npm - ksef-client-ts - Versions diffs - 0.2.0 → 0.4.0 - Mend

ksef-client-ts 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/index.cjs CHANGED Viewed

@@ -67,7 +67,8 @@ function resolveOptions(options = {}) {
     lighthouseUrl: options.lighthouseUrl ?? env.lighthouseUrl,
     apiVersion: options.apiVersion ?? DEFAULT_API_VERSION,
     timeout: options.timeout ?? DEFAULT_TIMEOUT,
-    customHeaders: options.customHeaders ?? {}
+    customHeaders: options.customHeaders ?? {},
+    environmentName: options.environment ?? (options.baseUrl ? void 0 : "TEST")
   };
 }
 var DEFAULT_API_VERSION, DEFAULT_TIMEOUT;
@@ -1107,6 +1108,36 @@ var init_batch_session = __esm({
         });
         await Promise.all(tasks);
       }
+      /**
+       * Upload parts sequentially (not in parallel) because each part uses a
+       * streaming body (`duplex: 'half'`). Parallel streaming uploads can cause
+       * backpressure issues and exceed memory limits for large payloads.
+       */
+      async sendPartsWithStream(openResponse, parts) {
+        const uploadRequests = openResponse.partUploadRequests;
+        for (const part of parts) {
+          const uploadReq = uploadRequests.find(
+            (r) => r.ordinalNumber === part.ordinalNumber
+          );
+          if (!uploadReq) {
+            throw new Error(`No upload request found for part ${part.ordinalNumber}`);
+          }
+          const headers = {};
+          for (const [k, v] of Object.entries(uploadReq.headers)) {
+            if (v != null) headers[k] = v;
+          }
+          const resp = await fetch(uploadReq.url, {
+            method: uploadReq.method,
+            headers,
+            body: part.dataStream,
+            // @ts-expect-error -- Node 18+ undici supports duplex for streaming body
+            duplex: "half"
+          });
+          if (!resp.ok) {
+            throw new Error(`Upload failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+          }
+        }
+      }
       async closeSession(batchRef) {
         const req = RestRequest.post(Routes.Sessions.Batch.close(batchRef));
         await this.restClient.executeVoid(req);
@@ -1575,84 +1606,111 @@ var init_test_data = __esm({
     "use strict";
     init_rest_request();
     init_routes();
+    init_ksef_error();
     TestDataService = class {
       restClient;
-      constructor(restClient) {
+      environmentName;
+      constructor(restClient, environmentName) {
         this.restClient = restClient;
+        this.environmentName = environmentName;
+      }
+      ensureTestEnvironment() {
+        if (this.environmentName && this.environmentName !== "TEST") {
+          throw new KSeFError(
+            `Test data APIs are only available on the TEST environment (current: ${this.environmentName})`
+          );
+        }
       }
       // Subject management
       async createSubject(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.createSubject).body(request);
         await this.restClient.executeVoid(req);
       }
       async removeSubject(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.removeSubject).body(request);
         await this.restClient.executeVoid(req);
       }
       // Person management
       async createPerson(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.createPerson).body(request);
         await this.restClient.executeVoid(req);
       }
       async removePerson(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.removePerson).body(request);
         await this.restClient.executeVoid(req);
       }
       // Permissions
       async grantPermissions(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.grantPerms).body(request);
         await this.restClient.executeVoid(req);
       }
       async revokePermissions(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.revokePerms).body(request);
         await this.restClient.executeVoid(req);
       }
       // Attachment permissions
       async enableAttachment(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.enableAttach).body(request);
         await this.restClient.executeVoid(req);
       }
       async disableAttachment(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.disableAttach).body(request);
         await this.restClient.executeVoid(req);
       }
       // Session limits
       async changeSessionLimits(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.changeSessionLimitsInCurrentContext).body(request);
         await this.restClient.executeVoid(req);
       }
       async restoreDefaultSessionLimits() {
+        this.ensureTestEnvironment();
         const req = RestRequest.delete(Routes.TestData.restoreDefaultSessionLimitsInCurrentContext);
         await this.restClient.executeVoid(req);
       }
       // Certificate limits
       async changeCertificatesLimit(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.changeCertificatesLimitInCurrentSubject).body(request);
         await this.restClient.executeVoid(req);
       }
       async restoreDefaultCertificatesLimit() {
+        this.ensureTestEnvironment();
         const req = RestRequest.delete(Routes.TestData.restoreDefaultCertificatesLimitInCurrentSubject);
         await this.restClient.executeVoid(req);
       }
       // Rate limits
       async setRateLimits(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.rateLimits).body(request);
         await this.restClient.executeVoid(req);
       }
       async restoreDefaultRateLimits() {
+        this.ensureTestEnvironment();
         const req = RestRequest.delete(Routes.TestData.rateLimits);
         await this.restClient.executeVoid(req);
       }
       async setProductionRateLimits() {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.productionRateLimits);
         await this.restClient.executeVoid(req);
       }
       // Context blocking
       async blockContext(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.blockContext).body(request);
         await this.restClient.executeVoid(req);
       }
       async unblockContext(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.unblockContext).body(request);
         await this.restClient.executeVoid(req);
       }
@@ -1730,7 +1788,7 @@ ${lines.join("\n")}
 // src/crypto/cryptography-service.ts
 function setCryptoProvider() {
-  x509.cryptoProvider.set(crypto.webcrypto);
+  x509.cryptoProvider.set(crypto2.webcrypto);
 }
 function buildX500Name(fields) {
   const parts = [];
@@ -1754,11 +1812,11 @@ function pemEncode(der, label) {
 ${lines.join("\n")}
 -----END ${label}-----`;
 }
-var crypto, x509, CryptographyService;
+var crypto2, x509, CryptographyService;
 var init_cryptography_service = __esm({
   "src/crypto/cryptography-service.ts"() {
     "use strict";
-    crypto = __toESM(require("crypto"), 1);
+    crypto2 = __toESM(require("crypto"), 1);
     x509 = __toESM(require("@peculiar/x509"), 1);
     CryptographyService = class {
       fetcher;
@@ -1774,12 +1832,34 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       /** Encrypt with AES-256-CBC (PKCS7 padding is automatic in Node). */
       encryptAES256(content, key, iv) {
-        const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
+        const cipher = crypto2.createCipheriv("aes-256-cbc", key, iv);
         return new Uint8Array(Buffer.concat([cipher.update(content), cipher.final()]));
       }
+      /**
+       * Encrypt with AES-256-CBC as a streaming transform.
+       * Returns a ReadableStream that yields encrypted chunks as the input is read.
+       */
+      encryptAES256Stream(input, key, iv) {
+        const cipher = crypto2.createCipheriv("aes-256-cbc", key, iv);
+        const transform = new TransformStream({
+          transform(chunk, controller) {
+            const encrypted = cipher.update(chunk);
+            if (encrypted.length > 0) {
+              controller.enqueue(new Uint8Array(encrypted));
+            }
+          },
+          flush(controller) {
+            const final = cipher.final();
+            if (final.length > 0) {
+              controller.enqueue(new Uint8Array(final));
+            }
+          }
+        });
+        return input.pipeThrough(transform);
+      }
       /** Decrypt with AES-256-CBC. */
       decryptAES256(content, key, iv) {
-        const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
+        const decipher = crypto2.createDecipheriv("aes-256-cbc", key, iv);
         return new Uint8Array(Buffer.concat([decipher.update(content), decipher.final()]));
       }
       // ---------------------------------------------------------------------------
@@ -1790,14 +1870,14 @@ var init_cryptography_service = __esm({
        * SymmetricKeyEncryption certificate's RSA public key (RSA-OAEP SHA-256).
        */
       getEncryptionData() {
-        const key = crypto.randomBytes(32);
-        const iv = crypto.randomBytes(16);
+        const key = crypto2.randomBytes(32);
+        const iv = crypto2.randomBytes(16);
         const certPem = this.fetcher.getSymmetricKeyEncryptionPem();
-        const encryptedKey = crypto.publicEncrypt(
+        const encryptedKey = crypto2.publicEncrypt(
           {
             key: certPem,
             oaepHash: "sha256",
-            padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
+            padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
           },
           key
         );
@@ -1831,7 +1911,7 @@ var init_cryptography_service = __esm({
         const timestampMs = new Date(challengeTimestamp).getTime();
         const plaintext = Buffer.from(`${token}|${timestampMs}`, "utf-8");
         const certPem = this.fetcher.getKsefTokenEncryptionPem();
-        const cert = new crypto.X509Certificate(certPem);
+        const cert = new crypto2.X509Certificate(certPem);
         const publicKey = cert.publicKey;
         if (publicKey.asymmetricKeyType === "rsa") {
           return this.encryptRsaOaep(certPem, plaintext);
@@ -1846,9 +1926,26 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       /** Compute SHA-256 hash (base64) and byte length. */
       getFileMetadata(file) {
-        const hash = crypto.createHash("sha256").update(file).digest("base64");
+        const hash = crypto2.createHash("sha256").update(file).digest("base64");
         return { hashSHA: hash, fileSize: file.length };
       }
+      /** Compute SHA-256 hash (base64) and byte length from a ReadableStream. */
+      async getFileMetadataFromStream(stream) {
+        const hash = crypto2.createHash("sha256");
+        let fileSize = 0;
+        const reader = stream.getReader();
+        try {
+          for (; ; ) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            hash.update(value);
+            fileSize += value.byteLength;
+          }
+        } finally {
+          reader.releaseLock();
+        }
+        return { hashSHA: hash.digest("base64"), fileSize };
+      }
       // ---------------------------------------------------------------------------
       // CSR generation
       // ---------------------------------------------------------------------------
@@ -1861,7 +1958,7 @@ var init_cryptography_service = __esm({
           publicExponent: new Uint8Array([1, 0, 1]),
           modulusLength: 2048
         };
-        const keys = await crypto.webcrypto.subtle.generateKey(
+        const keys = await crypto2.webcrypto.subtle.generateKey(
           algorithm,
           true,
           ["sign", "verify"]
@@ -1872,7 +1969,7 @@ var init_cryptography_service = __esm({
           signingAlgorithm: algorithm
         });
         const csrDer = new Uint8Array(csr.rawData);
-        const pkcs8 = await crypto.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+        const pkcs8 = await crypto2.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
         const privateKeyPem = pemEncode(new Uint8Array(pkcs8), "PRIVATE KEY");
         return { csrDer, privateKeyPem };
       }
@@ -1883,7 +1980,7 @@ var init_cryptography_service = __esm({
           name: "ECDSA",
           namedCurve: "P-256"
         };
-        const keys = await crypto.webcrypto.subtle.generateKey(
+        const keys = await crypto2.webcrypto.subtle.generateKey(
           algorithm,
           true,
           ["sign", "verify"]
@@ -1894,7 +1991,7 @@ var init_cryptography_service = __esm({
           signingAlgorithm: { name: "ECDSA", hash: "SHA-256" }
         });
         const csrDer = new Uint8Array(csr.rawData);
-        const pkcs8 = await crypto.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+        const pkcs8 = await crypto2.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
         const privateKeyPem = pemEncode(new Uint8Array(pkcs8), "PRIVATE KEY");
         return { csrDer, privateKeyPem };
       }
@@ -1903,7 +2000,7 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       /** Parse a PEM-encoded private key into a Node.js KeyObject. */
       parsePrivateKey(pem) {
-        return crypto.createPrivateKey(pem);
+        return crypto2.createPrivateKey(pem);
       }
       // ---------------------------------------------------------------------------
       // Private helpers
@@ -1911,11 +2008,11 @@ var init_cryptography_service = __esm({
       /** RSA-OAEP SHA-256 encryption. */
       encryptRsaOaep(certPem, plaintext) {
         return new Uint8Array(
-          crypto.publicEncrypt(
+          crypto2.publicEncrypt(
             {
               key: certPem,
               oaepHash: "sha256",
-              padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
+              padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
             },
             plaintext
           )
@@ -1932,15 +2029,15 @@ var init_cryptography_service = __esm({
        *    (Java-compatible — GCM appends the 16-byte tag to the ciphertext).
        */
       encryptEcdhAesGcm(receiverPublicKey, plaintext) {
-        const { privateKey: ephPrivKey, publicKey: ephPubKey } = crypto.generateKeyPairSync("ec", {
+        const { privateKey: ephPrivKey, publicKey: ephPubKey } = crypto2.generateKeyPairSync("ec", {
           namedCurve: "prime256v1"
         });
-        const sharedSecret = crypto.diffieHellman({
+        const sharedSecret = crypto2.diffieHellman({
           privateKey: ephPrivKey,
           publicKey: receiverPublicKey
         });
-        const nonce = crypto.randomBytes(12);
-        const cipher = crypto.createCipheriv("aes-256-gcm", sharedSecret, nonce);
+        const nonce = crypto2.randomBytes(12);
+        const cipher = crypto2.createCipheriv("aes-256-gcm", sharedSecret, nonce);
         const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
         const tag = cipher.getAuthTag();
         const ephemeralSpki = ephPubKey.export({ type: "spki", format: "der" });
@@ -6508,7 +6605,7 @@ function canonicalize(elem) {
 function computeRootDigest(doc) {
   const root = doc.documentElement;
   const canonical = canonicalize(root);
-  return crypto2.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
   const parser = new import_xmldom.DOMParser();
@@ -6518,7 +6615,7 @@ function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
     throw new Error("SignedProperties element not found in QualifyingProperties");
   }
   const canonical = canonicalize(signedProps);
-  return crypto2.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest) {
   return [
@@ -6549,12 +6646,12 @@ function computeSignatureValue(canonicalSignedInfo, privateKeyPem, isEc) {
   const data = Buffer.from(canonicalSignedInfo, "utf-8");
   let signature;
   if (isEc) {
-    signature = crypto2.sign("sha256", data, {
+    signature = crypto3.sign("sha256", data, {
       key: privateKeyPem,
       dsaEncoding: "ieee-p1363"
     });
   } else {
-    signature = crypto2.sign("sha256", data, privateKeyPem);
+    signature = crypto3.sign("sha256", data, privateKeyPem);
   }
   return signature.toString("base64");
 }
@@ -6623,11 +6720,11 @@ function wrapBase64(base64) {
   }
   return lines.join("\n");
 }
-var crypto2, import_xml_crypto, import_xmldom, XADES_NS, DS_NS, SIGNED_PROPERTIES_TYPE, SHA256_DIGEST_METHOD, EXC_C14N_ALGORITHM, ENVELOPED_SIGNATURE_TRANSFORM, RSA_SHA256_SIGNATURE, ECDSA_SHA256_SIGNATURE, CLOCK_SKEW_BUFFER_MS, SIGNATURE_ID, SIGNED_PROPERTIES_ID, SignatureService;
+var crypto3, import_xml_crypto, import_xmldom, XADES_NS, DS_NS, SIGNED_PROPERTIES_TYPE, SHA256_DIGEST_METHOD, EXC_C14N_ALGORITHM, ENVELOPED_SIGNATURE_TRANSFORM, RSA_SHA256_SIGNATURE, ECDSA_SHA256_SIGNATURE, CLOCK_SKEW_BUFFER_MS, SIGNATURE_ID, SIGNED_PROPERTIES_ID, SignatureService;
 var init_signature_service = __esm({
   "src/crypto/signature-service.ts"() {
     "use strict";
-    crypto2 = __toESM(require("crypto"), 1);
+    crypto3 = __toESM(require("crypto"), 1);
     import_xml_crypto = require("xml-crypto");
     import_xmldom = __toESM(require_lib(), 1);
     XADES_NS = "http://uri.etsi.org/01903/v1.3.2#";
@@ -6656,11 +6753,11 @@ var init_signature_service = __esm({
         }
         const certDer = extractDerFromPem(certPem);
         const certBase64 = certDer.toString("base64");
-        const certDigest = crypto2.createHash("sha256").update(certDer).digest("base64");
-        const x5093 = new crypto2.X509Certificate(certPem);
+        const certDigest = crypto3.createHash("sha256").update(certDer).digest("base64");
+        const x5093 = new crypto3.X509Certificate(certPem);
         const issuerName = normalizeIssuerDn(x5093.issuer);
         const serialNumber = hexSerialToDecimal(x5093.serialNumber);
-        const privateKey = crypto2.createPrivateKey(privateKeyPem);
+        const privateKey = crypto3.createPrivateKey(privateKeyPem);
         const isEc = privateKey.asymmetricKeyType === "ec";
         const signatureAlgorithm = isEc ? ECDSA_SHA256_SIGNATURE : RSA_SHA256_SIGNATURE;
         const signingTime = new Date(Date.now() + CLOCK_SKEW_BUFFER_MS).toISOString();
@@ -6763,6 +6860,32 @@ var init_pkcs12_loader = __esm({
   }
 });
+// src/crypto/auth-xml-builder.ts
+function buildUnsignedAuthTokenRequestXml(options) {
+  const { challenge, contextIdentifier, subjectIdentifierType = "certificateSubject" } = options;
+  const identifierElement = `<${contextIdentifier.type}>${xmlEscape(contextIdentifier.value)}</${contextIdentifier.type}>`;
+  return [
+    '<?xml version="1.0" encoding="utf-8"?>',
+    `<AuthTokenRequest xmlns="${AUTH_TOKEN_REQUEST_NS}">`,
+    `<Challenge>${xmlEscape(challenge)}</Challenge>`,
+    `<ContextIdentifier>`,
+    identifierElement,
+    `</ContextIdentifier>`,
+    `<SubjectIdentifierType>${xmlEscape(subjectIdentifierType)}</SubjectIdentifierType>`,
+    `</AuthTokenRequest>`
+  ].join("");
+}
+function xmlEscape(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+var AUTH_TOKEN_REQUEST_NS;
+var init_auth_xml_builder = __esm({
+  "src/crypto/auth-xml-builder.ts"() {
+    "use strict";
+    AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
+  }
+});
 // src/qr/verification-link-service.ts
 var import_node_crypto, VerificationLinkService;
 var init_verification_link_service = __esm({
@@ -6827,19 +6950,11 @@ __export(client_exports, {
   buildAuthTokenRequestXml: () => buildAuthTokenRequestXml
 });
 function buildAuthTokenRequestXml(challenge, nip, subjectIdentifierType = "certificateSubject") {
-  return [
-    '<?xml version="1.0" encoding="utf-8"?>',
-    `<AuthTokenRequest xmlns="${AUTH_TOKEN_REQUEST_NS}">`,
-    `<Challenge>${xmlEscape(challenge)}</Challenge>`,
-    `<ContextIdentifier>`,
-    `<Nip>${xmlEscape(nip)}</Nip>`,
-    `</ContextIdentifier>`,
-    `<SubjectIdentifierType>${xmlEscape(subjectIdentifierType)}</SubjectIdentifierType>`,
-    `</AuthTokenRequest>`
-  ].join("");
-}
-function xmlEscape(str) {
-  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+  return buildUnsignedAuthTokenRequestXml({
+    challenge,
+    contextIdentifier: { type: "Nip", value: nip },
+    subjectIdentifierType
+  });
 }
 function buildRestClientConfig(options, authManager) {
   const config = { authManager };
@@ -6866,7 +6981,7 @@ function buildRestClientConfig(options, authManager) {
   }
   return config;
 }
-var KSeFClient, AUTH_TOKEN_REQUEST_NS;
+var KSeFClient;
 var init_client = __esm({
   "src/client.ts"() {
     "use strict";
@@ -6892,6 +7007,7 @@ var init_client = __esm({
     init_certificate_fetcher();
     init_cryptography_service();
     init_verification_link_service();
+    init_auth_xml_builder();
     KSeFClient = class {
       auth;
       activeSessions;
@@ -6935,7 +7051,7 @@ var init_client = __esm({
         this.lighthouse = new LighthouseService(this.options);
         this.limits = new LimitsService(restClient);
         this.peppol = new PeppolService(restClient);
-        this.testData = new TestDataService(restClient);
+        this.testData = new TestDataService(restClient, this.options.environmentName);
         this.qr = new VerificationLinkService(this.options.baseQrUrl);
       }
       async loginWithToken(token, nip) {
@@ -6985,7 +7101,6 @@ var init_client = __esm({
         this.authManager.setRefreshToken(void 0);
       }
     };
-    AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
   }
 });
@@ -6997,7 +7112,11 @@ __export(index_exports, {
   AuthService: () => AuthService,
   AuthTokenRequestBuilder: () => AuthTokenRequestBuilder,
   AuthorizationPermissionGrantBuilder: () => AuthorizationPermissionGrantBuilder,
+  BATCH_MAX_PARTS: () => BATCH_MAX_PARTS,
+  BATCH_MAX_PART_SIZE: () => BATCH_MAX_PART_SIZE,
+  BATCH_MAX_TOTAL_SIZE: () => BATCH_MAX_TOTAL_SIZE,
   Base64String: () => Base64String,
+  BatchFileBuilder: () => BatchFileBuilder,
   BatchSessionService: () => BatchSessionService,
   CERTIFICATE_NAME_MAX_LENGTH: () => CERTIFICATE_NAME_MAX_LENGTH,
   CERTIFICATE_NAME_MIN_LENGTH: () => CERTIFICATE_NAME_MIN_LENGTH,
@@ -7011,6 +7130,11 @@ __export(index_exports, {
   ENFORCE_XADES_COMPLIANCE: () => ENFORCE_XADES_COMPLIANCE,
   EntityPermissionGrantBuilder: () => EntityPermissionGrantBuilder,
   Environment: () => Environment,
+  FORM_CODES: () => FORM_CODES,
+  FORM_CODE_KEYS: () => FORM_CODE_KEYS,
+  FileHwmStore: () => FileHwmStore,
+  INVOICE_TYPES_BY_SYSTEM_CODE: () => INVOICE_TYPES_BY_SYSTEM_CODE,
+  InMemoryHwmStore: () => InMemoryHwmStore,
   InternalId: () => InternalId,
   InvoiceDownloadService: () => InvoiceDownloadService,
   InvoiceQueryFilterBuilder: () => InvoiceQueryFilterBuilder,
@@ -7056,21 +7180,29 @@ __export(index_exports, {
   SessionStatusService: () => SessionStatusService,
   Sha256Base64: () => Sha256Base64,
   SignatureService: () => SignatureService,
+  SystemCode: () => SystemCode,
   TestDataService: () => TestDataService,
   TokenService: () => TokenService,
   UpoVersion: () => UpoVersion,
   VatUe: () => VatUe,
   VerificationLinkService: () => VerificationLinkService,
   authenticateWithCertificate: () => authenticateWithCertificate,
+  authenticateWithExternalSignature: () => authenticateWithExternalSignature,
   authenticateWithPkcs12: () => authenticateWithPkcs12,
   authenticateWithToken: () => authenticateWithToken,
+  buildUnsignedAuthTokenRequestXml: () => buildUnsignedAuthTokenRequestXml,
   calculateBackoff: () => calculateBackoff,
+  createZip: () => createZip,
+  deduplicateByKsefNumber: () => deduplicateByKsefNumber,
   defaultPresignedUrlPolicy: () => defaultPresignedUrlPolicy,
   defaultRateLimitPolicy: () => defaultRateLimitPolicy,
   defaultRetryPolicy: () => defaultRetryPolicy,
   defaultTransport: () => defaultTransport,
   exportAndDownload: () => exportAndDownload,
   exportInvoices: () => exportInvoices,
+  getEffectiveStartDate: () => getEffectiveStartDate,
+  getFormCode: () => getFormCode,
+  incrementalExportAndDownload: () => incrementalExportAndDownload,
   isRetryableError: () => isRetryableError,
   isRetryableStatus: () => isRetryableStatus,
   isValidBase64: () => isValidBase64,
@@ -7090,11 +7222,19 @@ __export(index_exports, {
   isValidVatUe: () => isValidVatUe,
   openOnlineSession: () => openOnlineSession,
   openSendAndClose: () => openSendAndClose,
+  parseFormCode: () => parseFormCode,
   parseRetryAfter: () => parseRetryAfter,
+  parseUpoXml: () => parseUpoXml,
   pollUntil: () => pollUntil,
   resolveOptions: () => resolveOptions,
   sleep: () => sleep,
+  unzip: () => unzip,
+  updateContinuationPoint: () => updateContinuationPoint,
   uploadBatch: () => uploadBatch,
+  uploadBatchParsed: () => uploadBatchParsed,
+  uploadBatchStream: () => uploadBatchStream,
+  uploadBatchStreamParsed: () => uploadBatchStreamParsed,
+  validateFormCodeForSession: () => validateFormCodeForSession,
   validatePresignedUrl: () => validatePresignedUrl
 });
 module.exports = __toCommonJS(index_exports);
@@ -7227,6 +7367,65 @@ var SUBUNIT_NAME_MAX_LENGTH = 256;
 var PERMISSION_DESCRIPTION_MIN_LENGTH = 5;
 var PERMISSION_DESCRIPTION_MAX_LENGTH = 256;
+// src/models/document-structures/types.ts
+var SystemCode = {
+  FA_2: "FA (2)",
+  FA_3: "FA (3)",
+  PEF_3: "PEF (3)",
+  PEF_KOR_3: "PEF_KOR (3)",
+  FA_RR_1: "FA_RR (1)"
+};
+var FORM_CODES = {
+  FA_2: { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" },
+  FA_3: { systemCode: "FA (3)", schemaVersion: "1-0E", value: "FA" },
+  PEF_3: { systemCode: "PEF (3)", schemaVersion: "2-1", value: "PEF" },
+  PEF_KOR_3: { systemCode: "PEF_KOR (3)", schemaVersion: "2-1", value: "PEF" },
+  FA_RR_1_LEGACY: { systemCode: "FA_RR (1)", schemaVersion: "1-0E", value: "RR" },
+  FA_RR_1_TRANSITION: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "RR" },
+  FA_RR_1: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "FA_RR" }
+};
+var INVOICE_TYPES_BY_SYSTEM_CODE = {
+  [SystemCode.FA_2]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
+  [SystemCode.FA_3]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
+  [SystemCode.PEF_3]: ["VatPef", "VatPefSp", "KorPef"],
+  [SystemCode.PEF_KOR_3]: ["KorPef"],
+  [SystemCode.FA_RR_1]: ["VatRr", "KorVatRr"]
+};
+var FORM_CODE_KEYS = {
+  FA2: FORM_CODES.FA_2,
+  FA3: FORM_CODES.FA_3,
+  PEF3: FORM_CODES.PEF_3,
+  PEFKOR3: FORM_CODES.PEF_KOR_3,
+  FARR1: FORM_CODES.FA_RR_1
+};
+// src/models/document-structures/helpers.ts
+var SYSTEM_CODE_TO_FORM_CODE = {
+  [SystemCode.FA_2]: FORM_CODES.FA_2,
+  [SystemCode.FA_3]: FORM_CODES.FA_3,
+  [SystemCode.PEF_3]: FORM_CODES.PEF_3,
+  [SystemCode.PEF_KOR_3]: FORM_CODES.PEF_KOR_3,
+  [SystemCode.FA_RR_1]: FORM_CODES.FA_RR_1
+};
+var ALL_FORM_CODES = Object.values(FORM_CODES);
+var BATCH_DISALLOWED_SYSTEM_CODES = /* @__PURE__ */ new Set([
+  SystemCode.PEF_3,
+  SystemCode.PEF_KOR_3
+]);
+function getFormCode(systemCode) {
+  return SYSTEM_CODE_TO_FORM_CODE[systemCode];
+}
+function parseFormCode(raw) {
+  const match = ALL_FORM_CODES.find(
+    (fc) => fc.systemCode === raw.systemCode && fc.schemaVersion === raw.schemaVersion && fc.value === raw.value
+  );
+  return match ?? raw;
+}
+function validateFormCodeForSession(formCode, sessionType) {
+  if (sessionType === "online") return true;
+  return !BATCH_DISALLOWED_SYSTEM_CODES.has(formCode.systemCode);
+}
 // src/services/index.ts
 init_auth();
 init_active_sessions();
@@ -7590,18 +7789,188 @@ var AuthorizationPermissionGrantBuilder = class {
   }
 };
+// src/builders/batch-file.ts
+var crypto = __toESM(require("crypto"), 1);
+init_ksef_validation_error();
+var BATCH_MAX_PART_SIZE = 1e8;
+var BATCH_MAX_TOTAL_SIZE = 5e9;
+var BATCH_MAX_PARTS = 50;
+var BatchFileBuilder = class {
+  /**
+   * Build batch file metadata and encrypted parts from a raw ZIP.
+   *
+   * @param zipBytes - Unencrypted ZIP data
+   * @param encryptFn - AES-256-CBC encryption function (called per part)
+   * @param options - Optional configuration
+   */
+  static build(zipBytes, encryptFn, options) {
+    const maxPartSize = options?.maxPartSize ?? BATCH_MAX_PART_SIZE;
+    if (maxPartSize <= 0) {
+      throw new KSeFValidationError("maxPartSize must be a positive number");
+    }
+    if (zipBytes.length === 0) {
+      throw new KSeFValidationError("ZIP data must not be empty");
+    }
+    if (zipBytes.length > BATCH_MAX_TOTAL_SIZE) {
+      throw new KSeFValidationError(
+        `ZIP size ${zipBytes.length} exceeds maximum of ${BATCH_MAX_TOTAL_SIZE} bytes (5 GB)`
+      );
+    }
+    const rawParts = splitBuffer(zipBytes, maxPartSize);
+    if (rawParts.length > BATCH_MAX_PARTS) {
+      throw new KSeFValidationError(
+        `Data requires ${rawParts.length} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
+      );
+    }
+    const zipHash = sha256Base64(zipBytes);
+    const encryptedParts = [];
+    const fileParts = rawParts.map((raw, i) => {
+      const encrypted = encryptFn(raw);
+      encryptedParts.push(encrypted);
+      return {
+        ordinalNumber: i + 1,
+        fileSize: encrypted.length,
+        fileHash: sha256Base64(encrypted)
+      };
+    });
+    return {
+      batchFile: {
+        fileSize: zipBytes.length,
+        fileHash: zipHash,
+        fileParts
+      },
+      encryptedParts
+    };
+  }
+  /**
+   * Stream-based variant: two-pass build from a stream factory.
+   *
+   * Pass 1: consume stream to compute ZIP hash.
+   * Pass 2: re-create stream, split into parts, encrypt each, compute per-part metadata.
+   *
+   * @param zipStreamFactory - Factory that creates a fresh ReadableStream of the ZIP data
+   * @param zipSize - Total ZIP byte size (from fs.stat or known in advance)
+   * @param encryptStreamFn - Stream-to-stream AES-256-CBC encryption function
+   * @param hashStreamFn - Stream-to-FileMetadata hashing function
+   * @param options - Optional configuration
+   */
+  static async buildFromStream(zipStreamFactory, zipSize, encryptStreamFn, hashStreamFn, options) {
+    const maxPartSize = options?.maxPartSize ?? BATCH_MAX_PART_SIZE;
+    if (maxPartSize <= 0) {
+      throw new KSeFValidationError("maxPartSize must be a positive number");
+    }
+    if (zipSize === 0) {
+      throw new KSeFValidationError("ZIP data must not be empty");
+    }
+    if (zipSize > BATCH_MAX_TOTAL_SIZE) {
+      throw new KSeFValidationError(
+        `ZIP size ${zipSize} exceeds maximum of ${BATCH_MAX_TOTAL_SIZE} bytes (5 GB)`
+      );
+    }
+    const partCount = Math.ceil(zipSize / maxPartSize);
+    if (partCount > BATCH_MAX_PARTS) {
+      throw new KSeFValidationError(
+        `Data requires ${partCount} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
+      );
+    }
+    const zipMeta = await hashStreamFn(zipStreamFactory());
+    const fileParts = [];
+    const streamParts = [];
+    const reader = zipStreamFactory().getReader();
+    let pending = [];
+    let pendingSize = 0;
+    for (let partIndex = 0; partIndex < partCount; partIndex++) {
+      const isLastPart = partIndex === partCount - 1;
+      const targetSize = isLastPart ? zipSize - partIndex * maxPartSize : maxPartSize;
+      while (pendingSize < targetSize) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        pending.push(value);
+        pendingSize += value.byteLength;
+      }
+      const buffer = new Uint8Array(Buffer.concat(pending));
+      const partData = buffer.subarray(0, targetSize);
+      if (buffer.byteLength > targetSize) {
+        const remainder = buffer.subarray(targetSize);
+        pending = [remainder];
+        pendingSize = remainder.byteLength;
+      } else {
+        pending = [];
+        pendingSize = 0;
+      }
+      const partStream = new ReadableStream({
+        start(controller) {
+          controller.enqueue(partData);
+          controller.close();
+        }
+      });
+      const encryptedStream = encryptStreamFn(partStream);
+      const encryptedChunks = [];
+      const encReader = encryptedStream.getReader();
+      for (; ; ) {
+        const { done, value } = await encReader.read();
+        if (done) break;
+        encryptedChunks.push(value);
+      }
+      const encryptedData = new Uint8Array(Buffer.concat(encryptedChunks));
+      const encryptedMeta = sha256Base64(encryptedData);
+      fileParts.push({
+        ordinalNumber: partIndex + 1,
+        fileSize: encryptedData.byteLength,
+        fileHash: encryptedMeta
+      });
+      const uploadStream = new ReadableStream({
+        start(controller) {
+          controller.enqueue(encryptedData);
+          controller.close();
+        }
+      });
+      streamParts.push({
+        dataStream: uploadStream,
+        metadata: {
+          hashSHA: encryptedMeta,
+          fileSize: encryptedData.byteLength
+        },
+        ordinalNumber: partIndex + 1
+      });
+    }
+    reader.releaseLock();
+    return {
+      batchFile: {
+        fileSize: zipSize,
+        fileHash: zipMeta.hashSHA,
+        fileParts
+      },
+      streamParts
+    };
+  }
+};
+function splitBuffer(data, maxPartSize) {
+  if (data.length <= maxPartSize) {
+    return [data];
+  }
+  const parts = [];
+  for (let offset = 0; offset < data.length; offset += maxPartSize) {
+    parts.push(data.subarray(offset, Math.min(offset + maxPartSize, data.length)));
+  }
+  return parts;
+}
+function sha256Base64(data) {
+  return crypto.createHash("sha256").update(data).digest("base64");
+}
 // src/crypto/index.ts
 init_certificate_fetcher();
 init_cryptography_service();
 init_signature_service();
 // src/crypto/certificate-service.ts
-var crypto3 = __toESM(require("crypto"), 1);
+var crypto4 = __toESM(require("crypto"), 1);
 var x5092 = __toESM(require("@peculiar/x509"), 1);
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
     const der = extractDerFromPem2(certPem);
-    return crypto3.createHash("sha256").update(der).digest("hex").toUpperCase();
+    return crypto4.createHash("sha256").update(der).digest("hex").toUpperCase();
   }
   static async generatePersonalCertificate(givenName, surname, serialNumber, commonName, method = "RSA") {
     const nameParts = [];
@@ -7624,7 +7993,7 @@ var CertificateService = class {
   }
 };
 async function generateSelfSigned(subject, method) {
-  x5092.cryptoProvider.set(crypto3.webcrypto);
+  x5092.cryptoProvider.set(crypto4.webcrypto);
   let algorithm;
   let signingAlgorithm;
   if (method === "ECDSA") {
@@ -7639,7 +8008,7 @@ async function generateSelfSigned(subject, method) {
     };
     signingAlgorithm = algorithm;
   }
-  const keys = await crypto3.webcrypto.subtle.generateKey(
+  const keys = await crypto4.webcrypto.subtle.generateKey(
     algorithm,
     true,
     ["sign", "verify"]
@@ -7656,9 +8025,9 @@ async function generateSelfSigned(subject, method) {
     serialNumber: Date.now().toString(16)
   });
   const certPem = cert.toString("pem");
-  const pkcs8 = await crypto3.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+  const pkcs8 = await crypto4.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
   const privateKeyPem = pemEncode2(new Uint8Array(pkcs8), "PRIVATE KEY");
-  const fingerprint = crypto3.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
+  const fingerprint = crypto4.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
   return { certificatePem: certPem, privateKeyPem, fingerprint };
 }
 function extractDerFromPem2(pem) {
@@ -7678,6 +8047,7 @@ ${lines.join("\n")}
 // src/crypto/index.ts
 init_pkcs12_loader();
+init_auth_xml_builder();
 // src/qr/index.ts
 init_verification_link_service();
@@ -7741,6 +8111,94 @@ function escapeXml2(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
 }
+// src/utils/zip.ts
+var import_yazl = require("yazl");
+var import_yauzl = require("yauzl");
+var DEFAULT_UNZIP_OPTIONS = {
+  maxFiles: 1e4,
+  maxTotalUncompressedSize: 2e9,
+  maxFileUncompressedSize: 5e8,
+  maxCompressionRatio: 200
+};
+async function createZip(entries) {
+  return new Promise((resolve, reject) => {
+    const zipfile = new import_yazl.ZipFile();
+    for (const entry of entries) {
+      zipfile.addBuffer(Buffer.from(entry.content), entry.fileName);
+    }
+    const chunks = [];
+    zipfile.outputStream.on("data", (chunk) => chunks.push(chunk));
+    zipfile.outputStream.on("error", (err) => reject(err));
+    zipfile.outputStream.on("end", () => resolve(Buffer.concat(chunks)));
+    zipfile.end();
+  });
+}
+async function unzip(buffer, options = {}) {
+  const limits = { ...DEFAULT_UNZIP_OPTIONS, ...options };
+  return new Promise((resolve, reject) => {
+    (0, import_yauzl.fromBuffer)(buffer, { lazyEntries: true }, (err, zipfile) => {
+      if (err || !zipfile) {
+        reject(err ?? new Error("Failed to open zip buffer"));
+        return;
+      }
+      const files = /* @__PURE__ */ new Map();
+      let totalUncompressed = 0;
+      zipfile.readEntry();
+      zipfile.on("entry", (entry) => {
+        if (entry.fileName.endsWith("/")) {
+          zipfile.readEntry();
+          return;
+        }
+        if (limits.maxFiles > 0 && files.size >= limits.maxFiles) {
+          reject(new Error("zip contains too many files"));
+          return;
+        }
+        const uncompressedSize = entry.uncompressedSize ?? 0;
+        const compressedSize = entry.compressedSize ?? 0;
+        if (limits.maxFileUncompressedSize > 0 && uncompressedSize > limits.maxFileUncompressedSize) {
+          reject(new Error("zip entry exceeds max_file_uncompressed_size"));
+          return;
+        }
+        if (limits.maxTotalUncompressedSize > 0) {
+          totalUncompressed += uncompressedSize;
+          if (totalUncompressed > limits.maxTotalUncompressedSize) {
+            reject(new Error("zip exceeds max_total_uncompressed_size"));
+            return;
+          }
+        }
+        if (limits.maxCompressionRatio !== null) {
+          if (compressedSize === 0 && uncompressedSize > 0) {
+            reject(new Error("zip entry has suspicious compression metadata"));
+            return;
+          }
+          if (compressedSize > 0 && uncompressedSize > 0) {
+            const ratio = uncompressedSize / compressedSize;
+            if (ratio > limits.maxCompressionRatio) {
+              reject(new Error("zip entry exceeds max_compression_ratio"));
+              return;
+            }
+          }
+        }
+        zipfile.openReadStream(entry, (streamErr, stream) => {
+          if (streamErr || !stream) {
+            reject(streamErr ?? new Error("Failed to read zip entry"));
+            return;
+          }
+          const chunks = [];
+          stream.on("data", (chunk) => chunks.push(chunk));
+          stream.on("error", (streamError) => reject(streamError));
+          stream.on("end", () => {
+            files.set(entry.fileName, Buffer.concat(chunks));
+            zipfile.readEntry();
+          });
+        });
+      });
+      zipfile.on("end", () => resolve(files));
+      zipfile.on("error", (zipErr) => reject(zipErr));
+    });
+  });
+}
 // src/workflows/polling.ts
 async function pollUntil(action, condition, options) {
   const intervalMs = options?.intervalMs ?? 2e3;
@@ -7758,17 +8216,150 @@ async function pollUntil(action, condition, options) {
   );
 }
+// src/xml/upo-parser.ts
+var import_fast_xml_parser = require("fast-xml-parser");
+init_ksef_validation_error();
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function requireRecord(value, at) {
+  if (!isRecord(value)) {
+    throw KSeFValidationError.fromField(at, `Expected object at ${at}`);
+  }
+  return value;
+}
+function requireString(value, at) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw KSeFValidationError.fromField(at, `Expected non-empty string at ${at}`);
+  }
+  return value;
+}
+function optionalRecord(value) {
+  return isRecord(value) ? value : void 0;
+}
+function optionalString(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function requireNumberFromString(value, at) {
+  const raw = requireString(value, at);
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed)) {
+    throw KSeFValidationError.fromField(at, `Expected integer at ${at}, got "${raw}"`);
+  }
+  return parsed;
+}
+function ensureArray(value) {
+  if (value == null) return [];
+  return Array.isArray(value) ? value : [value];
+}
+function parseIdKontekstu(obj) {
+  const nip = optionalString(obj.Nip);
+  if (nip) return { kind: "Nip", nip };
+  const idWewnetrzny = optionalString(obj.IdWewnetrzny);
+  if (idWewnetrzny) return { kind: "IdWewnetrzny", idWewnetrzny };
+  const idZlozonyVatUE = optionalString(obj.IdZlozonyVatUE);
+  if (idZlozonyVatUE) return { kind: "IdZlozonyVatUE", idZlozonyVatUE };
+  const idDostawcyUslugPeppol = optionalString(obj.IdDostawcyUslugPeppol);
+  if (idDostawcyUslugPeppol) return { kind: "IdDostawcyUslugPeppol", idDostawcyUslugPeppol };
+  throw KSeFValidationError.fromField(
+    "Uwierzytelnienie.IdKontekstu",
+    "Unsupported context identifier. Expected Nip | IdWewnetrzny | IdZlozonyVatUE | IdDostawcyUslugPeppol"
+  );
+}
+function parseProof(obj) {
+  const tokenRef = optionalString(obj.NumerReferencyjnyTokenaKSeF);
+  if (tokenRef) return { kind: "NumerReferencyjnyTokenaKSeF", numerReferencyjnyTokenaKSeF: tokenRef };
+  const docHash = optionalString(obj.SkrotDokumentuUwierzytelniajacego);
+  if (docHash) return { kind: "SkrotDokumentuUwierzytelniajacego", skrotDokumentuUwierzytelniajacego: docHash };
+  throw KSeFValidationError.fromField(
+    "Uwierzytelnienie",
+    "Unsupported auth proof. Expected NumerReferencyjnyTokenaKSeF | SkrotDokumentuUwierzytelniajacego"
+  );
+}
+function parseUwierzytelnienie(obj) {
+  const idKontekstu = parseIdKontekstu(
+    requireRecord(obj.IdKontekstu, "Uwierzytelnienie.IdKontekstu")
+  );
+  const proof = parseProof(obj);
+  return { idKontekstu, proof };
+}
+function parseOpisPotwierdzenia(obj) {
+  return {
+    strona: requireNumberFromString(obj.Strona, "OpisPotwierdzenia.Strona"),
+    liczbaStron: requireNumberFromString(obj.LiczbaStron, "OpisPotwierdzenia.LiczbaStron"),
+    zakresDokumentowOd: requireNumberFromString(obj.ZakresDokumentowOd, "OpisPotwierdzenia.ZakresDokumentowOd"),
+    zakresDokumentowDo: requireNumberFromString(obj.ZakresDokumentowDo, "OpisPotwierdzenia.ZakresDokumentowDo"),
+    calkowitaLiczbaDokumentow: requireNumberFromString(obj.CalkowitaLiczbaDokumentow, "OpisPotwierdzenia.CalkowitaLiczbaDokumentow")
+  };
+}
+function parseDokument(obj) {
+  return {
+    nipSprzedawcy: requireString(obj.NipSprzedawcy, "Dokument.NipSprzedawcy"),
+    numerKSeFDokumentu: requireString(obj.NumerKSeFDokumentu, "Dokument.NumerKSeFDokumentu"),
+    numerFaktury: requireString(obj.NumerFaktury, "Dokument.NumerFaktury"),
+    dataWystawieniaFaktury: requireString(obj.DataWystawieniaFaktury, "Dokument.DataWystawieniaFaktury"),
+    dataPrzeslaniaDokumentu: requireString(obj.DataPrzeslaniaDokumentu, "Dokument.DataPrzeslaniaDokumentu"),
+    dataNadaniaNumeruKSeF: requireString(obj.DataNadaniaNumeruKSeF, "Dokument.DataNadaniaNumeruKSeF"),
+    skrotDokumentu: requireString(obj.SkrotDokumentu, "Dokument.SkrotDokumentu"),
+    trybWysylki: requireString(obj.TrybWysylki, "Dokument.TrybWysylki")
+  };
+}
+var upoParser = new import_fast_xml_parser.XMLParser({
+  ignoreAttributes: false,
+  attributeNamePrefix: "@_",
+  parseTagValue: false,
+  parseAttributeValue: false,
+  removeNSPrefix: true,
+  trimValues: false
+});
+function parseUpoXml(xml) {
+  const text = Buffer.isBuffer(xml) ? xml.toString("utf8") : xml;
+  const parsed = upoParser.parse(text);
+  const potwierdzenie = requireRecord(parsed?.Potwierdzenie, "Potwierdzenie");
+  const opisPotwierdzenia = optionalRecord(potwierdzenie.OpisPotwierdzenia);
+  const dokumenty = ensureArray(potwierdzenie.Dokument).map(
+    (doc, i) => parseDokument(requireRecord(doc, `Dokument[${i}]`))
+  );
+  if (dokumenty.length === 0) {
+    throw KSeFValidationError.fromField("Dokument", "Expected at least one Dokument in UPO");
+  }
+  return {
+    nazwaPodmiotuPrzyjmujacego: requireString(potwierdzenie.NazwaPodmiotuPrzyjmujacego, "NazwaPodmiotuPrzyjmujacego"),
+    numerReferencyjnySesji: requireString(potwierdzenie.NumerReferencyjnySesji, "NumerReferencyjnySesji"),
+    uwierzytelnienie: parseUwierzytelnienie(requireRecord(potwierdzenie.Uwierzytelnienie, "Uwierzytelnienie")),
+    ...opisPotwierdzenia && { opisPotwierdzenia: parseOpisPotwierdzenia(opisPotwierdzenia) },
+    nazwaStrukturyLogicznej: requireString(potwierdzenie.NazwaStrukturyLogicznej, "NazwaStrukturyLogicznej"),
+    kodFormularza: requireString(potwierdzenie.KodFormularza, "KodFormularza"),
+    dokumenty
+  };
+}
 // src/workflows/online-session-workflow.ts
-var DEFAULT_FORM_CODE = { systemCode: "FA", schemaVersion: "3", value: "FA (3)" };
 async function openOnlineSession(client, options) {
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
-  const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
+  const formCode = options?.formCode ?? FORM_CODES.FA_2;
   const openResp = await client.onlineSession.openSession(
     { formCode, encryption: encData.encryptionInfo },
     options?.upoVersion
   );
   const sessionRef = openResp.referenceNumber;
+  async function fetchUpo(pollOpts) {
+    const result = await pollUntil(
+      () => client.sessionStatus.getSessionStatus(sessionRef),
+      (s) => s.status.code === 200 || s.status.code >= 400,
+      { ...pollOpts, description: `UPO for session ${sessionRef}` }
+    );
+    if (result.status.code !== 200) {
+      throw new Error(`Session failed: ${result.status.code} \u2014 ${result.status.description}`);
+    }
+    return {
+      pages: result.upo?.pages ?? [],
+      invoiceCount: result.invoiceCount,
+      successfulInvoiceCount: result.successfulInvoiceCount,
+      failedInvoiceCount: result.failedInvoiceCount
+    };
+  }
   return {
     sessionRef,
     validUntil: openResp.validUntil,
@@ -7790,20 +8381,16 @@ async function openOnlineSession(client, options) {
       await client.onlineSession.closeSession(sessionRef);
     },
     async waitForUpo(pollOpts) {
-      const result = await pollUntil(
-        () => client.sessionStatus.getSessionStatus(sessionRef),
-        (s) => s.status.code !== 100,
-        { ...pollOpts, description: `UPO for session ${sessionRef}` }
-      );
-      if (result.status.code !== 200) {
-        throw new Error(`Session failed: ${result.status.code} \u2014 ${result.status.description}`);
-      }
-      return {
-        pages: result.upo?.pages ?? [],
-        invoiceCount: result.invoiceCount,
-        successfulInvoiceCount: result.successfulInvoiceCount,
-        failedInvoiceCount: result.failedInvoiceCount
-      };
+      return fetchUpo(pollOpts);
+    },
+    async waitForUpoParsed(pollOpts) {
+      const upoInfo = await fetchUpo(pollOpts);
+      const parsed = [];
+      for (const page of upoInfo.pages) {
+        const result = await client.sessionStatus.getSessionUpo(sessionRef, page.referenceNumber);
+        parsed.push(parseUpoXml(result.upo));
+      }
+      return { ...upoInfo, parsed };
     }
   };
 }
@@ -7817,32 +8404,78 @@ async function openSendAndClose(client, invoices, options) {
 }
 // src/workflows/batch-session-workflow.ts
-var DEFAULT_FORM_CODE2 = { systemCode: "FA", schemaVersion: "3", value: "FA (3)" };
-async function uploadBatch(client, zipParts, totalFileSize, totalFileHash, options) {
+async function uploadBatch(client, zipData, options) {
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
-  const formCode = options?.formCode ?? DEFAULT_FORM_CODE2;
-  const fileParts = zipParts.map((part, i) => {
-    const meta = client.crypto.getFileMetadata(new Uint8Array(part.data));
-    return { ordinalNumber: i + 1, fileSize: meta.fileSize, fileHash: meta.hashSHA };
+  const formCode = options?.formCode ?? FORM_CODES.FA_2;
+  const encryptFn = (part) => client.crypto.encryptAES256(part, encData.cipherKey, encData.cipherIv);
+  const { batchFile, encryptedParts } = BatchFileBuilder.build(zipData, encryptFn, {
+    maxPartSize: options?.maxPartSize
   });
   const openResp = await client.batchSession.openSession(
     {
       formCode,
       encryption: encData.encryptionInfo,
-      batchFile: { fileSize: totalFileSize, fileHash: totalFileHash, fileParts }
+      batchFile,
+      offlineMode: options?.offlineMode
     },
     options?.upoVersion
   );
-  const sendingParts = zipParts.map((part, i) => {
-    const meta = client.crypto.getFileMetadata(new Uint8Array(part.data));
-    return { data: part.data, metadata: meta, ordinalNumber: i + 1 };
-  });
+  const sendingParts = encryptedParts.map((part, i) => ({
+    data: part.buffer.slice(part.byteOffset, part.byteOffset + part.byteLength),
+    metadata: {
+      hashSHA: batchFile.fileParts[i].fileHash,
+      fileSize: batchFile.fileParts[i].fileSize
+    },
+    ordinalNumber: i + 1
+  }));
   await client.batchSession.sendParts(openResp, sendingParts);
   await client.batchSession.closeSession(openResp.referenceNumber);
   const result = await pollUntil(
     () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
-    (s) => s.status.code !== 100,
+    (s) => s.status.code === 200 || s.status.code >= 400,
+    { ...options?.pollOptions, description: `UPO for batch ${openResp.referenceNumber}` }
+  );
+  if (result.status.code !== 200) {
+    throw new Error(`Batch session failed: ${result.status.code} \u2014 ${result.status.description}`);
+  }
+  return {
+    sessionRef: openResp.referenceNumber,
+    upo: {
+      pages: result.upo?.pages ?? [],
+      invoiceCount: result.invoiceCount,
+      successfulInvoiceCount: result.successfulInvoiceCount,
+      failedInvoiceCount: result.failedInvoiceCount
+    }
+  };
+}
+async function uploadBatchStream(client, zipStreamFactory, zipSize, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const formCode = options?.formCode ?? FORM_CODES.FA_2;
+  const encryptStreamFn = (stream) => client.crypto.encryptAES256Stream(stream, encData.cipherKey, encData.cipherIv);
+  const hashStreamFn = (stream) => client.crypto.getFileMetadataFromStream(stream);
+  const { batchFile, streamParts } = await BatchFileBuilder.buildFromStream(
+    zipStreamFactory,
+    zipSize,
+    encryptStreamFn,
+    hashStreamFn,
+    { maxPartSize: options?.maxPartSize }
+  );
+  const openResp = await client.batchSession.openSession(
+    {
+      formCode,
+      encryption: encData.encryptionInfo,
+      batchFile,
+      offlineMode: options?.offlineMode
+    },
+    options?.upoVersion
+  );
+  await client.batchSession.sendPartsWithStream(openResp, streamParts);
+  await client.batchSession.closeSession(openResp.referenceNumber);
+  const result = await pollUntil(
+    () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
+    (s) => s.status.code === 200 || s.status.code >= 400,
     { ...options?.pollOptions, description: `UPO for batch ${openResp.referenceNumber}` }
   );
   if (result.status.code !== 200) {
@@ -7858,9 +8491,33 @@ async function uploadBatch(client, zipParts, totalFileSize, totalFileHash, optio
     }
   };
 }
+async function uploadBatchStreamParsed(client, zipStreamFactory, zipSize, options) {
+  const result = await uploadBatchStream(client, zipStreamFactory, zipSize, options);
+  const parsed = [];
+  for (const page of result.upo.pages) {
+    const upoResult = await client.sessionStatus.getSessionUpo(result.sessionRef, page.referenceNumber);
+    parsed.push(parseUpoXml(upoResult.upo));
+  }
+  return {
+    sessionRef: result.sessionRef,
+    upo: { ...result.upo, parsed }
+  };
+}
+async function uploadBatchParsed(client, zipData, options) {
+  const result = await uploadBatch(client, zipData, options);
+  const parsed = [];
+  for (const page of result.upo.pages) {
+    const upoResult = await client.sessionStatus.getSessionUpo(result.sessionRef, page.referenceNumber);
+    parsed.push(parseUpoXml(upoResult.upo));
+  }
+  return {
+    sessionRef: result.sessionRef,
+    upo: { ...result.upo, parsed }
+  };
+}
 // src/workflows/invoice-export-workflow.ts
-async function exportInvoices(client, filters, options) {
+async function doExport(client, filters, options) {
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
   const opResp = await client.invoices.exportInvoices({
@@ -7870,7 +8527,7 @@ async function exportInvoices(client, filters, options) {
   });
   const result = await pollUntil(
     () => client.invoices.getInvoiceExportStatus(opResp.referenceNumber),
-    (s) => s.status.code !== 100,
+    (s) => s.status.code === 200 || s.status.code >= 400,
     { ...options?.pollOptions, description: `export ${opResp.referenceNumber}` }
   );
   if (result.status.code !== 200) {
@@ -7880,23 +8537,31 @@ async function exportInvoices(client, filters, options) {
     throw new Error("Export completed but no package available");
   }
   return {
-    parts: result.package.parts.map((p) => ({
-      ordinalNumber: p.ordinalNumber,
-      url: p.url,
-      method: p.method,
-      partSize: p.partSize,
-      encryptedPartSize: p.encryptedPartSize,
-      encryptedPartHash: p.encryptedPartHash,
-      expirationDate: p.expirationDate
-    })),
-    invoiceCount: result.package.invoiceCount,
-    isTruncated: result.package.isTruncated,
-    permanentStorageHwmDate: result.package.permanentStorageHwmDate
+    encData,
+    referenceNumber: opResp.referenceNumber,
+    result: {
+      parts: result.package.parts.map((p) => ({
+        ordinalNumber: p.ordinalNumber,
+        url: p.url,
+        method: p.method,
+        partSize: p.partSize,
+        encryptedPartSize: p.encryptedPartSize,
+        encryptedPartHash: p.encryptedPartHash,
+        expirationDate: p.expirationDate
+      })),
+      invoiceCount: result.package.invoiceCount,
+      isTruncated: result.package.isTruncated,
+      permanentStorageHwmDate: result.package.permanentStorageHwmDate,
+      lastPermanentStorageDate: result.package.lastPermanentStorageDate
+    }
   };
 }
+async function exportInvoices(client, filters, options) {
+  const { result } = await doExport(client, filters, options);
+  return result;
+}
 async function exportAndDownload(client, filters, options) {
-  const encData = client.crypto.getEncryptionData();
-  const exportResult = await exportInvoices(client, filters, options);
+  const { result: exportResult, encData } = await doExport(client, filters, options);
   const download = options?.transport ?? fetch;
   const decryptedParts = [];
   for (const part of exportResult.parts) {
@@ -7908,13 +8573,144 @@ async function exportAndDownload(client, filters, options) {
     const decrypted = client.crypto.decryptAES256(encryptedData, encData.cipherKey, encData.cipherIv);
     decryptedParts.push(decrypted);
   }
+  if (options?.extract) {
+    const zipBuffer = Buffer.concat(decryptedParts);
+    const files = await unzip(zipBuffer, options.unzipOptions);
+    return { ...exportResult, files };
+  }
   return {
     ...exportResult,
     decryptedParts
   };
 }
+// src/workflows/hwm-coordinator.ts
+function updateContinuationPoint(points, subjectType, pkg) {
+  if (pkg.isTruncated && pkg.lastPermanentStorageDate) {
+    points[subjectType] = pkg.lastPermanentStorageDate;
+  } else if (pkg.permanentStorageHwmDate) {
+    points[subjectType] = pkg.permanentStorageHwmDate;
+  } else {
+    delete points[subjectType];
+  }
+}
+function getEffectiveStartDate(points, subjectType, windowFrom) {
+  return points[subjectType] ?? windowFrom;
+}
+function deduplicateByKsefNumber(entries) {
+  const seen = /* @__PURE__ */ new Set();
+  return entries.filter((entry) => {
+    const key = entry.ksefNumber.toLowerCase();
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+// src/workflows/incremental-export-workflow.ts
+async function incrementalExportAndDownload(client, options) {
+  const maxIterations = options.maxIterations ?? 20;
+  const points = options.continuationPoints;
+  if (options.store) {
+    const loaded = await options.store.load();
+    for (const [key, value] of Object.entries(loaded)) {
+      if (value !== void 0 && points[key] === void 0) {
+        points[key] = value;
+      }
+    }
+  }
+  const referenceNumbers = [];
+  const decryptedParts = [];
+  let previousFrom;
+  let iteration = 0;
+  for (; iteration < maxIterations; iteration++) {
+    const effectiveFrom = getEffectiveStartDate(points, options.subjectType, options.windowFrom);
+    if (previousFrom !== void 0 && effectiveFrom === previousFrom) {
+      break;
+    }
+    previousFrom = effectiveFrom;
+    const filters = options.filtersFactory ? options.filtersFactory(effectiveFrom, options.windowTo) : buildDefaultFilters(options.subjectType, effectiveFrom, options.windowTo);
+    const { result, encData, referenceNumber } = await doExport(client, filters, {
+      onlyMetadata: options.onlyMetadata,
+      pollOptions: options.pollOptions
+    });
+    referenceNumbers.push(referenceNumber);
+    const download = options.transport ?? fetch;
+    for (const part of result.parts) {
+      const resp = await download(part.url, { method: part.method });
+      if (!resp.ok) {
+        throw new Error(`Download failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+      }
+      const encryptedData = new Uint8Array(await resp.arrayBuffer());
+      const decrypted = client.crypto.decryptAES256(encryptedData, encData.cipherKey, encData.cipherIv);
+      decryptedParts.push(decrypted);
+    }
+    updateContinuationPoint(points, options.subjectType, {
+      isTruncated: result.isTruncated,
+      lastPermanentStorageDate: result.lastPermanentStorageDate,
+      permanentStorageHwmDate: result.permanentStorageHwmDate
+    });
+    if (options.store) {
+      await options.store.save(points);
+    }
+    options.onIterationComplete?.(iteration, result);
+    if (!result.isTruncated) {
+      iteration++;
+      break;
+    }
+  }
+  return {
+    referenceNumbers,
+    invoices: [],
+    decryptedParts,
+    continuationPoints: points,
+    iterationCount: iteration
+  };
+}
+function buildDefaultFilters(subjectType, from, to) {
+  return {
+    subjectType,
+    dateRange: {
+      dateType: "PermanentStorage",
+      from,
+      to
+    }
+  };
+}
+// src/workflows/hwm-storage.ts
+var fs = __toESM(require("fs/promises"), 1);
+var InMemoryHwmStore = class {
+  points = {};
+  async load() {
+    return { ...this.points };
+  }
+  async save(points) {
+    this.points = { ...points };
+  }
+};
+var FileHwmStore = class {
+  constructor(filePath) {
+    this.filePath = filePath;
+  }
+  async load() {
+    try {
+      const data = await fs.readFile(this.filePath, "utf-8");
+      return JSON.parse(data);
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        return {};
+      }
+      throw err;
+    }
+  }
+  async save(points) {
+    await fs.writeFile(this.filePath, JSON.stringify(points, null, 2), "utf-8");
+  }
+};
 // src/workflows/auth-workflow.ts
+init_auth_xml_builder();
 async function authenticateWithToken(client, options) {
   const challenge = await client.auth.getChallenge();
   await client.crypto.init();
@@ -7968,6 +8764,34 @@ async function authenticateWithCertificate(client, options) {
     refreshTokenValidUntil: tokens.refreshToken.validUntil
   };
 }
+async function authenticateWithExternalSignature(client, options) {
+  const challenge = await client.auth.getChallenge();
+  const unsignedXml = buildUnsignedAuthTokenRequestXml({
+    challenge: challenge.challenge,
+    contextIdentifier: options.contextIdentifier
+  });
+  const signedXml = await options.signXml(unsignedXml);
+  const submitResult = await client.auth.submitXadesAuthRequest(
+    signedXml,
+    options.verifyCertificateChain ?? false,
+    options.enforceXadesCompliance ?? false
+  );
+  const authToken = submitResult.authenticationToken.token;
+  await pollUntil(
+    () => client.auth.getAuthStatus(submitResult.referenceNumber, authToken),
+    (s) => s.status.code !== 100,
+    { ...options.pollOptions, description: `auth ${submitResult.referenceNumber}` }
+  );
+  const tokens = await client.auth.getAccessToken(authToken);
+  client.authManager.setAccessToken(tokens.accessToken.token);
+  client.authManager.setRefreshToken(tokens.refreshToken.token);
+  return {
+    accessToken: tokens.accessToken.token,
+    accessTokenValidUntil: tokens.accessToken.validUntil,
+    refreshToken: tokens.refreshToken.token,
+    refreshTokenValidUntil: tokens.refreshToken.validUntil
+  };
+}
 async function authenticateWithPkcs12(client, options) {
   const { Pkcs12Loader: Pkcs12Loader2 } = await Promise.resolve().then(() => (init_pkcs12_loader(), pkcs12_loader_exports));
   const { certificatePem, privateKeyPem } = Pkcs12Loader2.load(options.p12, options.password);
@@ -7990,7 +8814,11 @@ init_client();
   AuthService,
   AuthTokenRequestBuilder,
   AuthorizationPermissionGrantBuilder,
+  BATCH_MAX_PARTS,
+  BATCH_MAX_PART_SIZE,
+  BATCH_MAX_TOTAL_SIZE,
   Base64String,
+  BatchFileBuilder,
   BatchSessionService,
   CERTIFICATE_NAME_MAX_LENGTH,
   CERTIFICATE_NAME_MIN_LENGTH,
@@ -8004,6 +8832,11 @@ init_client();
   ENFORCE_XADES_COMPLIANCE,
   EntityPermissionGrantBuilder,
   Environment,
+  FORM_CODES,
+  FORM_CODE_KEYS,
+  FileHwmStore,
+  INVOICE_TYPES_BY_SYSTEM_CODE,
+  InMemoryHwmStore,
   InternalId,
   InvoiceDownloadService,
   InvoiceQueryFilterBuilder,
@@ -8049,21 +8882,29 @@ init_client();
   SessionStatusService,
   Sha256Base64,
   SignatureService,
+  SystemCode,
   TestDataService,
   TokenService,
   UpoVersion,
   VatUe,
   VerificationLinkService,
   authenticateWithCertificate,
+  authenticateWithExternalSignature,
   authenticateWithPkcs12,
   authenticateWithToken,
+  buildUnsignedAuthTokenRequestXml,
   calculateBackoff,
+  createZip,
+  deduplicateByKsefNumber,
   defaultPresignedUrlPolicy,
   defaultRateLimitPolicy,
   defaultRetryPolicy,
   defaultTransport,
   exportAndDownload,
   exportInvoices,
+  getEffectiveStartDate,
+  getFormCode,
+  incrementalExportAndDownload,
   isRetryableError,
   isRetryableStatus,
   isValidBase64,
@@ -8083,11 +8924,19 @@ init_client();
   isValidVatUe,
   openOnlineSession,
   openSendAndClose,
+  parseFormCode,
   parseRetryAfter,
+  parseUpoXml,
   pollUntil,
   resolveOptions,
   sleep,
+  unzip,
+  updateContinuationPoint,
   uploadBatch,
+  uploadBatchParsed,
+  uploadBatchStream,
+  uploadBatchStreamParsed,
+  validateFormCodeForSession,
   validatePresignedUrl
 });
 //# sourceMappingURL=index.cjs.map