npm - ksef-client-ts - Versions diffs - 0.2.0 → 0.4.0 - Mend

ksef-client-ts 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/cli.js CHANGED Viewed

@@ -32,6 +32,74 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
+// src/errors/ksef-error.ts
+var KSeFError;
+var init_ksef_error = __esm({
+  "src/errors/ksef-error.ts"() {
+    "use strict";
+    KSeFError = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "KSeFError";
+      }
+    };
+  }
+});
+// src/errors/ksef-validation-error.ts
+var KSeFValidationError;
+var init_ksef_validation_error = __esm({
+  "src/errors/ksef-validation-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFValidationError = class _KSeFValidationError extends KSeFError {
+      details;
+      constructor(message, details = []) {
+        super(message);
+        this.name = "KSeFValidationError";
+        this.details = details;
+      }
+      static fromField(field, message) {
+        return new _KSeFValidationError(message, [{ field, message }]);
+      }
+      static fromMessages(messages2) {
+        const details = messages2.map((m) => ({ message: m }));
+        return new _KSeFValidationError(messages2.join("; "), details);
+      }
+    };
+  }
+});
+// src/crypto/auth-xml-builder.ts
+var auth_xml_builder_exports = {};
+__export(auth_xml_builder_exports, {
+  buildUnsignedAuthTokenRequestXml: () => buildUnsignedAuthTokenRequestXml
+});
+function buildUnsignedAuthTokenRequestXml(options) {
+  const { challenge: challenge2, contextIdentifier, subjectIdentifierType = "certificateSubject" } = options;
+  const identifierElement = `<${contextIdentifier.type}>${xmlEscape(contextIdentifier.value)}</${contextIdentifier.type}>`;
+  return [
+    '<?xml version="1.0" encoding="utf-8"?>',
+    `<AuthTokenRequest xmlns="${AUTH_TOKEN_REQUEST_NS}">`,
+    `<Challenge>${xmlEscape(challenge2)}</Challenge>`,
+    `<ContextIdentifier>`,
+    identifierElement,
+    `</ContextIdentifier>`,
+    `<SubjectIdentifierType>${xmlEscape(subjectIdentifierType)}</SubjectIdentifierType>`,
+    `</AuthTokenRequest>`
+  ].join("");
+}
+function xmlEscape(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+var AUTH_TOKEN_REQUEST_NS;
+var init_auth_xml_builder = __esm({
+  "src/crypto/auth-xml-builder.ts"() {
+    "use strict";
+    AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
+  }
+});
 // node_modules/@xmldom/xmldom/lib/conventions.js
 var require_conventions = __commonJS({
   "node_modules/@xmldom/xmldom/lib/conventions.js"(exports) {
@@ -456,7 +524,7 @@ var require_dom = __commonJS({
        * @see https://www.w3.org/TR/REC-DOM-Level-1/level-one-core.html#ID-5CED94D7 DOM Level 1 Core
        * @see https://dom.spec.whatwg.org/#dom-domimplementation-hasfeature DOM Living Standard
        */
-      hasFeature: function(feature, version) {
+      hasFeature: function(feature, version2) {
         return true;
       },
       /**
@@ -577,8 +645,8 @@ var require_dom = __commonJS({
         }
       },
       // Introduced in DOM Level 2:
-      isSupported: function(feature, version) {
-        return this.ownerDocument.implementation.hasFeature(feature, version);
+      isSupported: function(feature, version2) {
+        return this.ownerDocument.implementation.hasFeature(feature, version2);
       },
       // Introduced in DOM Level 2:
       hasAttributes: function() {
@@ -4845,8 +4913,542 @@ var init_pkcs12_loader = __esm({
   }
 });
+// src/workflows/polling.ts
+async function pollUntil(action, condition, options) {
+  const intervalMs = options?.intervalMs ?? 2e3;
+  const maxAttempts = options?.maxAttempts ?? 60;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    const result = await action();
+    if (condition(result)) return result;
+    options?.onProgress?.(attempt, maxAttempts);
+    if (attempt < maxAttempts) {
+      await new Promise((r) => setTimeout(r, intervalMs));
+    }
+  }
+  throw new Error(
+    `Polling timeout: ${options?.description ?? "condition"} after ${maxAttempts} attempts`
+  );
+}
+var init_polling = __esm({
+  "src/workflows/polling.ts"() {
+    "use strict";
+  }
+});
+// src/models/document-structures/types.ts
+var SystemCode, FORM_CODES, INVOICE_TYPES_BY_SYSTEM_CODE, FORM_CODE_KEYS;
+var init_types = __esm({
+  "src/models/document-structures/types.ts"() {
+    "use strict";
+    SystemCode = {
+      FA_2: "FA (2)",
+      FA_3: "FA (3)",
+      PEF_3: "PEF (3)",
+      PEF_KOR_3: "PEF_KOR (3)",
+      FA_RR_1: "FA_RR (1)"
+    };
+    FORM_CODES = {
+      FA_2: { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" },
+      FA_3: { systemCode: "FA (3)", schemaVersion: "1-0E", value: "FA" },
+      PEF_3: { systemCode: "PEF (3)", schemaVersion: "2-1", value: "PEF" },
+      PEF_KOR_3: { systemCode: "PEF_KOR (3)", schemaVersion: "2-1", value: "PEF" },
+      FA_RR_1_LEGACY: { systemCode: "FA_RR (1)", schemaVersion: "1-0E", value: "RR" },
+      FA_RR_1_TRANSITION: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "RR" },
+      FA_RR_1: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "FA_RR" }
+    };
+    INVOICE_TYPES_BY_SYSTEM_CODE = {
+      [SystemCode.FA_2]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
+      [SystemCode.FA_3]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
+      [SystemCode.PEF_3]: ["VatPef", "VatPefSp", "KorPef"],
+      [SystemCode.PEF_KOR_3]: ["KorPef"],
+      [SystemCode.FA_RR_1]: ["VatRr", "KorVatRr"]
+    };
+    FORM_CODE_KEYS = {
+      FA2: FORM_CODES.FA_2,
+      FA3: FORM_CODES.FA_3,
+      PEF3: FORM_CODES.PEF_3,
+      PEFKOR3: FORM_CODES.PEF_KOR_3,
+      FARR1: FORM_CODES.FA_RR_1
+    };
+  }
+});
+// src/models/document-structures/helpers.ts
+function validateFormCodeForSession(formCode, sessionType) {
+  if (sessionType === "online") return true;
+  return !BATCH_DISALLOWED_SYSTEM_CODES.has(formCode.systemCode);
+}
+var SYSTEM_CODE_TO_FORM_CODE, ALL_FORM_CODES, BATCH_DISALLOWED_SYSTEM_CODES;
+var init_helpers = __esm({
+  "src/models/document-structures/helpers.ts"() {
+    "use strict";
+    init_types();
+    SYSTEM_CODE_TO_FORM_CODE = {
+      [SystemCode.FA_2]: FORM_CODES.FA_2,
+      [SystemCode.FA_3]: FORM_CODES.FA_3,
+      [SystemCode.PEF_3]: FORM_CODES.PEF_3,
+      [SystemCode.PEF_KOR_3]: FORM_CODES.PEF_KOR_3,
+      [SystemCode.FA_RR_1]: FORM_CODES.FA_RR_1
+    };
+    ALL_FORM_CODES = Object.values(FORM_CODES);
+    BATCH_DISALLOWED_SYSTEM_CODES = /* @__PURE__ */ new Set([
+      SystemCode.PEF_3,
+      SystemCode.PEF_KOR_3
+    ]);
+  }
+});
+// src/models/document-structures/index.ts
+var init_document_structures = __esm({
+  "src/models/document-structures/index.ts"() {
+    "use strict";
+    init_types();
+    init_helpers();
+  }
+});
+// src/xml/upo-parser.ts
+import { XMLParser } from "fast-xml-parser";
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function requireRecord(value, at) {
+  if (!isRecord(value)) {
+    throw KSeFValidationError.fromField(at, `Expected object at ${at}`);
+  }
+  return value;
+}
+function requireString(value, at) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw KSeFValidationError.fromField(at, `Expected non-empty string at ${at}`);
+  }
+  return value;
+}
+function optionalRecord(value) {
+  return isRecord(value) ? value : void 0;
+}
+function optionalString(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function requireNumberFromString(value, at) {
+  const raw = requireString(value, at);
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed)) {
+    throw KSeFValidationError.fromField(at, `Expected integer at ${at}, got "${raw}"`);
+  }
+  return parsed;
+}
+function ensureArray(value) {
+  if (value == null) return [];
+  return Array.isArray(value) ? value : [value];
+}
+function parseIdKontekstu(obj) {
+  const nip = optionalString(obj.Nip);
+  if (nip) return { kind: "Nip", nip };
+  const idWewnetrzny = optionalString(obj.IdWewnetrzny);
+  if (idWewnetrzny) return { kind: "IdWewnetrzny", idWewnetrzny };
+  const idZlozonyVatUE = optionalString(obj.IdZlozonyVatUE);
+  if (idZlozonyVatUE) return { kind: "IdZlozonyVatUE", idZlozonyVatUE };
+  const idDostawcyUslugPeppol = optionalString(obj.IdDostawcyUslugPeppol);
+  if (idDostawcyUslugPeppol) return { kind: "IdDostawcyUslugPeppol", idDostawcyUslugPeppol };
+  throw KSeFValidationError.fromField(
+    "Uwierzytelnienie.IdKontekstu",
+    "Unsupported context identifier. Expected Nip | IdWewnetrzny | IdZlozonyVatUE | IdDostawcyUslugPeppol"
+  );
+}
+function parseProof(obj) {
+  const tokenRef = optionalString(obj.NumerReferencyjnyTokenaKSeF);
+  if (tokenRef) return { kind: "NumerReferencyjnyTokenaKSeF", numerReferencyjnyTokenaKSeF: tokenRef };
+  const docHash = optionalString(obj.SkrotDokumentuUwierzytelniajacego);
+  if (docHash) return { kind: "SkrotDokumentuUwierzytelniajacego", skrotDokumentuUwierzytelniajacego: docHash };
+  throw KSeFValidationError.fromField(
+    "Uwierzytelnienie",
+    "Unsupported auth proof. Expected NumerReferencyjnyTokenaKSeF | SkrotDokumentuUwierzytelniajacego"
+  );
+}
+function parseUwierzytelnienie(obj) {
+  const idKontekstu = parseIdKontekstu(
+    requireRecord(obj.IdKontekstu, "Uwierzytelnienie.IdKontekstu")
+  );
+  const proof = parseProof(obj);
+  return { idKontekstu, proof };
+}
+function parseOpisPotwierdzenia(obj) {
+  return {
+    strona: requireNumberFromString(obj.Strona, "OpisPotwierdzenia.Strona"),
+    liczbaStron: requireNumberFromString(obj.LiczbaStron, "OpisPotwierdzenia.LiczbaStron"),
+    zakresDokumentowOd: requireNumberFromString(obj.ZakresDokumentowOd, "OpisPotwierdzenia.ZakresDokumentowOd"),
+    zakresDokumentowDo: requireNumberFromString(obj.ZakresDokumentowDo, "OpisPotwierdzenia.ZakresDokumentowDo"),
+    calkowitaLiczbaDokumentow: requireNumberFromString(obj.CalkowitaLiczbaDokumentow, "OpisPotwierdzenia.CalkowitaLiczbaDokumentow")
+  };
+}
+function parseDokument(obj) {
+  return {
+    nipSprzedawcy: requireString(obj.NipSprzedawcy, "Dokument.NipSprzedawcy"),
+    numerKSeFDokumentu: requireString(obj.NumerKSeFDokumentu, "Dokument.NumerKSeFDokumentu"),
+    numerFaktury: requireString(obj.NumerFaktury, "Dokument.NumerFaktury"),
+    dataWystawieniaFaktury: requireString(obj.DataWystawieniaFaktury, "Dokument.DataWystawieniaFaktury"),
+    dataPrzeslaniaDokumentu: requireString(obj.DataPrzeslaniaDokumentu, "Dokument.DataPrzeslaniaDokumentu"),
+    dataNadaniaNumeruKSeF: requireString(obj.DataNadaniaNumeruKSeF, "Dokument.DataNadaniaNumeruKSeF"),
+    skrotDokumentu: requireString(obj.SkrotDokumentu, "Dokument.SkrotDokumentu"),
+    trybWysylki: requireString(obj.TrybWysylki, "Dokument.TrybWysylki")
+  };
+}
+function parseUpoXml(xml) {
+  const text = Buffer.isBuffer(xml) ? xml.toString("utf8") : xml;
+  const parsed = upoParser.parse(text);
+  const potwierdzenie = requireRecord(parsed?.Potwierdzenie, "Potwierdzenie");
+  const opisPotwierdzenia = optionalRecord(potwierdzenie.OpisPotwierdzenia);
+  const dokumenty = ensureArray(potwierdzenie.Dokument).map(
+    (doc, i) => parseDokument(requireRecord(doc, `Dokument[${i}]`))
+  );
+  if (dokumenty.length === 0) {
+    throw KSeFValidationError.fromField("Dokument", "Expected at least one Dokument in UPO");
+  }
+  return {
+    nazwaPodmiotuPrzyjmujacego: requireString(potwierdzenie.NazwaPodmiotuPrzyjmujacego, "NazwaPodmiotuPrzyjmujacego"),
+    numerReferencyjnySesji: requireString(potwierdzenie.NumerReferencyjnySesji, "NumerReferencyjnySesji"),
+    uwierzytelnienie: parseUwierzytelnienie(requireRecord(potwierdzenie.Uwierzytelnienie, "Uwierzytelnienie")),
+    ...opisPotwierdzenia && { opisPotwierdzenia: parseOpisPotwierdzenia(opisPotwierdzenia) },
+    nazwaStrukturyLogicznej: requireString(potwierdzenie.NazwaStrukturyLogicznej, "NazwaStrukturyLogicznej"),
+    kodFormularza: requireString(potwierdzenie.KodFormularza, "KodFormularza"),
+    dokumenty
+  };
+}
+var upoParser;
+var init_upo_parser = __esm({
+  "src/xml/upo-parser.ts"() {
+    "use strict";
+    init_ksef_validation_error();
+    upoParser = new XMLParser({
+      ignoreAttributes: false,
+      attributeNamePrefix: "@_",
+      parseTagValue: false,
+      parseAttributeValue: false,
+      removeNSPrefix: true,
+      trimValues: false
+    });
+  }
+});
+// src/xml/index.ts
+var init_xml = __esm({
+  "src/xml/index.ts"() {
+    "use strict";
+    init_upo_parser();
+  }
+});
+// src/builders/batch-file.ts
+import * as crypto4 from "crypto";
+function splitBuffer(data, maxPartSize) {
+  if (data.length <= maxPartSize) {
+    return [data];
+  }
+  const parts = [];
+  for (let offset = 0; offset < data.length; offset += maxPartSize) {
+    parts.push(data.subarray(offset, Math.min(offset + maxPartSize, data.length)));
+  }
+  return parts;
+}
+function sha256Base64(data) {
+  return crypto4.createHash("sha256").update(data).digest("base64");
+}
+var BATCH_MAX_PART_SIZE, BATCH_MAX_TOTAL_SIZE, BATCH_MAX_PARTS, BatchFileBuilder;
+var init_batch_file = __esm({
+  "src/builders/batch-file.ts"() {
+    "use strict";
+    init_ksef_validation_error();
+    BATCH_MAX_PART_SIZE = 1e8;
+    BATCH_MAX_TOTAL_SIZE = 5e9;
+    BATCH_MAX_PARTS = 50;
+    BatchFileBuilder = class {
+      /**
+       * Build batch file metadata and encrypted parts from a raw ZIP.
+       *
+       * @param zipBytes - Unencrypted ZIP data
+       * @param encryptFn - AES-256-CBC encryption function (called per part)
+       * @param options - Optional configuration
+       */
+      static build(zipBytes, encryptFn, options) {
+        const maxPartSize = options?.maxPartSize ?? BATCH_MAX_PART_SIZE;
+        if (maxPartSize <= 0) {
+          throw new KSeFValidationError("maxPartSize must be a positive number");
+        }
+        if (zipBytes.length === 0) {
+          throw new KSeFValidationError("ZIP data must not be empty");
+        }
+        if (zipBytes.length > BATCH_MAX_TOTAL_SIZE) {
+          throw new KSeFValidationError(
+            `ZIP size ${zipBytes.length} exceeds maximum of ${BATCH_MAX_TOTAL_SIZE} bytes (5 GB)`
+          );
+        }
+        const rawParts = splitBuffer(zipBytes, maxPartSize);
+        if (rawParts.length > BATCH_MAX_PARTS) {
+          throw new KSeFValidationError(
+            `Data requires ${rawParts.length} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
+          );
+        }
+        const zipHash = sha256Base64(zipBytes);
+        const encryptedParts = [];
+        const fileParts = rawParts.map((raw, i) => {
+          const encrypted = encryptFn(raw);
+          encryptedParts.push(encrypted);
+          return {
+            ordinalNumber: i + 1,
+            fileSize: encrypted.length,
+            fileHash: sha256Base64(encrypted)
+          };
+        });
+        return {
+          batchFile: {
+            fileSize: zipBytes.length,
+            fileHash: zipHash,
+            fileParts
+          },
+          encryptedParts
+        };
+      }
+      /**
+       * Stream-based variant: two-pass build from a stream factory.
+       *
+       * Pass 1: consume stream to compute ZIP hash.
+       * Pass 2: re-create stream, split into parts, encrypt each, compute per-part metadata.
+       *
+       * @param zipStreamFactory - Factory that creates a fresh ReadableStream of the ZIP data
+       * @param zipSize - Total ZIP byte size (from fs.stat or known in advance)
+       * @param encryptStreamFn - Stream-to-stream AES-256-CBC encryption function
+       * @param hashStreamFn - Stream-to-FileMetadata hashing function
+       * @param options - Optional configuration
+       */
+      static async buildFromStream(zipStreamFactory, zipSize, encryptStreamFn, hashStreamFn, options) {
+        const maxPartSize = options?.maxPartSize ?? BATCH_MAX_PART_SIZE;
+        if (maxPartSize <= 0) {
+          throw new KSeFValidationError("maxPartSize must be a positive number");
+        }
+        if (zipSize === 0) {
+          throw new KSeFValidationError("ZIP data must not be empty");
+        }
+        if (zipSize > BATCH_MAX_TOTAL_SIZE) {
+          throw new KSeFValidationError(
+            `ZIP size ${zipSize} exceeds maximum of ${BATCH_MAX_TOTAL_SIZE} bytes (5 GB)`
+          );
+        }
+        const partCount = Math.ceil(zipSize / maxPartSize);
+        if (partCount > BATCH_MAX_PARTS) {
+          throw new KSeFValidationError(
+            `Data requires ${partCount} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
+          );
+        }
+        const zipMeta = await hashStreamFn(zipStreamFactory());
+        const fileParts = [];
+        const streamParts = [];
+        const reader = zipStreamFactory().getReader();
+        let pending = [];
+        let pendingSize = 0;
+        for (let partIndex = 0; partIndex < partCount; partIndex++) {
+          const isLastPart = partIndex === partCount - 1;
+          const targetSize = isLastPart ? zipSize - partIndex * maxPartSize : maxPartSize;
+          while (pendingSize < targetSize) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            pending.push(value);
+            pendingSize += value.byteLength;
+          }
+          const buffer = new Uint8Array(Buffer.concat(pending));
+          const partData = buffer.subarray(0, targetSize);
+          if (buffer.byteLength > targetSize) {
+            const remainder = buffer.subarray(targetSize);
+            pending = [remainder];
+            pendingSize = remainder.byteLength;
+          } else {
+            pending = [];
+            pendingSize = 0;
+          }
+          const partStream = new ReadableStream({
+            start(controller) {
+              controller.enqueue(partData);
+              controller.close();
+            }
+          });
+          const encryptedStream = encryptStreamFn(partStream);
+          const encryptedChunks = [];
+          const encReader = encryptedStream.getReader();
+          for (; ; ) {
+            const { done, value } = await encReader.read();
+            if (done) break;
+            encryptedChunks.push(value);
+          }
+          const encryptedData = new Uint8Array(Buffer.concat(encryptedChunks));
+          const encryptedMeta = sha256Base64(encryptedData);
+          fileParts.push({
+            ordinalNumber: partIndex + 1,
+            fileSize: encryptedData.byteLength,
+            fileHash: encryptedMeta
+          });
+          const uploadStream = new ReadableStream({
+            start(controller) {
+              controller.enqueue(encryptedData);
+              controller.close();
+            }
+          });
+          streamParts.push({
+            dataStream: uploadStream,
+            metadata: {
+              hashSHA: encryptedMeta,
+              fileSize: encryptedData.byteLength
+            },
+            ordinalNumber: partIndex + 1
+          });
+        }
+        reader.releaseLock();
+        return {
+          batchFile: {
+            fileSize: zipSize,
+            fileHash: zipMeta.hashSHA,
+            fileParts
+          },
+          streamParts
+        };
+      }
+    };
+  }
+});
+// src/workflows/batch-session-workflow.ts
+var batch_session_workflow_exports = {};
+__export(batch_session_workflow_exports, {
+  uploadBatch: () => uploadBatch,
+  uploadBatchParsed: () => uploadBatchParsed,
+  uploadBatchStream: () => uploadBatchStream,
+  uploadBatchStreamParsed: () => uploadBatchStreamParsed
+});
+async function uploadBatch(client, zipData, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const formCode = options?.formCode ?? FORM_CODES.FA_2;
+  const encryptFn = (part) => client.crypto.encryptAES256(part, encData.cipherKey, encData.cipherIv);
+  const { batchFile, encryptedParts } = BatchFileBuilder.build(zipData, encryptFn, {
+    maxPartSize: options?.maxPartSize
+  });
+  const openResp = await client.batchSession.openSession(
+    {
+      formCode,
+      encryption: encData.encryptionInfo,
+      batchFile,
+      offlineMode: options?.offlineMode
+    },
+    options?.upoVersion
+  );
+  const sendingParts = encryptedParts.map((part, i) => ({
+    data: part.buffer.slice(part.byteOffset, part.byteOffset + part.byteLength),
+    metadata: {
+      hashSHA: batchFile.fileParts[i].fileHash,
+      fileSize: batchFile.fileParts[i].fileSize
+    },
+    ordinalNumber: i + 1
+  }));
+  await client.batchSession.sendParts(openResp, sendingParts);
+  await client.batchSession.closeSession(openResp.referenceNumber);
+  const result = await pollUntil(
+    () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
+    (s) => s.status.code === 200 || s.status.code >= 400,
+    { ...options?.pollOptions, description: `UPO for batch ${openResp.referenceNumber}` }
+  );
+  if (result.status.code !== 200) {
+    throw new Error(`Batch session failed: ${result.status.code} \u2014 ${result.status.description}`);
+  }
+  return {
+    sessionRef: openResp.referenceNumber,
+    upo: {
+      pages: result.upo?.pages ?? [],
+      invoiceCount: result.invoiceCount,
+      successfulInvoiceCount: result.successfulInvoiceCount,
+      failedInvoiceCount: result.failedInvoiceCount
+    }
+  };
+}
+async function uploadBatchStream(client, zipStreamFactory, zipSize, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const formCode = options?.formCode ?? FORM_CODES.FA_2;
+  const encryptStreamFn = (stream) => client.crypto.encryptAES256Stream(stream, encData.cipherKey, encData.cipherIv);
+  const hashStreamFn = (stream) => client.crypto.getFileMetadataFromStream(stream);
+  const { batchFile, streamParts } = await BatchFileBuilder.buildFromStream(
+    zipStreamFactory,
+    zipSize,
+    encryptStreamFn,
+    hashStreamFn,
+    { maxPartSize: options?.maxPartSize }
+  );
+  const openResp = await client.batchSession.openSession(
+    {
+      formCode,
+      encryption: encData.encryptionInfo,
+      batchFile,
+      offlineMode: options?.offlineMode
+    },
+    options?.upoVersion
+  );
+  await client.batchSession.sendPartsWithStream(openResp, streamParts);
+  await client.batchSession.closeSession(openResp.referenceNumber);
+  const result = await pollUntil(
+    () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
+    (s) => s.status.code === 200 || s.status.code >= 400,
+    { ...options?.pollOptions, description: `UPO for batch ${openResp.referenceNumber}` }
+  );
+  if (result.status.code !== 200) {
+    throw new Error(`Batch session failed: ${result.status.code} \u2014 ${result.status.description}`);
+  }
+  return {
+    sessionRef: openResp.referenceNumber,
+    upo: {
+      pages: result.upo?.pages ?? [],
+      invoiceCount: result.invoiceCount,
+      successfulInvoiceCount: result.successfulInvoiceCount,
+      failedInvoiceCount: result.failedInvoiceCount
+    }
+  };
+}
+async function uploadBatchStreamParsed(client, zipStreamFactory, zipSize, options) {
+  const result = await uploadBatchStream(client, zipStreamFactory, zipSize, options);
+  const parsed = [];
+  for (const page of result.upo.pages) {
+    const upoResult = await client.sessionStatus.getSessionUpo(result.sessionRef, page.referenceNumber);
+    parsed.push(parseUpoXml(upoResult.upo));
+  }
+  return {
+    sessionRef: result.sessionRef,
+    upo: { ...result.upo, parsed }
+  };
+}
+async function uploadBatchParsed(client, zipData, options) {
+  const result = await uploadBatch(client, zipData, options);
+  const parsed = [];
+  for (const page of result.upo.pages) {
+    const upoResult = await client.sessionStatus.getSessionUpo(result.sessionRef, page.referenceNumber);
+    parsed.push(parseUpoXml(upoResult.upo));
+  }
+  return {
+    sessionRef: result.sessionRef,
+    upo: { ...result.upo, parsed }
+  };
+}
+var init_batch_session_workflow = __esm({
+  "src/workflows/batch-session-workflow.ts"() {
+    "use strict";
+    init_document_structures();
+    init_batch_file();
+    init_polling();
+    init_xml();
+  }
+});
 // src/cli/index.ts
-import { defineCommand as defineCommand15, runMain } from "citty";
+import { readFileSync as readFileSync6 } from "fs";
+import { fileURLToPath } from "url";
+import { dirname as dirname2, resolve } from "path";
+import { defineCommand as defineCommand16, runMain } from "citty";
 // src/cli/commands/config.ts
 import { defineCommand } from "citty";
@@ -4935,15 +5537,8 @@ function outputWarning(msg) {
 // src/cli/error-handler.ts
 import { consola as consola2 } from "consola";
-// src/errors/ksef-error.ts
-var KSeFError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "KSeFError";
-  }
-};
 // src/errors/ksef-api-error.ts
+init_ksef_error();
 var KSeFApiError = class _KSeFApiError extends KSeFError {
   statusCode;
   errorResponse;
@@ -4993,6 +5588,7 @@ var KSeFRateLimitError = class _KSeFRateLimitError extends KSeFApiError {
 };
 // src/errors/ksef-unauthorized-error.ts
+init_ksef_error();
 var KSeFUnauthorizedError = class extends KSeFError {
   statusCode = 401;
   detail;
@@ -5008,6 +5604,7 @@ var KSeFUnauthorizedError = class extends KSeFError {
 };
 // src/errors/ksef-forbidden-error.ts
+init_ksef_error();
 var KSeFForbiddenError = class extends KSeFError {
   statusCode = 403;
   detail;
@@ -5144,6 +5741,9 @@ var configCommand = defineCommand({
 });
 // src/cli/commands/auth.ts
+import * as fs3 from "fs";
+import * as path3 from "path";
+import * as os3 from "os";
 import { defineCommand as defineCommand2 } from "citty";
 // src/cli/client-factory.ts
@@ -5179,7 +5779,8 @@ function resolveOptions(options = {}) {
     lighthouseUrl: options.lighthouseUrl ?? env.lighthouseUrl,
     apiVersion: options.apiVersion ?? DEFAULT_API_VERSION,
     timeout: options.timeout ?? DEFAULT_TIMEOUT,
-    customHeaders: options.customHeaders ?? {}
+    customHeaders: options.customHeaders ?? {},
+    environmentName: options.environment ?? (options.baseUrl ? void 0 : "TEST")
   };
 }
@@ -5193,8 +5794,8 @@ var RouteBuilder = class {
     this.apiVersion = apiVersion;
   }
   build(endpoint, apiVersion) {
-    const version = apiVersion ?? this.apiVersion;
-    return `/${version}/${endpoint}`;
+    const version2 = apiVersion ?? this.apiVersion;
+    return `/${version2}/${endpoint}`;
   }
 };
@@ -5246,27 +5847,11 @@ function isRetryableStatus(status6, policy) {
   return policy.retryableStatusCodes.includes(status6);
 }
 function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
-// src/errors/ksef-validation-error.ts
-var KSeFValidationError = class _KSeFValidationError extends KSeFError {
-  details;
-  constructor(message, details = []) {
-    super(message);
-    this.name = "KSeFValidationError";
-    this.details = details;
-  }
-  static fromField(field, message) {
-    return new _KSeFValidationError(message, [{ field, message }]);
-  }
-  static fromMessages(messages2) {
-    const details = messages2.map((m) => ({ message: m }));
-    return new _KSeFValidationError(messages2.join("; "), details);
-  }
-};
 // src/http/presigned-url-policy.ts
+init_ksef_validation_error();
 function defaultPresignedUrlPolicy() {
   return {
     allowedHosts: ["*.ksef.mf.gov.pl"],
@@ -5454,9 +6039,9 @@ var RestClient = class {
     return response;
   }
   buildUrl(request) {
-    const path5 = this.routeBuilder.build(request.path);
+    const path7 = this.routeBuilder.build(request.path);
     const base = this.options.baseUrl;
-    const url2 = new URL(`${base}${path5}`);
+    const url2 = new URL(`${base}${path7}`);
     const query2 = request.getQuery();
     for (const [key, value] of query2) {
       url2.searchParams.append(key, value);
@@ -5517,7 +6102,7 @@ var TokenBucket = class {
       return;
     }
     const waitMs = Math.ceil((1 - this.tokens) / this.refillRate);
-    await new Promise((resolve) => setTimeout(resolve, waitMs));
+    await new Promise((resolve2) => setTimeout(resolve2, waitMs));
     this.refill();
     this.tokens -= 1;
   }
@@ -5538,8 +6123,8 @@ var RateLimitPolicy = class {
     this.endpointLimits = config.endpointLimits ?? {};
   }
   async acquire(endpoint) {
-    return new Promise((resolve, reject) => {
-      this.chain = this.chain.then(() => this.doAcquire(endpoint)).then(resolve, reject);
+    return new Promise((resolve2, reject) => {
+      this.chain = this.chain.then(() => this.doAcquire(endpoint)).then(resolve2, reject);
     });
   }
   async doAcquire(endpoint) {
@@ -5603,21 +6188,21 @@ var RestRequest = class _RestRequest {
   _query = [];
   _presigned = false;
   _skipAuthRetry = false;
-  constructor(method, path5) {
+  constructor(method, path7) {
     this.method = method;
-    this.path = path5;
+    this.path = path7;
   }
-  static get(path5) {
-    return new _RestRequest("GET", path5);
+  static get(path7) {
+    return new _RestRequest("GET", path7);
   }
-  static post(path5) {
-    return new _RestRequest("POST", path5);
+  static post(path7) {
+    return new _RestRequest("POST", path7);
   }
-  static put(path5) {
-    return new _RestRequest("PUT", path5);
+  static put(path7) {
+    return new _RestRequest("PUT", path7);
   }
-  static delete(path5) {
-    return new _RestRequest("DELETE", path5);
+  static delete(path7) {
+    return new _RestRequest("DELETE", path7);
   }
   body(data) {
     this._body = data;
@@ -5911,6 +6496,36 @@ var BatchSessionService = class {
     });
     await Promise.all(tasks);
   }
+  /**
+   * Upload parts sequentially (not in parallel) because each part uses a
+   * streaming body (`duplex: 'half'`). Parallel streaming uploads can cause
+   * backpressure issues and exceed memory limits for large payloads.
+   */
+  async sendPartsWithStream(openResponse, parts) {
+    const uploadRequests = openResponse.partUploadRequests;
+    for (const part of parts) {
+      const uploadReq = uploadRequests.find(
+        (r) => r.ordinalNumber === part.ordinalNumber
+      );
+      if (!uploadReq) {
+        throw new Error(`No upload request found for part ${part.ordinalNumber}`);
+      }
+      const headers = {};
+      for (const [k, v] of Object.entries(uploadReq.headers)) {
+        if (v != null) headers[k] = v;
+      }
+      const resp = await fetch(uploadReq.url, {
+        method: uploadReq.method,
+        headers,
+        body: part.dataStream,
+        // @ts-expect-error -- Node 18+ undici supports duplex for streaming body
+        duplex: "half"
+      });
+      if (!resp.ok) {
+        throw new Error(`Upload failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+      }
+    }
+  }
   async closeSession(batchRef) {
     const req = RestRequest.post(Routes.Sessions.Batch.close(batchRef));
     await this.restClient.executeVoid(req);
@@ -6234,6 +6849,18 @@ var CertificateApiService = class {
   }
 };
+// src/errors/index.ts
+init_ksef_error();
+// src/errors/ksef-auth-status-error.ts
+init_ksef_error();
+// src/errors/ksef-session-expired-error.ts
+init_ksef_error();
+// src/errors/index.ts
+init_ksef_validation_error();
 // src/services/lighthouse.ts
 var LighthouseService = class {
   lighthouseUrl;
@@ -6242,20 +6869,20 @@ var LighthouseService = class {
     this.lighthouseUrl = options.lighthouseUrl;
     this.timeout = options.timeout;
   }
-  async fetchJson(path5) {
+  async fetchJson(path7) {
     if (!this.lighthouseUrl) {
       throw new KSeFError(
         "Lighthouse API is not available for the DEMO environment. Use TEST or PROD instead."
       );
     }
-    const response = await fetch(`${this.lighthouseUrl}${path5}`, {
+    const response = await fetch(`${this.lighthouseUrl}${path7}`, {
       headers: { Accept: "application/json" },
       signal: AbortSignal.timeout(this.timeout)
     });
     if (!response.ok) {
       const body = await response.text();
       throw new KSeFError(
-        `Lighthouse ${path5} failed: HTTP ${response.status} \u2014 ${body}`
+        `Lighthouse ${path7} failed: HTTP ${response.status} \u2014 ${body}`
       );
     }
     return await response.json();
@@ -6308,84 +6935,111 @@ var PeppolService = class {
 };
 // src/services/test-data.ts
+init_ksef_error();
 var TestDataService = class {
   restClient;
-  constructor(restClient) {
+  environmentName;
+  constructor(restClient, environmentName) {
     this.restClient = restClient;
+    this.environmentName = environmentName;
+  }
+  ensureTestEnvironment() {
+    if (this.environmentName && this.environmentName !== "TEST") {
+      throw new KSeFError(
+        `Test data APIs are only available on the TEST environment (current: ${this.environmentName})`
+      );
+    }
   }
   // Subject management
   async createSubject(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.createSubject).body(request);
     await this.restClient.executeVoid(req);
   }
   async removeSubject(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.removeSubject).body(request);
     await this.restClient.executeVoid(req);
   }
   // Person management
   async createPerson(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.createPerson).body(request);
     await this.restClient.executeVoid(req);
   }
   async removePerson(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.removePerson).body(request);
     await this.restClient.executeVoid(req);
   }
   // Permissions
   async grantPermissions(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.grantPerms).body(request);
     await this.restClient.executeVoid(req);
   }
   async revokePermissions(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.revokePerms).body(request);
     await this.restClient.executeVoid(req);
   }
   // Attachment permissions
   async enableAttachment(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.enableAttach).body(request);
     await this.restClient.executeVoid(req);
   }
   async disableAttachment(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.disableAttach).body(request);
     await this.restClient.executeVoid(req);
   }
   // Session limits
   async changeSessionLimits(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.changeSessionLimitsInCurrentContext).body(request);
     await this.restClient.executeVoid(req);
   }
   async restoreDefaultSessionLimits() {
+    this.ensureTestEnvironment();
     const req = RestRequest.delete(Routes.TestData.restoreDefaultSessionLimitsInCurrentContext);
     await this.restClient.executeVoid(req);
   }
   // Certificate limits
   async changeCertificatesLimit(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.changeCertificatesLimitInCurrentSubject).body(request);
     await this.restClient.executeVoid(req);
   }
   async restoreDefaultCertificatesLimit() {
+    this.ensureTestEnvironment();
     const req = RestRequest.delete(Routes.TestData.restoreDefaultCertificatesLimitInCurrentSubject);
     await this.restClient.executeVoid(req);
   }
   // Rate limits
   async setRateLimits(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.rateLimits).body(request);
     await this.restClient.executeVoid(req);
   }
   async restoreDefaultRateLimits() {
+    this.ensureTestEnvironment();
     const req = RestRequest.delete(Routes.TestData.rateLimits);
     await this.restClient.executeVoid(req);
   }
   async setProductionRateLimits() {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.productionRateLimits);
     await this.restClient.executeVoid(req);
   }
   // Context blocking
   async blockContext(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.blockContext).body(request);
     await this.restClient.executeVoid(req);
   }
   async unblockContext(request) {
+    this.ensureTestEnvironment();
     const req = RestRequest.post(Routes.TestData.unblockContext).body(request);
     await this.restClient.executeVoid(req);
   }
@@ -6471,6 +7125,28 @@ var CryptographyService = class {
     const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
     return new Uint8Array(Buffer.concat([cipher.update(content), cipher.final()]));
   }
+  /**
+   * Encrypt with AES-256-CBC as a streaming transform.
+   * Returns a ReadableStream that yields encrypted chunks as the input is read.
+   */
+  encryptAES256Stream(input, key, iv) {
+    const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
+    const transform = new TransformStream({
+      transform(chunk, controller) {
+        const encrypted = cipher.update(chunk);
+        if (encrypted.length > 0) {
+          controller.enqueue(new Uint8Array(encrypted));
+        }
+      },
+      flush(controller) {
+        const final = cipher.final();
+        if (final.length > 0) {
+          controller.enqueue(new Uint8Array(final));
+        }
+      }
+    });
+    return input.pipeThrough(transform);
+  }
   /** Decrypt with AES-256-CBC. */
   decryptAES256(content, key, iv) {
     const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
@@ -6543,6 +7219,23 @@ var CryptographyService = class {
     const hash = crypto.createHash("sha256").update(file).digest("base64");
     return { hashSHA: hash, fileSize: file.length };
   }
+  /** Compute SHA-256 hash (base64) and byte length from a ReadableStream. */
+  async getFileMetadataFromStream(stream) {
+    const hash = crypto.createHash("sha256");
+    let fileSize = 0;
+    const reader = stream.getReader();
+    try {
+      for (; ; ) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        hash.update(value);
+        fileSize += value.byteLength;
+      }
+    } finally {
+      reader.releaseLock();
+    }
+    return { hashSHA: hash.digest("base64"), fileSize };
+  }
   // ---------------------------------------------------------------------------
   // CSR generation
   // ---------------------------------------------------------------------------
@@ -6719,6 +7412,7 @@ var VerificationLinkService = class {
 };
 // src/client.ts
+init_auth_xml_builder();
 var KSeFClient = class {
   auth;
   activeSessions;
@@ -6762,7 +7456,7 @@ var KSeFClient = class {
     this.lighthouse = new LighthouseService(this.options);
     this.limits = new LimitsService(restClient);
     this.peppol = new PeppolService(restClient);
-    this.testData = new TestDataService(restClient);
+    this.testData = new TestDataService(restClient, this.options.environmentName);
     this.qr = new VerificationLinkService(this.options.baseQrUrl);
   }
   async loginWithToken(token, nip) {
@@ -6812,21 +7506,12 @@ var KSeFClient = class {
     this.authManager.setRefreshToken(void 0);
   }
 };
-var AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
 function buildAuthTokenRequestXml(challenge2, nip, subjectIdentifierType = "certificateSubject") {
-  return [
-    '<?xml version="1.0" encoding="utf-8"?>',
-    `<AuthTokenRequest xmlns="${AUTH_TOKEN_REQUEST_NS}">`,
-    `<Challenge>${xmlEscape(challenge2)}</Challenge>`,
-    `<ContextIdentifier>`,
-    `<Nip>${xmlEscape(nip)}</Nip>`,
-    `</ContextIdentifier>`,
-    `<SubjectIdentifierType>${xmlEscape(subjectIdentifierType)}</SubjectIdentifierType>`,
-    `</AuthTokenRequest>`
-  ].join("");
-}
-function xmlEscape(str) {
-  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+  return buildUnsignedAuthTokenRequestXml({
+    challenge: challenge2,
+    contextIdentifier: { type: "Nip", value: nip },
+    subjectIdentifierType
+  });
 }
 function buildRestClientConfig(options, authManager) {
   const config = { authManager };
@@ -6936,6 +7621,29 @@ function requireSession(globalOpts) {
 }
 // src/cli/commands/auth.ts
+init_polling();
+var PENDING_CHALLENGE_FILE = path3.join(os3.homedir(), ".ksef", "pending-challenge.json");
+function savePendingChallenge(data) {
+  const dir = path3.dirname(PENDING_CHALLENGE_FILE);
+  fs3.mkdirSync(dir, { recursive: true });
+  fs3.writeFileSync(PENDING_CHALLENGE_FILE, JSON.stringify(data, null, 2) + "\n", {
+    encoding: "utf-8",
+    mode: 384
+  });
+}
+function clearPendingChallenge() {
+  try {
+    fs3.unlinkSync(PENDING_CHALLENGE_FILE);
+  } catch {
+  }
+}
+async function readStdin(stream = process.stdin) {
+  const chunks = [];
+  for await (const chunk of stream) {
+    chunks.push(chunk);
+  }
+  return Buffer.concat(chunks).toString("utf-8");
+}
 function getGlobalOpts(args) {
   return {
     env: args.env,
@@ -6988,13 +7696,13 @@ var login = defineCommand2({
       if (args.token) {
         await client.loginWithToken(args.token, nip);
       } else if (args.p12) {
-        const fs7 = await import("fs");
-        const p12Buffer = fs7.readFileSync(args.p12);
+        const fs10 = await import("fs");
+        const p12Buffer = fs10.readFileSync(args.p12);
         await client.loginWithPkcs12(p12Buffer, args["p12-password"] ?? "", nip);
       } else if (args.cert && args.key) {
-        const fs7 = await import("fs");
-        const certPem = fs7.readFileSync(args.cert, "utf-8");
-        const keyPem = fs7.readFileSync(args.key, "utf-8");
+        const fs10 = await import("fs");
+        const certPem = fs10.readFileSync(args.cert, "utf-8");
+        const keyPem = fs10.readFileSync(args.key, "utf-8");
         await client.loginWithCertificate(certPem, keyPem, nip);
       } else {
         throw new Error("Provide --token, --p12, or both --cert and --key for authentication.");
@@ -7096,15 +7804,109 @@ var whoami = defineCommand2({
     });
   }
 });
+var loginExternal = defineCommand2({
+  meta: { name: "login-external", description: "Authenticate with externally-signed XAdES XML" },
+  args: {
+    generate: { type: "boolean", description: "Generate unsigned auth request XML" },
+    submit: { type: "boolean", description: "Submit externally-signed XML" },
+    nip: { type: "string", description: "NIP number (or identifier value for non-Nip context types)" },
+    "context-type": { type: "string", description: "Context identifier type: Nip, InternalId, NipVatUe, PeppolId (default: Nip)" },
+    output: { type: "string", description: "Write unsigned XML to file instead of stdout (--generate)" },
+    input: { type: "string", description: "Read signed XML from file instead of stdin (--submit)" },
+    env: { type: "string", description: "Environment (test/demo/prod)" },
+    json: { type: "boolean", description: "Output as JSON" },
+    verbose: { type: "boolean", description: "Show HTTP request/response details" },
+    timeout: { type: "string", description: "Request timeout (ms)" }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const globalOpts = getGlobalOpts(args);
+      const config = loadConfig();
+      const nip = args.nip ?? config.nip;
+      if (!nip) {
+        throw new Error("NIP/identifier is required. Provide --nip or set it via `ksef config set --nip <nip>`.");
+      }
+      const contextType = args["context-type"] ?? "Nip";
+      const validTypes = ["Nip", "InternalId", "NipVatUe", "PeppolId"];
+      if (!validTypes.includes(contextType)) {
+        throw new Error(`Invalid --context-type "${contextType}". Must be one of: ${validTypes.join(", ")}`);
+      }
+      if (!args.generate && !args.submit) {
+        throw new Error("Specify --generate to create unsigned XML, or --submit to send signed XML.");
+      }
+      const client = createClient(globalOpts);
+      if (args.generate) {
+        const { buildUnsignedAuthTokenRequestXml: buildUnsignedAuthTokenRequestXml2 } = await Promise.resolve().then(() => (init_auth_xml_builder(), auth_xml_builder_exports));
+        const challengeResult = await client.auth.getChallenge();
+        const unsignedXml = buildUnsignedAuthTokenRequestXml2({
+          challenge: challengeResult.challenge,
+          contextIdentifier: { type: contextType, value: nip }
+        });
+        if (args.output) {
+          fs3.writeFileSync(args.output, unsignedXml, "utf-8");
+          process.stderr.write(`Unsigned XML written to ${args.output}
+`);
+        } else {
+          process.stdout.write(unsignedXml);
+        }
+        savePendingChallenge({
+          challenge: challengeResult.challenge,
+          timestamp: challengeResult.timestamp,
+          contextIdentifier: { type: contextType, value: nip },
+          createdAt: (/* @__PURE__ */ new Date()).toISOString()
+        });
+        process.stderr.write(`Challenge: ${challengeResult.challenge}
+`);
+        process.stderr.write(`Timestamp: ${challengeResult.timestamp}
+`);
+        process.stderr.write(`Note: Sign this XML and submit with --submit before the challenge expires.
+`);
+      }
+      if (args.submit) {
+        let signedXml;
+        if (args.input) {
+          signedXml = fs3.readFileSync(args.input, "utf-8");
+        } else {
+          signedXml = await readStdin();
+        }
+        if (!signedXml.trim()) {
+          throw new Error("No signed XML provided. Pipe signed XML to stdin or use --input <file>.");
+        }
+        const submitResult = await client.auth.submitXadesAuthRequest(signedXml);
+        const authToken = submitResult.authenticationToken.token;
+        await pollUntil(
+          () => client.auth.getAuthStatus(submitResult.referenceNumber, authToken),
+          (s) => s.status.code !== 100,
+          { intervalMs: 1e3, maxAttempts: 30, description: `auth ${submitResult.referenceNumber}` }
+        );
+        const tokens = await client.auth.getAccessToken(authToken);
+        const session = {
+          accessToken: tokens.accessToken.token,
+          refreshToken: tokens.refreshToken.token,
+          expiresAt: tokens.accessToken.validUntil,
+          environment: args.env ?? config.environment
+        };
+        saveSession(session);
+        if (args.env && args.env !== config.environment) {
+          saveConfig({ ...config, environment: session.environment });
+        }
+        clearPendingChallenge();
+        outputSuccess("Logged in successfully via external signature.");
+      }
+    });
+  }
+});
 var authCommand = defineCommand2({
   meta: { name: "auth", description: "Authentication commands" },
-  subCommands: { challenge, login, status, logout, refresh, whoami }
+  subCommands: { challenge, login, "login-external": loginExternal, status, logout, refresh, whoami }
 });
 // src/cli/commands/session.ts
-import * as fs3 from "fs";
+import * as fs4 from "fs";
 import { defineCommand as defineCommand3 } from "citty";
 import { consola as consola5 } from "consola";
+init_document_structures();
+init_xml();
 function getGlobalOpts2(args) {
   return {
     env: args.env,
@@ -7118,6 +7920,7 @@ var open = defineCommand3({
   meta: { name: "open", description: "Open a KSeF session (online or batch)" },
   args: {
     batch: { type: "boolean", description: "Open a batch session instead of online" },
+    formCode: { type: "string", description: "Document type: FA2, FA3, PEF3, PEFKOR3, FARR1 (default: FA2)" },
     env: { type: "string", description: "Environment (test/demo/prod)" },
     json: { type: "boolean", description: "Output as JSON" },
     verbose: { type: "boolean", description: "Show HTTP request/response details" },
@@ -7135,7 +7938,15 @@ var open = defineCommand3({
       }
       await client.crypto.init();
       const encryptionData = client.crypto.getEncryptionData();
-      const formCode = { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" };
+      const formCodeKey = args.formCode;
+      let formCode = FORM_CODES.FA_2;
+      if (formCodeKey) {
+        const resolved = FORM_CODE_KEYS[formCodeKey];
+        if (!resolved) {
+          throw new Error(`Invalid form code "${formCodeKey}". Valid keys: ${Object.keys(FORM_CODE_KEYS).join(", ")}`);
+        }
+        formCode = resolved;
+      }
       if (args.batch) {
         throw new Error("Batch session open is used internally by `ksef invoice send <dir>`. Use `ksef session open` for online sessions.");
       }
@@ -7373,6 +8184,7 @@ var upo = defineCommand3({
     upoRef: { type: "string", description: "UPO reference" },
     ksefNumber: { type: "string", description: "KSeF invoice number" },
     invoiceRef: { type: "string", description: "Invoice reference" },
+    parsed: { type: "boolean", description: "Parse UPO XML and output as JSON" },
     o: { type: "string", description: "Output file path" },
     env: { type: "string", description: "Environment (test/demo/prod)" },
     json: { type: "boolean", description: "Output as JSON" },
@@ -7394,12 +8206,23 @@ var upo = defineCommand3({
       } else {
         throw new Error("Provide one of: --upo-ref, --ksef-number, or --invoice-ref");
       }
+      if (args.parsed) {
+        const parsed = parseUpoXml(result.upo);
+        const json = JSON.stringify(parsed, null, 2);
+        if (args.o) {
+          fs4.writeFileSync(args.o, json, "utf-8");
+          outputSuccess(`Parsed UPO saved to ${args.o}`);
+        } else {
+          console.log(json);
+        }
+        return;
+      }
       if (args.json) {
         outputResult(result, { json: true });
         return;
       }
       if (args.o) {
-        fs3.writeFileSync(args.o, result.upo, "utf-8");
+        fs4.writeFileSync(args.o, result.upo, "utf-8");
         outputSuccess(`UPO saved to ${args.o}`);
       } else {
         console.log(result.upo);
@@ -7529,10 +8352,173 @@ var sessionCommand = defineCommand3({
 });
 // src/cli/commands/invoice.ts
-import * as fs4 from "fs";
-import * as path3 from "path";
+import * as fs7 from "fs";
+import * as path5 from "path";
+import { Readable } from "stream";
+import { defineCommand as defineCommand5 } from "citty";
+import { consola as consola7 } from "consola";
+init_document_structures();
+// src/cli/commands/export-incremental.ts
+import * as fs6 from "fs";
+import * as path4 from "path";
 import { defineCommand as defineCommand4 } from "citty";
 import { consola as consola6 } from "consola";
+// src/workflows/hwm-storage.ts
+import * as fs5 from "fs/promises";
+var FileHwmStore = class {
+  constructor(filePath) {
+    this.filePath = filePath;
+  }
+  async load() {
+    try {
+      const data = await fs5.readFile(this.filePath, "utf-8");
+      return JSON.parse(data);
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        return {};
+      }
+      throw err;
+    }
+  }
+  async save(points) {
+    await fs5.writeFile(this.filePath, JSON.stringify(points, null, 2), "utf-8");
+  }
+};
+// src/utils/zip.ts
+import { ZipFile } from "yazl";
+import { fromBuffer } from "yauzl";
+// src/workflows/invoice-export-workflow.ts
+init_polling();
+async function doExport(client, filters, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const opResp = await client.invoices.exportInvoices({
+    encryption: encData.encryptionInfo,
+    filters,
+    onlyMetadata: options?.onlyMetadata
+  });
+  const result = await pollUntil(
+    () => client.invoices.getInvoiceExportStatus(opResp.referenceNumber),
+    (s) => s.status.code === 200 || s.status.code >= 400,
+    { ...options?.pollOptions, description: `export ${opResp.referenceNumber}` }
+  );
+  if (result.status.code !== 200) {
+    throw new Error(`Export failed: ${result.status.code} \u2014 ${result.status.description}`);
+  }
+  if (!result.package) {
+    throw new Error("Export completed but no package available");
+  }
+  return {
+    encData,
+    referenceNumber: opResp.referenceNumber,
+    result: {
+      parts: result.package.parts.map((p) => ({
+        ordinalNumber: p.ordinalNumber,
+        url: p.url,
+        method: p.method,
+        partSize: p.partSize,
+        encryptedPartSize: p.encryptedPartSize,
+        encryptedPartHash: p.encryptedPartHash,
+        expirationDate: p.expirationDate
+      })),
+      invoiceCount: result.package.invoiceCount,
+      isTruncated: result.package.isTruncated,
+      permanentStorageHwmDate: result.package.permanentStorageHwmDate,
+      lastPermanentStorageDate: result.package.lastPermanentStorageDate
+    }
+  };
+}
+// src/workflows/hwm-coordinator.ts
+function updateContinuationPoint(points, subjectType, pkg2) {
+  if (pkg2.isTruncated && pkg2.lastPermanentStorageDate) {
+    points[subjectType] = pkg2.lastPermanentStorageDate;
+  } else if (pkg2.permanentStorageHwmDate) {
+    points[subjectType] = pkg2.permanentStorageHwmDate;
+  } else {
+    delete points[subjectType];
+  }
+}
+function getEffectiveStartDate(points, subjectType, windowFrom) {
+  return points[subjectType] ?? windowFrom;
+}
+// src/workflows/incremental-export-workflow.ts
+async function incrementalExportAndDownload(client, options) {
+  const maxIterations = options.maxIterations ?? 20;
+  const points = options.continuationPoints;
+  if (options.store) {
+    const loaded = await options.store.load();
+    for (const [key, value] of Object.entries(loaded)) {
+      if (value !== void 0 && points[key] === void 0) {
+        points[key] = value;
+      }
+    }
+  }
+  const referenceNumbers = [];
+  const decryptedParts = [];
+  let previousFrom;
+  let iteration = 0;
+  for (; iteration < maxIterations; iteration++) {
+    const effectiveFrom = getEffectiveStartDate(points, options.subjectType, options.windowFrom);
+    if (previousFrom !== void 0 && effectiveFrom === previousFrom) {
+      break;
+    }
+    previousFrom = effectiveFrom;
+    const filters = options.filtersFactory ? options.filtersFactory(effectiveFrom, options.windowTo) : buildDefaultFilters(options.subjectType, effectiveFrom, options.windowTo);
+    const { result, encData, referenceNumber } = await doExport(client, filters, {
+      onlyMetadata: options.onlyMetadata,
+      pollOptions: options.pollOptions
+    });
+    referenceNumbers.push(referenceNumber);
+    const download = options.transport ?? fetch;
+    for (const part of result.parts) {
+      const resp = await download(part.url, { method: part.method });
+      if (!resp.ok) {
+        throw new Error(`Download failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+      }
+      const encryptedData = new Uint8Array(await resp.arrayBuffer());
+      const decrypted = client.crypto.decryptAES256(encryptedData, encData.cipherKey, encData.cipherIv);
+      decryptedParts.push(decrypted);
+    }
+    updateContinuationPoint(points, options.subjectType, {
+      isTruncated: result.isTruncated,
+      lastPermanentStorageDate: result.lastPermanentStorageDate,
+      permanentStorageHwmDate: result.permanentStorageHwmDate
+    });
+    if (options.store) {
+      await options.store.save(points);
+    }
+    options.onIterationComplete?.(iteration, result);
+    if (!result.isTruncated) {
+      iteration++;
+      break;
+    }
+  }
+  return {
+    referenceNumbers,
+    invoices: [],
+    decryptedParts,
+    continuationPoints: points,
+    iterationCount: iteration
+  };
+}
+function buildDefaultFilters(subjectType, from, to) {
+  return {
+    subjectType,
+    dateRange: {
+      dateType: "PermanentStorage",
+      from,
+      to
+    }
+  };
+}
+// src/cli/commands/export-incremental.ts
 function getGlobalOpts3(args) {
   return {
     env: args.env,
@@ -7542,6 +8528,101 @@ function getGlobalOpts3(args) {
     nip: args.nip
   };
 }
+var exportIncremental = defineCommand4({
+  meta: { name: "export-incremental", description: "Incremental invoice export with HWM state persistence" },
+  args: {
+    from: { type: "string", description: "Start date (YYYY-MM-DD) \u2014 required", required: true },
+    to: { type: "string", description: "End date (YYYY-MM-DD)" },
+    subjectType: { type: "string", description: "Subject type: Subject1|Subject2|Subject3|SubjectAuthorized (default: Subject1)" },
+    stateFile: { type: "string", description: "HWM state file path (default: ./ksef-hwm-state.json)" },
+    outputDir: { type: "string", description: "Output directory for exported parts (default: ./ksef-exports/)" },
+    maxIterations: { type: "string", description: "Max export iterations (default: 20)" },
+    env: { type: "string", description: "Environment (test/demo/prod)" },
+    json: { type: "boolean", description: "Output as JSON" },
+    verbose: { type: "boolean", description: "Show HTTP request/response details" },
+    timeout: { type: "string", description: "Request timeout (ms)" },
+    nip: { type: "string", description: "NIP number" }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const globalOpts = getGlobalOpts3(args);
+      const { client } = requireSession(globalOpts);
+      const from = args.from;
+      const to = args.to ?? (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+      const subjectType = args.subjectType ?? "Subject1";
+      const stateFile = args.stateFile ?? "./ksef-hwm-state.json";
+      const outputDir = args.outputDir ?? "./ksef-exports";
+      const maxIterations = args.maxIterations ? parseInt(args.maxIterations, 10) : 20;
+      const isJson = args.json;
+      const store = new FileHwmStore(stateFile);
+      const continuationPoints = {};
+      if (!fs6.existsSync(outputDir)) {
+        fs6.mkdirSync(outputDir, { recursive: true });
+      }
+      if (!isJson) {
+        consola6.start(`Incremental export: ${from} \u2192 ${to}, subject: ${subjectType}`);
+        consola6.info(`State file: ${stateFile}`);
+        consola6.info(`Output dir: ${outputDir}`);
+      }
+      const iterationParts = [];
+      const result = await incrementalExportAndDownload(client, {
+        subjectType,
+        windowFrom: from,
+        windowTo: to,
+        continuationPoints,
+        maxIterations,
+        store,
+        pollOptions: { intervalMs: 2e3 },
+        onIterationComplete: (iteration, iterResult) => {
+          iterationParts.push({ iteration, partCount: iterResult.parts.length });
+          if (!isJson) {
+            const hwmDate = continuationPoints[subjectType] ?? "complete";
+            consola6.info(
+              `Iteration ${iteration + 1}: ${iterResult.invoiceCount} invoices, truncated: ${iterResult.isTruncated}, HWM: ${hwmDate}`
+            );
+          }
+        }
+      });
+      let partIndex = 0;
+      for (const { iteration, partCount } of iterationParts) {
+        for (let p = 0; p < partCount; p++) {
+          if (partIndex < result.decryptedParts.length) {
+            const fileName = `iter-${String(iteration + 1).padStart(3, "0")}-part-${String(p + 1).padStart(3, "0")}.zip`;
+            const filePath = path4.join(outputDir, fileName);
+            fs6.writeFileSync(filePath, result.decryptedParts[partIndex]);
+            partIndex++;
+          }
+        }
+      }
+      if (isJson) {
+        outputResult({
+          referenceNumbers: result.referenceNumbers,
+          iterationCount: result.iterationCount,
+          totalParts: result.decryptedParts.length,
+          continuationPoints: result.continuationPoints,
+          outputDir
+        }, { json: true });
+      } else {
+        outputSuccess(
+          `Export complete: ${result.iterationCount} iterations, ${result.decryptedParts.length} parts downloaded`
+        );
+        consola6.info(`Final HWM: ${continuationPoints[subjectType] ?? "complete"}`);
+        consola6.info(`Output: ${outputDir}`);
+      }
+    });
+  }
+});
+// src/cli/commands/invoice.ts
+function getGlobalOpts4(args) {
+  return {
+    env: args.env,
+    json: args.json,
+    verbose: args.verbose,
+    timeout: args.timeout,
+    nip: args.nip
+  };
+}
 function buildQueryFilters(args) {
   const from = args.from;
   if (!from) {
@@ -7585,11 +8666,13 @@ var QUERY_FILTER_ARGS = {
   amountType: { type: "string", description: "Amount type: Brutto|Netto|Vat (default: Brutto)" },
   currency: { type: "string", description: "Currency code (e.g. PLN, EUR)" }
 };
-var send = defineCommand4({
+var send = defineCommand5({
   meta: { name: "send", description: "Send invoice(s) \u2014 single XML file or directory for batch" },
   args: {
-    path: { type: "positional", description: "Path to XML file or directory of XMLs", required: true },
+    path: { type: "positional", description: "Path to XML file, directory of XMLs, or ZIP for batch", required: true },
     sessionRef: { type: "string", description: "Override online session reference" },
+    stream: { type: "boolean", description: "Use stream-based batch upload (for ZIP files, reduces memory usage)" },
+    formCode: { type: "string", description: "Document type: FA2, FA3, PEF3, PEFKOR3, FARR1 (default: FA2)" },
     env: { type: "string", description: "Environment (test/demo/prod)" },
     json: { type: "boolean", description: "Output as JSON" },
     verbose: { type: "boolean", description: "Show HTTP request/response details" },
@@ -7598,29 +8681,65 @@ var send = defineCommand4({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts3(args);
+      const globalOpts = getGlobalOpts4(args);
       const { client, session } = requireSession(globalOpts);
       const config = loadConfig();
       const nip = args.nip ?? config.nip;
       const filePath = args.path;
-      if (!fs4.existsSync(filePath)) {
+      const formCodeKey = args.formCode;
+      let formCode = FORM_CODES.FA_2;
+      if (formCodeKey) {
+        const resolved = FORM_CODE_KEYS[formCodeKey];
+        if (!resolved) {
+          throw new Error(`Invalid form code "${formCodeKey}". Valid keys: ${Object.keys(FORM_CODE_KEYS).join(", ")}`);
+        }
+        formCode = resolved;
+      }
+      if (!fs7.existsSync(filePath)) {
         throw new Error(`Path not found: ${filePath}`);
       }
-      const stat = fs4.statSync(filePath);
+      const stat = fs7.statSync(filePath);
+      if (args.stream) {
+        if (!filePath.endsWith(".zip") || stat.isDirectory()) {
+          throw new Error("--stream requires a .zip file path.");
+        }
+        if (!nip) {
+          throw new Error("NIP is required. Provide --nip or set it via `ksef config set --nip <nip>`.");
+        }
+        if (!validateFormCodeForSession(formCode, "batch")) {
+          throw new Error(`Document type "${formCode.systemCode}" is not supported in batch sessions. PEF/PEF_KOR require online sessions.`);
+        }
+        const { uploadBatchStream: uploadBatchStream2 } = await Promise.resolve().then(() => (init_batch_session_workflow(), batch_session_workflow_exports));
+        const zipSize = stat.size;
+        const zipStreamFactory = () => Readable.toWeb(fs7.createReadStream(filePath));
+        if (!args.json) consola7.start(`Sending batch via stream (${(zipSize / 1e6).toFixed(1)} MB)...`);
+        const result = await uploadBatchStream2(client, zipStreamFactory, zipSize, {
+          formCode,
+          pollOptions: { intervalMs: 3e3 }
+        });
+        if (args.json) {
+          outputResult(result, { json: true });
+        } else {
+          outputSuccess(`Batch sent via stream. Ref: ${result.sessionRef}, invoices: ${result.upo.invoiceCount ?? "unknown"}`);
+        }
+        return;
+      }
       if (stat.isDirectory()) {
-        const xmlFiles = fs4.readdirSync(filePath).filter((f) => f.endsWith(".xml")).map((f) => path3.join(filePath, f));
+        const xmlFiles = fs7.readdirSync(filePath).filter((f) => f.endsWith(".xml")).map((f) => path5.join(filePath, f));
         if (xmlFiles.length === 0) {
           throw new Error(`No XML files found in ${filePath}`);
         }
         if (!nip) {
           throw new Error("NIP is required. Provide --nip or set it via `ksef config set --nip <nip>`.");
         }
-        if (!args.json) consola6.start(`Sending ${xmlFiles.length} invoices via batch session...`);
+        if (!validateFormCodeForSession(formCode, "batch")) {
+          throw new Error(`Document type "${formCode.systemCode}" is not supported in batch sessions. PEF/PEF_KOR require online sessions.`);
+        }
+        if (!args.json) consola7.start(`Sending ${xmlFiles.length} invoices via batch session...`);
         await client.crypto.init();
         const encryptionData = client.crypto.getEncryptionData();
-        const formCode = { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" };
         const parts = xmlFiles.map((file, i) => {
-          const content = fs4.readFileSync(file);
+          const content = fs7.readFileSync(file);
           const metadata = client.crypto.getFileMetadata(new Uint8Array(content));
           return {
             data: content.buffer,
@@ -7628,7 +8747,7 @@ var send = defineCommand4({
             ordinalNumber: i + 1
           };
         });
-        const totalContent = Buffer.concat(xmlFiles.map((f) => fs4.readFileSync(f)));
+        const totalContent = Buffer.concat(xmlFiles.map((f) => fs7.readFileSync(f)));
         const totalMetadata = client.crypto.getFileMetadata(new Uint8Array(totalContent));
         const batchFileInfo = {
           fileSize: totalMetadata.fileSize,
@@ -7656,10 +8775,10 @@ var send = defineCommand4({
         if (!ref) {
           throw new Error("No active online session. Run `ksef session open` or provide --session-ref.");
         }
-        if (!args.json) consola6.start("Sending invoice...");
+        if (!args.json) consola7.start("Sending invoice...");
         await client.crypto.init();
         const encryptionData = client.crypto.getEncryptionData();
-        const xmlContent = fs4.readFileSync(filePath);
+        const xmlContent = fs7.readFileSync(filePath);
         const xmlBytes = new Uint8Array(xmlContent);
         const plainMetadata = client.crypto.getFileMetadata(xmlBytes);
         const encrypted = client.crypto.encryptAES256(xmlBytes, encryptionData.cipherKey, encryptionData.cipherIv);
@@ -7680,7 +8799,7 @@ var send = defineCommand4({
     });
   }
 });
-var get = defineCommand4({
+var get = defineCommand5({
   meta: { name: "get", description: "Download invoice by KSeF number" },
   args: {
     ksefNumber: { type: "positional", description: "KSeF invoice number", required: true },
@@ -7692,7 +8811,7 @@ var get = defineCommand4({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts3(args);
+      const globalOpts = getGlobalOpts4(args);
       const { client } = requireSession(globalOpts);
       const xml = await client.invoices.getInvoice(args.ksefNumber);
       if (args.json) {
@@ -7700,7 +8819,7 @@ var get = defineCommand4({
         return;
       }
       if (args.o) {
-        fs4.writeFileSync(args.o, xml, "utf-8");
+        fs7.writeFileSync(args.o, xml, "utf-8");
         outputSuccess(`Invoice saved to ${args.o}`);
       } else {
         console.log(xml);
@@ -7708,7 +8827,7 @@ var get = defineCommand4({
     });
   }
 });
-var query = defineCommand4({
+var query = defineCommand5({
   meta: { name: "query", description: "Query invoice metadata" },
   args: {
     ...QUERY_FILTER_ARGS,
@@ -7722,7 +8841,7 @@ var query = defineCommand4({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts3(args);
+      const globalOpts = getGlobalOpts4(args);
       const { client } = requireSession(globalOpts);
       const filters = buildQueryFilters(args);
       const pageOffset = args.page ? parseInt(args.page, 10) : void 0;
@@ -7737,7 +8856,7 @@ var query = defineCommand4({
         return;
       }
       if (result.invoices.length === 0) {
-        consola6.info("No invoices found matching the criteria.");
+        consola7.info("No invoices found matching the criteria.");
         return;
       }
       outputTable(
@@ -7760,12 +8879,12 @@ var query = defineCommand4({
         { json: false }
       );
       if (result.hasMore) {
-        consola6.info("More results available. Use --page to fetch the next page.");
+        consola7.info("More results available. Use --page to fetch the next page.");
       }
     });
   }
 });
-var exportCmd = defineCommand4({
+var exportCmd = defineCommand5({
   meta: { name: "export", description: "Start invoice export" },
   args: {
     ...QUERY_FILTER_ARGS,
@@ -7777,9 +8896,9 @@ var exportCmd = defineCommand4({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts3(args);
+      const globalOpts = getGlobalOpts4(args);
       const { client } = requireSession(globalOpts);
-      if (!args.json) consola6.start("Starting invoice export...");
+      if (!args.json) consola7.start("Starting invoice export...");
       await client.crypto.init();
       const encryptionData = client.crypto.getEncryptionData();
       const filters = buildQueryFilters(args);
@@ -7790,12 +8909,12 @@ var exportCmd = defineCommand4({
         outputResult(result, { json: true });
       } else {
         outputSuccess(`Export started. Ref: ${result.referenceNumber}`);
-        consola6.info("Check status with: ksef invoice export-status " + result.referenceNumber);
+        consola7.info("Check status with: ksef invoice export-status " + result.referenceNumber);
       }
     });
   }
 });
-var exportStatus = defineCommand4({
+var exportStatus = defineCommand5({
   meta: { name: "export-status", description: "Check invoice export status" },
   args: {
     ref: { type: "positional", description: "Export reference number", required: true },
@@ -7806,22 +8925,22 @@ var exportStatus = defineCommand4({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts3(args);
+      const globalOpts = getGlobalOpts4(args);
       const { client } = requireSession(globalOpts);
       const result = await client.invoices.getInvoiceExportStatus(args.ref);
       if (args.json) {
         outputResult(result, { json: true });
         return;
       }
-      consola6.info(`Status: ${result.status.code} \u2014 ${result.status.description}`);
+      consola7.info(`Status: ${result.status.code} \u2014 ${result.status.description}`);
       if (result.completedDate) {
-        consola6.info(`Completed: ${result.completedDate}`);
+        consola7.info(`Completed: ${result.completedDate}`);
       }
       if (result.packageExpirationDate) {
-        consola6.info(`Package expires: ${result.packageExpirationDate}`);
+        consola7.info(`Package expires: ${result.packageExpirationDate}`);
       }
       if (result.package) {
-        consola6.info(`Invoices: ${result.package.invoiceCount}, Size: ${result.package.size} bytes`);
+        consola7.info(`Invoices: ${result.package.invoiceCount}, Size: ${result.package.size} bytes`);
         if (result.package.parts.length > 0) {
           outputTable(
             result.package.parts.map((p) => ({
@@ -7845,14 +8964,14 @@ var exportStatus = defineCommand4({
     });
   }
 });
-var invoiceCommand = defineCommand4({
+var invoiceCommand = defineCommand5({
   meta: { name: "invoice", description: "Invoice commands" },
-  subCommands: { send, get, query, export: exportCmd, "export-status": exportStatus }
+  subCommands: { send, get, query, export: exportCmd, "export-status": exportStatus, "export-incremental": exportIncremental }
 });
 // src/cli/commands/permission.ts
-import { defineCommand as defineCommand5 } from "citty";
-function getGlobalOpts4(args) {
+import { defineCommand as defineCommand6 } from "citty";
+function getGlobalOpts5(args) {
   return {
     env: args.env,
     json: args.json,
@@ -7861,7 +8980,7 @@ function getGlobalOpts4(args) {
     nip: args.nip
   };
 }
-var grant = defineCommand5({
+var grant = defineCommand6({
   meta: { name: "grant", description: "Grant permissions to a subject" },
   args: {
     type: { type: "string", description: "Grant type: person, entity, authorization, indirect, subunit, eu-entity-admin, eu-entity-representative", required: true },
@@ -7886,7 +9005,7 @@ var grant = defineCommand5({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts4(args);
+      const globalOpts = getGlobalOpts5(args);
       const { client } = requireSession(globalOpts);
       let result;
       switch (args.type) {
@@ -8042,7 +9161,7 @@ var grant = defineCommand5({
     });
   }
 });
-var revoke2 = defineCommand5({
+var revoke2 = defineCommand6({
   meta: { name: "revoke", description: "Revoke a permission grant" },
   args: {
     grantId: { type: "positional", description: "Grant ID to revoke", required: true },
@@ -8055,7 +9174,7 @@ var revoke2 = defineCommand5({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts4(args);
+      const globalOpts = getGlobalOpts5(args);
       const { client } = requireSession(globalOpts);
       let result;
       if (args.authorization) {
@@ -8071,7 +9190,7 @@ var revoke2 = defineCommand5({
     });
   }
 });
-var search = defineCommand5({
+var search = defineCommand6({
   meta: { name: "search", description: "Search permissions" },
   args: {
     type: { type: "string", description: "Search type: personal, persons, subunits, entities, entities-grants, subordinate-entities, authorizations, eu-entities", required: true },
@@ -8088,7 +9207,7 @@ var search = defineCommand5({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts4(args);
+      const globalOpts = getGlobalOpts5(args);
       const { client } = requireSession(globalOpts);
       const page = args.page ? parseInt(args.page, 10) : void 0;
       const pageSize = args.pageSize ? parseInt(args.pageSize, 10) : void 0;
@@ -8310,7 +9429,7 @@ var search = defineCommand5({
     });
   }
 });
-var status3 = defineCommand5({
+var status3 = defineCommand6({
   meta: { name: "status", description: "Check permission operation status" },
   args: {
     ref: { type: "positional", description: "Operation reference number", required: true },
@@ -8322,7 +9441,7 @@ var status3 = defineCommand5({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts4(args);
+      const globalOpts = getGlobalOpts5(args);
       const { client } = requireSession(globalOpts);
       const result = await client.permissions.getOperationStatus(args.ref);
       if (args.json) {
@@ -8336,7 +9455,7 @@ var status3 = defineCommand5({
     });
   }
 });
-var attachmentStatus = defineCommand5({
+var attachmentStatus = defineCommand6({
   meta: { name: "attachment-status", description: "Check if attachment permissions are allowed" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -8347,7 +9466,7 @@ var attachmentStatus = defineCommand5({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts4(args);
+      const globalOpts = getGlobalOpts5(args);
       const { client } = requireSession(globalOpts);
       const result = await client.permissions.getAttachmentStatus();
       if (args.json) {
@@ -8360,15 +9479,15 @@ var attachmentStatus = defineCommand5({
     });
   }
 });
-var permissionCommand = defineCommand5({
+var permissionCommand = defineCommand6({
   meta: { name: "permission", description: "Permission management commands" },
   subCommands: { grant, revoke: revoke2, search, status: status3, "attachment-status": attachmentStatus }
 });
 // src/cli/commands/token.ts
-import { defineCommand as defineCommand6 } from "citty";
-import { consola as consola7 } from "consola";
-function getGlobalOpts5(args) {
+import { defineCommand as defineCommand7 } from "citty";
+import { consola as consola8 } from "consola";
+function getGlobalOpts6(args) {
   return {
     env: args.env,
     json: args.json,
@@ -8377,7 +9496,7 @@ function getGlobalOpts5(args) {
     nip: args.nip
   };
 }
-var generate = defineCommand6({
+var generate = defineCommand7({
   meta: { name: "generate", description: "Generate a new KSeF token" },
   args: {
     permissions: { type: "string", description: "Comma-separated permissions (e.g. InvoiceRead,InvoiceWrite)", required: true },
@@ -8390,7 +9509,7 @@ var generate = defineCommand6({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts5(args);
+      const globalOpts = getGlobalOpts6(args);
       const { client } = requireSession(globalOpts);
       if (!args.permissions) {
         throw new Error("--permissions is required. Provide comma-separated values (e.g. InvoiceRead,InvoiceWrite).");
@@ -8413,7 +9532,7 @@ var generate = defineCommand6({
     });
   }
 });
-var list2 = defineCommand6({
+var list2 = defineCommand7({
   meta: { name: "list", description: "List KSeF tokens" },
   args: {
     status: { type: "string", description: "Comma-separated statuses (e.g. Active,Pending)" },
@@ -8430,7 +9549,7 @@ var list2 = defineCommand6({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts5(args);
+      const globalOpts = getGlobalOpts6(args);
       const { client } = requireSession(globalOpts);
       const options = {
         continuationToken: args.continue,
@@ -8467,12 +9586,12 @@ var list2 = defineCommand6({
         { json: false }
       );
       if (result.continuationToken) {
-        consola7.info(`More results available. Continuation token: ${result.continuationToken}`);
+        consola8.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
     });
   }
 });
-var get2 = defineCommand6({
+var get2 = defineCommand7({
   meta: { name: "get", description: "Get token details" },
   args: {
     ref: { type: "positional", description: "Token reference number", required: true },
@@ -8484,7 +9603,7 @@ var get2 = defineCommand6({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts5(args);
+      const globalOpts = getGlobalOpts6(args);
       const { client } = requireSession(globalOpts);
       const ref = args.ref;
       const result = await client.tokens.getToken(ref);
@@ -8505,7 +9624,7 @@ var get2 = defineCommand6({
     });
   }
 });
-var revoke3 = defineCommand6({
+var revoke3 = defineCommand7({
   meta: { name: "revoke", description: "Revoke a KSeF token" },
   args: {
     ref: { type: "positional", description: "Token reference number", required: true },
@@ -8517,7 +9636,7 @@ var revoke3 = defineCommand6({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts5(args);
+      const globalOpts = getGlobalOpts6(args);
       const { client } = requireSession(globalOpts);
       const ref = args.ref;
       await client.tokens.revokeToken(ref);
@@ -8529,24 +9648,24 @@ var revoke3 = defineCommand6({
     });
   }
 });
-var tokenCommand = defineCommand6({
+var tokenCommand = defineCommand7({
   meta: { name: "token", description: "Token management commands" },
   subCommands: { generate, list: list2, get: get2, revoke: revoke3 }
 });
 // src/cli/commands/cert.ts
-import { defineCommand as defineCommand7 } from "citty";
-import { consola as consola8 } from "consola";
-import fs5 from "fs";
-import path4 from "path";
+import { defineCommand as defineCommand8 } from "citty";
+import { consola as consola9 } from "consola";
+import fs8 from "fs";
+import path6 from "path";
 // src/crypto/certificate-service.ts
-import * as crypto4 from "crypto";
+import * as crypto5 from "crypto";
 import * as x5092 from "@peculiar/x509";
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
     const der = extractDerFromPem2(certPem);
-    return crypto4.createHash("sha256").update(der).digest("hex").toUpperCase();
+    return crypto5.createHash("sha256").update(der).digest("hex").toUpperCase();
   }
   static async generatePersonalCertificate(givenName, surname, serialNumber, commonName, method = "RSA") {
     const nameParts = [];
@@ -8569,7 +9688,7 @@ var CertificateService = class {
   }
 };
 async function generateSelfSigned(subject2, method) {
-  x5092.cryptoProvider.set(crypto4.webcrypto);
+  x5092.cryptoProvider.set(crypto5.webcrypto);
   let algorithm;
   let signingAlgorithm;
   if (method === "ECDSA") {
@@ -8584,7 +9703,7 @@ async function generateSelfSigned(subject2, method) {
     };
     signingAlgorithm = algorithm;
   }
-  const keys = await crypto4.webcrypto.subtle.generateKey(
+  const keys = await crypto5.webcrypto.subtle.generateKey(
     algorithm,
     true,
     ["sign", "verify"]
@@ -8601,9 +9720,9 @@ async function generateSelfSigned(subject2, method) {
     serialNumber: Date.now().toString(16)
   });
   const certPem = cert.toString("pem");
-  const pkcs8 = await crypto4.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+  const pkcs8 = await crypto5.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
   const privateKeyPem = pemEncode2(new Uint8Array(pkcs8), "PRIVATE KEY");
-  const fingerprint = crypto4.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
+  const fingerprint = crypto5.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
   return { certificatePem: certPem, privateKeyPem, fingerprint };
 }
 function extractDerFromPem2(pem) {
@@ -8622,7 +9741,7 @@ ${lines.join("\n")}
 }
 // src/cli/commands/cert.ts
-function getGlobalOpts6(args) {
+function getGlobalOpts7(args) {
   return {
     env: args.env,
     json: args.json,
@@ -8631,7 +9750,7 @@ function getGlobalOpts6(args) {
     nip: args.nip
   };
 }
-var generate2 = defineCommand7({
+var generate2 = defineCommand8({
   meta: { name: "generate", description: "Generate a self-signed certificate locally" },
   args: {
     type: { type: "string", description: "Certificate type: personal or company-seal", required: true },
@@ -8656,21 +9775,21 @@ var generate2 = defineCommand7({
       const certType = args.type;
       const cn = args.cn;
       const method = args.method || "RSA";
-      const outDir = path4.resolve(args.out || ".");
+      const outDir = path6.resolve(args.out || ".");
       if (certType !== "personal" && certType !== "company-seal") {
         throw new Error('--type must be "personal" or "company-seal".');
       }
       if (method !== "RSA" && method !== "ECDSA") {
         throw new Error('--method must be "RSA" or "ECDSA".');
       }
-      fs5.mkdirSync(outDir, { recursive: true });
-      const certPath = path4.join(outDir, "cert.pem");
-      const keyPath = path4.join(outDir, "key.pem");
+      fs8.mkdirSync(outDir, { recursive: true });
+      const certPath = path6.join(outDir, "cert.pem");
+      const keyPath = path6.join(outDir, "key.pem");
       if (!args.force) {
-        if (fs5.existsSync(certPath)) {
+        if (fs8.existsSync(certPath)) {
           throw new Error(`File already exists: ${certPath}. Use --force to overwrite.`);
         }
-        if (fs5.existsSync(keyPath)) {
+        if (fs8.existsSync(keyPath)) {
           throw new Error(`File already exists: ${keyPath}. Use --force to overwrite.`);
         }
       }
@@ -8697,8 +9816,8 @@ var generate2 = defineCommand7({
           method
         );
       }
-      fs5.writeFileSync(certPath, result.certificatePem, "utf-8");
-      fs5.writeFileSync(keyPath, result.privateKeyPem, "utf-8");
+      fs8.writeFileSync(certPath, result.certificatePem, "utf-8");
+      fs8.writeFileSync(keyPath, result.privateKeyPem, "utf-8");
       if (args.json) {
         outputResult({ certPath, keyPath, fingerprint: result.fingerprint }, { json: true });
       } else {
@@ -8712,7 +9831,7 @@ var generate2 = defineCommand7({
     });
   }
 });
-var enroll = defineCommand7({
+var enroll = defineCommand8({
   meta: { name: "enroll", description: "Submit certificate enrollment" },
   args: {
     cert: { type: "string", description: "Path to certificate PEM file", required: true },
@@ -8727,9 +9846,9 @@ var enroll = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
-      const certPem = fs5.readFileSync(args.cert, "utf-8");
+      const certPem = fs8.readFileSync(args.cert, "utf-8");
       await client.crypto.init();
       const request = {
         certificateName: args.name,
@@ -8750,7 +9869,7 @@ var enroll = defineCommand7({
     });
   }
 });
-var status4 = defineCommand7({
+var status4 = defineCommand8({
   meta: { name: "status", description: "Check certificate enrollment status" },
   args: {
     ref: { type: "positional", description: "Enrollment reference number", required: true },
@@ -8762,7 +9881,7 @@ var status4 = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const ref = args.ref;
       const result = await client.certificates.getEnrollmentStatus(ref);
@@ -8782,7 +9901,7 @@ var status4 = defineCommand7({
     });
   }
 });
-var list3 = defineCommand7({
+var list3 = defineCommand8({
   meta: { name: "list", description: "Query certificates" },
   args: {
     serial: { type: "string", description: "Filter by serial number" },
@@ -8800,7 +9919,7 @@ var list3 = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const request = {
         certificateSerialNumber: args.serial,
@@ -8840,12 +9959,12 @@ var list3 = defineCommand7({
         { json: false }
       );
       if (result.hasMore) {
-        consola8.info("More results available. Use --page to paginate.");
+        consola9.info("More results available. Use --page to paginate.");
       }
     });
   }
 });
-var revoke4 = defineCommand7({
+var revoke4 = defineCommand8({
   meta: { name: "revoke", description: "Revoke a certificate" },
   args: {
     serial: { type: "positional", description: "Certificate serial number", required: true },
@@ -8858,7 +9977,7 @@ var revoke4 = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const serial = args.serial;
       await client.certificates.revoke(serial, {
@@ -8872,7 +9991,7 @@ var revoke4 = defineCommand7({
     });
   }
 });
-var limits = defineCommand7({
+var limits = defineCommand8({
   meta: { name: "limits", description: "View certificate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -8883,7 +10002,7 @@ var limits = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const result = await client.certificates.getLimits();
       if (args.json) {
@@ -8900,7 +10019,7 @@ var limits = defineCommand7({
     });
   }
 });
-var enrollmentData = defineCommand7({
+var enrollmentData = defineCommand8({
   meta: { name: "enrollment-data", description: "Get enrollment data template from KSeF" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -8911,7 +10030,7 @@ var enrollmentData = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const result = await client.certificates.getEnrollmentData();
       if (args.json) {
@@ -8931,7 +10050,7 @@ var enrollmentData = defineCommand7({
     });
   }
 });
-var retrieve = defineCommand7({
+var retrieve = defineCommand8({
   meta: { name: "retrieve", description: "Retrieve certificates by serial numbers" },
   args: {
     serial: { type: "string", description: "Comma-separated certificate serial numbers", required: true },
@@ -8943,7 +10062,7 @@ var retrieve = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const serials = args.serial.split(",").map((s) => s.trim()).filter(Boolean);
       if (serials.length === 0) {
@@ -8974,14 +10093,14 @@ var retrieve = defineCommand7({
     });
   }
 });
-var certCommand = defineCommand7({
+var certCommand = defineCommand8({
   meta: { name: "cert", description: "Certificate management commands" },
   subCommands: { generate: generate2, enroll, status: status4, list: list3, revoke: revoke4, limits, "enrollment-data": enrollmentData, retrieve }
 });
 // src/cli/commands/qr.ts
-import * as fs6 from "fs";
-import { defineCommand as defineCommand8 } from "citty";
+import * as fs9 from "fs";
+import { defineCommand as defineCommand9 } from "citty";
 // src/qr/qrcode-service.ts
 import * as QRCode from "qrcode";
@@ -9043,7 +10162,7 @@ function escapeXml2(str) {
 }
 // src/cli/commands/qr.ts
-function getGlobalOpts7(args) {
+function getGlobalOpts8(args) {
   return {
     env: args.env,
     json: args.json,
@@ -9052,7 +10171,7 @@ function getGlobalOpts7(args) {
     nip: args.nip
   };
 }
-var invoice2 = defineCommand8({
+var invoice2 = defineCommand9({
   meta: { name: "invoice", description: "Generate invoice QR code" },
   args: {
     nip: { type: "string", description: "NIP number", required: true },
@@ -9069,7 +10188,7 @@ var invoice2 = defineCommand8({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts7(args);
+      const globalOpts = getGlobalOpts8(args);
       const client = createClient(globalOpts);
       const size = args.size ? parseInt(args.size, 10) : 300;
       const format = args.format ?? "png";
@@ -9082,7 +10201,7 @@ var invoice2 = defineCommand8({
       if (format === "svg") {
         const svg = args.label ? await QrCodeService.generateQrCodeSvgWithLabel(url2, args.label, { width: size }) : await QrCodeService.generateQrCodeSvg(url2, { width: size });
         if (args.o) {
-          fs6.writeFileSync(args.o, svg);
+          fs9.writeFileSync(args.o, svg);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9091,7 +10210,7 @@ URL: ${url2}`);
       } else {
         const buffer = await QrCodeService.generateQrCode(url2, { width: size });
         if (args.o) {
-          fs6.writeFileSync(args.o, buffer);
+          fs9.writeFileSync(args.o, buffer);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9101,7 +10220,7 @@ URL: ${url2}`);
     });
   }
 });
-var certificate = defineCommand8({
+var certificate = defineCommand9({
   meta: { name: "certificate", description: "Generate certificate QR code" },
   args: {
     "context-type": { type: "string", description: "Context identifier type", required: true },
@@ -9122,11 +10241,11 @@ var certificate = defineCommand8({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts7(args);
+      const globalOpts = getGlobalOpts8(args);
       const client = createClient(globalOpts);
       const size = args.size ? parseInt(args.size, 10) : 300;
       const format = args.format ?? "png";
-      const privateKeyPem = fs6.readFileSync(args.key, "utf-8");
+      const privateKeyPem = fs9.readFileSync(args.key, "utf-8");
       const url2 = client.qr.buildCertificateVerificationUrl(
         args["context-type"],
         args["context-id"],
@@ -9143,7 +10262,7 @@ var certificate = defineCommand8({
       if (format === "svg") {
         const svg = args.label ? await QrCodeService.generateQrCodeSvgWithLabel(url2, args.label, { width: size }) : await QrCodeService.generateQrCodeSvg(url2, { width: size });
         if (args.o) {
-          fs6.writeFileSync(args.o, svg);
+          fs9.writeFileSync(args.o, svg);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9152,7 +10271,7 @@ URL: ${url2}`);
       } else {
         const buffer = await QrCodeService.generateQrCode(url2, { width: size });
         if (args.o) {
-          fs6.writeFileSync(args.o, buffer);
+          fs9.writeFileSync(args.o, buffer);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9162,7 +10281,7 @@ URL: ${url2}`);
     });
   }
 });
-var url = defineCommand8({
+var url = defineCommand9({
   meta: { name: "url", description: "Print invoice verification URL (no QR image)" },
   args: {
     nip: { type: "string", description: "NIP number", required: true },
@@ -9175,7 +10294,7 @@ var url = defineCommand8({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts7(args);
+      const globalOpts = getGlobalOpts8(args);
       const client = createClient(globalOpts);
       const verificationUrl = client.qr.buildInvoiceVerificationUrl(args.nip, args.date, args.hash);
       if (args.json) {
@@ -9186,14 +10305,14 @@ var url = defineCommand8({
     });
   }
 });
-var qrCommand = defineCommand8({
+var qrCommand = defineCommand9({
   meta: { name: "qr", description: "QR code generation commands" },
   subCommands: { invoice: invoice2, certificate, url }
 });
 // src/cli/commands/lighthouse.ts
-import { defineCommand as defineCommand9 } from "citty";
-function getGlobalOpts8(args) {
+import { defineCommand as defineCommand10 } from "citty";
+function getGlobalOpts9(args) {
   return {
     env: args.env ?? "prod",
     json: args.json,
@@ -9202,7 +10321,7 @@ function getGlobalOpts8(args) {
     nip: args.nip
   };
 }
-var status5 = defineCommand9({
+var status5 = defineCommand10({
   meta: { name: "status", description: "Check KSeF system status" },
   args: {
     env: { type: "string", description: "Environment (test/prod, default: prod)" },
@@ -9213,7 +10332,7 @@ var status5 = defineCommand9({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts8(args);
+      const globalOpts = getGlobalOpts9(args);
       const client = createClient(globalOpts);
       const result = await client.lighthouse.getStatus();
       if (args.json) {
@@ -9230,7 +10349,7 @@ var status5 = defineCommand9({
     });
   }
 });
-var messages = defineCommand9({
+var messages = defineCommand10({
   meta: { name: "messages", description: "View KSeF system messages" },
   args: {
     env: { type: "string", description: "Environment (test/prod, default: prod)" },
@@ -9241,7 +10360,7 @@ var messages = defineCommand9({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts8(args);
+      const globalOpts = getGlobalOpts9(args);
       const client = createClient(globalOpts);
       const msgs = await client.lighthouse.getMessages();
       if (args.json) {
@@ -9272,14 +10391,14 @@ var messages = defineCommand9({
     });
   }
 });
-var lighthouseCommand = defineCommand9({
+var lighthouseCommand = defineCommand10({
   meta: { name: "lighthouse", description: "KSeF system status commands" },
   subCommands: { status: status5, messages }
 });
 // src/cli/commands/test-data.ts
-import { defineCommand as defineCommand10 } from "citty";
-function getGlobalOpts9(args) {
+import { defineCommand as defineCommand11 } from "citty";
+function getGlobalOpts10(args) {
   return {
     env: args.env,
     json: args.json,
@@ -9301,7 +10420,7 @@ function outputDone(json) {
     outputSuccess("Done.");
   }
 }
-var createSubject = defineCommand10({
+var createSubject = defineCommand11({
   meta: { name: "create-subject", description: "Create a test subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9315,7 +10434,7 @@ var createSubject = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = {
         subjectNip: args.nip,
@@ -9328,7 +10447,7 @@ var createSubject = defineCommand10({
     });
   }
 });
-var removeSubject = defineCommand10({
+var removeSubject = defineCommand11({
   meta: { name: "remove-subject", description: "Remove a test subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9339,7 +10458,7 @@ var removeSubject = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = { subjectNip: args.nip };
       await createClient(globalOpts).testData.removeSubject(request);
@@ -9347,7 +10466,7 @@ var removeSubject = defineCommand10({
     });
   }
 });
-var createPerson = defineCommand10({
+var createPerson = defineCommand11({
   meta: { name: "create-person", description: "Create a test person" },
   args: {
     nip: { type: "string", description: "Person NIP", required: true },
@@ -9363,7 +10482,7 @@ var createPerson = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = {
         nip: args.nip,
@@ -9378,7 +10497,7 @@ var createPerson = defineCommand10({
     });
   }
 });
-var removePerson = defineCommand10({
+var removePerson = defineCommand11({
   meta: { name: "remove-person", description: "Remove a test person" },
   args: {
     nip: { type: "string", description: "Person NIP", required: true },
@@ -9389,7 +10508,7 @@ var removePerson = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = { nip: args.nip };
       await createClient(globalOpts).testData.removePerson(request);
@@ -9397,7 +10516,7 @@ var removePerson = defineCommand10({
     });
   }
 });
-var grantPermissions = defineCommand10({
+var grantPermissions = defineCommand11({
   meta: { name: "grant-permissions", description: "Grant test data permissions" },
   args: {
     "context-nip": { type: "string", description: "Context NIP", required: true },
@@ -9412,7 +10531,7 @@ var grantPermissions = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const permissions = args.permissions.split(",").map((p) => ({ permissionType: p.trim(), description: "" }));
       const request = {
@@ -9428,7 +10547,7 @@ var grantPermissions = defineCommand10({
     });
   }
 });
-var revokePermissions = defineCommand10({
+var revokePermissions = defineCommand11({
   meta: { name: "revoke-permissions", description: "Revoke test data permissions" },
   args: {
     "context-nip": { type: "string", description: "Context NIP", required: true },
@@ -9442,7 +10561,7 @@ var revokePermissions = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = {
         contextIdentifier: { type: "Nip", value: args["context-nip"] },
@@ -9456,7 +10575,7 @@ var revokePermissions = defineCommand10({
     });
   }
 });
-var enableAttachment = defineCommand10({
+var enableAttachment = defineCommand11({
   meta: { name: "enable-attachment", description: "Enable attachment permission for a subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9467,7 +10586,7 @@ var enableAttachment = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = { nip: args.nip };
       await createClient(globalOpts).testData.enableAttachment(request);
@@ -9475,7 +10594,7 @@ var enableAttachment = defineCommand10({
     });
   }
 });
-var disableAttachment = defineCommand10({
+var disableAttachment = defineCommand11({
   meta: { name: "disable-attachment", description: "Disable attachment permission for a subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9487,7 +10606,7 @@ var disableAttachment = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = {
         nip: args.nip,
@@ -9498,7 +10617,7 @@ var disableAttachment = defineCommand10({
     });
   }
 });
-var changeSessionLimits = defineCommand10({
+var changeSessionLimits = defineCommand11({
   meta: { name: "change-session-limits", description: "Change session limits in current context" },
   args: {
     "online-max-size": { type: "string", description: "Online session: max invoice size in MB (0-5)", required: true },
@@ -9515,7 +10634,7 @@ var changeSessionLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       const request = {
@@ -9535,7 +10654,7 @@ var changeSessionLimits = defineCommand10({
     });
   }
 });
-var restoreSessionLimits = defineCommand10({
+var restoreSessionLimits = defineCommand11({
   meta: { name: "restore-session-limits", description: "Restore default session limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9546,7 +10665,7 @@ var restoreSessionLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       await client.testData.restoreDefaultSessionLimits();
@@ -9554,7 +10673,7 @@ var restoreSessionLimits = defineCommand10({
     });
   }
 });
-var changeCertLimits = defineCommand10({
+var changeCertLimits = defineCommand11({
   meta: { name: "change-cert-limits", description: "Change subject limits (enrollment/certificate) in current subject" },
   args: {
     "identifier-type": { type: "string", description: "Subject identifier type (Nip/Pesel/Fingerprint)" },
@@ -9568,7 +10687,7 @@ var changeCertLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       const request = {
@@ -9581,7 +10700,7 @@ var changeCertLimits = defineCommand10({
     });
   }
 });
-var restoreCertLimits = defineCommand10({
+var restoreCertLimits = defineCommand11({
   meta: { name: "restore-cert-limits", description: "Restore default certificates limit" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9592,7 +10711,7 @@ var restoreCertLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       await client.testData.restoreDefaultCertificatesLimit();
@@ -9600,7 +10719,7 @@ var restoreCertLimits = defineCommand10({
     });
   }
 });
-var setRateLimits = defineCommand10({
+var setRateLimits = defineCommand11({
   meta: { name: "set-rate-limits", description: "Set effective API rate limits" },
   args: {
     limits: { type: "string", description: "Rate limits as JSON string (ApiRateLimitsOverride)", required: true },
@@ -9612,7 +10731,7 @@ var setRateLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       const request = {
@@ -9623,7 +10742,7 @@ var setRateLimits = defineCommand10({
     });
   }
 });
-var restoreRateLimits = defineCommand10({
+var restoreRateLimits = defineCommand11({
   meta: { name: "restore-rate-limits", description: "Restore default API rate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9634,7 +10753,7 @@ var restoreRateLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       await client.testData.restoreDefaultRateLimits();
@@ -9642,7 +10761,7 @@ var restoreRateLimits = defineCommand10({
     });
   }
 });
-var setProductionRateLimits = defineCommand10({
+var setProductionRateLimits = defineCommand11({
   meta: { name: "set-production-rate-limits", description: "Set production API rate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9653,7 +10772,7 @@ var setProductionRateLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       await client.testData.setProductionRateLimits();
@@ -9661,7 +10780,7 @@ var setProductionRateLimits = defineCommand10({
     });
   }
 });
-var blockContext = defineCommand10({
+var blockContext = defineCommand11({
   meta: { name: "block-context", description: "Block a context" },
   args: {
     "context-value": { type: "string", description: "Context identifier value", required: true },
@@ -9674,7 +10793,7 @@ var blockContext = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       const request = {
@@ -9688,7 +10807,7 @@ var blockContext = defineCommand10({
     });
   }
 });
-var unblockContext = defineCommand10({
+var unblockContext = defineCommand11({
   meta: { name: "unblock-context", description: "Unblock a context" },
   args: {
     "context-value": { type: "string", description: "Context identifier value", required: true },
@@ -9701,7 +10820,7 @@ var unblockContext = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       const request = {
@@ -9715,7 +10834,7 @@ var unblockContext = defineCommand10({
     });
   }
 });
-var testDataCommand = defineCommand10({
+var testDataCommand = defineCommand11({
   meta: { name: "test-data", description: "Test environment data management (test/demo only)" },
   subCommands: {
     "create-subject": createSubject,
@@ -9739,8 +10858,8 @@ var testDataCommand = defineCommand10({
 });
 // src/cli/commands/limits.ts
-import { defineCommand as defineCommand11 } from "citty";
-function getGlobalOpts10(args) {
+import { defineCommand as defineCommand12 } from "citty";
+function getGlobalOpts11(args) {
   return {
     env: args.env,
     json: args.json,
@@ -9749,7 +10868,7 @@ function getGlobalOpts10(args) {
     nip: args.nip
   };
 }
-var context = defineCommand11({
+var context = defineCommand12({
   meta: { name: "context", description: "View effective context limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9759,7 +10878,7 @@ var context = defineCommand11({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts10(args);
+      const globalOpts = getGlobalOpts11(args);
       const { client } = requireSession(globalOpts);
       const result = await client.limits.getContextLimits();
       if (args.json) {
@@ -9777,7 +10896,7 @@ var context = defineCommand11({
     });
   }
 });
-var subject = defineCommand11({
+var subject = defineCommand12({
   meta: { name: "subject", description: "View effective subject limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9787,7 +10906,7 @@ var subject = defineCommand11({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts10(args);
+      const globalOpts = getGlobalOpts11(args);
       const { client } = requireSession(globalOpts);
       const result = await client.limits.getSubjectLimits();
       if (args.json) {
@@ -9801,7 +10920,7 @@ var subject = defineCommand11({
     });
   }
 });
-var rate = defineCommand11({
+var rate = defineCommand12({
   meta: { name: "rate", description: "View effective API rate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9811,7 +10930,7 @@ var rate = defineCommand11({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts10(args);
+      const globalOpts = getGlobalOpts11(args);
       const { client } = requireSession(globalOpts);
       const result = await client.limits.getRateLimits();
       if (args.json) {
@@ -9837,15 +10956,15 @@ var rate = defineCommand11({
     });
   }
 });
-var limitsCommand = defineCommand11({
+var limitsCommand = defineCommand12({
   meta: { name: "limits", description: "View KSeF API limits" },
   subCommands: { context, subject, rate }
 });
 // src/cli/commands/peppol.ts
-import { defineCommand as defineCommand12 } from "citty";
-import { consola as consola9 } from "consola";
-function getGlobalOpts11(args) {
+import { defineCommand as defineCommand13 } from "citty";
+import { consola as consola10 } from "consola";
+function getGlobalOpts12(args) {
   return {
     env: args.env,
     json: args.json,
@@ -9854,7 +10973,7 @@ function getGlobalOpts11(args) {
     nip: args.nip
   };
 }
-var providers = defineCommand12({
+var providers = defineCommand13({
   meta: { name: "providers", description: "Query Peppol providers" },
   args: {
     page: { type: "string", description: "Page offset" },
@@ -9866,7 +10985,7 @@ var providers = defineCommand12({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts11(args);
+      const globalOpts = getGlobalOpts12(args);
       const { client } = requireSession(globalOpts);
       const pageOffset = args.page ? parseInt(args.page, 10) : void 0;
       const pageSize = args.pageSize ? parseInt(args.pageSize, 10) : void 0;
@@ -9893,20 +11012,20 @@ var providers = defineCommand12({
         { json: false }
       );
       if (result.hasMore) {
-        consola9.info("More results available. Use --page to paginate.");
+        consola10.info("More results available. Use --page to paginate.");
       }
     });
   }
 });
-var peppolCommand = defineCommand12({
+var peppolCommand = defineCommand13({
   meta: { name: "peppol", description: "Peppol integration commands" },
   subCommands: { providers }
 });
 // src/cli/commands/doctor.ts
-import { defineCommand as defineCommand13 } from "citty";
-import { consola as consola10 } from "consola";
-function getGlobalOpts12(args) {
+import { defineCommand as defineCommand14 } from "citty";
+import { consola as consola11 } from "consola";
+function getGlobalOpts13(args) {
   return {
     env: args.env,
     json: args.json,
@@ -9915,7 +11034,7 @@ function getGlobalOpts12(args) {
     verbose: args.verbose
   };
 }
-var doctorCommand = defineCommand13({
+var doctorCommand = defineCommand14({
   meta: { name: "doctor", description: "Check CLI configuration and connectivity" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9926,7 +11045,7 @@ var doctorCommand = defineCommand13({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts12(args);
+      const globalOpts = getGlobalOpts13(args);
       const checks = [];
       try {
         const config = loadConfig();
@@ -9996,14 +11115,14 @@ var doctorCommand = defineCommand13({
       }
       for (const check of checks) {
         const icon = check.status === "pass" ? "\u2713" : check.status === "warn" ? "\u26A0" : "\u2717";
-        const log = check.status === "pass" ? consola10.success : check.status === "warn" ? consola10.warn : consola10.error;
+        const log = check.status === "pass" ? consola11.success : check.status === "warn" ? consola11.warn : consola11.error;
         log(`${icon} ${check.message}`);
       }
       if (passed === total) {
-        consola10.success(`
+        consola11.success(`
 ${passed}/${total} checks passed.`);
       } else {
-        consola10.warn(`
+        consola11.warn(`
 ${passed}/${total} checks passed.`);
       }
     });
@@ -10011,7 +11130,7 @@ ${passed}/${total} checks passed.`);
 });
 // src/cli/commands/completion.ts
-import { defineCommand as defineCommand14 } from "citty";
+import { defineCommand as defineCommand15 } from "citty";
 var COMMAND_TREE = {
   config: ["set", "show", "reset"],
   auth: ["challenge", "login", "status", "logout", "refresh", "whoami"],
@@ -10103,34 +11222,37 @@ function generateFish() {
   }
   return lines.join("\n") + "\n";
 }
-var bash = defineCommand14({
+var bash = defineCommand15({
   meta: { name: "bash", description: "Generate bash completion script" },
   run() {
     console.log(generateBash());
   }
 });
-var zsh = defineCommand14({
+var zsh = defineCommand15({
   meta: { name: "zsh", description: "Generate zsh completion script" },
   run() {
     console.log(generateZsh());
   }
 });
-var fish = defineCommand14({
+var fish = defineCommand15({
   meta: { name: "fish", description: "Generate fish completion script" },
   run() {
     console.log(generateFish());
   }
 });
-var completionCommand = defineCommand14({
+var completionCommand = defineCommand15({
   meta: { name: "completion", description: "Generate shell completion scripts" },
   subCommands: { bash, zsh, fish }
 });
 // src/cli/index.ts
-var main = defineCommand15({
+var __dirname = dirname2(fileURLToPath(import.meta.url));
+var pkg = JSON.parse(readFileSync6(resolve(__dirname, "..", "package.json"), "utf-8"));
+var version = pkg.version;
+var main = defineCommand16({
   meta: {
     name: "ksef",
-    version: "0.1.0",
+    version,
     description: "CLI for the Polish National e-Invoice System (KSeF)"
   },
   subCommands: {