ksef-client-ts 0.2.0 → 0.3.0

package/dist/index.cjs

@@ -67,7 +67,8 @@ function resolveOptions(options = {}) {
     lighthouseUrl: options.lighthouseUrl ?? env.lighthouseUrl,
     apiVersion: options.apiVersion ?? DEFAULT_API_VERSION,
     timeout: options.timeout ?? DEFAULT_TIMEOUT,
-    customHeaders: options.customHeaders ?? {}
+    customHeaders: options.customHeaders ?? {},
+    environmentName: options.environment ?? (options.baseUrl ? void 0 : "TEST")
   };
 }
 var DEFAULT_API_VERSION, DEFAULT_TIMEOUT;
@@ -1575,84 +1576,111 @@ var init_test_data = __esm({
     "use strict";
     init_rest_request();
     init_routes();
+    init_ksef_error();
     TestDataService = class {
       restClient;
-      constructor(restClient) {
+      environmentName;
+      constructor(restClient, environmentName) {
         this.restClient = restClient;
+        this.environmentName = environmentName;
+      }
+      ensureTestEnvironment() {
+        if (this.environmentName && this.environmentName !== "TEST") {
+          throw new KSeFError(
+            `Test data APIs are only available on the TEST environment (current: ${this.environmentName})`
+          );
+        }
       }
       // Subject management
       async createSubject(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.createSubject).body(request);
         await this.restClient.executeVoid(req);
       }
       async removeSubject(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.removeSubject).body(request);
         await this.restClient.executeVoid(req);
       }
       // Person management
       async createPerson(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.createPerson).body(request);
         await this.restClient.executeVoid(req);
       }
       async removePerson(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.removePerson).body(request);
         await this.restClient.executeVoid(req);
       }
       // Permissions
       async grantPermissions(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.grantPerms).body(request);
         await this.restClient.executeVoid(req);
       }
       async revokePermissions(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.revokePerms).body(request);
         await this.restClient.executeVoid(req);
       }
       // Attachment permissions
       async enableAttachment(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.enableAttach).body(request);
         await this.restClient.executeVoid(req);
       }
       async disableAttachment(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.disableAttach).body(request);
         await this.restClient.executeVoid(req);
       }
       // Session limits
       async changeSessionLimits(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.changeSessionLimitsInCurrentContext).body(request);
         await this.restClient.executeVoid(req);
       }
       async restoreDefaultSessionLimits() {
+        this.ensureTestEnvironment();
         const req = RestRequest.delete(Routes.TestData.restoreDefaultSessionLimitsInCurrentContext);
         await this.restClient.executeVoid(req);
       }
       // Certificate limits
       async changeCertificatesLimit(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.changeCertificatesLimitInCurrentSubject).body(request);
         await this.restClient.executeVoid(req);
       }
       async restoreDefaultCertificatesLimit() {
+        this.ensureTestEnvironment();
         const req = RestRequest.delete(Routes.TestData.restoreDefaultCertificatesLimitInCurrentSubject);
         await this.restClient.executeVoid(req);
       }
       // Rate limits
       async setRateLimits(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.rateLimits).body(request);
         await this.restClient.executeVoid(req);
       }
       async restoreDefaultRateLimits() {
+        this.ensureTestEnvironment();
         const req = RestRequest.delete(Routes.TestData.rateLimits);
         await this.restClient.executeVoid(req);
       }
       async setProductionRateLimits() {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.productionRateLimits);
         await this.restClient.executeVoid(req);
       }
       // Context blocking
       async blockContext(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.blockContext).body(request);
         await this.restClient.executeVoid(req);
       }
       async unblockContext(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.unblockContext).body(request);
         await this.restClient.executeVoid(req);
       }
@@ -1730,7 +1758,7 @@ ${lines.join("\n")}
 
 // src/crypto/cryptography-service.ts
 function setCryptoProvider() {
-  x509.cryptoProvider.set(crypto.webcrypto);
+  x509.cryptoProvider.set(crypto2.webcrypto);
 }
 function buildX500Name(fields) {
   const parts = [];
@@ -1754,11 +1782,11 @@ function pemEncode(der, label) {
 ${lines.join("\n")}
 -----END ${label}-----`;
 }
-var crypto, x509, CryptographyService;
+var crypto2, x509, CryptographyService;
 var init_cryptography_service = __esm({
   "src/crypto/cryptography-service.ts"() {
     "use strict";
-    crypto = __toESM(require("crypto"), 1);
+    crypto2 = __toESM(require("crypto"), 1);
     x509 = __toESM(require("@peculiar/x509"), 1);
     CryptographyService = class {
       fetcher;
@@ -1774,12 +1802,12 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       /** Encrypt with AES-256-CBC (PKCS7 padding is automatic in Node). */
       encryptAES256(content, key, iv) {
-        const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
+        const cipher = crypto2.createCipheriv("aes-256-cbc", key, iv);
         return new Uint8Array(Buffer.concat([cipher.update(content), cipher.final()]));
       }
       /** Decrypt with AES-256-CBC. */
       decryptAES256(content, key, iv) {
-        const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
+        const decipher = crypto2.createDecipheriv("aes-256-cbc", key, iv);
         return new Uint8Array(Buffer.concat([decipher.update(content), decipher.final()]));
       }
       // ---------------------------------------------------------------------------
@@ -1790,14 +1818,14 @@ var init_cryptography_service = __esm({
        * SymmetricKeyEncryption certificate's RSA public key (RSA-OAEP SHA-256).
        */
       getEncryptionData() {
-        const key = crypto.randomBytes(32);
-        const iv = crypto.randomBytes(16);
+        const key = crypto2.randomBytes(32);
+        const iv = crypto2.randomBytes(16);
         const certPem = this.fetcher.getSymmetricKeyEncryptionPem();
-        const encryptedKey = crypto.publicEncrypt(
+        const encryptedKey = crypto2.publicEncrypt(
           {
             key: certPem,
             oaepHash: "sha256",
-            padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
+            padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
           },
           key
         );
@@ -1831,7 +1859,7 @@ var init_cryptography_service = __esm({
         const timestampMs = new Date(challengeTimestamp).getTime();
         const plaintext = Buffer.from(`${token}|${timestampMs}`, "utf-8");
         const certPem = this.fetcher.getKsefTokenEncryptionPem();
-        const cert = new crypto.X509Certificate(certPem);
+        const cert = new crypto2.X509Certificate(certPem);
         const publicKey = cert.publicKey;
         if (publicKey.asymmetricKeyType === "rsa") {
           return this.encryptRsaOaep(certPem, plaintext);
@@ -1846,7 +1874,7 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       /** Compute SHA-256 hash (base64) and byte length. */
       getFileMetadata(file) {
-        const hash = crypto.createHash("sha256").update(file).digest("base64");
+        const hash = crypto2.createHash("sha256").update(file).digest("base64");
         return { hashSHA: hash, fileSize: file.length };
       }
       // ---------------------------------------------------------------------------
@@ -1861,7 +1889,7 @@ var init_cryptography_service = __esm({
           publicExponent: new Uint8Array([1, 0, 1]),
           modulusLength: 2048
         };
-        const keys = await crypto.webcrypto.subtle.generateKey(
+        const keys = await crypto2.webcrypto.subtle.generateKey(
           algorithm,
           true,
           ["sign", "verify"]
@@ -1872,7 +1900,7 @@ var init_cryptography_service = __esm({
           signingAlgorithm: algorithm
         });
         const csrDer = new Uint8Array(csr.rawData);
-        const pkcs8 = await crypto.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+        const pkcs8 = await crypto2.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
         const privateKeyPem = pemEncode(new Uint8Array(pkcs8), "PRIVATE KEY");
         return { csrDer, privateKeyPem };
       }
@@ -1883,7 +1911,7 @@ var init_cryptography_service = __esm({
           name: "ECDSA",
           namedCurve: "P-256"
         };
-        const keys = await crypto.webcrypto.subtle.generateKey(
+        const keys = await crypto2.webcrypto.subtle.generateKey(
           algorithm,
           true,
           ["sign", "verify"]
@@ -1894,7 +1922,7 @@ var init_cryptography_service = __esm({
           signingAlgorithm: { name: "ECDSA", hash: "SHA-256" }
         });
         const csrDer = new Uint8Array(csr.rawData);
-        const pkcs8 = await crypto.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+        const pkcs8 = await crypto2.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
         const privateKeyPem = pemEncode(new Uint8Array(pkcs8), "PRIVATE KEY");
         return { csrDer, privateKeyPem };
       }
@@ -1903,7 +1931,7 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       /** Parse a PEM-encoded private key into a Node.js KeyObject. */
       parsePrivateKey(pem) {
-        return crypto.createPrivateKey(pem);
+        return crypto2.createPrivateKey(pem);
       }
       // ---------------------------------------------------------------------------
       // Private helpers
@@ -1911,11 +1939,11 @@ var init_cryptography_service = __esm({
       /** RSA-OAEP SHA-256 encryption. */
       encryptRsaOaep(certPem, plaintext) {
         return new Uint8Array(
-          crypto.publicEncrypt(
+          crypto2.publicEncrypt(
             {
               key: certPem,
               oaepHash: "sha256",
-              padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
+              padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
             },
             plaintext
           )
@@ -1932,15 +1960,15 @@ var init_cryptography_service = __esm({
        *    (Java-compatible — GCM appends the 16-byte tag to the ciphertext).
        */
       encryptEcdhAesGcm(receiverPublicKey, plaintext) {
-        const { privateKey: ephPrivKey, publicKey: ephPubKey } = crypto.generateKeyPairSync("ec", {
+        const { privateKey: ephPrivKey, publicKey: ephPubKey } = crypto2.generateKeyPairSync("ec", {
           namedCurve: "prime256v1"
         });
-        const sharedSecret = crypto.diffieHellman({
+        const sharedSecret = crypto2.diffieHellman({
           privateKey: ephPrivKey,
           publicKey: receiverPublicKey
         });
-        const nonce = crypto.randomBytes(12);
-        const cipher = crypto.createCipheriv("aes-256-gcm", sharedSecret, nonce);
+        const nonce = crypto2.randomBytes(12);
+        const cipher = crypto2.createCipheriv("aes-256-gcm", sharedSecret, nonce);
         const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
         const tag = cipher.getAuthTag();
         const ephemeralSpki = ephPubKey.export({ type: "spki", format: "der" });
@@ -6508,7 +6536,7 @@ function canonicalize(elem) {
 function computeRootDigest(doc) {
   const root = doc.documentElement;
   const canonical = canonicalize(root);
-  return crypto2.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
   const parser = new import_xmldom.DOMParser();
@@ -6518,7 +6546,7 @@ function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
     throw new Error("SignedProperties element not found in QualifyingProperties");
   }
   const canonical = canonicalize(signedProps);
-  return crypto2.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest) {
   return [
@@ -6549,12 +6577,12 @@ function computeSignatureValue(canonicalSignedInfo, privateKeyPem, isEc) {
   const data = Buffer.from(canonicalSignedInfo, "utf-8");
   let signature;
   if (isEc) {
-    signature = crypto2.sign("sha256", data, {
+    signature = crypto3.sign("sha256", data, {
       key: privateKeyPem,
       dsaEncoding: "ieee-p1363"
     });
   } else {
-    signature = crypto2.sign("sha256", data, privateKeyPem);
+    signature = crypto3.sign("sha256", data, privateKeyPem);
   }
   return signature.toString("base64");
 }
@@ -6623,11 +6651,11 @@ function wrapBase64(base64) {
   }
   return lines.join("\n");
 }
-var crypto2, import_xml_crypto, import_xmldom, XADES_NS, DS_NS, SIGNED_PROPERTIES_TYPE, SHA256_DIGEST_METHOD, EXC_C14N_ALGORITHM, ENVELOPED_SIGNATURE_TRANSFORM, RSA_SHA256_SIGNATURE, ECDSA_SHA256_SIGNATURE, CLOCK_SKEW_BUFFER_MS, SIGNATURE_ID, SIGNED_PROPERTIES_ID, SignatureService;
+var crypto3, import_xml_crypto, import_xmldom, XADES_NS, DS_NS, SIGNED_PROPERTIES_TYPE, SHA256_DIGEST_METHOD, EXC_C14N_ALGORITHM, ENVELOPED_SIGNATURE_TRANSFORM, RSA_SHA256_SIGNATURE, ECDSA_SHA256_SIGNATURE, CLOCK_SKEW_BUFFER_MS, SIGNATURE_ID, SIGNED_PROPERTIES_ID, SignatureService;
 var init_signature_service = __esm({
   "src/crypto/signature-service.ts"() {
     "use strict";
-    crypto2 = __toESM(require("crypto"), 1);
+    crypto3 = __toESM(require("crypto"), 1);
     import_xml_crypto = require("xml-crypto");
     import_xmldom = __toESM(require_lib(), 1);
     XADES_NS = "http://uri.etsi.org/01903/v1.3.2#";
@@ -6656,11 +6684,11 @@ var init_signature_service = __esm({
         }
         const certDer = extractDerFromPem(certPem);
         const certBase64 = certDer.toString("base64");
-        const certDigest = crypto2.createHash("sha256").update(certDer).digest("base64");
-        const x5093 = new crypto2.X509Certificate(certPem);
+        const certDigest = crypto3.createHash("sha256").update(certDer).digest("base64");
+        const x5093 = new crypto3.X509Certificate(certPem);
         const issuerName = normalizeIssuerDn(x5093.issuer);
         const serialNumber = hexSerialToDecimal(x5093.serialNumber);
-        const privateKey = crypto2.createPrivateKey(privateKeyPem);
+        const privateKey = crypto3.createPrivateKey(privateKeyPem);
         const isEc = privateKey.asymmetricKeyType === "ec";
         const signatureAlgorithm = isEc ? ECDSA_SHA256_SIGNATURE : RSA_SHA256_SIGNATURE;
         const signingTime = new Date(Date.now() + CLOCK_SKEW_BUFFER_MS).toISOString();
@@ -6935,7 +6963,7 @@ var init_client = __esm({
         this.lighthouse = new LighthouseService(this.options);
         this.limits = new LimitsService(restClient);
         this.peppol = new PeppolService(restClient);
-        this.testData = new TestDataService(restClient);
+        this.testData = new TestDataService(restClient, this.options.environmentName);
         this.qr = new VerificationLinkService(this.options.baseQrUrl);
       }
       async loginWithToken(token, nip) {
@@ -6997,7 +7025,11 @@ __export(index_exports, {
   AuthService: () => AuthService,
   AuthTokenRequestBuilder: () => AuthTokenRequestBuilder,
   AuthorizationPermissionGrantBuilder: () => AuthorizationPermissionGrantBuilder,
+  BATCH_MAX_PARTS: () => BATCH_MAX_PARTS,
+  BATCH_MAX_PART_SIZE: () => BATCH_MAX_PART_SIZE,
+  BATCH_MAX_TOTAL_SIZE: () => BATCH_MAX_TOTAL_SIZE,
   Base64String: () => Base64String,
+  BatchFileBuilder: () => BatchFileBuilder,
   BatchSessionService: () => BatchSessionService,
   CERTIFICATE_NAME_MAX_LENGTH: () => CERTIFICATE_NAME_MAX_LENGTH,
   CERTIFICATE_NAME_MIN_LENGTH: () => CERTIFICATE_NAME_MIN_LENGTH,
@@ -7590,18 +7622,86 @@ var AuthorizationPermissionGrantBuilder = class {
   }
 };
 
+// src/builders/batch-file.ts
+var crypto = __toESM(require("crypto"), 1);
+init_ksef_validation_error();
+var BATCH_MAX_PART_SIZE = 1e8;
+var BATCH_MAX_TOTAL_SIZE = 5e9;
+var BATCH_MAX_PARTS = 50;
+var BatchFileBuilder = class {
+  /**
+   * Build batch file metadata and encrypted parts from a raw ZIP.
+   *
+   * @param zipBytes - Unencrypted ZIP data
+   * @param encryptFn - AES-256-CBC encryption function (called per part)
+   * @param options - Optional configuration
+   */
+  static build(zipBytes, encryptFn, options) {
+    const maxPartSize = options?.maxPartSize ?? BATCH_MAX_PART_SIZE;
+    if (maxPartSize <= 0) {
+      throw new KSeFValidationError("maxPartSize must be a positive number");
+    }
+    if (zipBytes.length === 0) {
+      throw new KSeFValidationError("ZIP data must not be empty");
+    }
+    if (zipBytes.length > BATCH_MAX_TOTAL_SIZE) {
+      throw new KSeFValidationError(
+        `ZIP size ${zipBytes.length} exceeds maximum of ${BATCH_MAX_TOTAL_SIZE} bytes (5 GB)`
+      );
+    }
+    const rawParts = splitBuffer(zipBytes, maxPartSize);
+    if (rawParts.length > BATCH_MAX_PARTS) {
+      throw new KSeFValidationError(
+        `Data requires ${rawParts.length} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
+      );
+    }
+    const zipHash = sha256Base64(zipBytes);
+    const encryptedParts = [];
+    const fileParts = rawParts.map((raw, i) => {
+      const encrypted = encryptFn(raw);
+      encryptedParts.push(encrypted);
+      return {
+        ordinalNumber: i + 1,
+        fileSize: encrypted.length,
+        fileHash: sha256Base64(encrypted)
+      };
+    });
+    return {
+      batchFile: {
+        fileSize: zipBytes.length,
+        fileHash: zipHash,
+        fileParts
+      },
+      encryptedParts
+    };
+  }
+};
+function splitBuffer(data, maxPartSize) {
+  if (data.length <= maxPartSize) {
+    return [data];
+  }
+  const parts = [];
+  for (let offset = 0; offset < data.length; offset += maxPartSize) {
+    parts.push(data.subarray(offset, Math.min(offset + maxPartSize, data.length)));
+  }
+  return parts;
+}
+function sha256Base64(data) {
+  return crypto.createHash("sha256").update(data).digest("base64");
+}
+
 // src/crypto/index.ts
 init_certificate_fetcher();
 init_cryptography_service();
 init_signature_service();
 
 // src/crypto/certificate-service.ts
-var crypto3 = __toESM(require("crypto"), 1);
+var crypto4 = __toESM(require("crypto"), 1);
 var x5092 = __toESM(require("@peculiar/x509"), 1);
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
     const der = extractDerFromPem2(certPem);
-    return crypto3.createHash("sha256").update(der).digest("hex").toUpperCase();
+    return crypto4.createHash("sha256").update(der).digest("hex").toUpperCase();
   }
   static async generatePersonalCertificate(givenName, surname, serialNumber, commonName, method = "RSA") {
     const nameParts = [];
@@ -7624,7 +7724,7 @@ var CertificateService = class {
   }
 };
 async function generateSelfSigned(subject, method) {
-  x5092.cryptoProvider.set(crypto3.webcrypto);
+  x5092.cryptoProvider.set(crypto4.webcrypto);
   let algorithm;
   let signingAlgorithm;
   if (method === "ECDSA") {
@@ -7639,7 +7739,7 @@ async function generateSelfSigned(subject, method) {
     };
     signingAlgorithm = algorithm;
   }
-  const keys = await crypto3.webcrypto.subtle.generateKey(
+  const keys = await crypto4.webcrypto.subtle.generateKey(
     algorithm,
     true,
     ["sign", "verify"]
@@ -7656,9 +7756,9 @@ async function generateSelfSigned(subject, method) {
     serialNumber: Date.now().toString(16)
   });
   const certPem = cert.toString("pem");
-  const pkcs8 = await crypto3.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+  const pkcs8 = await crypto4.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
   const privateKeyPem = pemEncode2(new Uint8Array(pkcs8), "PRIVATE KEY");
-  const fingerprint = crypto3.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
+  const fingerprint = crypto4.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
   return { certificatePem: certPem, privateKeyPem, fingerprint };
 }
 function extractDerFromPem2(pem) {
@@ -7792,7 +7892,7 @@ async function openOnlineSession(client, options) {
     async waitForUpo(pollOpts) {
       const result = await pollUntil(
         () => client.sessionStatus.getSessionStatus(sessionRef),
-        (s) => s.status.code !== 100,
+        (s) => s.status.code === 200 || s.status.code >= 400,
         { ...pollOpts, description: `UPO for session ${sessionRef}` }
       );
       if (result.status.code !== 200) {
@@ -7818,31 +7918,36 @@ async function openSendAndClose(client, invoices, options) {
 
 // src/workflows/batch-session-workflow.ts
 var DEFAULT_FORM_CODE2 = { systemCode: "FA", schemaVersion: "3", value: "FA (3)" };
-async function uploadBatch(client, zipParts, totalFileSize, totalFileHash, options) {
+async function uploadBatch(client, zipData, options) {
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
   const formCode = options?.formCode ?? DEFAULT_FORM_CODE2;
-  const fileParts = zipParts.map((part, i) => {
-    const meta = client.crypto.getFileMetadata(new Uint8Array(part.data));
-    return { ordinalNumber: i + 1, fileSize: meta.fileSize, fileHash: meta.hashSHA };
+  const encryptFn = (part) => client.crypto.encryptAES256(part, encData.cipherKey, encData.cipherIv);
+  const { batchFile, encryptedParts } = BatchFileBuilder.build(zipData, encryptFn, {
+    maxPartSize: options?.maxPartSize
   });
   const openResp = await client.batchSession.openSession(
     {
       formCode,
       encryption: encData.encryptionInfo,
-      batchFile: { fileSize: totalFileSize, fileHash: totalFileHash, fileParts }
+      batchFile,
+      offlineMode: options?.offlineMode
     },
     options?.upoVersion
   );
-  const sendingParts = zipParts.map((part, i) => {
-    const meta = client.crypto.getFileMetadata(new Uint8Array(part.data));
-    return { data: part.data, metadata: meta, ordinalNumber: i + 1 };
-  });
+  const sendingParts = encryptedParts.map((part, i) => ({
+    data: part.buffer.slice(part.byteOffset, part.byteOffset + part.byteLength),
+    metadata: {
+      hashSHA: batchFile.fileParts[i].fileHash,
+      fileSize: batchFile.fileParts[i].fileSize
+    },
+    ordinalNumber: i + 1
+  }));
   await client.batchSession.sendParts(openResp, sendingParts);
   await client.batchSession.closeSession(openResp.referenceNumber);
   const result = await pollUntil(
     () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
-    (s) => s.status.code !== 100,
+    (s) => s.status.code === 200 || s.status.code >= 400,
     { ...options?.pollOptions, description: `UPO for batch ${openResp.referenceNumber}` }
   );
   if (result.status.code !== 200) {
@@ -7860,7 +7965,7 @@ async function uploadBatch(client, zipParts, totalFileSize, totalFileHash, optio
 }
 
 // src/workflows/invoice-export-workflow.ts
-async function exportInvoices(client, filters, options) {
+async function doExport(client, filters, options) {
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
   const opResp = await client.invoices.exportInvoices({
@@ -7870,7 +7975,7 @@ async function exportInvoices(client, filters, options) {
   });
   const result = await pollUntil(
     () => client.invoices.getInvoiceExportStatus(opResp.referenceNumber),
-    (s) => s.status.code !== 100,
+    (s) => s.status.code === 200 || s.status.code >= 400,
     { ...options?.pollOptions, description: `export ${opResp.referenceNumber}` }
   );
   if (result.status.code !== 200) {
@@ -7880,23 +7985,29 @@ async function exportInvoices(client, filters, options) {
     throw new Error("Export completed but no package available");
   }
   return {
-    parts: result.package.parts.map((p) => ({
-      ordinalNumber: p.ordinalNumber,
-      url: p.url,
-      method: p.method,
-      partSize: p.partSize,
-      encryptedPartSize: p.encryptedPartSize,
-      encryptedPartHash: p.encryptedPartHash,
-      expirationDate: p.expirationDate
-    })),
-    invoiceCount: result.package.invoiceCount,
-    isTruncated: result.package.isTruncated,
-    permanentStorageHwmDate: result.package.permanentStorageHwmDate
+    encData,
+    result: {
+      parts: result.package.parts.map((p) => ({
+        ordinalNumber: p.ordinalNumber,
+        url: p.url,
+        method: p.method,
+        partSize: p.partSize,
+        encryptedPartSize: p.encryptedPartSize,
+        encryptedPartHash: p.encryptedPartHash,
+        expirationDate: p.expirationDate
+      })),
+      invoiceCount: result.package.invoiceCount,
+      isTruncated: result.package.isTruncated,
+      permanentStorageHwmDate: result.package.permanentStorageHwmDate
+    }
   };
 }
+async function exportInvoices(client, filters, options) {
+  const { result } = await doExport(client, filters, options);
+  return result;
+}
 async function exportAndDownload(client, filters, options) {
-  const encData = client.crypto.getEncryptionData();
-  const exportResult = await exportInvoices(client, filters, options);
+  const { result: exportResult, encData } = await doExport(client, filters, options);
   const download = options?.transport ?? fetch;
   const decryptedParts = [];
   for (const part of exportResult.parts) {
@@ -7990,7 +8101,11 @@ init_client();
   AuthService,
   AuthTokenRequestBuilder,
   AuthorizationPermissionGrantBuilder,
+  BATCH_MAX_PARTS,
+  BATCH_MAX_PART_SIZE,
+  BATCH_MAX_TOTAL_SIZE,
   Base64String,
+  BatchFileBuilder,
   BatchSessionService,
   CERTIFICATE_NAME_MAX_LENGTH,
   CERTIFICATE_NAME_MIN_LENGTH,