs * Math.pow(2, attempt);
-  const jitter = Math.random() * policy.baseDelayMs;
-  return Math.min(exponential + jitter, policy.maxDelayMs);
-}
-function parseRetryAfter(header) {
-  if (!header) return null;
-  const seconds = Number(header);
-  if (!Number.isNaN(seconds)) {
-    return seconds * 1e3;
-  }
-  const date = new Date(header);
-  if (!Number.isNaN(date.getTime())) {
-    return Math.max(0, date.getTime() - Date.now());
-  }
-  return null;
-}
-var RETRYABLE_ERROR_CODES = /* @__PURE__ */ new Set([
-  "ECONNRESET",
-  "ECONNREFUSED",
-  "ETIMEDOUT",
-  "UND_ERR_CONNECT_TIMEOUT"
-]);
-function isRetryableError(error, policy) {
-  if (!policy.retryNetworkErrors) return false;
-  if (!(error instanceof Error)) return false;
-  if (error.name === "AbortError") return true;
-  const code = error.code;
-  if (code && RETRYABLE_ERROR_CODES.has(code)) return true;
-  return false;
-}
-function isRetryableStatus(status, policy) {
-  return policy.retryableStatusCodes.includes(status);
-}
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-
-// src/http/presigned-url-policy.ts
-function defaultPresignedUrlPolicy() {
-  return {
-    allowedHosts: ["*.ksef.mf.gov.pl"],
-    requireHttps: true,
-    blockRedirectParams: true,
-    rejectPrivateIps: true
-  };
-}
-function validatePresignedUrl(url, policy) {
-  const parsed = new URL(url);
-  if (policy.requireHttps && parsed.protocol !== "https:") {
-    throw new KSeFValidationError(`Presigned URL must use HTTPS: ${url}`);
-  }
-  if (!matchesAllowedHost(parsed.hostname, policy.allowedHosts)) {
-    throw new KSeFValidationError(
-      `Presigned URL host '${parsed.hostname}' is not in the allowed hosts list`
-    );
-  }
-  if (policy.blockRedirectParams) {
-    checkRedirectParams(parsed, url);
-  }
-  if (policy.rejectPrivateIps) {
-    checkPrivateIp(parsed.hostname, url);
-  }
-}
-function matchesAllowedHost(hostname, allowedHosts) {
-  for (const pattern of allowedHosts) {
-    if (pattern.startsWith("*.")) {
-      const suffix = pattern.slice(1);
-      if (hostname.endsWith(suffix) && hostname.length > suffix.length) {
-        return true;
-      }
-    } else if (hostname === pattern) {
-      return true;
-    }
-  }
-  return false;
-}
-var BLOCKED_PARAMS = ["redirect", "callback", "return_url", "next"];
-function checkRedirectParams(parsed, originalUrl) {
-  for (const [key] of parsed.searchParams) {
-    if (BLOCKED_PARAMS.includes(key.toLowerCase())) {
-      throw new KSeFValidationError(
-        `Presigned URL contains blocked redirect parameter '${key}': ${originalUrl}`
-      );
-    }
-  }
-}
-function checkPrivateIp(hostname, originalUrl) {
-  const host = hostname.startsWith("[") ? hostname.slice(1, -1) : hostname;
-  if (isPrivateIPv4(host) || isPrivateIPv6(host)) {
-    throw new KSeFValidationError(
-      `Presigned URL resolves to a private/reserved IP address '${hostname}': ${originalUrl}`
-    );
-  }
-}
-function isPrivateIPv4(ip) {
-  const parts = ip.split(".");
-  if (parts.length !== 4) return false;
-  const nums = parts.map(Number);
-  if (nums.some((n) => Number.isNaN(n))) return false;
-  const a = nums[0];
-  const b = nums[1];
-  if (a === 127) return true;
-  if (a === 10) return true;
-  if (a === 172 && b >= 16 && b <= 31) return true;
-  if (a === 192 && b === 168) return true;
-  if (a === 169 && b === 254) return true;
-  return false;
-}
-function isPrivateIPv6(ip) {
-  const lower = ip.toLowerCase();
-  if (lower === "::1") return true;
-  if (lower.startsWith("fc") || lower.startsWith("fd")) return true;
-  if (lower.startsWith("fe8") || lower.startsWith("fe9") || lower.startsWith("fea") || lower.startsWith("feb")) return true;
-  return false;
-}
-
-// src/http/rest-client.ts
-var RestClient = class {
-  options;
-  routeBuilder;
-  transport;
-  retryPolicy;
-  rateLimitPolicy;
-  authManager;
-  presignedUrlPolicy;
-  constructor(options, config) {
-    this.options = options;
-    this.routeBuilder = new RouteBuilder(options.apiVersion);
-    this.transport = config?.transport ?? defaultTransport;
-    this.retryPolicy = config?.retryPolicy ?? defaultRetryPolicy();
-    this.rateLimitPolicy = config?.rateLimitPolicy ?? null;
-    this.authManager = config?.authManager;
-    this.presignedUrlPolicy = config?.presignedUrlPolicy;
-  }
-  async execute(request) {
-    const response = await this.sendRequest(request);
-    await this.ensureSuccess(response);
-    const body = await response.json();
-    return { body, headers: response.headers, statusCode: response.status };
-  }
-  async executeVoid(request) {
-    const response = await this.sendRequest(request);
-    await this.ensureSuccess(response);
-  }
-  async executeRaw(request) {
-    const response = await this.sendRequest(request);
-    await this.ensureSuccess(response);
-    const body = await response.arrayBuffer();
-    return { body, headers: response.headers, statusCode: response.status };
-  }
-  async sendRequest(request) {
-    const url = this.buildUrl(request);
-    if (request.isPresigned() && this.presignedUrlPolicy) {
-      validatePresignedUrl(url, this.presignedUrlPolicy);
-    }
-    if (this.rateLimitPolicy) {
-      await this.rateLimitPolicy.acquire(request.path);
-    }
-    let lastError;
-    for (let attempt = 0; attempt <= this.retryPolicy.maxRetries; attempt++) {
-      try {
-        const response = await this.doRequest(request, url);
-        if (response.status === 401 && this.authManager && attempt === 0 && !request.isSkipAuthRetry()) {
-          const newToken = await this.authManager.onUnauthorized();
-          if (newToken) {
-            consola.debug("Auth token refreshed, retrying request");
-            return this.doRequest(request, url, newToken);
-          }
-        }
-        if (isRetryableStatus(response.status, this.retryPolicy) && attempt < this.retryPolicy.maxRetries) {
-          const is429 = response.status === 429;
-          const retryAfterMs = is429 ? parseRetryAfter(response.headers.get("Retry-After")) : null;
-          const delayMs = retryAfterMs ?? calculateBackoff(attempt, this.retryPolicy);
-          consola.debug(`Retryable ${response.status}, attempt ${attempt + 1}/${this.retryPolicy.maxRetries}, waiting ${Math.round(delayMs)}ms`);
-          await sleep(delayMs);
-          if (is429 && this.rateLimitPolicy) {
-            await this.rateLimitPolicy.acquire(request.path);
-          }
-          continue;
+        if (!key) {
+          throw new Error("PKCS#12 key bag is empty.");
         }
-        return response;
-      } catch (error) {
-        lastError = error;
-        if (isRetryableError(error, this.retryPolicy) && attempt < this.retryPolicy.maxRetries) {
-          const delayMs = calculateBackoff(attempt, this.retryPolicy);
-          consola.debug(`Network error, attempt ${attempt + 1}/${this.retryPolicy.maxRetries}, waiting ${Math.round(delayMs)}ms`);
-          await sleep(delayMs);
-          continue;
+        const certificatePem = pki.certificateToPem(cert);
+        let privateKeyPem;
+        try {
+          privateKeyPem = pki.privateKeyToPem(key);
+        } catch {
+          throw new Error(
+            "Failed to export private key from PKCS#12 to PEM. This can happen with EC keys. Use separate --cert and --key PEM files instead."
+          );
         }
-        throw error;
+        return { certificatePem, privateKeyPem };
       }
-    }
-    throw lastError;
-  }
-  async doRequest(request, url, overrideToken) {
-    const headers = {
-      ...this.options.customHeaders,
-      ...request.getHeaders()
     };
-    if (!headers["Authorization"] && this.authManager) {
-      const token = overrideToken ?? this.authManager.getAccessToken();
-      if (token) {
-        headers["Authorization"] = `Bearer ${token}`;
-      }
-    }
-    const rawBody = request.getBody();
-    if (rawBody !== void 0 && !headers["Content-Type"]) {
-      headers["Content-Type"] = "application/json";
-    }
-    let body;
-    if (rawBody !== void 0) {
-      body = typeof rawBody === "string" ? rawBody : JSON.stringify(rawBody);
-    }
-    const start = performance.now();
-    const response = await this.transport(url, {
-      method: request.method,
-      headers,
-      body,
-      signal: AbortSignal.timeout(this.options.timeout)
-    });
-    const elapsed = Math.round(performance.now() - start);
-    consola.debug(`${request.method} ${url} \u2192 ${response.status} (${elapsed}ms)`);
-    return response;
-  }
-  buildUrl(request) {
-    const path = this.routeBuilder.build(request.path);
-    const base = this.options.baseUrl;
-    const url = new URL(`${base}${path}`);
-    const query = request.getQuery();
-    for (const [key, value] of query) {
-      url.searchParams.append(key, value);
-    }
-    return url.toString();
   }
-  async ensureSuccess(response) {
-    if (response.ok) return;
-    const text = await response.text().catch(() => "");
-    const parseJson = () => {
-      try {
-        return JSON.parse(text);
-      } catch {
-        return void 0;
+});
+
+// src/qr/verification-link-service.ts
+import crypto5 from "crypto";
+var VerificationLinkService;
+var init_verification_link_service = __esm({
+  "src/qr/verification-link-service.ts"() {
+    "use strict";
+    VerificationLinkService = class {
+      constructor(baseQrUrl) {
+        this.baseQrUrl = baseQrUrl;
       }
-    };
-    if (response.status === 429) {
-      const parsed = parseJson();
-      throw KSeFRateLimitError.fromRetryAfterHeader(
-        response.status,
-        response.headers.get("Retry-After"),
-        parsed
-      );
-    }
-    if (response.status === 401) {
-      const body = parseJson();
-      if (body?.detail) {
-        throw new KSeFUnauthorizedError(body);
+      /**
+       * Build invoice verification URL (Code I).
+       * Format: {baseQrUrl}/invoice/{NIP}/{DD-MM-YYYY}/{hash_base64url}
+       */
+      buildInvoiceVerificationUrl(nip, issueDate, invoiceHashBase64) {
+        const date = typeof issueDate === "string" ? new Date(issueDate) : issueDate;
+        const dd = String(date.getUTCDate()).padStart(2, "0");
+        const mm = String(date.getUTCMonth() + 1).padStart(2, "0");
+        const yyyy = date.getUTCFullYear();
+        const dateStr = `${dd}-${mm}-${yyyy}`;
+        const hashBase64Url = this.base64ToBase64Url(invoiceHashBase64);
+        return `${this.baseQrUrl}/invoice/${nip}/${dateStr}/${hashBase64Url}`;
       }
-    }
-    if (response.status === 403) {
-      const body = parseJson();
-      if (body?.reasonCode) {
-        throw new KSeFForbiddenError(body);
+      /**
+       * Build certificate verification URL (Code II).
+       * Format: {baseQrUrl}/certificate/{contextType}/{contextId}/{sellerNip}/{certSerial}/{hash_base64url}/{signature_base64url}
+       */
+      buildCertificateVerificationUrl(contextType, contextId, sellerNip, certSerial, invoiceHashBase64, privateKeyPem) {
+        const hashBase64Url = this.base64ToBase64Url(invoiceHashBase64);
+        const pathWithoutSignature = `${this.baseQrUrl}/certificate/${contextType}/${contextId}/${sellerNip}/${certSerial}/${hashBase64Url}`;
+        const dataToSign = pathWithoutSignature.replace(/^https?:\/\//, "");
+        const key = crypto5.createPrivateKey(privateKeyPem);
+        let signature;
+        if (key.asymmetricKeyType === "rsa") {
+          signature = crypto5.sign("sha256", Buffer.from(dataToSign), {
+            key,
+            padding: crypto5.constants.RSA_PKCS1_PSS_PADDING,
+            saltLength: 32
+          });
+        } else if (key.asymmetricKeyType === "ec") {
+          signature = crypto5.sign("sha256", Buffer.from(dataToSign), {
+            key,
+            dsaEncoding: "ieee-p1363"
+          });
+        } else {
+          throw new Error(`Unsupported key type: ${key.asymmetricKeyType}`);
+        }
+        const signatureBase64Url = signature.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+        return `${pathWithoutSignature}/${signatureBase64Url}`;
       }
-    }
-    throw KSeFApiError.fromResponse(response.status, parseJson());
-  }
-};
-
-// src/http/routes.ts
-var Routes = {
-  TestData: {
-    createSubject: "testdata/subject",
-    removeSubject: "testdata/subject/remove",
-    createPerson: "testdata/person",
-    removePerson: "testdata/person/remove",
-    grantPerms: "testdata/permissions",
-    revokePerms: "testdata/permissions/revoke",
-    enableAttach: "testdata/attachment",
-    disableAttach: "testdata/attachment/revoke",
-    changeSessionLimitsInCurrentContext: "testdata/limits/context/session",
-    restoreDefaultSessionLimitsInCurrentContext: "testdata/limits/context/session",
-    changeCertificatesLimitInCurrentSubject: "testdata/limits/subject/certificate",
-    restoreDefaultCertificatesLimitInCurrentSubject: "testdata/limits/subject/certificate",
-    rateLimits: "testdata/rate-limits",
-    productionRateLimits: "testdata/rate-limits/production",
-    blockContext: "testdata/context/block",
-    unblockContext: "testdata/context/unblock"
-  },
-  Limits: {
-    currentContext: "limits/context",
-    currentSubject: "limits/subject",
-    rateLimits: "rate-limits"
-  },
-  ActiveSessions: {
-    session: "auth/sessions",
-    delete: (ref) => `auth/sessions/${ref}`,
-    currentSession: "auth/sessions/current"
-  },
-  Authorization: {
-    challenge: "auth/challenge",
-    xadesSignature: "auth/xades-signature",
-    ksefToken: "auth/ksef-token",
-    status: (ref) => `auth/${ref}`,
-    Token: {
-      redeem: "auth/token/redeem",
-      refresh: "auth/token/refresh"
-    }
-  },
-  Sessions: {
-    root: "sessions",
-    byReference: (ref) => `sessions/${ref}`,
-    invoices: (ref) => `sessions/${ref}/invoices`,
-    invoice: (ref, invoiceRef) => `sessions/${ref}/invoices/${invoiceRef}`,
-    failedInvoices: (ref) => `sessions/${ref}/invoices/failed`,
-    upoByKsefNumber: (ref, ksefNumber) => `sessions/${ref}/invoices/ksef/${ksefNumber}/upo`,
-    upoByInvoiceReference: (ref, invoiceRef) => `sessions/${ref}/invoices/${invoiceRef}/upo`,
-    upo: (ref, upoRef) => `sessions/${ref}/upo/${upoRef}`,
-    Online: {
-      open: "sessions/online",
-      invoices: (sessionRef) => `sessions/online/${sessionRef}/invoices`,
-      close: (sessionRef) => `sessions/online/${sessionRef}/close`
-    },
-    Batch: {
-      open: "sessions/batch",
-      close: (batchRef) => `sessions/batch/${batchRef}/close`
-    }
-  },
-  Invoices: {
-    byKsefNumber: (ksefNumber) => `invoices/ksef/${ksefNumber}`,
-    queryMetadata: "invoices/query/metadata",
-    exports: "invoices/exports",
-    exportByReference: (ref) => `invoices/exports/${ref}`
-  },
-  Permissions: {
-    Grants: {
-      persons: "permissions/persons/grants",
-      entities: "permissions/entities/grants",
-      authorizations: "permissions/authorizations/grants",
-      indirect: "permissions/indirect/grants",
-      subunits: "permissions/subunits/grants",
-      euEntities: "permissions/eu-entities/administration/grants",
-      euEntitiesRepresentatives: "permissions/eu-entities/grants"
-    },
-    Common: {
-      grantById: (id) => `permissions/common/grants/${id}`
-    },
-    Authorizations: {
-      grantById: (id) => `permissions/authorizations/grants/${id}`
-    },
-    Query: {
-      personalGrants: "permissions/query/personal/grants",
-      personsGrants: "permissions/query/persons/grants",
-      subunitsGrants: "permissions/query/subunits/grants",
-      entitiesRoles: "permissions/query/entities/roles",
-      entitiesGrants: "permissions/query/entities/grants",
-      subordinateEntitiesRoles: "permissions/query/subordinate-entities/roles",
-      authorizationsGrants: "permissions/query/authorizations/grants",
-      euEntitiesGrants: "permissions/query/eu-entities/grants"
-    },
-    Operations: {
-      byReference: (ref) => `permissions/operations/${ref}`
-    },
-    Attachments: {
-      status: "permissions/attachments/status"
-    }
-  },
-  Certificates: {
-    limits: "certificates/limits",
-    enrollmentData: "certificates/enrollments/data",
-    enrollments: "certificates/enrollments",
-    enrollmentStatus: (ref) => `certificates/enrollments/${ref}`,
-    retrieve: "certificates/retrieve",
-    revoke: (serialNumber) => `certificates/${serialNumber}/revoke`,
-    query: "certificates/query"
-  },
-  Tokens: {
-    root: "tokens",
-    byReference: (ref) => `tokens/${ref}`
-  },
-  Peppol: {
-    query: "peppol/query"
-  },
-  Security: {
-    publicKeyCertificates: "security/public-key-certificates"
-  },
-  Lighthouse: {
-    status: "status",
-    messages: "messages"
+      base64ToBase64Url(base64) {
+        return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+      }
+    };
   }
-};
+});
 
-// src/http/rate-limit-policy.ts
-var TokenBucket = class {
-  tokens;
-  maxTokens;
-  refillRate;
-  // tokens per ms
-  lastRefill;
-  constructor(rps) {
-    this.maxTokens = rps;
-    this.tokens = rps;
-    this.refillRate = rps / 1e3;
-    this.lastRefill = Date.now();
-  }
-  async acquire() {
-    this.refill();
-    if (this.tokens >= 1) {
-      this.tokens -= 1;
-      return;
-    }
-    const waitMs = Math.ceil((1 - this.tokens) / this.refillRate);
-    await new Promise((resolve) => setTimeout(resolve, waitMs));
-    this.refill();
-    this.tokens -= 1;
+// src/client.ts
+var client_exports = {};
+__export(client_exports, {
+  KSeFClient: () => KSeFClient,
+  buildAuthTokenRequestXml: () => buildAuthTokenRequestXml
+});
+function buildAuthTokenRequestXml(challenge, nip, subjectIdentifierType = "certificateSubject") {
+  return [
+    '<?xml version="1.0" encoding="utf-8"?>',
+    `<AuthTokenRequest xmlns="${AUTH_TOKEN_REQUEST_NS}">`,
+    `<Challenge>${xmlEscape(challenge)}</Challenge>`,
+    `<ContextIdentifier>`,
+    `<Nip>${xmlEscape(nip)}</Nip>`,
+    `</ContextIdentifier>`,
+    `<SubjectIdentifierType>${xmlEscape(subjectIdentifierType)}</SubjectIdentifierType>`,
+    `</AuthTokenRequest>`
+  ].join("");
+}
+function xmlEscape(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+function buildRestClientConfig(options, authManager) {
+  const config = { authManager };
+  if (options?.transport) {
+    config.transport = options.transport;
   }
-  refill() {
-    const now = Date.now();
-    const elapsed = now - this.lastRefill;
-    this.tokens = Math.min(this.maxTokens, this.tokens + elapsed * this.refillRate);
-    this.lastRefill = now;
+  if (options?.retry) {
+    config.retryPolicy = { ...defaultRetryPolicy(), ...options.retry };
   }
-};
-var RateLimitPolicy = class {
-  globalBucket;
-  endpointBuckets = /* @__PURE__ */ new Map();
-  endpointLimits;
-  chain = Promise.resolve();
-  constructor(config) {
-    this.globalBucket = new TokenBucket(config.globalRps);
-    this.endpointLimits = config.endpointLimits ?? {};
-  }
-  async acquire(endpoint) {
-    return new Promise((resolve, reject) => {
-      this.chain = this.chain.then(() => this.doAcquire(endpoint)).then(resolve, reject);
+  if (options?.rateLimit === null) {
+    config.rateLimitPolicy = null;
+  } else if (options?.rateLimit) {
+    config.rateLimitPolicy = new RateLimitPolicy({
+      globalRps: options.rateLimit.globalRps ?? 10,
+      endpointLimits: options.rateLimit.endpointLimits
     });
   }
-  async doAcquire(endpoint) {
-    await this.globalBucket.acquire();
-    const limit = this.endpointLimits[endpoint];
-    if (limit !== void 0) {
-      let bucket = this.endpointBuckets.get(endpoint);
-      if (!bucket) {
-        bucket = new TokenBucket(limit);
-        this.endpointBuckets.set(endpoint, bucket);
-      }
-      await bucket.acquire();
-    }
+  if (options?.presignedUrlHosts) {
+    const base = defaultPresignedUrlPolicy();
+    config.presignedUrlPolicy = {
+      ...base,
+      allowedHosts: [...base.allowedHosts, ...options.presignedUrlHosts]
+    };
   }
-};
-function defaultRateLimitPolicy() {
-  return new RateLimitPolicy({ globalRps: 10 });
+  return config;
 }
-
-// src/http/auth-manager.ts
-var DefaultAuthManager = class {
-  token;
-  refreshToken;
-  refreshFn;
-  refreshPromise = null;
-  constructor(refreshFn, initialToken) {
-    this.refreshFn = refreshFn;
-    this.token = initialToken;
-  }
-  getAccessToken() {
-    return this.token;
-  }
-  setAccessToken(token) {
-    this.token = token;
-  }
-  getRefreshToken() {
-    return this.refreshToken;
-  }
-  setRefreshToken(token) {
-    this.refreshToken = token;
-  }
-  async onUnauthorized() {
-    if (this.refreshPromise) return this.refreshPromise;
-    this.refreshPromise = this.refreshFn().then((newToken) => {
-      this.token = newToken ?? void 0;
-      return newToken;
-    }).finally(() => {
-      this.refreshPromise = null;
-    });
-    return this.refreshPromise;
+var KSeFClient, AUTH_TOKEN_REQUEST_NS;
+var init_client = __esm({
+  "src/client.ts"() {
+    "use strict";
+    init_config();
+    init_rest_client();
+    init_retry_policy();
+    init_rate_limit_policy();
+    init_presigned_url_policy();
+    init_auth_manager();
+    init_auth();
+    init_active_sessions();
+    init_online_session();
+    init_batch_session();
+    init_session_status();
+    init_invoice_download();
+    init_permissions();
+    init_tokens();
+    init_certificates();
+    init_lighthouse();
+    init_limits();
+    init_peppol();
+    init_test_data();
+    init_certificate_fetcher();
+    init_cryptography_service();
+    init_verification_link_service();
+    KSeFClient = class {
+      auth;
+      activeSessions;
+      onlineSession;
+      batchSession;
+      sessionStatus;
+      invoices;
+      permissions;
+      tokens;
+      certificates;
+      lighthouse;
+      limits;
+      peppol;
+      testData;
+      crypto;
+      qr;
+      options;
+      authManager;
+      constructor(options) {
+        this.options = resolveOptions(options);
+        const authManager = options?.authManager ?? new DefaultAuthManager(async () => {
+          const rt = this.authManager.getRefreshToken();
+          if (!rt) return null;
+          const res = await this.auth.refreshAccessToken(rt);
+          return res.accessToken.token;
+        });
+        this.authManager = authManager;
+        const restClientConfig = buildRestClientConfig(options, authManager);
+        const restClient = new RestClient(this.options, restClientConfig);
+        const fetcher = new CertificateFetcher(restClient);
+        this.crypto = new CryptographyService(fetcher);
+        this.auth = new AuthService(restClient);
+        this.activeSessions = new ActiveSessionsService(restClient);
+        this.onlineSession = new OnlineSessionService(restClient);
+        this.batchSession = new BatchSessionService(restClient);
+        this.sessionStatus = new SessionStatusService(restClient);
+        this.invoices = new InvoiceDownloadService(restClient);
+        this.permissions = new PermissionsService(restClient);
+        this.tokens = new TokenService(restClient);
+        this.certificates = new CertificateApiService(restClient);
+        this.lighthouse = new LighthouseService(this.options);
+        this.limits = new LimitsService(restClient);
+        this.peppol = new PeppolService(restClient);
+        this.testData = new TestDataService(restClient, this.options.environmentName);
+        this.qr = new VerificationLinkService(this.options.baseQrUrl);
+      }
+      async loginWithToken(token, nip) {
+        const challenge = await this.auth.getChallenge();
+        await this.crypto.init();
+        const encryptedToken = this.crypto.encryptKsefToken(token, challenge.timestamp);
+        const submitResult = await this.auth.submitKsefTokenAuthRequest({
+          challenge: challenge.challenge,
+          contextIdentifier: { type: "Nip", value: nip },
+          encryptedToken: Buffer.from(encryptedToken).toString("base64")
+        });
+        const authToken = submitResult.authenticationToken.token;
+        await this.awaitAuthReady(submitResult.referenceNumber, authToken);
+        const tokens = await this.auth.getAccessToken(authToken);
+        this.authManager.setAccessToken(tokens.accessToken.token);
+        this.authManager.setRefreshToken(tokens.refreshToken.token);
+      }
+      async loginWithCertificate(certPem, keyPem, nip) {
+        const challenge = await this.auth.getChallenge();
+        const authRequestXml = buildAuthTokenRequestXml(challenge.challenge, nip);
+        const { SignatureService: SignatureService2 } = await Promise.resolve().then(() => (init_signature_service(), signature_service_exports));
+        const signedXml = SignatureService2.sign(authRequestXml, certPem, keyPem);
+        const submitResult = await this.auth.submitXadesAuthRequest(signedXml);
+        const authToken = submitResult.authenticationToken.token;
+        await this.awaitAuthReady(submitResult.referenceNumber, authToken);
+        const tokens = await this.auth.getAccessToken(authToken);
+        this.authManager.setAccessToken(tokens.accessToken.token);
+        this.authManager.setRefreshToken(tokens.refreshToken.token);
+      }
+      async loginWithPkcs12(p12, password, nip) {
+        const { Pkcs12Loader: Pkcs12Loader2 } = await Promise.resolve().then(() => (init_pkcs12_loader(), pkcs12_loader_exports));
+        const { certificatePem, privateKeyPem } = Pkcs12Loader2.load(p12, password);
+        await this.loginWithCertificate(certificatePem, privateKeyPem, nip);
+      }
+      async awaitAuthReady(referenceNumber, authToken) {
+        for (let i = 0; i < 30; i++) {
+          const status = await this.auth.getAuthStatus(referenceNumber, authToken);
+          if (status.status.code === 200) return;
+          if (status.status.code !== 100) {
+            throw new Error(`Authentication failed with status ${status.status.code}: ${status.status.description}`);
+          }
+          await new Promise((r) => setTimeout(r, 1e3));
+        }
+      }
+      async logout() {
+        this.authManager.setAccessToken(void 0);
+        this.authManager.setRefreshToken(void 0);
+      }
+    };
+    AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
   }
-};
+});
+
+// src/index.ts
+init_config();
+init_errors();
+
+// src/http/index.ts
+init_route_builder();
+init_rest_request();
+init_rest_client();
+init_routes();
+init_transport();
+init_retry_policy();
+init_rate_limit_policy();
+init_auth_manager();
+init_presigned_url_policy();
+init_ksef_feature();
 
 // src/validation/patterns.ts
 var NIP_PATTERN_CORE = "[1-9]((\\d[1-9])|([1-9]\\d))\\d{7}";
@@ -5602,681 +7041,127 @@ var InternalId = /^[1-9]((\d[1-9])|([1-9]\d))\d{7}-\d{5}$/;
 var PeppolId = /^P[A-Z]{2}[0-9]{6}$/;
 var ReferenceNumber = /^(20[2-9][0-9]|2[1-9][0-9]{2}|[3-9][0-9]{3})(0[1-9]|1[0-2])(0[1-9]|[1-2][0-9]|3[0-1])-([0-9A-Z]{2})-([0-9A-F]{10})-([0-9A-F]{10})-([0-9A-F]{2})$/;
 var KsefNumber = /^([1-9](\d[1-9]|[1-9]\d)\d{7})-(20[2-9][0-9]|2[1-9]\d{2}|[3-9]\d{3})(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])-([0-9A-F]{6})-?([0-9A-F]{6})-([0-9A-F]{2})$/;
-var KsefNumberV35 = /^([1-9]((\d[1-9])|([1-9]\d))\d{7}|M\d{9}|[A-Z]{3}\d{7})-(20[2-9][0-9]|2[1-9][0-9]{2}|[3-9][0-9]{3})(0[1-9]|1[0-2])(0[1-9]|[1-2][0-9]|3[0-1])-([0-9A-F]{6})([0-9A-F]{6})-([0-9A-F]{2})$/;
-var KsefNumberV36 = /^([1-9]((\d[1-9])|([1-9]\d))\d{7}|M\d{9}|[A-Z]{3}\d{7})-(20[2-9][0-9]|2[1-9][0-9]{2}|[3-9][0-9]{3})(0[1-9]|1[0-2])(0[1-9]|[1-2][0-9]|3[0-1])-([0-9A-F]{6})-([0-9A-F]{6})-([0-9A-F]{2})$/;
-var CertificateName = /^[a-zA-Z0-9_\- ąćęłńóśźżĄĆĘŁŃÓŚŹŻ]+$/;
-var Pesel = /^\d{2}(?:0[1-9]|1[0-2]|2[1-9]|3[0-2]|4[1-9]|5[0-2]|6[1-9]|7[0-2]|8[1-9]|9[0-2])\d{7}$/;
-var CertificateFingerprint = /^[0-9A-F]{64}$/;
-var Base64String = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
-var Ip4Address = /^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$/;
-var Ip4Range = /^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}-((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$/;
-var Ip4Mask = /^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}\/(0|[1-9]|1[0-9]|2[0-9]|3[0-2])$/;
-var Sha256Base64 = /^[A-Za-z0-9+/]{43}=$/;
-var NIP_WEIGHTS = [6, 5, 7, 2, 3, 4, 5, 6, 7];
-var PESEL_WEIGHTS = [1, 3, 7, 9, 1, 3, 7, 9, 1, 3];
-function isValidNip(value) {
-  if (!Nip.test(value)) return false;
-  let sum = 0;
-  for (let i = 0; i < 9; i++) {
-    sum += Number(value[i]) * NIP_WEIGHTS[i];
-  }
-  const checksum = sum % 11;
-  return checksum !== 10 && checksum === Number(value[9]);
-}
-function isValidVatUe(value) {
-  return VatUe.test(value);
-}
-function isValidNipVatUe(value) {
-  return NipVatUe.test(value);
-}
-function isValidInternalId(value) {
-  return InternalId.test(value);
-}
-function isValidPeppolId(value) {
-  return PeppolId.test(value);
-}
-function isValidReferenceNumber(value) {
-  return ReferenceNumber.test(value);
-}
-function isValidKsefNumber(value) {
-  return KsefNumber.test(value);
-}
-function isValidPesel(value) {
-  if (!Pesel.test(value)) return false;
-  let sum = 0;
-  for (let i = 0; i < 10; i++) {
-    sum += Number(value[i]) * PESEL_WEIGHTS[i];
-  }
-  const checksum = (10 - sum % 10) % 10;
-  return checksum === Number(value[10]);
-}
-function isValidCertificateName(value) {
-  return CertificateName.test(value);
-}
-function isValidCertificateFingerprint(value) {
-  return CertificateFingerprint.test(value);
-}
-function isValidBase64(value) {
-  return Base64String.test(value);
-}
-function isValidIp4Address(value) {
-  return Ip4Address.test(value);
-}
-function isValidSha256Base64(value) {
-  return Sha256Base64.test(value);
-}
-
-// src/validation/constraints.ts
-var REQUIRED_CHALLENGE_LENGTH = 36;
-var CERTIFICATE_NAME_MIN_LENGTH = 5;
-var CERTIFICATE_NAME_MAX_LENGTH = 100;
-var SUBUNIT_NAME_MIN_LENGTH = 5;
-var SUBUNIT_NAME_MAX_LENGTH = 256;
-var PERMISSION_DESCRIPTION_MIN_LENGTH = 5;
-var PERMISSION_DESCRIPTION_MAX_LENGTH = 256;
-
-// src/services/auth.ts
-var AuthService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async getChallenge() {
-    const request = RestRequest.post(Routes.Authorization.challenge);
-    const response = await this.restClient.execute(request);
-    return response.body;
-  }
-  async submitXadesAuthRequest(signedXml, verifyCertificateChain = false) {
-    const request = RestRequest.post(Routes.Authorization.xadesSignature).body(signedXml).header("Content-Type", "application/xml").query("verifyCertificateChain", String(verifyCertificateChain));
-    const response = await this.restClient.execute(request);
-    return response.body;
-  }
-  async submitKsefTokenAuthRequest(payload) {
-    const request = RestRequest.post(Routes.Authorization.ksefToken).body(payload);
-    const response = await this.restClient.execute(request);
-    return response.body;
-  }
-  async getAuthStatus(referenceNumber, authToken) {
-    const request = RestRequest.get(Routes.Authorization.status(referenceNumber)).accessToken(authToken);
-    const response = await this.restClient.execute(request);
-    return response.body;
-  }
-  async getAccessToken(authToken) {
-    const request = RestRequest.post(Routes.Authorization.Token.redeem).accessToken(authToken);
-    const response = await this.restClient.execute(request);
-    return response.body;
-  }
-  async refreshAccessToken(refreshToken) {
-    const request = RestRequest.post(Routes.Authorization.Token.refresh).accessToken(refreshToken).skipAuthRetry();
-    const response = await this.restClient.execute(request);
-    return response.body;
-  }
-};
-
-// src/services/active-sessions.ts
-var ActiveSessionsService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async getActiveSessions(pageSize, continuationToken) {
-    const request = RestRequest.get(Routes.ActiveSessions.session);
-    if (pageSize !== void 0) request.query("pageSize", String(pageSize));
-    if (continuationToken !== void 0) request.header("x-continuation-token", continuationToken);
-    const response = await this.restClient.execute(request);
-    return response.body;
-  }
-  async revokeCurrentSession() {
-    const request = RestRequest.delete(Routes.ActiveSessions.currentSession);
-    await this.restClient.executeVoid(request);
-  }
-  async revokeSession(sessionRef) {
-    const request = RestRequest.delete(Routes.ActiveSessions.delete(sessionRef));
-    await this.restClient.executeVoid(request);
-  }
-};
-
-// src/services/online-session.ts
-var OnlineSessionService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async openSession(request, upoVersion) {
-    const req = RestRequest.post(Routes.Sessions.Online.open).body(request);
-    if (upoVersion) {
-      req.header("X-KSeF-Feature", upoVersion);
-    }
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async sendInvoice(sessionRef, request) {
-    const req = RestRequest.post(Routes.Sessions.Online.invoices(sessionRef)).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async closeSession(sessionRef) {
-    const req = RestRequest.post(Routes.Sessions.Online.close(sessionRef));
-    await this.restClient.executeVoid(req);
-  }
-};
-
-// src/services/batch-session.ts
-var BatchSessionService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async openSession(request, upoVersion) {
-    const req = RestRequest.post(Routes.Sessions.Batch.open).body(request);
-    if (upoVersion) {
-      req.header("X-KSeF-Feature", upoVersion);
-    }
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async sendParts(openResponse, parts) {
-    const uploadRequests = openResponse.partUploadRequests;
-    const tasks = parts.map(async (part) => {
-      const uploadReq = uploadRequests.find(
-        (r) => r.ordinalNumber === part.ordinalNumber
-      );
-      if (!uploadReq) {
-        throw new Error(`No upload request found for part ${part.ordinalNumber}`);
-      }
-      const headers = {};
-      for (const [k, v] of Object.entries(uploadReq.headers)) {
-        if (v != null) headers[k] = v;
-      }
-      await fetch(uploadReq.url, {
-        method: uploadReq.method,
-        headers,
-        body: part.data
-      });
-    });
-    await Promise.all(tasks);
-  }
-  async closeSession(batchRef) {
-    const req = RestRequest.post(Routes.Sessions.Batch.close(batchRef));
-    await this.restClient.executeVoid(req);
-  }
-};
-
-// src/services/session-status.ts
-var SessionStatusService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async getSessions(type, pageSize, continuationToken, filter) {
-    const req = RestRequest.get(Routes.Sessions.root);
-    req.query("sessionType", type);
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    if (continuationToken !== void 0) req.header("x-continuation-token", continuationToken);
-    if (filter) {
-      if (filter.referenceNumber) req.query("referenceNumber", filter.referenceNumber);
-      if (filter.dateCreatedFrom) req.query("dateCreatedFrom", filter.dateCreatedFrom);
-      if (filter.dateCreatedTo) req.query("dateCreatedTo", filter.dateCreatedTo);
-      if (filter.dateClosedFrom) req.query("dateClosedFrom", filter.dateClosedFrom);
-      if (filter.dateClosedTo) req.query("dateClosedTo", filter.dateClosedTo);
-      if (filter.dateModifiedFrom) req.query("dateModifiedFrom", filter.dateModifiedFrom);
-      if (filter.dateModifiedTo) req.query("dateModifiedTo", filter.dateModifiedTo);
-      if (filter.statuses) {
-        for (const status of filter.statuses) {
-          req.query("statuses", status);
-        }
-      }
-    }
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getSessionStatus(sessionRef) {
-    const req = RestRequest.get(Routes.Sessions.byReference(sessionRef));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getSessionInvoices(sessionRef, pageSize, continuationToken) {
-    const req = RestRequest.get(Routes.Sessions.invoices(sessionRef));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    if (continuationToken !== void 0) req.header("x-continuation-token", continuationToken);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getSessionInvoice(sessionRef, invoiceRef) {
-    const req = RestRequest.get(Routes.Sessions.invoice(sessionRef, invoiceRef));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getSessionFailedInvoices(sessionRef, pageSize, continuationToken) {
-    const req = RestRequest.get(Routes.Sessions.failedInvoices(sessionRef));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    if (continuationToken !== void 0) req.header("x-continuation-token", continuationToken);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getInvoiceUpoByKsefNumber(sessionRef, ksefNumber) {
-    const req = RestRequest.get(Routes.Sessions.upoByKsefNumber(sessionRef, ksefNumber));
-    const response = await this.restClient.executeRaw(req);
-    return {
-      upo: new TextDecoder().decode(response.body),
-      hash: response.headers.get("x-ms-meta-hash") ?? void 0
-    };
-  }
-  async getInvoiceUpoByReference(sessionRef, invoiceRef) {
-    const req = RestRequest.get(Routes.Sessions.upoByInvoiceReference(sessionRef, invoiceRef));
-    const response = await this.restClient.executeRaw(req);
-    return {
-      upo: new TextDecoder().decode(response.body),
-      hash: response.headers.get("x-ms-meta-hash") ?? void 0
-    };
-  }
-  async getSessionUpo(sessionRef, upoRef) {
-    const req = RestRequest.get(Routes.Sessions.upo(sessionRef, upoRef));
-    const response = await this.restClient.executeRaw(req);
-    return {
-      upo: new TextDecoder().decode(response.body),
-      hash: response.headers.get("x-ms-meta-hash") ?? void 0
-    };
-  }
-};
-
-// src/services/invoice-download.ts
-var InvoiceDownloadService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async getInvoice(ksefNumber) {
-    const req = RestRequest.get(Routes.Invoices.byKsefNumber(ksefNumber));
-    const response = await this.restClient.executeRaw(req);
-    return new TextDecoder().decode(response.body);
-  }
-  async queryInvoiceMetadata(filters, pageOffset, pageSize, sortOrder) {
-    const req = RestRequest.post(Routes.Invoices.queryMetadata).body(filters);
-    if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    if (sortOrder !== void 0) req.query("sortOrder", sortOrder);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async exportInvoices(request) {
-    const req = RestRequest.post(Routes.Invoices.exports).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getInvoiceExportStatus(ref) {
-    const req = RestRequest.get(Routes.Invoices.exportByReference(ref));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-};
-
-// src/services/permissions.ts
-var PermissionsService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  // Grant methods
-  async grantPersonPermissions(request) {
-    const req = RestRequest.post(Routes.Permissions.Grants.persons).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async grantEntityPermissions(request) {
-    const req = RestRequest.post(Routes.Permissions.Grants.entities).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async grantAuthorizationPermissions(request) {
-    const req = RestRequest.post(Routes.Permissions.Grants.authorizations).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async grantIndirectPermissions(request) {
-    const req = RestRequest.post(Routes.Permissions.Grants.indirect).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async grantSubunitPermissions(request) {
-    const req = RestRequest.post(Routes.Permissions.Grants.subunits).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async grantEuEntityAdminPermissions(request) {
-    const req = RestRequest.post(Routes.Permissions.Grants.euEntities).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  /** @deprecated Use grantEuEntityAdminPermissions instead */
-  async grantEuEntityPermissions(request) {
-    return this.grantEuEntityAdminPermissions(request);
-  }
-  async grantEuEntityRepresentativePermissions(request) {
-    const req = RestRequest.post(Routes.Permissions.Grants.euEntitiesRepresentatives).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  // Revoke methods
-  async revokeCommonGrant(grantId) {
-    const req = RestRequest.delete(Routes.Permissions.Common.grantById(grantId));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async revokeAuthorizationGrant(grantId) {
-    const req = RestRequest.delete(Routes.Permissions.Authorizations.grantById(grantId));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  // Search methods
-  async queryPersonalGrants(options, pageOffset, pageSize) {
-    const req = RestRequest.post(Routes.Permissions.Query.personalGrants).body(options ?? {});
-    if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async queryPersonsGrants(options, pageOffset, pageSize) {
-    const req = RestRequest.post(Routes.Permissions.Query.personsGrants).body(options);
-    if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async querySubunitsGrants(options, pageOffset, pageSize) {
-    const req = RestRequest.post(Routes.Permissions.Query.subunitsGrants).body(options ?? {});
-    if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async queryEntitiesRoles(options) {
-    const req = RestRequest.get(Routes.Permissions.Query.entitiesRoles);
-    if (options?.pageOffset !== void 0) req.query("pageOffset", String(options.pageOffset));
-    if (options?.pageSize !== void 0) req.query("pageSize", String(options.pageSize));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async queryEntitiesGrants(options, pageOffset, pageSize) {
-    const req = RestRequest.post(Routes.Permissions.Query.entitiesGrants).body(options ?? {});
-    if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async querySubordinateEntitiesRoles(options, pageOffset, pageSize) {
-    const req = RestRequest.post(Routes.Permissions.Query.subordinateEntitiesRoles).body(options ?? {});
-    if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async queryAuthorizationsGrants(options, pageOffset, pageSize) {
-    const req = RestRequest.post(Routes.Permissions.Query.authorizationsGrants).body(options);
-    if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async queryEuEntitiesGrants(options, pageOffset, pageSize) {
-    const req = RestRequest.post(Routes.Permissions.Query.euEntitiesGrants).body(options ?? {});
-    if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  // Operation status methods
-  async getOperationStatus(ref) {
-    const req = RestRequest.get(Routes.Permissions.Operations.byReference(ref));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getAttachmentStatus() {
-    const req = RestRequest.get(Routes.Permissions.Attachments.status);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-};
-
-// src/services/tokens.ts
-var TokenService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async generateToken(request) {
-    const req = RestRequest.post(Routes.Tokens.root).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async queryTokens(options) {
-    const req = RestRequest.get(Routes.Tokens.root);
-    if (options?.continuationToken !== void 0) req.header("x-continuation-token", options.continuationToken);
-    if (options?.pageSize !== void 0) req.query("pageSize", String(options.pageSize));
-    if (options?.status) {
-      for (const s of options.status) {
-        req.query("status", s);
-      }
-    }
-    if (options?.description !== void 0) req.query("description", options.description);
-    if (options?.authorIdentifier !== void 0) req.query("authorIdentifier", options.authorIdentifier);
-    if (options?.authorIdentifierType !== void 0) req.query("authorIdentifierType", options.authorIdentifierType);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getToken(ref) {
-    const req = RestRequest.get(Routes.Tokens.byReference(ref));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async revokeToken(ref) {
-    const req = RestRequest.delete(Routes.Tokens.byReference(ref));
-    await this.restClient.executeVoid(req);
-  }
-};
-
-// src/services/certificates.ts
-var CertificateApiService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async getLimits() {
-    const req = RestRequest.get(Routes.Certificates.limits);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getEnrollmentData() {
-    const req = RestRequest.get(Routes.Certificates.enrollmentData);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async enroll(request) {
-    const req = RestRequest.post(Routes.Certificates.enrollments).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getEnrollmentStatus(ref) {
-    const req = RestRequest.get(Routes.Certificates.enrollmentStatus(ref));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async retrieve(request) {
-    const req = RestRequest.post(Routes.Certificates.retrieve).body(request);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async revoke(serialNumber, request) {
-    const req = RestRequest.post(Routes.Certificates.revoke(serialNumber)).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  async query(request, pageSize, pageOffset) {
-    const req = RestRequest.post(Routes.Certificates.query).body(request);
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-};
-
-// src/services/lighthouse.ts
-var LighthouseService = class {
-  lighthouseUrl;
-  timeout;
-  constructor(options) {
-    this.lighthouseUrl = options.lighthouseUrl;
-    this.timeout = options.timeout;
-  }
-  async fetchJson(path) {
-    if (!this.lighthouseUrl) {
-      throw new KSeFError(
-        "Lighthouse API is not available for the DEMO environment. Use TEST or PROD instead."
-      );
-    }
-    const response = await fetch(`${this.lighthouseUrl}${path}`, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(this.timeout)
-    });
-    if (!response.ok) {
-      const body = await response.text();
-      throw new KSeFError(
-        `Lighthouse ${path} failed: HTTP ${response.status} \u2014 ${body}`
-      );
+var KsefNumberV35 = /^([1-9]((\d[1-9])|([1-9]\d))\d{7}|M\d{9}|[A-Z]{3}\d{7})-(20[2-9][0-9]|2[1-9][0-9]{2}|[3-9][0-9]{3})(0[1-9]|1[0-2])(0[1-9]|[1-2][0-9]|3[0-1])-([0-9A-F]{6})([0-9A-F]{6})-([0-9A-F]{2})$/;
+var KsefNumberV36 = /^([1-9]((\d[1-9])|([1-9]\d))\d{7}|M\d{9}|[A-Z]{3}\d{7})-(20[2-9][0-9]|2[1-9][0-9]{2}|[3-9][0-9]{3})(0[1-9]|1[0-2])(0[1-9]|[1-2][0-9]|3[0-1])-([0-9A-F]{6})-([0-9A-F]{6})-([0-9A-F]{2})$/;
+var CertificateName = /^[a-zA-Z0-9_\- ąćęłńóśźżĄĆĘŁŃÓŚŹŻ]+$/;
+var Pesel = /^\d{2}(?:0[1-9]|1[0-2]|2[1-9]|3[0-2]|4[1-9]|5[0-2]|6[1-9]|7[0-2]|8[1-9]|9[0-2])\d{7}$/;
+var CertificateFingerprint = /^[0-9A-F]{64}$/;
+var Base64String = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
+var Ip4Address = /^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$/;
+var Ip4Range = /^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}-((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$/;
+var Ip4Mask = /^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}\/(0|[1-9]|1[0-9]|2[0-9]|3[0-2])$/;
+var Sha256Base64 = /^[A-Za-z0-9+/]{43}=$/;
+var NIP_WEIGHTS = [6, 5, 7, 2, 3, 4, 5, 6, 7];
+var PESEL_WEIGHTS = [1, 3, 7, 9, 1, 3, 7, 9, 1, 3];
+var CRC8_POLY = 7;
+function computeCrc8Hex(data) {
+  let crc = 0;
+  const bytes = new TextEncoder().encode(data);
+  for (const byte of bytes) {
+    crc ^= byte;
+    for (let i = 0; i < 8; i++) {
+      crc = (crc & 128) !== 0 ? (crc << 1 ^ CRC8_POLY) & 255 : crc << 1 & 255;
     }
-    return await response.json();
   }
-  async getStatus() {
-    return this.fetchJson("/status");
-  }
-  async getMessages() {
-    const data = await this.fetchJson("/messages");
-    return data.messages ?? [];
+  return crc.toString(16).toUpperCase().padStart(2, "0");
+}
+function isValidNip(value) {
+  if (!Nip.test(value)) return false;
+  let sum = 0;
+  for (let i = 0; i < 9; i++) {
+    sum += Number(value[i]) * NIP_WEIGHTS[i];
   }
-};
-
-// src/services/limits.ts
-var LimitsService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async getContextLimits() {
-    const req = RestRequest.get(Routes.Limits.currentContext);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getSubjectLimits() {
-    const req = RestRequest.get(Routes.Limits.currentSubject);
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-  async getRateLimits() {
-    const req = RestRequest.get(Routes.Limits.rateLimits);
-    const response = await this.restClient.execute(req);
-    return response.body;
+  const checksum = sum % 11;
+  return checksum !== 10 && checksum === Number(value[9]);
+}
+function isValidVatUe(value) {
+  return VatUe.test(value);
+}
+function isValidNipVatUe(value) {
+  return NipVatUe.test(value);
+}
+function isValidInternalId(value) {
+  return InternalId.test(value);
+}
+function isValidPeppolId(value) {
+  return PeppolId.test(value);
+}
+function isValidReferenceNumber(value) {
+  return ReferenceNumber.test(value);
+}
+function isValidKsefNumber(value) {
+  if (!KsefNumber.test(value)) return false;
+  let normalized = value;
+  if (value.length === 36) {
+    const parts = value.split("-");
+    if (parts.length === 5) normalized = `${parts[0]}-${parts[1]}-${parts[2]}${parts[3]}-${parts[4]}`;
+    else return false;
+  }
+  if (normalized.length !== 35) return false;
+  return computeCrc8Hex(normalized.slice(0, 32)) === normalized.slice(-2);
+}
+function isValidKsefNumberV35(value) {
+  if (!KsefNumberV35.test(value)) return false;
+  return computeCrc8Hex(value.slice(0, 32)) === value.slice(-2);
+}
+function isValidKsefNumberV36(value) {
+  if (!KsefNumberV36.test(value)) return false;
+  const parts = value.split("-");
+  if (parts.length !== 5) return false;
+  const normalized = `${parts[0]}-${parts[1]}-${parts[2]}${parts[3]}-${parts[4]}`;
+  return computeCrc8Hex(normalized.slice(0, 32)) === normalized.slice(-2);
+}
+function isValidPesel(value) {
+  if (!Pesel.test(value)) return false;
+  let sum = 0;
+  for (let i = 0; i < 10; i++) {
+    sum += Number(value[i]) * PESEL_WEIGHTS[i];
   }
-};
+  const checksum = (10 - sum % 10) % 10;
+  return checksum === Number(value[10]);
+}
+function isValidCertificateName(value) {
+  return CertificateName.test(value);
+}
+function isValidCertificateFingerprint(value) {
+  return CertificateFingerprint.test(value);
+}
+function isValidBase64(value) {
+  return Base64String.test(value);
+}
+function isValidIp4Address(value) {
+  return Ip4Address.test(value);
+}
+function isValidSha256Base64(value) {
+  return Sha256Base64.test(value);
+}
 
-// src/services/peppol.ts
-var PeppolService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async queryProviders(pageOffset, pageSize) {
-    const req = RestRequest.get(Routes.Peppol.query);
-    if (pageOffset !== void 0) req.query("pageOffset", String(pageOffset));
-    if (pageSize !== void 0) req.query("pageSize", String(pageSize));
-    const response = await this.restClient.execute(req);
-    return response.body;
-  }
-};
+// src/validation/constraints.ts
+var REQUIRED_CHALLENGE_LENGTH = 36;
+var CERTIFICATE_NAME_MIN_LENGTH = 5;
+var CERTIFICATE_NAME_MAX_LENGTH = 100;
+var SUBUNIT_NAME_MIN_LENGTH = 5;
+var SUBUNIT_NAME_MAX_LENGTH = 256;
+var PERMISSION_DESCRIPTION_MIN_LENGTH = 5;
+var PERMISSION_DESCRIPTION_MAX_LENGTH = 256;
 
-// src/services/test-data.ts
-var TestDataService = class {
-  restClient;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  // Subject management
-  async createSubject(request) {
-    const req = RestRequest.post(Routes.TestData.createSubject).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  async removeSubject(request) {
-    const req = RestRequest.post(Routes.TestData.removeSubject).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  // Person management
-  async createPerson(request) {
-    const req = RestRequest.post(Routes.TestData.createPerson).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  async removePerson(request) {
-    const req = RestRequest.post(Routes.TestData.removePerson).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  // Permissions
-  async grantPermissions(request) {
-    const req = RestRequest.post(Routes.TestData.grantPerms).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  async revokePermissions(request) {
-    const req = RestRequest.post(Routes.TestData.revokePerms).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  // Attachment permissions
-  async enableAttachment(request) {
-    const req = RestRequest.post(Routes.TestData.enableAttach).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  async disableAttachment(request) {
-    const req = RestRequest.post(Routes.TestData.disableAttach).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  // Session limits
-  async changeSessionLimits(request) {
-    const req = RestRequest.post(Routes.TestData.changeSessionLimitsInCurrentContext).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  async restoreDefaultSessionLimits() {
-    const req = RestRequest.delete(Routes.TestData.restoreDefaultSessionLimitsInCurrentContext);
-    await this.restClient.executeVoid(req);
-  }
-  // Certificate limits
-  async changeCertificatesLimit(request) {
-    const req = RestRequest.post(Routes.TestData.changeCertificatesLimitInCurrentSubject).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  async restoreDefaultCertificatesLimit() {
-    const req = RestRequest.delete(Routes.TestData.restoreDefaultCertificatesLimitInCurrentSubject);
-    await this.restClient.executeVoid(req);
-  }
-  // Rate limits
-  async setRateLimits(request) {
-    const req = RestRequest.post(Routes.TestData.rateLimits).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  async restoreDefaultRateLimits() {
-    const req = RestRequest.delete(Routes.TestData.rateLimits);
-    await this.restClient.executeVoid(req);
-  }
-  async setProductionRateLimits() {
-    const req = RestRequest.post(Routes.TestData.productionRateLimits);
-    await this.restClient.executeVoid(req);
-  }
-  // Context blocking
-  async blockContext(request) {
-    const req = RestRequest.post(Routes.TestData.blockContext).body(request);
-    await this.restClient.executeVoid(req);
-  }
-  async unblockContext(request) {
-    const req = RestRequest.post(Routes.TestData.unblockContext).body(request);
-    await this.restClient.executeVoid(req);
-  }
-};
+// src/services/index.ts
+init_auth();
+init_active_sessions();
+init_online_session();
+init_batch_session();
+init_session_status();
+init_invoice_download();
+init_permissions();
+init_tokens();
+init_certificates();
+init_lighthouse();
+init_limits();
+init_peppol();
+init_test_data();
 
 // src/builders/auth-token-request.ts
+init_ksef_validation_error();
 var AuthTokenRequestBuilder = class {
   challenge;
   contextIdentifier;
@@ -6330,6 +7215,7 @@ var AuthTokenRequestBuilder = class {
 };
 
 // src/builders/auth-ksef-token-request.ts
+init_ksef_validation_error();
 var AuthKsefTokenRequestBuilder = class {
   challenge;
   contextIdentifier;
@@ -6383,6 +7269,7 @@ var AuthKsefTokenRequestBuilder = class {
 };
 
 // src/builders/invoice-query-filter.ts
+init_ksef_validation_error();
 var InvoiceQueryFilterBuilder = class {
   subjectType;
   dateRange;
@@ -6479,6 +7366,7 @@ var InvoiceQueryFilterBuilder = class {
 };
 
 // src/builders/permissions/person-permission.ts
+init_ksef_validation_error();
 var PersonPermissionGrantBuilder = class {
   subjectIdentifier;
   permissions = [];
@@ -6527,6 +7415,7 @@ var PersonPermissionGrantBuilder = class {
 };
 
 // src/builders/permissions/entity-permission.ts
+init_ksef_validation_error();
 var EntityPermissionGrantBuilder = class {
   nip;
   permissions = [];
@@ -6575,6 +7464,7 @@ var EntityPermissionGrantBuilder = class {
 };
 
 // src/builders/permissions/authorization-permission.ts
+init_ksef_validation_error();
 var AuthorizationPermissionGrantBuilder = class {
   _subjectIdentifier;
   _permission;
@@ -6618,292 +7508,86 @@ var AuthorizationPermissionGrantBuilder = class {
   }
 };
 
-// src/crypto/certificate-fetcher.ts
-var CertificateFetcher = class {
-  restClient;
-  symmetricKeyPem;
-  ksefTokenPem;
-  initialized = false;
-  constructor(restClient) {
-    this.restClient = restClient;
-  }
-  async init() {
-    if (this.initialized) return;
-    await this.fetchCertificates();
-  }
-  async refresh() {
-    this.initialized = false;
-    await this.fetchCertificates();
-  }
-  getSymmetricKeyEncryptionPem() {
-    if (!this.symmetricKeyPem) {
-      throw new Error("CertificateFetcher not initialized. Call init() first.");
-    }
-    return this.symmetricKeyPem;
-  }
-  getKsefTokenEncryptionPem() {
-    if (!this.ksefTokenPem) {
-      throw new Error("CertificateFetcher not initialized. Call init() first.");
-    }
-    return this.ksefTokenPem;
-  }
-  async fetchCertificates() {
-    const request = RestRequest.get(Routes.Security.publicKeyCertificates);
-    const response = await this.restClient.execute(request);
-    const certs = response.body;
-    if (!certs || certs.length === 0) {
-      throw new Error("No public key certificates returned from KSeF API.");
-    }
-    const symmetricCert = certs.find((c) => c.usage.includes("SymmetricKeyEncryption"));
-    if (!symmetricCert) {
-      throw new Error("No SymmetricKeyEncryption certificate found.");
-    }
-    this.symmetricKeyPem = this.derBase64ToPem(symmetricCert.certificate);
-    const tokenCerts = certs.filter((c) => c.usage.includes("KsefTokenEncryption")).sort((a, b) => a.validFrom.localeCompare(b.validFrom));
-    const tokenCert = tokenCerts[0];
-    if (!tokenCert) {
-      throw new Error("No KsefTokenEncryption certificate found.");
-    }
-    this.ksefTokenPem = this.derBase64ToPem(tokenCert.certificate);
-    this.initialized = true;
-  }
-  derBase64ToPem(base64Der) {
-    const lines = [];
-    for (let i = 0; i < base64Der.length; i += 64) {
-      lines.push(base64Der.substring(i, i + 64));
-    }
-    return `-----BEGIN CERTIFICATE-----
-${lines.join("\n")}
------END CERTIFICATE-----`;
-  }
-};
-
-// src/crypto/cryptography-service.ts
+// src/builders/batch-file.ts
+init_ksef_validation_error();
 import * as crypto from "crypto";
-import * as x509 from "@peculiar/x509";
-var CryptographyService = class {
-  fetcher;
-  constructor(fetcher) {
-    this.fetcher = fetcher;
-  }
-  /** Initialise the underlying certificate fetcher. */
-  async init() {
-    await this.fetcher.init();
-  }
-  // ---------------------------------------------------------------------------
-  // AES-256-CBC
-  // ---------------------------------------------------------------------------
-  /** Encrypt with AES-256-CBC (PKCS7 padding is automatic in Node). */
-  encryptAES256(content, key, iv) {
-    const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
-    return new Uint8Array(Buffer.concat([cipher.update(content), cipher.final()]));
-  }
-  /** Decrypt with AES-256-CBC. */
-  decryptAES256(content, key, iv) {
-    const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
-    return new Uint8Array(Buffer.concat([decipher.update(content), decipher.final()]));
-  }
-  // ---------------------------------------------------------------------------
-  // Encryption data (AES key + IV wrapped with RSA-OAEP)
-  // ---------------------------------------------------------------------------
-  /**
-   * Generate a random AES-256 key and IV, then wrap the key with the
-   * SymmetricKeyEncryption certificate's RSA public key (RSA-OAEP SHA-256).
-   */
-  getEncryptionData() {
-    const key = crypto.randomBytes(32);
-    const iv = crypto.randomBytes(16);
-    const certPem = this.fetcher.getSymmetricKeyEncryptionPem();
-    const encryptedKey = crypto.publicEncrypt(
-      {
-        key: certPem,
-        oaepHash: "sha256",
-        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
-      },
-      key
-    );
-    const encryptionInfo = {
-      encryptedSymmetricKey: encryptedKey.toString("base64"),
-      initializationVector: iv.toString("base64")
-    };
-    return {
-      cipherKey: new Uint8Array(key),
-      cipherIv: new Uint8Array(iv),
-      encryptionInfo
-    };
-  }
-  // ---------------------------------------------------------------------------
-  // KSeF token encryption
-  // ---------------------------------------------------------------------------
+var BATCH_MAX_PART_SIZE = 1e8;
+var BATCH_MAX_TOTAL_SIZE = 5e9;
+var BATCH_MAX_PARTS = 50;
+var BatchFileBuilder = class {
   /**
-   * Encrypt a KSeF token for session authorisation.
-   *
-   * Token payload: `"<token>|<challengeTimestampMs>"`.
-   *
-   * The algorithm is chosen automatically based on the KsefTokenEncryption
-   * certificate's public key type:
-   *  - **RSA** — RSA-OAEP with SHA-256
-   *  - **EC**  — ECDH key-agreement (P-256) + AES-256-GCM
+   * Build batch file metadata and encrypted parts from a raw ZIP.
    *
-   * The EC variant outputs bytes in the Java-compatible format:
-   * `[ephemeralSPKI | nonce(12) | ciphertext+tag]`.
+   * @param zipBytes - Unencrypted ZIP data
+   * @param encryptFn - AES-256-CBC encryption function (called per part)
+   * @param options - Optional configuration
    */
-  encryptKsefToken(token, challengeTimestamp) {
-    const timestampMs = new Date(challengeTimestamp).getTime();
-    const plaintext = Buffer.from(`${token}|${timestampMs}`, "utf-8");
-    const certPem = this.fetcher.getKsefTokenEncryptionPem();
-    const cert = new crypto.X509Certificate(certPem);
-    const publicKey = cert.publicKey;
-    if (publicKey.asymmetricKeyType === "rsa") {
-      return this.encryptRsaOaep(certPem, plaintext);
+  static build(zipBytes, encryptFn, options) {
+    const maxPartSize = options?.maxPartSize ?? BATCH_MAX_PART_SIZE;
+    if (maxPartSize <= 0) {
+      throw new KSeFValidationError("maxPartSize must be a positive number");
     }
-    if (publicKey.asymmetricKeyType === "ec") {
-      return this.encryptEcdhAesGcm(publicKey, plaintext);
+    if (zipBytes.length === 0) {
+      throw new KSeFValidationError("ZIP data must not be empty");
     }
-    throw new Error(`Unsupported key algorithm: ${publicKey.asymmetricKeyType ?? "unknown"}`);
-  }
-  // ---------------------------------------------------------------------------
-  // File metadata
-  // ---------------------------------------------------------------------------
-  /** Compute SHA-256 hash (base64) and byte length. */
-  getFileMetadata(file) {
-    const hash = crypto.createHash("sha256").update(file).digest("base64");
-    return { hashSHA: hash, fileSize: file.length };
-  }
-  // ---------------------------------------------------------------------------
-  // CSR generation
-  // ---------------------------------------------------------------------------
-  /** Generate an RSA-2048 CSR (PKCS#10, DER) and return it together with the private key PEM. */
-  async generateCsrRsa(fields) {
-    setCryptoProvider();
-    const algorithm = {
-      name: "RSASSA-PKCS1-v1_5",
-      hash: "SHA-256",
-      publicExponent: new Uint8Array([1, 0, 1]),
-      modulusLength: 2048
-    };
-    const keys = await crypto.webcrypto.subtle.generateKey(
-      algorithm,
-      true,
-      ["sign", "verify"]
-    );
-    const csr = await x509.Pkcs10CertificateRequestGenerator.create({
-      name: buildX500Name(fields),
-      keys,
-      signingAlgorithm: algorithm
+    if (zipBytes.length > BATCH_MAX_TOTAL_SIZE) {
+      throw new KSeFValidationError(
+        `ZIP size ${zipBytes.length} exceeds maximum of ${BATCH_MAX_TOTAL_SIZE} bytes (5 GB)`
+      );
+    }
+    const rawParts = splitBuffer(zipBytes, maxPartSize);
+    if (rawParts.length > BATCH_MAX_PARTS) {
+      throw new KSeFValidationError(
+        `Data requires ${rawParts.length} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
+      );
+    }
+    const zipHash = sha256Base64(zipBytes);
+    const encryptedParts = [];
+    const fileParts = rawParts.map((raw, i) => {
+      const encrypted = encryptFn(raw);
+      encryptedParts.push(encrypted);
+      return {
+        ordinalNumber: i + 1,
+        fileSize: encrypted.length,
+        fileHash: sha256Base64(encrypted)
+      };
     });
-    const csrDer = new Uint8Array(csr.rawData);
-    const pkcs8 = await crypto.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
-    const privateKeyPem = pemEncode(new Uint8Array(pkcs8), "PRIVATE KEY");
-    return { csrDer, privateKeyPem };
-  }
-  /** Generate an ECDSA P-256 CSR (PKCS#10, DER) and return it together with the private key PEM. */
-  async generateCsrEcdsa(fields) {
-    setCryptoProvider();
-    const algorithm = {
-      name: "ECDSA",
-      namedCurve: "P-256"
+    return {
+      batchFile: {
+        fileSize: zipBytes.length,
+        fileHash: zipHash,
+        fileParts
+      },
+      encryptedParts
     };
-    const keys = await crypto.webcrypto.subtle.generateKey(
-      algorithm,
-      true,
-      ["sign", "verify"]
-    );
-    const csr = await x509.Pkcs10CertificateRequestGenerator.create({
-      name: buildX500Name(fields),
-      keys,
-      signingAlgorithm: { name: "ECDSA", hash: "SHA-256" }
-    });
-    const csrDer = new Uint8Array(csr.rawData);
-    const pkcs8 = await crypto.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
-    const privateKeyPem = pemEncode(new Uint8Array(pkcs8), "PRIVATE KEY");
-    return { csrDer, privateKeyPem };
-  }
-  // ---------------------------------------------------------------------------
-  // Key parsing
-  // ---------------------------------------------------------------------------
-  /** Parse a PEM-encoded private key into a Node.js KeyObject. */
-  parsePrivateKey(pem) {
-    return crypto.createPrivateKey(pem);
-  }
-  // ---------------------------------------------------------------------------
-  // Private helpers
-  // ---------------------------------------------------------------------------
-  /** RSA-OAEP SHA-256 encryption. */
-  encryptRsaOaep(certPem, plaintext) {
-    return new Uint8Array(
-      crypto.publicEncrypt(
-        {
-          key: certPem,
-          oaepHash: "sha256",
-          padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
-        },
-        plaintext
-      )
-    );
-  }
-  /**
-   * ECDH (P-256) + AES-256-GCM encryption.
-   *
-   * 1. Generate an ephemeral EC key pair on the same curve (P-256).
-   * 2. Derive a shared secret via ECDH with the receiver's public key.
-   * 3. Use the shared secret (32 bytes) as the AES-256-GCM key.
-   * 4. Encrypt with a random 12-byte nonce.
-   * 5. Output: `[ephemeralSPKI | nonce(12) | ciphertext+tag]`
-   *    (Java-compatible — GCM appends the 16-byte tag to the ciphertext).
-   */
-  encryptEcdhAesGcm(receiverPublicKey, plaintext) {
-    const { privateKey: ephPrivKey, publicKey: ephPubKey } = crypto.generateKeyPairSync("ec", {
-      namedCurve: "prime256v1"
-    });
-    const sharedSecret = crypto.diffieHellman({
-      privateKey: ephPrivKey,
-      publicKey: receiverPublicKey
-    });
-    const nonce = crypto.randomBytes(12);
-    const cipher = crypto.createCipheriv("aes-256-gcm", sharedSecret, nonce);
-    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-    const tag = cipher.getAuthTag();
-    const ephemeralSpki = ephPubKey.export({ type: "spki", format: "der" });
-    return new Uint8Array(Buffer.concat([ephemeralSpki, nonce, ciphertext, tag]));
   }
 };
-function setCryptoProvider() {
-  x509.cryptoProvider.set(crypto.webcrypto);
-}
-function buildX500Name(fields) {
+function splitBuffer(data, maxPartSize) {
+  if (data.length <= maxPartSize) {
+    return [data];
+  }
   const parts = [];
-  if (fields.commonName) parts.push(`CN=${fields.commonName}`);
-  if (fields.givenName) parts.push(`2.5.4.42=${fields.givenName}`);
-  if (fields.surname) parts.push(`2.5.4.4=${fields.surname}`);
-  if (fields.serialNumber) parts.push(`2.5.4.5=${fields.serialNumber}`);
-  if (fields.organizationName) parts.push(`O=${fields.organizationName}`);
-  if (fields.organizationIdentifier) parts.push(`2.5.4.97=${fields.organizationIdentifier}`);
-  if (fields.uniqueIdentifier) parts.push(`2.5.4.45=${fields.uniqueIdentifier}`);
-  if (fields.countryCode) parts.push(`C=${fields.countryCode}`);
-  return parts.join(", ");
-}
-function pemEncode(der, label) {
-  const base64 = Buffer.from(der).toString("base64");
-  const lines = [];
-  for (let i = 0; i < base64.length; i += 64) {
-    lines.push(base64.substring(i, i + 64));
+  for (let offset = 0; offset < data.length; offset += maxPartSize) {
+    parts.push(data.subarray(offset, Math.min(offset + maxPartSize, data.length)));
   }
-  return `-----BEGIN ${label}-----
-${lines.join("\n")}
------END ${label}-----`;
+  return parts;
+}
+function sha256Base64(data) {
+  return crypto.createHash("sha256").update(data).digest("base64");
 }
 
 // src/crypto/index.ts
+init_certificate_fetcher();
+init_cryptography_service();
 init_signature_service();
 
 // src/crypto/certificate-service.ts
-import * as crypto3 from "crypto";
+import * as crypto4 from "crypto";
 import * as x5092 from "@peculiar/x509";
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
     const der = extractDerFromPem2(certPem);
-    return crypto3.createHash("sha256").update(der).digest("hex").toUpperCase();
+    return crypto4.createHash("sha256").update(der).digest("hex").toUpperCase();
   }
   static async generatePersonalCertificate(givenName, surname, serialNumber, commonName, method = "RSA") {
     const nameParts = [];
@@ -6926,7 +7610,7 @@ var CertificateService = class {
   }
 };
 async function generateSelfSigned(subject, method) {
-  x5092.cryptoProvider.set(crypto3.webcrypto);
+  x5092.cryptoProvider.set(crypto4.webcrypto);
   let algorithm;
   let signingAlgorithm;
   if (method === "ECDSA") {
@@ -6941,7 +7625,7 @@ async function generateSelfSigned(subject, method) {
     };
     signingAlgorithm = algorithm;
   }
-  const keys = await crypto3.webcrypto.subtle.generateKey(
+  const keys = await crypto4.webcrypto.subtle.generateKey(
     algorithm,
     true,
     ["sign", "verify"]
@@ -6958,9 +7642,9 @@ async function generateSelfSigned(subject, method) {
     serialNumber: Date.now().toString(16)
   });
   const certPem = cert.toString("pem");
-  const pkcs8 = await crypto3.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+  const pkcs8 = await crypto4.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
   const privateKeyPem = pemEncode2(new Uint8Array(pkcs8), "PRIVATE KEY");
-  const fingerprint = crypto3.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
+  const fingerprint = crypto4.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
   return { certificatePem: certPem, privateKeyPem, fingerprint };
 }
 function extractDerFromPem2(pem) {
@@ -6981,56 +7665,8 @@ ${lines.join("\n")}
 // src/crypto/index.ts
 init_pkcs12_loader();
 
-// src/qr/verification-link-service.ts
-import crypto4 from "crypto";
-var VerificationLinkService = class {
-  constructor(baseQrUrl) {
-    this.baseQrUrl = baseQrUrl;
-  }
-  /**
-   * Build invoice verification URL (Code I).
-   * Format: {baseQrUrl}/invoice/{NIP}/{DD-MM-YYYY}/{hash_base64url}
-   */
-  buildInvoiceVerificationUrl(nip, issueDate, invoiceHashBase64) {
-    const date = typeof issueDate === "string" ? new Date(issueDate) : issueDate;
-    const dd = String(date.getUTCDate()).padStart(2, "0");
-    const mm = String(date.getUTCMonth() + 1).padStart(2, "0");
-    const yyyy = date.getUTCFullYear();
-    const dateStr = `${dd}-${mm}-${yyyy}`;
-    const hashBase64Url = this.base64ToBase64Url(invoiceHashBase64);
-    return `${this.baseQrUrl}/invoice/${nip}/${dateStr}/${hashBase64Url}`;
-  }
-  /**
-   * Build certificate verification URL (Code II).
-   * Format: {baseQrUrl}/certificate/{contextType}/{contextId}/{sellerNip}/{certSerial}/{hash_base64url}/{signature_base64url}
-   */
-  buildCertificateVerificationUrl(contextType, contextId, sellerNip, certSerial, invoiceHashBase64, privateKeyPem) {
-    const hashBase64Url = this.base64ToBase64Url(invoiceHashBase64);
-    const pathWithoutSignature = `${this.baseQrUrl}/certificate/${contextType}/${contextId}/${sellerNip}/${certSerial}/${hashBase64Url}`;
-    const dataToSign = pathWithoutSignature.replace(/^https?:\/\//, "");
-    const key = crypto4.createPrivateKey(privateKeyPem);
-    let signature;
-    if (key.asymmetricKeyType === "rsa") {
-      signature = crypto4.sign("sha256", Buffer.from(dataToSign), {
-        key,
-        padding: crypto4.constants.RSA_PKCS1_PSS_PADDING,
-        saltLength: 32
-      });
-    } else if (key.asymmetricKeyType === "ec") {
-      signature = crypto4.sign("sha256", Buffer.from(dataToSign), {
-        key,
-        dsaEncoding: "ieee-p1363"
-      });
-    } else {
-      throw new Error(`Unsupported key type: ${key.asymmetricKeyType}`);
-    }
-    const signatureBase64Url = signature.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-    return `${pathWithoutSignature}/${signatureBase64Url}`;
-  }
-  base64ToBase64Url(base64) {
-    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-  }
-};
+// src/qr/index.ts
+init_verification_link_service();
 
 // src/qr/qrcode-service.ts
 import * as QRCode from "qrcode";
@@ -7091,148 +7727,270 @@ function escapeXml2(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
 }
 
-// src/client.ts
-var KSeFClient = class {
-  auth;
-  activeSessions;
-  onlineSession;
-  batchSession;
-  sessionStatus;
-  invoices;
-  permissions;
-  tokens;
-  certificates;
-  lighthouse;
-  limits;
-  peppol;
-  testData;
-  crypto;
-  qr;
-  options;
-  authManager;
-  constructor(options) {
-    this.options = resolveOptions(options);
-    const authManager = options?.authManager ?? new DefaultAuthManager(async () => {
-      const rt = this.authManager.getRefreshToken();
-      if (!rt) return null;
-      const res = await this.auth.refreshAccessToken(rt);
-      return res.accessToken.token;
-    });
-    this.authManager = authManager;
-    const restClientConfig = buildRestClientConfig(options, authManager);
-    const restClient = new RestClient(this.options, restClientConfig);
-    const fetcher = new CertificateFetcher(restClient);
-    this.crypto = new CryptographyService(fetcher);
-    this.auth = new AuthService(restClient);
-    this.activeSessions = new ActiveSessionsService(restClient);
-    this.onlineSession = new OnlineSessionService(restClient);
-    this.batchSession = new BatchSessionService(restClient);
-    this.sessionStatus = new SessionStatusService(restClient);
-    this.invoices = new InvoiceDownloadService(restClient);
-    this.permissions = new PermissionsService(restClient);
-    this.tokens = new TokenService(restClient);
-    this.certificates = new CertificateApiService(restClient);
-    this.lighthouse = new LighthouseService(this.options);
-    this.limits = new LimitsService(restClient);
-    this.peppol = new PeppolService(restClient);
-    this.testData = new TestDataService(restClient);
-    this.qr = new VerificationLinkService(this.options.baseQrUrl);
-  }
-  async loginWithToken(token, nip) {
-    const challenge = await this.auth.getChallenge();
-    await this.crypto.init();
-    const encryptedToken = this.crypto.encryptKsefToken(token, challenge.timestamp);
-    const submitResult = await this.auth.submitKsefTokenAuthRequest({
-      challenge: challenge.challenge,
-      contextIdentifier: { type: "Nip", value: nip },
-      encryptedToken: Buffer.from(encryptedToken).toString("base64")
-    });
-    const authToken = submitResult.authenticationToken.token;
-    await this.awaitAuthReady(submitResult.referenceNumber, authToken);
-    const tokens = await this.auth.getAccessToken(authToken);
-    this.authManager.setAccessToken(tokens.accessToken.token);
-    this.authManager.setRefreshToken(tokens.refreshToken.token);
-  }
-  async loginWithCertificate(certPem, keyPem, nip) {
-    const challenge = await this.auth.getChallenge();
-    const authRequestXml = buildAuthTokenRequestXml(challenge.challenge, nip);
-    const { SignatureService: SignatureService2 } = await Promise.resolve().then(() => (init_signature_service(), signature_service_exports));
-    const signedXml = SignatureService2.sign(authRequestXml, certPem, keyPem);
-    const submitResult = await this.auth.submitXadesAuthRequest(signedXml);
-    const authToken = submitResult.authenticationToken.token;
-    await this.awaitAuthReady(submitResult.referenceNumber, authToken);
-    const tokens = await this.auth.getAccessToken(authToken);
-    this.authManager.setAccessToken(tokens.accessToken.token);
-    this.authManager.setRefreshToken(tokens.refreshToken.token);
-  }
-  async loginWithPkcs12(p12, password, nip) {
-    const { Pkcs12Loader: Pkcs12Loader2 } = await Promise.resolve().then(() => (init_pkcs12_loader(), pkcs12_loader_exports));
-    const { certificatePem, privateKeyPem } = Pkcs12Loader2.load(p12, password);
-    await this.loginWithCertificate(certificatePem, privateKeyPem, nip);
-  }
-  async awaitAuthReady(referenceNumber, authToken) {
-    for (let i = 0; i < 30; i++) {
-      const status = await this.auth.getAuthStatus(referenceNumber, authToken);
-      if (status.status.code === 200) return;
-      if (status.status.code !== 100) {
-        throw new Error(`Authentication failed with status ${status.status.code}: ${status.status.description}`);
-      }
-      await new Promise((r) => setTimeout(r, 1e3));
+// src/workflows/polling.ts
+async function pollUntil(action, condition, options) {
+  const intervalMs = options?.intervalMs ?? 2e3;
+  const maxAttempts = options?.maxAttempts ?? 60;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    const result = await action();
+    if (condition(result)) return result;
+    options?.onProgress?.(attempt, maxAttempts);
+    if (attempt < maxAttempts) {
+      await new Promise((r) => setTimeout(r, intervalMs));
+    }
+  }
+  throw new Error(
+    `Polling timeout: ${options?.description ?? "condition"} after ${maxAttempts} attempts`
+  );
+}
+
+// src/workflows/online-session-workflow.ts
+var DEFAULT_FORM_CODE = { systemCode: "FA", schemaVersion: "3", value: "FA (3)" };
+async function openOnlineSession(client, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
+  const openResp = await client.onlineSession.openSession(
+    { formCode, encryption: encData.encryptionInfo },
+    options?.upoVersion
+  );
+  const sessionRef = openResp.referenceNumber;
+  return {
+    sessionRef,
+    validUntil: openResp.validUntil,
+    async sendInvoice(invoiceXml) {
+      const data = typeof invoiceXml === "string" ? new TextEncoder().encode(invoiceXml) : invoiceXml;
+      const plainMeta = client.crypto.getFileMetadata(data);
+      const encrypted = client.crypto.encryptAES256(data, encData.cipherKey, encData.cipherIv);
+      const encMeta = client.crypto.getFileMetadata(encrypted);
+      const resp = await client.onlineSession.sendInvoice(sessionRef, {
+        invoiceHash: plainMeta.hashSHA,
+        invoiceSize: plainMeta.fileSize,
+        encryptedInvoiceHash: encMeta.hashSHA,
+        encryptedInvoiceSize: encMeta.fileSize,
+        encryptedInvoiceContent: Buffer.from(encrypted).toString("base64")
+      });
+      return resp.referenceNumber;
+    },
+    async close() {
+      await client.onlineSession.closeSession(sessionRef);
+    },
+    async waitForUpo(pollOpts) {
+      const result = await pollUntil(
+        () => client.sessionStatus.getSessionStatus(sessionRef),
+        (s) => s.status.code === 200 || s.status.code >= 400,
+        { ...pollOpts, description: `UPO for session ${sessionRef}` }
+      );
+      if (result.status.code !== 200) {
+        throw new Error(`Session failed: ${result.status.code} \u2014 ${result.status.description}`);
+      }
+      return {
+        pages: result.upo?.pages ?? [],
+        invoiceCount: result.invoiceCount,
+        successfulInvoiceCount: result.successfulInvoiceCount,
+        failedInvoiceCount: result.failedInvoiceCount
+      };
     }
-  }
-  async logout() {
-    this.authManager.setAccessToken(void 0);
-    this.authManager.setRefreshToken(void 0);
-  }
-};
-var AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
-function buildAuthTokenRequestXml(challenge, nip, subjectIdentifierType = "certificateSubject") {
-  return [
-    '<?xml version="1.0" encoding="utf-8"?>',
-    `<AuthTokenRequest xmlns="${AUTH_TOKEN_REQUEST_NS}">`,
-    `<Challenge>${xmlEscape(challenge)}</Challenge>`,
-    `<ContextIdentifier>`,
-    `<Nip>${xmlEscape(nip)}</Nip>`,
-    `</ContextIdentifier>`,
-    `<SubjectIdentifierType>${xmlEscape(subjectIdentifierType)}</SubjectIdentifierType>`,
-    `</AuthTokenRequest>`
-  ].join("");
+  };
 }
-function xmlEscape(str) {
-  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+async function openSendAndClose(client, invoices, options) {
+  const handle = await openOnlineSession(client, options);
+  for (const inv of invoices) {
+    await handle.sendInvoice(inv);
+  }
+  await handle.close();
+  return handle.waitForUpo(options?.pollOptions);
 }
-function buildRestClientConfig(options, authManager) {
-  const config = { authManager };
-  if (options?.transport) {
-    config.transport = options.transport;
+
+// src/workflows/batch-session-workflow.ts
+var DEFAULT_FORM_CODE2 = { systemCode: "FA", schemaVersion: "3", value: "FA (3)" };
+async function uploadBatch(client, zipData, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const formCode = options?.formCode ?? DEFAULT_FORM_CODE2;
+  const encryptFn = (part) => client.crypto.encryptAES256(part, encData.cipherKey, encData.cipherIv);
+  const { batchFile, encryptedParts } = BatchFileBuilder.build(zipData, encryptFn, {
+    maxPartSize: options?.maxPartSize
+  });
+  const openResp = await client.batchSession.openSession(
+    {
+      formCode,
+      encryption: encData.encryptionInfo,
+      batchFile,
+      offlineMode: options?.offlineMode
+    },
+    options?.upoVersion
+  );
+  const sendingParts = encryptedParts.map((part, i) => ({
+    data: part.buffer.slice(part.byteOffset, part.byteOffset + part.byteLength),
+    metadata: {
+      hashSHA: batchFile.fileParts[i].fileHash,
+      fileSize: batchFile.fileParts[i].fileSize
+    },
+    ordinalNumber: i + 1
+  }));
+  await client.batchSession.sendParts(openResp, sendingParts);
+  await client.batchSession.closeSession(openResp.referenceNumber);
+  const result = await pollUntil(
+    () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
+    (s) => s.status.code === 200 || s.status.code >= 400,
+    { ...options?.pollOptions, description: `UPO for batch ${openResp.referenceNumber}` }
+  );
+  if (result.status.code !== 200) {
+    throw new Error(`Batch session failed: ${result.status.code} \u2014 ${result.status.description}`);
   }
-  if (options?.retry) {
-    config.retryPolicy = { ...defaultRetryPolicy(), ...options.retry };
+  return {
+    sessionRef: openResp.referenceNumber,
+    upo: {
+      pages: result.upo?.pages ?? [],
+      invoiceCount: result.invoiceCount,
+      successfulInvoiceCount: result.successfulInvoiceCount,
+      failedInvoiceCount: result.failedInvoiceCount
+    }
+  };
+}
+
+// src/workflows/invoice-export-workflow.ts
+async function doExport(client, filters, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const opResp = await client.invoices.exportInvoices({
+    encryption: encData.encryptionInfo,
+    filters,
+    onlyMetadata: options?.onlyMetadata
+  });
+  const result = await pollUntil(
+    () => client.invoices.getInvoiceExportStatus(opResp.referenceNumber),
+    (s) => s.status.code === 200 || s.status.code >= 400,
+    { ...options?.pollOptions, description: `export ${opResp.referenceNumber}` }
+  );
+  if (result.status.code !== 200) {
+    throw new Error(`Export failed: ${result.status.code} \u2014 ${result.status.description}`);
   }
-  if (options?.rateLimit === null) {
-    config.rateLimitPolicy = null;
-  } else if (options?.rateLimit) {
-    config.rateLimitPolicy = new RateLimitPolicy({
-      globalRps: options.rateLimit.globalRps ?? 10,
-      endpointLimits: options.rateLimit.endpointLimits
-    });
+  if (!result.package) {
+    throw new Error("Export completed but no package available");
   }
-  if (options?.presignedUrlHosts) {
-    const base = defaultPresignedUrlPolicy();
-    config.presignedUrlPolicy = {
-      ...base,
-      allowedHosts: [...base.allowedHosts, ...options.presignedUrlHosts]
-    };
+  return {
+    encData,
+    result: {
+      parts: result.package.parts.map((p) => ({
+        ordinalNumber: p.ordinalNumber,
+        url: p.url,
+        method: p.method,
+        partSize: p.partSize,
+        encryptedPartSize: p.encryptedPartSize,
+        encryptedPartHash: p.encryptedPartHash,
+        expirationDate: p.expirationDate
+      })),
+      invoiceCount: result.package.invoiceCount,
+      isTruncated: result.package.isTruncated,
+      permanentStorageHwmDate: result.package.permanentStorageHwmDate
+    }
+  };
+}
+async function exportInvoices(client, filters, options) {
+  const { result } = await doExport(client, filters, options);
+  return result;
+}
+async function exportAndDownload(client, filters, options) {
+  const { result: exportResult, encData } = await doExport(client, filters, options);
+  const download = options?.transport ?? fetch;
+  const decryptedParts = [];
+  for (const part of exportResult.parts) {
+    const resp = await download(part.url, { method: part.method });
+    if (!resp.ok) {
+      throw new Error(`Download failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+    }
+    const encryptedData = new Uint8Array(await resp.arrayBuffer());
+    const decrypted = client.crypto.decryptAES256(encryptedData, encData.cipherKey, encData.cipherIv);
+    decryptedParts.push(decrypted);
   }
-  return config;
+  return {
+    ...exportResult,
+    decryptedParts
+  };
+}
+
+// src/workflows/auth-workflow.ts
+async function authenticateWithToken(client, options) {
+  const challenge = await client.auth.getChallenge();
+  await client.crypto.init();
+  const encryptedToken = client.crypto.encryptKsefToken(options.token, challenge.timestamp);
+  const submitResult = await client.auth.submitKsefTokenAuthRequest({
+    challenge: challenge.challenge,
+    contextIdentifier: { type: "Nip", value: options.nip },
+    encryptedToken: Buffer.from(encryptedToken).toString("base64"),
+    authorizationPolicy: options.authorizationPolicy
+  });
+  const authToken = submitResult.authenticationToken.token;
+  await pollUntil(
+    () => client.auth.getAuthStatus(submitResult.referenceNumber, authToken),
+    (s) => s.status.code !== 100,
+    { ...options.pollOptions, description: `auth ${submitResult.referenceNumber}` }
+  );
+  const tokens = await client.auth.getAccessToken(authToken);
+  client.authManager.setAccessToken(tokens.accessToken.token);
+  client.authManager.setRefreshToken(tokens.refreshToken.token);
+  return {
+    accessToken: tokens.accessToken.token,
+    accessTokenValidUntil: tokens.accessToken.validUntil,
+    refreshToken: tokens.refreshToken.token,
+    refreshTokenValidUntil: tokens.refreshToken.validUntil
+  };
 }
+async function authenticateWithCertificate(client, options) {
+  const challenge = await client.auth.getChallenge();
+  const { buildAuthTokenRequestXml: buildAuthTokenRequestXml2 } = await Promise.resolve().then(() => (init_client(), client_exports));
+  const { SignatureService: SignatureService2 } = await Promise.resolve().then(() => (init_signature_service(), signature_service_exports));
+  const authRequestXml = buildAuthTokenRequestXml2(challenge.challenge, options.nip);
+  const signedXml = SignatureService2.sign(authRequestXml, options.certPem, options.keyPem);
+  const submitResult = await client.auth.submitXadesAuthRequest(
+    signedXml,
+    options.verifyCertificateChain ?? false,
+    options.enforceXadesCompliance ?? false
+  );
+  const authToken = submitResult.authenticationToken.token;
+  await pollUntil(
+    () => client.auth.getAuthStatus(submitResult.referenceNumber, authToken),
+    (s) => s.status.code !== 100,
+    { ...options.pollOptions, description: `auth ${submitResult.referenceNumber}` }
+  );
+  const tokens = await client.auth.getAccessToken(authToken);
+  client.authManager.setAccessToken(tokens.accessToken.token);
+  client.authManager.setRefreshToken(tokens.refreshToken.token);
+  return {
+    accessToken: tokens.accessToken.token,
+    accessTokenValidUntil: tokens.accessToken.validUntil,
+    refreshToken: tokens.refreshToken.token,
+    refreshTokenValidUntil: tokens.refreshToken.validUntil
+  };
+}
+async function authenticateWithPkcs12(client, options) {
+  const { Pkcs12Loader: Pkcs12Loader2 } = await Promise.resolve().then(() => (init_pkcs12_loader(), pkcs12_loader_exports));
+  const { certificatePem, privateKeyPem } = Pkcs12Loader2.load(options.p12, options.password);
+  return authenticateWithCertificate(client, {
+    nip: options.nip,
+    certPem: certificatePem,
+    keyPem: privateKeyPem,
+    verifyCertificateChain: options.verifyCertificateChain,
+    enforceXadesCompliance: options.enforceXadesCompliance,
+    pollOptions: options.pollOptions
+  });
+}
+
+// src/index.ts
+init_client();
 export {
   ActiveSessionsService,
   AuthKsefTokenRequestBuilder,
   AuthService,
   AuthTokenRequestBuilder,
   AuthorizationPermissionGrantBuilder,
+  BATCH_MAX_PARTS,
+  BATCH_MAX_PART_SIZE,
+  BATCH_MAX_TOTAL_SIZE,
   Base64String,
+  BatchFileBuilder,
   BatchSessionService,
   CERTIFICATE_NAME_MAX_LENGTH,
   CERTIFICATE_NAME_MIN_LENGTH,
@@ -7243,6 +8001,7 @@ export {
   CertificateService,
   CryptographyService,
   DefaultAuthManager,
+  ENFORCE_XADES_COMPLIANCE,
   EntityPermissionGrantBuilder,
   Environment,
   InternalId,
@@ -7251,6 +8010,7 @@ export {
   Ip4Address,
   Ip4Mask,
   Ip4Range,
+  KSEF_FEATURE_HEADER,
   KSeFApiError,
   KSeFAuthStatusError,
   KSeFClient,
@@ -7291,13 +8051,19 @@ export {
   SignatureService,
   TestDataService,
   TokenService,
+  UpoVersion,
   VatUe,
   VerificationLinkService,
+  authenticateWithCertificate,
+  authenticateWithPkcs12,
+  authenticateWithToken,
   calculateBackoff,
   defaultPresignedUrlPolicy,
   defaultRateLimitPolicy,
   defaultRetryPolicy,
   defaultTransport,
+  exportAndDownload,
+  exportInvoices,
   isRetryableError,
   isRetryableStatus,
   isValidBase64,
@@ -7306,6 +8072,8 @@ export {
   isValidInternalId,
   isValidIp4Address,
   isValidKsefNumber,
+  isValidKsefNumberV35,
+  isValidKsefNumberV36,
   isValidNip,
   isValidNipVatUe,
   isValidPeppolId,
@@ -7313,9 +8081,13 @@ export {
   isValidReferenceNumber,
   isValidSha256Base64,
   isValidVatUe,
+  openOnlineSession,
+  openSendAndClose,
   parseRetryAfter,
+  pollUntil,
   resolveOptions,
   sleep,
+  uploadBatch,
   validatePresignedUrl
 };
 //# sourceMappingURL=index.js.map