ksef-client-ts 0.6.0 → 0.6.2

package/dist/index.js

@@ -153,12 +153,14 @@ var init_ksef_unauthorized_error = __esm({
       detail;
       traceId;
       instance;
+      timestamp;
       constructor(problemDetails) {
         super(problemDetails.detail || "Unauthorized");
         this.name = "KSeFUnauthorizedError";
         this.detail = problemDetails.detail;
         this.traceId = problemDetails.traceId;
         this.instance = problemDetails.instance;
+        this.timestamp = problemDetails.timestamp;
       }
     };
   }
@@ -177,6 +179,7 @@ var init_ksef_forbidden_error = __esm({
       instance;
       security;
       traceId;
+      timestamp;
       constructor(problemDetails) {
         super(problemDetails.detail || "Forbidden");
         this.name = "KSeFForbiddenError";
@@ -185,6 +188,31 @@ var init_ksef_forbidden_error = __esm({
         this.instance = problemDetails.instance;
         this.security = problemDetails.security;
         this.traceId = problemDetails.traceId;
+        this.timestamp = problemDetails.timestamp;
+      }
+    };
+  }
+});
+
+// src/errors/ksef-gone-error.ts
+var KSeFGoneError;
+var init_ksef_gone_error = __esm({
+  "src/errors/ksef-gone-error.ts"() {
+    "use strict";
+    init_ksef_error();
+    KSeFGoneError = class extends KSeFError {
+      statusCode = 410;
+      detail;
+      instance;
+      traceId;
+      timestamp;
+      constructor(problemDetails) {
+        super(problemDetails.detail || "Operation status no longer available (retention expired)");
+        this.name = "KSeFGoneError";
+        this.detail = problemDetails.detail;
+        this.instance = problemDetails.instance;
+        this.traceId = problemDetails.traceId;
+        this.timestamp = problemDetails.timestamp;
       }
     };
   }
@@ -252,6 +280,45 @@ var init_ksef_validation_error = __esm({
   }
 });
 
+// src/errors/error-codes.ts
+function hasErrorCode(body, code) {
+  return !!body?.exception?.exceptionDetailList?.some((d) => d.exceptionCode === code);
+}
+var KSeFErrorCode;
+var init_error_codes = __esm({
+  "src/errors/error-codes.ts"() {
+    "use strict";
+    KSeFErrorCode = {
+      BatchTimeout: 21208,
+      DuplicateInvoice: 440
+    };
+  }
+});
+
+// src/errors/ksef-batch-timeout-error.ts
+var KSeFBatchTimeoutError;
+var init_ksef_batch_timeout_error = __esm({
+  "src/errors/ksef-batch-timeout-error.ts"() {
+    "use strict";
+    init_ksef_api_error();
+    init_error_codes();
+    KSeFBatchTimeoutError = class _KSeFBatchTimeoutError extends KSeFApiError {
+      errorCode = KSeFErrorCode.BatchTimeout;
+      constructor(message, statusCode, errorResponse) {
+        super(message, statusCode, errorResponse);
+        this.name = "KSeFBatchTimeoutError";
+      }
+      static fromResponse(statusCode, body) {
+        const detail = body?.exception?.exceptionDetailList?.find(
+          (d) => d.exceptionCode === KSeFErrorCode.BatchTimeout
+        );
+        const message = detail?.exceptionDescription?.trim() || "Batch session timed out before the server completed processing (KSeF 21208).";
+        return new _KSeFBatchTimeoutError(message, statusCode, body);
+      }
+    };
+  }
+});
+
 // src/errors/index.ts
 var init_errors = __esm({
   "src/errors/index.ts"() {
@@ -261,9 +328,12 @@ var init_errors = __esm({
     init_ksef_rate_limit_error();
     init_ksef_unauthorized_error();
     init_ksef_forbidden_error();
+    init_ksef_gone_error();
     init_ksef_auth_status_error();
     init_ksef_session_expired_error();
     init_ksef_validation_error();
+    init_ksef_batch_timeout_error();
+    init_error_codes();
   }
 });
 
@@ -520,6 +590,9 @@ var init_rest_client = __esm({
     init_ksef_rate_limit_error();
     init_ksef_unauthorized_error();
     init_ksef_forbidden_error();
+    init_ksef_gone_error();
+    init_ksef_batch_timeout_error();
+    init_error_codes();
     init_route_builder();
     init_transport();
     init_retry_policy();
@@ -660,18 +733,33 @@ var init_rest_client = __esm({
           );
         }
         if (response.status === 401) {
-          const body = parseJson();
-          if (body?.detail) {
-            throw new KSeFUnauthorizedError(body);
+          const body2 = parseJson();
+          if (body2?.detail) {
+            throw new KSeFUnauthorizedError(body2);
           }
         }
         if (response.status === 403) {
-          const body = parseJson();
-          if (body?.reasonCode) {
-            throw new KSeFForbiddenError(body);
+          const body2 = parseJson();
+          if (body2?.reasonCode) {
+            throw new KSeFForbiddenError(body2);
           }
         }
-        throw KSeFApiError.fromResponse(response.status, parseJson());
+        if (response.status === 410) {
+          const body2 = parseJson();
+          throw new KSeFGoneError({
+            title: body2?.title || "Gone",
+            status: body2?.status || 410,
+            detail: body2?.detail || "Operation status no longer available (retention expired)",
+            instance: body2?.instance,
+            traceId: body2?.traceId,
+            timestamp: body2?.timestamp
+          });
+        }
+        const body = parseJson();
+        if (hasErrorCode(body, KSeFErrorCode.BatchTimeout)) {
+          throw KSeFBatchTimeoutError.fromResponse(response.status, body);
+        }
+        throw KSeFApiError.fromResponse(response.status, body);
       }
     };
   }
@@ -955,7 +1043,9 @@ function isValidVatUe(value) {
   return VatUe.test(value);
 }
 function isValidNipVatUe(value) {
-  return NipVatUe.test(value);
+  if (!NipVatUe.test(value)) return false;
+  const nip = value.split("-")[0];
+  return isValidNip(nip);
 }
 function isValidInternalId(value) {
   return InternalId.test(value);
@@ -2967,6 +3057,32 @@ var init_online_session = __esm({
   }
 });
 
+// src/utils/concurrency.ts
+async function runWithConcurrency(tasks, parallelism) {
+  if (tasks.length === 0) return;
+  const limit = Math.max(1, Math.min(parallelism, tasks.length));
+  const controller = new AbortController();
+  let index = 0;
+  const workers = Array.from({ length: limit }, async () => {
+    while (index < tasks.length && !controller.signal.aborted) {
+      const current = index;
+      index += 1;
+      try {
+        await tasks[current](controller.signal);
+      } catch (err) {
+        controller.abort();
+        throw err;
+      }
+    }
+  });
+  await Promise.all(workers);
+}
+var init_concurrency = __esm({
+  "src/utils/concurrency.ts"() {
+    "use strict";
+  }
+});
+
 // src/services/batch-session.ts
 var BatchSessionService;
 var init_batch_session = __esm({
@@ -2975,6 +3091,7 @@ var init_batch_session = __esm({
     init_ksef_feature();
     init_rest_request();
     init_routes();
+    init_concurrency();
     BatchSessionService = class {
       restClient;
       constructor(restClient) {
@@ -2988,12 +3105,10 @@ var init_batch_session = __esm({
         const response = await this.restClient.execute(req);
         return response.body;
       }
-      async sendParts(openResponse, parts) {
-        const uploadRequests = openResponse.partUploadRequests;
-        const tasks = parts.map(async (part) => {
-          const uploadReq = uploadRequests.find(
-            (r) => r.ordinalNumber === part.ordinalNumber
-          );
+      async sendParts(openResponse, parts, parallelism) {
+        const uploadMap = new Map(openResponse.partUploadRequests.map((r) => [r.ordinalNumber, r]));
+        const tasks = parts.map((part) => async (signal) => {
+          const uploadReq = uploadMap.get(part.ordinalNumber);
           if (!uploadReq) {
             throw new Error(`No upload request found for part ${part.ordinalNumber}`);
           }
@@ -3001,25 +3116,38 @@ var init_batch_session = __esm({
           for (const [k, v] of Object.entries(uploadReq.headers)) {
             if (v != null) headers[k] = v;
           }
-          await fetch(uploadReq.url, {
+          const resp = await fetch(uploadReq.url, {
             method: uploadReq.method,
             headers,
-            body: part.data
+            body: part.data,
+            signal
           });
+          if (!resp.ok) {
+            const body = await resp.text().catch(() => "");
+            throw new Error(
+              `Upload failed for part ${part.ordinalNumber}: HTTP ${resp.status}${body ? ` \u2014 ${body}` : ""}`
+            );
+          }
         });
-        await Promise.all(tasks);
+        if (parallelism !== void 0) {
+          await runWithConcurrency(tasks, parallelism);
+        } else {
+          const ac = new AbortController();
+          await Promise.all(tasks.map((t) => t(ac.signal).catch((err) => {
+            ac.abort();
+            throw err;
+          })));
+        }
       }
       /**
-       * Upload parts sequentially (not in parallel) because each part uses a
-       * streaming body (`duplex: 'half'`). Parallel streaming uploads can cause
-       * backpressure issues and exceed memory limits for large payloads.
+       * Upload parts using streaming bodies (`duplex: 'half'`).
+       * By default uploads sequentially to avoid backpressure issues.
+       * Pass `parallelism` to enable bounded concurrent uploads.
        */
-      async sendPartsWithStream(openResponse, parts) {
-        const uploadRequests = openResponse.partUploadRequests;
-        for (const part of parts) {
-          const uploadReq = uploadRequests.find(
-            (r) => r.ordinalNumber === part.ordinalNumber
-          );
+      async sendPartsWithStream(openResponse, parts, parallelism) {
+        const uploadMap = new Map(openResponse.partUploadRequests.map((r) => [r.ordinalNumber, r]));
+        const uploadPart = async (part, signal) => {
+          const uploadReq = uploadMap.get(part.ordinalNumber);
           if (!uploadReq) {
             throw new Error(`No upload request found for part ${part.ordinalNumber}`);
           }
@@ -3031,11 +3159,23 @@ var init_batch_session = __esm({
             method: uploadReq.method,
             headers,
             body: part.dataStream,
+            signal,
             // @ts-expect-error -- Node 18+ undici supports duplex for streaming body
             duplex: "half"
           });
           if (!resp.ok) {
-            throw new Error(`Upload failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
+            const body = await resp.text().catch(() => "");
+            throw new Error(
+              `Upload failed for part ${part.ordinalNumber}: HTTP ${resp.status}${body ? ` \u2014 ${body}` : ""}`
+            );
+          }
+        };
+        if (parallelism !== void 0) {
+          await runWithConcurrency(parts.map((p) => (signal) => uploadPart(p, signal)), parallelism);
+        } else {
+          const { signal } = new AbortController();
+          for (const part of parts) {
+            await uploadPart(part, signal);
           }
         }
       }
@@ -3148,7 +3288,10 @@ var init_invoice_download = __esm({
       async getInvoice(ksefNumber) {
         const req = RestRequest.get(Routes.Invoices.byKsefNumber(ksefNumber));
         const response = await this.restClient.executeRaw(req);
-        return new TextDecoder().decode(response.body);
+        return {
+          xml: new TextDecoder().decode(response.body),
+          hash: response.headers.get("x-ms-meta-hash") ?? void 0
+        };
       }
       async queryInvoiceMetadata(filters, pageOffset, pageSize, sortOrder) {
         const req = RestRequest.post(Routes.Invoices.queryMetadata).body(filters);
@@ -4410,6 +4553,72 @@ var init_zip = __esm({
   }
 });
 
+// src/offline/holidays.ts
+function toDateKey(d) {
+  return d.toISOString().slice(0, 10);
+}
+function dateKey(year, month, day) {
+  return toDateKey(new Date(Date.UTC(year, month - 1, day)));
+}
+function addDays(d, n) {
+  const result = new Date(d);
+  result.setUTCDate(result.getUTCDate() + n);
+  return result;
+}
+function computeEasterSunday(year) {
+  const a = year % 19;
+  const b = Math.floor(year / 100);
+  const c = year % 100;
+  const d = Math.floor(b / 4);
+  const e = b % 4;
+  const f = Math.floor((b + 8) / 25);
+  const g = Math.floor((b - f + 1) / 3);
+  const h = (19 * a + b - d - g + 15) % 30;
+  const i = Math.floor(c / 4);
+  const k = c % 4;
+  const l = (32 + 2 * e + 2 * i - h - k) % 7;
+  const m = Math.floor((a + 11 * h + 22 * l) / 451);
+  const month = Math.floor((h + l - 7 * m + 114) / 31);
+  const day = (h + l - 7 * m + 114) % 31 + 1;
+  return new Date(Date.UTC(year, month - 1, day));
+}
+function getPolishHolidays(year) {
+  const cached = holidayCache.get(year);
+  if (cached) return cached;
+  const easter = computeEasterSunday(year);
+  const holidays = /* @__PURE__ */ new Set([
+    // Fixed
+    dateKey(year, 1, 1),
+    dateKey(year, 1, 6),
+    dateKey(year, 5, 1),
+    dateKey(year, 5, 3),
+    dateKey(year, 8, 15),
+    dateKey(year, 11, 1),
+    dateKey(year, 11, 11),
+    dateKey(year, 12, 25),
+    dateKey(year, 12, 26),
+    // Wigilia — added by Dz.U. 2024 poz. 1965, effective from 2025
+    ...year >= 2025 ? [dateKey(year, 12, 24)] : [],
+    // Moveable
+    toDateKey(easter),
+    toDateKey(addDays(easter, 1)),
+    toDateKey(addDays(easter, 49)),
+    toDateKey(addDays(easter, 60))
+  ]);
+  holidayCache.set(year, holidays);
+  return holidays;
+}
+function isPolishHoliday(date) {
+  return getPolishHolidays(date.getUTCFullYear()).has(toDateKey(date));
+}
+var holidayCache;
+var init_holidays = __esm({
+  "src/offline/holidays.ts"() {
+    "use strict";
+    holidayCache = /* @__PURE__ */ new Map();
+  }
+});
+
 // src/offline/deadline.ts
 function getDefaultReason(mode) {
   switch (mode) {
@@ -4426,7 +4635,7 @@ function getDefaultReason(mode) {
 function nextBusinessDay(from) {
   const d = new Date(from);
   d.setUTCDate(d.getUTCDate() + 1);
-  while (d.getUTCDay() === 0 || d.getUTCDay() === 6) {
+  while (d.getUTCDay() === 0 || d.getUTCDay() === 6 || isPolishHoliday(d)) {
     d.setUTCDate(d.getUTCDate() + 1);
   }
   return d;
@@ -4439,7 +4648,7 @@ function addBusinessDays(from, days) {
   let remaining = days;
   while (remaining > 0) {
     d.setUTCDate(d.getUTCDate() + 1);
-    if (d.getUTCDay() !== 0 && d.getUTCDay() !== 6) {
+    if (d.getUTCDay() !== 0 && d.getUTCDay() !== 6 && !isPolishHoliday(d)) {
       remaining--;
     }
   }
@@ -4505,12 +4714,13 @@ var FAR_FUTURE;
 var init_deadline = __esm({
   "src/offline/deadline.ts"() {
     "use strict";
+    init_holidays();
     FAR_FUTURE = /* @__PURE__ */ new Date("9999-12-31T23:59:59Z");
   }
 });
 
 // src/workflows/offline-invoice-workflow.ts
-import crypto6 from "crypto";
+import crypto7 from "crypto";
 var OfflineInvoiceWorkflow;
 var init_offline_invoice_workflow = __esm({
   "src/workflows/offline-invoice-workflow.ts"() {
@@ -4534,7 +4744,7 @@ var init_offline_invoice_workflow = __esm({
         }
         const mode = options?.mode ?? "offline24";
         const reason = getDefaultReason(mode);
-        const invoiceHashBase64 = crypto6.createHash("sha256").update(input.invoiceXml).digest("base64");
+        const invoiceHashBase64 = crypto7.createHash("sha256").update(input.invoiceXml).digest("base64");
         const kod1Url = this.qrService.buildInvoiceVerificationUrl(
           input.sellerNip,
           input.invoiceDate,
@@ -4553,7 +4763,7 @@ var init_offline_invoice_workflow = __esm({
         }
         const submitBy = options?.customDeadline ? typeof options.customDeadline === "string" ? options.customDeadline : options.customDeadline.toISOString() : calculateOfflineDeadline(mode, input.invoiceDate, options?.maintenanceWindow).toISOString();
         const metadata = {
-          id: crypto6.randomUUID(),
+          id: crypto7.randomUUID(),
           mode,
           reason,
           status: "GENERATED",
@@ -4709,7 +4919,7 @@ var init_offline_invoice_workflow = __esm({
             original.status === "CORRECTED" ? `Invoice ${rejectedInvoiceId} has already been corrected (by ${original.correctedBy})` : `Only rejected invoices can be corrected (current status: ${original.status})`
           );
         }
-        const originalHash = crypto6.createHash("sha256").update(original.invoiceXml).digest("base64");
+        const originalHash = crypto7.createHash("sha256").update(original.invoiceXml).digest("base64");
         await client.crypto.init();
         const encData = client.crypto.getEncryptionData();
         const formCode = options.formCode ?? DEFAULT_FORM_CODE;
@@ -4722,9 +4932,9 @@ var init_offline_invoice_workflow = __esm({
           const plainMeta = client.crypto.getFileMetadata(data);
           const encrypted = client.crypto.encryptAES256(data, encData.cipherKey, encData.cipherIv);
           const encMeta = client.crypto.getFileMetadata(encrypted);
-          const correctionId = crypto6.randomUUID();
+          const correctionId = crypto7.randomUUID();
           const submittedAt = (/* @__PURE__ */ new Date()).toISOString();
-          const correctedHashBase64 = crypto6.createHash("sha256").update(correctedInvoiceXml).digest("base64");
+          const correctedHashBase64 = crypto7.createHash("sha256").update(correctedInvoiceXml).digest("base64");
           const kod1Url = this.qrService.buildInvoiceVerificationUrl(
             original.sellerNip,
             original.invoiceDate,
@@ -4879,6 +5089,7 @@ var init_client = __esm({
       qr;
       options;
       authManager;
+      _baseRestClientConfig;
       _offline;
       constructor(options) {
         this.options = resolveOptions(options);
@@ -4890,6 +5101,8 @@ var init_client = __esm({
         });
         this.authManager = authManager;
         const restClientConfig = buildRestClientConfig(options, authManager);
+        const { authManager: _am, ...baseConfig } = restClientConfig;
+        this._baseRestClientConfig = baseConfig;
         const restClient = new RestClient(this.options, restClientConfig);
         const fetcher = new CertificateFetcher(restClient);
         this.crypto = new CryptographyService(fetcher);
@@ -4914,6 +5127,10 @@ var init_client = __esm({
         }
         return this._offline;
       }
+      /** @internal Create a RestClient with a different AuthManager, preserving transport/retry/rateLimit config. */
+      createScopedRestClient(authManager) {
+        return new RestClient(this.options, { ...this._baseRestClientConfig, authManager });
+      }
       async loginWithToken(token, nip) {
         const challenge = await this.auth.getChallenge();
         await this.crypto.init();
@@ -4928,6 +5145,7 @@ var init_client = __esm({
         const tokens = await this.auth.getAccessToken(authToken);
         this.authManager.setAccessToken(tokens.accessToken.token);
         this.authManager.setRefreshToken(tokens.refreshToken.token);
+        return { clientIp: challenge.clientIp };
       }
       async loginWithCertificate(certPem, keyPem, nip, keyPassword) {
         const challenge = await this.auth.getChallenge();
@@ -4940,11 +5158,12 @@ var init_client = __esm({
         const tokens = await this.auth.getAccessToken(authToken);
         this.authManager.setAccessToken(tokens.accessToken.token);
         this.authManager.setRefreshToken(tokens.refreshToken.token);
+        return { clientIp: challenge.clientIp };
       }
       async loginWithPkcs12(p12, password, nip) {
         const { Pkcs12Loader: Pkcs12Loader2 } = await Promise.resolve().then(() => (init_pkcs12_loader(), pkcs12_loader_exports));
         const { certificatePem, privateKeyPem } = Pkcs12Loader2.load(p12, password);
-        await this.loginWithCertificate(certificatePem, privateKeyPem, nip);
+        return this.loginWithCertificate(certificatePem, privateKeyPem, nip);
       }
       async awaitAuthReady(referenceNumber, authToken) {
         for (let i = 0; i < 30; i++) {
@@ -5733,6 +5952,18 @@ function parseKSeFTokenContext(token) {
   };
 }
 
+// src/utils/hash.ts
+import crypto6 from "crypto";
+function sha256Base642(data) {
+  return crypto6.createHash("sha256").update(data).digest("base64");
+}
+function verifyHash(data, expectedHash) {
+  return sha256Base642(data) === expectedHash;
+}
+
+// src/utils/index.ts
+init_concurrency();
+
 // src/workflows/polling.ts
 async function pollUntil(action, condition, options) {
   const intervalMs = options?.intervalMs ?? 2e3;
@@ -5751,6 +5982,10 @@ async function pollUntil(action, condition, options) {
 }
 
 // src/workflows/online-session-workflow.ts
+init_ksef_session_expired_error();
+init_auth_manager();
+init_online_session();
+init_session_status();
 init_document_structures();
 
 // src/xml/upo-parser.ts
@@ -5914,18 +6149,11 @@ function nonEmptyString(value) {
 // src/workflows/online-session-workflow.ts
 init_invoice_validator();
 init_ksef_validation_error();
-async function openOnlineSession(client, options) {
-  await client.crypto.init();
-  const encData = client.crypto.getEncryptionData();
-  const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
-  const openResp = await client.onlineSession.openSession(
-    { formCode, encryption: encData.encryptionInfo },
-    options?.upoVersion
-  );
-  const sessionRef = openResp.referenceNumber;
+function buildSessionHandle(params) {
+  const { deps, sessionRef, validUntil, cipherKey, cipherIv, formCode, validate: validate2 } = params;
   async function fetchUpo(pollOpts) {
     const result = await pollUntil(
-      () => client.sessionStatus.getSessionStatus(sessionRef),
+      () => deps.sessionStatus.getSessionStatus(sessionRef),
       (s) => s.status.code === 200 || s.status.code >= 400,
       { ...pollOpts, description: `UPO for session ${sessionRef}` }
     );
@@ -5941,9 +6169,9 @@ async function openOnlineSession(client, options) {
   }
   return {
     sessionRef,
-    validUntil: openResp.validUntil,
+    validUntil,
     async sendInvoice(invoiceXml) {
-      if (options?.validate) {
+      if (validate2) {
         const xmlStr = typeof invoiceXml === "string" ? invoiceXml : new TextDecoder().decode(invoiceXml);
         const vResult = await validate(xmlStr);
         if (!vResult.valid) {
@@ -5954,10 +6182,10 @@ async function openOnlineSession(client, options) {
         }
       }
       const data = typeof invoiceXml === "string" ? new TextEncoder().encode(invoiceXml) : invoiceXml;
-      const plainMeta = client.crypto.getFileMetadata(data);
-      const encrypted = client.crypto.encryptAES256(data, encData.cipherKey, encData.cipherIv);
-      const encMeta = client.crypto.getFileMetadata(encrypted);
-      const resp = await client.onlineSession.sendInvoice(sessionRef, {
+      const plainMeta = deps.crypto.getFileMetadata(data);
+      const encrypted = deps.crypto.encryptAES256(data, cipherKey, cipherIv);
+      const encMeta = deps.crypto.getFileMetadata(encrypted);
+      const resp = await deps.onlineSession.sendInvoice(sessionRef, {
         invoiceHash: plainMeta.hashSHA,
         invoiceSize: plainMeta.fileSize,
         encryptedInvoiceHash: encMeta.hashSHA,
@@ -5967,7 +6195,7 @@ async function openOnlineSession(client, options) {
       return resp.referenceNumber;
     },
     async close() {
-      await client.onlineSession.closeSession(sessionRef);
+      await deps.onlineSession.closeSession(sessionRef);
     },
     async waitForUpo(pollOpts) {
       return fetchUpo(pollOpts);
@@ -5976,13 +6204,75 @@ async function openOnlineSession(client, options) {
       const upoInfo = await fetchUpo(pollOpts);
       const parsed = [];
       for (const page of upoInfo.pages) {
-        const result = await client.sessionStatus.getSessionUpo(sessionRef, page.referenceNumber);
+        const result = await deps.sessionStatus.getSessionUpo(sessionRef, page.referenceNumber);
         parsed.push(parseUpoXml(result.upo));
       }
       return { ...upoInfo, parsed };
+    },
+    getState() {
+      const token = deps.getAccessToken();
+      if (!token) {
+        throw new Error("Cannot serialize session state: no access token available");
+      }
+      return {
+        referenceNumber: sessionRef,
+        aesKey: Buffer.from(cipherKey).toString("base64"),
+        iv: Buffer.from(cipherIv).toString("base64"),
+        accessToken: token,
+        formCode,
+        validUntil,
+        ...validate2 ? { validate: validate2 } : {}
+      };
     }
   };
 }
+async function openOnlineSession(client, options) {
+  await client.crypto.init();
+  const encData = client.crypto.getEncryptionData();
+  const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
+  const openResp = await client.onlineSession.openSession(
+    { formCode, encryption: encData.encryptionInfo },
+    options?.upoVersion
+  );
+  return buildSessionHandle({
+    deps: {
+      crypto: client.crypto,
+      onlineSession: client.onlineSession,
+      sessionStatus: client.sessionStatus,
+      getAccessToken: () => client.authManager.getAccessToken()
+    },
+    sessionRef: openResp.referenceNumber,
+    validUntil: openResp.validUntil,
+    cipherKey: encData.cipherKey,
+    cipherIv: encData.cipherIv,
+    formCode,
+    validate: options?.validate
+  });
+}
+function resumeOnlineSession(client, state, options) {
+  const expiry = new Date(state.validUntil);
+  if (expiry.getTime() <= Date.now()) {
+    throw new KSeFSessionExpiredError(
+      `Cannot resume session: expired at ${state.validUntil}`
+    );
+  }
+  const scopedAuth = new DefaultAuthManager(() => Promise.resolve(null), state.accessToken);
+  const scopedRestClient = client.createScopedRestClient(scopedAuth);
+  return buildSessionHandle({
+    deps: {
+      crypto: client.crypto,
+      onlineSession: new OnlineSessionService(scopedRestClient),
+      sessionStatus: new SessionStatusService(scopedRestClient),
+      getAccessToken: () => scopedAuth.getAccessToken()
+    },
+    sessionRef: state.referenceNumber,
+    validUntil: state.validUntil,
+    cipherKey: new Uint8Array(Buffer.from(state.aesKey, "base64")),
+    cipherIv: new Uint8Array(Buffer.from(state.iv, "base64")),
+    formCode: state.formCode,
+    validate: options?.validate ?? state.validate
+  });
+}
 async function openSendAndClose(client, invoices, options) {
   const handle = await openOnlineSession(client, options);
   for (const inv of invoices) {
@@ -5995,6 +6285,9 @@ async function openSendAndClose(client, invoices, options) {
 // src/workflows/batch-session-workflow.ts
 init_document_structures();
 async function uploadBatch(client, zipData, options) {
+  if (options?.parallelism !== void 0 && (!Number.isInteger(options.parallelism) || options.parallelism < 1)) {
+    throw new Error("parallelism must be a positive integer");
+  }
   await client.crypto.init();
   if (options?.validate) {
     const { unzip: unzip2 } = await Promise.resolve().then(() => (init_zip(), zip_exports));
@@ -6037,7 +6330,7 @@ async function uploadBatch(client, zipData, options) {
     },
     ordinalNumber: i + 1
   }));
-  await client.batchSession.sendParts(openResp, sendingParts);
+  await client.batchSession.sendParts(openResp, sendingParts, options?.parallelism);
   await client.batchSession.closeSession(openResp.referenceNumber);
   const result = await pollUntil(
     () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
@@ -6058,6 +6351,9 @@ async function uploadBatch(client, zipData, options) {
   };
 }
 async function uploadBatchStream(client, zipStreamFactory, zipSize, options) {
+  if (options?.parallelism !== void 0 && (!Number.isInteger(options.parallelism) || options.parallelism < 1)) {
+    throw new Error("parallelism must be a positive integer");
+  }
   await client.crypto.init();
   const encData = client.crypto.getEncryptionData();
   const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
@@ -6079,7 +6375,7 @@ async function uploadBatchStream(client, zipStreamFactory, zipSize, options) {
     },
     options?.upoVersion
   );
-  await client.batchSession.sendPartsWithStream(openResp, streamParts);
+  await client.batchSession.sendPartsWithStream(openResp, streamParts, options?.parallelism);
   await client.batchSession.closeSession(openResp.referenceNumber);
   const result = await pollUntil(
     () => client.sessionStatus.getSessionStatus(openResp.referenceNumber),
@@ -6154,6 +6450,7 @@ async function doExport(client, filters, options) {
         url: p.url,
         method: p.method,
         partSize: p.partSize,
+        partHash: p.partHash,
         encryptedPartSize: p.encryptedPartSize,
         encryptedPartHash: p.encryptedPartHash,
         expirationDate: p.expirationDate
@@ -6179,6 +6476,9 @@ async function exportAndDownload(client, filters, options) {
       throw new Error(`Download failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
     }
     const encryptedData = new Uint8Array(await resp.arrayBuffer());
+    if (options?.verifyHash !== false && !verifyHash(encryptedData, part.encryptedPartHash)) {
+      throw new Error(`Hash mismatch for export part ${part.ordinalNumber}`);
+    }
     const decrypted = client.crypto.decryptAES256(encryptedData, encData.cipherKey, encData.cipherIv);
     decryptedParts.push(decrypted);
   }
@@ -6251,6 +6551,9 @@ async function incrementalExportAndDownload(client, options) {
         throw new Error(`Download failed for part ${part.ordinalNumber}: HTTP ${resp.status}`);
       }
       const encryptedData = new Uint8Array(await resp.arrayBuffer());
+      if (options.verifyHash !== false && !verifyHash(encryptedData, part.encryptedPartHash)) {
+        throw new Error(`Hash mismatch for export part ${part.ordinalNumber}`);
+      }
       const decrypted = client.crypto.decryptAES256(encryptedData, encData.cipherKey, encData.cipherIv);
       decryptedParts.push(decrypted);
     }
@@ -6416,6 +6719,7 @@ async function authenticateWithPkcs12(client, options) {
 
 // src/offline/index.ts
 init_deadline();
+init_holidays();
 
 // src/offline/storage.ts
 function matchesFilter(invoice, filter) {
@@ -6590,9 +6894,12 @@ export {
   KSEF_FEATURE_HEADER,
   KSeFApiError,
   KSeFAuthStatusError,
+  KSeFBatchTimeoutError,
   KSeFClient,
   KSeFError,
+  KSeFErrorCode,
   KSeFForbiddenError,
+  KSeFGoneError,
   KSeFRateLimitError,
   KSeFSessionExpiredError,
   KSeFUnauthorizedError,
@@ -6657,9 +6964,11 @@ export {
   getDefaultReason,
   getEffectiveStartDate,
   getFormCode,
+  getPolishHolidays,
   getTimeUntilDeadline,
   incrementalExportAndDownload,
   isExpired,
+  isPolishHoliday,
   isRetryableError,
   isRetryableStatus,
   isValidBase64,
@@ -6686,6 +6995,9 @@ export {
   parseUpoXml,
   pollUntil,
   resolveOptions,
+  resumeOnlineSession,
+  runWithConcurrency,
+  sha256Base642 as sha256Base64,
   sleep,
   unzip,
   updateContinuationPoint,
@@ -6700,6 +7012,7 @@ export {
   validatePresignedUrl,
   validateSchema,
   validateWellFormedness,
+  verifyHash,
   xmlToObject
 };
 //# sourceMappingURL=index.js.map