ksef-client-ts 0.5.2 → 0.6.1

package/dist/cli.js

@@ -281,8 +281,8 @@ function isRetryableError(error, policy) {
   if (code && RETRYABLE_ERROR_CODES.has(code)) return true;
   return false;
 }
-function isRetryableStatus(status6, policy) {
-  return policy.retryableStatusCodes.includes(status6);
+function isRetryableStatus(status7, policy) {
+  return policy.retryableStatusCodes.includes(status7);
 }
 function sleep(ms) {
   return new Promise((resolve2) => setTimeout(resolve2, ms));
@@ -508,9 +508,9 @@ var init_rest_client = __esm({
         return response;
       }
       buildUrl(request) {
-        const path9 = this.routeBuilder.build(request.path);
+        const path10 = this.routeBuilder.build(request.path);
         const base = this.options.baseUrl;
-        const url2 = new URL(`${base}${path9}`);
+        const url2 = new URL(`${base}${path10}`);
         const query2 = request.getQuery();
         for (const [key, value] of query2) {
           url2.searchParams.append(key, value);
@@ -681,21 +681,21 @@ var init_rest_request = __esm({
       _query = [];
       _presigned = false;
       _skipAuthRetry = false;
-      constructor(method, path9) {
+      constructor(method, path10) {
         this.method = method;
-        this.path = path9;
+        this.path = path10;
       }
-      static get(path9) {
-        return new _RestRequest("GET", path9);
+      static get(path10) {
+        return new _RestRequest("GET", path10);
       }
-      static post(path9) {
-        return new _RestRequest("POST", path9);
+      static post(path10) {
+        return new _RestRequest("POST", path10);
       }
-      static put(path9) {
-        return new _RestRequest("PUT", path9);
+      static put(path10) {
+        return new _RestRequest("PUT", path10);
       }
-      static delete(path9) {
-        return new _RestRequest("DELETE", path9);
+      static delete(path10) {
+        return new _RestRequest("DELETE", path10);
       }
       body(data) {
         this._body = data;
@@ -988,6 +988,32 @@ var init_online_session = __esm({
   }
 });
 
+// src/utils/concurrency.ts
+async function runWithConcurrency(tasks, parallelism) {
+  if (tasks.length === 0) return;
+  const limit = Math.max(1, Math.min(parallelism, tasks.length));
+  const controller = new AbortController();
+  let index = 0;
+  const workers = Array.from({ length: limit }, async () => {
+    while (index < tasks.length && !controller.signal.aborted) {
+      const current = index;
+      index += 1;
+      try {
+        await tasks[current](controller.signal);
+      } catch (err) {
+        controller.abort();
+        throw err;
+      }
+    }
+  });
+  await Promise.all(workers);
+}
+var init_concurrency = __esm({
+  "src/utils/concurrency.ts"() {
+    "use strict";
+  }
+});
+
 // src/services/batch-session.ts
 var BatchSessionService;
 var init_batch_session = __esm({
@@ -996,6 +1022,7 @@ var init_batch_session = __esm({
     init_ksef_feature();
     init_rest_request();
     init_routes();
+    init_concurrency();
     BatchSessionService = class {
       restClient;
       constructor(restClient) {
@@ -1009,12 +1036,10 @@ var init_batch_session = __esm({
         const response = await this.restClient.execute(req);
         return response.body;
       }
-      async sendParts(openResponse, parts) {
-        const uploadRequests = openResponse.partUploadRequests;
-        const tasks = parts.map(async (part) => {
-          const uploadReq = uploadRequests.find(
-            (r) => r.ordinalNumber === part.ordinalNumber
-          );
+      async sendParts(openResponse, parts, parallelism) {
+        const uploadMap = new Map(openResponse.partUploadRequests.map((r) => [r.ordinalNumber, r]));
+        const tasks = parts.map((part) => async (signal) => {
+          const uploadReq = uploadMap.get(part.ordinalNumber);
           if (!uploadReq) {
             throw new Error(`No upload request found for part ${part.ordinalNumber}`);
           }
@@ -1022,25 +1047,38 @@ var init_batch_session = __esm({
           for (const [k, v] of Object.entries(uploadReq.headers)) {
             if (v != null) headers[k] = v;
           }
-          await fetch(uploadReq.url, {
+          const resp = await fetch(uploadReq.url, {
             method: uploadReq.method,
             headers,
-            body: part.data
+            body: part.data,
+            signal
           });
+          if (!resp.ok) {
+            const body = await resp.text().catch(() => "");
+            throw new Error(
+              `Upload failed for part ${part.ordinalNumber}: HTTP ${resp.status}${body ? ` \u2014 ${body}` : ""}`
+            );
+          }
         });
-        await Promise.all(tasks);
+        if (parallelism !== void 0) {
+          await runWithConcurrency(tasks, parallelism);
+        } else {
+          const ac = new AbortController();
+          await Promise.all(tasks.map((t) => t(ac.signal).catch((err) => {
+            ac.abort();
+            throw err;
+          })));
+        }
       }
       /**
-       * Upload parts sequentially (not in parallel) because each part uses a
-       * streaming body (`duplex: 'half'`). Parallel streaming uploads can cause
-       * backpressure issues and exceed memory limits for large payloads.
+       * Upload parts using streaming bodies (`duplex: 'half'`).
+       * By default uploads sequentially to avoid backpressure issues.
+       * Pass `parallelism` to enable bounded concurrent uploads.
        */
-      async sendPartsWithStream(openResponse, parts) {
-        const uploadRequests = openResponse.partUploadRequests;
-        for (const part of parts) {
-          const uploadReq = uploadRequests.find(
-            (r) => r.ordinalNumber === part.ordinalNumber
-          );
+      async sendPartsWithStream(openResponse, parts, parallelism) {
+        const uploadMap = new Map(openResponse.partUploadRequests.map((r) => [r.ordinalNumber, r]));
+        const uploadPart = async (part, signal) => {
+          const uploadReq = uploadMap.get(part.ordinalNumber);
           if (!uploadReq) {
             throw new Error(`No upload request found for part ${part.ordinalNumber}`);
           }
@@ -1052,11 +1090,23 @@ var init_batch_session = __esm({
             method: uploadReq.method,
             headers,
             body: part.dataStream,
+            signal,
             // @ts-expect-error -- Node 18+ undici supports duplex for streaming body
             duplex: "half"
           });
           if (!resp.ok) {
-            throw new Error(`Upload failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+            const body = await resp.text().catch(() => "");
+            throw new Error(
+              `Upload failed for part ${part.ordinalNumber}: HTTP ${resp.status}${body ? ` \u2014 ${body}` : ""}`
+            );
+          }
+        };
+        if (parallelism !== void 0) {
+          await runWithConcurrency(parts.map((p) => (signal) => uploadPart(p, signal)), parallelism);
+        } else {
+          const { signal } = new AbortController();
+          for (const part of parts) {
+            await uploadPart(part, signal);
           }
         }
       }
@@ -1094,8 +1144,8 @@ var init_session_status = __esm({
           if (filter.dateModifiedFrom) req.query("dateModifiedFrom", filter.dateModifiedFrom);
           if (filter.dateModifiedTo) req.query("dateModifiedTo", filter.dateModifiedTo);
           if (filter.statuses) {
-            for (const status6 of filter.statuses) {
-              req.query("statuses", status6);
+            for (const status7 of filter.statuses) {
+              req.query("statuses", status7);
             }
           }
         }
@@ -1169,7 +1219,10 @@ var init_invoice_download = __esm({
       async getInvoice(ksefNumber) {
         const req = RestRequest.get(Routes.Invoices.byKsefNumber(ksefNumber));
         const response = await this.restClient.executeRaw(req);
-        return new TextDecoder().decode(response.body);
+        return {
+          xml: new TextDecoder().decode(response.body),
+          hash: response.headers.get("x-ms-meta-hash") ?? void 0
+        };
       }
       async queryInvoiceMetadata(filters, pageOffset, pageSize, sortOrder) {
         const req = RestRequest.post(Routes.Invoices.queryMetadata).body(filters);
@@ -1469,20 +1522,20 @@ var init_lighthouse = __esm({
         this.lighthouseUrl = options.lighthouseUrl;
         this.timeout = options.timeout;
       }
-      async fetchJson(path9) {
+      async fetchJson(path10) {
         if (!this.lighthouseUrl) {
           throw new KSeFError(
             "Lighthouse API is not available for the DEMO environment. Use TEST or PROD instead."
           );
         }
-        const response = await fetch(`${this.lighthouseUrl}${path9}`, {
+        const response = await fetch(`${this.lighthouseUrl}${path10}`, {
           headers: { Accept: "application/json" },
           signal: AbortSignal.timeout(this.timeout)
         });
         if (!response.ok) {
           const body = await response.text();
           throw new KSeFError(
-            `Lighthouse ${path9} failed: HTTP ${response.status} \u2014 ${body}`
+            `Lighthouse ${path10} failed: HTTP ${response.status} \u2014 ${body}`
           );
         }
         return await response.json();
@@ -2087,12 +2140,517 @@ var init_auth_xml_builder = __esm({
   }
 });
 
+// src/offline/holidays.ts
+function toDateKey(d) {
+  return d.toISOString().slice(0, 10);
+}
+function dateKey(year, month, day) {
+  return toDateKey(new Date(Date.UTC(year, month - 1, day)));
+}
+function addDays(d, n) {
+  const result = new Date(d);
+  result.setUTCDate(result.getUTCDate() + n);
+  return result;
+}
+function computeEasterSunday(year) {
+  const a = year % 19;
+  const b = Math.floor(year / 100);
+  const c = year % 100;
+  const d = Math.floor(b / 4);
+  const e = b % 4;
+  const f = Math.floor((b + 8) / 25);
+  const g = Math.floor((b - f + 1) / 3);
+  const h = (19 * a + b - d - g + 15) % 30;
+  const i = Math.floor(c / 4);
+  const k = c % 4;
+  const l = (32 + 2 * e + 2 * i - h - k) % 7;
+  const m = Math.floor((a + 11 * h + 22 * l) / 451);
+  const month = Math.floor((h + l - 7 * m + 114) / 31);
+  const day = (h + l - 7 * m + 114) % 31 + 1;
+  return new Date(Date.UTC(year, month - 1, day));
+}
+function getPolishHolidays(year) {
+  const cached = holidayCache.get(year);
+  if (cached) return cached;
+  const easter = computeEasterSunday(year);
+  const holidays = /* @__PURE__ */ new Set([
+    // Fixed
+    dateKey(year, 1, 1),
+    dateKey(year, 1, 6),
+    dateKey(year, 5, 1),
+    dateKey(year, 5, 3),
+    dateKey(year, 8, 15),
+    dateKey(year, 11, 1),
+    dateKey(year, 11, 11),
+    dateKey(year, 12, 25),
+    dateKey(year, 12, 26),
+    // Wigilia — added by Dz.U. 2024 poz. 1965, effective from 2025
+    ...year >= 2025 ? [dateKey(year, 12, 24)] : [],
+    // Moveable
+    toDateKey(easter),
+    toDateKey(addDays(easter, 1)),
+    toDateKey(addDays(easter, 49)),
+    toDateKey(addDays(easter, 60))
+  ]);
+  holidayCache.set(year, holidays);
+  return holidays;
+}
+function isPolishHoliday(date) {
+  return getPolishHolidays(date.getUTCFullYear()).has(toDateKey(date));
+}
+var holidayCache;
+var init_holidays = __esm({
+  "src/offline/holidays.ts"() {
+    "use strict";
+    holidayCache = /* @__PURE__ */ new Map();
+  }
+});
+
+// src/offline/deadline.ts
+function getDefaultReason(mode) {
+  switch (mode) {
+    case "offline24":
+      return "PLANNED";
+    case "offline":
+      return "SYSTEM_UNAVAILABLE";
+    case "awaryjny":
+      return "EMERGENCY";
+    case "awaria_calkowita":
+      return "TOTAL_FAILURE";
+  }
+}
+function nextBusinessDay(from) {
+  const d = new Date(from);
+  d.setUTCDate(d.getUTCDate() + 1);
+  while (d.getUTCDay() === 0 || d.getUTCDay() === 6 || isPolishHoliday(d)) {
+    d.setUTCDate(d.getUTCDate() + 1);
+  }
+  return d;
+}
+function addBusinessDays(from, days) {
+  if (!Number.isInteger(days) || days < 0) {
+    throw new Error(`days must be a non-negative integer, got ${days}`);
+  }
+  const d = new Date(from);
+  let remaining = days;
+  while (remaining > 0) {
+    d.setUTCDate(d.getUTCDate() + 1);
+    if (d.getUTCDay() !== 0 && d.getUTCDay() !== 6 && !isPolishHoliday(d)) {
+      remaining--;
+    }
+  }
+  return d;
+}
+function endOfDay(d) {
+  const result = new Date(d);
+  result.setUTCHours(23, 59, 59, 999);
+  return result;
+}
+function getMaintenanceEndFallback(mw) {
+  if (mw.endTime) {
+    return new Date(mw.endTime);
+  }
+  const start = new Date(mw.startTime);
+  start.setUTCDate(start.getUTCDate() + 7);
+  return start;
+}
+function calculateOfflineDeadline(mode, invoiceDate, maintenanceWindow) {
+  const date = typeof invoiceDate === "string" ? new Date(invoiceDate) : invoiceDate;
+  switch (mode) {
+    case "offline24": {
+      return endOfDay(nextBusinessDay(date));
+    }
+    case "offline": {
+      const base = maintenanceWindow ? getMaintenanceEndFallback(maintenanceWindow) : date;
+      return endOfDay(nextBusinessDay(base));
+    }
+    case "awaryjny": {
+      const base = maintenanceWindow ? getMaintenanceEndFallback(maintenanceWindow) : date;
+      return endOfDay(addBusinessDays(base, 7));
+    }
+    case "awaria_calkowita": {
+      return new Date(FAR_FUTURE);
+    }
+  }
+}
+function isExpired(submitBy) {
+  const deadline = typeof submitBy === "string" ? new Date(submitBy) : submitBy;
+  return Date.now() > deadline.getTime();
+}
+var FAR_FUTURE;
+var init_deadline = __esm({
+  "src/offline/deadline.ts"() {
+    "use strict";
+    init_holidays();
+    FAR_FUTURE = /* @__PURE__ */ new Date("9999-12-31T23:59:59Z");
+  }
+});
+
+// src/models/document-structures/types.ts
+var SystemCode, FORM_CODES, DEFAULT_FORM_CODE, INVOICE_TYPES_BY_SYSTEM_CODE, FORM_CODE_KEYS;
+var init_types = __esm({
+  "src/models/document-structures/types.ts"() {
+    "use strict";
+    SystemCode = {
+      FA_2: "FA (2)",
+      FA_3: "FA (3)",
+      PEF_3: "PEF (3)",
+      PEF_KOR_3: "PEF_KOR (3)",
+      FA_RR_1: "FA_RR (1)"
+    };
+    FORM_CODES = {
+      FA_2: { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" },
+      FA_3: { systemCode: "FA (3)", schemaVersion: "1-0E", value: "FA" },
+      PEF_3: { systemCode: "PEF (3)", schemaVersion: "2-1", value: "PEF" },
+      PEF_KOR_3: { systemCode: "PEF_KOR (3)", schemaVersion: "2-1", value: "PEF" },
+      FA_RR_1_LEGACY: { systemCode: "FA_RR (1)", schemaVersion: "1-0E", value: "RR" },
+      FA_RR_1_TRANSITION: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "RR" },
+      FA_RR_1: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "FA_RR" }
+    };
+    DEFAULT_FORM_CODE = FORM_CODES.FA_3;
+    INVOICE_TYPES_BY_SYSTEM_CODE = {
+      [SystemCode.FA_2]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
+      [SystemCode.FA_3]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
+      [SystemCode.PEF_3]: ["VatPef", "VatPefSp", "KorPef"],
+      [SystemCode.PEF_KOR_3]: ["KorPef"],
+      [SystemCode.FA_RR_1]: ["VatRr", "KorVatRr"]
+    };
+    FORM_CODE_KEYS = {
+      FA2: FORM_CODES.FA_2,
+      FA3: FORM_CODES.FA_3,
+      PEF3: FORM_CODES.PEF_3,
+      PEFKOR3: FORM_CODES.PEF_KOR_3,
+      FARR1: FORM_CODES.FA_RR_1
+    };
+  }
+});
+
+// src/models/document-structures/helpers.ts
+function validateFormCodeForSession(formCode, sessionType) {
+  if (sessionType === "online") return true;
+  return !BATCH_DISALLOWED_SYSTEM_CODES.has(formCode.systemCode);
+}
+var SYSTEM_CODE_TO_FORM_CODE, ALL_FORM_CODES, BATCH_DISALLOWED_SYSTEM_CODES;
+var init_helpers = __esm({
+  "src/models/document-structures/helpers.ts"() {
+    "use strict";
+    init_types();
+    SYSTEM_CODE_TO_FORM_CODE = {
+      [SystemCode.FA_2]: FORM_CODES.FA_2,
+      [SystemCode.FA_3]: FORM_CODES.FA_3,
+      [SystemCode.PEF_3]: FORM_CODES.PEF_3,
+      [SystemCode.PEF_KOR_3]: FORM_CODES.PEF_KOR_3,
+      [SystemCode.FA_RR_1]: FORM_CODES.FA_RR_1
+    };
+    ALL_FORM_CODES = Object.values(FORM_CODES);
+    BATCH_DISALLOWED_SYSTEM_CODES = /* @__PURE__ */ new Set([
+      SystemCode.PEF_3,
+      SystemCode.PEF_KOR_3
+    ]);
+  }
+});
+
+// src/models/document-structures/index.ts
+var init_document_structures = __esm({
+  "src/models/document-structures/index.ts"() {
+    "use strict";
+    init_types();
+    init_helpers();
+  }
+});
+
+// src/workflows/offline-invoice-workflow.ts
+import crypto3 from "crypto";
+var OfflineInvoiceWorkflow;
+var init_offline_invoice_workflow = __esm({
+  "src/workflows/offline-invoice-workflow.ts"() {
+    "use strict";
+    init_ksef_api_error();
+    init_deadline();
+    init_document_structures();
+    OfflineInvoiceWorkflow = class {
+      constructor(qrService) {
+        this.qrService = qrService;
+      }
+      async generate(input, options) {
+        if (!input.invoiceXml || input.invoiceXml.trim().length === 0) {
+          throw new Error("invoiceXml must not be empty");
+        }
+        if (!input.invoiceNumber) {
+          throw new Error("invoiceNumber is required");
+        }
+        if (!input.sellerNip) {
+          throw new Error("sellerNip is required");
+        }
+        const mode = options?.mode ?? "offline24";
+        const reason = getDefaultReason(mode);
+        const invoiceHashBase64 = crypto3.createHash("sha256").update(input.invoiceXml).digest("base64");
+        const kod1Url = this.qrService.buildInvoiceVerificationUrl(
+          input.sellerNip,
+          input.invoiceDate,
+          invoiceHashBase64
+        );
+        let kod2Url;
+        if (options?.certificate) {
+          kod2Url = this.qrService.buildCertificateVerificationUrl(
+            input.sellerIdentifier.type,
+            input.sellerIdentifier.value,
+            input.sellerNip,
+            options.certificate.certificateSerial,
+            invoiceHashBase64,
+            options.certificate.privateKeyPem
+          );
+        }
+        const submitBy = options?.customDeadline ? typeof options.customDeadline === "string" ? options.customDeadline : options.customDeadline.toISOString() : calculateOfflineDeadline(mode, input.invoiceDate, options?.maintenanceWindow).toISOString();
+        const metadata = {
+          id: crypto3.randomUUID(),
+          mode,
+          reason,
+          status: "GENERATED",
+          invoiceNumber: input.invoiceNumber,
+          invoiceDate: input.invoiceDate,
+          invoiceXml: input.invoiceXml,
+          sellerNip: input.sellerNip,
+          sellerIdentifier: input.sellerIdentifier,
+          buyerIdentifier: input.buyerIdentifier,
+          totalAmount: input.totalAmount,
+          currency: input.currency,
+          kod1Url,
+          kod2Url,
+          generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          submitBy,
+          maintenanceWindowId: options?.maintenanceWindow?.id
+        };
+        if (options?.storage) {
+          await options.storage.save(metadata);
+        }
+        return metadata;
+      }
+      async submit(client, options) {
+        const { storage, checkExpiry = true } = options;
+        let invoices2;
+        if (options.invoiceIds) {
+          invoices2 = [];
+          const notFound = [];
+          for (const id of options.invoiceIds) {
+            const inv = await storage.get(id);
+            if (inv) {
+              invoices2.push(inv);
+            } else {
+              notFound.push(id);
+            }
+          }
+          if (notFound.length > 0) {
+            throw new Error(`Offline invoice(s) not found: ${notFound.join(", ")}`);
+          }
+        } else {
+          invoices2 = await storage.list({ status: ["GENERATED", "QUEUED", "SUBMITTED"] });
+        }
+        const result = {
+          total: invoices2.length,
+          submitted: 0,
+          accepted: 0,
+          rejected: 0,
+          failed: 0,
+          expired: 0,
+          results: []
+        };
+        if (invoices2.length === 0) return result;
+        const pending = [];
+        for (const inv of invoices2) {
+          if (checkExpiry && isExpired(inv.submitBy)) {
+            await storage.update(inv.id, { status: "EXPIRED" });
+            result.expired++;
+            result.results.push({
+              invoiceId: inv.id,
+              invoiceNumber: inv.invoiceNumber,
+              status: "EXPIRED"
+            });
+          } else {
+            pending.push(inv);
+          }
+        }
+        if (pending.length === 0) return result;
+        await client.crypto.init();
+        const encData = client.crypto.getEncryptionData();
+        const formCode = options.formCode ?? DEFAULT_FORM_CODE;
+        const openResp = await client.onlineSession.openSession(
+          { formCode, encryption: encData.encryptionInfo }
+        );
+        const sessionRef = openResp.referenceNumber;
+        try {
+          for (const inv of pending) {
+            await storage.update(inv.id, { status: "QUEUED" });
+            try {
+              const data = new TextEncoder().encode(inv.invoiceXml);
+              const plainMeta = client.crypto.getFileMetadata(data);
+              const encrypted = client.crypto.encryptAES256(data, encData.cipherKey, encData.cipherIv);
+              const encMeta = client.crypto.getFileMetadata(encrypted);
+              await storage.update(inv.id, { status: "SUBMITTED", submittedAt: (/* @__PURE__ */ new Date()).toISOString() });
+              const resp = await client.onlineSession.sendInvoice(sessionRef, {
+                invoiceHash: plainMeta.hashSHA,
+                invoiceSize: plainMeta.fileSize,
+                encryptedInvoiceHash: encMeta.hashSHA,
+                encryptedInvoiceSize: encMeta.fileSize,
+                encryptedInvoiceContent: Buffer.from(encrypted).toString("base64"),
+                offlineMode: true
+              });
+              await storage.update(inv.id, {
+                status: "ACCEPTED",
+                acceptedAt: (/* @__PURE__ */ new Date()).toISOString(),
+                ksefReferenceNumber: resp.referenceNumber
+              });
+              result.submitted++;
+              result.accepted++;
+              result.results.push({
+                invoiceId: inv.id,
+                invoiceNumber: inv.invoiceNumber,
+                status: "ACCEPTED",
+                ksefReferenceNumber: resp.referenceNumber
+              });
+            } catch (err) {
+              const message = err instanceof Error ? err.message : String(err);
+              if (err instanceof KSeFApiError) {
+                await storage.update(inv.id, {
+                  status: "REJECTED",
+                  error: { code: err.statusCode, message }
+                });
+                result.submitted++;
+                result.rejected++;
+                result.results.push({
+                  invoiceId: inv.id,
+                  invoiceNumber: inv.invoiceNumber,
+                  status: "REJECTED",
+                  error: { code: err.statusCode, message }
+                });
+              } else {
+                await storage.update(inv.id, {
+                  status: "QUEUED",
+                  error: { code: 0, message }
+                });
+                result.failed++;
+                result.results.push({
+                  invoiceId: inv.id,
+                  invoiceNumber: inv.invoiceNumber,
+                  status: "QUEUED",
+                  error: { code: 0, message }
+                });
+              }
+            }
+          }
+        } finally {
+          try {
+            await client.onlineSession.closeSession(sessionRef);
+          } catch {
+          }
+        }
+        return result;
+      }
+      // TODO(perf): Each correction opens a separate KSeF session.
+      // For batch corrections, consider a correctBatch() sharing one session (like submit()).
+      async correct(client, options) {
+        const { storage, rejectedInvoiceId, correctedInvoiceXml } = options;
+        const original = await storage.get(rejectedInvoiceId);
+        if (!original) {
+          throw new Error(`Offline invoice not found: ${rejectedInvoiceId}`);
+        }
+        if (original.status !== "REJECTED") {
+          throw new Error(
+            original.status === "CORRECTED" ? `Invoice ${rejectedInvoiceId} has already been corrected (by ${original.correctedBy})` : `Only rejected invoices can be corrected (current status: ${original.status})`
+          );
+        }
+        const originalHash = crypto3.createHash("sha256").update(original.invoiceXml).digest("base64");
+        await client.crypto.init();
+        const encData = client.crypto.getEncryptionData();
+        const formCode = options.formCode ?? DEFAULT_FORM_CODE;
+        const openResp = await client.onlineSession.openSession(
+          { formCode, encryption: encData.encryptionInfo }
+        );
+        const sessionRef = openResp.referenceNumber;
+        try {
+          const data = new TextEncoder().encode(correctedInvoiceXml);
+          const plainMeta = client.crypto.getFileMetadata(data);
+          const encrypted = client.crypto.encryptAES256(data, encData.cipherKey, encData.cipherIv);
+          const encMeta = client.crypto.getFileMetadata(encrypted);
+          const correctionId = crypto3.randomUUID();
+          const submittedAt = (/* @__PURE__ */ new Date()).toISOString();
+          const correctedHashBase64 = crypto3.createHash("sha256").update(correctedInvoiceXml).digest("base64");
+          const kod1Url = this.qrService.buildInvoiceVerificationUrl(
+            original.sellerNip,
+            original.invoiceDate,
+            correctedHashBase64
+          );
+          let kod2Url;
+          if (options.certificate) {
+            kod2Url = this.qrService.buildCertificateVerificationUrl(
+              original.sellerIdentifier.type,
+              original.sellerIdentifier.value,
+              original.sellerNip,
+              options.certificate.certificateSerial,
+              correctedHashBase64,
+              options.certificate.privateKeyPem
+            );
+          }
+          const correctionMetadata = {
+            id: correctionId,
+            mode: original.mode,
+            reason: original.reason,
+            status: "SUBMITTED",
+            invoiceNumber: original.invoiceNumber,
+            invoiceDate: original.invoiceDate,
+            invoiceXml: correctedInvoiceXml,
+            sellerNip: original.sellerNip,
+            sellerIdentifier: original.sellerIdentifier,
+            buyerIdentifier: original.buyerIdentifier,
+            kod1Url,
+            kod2Url,
+            generatedAt: submittedAt,
+            submitBy: original.submitBy,
+            submittedAt,
+            correctedInvoiceId: rejectedInvoiceId
+          };
+          await storage.save(correctionMetadata);
+          const resp = await client.onlineSession.sendInvoice(sessionRef, {
+            invoiceHash: plainMeta.hashSHA,
+            invoiceSize: plainMeta.fileSize,
+            encryptedInvoiceHash: encMeta.hashSHA,
+            encryptedInvoiceSize: encMeta.fileSize,
+            encryptedInvoiceContent: Buffer.from(encrypted).toString("base64"),
+            offlineMode: true,
+            hashOfCorrectedInvoice: originalHash
+          });
+          await storage.update(correctionId, {
+            status: "ACCEPTED",
+            acceptedAt: (/* @__PURE__ */ new Date()).toISOString(),
+            ksefReferenceNumber: resp.referenceNumber
+          });
+          await storage.update(rejectedInvoiceId, {
+            status: "CORRECTED",
+            correctedBy: correctionId
+          });
+          return {
+            invoiceId: correctionId,
+            invoiceNumber: correctionMetadata.invoiceNumber,
+            status: "ACCEPTED",
+            ksefReferenceNumber: resp.referenceNumber
+          };
+        } finally {
+          try {
+            await client.onlineSession.closeSession(sessionRef);
+          } catch {
+          }
+        }
+      }
+    };
+  }
+});
+
 // src/crypto/signature-service.ts
 var signature_service_exports = {};
 __export(signature_service_exports, {
   SignatureService: () => SignatureService
 });
-import * as crypto3 from "crypto";
+import * as crypto4 from "crypto";
 import { ExclusiveCanonicalization } from "xml-crypto";
 import { DOMParser, XMLSerializer } from "@xmldom/xmldom";
 function extractDerFromPem(pem) {
@@ -2112,7 +2670,7 @@ function canonicalize(elem) {
 function computeRootDigest(doc) {
   const root = doc.documentElement;
   const canonical = canonicalize(root);
-  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto4.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
   const parser = new DOMParser();
@@ -2122,7 +2680,7 @@ function computeSignedPropertiesDigest(qualifyingPropertiesXml) {
     throw new Error("SignedProperties element not found in QualifyingProperties");
   }
   const canonical = canonicalize(signedProps);
-  return crypto3.createHash("sha256").update(canonical, "utf-8").digest("base64");
+  return crypto4.createHash("sha256").update(canonical, "utf-8").digest("base64");
 }
 function buildSignedInfo(signatureAlgorithm, rootDigest, signedPropertiesDigest) {
   return [
@@ -2153,12 +2711,12 @@ function computeSignatureValue(canonicalSignedInfo, privateKey, isEc) {
   const data = Buffer.from(canonicalSignedInfo, "utf-8");
   let signature;
   if (isEc) {
-    signature = crypto3.sign("sha256", data, {
+    signature = crypto4.sign("sha256", data, {
       key: privateKey,
       dsaEncoding: "ieee-p1363"
     });
   } else {
-    signature = crypto3.sign("sha256", data, privateKey);
+    signature = crypto4.sign("sha256", data, privateKey);
   }
   return signature.toString("base64");
 }
@@ -2258,11 +2816,11 @@ var init_signature_service = __esm({
         }
         const certDer = extractDerFromPem(certPem);
         const certBase64 = certDer.toString("base64");
-        const certDigest = crypto3.createHash("sha256").update(certDer).digest("base64");
-        const x5093 = new crypto3.X509Certificate(certPem);
+        const certDigest = crypto4.createHash("sha256").update(certDer).digest("base64");
+        const x5093 = new crypto4.X509Certificate(certPem);
         const issuerName = normalizeIssuerDn(x5093.issuer);
         const serialNumber = hexSerialToDecimal(x5093.serialNumber);
-        const privateKey = crypto3.createPrivateKey(
+        const privateKey = crypto4.createPrivateKey(
           passphrase ? { key: privateKeyPem, format: "pem", passphrase } : privateKeyPem
         );
         const isEc = privateKey.asymmetricKeyType === "ec";
@@ -2427,6 +2985,7 @@ var init_client = __esm({
     init_cryptography_service();
     init_verification_link_service();
     init_auth_xml_builder();
+    init_offline_invoice_workflow();
     KSeFClient = class {
       auth;
       activeSessions;
@@ -2445,6 +3004,8 @@ var init_client = __esm({
       qr;
       options;
       authManager;
+      _baseRestClientConfig;
+      _offline;
       constructor(options) {
         this.options = resolveOptions(options);
         const authManager = options?.authManager ?? new DefaultAuthManager(async () => {
@@ -2455,6 +3016,8 @@ var init_client = __esm({
         });
         this.authManager = authManager;
         const restClientConfig = buildRestClientConfig(options, authManager);
+        const { authManager: _am, ...baseConfig } = restClientConfig;
+        this._baseRestClientConfig = baseConfig;
         const restClient = new RestClient(this.options, restClientConfig);
         const fetcher = new CertificateFetcher(restClient);
         this.crypto = new CryptographyService(fetcher);
@@ -2473,6 +3036,16 @@ var init_client = __esm({
         this.testData = new TestDataService(restClient, this.options.environmentName);
         this.qr = new VerificationLinkService(this.options.baseQrUrl);
       }
+      get offline() {
+        if (!this._offline) {
+          this._offline = new OfflineInvoiceWorkflow(this.qr);
+        }
+        return this._offline;
+      }
+      /** @internal Create a RestClient with a different AuthManager, preserving transport/retry/rateLimit config. */
+      createScopedRestClient(authManager) {
+        return new RestClient(this.options, { ...this._baseRestClientConfig, authManager });
+      }
       async loginWithToken(token, nip) {
         const challenge2 = await this.auth.getChallenge();
         await this.crypto.init();
@@ -2507,10 +3080,10 @@ var init_client = __esm({
       }
       async awaitAuthReady(referenceNumber, authToken) {
         for (let i = 0; i < 30; i++) {
-          const status6 = await this.auth.getAuthStatus(referenceNumber, authToken);
-          if (status6.status.code === 200) return;
-          if (status6.status.code !== 100) {
-            throw new Error(`Authentication failed with status ${status6.status.code}: ${status6.status.description}`);
+          const status7 = await this.auth.getAuthStatus(referenceNumber, authToken);
+          if (status7.status.code === 200) return;
+          if (status7.status.code !== 100) {
+            throw new Error(`Authentication failed with status ${status7.status.code}: ${status7.status.description}`);
           }
           await new Promise((r) => setTimeout(r, 1e3));
         }
@@ -2545,79 +3118,6 @@ var init_polling = __esm({
   }
 });
 
-// src/models/document-structures/types.ts
-var SystemCode, FORM_CODES, DEFAULT_FORM_CODE, INVOICE_TYPES_BY_SYSTEM_CODE, FORM_CODE_KEYS;
-var init_types = __esm({
-  "src/models/document-structures/types.ts"() {
-    "use strict";
-    SystemCode = {
-      FA_2: "FA (2)",
-      FA_3: "FA (3)",
-      PEF_3: "PEF (3)",
-      PEF_KOR_3: "PEF_KOR (3)",
-      FA_RR_1: "FA_RR (1)"
-    };
-    FORM_CODES = {
-      FA_2: { systemCode: "FA (2)", schemaVersion: "1-0E", value: "FA" },
-      FA_3: { systemCode: "FA (3)", schemaVersion: "1-0E", value: "FA" },
-      PEF_3: { systemCode: "PEF (3)", schemaVersion: "2-1", value: "PEF" },
-      PEF_KOR_3: { systemCode: "PEF_KOR (3)", schemaVersion: "2-1", value: "PEF" },
-      FA_RR_1_LEGACY: { systemCode: "FA_RR (1)", schemaVersion: "1-0E", value: "RR" },
-      FA_RR_1_TRANSITION: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "RR" },
-      FA_RR_1: { systemCode: "FA_RR (1)", schemaVersion: "1-1E", value: "FA_RR" }
-    };
-    DEFAULT_FORM_CODE = FORM_CODES.FA_3;
-    INVOICE_TYPES_BY_SYSTEM_CODE = {
-      [SystemCode.FA_2]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
-      [SystemCode.FA_3]: ["Vat", "Zal", "Kor", "Roz", "Upr", "KorZal", "KorRoz"],
-      [SystemCode.PEF_3]: ["VatPef", "VatPefSp", "KorPef"],
-      [SystemCode.PEF_KOR_3]: ["KorPef"],
-      [SystemCode.FA_RR_1]: ["VatRr", "KorVatRr"]
-    };
-    FORM_CODE_KEYS = {
-      FA2: FORM_CODES.FA_2,
-      FA3: FORM_CODES.FA_3,
-      PEF3: FORM_CODES.PEF_3,
-      PEFKOR3: FORM_CODES.PEF_KOR_3,
-      FARR1: FORM_CODES.FA_RR_1
-    };
-  }
-});
-
-// src/models/document-structures/helpers.ts
-function validateFormCodeForSession(formCode, sessionType) {
-  if (sessionType === "online") return true;
-  return !BATCH_DISALLOWED_SYSTEM_CODES.has(formCode.systemCode);
-}
-var SYSTEM_CODE_TO_FORM_CODE, ALL_FORM_CODES, BATCH_DISALLOWED_SYSTEM_CODES;
-var init_helpers = __esm({
-  "src/models/document-structures/helpers.ts"() {
-    "use strict";
-    init_types();
-    SYSTEM_CODE_TO_FORM_CODE = {
-      [SystemCode.FA_2]: FORM_CODES.FA_2,
-      [SystemCode.FA_3]: FORM_CODES.FA_3,
-      [SystemCode.PEF_3]: FORM_CODES.PEF_3,
-      [SystemCode.PEF_KOR_3]: FORM_CODES.PEF_KOR_3,
-      [SystemCode.FA_RR_1]: FORM_CODES.FA_RR_1
-    };
-    ALL_FORM_CODES = Object.values(FORM_CODES);
-    BATCH_DISALLOWED_SYSTEM_CODES = /* @__PURE__ */ new Set([
-      SystemCode.PEF_3,
-      SystemCode.PEF_KOR_3
-    ]);
-  }
-});
-
-// src/models/document-structures/index.ts
-var init_document_structures = __esm({
-  "src/models/document-structures/index.ts"() {
-    "use strict";
-    init_types();
-    init_helpers();
-  }
-});
-
 // src/xml/upo-parser.ts
 import { XMLParser } from "fast-xml-parser";
 function isRecord(value) {
@@ -2742,11 +3242,58 @@ var init_upo_parser = __esm({
   }
 });
 
+// src/xml/invoice-field-extractor.ts
+import { XMLParser as XMLParser2 } from "fast-xml-parser";
+function extractInvoiceFields(xml) {
+  const parsed = invoiceParser.parse(xml);
+  const root = parsed?.Faktura;
+  if (!root || typeof root !== "object") {
+    throw new Error(
+      "Cannot extract invoice fields: missing <Faktura> root element. Ensure the XML is a valid KSeF invoice (FA_2, FA_3, or FA_RR)."
+    );
+  }
+  if (root.Fa && typeof root.Fa === "object") {
+    const invoiceDate = nonEmptyString(root.Fa.P_1);
+    const invoiceNumber = nonEmptyString(root.Fa.P_2);
+    if (invoiceDate && invoiceNumber) {
+      return { invoiceNumber, invoiceDate };
+    }
+  }
+  if (root.FakturaRR && typeof root.FakturaRR === "object") {
+    const invoiceDate = nonEmptyString(root.FakturaRR.P_4B);
+    const invoiceNumber = nonEmptyString(root.FakturaRR.P_4C);
+    if (invoiceDate && invoiceNumber) {
+      return { invoiceNumber, invoiceDate };
+    }
+  }
+  throw new Error(
+    "Cannot extract invoice number and date from XML. Expected <Fa><P_1>/<P_2> (FA format) or <FakturaRR><P_4B>/<P_4C> (RR format)."
+  );
+}
+function nonEmptyString(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+var invoiceParser;
+var init_invoice_field_extractor = __esm({
+  "src/xml/invoice-field-extractor.ts"() {
+    "use strict";
+    invoiceParser = new XMLParser2({
+      ignoreAttributes: false,
+      attributeNamePrefix: "@_",
+      parseTagValue: false,
+      parseAttributeValue: false,
+      removeNSPrefix: true,
+      trimValues: false
+    });
+  }
+});
+
 // src/xml/index.ts
 var init_xml = __esm({
   "src/xml/index.ts"() {
     "use strict";
     init_upo_parser();
+    init_invoice_field_extractor();
   }
 });
 
@@ -4488,11 +5035,11 @@ async function validateSchema(xml, options, _parsed) {
   const prefix = rootElement ? `/${rootElement}/` : "/";
   const validationErrors = result.error.issues.map((issue) => {
     const zodPath = issue.path.join("/");
-    const path9 = zodPath ? `${prefix}${zodPath}` : rootElement ? `/${rootElement}` : void 0;
+    const path10 = zodPath ? `${prefix}${zodPath}` : rootElement ? `/${rootElement}` : void 0;
     return {
       code: mapZodErrorCode(issue),
       message: issue.message,
-      path: path9
+      path: path10
     };
   });
   return { valid: false, schemaType, errors: validationErrors };
@@ -4532,9 +5079,9 @@ function validateBusinessRules(xml, _parsed) {
   collectDateErrors(object, rootElement, errors);
   return { valid: errors.length === 0, schemaType, errors };
 }
-function collectNipPeselErrors(obj, path9, errors) {
+function collectNipPeselErrors(obj, path10, errors) {
   for (const [key, value] of Object.entries(obj)) {
-    const currentPath = path9 ? `${path9}/${key}` : key;
+    const currentPath = path10 ? `${path10}/${key}` : key;
     if (key === "NIP" && typeof value === "string") {
       if (!isValidNip(value)) {
         errors.push({
@@ -4614,7 +5161,7 @@ var init_invoice_validator = __esm({
 });
 
 // src/builders/batch-file.ts
-import * as crypto4 from "crypto";
+import * as crypto6 from "crypto";
 function splitBuffer(data, maxPartSize) {
   if (data.length <= maxPartSize) {
     return [data];
@@ -4625,8 +5172,8 @@ function splitBuffer(data, maxPartSize) {
   }
   return parts;
 }
-function sha256Base64(data) {
-  return crypto4.createHash("sha256").update(data).digest("base64");
+function sha256Base642(data) {
+  return crypto6.createHash("sha256").update(data).digest("base64");
 }
 var BATCH_MAX_PART_SIZE, BATCH_MAX_TOTAL_SIZE, BATCH_MAX_PARTS, BatchFileBuilder;
 var init_batch_file = __esm({
@@ -4663,7 +5210,7 @@ var init_batch_file = __esm({
             `Data requires ${rawParts.length} parts, exceeding maximum of ${BATCH_MAX_PARTS}`
           );
         }
-        const zipHash = sha256Base64(zipBytes);
+        const zipHash = sha256Base642(zipBytes);
         const encryptedParts = [];
         const fileParts = rawParts.map((raw, i) => {
           const encrypted = encryptFn(raw);
@@ -4671,7 +5218,7 @@ var init_batch_file = __esm({
           return {
             ordinalNumber: i + 1,
             fileSize: encrypted.length,
-            fileHash: sha256Base64(encrypted)
+            fileHash: sha256Base642(encrypted)
           };
         });
         return {
@@ -4754,7 +5301,7 @@ var init_batch_file = __esm({
             encryptedChunks.push(value);
           }
           const encryptedData = new Uint8Array(Buffer.concat(encryptedChunks));
-          const encryptedMeta = sha256Base64(encryptedData);
+          const encryptedMeta = sha256Base642(encryptedData);
           fileParts.push({
             ordinalNumber: partIndex + 1,
             fileSize: encryptedData.byteLength,
@@ -4798,6 +5345,9 @@ __export(batch_session_workflow_exports, {
   uploadBatchStreamParsed: () => uploadBatchStreamParsed
 });
 async function uploadBatch(client, zipData, options) {
+  if (options?.parallelism !== void 0 && (!Number.isInteger(options.parallelism) || options.parallelism < 1)) {
+    throw new Error("parallelism must be a positive integer");
+  }
   await client.crypto.init();
   if (options?.validate) {
     const { unzip: unzip2 } = await Promise.resolve().then(() => (init_zip(), zip_exports));
@@ -4840,7 +5390,7 @@ async function uploadBatch(client, zipData, options) {
     },
     ordinalNumber: i + 1
   }));
-  await client.batchSession.sendParts(openResp, sendingParts);
+  await client.batchSession.sendParts(openResp, sendingParts, options?.parallelism);
   await client.batchSession.closeSession(openResp.referenceNumber);
   const result = await pollUntil(
     () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
@@ -4861,6 +5411,9 @@ async function uploadBatch(client, zipData, options) {
   };
 }
 async function uploadBatchStream(client, zipStreamFactory, zipSize, options) {
+  if (options?.parallelism !== void 0 && (!Number.isInteger(options.parallelism) || options.parallelism < 1)) {
+    throw new Error("parallelism must be a positive integer");
+  }
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
   const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
@@ -4882,7 +5435,7 @@ async function uploadBatchStream(client, zipStreamFactory, zipSize, options) {
     },
     options?.upoVersion
   );
-  await client.batchSession.sendPartsWithStream(openResp, streamParts);
+  await client.batchSession.sendPartsWithStream(openResp, streamParts, options?.parallelism);
   await client.batchSession.closeSession(openResp.referenceNumber);
   const result = await pollUntil(
     () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
@@ -4937,10 +5490,10 @@ var init_batch_session_workflow = __esm({
 });
 
 // src/cli/index.ts
-import { readFileSync as readFileSync8 } from "fs";
+import { readFileSync as readFileSync9 } from "fs";
 import { fileURLToPath } from "url";
 import { dirname as dirname2, resolve } from "path";
-import { defineCommand as defineCommand17, runMain } from "citty";
+import { defineCommand as defineCommand18, runMain } from "citty";
 
 // src/cli/commands/config.ts
 import { defineCommand } from "citty";
@@ -5506,13 +6059,13 @@ var login = defineCommand2({
       if (token) {
         await client.loginWithToken(token, nip);
       } else if (args.p12) {
-        const fs13 = await import("fs");
-        const p12Buffer = fs13.readFileSync(args.p12);
+        const fs15 = await import("fs");
+        const p12Buffer = fs15.readFileSync(args.p12);
         await client.loginWithPkcs12(p12Buffer, args["p12-password"] ?? "", nip);
       } else if (args.cert && args.key) {
-        const fs13 = await import("fs");
-        const certPem = fs13.readFileSync(args.cert, "utf-8");
-        const keyPem = fs13.readFileSync(args.key, "utf-8");
+        const fs15 = await import("fs");
+        const certPem = fs15.readFileSync(args.cert, "utf-8");
+        const keyPem = fs15.readFileSync(args.key, "utf-8");
         await client.loginWithCertificate(certPem, keyPem, nip, args["key-password"]);
       } else {
         throw new Error("Provide --token, --p12, or both --cert and --key for authentication.");
@@ -6226,6 +6779,17 @@ var FileHwmStore = class {
 // src/workflows/invoice-export-workflow.ts
 init_zip();
 init_polling();
+
+// src/utils/hash.ts
+import crypto5 from "crypto";
+function sha256Base64(data) {
+  return crypto5.createHash("sha256").update(data).digest("base64");
+}
+function verifyHash(data, expectedHash) {
+  return sha256Base64(data) === expectedHash;
+}
+
+// src/workflows/invoice-export-workflow.ts
 async function doExport(client, filters, options) {
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
@@ -6254,6 +6818,7 @@ async function doExport(client, filters, options) {
         url: p.url,
         method: p.method,
         partSize: p.partSize,
+        partHash: p.partHash,
         encryptedPartSize: p.encryptedPartSize,
         encryptedPartHash: p.encryptedPartHash,
         expirationDate: p.expirationDate
@@ -6315,6 +6880,9 @@ async function incrementalExportAndDownload(client, options) {
         throw new Error(`Download failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
       }
       const encryptedData = new Uint8Array(await resp.arrayBuffer());
+      if (options.verifyHash !== false && !verifyHash(encryptedData, part.encryptedPartHash)) {
+        throw new Error(`Hash mismatch for export part ${part.ordinalNumber}`);
+      }
       const decrypted = client.crypto.decryptAES256(encryptedData, encData.cipherKey, encData.cipherIv);
       decryptedParts.push(decrypted);
     }
@@ -6523,6 +7091,7 @@ var send = defineCommand5({
     stream: { type: "boolean", description: "Use stream-based batch upload (for ZIP files, reduces memory usage)" },
     formCode: { type: "string", description: "Document type: FA2, FA3, PEF3, PEFKOR3, FARR1 (default: FA3)" },
     validate: { type: "boolean", description: "Validate XML before sending" },
+    parallelism: { type: "string", description: "Number of concurrent part uploads (batch mode)" },
     env: { type: "string", description: "Environment (test/demo/prod)" },
     json: { type: "boolean", description: "Output as JSON" },
     verbose: { type: "boolean", description: "Show HTTP request/response details" },
@@ -6536,6 +7105,10 @@ var send = defineCommand5({
       const config = loadConfig();
       const nip = args.nip ?? config.nip;
       const filePath = args.path;
+      const parallelism = args.parallelism ? Number(args.parallelism) : void 0;
+      if (parallelism !== void 0 && (!Number.isInteger(parallelism) || parallelism < 1)) {
+        throw new Error("--parallelism must be a positive integer");
+      }
       const formCodeKey = args.formCode;
       let formCode = DEFAULT_FORM_CODE;
       if (formCodeKey) {
@@ -6568,7 +7141,8 @@ var send = defineCommand5({
         if (!args.json) consola9.start(`Sending batch via stream (${(zipSize / 1e6).toFixed(1)} MB)...`);
         const result = await uploadBatchStream2(client, zipStreamFactory, zipSize, {
           formCode,
-          pollOptions: { intervalMs: 3e3 }
+          pollOptions: { intervalMs: 3e3 },
+          parallelism
         });
         if (args.json) {
           outputResult(result, { json: true });
@@ -6632,7 +7206,7 @@ var send = defineCommand5({
           { formCode, batchFile: batchFileInfo, encryption: encryptionData.encryptionInfo }
         );
         saveOnlineSessionRef(openResult.referenceNumber);
-        await client.batchSession.sendParts(openResult, parts);
+        await client.batchSession.sendParts(openResult, parts, parallelism);
         await client.batchSession.closeSession(openResult.referenceNumber);
         clearOnlineSessionRef();
         if (args.json) {
@@ -6697,9 +7271,9 @@ var get = defineCommand5({
     return withErrorHandler(async () => {
       const globalOpts = getGlobalOpts4(args);
       const { client } = await requireSession(globalOpts);
-      const xml = await client.invoices.getInvoice(args.ksefNumber);
+      const { xml, hash } = await client.invoices.getInvoice(args.ksefNumber);
       if (args.json) {
-        outputResult({ ksefNumber: args.ksefNumber, xml }, { json: true });
+        outputResult({ ksefNumber: args.ksefNumber, xml, hash }, { json: true });
         return;
       }
       if (args.o) {
@@ -7616,12 +8190,12 @@ import fs10 from "fs";
 import path7 from "path";
 
 // src/crypto/certificate-service.ts
-import * as crypto5 from "crypto";
+import * as crypto7 from "crypto";
 import * as x5092 from "@peculiar/x509";
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
     const der = extractDerFromPem2(certPem);
-    return crypto5.createHash("sha256").update(der).digest("hex").toUpperCase();
+    return crypto7.createHash("sha256").update(der).digest("hex").toUpperCase();
   }
   static async generatePersonalCertificate(givenName, surname, serialNumber, commonName, method = "RSA") {
     const nameParts = [];
@@ -7644,7 +8218,7 @@ var CertificateService = class {
   }
 };
 async function generateSelfSigned(subject2, method) {
-  x5092.cryptoProvider.set(crypto5.webcrypto);
+  x5092.cryptoProvider.set(crypto7.webcrypto);
   let algorithm;
   let signingAlgorithm;
   if (method === "ECDSA") {
@@ -7659,7 +8233,7 @@ async function generateSelfSigned(subject2, method) {
     };
     signingAlgorithm = algorithm;
   }
-  const keys = await crypto5.webcrypto.subtle.generateKey(
+  const keys = await crypto7.webcrypto.subtle.generateKey(
     algorithm,
     true,
     ["sign", "verify"]
@@ -7676,9 +8250,9 @@ async function generateSelfSigned(subject2, method) {
     serialNumber: Date.now().toString(16)
   });
   const certPem = cert.toString("pem");
-  const pkcs8 = await crypto5.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
+  const pkcs8 = await crypto7.webcrypto.subtle.exportKey("pkcs8", keys.privateKey);
   const privateKeyPem = pemEncode2(new Uint8Array(pkcs8), "PRIVATE KEY");
-  const fingerprint = crypto5.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
+  const fingerprint = crypto7.createHash("sha256").update(Buffer.from(cert.rawData)).digest("hex").toUpperCase();
   return { certificatePem: certPem, privateKeyPem, fingerprint };
 }
 function extractDerFromPem2(pem) {
@@ -8136,6 +8710,7 @@ var invoice2 = defineCommand9({
     format: { type: "string", description: "Output format: png or svg (default: png)" },
     size: { type: "string", description: "QR code size in pixels (default: 300)" },
     label: { type: "string", description: "Label text (SVG only)" },
+    offline: { type: "boolean", description: 'Use "OFFLINE" as label (SVG, overrides --label)' },
     o: { type: "string", description: "Output file path" },
     env: { type: "string", description: "Environment (test/demo/prod)" },
     json: { type: "boolean", description: "Output as JSON" },
@@ -8155,7 +8730,8 @@ var invoice2 = defineCommand9({
         return;
       }
       if (format === "svg") {
-        const svg = args.label ? await QrCodeService.generateQrCodeSvgWithLabel(url2, args.label, { width: size }) : await QrCodeService.generateQrCodeSvg(url2, { width: size });
+        const effectiveLabel = args.offline ? "OFFLINE" : args.label;
+        const svg = effectiveLabel ? await QrCodeService.generateQrCodeSvgWithLabel(url2, effectiveLabel, { width: size }) : await QrCodeService.generateQrCodeSvg(url2, { width: size });
         if (args.o) {
           fs11.writeFileSync(args.o, svg);
           outputSuccess(`QR code saved to ${args.o}
@@ -9022,11 +9598,11 @@ var doctorCommand = defineCommand14({
         const controller = new AbortController();
         const timeout = setTimeout(() => controller.abort(), 5e3);
         try {
-          const status6 = await client.lighthouse.getStatus();
+          const status7 = await client.lighthouse.getStatus();
           checks.push({
             name: "connectivity",
             status: "pass",
-            message: `API reachable (${status6.status})`
+            message: `API reachable (${status7.status})`
           });
         } finally {
           clearTimeout(timeout);
@@ -9470,11 +10046,474 @@ var setupCommand = defineCommand16({
   }
 });
 
+// src/cli/commands/offline.ts
+import * as fs14 from "fs";
+import { defineCommand as defineCommand17 } from "citty";
+import { consola as consola15 } from "consola";
+
+// src/offline/file-storage.ts
+import * as fs13 from "fs/promises";
+import * as path9 from "path";
+import * as os6 from "os";
+
+// src/offline/storage.ts
+function matchesFilter(invoice3, filter) {
+  if (filter.status !== void 0) {
+    const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];
+    if (!statuses.includes(invoice3.status)) return false;
+  }
+  if (filter.mode !== void 0 && invoice3.mode !== filter.mode) return false;
+  if (filter.sellerNip !== void 0 && invoice3.sellerNip !== filter.sellerNip) return false;
+  if (filter.expiringBefore !== void 0) {
+    const cutoff = typeof filter.expiringBefore === "string" ? new Date(filter.expiringBefore).getTime() : filter.expiringBefore.getTime();
+    if (new Date(invoice3.submitBy).getTime() >= cutoff) return false;
+  }
+  return true;
+}
+
+// src/offline/file-storage.ts
+function resolveDir(dir) {
+  if (dir === "~" || dir.startsWith("~/")) {
+    return path9.join(os6.homedir(), dir.slice(1));
+  }
+  return dir;
+}
+var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function validateId(id) {
+  if (!UUID_RE.test(id)) {
+    throw new Error(`Invalid invoice ID: ${id}`);
+  }
+}
+var FileOfflineInvoiceStorage = class {
+  dir;
+  constructor(directory) {
+    this.dir = resolveDir(directory ?? "~/.ksef/offline");
+  }
+  async ensureDir() {
+    await fs13.mkdir(this.dir, { recursive: true });
+  }
+  filePath(id) {
+    validateId(id);
+    return path9.join(this.dir, `${id}.json`);
+  }
+  async save(invoice3) {
+    await this.ensureDir();
+    const file = this.filePath(invoice3.id);
+    const tmp = `${file}.tmp`;
+    await fs13.writeFile(tmp, JSON.stringify(invoice3, null, 2));
+    await fs13.rename(tmp, file);
+  }
+  async get(id) {
+    const file = this.filePath(id);
+    try {
+      return JSON.parse(await fs13.readFile(file, "utf-8"));
+    } catch (err) {
+      if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+        return null;
+      }
+      console.warn(`Warning: Failed to read offline invoice ${id}: ${err instanceof Error ? err.message : String(err)}`);
+      return null;
+    }
+  }
+  async list(filter) {
+    let files;
+    try {
+      files = (await fs13.readdir(this.dir)).filter((f) => f.endsWith(".json"));
+    } catch {
+      return [];
+    }
+    const results = [];
+    for (const file of files) {
+      try {
+        const data = JSON.parse(
+          await fs13.readFile(path9.join(this.dir, file), "utf-8")
+        );
+        if (!filter || matchesFilter(data, filter)) {
+          results.push(data);
+        }
+      } catch (err) {
+        console.warn(`Warning: Skipping corrupt offline invoice file ${file}: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+    return results;
+  }
+  /**
+   * Update invoice metadata (read-modify-write).
+   *
+   * Note: No file locking — concurrent updates to the same ID may cause
+   * lost writes. Acceptable for CLI (single process). Library consumers
+   * running parallel operations should use external locking.
+   */
+  async update(id, updates) {
+    const existing = await this.get(id);
+    if (!existing) throw new Error(`Offline invoice not found: ${id}`);
+    await this.save({ ...existing, ...updates });
+  }
+  async delete(id) {
+    const file = this.filePath(id);
+    try {
+      await fs13.unlink(file);
+    } catch (e) {
+      if (e instanceof Error && "code" in e && e.code !== "ENOENT") throw e;
+    }
+  }
+};
+
+// src/cli/commands/offline.ts
+init_invoice_field_extractor();
+function getGlobalOpts14(args) {
+  return {
+    env: args.env,
+    json: args.json,
+    verbose: args.verbose,
+    timeout: args.timeout,
+    nip: args.nip
+  };
+}
+function getStorage(args) {
+  return new FileOfflineInvoiceStorage(args["store-dir"]);
+}
+var globalArgs = {
+  env: { type: "string", description: "Environment (test/demo/prod)" },
+  json: { type: "boolean", description: "Output as JSON" },
+  verbose: { type: "boolean", description: "Verbose output" },
+  timeout: { type: "string", description: "Request timeout (ms)" },
+  nip: { type: "string", description: "NIP number" },
+  "store-dir": { type: "string", description: "Offline invoice store directory" }
+};
+var generate3 = defineCommand17({
+  meta: { name: "generate", description: "Generate offline invoice metadata with QR codes" },
+  args: {
+    ...globalArgs,
+    xml: { type: "positional", description: "Invoice XML file path", required: true },
+    mode: { type: "string", description: "Offline mode (offline24/offline/awaryjny)" },
+    key: { type: "string", description: "Private key PEM file for KOD II signing" },
+    "cert-serial": { type: "string", description: "Certificate serial number (hex)" },
+    "context-type": { type: "string", description: "Seller context type (default: Nip)" },
+    "context-id": { type: "string", description: "Seller context value" },
+    "qr-format": { type: "string", description: "QR format: png or svg (default: png)" },
+    "qr-out": { type: "string", description: "Directory to save QR images" },
+    "no-store": { type: "boolean", description: "Do not save to local store" }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const globalOpts = getGlobalOpts14(args);
+      const config = loadConfig();
+      const xmlPath = args.xml;
+      if (!fs14.existsSync(xmlPath)) {
+        throw new Error(`File not found: ${xmlPath}`);
+      }
+      const invoiceXml = fs14.readFileSync(xmlPath, "utf-8");
+      const sellerNip = args.nip ?? config.nip;
+      if (!sellerNip) {
+        throw new Error("NIP is required. Use --nip or set via `ksef config set --nip`");
+      }
+      const contextType = args["context-type"] ?? "Nip";
+      const contextId = args["context-id"] ?? sellerNip;
+      const client = createClient(globalOpts);
+      const workflow = client.offline;
+      if (args.key && !args["cert-serial"]) {
+        throw new Error("--cert-serial is required when using --key");
+      }
+      const certificate2 = args.key ? {
+        privateKeyPem: fs14.readFileSync(args.key, "utf-8"),
+        certificateSerial: args["cert-serial"]
+      } : void 0;
+      const validModes = ["offline24", "offline", "awaryjny", "awaria_calkowita"];
+      const modeArg = args.mode ?? "offline24";
+      if (!validModes.includes(modeArg)) {
+        throw new Error(`Invalid --mode "${modeArg}". Must be one of: ${validModes.join(", ")}`);
+      }
+      const storage = args["no-store"] ? void 0 : getStorage(args);
+      const { invoiceNumber, invoiceDate } = extractInvoiceFields(invoiceXml);
+      const metadata = await workflow.generate(
+        {
+          invoiceNumber,
+          invoiceDate,
+          invoiceXml,
+          sellerNip,
+          sellerIdentifier: { type: contextType, value: contextId }
+        },
+        {
+          mode: modeArg,
+          certificate: certificate2,
+          storage
+        }
+      );
+      if (args["qr-out"]) {
+        const outDir = args["qr-out"];
+        fs14.mkdirSync(outDir, { recursive: true });
+        const format = args["qr-format"] ?? "png";
+        if (format !== "png" && format !== "svg") {
+          throw new Error(`Invalid --qr-format "${format}". Must be one of: png, svg`);
+        }
+        const shortId = metadata.id.slice(0, 8);
+        if (format === "svg") {
+          const svg1 = await QrCodeService.generateQrCodeSvgWithLabel(metadata.kod1Url, "OFFLINE");
+          fs14.writeFileSync(`${outDir}/${shortId}-kod1.svg`, svg1);
+          if (metadata.kod2Url) {
+            const svg2 = await QrCodeService.generateQrCodeSvgWithLabel(metadata.kod2Url, "CERTYFIKAT");
+            fs14.writeFileSync(`${outDir}/${shortId}-kod2.svg`, svg2);
+          }
+        } else {
+          const png1 = await QrCodeService.generateQrCode(metadata.kod1Url);
+          fs14.writeFileSync(`${outDir}/${shortId}-kod1.png`, png1);
+          if (metadata.kod2Url) {
+            const png2 = await QrCodeService.generateQrCode(metadata.kod2Url);
+            fs14.writeFileSync(`${outDir}/${shortId}-kod2.png`, png2);
+          }
+        }
+        outputSuccess(`QR codes saved to ${outDir}/`);
+      }
+      if (!certificate2) {
+        outputWarning("No certificate provided \u2014 KOD II QR code was not generated. Use --key and --cert-serial for offline compliance.");
+      }
+      if (args.json) {
+        outputResult(metadata, { json: true });
+      } else {
+        outputKeyValue({
+          ID: metadata.id,
+          Mode: metadata.mode,
+          Status: metadata.status,
+          Deadline: metadata.submitBy,
+          "KOD I": metadata.kod1Url,
+          "KOD II": metadata.kod2Url ?? "(not generated)"
+        }, { json: false });
+      }
+    });
+  }
+});
+var list4 = defineCommand17({
+  meta: { name: "list", description: "List stored offline invoices" },
+  args: {
+    ...globalArgs,
+    status: { type: "string", description: "Filter by status" },
+    mode: { type: "string", description: "Filter by mode" },
+    expiring: { type: "boolean", description: "Show only invoices expiring within 24h" }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const storage = getStorage(args);
+      const filter = {};
+      if (args.status) filter.status = args.status;
+      if (args.mode) filter.mode = args.mode;
+      if (args.expiring) {
+        const cutoff = new Date(Date.now() + 24 * 60 * 60 * 1e3);
+        filter.expiringBefore = cutoff.toISOString();
+      }
+      const invoices2 = await storage.list(Object.keys(filter).length > 0 ? filter : void 0);
+      if (invoices2.length === 0) {
+        if (args.json) {
+          outputResult([], { json: true });
+        } else {
+          outputSuccess("No offline invoices found.");
+        }
+        return;
+      }
+      outputTable(
+        invoices2.map((i) => ({
+          id: i.id.slice(0, 8),
+          number: i.invoiceNumber,
+          mode: i.mode,
+          status: i.status,
+          deadline: i.submitBy.slice(0, 19),
+          nip: i.sellerNip
+        })),
+        [
+          { key: "id", label: "ID" },
+          { key: "number", label: "Number" },
+          { key: "mode", label: "Mode" },
+          { key: "status", label: "Status" },
+          { key: "deadline", label: "Deadline" },
+          { key: "nip", label: "NIP" }
+        ],
+        { json: args.json }
+      );
+    });
+  }
+});
+var status6 = defineCommand17({
+  meta: { name: "status", description: "Show offline invoice details" },
+  args: {
+    ...globalArgs,
+    id: { type: "positional", description: "Invoice ID", required: true }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const storage = getStorage(args);
+      const invoice3 = await storage.get(args.id);
+      if (!invoice3) {
+        throw new Error(`Offline invoice not found: ${args.id}`);
+      }
+      if (args.json) {
+        outputResult(invoice3, { json: true });
+      } else {
+        outputKeyValue({
+          ID: invoice3.id,
+          Number: invoice3.invoiceNumber,
+          Date: invoice3.invoiceDate,
+          Mode: invoice3.mode,
+          Reason: invoice3.reason,
+          Status: invoice3.status,
+          "Seller NIP": invoice3.sellerNip,
+          Deadline: invoice3.submitBy,
+          "Generated At": invoice3.generatedAt,
+          "Submitted At": invoice3.submittedAt ?? "-",
+          "KSeF Reference": invoice3.ksefReferenceNumber ?? "-",
+          "KOD I URL": invoice3.kod1Url,
+          "KOD II URL": invoice3.kod2Url ?? "-",
+          Error: invoice3.error ? `${invoice3.error.code}: ${invoice3.error.message}` : "-"
+        }, { json: false });
+      }
+    });
+  }
+});
+var submit = defineCommand17({
+  meta: { name: "submit", description: "Submit offline invoices to KSeF" },
+  args: {
+    ...globalArgs,
+    all: { type: "boolean", description: "Submit all pending invoices" },
+    "no-check-expiry": { type: "boolean", description: "Skip expiry check" },
+    ids: { type: "positional", description: "Invoice IDs to submit" }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const globalOpts = getGlobalOpts14(args);
+      const { client } = await requireSession(globalOpts);
+      const storage = getStorage(args);
+      const invoiceIds = args.ids ? args.ids.split(",").map((s) => s.trim()) : void 0;
+      if (args.all && invoiceIds) {
+        throw new Error("Cannot use --all together with specific invoice IDs. Use one or the other.");
+      }
+      if (!args.all && !invoiceIds) {
+        throw new Error("Specify invoice IDs or use --all to submit all pending invoices.");
+      }
+      const result = await client.offline.submit(client, {
+        storage,
+        invoiceIds: args.all ? void 0 : invoiceIds,
+        checkExpiry: !args["no-check-expiry"]
+      });
+      if (result.total === 0) {
+        outputSuccess("No pending invoices to submit.");
+        return;
+      }
+      if (args.json) {
+        outputResult(result, { json: true });
+      } else {
+        outputSuccess(
+          `Submitted: ${result.submitted}, Accepted: ${result.accepted}, Rejected: ${result.rejected}, Expired: ${result.expired}`
+        );
+        if (result.results.length > 0) {
+          outputTable(
+            result.results.map((r) => ({
+              id: r.invoiceId.slice(0, 8),
+              number: r.invoiceNumber,
+              status: r.status,
+              ref: r.ksefReferenceNumber ?? "-"
+            })),
+            [
+              { key: "id", label: "ID" },
+              { key: "number", label: "Number" },
+              { key: "status", label: "Status" },
+              { key: "ref", label: "KSeF Ref" }
+            ],
+            { json: false }
+          );
+        }
+      }
+    });
+  }
+});
+var correct = defineCommand17({
+  meta: { name: "correct", description: "Technical correction for rejected offline invoice" },
+  args: {
+    ...globalArgs,
+    id: { type: "positional", description: "Rejected invoice ID", required: true },
+    xml: { type: "positional", description: "Corrected XML file path", required: true }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const globalOpts = getGlobalOpts14(args);
+      const { client } = await requireSession(globalOpts);
+      const storage = getStorage(args);
+      const xmlPath = args.xml;
+      if (!fs14.existsSync(xmlPath)) {
+        throw new Error(`File not found: ${xmlPath}`);
+      }
+      const correctedXml = fs14.readFileSync(xmlPath, "utf-8");
+      const result = await client.offline.correct(client, {
+        rejectedInvoiceId: args.id,
+        correctedInvoiceXml: correctedXml,
+        storage
+      });
+      if (args.json) {
+        outputResult(result, { json: true });
+      } else {
+        outputSuccess(`Correction submitted. KSeF ref: ${result.ksefReferenceNumber ?? "pending"}`);
+      }
+    });
+  }
+});
+var del = defineCommand17({
+  meta: { name: "delete", description: "Delete offline invoice from local store" },
+  args: {
+    ...globalArgs,
+    id: { type: "positional", description: "Invoice ID to delete" },
+    expired: { type: "boolean", description: "Delete all expired invoices" },
+    force: { type: "boolean", description: "Skip confirmation prompt" }
+  },
+  run({ args }) {
+    return withErrorHandler(async () => {
+      const storage = getStorage(args);
+      if (args.expired) {
+        const expired = await storage.list({ status: "EXPIRED" });
+        if (expired.length === 0) {
+          outputSuccess("No expired invoices to delete.");
+          return;
+        }
+        if (!args.force) {
+          if (!process.stdin.isTTY) {
+            throw new Error(
+              `${expired.length} expired invoice(s) would be deleted. Use --force to confirm in non-interactive mode.`
+            );
+          }
+          const confirmed = await consola15.prompt(
+            `Delete ${expired.length} expired invoice(s)?`,
+            { type: "confirm", initial: false }
+          );
+          if (!confirmed) {
+            consola15.info("Cancelled.");
+            return;
+          }
+        }
+        for (const inv of expired) {
+          await storage.delete(inv.id);
+        }
+        outputSuccess(`Deleted ${expired.length} expired invoice(s).`);
+        return;
+      }
+      if (!args.id) {
+        throw new Error("Specify an invoice ID or use --expired to delete all expired invoices.");
+      }
+      const invoice3 = await storage.get(args.id);
+      if (!invoice3) {
+        throw new Error(`Offline invoice not found: ${args.id}`);
+      }
+      await storage.delete(args.id);
+      outputSuccess(`Deleted offline invoice ${args.id}`);
+    });
+  }
+});
+var offlineCommand = defineCommand17({
+  meta: { name: "offline", description: "Offline invoice management" },
+  subCommands: { generate: generate3, list: list4, status: status6, submit, correct, delete: del }
+});
+
 // src/cli/index.ts
 var __dirname = dirname2(fileURLToPath(import.meta.url));
-var pkg = JSON.parse(readFileSync8(resolve(__dirname, "..", "package.json"), "utf-8"));
+var pkg = JSON.parse(readFileSync9(resolve(__dirname, "..", "package.json"), "utf-8"));
 var version = pkg.version;
-var main = defineCommand17({
+var main = defineCommand18({
   meta: {
     name: "ksef",
     version,
@@ -9494,6 +10533,7 @@ var main = defineCommand17({
     limits: limitsCommand,
     peppol: peppolCommand,
     "test-data": testDataCommand,
+    offline: offlineCommand,
     doctor: doctorCommand,
     completion: completionCommand
   }