ksef-client-ts 0.2.0 → 0.4.0

package/dist/index.js

@@ -65,7 +65,8 @@ function resolveOptions(options = {}) {
     lighthouseUrl: options.lighthouseUrl ?? env.lighthouseUrl,
     apiVersion: options.apiVersion ?? DEFAULT_API_VERSION,
     timeout: options.timeout ?? DEFAULT_TIMEOUT,
-    customHeaders: options.customHeaders ?? {}
+    customHeaders: options.customHeaders ?? {},
+    environmentName: options.environment ?? (options.baseUrl ? void 0 : "TEST")
   };
 }
 var DEFAULT_API_VERSION, DEFAULT_TIMEOUT;
@@ -1105,6 +1106,36 @@ var init_batch_session = __esm({
         });
         await Promise.all(tasks);
       }
+      /**
+       * Upload parts sequentially (not in parallel) because each part uses a
+       * streaming body (`duplex: 'half'`). Parallel streaming uploads can cause
+       * backpressure issues and exceed memory limits for large payloads.
+       */
+      async sendPartsWithStream(openResponse, parts) {
+        const uploadRequests = openResponse.partUploadRequests;
+        for (const part of parts) {
+          const uploadReq = uploadRequests.find(
+            (r) => r.ordinalNumber === part.ordinalNumber
+          );
+          if (!uploadReq) {
+            throw new Error(`No upload request found for part ${part.ordinalNumber}`);
+          }
+          const headers = {};
+          for (const [k, v] of Object.entries(uploadReq.headers)) {
+            if (v != null) headers[k] = v;
+          }
+          const resp = await fetch(uploadReq.url, {
+            method: uploadReq.method,
+            headers,
+            body: part.dataStream,
+            // @ts-expect-error -- Node 18+ undici supports duplex for streaming body
+            duplex: "half"
+          });
+          if (!resp.ok) {
+            throw new Error(`Upload failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+          }
+        }
+      }
       async closeSession(batchRef) {
         const req = RestRequest.post(Routes.Sessions.Batch.close(batchRef));
         await this.restClient.executeVoid(req);
@@ -1573,84 +1604,111 @@ var init_test_data = __esm({
     "use strict";
     init_rest_request();
     init_routes();
+    init_ksef_error();
     TestDataService = class {
       restClient;
-      constructor(restClient) {
+      environmentName;
+      constructor(restClient, environmentName) {
         this.restClient = restClient;
+        this.environmentName = environmentName;
+      }
+      ensureTestEnvironment() {
+        if (this.environmentName && this.environmentName !== "TEST") {
+          throw new KSeFError(
+            `Test data APIs are only available on the TEST environment (current: ${this.environmentName})`
+          );
+        }
       }
       // Subject management
       async createSubject(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.createSubject).body(request);
         await this.restClient.executeVoid(req);
       }
       async removeSubject(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.removeSubject).body(request);
         await this.restClient.executeVoid(req);
       }
       // Person management
       async createPerson(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.createPerson).body(request);
         await this.restClient.executeVoid(req);
       }
       async removePerson(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.removePerson).body(request);
         await this.restClient.executeVoid(req);
       }
       // Permissions
       async grantPermissions(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.grantPerms).body(request);
         await this.restClient.executeVoid(req);
       }
       async revokePermissions(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.revokePerms).body(request);
         await this.restClient.executeVoid(req);
       }
       // Attachment permissions
       async enableAttachment(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.enableAttach).body(request);
         await this.restClient.executeVoid(req);
       }
       async disableAttachment(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.disableAttach).body(request);
         await this.restClient.executeVoid(req);
       }
       // Session limits
       async changeSessionLimits(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.changeSessionLimitsInCurrentContext).body(request);
         await this.restClient.executeVoid(req);
       }
       async restoreDefaultSessionLimits() {
+        this.ensureTestEnvironment();
         const req = RestRequest.delete(Routes.TestData.restoreDefaultSessionLimitsInCurrentContext);
         await this.restClient.executeVoid(req);
       }
       // Certificate limits
       async changeCertificatesLimit(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.changeCertificatesLimitInCurrentSubject).body(request);
         await this.restClient.executeVoid(req);
       }
       async restoreDefaultCertificatesLimit() {
+        this.ensureTestEnvironment();
         const req = RestRequest.delete(Routes.TestData.restoreDefaultCertificatesLimitInCurrentSubject);
         await this.restClient.executeVoid(req);
       }
       // Rate limits
       async setRateLimits(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.rateLimits).body(request);
         await this.restClient.executeVoid(req);
       }
       async restoreDefaultRateLimits() {
+        this.ensureTestEnvironment();
         const req = RestRequest.delete(Routes.TestData.rateLimits);
         await this.restClient.executeVoid(req);
       }
       async setProductionRateLimits() {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.productionRateLimits);
         await this.restClient.executeVoid(req);
       }
       // Context blocking
       async blockContext(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.blockContext).body(request);
         await this.restClient.executeVoid(req);
       }
       async unblockContext(request) {
+        this.ensureTestEnvironment();
         const req = RestRequest.post(Routes.TestData.unblockContext).body(request);
         await this.restClient.executeVoid(req);
       }
@@ -1727,10 +1785,10 @@ ${lines.join("\n")}
 });
 
 // src/crypto/cryptography-service.ts
-import * as crypto from "crypto";
+import * as crypto2 from "crypto";
 import * as x509 from "@peculiar/x509";
 function setCryptoProvider() {
-  x509.cryptoProvider.set(crypto.webcrypto);
+  x509.cryptoProvider.set(crypto2.webcrypto);
 }
 function buildX500Name(fields) {
   const parts = [];
@@ -1772,12 +1830,34 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       /** Encrypt with AES-256-CBC (PKCS7 padding is automatic in Node). */
       encryptAES256(content, key, iv) {
-        const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
+        const cipher = crypto2.createCipheriv("aes-256-cbc", key, iv);
         return new Uint8Array(Buffer.concat([cipher.update(content), cipher.final()]));
       }
+      /**
+       * Encrypt with AES-256-CBC as a streaming transform.
+       * Returns a ReadableStream that yields encrypted chunks as the input is read.
+       */
+      encryptAES256Stream(input, key, iv) {
+        const cipher = crypto2.createCipheriv("aes-256-cbc", key, iv);
+        const transform = new TransformStream({
+          transform(chunk, controller) {
+            const encrypted = cipher.update(chunk);
+            if (encrypted.length > 0) {
+              controller.enqueue(new Uint8Array(encrypted));
+            }
+          },
+          flush(controller) {
+            const final = cipher.final();
+            if (final.length > 0) {
+              controller.enqueue(new Uint8Array(final));
+            }
+          }
+        });
+        return input.pipeThrough(transform);
+      }
       /** Decrypt with AES-256-CBC. */
       decryptAES256(content, key, iv) {
-        const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
+        const decipher = crypto2.createDecipheriv("aes-256-cbc", key, iv);
         return new Uint8Array(Buffer.concat([decipher.update(content), decipher.final()]));
       }
       // ---------------------------------------------------------------------------
@@ -1788,14 +1868,14 @@ var init_cryptography_service = __esm({
        * SymmetricKeyEncryption certificate's RSA public key (RSA-OAEP SHA-256).
        */
       getEncryptionData() {
-        const key = crypto.randomBytes(32);
-        const iv = crypto.randomBytes(16);
+        const key = crypto2.randomBytes(32);
+        const iv = crypto2.randomBytes(16);
         const certPem = this.fetcher.getSymmetricKeyEncryptionPem();
-        const encryptedKey = crypto.publicEncrypt(
+        const encryptedKey = crypto2.publicEncrypt(
           {
             key: certPem,
             oaepHash: "sha256",
-            padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
+            padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
           },
           key
         );
@@ -1829,7 +1909,7 @@ var init_cryptography_service = __esm({
         const timestampMs = new Date(challengeTimestamp).getTime();
         const plaintext = Buffer.from(`${token}|${timestampMs}`, "utf-8");
         const certPem = this.fetcher.getKsefTokenEncryptionPem();
-        const cert = new crypto.X509Certificate(certPem);
+        const cert = new crypto2.X509Certificate(certPem);
         const publicKey = cert.publicKey;
         if (publicKey.asymmetricKeyType === "rsa") {
           return this.encryptRsaOaep(certPem, plaintext);
@@ -1844,9 +1924,26 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       /** Compute SHA-256 hash (base64) and byte length. */
       getFileMetadata(file) {
-        const hash = crypto.createHash("sha256").update(file).digest("base64");
+        const hash = crypto2.createHash("sha256").update(file).digest("base64");
         return { hashSHA: hash, fileSize: file.length };
       }
+      /** Compute SHA-256 hash (base64) and byte length from a ReadableStream. */
+      async getFileMetadataFromStream(stream) {
+        const hash = crypto2.createHash("sha256");
+        let fileSize = 0;
+        const reader = stream.getReader();
+        try {
+          for (; ; ) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            hash.update(value);
+            fileSize += value.byteLength;
+          }
+        } finally {
+          reader.releaseLock();
+        }
+        return { hashSHA: hash.digest("base64"), fileSize };
+      }
       // ---------------------------------------------------------------------------
       // CSR generation
       // ---------------------------------------------------------------------------
@@ -1859,7 +1956,7 @@ var init_cryptography_service = __esm({
           publicExponent: new Uint8Array([1, 0, 1]),
           modulusLength: 2048
         };
-        const keys = await crypto.webcrypto.subtle.generateKey(
+        const keys = await crypto2.webcrypto.subtle.generateKey(
           algorithm,
           true,
           ["sign", "verify"]
@@ -1870,7 +1967,7 @@ var init_cryptography_service = __esm({
           signingAlgorithm: algorithm
         });
         const csrDer = new Uint8Array(csr.rawData);
-        const pkcs8 = await crypto.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+        const pkcs8 = await crypto2.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
         const privateKeyPem = pemEncode(new Uint8Array(pkcs8), "PRIVATE KEY");
         return { csrDer, privateKeyPem };
       }
@@ -1881,7 +1978,7 @@ var init_cryptography_service = __esm({
           name: "ECDSA",
           namedCurve: "P-256"
         };
-        const keys = await crypto.webcrypto.subtle.generateKey(
+        const keys = await crypto2.webcrypto.subtle.generateKey(
           algorithm,
           true,
           ["sign", "verify"]
@@ -1892,7 +1989,7 @@ var init_cryptography_service = __esm({
           signingAlgorithm: { name: "ECDSA", hash: "SHA-256" }
         });
         const csrDer = new Uint8Array(csr.rawData);
-        const pkcs8 = await crypto.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+        const pkcs8 = await crypto2.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
         const privateKeyPem = pemEncode(new Uint8Array(pkcs8), "PRIVATE KEY");
         return { csrDer, privateKeyPem };
       }
@@ -1901,7 +1998,7 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       /** Parse a PEM-encoded private key into a Node.js KeyObject. */
       parsePrivateKey(pem) {
-        return crypto.createPrivateKey(pem);
+        return crypto2.createPrivateKey(pem);
       }
       // ---------------------------------------------------------------------------
       // Private helpers
@@ -1909,11 +2006,11 @@ var init_cryptography_service = __esm({
       /** RSA-OAEP SHA-256 encryption. */
       encryptRsaOaep(certPem, plaintext) {
         return new Uint8Array(
-          crypto.publicEncrypt(
+          crypto2.publicEncrypt(
             {
               key: certPem,
               oaepHash: "sha256",
-              padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
+              padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
             },
             plaintext
           )
@@ -1930,15 +2027,15 @@ var init_cryptography_service = __esm({
        *    (Java-compatible — GCM appends the 16-byte tag to the ciphertext).
        */
       encryptEcdhAesGcm(receiverPublicKey, plaintext) {
-        const { privateKey: ephPrivKey, publicKey: ephPubKey } = crypto.generateKeyPairSync("ec", {
+        const { privateKey: ephPrivKey, publicKey: ephPubKey } = crypto2.generateKeyPairSync("ec", {
           namedCurve: "prime256v1"
         });
-        const sharedSecret = crypto.diffieHellman({
+        const sharedSecret = crypto2.diffieHellman({
           privateKey: ephPrivKey,
           publicKey: receiverPublicKey
         });
-        const nonce = crypto.randomBytes(12);
-        const cipher = crypto.createCipheriv("aes-256-gcm", sharedSecret, nonce);
+        const nonce = crypto2.randomBytes(12);
+        const cipher = crypto2.createCipheriv("aes-256-gcm", sharedSecret, nonce);
         const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
         const tag = cipher.getAuthTag();
         const ephemeralSpki = ephPubKey.export({ type: "spki", format: "der" });
@@ -6489,7 +6586,7 @@ var signature_service_exports = {};
 __export(signature_service_exports, {
   SignatureService: () => SignatureService
 });
-import * as crypto2 from "crypto";
+import * as crypto3 from "crypto";
 import { ExclusiveCanonicalization } from "xml-crypto";
 function extractDerFromPem(pem) {
   const base64 = pem.replace(/-----BEGIN [A-Z\s]+-----/g, "").replace(/-----END [A-Z\s]+-----/g, "").replace(/\s+/g, "");
@@ -6508,7 +6605,7 @@ function canonicalize(elem) {
 function computeRootDigest(doc) {
   const root = doc.documentElement;
   const canonical = canonicalize(root);
-  return crypto2.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
   const parser = new import_xmldom.DOMParser();
@@ -6518,7 +6615,7 @@ function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
     throw new Error("SignedProperties element not found in QualifyingProperties");
   }
   const canonical = canonicalize(signedProps);
-  return crypto2.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest) {
   return [
@@ -6549,12 +6646,12 @@ function computeSignatureValue(canonicalSignedInfo, privateKeyPem, isEc) {
   const data = Buffer.from(canonicalSignedInfo, "utf-8");
   let signature;
   if (isEc) {
-    signature = crypto2.sign("sha256", data, {
+    signature = crypto3.sign("sha256", data, {
       key: privateKeyPem,
       dsaEncoding: "ieee-p1363"
     });
   } else {
-    signature = crypto2.sign("sha256", data, privateKeyPem);
+    signature = crypto3.sign("sha256", data, privateKeyPem);
   }
   return signature.toString("base64");
 }
@@ -6654,11 +6751,11 @@ var init_signature_service = __esm({
         }
         const certDer = extractDerFromPem(certPem);
         const certBase64 = certDer.toString("base64");
-        const certDigest = crypto2.createHash("sha256").update(certDer).digest("base64");
-        const x5093 = new crypto2.X509Certificate(certPem);
+        const certDigest = crypto3.createHash("sha256").update(certDer).digest("base64");
+        const x5093 = new crypto3.X509Certificate(certPem);
         const issuerName = normalizeIssuerDn(x5093.issuer);
         const serialNumber = hexSerialToDecimal(x5093.serialNumber);
-        const privateKey = crypto2.createPrivateKey(privateKeyPem);
+        const privateKey = crypto3.createPrivateKey(privateKeyPem);
         const isEc = privateKey.asymmetricKeyType === "ec";
         const signatureAlgorithm = isEc ? ECDSA_SHA256_SIGNATURE : RSA_SHA256_SIGNATURE;
         const signingTime = new Date(Date.now() + CLOCK_SKEW_BUFFER_MS).toISOString();
@@ -6761,8 +6858,34 @@ var init_pkcs12_loader = __esm({
   }
 });
 
+// src/crypto/auth-xml-builder.ts
+function buildUnsignedAuthTokenRequestXml(options) {
+  const { challenge, contextIdentifier, subjectIdentifierType = "certificateSubject" } = options;
+  const identifierElement = `<${contextIdentifier.type}>${xmlEscape(contextIdentifier.value)}</${contextIdentifier.type}>`;
+  return [
+    '<?xml version="1.0" encoding="utf-8"?>',
+    `<AuthTokenRequest xmlns="${AUTH_TOKEN_REQUEST_NS}">`,
+    `<Challenge>${xmlEscape(challenge)}</Challenge>`,
+    `<ContextIdentifier>`,
+    identifierElement,
+    `</ContextIdentifier>`,
+    `<SubjectIdentifierType>${xmlEscape(subjectIdentifierType)}</SubjectIdentifierType>`,
+    `</AuthTokenRequest>`
+  ].join("");
+}
+function xmlEscape(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+var AUTH_TOKEN_REQUEST_NS;
+var init_auth_xml_builder = __esm({
+  "src/crypto/auth-xml-builder.ts"() {
+    "use strict";
+    AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
+  }
+});
+
 // src/qr/verification-link-service.ts
-import crypto4 from "crypto";
+import crypto5 from "crypto";
 var VerificationLinkService;
 var init_verification_link_service = __esm({
   "src/qr/verification-link-service.ts"() {
@@ -6792,16 +6915,16 @@ var init_verification_link_service = __esm({
         const hashBase64Url = this.base64ToBase64Url(invoiceHashBase64);
         const pathWithoutSignature = `${this.baseQrUrl}/certificate/${contextType}/${contextId}/${sellerNip}/${certSerial}/${hashBase64Url}`;
         const dataToSign = pathWithoutSignature.replace(/^https?:\/\//, "");
-        const key = crypto4.createPrivateKey(privateKeyPem);
+        const key = crypto5.createPrivateKey(privateKeyPem);
         let signature;
         if (key.asymmetricKeyType === "rsa") {
-          signature = crypto4.sign("sha256", Buffer.from(dataToSign), {
+          signature = crypto5.sign("sha256", Buffer.from(dataToSign), {
             key,
-            padding: crypto4.constants.RSA_PKCS1_PSS_PADDING,
+            padding: crypto5.constants.RSA_PKCS1_PSS_PADDING,
             saltLength: 32
           });
         } else if (key.asymmetricKeyType === "ec") {
-          signature = crypto4.sign("sha256", Buffer.from(dataToSign), {
+          signature = crypto5.sign("sha256", Buffer.from(dataToSign), {
             key,
             dsaEncoding: "ieee-p1363"
           });
@@ -6825,19 +6948,11 @@ __export(client_exports, {
   buildAuthTokenRequestXml: () => buildAuthTokenRequestXml
 });
 function buildAuthTokenRequestXml(challenge, nip, subjectIdentifierType = "certificateSubject") {
-  return [
-    '<?xml version="1.0" encoding="utf-8"?>',
-    `<AuthTokenRequest xmlns="${AUTH_TOKEN_REQUEST_NS}">`,
-    `<Challenge>${xmlEscape(challenge)}</Challenge>`,
-    `<ContextIdentifier>`,
-    `<Nip>${xmlEscape(nip)}</Nip>`,
-    `</ContextIdentifier>`,
-    `<SubjectIdentifierType>${xmlEscape(subjectIdentifierType)}</SubjectIdentifierType>`,
-    `</AuthTokenRequest>`
-  ].join("");
-}
-function xmlEscape(str) {
-  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+  return buildUnsignedAuthTokenRequestXml({
+    challenge,
+    contextIdentifier: { type: "Nip", value: nip },
+    subjectIdentifierType
+  });
 }
 function buildRestClientConfig(options, authManager) {
   const config = { authManager };
@@ -6864,7 +6979,7 @@ function buildRestClientConfig(options, authManager) {
   }
   return config;
 }
-var KSeFClient, AUTH_TOKEN_REQUEST_NS;
+var KSeFClient;
 var init_client = __esm({
   "src/client.ts"() {
     "use strict";
@@ -6890,6 +7005,7 @@ var init_client = __esm({
     init_certificate_fetcher();
     init_cryptography_service();
     init_verification_link_service();
+    init_auth_xml_builder();
     KSeFClient = class {
       auth;
       activeSessions;
@@ -6933,7 +7049,7 @@ var init_client = __esm({
         this.lighthouse = new LighthouseService(this.options);
         this.limits = new LimitsService(restClient);
         this.peppol = new PeppolService(restClient);
-        this.testData = new TestDataService(restClient);
+        this.testData = new TestDataService(restClient, this.options.environmentName);
         this.qr = new VerificationLinkService(this.options.baseQrUrl);
       }
       async loginWithToken(token, nip) {
@@ -6983,7 +7099,6 @@ var init_client = __esm({
         this.authManager.setRefreshToken(void 0);
       }
     };
-    AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
   }
 });
 
@@ -7117,6 +7232,65 @@ var SUBUNIT_NAME_MAX_LENGTH = 256;
 var PERMISSION_DESCRIPTION_MIN_LENGTH = 5;
 var PERMISSION_DESCRIPTION_MAX_LENGTH = 256;
 
+// src/models/document-structures/types.ts
+var SystemCode = {
+  FA_2: "FA (2)",
+  FA_3: "FA (3)",
+  PEF_3: "PEF (3)",
+  PEF_KOR_3: "PEF_KOR (3)",
+  FA_RR_1: "FA_RR (1)"
+};
+var FORM_CODES = {
+  FA_2: { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" },
+  FA_3: { systemCode: "FA (3)", schemaVersion: "1-0E", value: "FA" },
+  PEF_3: { systemCode: "PEF (3)", schemaVersion: "2-1", value: "PEF" },
+  PEF_KOR_3: { systemCode: "PEF_KOR (3)", schemaVersion: "2-1", value: "PEF" },
+  FA_RR_1_LEGACY: { systemCode: "FA_RR (1)", schemaVersion: "1-0E", value: "RR" },
+  FA_RR_1_TRANSITION: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "RR" },
+  FA_RR_1: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "FA_RR" }
+};
+var INVOICE_TYPES_BY_SYSTEM_CODE = {
+  [SystemCode.FA_2]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
+  [SystemCode.FA_3]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
+  [SystemCode.PEF_3]: ["VatPef", "VatPefSp", "KorPef"],
+  [SystemCode.PEF_KOR_3]: ["KorPef"],
+  [SystemCode.FA_RR_1]: ["VatRr", "KorVatRr"]
+};
+var FORM_CODE_KEYS = {
+  FA2: FORM_CODES.FA_2,
+  FA3: FORM_CODES.FA_3,
+  PEF3: FORM_CODES.PEF_3,
+  PEFKOR3: FORM_CODES.PEF_KOR_3,
+  FARR1: FORM_CODES.FA_RR_1
+};
+
+// src/models/document-structures/helpers.ts
+var SYSTEM_CODE_TO_FORM_CODE = {
+  [SystemCode.FA_2]: FORM_CODES.FA_2,
+  [SystemCode.FA_3]: FORM_CODES.FA_3,
+  [SystemCode.PEF_3]: FORM_CODES.PEF_3,
+  [SystemCode.PEF_KOR_3]: FORM_CODES.PEF_KOR_3,
+  [SystemCode.FA_RR_1]: FORM_CODES.FA_RR_1
+};
+var ALL_FORM_CODES = Object.values(FORM_CODES);
+var BATCH_DISALLOWED_SYSTEM_CODES = /* @__PURE__ */ new Set([
+  SystemCode.PEF_3,
+  SystemCode.PEF_KOR_3
+]);
+function getFormCode(systemCode) {
+  return SYSTEM_CODE_TO_FORM_CODE[systemCode];
+}
+function parseFormCode(raw) {
+  const match = ALL_FORM_CODES.find(
+    (fc) => fc.systemCode === raw.systemCode && fc.schemaVersion === raw.schemaVersion && fc.value === raw.value
+  );
+  return match ?? raw;
+}
+function validateFormCodeForSession(formCode, sessionType) {
+  if (sessionType === "online") return true;
+  return !BATCH_DISALLOWED_SYSTEM_CODES.has(formCode.systemCode);
+}
+
 // src/services/index.ts
 init_auth();
 init_active_sessions();
@@ -7480,18 +7654,188 @@ var AuthorizationPermissionGrantBuilder = class {
   }
 };
 
+// src/builders/batch-file.ts
+init_ksef_validation_error();
+import * as crypto from "crypto";
+var BATCH_MAX_PART_SIZE = 1e8;
+var BATCH_MAX_TOTAL_SIZE = 5e9;
+var BATCH_MAX_PARTS = 50;
+var BatchFileBuilder = class {
+  /**
+   * Build batch file metadata and encrypted parts from a raw ZIP.
+   *
+   * @param zipBytes - Unencrypted ZIP data
+   * @param encryptFn - AES-256-CBC encryption function (called per part)
+   * @param options - Optional configuration
+   */
+  static build(zipBytes, encryptFn, options) {
+    const maxPartSize = options?.maxPartSize ?? BATCH_MAX_PART_SIZE;
+    if (maxPartSize <= 0) {
+      throw new KSeFValidationError("maxPartSize must be a positive number");
+    }
+    if (zipBytes.length === 0) {
+      throw new KSeFValidationError("ZIP data must not be empty");
+    }
+    if (zipBytes.length > BATCH_MAX_TOTAL_SIZE) {
+      throw new KSeFValidationError(
+        `ZIP size ${zipBytes.length} exceeds maximum of ${BATCH_MAX_TOTAL_SIZE} bytes (5 GB)`
+      );
+    }
+    const rawParts = splitBuffer(zipBytes, maxPartSize);
+    if (rawParts.length > BATCH_MAX_PARTS) {
+      throw new KSeFValidationError(
+        `Data requires ${rawParts.length} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
+      );
+    }
+    const zipHash = sha256Base64(zipBytes);
+    const encryptedParts = [];
+    const fileParts = rawParts.map((raw, i) => {
+      const encrypted = encryptFn(raw);
+      encryptedParts.push(encrypted);
+      return {
+        ordinalNumber: i + 1,
+        fileSize: encrypted.length,
+        fileHash: sha256Base64(encrypted)
+      };
+    });
+    return {
+      batchFile: {
+        fileSize: zipBytes.length,
+        fileHash: zipHash,
+        fileParts
+      },
+      encryptedParts
+    };
+  }
+  /**
+   * Stream-based variant: two-pass build from a stream factory.
+   *
+   * Pass 1: consume stream to compute ZIP hash.
+   * Pass 2: re-create stream, split into parts, encrypt each, compute per-part metadata.
+   *
+   * @param zipStreamFactory - Factory that creates a fresh ReadableStream of the ZIP data
+   * @param zipSize - Total ZIP byte size (from fs.stat or known in advance)
+   * @param encryptStreamFn - Stream-to-stream AES-256-CBC encryption function
+   * @param hashStreamFn - Stream-to-FileMetadata hashing function
+   * @param options - Optional configuration
+   */
+  static async buildFromStream(zipStreamFactory, zipSize, encryptStreamFn, hashStreamFn, options) {
+    const maxPartSize = options?.maxPartSize ?? BATCH_MAX_PART_SIZE;
+    if (maxPartSize <= 0) {
+      throw new KSeFValidationError("maxPartSize must be a positive number");
+    }
+    if (zipSize === 0) {
+      throw new KSeFValidationError("ZIP data must not be empty");
+    }
+    if (zipSize > BATCH_MAX_TOTAL_SIZE) {
+      throw new KSeFValidationError(
+        `ZIP size ${zipSize} exceeds maximum of ${BATCH_MAX_TOTAL_SIZE} bytes (5 GB)`
+      );
+    }
+    const partCount = Math.ceil(zipSize / maxPartSize);
+    if (partCount > BATCH_MAX_PARTS) {
+      throw new KSeFValidationError(
+        `Data requires ${partCount} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
+      );
+    }
+    const zipMeta = await hashStreamFn(zipStreamFactory());
+    const fileParts = [];
+    const streamParts = [];
+    const reader = zipStreamFactory().getReader();
+    let pending = [];
+    let pendingSize = 0;
+    for (let partIndex = 0; partIndex < partCount; partIndex++) {
+      const isLastPart = partIndex === partCount - 1;
+      const targetSize = isLastPart ? zipSize - partIndex * maxPartSize : maxPartSize;
+      while (pendingSize < targetSize) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        pending.push(value);
+        pendingSize += value.byteLength;
+      }
+      const buffer = new Uint8Array(Buffer.concat(pending));
+      const partData = buffer.subarray(0, targetSize);
+      if (buffer.byteLength > targetSize) {
+        const remainder = buffer.subarray(targetSize);
+        pending = [remainder];
+        pendingSize = remainder.byteLength;
+      } else {
+        pending = [];
+        pendingSize = 0;
+      }
+      const partStream = new ReadableStream({
+        start(controller) {
+          controller.enqueue(partData);
+          controller.close();
+        }
+      });
+      const encryptedStream = encryptStreamFn(partStream);
+      const encryptedChunks = [];
+      const encReader = encryptedStream.getReader();
+      for (; ; ) {
+        const { done, value } = await encReader.read();
+        if (done) break;
+        encryptedChunks.push(value);
+      }
+      const encryptedData = new Uint8Array(Buffer.concat(encryptedChunks));
+      const encryptedMeta = sha256Base64(encryptedData);
+      fileParts.push({
+        ordinalNumber: partIndex + 1,
+        fileSize: encryptedData.byteLength,
+        fileHash: encryptedMeta
+      });
+      const uploadStream = new ReadableStream({
+        start(controller) {
+          controller.enqueue(encryptedData);
+          controller.close();
+        }
+      });
+      streamParts.push({
+        dataStream: uploadStream,
+        metadata: {
+          hashSHA: encryptedMeta,
+          fileSize: encryptedData.byteLength
+        },
+        ordinalNumber: partIndex + 1
+      });
+    }
+    reader.releaseLock();
+    return {
+      batchFile: {
+        fileSize: zipSize,
+        fileHash: zipMeta.hashSHA,
+        fileParts
+      },
+      streamParts
+    };
+  }
+};
+function splitBuffer(data, maxPartSize) {
+  if (data.length <= maxPartSize) {
+    return [data];
+  }
+  const parts = [];
+  for (let offset = 0; offset < data.length; offset += maxPartSize) {
+    parts.push(data.subarray(offset, Math.min(offset + maxPartSize, data.length)));
+  }
+  return parts;
+}
+function sha256Base64(data) {
+  return crypto.createHash("sha256").update(data).digest("base64");
+}
+
 // src/crypto/index.ts
 init_certificate_fetcher();
 init_cryptography_service();
 init_signature_service();
 
 // src/crypto/certificate-service.ts
-import * as crypto3 from "crypto";
+import * as crypto4 from "crypto";
 import * as x5092 from "@peculiar/x509";
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
     const der = extractDerFromPem2(certPem);
-    return crypto3.createHash("sha256").update(der).digest("hex").toUpperCase();
+    return crypto4.createHash("sha256").update(der).digest("hex").toUpperCase();
   }
   static async generatePersonalCertificate(givenName, surname, serialNumber, commonName, method = "RSA") {
     const nameParts = [];
@@ -7514,7 +7858,7 @@ var CertificateService = class {
   }
 };
 async function generateSelfSigned(subject, method) {
-  x5092.cryptoProvider.set(crypto3.webcrypto);
+  x5092.cryptoProvider.set(crypto4.webcrypto);
   let algorithm;
   let signingAlgorithm;
   if (method === "ECDSA") {
@@ -7529,7 +7873,7 @@ async function generateSelfSigned(subject, method) {
     };
     signingAlgorithm = algorithm;
   }
-  const keys = await crypto3.webcrypto.subtle.generateKey(
+  const keys = await crypto4.webcrypto.subtle.generateKey(
     algorithm,
     true,
     ["sign", "verify"]
@@ -7546,9 +7890,9 @@ async function generateSelfSigned(subject, method) {
     serialNumber: Date.now().toString(16)
   });
   const certPem = cert.toString("pem");
-  const pkcs8 = await crypto3.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+  const pkcs8 = await crypto4.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
   const privateKeyPem = pemEncode2(new Uint8Array(pkcs8), "PRIVATE KEY");
-  const fingerprint = crypto3.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
+  const fingerprint = crypto4.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
   return { certificatePem: certPem, privateKeyPem, fingerprint };
 }
 function extractDerFromPem2(pem) {
@@ -7568,6 +7912,7 @@ ${lines.join("\n")}
 
 // src/crypto/index.ts
 init_pkcs12_loader();
+init_auth_xml_builder();
 
 // src/qr/index.ts
 init_verification_link_service();
@@ -7631,6 +7976,94 @@ function escapeXml2(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
 }
 
+// src/utils/zip.ts
+import { ZipFile } from "yazl";
+import { fromBuffer } from "yauzl";
+var DEFAULT_UNZIP_OPTIONS = {
+  maxFiles: 1e4,
+  maxTotalUncompressedSize: 2e9,
+  maxFileUncompressedSize: 5e8,
+  maxCompressionRatio: 200
+};
+async function createZip(entries) {
+  return new Promise((resolve, reject) => {
+    const zipfile = new ZipFile();
+    for (const entry of entries) {
+      zipfile.addBuffer(Buffer.from(entry.content), entry.fileName);
+    }
+    const chunks = [];
+    zipfile.outputStream.on("data", (chunk) => chunks.push(chunk));
+    zipfile.outputStream.on("error", (err) => reject(err));
+    zipfile.outputStream.on("end", () => resolve(Buffer.concat(chunks)));
+    zipfile.end();
+  });
+}
+async function unzip(buffer, options = {}) {
+  const limits = { ...DEFAULT_UNZIP_OPTIONS, ...options };
+  return new Promise((resolve, reject) => {
+    fromBuffer(buffer, { lazyEntries: true }, (err, zipfile) => {
+      if (err || !zipfile) {
+        reject(err ?? new Error("Failed to open zip buffer"));
+        return;
+      }
+      const files = /* @__PURE__ */ new Map();
+      let totalUncompressed = 0;
+      zipfile.readEntry();
+      zipfile.on("entry", (entry) => {
+        if (entry.fileName.endsWith("/")) {
+          zipfile.readEntry();
+          return;
+        }
+        if (limits.maxFiles > 0 && files.size >= limits.maxFiles) {
+          reject(new Error("zip contains too many files"));
+          return;
+        }
+        const uncompressedSize = entry.uncompressedSize ?? 0;
+        const compressedSize = entry.compressedSize ?? 0;
+        if (limits.maxFileUncompressedSize > 0 && uncompressedSize > limits.maxFileUncompressedSize) {
+          reject(new Error("zip entry exceeds max_file_uncompressed_size"));
+          return;
+        }
+        if (limits.maxTotalUncompressedSize > 0) {
+          totalUncompressed += uncompressedSize;
+          if (totalUncompressed > limits.maxTotalUncompressedSize) {
+            reject(new Error("zip exceeds max_total_uncompressed_size"));
+            return;
+          }
+        }
+        if (limits.maxCompressionRatio !== null) {
+          if (compressedSize === 0 && uncompressedSize > 0) {
+            reject(new Error("zip entry has suspicious compression metadata"));
+            return;
+          }
+          if (compressedSize > 0 && uncompressedSize > 0) {
+            const ratio = uncompressedSize / compressedSize;
+            if (ratio > limits.maxCompressionRatio) {
+              reject(new Error("zip entry exceeds max_compression_ratio"));
+              return;
+            }
+          }
+        }
+        zipfile.openReadStream(entry, (streamErr, stream) => {
+          if (streamErr || !stream) {
+            reject(streamErr ?? new Error("Failed to read zip entry"));
+            return;
+          }
+          const chunks = [];
+          stream.on("data", (chunk) => chunks.push(chunk));
+          stream.on("error", (streamError) => reject(streamError));
+          stream.on("end", () => {
+            files.set(entry.fileName, Buffer.concat(chunks));
+            zipfile.readEntry();
+          });
+        });
+      });
+      zipfile.on("end", () => resolve(files));
+      zipfile.on("error", (zipErr) => reject(zipErr));
+    });
+  });
+}
+
 // src/workflows/polling.ts
 async function pollUntil(action, condition, options) {
   const intervalMs = options?.intervalMs ?? 2e3;
@@ -7648,17 +8081,150 @@ async function pollUntil(action, condition, options) {
   );
 }
 
+// src/xml/upo-parser.ts
+init_ksef_validation_error();
+import { XMLParser } from "fast-xml-parser";
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function requireRecord(value, at) {
+  if (!isRecord(value)) {
+    throw KSeFValidationError.fromField(at, `Expected object at ${at}`);
+  }
+  return value;
+}
+function requireString(value, at) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw KSeFValidationError.fromField(at, `Expected non-empty string at ${at}`);
+  }
+  return value;
+}
+function optionalRecord(value) {
+  return isRecord(value) ? value : void 0;
+}
+function optionalString(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function requireNumberFromString(value, at) {
+  const raw = requireString(value, at);
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed)) {
+    throw KSeFValidationError.fromField(at, `Expected integer at ${at}, got "${raw}"`);
+  }
+  return parsed;
+}
+function ensureArray(value) {
+  if (value == null) return [];
+  return Array.isArray(value) ? value : [value];
+}
+function parseIdKontekstu(obj) {
+  const nip = optionalString(obj.Nip);
+  if (nip) return { kind: "Nip", nip };
+  const idWewnetrzny = optionalString(obj.IdWewnetrzny);
+  if (idWewnetrzny) return { kind: "IdWewnetrzny", idWewnetrzny };
+  const idZlozonyVatUE = optionalString(obj.IdZlozonyVatUE);
+  if (idZlozonyVatUE) return { kind: "IdZlozonyVatUE", idZlozonyVatUE };
+  const idDostawcyUslugPeppol = optionalString(obj.IdDostawcyUslugPeppol);
+  if (idDostawcyUslugPeppol) return { kind: "IdDostawcyUslugPeppol", idDostawcyUslugPeppol };
+  throw KSeFValidationError.fromField(
+    "Uwierzytelnienie.IdKontekstu",
+    "Unsupported context identifier. Expected Nip | IdWewnetrzny | IdZlozonyVatUE | IdDostawcyUslugPeppol"
+  );
+}
+function parseProof(obj) {
+  const tokenRef = optionalString(obj.NumerReferencyjnyTokenaKSeF);
+  if (tokenRef) return { kind: "NumerReferencyjnyTokenaKSeF", numerReferencyjnyTokenaKSeF: tokenRef };
+  const docHash = optionalString(obj.SkrotDokumentuUwierzytelniajacego);
+  if (docHash) return { kind: "SkrotDokumentuUwierzytelniajacego", skrotDokumentuUwierzytelniajacego: docHash };
+  throw KSeFValidationError.fromField(
+    "Uwierzytelnienie",
+    "Unsupported auth proof. Expected NumerReferencyjnyTokenaKSeF | SkrotDokumentuUwierzytelniajacego"
+  );
+}
+function parseUwierzytelnienie(obj) {
+  const idKontekstu = parseIdKontekstu(
+    requireRecord(obj.IdKontekstu, "Uwierzytelnienie.IdKontekstu")
+  );
+  const proof = parseProof(obj);
+  return { idKontekstu, proof };
+}
+function parseOpisPotwierdzenia(obj) {
+  return {
+    strona: requireNumberFromString(obj.Strona, "OpisPotwierdzenia.Strona"),
+    liczbaStron: requireNumberFromString(obj.LiczbaStron, "OpisPotwierdzenia.LiczbaStron"),
+    zakresDokumentowOd: requireNumberFromString(obj.ZakresDokumentowOd, "OpisPotwierdzenia.ZakresDokumentowOd"),
+    zakresDokumentowDo: requireNumberFromString(obj.ZakresDokumentowDo, "OpisPotwierdzenia.ZakresDokumentowDo"),
+    calkowitaLiczbaDokumentow: requireNumberFromString(obj.CalkowitaLiczbaDokumentow, "OpisPotwierdzenia.CalkowitaLiczbaDokumentow")
+  };
+}
+function parseDokument(obj) {
+  return {
+    nipSprzedawcy: requireString(obj.NipSprzedawcy, "Dokument.NipSprzedawcy"),
+    numerKSeFDokumentu: requireString(obj.NumerKSeFDokumentu, "Dokument.NumerKSeFDokumentu"),
+    numerFaktury: requireString(obj.NumerFaktury, "Dokument.NumerFaktury"),
+    dataWystawieniaFaktury: requireString(obj.DataWystawieniaFaktury, "Dokument.DataWystawieniaFaktury"),
+    dataPrzeslaniaDokumentu: requireString(obj.DataPrzeslaniaDokumentu, "Dokument.DataPrzeslaniaDokumentu"),
+    dataNadaniaNumeruKSeF: requireString(obj.DataNadaniaNumeruKSeF, "Dokument.DataNadaniaNumeruKSeF"),
+    skrotDokumentu: requireString(obj.SkrotDokumentu, "Dokument.SkrotDokumentu"),
+    trybWysylki: requireString(obj.TrybWysylki, "Dokument.TrybWysylki")
+  };
+}
+var upoParser = new XMLParser({
+  ignoreAttributes: false,
+  attributeNamePrefix: "@_",
+  parseTagValue: false,
+  parseAttributeValue: false,
+  removeNSPrefix: true,
+  trimValues: false
+});
+function parseUpoXml(xml) {
+  const text = Buffer.isBuffer(xml) ? xml.toString("utf8") : xml;
+  const parsed = upoParser.parse(text);
+  const potwierdzenie = requireRecord(parsed?.Potwierdzenie, "Potwierdzenie");
+  const opisPotwierdzenia = optionalRecord(potwierdzenie.OpisPotwierdzenia);
+  const dokumenty = ensureArray(potwierdzenie.Dokument).map(
+    (doc, i) => parseDokument(requireRecord(doc, `Dokument[${i}]`))
+  );
+  if (dokumenty.length === 0) {
+    throw KSeFValidationError.fromField("Dokument", "Expected at least one Dokument in UPO");
+  }
+  return {
+    nazwaPodmiotuPrzyjmujacego: requireString(potwierdzenie.NazwaPodmiotuPrzyjmujacego, "NazwaPodmiotuPrzyjmujacego"),
+    numerReferencyjnySesji: requireString(potwierdzenie.NumerReferencyjnySesji, "NumerReferencyjnySesji"),
+    uwierzytelnienie: parseUwierzytelnienie(requireRecord(potwierdzenie.Uwierzytelnienie, "Uwierzytelnienie")),
+    ...opisPotwierdzenia && { opisPotwierdzenia: parseOpisPotwierdzenia(opisPotwierdzenia) },
+    nazwaStrukturyLogicznej: requireString(potwierdzenie.NazwaStrukturyLogicznej, "NazwaStrukturyLogicznej"),
+    kodFormularza: requireString(potwierdzenie.KodFormularza, "KodFormularza"),
+    dokumenty
+  };
+}
+
 // src/workflows/online-session-workflow.ts
-var DEFAULT_FORM_CODE = { systemCode: "FA", schemaVersion: "3", value: "FA (3)" };
 async function openOnlineSession(client, options) {
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
-  const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
+  const formCode = options?.formCode ?? FORM_CODES.FA_2;
   const openResp = await client.onlineSession.openSession(
     { formCode, encryption: encData.encryptionInfo },
     options?.upoVersion
   );
   const sessionRef = openResp.referenceNumber;
+  async function fetchUpo(pollOpts) {
+    const result = await pollUntil(
+      () => client.sessionStatus.getSessionStatus(sessionRef),
+      (s) => s.status.code === 200 || s.status.code >= 400,
+      { ...pollOpts, description: `UPO for session ${sessionRef}` }
+    );
+    if (result.status.code !== 200) {
+      throw new Error(`Session failed: ${result.status.code} \u2014 ${result.status.description}`);
+    }
+    return {
+      pages: result.upo?.pages ?? [],
+      invoiceCount: result.invoiceCount,
+      successfulInvoiceCount: result.successfulInvoiceCount,
+      failedInvoiceCount: result.failedInvoiceCount
+    };
+  }
   return {
     sessionRef,
     validUntil: openResp.validUntil,
@@ -7680,20 +8246,16 @@ async function openOnlineSession(client, options) {
       await client.onlineSession.closeSession(sessionRef);
     },
     async waitForUpo(pollOpts) {
-      const result = await pollUntil(
-        () => client.sessionStatus.getSessionStatus(sessionRef),
-        (s) => s.status.code !== 100,
-        { ...pollOpts, description: `UPO for session ${sessionRef}` }
-      );
-      if (result.status.code !== 200) {
-        throw new Error(`Session failed: ${result.status.code} \u2014 ${result.status.description}`);
-      }
-      return {
-        pages: result.upo?.pages ?? [],
-        invoiceCount: result.invoiceCount,
-        successfulInvoiceCount: result.successfulInvoiceCount,
-        failedInvoiceCount: result.failedInvoiceCount
-      };
+      return fetchUpo(pollOpts);
+    },
+    async waitForUpoParsed(pollOpts) {
+      const upoInfo = await fetchUpo(pollOpts);
+      const parsed = [];
+      for (const page of upoInfo.pages) {
+        const result = await client.sessionStatus.getSessionUpo(sessionRef, page.referenceNumber);
+        parsed.push(parseUpoXml(result.upo));
+      }
+      return { ...upoInfo, parsed };
     }
   };
 }
@@ -7707,32 +8269,36 @@ async function openSendAndClose(client, invoices, options) {
 }
 
 // src/workflows/batch-session-workflow.ts
-var DEFAULT_FORM_CODE2 = { systemCode: "FA", schemaVersion: "3", value: "FA (3)" };
-async function uploadBatch(client, zipParts, totalFileSize, totalFileHash, options) {
+async function uploadBatch(client, zipData, options) {
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
-  const formCode = options?.formCode ?? DEFAULT_FORM_CODE2;
-  const fileParts = zipParts.map((part, i) => {
-    const meta = client.crypto.getFileMetadata(new Uint8Array(part.data));
-    return { ordinalNumber: i + 1, fileSize: meta.fileSize, fileHash: meta.hashSHA };
+  const formCode = options?.formCode ?? FORM_CODES.FA_2;
+  const encryptFn = (part) => client.crypto.encryptAES256(part, encData.cipherKey, encData.cipherIv);
+  const { batchFile, encryptedParts } = BatchFileBuilder.build(zipData, encryptFn, {
+    maxPartSize: options?.maxPartSize
   });
   const openResp = await client.batchSession.openSession(
     {
       formCode,
       encryption: encData.encryptionInfo,
-      batchFile: { fileSize: totalFileSize, fileHash: totalFileHash, fileParts }
+      batchFile,
+      offlineMode: options?.offlineMode
     },
     options?.upoVersion
   );
-  const sendingParts = zipParts.map((part, i) => {
-    const meta = client.crypto.getFileMetadata(new Uint8Array(part.data));
-    return { data: part.data, metadata: meta, ordinalNumber: i + 1 };
-  });
+  const sendingParts = encryptedParts.map((part, i) => ({
+    data: part.buffer.slice(part.byteOffset, part.byteOffset + part.byteLength),
+    metadata: {
+      hashSHA: batchFile.fileParts[i].fileHash,
+      fileSize: batchFile.fileParts[i].fileSize
+    },
+    ordinalNumber: i + 1
+  }));
   await client.batchSession.sendParts(openResp, sendingParts);
   await client.batchSession.closeSession(openResp.referenceNumber);
   const result = await pollUntil(
     () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
-    (s) => s.status.code !== 100,
+    (s) => s.status.code === 200 || s.status.code >= 400,
     { ...options?.pollOptions, description: `UPO for batch ${openResp.referenceNumber}` }
   );
   if (result.status.code !== 200) {
@@ -7748,9 +8314,75 @@ async function uploadBatch(client, zipParts, totalFileSize, totalFileHash, optio
     }
   };
 }
+async function uploadBatchStream(client, zipStreamFactory, zipSize, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const formCode = options?.formCode ?? FORM_CODES.FA_2;
+  const encryptStreamFn = (stream) => client.crypto.encryptAES256Stream(stream, encData.cipherKey, encData.cipherIv);
+  const hashStreamFn = (stream) => client.crypto.getFileMetadataFromStream(stream);
+  const { batchFile, streamParts } = await BatchFileBuilder.buildFromStream(
+    zipStreamFactory,
+    zipSize,
+    encryptStreamFn,
+    hashStreamFn,
+    { maxPartSize: options?.maxPartSize }
+  );
+  const openResp = await client.batchSession.openSession(
+    {
+      formCode,
+      encryption: encData.encryptionInfo,
+      batchFile,
+      offlineMode: options?.offlineMode
+    },
+    options?.upoVersion
+  );
+  await client.batchSession.sendPartsWithStream(openResp, streamParts);
+  await client.batchSession.closeSession(openResp.referenceNumber);
+  const result = await pollUntil(
+    () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
+    (s) => s.status.code === 200 || s.status.code >= 400,
+    { ...options?.pollOptions, description: `UPO for batch ${openResp.referenceNumber}` }
+  );
+  if (result.status.code !== 200) {
+    throw new Error(`Batch session failed: ${result.status.code} \u2014 ${result.status.description}`);
+  }
+  return {
+    sessionRef: openResp.referenceNumber,
+    upo: {
+      pages: result.upo?.pages ?? [],
+      invoiceCount: result.invoiceCount,
+      successfulInvoiceCount: result.successfulInvoiceCount,
+      failedInvoiceCount: result.failedInvoiceCount
+    }
+  };
+}
+async function uploadBatchStreamParsed(client, zipStreamFactory, zipSize, options) {
+  const result = await uploadBatchStream(client, zipStreamFactory, zipSize, options);
+  const parsed = [];
+  for (const page of result.upo.pages) {
+    const upoResult = await client.sessionStatus.getSessionUpo(result.sessionRef, page.referenceNumber);
+    parsed.push(parseUpoXml(upoResult.upo));
+  }
+  return {
+    sessionRef: result.sessionRef,
+    upo: { ...result.upo, parsed }
+  };
+}
+async function uploadBatchParsed(client, zipData, options) {
+  const result = await uploadBatch(client, zipData, options);
+  const parsed = [];
+  for (const page of result.upo.pages) {
+    const upoResult = await client.sessionStatus.getSessionUpo(result.sessionRef, page.referenceNumber);
+    parsed.push(parseUpoXml(upoResult.upo));
+  }
+  return {
+    sessionRef: result.sessionRef,
+    upo: { ...result.upo, parsed }
+  };
+}
 
 // src/workflows/invoice-export-workflow.ts
-async function exportInvoices(client, filters, options) {
+async function doExport(client, filters, options) {
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
   const opResp = await client.invoices.exportInvoices({
@@ -7760,7 +8392,7 @@ async function exportInvoices(client, filters, options) {
   });
   const result = await pollUntil(
     () => client.invoices.getInvoiceExportStatus(opResp.referenceNumber),
-    (s) => s.status.code !== 100,
+    (s) => s.status.code === 200 || s.status.code >= 400,
     { ...options?.pollOptions, description: `export ${opResp.referenceNumber}` }
   );
   if (result.status.code !== 200) {
@@ -7770,23 +8402,31 @@ async function exportInvoices(client, filters, options) {
     throw new Error("Export completed but no package available");
   }
   return {
-    parts: result.package.parts.map((p) => ({
-      ordinalNumber: p.ordinalNumber,
-      url: p.url,
-      method: p.method,
-      partSize: p.partSize,
-      encryptedPartSize: p.encryptedPartSize,
-      encryptedPartHash: p.encryptedPartHash,
-      expirationDate: p.expirationDate
-    })),
-    invoiceCount: result.package.invoiceCount,
-    isTruncated: result.package.isTruncated,
-    permanentStorageHwmDate: result.package.permanentStorageHwmDate
+    encData,
+    referenceNumber: opResp.referenceNumber,
+    result: {
+      parts: result.package.parts.map((p) => ({
+        ordinalNumber: p.ordinalNumber,
+        url: p.url,
+        method: p.method,
+        partSize: p.partSize,
+        encryptedPartSize: p.encryptedPartSize,
+        encryptedPartHash: p.encryptedPartHash,
+        expirationDate: p.expirationDate
+      })),
+      invoiceCount: result.package.invoiceCount,
+      isTruncated: result.package.isTruncated,
+      permanentStorageHwmDate: result.package.permanentStorageHwmDate,
+      lastPermanentStorageDate: result.package.lastPermanentStorageDate
+    }
   };
 }
+async function exportInvoices(client, filters, options) {
+  const { result } = await doExport(client, filters, options);
+  return result;
+}
 async function exportAndDownload(client, filters, options) {
-  const encData = client.crypto.getEncryptionData();
-  const exportResult = await exportInvoices(client, filters, options);
+  const { result: exportResult, encData } = await doExport(client, filters, options);
   const download = options?.transport ?? fetch;
   const decryptedParts = [];
   for (const part of exportResult.parts) {
@@ -7798,13 +8438,144 @@ async function exportAndDownload(client, filters, options) {
     const decrypted = client.crypto.decryptAES256(encryptedData, encData.cipherKey, encData.cipherIv);
     decryptedParts.push(decrypted);
   }
+  if (options?.extract) {
+    const zipBuffer = Buffer.concat(decryptedParts);
+    const files = await unzip(zipBuffer, options.unzipOptions);
+    return { ...exportResult, files };
+  }
   return {
     ...exportResult,
     decryptedParts
   };
 }
 
+// src/workflows/hwm-coordinator.ts
+function updateContinuationPoint(points, subjectType, pkg) {
+  if (pkg.isTruncated && pkg.lastPermanentStorageDate) {
+    points[subjectType] = pkg.lastPermanentStorageDate;
+  } else if (pkg.permanentStorageHwmDate) {
+    points[subjectType] = pkg.permanentStorageHwmDate;
+  } else {
+    delete points[subjectType];
+  }
+}
+function getEffectiveStartDate(points, subjectType, windowFrom) {
+  return points[subjectType] ?? windowFrom;
+}
+function deduplicateByKsefNumber(entries) {
+  const seen = /* @__PURE__ */ new Set();
+  return entries.filter((entry) => {
+    const key = entry.ksefNumber.toLowerCase();
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+
+// src/workflows/incremental-export-workflow.ts
+async function incrementalExportAndDownload(client, options) {
+  const maxIterations = options.maxIterations ?? 20;
+  const points = options.continuationPoints;
+  if (options.store) {
+    const loaded = await options.store.load();
+    for (const [key, value] of Object.entries(loaded)) {
+      if (value !== void 0 && points[key] === void 0) {
+        points[key] = value;
+      }
+    }
+  }
+  const referenceNumbers = [];
+  const decryptedParts = [];
+  let previousFrom;
+  let iteration = 0;
+  for (; iteration < maxIterations; iteration++) {
+    const effectiveFrom = getEffectiveStartDate(points, options.subjectType, options.windowFrom);
+    if (previousFrom !== void 0 && effectiveFrom === previousFrom) {
+      break;
+    }
+    previousFrom = effectiveFrom;
+    const filters = options.filtersFactory ? options.filtersFactory(effectiveFrom, options.windowTo) : buildDefaultFilters(options.subjectType, effectiveFrom, options.windowTo);
+    const { result, encData, referenceNumber } = await doExport(client, filters, {
+      onlyMetadata: options.onlyMetadata,
+      pollOptions: options.pollOptions
+    });
+    referenceNumbers.push(referenceNumber);
+    const download = options.transport ?? fetch;
+    for (const part of result.parts) {
+      const resp = await download(part.url, { method: part.method });
+      if (!resp.ok) {
+        throw new Error(`Download failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+      }
+      const encryptedData = new Uint8Array(await resp.arrayBuffer());
+      const decrypted = client.crypto.decryptAES256(encryptedData, encData.cipherKey, encData.cipherIv);
+      decryptedParts.push(decrypted);
+    }
+    updateContinuationPoint(points, options.subjectType, {
+      isTruncated: result.isTruncated,
+      lastPermanentStorageDate: result.lastPermanentStorageDate,
+      permanentStorageHwmDate: result.permanentStorageHwmDate
+    });
+    if (options.store) {
+      await options.store.save(points);
+    }
+    options.onIterationComplete?.(iteration, result);
+    if (!result.isTruncated) {
+      iteration++;
+      break;
+    }
+  }
+  return {
+    referenceNumbers,
+    invoices: [],
+    decryptedParts,
+    continuationPoints: points,
+    iterationCount: iteration
+  };
+}
+function buildDefaultFilters(subjectType, from, to) {
+  return {
+    subjectType,
+    dateRange: {
+      dateType: "PermanentStorage",
+      from,
+      to
+    }
+  };
+}
+
+// src/workflows/hwm-storage.ts
+import * as fs from "fs/promises";
+var InMemoryHwmStore = class {
+  points = {};
+  async load() {
+    return { ...this.points };
+  }
+  async save(points) {
+    this.points = { ...points };
+  }
+};
+var FileHwmStore = class {
+  constructor(filePath) {
+    this.filePath = filePath;
+  }
+  async load() {
+    try {
+      const data = await fs.readFile(this.filePath, "utf-8");
+      return JSON.parse(data);
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        return {};
+      }
+      throw err;
+    }
+  }
+  async save(points) {
+    await fs.writeFile(this.filePath, JSON.stringify(points, null, 2), "utf-8");
+  }
+};
+
 // src/workflows/auth-workflow.ts
+init_auth_xml_builder();
 async function authenticateWithToken(client, options) {
   const challenge = await client.auth.getChallenge();
   await client.crypto.init();
@@ -7858,6 +8629,34 @@ async function authenticateWithCertificate(client, options) {
     refreshTokenValidUntil: tokens.refreshToken.validUntil
   };
 }
+async function authenticateWithExternalSignature(client, options) {
+  const challenge = await client.auth.getChallenge();
+  const unsignedXml = buildUnsignedAuthTokenRequestXml({
+    challenge: challenge.challenge,
+    contextIdentifier: options.contextIdentifier
+  });
+  const signedXml = await options.signXml(unsignedXml);
+  const submitResult = await client.auth.submitXadesAuthRequest(
+    signedXml,
+    options.verifyCertificateChain ?? false,
+    options.enforceXadesCompliance ?? false
+  );
+  const authToken = submitResult.authenticationToken.token;
+  await pollUntil(
+    () => client.auth.getAuthStatus(submitResult.referenceNumber, authToken),
+    (s) => s.status.code !== 100,
+    { ...options.pollOptions, description: `auth ${submitResult.referenceNumber}` }
+  );
+  const tokens = await client.auth.getAccessToken(authToken);
+  client.authManager.setAccessToken(tokens.accessToken.token);
+  client.authManager.setRefreshToken(tokens.refreshToken.token);
+  return {
+    accessToken: tokens.accessToken.token,
+    accessTokenValidUntil: tokens.accessToken.validUntil,
+    refreshToken: tokens.refreshToken.token,
+    refreshTokenValidUntil: tokens.refreshToken.validUntil
+  };
+}
 async function authenticateWithPkcs12(client, options) {
   const { Pkcs12Loader: Pkcs12Loader2 } = await Promise.resolve().then(() => (init_pkcs12_loader(), pkcs12_loader_exports));
   const { certificatePem, privateKeyPem } = Pkcs12Loader2.load(options.p12, options.password);
@@ -7879,7 +8678,11 @@ export {
   AuthService,
   AuthTokenRequestBuilder,
   AuthorizationPermissionGrantBuilder,
+  BATCH_MAX_PARTS,
+  BATCH_MAX_PART_SIZE,
+  BATCH_MAX_TOTAL_SIZE,
   Base64String,
+  BatchFileBuilder,
   BatchSessionService,
   CERTIFICATE_NAME_MAX_LENGTH,
   CERTIFICATE_NAME_MIN_LENGTH,
@@ -7893,6 +8696,11 @@ export {
   ENFORCE_XADES_COMPLIANCE,
   EntityPermissionGrantBuilder,
   Environment,
+  FORM_CODES,
+  FORM_CODE_KEYS,
+  FileHwmStore,
+  INVOICE_TYPES_BY_SYSTEM_CODE,
+  InMemoryHwmStore,
   InternalId,
   InvoiceDownloadService,
   InvoiceQueryFilterBuilder,
@@ -7938,21 +8746,29 @@ export {
   SessionStatusService,
   Sha256Base64,
   SignatureService,
+  SystemCode,
   TestDataService,
   TokenService,
   UpoVersion,
   VatUe,
   VerificationLinkService,
   authenticateWithCertificate,
+  authenticateWithExternalSignature,
   authenticateWithPkcs12,
   authenticateWithToken,
+  buildUnsignedAuthTokenRequestXml,
   calculateBackoff,
+  createZip,
+  deduplicateByKsefNumber,
   defaultPresignedUrlPolicy,
   defaultRateLimitPolicy,
   defaultRetryPolicy,
   defaultTransport,
   exportAndDownload,
   exportInvoices,
+  getEffectiveStartDate,
+  getFormCode,
+  incrementalExportAndDownload,
   isRetryableError,
   isRetryableStatus,
   isValidBase64,
@@ -7972,11 +8788,19 @@ export {
   isValidVatUe,
   openOnlineSession,
   openSendAndClose,
+  parseFormCode,
   parseRetryAfter,
+  parseUpoXml,
   pollUntil,
   resolveOptions,
   sleep,
+  unzip,
+  updateContinuationPoint,
   uploadBatch,
+  uploadBatchParsed,
+  uploadBatchStream,
+  uploadBatchStreamParsed,
+  validateFormCodeForSession,
   validatePresignedUrl
 };
 //# sourceMappingURL=index.js.map