ksef-client-ts 0.3.0 → 0.4.0

package/dist/cli.js

@@ -32,6 +32,74 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
+// src/errors/ksef-error.ts
+var KSeFError;
+var init_ksef_error = __esm({
+  "src/errors/ksef-error.ts"() {
+    "use strict";
+    KSeFError = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "KSeFError";
+      }
+    };
+  }
+});
+
+// src/errors/ksef-validation-error.ts
+var KSeFValidationError;
+var init_ksef_validation_error = __esm({
+  "src/errors/ksef-validation-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFValidationError = class _KSeFValidationError extends KSeFError {
+      details;
+      constructor(message, details = []) {
+        super(message);
+        this.name = "KSeFValidationError";
+        this.details = details;
+      }
+      static fromField(field, message) {
+        return new _KSeFValidationError(message, [{ field, message }]);
+      }
+      static fromMessages(messages2) {
+        const details = messages2.map((m) => ({ message: m }));
+        return new _KSeFValidationError(messages2.join("; "), details);
+      }
+    };
+  }
+});
+
+// src/crypto/auth-xml-builder.ts
+var auth_xml_builder_exports = {};
+__export(auth_xml_builder_exports, {
+  buildUnsignedAuthTokenRequestXml: () => buildUnsignedAuthTokenRequestXml
+});
+function buildUnsignedAuthTokenRequestXml(options) {
+  const { challenge: challenge2, contextIdentifier, subjectIdentifierType = "certificateSubject" } = options;
+  const identifierElement = `<${contextIdentifier.type}>${xmlEscape(contextIdentifier.value)}</${contextIdentifier.type}>`;
+  return [
+    '<?xml version="1.0" encoding="utf-8"?>',
+    `<AuthTokenRequest xmlns="${AUTH_TOKEN_REQUEST_NS}">`,
+    `<Challenge>${xmlEscape(challenge2)}</Challenge>`,
+    `<ContextIdentifier>`,
+    identifierElement,
+    `</ContextIdentifier>`,
+    `<SubjectIdentifierType>${xmlEscape(subjectIdentifierType)}</SubjectIdentifierType>`,
+    `</AuthTokenRequest>`
+  ].join("");
+}
+function xmlEscape(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+var AUTH_TOKEN_REQUEST_NS;
+var init_auth_xml_builder = __esm({
+  "src/crypto/auth-xml-builder.ts"() {
+    "use strict";
+    AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
+  }
+});
+
 // node_modules/@xmldom/xmldom/lib/conventions.js
 var require_conventions = __commonJS({
   "node_modules/@xmldom/xmldom/lib/conventions.js"(exports) {
@@ -456,7 +524,7 @@ var require_dom = __commonJS({
        * @see https://www.w3.org/TR/REC-DOM-Level-1/level-one-core.html#ID-5CED94D7 DOM Level 1 Core
        * @see https://dom.spec.whatwg.org/#dom-domimplementation-hasfeature DOM Living Standard
        */
-      hasFeature: function(feature, version) {
+      hasFeature: function(feature, version2) {
         return true;
       },
       /**
@@ -577,8 +645,8 @@ var require_dom = __commonJS({
         }
       },
       // Introduced in DOM Level 2:
-      isSupported: function(feature, version) {
-        return this.ownerDocument.implementation.hasFeature(feature, version);
+      isSupported: function(feature, version2) {
+        return this.ownerDocument.implementation.hasFeature(feature, version2);
       },
       // Introduced in DOM Level 2:
       hasAttributes: function() {
@@ -4845,8 +4913,542 @@ var init_pkcs12_loader = __esm({
   }
 });
 
+// src/workflows/polling.ts
+async function pollUntil(action, condition, options) {
+  const intervalMs = options?.intervalMs ?? 2e3;
+  const maxAttempts = options?.maxAttempts ?? 60;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    const result = await action();
+    if (condition(result)) return result;
+    options?.onProgress?.(attempt, maxAttempts);
+    if (attempt < maxAttempts) {
+      await new Promise((r) => setTimeout(r, intervalMs));
+    }
+  }
+  throw new Error(
+    `Polling timeout: ${options?.description ?? "condition"} after ${maxAttempts} attempts`
+  );
+}
+var init_polling = __esm({
+  "src/workflows/polling.ts"() {
+    "use strict";
+  }
+});
+
+// src/models/document-structures/types.ts
+var SystemCode, FORM_CODES, INVOICE_TYPES_BY_SYSTEM_CODE, FORM_CODE_KEYS;
+var init_types = __esm({
+  "src/models/document-structures/types.ts"() {
+    "use strict";
+    SystemCode = {
+      FA_2: "FA (2)",
+      FA_3: "FA (3)",
+      PEF_3: "PEF (3)",
+      PEF_KOR_3: "PEF_KOR (3)",
+      FA_RR_1: "FA_RR (1)"
+    };
+    FORM_CODES = {
+      FA_2: { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" },
+      FA_3: { systemCode: "FA (3)", schemaVersion: "1-0E", value: "FA" },
+      PEF_3: { systemCode: "PEF (3)", schemaVersion: "2-1", value: "PEF" },
+      PEF_KOR_3: { systemCode: "PEF_KOR (3)", schemaVersion: "2-1", value: "PEF" },
+      FA_RR_1_LEGACY: { systemCode: "FA_RR (1)", schemaVersion: "1-0E", value: "RR" },
+      FA_RR_1_TRANSITION: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "RR" },
+      FA_RR_1: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "FA_RR" }
+    };
+    INVOICE_TYPES_BY_SYSTEM_CODE = {
+      [SystemCode.FA_2]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
+      [SystemCode.FA_3]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
+      [SystemCode.PEF_3]: ["VatPef", "VatPefSp", "KorPef"],
+      [SystemCode.PEF_KOR_3]: ["KorPef"],
+      [SystemCode.FA_RR_1]: ["VatRr", "KorVatRr"]
+    };
+    FORM_CODE_KEYS = {
+      FA2: FORM_CODES.FA_2,
+      FA3: FORM_CODES.FA_3,
+      PEF3: FORM_CODES.PEF_3,
+      PEFKOR3: FORM_CODES.PEF_KOR_3,
+      FARR1: FORM_CODES.FA_RR_1
+    };
+  }
+});
+
+// src/models/document-structures/helpers.ts
+function validateFormCodeForSession(formCode, sessionType) {
+  if (sessionType === "online") return true;
+  return !BATCH_DISALLOWED_SYSTEM_CODES.has(formCode.systemCode);
+}
+var SYSTEM_CODE_TO_FORM_CODE, ALL_FORM_CODES, BATCH_DISALLOWED_SYSTEM_CODES;
+var init_helpers = __esm({
+  "src/models/document-structures/helpers.ts"() {
+    "use strict";
+    init_types();
+    SYSTEM_CODE_TO_FORM_CODE = {
+      [SystemCode.FA_2]: FORM_CODES.FA_2,
+      [SystemCode.FA_3]: FORM_CODES.FA_3,
+      [SystemCode.PEF_3]: FORM_CODES.PEF_3,
+      [SystemCode.PEF_KOR_3]: FORM_CODES.PEF_KOR_3,
+      [SystemCode.FA_RR_1]: FORM_CODES.FA_RR_1
+    };
+    ALL_FORM_CODES = Object.values(FORM_CODES);
+    BATCH_DISALLOWED_SYSTEM_CODES = /* @__PURE__ */ new Set([
+      SystemCode.PEF_3,
+      SystemCode.PEF_KOR_3
+    ]);
+  }
+});
+
+// src/models/document-structures/index.ts
+var init_document_structures = __esm({
+  "src/models/document-structures/index.ts"() {
+    "use strict";
+    init_types();
+    init_helpers();
+  }
+});
+
+// src/xml/upo-parser.ts
+import { XMLParser } from "fast-xml-parser";
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function requireRecord(value, at) {
+  if (!isRecord(value)) {
+    throw KSeFValidationError.fromField(at, `Expected object at ${at}`);
+  }
+  return value;
+}
+function requireString(value, at) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw KSeFValidationError.fromField(at, `Expected non-empty string at ${at}`);
+  }
+  return value;
+}
+function optionalRecord(value) {
+  return isRecord(value) ? value : void 0;
+}
+function optionalString(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function requireNumberFromString(value, at) {
+  const raw = requireString(value, at);
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed)) {
+    throw KSeFValidationError.fromField(at, `Expected integer at ${at}, got "${raw}"`);
+  }
+  return parsed;
+}
+function ensureArray(value) {
+  if (value == null) return [];
+  return Array.isArray(value) ? value : [value];
+}
+function parseIdKontekstu(obj) {
+  const nip = optionalString(obj.Nip);
+  if (nip) return { kind: "Nip", nip };
+  const idWewnetrzny = optionalString(obj.IdWewnetrzny);
+  if (idWewnetrzny) return { kind: "IdWewnetrzny", idWewnetrzny };
+  const idZlozonyVatUE = optionalString(obj.IdZlozonyVatUE);
+  if (idZlozonyVatUE) return { kind: "IdZlozonyVatUE", idZlozonyVatUE };
+  const idDostawcyUslugPeppol = optionalString(obj.IdDostawcyUslugPeppol);
+  if (idDostawcyUslugPeppol) return { kind: "IdDostawcyUslugPeppol", idDostawcyUslugPeppol };
+  throw KSeFValidationError.fromField(
+    "Uwierzytelnienie.IdKontekstu",
+    "Unsupported context identifier. Expected Nip | IdWewnetrzny | IdZlozonyVatUE | IdDostawcyUslugPeppol"
+  );
+}
+function parseProof(obj) {
+  const tokenRef = optionalString(obj.NumerReferencyjnyTokenaKSeF);
+  if (tokenRef) return { kind: "NumerReferencyjnyTokenaKSeF", numerReferencyjnyTokenaKSeF: tokenRef };
+  const docHash = optionalString(obj.SkrotDokumentuUwierzytelniajacego);
+  if (docHash) return { kind: "SkrotDokumentuUwierzytelniajacego", skrotDokumentuUwierzytelniajacego: docHash };
+  throw KSeFValidationError.fromField(
+    "Uwierzytelnienie",
+    "Unsupported auth proof. Expected NumerReferencyjnyTokenaKSeF | SkrotDokumentuUwierzytelniajacego"
+  );
+}
+function parseUwierzytelnienie(obj) {
+  const idKontekstu = parseIdKontekstu(
+    requireRecord(obj.IdKontekstu, "Uwierzytelnienie.IdKontekstu")
+  );
+  const proof = parseProof(obj);
+  return { idKontekstu, proof };
+}
+function parseOpisPotwierdzenia(obj) {
+  return {
+    strona: requireNumberFromString(obj.Strona, "OpisPotwierdzenia.Strona"),
+    liczbaStron: requireNumberFromString(obj.LiczbaStron, "OpisPotwierdzenia.LiczbaStron"),
+    zakresDokumentowOd: requireNumberFromString(obj.ZakresDokumentowOd, "OpisPotwierdzenia.ZakresDokumentowOd"),
+    zakresDokumentowDo: requireNumberFromString(obj.ZakresDokumentowDo, "OpisPotwierdzenia.ZakresDokumentowDo"),
+    calkowitaLiczbaDokumentow: requireNumberFromString(obj.CalkowitaLiczbaDokumentow, "OpisPotwierdzenia.CalkowitaLiczbaDokumentow")
+  };
+}
+function parseDokument(obj) {
+  return {
+    nipSprzedawcy: requireString(obj.NipSprzedawcy, "Dokument.NipSprzedawcy"),
+    numerKSeFDokumentu: requireString(obj.NumerKSeFDokumentu, "Dokument.NumerKSeFDokumentu"),
+    numerFaktury: requireString(obj.NumerFaktury, "Dokument.NumerFaktury"),
+    dataWystawieniaFaktury: requireString(obj.DataWystawieniaFaktury, "Dokument.DataWystawieniaFaktury"),
+    dataPrzeslaniaDokumentu: requireString(obj.DataPrzeslaniaDokumentu, "Dokument.DataPrzeslaniaDokumentu"),
+    dataNadaniaNumeruKSeF: requireString(obj.DataNadaniaNumeruKSeF, "Dokument.DataNadaniaNumeruKSeF"),
+    skrotDokumentu: requireString(obj.SkrotDokumentu, "Dokument.SkrotDokumentu"),
+    trybWysylki: requireString(obj.TrybWysylki, "Dokument.TrybWysylki")
+  };
+}
+function parseUpoXml(xml) {
+  const text = Buffer.isBuffer(xml) ? xml.toString("utf8") : xml;
+  const parsed = upoParser.parse(text);
+  const potwierdzenie = requireRecord(parsed?.Potwierdzenie, "Potwierdzenie");
+  const opisPotwierdzenia = optionalRecord(potwierdzenie.OpisPotwierdzenia);
+  const dokumenty = ensureArray(potwierdzenie.Dokument).map(
+    (doc, i) => parseDokument(requireRecord(doc, `Dokument[${i}]`))
+  );
+  if (dokumenty.length === 0) {
+    throw KSeFValidationError.fromField("Dokument", "Expected at least one Dokument in UPO");
+  }
+  return {
+    nazwaPodmiotuPrzyjmujacego: requireString(potwierdzenie.NazwaPodmiotuPrzyjmujacego, "NazwaPodmiotuPrzyjmujacego"),
+    numerReferencyjnySesji: requireString(potwierdzenie.NumerReferencyjnySesji, "NumerReferencyjnySesji"),
+    uwierzytelnienie: parseUwierzytelnienie(requireRecord(potwierdzenie.Uwierzytelnienie, "Uwierzytelnienie")),
+    ...opisPotwierdzenia && { opisPotwierdzenia: parseOpisPotwierdzenia(opisPotwierdzenia) },
+    nazwaStrukturyLogicznej: requireString(potwierdzenie.NazwaStrukturyLogicznej, "NazwaStrukturyLogicznej"),
+    kodFormularza: requireString(potwierdzenie.KodFormularza, "KodFormularza"),
+    dokumenty
+  };
+}
+var upoParser;
+var init_upo_parser = __esm({
+  "src/xml/upo-parser.ts"() {
+    "use strict";
+    init_ksef_validation_error();
+    upoParser = new XMLParser({
+      ignoreAttributes: false,
+      attributeNamePrefix: "@_",
+      parseTagValue: false,
+      parseAttributeValue: false,
+      removeNSPrefix: true,
+      trimValues: false
+    });
+  }
+});
+
+// src/xml/index.ts
+var init_xml = __esm({
+  "src/xml/index.ts"() {
+    "use strict";
+    init_upo_parser();
+  }
+});
+
+// src/builders/batch-file.ts
+import * as crypto4 from "crypto";
+function splitBuffer(data, maxPartSize) {
+  if (data.length <= maxPartSize) {
+    return [data];
+  }
+  const parts = [];
+  for (let offset = 0; offset < data.length; offset += maxPartSize) {
+    parts.push(data.subarray(offset, Math.min(offset + maxPartSize, data.length)));
+  }
+  return parts;
+}
+function sha256Base64(data) {
+  return crypto4.createHash("sha256").update(data).digest("base64");
+}
+var BATCH_MAX_PART_SIZE, BATCH_MAX_TOTAL_SIZE, BATCH_MAX_PARTS, BatchFileBuilder;
+var init_batch_file = __esm({
+  "src/builders/batch-file.ts"() {
+    "use strict";
+    init_ksef_validation_error();
+    BATCH_MAX_PART_SIZE = 1e8;
+    BATCH_MAX_TOTAL_SIZE = 5e9;
+    BATCH_MAX_PARTS = 50;
+    BatchFileBuilder = class {
+      /**
+       * Build batch file metadata and encrypted parts from a raw ZIP.
+       *
+       * @param zipBytes - Unencrypted ZIP data
+       * @param encryptFn - AES-256-CBC encryption function (called per part)
+       * @param options - Optional configuration
+       */
+      static build(zipBytes, encryptFn, options) {
+        const maxPartSize = options?.maxPartSize ?? BATCH_MAX_PART_SIZE;
+        if (maxPartSize <= 0) {
+          throw new KSeFValidationError("maxPartSize must be a positive number");
+        }
+        if (zipBytes.length === 0) {
+          throw new KSeFValidationError("ZIP data must not be empty");
+        }
+        if (zipBytes.length > BATCH_MAX_TOTAL_SIZE) {
+          throw new KSeFValidationError(
+            `ZIP size ${zipBytes.length} exceeds maximum of ${BATCH_MAX_TOTAL_SIZE} bytes (5 GB)`
+          );
+        }
+        const rawParts = splitBuffer(zipBytes, maxPartSize);
+        if (rawParts.length > BATCH_MAX_PARTS) {
+          throw new KSeFValidationError(
+            `Data requires ${rawParts.length} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
+          );
+        }
+        const zipHash = sha256Base64(zipBytes);
+        const encryptedParts = [];
+        const fileParts = rawParts.map((raw, i) => {
+          const encrypted = encryptFn(raw);
+          encryptedParts.push(encrypted);
+          return {
+            ordinalNumber: i + 1,
+            fileSize: encrypted.length,
+            fileHash: sha256Base64(encrypted)
+          };
+        });
+        return {
+          batchFile: {
+            fileSize: zipBytes.length,
+            fileHash: zipHash,
+            fileParts
+          },
+          encryptedParts
+        };
+      }
+      /**
+       * Stream-based variant: two-pass build from a stream factory.
+       *
+       * Pass 1: consume stream to compute ZIP hash.
+       * Pass 2: re-create stream, split into parts, encrypt each, compute per-part metadata.
+       *
+       * @param zipStreamFactory - Factory that creates a fresh ReadableStream of the ZIP data
+       * @param zipSize - Total ZIP byte size (from fs.stat or known in advance)
+       * @param encryptStreamFn - Stream-to-stream AES-256-CBC encryption function
+       * @param hashStreamFn - Stream-to-FileMetadata hashing function
+       * @param options - Optional configuration
+       */
+      static async buildFromStream(zipStreamFactory, zipSize, encryptStreamFn, hashStreamFn, options) {
+        const maxPartSize = options?.maxPartSize ?? BATCH_MAX_PART_SIZE;
+        if (maxPartSize <= 0) {
+          throw new KSeFValidationError("maxPartSize must be a positive number");
+        }
+        if (zipSize === 0) {
+          throw new KSeFValidationError("ZIP data must not be empty");
+        }
+        if (zipSize > BATCH_MAX_TOTAL_SIZE) {
+          throw new KSeFValidationError(
+            `ZIP size ${zipSize} exceeds maximum of ${BATCH_MAX_TOTAL_SIZE} bytes (5 GB)`
+          );
+        }
+        const partCount = Math.ceil(zipSize / maxPartSize);
+        if (partCount > BATCH_MAX_PARTS) {
+          throw new KSeFValidationError(
+            `Data requires ${partCount} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
+          );
+        }
+        const zipMeta = await hashStreamFn(zipStreamFactory());
+        const fileParts = [];
+        const streamParts = [];
+        const reader = zipStreamFactory().getReader();
+        let pending = [];
+        let pendingSize = 0;
+        for (let partIndex = 0; partIndex < partCount; partIndex++) {
+          const isLastPart = partIndex === partCount - 1;
+          const targetSize = isLastPart ? zipSize - partIndex * maxPartSize : maxPartSize;
+          while (pendingSize < targetSize) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            pending.push(value);
+            pendingSize += value.byteLength;
+          }
+          const buffer = new Uint8Array(Buffer.concat(pending));
+          const partData = buffer.subarray(0, targetSize);
+          if (buffer.byteLength > targetSize) {
+            const remainder = buffer.subarray(targetSize);
+            pending = [remainder];
+            pendingSize = remainder.byteLength;
+          } else {
+            pending = [];
+            pendingSize = 0;
+          }
+          const partStream = new ReadableStream({
+            start(controller) {
+              controller.enqueue(partData);
+              controller.close();
+            }
+          });
+          const encryptedStream = encryptStreamFn(partStream);
+          const encryptedChunks = [];
+          const encReader = encryptedStream.getReader();
+          for (; ; ) {
+            const { done, value } = await encReader.read();
+            if (done) break;
+            encryptedChunks.push(value);
+          }
+          const encryptedData = new Uint8Array(Buffer.concat(encryptedChunks));
+          const encryptedMeta = sha256Base64(encryptedData);
+          fileParts.push({
+            ordinalNumber: partIndex + 1,
+            fileSize: encryptedData.byteLength,
+            fileHash: encryptedMeta
+          });
+          const uploadStream = new ReadableStream({
+            start(controller) {
+              controller.enqueue(encryptedData);
+              controller.close();
+            }
+          });
+          streamParts.push({
+            dataStream: uploadStream,
+            metadata: {
+              hashSHA: encryptedMeta,
+              fileSize: encryptedData.byteLength
+            },
+            ordinalNumber: partIndex + 1
+          });
+        }
+        reader.releaseLock();
+        return {
+          batchFile: {
+            fileSize: zipSize,
+            fileHash: zipMeta.hashSHA,
+            fileParts
+          },
+          streamParts
+        };
+      }
+    };
+  }
+});
+
+// src/workflows/batch-session-workflow.ts
+var batch_session_workflow_exports = {};
+__export(batch_session_workflow_exports, {
+  uploadBatch: () => uploadBatch,
+  uploadBatchParsed: () => uploadBatchParsed,
+  uploadBatchStream: () => uploadBatchStream,
+  uploadBatchStreamParsed: () => uploadBatchStreamParsed
+});
+async function uploadBatch(client, zipData, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const formCode = options?.formCode ?? FORM_CODES.FA_2;
+  const encryptFn = (part) => client.crypto.encryptAES256(part, encData.cipherKey, encData.cipherIv);
+  const { batchFile, encryptedParts } = BatchFileBuilder.build(zipData, encryptFn, {
+    maxPartSize: options?.maxPartSize
+  });
+  const openResp = await client.batchSession.openSession(
+    {
+      formCode,
+      encryption: encData.encryptionInfo,
+      batchFile,
+      offlineMode: options?.offlineMode
+    },
+    options?.upoVersion
+  );
+  const sendingParts = encryptedParts.map((part, i) => ({
+    data: part.buffer.slice(part.byteOffset, part.byteOffset + part.byteLength),
+    metadata: {
+      hashSHA: batchFile.fileParts[i].fileHash,
+      fileSize: batchFile.fileParts[i].fileSize
+    },
+    ordinalNumber: i + 1
+  }));
+  await client.batchSession.sendParts(openResp, sendingParts);
+  await client.batchSession.closeSession(openResp.referenceNumber);
+  const result = await pollUntil(
+    () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
+    (s) => s.status.code === 200 || s.status.code >= 400,
+    { ...options?.pollOptions, description: `UPO for batch ${openResp.referenceNumber}` }
+  );
+  if (result.status.code !== 200) {
+    throw new Error(`Batch session failed: ${result.status.code} \u2014 ${result.status.description}`);
+  }
+  return {
+    sessionRef: openResp.referenceNumber,
+    upo: {
+      pages: result.upo?.pages ?? [],
+      invoiceCount: result.invoiceCount,
+      successfulInvoiceCount: result.successfulInvoiceCount,
+      failedInvoiceCount: result.failedInvoiceCount
+    }
+  };
+}
+async function uploadBatchStream(client, zipStreamFactory, zipSize, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const formCode = options?.formCode ?? FORM_CODES.FA_2;
+  const encryptStreamFn = (stream) => client.crypto.encryptAES256Stream(stream, encData.cipherKey, encData.cipherIv);
+  const hashStreamFn = (stream) => client.crypto.getFileMetadataFromStream(stream);
+  const { batchFile, streamParts } = await BatchFileBuilder.buildFromStream(
+    zipStreamFactory,
+    zipSize,
+    encryptStreamFn,
+    hashStreamFn,
+    { maxPartSize: options?.maxPartSize }
+  );
+  const openResp = await client.batchSession.openSession(
+    {
+      formCode,
+      encryption: encData.encryptionInfo,
+      batchFile,
+      offlineMode: options?.offlineMode
+    },
+    options?.upoVersion
+  );
+  await client.batchSession.sendPartsWithStream(openResp, streamParts);
+  await client.batchSession.closeSession(openResp.referenceNumber);
+  const result = await pollUntil(
+    () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
+    (s) => s.status.code === 200 || s.status.code >= 400,
+    { ...options?.pollOptions, description: `UPO for batch ${openResp.referenceNumber}` }
+  );
+  if (result.status.code !== 200) {
+    throw new Error(`Batch session failed: ${result.status.code} \u2014 ${result.status.description}`);
+  }
+  return {
+    sessionRef: openResp.referenceNumber,
+    upo: {
+      pages: result.upo?.pages ?? [],
+      invoiceCount: result.invoiceCount,
+      successfulInvoiceCount: result.successfulInvoiceCount,
+      failedInvoiceCount: result.failedInvoiceCount
+    }
+  };
+}
+async function uploadBatchStreamParsed(client, zipStreamFactory, zipSize, options) {
+  const result = await uploadBatchStream(client, zipStreamFactory, zipSize, options);
+  const parsed = [];
+  for (const page of result.upo.pages) {
+    const upoResult = await client.sessionStatus.getSessionUpo(result.sessionRef, page.referenceNumber);
+    parsed.push(parseUpoXml(upoResult.upo));
+  }
+  return {
+    sessionRef: result.sessionRef,
+    upo: { ...result.upo, parsed }
+  };
+}
+async function uploadBatchParsed(client, zipData, options) {
+  const result = await uploadBatch(client, zipData, options);
+  const parsed = [];
+  for (const page of result.upo.pages) {
+    const upoResult = await client.sessionStatus.getSessionUpo(result.sessionRef, page.referenceNumber);
+    parsed.push(parseUpoXml(upoResult.upo));
+  }
+  return {
+    sessionRef: result.sessionRef,
+    upo: { ...result.upo, parsed }
+  };
+}
+var init_batch_session_workflow = __esm({
+  "src/workflows/batch-session-workflow.ts"() {
+    "use strict";
+    init_document_structures();
+    init_batch_file();
+    init_polling();
+    init_xml();
+  }
+});
+
 // src/cli/index.ts
-import { defineCommand as defineCommand15, runMain } from "citty";
+import { readFileSync as readFileSync6 } from "fs";
+import { fileURLToPath } from "url";
+import { dirname as dirname2, resolve } from "path";
+import { defineCommand as defineCommand16, runMain } from "citty";
 
 // src/cli/commands/config.ts
 import { defineCommand } from "citty";
@@ -4935,15 +5537,8 @@ function outputWarning(msg) {
 // src/cli/error-handler.ts
 import { consola as consola2 } from "consola";
 
-// src/errors/ksef-error.ts
-var KSeFError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "KSeFError";
-  }
-};
-
 // src/errors/ksef-api-error.ts
+init_ksef_error();
 var KSeFApiError = class _KSeFApiError extends KSeFError {
   statusCode;
   errorResponse;
@@ -4993,6 +5588,7 @@ var KSeFRateLimitError = class _KSeFRateLimitError extends KSeFApiError {
 };
 
 // src/errors/ksef-unauthorized-error.ts
+init_ksef_error();
 var KSeFUnauthorizedError = class extends KSeFError {
   statusCode = 401;
   detail;
@@ -5008,6 +5604,7 @@ var KSeFUnauthorizedError = class extends KSeFError {
 };
 
 // src/errors/ksef-forbidden-error.ts
+init_ksef_error();
 var KSeFForbiddenError = class extends KSeFError {
   statusCode = 403;
   detail;
@@ -5144,6 +5741,9 @@ var configCommand = defineCommand({
 });
 
 // src/cli/commands/auth.ts
+import * as fs3 from "fs";
+import * as path3 from "path";
+import * as os3 from "os";
 import { defineCommand as defineCommand2 } from "citty";
 
 // src/cli/client-factory.ts
@@ -5194,8 +5794,8 @@ var RouteBuilder = class {
     this.apiVersion = apiVersion;
   }
   build(endpoint, apiVersion) {
-    const version = apiVersion ?? this.apiVersion;
-    return `/${version}/${endpoint}`;
+    const version2 = apiVersion ?? this.apiVersion;
+    return `/${version2}/${endpoint}`;
   }
 };
 
@@ -5247,27 +5847,11 @@ function isRetryableStatus(status6, policy) {
   return policy.retryableStatusCodes.includes(status6);
 }
 function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
 
-// src/errors/ksef-validation-error.ts
-var KSeFValidationError = class _KSeFValidationError extends KSeFError {
-  details;
-  constructor(message, details = []) {
-    super(message);
-    this.name = "KSeFValidationError";
-    this.details = details;
-  }
-  static fromField(field, message) {
-    return new _KSeFValidationError(message, [{ field, message }]);
-  }
-  static fromMessages(messages2) {
-    const details = messages2.map((m) => ({ message: m }));
-    return new _KSeFValidationError(messages2.join("; "), details);
-  }
-};
-
 // src/http/presigned-url-policy.ts
+init_ksef_validation_error();
 function defaultPresignedUrlPolicy() {
   return {
     allowedHosts: ["*.ksef.mf.gov.pl"],
@@ -5455,9 +6039,9 @@ var RestClient = class {
     return response;
   }
   buildUrl(request) {
-    const path5 = this.routeBuilder.build(request.path);
+    const path7 = this.routeBuilder.build(request.path);
     const base = this.options.baseUrl;
-    const url2 = new URL(`${base}${path5}`);
+    const url2 = new URL(`${base}${path7}`);
     const query2 = request.getQuery();
     for (const [key, value] of query2) {
       url2.searchParams.append(key, value);
@@ -5518,7 +6102,7 @@ var TokenBucket = class {
       return;
     }
     const waitMs = Math.ceil((1 - this.tokens) / this.refillRate);
-    await new Promise((resolve) => setTimeout(resolve, waitMs));
+    await new Promise((resolve2) => setTimeout(resolve2, waitMs));
     this.refill();
     this.tokens -= 1;
   }
@@ -5539,8 +6123,8 @@ var RateLimitPolicy = class {
     this.endpointLimits = config.endpointLimits ?? {};
   }
   async acquire(endpoint) {
-    return new Promise((resolve, reject) => {
-      this.chain = this.chain.then(() => this.doAcquire(endpoint)).then(resolve, reject);
+    return new Promise((resolve2, reject) => {
+      this.chain = this.chain.then(() => this.doAcquire(endpoint)).then(resolve2, reject);
     });
   }
   async doAcquire(endpoint) {
@@ -5604,21 +6188,21 @@ var RestRequest = class _RestRequest {
   _query = [];
   _presigned = false;
   _skipAuthRetry = false;
-  constructor(method, path5) {
+  constructor(method, path7) {
     this.method = method;
-    this.path = path5;
+    this.path = path7;
   }
-  static get(path5) {
-    return new _RestRequest("GET", path5);
+  static get(path7) {
+    return new _RestRequest("GET", path7);
   }
-  static post(path5) {
-    return new _RestRequest("POST", path5);
+  static post(path7) {
+    return new _RestRequest("POST", path7);
   }
-  static put(path5) {
-    return new _RestRequest("PUT", path5);
+  static put(path7) {
+    return new _RestRequest("PUT", path7);
   }
-  static delete(path5) {
-    return new _RestRequest("DELETE", path5);
+  static delete(path7) {
+    return new _RestRequest("DELETE", path7);
   }
   body(data) {
     this._body = data;
@@ -5912,6 +6496,36 @@ var BatchSessionService = class {
     });
     await Promise.all(tasks);
   }
+  /**
+   * Upload parts sequentially (not in parallel) because each part uses a
+   * streaming body (`duplex: 'half'`). Parallel streaming uploads can cause
+   * backpressure issues and exceed memory limits for large payloads.
+   */
+  async sendPartsWithStream(openResponse, parts) {
+    const uploadRequests = openResponse.partUploadRequests;
+    for (const part of parts) {
+      const uploadReq = uploadRequests.find(
+        (r) => r.ordinalNumber === part.ordinalNumber
+      );
+      if (!uploadReq) {
+        throw new Error(`No upload request found for part ${part.ordinalNumber}`);
+      }
+      const headers = {};
+      for (const [k, v] of Object.entries(uploadReq.headers)) {
+        if (v != null) headers[k] = v;
+      }
+      const resp = await fetch(uploadReq.url, {
+        method: uploadReq.method,
+        headers,
+        body: part.dataStream,
+        // @ts-expect-error -- Node 18+ undici supports duplex for streaming body
+        duplex: "half"
+      });
+      if (!resp.ok) {
+        throw new Error(`Upload failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+      }
+    }
+  }
   async closeSession(batchRef) {
     const req = RestRequest.post(Routes.Sessions.Batch.close(batchRef));
     await this.restClient.executeVoid(req);
@@ -6235,6 +6849,18 @@ var CertificateApiService = class {
   }
 };
 
+// src/errors/index.ts
+init_ksef_error();
+
+// src/errors/ksef-auth-status-error.ts
+init_ksef_error();
+
+// src/errors/ksef-session-expired-error.ts
+init_ksef_error();
+
+// src/errors/index.ts
+init_ksef_validation_error();
+
 // src/services/lighthouse.ts
 var LighthouseService = class {
   lighthouseUrl;
@@ -6243,20 +6869,20 @@ var LighthouseService = class {
     this.lighthouseUrl = options.lighthouseUrl;
     this.timeout = options.timeout;
   }
-  async fetchJson(path5) {
+  async fetchJson(path7) {
     if (!this.lighthouseUrl) {
       throw new KSeFError(
         "Lighthouse API is not available for the DEMO environment. Use TEST or PROD instead."
       );
     }
-    const response = await fetch(`${this.lighthouseUrl}${path5}`, {
+    const response = await fetch(`${this.lighthouseUrl}${path7}`, {
       headers: { Accept: "application/json" },
       signal: AbortSignal.timeout(this.timeout)
     });
     if (!response.ok) {
       const body = await response.text();
       throw new KSeFError(
-        `Lighthouse ${path5} failed: HTTP ${response.status} \u2014 ${body}`
+        `Lighthouse ${path7} failed: HTTP ${response.status} \u2014 ${body}`
       );
     }
     return await response.json();
@@ -6309,6 +6935,7 @@ var PeppolService = class {
 };
 
 // src/services/test-data.ts
+init_ksef_error();
 var TestDataService = class {
   restClient;
   environmentName;
@@ -6498,6 +7125,28 @@ var CryptographyService = class {
     const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
     return new Uint8Array(Buffer.concat([cipher.update(content), cipher.final()]));
   }
+  /**
+   * Encrypt with AES-256-CBC as a streaming transform.
+   * Returns a ReadableStream that yields encrypted chunks as the input is read.
+   */
+  encryptAES256Stream(input, key, iv) {
+    const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
+    const transform = new TransformStream({
+      transform(chunk, controller) {
+        const encrypted = cipher.update(chunk);
+        if (encrypted.length > 0) {
+          controller.enqueue(new Uint8Array(encrypted));
+        }
+      },
+      flush(controller) {
+        const final = cipher.final();
+        if (final.length > 0) {
+          controller.enqueue(new Uint8Array(final));
+        }
+      }
+    });
+    return input.pipeThrough(transform);
+  }
   /** Decrypt with AES-256-CBC. */
   decryptAES256(content, key, iv) {
     const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
@@ -6570,6 +7219,23 @@ var CryptographyService = class {
     const hash = crypto.createHash("sha256").update(file).digest("base64");
     return { hashSHA: hash, fileSize: file.length };
   }
+  /** Compute SHA-256 hash (base64) and byte length from a ReadableStream. */
+  async getFileMetadataFromStream(stream) {
+    const hash = crypto.createHash("sha256");
+    let fileSize = 0;
+    const reader = stream.getReader();
+    try {
+      for (; ; ) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        hash.update(value);
+        fileSize += value.byteLength;
+      }
+    } finally {
+      reader.releaseLock();
+    }
+    return { hashSHA: hash.digest("base64"), fileSize };
+  }
   // ---------------------------------------------------------------------------
   // CSR generation
   // ---------------------------------------------------------------------------
@@ -6746,6 +7412,7 @@ var VerificationLinkService = class {
 };
 
 // src/client.ts
+init_auth_xml_builder();
 var KSeFClient = class {
   auth;
   activeSessions;
@@ -6839,21 +7506,12 @@ var KSeFClient = class {
     this.authManager.setRefreshToken(void 0);
   }
 };
-var AUTH_TOKEN_REQUEST_NS = "http://ksef.mf.gov.pl/auth/token/2.0";
 function buildAuthTokenRequestXml(challenge2, nip, subjectIdentifierType = "certificateSubject") {
-  return [
-    '<?xml version="1.0" encoding="utf-8"?>',
-    `<AuthTokenRequest xmlns="${AUTH_TOKEN_REQUEST_NS}">`,
-    `<Challenge>${xmlEscape(challenge2)}</Challenge>`,
-    `<ContextIdentifier>`,
-    `<Nip>${xmlEscape(nip)}</Nip>`,
-    `</ContextIdentifier>`,
-    `<SubjectIdentifierType>${xmlEscape(subjectIdentifierType)}</SubjectIdentifierType>`,
-    `</AuthTokenRequest>`
-  ].join("");
-}
-function xmlEscape(str) {
-  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+  return buildUnsignedAuthTokenRequestXml({
+    challenge: challenge2,
+    contextIdentifier: { type: "Nip", value: nip },
+    subjectIdentifierType
+  });
 }
 function buildRestClientConfig(options, authManager) {
   const config = { authManager };
@@ -6963,6 +7621,29 @@ function requireSession(globalOpts) {
 }
 
 // src/cli/commands/auth.ts
+init_polling();
+var PENDING_CHALLENGE_FILE = path3.join(os3.homedir(), ".ksef", "pending-challenge.json");
+function savePendingChallenge(data) {
+  const dir = path3.dirname(PENDING_CHALLENGE_FILE);
+  fs3.mkdirSync(dir, { recursive: true });
+  fs3.writeFileSync(PENDING_CHALLENGE_FILE, JSON.stringify(data, null, 2) + "\n", {
+    encoding: "utf-8",
+    mode: 384
+  });
+}
+function clearPendingChallenge() {
+  try {
+    fs3.unlinkSync(PENDING_CHALLENGE_FILE);
+  } catch {
+  }
+}
+async function readStdin(stream = process.stdin) {
+  const chunks = [];
+  for await (const chunk of stream) {
+    chunks.push(chunk);
+  }
+  return Buffer.concat(chunks).toString("utf-8");
+}
 function getGlobalOpts(args) {
   return {
     env: args.env,
@@ -7015,13 +7696,13 @@ var login = defineCommand2({
       if (args.token) {
         await client.loginWithToken(args.token, nip);
       } else if (args.p12) {
-        const fs7 = await import("fs");
-        const p12Buffer = fs7.readFileSync(args.p12);
+        const fs10 = await import("fs");
+        const p12Buffer = fs10.readFileSync(args.p12);
         await client.loginWithPkcs12(p12Buffer, args["p12-password"] ?? "", nip);
       } else if (args.cert && args.key) {
-        const fs7 = await import("fs");
-        const certPem = fs7.readFileSync(args.cert, "utf-8");
-        const keyPem = fs7.readFileSync(args.key, "utf-8");
+        const fs10 = await import("fs");
+        const certPem = fs10.readFileSync(args.cert, "utf-8");
+        const keyPem = fs10.readFileSync(args.key, "utf-8");
         await client.loginWithCertificate(certPem, keyPem, nip);
       } else {
         throw new Error("Provide --token, --p12, or both --cert and --key for authentication.");
@@ -7123,15 +7804,109 @@ var whoami = defineCommand2({
     });
   }
 });
-var authCommand = defineCommand2({
-  meta: { name: "auth", description: "Authentication commands" },
-  subCommands: { challenge, login, status, logout, refresh, whoami }
-});
-
-// src/cli/commands/session.ts
-import * as fs3 from "fs";
+var loginExternal = defineCommand2({
+  meta: { name: "login-external", description: "Authenticate with externally-signed XAdES XML" },
+  args: {
+    generate: { type: "boolean", description: "Generate unsigned auth request XML" },
+    submit: { type: "boolean", description: "Submit externally-signed XML" },
+    nip: { type: "string", description: "NIP number (or identifier value for non-Nip context types)" },
+    "context-type": { type: "string", description: "Context identifier type: Nip, InternalId, NipVatUe, PeppolId (default: Nip)" },
+    output: { type: "string", description: "Write unsigned XML to file instead of stdout (--generate)" },
+    input: { type: "string", description: "Read signed XML from file instead of stdin (--submit)" },
+    env: { type: "string", description: "Environment (test/demo/prod)" },
+    json: { type: "boolean", description: "Output as JSON" },
+    verbose: { type: "boolean", description: "Show HTTP request/response details" },
+    timeout: { type: "string", description: "Request timeout (ms)" }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const globalOpts = getGlobalOpts(args);
+      const config = loadConfig();
+      const nip = args.nip ?? config.nip;
+      if (!nip) {
+        throw new Error("NIP/identifier is required. Provide --nip or set it via `ksef config set --nip <nip>`.");
+      }
+      const contextType = args["context-type"] ?? "Nip";
+      const validTypes = ["Nip", "InternalId", "NipVatUe", "PeppolId"];
+      if (!validTypes.includes(contextType)) {
+        throw new Error(`Invalid --context-type "${contextType}". Must be one of: ${validTypes.join(", ")}`);
+      }
+      if (!args.generate && !args.submit) {
+        throw new Error("Specify --generate to create unsigned XML, or --submit to send signed XML.");
+      }
+      const client = createClient(globalOpts);
+      if (args.generate) {
+        const { buildUnsignedAuthTokenRequestXml: buildUnsignedAuthTokenRequestXml2 } = await Promise.resolve().then(() => (init_auth_xml_builder(), auth_xml_builder_exports));
+        const challengeResult = await client.auth.getChallenge();
+        const unsignedXml = buildUnsignedAuthTokenRequestXml2({
+          challenge: challengeResult.challenge,
+          contextIdentifier: { type: contextType, value: nip }
+        });
+        if (args.output) {
+          fs3.writeFileSync(args.output, unsignedXml, "utf-8");
+          process.stderr.write(`Unsigned XML written to ${args.output}
+`);
+        } else {
+          process.stdout.write(unsignedXml);
+        }
+        savePendingChallenge({
+          challenge: challengeResult.challenge,
+          timestamp: challengeResult.timestamp,
+          contextIdentifier: { type: contextType, value: nip },
+          createdAt: (/* @__PURE__ */ new Date()).toISOString()
+        });
+        process.stderr.write(`Challenge: ${challengeResult.challenge}
+`);
+        process.stderr.write(`Timestamp: ${challengeResult.timestamp}
+`);
+        process.stderr.write(`Note: Sign this XML and submit with --submit before the challenge expires.
+`);
+      }
+      if (args.submit) {
+        let signedXml;
+        if (args.input) {
+          signedXml = fs3.readFileSync(args.input, "utf-8");
+        } else {
+          signedXml = await readStdin();
+        }
+        if (!signedXml.trim()) {
+          throw new Error("No signed XML provided. Pipe signed XML to stdin or use --input <file>.");
+        }
+        const submitResult = await client.auth.submitXadesAuthRequest(signedXml);
+        const authToken = submitResult.authenticationToken.token;
+        await pollUntil(
+          () => client.auth.getAuthStatus(submitResult.referenceNumber, authToken),
+          (s) => s.status.code !== 100,
+          { intervalMs: 1e3, maxAttempts: 30, description: `auth ${submitResult.referenceNumber}` }
+        );
+        const tokens = await client.auth.getAccessToken(authToken);
+        const session = {
+          accessToken: tokens.accessToken.token,
+          refreshToken: tokens.refreshToken.token,
+          expiresAt: tokens.accessToken.validUntil,
+          environment: args.env ?? config.environment
+        };
+        saveSession(session);
+        if (args.env && args.env !== config.environment) {
+          saveConfig({ ...config, environment: session.environment });
+        }
+        clearPendingChallenge();
+        outputSuccess("Logged in successfully via external signature.");
+      }
+    });
+  }
+});
+var authCommand = defineCommand2({
+  meta: { name: "auth", description: "Authentication commands" },
+  subCommands: { challenge, login, "login-external": loginExternal, status, logout, refresh, whoami }
+});
+
+// src/cli/commands/session.ts
+import * as fs4 from "fs";
 import { defineCommand as defineCommand3 } from "citty";
 import { consola as consola5 } from "consola";
+init_document_structures();
+init_xml();
 function getGlobalOpts2(args) {
   return {
     env: args.env,
@@ -7145,6 +7920,7 @@ var open = defineCommand3({
   meta: { name: "open", description: "Open a KSeF session (online or batch)" },
   args: {
     batch: { type: "boolean", description: "Open a batch session instead of online" },
+    formCode: { type: "string", description: "Document type: FA2, FA3, PEF3, PEFKOR3, FARR1 (default: FA2)" },
     env: { type: "string", description: "Environment (test/demo/prod)" },
     json: { type: "boolean", description: "Output as JSON" },
     verbose: { type: "boolean", description: "Show HTTP request/response details" },
@@ -7162,7 +7938,15 @@ var open = defineCommand3({
       }
       await client.crypto.init();
       const encryptionData = client.crypto.getEncryptionData();
-      const formCode = { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" };
+      const formCodeKey = args.formCode;
+      let formCode = FORM_CODES.FA_2;
+      if (formCodeKey) {
+        const resolved = FORM_CODE_KEYS[formCodeKey];
+        if (!resolved) {
+          throw new Error(`Invalid form code "${formCodeKey}". Valid keys: ${Object.keys(FORM_CODE_KEYS).join(", ")}`);
+        }
+        formCode = resolved;
+      }
       if (args.batch) {
         throw new Error("Batch session open is used internally by `ksef invoice send <dir>`. Use `ksef session open` for online sessions.");
       }
@@ -7400,6 +8184,7 @@ var upo = defineCommand3({
     upoRef: { type: "string", description: "UPO reference" },
     ksefNumber: { type: "string", description: "KSeF invoice number" },
     invoiceRef: { type: "string", description: "Invoice reference" },
+    parsed: { type: "boolean", description: "Parse UPO XML and output as JSON" },
     o: { type: "string", description: "Output file path" },
     env: { type: "string", description: "Environment (test/demo/prod)" },
     json: { type: "boolean", description: "Output as JSON" },
@@ -7421,12 +8206,23 @@ var upo = defineCommand3({
       } else {
         throw new Error("Provide one of: --upo-ref, --ksef-number, or --invoice-ref");
       }
+      if (args.parsed) {
+        const parsed = parseUpoXml(result.upo);
+        const json = JSON.stringify(parsed, null, 2);
+        if (args.o) {
+          fs4.writeFileSync(args.o, json, "utf-8");
+          outputSuccess(`Parsed UPO saved to ${args.o}`);
+        } else {
+          console.log(json);
+        }
+        return;
+      }
       if (args.json) {
         outputResult(result, { json: true });
         return;
       }
       if (args.o) {
-        fs3.writeFileSync(args.o, result.upo, "utf-8");
+        fs4.writeFileSync(args.o, result.upo, "utf-8");
         outputSuccess(`UPO saved to ${args.o}`);
       } else {
         console.log(result.upo);
@@ -7556,10 +8352,173 @@ var sessionCommand = defineCommand3({
 });
 
 // src/cli/commands/invoice.ts
-import * as fs4 from "fs";
-import * as path3 from "path";
+import * as fs7 from "fs";
+import * as path5 from "path";
+import { Readable } from "stream";
+import { defineCommand as defineCommand5 } from "citty";
+import { consola as consola7 } from "consola";
+init_document_structures();
+
+// src/cli/commands/export-incremental.ts
+import * as fs6 from "fs";
+import * as path4 from "path";
 import { defineCommand as defineCommand4 } from "citty";
 import { consola as consola6 } from "consola";
+
+// src/workflows/hwm-storage.ts
+import * as fs5 from "fs/promises";
+var FileHwmStore = class {
+  constructor(filePath) {
+    this.filePath = filePath;
+  }
+  async load() {
+    try {
+      const data = await fs5.readFile(this.filePath, "utf-8");
+      return JSON.parse(data);
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        return {};
+      }
+      throw err;
+    }
+  }
+  async save(points) {
+    await fs5.writeFile(this.filePath, JSON.stringify(points, null, 2), "utf-8");
+  }
+};
+
+// src/utils/zip.ts
+import { ZipFile } from "yazl";
+import { fromBuffer } from "yauzl";
+
+// src/workflows/invoice-export-workflow.ts
+init_polling();
+async function doExport(client, filters, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const opResp = await client.invoices.exportInvoices({
+    encryption: encData.encryptionInfo,
+    filters,
+    onlyMetadata: options?.onlyMetadata
+  });
+  const result = await pollUntil(
+    () => client.invoices.getInvoiceExportStatus(opResp.referenceNumber),
+    (s) => s.status.code === 200 || s.status.code >= 400,
+    { ...options?.pollOptions, description: `export ${opResp.referenceNumber}` }
+  );
+  if (result.status.code !== 200) {
+    throw new Error(`Export failed: ${result.status.code} \u2014 ${result.status.description}`);
+  }
+  if (!result.package) {
+    throw new Error("Export completed but no package available");
+  }
+  return {
+    encData,
+    referenceNumber: opResp.referenceNumber,
+    result: {
+      parts: result.package.parts.map((p) => ({
+        ordinalNumber: p.ordinalNumber,
+        url: p.url,
+        method: p.method,
+        partSize: p.partSize,
+        encryptedPartSize: p.encryptedPartSize,
+        encryptedPartHash: p.encryptedPartHash,
+        expirationDate: p.expirationDate
+      })),
+      invoiceCount: result.package.invoiceCount,
+      isTruncated: result.package.isTruncated,
+      permanentStorageHwmDate: result.package.permanentStorageHwmDate,
+      lastPermanentStorageDate: result.package.lastPermanentStorageDate
+    }
+  };
+}
+
+// src/workflows/hwm-coordinator.ts
+function updateContinuationPoint(points, subjectType, pkg2) {
+  if (pkg2.isTruncated && pkg2.lastPermanentStorageDate) {
+    points[subjectType] = pkg2.lastPermanentStorageDate;
+  } else if (pkg2.permanentStorageHwmDate) {
+    points[subjectType] = pkg2.permanentStorageHwmDate;
+  } else {
+    delete points[subjectType];
+  }
+}
+function getEffectiveStartDate(points, subjectType, windowFrom) {
+  return points[subjectType] ?? windowFrom;
+}
+
+// src/workflows/incremental-export-workflow.ts
+async function incrementalExportAndDownload(client, options) {
+  const maxIterations = options.maxIterations ?? 20;
+  const points = options.continuationPoints;
+  if (options.store) {
+    const loaded = await options.store.load();
+    for (const [key, value] of Object.entries(loaded)) {
+      if (value !== void 0 && points[key] === void 0) {
+        points[key] = value;
+      }
+    }
+  }
+  const referenceNumbers = [];
+  const decryptedParts = [];
+  let previousFrom;
+  let iteration = 0;
+  for (; iteration < maxIterations; iteration++) {
+    const effectiveFrom = getEffectiveStartDate(points, options.subjectType, options.windowFrom);
+    if (previousFrom !== void 0 && effectiveFrom === previousFrom) {
+      break;
+    }
+    previousFrom = effectiveFrom;
+    const filters = options.filtersFactory ? options.filtersFactory(effectiveFrom, options.windowTo) : buildDefaultFilters(options.subjectType, effectiveFrom, options.windowTo);
+    const { result, encData, referenceNumber } = await doExport(client, filters, {
+      onlyMetadata: options.onlyMetadata,
+      pollOptions: options.pollOptions
+    });
+    referenceNumbers.push(referenceNumber);
+    const download = options.transport ?? fetch;
+    for (const part of result.parts) {
+      const resp = await download(part.url, { method: part.method });
+      if (!resp.ok) {
+        throw new Error(`Download failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+      }
+      const encryptedData = new Uint8Array(await resp.arrayBuffer());
+      const decrypted = client.crypto.decryptAES256(encryptedData, encData.cipherKey, encData.cipherIv);
+      decryptedParts.push(decrypted);
+    }
+    updateContinuationPoint(points, options.subjectType, {
+      isTruncated: result.isTruncated,
+      lastPermanentStorageDate: result.lastPermanentStorageDate,
+      permanentStorageHwmDate: result.permanentStorageHwmDate
+    });
+    if (options.store) {
+      await options.store.save(points);
+    }
+    options.onIterationComplete?.(iteration, result);
+    if (!result.isTruncated) {
+      iteration++;
+      break;
+    }
+  }
+  return {
+    referenceNumbers,
+    invoices: [],
+    decryptedParts,
+    continuationPoints: points,
+    iterationCount: iteration
+  };
+}
+function buildDefaultFilters(subjectType, from, to) {
+  return {
+    subjectType,
+    dateRange: {
+      dateType: "PermanentStorage",
+      from,
+      to
+    }
+  };
+}
+
+// src/cli/commands/export-incremental.ts
 function getGlobalOpts3(args) {
   return {
     env: args.env,
@@ -7569,6 +8528,101 @@ function getGlobalOpts3(args) {
     nip: args.nip
   };
 }
+var exportIncremental = defineCommand4({
+  meta: { name: "export-incremental", description: "Incremental invoice export with HWM state persistence" },
+  args: {
+    from: { type: "string", description: "Start date (YYYY-MM-DD) \u2014 required", required: true },
+    to: { type: "string", description: "End date (YYYY-MM-DD)" },
+    subjectType: { type: "string", description: "Subject type: Subject1|Subject2|Subject3|SubjectAuthorized (default: Subject1)" },
+    stateFile: { type: "string", description: "HWM state file path (default: ./ksef-hwm-state.json)" },
+    outputDir: { type: "string", description: "Output directory for exported parts (default: ./ksef-exports/)" },
+    maxIterations: { type: "string", description: "Max export iterations (default: 20)" },
+    env: { type: "string", description: "Environment (test/demo/prod)" },
+    json: { type: "boolean", description: "Output as JSON" },
+    verbose: { type: "boolean", description: "Show HTTP request/response details" },
+    timeout: { type: "string", description: "Request timeout (ms)" },
+    nip: { type: "string", description: "NIP number" }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const globalOpts = getGlobalOpts3(args);
+      const { client } = requireSession(globalOpts);
+      const from = args.from;
+      const to = args.to ?? (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+      const subjectType = args.subjectType ?? "Subject1";
+      const stateFile = args.stateFile ?? "./ksef-hwm-state.json";
+      const outputDir = args.outputDir ?? "./ksef-exports";
+      const maxIterations = args.maxIterations ? parseInt(args.maxIterations, 10) : 20;
+      const isJson = args.json;
+      const store = new FileHwmStore(stateFile);
+      const continuationPoints = {};
+      if (!fs6.existsSync(outputDir)) {
+        fs6.mkdirSync(outputDir, { recursive: true });
+      }
+      if (!isJson) {
+        consola6.start(`Incremental export: ${from} \u2192 ${to}, subject: ${subjectType}`);
+        consola6.info(`State file: ${stateFile}`);
+        consola6.info(`Output dir: ${outputDir}`);
+      }
+      const iterationParts = [];
+      const result = await incrementalExportAndDownload(client, {
+        subjectType,
+        windowFrom: from,
+        windowTo: to,
+        continuationPoints,
+        maxIterations,
+        store,
+        pollOptions: { intervalMs: 2e3 },
+        onIterationComplete: (iteration, iterResult) => {
+          iterationParts.push({ iteration, partCount: iterResult.parts.length });
+          if (!isJson) {
+            const hwmDate = continuationPoints[subjectType] ?? "complete";
+            consola6.info(
+              `Iteration ${iteration + 1}: ${iterResult.invoiceCount} invoices, truncated: ${iterResult.isTruncated}, HWM: ${hwmDate}`
+            );
+          }
+        }
+      });
+      let partIndex = 0;
+      for (const { iteration, partCount } of iterationParts) {
+        for (let p = 0; p < partCount; p++) {
+          if (partIndex < result.decryptedParts.length) {
+            const fileName = `iter-${String(iteration + 1).padStart(3, "0")}-part-${String(p + 1).padStart(3, "0")}.zip`;
+            const filePath = path4.join(outputDir, fileName);
+            fs6.writeFileSync(filePath, result.decryptedParts[partIndex]);
+            partIndex++;
+          }
+        }
+      }
+      if (isJson) {
+        outputResult({
+          referenceNumbers: result.referenceNumbers,
+          iterationCount: result.iterationCount,
+          totalParts: result.decryptedParts.length,
+          continuationPoints: result.continuationPoints,
+          outputDir
+        }, { json: true });
+      } else {
+        outputSuccess(
+          `Export complete: ${result.iterationCount} iterations, ${result.decryptedParts.length} parts downloaded`
+        );
+        consola6.info(`Final HWM: ${continuationPoints[subjectType] ?? "complete"}`);
+        consola6.info(`Output: ${outputDir}`);
+      }
+    });
+  }
+});
+
+// src/cli/commands/invoice.ts
+function getGlobalOpts4(args) {
+  return {
+    env: args.env,
+    json: args.json,
+    verbose: args.verbose,
+    timeout: args.timeout,
+    nip: args.nip
+  };
+}
 function buildQueryFilters(args) {
   const from = args.from;
   if (!from) {
@@ -7612,11 +8666,13 @@ var QUERY_FILTER_ARGS = {
   amountType: { type: "string", description: "Amount type: Brutto|Netto|Vat (default: Brutto)" },
   currency: { type: "string", description: "Currency code (e.g. PLN, EUR)" }
 };
-var send = defineCommand4({
+var send = defineCommand5({
   meta: { name: "send", description: "Send invoice(s) \u2014 single XML file or directory for batch" },
   args: {
-    path: { type: "positional", description: "Path to XML file or directory of XMLs", required: true },
+    path: { type: "positional", description: "Path to XML file, directory of XMLs, or ZIP for batch", required: true },
     sessionRef: { type: "string", description: "Override online session reference" },
+    stream: { type: "boolean", description: "Use stream-based batch upload (for ZIP files, reduces memory usage)" },
+    formCode: { type: "string", description: "Document type: FA2, FA3, PEF3, PEFKOR3, FARR1 (default: FA2)" },
     env: { type: "string", description: "Environment (test/demo/prod)" },
     json: { type: "boolean", description: "Output as JSON" },
     verbose: { type: "boolean", description: "Show HTTP request/response details" },
@@ -7625,29 +8681,65 @@ var send = defineCommand4({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts3(args);
+      const globalOpts = getGlobalOpts4(args);
       const { client, session } = requireSession(globalOpts);
       const config = loadConfig();
       const nip = args.nip ?? config.nip;
       const filePath = args.path;
-      if (!fs4.existsSync(filePath)) {
+      const formCodeKey = args.formCode;
+      let formCode = FORM_CODES.FA_2;
+      if (formCodeKey) {
+        const resolved = FORM_CODE_KEYS[formCodeKey];
+        if (!resolved) {
+          throw new Error(`Invalid form code "${formCodeKey}". Valid keys: ${Object.keys(FORM_CODE_KEYS).join(", ")}`);
+        }
+        formCode = resolved;
+      }
+      if (!fs7.existsSync(filePath)) {
         throw new Error(`Path not found: ${filePath}`);
       }
-      const stat = fs4.statSync(filePath);
+      const stat = fs7.statSync(filePath);
+      if (args.stream) {
+        if (!filePath.endsWith(".zip") || stat.isDirectory()) {
+          throw new Error("--stream requires a .zip file path.");
+        }
+        if (!nip) {
+          throw new Error("NIP is required. Provide --nip or set it via `ksef config set --nip <nip>`.");
+        }
+        if (!validateFormCodeForSession(formCode, "batch")) {
+          throw new Error(`Document type "${formCode.systemCode}" is not supported in batch sessions. PEF/PEF_KOR require online sessions.`);
+        }
+        const { uploadBatchStream: uploadBatchStream2 } = await Promise.resolve().then(() => (init_batch_session_workflow(), batch_session_workflow_exports));
+        const zipSize = stat.size;
+        const zipStreamFactory = () => Readable.toWeb(fs7.createReadStream(filePath));
+        if (!args.json) consola7.start(`Sending batch via stream (${(zipSize / 1e6).toFixed(1)} MB)...`);
+        const result = await uploadBatchStream2(client, zipStreamFactory, zipSize, {
+          formCode,
+          pollOptions: { intervalMs: 3e3 }
+        });
+        if (args.json) {
+          outputResult(result, { json: true });
+        } else {
+          outputSuccess(`Batch sent via stream. Ref: ${result.sessionRef}, invoices: ${result.upo.invoiceCount ?? "unknown"}`);
+        }
+        return;
+      }
       if (stat.isDirectory()) {
-        const xmlFiles = fs4.readdirSync(filePath).filter((f) => f.endsWith(".xml")).map((f) => path3.join(filePath, f));
+        const xmlFiles = fs7.readdirSync(filePath).filter((f) => f.endsWith(".xml")).map((f) => path5.join(filePath, f));
         if (xmlFiles.length === 0) {
           throw new Error(`No XML files found in ${filePath}`);
         }
         if (!nip) {
           throw new Error("NIP is required. Provide --nip or set it via `ksef config set --nip <nip>`.");
         }
-        if (!args.json) consola6.start(`Sending ${xmlFiles.length} invoices via batch session...`);
+        if (!validateFormCodeForSession(formCode, "batch")) {
+          throw new Error(`Document type "${formCode.systemCode}" is not supported in batch sessions. PEF/PEF_KOR require online sessions.`);
+        }
+        if (!args.json) consola7.start(`Sending ${xmlFiles.length} invoices via batch session...`);
         await client.crypto.init();
         const encryptionData = client.crypto.getEncryptionData();
-        const formCode = { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" };
         const parts = xmlFiles.map((file, i) => {
-          const content = fs4.readFileSync(file);
+          const content = fs7.readFileSync(file);
           const metadata = client.crypto.getFileMetadata(new Uint8Array(content));
           return {
             data: content.buffer,
@@ -7655,7 +8747,7 @@ var send = defineCommand4({
             ordinalNumber: i + 1
           };
         });
-        const totalContent = Buffer.concat(xmlFiles.map((f) => fs4.readFileSync(f)));
+        const totalContent = Buffer.concat(xmlFiles.map((f) => fs7.readFileSync(f)));
         const totalMetadata = client.crypto.getFileMetadata(new Uint8Array(totalContent));
         const batchFileInfo = {
           fileSize: totalMetadata.fileSize,
@@ -7683,10 +8775,10 @@ var send = defineCommand4({
         if (!ref) {
           throw new Error("No active online session. Run `ksef session open` or provide --session-ref.");
         }
-        if (!args.json) consola6.start("Sending invoice...");
+        if (!args.json) consola7.start("Sending invoice...");
         await client.crypto.init();
         const encryptionData = client.crypto.getEncryptionData();
-        const xmlContent = fs4.readFileSync(filePath);
+        const xmlContent = fs7.readFileSync(filePath);
         const xmlBytes = new Uint8Array(xmlContent);
         const plainMetadata = client.crypto.getFileMetadata(xmlBytes);
         const encrypted = client.crypto.encryptAES256(xmlBytes, encryptionData.cipherKey, encryptionData.cipherIv);
@@ -7707,7 +8799,7 @@ var send = defineCommand4({
     });
   }
 });
-var get = defineCommand4({
+var get = defineCommand5({
   meta: { name: "get", description: "Download invoice by KSeF number" },
   args: {
     ksefNumber: { type: "positional", description: "KSeF invoice number", required: true },
@@ -7719,7 +8811,7 @@ var get = defineCommand4({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts3(args);
+      const globalOpts = getGlobalOpts4(args);
       const { client } = requireSession(globalOpts);
       const xml = await client.invoices.getInvoice(args.ksefNumber);
       if (args.json) {
@@ -7727,7 +8819,7 @@ var get = defineCommand4({
         return;
       }
       if (args.o) {
-        fs4.writeFileSync(args.o, xml, "utf-8");
+        fs7.writeFileSync(args.o, xml, "utf-8");
         outputSuccess(`Invoice saved to ${args.o}`);
       } else {
         console.log(xml);
@@ -7735,7 +8827,7 @@ var get = defineCommand4({
     });
   }
 });
-var query = defineCommand4({
+var query = defineCommand5({
   meta: { name: "query", description: "Query invoice metadata" },
   args: {
     ...QUERY_FILTER_ARGS,
@@ -7749,7 +8841,7 @@ var query = defineCommand4({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts3(args);
+      const globalOpts = getGlobalOpts4(args);
       const { client } = requireSession(globalOpts);
       const filters = buildQueryFilters(args);
       const pageOffset = args.page ? parseInt(args.page, 10) : void 0;
@@ -7764,7 +8856,7 @@ var query = defineCommand4({
         return;
       }
       if (result.invoices.length === 0) {
-        consola6.info("No invoices found matching the criteria.");
+        consola7.info("No invoices found matching the criteria.");
         return;
       }
       outputTable(
@@ -7787,12 +8879,12 @@ var query = defineCommand4({
         { json: false }
       );
       if (result.hasMore) {
-        consola6.info("More results available. Use --page to fetch the next page.");
+        consola7.info("More results available. Use --page to fetch the next page.");
       }
     });
   }
 });
-var exportCmd = defineCommand4({
+var exportCmd = defineCommand5({
   meta: { name: "export", description: "Start invoice export" },
   args: {
     ...QUERY_FILTER_ARGS,
@@ -7804,9 +8896,9 @@ var exportCmd = defineCommand4({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts3(args);
+      const globalOpts = getGlobalOpts4(args);
       const { client } = requireSession(globalOpts);
-      if (!args.json) consola6.start("Starting invoice export...");
+      if (!args.json) consola7.start("Starting invoice export...");
       await client.crypto.init();
       const encryptionData = client.crypto.getEncryptionData();
       const filters = buildQueryFilters(args);
@@ -7817,12 +8909,12 @@ var exportCmd = defineCommand4({
         outputResult(result, { json: true });
       } else {
         outputSuccess(`Export started. Ref: ${result.referenceNumber}`);
-        consola6.info("Check status with: ksef invoice export-status " + result.referenceNumber);
+        consola7.info("Check status with: ksef invoice export-status " + result.referenceNumber);
       }
     });
   }
 });
-var exportStatus = defineCommand4({
+var exportStatus = defineCommand5({
   meta: { name: "export-status", description: "Check invoice export status" },
   args: {
     ref: { type: "positional", description: "Export reference number", required: true },
@@ -7833,22 +8925,22 @@ var exportStatus = defineCommand4({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts3(args);
+      const globalOpts = getGlobalOpts4(args);
       const { client } = requireSession(globalOpts);
       const result = await client.invoices.getInvoiceExportStatus(args.ref);
       if (args.json) {
         outputResult(result, { json: true });
         return;
       }
-      consola6.info(`Status: ${result.status.code} \u2014 ${result.status.description}`);
+      consola7.info(`Status: ${result.status.code} \u2014 ${result.status.description}`);
       if (result.completedDate) {
-        consola6.info(`Completed: ${result.completedDate}`);
+        consola7.info(`Completed: ${result.completedDate}`);
       }
       if (result.packageExpirationDate) {
-        consola6.info(`Package expires: ${result.packageExpirationDate}`);
+        consola7.info(`Package expires: ${result.packageExpirationDate}`);
       }
       if (result.package) {
-        consola6.info(`Invoices: ${result.package.invoiceCount}, Size: ${result.package.size} bytes`);
+        consola7.info(`Invoices: ${result.package.invoiceCount}, Size: ${result.package.size} bytes`);
         if (result.package.parts.length > 0) {
           outputTable(
             result.package.parts.map((p) => ({
@@ -7872,14 +8964,14 @@ var exportStatus = defineCommand4({
     });
   }
 });
-var invoiceCommand = defineCommand4({
+var invoiceCommand = defineCommand5({
   meta: { name: "invoice", description: "Invoice commands" },
-  subCommands: { send, get, query, export: exportCmd, "export-status": exportStatus }
+  subCommands: { send, get, query, export: exportCmd, "export-status": exportStatus, "export-incremental": exportIncremental }
 });
 
 // src/cli/commands/permission.ts
-import { defineCommand as defineCommand5 } from "citty";
-function getGlobalOpts4(args) {
+import { defineCommand as defineCommand6 } from "citty";
+function getGlobalOpts5(args) {
   return {
     env: args.env,
     json: args.json,
@@ -7888,7 +8980,7 @@ function getGlobalOpts4(args) {
     nip: args.nip
   };
 }
-var grant = defineCommand5({
+var grant = defineCommand6({
   meta: { name: "grant", description: "Grant permissions to a subject" },
   args: {
     type: { type: "string", description: "Grant type: person, entity, authorization, indirect, subunit, eu-entity-admin, eu-entity-representative", required: true },
@@ -7913,7 +9005,7 @@ var grant = defineCommand5({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts4(args);
+      const globalOpts = getGlobalOpts5(args);
       const { client } = requireSession(globalOpts);
       let result;
       switch (args.type) {
@@ -8069,7 +9161,7 @@ var grant = defineCommand5({
     });
   }
 });
-var revoke2 = defineCommand5({
+var revoke2 = defineCommand6({
   meta: { name: "revoke", description: "Revoke a permission grant" },
   args: {
     grantId: { type: "positional", description: "Grant ID to revoke", required: true },
@@ -8082,7 +9174,7 @@ var revoke2 = defineCommand5({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts4(args);
+      const globalOpts = getGlobalOpts5(args);
       const { client } = requireSession(globalOpts);
       let result;
       if (args.authorization) {
@@ -8098,7 +9190,7 @@ var revoke2 = defineCommand5({
     });
   }
 });
-var search = defineCommand5({
+var search = defineCommand6({
   meta: { name: "search", description: "Search permissions" },
   args: {
     type: { type: "string", description: "Search type: personal, persons, subunits, entities, entities-grants, subordinate-entities, authorizations, eu-entities", required: true },
@@ -8115,7 +9207,7 @@ var search = defineCommand5({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts4(args);
+      const globalOpts = getGlobalOpts5(args);
       const { client } = requireSession(globalOpts);
       const page = args.page ? parseInt(args.page, 10) : void 0;
       const pageSize = args.pageSize ? parseInt(args.pageSize, 10) : void 0;
@@ -8337,7 +9429,7 @@ var search = defineCommand5({
     });
   }
 });
-var status3 = defineCommand5({
+var status3 = defineCommand6({
   meta: { name: "status", description: "Check permission operation status" },
   args: {
     ref: { type: "positional", description: "Operation reference number", required: true },
@@ -8349,7 +9441,7 @@ var status3 = defineCommand5({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts4(args);
+      const globalOpts = getGlobalOpts5(args);
       const { client } = requireSession(globalOpts);
       const result = await client.permissions.getOperationStatus(args.ref);
       if (args.json) {
@@ -8363,7 +9455,7 @@ var status3 = defineCommand5({
     });
   }
 });
-var attachmentStatus = defineCommand5({
+var attachmentStatus = defineCommand6({
   meta: { name: "attachment-status", description: "Check if attachment permissions are allowed" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -8374,7 +9466,7 @@ var attachmentStatus = defineCommand5({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts4(args);
+      const globalOpts = getGlobalOpts5(args);
       const { client } = requireSession(globalOpts);
       const result = await client.permissions.getAttachmentStatus();
       if (args.json) {
@@ -8387,15 +9479,15 @@ var attachmentStatus = defineCommand5({
     });
   }
 });
-var permissionCommand = defineCommand5({
+var permissionCommand = defineCommand6({
   meta: { name: "permission", description: "Permission management commands" },
   subCommands: { grant, revoke: revoke2, search, status: status3, "attachment-status": attachmentStatus }
 });
 
 // src/cli/commands/token.ts
-import { defineCommand as defineCommand6 } from "citty";
-import { consola as consola7 } from "consola";
-function getGlobalOpts5(args) {
+import { defineCommand as defineCommand7 } from "citty";
+import { consola as consola8 } from "consola";
+function getGlobalOpts6(args) {
   return {
     env: args.env,
     json: args.json,
@@ -8404,7 +9496,7 @@ function getGlobalOpts5(args) {
     nip: args.nip
   };
 }
-var generate = defineCommand6({
+var generate = defineCommand7({
   meta: { name: "generate", description: "Generate a new KSeF token" },
   args: {
     permissions: { type: "string", description: "Comma-separated permissions (e.g. InvoiceRead,InvoiceWrite)", required: true },
@@ -8417,7 +9509,7 @@ var generate = defineCommand6({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts5(args);
+      const globalOpts = getGlobalOpts6(args);
       const { client } = requireSession(globalOpts);
       if (!args.permissions) {
         throw new Error("--permissions is required. Provide comma-separated values (e.g. InvoiceRead,InvoiceWrite).");
@@ -8440,7 +9532,7 @@ var generate = defineCommand6({
     });
   }
 });
-var list2 = defineCommand6({
+var list2 = defineCommand7({
   meta: { name: "list", description: "List KSeF tokens" },
   args: {
     status: { type: "string", description: "Comma-separated statuses (e.g. Active,Pending)" },
@@ -8457,7 +9549,7 @@ var list2 = defineCommand6({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts5(args);
+      const globalOpts = getGlobalOpts6(args);
       const { client } = requireSession(globalOpts);
       const options = {
         continuationToken: args.continue,
@@ -8494,12 +9586,12 @@ var list2 = defineCommand6({
         { json: false }
       );
       if (result.continuationToken) {
-        consola7.info(`More results available. Continuation token: ${result.continuationToken}`);
+        consola8.info(`More results available. Continuation token: ${result.continuationToken}`);
       }
     });
   }
 });
-var get2 = defineCommand6({
+var get2 = defineCommand7({
   meta: { name: "get", description: "Get token details" },
   args: {
     ref: { type: "positional", description: "Token reference number", required: true },
@@ -8511,7 +9603,7 @@ var get2 = defineCommand6({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts5(args);
+      const globalOpts = getGlobalOpts6(args);
       const { client } = requireSession(globalOpts);
       const ref = args.ref;
       const result = await client.tokens.getToken(ref);
@@ -8532,7 +9624,7 @@ var get2 = defineCommand6({
     });
   }
 });
-var revoke3 = defineCommand6({
+var revoke3 = defineCommand7({
   meta: { name: "revoke", description: "Revoke a KSeF token" },
   args: {
     ref: { type: "positional", description: "Token reference number", required: true },
@@ -8544,7 +9636,7 @@ var revoke3 = defineCommand6({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts5(args);
+      const globalOpts = getGlobalOpts6(args);
       const { client } = requireSession(globalOpts);
       const ref = args.ref;
       await client.tokens.revokeToken(ref);
@@ -8556,24 +9648,24 @@ var revoke3 = defineCommand6({
     });
   }
 });
-var tokenCommand = defineCommand6({
+var tokenCommand = defineCommand7({
   meta: { name: "token", description: "Token management commands" },
   subCommands: { generate, list: list2, get: get2, revoke: revoke3 }
 });
 
 // src/cli/commands/cert.ts
-import { defineCommand as defineCommand7 } from "citty";
-import { consola as consola8 } from "consola";
-import fs5 from "fs";
-import path4 from "path";
+import { defineCommand as defineCommand8 } from "citty";
+import { consola as consola9 } from "consola";
+import fs8 from "fs";
+import path6 from "path";
 
 // src/crypto/certificate-service.ts
-import * as crypto4 from "crypto";
+import * as crypto5 from "crypto";
 import * as x5092 from "@peculiar/x509";
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
     const der = extractDerFromPem2(certPem);
-    return crypto4.createHash("sha256").update(der).digest("hex").toUpperCase();
+    return crypto5.createHash("sha256").update(der).digest("hex").toUpperCase();
   }
   static async generatePersonalCertificate(givenName, surname, serialNumber, commonName, method = "RSA") {
     const nameParts = [];
@@ -8596,7 +9688,7 @@ var CertificateService = class {
   }
 };
 async function generateSelfSigned(subject2, method) {
-  x5092.cryptoProvider.set(crypto4.webcrypto);
+  x5092.cryptoProvider.set(crypto5.webcrypto);
   let algorithm;
   let signingAlgorithm;
   if (method === "ECDSA") {
@@ -8611,7 +9703,7 @@ async function generateSelfSigned(subject2, method) {
     };
     signingAlgorithm = algorithm;
   }
-  const keys = await crypto4.webcrypto.subtle.generateKey(
+  const keys = await crypto5.webcrypto.subtle.generateKey(
     algorithm,
     true,
     ["sign", "verify"]
@@ -8628,9 +9720,9 @@ async function generateSelfSigned(subject2, method) {
     serialNumber: Date.now().toString(16)
   });
   const certPem = cert.toString("pem");
-  const pkcs8 = await crypto4.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+  const pkcs8 = await crypto5.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
   const privateKeyPem = pemEncode2(new Uint8Array(pkcs8), "PRIVATE KEY");
-  const fingerprint = crypto4.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
+  const fingerprint = crypto5.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
   return { certificatePem: certPem, privateKeyPem, fingerprint };
 }
 function extractDerFromPem2(pem) {
@@ -8649,7 +9741,7 @@ ${lines.join("\n")}
 }
 
 // src/cli/commands/cert.ts
-function getGlobalOpts6(args) {
+function getGlobalOpts7(args) {
   return {
     env: args.env,
     json: args.json,
@@ -8658,7 +9750,7 @@ function getGlobalOpts6(args) {
     nip: args.nip
   };
 }
-var generate2 = defineCommand7({
+var generate2 = defineCommand8({
   meta: { name: "generate", description: "Generate a self-signed certificate locally" },
   args: {
     type: { type: "string", description: "Certificate type: personal or company-seal", required: true },
@@ -8683,21 +9775,21 @@ var generate2 = defineCommand7({
       const certType = args.type;
       const cn = args.cn;
       const method = args.method || "RSA";
-      const outDir = path4.resolve(args.out || ".");
+      const outDir = path6.resolve(args.out || ".");
       if (certType !== "personal" && certType !== "company-seal") {
         throw new Error('--type must be "personal" or "company-seal".');
       }
       if (method !== "RSA" && method !== "ECDSA") {
         throw new Error('--method must be "RSA" or "ECDSA".');
       }
-      fs5.mkdirSync(outDir, { recursive: true });
-      const certPath = path4.join(outDir, "cert.pem");
-      const keyPath = path4.join(outDir, "key.pem");
+      fs8.mkdirSync(outDir, { recursive: true });
+      const certPath = path6.join(outDir, "cert.pem");
+      const keyPath = path6.join(outDir, "key.pem");
       if (!args.force) {
-        if (fs5.existsSync(certPath)) {
+        if (fs8.existsSync(certPath)) {
           throw new Error(`File already exists: ${certPath}. Use --force to overwrite.`);
         }
-        if (fs5.existsSync(keyPath)) {
+        if (fs8.existsSync(keyPath)) {
           throw new Error(`File already exists: ${keyPath}. Use --force to overwrite.`);
         }
       }
@@ -8724,8 +9816,8 @@ var generate2 = defineCommand7({
           method
         );
       }
-      fs5.writeFileSync(certPath, result.certificatePem, "utf-8");
-      fs5.writeFileSync(keyPath, result.privateKeyPem, "utf-8");
+      fs8.writeFileSync(certPath, result.certificatePem, "utf-8");
+      fs8.writeFileSync(keyPath, result.privateKeyPem, "utf-8");
       if (args.json) {
         outputResult({ certPath, keyPath, fingerprint: result.fingerprint }, { json: true });
       } else {
@@ -8739,7 +9831,7 @@ var generate2 = defineCommand7({
     });
   }
 });
-var enroll = defineCommand7({
+var enroll = defineCommand8({
   meta: { name: "enroll", description: "Submit certificate enrollment" },
   args: {
     cert: { type: "string", description: "Path to certificate PEM file", required: true },
@@ -8754,9 +9846,9 @@ var enroll = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
-      const certPem = fs5.readFileSync(args.cert, "utf-8");
+      const certPem = fs8.readFileSync(args.cert, "utf-8");
       await client.crypto.init();
       const request = {
         certificateName: args.name,
@@ -8777,7 +9869,7 @@ var enroll = defineCommand7({
     });
   }
 });
-var status4 = defineCommand7({
+var status4 = defineCommand8({
   meta: { name: "status", description: "Check certificate enrollment status" },
   args: {
     ref: { type: "positional", description: "Enrollment reference number", required: true },
@@ -8789,7 +9881,7 @@ var status4 = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const ref = args.ref;
       const result = await client.certificates.getEnrollmentStatus(ref);
@@ -8809,7 +9901,7 @@ var status4 = defineCommand7({
     });
   }
 });
-var list3 = defineCommand7({
+var list3 = defineCommand8({
   meta: { name: "list", description: "Query certificates" },
   args: {
     serial: { type: "string", description: "Filter by serial number" },
@@ -8827,7 +9919,7 @@ var list3 = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const request = {
         certificateSerialNumber: args.serial,
@@ -8867,12 +9959,12 @@ var list3 = defineCommand7({
         { json: false }
       );
       if (result.hasMore) {
-        consola8.info("More results available. Use --page to paginate.");
+        consola9.info("More results available. Use --page to paginate.");
       }
     });
   }
 });
-var revoke4 = defineCommand7({
+var revoke4 = defineCommand8({
   meta: { name: "revoke", description: "Revoke a certificate" },
   args: {
     serial: { type: "positional", description: "Certificate serial number", required: true },
@@ -8885,7 +9977,7 @@ var revoke4 = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const serial = args.serial;
       await client.certificates.revoke(serial, {
@@ -8899,7 +9991,7 @@ var revoke4 = defineCommand7({
     });
   }
 });
-var limits = defineCommand7({
+var limits = defineCommand8({
   meta: { name: "limits", description: "View certificate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -8910,7 +10002,7 @@ var limits = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const result = await client.certificates.getLimits();
       if (args.json) {
@@ -8927,7 +10019,7 @@ var limits = defineCommand7({
     });
   }
 });
-var enrollmentData = defineCommand7({
+var enrollmentData = defineCommand8({
   meta: { name: "enrollment-data", description: "Get enrollment data template from KSeF" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -8938,7 +10030,7 @@ var enrollmentData = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const result = await client.certificates.getEnrollmentData();
       if (args.json) {
@@ -8958,7 +10050,7 @@ var enrollmentData = defineCommand7({
     });
   }
 });
-var retrieve = defineCommand7({
+var retrieve = defineCommand8({
   meta: { name: "retrieve", description: "Retrieve certificates by serial numbers" },
   args: {
     serial: { type: "string", description: "Comma-separated certificate serial numbers", required: true },
@@ -8970,7 +10062,7 @@ var retrieve = defineCommand7({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts6(args);
+      const globalOpts = getGlobalOpts7(args);
       const { client } = requireSession(globalOpts);
       const serials = args.serial.split(",").map((s) => s.trim()).filter(Boolean);
       if (serials.length === 0) {
@@ -9001,14 +10093,14 @@ var retrieve = defineCommand7({
     });
   }
 });
-var certCommand = defineCommand7({
+var certCommand = defineCommand8({
   meta: { name: "cert", description: "Certificate management commands" },
   subCommands: { generate: generate2, enroll, status: status4, list: list3, revoke: revoke4, limits, "enrollment-data": enrollmentData, retrieve }
 });
 
 // src/cli/commands/qr.ts
-import * as fs6 from "fs";
-import { defineCommand as defineCommand8 } from "citty";
+import * as fs9 from "fs";
+import { defineCommand as defineCommand9 } from "citty";
 
 // src/qr/qrcode-service.ts
 import * as QRCode from "qrcode";
@@ -9070,7 +10162,7 @@ function escapeXml2(str) {
 }
 
 // src/cli/commands/qr.ts
-function getGlobalOpts7(args) {
+function getGlobalOpts8(args) {
   return {
     env: args.env,
     json: args.json,
@@ -9079,7 +10171,7 @@ function getGlobalOpts7(args) {
     nip: args.nip
   };
 }
-var invoice2 = defineCommand8({
+var invoice2 = defineCommand9({
   meta: { name: "invoice", description: "Generate invoice QR code" },
   args: {
     nip: { type: "string", description: "NIP number", required: true },
@@ -9096,7 +10188,7 @@ var invoice2 = defineCommand8({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts7(args);
+      const globalOpts = getGlobalOpts8(args);
       const client = createClient(globalOpts);
       const size = args.size ? parseInt(args.size, 10) : 300;
       const format = args.format ?? "png";
@@ -9109,7 +10201,7 @@ var invoice2 = defineCommand8({
       if (format === "svg") {
         const svg = args.label ? await QrCodeService.generateQrCodeSvgWithLabel(url2, args.label, { width: size }) : await QrCodeService.generateQrCodeSvg(url2, { width: size });
         if (args.o) {
-          fs6.writeFileSync(args.o, svg);
+          fs9.writeFileSync(args.o, svg);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9118,7 +10210,7 @@ URL: ${url2}`);
       } else {
         const buffer = await QrCodeService.generateQrCode(url2, { width: size });
         if (args.o) {
-          fs6.writeFileSync(args.o, buffer);
+          fs9.writeFileSync(args.o, buffer);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9128,7 +10220,7 @@ URL: ${url2}`);
     });
   }
 });
-var certificate = defineCommand8({
+var certificate = defineCommand9({
   meta: { name: "certificate", description: "Generate certificate QR code" },
   args: {
     "context-type": { type: "string", description: "Context identifier type", required: true },
@@ -9149,11 +10241,11 @@ var certificate = defineCommand8({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts7(args);
+      const globalOpts = getGlobalOpts8(args);
       const client = createClient(globalOpts);
       const size = args.size ? parseInt(args.size, 10) : 300;
       const format = args.format ?? "png";
-      const privateKeyPem = fs6.readFileSync(args.key, "utf-8");
+      const privateKeyPem = fs9.readFileSync(args.key, "utf-8");
       const url2 = client.qr.buildCertificateVerificationUrl(
         args["context-type"],
         args["context-id"],
@@ -9170,7 +10262,7 @@ var certificate = defineCommand8({
       if (format === "svg") {
         const svg = args.label ? await QrCodeService.generateQrCodeSvgWithLabel(url2, args.label, { width: size }) : await QrCodeService.generateQrCodeSvg(url2, { width: size });
         if (args.o) {
-          fs6.writeFileSync(args.o, svg);
+          fs9.writeFileSync(args.o, svg);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9179,7 +10271,7 @@ URL: ${url2}`);
       } else {
         const buffer = await QrCodeService.generateQrCode(url2, { width: size });
         if (args.o) {
-          fs6.writeFileSync(args.o, buffer);
+          fs9.writeFileSync(args.o, buffer);
           outputSuccess(`QR code saved to ${args.o}
 URL: ${url2}`);
         } else {
@@ -9189,7 +10281,7 @@ URL: ${url2}`);
     });
   }
 });
-var url = defineCommand8({
+var url = defineCommand9({
   meta: { name: "url", description: "Print invoice verification URL (no QR image)" },
   args: {
     nip: { type: "string", description: "NIP number", required: true },
@@ -9202,7 +10294,7 @@ var url = defineCommand8({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts7(args);
+      const globalOpts = getGlobalOpts8(args);
       const client = createClient(globalOpts);
       const verificationUrl = client.qr.buildInvoiceVerificationUrl(args.nip, args.date, args.hash);
       if (args.json) {
@@ -9213,14 +10305,14 @@ var url = defineCommand8({
     });
   }
 });
-var qrCommand = defineCommand8({
+var qrCommand = defineCommand9({
   meta: { name: "qr", description: "QR code generation commands" },
   subCommands: { invoice: invoice2, certificate, url }
 });
 
 // src/cli/commands/lighthouse.ts
-import { defineCommand as defineCommand9 } from "citty";
-function getGlobalOpts8(args) {
+import { defineCommand as defineCommand10 } from "citty";
+function getGlobalOpts9(args) {
   return {
     env: args.env ?? "prod",
     json: args.json,
@@ -9229,7 +10321,7 @@ function getGlobalOpts8(args) {
     nip: args.nip
   };
 }
-var status5 = defineCommand9({
+var status5 = defineCommand10({
   meta: { name: "status", description: "Check KSeF system status" },
   args: {
     env: { type: "string", description: "Environment (test/prod, default: prod)" },
@@ -9240,7 +10332,7 @@ var status5 = defineCommand9({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts8(args);
+      const globalOpts = getGlobalOpts9(args);
       const client = createClient(globalOpts);
       const result = await client.lighthouse.getStatus();
       if (args.json) {
@@ -9257,7 +10349,7 @@ var status5 = defineCommand9({
     });
   }
 });
-var messages = defineCommand9({
+var messages = defineCommand10({
   meta: { name: "messages", description: "View KSeF system messages" },
   args: {
     env: { type: "string", description: "Environment (test/prod, default: prod)" },
@@ -9268,7 +10360,7 @@ var messages = defineCommand9({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts8(args);
+      const globalOpts = getGlobalOpts9(args);
       const client = createClient(globalOpts);
       const msgs = await client.lighthouse.getMessages();
       if (args.json) {
@@ -9299,14 +10391,14 @@ var messages = defineCommand9({
     });
   }
 });
-var lighthouseCommand = defineCommand9({
+var lighthouseCommand = defineCommand10({
   meta: { name: "lighthouse", description: "KSeF system status commands" },
   subCommands: { status: status5, messages }
 });
 
 // src/cli/commands/test-data.ts
-import { defineCommand as defineCommand10 } from "citty";
-function getGlobalOpts9(args) {
+import { defineCommand as defineCommand11 } from "citty";
+function getGlobalOpts10(args) {
   return {
     env: args.env,
     json: args.json,
@@ -9328,7 +10420,7 @@ function outputDone(json) {
     outputSuccess("Done.");
   }
 }
-var createSubject = defineCommand10({
+var createSubject = defineCommand11({
   meta: { name: "create-subject", description: "Create a test subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9342,7 +10434,7 @@ var createSubject = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = {
         subjectNip: args.nip,
@@ -9355,7 +10447,7 @@ var createSubject = defineCommand10({
     });
   }
 });
-var removeSubject = defineCommand10({
+var removeSubject = defineCommand11({
   meta: { name: "remove-subject", description: "Remove a test subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9366,7 +10458,7 @@ var removeSubject = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = { subjectNip: args.nip };
       await createClient(globalOpts).testData.removeSubject(request);
@@ -9374,7 +10466,7 @@ var removeSubject = defineCommand10({
     });
   }
 });
-var createPerson = defineCommand10({
+var createPerson = defineCommand11({
   meta: { name: "create-person", description: "Create a test person" },
   args: {
     nip: { type: "string", description: "Person NIP", required: true },
@@ -9390,7 +10482,7 @@ var createPerson = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = {
         nip: args.nip,
@@ -9405,7 +10497,7 @@ var createPerson = defineCommand10({
     });
   }
 });
-var removePerson = defineCommand10({
+var removePerson = defineCommand11({
   meta: { name: "remove-person", description: "Remove a test person" },
   args: {
     nip: { type: "string", description: "Person NIP", required: true },
@@ -9416,7 +10508,7 @@ var removePerson = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = { nip: args.nip };
       await createClient(globalOpts).testData.removePerson(request);
@@ -9424,7 +10516,7 @@ var removePerson = defineCommand10({
     });
   }
 });
-var grantPermissions = defineCommand10({
+var grantPermissions = defineCommand11({
   meta: { name: "grant-permissions", description: "Grant test data permissions" },
   args: {
     "context-nip": { type: "string", description: "Context NIP", required: true },
@@ -9439,7 +10531,7 @@ var grantPermissions = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const permissions = args.permissions.split(",").map((p) => ({ permissionType: p.trim(), description: "" }));
       const request = {
@@ -9455,7 +10547,7 @@ var grantPermissions = defineCommand10({
     });
   }
 });
-var revokePermissions = defineCommand10({
+var revokePermissions = defineCommand11({
   meta: { name: "revoke-permissions", description: "Revoke test data permissions" },
   args: {
     "context-nip": { type: "string", description: "Context NIP", required: true },
@@ -9469,7 +10561,7 @@ var revokePermissions = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = {
         contextIdentifier: { type: "Nip", value: args["context-nip"] },
@@ -9483,7 +10575,7 @@ var revokePermissions = defineCommand10({
     });
   }
 });
-var enableAttachment = defineCommand10({
+var enableAttachment = defineCommand11({
   meta: { name: "enable-attachment", description: "Enable attachment permission for a subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9494,7 +10586,7 @@ var enableAttachment = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = { nip: args.nip };
       await createClient(globalOpts).testData.enableAttachment(request);
@@ -9502,7 +10594,7 @@ var enableAttachment = defineCommand10({
     });
   }
 });
-var disableAttachment = defineCommand10({
+var disableAttachment = defineCommand11({
   meta: { name: "disable-attachment", description: "Disable attachment permission for a subject" },
   args: {
     nip: { type: "string", description: "Subject NIP", required: true },
@@ -9514,7 +10606,7 @@ var disableAttachment = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const request = {
         nip: args.nip,
@@ -9525,7 +10617,7 @@ var disableAttachment = defineCommand10({
     });
   }
 });
-var changeSessionLimits = defineCommand10({
+var changeSessionLimits = defineCommand11({
   meta: { name: "change-session-limits", description: "Change session limits in current context" },
   args: {
     "online-max-size": { type: "string", description: "Online session: max invoice size in MB (0-5)", required: true },
@@ -9542,7 +10634,7 @@ var changeSessionLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       const request = {
@@ -9562,7 +10654,7 @@ var changeSessionLimits = defineCommand10({
     });
   }
 });
-var restoreSessionLimits = defineCommand10({
+var restoreSessionLimits = defineCommand11({
   meta: { name: "restore-session-limits", description: "Restore default session limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9573,7 +10665,7 @@ var restoreSessionLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       await client.testData.restoreDefaultSessionLimits();
@@ -9581,7 +10673,7 @@ var restoreSessionLimits = defineCommand10({
     });
   }
 });
-var changeCertLimits = defineCommand10({
+var changeCertLimits = defineCommand11({
   meta: { name: "change-cert-limits", description: "Change subject limits (enrollment/certificate) in current subject" },
   args: {
     "identifier-type": { type: "string", description: "Subject identifier type (Nip/Pesel/Fingerprint)" },
@@ -9595,7 +10687,7 @@ var changeCertLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       const request = {
@@ -9608,7 +10700,7 @@ var changeCertLimits = defineCommand10({
     });
   }
 });
-var restoreCertLimits = defineCommand10({
+var restoreCertLimits = defineCommand11({
   meta: { name: "restore-cert-limits", description: "Restore default certificates limit" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9619,7 +10711,7 @@ var restoreCertLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       await client.testData.restoreDefaultCertificatesLimit();
@@ -9627,7 +10719,7 @@ var restoreCertLimits = defineCommand10({
     });
   }
 });
-var setRateLimits = defineCommand10({
+var setRateLimits = defineCommand11({
   meta: { name: "set-rate-limits", description: "Set effective API rate limits" },
   args: {
     limits: { type: "string", description: "Rate limits as JSON string (ApiRateLimitsOverride)", required: true },
@@ -9639,7 +10731,7 @@ var setRateLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       const request = {
@@ -9650,7 +10742,7 @@ var setRateLimits = defineCommand10({
     });
   }
 });
-var restoreRateLimits = defineCommand10({
+var restoreRateLimits = defineCommand11({
   meta: { name: "restore-rate-limits", description: "Restore default API rate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9661,7 +10753,7 @@ var restoreRateLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       await client.testData.restoreDefaultRateLimits();
@@ -9669,7 +10761,7 @@ var restoreRateLimits = defineCommand10({
     });
   }
 });
-var setProductionRateLimits = defineCommand10({
+var setProductionRateLimits = defineCommand11({
   meta: { name: "set-production-rate-limits", description: "Set production API rate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9680,7 +10772,7 @@ var setProductionRateLimits = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       await client.testData.setProductionRateLimits();
@@ -9688,7 +10780,7 @@ var setProductionRateLimits = defineCommand10({
     });
   }
 });
-var blockContext = defineCommand10({
+var blockContext = defineCommand11({
   meta: { name: "block-context", description: "Block a context" },
   args: {
     "context-value": { type: "string", description: "Context identifier value", required: true },
@@ -9701,7 +10793,7 @@ var blockContext = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       const request = {
@@ -9715,7 +10807,7 @@ var blockContext = defineCommand10({
     });
   }
 });
-var unblockContext = defineCommand10({
+var unblockContext = defineCommand11({
   meta: { name: "unblock-context", description: "Unblock a context" },
   args: {
     "context-value": { type: "string", description: "Context identifier value", required: true },
@@ -9728,7 +10820,7 @@ var unblockContext = defineCommand10({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts9(args);
+      const globalOpts = getGlobalOpts10(args);
       requireNonProd(globalOpts);
       const { client } = requireSession(globalOpts);
       const request = {
@@ -9742,7 +10834,7 @@ var unblockContext = defineCommand10({
     });
   }
 });
-var testDataCommand = defineCommand10({
+var testDataCommand = defineCommand11({
   meta: { name: "test-data", description: "Test environment data management (test/demo only)" },
   subCommands: {
     "create-subject": createSubject,
@@ -9766,8 +10858,8 @@ var testDataCommand = defineCommand10({
 });
 
 // src/cli/commands/limits.ts
-import { defineCommand as defineCommand11 } from "citty";
-function getGlobalOpts10(args) {
+import { defineCommand as defineCommand12 } from "citty";
+function getGlobalOpts11(args) {
   return {
     env: args.env,
     json: args.json,
@@ -9776,7 +10868,7 @@ function getGlobalOpts10(args) {
     nip: args.nip
   };
 }
-var context = defineCommand11({
+var context = defineCommand12({
   meta: { name: "context", description: "View effective context limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9786,7 +10878,7 @@ var context = defineCommand11({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts10(args);
+      const globalOpts = getGlobalOpts11(args);
       const { client } = requireSession(globalOpts);
       const result = await client.limits.getContextLimits();
       if (args.json) {
@@ -9804,7 +10896,7 @@ var context = defineCommand11({
     });
   }
 });
-var subject = defineCommand11({
+var subject = defineCommand12({
   meta: { name: "subject", description: "View effective subject limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9814,7 +10906,7 @@ var subject = defineCommand11({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts10(args);
+      const globalOpts = getGlobalOpts11(args);
       const { client } = requireSession(globalOpts);
       const result = await client.limits.getSubjectLimits();
       if (args.json) {
@@ -9828,7 +10920,7 @@ var subject = defineCommand11({
     });
   }
 });
-var rate = defineCommand11({
+var rate = defineCommand12({
   meta: { name: "rate", description: "View effective API rate limits" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9838,7 +10930,7 @@ var rate = defineCommand11({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts10(args);
+      const globalOpts = getGlobalOpts11(args);
       const { client } = requireSession(globalOpts);
       const result = await client.limits.getRateLimits();
       if (args.json) {
@@ -9864,15 +10956,15 @@ var rate = defineCommand11({
     });
   }
 });
-var limitsCommand = defineCommand11({
+var limitsCommand = defineCommand12({
   meta: { name: "limits", description: "View KSeF API limits" },
   subCommands: { context, subject, rate }
 });
 
 // src/cli/commands/peppol.ts
-import { defineCommand as defineCommand12 } from "citty";
-import { consola as consola9 } from "consola";
-function getGlobalOpts11(args) {
+import { defineCommand as defineCommand13 } from "citty";
+import { consola as consola10 } from "consola";
+function getGlobalOpts12(args) {
   return {
     env: args.env,
     json: args.json,
@@ -9881,7 +10973,7 @@ function getGlobalOpts11(args) {
     nip: args.nip
   };
 }
-var providers = defineCommand12({
+var providers = defineCommand13({
   meta: { name: "providers", description: "Query Peppol providers" },
   args: {
     page: { type: "string", description: "Page offset" },
@@ -9893,7 +10985,7 @@ var providers = defineCommand12({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts11(args);
+      const globalOpts = getGlobalOpts12(args);
       const { client } = requireSession(globalOpts);
       const pageOffset = args.page ? parseInt(args.page, 10) : void 0;
       const pageSize = args.pageSize ? parseInt(args.pageSize, 10) : void 0;
@@ -9920,20 +11012,20 @@ var providers = defineCommand12({
         { json: false }
       );
       if (result.hasMore) {
-        consola9.info("More results available. Use --page to paginate.");
+        consola10.info("More results available. Use --page to paginate.");
       }
     });
   }
 });
-var peppolCommand = defineCommand12({
+var peppolCommand = defineCommand13({
   meta: { name: "peppol", description: "Peppol integration commands" },
   subCommands: { providers }
 });
 
 // src/cli/commands/doctor.ts
-import { defineCommand as defineCommand13 } from "citty";
-import { consola as consola10 } from "consola";
-function getGlobalOpts12(args) {
+import { defineCommand as defineCommand14 } from "citty";
+import { consola as consola11 } from "consola";
+function getGlobalOpts13(args) {
   return {
     env: args.env,
     json: args.json,
@@ -9942,7 +11034,7 @@ function getGlobalOpts12(args) {
     verbose: args.verbose
   };
 }
-var doctorCommand = defineCommand13({
+var doctorCommand = defineCommand14({
   meta: { name: "doctor", description: "Check CLI configuration and connectivity" },
   args: {
     env: { type: "string", description: "Environment (test/demo/prod)" },
@@ -9953,7 +11045,7 @@ var doctorCommand = defineCommand13({
   },
   run({ args }) {
     return withErrorHandler(async () => {
-      const globalOpts = getGlobalOpts12(args);
+      const globalOpts = getGlobalOpts13(args);
       const checks = [];
       try {
         const config = loadConfig();
@@ -10023,14 +11115,14 @@ var doctorCommand = defineCommand13({
       }
       for (const check of checks) {
         const icon = check.status === "pass" ? "\u2713" : check.status === "warn" ? "\u26A0" : "\u2717";
-        const log = check.status === "pass" ? consola10.success : check.status === "warn" ? consola10.warn : consola10.error;
+        const log = check.status === "pass" ? consola11.success : check.status === "warn" ? consola11.warn : consola11.error;
         log(`${icon} ${check.message}`);
       }
       if (passed === total) {
-        consola10.success(`
+        consola11.success(`
 ${passed}/${total} checks passed.`);
       } else {
-        consola10.warn(`
+        consola11.warn(`
 ${passed}/${total} checks passed.`);
       }
     });
@@ -10038,7 +11130,7 @@ ${passed}/${total} checks passed.`);
 });
 
 // src/cli/commands/completion.ts
-import { defineCommand as defineCommand14 } from "citty";
+import { defineCommand as defineCommand15 } from "citty";
 var COMMAND_TREE = {
   config: ["set", "show", "reset"],
   auth: ["challenge", "login", "status", "logout", "refresh", "whoami"],
@@ -10130,34 +11222,37 @@ function generateFish() {
   }
   return lines.join("\n") + "\n";
 }
-var bash = defineCommand14({
+var bash = defineCommand15({
   meta: { name: "bash", description: "Generate bash completion script" },
   run() {
     console.log(generateBash());
   }
 });
-var zsh = defineCommand14({
+var zsh = defineCommand15({
   meta: { name: "zsh", description: "Generate zsh completion script" },
   run() {
     console.log(generateZsh());
   }
 });
-var fish = defineCommand14({
+var fish = defineCommand15({
   meta: { name: "fish", description: "Generate fish completion script" },
   run() {
     console.log(generateFish());
   }
 });
-var completionCommand = defineCommand14({
+var completionCommand = defineCommand15({
   meta: { name: "completion", description: "Generate shell completion scripts" },
   subCommands: { bash, zsh, fish }
 });
 
 // src/cli/index.ts
-var main = defineCommand15({
+var __dirname = dirname2(fileURLToPath(import.meta.url));
+var pkg = JSON.parse(readFileSync6(resolve(__dirname, "..", "package.json"), "utf-8"));
+var version = pkg.version;
+var main = defineCommand16({
   meta: {
     name: "ksef",
-    version: "0.1.0",
+    version,
     description: "CLI for the Polish National e-Invoice System (KSeF)"
   },
   subCommands: {